From 9e408ebf823423e15bc624ff1784691b901212a7 Mon Sep 17 00:00:00 2001
From: Krishna Chaitanya Reddy Burri
Date: Tue, 11 Jun 2024 10:55:47 +0530
Subject: [PATCH 001/105] [M365 Defender] Adjust mappings for detection rules (#9860)
Improve ECS mappings for supporting detection rules for device events. Many `DeviceEvents` logs have incorrect mappings, which needs to be adjusted. The fields in concern are mostly process.* and event.*, although other ECS fields are also adjusted to conform with detection rules.
- Also removed *.pe.sections.physical_size field which doesn't hold any relevant data for this package.
- Add host.os.type to `alert` pipeline to conform with ECS.
---
 packages/m365_defender/changelog.yml | 5 +
 .../test-app-and-identity.log-expected.json | 13 +-
 .../event/_dev/test/pipeline/test-device.log | 14 +
 .../pipeline/test-device.log-expected.json | 2385 +++++++++++++++--
 .../pipeline_app_and_identity.yml | 17 +
 .../ingest_pipeline/pipeline_device.yml | 830 +++++-
 .../data_stream/event/fields/ecs.yml | 33 +-
 .../data_stream/event/fields/fields.yml | 61 +
 packages/m365_defender/docs/README.md | 40 +-
 packages/m365_defender/manifest.yml | 2 +-
 .../_dev/test/pipeline/test-common-config.yml | 1 -
 11 files changed, 3060 insertions(+), 341 deletions(-)
diff --git a/packages/m365_defender/changelog.yml b/packages/m365_defender/changelog.yml
index e3298e4db21..832215f0b8a 100644
--- a/packages/m365_defender/changelog.yml
+++ b/packages/m365_defender/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "2.11.0"
+ changes:
+ - description: Improve detection rules support
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/9860
 - version: "2.10.0"
 changes:
 - description: Improve handling of empty responses. 
diff --git a/packages/m365_defender/data_stream/event/_dev/test/pipeline/test-app-and-identity.log-expected.json b/packages/m365_defender/data_stream/event/_dev/test/pipeline/test-app-and-identity.log-expected.json
index b03baa02bbb..32f8877a7dc 100644
--- a/packages/m365_defender/data_stream/event/_dev/test/pipeline/test-app-and-identity.log-expected.json
+++ b/packages/m365_defender/data_stream/event/_dev/test/pipeline/test-app-and-identity.log-expected.json
@@ -22,7 +22,8 @@
 "ip": "89.160.20.112",
 "name": "testmachine5",
 "os": {
- "name": "Windows 10"
+ "name": "Windows 10",
+ "type": "windows"
 },
 "type": "Desktop"
 },
@@ -316,7 +317,10 @@
 },
 "host": {
 "ip": "10.180.101.20",
- "name": "d2wxa1303r.d300b.cenlar.com"
+ "name": "d2wxa1303r.d300b.cenlar.com",
+ "os": {
+ "type": "windows"
+ }
 },
 "m365_defender": {
 "event": {
@@ -415,7 +419,10 @@
 },
 "host": {
 "ip": "10.173.130.18",
- "name": "d1wrpws12d.d300b.cenlar.com"
+ "name": "d1wrpws12d.d300b.cenlar.com",
+ "os": {
+ "type": "windows"
+ }
 },
 "m365_defender": {
 "event": {
diff --git a/packages/m365_defender/data_stream/event/_dev/test/pipeline/test-device.log b/packages/m365_defender/data_stream/event/_dev/test/pipeline/test-device.log
index 6193c4f83e4..5bbb4e3a632 100644
--- a/packages/m365_defender/data_stream/event/_dev/test/pipeline/test-device.log
+++ b/packages/m365_defender/data_stream/event/_dev/test/pipeline/test-device.log
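Review bot: In the second and third hunks `host.os.type` comes out as `windows` on records that carry no `host.os.name` or any other OS attribute, which suggests the app-and-identity pipeline now assigns the value unconditionally rather than deriving it from an OS field (the pipeline change itself, pipeline_app_and_identity.yml, is outside this excerpt). App and identity events are not limited to Windows endpoints, so a fixed value would mislabel non-Windows hosts, and detection rules that filter on `host.os.type:windows` would then match them. If the source offers no platform indicator for these events, it is safer to set `host.os.type` only when such an indicator is present, or at least to state the assumption in a comment or processor description next to the `set`. The first hunk, where `host.os.name` is `Windows 10`, is consistent as it stands.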
@@ -2,12 +2,16 @@ {"Tenant":"DefaultTenant","category":"AdvancedHunting-DeviceFileCertificateInfo","operationName":"Publish","properties":{"CertificateCountersignatureTime":"2022-05-25T15:28:57.628Z","CertificateCreationTime":"2021-09-02T18:23:41Z","CertificateExpirationTime":"2022-09-01T18:23:41Z","CertificateSerialNumber":"330000033b655faefadb75e9d6000000012345","CrlDistributionPointUrls":"[\"http://www.microsoft.com/pkiops/crl/MicWinProPCA2011_2011-10-19.crl\"]","DeviceId":"de6509d550e605faf3bbeac0905ab9590fe12345","DeviceName":"testmachine5","IsRootSignerMicrosoft":true,"IsSigned":true,"IsTrusted":true,"Issuer":"Microsoft Windows Production PCA 2011","IssuerHash":"580a6f4cc4e4b669b9ebdc1b2b3e087b80d0678d","MachineGroup":"UnassignedGroup","ReportId":2486,"SHA1":"1bc5066ddf693fc034d6514618854e26a84fd0d1","SignatureType":"Embedded","Signer":"Microsoft Windows","SignerHash":"e168609353f30ff2373157b4eb8cd519d07a2bff","Timestamp":"2022-11-07T17:00:58.1501482Z"},"tenantId":"12345af3-bc0e-4f36-b08e-27759e912345","time":"2022-11-07T17:11:16.2074367Z"} {"Tenant":"DefaultTenant","category":"AdvancedHunting-DeviceFileEvents","operationName":"Publish","properties":{"ActionType":"FileCreated","AdditionalFields":null,"AppGuardContainerId":null,"DeviceId":"de6509d550e605faf3bbeac0905ab9590fe12345","DeviceName":"testmachine5","FileName":"VMAgentDisabler.dll","FileOriginIP":null,"FileOriginReferrerUrl":null,"FileOriginUrl":null,"FileSize":139848,"FolderPath":"C:\\Windows\\System32\\VMAgentDisabler.dll","InitiatingProcessAccountDomain":"nt 
authority","InitiatingProcessAccountName":"system","InitiatingProcessAccountObjectId":null,"InitiatingProcessAccountSid":"S-1-5-18","InitiatingProcessAccountUpn":null,"InitiatingProcessCommandLine":"WaAppAgent.exe","InitiatingProcessCreationTime":"2022-11-07T16:45:10.3952444Z","InitiatingProcessFileName":"WaAppAgent.exe","InitiatingProcessFileSize":91360,"InitiatingProcessFolderPath":"c:\\windowsazure\\guestagent_2.7.41491.1057_2022-11-07_163802\\waappagent.exe","InitiatingProcessId":5692,"InitiatingProcessIntegrityLevel":"System","InitiatingProcessMD5":"b7f884c1b74a263f746ee12a5f7c9f6a","InitiatingProcessParentCreationTime":"2022-11-07T16:34:26.5433488Z","InitiatingProcessParentFileName":"services.exe","InitiatingProcessParentId":812,"InitiatingProcessSHA1":"1bc5066ddf693fc034d6514618854e26a84fd0d1","InitiatingProcessSHA256":"add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88","InitiatingProcessTokenElevation":"TokenElevationTypeDefault","InitiatingProcessVersionInfoCompanyName":"Microsoft Corporation","InitiatingProcessVersionInfoFileDescription":"Microsoft Azure®","InitiatingProcessVersionInfoInternalFileName":"WaAppAgent","InitiatingProcessVersionInfoOriginalFileName":"WaAppAgent.exe","InitiatingProcessVersionInfoProductName":"Microsoft® CoReXT","InitiatingProcessVersionInfoProductVersion":"2.7.41491.1057","IsAzureInfoProtectionApplied":null,"MD5":"b41a36dcfd9295b503b6bbc90bc12345","MachineGroup":"UnassignedGroup","PreviousFileName":null,"PreviousFolderPath":null,"ReportId":112,"RequestAccountDomain":"NT 
AUTHORITY","RequestAccountName":"SYSTEM","RequestAccountSid":"S-1-5-18","RequestProtocol":"Local","RequestSourceIP":null,"RequestSourcePort":null,"SHA1":"1bc5066ddf693fc034d6514618854e26a84fd0d1","SHA256":"add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88","SensitivityLabel":null,"SensitivitySubLabel":null,"ShareName":null,"Timestamp":"2022-11-07T16:45:21.2119114Z"},"tenantId":"12345af3-bc0e-4f36-b08e-27759e912345","time":"2022-11-07T17:20:21.0560538Z"} {"Tenant":"DefaultTenant","category":"AdvancedHunting-DeviceImageLoadEvents","operationName":"Publish","properties":{"ActionType":"ImageLoaded","AppGuardContainerId":null,"DeviceId":"de6509d550e605faf3bbeac0905ab9590fe12345","DeviceName":"testmachine5","FileName":"System.Management.ni.dll","FileSize":1458688,"FolderPath":"C:\\Windows\\assembly\\NativeImages_v4.0.30319_64\\System.Management\\8af759007c012da690062882e06694f1\\System.Management.ni.dll","InitiatingProcessAccountDomain":"nt authority","InitiatingProcessAccountName":"system","InitiatingProcessAccountObjectId":null,"InitiatingProcessAccountSid":"S-1-5-18","InitiatingProcessAccountUpn":null,"InitiatingProcessCommandLine":"WaAppAgent.exe","InitiatingProcessCreationTime":"2022-11-07T16:45:10.3952444Z","InitiatingProcessFileName":"waappagent.exe","InitiatingProcessFileSize":91360,"InitiatingProcessFolderPath":"c:\\windowsazure\\guestagent_2.7.41491.1057_2022-11-07_163802\\waappagent.exe","InitiatingProcessId":5692,"InitiatingProcessIntegrityLevel":"System","InitiatingProcessMD5":"ac71a4a58ffeb96a5d4724c1849ac456","InitiatingProcessParentCreationTime":"2022-11-07T16:34:26.5433488Z","InitiatingProcessParentFileName":"services.exe","InitiatingProcessParentId":812,"InitiatingProcessSHA1":"2f88f5bbdaae8a57287dcc12c7d2ea8cdc57260a","InitiatingProcessSHA256":"1addd6bc9893fb68076c44d9290f07c10d2cc98362d2c17d7e01e5e3a6374635","InitiatingProcessTokenElevation":"TokenElevationTypeDefault","InitiatingProcessVersionInfoCompanyName":"Microsoft 
Corporation","InitiatingProcessVersionInfoFileDescription":"Microsoft Azure®","InitiatingProcessVersionInfoInternalFileName":"WaAppAgent","InitiatingProcessVersionInfoOriginalFileName":"WaAppAgent.exe","InitiatingProcessVersionInfoProductName":"Microsoft® CoReXT","InitiatingProcessVersionInfoProductVersion":"2.7.41491.1057","MD5":"01a97134d9927a4001649b1d9ff25397","MachineGroup":"UnassignedGroup","ReportId":93,"SHA1":"1bc67905ae5c8e81014aa4290a338ace6a3b103e","SHA256":"62b9597b5cf263a7e76913613e1b565c0f7436ccc4ef515bf40f400a5023de8a","Timestamp":"2022-11-07T16:45:19.295067Z"},"tenantId":"12345af3-bc0e-4f36-b08e-27759e912345","time":"2022-11-07T17:20:52.5604763Z"} +{"Tenant":"DefaultTenant","category":"AdvancedHunting-DeviceImageLoadEvents","operationName":"Publish","properties":{"ActionType":"ImageLoaded","AppGuardContainerId":"","DeviceId":"2af9e3da2eb7bd1b6c1fccb55ab5cd4cdec1e583","DeviceName":"desktop-device","FileName":"System.Xml.Linq.ni.dll","FileSize":487936,"FolderPath":"C:\\Windows\\assembly\\NativeImages_v4.0.30319_64\\System.Xml.Linq\\627faf5941962a993235402a1c2bf310\\System.Xml.Linq.ni.dll","InitiatingProcessAccountDomain":"nt authority","InitiatingProcessAccountName":"system","InitiatingProcessAccountObjectId":null,"InitiatingProcessAccountSid":"S-1-5-18","InitiatingProcessAccountUpn":null,"InitiatingProcessCommandLine":"mscorsvw.exe -StartupEvent 1ec -InterruptEvent 0 -NGENProcess 1dc -Pipe 1e8 -Comment \"NGen Worker 
Process\"","InitiatingProcessCreationTime":"2024-05-08T15:33:47.3578095Z","InitiatingProcessFileName":"mscorsvw.exe","InitiatingProcessFileSize":138712,"InitiatingProcessFolderPath":"c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\mscorsvw.exe","InitiatingProcessId":5664,"InitiatingProcessIntegrityLevel":"System","InitiatingProcessMD5":"97c285d649490f444176ea50170a2653","InitiatingProcessParentCreationTime":"2024-05-08T15:33:47.298751Z","InitiatingProcessParentFileName":"ngen.exe","InitiatingProcessParentId":2040,"InitiatingProcessSHA1":"4350b1923036348429b0cb174cb6a8699cf99f88","InitiatingProcessSHA256":"b63825d9b79213568cb57a52a7d607d8f9d7481ec5a0b260a6ace9f2fcd8f507","InitiatingProcessTokenElevation":"TokenElevationTypeDefault","InitiatingProcessVersionInfoCompanyName":"Microsoft Corporation","InitiatingProcessVersionInfoFileDescription":".NET Runtime Optimization Service","InitiatingProcessVersionInfoInternalFileName":"mscorsvw.exe","InitiatingProcessVersionInfoOriginalFileName":"mscorsvw.exe","InitiatingProcessVersionInfoProductName":"Microsoft® .NET Framework","InitiatingProcessVersionInfoProductVersion":"4.8.9093.0","MD5":"6535df1faaab240ca6331f074cd7893c","MachineGroup":null,"ReportId":24105,"SHA1":"eada7334c9922fbe97974d6e7610bea422d769e9","SHA256":"b2f607b46e185a9e67d9ad55f48e653c80e0c635c38c8909d29ba45de1634c3f","Timestamp":"2024-05-08T15:33:47.460675Z"},"tenantId":"12345af3-bc0e-4f36-b08e-27759e912345","time":"2024-05-08T15:39:06.4108776Z"} 
+{"Tenant":"DefaultTenant","category":"AdvancedHunting-DeviceImageLoadEvents","operationName":"Publish","properties":{"ActionType":"ImageLoaded","AppGuardContainerId":"","DeviceId":"2af9e3da2eb7bd1b6c1fccb55ab5cd4cdec1e583","DeviceName":"desktop-device2","FileName":"Microsoft.PowerShell.Commands.Utility.ni.dll","FileSize":13741056,"FolderPath":"C:\\Windows\\assembly\\NativeImages_v4.0.30319_64\\Microsoft.P521220ea#\\b555103c65d06ec11628ea371b9fdcd9\\Microsoft.PowerShell.Commands.Utility.ni.dll","InitiatingProcessAccountDomain":"nt authority","InitiatingProcessAccountName":"system","InitiatingProcessAccountObjectId":null,"InitiatingProcessAccountSid":"S-1-5-18","InitiatingProcessAccountUpn":null,"InitiatingProcessCommandLine":"mscorsvw.exe -StartupEvent 1ec -InterruptEvent 0 -NGENProcess 1dc -Pipe 1e8 -Comment \"NGen Worker Process\"","InitiatingProcessCreationTime":"2024-05-08T15:33:47.3578095Z","InitiatingProcessFileName":"mscorsvw.exe","InitiatingProcessFileSize":138712,"InitiatingProcessFolderPath":"c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\mscorsvw.exe","InitiatingProcessId":5664,"InitiatingProcessIntegrityLevel":"System","InitiatingProcessMD5":"97c285d649490f444176ea50170a2653","InitiatingProcessParentCreationTime":"2024-05-08T15:33:47.298751Z","InitiatingProcessParentFileName":"ngen.exe","InitiatingProcessParentId":2040,"InitiatingProcessSHA1":"4350b1923036348429b0cb174cb6a8699cf99f88","InitiatingProcessSHA256":"b63825d9b79213568cb57a52a7d607d8f9d7481ec5a0b260a6ace9f2fcd8f507","InitiatingProcessTokenElevation":"TokenElevationTypeDefault","InitiatingProcessVersionInfoCompanyName":"Microsoft Corporation","InitiatingProcessVersionInfoFileDescription":".NET Runtime Optimization Service","InitiatingProcessVersionInfoInternalFileName":"mscorsvw.exe","InitiatingProcessVersionInfoOriginalFileName":"mscorsvw.exe","InitiatingProcessVersionInfoProductName":"Microsoft® .NET 
Framework","InitiatingProcessVersionInfoProductVersion":"4.8.9093.0","MD5":"551911f3db381004b7f1a85f153374cf","MachineGroup":null,"ReportId":24102,"SHA1":"8c66ab9c6a46dea263ca3f5e022e3f454e4c44d8","SHA256":"37653d1a68a2b0ee1834926ac7f9d4c2ad0fb04a4f3720e9fbb9442170642e44","Timestamp":"2024-05-08T15:33:47.4284452Z"},"tenantId":"12345af3-bc0e-4f36-b08e-27759e912345","time":"2024-05-08T15:39:06.4108633Z"} {"Tenant":"DefaultTenant","category":"AdvancedHunting-DeviceInfo","operationName":"Publish","properties":{"AadDeviceId":null,"AdditionalFields":null,"AssetValue":"testvalue","IsInternetFacing":true,"DeviceManualTags":"testtags","DeviceDynamicTags":"testdynamictags","ExposureLevel":"testlevel","SensorHealthState":"somestatus","ExclusionReason":"somereason","IsExcluded":false,"ClientVersion":"10.8210.19041.2006","DeviceCategory":"Endpoint","DeviceId":"999b6fd7c532534ba50b3232fa992c38a2712345","DeviceName":"testmachine6","DeviceSubtype":null,"DeviceType":"Workstation","IsAzureADJoined":false,"JoinType":null,"LoggedOnUsers":"[{\"UserName\":\"administrator1\"}, {\"UserName\":\"administrator2\"}]","MachineGroup":"UnassignedGroup","MergedDeviceIds":null,"MergedToDeviceId":null,"Model":null,"OSArchitecture":null,"OSBuild":null,"OSDistribution":null,"OSPlatform":null,"OSVersion":null,"OSVersionInfo":null,"OnboardingStatus":"Onboarded","PublicIP":"81.2.69.142","RegistryDeviceTag":"evaluation","ReportId":12942,"Timestamp":"2022-11-08T05:56:25.8832339Z","Vendor":null},"tenantId":"12345af3-bc0e-4f36-b08e-27759e912345","time":"2022-11-08T06:01:15.8987913Z"} 
{"Tenant":"DefaultTenant","category":"AdvancedHunting-DeviceLogonEvents","operationName":"Publish","properties":{"AccountDomain":null,"AccountName":"administrator","AccountSid":null,"ActionType":"LogonFailed","AdditionalFields":"{\"IsLocalLogon\":true}","AppGuardContainerId":null,"DeviceId":"999b6fd7c532534ba50b3232fa992c38a273d4fb","DeviceName":"testmachine6","FailureReason":"InvalidUserNameOrPassword","InitiatingProcessAccountDomain":null,"InitiatingProcessAccountName":null,"InitiatingProcessAccountObjectId":null,"InitiatingProcessAccountSid":null,"InitiatingProcessAccountUpn":null,"InitiatingProcessCommandLine":null,"InitiatingProcessCreationTime":null,"InitiatingProcessFileName":null,"InitiatingProcessFileSize":null,"InitiatingProcessFolderPath":null,"InitiatingProcessId":0,"InitiatingProcessIntegrityLevel":null,"InitiatingProcessMD5":null,"InitiatingProcessParentCreationTime":null,"InitiatingProcessParentFileName":null,"InitiatingProcessParentId":0,"InitiatingProcessSHA1":null,"InitiatingProcessSHA256":null,"InitiatingProcessTokenElevation":"None","InitiatingProcessVersionInfoCompanyName":null,"InitiatingProcessVersionInfoFileDescription":null,"InitiatingProcessVersionInfoInternalFileName":null,"InitiatingProcessVersionInfoOriginalFileName":null,"InitiatingProcessVersionInfoProductName":null,"InitiatingProcessVersionInfoProductVersion":null,"IsLocalAdmin":null,"LogonId":null,"LogonType":"Network","MachineGroup":"UnassignedGroup","Protocol":"NTLM","RemoteDeviceName":null,"RemoteIP":"67.43.156.1","RemoteIPType":"Public","RemotePort":0,"ReportId":3551,"Timestamp":"2022-11-09T17:47:28.8167685Z"},"tenantId":"12345af3-bc0e-4f36-b08e-27759e912345","time":"2022-11-09T17:51:33.5625286Z"} 
{"Tenant":"DefaultTenant","category":"AdvancedHunting-DeviceNetworkEvents","operationName":"Publish","properties":{"ActionType":"NetworkSignatureInspected","AdditionalFields":"{\"SignatureName\":\"HTTP_Server\"}","AppGuardContainerId":null,"DeviceId":"999b6fd7c532534ba50b3232fa992c38a2712345","DeviceName":"testmachine6","InitiatingProcessAccountDomain":null,"InitiatingProcessAccountName":null,"InitiatingProcessAccountObjectId":null,"InitiatingProcessAccountSid":null,"InitiatingProcessAccountUpn":null,"InitiatingProcessCommandLine":null,"InitiatingProcessCreationTime":null,"InitiatingProcessFileName":null,"InitiatingProcessFileSize":null,"InitiatingProcessFolderPath":null,"InitiatingProcessId":0,"InitiatingProcessIntegrityLevel":null,"InitiatingProcessMD5":null,"InitiatingProcessParentCreationTime":null,"InitiatingProcessParentFileName":null,"InitiatingProcessParentId":0,"InitiatingProcessSHA1":null,"InitiatingProcessSHA256":null,"InitiatingProcessTokenElevation":"None","InitiatingProcessVersionInfoCompanyName":null,"InitiatingProcessVersionInfoFileDescription":null,"InitiatingProcessVersionInfoInternalFileName":null,"InitiatingProcessVersionInfoOriginalFileName":null,"InitiatingProcessVersionInfoProductName":null,"InitiatingProcessVersionInfoProductVersion":null,"LocalIP":"81.2.69.144","LocalIPType":null,"LocalPort":80,"MachineGroup":"UnassignedGroup","Protocol":null,"RemoteIP":"81.2.69.142","RemoteIPType":null,"RemotePort":50094,"RemoteUrl":null,"ReportId":2321,"Timestamp":"2022-11-09T17:43:28.18835Z"},"tenantId":"12345af3-bc0e-4f36-b08e-27759e912345","time":"2022-11-09T17:47:35.5577637Z"} 
+{"Tenant":"DefaultTenant","category":"AdvancedHunting-DeviceNetworkEvents","operationName":"Publish","properties":{"ActionType":"DnsConnectionInspected","AdditionalFields":"{\"direction\":\"Out\",\"trans_id\":\"37169\",\"rtt\":\"1.3255689144134521\",\"query\":\"download.windowsupdate.com\",\"qclass\":\"1\",\"qclass_name\":\"C_INTERNET\",\"qtype\":\"1\",\"qtype_name\":\"A\",\"rcode\":\"0\",\"uid\":\"CTrCWZ207PBR4uklAe\",\"rcode_name\":\"NOERROR\",\"AA\":\"false\",\"TC\":\"false\",\"RD\":\"true\",\"RA\":\"true\",\"answers\":\"[\\\"89.160.20.112\\\",\\\"google.com\\\"]\",\"TTLs\":\"[5.0,5.0]\",\"rejected\":\"false\",\"ts\":\"133595672992404310\"}","AppGuardContainerId":"","DeviceId":"2af9e3da2eb7bd1b6c1fccb55ab5cd4cdec1e583","DeviceName":"desktop-name","InitiatingProcessAccountDomain":null,"InitiatingProcessAccountName":null,"InitiatingProcessAccountObjectId":null,"InitiatingProcessAccountSid":null,"InitiatingProcessAccountUpn":null,"InitiatingProcessCommandLine":null,"InitiatingProcessCreationTime":null,"InitiatingProcessFileName":null,"InitiatingProcessFileSize":null,"InitiatingProcessFolderPath":null,"InitiatingProcessId":0,"InitiatingProcessIntegrityLevel":null,"InitiatingProcessMD5":null,"InitiatingProcessParentCreationTime":null,"InitiatingProcessParentFileName":null,"InitiatingProcessParentId":0,"InitiatingProcessSHA1":null,"InitiatingProcessSHA256":null,"InitiatingProcessTokenElevation":"None","InitiatingProcessVersionInfoCompanyName":null,"InitiatingProcessVersionInfoFileDescription":null,"InitiatingProcessVersionInfoInternalFileName":null,"InitiatingProcessVersionInfoOriginalFileName":null,"InitiatingProcessVersionInfoProductName":null,"InitiatingProcessVersionInfoProductVersion":null,"LocalIP":"192.168.133.128","LocalIPType":null,"LocalPort":55944,"MachineGroup":null,"Protocol":"Udp","RemoteIP":"192.168.133.2","RemoteIPType":null,"RemotePort":53,"RemoteUrl":null,"ReportId":17363,"Timestamp":"2024-05-07T14:55:00.5675973Z"},"tenantId":"12345af3-bc0e-4f36-b08e
-27759e912345","time":"2024-05-07T14:59:09.2046961Z"} {"Tenant":"DefaultTenant","category":"AdvancedHunting-DeviceNetworkInfo","operationName":"Publish","properties":{"ConnectedNetworks":"[{\"Name\":\"Network\",\"Description\":\"Network\",\"IsConnectedToInternet\":true,\"Category\":\"Public\"}, {\"Name\":\"Network2\",\"Description\":\"Network2\",\"IsConnectedToInternet\":true,\"Category\":\"Public2\"}]","DefaultGateways":"[\"67.43.156.5\"]","DeviceId":"999b6fd7c532534ba50b3232fa992c38a273d4fb","DeviceName":"testmachine6","DnsAddresses":"[\"67.43.156.2\"]","IPAddresses":"[{\"IPAddress\":\"67.43.156.0\",\"SubnetPrefix\":26,\"AddressType\":\"Private\"},{\"IPAddress\":\"fe80::39f0:832a:89a1:f6e1\",\"SubnetPrefix\":64,\"AddressType\":\"Private\"},{\"IPAddress\":\"67.43.156.1\",\"SubnetPrefix\":26,\"AddressType\":\"Private1\"},{\"IPAddress\":\"fe80::39f0:832a:89a1:f6e2\",\"SubnetPrefix\":64,\"AddressType\":\"Private2\"}]","IPv4Dhcp":"67.43.156.2","IPv6Dhcp":null,"MacAddress":"000D3A9EC781","MachineGroup":"UnassignedGroup","NetworkAdapterName":"{31D7786C-13B8-421D-A3D8-308787B9A9FF}","NetworkAdapterStatus":"Up","NetworkAdapterType":"Ethernet","NetworkAdapterVendor":null,"ReportId":4700,"Timestamp":"2022-11-09T17:54:53.5345682Z","TunnelType":"None"},"tenantId":"12345af3-bc0e-4f36-b08e-27759e912345","time":"2022-11-09T18:00:01.8319849Z"} {"Tenant":"DefaultTenant","category":"AdvancedHunting-DeviceProcessEvents","operationName":"Publish","properties":{"AccountDomain":"testmachine6","AccountName":"administrator1","AccountObjectId":null,"AccountSid":"S-1-5-21-1874808502-2282282112-3464708742-500","AccountUpn":null,"ActionType":"ProcessCreated","AdditionalFields":"[]","AppGuardContainerId":null,"DeviceId":"999b6fd7c532534ba50b3232fa992c38a273d4fb","DeviceName":"testmachine6","FileName":"smartscreen.exe","FileSize":2387456,"FolderPath":"C:\\Windows\\System32\\smartscreen.exe","InitiatingProcessAccountDomain":"nt 
authority","InitiatingProcessAccountName":"system","InitiatingProcessAccountObjectId":null,"InitiatingProcessAccountSid":"S-1-5-18","InitiatingProcessAccountUpn":null,"InitiatingProcessCommandLine":"svchost.exe -k DcomLaunch -p","InitiatingProcessCreationTime":"2022-11-09T17:39:34.1193719Z","InitiatingProcessFileName":"svchost.exe","InitiatingProcessFileSize":55320,"InitiatingProcessFolderPath":"c:\\windows\\system32\\svchost.exe","NetworkAdapterName":"en01","InitiatingProcessId":996,"InitiatingProcessIntegrityLevel":"System","InitiatingProcessLogonId":999,"InitiatingProcessMD5":"b7f884c1b74a263f746ee12a5f7c9f6a","InitiatingProcessParentCreationTime":"2022-11-09T17:39:33.8279942Z","InitiatingProcessParentFileName":"services.exe","InitiatingProcessParentId":852,"InitiatingProcessSHA1":"1bc5066ddf693fc034d6514618854e26a84fd0d1","InitiatingProcessSHA256":"add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88","InitiatingProcessSignatureStatus":"Valid","InitiatingProcessSignerType":"OsVendor","InitiatingProcessTokenElevation":"TokenElevationTypeDefault","InitiatingProcessVersionInfoCompanyName":"Microsoft Corporation","InitiatingProcessVersionInfoFileDescription":"Host Process for Windows Services","InitiatingProcessVersionInfoInternalFileName":"svchost.exe","InitiatingProcessVersionInfoOriginalFileName":"svchost.exe","InitiatingProcessVersionInfoProductName":"Microsoft® Windows® Operating System","InitiatingProcessVersionInfoProductVersion":"10.0.19041.1806","LogonId":1443318,"MD5":"b9d697df9e883f0d99720b0430448cb1","MachineGroup":"UnassignedGroup","ProcessCommandLine":"smartscreen.exe -Embedding","ProcessCreationTime":"2022-11-09T17:59:52.0344972Z","ProcessId":6412,"ProcessIntegrityLevel":"High","ProcessTokenElevation":"TokenElevationTypeDefault","ProcessVersionInfoCompanyName":"Microsoft Corporation","ProcessVersionInfoFileDescription":"Windows Defender 
SmartScreen","ProcessVersionInfoInternalFileName":"smartscreen.exe","ProcessVersionInfoOriginalFileName":"smartscreen.exe","ProcessVersionInfoProductName":"Microsoft® Windows® Operating System","ProcessVersionInfoProductVersion":"10.0.19041.2251","ReportId":4824,"SHA1":"9dec87de894f5228033f87cf874441502bfa4f97","SHA256":"8011a5f4ac65d85cbe593bdad886449e3807d950b234e77c675a0f7ca3b7c781","Timestamp":"2022-11-09T17:59:52.6265786Z"},"tenantId":"12345af3-bc0e-4f36-b08e-27759e912345","time":"2022-11-09T18:03:21.9948950Z"} {"Tenant":"DefaultTenant","category":"AdvancedHunting-DeviceRegistryEvents","operationName":"Publish","properties":{"ActionType":"RegistryValueSet","AppGuardContainerId":null,"DeviceId":"999b6fd7c532534ba50b3232fa992c38a273d4fb","DeviceName":"testmachine6","InitiatingProcessAccountDomain":"nt authority","InitiatingProcessAccountName":"system","InitiatingProcessAccountObjectId":null,"InitiatingProcessAccountSid":"S-1-5-18","InitiatingProcessAccountUpn":null,"InitiatingProcessCommandLine":"powershell.exe -ExecutionPolicy AllSigned -NoProfile -NonInteractive","InitiatingProcessCreationTime":"2022-11-09T19:17:20.4156553Z","InitiatingProcessFileName":"powershell.exe","InitiatingProcessFileSize":452608,"InitiatingProcessFolderPath":"c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe","InitiatingProcessId":5900,"InitiatingProcessIntegrityLevel":"System","InitiatingProcessMD5":"04029e121a0cfa5991749937dd22a1d9","InitiatingProcessParentCreationTime":"2022-11-09T19:16:54.9433819Z","InitiatingProcessParentFileName":"SenseIR.exe","InitiatingProcessParentId":5668,"InitiatingProcessSHA1":"f43d9bb316e30ae1a3494ac5b0624f6bea1bf054","InitiatingProcessSHA256":"9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f","InitiatingProcessTokenElevation":"TokenElevationTypeDefault","InitiatingProcessVersionInfoCompanyName":"Microsoft Corporation","InitiatingProcessVersionInfoFileDescription":"Windows 
PowerShell","InitiatingProcessVersionInfoInternalFileName":"POWERSHELL","InitiatingProcessVersionInfoOriginalFileName":"PowerShell.EXE","InitiatingProcessVersionInfoProductName":"Microsoft® Windows® Operating System","InitiatingProcessVersionInfoProductVersion":"10.0.19041.546","MachineGroup":"UnassignedGroup","PreviousRegistryKey":null,"PreviousRegistryValueData":null,"PreviousRegistryValueName":"Blob","RegistryKey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\Windows Live ID Token Issuer\\Certificates\\B68D8F953E551914324E557E6164D68B9926650C","RegistryValueData":null,"RegistryValueName":"Blob","RegistryValueType":"Binary","ReportId":6571,"Timestamp":"2022-11-09T19:17:43.5752234Z"},"tenantId":"12345af3-bc0e-4f36-b08e-27759e912345","time":"2022-11-09T19:23:21.8925266Z"} +{"Tenant":"DefaultTenant","category":"AdvancedHunting-DeviceRegistryEvents","operationName":"Publish","properties":{"ActionType":"RegistryValueSet","AppGuardContainerId":"","DeviceId":"2af9e3da2eb7bd1b6c1fccb55ab5cd4cdec1e583","DeviceName":"desktop-device3","InitiatingProcessAccountDomain":"nt authority","InitiatingProcessAccountName":"system","InitiatingProcessAccountObjectId":null,"InitiatingProcessAccountSid":"S-1-5-18","InitiatingProcessAccountUpn":null,"InitiatingProcessCommandLine":"\"MsSense.exe\"","InitiatingProcessCreationTime":"2024-05-06T11:55:32.2214858Z","InitiatingProcessFileName":"mssense.exe","InitiatingProcessFileSize":522184,"InitiatingProcessFolderPath":"c:\\program files\\windows defender advanced threat 
protection\\mssense.exe","InitiatingProcessId":4688,"InitiatingProcessIntegrityLevel":"System","InitiatingProcessMD5":"71fc679ef0665dde1cbb72c95cecf894","InitiatingProcessParentCreationTime":"2024-05-06T11:48:52.81722Z","InitiatingProcessParentFileName":"services.exe","InitiatingProcessParentId":688,"InitiatingProcessSHA1":"d608e39caae86429f9f45b7f9a1f0417222cf641","InitiatingProcessSHA256":"1b32190da2ba5be59c35fa659cc063d1dd98a9f87d0b0a716f99fbc1c8433022","InitiatingProcessTokenElevation":"TokenElevationTypeDefault","InitiatingProcessVersionInfoCompanyName":"Microsoft Corporation","InitiatingProcessVersionInfoFileDescription":"Windows Defender Advanced Threat Protection Service Executable","InitiatingProcessVersionInfoInternalFileName":"MsSense.exe","InitiatingProcessVersionInfoOriginalFileName":"MsSense.exe","InitiatingProcessVersionInfoProductName":"Microsoft® Windows® Operating System","InitiatingProcessVersionInfoProductVersion":"10.8737.26020.1018","MachineGroup":null,"PreviousRegistryKey":"","PreviousRegistryValueData":null,"PreviousRegistryValueName":"782655b2-0575-4aa2-82b8-7fd560afeff6","RegistryKey":"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\WMI\\Security","RegistryValueData":null,"RegistryValueName":"782655b2-0575-4aa2-82b8-7fd560afeff6","RegistryValueType":"Binary","ReportId":21669,"Timestamp":"2024-05-08T15:23:15.8225851Z"},"tenantId":"12345af3-bc0e-4f36-b08e-27759e912345","time":"2024-05-08T15:27:56.0452290Z"} {"Tenant":"DefaultTenant","category":"AdvancedHunting-DeviceNetworkEvents","operationName":"Publish","properties":{"Timestamp": "2023-07-19T12:17:42.7782364Z","DeviceId": "22bb10ffe3104214b20fc7de339a2b053e915e5c","DeviceName": "janeslaptop1.corporatedomain","ActionType": "ConnectionFailed","RemoteIP": "175.16.199.0","RemotePort": 80,"RemoteUrl": "subdomain.domain.tld","LocalIP": "89.160.20.112","LocalPort": 50258,"Protocol": "Tcp","LocalIPType": "Private","RemoteIPType": "Public","InitiatingProcessSHA1": 
"3e44b0d0319d24fa51b472de23062b10c0c32ec3","InitiatingProcessSHA256": "fe0ddd41ed02f1faa59526c53178c8366d9c90a777619eaaf7b7e5656f3ea4cb","InitiatingProcessMD5": "df9b3bee634a5578481a8c7cf4f614a3","InitiatingProcessFileName": "msedgewebview2.exe","InitiatingProcessFileSize": 3657056,"InitiatingProcessVersionInfoCompanyName": "Microsoft Corporation","InitiatingProcessVersionInfoProductName": "Microsoft Edge WebView2","InitiatingProcessVersionInfoProductVersion": "114.0.1823.79","InitiatingProcessVersionInfoInternalFileName": "msedgewebview2_exe","InitiatingProcessVersionInfoOriginalFileName": "msedgewebview2.exe","InitiatingProcessVersionInfoFileDescription": "Microsoft Edge WebView2","InitiatingProcessId": 17916,"InitiatingProcessCommandLine": "\"msedgewebview2.exe\" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --noerrdialogs --user-data-dir=\"C:\\Users\\username\\AppData\\Local\\Citrix\\SelfService\\CitrixWebControlCache\\EBWebView\" --webview-exe-name=SelfService.exe --webview-exe-version=22.3.1.22 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --mojo-platform-channel-handle=3456 --field-trial-handle=1824,i --enable-features=msSingleSignOnOSForPrimaryAccountIsShared --disable-features=MojoIpcz /prefetch:3 /pfhostedapp:1234","InitiatingProcessCreationTime": "2023-08-09T18:43:00.0810399Z","InitiatingProcessFolderPath": "c:\\program files (x86)\\microsoft\\edgewebview\\application\\114.0.1823.79\\msedgewebview2.exe","InitiatingProcessParentFileName": "msedgewebview2.exe","InitiatingProcessParentId": 17808,"InitiatingProcessParentCreationTime": "2023-08-09T18:42:58.8197327Z","InitiatingProcessAccountDomain": "corporatedomain","InitiatingProcessAccountName": "username","InitiatingProcessAccountSid": "S-1-5-21-57989841-2025429265-839522115-329672","InitiatingProcessAccountUpn": "email@domain","InitiatingProcessAccountObjectId": 
"3600a12b-9d66-4dc3-9e2a-956c3623d0e4","InitiatingProcessIntegrityLevel": "Medium","InitiatingProcessTokenElevation": "TokenElevationTypeDefault","ReportId": 110313,"AppGuardContainerId":null,"AdditionalFields":null},"tenantId":"12345af3-bc0e-4f36-b08e-27759e912345","time":"2023-07-19T18:03:21.9948950Z"} {"Tenant":"DefaultTenant","category":"AdvancedHunting-DeviceNetworkEvents","operationName":"Publish","properties":{"Timestamp": "2023-07-19T12:16:10.7489034Z","DeviceId": "22bb10ffe3104214b20fc7de339a2b053e915e5c","DeviceName": "janeslaptop1.corporatedomain","ActionType": "DnsConnectionInspected","RemoteIP": "175.16.199.0","RemotePort": 53,"RemoteUrl":null,"LocalIP": "89.160.20.112","LocalPort": 54125,"Protocol": "Udp","LocalIPType":null,"RemoteIPType":null,"InitiatingProcessSHA1":null,"InitiatingProcessSHA256":null,"InitiatingProcessMD5":null,"InitiatingProcessFileName":null,"InitiatingProcessFileSize":null,"InitiatingProcessVersionInfoCompanyName":null,"InitiatingProcessVersionInfoProductName":null,"InitiatingProcessVersionInfoProductVersion":null,"InitiatingProcessVersionInfoInternalFileName":null,"InitiatingProcessVersionInfoOriginalFileName":null,"InitiatingProcessVersionInfoFileDescription":null,"InitiatingProcessId": 0,"InitiatingProcessCommandLine":null,"InitiatingProcessCreationTime":null,"InitiatingProcessFolderPath":null,"InitiatingProcessParentFileName":null,"InitiatingProcessParentId": 0,"InitiatingProcessParentCreationTime":null,"InitiatingProcessAccountDomain":null,"InitiatingProcessAccountName":null,"InitiatingProcessAccountSid":null,"InitiatingProcessAccountUpn":null,"InitiatingProcessAccountObjectId":null,"InitiatingProcessIntegrityLevel":null,"InitiatingProcessTokenElevation": "None","ReportId": 19542,"AppGuardContainerId":null,"AdditionalFields": { "direction": "Out", "trans_id": "18296", "rtt": "0.05926012992858887", "query": "janeslaptop1.corporatedomain", "qclass": "1", "qclass_name": "C_INTERNET", "qtype": "1", "qtype_name": "A", "rcode": 
"0", "uid": "CpeJkh3698EpWwy4Z9", "rcode_name": "NOERROR", "AA": "true", "TC": "false", "RD": "true", "RA": "true", "answers": "[\"89.160.20.112\"]", "TTLs": "[1200.0]", "rejected": "false", "ts": "133370937691236740"}},"tenantId":"12345af3-bc0e-4f36-b08e-27759e912345","time":"2023-07-19T18:03:22.9948950Z"} {"Tenant":"DefaultTenant","category":"AdvancedHunting-DeviceNetworkEvents","operationName":"Publish","properties":{"Timestamp": "2023-07-19T12:16:28.6231143Z","DeviceId": "22bb10ffe3104214b20fc7de339a2b053e915e5c","DeviceName": "janeslaptop1.corporatedomain","ActionType": "NtlmAuthenticationInspected","RemoteIP": "175.16.199.0","RemotePort": 135,"RemoteUrl":null,"LocalIP": "89.160.20.112","LocalPort": 55514,"Protocol": "Tcp","LocalIPType":null,"RemoteIPType":null,"InitiatingProcessSHA1":null,"InitiatingProcessSHA256":null,"InitiatingProcessMD5":null,"InitiatingProcessFileName":null,"InitiatingProcessFileSize":null,"InitiatingProcessVersionInfoCompanyName":null,"InitiatingProcessVersionInfoProductName":null,"InitiatingProcessVersionInfoProductVersion":null,"InitiatingProcessVersionInfoInternalFileName":null,"InitiatingProcessVersionInfoOriginalFileName":null,"InitiatingProcessVersionInfoFileDescription":null,"InitiatingProcessId": 0,"InitiatingProcessCommandLine":null,"InitiatingProcessCreationTime":null,"InitiatingProcessFolderPath":null,"InitiatingProcessParentFileName":null,"InitiatingProcessParentId": 0,"InitiatingProcessParentCreationTime":null,"InitiatingProcessAccountDomain":null,"InitiatingProcessAccountName":null,"InitiatingProcessAccountSid":null,"InitiatingProcessAccountUpn":null,"InitiatingProcessAccountObjectId":null,"InitiatingProcessIntegrityLevel":null,"InitiatingProcessTokenElevation": "None","ReportId": 33108,"AppGuardContainerId":null,"AdditionalFields": { "direction": "In", "server_nb_computer_name": "hostname", "server_nb_domain_name": "corporatedomain", "server_dns_computer_name": "janeslaptop1.corporatedomain", "server_dns_domain_name": 
"corporatedomain", "server_tree_name": "corporatedomain", "uid": "Cd6CKC1yC7AvYHXnq", "server_version": "10.0 22621 15", "ts": "133370931234950000"}},"tenantId":"12345af3-bc0e-4f36-b08e-27759e912345","time":"2023-07-19T18:03:23.9948950Z"} 
@@ -26,4 +30,14 @@ {"Tenant":"DefaultTenant","category":"AdvancedHunting-DeviceProcessEvents","operationName":"Publish","properties":{"Timestamp": "2023-07-19T14:02:19.4882081Z","DeviceId": "22bb10ffe3104214b20fc7de339a2b053e915e5c","DeviceName": "janeslaptop1.corporatedomain","ActionType": "ProcessCreated","FileName": "msedgewebview2.exe","FolderPath": "C:\\Program Files (x86)\\Microsoft\\EdgeWebView\\Application\\114.0.1823.79\\msedgewebview2.exe","SHA1": "271eb137d3d8519cb42e5bccd690a3b9a3059f2a","SHA256": "075d1edc11548c9ebf7f238dea9393f26c5b83cd0362aa4cc24b1d8a6ebc6354","MD5": "b21b158fce974aa46125820ce6b42e9d","FileSize": 3653056,"ProcessVersionInfoCompanyName": "Microsoft Corporation","ProcessVersionInfoProductName": "Microsoft Edge WebView2","ProcessVersionInfoProductVersion": "114.0.1732.12","ProcessVersionInfoInternalFileName": "msedgewebview2_exe","ProcessVersionInfoOriginalFileName": "msedgewebview2.exe","ProcessVersionInfoFileDescription": "Microsoft Edge WebView2","ProcessId": 5498762,"ProcessCommandLine": "\"msedgewebview2.exe\" --type=renderer --noerrdialogs --user-data-dir=\"C:\\Users\\JANEBLOGGS\\AppData\\Local\\Microsoft\\Office\\16.0\\Wef\\webview2\\4ee9dcb0-735b-442e-945c-177c665efe6b_ADAL\\2\\EBWebView\" --webview-exe-name=MSOUTLOOK.EXE","ProcessIntegrityLevel": "Low","ProcessTokenElevation": "TokenElevationTypeDefault","ProcessCreationTime": "2023-07-19T14:02:19.4882081Z","AccountDomain": "corporatedomain","AccountName": "janebloggs","AccountSid": "S-1-5-21-57989841-2025429265-839522115-962270","AccountUpn": "janebloggs@corporate.com","AccountObjectId": "4ee9dcb0-735b-442e-945c-177c665efe6b","LogonId": 3654987,"InitiatingProcessAccountDomain": "corporatedomain","InitiatingProcessAccountName": "janebloggs","InitiatingProcessAccountSid": "S-1-5-21-57989841-2025429265-839522115-962270","InitiatingProcessAccountUpn": "janebloggs@corporate.com","InitiatingProcessAccountObjectId": "4ee9dcb0-735b-442e-945c-177c665efe6b","InitiatingProcessLogonId": 
3654987,"InitiatingProcessIntegrityLevel": "Medium","InitiatingProcessTokenElevation": "TokenElevationTypeDefault","InitiatingProcessSHA1": "271eb137d3d8519cb42e5bccd690a3b9a3059f2a","InitiatingProcessSHA256": "075d1edc11548c9ebf7f238dea9393f26c5b83cd0362aa4cc24b1d8a6ebc6354","InitiatingProcessMD5": "b21b158fce974aa46125820ce6b42e9d","InitiatingProcessFileName": "msedgewebview2.exe","InitiatingProcessFileSize": 5498762,"InitiatingProcessVersionInfoCompanyName": "Microsoft Corporation","InitiatingProcessVersionInfoProductName": "Microsoft Edge WebView2","InitiatingProcessVersionInfoProductVersion": "114.0.1732.12","InitiatingProcessVersionInfoInternalFileName": "msedgewebview2_exe","InitiatingProcessVersionInfoOriginalFileName": "msedgewebview2.exe","InitiatingProcessVersionInfoFileDescription": "Microsoft Edge WebView2","InitiatingProcessId": 65485,"InitiatingProcessCommandLine": "\"msedgewebview2.exe\" --embedded-browser-webview=1 --webview-exe-name=MSOUTLOOK.EXE --webview-exe-version=16.0.15601.20706 --user-data-dir=\"C:\\Users\\USERNAME\\AppData\\Local\\Microsoft\\Office\\16.0\\Wef\\webview2\\1234dcb0-735b-442e-945c-e6c5df94062c_ADAL\\2\\EBWebView\" --noerrdialogs","InitiatingProcessCreationTime":null},"tenantId":"12345af3-bc0e-4f36-b08e-27759e912345","time":"2023-07-19T18:03:21.9948950Z"} {"Tenant":"DefaultTenant","category":"AdvancedHunting-DeviceNetworkEvents","operationName":"Publish","properties":{"Timestamp": "2023-07-19T14:09:43.8734771Z","DeviceId": "22bb10ffe3104214b20fc7de339a2b053e915e5c","DeviceName": "janeslaptop1.corporatedomain","ActionType": "SmtpConnectionInspected","RemoteIP": "-","RemotePort": 25,"RemoteUrl":null,"LocalIP": "-","LocalPort": 60697,"Protocol": 
"Tcp","LocalIPType":null,"RemoteIPType":null,"InitiatingProcessSHA1":null,"InitiatingProcessSHA256":null,"InitiatingProcessMD5":null,"InitiatingProcessFileName":null,"InitiatingProcessFileSize":null,"InitiatingProcessVersionInfoCompanyName":null,"InitiatingProcessVersionInfoProductName":null,"InitiatingProcessVersionInfoProductVersion":null,"InitiatingProcessVersionInfoInternalFileName":null,"InitiatingProcessVersionInfoOriginalFileName":null,"InitiatingProcessVersionInfoFileDescription":null,"InitiatingProcessId": 0,"InitiatingProcessCommandLine":null,"InitiatingProcessCreationTime":null,"InitiatingProcessFolderPath":null,"InitiatingProcessParentFileName":null,"InitiatingProcessParentId": 0,"InitiatingProcessParentCreationTime":null,"InitiatingProcessAccountDomain":null,"InitiatingProcessAccountName":null,"InitiatingProcessAccountSid":null,"InitiatingProcessAccountUpn":null,"InitiatingProcessAccountObjectId":null,"InitiatingProcessIntegrityLevel":null,"InitiatingProcessTokenElevation": "None","ReportId": 18984951960,"AppGuardContainerId":null,"AdditionalFields": { "direction": "Out", "fuids": "[]", "helo": "janeslaptop1.corporatedomain", "last_reply": "220 2.0.0 SMTP server ready", "path": "[\"89.160.20.112\",\"89.160.20.112\"]", "tls": "true", "trans_depth": "1", "uid": "0278e28ff5d8eff6d3"}},"tenantId":"12345af3-bc0e-4f36-b08e-27759e912345","time":"2023-07-19T18:03:34.9948950Z"} 
{"Tenant":"DefaultTenant","category":"AdvancedHunting-DeviceInfo","operationName":"Publish","properties":{"AadDeviceId":null,"AdditionalFields":null,"AssetValue":"testvalue","IsInternetFacing":true,"DeviceManualTags":"testtags","DeviceDynamicTags":"testdynamictags","ExposureLevel":"testlevel","SensorHealthState":"somestatus","ExclusionReason":"somereason","IsExcluded":false,"ClientVersion":"10.8210.19041.2006","DeviceCategory":"Endpoint","DeviceId":"999b6fd7c532534ba50b3232fa992c38a2712345","DeviceName":"testmachine6","DeviceSubtype":null,"DeviceType":"Workstation","IsAzureADJoined":false,"JoinType":null,"LoggedOnUsers":"[{\"UserName\":\"administrator1\"}, {\"UserName\":\"administrator2\"}]","MachineGroup":"UnassignedGroup","MergedDeviceIds":null,"MergedToDeviceId":null,"Model":null,"OSArchitecture":null,"OSBuild":null,"OSDistribution":null,"OSPlatform":null,"OSVersion":null,"OSVersionInfo":null,"OnboardingStatus":"Onboarded","PublicIP":"-","RegistryDeviceTag":"evaluation","ReportId":12942,"Timestamp":"2022-11-08T05:56:25.8832339Z","Vendor":null},"tenantId":"12345af3-bc0e-4f36-b08e-27759e912345","time":"2022-11-08T06:01:15.8987913Z"} +{"Tenant":"DefaultTenant","category":"AdvancedHunting-DeviceEvents","operationName":"Publish","properties":{"AccountDomain":"nt authority","AccountName":"system","AccountSid":"S-1-5-18","ActionType":"ReadProcessMemoryApiCall","AdditionalFields":"{\"TotalBytesCopied\":6847224}","AppGuardContainerId":"","DeviceId":"2af9e3da2eb7bd1b6c1fccb55ab5cd4cdec1e583","DeviceName":"desktop-device210","FileName":"lsass.exe","FileOriginIP":null,"FileOriginUrl":null,"FileSize":60640,"FolderPath":"C:\\Windows\\System32","InitiatingProcessAccountDomain":"nt 
authority","InitiatingProcessAccountName":"system","InitiatingProcessAccountObjectId":null,"InitiatingProcessAccountSid":"S-1-5-18","InitiatingProcessAccountUpn":null,"InitiatingProcessCommandLine":"\"MsMpEng.exe\"","InitiatingProcessCreationTime":"2024-05-06T11:48:54.2153786Z","InitiatingProcessFileName":"MsMpEng.exe","InitiatingProcessFileSize":133576,"InitiatingProcessFolderPath":"C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.24030.9-0","InitiatingProcessId":3232,"InitiatingProcessLogonId":0,"InitiatingProcessMD5":"94d34f16a16b0e735c9d2d94e201b9ce","InitiatingProcessParentCreationTime":"2024-05-06T11:48:52.81722Z","InitiatingProcessParentFileName":"services.exe","InitiatingProcessParentId":688,"InitiatingProcessSHA1":"e83099dd42393ad12002ce4dea5c750d6b0964e5","InitiatingProcessSHA256":"6450755a9bdc845618dcf2cb78f010a1d408ba9b32865a44184a0e80afa3f301","InitiatingProcessVersionInfoCompanyName":"Microsoft Corporation","InitiatingProcessVersionInfoFileDescription":"Antimalware Service Executable","InitiatingProcessVersionInfoInternalFileName":"MsMpEng.exe","InitiatingProcessVersionInfoOriginalFileName":"MsMpEng.exe","InitiatingProcessVersionInfoProductName":"Microsoft® Windows® Operating System","InitiatingProcessVersionInfoProductVersion":"4.18.24030.9","LocalIP":null,"LocalPort":null,"LogonId":null,"MD5":"60e18f7b8d1f43731d0e9169c2d16547","MachineGroup":null,"ProcessCommandLine":null,"ProcessCreationTime":"2024-05-06T11:48:52.8330349Z","ProcessId":700,"ProcessTokenElevation":"TokenElevationTypeDefault","RegistryKey":null,"RegistryValueData":null,"RegistryValueName":null,"RemoteDeviceName":null,"RemoteIP":null,"RemotePort":null,"RemoteUrl":null,"ReportId":24158,"SHA1":"83ebb66f070956225959ee773b468f89ed55479c","SHA256":null,"Timestamp":"2024-05-08T15:35:27.0091751Z"},"tenantId":"12345af3-bc0e-4f36-b08e-27759e912345","time":"2024-05-08T15:40:20.2261934Z"} 
+{"Tenant":"DefaultTenant","category":"AdvancedHunting-DeviceEvents","operationName":"Publish","properties":{"AccountDomain":null,"AccountName":null,"AccountSid":null,"ActionType":"NtProtectVirtualMemoryApiCall","AdditionalFields":null,"AppGuardContainerId":"","DeviceId":"2af9e3da2eb7bd1b6c1fccb55ab5cd4cdec1e583","DeviceName":"desktop-name","FileName":null,"FileOriginIP":null,"FileOriginUrl":null,"FileSize":null,"FolderPath":null,"InitiatingProcessAccountDomain":"desktop-name","InitiatingProcessAccountName":"jonh","InitiatingProcessAccountObjectId":null,"InitiatingProcessAccountSid":"S-1-5-21-2850353385-2443355826-2041408518-1001","InitiatingProcessAccountUpn":null,"InitiatingProcessCommandLine":"\"DllHost.exe\" /Processid:{776DBC8D-7347-478C-8D71-791E12EF49D8}","InitiatingProcessCreationTime":"2024-05-08T15:24:48.1227891Z","InitiatingProcessFileName":"dllhost.exe","InitiatingProcessFileSize":20352,"InitiatingProcessFolderPath":"c:\\windows\\syswow64\\dllhost.exe","InitiatingProcessId":8140,"InitiatingProcessLogonId":717143,"InitiatingProcessMD5":"61df0fa6ef720ddb2c284349d848599f","InitiatingProcessParentCreationTime":"2024-05-06T11:48:52.9496546Z","InitiatingProcessParentFileName":"svchost.exe","InitiatingProcessParentId":832,"InitiatingProcessSHA1":"2cb98ff117a34662c096937005db985929ab2111","InitiatingProcessSHA256":"6947ec4cade9c3f410aafb1d30d9664f6cbda797c983a1bc7a682006bb08a466","InitiatingProcessVersionInfoCompanyName":"Microsoft Corporation","InitiatingProcessVersionInfoFileDescription":"COM Surrogate","InitiatingProcessVersionInfoInternalFileName":"dllhost.exe","InitiatingProcessVersionInfoOriginalFileName":"dllhost.exe","InitiatingProcessVersionInfoProductName":"Microsoft® Windows® Operating 
System","InitiatingProcessVersionInfoProductVersion":"10.0.19041.3636","LocalIP":null,"LocalPort":null,"LogonId":null,"MD5":null,"MachineGroup":null,"ProcessCommandLine":null,"ProcessCreationTime":null,"ProcessId":null,"ProcessTokenElevation":null,"RegistryKey":null,"RegistryValueData":null,"RegistryValueName":null,"RemoteDeviceName":null,"RemoteIP":null,"RemotePort":null,"RemoteUrl":null,"ReportId":22406,"SHA1":null,"SHA256":null,"Timestamp":"2024-05-08T15:24:48.3272705Z"},"tenantId":"12345af3-bc0e-4f36-b08e-27759e912345","time":"2024-05-08T15:28:19.8963638Z"} +{"Tenant":"DefaultTenant","category":"AdvancedHunting-DeviceEvents","operationName":"Publish","properties":{"AccountDomain":null,"AccountName":null,"AccountSid":null,"ActionType":"NtAllocateVirtualMemoryApiCall","AdditionalFields":"{\"BaseAddress\":138490605600768,\"RegionSize\":104,\"ProtectionMask\":64}","AppGuardContainerId":"","DeviceId":"2af9e3da2eb7bd1b6c1fccb55ab5cd4cdec1e583","DeviceName":"desktop-name","FileName":null,"FileOriginIP":null,"FileOriginUrl":null,"FileSize":null,"FolderPath":null,"InitiatingProcessAccountDomain":"desktop-name","InitiatingProcessAccountName":"jonh","InitiatingProcessAccountObjectId":null,"InitiatingProcessAccountSid":"S-1-5-21-2850353385-2443355826-2041408518-1001","InitiatingProcessAccountUpn":null,"InitiatingProcessCommandLine":"iexplore.exe /c echo -Embedding 
;C:\\Users\\Public\\iexplore.exe","InitiatingProcessCreationTime":"2024-05-06T19:34:38.4354434Z","InitiatingProcessFileName":"iexplore.exe","InitiatingProcessFileSize":446976,"InitiatingProcessFolderPath":"c:\\users\\public\\iexplore.exe","InitiatingProcessId":5212,"InitiatingProcessLogonId":717087,"InitiatingProcessMD5":"d1a8228a8bba76ac33195db983f21607","InitiatingProcessParentCreationTime":"2024-05-06T19:34:34.5472444Z","InitiatingProcessParentFileName":"python.exe","InitiatingProcessParentId":6968,"InitiatingProcessSHA1":"72db7587afa1354f6c5dda643b3dff771027b121","InitiatingProcessSHA256":"7fe5a235d305a60255423c2f8cd33bed88c29161a15dac11b609e3788aac575a","InitiatingProcessVersionInfoCompanyName":null,"InitiatingProcessVersionInfoFileDescription":null,"InitiatingProcessVersionInfoInternalFileName":null,"InitiatingProcessVersionInfoOriginalFileName":null,"InitiatingProcessVersionInfoProductName":null,"InitiatingProcessVersionInfoProductVersion":null,"LocalIP":null,"LocalPort":null,"LogonId":null,"MD5":null,"MachineGroup":null,"ProcessCommandLine":null,"ProcessCreationTime":null,"ProcessId":null,"ProcessTokenElevation":null,"RegistryKey":null,"RegistryValueData":null,"RegistryValueName":null,"RemoteDeviceName":null,"RemoteIP":null,"RemotePort":null,"RemoteUrl":null,"ReportId":15906,"SHA1":null,"SHA256":null,"Timestamp":"2024-05-06T19:51:06.4815198Z"},"tenantId":"12345af3-bc0e-4f36-b08e-27759e912345","time":"2024-05-06T19:54:58.0031198Z"} +{"Tenant":"DefaultTenant","category":"AdvancedHunting-DeviceEvents","operationName":"Publish","properties":{"AccountDomain":"nt authority","AccountName":"system","AccountSid":"S-1-5-18","ActionType":"OpenProcessApiCall","AdditionalFields":"{\"DesiredAccess\":5136}","AppGuardContainerId":"","DeviceId":"2cde6cee4dd3a5932ee140f871f6095966e74ff9","DeviceName":"desktop-d45trp5","FileName":"lsass.exe","FileOriginIP":null,"FileOriginUrl":null,"FileSize":59456,"FolderPath":"C:\\Windows\\System32","InitiatingProcessAccountDomain":"nt 
authority","InitiatingProcessAccountName":"system","InitiatingProcessAccountObjectId":null,"InitiatingProcessAccountSid":"S-1-5-18","InitiatingProcessAccountUpn":null,"InitiatingProcessCommandLine":"\"MRT.exe\" /Q /W","InitiatingProcessCreationTime":"2024-05-02T15:53:28.4793777Z","InitiatingProcessFileName":"MRT.exe","InitiatingProcessFileSize":192651728,"InitiatingProcessFolderPath":"C:\\Windows\\System32","InitiatingProcessId":7976,"InitiatingProcessLogonId":999,"InitiatingProcessMD5":"62731ed3c4ad2df6af945f57fe77fba8","InitiatingProcessParentCreationTime":"2024-05-02T15:53:22.44386Z","InitiatingProcessParentFileName":"\\Device\\HarddiskVolume3\\Windows\\SoftwareDistribution\\Download\\Install\\Windows-KB890830-x64-V5.123.exe","InitiatingProcessParentId":1860,"InitiatingProcessSHA1":"049216fd79902074425404a6a1049d0ee219c937","InitiatingProcessSHA256":"d5b4ce826658201115461d70aa2c876aa32e6aa449c200d8d90b008195785f7e","InitiatingProcessVersionInfoCompanyName":"Microsoft Corporation","InitiatingProcessVersionInfoFileDescription":"Microsoft Windows Malicious Software Removal Tool","InitiatingProcessVersionInfoInternalFileName":"mrt.exe","InitiatingProcessVersionInfoOriginalFileName":"mrt.exe","InitiatingProcessVersionInfoProductName":"Microsoft Windows Malicious Software Removal Tool","InitiatingProcessVersionInfoProductVersion":"5.123.24040.1001","LocalIP":null,"LocalPort":null,"LogonId":999,"MD5":"a1cc00332bbf370654ee3dc8cdc8c95a","MachineGroup":null,"ProcessCommandLine":"lsass.exe","ProcessCreationTime":"2024-04-30T17:16:21.6015876Z","ProcessId":648,"ProcessTokenElevation":"TokenElevationTypeDefault","RegistryKey":null,"RegistryValueData":null,"RegistryValueName":null,"RemoteDeviceName":null,"RemoteIP":null,"RemotePort":null,"RemoteUrl":null,"ReportId":7280,"SHA1":"65efbd61f80291ab32ff9799a32b289f21fa1d47","SHA256":null,"Timestamp":"2024-05-02T15:53:56.358579Z"},"tenantId":"12345af3-bc0e-4f36-b08e-27759e912345","time":"2024-05-02T15:58:14.0903277Z"} 
+{"Tenant":"DefaultTenant","category":"AdvancedHunting-DeviceEvents","operationName":"Publish","properties":{"AccountDomain":null,"AccountName":null,"AccountSid":null,"ActionType":"DriverLoad","AdditionalFields":"{\"ImageBase\":\"18446735304154021888\",\"ImageMD5\":\"kAklAHRb6YaQifuDi3tsew==\",\"ImageName\":\"\\\\Device\\\\HarddiskVolume3\\\\Windows\\\\System32\\\\drivers\\\\bthpan.sys\",\"ImageSHA1\":\"kpzraHlktifOktGL6HickKsbAsg=\",\"ImageSHA256\":\"9BPVWcAwLRzYaDRpJV/gPczgNixWuP5VJz9dKYI9Jk4=\",\"UserSid\":\"S-1-5-18\"}","AppGuardContainerId":"","DeviceId":"2af9e3da2eb7bd1b6c1fccb55ab5cd4cdec1e583","DeviceName":"desktop-name","FileName":"bthpan.sys","FileOriginIP":null,"FileOriginUrl":null,"FileSize":null,"FolderPath":"C:\\Windows\\System32\\drivers","InitiatingProcessAccountDomain":"nt authority","InitiatingProcessAccountName":"system","InitiatingProcessAccountObjectId":null,"InitiatingProcessAccountSid":"S-1-5-18","InitiatingProcessAccountUpn":null,"InitiatingProcessCommandLine":null,"InitiatingProcessCreationTime":"2024-05-06T11:48:52.1256635Z","InitiatingProcessFileName":"ntoskrnl.exe","InitiatingProcessFileSize":10871664,"InitiatingProcessFolderPath":"C:\\Windows\\System32","InitiatingProcessId":4,"InitiatingProcessLogonId":0,"InitiatingProcessMD5":"225d4dc97a46861d0eda1748dda4e740","InitiatingProcessParentCreationTime":null,"InitiatingProcessParentFileName":null,"InitiatingProcessParentId":0,"InitiatingProcessSHA1":"54044b5acd720bc61f62338bdbf3f108d82fc5d9","InitiatingProcessSHA256":"d2d44a847fa61ad52982e5694db1376695fd60bc9698060eedd17fc646422f49","InitiatingProcessVersionInfoCompanyName":"Microsoft Corporation","InitiatingProcessVersionInfoFileDescription":"NT Kernel \u0026 System","InitiatingProcessVersionInfoInternalFileName":"ntkrnlmp.exe","InitiatingProcessVersionInfoOriginalFileName":"ntkrnlmp.exe","InitiatingProcessVersionInfoProductName":"Microsoft® Windows® Operating 
System","InitiatingProcessVersionInfoProductVersion":"10.0.19041.4291","LocalIP":null,"LocalPort":null,"LogonId":null,"MD5":"90092500745be9869089fb838b7b6c7b","MachineGroup":null,"ProcessCommandLine":null,"ProcessCreationTime":"2024-05-05T22:25:42.4236026Z","ProcessId":null,"ProcessTokenElevation":null,"RegistryKey":null,"RegistryValueData":null,"RegistryValueName":null,"RemoteDeviceName":null,"RemoteIP":null,"RemotePort":null,"RemoteUrl":null,"ReportId":10400,"SHA1":"929ceb687964b627ce92d18be8789c90ab1b02c8","SHA256":"f413d559c0302d1cd8683469255fe03dcce0362c56b8fe55273f5d29823d264e","Timestamp":"2024-05-06T19:21:01.8790078Z"},"tenantId":"12345af3-bc0e-4f36-b08e-27759e912345","time":"2024-05-06T19:24:37.3461525Z"} {"Tenant":"DefaultTenant","category":"AdvancedHunting-DeviceEvents","operationName":"Publish","properties":{"AccountDomain":null,"AccountName":null,"AccountSid":null,"ActionType":"DpapiAccessed","AdditionalFields":"{\"CallerProcessID\":4248}","AppGuardContainerId":null,"DeviceId":"de6509d550e605faf3bbeac0905ab9590fe12345","DeviceName":"testmachine5","FileName":null,"FileOriginIP":null,"FileOriginUrl":null,"FileSize":329,"FolderPath":null,"InitiatingProcessAccountDomain":"testmachine5","InitiatingProcessAccountName":"administrator1","InitiatingProcessAccountObjectId":null,"InitiatingProcessAccountSid":"S-1-5-21-375308137-164487297-2828222098-111","InitiatingProcessAccountUpn":null,"InitiatingProcessCommandLine":"\"InstallUtil.exe\" /u \"C:\\Program Files (x86)\\Lenovo\\System 
Update\\SUService.exe\"","InitiatingProcessCreationTime":"2022-11-07T17:07:41.698868Z","InitiatingProcessFileName":"backgroundtaskhost.exe","InitiatingProcessFileSize":19776,"InitiatingProcessFolderPath":"c:\\windows\\system32\\InstallUtil.exe","InitiatingProcessId":4248,"InitiatingProcessLogonId":1431021,"InitiatingProcessMD5":"b7f884c1b74a263f746ee12a5f7c9f6a","InitiatingProcessParentCreationTime":"2022-11-07T16:34:27.0112578Z","InitiatingProcessParentFileName":"svchost.exe","InitiatingProcessParentId":948,"InitiatingProcessSHA1":"1bc5066ddf693fc034d6514618854e26a84fd0d1","InitiatingProcessSHA256":"add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88","InitiatingProcessVersionInfoCompanyName":"Microsoft Corporation","InitiatingProcessVersionInfoFileDescription":"Background Task Host","InitiatingProcessVersionInfoInternalFileName":"Background Task Host","InitiatingProcessVersionInfoOriginalFileName":"InstallUtil.exe","InitiatingProcessVersionInfoProductName":"Microsoft® Windows® Operating System","InitiatingProcessVersionInfoProductVersion":"10.0.19041.546","LocalIP":null,"LocalPort":null,"LogonId":null,"MD5":null,"MachineGroup":"UnassignedGroup","ProcessCommandLine":null,"ProcessCreationTime":null,"ProcessId":null,"ProcessTokenElevation":null,"RegistryKey":null,"RegistryValueData":null,"RegistryValueName":null,"RemoteDeviceName":null,"RemoteIP":null,"RemotePort":null,"RemoteUrl":null,"ReportId":2833,"SHA1":null,"SHA256":null,"Timestamp":"2022-11-07T17:07:42.0259186Z"},"tenantId":"12345af3-bc0e-4f36-b08e-27759e912345","time":"2022-11-07T17:45:56.3057929Z"} 
+{"Tenant":"DefaultTenant","_TimeReceivedBySvc":"2024-05-17T09:43:48.5484538Z","category":"AdvancedHunting-DeviceInfo","operationName":"Publish","properties":{"AadDeviceId":null,"AdditionalFields":"[]","AssetValue":null,"ClientVersion":"30.124032.7.0","DeviceCategory":"Endpoint","DeviceDynamicTags":null,"DeviceId":"78dca52447922201adb5c38f20f3351dc2a31668","DeviceManualTags":null,"DeviceName":"sample-device","DeviceSubtype":null,"DeviceType":"Server","ExclusionReason":null,"ExposureLevel":"Low","IsAzureADJoined":false,"IsExcluded":false,"IsInternetFacing":null,"JoinType":"Domain Joined","LoggedOnUsers":"[{\"UserName\":\"LOGIN\"}]","MachineGroup":null,"MergedDeviceIds":"","MergedToDeviceId":"","Model":"","OSArchitecture":"64-bit","OSBuild":null,"OSDistribution":"Debian","OSPlatform":"Linux","OSVersion":"11.0","OSVersionInfo":"","OnboardingStatus":"Onboarded","PublicIP":"81.2.69.142","RegistryDeviceTag":"","ReportId":638515358285484500,"SensorHealthState":"Active","Timestamp":"2024-05-17T09:42:55.895275Z","Vendor":""},"tenantId":"12345af3-bc0e-4f36-b08e-27759e912345","time":"2024-05-17T09:47:00.1365521Z"} +{"Tenant":"DefaultTenant","category":"AdvancedHunting-DeviceEvents","operationName":"Publish","properties":{"AccountDomain":null,"AccountName":null,"AccountSid":"S-1-5-19","ActionType":"NamedPipeEvent","AdditionalFields":"{\"DesiredAccess\":1180063,\"FileOperation\":\"File opened\",\"NamedPipeEnd\":\"Server\",\"PipeName\":\"\\\\Device\\\\NamedPipe\\\\W32TIME_ALT\",\"RemoteClientsAccess\":\"AcceptRemote\",\"SessionId\":0,\"ThreadId\":10540}","AppGuardContainerId":"","DeviceId":"2af9e3da2eb7ba1b6c1ffcb54ab5cd4cdec1e593","DeviceName":"desktop-name","FileName":null,"FileOriginIP":null,"FileOriginUrl":null,"FileSize":null,"FolderPath":null,"InitiatingProcessAccountDomain":"nt authority","InitiatingProcessAccountName":"local 
service","InitiatingProcessAccountObjectId":null,"InitiatingProcessAccountSid":"S-1-5-19","InitiatingProcessAccountUpn":null,"InitiatingProcessCommandLine":"svchost.exe -k LocalService -s W32Time","InitiatingProcessCreationTime":"2024-05-08T15:33:37.3307862Z","InitiatingProcessFileName":"svchost.exe","InitiatingProcessFileSize":55456,"InitiatingProcessFolderPath":"c:\\windows\\system32\\svchost.exe","InitiatingProcessId":10192,"InitiatingProcessLogonId":997,"InitiatingProcessMD5":"145dcf6706eeea5b066885ee17964c09","InitiatingProcessParentCreationTime":"2024-05-06T11:48:52.81722Z","InitiatingProcessParentFileName":"services.exe","InitiatingProcessParentId":688,"InitiatingProcessSHA1":"445f5f38365af88ec29b357f4696f0e3ee50a1d8","InitiatingProcessSHA256":"f13de58416730d210dab465b242e9c949fb0a0245eef45b07c381f0c6c8a43c3","InitiatingProcessVersionInfoCompanyName":"Microsoft Corporation","InitiatingProcessVersionInfoFileDescription":"Host Process for Windows Services","InitiatingProcessVersionInfoInternalFileName":"svchost.exe","InitiatingProcessVersionInfoOriginalFileName":"svchost.exe","InitiatingProcessVersionInfoProductName":"Microsoft® Windows® Operating System","InitiatingProcessVersionInfoProductVersion":"10.0.19041.3636","LocalIP":null,"LocalPort":null,"LogonId":null,"MD5":null,"MachineGroup":null,"ProcessCommandLine":null,"ProcessCreationTime":null,"ProcessId":null,"ProcessTokenElevation":null,"RegistryKey":null,"RegistryValueData":null,"RegistryValueName":null,"RemoteDeviceName":null,"RemoteIP":"","RemotePort":null,"RemoteUrl":null,"ReportId":23860,"SHA1":null,"SHA256":null,"Timestamp":"2024-05-08T15:33:37.4669184Z"},"tenantId":"12345af3-bc0e-4f36-b08e-27759e912345","time":"2024-05-08T15:39:02.1739813Z"} 
+{"Tenant":"DefaultTenant","category":"AdvancedHunting-DeviceEvents","operationName":"Publish","properties":{"AccountDomain":null,"AccountName":null,"AccountSid":null,"ActionType":"GetClipboardData","AdditionalFields":null,"AppGuardContainerId":"","DeviceId":"2af9e3da2eb7bd1bfa1fccb55ab5cd4cdec1e593","DeviceName":"desktop-name","FileName":null,"FileOriginIP":null,"FileOriginUrl":null,"FileSize":null,"FolderPath":null,"InitiatingProcessAccountDomain":"desktop-name","InitiatingProcessAccountName":"ipan","InitiatingProcessAccountObjectId":null,"InitiatingProcessAccountSid":"S-1-5-21-2850353385-2443355826-2041408518-1001","InitiatingProcessAccountUpn":null,"InitiatingProcessCommandLine":"Explorer.EXE","InitiatingProcessCreationTime":"2024-05-06T11:53:36.4136444Z","InitiatingProcessFileName":"explorer.exe","InitiatingProcessFileSize":5656192,"InitiatingProcessFolderPath":"c:\\windows\\explorer.exe","InitiatingProcessId":1040,"InitiatingProcessLogonId":0,"InitiatingProcessMD5":"238538d74fea273bff1e00622eccaf3a","InitiatingProcessParentCreationTime":"2024-05-06T11:53:36.3698545Z","InitiatingProcessParentFileName":"userinit.exe","InitiatingProcessParentId":3424,"InitiatingProcessSHA1":"61ee53287d7aa2abbf323cc04e4475ae07ed6e75","InitiatingProcessSHA256":"33ca082676d3e3162eccdbef28daa3240930245ff218b70d309f34ab0e7b372e","InitiatingProcessVersionInfoCompanyName":"Microsoft Corporation","InitiatingProcessVersionInfoFileDescription":"Windows Explorer","InitiatingProcessVersionInfoInternalFileName":"explorer","InitiatingProcessVersionInfoOriginalFileName":"EXPLORER.EXE","InitiatingProcessVersionInfoProductName":"Microsoft® Windows® Operating 
System","InitiatingProcessVersionInfoProductVersion":"10.0.19041.4239","LocalIP":null,"LocalPort":null,"LogonId":null,"MD5":null,"MachineGroup":null,"ProcessCommandLine":null,"ProcessCreationTime":null,"ProcessId":null,"ProcessTokenElevation":null,"RegistryKey":null,"RegistryValueData":null,"RegistryValueName":null,"RemoteDeviceName":null,"RemoteIP":null,"RemotePort":null,"RemoteUrl":null,"ReportId":22403,"SHA1":null,"SHA256":null,"Timestamp":"2024-05-08T15:24:47.9470226Z"},"tenantId":"12345af3-bc0e-4f36-b08e-27759e912345","time":"2024-05-08T15:28:19.8963512Z"} +{"Tenant":"DefaultTenant","category":"AdvancedHunting-DeviceEvents","operationName":"Publish","properties":{"AccountDomain":null,"AccountName":null,"AccountSid":null,"ActionType":"PowerShellCommand","AdditionalFields":"{\"Command\":\"Microsoft.PowerShell.Core\\\\Set-StrictMode\"}","AppGuardContainerId":"","DeviceId":"2af9e3da2eb7bd1b6c1fccb55ab5cd4cdec1e583","DeviceName":"desktop-name","FileName":null,"FileOriginIP":null,"FileOriginUrl":null,"FileSize":null,"FolderPath":null,"InitiatingProcessAccountDomain":"desktop-name","InitiatingProcessAccountName":"jonh","InitiatingProcessAccountObjectId":null,"InitiatingProcessAccountSid":"S-1-5-21-2850353385-2443355826-2041408518-1001","InitiatingProcessAccountUpn":null,"InitiatingProcessCommandLine":"\"powershell.exe\" 
","InitiatingProcessCreationTime":"2024-05-07T14:54:54.3102466Z","InitiatingProcessFileName":"powershell.exe","InitiatingProcessFileSize":455680,"InitiatingProcessFolderPath":"c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe","InitiatingProcessId":6768,"InitiatingProcessLogonId":717087,"InitiatingProcessMD5":"2e5a8590cf6848968fc23de3fa1e25f1","InitiatingProcessParentCreationTime":"2024-05-06T11:53:51.6764165Z","InitiatingProcessParentFileName":"svchost.exe","InitiatingProcessParentId":6780,"InitiatingProcessSHA1":"801262e122db6a2e758962896f260b55bbd0136a","InitiatingProcessSHA256":"9785001b0dcf755eddb8af294a373c0b87b2498660f724e76c4d53f9c217c7a3","InitiatingProcessVersionInfoCompanyName":"Microsoft Corporation","InitiatingProcessVersionInfoFileDescription":"Windows PowerShell","InitiatingProcessVersionInfoInternalFileName":"POWERSHELL","InitiatingProcessVersionInfoOriginalFileName":"PowerShell.EXE","InitiatingProcessVersionInfoProductName":"Microsoft® Windows® Operating System","InitiatingProcessVersionInfoProductVersion":"10.0.19041.3996","LocalIP":null,"LocalPort":null,"LogonId":null,"MD5":null,"MachineGroup":null,"ProcessCommandLine":null,"ProcessCreationTime":null,"ProcessId":null,"ProcessTokenElevation":null,"RegistryKey":null,"RegistryValueData":null,"RegistryValueName":null,"RemoteDeviceName":null,"RemoteIP":null,"RemotePort":null,"RemoteUrl":null,"ReportId":17334,"SHA1":null,"SHA256":null,"Timestamp":"2024-05-07T14:54:56.1383178Z"},"tenantId":"12345af3-bc0e-4f36-b08e-27759e912345","time":"2024-05-07T14:59:10.7367071Z"} 
+{"Tenant":"DefaultTenant","category":"AdvancedHunting-DeviceEvents","operationName":"Publish","properties":{"AccountDomain":null,"AccountName":null,"AccountSid":null,"ActionType":"ScreenshotTaken","AdditionalFields":null,"AppGuardContainerId":"","DeviceId":"2af9e3da2eb7bd1b6c1fccb55ab5cd4cdec1e583","DeviceName":"desktop-name","FileName":null,"FileOriginIP":null,"FileOriginUrl":null,"FileSize":null,"FolderPath":null,"InitiatingProcessAccountDomain":"desktop-name","InitiatingProcessAccountName":"jonh","InitiatingProcessAccountObjectId":null,"InitiatingProcessAccountSid":"S-1-5-21-2850353385-2443355826-2041408518-1001","InitiatingProcessAccountUpn":null,"InitiatingProcessCommandLine":"\"msdt.exe\" /c echo /cab C:\\Users\\Public\\","InitiatingProcessCreationTime":"2024-05-06T16:42:49.9489733Z","InitiatingProcessFileName":"msdt.exe","InitiatingProcessFileSize":498176,"InitiatingProcessFolderPath":"c:\\windows\\system32\\msdt.exe","InitiatingProcessId":10164,"InitiatingProcessLogonId":0,"InitiatingProcessMD5":"f2c31dadb5569110e9941642728fe182","InitiatingProcessParentCreationTime":"2024-05-06T16:42:49.6757415Z","InitiatingProcessParentFileName":"firefox.exe","InitiatingProcessParentId":4744,"InitiatingProcessSHA1":"3f82161d99b7411e88d6aaeef8bba9586a5554f6","InitiatingProcessSHA256":"94842ff132a47234f199b80ccf44b1cdee55e402d8404d8b49255d08fbb8d9d6","InitiatingProcessVersionInfoCompanyName":"Microsoft Corporation","InitiatingProcessVersionInfoFileDescription":"Diagnostics Troubleshooting Wizard","InitiatingProcessVersionInfoInternalFileName":"DiagWizard","InitiatingProcessVersionInfoOriginalFileName":"msdt.exe","InitiatingProcessVersionInfoProductName":"Microsoft® Windows® Operating 
System","InitiatingProcessVersionInfoProductVersion":"10.0.19041.3636","LocalIP":null,"LocalPort":null,"LogonId":null,"MD5":null,"MachineGroup":null,"ProcessCommandLine":null,"ProcessCreationTime":null,"ProcessId":null,"ProcessTokenElevation":null,"RegistryKey":null,"RegistryValueData":null,"RegistryValueName":null,"RemoteDeviceName":null,"RemoteIP":null,"RemotePort":null,"RemoteUrl":null,"ReportId":9773,"SHA1":null,"SHA256":null,"Timestamp":"2024-05-06T16:42:50.3859006Z"},"tenantId":"12345af3-bc0e-4f36-b08e-27759e912345","time":"2024-05-06T16:47:06.7452869Z"}
diff --git a/packages/m365_defender/data_stream/event/_dev/test/pipeline/test-device.log-expected.json b/packages/m365_defender/data_stream/event/_dev/test/pipeline/test-device.log-expected.json
index 0216b38cd69..7b3acc24603 100644
--- a/packages/m365_defender/data_stream/event/_dev/test/pipeline/test-device.log-expected.json
+++ b/packages/m365_defender/data_stream/event/_dev/test/pipeline/test-device.log-expected.json
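Review bot: The added DeviceInfo record carries `"AdditionalFields":"[]"`, a JSON-encoded empty array, while the added DeviceEvents records carry a JSON-encoded object (e.g. `"{\"TotalBytesCopied\":6847224}"`) and the DeviceNetworkEvents context records carry a bare object, so this one fixture line exercises a third shape of the same key. If the device pipeline decodes that string into an object-typed field, the empty-array case will presumably be dropped or fail to decode, and the expected output should pin which of the two happens rather than leaving it to the pipeline's failure handler. The DriverLoad record's `AdditionalFields` holds `ImageMD5`/`ImageSHA1`/`ImageSHA256` as base64 (`"ImageSHA1":"kpzraHlktifOktGL6HickKsbAsg="`) while the top-level `MD5`/`SHA1`/`SHA256` are hex, so those values must not be copied into `*.hash.*` or `related.hash` without converting to lowercase hex, or rules keyed on hex hashes will never match them. Also note `"ReportId":638515358285484500` in the DeviceInfo record exceeds 2^53-1, so any double-based JSON tooling used to produce or compare the expected output will round it; the value in the expected file should be checked against this literal.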
@@ -72,45 +72,40 @@
 }
 },
 "process": {
+ "args": [
+ "backgroundTaskHost.exe",
+ "-ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca"
+ ],
+ "args_count": 2,
+ "command_line": "\"backgroundTaskHost.exe\" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca",
+ "executable": "c:\\windows\\system32\\backgroundtaskhost.exe",
+ "hash": {
+ "md5": "b7f884c1b74a263f746ee12a5f7c9f6a",
+ "sha1": "1bc5066ddf693fc034d6514618854e26a84fd0d1",
+ "sha256": "add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88"
+ },
+ "name": "backgroundtaskhost.exe",
 "parent": {
- "args": [
- "backgroundTaskHost.exe",
- "-ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca"
- ],
- "args_count": 2,
- "command_line": "\"backgroundTaskHost.exe\" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca",
- "executable": "c:\\windows\\system32\\backgroundtaskhost.exe",
- "group_leader": {
- "name": "svchost.exe",
- "pid": 948,
- "start": "2022-11-07T16:34:27.011Z"
- },
- "hash": {
- "md5": "b7f884c1b74a263f746ee12a5f7c9f6a",
- "sha1": "1bc5066ddf693fc034d6514618854e26a84fd0d1",
- "sha256": "add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88"
- },
- "name": "backgroundtaskhost.exe",
- "pe": {
- "company": "Microsoft Corporation",
- "description": "Background Task Host",
- "file_version": "10.0.19041.546",
- "original_file_name": "backgroundTaskHost.exe",
- "product": "Microsoft® Windows® Operating System",
- "sections": {
- "physical_size": 19776
- }
- },
- "pid": 4248,
- "start": "2022-11-07T17:07:41.698Z"
+ "name": "svchost.exe",
+ "pid": 948,
+ "start": "2022-11-07T16:34:27.011Z"
 },
 "pe": {
- "sections": {
- "physical_size": 329
- }
- }
+ "company": "Microsoft Corporation",
+ "description": "Background Task Host",
+ "file_version": "10.0.19041.546",
+ "original_file_name": "backgroundTaskHost.exe",
+ "product": "Microsoft® Windows® Operating System"
+ },
+ "pid": 4248,
+ "start": "2022-11-07T17:07:41.698Z"
 },
 "related": {
+ "hash": [
+ "b7f884c1b74a263f746ee12a5f7c9f6a",
+ "1bc5066ddf693fc034d6514618854e26a84fd0d1",
+ "add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88"
+ ],
 "hosts": [
 "de6509d550e605faf3bbeac0905ab9590fe12345",
 "testmachine5"
@@ -220,24 +215,26 @@ "version": "8.11.0" }, "event": { - "action": "filecreated", + "action": "creation", "category": [ "file" ], "kind": "event", "original": "{\"Tenant\":\"DefaultTenant\",\"category\":\"AdvancedHunting-DeviceFileEvents\",\"operationName\":\"Publish\",\"properties\":{\"ActionType\":\"FileCreated\",\"AdditionalFields\":null,\"AppGuardContainerId\":null,\"DeviceId\":\"de6509d550e605faf3bbeac0905ab9590fe12345\",\"DeviceName\":\"testmachine5\",\"FileName\":\"VMAgentDisabler.dll\",\"FileOriginIP\":null,\"FileOriginReferrerUrl\":null,\"FileOriginUrl\":null,\"FileSize\":139848,\"FolderPath\":\"C:\\\\Windows\\\\System32\\\\VMAgentDisabler.dll\",\"InitiatingProcessAccountDomain\":\"nt authority\",\"InitiatingProcessAccountName\":\"system\",\"InitiatingProcessAccountObjectId\":null,\"InitiatingProcessAccountSid\":\"S-1-5-18\",\"InitiatingProcessAccountUpn\":null,\"InitiatingProcessCommandLine\":\"WaAppAgent.exe\",\"InitiatingProcessCreationTime\":\"2022-11-07T16:45:10.3952444Z\",\"InitiatingProcessFileName\":\"WaAppAgent.exe\",\"InitiatingProcessFileSize\":91360,\"InitiatingProcessFolderPath\":\"c:\\\\windowsazure\\\\guestagent_2.7.41491.1057_2022-11-07_163802\\\\waappagent.exe\",\"InitiatingProcessId\":5692,\"InitiatingProcessIntegrityLevel\":\"System\",\"InitiatingProcessMD5\":\"b7f884c1b74a263f746ee12a5f7c9f6a\",\"InitiatingProcessParentCreationTime\":\"2022-11-07T16:34:26.5433488Z\",\"InitiatingProcessParentFileName\":\"services.exe\",\"InitiatingProcessParentId\":812,\"InitiatingProcessSHA1\":\"1bc5066ddf693fc034d6514618854e26a84fd0d1\",\"InitiatingProcessSHA256\":\"add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88\",\"InitiatingProcessTokenElevation\":\"TokenElevationTypeDefault\",\"InitiatingProcessVersionInfoCompanyName\":\"Microsoft Corporation\",\"InitiatingProcessVersionInfoFileDescription\":\"Microsoft 
Azure®\",\"InitiatingProcessVersionInfoInternalFileName\":\"WaAppAgent\",\"InitiatingProcessVersionInfoOriginalFileName\":\"WaAppAgent.exe\",\"InitiatingProcessVersionInfoProductName\":\"Microsoft® CoReXT\",\"InitiatingProcessVersionInfoProductVersion\":\"2.7.41491.1057\",\"IsAzureInfoProtectionApplied\":null,\"MD5\":\"b41a36dcfd9295b503b6bbc90bc12345\",\"MachineGroup\":\"UnassignedGroup\",\"PreviousFileName\":null,\"PreviousFolderPath\":null,\"ReportId\":112,\"RequestAccountDomain\":\"NT AUTHORITY\",\"RequestAccountName\":\"SYSTEM\",\"RequestAccountSid\":\"S-1-5-18\",\"RequestProtocol\":\"Local\",\"RequestSourceIP\":null,\"RequestSourcePort\":null,\"SHA1\":\"1bc5066ddf693fc034d6514618854e26a84fd0d1\",\"SHA256\":\"add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88\",\"SensitivityLabel\":null,\"SensitivitySubLabel\":null,\"ShareName\":null,\"Timestamp\":\"2022-11-07T16:45:21.2119114Z\"},\"tenantId\":\"12345af3-bc0e-4f36-b08e-27759e912345\",\"time\":\"2022-11-07T17:20:21.0560538Z\"}", "type": [ - "info" + "creation" ] }, "file": { - "directory": "C:\\Windows\\System32\\VMAgentDisabler.dll", + "directory": "C:\\Windows\\System32", + "extension": "dll", "hash": { "md5": "b41a36dcfd9295b503b6bbc90bc12345", "sha1": "1bc5066ddf693fc034d6514618854e26a84fd0d1", "sha256": "add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88" }, "name": "VMAgentDisabler.dll", + "path": "C:\\Windows\\System32\\VMAgentDisabler.dll", "size": 139848 }, "host": { @@ -330,10 +327,7 @@ "description": "Microsoft Azure®", "file_version": "2.7.41491.1057", "original_file_name": "WaAppAgent.exe", - "product": "Microsoft® CoReXT", - "sections": { - "physical_size": 91360 - } + "product": "Microsoft® CoReXT" }, "pid": 5692, "start": "2022-11-07T16:45:10.395Z" 
@@ -362,39 +356,50 @@ ], "user": { "domain": "NT AUTHORITY", + "id": "S-1-5-18", "name": "SYSTEM" } }, { "@timestamp": "2022-11-07T16:45:19.295Z", "dll": { + "Ext": { + "size": 1458688 + }, "hash": { "md5": "01a97134d9927a4001649b1d9ff25397", "sha1": "1bc67905ae5c8e81014aa4290a338ace6a3b103e", "sha256": "62b9597b5cf263a7e76913613e1b565c0f7436ccc4ef515bf40f400a5023de8a" }, "name": "System.Management.ni.dll", - "path": "C:\\Windows\\assembly\\NativeImages_v4.0.30319_64\\System.Management\\8af759007c012da690062882e06694f1\\System.Management.ni.dll", - "pe": { - "sections": { - "physical_size": 1458688 - } - } + "path": "C:\\Windows\\assembly\\NativeImages_v4.0.30319_64\\System.Management\\8af759007c012da690062882e06694f1\\System.Management.ni.dll" }, "ecs": { "version": "8.11.0" }, "event": { - "action": "imageloaded", + "action": "load", "category": [ - "process" + "library" ], "kind": "event", "original": "{\"Tenant\":\"DefaultTenant\",\"category\":\"AdvancedHunting-DeviceImageLoadEvents\",\"operationName\":\"Publish\",\"properties\":{\"ActionType\":\"ImageLoaded\",\"AppGuardContainerId\":null,\"DeviceId\":\"de6509d550e605faf3bbeac0905ab9590fe12345\",\"DeviceName\":\"testmachine5\",\"FileName\":\"System.Management.ni.dll\",\"FileSize\":1458688,\"FolderPath\":\"C:\\\\Windows\\\\assembly\\\\NativeImages_v4.0.30319_64\\\\System.Management\\\\8af759007c012da690062882e06694f1\\\\System.Management.ni.dll\",\"InitiatingProcessAccountDomain\":\"nt 
authority\",\"InitiatingProcessAccountName\":\"system\",\"InitiatingProcessAccountObjectId\":null,\"InitiatingProcessAccountSid\":\"S-1-5-18\",\"InitiatingProcessAccountUpn\":null,\"InitiatingProcessCommandLine\":\"WaAppAgent.exe\",\"InitiatingProcessCreationTime\":\"2022-11-07T16:45:10.3952444Z\",\"InitiatingProcessFileName\":\"waappagent.exe\",\"InitiatingProcessFileSize\":91360,\"InitiatingProcessFolderPath\":\"c:\\\\windowsazure\\\\guestagent_2.7.41491.1057_2022-11-07_163802\\\\waappagent.exe\",\"InitiatingProcessId\":5692,\"InitiatingProcessIntegrityLevel\":\"System\",\"InitiatingProcessMD5\":\"ac71a4a58ffeb96a5d4724c1849ac456\",\"InitiatingProcessParentCreationTime\":\"2022-11-07T16:34:26.5433488Z\",\"InitiatingProcessParentFileName\":\"services.exe\",\"InitiatingProcessParentId\":812,\"InitiatingProcessSHA1\":\"2f88f5bbdaae8a57287dcc12c7d2ea8cdc57260a\",\"InitiatingProcessSHA256\":\"1addd6bc9893fb68076c44d9290f07c10d2cc98362d2c17d7e01e5e3a6374635\",\"InitiatingProcessTokenElevation\":\"TokenElevationTypeDefault\",\"InitiatingProcessVersionInfoCompanyName\":\"Microsoft Corporation\",\"InitiatingProcessVersionInfoFileDescription\":\"Microsoft Azure®\",\"InitiatingProcessVersionInfoInternalFileName\":\"WaAppAgent\",\"InitiatingProcessVersionInfoOriginalFileName\":\"WaAppAgent.exe\",\"InitiatingProcessVersionInfoProductName\":\"Microsoft® CoReXT\",\"InitiatingProcessVersionInfoProductVersion\":\"2.7.41491.1057\",\"MD5\":\"01a97134d9927a4001649b1d9ff25397\",\"MachineGroup\":\"UnassignedGroup\",\"ReportId\":93,\"SHA1\":\"1bc67905ae5c8e81014aa4290a338ace6a3b103e\",\"SHA256\":\"62b9597b5cf263a7e76913613e1b565c0f7436ccc4ef515bf40f400a5023de8a\",\"Timestamp\":\"2022-11-07T16:45:19.295067Z\"},\"tenantId\":\"12345af3-bc0e-4f36-b08e-27759e912345\",\"time\":\"2022-11-07T17:20:52.5604763Z\"}", "type": [ - "end" + "start" ] }, + "file": { + "directory": "C:\\Windows\\assembly\\NativeImages_v4.0.30319_64\\System.Management\\8af759007c012da690062882e06694f1", + "extension": 
"dll",
+ "hash": {
+ "md5": "01a97134d9927a4001649b1d9ff25397",
+ "sha1": "1bc67905ae5c8e81014aa4290a338ace6a3b103e",
+ "sha256": "62b9597b5cf263a7e76913613e1b565c0f7436ccc4ef515bf40f400a5023de8a"
+ },
+ "name": "System.Management.ni.dll",
+ "path": "C:\\Windows\\assembly\\NativeImages_v4.0.30319_64\\System.Management\\8af759007c012da690062882e06694f1\\System.Management.ni.dll",
+ "size": 1458688
+ },
 "host": {
 "id": "de6509d550e605faf3bbeac0905ab9590fe12345",
 "name": "testmachine5"
@@ -402,7 +407,7 @@
 "m365_defender": {
 "event": {
 "action": {
- "type": "ImageLoaded"
+ "type": "load"
 },
 "category": "AdvancedHunting-DeviceImageLoadEvents",
 "device": {
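Review bot: `m365_defender.event.action.type` is the vendor-namespaced copy of the raw `ActionType`, and changing its expected value from `ImageLoaded` to `load` in the `@@ -402` hunk means the raw value now survives only inside `event.original`. The DeviceNetworkEvents document later in this file keeps `"type": "DnsConnectionInspected"` verbatim, so the two event types now disagree on what this field holds, which breaks any saved search or rule keyed on the vendor value; the two new image-load documents in the `@@ -454` and `@@ -499` hunks expect the same normalised `load`. The ECS-normalised value already lives in `event.action`, so the expected line here should stay `"type": "ImageLoaded"` and the normalisation be applied only to `event.action`, presumably in pipeline_device.yml, which is outside this chunk.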
@@ -454,42 +459,188 @@
 }
 },
 "process": {
+ "Ext": {
+ "token": {
+ "integrity_level_name": "System"
+ }
+ },
+ "args": [
+ "WaAppAgent.exe"
+ ],
+ "args_count": 1,
+ "command_line": "WaAppAgent.exe",
+ "executable": "c:\\windowsazure\\guestagent_2.7.41491.1057_2022-11-07_163802\\waappagent.exe",
+ "name": "waappagent.exe",
 "parent": {
- "args": [
- "WaAppAgent.exe"
- ],
- "args_count": 1,
- "command_line": "WaAppAgent.exe",
- "executable": "c:\\windowsazure\\guestagent_2.7.41491.1057_2022-11-07_163802\\waappagent.exe",
- "group_leader": {
- "name": "services.exe",
- "pid": 812,
- "start": "2022-11-07T16:34:26.543Z"
+ "name": "services.exe",
+ "pid": 812,
+ "start": "2022-11-07T16:34:26.543Z"
+ },
+ "pid": 5692,
+ "start": "2022-11-07T16:45:10.395Z"
+ },
+ "related": {
+ "hash": [
+ "01a97134d9927a4001649b1d9ff25397",
+ "1bc67905ae5c8e81014aa4290a338ace6a3b103e",
+ "62b9597b5cf263a7e76913613e1b565c0f7436ccc4ef515bf40f400a5023de8a"
+ ],
+ "hosts": [
+ "de6509d550e605faf3bbeac0905ab9590fe12345",
+ "testmachine5",
+ "nt authority"
+ ],
+ "user": [
+ "system"
+ ]
+ },
+ "tags": [
+ "preserve_original_event",
+ "preserve_duplicate_custom_fields"
+ ],
+ "user": {
+ "domain": "nt authority",
+ "id": "S-1-5-18",
+ "name": "system"
+ }
+ },
+ {
+ "@timestamp": "2024-05-08T15:33:47.460Z",
+ "dll": {
+ "Ext": {
+ "size": 487936
+ },
+ "hash": {
+ "md5": "6535df1faaab240ca6331f074cd7893c",
+ "sha1": "eada7334c9922fbe97974d6e7610bea422d769e9",
+ "sha256": "b2f607b46e185a9e67d9ad55f48e653c80e0c635c38c8909d29ba45de1634c3f"
+ },
+ "name": "System.Xml.Linq.ni.dll",
+ "path": "C:\\Windows\\assembly\\NativeImages_v4.0.30319_64\\System.Xml.Linq\\627faf5941962a993235402a1c2bf310\\System.Xml.Linq.ni.dll"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "action": "load",
+ "category": [
+ "library"
+ ],
+ "kind": "event",
+ "original": 
"{\"Tenant\":\"DefaultTenant\",\"category\":\"AdvancedHunting-DeviceImageLoadEvents\",\"operationName\":\"Publish\",\"properties\":{\"ActionType\":\"ImageLoaded\",\"AppGuardContainerId\":\"\",\"DeviceId\":\"2af9e3da2eb7bd1b6c1fccb55ab5cd4cdec1e583\",\"DeviceName\":\"desktop-device\",\"FileName\":\"System.Xml.Linq.ni.dll\",\"FileSize\":487936,\"FolderPath\":\"C:\\\\Windows\\\\assembly\\\\NativeImages_v4.0.30319_64\\\\System.Xml.Linq\\\\627faf5941962a993235402a1c2bf310\\\\System.Xml.Linq.ni.dll\",\"InitiatingProcessAccountDomain\":\"nt authority\",\"InitiatingProcessAccountName\":\"system\",\"InitiatingProcessAccountObjectId\":null,\"InitiatingProcessAccountSid\":\"S-1-5-18\",\"InitiatingProcessAccountUpn\":null,\"InitiatingProcessCommandLine\":\"mscorsvw.exe -StartupEvent 1ec -InterruptEvent 0 -NGENProcess 1dc -Pipe 1e8 -Comment \\\"NGen Worker Process\\\"\",\"InitiatingProcessCreationTime\":\"2024-05-08T15:33:47.3578095Z\",\"InitiatingProcessFileName\":\"mscorsvw.exe\",\"InitiatingProcessFileSize\":138712,\"InitiatingProcessFolderPath\":\"c:\\\\windows\\\\microsoft.net\\\\framework64\\\\v4.0.30319\\\\mscorsvw.exe\",\"InitiatingProcessId\":5664,\"InitiatingProcessIntegrityLevel\":\"System\",\"InitiatingProcessMD5\":\"97c285d649490f444176ea50170a2653\",\"InitiatingProcessParentCreationTime\":\"2024-05-08T15:33:47.298751Z\",\"InitiatingProcessParentFileName\":\"ngen.exe\",\"InitiatingProcessParentId\":2040,\"InitiatingProcessSHA1\":\"4350b1923036348429b0cb174cb6a8699cf99f88\",\"InitiatingProcessSHA256\":\"b63825d9b79213568cb57a52a7d607d8f9d7481ec5a0b260a6ace9f2fcd8f507\",\"InitiatingProcessTokenElevation\":\"TokenElevationTypeDefault\",\"InitiatingProcessVersionInfoCompanyName\":\"Microsoft Corporation\",\"InitiatingProcessVersionInfoFileDescription\":\".NET Runtime Optimization 
Service\",\"InitiatingProcessVersionInfoInternalFileName\":\"mscorsvw.exe\",\"InitiatingProcessVersionInfoOriginalFileName\":\"mscorsvw.exe\",\"InitiatingProcessVersionInfoProductName\":\"Microsoft® .NET Framework\",\"InitiatingProcessVersionInfoProductVersion\":\"4.8.9093.0\",\"MD5\":\"6535df1faaab240ca6331f074cd7893c\",\"MachineGroup\":null,\"ReportId\":24105,\"SHA1\":\"eada7334c9922fbe97974d6e7610bea422d769e9\",\"SHA256\":\"b2f607b46e185a9e67d9ad55f48e653c80e0c635c38c8909d29ba45de1634c3f\",\"Timestamp\":\"2024-05-08T15:33:47.460675Z\"},\"tenantId\":\"12345af3-bc0e-4f36-b08e-27759e912345\",\"time\":\"2024-05-08T15:39:06.4108776Z\"}", + "type": [ + "start" + ] + }, + "file": { + "directory": "C:\\Windows\\assembly\\NativeImages_v4.0.30319_64\\System.Xml.Linq\\627faf5941962a993235402a1c2bf310", + "extension": "dll", + "hash": { + "md5": "6535df1faaab240ca6331f074cd7893c", + "sha1": "eada7334c9922fbe97974d6e7610bea422d769e9", + "sha256": "b2f607b46e185a9e67d9ad55f48e653c80e0c635c38c8909d29ba45de1634c3f" + }, + "name": "System.Xml.Linq.ni.dll", + "path": "C:\\Windows\\assembly\\NativeImages_v4.0.30319_64\\System.Xml.Linq\\627faf5941962a993235402a1c2bf310\\System.Xml.Linq.ni.dll", + "size": 487936 + }, + "host": { + "id": "2af9e3da2eb7bd1b6c1fccb55ab5cd4cdec1e583", + "name": "desktop-device" + }, + "m365_defender": { + "event": { + "action": { + "type": "load" }, - "hash": { - "md5": "ac71a4a58ffeb96a5d4724c1849ac456", - "sha1": "2f88f5bbdaae8a57287dcc12c7d2ea8cdc57260a", - "sha256": "1addd6bc9893fb68076c44d9290f07c10d2cc98362d2c17d7e01e5e3a6374635" + "category": "AdvancedHunting-DeviceImageLoadEvents", + "device": { + "id": "2af9e3da2eb7bd1b6c1fccb55ab5cd4cdec1e583", + "name": "desktop-device" }, - "name": "waappagent.exe", - "pe": { - "company": "Microsoft Corporation", - "description": "Microsoft Azure®", - "file_version": "2.7.41491.1057", - "original_file_name": "WaAppAgent.exe", - "product": "Microsoft® CoReXT", - "sections": { - "physical_size": 91360 - } + 
"file": {
+ "name": "System.Xml.Linq.ni.dll",
+ "size": 487936
+ },
+ "folder_path": "C:\\Windows\\assembly\\NativeImages_v4.0.30319_64\\System.Xml.Linq\\627faf5941962a993235402a1c2bf310\\System.Xml.Linq.ni.dll",
+ "initiating_process": {
+ "account_domain": "nt authority",
+ "account_name": "system",
+ "account_sid": "S-1-5-18",
+ "command_line": "mscorsvw.exe -StartupEvent 1ec -InterruptEvent 0 -NGENProcess 1dc -Pipe 1e8 -Comment \"NGen Worker Process\"",
+ "creation_time": "2024-05-08T15:33:47.357Z",
+ "file_name": "mscorsvw.exe",
+ "file_size": 138712,
+ "folder_path": "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\mscorsvw.exe",
+ "id": 5664,
+ "integrity_level": "System",
+ "md5": "97c285d649490f444176ea50170a2653",
+ "parent_creation_time": "2024-05-08T15:33:47.298Z",
+ "parent_file_name": "ngen.exe",
+ "parent_id": 2040,
+ "sha1": "4350b1923036348429b0cb174cb6a8699cf99f88",
+ "sha256": "b63825d9b79213568cb57a52a7d607d8f9d7481ec5a0b260a6ace9f2fcd8f507",
+ "token_elevation": "TokenElevationTypeDefault",
+ "version_info_company_name": "Microsoft Corporation",
+ "version_info_file_description": ".NET Runtime Optimization Service",
+ "version_info_internal_file_name": "mscorsvw.exe",
+ "version_info_original_file_name": "mscorsvw.exe",
+ "version_info_product_name": "Microsoft® .NET Framework",
+ "version_info_product_version": "4.8.9093.0"
+ },
+ "md5": "6535df1faaab240ca6331f074cd7893c",
+ "operation_name": "Publish",
+ "report_id": "24105",
+ "sha1": "eada7334c9922fbe97974d6e7610bea422d769e9",
+ "sha256": "b2f607b46e185a9e67d9ad55f48e653c80e0c635c38c8909d29ba45de1634c3f",
+ "tenant": {
+ "id": "12345af3-bc0e-4f36-b08e-27759e912345",
+ "name": "DefaultTenant"
 },
- "pid": 5692,
- "start": "2022-11-07T16:45:10.395Z"
+ "time": "2024-05-08T15:39:06.410Z",
+ "timestamp": "2024-05-08T15:33:47.460Z"
 }
 },
+ "process": {
+ "Ext": {
+ "token": {
+ "integrity_level_name": "System"
+ }
+ },
+ "args": [
+ "mscorsvw.exe",
+ "-StartupEvent",
+ "1ec",
+ 
"-InterruptEvent",
+ "0",
+ "-NGENProcess",
+ "1dc",
+ "-Pipe",
+ "1e8",
+ "-Comment",
+ "NGen Worker Process"
+ ],
+ "args_count": 11,
+ "command_line": "mscorsvw.exe -StartupEvent 1ec -InterruptEvent 0 -NGENProcess 1dc -Pipe 1e8 -Comment \"NGen Worker Process\"",
+ "executable": "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\mscorsvw.exe",
+ "name": "mscorsvw.exe",
+ "parent": {
+ "name": "ngen.exe",
+ "pid": 2040,
+ "start": "2024-05-08T15:33:47.298Z"
+ },
+ "pid": 5664,
+ "start": "2024-05-08T15:33:47.357Z"
+ },
 "related": {
+ "hash": [
+ "6535df1faaab240ca6331f074cd7893c",
+ "eada7334c9922fbe97974d6e7610bea422d769e9",
+ "b2f607b46e185a9e67d9ad55f48e653c80e0c635c38c8909d29ba45de1634c3f"
+ ],
 "hosts": [
- "de6509d550e605faf3bbeac0905ab9590fe12345",
- "testmachine5",
+ "2af9e3da2eb7bd1b6c1fccb55ab5cd4cdec1e583",
+ "desktop-device",
 "nt authority"
 ],
 "user": [
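Review bot: The rewritten `process` block in this hunk drops the initiating process hashes entirely: the removed `process.parent.hash` (md5 `ac71a4a58ffeb96a5d4724c1849ac456`, sha1 `2f88f5bbdaae8a57287dcc12c7d2ea8cdc57260a`, sha256 `1addd6bc9893fb68076c44d9290f07c10d2cc98362d2c17d7e01e5e3a6374635`) is not re-added as `process.hash`, and the new `related.hash` lists only the loaded DLL's three hashes. The file-event document in the `@@ -72` hunk does carry `process.hash.*` for the initiating process, so image-load and file documents are now inconsistent and hash-based rules cannot match the loader; the second document added here (mscorsvw.exe, `InitiatingProcessMD5` `97c285d649490f444176ea50170a2653` in `event.original`) and the third one in the `@@ -499` hunk show the same gap. The expected output should contain `"hash": { "md5": …, "sha1": …, "sha256": … }` under `process` with those initiating-process values and have them appended to `related.hash`; the mapping fix itself belongs in pipeline_device.yml, which is outside this chunk.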
@@ -499,7 +650,165 @@ "tags": [ "preserve_original_event", "preserve_duplicate_custom_fields" - ] + ], + "user": { + "domain": "nt authority", + "id": "S-1-5-18", + "name": "system" + } + }, + { + "@timestamp": "2024-05-08T15:33:47.428Z", + "dll": { + "Ext": { + "size": 13741056 + }, + "hash": { + "md5": "551911f3db381004b7f1a85f153374cf", + "sha1": "8c66ab9c6a46dea263ca3f5e022e3f454e4c44d8", + "sha256": "37653d1a68a2b0ee1834926ac7f9d4c2ad0fb04a4f3720e9fbb9442170642e44" + }, + "name": "Microsoft.PowerShell.Commands.Utility.ni.dll", + "path": "C:\\Windows\\assembly\\NativeImages_v4.0.30319_64\\Microsoft.P521220ea#\\b555103c65d06ec11628ea371b9fdcd9\\Microsoft.PowerShell.Commands.Utility.ni.dll" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "load", + "category": [ + "library" + ], + "kind": "event", + "original": "{\"Tenant\":\"DefaultTenant\",\"category\":\"AdvancedHunting-DeviceImageLoadEvents\",\"operationName\":\"Publish\",\"properties\":{\"ActionType\":\"ImageLoaded\",\"AppGuardContainerId\":\"\",\"DeviceId\":\"2af9e3da2eb7bd1b6c1fccb55ab5cd4cdec1e583\",\"DeviceName\":\"desktop-device2\",\"FileName\":\"Microsoft.PowerShell.Commands.Utility.ni.dll\",\"FileSize\":13741056,\"FolderPath\":\"C:\\\\Windows\\\\assembly\\\\NativeImages_v4.0.30319_64\\\\Microsoft.P521220ea#\\\\b555103c65d06ec11628ea371b9fdcd9\\\\Microsoft.PowerShell.Commands.Utility.ni.dll\",\"InitiatingProcessAccountDomain\":\"nt authority\",\"InitiatingProcessAccountName\":\"system\",\"InitiatingProcessAccountObjectId\":null,\"InitiatingProcessAccountSid\":\"S-1-5-18\",\"InitiatingProcessAccountUpn\":null,\"InitiatingProcessCommandLine\":\"mscorsvw.exe -StartupEvent 1ec -InterruptEvent 0 -NGENProcess 1dc -Pipe 1e8 -Comment \\\"NGen Worker 
Process\\\"\",\"InitiatingProcessCreationTime\":\"2024-05-08T15:33:47.3578095Z\",\"InitiatingProcessFileName\":\"mscorsvw.exe\",\"InitiatingProcessFileSize\":138712,\"InitiatingProcessFolderPath\":\"c:\\\\windows\\\\microsoft.net\\\\framework64\\\\v4.0.30319\\\\mscorsvw.exe\",\"InitiatingProcessId\":5664,\"InitiatingProcessIntegrityLevel\":\"System\",\"InitiatingProcessMD5\":\"97c285d649490f444176ea50170a2653\",\"InitiatingProcessParentCreationTime\":\"2024-05-08T15:33:47.298751Z\",\"InitiatingProcessParentFileName\":\"ngen.exe\",\"InitiatingProcessParentId\":2040,\"InitiatingProcessSHA1\":\"4350b1923036348429b0cb174cb6a8699cf99f88\",\"InitiatingProcessSHA256\":\"b63825d9b79213568cb57a52a7d607d8f9d7481ec5a0b260a6ace9f2fcd8f507\",\"InitiatingProcessTokenElevation\":\"TokenElevationTypeDefault\",\"InitiatingProcessVersionInfoCompanyName\":\"Microsoft Corporation\",\"InitiatingProcessVersionInfoFileDescription\":\".NET Runtime Optimization Service\",\"InitiatingProcessVersionInfoInternalFileName\":\"mscorsvw.exe\",\"InitiatingProcessVersionInfoOriginalFileName\":\"mscorsvw.exe\",\"InitiatingProcessVersionInfoProductName\":\"Microsoft® .NET Framework\",\"InitiatingProcessVersionInfoProductVersion\":\"4.8.9093.0\",\"MD5\":\"551911f3db381004b7f1a85f153374cf\",\"MachineGroup\":null,\"ReportId\":24102,\"SHA1\":\"8c66ab9c6a46dea263ca3f5e022e3f454e4c44d8\",\"SHA256\":\"37653d1a68a2b0ee1834926ac7f9d4c2ad0fb04a4f3720e9fbb9442170642e44\",\"Timestamp\":\"2024-05-08T15:33:47.4284452Z\"},\"tenantId\":\"12345af3-bc0e-4f36-b08e-27759e912345\",\"time\":\"2024-05-08T15:39:06.4108633Z\"}", + "type": [ + "start" + ] + }, + "file": { + "directory": "C:\\Windows\\assembly\\NativeImages_v4.0.30319_64\\Microsoft.P521220ea#\\b555103c65d06ec11628ea371b9fdcd9", + "extension": "dll", + "hash": { + "md5": "551911f3db381004b7f1a85f153374cf", + "sha1": "8c66ab9c6a46dea263ca3f5e022e3f454e4c44d8", + "sha256": "37653d1a68a2b0ee1834926ac7f9d4c2ad0fb04a4f3720e9fbb9442170642e44" + }, + "name": 
"Microsoft.PowerShell.Commands.Utility.ni.dll",
+ "path": "C:\\Windows\\assembly\\NativeImages_v4.0.30319_64\\Microsoft.P521220ea#\\b555103c65d06ec11628ea371b9fdcd9\\Microsoft.PowerShell.Commands.Utility.ni.dll",
+ "size": 13741056
+ },
+ "host": {
+ "id": "2af9e3da2eb7bd1b6c1fccb55ab5cd4cdec1e583",
+ "name": "desktop-device2"
+ },
+ "m365_defender": {
+ "event": {
+ "action": {
+ "type": "load"
+ },
+ "category": "AdvancedHunting-DeviceImageLoadEvents",
+ "device": {
+ "id": "2af9e3da2eb7bd1b6c1fccb55ab5cd4cdec1e583",
+ "name": "desktop-device2"
+ },
+ "file": {
+ "name": "Microsoft.PowerShell.Commands.Utility.ni.dll",
+ "size": 13741056
+ },
+ "folder_path": "C:\\Windows\\assembly\\NativeImages_v4.0.30319_64\\Microsoft.P521220ea#\\b555103c65d06ec11628ea371b9fdcd9\\Microsoft.PowerShell.Commands.Utility.ni.dll",
+ "initiating_process": {
+ "account_domain": "nt authority",
+ "account_name": "system",
+ "account_sid": "S-1-5-18",
+ "command_line": "mscorsvw.exe -StartupEvent 1ec -InterruptEvent 0 -NGENProcess 1dc -Pipe 1e8 -Comment \"NGen Worker Process\"",
+ "creation_time": "2024-05-08T15:33:47.357Z",
+ "file_name": "mscorsvw.exe",
+ "file_size": 138712,
+ "folder_path": "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\mscorsvw.exe",
+ "id": 5664,
+ "integrity_level": "System",
+ "md5": "97c285d649490f444176ea50170a2653",
+ "parent_creation_time": "2024-05-08T15:33:47.298Z",
+ "parent_file_name": "ngen.exe",
+ "parent_id": 2040,
+ "sha1": "4350b1923036348429b0cb174cb6a8699cf99f88",
+ "sha256": "b63825d9b79213568cb57a52a7d607d8f9d7481ec5a0b260a6ace9f2fcd8f507",
+ "token_elevation": "TokenElevationTypeDefault",
+ "version_info_company_name": "Microsoft Corporation",
+ "version_info_file_description": ".NET Runtime Optimization Service",
+ "version_info_internal_file_name": "mscorsvw.exe",
+ "version_info_original_file_name": "mscorsvw.exe",
+ "version_info_product_name": "Microsoft® .NET Framework",
+ "version_info_product_version": "4.8.9093.0"
+ },
+ "md5": 
"551911f3db381004b7f1a85f153374cf",
+ "operation_name": "Publish",
+ "report_id": "24102",
+ "sha1": "8c66ab9c6a46dea263ca3f5e022e3f454e4c44d8",
+ "sha256": "37653d1a68a2b0ee1834926ac7f9d4c2ad0fb04a4f3720e9fbb9442170642e44",
+ "tenant": {
+ "id": "12345af3-bc0e-4f36-b08e-27759e912345",
+ "name": "DefaultTenant"
+ },
+ "time": "2024-05-08T15:39:06.410Z",
+ "timestamp": "2024-05-08T15:33:47.428Z"
+ }
+ },
+ "process": {
+ "Ext": {
+ "token": {
+ "integrity_level_name": "System"
+ }
+ },
+ "args": [
+ "mscorsvw.exe",
+ "-StartupEvent",
+ "1ec",
+ "-InterruptEvent",
+ "0",
+ "-NGENProcess",
+ "1dc",
+ "-Pipe",
+ "1e8",
+ "-Comment",
+ "NGen Worker Process"
+ ],
+ "args_count": 11,
+ "command_line": "mscorsvw.exe -StartupEvent 1ec -InterruptEvent 0 -NGENProcess 1dc -Pipe 1e8 -Comment \"NGen Worker Process\"",
+ "executable": "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\mscorsvw.exe",
+ "name": "mscorsvw.exe",
+ "parent": {
+ "name": "ngen.exe",
+ "pid": 2040,
+ "start": "2024-05-08T15:33:47.298Z"
+ },
+ "pid": 5664,
+ "start": "2024-05-08T15:33:47.357Z"
+ },
+ "related": {
+ "hash": [
+ "551911f3db381004b7f1a85f153374cf",
+ "8c66ab9c6a46dea263ca3f5e022e3f454e4c44d8",
+ "37653d1a68a2b0ee1834926ac7f9d4c2ad0fb04a4f3720e9fbb9442170642e44"
+ ],
+ "hosts": [
+ "2af9e3da2eb7bd1b6c1fccb55ab5cd4cdec1e583",
+ "desktop-device2",
+ "nt authority"
+ ],
+ "user": [
+ "system"
+ ]
+ },
+ "tags": [
+ "preserve_original_event",
+ "preserve_duplicate_custom_fields"
+ ],
+ "user": {
+ "domain": "nt authority",
+ "id": "S-1-5-18",
+ "name": "system"
+ }
 },
 {
 "@timestamp": "2022-11-08T05:56:25.883Z",
@@ -705,6 +1014,7 @@
 {
 "@timestamp": "2022-11-09T17:43:28.188Z",
 "destination": {
+ "address": "81.2.69.142",
 "geo": {
 "city_name": "London",
 "continent_name": "Europe",
@@ -816,41 +1126,178 @@ ] }, { - "@timestamp": "2022-11-09T17:54:53.534Z", + "@timestamp": "2024-05-07T14:55:00.567Z", + "destination": { + "address": "192.168.133.2", + "ip": "192.168.133.2", + "port": 53 + }, + "dns": { + "answers": [ + "89.160.20.112", + "google.com" + ], + "header_flags": [ + "RD", + "RA" + ], + "question": { + "class": "C_INTERNET", + "name": "download.windowsupdate.com", + "type": "A" + }, + "response_code": "NOERROR" + }, "ecs": { "version": "8.11.0" }, "event": { + "action": "dnsconnectioninspected", "category": [ "network" ], "kind": "event", - "original": "{\"Tenant\":\"DefaultTenant\",\"category\":\"AdvancedHunting-DeviceNetworkInfo\",\"operationName\":\"Publish\",\"properties\":{\"ConnectedNetworks\":\"[{\\\"Name\\\":\\\"Network\\\",\\\"Description\\\":\\\"Network\\\",\\\"IsConnectedToInternet\\\":true,\\\"Category\\\":\\\"Public\\\"}, {\\\"Name\\\":\\\"Network2\\\",\\\"Description\\\":\\\"Network2\\\",\\\"IsConnectedToInternet\\\":true,\\\"Category\\\":\\\"Public2\\\"}]\",\"DefaultGateways\":\"[\\\"67.43.156.5\\\"]\",\"DeviceId\":\"999b6fd7c532534ba50b3232fa992c38a273d4fb\",\"DeviceName\":\"testmachine6\",\"DnsAddresses\":\"[\\\"67.43.156.2\\\"]\",\"IPAddresses\":\"[{\\\"IPAddress\\\":\\\"67.43.156.0\\\",\\\"SubnetPrefix\\\":26,\\\"AddressType\\\":\\\"Private\\\"},{\\\"IPAddress\\\":\\\"fe80::39f0:832a:89a1:f6e1\\\",\\\"SubnetPrefix\\\":64,\\\"AddressType\\\":\\\"Private\\\"},{\\\"IPAddress\\\":\\\"67.43.156.1\\\",\\\"SubnetPrefix\\\":26,\\\"AddressType\\\":\\\"Private1\\\"},{\\\"IPAddress\\\":\\\"fe80::39f0:832a:89a1:f6e2\\\",\\\"SubnetPrefix\\\":64,\\\"AddressType\\\":\\\"Private2\\\"}]\",\"IPv4Dhcp\":\"67.43.156.2\",\"IPv6Dhcp\":null,\"MacAddress\":\"000D3A9EC781\",\"MachineGroup\":\"UnassignedGroup\",\"NetworkAdapterName\":\"{31D7786C-13B8-421D-A3D8-308787B9A9FF}\",\"NetworkAdapterStatus\":\"Up\",\"NetworkAdapterType\":\"Ethernet\",\"NetworkAdapterVendor\":null,\"ReportId\":4700,\"Timestamp\":\"2022-11-09T17:54:53.5345682Z\",\"Tunne
lType\":\"None\"},\"tenantId\":\"12345af3-bc0e-4f36-b08e-27759e912345\",\"time\":\"2022-11-09T18:00:01.8319849Z\"}" + "original": "{\"Tenant\":\"DefaultTenant\",\"category\":\"AdvancedHunting-DeviceNetworkEvents\",\"operationName\":\"Publish\",\"properties\":{\"ActionType\":\"DnsConnectionInspected\",\"AdditionalFields\":\"{\\\"direction\\\":\\\"Out\\\",\\\"trans_id\\\":\\\"37169\\\",\\\"rtt\\\":\\\"1.3255689144134521\\\",\\\"query\\\":\\\"download.windowsupdate.com\\\",\\\"qclass\\\":\\\"1\\\",\\\"qclass_name\\\":\\\"C_INTERNET\\\",\\\"qtype\\\":\\\"1\\\",\\\"qtype_name\\\":\\\"A\\\",\\\"rcode\\\":\\\"0\\\",\\\"uid\\\":\\\"CTrCWZ207PBR4uklAe\\\",\\\"rcode_name\\\":\\\"NOERROR\\\",\\\"AA\\\":\\\"false\\\",\\\"TC\\\":\\\"false\\\",\\\"RD\\\":\\\"true\\\",\\\"RA\\\":\\\"true\\\",\\\"answers\\\":\\\"[\\\\\\\"89.160.20.112\\\\\\\",\\\\\\\"google.com\\\\\\\"]\\\",\\\"TTLs\\\":\\\"[5.0,5.0]\\\",\\\"rejected\\\":\\\"false\\\",\\\"ts\\\":\\\"133595672992404310\\\"}\",\"AppGuardContainerId\":\"\",\"DeviceId\":\"2af9e3da2eb7bd1b6c1fccb55ab5cd4cdec1e583\",\"DeviceName\":\"desktop-name\",\"InitiatingProcessAccountDomain\":null,\"InitiatingProcessAccountName\":null,\"InitiatingProcessAccountObjectId\":null,\"InitiatingProcessAccountSid\":null,\"InitiatingProcessAccountUpn\":null,\"InitiatingProcessCommandLine\":null,\"InitiatingProcessCreationTime\":null,\"InitiatingProcessFileName\":null,\"InitiatingProcessFileSize\":null,\"InitiatingProcessFolderPath\":null,\"InitiatingProcessId\":0,\"InitiatingProcessIntegrityLevel\":null,\"InitiatingProcessMD5\":null,\"InitiatingProcessParentCreationTime\":null,\"InitiatingProcessParentFileName\":null,\"InitiatingProcessParentId\":0,\"InitiatingProcessSHA1\":null,\"InitiatingProcessSHA256\":null,\"InitiatingProcessTokenElevation\":\"None\",\"InitiatingProcessVersionInfoCompanyName\":null,\"InitiatingProcessVersionInfoFileDescription\":null,\"InitiatingProcessVersionInfoInternalFileName\":null,\"InitiatingProcessVersionInfoOriginalFileName\":
null,\"InitiatingProcessVersionInfoProductName\":null,\"InitiatingProcessVersionInfoProductVersion\":null,\"LocalIP\":\"192.168.133.128\",\"LocalIPType\":null,\"LocalPort\":55944,\"MachineGroup\":null,\"Protocol\":\"Udp\",\"RemoteIP\":\"192.168.133.2\",\"RemoteIPType\":null,\"RemotePort\":53,\"RemoteUrl\":null,\"ReportId\":17363,\"Timestamp\":\"2024-05-07T14:55:00.5675973Z\"},\"tenantId\":\"12345af3-bc0e-4f36-b08e-27759e912345\",\"time\":\"2024-05-07T14:59:09.2046961Z\"}", + "type": [ + "protocol" + ] }, "host": { - "id": "999b6fd7c532534ba50b3232fa992c38a273d4fb", - "mac": "000D3A9EC781", - "name": "testmachine6" + "id": "2af9e3da2eb7bd1b6c1fccb55ab5cd4cdec1e583", + "name": "desktop-name" }, "m365_defender": { "event": { - "category": "AdvancedHunting-DeviceNetworkInfo", - "connected_networks": [ - { - "Category": "Public", - "Description": "Network", - "IsConnectedToInternet": true, - "Name": "Network" - }, - { - "Category": "Public2", - "Description": "Network2", - "IsConnectedToInternet": true, - "Name": "Network2" - } - ], - "default_gateways": [ - "67.43.156.5" + "action": { + "type": "DnsConnectionInspected" + }, + "additional_fields": { + "AA": "false", + "RA": "true", + "RD": "true", + "TC": "false", + "TTLs": "[5.0,5.0]", + "qclass": "1", + "qtype": "1", + "rcode": "0", + "rejected": "false", + "rtt": "1.3255689144134521", + "trans_id": "37169", + "ts": "133595672992404310", + "uid": "CTrCWZ207PBR4uklAe" + }, + "category": "AdvancedHunting-DeviceNetworkEvents", + "device": { + "id": "2af9e3da2eb7bd1b6c1fccb55ab5cd4cdec1e583", + "name": "desktop-name" + }, + "dns": { + "answers": [ + "89.160.20.112", + "google.com" + ], + "header_flags": [ + "RD", + "RA" + ], + "qclass_name": "C_INTERNET", + "qtype_name": "A", + "query": "download.windowsupdate.com", + "rcode_name": "NOERROR" + }, + "initiating_process": { + "id": 0, + "parent_id": 0, + "token_elevation": "None" + }, + "local": { + "ip": "192.168.133.128", + "port": 55944 + }, + "network_direction": "Out", 
+ "operation_name": "Publish",
+ "protocol": "Udp",
+ "remote": {
+ "ip": "192.168.133.2",
+ "port": 53
+ },
+ "report_id": "17363",
+ "tenant": {
+ "id": "12345af3-bc0e-4f36-b08e-27759e912345",
+ "name": "DefaultTenant"
+ },
+ "time": "2024-05-07T14:59:09.204Z",
+ "timestamp": "2024-05-07T14:55:00.567Z"
+ }
+ },
+ "network": {
+ "direction": "outbound",
+ "protocol": "dns"
+ },
+ "process": {
+ "parent": {
+ "pid": 0
+ },
+ "pid": 0
+ },
+ "related": {
+ "hosts": [
+ "2af9e3da2eb7bd1b6c1fccb55ab5cd4cdec1e583",
+ "desktop-name"
+ ],
+ "ip": [
+ "192.168.133.128",
+ "192.168.133.2"
+ ]
+ },
+ "source": {
+ "ip": "192.168.133.128",
+ "port": 55944
+ },
+ "tags": [
+ "preserve_original_event",
+ "preserve_duplicate_custom_fields"
+ ]
+ },
+ {
+ "@timestamp": "2022-11-09T17:54:53.534Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "category": [
+ "network"
+ ],
+ "kind": "event",
+ "original": "{\"Tenant\":\"DefaultTenant\",\"category\":\"AdvancedHunting-DeviceNetworkInfo\",\"operationName\":\"Publish\",\"properties\":{\"ConnectedNetworks\":\"[{\\\"Name\\\":\\\"Network\\\",\\\"Description\\\":\\\"Network\\\",\\\"IsConnectedToInternet\\\":true,\\\"Category\\\":\\\"Public\\\"}, 
{\\\"Name\\\":\\\"Network2\\\",\\\"Description\\\":\\\"Network2\\\",\\\"IsConnectedToInternet\\\":true,\\\"Category\\\":\\\"Public2\\\"}]\",\"DefaultGateways\":\"[\\\"67.43.156.5\\\"]\",\"DeviceId\":\"999b6fd7c532534ba50b3232fa992c38a273d4fb\",\"DeviceName\":\"testmachine6\",\"DnsAddresses\":\"[\\\"67.43.156.2\\\"]\",\"IPAddresses\":\"[{\\\"IPAddress\\\":\\\"67.43.156.0\\\",\\\"SubnetPrefix\\\":26,\\\"AddressType\\\":\\\"Private\\\"},{\\\"IPAddress\\\":\\\"fe80::39f0:832a:89a1:f6e1\\\",\\\"SubnetPrefix\\\":64,\\\"AddressType\\\":\\\"Private\\\"},{\\\"IPAddress\\\":\\\"67.43.156.1\\\",\\\"SubnetPrefix\\\":26,\\\"AddressType\\\":\\\"Private1\\\"},{\\\"IPAddress\\\":\\\"fe80::39f0:832a:89a1:f6e2\\\",\\\"SubnetPrefix\\\":64,\\\"AddressType\\\":\\\"Private2\\\"}]\",\"IPv4Dhcp\":\"67.43.156.2\",\"IPv6Dhcp\":null,\"MacAddress\":\"000D3A9EC781\",\"MachineGroup\":\"UnassignedGroup\",\"NetworkAdapterName\":\"{31D7786C-13B8-421D-A3D8-308787B9A9FF}\",\"NetworkAdapterStatus\":\"Up\",\"NetworkAdapterType\":\"Ethernet\",\"NetworkAdapterVendor\":null,\"ReportId\":4700,\"Timestamp\":\"2022-11-09T17:54:53.5345682Z\",\"TunnelType\":\"None\"},\"tenantId\":\"12345af3-bc0e-4f36-b08e-27759e912345\",\"time\":\"2022-11-09T18:00:01.8319849Z\"}", + "type": [ + "info" + ] + }, + "host": { + "id": "999b6fd7c532534ba50b3232fa992c38a273d4fb", + "mac": "000D3A9EC781", + "name": "testmachine6" + }, + "m365_defender": { + "event": { + "category": "AdvancedHunting-DeviceNetworkInfo", + "connected_networks": [ + { + "Category": "Public", + "Description": "Network", + "IsConnectedToInternet": true, + "Name": "Network" + }, + { + "Category": "Public2", + "Description": "Network2", + "IsConnectedToInternet": true, + "Name": "Network2" + } + ], + "default_gateways": [ + "67.43.156.5" ], "device": { "id": "999b6fd7c532534ba50b3232fa992c38a273d4fb", 
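Review bot: `dns.answers` is expected as a flat string array `["89.160.20.112", "google.com"]` in the new DeviceNetworkEvents document, but in ECS `dns.answers` is an object group (`dns.answers.data`, `.name`, `.type`, `.ttl`) and the flat IP list belongs in `dns.resolved_ip`; the `TTLs` value `[5.0,5.0]` kept under `m365_defender.event.additional_fields` is the matching per-answer `ttl`, and the resolved `89.160.20.112` is also absent from `related.ip`. `network.transport` is missing even though `Protocol` is `Udp` (kept as `m365_defender.event.protocol`), so `"transport": "udp"` should sit next to `"protocol": "dns"` under `network`. Emitting `process.pid: 0` and `process.parent.pid: 0` when the source has `InitiatingProcessId: 0` with every other process field null presents a placeholder as a real pid, and dropping them when zero would be safer for rules that key on pid. Unless fields.yml, changed in this commit but outside this chunk, deliberately declares `dns.answers` as keyword, the expected values here encode a non-ECS shape that the pipeline in pipeline_device.yml should produce differently.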
@@ -930,7 +1377,7 @@ "kind": "event", "original": "{\"Tenant\":\"DefaultTenant\",\"category\":\"AdvancedHunting-DeviceProcessEvents\",\"operationName\":\"Publish\",\"properties\":{\"AccountDomain\":\"testmachine6\",\"AccountName\":\"administrator1\",\"AccountObjectId\":null,\"AccountSid\":\"S-1-5-21-1874808502-2282282112-3464708742-500\",\"AccountUpn\":null,\"ActionType\":\"ProcessCreated\",\"AdditionalFields\":\"[]\",\"AppGuardContainerId\":null,\"DeviceId\":\"999b6fd7c532534ba50b3232fa992c38a273d4fb\",\"DeviceName\":\"testmachine6\",\"FileName\":\"smartscreen.exe\",\"FileSize\":2387456,\"FolderPath\":\"C:\\\\Windows\\\\System32\\\\smartscreen.exe\",\"InitiatingProcessAccountDomain\":\"nt authority\",\"InitiatingProcessAccountName\":\"system\",\"InitiatingProcessAccountObjectId\":null,\"InitiatingProcessAccountSid\":\"S-1-5-18\",\"InitiatingProcessAccountUpn\":null,\"InitiatingProcessCommandLine\":\"svchost.exe -k DcomLaunch -p\",\"InitiatingProcessCreationTime\":\"2022-11-09T17:39:34.1193719Z\",\"InitiatingProcessFileName\":\"svchost.exe\",\"InitiatingProcessFileSize\":55320,\"InitiatingProcessFolderPath\":\"c:\\\\windows\\\\system32\\\\svchost.exe\",\"NetworkAdapterName\":\"en01\",\"InitiatingProcessId\":996,\"InitiatingProcessIntegrityLevel\":\"System\",\"InitiatingProcessLogonId\":999,\"InitiatingProcessMD5\":\"b7f884c1b74a263f746ee12a5f7c9f6a\",\"InitiatingProcessParentCreationTime\":\"2022-11-09T17:39:33.8279942Z\",\"InitiatingProcessParentFileName\":\"services.exe\",\"InitiatingProcessParentId\":852,\"InitiatingProcessSHA1\":\"1bc5066ddf693fc034d6514618854e26a84fd0d1\",\"InitiatingProcessSHA256\":\"add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88\",\"InitiatingProcessSignatureStatus\":\"Valid\",\"InitiatingProcessSignerType\":\"OsVendor\",\"InitiatingProcessTokenElevation\":\"TokenElevationTypeDefault\",\"InitiatingProcessVersionInfoCompanyName\":\"Microsoft Corporation\",\"InitiatingProcessVersionInfoFileDescription\":\"Host Process for 
Windows Services\",\"InitiatingProcessVersionInfoInternalFileName\":\"svchost.exe\",\"InitiatingProcessVersionInfoOriginalFileName\":\"svchost.exe\",\"InitiatingProcessVersionInfoProductName\":\"Microsoft® Windows® Operating System\",\"InitiatingProcessVersionInfoProductVersion\":\"10.0.19041.1806\",\"LogonId\":1443318,\"MD5\":\"b9d697df9e883f0d99720b0430448cb1\",\"MachineGroup\":\"UnassignedGroup\",\"ProcessCommandLine\":\"smartscreen.exe -Embedding\",\"ProcessCreationTime\":\"2022-11-09T17:59:52.0344972Z\",\"ProcessId\":6412,\"ProcessIntegrityLevel\":\"High\",\"ProcessTokenElevation\":\"TokenElevationTypeDefault\",\"ProcessVersionInfoCompanyName\":\"Microsoft Corporation\",\"ProcessVersionInfoFileDescription\":\"Windows Defender SmartScreen\",\"ProcessVersionInfoInternalFileName\":\"smartscreen.exe\",\"ProcessVersionInfoOriginalFileName\":\"smartscreen.exe\",\"ProcessVersionInfoProductName\":\"Microsoft® Windows® Operating System\",\"ProcessVersionInfoProductVersion\":\"10.0.19041.2251\",\"ReportId\":4824,\"SHA1\":\"9dec87de894f5228033f87cf874441502bfa4f97\",\"SHA256\":\"8011a5f4ac65d85cbe593bdad886449e3807d950b234e77c675a0f7ca3b7c781\",\"Timestamp\":\"2022-11-09T17:59:52.6265786Z\"},\"tenantId\":\"12345af3-bc0e-4f36-b08e-27759e912345\",\"time\":\"2022-11-09T18:03:21.9948950Z\"}", "type": [ - "end" + "start" ] }, "host": { @@ -1019,6 +1466,11 @@ } }, "process": { + "Ext": { + "token": { + "integrity_level_name": "System" + } + }, "args": [ "smartscreen.exe", "-Embedding" @@ -1041,7 +1493,9 @@ ], "args_count": 4, "code_signature": { - "status": "Valid" + "exists": true, + "status": "trusted", + "trusted": true }, "command_line": "svchost.exe -k DcomLaunch -p", "executable": "c:\\windows\\system32\\svchost.exe", 
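Review bot: The new `process.Ext.token.integrity_level_name: "System"` is attached to the wrong process in this ProcessCreated event: `process.*` here describes the created process (smartscreen.exe, pid 6412, whose `ProcessIntegrityLevel` in the original is `High`), while `System` is the `InitiatingProcessIntegrityLevel`, i.e. the parent's token. If the device pipeline copies the initiating-process value unconditionally, DeviceProcessEvents needs a branch that maps `ProcessIntegrityLevel` to `process.Ext.token.integrity_level_name` and leaves the initiating value on the parent (or only in `m365_defender.event.initiating_process.integrity_level`); otherwise rules that key on integrity level attribute the parent's token to the child. `process.Ext.*` is also not an ECS field, so fields.yml should carry a description such as `Endpoint-compatible token integrity level of the process (Low, Medium, High, System)`; I cannot confirm from this hunk whether it is declared. The enclosing event object starts and ends outside this hunk.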
@@ -1061,10 +1515,7 @@
 "description": "Host Process for Windows Services",
 "file_version": "10.0.19041.1806",
 "original_file_name": "svchost.exe",
- "product": "Microsoft® Windows® Operating System",
- "sections": {
- "physical_size": 55320
- }
+ "product": "Microsoft® Windows® Operating System"
 },
 "pid": 996,
 "start": "2022-11-09T17:39:34.119Z"
@@ -1074,10 +1525,7 @@
 "description": "Windows Defender SmartScreen",
 "file_version": "10.0.19041.2251",
 "original_file_name": "smartscreen.exe",
- "product": "Microsoft® Windows® Operating System",
- "sections": {
- "physical_size": 2387456
- }
+ "product": "Microsoft® Windows® Operating System"
 },
 "pid": 6412,
 "start": "2022-11-09T17:59:52.034Z"
@@ -1117,7 +1565,7 @@
 "version": "8.11.0"
 },
 "event": {
- "action": "registryvalueset",
+ "action": "modification",
 "category": [
 "registry"
 ],
@@ -1172,7 +1620,7 @@
 "registry_value_name": "Blob"
 },
 "registry": {
- "key": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\Windows Live ID Token Issuer\\Certificates\\B68D8F953E551914324E557E6164D68B9926650C",
+ "key": "SOFTWARE\\Microsoft\\SystemCertificates\\Windows Live ID Token Issuer\\Certificates\\B68D8F953E551914324E557E6164D68B9926650C",
 "value_name": "Blob",
 "value_type": "Binary"
 },
@@ -1212,16 +1660,17 @@
 "description": "Windows PowerShell",
 "file_version": "10.0.19041.546",
 "original_file_name": "PowerShell.EXE",
- "product": "Microsoft® Windows® Operating System",
- "sections": {
- "physical_size": 452608
- }
+ "product": "Microsoft® Windows® Operating System"
 },
 "pid": 5900,
 "start": "2022-11-09T19:17:20.415Z"
 },
 "registry": {
- "key": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\Windows Live ID Token Issuer\\Certificates\\B68D8F953E551914324E557E6164D68B9926650C",
+ "data": {
+ "type": "Binary"
+ },
+ "key": "SOFTWARE\\Microsoft\\SystemCertificates\\Windows Live ID Token Issuer\\Certificates\\B68D8F953E551914324E557E6164D68B9926650C",
+ "path": "SOFTWARE\\Microsoft\\SystemCertificates\\Windows Live ID Token Issuer\\Certificates\\B68D8F953E551914324E557E6164D68B9926650C\\Blob",
 "value": "Blob"
 },
 "related": {
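Review bot: The new `registry.path` drops the hive: it is emitted as `SOFTWARE\...\Certificates\B68D...\Blob`, but ECS defines `registry.path` as the full path including hive, key and value, and only `registry.key` as hive-relative. The source event carries `HKEY_LOCAL_MACHINE\SOFTWARE\...`, so the pipeline should keep the prefix it strips from `registry.key`, set `"hive": "HKLM"`, and build `"path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Windows Live ID Token Issuer\\Certificates\\B68D8F953E551914324E557E6164D68B9926650C\\Blob"`; Elastic's Endpoint and Sysmon registry rules match on the hive-prefixed form, so without it those rules will not fire on Defender events. Writes under `SystemCertificates` are exactly the kind of certificate-store tampering those rules look for, which makes this path worth getting right. The enclosing event object continues past the end of this hunk.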
@@ -1242,11 +1691,151 @@ "tags": [ "preserve_original_event", "preserve_duplicate_custom_fields" - ] + ], + "user": { + "domain": "nt authority", + "id": "S-1-5-18", + "name": "system" + } + }, + { + "@timestamp": "2024-05-08T15:23:15.822Z", + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "modification", + "category": [ + "registry" + ], + "kind": "event", + "original": "{\"Tenant\":\"DefaultTenant\",\"category\":\"AdvancedHunting-DeviceRegistryEvents\",\"operationName\":\"Publish\",\"properties\":{\"ActionType\":\"RegistryValueSet\",\"AppGuardContainerId\":\"\",\"DeviceId\":\"2af9e3da2eb7bd1b6c1fccb55ab5cd4cdec1e583\",\"DeviceName\":\"desktop-device3\",\"InitiatingProcessAccountDomain\":\"nt authority\",\"InitiatingProcessAccountName\":\"system\",\"InitiatingProcessAccountObjectId\":null,\"InitiatingProcessAccountSid\":\"S-1-5-18\",\"InitiatingProcessAccountUpn\":null,\"InitiatingProcessCommandLine\":\"\\\"MsSense.exe\\\"\",\"InitiatingProcessCreationTime\":\"2024-05-06T11:55:32.2214858Z\",\"InitiatingProcessFileName\":\"mssense.exe\",\"InitiatingProcessFileSize\":522184,\"InitiatingProcessFolderPath\":\"c:\\\\program files\\\\windows defender advanced threat protection\\\\mssense.exe\",\"InitiatingProcessId\":4688,\"InitiatingProcessIntegrityLevel\":\"System\",\"InitiatingProcessMD5\":\"71fc679ef0665dde1cbb72c95cecf894\",\"InitiatingProcessParentCreationTime\":\"2024-05-06T11:48:52.81722Z\",\"InitiatingProcessParentFileName\":\"services.exe\",\"InitiatingProcessParentId\":688,\"InitiatingProcessSHA1\":\"d608e39caae86429f9f45b7f9a1f0417222cf641\",\"InitiatingProcessSHA256\":\"1b32190da2ba5be59c35fa659cc063d1dd98a9f87d0b0a716f99fbc1c8433022\",\"InitiatingProcessTokenElevation\":\"TokenElevationTypeDefault\",\"InitiatingProcessVersionInfoCompanyName\":\"Microsoft Corporation\",\"InitiatingProcessVersionInfoFileDescription\":\"Windows Defender Advanced Threat Protection Service 
Executable\",\"InitiatingProcessVersionInfoInternalFileName\":\"MsSense.exe\",\"InitiatingProcessVersionInfoOriginalFileName\":\"MsSense.exe\",\"InitiatingProcessVersionInfoProductName\":\"Microsoft® Windows® Operating System\",\"InitiatingProcessVersionInfoProductVersion\":\"10.8737.26020.1018\",\"MachineGroup\":null,\"PreviousRegistryKey\":\"\",\"PreviousRegistryValueData\":null,\"PreviousRegistryValueName\":\"782655b2-0575-4aa2-82b8-7fd560afeff6\",\"RegistryKey\":\"HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\ControlSet001\\\\Control\\\\WMI\\\\Security\",\"RegistryValueData\":null,\"RegistryValueName\":\"782655b2-0575-4aa2-82b8-7fd560afeff6\",\"RegistryValueType\":\"Binary\",\"ReportId\":21669,\"Timestamp\":\"2024-05-08T15:23:15.8225851Z\"},\"tenantId\":\"12345af3-bc0e-4f36-b08e-27759e912345\",\"time\":\"2024-05-08T15:27:56.0452290Z\"}", + "type": [ + "change" + ] + }, + "host": { + "id": "2af9e3da2eb7bd1b6c1fccb55ab5cd4cdec1e583", + "name": "desktop-device3" + }, + "m365_defender": { + "event": { + "action": { + "type": "RegistryValueSet" + }, + "category": "AdvancedHunting-DeviceRegistryEvents", + "device": { + "id": "2af9e3da2eb7bd1b6c1fccb55ab5cd4cdec1e583", + "name": "desktop-device3" + }, + "initiating_process": { + "account_domain": "nt authority", + "account_name": "system", + "account_sid": "S-1-5-18", + "command_line": "\"MsSense.exe\"", + "creation_time": "2024-05-06T11:55:32.221Z", + "file_name": "mssense.exe", + "file_size": 522184, + "folder_path": "c:\\program files\\windows defender advanced threat protection\\mssense.exe", + "id": 4688, + "integrity_level": "System", + "md5": "71fc679ef0665dde1cbb72c95cecf894", + "parent_creation_time": "2024-05-06T11:48:52.817Z", + "parent_file_name": "services.exe", + "parent_id": 688, + "sha1": "d608e39caae86429f9f45b7f9a1f0417222cf641", + "sha256": "1b32190da2ba5be59c35fa659cc063d1dd98a9f87d0b0a716f99fbc1c8433022", + "token_elevation": "TokenElevationTypeDefault", + "version_info_company_name": "Microsoft Corporation", + 
"version_info_file_description": "Windows Defender Advanced Threat Protection Service Executable", + "version_info_internal_file_name": "MsSense.exe", + "version_info_original_file_name": "MsSense.exe", + "version_info_product_name": "Microsoft® Windows® Operating System", + "version_info_product_version": "10.8737.26020.1018" + }, + "operation_name": "Publish", + "previous": { + "registry_value_name": "782655b2-0575-4aa2-82b8-7fd560afeff6" + }, + "registry": { + "key": "SYSTEM\\ControlSet001\\Control\\WMI\\Security", + "value_name": "782655b2-0575-4aa2-82b8-7fd560afeff6", + "value_type": "Binary" + }, + "report_id": "21669", + "tenant": { + "id": "12345af3-bc0e-4f36-b08e-27759e912345", + "name": "DefaultTenant" + }, + "time": "2024-05-08T15:27:56.045Z", + "timestamp": "2024-05-08T15:23:15.822Z" + } + }, + "process": { + "args": [ + "MsSense.exe" + ], + "args_count": 1, + "command_line": "\"MsSense.exe\"", + "executable": "c:\\program files\\windows defender advanced threat protection\\mssense.exe", + "hash": { + "md5": "71fc679ef0665dde1cbb72c95cecf894", + "sha1": "d608e39caae86429f9f45b7f9a1f0417222cf641", + "sha256": "1b32190da2ba5be59c35fa659cc063d1dd98a9f87d0b0a716f99fbc1c8433022" + }, + "name": "mssense.exe", + "parent": { + "name": "services.exe", + "pid": 688, + "start": "2024-05-06T11:48:52.817Z" + }, + "pe": { + "company": "Microsoft Corporation", + "description": "Windows Defender Advanced Threat Protection Service Executable", + "file_version": "10.8737.26020.1018", + "original_file_name": "MsSense.exe", + "product": "Microsoft® Windows® Operating System" + }, + "pid": 4688, + "start": "2024-05-06T11:55:32.221Z" + }, + "registry": { + "data": { + "type": "Binary" + }, + "key": "SYSTEM\\ControlSet001\\Control\\WMI\\Security", + "path": "SYSTEM\\ControlSet001\\Control\\WMI\\Security\\782655b2-0575-4aa2-82b8-7fd560afeff6", + "value": "782655b2-0575-4aa2-82b8-7fd560afeff6" + }, + "related": { + "hash": [ + "71fc679ef0665dde1cbb72c95cecf894", + 
"d608e39caae86429f9f45b7f9a1f0417222cf641", + "1b32190da2ba5be59c35fa659cc063d1dd98a9f87d0b0a716f99fbc1c8433022" + ], + "hosts": [ + "2af9e3da2eb7bd1b6c1fccb55ab5cd4cdec1e583", + "desktop-device3", + "nt authority" + ], + "user": [ + "system" + ] + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "user": { + "domain": "nt authority", + "id": "S-1-5-18", + "name": "system" + } }, { "@timestamp": "2023-07-19T12:17:42.778Z", "destination": { + "address": "175.16.199.0", "geo": { "city_name": "Changchun", "continent_name": "Asia", @@ -1382,10 +1971,7 @@ "description": "Microsoft Edge WebView2", "file_version": "114.0.1823.79", "original_file_name": "msedgewebview2.exe", - "product": "Microsoft Edge WebView2", - "sections": { - "physical_size": 3657056 - } + "product": "Microsoft Edge WebView2" }, "pid": 17916, "start": "2023-08-09T18:43:00.081Z" @@ -1433,11 +2019,17 @@ "extension": "tld", "original": "subdomain.domain.tld", "path": "subdomain.domain.tld" + }, + "user": { + "domain": "corporatedomain", + "id": "S-1-5-21-57989841-2025429265-839522115-329672", + "name": "username" } }, { "@timestamp": "2023-07-19T12:16:10.748Z", "destination": { + "address": "175.16.199.0", "geo": { "city_name": "Changchun", "continent_name": "Asia", @@ -1453,6 +2045,22 @@ "ip": "175.16.199.0", "port": 53 }, + "dns": { + "answers": [ + "89.160.20.112" + ], + "header_flags": [ + "AA", + "RD", + "RA" + ], + "question": { + "class": "C_INTERNET", + "name": "janeslaptop1.corporatedomain", + "type": "A" + }, + "response_code": "NOERROR" + }, "ecs": { "version": "8.11.0" }, 
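Review bot: In the `@@ -1453` hunk `dns.answers` is emitted as a bare array of strings (`["89.160.20.112"]`), but ECS models `dns.answers` as an array of objects (`data`, `type`, `class`, `ttl`), so this value will not match the ECS mapping and rules that reference `dns.answers.data` will miss. The `answers` and `TTLs` lists in `AdditionalFields` should be zipped into objects such as `{"data": "89.160.20.112", "ttl": 1200}`, and each IP-typed answer copied to `dns.resolved_ip` (and `related.ip`, if the pipeline does not already do so — I cannot confirm from this hunk), since `dns.resolved_ip` is what most DNS detection rules key on. Setting `dns.type: "answer"` when `rcode`/`answers` are present would also let the query/answer rules distinguish this record.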
@@ -1462,7 +2070,10 @@ "network" ], "kind": "event", - "original": "{\"Tenant\":\"DefaultTenant\",\"category\":\"AdvancedHunting-DeviceNetworkEvents\",\"operationName\":\"Publish\",\"properties\":{\"Timestamp\": \"2023-07-19T12:16:10.7489034Z\",\"DeviceId\": \"22bb10ffe3104214b20fc7de339a2b053e915e5c\",\"DeviceName\": \"janeslaptop1.corporatedomain\",\"ActionType\": \"DnsConnectionInspected\",\"RemoteIP\": \"175.16.199.0\",\"RemotePort\": 53,\"RemoteUrl\":null,\"LocalIP\": \"89.160.20.112\",\"LocalPort\": 54125,\"Protocol\": \"Udp\",\"LocalIPType\":null,\"RemoteIPType\":null,\"InitiatingProcessSHA1\":null,\"InitiatingProcessSHA256\":null,\"InitiatingProcessMD5\":null,\"InitiatingProcessFileName\":null,\"InitiatingProcessFileSize\":null,\"InitiatingProcessVersionInfoCompanyName\":null,\"InitiatingProcessVersionInfoProductName\":null,\"InitiatingProcessVersionInfoProductVersion\":null,\"InitiatingProcessVersionInfoInternalFileName\":null,\"InitiatingProcessVersionInfoOriginalFileName\":null,\"InitiatingProcessVersionInfoFileDescription\":null,\"InitiatingProcessId\": 0,\"InitiatingProcessCommandLine\":null,\"InitiatingProcessCreationTime\":null,\"InitiatingProcessFolderPath\":null,\"InitiatingProcessParentFileName\":null,\"InitiatingProcessParentId\": 0,\"InitiatingProcessParentCreationTime\":null,\"InitiatingProcessAccountDomain\":null,\"InitiatingProcessAccountName\":null,\"InitiatingProcessAccountSid\":null,\"InitiatingProcessAccountUpn\":null,\"InitiatingProcessAccountObjectId\":null,\"InitiatingProcessIntegrityLevel\":null,\"InitiatingProcessTokenElevation\": \"None\",\"ReportId\": 19542,\"AppGuardContainerId\":null,\"AdditionalFields\": { \"direction\": \"Out\", \"trans_id\": \"18296\", \"rtt\": \"0.05926012992858887\", \"query\": \"janeslaptop1.corporatedomain\", \"qclass\": \"1\", \"qclass_name\": \"C_INTERNET\", \"qtype\": \"1\", \"qtype_name\": \"A\", \"rcode\": \"0\", \"uid\": \"CpeJkh3698EpWwy4Z9\", \"rcode_name\": \"NOERROR\", \"AA\": \"true\", \"TC\": 
\"false\", \"RD\": \"true\", \"RA\": \"true\", \"answers\": \"[\\\"89.160.20.112\\\"]\", \"TTLs\": \"[1200.0]\", \"rejected\": \"false\", \"ts\": \"133370937691236740\"}},\"tenantId\":\"12345af3-bc0e-4f36-b08e-27759e912345\",\"time\":\"2023-07-19T18:03:22.9948950Z\"}" + "original": "{\"Tenant\":\"DefaultTenant\",\"category\":\"AdvancedHunting-DeviceNetworkEvents\",\"operationName\":\"Publish\",\"properties\":{\"Timestamp\": \"2023-07-19T12:16:10.7489034Z\",\"DeviceId\": \"22bb10ffe3104214b20fc7de339a2b053e915e5c\",\"DeviceName\": \"janeslaptop1.corporatedomain\",\"ActionType\": \"DnsConnectionInspected\",\"RemoteIP\": \"175.16.199.0\",\"RemotePort\": 53,\"RemoteUrl\":null,\"LocalIP\": \"89.160.20.112\",\"LocalPort\": 54125,\"Protocol\": \"Udp\",\"LocalIPType\":null,\"RemoteIPType\":null,\"InitiatingProcessSHA1\":null,\"InitiatingProcessSHA256\":null,\"InitiatingProcessMD5\":null,\"InitiatingProcessFileName\":null,\"InitiatingProcessFileSize\":null,\"InitiatingProcessVersionInfoCompanyName\":null,\"InitiatingProcessVersionInfoProductName\":null,\"InitiatingProcessVersionInfoProductVersion\":null,\"InitiatingProcessVersionInfoInternalFileName\":null,\"InitiatingProcessVersionInfoOriginalFileName\":null,\"InitiatingProcessVersionInfoFileDescription\":null,\"InitiatingProcessId\": 0,\"InitiatingProcessCommandLine\":null,\"InitiatingProcessCreationTime\":null,\"InitiatingProcessFolderPath\":null,\"InitiatingProcessParentFileName\":null,\"InitiatingProcessParentId\": 0,\"InitiatingProcessParentCreationTime\":null,\"InitiatingProcessAccountDomain\":null,\"InitiatingProcessAccountName\":null,\"InitiatingProcessAccountSid\":null,\"InitiatingProcessAccountUpn\":null,\"InitiatingProcessAccountObjectId\":null,\"InitiatingProcessIntegrityLevel\":null,\"InitiatingProcessTokenElevation\": \"None\",\"ReportId\": 19542,\"AppGuardContainerId\":null,\"AdditionalFields\": { \"direction\": \"Out\", \"trans_id\": \"18296\", \"rtt\": \"0.05926012992858887\", \"query\": 
\"janeslaptop1.corporatedomain\", \"qclass\": \"1\", \"qclass_name\": \"C_INTERNET\", \"qtype\": \"1\", \"qtype_name\": \"A\", \"rcode\": \"0\", \"uid\": \"CpeJkh3698EpWwy4Z9\", \"rcode_name\": \"NOERROR\", \"AA\": \"true\", \"TC\": \"false\", \"RD\": \"true\", \"RA\": \"true\", \"answers\": \"[\\\"89.160.20.112\\\"]\", \"TTLs\": \"[1200.0]\", \"rejected\": \"false\", \"ts\": \"133370937691236740\"}},\"tenantId\":\"12345af3-bc0e-4f36-b08e-27759e912345\",\"time\":\"2023-07-19T18:03:22.9948950Z\"}", + "type": [ + "protocol" + ] }, "host": { "id": "22bb10ffe3104214b20fc7de339a2b053e915e5c", @@ -1479,14 +2090,9 @@ "RD": "true", "TC": "false", "TTLs": "[1200.0]", - "answers": "[\"89.160.20.112\"]", "qclass": "1", - "qclass_name": "C_INTERNET", "qtype": "1", - "qtype_name": "A", - "query": "janeslaptop1.corporatedomain", "rcode": "0", - "rcode_name": "NOERROR", "rejected": "false", "rtt": "0.05926012992858887", "trans_id": "18296", @@ -1498,6 +2104,20 @@ "id": "22bb10ffe3104214b20fc7de339a2b053e915e5c", "name": "janeslaptop1.corporatedomain" }, + "dns": { + "answers": [ + "89.160.20.112" + ], + "header_flags": [ + "AA", + "RD", + "RA" + ], + "qclass_name": "C_INTERNET", + "qtype_name": "A", + "query": "janeslaptop1.corporatedomain", + "rcode_name": "NOERROR" + }, "initiating_process": { "id": 0, "parent_id": 0, @@ -1525,7 +2145,7 @@ }, "network": { "direction": "outbound", - "protocol": "udp" + "protocol": "dns" }, "process": { "parent": { @@ -1567,6 +2187,7 @@ { "@timestamp": "2023-07-19T12:16:28.623Z", "destination": { + "address": "89.160.20.112", "geo": { "city_name": "Linköping", "continent_name": "Europe", 
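Review bot: Replacing `network.protocol: "udp"` with `"dns"` in the `@@ -1525` hunk is correct, but the transport must not be lost in the process: the source `Protocol: "Udp"` belongs in `"transport": "udp"` under `network`, and this hunk shows no such line (it may exist outside the hunk — please confirm). Rules that filter DNS over TCP versus UDP, and the ECS `network.protocol`/`network.transport` split generally, depend on both fields being populated.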
@@ -1591,7 +2212,10 @@ "network" ], "kind": "event", - "original": "{\"Tenant\":\"DefaultTenant\",\"category\":\"AdvancedHunting-DeviceNetworkEvents\",\"operationName\":\"Publish\",\"properties\":{\"Timestamp\": \"2023-07-19T12:16:28.6231143Z\",\"DeviceId\": \"22bb10ffe3104214b20fc7de339a2b053e915e5c\",\"DeviceName\": \"janeslaptop1.corporatedomain\",\"ActionType\": \"NtlmAuthenticationInspected\",\"RemoteIP\": \"175.16.199.0\",\"RemotePort\": 135,\"RemoteUrl\":null,\"LocalIP\": \"89.160.20.112\",\"LocalPort\": 55514,\"Protocol\": \"Tcp\",\"LocalIPType\":null,\"RemoteIPType\":null,\"InitiatingProcessSHA1\":null,\"InitiatingProcessSHA256\":null,\"InitiatingProcessMD5\":null,\"InitiatingProcessFileName\":null,\"InitiatingProcessFileSize\":null,\"InitiatingProcessVersionInfoCompanyName\":null,\"InitiatingProcessVersionInfoProductName\":null,\"InitiatingProcessVersionInfoProductVersion\":null,\"InitiatingProcessVersionInfoInternalFileName\":null,\"InitiatingProcessVersionInfoOriginalFileName\":null,\"InitiatingProcessVersionInfoFileDescription\":null,\"InitiatingProcessId\": 0,\"InitiatingProcessCommandLine\":null,\"InitiatingProcessCreationTime\":null,\"InitiatingProcessFolderPath\":null,\"InitiatingProcessParentFileName\":null,\"InitiatingProcessParentId\": 0,\"InitiatingProcessParentCreationTime\":null,\"InitiatingProcessAccountDomain\":null,\"InitiatingProcessAccountName\":null,\"InitiatingProcessAccountSid\":null,\"InitiatingProcessAccountUpn\":null,\"InitiatingProcessAccountObjectId\":null,\"InitiatingProcessIntegrityLevel\":null,\"InitiatingProcessTokenElevation\": \"None\",\"ReportId\": 33108,\"AppGuardContainerId\":null,\"AdditionalFields\": { \"direction\": \"In\", \"server_nb_computer_name\": \"hostname\", \"server_nb_domain_name\": \"corporatedomain\", \"server_dns_computer_name\": \"janeslaptop1.corporatedomain\", \"server_dns_domain_name\": \"corporatedomain\", \"server_tree_name\": \"corporatedomain\", \"uid\": \"Cd6CKC1yC7AvYHXnq\", \"server_version\": 
\"10.0 22621 15\", \"ts\": \"133370931234950000\"}},\"tenantId\":\"12345af3-bc0e-4f36-b08e-27759e912345\",\"time\":\"2023-07-19T18:03:23.9948950Z\"}" + "original": "{\"Tenant\":\"DefaultTenant\",\"category\":\"AdvancedHunting-DeviceNetworkEvents\",\"operationName\":\"Publish\",\"properties\":{\"Timestamp\": \"2023-07-19T12:16:28.6231143Z\",\"DeviceId\": \"22bb10ffe3104214b20fc7de339a2b053e915e5c\",\"DeviceName\": \"janeslaptop1.corporatedomain\",\"ActionType\": \"NtlmAuthenticationInspected\",\"RemoteIP\": \"175.16.199.0\",\"RemotePort\": 135,\"RemoteUrl\":null,\"LocalIP\": \"89.160.20.112\",\"LocalPort\": 55514,\"Protocol\": \"Tcp\",\"LocalIPType\":null,\"RemoteIPType\":null,\"InitiatingProcessSHA1\":null,\"InitiatingProcessSHA256\":null,\"InitiatingProcessMD5\":null,\"InitiatingProcessFileName\":null,\"InitiatingProcessFileSize\":null,\"InitiatingProcessVersionInfoCompanyName\":null,\"InitiatingProcessVersionInfoProductName\":null,\"InitiatingProcessVersionInfoProductVersion\":null,\"InitiatingProcessVersionInfoInternalFileName\":null,\"InitiatingProcessVersionInfoOriginalFileName\":null,\"InitiatingProcessVersionInfoFileDescription\":null,\"InitiatingProcessId\": 0,\"InitiatingProcessCommandLine\":null,\"InitiatingProcessCreationTime\":null,\"InitiatingProcessFolderPath\":null,\"InitiatingProcessParentFileName\":null,\"InitiatingProcessParentId\": 0,\"InitiatingProcessParentCreationTime\":null,\"InitiatingProcessAccountDomain\":null,\"InitiatingProcessAccountName\":null,\"InitiatingProcessAccountSid\":null,\"InitiatingProcessAccountUpn\":null,\"InitiatingProcessAccountObjectId\":null,\"InitiatingProcessIntegrityLevel\":null,\"InitiatingProcessTokenElevation\": \"None\",\"ReportId\": 33108,\"AppGuardContainerId\":null,\"AdditionalFields\": { \"direction\": \"In\", \"server_nb_computer_name\": \"hostname\", \"server_nb_domain_name\": \"corporatedomain\", \"server_dns_computer_name\": \"janeslaptop1.corporatedomain\", \"server_dns_domain_name\": 
\"corporatedomain\", \"server_tree_name\": \"corporatedomain\", \"uid\": \"Cd6CKC1yC7AvYHXnq\", \"server_version\": \"10.0 22621 15\", \"ts\": \"133370931234950000\"}},\"tenantId\":\"12345af3-bc0e-4f36-b08e-27759e912345\",\"time\":\"2023-07-19T18:03:23.9948950Z\"}", + "type": [ + "info" + ] }, "host": { "id": "22bb10ffe3104214b20fc7de339a2b053e915e5c", @@ -1686,6 +2310,7 @@ { "@timestamp": "2023-07-19T12:16:46.717Z", "destination": { + "address": "175.16.199.0", "geo": { "city_name": "Changchun", "continent_name": "Asia", @@ -1799,6 +2424,7 @@ { "@timestamp": "2023-07-19T12:20:29.940Z", "destination": { + "address": "175.16.199.0", "geo": { "city_name": "Changchun", "continent_name": "Asia", 
@@ -1823,7 +2449,10 @@ "network" ], "kind": "event", - "original": "{\"Tenant\":\"DefaultTenant\",\"category\":\"AdvancedHunting-DeviceNetworkEvents\",\"operationName\":\"Publish\",\"properties\":{\"Timestamp\": \"2023-07-19T12:20:29.9404916Z\",\"DeviceId\": \"22bb10ffe3104214b20fc7de339a2b053e915e5c\",\"DeviceName\": \"janeslaptop1.corporatedomain\",\"ActionType\": \"HttpConnectionInspected\",\"RemoteIP\": \"175.16.199.0\",\"RemotePort\": 8080,\"RemoteUrl\":null,\"LocalIP\": \"89.160.20.112\",\"LocalPort\": 65132,\"Protocol\": \"Tcp\",\"LocalIPType\":null,\"RemoteIPType\":null,\"InitiatingProcessSHA1\":null,\"InitiatingProcessSHA256\":null,\"InitiatingProcessMD5\":null,\"InitiatingProcessFileName\":null,\"InitiatingProcessFileSize\":null,\"InitiatingProcessVersionInfoCompanyName\":null,\"InitiatingProcessVersionInfoProductName\":null,\"InitiatingProcessVersionInfoProductVersion\":null,\"InitiatingProcessVersionInfoInternalFileName\":null,\"InitiatingProcessVersionInfoOriginalFileName\":null,\"InitiatingProcessVersionInfoFileDescription\":null,\"InitiatingProcessId\": 0,\"InitiatingProcessCommandLine\":null,\"InitiatingProcessCreationTime\":null,\"InitiatingProcessFolderPath\":null,\"InitiatingProcessParentFileName\":null,\"InitiatingProcessParentId\": 0,\"InitiatingProcessParentCreationTime\":null,\"InitiatingProcessAccountDomain\":null,\"InitiatingProcessAccountName\":null,\"InitiatingProcessAccountSid\":null,\"InitiatingProcessAccountUpn\":null,\"InitiatingProcessAccountObjectId\":null,\"InitiatingProcessIntegrityLevel\":null,\"InitiatingProcessTokenElevation\": \"None\",\"ReportId\": 19673,\"AppGuardContainerId\":null,\"AdditionalFields\": \"{\\\"direction\\\":\\\"Out\\\",\\\"host\\\":\\\"www.gstatic.com\\\",\\\"method\\\":\\\"CONNECT\\\",\\\"proxied\\\":\\\"[\\\\\\\"PROXY-CONNECTION -> keep-alive\\\\\\\"]\\\",\\\"request_body_len\\\":\\\"0\\\",\\\"response_body_len\\\":\\\"0\\\",\\\"status_code\\\":\\\"200\\\",\\\"status_msg\\\":\\\"Connection 
established\\\",\\\"tags\\\":\\\"[]\\\",\\\"trans_depth\\\":\\\"1\\\",\\\"uri\\\":\\\"www.gstatic.com:443\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0\\\"}\"},\"tenantId\":\"12345af3-bc0e-4f36-b08e-27759e912345\",\"time\":\"2023-07-19T18:03:25.9948950Z\"}" + "original": "{\"Tenant\":\"DefaultTenant\",\"category\":\"AdvancedHunting-DeviceNetworkEvents\",\"operationName\":\"Publish\",\"properties\":{\"Timestamp\": \"2023-07-19T12:20:29.9404916Z\",\"DeviceId\": \"22bb10ffe3104214b20fc7de339a2b053e915e5c\",\"DeviceName\": \"janeslaptop1.corporatedomain\",\"ActionType\": \"HttpConnectionInspected\",\"RemoteIP\": \"175.16.199.0\",\"RemotePort\": 8080,\"RemoteUrl\":null,\"LocalIP\": \"89.160.20.112\",\"LocalPort\": 65132,\"Protocol\": \"Tcp\",\"LocalIPType\":null,\"RemoteIPType\":null,\"InitiatingProcessSHA1\":null,\"InitiatingProcessSHA256\":null,\"InitiatingProcessMD5\":null,\"InitiatingProcessFileName\":null,\"InitiatingProcessFileSize\":null,\"InitiatingProcessVersionInfoCompanyName\":null,\"InitiatingProcessVersionInfoProductName\":null,\"InitiatingProcessVersionInfoProductVersion\":null,\"InitiatingProcessVersionInfoInternalFileName\":null,\"InitiatingProcessVersionInfoOriginalFileName\":null,\"InitiatingProcessVersionInfoFileDescription\":null,\"InitiatingProcessId\": 0,\"InitiatingProcessCommandLine\":null,\"InitiatingProcessCreationTime\":null,\"InitiatingProcessFolderPath\":null,\"InitiatingProcessParentFileName\":null,\"InitiatingProcessParentId\": 0,\"InitiatingProcessParentCreationTime\":null,\"InitiatingProcessAccountDomain\":null,\"InitiatingProcessAccountName\":null,\"InitiatingProcessAccountSid\":null,\"InitiatingProcessAccountUpn\":null,\"InitiatingProcessAccountObjectId\":null,\"InitiatingProcessIntegrityLevel\":null,\"InitiatingProcessTokenElevation\": \"None\",\"ReportId\": 19673,\"AppGuardContainerId\":null,\"AdditionalFields\": 
\"{\\\"direction\\\":\\\"Out\\\",\\\"host\\\":\\\"www.gstatic.com\\\",\\\"method\\\":\\\"CONNECT\\\",\\\"proxied\\\":\\\"[\\\\\\\"PROXY-CONNECTION -> keep-alive\\\\\\\"]\\\",\\\"request_body_len\\\":\\\"0\\\",\\\"response_body_len\\\":\\\"0\\\",\\\"status_code\\\":\\\"200\\\",\\\"status_msg\\\":\\\"Connection established\\\",\\\"tags\\\":\\\"[]\\\",\\\"trans_depth\\\":\\\"1\\\",\\\"uri\\\":\\\"www.gstatic.com:443\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0\\\"}\"},\"tenantId\":\"12345af3-bc0e-4f36-b08e-27759e912345\",\"time\":\"2023-07-19T18:03:25.9948950Z\"}", + "type": [ + "info" + ] }, "host": { "id": "22bb10ffe3104214b20fc7de339a2b053e915e5c", @@ -1921,6 +2550,7 @@ { "@timestamp": "2023-07-19T12:16:55.952Z", "destination": { + "address": "175.16.199.0", "geo": { "city_name": "Changchun", "continent_name": "Asia", 
@@ -1947,7 +2577,7 @@ "kind": "event", "original": "{\"Tenant\":\"DefaultTenant\",\"category\":\"AdvancedHunting-DeviceNetworkEvents\",\"operationName\":\"Publish\",\"properties\":{\"Timestamp\": \"2023-07-19T12:16:55.9520799Z\",\"DeviceId\": \"22bb10ffe3104214b20fc7de339a2b053e915e5c\",\"DeviceName\": \"janeslaptop1.corporatedomain\",\"ActionType\": \"ConnectionSuccess\",\"RemoteIP\": \"175.16.199.0\",\"RemotePort\": 8080,\"RemoteUrl\": \"url.com\",\"LocalIP\": \"89.160.20.112\",\"LocalPort\": 50830,\"Protocol\": \"Tcp\",\"LocalIPType\": \"Private\",\"RemoteIPType\": \"Private\",\"InitiatingProcessSHA1\": \"071336f8df7d581188f59c3e8edd21e57f11c146\",\"InitiatingProcessSHA256\": \"fe0ddd41ed02f1faa59526c53178c8366d9c90a777619eaaf7b7e5656f3ea4cb\",\"InitiatingProcessMD5\": \"7448f851eb4e9b2fbfc46b2b49daf43f\",\"InitiatingProcessFileName\": \"msoia.exe\",\"InitiatingProcessFileSize\": 8522792,\"InitiatingProcessVersionInfoCompanyName\": \"Microsoft Corporation\",\"InitiatingProcessVersionInfoProductName\": \"Microsoft Office\",\"InitiatingProcessVersionInfoProductVersion\": \"16.0.123456.123456\",\"InitiatingProcessVersionInfoInternalFileName\": \"msoia\",\"InitiatingProcessVersionInfoOriginalFileName\": \"msoia.exe\",\"InitiatingProcessVersionInfoFileDescription\": \"Office Telemetry Dashboard Agent (OTD msoia)\",\"InitiatingProcessId\": 65498,\"InitiatingProcessCommandLine\": \"msoia.exe\\\" scan upload\",\"InitiatingProcessCreationTime\": \"2023-07-19T12:16:56.1160286Z\",\"InitiatingProcessFolderPath\": \"c:\\\\program files\\\\mozilla firefox\\\\firefox.exe\",\"InitiatingProcessParentFileName\": \"firefox.exe\",\"InitiatingProcessParentId\": 65498,\"InitiatingProcessParentCreationTime\": \"2023-07-19T12:16:56.0455613Z\",\"InitiatingProcessAccountDomain\": \"corporatedomain\",\"InitiatingProcessAccountName\": \"username\",\"InitiatingProcessAccountSid\": \"S-1-5-21-57989841-2025429265-839522115-325552\",\"InitiatingProcessAccountUpn\": 
\"email@domain\",\"InitiatingProcessAccountObjectId\": \"e2157d1b-258b-4027-9f6f-76514c05c048\",\"InitiatingProcessIntegrityLevel\": \"Medium\",\"InitiatingProcessTokenElevation\": \"TokenElevationTypeDefault\",\"ReportId\": 29293,\"AppGuardContainerId\":null,\"AdditionalFields\":null},\"tenantId\":\"12345af3-bc0e-4f36-b08e-27759e912345\",\"time\":\"2023-07-19T18:03:26.9948950Z\"}", "type": [ - "end" + "start" ] }, "host": { @@ -2040,10 +2670,7 @@ "description": "Office Telemetry Dashboard Agent (OTD msoia)", "file_version": "16.0.123456.123456", "original_file_name": "msoia.exe", - "product": "Microsoft Office", - "sections": { - "physical_size": 8522792 - } + "product": "Microsoft Office" }, "pid": 65498, "start": "2023-07-19T12:16:56.116Z" @@ -2091,11 +2718,17 @@ "extension": "com", "original": "url.com", "path": "url.com" + }, + "user": { + "domain": "corporatedomain", + "id": "S-1-5-21-57989841-2025429265-839522115-325552", + "name": "username" } }, { "@timestamp": "2023-07-19T12:16:25.741Z", "destination": { + "address": "175.16.199.0", "geo": { "city_name": "Changchun", "continent_name": "Asia", 
@@ -2120,7 +2753,10 @@ "network" ], "kind": "event", - "original": "{\"Tenant\":\"DefaultTenant\",\"category\":\"AdvancedHunting-DeviceNetworkEvents\",\"operationName\":\"Publish\",\"properties\":{\"Timestamp\": \"2023-07-19T12:16:25.7414522Z\",\"DeviceId\": \"22bb10ffe3104214b20fc7de339a2b053e915e5c\",\"DeviceName\": \"janeslaptop1.corporatedomain\",\"ActionType\": \"SslConnectionInspected\",\"RemoteIP\": \"175.16.199.0\",\"RemotePort\": 8531,\"RemoteUrl\":null,\"LocalIP\": \"89.160.20.112\",\"LocalPort\": 53645,\"Protocol\": \"Tcp\",\"LocalIPType\":null,\"RemoteIPType\":null,\"InitiatingProcessSHA1\":null,\"InitiatingProcessSHA256\":null,\"InitiatingProcessMD5\":null,\"InitiatingProcessFileName\":null,\"InitiatingProcessFileSize\":null,\"InitiatingProcessVersionInfoCompanyName\":null,\"InitiatingProcessVersionInfoProductName\":null,\"InitiatingProcessVersionInfoProductVersion\":null,\"InitiatingProcessVersionInfoInternalFileName\":null,\"InitiatingProcessVersionInfoOriginalFileName\":null,\"InitiatingProcessVersionInfoFileDescription\":null,\"InitiatingProcessId\": 0,\"InitiatingProcessCommandLine\":null,\"InitiatingProcessCreationTime\":null,\"InitiatingProcessFolderPath\":null,\"InitiatingProcessParentFileName\":null,\"InitiatingProcessParentId\": 0,\"InitiatingProcessParentCreationTime\":null,\"InitiatingProcessAccountDomain\":null,\"InitiatingProcessAccountName\":null,\"InitiatingProcessAccountSid\":null,\"InitiatingProcessAccountUpn\":null,\"InitiatingProcessAccountObjectId\":null,\"InitiatingProcessIntegrityLevel\":null,\"InitiatingProcessTokenElevation\": \"None\",\"ReportId\": 6694,\"AppGuardContainerId\":null,\"AdditionalFields\": { \"direction\": \"Out\", \"version\": \"TLSv12\", \"curve\": \"secp384r1\", \"server_name\": \"janeslaptop1.corporatedomain\", \"resumed\": \"false\", \"next_protocol\": \"h2\", \"established\": \"true\", \"subject\": \"CN=janeslaptop1.corporatedomain,O=Company,C=US\", \"uid\": \"CmHkX031vK8QoEJ3O7\", \"issuer\": \"CN=Company 
System CA 22,O=Company,C=US\", \"cipher\": \"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384\", \"ts\": \"133370123850310000\"}},\"tenantId\":\"12345af3-bc0e-4f36-b08e-27759e912345\",\"time\":\"2023-07-19T18:03:27.9948950Z\"}" + "original": "{\"Tenant\":\"DefaultTenant\",\"category\":\"AdvancedHunting-DeviceNetworkEvents\",\"operationName\":\"Publish\",\"properties\":{\"Timestamp\": \"2023-07-19T12:16:25.7414522Z\",\"DeviceId\": \"22bb10ffe3104214b20fc7de339a2b053e915e5c\",\"DeviceName\": \"janeslaptop1.corporatedomain\",\"ActionType\": \"SslConnectionInspected\",\"RemoteIP\": \"175.16.199.0\",\"RemotePort\": 8531,\"RemoteUrl\":null,\"LocalIP\": \"89.160.20.112\",\"LocalPort\": 53645,\"Protocol\": \"Tcp\",\"LocalIPType\":null,\"RemoteIPType\":null,\"InitiatingProcessSHA1\":null,\"InitiatingProcessSHA256\":null,\"InitiatingProcessMD5\":null,\"InitiatingProcessFileName\":null,\"InitiatingProcessFileSize\":null,\"InitiatingProcessVersionInfoCompanyName\":null,\"InitiatingProcessVersionInfoProductName\":null,\"InitiatingProcessVersionInfoProductVersion\":null,\"InitiatingProcessVersionInfoInternalFileName\":null,\"InitiatingProcessVersionInfoOriginalFileName\":null,\"InitiatingProcessVersionInfoFileDescription\":null,\"InitiatingProcessId\": 0,\"InitiatingProcessCommandLine\":null,\"InitiatingProcessCreationTime\":null,\"InitiatingProcessFolderPath\":null,\"InitiatingProcessParentFileName\":null,\"InitiatingProcessParentId\": 0,\"InitiatingProcessParentCreationTime\":null,\"InitiatingProcessAccountDomain\":null,\"InitiatingProcessAccountName\":null,\"InitiatingProcessAccountSid\":null,\"InitiatingProcessAccountUpn\":null,\"InitiatingProcessAccountObjectId\":null,\"InitiatingProcessIntegrityLevel\":null,\"InitiatingProcessTokenElevation\": \"None\",\"ReportId\": 6694,\"AppGuardContainerId\":null,\"AdditionalFields\": { \"direction\": \"Out\", \"version\": \"TLSv12\", \"curve\": \"secp384r1\", \"server_name\": \"janeslaptop1.corporatedomain\", \"resumed\": \"false\", 
\"next_protocol\": \"h2\", \"established\": \"true\", \"subject\": \"CN=janeslaptop1.corporatedomain,O=Company,C=US\", \"uid\": \"CmHkX031vK8QoEJ3O7\", \"issuer\": \"CN=Company System CA 22,O=Company,C=US\", \"cipher\": \"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384\", \"ts\": \"133370123850310000\"}},\"tenantId\":\"12345af3-bc0e-4f36-b08e-27759e912345\",\"time\":\"2023-07-19T18:03:27.9948950Z\"}",
+ "type": [
+ "info"
+ ]
 },
 "host": {
 "id": "22bb10ffe3104214b20fc7de339a2b053e915e5c",
@@ -2218,6 +2854,7 @@
 {
 "@timestamp": "2023-07-19T14:30:34.595Z",
 "destination": {
+ "address": "175.16.199.0",
 "geo": {
 "city_name": "Changchun",
 "continent_name": "Asia",
@@ -2244,7 +2881,7 @@ "kind": "event", "original": "{\"Tenant\":\"DefaultTenant\",\"category\":\"AdvancedHunting-DeviceNetworkEvents\",\"operationName\":\"Publish\",\"properties\":{\"Timestamp\": \"2023-07-19T14:30:34.5955683Z\",\"DeviceId\": \"22bb10ffe3104214b20fc7de339a2b053e915e5c\",\"DeviceName\": \"janeslaptop1.corporatedomain\",\"ActionType\": \"InboundConnectionAccepted\",\"RemoteIP\": \"175.16.199.0\",\"RemotePort\": 54022,\"RemoteUrl\":null,\"LocalIP\": \"89.160.20.112\",\"LocalPort\": 135,\"Protocol\": \"Tcp\",\"LocalIPType\": \"Private\",\"RemoteIPType\": \"Private\",\"InitiatingProcessSHA1\": \"0cb388ecf4055d73afc0ac4012b607753f899f08\",\"InitiatingProcessSHA256\": \"949bfb5b4c7d58d92f3f9c5f8ec7ca4ceaffd10ec5f0020f0a987c472d61c54b\",\"InitiatingProcessMD5\": \"122beaba9a49e1c60bf8446668a1de3e\",\"InitiatingProcessFileName\": \"svchost.exe\",\"InitiatingProcessFileSize\": 79990,\"InitiatingProcessVersionInfoCompanyName\": \"Microsoft Corporation\",\"InitiatingProcessVersionInfoProductName\": \"Microsoft® Windows® Operating System\",\"InitiatingProcessVersionInfoProductVersion\": \"10.0.22621.1\",\"InitiatingProcessVersionInfoInternalFileName\": \"svchost.exe\",\"InitiatingProcessVersionInfoOriginalFileName\": \"svchost.exe\",\"InitiatingProcessVersionInfoFileDescription\": \"Host Process for Windows Services\",\"InitiatingProcessId\": 1772,\"InitiatingProcessCommandLine\": \"svchost.exe -k RPCSS -p\",\"InitiatingProcessCreationTime\": \"2023-07-19T14:29:02.5168183Z\",\"InitiatingProcessFolderPath\": \"c:\\\\windows\\\\system32\\\\svchost.exe\",\"InitiatingProcessParentFileName\": \"services.exe\",\"InitiatingProcessParentId\": 1152,\"InitiatingProcessParentCreationTime\": \"2023-07-19T14:29:01.9698479Z\",\"InitiatingProcessAccountDomain\": \"nt authority\",\"InitiatingProcessAccountName\": \"network service\",\"InitiatingProcessAccountSid\": 
\"S-1-5-12\",\"InitiatingProcessAccountUpn\":null,\"InitiatingProcessAccountObjectId\":null,\"InitiatingProcessIntegrityLevel\": \"System\",\"InitiatingProcessTokenElevation\": \"TokenElevationTypeDefault\",\"ReportId\": 884651,\"AppGuardContainerId\":null,\"AdditionalFields\":null},\"tenantId\":\"12345af3-bc0e-4f36-b08e-27759e912345\",\"time\":\"2023-07-19T18:03:28.9948950Z\"}",
 "type": [
- "allowed"
+ "start"
 ]
 },
 "host": {
@@ -2337,10 +2974,7 @@
 "description": "Host Process for Windows Services",
 "file_version": "10.0.22621.1",
 "original_file_name": "svchost.exe",
- "product": "Microsoft® Windows® Operating System",
- "sections": {
- "physical_size": 79990
- }
+ "product": "Microsoft® Windows® Operating System"
 },
 "pid": 1772,
 "start": "2023-07-19T14:29:02.516Z"
@@ -2383,11 +3017,17 @@
 "tags": [
 "preserve_original_event",
 "preserve_duplicate_custom_fields"
- ]
+ ],
+ "user": {
+ "domain": "nt authority",
+ "id": "S-1-5-12",
+ "name": "network service"
+ }
 },
 {
 "@timestamp": "2023-07-19T12:18:35.239Z",
 "destination": {
+ "address": "89.160.20.112",
 "geo": {
 "city_name": "Linköping",
 "continent_name": "Europe",
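Review bot: Replacing `"allowed"` with `"start"` in the event.type of the InboundConnectionAccepted event drops the only value that marked this as an accepted inbound connection, so any existing rule or query filtering on `event.type: allowed` stops matching these records. event.type is an array in ECS, so `"type": ["start", "allowed"]` would keep both without losing the detection-rule alignment this change is after. This file is the expected-output fixture; the mapping itself presumably lives in pipeline_device.yml, which is outside this chunk.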
@@ -2411,7 +3051,10 @@ "network" ], "kind": "event", - "original": "{\"Tenant\":\"DefaultTenant\",\"category\":\"AdvancedHunting-DeviceNetworkEvents\",\"operationName\":\"Publish\",\"properties\":{\"Timestamp\": \"2023-07-19T12:18:35.2391226Z\",\"DeviceId\": \"22bb10ffe3104214b20fc7de339a2b053e915e5c\",\"DeviceName\": \"janeslaptop1.corporatedomain\",\"ActionType\": \"IcmpConnectionInspected\",\"RemoteIP\": \"175.16.199.0\",\"RemotePort\":null,\"RemoteUrl\":null,\"LocalIP\": \"89.160.20.112\",\"LocalPort\":null,\"Protocol\": \"Icmp\",\"LocalIPType\":null,\"RemoteIPType\":null,\"InitiatingProcessSHA1\":null,\"InitiatingProcessSHA256\":null,\"InitiatingProcessMD5\":null,\"InitiatingProcessFileName\":null,\"InitiatingProcessFileSize\":null,\"InitiatingProcessVersionInfoCompanyName\":null,\"InitiatingProcessVersionInfoProductName\":null,\"InitiatingProcessVersionInfoProductVersion\":null,\"InitiatingProcessVersionInfoInternalFileName\":null,\"InitiatingProcessVersionInfoOriginalFileName\":null,\"InitiatingProcessVersionInfoFileDescription\":null,\"InitiatingProcessId\": 0,\"InitiatingProcessCommandLine\":null,\"InitiatingProcessCreationTime\":null,\"InitiatingProcessFolderPath\":null,\"InitiatingProcessParentFileName\":null,\"InitiatingProcessParentId\": 0,\"InitiatingProcessParentCreationTime\":null,\"InitiatingProcessAccountDomain\":null,\"InitiatingProcessAccountName\":null,\"InitiatingProcessAccountSid\":null,\"InitiatingProcessAccountUpn\":null,\"InitiatingProcessAccountObjectId\":null,\"InitiatingProcessIntegrityLevel\":null,\"InitiatingProcessTokenElevation\": \"None\",\"ReportId\": 9846513,\"AppGuardContainerId\":null,\"AdditionalFields\": { \"direction\": \"In\", \"conn_state\": \"OTH\", \"duration\": \"236.02695489659583\", \"missed_bytes\": \"0\", \"orig_bytes\": \"1344\", \"orig_ip_bytes\": \"2016\", \"orig_pkts\": \"24\", \"resp_bytes\": \"0\", \"resp_ip_bytes\": \"0\", \"resp_pkts\": \"0\", \"uid\": 
\"CoJ8an1SJN7SewZU9l\"}},\"tenantId\":\"12345af3-bc0e-4f36-b08e-27759e912345\",\"time\":\"2023-07-19T18:03:29.9948950Z\"}" + "original": "{\"Tenant\":\"DefaultTenant\",\"category\":\"AdvancedHunting-DeviceNetworkEvents\",\"operationName\":\"Publish\",\"properties\":{\"Timestamp\": \"2023-07-19T12:18:35.2391226Z\",\"DeviceId\": \"22bb10ffe3104214b20fc7de339a2b053e915e5c\",\"DeviceName\": \"janeslaptop1.corporatedomain\",\"ActionType\": \"IcmpConnectionInspected\",\"RemoteIP\": \"175.16.199.0\",\"RemotePort\":null,\"RemoteUrl\":null,\"LocalIP\": \"89.160.20.112\",\"LocalPort\":null,\"Protocol\": \"Icmp\",\"LocalIPType\":null,\"RemoteIPType\":null,\"InitiatingProcessSHA1\":null,\"InitiatingProcessSHA256\":null,\"InitiatingProcessMD5\":null,\"InitiatingProcessFileName\":null,\"InitiatingProcessFileSize\":null,\"InitiatingProcessVersionInfoCompanyName\":null,\"InitiatingProcessVersionInfoProductName\":null,\"InitiatingProcessVersionInfoProductVersion\":null,\"InitiatingProcessVersionInfoInternalFileName\":null,\"InitiatingProcessVersionInfoOriginalFileName\":null,\"InitiatingProcessVersionInfoFileDescription\":null,\"InitiatingProcessId\": 0,\"InitiatingProcessCommandLine\":null,\"InitiatingProcessCreationTime\":null,\"InitiatingProcessFolderPath\":null,\"InitiatingProcessParentFileName\":null,\"InitiatingProcessParentId\": 0,\"InitiatingProcessParentCreationTime\":null,\"InitiatingProcessAccountDomain\":null,\"InitiatingProcessAccountName\":null,\"InitiatingProcessAccountSid\":null,\"InitiatingProcessAccountUpn\":null,\"InitiatingProcessAccountObjectId\":null,\"InitiatingProcessIntegrityLevel\":null,\"InitiatingProcessTokenElevation\": \"None\",\"ReportId\": 9846513,\"AppGuardContainerId\":null,\"AdditionalFields\": { \"direction\": \"In\", \"conn_state\": \"OTH\", \"duration\": \"236.02695489659583\", \"missed_bytes\": \"0\", \"orig_bytes\": \"1344\", \"orig_ip_bytes\": \"2016\", \"orig_pkts\": \"24\", \"resp_bytes\": \"0\", \"resp_ip_bytes\": \"0\", \"resp_pkts\": 
\"0\", \"uid\": \"CoJ8an1SJN7SewZU9l\"}},\"tenantId\":\"12345af3-bc0e-4f36-b08e-27759e912345\",\"time\":\"2023-07-19T18:03:29.9948950Z\"}",
+ "type": [
+ "info"
+ ]
 },
 "host": {
 "id": "22bb10ffe3104214b20fc7de339a2b053e915e5c",
@@ -2505,6 +3148,7 @@
 {
 "@timestamp": "2023-07-19T12:16:15.490Z",
 "destination": {
+ "address": "175.16.199.0",
 "geo": {
 "city_name": "Changchun",
 "continent_name": "Asia",
@@ -2645,11 +3289,6 @@
 "pid": 654,
 "start": "2023-07-18T16:38:42.246Z"
 },
- "pe": {
- "sections": {
- "physical_size": 4934752
- }
- },
 "pid": 189,
 "start": "2023-07-18T16:38:50.745Z"
 },
@@ -2691,11 +3330,17 @@
 "tags": [
 "preserve_original_event",
 "preserve_duplicate_custom_fields"
- ]
+ ],
+ "user": {
+ "domain": "macbookpro-123",
+ "id": "S-1-5-18",
+ "name": "root"
+ }
 },
 {
 "@timestamp": "2023-07-19T07:43:20.845Z",
 "destination": {
+ "address": "2a02:cf40::",
 "geo": {
 "continent_name": "Europe",
 "country_iso_code": "NO",
@@ -2804,6 +3449,7 @@
 {
 "@timestamp": "2023-07-19T14:11:37.698Z",
 "destination": {
+ "address": "175.16.199.0",
 "geo": {
 "city_name": "Changchun",
 "continent_name": "Asia",
@@ -2828,7 +3474,10 @@ "network" ], "kind": "event", - "original": "{\"Tenant\":\"DefaultTenant\",\"category\":\"AdvancedHunting-DeviceNetworkEvents\",\"operationName\":\"Publish\",\"properties\":{\"Timestamp\": \"2023-07-19T14:11:37.6987985Z\",\"DeviceId\": \"22bb10ffe3104214b20fc7de339a2b053e915e5c\",\"DeviceName\": \"janeslaptop1.corporatedomain\",\"ActionType\": \"SshConnectionInspected\",\"RemoteIP\": \"175.16.199.0\",\"RemotePort\": 22,\"RemoteUrl\":null,\"LocalIP\": \"89.160.20.112\",\"LocalPort\": 49708,\"Protocol\": \"Tcp\",\"LocalIPType\":null,\"RemoteIPType\":null,\"InitiatingProcessSHA1\":null,\"InitiatingProcessSHA256\":null,\"InitiatingProcessMD5\":null,\"InitiatingProcessFileName\":null,\"InitiatingProcessFileSize\":null,\"InitiatingProcessVersionInfoCompanyName\":null,\"InitiatingProcessVersionInfoProductName\":null,\"InitiatingProcessVersionInfoProductVersion\":null,\"InitiatingProcessVersionInfoInternalFileName\":null,\"InitiatingProcessVersionInfoOriginalFileName\":null,\"InitiatingProcessVersionInfoFileDescription\":null,\"InitiatingProcessId\": 0,\"InitiatingProcessCommandLine\":null,\"InitiatingProcessCreationTime\":null,\"InitiatingProcessFolderPath\":null,\"InitiatingProcessParentFileName\":null,\"InitiatingProcessParentId\": 0,\"InitiatingProcessParentCreationTime\":null,\"InitiatingProcessAccountDomain\":null,\"InitiatingProcessAccountName\":null,\"InitiatingProcessAccountSid\":null,\"InitiatingProcessAccountUpn\":null,\"InitiatingProcessAccountObjectId\":null,\"InitiatingProcessIntegrityLevel\":null,\"InitiatingProcessTokenElevation\": \"None\",\"ReportId\": 89741320,\"AppGuardContainerId\":null,\"AdditionalFields\": { \"direction\": \"Out\", \"auth_attempts\": \"2\", \"auth_success\": \"true\", \"client\": \"SSH-2.0-PuTTY\"}},\"tenantId\":\"12345af3-bc0e-4f36-b08e-27759e912345\",\"time\":\"2023-07-19T18:03:32.9948950Z\"}" + "original": 
"{\"Tenant\":\"DefaultTenant\",\"category\":\"AdvancedHunting-DeviceNetworkEvents\",\"operationName\":\"Publish\",\"properties\":{\"Timestamp\": \"2023-07-19T14:11:37.6987985Z\",\"DeviceId\": \"22bb10ffe3104214b20fc7de339a2b053e915e5c\",\"DeviceName\": \"janeslaptop1.corporatedomain\",\"ActionType\": \"SshConnectionInspected\",\"RemoteIP\": \"175.16.199.0\",\"RemotePort\": 22,\"RemoteUrl\":null,\"LocalIP\": \"89.160.20.112\",\"LocalPort\": 49708,\"Protocol\": \"Tcp\",\"LocalIPType\":null,\"RemoteIPType\":null,\"InitiatingProcessSHA1\":null,\"InitiatingProcessSHA256\":null,\"InitiatingProcessMD5\":null,\"InitiatingProcessFileName\":null,\"InitiatingProcessFileSize\":null,\"InitiatingProcessVersionInfoCompanyName\":null,\"InitiatingProcessVersionInfoProductName\":null,\"InitiatingProcessVersionInfoProductVersion\":null,\"InitiatingProcessVersionInfoInternalFileName\":null,\"InitiatingProcessVersionInfoOriginalFileName\":null,\"InitiatingProcessVersionInfoFileDescription\":null,\"InitiatingProcessId\": 0,\"InitiatingProcessCommandLine\":null,\"InitiatingProcessCreationTime\":null,\"InitiatingProcessFolderPath\":null,\"InitiatingProcessParentFileName\":null,\"InitiatingProcessParentId\": 0,\"InitiatingProcessParentCreationTime\":null,\"InitiatingProcessAccountDomain\":null,\"InitiatingProcessAccountName\":null,\"InitiatingProcessAccountSid\":null,\"InitiatingProcessAccountUpn\":null,\"InitiatingProcessAccountObjectId\":null,\"InitiatingProcessIntegrityLevel\":null,\"InitiatingProcessTokenElevation\": \"None\",\"ReportId\": 89741320,\"AppGuardContainerId\":null,\"AdditionalFields\": { \"direction\": \"Out\", \"auth_attempts\": \"2\", \"auth_success\": \"true\", \"client\": \"SSH-2.0-PuTTY\"}},\"tenantId\":\"12345af3-bc0e-4f36-b08e-27759e912345\",\"time\":\"2023-07-19T18:03:32.9948950Z\"}", + "type": [ + "info" + ] }, "host": { "id": "22bb10ffe3104214b20fc7de339a2b053e915e5c", 
@@ -2918,6 +3567,7 @@
 {
 "@timestamp": "2023-07-19T14:18:19.714Z",
 "destination": {
+ "address": "175.16.199.0",
 "geo": {
 "city_name": "Changchun",
 "continent_name": "Asia",
@@ -2942,7 +3592,10 @@ "network" ], "kind": "event", - "original": "{\"Tenant\":\"DefaultTenant\",\"category\":\"AdvancedHunting-DeviceNetworkEvents\",\"operationName\":\"Publish\",\"properties\":{\"Timestamp\": \"2023-07-19T14:18:19.7144334Z\",\"DeviceId\": \"22bb10ffe3104214b20fc7de339a2b053e915e5c\",\"DeviceName\": \"janeslaptop1.corporatedomain\",\"ActionType\": \"InboundInternetScanInspected\",\"RemoteIP\": \"175.16.199.0\",\"RemotePort\": 5432,\"RemoteUrl\":null,\"LocalIP\": \"89.160.20.112\",\"LocalPort\": 46390,\"Protocol\": \"Udp\",\"LocalIPType\":null,\"RemoteIPType\":null,\"InitiatingProcessSHA1\":null,\"InitiatingProcessSHA256\":null,\"InitiatingProcessMD5\":null,\"InitiatingProcessFileName\":null,\"InitiatingProcessFileSize\":null,\"InitiatingProcessVersionInfoCompanyName\":null,\"InitiatingProcessVersionInfoProductName\":null,\"InitiatingProcessVersionInfoProductVersion\":null,\"InitiatingProcessVersionInfoInternalFileName\":null,\"InitiatingProcessVersionInfoOriginalFileName\":null,\"InitiatingProcessVersionInfoFileDescription\":null,\"InitiatingProcessId\": 0,\"InitiatingProcessCommandLine\":null,\"InitiatingProcessCreationTime\":null,\"InitiatingProcessFolderPath\":null,\"InitiatingProcessParentFileName\":null,\"InitiatingProcessParentId\": 0,\"InitiatingProcessParentCreationTime\":null,\"InitiatingProcessAccountDomain\":null,\"InitiatingProcessAccountName\":null,\"InitiatingProcessAccountSid\":null,\"InitiatingProcessAccountUpn\":null,\"InitiatingProcessAccountObjectId\":null,\"InitiatingProcessIntegrityLevel\":null,\"InitiatingProcessTokenElevation\": \"None\",\"ReportId\": 9841651,\"AppGuardContainerId\":null,\"AdditionalFields\": { \"PublicScannedPort\": 5432, \"PublicScannedIp\": \"175.16.199.0\"}},\"tenantId\":\"12345af3-bc0e-4f36-b08e-27759e912345\",\"time\":\"2023-07-19T18:03:33.9948950Z\"}" + "original": 
"{\"Tenant\":\"DefaultTenant\",\"category\":\"AdvancedHunting-DeviceNetworkEvents\",\"operationName\":\"Publish\",\"properties\":{\"Timestamp\": \"2023-07-19T14:18:19.7144334Z\",\"DeviceId\": \"22bb10ffe3104214b20fc7de339a2b053e915e5c\",\"DeviceName\": \"janeslaptop1.corporatedomain\",\"ActionType\": \"InboundInternetScanInspected\",\"RemoteIP\": \"175.16.199.0\",\"RemotePort\": 5432,\"RemoteUrl\":null,\"LocalIP\": \"89.160.20.112\",\"LocalPort\": 46390,\"Protocol\": \"Udp\",\"LocalIPType\":null,\"RemoteIPType\":null,\"InitiatingProcessSHA1\":null,\"InitiatingProcessSHA256\":null,\"InitiatingProcessMD5\":null,\"InitiatingProcessFileName\":null,\"InitiatingProcessFileSize\":null,\"InitiatingProcessVersionInfoCompanyName\":null,\"InitiatingProcessVersionInfoProductName\":null,\"InitiatingProcessVersionInfoProductVersion\":null,\"InitiatingProcessVersionInfoInternalFileName\":null,\"InitiatingProcessVersionInfoOriginalFileName\":null,\"InitiatingProcessVersionInfoFileDescription\":null,\"InitiatingProcessId\": 0,\"InitiatingProcessCommandLine\":null,\"InitiatingProcessCreationTime\":null,\"InitiatingProcessFolderPath\":null,\"InitiatingProcessParentFileName\":null,\"InitiatingProcessParentId\": 0,\"InitiatingProcessParentCreationTime\":null,\"InitiatingProcessAccountDomain\":null,\"InitiatingProcessAccountName\":null,\"InitiatingProcessAccountSid\":null,\"InitiatingProcessAccountUpn\":null,\"InitiatingProcessAccountObjectId\":null,\"InitiatingProcessIntegrityLevel\":null,\"InitiatingProcessTokenElevation\": \"None\",\"ReportId\": 9841651,\"AppGuardContainerId\":null,\"AdditionalFields\": { \"PublicScannedPort\": 5432, \"PublicScannedIp\": \"175.16.199.0\"}},\"tenantId\":\"12345af3-bc0e-4f36-b08e-27759e912345\",\"time\":\"2023-07-19T18:03:33.9948950Z\"}", + "type": [ + "info" + ] }, "host": { "id": "22bb10ffe3104214b20fc7de339a2b053e915e5c", 
@@ -3030,6 +3683,7 @@
 {
 "@timestamp": "2023-07-19T14:09:43.873Z",
 "destination": {
+ "address": "175.16.199.0",
 "geo": {
 "city_name": "Changchun",
 "continent_name": "Asia",
@@ -3054,7 +3708,10 @@ "network" ], "kind": "event", - "original": "{\"Tenant\":\"DefaultTenant\",\"category\":\"AdvancedHunting-DeviceNetworkEvents\",\"operationName\":\"Publish\",\"properties\":{\"Timestamp\": \"2023-07-19T14:09:43.8734771Z\",\"DeviceId\": \"22bb10ffe3104214b20fc7de339a2b053e915e5c\",\"DeviceName\": \"janeslaptop1.corporatedomain\",\"ActionType\": \"SmtpConnectionInspected\",\"RemoteIP\": \"175.16.199.0\",\"RemotePort\": 25,\"RemoteUrl\":null,\"LocalIP\": \"89.160.20.112\",\"LocalPort\": 60697,\"Protocol\": \"Tcp\",\"LocalIPType\":null,\"RemoteIPType\":null,\"InitiatingProcessSHA1\":null,\"InitiatingProcessSHA256\":null,\"InitiatingProcessMD5\":null,\"InitiatingProcessFileName\":null,\"InitiatingProcessFileSize\":null,\"InitiatingProcessVersionInfoCompanyName\":null,\"InitiatingProcessVersionInfoProductName\":null,\"InitiatingProcessVersionInfoProductVersion\":null,\"InitiatingProcessVersionInfoInternalFileName\":null,\"InitiatingProcessVersionInfoOriginalFileName\":null,\"InitiatingProcessVersionInfoFileDescription\":null,\"InitiatingProcessId\": 0,\"InitiatingProcessCommandLine\":null,\"InitiatingProcessCreationTime\":null,\"InitiatingProcessFolderPath\":null,\"InitiatingProcessParentFileName\":null,\"InitiatingProcessParentId\": 0,\"InitiatingProcessParentCreationTime\":null,\"InitiatingProcessAccountDomain\":null,\"InitiatingProcessAccountName\":null,\"InitiatingProcessAccountSid\":null,\"InitiatingProcessAccountUpn\":null,\"InitiatingProcessAccountObjectId\":null,\"InitiatingProcessIntegrityLevel\":null,\"InitiatingProcessTokenElevation\": \"None\",\"ReportId\": 18984951960,\"AppGuardContainerId\":null,\"AdditionalFields\": { \"direction\": \"Out\", \"fuids\": \"[]\", \"helo\": \"janeslaptop1.corporatedomain\", \"last_reply\": \"220 2.0.0 SMTP server ready\", \"path\": \"[\\\"89.160.20.112\\\",\\\"89.160.20.112\\\"]\", \"tls\": \"true\", \"trans_depth\": \"1\", \"uid\": 
\"0278e28ff5d8eff6d3\"}},\"tenantId\":\"12345af3-bc0e-4f36-b08e-27759e912345\",\"time\":\"2023-07-19T18:03:34.9948950Z\"}" + "original": "{\"Tenant\":\"DefaultTenant\",\"category\":\"AdvancedHunting-DeviceNetworkEvents\",\"operationName\":\"Publish\",\"properties\":{\"Timestamp\": \"2023-07-19T14:09:43.8734771Z\",\"DeviceId\": \"22bb10ffe3104214b20fc7de339a2b053e915e5c\",\"DeviceName\": \"janeslaptop1.corporatedomain\",\"ActionType\": \"SmtpConnectionInspected\",\"RemoteIP\": \"175.16.199.0\",\"RemotePort\": 25,\"RemoteUrl\":null,\"LocalIP\": \"89.160.20.112\",\"LocalPort\": 60697,\"Protocol\": \"Tcp\",\"LocalIPType\":null,\"RemoteIPType\":null,\"InitiatingProcessSHA1\":null,\"InitiatingProcessSHA256\":null,\"InitiatingProcessMD5\":null,\"InitiatingProcessFileName\":null,\"InitiatingProcessFileSize\":null,\"InitiatingProcessVersionInfoCompanyName\":null,\"InitiatingProcessVersionInfoProductName\":null,\"InitiatingProcessVersionInfoProductVersion\":null,\"InitiatingProcessVersionInfoInternalFileName\":null,\"InitiatingProcessVersionInfoOriginalFileName\":null,\"InitiatingProcessVersionInfoFileDescription\":null,\"InitiatingProcessId\": 0,\"InitiatingProcessCommandLine\":null,\"InitiatingProcessCreationTime\":null,\"InitiatingProcessFolderPath\":null,\"InitiatingProcessParentFileName\":null,\"InitiatingProcessParentId\": 0,\"InitiatingProcessParentCreationTime\":null,\"InitiatingProcessAccountDomain\":null,\"InitiatingProcessAccountName\":null,\"InitiatingProcessAccountSid\":null,\"InitiatingProcessAccountUpn\":null,\"InitiatingProcessAccountObjectId\":null,\"InitiatingProcessIntegrityLevel\":null,\"InitiatingProcessTokenElevation\": \"None\",\"ReportId\": 18984951960,\"AppGuardContainerId\":null,\"AdditionalFields\": { \"direction\": \"Out\", \"fuids\": \"[]\", \"helo\": \"janeslaptop1.corporatedomain\", \"last_reply\": \"220 2.0.0 SMTP server ready\", \"path\": \"[\\\"89.160.20.112\\\",\\\"89.160.20.112\\\"]\", \"tls\": \"true\", \"trans_depth\": \"1\", \"uid\": 
\"0278e28ff5d8eff6d3\"}},\"tenantId\":\"12345af3-bc0e-4f36-b08e-27759e912345\",\"time\":\"2023-07-19T18:03:34.9948950Z\"}",
+ "type": [
+ "info"
+ ]
 },
 "host": {
 "id": "22bb10ffe3104214b20fc7de339a2b053e915e5c",
@@ -3148,6 +3805,7 @@
 {
 "@timestamp": "2023-07-19T12:12:10.059Z",
 "destination": {
+ "address": "175.16.199.0",
 "geo": {
 "city_name": "Changchun",
 "continent_name": "Asia",
@@ -3172,7 +3830,10 @@ "network" ], "kind": "event", - "original": "{\"Tenant\":\"DefaultTenant\",\"category\":\"AdvancedHunting-DeviceNetworkEvents\",\"operationName\":\"Publish\",\"properties\":{\"Timestamp\": \"2023-07-19T12:12:10.0598052Z\",\"DeviceId\": \"22bb10ffe3104214b20fc7de339a2b053e915e5c\",\"DeviceName\": \"janeslaptop1.corporatedomain\",\"ActionType\": \"FtpConnectionInspected\",\"RemoteIP\": \"175.16.199.0\",\"RemotePort\": 21,\"RemoteUrl\":null,\"LocalIP\": \"89.160.20.112\",\"LocalPort\": 56885,\"Protocol\": \"Tcp\",\"LocalIPType\":null,\"RemoteIPType\":null,\"InitiatingProcessSHA1\":null,\"InitiatingProcessSHA256\":null,\"InitiatingProcessMD5\":null,\"InitiatingProcessFileName\":null,\"InitiatingProcessFileSize\":null,\"InitiatingProcessVersionInfoCompanyName\":null,\"InitiatingProcessVersionInfoProductName\":null,\"InitiatingProcessVersionInfoProductVersion\":null,\"InitiatingProcessVersionInfoInternalFileName\":null,\"InitiatingProcessVersionInfoOriginalFileName\":null,\"InitiatingProcessVersionInfoFileDescription\":null,\"InitiatingProcessId\": 0,\"InitiatingProcessCommandLine\":null,\"InitiatingProcessCreationTime\":null,\"InitiatingProcessFolderPath\":null,\"InitiatingProcessParentFileName\":null,\"InitiatingProcessParentId\": 0,\"InitiatingProcessParentCreationTime\":null,\"InitiatingProcessAccountDomain\":null,\"InitiatingProcessAccountName\":null,\"InitiatingProcessAccountSid\":null,\"InitiatingProcessAccountUpn\":null,\"InitiatingProcessAccountObjectId\":null,\"InitiatingProcessIntegrityLevel\":null,\"InitiatingProcessTokenElevation\": \"None\",\"ReportId\": 98498,\"AppGuardContainerId\":null,\"AdditionalFields\": { \"direction\": \"Out\", \"user\": \"\", \"reply_msg\": \"Service ready\", \"reply_code\": \"220\", \"cwd\": \".\", \"command\": \"\", \"uid\": \"603f4dc5c8d46599fd\"}},\"tenantId\":\"12345af3-bc0e-4f36-b08e-27759e912345\",\"time\":\"2023-07-19T18:03:35.9948950Z\"}" + "original": 
"{\"Tenant\":\"DefaultTenant\",\"category\":\"AdvancedHunting-DeviceNetworkEvents\",\"operationName\":\"Publish\",\"properties\":{\"Timestamp\": \"2023-07-19T12:12:10.0598052Z\",\"DeviceId\": \"22bb10ffe3104214b20fc7de339a2b053e915e5c\",\"DeviceName\": \"janeslaptop1.corporatedomain\",\"ActionType\": \"FtpConnectionInspected\",\"RemoteIP\": \"175.16.199.0\",\"RemotePort\": 21,\"RemoteUrl\":null,\"LocalIP\": \"89.160.20.112\",\"LocalPort\": 56885,\"Protocol\": \"Tcp\",\"LocalIPType\":null,\"RemoteIPType\":null,\"InitiatingProcessSHA1\":null,\"InitiatingProcessSHA256\":null,\"InitiatingProcessMD5\":null,\"InitiatingProcessFileName\":null,\"InitiatingProcessFileSize\":null,\"InitiatingProcessVersionInfoCompanyName\":null,\"InitiatingProcessVersionInfoProductName\":null,\"InitiatingProcessVersionInfoProductVersion\":null,\"InitiatingProcessVersionInfoInternalFileName\":null,\"InitiatingProcessVersionInfoOriginalFileName\":null,\"InitiatingProcessVersionInfoFileDescription\":null,\"InitiatingProcessId\": 0,\"InitiatingProcessCommandLine\":null,\"InitiatingProcessCreationTime\":null,\"InitiatingProcessFolderPath\":null,\"InitiatingProcessParentFileName\":null,\"InitiatingProcessParentId\": 0,\"InitiatingProcessParentCreationTime\":null,\"InitiatingProcessAccountDomain\":null,\"InitiatingProcessAccountName\":null,\"InitiatingProcessAccountSid\":null,\"InitiatingProcessAccountUpn\":null,\"InitiatingProcessAccountObjectId\":null,\"InitiatingProcessIntegrityLevel\":null,\"InitiatingProcessTokenElevation\": \"None\",\"ReportId\": 98498,\"AppGuardContainerId\":null,\"AdditionalFields\": { \"direction\": \"Out\", \"user\": \"\", \"reply_msg\": \"Service ready\", \"reply_code\": \"220\", \"cwd\": \".\", \"command\": \"\", \"uid\": \"603f4dc5c8d46599fd\"}},\"tenantId\":\"12345af3-bc0e-4f36-b08e-27759e912345\",\"time\":\"2023-07-19T18:03:35.9948950Z\"}", + "type": [ + "info" + ] }, "host": { "id": "22bb10ffe3104214b20fc7de339a2b053e915e5c", 
@@ -3275,7 +3936,7 @@ "kind": "event", "original": "{\"Tenant\":\"DefaultTenant\",\"category\":\"AdvancedHunting-DeviceProcessEvents\",\"operationName\":\"Publish\",\"properties\":{\"Timestamp\": \"2023-07-19T14:02:19.4882081Z\",\"DeviceId\": \"22bb10ffe3104214b20fc7de339a2b053e915e5c\",\"DeviceName\": \"janeslaptop1.corporatedomain\",\"ActionType\": \"ProcessCreated\",\"FileName\": \"msedgewebview2.exe\",\"FolderPath\": \"C:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeWebView\\\\Application\\\\114.0.1823.79\\\\msedgewebview2.exe\",\"SHA1\": \"271eb137d3d8519cb42e5bccd690a3b9a3059f2a\",\"SHA256\": \"075d1edc11548c9ebf7f238dea9393f26c5b83cd0362aa4cc24b1d8a6ebc6354\",\"MD5\": \"b21b158fce974aa46125820ce6b42e9d\",\"FileSize\": 3653056,\"ProcessVersionInfoCompanyName\": \"Microsoft Corporation\",\"ProcessVersionInfoProductName\": \"Microsoft Edge WebView2\",\"ProcessVersionInfoProductVersion\": \"114.0.1732.12\",\"ProcessVersionInfoInternalFileName\": \"msedgewebview2_exe\",\"ProcessVersionInfoOriginalFileName\": \"msedgewebview2.exe\",\"ProcessVersionInfoFileDescription\": \"Microsoft Edge WebView2\",\"ProcessId\": 5498762,\"ProcessCommandLine\": \"\\\"msedgewebview2.exe\\\" --type=renderer --noerrdialogs --user-data-dir=\\\"C:\\\\Users\\\\JANEBLOGGS\\\\AppData\\\\Local\\\\Microsoft\\\\Office\\\\16.0\\\\Wef\\\\webview2\\\\4ee9dcb0-735b-442e-945c-177c665efe6b_ADAL\\\\2\\\\EBWebView\\\" --webview-exe-name=MSOUTLOOK.EXE\",\"ProcessIntegrityLevel\": \"Low\",\"ProcessTokenElevation\": \"TokenElevationTypeDefault\",\"ProcessCreationTime\": \"2023-07-19T14:02:19.4882081Z\",\"AccountDomain\": \"corporatedomain\",\"AccountName\": \"janebloggs\",\"AccountSid\": \"S-1-5-21-57989841-2025429265-839522115-962270\",\"AccountUpn\": \"janebloggs@corporate.com\",\"AccountObjectId\": \"4ee9dcb0-735b-442e-945c-177c665efe6b\",\"LogonId\": 3654987,\"InitiatingProcessAccountDomain\": \"corporatedomain\",\"InitiatingProcessAccountName\": \"janebloggs\",\"InitiatingProcessAccountSid\": 
\"S-1-5-21-57989841-2025429265-839522115-962270\",\"InitiatingProcessAccountUpn\": \"janebloggs@corporate.com\",\"InitiatingProcessAccountObjectId\": \"4ee9dcb0-735b-442e-945c-177c665efe6b\",\"InitiatingProcessLogonId\": 3654987,\"InitiatingProcessIntegrityLevel\": \"Medium\",\"InitiatingProcessTokenElevation\": \"TokenElevationTypeDefault\",\"InitiatingProcessSHA1\": \"271eb137d3d8519cb42e5bccd690a3b9a3059f2a\",\"InitiatingProcessSHA256\": \"075d1edc11548c9ebf7f238dea9393f26c5b83cd0362aa4cc24b1d8a6ebc6354\",\"InitiatingProcessMD5\": \"b21b158fce974aa46125820ce6b42e9d\",\"InitiatingProcessFileName\": \"msedgewebview2.exe\",\"InitiatingProcessFileSize\": 5498762,\"InitiatingProcessVersionInfoCompanyName\": \"Microsoft Corporation\",\"InitiatingProcessVersionInfoProductName\": \"Microsoft Edge WebView2\",\"InitiatingProcessVersionInfoProductVersion\": \"114.0.1732.12\",\"InitiatingProcessVersionInfoInternalFileName\": \"msedgewebview2_exe\",\"InitiatingProcessVersionInfoOriginalFileName\": \"msedgewebview2.exe\",\"InitiatingProcessVersionInfoFileDescription\": \"Microsoft Edge WebView2\",\"InitiatingProcessId\": 65485,\"InitiatingProcessCommandLine\": \"\\\"msedgewebview2.exe\\\" --embedded-browser-webview=1 --webview-exe-name=MSOUTLOOK.EXE --webview-exe-version=16.0.15601.20706 --user-data-dir=\\\"C:\\\\Users\\\\USERNAME\\\\AppData\\\\Local\\\\Microsoft\\\\Office\\\\16.0\\\\Wef\\\\webview2\\\\1234dcb0-735b-442e-945c-e6c5df94062c_ADAL\\\\2\\\\EBWebView\\\" --noerrdialogs\",\"InitiatingProcessCreationTime\":null},\"tenantId\":\"12345af3-bc0e-4f36-b08e-27759e912345\",\"time\":\"2023-07-19T18:03:21.9948950Z\"}", "type": [ - "end" + "start" ] }, "host": { @@ -3356,6 +4017,11 @@ } }, "process": { + "Ext": { + "token": { + "integrity_level_name": "Medium" + } + }, "args": [ "msedgewebview2.exe", "--type=renderer", 
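Review bot: The `process.Ext.token.integrity_level_name` added here is "Medium", but this `process` object is the created process (its `args` begin with `--type=renderer`, the ProcessCommandLine), and event.original gives `"ProcessIntegrityLevel": "Low"` for it; "Medium" is the `InitiatingProcessIntegrityLevel`, i.e. the parent's value. It looks like the pipeline fills the field from InitiatingProcessIntegrityLevel for every table, which is right for the DeviceNetworkEvents records but not for DeviceProcessEvents, where it should be taken from ProcessIntegrityLevel (the initiating value, if kept, belongs under process.parent). Rules that key on the token integrity level of the spawned process would otherwise evaluate the parent's level. The producing processor is in pipeline_device.yml, outside this chunk, so this is inferred from the fixture alone.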
@@ -3394,10 +4060,7 @@
 "description": "Microsoft Edge WebView2",
 "file_version": "114.0.1732.12",
 "original_file_name": "msedgewebview2.exe",
- "product": "Microsoft Edge WebView2",
- "sections": {
- "physical_size": 5498762
- }
+ "product": "Microsoft Edge WebView2"
 },
 "pid": 65485
 },
@@ -3406,10 +4069,7 @@
 "description": "Microsoft Edge WebView2",
 "file_version": "114.0.1732.12",
 "original_file_name": "msedgewebview2.exe",
- "product": "Microsoft Edge WebView2",
- "sections": {
- "physical_size": 3653056
- }
+ "product": "Microsoft Edge WebView2"
 },
 "pid": 5498762,
 "start": "2023-07-19T14:02:19.488Z"
@@ -3453,7 +4113,10 @@ "network" ], "kind": "event", - "original": "{\"Tenant\":\"DefaultTenant\",\"category\":\"AdvancedHunting-DeviceNetworkEvents\",\"operationName\":\"Publish\",\"properties\":{\"Timestamp\": \"2023-07-19T14:09:43.8734771Z\",\"DeviceId\": \"22bb10ffe3104214b20fc7de339a2b053e915e5c\",\"DeviceName\": \"janeslaptop1.corporatedomain\",\"ActionType\": \"SmtpConnectionInspected\",\"RemoteIP\": \"-\",\"RemotePort\": 25,\"RemoteUrl\":null,\"LocalIP\": \"-\",\"LocalPort\": 60697,\"Protocol\": \"Tcp\",\"LocalIPType\":null,\"RemoteIPType\":null,\"InitiatingProcessSHA1\":null,\"InitiatingProcessSHA256\":null,\"InitiatingProcessMD5\":null,\"InitiatingProcessFileName\":null,\"InitiatingProcessFileSize\":null,\"InitiatingProcessVersionInfoCompanyName\":null,\"InitiatingProcessVersionInfoProductName\":null,\"InitiatingProcessVersionInfoProductVersion\":null,\"InitiatingProcessVersionInfoInternalFileName\":null,\"InitiatingProcessVersionInfoOriginalFileName\":null,\"InitiatingProcessVersionInfoFileDescription\":null,\"InitiatingProcessId\": 0,\"InitiatingProcessCommandLine\":null,\"InitiatingProcessCreationTime\":null,\"InitiatingProcessFolderPath\":null,\"InitiatingProcessParentFileName\":null,\"InitiatingProcessParentId\": 0,\"InitiatingProcessParentCreationTime\":null,\"InitiatingProcessAccountDomain\":null,\"InitiatingProcessAccountName\":null,\"InitiatingProcessAccountSid\":null,\"InitiatingProcessAccountUpn\":null,\"InitiatingProcessAccountObjectId\":null,\"InitiatingProcessIntegrityLevel\":null,\"InitiatingProcessTokenElevation\": \"None\",\"ReportId\": 18984951960,\"AppGuardContainerId\":null,\"AdditionalFields\": { \"direction\": \"Out\", \"fuids\": \"[]\", \"helo\": \"janeslaptop1.corporatedomain\", \"last_reply\": \"220 2.0.0 SMTP server ready\", \"path\": \"[\\\"89.160.20.112\\\",\\\"89.160.20.112\\\"]\", \"tls\": \"true\", \"trans_depth\": \"1\", \"uid\": 
\"0278e28ff5d8eff6d3\"}},\"tenantId\":\"12345af3-bc0e-4f36-b08e-27759e912345\",\"time\":\"2023-07-19T18:03:34.9948950Z\"}" + "original": "{\"Tenant\":\"DefaultTenant\",\"category\":\"AdvancedHunting-DeviceNetworkEvents\",\"operationName\":\"Publish\",\"properties\":{\"Timestamp\": \"2023-07-19T14:09:43.8734771Z\",\"DeviceId\": \"22bb10ffe3104214b20fc7de339a2b053e915e5c\",\"DeviceName\": \"janeslaptop1.corporatedomain\",\"ActionType\": \"SmtpConnectionInspected\",\"RemoteIP\": \"-\",\"RemotePort\": 25,\"RemoteUrl\":null,\"LocalIP\": \"-\",\"LocalPort\": 60697,\"Protocol\": \"Tcp\",\"LocalIPType\":null,\"RemoteIPType\":null,\"InitiatingProcessSHA1\":null,\"InitiatingProcessSHA256\":null,\"InitiatingProcessMD5\":null,\"InitiatingProcessFileName\":null,\"InitiatingProcessFileSize\":null,\"InitiatingProcessVersionInfoCompanyName\":null,\"InitiatingProcessVersionInfoProductName\":null,\"InitiatingProcessVersionInfoProductVersion\":null,\"InitiatingProcessVersionInfoInternalFileName\":null,\"InitiatingProcessVersionInfoOriginalFileName\":null,\"InitiatingProcessVersionInfoFileDescription\":null,\"InitiatingProcessId\": 0,\"InitiatingProcessCommandLine\":null,\"InitiatingProcessCreationTime\":null,\"InitiatingProcessFolderPath\":null,\"InitiatingProcessParentFileName\":null,\"InitiatingProcessParentId\": 0,\"InitiatingProcessParentCreationTime\":null,\"InitiatingProcessAccountDomain\":null,\"InitiatingProcessAccountName\":null,\"InitiatingProcessAccountSid\":null,\"InitiatingProcessAccountUpn\":null,\"InitiatingProcessAccountObjectId\":null,\"InitiatingProcessIntegrityLevel\":null,\"InitiatingProcessTokenElevation\": \"None\",\"ReportId\": 18984951960,\"AppGuardContainerId\":null,\"AdditionalFields\": { \"direction\": \"Out\", \"fuids\": \"[]\", \"helo\": \"janeslaptop1.corporatedomain\", \"last_reply\": \"220 2.0.0 SMTP server ready\", \"path\": \"[\\\"89.160.20.112\\\",\\\"89.160.20.112\\\"]\", \"tls\": \"true\", \"trans_depth\": \"1\", \"uid\": 
\"0278e28ff5d8eff6d3\"}},\"tenantId\":\"12345af3-bc0e-4f36-b08e-27759e912345\",\"time\":\"2023-07-19T18:03:34.9948950Z\"}", + "type": [ + "info" + ] }, "host": { "id": "22bb10ffe3104214b20fc7de339a2b053e915e5c", 
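Review bot: `event.type` is set to `info` for this `SmtpConnectionInspected` network event, yet the `AdditionalFields` in `original` (`helo`, `last_reply`, `trans_depth`, `fuids`, `tls`) describe an identified application-layer exchange, for which ECS `protocol` (or `connection`) is a closer fit than `info`; network detection rules commonly key on those values rather than on `info`. If `info` is the pipeline's generic fallback for ActionTypes without a specific mapping, a comment in the pipeline naming that fallback would make the choice reviewable. The mapping itself lives in pipeline_device.yml, outside this fixture hunk, and the enclosing JSON document starts before the hunk.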
@@ -3603,123 +4266,1375 @@ ] }, { - "@timestamp": "2022-11-07T17:07:42.025Z", + "@timestamp": "2024-05-08T15:35:27.009Z", + "Target": { + "process": { + "executable": "C:\\Windows\\System32\\lsass.exe", + "name": "lsass.exe" + } + }, "ecs": { "version": "8.11.0" }, "event": { - "action": "dpapiaccessed", + "action": "readprocessmemoryapicall", "category": [ - "host" + "api" ], "kind": "event", - "original": "{\"Tenant\":\"DefaultTenant\",\"category\":\"AdvancedHunting-DeviceEvents\",\"operationName\":\"Publish\",\"properties\":{\"AccountDomain\":null,\"AccountName\":null,\"AccountSid\":null,\"ActionType\":\"DpapiAccessed\",\"AdditionalFields\":\"{\\\"CallerProcessID\\\":4248}\",\"AppGuardContainerId\":null,\"DeviceId\":\"de6509d550e605faf3bbeac0905ab9590fe12345\",\"DeviceName\":\"testmachine5\",\"FileName\":null,\"FileOriginIP\":null,\"FileOriginUrl\":null,\"FileSize\":329,\"FolderPath\":null,\"InitiatingProcessAccountDomain\":\"testmachine5\",\"InitiatingProcessAccountName\":\"administrator1\",\"InitiatingProcessAccountObjectId\":null,\"InitiatingProcessAccountSid\":\"S-1-5-21-375308137-164487297-2828222098-111\",\"InitiatingProcessAccountUpn\":null,\"InitiatingProcessCommandLine\":\"\\\"InstallUtil.exe\\\" /u \\\"C:\\\\Program Files (x86)\\\\Lenovo\\\\System 
Update\\\\SUService.exe\\\"\",\"InitiatingProcessCreationTime\":\"2022-11-07T17:07:41.698868Z\",\"InitiatingProcessFileName\":\"backgroundtaskhost.exe\",\"InitiatingProcessFileSize\":19776,\"InitiatingProcessFolderPath\":\"c:\\\\windows\\\\system32\\\\InstallUtil.exe\",\"InitiatingProcessId\":4248,\"InitiatingProcessLogonId\":1431021,\"InitiatingProcessMD5\":\"b7f884c1b74a263f746ee12a5f7c9f6a\",\"InitiatingProcessParentCreationTime\":\"2022-11-07T16:34:27.0112578Z\",\"InitiatingProcessParentFileName\":\"svchost.exe\",\"InitiatingProcessParentId\":948,\"InitiatingProcessSHA1\":\"1bc5066ddf693fc034d6514618854e26a84fd0d1\",\"InitiatingProcessSHA256\":\"add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88\",\"InitiatingProcessVersionInfoCompanyName\":\"Microsoft Corporation\",\"InitiatingProcessVersionInfoFileDescription\":\"Background Task Host\",\"InitiatingProcessVersionInfoInternalFileName\":\"Background Task Host\",\"InitiatingProcessVersionInfoOriginalFileName\":\"InstallUtil.exe\",\"InitiatingProcessVersionInfoProductName\":\"Microsoft® Windows® Operating System\",\"InitiatingProcessVersionInfoProductVersion\":\"10.0.19041.546\",\"LocalIP\":null,\"LocalPort\":null,\"LogonId\":null,\"MD5\":null,\"MachineGroup\":\"UnassignedGroup\",\"ProcessCommandLine\":null,\"ProcessCreationTime\":null,\"ProcessId\":null,\"ProcessTokenElevation\":null,\"RegistryKey\":null,\"RegistryValueData\":null,\"RegistryValueName\":null,\"RemoteDeviceName\":null,\"RemoteIP\":null,\"RemotePort\":null,\"RemoteUrl\":null,\"ReportId\":2833,\"SHA1\":null,\"SHA256\":null,\"Timestamp\":\"2022-11-07T17:07:42.0259186Z\"},\"tenantId\":\"12345af3-bc0e-4f36-b08e-27759e912345\",\"time\":\"2022-11-07T17:45:56.3057929Z\"}", + "original": "{\"Tenant\":\"DefaultTenant\",\"category\":\"AdvancedHunting-DeviceEvents\",\"operationName\":\"Publish\",\"properties\":{\"AccountDomain\":\"nt 
authority\",\"AccountName\":\"system\",\"AccountSid\":\"S-1-5-18\",\"ActionType\":\"ReadProcessMemoryApiCall\",\"AdditionalFields\":\"{\\\"TotalBytesCopied\\\":6847224}\",\"AppGuardContainerId\":\"\",\"DeviceId\":\"2af9e3da2eb7bd1b6c1fccb55ab5cd4cdec1e583\",\"DeviceName\":\"desktop-device210\",\"FileName\":\"lsass.exe\",\"FileOriginIP\":null,\"FileOriginUrl\":null,\"FileSize\":60640,\"FolderPath\":\"C:\\\\Windows\\\\System32\",\"InitiatingProcessAccountDomain\":\"nt authority\",\"InitiatingProcessAccountName\":\"system\",\"InitiatingProcessAccountObjectId\":null,\"InitiatingProcessAccountSid\":\"S-1-5-18\",\"InitiatingProcessAccountUpn\":null,\"InitiatingProcessCommandLine\":\"\\\"MsMpEng.exe\\\"\",\"InitiatingProcessCreationTime\":\"2024-05-06T11:48:54.2153786Z\",\"InitiatingProcessFileName\":\"MsMpEng.exe\",\"InitiatingProcessFileSize\":133576,\"InitiatingProcessFolderPath\":\"C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\4.18.24030.9-0\",\"InitiatingProcessId\":3232,\"InitiatingProcessLogonId\":0,\"InitiatingProcessMD5\":\"94d34f16a16b0e735c9d2d94e201b9ce\",\"InitiatingProcessParentCreationTime\":\"2024-05-06T11:48:52.81722Z\",\"InitiatingProcessParentFileName\":\"services.exe\",\"InitiatingProcessParentId\":688,\"InitiatingProcessSHA1\":\"e83099dd42393ad12002ce4dea5c750d6b0964e5\",\"InitiatingProcessSHA256\":\"6450755a9bdc845618dcf2cb78f010a1d408ba9b32865a44184a0e80afa3f301\",\"InitiatingProcessVersionInfoCompanyName\":\"Microsoft Corporation\",\"InitiatingProcessVersionInfoFileDescription\":\"Antimalware Service Executable\",\"InitiatingProcessVersionInfoInternalFileName\":\"MsMpEng.exe\",\"InitiatingProcessVersionInfoOriginalFileName\":\"MsMpEng.exe\",\"InitiatingProcessVersionInfoProductName\":\"Microsoft® Windows® Operating 
System\",\"InitiatingProcessVersionInfoProductVersion\":\"4.18.24030.9\",\"LocalIP\":null,\"LocalPort\":null,\"LogonId\":null,\"MD5\":\"60e18f7b8d1f43731d0e9169c2d16547\",\"MachineGroup\":null,\"ProcessCommandLine\":null,\"ProcessCreationTime\":\"2024-05-06T11:48:52.8330349Z\",\"ProcessId\":700,\"ProcessTokenElevation\":\"TokenElevationTypeDefault\",\"RegistryKey\":null,\"RegistryValueData\":null,\"RegistryValueName\":null,\"RemoteDeviceName\":null,\"RemoteIP\":null,\"RemotePort\":null,\"RemoteUrl\":null,\"ReportId\":24158,\"SHA1\":\"83ebb66f070956225959ee773b468f89ed55479c\",\"SHA256\":null,\"Timestamp\":\"2024-05-08T15:35:27.0091751Z\"},\"tenantId\":\"12345af3-bc0e-4f36-b08e-27759e912345\",\"time\":\"2024-05-08T15:40:20.2261934Z\"}", "type": [ "info" ] }, "host": { - "id": "de6509d550e605faf3bbeac0905ab9590fe12345", - "name": "testmachine5" + "id": "2af9e3da2eb7bd1b6c1fccb55ab5cd4cdec1e583", + "name": "desktop-device210" }, "m365_defender": { "event": { + "account": { + "domain": "nt authority", + "name": "system", + "sid": "S-1-5-18" + }, "action": { - "type": "DpapiAccessed" + "type": "ReadProcessMemoryApiCall" }, "additional_fields": { - "CallerProcessID": 4248 + "TotalBytesCopied": 6847224 }, "category": "AdvancedHunting-DeviceEvents", "device": { - "id": "de6509d550e605faf3bbeac0905ab9590fe12345", - "name": "testmachine5" + "id": "2af9e3da2eb7bd1b6c1fccb55ab5cd4cdec1e583", + "name": "desktop-device210" }, "file": { - "size": 329 + "name": "lsass.exe", + "size": 60640 }, + "folder_path": "C:\\Windows\\System32", "initiating_process": { - "account_domain": "testmachine5", - "account_name": "administrator1", - "account_sid": "S-1-5-21-375308137-164487297-2828222098-111", - "command_line": "\"InstallUtil.exe\" /u \"C:\\Program Files (x86)\\Lenovo\\System Update\\SUService.exe\"", - "creation_time": "2022-11-07T17:07:41.698Z", - "file_name": "backgroundtaskhost.exe", - "file_size": 19776, - "folder_path": "c:\\windows\\system32\\InstallUtil.exe", - "id": 4248, - 
"logon_id": "1431021", - "md5": "b7f884c1b74a263f746ee12a5f7c9f6a", - "parent_creation_time": "2022-11-07T16:34:27.011Z", - "parent_file_name": "svchost.exe", - "parent_id": 948, - "sha1": "1bc5066ddf693fc034d6514618854e26a84fd0d1", - "sha256": "add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88", + "account_domain": "nt authority", + "account_name": "system", + "account_sid": "S-1-5-18", + "command_line": "\"MsMpEng.exe\"", + "creation_time": "2024-05-06T11:48:54.215Z", + "file_name": "MsMpEng.exe", + "file_size": 133576, + "folder_path": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.24030.9-0", + "id": 3232, + "logon_id": "0", + "md5": "94d34f16a16b0e735c9d2d94e201b9ce", + "parent_creation_time": "2024-05-06T11:48:52.817Z", + "parent_file_name": "services.exe", + "parent_id": 688, + "sha1": "e83099dd42393ad12002ce4dea5c750d6b0964e5", + "sha256": "6450755a9bdc845618dcf2cb78f010a1d408ba9b32865a44184a0e80afa3f301", "version_info_company_name": "Microsoft Corporation", - "version_info_file_description": "Background Task Host", - "version_info_internal_file_name": "Background Task Host", - "version_info_original_file_name": "InstallUtil.exe", + "version_info_file_description": "Antimalware Service Executable", + "version_info_internal_file_name": "MsMpEng.exe", + "version_info_original_file_name": "MsMpEng.exe", "version_info_product_name": "Microsoft® Windows® Operating System", - "version_info_product_version": "10.0.19041.546" + "version_info_product_version": "4.18.24030.9" }, - "machine_group": "UnassignedGroup", + "md5": "60e18f7b8d1f43731d0e9169c2d16547", "operation_name": "Publish", - "report_id": "2833", + "process": { + "creation_time": "2024-05-06T11:48:52.833Z", + "id": 700, + "token_elevation": "TokenElevationTypeDefault" + }, + "report_id": "24158", + "sha1": "83ebb66f070956225959ee773b468f89ed55479c", "tenant": { "id": "12345af3-bc0e-4f36-b08e-27759e912345", "name": "DefaultTenant" }, - "time": "2022-11-07T17:45:56.305Z", - 
"timestamp": "2022-11-07T17:07:42.025Z" + "time": "2024-05-08T15:40:20.226Z", + "timestamp": "2024-05-08T15:35:27.009Z" } }, "process": { + "Ext": { + "api": { + "name": "ReadProcessMemory" + } + }, + "args": [ + "MsMpEng.exe" + ], + "args_count": 1, + "command_line": "\"MsMpEng.exe\"", + "executable": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.24030.9-0\\MsMpEng.exe", + "group_leader": { + "name": "services.exe", + "pid": 688, + "start": "2024-05-06T11:48:52.817Z" + }, + "hash": { + "md5": "94d34f16a16b0e735c9d2d94e201b9ce", + "sha1": "e83099dd42393ad12002ce4dea5c750d6b0964e5", + "sha256": "6450755a9bdc845618dcf2cb78f010a1d408ba9b32865a44184a0e80afa3f301" + }, + "name": "MsMpEng.exe", "parent": { - "args": [ - "InstallUtil.exe", - "/u", - "C:\\Program Files (x86)\\Lenovo\\System Update\\SUService.exe" - ], - "args_count": 3, - "command_line": "\"InstallUtil.exe\" /u \"C:\\Program Files (x86)\\Lenovo\\System Update\\SUService.exe\"", - "executable": "c:\\windows\\system32\\InstallUtil.exe", - "group_leader": { - "name": "svchost.exe", - "pid": 948, - "start": "2022-11-07T16:34:27.011Z" + "name": "services.exe", + "pid": 688, + "start": "2024-05-06T11:48:52.817Z" + }, + "pe": { + "company": "Microsoft Corporation", + "description": "Antimalware Service Executable", + "file_version": "4.18.24030.9", + "original_file_name": "MsMpEng.exe", + "product": "Microsoft® Windows® Operating System" + }, + "pid": 700, + "start": "2024-05-06T11:48:52.833Z" + }, + "related": { + "hash": [ + "94d34f16a16b0e735c9d2d94e201b9ce", + "e83099dd42393ad12002ce4dea5c750d6b0964e5", + "6450755a9bdc845618dcf2cb78f010a1d408ba9b32865a44184a0e80afa3f301" + ], + "hosts": [ + "2af9e3da2eb7bd1b6c1fccb55ab5cd4cdec1e583", + "desktop-device210", + "nt authority" + ], + "user": [ + "system" + ] + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "user": { + "domain": "nt authority", + "id": "S-1-5-18", + "name": "system" + } + }, + { + 
"@timestamp": "2024-05-08T15:24:48.327Z", + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "ntprotectvirtualmemoryapicall", + "category": [ + "api" + ], + "kind": "event", + "original": "{\"Tenant\":\"DefaultTenant\",\"category\":\"AdvancedHunting-DeviceEvents\",\"operationName\":\"Publish\",\"properties\":{\"AccountDomain\":null,\"AccountName\":null,\"AccountSid\":null,\"ActionType\":\"NtProtectVirtualMemoryApiCall\",\"AdditionalFields\":null,\"AppGuardContainerId\":\"\",\"DeviceId\":\"2af9e3da2eb7bd1b6c1fccb55ab5cd4cdec1e583\",\"DeviceName\":\"desktop-name\",\"FileName\":null,\"FileOriginIP\":null,\"FileOriginUrl\":null,\"FileSize\":null,\"FolderPath\":null,\"InitiatingProcessAccountDomain\":\"desktop-name\",\"InitiatingProcessAccountName\":\"jonh\",\"InitiatingProcessAccountObjectId\":null,\"InitiatingProcessAccountSid\":\"S-1-5-21-2850353385-2443355826-2041408518-1001\",\"InitiatingProcessAccountUpn\":null,\"InitiatingProcessCommandLine\":\"\\\"DllHost.exe\\\" /Processid:{776DBC8D-7347-478C-8D71-791E12EF49D8}\",\"InitiatingProcessCreationTime\":\"2024-05-08T15:24:48.1227891Z\",\"InitiatingProcessFileName\":\"dllhost.exe\",\"InitiatingProcessFileSize\":20352,\"InitiatingProcessFolderPath\":\"c:\\\\windows\\\\syswow64\\\\dllhost.exe\",\"InitiatingProcessId\":8140,\"InitiatingProcessLogonId\":717143,\"InitiatingProcessMD5\":\"61df0fa6ef720ddb2c284349d848599f\",\"InitiatingProcessParentCreationTime\":\"2024-05-06T11:48:52.9496546Z\",\"InitiatingProcessParentFileName\":\"svchost.exe\",\"InitiatingProcessParentId\":832,\"InitiatingProcessSHA1\":\"2cb98ff117a34662c096937005db985929ab2111\",\"InitiatingProcessSHA256\":\"6947ec4cade9c3f410aafb1d30d9664f6cbda797c983a1bc7a682006bb08a466\",\"InitiatingProcessVersionInfoCompanyName\":\"Microsoft Corporation\",\"InitiatingProcessVersionInfoFileDescription\":\"COM 
Surrogate\",\"InitiatingProcessVersionInfoInternalFileName\":\"dllhost.exe\",\"InitiatingProcessVersionInfoOriginalFileName\":\"dllhost.exe\",\"InitiatingProcessVersionInfoProductName\":\"Microsoft® Windows® Operating System\",\"InitiatingProcessVersionInfoProductVersion\":\"10.0.19041.3636\",\"LocalIP\":null,\"LocalPort\":null,\"LogonId\":null,\"MD5\":null,\"MachineGroup\":null,\"ProcessCommandLine\":null,\"ProcessCreationTime\":null,\"ProcessId\":null,\"ProcessTokenElevation\":null,\"RegistryKey\":null,\"RegistryValueData\":null,\"RegistryValueName\":null,\"RemoteDeviceName\":null,\"RemoteIP\":null,\"RemotePort\":null,\"RemoteUrl\":null,\"ReportId\":22406,\"SHA1\":null,\"SHA256\":null,\"Timestamp\":\"2024-05-08T15:24:48.3272705Z\"},\"tenantId\":\"12345af3-bc0e-4f36-b08e-27759e912345\",\"time\":\"2024-05-08T15:28:19.8963638Z\"}", + "type": [ + "info" + ] + }, + "host": { + "id": "2af9e3da2eb7bd1b6c1fccb55ab5cd4cdec1e583", + "name": "desktop-name" + }, + "m365_defender": { + "event": { + "action": { + "type": "NtProtectVirtualMemoryApiCall" }, - "hash": { - "md5": "b7f884c1b74a263f746ee12a5f7c9f6a", - "sha1": "1bc5066ddf693fc034d6514618854e26a84fd0d1", - "sha256": "add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88" + "category": "AdvancedHunting-DeviceEvents", + "device": { + "id": "2af9e3da2eb7bd1b6c1fccb55ab5cd4cdec1e583", + "name": "desktop-name" }, - "name": "backgroundtaskhost.exe", - "pe": { - "company": "Microsoft Corporation", - "description": "Background Task Host", - "file_version": "10.0.19041.546", - "original_file_name": "InstallUtil.exe", - "product": "Microsoft® Windows® Operating System", - "sections": { - "physical_size": 19776 - } + "initiating_process": { + "account_domain": "desktop-name", + "account_name": "jonh", + "account_sid": "S-1-5-21-2850353385-2443355826-2041408518-1001", + "command_line": "\"DllHost.exe\" /Processid:{776DBC8D-7347-478C-8D71-791E12EF49D8}", + "creation_time": "2024-05-08T15:24:48.122Z", + "file_name": 
"dllhost.exe", + "file_size": 20352, + "folder_path": "c:\\windows\\syswow64\\dllhost.exe", + "id": 8140, + "logon_id": "717143", + "md5": "61df0fa6ef720ddb2c284349d848599f", + "parent_creation_time": "2024-05-06T11:48:52.949Z", + "parent_file_name": "svchost.exe", + "parent_id": 832, + "sha1": "2cb98ff117a34662c096937005db985929ab2111", + "sha256": "6947ec4cade9c3f410aafb1d30d9664f6cbda797c983a1bc7a682006bb08a466", + "version_info_company_name": "Microsoft Corporation", + "version_info_file_description": "COM Surrogate", + "version_info_internal_file_name": "dllhost.exe", + "version_info_original_file_name": "dllhost.exe", + "version_info_product_name": "Microsoft® Windows® Operating System", + "version_info_product_version": "10.0.19041.3636" + }, + "operation_name": "Publish", + "report_id": "22406", + "tenant": { + "id": "12345af3-bc0e-4f36-b08e-27759e912345", + "name": "DefaultTenant" }, - "pid": 4248, - "start": "2022-11-07T17:07:41.698Z" + "time": "2024-05-08T15:28:19.896Z", + "timestamp": "2024-05-08T15:24:48.327Z" + } + }, + "process": { + "Ext": { + "api": { + "name": "NtProtectVirtualMemory" + } + }, + "args": [ + "DllHost.exe", + "/Processid:{776DBC8D-7347-478C-8D71-791E12EF49D8}" + ], + "args_count": 2, + "command_line": "\"DllHost.exe\" /Processid:{776DBC8D-7347-478C-8D71-791E12EF49D8}", + "executable": "c:\\windows\\syswow64\\dllhost.exe\\dllhost.exe", + "group_leader": { + "name": "svchost.exe", + "pid": 832, + "start": "2024-05-06T11:48:52.949Z" + }, + "hash": { + "md5": "61df0fa6ef720ddb2c284349d848599f", + "sha1": "2cb98ff117a34662c096937005db985929ab2111", + "sha256": "6947ec4cade9c3f410aafb1d30d9664f6cbda797c983a1bc7a682006bb08a466" + }, + "name": "dllhost.exe", + "parent": { + "name": "svchost.exe", + "pid": 832, + "start": "2024-05-06T11:48:52.949Z" }, "pe": { - "sections": { - "physical_size": 329 - } + "company": "Microsoft Corporation", + "description": "COM Surrogate", + "file_version": "10.0.19041.3636", + "original_file_name": 
"dllhost.exe", + "product": "Microsoft® Windows® Operating System" + }, + "pid": 8140, + "start": "2024-05-08T15:24:48.122Z" + }, + "related": { + "hash": [ + "61df0fa6ef720ddb2c284349d848599f", + "2cb98ff117a34662c096937005db985929ab2111", + "6947ec4cade9c3f410aafb1d30d9664f6cbda797c983a1bc7a682006bb08a466" + ], + "hosts": [ + "2af9e3da2eb7bd1b6c1fccb55ab5cd4cdec1e583", + "desktop-name" + ], + "user": [ + "jonh" + ] + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ] + }, + { + "@timestamp": "2024-05-06T19:51:06.481Z", + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "ntallocatevirtualmemoryapicall", + "category": [ + "api" + ], + "kind": "event", + "original": "{\"Tenant\":\"DefaultTenant\",\"category\":\"AdvancedHunting-DeviceEvents\",\"operationName\":\"Publish\",\"properties\":{\"AccountDomain\":null,\"AccountName\":null,\"AccountSid\":null,\"ActionType\":\"NtAllocateVirtualMemoryApiCall\",\"AdditionalFields\":\"{\\\"BaseAddress\\\":138490605600768,\\\"RegionSize\\\":104,\\\"ProtectionMask\\\":64}\",\"AppGuardContainerId\":\"\",\"DeviceId\":\"2af9e3da2eb7bd1b6c1fccb55ab5cd4cdec1e583\",\"DeviceName\":\"desktop-name\",\"FileName\":null,\"FileOriginIP\":null,\"FileOriginUrl\":null,\"FileSize\":null,\"FolderPath\":null,\"InitiatingProcessAccountDomain\":\"desktop-name\",\"InitiatingProcessAccountName\":\"jonh\",\"InitiatingProcessAccountObjectId\":null,\"InitiatingProcessAccountSid\":\"S-1-5-21-2850353385-2443355826-2041408518-1001\",\"InitiatingProcessAccountUpn\":null,\"InitiatingProcessCommandLine\":\"iexplore.exe /c echo -Embedding 
;C:\\\\Users\\\\Public\\\\iexplore.exe\",\"InitiatingProcessCreationTime\":\"2024-05-06T19:34:38.4354434Z\",\"InitiatingProcessFileName\":\"iexplore.exe\",\"InitiatingProcessFileSize\":446976,\"InitiatingProcessFolderPath\":\"c:\\\\users\\\\public\\\\iexplore.exe\",\"InitiatingProcessId\":5212,\"InitiatingProcessLogonId\":717087,\"InitiatingProcessMD5\":\"d1a8228a8bba76ac33195db983f21607\",\"InitiatingProcessParentCreationTime\":\"2024-05-06T19:34:34.5472444Z\",\"InitiatingProcessParentFileName\":\"python.exe\",\"InitiatingProcessParentId\":6968,\"InitiatingProcessSHA1\":\"72db7587afa1354f6c5dda643b3dff771027b121\",\"InitiatingProcessSHA256\":\"7fe5a235d305a60255423c2f8cd33bed88c29161a15dac11b609e3788aac575a\",\"InitiatingProcessVersionInfoCompanyName\":null,\"InitiatingProcessVersionInfoFileDescription\":null,\"InitiatingProcessVersionInfoInternalFileName\":null,\"InitiatingProcessVersionInfoOriginalFileName\":null,\"InitiatingProcessVersionInfoProductName\":null,\"InitiatingProcessVersionInfoProductVersion\":null,\"LocalIP\":null,\"LocalPort\":null,\"LogonId\":null,\"MD5\":null,\"MachineGroup\":null,\"ProcessCommandLine\":null,\"ProcessCreationTime\":null,\"ProcessId\":null,\"ProcessTokenElevation\":null,\"RegistryKey\":null,\"RegistryValueData\":null,\"RegistryValueName\":null,\"RemoteDeviceName\":null,\"RemoteIP\":null,\"RemotePort\":null,\"RemoteUrl\":null,\"ReportId\":15906,\"SHA1\":null,\"SHA256\":null,\"Timestamp\":\"2024-05-06T19:51:06.4815198Z\"},\"tenantId\":\"12345af3-bc0e-4f36-b08e-27759e912345\",\"time\":\"2024-05-06T19:54:58.0031198Z\"}", + "type": [ + "info" + ] + }, + "host": { + "id": "2af9e3da2eb7bd1b6c1fccb55ab5cd4cdec1e583", + "name": "desktop-name" + }, + "m365_defender": { + "event": { + "action": { + "type": "NtAllocateVirtualMemoryApiCall" + }, + "category": "AdvancedHunting-DeviceEvents", + "device": { + "id": "2af9e3da2eb7bd1b6c1fccb55ab5cd4cdec1e583", + "name": "desktop-name" + }, + "initiating_process": { + "account_domain": 
"desktop-name", + "account_name": "jonh", + "account_sid": "S-1-5-21-2850353385-2443355826-2041408518-1001", + "command_line": "iexplore.exe /c echo -Embedding ;C:\\Users\\Public\\iexplore.exe", + "creation_time": "2024-05-06T19:34:38.435Z", + "file_name": "iexplore.exe", + "file_size": 446976, + "folder_path": "c:\\users\\public\\iexplore.exe", + "id": 5212, + "logon_id": "717087", + "md5": "d1a8228a8bba76ac33195db983f21607", + "parent_creation_time": "2024-05-06T19:34:34.547Z", + "parent_file_name": "python.exe", + "parent_id": 6968, + "sha1": "72db7587afa1354f6c5dda643b3dff771027b121", + "sha256": "7fe5a235d305a60255423c2f8cd33bed88c29161a15dac11b609e3788aac575a" + }, + "operation_name": "Publish", + "report_id": "15906", + "tenant": { + "id": "12345af3-bc0e-4f36-b08e-27759e912345", + "name": "DefaultTenant" + }, + "time": "2024-05-06T19:54:58.003Z", + "timestamp": "2024-05-06T19:51:06.481Z" } }, + "process": { + "Ext": { + "api": { + "name": "NtAllocateVirtualMemory", + "parameters": { + "address": 138490605600768, + "protection": "64", + "size": 104 + } + } + }, + "args": [ + "iexplore.exe", + "/c", + "echo", + "-Embedding", + ";C:\\Users\\Public\\iexplore.exe" + ], + "args_count": 5, + "command_line": "iexplore.exe /c echo -Embedding ;C:\\Users\\Public\\iexplore.exe", + "executable": "c:\\users\\public\\iexplore.exe\\iexplore.exe", + "group_leader": { + "name": "python.exe", + "pid": 6968, + "start": "2024-05-06T19:34:34.547Z" + }, + "hash": { + "md5": "d1a8228a8bba76ac33195db983f21607", + "sha1": "72db7587afa1354f6c5dda643b3dff771027b121", + "sha256": "7fe5a235d305a60255423c2f8cd33bed88c29161a15dac11b609e3788aac575a" + }, + "name": "iexplore.exe", + "parent": { + "name": "python.exe", + "pid": 6968, + "start": "2024-05-06T19:34:34.547Z" + }, + "pid": 5212, + "start": "2024-05-06T19:34:38.435Z" + }, "related": { + "hash": [ + "d1a8228a8bba76ac33195db983f21607", + "72db7587afa1354f6c5dda643b3dff771027b121", + 
"7fe5a235d305a60255423c2f8cd33bed88c29161a15dac11b609e3788aac575a" + ], "hosts": [ - "de6509d550e605faf3bbeac0905ab9590fe12345", - "testmachine5" + "2af9e3da2eb7bd1b6c1fccb55ab5cd4cdec1e583", + "desktop-name" ], "user": [ - "administrator1" + "jonh" + ] + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ] + }, + { + "@timestamp": "2024-05-02T15:53:56.358Z", + "Target": { + "process": { + "command_line": "lsass.exe", + "executable": "C:\\Windows\\System32\\lsass.exe", + "name": "lsass.exe" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "openprocessapicall", + "category": [ + "api" + ], + "kind": "event", + "original": "{\"Tenant\":\"DefaultTenant\",\"category\":\"AdvancedHunting-DeviceEvents\",\"operationName\":\"Publish\",\"properties\":{\"AccountDomain\":\"nt authority\",\"AccountName\":\"system\",\"AccountSid\":\"S-1-5-18\",\"ActionType\":\"OpenProcessApiCall\",\"AdditionalFields\":\"{\\\"DesiredAccess\\\":5136}\",\"AppGuardContainerId\":\"\",\"DeviceId\":\"2cde6cee4dd3a5932ee140f871f6095966e74ff9\",\"DeviceName\":\"desktop-d45trp5\",\"FileName\":\"lsass.exe\",\"FileOriginIP\":null,\"FileOriginUrl\":null,\"FileSize\":59456,\"FolderPath\":\"C:\\\\Windows\\\\System32\",\"InitiatingProcessAccountDomain\":\"nt authority\",\"InitiatingProcessAccountName\":\"system\",\"InitiatingProcessAccountObjectId\":null,\"InitiatingProcessAccountSid\":\"S-1-5-18\",\"InitiatingProcessAccountUpn\":null,\"InitiatingProcessCommandLine\":\"\\\"MRT.exe\\\" /Q 
/W\",\"InitiatingProcessCreationTime\":\"2024-05-02T15:53:28.4793777Z\",\"InitiatingProcessFileName\":\"MRT.exe\",\"InitiatingProcessFileSize\":192651728,\"InitiatingProcessFolderPath\":\"C:\\\\Windows\\\\System32\",\"InitiatingProcessId\":7976,\"InitiatingProcessLogonId\":999,\"InitiatingProcessMD5\":\"62731ed3c4ad2df6af945f57fe77fba8\",\"InitiatingProcessParentCreationTime\":\"2024-05-02T15:53:22.44386Z\",\"InitiatingProcessParentFileName\":\"\\\\Device\\\\HarddiskVolume3\\\\Windows\\\\SoftwareDistribution\\\\Download\\\\Install\\\\Windows-KB890830-x64-V5.123.exe\",\"InitiatingProcessParentId\":1860,\"InitiatingProcessSHA1\":\"049216fd79902074425404a6a1049d0ee219c937\",\"InitiatingProcessSHA256\":\"d5b4ce826658201115461d70aa2c876aa32e6aa449c200d8d90b008195785f7e\",\"InitiatingProcessVersionInfoCompanyName\":\"Microsoft Corporation\",\"InitiatingProcessVersionInfoFileDescription\":\"Microsoft Windows Malicious Software Removal Tool\",\"InitiatingProcessVersionInfoInternalFileName\":\"mrt.exe\",\"InitiatingProcessVersionInfoOriginalFileName\":\"mrt.exe\",\"InitiatingProcessVersionInfoProductName\":\"Microsoft Windows Malicious Software Removal Tool\",\"InitiatingProcessVersionInfoProductVersion\":\"5.123.24040.1001\",\"LocalIP\":null,\"LocalPort\":null,\"LogonId\":999,\"MD5\":\"a1cc00332bbf370654ee3dc8cdc8c95a\",\"MachineGroup\":null,\"ProcessCommandLine\":\"lsass.exe\",\"ProcessCreationTime\":\"2024-04-30T17:16:21.6015876Z\",\"ProcessId\":648,\"ProcessTokenElevation\":\"TokenElevationTypeDefault\",\"RegistryKey\":null,\"RegistryValueData\":null,\"RegistryValueName\":null,\"RemoteDeviceName\":null,\"RemoteIP\":null,\"RemotePort\":null,\"RemoteUrl\":null,\"ReportId\":7280,\"SHA1\":\"65efbd61f80291ab32ff9799a32b289f21fa1d47\",\"SHA256\":null,\"Timestamp\":\"2024-05-02T15:53:56.358579Z\"},\"tenantId\":\"12345af3-bc0e-4f36-b08e-27759e912345\",\"time\":\"2024-05-02T15:58:14.0903277Z\"}", + "type": [ + "access" + ] + }, + "host": { + "id": 
"2cde6cee4dd3a5932ee140f871f6095966e74ff9", + "name": "desktop-d45trp5" + }, + "m365_defender": { + "event": { + "account": { + "domain": "nt authority", + "name": "system", + "sid": "S-1-5-18" + }, + "action": { + "type": "OpenProcessApiCall" + }, + "category": "AdvancedHunting-DeviceEvents", + "device": { + "id": "2cde6cee4dd3a5932ee140f871f6095966e74ff9", + "name": "desktop-d45trp5" + }, + "file": { + "name": "lsass.exe", + "size": 59456 + }, + "folder_path": "C:\\Windows\\System32", + "initiating_process": { + "account_domain": "nt authority", + "account_name": "system", + "account_sid": "S-1-5-18", + "command_line": "\"MRT.exe\" /Q /W", + "creation_time": "2024-05-02T15:53:28.479Z", + "file_name": "MRT.exe", + "file_size": 192651728, + "folder_path": "C:\\Windows\\System32", + "id": 7976, + "logon_id": "999", + "md5": "62731ed3c4ad2df6af945f57fe77fba8", + "parent_creation_time": "2024-05-02T15:53:22.443Z", + "parent_file_name": "\\Device\\HarddiskVolume3\\Windows\\SoftwareDistribution\\Download\\Install\\Windows-KB890830-x64-V5.123.exe", + "parent_id": 1860, + "sha1": "049216fd79902074425404a6a1049d0ee219c937", + "sha256": "d5b4ce826658201115461d70aa2c876aa32e6aa449c200d8d90b008195785f7e", + "version_info_company_name": "Microsoft Corporation", + "version_info_file_description": "Microsoft Windows Malicious Software Removal Tool", + "version_info_internal_file_name": "mrt.exe", + "version_info_original_file_name": "mrt.exe", + "version_info_product_name": "Microsoft Windows Malicious Software Removal Tool", + "version_info_product_version": "5.123.24040.1001" + }, + "logon": { + "id": "999" + }, + "md5": "a1cc00332bbf370654ee3dc8cdc8c95a", + "operation_name": "Publish", + "process": { + "command_line": "lsass.exe", + "creation_time": "2024-04-30T17:16:21.601Z", + "id": 648, + "token_elevation": "TokenElevationTypeDefault" + }, + "report_id": "7280", + "sha1": "65efbd61f80291ab32ff9799a32b289f21fa1d47", + "tenant": { + "id": 
"12345af3-bc0e-4f36-b08e-27759e912345", + "name": "DefaultTenant" + }, + "time": "2024-05-02T15:58:14.090Z", + "timestamp": "2024-05-02T15:53:56.358Z" + } + }, + "process": { + "Ext": { + "api": { + "name": "OpenProcess", + "parameters": { + "desired_access_numeric": 5136 + } + } + }, + "args": [ + "lsass.exe" + ], + "args_count": 1, + "command_line": "lsass.exe", + "executable": "C:\\Windows\\System32\\MRT.exe", + "group_leader": { + "name": "\\Device\\HarddiskVolume3\\Windows\\SoftwareDistribution\\Download\\Install\\Windows-KB890830-x64-V5.123.exe", + "pid": 1860, + "start": "2024-05-02T15:53:22.443Z" + }, + "hash": { + "md5": "62731ed3c4ad2df6af945f57fe77fba8", + "sha1": "049216fd79902074425404a6a1049d0ee219c937", + "sha256": "d5b4ce826658201115461d70aa2c876aa32e6aa449c200d8d90b008195785f7e" + }, + "name": "MRT.exe", + "parent": { + "name": "\\Device\\HarddiskVolume3\\Windows\\SoftwareDistribution\\Download\\Install\\Windows-KB890830-x64-V5.123.exe", + "pid": 1860, + "start": "2024-05-02T15:53:22.443Z" + }, + "pe": { + "company": "Microsoft Corporation", + "description": "Microsoft Windows Malicious Software Removal Tool", + "file_version": "5.123.24040.1001", + "original_file_name": "mrt.exe", + "product": "Microsoft Windows Malicious Software Removal Tool" + }, + "pid": 648, + "start": "2024-04-30T17:16:21.601Z" + }, + "related": { + "hash": [ + "62731ed3c4ad2df6af945f57fe77fba8", + "049216fd79902074425404a6a1049d0ee219c937", + "d5b4ce826658201115461d70aa2c876aa32e6aa449c200d8d90b008195785f7e" + ], + "hosts": [ + "2cde6cee4dd3a5932ee140f871f6095966e74ff9", + "desktop-d45trp5", + "nt authority" + ], + "user": [ + "system" + ] + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "user": { + "domain": "nt authority", + "id": "S-1-5-18", + "name": "system" + } + }, + { + "@timestamp": "2024-05-06T19:21:01.879Z", + "dll": { + "hash": { + "md5": "90092500745be9869089fb838b7b6c7b", + "sha1": 
"929ceb687964b627ce92d18be8789c90ab1b02c8", + "sha256": "f413d559c0302d1cd8683469255fe03dcce0362c56b8fe55273f5d29823d264e" + }, + "name": "bthpan.sys", + "path": "C:\\Windows\\System32\\drivers\\bthpan.sys" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "load", + "category": [ + "driver" + ], + "kind": "event", + "original": "{\"Tenant\":\"DefaultTenant\",\"category\":\"AdvancedHunting-DeviceEvents\",\"operationName\":\"Publish\",\"properties\":{\"AccountDomain\":null,\"AccountName\":null,\"AccountSid\":null,\"ActionType\":\"DriverLoad\",\"AdditionalFields\":\"{\\\"ImageBase\\\":\\\"18446735304154021888\\\",\\\"ImageMD5\\\":\\\"kAklAHRb6YaQifuDi3tsew==\\\",\\\"ImageName\\\":\\\"\\\\\\\\Device\\\\\\\\HarddiskVolume3\\\\\\\\Windows\\\\\\\\System32\\\\\\\\drivers\\\\\\\\bthpan.sys\\\",\\\"ImageSHA1\\\":\\\"kpzraHlktifOktGL6HickKsbAsg=\\\",\\\"ImageSHA256\\\":\\\"9BPVWcAwLRzYaDRpJV/gPczgNixWuP5VJz9dKYI9Jk4=\\\",\\\"UserSid\\\":\\\"S-1-5-18\\\"}\",\"AppGuardContainerId\":\"\",\"DeviceId\":\"2af9e3da2eb7bd1b6c1fccb55ab5cd4cdec1e583\",\"DeviceName\":\"desktop-name\",\"FileName\":\"bthpan.sys\",\"FileOriginIP\":null,\"FileOriginUrl\":null,\"FileSize\":null,\"FolderPath\":\"C:\\\\Windows\\\\System32\\\\drivers\",\"InitiatingProcessAccountDomain\":\"nt 
authority\",\"InitiatingProcessAccountName\":\"system\",\"InitiatingProcessAccountObjectId\":null,\"InitiatingProcessAccountSid\":\"S-1-5-18\",\"InitiatingProcessAccountUpn\":null,\"InitiatingProcessCommandLine\":null,\"InitiatingProcessCreationTime\":\"2024-05-06T11:48:52.1256635Z\",\"InitiatingProcessFileName\":\"ntoskrnl.exe\",\"InitiatingProcessFileSize\":10871664,\"InitiatingProcessFolderPath\":\"C:\\\\Windows\\\\System32\",\"InitiatingProcessId\":4,\"InitiatingProcessLogonId\":0,\"InitiatingProcessMD5\":\"225d4dc97a46861d0eda1748dda4e740\",\"InitiatingProcessParentCreationTime\":null,\"InitiatingProcessParentFileName\":null,\"InitiatingProcessParentId\":0,\"InitiatingProcessSHA1\":\"54044b5acd720bc61f62338bdbf3f108d82fc5d9\",\"InitiatingProcessSHA256\":\"d2d44a847fa61ad52982e5694db1376695fd60bc9698060eedd17fc646422f49\",\"InitiatingProcessVersionInfoCompanyName\":\"Microsoft Corporation\",\"InitiatingProcessVersionInfoFileDescription\":\"NT Kernel \\u0026 System\",\"InitiatingProcessVersionInfoInternalFileName\":\"ntkrnlmp.exe\",\"InitiatingProcessVersionInfoOriginalFileName\":\"ntkrnlmp.exe\",\"InitiatingProcessVersionInfoProductName\":\"Microsoft® Windows® Operating System\",\"InitiatingProcessVersionInfoProductVersion\":\"10.0.19041.4291\",\"LocalIP\":null,\"LocalPort\":null,\"LogonId\":null,\"MD5\":\"90092500745be9869089fb838b7b6c7b\",\"MachineGroup\":null,\"ProcessCommandLine\":null,\"ProcessCreationTime\":\"2024-05-05T22:25:42.4236026Z\",\"ProcessId\":null,\"ProcessTokenElevation\":null,\"RegistryKey\":null,\"RegistryValueData\":null,\"RegistryValueName\":null,\"RemoteDeviceName\":null,\"RemoteIP\":null,\"RemotePort\":null,\"RemoteUrl\":null,\"ReportId\":10400,\"SHA1\":\"929ceb687964b627ce92d18be8789c90ab1b02c8\",\"SHA256\":\"f413d559c0302d1cd8683469255fe03dcce0362c56b8fe55273f5d29823d264e\",\"Timestamp\":\"2024-05-06T19:21:01.8790078Z\"},\"tenantId\":\"12345af3-bc0e-4f36-b08e-27759e912345\",\"time\":\"2024-05-06T19:24:37.3461525Z\"}", + "type": [ + 
"start" + ] + }, + "host": { + "id": "2af9e3da2eb7bd1b6c1fccb55ab5cd4cdec1e583", + "name": "desktop-name" + }, + "m365_defender": { + "event": { + "action": { + "type": "DriverLoad" + }, + "additional_fields": { + "ImageBase": "18446735304154021888", + "ImageMD5": "kAklAHRb6YaQifuDi3tsew==", + "ImageName": "\\Device\\HarddiskVolume3\\Windows\\System32\\drivers\\bthpan.sys", + "ImageSHA1": "kpzraHlktifOktGL6HickKsbAsg=", + "ImageSHA256": "9BPVWcAwLRzYaDRpJV/gPczgNixWuP5VJz9dKYI9Jk4=", + "UserSid": "S-1-5-18" + }, + "category": "AdvancedHunting-DeviceEvents", + "device": { + "id": "2af9e3da2eb7bd1b6c1fccb55ab5cd4cdec1e583", + "name": "desktop-name" + }, + "file": { + "name": "bthpan.sys" + }, + "folder_path": "C:\\Windows\\System32\\drivers", + "initiating_process": { + "account_domain": "nt authority", + "account_name": "system", + "account_sid": "S-1-5-18", + "creation_time": "2024-05-06T11:48:52.125Z", + "file_name": "ntoskrnl.exe", + "file_size": 10871664, + "folder_path": "C:\\Windows\\System32", + "id": 4, + "logon_id": "0", + "md5": "225d4dc97a46861d0eda1748dda4e740", + "parent_id": 0, + "sha1": "54044b5acd720bc61f62338bdbf3f108d82fc5d9", + "sha256": "d2d44a847fa61ad52982e5694db1376695fd60bc9698060eedd17fc646422f49", + "version_info_company_name": "Microsoft Corporation", + "version_info_file_description": "NT Kernel & System", + "version_info_internal_file_name": "ntkrnlmp.exe", + "version_info_original_file_name": "ntkrnlmp.exe", + "version_info_product_name": "Microsoft® Windows® Operating System", + "version_info_product_version": "10.0.19041.4291" + }, + "md5": "90092500745be9869089fb838b7b6c7b", + "operation_name": "Publish", + "process": { + "creation_time": "2024-05-05T22:25:42.423Z" + }, + "report_id": "10400", + "sha1": "929ceb687964b627ce92d18be8789c90ab1b02c8", + "sha256": "f413d559c0302d1cd8683469255fe03dcce0362c56b8fe55273f5d29823d264e", + "tenant": { + "id": "12345af3-bc0e-4f36-b08e-27759e912345", + "name": "DefaultTenant" + }, + "time": 
"2024-05-06T19:24:37.346Z", + "timestamp": "2024-05-06T19:21:01.879Z" + } + }, + "process": { + "executable": "C:\\Windows\\System32\\ntoskrnl.exe", + "group_leader": { + "pid": 0 + }, + "hash": { + "md5": "225d4dc97a46861d0eda1748dda4e740", + "sha1": "54044b5acd720bc61f62338bdbf3f108d82fc5d9", + "sha256": "d2d44a847fa61ad52982e5694db1376695fd60bc9698060eedd17fc646422f49" + }, + "name": "ntoskrnl.exe", + "parent": { + "pid": 0 + }, + "pe": { + "company": "Microsoft Corporation", + "description": "NT Kernel & System", + "file_version": "10.0.19041.4291", + "original_file_name": "ntkrnlmp.exe", + "product": "Microsoft® Windows® Operating System" + }, + "pid": 4, + "start": "2024-05-05T22:25:42.423Z" + }, + "related": { + "hash": [ + "225d4dc97a46861d0eda1748dda4e740", + "54044b5acd720bc61f62338bdbf3f108d82fc5d9", + "d2d44a847fa61ad52982e5694db1376695fd60bc9698060eedd17fc646422f49" + ], + "hosts": [ + "2af9e3da2eb7bd1b6c1fccb55ab5cd4cdec1e583", + "desktop-name", + "nt authority" + ], + "user": [ + "system" + ] + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "user": { + "domain": "nt authority", + "id": "S-1-5-18", + "name": "system" + } + }, + { + "@timestamp": "2022-11-07T17:07:42.025Z", + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "dpapiaccessed", + "category": [ + "host" + ], + "kind": "event", + "original": 
"{\"Tenant\":\"DefaultTenant\",\"category\":\"AdvancedHunting-DeviceEvents\",\"operationName\":\"Publish\",\"properties\":{\"AccountDomain\":null,\"AccountName\":null,\"AccountSid\":null,\"ActionType\":\"DpapiAccessed\",\"AdditionalFields\":\"{\\\"CallerProcessID\\\":4248}\",\"AppGuardContainerId\":null,\"DeviceId\":\"de6509d550e605faf3bbeac0905ab9590fe12345\",\"DeviceName\":\"testmachine5\",\"FileName\":null,\"FileOriginIP\":null,\"FileOriginUrl\":null,\"FileSize\":329,\"FolderPath\":null,\"InitiatingProcessAccountDomain\":\"testmachine5\",\"InitiatingProcessAccountName\":\"administrator1\",\"InitiatingProcessAccountObjectId\":null,\"InitiatingProcessAccountSid\":\"S-1-5-21-375308137-164487297-2828222098-111\",\"InitiatingProcessAccountUpn\":null,\"InitiatingProcessCommandLine\":\"\\\"InstallUtil.exe\\\" /u \\\"C:\\\\Program Files (x86)\\\\Lenovo\\\\System Update\\\\SUService.exe\\\"\",\"InitiatingProcessCreationTime\":\"2022-11-07T17:07:41.698868Z\",\"InitiatingProcessFileName\":\"backgroundtaskhost.exe\",\"InitiatingProcessFileSize\":19776,\"InitiatingProcessFolderPath\":\"c:\\\\windows\\\\system32\\\\InstallUtil.exe\",\"InitiatingProcessId\":4248,\"InitiatingProcessLogonId\":1431021,\"InitiatingProcessMD5\":\"b7f884c1b74a263f746ee12a5f7c9f6a\",\"InitiatingProcessParentCreationTime\":\"2022-11-07T16:34:27.0112578Z\",\"InitiatingProcessParentFileName\":\"svchost.exe\",\"InitiatingProcessParentId\":948,\"InitiatingProcessSHA1\":\"1bc5066ddf693fc034d6514618854e26a84fd0d1\",\"InitiatingProcessSHA256\":\"add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88\",\"InitiatingProcessVersionInfoCompanyName\":\"Microsoft Corporation\",\"InitiatingProcessVersionInfoFileDescription\":\"Background Task Host\",\"InitiatingProcessVersionInfoInternalFileName\":\"Background Task Host\",\"InitiatingProcessVersionInfoOriginalFileName\":\"InstallUtil.exe\",\"InitiatingProcessVersionInfoProductName\":\"Microsoft® Windows® Operating 
System\",\"InitiatingProcessVersionInfoProductVersion\":\"10.0.19041.546\",\"LocalIP\":null,\"LocalPort\":null,\"LogonId\":null,\"MD5\":null,\"MachineGroup\":\"UnassignedGroup\",\"ProcessCommandLine\":null,\"ProcessCreationTime\":null,\"ProcessId\":null,\"ProcessTokenElevation\":null,\"RegistryKey\":null,\"RegistryValueData\":null,\"RegistryValueName\":null,\"RemoteDeviceName\":null,\"RemoteIP\":null,\"RemotePort\":null,\"RemoteUrl\":null,\"ReportId\":2833,\"SHA1\":null,\"SHA256\":null,\"Timestamp\":\"2022-11-07T17:07:42.0259186Z\"},\"tenantId\":\"12345af3-bc0e-4f36-b08e-27759e912345\",\"time\":\"2022-11-07T17:45:56.3057929Z\"}", + "type": [ + "info" + ] + }, + "host": { + "id": "de6509d550e605faf3bbeac0905ab9590fe12345", + "name": "testmachine5" + }, + "m365_defender": { + "event": { + "action": { + "type": "DpapiAccessed" + }, + "additional_fields": { + "CallerProcessID": 4248 + }, + "category": "AdvancedHunting-DeviceEvents", + "device": { + "id": "de6509d550e605faf3bbeac0905ab9590fe12345", + "name": "testmachine5" + }, + "file": { + "size": 329 + }, + "initiating_process": { + "account_domain": "testmachine5", + "account_name": "administrator1", + "account_sid": "S-1-5-21-375308137-164487297-2828222098-111", + "command_line": "\"InstallUtil.exe\" /u \"C:\\Program Files (x86)\\Lenovo\\System Update\\SUService.exe\"", + "creation_time": "2022-11-07T17:07:41.698Z", + "file_name": "backgroundtaskhost.exe", + "file_size": 19776, + "folder_path": "c:\\windows\\system32\\InstallUtil.exe", + "id": 4248, + "logon_id": "1431021", + "md5": "b7f884c1b74a263f746ee12a5f7c9f6a", + "parent_creation_time": "2022-11-07T16:34:27.011Z", + "parent_file_name": "svchost.exe", + "parent_id": 948, + "sha1": "1bc5066ddf693fc034d6514618854e26a84fd0d1", + "sha256": "add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88", + "version_info_company_name": "Microsoft Corporation", + "version_info_file_description": "Background Task Host", + "version_info_internal_file_name": 
"Background Task Host", + "version_info_original_file_name": "InstallUtil.exe", + "version_info_product_name": "Microsoft® Windows® Operating System", + "version_info_product_version": "10.0.19041.546" + }, + "machine_group": "UnassignedGroup", + "operation_name": "Publish", + "report_id": "2833", + "tenant": { + "id": "12345af3-bc0e-4f36-b08e-27759e912345", + "name": "DefaultTenant" + }, + "time": "2022-11-07T17:45:56.305Z", + "timestamp": "2022-11-07T17:07:42.025Z" + } + }, + "process": { + "args": [ + "InstallUtil.exe", + "/u", + "C:\\Program Files (x86)\\Lenovo\\System Update\\SUService.exe" + ], + "args_count": 3, + "command_line": "\"InstallUtil.exe\" /u \"C:\\Program Files (x86)\\Lenovo\\System Update\\SUService.exe\"", + "executable": "c:\\windows\\system32\\InstallUtil.exe", + "hash": { + "md5": "b7f884c1b74a263f746ee12a5f7c9f6a", + "sha1": "1bc5066ddf693fc034d6514618854e26a84fd0d1", + "sha256": "add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88" + }, + "name": "backgroundtaskhost.exe", + "parent": { + "name": "svchost.exe", + "pid": 948, + "start": "2022-11-07T16:34:27.011Z" + }, + "pe": { + "company": "Microsoft Corporation", + "description": "Background Task Host", + "file_version": "10.0.19041.546", + "original_file_name": "InstallUtil.exe", + "product": "Microsoft® Windows® Operating System" + }, + "pid": 4248, + "start": "2022-11-07T17:07:41.698Z" + }, + "related": { + "hash": [ + "b7f884c1b74a263f746ee12a5f7c9f6a", + "1bc5066ddf693fc034d6514618854e26a84fd0d1", + "add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88" + ], + "hosts": [ + "de6509d550e605faf3bbeac0905ab9590fe12345", + "testmachine5" + ], + "user": [ + "administrator1" + ] + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ] + }, + { + "@timestamp": "2024-05-17T09:42:55.895Z", + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "host" + ], + "kind": "event", + "original": 
"{\"Tenant\":\"DefaultTenant\",\"_TimeReceivedBySvc\":\"2024-05-17T09:43:48.5484538Z\",\"category\":\"AdvancedHunting-DeviceInfo\",\"operationName\":\"Publish\",\"properties\":{\"AadDeviceId\":null,\"AdditionalFields\":\"[]\",\"AssetValue\":null,\"ClientVersion\":\"30.124032.7.0\",\"DeviceCategory\":\"Endpoint\",\"DeviceDynamicTags\":null,\"DeviceId\":\"78dca52447922201adb5c38f20f3351dc2a31668\",\"DeviceManualTags\":null,\"DeviceName\":\"sample-device\",\"DeviceSubtype\":null,\"DeviceType\":\"Server\",\"ExclusionReason\":null,\"ExposureLevel\":\"Low\",\"IsAzureADJoined\":false,\"IsExcluded\":false,\"IsInternetFacing\":null,\"JoinType\":\"Domain Joined\",\"LoggedOnUsers\":\"[{\\\"UserName\\\":\\\"LOGIN\\\"}]\",\"MachineGroup\":null,\"MergedDeviceIds\":\"\",\"MergedToDeviceId\":\"\",\"Model\":\"\",\"OSArchitecture\":\"64-bit\",\"OSBuild\":null,\"OSDistribution\":\"Debian\",\"OSPlatform\":\"Linux\",\"OSVersion\":\"11.0\",\"OSVersionInfo\":\"\",\"OnboardingStatus\":\"Onboarded\",\"PublicIP\":\"81.2.69.142\",\"RegistryDeviceTag\":\"\",\"ReportId\":638515358285484500,\"SensorHealthState\":\"Active\",\"Timestamp\":\"2024-05-17T09:42:55.895275Z\",\"Vendor\":\"\"},\"tenantId\":\"12345af3-bc0e-4f36-b08e-27759e912345\",\"time\":\"2024-05-17T09:47:00.1365521Z\"}", + "type": [ + "info" + ] + }, + "host": { + "architecture": "64-bit", + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "id": "78dca52447922201adb5c38f20f3351dc2a31668", + "ip": "81.2.69.142", + "name": "sample-device", + "os": { + "full": "Linux", + "platform": "Debian", + "type": "linux", + "version": "11.0" + }, + "type": "Server" + }, + "m365_defender": { + "event": { + "active_users": [ + "LOGIN" + ], + "category": "AdvancedHunting-DeviceInfo", + "client_version": "30.124032.7.0", + "device": { + "category": 
"Endpoint", + "id": "78dca52447922201adb5c38f20f3351dc2a31668", + "name": "sample-device", + "type": "Server" + }, + "exposure_level": "Low", + "is_azure_ad_joined": false, + "is_excluded": false, + "join_type": "Domain Joined", + "onboarding_status": "Onboarded", + "operation_name": "Publish", + "os": { + "architecture": "64-bit", + "distribution": "Debian", + "platform": "Linux", + "version": "11.0" + }, + "public_ip": { + "value": "81.2.69.142" + }, + "report_id": "638515358285484500", + "sensor_health_state": "Active", + "tenant": { + "id": "12345af3-bc0e-4f36-b08e-27759e912345", + "name": "DefaultTenant" + }, + "time": "2024-05-17T09:47:00.136Z", + "timestamp": "2024-05-17T09:42:55.895Z" + } + }, + "observer": { + "type": "Endpoint", + "version": "30.124032.7.0" + }, + "related": { + "hosts": [ + "78dca52447922201adb5c38f20f3351dc2a31668", + "sample-device" + ], + "ip": [ + "81.2.69.142" + ], + "user": [ + "LOGIN" + ] + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ] + }, + { + "@timestamp": "2024-05-08T15:33:37.466Z", + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "namedpipeevent", + "category": [ + "host" + ], + "kind": "event", + "original": "{\"Tenant\":\"DefaultTenant\",\"category\":\"AdvancedHunting-DeviceEvents\",\"operationName\":\"Publish\",\"properties\":{\"AccountDomain\":null,\"AccountName\":null,\"AccountSid\":\"S-1-5-19\",\"ActionType\":\"NamedPipeEvent\",\"AdditionalFields\":\"{\\\"DesiredAccess\\\":1180063,\\\"FileOperation\\\":\\\"File 
opened\\\",\\\"NamedPipeEnd\\\":\\\"Server\\\",\\\"PipeName\\\":\\\"\\\\\\\\Device\\\\\\\\NamedPipe\\\\\\\\W32TIME_ALT\\\",\\\"RemoteClientsAccess\\\":\\\"AcceptRemote\\\",\\\"SessionId\\\":0,\\\"ThreadId\\\":10540}\",\"AppGuardContainerId\":\"\",\"DeviceId\":\"2af9e3da2eb7ba1b6c1ffcb54ab5cd4cdec1e593\",\"DeviceName\":\"desktop-name\",\"FileName\":null,\"FileOriginIP\":null,\"FileOriginUrl\":null,\"FileSize\":null,\"FolderPath\":null,\"InitiatingProcessAccountDomain\":\"nt authority\",\"InitiatingProcessAccountName\":\"local service\",\"InitiatingProcessAccountObjectId\":null,\"InitiatingProcessAccountSid\":\"S-1-5-19\",\"InitiatingProcessAccountUpn\":null,\"InitiatingProcessCommandLine\":\"svchost.exe -k LocalService -s W32Time\",\"InitiatingProcessCreationTime\":\"2024-05-08T15:33:37.3307862Z\",\"InitiatingProcessFileName\":\"svchost.exe\",\"InitiatingProcessFileSize\":55456,\"InitiatingProcessFolderPath\":\"c:\\\\windows\\\\system32\\\\svchost.exe\",\"InitiatingProcessId\":10192,\"InitiatingProcessLogonId\":997,\"InitiatingProcessMD5\":\"145dcf6706eeea5b066885ee17964c09\",\"InitiatingProcessParentCreationTime\":\"2024-05-06T11:48:52.81722Z\",\"InitiatingProcessParentFileName\":\"services.exe\",\"InitiatingProcessParentId\":688,\"InitiatingProcessSHA1\":\"445f5f38365af88ec29b357f4696f0e3ee50a1d8\",\"InitiatingProcessSHA256\":\"f13de58416730d210dab465b242e9c949fb0a0245eef45b07c381f0c6c8a43c3\",\"InitiatingProcessVersionInfoCompanyName\":\"Microsoft Corporation\",\"InitiatingProcessVersionInfoFileDescription\":\"Host Process for Windows Services\",\"InitiatingProcessVersionInfoInternalFileName\":\"svchost.exe\",\"InitiatingProcessVersionInfoOriginalFileName\":\"svchost.exe\",\"InitiatingProcessVersionInfoProductName\":\"Microsoft® Windows® Operating 
System\",\"InitiatingProcessVersionInfoProductVersion\":\"10.0.19041.3636\",\"LocalIP\":null,\"LocalPort\":null,\"LogonId\":null,\"MD5\":null,\"MachineGroup\":null,\"ProcessCommandLine\":null,\"ProcessCreationTime\":null,\"ProcessId\":null,\"ProcessTokenElevation\":null,\"RegistryKey\":null,\"RegistryValueData\":null,\"RegistryValueName\":null,\"RemoteDeviceName\":null,\"RemoteIP\":\"\",\"RemotePort\":null,\"RemoteUrl\":null,\"ReportId\":23860,\"SHA1\":null,\"SHA256\":null,\"Timestamp\":\"2024-05-08T15:33:37.4669184Z\"},\"tenantId\":\"12345af3-bc0e-4f36-b08e-27759e912345\",\"time\":\"2024-05-08T15:39:02.1739813Z\"}", + "type": [ + "info" + ] + }, + "host": { + "id": "2af9e3da2eb7ba1b6c1ffcb54ab5cd4cdec1e593", + "name": "desktop-name" + }, + "m365_defender": { + "event": { + "account": { + "sid": "S-1-5-19" + }, + "action": { + "type": "NamedPipeEvent" + }, + "additional_fields": { + "DesiredAccess": 1180063, + "FileOperation": "File opened", + "NamedPipeEnd": "Server", + "PipeName": "\\Device\\NamedPipe\\W32TIME_ALT", + "RemoteClientsAccess": "AcceptRemote", + "SessionId": 0, + "ThreadId": 10540 + }, + "category": "AdvancedHunting-DeviceEvents", + "device": { + "id": "2af9e3da2eb7ba1b6c1ffcb54ab5cd4cdec1e593", + "name": "desktop-name" + }, + "initiating_process": { + "account_domain": "nt authority", + "account_name": "local service", + "account_sid": "S-1-5-19", + "command_line": "svchost.exe -k LocalService -s W32Time", + "creation_time": "2024-05-08T15:33:37.330Z", + "file_name": "svchost.exe", + "file_size": 55456, + "folder_path": "c:\\windows\\system32\\svchost.exe", + "id": 10192, + "logon_id": "997", + "md5": "145dcf6706eeea5b066885ee17964c09", + "parent_creation_time": "2024-05-06T11:48:52.817Z", + "parent_file_name": "services.exe", + "parent_id": 688, + "sha1": "445f5f38365af88ec29b357f4696f0e3ee50a1d8", + "sha256": "f13de58416730d210dab465b242e9c949fb0a0245eef45b07c381f0c6c8a43c3", + "version_info_company_name": "Microsoft Corporation", + 
"version_info_file_description": "Host Process for Windows Services", + "version_info_internal_file_name": "svchost.exe", + "version_info_original_file_name": "svchost.exe", + "version_info_product_name": "Microsoft® Windows® Operating System", + "version_info_product_version": "10.0.19041.3636" + }, + "operation_name": "Publish", + "report_id": "23860", + "tenant": { + "id": "12345af3-bc0e-4f36-b08e-27759e912345", + "name": "DefaultTenant" + }, + "time": "2024-05-08T15:39:02.173Z", + "timestamp": "2024-05-08T15:33:37.466Z" + } + }, + "process": { + "args": [ + "svchost.exe", + "-k", + "LocalService", + "-s", + "W32Time" + ], + "args_count": 5, + "command_line": "svchost.exe -k LocalService -s W32Time", + "executable": "c:\\windows\\system32\\svchost.exe", + "hash": { + "md5": "145dcf6706eeea5b066885ee17964c09", + "sha1": "445f5f38365af88ec29b357f4696f0e3ee50a1d8", + "sha256": "f13de58416730d210dab465b242e9c949fb0a0245eef45b07c381f0c6c8a43c3" + }, + "name": "svchost.exe", + "parent": { + "name": "services.exe", + "pid": 688, + "start": "2024-05-06T11:48:52.817Z" + }, + "pe": { + "company": "Microsoft Corporation", + "description": "Host Process for Windows Services", + "file_version": "10.0.19041.3636", + "original_file_name": "svchost.exe", + "product": "Microsoft® Windows® Operating System" + }, + "pid": 10192, + "start": "2024-05-08T15:33:37.330Z" + }, + "related": { + "hash": [ + "145dcf6706eeea5b066885ee17964c09", + "445f5f38365af88ec29b357f4696f0e3ee50a1d8", + "f13de58416730d210dab465b242e9c949fb0a0245eef45b07c381f0c6c8a43c3" + ], + "hosts": [ + "2af9e3da2eb7ba1b6c1ffcb54ab5cd4cdec1e593", + "desktop-name", + "nt authority" + ], + "user": [ + "local service" + ] + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "user": { + "id": "S-1-5-19" + } + }, + { + "@timestamp": "2024-05-08T15:24:47.947Z", + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "getclipboarddata", + "category": [ + "host" + ], + "kind": 
"event", + "original": "{\"Tenant\":\"DefaultTenant\",\"category\":\"AdvancedHunting-DeviceEvents\",\"operationName\":\"Publish\",\"properties\":{\"AccountDomain\":null,\"AccountName\":null,\"AccountSid\":null,\"ActionType\":\"GetClipboardData\",\"AdditionalFields\":null,\"AppGuardContainerId\":\"\",\"DeviceId\":\"2af9e3da2eb7bd1bfa1fccb55ab5cd4cdec1e593\",\"DeviceName\":\"desktop-name\",\"FileName\":null,\"FileOriginIP\":null,\"FileOriginUrl\":null,\"FileSize\":null,\"FolderPath\":null,\"InitiatingProcessAccountDomain\":\"desktop-name\",\"InitiatingProcessAccountName\":\"ipan\",\"InitiatingProcessAccountObjectId\":null,\"InitiatingProcessAccountSid\":\"S-1-5-21-2850353385-2443355826-2041408518-1001\",\"InitiatingProcessAccountUpn\":null,\"InitiatingProcessCommandLine\":\"Explorer.EXE\",\"InitiatingProcessCreationTime\":\"2024-05-06T11:53:36.4136444Z\",\"InitiatingProcessFileName\":\"explorer.exe\",\"InitiatingProcessFileSize\":5656192,\"InitiatingProcessFolderPath\":\"c:\\\\windows\\\\explorer.exe\",\"InitiatingProcessId\":1040,\"InitiatingProcessLogonId\":0,\"InitiatingProcessMD5\":\"238538d74fea273bff1e00622eccaf3a\",\"InitiatingProcessParentCreationTime\":\"2024-05-06T11:53:36.3698545Z\",\"InitiatingProcessParentFileName\":\"userinit.exe\",\"InitiatingProcessParentId\":3424,\"InitiatingProcessSHA1\":\"61ee53287d7aa2abbf323cc04e4475ae07ed6e75\",\"InitiatingProcessSHA256\":\"33ca082676d3e3162eccdbef28daa3240930245ff218b70d309f34ab0e7b372e\",\"InitiatingProcessVersionInfoCompanyName\":\"Microsoft Corporation\",\"InitiatingProcessVersionInfoFileDescription\":\"Windows Explorer\",\"InitiatingProcessVersionInfoInternalFileName\":\"explorer\",\"InitiatingProcessVersionInfoOriginalFileName\":\"EXPLORER.EXE\",\"InitiatingProcessVersionInfoProductName\":\"Microsoft® Windows® Operating 
System\",\"InitiatingProcessVersionInfoProductVersion\":\"10.0.19041.4239\",\"LocalIP\":null,\"LocalPort\":null,\"LogonId\":null,\"MD5\":null,\"MachineGroup\":null,\"ProcessCommandLine\":null,\"ProcessCreationTime\":null,\"ProcessId\":null,\"ProcessTokenElevation\":null,\"RegistryKey\":null,\"RegistryValueData\":null,\"RegistryValueName\":null,\"RemoteDeviceName\":null,\"RemoteIP\":null,\"RemotePort\":null,\"RemoteUrl\":null,\"ReportId\":22403,\"SHA1\":null,\"SHA256\":null,\"Timestamp\":\"2024-05-08T15:24:47.9470226Z\"},\"tenantId\":\"12345af3-bc0e-4f36-b08e-27759e912345\",\"time\":\"2024-05-08T15:28:19.8963512Z\"}", + "type": [ + "info" + ] + }, + "host": { + "id": "2af9e3da2eb7bd1bfa1fccb55ab5cd4cdec1e593", + "name": "desktop-name" + }, + "m365_defender": { + "event": { + "action": { + "type": "GetClipboardData" + }, + "category": "AdvancedHunting-DeviceEvents", + "device": { + "id": "2af9e3da2eb7bd1bfa1fccb55ab5cd4cdec1e593", + "name": "desktop-name" + }, + "initiating_process": { + "account_domain": "desktop-name", + "account_name": "ipan", + "account_sid": "S-1-5-21-2850353385-2443355826-2041408518-1001", + "command_line": "Explorer.EXE", + "creation_time": "2024-05-06T11:53:36.413Z", + "file_name": "explorer.exe", + "file_size": 5656192, + "folder_path": "c:\\windows\\explorer.exe", + "id": 1040, + "logon_id": "0", + "md5": "238538d74fea273bff1e00622eccaf3a", + "parent_creation_time": "2024-05-06T11:53:36.369Z", + "parent_file_name": "userinit.exe", + "parent_id": 3424, + "sha1": "61ee53287d7aa2abbf323cc04e4475ae07ed6e75", + "sha256": "33ca082676d3e3162eccdbef28daa3240930245ff218b70d309f34ab0e7b372e", + "version_info_company_name": "Microsoft Corporation", + "version_info_file_description": "Windows Explorer", + "version_info_internal_file_name": "explorer", + "version_info_original_file_name": "EXPLORER.EXE", + "version_info_product_name": "Microsoft® Windows® Operating System", + "version_info_product_version": "10.0.19041.4239" + }, + "operation_name": 
"Publish", + "report_id": "22403", + "tenant": { + "id": "12345af3-bc0e-4f36-b08e-27759e912345", + "name": "DefaultTenant" + }, + "time": "2024-05-08T15:28:19.896Z", + "timestamp": "2024-05-08T15:24:47.947Z" + } + }, + "process": { + "args": [ + "Explorer.EXE" + ], + "args_count": 1, + "command_line": "Explorer.EXE", + "executable": "c:\\windows\\explorer.exe", + "hash": { + "md5": "238538d74fea273bff1e00622eccaf3a", + "sha1": "61ee53287d7aa2abbf323cc04e4475ae07ed6e75", + "sha256": "33ca082676d3e3162eccdbef28daa3240930245ff218b70d309f34ab0e7b372e" + }, + "name": "explorer.exe", + "parent": { + "name": "userinit.exe", + "pid": 3424, + "start": "2024-05-06T11:53:36.369Z" + }, + "pe": { + "company": "Microsoft Corporation", + "description": "Windows Explorer", + "file_version": "10.0.19041.4239", + "original_file_name": "EXPLORER.EXE", + "product": "Microsoft® Windows® Operating System" + }, + "pid": 1040, + "start": "2024-05-06T11:53:36.413Z" + }, + "related": { + "hash": [ + "238538d74fea273bff1e00622eccaf3a", + "61ee53287d7aa2abbf323cc04e4475ae07ed6e75", + "33ca082676d3e3162eccdbef28daa3240930245ff218b70d309f34ab0e7b372e" + ], + "hosts": [ + "2af9e3da2eb7bd1bfa1fccb55ab5cd4cdec1e593", + "desktop-name" + ], + "user": [ + "ipan" + ] + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ] + }, + { + "@timestamp": "2024-05-07T14:54:56.138Z", + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "powershellcommand", + "category": [ + "host" + ], + "kind": "event", + "original": 
"{\"Tenant\":\"DefaultTenant\",\"category\":\"AdvancedHunting-DeviceEvents\",\"operationName\":\"Publish\",\"properties\":{\"AccountDomain\":null,\"AccountName\":null,\"AccountSid\":null,\"ActionType\":\"PowerShellCommand\",\"AdditionalFields\":\"{\\\"Command\\\":\\\"Microsoft.PowerShell.Core\\\\\\\\Set-StrictMode\\\"}\",\"AppGuardContainerId\":\"\",\"DeviceId\":\"2af9e3da2eb7bd1b6c1fccb55ab5cd4cdec1e583\",\"DeviceName\":\"desktop-name\",\"FileName\":null,\"FileOriginIP\":null,\"FileOriginUrl\":null,\"FileSize\":null,\"FolderPath\":null,\"InitiatingProcessAccountDomain\":\"desktop-name\",\"InitiatingProcessAccountName\":\"jonh\",\"InitiatingProcessAccountObjectId\":null,\"InitiatingProcessAccountSid\":\"S-1-5-21-2850353385-2443355826-2041408518-1001\",\"InitiatingProcessAccountUpn\":null,\"InitiatingProcessCommandLine\":\"\\\"powershell.exe\\\" \",\"InitiatingProcessCreationTime\":\"2024-05-07T14:54:54.3102466Z\",\"InitiatingProcessFileName\":\"powershell.exe\",\"InitiatingProcessFileSize\":455680,\"InitiatingProcessFolderPath\":\"c:\\\\windows\\\\system32\\\\windowspowershell\\\\v1.0\\\\powershell.exe\",\"InitiatingProcessId\":6768,\"InitiatingProcessLogonId\":717087,\"InitiatingProcessMD5\":\"2e5a8590cf6848968fc23de3fa1e25f1\",\"InitiatingProcessParentCreationTime\":\"2024-05-06T11:53:51.6764165Z\",\"InitiatingProcessParentFileName\":\"svchost.exe\",\"InitiatingProcessParentId\":6780,\"InitiatingProcessSHA1\":\"801262e122db6a2e758962896f260b55bbd0136a\",\"InitiatingProcessSHA256\":\"9785001b0dcf755eddb8af294a373c0b87b2498660f724e76c4d53f9c217c7a3\",\"InitiatingProcessVersionInfoCompanyName\":\"Microsoft Corporation\",\"InitiatingProcessVersionInfoFileDescription\":\"Windows PowerShell\",\"InitiatingProcessVersionInfoInternalFileName\":\"POWERSHELL\",\"InitiatingProcessVersionInfoOriginalFileName\":\"PowerShell.EXE\",\"InitiatingProcessVersionInfoProductName\":\"Microsoft® Windows® Operating 
System\",\"InitiatingProcessVersionInfoProductVersion\":\"10.0.19041.3996\",\"LocalIP\":null,\"LocalPort\":null,\"LogonId\":null,\"MD5\":null,\"MachineGroup\":null,\"ProcessCommandLine\":null,\"ProcessCreationTime\":null,\"ProcessId\":null,\"ProcessTokenElevation\":null,\"RegistryKey\":null,\"RegistryValueData\":null,\"RegistryValueName\":null,\"RemoteDeviceName\":null,\"RemoteIP\":null,\"RemotePort\":null,\"RemoteUrl\":null,\"ReportId\":17334,\"SHA1\":null,\"SHA256\":null,\"Timestamp\":\"2024-05-07T14:54:56.1383178Z\"},\"tenantId\":\"12345af3-bc0e-4f36-b08e-27759e912345\",\"time\":\"2024-05-07T14:59:10.7367071Z\"}", + "type": [ + "info" + ] + }, + "host": { + "id": "2af9e3da2eb7bd1b6c1fccb55ab5cd4cdec1e583", + "name": "desktop-name" + }, + "m365_defender": { + "event": { + "action": { + "type": "PowerShellCommand" + }, + "additional_fields": { + "Command": "Microsoft.PowerShell.Core\\Set-StrictMode" + }, + "category": "AdvancedHunting-DeviceEvents", + "device": { + "id": "2af9e3da2eb7bd1b6c1fccb55ab5cd4cdec1e583", + "name": "desktop-name" + }, + "initiating_process": { + "account_domain": "desktop-name", + "account_name": "jonh", + "account_sid": "S-1-5-21-2850353385-2443355826-2041408518-1001", + "command_line": "\"powershell.exe\" ", + "creation_time": "2024-05-07T14:54:54.310Z", + "file_name": "powershell.exe", + "file_size": 455680, + "folder_path": "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe", + "id": 6768, + "logon_id": "717087", + "md5": "2e5a8590cf6848968fc23de3fa1e25f1", + "parent_creation_time": "2024-05-06T11:53:51.676Z", + "parent_file_name": "svchost.exe", + "parent_id": 6780, + "sha1": "801262e122db6a2e758962896f260b55bbd0136a", + "sha256": "9785001b0dcf755eddb8af294a373c0b87b2498660f724e76c4d53f9c217c7a3", + "version_info_company_name": "Microsoft Corporation", + "version_info_file_description": "Windows PowerShell", + "version_info_internal_file_name": "POWERSHELL", + "version_info_original_file_name": "PowerShell.EXE", + 
"version_info_product_name": "Microsoft® Windows® Operating System", + "version_info_product_version": "10.0.19041.3996" + }, + "operation_name": "Publish", + "report_id": "17334", + "tenant": { + "id": "12345af3-bc0e-4f36-b08e-27759e912345", + "name": "DefaultTenant" + }, + "time": "2024-05-07T14:59:10.736Z", + "timestamp": "2024-05-07T14:54:56.138Z" + } + }, + "process": { + "args": [ + "powershell.exe" + ], + "args_count": 1, + "command_line": "\"powershell.exe\" ", + "executable": "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe", + "hash": { + "md5": "2e5a8590cf6848968fc23de3fa1e25f1", + "sha1": "801262e122db6a2e758962896f260b55bbd0136a", + "sha256": "9785001b0dcf755eddb8af294a373c0b87b2498660f724e76c4d53f9c217c7a3" + }, + "name": "powershell.exe", + "parent": { + "name": "svchost.exe", + "pid": 6780, + "start": "2024-05-06T11:53:51.676Z" + }, + "pe": { + "company": "Microsoft Corporation", + "description": "Windows PowerShell", + "file_version": "10.0.19041.3996", + "original_file_name": "PowerShell.EXE", + "product": "Microsoft® Windows® Operating System" + }, + "pid": 6768, + "start": "2024-05-07T14:54:54.310Z" + }, + "related": { + "hash": [ + "2e5a8590cf6848968fc23de3fa1e25f1", + "801262e122db6a2e758962896f260b55bbd0136a", + "9785001b0dcf755eddb8af294a373c0b87b2498660f724e76c4d53f9c217c7a3" + ], + "hosts": [ + "2af9e3da2eb7bd1b6c1fccb55ab5cd4cdec1e583", + "desktop-name" + ], + "user": [ + "jonh" + ] + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ] + }, + { + "@timestamp": "2024-05-06T16:42:50.385Z", + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "screenshottaken", + "category": [ + "host" + ], + "kind": "event", + "original": 
"{\"Tenant\":\"DefaultTenant\",\"category\":\"AdvancedHunting-DeviceEvents\",\"operationName\":\"Publish\",\"properties\":{\"AccountDomain\":null,\"AccountName\":null,\"AccountSid\":null,\"ActionType\":\"ScreenshotTaken\",\"AdditionalFields\":null,\"AppGuardContainerId\":\"\",\"DeviceId\":\"2af9e3da2eb7bd1b6c1fccb55ab5cd4cdec1e583\",\"DeviceName\":\"desktop-name\",\"FileName\":null,\"FileOriginIP\":null,\"FileOriginUrl\":null,\"FileSize\":null,\"FolderPath\":null,\"InitiatingProcessAccountDomain\":\"desktop-name\",\"InitiatingProcessAccountName\":\"jonh\",\"InitiatingProcessAccountObjectId\":null,\"InitiatingProcessAccountSid\":\"S-1-5-21-2850353385-2443355826-2041408518-1001\",\"InitiatingProcessAccountUpn\":null,\"InitiatingProcessCommandLine\":\"\\\"msdt.exe\\\" /c echo /cab C:\\\\Users\\\\Public\\\\\",\"InitiatingProcessCreationTime\":\"2024-05-06T16:42:49.9489733Z\",\"InitiatingProcessFileName\":\"msdt.exe\",\"InitiatingProcessFileSize\":498176,\"InitiatingProcessFolderPath\":\"c:\\\\windows\\\\system32\\\\msdt.exe\",\"InitiatingProcessId\":10164,\"InitiatingProcessLogonId\":0,\"InitiatingProcessMD5\":\"f2c31dadb5569110e9941642728fe182\",\"InitiatingProcessParentCreationTime\":\"2024-05-06T16:42:49.6757415Z\",\"InitiatingProcessParentFileName\":\"firefox.exe\",\"InitiatingProcessParentId\":4744,\"InitiatingProcessSHA1\":\"3f82161d99b7411e88d6aaeef8bba9586a5554f6\",\"InitiatingProcessSHA256\":\"94842ff132a47234f199b80ccf44b1cdee55e402d8404d8b49255d08fbb8d9d6\",\"InitiatingProcessVersionInfoCompanyName\":\"Microsoft Corporation\",\"InitiatingProcessVersionInfoFileDescription\":\"Diagnostics Troubleshooting Wizard\",\"InitiatingProcessVersionInfoInternalFileName\":\"DiagWizard\",\"InitiatingProcessVersionInfoOriginalFileName\":\"msdt.exe\",\"InitiatingProcessVersionInfoProductName\":\"Microsoft® Windows® Operating 
System\",\"InitiatingProcessVersionInfoProductVersion\":\"10.0.19041.3636\",\"LocalIP\":null,\"LocalPort\":null,\"LogonId\":null,\"MD5\":null,\"MachineGroup\":null,\"ProcessCommandLine\":null,\"ProcessCreationTime\":null,\"ProcessId\":null,\"ProcessTokenElevation\":null,\"RegistryKey\":null,\"RegistryValueData\":null,\"RegistryValueName\":null,\"RemoteDeviceName\":null,\"RemoteIP\":null,\"RemotePort\":null,\"RemoteUrl\":null,\"ReportId\":9773,\"SHA1\":null,\"SHA256\":null,\"Timestamp\":\"2024-05-06T16:42:50.3859006Z\"},\"tenantId\":\"12345af3-bc0e-4f36-b08e-27759e912345\",\"time\":\"2024-05-06T16:47:06.7452869Z\"}", + "type": [ + "info" + ] + }, + "host": { + "id": "2af9e3da2eb7bd1b6c1fccb55ab5cd4cdec1e583", + "name": "desktop-name" + }, + "m365_defender": { + "event": { + "action": { + "type": "ScreenshotTaken" + }, + "category": "AdvancedHunting-DeviceEvents", + "device": { + "id": "2af9e3da2eb7bd1b6c1fccb55ab5cd4cdec1e583", + "name": "desktop-name" + }, + "initiating_process": { + "account_domain": "desktop-name", + "account_name": "jonh", + "account_sid": "S-1-5-21-2850353385-2443355826-2041408518-1001", + "command_line": "\"msdt.exe\" /c echo /cab C:\\Users\\Public\\", + "creation_time": "2024-05-06T16:42:49.948Z", + "file_name": "msdt.exe", + "file_size": 498176, + "folder_path": "c:\\windows\\system32\\msdt.exe", + "id": 10164, + "logon_id": "0", + "md5": "f2c31dadb5569110e9941642728fe182", + "parent_creation_time": "2024-05-06T16:42:49.675Z", + "parent_file_name": "firefox.exe", + "parent_id": 4744, + "sha1": "3f82161d99b7411e88d6aaeef8bba9586a5554f6", + "sha256": "94842ff132a47234f199b80ccf44b1cdee55e402d8404d8b49255d08fbb8d9d6", + "version_info_company_name": "Microsoft Corporation", + "version_info_file_description": "Diagnostics Troubleshooting Wizard", + "version_info_internal_file_name": "DiagWizard", + "version_info_original_file_name": "msdt.exe", + "version_info_product_name": "Microsoft® Windows® Operating System", + 
"version_info_product_version": "10.0.19041.3636" + }, + "operation_name": "Publish", + "report_id": "9773", + "tenant": { + "id": "12345af3-bc0e-4f36-b08e-27759e912345", + "name": "DefaultTenant" + }, + "time": "2024-05-06T16:47:06.745Z", + "timestamp": "2024-05-06T16:42:50.385Z" + } + }, + "process": { + "args": [ + "msdt.exe", + "/c", + "echo", + "/cab", + "C:\\Users\\Public\\" + ], + "args_count": 5, + "command_line": "\"msdt.exe\" /c echo /cab C:\\Users\\Public\\", + "executable": "c:\\windows\\system32\\msdt.exe", + "hash": { + "md5": "f2c31dadb5569110e9941642728fe182", + "sha1": "3f82161d99b7411e88d6aaeef8bba9586a5554f6", + "sha256": "94842ff132a47234f199b80ccf44b1cdee55e402d8404d8b49255d08fbb8d9d6" + }, + "name": "msdt.exe", + "parent": { + "name": "firefox.exe", + "pid": 4744, + "start": "2024-05-06T16:42:49.675Z" + }, + "pe": { + "company": "Microsoft Corporation", + "description": "Diagnostics Troubleshooting Wizard", + "file_version": "10.0.19041.3636", + "original_file_name": "msdt.exe", + "product": "Microsoft® Windows® Operating System" + }, + "pid": 10164, + "start": "2024-05-06T16:42:49.948Z" + }, + "related": { + "hash": [ + "f2c31dadb5569110e9941642728fe182", + "3f82161d99b7411e88d6aaeef8bba9586a5554f6", + "94842ff132a47234f199b80ccf44b1cdee55e402d8404d8b49255d08fbb8d9d6" + ], + "hosts": [ + "2af9e3da2eb7bd1b6c1fccb55ab5cd4cdec1e583", + "desktop-name" + ], + "user": [ + "jonh" ] }, "tags": [ diff --git a/packages/m365_defender/data_stream/event/elasticsearch/ingest_pipeline/pipeline_app_and_identity.yml b/packages/m365_defender/data_stream/event/elasticsearch/ingest_pipeline/pipeline_app_and_identity.yml index ad43f6696d1..310f2c3422b 100644 --- a/packages/m365_defender/data_stream/event/elasticsearch/ingest_pipeline/pipeline_app_and_identity.yml +++ b/packages/m365_defender/data_stream/event/elasticsearch/ingest_pipeline/pipeline_app_and_identity.yml 
@@ -390,6 +390,23 @@ processors: copy_from: m365_defender.event.ip_address tag: set_host_ip ignore_empty_value: true + - set: + field: host.os.type + value: windows + if: ctx.m365_defender?.event?.os?.platform != null && ctx.m365_defender.event.os.platform.toLowerCase().contains('windows') + - set: + field: host.os.type + value: linux + if: ctx.m365_defender?.event?.os?.platform != null && ctx.m365_defender.event.os.platform.toLowerCase().contains('linux') + - set: + field: host.os.type + value: macos + if: ctx.m365_defender?.event?.os?.platform != null && ctx.m365_defender.event.os.platform.toLowerCase().contains('macos') + # For IdentityQueryEvents, OS type is derived from AdditionalFields.SourceComputerOperatingSystemType + - set: + field: host.os.type + copy_from: m365_defender.event.additional_fields.SourceComputerOperatingSystemType + if: ctx.m365_defender?.event?.additional_fields?.SourceComputerOperatingSystemType != null - set: field: host.os.name copy_from: m365_defender.event.os.platform diff --git a/packages/m365_defender/data_stream/event/elasticsearch/ingest_pipeline/pipeline_device.yml b/packages/m365_defender/data_stream/event/elasticsearch/ingest_pipeline/pipeline_device.yml index 91f95e61807..0c3a81af768 100644 --- a/packages/m365_defender/data_stream/event/elasticsearch/ingest_pipeline/pipeline_device.yml +++ b/packages/m365_defender/data_stream/event/elasticsearch/ingest_pipeline/pipeline_device.yml 
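Review bot: The last `set` in this hunk copies `AdditionalFields.SourceComputerOperatingSystemType` into `host.os.type` verbatim and, with the processor's default `override: true`, it also replaces whatever the three preceding `set`s derived from `os.platform` when both are present. ECS restricts `host.os.type` to the lowercase set `linux`, `macos`, `unix`, `windows`, `ios`, `android`, so a vendor string such as `Windows` or `Windows 10` would break that contract; presumably the IdentityQueryEvents value is not already normalised, which is worth checking against sample data. Consider passing the copied value through the same contains-checks used for `os.platform` (or at least lowercasing it in a small script) and adding `override: false` so the earlier derivation wins. The enclosing `processors` list continues outside the hunk.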
@@ -21,7 +21,17 @@ processors: field: event.category value: host tag: append_event_category_host - if: ctx.m365_defender.event.category.toLowerCase().contains('deviceevents') || ctx.m365_defender.event.category.toLowerCase().contains('deviceinfo') + if: ctx.m365_defender.event.category.toLowerCase().contains('deviceinfo') || (ctx.m365_defender.event.category.toLowerCase().contains('deviceevents') && ctx.json?.properties?.ActionType != null && !ctx.json.properties.ActionType.toLowerCase().endsWith('apicall') && !ctx.json.properties.ActionType.toLowerCase().contains('driverload')) + - append: + field: event.category + value: api + tag: append_event_category_api + if: ctx.m365_defender.event.category.toLowerCase().contains('deviceevents') && ctx.json?.properties?.ActionType != null && ctx.json.properties.ActionType.toLowerCase().endsWith('apicall') + - append: + field: event.category + value: driver + tag: append_event_category_driver + if: ctx.json?.properties?.ActionType != null && ctx.json.properties.ActionType.toLowerCase().contains('driverload') - append: field: event.category value: file @@ -31,7 +41,12 @@ processors: field: event.category value: process tag: append_event_category_process - if: ctx.m365_defender.event.category.toLowerCase().contains('deviceimageloadevents') || ctx.m365_defender.event.category.toLowerCase().contains('deviceprocessevents') + if: ctx.m365_defender.event.category.toLowerCase().contains('deviceprocessevents') + - append: + field: event.category + value: library + tag: append_event_category_library + if: ctx.m365_defender.event.category.toLowerCase().contains('deviceimageloadevents') - append: field: event.category value: network 
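Review bot: The new `append_event_category_driver` condition only tests `ActionType` for `driverload`, whereas its sibling `append_event_category_api` is additionally scoped to the `deviceevents` table, so a `driverload` match from any other table would receive `driver` while the `host` exclusion above it applies only to DeviceEvents. Scope it the same way: `if: ctx.m365_defender.event.category.toLowerCase().contains('deviceevents') && ctx.json?.properties?.ActionType != null && ctx.json.properties.ActionType.toLowerCase().contains('driverload')`. Note also that with the reworked `host` condition a DeviceEvents record whose `ActionType` is null no longer gets any `event.category` (the old condition needed only the table name); if that column is guaranteed non-null this is harmless, but a one-line comment saying so would save the next reader the question.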
@@ -49,20 +64,38 @@ processors: if: >- (ctx.event?.category != null && (ctx.event.category.contains('authentication') || - ctx.event.category.contains('host') || - ctx.event.category.contains('file'))) || (ctx.json?.properties?.ActionType + ctx.event.category.contains('host'))) || (ctx.json?.properties?.ActionType != null && - (ctx.json.properties.ActionType.toLowerCase().contains('openprocess') || - ctx.json.properties.ActionType.toLowerCase().contains('connectionfound') + (ctx.json.properties.ActionType.toLowerCase().contains('connectionfound') || ctx.json.properties.ActionType.toLowerCase().contains('networksignatureinspected') || ctx.json.properties.ActionType.toLowerCase().contains('devicenetworkinfo'))) - append: field: event.type - value: end - tag: append_event_type_end - if: ctx.m365_defender.event.category.toLowerCase().contains('deviceimageloadevents') || (ctx.json?.properties?.ActionType != null && (ctx.json.properties.ActionType.toLowerCase().contains('processcreated') || ctx.json.properties.ActionType.toLowerCase().contains('connectionsuccess'))) + value: deletion + tag: append_event_type_deletion + if: ctx.event?.category != null && ctx.event.category.contains('file') && ctx.json?.properties?.ActionType != null && ctx.json.properties.ActionType.toLowerCase() == 'filedeleted' + - append: + field: event.type + value: change + tag: append_event_type_change + if: ctx.event?.category != null && ctx.event.category.contains('file') && ctx.json?.properties?.ActionType != null && (ctx.json.properties.ActionType.toLowerCase() == 'filemodified' || ctx.json.properties.ActionType.toLowerCase() == 'filerenamed') + - append: + field: event.type + value: creation + tag: append_event_type_creation + if: ctx.event?.category != null && ctx.event.category.contains('file') && ctx.json?.properties?.ActionType != null && ctx.json.properties.ActionType.toLowerCase() == 'filecreated' + - append: + field: event.type + value: info + tag: append_event_type_info + if: 
ctx.event?.category != null && ctx.event.type == null && ctx.event.category.contains('file') + - append: + field: event.type + value: start + tag: append_event_type_start + if: ctx.json?.properties?.ActionType != null && (ctx.json.properties.ActionType.toLowerCase().contains('connectionsuccess') || ctx.json.properties.ActionType.toLowerCase().contains('driverload')) - append: field: event.type value: denied @@ -72,11 +105,11 @@ processors: field: event.type value: start tag: append_event_type_start - if: ctx.json?.properties?.ActionType != null && (ctx.json.properties.ActionType.toLowerCase().contains('connectionrequest') || ctx.json.properties.ActionType.toLowerCase().contains('listeningconnectioncreated')) + if: ctx.json?.properties?.ActionType != null && (ctx.json.properties.ActionType.toLowerCase().contains('connectionrequest') || ctx.json.properties.ActionType.toLowerCase().contains('listeningconnectioncreated') || ctx.json.properties.ActionType.toLowerCase().contains('processcreated') || ctx.m365_defender.event.category.toLowerCase().contains('deviceimageloadevents')) - append: field: event.type - value: allowed - tag: append_event_type_allowed + value: start + tag: append_event_type_start if: ctx.json?.properties?.ActionType != null && ctx.json.properties.ActionType.toLowerCase().contains('inboundconnectionaccepted') - append: field: event.type 
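Review bot: The tags introduced in this hunk collide with tags already used elsewhere in the pipeline: `append_event_type_change` is also the tag of the registry `change` processor visible as context at the start of the next hunk, and `append_event_type_start` (connectionsuccess/driverload) is reused by the `start` processors in the following hunk. Because `tag` is what surfaces in `_ingest.on_failure_processor_tag` and in simulate output, duplicates make a failure impossible to attribute; suffix them by source, e.g. `tag: append_event_type_change_file` and `tag: append_event_type_start_driver`. The `info` fallback for the `file` category also depends on `ctx.event.type == null`, which only holds when none of the three file processors above it matched, so its position is load-bearing and deserves a comment such as `# Fallback: file events whose ActionType is not handled above`.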
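Review bot: Replacing `allowed` with `start` for `InboundConnectionAccepted` drops the accepted/denied signal that the `denied` processor just above this hunk still provides for the blocked case, so a rule that told accepted inbound connections apart from denied ones on `event.type` can no longer do so. ECS permits several values in `event.type`, so the less lossy option is to keep `allowed` and add `start`: either append both here, or fold `inboundconnectionaccepted` into the `start` condition of the preceding processor and leave this one as `allowed`. As written the processor also reuses the tag `append_event_type_start` of the processor directly above it, so an `on_failure` message could not distinguish them; `tag: append_event_type_start_inbound` would fix that.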
@@ -93,9 +126,37 @@ processors: value: change tag: append_event_type_change if: ctx.json?.properties?.ActionType != null && (ctx.json.properties.ActionType.toLowerCase().contains('registrykeyrenamed') || ctx.json.properties.ActionType.toLowerCase().contains('registryvalueset')) - + - set: + field: json.properties.ActionType + value: load + tag: set_json_properties_ActionType_load + override: true + if: ctx.json?.properties?.ActionType != null && ctx.json.properties.ActionType.toLowerCase().contains('imageloaded') + # Special handling for event.type when event.category is network or api + - append: + field: event.type + value: protocol + tag: append_event_type_protocol + if: ctx.event?.category != null && ctx.event.category.contains('network') && ctx.json?.properties?.ActionType != null && ctx.json.properties.ActionType.toLowerCase().contains('dnsconnectioninspected') + - append: + field: event.type + value: access + tag: append_event_type_access_api + if: ctx.event?.category != null && ctx.event.category.contains('api') && ctx.event?.type == null && ctx.json?.properties?.ActionType != null && ctx.json.properties.ActionType.toLowerCase().startsWith('open') + - append: + field: event.type + value: change + tag: append_event_type_change_api + if: ctx.event?.category != null && ctx.event.category.contains('api') && ctx.event?.type == null && ctx.json?.properties?.ActionType != null && ctx.json.properties.ActionType.toLowerCase().startsWith('write') + - append: + field: event.type + value: info + tag: append_event_type_info + if: ctx.event?.category != null && ctx.event.type == null && (ctx.event.category.contains('network') || ctx.event.category.contains('api')) + # AdditionalFields are flattened, as they can vary depending on the source, users can use custom pipelines to move fields away from AdditionalFields if required. 
# We move the AdditionalFields.direction when it exists, as its required for source/destination mapping + # Also move DNS fields when ActionType is 'DnsConnectionInspected' - json: field: json.properties.AdditionalFields tag: json_json_properties_AdditionalFields 
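Review bot: The `set_json_properties_ActionType_load` processor overwrites the raw `json.properties.ActionType` with `load` (`override: true`) before that column is presumably renamed into the vendor namespace, so `m365_defender.event.action.type` for image-load events will carry the synthetic value instead of Microsoft's `ImageLoaded`, and any later condition that still tests `ActionType` for `imageloaded` silently stops matching. If the goal is only `event.action: load`, set the ECS field directly where `event.action` is derived, e.g. `- set: { field: event.action, value: load, override: true, if: ... }`, and leave the source column untouched. If rewriting the vendor value is intentional, a comment next to the processor stating that `m365_defender.event.action.type` is normalised for this ActionType would stop it being read as a bug. Where `event.action` is assigned is not visible from this hunk, so the exact placement needs confirming.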
@@ -115,6 +176,60 @@ processors: tag: rename_additional_fields_direction ignore_missing: true if: ctx.m365_defender?.event?.additional_fields instanceof Map + - rename: + field: m365_defender.event.additional_fields.qclass_name + target_field: m365_defender.event.dns.qclass_name + tag: rename_additional_fields_dns_qclass_name + ignore_missing: true + if: ctx.m365_defender?.event?.additional_fields instanceof Map && ctx.json?.properties?.ActionType != null && ctx.event?.category != null && ctx.event.category.contains('network') && ctx.json.properties.ActionType.toLowerCase().contains('dnsconnectioninspected') + - rename: + field: m365_defender.event.additional_fields.query + target_field: m365_defender.event.dns.query + tag: rename_additional_fields_dns_query + ignore_missing: true + if: ctx.m365_defender?.event?.additional_fields instanceof Map && ctx.json?.properties?.ActionType != null && ctx.event?.category != null && ctx.event.category.contains('network') && ctx.json.properties.ActionType.toLowerCase().contains('dnsconnectioninspected') + - rename: + field: m365_defender.event.additional_fields.qtype_name + target_field: m365_defender.event.dns.qtype_name + tag: rename_additional_fields_dns_qtype_name + ignore_missing: true + if: ctx.m365_defender?.event?.additional_fields instanceof Map && ctx.json?.properties?.ActionType != null && ctx.event?.category != null && ctx.event.category.contains('network') && ctx.json.properties.ActionType.toLowerCase().contains('dnsconnectioninspected') + - rename: + field: m365_defender.event.additional_fields.rcode_name + target_field: m365_defender.event.dns.rcode_name + tag: rename_additional_fields_dns_rcode_name + ignore_missing: true + if: ctx.m365_defender?.event?.additional_fields instanceof Map && ctx.json?.properties?.ActionType != null && ctx.event?.category != null && ctx.event.category.contains('network') && ctx.json.properties.ActionType.toLowerCase().contains('dnsconnectioninspected') + - json: + field: 
m365_defender.event.additional_fields.answers + tag: json_m365_defender_event_additional_fields_answers + if: ctx.m365_defender?.event?.additional_fields instanceof Map && ctx.json?.properties?.ActionType != null && ctx.event?.category != null && ctx.event.category.contains('network') && ctx.json.properties.ActionType.toLowerCase().contains('dnsconnectioninspected') + on_failure: + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - rename: + field: m365_defender.event.additional_fields.answers + target_field: m365_defender.event.dns.answers + tag: rename_additional_fields_dns_answers + ignore_missing: true + if: ctx.m365_defender?.event?.additional_fields instanceof Map && ctx.json?.properties?.ActionType != null && ctx.event?.category != null && ctx.event.category.contains('network') && ctx.json.properties.ActionType.toLowerCase().contains('dnsconnectioninspected') + - script: + description: Add m365_defender.event.dns.header_flags from flags inside AdditionalFields + lang: painless + if: ctx.m365_defender?.event?.additional_fields instanceof Map && ctx.json?.properties?.ActionType != null && ctx.event?.category != null && ctx.event.category.contains('network') && ctx.json.properties.ActionType.toLowerCase().contains('dnsconnectioninspected') + source: | + def af = ctx.m365_defender.event.additional_fields; + List ecs_flags = ["AA", "TC", "RD", "RA", "AD", "CD", "DO"]; + List flags = []; + if (af instanceof Map) { + for (def flag: ecs_flags) { + if (af[flag] != null && af[flag] == "true") { + flags.add(flag); + } + } + } + ctx.m365_defender.event.dns.header_flags = flags; # JSON processors to unpack JSON string fields before renaming them - json: 
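Review bot: The `json` processor on `additional_fields.answers` has no `ignore_missing` (the processor does not offer one) and its `if` never checks that `answers` exists, so every `DnsConnectionInspected` event without an `answers` key (an NXDOMAIN or a query-only record, if Defender emits those) lands in the `on_failure` branch and gets an `error.message`; add `&& ctx.m365_defender.event.additional_fields.answers != null` to the condition. The `header_flags` script then assigns to `ctx.m365_defender.event.dns.header_flags`, but `m365_defender.event.dns` is only created by the preceding renames when one of `qclass_name`, `query`, `qtype_name`, `rcode_name` or `answers` was present, so a record with none of them would throw a null pointer and fail the whole document; guard it with `if (ctx.m365_defender.event.dns == null) { ctx.m365_defender.event.dns = new HashMap(); }`. Finally, `af[flag] == "true"` only matches string values; if the flags arrive as JSON booleans after the earlier `json` processor on `AdditionalFields` they never match, so comparing on `af[flag].toString().equalsIgnoreCase("true")` is safer, though I cannot see sample data for these flags here.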
@@ -415,6 +530,14 @@ processors: target_field: m365_defender.event.registry.key tag: rename_json_properties_RegistryKey ignore_missing: true + - script: + description: Remove HKEY_CURRENT_USER\ and HKEY_LOCAL_MACHINE\ from registry key + lang: painless + if: ctx.m365_defender?.event?.registry?.key != null + source: | + String key = ctx.m365_defender.event.registry.key; + def regex = /HKEY_CURRENT_USER\\|HKEY_LOCAL_MACHINE\\/; + ctx.m365_defender.event.registry.key = regex.matcher(key).replaceAll(''); - rename: field: json.properties.RegistryValueName target_field: m365_defender.event.registry.value_name 
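Review bot: The regex in the new registry-key script is unanchored and `replaceAll` walks the whole string, so it strips `HKEY_LOCAL_MACHINE\` or `HKEY_CURRENT_USER\` wherever they occur rather than only as the hive prefix, and it silently discards which hive the key lived in, a distinction detection rules routinely depend on (an HKLM Run key is not the same signal as an HKCU one). Anchor it and keep the hive: `def m = /^(HKEY_[A-Z_]+)\\(.*)$/.matcher(key); if (m.matches()) { ctx.m365_defender.event.registry.hive = m.group(1); ctx.m365_defender.event.registry.key = m.group(2); }`, which also covers `HKEY_USERS` and `HKEY_CLASSES_ROOT` that the current pattern leaves untouched. The captured hive can then feed ECS `registry.hive` (ECS uses the short form such as `HKLM`, so a small lookup would be needed); whether that field is mapped for this data stream is not visible here and would need checking in fields.yml.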
@@ -1003,41 +1126,72 @@ processors: # File mappings (Only when its not DeviceProcessEvent or DeviceEvent, else it means something else) - set: - field: file.directory + field: file.path copy_from: m365_defender.event.folder_path ignore_empty_value: true - tag: set_file_directory - if: ctx.event?.category != null && !ctx.event.category.contains('process') && !ctx.m365_defender.event.category.toLowerCase().contains('deviceevents') + tag: set_file_path + if: ctx.event?.category != null && + !ctx.event.category.contains('process') && !ctx.m365_defender.event.category.toLowerCase().contains('deviceevents') + - script: + description: Adds file information. + lang: painless + if: ctx.file?.path != null && ctx.file.path.length() > 1 + source: |- + String path = ctx.file.path; + String sep = "/"; + String windows_sep = "\\"; + def idx = -1; + if (path.contains(windows_sep)) { + idx = path.lastIndexOf(windows_sep); + } + else { + idx = path.lastIndexOf(sep); + } + if (idx > -1) { + if (ctx.file.name == null) { + ctx.file.name = path.substring(idx+1); + } + ctx.file.directory = path.substring(0, idx); + def extIdx = path.lastIndexOf("."); + if (extIdx > -1 && ctx.file.extension == null) { + ctx.file.extension = path.substring(extIdx+1); + } + } - set: field: file.hash.md5 copy_from: m365_defender.event.md5 ignore_empty_value: true tag: set_file_hash_md5 - if: ctx.event?.category != null && !ctx.event.category.contains('process') && !ctx.m365_defender.event.category.toLowerCase().contains('deviceevents') + if: ctx.event?.category != null && + !ctx.event.category.contains('process') && !ctx.m365_defender.event.category.toLowerCase().contains('deviceevents') - set: field: file.hash.sha1 copy_from: m365_defender.event.sha1 ignore_empty_value: true tag: set_file_hash_sha1 - if: ctx.event?.category != null && !ctx.event.category.contains('process') && !ctx.m365_defender.event.category.toLowerCase().contains('deviceevents') + if: ctx.event?.category != null && + 
!ctx.event.category.contains('process') && !ctx.m365_defender.event.category.toLowerCase().contains('deviceevents') - set: field: file.hash.sha256 copy_from: m365_defender.event.sha256 ignore_empty_value: true tag: set_file_hash_sha256 - if: ctx.event?.category != null && !ctx.event.category.contains('process') && !ctx.m365_defender.event.category.toLowerCase().contains('deviceevents') + if: ctx.event?.category != null && + !ctx.event.category.contains('process') && !ctx.m365_defender.event.category.toLowerCase().contains('deviceevents') - set: field: file.name copy_from: m365_defender.event.file.name ignore_empty_value: true tag: set_file_name - if: ctx.event?.category != null && !ctx.event.category.contains('process') && !ctx.m365_defender.event.category.toLowerCase().contains('deviceevents') + if: ctx.event?.category != null && + !ctx.event.category.contains('process') && !ctx.m365_defender.event.category.toLowerCase().contains('deviceevents') - set: field: file.size copy_from: m365_defender.event.file.size ignore_empty_value: true tag: set_file_size - if: ctx.event?.category != null && !ctx.event.category.contains('process') && !ctx.m365_defender.event.category.toLowerCase().contains('deviceevents') + if: ctx.event?.category != null && + !ctx.event.category.contains('process') && !ctx.m365_defender.event.category.toLowerCase().contains('deviceevents') - set: field: file.x509.not_after copy_from: m365_defender.event.certificate.expiration_time 
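Review bot: In the new "Adds file information" script the extension is taken from `path.lastIndexOf(".")` on the whole path rather than on the file-name part, so a path whose last dot sits in a directory component (`c:\users\j.doe\report`) yields `file.extension: doe\report`, and the extension is set even when the dot precedes the separator. Derive it from the name: `String name = path.substring(idx+1); int extIdx = name.lastIndexOf("."); if (extIdx > 0 && ctx.file.extension == null) { ctx.file.extension = name.substring(extIdx+1); }` (the `> 0` also keeps a bare dotfile from becoming an extension). The `ctx.file.name == null` guard only matters if nothing set `file.name` before this script, and the `set_file_name` processor later in the hunk overwrites it from `m365_defender.event.file.name` anyway, so a comment noting that the script's name is merely a fallback would stop the next reader from hunting for a conflict.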
@@ -1069,301 +1223,654 @@ processors: tag: set_file_code_signature_trusted ignore_empty_value: true - # DLL Mappings (Only when its DeviceImageLoadEvents, else it means something else) + # DLL Mappings (Only when its DeviceImageLoadEvents or (ActionType == 'driverload'), else it means something else) - set: field: dll.path copy_from: m365_defender.event.folder_path ignore_empty_value: true tag: set_dll_path - if: ctx.m365_defender.event.category.toLowerCase().contains('deviceimageloadevents') + if: ctx.event?.category != null && ctx.m365_defender.event.category.toLowerCase().contains('deviceimageloadevents') + - set: + field: dll.path + value: >- + {{{m365_defender.event.folder_path}}}\{{{m365_defender.event.file.name}}} + ignore_empty_value: true + tag: set_dll_path_driver + if: ctx.event?.category != null && ctx.event.category.contains('driver') - set: field: dll.hash.md5 copy_from: m365_defender.event.md5 ignore_empty_value: true tag: set_dll_md5 - if: ctx.m365_defender.event.category.toLowerCase().contains('deviceimageloadevents') + if: ctx.event?.category != null && ctx.m365_defender.event.category.toLowerCase().contains('deviceimageloadevents') + - set: + field: dll.hash.md5 + copy_from: m365_defender.event.md5 + ignore_empty_value: true + tag: set_dll_md5_driver + if: ctx.event?.category != null && ctx.event.category.contains('driver') - set: field: dll.hash.sha1 copy_from: m365_defender.event.sha1 ignore_empty_value: true tag: set_dll_sha1 - if: ctx.m365_defender.event.category.toLowerCase().contains('deviceimageloadevents') + if: ctx.event?.category != null && ctx.m365_defender.event.category.toLowerCase().contains('deviceimageloadevents') + - set: + field: dll.hash.sha1 + copy_from: m365_defender.event.sha1 + ignore_empty_value: true + tag: set_dll_sha1_driver + if: ctx.event?.category != null && ctx.event.category.contains('driver') - set: field: dll.hash.sha256 copy_from: m365_defender.event.sha256 ignore_empty_value: true tag: set_dll_sha256 - if: 
ctx.m365_defender.event.category.toLowerCase().contains('deviceimageloadevents') + if: ctx.event?.category != null && ctx.m365_defender.event.category.toLowerCase().contains('deviceimageloadevents') + - set: + field: dll.hash.sha256 + copy_from: m365_defender.event.sha256 + ignore_empty_value: true + tag: set_dll_sha256_driver + if: ctx.event?.category != null && ctx.event.category.contains('driver') - set: field: dll.name copy_from: m365_defender.event.file.name ignore_empty_value: true tag: set_dll_name - if: ctx.m365_defender.event.category.toLowerCase().contains('deviceimageloadevents') + if: ctx.event?.category != null && ctx.m365_defender.event.category.toLowerCase().contains('deviceimageloadevents') - set: - field: dll.pe.sections.physical_size + field: dll.name + copy_from: m365_defender.event.file.name + ignore_empty_value: true + tag: set_dll_name_driver + if: ctx.event?.category != null && ctx.event.category.contains('driver') + - set: + field: dll.Ext.size copy_from: m365_defender.event.file.size ignore_empty_value: true tag: set_dll_pe_size - if: ctx.m365_defender.event.category.toLowerCase().contains('deviceimageloadevents') + if: ctx.event?.category != null && ctx.m365_defender.event.category.toLowerCase().contains('deviceimageloadevents') - # Process mappings (Only when its Process category (but not DeviceImageLoadEvents), or DeviceEvent, else it means something else) - # Fields like InitatingProcess* related to process.* unless the type is DeviceProcessEvent or DeviceEvent, then it relates to process.parent.* - ## DeviceProcessEvent/DeviceEvent + # Process mappings (Only when event.category is in ['process', 'deviceevents', 'api', 'driver'], else it means something else) + # Fields like InitatingProcess* are mapped to process.* unless the Type is in ['DeviceProcessEvent', 'DeviceEvent'], then it maps to process.parent.* + ## Even when Type is DeviceEvent, certain event.action values still map to process.*, rest of them maps to process.parent.* 
(https://github.com/elastic/integrations/issues/9993) + ## Firstly, mapping process.parent.* below. + - set: + field: _temp_deviceevents_that_map_process + tag: set_temp_deviceevents_that_map_process_true + description: Temporary variable for some DeviceEvent's event.action values that should map to process.* instead of process.parent.* + value: true + if: >- + ctx.m365_defender?.event?.category != null + && ctx.m365_defender.event.category.toLowerCase().contains('deviceevents') + && ctx.m365_defender?.event?.action?.type != null && ['namedpipeevent', 'dpapiaccessed', 'ntallocatevirtualmemoryapicall', 'getclipboarddata', 'ntprotectvirtualmemoryapicall', 'browserlaunchedtoopenurl', 'processprimarytokenmodified', 'powershellcommand', 'clrunbackedmoduleloaded', 'ldapsearch', 'dnsqueryresponse', 'ntallocatevirtualmemoryremoteapicall', 'memoryremoteprotect', 'screenshottaken', 'antivirusscancompleted', 'exploitguardwin32systemcallblocked', 'getasynckeystateapicall', 'appguardcreatecontainer', 'exploitguardacgenforced', 'writetolsassprocessmemory', 'antivirusscancancelled', 'controlflowguardviolation', 'appcontrolpolicyapplied', 'createremotethreadapicall', 'auditpolicymodification', 'ntmapviewofsectionremoteapicall', 'appguardlaunchedwithurl', 'appguardresumecontainer', 'smartscreenurlwarning', 'appguardbrowsetourl', 'otheralertrelatedactivity', 'antivirusscanfailed'].contains(ctx.m365_defender.event.action.type.toLowerCase()) + - set: + field: _temp_deviceevents_that_map_process + tag: set_temp_deviceevents_that_map_process_false + description: Temporary variable for some DeviceEvent's event.action values that should map to process.* instead of process.parent.* + value: false + if: >- + ctx._temp_deviceevents_that_map_process == null + && ctx.m365_defender?.event?.category != null + && ctx.m365_defender.event.category.toLowerCase().contains('deviceevents') - set: field: process.executable copy_from: m365_defender.event.folder_path ignore_empty_value: true tag: 
set_process_executable - if: ctx.event?.category != null && !ctx.m365_defender.event.category.toLowerCase().contains('deviceimageloadevents') && (ctx.event.category.contains('process') || ctx.m365_defender.event.category.toLowerCase().contains('deviceevents')) + if: >- + ctx.event?.category != null && !ctx.event.category.contains('api') && !ctx.event.category.contains('driver') && !ctx.m365_defender.event.category.toLowerCase().contains('deviceimageloadevents') + && (ctx.event.category.contains('process') + || (ctx._temp_deviceevents_that_map_process != null && ctx._temp_deviceevents_that_map_process == false)) - set: field: process.hash.md5 copy_from: m365_defender.event.md5 ignore_empty_value: true tag: set_process_hash_md5 - if: ctx.event?.category != null && !ctx.m365_defender.event.category.toLowerCase().contains('deviceimageloadevents') && (ctx.event.category.contains('process') || ctx.m365_defender.event.category.toLowerCase().contains('deviceevents')) + if: >- + ctx.event?.category != null && !ctx.event.category.contains('api') && !ctx.event.category.contains('driver') && !ctx.m365_defender.event.category.toLowerCase().contains('deviceimageloadevents') + && (ctx.event.category.contains('process') + || (ctx._temp_deviceevents_that_map_process != null && ctx._temp_deviceevents_that_map_process == false)) - set: field: process.hash.sha1 copy_from: m365_defender.event.sha1 ignore_empty_value: true tag: set_process_hash_sha1 - if: ctx.event?.category != null && !ctx.m365_defender.event.category.toLowerCase().contains('deviceimageloadevents') && (ctx.event.category.contains('process') || ctx.m365_defender.event.category.toLowerCase().contains('deviceevents')) + if: >- + ctx.event?.category != null && !ctx.event.category.contains('api') && !ctx.event.category.contains('driver') && !ctx.m365_defender.event.category.toLowerCase().contains('deviceimageloadevents') + && (ctx.event.category.contains('process') + || (ctx._temp_deviceevents_that_map_process != null && 
ctx._temp_deviceevents_that_map_process == false)) - set: field: process.hash.sha256 copy_from: m365_defender.event.sha256 ignore_empty_value: true tag: set_process_hash_sha256 - if: ctx.event?.category != null && !ctx.m365_defender.event.category.toLowerCase().contains('deviceimageloadevents') && (ctx.event.category.contains('process') || ctx.m365_defender.event.category.toLowerCase().contains('deviceevents')) + if: >- + ctx.event?.category != null && !ctx.event.category.contains('api') && !ctx.event.category.contains('driver') && !ctx.m365_defender.event.category.toLowerCase().contains('deviceimageloadevents') + && (ctx.event.category.contains('process') + || (ctx._temp_deviceevents_that_map_process != null && ctx._temp_deviceevents_that_map_process == false)) - set: field: process.name copy_from: m365_defender.event.file.name ignore_empty_value: true tag: set_process_name - if: ctx.event?.category != null && !ctx.m365_defender.event.category.toLowerCase().contains('deviceimageloadevents') && (ctx.event.category.contains('process') || ctx.m365_defender.event.category.toLowerCase().contains('deviceevents')) - - set: - field: process.pe.sections.physical_size - copy_from: m365_defender.event.file.size - ignore_empty_value: true - tag: set_process_pe_sections_physical_size - if: ctx.event?.category != null && !ctx.m365_defender.event.category.toLowerCase().contains('deviceimageloadevents') && (ctx.event.category.contains('process') || ctx.m365_defender.event.category.toLowerCase().contains('deviceevents')) + if: >- + ctx.event?.category != null && !ctx.event.category.contains('api') && !ctx.event.category.contains('driver') && !ctx.m365_defender.event.category.toLowerCase().contains('deviceimageloadevents') + && (ctx.event.category.contains('process') + || (ctx._temp_deviceevents_that_map_process != null && ctx._temp_deviceevents_that_map_process == false)) - set: field: process.parent.command_line copy_from: m365_defender.event.initiating_process.command_line 
ignore_empty_value: true tag: set_process_parent_command_line - if: ctx.event?.category != null && (ctx.event.category.contains('process') || ctx.m365_defender.event.category.toLowerCase().contains('deviceevents')) + if: >- + ctx.event?.category != null && !ctx.event.category.contains('api') && !ctx.event.category.contains('driver') + && (ctx.event.category.contains('process') + || (ctx._temp_deviceevents_that_map_process != null && ctx._temp_deviceevents_that_map_process == false)) - set: field: process.parent.hash.md5 copy_from: m365_defender.event.initiating_process.md5 ignore_empty_value: true tag: set_process_parent_hash_md5 - if: ctx.event?.category != null && (ctx.event.category.contains('process') || ctx.m365_defender.event.category.toLowerCase().contains('deviceevents')) + if: >- + ctx.event?.category != null && !ctx.event.category.contains('api') && !ctx.event.category.contains('driver') + && (ctx.event.category.contains('process') + || (ctx._temp_deviceevents_that_map_process != null && ctx._temp_deviceevents_that_map_process == false)) - set: field: process.parent.hash.sha1 copy_from: m365_defender.event.initiating_process.sha1 ignore_empty_value: true tag: set_process_parent_hash_sha1 - if: ctx.event?.category != null && (ctx.event.category.contains('process') || ctx.m365_defender.event.category.toLowerCase().contains('deviceevents')) + if: >- + ctx.event?.category != null && !ctx.event.category.contains('api') && !ctx.event.category.contains('driver') + && (ctx.event.category.contains('process') + || (ctx._temp_deviceevents_that_map_process != null && ctx._temp_deviceevents_that_map_process == false)) - set: field: process.parent.hash.sha256 copy_from: m365_defender.event.initiating_process.sha256 ignore_empty_value: true tag: set_process_parent_hash_sha256 - if: ctx.event?.category != null && (ctx.event.category.contains('process') || ctx.m365_defender.event.category.toLowerCase().contains('deviceevents')) + if: >- + ctx.event?.category != null && 
!ctx.event.category.contains('api') && !ctx.event.category.contains('driver') + && (ctx.event.category.contains('process') + || (ctx._temp_deviceevents_that_map_process != null && ctx._temp_deviceevents_that_map_process == false)) - set: field: process.parent.group_leader.pid copy_from: m365_defender.event.initiating_process.parent_id ignore_empty_value: true tag: set_process_parent_group_leader_pid - if: ctx.event?.category != null && (ctx.event.category.contains('process') || ctx.m365_defender.event.category.toLowerCase().contains('deviceevents')) + if: >- + ctx.event?.category != null && !ctx.event.category.contains('api') && !ctx.event.category.contains('driver') + && (ctx.event.category.contains('process') + || (ctx._temp_deviceevents_that_map_process != null && ctx._temp_deviceevents_that_map_process == false)) - set: field: process.parent.pid copy_from: m365_defender.event.initiating_process.id ignore_empty_value: true tag: set_process_parent_pid - if: ctx.event?.category != null && (ctx.event.category.contains('process') || ctx.m365_defender.event.category.toLowerCase().contains('deviceevents')) + if: >- + ctx.event?.category != null && !ctx.event.category.contains('api') && !ctx.event.category.contains('driver') + && (ctx.event.category.contains('process') + || (ctx._temp_deviceevents_that_map_process != null && ctx._temp_deviceevents_that_map_process == false)) - set: field: process.parent.start copy_from: m365_defender.event.initiating_process.creation_time ignore_empty_value: true tag: set_process_parent_start - if: ctx.event?.category != null && (ctx.event.category.contains('process') || ctx.m365_defender.event.category.toLowerCase().contains('deviceevents')) + if: >- + ctx.event?.category != null && !ctx.event.category.contains('api') && !ctx.event.category.contains('driver') + && (ctx.event.category.contains('process') + || (ctx._temp_deviceevents_that_map_process != null && ctx._temp_deviceevents_that_map_process == false)) - set: field: 
process.parent.name copy_from: m365_defender.event.initiating_process.file_name ignore_empty_value: true tag: set_process_parent_name - if: ctx.event?.category != null && (ctx.event.category.contains('process') || ctx.m365_defender.event.category.toLowerCase().contains('deviceevents')) - - set: - field: process.parent.pe.sections.physical_size - copy_from: m365_defender.event.initiating_process.file_size - ignore_empty_value: true - tag: set_process_parent_pe_sections_physical_size - if: ctx.event?.category != null && (ctx.event.category.contains('process') || ctx.m365_defender.event.category.toLowerCase().contains('deviceevents')) + if: >- + ctx.event?.category != null && !ctx.event.category.contains('api') && !ctx.event.category.contains('driver') + && (ctx.event.category.contains('process') + || (ctx._temp_deviceevents_that_map_process != null && ctx._temp_deviceevents_that_map_process == false)) - set: field: process.parent.executable copy_from: m365_defender.event.initiating_process.folder_path ignore_empty_value: true tag: set_process_parent_executable - if: ctx.event?.category != null && (ctx.event.category.contains('process') || ctx.m365_defender.event.category.toLowerCase().contains('deviceevents')) + if: >- + ctx.event?.category != null && !ctx.event.category.contains('api') && !ctx.event.category.contains('driver') + && (ctx.event.category.contains('process') + || (ctx._temp_deviceevents_that_map_process != null && ctx._temp_deviceevents_that_map_process == false)) - set: field: process.parent.group_leader.start copy_from: m365_defender.event.initiating_process.parent_creation_time ignore_empty_value: true tag: set_process_parent_group_leader_start - if: ctx.event?.category != null && (ctx.event.category.contains('process') || ctx.m365_defender.event.category.toLowerCase().contains('deviceevents')) + if: >- + ctx.event?.category != null && !ctx.event.category.contains('api') && !ctx.event.category.contains('driver') + && 
(ctx.event.category.contains('process') + || (ctx._temp_deviceevents_that_map_process != null && ctx._temp_deviceevents_that_map_process == false)) - set: field: process.parent.group_leader.name copy_from: m365_defender.event.initiating_process.parent_file_name ignore_empty_value: true tag: set_process_parent_group_leader_name - if: ctx.event?.category != null && (ctx.event.category.contains('process') || ctx.m365_defender.event.category.toLowerCase().contains('deviceevents')) + if: >- + ctx.event?.category != null && !ctx.event.category.contains('api') && !ctx.event.category.contains('driver') + && (ctx.event.category.contains('process') + || (ctx._temp_deviceevents_that_map_process != null && ctx._temp_deviceevents_that_map_process == false)) - set: field: process.parent.pe.company copy_from: m365_defender.event.initiating_process.version_info_company_name ignore_empty_value: true tag: set_process_parent_pe_company - if: ctx.event?.category != null && (ctx.event.category.contains('process') || ctx.m365_defender.event.category.toLowerCase().contains('deviceevents')) + if: >- + ctx.event?.category != null && !ctx.event.category.contains('api') && !ctx.event.category.contains('driver') + && (ctx.event.category.contains('process') + || (ctx._temp_deviceevents_that_map_process != null && ctx._temp_deviceevents_that_map_process == false)) - set: field: process.parent.pe.description copy_from: m365_defender.event.initiating_process.version_info_file_description ignore_empty_value: true tag: set_process_parent_pe_description - if: ctx.event?.category != null && (ctx.event.category.contains('process') || ctx.m365_defender.event.category.toLowerCase().contains('deviceevents')) + if: >- + ctx.event?.category != null && !ctx.event.category.contains('api') && !ctx.event.category.contains('driver') + && (ctx.event.category.contains('process') + || (ctx._temp_deviceevents_that_map_process != null && ctx._temp_deviceevents_that_map_process == false)) - set: field: 
process.parent.pe.original_file_name copy_from: m365_defender.event.initiating_process.version_info_original_file_name ignore_empty_value: true tag: set_process_parent_pe_original_file_name - if: ctx.event?.category != null && (ctx.event.category.contains('process') || ctx.m365_defender.event.category.toLowerCase().contains('deviceevents')) + if: >- + ctx.event?.category != null && !ctx.event.category.contains('api') && !ctx.event.category.contains('driver') + && (ctx.event.category.contains('process') + || (ctx._temp_deviceevents_that_map_process != null && ctx._temp_deviceevents_that_map_process == false)) - set: field: process.parent.pe.product copy_from: m365_defender.event.initiating_process.version_info_product_name ignore_empty_value: true tag: set_process_parent_pe_product - if: ctx.event?.category != null && (ctx.event.category.contains('process') || ctx.m365_defender.event.category.toLowerCase().contains('deviceevents')) + if: >- + ctx.event?.category != null && !ctx.event.category.contains('api') && !ctx.event.category.contains('driver') + && (ctx.event.category.contains('process') + || (ctx._temp_deviceevents_that_map_process != null && ctx._temp_deviceevents_that_map_process == false)) - set: field: process.parent.pe.file_version copy_from: m365_defender.event.initiating_process.version_info_product_version ignore_empty_value: true tag: set_process_parent_pe_file_version - if: ctx.event?.category != null && (ctx.event.category.contains('process') || ctx.m365_defender.event.category.toLowerCase().contains('deviceevents')) + if: >- + ctx.event?.category != null && !ctx.event.category.contains('api') && !ctx.event.category.contains('driver') + && (ctx.event.category.contains('process') + || (ctx._temp_deviceevents_that_map_process != null && ctx._temp_deviceevents_that_map_process == false)) - set: field: process.parent.code_signature.status copy_from: m365_defender.event.initiating_process.signature_status tag: set_process_code_signature_status 
ignore_empty_value: true - if: ctx.event?.category != null && (ctx.event.category.contains('process') || ctx.m365_defender.event.category.toLowerCase().contains('deviceevents')) - + if: >- + ctx.event?.category != null && !ctx.event.category.contains('api') && !ctx.event.category.contains('driver') + && (ctx.event.category.contains('process') + || (ctx._temp_deviceevents_that_map_process != null && ctx._temp_deviceevents_that_map_process == false)) + - set: + field: process.parent.code_signature.exists + value: true + tag: set_process_code_signature_exists_true + if: >- + ctx.event?.category != null && !ctx.event.category.contains('api') && !ctx.event.category.contains('driver') + && (ctx.event.category.contains('process') + || (ctx._temp_deviceevents_that_map_process != null && ctx._temp_deviceevents_that_map_process == false)) + && ctx.m365_defender?.event?.initiating_process?.signature_status == "Valid" + - set: + field: process.parent.code_signature.exists + value: false + tag: set_process_code_signature_exists_false + if: >- + ctx.event?.category != null && !ctx.event.category.contains('api') && !ctx.event.category.contains('driver') + && (ctx.event.category.contains('process') + || (ctx._temp_deviceevents_that_map_process != null && ctx._temp_deviceevents_that_map_process == false)) + && ctx.m365_defender?.event?.initiating_process?.signature_status == "Unsigned" + - set: + field: process.parent.code_signature.status + value: trusted + tag: set_process_code_signature_status_trusted + override: true + if: >- + ctx.event?.category != null && !ctx.event.category.contains('api') && !ctx.event.category.contains('driver') + && (ctx.event.category.contains('process') + || (ctx._temp_deviceevents_that_map_process != null && ctx._temp_deviceevents_that_map_process == false)) + && ctx.m365_defender?.event?.initiating_process?.signature_status == "Valid" + - set: + field: process.parent.code_signature.trusted + value: true + tag: set_process_code_signature_trusted_true 
+ if: >- + ctx.event?.category != null && !ctx.event.category.contains('api') && !ctx.event.category.contains('driver') + && (ctx.event.category.contains('process') + || (ctx._temp_deviceevents_that_map_process != null && ctx._temp_deviceevents_that_map_process == false)) + && ctx.m365_defender?.event?.initiating_process?.signature_status == "Valid" + - set: + field: process.parent.code_signature.trusted + value: false + tag: set_process_code_signature_trusted_false + if: >- + ctx.event?.category != null && !ctx.event.category.contains('api') && !ctx.event.category.contains('driver') + && (ctx.event.category.contains('process') + || (ctx._temp_deviceevents_that_map_process != null && ctx._temp_deviceevents_that_map_process == false)) + && ctx.m365_defender?.event?.initiating_process?.signature_status == "Unsigned" + - set: + field: process.Ext.token.integrity_level_name + copy_from: m365_defender.event.initiating_process.integrity_level + tag: set_process_Ext_token_integrity_level_name + if: >- + ctx.event?.category != null && !ctx.event.category.contains('api') && !ctx.event.category.contains('driver') + && (ctx.event.category.contains('process') || ctx.m365_defender.event.category.toLowerCase().contains('deviceevents') || ctx.event.category.contains('library')) + ignore_empty_value: true + - script: + description: Make temp variable for adding process.Ext.api.name when event.category is 'api'. 
+ lang: painless + if: >- + ctx.event?.category != null && ctx.event.category.contains('api') + source: | + String actiontype = ctx.m365_defender.event.action.type; + def idx = actiontype.toLowerCase().lastIndexOf('apicall'); + ctx._temp_process_Ext_api_name = actiontype.substring(0, idx); + - rename: + field: _temp_process_Ext_api_name + target_field: process.Ext.api.name + tag: rename_process_Ext_api_name + ignore_missing: true + - rename: + field: m365_defender.event.additional_fields.RegionSize + target_field: process.Ext.api.parameters.size + tag: rename_process_Ext_api_parameters_size + if: >- + ctx.event?.category != null && ctx.event.category.contains('api') + ignore_missing: true + - rename: + field: m365_defender.event.additional_fields.ProtectionMask + target_field: process.Ext.api.parameters.protection + tag: rename_process_Ext_api_parameters_protection + if: >- + ctx.event?.category != null && ctx.event.category.contains('api') + ignore_missing: true + - convert: + field: process.Ext.api.parameters.protection + tag: convert_process_Ext_api_parameters_protection + if: ctx.process?.Ext?.api?.parameters?.protection != '' + type: string + ignore_missing: true + - rename: + field: m365_defender.event.additional_fields.BaseAddress + target_field: process.Ext.api.parameters.address + tag: rename_process_Ext_api_parameters_address + if: >- + ctx.event?.category != null && ctx.event.category.contains('api') + ignore_missing: true + - rename: + field: m365_defender.event.additional_fields.DesiredAccess + target_field: process.Ext.api.parameters.desired_access_numeric + tag: rename_process_Ext_api_parameters_desired_access_numeric + if: >- + ctx.event?.category != null && ctx.event.category.contains('api') + ignore_missing: true + # Add Target.process.* when remote API call i.e., ActionType: (CreateRemoteThreadApiCall or ReadProcessMemoryApiCall or ntallocatevirtualmemoryremoteapicall or OpenProcessApiCall) + - set: + field: Target.process.name + copy_from: 
m365_defender.event.file.name + tag: set_Target_process_name + if: ctx.event?.category != null && ctx.event.category.contains('api') && (ctx.m365_defender?.event?.action?.type != null && ['createremotethreadapicall', 'readprocessmemoryapicall', 'ntallocatevirtualmemoryremoteapicall', 'openprocessapicall'].contains(ctx.m365_defender.event.action.type.toLowerCase())) + ignore_empty_value: true + - set: + field: Target.process.command_line + copy_from: m365_defender.event.process.command_line + tag: set_Target_process_command_line + if: ctx.event?.category != null && ctx.event.category.contains('api') && (ctx.m365_defender?.event?.action?.type != null && ['createremotethreadapicall', 'readprocessmemoryapicall', 'ntallocatevirtualmemoryremoteapicall', 'openprocessapicall'].contains(ctx.m365_defender.event.action.type.toLowerCase())) + ignore_empty_value: true + - set: + field: Target.process.executable + value: >- + {{{m365_defender.event.folder_path}}}\{{{m365_defender.event.file.name}}} + tag: set_Target_process_executable + if: ctx.event?.category != null && ctx.event.category.contains('api') && (ctx.m365_defender?.event?.action?.type != null && ['createremotethreadapicall', 'readprocessmemoryapicall', 'ntallocatevirtualmemoryremoteapicall', 'openprocessapicall'].contains(ctx.m365_defender.event.action.type.toLowerCase())) + ignore_empty_value: true + ## Then, mapping process.* below. 
## All other DeviceEvent types that is not DeviceProcessEvent or DeviceEvent map InitiatingProcess* to process.* rather than process.parent.* + ## Even when Type is DeviceEvent, certain event.action values still map to process.* (https://github.com/elastic/integrations/issues/9993) + ## Also, if event.category in ["api", "driver"] (a subset of DeviceEvent), then use process.* instead of process.parent.* - set: field: process.command_line copy_from: m365_defender.event.initiating_process.command_line ignore_empty_value: true tag: set_process_command_line - if: ctx.event?.category != null && !ctx.event.category.contains('process') && !ctx.m365_defender.event.category.toLowerCase().contains('deviceevents') + if: >- + ctx.event?.category != null + && (ctx.event.category.contains('api') + || ctx.event.category.contains('driver') + || (!ctx.event.category.contains('process') && !ctx.m365_defender.event.category.toLowerCase().contains('deviceevents')) + || (ctx._temp_deviceevents_that_map_process != null && ctx._temp_deviceevents_that_map_process == true)) + - set: field: process.hash.md5 copy_from: m365_defender.event.initiating_process.md5 ignore_empty_value: true tag: set_process_hash_md5 - if: ctx.event?.category != null && !ctx.event.category.contains('process') && !ctx.m365_defender.event.category.toLowerCase().contains('deviceevents') + if: >- + ctx.event?.category != null + && (ctx.event.category.contains('api') + || ctx.event.category.contains('driver') + || (!ctx.event.category.contains('library') && !ctx.event.category.contains('process') && !ctx.m365_defender.event.category.toLowerCase().contains('deviceevents')) + || (ctx._temp_deviceevents_that_map_process != null && ctx._temp_deviceevents_that_map_process == true)) - set: field: process.hash.sha1 copy_from: m365_defender.event.initiating_process.sha1 ignore_empty_value: true tag: set_process_hash_sha1 - if: ctx.event?.category != null && !ctx.event.category.contains('process') && 
!ctx.m365_defender.event.category.toLowerCase().contains('deviceevents') + if: >- + ctx.event?.category != null + && (ctx.event.category.contains('api') + || ctx.event.category.contains('driver') + || (!ctx.event.category.contains('library') && !ctx.event.category.contains('process') && !ctx.m365_defender.event.category.toLowerCase().contains('deviceevents')) + || (ctx._temp_deviceevents_that_map_process != null && ctx._temp_deviceevents_that_map_process == true)) - set: field: process.hash.sha256 copy_from: m365_defender.event.initiating_process.sha256 ignore_empty_value: true tag: set_process_hash_sha256 - if: ctx.event?.category != null && !ctx.event.category.contains('process') && !ctx.m365_defender.event.category.toLowerCase().contains('deviceevents') + if: >- + ctx.event?.category != null + && (ctx.event.category.contains('api') + || ctx.event.category.contains('driver') + || (!ctx.event.category.contains('library') && !ctx.event.category.contains('process') && !ctx.m365_defender.event.category.toLowerCase().contains('deviceevents')) + || (ctx._temp_deviceevents_that_map_process != null && ctx._temp_deviceevents_that_map_process == true)) - set: field: process.parent.pid copy_from: m365_defender.event.initiating_process.parent_id ignore_empty_value: true tag: set_process_parent_pid - if: ctx.event?.category != null && !ctx.event.category.contains('process') && !ctx.m365_defender.event.category.toLowerCase().contains('deviceevents') + if: >- + ctx.event?.category != null + && (ctx.event.category.contains('api') + || ctx.event.category.contains('driver') + || (!ctx.event.category.contains('process') && !ctx.m365_defender.event.category.toLowerCase().contains('deviceevents')) + || (ctx._temp_deviceevents_that_map_process != null && ctx._temp_deviceevents_that_map_process == true)) - set: field: process.pid copy_from: m365_defender.event.initiating_process.id ignore_empty_value: true tag: set_process_pid - if: ctx.event?.category != null && 
!ctx.event.category.contains('process') && !ctx.m365_defender.event.category.toLowerCase().contains('deviceevents') + if: >- + ctx.event?.category != null + && (ctx.event.category.contains('api') + || ctx.event.category.contains('driver') + || (!ctx.event.category.contains('process') && !ctx.m365_defender.event.category.toLowerCase().contains('deviceevents')) + || (ctx._temp_deviceevents_that_map_process != null && ctx._temp_deviceevents_that_map_process == true)) - set: field: process.start copy_from: m365_defender.event.initiating_process.creation_time ignore_empty_value: true tag: set_process_start - if: ctx.event?.category != null && !ctx.event.category.contains('process') && !ctx.m365_defender.event.category.toLowerCase().contains('deviceevents') + if: >- + ctx.event?.category != null + && (ctx.event.category.contains('api') + || ctx.event.category.contains('driver') + || (!ctx.event.category.contains('process') && !ctx.m365_defender.event.category.toLowerCase().contains('deviceevents')) + || (ctx._temp_deviceevents_that_map_process != null && ctx._temp_deviceevents_that_map_process == true)) - set: field: process.name copy_from: m365_defender.event.initiating_process.file_name ignore_empty_value: true tag: set_process_name - if: ctx.event?.category != null && !ctx.event.category.contains('process') && !ctx.m365_defender.event.category.toLowerCase().contains('deviceevents') - - set: - field: process.pe.sections.physical_size - copy_from: m365_defender.event.initiating_process.file_size - ignore_empty_value: true - tag: set_process_pe_sections_physical_size - if: ctx.event?.category != null && !ctx.event.category.contains('process') && !ctx.m365_defender.event.category.toLowerCase().contains('deviceevents') + if: >- + ctx.event?.category != null + && (ctx.event.category.contains('api') + || ctx.event.category.contains('driver') + || (!ctx.event.category.contains('process') && !ctx.m365_defender.event.category.toLowerCase().contains('deviceevents')) + || 
(ctx._temp_deviceevents_that_map_process != null && ctx._temp_deviceevents_that_map_process == true)) - set: field: process.executable copy_from: m365_defender.event.initiating_process.folder_path ignore_empty_value: true tag: set_process_executable - if: ctx.event?.category != null && !ctx.event.category.contains('process') && !ctx.m365_defender.event.category.toLowerCase().contains('deviceevents') + if: >- + ctx.event?.category != null + && (!ctx.event.category.contains('process') && !ctx.m365_defender.event.category.toLowerCase().contains('deviceevents') + || (ctx._temp_deviceevents_that_map_process != null && ctx._temp_deviceevents_that_map_process == true)) + - set: + field: process.executable + value: >- + {{{m365_defender.event.initiating_process.folder_path}}}\{{{m365_defender.event.initiating_process.file_name}}} + ignore_empty_value: true + tag: set_process_executable_api + if: >- + ctx.event?.category != null && (ctx.event.category.contains('api') || ctx.event.category.contains('driver')) + - set: + field: process.parent.name + copy_from: m365_defender.event.initiating_process.parent_file_name + ignore_empty_value: true + tag: set_process_parent_parent_name + if: >- + ctx.event?.category != null && (ctx.event.category.contains('api') || ctx.event.category.contains('driver')) + - set: + field: process.parent.pid + copy_from: m365_defender.event.initiating_process.parent_id + ignore_empty_value: true + tag: set_process_parent_parent_id + if: >- + ctx.event?.category != null && (ctx.event.category.contains('api')|| ctx.event.category.contains('driver')) - set: field: process.parent.start copy_from: m365_defender.event.initiating_process.parent_creation_time ignore_empty_value: true tag: set_process_parent_start - if: ctx.event?.category != null && !ctx.event.category.contains('process') && !ctx.m365_defender.event.category.toLowerCase().contains('deviceevents') + if: >- + ctx.event?.category != null + && (ctx.event.category.contains('api') + || 
ctx.event.category.contains('driver') + || (!ctx.event.category.contains('process') && !ctx.m365_defender.event.category.toLowerCase().contains('deviceevents')) + || (ctx._temp_deviceevents_that_map_process != null && ctx._temp_deviceevents_that_map_process == true)) - set: field: process.parent.name copy_from: m365_defender.event.initiating_process.parent_file_name ignore_empty_value: true tag: set_process_parent_name - if: ctx.event?.category != null && !ctx.event.category.contains('process') && !ctx.m365_defender.event.category.toLowerCase().contains('deviceevents') + if: >- + ctx.event?.category != null + && (ctx.event.category.contains('api') + || ctx.event.category.contains('driver') + || (!ctx.event.category.contains('process') && !ctx.m365_defender.event.category.toLowerCase().contains('deviceevents')) + || (ctx._temp_deviceevents_that_map_process != null && ctx._temp_deviceevents_that_map_process == true)) + - set: + field: process.group_leader.pid + copy_from: m365_defender.event.initiating_process.parent_id + ignore_empty_value: true + tag: set_process_group_leader_pid + if: >- + ctx.event?.category != null && (ctx.event.category.contains('api') || ctx.event.category.contains('driver')) + - set: + field: process.group_leader.name + copy_from: m365_defender.event.initiating_process.parent_file_name + ignore_empty_value: true + tag: set_process_group_leader_name + if: >- + ctx.event?.category != null && (ctx.event.category.contains('api') || ctx.event.category.contains('driver')) + - set: + field: process.group_leader.start + copy_from: m365_defender.event.initiating_process.parent_creation_time + ignore_empty_value: true + tag: set_process_group_leader_start + if: >- + ctx.event?.category != null && (ctx.event.category.contains('api') || ctx.event.category.contains('driver')) - set: field: process.pe.company copy_from: m365_defender.event.initiating_process.version_info_company_name ignore_empty_value: true tag: set_process_pe_company - if: 
ctx.event?.category != null && !ctx.event.category.contains('process') && !ctx.m365_defender.event.category.toLowerCase().contains('deviceevents') + if: >- + ctx.event?.category != null + && (ctx.event.category.contains('api') + || ctx.event.category.contains('driver') + || (!ctx.event.category.contains('library') && !ctx.event.category.contains('process') && !ctx.m365_defender.event.category.toLowerCase().contains('deviceevents')) + || (ctx._temp_deviceevents_that_map_process != null && ctx._temp_deviceevents_that_map_process == true)) - set: field: process.pe.description copy_from: m365_defender.event.initiating_process.version_info_file_description ignore_empty_value: true tag: set_process_pe_description - if: ctx.event?.category != null && !ctx.event.category.contains('process') && !ctx.m365_defender.event.category.toLowerCase().contains('deviceevents') + if: >- + ctx.event?.category != null + && (ctx.event.category.contains('api') + || ctx.event.category.contains('driver') + || (!ctx.event.category.contains('library') && !ctx.event.category.contains('process') && !ctx.m365_defender.event.category.toLowerCase().contains('deviceevents')) + || (ctx._temp_deviceevents_that_map_process != null && ctx._temp_deviceevents_that_map_process == true)) - set: field: process.pe.original_file_name copy_from: m365_defender.event.initiating_process.version_info_original_file_name ignore_empty_value: true tag: set_process_pe_original_file_name - if: ctx.event?.category != null && !ctx.event.category.contains('process') && !ctx.m365_defender.event.category.toLowerCase().contains('deviceevents') + if: >- + ctx.event?.category != null + && (ctx.event.category.contains('api') + || ctx.event.category.contains('driver') + || (!ctx.event.category.contains('library') && !ctx.event.category.contains('process') && !ctx.m365_defender.event.category.toLowerCase().contains('deviceevents')) + || (ctx._temp_deviceevents_that_map_process != null && ctx._temp_deviceevents_that_map_process == 
true)) - set: field: process.pe.product copy_from: m365_defender.event.initiating_process.version_info_product_name ignore_empty_value: true tag: set_process_pe_product - if: ctx.event?.category != null && !ctx.event.category.contains('process') && !ctx.m365_defender.event.category.toLowerCase().contains('deviceevents') + if: >- + ctx.event?.category != null + && (ctx.event.category.contains('api') + || ctx.event.category.contains('driver') + || (!ctx.event.category.contains('library') && !ctx.event.category.contains('process') && !ctx.m365_defender.event.category.toLowerCase().contains('deviceevents')) + || (ctx._temp_deviceevents_that_map_process != null && ctx._temp_deviceevents_that_map_process == true)) - set: field: process.pe.file_version copy_from: m365_defender.event.initiating_process.version_info_product_version ignore_empty_value: true tag: set_process_pe_file_version - if: ctx.event?.category != null && !ctx.event.category.contains('process') && !ctx.m365_defender.event.category.toLowerCase().contains('deviceevents') + if: >- + ctx.event?.category != null + && (ctx.event.category.contains('api') + || ctx.event.category.contains('driver') + || (!ctx.event.category.contains('library') && !ctx.event.category.contains('process') && !ctx.m365_defender.event.category.toLowerCase().contains('deviceevents')) + || (ctx._temp_deviceevents_that_map_process != null && ctx._temp_deviceevents_that_map_process == true)) - set: field: process.code_signature.status copy_from: m365_defender.event.initiating_process.signature_status tag: set_process_code_signature_status ignore_empty_value: true - if: ctx.event?.category != null && !ctx.event.category.contains('process') && !ctx.m365_defender.event.category.toLowerCase().contains('deviceevents') + if: >- + ctx.event?.category != null + && (ctx.event.category.contains('api') + || (!ctx.event.category.contains('process') && !ctx.m365_defender.event.category.toLowerCase().contains('deviceevents')) + || 
(ctx._temp_deviceevents_that_map_process != null && ctx._temp_deviceevents_that_map_process == true))
+ ### Remove the temporary variable
+ - remove:
+ field: _temp_deviceevents_that_map_process
+ description: Remove temporary variable created in tag set_temp_deviceevents_that_map_process*
+ ignore_missing: true
## m365_defender.event.process* fields will always map to process.*, so these do not require any logic.
- set:
field: process.command_line
@@ -1431,6 +1938,18 @@ processors:
copy_from: m365_defender.event.os.architecture
tag: set_host_architecture
ignore_empty_value: true
+ - set:
+ field: host.os.type
+ value: windows
+ if: ctx.m365_defender?.event?.os?.platform != null && ctx.m365_defender.event.os.platform.toLowerCase().contains('windows')
+ - set:
+ field: host.os.type
+ value: linux
+ if: ctx.m365_defender?.event?.os?.platform != null && ctx.m365_defender.event.os.platform.toLowerCase().contains('linux')
+ - set:
+ field: host.os.type
+ value: macos
+ if: ctx.m365_defender?.event?.os?.platform != null && ctx.m365_defender.event.os.platform.toLowerCase().contains('macos')
- set:
field: host.os.full
copy_from: m365_defender.event.os.platform
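Review bot: The new `host.os.type` mapping only recognises Windows, Linux and macOS, so any other `OSPlatform` value leaves `host.os.type` unset; if this feed can carry Defender's mobile endpoints (iOS, Android) — which I cannot confirm from the hunk — ECS already allows `ios` and `android`, and two more `set` processors of the same shape would close that gap. None of the three new processors carries a `tag:` while every neighbouring processor does, so a failure in one of them is harder to attribute in the pipeline's on_failure handling; e.g. `tag: set_host_os_type_windows`. The three substring checks are mutually exclusive for the values shown, so order does not matter here.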
@@ -1478,12 +1997,25 @@ processors:
copy_from: m365_defender.event.registry.value_name
tag: set_registry_value
ignore_empty_value: true
+ - set:
+ field: registry.path
+ value: >-
+ {{{registry.key}}}\{{{registry.value}}}
+ tag: set_registry_path
+ if: ctx.registry?.key != null && ctx.registry.value != null
+ ignore_empty_value: true
- append:
field: registry.data.strings
value: '{{{m365_defender.event.registry.value_data}}}'
tag: append_registry_data_strings
allow_duplicates: false
if: ctx.m365_defender?.event?.registry?.value_data != null
+ - set:
+ field: registry.data.type
+ copy_from: m365_defender.event.registry.value_type
+ tag: set_registry_type
+ ignore_empty_value: true
+ if: ctx.m365_defender?.event?.registry?.value_type != null
# Source Mapping (DeviceLoginEvent has different mappings than the rest. DeviceNetworkEvent might include a direction, which controls which field goes to source/destination)
- set:
@@ -1570,6 +2102,12 @@ processors:
ignore_empty_value: true
tag: set_destination_ip
if: ctx.event?.category != null && ctx.event.category.contains('network') && ctx.m365_defender?.event?.network_direction == 'In'
+ - set:
+ field: destination.address
+ copy_from: destination.ip
+ ignore_empty_value: true
+ tag: set_destination_address
+ if: ctx.event?.category != null && ctx.event.category.contains('network') && ctx.destination?.ip != null
- set:
field: destination.port
copy_from: m365_defender.event.remote.port
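Review bot: `set_registry_type` copies `RegistryValueType` verbatim into `registry.data.type`, but ECS defines that field with the Windows `REG_*` vocabulary (`REG_SZ`, `REG_DWORD`, …); if Defender reports its own names such as `String` or `Dword` — which I believe it does, though the hunk does not show sample values — detection rules filtering on `registry.data.type` will never match, and a small translation (a `script` with a map, or one `set` per value) belongs in front of the copy. In `set_registry_path` the guard only rejects `null`, so an empty `registry.value` (a write to a key's default value, if Defender emits it that way) produces a path with a trailing backslash, and `ignore_empty_value` cannot help because the rendered template is non-empty; `if: ctx.registry?.key != null && ctx.registry.value != null && ctx.registry.value != ''` with a second processor falling back to `registry.key` alone would keep the path clean. The `ignore_empty_value: true` on `set_registry_type` duplicates its `if` guard and can go.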
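Review bot: `destination.address` is populated only as a copy of `destination.ip`, whereas ECS intends `*.address` to carry the value as the source reported it (hostname or IP) with `*.ip` as the resolved form; if this pipeline also parses Defender's `RemoteUrl` for network events, that is the better candidate for `destination.address` when present, with the IP as the fallback. There is no matching `source.address` processor, so rules that read the source/destination pair symmetrically will see only one side. The `ignore_empty_value: true` is redundant given the `ctx.destination?.ip != null` guard; `tag: set_destination_address` is good and should be kept on any rework.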
@@ -1605,16 +2143,77 @@ processors:
       copy_from: m365_defender.event.request.account_name
       tag: set_user_name
       ignore_empty_value: true
+  - set:
+      field: user.name
+      copy_from: m365_defender.event.initiating_process.account_name
+      tag: set_user_name_initiating_process_account_name
+      ignore_empty_value: true
+      if: ctx.event?.category != null && (ctx.event.category.contains('library') || ctx.event.category.contains('registry') || ctx.event.category.contains('network') || ctx.event.category.contains('driver')) && ctx.user?.name == null
   - set:
       field: user.domain
       copy_from: m365_defender.event.account.domain
       tag: set_user_domain
       ignore_empty_value: true
+  - set:
+      field: user.domain
+      copy_from: m365_defender.event.initiating_process.account_domain
+      tag: set_user_domain_initiating_process_account_domain
+      ignore_empty_value: true
+      if: ctx.event?.category != null && (ctx.event.category.contains('library') || ctx.event.category.contains('registry') || ctx.event.category.contains('network') || ctx.event.category.contains('driver')) && ctx.user?.domain == null
   - set:
       field: user.id
       copy_from: m365_defender.event.account.sid
       tag: set_user_id
       ignore_empty_value: true
+  - set:
+      field: user.id
+      copy_from: m365_defender.event.initiating_process.account_sid
+      tag: set_user_id_initiating_process_account_sid
+      ignore_empty_value: true
+      if: ctx.event?.category != null && (ctx.event.category.contains('library') || ctx.event.category.contains('file') || ctx.event.category.contains('registry') || ctx.event.category.contains('network') || ctx.event.category.contains('driver')) && ctx.user?.id == null
+  - set:
+      field: user.id
+      copy_from: m365_defender.event.request.account_sid
+      tag: set_user_id_request_account_sid
+      ignore_empty_value: true
+      if: ctx.event?.category != null && ctx.event.category.contains('file') && ctx.user?.id == null
+  # DNS fields
+  - set:
+      field: dns.question.name
+      copy_from: m365_defender.event.dns.query
+      tag: set_dns_question_name
+      ignore_empty_value: true
+      if: ctx.event?.category != null && ctx.event.category.contains('network') && ctx.m365_defender?.event?.action?.type != null && ctx.m365_defender.event.action.type.toLowerCase().contains('dnsconnectioninspected')
+  - set:
+      field: dns.question.class
+      copy_from: m365_defender.event.dns.qclass_name
+      tag: set_dns_question_class
+      ignore_empty_value: true
+      if: ctx.event?.category != null && ctx.event.category.contains('network') && ctx.m365_defender?.event?.action?.type != null && ctx.m365_defender.event.action.type.toLowerCase().contains('dnsconnectioninspected')
+  - set:
+      field: dns.question.type
+      copy_from: m365_defender.event.dns.qtype_name
+      tag: set_dns_question_type
+      ignore_empty_value: true
+      if: ctx.event?.category != null && ctx.event.category.contains('network') && ctx.m365_defender?.event?.action?.type != null && ctx.m365_defender.event.action.type.toLowerCase().contains('dnsconnectioninspected')
+  - set:
+      field: dns.response_code
+      copy_from: m365_defender.event.dns.rcode_name
+      tag: set_dns_response_code
+      ignore_empty_value: true
+      if: ctx.event?.category != null && ctx.event.category.contains('network') && ctx.m365_defender?.event?.action?.type != null && ctx.m365_defender.event.action.type.toLowerCase().contains('dnsconnectioninspected')
+  - set:
+      field: dns.answers
+      copy_from: m365_defender.event.dns.answers
+      tag: set_dns_answers
+      ignore_empty_value: true
+      if: ctx.event?.category != null && ctx.event.category.contains('network') && ctx.m365_defender?.event?.action?.type != null && ctx.m365_defender.event.action.type.toLowerCase().contains('dnsconnectioninspected')
+  - set:
+      field: dns.header_flags
+      copy_from: m365_defender.event.dns.header_flags
+      tag: set_dns_header_flags
+      ignore_empty_value: true
+      if: ctx.event?.category != null && ctx.event.category.contains('network') && ctx.m365_defender?.event?.action?.type != null && ctx.m365_defender.event.action.type.toLowerCase().contains('dnsconnectioninspected')
   # Network fields (Only one of them exists in an event)
   - set:
@@ -1631,6 +2230,12 @@ processors:
       field: network.protocol
       tag: lowercase_network_protocol
       ignore_missing: true
+  - set:
+      field: network.protocol
+      value: dns
+      tag: set_network_protocol_dns
+      if: ctx.m365_defender?.event?.action?.type != null && ctx.m365_defender.event.action.type.toLowerCase().contains('dns')
+      override: true
   - set:
       field: network.direction
       value: inbound
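Review bot: For `file` events the two new `user.id` fallbacks run in an order that can pair `user.id` with a different account than `user.name`: `set_user_id_initiating_process_account_sid` lists `file` among its categories and runs first, so `set_user_id_request_account_sid` (guarded by `ctx.user?.id == null`) never fires when the initiating process has a SID, while `user.name` for file events still comes from `request.account_name` via the context `set_user_name` above. Either drop `file` from the first processor's category list or move the `request.account_sid` processor ahead of it so both fields describe the requesting account. The six DNS processors repeat an identical five-clause `if:`; setting one temporary boolean once and referencing it from each, as the patch already does with `_temp_deviceevents_that_map_process`, would keep the condition from drifting. The processors list continues outside this hunk.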
@@ -1648,11 +2253,50 @@ processors:
       if: ctx.event?.category != null && ctx.event.category.contains('network') && ctx.m365_defender?.event?.network_direction == null
   # Event Outcome/Actions mapping
+  # Special handling when event.category is 'file' or 'registry' or 'driver' for better compatibility and detection rules.
+  - set:
+      field: event.action
+      value: deletion
+      tag: set_event_action_deletion
+      if: (ctx.event?.category != null && ctx.event.category.contains('file')) && ctx.m365_defender?.event?.action?.type != null && ctx.m365_defender.event.action.type.toLowerCase() == 'filedeleted'
+  - set:
+      field: event.action
+      value: modification
+      tag: set_event_action_modification_file
+      if: (ctx.event?.category != null && ctx.event.category.contains('file')) && ctx.m365_defender?.event?.action?.type != null && ctx.m365_defender.event.action.type.toLowerCase() == 'filemodified'
+  - set:
+      field: event.action
+      value: rename
+      tag: set_event_action_rename
+      if: (ctx.event?.category != null && ctx.event.category.contains('file')) && ctx.m365_defender?.event?.action?.type != null && ctx.m365_defender.event.action.type.toLowerCase() == 'filerenamed'
+  - set:
+      field: event.action
+      value: creation
+      tag: set_event_action_creation_file
+      if: (ctx.event?.category != null && ctx.event.category.contains('file')) && ctx.m365_defender?.event?.action?.type != null && ctx.m365_defender.event.action.type.toLowerCase() == 'filecreated'
+  - set:
+      field: event.action
+      value: creation
+      tag: set_event_action_creation_registry
+      if: (ctx.event?.category != null && ctx.event.category.contains('registry')) && ctx.m365_defender?.event?.action?.type != null && ctx.m365_defender.event.action.type.toLowerCase() == 'registrykeycreated'
+  - set:
+      field: event.action
+      value: modification
+      tag: set_event_action_modification_registry
+      if: (ctx.event?.category != null && ctx.event.category.contains('registry')) && ctx.m365_defender?.event?.action?.type != null && ctx.m365_defender.event.action.type.toLowerCase() == 'registryvalueset'
+  - set:
+      field: event.action
+      value: load
+      tag: set_event_action_load
+      if: ctx.event?.category != null && ctx.event.category.contains('driver')
+  # For all other categories, copy the value from m365_defender.event.action.type
   - set:
       field: event.action
       copy_from: m365_defender.event.action.type
       tag: set_event_action
+      if: ctx.event?.category != null && !ctx.event.category.contains('file')
       ignore_empty_value: true
+      override: false
   - lowercase:
       field: event.action
       tag: lowercase_event_action
@@ -2025,6 +2669,12 @@ processors:
         - m365_defender.event.signer
         - m365_defender.event.issuer
         - m365_defender.event.is_trusted
+        - m365_defender.event.dns.qclass_name
+        - m365_defender.event.dns.query
+        - m365_defender.event.dns.qtype_name
+        - m365_defender.event.dns.rcode_name
+        - m365_defender.event.dns.answers
+        - m365_defender.event.dns.header_flags
       ignore_missing: true
 on_failure:
   - append:
diff --git a/packages/m365_defender/data_stream/event/fields/ecs.yml b/packages/m365_defender/data_stream/event/fields/ecs.yml
index b991910e84c..9b0fe006804 100644
--- a/packages/m365_defender/data_stream/event/fields/ecs.yml
+++ b/packages/m365_defender/data_stream/event/fields/ecs.yml
@@ -4,6 +4,8 @@
   name: tags
 - external: ecs
   name: message
+- external: ecs
+  name: destination.address
 - external: ecs
   name: destination.domain
 - external: ecs
@@ -24,6 +26,16 @@
   name: destination.geo.region_name
 - external: ecs
   name: destination.port
+- external: ecs
+  name: dns.header_flags
+- external: ecs
+  name: dns.question.class
+- external: ecs
+  name: dns.question.name
+- external: ecs
+  name: dns.question.type
+- external: ecs
+  name: dns.response_code
 - external: ecs
   name: email.direction
 - external: ecs
@@ -60,6 +72,8 @@
   name: event.kind
 - external: ecs
   name: file.directory
+- external: ecs
+  name: file.path
 - external: ecs
   name: file.extension
 - external: ecs
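Review bot: `set_event_action` now skips every `file` event (`if: ctx.event?.category != null && !ctx.event.category.contains('file')`), so a file event whose action type is not one of `filedeleted`/`filemodified`/`filerenamed`/`filecreated` ends up with no `event.action` at all, whereas every other category falls back to the raw action type. Because `override: false` is added in the same hunk, the specialised values set above are already protected, and the `file` exclusion could be dropped to restore that fallback. Whether other file action types actually occur in `DeviceFileEvents` is not visible here; if the exclusion is deliberate, a comment above the processor saying why would help the next maintainer. The processors list continues outside this hunk.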
@@ -88,8 +102,6 @@
   name: dll.path
 - external: ecs
   name: dll.name
-- external: ecs
-  name: dll.pe.sections.physical_size
 - external: ecs
   name: dll.hash.md5
 - external: ecs
@@ -124,8 +136,6 @@
   name: process.executable
 - external: ecs
   name: process.name
-- external: ecs
-  name: process.pe.sections.physical_size
 - external: ecs
   name: process.pe.company
 - external: ecs
@@ -158,8 +168,6 @@
   name: process.parent.executable
 - external: ecs
   name: process.parent.name
-- external: ecs
-  name: process.parent.pe.sections.physical_size
 - external: ecs
   name: process.parent.pe.company
 - external: ecs
@@ -172,6 +180,10 @@
   name: process.parent.pe.file_version
 - external: ecs
   name: process.parent.code_signature.status
+- external: ecs
+  name: process.parent.code_signature.exists
+- external: ecs
+  name: process.parent.code_signature.trusted
 - external: ecs
   name: process.parent.group_leader.pid
 - external: ecs
@@ -179,12 +191,21 @@
 # Missing in ECS flatfile
 - name: process.parent.group_leader.name
   type: keyword
+- name: dns.answers
+  type: object
+  object_type: keyword
 - external: ecs
   name: registry.key
 - external: ecs
   name: registry.value
+- external: ecs
+  name: registry.hive
+- external: ecs
+  name: registry.path
 - external: ecs
   name: registry.data.strings
+- external: ecs
+  name: registry.data.type
 - external: ecs
   name: related.hash
 - external: ecs
diff --git a/packages/m365_defender/data_stream/event/fields/fields.yml b/packages/m365_defender/data_stream/event/fields/fields.yml
index b45ed22676b..5d860bf5aef 100644
--- a/packages/m365_defender/data_stream/event/fields/fields.yml
+++ b/packages/m365_defender/data_stream/event/fields/fields.yml
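Review bot: `dns.answers` is declared here as `type: object` with `object_type: keyword`, while the field it is copied from, `m365_defender.event.dns.answers`, is declared `type: keyword` in the fields.yml hunk `@@ -181,6 +182,27 @@`; the two declarations describe different value shapes, and whichever one the raw value does not match is rejected at index time. The remove processor does drop `m365_defender.event.dns.answers` before indexing, which hides the conflict for the raw field but not for `dns.answers`. If the source delivers ECS-style answer objects, the standard `dns.answers.*` subfields can be pulled in with `external: ecs` entries; if it delivers plain strings, `keyword` is the right type here. An expected-output document for a `DnsConnectionInspected` event would settle which shape applies.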
@@ -94,6 +94,7 @@
       description: Threshold assigned to email from bulk mailers, a high bulk complaint level (BCL) means the email is more likely to generate complaints, and thus more likely to be spam.
     - name: category
       type: keyword
+      description: The Advanced Hunting table name with 'AdvancedHunting-' prefix.
     - name: certificate
       type: group
       fields:
@@ -181,6 +182,27 @@
         - name: type
           type: keyword
           description: Type of device based on purpose and functionality, such as network device, workstation, server, mobile, gaming console, or printer.
+    - name: dns
+      type: group
+      fields:
+        - name: qclass_name
+          type: keyword
+          description: The DNS class of records being queried.
+        - name: query
+          type: keyword
+          description: The DNS query.
+        - name: qtype_name
+          type: keyword
+          description: The type of DNS record being queried.
+        - name: rcode_name
+          type: keyword
+          description: The DNS response code.
+        - name: answers
+          type: keyword
+          description: The answers returned by the server from DNS query.
+        - name: header_flags
+          type: keyword
+          description: Array of 2 letter DNS header flags.
     - name: dns_addresses
       type: keyword
       description: DNS server addresses in JSON array format.
@@ -800,6 +822,7 @@
       description: Verdict from the email filtering stack on whether the email contains malware, phishing, or other threats.
     - name: time
       type: date
+      description: The time Microsoft Defender received the event.
     - name: timestamp
       type: date
       description: Date and time when the event was recorded.
@@ -843,3 +866,41 @@
       description: The application from which the user clicked on the link, with the values being Email, Office and Teams.
     - name: url.user_info
       type: keyword
+- name: dll.Ext.size
+  type: long
+  description: Size of the dll executable.
+- name: process.Ext.token.integrity_level_name
+  type: keyword
+  description: Integrity level that determine the levels of protection or access for a principal used by Mandatory Integrity Control (MIC).
+- name: process.Ext.api.name
+  type: keyword
+- name: process.Ext.api.parameters.size
+  type: long
+  description: The size of parameter values passed to the API call.
+- name: process.Ext.api.parameters.protection
+  type: keyword
+  description: The memory protection for the region of pages. Corresponds to `MEMORY_BASIC_INFORMATION.Protect`.
+- name: process.Ext.api.parameters.address
+  type: long
+  description: The target memory address.
+- name: process.Ext.api.parameters.desired_access_numeric
+  type: long
+  description: This parameter indicates the numeric value of the `DesiredAccess` field passed to `OpenProcess` or `OpenThread`.
+- name: Target.process.name
+  type: keyword
+  description: Process name. Sometimes called program name or similar.
+  multi_fields:
+    - name: text
+      type: text
+- name: Target.process.command_line
+  type: wildcard
+  description: Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information.
+  multi_fields:
+    - name: text
+      type: text
+- name: Target.process.executable
+  type: keyword
+  description: Absolute path to the process executable.
+  multi_fields:
+    - name: text
+      type: text
diff --git a/packages/m365_defender/docs/README.md b/packages/m365_defender/docs/README.md
index 838505717ba..6aa34122da6 100644
--- a/packages/m365_defender/docs/README.md
+++ b/packages/m365_defender/docs/README.md
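Review bot: `process.Ext.api.name` is the only field added in this hunk without a `description:`, and the generated README renders it with an empty description column; `description: Name of the API called by the process.` or similar would fix that. `process.Ext.api.parameters.address` is typed `long`, a signed 64-bit field, which covers user-mode addresses but not a kernel-range 64-bit address — if such values can appear (not visible here), `unsigned_long` would cover the full range. The `Target.process.*` and `*.Ext.*` names follow Elastic Endpoint's custom fields rather than ECS, presumably deliberately for detection-rule compatibility; a one-line comment above them saying so would spare the next maintainer from "fixing" them.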
@@ -567,6 +567,12 @@ This is the `event` dataset. | Field | Description | Type | |---|---|---| | @timestamp | Event timestamp. | date | +| Target.process.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard | +| Target.process.command_line.text | Multi-field of `Target.process.command_line`. | text | +| Target.process.executable | Absolute path to the process executable. | keyword | +| Target.process.executable.text | Multi-field of `Target.process.executable`. | text | +| Target.process.name | Process name. Sometimes called program name or similar. | keyword | +| Target.process.name.text | Multi-field of `Target.process.name`. | text | | cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | | cloud.availability_zone | Availability zone in which this host is running. | keyword | | cloud.image.id | Image ID for the cloud instance. | keyword | 
@@ -583,6 +589,7 @@ This is the `event` dataset. | data_stream.dataset | Data stream dataset. | constant_keyword | | data_stream.namespace | Data stream namespace. | constant_keyword | | data_stream.type | Data stream type. | constant_keyword | +| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | | destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | | destination.geo.city_name | City name. | keyword | | destination.geo.continent_name | Name of the continent. | keyword | 
@@ -593,12 +600,18 @@ This is the `event` dataset. | destination.geo.region_name | Region name. | keyword | | destination.ip | IP address of the destination (IPv4 or IPv6). | ip | | destination.port | Port of the destination. | long | +| dll.Ext.size | Size of the dll executable. | long | | dll.hash.md5 | MD5 hash. | keyword | | dll.hash.sha1 | SHA1 hash. | keyword | | dll.hash.sha256 | SHA256 hash. | keyword | | dll.name | Name of the library. This generally maps to the name of the file on disk. | keyword | | dll.path | Full file path of the library. | keyword | -| dll.pe.sections.physical_size | PE Section List physical size. | long | +| dns.answers | | object | +| dns.header_flags | Array of 2 letter DNS header flags. | keyword | +| dns.question.class | The class of records being queried. | keyword | +| dns.question.name | The name being queried. If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. | keyword | +| dns.question.type | The type of record being queried. | keyword | +| dns.response_code | The DNS response code. | keyword | | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | | email.direction | The direction of the message based on the sending and receiving domains. | keyword | | email.from.address | The email address of the sender, typically from the RFC 5322 `From:` header field. | keyword | 
@@ -629,6 +642,8 @@ This is the `event` dataset. | file.hash.sha1 | SHA1 hash. | keyword | | file.hash.sha256 | SHA256 hash. | keyword | | file.name | Name of the file including the extension, without the directory. | keyword | +| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword | +| file.path.text | Multi-field of `file.path`. | match_only_text | | file.size | File size in bytes. Only relevant when `file.type` is "file". | long | | file.x509.issuer.common_name | List of common name (CN) of issuing certificate authority. | keyword | | file.x509.not_after | Time at which the certificate is no longer considered valid. | date | @@ -683,7 +698,7 @@ This is the `event` dataset. | m365_defender.event.attack_techniques | MITRE ATT&CK techniques associated with the activity that triggered the alert. | keyword | | m365_defender.event.authentication_details | List of pass or fail verdicts by email authentication protocols like DMARC, DKIM, SPF or a combination of multiple authentication types (CompAuth). | keyword | | m365_defender.event.bulk_complaint_level | Threshold assigned to email from bulk mailers, a high bulk complaint level (BCL) means the email is more likely to generate complaints, and thus more likely to be spam. | long | -| m365_defender.event.category | | keyword | +| m365_defender.event.category | The Advanced Hunting table name with 'AdvancedHunting-' prefix. | keyword | | m365_defender.event.certificate.countersignature_time | Date and time the certificate was countersigned. | date | | m365_defender.event.certificate.creation_time | Date and time the certificate was created. | date | | m365_defender.event.certificate.expiration_time | Date and time the certificate is set to expire. | date | 
@@ -710,6 +725,12 @@ This is the `event` dataset. | m365_defender.event.device.type | Type of device based on purpose and functionality, such as network device, workstation, server, mobile, gaming console, or printer. | keyword | | m365_defender.event.device_dynamic_tags | Device tags assigned automatically using dynamic tagging rules. | keyword | | m365_defender.event.device_manual_tags | Device tags created manually using the portal UI or public API. | keyword | +| m365_defender.event.dns.answers | The answers returned by the server from DNS query. | keyword | +| m365_defender.event.dns.header_flags | Array of 2 letter DNS header flags. | keyword | +| m365_defender.event.dns.qclass_name | The DNS class of records being queried. | keyword | +| m365_defender.event.dns.qtype_name | The type of DNS record being queried. | keyword | +| m365_defender.event.dns.query | The DNS query. | keyword | +| m365_defender.event.dns.rcode_name | The DNS response code. | keyword | | m365_defender.event.dns_addresses | DNS server addresses in JSON array format. | keyword | | m365_defender.event.email.action | Final action taken on the email based on filter verdict, policies, and user actions: Move message to junk mail folder, Add X-header, Modify subject, Redirect message, Delete message, send to quarantine, No action taken, Bcc message. | keyword | | m365_defender.event.email.action_policy | Action policy that took effect: Antispam high-confidence, Antispam, Antispam bulk mail, Antispam phishing, Anti-phishing domain impersonation, Anti-phishing user impersonation, Anti-phishing spoof, Anti-phishing graph impersonation, Antimalware, Safe Attachments, Enterprise Transport Rules (ETR). | keyword | 
@@ -892,7 +913,7 @@ This is the `event` dataset. | m365_defender.event.threat.family | Malware family that the suspicious or malicious file or process has been classified under. | keyword | | m365_defender.event.threat.names | Detection name for malware or other threats found. | keyword | | m365_defender.event.threat.types | Verdict from the email filtering stack on whether the email contains malware, phishing, or other threats. | keyword | -| m365_defender.event.time | | date | +| m365_defender.event.time | The time Microsoft Defender received the event. | date | | m365_defender.event.timestamp | Date and time when the event was recorded. | date | | m365_defender.event.title | Title of the alert. | keyword | | m365_defender.event.tunnel_type | Tunneling protocol, if the interface is used for this purpose, for example 6to4, Teredo, ISATAP, PPTP, SSTP, and SSH. | keyword | 
@@ -912,6 +933,12 @@ This is the `event` dataset. | network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | | observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword | | observer.version | Observer version. | keyword | +| process.Ext.api.name | | keyword | +| process.Ext.api.parameters.address | The target memory address. | long | +| process.Ext.api.parameters.desired_access_numeric | This parameter indicates the numeric value of the `DesiredAccess` field passed to `OpenProcess` or `OpenThread`. | long | +| process.Ext.api.parameters.protection | The memory protection for the region of pages. Corresponds to `MEMORY_BASIC_INFORMATION.Protect`. | keyword | +| process.Ext.api.parameters.size | The size of parameter values passed to the API call. | long | +| process.Ext.token.integrity_level_name | Integrity level that determine the levels of protection or access for a principal used by Mandatory Integrity Control (MIC). | keyword | | process.args | Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information. | keyword | | process.args_count | Length of the process.args array. This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. | long | | process.code_signature.status | Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. | keyword | 
@@ -926,7 +953,9 @@ This is the `event` dataset. | process.name.text | Multi-field of `process.name`. | match_only_text | | process.parent.args | Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information. | keyword | | process.parent.args_count | Length of the process.args array. This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. | long | +| process.parent.code_signature.exists | Boolean to capture if a signature is present. | boolean | | process.parent.code_signature.status | Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. | keyword | +| process.parent.code_signature.trusted | Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. | boolean | | process.parent.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard | | process.parent.command_line.text | Multi-field of `process.parent.command_line`. | match_only_text | | process.parent.executable | Absolute path to the process executable. | keyword | 
@@ -944,7 +973,6 @@ This is the `event` dataset. | process.parent.pe.file_version | Internal version of the file, provided at compile-time. | keyword | | process.parent.pe.original_file_name | Internal name of the file, provided at compile-time. | keyword | | process.parent.pe.product | Internal product name of the file, provided at compile-time. | keyword | -| process.parent.pe.sections.physical_size | PE Section List physical size. | long | | process.parent.pid | Process id. | long | | process.parent.start | The time the process started. | date | | process.pe.company | Internal company name of the file, provided at compile-time. | keyword | 
@@ -952,11 +980,13 @@ This is the `event` dataset. | process.pe.file_version | Internal version of the file, provided at compile-time. | keyword | | process.pe.original_file_name | Internal name of the file, provided at compile-time. | keyword | | process.pe.product | Internal product name of the file, provided at compile-time. | keyword | -| process.pe.sections.physical_size | PE Section List physical size. | long | | process.pid | Process id. | long | | process.start | The time the process started. | date | | registry.data.strings | Content when writing string types. Populated as an array when writing string data to the registry. For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. For sequences of string with REG_MULTI_SZ, this array will be variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g `"1"`). | wildcard | +| registry.data.type | Standard registry type for encoding contents | keyword | +| registry.hive | Abbreviated name for the hive. | keyword | | registry.key | Hive-relative path of keys. | keyword | +| registry.path | Full path, including hive, key and value | keyword | | registry.value | Name of the value written. | keyword | | related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | | related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | diff --git a/packages/m365_defender/manifest.yml b/packages/m365_defender/manifest.yml index 0794c1c94ac..0f8950f2154 100644 --- a/packages/m365_defender/manifest.yml +++ b/packages/m365_defender/manifest.yml 
@@ -1,7 +1,7 @@ format_version: "3.0.2" name: m365_defender title: Microsoft M365 Defender -version: "2.10.0" +version: "2.11.0" description: Collect logs from Microsoft M365 Defender with Elastic Agent. categories: - "security" diff --git a/packages/ti_rapid7_threat_command/data_stream/ioc/_dev/test/pipeline/test-common-config.yml b/packages/ti_rapid7_threat_command/data_stream/ioc/_dev/test/pipeline/test-common-config.yml index 785eb5f3c23..36a61b6a6fd 100644 --- a/packages/ti_rapid7_threat_command/data_stream/ioc/_dev/test/pipeline/test-common-config.yml +++ b/packages/ti_rapid7_threat_command/data_stream/ioc/_dev/test/pipeline/test-common-config.yml @@ -1,7 +1,6 @@ fields: tags: - preserve_original_event - dynamic_fields: # This can be removed after ES 8.14 is the minimum version. # Relates: https://github.com/elastic/elasticsearch/pull/105689 From 7a68798fb1d325e9578c40ef557973ccf94b845a Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Bernhard=20Fl=C3=BChmann?= <135961274+ltflb-bgdi@users.noreply.github.com> Date: Tue, 11 Jun 2024 12:51:50 +0200 Subject: [PATCH 002/105] Traefik 2.x access-log support (#9131) * Support traefik 2.x access-logs - Refactored field structure according to traefik 2.x format (json) - Parsed more fields - Improved ecs compatibility - Implemented review recommendations --------- Co-authored-by: muthu-mps <101238137+muthu-mps@users.noreply.github.com> Co-authored-by: muthu-mps --- packages/traefik/_dev/build/build.yml | 3 +- packages/traefik/_dev/build/docs/README.md | 52 +- packages/traefik/changelog.yml | 55 +- .../_dev/test/pipeline/test-format-common.log | 1 + .../test-format-common.log-expected.json | 188 +- .../_dev/test/pipeline/test-format-json.log | 7 +- .../test-format-json.log-expected.json | 654 ++++++- .../test/system/test-format-common-config.yml | 1 + .../test/system/test-format-json-config.yml | 1 + .../elasticsearch/ingest_pipeline/default.yml | 23 +- .../ingest_pipeline/format-common.yml | 21 +- .../ingest_pipeline/format-json.yml | 282 ++- .../data_stream/access/fields/agent.yml | 6 + .../traefik/data_stream/access/fields/ecs.yml | 100 -- .../data_stream/access/fields/fields.yml | 119 +- .../data_stream/access/sample_event.json | 116 +- .../_dev/test/system/test-default-config.yml | 6 - .../traefik/data_stream/health/fields/ecs.yml | 4 + .../data_stream/health/sample_event.json | 44 +- packages/traefik/docs/README.md | 360 ++-- .../traefik-Logs-Traefik-Dashboard.json | 1586 ++++++++--------- packages/traefik/manifest.yml | 20 +- 22 files changed, 2293 insertions(+), 1356 deletions(-) create mode 100644 packages/traefik/data_stream/access/fields/agent.yml delete mode 100644 packages/traefik/data_stream/access/fields/ecs.yml delete mode 100644 packages/traefik/data_stream/health/_dev/test/system/test-default-config.yml 
diff --git a/packages/traefik/_dev/build/build.yml b/packages/traefik/_dev/build/build.yml
index aaafc5d833b..1f4fa988f6e 100644
--- a/packages/traefik/_dev/build/build.yml
+++ b/packages/traefik/_dev/build/build.yml
@@ -1,3 +1,4 @@
 dependencies:
   ecs:
-    reference: git@v8.5.1
+    reference: git@v8.11.0
+    import_mappings: true
diff --git a/packages/traefik/_dev/build/docs/README.md b/packages/traefik/_dev/build/docs/README.md
index 239b0cbdb4d..dff0a13d78f 100644
--- a/packages/traefik/_dev/build/docs/README.md
+++ b/packages/traefik/_dev/build/docs/README.md
@@ -1,28 +1,56 @@ # Traefik Integration -This integration periodically fetches metrics from [Traefik](https://traefik.io/) servers. It also ingests access -logs created by the Traefik server. +## Overview + +[Traefik](https://traefik.io/) is a modern reverse proxy and load balancer that helps to manage and route incoming web traffic to the user's applications. It is designed to dynamically adjust to the changes in user's infrastructure, making it easy to deploy and scale user's services. Traefik integrates well with containerized environments and provides features like automatic SSL certificate management and support for multiple backends. + +Use the Traefik integration to: + +- Collect logs related to access. +- Create informative visualizations to track usage trends, measure key logs, and derive actionable business insights. +- Set up alerts to minimize Mean Time to Detect (MTTD) and Mean Time to Resolve (MTTR) by quickly referencing relevant logs during troubleshooting. + +## Data streams + +The Traefik integration collects logs data. + +Logs help User keep a record of events that happen on user's machine. Users can monitor and troubleshoot the performance of their Traefik instance by accessing the `Log` data stream, which includes client IP, host, username, request address, duration, and content. + +Data streams: +- `access`: Collects information related to the client IP, host, username, request address, duration, and content. + +Note: +- Users can monitor and see the log inside the ingested documents for Traefik in the `logs-*` index pattern from `Discover`. ## Compatibility -The Traefik datasets were tested with Traefik 1.6. +The Traefik datasets were tested with Traefik 1.6, 1.7 and 2.9 versions. -## Logs +## Prerequisites -### Access Logs +User need Elasticsearch for storing and searching user's data and Kibana for visualizing and managing it. 
User can use our hosted Elasticsearch Service on Elastic Cloud, which is recommended or self-manage the Elastic Stack on user's own hardware. -The `access` data stream collects Traefik access logs. +## Setup -{{event "access"}} +For step-by-step instructions on how to set up an integration, see the [Getting started](https://www.elastic.co/guide/en/welcome-to-elastic/current/getting-started-observability.html) guide. -{{fields "access"}} +## Validation + +After the integration is successfully configured, clicking on the Assets tab of the Traefik Integration should display a list of available dashboards. Click on the dashboard available for user's configured data stream. It should be populated with the required data. ## Metrics +Note: +- The `/health` API endpoint which is used to collect the metrics is removed from Traefik `v2` version. Please refer this [issue](https://github.com/traefik/traefik/issues/7629) for more information. +- We are currently working on the metrics collection using the suggested [alternative](https://doc.traefik.io/traefik/v2.3/observability/metrics/prometheus/). Keep a watch on this [issue](https://github.com/elastic/integrations/issues/9820) for more updates. -### Health Metrics +## Logs -The `health` data stream collects metrics from the Traefik server. +### Access Logs -{{event "health"}} +The `access` data stream collects Traefik access logs. This data stream collects logs related to client IP, host, username, request address, duration, and content. -{{fields "health"}} +An example event for `access` looks as following: + +{{event "access"}} + +{{fields "access"}} diff --git a/packages/traefik/changelog.yml b/packages/traefik/changelog.yml index 0271f2ee970..a1b9170d47e 100644 --- a/packages/traefik/changelog.yml +++ b/packages/traefik/changelog.yml 
@@ -1,6 +1,11 @@
+- version: "2.0.0"
+ changes:
+ - description: Support traefik v2.x access-logs.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/9131
 - version: "1.11.1"
 changes:
- - description: Inline "by reference" visualizations
+ - description: Inline "by reference" visualizations.
 type: enhancement
 link: https://github.com/elastic/integrations/pull/8423
 - version: 1.11.0
@@ -25,12 +30,12 @@
 link: https://github.com/elastic/integrations/pull/7767
 - version: "1.8.1"
 changes:
- - description: Add null check and ignore_missing check to the rename processor
+ - description: Add null check and ignore_missing check to the rename processor.
 type: bugfix
 link: https://github.com/elastic/integrations/pull/7845
 - version: "1.8.0"
 changes:
- - description: Rename ownership from obs-service-integrations to obs-infraobs-integrations
+ - description: Rename ownership from obs-service-integrations to obs-infraobs-integrations.
 type: enhancement
 link: https://github.com/elastic/integrations/pull/6298
 - version: "1.7.0"
@@ -45,7 +50,7 @@
 link: https://github.com/elastic/integrations/pull/5123
 - version: "1.6.0"
 changes:
- - description: Update ECS version to 8.5.1
+ - description: Update ECS version to 8.5.1.
 type: enhancement
 link: https://github.com/elastic/integrations/pull/4485
 - version: "1.5.0"
@@ -55,22 +60,22 @@
 link: https://github.com/elastic/integrations/pull/4485
 - version: "1.4.2"
 changes:
- - description: Fix the if condition on the community_id processor in the ingest pipeline
+ - description: Fix the if condition on the community_id processor in the ingest pipeline.
 type: bugfix
 link: https://github.com/elastic/integrations/issues/4074
 - version: "1.4.1"
 changes:
- - description: Remove unused visualizations
+ - description: Remove unused visualizations.
 type: enhancement
 link: https://github.com/elastic/integrations/issues/3975
 - version: "1.4.0"
 changes:
- - description: Migrate tile map to map in logs dashboard
+ - description: Migrate tile map to map in logs dashboard.
 type: enhancement
 link: https://github.com/elastic/integrations/pull/3450
 - version: "1.3.1"
 changes:
- - description: Add documentation for multi-fields
+ - description: Add documentation for multi-fields.
 type: enhancement
 link: https://github.com/elastic/integrations/pull/2916
 - version: "1.3.0"
@@ -80,84 +85,84 @@ link: https://github.com/elastic/integrations/pull/2513 - version: "1.2.2" changes: - - description: Regenerate test files using the new GeoIP database + - description: Regenerate test files using the new GeoIP database. type: bugfix link: https://github.com/elastic/integrations/pull/2339 - version: "1.2.1" changes: - - description: Change test public IPs to the supported subset + - description: Change test public IPs to the supported subset. type: bugfix link: https://github.com/elastic/integrations/pull/2327 - version: "1.2.0" changes: - - description: Release traefik package for v8.0.0 + - description: Release traefik package for v8.0.0. type: enhancement link: https://github.com/elastic/integrations/pull/2186 - version: "1.1.2" changes: - - description: Uniform with guidelines + - description: Uniform with guidelines. type: enhancement link: https://github.com/elastic/integrations/pull/2047 - version: "1.1.1" changes: - - description: Fix logic that checks for the 'forwarded' tag + - description: Fix logic that checks for the 'forwarded' tag. type: bugfix link: https://github.com/elastic/integrations/pull/1857 - version: "1.1.0" changes: - - description: Update to ECS 1.12.0 + - description: Update to ECS 1.12.0. type: enhancement link: https://github.com/elastic/integrations/pull/1710 - version: "1.0.0" changes: - - description: Release Traefik as GA + - description: Release Traefik as GA. type: enhancement link: https://github.com/elastic/integrations/pull/1621 - version: "0.4.3" changes: - - description: Convert to generated ECS fields + - description: Convert to generated ECS fields. type: enhancement link: https://github.com/elastic/integrations/pull/1510 - version: '0.4.2' changes: - - description: update to ECS 1.11.0 + - description: update to ECS 1.11.0. 
type: enhancement link: https://github.com/elastic/integrations/pull/1423 - version: "0.4.1" changes: - - description: Escape special characters in docs + - description: Escape special characters in docs. type: enhancement link: https://github.com/elastic/integrations/pull/1405 - version: "0.4.0" changes: - - description: Update integration description + - description: Update integration description. type: enhancement link: https://github.com/elastic/integrations/pull/1364 - version: "0.3.0" changes: - - description: Set "event.module" and "event.dataset" + - description: Set "event.module" and "event.dataset". type: enhancement link: https://github.com/elastic/integrations/pull/1247 - version: "0.2.0" changes: - - description: update to ECS 1.10.0 and adding event.original options + - description: update to ECS 1.10.0 and adding event.original options. type: enhancement link: https://github.com/elastic/integrations/pull/1107 - version: "0.1.2" changes: - - description: setting minimum Kibana version required to 7.13.0 + - description: setting minimum Kibana version required to 7.13.0. type: bugfix link: https://github.com/elastic/integrations/pull/1003 - version: "0.1.1" changes: - - description: parse either commonlog- or json-formatted logs + - description: parse either commonlog- or json-formatted logs. type: enhancement link: https://github.com/elastic/integrations/pull/770 - - description: update to ECS 1.9.0 + - description: update to ECS 1.9.0. type: enhancement link: https://github.com/elastic/integrations/pull/876 - version: "0.1.0" changes: - - description: initial release + - description: initial release. type: enhancement # can be one of: enhancement, bugfix, breaking-change link: https://github.com/elastic/integrations/pull/763 diff --git a/packages/traefik/data_stream/access/_dev/test/pipeline/test-format-common.log b/packages/traefik/data_stream/access/_dev/test/pipeline/test-format-common.log index 9fb557e3ff3..88449e46267 100644 
--- a/packages/traefik/data_stream/access/_dev/test/pipeline/test-format-common.log +++ b/packages/traefik/data_stream/access/_dev/test/pipeline/test-format-common.log @@ -5,3 +5,4 @@ 89.160.20.156 - - [19/Jan/2018:10:01:02 +0000] "GET /assets/52f8f2e711d235d76044799e/owners?oauth_token=ya29.GltABOXd_gtG-XVvYX2YhxXJiXVvbHRMXn9fbzc_mDfl2rDhqK0CrAlwuwwRWnNnEaMDwkmyI7-QGbRSB0Hzje2cc__FjTQ1iuiYTSIBaIPfxSWip5jx6zqvsVVo HTTP/1.1" 200 85 - "Android" 623112 "Host-api-wearerealitygames-com-2" "http://172.25.0.9:4140" 13ms 89.160.20.156 - - [19/Jan/2018:10:01:02 +0000] "GET /marketplace/tax?oauth_token=ya29.Gl0fBWnrJ7DcEU-tN-O3Vxn2XZVaz2I-hFTjP1JQzhYFVT-SKtlmo9hSzrx3n82LUwUxJ1s5lmU8U3Mc9gA_aCxBk49ShYEwvmYOWxJJyldDIJ7hY4us4LoiSY1OqAM HTTP/1.1" 200 150 - "Android" 623114 "Host-api-wearerealitygames-com-2" "http://172.25.0.6:4140" 8ms 127.0.0.1 - frank [10/Oct/2000:13:55:36 -0700] "GET /apache_pb.gif HTTP/1.0" 200 2326 +::1 - - [15/Apr/2024:13:04:10 +0000] "GET / HTTP/1.1" - - "-" "-" 27 "-" "-" 0ms diff --git a/packages/traefik/data_stream/access/_dev/test/pipeline/test-format-common.log-expected.json b/packages/traefik/data_stream/access/_dev/test/pipeline/test-format-common.log-expected.json index cae84f8687c..d18a71fb924 100644 --- a/packages/traefik/data_stream/access/_dev/test/pipeline/test-format-common.log-expected.json +++ b/packages/traefik/data_stream/access/_dev/test/pipeline/test-format-common.log-expected.json @@ -2,8 +2,13 @@ "expected": [ { "@timestamp": "2017-10-02T20:22:07.000Z", + "destination": { + "address": "172.19.0.3:5601", + "ip": "172.19.0.3", + "port": 5601 + }, "ecs": { - "version": "8.5.1" + "version": "8.11.0" }, "event": { "category": [ 
@@ -11,7 +16,7 @@ ], "created": "2020-04-28T11:07:58.223Z", "duration": 2000000, - "ingested": "2023-10-15T20:29:57.434126924Z", + "ingested": "2024-04-15T14:45:35.976489481Z", "kind": "event", "original": "192.168.33.1 - - [02/Oct/2017:20:22:07 +0000] \"GET /ui/favicons/favicon-16x16.png HTTP/1.1\" 304 0 \"http://example.com/login\" \"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36\" 262 \"Host-host-1\" \"http://172.19.0.3:5601\" 2ms", "outcome": "success", @@ -37,7 +42,8 @@ }, "related": { "ip": [ - "192.168.33.1" + "192.168.33.1", + "172.19.0.3" ] }, "source": { @@ -49,9 +55,13 @@ ], "traefik": { "access": { - "backend_url": "http://172.19.0.3:5601", - "frontend_name": "Host-host-1", "request_count": 262, + "router": { + "name": "Host-host-1" + }, + "service": { + "address": "http://172.19.0.3:5601" + }, "user_identifier": "-" } }, @@ -75,8 +85,13 @@ }, { "@timestamp": "2017-10-02T20:22:08.000Z", + "destination": { + "address": "172.19.0.3:5601", + "ip": "172.19.0.3", + "port": 5601 + }, "ecs": { - "version": "8.5.1" + "version": "8.11.0" }, "event": { "category": [ @@ -84,7 +99,7 @@ ], "created": "2020-04-28T11:07:58.223Z", "duration": 3000000, - "ingested": "2023-10-15T20:29:57.434135216Z", + "ingested": "2024-04-15T14:45:35.976500584Z", "kind": "event", "original": "89.160.20.156 - - [02/Oct/2017:20:22:08 +0000] \"GET /ui/favicons/favicon.ico HTTP/1.1\" 304 0 \"http://example.com/login\" \"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36\" 271 \"Host-host1\" \"http://172.19.0.3:5601\" 3ms", "outcome": "success", @@ -110,7 +125,8 @@ }, "related": { "ip": [ - "89.160.20.156" + "89.160.20.156", + "172.19.0.3" ] }, "source": { 
@@ -140,9 +156,13 @@ ], "traefik": { "access": { - "backend_url": "http://172.19.0.3:5601", - "frontend_name": "Host-host1", "request_count": 271, + "router": { + "name": "Host-host1" + }, + "service": { + "address": "http://172.19.0.3:5601" + }, "user_identifier": "-" } }, @@ -166,8 +186,13 @@ }, { "@timestamp": "2018-02-28T17:30:33.000Z", + "destination": { + "address": "172.19.0.6:14008", + "ip": "172.19.0.6", + "port": 14008 + }, "ecs": { - "version": "8.5.1" + "version": "8.11.0" }, "event": { "category": [ @@ -175,7 +200,7 @@ ], "created": "2020-04-28T11:07:58.223Z", "duration": 247000000, - "ingested": "2023-10-15T20:29:57.434136383Z", + "ingested": "2024-04-15T14:45:35.976502718Z", "kind": "event", "original": "89.160.20.156 - - [28/Feb/2018:17:30:33 +0000] \"GET /en/ HTTP/2.0\" 200 2814 - \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_2_5 like Mac OS X) AppleWebKit/604.5.6 (KHTML, like Gecko) Version/11.0 Mobile/15D60 Safari/604.1\" 13 \"Host-host1-com-0\" \"http://172.19.0.6:14008\" 247ms", "outcome": "success", @@ -200,7 +225,8 @@ }, "related": { "ip": [ - "89.160.20.156" + "89.160.20.156", + "172.19.0.6" ] }, "source": { @@ -230,9 +256,13 @@ ], "traefik": { "access": { - "backend_url": "http://172.19.0.6:14008", - "frontend_name": "Host-host1-com-0", "request_count": 13, + "router": { + "name": "Host-host1-com-0" + }, + "service": { + "address": "http://172.19.0.6:14008" + }, "user_identifier": "-" } }, @@ -258,8 +288,11 @@ }, { "@timestamp": "2018-11-29T15:03:51.000Z", + "destination": { + "address": "/" + }, "ecs": { - "version": "8.5.1" + "version": "8.11.0" }, "event": { "category": [ @@ -267,7 +300,7 @@ ], "created": "2020-04-28T11:07:58.223Z", "duration": 0, - "ingested": "2023-10-15T20:29:57.434137341Z", + "ingested": "2024-04-15T14:45:35.976504143Z", "kind": "event", "original": "::1 - - [29/Nov/2018:15:03:51 +0000] \"GET / HTTP/1.1\" 404 19 \"-\" \"curl/7.62.0\" 10 \"backend not found\" \"/\" 0ms", "outcome": "failure", 
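Review bot: The new `destination.address` asserted in the `@@ -258,8 +288,11 @@` hunk is the literal `/` that the "backend not found" log line carries in the backend-URL position, and the event appended at the end of this file (the `::1 ... "-" "-" 27 "-" "-" 0ms` case) repeats the pattern with `-`, yielding `"destination": { "address": "-" }`, `"referrer": "-"` and `"router": { "name": "-" }`. Neither `/` nor `-` is an address, referrer or router; once indexed they become ordinary terms, so a detection rule or aggregation keyed on `destination.address` will group every unmatched-backend request under a synthetic value. The common-format pipeline is outside this hunk, but the fix belongs there: drop the field when the parsed token is `-` (or `/` for the backend URL) before it is copied into `destination.*`, `http.request.referrer` and `traefik.access.router.name`, so these expected documents omit the keys instead of asserting the placeholder. `user.name: "-"` and `user_identifier: "-"` show the same artefact from before this change and could be handled in the same pass.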
@@ -305,9 +338,13 @@ ], "traefik": { "access": { - "backend_url": "/", - "frontend_name": "backend not found", "request_count": 10, + "router": { + "name": "backend not found" + }, + "service": { + "address": "/" + }, "user_identifier": "-" } }, @@ -328,8 +365,13 @@ }, { "@timestamp": "2018-01-19T10:01:02.000Z", + "destination": { + "address": "172.25.0.9:4140", + "ip": "172.25.0.9", + "port": 4140 + }, "ecs": { - "version": "8.5.1" + "version": "8.11.0" }, "event": { "category": [ @@ -337,7 +379,7 @@ ], "created": "2020-04-28T11:07:58.223Z", "duration": 13000000, - "ingested": "2023-10-15T20:29:57.434138133Z", + "ingested": "2024-04-15T14:45:35.976505409Z", "kind": "event", "original": "89.160.20.156 - - [19/Jan/2018:10:01:02 +0000] \"GET /assets/52f8f2e711d235d76044799e/owners?oauth_token=ya29.GltABOXd_gtG-XVvYX2YhxXJiXVvbHRMXn9fbzc_mDfl2rDhqK0CrAlwuwwRWnNnEaMDwkmyI7-QGbRSB0Hzje2cc__FjTQ1iuiYTSIBaIPfxSWip5jx6zqvsVVo HTTP/1.1\" 200 85 - \"Android\" 623112 \"Host-api-wearerealitygames-com-2\" \"http://172.25.0.9:4140\" 13ms", "outcome": "success", @@ -362,7 +404,8 @@ }, "related": { "ip": [ - "89.160.20.156" + "89.160.20.156", + "172.25.0.9" ] }, "source": { @@ -392,9 +435,13 @@ ], "traefik": { "access": { - "backend_url": "http://172.25.0.9:4140", - "frontend_name": "Host-api-wearerealitygames-com-2", "request_count": 623112, + "router": { + "name": "Host-api-wearerealitygames-com-2" + }, + "service": { + "address": "http://172.25.0.9:4140" + }, "user_identifier": "-" } }, @@ -417,8 +464,13 @@ }, { "@timestamp": "2018-01-19T10:01:02.000Z", + "destination": { + "address": "172.25.0.6:4140", + "ip": "172.25.0.6", + "port": 4140 + }, "ecs": { - "version": "8.5.1" + "version": "8.11.0" }, "event": { "category": [ 
@@ -426,7 +478,7 @@ ], "created": "2020-04-28T11:07:58.223Z", "duration": 8000000, - "ingested": "2023-10-15T20:29:57.434138883Z", + "ingested": "2024-04-15T14:45:35.976506646Z", "kind": "event", "original": "89.160.20.156 - - [19/Jan/2018:10:01:02 +0000] \"GET /marketplace/tax?oauth_token=ya29.Gl0fBWnrJ7DcEU-tN-O3Vxn2XZVaz2I-hFTjP1JQzhYFVT-SKtlmo9hSzrx3n82LUwUxJ1s5lmU8U3Mc9gA_aCxBk49ShYEwvmYOWxJJyldDIJ7hY4us4LoiSY1OqAM HTTP/1.1\" 200 150 - \"Android\" 623114 \"Host-api-wearerealitygames-com-2\" \"http://172.25.0.6:4140\" 8ms", "outcome": "success", @@ -451,7 +503,8 @@ }, "related": { "ip": [ - "89.160.20.156" + "89.160.20.156", + "172.25.0.6" ] }, "source": { @@ -481,9 +534,13 @@ ], "traefik": { "access": { - "backend_url": "http://172.25.0.6:4140", - "frontend_name": "Host-api-wearerealitygames-com-2", "request_count": 623114, + "router": { + "name": "Host-api-wearerealitygames-com-2" + }, + "service": { + "address": "http://172.25.0.6:4140" + }, "user_identifier": "-" } }, @@ -507,14 +564,14 @@ { "@timestamp": "2000-10-10T20:55:36.000Z", "ecs": { - "version": "8.5.1" + "version": "8.11.0" }, "event": { "category": [ "web" ], "created": "2020-04-28T11:07:58.223Z", - "ingested": "2023-10-15T20:29:57.434139674Z", + "ingested": "2024-04-15T14:45:35.976507882Z", "kind": "event", "original": "127.0.0.1 - frank [10/Oct/2000:13:55:36 -0700] \"GET /apache_pb.gif HTTP/1.0\" 200 2326", "outcome": "success", 
@@ -563,6 +620,75 @@ "user": { "name": "frank" } + }, + { + "@timestamp": "2024-04-15T13:04:10.000Z", + "destination": { + "address": "-" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "web" + ], + "created": "2020-04-28T11:07:58.223Z", + "duration": 0, + "ingested": "2024-04-15T14:45:35.976509119Z", + "kind": "event", + "original": "::1 - - [15/Apr/2024:13:04:10 +0000] \"GET / HTTP/1.1\" - - \"-\" \"-\" 27 \"-\" \"-\" 0ms", + "type": [ + "access" + ] + }, + "http": { + "request": { + "method": "GET", + "referrer": "-" + }, + "version": "1.1" + }, + "network": { + "transport": "tcp" + }, + "related": { + "ip": [ + "::1" + ] + }, + "source": { + "address": "::1", + "ip": "::1" + }, + "tags": [ + "preserve_original_event" + ], + "traefik": { + "access": { + "request_count": 27, + "router": { + "name": "-" + }, + "service": { + "address": "-" + }, + "user_identifier": "-" + } + }, + "url": { + "original": "/" + }, + "user": { + "name": "-" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Other", + "original": "-" + } } ] } \ No newline at end of file diff --git a/packages/traefik/data_stream/access/_dev/test/pipeline/test-format-json.log b/packages/traefik/data_stream/access/_dev/test/pipeline/test-format-json.log index 95babbf05d2..471e022c473 100644 --- a/packages/traefik/data_stream/access/_dev/test/pipeline/test-format-json.log +++ b/packages/traefik/data_stream/access/_dev/test/pipeline/test-format-json.log 
@@ -1,2 +1,7 @@ {"BackendAddr":"","BackendName":"Traefik","BackendURL":{"Scheme":"","Opaque":"","User":null,"Host":"","Path":"/","RawPath":"","ForceQuery":false,"RawQuery":"","Fragment":""},"ClientAddr":"127.0.0.1:48658","ClientHost":"127.0.0.1","ClientPort":"48658","ClientUsername":"-","DownstreamContentSize":19,"DownstreamStatus":404,"DownstreamStatusLine":"404 Not Found","Duration":40356,"FrontendName":"backend not found","OriginContentSize":19,"OriginDuration":4086,"OriginStatus":404,"OriginStatusLine":"404 Not Found","Overhead":36270,"RequestAddr":"backend.elastic-package-service.docker.localhost","RequestContentSize":0,"RequestCount":7,"RequestHost":"backend.elastic-package-service.docker.localhost","RequestLine":"GET / HTTP/1.1","RequestMethod":"GET","RequestPath":"/","RequestPort":"-","RequestProtocol":"HTTP/1.1","RetryAttempts":0,"StartLocal":"2021-03-16T18:56:54.735539596Z","StartUTC":"2021-03-16T18:56:54.735539596Z","downstream_Content-Type":"text/plain; charset=utf-8","downstream_X-Content-Type-Options":"nosniff","level":"info","msg":"","origin_Content-Type":"text/plain; charset=utf-8","origin_X-Content-Type-Options":"nosniff","request_Accept":"*/*","request_User-Agent":"curl/7.67.0","time":"2021-03-16T18:56:54Z"} -{"BackendAddr":"172.21.0.2:80","BackendName":"backend-backend-docker","BackendURL":{"Scheme":"http","Opaque":"","User":null,"Host":"172.21.0.2:80","Path":"","RawPath":"","ForceQuery":false,"RawQuery":"","Fragment":""},"ClientAddr":"172.21.0.1:59068","ClientHost":"172.21.0.1","ClientPort":"59068","ClientUsername":"-","DownstreamContentSize":383,"DownstreamStatus":200,"DownstreamStatusLine":"200 OK","Duration":3034764,"FrontendName":"Host-backend-docker-docker-localhost-2","OriginContentSize":383,"OriginDuration":2155389,"OriginStatus":200,"OriginStatusLine":"200 OK","Overhead":879375,"RequestAddr":"backend.docker.docker.localhost","RequestContentSize":0,"RequestCount":27,"RequestHost":"backend.docker.docker.localhost","RequestLine":"GET / 
HTTP/1.1","RequestMethod":"GET","RequestPath":"/","RequestPort":"-","RequestProtocol":"HTTP/1.1","RetryAttempts":0,"StartLocal":"2021-03-16T19:08:41.039598834Z","StartUTC":"2021-03-16T19:08:41.039598834Z","downstream_Content-Length":"383","downstream_Content-Type":"text/plain; charset=utf-8","downstream_Date":"Tue, 16 Mar 2021 19:08:41 GMT","level":"info","msg":"","origin_Content-Length":"383","origin_Content-Type":"text/plain; charset=utf-8","origin_Date":"Tue, 16 Mar 2021 19:08:41 GMT","request_Accept":"*/*","request_User-Agent":"curl/7.64.1","time":"2021-03-16T19:08:41Z"} \ No newline at end of file +{"BackendAddr":"10.10.10.10:80","BackendName":"backend-backend-docker","BackendURL":{"Scheme":"http","Opaque":"","User":null,"Host":"10.10.10.20:80","Path":"","RawPath":"","ForceQuery":false,"RawQuery":"","Fragment":""},"ClientAddr":"10.10.10.20:12345","ClientHost":"10.10.10.20","ClientPort":"12345","ClientUsername":"-","DownstreamContentSize":383,"DownstreamStatus":200,"DownstreamStatusLine":"200 OK","Duration":100000,"FrontendName":"Host-backend-docker-docker-localhost-2","OriginContentSize":383,"OriginDuration":2155389,"OriginStatus":200,"OriginStatusLine":"200 OK","Overhead":879375,"RequestAddr":"backend.docker.docker.localhost","RequestContentSize":0,"RequestCount":27,"RequestHost":"backend.docker.docker.localhost","RequestLine":"GET / HTTP/1.1","RequestMethod":"GET","RequestPath":"/","RequestPort":"-","RequestProtocol":"HTTP/1.1","RetryAttempts":0,"StartLocal":"2021-03-16T19:08:41.039598834Z","StartUTC":"2021-03-16T19:08:41.039598834Z","downstream_Content-Length":"383","downstream_Content-Type":"text/plain; charset=utf-8","downstream_Date":"Tue, 16 Mar 2021 19:08:41 GMT","level":"info","msg":"","origin_Content-Length":"383","origin_Content-Type":"text/plain; charset=utf-8","origin_Date":"Tue, 16 Mar 2021 19:08:41 GMT","request_Accept":"*/*","request_User-Agent":"curl/7.64.1","time":"2021-03-16T19:08:41Z"} 
+{"ClientAddr":"10.10.10.10:12345","ClientHost":"10.10.10.10","ClientPort":"12345","ClientUsername":"-","DownstreamContentSize":2,"DownstreamStatus":200,"Duration":24814,"OriginContentSize":2,"OriginDuration":12613,"OriginStatus":200,"Overhead":12201,"RequestAddr":"10.10.10.11:4567","RequestContentSize":0,"RequestCount":12345,"RequestHost":"10.10.10.11","RequestMethod":"GET","RequestPath":"/ping","RequestPort":"4567","RequestProtocol":"HTTP/1.1","RequestScheme":"http","RetryAttempts":0,"RouterName":"ping@internal","StartLocal":"2024-02-01T15:43:38.669746824Z","StartUTC":"2024-02-01T15:43:38.669746824Z","entryPointName":"ping","level":"info","msg":"","request_X-Forwarded-Host":"10.10.10.12:1234","time":"2024-02-01T15:43:38Z"} +{"ClientAddr":"10.10.10.20:23456","DownstreamContentSize":19,"DownstreamStatus":404,"Duration":486767,"OriginContentSize":19,"OriginDuration":467360,"OriginStatus":404,"Overhead":19407,"RequestAddr":"10.10.10.11:12345","RequestContentSize":814,"RequestCount":583793,"RequestHost":"10.10.10.11","RequestMethod":"GET","RequestPath":"/foo/bar/baz.php","RequestPort":"-","RequestProtocol":"HTTP/1.1","RetryAttempts":0,"RouterName":"service-foo-0101010101010101@kubernetescrd","ServiceAddr":"10.10.10.40:1234","ServiceName":"service-foo-0120101010101@kubernetescrd","ServiceURL":{"Scheme":"http","Opaque":"","User":null,"Host":"10.10.10.60:5678","Path":"","RawPath":"","OmitHost":false,"ForceQuery":false,"RawQuery":"","Fragment":"","RawFragment":""},"StartLocal":"2024-02-02T17:07:08.048870614Z","downstream_Content-Type":"text/plain; charset=utf-8","entryPointName":"web","level":"info","msg":"","origin_Content-Type":"text/plain; charset=utf-8","request_User-Agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/123.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36","time":"2024-02-02T17:07:08Z"} 
+{"ClientAddr":"10.10.10.21:34567","DownstreamContentSize":0,"DownstreamStatus":304,"Duration":46382173,"OriginContentSize":0,"OriginDuration":46361120,"OriginStatus":304,"Overhead":21053,"RequestAddr":"foo.acme.com","RequestContentSize":0,"RequestCount":583779,"RequestHost":"foo.acme.com","RequestMethod":"GET","RequestPath":"/1.0.0/acme/current/foo.png","RequestPort":"-","RequestProtocol":"HTTP/1.1","RetryAttempts":0,"RouterName":"service-bar-202020202020202@kubernetescrd","ServiceAddr":"10.10.10.60:5678","ServiceName":"service-bar-0d0d0d0d0d0@kubernetescrd","ServiceURL":{"Scheme":"http","Opaque":"","User":null,"Host":"10.10.10.90:8901","Path":"","RawPath":"","OmitHost":false,"ForceQuery":false,"RawQuery":"","Fragment":"","RawFragment":""},"StartLocal":"2024-02-02T16:18:24.844946659Z","downstream_X-Tiles-S3-Cache":"miss","entryPointName":"web","level":"info","msg":"","origin_X-Tiles-S3-Cache":"miss","request_Origin":"https://foo.acme.com/","request_User-Agent":"MapFishPrint/UNAVAILABLE Apache-HttpClient/4.5.14 (Java/11.0.21)","request_X-Amz-Cf-Id":"oeoereofajjvaifei-dadfa-adfafa_dpafdeofkdasf==","time":"2024-02-02T16:18:24Z"} +{"ClientAddr": "10.10.8.105:48376","ClientHost": "175.16.199.10","ClientPort": "48376","ClientUsername": "-","DownstreamContentSize": 88,"DownstreamStatus": 200,"Duration": 59518533,"OriginContentSize": 88,"OriginDuration": 59428568,"OriginStatus": 200,"Overhead": 89965,"RequestAddr": "api-students.unpad.ac.id","RequestContentSize": 0,"RequestCount": 75,"RequestHost": "api-students.unpad.ac.id","RequestMethod": "GET","RequestPath": "/api/v1/study/140410210038/card/comment","RequestPort": "-","RequestProtocol": "HTTP/1.0","RequestScheme": "http","RetryAttempts": 0,"RouterName": "app-unpad-students-api-prod-app-unpad-students-api-api-students-unpad-ac-id-api@kubernetes","ServiceAddr": "10.1.25.243:80","ServiceName": "app-unpad-students-api-prod-app-unpad-students-api-80@kubernetes","ServiceURL": {"Scheme": "http","Opaque": "","User": 
null,"Host": "10.1.25.243:80","Path": "","RawPath": "","OmitHost": false,"ForceQuery": false,"RawQuery": "","Fragment": "","RawFragment": ""},"StartLocal": "2024-02-09T11:53:32.609696286Z","StartUTC": "2024-02-09T11:53:32.609696286Z","entryPointName": "web","level": "info","msg": "","time": "2024-02-09T11:53:32Z"} +{"ClientAddr":"[::1]:56348","ClientHost":"::1","ClientPort":"56348","ClientUsername":"-","DownstreamContentSize":19,"DownstreamStatus":404,"Duration":32673,"Overhead":32673,"RequestAddr":"backend.elastic-package-service.docker.localhost","RequestContentSize":0,"RequestCount":27,"RequestHost":"backend.elastic-package-service.docker.localhost","RequestMethod":"GET","RequestPath":"/","RequestPort":"-","RequestProtocol":"HTTP/1.1","RequestScheme":"http","RetryAttempts":0,"StartLocal":"2024-04-15T13:26:33.80902715Z","StartUTC":"2024-04-15T13:26:33.80902715Z","level":"info","msg":"","time":"2024-04-15T13:26:33Z"} diff --git a/packages/traefik/data_stream/access/_dev/test/pipeline/test-format-json.log-expected.json b/packages/traefik/data_stream/access/_dev/test/pipeline/test-format-json.log-expected.json index a6197bb96cd..389297b3cc9 100644 --- a/packages/traefik/data_stream/access/_dev/test/pipeline/test-format-json.log-expected.json +++ b/packages/traefik/data_stream/access/_dev/test/pipeline/test-format-json.log-expected.json @@ -1,9 +1,9 @@ { "expected": [ { - "@timestamp": "2021-03-16T18:56:54Z", + "@timestamp": "2021-03-16T18:56:54.735539596Z", "ecs": { - "version": "8.5.1" + "version": "8.11.0" }, "event": { "category": [ 
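Review bot: The fifth added record in this fixture uses what appears to be a real third-party hostname, `api-students.unpad.ac.id`, together with a request path (`/api/v1/study/140410210038/card/comment`) whose numeric segment looks like a genuine record identifier rather than a synthetic one. The other added lines already use placeholder names and RFC 1918 addresses (`foo.acme.com`, `10.10.10.x`), so this line should follow suit, e.g. `"RequestAddr":"api-students.example.com"` / `"RequestHost":"api-students.example.com"` and an obviously constructed id in the path, to avoid shipping someone else's production hostname in a public test corpus. The same record's `ClientAddr` (`10.10.8.105:48376`) and `ClientHost` (`175.16.199.10`) disagree; if that is deliberate, to check which one the pipeline prefers for `source.ip`, it is worth making the expected document the place where that intent is visible, since a `.log` fixture cannot carry a comment.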
@@ -11,7 +11,7 @@ ], "created": "2020-04-28T11:07:58.223Z", "duration": 40356, - "ingested": "2023-10-15T20:29:57.503748924Z", + "ingested": "2024-04-15T14:45:36.219190787Z", "kind": "event", "original": "{\"BackendAddr\":\"\",\"BackendName\":\"Traefik\",\"BackendURL\":{\"Scheme\":\"\",\"Opaque\":\"\",\"User\":null,\"Host\":\"\",\"Path\":\"/\",\"RawPath\":\"\",\"ForceQuery\":false,\"RawQuery\":\"\",\"Fragment\":\"\"},\"ClientAddr\":\"127.0.0.1:48658\",\"ClientHost\":\"127.0.0.1\",\"ClientPort\":\"48658\",\"ClientUsername\":\"-\",\"DownstreamContentSize\":19,\"DownstreamStatus\":404,\"DownstreamStatusLine\":\"404 Not Found\",\"Duration\":40356,\"FrontendName\":\"backend not found\",\"OriginContentSize\":19,\"OriginDuration\":4086,\"OriginStatus\":404,\"OriginStatusLine\":\"404 Not Found\",\"Overhead\":36270,\"RequestAddr\":\"backend.elastic-package-service.docker.localhost\",\"RequestContentSize\":0,\"RequestCount\":7,\"RequestHost\":\"backend.elastic-package-service.docker.localhost\",\"RequestLine\":\"GET / HTTP/1.1\",\"RequestMethod\":\"GET\",\"RequestPath\":\"/\",\"RequestPort\":\"-\",\"RequestProtocol\":\"HTTP/1.1\",\"RetryAttempts\":0,\"StartLocal\":\"2021-03-16T18:56:54.735539596Z\",\"StartUTC\":\"2021-03-16T18:56:54.735539596Z\",\"downstream_Content-Type\":\"text/plain; charset=utf-8\",\"downstream_X-Content-Type-Options\":\"nosniff\",\"level\":\"info\",\"msg\":\"\",\"origin_Content-Type\":\"text/plain; charset=utf-8\",\"origin_X-Content-Type-Options\":\"nosniff\",\"request_Accept\":\"*/*\",\"request_User-Agent\":\"curl/7.67.0\",\"time\":\"2021-03-16T18:56:54Z\"}", "outcome": "failure", 
@@ -21,26 +21,49 @@ }, "http": { "request": { + "body": { + "bytes": 0 + }, + "headers": { + "accept": "*/*" + }, "method": "GET" }, "response": { "body": { "bytes": 19 }, + "headers": { + "content-type": "text/plain; charset=utf-8", + "x-content-type-options": "nosniff" + }, "status_code": 404 }, "version": "1.1" }, + "log": { + "level": "info" + }, "network": { "transport": "tcp" }, + "observer": { + "egress": { + "interface": { + "name": "Traefik" + } + }, + "product": "traefik", + "type": "proxy", + "vendor": "traefik" + }, "related": { "ip": [ "127.0.0.1" ] }, "source": { - "address": "127.0.0.1", + "address": "127.0.0.1:48658", "ip": "127.0.0.1", "port": 48658 }, @@ -49,14 +72,33 @@ ], "traefik": { "access": { - "backend_url": "", - "frontend_name": "backend not found", - "request_count": 7 + "origin": { + "content_size": 19, + "duration": 4086, + "headers": { + "content-type": "text/plain; charset=utf-8", + "x-content-type-options": "nosniff" + }, + "status_code": 404 + }, + "overhead": 36270, + "request_count": 7, + "retry_attempts": 0, + "router": { + "name": "backend not found" + }, + "service": { + "url": { + "force_query": false, + "path": "/" + } + } } }, "url": { "domain": "backend.elastic-package-service.docker.localhost", - "original": "/" + "original": "backend.elastic-package-service.docker.localhost/", + "path": "/" }, "user": { "name": "-" 
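Review bot: The `http.request.headers`, `http.response.headers` and `traefik.access.origin.headers` objects asserted in the `@@ -21,26 +21,49 @@` hunk are keyed by header name (`accept`, `content-type`, `x-content-type-options`), which makes the key set unbounded: Traefik emits one `request_*`, `origin_*` or `downstream_*` field per header it is configured to keep, so every new header name that reaches the pipeline becomes a new dynamically mapped field in the index, or a mapping conflict when a value does not fit. It also means that if an operator keeps all headers in Traefik's access-log configuration, values such as `authorization`, `cookie` or `set-cookie` are indexed verbatim under these objects. The pipeline and `fields.yml` are not in this hunk, but these three objects should be declared as `flattened` (or `object` with `dynamic: false`) rather than left to dynamic mapping, and the README should state that header values are stored unmodified so operators redact sensitive headers on the Traefik side.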
@@ -71,24 +113,24 @@ } }, { - "@timestamp": "2021-03-16T19:08:41Z", + "@timestamp": "2021-03-16T19:08:41.039598834Z", "destination": { - "address": "172.21.0.2", - "ip": "172.21.0.2", + "address": "10.10.10.10", + "ip": "10.10.10.10", "port": 80 }, "ecs": { - "version": "8.5.1" + "version": "8.11.0" }, "event": { "category": [ "web" ], "created": "2020-04-28T11:07:58.223Z", - "duration": 3034764, - "ingested": "2023-10-15T20:29:57.503757966Z", + "duration": 100000, + "ingested": "2024-04-15T14:45:36.219217692Z", "kind": "event", - "original": "{\"BackendAddr\":\"172.21.0.2:80\",\"BackendName\":\"backend-backend-docker\",\"BackendURL\":{\"Scheme\":\"http\",\"Opaque\":\"\",\"User\":null,\"Host\":\"172.21.0.2:80\",\"Path\":\"\",\"RawPath\":\"\",\"ForceQuery\":false,\"RawQuery\":\"\",\"Fragment\":\"\"},\"ClientAddr\":\"172.21.0.1:59068\",\"ClientHost\":\"172.21.0.1\",\"ClientPort\":\"59068\",\"ClientUsername\":\"-\",\"DownstreamContentSize\":383,\"DownstreamStatus\":200,\"DownstreamStatusLine\":\"200 OK\",\"Duration\":3034764,\"FrontendName\":\"Host-backend-docker-docker-localhost-2\",\"OriginContentSize\":383,\"OriginDuration\":2155389,\"OriginStatus\":200,\"OriginStatusLine\":\"200 OK\",\"Overhead\":879375,\"RequestAddr\":\"backend.docker.docker.localhost\",\"RequestContentSize\":0,\"RequestCount\":27,\"RequestHost\":\"backend.docker.docker.localhost\",\"RequestLine\":\"GET / HTTP/1.1\",\"RequestMethod\":\"GET\",\"RequestPath\":\"/\",\"RequestPort\":\"-\",\"RequestProtocol\":\"HTTP/1.1\",\"RetryAttempts\":0,\"StartLocal\":\"2021-03-16T19:08:41.039598834Z\",\"StartUTC\":\"2021-03-16T19:08:41.039598834Z\",\"downstream_Content-Length\":\"383\",\"downstream_Content-Type\":\"text/plain; charset=utf-8\",\"downstream_Date\":\"Tue, 16 Mar 2021 19:08:41 GMT\",\"level\":\"info\",\"msg\":\"\",\"origin_Content-Length\":\"383\",\"origin_Content-Type\":\"text/plain; charset=utf-8\",\"origin_Date\":\"Tue, 16 Mar 2021 19:08:41 
GMT\",\"request_Accept\":\"*/*\",\"request_User-Agent\":\"curl/7.64.1\",\"time\":\"2021-03-16T19:08:41Z\"}", + "original": "{\"BackendAddr\":\"10.10.10.10:80\",\"BackendName\":\"backend-backend-docker\",\"BackendURL\":{\"Scheme\":\"http\",\"Opaque\":\"\",\"User\":null,\"Host\":\"10.10.10.20:80\",\"Path\":\"\",\"RawPath\":\"\",\"ForceQuery\":false,\"RawQuery\":\"\",\"Fragment\":\"\"},\"ClientAddr\":\"10.10.10.20:12345\",\"ClientHost\":\"10.10.10.20\",\"ClientPort\":\"12345\",\"ClientUsername\":\"-\",\"DownstreamContentSize\":383,\"DownstreamStatus\":200,\"DownstreamStatusLine\":\"200 OK\",\"Duration\":100000,\"FrontendName\":\"Host-backend-docker-docker-localhost-2\",\"OriginContentSize\":383,\"OriginDuration\":2155389,\"OriginStatus\":200,\"OriginStatusLine\":\"200 OK\",\"Overhead\":879375,\"RequestAddr\":\"backend.docker.docker.localhost\",\"RequestContentSize\":0,\"RequestCount\":27,\"RequestHost\":\"backend.docker.docker.localhost\",\"RequestLine\":\"GET / HTTP/1.1\",\"RequestMethod\":\"GET\",\"RequestPath\":\"/\",\"RequestPort\":\"-\",\"RequestProtocol\":\"HTTP/1.1\",\"RetryAttempts\":0,\"StartLocal\":\"2021-03-16T19:08:41.039598834Z\",\"StartUTC\":\"2021-03-16T19:08:41.039598834Z\",\"downstream_Content-Length\":\"383\",\"downstream_Content-Type\":\"text/plain; charset=utf-8\",\"downstream_Date\":\"Tue, 16 Mar 2021 19:08:41 GMT\",\"level\":\"info\",\"msg\":\"\",\"origin_Content-Length\":\"383\",\"origin_Content-Type\":\"text/plain; charset=utf-8\",\"origin_Date\":\"Tue, 16 Mar 2021 19:08:41 GMT\",\"request_Accept\":\"*/*\",\"request_User-Agent\":\"curl/7.64.1\",\"time\":\"2021-03-16T19:08:41Z\"}", "outcome": "success", "type": [ "access" 
@@ -96,44 +138,88 @@ }, "http": { "request": { + "body": { + "bytes": 0 + }, + "headers": { + "accept": "*/*" + }, "method": "GET" }, "response": { "body": { "bytes": 383 }, + "headers": { + "content-length": "383", + "content-type": "text/plain; charset=utf-8", + "date": "Tue, 16 Mar 2021 19:08:41 GMT" + }, "status_code": 200 }, "version": "1.1" }, + "log": { + "level": "info" + }, "network": { - "community_id": "1:DJlJOSbrvisPNQtgBIyBaYAwlz8=", + "community_id": "1:kcKdWwm5M2AO7OEsq15WgQghykE=", "transport": "tcp" }, + "observer": { + "egress": { + "interface": { + "name": "backend-backend-docker" + } + }, + "product": "traefik", + "type": "proxy", + "vendor": "traefik" + }, "related": { "ip": [ - "172.21.0.1", - "172.21.0.2" + "10.10.10.20", + "10.10.10.10" ] }, "source": { - "address": "172.21.0.1", - "ip": "172.21.0.1", - "port": 59068 + "address": "10.10.10.20:12345", + "ip": "10.10.10.20", + "port": 12345 }, "tags": [ "preserve_original_event" ], "traefik": { "access": { - "backend_url": "172.21.0.2:80", - "frontend_name": "Host-backend-docker-docker-localhost-2", - "request_count": 27 + "origin": { + "content_size": 383, + "duration": 2155389, + "headers": { + "content-length": "383", + "content-type": "text/plain; charset=utf-8", + "date": "Tue, 16 Mar 2021 19:08:41 GMT" + }, + "status_code": 200 + }, + "overhead": 879375, + "request_count": 27, + "retry_attempts": 0, + "router": { + "name": "Host-backend-docker-docker-localhost-2" + }, + "service": { + "url": { + "domain": "10.10.10.20:80", + "force_query": false + } + } } }, "url": { "domain": "backend.docker.docker.localhost", - "original": "/" + "original": "backend.docker.docker.localhost/", + "path": "/" }, "user": { "name": "-" 
@@ -146,6 +232,524 @@ "original": "curl/7.64.1", "version": "7.64.1" } + }, + { + "@timestamp": "2024-02-01T15:43:38.669746824Z", + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "web" + ], + "created": "2020-04-28T11:07:58.223Z", + "duration": 24814, + "ingested": "2024-04-15T14:45:36.219219629Z", + "kind": "event", + "original": "{\"ClientAddr\":\"10.10.10.10:12345\",\"ClientHost\":\"10.10.10.10\",\"ClientPort\":\"12345\",\"ClientUsername\":\"-\",\"DownstreamContentSize\":2,\"DownstreamStatus\":200,\"Duration\":24814,\"OriginContentSize\":2,\"OriginDuration\":12613,\"OriginStatus\":200,\"Overhead\":12201,\"RequestAddr\":\"10.10.10.11:4567\",\"RequestContentSize\":0,\"RequestCount\":12345,\"RequestHost\":\"10.10.10.11\",\"RequestMethod\":\"GET\",\"RequestPath\":\"/ping\",\"RequestPort\":\"4567\",\"RequestProtocol\":\"HTTP/1.1\",\"RequestScheme\":\"http\",\"RetryAttempts\":0,\"RouterName\":\"ping@internal\",\"StartLocal\":\"2024-02-01T15:43:38.669746824Z\",\"StartUTC\":\"2024-02-01T15:43:38.669746824Z\",\"entryPointName\":\"ping\",\"level\":\"info\",\"msg\":\"\",\"request_X-Forwarded-Host\":\"10.10.10.12:1234\",\"time\":\"2024-02-01T15:43:38Z\"}", + "outcome": "success", + "type": [ + "access" + ] + }, + "http": { + "request": { + "body": { + "bytes": 0 + }, + "headers": { + "x-forwarded-host": "10.10.10.12:1234" + }, + "method": "GET" + }, + "response": { + "body": { + "bytes": 2 + }, + "status_code": 200 + }, + "version": "1.1" + }, + "log": { + "level": "info" + }, + "network": { + "transport": "tcp" + }, + "observer": { + "ingress": { + "interface": { + "name": "ping" + } + }, + "product": "traefik", + "type": "proxy", + "vendor": "traefik" + }, + "related": { + "ip": [ + "10.10.10.10" + ] + }, + "source": { + "address": "10.10.10.10:12345", + "ip": "10.10.10.10", + "port": 12345 + }, + "tags": [ + "preserve_original_event" + ], + "traefik": { + "access": { + "origin": { + "content_size": 2, + "duration": 12613, + "status_code": 200 + }, + 
"overhead": 12201, + "request_count": 12345, + "retry_attempts": 0, + "router": { + "name": "ping@internal" + } + } + }, + "url": { + "domain": "10.10.10.11", + "original": "http://10.10.10.11:4567/ping", + "path": "/ping", + "port": 4567, + "scheme": "http" + }, + "user": { + "name": "-" + } + }, + { + "@timestamp": "2024-02-02T17:07:08Z", + "destination": { + "address": "10.10.10.40", + "ip": "10.10.10.40", + "port": 1234 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "web" + ], + "created": "2020-04-28T11:07:58.223Z", + "duration": 486767, + "ingested": "2024-04-15T14:45:36.219220882Z", + "kind": "event", + "original": "{\"ClientAddr\":\"10.10.10.20:23456\",\"DownstreamContentSize\":19,\"DownstreamStatus\":404,\"Duration\":486767,\"OriginContentSize\":19,\"OriginDuration\":467360,\"OriginStatus\":404,\"Overhead\":19407,\"RequestAddr\":\"10.10.10.11:12345\",\"RequestContentSize\":814,\"RequestCount\":583793,\"RequestHost\":\"10.10.10.11\",\"RequestMethod\":\"GET\",\"RequestPath\":\"/foo/bar/baz.php\",\"RequestPort\":\"-\",\"RequestProtocol\":\"HTTP/1.1\",\"RetryAttempts\":0,\"RouterName\":\"service-foo-0101010101010101@kubernetescrd\",\"ServiceAddr\":\"10.10.10.40:1234\",\"ServiceName\":\"service-foo-0120101010101@kubernetescrd\",\"ServiceURL\":{\"Scheme\":\"http\",\"Opaque\":\"\",\"User\":null,\"Host\":\"10.10.10.60:5678\",\"Path\":\"\",\"RawPath\":\"\",\"OmitHost\":false,\"ForceQuery\":false,\"RawQuery\":\"\",\"Fragment\":\"\",\"RawFragment\":\"\"},\"StartLocal\":\"2024-02-02T17:07:08.048870614Z\",\"downstream_Content-Type\":\"text/plain; charset=utf-8\",\"entryPointName\":\"web\",\"level\":\"info\",\"msg\":\"\",\"origin_Content-Type\":\"text/plain; charset=utf-8\",\"request_User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/123.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36\",\"time\":\"2024-02-02T17:07:08Z\"}", + "outcome": "failure", + "type": [ + "access" + ] + }, + "http": { + "request": { + 
"body": { + "bytes": 814 + }, + "method": "GET" + }, + "response": { + "body": { + "bytes": 19 + }, + "headers": { + "content-type": "text/plain; charset=utf-8" + }, + "status_code": 404 + }, + "version": "1.1" + }, + "log": { + "level": "info" + }, + "network": { + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "service-foo-0120101010101@kubernetescrd" + } + }, + "ingress": { + "interface": { + "name": "web" + } + }, + "product": "traefik", + "type": "proxy", + "vendor": "traefik" + }, + "related": { + "ip": [ + "10.10.10.40" + ] + }, + "source": { + "address": "10.10.10.20:23456" + }, + "tags": [ + "preserve_original_event" + ], + "traefik": { + "access": { + "origin": { + "content_size": 19, + "duration": 467360, + "headers": { + "content-type": "text/plain; charset=utf-8" + }, + "status_code": 404 + }, + "overhead": 19407, + "request_count": 583793, + "retry_attempts": 0, + "router": { + "name": "service-foo-0101010101010101@kubernetescrd" + }, + "service": { + "url": { + "domain": "10.10.10.60:5678", + "force_query": false + } + } + } + }, + "url": { + "domain": "10.10.10.11", + "original": "10.10.10.11/foo/bar/baz.php", + "path": "/foo/bar/baz.php" + }, + "user_agent": { + "device": { + "name": "Mac" + }, + "name": "Chrome", + "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/123.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36", + "os": { + "full": "Mac OS X 10.10.1", + "name": "Mac OS X", + "version": "10.10.1" + }, + "version": "39.0.2171.95" + } + }, + { + "@timestamp": "2024-02-02T16:18:24Z", + "destination": { + "address": "10.10.10.60", + "ip": "10.10.10.60", + "port": 5678 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "web" + ], + "created": "2020-04-28T11:07:58.223Z", + "duration": 46382173, + "ingested": "2024-04-15T14:45:36.219222026Z", + "kind": "event", + "original": 
"{\"ClientAddr\":\"10.10.10.21:34567\",\"DownstreamContentSize\":0,\"DownstreamStatus\":304,\"Duration\":46382173,\"OriginContentSize\":0,\"OriginDuration\":46361120,\"OriginStatus\":304,\"Overhead\":21053,\"RequestAddr\":\"foo.acme.com\",\"RequestContentSize\":0,\"RequestCount\":583779,\"RequestHost\":\"foo.acme.com\",\"RequestMethod\":\"GET\",\"RequestPath\":\"/1.0.0/acme/current/foo.png\",\"RequestPort\":\"-\",\"RequestProtocol\":\"HTTP/1.1\",\"RetryAttempts\":0,\"RouterName\":\"service-bar-202020202020202@kubernetescrd\",\"ServiceAddr\":\"10.10.10.60:5678\",\"ServiceName\":\"service-bar-0d0d0d0d0d0@kubernetescrd\",\"ServiceURL\":{\"Scheme\":\"http\",\"Opaque\":\"\",\"User\":null,\"Host\":\"10.10.10.90:8901\",\"Path\":\"\",\"RawPath\":\"\",\"OmitHost\":false,\"ForceQuery\":false,\"RawQuery\":\"\",\"Fragment\":\"\",\"RawFragment\":\"\"},\"StartLocal\":\"2024-02-02T16:18:24.844946659Z\",\"downstream_X-Tiles-S3-Cache\":\"miss\",\"entryPointName\":\"web\",\"level\":\"info\",\"msg\":\"\",\"origin_X-Tiles-S3-Cache\":\"miss\",\"request_Origin\":\"https://foo.acme.com/\",\"request_User-Agent\":\"MapFishPrint/UNAVAILABLE Apache-HttpClient/4.5.14 (Java/11.0.21)\",\"request_X-Amz-Cf-Id\":\"oeoereofajjvaifei-dadfa-adfafa_dpafdeofkdasf==\",\"time\":\"2024-02-02T16:18:24Z\"}", + "outcome": "success", + "type": [ + "access" + ] + }, + "http": { + "request": { + "body": { + "bytes": 0 + }, + "headers": { + "origin": "https://foo.acme.com/", + "x-amz-cf-id": "oeoereofajjvaifei-dadfa-adfafa_dpafdeofkdasf==" + }, + "method": "GET" + }, + "response": { + "body": { + "bytes": 0 + }, + "headers": { + "x-tiles-s3-cache": "miss" + }, + "status_code": 304 + }, + "version": "1.1" + }, + "log": { + "level": "info" + }, + "network": { + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "service-bar-0d0d0d0d0d0@kubernetescrd" + } + }, + "ingress": { + "interface": { + "name": "web" + } + }, + "product": "traefik", + "type": "proxy", + "vendor": "traefik" + }, 
+ "related": { + "ip": [ + "10.10.10.60" + ] + }, + "source": { + "address": "10.10.10.21:34567" + }, + "tags": [ + "preserve_original_event" + ], + "traefik": { + "access": { + "origin": { + "content_size": 0, + "duration": 46361120, + "headers": { + "x-tiles-s3-cache": "miss" + }, + "status_code": 304 + }, + "overhead": 21053, + "request_count": 583779, + "retry_attempts": 0, + "router": { + "name": "service-bar-202020202020202@kubernetescrd" + }, + "service": { + "url": { + "domain": "10.10.10.90:8901", + "force_query": false + } + } + } + }, + "url": { + "domain": "foo.acme.com", + "original": "foo.acme.com/1.0.0/acme/current/foo.png", + "path": "/1.0.0/acme/current/foo.png" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Apache-HttpClient", + "original": "MapFishPrint/UNAVAILABLE Apache-HttpClient/4.5.14 (Java/11.0.21)", + "version": "4.5.14" + } + }, + { + "@timestamp": "2024-02-09T11:53:32.609696286Z", + "destination": { + "address": "10.1.25.243", + "ip": "10.1.25.243", + "port": 80 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "web" + ], + "created": "2020-04-28T11:07:58.223Z", + "duration": 59518533, + "ingested": "2024-04-15T14:45:36.219223187Z", + "kind": "event", + "original": "{\"ClientAddr\": \"10.10.8.105:48376\",\"ClientHost\": \"175.16.199.10\",\"ClientPort\": \"48376\",\"ClientUsername\": \"-\",\"DownstreamContentSize\": 88,\"DownstreamStatus\": 200,\"Duration\": 59518533,\"OriginContentSize\": 88,\"OriginDuration\": 59428568,\"OriginStatus\": 200,\"Overhead\": 89965,\"RequestAddr\": \"api-students.unpad.ac.id\",\"RequestContentSize\": 0,\"RequestCount\": 75,\"RequestHost\": \"api-students.unpad.ac.id\",\"RequestMethod\": \"GET\",\"RequestPath\": \"/api/v1/study/140410210038/card/comment\",\"RequestPort\": \"-\",\"RequestProtocol\": \"HTTP/1.0\",\"RequestScheme\": \"http\",\"RetryAttempts\": 0,\"RouterName\": 
\"app-unpad-students-api-prod-app-unpad-students-api-api-students-unpad-ac-id-api@kubernetes\",\"ServiceAddr\": \"10.1.25.243:80\",\"ServiceName\": \"app-unpad-students-api-prod-app-unpad-students-api-80@kubernetes\",\"ServiceURL\": {\"Scheme\": \"http\",\"Opaque\": \"\",\"User\": null,\"Host\": \"10.1.25.243:80\",\"Path\": \"\",\"RawPath\": \"\",\"OmitHost\": false,\"ForceQuery\": false,\"RawQuery\": \"\",\"Fragment\": \"\",\"RawFragment\": \"\"},\"StartLocal\": \"2024-02-09T11:53:32.609696286Z\",\"StartUTC\": \"2024-02-09T11:53:32.609696286Z\",\"entryPointName\": \"web\",\"level\": \"info\",\"msg\": \"\",\"time\": \"2024-02-09T11:53:32Z\"}", + "outcome": "success", + "type": [ + "access" + ] + }, + "http": { + "request": { + "body": { + "bytes": 0 + }, + "method": "GET" + }, + "response": { + "body": { + "bytes": 88 + }, + "status_code": 200 + }, + "version": "1.0" + }, + "log": { + "level": "info" + }, + "network": { + "community_id": "1:yUHkpEwKYgJDAiUUfAa0sf8N3qY=", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "app-unpad-students-api-prod-app-unpad-students-api-80@kubernetes" + } + }, + "ingress": { + "interface": { + "name": "web" + } + }, + "product": "traefik", + "type": "proxy", + "vendor": "traefik" + }, + "related": { + "ip": [ + "175.16.199.10", + "10.1.25.243" + ] + }, + "source": { + "address": "10.10.8.105:48376", + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, + "ip": "175.16.199.10", + "port": 48376 + }, + "tags": [ + "preserve_original_event" + ], + "traefik": { + "access": { + "origin": { + "content_size": 88, + "duration": 59428568, + "status_code": 200 + }, + "overhead": 89965, + "request_count": 75, + "retry_attempts": 0, + "router": { + "name": 
"app-unpad-students-api-prod-app-unpad-students-api-api-students-unpad-ac-id-api@kubernetes" + }, + "service": { + "url": { + "domain": "10.1.25.243:80", + "force_query": false + } + } + } + }, + "url": { + "domain": "api-students.unpad.ac.id", + "original": "http://api-students.unpad.ac.id/api/v1/study/140410210038/card/comment", + "path": "/api/v1/study/140410210038/card/comment", + "scheme": "http" + }, + "user": { + "name": "-" + } + }, + { + "@timestamp": "2024-04-15T13:26:33.80902715Z", + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "web" + ], + "created": "2020-04-28T11:07:58.223Z", + "duration": 32673, + "ingested": "2024-04-15T14:45:36.219224341Z", + "kind": "event", + "original": "{\"ClientAddr\":\"[::1]:56348\",\"ClientHost\":\"::1\",\"ClientPort\":\"56348\",\"ClientUsername\":\"-\",\"DownstreamContentSize\":19,\"DownstreamStatus\":404,\"Duration\":32673,\"Overhead\":32673,\"RequestAddr\":\"backend.elastic-package-service.docker.localhost\",\"RequestContentSize\":0,\"RequestCount\":27,\"RequestHost\":\"backend.elastic-package-service.docker.localhost\",\"RequestMethod\":\"GET\",\"RequestPath\":\"/\",\"RequestPort\":\"-\",\"RequestProtocol\":\"HTTP/1.1\",\"RequestScheme\":\"http\",\"RetryAttempts\":0,\"StartLocal\":\"2024-04-15T13:26:33.80902715Z\",\"StartUTC\":\"2024-04-15T13:26:33.80902715Z\",\"level\":\"info\",\"msg\":\"\",\"time\":\"2024-04-15T13:26:33Z\"}", + "outcome": "failure", + "type": [ + "access" + ] + }, + "http": { + "request": { + "body": { + "bytes": 0 + }, + "method": "GET" + }, + "response": { + "body": { + "bytes": 19 + }, + "status_code": 404 + }, + "version": "1.1" + }, + "log": { + "level": "info" + }, + "network": { + "transport": "tcp" + }, + "observer": { + "product": "traefik", + "type": "proxy", + "vendor": "traefik" + }, + "related": { + "ip": [ + "::1" + ] + }, + "source": { + "address": "[::1]:56348", + "ip": "::1", + "port": 56348 + }, + "tags": [ + "preserve_original_event" + ], + "traefik": { + 
"access": { + "overhead": 32673, + "request_count": 27, + "retry_attempts": 0 + } + }, + "url": { + "domain": "backend.elastic-package-service.docker.localhost", + "original": "http://backend.elastic-package-service.docker.localhost/", + "path": "/", + "scheme": "http" + }, + "user": { + "name": "-" + } } ] } \ No newline at end of file diff --git a/packages/traefik/data_stream/access/_dev/test/system/test-format-common-config.yml b/packages/traefik/data_stream/access/_dev/test/system/test-format-common-config.yml index 03059f3eda3..0f059de8cee 100644 --- a/packages/traefik/data_stream/access/_dev/test/system/test-format-common-config.yml +++ b/packages/traefik/data_stream/access/_dev/test/system/test-format-common-config.yml @@ -4,3 +4,4 @@ data_stream: vars: paths: - "{{SERVICE_LOGS_DIR}}/access-common.log" + preserve_original_event: true diff --git a/packages/traefik/data_stream/access/_dev/test/system/test-format-json-config.yml b/packages/traefik/data_stream/access/_dev/test/system/test-format-json-config.yml index f25de027427..b024650c2a0 100644 --- a/packages/traefik/data_stream/access/_dev/test/system/test-format-json-config.yml +++ b/packages/traefik/data_stream/access/_dev/test/system/test-format-json-config.yml @@ -4,3 +4,4 @@ data_stream: vars: paths: - "{{SERVICE_LOGS_DIR}}/access-json.log" + preserve_original_event: true diff --git a/packages/traefik/data_stream/access/elasticsearch/ingest_pipeline/default.yml b/packages/traefik/data_stream/access/elasticsearch/ingest_pipeline/default.yml index e051a1486b2..2a2453d4598 100644 --- a/packages/traefik/data_stream/access/elasticsearch/ingest_pipeline/default.yml +++ b/packages/traefik/data_stream/access/elasticsearch/ingest_pipeline/default.yml @@ -6,7 +6,7 @@ processors: value: '{{_ingest.timestamp}}' - set: field: ecs.version - value: '8.5.1' + value: '8.11.0' - rename: field: '@timestamp' target_field: event.created 
@@ -34,6 +34,10 @@ processors: - remove: field: temp ignore_missing: true + - convert: + field: http.response.status_code + type: long + ignore_missing: true - user_agent: field: user_agent.original ignore_failure: true @@ -103,6 +107,23 @@ processors: if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" ignore_failure: true ignore_missing: true + - script: + lang: painless + source: |- + boolean drop(Object o) { + if (o == null || o == '') { + return true; + } else if (o instanceof Map) { + ((Map) o).values().removeIf(v -> drop(v)); + return (((Map) o).size() == 0); + } else if (o instanceof List) { + ((List) o).removeIf(v -> drop(v)); + return (((List) o).length == 0); + } + return false; + } + drop(ctx); + description: Drops null/empty values recursively. on_failure: - set: field: error.message diff --git a/packages/traefik/data_stream/access/elasticsearch/ingest_pipeline/format-common.yml b/packages/traefik/data_stream/access/elasticsearch/ingest_pipeline/format-common.yml index db2cb8026e3..57ea8364168 100644 --- a/packages/traefik/data_stream/access/elasticsearch/ingest_pipeline/format-common.yml +++ b/packages/traefik/data_stream/access/elasticsearch/ingest_pipeline/format-common.yml 
@@ -7,12 +7,17 @@ processors: pattern: '%{source.address} %{traefik.access.user_identifier} %{user.name} [%{traefik.access.time}] "%{http.request.method} %{url.original} HTTP/%{http.version}" %{http.response.status_code} %{traefik.access.message}' +- remove: + description: Remove http.response.status_code it is not available ('-') + field: + http.response.status_code + if: ctx.http?.response?.status_code != null && ctx.http?.response?.status_code == '-' - grok: field: traefik.access.message patterns: - (?:%{NUMBER:http.response.body.bytes:long}|-)( (?:"%{DATA:http.request.referrer}"|-)?( (?:"%{DATA:user_agent.original}"|-)?)?( (?:%{NUMBER:traefik.access.request_count:long}|-)?)?( - (?:"%{DATA:traefik.access.frontend_name}"|-)?)?( "%{DATA:traefik.access.backend_url}")?( + (?:"%{DATA:traefik.access.router.name}"|-)?)?( "%{DATA:traefik.access.service.address}")?( %{NUMBER:temp.duration:long}ms)?)? ignore_missing: true - remove: @@ -25,19 +30,27 @@ processors: - dd/MMM/yyyy:H:m:s Z - remove: field: traefik.access.time -- convert: - field: http.response.status_code - type: long - grok: field: source.address patterns: - ^(%{IP:source.ip}|%{HOSTNAME:source.domain})$ +- grok: + field: traefik.access.service.address + patterns: + - ^(https?://)?%{DATA:destination.address}$ + ignore_missing: true +- grok: + field: destination.address + patterns: + - ^(%{IP:destination.ip}|%{HOSTNAME:destination.domain})(:%{POSINT:destination.port:long})?$ + ignore_failure: true - script: lang: painless source: ctx.event.duration = Math.round(ctx.temp.duration * params.scale) params: scale: 1000000 if: ctx.temp?.duration != null + on_failure: - set: field: error.message diff --git a/packages/traefik/data_stream/access/elasticsearch/ingest_pipeline/format-json.yml b/packages/traefik/data_stream/access/elasticsearch/ingest_pipeline/format-json.yml index d822386610d..3669e094dce 100644 --- a/packages/traefik/data_stream/access/elasticsearch/ingest_pipeline/format-json.yml 
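Review bot: In the second hunk (`@@ -25,19 +30,27 @@`), the grok on `destination.address` carries `ignore_failure: true` but no `ignore_missing: true`, so when the message grok did not capture `traefik.access.service.address` the processor fails on the absent field and that failure is swallowed together with any genuine mismatch; `ignore_missing: true` is the precise guard for absence. The preceding grok captures everything after an optional scheme with `%{DATA:destination.address}`, so if the service address carries a path (the old field name `backend_url` suggests the value can be a URL) the path lands in `destination.address` and the ip/domain/port grok then fails silently as well; a tighter capture such as `%{IPORHOST:destination.address}` would avoid that. In the first hunk the new processor's description reads `Remove http.response.status_code it is not available ('-')`; `Remove http.response.status_code when it is not available ('-')` reads correctly.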
+++ b/packages/traefik/data_stream/access/elasticsearch/ingest_pipeline/format-json.yml 
@@ -9,42 +9,133 @@ processors: field: temp.time target_field: "@timestamp" ignore_missing: true + - set: + field: "@timestamp" + copy_from: temp.StartUTC + if: 'ctx?.temp?.StartUTC != null' + override: true + - set: + field: "@timestamp" + copy_from: temp.StartLocal + override: true + if: 'ctx?.temp?.StartUTC == null && ctx?.temp?.StarLocal != null' + - rename: + field: temp.Duration + target_field: event.duration + ignore_missing: true + - rename: + field: temp.RouterName + target_field: traefik.access.router.name + ignore_missing: true + - rename: + field: temp.FrontendName + target_field: traefik.access.router.name + ignore_missing: true + description: traefik 1.x backwards compatibility + if: 'ctx?.traefik?.access?.router?.name == null' - rename: field: temp.ClientUsername target_field: user.name ignore_missing: true - rename: - field: temp.FrontendName - target_field: traefik.access.frontend_name + field: temp.ServiceName + target_field: observer.egress.interface.name ignore_missing: true - rename: - field: temp.BackendAddr - target_field: traefik.access.backend_url + field: temp.BackendName + target_field: observer.egress.interface.name + ignore_missing: true + description: traefik 1.x backwards compatibility + if: 'ctx?.observer?.egress?.interface?.name == null' + - rename: + field: temp.BackendURL + target_field: temp.ServiceURL + ignore_missing: true + if: 'ctx?.temp?.ServiceURL == null' + - rename: + field: temp.ServiceURL.Opaque + target_field: traefik.access.service.url.opaque + ignore_missing: true + - rename: + field: temp.ServiceURL.User + target_field: traefik.access.service.url.user + ignore_missing: true + - rename: + field: temp.ServiceURL.Host + target_field: traefik.access.service.url.domain + ignore_missing: true + - rename: + field: temp.ServiceURL.Path + target_field: traefik.access.service.url.path + ignore_missing: true + - rename: + field: temp.ServiceURL.RawPath + target_field: traefik.access.service.url.raw_path + ignore_missing: true + 
- rename: + field: temp.ServiceURL.ForceQuery + target_field: traefik.access.service.url.force_query + ignore_missing: true + - rename: + field: temp.ServiceURL.RawQuery + target_field: traefik.access.service.url.raw_query + ignore_missing: true + - rename: + field: temp.ServiceURL.Fragment + target_field: traefik.access.service.url.fragment ignore_missing: true - rename: field: temp.RequestCount target_field: traefik.access.request_count ignore_missing: true - rename: + field: temp.ClientAddr + target_field: source.address + ignore_missing: true + - grok: + description: IPv6 '[]' notation must be removed to avoid ip field mapping errors. + field: source.address + patterns: + - '^\\[?%{IP:source.ip}\\]?:%{POSINT:source.port}$' + ignore_missing: true + ignore_failure: true + - convert: field: temp.ClientHost target_field: source.ip + type: ip ignore_missing: true - - set: - field: source.address - copy_from: source.ip - if: ctx.source?.ip != null + ignore_failure: true + if: 'ctx?.source?.ip == null' + - convert: + field: temp.ClientHost + target_field: network.forwarded_ip + type: ip + ignore_missing: true + if: 'ctx?.source?.ip != null && ctx?.source?.ip != ctx?.temp?.ClientHost' + - append: + field: related.ip + value: "{{{network.forwarded_ip}}}" + if: 'ctx?.network?.forwarded_ip != null' - rename: field: temp.ClientPort target_field: source.port ignore_missing: true + if: 'ctx?.source?.port == null' - convert: field: source.port type: long ignore_missing: true - dissect: - field: traefik.access.backend_url + field: temp.ServiceAddr pattern: "%{destination.ip}:%{destination.port}" - if: 'ctx?.traefik?.access?.backend_url != ""' + ignore_missing: true + ignore_failure: true + - dissect: + field: temp.BackendAddr + pattern: "%{destination.ip}:%{destination.port}" + ignore_missing: true + ignore_failure: true + if: 'ctx?.temp.SourceAddr == null' - convert: field: destination.port type: long 
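Review bot: The grok pattern for `source.address`, `'^\\[?%{IP:source.ip}\\]?:%{POSINT:source.port}$'`, sits in a single-quoted YAML scalar where `\\` is two literal backslashes, so the regex requires a literal backslash before the address and cannot match a plain `ip:port` value, and `ignore_failure: true` then hides that. The new fixture records with `ClientAddr` `10.10.10.20:23456` and `10.10.10.21:34567` (no `ClientHost`) come out with only `source.address`, and the record whose `ClientHost` is `175.16.199.10` gets no `network.forwarded_ip`, which is what this failure looks like. The pattern should be `'^\[?%{IP:source.ip}\]?:%{POSINT:source.port}$'` (one backslash each). The `StartLocal` fallback condition reads `ctx?.temp?.StarLocal != null` (missing `t`), so `@timestamp` is never taken from `StartLocal`; the fixtures that carry only `StartLocal` keep the second-precision `time` value. The `temp.BackendAddr` dissect is guarded by `ctx?.temp.SourceAddr == null`, a field nothing in this pipeline or the fixtures produces, so the guard is always true and presumably should be `ctx?.temp?.ServiceAddr == null`.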
@@ -55,36 +146,191 @@ processors: if: "ctx?.destination?.ip != null" - rename: field: temp.RequestPath - target_field: url.original + target_field: url.path ignore_missing: true - rename: field: temp.RequestMethod target_field: http.request.method ignore_missing: true + - rename: + field: temp.RequestHost + target_field: url.domain + ignore_missing: true - rename: field: temp.RequestAddr target_field: url.domain ignore_missing: true + if: 'ctx?.url?.domain == null' + - convert: + field: temp.RequestPort + target_field: url.port + type: long + if: 'ctx?.temp?.RequestPort != null && ctx?.temp?.RequestPort != "-"' + - dissect: + field: temp.RequestProtocol + pattern: "HTTP/%{http.version}" + - rename: + field: temp.RequestScheme + target_field: url.scheme + ignore_missing: true + - append: + field: url.original + value: "{{{url.scheme}}}://" + if: 'ctx?.url?.scheme != null' + - append: + field: url.original + value: "{{{url.domain}}}" + if: 'ctx?.url?.domain != null' + - append: + field: url.original + value: ":{{{url.port}}}" + if: 'ctx?.url?.port != null' + - append: + field: url.original + value: "{{{url.path}}}" + if: 'ctx?.url?.path != null' + - join: + field: url.original + separator: "" + - remove: + field: url.original + if: 'ctx?.url?.original == ""' - rename: field: temp.DownstreamStatus target_field: http.response.status_code - ignore_missing: true + if: 'ctx?.temp?.DownstreamStatus != null && ctx?.temp?.DownstreamStatus != "-"' - rename: field: temp.DownstreamContentSize target_field: http.response.body.bytes ignore_missing: true - - dissect: - field: temp.RequestProtocol - pattern: "HTTP/%{http.version}" - rename: field: temp.request_User-Agent target_field: user_agent.original ignore_missing: true - rename: - field: temp.Duration - target_field: event.duration + field: temp.OriginContentSize + target_field: traefik.access.origin.content_size + ignore_missing: true + - rename: + field: temp.OriginDuration + target_field: traefik.access.origin.duration 
ignore_missing: true + - rename: + field: temp.OriginStatus + target_field: traefik.access.origin.status_code + if: 'ctx?.temp?.OriginStatus != null && ctx?.temp?.OriginStatus != "-"' + - rename: + field: temp.Overhead + target_field: traefik.access.overhead + ignore_missing: true + - rename: + field: temp.RequestContentSize + target_field: http.request.body.bytes + ignore_missing: true + - rename: + field: temp.RetryAttempts + target_field: traefik.access.retry_attempts + ignore_missing: true + - user_agent: + field : temp.request_User-Agent + ignore_missing: true + extract_device_type: true + - script: + source: | + Map downstream_headers = new HashMap(); + Map origin_headers = new HashMap(); + Map request_headers = new HashMap(); + + // Get the headers + for (fieldname in ctx?.temp?.keySet()){ + if (fieldname.startsWith('downstream_')){ + downstream_headers.put(fieldname.replace('downstream_', '').toLowerCase(), ctx.temp[fieldname]); + } + else if (fieldname.startsWith('request_')){ + request_headers.put(fieldname.replace('request_', '').toLowerCase(), ctx.temp[fieldname]); + } + else if (fieldname.startsWith('origin_')){ + origin_headers.put(fieldname.replace('origin_', '').toLowerCase(), ctx.temp[fieldname]); + } + } + + if (!request_headers.isEmpty()){ + // Make sure http.request object exists + if (ctx.http == null){ + ctx.put('http', new HashMap()); + } + if (ctx.http.request == null){ + ctx.http.put('request', new HashMap()); + } + + // Add headers + ctx.http.request.put('headers', request_headers); + } + + if (!downstream_headers.isEmpty()){ + // Make sure http.response object exists + if (ctx.http == null){ + ctx.put('http', new HashMap()); + } + if (ctx.http.response == null){ + ctx.http.put('response', new HashMap()); + } + // Add headers + ctx.http.response.put('headers', downstream_headers); + } + + if (!origin_headers.isEmpty()){ + // Make sure traefik.access.origin object exists + if (ctx.traefik == null){ + ctx.put('traefik', new HashMap()); + } + 
if (ctx.traefik.access == null){ + ctx.traefik.put('access', new HashMap()); + } + if (ctx.traefik.access.origin == null){ + ctx.traefik.access.put('origin', new HashMap()); + } + // Add headers + ctx.traefik.access.origin.put('headers', origin_headers); + } + + - rename: + field: temp.TLSCipher + target_field: tls.cipher + ignore_missing: true + - rename: + field: temp.TLSVersion + target_field: tls.version + ignore_missing: true + - rename: + field: temp.GzipRatio + target_field: traefik.access.gzip_ratio + ignore_missing: true + - rename: + field: temp.entryPointName + target_field: observer.ingress.interface.name + ignore_missing: true + - set: + field: log.level + copy_from: temp.level + override: true + ignore_empty_value: true + - set: + field: message + copy_from: temp.msg + override: true + ignore_empty_value: true + - set: + field: observer.vendor + value: traefik + - set: + field: observer.product + value: traefik + - set: + field: observer.type + value: proxy + on_failure: - set: field: error.message - value: '{{ _ingest.on_failure_message }}' \ No newline at end of file + value: '{{ _ingest.on_failure_message }}' diff --git a/packages/traefik/data_stream/access/fields/agent.yml b/packages/traefik/data_stream/access/fields/agent.yml new file mode 100644 index 00000000000..a07e2ce0b2b --- /dev/null +++ b/packages/traefik/data_stream/access/fields/agent.yml @@ -0,0 +1,6 @@ +- name: input.type + type: keyword + description: Input type +- name: log.offset + type: long + description: Log offset diff --git a/packages/traefik/data_stream/access/fields/ecs.yml b/packages/traefik/data_stream/access/fields/ecs.yml deleted file mode 100644 index 70fcbb1952f..00000000000 --- a/packages/traefik/data_stream/access/fields/ecs.yml +++ /dev/null 
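Review bot: The added `user_agent` processor near the end of the hunk reads `temp.request_User-Agent`, but the earlier (context) rename in this same hunk has already moved that field to `user_agent.original`, so with `ignore_missing: true` the processor is a no-op and `extract_device_type` never takes effect, which appears to be why the fixtures carry no `user_agent.device.type`. `default.yml` already runs `user_agent` on `user_agent.original`, so either delete this processor or set `field: user_agent.original` here and drop the duplicate there. Separately, `url.original` is now assembled from `url.scheme`, `url.domain`, `url.port` and `url.path` via the append/join chain; ECS reserves `url.original` for the value as seen in the source and names `url.full` as the field that may be reconstructed, so that chain should target `url.full`. The header-extraction script strips prefixes with `fieldname.replace('downstream_', '')`, which removes every occurrence of the prefix rather than only the leading one; `fieldname.substring('downstream_'.length())` would be exact.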
@@ -1,100 +0,0 @@ -- external: ecs - name: destination.address -- external: ecs - name: destination.as.number -- external: ecs - name: destination.as.organization.name -- external: ecs - name: destination.domain -- external: ecs - name: destination.geo.city_name -- external: ecs - name: destination.geo.continent_name -- external: ecs - name: destination.geo.country_iso_code -- external: ecs - name: destination.geo.country_name -- description: Longitude and latitude. - level: core - name: destination.geo.location - type: geo_point -- external: ecs - name: destination.geo.name -- external: ecs - name: destination.geo.region_iso_code -- external: ecs - name: destination.geo.region_name -- external: ecs - name: destination.ip -- external: ecs - name: destination.port -- external: ecs - name: ecs.version -- external: ecs - name: http.request.method -- external: ecs - name: http.request.referrer -- external: ecs - name: http.response.body.bytes -- external: ecs - name: http.response.status_code -- external: ecs - name: http.version -- external: ecs - name: log.file.path -- external: ecs - name: network.community_id -- external: ecs - name: network.transport -- external: ecs - name: related.ip -- external: ecs - name: related.user -- external: ecs - name: source.address -- external: ecs - name: source.as.number -- external: ecs - name: source.as.organization.name -- description: Longitude and latitude. 
- level: core - name: source.geo.location - type: geo_point -- external: ecs - name: source.geo.city_name -- external: ecs - name: source.geo.continent_name -- external: ecs - name: source.geo.country_iso_code -- external: ecs - name: source.geo.country_name -- external: ecs - name: source.geo.region_iso_code -- external: ecs - name: source.geo.region_name -- external: ecs - name: source.ip -- external: ecs - name: source.port -- external: ecs - name: tags -- external: ecs - name: url.domain -- external: ecs - name: url.original -- external: ecs - name: user.name -- external: ecs - name: user_agent.device.name -- external: ecs - name: user_agent.name -- external: ecs - name: user_agent.original -- external: ecs - name: user_agent.os.full -- external: ecs - name: user_agent.os.name -- external: ecs - name: user_agent.os.version -- external: ecs - name: user_agent.version diff --git a/packages/traefik/data_stream/access/fields/fields.yml b/packages/traefik/data_stream/access/fields/fields.yml index fe9007a9fe9..e6697b7bb31 100644 --- a/packages/traefik/data_stream/access/fields/fields.yml +++ b/packages/traefik/data_stream/access/fields/fields.yml 
@@ -1,32 +1,109 @@ +- name: http.request.headers.* + type: object + object_type: keyword + description: | + The canonical headers of the monitored HTTP request. +- name: http.response.headers.* + type: object + object_type: keyword + description: | + The canonical headers of the monitored HTTP response. - name: traefik.access type: group fields: - - name: user_identifier - type: keyword + - name: origin + type: group + fields: + - name: content_size + type: long + description: | + The content length specified by the origin server, or 0 if unspecified. + - name: duration + type: long + description: | + The time taken (in nanoseconds) by the origin server ('upstream') to return its response. + - name: headers.* + type: object + object_type: keyword + description: | + The canonical headers of the monitored HTTP request. + - name: status_code + type: long + description: | + The HTTP status code returned by the origin server. + If the request was handled by this Traefik instance (e.g. with a redirect), then this value will be absent (0). + - name: status_line + type: keyword + description: | + OriginStatus + Status code explanation + - name: overhead + type: long description: | - Is the RFC 1413 identity of the client + The processing time overhead (in nanoseconds) caused by Traefik - name: request_count type: long description: | - The number of requests - - name: frontend_name - type: keyword + The number of requests received since the Traefik instance started. 
+ - name: retry_attempts + type: long description: | - The name of the frontend used - - name: backend_url - type: keyword - description: The url of the backend where request is forwarded - - name: user_agent + The amount of attempts the request was retried + - name: router type: group fields: - - name: os - type: alias - path: user_agent.os.full_name - - name: geoip + - name: name + type: keyword + description: The name of the Traefik router + - name: service type: group -- name: input.type - type: keyword - description: Input type -- name: log.offset - type: long - description: Log offset + fields: + - name: address + type: keyword + description: The IP:port of the Traefik backend (extracted from ServiceURL) + - name: duration + type: long + description: The time taken (in nanoseconds) by the origin server ('upstream') to return its response. + - name: url + type: group + description: The URL of the Traefik backend + fields: + - name: domain + type: keyword + description: Domain of the url + - name: force_query + type: boolean + description: Traefik specific url field + - name: fragment + type: keyword + description: The fragment of the url + - name: opaque + type: keyword + description: Traefik specific url field + - name: original + type: keyword + description: Traefik url as used in common log format + - name: path + type: keyword + description: The path of the url + - name: query + type: keyword + description: The query string of the url + - name: raw_path + type: keyword + description: Traefik specific url field + - name: raw_query + type: keyword + description: Traefik specific url field + - name: scheme + type: keyword + description: The scheme of the url + - name: user + type: group + description: Traefik specific url field + - name: username + type: keyword + description: The username of the url + - name: user_identifier + type: keyword + description: | + Is the RFC 1413 identity of the client 
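Review bot: The description of `traefik.access.origin.headers.*` in this hunk is copied from the request-headers entry and says "monitored HTTP request", although the pipeline fills it from the `origin_`-prefixed keys, i.e. the headers returned by the origin server; suggest `The canonical headers of the response returned by the origin server.` The same copy-paste shows on `traefik.access.service.duration`, whose description is identical to `traefik.access.origin.duration` while the sample event in this change never populates `service.duration` or `service.address`, so either document what distinguishes them or drop the unused fields. Because `http.request.headers.*`, `http.response.headers.*` and the origin headers are indexed verbatim as keyword objects, the descriptions should also state that any header Traefik is configured to log — including `Authorization`, `Cookie` and `Set-Cookie` — is stored as-is, and point operators to Traefik's `accessLog.fields.headers.defaultMode` (keep/drop/redact) to restrict that at the source rather than relying on the pipeline.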
diff --git a/packages/traefik/data_stream/access/sample_event.json b/packages/traefik/data_stream/access/sample_event.json index 2f7111a12fd..77a2ce504cd 100644 --- a/packages/traefik/data_stream/access/sample_event.json +++ b/packages/traefik/data_stream/access/sample_event.json 
@@ -1,35 +1,22 @@ { - "@timestamp": "2022-01-12T04:40:22.000Z", - "agent": { - "ephemeral_id": "49d5036c-5357-4aee-b7ae-08e2615d64e2", - "id": "9878d192-22ad-49b6-a6c2-9959b0815d04", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.0.0-beta1" - }, - "data_stream": { - "dataset": "traefik.access", - "namespace": "ep", - "type": "logs" + "@timestamp": "2024-02-09T11:53:32.609696286Z", + "destination": { + "address": "10.1.25.243", + "ip": "10.1.25.243", + "port": 80 }, "ecs": { "version": "8.5.1" }, - "elastic_agent": { - "id": "9878d192-22ad-49b6-a6c2-9959b0815d04", - "snapshot": false, - "version": "8.0.0-beta1" - }, "event": { - "agent_id_status": "verified", "category": [ "web" ], - "created": "2022-01-12T04:40:38.534Z", - "dataset": "traefik.access", - "duration": 0, - "ingested": "2022-01-12T04:40:39Z", + "created": "2020-04-28T11:07:58.223Z", + "duration": 59518533, + "ingested": "2024-02-13T16:08:40.190327617Z", "kind": "event", + "original": "{\"ClientAddr\": \"10.10.8.105:48376\",\"ClientHost\": \"175.16.199.10\",\"ClientPort\": \"48376\",\"ClientUsername\": \"-\",\"DownstreamContentSize\": 88,\"DownstreamStatus\": 200,\"Duration\": 59518533,\"OriginContentSize\": 88,\"OriginDuration\": 59428568,\"OriginStatus\": 200,\"Overhead\": 89965,\"RequestAddr\": \"api-students.unpad.ac.id\",\"RequestContentSize\": 0,\"RequestCount\": 75,\"RequestHost\": \"api-students.unpad.ac.id\",\"RequestMethod\": \"GET\",\"RequestPath\": \"/api/v1/study/140410210038/card/comment\",\"RequestPort\": \"-\",\"RequestProtocol\": \"HTTP/1.0\",\"RequestScheme\": \"http\",\"RetryAttempts\": 0,\"RouterName\": \"app-unpad-students-api-prod-app-unpad-students-api-api-students-unpad-ac-id-api@kubernetes\",\"ServiceAddr\": \"10.1.25.243:80\",\"ServiceName\": \"app-unpad-students-api-prod-app-unpad-students-api-80@kubernetes\",\"ServiceURL\": {\"Scheme\": \"http\",\"Opaque\": \"\",\"User\": null,\"Host\": \"10.1.25.243:80\",\"Path\": \"\",\"RawPath\": \"\",\"OmitHost\": 
false,\"ForceQuery\": false,\"RawQuery\": \"\",\"Fragment\": \"\",\"RawFragment\": \"\"},\"StartLocal\": \"2024-02-09T11:53:32.609696286Z\",\"StartUTC\": \"2024-02-09T11:53:32.609696286Z\",\"entryPointName\": \"web\",\"level\": \"info\",\"msg\": \"\",\"time\": \"2024-02-09T11:53:32Z\"}", "outcome": "success", "type": [ "access" 
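Review bot: In the new sample `event.original`, `ClientAddr` is `10.10.8.105:48376` while `ClientHost` is `175.16.199.10`, yet the mapped `source.ip` and `related.ip` carry only the `ClientAddr` value. If `ClientHost` reflects Traefik's forwarded-header handling, as its name suggests, a document whose two fields disagree is recording the proxy hop rather than the client, and whichever value the pipeline settles on, the fixture should not contradict itself; either explain the choice in the sample or align the two addresses. `event.created` (`2020-04-28T11:07:58.223Z`) also predates `@timestamp` (2024-02-09) by almost four years, which reads like a test-config constant rather than a value derived from the log and will confuse readers of the generated docs.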
@@ -37,61 +24,88 @@ }, "http": { "request": { - "method": "GET", - "referrer": "-" + "body": { + "bytes": 0 + }, + "method": "GET" }, "response": { "body": { - "bytes": 415 + "bytes": 88 }, "status_code": 200 }, - "version": "1.1" - }, - "input": { - "type": "log" + "version": "1.0" }, "log": { - "file": { - "path": "/tmp/service_logs/access-common.log" - }, - "offset": 0 + "level": "info" }, "network": { + "community_id": "1:Mgo2d5qbyedZ2JnxvcBh0BuPcWk=", "transport": "tcp" }, + "observer": { + "egress": { + "interface": { + "name": "app-unpad-students-api-prod-app-unpad-students-api-80@kubernetes" + } + }, + "ingress": { + "interface": { + "name": "web" + } + }, + "product": "traefik", + "type": "proxy", + "vendor": "traefik" + }, "related": { "ip": [ - "127.0.0.1" + "10.10.8.105", + "10.1.25.243" ] }, "source": { - "address": "127.0.0.1", - "ip": "127.0.0.1" + "address": "10.10.8.105:48376", + "ip": "10.10.8.105", + "port": 48376 }, "tags": [ - "forwarded" + "preserve_original_event" ], "traefik": { "access": { - "backend_url": "http://172.21.0.2:80", - "frontend_name": "Host-backend-elastic-package-service-docker-localhost-0", - "request_count": 1, - "user_identifier": "-" + "origin": { + "content_size": 88, + "duration": 59428568, + "status_code": 200 + }, + "overhead": 89965, + "request_count": 75, + "retry_attempts": 0, + "router": { + "name": "app-unpad-students-api-prod-app-unpad-students-api-api-students-unpad-ac-id-api@kubernetes" + }, + "service": { + "url": { + "domain": "10.1.25.243:80", + "force_query": false, + "fragment": "", + "opaque": "", + "path": "", + "raw_path": "", + "raw_query": "", + "user": null + } + } } }, "url": { - "original": "/" + "domain": "api-students.unpad.ac.id", + "original": "/api/v1/study/140410210038/card/comment", + "scheme": "http" }, "user": { "name": "-" - }, - "user_agent": { - "device": { - "name": "Other" - }, - "name": "curl", - "original": "curl/7.79.1", - "version": "7.79.1" } -} \ No newline at end of file +} 
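Review bot: The new sample still carries `"user": { "name": "-" }`, so Traefik's placeholder for an absent `ClientUsername` is indexed as a real user name and will pollute `user.name` aggregations and `related.user`; the pipeline already guards `OriginStatus` with `!= "-"`, and the processor that maps the username (outside this hunk) should get the same guard, e.g. `if: 'ctx?.temp?.ClientUsername != null && ctx?.temp?.ClientUsername != "-"'` (field name presumed from the `temp.*` convention used above). `traefik.access.service.url.domain` holds `10.1.25.243:80`, a host:port pair rather than a domain, even though the port is already split out into `destination.port`. `"user": null` and the empty-string `ServiceURL` sub-fields are likewise indexed as-is where the rest of the pipeline uses `ignore_empty_value`; consider cleaning those before they become the documented example.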
diff --git a/packages/traefik/data_stream/health/_dev/test/system/test-default-config.yml b/packages/traefik/data_stream/health/_dev/test/system/test-default-config.yml deleted file mode 100644 index f1a3a16dfa8..00000000000 --- a/packages/traefik/data_stream/health/_dev/test/system/test-default-config.yml +++ /dev/null @@ -1,6 +0,0 @@ -service: traefik_format_common -vars: - hosts: - - http://{{Hostname}}:{{Port}} -data_stream: - vars: ~ diff --git a/packages/traefik/data_stream/health/fields/ecs.yml b/packages/traefik/data_stream/health/fields/ecs.yml index 6f425968328..c6a5dcc8d47 100644 --- a/packages/traefik/data_stream/health/fields/ecs.yml +++ b/packages/traefik/data_stream/health/fields/ecs.yml @@ -21,6 +21,10 @@ dimension: true - external: ecs name: ecs.version +- external: ecs + name: host.ip +- external: ecs + name: host.mac - external: ecs name: host.name dimension: true diff --git a/packages/traefik/data_stream/health/sample_event.json b/packages/traefik/data_stream/health/sample_event.json index abccc84a90f..de29a4653aa 100644 --- a/packages/traefik/data_stream/health/sample_event.json +++ b/packages/traefik/data_stream/health/sample_event.json @@ -1,11 +1,11 @@ { - "@timestamp": "2022-01-12T04:42:17.051Z", + "@timestamp": "2024-02-12T17:21:39.672Z", "agent": { - "ephemeral_id": "ddbf0fe2-5932-46a6-833b-101861fae9e6", - "id": "9878d192-22ad-49b6-a6c2-9959b0815d04", + "ephemeral_id": "63e0045d-0344-4bdb-9f94-26442e08d137", + "id": "d95af4f5-ce65-45c7-8b0b-39929f004883", "name": "docker-fleet-agent", "type": "metricbeat", - "version": "8.0.0-beta1" + "version": "8.11.4" }, "data_stream": { "dataset": "traefik.health", 
@@ -13,40 +13,40 @@ "type": "metrics" }, "ecs": { - "version": "8.5.1" + "version": "8.0.0" }, "elastic_agent": { - "id": "9878d192-22ad-49b6-a6c2-9959b0815d04", + "id": "d95af4f5-ce65-45c7-8b0b-39929f004883", "snapshot": false, - "version": "8.0.0-beta1" + "version": "8.11.4" }, "event": { "agent_id_status": "verified", "dataset": "traefik.health", - "duration": 37594678, - "ingested": "2022-01-12T04:42:18Z", + "duration": 1679238, + "ingested": "2024-02-12T17:21:42Z", "module": "traefik" }, "host": { "architecture": "x86_64", - "containerized": true, + "containerized": false, "hostname": "docker-fleet-agent", - "id": "4ccba669f0df47fa3f57a9e4169ae7f1", + "id": "65c6e8a59cee4f20baaa9c3b45722316", "ip": [ - "172.18.0.4" + "172.18.0.6" ], "mac": [ - "02:42:ac:12:00:04" + "02-42-AC-12-00-06" ], "name": "docker-fleet-agent", "os": { - "codename": "Core", - "family": "redhat", - "kernel": "5.11.0-44-generic", - "name": "CentOS Linux", - "platform": "centos", + "codename": "focal", + "family": "debian", + "kernel": "5.15.0-92-generic", + "name": "Ubuntu", + "platform": "ubuntu", "type": "linux", - "version": "7 (Core)" + "version": "20.04.6 LTS (Focal Fossa)" } }, "metricset": { @@ -62,7 +62,7 @@ "health": { "response": { "avg_time": { - "us": 3441 + "us": 826 }, "count": 16, "status_codes": { @@ -70,8 +70,8 @@ } }, "uptime": { - "sec": 20 + "sec": 17 } } } -} \ No newline at end of file +} diff --git a/packages/traefik/docs/README.md b/packages/traefik/docs/README.md index 6429141cb20..069e3ba7fa3 100644 --- a/packages/traefik/docs/README.md +++ b/packages/traefik/docs/README.md 
@@ -1,53 +1,78 @@ # Traefik Integration -This integration periodically fetches metrics from [Traefik](https://traefik.io/) servers. It also ingests access -logs created by the Traefik server. +## Overview + +[Traefik](https://traefik.io/) is a modern reverse proxy and load balancer that helps to manage and route incoming web traffic to the user's applications. It is designed to dynamically adjust to the changes in user's infrastructure, making it easy to deploy and scale user's services. Traefik integrates well with containerized environments and provides features like automatic SSL certificate management and support for multiple backends. + +Use the Traefik integration to: + +- Collect logs related to access. +- Create informative visualizations to track usage trends, measure key logs, and derive actionable business insights. +- Set up alerts to minimize Mean Time to Detect (MTTD) and Mean Time to Resolve (MTTR) by quickly referencing relevant logs during troubleshooting. + +## Data streams + +The Traefik integration collects logs data. + +Logs help User keep a record of events that happen on user's machine. Users can monitor and troubleshoot the performance of their Traefik instance by accessing the `Log` data stream, which includes client IP, host, username, request address, duration, and content. + +Data streams: +- `access`: Collects information related to the client IP, host, username, request address, duration, and content. + +Note: +- Users can monitor and see the log inside the ingested documents for Traefik in the `logs-*` index pattern from `Discover`. ## Compatibility -The Traefik datasets were tested with Traefik 1.6. +The Traefik datasets were tested with Traefik 1.6, 1.7 and 2.9 versions. + +## Prerequisites + +User need Elasticsearch for storing and searching user's data and Kibana for visualizing and managing it. 
User can use our hosted Elasticsearch Service on Elastic Cloud, which is recommended or self-manage the Elastic Stack on user's own hardware. + +## Setup + +For step-by-step instructions on how to set up an integration, see the [Getting started](https://www.elastic.co/guide/en/welcome-to-elastic/current/getting-started-observability.html) guide. + +## Validation + +After the integration is successfully configured, clicking on the Assets tab of the Traefik Integration should display a list of available dashboards. Click on the dashboard available for user's configured data stream. It should be populated with the required data. + +## Metrics +Note: +- The `/health` API endpoint which is used to collect the metrics is removed from Traefik `v2` version. Please refer this [issue](https://github.com/traefik/traefik/issues/7629) for more information. +- We are currently working on the metrics collection using the suggested [alternative](https://doc.traefik.io/traefik/v2.3/observability/metrics/prometheus/). Keep a watch on this [issue](https://github.com/elastic/integrations/issues/9820) for more updates. ## Logs ### Access Logs -The `access` data stream collects Traefik access logs. +The `access` data stream collects Traefik access logs. This data stream collects logs related to client IP, host, username, request address, duration, and content. 
+ +An example event for `access` looks as following: An example event for `access` looks as following: ```json { - "@timestamp": "2022-01-12T04:40:22.000Z", - "agent": { - "ephemeral_id": "49d5036c-5357-4aee-b7ae-08e2615d64e2", - "id": "9878d192-22ad-49b6-a6c2-9959b0815d04", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.0.0-beta1" - }, - "data_stream": { - "dataset": "traefik.access", - "namespace": "ep", - "type": "logs" + "@timestamp": "2024-02-09T11:53:32.609696286Z", + "destination": { + "address": "10.1.25.243", + "ip": "10.1.25.243", + "port": 80 }, "ecs": { "version": "8.5.1" }, - "elastic_agent": { - "id": "9878d192-22ad-49b6-a6c2-9959b0815d04", - "snapshot": false, - "version": "8.0.0-beta1" - }, "event": { - "agent_id_status": "verified", "category": [ "web" ], - "created": "2022-01-12T04:40:38.534Z", - "dataset": "traefik.access", - "duration": 0, - "ingested": "2022-01-12T04:40:39Z", + "created": "2020-04-28T11:07:58.223Z", + "duration": 59518533, + "ingested": "2024-02-13T16:08:40.190327617Z", "kind": "event", + "original": "{\"ClientAddr\": \"10.10.8.105:48376\",\"ClientHost\": \"175.16.199.10\",\"ClientPort\": \"48376\",\"ClientUsername\": \"-\",\"DownstreamContentSize\": 88,\"DownstreamStatus\": 200,\"Duration\": 59518533,\"OriginContentSize\": 88,\"OriginDuration\": 59428568,\"OriginStatus\": 200,\"Overhead\": 89965,\"RequestAddr\": \"api-students.unpad.ac.id\",\"RequestContentSize\": 0,\"RequestCount\": 75,\"RequestHost\": \"api-students.unpad.ac.id\",\"RequestMethod\": \"GET\",\"RequestPath\": \"/api/v1/study/140410210038/card/comment\",\"RequestPort\": \"-\",\"RequestProtocol\": \"HTTP/1.0\",\"RequestScheme\": \"http\",\"RetryAttempts\": 0,\"RouterName\": \"app-unpad-students-api-prod-app-unpad-students-api-api-students-unpad-ac-id-api@kubernetes\",\"ServiceAddr\": \"10.1.25.243:80\",\"ServiceName\": \"app-unpad-students-api-prod-app-unpad-students-api-80@kubernetes\",\"ServiceURL\": {\"Scheme\": \"http\",\"Opaque\": 
\"\",\"User\": null,\"Host\": \"10.1.25.243:80\",\"Path\": \"\",\"RawPath\": \"\",\"OmitHost\": false,\"ForceQuery\": false,\"RawQuery\": \"\",\"Fragment\": \"\",\"RawFragment\": \"\"},\"StartLocal\": \"2024-02-09T11:53:32.609696286Z\",\"StartUTC\": \"2024-02-09T11:53:32.609696286Z\",\"entryPointName\": \"web\",\"level\": \"info\",\"msg\": \"\",\"time\": \"2024-02-09T11:53:32Z\"}", "outcome": "success", "type": [ "access" 
@@ -55,64 +80,92 @@ An example event for `access` looks as following: }, "http": { "request": { - "method": "GET", - "referrer": "-" + "body": { + "bytes": 0 + }, + "method": "GET" }, "response": { "body": { - "bytes": 415 + "bytes": 88 }, "status_code": 200 }, - "version": "1.1" - }, - "input": { - "type": "log" + "version": "1.0" }, "log": { - "file": { - "path": "/tmp/service_logs/access-common.log" - }, - "offset": 0 + "level": "info" }, "network": { + "community_id": "1:Mgo2d5qbyedZ2JnxvcBh0BuPcWk=", "transport": "tcp" }, + "observer": { + "egress": { + "interface": { + "name": "app-unpad-students-api-prod-app-unpad-students-api-80@kubernetes" + } + }, + "ingress": { + "interface": { + "name": "web" + } + }, + "product": "traefik", + "type": "proxy", + "vendor": "traefik" + }, "related": { "ip": [ - "127.0.0.1" + "10.10.8.105", + "10.1.25.243" ] }, "source": { - "address": "127.0.0.1", - "ip": "127.0.0.1" + "address": "10.10.8.105:48376", + "ip": "10.10.8.105", + "port": 48376 }, "tags": [ - "forwarded" + "preserve_original_event" ], "traefik": { "access": { - "backend_url": "http://172.21.0.2:80", - "frontend_name": "Host-backend-elastic-package-service-docker-localhost-0", - "request_count": 1, - "user_identifier": "-" + "origin": { + "content_size": 88, + "duration": 59428568, + "status_code": 200 + }, + "overhead": 89965, + "request_count": 75, + "retry_attempts": 0, + "router": { + "name": "app-unpad-students-api-prod-app-unpad-students-api-api-students-unpad-ac-id-api@kubernetes" + }, + "service": { + "url": { + "domain": "10.1.25.243:80", + "force_query": false, + "fragment": "", + "opaque": "", + "path": "", + "raw_path": "", + "raw_query": "", + "user": null + } + } } }, "url": { - "original": "/" + "domain": "api-students.unpad.ac.id", + "original": "/api/v1/study/140410210038/card/comment", + "scheme": "http" }, "user": { "name": "-" - }, - "user_agent": { - "device": { - "name": "Other" - }, - "name": "curl", - "original": "curl/7.79.1", - 
"version": "7.79.1" } } + ``` **Exported fields** 
@@ -123,184 +176,33 @@ An example event for `access` looks as following: | data_stream.dataset | Data stream dataset. | constant_keyword | | data_stream.namespace | Data stream namespace. | constant_keyword | | data_stream.type | Data stream type. | constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| destination.as.organization.name | Organization name. | keyword | -| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | -| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| destination.geo.city_name | City name. | keyword | -| destination.geo.continent_name | Name of the continent. | keyword | -| destination.geo.country_iso_code | Country ISO code. | keyword | -| destination.geo.country_name | Country name. | keyword | -| destination.geo.location | Longitude and latitude. | geo_point | -| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| destination.geo.region_iso_code | Region ISO code. | keyword | -| destination.geo.region_name | Region name. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). 
| ip | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | | event.dataset | Event dataset | constant_keyword | | event.module | Event module | constant_keyword | -| http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword | -| http.request.referrer | Referrer for this HTTP request. | keyword | -| http.response.body.bytes | Size in bytes of the response body. | long | -| http.response.status_code | HTTP response status code. | long | -| http.version | HTTP version. | keyword | +| http.request.headers.\* | The canonical headers of the monitored HTTP request. | object | +| http.response.headers.\* | The canonical headers of the monitored HTTP response. | object | | input.type | Input type | keyword | -| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | | log.offset | Log offset | long | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| related.ip | All of the IPs seen on your event. 
| ip | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| tags | List of keywords used to tag each event. | keyword | -| traefik.access.backend_url | The url of the backend where request is forwarded | keyword | -| traefik.access.frontend_name | The name of the frontend used | keyword | -| traefik.access.request_count | The number of requests | long | -| traefik.access.user_agent.os | | alias | +| traefik.access.origin.content_size | The content length specified by the origin server, or 0 if unspecified. | long | +| traefik.access.origin.duration | The time taken (in nanoseconds) by the origin server ('upstream') to return its response. | long | +| traefik.access.origin.headers.\* | The canonical headers of the monitored HTTP request. 
| object | +| traefik.access.origin.status_code | The HTTP status code returned by the origin server. If the request was handled by this Traefik instance (e.g. with a redirect), then this value will be absent (0). | long | +| traefik.access.origin.status_line | OriginStatus + Status code explanation | keyword | +| traefik.access.overhead | The processing time overhead (in nanoseconds) caused by Traefik | long | +| traefik.access.request_count | The number of requests received since the Traefik instance started. | long | +| traefik.access.retry_attempts | The amount of attempts the request was retried | long | +| traefik.access.router.name | The name of the Traefik router | keyword | +| traefik.access.service.address | The IP:port of the Traefik backend (extracted from ServiceURL) | keyword | +| traefik.access.service.duration | The time taken (in nanoseconds) by the origin server ('upstream') to return its response. | long | +| traefik.access.service.url.domain | Domain of the url | keyword | +| traefik.access.service.url.force_query | Traefik specific url field | boolean | +| traefik.access.service.url.fragment | The fragment of the url | keyword | +| traefik.access.service.url.opaque | Traefik specific url field | keyword | +| traefik.access.service.url.original | Traefik url as used in common log format | keyword | +| traefik.access.service.url.path | The path of the url | keyword | +| traefik.access.service.url.query | The query string of the url | keyword | +| traefik.access.service.url.raw_path | Traefik specific url field | keyword | +| traefik.access.service.url.raw_query | Traefik specific url field | keyword | +| traefik.access.service.url.scheme | The scheme of the url | keyword | +| traefik.access.service.url.username | The username of the url | keyword | | traefik.access.user_identifier | Is the RFC 1413 identity of the client | keyword | -| url.domain | Domain of the url, such as "www.elastic.co". 
In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | -| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | -| url.original.text | Multi-field of `url.original`. | match_only_text | -| user.name | Short name or login of the user. | keyword | -| user.name.text | Multi-field of `user.name`. | match_only_text | -| user_agent.device.name | Name of the device. | keyword | -| user_agent.name | Name of the user agent. | keyword | -| user_agent.original | Unparsed user_agent string. | keyword | -| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text | -| user_agent.os.full | Operating system name, including the version or code name. | keyword | -| user_agent.os.full.text | Multi-field of `user_agent.os.full`. | match_only_text | -| user_agent.os.name | Operating system name, without the version. | keyword | -| user_agent.os.name.text | Multi-field of `user_agent.os.name`. | match_only_text | -| user_agent.os.version | Operating system version as a raw string. | keyword | -| user_agent.version | Version of the user agent. | keyword | - - -## Metrics - -### Health Metrics - -The `health` data stream collects metrics from the Traefik server. 
- -An example event for `health` looks as following: - -```json -{ - "@timestamp": "2022-01-12T04:42:17.051Z", - "agent": { - "ephemeral_id": "ddbf0fe2-5932-46a6-833b-101861fae9e6", - "id": "9878d192-22ad-49b6-a6c2-9959b0815d04", - "name": "docker-fleet-agent", - "type": "metricbeat", - "version": "8.0.0-beta1" - }, - "data_stream": { - "dataset": "traefik.health", - "namespace": "ep", - "type": "metrics" - }, - "ecs": { - "version": "8.5.1" - }, - "elastic_agent": { - "id": "9878d192-22ad-49b6-a6c2-9959b0815d04", - "snapshot": false, - "version": "8.0.0-beta1" - }, - "event": { - "agent_id_status": "verified", - "dataset": "traefik.health", - "duration": 37594678, - "ingested": "2022-01-12T04:42:18Z", - "module": "traefik" - }, - "host": { - "architecture": "x86_64", - "containerized": true, - "hostname": "docker-fleet-agent", - "id": "4ccba669f0df47fa3f57a9e4169ae7f1", - "ip": [ - "172.18.0.4" - ], - "mac": [ - "02:42:ac:12:00:04" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "Core", - "family": "redhat", - "kernel": "5.11.0-44-generic", - "name": "CentOS Linux", - "platform": "centos", - "type": "linux", - "version": "7 (Core)" - } - }, - "metricset": { - "name": "health", - "period": 10000 - }, - "service": { - "address": "http://elastic-package-service-traefik_format_common-1:8080/health", - "name": "traefik", - "type": "traefik" - }, - "traefik": { - "health": { - "response": { - "avg_time": { - "us": 3441 - }, - "count": 16, - "status_codes": { - "200": 16 - } - }, - "uptime": { - "sec": 20 - } - } - } -} -``` - -**Exported fields** - -| Field | Description | Type | Metric Type | -|---|---|---|---| -| @timestamp | Event timestamp. | date | | -| agent.id | Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id. | keyword | | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. 
Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | | -| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | | -| cloud.instance.id | Instance ID of the host machine. | keyword | | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | | -| cloud.region | Region in which this host, resource, or service is located. | keyword | | -| container.id | Unique container id. | keyword | | -| data_stream.dataset | Data stream dataset. | constant_keyword | | -| data_stream.namespace | Data stream namespace. | constant_keyword | | -| data_stream.type | Data stream type. | constant_keyword | | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | | -| event.dataset | Event dataset | constant_keyword | | -| event.module | Event module | constant_keyword | | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | -| service.address | Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). | keyword | | -| service.name | Name of the service data is collected from. The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. 
| keyword | | -| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | | -| traefik.health.response.avg_time.us | Average response time in microseconds | long | gauge | -| traefik.health.response.count | Number of responses | long | counter | -| traefik.health.response.status_codes.\* | Number of responses per status code | object | counter | -| traefik.health.uptime.sec | Uptime of Traefik instance in seconds | long | gauge | diff --git a/packages/traefik/kibana/dashboard/traefik-Logs-Traefik-Dashboard.json b/packages/traefik/kibana/dashboard/traefik-Logs-Traefik-Dashboard.json index ed26c613540..e62fecd2c67 100644 --- a/packages/traefik/kibana/dashboard/traefik-Logs-Traefik-Dashboard.json +++ b/packages/traefik/kibana/dashboard/traefik-Logs-Traefik-Dashboard.json 
@@ -1,821 +1,821 @@ { - "id": "traefik-Logs-Traefik-Dashboard", - "type": "dashboard", - "namespaces": [ - "default" - ], - "migrationVersion": { - "dashboard": "8.7.0" - }, - "coreMigrationVersion": "8.8.0", - "typeMigrationVersion": "8.7.0", - "updated_at": "2023-11-07T17:29:45.074Z", - "created_at": "2023-11-07T17:29:45.074Z", - "version": "WzE2OCwxXQ==", - "attributes": { - "description": "Dashboard for the Logs Traefik integration", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [], - "query": { - "language": "kuery", - "query": "" - } - } - }, - "optionsJSON": { - "darkTheme": false + "id": "traefik-Logs-Traefik-Dashboard", + "type": "dashboard", + "namespaces": [ + "default" + ], + "migrationVersion": { + "dashboard": "8.7.0" }, - "panelsJSON": [ - { - "embeddableConfig": { - "enhancements": {}, - "hiddenLayers": [], - "isLayerTOCOpen": true, - "mapBuffer": { - "maxLat": 40.9799, - "maxLon": 135, - "minLat": -40.9799, - "minLon": -135 - }, - "mapCenter": { - "lat": 19.94277, - "lon": 0, - "zoom": 2.11 - }, - "openTOCDetails": [], - "attributes": { - "title": "Traefik logs [Logs Traefik]", - "description": "", - "uiStateJSON": "{\"isLayerTOCOpen\":true,\"openTOCDetails\":[]}", - "mapStateJSON": 
"{\"center\":{\"lat\":19.94277,\"lon\":0},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"refreshConfig\":{\"interval\":0,\"isPaused\":true},\"settings\":{\"autoFitToDataBounds\":false,\"backgroundColor\":\"#ffffff\",\"browserLocation\":{\"zoom\":2},\"disableInteractive\":false,\"disableTooltipControl\":false,\"fixedLocation\":{\"lat\":0,\"lon\":0,\"zoom\":2},\"hideLayerControl\":false,\"hideToolbarOverlay\":false,\"hideViewControl\":false,\"initialLocation\":\"LAST_SAVED_LOCATION\",\"maxZoom\":24,\"minZoom\":0,\"showScaleControl\":false,\"showSpatialFilters\":true,\"showTimesliderToggleButton\":true,\"spatialFiltersAlpa\":0.3,\"spatialFiltersFillColor\":\"#DA8B45\",\"spatialFiltersLineColor\":\"#DA8B45\"},\"timeFilters\":{\"from\":\"now-15m\",\"to\":\"now\"},\"zoom\":2.11}", - "layerListJSON": "[{\"alpha\":1,\"id\":\"cccbea23-8692-421c-80e4-0f33e025c810\",\"includeInFitToBounds\":true,\"label\":null,\"maxZoom\":24,\"minZoom\":0,\"sourceDescriptor\":{\"isAutoSelect\":true,\"lightModeDefault\":\"road_map_desaturated\",\"type\":\"EMS_TMS\"},\"style\":{\"type\":\"TILE\"},\"type\":\"EMS_VECTOR_TILE\",\"visible\":true},{\"alpha\":0.75,\"id\":\"151240fd-cdc3-41d3-aaf8-21af553ecb69\",\"includeInFitToBounds\":true,\"joins\":[],\"label\":\"Access Map [Logs Traefik]\",\"maxZoom\":24,\"minZoom\":0,\"sourceDescriptor\":{\"applyForceRefresh\":true,\"applyGlobalQuery\":true,\"applyGlobalTime\":true,\"geoField\":\"source.geo.location\",\"id\":\"a8ada758-9bca-4cde-93b2-a62db261663d\",\"indexPatternRefName\":\"layer_1_source_index_pattern\",\"metrics\":[{\"type\":\"count\"}],\"requestType\":\"point\",\"resolution\":\"MOST_FINE\",\"type\":\"ES_GEO_GRID\"},\"style\":{\"isTimeAware\":true,\"properties\":{\"fillColor\":{\"options\":{\"color\":\"Yellow to 
Red\",\"colorCategory\":\"palette_0\",\"field\":{\"name\":\"doc_count\",\"origin\":\"source\"},\"fieldMetaOptions\":{\"isEnabled\":false,\"sigma\":3},\"type\":\"ORDINAL\"},\"type\":\"DYNAMIC\"},\"icon\":{\"options\":{\"value\":\"marker\"},\"type\":\"STATIC\"},\"iconOrientation\":{\"options\":{\"orientation\":0},\"type\":\"STATIC\"},\"iconSize\":{\"options\":{\"field\":{\"name\":\"doc_count\",\"origin\":\"source\"},\"fieldMetaOptions\":{\"isEnabled\":false,\"sigma\":3},\"maxSize\":18,\"minSize\":7},\"type\":\"DYNAMIC\"},\"labelBorderColor\":{\"options\":{\"color\":\"#FFFFFF\"},\"type\":\"STATIC\"},\"labelBorderSize\":{\"options\":{\"size\":\"SMALL\"}},\"labelColor\":{\"options\":{\"color\":\"#000000\"},\"type\":\"STATIC\"},\"labelSize\":{\"options\":{\"size\":14},\"type\":\"STATIC\"},\"labelText\":{\"options\":{\"value\":\"\"},\"type\":\"STATIC\"},\"lineColor\":{\"options\":{\"color\":\"#3d3d3d\"},\"type\":\"STATIC\"},\"lineWidth\":{\"options\":{\"size\":1},\"type\":\"STATIC\"},\"symbolizeAs\":{\"options\":{\"value\":\"circle\"}}},\"type\":\"VECTOR\"},\"type\":\"GEOJSON_VECTOR\",\"visible\":true}]" - } - }, - "gridData": { - "h": 15, - "i": "121accaa-e45e-414b-b9a3-f73fba06cf83", - "w": 48, - "x": 0, - "y": 0 + "coreMigrationVersion": "8.8.0", + "typeMigrationVersion": "8.7.0", + "updated_at": "2023-11-07T17:29:45.074Z", + "created_at": "2023-11-07T17:29:45.074Z", + "version": "WzE2OCwxXQ==", + "attributes": { + "description": "Dashboard for the Logs Traefik integration", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } }, - "panelIndex": "121accaa-e45e-414b-b9a3-f73fba06cf83", - "type": "map", - "version": "8.4.0" - }, - { - "version": "8.7.0", - "type": "lens", - "gridData": { - "h": 12, - "i": "2efa927c-4fd1-4073-9b78-8ef6ec27200d", - "w": 48, - "x": 0, - "y": 15 + "optionsJSON": { + "darkTheme": false }, - "panelIndex": "2efa927c-4fd1-4073-9b78-8ef6ec27200d", - 
"embeddableConfig": { - "attributes": { - "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "indexpattern-datasource-layer-2b18aa0a-3889-45f0-9aa1-3ba3510050c3", - "type": "index-pattern" - } - ], - "state": { - "datasourceStates": { - "formBased": { - "layers": { - "2b18aa0a-3889-45f0-9aa1-3ba3510050c3": { - "columnOrder": [ - "9589a442-3d90-43f6-b4cc-1cecc12fd524", - "6d13e5b3-058b-4b1c-b5f0-fec158cc5750", - "6ff80030-787b-4fae-a4f4-7a0b0194e4ad" - ], - "columns": { - "6d13e5b3-058b-4b1c-b5f0-fec158cc5750": { - "customLabel": true, - "dataType": "number", - "isBucketed": true, - "label": "http.response.status_code: Descending", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "columnId": "6ff80030-787b-4fae-a4f4-7a0b0194e4ad", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": true, - "size": 5 - }, - "scale": "ordinal", - "sourceField": "http.response.status_code" - }, - "6ff80030-787b-4fae-a4f4-7a0b0194e4ad": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Count", - "operationType": "count", - "scale": "ratio", - "sourceField": "___records___" - }, - "9589a442-3d90-43f6-b4cc-1cecc12fd524": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "interval": "auto", - "includeEmptyRows": true - }, - "scale": "interval", - "sourceField": "@timestamp" - } - }, - "incompleteColumns": {} + "panelsJSON": [ + { + "embeddableConfig": { + "enhancements": {}, + "hiddenLayers": [], + "isLayerTOCOpen": true, + "mapBuffer": { + "maxLat": 40.9799, + "maxLon": 135, + "minLat": -40.9799, + "minLon": -135 + }, + "mapCenter": { + "lat": 19.94277, + "lon": 0, + "zoom": 2.11 + }, + "openTOCDetails": [], + "attributes": { + "title": "Traefik logs [Logs Traefik]", + "description": "", + "uiStateJSON": 
"{\"isLayerTOCOpen\":true,\"openTOCDetails\":[]}", + "mapStateJSON": "{\"center\":{\"lat\":19.94277,\"lon\":0},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"refreshConfig\":{\"interval\":0,\"isPaused\":true},\"settings\":{\"autoFitToDataBounds\":false,\"backgroundColor\":\"#ffffff\",\"browserLocation\":{\"zoom\":2},\"disableInteractive\":false,\"disableTooltipControl\":false,\"fixedLocation\":{\"lat\":0,\"lon\":0,\"zoom\":2},\"hideLayerControl\":false,\"hideToolbarOverlay\":false,\"hideViewControl\":false,\"initialLocation\":\"LAST_SAVED_LOCATION\",\"maxZoom\":24,\"minZoom\":0,\"showScaleControl\":false,\"showSpatialFilters\":true,\"showTimesliderToggleButton\":true,\"spatialFiltersAlpa\":0.3,\"spatialFiltersFillColor\":\"#DA8B45\",\"spatialFiltersLineColor\":\"#DA8B45\"},\"timeFilters\":{\"from\":\"now-15m\",\"to\":\"now\"},\"zoom\":2.11}", + "layerListJSON": "[{\"alpha\":1,\"id\":\"cccbea23-8692-421c-80e4-0f33e025c810\",\"includeInFitToBounds\":true,\"label\":null,\"maxZoom\":24,\"minZoom\":0,\"sourceDescriptor\":{\"isAutoSelect\":true,\"lightModeDefault\":\"road_map_desaturated\",\"type\":\"EMS_TMS\"},\"style\":{\"type\":\"TILE\"},\"type\":\"EMS_VECTOR_TILE\",\"visible\":true},{\"alpha\":0.75,\"id\":\"151240fd-cdc3-41d3-aaf8-21af553ecb69\",\"includeInFitToBounds\":true,\"joins\":[],\"label\":\"Access Map [Logs Traefik]\",\"maxZoom\":24,\"minZoom\":0,\"sourceDescriptor\":{\"applyForceRefresh\":true,\"applyGlobalQuery\":true,\"applyGlobalTime\":true,\"geoField\":\"source.geo.location\",\"id\":\"a8ada758-9bca-4cde-93b2-a62db261663d\",\"indexPatternRefName\":\"layer_1_source_index_pattern\",\"metrics\":[{\"type\":\"count\"}],\"requestType\":\"point\",\"resolution\":\"MOST_FINE\",\"type\":\"ES_GEO_GRID\"},\"style\":{\"isTimeAware\":true,\"properties\":{\"fillColor\":{\"options\":{\"color\":\"Yellow to 
Red\",\"colorCategory\":\"palette_0\",\"field\":{\"name\":\"doc_count\",\"origin\":\"source\"},\"fieldMetaOptions\":{\"isEnabled\":false,\"sigma\":3},\"type\":\"ORDINAL\"},\"type\":\"DYNAMIC\"},\"icon\":{\"options\":{\"value\":\"marker\"},\"type\":\"STATIC\"},\"iconOrientation\":{\"options\":{\"orientation\":0},\"type\":\"STATIC\"},\"iconSize\":{\"options\":{\"field\":{\"name\":\"doc_count\",\"origin\":\"source\"},\"fieldMetaOptions\":{\"isEnabled\":false,\"sigma\":3},\"maxSize\":18,\"minSize\":7},\"type\":\"DYNAMIC\"},\"labelBorderColor\":{\"options\":{\"color\":\"#FFFFFF\"},\"type\":\"STATIC\"},\"labelBorderSize\":{\"options\":{\"size\":\"SMALL\"}},\"labelColor\":{\"options\":{\"color\":\"#000000\"},\"type\":\"STATIC\"},\"labelSize\":{\"options\":{\"size\":14},\"type\":\"STATIC\"},\"labelText\":{\"options\":{\"value\":\"\"},\"type\":\"STATIC\"},\"lineColor\":{\"options\":{\"color\":\"#3d3d3d\"},\"type\":\"STATIC\"},\"lineWidth\":{\"options\":{\"size\":1},\"type\":\"STATIC\"},\"symbolizeAs\":{\"options\":{\"value\":\"circle\"}}},\"type\":\"VECTOR\"},\"type\":\"GEOJSON_VECTOR\",\"visible\":true}]" } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "(data_stream.dataset:traefik.access)" - }, - "visualization": { - "gridlinesVisibilitySettings": { - "x": false, - "yLeft": false, - "yRight": true }, - "layers": [ - { - "accessors": [ - "6ff80030-787b-4fae-a4f4-7a0b0194e4ad" - ], - "layerId": "2b18aa0a-3889-45f0-9aa1-3ba3510050c3", - "layerType": "data", - "position": "top", - "seriesType": "bar_stacked", - "showGridlines": false, - "splitAccessor": "6d13e5b3-058b-4b1c-b5f0-fec158cc5750", - "xAccessor": "9589a442-3d90-43f6-b4cc-1cecc12fd524", - "yConfig": [ - { - "axisMode": "left", - "forAccessor": "6ff80030-787b-4fae-a4f4-7a0b0194e4ad" - } - ] - } - ], - "legend": { - "isVisible": true, - "position": "right", - "showSingleSeries": true, - "legendSize": "auto" + "gridData": { + "h": 15, + "i": "121accaa-e45e-414b-b9a3-f73fba06cf83", + "w": 
48, + "x": 0, + "y": 0 }, - "preferredSeriesType": "bar_stacked", - "title": "Empty XY chart", - "valueLabels": "hide", - "valuesInLegend": false, - "yLeftExtent": { - "mode": "full" - }, - "yRightExtent": { - "mode": "full" - } - } + "panelIndex": "121accaa-e45e-414b-b9a3-f73fba06cf83", + "type": "map", + "version": "8.4.0" }, - "title": "", - "type": "lens", - "visualizationType": "lnsXY" - }, - "enhancements": {}, - "type": "lens" - }, - "title": "Response codes over time [Logs Traefik]" - }, - { - "version": "8.7.0", - "type": "lens", - "gridData": { - "h": 12, - "i": "b22d8a5b-a46f-4763-a884-e0032620fb37", - "w": 48, - "x": 0, - "y": 27 - }, - "panelIndex": "b22d8a5b-a46f-4763-a884-e0032620fb37", - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "indexpattern-datasource-layer-ef238d74-b1e4-43f4-a941-8ffd25108069", - "type": "index-pattern" - } - ], - "state": { - "datasourceStates": { - "formBased": { - "layers": { - "ef238d74-b1e4-43f4-a941-8ffd25108069": { - "columnOrder": [ - "607e1467-5e59-4bd0-85fc-18a9c7a87ad0", - "54e6eb58-591a-4687-96a5-c5a86d89f84b", - "d30886a2-878c-4684-ad70-e678d5c373f1" - ], - "columns": { - "54e6eb58-591a-4687-96a5-c5a86d89f84b": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Top URLs", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "columnId": "d30886a2-878c-4684-ad70-e678d5c373f1", - "type": "column" + { + "version": "8.7.0", + "type": "lens", + "gridData": { + "h": 12, + "i": "2efa927c-4fd1-4073-9b78-8ef6ec27200d", + "w": 48, + "x": 0, + "y": 15 + }, + "panelIndex": "2efa927c-4fd1-4073-9b78-8ef6ec27200d", + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" }, - "orderDirection": "desc", - 
"otherBucket": false, - "size": 5 - }, - "scale": "ordinal", - "sourceField": "url.original" - }, - "607e1467-5e59-4bd0-85fc-18a9c7a87ad0": { - "customLabel": true, - "dataType": "number", - "isBucketed": true, - "label": "http.response.status_code", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "columnId": "d30886a2-878c-4684-ad70-e678d5c373f1", - "type": "column" + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-2b18aa0a-3889-45f0-9aa1-3ba3510050c3", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "formBased": { + "layers": { + "2b18aa0a-3889-45f0-9aa1-3ba3510050c3": { + "columnOrder": [ + "9589a442-3d90-43f6-b4cc-1cecc12fd524", + "6d13e5b3-058b-4b1c-b5f0-fec158cc5750", + "6ff80030-787b-4fae-a4f4-7a0b0194e4ad" + ], + "columns": { + "6d13e5b3-058b-4b1c-b5f0-fec158cc5750": { + "customLabel": true, + "dataType": "number", + "isBucketed": true, + "label": "http.response.status_code: Descending", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "6ff80030-787b-4fae-a4f4-7a0b0194e4ad", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "http.response.status_code" + }, + "6ff80030-787b-4fae-a4f4-7a0b0194e4ad": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "___records___" + }, + "9589a442-3d90-43f6-b4cc-1cecc12fd524": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "interval": "auto", + "includeEmptyRows": true + }, + "scale": "interval", + "sourceField": "@timestamp" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "(data_stream.dataset:traefik.access)" }, - "orderDirection": "desc", - "otherBucket": false, - "size": 5 
- }, - "scale": "ordinal", - "sourceField": "http.response.status_code" + "visualization": { + "gridlinesVisibilitySettings": { + "x": false, + "yLeft": false, + "yRight": true + }, + "layers": [ + { + "accessors": [ + "6ff80030-787b-4fae-a4f4-7a0b0194e4ad" + ], + "layerId": "2b18aa0a-3889-45f0-9aa1-3ba3510050c3", + "layerType": "data", + "position": "top", + "seriesType": "bar_stacked", + "showGridlines": false, + "splitAccessor": "6d13e5b3-058b-4b1c-b5f0-fec158cc5750", + "xAccessor": "9589a442-3d90-43f6-b4cc-1cecc12fd524", + "yConfig": [ + { + "axisMode": "left", + "forAccessor": "6ff80030-787b-4fae-a4f4-7a0b0194e4ad" + } + ] + } + ], + "legend": { + "isVisible": true, + "position": "right", + "showSingleSeries": true, + "legendSize": "auto" + }, + "preferredSeriesType": "bar_stacked", + "title": "Empty XY chart", + "valueLabels": "hide", + "valuesInLegend": false, + "yLeftExtent": { + "mode": "full" + }, + "yRightExtent": { + "mode": "full" + } + } }, - "d30886a2-878c-4684-ad70-e678d5c373f1": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Count", - "operationType": "count", - "scale": "ratio", - "sourceField": "___records___" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "columns": [ - { - "columnId": "607e1467-5e59-4bd0-85fc-18a9c7a87ad0", - "isTransposed": true - }, - { - "columnId": "607e1467-5e59-4bd0-85fc-18a9c7a87ad0", - "isTransposed": true - }, - { - "columnId": "54e6eb58-591a-4687-96a5-c5a86d89f84b", - "isTransposed": false - }, - { - "columnId": "d30886a2-878c-4684-ad70-e678d5c373f1", - "isTransposed": false - } - ], - "layerId": "ef238d74-b1e4-43f4-a941-8ffd25108069", - "layerType": "data", - "rowHeight": "single", - "rowHeightLines": 1 - } + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "type": "lens" + }, + "title": "Response codes over time [Logs Traefik]" }, - 
"title": "", - "type": "lens", - "visualizationType": "lnsDatatable" - }, - "enhancements": {}, - "type": "lens" - }, - "title": "Response codes by top URLs [Logs Traefik]" - }, - { - "version": "8.7.0", - "type": "lens", - "gridData": { - "h": 16, - "i": "d299d213-6e63-485b-9c58-61209d984bce", - "w": 16, - "x": 0, - "y": 39 - }, - "panelIndex": "d299d213-6e63-485b-9c58-61209d984bce", - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "indexpattern-datasource-layer-4197aa5d-acaf-4763-b484-11eb2549236f", - "type": "index-pattern" - } - ], - "state": { - "datasourceStates": { - "formBased": { - "layers": { - "4197aa5d-acaf-4763-b484-11eb2549236f": { - "columnOrder": [ - "2a765fd5-0372-4b9d-905f-f4b4f26a6447", - "71cbfad3-6ff2-4f28-9020-3bfe22ff57ae", - "6d5f8062-c79c-486c-9794-6573d150079e" - ], - "columns": { - "2a765fd5-0372-4b9d-905f-f4b4f26a6447": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "user_agent.name: Descending", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "columnId": "6d5f8062-c79c-486c-9794-6573d150079e", - "type": "column" + { + "version": "8.7.0", + "type": "lens", + "gridData": { + "h": 12, + "i": "b22d8a5b-a46f-4763-a884-e0032620fb37", + "w": 48, + "x": 0, + "y": 27 + }, + "panelIndex": "b22d8a5b-a46f-4763-a884-e0032620fb37", + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" }, - "orderDirection": "desc", - "otherBucket": false, - "size": 5 - }, - "scale": "ordinal", - "sourceField": "user_agent.name" - }, - "6d5f8062-c79c-486c-9794-6573d150079e": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Count", - "operationType": "count", - "scale": "ratio", - "sourceField": 
"___records___" - }, - "71cbfad3-6ff2-4f28-9020-3bfe22ff57ae": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "user_agent.version: Descending", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "columnId": "6d5f8062-c79c-486c-9794-6573d150079e", - "type": "column" + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-ef238d74-b1e4-43f4-a941-8ffd25108069", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "formBased": { + "layers": { + "ef238d74-b1e4-43f4-a941-8ffd25108069": { + "columnOrder": [ + "607e1467-5e59-4bd0-85fc-18a9c7a87ad0", + "54e6eb58-591a-4687-96a5-c5a86d89f84b", + "d30886a2-878c-4684-ad70-e678d5c373f1" + ], + "columns": { + "54e6eb58-591a-4687-96a5-c5a86d89f84b": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Top URLs", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "d30886a2-878c-4684-ad70-e678d5c373f1", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "url.original" + }, + "607e1467-5e59-4bd0-85fc-18a9c7a87ad0": { + "customLabel": true, + "dataType": "number", + "isBucketed": true, + "label": "http.response.status_code", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "d30886a2-878c-4684-ad70-e678d5c373f1", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "http.response.status_code" + }, + "d30886a2-878c-4684-ad70-e678d5c373f1": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {} + } + } + } }, - "orderDirection": "desc", - "otherBucket": false, - "size": 5 - }, - "scale": "ordinal", - 
"sourceField": "user_agent.version" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "layers": [ - { - "categoryDisplay": "default", - "layerId": "4197aa5d-acaf-4763-b484-11eb2549236f", - "layerType": "data", - "legendDisplay": "show", - "legendPosition": "bottom", - "nestedLegend": false, - "numberDisplay": "percent", - "legendSize": "auto", - "primaryGroups": [ - "2a765fd5-0372-4b9d-905f-f4b4f26a6447", - "71cbfad3-6ff2-4f28-9020-3bfe22ff57ae" - ], - "metrics": [ - "6d5f8062-c79c-486c-9794-6573d150079e" - ] - } - ], - "palette": { - "name": "kibana_palette", - "type": "palette" + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "columnId": "607e1467-5e59-4bd0-85fc-18a9c7a87ad0", + "isTransposed": true + }, + { + "columnId": "607e1467-5e59-4bd0-85fc-18a9c7a87ad0", + "isTransposed": true + }, + { + "columnId": "54e6eb58-591a-4687-96a5-c5a86d89f84b", + "isTransposed": false + }, + { + "columnId": "d30886a2-878c-4684-ad70-e678d5c373f1", + "isTransposed": false + } + ], + "layerId": "ef238d74-b1e4-43f4-a941-8ffd25108069", + "layerType": "data", + "rowHeight": "single", + "rowHeightLines": 1 + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": {}, + "type": "lens" }, - "shape": "donut" - } + "title": "Response codes by top URLs [Logs Traefik]" }, - "title": "", - "type": "lens", - "visualizationType": "lnsPie" - }, - "enhancements": {}, - "type": "lens" - }, - "title": "Browsers breakdown [Logs Traefik]" - }, - { - "version": "8.7.0", - "type": "lens", - "gridData": { - "h": 16, - "i": "2386dd27-15d0-42ac-85f2-406febb6d3b1", - "w": 16, - "x": 16, - "y": 39 - }, - "panelIndex": "2386dd27-15d0-42ac-85f2-406febb6d3b1", - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": 
"index-pattern" - }, - { - "id": "logs-*", - "name": "indexpattern-datasource-layer-38d38e12-d8c2-41a2-944b-f543271336df", - "type": "index-pattern" - } - ], - "state": { - "datasourceStates": { - "formBased": { - "layers": { - "38d38e12-d8c2-41a2-944b-f543271336df": { - "columnOrder": [ - "3bb8db2c-ba41-4927-8679-d0cd1fbfcf36", - "27deb44a-1572-43a0-9db2-34e312e891a3", - "97ebb05c-0b6e-4828-aff7-154fd2726900" - ], - "columns": { - "27deb44a-1572-43a0-9db2-34e312e891a3": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "user_agent.os.version: Descending", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "columnId": "97ebb05c-0b6e-4828-aff7-154fd2726900", - "type": "column" + { + "version": "8.7.0", + "type": "lens", + "gridData": { + "h": 16, + "i": "d299d213-6e63-485b-9c58-61209d984bce", + "w": 16, + "x": 0, + "y": 39 + }, + "panelIndex": "d299d213-6e63-485b-9c58-61209d984bce", + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" }, - "orderDirection": "desc", - "otherBucket": false, - "size": 5 - }, - "scale": "ordinal", - "sourceField": "user_agent.os.version" - }, - "3bb8db2c-ba41-4927-8679-d0cd1fbfcf36": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "user_agent.os.name: Descending", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "columnId": "97ebb05c-0b6e-4828-aff7-154fd2726900", - "type": "column" + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-4197aa5d-acaf-4763-b484-11eb2549236f", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "formBased": { + "layers": { + "4197aa5d-acaf-4763-b484-11eb2549236f": { + "columnOrder": [ + "2a765fd5-0372-4b9d-905f-f4b4f26a6447", + "71cbfad3-6ff2-4f28-9020-3bfe22ff57ae", + "6d5f8062-c79c-486c-9794-6573d150079e" + ], + "columns": { + 
"2a765fd5-0372-4b9d-905f-f4b4f26a6447": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "user_agent.name: Descending", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "6d5f8062-c79c-486c-9794-6573d150079e", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "user_agent.name" + }, + "6d5f8062-c79c-486c-9794-6573d150079e": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "___records___" + }, + "71cbfad3-6ff2-4f28-9020-3bfe22ff57ae": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "user_agent.version: Descending", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "6d5f8062-c79c-486c-9794-6573d150079e", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "user_agent.version" + } + }, + "incompleteColumns": {} + } + } + } }, - "orderDirection": "desc", - "otherBucket": false, - "size": 5 - }, - "scale": "ordinal", - "sourceField": "user_agent.os.name" + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "layerId": "4197aa5d-acaf-4763-b484-11eb2549236f", + "layerType": "data", + "legendDisplay": "show", + "legendPosition": "bottom", + "nestedLegend": false, + "numberDisplay": "percent", + "legendSize": "auto", + "primaryGroups": [ + "2a765fd5-0372-4b9d-905f-f4b4f26a6447", + "71cbfad3-6ff2-4f28-9020-3bfe22ff57ae" + ], + "metrics": [ + "6d5f8062-c79c-486c-9794-6573d150079e" + ] + } + ], + "palette": { + "name": "kibana_palette", + "type": "palette" + }, + "shape": "donut" + } }, - "97ebb05c-0b6e-4828-aff7-154fd2726900": { - "customLabel": true, - "dataType": 
"number", - "isBucketed": false, - "label": "Count", - "operationType": "count", - "scale": "ratio", - "sourceField": "___records___" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "layers": [ - { - "categoryDisplay": "default", - "layerId": "38d38e12-d8c2-41a2-944b-f543271336df", - "layerType": "data", - "legendDisplay": "show", - "legendPosition": "bottom", - "nestedLegend": false, - "numberDisplay": "percent", - "legendSize": "auto", - "primaryGroups": [ - "3bb8db2c-ba41-4927-8679-d0cd1fbfcf36", - "27deb44a-1572-43a0-9db2-34e312e891a3" - ], - "metrics": [ - "97ebb05c-0b6e-4828-aff7-154fd2726900" - ] - } - ], - "palette": { - "name": "kibana_palette", - "type": "palette" + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": {}, + "type": "lens" }, - "shape": "donut" - } + "title": "Browsers breakdown [Logs Traefik]" }, - "title": "", - "type": "lens", - "visualizationType": "lnsPie" - }, - "enhancements": {}, - "type": "lens" - }, - "title": "Operating systems breakdown [Logs Traefik]" - }, - { - "version": "8.7.0", - "type": "lens", - "gridData": { - "h": 16, - "i": "5ca3d02c-d713-41c9-abe8-a9c4a1f97c3d", - "w": 16, - "x": 32, - "y": 39 - }, - "panelIndex": "5ca3d02c-d713-41c9-abe8-a9c4a1f97c3d", - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "indexpattern-datasource-layer-7042a118-2f13-41fb-b0e6-192c1233689d", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "indexpattern-datasource-layer-0b13f4d2-11cd-47b5-8128-7dcb60514861", - "type": "index-pattern" - } - ], - "state": { - "datasourceStates": { - "formBased": { - "layers": { - "0b13f4d2-11cd-47b5-8128-7dcb60514861": { - "columnOrder": [ - "df0a2fac-79a4-4354-a468-b9a6992e9335", - 
"092db128-4fe0-463d-aee6-871ea4032f18" - ], - "columns": { - "092db128-4fe0-463d-aee6-871ea4032f18": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Count", - "operationType": "count", - "scale": "ratio", - "sourceField": "___records___" + { + "version": "8.7.0", + "type": "lens", + "gridData": { + "h": 16, + "i": "2386dd27-15d0-42ac-85f2-406febb6d3b1", + "w": 16, + "x": 16, + "y": 39 + }, + "panelIndex": "2386dd27-15d0-42ac-85f2-406febb6d3b1", + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-38d38e12-d8c2-41a2-944b-f543271336df", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "formBased": { + "layers": { + "38d38e12-d8c2-41a2-944b-f543271336df": { + "columnOrder": [ + "3bb8db2c-ba41-4927-8679-d0cd1fbfcf36", + "27deb44a-1572-43a0-9db2-34e312e891a3", + "97ebb05c-0b6e-4828-aff7-154fd2726900" + ], + "columns": { + "27deb44a-1572-43a0-9db2-34e312e891a3": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "user_agent.os.version: Descending", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "97ebb05c-0b6e-4828-aff7-154fd2726900", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "user_agent.os.version" + }, + "3bb8db2c-ba41-4927-8679-d0cd1fbfcf36": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "user_agent.os.name: Descending", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "97ebb05c-0b6e-4828-aff7-154fd2726900", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "user_agent.os.name" + }, + 
"97ebb05c-0b6e-4828-aff7-154fd2726900": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "layerId": "38d38e12-d8c2-41a2-944b-f543271336df", + "layerType": "data", + "legendDisplay": "show", + "legendPosition": "bottom", + "nestedLegend": false, + "numberDisplay": "percent", + "legendSize": "auto", + "primaryGroups": [ + "3bb8db2c-ba41-4927-8679-d0cd1fbfcf36", + "27deb44a-1572-43a0-9db2-34e312e891a3" + ], + "metrics": [ + "97ebb05c-0b6e-4828-aff7-154fd2726900" + ] + } + ], + "palette": { + "name": "kibana_palette", + "type": "palette" + }, + "shape": "donut" + } }, - "df0a2fac-79a4-4354-a468-b9a6992e9335": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "interval": "auto", - "includeEmptyRows": true - }, - "scale": "interval", - "sourceField": "@timestamp" - } - }, - "incompleteColumns": {} + "title": "", + "type": "lens", + "visualizationType": "lnsPie" }, - "7042a118-2f13-41fb-b0e6-192c1233689d": { - "columnOrder": [ - "bca2786a-0632-4fcb-bddf-6d0a9259844f", - "f4e8ed07-3254-4ec6-b80d-8568d9ea7018" - ], - "columns": { - "bca2786a-0632-4fcb-bddf-6d0a9259844f": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "interval": "auto", - "includeEmptyRows": true - }, - "scale": "interval", - "sourceField": "@timestamp" - }, - "f4e8ed07-3254-4ec6-b80d-8568d9ea7018": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Data sent", - "operationType": "sum", - "scale": "ratio", - "sourceField": "http.response.body.bytes" - } - }, - "incompleteColumns": {} - } - } - } - }, - 
"filters": [], - "query": { - "language": "kuery", - "query": "data_stream.dataset:traefik.access" - }, - "visualization": { - "fittingFunction": "Linear", - "layers": [ - { - "accessors": [ - "f4e8ed07-3254-4ec6-b80d-8568d9ea7018" - ], - "layerId": "7042a118-2f13-41fb-b0e6-192c1233689d", - "layerType": "data", - "position": "top", - "seriesType": "line", - "showGridlines": false, - "xAccessor": "bca2786a-0632-4fcb-bddf-6d0a9259844f" - }, - { - "accessors": [ - "092db128-4fe0-463d-aee6-871ea4032f18" - ], - "layerId": "0b13f4d2-11cd-47b5-8128-7dcb60514861", - "layerType": "data", - "seriesType": "line", - "xAccessor": "df0a2fac-79a4-4354-a468-b9a6992e9335", - "yConfig": [ - { - "axisMode": "right", - "color": "#d6bf57", - "forAccessor": "092db128-4fe0-463d-aee6-871ea4032f18" - } - ] - } - ], - "legend": { - "isVisible": true, - "position": "right", - "legendSize": "auto" - }, - "preferredSeriesType": "line", - "title": "Empty XY chart", - "valueLabels": "hide", - "yLeftExtent": { - "mode": "full" + "enhancements": {}, + "type": "lens" }, - "yRightExtent": { - "mode": "full" - } - } + "title": "Operating systems breakdown [Logs Traefik]" }, - "title": "", - "type": "lens", - "visualizationType": "lnsXY" - }, - "enhancements": {}, - "type": "lens" + { + "version": "8.7.0", + "type": "lens", + "gridData": { + "h": 16, + "i": "5ca3d02c-d713-41c9-abe8-a9c4a1f97c3d", + "w": 16, + "x": 32, + "y": 39 + }, + "panelIndex": "5ca3d02c-d713-41c9-abe8-a9c4a1f97c3d", + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-7042a118-2f13-41fb-b0e6-192c1233689d", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-0b13f4d2-11cd-47b5-8128-7dcb60514861", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "formBased": { + "layers": { + 
"0b13f4d2-11cd-47b5-8128-7dcb60514861": { + "columnOrder": [ + "df0a2fac-79a4-4354-a468-b9a6992e9335", + "092db128-4fe0-463d-aee6-871ea4032f18" + ], + "columns": { + "092db128-4fe0-463d-aee6-871ea4032f18": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "___records___" + }, + "df0a2fac-79a4-4354-a468-b9a6992e9335": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "interval": "auto", + "includeEmptyRows": true + }, + "scale": "interval", + "sourceField": "@timestamp" + } + }, + "incompleteColumns": {} + }, + "7042a118-2f13-41fb-b0e6-192c1233689d": { + "columnOrder": [ + "bca2786a-0632-4fcb-bddf-6d0a9259844f", + "f4e8ed07-3254-4ec6-b80d-8568d9ea7018" + ], + "columns": { + "bca2786a-0632-4fcb-bddf-6d0a9259844f": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "interval": "auto", + "includeEmptyRows": true + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "f4e8ed07-3254-4ec6-b80d-8568d9ea7018": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Data sent", + "operationType": "sum", + "scale": "ratio", + "sourceField": "http.response.body.bytes" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset:traefik.access" + }, + "visualization": { + "fittingFunction": "Linear", + "layers": [ + { + "accessors": [ + "f4e8ed07-3254-4ec6-b80d-8568d9ea7018" + ], + "layerId": "7042a118-2f13-41fb-b0e6-192c1233689d", + "layerType": "data", + "position": "top", + "seriesType": "line", + "showGridlines": false, + "xAccessor": "bca2786a-0632-4fcb-bddf-6d0a9259844f" + }, + { + "accessors": [ + "092db128-4fe0-463d-aee6-871ea4032f18" + ], + "layerId": "0b13f4d2-11cd-47b5-8128-7dcb60514861", + "layerType": 
"data", + "seriesType": "line", + "xAccessor": "df0a2fac-79a4-4354-a468-b9a6992e9335", + "yConfig": [ + { + "axisMode": "right", + "color": "#d6bf57", + "forAccessor": "092db128-4fe0-463d-aee6-871ea4032f18" + } + ] + } + ], + "legend": { + "isVisible": true, + "position": "right", + "legendSize": "auto" + }, + "preferredSeriesType": "line", + "title": "Empty XY chart", + "valueLabels": "hide", + "yLeftExtent": { + "mode": "full" + }, + "yRightExtent": { + "mode": "full" + } + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "type": "lens" + }, + "title": "Sent Byte Size [Logs Traefik]" + } + ], + "timeRestore": false, + "title": "[Logs Traefik] Access logs", + "version": 1 + }, + "references": [ + { + "id": "logs-*", + "name": "2efa927c-4fd1-4073-9b78-8ef6ec27200d:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "2efa927c-4fd1-4073-9b78-8ef6ec27200d:indexpattern-datasource-layer-2b18aa0a-3889-45f0-9aa1-3ba3510050c3", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "b22d8a5b-a46f-4763-a884-e0032620fb37:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" }, - "title": "Sent Byte Size [Logs Traefik]" - } + { + "id": "logs-*", + "name": "b22d8a5b-a46f-4763-a884-e0032620fb37:indexpattern-datasource-layer-ef238d74-b1e4-43f4-a941-8ffd25108069", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "d299d213-6e63-485b-9c58-61209d984bce:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "d299d213-6e63-485b-9c58-61209d984bce:indexpattern-datasource-layer-4197aa5d-acaf-4763-b484-11eb2549236f", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "2386dd27-15d0-42ac-85f2-406febb6d3b1:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": 
"2386dd27-15d0-42ac-85f2-406febb6d3b1:indexpattern-datasource-layer-38d38e12-d8c2-41a2-944b-f543271336df", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "5ca3d02c-d713-41c9-abe8-a9c4a1f97c3d:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "5ca3d02c-d713-41c9-abe8-a9c4a1f97c3d:indexpattern-datasource-layer-7042a118-2f13-41fb-b0e6-192c1233689d", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "5ca3d02c-d713-41c9-abe8-a9c4a1f97c3d:indexpattern-datasource-layer-0b13f4d2-11cd-47b5-8128-7dcb60514861", + "type": "index-pattern" + }, + { + "type": "index-pattern", + "name": "121accaa-e45e-414b-b9a3-f73fba06cf83:layer_1_source_index_pattern", + "id": "logs-*" + } ], - "timeRestore": false, - "title": "[Logs Traefik] Access logs", - "version": 1 - }, - "references": [ - { - "id": "logs-*", - "name": "2efa927c-4fd1-4073-9b78-8ef6ec27200d:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "2efa927c-4fd1-4073-9b78-8ef6ec27200d:indexpattern-datasource-layer-2b18aa0a-3889-45f0-9aa1-3ba3510050c3", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "b22d8a5b-a46f-4763-a884-e0032620fb37:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "b22d8a5b-a46f-4763-a884-e0032620fb37:indexpattern-datasource-layer-ef238d74-b1e4-43f4-a941-8ffd25108069", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "d299d213-6e63-485b-9c58-61209d984bce:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "d299d213-6e63-485b-9c58-61209d984bce:indexpattern-datasource-layer-4197aa5d-acaf-4763-b484-11eb2549236f", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "2386dd27-15d0-42ac-85f2-406febb6d3b1:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": 
"2386dd27-15d0-42ac-85f2-406febb6d3b1:indexpattern-datasource-layer-38d38e12-d8c2-41a2-944b-f543271336df", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "5ca3d02c-d713-41c9-abe8-a9c4a1f97c3d:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "5ca3d02c-d713-41c9-abe8-a9c4a1f97c3d:indexpattern-datasource-layer-7042a118-2f13-41fb-b0e6-192c1233689d", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "5ca3d02c-d713-41c9-abe8-a9c4a1f97c3d:indexpattern-datasource-layer-0b13f4d2-11cd-47b5-8128-7dcb60514861", - "type": "index-pattern" - }, - { - "type": "index-pattern", - "name": "121accaa-e45e-414b-b9a3-f73fba06cf83:layer_1_source_index_pattern", - "id": "logs-*" - } - ], - "managed": false + "managed": false } \ No newline at end of file diff --git a/packages/traefik/manifest.yml b/packages/traefik/manifest.yml index 6403b941cee..fc5dc34caa1 100644 --- a/packages/traefik/manifest.yml +++ b/packages/traefik/manifest.yml @@ -1,7 +1,7 @@ name: traefik title: Traefik -version: "1.11.1" -description: Collect logs and metrics from Traefik servers with Elastic Agent. +version: "2.0.0" +description: Collect logs from Traefik servers with Elastic Agent. type: integration icons: - src: /img/traefik.svg @@ -23,24 +23,12 @@ screenshots: type: image/png policy_templates: - name: traefik - title: Traefik logs and metrics - description: Collect logs and metrics from Traefik instances + title: Traefik logs + description: Collect logs from Traefik instances inputs: - type: logfile title: "Collect Traefik access logs" description: "Collecting access logs from Traefik instances" - - type: traefik/metrics - vars: - - name: hosts - type: text - title: Hosts - multi: true - required: true - show_user: true - default: - - localhost:8080 - title: Collect Traefik health metrics - description: Collecting health metrics from Traefik instances owner: github: elastic/obs-infraobs-integrations type: elastic 
From 8cbfb3f7eea589f4dcca8195f84f0589c095dd26 Mon Sep 17 00:00:00 2001 
From: Dan Kortschak Date: Tue, 11 Jun 2024 21:03:05 +0930 Subject: [PATCH 003/105] all: ensure field usage conforms to ECS definitions (#10120) * atlassian_bitbucket * barracuda * cisco_umbrella * crowdstrike * cylance * darktrace * forgerock * lumos * m365_defender * mattermost * microsoft_exchange_online_message_trace * pulse_connect_secure * sentinel_one * ti_cybersixgill * trend_micro_vision_one --- packages/atlassian_bitbucket/changelog.yml | 5 + .../pipeline/test-audit-api.log-expected.json | 636 +++++++++++++----- .../test-audit-files.log-expected.json | 140 ++-- .../elasticsearch/ingest_pipeline/default.yml | 20 +- packages/atlassian_bitbucket/manifest.yml | 2 +- packages/barracuda/changelog.yml | 5 + .../pipeline/test-access.log-expected.json | 23 +- .../elasticsearch/ingest_pipeline/access.yml | 15 +- packages/barracuda/manifest.yml | 2 +- packages/cisco_umbrella/changelog.yml | 5 + .../test-umbrella-auditlogs.log-expected.json | 12 +- ...brella-cloudfirewalllogs.log-expected.json | 12 +- .../test-umbrella-dnslogs.log-expected.json | 60 +- .../test-umbrella-iplogs.log-expected.json | 8 +- .../test-umbrella-proxylogs.log-expected.json | 56 +- .../_dev/test/system/test-default-config.yml | 2 +- .../elasticsearch/ingest_pipeline/default.yml | 6 +- packages/cisco_umbrella/manifest.yml | 2 +- packages/crowdstrike/changelog.yml | 5 + .../test-event-stream.log-expected.json | 4 +- ...tity-protection-incident.log-expected.json | 4 +- .../test-falcon-ipd-summary.log-expected.json | 4 +- .../identity_protection_incident.yml | 12 +- .../ingest_pipeline/ipd_detection_summary.yml | 12 +- packages/crowdstrike/manifest.yml | 2 +- packages/darktrace/changelog.yml | 5 + .../test-model-breach-alert.log-expected.json | 8 +- .../_dev/test/system/test-udp-config.yml | 2 +- .../elasticsearch/ingest_pipeline/default.yml | 6 +- packages/darktrace/manifest.yml | 2 +- packages/forgerock/changelog.yml | 5 + .../pipeline/test-am-access.log-expected.json | 56 +- 
.../elasticsearch/ingest_pipeline/default.yml | 2 +- .../test-am-authentication.log-expected.json | 28 +- .../elasticsearch/ingest_pipeline/default.yml | 2 +- .../test-idm-access.log-expected.json | 16 +- .../elasticsearch/ingest_pipeline/default.yml | 2 +- .../test-idm-authentication.log-expected.json | 4 +- .../elasticsearch/ingest_pipeline/default.yml | 2 +- .../test-idm-config.log-expected.json | 12 +- .../elasticsearch/ingest_pipeline/default.yml | 2 +- packages/forgerock/manifest.yml | 2 +- packages/lumos/changelog.yml | 5 + .../test-activity-logs.log-expected.json | 12 +- .../elasticsearch/ingest_pipeline/default.yml | 2 +- packages/lumos/manifest.yml | 2 +- packages/m365_defender/changelog.yml | 5 + .../test-app-and-identity.log-expected.json | 16 +- .../pipeline/test-device.log-expected.json | 14 +- .../pipeline_app_and_identity.yml | 24 +- .../ingest_pipeline/pipeline_device.yml | 40 +- packages/m365_defender/manifest.yml | 2 +- packages/mattermost/changelog.yml | 5 + .../pipeline/test-audit.log-expected.json | 3 - .../elasticsearch/ingest_pipeline/default.yml | 2 - packages/mattermost/manifest.yml | 2 +- .../_dev/deploy/docker/files/config.yml | 6 +- .../changelog.yml | 5 + .../test/pipeline/test-log.log-expected.json | 8 +- .../elasticsearch/ingest_pipeline/default.yml | 12 +- .../manifest.yml | 2 +- packages/pulse_connect_secure/changelog.yml | 5 + .../pipeline/test-log-admin.log-expected.json | 40 +- .../test-log-syslog.log-expected.json | 20 +- .../test-log-system.log-expected.json | 32 +- .../pipeline/test-log-vpn.log-expected.json | 58 +- .../elasticsearch/ingest_pipeline/default.yml | 4 +- packages/pulse_connect_secure/manifest.yml | 2 +- packages/sentinel_one/changelog.yml | 5 + .../test-pipeline-agent.log-expected.json | 4 +- .../elasticsearch/ingest_pipeline/default.yml | 11 +- .../test-pipeline-alert.log-expected.json | 4 +- .../elasticsearch/ingest_pipeline/default.yml | 11 +- .../test-pipeline-threat.log-expected.json | 20 +- 
.../elasticsearch/ingest_pipeline/default.yml | 15 +- packages/sentinel_one/manifest.yml | 2 +- packages/ti_cybersixgill/changelog.yml | 5 + ...test-cybersixgill-ndjson.log-expected.json | 16 +- .../elasticsearch/ingest_pipeline/default.yml | 2 +- packages/ti_cybersixgill/manifest.yml | 2 +- packages/trend_micro_vision_one/changelog.yml | 5 + .../_dev/test/pipeline/test-common-config.yml | 2 +- .../test-pipeline-detection.log-expected.json | 4 +- .../elasticsearch/ingest_pipeline/default.yml | 6 +- packages/trend_micro_vision_one/manifest.yml | 2 +- 85 files changed, 1180 insertions(+), 474 deletions(-) diff --git a/packages/atlassian_bitbucket/changelog.yml b/packages/atlassian_bitbucket/changelog.yml index a35968cfdab..2a6caed7174 100644 --- a/packages/atlassian_bitbucket/changelog.yml +++ b/packages/atlassian_bitbucket/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "2.0.0" + changes: + - description: Make `event.type` field conform to ECS field definition. + type: enhancement + link: https://github.com/elastic/integrations/pull/10120 - version: "1.23.0" changes: - description: Set sensitive values as secret. diff --git a/packages/atlassian_bitbucket/data_stream/audit/_dev/test/pipeline/test-audit-api.log-expected.json b/packages/atlassian_bitbucket/data_stream/audit/_dev/test/pipeline/test-audit-api.log-expected.json index 6cbbb23f51b..970c6c2b0de 100644 --- a/packages/atlassian_bitbucket/data_stream/audit/_dev/test/pipeline/test-audit-api.log-expected.json +++ b/packages/atlassian_bitbucket/data_stream/audit/_dev/test/pipeline/test-audit-api.log-expected.json 
@@ -774,7 +774,9 @@ "action": "atlassian.audit.event.action.audit.search", "kind": "event", "original": "{\"timestamp\":\"2021-11-27T17:36:19.269Z\",\"author\":{\"name\":\"admin\",\"type\":\"NORMAL\",\"id\":\"2\",\"uri\":\"http://bitbucket.internal:7990/users/admin\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"atlassian.audit.event.category.audit\",\"category\":\"Auditing\",\"actionI18nKey\":\"atlassian.audit.event.action.audit.search\",\"action\":\"Audit Log search performed\"},\"affectedObjects\":[],\"changedValues\":[],\"source\":\"10.50.73.5\",\"system\":\"http://bitbucket.internal:7990\",\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"method\":\"Browser\",\"extraAttributes\":[{\"nameI18nKey\":\"atlassian.audit.event.attribute.id\",\"name\":\"ID Range\",\"value\":\"1 - 66\"},{\"nameI18nKey\":\"atlassian.audit.event.attribute.query\",\"name\":\"Query\",\"value\":\"\"},{\"nameI18nKey\":\"atlassian.audit.event.attribute.results\",\"name\":\"Results returned\",\"value\":\"66\"},{\"nameI18nKey\":\"atlassian.audit.event.attribute.timestamp\",\"name\":\"Timestamp Range\",\"value\":\"2021-11-27T17:26:25.045Z - 2021-11-27T17:29:18.849Z\"}]}", - "type": "info" + "type": [ + "info" + ] }, "related": { "hosts": [ 
@@ -843,7 +845,9 @@ "action": "atlassian.audit.event.action.audit.search", "kind": "event", "original": "{\"timestamp\":\"2021-11-27T17:36:18.873Z\",\"author\":{\"name\":\"admin\",\"type\":\"NORMAL\",\"id\":\"2\",\"uri\":\"http://bitbucket.internal:7990/users/admin\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"atlassian.audit.event.category.audit\",\"category\":\"Auditing\",\"actionI18nKey\":\"atlassian.audit.event.action.audit.search\",\"action\":\"Audit Log search performed\"},\"affectedObjects\":[],\"changedValues\":[],\"source\":\"10.50.73.5\",\"system\":\"http://bitbucket.internal:7990\",\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"method\":\"Browser\",\"extraAttributes\":[{\"nameI18nKey\":\"atlassian.audit.event.attribute.id\",\"name\":\"ID Range\",\"value\":\"67 - 166\"},{\"nameI18nKey\":\"atlassian.audit.event.attribute.query\",\"name\":\"Query\",\"value\":\"\"},{\"nameI18nKey\":\"atlassian.audit.event.attribute.results\",\"name\":\"Results returned\",\"value\":\"100\"},{\"nameI18nKey\":\"atlassian.audit.event.attribute.timestamp\",\"name\":\"Timestamp Range\",\"value\":\"2021-11-27T17:29:18.850Z - 2021-11-27T17:36:18.370Z\"}]}", - "type": "info" + "type": [ + "info" + ] }, "related": { "hosts": [ 
@@ -902,7 +906,6 @@ "kind": "event", "original": "{\"timestamp\":\"2021-11-27T17:36:18.370Z\",\"author\":{\"name\":\"admin\",\"type\":\"NORMAL\",\"id\":\"2\",\"uri\":\"http://bitbucket.internal:7990/users/admin\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"atlassian.audit.event.category.audit\",\"category\":\"Auditing\",\"actionI18nKey\":\"atlassian.audit.event.action.audit.config.updated\",\"action\":\"Audit Log configuration updated\"},\"affectedObjects\":[],\"changedValues\":[{\"key\":\"Retention\",\"i18nKey\":\"atlassian.audit.event.change.retention\",\"to\":\"3 Years\"}],\"source\":\"10.50.73.5\",\"system\":\"http://bitbucket.internal:7990\",\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": [ - "admin", "change" ] }, @@ -964,7 +967,6 @@ "kind": "event", "original": "{\"timestamp\":\"2021-11-27T17:36:17.994Z\",\"author\":{\"name\":\"admin\",\"type\":\"NORMAL\",\"id\":\"2\",\"uri\":\"http://bitbucket.internal:7990/users/admin\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"atlassian.audit.event.category.audit\",\"category\":\"Auditing\",\"actionI18nKey\":\"atlassian.audit.event.action.audit.config.updated\",\"action\":\"Audit Log configuration updated\"},\"affectedObjects\":[],\"changedValues\":[{\"key\":\"Coverage Level\",\"i18nKey\":\"atlassian.audit.event.change.coverage.level\",\"from\":\"security : base\",\"to\":\"security : full\"}],\"source\":\"10.50.73.5\",\"system\":\"http://bitbucket.internal:7990\",\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": [ - "admin", "change" ] }, 
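Review bot: Dropping `admin` from `event.type` in the "Audit Log configuration updated" records (this hunk and the ones at `@@ -1026`, `@@ -1088`, `@@ -1150`, `@@ -1212`, `@@ -1274` and `@@ -1336`) is only an ECS conformance fix if these events carry `event.category: configuration`; `admin` is itself a valid ECS `event.type`, but ECS pairs it with the `iam` category, whereas `configuration` expects `change`, `creation`, `deletion`, `access` or `info`. The hunks do not show `event.category`, so the intended pairing cannot be confirmed from the fixture alone. The decision lives in the pipeline change to `default.yml` listed in the diffstat; a short comment there, such as `# ECS: event.category "configuration" pairs with change/creation/deletion/access/info, not admin`, would make the fixture's expected output self-explaining. Any saved query or detection rule that selected these configuration-change events with `event.type:admin` will stop matching after this change, which is consistent with the 2.0.0 major bump but is worth naming explicitly in the changelog entry.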
@@ -1026,7 +1028,6 @@ "kind": "event", "original": "{\"timestamp\":\"2021-11-27T17:36:17.994Z\",\"author\":{\"name\":\"admin\",\"type\":\"NORMAL\",\"id\":\"2\",\"uri\":\"http://bitbucket.internal:7990/users/admin\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"atlassian.audit.event.category.audit\",\"category\":\"Auditing\",\"actionI18nKey\":\"atlassian.audit.event.action.audit.config.updated\",\"action\":\"Audit Log configuration updated\"},\"affectedObjects\":[],\"changedValues\":[{\"key\":\"Coverage Level\",\"i18nKey\":\"atlassian.audit.event.change.coverage.level\",\"from\":\"permissions : base\",\"to\":\"permissions : full\"}],\"source\":\"10.50.73.5\",\"system\":\"http://bitbucket.internal:7990\",\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": [ - "admin", "change" ] }, @@ -1088,7 +1089,6 @@ "kind": "event", "original": "{\"timestamp\":\"2021-11-27T17:36:17.994Z\",\"author\":{\"name\":\"admin\",\"type\":\"NORMAL\",\"id\":\"2\",\"uri\":\"http://bitbucket.internal:7990/users/admin\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"atlassian.audit.event.category.audit\",\"category\":\"Auditing\",\"actionI18nKey\":\"atlassian.audit.event.action.audit.config.updated\",\"action\":\"Audit Log configuration updated\"},\"affectedObjects\":[],\"changedValues\":[{\"key\":\"Coverage Level\",\"i18nKey\":\"atlassian.audit.event.change.coverage.level\",\"from\":\"ecosystem : base\",\"to\":\"ecosystem : full\"}],\"source\":\"10.50.73.5\",\"system\":\"http://bitbucket.internal:7990\",\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": [ - "admin", "change" ] }, 
@@ -1150,7 +1150,6 @@ "kind": "event", "original": "{\"timestamp\":\"2021-11-27T17:36:17.994Z\",\"author\":{\"name\":\"admin\",\"type\":\"NORMAL\",\"id\":\"2\",\"uri\":\"http://bitbucket.internal:7990/users/admin\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"atlassian.audit.event.category.audit\",\"category\":\"Auditing\",\"actionI18nKey\":\"atlassian.audit.event.action.audit.config.updated\",\"action\":\"Audit Log configuration updated\"},\"affectedObjects\":[],\"changedValues\":[{\"key\":\"Coverage Level\",\"i18nKey\":\"atlassian.audit.event.change.coverage.level\",\"from\":\"local_config_and_administration : base\",\"to\":\"local_config_and_administration : full\"}],\"source\":\"10.50.73.5\",\"system\":\"http://bitbucket.internal:7990\",\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": [ - "admin", "change" ] }, @@ -1212,7 +1211,6 @@ "kind": "event", "original": "{\"timestamp\":\"2021-11-27T17:36:17.994Z\",\"author\":{\"name\":\"admin\",\"type\":\"NORMAL\",\"id\":\"2\",\"uri\":\"http://bitbucket.internal:7990/users/admin\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"atlassian.audit.event.category.audit\",\"category\":\"Auditing\",\"actionI18nKey\":\"atlassian.audit.event.action.audit.config.updated\",\"action\":\"Audit Log configuration updated\"},\"affectedObjects\":[],\"changedValues\":[{\"key\":\"Coverage Level\",\"i18nKey\":\"atlassian.audit.event.change.coverage.level\",\"from\":\"user_management : base\",\"to\":\"user_management : full\"}],\"source\":\"10.50.73.5\",\"system\":\"http://bitbucket.internal:7990\",\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": [ - "admin", "change" ] }, 
@@ -1274,7 +1272,6 @@ "kind": "event", "original": "{\"timestamp\":\"2021-11-27T17:36:17.993Z\",\"author\":{\"name\":\"admin\",\"type\":\"NORMAL\",\"id\":\"2\",\"uri\":\"http://bitbucket.internal:7990/users/admin\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"atlassian.audit.event.category.audit\",\"category\":\"Auditing\",\"actionI18nKey\":\"atlassian.audit.event.action.audit.config.updated\",\"action\":\"Audit Log configuration updated\"},\"affectedObjects\":[],\"changedValues\":[{\"key\":\"Coverage Level\",\"i18nKey\":\"atlassian.audit.event.change.coverage.level\",\"from\":\"end_user_activity : base\",\"to\":\"end_user_activity : full\"}],\"source\":\"10.50.73.5\",\"system\":\"http://bitbucket.internal:7990\",\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": [ - "admin", "change" ] }, @@ -1336,7 +1333,6 @@ "kind": "event", "original": "{\"timestamp\":\"2021-11-27T17:36:17.991Z\",\"author\":{\"name\":\"admin\",\"type\":\"NORMAL\",\"id\":\"2\",\"uri\":\"http://bitbucket.internal:7990/users/admin\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"atlassian.audit.event.category.audit\",\"category\":\"Auditing\",\"actionI18nKey\":\"atlassian.audit.event.action.audit.config.updated\",\"action\":\"Audit Log configuration updated\"},\"affectedObjects\":[],\"changedValues\":[{\"key\":\"Coverage Level\",\"i18nKey\":\"atlassian.audit.event.change.coverage.level\",\"from\":\"global_config_and_administration : base\",\"to\":\"global_config_and_administration : full\"}],\"source\":\"10.50.73.5\",\"system\":\"http://bitbucket.internal:7990\",\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": [ - "admin", "change" ] }, 
@@ -1407,7 +1403,9 @@ "action": "atlassian.audit.event.action.audit.search", "kind": "event", "original": "{\"timestamp\":\"2021-11-27T17:35:46.331Z\",\"author\":{\"name\":\"admin\",\"type\":\"NORMAL\",\"id\":\"2\",\"uri\":\"http://bitbucket.internal:7990/users/admin\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"atlassian.audit.event.category.audit\",\"category\":\"Auditing\",\"actionI18nKey\":\"atlassian.audit.event.action.audit.search\",\"action\":\"Audit Log search performed\"},\"affectedObjects\":[],\"changedValues\":[],\"source\":\"10.50.73.5\",\"system\":\"http://bitbucket.internal:7990\",\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"method\":\"Browser\",\"extraAttributes\":[{\"nameI18nKey\":\"atlassian.audit.event.attribute.id\",\"name\":\"ID Range\",\"value\":\"1 - 56\"},{\"nameI18nKey\":\"atlassian.audit.event.attribute.query\",\"name\":\"Query\",\"value\":\"\"},{\"nameI18nKey\":\"atlassian.audit.event.attribute.results\",\"name\":\"Results returned\",\"value\":\"56\"},{\"nameI18nKey\":\"atlassian.audit.event.attribute.timestamp\",\"name\":\"Timestamp Range\",\"value\":\"2021-11-27T17:26:25.045Z - 2021-11-27T17:29:12.363Z\"}]}", - "type": "info" + "type": [ + "info" + ] }, "related": { "hosts": [ 
@@ -1476,7 +1474,9 @@ "action": "atlassian.audit.event.action.audit.search", "kind": "event", "original": "{\"timestamp\":\"2021-11-27T17:35:45.810Z\",\"author\":{\"name\":\"admin\",\"type\":\"NORMAL\",\"id\":\"2\",\"uri\":\"http://bitbucket.internal:7990/users/admin\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"atlassian.audit.event.category.audit\",\"category\":\"Auditing\",\"actionI18nKey\":\"atlassian.audit.event.action.audit.search\",\"action\":\"Audit Log search performed\"},\"affectedObjects\":[],\"changedValues\":[],\"source\":\"10.50.73.5\",\"system\":\"http://bitbucket.internal:7990\",\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"method\":\"Browser\",\"extraAttributes\":[{\"nameI18nKey\":\"atlassian.audit.event.attribute.id\",\"name\":\"ID Range\",\"value\":\"57 - 156\"},{\"nameI18nKey\":\"atlassian.audit.event.attribute.query\",\"name\":\"Query\",\"value\":\"\"},{\"nameI18nKey\":\"atlassian.audit.event.attribute.results\",\"name\":\"Results returned\",\"value\":\"100\"},{\"nameI18nKey\":\"atlassian.audit.event.attribute.timestamp\",\"name\":\"Timestamp Range\",\"value\":\"2021-11-27T17:29:12.364Z - 2021-11-27T17:35:33.093Z\"}]}", - "type": "info" + "type": [ + "info" + ] }, "related": { "hosts": [ 
@@ -1545,7 +1545,9 @@ "action": "atlassian.audit.event.action.audit.search", "kind": "event", "original": "{\"timestamp\":\"2021-11-27T17:35:33.093Z\",\"author\":{\"name\":\"admin\",\"type\":\"NORMAL\",\"id\":\"2\",\"uri\":\"http://bitbucket.internal:7990/users/admin\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"atlassian.audit.event.category.audit\",\"category\":\"Auditing\",\"actionI18nKey\":\"atlassian.audit.event.action.audit.search\",\"action\":\"Audit Log search performed\"},\"affectedObjects\":[],\"changedValues\":[],\"source\":\"10.50.73.5\",\"system\":\"http://bitbucket.internal:7990\",\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"method\":\"Browser\",\"extraAttributes\":[{\"nameI18nKey\":\"atlassian.audit.event.attribute.id\",\"name\":\"ID Range\",\"value\":\"1 - 54\"},{\"nameI18nKey\":\"atlassian.audit.event.attribute.query\",\"name\":\"Query\",\"value\":\"\"},{\"nameI18nKey\":\"atlassian.audit.event.attribute.results\",\"name\":\"Results returned\",\"value\":\"54\"},{\"nameI18nKey\":\"atlassian.audit.event.attribute.timestamp\",\"name\":\"Timestamp Range\",\"value\":\"2021-11-27T17:26:25.045Z - 2021-11-27T17:29:11.102Z\"}]}", - "type": "info" + "type": [ + "info" + ] }, "related": { "hosts": [ 
@@ -1614,7 +1616,9 @@ "action": "atlassian.audit.event.action.audit.search", "kind": "event", "original": "{\"timestamp\":\"2021-11-27T17:35:31.362Z\",\"author\":{\"name\":\"admin\",\"type\":\"NORMAL\",\"id\":\"2\",\"uri\":\"http://bitbucket.internal:7990/users/admin\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"atlassian.audit.event.category.audit\",\"category\":\"Auditing\",\"actionI18nKey\":\"atlassian.audit.event.action.audit.search\",\"action\":\"Audit Log search performed\"},\"affectedObjects\":[],\"changedValues\":[],\"source\":\"10.50.73.5\",\"system\":\"http://bitbucket.internal:7990\",\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"method\":\"Browser\",\"extraAttributes\":[{\"nameI18nKey\":\"atlassian.audit.event.attribute.id\",\"name\":\"ID Range\",\"value\":\"55 - 154\"},{\"nameI18nKey\":\"atlassian.audit.event.attribute.query\",\"name\":\"Query\",\"value\":\"\"},{\"nameI18nKey\":\"atlassian.audit.event.attribute.results\",\"name\":\"Results returned\",\"value\":\"100\"},{\"nameI18nKey\":\"atlassian.audit.event.attribute.timestamp\",\"name\":\"Timestamp Range\",\"value\":\"2021-11-27T17:29:11.242Z - 2021-11-27T17:35:11.898Z\"}]}", - "type": "info" + "type": [ + "info" + ] }, "related": { "hosts": [ 
@@ -1681,7 +1685,9 @@ "action": "bitbucket.search.audit.action.elasticsearchconfigurationchange", "kind": "event", "original": "{\"timestamp\":\"2021-11-27T17:35:11.898Z\",\"author\":{\"name\":\"System\",\"type\":\"system\",\"id\":\"-1\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"bitbucket.service.audit.category.globaladministration\",\"category\":\"Global administration\",\"actionI18nKey\":\"bitbucket.search.audit.action.elasticsearchconfigurationchange\",\"action\":\"Elasticsearch settings changed\"},\"affectedObjects\":[],\"changedValues\":[{\"key\":\"Username\",\"i18nKey\":\"bitbucket.search.audit.changedvalue.elasticsearchconfigurationchange.username\",\"to\":\"bitbucket\"}],\"system\":\"http://bitbucket.internal:7990\",\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"method\":\"System\",\"extraAttributes\":[{\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.details\",\"name\":\"details\",\"value\":\"{\\\"changed\\\":\\\",elasticsearchPasswordelasticsearchUsername\\\",\\\"username\\\":\\\"bitbucket\\\"}\"},{\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"name\":\"target\",\"value\":\"Elasticsearch\"}]}", - "type": "info" + "type": [ + "info" + ] }, "related": { "hosts": [ 
@@ -1734,7 +1740,9 @@ "action": "bitbucket.service.applicationconfiguration.audit.action.applicationsetup", "kind": "event", "original": "{\"timestamp\":\"2021-11-27T17:34:26.112Z\",\"author\":{\"name\":\"Anonymous\",\"type\":\"user\",\"id\":\"-2\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"bitbucket.service.audit.category.globaladministration\",\"category\":\"Global administration\",\"actionI18nKey\":\"bitbucket.service.applicationconfiguration.audit.action.applicationsetup\",\"action\":\"Instance setup completed\"},\"affectedObjects\":[],\"changedValues\":[],\"source\":\"10.50.73.5\",\"system\":\"http://bitbucket.internal:7990\",\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"method\":\"Browser\",\"extraAttributes\":[{\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.details\",\"name\":\"details\",\"value\":\"{\\\"new\\\":true,\\\"old\\\":false}\"},{\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"name\":\"target\",\"value\":\"SERVER_IS_SETUP\"}]}", - "type": "info" + "type": [ + "info" + ] }, "related": { "hosts": [ 
@@ -1807,7 +1815,9 @@ "action": "bitbucket.service.user.audit.action.globalpermissiongranted", "kind": "event", "original": "{\"timestamp\":\"2021-11-27T17:34:26.108Z\",\"author\":{\"name\":\"Anonymous\",\"type\":\"user\",\"id\":\"-2\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"bitbucket.service.audit.category.permissions\",\"category\":\"Permissions\",\"actionI18nKey\":\"bitbucket.service.user.audit.action.globalpermissiongranted\",\"action\":\"Global permission granted\"},\"affectedObjects\":[{\"name\":\"admin\",\"type\":\"USER\",\"uri\":\"http://bitbucket.internal:7990/users/admin\",\"id\":\"2\"}],\"changedValues\":[],\"source\":\"10.50.73.5\",\"system\":\"http://bitbucket.internal:7990\",\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"method\":\"Browser\",\"extraAttributes\":[{\"nameI18nKey\":\"bitbucket.service.user.audit.attribute.permission.permission\",\"name\":\"Permission\",\"value\":\"SYS_ADMIN\"},{\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.details\",\"name\":\"details\",\"value\":\"{\\\"permission\\\":\\\"SYS_ADMIN\\\",\\\"user\\\":\\\"admin\\\"}\"},{\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"name\":\"target\",\"value\":\"Global\"}]}", - "type": "info" + "type": [ + "info" + ] }, "related": { "hosts": [ 
@@ -1880,7 +1890,9 @@ "action": "bitbucket.service.user.audit.action.globalpermissiongrantrequested", "kind": "event", "original": "{\"timestamp\":\"2021-11-27T17:34:26.019Z\",\"author\":{\"name\":\"Anonymous\",\"type\":\"user\",\"id\":\"-2\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"bitbucket.service.audit.category.permissions\",\"category\":\"Permissions\",\"actionI18nKey\":\"bitbucket.service.user.audit.action.globalpermissiongrantrequested\",\"action\":\"Global permission requested\"},\"affectedObjects\":[{\"name\":\"admin\",\"type\":\"USER\",\"uri\":\"http://bitbucket.internal:7990/users/admin\",\"id\":\"2\"}],\"changedValues\":[],\"source\":\"10.50.73.5\",\"system\":\"http://bitbucket.internal:7990\",\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"method\":\"Browser\",\"extraAttributes\":[{\"nameI18nKey\":\"bitbucket.service.user.audit.attribute.permission.permission\",\"name\":\"Permission\",\"value\":\"SYS_ADMIN\"},{\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.details\",\"name\":\"details\",\"value\":\"{\\\"permission\\\":\\\"SYS_ADMIN\\\",\\\"user\\\":\\\"admin\\\"}\"},{\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"name\":\"target\",\"value\":\"Global\"}]}", - "type": "info" + "type": [ + "info" + ] }, "related": { "hosts": [ 
@@ -2103,7 +2115,9 @@ "action": "bitbucket.service.license.audit.action.licensechanged", "kind": "event", "original": "{\"timestamp\":\"2021-11-27T17:31:41.984Z\",\"author\":{\"name\":\"Anonymous\",\"type\":\"user\",\"id\":\"-2\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"bitbucket.service.audit.category.globaladministration\",\"category\":\"Global administration\",\"actionI18nKey\":\"bitbucket.service.license.audit.action.licensechanged\",\"action\":\"Product license changed\"},\"affectedObjects\":[],\"changedValues\":[],\"source\":\"10.50.73.5\",\"system\":\"http://bitbucket.internal:7990\",\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"method\":\"Browser\",\"extraAttributes\":[{\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"name\":\"target\",\"value\":\"System\"}]}", - "type": "info" + "type": [ + "info" + ] }, "related": { "hosts": [ 
@@ -2170,7 +2184,9 @@ "action": "bitbucket.service.applicationconfiguration.audit.action.baseurlchanged", "kind": "event", "original": "{\"timestamp\":\"2021-11-27T17:31:41.375Z\",\"author\":{\"name\":\"Anonymous\",\"type\":\"user\",\"id\":\"-2\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"bitbucket.service.audit.category.globaladministration\",\"category\":\"Global administration\",\"actionI18nKey\":\"bitbucket.service.applicationconfiguration.audit.action.baseurlchanged\",\"action\":\"Base URL changed\"},\"affectedObjects\":[],\"changedValues\":[{\"key\":\"Base URL\",\"i18nKey\":\"bitbucket.service.applicationconfiguration.audit.changedvalue.baseurlchanged.baseurl\",\"to\":\"http://bitbucket.internal:7990\"}],\"source\":\"10.50.73.5\",\"system\":\"http://bitbucket.internal:7990\",\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"method\":\"Browser\",\"extraAttributes\":[{\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.details\",\"name\":\"details\",\"value\":\"{\\\"new\\\":\\\"http://bitbucket.internal:7990\\\",\\\"old\\\":null}\"},{\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"name\":\"target\",\"value\":\"BASE_URL\"}]}", - "type": "info" + "type": [ + "info" + ] }, "related": { "hosts": [ 
@@ -2236,7 +2252,9 @@ "action": "bitbucket.service.plugin.audit.action.pluginenabled", "kind": "event", "original": "{\"timestamp\":\"2021-11-27T17:29:52.694Z\",\"author\":{\"name\":\"System\",\"type\":\"system\",\"id\":\"-1\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"bitbucket.service.audit.category.apps\",\"category\":\"Apps\",\"actionI18nKey\":\"bitbucket.service.plugin.audit.action.pluginenabled\",\"action\":\"Plugin enabled\"},\"affectedObjects\":[{\"name\":\"tac.bitbucket.languages.ja_JP\",\"type\":\"MISC\"}],\"changedValues\":[],\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"method\":\"System\",\"extraAttributes\":[{\"nameI18nKey\":\"bitbucket.service.plugin.audit.attribute.version\",\"name\":\"Version\",\"value\":\"7.18.0.rc1-202111050047\"},{\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"name\":\"target\",\"value\":\"tac.bitbucket.languages.ja_JP\"}]}", - "type": "info" + "type": [ + "info" + ] }, "related": { "user": [ @@ -2289,7 +2307,9 @@ "action": "bitbucket.service.plugin.audit.action.pluginenabled", "kind": "event", "original": "{\"timestamp\":\"2021-11-27T17:29:52.688Z\",\"author\":{\"name\":\"System\",\"type\":\"system\",\"id\":\"-1\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"bitbucket.service.audit.category.apps\",\"category\":\"Apps\",\"actionI18nKey\":\"bitbucket.service.plugin.audit.action.pluginenabled\",\"action\":\"Plugin enabled\"},\"affectedObjects\":[{\"name\":\"tac.bitbucket.languages.fr_FR\",\"type\":\"MISC\"}],\"changedValues\":[],\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"method\":\"System\",\"extraAttributes\":[{\"nameI18nKey\":\"bitbucket.service.plugin.audit.attribute.version\",\"name\":\"Version\",\"value\":\"7.18.0.rc1-202111050047\"},{\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"name\":\"target\",\"value\":\"tac.bitbucket.languages.fr_FR\"}]}", - "type": "info" + "type": [ + "info" + ] }, "related": { "user": [ 
@@ -2342,7 +2362,9 @@ "action": "bitbucket.service.plugin.audit.action.pluginenabled", "kind": "event", "original": "{\"timestamp\":\"2021-11-27T17:29:52.681Z\",\"author\":{\"name\":\"System\",\"type\":\"system\",\"id\":\"-1\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"bitbucket.service.audit.category.apps\",\"category\":\"Apps\",\"actionI18nKey\":\"bitbucket.service.plugin.audit.action.pluginenabled\",\"action\":\"Plugin enabled\"},\"affectedObjects\":[{\"name\":\"tac.bitbucket.languages.de_DE\",\"type\":\"MISC\"}],\"changedValues\":[],\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"method\":\"System\",\"extraAttributes\":[{\"nameI18nKey\":\"bitbucket.service.plugin.audit.attribute.version\",\"name\":\"Version\",\"value\":\"7.18.0.rc1-202111050047\"},{\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"name\":\"target\",\"value\":\"tac.bitbucket.languages.de_DE\"}]}", - "type": "info" + "type": [ + "info" + ] }, "related": { "user": [ @@ -2395,7 +2417,9 @@ "action": "bitbucket.service.plugin.audit.action.pluginenabled", "kind": "event", "original": "{\"timestamp\":\"2021-11-27T17:29:52.674Z\",\"author\":{\"name\":\"System\",\"type\":\"system\",\"id\":\"-1\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"bitbucket.service.audit.category.apps\",\"category\":\"Apps\",\"actionI18nKey\":\"bitbucket.service.plugin.audit.action.pluginenabled\",\"action\":\"Plugin enabled\"},\"affectedObjects\":[{\"name\":\"com.springsource.net.jcip.annotations-1.0.0\",\"type\":\"MISC\"}],\"changedValues\":[],\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"method\":\"System\",\"extraAttributes\":[{\"nameI18nKey\":\"bitbucket.service.plugin.audit.attribute.version\",\"name\":\"Version\",\"value\":\"1.0.0\"},{\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"name\":\"target\",\"value\":\"com.springsource.net.jcip.annotations-1.0.0\"}]}", - "type": "info" + "type": [ + "info" + ] }, "related": { "user": [ 
@@ -2448,7 +2472,9 @@ "action": "bitbucket.service.plugin.audit.action.pluginenabled", "kind": "event", "original": "{\"timestamp\":\"2021-11-27T17:29:52.672Z\",\"author\":{\"name\":\"System\",\"type\":\"system\",\"id\":\"-1\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"bitbucket.service.audit.category.apps\",\"category\":\"Apps\",\"actionI18nKey\":\"bitbucket.service.plugin.audit.action.pluginenabled\",\"action\":\"Plugin enabled\"},\"affectedObjects\":[{\"name\":\"com.atlassian.zdu.bitbucket-zdu-plugin\",\"type\":\"MISC\"}],\"changedValues\":[],\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"method\":\"System\",\"extraAttributes\":[{\"nameI18nKey\":\"bitbucket.service.plugin.audit.attribute.version\",\"name\":\"Version\",\"value\":\"1.1.4\"},{\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"name\":\"target\",\"value\":\"com.atlassian.zdu.bitbucket-zdu-plugin\"}]}", - "type": "info" + "type": [ + "info" + ] }, "related": { "user": [ @@ -2501,7 +2527,9 @@ "action": "bitbucket.service.plugin.audit.action.pluginenabled", "kind": "event", "original": "{\"timestamp\":\"2021-11-27T17:29:52.560Z\",\"author\":{\"name\":\"System\",\"type\":\"system\",\"id\":\"-1\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"bitbucket.service.audit.category.apps\",\"category\":\"Apps\",\"actionI18nKey\":\"bitbucket.service.plugin.audit.action.pluginenabled\",\"action\":\"Plugin enabled\"},\"affectedObjects\":[{\"name\":\"com.atlassian.webhooks.atlassian-webhooks-plugin\",\"type\":\"MISC\"}],\"changedValues\":[],\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"method\":\"System\",\"extraAttributes\":[{\"nameI18nKey\":\"bitbucket.service.plugin.audit.attribute.version\",\"name\":\"Version\",\"value\":\"6.1.6\"},{\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"name\":\"target\",\"value\":\"com.atlassian.webhooks.atlassian-webhooks-plugin\"}]}", - "type": "info" + "type": [ + "info" + ] }, "related": { "user": [ 
@@ -2554,7 +2582,9 @@ "action": "bitbucket.service.plugin.audit.action.pluginenabled", "kind": "event", "original": "{\"timestamp\":\"2021-11-27T17:29:52.557Z\",\"author\":{\"name\":\"System\",\"type\":\"system\",\"id\":\"-1\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"bitbucket.service.audit.category.apps\",\"category\":\"Apps\",\"actionI18nKey\":\"bitbucket.service.plugin.audit.action.pluginenabled\",\"action\":\"Plugin enabled\"},\"affectedObjects\":[{\"name\":\"com.atlassian.troubleshooting.plugin-bitbucket\",\"type\":\"MISC\"}],\"changedValues\":[],\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"method\":\"System\",\"extraAttributes\":[{\"nameI18nKey\":\"bitbucket.service.plugin.audit.attribute.version\",\"name\":\"Version\",\"value\":\"1.33.1\"},{\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"name\":\"target\",\"value\":\"com.atlassian.troubleshooting.plugin-bitbucket\"}]}", - "type": "info" + "type": [ + "info" + ] }, "related": { "user": [ 
@@ -2607,7 +2637,9 @@ "action": "bitbucket.service.plugin.audit.action.pluginenabled", "kind": "event", "original": "{\"timestamp\":\"2021-11-27T17:29:52.502Z\",\"author\":{\"name\":\"System\",\"type\":\"system\",\"id\":\"-1\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"bitbucket.service.audit.category.apps\",\"category\":\"Apps\",\"actionI18nKey\":\"bitbucket.service.plugin.audit.action.pluginenabled\",\"action\":\"Plugin enabled\"},\"affectedObjects\":[{\"name\":\"com.atlassian.stash.plugins.stash-remote-event-bitbucket-server-spi\",\"type\":\"MISC\"}],\"changedValues\":[],\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"method\":\"System\",\"extraAttributes\":[{\"nameI18nKey\":\"bitbucket.service.plugin.audit.attribute.version\",\"name\":\"Version\",\"value\":\"0.9.2\"},{\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"name\":\"target\",\"value\":\"com.atlassian.stash.plugins.stash-remote-event-bitbucket-server-spi\"}]}", - "type": "info" + "type": [ + "info" + ] }, "related": { "user": [ 
@@ -2660,7 +2692,9 @@ "action": "bitbucket.service.plugin.audit.action.pluginenabled", "kind": "event", "original": "{\"timestamp\":\"2021-11-27T17:29:52.491Z\",\"author\":{\"name\":\"System\",\"type\":\"system\",\"id\":\"-1\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"bitbucket.service.audit.category.apps\",\"category\":\"Apps\",\"actionI18nKey\":\"bitbucket.service.plugin.audit.action.pluginenabled\",\"action\":\"Plugin enabled\"},\"affectedObjects\":[{\"name\":\"com.atlassian.soy.soy-template-plugin\",\"type\":\"MISC\"}],\"changedValues\":[],\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"method\":\"System\",\"extraAttributes\":[{\"nameI18nKey\":\"bitbucket.service.plugin.audit.attribute.version\",\"name\":\"Version\",\"value\":\"5.1.1\"},{\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"name\":\"target\",\"value\":\"com.atlassian.soy.soy-template-plugin\"}]}", - "type": "info" + "type": [ + "info" + ] }, "related": { "user": [ @@ -2713,7 +2747,9 @@ "action": "bitbucket.service.plugin.audit.action.pluginenabled", "kind": "event", "original": "{\"timestamp\":\"2021-11-27T17:29:52.477Z\",\"author\":{\"name\":\"System\",\"type\":\"system\",\"id\":\"-1\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"bitbucket.service.audit.category.apps\",\"category\":\"Apps\",\"actionI18nKey\":\"bitbucket.service.plugin.audit.action.pluginenabled\",\"action\":\"Plugin enabled\"},\"affectedObjects\":[{\"name\":\"com.atlassian.prettyurls.atlassian-pretty-urls-plugin\",\"type\":\"MISC\"}],\"changedValues\":[],\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"method\":\"System\",\"extraAttributes\":[{\"nameI18nKey\":\"bitbucket.service.plugin.audit.attribute.version\",\"name\":\"Version\",\"value\":\"3.0.3\"},{\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"name\":\"target\",\"value\":\"com.atlassian.prettyurls.atlassian-pretty-urls-plugin\"}]}", - "type": "info" + "type": [ + "info" + ] }, "related": { "user": [ 
@@ -2766,7 +2802,9 @@ "action": "bitbucket.service.plugin.audit.action.pluginenabled", "kind": "event", "original": "{\"timestamp\":\"2021-11-27T17:29:52.472Z\",\"author\":{\"name\":\"System\",\"type\":\"system\",\"id\":\"-1\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"bitbucket.service.audit.category.apps\",\"category\":\"Apps\",\"actionI18nKey\":\"bitbucket.service.plugin.audit.action.pluginenabled\",\"action\":\"Plugin enabled\"},\"affectedObjects\":[{\"name\":\"com.atlassian.plugins.static-assets-url\",\"type\":\"MISC\"}],\"changedValues\":[],\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"method\":\"System\",\"extraAttributes\":[{\"nameI18nKey\":\"bitbucket.service.plugin.audit.attribute.version\",\"name\":\"Version\",\"value\":\"2.0.1\"},{\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"name\":\"target\",\"value\":\"com.atlassian.plugins.static-assets-url\"}]}", - "type": "info" + "type": [ + "info" + ] }, "related": { "user": [ @@ -2819,7 +2857,9 @@ "action": "bitbucket.service.plugin.audit.action.pluginenabled", "kind": "event", "original": "{\"timestamp\":\"2021-11-27T17:29:52.450Z\",\"author\":{\"name\":\"System\",\"type\":\"system\",\"id\":\"-1\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"bitbucket.service.audit.category.apps\",\"category\":\"Apps\",\"actionI18nKey\":\"bitbucket.service.plugin.audit.action.pluginenabled\",\"action\":\"Plugin enabled\"},\"affectedObjects\":[{\"name\":\"com.atlassian.plugins.shortcuts.atlassian-shortcuts-plugin\",\"type\":\"MISC\"}],\"changedValues\":[],\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"method\":\"System\",\"extraAttributes\":[{\"nameI18nKey\":\"bitbucket.service.plugin.audit.attribute.version\",\"name\":\"Version\",\"value\":\"1.3.2\"},{\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"name\":\"target\",\"value\":\"com.atlassian.plugins.shortcuts.atlassian-shortcuts-plugin\"}]}", - "type": "info" + "type": [ + "info" + ] }, "related": { "user": [ 
@@ -2872,7 +2912,9 @@ "action": "bitbucket.service.plugin.audit.action.pluginenabled", "kind": "event", "original": "{\"timestamp\":\"2021-11-27T17:29:52.439Z\",\"author\":{\"name\":\"System\",\"type\":\"system\",\"id\":\"-1\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"bitbucket.service.audit.category.apps\",\"category\":\"Apps\",\"actionI18nKey\":\"bitbucket.service.plugin.audit.action.pluginenabled\",\"action\":\"Plugin enabled\"},\"affectedObjects\":[{\"name\":\"com.atlassian.plugins.less-transformer-plugin\",\"type\":\"MISC\"}],\"changedValues\":[],\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"method\":\"System\",\"extraAttributes\":[{\"nameI18nKey\":\"bitbucket.service.plugin.audit.attribute.version\",\"name\":\"Version\",\"value\":\"4.0.0\"},{\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"name\":\"target\",\"value\":\"com.atlassian.plugins.less-transformer-plugin\"}]}", - "type": "info" + "type": [ + "info" + ] }, "related": { "user": [ @@ -2925,7 +2967,9 @@ "action": "bitbucket.service.plugin.audit.action.pluginenabled", "kind": "event", "original": "{\"timestamp\":\"2021-11-27T17:29:52.216Z\",\"author\":{\"name\":\"System\",\"type\":\"system\",\"id\":\"-1\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"bitbucket.service.audit.category.apps\",\"category\":\"Apps\",\"actionI18nKey\":\"bitbucket.service.plugin.audit.action.pluginenabled\",\"action\":\"Plugin enabled\"},\"affectedObjects\":[{\"name\":\"com.atlassian.plugins.jquery\",\"type\":\"MISC\"}],\"changedValues\":[],\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"method\":\"System\",\"extraAttributes\":[{\"nameI18nKey\":\"bitbucket.service.plugin.audit.attribute.version\",\"name\":\"Version\",\"value\":\"2.2.4.11-c72c117\"},{\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"name\":\"target\",\"value\":\"com.atlassian.plugins.jquery\"}]}", - "type": "info" + "type": [ + "info" + ] }, "related": { "user": [ 
@@ -2978,7 +3022,9 @@ "action": "bitbucket.service.plugin.audit.action.pluginenabled", "kind": "event", "original": "{\"timestamp\":\"2021-11-27T17:29:52.214Z\",\"author\":{\"name\":\"System\",\"type\":\"system\",\"id\":\"-1\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"bitbucket.service.audit.category.apps\",\"category\":\"Apps\",\"actionI18nKey\":\"bitbucket.service.plugin.audit.action.pluginenabled\",\"action\":\"Plugin enabled\"},\"affectedObjects\":[{\"name\":\"com.atlassian.plugins.issue-status-plugin\",\"type\":\"MISC\"}],\"changedValues\":[],\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"method\":\"System\",\"extraAttributes\":[{\"nameI18nKey\":\"bitbucket.service.plugin.audit.attribute.version\",\"name\":\"Version\",\"value\":\"2.1.1\"},{\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"name\":\"target\",\"value\":\"com.atlassian.plugins.issue-status-plugin\"}]}", - "type": "info" + "type": [ + "info" + ] }, "related": { "user": [ @@ -3031,7 +3077,9 @@ "action": "bitbucket.service.plugin.audit.action.pluginenabled", "kind": "event", "original": "{\"timestamp\":\"2021-11-27T17:29:52.212Z\",\"author\":{\"name\":\"System\",\"type\":\"system\",\"id\":\"-1\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"bitbucket.service.audit.category.apps\",\"category\":\"Apps\",\"actionI18nKey\":\"bitbucket.service.plugin.audit.action.pluginenabled\",\"action\":\"Plugin enabled\"},\"affectedObjects\":[{\"name\":\"com.atlassian.plugins.cleanup-hub-plugin\",\"type\":\"MISC\"}],\"changedValues\":[],\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"method\":\"System\",\"extraAttributes\":[{\"nameI18nKey\":\"bitbucket.service.plugin.audit.attribute.version\",\"name\":\"Version\",\"value\":\"1.0.7\"},{\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"name\":\"target\",\"value\":\"com.atlassian.plugins.cleanup-hub-plugin\"}]}", - "type": "info" + "type": [ + "info" + ] }, "related": { "user": [ 
@@ -3084,7 +3132,9 @@ "action": "bitbucket.service.plugin.audit.action.pluginenabled", "kind": "event", "original": "{\"timestamp\":\"2021-11-27T17:29:52.203Z\",\"author\":{\"name\":\"System\",\"type\":\"system\",\"id\":\"-1\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"bitbucket.service.audit.category.apps\",\"category\":\"Apps\",\"actionI18nKey\":\"bitbucket.service.plugin.audit.action.pluginenabled\",\"action\":\"Plugin enabled\"},\"affectedObjects\":[{\"name\":\"com.atlassian.plugins.browser.metrics.browser-metrics-plugin\",\"type\":\"MISC\"}],\"changedValues\":[],\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"method\":\"System\",\"extraAttributes\":[{\"nameI18nKey\":\"bitbucket.service.plugin.audit.attribute.version\",\"name\":\"Version\",\"value\":\"8.0.2\"},{\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"name\":\"target\",\"value\":\"com.atlassian.plugins.browser.metrics.browser-metrics-plugin\"}]}", - "type": "info" + "type": [ + "info" + ] }, "related": { "user": [ 
@@ -3137,7 +3187,9 @@ "action": "bitbucket.service.plugin.audit.action.pluginenabled", "kind": "event", "original": "{\"timestamp\":\"2021-11-27T17:29:52.201Z\",\"author\":{\"name\":\"System\",\"type\":\"system\",\"id\":\"-1\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"bitbucket.service.audit.category.apps\",\"category\":\"Apps\",\"actionI18nKey\":\"bitbucket.service.plugin.audit.action.pluginenabled\",\"action\":\"Plugin enabled\"},\"affectedObjects\":[{\"name\":\"com.atlassian.plugins.authentication.atlassian-authentication-plugin\",\"type\":\"MISC\"}],\"changedValues\":[],\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"method\":\"System\",\"extraAttributes\":[{\"nameI18nKey\":\"bitbucket.service.plugin.audit.attribute.version\",\"name\":\"Version\",\"value\":\"4.2.4\"},{\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"name\":\"target\",\"value\":\"com.atlassian.plugins.authentication.atlassian-authentication-plugin\"}]}", - "type": "info" + "type": [ + "info" + ] }, "related": { "user": [ 
@@ -3190,7 +3242,9 @@ "action": "bitbucket.service.plugin.audit.action.pluginenabled", "kind": "event", "original": "{\"timestamp\":\"2021-11-27T17:29:51.049Z\",\"author\":{\"name\":\"System\",\"type\":\"system\",\"id\":\"-1\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"bitbucket.service.audit.category.apps\",\"category\":\"Apps\",\"actionI18nKey\":\"bitbucket.service.plugin.audit.action.pluginenabled\",\"action\":\"Plugin enabled\"},\"affectedObjects\":[{\"name\":\"com.atlassian.plugins.atlassian-remote-event-producer-plugin\",\"type\":\"MISC\"}],\"changedValues\":[],\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"method\":\"System\",\"extraAttributes\":[{\"nameI18nKey\":\"bitbucket.service.plugin.audit.attribute.version\",\"name\":\"Version\",\"value\":\"6.3.0\"},{\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"name\":\"target\",\"value\":\"com.atlassian.plugins.atlassian-remote-event-producer-plugin\"}]}", - "type": "info" + "type": [ + "info" + ] }, "related": { "user": [ 
@@ -3243,7 +3297,9 @@ "action": "bitbucket.service.plugin.audit.action.pluginenabled", "kind": "event", "original": "{\"timestamp\":\"2021-11-27T17:29:51.037Z\",\"author\":{\"name\":\"System\",\"type\":\"system\",\"id\":\"-1\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"bitbucket.service.audit.category.apps\",\"category\":\"Apps\",\"actionI18nKey\":\"bitbucket.service.plugin.audit.action.pluginenabled\",\"action\":\"Plugin enabled\"},\"affectedObjects\":[{\"name\":\"com.atlassian.plugins.atlassian-remote-event-consumer-plugin\",\"type\":\"MISC\"}],\"changedValues\":[],\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"method\":\"System\",\"extraAttributes\":[{\"nameI18nKey\":\"bitbucket.service.plugin.audit.attribute.version\",\"name\":\"Version\",\"value\":\"6.3.0\"},{\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"name\":\"target\",\"value\":\"com.atlassian.plugins.atlassian-remote-event-consumer-plugin\"}]}", - "type": "info" + "type": [ + "info" + ] }, "related": { "user": [ 
@@ -3296,7 +3352,9 @@ "action": "bitbucket.service.plugin.audit.action.pluginenabled", "kind": "event", "original": "{\"timestamp\":\"2021-11-27T17:29:51.022Z\",\"author\":{\"name\":\"System\",\"type\":\"system\",\"id\":\"-1\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"bitbucket.service.audit.category.apps\",\"category\":\"Apps\",\"actionI18nKey\":\"bitbucket.service.plugin.audit.action.pluginenabled\",\"action\":\"Plugin enabled\"},\"affectedObjects\":[{\"name\":\"com.atlassian.plugins.atlassian-plugins-webresource-rest\",\"type\":\"MISC\"}],\"changedValues\":[],\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"method\":\"System\",\"extraAttributes\":[{\"nameI18nKey\":\"bitbucket.service.plugin.audit.attribute.version\",\"name\":\"Version\",\"value\":\"4.4.4-bitbucket1\"},{\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"name\":\"target\",\"value\":\"com.atlassian.plugins.atlassian-plugins-webresource-rest\"}]}", - "type": "info" + "type": [ + "info" + ] }, "related": { "user": [ 
@@ -3349,7 +3407,9 @@ "action": "bitbucket.service.plugin.audit.action.pluginenabled", "kind": "event", "original": "{\"timestamp\":\"2021-11-27T17:29:51.005Z\",\"author\":{\"name\":\"System\",\"type\":\"system\",\"id\":\"-1\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"bitbucket.service.audit.category.apps\",\"category\":\"Apps\",\"actionI18nKey\":\"bitbucket.service.plugin.audit.action.pluginenabled\",\"action\":\"Plugin enabled\"},\"affectedObjects\":[{\"name\":\"com.atlassian.plugins.atlassian-plugins-webresource-plugin\",\"type\":\"MISC\"}],\"changedValues\":[],\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"method\":\"System\",\"extraAttributes\":[{\"nameI18nKey\":\"bitbucket.service.plugin.audit.attribute.version\",\"name\":\"Version\",\"value\":\"4.4.4-bitbucket1\"},{\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"name\":\"target\",\"value\":\"com.atlassian.plugins.atlassian-plugins-webresource-plugin\"}]}", - "type": "info" + "type": [ + "info" + ] }, "related": { "user": [ 
@@ -3402,7 +3462,9 @@ "action": "bitbucket.service.plugin.audit.action.pluginenabled", "kind": "event", "original": "{\"timestamp\":\"2021-11-27T17:29:51.001Z\",\"author\":{\"name\":\"System\",\"type\":\"system\",\"id\":\"-1\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"bitbucket.service.audit.category.apps\",\"category\":\"Apps\",\"actionI18nKey\":\"bitbucket.service.plugin.audit.action.pluginenabled\",\"action\":\"Plugin enabled\"},\"affectedObjects\":[{\"name\":\"com.atlassian.plugins.atlassian-clientside-extensions-runtime\",\"type\":\"MISC\"}],\"changedValues\":[],\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"method\":\"System\",\"extraAttributes\":[{\"nameI18nKey\":\"bitbucket.service.plugin.audit.attribute.version\",\"name\":\"Version\",\"value\":\"2.1.0\"},{\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"name\":\"target\",\"value\":\"com.atlassian.plugins.atlassian-clientside-extensions-runtime\"}]}", - "type": "info" + "type": [ + "info" + ] }, "related": { "user": [ 
@@ -3455,7 +3517,9 @@ "action": "bitbucket.service.plugin.audit.action.pluginenabled", "kind": "event", "original": "{\"timestamp\":\"2021-11-27T17:29:50.889Z\",\"author\":{\"name\":\"System\",\"type\":\"system\",\"id\":\"-1\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"bitbucket.service.audit.category.apps\",\"category\":\"Apps\",\"actionI18nKey\":\"bitbucket.service.plugin.audit.action.pluginenabled\",\"action\":\"Plugin enabled\"},\"affectedObjects\":[{\"name\":\"com.atlassian.plugins.atlassian-client-resource\",\"type\":\"MISC\"}],\"changedValues\":[],\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"method\":\"System\",\"extraAttributes\":[{\"nameI18nKey\":\"bitbucket.service.plugin.audit.attribute.version\",\"name\":\"Version\",\"value\":\"2.0.3\"},{\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"name\":\"target\",\"value\":\"com.atlassian.plugins.atlassian-client-resource\"}]}", - "type": "info" + "type": [ + "info" + ] }, "related": { "user": [ @@ -3508,7 +3572,9 @@ "action": "bitbucket.service.plugin.audit.action.pluginenabled", "kind": "event", "original": "{\"timestamp\":\"2021-11-27T17:29:50.887Z\",\"author\":{\"name\":\"System\",\"type\":\"system\",\"id\":\"-1\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"bitbucket.service.audit.category.apps\",\"category\":\"Apps\",\"actionI18nKey\":\"bitbucket.service.plugin.audit.action.pluginenabled\",\"action\":\"Plugin enabled\"},\"affectedObjects\":[{\"name\":\"com.atlassian.plugins.atlassian-chaperone\",\"type\":\"MISC\"}],\"changedValues\":[],\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"method\":\"System\",\"extraAttributes\":[{\"nameI18nKey\":\"bitbucket.service.plugin.audit.attribute.version\",\"name\":\"Version\",\"value\":\"4.1.6\"},{\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"name\":\"target\",\"value\":\"com.atlassian.plugins.atlassian-chaperone\"}]}", - "type": "info" + "type": [ + "info" + ] }, "related": { "user": [ 
@@ -3561,7 +3627,9 @@ "action": "bitbucket.service.plugin.audit.action.pluginenabled", "kind": "event", "original": "{\"timestamp\":\"2021-11-27T17:29:50.863Z\",\"author\":{\"name\":\"System\",\"type\":\"system\",\"id\":\"-1\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"bitbucket.service.audit.category.apps\",\"category\":\"Apps\",\"actionI18nKey\":\"bitbucket.service.plugin.audit.action.pluginenabled\",\"action\":\"Plugin enabled\"},\"affectedObjects\":[{\"name\":\"com.atlassian.plugin.atlassian-spring-scanner-runtime\",\"type\":\"MISC\"}],\"changedValues\":[],\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"method\":\"System\",\"extraAttributes\":[{\"nameI18nKey\":\"bitbucket.service.plugin.audit.attribute.version\",\"name\":\"Version\",\"value\":\"2.2.0\"},{\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"name\":\"target\",\"value\":\"com.atlassian.plugin.atlassian-spring-scanner-runtime\"}]}", - "type": "info" + "type": [ + "info" + ] }, "related": { "user": [ @@ -3614,7 +3682,9 @@ "action": "bitbucket.service.plugin.audit.action.pluginenabled", "kind": "event", "original": "{\"timestamp\":\"2021-11-27T17:29:50.862Z\",\"author\":{\"name\":\"System\",\"type\":\"system\",\"id\":\"-1\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"bitbucket.service.audit.category.apps\",\"category\":\"Apps\",\"actionI18nKey\":\"bitbucket.service.plugin.audit.action.pluginenabled\",\"action\":\"Plugin enabled\"},\"affectedObjects\":[{\"name\":\"com.atlassian.oauth.serviceprovider.sal\",\"type\":\"MISC\"}],\"changedValues\":[],\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"method\":\"System\",\"extraAttributes\":[{\"nameI18nKey\":\"bitbucket.service.plugin.audit.attribute.version\",\"name\":\"Version\",\"value\":\"4.3.1\"},{\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"name\":\"target\",\"value\":\"com.atlassian.oauth.serviceprovider.sal\"}]}", - "type": "info" + "type": [ + "info" + ] }, "related": { "user": [ 
@@ -3667,7 +3737,9 @@ "action": "bitbucket.service.plugin.audit.action.pluginenabled", "kind": "event", "original": "{\"timestamp\":\"2021-11-27T17:29:50.861Z\",\"author\":{\"name\":\"System\",\"type\":\"system\",\"id\":\"-1\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"bitbucket.service.audit.category.apps\",\"category\":\"Apps\",\"actionI18nKey\":\"bitbucket.service.plugin.audit.action.pluginenabled\",\"action\":\"Plugin enabled\"},\"affectedObjects\":[{\"name\":\"com.atlassian.oauth.serviceprovider\",\"type\":\"MISC\"}],\"changedValues\":[],\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"method\":\"System\",\"extraAttributes\":[{\"nameI18nKey\":\"bitbucket.service.plugin.audit.attribute.version\",\"name\":\"Version\",\"value\":\"4.3.1\"},{\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"name\":\"target\",\"value\":\"com.atlassian.oauth.serviceprovider\"}]}", - "type": "info" + "type": [ + "info" + ] }, "related": { "user": [ @@ -3720,7 +3792,9 @@ "action": "bitbucket.service.plugin.audit.action.pluginenabled", "kind": "event", "original": "{\"timestamp\":\"2021-11-27T17:29:50.849Z\",\"author\":{\"name\":\"System\",\"type\":\"system\",\"id\":\"-1\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"bitbucket.service.audit.category.apps\",\"category\":\"Apps\",\"actionI18nKey\":\"bitbucket.service.plugin.audit.action.pluginenabled\",\"action\":\"Plugin enabled\"},\"affectedObjects\":[{\"name\":\"com.atlassian.oauth.consumer\",\"type\":\"MISC\"}],\"changedValues\":[],\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"method\":\"System\",\"extraAttributes\":[{\"nameI18nKey\":\"bitbucket.service.plugin.audit.attribute.version\",\"name\":\"Version\",\"value\":\"4.3.1\"},{\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"name\":\"target\",\"value\":\"com.atlassian.oauth.consumer\"}]}", - "type": "info" + "type": [ + "info" + ] }, "related": { "user": [ 
@@ -3773,7 +3847,9 @@
 "action": "bitbucket.service.plugin.audit.action.pluginenabled",
 "kind": "event",
 "original": "{\"timestamp\":\"2021-11-27T17:29:50.846Z\",\"author\":{\"name\":\"System\",\"type\":\"system\",\"id\":\"-1\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"bitbucket.service.audit.category.apps\",\"category\":\"Apps\",\"actionI18nKey\":\"bitbucket.service.plugin.audit.action.pluginenabled\",\"action\":\"Plugin enabled\"},\"affectedObjects\":[{\"name\":\"com.atlassian.oauth.admin\",\"type\":\"MISC\"}],\"changedValues\":[],\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"method\":\"System\",\"extraAttributes\":[{\"nameI18nKey\":\"bitbucket.service.plugin.audit.attribute.version\",\"name\":\"Version\",\"value\":\"4.3.1\"},{\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"name\":\"target\",\"value\":\"com.atlassian.oauth.admin\"}]}",
- "type": "info"
+ "type": [
+ "info"
+ ]
 },
 "related": {
 "user": [
@@ -3826,7 +3902,9 @@
 "action": "bitbucket.service.plugin.audit.action.pluginenabled",
 "kind": "event",
 "original": "{\"timestamp\":\"2021-11-27T17:29:50.845Z\",\"author\":{\"name\":\"System\",\"type\":\"system\",\"id\":\"-1\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"bitbucket.service.audit.category.apps\",\"category\":\"Apps\",\"actionI18nKey\":\"bitbucket.service.plugin.audit.action.pluginenabled\",\"action\":\"Plugin enabled\"},\"affectedObjects\":[{\"name\":\"com.atlassian.healthcheck.atlassian-healthcheck\",\"type\":\"MISC\"}],\"changedValues\":[],\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"method\":\"System\",\"extraAttributes\":[{\"nameI18nKey\":\"bitbucket.service.plugin.audit.attribute.version\",\"name\":\"Version\",\"value\":\"5.1.1\"},{\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"name\":\"target\",\"value\":\"com.atlassian.healthcheck.atlassian-healthcheck\"}]}",
- "type": "info"
+ "type": [
+ "info"
+ ]
 },
 "related": {
 "user": [
@@ -3879,7 +3957,9 @@
 "action": "bitbucket.service.plugin.audit.action.pluginenabled",
 "kind": "event",
 "original": "{\"timestamp\":\"2021-11-27T17:29:50.824Z\",\"author\":{\"name\":\"System\",\"type\":\"system\",\"id\":\"-1\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"bitbucket.service.audit.category.apps\",\"category\":\"Apps\",\"actionI18nKey\":\"bitbucket.service.plugin.audit.action.pluginenabled\",\"action\":\"Plugin enabled\"},\"affectedObjects\":[{\"name\":\"com.atlassian.diagnostics.atlassian-diagnostics-plugin\",\"type\":\"MISC\"}],\"changedValues\":[],\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"method\":\"System\",\"extraAttributes\":[{\"nameI18nKey\":\"bitbucket.service.plugin.audit.attribute.version\",\"name\":\"Version\",\"value\":\"1.1.2\"},{\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"name\":\"target\",\"value\":\"com.atlassian.diagnostics.atlassian-diagnostics-plugin\"}]}",
- "type": "info"
+ "type": [
+ "info"
+ ]
 },
 "related": {
 "user": [
@@ -3932,7 +4012,9 @@
 "action": "bitbucket.service.plugin.audit.action.pluginenabled",
 "kind": "event",
 "original": "{\"timestamp\":\"2021-11-27T17:29:50.801Z\",\"author\":{\"name\":\"System\",\"type\":\"system\",\"id\":\"-1\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"bitbucket.service.audit.category.apps\",\"category\":\"Apps\",\"actionI18nKey\":\"bitbucket.service.plugin.audit.action.pluginenabled\",\"action\":\"Plugin enabled\"},\"affectedObjects\":[{\"name\":\"com.atlassian.crowd.embedded.admin\",\"type\":\"MISC\"}],\"changedValues\":[],\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"method\":\"System\",\"extraAttributes\":[{\"nameI18nKey\":\"bitbucket.service.plugin.audit.attribute.version\",\"name\":\"Version\",\"value\":\"4.3.0\"},{\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"name\":\"target\",\"value\":\"com.atlassian.crowd.embedded.admin\"}]}",
- "type": "info"
+ "type": [
+ "info"
+ ]
 },
 "related": {
 "user": [
@@ -3985,7 +4067,9 @@
 "action": "bitbucket.service.plugin.audit.action.pluginenabled",
 "kind": "event",
 "original": "{\"timestamp\":\"2021-11-27T17:29:50.718Z\",\"author\":{\"name\":\"System\",\"type\":\"system\",\"id\":\"-1\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"bitbucket.service.audit.category.apps\",\"category\":\"Apps\",\"actionI18nKey\":\"bitbucket.service.plugin.audit.action.pluginenabled\",\"action\":\"Plugin enabled\"},\"affectedObjects\":[{\"name\":\"com.atlassian.business.insights.core-plugin\",\"type\":\"MISC\"}],\"changedValues\":[],\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"method\":\"System\",\"extraAttributes\":[{\"nameI18nKey\":\"bitbucket.service.plugin.audit.attribute.version\",\"name\":\"Version\",\"value\":\"2.1.6\"},{\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"name\":\"target\",\"value\":\"com.atlassian.business.insights.core-plugin\"}]}",
- "type": "info"
+ "type": [
+ "info"
+ ]
 },
 "related": {
 "user": [
@@ -4038,7 +4122,9 @@
 "action": "bitbucket.service.plugin.audit.action.pluginenabled",
 "kind": "event",
 "original": "{\"timestamp\":\"2021-11-27T17:29:50.698Z\",\"author\":{\"name\":\"System\",\"type\":\"system\",\"id\":\"-1\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"bitbucket.service.audit.category.apps\",\"category\":\"Apps\",\"actionI18nKey\":\"bitbucket.service.plugin.audit.action.pluginenabled\",\"action\":\"Plugin enabled\"},\"affectedObjects\":[{\"name\":\"com.atlassian.business.insights.bitbucket-plugin\",\"type\":\"MISC\"}],\"changedValues\":[],\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"method\":\"System\",\"extraAttributes\":[{\"nameI18nKey\":\"bitbucket.service.plugin.audit.attribute.version\",\"name\":\"Version\",\"value\":\"2.1.6\"},{\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"name\":\"target\",\"value\":\"com.atlassian.business.insights.bitbucket-plugin\"}]}",
- "type": "info"
+ "type": [
+ "info"
+ ]
 },
 "related": {
 "user": [
@@ -4091,7 +4177,9 @@
 "action": "bitbucket.service.plugin.audit.action.pluginenabled",
 "kind": "event",
 "original": "{\"timestamp\":\"2021-11-27T17:29:50.697Z\",\"author\":{\"name\":\"System\",\"type\":\"system\",\"id\":\"-1\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"bitbucket.service.audit.category.apps\",\"category\":\"Apps\",\"actionI18nKey\":\"bitbucket.service.plugin.audit.action.pluginenabled\",\"action\":\"Plugin enabled\"},\"affectedObjects\":[{\"name\":\"com.atlassian.bitbucket.server.support-info-providers\",\"type\":\"MISC\"}],\"changedValues\":[],\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"method\":\"System\",\"extraAttributes\":[{\"nameI18nKey\":\"bitbucket.service.plugin.audit.attribute.version\",\"name\":\"Version\",\"value\":\"0.0\"},{\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"name\":\"target\",\"value\":\"com.atlassian.bitbucket.server.support-info-providers\"}]}",
- "type": "info"
+ "type": [
+ "info"
+ ]
 },
 "related": {
 "user": [
@@ -4144,7 +4232,9 @@
 "action": "bitbucket.service.plugin.audit.action.pluginenabled",
 "kind": "event",
 "original": "{\"timestamp\":\"2021-11-27T17:29:50.634Z\",\"author\":{\"name\":\"System\",\"type\":\"system\",\"id\":\"-1\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"bitbucket.service.audit.category.apps\",\"category\":\"Apps\",\"actionI18nKey\":\"bitbucket.service.plugin.audit.action.pluginenabled\",\"action\":\"Plugin enabled\"},\"affectedObjects\":[{\"name\":\"com.atlassian.bitbucket.server.feature-wrm-data\",\"type\":\"MISC\"}],\"changedValues\":[],\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"method\":\"System\",\"extraAttributes\":[{\"nameI18nKey\":\"bitbucket.service.plugin.audit.attribute.version\",\"name\":\"Version\",\"value\":\"0.0\"},{\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"name\":\"target\",\"value\":\"com.atlassian.bitbucket.server.feature-wrm-data\"}]}",
- "type": "info"
+ "type": [
+ "info"
+ ]
 },
 "related": {
 "user": [
@@ -4197,7 +4287,9 @@
 "action": "bitbucket.service.plugin.audit.action.pluginenabled",
 "kind": "event",
 "original": "{\"timestamp\":\"2021-11-27T17:29:49.656Z\",\"author\":{\"name\":\"System\",\"type\":\"system\",\"id\":\"-1\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"bitbucket.service.audit.category.apps\",\"category\":\"Apps\",\"actionI18nKey\":\"bitbucket.service.plugin.audit.action.pluginenabled\",\"action\":\"Plugin enabled\"},\"affectedObjects\":[{\"name\":\"com.atlassian.bitbucket.server.config-wrm-data\",\"type\":\"MISC\"}],\"changedValues\":[],\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"method\":\"System\",\"extraAttributes\":[{\"nameI18nKey\":\"bitbucket.service.plugin.audit.attribute.version\",\"name\":\"Version\",\"value\":\"0.0\"},{\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"name\":\"target\",\"value\":\"com.atlassian.bitbucket.server.config-wrm-data\"}]}",
- "type": "info"
+ "type": [
+ "info"
+ ]
 },
 "related": {
 "user": [
@@ -4250,7 +4342,9 @@
 "action": "bitbucket.service.plugin.audit.action.pluginenabled",
 "kind": "event",
 "original": "{\"timestamp\":\"2021-11-27T17:29:49.399Z\",\"author\":{\"name\":\"System\",\"type\":\"system\",\"id\":\"-1\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"bitbucket.service.audit.category.apps\",\"category\":\"Apps\",\"actionI18nKey\":\"bitbucket.service.plugin.audit.action.pluginenabled\",\"action\":\"Plugin enabled\"},\"affectedObjects\":[{\"name\":\"com.atlassian.bitbucket.server.bitbucket-xcode\",\"type\":\"MISC\"}],\"changedValues\":[],\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"method\":\"System\",\"extraAttributes\":[{\"nameI18nKey\":\"bitbucket.service.plugin.audit.attribute.version\",\"name\":\"Version\",\"value\":\"7.18.0\"},{\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"name\":\"target\",\"value\":\"com.atlassian.bitbucket.server.bitbucket-xcode\"}]}",
- "type": "info"
+ "type": [
+ "info"
+ ]
 },
 "related": {
 "user": [
@@ -4303,7 +4397,9 @@
 "action": "bitbucket.service.plugin.audit.action.pluginenabled",
 "kind": "event",
 "original": "{\"timestamp\":\"2021-11-27T17:29:49.394Z\",\"author\":{\"name\":\"System\",\"type\":\"system\",\"id\":\"-1\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"bitbucket.service.audit.category.apps\",\"category\":\"Apps\",\"actionI18nKey\":\"bitbucket.service.plugin.audit.action.pluginenabled\",\"action\":\"Plugin enabled\"},\"affectedObjects\":[{\"name\":\"com.atlassian.bitbucket.server.bitbucket-webpack-INTERNAL\",\"type\":\"MISC\"}],\"changedValues\":[],\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"method\":\"System\",\"extraAttributes\":[{\"nameI18nKey\":\"bitbucket.service.plugin.audit.attribute.version\",\"name\":\"Version\",\"value\":\"1.0\"},{\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"name\":\"target\",\"value\":\"com.atlassian.bitbucket.server.bitbucket-webpack-INTERNAL\"}]}",
- "type": "info"
+ "type": [
+ "info"
+ ]
 },
 "related": {
 "user": [
@@ -4356,7 +4452,9 @@
 "action": "bitbucket.service.plugin.audit.action.pluginenabled",
 "kind": "event",
 "original": "{\"timestamp\":\"2021-11-27T17:29:48.385Z\",\"author\":{\"name\":\"System\",\"type\":\"system\",\"id\":\"-1\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"bitbucket.service.audit.category.apps\",\"category\":\"Apps\",\"actionI18nKey\":\"bitbucket.service.plugin.audit.action.pluginenabled\",\"action\":\"Plugin enabled\"},\"affectedObjects\":[{\"name\":\"com.atlassian.bitbucket.server.bitbucket-web-resource-transformers\",\"type\":\"MISC\"}],\"changedValues\":[],\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"method\":\"System\",\"extraAttributes\":[{\"nameI18nKey\":\"bitbucket.service.plugin.audit.attribute.version\",\"name\":\"Version\",\"value\":\"0.0\"},{\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"name\":\"target\",\"value\":\"com.atlassian.bitbucket.server.bitbucket-web-resource-transformers\"}]}",
- "type": "info"
+ "type": [
+ "info"
+ ]
 },
 "related": {
 "user": [
@@ -4409,7 +4507,9 @@
 "action": "bitbucket.service.plugin.audit.action.pluginenabled",
 "kind": "event",
 "original": "{\"timestamp\":\"2021-11-27T17:29:48.370Z\",\"author\":{\"name\":\"System\",\"type\":\"system\",\"id\":\"-1\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"bitbucket.service.audit.category.apps\",\"category\":\"Apps\",\"actionI18nKey\":\"bitbucket.service.plugin.audit.action.pluginenabled\",\"action\":\"Plugin enabled\"},\"affectedObjects\":[{\"name\":\"com.atlassian.bitbucket.server.bitbucket-web-api\",\"type\":\"MISC\"}],\"changedValues\":[],\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"method\":\"System\",\"extraAttributes\":[{\"nameI18nKey\":\"bitbucket.service.plugin.audit.attribute.version\",\"name\":\"Version\",\"value\":\"0.0\"},{\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"name\":\"target\",\"value\":\"com.atlassian.bitbucket.server.bitbucket-web-api\"}]}",
- "type": "info"
+ "type": [
+ "info"
+ ]
 },
 "related": {
 "user": [
@@ -4462,7 +4562,9 @@
 "action": "bitbucket.service.plugin.audit.action.pluginenabled",
 "kind": "event",
 "original": "{\"timestamp\":\"2021-11-27T17:29:48.363Z\",\"author\":{\"name\":\"System\",\"type\":\"system\",\"id\":\"-1\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"bitbucket.service.audit.category.apps\",\"category\":\"Apps\",\"actionI18nKey\":\"bitbucket.service.plugin.audit.action.pluginenabled\",\"action\":\"Plugin enabled\"},\"affectedObjects\":[{\"name\":\"com.atlassian.bitbucket.server.bitbucket-web\",\"type\":\"MISC\"}],\"changedValues\":[],\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"method\":\"System\",\"extraAttributes\":[{\"nameI18nKey\":\"bitbucket.service.plugin.audit.attribute.version\",\"name\":\"Version\",\"value\":\"1.0\"},{\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"name\":\"target\",\"value\":\"com.atlassian.bitbucket.server.bitbucket-web\"}]}",
- "type": "info"
+ "type": [
+ "info"
+ ]
 },
 "related": {
 "user": [
@@ -4515,7 +4617,9 @@
 "action": "bitbucket.service.plugin.audit.action.pluginenabled",
 "kind": "event",
 "original": "{\"timestamp\":\"2021-11-27T17:29:32.073Z\",\"author\":{\"name\":\"System\",\"type\":\"system\",\"id\":\"-1\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"bitbucket.service.audit.category.apps\",\"category\":\"Apps\",\"actionI18nKey\":\"bitbucket.service.plugin.audit.action.pluginenabled\",\"action\":\"Plugin enabled\"},\"affectedObjects\":[{\"name\":\"com.atlassian.bitbucket.server.bitbucket-velocity-helper\",\"type\":\"MISC\"}],\"changedValues\":[],\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"method\":\"System\",\"extraAttributes\":[{\"nameI18nKey\":\"bitbucket.service.plugin.audit.attribute.version\",\"name\":\"Version\",\"value\":\"7.18.0\"},{\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"name\":\"target\",\"value\":\"com.atlassian.bitbucket.server.bitbucket-velocity-helper\"}]}",
- "type": "info"
+ "type": [
+ "info"
+ ]
 },
 "related": {
 "user": [
@@ -4568,7 +4672,9 @@
 "action": "bitbucket.service.plugin.audit.action.pluginenabled",
 "kind": "event",
 "original": "{\"timestamp\":\"2021-11-27T17:29:32.072Z\",\"author\":{\"name\":\"System\",\"type\":\"system\",\"id\":\"-1\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"bitbucket.service.audit.category.apps\",\"category\":\"Apps\",\"actionI18nKey\":\"bitbucket.service.plugin.audit.action.pluginenabled\",\"action\":\"Plugin enabled\"},\"affectedObjects\":[{\"name\":\"com.atlassian.bitbucket.server.bitbucket-user-erasure\",\"type\":\"MISC\"}],\"changedValues\":[],\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"method\":\"System\",\"extraAttributes\":[{\"nameI18nKey\":\"bitbucket.service.plugin.audit.attribute.version\",\"name\":\"Version\",\"value\":\"1.0\"},{\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"name\":\"target\",\"value\":\"com.atlassian.bitbucket.server.bitbucket-user-erasure\"}]}",
- "type": "info"
+ "type": [
+ "info"
+ ]
 },
 "related": {
 "user": [
@@ -4621,7 +4727,9 @@
 "action": "bitbucket.service.plugin.audit.action.pluginenabled",
 "kind": "event",
 "original": "{\"timestamp\":\"2021-11-27T17:29:32Z\",\"author\":{\"name\":\"System\",\"type\":\"system\",\"id\":\"-1\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"bitbucket.service.audit.category.apps\",\"category\":\"Apps\",\"actionI18nKey\":\"bitbucket.service.plugin.audit.action.pluginenabled\",\"action\":\"Plugin enabled\"},\"affectedObjects\":[{\"name\":\"com.atlassian.bitbucket.server.bitbucket-upm-accessor\",\"type\":\"MISC\"}],\"changedValues\":[],\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"method\":\"System\",\"extraAttributes\":[{\"nameI18nKey\":\"bitbucket.service.plugin.audit.attribute.version\",\"name\":\"Version\",\"value\":\"7.18.0\"},{\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"name\":\"target\",\"value\":\"com.atlassian.bitbucket.server.bitbucket-upm-accessor\"}]}",
- "type": "info"
+ "type": [
+ "info"
+ ]
 },
 "related": {
 "user": [
@@ -4674,7 +4782,9 @@
 "action": "bitbucket.service.plugin.audit.action.pluginenabled",
 "kind": "event",
 "original": "{\"timestamp\":\"2021-11-27T17:29:31.999Z\",\"author\":{\"name\":\"System\",\"type\":\"system\",\"id\":\"-1\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"bitbucket.service.audit.category.apps\",\"category\":\"Apps\",\"actionI18nKey\":\"bitbucket.service.plugin.audit.action.pluginenabled\",\"action\":\"Plugin enabled\"},\"affectedObjects\":[{\"name\":\"com.atlassian.bitbucket.server.bitbucket-tag\",\"type\":\"MISC\"}],\"changedValues\":[],\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"method\":\"System\",\"extraAttributes\":[{\"nameI18nKey\":\"bitbucket.service.plugin.audit.attribute.version\",\"name\":\"Version\",\"value\":\"7.18.0\"},{\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"name\":\"target\",\"value\":\"com.atlassian.bitbucket.server.bitbucket-tag\"}]}",
- "type": "info"
+ "type": [
+ "info"
+ ]
 },
 "related": {
 "user": [
@@ -4727,7 +4837,9 @@
 "action": "bitbucket.service.plugin.audit.action.pluginenabled",
 "kind": "event",
 "original": "{\"timestamp\":\"2021-11-27T17:29:31.988Z\",\"author\":{\"name\":\"System\",\"type\":\"system\",\"id\":\"-1\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"bitbucket.service.audit.category.apps\",\"category\":\"Apps\",\"actionI18nKey\":\"bitbucket.service.plugin.audit.action.pluginenabled\",\"action\":\"Plugin enabled\"},\"affectedObjects\":[{\"name\":\"com.atlassian.bitbucket.server.bitbucket-suggestions\",\"type\":\"MISC\"}],\"changedValues\":[],\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"method\":\"System\",\"extraAttributes\":[{\"nameI18nKey\":\"bitbucket.service.plugin.audit.attribute.version\",\"name\":\"Version\",\"value\":\"7.18.0\"},{\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"name\":\"target\",\"value\":\"com.atlassian.bitbucket.server.bitbucket-suggestions\"}]}",
- "type": "info"
+ "type": [
+ "info"
+ ]
 },
 "related": {
 "user": [
@@ -4780,7 +4892,9 @@
 "action": "bitbucket.service.plugin.audit.action.pluginenabled",
 "kind": "event",
 "original": "{\"timestamp\":\"2021-11-27T17:29:31.723Z\",\"author\":{\"name\":\"System\",\"type\":\"system\",\"id\":\"-1\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"bitbucket.service.audit.category.apps\",\"category\":\"Apps\",\"actionI18nKey\":\"bitbucket.service.plugin.audit.action.pluginenabled\",\"action\":\"Plugin enabled\"},\"affectedObjects\":[{\"name\":\"com.atlassian.bitbucket.server.bitbucket-soy-functions\",\"type\":\"MISC\"}],\"changedValues\":[],\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"method\":\"System\",\"extraAttributes\":[{\"nameI18nKey\":\"bitbucket.service.plugin.audit.attribute.version\",\"name\":\"Version\",\"value\":\"0.0\"},{\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"name\":\"target\",\"value\":\"com.atlassian.bitbucket.server.bitbucket-soy-functions\"}]}",
- "type": "info"
+ "type": [
+ "info"
+ ]
 },
 "related": {
 "user": [
@@ -4833,7 +4947,9 @@
 "action": "bitbucket.service.plugin.audit.action.pluginenabled",
 "kind": "event",
 "original": "{\"timestamp\":\"2021-11-27T17:29:24.643Z\",\"author\":{\"name\":\"System\",\"type\":\"system\",\"id\":\"-1\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"bitbucket.service.audit.category.apps\",\"category\":\"Apps\",\"actionI18nKey\":\"bitbucket.service.plugin.audit.action.pluginenabled\",\"action\":\"Plugin enabled\"},\"affectedObjects\":[{\"name\":\"com.atlassian.bitbucket.server.bitbucket-sourcetree\",\"type\":\"MISC\"}],\"changedValues\":[],\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"method\":\"System\",\"extraAttributes\":[{\"nameI18nKey\":\"bitbucket.service.plugin.audit.attribute.version\",\"name\":\"Version\",\"value\":\"7.18.0\"},{\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"name\":\"target\",\"value\":\"com.atlassian.bitbucket.server.bitbucket-sourcetree\"}]}",
- "type": "info"
+ "type": [
+ "info"
+ ]
 },
 "related": {
 "user": [
@@ -4886,7 +5002,9 @@
 "action": "bitbucket.service.plugin.audit.action.pluginenabled",
 "kind": "event",
 "original": "{\"timestamp\":\"2021-11-27T17:29:24.638Z\",\"author\":{\"name\":\"System\",\"type\":\"system\",\"id\":\"-1\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"bitbucket.service.audit.category.apps\",\"category\":\"Apps\",\"actionI18nKey\":\"bitbucket.service.plugin.audit.action.pluginenabled\",\"action\":\"Plugin enabled\"},\"affectedObjects\":[{\"name\":\"com.atlassian.bitbucket.server.bitbucket-server-web-fragments\",\"type\":\"MISC\"}],\"changedValues\":[],\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"method\":\"System\",\"extraAttributes\":[{\"nameI18nKey\":\"bitbucket.service.plugin.audit.attribute.version\",\"name\":\"Version\",\"value\":\"0.0\"},{\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"name\":\"target\",\"value\":\"com.atlassian.bitbucket.server.bitbucket-server-web-fragments\"}]}",
- "type": "info"
+ "type": [
+ "info"
+ ]
 },
 "related": {
 "user": [
@@ -4939,7 +5057,9 @@
 "action": "bitbucket.service.plugin.audit.action.pluginenabled",
 "kind": "event",
 "original": "{\"timestamp\":\"2021-11-27T17:29:23.479Z\",\"author\":{\"name\":\"System\",\"type\":\"system\",\"id\":\"-1\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"bitbucket.service.audit.category.apps\",\"category\":\"Apps\",\"actionI18nKey\":\"bitbucket.service.plugin.audit.action.pluginenabled\",\"action\":\"Plugin enabled\"},\"affectedObjects\":[{\"name\":\"com.atlassian.bitbucket.server.bitbucket-search\",\"type\":\"MISC\"}],\"changedValues\":[],\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"method\":\"System\",\"extraAttributes\":[{\"nameI18nKey\":\"bitbucket.service.plugin.audit.attribute.version\",\"name\":\"Version\",\"value\":\"7.18.0\"},{\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"name\":\"target\",\"value\":\"com.atlassian.bitbucket.server.bitbucket-search\"}]}",
- "type": "info"
+ "type": [
+ "info"
+ ]
 },
 "related": {
 "user": [
@@ -4992,7 +5112,9 @@
 "action": "bitbucket.service.plugin.audit.action.pluginenabled",
 "kind": "event",
 "original": "{\"timestamp\":\"2021-11-27T17:29:23.434Z\",\"author\":{\"name\":\"System\",\"type\":\"system\",\"id\":\"-1\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"bitbucket.service.audit.category.apps\",\"category\":\"Apps\",\"actionI18nKey\":\"bitbucket.service.plugin.audit.action.pluginenabled\",\"action\":\"Plugin enabled\"},\"affectedObjects\":[{\"name\":\"com.atlassian.bitbucket.server.bitbucket-sal\",\"type\":\"MISC\"}],\"changedValues\":[],\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"method\":\"System\",\"extraAttributes\":[{\"nameI18nKey\":\"bitbucket.service.plugin.audit.attribute.version\",\"name\":\"Version\",\"value\":\"7.18.0\"},{\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"name\":\"target\",\"value\":\"com.atlassian.bitbucket.server.bitbucket-sal\"}]}",
- "type": "info"
+ "type": [
+ "info"
+ ]
 },
 "related": {
 "user": [
@@ -5045,7 +5167,9 @@
 "action": "bitbucket.service.plugin.audit.action.pluginenabled",
 "kind": "event",
 "original": "{\"timestamp\":\"2021-11-27T17:29:23.432Z\",\"author\":{\"name\":\"System\",\"type\":\"system\",\"id\":\"-1\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"bitbucket.service.audit.category.apps\",\"category\":\"Apps\",\"actionI18nKey\":\"bitbucket.service.plugin.audit.action.pluginenabled\",\"action\":\"Plugin enabled\"},\"affectedObjects\":[{\"name\":\"com.atlassian.bitbucket.server.bitbucket-rest-ui\",\"type\":\"MISC\"}],\"changedValues\":[],\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"method\":\"System\",\"extraAttributes\":[{\"nameI18nKey\":\"bitbucket.service.plugin.audit.attribute.version\",\"name\":\"Version\",\"value\":\"7.18.0\"},{\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"name\":\"target\",\"value\":\"com.atlassian.bitbucket.server.bitbucket-rest-ui\"}]}",
- "type": "info"
+ "type": [
+ "info"
+ ]
 },
 "related": {
 "user": [
@@ -5098,7 +5222,9 @@
 "action": "bitbucket.service.plugin.audit.action.pluginenabled",
 "kind": "event",
 "original": "{\"timestamp\":\"2021-11-27T17:29:23.422Z\",\"author\":{\"name\":\"System\",\"type\":\"system\",\"id\":\"-1\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"bitbucket.service.audit.category.apps\",\"category\":\"Apps\",\"actionI18nKey\":\"bitbucket.service.plugin.audit.action.pluginenabled\",\"action\":\"Plugin enabled\"},\"affectedObjects\":[{\"name\":\"com.atlassian.bitbucket.server.bitbucket-repository-shortcuts\",\"type\":\"MISC\"}],\"changedValues\":[],\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"method\":\"System\",\"extraAttributes\":[{\"nameI18nKey\":\"bitbucket.service.plugin.audit.attribute.version\",\"name\":\"Version\",\"value\":\"7.18.0\"},{\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"name\":\"target\",\"value\":\"com.atlassian.bitbucket.server.bitbucket-repository-shortcuts\"}]}",
- "type": "info"
+ "type": [
+ "info"
+ ]
 },
 "related": {
 "user": [
@@ -5151,7 +5277,9 @@
 "action": "bitbucket.service.plugin.audit.action.pluginenabled",
 "kind": "event",
 "original": "{\"timestamp\":\"2021-11-27T17:29:23.406Z\",\"author\":{\"name\":\"System\",\"type\":\"system\",\"id\":\"-1\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"bitbucket.service.audit.category.apps\",\"category\":\"Apps\",\"actionI18nKey\":\"bitbucket.service.plugin.audit.action.pluginenabled\",\"action\":\"Plugin enabled\"},\"affectedObjects\":[{\"name\":\"com.atlassian.bitbucket.server.bitbucket-repository-management\",\"type\":\"MISC\"}],\"changedValues\":[],\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"method\":\"System\",\"extraAttributes\":[{\"nameI18nKey\":\"bitbucket.service.plugin.audit.attribute.version\",\"name\":\"Version\",\"value\":\"7.18.0\"},{\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"name\":\"target\",\"value\":\"com.atlassian.bitbucket.server.bitbucket-repository-management\"}]}",
- "type": "info"
+ "type": [
+ "info"
+ ]
 },
 "related": {
 "user": [
@@ -5204,7 +5332,9 @@
 "action": "bitbucket.service.plugin.audit.action.pluginenabled",
 "kind": "event",
 "original": "{\"timestamp\":\"2021-11-27T17:29:23.343Z\",\"author\":{\"name\":\"System\",\"type\":\"system\",\"id\":\"-1\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"bitbucket.service.audit.category.apps\",\"category\":\"Apps\",\"actionI18nKey\":\"bitbucket.service.plugin.audit.action.pluginenabled\",\"action\":\"Plugin enabled\"},\"affectedObjects\":[{\"name\":\"com.atlassian.bitbucket.server.bitbucket-repository-hooks\",\"type\":\"MISC\"}],\"changedValues\":[],\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"method\":\"System\",\"extraAttributes\":[{\"nameI18nKey\":\"bitbucket.service.plugin.audit.attribute.version\",\"name\":\"Version\",\"value\":\"0.0\"},{\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"name\":\"target\",\"value\":\"com.atlassian.bitbucket.server.bitbucket-repository-hooks\"}]}",
- "type": "info"
+ "type": [
+ "info"
+ ]
 },
 "related": {
 "user": [
@@ -5257,7 +5387,9 @@
 "action": "bitbucket.service.plugin.audit.action.pluginenabled",
 "kind": "event",
 "original": "{\"timestamp\":\"2021-11-27T17:29:23.039Z\",\"author\":{\"name\":\"System\",\"type\":\"system\",\"id\":\"-1\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"bitbucket.service.audit.category.apps\",\"category\":\"Apps\",\"actionI18nKey\":\"bitbucket.service.plugin.audit.action.pluginenabled\",\"action\":\"Plugin enabled\"},\"affectedObjects\":[{\"name\":\"com.atlassian.bitbucket.server.bitbucket-ref-metadata\",\"type\":\"MISC\"}],\"changedValues\":[],\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"method\":\"System\",\"extraAttributes\":[{\"nameI18nKey\":\"bitbucket.service.plugin.audit.attribute.version\",\"name\":\"Version\",\"value\":\"0.0\"},{\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"name\":\"target\",\"value\":\"com.atlassian.bitbucket.server.bitbucket-ref-metadata\"}]}",
- "type": "info"
+ "type": [
+ "info"
+ ]
 },
 "related": {
 "user": [
@@ -5310,7 +5442,9 @@
 "action": "bitbucket.service.plugin.audit.action.pluginenabled",
 "kind": "event",
 "original": "{\"timestamp\":\"2021-11-27T17:29:22.847Z\",\"author\":{\"name\":\"System\",\"type\":\"system\",\"id\":\"-1\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"bitbucket.service.audit.category.apps\",\"category\":\"Apps\",\"actionI18nKey\":\"bitbucket.service.plugin.audit.action.pluginenabled\",\"action\":\"Plugin enabled\"},\"affectedObjects\":[{\"name\":\"com.atlassian.bitbucket.server.bitbucket-rate-limit\",\"type\":\"MISC\"}],\"changedValues\":[],\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"method\":\"System\",\"extraAttributes\":[{\"nameI18nKey\":\"bitbucket.service.plugin.audit.attribute.version\",\"name\":\"Version\",\"value\":\"7.18.0\"},{\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"name\":\"target\",\"value\":\"com.atlassian.bitbucket.server.bitbucket-rate-limit\"}]}",
- "type": "info"
+ "type": [
+ "info"
+ ]
 },
 "related": {
 "user": [
@@ -5363,7 +5497,9 @@
 "action": "bitbucket.service.plugin.audit.action.pluginenabled",
 "kind": "event",
 "original": "{\"timestamp\":\"2021-11-27T17:29:22.726Z\",\"author\":{\"name\":\"System\",\"type\":\"system\",\"id\":\"-1\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"bitbucket.service.audit.category.apps\",\"category\":\"Apps\",\"actionI18nKey\":\"bitbucket.service.plugin.audit.action.pluginenabled\",\"action\":\"Plugin enabled\"},\"affectedObjects\":[{\"name\":\"com.atlassian.bitbucket.server.bitbucket-pull-request-properties\",\"type\":\"MISC\"}],\"changedValues\":[],\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"method\":\"System\",\"extraAttributes\":[{\"nameI18nKey\":\"bitbucket.service.plugin.audit.attribute.version\",\"name\":\"Version\",\"value\":\"0.0\"},{\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"name\":\"target\",\"value\":\"com.atlassian.bitbucket.server.bitbucket-pull-request-properties\"}]}",
- "type": "info"
+ "type": [
+ "info"
+ ]
 },
 "related": {
 "user": [
@@ -5416,7 +5552,9 @@
 "action": "bitbucket.service.plugin.audit.action.pluginenabled",
 "kind": "event",
 "original": "{\"timestamp\":\"2021-11-27T17:29:22.723Z\",\"author\":{\"name\":\"System\",\"type\":\"system\",\"id\":\"-1\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"bitbucket.service.audit.category.apps\",\"category\":\"Apps\",\"actionI18nKey\":\"bitbucket.service.plugin.audit.action.pluginenabled\",\"action\":\"Plugin enabled\"},\"affectedObjects\":[{\"name\":\"com.atlassian.bitbucket.server.bitbucket-pull-request-cleanup\",\"type\":\"MISC\"}],\"changedValues\":[],\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"method\":\"System\",\"extraAttributes\":[{\"nameI18nKey\":\"bitbucket.service.plugin.audit.attribute.version\",\"name\":\"Version\",\"value\":\"7.18.0\"},{\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"name\":\"target\",\"value\":\"com.atlassian.bitbucket.server.bitbucket-pull-request-cleanup\"}]}",
- "type": "info"
+ "type": [
+ "info"
+ ]
 },
 "related": {
 "user": [
@@ -5469,7 +5607,9 @@
 "action": "bitbucket.service.plugin.audit.action.pluginenabled",
 "kind": "event",
 "original": "{\"timestamp\":\"2021-11-27T17:29:22.706Z\",\"author\":{\"name\":\"System\",\"type\":\"system\",\"id\":\"-1\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"bitbucket.service.audit.category.apps\",\"category\":\"Apps\",\"actionI18nKey\":\"bitbucket.service.plugin.audit.action.pluginenabled\",\"action\":\"Plugin enabled\"},\"affectedObjects\":[{\"name\":\"com.atlassian.bitbucket.server.bitbucket-policies\",\"type\":\"MISC\"}],\"changedValues\":[],\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"method\":\"System\",\"extraAttributes\":[{\"nameI18nKey\":\"bitbucket.service.plugin.audit.attribute.version\",\"name\":\"Version\",\"value\":\"7.18.0\"},{\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"name\":\"target\",\"value\":\"com.atlassian.bitbucket.server.bitbucket-policies\"}]}",
- "type": "info"
+ "type": [
+ "info"
+ ]
 },
 "related": {
 "user": [
@@ -5522,7 +5662,9 @@ "action": "bitbucket.service.plugin.audit.action.pluginenabled", "kind": "event", "original": "{\"timestamp\":\"2021-11-27T17:29:22.681Z\",\"author\":{\"name\":\"System\",\"type\":\"system\",\"id\":\"-1\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"bitbucket.service.audit.category.apps\",\"category\":\"Apps\",\"actionI18nKey\":\"bitbucket.service.plugin.audit.action.pluginenabled\",\"action\":\"Plugin enabled\"},\"affectedObjects\":[{\"name\":\"com.atlassian.bitbucket.server.bitbucket-plugin-information-provider\",\"type\":\"MISC\"}],\"changedValues\":[],\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"method\":\"System\",\"extraAttributes\":[{\"nameI18nKey\":\"bitbucket.service.plugin.audit.attribute.version\",\"name\":\"Version\",\"value\":\"7.18.0\"},{\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"name\":\"target\",\"value\":\"com.atlassian.bitbucket.server.bitbucket-plugin-information-provider\"}]}", - "type": "info" + "type": [ + "info" + ] }, "related": { "user": [ 
@@ -5575,7 +5717,9 @@ "action": "bitbucket.service.plugin.audit.action.pluginenabled", "kind": "event", "original": "{\"timestamp\":\"2021-11-27T17:29:22.680Z\",\"author\":{\"name\":\"System\",\"type\":\"system\",\"id\":\"-1\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"bitbucket.service.audit.category.apps\",\"category\":\"Apps\",\"actionI18nKey\":\"bitbucket.service.plugin.audit.action.pluginenabled\",\"action\":\"Plugin enabled\"},\"affectedObjects\":[{\"name\":\"com.atlassian.bitbucket.server.bitbucket-page-data\",\"type\":\"MISC\"}],\"changedValues\":[],\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"method\":\"System\",\"extraAttributes\":[{\"nameI18nKey\":\"bitbucket.service.plugin.audit.attribute.version\",\"name\":\"Version\",\"value\":\"0.0\"},{\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"name\":\"target\",\"value\":\"com.atlassian.bitbucket.server.bitbucket-page-data\"}]}", - "type": "info" + "type": [ + "info" + ] }, "related": { "user": [ @@ -5628,7 +5772,9 @@ "action": "bitbucket.service.plugin.audit.action.pluginenabled", "kind": "event", "original": "{\"timestamp\":\"2021-11-27T17:29:21.575Z\",\"author\":{\"name\":\"System\",\"type\":\"system\",\"id\":\"-1\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"bitbucket.service.audit.category.apps\",\"category\":\"Apps\",\"actionI18nKey\":\"bitbucket.service.plugin.audit.action.pluginenabled\",\"action\":\"Plugin enabled\"},\"affectedObjects\":[{\"name\":\"com.atlassian.bitbucket.server.bitbucket-notification\",\"type\":\"MISC\"}],\"changedValues\":[],\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"method\":\"System\",\"extraAttributes\":[{\"nameI18nKey\":\"bitbucket.service.plugin.audit.attribute.version\",\"name\":\"Version\",\"value\":\"7.18.0\"},{\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"name\":\"target\",\"value\":\"com.atlassian.bitbucket.server.bitbucket-notification\"}]}", - "type": "info" + "type": [ + "info" + ] }, "related": { "user": [ 
@@ -5681,7 +5827,9 @@ "action": "bitbucket.service.plugin.audit.action.pluginenabled", "kind": "event", "original": "{\"timestamp\":\"2021-11-27T17:29:21.522Z\",\"author\":{\"name\":\"System\",\"type\":\"system\",\"id\":\"-1\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"bitbucket.service.audit.category.apps\",\"category\":\"Apps\",\"actionI18nKey\":\"bitbucket.service.plugin.audit.action.pluginenabled\",\"action\":\"Plugin enabled\"},\"affectedObjects\":[{\"name\":\"com.atlassian.bitbucket.server.bitbucket-nav-links\",\"type\":\"MISC\"}],\"changedValues\":[],\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"method\":\"System\",\"extraAttributes\":[{\"nameI18nKey\":\"bitbucket.service.plugin.audit.attribute.version\",\"name\":\"Version\",\"value\":\"7.18.0\"},{\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"name\":\"target\",\"value\":\"com.atlassian.bitbucket.server.bitbucket-nav-links\"}]}", - "type": "info" + "type": [ + "info" + ] }, "related": { "user": [ 
@@ -5734,7 +5882,9 @@ "action": "bitbucket.service.plugin.audit.action.pluginenabled", "kind": "event", "original": "{\"timestamp\":\"2021-11-27T17:29:21.519Z\",\"author\":{\"name\":\"System\",\"type\":\"system\",\"id\":\"-1\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"bitbucket.service.audit.category.apps\",\"category\":\"Apps\",\"actionI18nKey\":\"bitbucket.service.plugin.audit.action.pluginenabled\",\"action\":\"Plugin enabled\"},\"affectedObjects\":[{\"name\":\"com.atlassian.bitbucket.server.bitbucket-mirroring-upstream\",\"type\":\"MISC\"}],\"changedValues\":[],\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"method\":\"System\",\"extraAttributes\":[{\"nameI18nKey\":\"bitbucket.service.plugin.audit.attribute.version\",\"name\":\"Version\",\"value\":\"7.18.0\"},{\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"name\":\"target\",\"value\":\"com.atlassian.bitbucket.server.bitbucket-mirroring-upstream\"}]}", - "type": "info" + "type": [ + "info" + ] }, "related": { "user": [ 
@@ -5787,7 +5937,9 @@ "action": "bitbucket.service.plugin.audit.action.pluginenabled", "kind": "event", "original": "{\"timestamp\":\"2021-11-27T17:29:21.497Z\",\"author\":{\"name\":\"System\",\"type\":\"system\",\"id\":\"-1\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"bitbucket.service.audit.category.apps\",\"category\":\"Apps\",\"actionI18nKey\":\"bitbucket.service.plugin.audit.action.pluginenabled\",\"action\":\"Plugin enabled\"},\"affectedObjects\":[{\"name\":\"com.atlassian.plugins.atlassian-connect-plugin\",\"type\":\"MISC\"}],\"changedValues\":[],\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"method\":\"System\",\"extraAttributes\":[{\"nameI18nKey\":\"bitbucket.service.plugin.audit.attribute.version\",\"name\":\"Version\",\"value\":\"2.0.0\"},{\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"name\":\"target\",\"value\":\"com.atlassian.plugins.atlassian-connect-plugin\"}]}", - "type": "info" + "type": [ + "info" + ] }, "related": { "user": [ 
@@ -5840,7 +5992,9 @@ "action": "bitbucket.service.plugin.audit.action.pluginenabled", "kind": "event", "original": "{\"timestamp\":\"2021-11-27T17:29:21.330Z\",\"author\":{\"name\":\"System\",\"type\":\"system\",\"id\":\"-1\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"bitbucket.service.audit.category.apps\",\"category\":\"Apps\",\"actionI18nKey\":\"bitbucket.service.plugin.audit.action.pluginenabled\",\"action\":\"Plugin enabled\"},\"affectedObjects\":[{\"name\":\"com.atlassian.upm.atlassian-universal-plugin-manager-plugin\",\"type\":\"MISC\"}],\"changedValues\":[],\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"method\":\"System\",\"extraAttributes\":[{\"nameI18nKey\":\"bitbucket.service.plugin.audit.attribute.version\",\"name\":\"Version\",\"value\":\"4.2.10\"},{\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"name\":\"target\",\"value\":\"com.atlassian.upm.atlassian-universal-plugin-manager-plugin\"}]}", - "type": "info" + "type": [ + "info" + ] }, "related": { "user": [ @@ -5893,7 +6047,9 @@ "action": "bitbucket.service.plugin.audit.action.pluginenabled", "kind": "event", "original": "{\"timestamp\":\"2021-11-27T17:29:20.129Z\",\"author\":{\"name\":\"System\",\"type\":\"system\",\"id\":\"-1\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"bitbucket.service.audit.category.apps\",\"category\":\"Apps\",\"actionI18nKey\":\"bitbucket.service.plugin.audit.action.pluginenabled\",\"action\":\"Plugin enabled\"},\"affectedObjects\":[{\"name\":\"rome.rome-1.0\",\"type\":\"MISC\"}],\"changedValues\":[],\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"method\":\"System\",\"extraAttributes\":[{\"nameI18nKey\":\"bitbucket.service.plugin.audit.attribute.version\",\"name\":\"Version\",\"value\":\"1.0\"},{\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"name\":\"target\",\"value\":\"rome.rome-1.0\"}]}", - "type": "info" + "type": [ + "info" + ] }, "related": { "user": [ 
@@ -5946,7 +6102,9 @@ "action": "bitbucket.service.plugin.audit.action.pluginenabled", "kind": "event", "original": "{\"timestamp\":\"2021-11-27T17:29:20.128Z\",\"author\":{\"name\":\"System\",\"type\":\"system\",\"id\":\"-1\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"bitbucket.service.audit.category.apps\",\"category\":\"Apps\",\"actionI18nKey\":\"bitbucket.service.plugin.audit.action.pluginenabled\",\"action\":\"Plugin enabled\"},\"affectedObjects\":[{\"name\":\"com.atlassian.bundles.json-schema-validator-atlassian-bundle\",\"type\":\"MISC\"}],\"changedValues\":[],\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"method\":\"System\",\"extraAttributes\":[{\"nameI18nKey\":\"bitbucket.service.plugin.audit.attribute.version\",\"name\":\"Version\",\"value\":\"1.0.4\"},{\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"name\":\"target\",\"value\":\"com.atlassian.bundles.json-schema-validator-atlassian-bundle\"}]}", - "type": "info" + "type": [ + "info" + ] }, "related": { "user": [ 
@@ -5999,7 +6157,9 @@ "action": "bitbucket.service.plugin.audit.action.pluginenabled", "kind": "event", "original": "{\"timestamp\":\"2021-11-27T17:29:20.127Z\",\"author\":{\"name\":\"System\",\"type\":\"system\",\"id\":\"-1\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"bitbucket.service.audit.category.apps\",\"category\":\"Apps\",\"actionI18nKey\":\"bitbucket.service.plugin.audit.action.pluginenabled\",\"action\":\"Plugin enabled\"},\"affectedObjects\":[{\"name\":\"com.atlassian.bitbucket.server.bitbucket-markup-renderers\",\"type\":\"MISC\"}],\"changedValues\":[],\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"method\":\"System\",\"extraAttributes\":[{\"nameI18nKey\":\"bitbucket.service.plugin.audit.attribute.version\",\"name\":\"Version\",\"value\":\"0.0\"},{\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"name\":\"target\",\"value\":\"com.atlassian.bitbucket.server.bitbucket-markup-renderers\"}]}", - "type": "info" + "type": [ + "info" + ] }, "related": { "user": [ @@ -6052,7 +6212,9 @@ "action": "bitbucket.service.plugin.audit.action.pluginenabled", "kind": "event", "original": "{\"timestamp\":\"2021-11-27T17:29:20.119Z\",\"author\":{\"name\":\"System\",\"type\":\"system\",\"id\":\"-1\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"bitbucket.service.audit.category.apps\",\"category\":\"Apps\",\"actionI18nKey\":\"bitbucket.service.plugin.audit.action.pluginenabled\",\"action\":\"Plugin enabled\"},\"affectedObjects\":[{\"name\":\"com.atlassian.bitbucket.server.bitbucket-labels\",\"type\":\"MISC\"}],\"changedValues\":[],\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"method\":\"System\",\"extraAttributes\":[{\"nameI18nKey\":\"bitbucket.service.plugin.audit.attribute.version\",\"name\":\"Version\",\"value\":\"1.0\"},{\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"name\":\"target\",\"value\":\"com.atlassian.bitbucket.server.bitbucket-labels\"}]}", - "type": "info" + "type": [ + "info" + ] }, "related": { "user": [ 
@@ -6105,7 +6267,9 @@ "action": "bitbucket.service.plugin.audit.action.pluginenabled", "kind": "event", "original": "{\"timestamp\":\"2021-11-27T17:29:19.922Z\",\"author\":{\"name\":\"System\",\"type\":\"system\",\"id\":\"-1\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"bitbucket.service.audit.category.apps\",\"category\":\"Apps\",\"actionI18nKey\":\"bitbucket.service.plugin.audit.action.pluginenabled\",\"action\":\"Plugin enabled\"},\"affectedObjects\":[{\"name\":\"com.atlassian.bitbucket.server.bitbucket-keyboard-shortcuts\",\"type\":\"MISC\"}],\"changedValues\":[],\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"method\":\"System\",\"extraAttributes\":[{\"nameI18nKey\":\"bitbucket.service.plugin.audit.attribute.version\",\"name\":\"Version\",\"value\":\"0.0\"},{\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"name\":\"target\",\"value\":\"com.atlassian.bitbucket.server.bitbucket-keyboard-shortcuts\"}]}", - "type": "info" + "type": [ + "info" + ] }, "related": { "user": [ 
@@ -6158,7 +6322,9 @@ "action": "bitbucket.service.plugin.audit.action.pluginenabled", "kind": "event", "original": "{\"timestamp\":\"2021-11-27T17:29:19.913Z\",\"author\":{\"name\":\"System\",\"type\":\"system\",\"id\":\"-1\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"bitbucket.service.audit.category.apps\",\"category\":\"Apps\",\"actionI18nKey\":\"bitbucket.service.plugin.audit.action.pluginenabled\",\"action\":\"Plugin enabled\"},\"affectedObjects\":[{\"name\":\"com.atlassian.bitbucket.server.bitbucket-jira-development-integration\",\"type\":\"MISC\"}],\"changedValues\":[],\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"method\":\"System\",\"extraAttributes\":[{\"nameI18nKey\":\"bitbucket.service.plugin.audit.attribute.version\",\"name\":\"Version\",\"value\":\"7.18.0\"},{\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"name\":\"target\",\"value\":\"com.atlassian.bitbucket.server.bitbucket-jira-development-integration\"}]}", - "type": "info" + "type": [ + "info" + ] }, "related": { "user": [ 
@@ -6211,7 +6377,9 @@ "action": "bitbucket.service.plugin.audit.action.pluginenabled", "kind": "event", "original": "{\"timestamp\":\"2021-11-27T17:29:19.896Z\",\"author\":{\"name\":\"System\",\"type\":\"system\",\"id\":\"-1\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"bitbucket.service.audit.category.apps\",\"category\":\"Apps\",\"actionI18nKey\":\"bitbucket.service.plugin.audit.action.pluginenabled\",\"action\":\"Plugin enabled\"},\"affectedObjects\":[{\"name\":\"com.atlassian.bitbucket.server.bitbucket-repository-ref-sync\",\"type\":\"MISC\"}],\"changedValues\":[],\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"method\":\"System\",\"extraAttributes\":[{\"nameI18nKey\":\"bitbucket.service.plugin.audit.attribute.version\",\"name\":\"Version\",\"value\":\"7.18.0\"},{\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"name\":\"target\",\"value\":\"com.atlassian.bitbucket.server.bitbucket-repository-ref-sync\"}]}", - "type": "info" + "type": [ + "info" + ] }, "related": { "user": [ 
@@ -6264,7 +6432,9 @@ "action": "bitbucket.service.plugin.audit.action.pluginenabled", "kind": "event", "original": "{\"timestamp\":\"2021-11-27T17:29:19.622Z\",\"author\":{\"name\":\"System\",\"type\":\"system\",\"id\":\"-1\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"bitbucket.service.audit.category.apps\",\"category\":\"Apps\",\"actionI18nKey\":\"bitbucket.service.plugin.audit.action.pluginenabled\",\"action\":\"Plugin enabled\"},\"affectedObjects\":[{\"name\":\"com.atlassian.plugins.remote-link-aggregator-plugin\",\"type\":\"MISC\"}],\"changedValues\":[],\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"method\":\"System\",\"extraAttributes\":[{\"nameI18nKey\":\"bitbucket.service.plugin.audit.attribute.version\",\"name\":\"Version\",\"value\":\"3.0.0\"},{\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"name\":\"target\",\"value\":\"com.atlassian.plugins.remote-link-aggregator-plugin\"}]}", - "type": "info" + "type": [ + "info" + ] }, "related": { "user": [ 
@@ -6317,7 +6487,9 @@ "action": "bitbucket.service.plugin.audit.action.pluginenabled", "kind": "event", "original": "{\"timestamp\":\"2021-11-27T17:29:19.613Z\",\"author\":{\"name\":\"System\",\"type\":\"system\",\"id\":\"-1\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"bitbucket.service.audit.category.apps\",\"category\":\"Apps\",\"actionI18nKey\":\"bitbucket.service.plugin.audit.action.pluginenabled\",\"action\":\"Plugin enabled\"},\"affectedObjects\":[{\"name\":\"com.atlassian.plugins.atlassian-remote-event-common-plugin\",\"type\":\"MISC\"}],\"changedValues\":[],\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"method\":\"System\",\"extraAttributes\":[{\"nameI18nKey\":\"bitbucket.service.plugin.audit.attribute.version\",\"name\":\"Version\",\"value\":\"6.3.0\"},{\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"name\":\"target\",\"value\":\"com.atlassian.plugins.atlassian-remote-event-common-plugin\"}]}", - "type": "info" + "type": [ + "info" + ] }, "related": { "user": [ 
@@ -6370,7 +6542,9 @@ "action": "bitbucket.service.plugin.audit.action.pluginenabled", "kind": "event", "original": "{\"timestamp\":\"2021-11-27T17:29:19.602Z\",\"author\":{\"name\":\"System\",\"type\":\"system\",\"id\":\"-1\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"bitbucket.service.audit.category.apps\",\"category\":\"Apps\",\"actionI18nKey\":\"bitbucket.service.plugin.audit.action.pluginenabled\",\"action\":\"Plugin enabled\"},\"affectedObjects\":[{\"name\":\"com.atlassian.plugins.atlassian-nav-links-plugin\",\"type\":\"MISC\"}],\"changedValues\":[],\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"method\":\"System\",\"extraAttributes\":[{\"nameI18nKey\":\"bitbucket.service.plugin.audit.attribute.version\",\"name\":\"Version\",\"value\":\"7.0.0\"},{\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"name\":\"target\",\"value\":\"com.atlassian.plugins.atlassian-nav-links-plugin\"}]}", - "type": "info" + "type": [ + "info" + ] }, "related": { "user": [ 
@@ -6423,7 +6597,9 @@ "action": "bitbucket.service.plugin.audit.action.pluginenabled", "kind": "event", "original": "{\"timestamp\":\"2021-11-27T17:29:18.850Z\",\"author\":{\"name\":\"System\",\"type\":\"system\",\"id\":\"-1\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"bitbucket.service.audit.category.apps\",\"category\":\"Apps\",\"actionI18nKey\":\"bitbucket.service.plugin.audit.action.pluginenabled\",\"action\":\"Plugin enabled\"},\"affectedObjects\":[{\"name\":\"com.atlassian.plugin.atlassian-spring-scanner-annotation\",\"type\":\"MISC\"}],\"changedValues\":[],\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"method\":\"System\",\"extraAttributes\":[{\"nameI18nKey\":\"bitbucket.service.plugin.audit.attribute.version\",\"name\":\"Version\",\"value\":\"2.2.0\"},{\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"name\":\"target\",\"value\":\"com.atlassian.plugin.atlassian-spring-scanner-annotation\"}]}", - "type": "info" + "type": [ + "info" + ] }, "related": { "user": [ 
@@ -6476,7 +6652,9 @@ "action": "bitbucket.service.plugin.audit.action.pluginenabled", "kind": "event", "original": "{\"timestamp\":\"2021-11-27T17:29:18.849Z\",\"author\":{\"name\":\"System\",\"type\":\"system\",\"id\":\"-1\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"bitbucket.service.audit.category.apps\",\"category\":\"Apps\",\"actionI18nKey\":\"bitbucket.service.plugin.audit.action.pluginenabled\",\"action\":\"Plugin enabled\"},\"affectedObjects\":[{\"name\":\"com.atlassian.bitbucket.server.bitbucket-jira-commit-checker\",\"type\":\"MISC\"}],\"changedValues\":[],\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"method\":\"System\",\"extraAttributes\":[{\"nameI18nKey\":\"bitbucket.service.plugin.audit.attribute.version\",\"name\":\"Version\",\"value\":\"7.18.0\"},{\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"name\":\"target\",\"value\":\"com.atlassian.bitbucket.server.bitbucket-jira-commit-checker\"}]}", - "type": "info" + "type": [ + "info" + ] }, "related": { "user": [ 
@@ -6529,7 +6707,9 @@ "action": "bitbucket.service.plugin.audit.action.pluginenabled", "kind": "event", "original": "{\"timestamp\":\"2021-11-27T17:29:18.770Z\",\"author\":{\"name\":\"System\",\"type\":\"system\",\"id\":\"-1\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"bitbucket.service.audit.category.apps\",\"category\":\"Apps\",\"actionI18nKey\":\"bitbucket.service.plugin.audit.action.pluginenabled\",\"action\":\"Plugin enabled\"},\"affectedObjects\":[{\"name\":\"com.atlassian.bitbucket.server.bitbucket-instance-migration\",\"type\":\"MISC\"}],\"changedValues\":[],\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"method\":\"System\",\"extraAttributes\":[{\"nameI18nKey\":\"bitbucket.service.plugin.audit.attribute.version\",\"name\":\"Version\",\"value\":\"1.0\"},{\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"name\":\"target\",\"value\":\"com.atlassian.bitbucket.server.bitbucket-instance-migration\"}]}", - "type": "info" + "type": [ + "info" + ] }, "related": { "user": [ 
@@ -6582,7 +6762,9 @@ "action": "bitbucket.service.plugin.audit.action.pluginenabled", "kind": "event", "original": "{\"timestamp\":\"2021-11-27T17:29:18.764Z\",\"author\":{\"name\":\"System\",\"type\":\"system\",\"id\":\"-1\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"bitbucket.service.audit.category.apps\",\"category\":\"Apps\",\"actionI18nKey\":\"bitbucket.service.plugin.audit.action.pluginenabled\",\"action\":\"Plugin enabled\"},\"affectedObjects\":[{\"name\":\"com.atlassian.bitbucket.server.bitbucket-importer\",\"type\":\"MISC\"}],\"changedValues\":[],\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"method\":\"System\",\"extraAttributes\":[{\"nameI18nKey\":\"bitbucket.service.plugin.audit.attribute.version\",\"name\":\"Version\",\"value\":\"7.18.0\"},{\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"name\":\"target\",\"value\":\"com.atlassian.bitbucket.server.bitbucket-importer\"}]}", - "type": "info" + "type": [ + "info" + ] }, "related": { "user": [ @@ -6635,7 +6817,9 @@ "action": "bitbucket.service.plugin.audit.action.pluginenabled", "kind": "event", "original": "{\"timestamp\":\"2021-11-27T17:29:18.134Z\",\"author\":{\"name\":\"System\",\"type\":\"system\",\"id\":\"-1\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"bitbucket.service.audit.category.apps\",\"category\":\"Apps\",\"actionI18nKey\":\"bitbucket.service.plugin.audit.action.pluginenabled\",\"action\":\"Plugin enabled\"},\"affectedObjects\":[{\"name\":\"com.atlassian.bitbucket.server.bitbucket-i18n\",\"type\":\"MISC\"}],\"changedValues\":[],\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"method\":\"System\",\"extraAttributes\":[{\"nameI18nKey\":\"bitbucket.service.plugin.audit.attribute.version\",\"name\":\"Version\",\"value\":\"1.0\"},{\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"name\":\"target\",\"value\":\"com.atlassian.bitbucket.server.bitbucket-i18n\"}]}", - "type": "info" + "type": [ + "info" + ] }, "related": { "user": [ 
@@ -6688,7 +6872,9 @@ "action": "bitbucket.service.plugin.audit.action.pluginenabled", "kind": "event", "original": "{\"timestamp\":\"2021-11-27T17:29:17.595Z\",\"author\":{\"name\":\"System\",\"type\":\"system\",\"id\":\"-1\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"bitbucket.service.audit.category.apps\",\"category\":\"Apps\",\"actionI18nKey\":\"bitbucket.service.plugin.audit.action.pluginenabled\",\"action\":\"Plugin enabled\"},\"affectedObjects\":[{\"name\":\"com.atlassian.bitbucket.server.bitbucket-http-scm-protocol\",\"type\":\"MISC\"}],\"changedValues\":[],\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"method\":\"System\",\"extraAttributes\":[{\"nameI18nKey\":\"bitbucket.service.plugin.audit.attribute.version\",\"name\":\"Version\",\"value\":\"0.0\"},{\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"name\":\"target\",\"value\":\"com.atlassian.bitbucket.server.bitbucket-http-scm-protocol\"}]}", - "type": "info" + "type": [ + "info" + ] }, "related": { "user": [ 
@@ -6741,7 +6927,9 @@ "action": "bitbucket.service.plugin.audit.action.pluginenabled", "kind": "event", "original": "{\"timestamp\":\"2021-11-27T17:29:17.589Z\",\"author\":{\"name\":\"System\",\"type\":\"system\",\"id\":\"-1\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"bitbucket.service.audit.category.apps\",\"category\":\"Apps\",\"actionI18nKey\":\"bitbucket.service.plugin.audit.action.pluginenabled\",\"action\":\"Plugin enabled\"},\"affectedObjects\":[{\"name\":\"com.atlassian.bitbucket.server.bitbucket-highlight\",\"type\":\"MISC\"}],\"changedValues\":[],\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"method\":\"System\",\"extraAttributes\":[{\"nameI18nKey\":\"bitbucket.service.plugin.audit.attribute.version\",\"name\":\"Version\",\"value\":\"1.0\"},{\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"name\":\"target\",\"value\":\"com.atlassian.bitbucket.server.bitbucket-highlight\"}]}", - "type": "info" + "type": [ + "info" + ] }, "related": { "user": [ @@ -6794,7 +6982,9 @@ "action": "bitbucket.service.plugin.audit.action.pluginenabled", "kind": "event", "original": "{\"timestamp\":\"2021-11-27T17:29:12.439Z\",\"author\":{\"name\":\"System\",\"type\":\"system\",\"id\":\"-1\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"bitbucket.service.audit.category.apps\",\"category\":\"Apps\",\"actionI18nKey\":\"bitbucket.service.plugin.audit.action.pluginenabled\",\"action\":\"Plugin enabled\"},\"affectedObjects\":[{\"name\":\"com.atlassian.bitbucket.server.bitbucket-gpg\",\"type\":\"MISC\"}],\"changedValues\":[],\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"method\":\"System\",\"extraAttributes\":[{\"nameI18nKey\":\"bitbucket.service.plugin.audit.attribute.version\",\"name\":\"Version\",\"value\":\"7.18.0\"},{\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"name\":\"target\",\"value\":\"com.atlassian.bitbucket.server.bitbucket-gpg\"}]}", - "type": "info" + "type": [ + "info" + ] }, "related": { "user": [ 
@@ -6847,7 +7037,9 @@ "action": "bitbucket.service.plugin.audit.action.pluginenabled", "kind": "event", "original": "{\"timestamp\":\"2021-11-27T17:29:12.421Z\",\"author\":{\"name\":\"System\",\"type\":\"system\",\"id\":\"-1\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"bitbucket.service.audit.category.apps\",\"category\":\"Apps\",\"actionI18nKey\":\"bitbucket.service.plugin.audit.action.pluginenabled\",\"action\":\"Plugin enabled\"},\"affectedObjects\":[{\"name\":\"com.atlassian.bitbucket.server.bitbucket-git-rest\",\"type\":\"MISC\"}],\"changedValues\":[],\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"method\":\"System\",\"extraAttributes\":[{\"nameI18nKey\":\"bitbucket.service.plugin.audit.attribute.version\",\"name\":\"Version\",\"value\":\"7.18.0\"},{\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"name\":\"target\",\"value\":\"com.atlassian.bitbucket.server.bitbucket-git-rest\"}]}", - "type": "info" + "type": [ + "info" + ] }, "related": { "user": [ @@ -6900,7 +7092,9 @@ "action": "bitbucket.service.plugin.audit.action.pluginenabled", "kind": "event", "original": "{\"timestamp\":\"2021-11-27T17:29:12.393Z\",\"author\":{\"name\":\"System\",\"type\":\"system\",\"id\":\"-1\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"bitbucket.service.audit.category.apps\",\"category\":\"Apps\",\"actionI18nKey\":\"bitbucket.service.plugin.audit.action.pluginenabled\",\"action\":\"Plugin enabled\"},\"affectedObjects\":[{\"name\":\"com.atlassian.bitbucket.server.bitbucket-git-lfs\",\"type\":\"MISC\"}],\"changedValues\":[],\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"method\":\"System\",\"extraAttributes\":[{\"nameI18nKey\":\"bitbucket.service.plugin.audit.attribute.version\",\"name\":\"Version\",\"value\":\"7.18.0\"},{\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"name\":\"target\",\"value\":\"com.atlassian.bitbucket.server.bitbucket-git-lfs\"}]}", - "type": "info" + "type": [ + "info" + ] }, "related": { "user": [ 
@@ -6953,7 +7147,9 @@ "action": "bitbucket.service.plugin.audit.action.pluginenabled", "kind": "event", "original": "{\"timestamp\":\"2021-11-27T17:29:12.364Z\",\"author\":{\"name\":\"System\",\"type\":\"system\",\"id\":\"-1\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"bitbucket.service.audit.category.apps\",\"category\":\"Apps\",\"actionI18nKey\":\"bitbucket.service.plugin.audit.action.pluginenabled\",\"action\":\"Plugin enabled\"},\"affectedObjects\":[{\"name\":\"com.atlassian.httpclient.atlassian-httpclient-plugin\",\"type\":\"MISC\"}],\"changedValues\":[],\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"method\":\"System\",\"extraAttributes\":[{\"nameI18nKey\":\"bitbucket.service.plugin.audit.attribute.version\",\"name\":\"Version\",\"value\":\"2.2.0\"},{\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"name\":\"target\",\"value\":\"com.atlassian.httpclient.atlassian-httpclient-plugin\"}]}", - "type": "info" + "type": [ + "info" + ] }, "related": { "user": [ @@ -7006,7 +7202,9 @@ "action": "bitbucket.service.plugin.audit.action.pluginenabled", "kind": "event", "original": "{\"timestamp\":\"2021-11-27T17:29:12.363Z\",\"author\":{\"name\":\"System\",\"type\":\"system\",\"id\":\"-1\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"bitbucket.service.audit.category.apps\",\"category\":\"Apps\",\"actionI18nKey\":\"bitbucket.service.plugin.audit.action.pluginenabled\",\"action\":\"Plugin enabled\"},\"affectedObjects\":[{\"name\":\"com.atlassian.bitbucket.server.bitbucket-git\",\"type\":\"MISC\"}],\"changedValues\":[],\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"method\":\"System\",\"extraAttributes\":[{\"nameI18nKey\":\"bitbucket.service.plugin.audit.attribute.version\",\"name\":\"Version\",\"value\":\"7.18.0\"},{\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"name\":\"target\",\"value\":\"com.atlassian.bitbucket.server.bitbucket-git\"}]}", - "type": "info" + "type": [ + "info" + ] }, "related": { "user": [ 
@@ -7059,7 +7257,9 @@ "action": "bitbucket.service.plugin.audit.action.pluginenabled", "kind": "event", "original": "{\"timestamp\":\"2021-11-27T17:29:11.242Z\",\"author\":{\"name\":\"System\",\"type\":\"system\",\"id\":\"-1\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"bitbucket.service.audit.category.apps\",\"category\":\"Apps\",\"actionI18nKey\":\"bitbucket.service.plugin.audit.action.pluginenabled\",\"action\":\"Plugin enabled\"},\"affectedObjects\":[{\"name\":\"com.atlassian.bitbucket.server.bitbucket-frontend\",\"type\":\"MISC\"}],\"changedValues\":[],\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"method\":\"System\",\"extraAttributes\":[{\"nameI18nKey\":\"bitbucket.service.plugin.audit.attribute.version\",\"name\":\"Version\",\"value\":\"7.18.0\"},{\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"name\":\"target\",\"value\":\"com.atlassian.bitbucket.server.bitbucket-frontend\"}]}", - "type": "info" + "type": [ + "info" + ] }, "related": { "user": [ @@ -7112,7 +7312,9 @@ "action": "bitbucket.service.plugin.audit.action.pluginenabled", "kind": "event", "original": "{\"timestamp\":\"2021-11-27T17:29:11.102Z\",\"author\":{\"name\":\"System\",\"type\":\"system\",\"id\":\"-1\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"bitbucket.service.audit.category.apps\",\"category\":\"Apps\",\"actionI18nKey\":\"bitbucket.service.plugin.audit.action.pluginenabled\",\"action\":\"Plugin enabled\"},\"affectedObjects\":[{\"name\":\"com.atlassian.bitbucket.server.bitbucket-jira\",\"type\":\"MISC\"}],\"changedValues\":[],\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"method\":\"System\",\"extraAttributes\":[{\"nameI18nKey\":\"bitbucket.service.plugin.audit.attribute.version\",\"name\":\"Version\",\"value\":\"7.18.0\"},{\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"name\":\"target\",\"value\":\"com.atlassian.bitbucket.server.bitbucket-jira\"}]}", - "type": "info" + "type": [ + "info" + ] }, "related": { "user": [ 
@@ -7165,7 +7367,9 @@ "action": "bitbucket.service.plugin.audit.action.pluginenabled", "kind": "event", "original": "{\"timestamp\":\"2021-11-27T17:29:11.019Z\",\"author\":{\"name\":\"System\",\"type\":\"system\",\"id\":\"-1\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"bitbucket.service.audit.category.apps\",\"category\":\"Apps\",\"actionI18nKey\":\"bitbucket.service.plugin.audit.action.pluginenabled\",\"action\":\"Plugin enabled\"},\"affectedObjects\":[{\"name\":\"com.atlassian.bitbucket.server.bitbucket-deployments\",\"type\":\"MISC\"}],\"changedValues\":[],\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"method\":\"System\",\"extraAttributes\":[{\"nameI18nKey\":\"bitbucket.service.plugin.audit.attribute.version\",\"name\":\"Version\",\"value\":\"7.18.0\"},{\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"name\":\"target\",\"value\":\"com.atlassian.bitbucket.server.bitbucket-deployments\"}]}", - "type": "info" + "type": [ + "info" + ] }, "related": { "user": [ 
@@ -7218,7 +7422,9 @@
 "action": "bitbucket.service.plugin.audit.action.pluginenabled",
 "kind": "event",
 "original": "{\"timestamp\":\"2021-11-27T17:29:10.955Z\",\"author\":{\"name\":\"System\",\"type\":\"system\",\"id\":\"-1\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"bitbucket.service.audit.category.apps\",\"category\":\"Apps\",\"actionI18nKey\":\"bitbucket.service.plugin.audit.action.pluginenabled\",\"action\":\"Plugin enabled\"},\"affectedObjects\":[{\"name\":\"com.atlassian.bitbucket.server.bitbucket-default-reviewers\",\"type\":\"MISC\"}],\"changedValues\":[],\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"method\":\"System\",\"extraAttributes\":[{\"nameI18nKey\":\"bitbucket.service.plugin.audit.attribute.version\",\"name\":\"Version\",\"value\":\"7.18.0\"},{\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"name\":\"target\",\"value\":\"com.atlassian.bitbucket.server.bitbucket-default-reviewers\"}]}",
- "type": "info"
+ "type": [
+ "info"
+ ]
 },
 "related": {
 "user": [
@@ -7271,7 +7477,9 @@
 "action": "bitbucket.service.plugin.audit.action.pluginenabled",
 "kind": "event",
 "original": "{\"timestamp\":\"2021-11-27T17:29:10.661Z\",\"author\":{\"name\":\"System\",\"type\":\"system\",\"id\":\"-1\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"bitbucket.service.audit.category.apps\",\"category\":\"Apps\",\"actionI18nKey\":\"bitbucket.service.plugin.audit.action.pluginenabled\",\"action\":\"Plugin enabled\"},\"affectedObjects\":[{\"name\":\"com.atlassian.bitbucket.server.bitbucket-crowd-sso\",\"type\":\"MISC\"}],\"changedValues\":[],\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"method\":\"System\",\"extraAttributes\":[{\"nameI18nKey\":\"bitbucket.service.plugin.audit.attribute.version\",\"name\":\"Version\",\"value\":\"7.18.0\"},{\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"name\":\"target\",\"value\":\"com.atlassian.bitbucket.server.bitbucket-crowd-sso\"}]}",
- "type": "info"
+ "type": [
+ "info"
+ ]
 },
 "related": {
 "user": [
@@ -7324,7 +7532,9 @@
 "action": "bitbucket.service.plugin.audit.action.pluginenabled",
 "kind": "event",
 "original": "{\"timestamp\":\"2021-11-27T17:29:10.658Z\",\"author\":{\"name\":\"System\",\"type\":\"system\",\"id\":\"-1\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"bitbucket.service.audit.category.apps\",\"category\":\"Apps\",\"actionI18nKey\":\"bitbucket.service.plugin.audit.action.pluginenabled\",\"action\":\"Plugin enabled\"},\"affectedObjects\":[{\"name\":\"com.atlassian.bitbucket.server.bitbucket-crowd-spi\",\"type\":\"MISC\"}],\"changedValues\":[],\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"method\":\"System\",\"extraAttributes\":[{\"nameI18nKey\":\"bitbucket.service.plugin.audit.attribute.version\",\"name\":\"Version\",\"value\":\"7.18.0\"},{\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"name\":\"target\",\"value\":\"com.atlassian.bitbucket.server.bitbucket-crowd-spi\"}]}",
- "type": "info"
+ "type": [
+ "info"
+ ]
 },
 "related": {
 "user": [
@@ -7377,7 +7587,9 @@
 "action": "bitbucket.service.plugin.audit.action.pluginenabled",
 "kind": "event",
 "original": "{\"timestamp\":\"2021-11-27T17:29:10.656Z\",\"author\":{\"name\":\"System\",\"type\":\"system\",\"id\":\"-1\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"bitbucket.service.audit.category.apps\",\"category\":\"Apps\",\"actionI18nKey\":\"bitbucket.service.plugin.audit.action.pluginenabled\",\"action\":\"Plugin enabled\"},\"affectedObjects\":[{\"name\":\"com.atlassian.bitbucket.server.bitbucket-contributing-guidelines\",\"type\":\"MISC\"}],\"changedValues\":[],\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"method\":\"System\",\"extraAttributes\":[{\"nameI18nKey\":\"bitbucket.service.plugin.audit.attribute.version\",\"name\":\"Version\",\"value\":\"7.18.0\"},{\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"name\":\"target\",\"value\":\"com.atlassian.bitbucket.server.bitbucket-contributing-guidelines\"}]}",
- "type": "info"
+ "type": [
+ "info"
+ ]
 },
 "related": {
 "user": [
@@ -7430,7 +7642,9 @@
 "action": "bitbucket.service.plugin.audit.action.pluginenabled",
 "kind": "event",
 "original": "{\"timestamp\":\"2021-11-27T17:29:10.644Z\",\"author\":{\"name\":\"System\",\"type\":\"system\",\"id\":\"-1\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"bitbucket.service.audit.category.apps\",\"category\":\"Apps\",\"actionI18nKey\":\"bitbucket.service.plugin.audit.action.pluginenabled\",\"action\":\"Plugin enabled\"},\"affectedObjects\":[{\"name\":\"com.atlassian.bitbucket.server.bitbucket-connect-support\",\"type\":\"MISC\"}],\"changedValues\":[],\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"method\":\"System\",\"extraAttributes\":[{\"nameI18nKey\":\"bitbucket.service.plugin.audit.attribute.version\",\"name\":\"Version\",\"value\":\"7.18.0\"},{\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"name\":\"target\",\"value\":\"com.atlassian.bitbucket.server.bitbucket-connect-support\"}]}",
- "type": "info"
+ "type": [
+ "info"
+ ]
 },
 "related": {
 "user": [
@@ -7483,7 +7697,9 @@
 "action": "bitbucket.service.plugin.audit.action.pluginenabled",
 "kind": "event",
 "original": "{\"timestamp\":\"2021-11-27T17:29:10.643Z\",\"author\":{\"name\":\"System\",\"type\":\"system\",\"id\":\"-1\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"bitbucket.service.audit.category.apps\",\"category\":\"Apps\",\"actionI18nKey\":\"bitbucket.service.plugin.audit.action.pluginenabled\",\"action\":\"Plugin enabled\"},\"affectedObjects\":[{\"name\":\"com.atlassian.jwt.jwt-plugin\",\"type\":\"MISC\"}],\"changedValues\":[],\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"method\":\"System\",\"extraAttributes\":[{\"nameI18nKey\":\"bitbucket.service.plugin.audit.attribute.version\",\"name\":\"Version\",\"value\":\"3.2.0\"},{\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"name\":\"target\",\"value\":\"com.atlassian.jwt.jwt-plugin\"}]}",
- "type": "info"
+ "type": [
+ "info"
+ ]
 },
 "related": {
 "user": [
@@ -7536,7 +7752,9 @@
 "action": "bitbucket.service.plugin.audit.action.pluginenabled",
 "kind": "event",
 "original": "{\"timestamp\":\"2021-11-27T17:29:10.560Z\",\"author\":{\"name\":\"System\",\"type\":\"system\",\"id\":\"-1\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"bitbucket.service.audit.category.apps\",\"category\":\"Apps\",\"actionI18nKey\":\"bitbucket.service.plugin.audit.action.pluginenabled\",\"action\":\"Plugin enabled\"},\"affectedObjects\":[{\"name\":\"com.atlassian.bitbucket.server.bitbucket-compare\",\"type\":\"MISC\"}],\"changedValues\":[],\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"method\":\"System\",\"extraAttributes\":[{\"nameI18nKey\":\"bitbucket.service.plugin.audit.attribute.version\",\"name\":\"Version\",\"value\":\"1.0\"},{\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"name\":\"target\",\"value\":\"com.atlassian.bitbucket.server.bitbucket-compare\"}]}",
- "type": "info"
+ "type": [
+ "info"
+ ]
 },
 "related": {
 "user": [
@@ -7589,7 +7807,9 @@
 "action": "bitbucket.service.plugin.audit.action.pluginenabled",
 "kind": "event",
 "original": "{\"timestamp\":\"2021-11-27T17:29:09.996Z\",\"author\":{\"name\":\"System\",\"type\":\"system\",\"id\":\"-1\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"bitbucket.service.audit.category.apps\",\"category\":\"Apps\",\"actionI18nKey\":\"bitbucket.service.plugin.audit.action.pluginenabled\",\"action\":\"Plugin enabled\"},\"affectedObjects\":[{\"name\":\"com.atlassian.bitbucket.server.bitbucket-comment-properties\",\"type\":\"MISC\"}],\"changedValues\":[],\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"method\":\"System\",\"extraAttributes\":[{\"nameI18nKey\":\"bitbucket.service.plugin.audit.attribute.version\",\"name\":\"Version\",\"value\":\"0.0\"},{\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"name\":\"target\",\"value\":\"com.atlassian.bitbucket.server.bitbucket-comment-properties\"}]}",
- "type": "info"
+ "type": [
+ "info"
+ ]
 },
 "related": {
 "user": [
@@ -7642,7 +7862,9 @@
 "action": "bitbucket.service.plugin.audit.action.pluginenabled",
 "kind": "event",
 "original": "{\"timestamp\":\"2021-11-27T17:29:09.992Z\",\"author\":{\"name\":\"System\",\"type\":\"system\",\"id\":\"-1\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"bitbucket.service.audit.category.apps\",\"category\":\"Apps\",\"actionI18nKey\":\"bitbucket.service.plugin.audit.action.pluginenabled\",\"action\":\"Plugin enabled\"},\"affectedObjects\":[{\"name\":\"com.atlassian.bitbucket.server.bitbucket-comment-likes\",\"type\":\"MISC\"}],\"changedValues\":[],\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"method\":\"System\",\"extraAttributes\":[{\"nameI18nKey\":\"bitbucket.service.plugin.audit.attribute.version\",\"name\":\"Version\",\"value\":\"7.18.0\"},{\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"name\":\"target\",\"value\":\"com.atlassian.bitbucket.server.bitbucket-comment-likes\"}]}",
- "type": "info"
+ "type": [
+ "info"
+ ]
 },
 "related": {
 "user": [
@@ -7695,7 +7917,9 @@
 "action": "bitbucket.service.plugin.audit.action.pluginenabled",
 "kind": "event",
 "original": "{\"timestamp\":\"2021-11-27T17:29:09.967Z\",\"author\":{\"name\":\"System\",\"type\":\"system\",\"id\":\"-1\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"bitbucket.service.audit.category.apps\",\"category\":\"Apps\",\"actionI18nKey\":\"bitbucket.service.plugin.audit.action.pluginenabled\",\"action\":\"Plugin enabled\"},\"affectedObjects\":[{\"name\":\"com.atlassian.bitbucket.server.bitbucket-emoticons\",\"type\":\"MISC\"}],\"changedValues\":[],\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"method\":\"System\",\"extraAttributes\":[{\"nameI18nKey\":\"bitbucket.service.plugin.audit.attribute.version\",\"name\":\"Version\",\"value\":\"7.18.0\"},{\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"name\":\"target\",\"value\":\"com.atlassian.bitbucket.server.bitbucket-emoticons\"}]}",
- "type": "info"
+ "type": [
+ "info"
+ ]
 },
 "related": {
 "user": [
@@ -7748,7 +7972,9 @@
 "action": "bitbucket.service.plugin.audit.action.pluginenabled",
 "kind": "event",
 "original": "{\"timestamp\":\"2021-11-27T17:29:09.825Z\",\"author\":{\"name\":\"System\",\"type\":\"system\",\"id\":\"-1\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"bitbucket.service.audit.category.apps\",\"category\":\"Apps\",\"actionI18nKey\":\"bitbucket.service.plugin.audit.action.pluginenabled\",\"action\":\"Plugin enabled\"},\"affectedObjects\":[{\"name\":\"com.atlassian.bitbucket.server.bitbucket-code-insights\",\"type\":\"MISC\"}],\"changedValues\":[],\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"method\":\"System\",\"extraAttributes\":[{\"nameI18nKey\":\"bitbucket.service.plugin.audit.attribute.version\",\"name\":\"Version\",\"value\":\"7.18.0\"},{\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"name\":\"target\",\"value\":\"com.atlassian.bitbucket.server.bitbucket-code-insights\"}]}",
- "type": "info"
+ "type": [
+ "info"
+ ]
 },
 "related": {
 "user": [
@@ -7801,7 +8027,9 @@
 "action": "bitbucket.service.plugin.audit.action.pluginenabled",
 "kind": "event",
 "original": "{\"timestamp\":\"2021-11-27T17:29:09.800Z\",\"author\":{\"name\":\"System\",\"type\":\"system\",\"id\":\"-1\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"bitbucket.service.audit.category.apps\",\"category\":\"Apps\",\"actionI18nKey\":\"bitbucket.service.plugin.audit.action.pluginenabled\",\"action\":\"Plugin enabled\"},\"affectedObjects\":[{\"name\":\"com.atlassian.bitbucket.server.bitbucket-cluster-info\",\"type\":\"MISC\"}],\"changedValues\":[],\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"method\":\"System\",\"extraAttributes\":[{\"nameI18nKey\":\"bitbucket.service.plugin.audit.attribute.version\",\"name\":\"Version\",\"value\":\"7.18.0\"},{\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"name\":\"target\",\"value\":\"com.atlassian.bitbucket.server.bitbucket-cluster-info\"}]}",
- "type": "info"
+ "type": [
+ "info"
+ ]
 },
 "related": {
 "user": [
@@ -7854,7 +8082,9 @@
 "action": "bitbucket.service.plugin.audit.action.pluginenabled",
 "kind": "event",
 "original": "{\"timestamp\":\"2021-11-27T17:29:09.796Z\",\"author\":{\"name\":\"System\",\"type\":\"system\",\"id\":\"-1\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"bitbucket.service.audit.category.apps\",\"category\":\"Apps\",\"actionI18nKey\":\"bitbucket.service.plugin.audit.action.pluginenabled\",\"action\":\"Plugin enabled\"},\"affectedObjects\":[{\"name\":\"com.atlassian.bitbucket.server.bitbucket-client-web-fragments\",\"type\":\"MISC\"}],\"changedValues\":[],\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"method\":\"System\",\"extraAttributes\":[{\"nameI18nKey\":\"bitbucket.service.plugin.audit.attribute.version\",\"name\":\"Version\",\"value\":\"0.0\"},{\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"name\":\"target\",\"value\":\"com.atlassian.bitbucket.server.bitbucket-client-web-fragments\"}]}",
- "type": "info"
+ "type": [
+ "info"
+ ]
 },
 "related": {
 "user": [
@@ -7907,7 +8137,9 @@
 "action": "bitbucket.service.plugin.audit.action.pluginenabled",
 "kind": "event",
 "original": "{\"timestamp\":\"2021-11-27T17:29:09.732Z\",\"author\":{\"name\":\"System\",\"type\":\"system\",\"id\":\"-1\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"bitbucket.service.audit.category.apps\",\"category\":\"Apps\",\"actionI18nKey\":\"bitbucket.service.plugin.audit.action.pluginenabled\",\"action\":\"Plugin enabled\"},\"affectedObjects\":[{\"name\":\"com.atlassian.bitbucket.server.bitbucket-bundled-hooks\",\"type\":\"MISC\"}],\"changedValues\":[],\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"method\":\"System\",\"extraAttributes\":[{\"nameI18nKey\":\"bitbucket.service.plugin.audit.attribute.version\",\"name\":\"Version\",\"value\":\"7.18.0\"},{\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"name\":\"target\",\"value\":\"com.atlassian.bitbucket.server.bitbucket-bundled-hooks\"}]}",
- "type": "info"
+ "type": [
+ "info"
+ ]
 },
 "related": {
 "user": [
@@ -7960,7 +8192,9 @@
 "action": "bitbucket.service.plugin.audit.action.pluginenabled",
 "kind": "event",
 "original": "{\"timestamp\":\"2021-11-27T17:29:09.340Z\",\"author\":{\"name\":\"System\",\"type\":\"system\",\"id\":\"-1\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"bitbucket.service.audit.category.apps\",\"category\":\"Apps\",\"actionI18nKey\":\"bitbucket.service.plugin.audit.action.pluginenabled\",\"action\":\"Plugin enabled\"},\"affectedObjects\":[{\"name\":\"com.atlassian.bitbucket.server.bitbucket-build-jenkins\",\"type\":\"MISC\"}],\"changedValues\":[],\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"method\":\"System\",\"extraAttributes\":[{\"nameI18nKey\":\"bitbucket.service.plugin.audit.attribute.version\",\"name\":\"Version\",\"value\":\"7.18.0\"},{\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"name\":\"target\",\"value\":\"com.atlassian.bitbucket.server.bitbucket-build-jenkins\"}]}",
- "type": "info"
+ "type": [
+ "info"
+ ]
 },
 "related": {
 "user": [
@@ -8013,7 +8247,9 @@
 "action": "bitbucket.service.plugin.audit.action.pluginenabled",
 "kind": "event",
 "original": "{\"timestamp\":\"2021-11-27T17:29:09.068Z\",\"author\":{\"name\":\"System\",\"type\":\"system\",\"id\":\"-1\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"bitbucket.service.audit.category.apps\",\"category\":\"Apps\",\"actionI18nKey\":\"bitbucket.service.plugin.audit.action.pluginenabled\",\"action\":\"Plugin enabled\"},\"affectedObjects\":[{\"name\":\"com.atlassian.bitbucket.server.bitbucket-build-feature\",\"type\":\"MISC\"}],\"changedValues\":[],\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"method\":\"System\",\"extraAttributes\":[{\"nameI18nKey\":\"bitbucket.service.plugin.audit.attribute.version\",\"name\":\"Version\",\"value\":\"7.18.0\"},{\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"name\":\"target\",\"value\":\"com.atlassian.bitbucket.server.bitbucket-build-feature\"}]}",
- "type": "info"
+ "type": [
+ "info"
+ ]
 },
 "related": {
 "user": [
@@ -8066,7 +8302,9 @@
 "action": "bitbucket.service.plugin.audit.action.pluginenabled",
 "kind": "event",
 "original": "{\"timestamp\":\"2021-11-27T17:29:09.008Z\",\"author\":{\"name\":\"System\",\"type\":\"system\",\"id\":\"-1\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"bitbucket.service.audit.category.apps\",\"category\":\"Apps\",\"actionI18nKey\":\"bitbucket.service.plugin.audit.action.pluginenabled\",\"action\":\"Plugin enabled\"},\"affectedObjects\":[{\"name\":\"com.atlassian.bitbucket.server.bitbucket-build-bamboo\",\"type\":\"MISC\"}],\"changedValues\":[],\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"method\":\"System\",\"extraAttributes\":[{\"nameI18nKey\":\"bitbucket.service.plugin.audit.attribute.version\",\"name\":\"Version\",\"value\":\"7.18.0\"},{\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"name\":\"target\",\"value\":\"com.atlassian.bitbucket.server.bitbucket-build-bamboo\"}]}",
- "type": "info"
+ "type": [
+ "info"
+ ]
 },
 "related": {
 "user": [
@@ -8119,7 +8357,9 @@
 "action": "bitbucket.service.plugin.audit.action.pluginenabled",
 "kind": "event",
 "original": "{\"timestamp\":\"2021-11-27T17:29:08.877Z\",\"author\":{\"name\":\"System\",\"type\":\"system\",\"id\":\"-1\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"bitbucket.service.audit.category.apps\",\"category\":\"Apps\",\"actionI18nKey\":\"bitbucket.service.plugin.audit.action.pluginenabled\",\"action\":\"Plugin enabled\"},\"affectedObjects\":[{\"name\":\"com.atlassian.bitbucket.server.bitbucket-build\",\"type\":\"MISC\"}],\"changedValues\":[],\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"method\":\"System\",\"extraAttributes\":[{\"nameI18nKey\":\"bitbucket.service.plugin.audit.attribute.version\",\"name\":\"Version\",\"value\":\"7.18.0\"},{\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"name\":\"target\",\"value\":\"com.atlassian.bitbucket.server.bitbucket-build\"}]}",
- "type": "info"
+ "type": [
+ "info"
+ ]
 },
 "related": {
 "user": [
@@ -8172,7 +8412,9 @@
 "action": "bitbucket.service.plugin.audit.action.pluginenabled",
 "kind": "event",
 "original": "{\"timestamp\":\"2021-11-27T17:29:08.836Z\",\"author\":{\"name\":\"System\",\"type\":\"system\",\"id\":\"-1\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"bitbucket.service.audit.category.apps\",\"category\":\"Apps\",\"actionI18nKey\":\"bitbucket.service.plugin.audit.action.pluginenabled\",\"action\":\"Plugin enabled\"},\"affectedObjects\":[{\"name\":\"com.atlassian.bitbucket.server.bitbucket-branch\",\"type\":\"MISC\"}],\"changedValues\":[],\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"method\":\"System\",\"extraAttributes\":[{\"nameI18nKey\":\"bitbucket.service.plugin.audit.attribute.version\",\"name\":\"Version\",\"value\":\"7.18.0\"},{\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"name\":\"target\",\"value\":\"com.atlassian.bitbucket.server.bitbucket-branch\"}]}",
- "type": "info"
+ "type": [
+ "info"
+ ]
 },
 "related": {
 "user": [
@@ -8225,7 +8467,9 @@
 "action": "bitbucket.service.plugin.audit.action.pluginenabled",
 "kind": "event",
 "original": "{\"timestamp\":\"2021-11-27T17:29:08.642Z\",\"author\":{\"name\":\"System\",\"type\":\"system\",\"id\":\"-1\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"bitbucket.service.audit.category.apps\",\"category\":\"Apps\",\"actionI18nKey\":\"bitbucket.service.plugin.audit.action.pluginenabled\",\"action\":\"Plugin enabled\"},\"affectedObjects\":[{\"name\":\"com.atlassian.integration.jira.jira-integration-plugin\",\"type\":\"MISC\"}],\"changedValues\":[],\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"method\":\"System\",\"extraAttributes\":[{\"nameI18nKey\":\"bitbucket.service.plugin.audit.attribute.version\",\"name\":\"Version\",\"value\":\"8.0.2\"},{\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"name\":\"target\",\"value\":\"com.atlassian.integration.jira.jira-integration-plugin\"}]}",
- "type": "info"
+ "type": [
+ "info"
+ ]
 },
 "related": {
 "user": [
@@ -8278,7 +8522,9 @@
 "action": "bitbucket.service.plugin.audit.action.pluginenabled",
 "kind": "event",
 "original": "{\"timestamp\":\"2021-11-27T17:29:08.597Z\",\"author\":{\"name\":\"System\",\"type\":\"system\",\"id\":\"-1\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"bitbucket.service.audit.category.apps\",\"category\":\"Apps\",\"actionI18nKey\":\"bitbucket.service.plugin.audit.action.pluginenabled\",\"action\":\"Plugin enabled\"},\"affectedObjects\":[{\"name\":\"com.atlassian.bitbucket.server.bitbucket-ref-restriction\",\"type\":\"MISC\"}],\"changedValues\":[],\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"method\":\"System\",\"extraAttributes\":[{\"nameI18nKey\":\"bitbucket.service.plugin.audit.attribute.version\",\"name\":\"Version\",\"value\":\"7.18.0\"},{\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"name\":\"target\",\"value\":\"com.atlassian.bitbucket.server.bitbucket-ref-restriction\"}]}",
- "type": "info"
+ "type": [
+ "info"
+ ]
 },
 "related": {
 "user": [
@@ -8331,7 +8577,9 @@
 "action": "bitbucket.service.plugin.audit.action.pluginenabled",
 "kind": "event",
 "original": "{\"timestamp\":\"2021-11-27T17:29:07.438Z\",\"author\":{\"name\":\"System\",\"type\":\"system\",\"id\":\"-1\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"bitbucket.service.audit.category.apps\",\"category\":\"Apps\",\"actionI18nKey\":\"bitbucket.service.plugin.audit.action.pluginenabled\",\"action\":\"Plugin enabled\"},\"affectedObjects\":[{\"name\":\"com.atlassian.stash.ssh-plugin\",\"type\":\"MISC\"}],\"changedValues\":[],\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"method\":\"System\",\"extraAttributes\":[{\"nameI18nKey\":\"bitbucket.service.plugin.audit.attribute.version\",\"name\":\"Version\",\"value\":\"7.18.0\"},{\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"name\":\"target\",\"value\":\"com.atlassian.stash.ssh-plugin\"}]}",
- "type": "info"
+ "type": [
+ "info"
+ ]
 },
 "related": {
 "user": [
@@ -8384,7 +8632,9 @@
 "action": "bitbucket.service.plugin.audit.action.pluginenabled",
 "kind": "event",
 "original": "{\"timestamp\":\"2021-11-27T17:29:07.326Z\",\"author\":{\"name\":\"System\",\"type\":\"system\",\"id\":\"-1\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"bitbucket.service.audit.category.apps\",\"category\":\"Apps\",\"actionI18nKey\":\"bitbucket.service.plugin.audit.action.pluginenabled\",\"action\":\"Plugin enabled\"},\"affectedObjects\":[{\"name\":\"com.atlassian.bitbucket.server.bitbucket-authentication\",\"type\":\"MISC\"}],\"changedValues\":[],\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"method\":\"System\",\"extraAttributes\":[{\"nameI18nKey\":\"bitbucket.service.plugin.audit.attribute.version\",\"name\":\"Version\",\"value\":\"1.0\"},{\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"name\":\"target\",\"value\":\"com.atlassian.bitbucket.server.bitbucket-authentication\"}]}",
- "type": "info"
+ "type": [
+ "info"
+ ]
 },
 "related": {
 "user": [
@@ -8437,7 +8687,9 @@
 "action": "bitbucket.service.plugin.audit.action.pluginenabled",
 "kind": "event",
 "original": "{\"timestamp\":\"2021-11-27T17:29:07.312Z\",\"author\":{\"name\":\"System\",\"type\":\"system\",\"id\":\"-1\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"bitbucket.service.audit.category.apps\",\"category\":\"Apps\",\"actionI18nKey\":\"bitbucket.service.plugin.audit.action.pluginenabled\",\"action\":\"Plugin enabled\"},\"affectedObjects\":[{\"name\":\"com.atlassian.bitbucket.server.bitbucket-audit\",\"type\":\"MISC\"}],\"changedValues\":[],\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"method\":\"System\",\"extraAttributes\":[{\"nameI18nKey\":\"bitbucket.service.plugin.audit.attribute.version\",\"name\":\"Version\",\"value\":\"7.18.0\"},{\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"name\":\"target\",\"value\":\"com.atlassian.bitbucket.server.bitbucket-audit\"}]}",
- "type": "info"
+ "type": [
+ "info"
+ ]
 },
 "related": {
 "user": [
@@ -8490,7 +8742,9 @@
 "action": "bitbucket.service.plugin.audit.action.pluginenabled",
 "kind": "event",
 "original": "{\"timestamp\":\"2021-11-27T17:29:07.281Z\",\"author\":{\"name\":\"System\",\"type\":\"system\",\"id\":\"-1\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"bitbucket.service.audit.category.apps\",\"category\":\"Apps\",\"actionI18nKey\":\"bitbucket.service.plugin.audit.action.pluginenabled\",\"action\":\"Plugin enabled\"},\"affectedObjects\":[{\"name\":\"com.atlassian.bitbucket.server.bitbucket-announcement-banner\",\"type\":\"MISC\"}],\"changedValues\":[],\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"method\":\"System\",\"extraAttributes\":[{\"nameI18nKey\":\"bitbucket.service.plugin.audit.attribute.version\",\"name\":\"Version\",\"value\":\"1.0\"},{\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"name\":\"target\",\"value\":\"com.atlassian.bitbucket.server.bitbucket-announcement-banner\"}]}",
- "type": "info"
+ "type": [
+ "info"
+ ]
 },
 "related": {
 "user": [
@@ -8543,7 +8797,9 @@
 "action": "bitbucket.service.plugin.audit.action.pluginenabled",
 "kind": "event",
 "original": "{\"timestamp\":\"2021-11-27T17:29:05.974Z\",\"author\":{\"name\":\"System\",\"type\":\"system\",\"id\":\"-1\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"bitbucket.service.audit.category.apps\",\"category\":\"Apps\",\"actionI18nKey\":\"bitbucket.service.plugin.audit.action.pluginenabled\",\"action\":\"Plugin enabled\"},\"affectedObjects\":[{\"name\":\"com.atlassian.bitbucket.server.bitbucket-analytics-whitelist\",\"type\":\"MISC\"}],\"changedValues\":[],\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"method\":\"System\",\"extraAttributes\":[{\"nameI18nKey\":\"bitbucket.service.plugin.audit.attribute.version\",\"name\":\"Version\",\"value\":\"7.18.0\"},{\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"name\":\"target\",\"value\":\"com.atlassian.bitbucket.server.bitbucket-analytics-whitelist\"}]}",
- "type": "info"
+ "type": [
+ "info"
+ ]
 },
 "related": {
 "user": [
@@ -8596,7 +8852,9 @@
 "action": "bitbucket.service.plugin.audit.action.pluginenabled",
 "kind": "event",
 "original": "{\"timestamp\":\"2021-11-27T17:29:05.973Z\",\"author\":{\"name\":\"System\",\"type\":\"system\",\"id\":\"-1\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"bitbucket.service.audit.category.apps\",\"category\":\"Apps\",\"actionI18nKey\":\"bitbucket.service.plugin.audit.action.pluginenabled\",\"action\":\"Plugin enabled\"},\"affectedObjects\":[{\"name\":\"com.atlassian.bitbucket.server.bitbucket-access-tokens\",\"type\":\"MISC\"}],\"changedValues\":[],\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"method\":\"System\",\"extraAttributes\":[{\"nameI18nKey\":\"bitbucket.service.plugin.audit.attribute.version\",\"name\":\"Version\",\"value\":\"7.18.0\"},{\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"name\":\"target\",\"value\":\"com.atlassian.bitbucket.server.bitbucket-access-tokens\"}]}",
- "type": "info"
+ "type": [
+ "info"
+ ]
 },
 "related": {
 "user": [
@@ -8649,7 +8907,9 @@
 "action": "bitbucket.service.plugin.audit.action.pluginenabled",
 "kind": "event",
 "original": "{\"timestamp\":\"2021-11-27T17:29:05.941Z\",\"author\":{\"name\":\"System\",\"type\":\"system\",\"id\":\"-1\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"bitbucket.service.audit.category.apps\",\"category\":\"Apps\",\"actionI18nKey\":\"bitbucket.service.plugin.audit.action.pluginenabled\",\"action\":\"Plugin enabled\"},\"affectedObjects\":[{\"name\":\"com.atlassian.bitbucket.server.bitbucket-rest\",\"type\":\"MISC\"}],\"changedValues\":[],\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"method\":\"System\",\"extraAttributes\":[{\"nameI18nKey\":\"bitbucket.service.plugin.audit.attribute.version\",\"name\":\"Version\",\"value\":\"7.18.0\"},{\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"name\":\"target\",\"value\":\"com.atlassian.bitbucket.server.bitbucket-rest\"}]}",
- "type": "info"
+ "type": [
+ "info"
+ ]
 },
 "related": {
 "user": [
@@ -8702,7 +8962,9 @@
 "action": "bitbucket.service.plugin.audit.action.pluginenabled",
 "kind": "event",
 "original": "{\"timestamp\":\"2021-11-27T17:29:05.922Z\",\"author\":{\"name\":\"System\",\"type\":\"system\",\"id\":\"-1\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"bitbucket.service.audit.category.apps\",\"category\":\"Apps\",\"actionI18nKey\":\"bitbucket.service.plugin.audit.action.pluginenabled\",\"action\":\"Plugin enabled\"},\"affectedObjects\":[{\"name\":\"com.atlassian.bitbucket.server.bitbucket-webhooks\",\"type\":\"MISC\"}],\"changedValues\":[],\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"method\":\"System\",\"extraAttributes\":[{\"nameI18nKey\":\"bitbucket.service.plugin.audit.attribute.version\",\"name\":\"Version\",\"value\":\"7.18.0\"},{\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"name\":\"target\",\"value\":\"com.atlassian.bitbucket.server.bitbucket-webhooks\"}]}",
- "type": "info"
+ "type": [
+ "info"
+ ]
 },
 "related": {
 "user": [
@@ -8755,7 +9017,9 @@
 "action": "bitbucket.service.plugin.audit.action.pluginenabled",
 "kind": "event",
 "original": "{\"timestamp\":\"2021-11-27T17:29:05.893Z\",\"author\":{\"name\":\"System\",\"type\":\"system\",\"id\":\"-1\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"bitbucket.service.audit.category.apps\",\"category\":\"Apps\",\"actionI18nKey\":\"bitbucket.service.plugin.audit.action.pluginenabled\",\"action\":\"Plugin enabled\"},\"affectedObjects\":[{\"name\":\"com.atlassian.bitbucket.server.bitbucket-ao-common\",\"type\":\"MISC\"}],\"changedValues\":[],\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"method\":\"System\",\"extraAttributes\":[{\"nameI18nKey\":\"bitbucket.service.plugin.audit.attribute.version\",\"name\":\"Version\",\"value\":\"7.18.0\"},{\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"name\":\"target\",\"value\":\"com.atlassian.bitbucket.server.bitbucket-ao-common\"}]}",
- "type": "info"
+ "type": [
+ "info"
+ ]
 },
 "related": {
 "user": [
@@ -8808,7 +9072,9 @@
 "action": "bitbucket.service.plugin.audit.action.pluginenabled",
 "kind": "event",
 "original": "{\"timestamp\":\"2021-11-27T17:29:05.892Z\",\"author\":{\"name\":\"System\",\"type\":\"system\",\"id\":\"-1\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"bitbucket.service.audit.category.apps\",\"category\":\"Apps\",\"actionI18nKey\":\"bitbucket.service.plugin.audit.action.pluginenabled\",\"action\":\"Plugin enabled\"},\"affectedObjects\":[{\"name\":\"com.atlassian.auiplugin\",\"type\":\"MISC\"}],\"changedValues\":[],\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"method\":\"System\",\"extraAttributes\":[{\"nameI18nKey\":\"bitbucket.service.plugin.audit.attribute.version\",\"name\":\"Version\",\"value\":\"9.3.2\"},{\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"name\":\"target\",\"value\":\"com.atlassian.auiplugin\"}]}",
- "type": "info"
+ "type": [
+ "info"
+ ]
 },
 "related": {
 "user": [
@@ -8861,7 +9127,9 @@
 "action": "bitbucket.service.plugin.audit.action.pluginenabled",
 "kind": "event",
 "original": "{\"timestamp\":\"2021-11-27T17:29:03.203Z\",\"author\":{\"name\":\"System\",\"type\":\"system\",\"id\":\"-1\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"bitbucket.service.audit.category.apps\",\"category\":\"Apps\",\"actionI18nKey\":\"bitbucket.service.plugin.audit.action.pluginenabled\",\"action\":\"Plugin enabled\"},\"affectedObjects\":[{\"name\":\"com.atlassian.audit.atlassian-audit-plugin\",\"type\":\"MISC\"}],\"changedValues\":[],\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"method\":\"System\",\"extraAttributes\":[{\"nameI18nKey\":\"bitbucket.service.plugin.audit.attribute.version\",\"name\":\"Version\",\"value\":\"1.12.6\"},{\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"name\":\"target\",\"value\":\"com.atlassian.audit.atlassian-audit-plugin\"}]}",
- "type": "info"
+ "type": [
+ "info"
+ ]
 },
 "related": {
 "user": [
@@ -8914,7 +9182,9 @@
 "action": "bitbucket.service.plugin.audit.action.pluginenabled",
 "kind": "event",
 "original": "{\"timestamp\":\"2021-11-27T17:29:02.812Z\",\"author\":{\"name\":\"System\",\"type\":\"system\",\"id\":\"-1\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"bitbucket.service.audit.category.apps\",\"category\":\"Apps\",\"actionI18nKey\":\"bitbucket.service.plugin.audit.action.pluginenabled\",\"action\":\"Plugin enabled\"},\"affectedObjects\":[{\"name\":\"com.atlassian.atlassian-failure-cache-plugin\",\"type\":\"MISC\"}],\"changedValues\":[],\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"method\":\"System\",\"extraAttributes\":[{\"nameI18nKey\":\"bitbucket.service.plugin.audit.attribute.version\",\"name\":\"Version\",\"value\":\"2.0.0\"},{\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"name\":\"target\",\"value\":\"com.atlassian.atlassian-failure-cache-plugin\"}]}",
- "type": "info"
+ "type": [
+ "info"
+ ]
 },
 "related": {
 "user": [
@@ -8967,7 +9237,9 @@
 "action": "bitbucket.service.plugin.audit.action.pluginenabled",
 "kind": "event",
 "original": "{\"timestamp\":\"2021-11-27T17:29:02.809Z\",\"author\":{\"name\":\"System\",\"type\":\"system\",\"id\":\"-1\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"bitbucket.service.audit.category.apps\",\"category\":\"Apps\",\"actionI18nKey\":\"bitbucket.service.plugin.audit.action.pluginenabled\",\"action\":\"Plugin enabled\"},\"affectedObjects\":[{\"name\":\"com.atlassian.applinks.applinks-trustedapps-plugin\",\"type\":\"MISC\"}],\"changedValues\":[],\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"method\":\"System\",\"extraAttributes\":[{\"nameI18nKey\":\"bitbucket.service.plugin.audit.attribute.version\",\"name\":\"Version\",\"value\":\"8.0.4\"},{\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"name\":\"target\",\"value\":\"com.atlassian.applinks.applinks-trustedapps-plugin\"}]}",
- "type": "info"
+ "type": [
+ "info"
+ ]
 },
 "related": {
 "user": [
@@ -9020,7 +9292,9 @@
 "action": "bitbucket.service.plugin.audit.action.pluginenabled",
 "kind": "event",
 "original": "{\"timestamp\":\"2021-11-27T17:29:02.796Z\",\"author\":{\"name\":\"System\",\"type\":\"system\",\"id\":\"-1\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"bitbucket.service.audit.category.apps\",\"category\":\"Apps\",\"actionI18nKey\":\"bitbucket.service.plugin.audit.action.pluginenabled\",\"action\":\"Plugin enabled\"},\"affectedObjects\":[{\"name\":\"com.atlassian.applinks.applinks-oauth-plugin\",\"type\":\"MISC\"}],\"changedValues\":[],\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"method\":\"System\",\"extraAttributes\":[{\"nameI18nKey\":\"bitbucket.service.plugin.audit.attribute.version\",\"name\":\"Version\",\"value\":\"8.0.4\"},{\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"name\":\"target\",\"value\":\"com.atlassian.applinks.applinks-oauth-plugin\"}]}",
- "type": "info"
+ "type": [
+ "info"
+ ]
 },
 "related": {
 "user": [
@@ -9073,7 +9347,9 @@
 "action": "bitbucket.service.plugin.audit.action.pluginenabled",
 "kind": "event",
 "original": "{\"timestamp\":\"2021-11-27T17:29:02.529Z\",\"author\":{\"name\":\"System\",\"type\":\"system\",\"id\":\"-1\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"bitbucket.service.audit.category.apps\",\"category\":\"Apps\",\"actionI18nKey\":\"bitbucket.service.plugin.audit.action.pluginenabled\",\"action\":\"Plugin enabled\"},\"affectedObjects\":[{\"name\":\"com.atlassian.oauth.consumer.sal\",\"type\":\"MISC\"}],\"changedValues\":[],\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"method\":\"System\",\"extraAttributes\":[{\"nameI18nKey\":\"bitbucket.service.plugin.audit.attribute.version\",\"name\":\"Version\",\"value\":\"4.3.1\"},{\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"name\":\"target\",\"value\":\"com.atlassian.oauth.consumer.sal\"}]}",
- "type": "info"
+ "type": [
+ "info"
+ ]
 },
 "related": {
 "user": [
@@ -9126,7 +9402,9 @@
 "action": "bitbucket.service.plugin.audit.action.pluginenabled",
 "kind": "event",
 "original": "{\"timestamp\":\"2021-11-27T17:29:02.528Z\",\"author\":{\"name\":\"System\",\"type\":\"system\",\"id\":\"-1\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"bitbucket.service.audit.category.apps\",\"category\":\"Apps\",\"actionI18nKey\":\"bitbucket.service.plugin.audit.action.pluginenabled\",\"action\":\"Plugin enabled\"},\"affectedObjects\":[{\"name\":\"com.atlassian.applinks.applinks-cors-plugin\",\"type\":\"MISC\"}],\"changedValues\":[],\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"method\":\"System\",\"extraAttributes\":[{\"nameI18nKey\":\"bitbucket.service.plugin.audit.attribute.version\",\"name\":\"Version\",\"value\":\"8.0.4\"},{\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"name\":\"target\",\"value\":\"com.atlassian.applinks.applinks-cors-plugin\"}]}",
- "type": "info"
+ "type": [
+ "info"
+ ]
 },
 "related": {
 "user": [
@@ -9179,7 +9457,9 @@
 "action": "bitbucket.service.plugin.audit.action.pluginenabled",
 "kind": "event",
 "original": "{\"timestamp\":\"2021-11-27T17:29:02.521Z\",\"author\":{\"name\":\"System\",\"type\":\"system\",\"id\":\"-1\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"bitbucket.service.audit.category.apps\",\"category\":\"Apps\",\"actionI18nKey\":\"bitbucket.service.plugin.audit.action.pluginenabled\",\"action\":\"Plugin enabled\"},\"affectedObjects\":[{\"name\":\"com.atlassian.applinks.applinks-basicauth-plugin\",\"type\":\"MISC\"}],\"changedValues\":[],\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"method\":\"System\",\"extraAttributes\":[{\"nameI18nKey\":\"bitbucket.service.plugin.audit.attribute.version\",\"name\":\"Version\",\"value\":\"8.0.4\"},{\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"name\":\"target\",\"value\":\"com.atlassian.applinks.applinks-basicauth-plugin\"}]}",
- "type": "info"
+ "type": [
+ "info"
+ ]
 },
 "related": {
 "user": [
@@ -9232,7 +9512,9 @@
 "action": "bitbucket.service.plugin.audit.action.pluginenabled",
 "kind": "event",
 "original": "{\"timestamp\":\"2021-11-27T17:29:02.387Z\",\"author\":{\"name\":\"System\",\"type\":\"system\",\"id\":\"-1\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"bitbucket.service.audit.category.apps\",\"category\":\"Apps\",\"actionI18nKey\":\"bitbucket.service.plugin.audit.action.pluginenabled\",\"action\":\"Plugin enabled\"},\"affectedObjects\":[{\"name\":\"com.atlassian.applinks.applinks-plugin\",\"type\":\"MISC\"}],\"changedValues\":[],\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"method\":\"System\",\"extraAttributes\":[{\"nameI18nKey\":\"bitbucket.service.plugin.audit.attribute.version\",\"name\":\"Version\",\"value\":\"8.0.4\"},{\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"name\":\"target\",\"value\":\"com.atlassian.applinks.applinks-plugin\"}]}",
- "type": "info"
+ "type": [
+ "info"
+ ]
 },
 "related": {
 "user": [
@@ -9285,7 +9567,9 @@
 "action": "bitbucket.service.plugin.audit.action.pluginenabled",
 "kind": "event",
 "original": "{\"timestamp\":\"2021-11-27T17:29:02.050Z\",\"author\":{\"name\":\"System\",\"type\":\"system\",\"id\":\"-1\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"bitbucket.service.audit.category.apps\",\"category\":\"Apps\",\"actionI18nKey\":\"bitbucket.service.plugin.audit.action.pluginenabled\",\"action\":\"Plugin enabled\"},\"affectedObjects\":[{\"name\":\"com.atlassian.oauth.atlassian-oauth-service-provider-spi\",\"type\":\"MISC\"}],\"changedValues\":[],\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"method\":\"System\",\"extraAttributes\":[{\"nameI18nKey\":\"bitbucket.service.plugin.audit.attribute.version\",\"name\":\"Version\",\"value\":\"4.3.1\"},{\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"name\":\"target\",\"value\":\"com.atlassian.oauth.atlassian-oauth-service-provider-spi\"}]}",
- "type": "info"
+ "type": [
+ "info"
+ ]
 },
 "related": {
 "user": [
@@ -9338,7 +9622,9 @@
 "action": "bitbucket.service.plugin.audit.action.pluginenabled",
 "kind": "event",
 "original": "{\"timestamp\":\"2021-11-27T17:29:02.049Z\",\"author\":{\"name\":\"System\",\"type\":\"system\",\"id\":\"-1\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"bitbucket.service.audit.category.apps\",\"category\":\"Apps\",\"actionI18nKey\":\"bitbucket.service.plugin.audit.action.pluginenabled\",\"action\":\"Plugin enabled\"},\"affectedObjects\":[{\"name\":\"com.atlassian.bundles.json-20070829.0.0.1\",\"type\":\"MISC\"}],\"changedValues\":[],\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"method\":\"System\",\"extraAttributes\":[{\"nameI18nKey\":\"bitbucket.service.plugin.audit.attribute.version\",\"name\":\"Version\",\"value\":\"20070829.0.0.1\"},{\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"name\":\"target\",\"value\":\"com.atlassian.bundles.json-20070829.0.0.1\"}]}",
- "type": "info"
+ "type": [
+ "info"
+ ]
 },
 "related": {
 "user": [
@@ -9391,7 +9677,9 @@
 "action": "bitbucket.service.plugin.audit.action.pluginenabled",
 "kind": "event",
 "original": "{\"timestamp\":\"2021-11-27T17:29:02.047Z\",\"author\":{\"name\":\"System\",\"type\":\"system\",\"id\":\"-1\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"bitbucket.service.audit.category.apps\",\"category\":\"Apps\",\"actionI18nKey\":\"bitbucket.service.plugin.audit.action.pluginenabled\",\"action\":\"Plugin enabled\"},\"affectedObjects\":[{\"name\":\"com.atlassian.oauth.atlassian-oauth-consumer-spi\",\"type\":\"MISC\"}],\"changedValues\":[],\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"method\":\"System\",\"extraAttributes\":[{\"nameI18nKey\":\"bitbucket.service.plugin.audit.attribute.version\",\"name\":\"Version\",\"value\":\"4.3.1\"},{\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"name\":\"target\",\"value\":\"com.atlassian.oauth.atlassian-oauth-consumer-spi\"}]}",
- "type": "info"
+ "type": [
+ "info"
+ ]
 },
 "related": {
 "user": [
@@ -9444,7 +9732,9 @@
 "action": "bitbucket.service.plugin.audit.action.pluginenabled",
 "kind": "event",
 "original": "{\"timestamp\":\"2021-11-27T17:29:02.047Z\",\"author\":{\"name\":\"System\",\"type\":\"system\",\"id\":\"-1\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"bitbucket.service.audit.category.apps\",\"category\":\"Apps\",\"actionI18nKey\":\"bitbucket.service.plugin.audit.action.pluginenabled\",\"action\":\"Plugin enabled\"},\"affectedObjects\":[{\"name\":\"com.springsource.org.jdom-1.1.0\",\"type\":\"MISC\"}],\"changedValues\":[],\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"method\":\"System\",\"extraAttributes\":[{\"nameI18nKey\":\"bitbucket.service.plugin.audit.attribute.version\",\"name\":\"Version\",\"value\":\"1.1.0\"},{\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"name\":\"target\",\"value\":\"com.springsource.org.jdom-1.1.0\"}]}",
- "type": "info"
+ "type": [
+ "info"
+ ]
 },
 "related": {
 "user": [
@@ -9497,7 +9787,9 @@
 "action": "bitbucket.service.plugin.audit.action.pluginenabled",
 "kind": "event",
 "original": "{\"timestamp\":\"2021-11-27T17:29:02.046Z\",\"author\":{\"name\":\"System\",\"type\":\"system\",\"id\":\"-1\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"bitbucket.service.audit.category.apps\",\"category\":\"Apps\",\"actionI18nKey\":\"bitbucket.service.plugin.audit.action.pluginenabled\",\"action\":\"Plugin enabled\"},\"affectedObjects\":[{\"name\":\"com.atlassian.analytics.analytics-whitelist\",\"type\":\"MISC\"}],\"changedValues\":[],\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"method\":\"System\",\"extraAttributes\":[{\"nameI18nKey\":\"bitbucket.service.plugin.audit.attribute.version\",\"name\":\"Version\",\"value\":\"3.84\"},{\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"name\":\"target\",\"value\":\"com.atlassian.analytics.analytics-whitelist\"}]}",
- "type": "info"
+ "type": [
+ "info"
+ ]
 },
 "related": {
 "user": [
@@ -9550,7 +9842,9 @@
 "action": "bitbucket.service.plugin.audit.action.pluginenabled",
 "kind": "event",
 "original": "{\"timestamp\":\"2021-11-27T17:29:02.043Z\",\"author\":{\"name\":\"System\",\"type\":\"system\",\"id\":\"-1\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"bitbucket.service.audit.category.apps\",\"category\":\"Apps\",\"actionI18nKey\":\"bitbucket.service.plugin.audit.action.pluginenabled\",\"action\":\"Plugin enabled\"},\"affectedObjects\":[{\"name\":\"com.atlassian.analytics.analytics-client\",\"type\":\"MISC\"}],\"changedValues\":[],\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"method\":\"System\",\"extraAttributes\":[{\"nameI18nKey\":\"bitbucket.service.plugin.audit.attribute.version\",\"name\":\"Version\",\"value\":\"6.2.1\"},{\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"name\":\"target\",\"value\":\"com.atlassian.analytics.analytics-client\"}]}",
- "type": "info"
+ "type": [
+ "info"
+ ]
 },
 "related": {
 "user": [
@@ -9603,7 +9897,9 @@
 "action": "bitbucket.service.plugin.audit.action.pluginenabled",
 "kind": "event",
 "original": "{\"timestamp\":\"2021-11-27T17:29:00.763Z\",\"author\":{\"name\":\"System\",\"type\":\"system\",\"id\":\"-1\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"bitbucket.service.audit.category.apps\",\"category\":\"Apps\",\"actionI18nKey\":\"bitbucket.service.plugin.audit.action.pluginenabled\",\"action\":\"Plugin enabled\"},\"affectedObjects\":[{\"name\":\"com.atlassian.plugins.rest.atlassian-rest-module\",\"type\":\"MISC\"}],\"changedValues\":[],\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"method\":\"System\",\"extraAttributes\":[{\"nameI18nKey\":\"bitbucket.service.plugin.audit.attribute.version\",\"name\":\"Version\",\"value\":\"6.0.7\"},{\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"name\":\"target\",\"value\":\"com.atlassian.plugins.rest.atlassian-rest-module\"}]}",
- "type": "info"
+ "type": [
+ "info"
+ ]
 },
 "related": {
 "user": [
@@ -9656,7 +9952,9 @@
 "action": "bitbucket.service.plugin.audit.action.pluginenabled",
 "kind": "event",
 "original": "{\"timestamp\":\"2021-11-27T17:29:00.746Z\",\"author\":{\"name\":\"System\",\"type\":\"system\",\"id\":\"-1\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"bitbucket.service.audit.category.apps\",\"category\":\"Apps\",\"actionI18nKey\":\"bitbucket.service.plugin.audit.action.pluginenabled\",\"action\":\"Plugin enabled\"},\"affectedObjects\":[{\"name\":\"com.atlassian.templaterenderer.atlassian-template-renderer-velocity1.6-plugin\",\"type\":\"MISC\"}],\"changedValues\":[],\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"method\":\"System\",\"extraAttributes\":[{\"nameI18nKey\":\"bitbucket.service.plugin.audit.attribute.version\",\"name\":\"Version\",\"value\":\"4.1.4\"},{\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"name\":\"target\",\"value\":\"com.atlassian.templaterenderer.atlassian-template-renderer-velocity1.6-plugin\"}]}",
- "type": "info"
+ "type": [
+ "info"
+ ]
 },
 "related": {
 "user": [
@@ -9709,7 +10007,9 @@
 "action": "bitbucket.service.plugin.audit.action.pluginenabled",
 "kind": "event",
 "original": "{\"timestamp\":\"2021-11-27T17:29:00.736Z\",\"author\":{\"name\":\"System\",\"type\":\"system\",\"id\":\"-1\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"bitbucket.service.audit.category.apps\",\"category\":\"Apps\",\"actionI18nKey\":\"bitbucket.service.plugin.audit.action.pluginenabled\",\"action\":\"Plugin enabled\"},\"affectedObjects\":[{\"name\":\"com.atlassian.activeobjects.activeobjects-plugin\",\"type\":\"MISC\"}],\"changedValues\":[],\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"method\":\"System\",\"extraAttributes\":[{\"nameI18nKey\":\"bitbucket.service.plugin.audit.attribute.version\",\"name\":\"Version\",\"value\":\"3.2.11\"},{\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"name\":\"target\",\"value\":\"com.atlassian.activeobjects.activeobjects-plugin\"}]}",
- "type": "info"
+ "type": [
+ "info"
+ ]
 },
 "related": {
 "user": [
@@ -9762,7 +10062,9 @@
 "action": "bitbucket.service.plugin.audit.action.pluginenabled",
 "kind": "event",
 "original": "{\"timestamp\":\"2021-11-27T17:29:00.687Z\",\"author\":{\"name\":\"System\",\"type\":\"system\",\"id\":\"-1\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"bitbucket.service.audit.category.apps\",\"category\":\"Apps\",\"actionI18nKey\":\"bitbucket.service.plugin.audit.action.pluginenabled\",\"action\":\"Plugin enabled\"},\"affectedObjects\":[{\"name\":\"com.atlassian.templaterenderer.api\",\"type\":\"MISC\"}],\"changedValues\":[],\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"method\":\"System\",\"extraAttributes\":[{\"nameI18nKey\":\"bitbucket.service.plugin.audit.attribute.version\",\"name\":\"Version\",\"value\":\"4.1.4\"},{\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"name\":\"target\",\"value\":\"com.atlassian.templaterenderer.api\"}]}",
- "type": "info"
+ "type": [
+ "info"
+ ]
 },
 "related": {
 "user": [
@@ -9816,7 +10118,9 @@
 "action": "bitbucket.service.applicationconfiguration.audit.action.displaynamechanged",
 "kind": "event",
 "original": "{\"timestamp\":\"2021-11-27T17:26:26.205Z\",\"author\":{\"name\":\"System\",\"type\":\"system\",\"id\":\"-1\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"bitbucket.service.audit.category.globaladministration\",\"category\":\"Global administration\",\"actionI18nKey\":\"bitbucket.service.applicationconfiguration.audit.action.displaynamechanged\",\"action\":\"Server name changed\"},\"affectedObjects\":[],\"changedValues\":[{\"key\":\"Name\",\"i18nKey\":\"bitbucket.service.applicationconfiguration.audit.changedvalue.displaynamechanged.name\",\"to\":\"Bitbucket\"}],\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"method\":\"System\",\"extraAttributes\":[{\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.details\",\"name\":\"details\",\"value\":\"{\\\"new\\\":\\\"Bitbucket\\\",\\\"old\\\":null}\"},{\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"name\":\"target\",\"value\":\"DISPLAY_NAME\"}]}",
- "type": "info"
+ "type": [
+ "info"
+ ]
 },
 "related": {
 "user": [
@@ -9923,7 +10227,9 @@
 "action": "bitbucket.service.user.audit.action.directorycreated",
 "kind": "event",
 "original": "{\"timestamp\":\"2021-11-27T17:26:25.045Z\",\"author\":{\"name\":\"System\",\"type\":\"system\",\"id\":\"-1\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"bitbucket.service.audit.category.usersandgroups\",\"category\":\"Users and groups\",\"actionI18nKey\":\"bitbucket.service.user.audit.action.directorycreated\",\"action\":\"User directory created\"},\"affectedObjects\":[],\"changedValues\":[],\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"method\":\"System\",\"extraAttributes\":[{\"nameI18nKey\":\"bitbucket.service.user.audit.attribute.directory.name\",\"name\":\"Directory name\",\"value\":\"Bitbucket Internal Directory\"},{\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"name\":\"target\",\"value\":\"Bitbucket Internal Directory\"}]}",
- "type": "info"
+ "type": [
+ "info"
+ ]
 },
 "related": {
 "user": [
diff --git a/packages/atlassian_bitbucket/data_stream/audit/_dev/test/pipeline/test-audit-files.log-expected.json b/packages/atlassian_bitbucket/data_stream/audit/_dev/test/pipeline/test-audit-files.log-expected.json
index 04b558e2815..417a0f8684e 100644
--- a/packages/atlassian_bitbucket/data_stream/audit/_dev/test/pipeline/test-audit-files.log-expected.json
+++ b/packages/atlassian_bitbucket/data_stream/audit/_dev/test/pipeline/test-audit-files.log-expected.json
@@ -140,7 +140,9 @@
 "action": "bitbucket.service.user.audit.action.globalpermissiongrantrequested",
 "kind": "event",
 "original": "{\"affectedObjects\":[{\"id\":\"2\",\"name\":\"admin\",\"type\":\"USER\"}],\"auditType\":{\"action\":\"Global permission requested\",\"actionI18nKey\":\"bitbucket.service.user.audit.action.globalpermissiongrantrequested\",\"area\":\"PERMISSIONS\",\"category\":\"Permissions\",\"categoryI18nKey\":\"bitbucket.service.audit.category.permissions\",\"level\":\"BASE\"},\"author\":{\"id\":\"-2\",\"name\":\"Anonymous\",\"type\":\"user\"},\"changedValues\":[],\"extraAttributes\":[{\"name\":\"Permission\",\"nameI18nKey\":\"bitbucket.service.user.audit.attribute.permission.permission\",\"value\":\"SYS_ADMIN\"},{\"name\":\"target\",\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"value\":\"Global\"},{\"name\":\"details\",\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.details\",\"value\":\"{\\\"permission\\\":\\\"SYS_ADMIN\\\",\\\"user\\\":\\\"admin\\\"}\"}],\"method\":\"Browser\",\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"source\":\"10.100.100.2\",\"system\":\"http://bitbucket.internal:7990\",\"timestamp\":{\"epochSecond\":1638034466,\"nano\":19000000},\"version\":\"1.0\"}",
- "type": "info"
+ "type": [
+ "info"
+ ]
 },
 "related": {
 "hosts": [
@@ -214,7 +216,9 @@
 "action": "bitbucket.service.user.audit.action.globalpermissiongranted",
 "kind": "event",
 "original": "{\"affectedObjects\":[{\"id\":\"2\",\"name\":\"admin\",\"type\":\"USER\"}],\"auditType\":{\"action\":\"Global permission granted\",\"actionI18nKey\":\"bitbucket.service.user.audit.action.globalpermissiongranted\",\"area\":\"PERMISSIONS\",\"category\":\"Permissions\",\"categoryI18nKey\":\"bitbucket.service.audit.category.permissions\",\"level\":\"BASE\"},\"author\":{\"id\":\"-2\",\"name\":\"Anonymous\",\"type\":\"user\"},\"changedValues\":[],\"extraAttributes\":[{\"name\":\"Permission\",\"nameI18nKey\":\"bitbucket.service.user.audit.attribute.permission.permission\",\"value\":\"SYS_ADMIN\"},{\"name\":\"target\",\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"value\":\"Global\"},{\"name\":\"details\",\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.details\",\"value\":\"{\\\"permission\\\":\\\"SYS_ADMIN\\\",\\\"user\\\":\\\"admin\\\"}\"}],\"method\":\"Browser\",\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"source\":\"10.100.100.2\",\"system\":\"http://bitbucket.internal:7990\",\"timestamp\":{\"epochSecond\":1638034466,\"nano\":108000000},\"version\":\"1.0\"}",
- "type": "info"
+ "type": [
+ "info"
+ ]
 },
 "related": {
 "hosts": [
@@ -276,7 +280,9 @@
 "action": "bitbucket.service.applicationconfiguration.audit.action.applicationsetup",
 "kind": "event",
 "original": "{\"affectedObjects\":[],\"auditType\":{\"action\":\"Instance setup completed\",\"actionI18nKey\":\"bitbucket.service.applicationconfiguration.audit.action.applicationsetup\",\"area\":\"GLOBAL_CONFIG_AND_ADMINISTRATION\",\"category\":\"Global administration\",\"categoryI18nKey\":\"bitbucket.service.audit.category.globaladministration\",\"level\":\"BASE\"},\"author\":{\"id\":\"-2\",\"name\":\"Anonymous\",\"type\":\"user\"},\"changedValues\":[],\"extraAttributes\":[{\"name\":\"target\",\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"value\":\"SERVER_IS_SETUP\"},{\"name\":\"details\",\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.details\",\"value\":\"{\\\"new\\\":true,\\\"old\\\":false}\"}],\"method\":\"Browser\",\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"source\":\"10.100.100.2\",\"system\":\"http://bitbucket.internal:7990\",\"timestamp\":{\"epochSecond\":1638034466,\"nano\":112000000},\"version\":\"1.0\"}",
- "type": "info"
+ "type": [
+ "info"
+ ]
 },
 "related": {
 "hosts": [
@@ -345,7 +351,9 @@
 "action": "bitbucket.search.audit.action.elasticsearchconfigurationchange",
 "kind": "event",
 "original": "{\"affectedObjects\":[],\"auditType\":{\"action\":\"Elasticsearch settings changed\",\"actionI18nKey\":\"bitbucket.search.audit.action.elasticsearchconfigurationchange\",\"area\":\"GLOBAL_CONFIG_AND_ADMINISTRATION\",\"category\":\"Global administration\",\"categoryI18nKey\":\"bitbucket.service.audit.category.globaladministration\",\"level\":\"BASE\"},\"author\":{\"id\":\"-1\",\"name\":\"System\",\"type\":\"system\"},\"changedValues\":[{\"i18nKey\":\"bitbucket.search.audit.changedvalue.elasticsearchconfigurationchange.username\",\"key\":\"Username\",\"to\":\"bitbucket\"}],\"extraAttributes\":[{\"name\":\"details\",\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.details\",\"value\":\"{\\\"changed\\\":\\\",elasticsearchPasswordelasticsearchUsername\\\",\\\"username\\\":\\\"bitbucket\\\"}\"},{\"name\":\"target\",\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"value\":\"Elasticsearch\"}],\"method\":\"System\",\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"system\":\"http://bitbucket.internal:7990\",\"timestamp\":{\"epochSecond\":1638034511,\"nano\":898000000},\"version\":\"1.0\"}",
- "type": "info"
+ "type": [
+ "info"
+ ]
 },
 "related": {
 "hosts": [
@@ -409,7 +417,9 @@
 "action": "atlassian.audit.event.action.audit.search",
 "kind": "event",
 "original": "{\"affectedObjects\":[],\"auditType\":{\"action\":\"Audit Log search performed\",\"actionI18nKey\":\"atlassian.audit.event.action.audit.search\",\"area\":\"AUDIT_LOG\",\"category\":\"Auditing\",\"categoryI18nKey\":\"atlassian.audit.event.category.audit\",\"level\":\"BASE\"},\"author\":{\"id\":\"2\",\"name\":\"admin\",\"type\":\"NORMAL\"},\"changedValues\":[],\"extraAttributes\":[{\"name\":\"Query\",\"nameI18nKey\":\"atlassian.audit.event.attribute.query\",\"value\":\"\"},{\"name\":\"ID Range\",\"nameI18nKey\":\"atlassian.audit.event.attribute.id\",\"value\":\"55 - 154\"},{\"name\":\"Results returned\",\"nameI18nKey\":\"atlassian.audit.event.attribute.results\",\"value\":\"100\"},{\"name\":\"Timestamp Range\",\"nameI18nKey\":\"atlassian.audit.event.attribute.timestamp\",\"value\":\"2021-11-27T17:29:11.242Z - 2021-11-27T17:35:11.898Z\"}],\"method\":\"Browser\",\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"source\":\"10.100.100.2\",\"system\":\"http://bitbucket.internal:7990\",\"timestamp\":{\"epochSecond\":1638034531,\"nano\":362000000},\"version\":\"1.0\"}",
- "type": "info"
+ "type": [
+ "info"
+ ]
 },
 "related": {
 "hosts": [
@@ -480,7 +490,9 @@
 "action": "atlassian.audit.event.action.audit.search",
 "kind": "event",
 "original": "{\"affectedObjects\":[],\"auditType\":{\"action\":\"Audit Log search performed\",\"actionI18nKey\":\"atlassian.audit.event.action.audit.search\",\"area\":\"AUDIT_LOG\",\"category\":\"Auditing\",\"categoryI18nKey\":\"atlassian.audit.event.category.audit\",\"level\":\"BASE\"},\"author\":{\"id\":\"2\",\"name\":\"admin\",\"type\":\"NORMAL\"},\"changedValues\":[],\"extraAttributes\":[{\"name\":\"Query\",\"nameI18nKey\":\"atlassian.audit.event.attribute.query\",\"value\":\"\"},{\"name\":\"Results returned\",\"nameI18nKey\":\"atlassian.audit.event.attribute.results\",\"value\":\"54\"},{\"name\":\"Timestamp Range\",\"nameI18nKey\":\"atlassian.audit.event.attribute.timestamp\",\"value\":\"2021-11-27T17:26:25.045Z - 2021-11-27T17:29:11.102Z\"},{\"name\":\"ID Range\",\"nameI18nKey\":\"atlassian.audit.event.attribute.id\",\"value\":\"1 - 54\"}],\"method\":\"Browser\",\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"source\":\"10.100.100.2\",\"system\":\"http://bitbucket.internal:7990\",\"timestamp\":{\"epochSecond\":1638034533,\"nano\":93000000},\"version\":\"1.0\"}",
- "type": "info"
+ "type": [
+ "info"
+ ]
 },
 "related": {
 "hosts": [
@@ -551,7 +563,9 @@
 "action": "atlassian.audit.event.action.audit.search",
 "kind": "event",
 "original": "{\"affectedObjects\":[],\"auditType\":{\"action\":\"Audit Log search performed\",\"actionI18nKey\":\"atlassian.audit.event.action.audit.search\",\"area\":\"AUDIT_LOG\",\"category\":\"Auditing\",\"categoryI18nKey\":\"atlassian.audit.event.category.audit\",\"level\":\"BASE\"},\"author\":{\"id\":\"2\",\"name\":\"admin\",\"type\":\"NORMAL\"},\"changedValues\":[],\"extraAttributes\":[{\"name\":\"Query\",\"nameI18nKey\":\"atlassian.audit.event.attribute.query\",\"value\":\"\"},{\"name\":\"Timestamp Range\",\"nameI18nKey\":\"atlassian.audit.event.attribute.timestamp\",\"value\":\"2021-11-27T17:29:12.364Z - 2021-11-27T17:35:33.093Z\"},{\"name\":\"Results returned\",\"nameI18nKey\":\"atlassian.audit.event.attribute.results\",\"value\":\"100\"},{\"name\":\"ID Range\",\"nameI18nKey\":\"atlassian.audit.event.attribute.id\",\"value\":\"57 - 156\"}],\"method\":\"Browser\",\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"source\":\"10.100.100.2\",\"system\":\"http://bitbucket.internal:7990\",\"timestamp\":{\"epochSecond\":1638034545,\"nano\":810000000},\"version\":\"1.0\"}",
- "type": "info"
+ "type": [
+ "info"
+ ]
 },
 "related": {
 "hosts": [
@@ -622,7 +636,9 @@
 "action": "atlassian.audit.event.action.audit.search",
 "kind": "event",
 "original": "{\"affectedObjects\":[],\"auditType\":{\"action\":\"Audit Log search performed\",\"actionI18nKey\":\"atlassian.audit.event.action.audit.search\",\"area\":\"AUDIT_LOG\",\"category\":\"Auditing\",\"categoryI18nKey\":\"atlassian.audit.event.category.audit\",\"level\":\"BASE\"},\"author\":{\"id\":\"2\",\"name\":\"admin\",\"type\":\"NORMAL\"},\"changedValues\":[],\"extraAttributes\":[{\"name\":\"Query\",\"nameI18nKey\":\"atlassian.audit.event.attribute.query\",\"value\":\"\"},{\"name\":\"Timestamp Range\",\"nameI18nKey\":\"atlassian.audit.event.attribute.timestamp\",\"value\":\"2021-11-27T17:26:25.045Z - 2021-11-27T17:29:12.363Z\"},{\"name\":\"Results returned\",\"nameI18nKey\":\"atlassian.audit.event.attribute.results\",\"value\":\"56\"},{\"name\":\"ID Range\",\"nameI18nKey\":\"atlassian.audit.event.attribute.id\",\"value\":\"1 - 56\"}],\"method\":\"Browser\",\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"source\":\"10.100.100.2\",\"system\":\"http://bitbucket.internal:7990\",\"timestamp\":{\"epochSecond\":1638034546,\"nano\":331000000},\"version\":\"1.0\"}",
- "type": "info"
+ "type": [
+ "info"
+ ]
 },
 "related": {
 "hosts": [
@@ -684,7 +700,6 @@
 "kind": "event",
 "original": "{\"affectedObjects\":[],\"auditType\":{\"action\":\"Audit Log configuration updated\",\"actionI18nKey\":\"atlassian.audit.event.action.audit.config.updated\",\"area\":\"AUDIT_LOG\",\"category\":\"Auditing\",\"categoryI18nKey\":\"atlassian.audit.event.category.audit\",\"level\":\"BASE\"},\"author\":{\"id\":\"2\",\"name\":\"admin\",\"type\":\"NORMAL\"},\"changedValues\":[{\"from\":\"global_config_and_administration : base\",\"i18nKey\":\"atlassian.audit.event.change.coverage.level\",\"key\":\"Coverage Level\",\"to\":\"global_config_and_administration : full\"}],\"extraAttributes\":[],\"method\":\"Browser\",\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"source\":\"10.100.100.2\",\"system\":\"http://bitbucket.internal:7990\",\"timestamp\":{\"epochSecond\":1638034577,\"nano\":991000000},\"version\":\"1.0\"}",
 "type": [
- "admin",
 "change"
 ]
 },
@@ -748,7 +763,6 @@
 "kind": "event",
 "original": "{\"affectedObjects\":[],\"auditType\":{\"action\":\"Audit Log configuration updated\",\"actionI18nKey\":\"atlassian.audit.event.action.audit.config.updated\",\"area\":\"AUDIT_LOG\",\"category\":\"Auditing\",\"categoryI18nKey\":\"atlassian.audit.event.category.audit\",\"level\":\"BASE\"},\"author\":{\"id\":\"2\",\"name\":\"admin\",\"type\":\"NORMAL\"},\"changedValues\":[{\"from\":\"end_user_activity : base\",\"i18nKey\":\"atlassian.audit.event.change.coverage.level\",\"key\":\"Coverage Level\",\"to\":\"end_user_activity : full\"}],\"extraAttributes\":[],\"method\":\"Browser\",\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"source\":\"10.100.100.2\",\"system\":\"http://bitbucket.internal:7990\",\"timestamp\":{\"epochSecond\":1638034577,\"nano\":993000000},\"version\":\"1.0\"}",
 "type": [
- "admin",
 "change"
 ]
 },
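Review bot: The expected output for the `atlassian.audit.event.action.audit.config.updated` records now drops `admin` from `event.type` and keeps only `change`; the same removal appears in the `@@ -812`, `@@ -876`, `@@ -940`, `@@ -1004`, `@@ -1068` and `@@ -1131` hunks that follow. This fixture only mirrors pipeline behaviour and the pipeline change that produces it is not in this chunk, so I cannot tell whether narrowing to `change` is deliberate for every configuration-update action or a side effect of the `event.type` array normalisation done elsewhere in the diff. Because `event.type` is a field that saved searches and detection rules commonly key on, a narrowing like this deserves a changelog line of its own, for example `- description: event.type no longer includes "admin" for audit configuration update events` with `type: breaking-change`, so users can adjust rules before upgrading.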
@@ -812,7 +826,6 @@
 "kind": "event",
 "original": "{\"affectedObjects\":[],\"auditType\":{\"action\":\"Audit Log configuration updated\",\"actionI18nKey\":\"atlassian.audit.event.action.audit.config.updated\",\"area\":\"AUDIT_LOG\",\"category\":\"Auditing\",\"categoryI18nKey\":\"atlassian.audit.event.category.audit\",\"level\":\"BASE\"},\"author\":{\"id\":\"2\",\"name\":\"admin\",\"type\":\"NORMAL\"},\"changedValues\":[{\"from\":\"user_management : base\",\"i18nKey\":\"atlassian.audit.event.change.coverage.level\",\"key\":\"Coverage Level\",\"to\":\"user_management : full\"}],\"extraAttributes\":[],\"method\":\"Browser\",\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"source\":\"10.100.100.2\",\"system\":\"http://bitbucket.internal:7990\",\"timestamp\":{\"epochSecond\":1638034577,\"nano\":994000000},\"version\":\"1.0\"}",
 "type": [
- "admin",
 "change"
 ]
 },
@@ -876,7 +889,6 @@
 "kind": "event",
 "original": "{\"affectedObjects\":[],\"auditType\":{\"action\":\"Audit Log configuration updated\",\"actionI18nKey\":\"atlassian.audit.event.action.audit.config.updated\",\"area\":\"AUDIT_LOG\",\"category\":\"Auditing\",\"categoryI18nKey\":\"atlassian.audit.event.category.audit\",\"level\":\"BASE\"},\"author\":{\"id\":\"2\",\"name\":\"admin\",\"type\":\"NORMAL\"},\"changedValues\":[{\"from\":\"local_config_and_administration : base\",\"i18nKey\":\"atlassian.audit.event.change.coverage.level\",\"key\":\"Coverage Level\",\"to\":\"local_config_and_administration : full\"}],\"extraAttributes\":[],\"method\":\"Browser\",\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"source\":\"10.100.100.2\",\"system\":\"http://bitbucket.internal:7990\",\"timestamp\":{\"epochSecond\":1638034577,\"nano\":994000000},\"version\":\"1.0\"}",
 "type": [
- "admin",
 "change"
 ]
 },
@@ -940,7 +952,6 @@
 "kind": "event",
 "original": "{\"affectedObjects\":[],\"auditType\":{\"action\":\"Audit Log configuration updated\",\"actionI18nKey\":\"atlassian.audit.event.action.audit.config.updated\",\"area\":\"AUDIT_LOG\",\"category\":\"Auditing\",\"categoryI18nKey\":\"atlassian.audit.event.category.audit\",\"level\":\"BASE\"},\"author\":{\"id\":\"2\",\"name\":\"admin\",\"type\":\"NORMAL\"},\"changedValues\":[{\"from\":\"ecosystem : base\",\"i18nKey\":\"atlassian.audit.event.change.coverage.level\",\"key\":\"Coverage Level\",\"to\":\"ecosystem : full\"}],\"extraAttributes\":[],\"method\":\"Browser\",\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"source\":\"10.100.100.2\",\"system\":\"http://bitbucket.internal:7990\",\"timestamp\":{\"epochSecond\":1638034577,\"nano\":994000000},\"version\":\"1.0\"}",
 "type": [
- "admin",
 "change"
 ]
 },
@@ -1004,7 +1015,6 @@
 "kind": "event",
 "original": "{\"affectedObjects\":[],\"auditType\":{\"action\":\"Audit Log configuration updated\",\"actionI18nKey\":\"atlassian.audit.event.action.audit.config.updated\",\"area\":\"AUDIT_LOG\",\"category\":\"Auditing\",\"categoryI18nKey\":\"atlassian.audit.event.category.audit\",\"level\":\"BASE\"},\"author\":{\"id\":\"2\",\"name\":\"admin\",\"type\":\"NORMAL\"},\"changedValues\":[{\"from\":\"permissions : base\",\"i18nKey\":\"atlassian.audit.event.change.coverage.level\",\"key\":\"Coverage Level\",\"to\":\"permissions : full\"}],\"extraAttributes\":[],\"method\":\"Browser\",\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"source\":\"10.100.100.2\",\"system\":\"http://bitbucket.internal:7990\",\"timestamp\":{\"epochSecond\":1638034577,\"nano\":994000000},\"version\":\"1.0\"}",
 "type": [
- "admin",
 "change"
 ]
 },
@@ -1068,7 +1078,6 @@ "kind": "event", "original": "{\"affectedObjects\":[],\"auditType\":{\"action\":\"Audit Log configuration updated\",\"actionI18nKey\":\"atlassian.audit.event.action.audit.config.updated\",\"area\":\"AUDIT_LOG\",\"category\":\"Auditing\",\"categoryI18nKey\":\"atlassian.audit.event.category.audit\",\"level\":\"BASE\"},\"author\":{\"id\":\"2\",\"name\":\"admin\",\"type\":\"NORMAL\"},\"changedValues\":[{\"from\":\"security : base\",\"i18nKey\":\"atlassian.audit.event.change.coverage.level\",\"key\":\"Coverage Level\",\"to\":\"security : full\"}],\"extraAttributes\":[],\"method\":\"Browser\",\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"source\":\"10.100.100.2\",\"system\":\"http://bitbucket.internal:7990\",\"timestamp\":{\"epochSecond\":1638034577,\"nano\":994000000},\"version\":\"1.0\"}", "type": [ - "admin", "change" ] }, @@ -1131,7 +1140,6 @@ "kind": "event", "original": "{\"affectedObjects\":[],\"auditType\":{\"action\":\"Audit Log configuration updated\",\"actionI18nKey\":\"atlassian.audit.event.action.audit.config.updated\",\"area\":\"AUDIT_LOG\",\"category\":\"Auditing\",\"categoryI18nKey\":\"atlassian.audit.event.category.audit\",\"level\":\"BASE\"},\"author\":{\"id\":\"2\",\"name\":\"admin\",\"type\":\"NORMAL\"},\"changedValues\":[{\"i18nKey\":\"atlassian.audit.event.change.retention\",\"key\":\"Retention\",\"to\":\"3 Years\"}],\"extraAttributes\":[],\"method\":\"Browser\",\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"source\":\"10.100.100.2\",\"system\":\"http://bitbucket.internal:7990\",\"timestamp\":{\"epochSecond\":1638034578,\"nano\":370000000},\"version\":\"1.0\"}", "type": [ - "admin", "change" ] }, 
@@ -1204,7 +1212,9 @@ "action": "atlassian.audit.event.action.audit.search", "kind": "event", "original": "{\"affectedObjects\":[],\"auditType\":{\"action\":\"Audit Log search performed\",\"actionI18nKey\":\"atlassian.audit.event.action.audit.search\",\"area\":\"AUDIT_LOG\",\"category\":\"Auditing\",\"categoryI18nKey\":\"atlassian.audit.event.category.audit\",\"level\":\"BASE\"},\"author\":{\"id\":\"2\",\"name\":\"admin\",\"type\":\"NORMAL\"},\"changedValues\":[],\"extraAttributes\":[{\"name\":\"Query\",\"nameI18nKey\":\"atlassian.audit.event.attribute.query\",\"value\":\"\"},{\"name\":\"ID Range\",\"nameI18nKey\":\"atlassian.audit.event.attribute.id\",\"value\":\"67 - 166\"},{\"name\":\"Timestamp Range\",\"nameI18nKey\":\"atlassian.audit.event.attribute.timestamp\",\"value\":\"2021-11-27T17:29:18.850Z - 2021-11-27T17:36:18.370Z\"},{\"name\":\"Results returned\",\"nameI18nKey\":\"atlassian.audit.event.attribute.results\",\"value\":\"100\"}],\"method\":\"Browser\",\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"source\":\"10.100.100.2\",\"system\":\"http://bitbucket.internal:7990\",\"timestamp\":{\"epochSecond\":1638034578,\"nano\":873000000},\"version\":\"1.0\"}", - "type": "info" + "type": [ + "info" + ] }, "related": { "hosts": [ 
@@ -1275,7 +1285,9 @@ "action": "atlassian.audit.event.action.audit.search", "kind": "event", "original": "{\"affectedObjects\":[],\"auditType\":{\"action\":\"Audit Log search performed\",\"actionI18nKey\":\"atlassian.audit.event.action.audit.search\",\"area\":\"AUDIT_LOG\",\"category\":\"Auditing\",\"categoryI18nKey\":\"atlassian.audit.event.category.audit\",\"level\":\"BASE\"},\"author\":{\"id\":\"2\",\"name\":\"admin\",\"type\":\"NORMAL\"},\"changedValues\":[],\"extraAttributes\":[{\"name\":\"Query\",\"nameI18nKey\":\"atlassian.audit.event.attribute.query\",\"value\":\"\"},{\"name\":\"Results returned\",\"nameI18nKey\":\"atlassian.audit.event.attribute.results\",\"value\":\"66\"},{\"name\":\"Timestamp Range\",\"nameI18nKey\":\"atlassian.audit.event.attribute.timestamp\",\"value\":\"2021-11-27T17:26:25.045Z - 2021-11-27T17:29:18.849Z\"},{\"name\":\"ID Range\",\"nameI18nKey\":\"atlassian.audit.event.attribute.id\",\"value\":\"1 - 66\"}],\"method\":\"Browser\",\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"source\":\"10.100.100.2\",\"system\":\"http://bitbucket.internal:7990\",\"timestamp\":{\"epochSecond\":1638034579,\"nano\":269000000},\"version\":\"1.0\"}", - "type": "info" + "type": [ + "info" + ] }, "related": { "hosts": [ 
@@ -2160,7 +2172,9 @@ "action": "atlassian.audit.event.action.audit.search", "kind": "event", "original": "{\"affectedObjects\":[],\"auditType\":{\"action\":\"Audit Log search performed\",\"actionI18nKey\":\"atlassian.audit.event.action.audit.search\",\"area\":\"AUDIT_LOG\",\"category\":\"Auditing\",\"categoryI18nKey\":\"atlassian.audit.event.category.audit\",\"level\":\"BASE\"},\"author\":{\"id\":\"2\",\"name\":\"admin\",\"type\":\"NORMAL\"},\"changedValues\":[],\"extraAttributes\":[{\"name\":\"Query\",\"nameI18nKey\":\"atlassian.audit.event.attribute.query\",\"value\":\"\"},{\"name\":\"Results returned\",\"nameI18nKey\":\"atlassian.audit.event.attribute.results\",\"value\":\"177\"},{\"name\":\"Timestamp Range\",\"nameI18nKey\":\"atlassian.audit.event.attribute.timestamp\",\"value\":\"2021-11-27T17:26:25.045Z - 2021-11-27T17:38:58.087Z\"},{\"name\":\"ID Range\",\"nameI18nKey\":\"atlassian.audit.event.attribute.id\",\"value\":\"1 - 177\"}],\"method\":\"Browser\",\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"source\":\"10.100.100.2\",\"system\":\"http://bitbucket.internal:7990\",\"timestamp\":{\"epochSecond\":1638034756,\"nano\":499000000},\"version\":\"1.0\"}", - "type": "info" + "type": [ + "info" + ] }, "related": { "hosts": [ 
@@ -2244,7 +2258,6 @@ "kind": "event", "original": "{\"affectedObjects\":[{\"id\":\"1\",\"name\":\"~ADMIN\",\"type\":\"PROJECT\"},{\"id\":\"2\",\"name\":\"admin\",\"type\":\"USER\"}],\"auditType\":{\"action\":\"Project permission granted\",\"actionI18nKey\":\"bitbucket.service.user.audit.action.projectpermissiongranted\",\"area\":\"PERMISSIONS\",\"category\":\"Permissions\",\"categoryI18nKey\":\"bitbucket.service.audit.category.permissions\",\"level\":\"BASE\"},\"author\":{\"id\":\"2\",\"name\":\"admin\",\"type\":\"NORMAL\"},\"changedValues\":[],\"extraAttributes\":[{\"name\":\"details\",\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.details\",\"value\":\"{\\\"permission\\\":\\\"PROJECT_ADMIN\\\",\\\"user\\\":\\\"admin\\\"}\"},{\"name\":\"Permission\",\"nameI18nKey\":\"bitbucket.service.user.audit.attribute.permission.permission\",\"value\":\"PROJECT_ADMIN\"},{\"name\":\"target\",\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"value\":\"~ADMIN\"}],\"method\":\"Browser\",\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"source\":\"10.100.100.2\",\"system\":\"http://bitbucket.internal:7990\",\"timestamp\":{\"epochSecond\":1638035568,\"nano\":728000000},\"version\":\"1.0\"}", "type": [ - "admin", "creation" ] }, 
@@ -2403,7 +2416,6 @@ "kind": "event", "original": "{\"affectedObjects\":[{\"id\":\"2\",\"name\":\"admin\",\"type\":\"USER\"}],\"auditType\":{\"action\":\"Personal access token created\",\"actionI18nKey\":\"bitbucket.access.tokens.audit.action.accesstokencreated.personal\",\"area\":\"USER_MANAGEMENT\",\"category\":\"Users and groups\",\"categoryI18nKey\":\"bitbucket.service.audit.category.usersandgroups\",\"level\":\"BASE\"},\"author\":{\"id\":\"2\",\"name\":\"admin\",\"type\":\"NORMAL\"},\"changedValues\":[],\"extraAttributes\":[{\"name\":\"details\",\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.details\",\"value\":\"{\\\"id\\\":\\\"957928486530\\\",\\\"tokenOwner\\\":{\\\"id\\\":2,\\\"name\\\":\\\"admin\\\",\\\"slug\\\":\\\"admin\\\"},\\\"name\\\":\\\"dddd\\\",\\\"permissions\\\":[\\\"PROJECT_READ\\\",\\\"REPO_READ\\\"]}\"},{\"name\":\"ID\",\"nameI18nKey\":\"bitbucket.access.tokens.audit.attribute.accesstoken.id\",\"value\":\"957928486530\"},{\"name\":\"Name\",\"nameI18nKey\":\"bitbucket.access.tokens.audit.attribute.accesstoken.name\",\"value\":\"dddd\"},{\"name\":\"target\",\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"value\":\"GLOBAL\"},{\"name\":\"Permissions\",\"nameI18nKey\":\"bitbucket.access.tokens.audit.attribute.accesstoken.permissions\",\"value\":\"PROJECT_READ, REPO_READ\"}],\"method\":\"Browser\",\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"source\":\"10.100.100.2\",\"system\":\"http://bitbucket.internal:7990\",\"timestamp\":{\"epochSecond\":1638035618,\"nano\":996000000},\"version\":\"1.0\"}", "type": [ - "admin", "creation" ] }, 
@@ -2491,7 +2503,6 @@ "kind": "event", "original": "{\"affectedObjects\":[{\"id\":\"2\",\"name\":\"admin\",\"type\":\"USER\"}],\"auditType\":{\"action\":\"Personal access token changed\",\"actionI18nKey\":\"bitbucket.access.tokens.audit.action.accesstokenmodified.personal\",\"area\":\"USER_MANAGEMENT\",\"category\":\"Users and groups\",\"categoryI18nKey\":\"bitbucket.service.audit.category.usersandgroups\",\"level\":\"BASE\"},\"author\":{\"id\":\"2\",\"name\":\"admin\",\"type\":\"NORMAL\"},\"changedValues\":[{\"from\":\"dddd\",\"i18nKey\":\"bitbucket.access.tokens.audit.attribute.accesstoken.name\",\"key\":\"Name\",\"to\":\"ddddcccc\"}],\"extraAttributes\":[{\"name\":\"ID\",\"nameI18nKey\":\"bitbucket.access.tokens.audit.attribute.accesstoken.id\",\"value\":\"957928486530\"},{\"name\":\"target\",\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"value\":\"GLOBAL\"},{\"name\":\"details\",\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.details\",\"value\":\"{\\\"id\\\":\\\"957928486530\\\",\\\"tokenOwner\\\":{\\\"id\\\":2,\\\"name\\\":\\\"admin\\\",\\\"slug\\\":\\\"admin\\\"},\\\"name\\\":\\\"ddddcccc\\\",\\\"permissions\\\":[\\\"PROJECT_READ\\\",\\\"REPO_READ\\\"]}\"}],\"method\":\"Browser\",\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"source\":\"10.100.100.2\",\"system\":\"http://bitbucket.internal:7990\",\"timestamp\":{\"epochSecond\":1638035626,\"nano\":125000000},\"version\":\"1.0\"}", "type": [ - "admin", "change" ] }, 
@@ -2579,7 +2590,6 @@ "kind": "event", "original": "{\"affectedObjects\":[{\"id\":\"2\",\"name\":\"admin\",\"type\":\"USER\"}],\"auditType\":{\"action\":\"Personal access token changed\",\"actionI18nKey\":\"bitbucket.access.tokens.audit.action.accesstokenmodified.personal\",\"area\":\"USER_MANAGEMENT\",\"category\":\"Users and groups\",\"categoryI18nKey\":\"bitbucket.service.audit.category.usersandgroups\",\"level\":\"BASE\"},\"author\":{\"id\":\"2\",\"name\":\"admin\",\"type\":\"NORMAL\"},\"changedValues\":[{\"from\":\"PROJECT_READ, REPO_READ\",\"i18nKey\":\"bitbucket.access.tokens.audit.attribute.accesstoken.permissions\",\"key\":\"Permissions\",\"to\":\"PROJECT_ADMIN, REPO_ADMIN\"}],\"extraAttributes\":[{\"name\":\"details\",\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.details\",\"value\":\"{\\\"id\\\":\\\"957928486530\\\",\\\"tokenOwner\\\":{\\\"id\\\":2,\\\"name\\\":\\\"admin\\\",\\\"slug\\\":\\\"admin\\\"},\\\"name\\\":\\\"ddddcccc\\\",\\\"permissions\\\":[\\\"PROJECT_ADMIN\\\",\\\"REPO_ADMIN\\\"]}\"},{\"name\":\"ID\",\"nameI18nKey\":\"bitbucket.access.tokens.audit.attribute.accesstoken.id\",\"value\":\"957928486530\"},{\"name\":\"target\",\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"value\":\"GLOBAL\"}],\"method\":\"Browser\",\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"source\":\"10.100.100.2\",\"system\":\"http://bitbucket.internal:7990\",\"timestamp\":{\"epochSecond\":1638035632,\"nano\":18000000},\"version\":\"1.0\"}", "type": [ - "admin", "change" ] }, 
@@ -2669,7 +2679,6 @@ "kind": "event", "original": "{\"affectedObjects\":[{\"id\":\"2\",\"name\":\"admin\",\"type\":\"USER\"}],\"auditType\":{\"action\":\"Personal access token deleted\",\"actionI18nKey\":\"bitbucket.access.tokens.audit.action.accesstokendeleted.personal\",\"area\":\"USER_MANAGEMENT\",\"category\":\"Users and groups\",\"categoryI18nKey\":\"bitbucket.service.audit.category.usersandgroups\",\"level\":\"BASE\"},\"author\":{\"id\":\"2\",\"name\":\"admin\",\"type\":\"NORMAL\"},\"changedValues\":[],\"extraAttributes\":[{\"name\":\"Permissions\",\"nameI18nKey\":\"bitbucket.access.tokens.audit.attribute.accesstoken.permissions\",\"value\":\"PROJECT_ADMIN, REPO_ADMIN\"},{\"name\":\"details\",\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.details\",\"value\":\"{\\\"id\\\":\\\"957928486530\\\",\\\"tokenOwner\\\":{\\\"id\\\":2,\\\"name\\\":\\\"admin\\\",\\\"slug\\\":\\\"admin\\\"},\\\"name\\\":\\\"ddddcccc\\\",\\\"permissions\\\":[\\\"PROJECT_ADMIN\\\",\\\"REPO_ADMIN\\\"]}\"},{\"name\":\"Name\",\"nameI18nKey\":\"bitbucket.access.tokens.audit.attribute.accesstoken.name\",\"value\":\"ddddcccc\"},{\"name\":\"ID\",\"nameI18nKey\":\"bitbucket.access.tokens.audit.attribute.accesstoken.id\",\"value\":\"957928486530\"},{\"name\":\"target\",\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"value\":\"GLOBAL\"}],\"method\":\"Browser\",\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"source\":\"10.100.100.2\",\"system\":\"http://bitbucket.internal:7990\",\"timestamp\":{\"epochSecond\":1638035636,\"nano\":893000000},\"version\":\"1.0\"}", "type": [ - "admin", "deletion" ] }, 
@@ -2810,7 +2819,9 @@ "action": "atlassian.audit.event.action.audit.search", "kind": "event", "original": "{\"affectedObjects\":[],\"auditType\":{\"action\":\"Audit Log search performed\",\"actionI18nKey\":\"atlassian.audit.event.action.audit.search\",\"area\":\"AUDIT_LOG\",\"category\":\"Auditing\",\"categoryI18nKey\":\"atlassian.audit.event.category.audit\",\"level\":\"BASE\"},\"author\":{\"id\":\"2\",\"name\":\"admin\",\"type\":\"NORMAL\"},\"changedValues\":[],\"extraAttributes\":[{\"name\":\"Query\",\"nameI18nKey\":\"atlassian.audit.event.attribute.query\",\"value\":\"\"},{\"name\":\"Results returned\",\"nameI18nKey\":\"atlassian.audit.event.attribute.results\",\"value\":\"186\"},{\"name\":\"Timestamp Range\",\"nameI18nKey\":\"atlassian.audit.event.attribute.timestamp\",\"value\":\"2021-11-27T17:26:25.045Z - 2021-11-27T17:54:02.547Z\"},{\"name\":\"ID Range\",\"nameI18nKey\":\"atlassian.audit.event.attribute.id\",\"value\":\"1 - 186\"}],\"method\":\"Browser\",\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"source\":\"10.100.100.2\",\"system\":\"http://bitbucket.internal:7990\",\"timestamp\":{\"epochSecond\":1638035642,\"nano\":652000000},\"version\":\"1.0\"}", - "type": "info" + "type": [ + "info" + ] }, "related": { "hosts": [ 
@@ -3145,7 +3156,9 @@ "action": "atlassian.audit.event.action.audit.search", "kind": "event", "original": "{\"affectedObjects\":[],\"auditType\":{\"action\":\"Audit Log search performed\",\"actionI18nKey\":\"atlassian.audit.event.action.audit.search\",\"area\":\"AUDIT_LOG\",\"category\":\"Auditing\",\"categoryI18nKey\":\"atlassian.audit.event.category.audit\",\"level\":\"BASE\"},\"author\":{\"id\":\"2\",\"name\":\"admin\",\"type\":\"NORMAL\"},\"changedValues\":[],\"extraAttributes\":[{\"name\":\"Query\",\"nameI18nKey\":\"atlassian.audit.event.attribute.query\",\"value\":\"\"},{\"name\":\"ID Range\",\"nameI18nKey\":\"atlassian.audit.event.attribute.id\",\"value\":\"1 - 191\"},{\"name\":\"Timestamp Range\",\"nameI18nKey\":\"atlassian.audit.event.attribute.timestamp\",\"value\":\"2021-11-27T17:26:25.045Z - 2021-11-27T17:54:51.210Z\"},{\"name\":\"Results returned\",\"nameI18nKey\":\"atlassian.audit.event.attribute.results\",\"value\":\"191\"}],\"method\":\"Browser\",\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"source\":\"10.100.100.2\",\"system\":\"http://bitbucket.internal:7990\",\"timestamp\":{\"epochSecond\":1638035691,\"nano\":275000000},\"version\":\"1.0\"}", - "type": "info" + "type": [ + "info" + ] }, "related": { "hosts": [ 
@@ -3308,7 +3321,6 @@ "kind": "event", "original": "{\"affectedObjects\":[{\"id\":\"2\",\"name\":\"admin\",\"type\":\"USER\"}],\"auditType\":{\"action\":\"User added SSH access key to profile\",\"actionI18nKey\":\"bitbucket.ssh.audit.action.sshkeycreated\",\"area\":\"USER_MANAGEMENT\",\"category\":\"Users and groups\",\"categoryI18nKey\":\"bitbucket.service.audit.category.usersandgroups\",\"level\":\"BASE\"},\"author\":{\"id\":\"2\",\"name\":\"admin\",\"type\":\"NORMAL\"},\"changedValues\":[],\"extraAttributes\":[{\"name\":\"Key ID\",\"nameI18nKey\":\"bitbucket.ssh.audit.attr.sshkey.id\",\"value\":\"1\"},{\"name\":\"Label\",\"nameI18nKey\":\"bitbucket.ssh.audit.attr.sshkey.label\",\"value\":\"schacon@mylaptop.local\"},{\"name\":\"details\",\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.details\",\"value\":\"{\\\"id\\\":1,\\\"public-key\\\":\\\"ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAklOUpkDHrfHY17SbrmTIpNLTGK9Tjom/BWDSU\\\\r\\\\nGPl+nafzlHDTYW7hdI4yZ5ew18JH4JW9jbhUFrviQzM7xlELEVf4h9lFX5QVkbPppSwg0cda3\\\\r\\\\nPbv7kOdJ/MTyBlWXFCR+HAo3FXRitBqxiX1nKhXpHAZsMciLq8V6RjsNAQwdsdMFvSlVK/7XA\\\\r\\\\nt3FaoJoAsncM1Q9x5+3V0Ww68/eIFmb1zuUFljQJKprrX88XypNDvjYNby6vw/Pb0rwert/En\\\\r\\\\nmZ+AW4OZPnTPI89ZPmVMLuayrD2cE86Z/il8b+gw3r3+1nKatmIkjn2so1d01QraTlMqVSsbx\\\\r\\\\nNrRFi9wrf+M7Q== schacon@mylaptop.local\\\",\\\"label\\\":\\\"schacon@mylaptop.local\\\",\\\"user\\\":{\\\"id\\\":2,\\\"name\\\":\\\"admin\\\",\\\"slug\\\":\\\"admin\\\"}}\"},{\"name\":\"Public key\",\"nameI18nKey\":\"bitbucket.ssh.audit.attr.sshkey.publickey\",\"value\":\"ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAklOUpkDHrfHY17SbrmTIpNLTGK9Tjom/BWDSU\\r\\nGPl+nafzlHDTYW7hdI4yZ5ew18JH4JW9jbhUFrviQzM7xlELEVf4h9lFX5QVkbPppSwg0cda3\\r\\nPbv7kOdJ/MTyBlWXFCR+HAo3FXRitBqxiX1nKhXpHAZsMciLq8V6RjsNAQwdsdMFvSlVK/7XA\\r\\nt3FaoJoAsncM1Q9x5+3V0Ww68/eIFmb1zuUFljQJKprrX88XypNDvjYNby6vw/Pb0rwert/En\\r\\nmZ+AW4OZPnTPI89ZPmVMLuayrD2cE86Z/il8b+gw3r3+1nKatmIkjn2so1d01QraTlMqVSsbx\\r\\nNrRFi9wrf+M7Q== 
schacon@mylaptop.local\"},{\"name\":\"target\",\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"value\":\"admin\"}],\"method\":\"Browser\",\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"source\":\"10.100.100.2\",\"system\":\"http://bitbucket.internal:7990\",\"timestamp\":{\"epochSecond\":1638035891,\"nano\":80000000},\"version\":\"1.0\"}", "type": [ - "admin", "creation" ] }, 
@@ -3408,7 +3420,6 @@ "kind": "event", "original": "{\"affectedObjects\":[{\"id\":\"2\",\"name\":\"admin\",\"type\":\"USER\"}],\"auditType\":{\"action\":\"GPG key created\",\"actionI18nKey\":\"bitbucket.plugins.gpg.audit.action.gpgevent.created\",\"area\":\"USER_MANAGEMENT\",\"category\":\"Users and groups\",\"categoryI18nKey\":\"bitbucket.service.audit.category.usersandgroups\",\"level\":\"BASE\"},\"author\":{\"id\":\"2\",\"name\":\"admin\",\"type\":\"NORMAL\"},\"changedValues\":[],\"extraAttributes\":[{\"name\":\"Subkeys\",\"nameI18nKey\":\"bitbucket.plugins.gpg.audit.attribute.gpgevent.subkeys\",\"value\":\"{\\\"id\\\":\\\"11c2e18c5314e70b\\\",\\\"fingerprint\\\":\\\"dbcf265ce5178b92adeaaa7111c2e18c5314e70b\\\"}\"},{\"name\":\"Key text\",\"nameI18nKey\":\"bitbucket.plugins.gpg.audit.attribute.gpgevent.text\",\"value\":\"-----BEGIN PGP PUBLIC KEY BLOCK-----\\r\\nVersion: GnuPG v1\\r\\nComment: See Alan's GPG guide at https://futureboy.us/pgp.html\\r\\n\\r\\nmQINBFPOzTUBEADT1kIEMY1Ix+9DyNfGHE9HPjLSI/Ybnsn/bbx8cWmeAktoYjBS\\r\\nq29mJ0tchjyG8KP38vlkvfNYKn80985a/p7ZKupxOm1dDyAn5TZguDG2fEgCYxcB...\"},{\"name\":\"Email\",\"nameI18nKey\":\"bitbucket.plugins.gpg.audit.attribute.gpgevent.email\",\"value\":\"eliasen@mindspring.com\"},{\"name\":\"Fingerprint\",\"nameI18nKey\":\"bitbucket.plugins.gpg.audit.attribute.gpgevent.fingerprint\",\"value\":\"ec2392f2ede74488680da3cf5f2b4756ed873d23\"},{\"name\":\"ID\",\"nameI18nKey\":\"bitbucket.plugins.gpg.audit.attribute.gpgevent.id\",\"value\":\"5f2b4756ed873d23\"},{\"name\":\"details\",\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.details\",\"value\":\"{\\\"id\\\":\\\"5f2b4756ed873d23\\\",\\\"fingerprint\\\":\\\"ec2392f2ede74488680da3cf5f2b4756ed873d23\\\",\\\"key-text\\\":\\\"-----BEGIN PGP PUBLIC KEY BLOCK-----\\\\r\\\\nVersion: GnuPG v1\\\\r\\\\nComment: See Alan's GPG guide at 
https://futureboy.us/pgp.html\\\\r\\\\n\\\\r\\\\nmQINBFPOzTUBEADT1kIEMY1Ix+9DyNfGHE9HPjLSI/Ybnsn/bbx8cWmeAktoYjBS\\\\r\\\\nq29mJ0tchjyG8KP38vlkvfNYKn80985a/p7ZKupxOm1dDyAn5TZguDG2fEgCYxcB...\\\",\\\"sub-keys\\\":[{\\\"id\\\":\\\"11c2e18c5314e70b\\\",\\\"fingerprint\\\":\\\"dbcf265ce5178b92adeaaa7111c2e18c5314e70b\\\"}],\\\"user\\\":{\\\"id\\\":2,\\\"name\\\":\\\"admin\\\",\\\"slug\\\":\\\"admin\\\"}}\"},{\"name\":\"target\",\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"value\":\"admin\"}],\"method\":\"Browser\",\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"source\":\"10.100.100.2\",\"system\":\"http://bitbucket.internal:7990\",\"timestamp\":{\"epochSecond\":1638035948,\"nano\":272000000},\"version\":\"1.0\"}", "type": [ - "admin", "creation" ] }, 
@@ -3508,7 +3519,6 @@ "kind": "event", "original": "{\"affectedObjects\":[{\"id\":\"2\",\"name\":\"admin\",\"type\":\"USER\"}],\"auditType\":{\"action\":\"GPG key deleted\",\"actionI18nKey\":\"bitbucket.plugins.gpg.audit.action.gpgevent.deleted\",\"area\":\"USER_MANAGEMENT\",\"category\":\"Users and groups\",\"categoryI18nKey\":\"bitbucket.service.audit.category.usersandgroups\",\"level\":\"BASE\"},\"author\":{\"id\":\"2\",\"name\":\"admin\",\"type\":\"NORMAL\"},\"changedValues\":[],\"extraAttributes\":[{\"name\":\"Subkeys\",\"nameI18nKey\":\"bitbucket.plugins.gpg.audit.attribute.gpgevent.subkeys\",\"value\":\"{\\\"id\\\":\\\"11c2e18c5314e70b\\\",\\\"fingerprint\\\":\\\"dbcf265ce5178b92adeaaa7111c2e18c5314e70b\\\"}\"},{\"name\":\"Key text\",\"nameI18nKey\":\"bitbucket.plugins.gpg.audit.attribute.gpgevent.text\",\"value\":\"-----BEGIN PGP PUBLIC KEY BLOCK-----\\r\\nVersion: GnuPG v1\\r\\nComment: See Alan's GPG guide at https://futureboy.us/pgp.html\\r\\n\\r\\nmQINBFPOzTUBEADT1kIEMY1Ix+9DyNfGHE9HPjLSI/Ybnsn/bbx8cWmeAktoYjBS\\r\\nq29mJ0tchjyG8KP38vlkvfNYKn80985a/p7ZKupxOm1dDyAn5TZguDG2fEgCYxcB...\"},{\"name\":\"Email\",\"nameI18nKey\":\"bitbucket.plugins.gpg.audit.attribute.gpgevent.email\",\"value\":\"eliasen@mindspring.com\"},{\"name\":\"Fingerprint\",\"nameI18nKey\":\"bitbucket.plugins.gpg.audit.attribute.gpgevent.fingerprint\",\"value\":\"ec2392f2ede74488680da3cf5f2b4756ed873d23\"},{\"name\":\"ID\",\"nameI18nKey\":\"bitbucket.plugins.gpg.audit.attribute.gpgevent.id\",\"value\":\"5f2b4756ed873d23\"},{\"name\":\"details\",\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.details\",\"value\":\"{\\\"id\\\":\\\"5f2b4756ed873d23\\\",\\\"fingerprint\\\":\\\"ec2392f2ede74488680da3cf5f2b4756ed873d23\\\",\\\"key-text\\\":\\\"-----BEGIN PGP PUBLIC KEY BLOCK-----\\\\r\\\\nVersion: GnuPG v1\\\\r\\\\nComment: See Alan's GPG guide at 
https://futureboy.us/pgp.html\\\\r\\\\n\\\\r\\\\nmQINBFPOzTUBEADT1kIEMY1Ix+9DyNfGHE9HPjLSI/Ybnsn/bbx8cWmeAktoYjBS\\\\r\\\\nq29mJ0tchjyG8KP38vlkvfNYKn80985a/p7ZKupxOm1dDyAn5TZguDG2fEgCYxcB...\\\",\\\"sub-keys\\\":[{\\\"id\\\":\\\"11c2e18c5314e70b\\\",\\\"fingerprint\\\":\\\"dbcf265ce5178b92adeaaa7111c2e18c5314e70b\\\"}],\\\"user\\\":{\\\"id\\\":2,\\\"name\\\":\\\"admin\\\",\\\"slug\\\":\\\"admin\\\"}}\"},{\"name\":\"target\",\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"value\":\"admin\"}],\"method\":\"Browser\",\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"source\":\"10.100.100.2\",\"system\":\"http://bitbucket.internal:7990\",\"timestamp\":{\"epochSecond\":1638035955,\"nano\":721000000},\"version\":\"1.0\"}", "type": [ - "admin", "deletion" ] }, 
@@ -3598,7 +3608,6 @@ "kind": "event", "original": "{\"affectedObjects\":[{\"id\":\"2\",\"name\":\"admin\",\"type\":\"USER\"}],\"auditType\":{\"action\":\"User deleted SSH access key from profile\",\"actionI18nKey\":\"bitbucket.ssh.audit.action.sshkeydeleted\",\"area\":\"USER_MANAGEMENT\",\"category\":\"Users and groups\",\"categoryI18nKey\":\"bitbucket.service.audit.category.usersandgroups\",\"level\":\"BASE\"},\"author\":{\"id\":\"2\",\"name\":\"admin\",\"type\":\"NORMAL\"},\"changedValues\":[],\"extraAttributes\":[{\"name\":\"Key ID\",\"nameI18nKey\":\"bitbucket.ssh.audit.attr.sshkey.id\",\"value\":\"1\"},{\"name\":\"Label\",\"nameI18nKey\":\"bitbucket.ssh.audit.attr.sshkey.label\",\"value\":\"schacon@mylaptop.local\"},{\"name\":\"details\",\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.details\",\"value\":\"{\\\"id\\\":1,\\\"public-key\\\":\\\"ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAklOUpkDHrfHY17SbrmTIpNLTGK9Tjom/BWDSU\\\\r\\\\nGPl+nafzlHDTYW7hdI4yZ5ew18JH4JW9jbhUFrviQzM7xlELEVf4h9lFX5QVkbPppSwg0cda3\\\\r\\\\nPbv7kOdJ/MTyBlWXFCR+HAo3FXRitBqxiX1nKhXpHAZsMciLq8V6RjsNAQwdsdMFvSlVK/7XA\\\\r\\\\nt3FaoJoAsncM1Q9x5+3V0Ww68/eIFmb1zuUFljQJKprrX88XypNDvjYNby6vw/Pb0rwert/En\\\\r\\\\nmZ+AW4OZPnTPI89ZPmVMLuayrD2cE86Z/il8b+gw3r3+1nKatmIkjn2so1d01QraTlMqVSsbx\\\\r\\\\nNrRFi9wrf+M7Q== schacon@mylaptop.local\\\",\\\"label\\\":\\\"schacon@mylaptop.local\\\",\\\"user\\\":{\\\"id\\\":2,\\\"name\\\":\\\"admin\\\",\\\"slug\\\":\\\"admin\\\"}}\"},{\"name\":\"Public key\",\"nameI18nKey\":\"bitbucket.ssh.audit.attr.sshkey.publickey\",\"value\":\"ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAklOUpkDHrfHY17SbrmTIpNLTGK9Tjom/BWDSU\\r\\nGPl+nafzlHDTYW7hdI4yZ5ew18JH4JW9jbhUFrviQzM7xlELEVf4h9lFX5QVkbPppSwg0cda3\\r\\nPbv7kOdJ/MTyBlWXFCR+HAo3FXRitBqxiX1nKhXpHAZsMciLq8V6RjsNAQwdsdMFvSlVK/7XA\\r\\nt3FaoJoAsncM1Q9x5+3V0Ww68/eIFmb1zuUFljQJKprrX88XypNDvjYNby6vw/Pb0rwert/En\\r\\nmZ+AW4OZPnTPI89ZPmVMLuayrD2cE86Z/il8b+gw3r3+1nKatmIkjn2so1d01QraTlMqVSsbx\\r\\nNrRFi9wrf+M7Q== 
schacon@mylaptop.local\"},{\"name\":\"target\",\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"value\":\"admin\"}],\"method\":\"Browser\",\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"source\":\"10.100.100.2\",\"system\":\"http://bitbucket.internal:7990\",\"timestamp\":{\"epochSecond\":1638035959,\"nano\":377000000},\"version\":\"1.0\"}", "type": [ - "admin", "deletion" ] }, @@ -3812,7 +3821,9 @@ "action": "atlassian.audit.event.action.audit.search", "kind": "event", "original": "{\"affectedObjects\":[],\"auditType\":{\"action\":\"Audit Log search performed\",\"actionI18nKey\":\"atlassian.audit.event.action.audit.search\",\"area\":\"AUDIT_LOG\",\"category\":\"Auditing\",\"categoryI18nKey\":\"atlassian.audit.event.category.audit\",\"level\":\"BASE\"},\"author\":{\"id\":\"2\",\"name\":\"admin\",\"type\":\"NORMAL\"},\"changedValues\":[],\"extraAttributes\":[{\"name\":\"Query\",\"nameI18nKey\":\"atlassian.audit.event.attribute.query\",\"value\":\"\"},{\"name\":\"Results returned\",\"nameI18nKey\":\"atlassian.audit.event.attribute.results\",\"value\":\"199\"},{\"name\":\"Timestamp Range\",\"nameI18nKey\":\"atlassian.audit.event.attribute.timestamp\",\"value\":\"2021-11-27T17:26:25.045Z - 2021-11-27T17:59:30.135Z\"},{\"name\":\"ID Range\",\"nameI18nKey\":\"atlassian.audit.event.attribute.id\",\"value\":\"1 - 199\"}],\"method\":\"Browser\",\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"source\":\"10.100.100.2\",\"system\":\"http://bitbucket.internal:7990\",\"timestamp\":{\"epochSecond\":1638035970,\"nano\":204000000},\"version\":\"1.0\"}", - "type": "info" + "type": [ + "info" + ] }, "related": { "hosts": [ 
@@ -3862,7 +3873,9 @@ "action": "bitbucket.scm.git.lfs.audit.action.gitlfsfeatureenabled", "kind": "event", "original": "{\"affectedObjects\":[],\"auditType\":{\"action\":\"LFS feature enabled\",\"actionI18nKey\":\"bitbucket.scm.git.lfs.audit.action.gitlfsfeatureenabled\",\"area\":\"GLOBAL_CONFIG_AND_ADMINISTRATION\",\"category\":\"Global administration\",\"categoryI18nKey\":\"bitbucket.service.audit.category.globaladministration\",\"level\":\"ADVANCED\"},\"author\":{\"id\":\"2\",\"name\":\"admin\",\"type\":\"NORMAL\"},\"changedValues\":[],\"extraAttributes\":[],\"method\":\"Browser\",\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"source\":\"10.100.100.2\",\"system\":\"http://bitbucket.internal:7990\",\"timestamp\":{\"epochSecond\":1638036037,\"nano\":416000000},\"version\":\"1.0\"}", - "type": "info" + "type": [ + "info" + ] }, "related": { "hosts": [ @@ -3926,7 +3939,9 @@ "action": "bitbucket.service.project.audit.action.projectcreationrequested", "kind": "event", "original": "{\"affectedObjects\":[{\"id\":\"0\",\"name\":\"TEST\",\"type\":\"PROJECT\"}],\"auditType\":{\"action\":\"Project creation requested\",\"actionI18nKey\":\"bitbucket.service.project.audit.action.projectcreationrequested\",\"area\":\"LOCAL_CONFIG_AND_ADMINISTRATION\",\"category\":\"Projects\",\"categoryI18nKey\":\"bitbucket.service.audit.category.projects\",\"level\":\"BASE\"},\"author\":{\"id\":\"2\",\"name\":\"admin\",\"type\":\"NORMAL\"},\"changedValues\":[],\"extraAttributes\":[{\"name\":\"target\",\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"value\":\"TEST\"}],\"method\":\"Browser\",\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"source\":\"10.100.100.2\",\"system\":\"http://bitbucket.internal:7990\",\"timestamp\":{\"epochSecond\":1638036077,\"nano\":660000000},\"version\":\"1.0\"}", - "type": "info" + "type": [ + "info" + ] }, "related": { "hosts": [ 
@@ -4010,7 +4025,6 @@ "kind": "event", "original": "{\"affectedObjects\":[{\"id\":\"2\",\"name\":\"TEST\",\"type\":\"PROJECT\"},{\"id\":\"2\",\"name\":\"admin\",\"type\":\"USER\"}],\"auditType\":{\"action\":\"Project permission granted\",\"actionI18nKey\":\"bitbucket.service.user.audit.action.projectpermissiongranted\",\"area\":\"PERMISSIONS\",\"category\":\"Permissions\",\"categoryI18nKey\":\"bitbucket.service.audit.category.permissions\",\"level\":\"BASE\"},\"author\":{\"id\":\"2\",\"name\":\"admin\",\"type\":\"NORMAL\"},\"changedValues\":[],\"extraAttributes\":[{\"name\":\"details\",\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.details\",\"value\":\"{\\\"permission\\\":\\\"PROJECT_ADMIN\\\",\\\"user\\\":\\\"admin\\\"}\"},{\"name\":\"Permission\",\"nameI18nKey\":\"bitbucket.service.user.audit.attribute.permission.permission\",\"value\":\"PROJECT_ADMIN\"},{\"name\":\"target\",\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"value\":\"TEST\"}],\"method\":\"Browser\",\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"source\":\"10.100.100.2\",\"system\":\"http://bitbucket.internal:7990\",\"timestamp\":{\"epochSecond\":1638036077,\"nano\":828000000},\"version\":\"1.0\"}", "type": [ - "admin", "creation" ] }, 
@@ -4170,7 +4184,9 @@ "action": "bitbucket.branch.audit.action.projectbranchmodelconfigurationcreated", "kind": "event", "original": "{\"affectedObjects\":[{\"id\":\"2\",\"name\":\"TEST\",\"type\":\"PROJECT\"}],\"auditType\":{\"action\":\"Project branch model created\",\"actionI18nKey\":\"bitbucket.branch.audit.action.projectbranchmodelconfigurationcreated\",\"area\":\"LOCAL_CONFIG_AND_ADMINISTRATION\",\"category\":\"Projects\",\"categoryI18nKey\":\"bitbucket.service.audit.category.projects\",\"level\":\"BASE\"},\"author\":{\"id\":\"2\",\"name\":\"admin\",\"type\":\"NORMAL\"},\"changedValues\":[],\"extraAttributes\":[{\"name\":\"Feature prefix\",\"nameI18nKey\":\"bitbucket.branch.audit.attribute.branchmodel.featureprefix\",\"value\":\"feature/\"},{\"name\":\"Development branch\",\"nameI18nKey\":\"bitbucket.branch.audit.attribute.branchmodel.developmentbranch\",\"value\":\"(default branch)\"},{\"name\":\"Hotfix prefix\",\"nameI18nKey\":\"bitbucket.branch.audit.attribute.branchmodel.hotfixprefix\",\"value\":\"hotfix/\"},{\"name\":\"Bugfix prefix\",\"nameI18nKey\":\"bitbucket.branch.audit.attribute.branchmodel.bugfixprefix\",\"value\":\"bugfix/\"},{\"name\":\"Production branch\",\"nameI18nKey\":\"bitbucket.branch.audit.attribute.branchmodel.productionbranch\",\"value\":\"(none)\"},{\"name\":\"Release prefix\",\"nameI18nKey\":\"bitbucket.branch.audit.attribute.branchmodel.releaseprefix\",\"value\":\"release/\"}],\"method\":\"Browser\",\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"source\":\"10.100.100.2\",\"system\":\"http://bitbucket.internal:7990\",\"timestamp\":{\"epochSecond\":1638036078,\"nano\":549000000},\"version\":\"1.0\"}", - "type": "info" + "type": [ + "info" + ] }, "related": { "hosts": [ 
@@ -4239,7 +4255,9 @@ "action": "bitbucket.service.repository.audit.action.repositorycreationrequested", "kind": "event", "original": "{\"affectedObjects\":[{\"id\":\"2\",\"name\":\"TEST\",\"type\":\"PROJECT\"},{\"id\":\"0\",\"name\":\"test2\",\"type\":\"REPOSITORY\"}],\"auditType\":{\"action\":\"Repository creation requested\",\"actionI18nKey\":\"bitbucket.service.repository.audit.action.repositorycreationrequested\",\"area\":\"LOCAL_CONFIG_AND_ADMINISTRATION\",\"category\":\"Repositories\",\"categoryI18nKey\":\"bitbucket.service.audit.category.repositories\",\"level\":\"BASE\"},\"author\":{\"id\":\"2\",\"name\":\"admin\",\"type\":\"NORMAL\"},\"changedValues\":[],\"extraAttributes\":[{\"name\":\"target\",\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"value\":\"TEST/test2\"}],\"method\":\"Browser\",\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"source\":\"10.100.100.2\",\"system\":\"http://bitbucket.internal:7990\",\"timestamp\":{\"epochSecond\":1638036095,\"nano\":988000000},\"version\":\"1.0\"}", - "type": "info" + "type": [ + "info" + ] }, "related": { "hosts": [ 
@@ -4313,7 +4331,9 @@ "action": "bitbucket.service.repository.audit.action.repositorycreated", "kind": "event", "original": "{\"affectedObjects\":[{\"id\":\"2\",\"name\":\"TEST\",\"type\":\"PROJECT\"},{\"id\":\"1\",\"name\":\"test2\",\"type\":\"REPOSITORY\"}],\"auditType\":{\"action\":\"Repository created\",\"actionI18nKey\":\"bitbucket.service.repository.audit.action.repositorycreated\",\"area\":\"LOCAL_CONFIG_AND_ADMINISTRATION\",\"category\":\"Repositories\",\"categoryI18nKey\":\"bitbucket.service.audit.category.repositories\",\"level\":\"BASE\"},\"author\":{\"id\":\"2\",\"name\":\"admin\",\"type\":\"NORMAL\"},\"changedValues\":[],\"extraAttributes\":[{\"name\":\"details\",\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.details\",\"value\":\"{\\\"project\\\":\\\"TEST\\\",\\\"repository\\\":\\\"test2\\\"}\"},{\"name\":\"target\",\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"value\":\"TEST/test2\"}],\"method\":\"Browser\",\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"source\":\"10.100.100.2\",\"system\":\"http://bitbucket.internal:7990\",\"timestamp\":{\"epochSecond\":1638036101,\"nano\":63000000},\"version\":\"1.0\"}", - "type": "info" + "type": [ + "info" + ] }, "related": { "hosts": [ 
@@ -4856,7 +4876,6 @@ "kind": "event", "original": "{\"affectedObjects\":[{\"id\":\"2\",\"name\":\"TEST\",\"type\":\"PROJECT\"},{\"id\":\"1\",\"name\":\"test2\",\"type\":\"REPOSITORY\"},{\"id\":\"4\",\"name\":\"09e096ea84245cc5\",\"type\":\"USER\"}],\"auditType\":{\"action\":\"Repository permission requested\",\"actionI18nKey\":\"bitbucket.service.user.audit.action.repositorypermissiongrantrequested\",\"area\":\"PERMISSIONS\",\"category\":\"Permissions\",\"categoryI18nKey\":\"bitbucket.service.audit.category.permissions\",\"level\":\"BASE\"},\"author\":{\"id\":\"2\",\"name\":\"admin\",\"type\":\"NORMAL\"},\"changedValues\":[],\"extraAttributes\":[{\"name\":\"Permission\",\"nameI18nKey\":\"bitbucket.service.user.audit.attribute.permission.permission\",\"value\":\"REPO_WRITE\"},{\"name\":\"target\",\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"value\":\"TEST/test2\"},{\"name\":\"details\",\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.details\",\"value\":\"{\\\"permission\\\":\\\"REPO_WRITE\\\",\\\"user\\\":\\\"09e096ea84245cc5\\\"}\"}],\"method\":\"Browser\",\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"source\":\"10.100.100.2\",\"system\":\"http://bitbucket.internal:7990\",\"timestamp\":{\"epochSecond\":1638036247,\"nano\":861000000},\"version\":\"1.0\"}", "type": [ - "admin", "creation" ] }, 
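Review bot: The new expectation for the repository-permission-requested event drops `admin` from `event.type`, leaving only `creation`, and the same removal is repeated in the hunks that follow (permission granted, SSH key added to profile and repository, access-token created/changed/deleted, the permission and key removals, and the project-permission hunk at -6334). `admin` is a valid ECS `event.type` value and these are privilege-management events, so any detection rule or saved search filtering on `event.type:admin` for Bitbucket audit data will stop matching once this ships; the pipeline change that produces the new value is outside this file, so whether the drop is deliberate cannot be confirmed from the hunk. If it is intentional, a changelog or README line naming the removed value would let rule authors migrate; if the goal was only to make `event.type` an array (as the `"info"` hunks do), keeping `admin` alongside `creation` would preserve existing coverage. The enclosing event object starts and ends outside the hunk.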
@@ -4947,7 +4966,6 @@ "kind": "event", "original": "{\"affectedObjects\":[{\"id\":\"2\",\"name\":\"TEST\",\"type\":\"PROJECT\"},{\"id\":\"1\",\"name\":\"test2\",\"type\":\"REPOSITORY\"},{\"id\":\"4\",\"name\":\"09e096ea84245cc5\",\"type\":\"USER\"}],\"auditType\":{\"action\":\"Repository permission granted\",\"actionI18nKey\":\"bitbucket.service.user.audit.action.repositorypermissiongranted\",\"area\":\"PERMISSIONS\",\"category\":\"Permissions\",\"categoryI18nKey\":\"bitbucket.service.audit.category.permissions\",\"level\":\"BASE\"},\"author\":{\"id\":\"2\",\"name\":\"admin\",\"type\":\"NORMAL\"},\"changedValues\":[],\"extraAttributes\":[{\"name\":\"Permission\",\"nameI18nKey\":\"bitbucket.service.user.audit.attribute.permission.permission\",\"value\":\"REPO_WRITE\"},{\"name\":\"target\",\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"value\":\"TEST/test2\"},{\"name\":\"details\",\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.details\",\"value\":\"{\\\"permission\\\":\\\"REPO_WRITE\\\",\\\"user\\\":\\\"09e096ea84245cc5\\\"}\"}],\"method\":\"Browser\",\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"source\":\"10.100.100.2\",\"system\":\"http://bitbucket.internal:7990\",\"timestamp\":{\"epochSecond\":1638036248,\"nano\":132000000},\"version\":\"1.0\"}", "type": [ - "admin", "creation" ] }, 
@@ -5037,7 +5055,6 @@ "kind": "event", "original": "{\"affectedObjects\":[{\"id\":\"4\",\"name\":\"09e096ea84245cc5\",\"type\":\"USER\"}],\"auditType\":{\"action\":\"User added SSH access key to profile\",\"actionI18nKey\":\"bitbucket.ssh.audit.action.sshkeycreated\",\"area\":\"USER_MANAGEMENT\",\"category\":\"Users and groups\",\"categoryI18nKey\":\"bitbucket.service.audit.category.usersandgroups\",\"level\":\"BASE\"},\"author\":{\"id\":\"2\",\"name\":\"admin\",\"type\":\"NORMAL\"},\"changedValues\":[],\"extraAttributes\":[{\"name\":\"Label\",\"nameI18nKey\":\"bitbucket.ssh.audit.attr.sshkey.label\",\"value\":\"schacon@mylaptop.local\"},{\"name\":\"details\",\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.details\",\"value\":\"{\\\"id\\\":2,\\\"public-key\\\":\\\"ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAklOUpkDHrfHY17SbrmTIpNLTGK9Tjom/BWDSU\\\\r\\\\nGPl+nafzlHDTYW7hdI4yZ5ew18JH4JW9jbhUFrviQzM7xlELEVf4h9lFX5QVkbPppSwg0cda3\\\\r\\\\nPbv7kOdJ/MTyBlWXFCR+HAo3FXRitBqxiX1nKhXpHAZsMciLq8V6RjsNAQwdsdMFvSlVK/7XA\\\\r\\\\nt3FaoJoAsncM1Q9x5+3V0Ww68/eIFmb1zuUFljQJKprrX88XypNDvjYNby6vw/Pb0rwert/En\\\\r\\\\nmZ+AW4OZPnTPI89ZPmVMLuayrD2cE86Z/il8b+gw3r3+1nKatmIkjn2so1d01QraTlMqVSsbx\\\\r\\\\nNrRFi9wrf+M7Q== schacon@mylaptop.local\\\",\\\"label\\\":\\\"schacon@mylaptop.local\\\",\\\"user\\\":{\\\"id\\\":4,\\\"name\\\":\\\"09e096ea84245cc5\\\",\\\"slug\\\":\\\"09e096ea84245cc5\\\"}}\"},{\"name\":\"target\",\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"value\":\"09e096ea84245cc5\"},{\"name\":\"Public key\",\"nameI18nKey\":\"bitbucket.ssh.audit.attr.sshkey.publickey\",\"value\":\"ssh-rsa 
AAAAB3NzaC1yc2EAAAABIwAAAQEAklOUpkDHrfHY17SbrmTIpNLTGK9Tjom/BWDSU\\r\\nGPl+nafzlHDTYW7hdI4yZ5ew18JH4JW9jbhUFrviQzM7xlELEVf4h9lFX5QVkbPppSwg0cda3\\r\\nPbv7kOdJ/MTyBlWXFCR+HAo3FXRitBqxiX1nKhXpHAZsMciLq8V6RjsNAQwdsdMFvSlVK/7XA\\r\\nt3FaoJoAsncM1Q9x5+3V0Ww68/eIFmb1zuUFljQJKprrX88XypNDvjYNby6vw/Pb0rwert/En\\r\\nmZ+AW4OZPnTPI89ZPmVMLuayrD2cE86Z/il8b+gw3r3+1nKatmIkjn2so1d01QraTlMqVSsbx\\r\\nNrRFi9wrf+M7Q== schacon@mylaptop.local\"},{\"name\":\"Key ID\",\"nameI18nKey\":\"bitbucket.ssh.audit.attr.sshkey.id\",\"value\":\"2\"}],\"method\":\"Browser\",\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"source\":\"10.100.100.2\",\"system\":\"http://bitbucket.internal:7990\",\"timestamp\":{\"epochSecond\":1638036248,\"nano\":133000000},\"version\":\"1.0\"}", "type": [ - "admin", "creation" ] }, 
@@ -5142,7 +5159,6 @@ "kind": "event", "original": "{\"affectedObjects\":[{\"id\":\"2\",\"name\":\"TEST\",\"type\":\"PROJECT\"},{\"id\":\"1\",\"name\":\"test2\",\"type\":\"REPOSITORY\"},{\"id\":\"4\",\"name\":\"09e096ea84245cc5\",\"type\":\"USER\"}],\"auditType\":{\"action\":\"SSH access key added to repository\",\"actionI18nKey\":\"bitbucket.ssh.audit.action.sshaccesskeygranted.repository\",\"area\":\"LOCAL_CONFIG_AND_ADMINISTRATION\",\"category\":\"Repositories\",\"categoryI18nKey\":\"bitbucket.service.audit.category.repositories\",\"level\":\"BASE\"},\"author\":{\"id\":\"2\",\"name\":\"admin\",\"type\":\"NORMAL\"},\"changedValues\":[],\"extraAttributes\":[{\"name\":\"Label\",\"nameI18nKey\":\"bitbucket.ssh.audit.attr.sshkey.label\",\"value\":\"schacon@mylaptop.local\"},{\"name\":\"target\",\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"value\":\"{\\\"id\\\":2,\\\"label\\\":\\\"schacon@mylaptop.local\\\"}\"},{\"name\":\"details\",\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.details\",\"value\":\"{\\\"key\\\":{\\\"id\\\":2,\\\"label\\\":\\\"schacon@mylaptop.local\\\"},\\\"permission\\\":\\\"REPO_WRITE\\\",\\\"repository\\\":{\\\"id\\\":1,\\\"slug\\\":\\\"test2\\\",\\\"project\\\":{\\\"id\\\":2,\\\"key\\\":\\\"TEST\\\"}}}\"},{\"name\":\"Public key\",\"nameI18nKey\":\"bitbucket.ssh.audit.attr.sshkey.publickey\",\"value\":\"ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAklOUpkDHrfHY17SbrmTIpNLTGK9Tjom/BWDSU\\r\\nGPl+nafzlHDTYW7hdI4yZ5ew18JH4JW9jbhUFrviQzM7xlELEVf4h9lFX5QVkbPppSwg0cda3\\r\\nPbv7kOdJ/MTyBlWXFCR+HAo3FXRitBqxiX1nKhXpHAZsMciLq8V6RjsNAQwdsdMFvSlVK/7XA\\r\\nt3FaoJoAsncM1Q9x5+3V0Ww68/eIFmb1zuUFljQJKprrX88XypNDvjYNby6vw/Pb0rwert/En\\r\\nmZ+AW4OZPnTPI89ZPmVMLuayrD2cE86Z/il8b+gw3r3+1nKatmIkjn2so1d01QraTlMqVSsbx\\r\\nNrRFi9wrf+M7Q== schacon@mylaptop.local\"},{\"name\":\"Permission\",\"nameI18nKey\":\"bitbucket.ssh.audit.attr.sshaccesskey.permission\",\"value\":\"REPO_WRITE\"},{\"name\":\"Key 
ID\",\"nameI18nKey\":\"bitbucket.ssh.audit.attr.sshkey.id\",\"value\":\"2\"}],\"method\":\"Browser\",\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"source\":\"10.100.100.2\",\"system\":\"http://bitbucket.internal:7990\",\"timestamp\":{\"epochSecond\":1638036248,\"nano\":141000000},\"version\":\"1.0\"}", "type": [ - "admin", "creation" ] }, @@ -5233,7 +5249,6 @@ "kind": "event", "original": "{\"affectedObjects\":[{\"id\":\"2\",\"name\":\"TEST\",\"type\":\"PROJECT\"},{\"id\":\"1\",\"name\":\"test2\",\"type\":\"REPOSITORY\"},{\"id\":\"5\",\"name\":\"access-token-user/2/1\",\"type\":\"USER\"}],\"auditType\":{\"action\":\"Repository permission requested\",\"actionI18nKey\":\"bitbucket.service.user.audit.action.repositorypermissiongrantrequested\",\"area\":\"PERMISSIONS\",\"category\":\"Permissions\",\"categoryI18nKey\":\"bitbucket.service.audit.category.permissions\",\"level\":\"BASE\"},\"author\":{\"id\":\"2\",\"name\":\"admin\",\"type\":\"NORMAL\"},\"changedValues\":[],\"extraAttributes\":[{\"name\":\"Permission\",\"nameI18nKey\":\"bitbucket.service.user.audit.attribute.permission.permission\",\"value\":\"REPO_ADMIN\"},{\"name\":\"target\",\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"value\":\"TEST/test2\"},{\"name\":\"details\",\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.details\",\"value\":\"{\\\"permission\\\":\\\"REPO_ADMIN\\\",\\\"user\\\":\\\"access-token-user/2/1\\\"}\"}],\"method\":\"Browser\",\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"source\":\"10.100.100.2\",\"system\":\"http://bitbucket.internal:7990\",\"timestamp\":{\"epochSecond\":1638036263,\"nano\":970000000},\"version\":\"1.0\"}", "type": [ - "admin", "creation" ] }, 
@@ -5324,7 +5339,6 @@ "kind": "event", "original": "{\"affectedObjects\":[{\"id\":\"2\",\"name\":\"TEST\",\"type\":\"PROJECT\"},{\"id\":\"1\",\"name\":\"test2\",\"type\":\"REPOSITORY\"},{\"id\":\"5\",\"name\":\"access-token-user/2/1\",\"type\":\"USER\"}],\"auditType\":{\"action\":\"Repository permission granted\",\"actionI18nKey\":\"bitbucket.service.user.audit.action.repositorypermissiongranted\",\"area\":\"PERMISSIONS\",\"category\":\"Permissions\",\"categoryI18nKey\":\"bitbucket.service.audit.category.permissions\",\"level\":\"BASE\"},\"author\":{\"id\":\"2\",\"name\":\"admin\",\"type\":\"NORMAL\"},\"changedValues\":[],\"extraAttributes\":[{\"name\":\"Permission\",\"nameI18nKey\":\"bitbucket.service.user.audit.attribute.permission.permission\",\"value\":\"REPO_ADMIN\"},{\"name\":\"target\",\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"value\":\"TEST/test2\"},{\"name\":\"details\",\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.details\",\"value\":\"{\\\"permission\\\":\\\"REPO_ADMIN\\\",\\\"user\\\":\\\"access-token-user/2/1\\\"}\"}],\"method\":\"Browser\",\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"source\":\"10.100.100.2\",\"system\":\"http://bitbucket.internal:7990\",\"timestamp\":{\"epochSecond\":1638036263,\"nano\":975000000},\"version\":\"1.0\"}", "type": [ - "admin", "creation" ] }, 
@@ -5414,7 +5428,6 @@ "kind": "event", "original": "{\"affectedObjects\":[{\"id\":\"2\",\"name\":\"TEST\",\"type\":\"PROJECT\"},{\"id\":\"1\",\"name\":\"test2\",\"type\":\"REPOSITORY\"}],\"auditType\":{\"action\":\"Repository access token created\",\"actionI18nKey\":\"bitbucket.access.tokens.audit.action.accesstokencreated.repository\",\"area\":\"SECURITY\",\"category\":\"Repositories\",\"categoryI18nKey\":\"bitbucket.service.audit.category.repositories\",\"level\":\"BASE\"},\"author\":{\"id\":\"2\",\"name\":\"admin\",\"type\":\"NORMAL\"},\"changedValues\":[],\"extraAttributes\":[{\"name\":\"Permissions\",\"nameI18nKey\":\"bitbucket.access.tokens.audit.attribute.accesstoken.permissions\",\"value\":\"REPO_READ\"},{\"name\":\"details\",\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.details\",\"value\":\"{\\\"id\\\":\\\"254498386527\\\",\\\"tokenOwner\\\":{\\\"id\\\":5,\\\"name\\\":\\\"access-token-user/2/1\\\",\\\"slug\\\":\\\"access-token-user_2_1\\\"},\\\"name\\\":\\\"ddddd\\\",\\\"permissions\\\":[\\\"REPO_READ\\\"]}\"},{\"name\":\"target\",\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"value\":\"GLOBAL\"},{\"name\":\"Name\",\"nameI18nKey\":\"bitbucket.access.tokens.audit.attribute.accesstoken.name\",\"value\":\"ddddd\"}],\"method\":\"Browser\",\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"source\":\"10.100.100.2\",\"system\":\"http://bitbucket.internal:7990\",\"timestamp\":{\"epochSecond\":1638036264,\"nano\":6000000},\"version\":\"1.0\"}", "type": [ - "admin", "creation" ] }, 
@@ -5504,7 +5517,6 @@ "kind": "event", "original": "{\"affectedObjects\":[{\"id\":\"2\",\"name\":\"TEST\",\"type\":\"PROJECT\"},{\"id\":\"1\",\"name\":\"test2\",\"type\":\"REPOSITORY\"}],\"auditType\":{\"action\":\"Repository access token changed\",\"actionI18nKey\":\"bitbucket.access.tokens.audit.action.accesstokenmodified.repository\",\"area\":\"USER_MANAGEMENT\",\"category\":\"Repositories\",\"categoryI18nKey\":\"bitbucket.service.audit.category.repositories\",\"level\":\"BASE\"},\"author\":{\"id\":\"2\",\"name\":\"admin\",\"type\":\"NORMAL\"},\"changedValues\":[],\"extraAttributes\":[{\"name\":\"Name\",\"nameI18nKey\":\"bitbucket.access.tokens.audit.attribute.accesstoken.name\",\"value\":\"dddddasdf\"},{\"name\":\"Permissions\",\"nameI18nKey\":\"bitbucket.access.tokens.audit.attribute.accesstoken.permissions\",\"value\":\"REPO_ADMIN\"},{\"name\":\"target\",\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"value\":\"GLOBAL\"},{\"name\":\"details\",\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.details\",\"value\":\"{\\\"id\\\":\\\"254498386527\\\",\\\"tokenOwner\\\":{\\\"id\\\":5,\\\"name\\\":\\\"access-token-user/2/1\\\",\\\"slug\\\":\\\"access-token-user_2_1\\\"},\\\"name\\\":\\\"dddddasdf\\\",\\\"permissions\\\":[\\\"REPO_ADMIN\\\"]}\"}],\"method\":\"Browser\",\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"source\":\"10.100.100.2\",\"system\":\"http://bitbucket.internal:7990\",\"timestamp\":{\"epochSecond\":1638036272,\"nano\":296000000},\"version\":\"1.0\"}", "type": [ - "admin", "change" ] }, 
@@ -5594,7 +5606,6 @@ "kind": "event", "original": "{\"affectedObjects\":[{\"id\":\"2\",\"name\":\"TEST\",\"type\":\"PROJECT\"},{\"id\":\"1\",\"name\":\"test2\",\"type\":\"REPOSITORY\"}],\"auditType\":{\"action\":\"Repository access token deleted\",\"actionI18nKey\":\"bitbucket.access.tokens.audit.action.accesstokendeleted.repository\",\"area\":\"SECURITY\",\"category\":\"Repositories\",\"categoryI18nKey\":\"bitbucket.service.audit.category.repositories\",\"level\":\"BASE\"},\"author\":{\"id\":\"2\",\"name\":\"admin\",\"type\":\"NORMAL\"},\"changedValues\":[],\"extraAttributes\":[{\"name\":\"Name\",\"nameI18nKey\":\"bitbucket.access.tokens.audit.attribute.accesstoken.name\",\"value\":\"dddddasdf\"},{\"name\":\"Permissions\",\"nameI18nKey\":\"bitbucket.access.tokens.audit.attribute.accesstoken.permissions\",\"value\":\"REPO_ADMIN\"},{\"name\":\"target\",\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"value\":\"GLOBAL\"},{\"name\":\"details\",\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.details\",\"value\":\"{\\\"id\\\":\\\"254498386527\\\",\\\"tokenOwner\\\":{\\\"id\\\":5,\\\"name\\\":\\\"access-token-user/2/1\\\",\\\"slug\\\":\\\"access-token-user_2_1\\\"},\\\"name\\\":\\\"dddddasdf\\\",\\\"permissions\\\":[\\\"REPO_ADMIN\\\"]}\"}],\"method\":\"Browser\",\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"source\":\"10.100.100.2\",\"system\":\"http://bitbucket.internal:7990\",\"timestamp\":{\"epochSecond\":1638036275,\"nano\":945000000},\"version\":\"1.0\"}", "type": [ - "admin", "deletion" ] }, 
@@ -5685,7 +5696,6 @@ "kind": "event", "original": "{\"affectedObjects\":[{\"id\":\"2\",\"name\":\"TEST\",\"type\":\"PROJECT\"},{\"id\":\"1\",\"name\":\"test2\",\"type\":\"REPOSITORY\"},{\"id\":\"4\",\"name\":\"09e096ea84245cc5\",\"type\":\"USER\"}],\"auditType\":{\"action\":\"Repository permission remove request\",\"actionI18nKey\":\"bitbucket.service.user.audit.action.repositorypermissionrevocationrequested\",\"area\":\"PERMISSIONS\",\"category\":\"Permissions\",\"categoryI18nKey\":\"bitbucket.service.audit.category.permissions\",\"level\":\"BASE\"},\"author\":{\"id\":\"2\",\"name\":\"admin\",\"type\":\"NORMAL\"},\"changedValues\":[],\"extraAttributes\":[{\"name\":\"Permission\",\"nameI18nKey\":\"bitbucket.service.user.audit.attribute.permission.permission\",\"value\":\"REPO_WRITE\"},{\"name\":\"target\",\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"value\":\"TEST/test2\"},{\"name\":\"details\",\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.details\",\"value\":\"{\\\"permission\\\":\\\"REPO_WRITE\\\",\\\"user\\\":\\\"09e096ea84245cc5\\\"}\"}],\"method\":\"Browser\",\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"source\":\"10.100.100.2\",\"system\":\"http://bitbucket.internal:7990\",\"timestamp\":{\"epochSecond\":1638036287,\"nano\":255000000},\"version\":\"1.0\"}", "type": [ - "admin", "deletion" ] }, 
@@ -5776,7 +5786,6 @@ "kind": "event", "original": "{\"affectedObjects\":[{\"id\":\"2\",\"name\":\"TEST\",\"type\":\"PROJECT\"},{\"id\":\"1\",\"name\":\"test2\",\"type\":\"REPOSITORY\"},{\"id\":\"4\",\"name\":\"09e096ea84245cc5\",\"type\":\"USER\"}],\"auditType\":{\"action\":\"Repository permission removed\",\"actionI18nKey\":\"bitbucket.service.user.audit.action.repositorypermissionrevoked\",\"area\":\"PERMISSIONS\",\"category\":\"Permissions\",\"categoryI18nKey\":\"bitbucket.service.audit.category.permissions\",\"level\":\"BASE\"},\"author\":{\"id\":\"2\",\"name\":\"admin\",\"type\":\"NORMAL\"},\"changedValues\":[],\"extraAttributes\":[{\"name\":\"Permission\",\"nameI18nKey\":\"bitbucket.service.user.audit.attribute.permission.permission\",\"value\":\"REPO_WRITE\"},{\"name\":\"target\",\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"value\":\"TEST/test2\"},{\"name\":\"details\",\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.details\",\"value\":\"{\\\"permission\\\":\\\"REPO_WRITE\\\",\\\"user\\\":\\\"09e096ea84245cc5\\\"}\"}],\"method\":\"Browser\",\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"source\":\"10.100.100.2\",\"system\":\"http://bitbucket.internal:7990\",\"timestamp\":{\"epochSecond\":1638036287,\"nano\":288000000},\"version\":\"1.0\"}", "type": [ - "admin", "deletion" ] }, 
@@ -5866,7 +5875,6 @@ "kind": "event", "original": "{\"affectedObjects\":[{\"id\":\"4\",\"name\":\"09e096ea84245cc5\",\"type\":\"USER\"}],\"auditType\":{\"action\":\"User deleted SSH access key from profile\",\"actionI18nKey\":\"bitbucket.ssh.audit.action.sshkeydeleted\",\"area\":\"USER_MANAGEMENT\",\"category\":\"Users and groups\",\"categoryI18nKey\":\"bitbucket.service.audit.category.usersandgroups\",\"level\":\"BASE\"},\"author\":{\"id\":\"2\",\"name\":\"admin\",\"type\":\"NORMAL\"},\"changedValues\":[],\"extraAttributes\":[{\"name\":\"Label\",\"nameI18nKey\":\"bitbucket.ssh.audit.attr.sshkey.label\",\"value\":\"schacon@mylaptop.local\"},{\"name\":\"details\",\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.details\",\"value\":\"{\\\"id\\\":2,\\\"public-key\\\":\\\"ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAklOUpkDHrfHY17SbrmTIpNLTGK9Tjom/BWDSU\\\\r\\\\nGPl+nafzlHDTYW7hdI4yZ5ew18JH4JW9jbhUFrviQzM7xlELEVf4h9lFX5QVkbPppSwg0cda3\\\\r\\\\nPbv7kOdJ/MTyBlWXFCR+HAo3FXRitBqxiX1nKhXpHAZsMciLq8V6RjsNAQwdsdMFvSlVK/7XA\\\\r\\\\nt3FaoJoAsncM1Q9x5+3V0Ww68/eIFmb1zuUFljQJKprrX88XypNDvjYNby6vw/Pb0rwert/En\\\\r\\\\nmZ+AW4OZPnTPI89ZPmVMLuayrD2cE86Z/il8b+gw3r3+1nKatmIkjn2so1d01QraTlMqVSsbx\\\\r\\\\nNrRFi9wrf+M7Q== schacon@mylaptop.local\\\",\\\"label\\\":\\\"schacon@mylaptop.local\\\",\\\"user\\\":{\\\"id\\\":4,\\\"name\\\":\\\"09e096ea84245cc5\\\",\\\"slug\\\":\\\"09e096ea84245cc5\\\"}}\"},{\"name\":\"target\",\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"value\":\"09e096ea84245cc5\"},{\"name\":\"Public key\",\"nameI18nKey\":\"bitbucket.ssh.audit.attr.sshkey.publickey\",\"value\":\"ssh-rsa 
AAAAB3NzaC1yc2EAAAABIwAAAQEAklOUpkDHrfHY17SbrmTIpNLTGK9Tjom/BWDSU\\r\\nGPl+nafzlHDTYW7hdI4yZ5ew18JH4JW9jbhUFrviQzM7xlELEVf4h9lFX5QVkbPppSwg0cda3\\r\\nPbv7kOdJ/MTyBlWXFCR+HAo3FXRitBqxiX1nKhXpHAZsMciLq8V6RjsNAQwdsdMFvSlVK/7XA\\r\\nt3FaoJoAsncM1Q9x5+3V0Ww68/eIFmb1zuUFljQJKprrX88XypNDvjYNby6vw/Pb0rwert/En\\r\\nmZ+AW4OZPnTPI89ZPmVMLuayrD2cE86Z/il8b+gw3r3+1nKatmIkjn2so1d01QraTlMqVSsbx\\r\\nNrRFi9wrf+M7Q== schacon@mylaptop.local\"},{\"name\":\"Key ID\",\"nameI18nKey\":\"bitbucket.ssh.audit.attr.sshkey.id\",\"value\":\"2\"}],\"method\":\"Browser\",\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"source\":\"10.100.100.2\",\"system\":\"http://bitbucket.internal:7990\",\"timestamp\":{\"epochSecond\":1638036287,\"nano\":298000000},\"version\":\"1.0\"}", "type": [ - "admin", "deletion" ] }, 
@@ -5971,7 +5979,6 @@ "kind": "event", "original": "{\"affectedObjects\":[{\"id\":\"2\",\"name\":\"TEST\",\"type\":\"PROJECT\"},{\"id\":\"1\",\"name\":\"test2\",\"type\":\"REPOSITORY\"},{\"id\":\"4\",\"name\":\"09e096ea84245cc5\",\"type\":\"USER\"}],\"auditType\":{\"action\":\"SSH access key deleted from repository\",\"actionI18nKey\":\"bitbucket.ssh.audit.action.sshaccesskeyrevoked.repository\",\"area\":\"LOCAL_CONFIG_AND_ADMINISTRATION\",\"category\":\"Repositories\",\"categoryI18nKey\":\"bitbucket.service.audit.category.repositories\",\"level\":\"BASE\"},\"author\":{\"id\":\"2\",\"name\":\"admin\",\"type\":\"NORMAL\"},\"changedValues\":[],\"extraAttributes\":[{\"name\":\"Label\",\"nameI18nKey\":\"bitbucket.ssh.audit.attr.sshkey.label\",\"value\":\"schacon@mylaptop.local\"},{\"name\":\"target\",\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"value\":\"{\\\"id\\\":2,\\\"label\\\":\\\"schacon@mylaptop.local\\\"}\"},{\"name\":\"details\",\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.details\",\"value\":\"{\\\"key\\\":{\\\"id\\\":2,\\\"label\\\":\\\"schacon@mylaptop.local\\\"},\\\"permission\\\":\\\"REPO_WRITE\\\",\\\"repository\\\":{\\\"id\\\":1,\\\"slug\\\":\\\"test2\\\",\\\"project\\\":{\\\"id\\\":2,\\\"key\\\":\\\"TEST\\\"}}}\"},{\"name\":\"Public key\",\"nameI18nKey\":\"bitbucket.ssh.audit.attr.sshkey.publickey\",\"value\":\"ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAklOUpkDHrfHY17SbrmTIpNLTGK9Tjom/BWDSU\\r\\nGPl+nafzlHDTYW7hdI4yZ5ew18JH4JW9jbhUFrviQzM7xlELEVf4h9lFX5QVkbPppSwg0cda3\\r\\nPbv7kOdJ/MTyBlWXFCR+HAo3FXRitBqxiX1nKhXpHAZsMciLq8V6RjsNAQwdsdMFvSlVK/7XA\\r\\nt3FaoJoAsncM1Q9x5+3V0Ww68/eIFmb1zuUFljQJKprrX88XypNDvjYNby6vw/Pb0rwert/En\\r\\nmZ+AW4OZPnTPI89ZPmVMLuayrD2cE86Z/il8b+gw3r3+1nKatmIkjn2so1d01QraTlMqVSsbx\\r\\nNrRFi9wrf+M7Q== schacon@mylaptop.local\"},{\"name\":\"Permission\",\"nameI18nKey\":\"bitbucket.ssh.audit.attr.sshaccesskey.permission\",\"value\":\"REPO_WRITE\"},{\"name\":\"Key 
ID\",\"nameI18nKey\":\"bitbucket.ssh.audit.attr.sshkey.id\",\"value\":\"2\"}],\"method\":\"Browser\",\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"source\":\"10.100.100.2\",\"system\":\"http://bitbucket.internal:7990\",\"timestamp\":{\"epochSecond\":1638036287,\"nano\":298000000},\"version\":\"1.0\"}", "type": [ - "admin", "deletion" ] }, @@ -6186,7 +6193,9 @@ "action": "atlassian.audit.event.action.audit.search", "kind": "event", "original": "{\"affectedObjects\":[],\"auditType\":{\"action\":\"Audit Log search performed\",\"actionI18nKey\":\"atlassian.audit.event.action.audit.search\",\"area\":\"AUDIT_LOG\",\"category\":\"Auditing\",\"categoryI18nKey\":\"atlassian.audit.event.category.audit\",\"level\":\"BASE\"},\"author\":{\"id\":\"2\",\"name\":\"admin\",\"type\":\"NORMAL\"},\"changedValues\":[],\"extraAttributes\":[{\"name\":\"Query\",\"nameI18nKey\":\"atlassian.audit.event.attribute.query\",\"value\":\"\"},{\"name\":\"Results returned\",\"nameI18nKey\":\"atlassian.audit.event.attribute.results\",\"value\":\"200\"},{\"name\":\"Timestamp Range\",\"nameI18nKey\":\"atlassian.audit.event.attribute.timestamp\",\"value\":\"2021-11-27T17:29:07.312Z - 2021-11-27T18:05:10.261Z\"},{\"name\":\"ID Range\",\"nameI18nKey\":\"atlassian.audit.event.attribute.id\",\"value\":\"29 - 228\"}],\"method\":\"Browser\",\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"source\":\"10.100.100.2\",\"system\":\"http://bitbucket.internal:7990\",\"timestamp\":{\"epochSecond\":1638036310,\"nano\":321000000},\"version\":\"1.0\"}", - "type": "info" + "type": [ + "info" + ] }, "related": { "hosts": [ 
@@ -6250,7 +6259,9 @@ "action": "bitbucket.service.project.audit.action.projectcreationrequested", "kind": "event", "original": "{\"affectedObjects\":[{\"id\":\"0\",\"name\":\"AT\",\"type\":\"PROJECT\"}],\"auditType\":{\"action\":\"Project creation requested\",\"actionI18nKey\":\"bitbucket.service.project.audit.action.projectcreationrequested\",\"area\":\"LOCAL_CONFIG_AND_ADMINISTRATION\",\"category\":\"Projects\",\"categoryI18nKey\":\"bitbucket.service.audit.category.projects\",\"level\":\"BASE\"},\"author\":{\"id\":\"2\",\"name\":\"admin\",\"type\":\"NORMAL\"},\"changedValues\":[],\"extraAttributes\":[{\"name\":\"target\",\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"value\":\"AT\"}],\"method\":\"Browser\",\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"source\":\"10.100.100.2\",\"system\":\"http://bitbucket.internal:7990\",\"timestamp\":{\"epochSecond\":1638036657,\"nano\":308000000},\"version\":\"1.0\"}", - "type": "info" + "type": [ + "info" + ] }, "related": { "hosts": [ 
@@ -6334,7 +6345,6 @@ "kind": "event", "original": "{\"affectedObjects\":[{\"id\":\"3\",\"name\":\"AT\",\"type\":\"PROJECT\"},{\"id\":\"2\",\"name\":\"admin\",\"type\":\"USER\"}],\"auditType\":{\"action\":\"Project permission granted\",\"actionI18nKey\":\"bitbucket.service.user.audit.action.projectpermissiongranted\",\"area\":\"PERMISSIONS\",\"category\":\"Permissions\",\"categoryI18nKey\":\"bitbucket.service.audit.category.permissions\",\"level\":\"BASE\"},\"author\":{\"id\":\"2\",\"name\":\"admin\",\"type\":\"NORMAL\"},\"changedValues\":[],\"extraAttributes\":[{\"name\":\"details\",\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.details\",\"value\":\"{\\\"permission\\\":\\\"PROJECT_ADMIN\\\",\\\"user\\\":\\\"admin\\\"}\"},{\"name\":\"Permission\",\"nameI18nKey\":\"bitbucket.service.user.audit.attribute.permission.permission\",\"value\":\"PROJECT_ADMIN\"},{\"name\":\"target\",\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"value\":\"AT\"}],\"method\":\"Browser\",\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"source\":\"10.100.100.2\",\"system\":\"http://bitbucket.internal:7990\",\"timestamp\":{\"epochSecond\":1638036657,\"nano\":315000000},\"version\":\"1.0\"}", "type": [ - "admin", "creation" ] }, 
@@ -6494,7 +6504,9 @@ "action": "bitbucket.branch.audit.action.projectbranchmodelconfigurationcreated", "kind": "event", "original": "{\"affectedObjects\":[{\"id\":\"3\",\"name\":\"AT\",\"type\":\"PROJECT\"}],\"auditType\":{\"action\":\"Project branch model created\",\"actionI18nKey\":\"bitbucket.branch.audit.action.projectbranchmodelconfigurationcreated\",\"area\":\"LOCAL_CONFIG_AND_ADMINISTRATION\",\"category\":\"Projects\",\"categoryI18nKey\":\"bitbucket.service.audit.category.projects\",\"level\":\"BASE\"},\"author\":{\"id\":\"2\",\"name\":\"admin\",\"type\":\"NORMAL\"},\"changedValues\":[],\"extraAttributes\":[{\"name\":\"Feature prefix\",\"nameI18nKey\":\"bitbucket.branch.audit.attribute.branchmodel.featureprefix\",\"value\":\"feature/\"},{\"name\":\"Development branch\",\"nameI18nKey\":\"bitbucket.branch.audit.attribute.branchmodel.developmentbranch\",\"value\":\"(default branch)\"},{\"name\":\"Hotfix prefix\",\"nameI18nKey\":\"bitbucket.branch.audit.attribute.branchmodel.hotfixprefix\",\"value\":\"hotfix/\"},{\"name\":\"Bugfix prefix\",\"nameI18nKey\":\"bitbucket.branch.audit.attribute.branchmodel.bugfixprefix\",\"value\":\"bugfix/\"},{\"name\":\"Production branch\",\"nameI18nKey\":\"bitbucket.branch.audit.attribute.branchmodel.productionbranch\",\"value\":\"(none)\"},{\"name\":\"Release prefix\",\"nameI18nKey\":\"bitbucket.branch.audit.attribute.branchmodel.releaseprefix\",\"value\":\"release/\"}],\"method\":\"Browser\",\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"source\":\"10.100.100.2\",\"system\":\"http://bitbucket.internal:7990\",\"timestamp\":{\"epochSecond\":1638036657,\"nano\":333000000},\"version\":\"1.0\"}", - "type": "info" + "type": [ + "info" + ] }, "related": { "hosts": [ 
@@ -6955,7 +6967,9 @@ "action": "atlassian.audit.event.action.audit.search", "kind": "event", "original": "{\"affectedObjects\":[],\"auditType\":{\"action\":\"Audit Log search performed\",\"actionI18nKey\":\"atlassian.audit.event.action.audit.search\",\"area\":\"AUDIT_LOG\",\"category\":\"Auditing\",\"categoryI18nKey\":\"atlassian.audit.event.category.audit\",\"level\":\"BASE\"},\"author\":{\"id\":\"2\",\"name\":\"admin\",\"type\":\"NORMAL\"},\"changedValues\":[],\"extraAttributes\":[{\"name\":\"Timestamp Range\",\"nameI18nKey\":\"atlassian.audit.event.attribute.timestamp\",\"value\":\"2021-11-27T17:29:09.732Z - 2021-11-27T18:11:17.550Z\"},{\"name\":\"Query\",\"nameI18nKey\":\"atlassian.audit.event.attribute.query\",\"value\":\"\"},{\"name\":\"ID Range\",\"nameI18nKey\":\"atlassian.audit.event.attribute.id\",\"value\":\"39 - 238\"},{\"name\":\"Results returned\",\"nameI18nKey\":\"atlassian.audit.event.attribute.results\",\"value\":\"200\"}],\"method\":\"Browser\",\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"source\":\"10.100.100.2\",\"system\":\"http://bitbucket.internal:7990\",\"timestamp\":{\"epochSecond\":1638036677,\"nano\":629000000},\"version\":\"1.0\"}", - "type": "info" + "type": [ + "info" + ] }, "related": { "hosts": [ 
@@ -7024,7 +7038,9 @@ "action": "bitbucket.service.repository.audit.action.repositorydeletionrequested", "kind": "event", "original": "{\"affectedObjects\":[{\"id\":\"3\",\"name\":\"AT\",\"type\":\"PROJECT\"},{\"id\":\"1\",\"name\":\"test2\",\"type\":\"REPOSITORY\"}],\"auditType\":{\"action\":\"Repository deletion requested\",\"actionI18nKey\":\"bitbucket.service.repository.audit.action.repositorydeletionrequested\",\"area\":\"LOCAL_CONFIG_AND_ADMINISTRATION\",\"category\":\"Repositories\",\"categoryI18nKey\":\"bitbucket.service.audit.category.repositories\",\"level\":\"BASE\"},\"author\":{\"id\":\"2\",\"name\":\"admin\",\"type\":\"NORMAL\"},\"changedValues\":[],\"extraAttributes\":[{\"name\":\"target\",\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"value\":\"AT/test2\"}],\"method\":\"Browser\",\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"source\":\"10.100.100.2\",\"system\":\"http://bitbucket.internal:7990\",\"timestamp\":{\"epochSecond\":1638036760,\"nano\":133000000},\"version\":\"1.0\"}", - "type": "info" + "type": [ + "info" + ] }, "related": { "hosts": [ 
@@ -7242,7 +7258,9 @@ "action": "atlassian.audit.event.action.audit.search", "kind": "event", "original": "{\"affectedObjects\":[],\"auditType\":{\"action\":\"Audit Log search performed\",\"actionI18nKey\":\"atlassian.audit.event.action.audit.search\",\"area\":\"AUDIT_LOG\",\"category\":\"Auditing\",\"categoryI18nKey\":\"atlassian.audit.event.category.audit\",\"level\":\"BASE\"},\"author\":{\"id\":\"2\",\"name\":\"admin\",\"type\":\"NORMAL\"},\"changedValues\":[],\"extraAttributes\":[{\"name\":\"Query\",\"nameI18nKey\":\"atlassian.audit.event.attribute.query\",\"value\":\"\"},{\"name\":\"Results returned\",\"nameI18nKey\":\"atlassian.audit.event.attribute.results\",\"value\":\"200\"},{\"name\":\"ID Range\",\"nameI18nKey\":\"atlassian.audit.event.attribute.id\",\"value\":\"43 - 242\"},{\"name\":\"Timestamp Range\",\"nameI18nKey\":\"atlassian.audit.event.attribute.timestamp\",\"value\":\"2021-11-27T17:29:09.967Z - 2021-11-27T18:12:44.207Z\"}],\"method\":\"Browser\",\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"source\":\"10.100.100.2\",\"system\":\"http://bitbucket.internal:7990\",\"timestamp\":{\"epochSecond\":1638036764,\"nano\":262000000},\"version\":\"1.0\"}", - "type": "info" + "type": [ + "info" + ] }, "related": { "hosts": [ 
@@ -7519,7 +7537,9 @@ "action": "atlassian.audit.event.action.audit.search", "kind": "event", "original": "{\"affectedObjects\":[],\"auditType\":{\"action\":\"Audit Log search performed\",\"actionI18nKey\":\"atlassian.audit.event.action.audit.search\",\"area\":\"AUDIT_LOG\",\"category\":\"Auditing\",\"categoryI18nKey\":\"atlassian.audit.event.category.audit\",\"level\":\"BASE\"},\"author\":{\"id\":\"2\",\"name\":\"admin\",\"type\":\"NORMAL\"},\"changedValues\":[],\"extraAttributes\":[{\"name\":\"Query\",\"nameI18nKey\":\"atlassian.audit.event.attribute.query\",\"value\":\"\"},{\"name\":\"Results returned\",\"nameI18nKey\":\"atlassian.audit.event.attribute.results\",\"value\":\"200\"},{\"name\":\"ID Range\",\"nameI18nKey\":\"atlassian.audit.event.attribute.id\",\"value\":\"47 - 246\"},{\"name\":\"Timestamp Range\",\"nameI18nKey\":\"atlassian.audit.event.attribute.timestamp\",\"value\":\"2021-11-27T17:29:10.643Z - 2021-11-27T18:13:24.368Z\"}],\"method\":\"Browser\",\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"source\":\"10.100.100.2\",\"system\":\"http://bitbucket.internal:7990\",\"timestamp\":{\"epochSecond\":1638036804,\"nano\":428000000},\"version\":\"1.0\"}", - "type": "info" + "type": [ + "info" + ] }, "related": { "hosts": [ 
@@ -7814,7 +7834,9 @@ "action": "atlassian.audit.event.action.audit.search", "kind": "event", "original": "{\"affectedObjects\":[],\"auditType\":{\"action\":\"Audit Log search performed\",\"actionI18nKey\":\"atlassian.audit.event.action.audit.search\",\"area\":\"AUDIT_LOG\",\"category\":\"Auditing\",\"categoryI18nKey\":\"atlassian.audit.event.category.audit\",\"level\":\"BASE\"},\"author\":{\"id\":\"2\",\"name\":\"admin\",\"type\":\"NORMAL\"},\"changedValues\":[],\"extraAttributes\":[{\"name\":\"Query\",\"nameI18nKey\":\"atlassian.audit.event.attribute.query\",\"value\":\"\"},{\"name\":\"ID Range\",\"nameI18nKey\":\"atlassian.audit.event.attribute.id\",\"value\":\"51 - 250\"},{\"name\":\"Results returned\",\"nameI18nKey\":\"atlassian.audit.event.attribute.results\",\"value\":\"200\"},{\"name\":\"Timestamp Range\",\"nameI18nKey\":\"atlassian.audit.event.attribute.timestamp\",\"value\":\"2021-11-27T17:29:10.661Z - 2021-11-27T18:14:18.395Z\"}],\"method\":\"Browser\",\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"source\":\"10.100.100.2\",\"system\":\"http://bitbucket.internal:7990\",\"timestamp\":{\"epochSecond\":1638036858,\"nano\":451000000},\"version\":\"1.0\"}", - "type": "info" + "type": [ + "info" + ] }, "related": { "hosts": [ diff --git a/packages/atlassian_bitbucket/data_stream/audit/elasticsearch/ingest_pipeline/default.yml b/packages/atlassian_bitbucket/data_stream/audit/elasticsearch/ingest_pipeline/default.yml index dd1d3164cc5..10c9eb46f51 100644 --- a/packages/atlassian_bitbucket/data_stream/audit/elasticsearch/ingest_pipeline/default.yml +++ b/packages/atlassian_bitbucket/data_stream/audit/elasticsearch/ingest_pipeline/default.yml 
@@ -177,113 +177,95 @@ processors:
 - iam
 - configuration
 type:
- - admin
 - creation
 bitbucket.access.tokens.audit.action.accesstokencreated.personal:
 category:
 - iam
 type:
- - admin
 - creation
 bitbucket.access.tokens.audit.action.accesstokendeleted.personal:
 category:
 - iam
 type:
- - admin
 - deletion
 bitbucket.access.tokens.audit.action.accesstokenmodified.personal:
 category:
 - iam
 type:
- - admin
 - change
 bitbucket.access.tokens.audit.action.accesstokencreated.repository:
 category:
 - iam
 type:
- - admin
 - creation
 bitbucket.access.tokens.audit.action.accesstokendeleted.repository:
 category:
 - iam
 type:
- - admin
 - deletion
 bitbucket.access.tokens.audit.action.accesstokenmodified.repository:
 category:
 - iam
 type:
- - admin
 - change
 bitbucket.ssh.audit.action.sshkeycreated:
 category:
 - iam
 type:
- - admin
 - creation
 bitbucket.ssh.audit.action.sshkeydeleted:
 category:
 - iam
 type:
- - admin
 - deletion
 bitbucket.ssh.audit.action.sshaccesskeygranted.repository:
 category:
 - iam
 type:
- - admin
 - creation
 bitbucket.ssh.audit.action.sshaccesskeyrevoked.repository:
 category:
 - iam
 type:
- - admin
 - deletion
 bitbucket.plugins.gpg.audit.action.gpgevent.created:
 category:
 - iam
 type:
- - admin
 - creation
 bitbucket.plugins.gpg.audit.action.gpgevent.deleted:
 category:
 - iam
 type:
- - admin
 - deletion
 bitbucket.service.user.audit.action.repositorypermissiongranted:
 category:
 - iam
 - configuration
 type:
- - admin
 - creation
 bitbucket.service.user.audit.action.repositorypermissiongrantrequested:
 category:
 - iam
 - configuration
 type:
- - admin
 - creation
 bitbucket.service.user.audit.action.repositorypermissionrevoked:
 category:
 - iam
 - configuration
 type:
- - admin
 - deletion
 bitbucket.service.user.audit.action.repositorypermissionrevocationrequested:
 category:
 - iam
 - configuration
 type:
- - admin
 - deletion
 atlassian.audit.event.action.audit.config.updated:
 category:
 - configuration
 type:
- - admin
 - change
 bitbucket.service.repository.audit.action.repositoryaccessed:
 category:
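Review bot: Dropping `admin` from `event.type` for the access-token, SSH-key, GPG-key and repository-permission entries changes what existing saved searches and detection rules filtering on `event.type: admin` match for these IAM events, and nothing in the hunk records why. The manifest bump to 2.0.0 suggests this is treated as a breaking change, but the package changelog is not in this chunk, so I cannot confirm the behavior change is called out there. A short comment at the head of the mapping, e.g. `# event.type per ECS categorization: iam/configuration entries carry only creation/deletion/change`, would keep the next editor from re-adding the value. The mapping table starts before this hunk and continues after it.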
@@ -332,7 +314,7 @@ processors: - change source: >- ctx.event.kind = 'event'; - ctx.event.type = 'info'; + ctx.event.type = ['info']; if (ctx?.event?.action == null) { return; diff --git a/packages/atlassian_bitbucket/manifest.yml b/packages/atlassian_bitbucket/manifest.yml index 5418f112afc..f181d4e8baf 100644 --- a/packages/atlassian_bitbucket/manifest.yml +++ b/packages/atlassian_bitbucket/manifest.yml @@ -1,7 +1,7 @@ format_version: "3.0.2" name: atlassian_bitbucket title: Atlassian Bitbucket -version: "1.23.0" +version: "2.0.0" description: Collect logs from Atlassian Bitbucket with Elastic Agent. type: integration categories: diff --git a/packages/barracuda/changelog.yml b/packages/barracuda/changelog.yml index 85bb4c9035e..d4c288c8f0b 100644 --- a/packages/barracuda/changelog.yml +++ b/packages/barracuda/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.13.0" + changes: + - description: Make `host.ip` field conform to ECS field definition. + type: enhancement + link: https://github.com/elastic/integrations/pull/10120 - version: "1.12.0" changes: - description: Update manifest format version to v3.0.3. diff --git a/packages/barracuda/data_stream/waf/_dev/test/pipeline/test-access.log-expected.json b/packages/barracuda/data_stream/waf/_dev/test/pipeline/test-access.log-expected.json index 9af6a9aa5d8..aba1d91efde 100644 --- a/packages/barracuda/data_stream/waf/_dev/test/pipeline/test-access.log-expected.json +++ b/packages/barracuda/data_stream/waf/_dev/test/pipeline/test-access.log-expected.json @@ -63,7 +63,9 @@ ] }, "host": { - "ip": "67.43.156.2" + "ip": [ + "67.43.156.2" + ] }, "http": { "request": { @@ -196,7 +198,9 @@ ] }, "host": { - "ip": "67.43.156.2" + "ip": [ + "67.43.156.2" + ] }, "http": { "request": { @@ -320,9 +324,6 @@ "connection" ] }, - "host": { - "ip": "petstore.sec-vanderwal.nl" - }, "http": { "request": { "bytes": 292, 
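Review bot: The `['info']` default is assigned before the `event.action` null-check, so it is the value that survives for events whose action is missing or, presumably, has no mapping entry (the lookup that would overwrite it is outside the hunk); a one-line comment above the assignment, `// default event.type when no event.action mapping applies`, would make that intent explicit. The script body continues past the end of the hunk.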
@@ -453,7 +454,9 @@ ] }, "host": { - "ip": "67.43.156.2" + "ip": [ + "67.43.156.2" + ] }, "http": { "request": { @@ -582,7 +585,9 @@ ] }, "host": { - "ip": "67.43.156.2" + "ip": [ + "67.43.156.2" + ] }, "http": { "request": { @@ -704,7 +709,9 @@ ] }, "host": { - "ip": "81.2.69.144" + "ip": [ + "81.2.69.144" + ] }, "http": { "request": { diff --git a/packages/barracuda/data_stream/waf/elasticsearch/ingest_pipeline/access.yml b/packages/barracuda/data_stream/waf/elasticsearch/ingest_pipeline/access.yml index 61d0351272b..8f03e97f936 100644 --- a/packages/barracuda/data_stream/waf/elasticsearch/ingest_pipeline/access.yml +++ b/packages/barracuda/data_stream/waf/elasticsearch/ingest_pipeline/access.yml 
@@ -3,7 +3,20 @@ description: Pipeline for processing access logs
 processors:
 - dissect:
 field: _temp.remMessage
- pattern: "%{_temp.destIp} %{_temp.destPort} %{_temp.clientIp} %{_temp.clientPort} %{client.user.id} %{client.user.name} %{http.request.method} %{network.protocol} %{host.ip} %{http.version} %{http.response.status_code} %{http.response.bytes} %{http.request.bytes} %{barracuda.waf.cache_hit} %{barracuda.waf.response_timetaken} %{_temp.serverIp} %{_temp.serverPort} %{barracuda.waf.server_time} %{barracuda.waf.sessionid} %{barracuda.waf.response_type} %{barracuda.waf.profile_matched} %{barracuda.waf.protected} %{barracuda.waf.wf_matched} %{url.path} %{url.query} %{http.request.referrer} %{barracuda.waf.request_cookie} %{_temp.remMessage}"
+ pattern: "%{_temp.destIp} %{_temp.destPort} %{_temp.clientIp} %{_temp.clientPort} %{client.user.id} %{client.user.name} %{http.request.method} %{network.protocol} %{_temp.hostIp} %{http.version} %{http.response.status_code} %{http.response.bytes} %{http.request.bytes} %{barracuda.waf.cache_hit} %{barracuda.waf.response_timetaken} %{_temp.serverIp} %{_temp.serverPort} %{barracuda.waf.server_time} %{barracuda.waf.sessionid} %{barracuda.waf.response_type} %{barracuda.waf.profile_matched} %{barracuda.waf.protected} %{barracuda.waf.wf_matched} %{url.path} %{url.query} %{http.request.referrer} %{barracuda.waf.request_cookie} %{_temp.remMessage}"
+ - convert:
+ field: _temp.hostIp
+ if: ctx._temp?.hostIp != null
+ type: ip
+ on_failure:
+ - remove:
+ field: _temp.hostIp
+ ignore_missing: true
+ ignore_failure: true
+ - append:
+ field: host.ip
+ value: '{{{_temp.hostIp}}}'
+ if: ctx._temp?.hostIp != null
 - grok:
 field: _temp.remMessage
 patterns:
diff --git a/packages/barracuda/manifest.yml b/packages/barracuda/manifest.yml
index 7f921d6dacb..4542a70db12 100644
--- a/packages/barracuda/manifest.yml
+++ b/packages/barracuda/manifest.yml
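Review bot: The `convert` `on_failure` branch only removes `_temp.hostIp`, so a value in that position that is not an IP address is now discarded silently; the test-access.log-expected.json hunk in this same commit drops `"ip": "petstore.sec-vanderwal.nl"`, which shows the log does carry hostnames there. Instead of removing the field on failure, move it into a name field (for example a `rename` of `_temp.hostIp` to `url.domain` with `ignore_missing: true`, if that dissect token is the request Host header — the pattern alone does not tell me) so the value stays searchable. I am assuming `_temp.*` is cleared by a later processor outside the hunk; if not, the appended copy leaves the raw token in the document. The `ip` convert plus `append` for the address case is otherwise sound.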
@@ -1,7 +1,7 @@ format_version: "3.0.3" name: barracuda title: "Barracuda Web Application Firewall" -version: "1.12.0" +version: "1.13.0" description: "Collect logs from Barracuda Web Application Firewall with Elastic Agent." type: integration source: diff --git a/packages/cisco_umbrella/changelog.yml b/packages/cisco_umbrella/changelog.yml index 888ca1fb12a..2fbcb807e82 100644 --- a/packages/cisco_umbrella/changelog.yml +++ b/packages/cisco_umbrella/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.24.0" + changes: + - description: Make `event.category` field conform to ECS field definition. + type: enhancement + link: https://github.com/elastic/integrations/pull/10120 - version: "1.23.0" changes: - description: Add dashboards. diff --git a/packages/cisco_umbrella/data_stream/log/_dev/test/pipeline/test-umbrella-auditlogs.log-expected.json b/packages/cisco_umbrella/data_stream/log/_dev/test/pipeline/test-umbrella-auditlogs.log-expected.json index 3029896e7d1..2b133454bfa 100644 --- a/packages/cisco_umbrella/data_stream/log/_dev/test/pipeline/test-umbrella-auditlogs.log-expected.json +++ b/packages/cisco_umbrella/data_stream/log/_dev/test/pipeline/test-umbrella-auditlogs.log-expected.json @@ -26,7 +26,9 @@ }, "event": { "action": "update", - "category": "configuration", + "category": [ + "configuration" + ], "id": "1234567890", "kind": "event", "original": "\"1234567890\",\"2021-07-22 10:46:45\",\"user@domain.com\",\"user\", \"logexportconfigurations\", \"update\",\"81.2.69.144\",\"version: 4\",\"version: 5\"", 
@@ -96,7 +98,9 @@ }, "event": { "action": "create", - "category": "configuration", + "category": [ + "configuration" + ], "id": "1234567891", "kind": "event", "original": "\"1234567891\",\"2023-03-28 08:08:07\",\"null\",\"null\",\"onpremlogentry\",\"create\",\"81.2.69.144\",\"\",\"id: 33333333\\noriginId: 222222222\\norganizationId: 1111111\\nonpremActionId: 2\\nonpremUser: SYSTEM\\ndescription: name: Host-1234\\naction: uninstall\\nuser: SYSTEM\\n\\noriginTypeId: 34\\ncreatedAt: 2023-03-28 08:08:06\\n\"", @@ -158,7 +162,9 @@ }, "event": { "action": "delete", - "category": "configuration", + "category": [ + "configuration" + ], "id": "1234567892", "kind": "event", "original": "\"1234567892\",\"2023-03-24 12:52:25\",\"email@example.com\",\"Firstname Surname\",\"roamingdevices\",\"delete\",\"81.2.69.144\",\"deviceKey: 1111::2222222\\nlabel: 1787\\nbundle: minimal\\nphishing: 1\\ncreatedAt: 2023-03-16 09:37:31\\ntimeZoneName: GMT\\noriginId: 222222222\\ndeviceTypeId: 1\\nmaxBlockedDomains: 25\\nmaxNoredirectDomains: 25\\nmaxWhitelistDomains: 10\\norganizationId: 1111111\\noriginTypeId: 34\\nmodifiedAt: 2023-03-16 09:37:31\\n\",\"\"", diff --git a/packages/cisco_umbrella/data_stream/log/_dev/test/pipeline/test-umbrella-cloudfirewalllogs.log-expected.json b/packages/cisco_umbrella/data_stream/log/_dev/test/pipeline/test-umbrella-cloudfirewalllogs.log-expected.json index 3247b620dbe..81eee0b387e 100644 --- a/packages/cisco_umbrella/data_stream/log/_dev/test/pipeline/test-umbrella-cloudfirewalllogs.log-expected.json +++ b/packages/cisco_umbrella/data_stream/log/_dev/test/pipeline/test-umbrella-cloudfirewalllogs.log-expected.json @@ -35,7 +35,9 @@ }, "event": { "action": "fw-connection-ALLOW", - "category": "network", + "category": [ + "network" + ], "kind": "event", "original": "2020-07-23 18:03:46,[211039844],Passive Monitor,CDFW Tunnel Device,OUTBOUND,1,84,172.17.3.4,,67.43.156.12,,ams1.edc,12,ALLOW", "type": [ 
@@ -114,7 +116,9 @@ }, "event": { "action": "fw-connection-BLOCK", - "category": "network", + "category": [ + "network" + ], "kind": "event", "original": "2020-07-23 18:03:46,[211039844],Passive Monitor,CDFW Tunnel Device,INBOUND,1,84,172.17.3.4,,67.43.156.12,,ams1.edc,12,BLOCK", "type": [ @@ -198,7 +202,9 @@ }, "event": { "action": "fw-connection-ALLOW", - "category": "network", + "category": [ + "network" + ], "kind": "event", "original": "\"2019-01-14 18:03:46\",\"[211039844]\",\"Passive Monitor\", \"CDFW Tunnel Device\",\"OUTBOUND\",\"1\",\"84\",\"172.17.3.4\",\"\",\"67.43.156.12\", \"\",\"ams1.edc\",\"12\",\"ALLOW\",\"google.com,apple.com\",\"44,66\"", "type": [ diff --git a/packages/cisco_umbrella/data_stream/log/_dev/test/pipeline/test-umbrella-dnslogs.log-expected.json b/packages/cisco_umbrella/data_stream/log/_dev/test/pipeline/test-umbrella-dnslogs.log-expected.json index 3f081056e07..8a5d305e705 100644 --- a/packages/cisco_umbrella/data_stream/log/_dev/test/pipeline/test-umbrella-dnslogs.log-expected.json +++ b/packages/cisco_umbrella/data_stream/log/_dev/test/pipeline/test-umbrella-dnslogs.log-expected.json @@ -37,7 +37,9 @@ }, "event": { "action": "dns-request-Allowed", - "category": "network", + "category": [ + "network" + ], "kind": "event", "original": "\"2020-07-23 23:49:54\",\"elasticuser\",\"elasticuser,Elastic Machine\",\"192.168.1.1\",\"81.2.69.144\",\"Allowed\",\"1 (A)\",\"NOERROR\",\"www.elastic.co.\",\"Software/Technology,Business Services,Application\",\"Test Policy Name\",\"AD Users, Roaming Computers\",\"\"", "type": [ 
@@ -125,7 +127,9 @@ }, "event": { "action": "dns-request-Blocked", - "category": "network", + "category": [ + "network" + ], "kind": "event", "original": "\"2020-07-23 23:50:25\",\"elasticuser\",\"elasticuser,Elastic Machine\",\"192.168.1.1\",\"67.43.156.12\",\"Blocked\",\"1 (A)\",\"NOERROR\",\"elastic.co.\",\"Chat,Instant Messaging,Block List,Application\",\"Test Policy Name\",\"AD Users, Roaming Computers\",\"BlockedCategories\"", "type": [ @@ -207,7 +211,9 @@ }, "event": { "action": "dns-request-Allowed", - "category": "network", + "category": [ + "network" + ], "kind": "event", "original": "\"2021-05-14 19:39:58\",\"Elastic Machine\",\"Elastic Machine,Elastic User (ElasticUser@elastic.co)\",\"192.168.1.1\",\"81.2.69.144\",\"Allowed\",\"1 (A)\",\"NOERROR\",\"elastic.co.\",\"Infrastructure\",\"Roaming Computers\",\"Roaming Computers,AD Users\",\"\"", "type": [ @@ -300,7 +306,9 @@ }, "event": { "action": "dns-request-Allowed", - "category": "network", + "category": [ + "network" + ], "kind": "event", "original": "\"2023-03-28 10:50:02\",\"Users-Internal\",\"Users-Internal,Default Site,Internet-Network\",\"192.168.1.1\",\"81.2.69.144\",\"Allowed\",\"1 (A)\",\"NOERROR\",\"eu-v20.events.data.microsoft.com.\",\"Software/Technology,Business Services,Application,Business and Industry,Computers and Internet\",\"Internal Networks\",\"Internal Networks,Sites,Networks\",\"\"", "type": [ @@ -384,7 +392,9 @@ }, "event": { "action": "dns-request-Allowed", - "category": "network", + "category": [ + "network" + ], "kind": "event", "original": "\"2023-03-28 10:50:01\",\"Users-Internal\",\"Users-Internal,Default Site,Internet-Network\",\"192.168.1.1\",\"81.2.69.144\",\"Allowed\",\"1 (A)\",\"NOERROR\",\"i.ytimg.com.\",\"Video Sharing,Infrastructure and Content Delivery Networks,Application\",\"Internal Networks\",\"Internal Networks,Sites,Networks\",\"\"", "type": [ 
@@ -472,7 +482,9 @@ }, "event": { "action": "dns-request-Allowed", - "category": "network", + "category": [ + "network" + ], "kind": "event", "original": "\"2023-03-28 10:50:01\",\"Always On Internal-Network\",\"Always On Internal-Network,Default Site,Internet-Network\",\"192.168.1.1\",\"81.2.69.144\",\"Allowed\",\"1 (A)\",\"NOERROR\",\"outlook.office365.com.\",\"Software/Technology,Webmail,Business Services,Organizational Email,Application,Web-based Email,Online Document Sharing and Collaboration\",\"Internal Networks\",\"Internal Networks,Sites,Networks\",\"\"", "type": [ @@ -556,7 +568,9 @@ }, "event": { "action": "dns-request-Allowed", - "category": "network", + "category": [ + "network" + ], "kind": "event", "original": "\"2023-03-28 10:50:00\",\"Servers-Internal\",\"Servers-Internal,Default Site,Internet-Network\",\"192.168.1.1\",\"81.2.69.144\",\"Allowed\",\"1 (A)\",\"NOERROR\",\"test.servicebus.windows.net.\",\"Software/Technology,Business Services,Computers and Internet\",\"Internal Networks\",\"Internal Networks,Sites,Networks\",\"\"", "type": [ @@ -642,7 +656,9 @@ }, "event": { "action": "dns-request-Blocked", - "category": "network", + "category": [ + "network" + ], "kind": "event", "original": "\"2023-03-28 10:58:39\",\"Users-Internal\",\"Users-Internal,Default Site,Internet-Network\",\"192.168.1.1\",\"81.2.69.144\",\"Blocked\",\"1 (A)\",\"NOERROR\",\"test.com.\",\"Business Services,Pornography,Business and Industry\",\"Internal Networks\",\"Internal Networks,Sites,Networks\",\"Pornography\"", "type": [ @@ -720,7 +736,9 @@ }, "event": { "action": "dns-request-Allowed", - "category": "network", + "category": [ + "network" + ], "kind": "event", "original": "\"2015-01-16 17:48:41\",\"ActiveDirectoryUserName\", \"ActiveDirectoryUserName,ADSite,Network\", \"10.10.1.100\",\"81.2.69.144\",\"Allowed\",\"1 (A)\", \"NOERROR\",\"domain-visited.com.\", \"Chat,Photo Sharing,Social Networking,Allow List\"", "type": [ 
@@ -793,7 +811,9 @@ }, "event": { "action": "dns-request-Allowed", - "category": "network", + "category": [ + "network" + ], "kind": "event", "original": "\"2015-01-16 17:48:41\",\"c4dde8eb61890000\", \"c4dde8eb61890000\", \"10.10.1.100\",\"81.2.69.144\",\"Allowed\",\"1 (A)\", \"NOERROR\",\"android.googleapis.com.\", \"Search Engines,Application,Search Engines and Portals\",\"Mobile Devices\",\"Mobile Devices\",\"\"", "type": [ @@ -871,7 +891,9 @@ }, "event": { "action": "dns-request-Allowed", - "category": "network", + "category": [ + "network" + ], "kind": "event", "original": "\"2023-05-05 12:50:00\",\"Mc_redacted, Do_redacted (Do_redacted.Mc_redacted@example.com)\",\"Mc_redacted, Do_redacted (Do_redacted.Mc_redacted@example.com),5CD133BTPT\",\"192.168.1.127\",\"89.160.20.112\",\"Allowed\",\"1 (A)\",\"NOERROR\",\"d27xxe7juh1us6.cloudfront.net.\",\"Infrastructure and Content Delivery Networks,Application\",\"AD Users\",\"AD Users,Anyconnect Roaming Client\",\"\"", "type": [ @@ -966,7 +988,9 @@ }, "event": { "action": "dns-request-Allowed", - "category": "network", + "category": [ + "network" + ], "kind": "event", "original": "\"2023-05-05 12:50:00\",\"Pa_redacted, De_redacted (De_redacted.Pa_redacted@example.com)\",\"Pa_redacted, De_redacted (De_redacted.Pa_redacted@example.com),3WP64M3\",\"2a02:cf40::1\",\"2a02:cf40::2\",\"Allowed\",\"28 (AAAA)\",\"NOERROR\",\"us-v10c.events.data.microsoft.com.\",\"Software/Technology,Business Services,Allow List,Application,Business and Industry,Computers and Internet\",\"AD Users\",\"AD Users,Anyconnect Roaming Client\",\"Allow List\"", "type": [ 
@@ -1071,7 +1095,9 @@ }, "event": { "action": "dns-request-Allowed", - "category": "network", + "category": [ + "network" + ], "kind": "event", "original": "\"2023-05-05 12:50:00\",\"Ca_redacted, Ch_redacted (CC_redacted@example.com)\",\"Ca_redacted, Ch_redacted (CC_redacted@example.com),5CG0310TQZ\",\"192.168.1.79\",\"89.160.20.128\",\"Allowed\",\"1 (A)\",\"NOERROR\",\"presence.gcc.teams.microsoft.com.\",\"Software/Technology,Business Services,Allow List,Infrastructure and Content Delivery Networks,Online Meetings,Application,Cloud and Data Centers\",\"AD Users\",\"AD Users,Anyconnect Roaming Client\",\"Allow List\"", "type": [ @@ -1170,7 +1196,9 @@ }, "event": { "action": "dns-request-Allowed", - "category": "network", + "category": [ + "network" + ], "kind": "event", "original": "\"2023-05-05 12:40:01\",\"G_redacted, Er_redacted R (Er_redacted.G_redacted@example.com)\",\"G_redacted, Er_redacted R (Er_redacted.G_redacted@example.com),Mega Corp,MXL952303K\",\"10.245.149.68\",\"81.2.69.144\",\"Allowed\",\"1 (A)\",\"NOERROR\",\"outlook.office365.com.\",\"Software/Technology,Webmail,Business Services,Allow List,Organizational Email,Application,Web-based Email,Online Document Sharing and Collaboration\",\"AD Users\",\"AD Users,Networks,Anyconnect Roaming Client\",\"Allow List\"", "type": [ @@ -1272,7 +1300,9 @@ }, "event": { "action": "dns-request-Allowed", - "category": "network", + "category": [ + "network" + ], "kind": "event", "original": "\"2023-05-05 12:40:01\",\"LastName, Tiredacted M (Ti) (Tiredacted.LastName@example.com)\",\"LastName, Tiredacted M (Ti) (Tiredacted.LastName@example.com),5CG0310TPJ\",\"192.168.4.66\",\"81.2.69.192\",\"Allowed\",\"1 (A)\",\"NOERROR\",\"outlook.office365.com.\",\"Software/Technology,Webmail,Business Services,Allow List,Organizational Email,Application,Web-based Email,Online Document Sharing and Collaboration\",\"AD Users\",\"AD Users,Anyconnect Roaming Client\",\"Allow List\"", "type": [ 
diff --git a/packages/cisco_umbrella/data_stream/log/_dev/test/pipeline/test-umbrella-iplogs.log-expected.json b/packages/cisco_umbrella/data_stream/log/_dev/test/pipeline/test-umbrella-iplogs.log-expected.json
index ed26a32be0b..1c260c885fd 100644
--- a/packages/cisco_umbrella/data_stream/log/_dev/test/pipeline/test-umbrella-iplogs.log-expected.json
+++ b/packages/cisco_umbrella/data_stream/log/_dev/test/pipeline/test-umbrella-iplogs.log-expected.json
@@ -29,7 +29,9 @@
 "version": "8.11.0"
 },
 "event": {
- "category": "network",
+ "category": [
+ "network"
+ ],
 "kind": "event",
 "original": "\"2020-08-26 20:32:46\",\"elasticuser\",\"192.168.1.1\",\"0\",\"81.2.69.144\",\"0\",\"Test Category\"",
 "type": [
@@ -90,7 +92,9 @@
 "version": "8.11.0"
 },
 "event": {
- "category": "network",
+ "category": [
+ "network"
+ ],
 "kind": "event",
 "original": "\"2020-08-26 20:32:45\",\"elasticuser\",\"192.168.1.1\",\"61095\",\"81.2.69.144\",\"445\",\"Test Category\"",
 "type": [
diff --git a/packages/cisco_umbrella/data_stream/log/_dev/test/pipeline/test-umbrella-proxylogs.log-expected.json b/packages/cisco_umbrella/data_stream/log/_dev/test/pipeline/test-umbrella-proxylogs.log-expected.json
index 09df7fa9ada..12013be29fa 100644
--- a/packages/cisco_umbrella/data_stream/log/_dev/test/pipeline/test-umbrella-proxylogs.log-expected.json
+++ b/packages/cisco_umbrella/data_stream/log/_dev/test/pipeline/test-umbrella-proxylogs.log-expected.json
@@ -32,7 +32,9 @@ "version": "8.11.0" }, "event": { - "category": "network", + "category": [ + "network" + ], "kind": "event", "original": "\"2020-07-23 23:48:56\",\"Elastic Machine\",\"192.168.1.1\",\"67.43.156.12\",\"81.2.69.144\",\"\",\"ALLOWED\",\"https://elastic.co/blog/ext_id=Anyclip\",\"https://google.com/elastic\",\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.89 Safari/537.36\",\"200\",\"850\",\"\",\"\",\"\",\"Business Services\",\"AVDetectionName\",\"Malicious\",\"MalwareName\",\"\",\"\",\"Roaming Computers\",\"\"", "type": [ @@ -128,7 +130,9 @@ "version": "8.11.0" }, "event": { - "category": "network", + "category": [ + "network" + ], "kind": "event", "original": "\"2020-07-23 23:48:56\",\"Elastic Machine\",\"192.168.1.1\",\"67.43.156.12\",\"81.2.69.144\",\"\",\"BLOCKED\",\"https://elastic.co/blog/ext_id=Anyclip\",\"https://google.com/elastic\",\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.89 Safari/537.36\",\"200\",\"850\",\"\",\"\",\"\",\"Business Services\",\"AVDetectionName\",\"Malicious\",\"MalwareName\",\"\",\"\",\"Roaming Computers\",\"\"", "type": [ @@ -204,7 +208,9 @@ "version": "8.11.0" }, "event": { - "category": "network", + "category": [ + "network" + ], "kind": "event", "original": "\"2017-10-02 23:52:53\",\"NetworkName2\",\"192.168.192.135\",\"67.43.156.12\",\"\",\"\",\"ALLOWED\",\"http://google.com/the.js\",\"www.google.com\",\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36\",\"200\",\"562\",\"1489\",\"\",\"\",\"\",\"\",\"\",\"\",\"\",\"\",\"\",\"Networks\"", "type": [ 
@@ -315,7 +321,9 @@ }, "event": { "action": "proxy-request-GET", - "category": "network", + "category": [ + "network" + ], "kind": "event", "original": "\"2017-10-02 23:52:53\",\"TheComputerName\",\"192.168.192.135\",\"89.160.20.129\",\"89.160.20.130\",\"\",\"ALLOWED\", \"http://google.com/the.js\",\"www.google.com\",\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36\",\"200\",\"562\",\"1489\",\"\",\"\",\"Search Engines\",\"\",\"\",\"\",\"\",\"\",\"Roaming Computer\",\"\",\"TheComputerName,ADSite,Network\",\"Roaming Computer, Site, Network\",\"GET\",\"\",\"\",\"the.js\",\"\",\"\",\"\"", "type": [ @@ -422,7 +430,9 @@ }, "event": { "action": "proxy-request-GET", - "category": "network", + "category": [ + "network" + ], "kind": "event", "original": "\"2017-10-02 23:52:53\",\"TheComputerName\",\"175.16.199.135\",\"1.128.1.91\", \"1.128.2.3\",\"\",\"ALLOWED\",\"http://google.com/the.js\",\"www.google.com\",\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36\",\"200\",\"562\",\"1489\",\"\",\"\",\"Search Engines\",\"\",\"\",\"\",\"\",\"\",\"Roaming Computer\",\"\",\"TheComputerName,ADSite,Network\",\"Roaming Computer, Site, Network\",\"GET\",\"\",\"\",\"the.js\",\"\",\"\",\"\",\"isolated\",\"downloaded_original_file\",\"warn-session\"", "type": [ 
@@ -544,7 +554,9 @@ }, "event": { "action": "proxy-request-GET", - "category": "network", + "category": [ + "network" + ], "kind": "event", "original": "\"2023-03-08 06:54:32\",\"NetworkName\",\"\",\"175.16.199.104\",\"67.43.156.204\",\"application/octet-stream\",\"ALLOWED\",\"http://luna.avcdn.net/ez/xow7/jx7fcbcz7axphe46u2zh6iufcuewqpfrmfibkydoufe3qq.bin\",\"\",\"Avast Antivirus\",\"200\",\"\",\"797\",\"466\",\"a459e1374395119b8a5aa26cf97738c3864d3130e93c083fbab6da3fe1ad9175\",\"Computer Security\",\"\",\"\",\"UNKNOWN\",\"\",\"0\",\"Networks\",\"\",\"NetworkName\",\"Networks\",\"GET\",\"\",\"\",\"jx7fcbcz7axphe46u2zh6iufcuewqpfrmfibkydoufe3qq.bin\",\"13671956\",\"\",\"\"", "type": [ @@ -655,7 +667,9 @@ }, "event": { "action": "proxy-request-GET", - "category": "network", + "category": [ + "network" + ], "kind": "event", "original": "\"2023-03-08 12:38:56\",\"NetworkName2\",\"\",\"81.2.69.142\",\"81.2.69.144\",\"application/octet-stream\",\"ALLOWED\",\"http://luna.avcdn.net/ez/xow7/jx7fcbcz7axphe46u2zh6iufcuewqpfrmfibkydoufe3qq.bin\",\"\",\"Avast Antivirus\",\"200\",\"\",\"797\",\"466\",\"a459e1374395119b8a5aa26cf97738c3864d3130e93c083fbab6da3fe1ad9175\",\"Computer Security\",\"\",\"\",\"UNKNOWN\",\"\",\"0\",\"Networks\",\"\",\"NetworkName2\",\"Networks\",\"GET\",\"\",\"\",\"jx7fcbcz7axphe46u2zh6iufcuewqpfrmfibkydoufe3qq.bin\",\"13671956\",\"\",\"\",\"\",\"\",\"\"", "type": [ @@ -763,7 +777,9 @@ }, "event": { "action": "proxy-request-HEAD", - "category": "network", + "category": [ + "network" + ], "kind": "event", "original": "\"2023-03-08 10:21:28\",\"NetworkName\",\"\",\"175.16.199.104\",\"67.43.156.205\",\"\",\"ALLOWED\",\"http://analyticsnew.overwolf.com/\",\"\",\" \",\"200\",\"\",\"\",\"\",\"\",\"Games,Software/Technology\",\"\",\"\",\"\",\"\",\"\",\"Networks\",\"\",\"NetworkName\",\"Networks\",\"HEAD\",\"\",\"\",\"\",\"13671956\",\"\",\"\"", "type": [ 
@@ -860,7 +876,9 @@ }, "event": { "action": "proxy-request-GET", - "category": "network", + "category": [ + "network" + ], "kind": "event", "original": "\"2023-03-08 10:21:40\",\"NetworkName\",\"\",\"175.16.199.104\",\"67.43.156.205\",\"text/plain\",\"ALLOWED\",\"http://analyticsnew.overwolf.com/analytics/Counter?CurrentVersion=0.219.0&PartnerID=4047&Name=UpdatedApp&Value=1&UserName=OW_ffffffff-0052-4e41-bd2c-0511667dd4aa&Extra=%255b%257b%2522Name%2522%253a%2522Name%2522%252c%2522Value%2522%253a%2522oldfhfbggeglgjgenidckaneodejpjkaggklojma%2522%257d%252c%257b%2522Name%2522%253a%2522Version%2522%252c%2522Value%2522%253a%2522221.0.3%2522%257d%252c%257b%2522Name%2522%253a%2522app_channel%2522%252c%2522Value%2522%253a%2522%2522%257d%255d&owver=0.219.0.3&MUID=be987755-daa3-4cd7-b14c-7eee43920149\",\"\",\" \",\"200\",\"\",\"374\",\"2\",\"44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a\",\"Games,Software/Technology\",\"\",\"\",\"\",\"\",\"\",\"Networks\",\"\",\"NetworkName\",\"Networks\",\"GET\",\"\",\"\",\"Counter\",\"13671956\",\"\",\"\"", "type": [ 
@@ -969,7 +987,9 @@ }, "event": { "action": "proxy-request-GET", - "category": "network", + "category": [ + "network" + ], "kind": "event", "original": "\"2023-03-08 10:21:42\",\"NetworkName\",\"\",\"175.16.199.104\",\"67.43.156.205\",\"text/plain\",\"BLOCKED\",\"http://analyticsnew.overwolf.com/analytics/Counter?CurrentVersion=0.219.0&PartnerID=4047&Name=ConnectedUser&Value=1&UserName=OW_ffffffff-0052-4e41-bd2c-0511667dd4aa&Extra=%255b%257b%2522Name%2522%253a%2522OWChannel%2522%252c%2522Value%2522%253a%2522Regular%2522%257d%252c%257b%2522Name%2522%253a%2522OWVersion%2522%252c%2522Value%2522%253a%25220.219.0.3%2522%257d%252c%257b%2522Name%2522%253a%2522InstalledApps%2522%252c%2522Value%2522%253a%2522%255b%255c%2522cchhcaiapeikjbdbpfplgmpobbcdkdaphclbmkbj%255c%2522%255d%2522%257d%252c%257b%2522Name%2522%253a%2522LoggedIn%2522%252c%2522Value%2522%253a%2522False%2522%257d%252c%257b%2522Name%2522%253a%2522GIds%2522%252c%2522Value%2522%253a%2522%255b10746%252c10778%252c10798%252c21216%252c21344%252c21652%252c21784%252c21794%252c4688%252c6365%252c7764%252c8032%255d%2522%257d%255d&owver=0.219.0.3&MUID=be987755-daa3-4cd7-b14c-7eee43920149\",\"\",\" \",\"200\",\"\",\"374\",\"2\",\"44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a\",\"Games,Software/Technology\",\"\",\"\",\"\",\"\",\"\",\"Networks\",\"\",\"NetworkName\",\"Networks\",\"GET\",\"\",\"\",\"Counter\",\"13671956\",\"\",\"\"", "type": [ 
@@ -1078,7 +1098,9 @@ }, "event": { "action": "proxy-request-HEAD", - "category": "network", + "category": [ + "network" + ], "kind": "event", "original": "\"2023-03-08 10:21:39\",\"NetworkName\",\"\",\"175.16.199.104\",\"67.43.156.205\",\"text/plain\",\"ALLOWED\",\"http://analyticsnew.overwolf.com/analytics/Counter?CurrentVersion=0.219.0&PartnerID=4047&Name=overwolf_init&Value=1&UserName=OW_ffffffff-0052-4e41-bd2c-0511667dd4aa&Extra=%255b%257b%2522Name%2522%253a%2522origin%2522%252c%2522Value%2522%253a%2522silent%2522%257d%255d&owver=0.219.0.3&MUID=be987755-daa3-4cd7-b14c-7eee43920149\",\"\",\" \",\"200\",\"\",\"374\",\"2\",\"44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a\",\"Games,Software/Technology\",\"\",\"\",\"\",\"\",\"\",\"Networks\",\"\",\"NetworkName\",\"Networks\",\"HEAD\",\"\",\"\",\"Counter\",\"13671956\",\"\",\"\"", "type": [ @@ -1187,7 +1209,9 @@ }, "event": { "action": "proxy-request-HEAD", - "category": "network", + "category": [ + "network" + ], "kind": "event", "original": "\"2023-03-08 10:21:41\",\"NetworkName\",\"\",\"175.16.199.104\",\"67.43.156.205\",\"text/plain\",\"BLOCKED\",\"http://analyticsnew.overwolf.com/analytics/Counter?CurrentVersion=0.219.0&PartnerID=4047&Name=UserLoggedIn&Value=1&UserName=OW_ffffffff-0052-4e41-bd2c-0511667dd4aa&owver=0.219.0.3&MUID=be987755-daa3-4cd7-b14c-7eee43920149\",\"\",\" \",\"200\",\"\",\"374\",\"2\",\"44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a\",\"Games,Software/Technology\",\"\",\"\",\"\",\"\",\"\",\"Networks\",\"\",\"NetworkName\",\"Networks\",\"HEAD\",\"\",\"\",\"Counter\",\"13671956\",\"\",\"\"", "type": [ 
@@ -1298,7 +1322,9 @@ }, "event": { "action": "proxy-request-GET", - "category": "network", + "category": [ + "network" + ], "kind": "event", "original": "\"2023-03-08 06:54:32\",\"NetworkName\",\"\",\"175.16.199.104\",\"67.43.156.204\",\"application/octet-stream\",\"ALLOWED\",\"http://luna.avcdn.net/yq/rjse/evypttvncfx36yl3n2toc7xnu4zgngn2qa2gkx4npzch5a.bin\",\"\",\"Avast Antivirus\",\"200\",\"\",\"561\",\"230\",\"f6b70243c6f2c3b1b36bb5055550351bd540f35daf53c7c6cc719f34ed8b4c80\",\"Computer Security\",\"\",\"\",\"UNKNOWN\",\"\",\"0\",\"Networks\",\"\",\"NetworkName\",\"Networks\",\"GET\",\"\",\"\",\"evypttvncfx36yl3n2toc7xnu4zgngn2qa2gkx4npzch5a.bin\",\"13671956\",\"\",\"\"", "type": [ @@ -1412,7 +1438,9 @@ }, "event": { "action": "proxy-request-GET", - "category": "network", + "category": [ + "network" + ], "kind": "event", "original": "\"2017-10-02 23:52:53\",\"TheComputerName\",\"175.16.199.104\",\"67.43.156.204\", \"67.43.156.204\",\"\",\"ALLOWED\",\"http://google.com/the.js\",\"www.google.com\",\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36\",\"200\",\"562\",\"1489\",\"\",\"\",\"Search Engines\",\"\",\"\",\"\",\"\",\"\",\"Roaming Computer\",\"\",\"TheComputerName, ADSite,Network\",\"Roaming Computer, Site, Network\",\"GET\",\"\",\"\",\"the.js\",\"\",\"\",\"\",\"isolated\",\"downloaded_original_file\",\"warn-session\"", "type": [ diff --git a/packages/cisco_umbrella/data_stream/log/_dev/test/system/test-default-config.yml b/packages/cisco_umbrella/data_stream/log/_dev/test/system/test-default-config.yml index 685ba985ddf..9a9bc633b8a 100644 --- a/packages/cisco_umbrella/data_stream/log/_dev/test/system/test-default-config.yml +++ b/packages/cisco_umbrella/data_stream/log/_dev/test/system/test-default-config.yml @@ -10,4 +10,4 @@ data_stream: file_selectors: |- - regex: '^(.+?)\.log' assert: - hit_count: 19 \ No newline at end of file + hit_count: 19 
diff --git a/packages/cisco_umbrella/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/cisco_umbrella/data_stream/log/elasticsearch/ingest_pipeline/default.yml index cf2eaae44dc..f58521edcff 100644 --- a/packages/cisco_umbrella/data_stream/log/elasticsearch/ingest_pipeline/default.yml +++ b/packages/cisco_umbrella/data_stream/log/elasticsearch/ingest_pipeline/default.yml @@ -492,10 +492,11 @@ processors: field: event.action value: "dlp-{{cisco.umbrella.action}}" if: ctx.cisco?.umbrella?.action != null && ctx.log?.file?.path != null && ctx.log.file.path.contains('dlplogs') - - set: + - append: field: event.category value: network if: "ctx.log?.file?.path != null && !ctx.log.file.path.contains('auditlogs')" + allow_duplicates: false - append: field: event.type value: allowed @@ -508,10 +509,11 @@ processors: field: event.type value: connection if: "ctx.log?.file?.path != null && !ctx.log.file.path.contains('auditlogs')" - - set: + - append: field: event.category value: configuration if: "ctx.log?.file?.path != null && ctx.log.file.path.contains('auditlogs')" + allow_duplicates: false - append: field: event.category value: file diff --git a/packages/cisco_umbrella/manifest.yml b/packages/cisco_umbrella/manifest.yml index ef6e280be16..24734845cb2 100644 --- a/packages/cisco_umbrella/manifest.yml +++ b/packages/cisco_umbrella/manifest.yml @@ -1,7 +1,7 @@ format_version: "3.0.2" name: cisco_umbrella title: Cisco Umbrella -version: "1.23.0" +version: "1.24.0" description: Collect logs from Cisco Umbrella with Elastic Agent. type: integration categories: diff --git a/packages/crowdstrike/changelog.yml b/packages/crowdstrike/changelog.yml index 8809256127b..b1029bc5883 100644 --- a/packages/crowdstrike/changelog.yml +++ b/packages/crowdstrike/changelog.yml 
@@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.35.0" + changes: + - description: Make `host.ip` field conform to ECS field definition. + type: enhancement + link: https://github.com/elastic/integrations/pull/10120 - version: "1.34.3" changes: - description: Fix handling of empty responses in CEL. diff --git a/packages/crowdstrike/data_stream/falcon/_dev/test/pipeline/test-event-stream.log-expected.json b/packages/crowdstrike/data_stream/falcon/_dev/test/pipeline/test-event-stream.log-expected.json index 9bf6eef6340..4ebb3b0732a 100644 --- a/packages/crowdstrike/data_stream/falcon/_dev/test/pipeline/test-event-stream.log-expected.json +++ b/packages/crowdstrike/data_stream/falcon/_dev/test/pipeline/test-event-stream.log-expected.json @@ -151,7 +151,9 @@ ] }, "host": { - "ip": "81.2.69.142", + "ip": [ + "81.2.69.142" + ], "name": "nope122.na.net.ABC.com" }, "message": "A user logged into a machine for the first time", diff --git a/packages/crowdstrike/data_stream/falcon/_dev/test/pipeline/test-falcon-identity-protection-incident.log-expected.json b/packages/crowdstrike/data_stream/falcon/_dev/test/pipeline/test-falcon-identity-protection-incident.log-expected.json index dfbb159cc5d..4ef98901420 100644 --- a/packages/crowdstrike/data_stream/falcon/_dev/test/pipeline/test-falcon-identity-protection-incident.log-expected.json +++ b/packages/crowdstrike/data_stream/falcon/_dev/test/pipeline/test-falcon-identity-protection-incident.log-expected.json @@ -38,7 +38,9 @@ }, "host": { "hostname": "TESTHOSTNAME", - "ip": "89.160.20.112" + "ip": [ + "89.160.20.112" + ] }, "message": "User seen coming from a location that deviates from their baseline.", "observer": { diff --git a/packages/crowdstrike/data_stream/falcon/_dev/test/pipeline/test-falcon-ipd-summary.log-expected.json b/packages/crowdstrike/data_stream/falcon/_dev/test/pipeline/test-falcon-ipd-summary.log-expected.json index 1a9245a8a31..a39291730f4 100644 
--- a/packages/crowdstrike/data_stream/falcon/_dev/test/pipeline/test-falcon-ipd-summary.log-expected.json +++ b/packages/crowdstrike/data_stream/falcon/_dev/test/pipeline/test-falcon-ipd-summary.log-expected.json @@ -40,7 +40,9 @@ ] }, "host": { - "ip": "81.2.69.144", + "ip": [ + "81.2.69.144" + ], "name": "pc01.domain.com" }, "message": "A user logged in to a machine for the first time", diff --git a/packages/crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/identity_protection_incident.yml b/packages/crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/identity_protection_incident.yml index 9228595f4b5..b954b96a87b 100644 --- a/packages/crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/identity_protection_incident.yml +++ b/packages/crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/identity_protection_incident.yml @@ -52,11 +52,15 @@ processors: target_field: host.hostname ignore_missing: true tag: rename_user_name - - rename: + - append: + field: host.ip + value: '{{{crowdstrike.event.EndpointIp}}}' + if: ctx.crowdstrike?.event?.EndpointIp != null && ctx.crowdstrike.event.EndpointIp != '' + tag: append_host_ip + - remove: field: crowdstrike.event.EndpointIp - target_field: host.ip - ignore_missing: true - tag: rename_user_name + if: ctx.crowdstrike?.event?.EndpointIp != null + tag: remove_host_ip - convert: field: crowdstrike.event.StartTime type: string diff --git a/packages/crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/ipd_detection_summary.yml b/packages/crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/ipd_detection_summary.yml index 1989ecb1719..46aff8ade2e 100644 --- a/packages/crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/ipd_detection_summary.yml +++ b/packages/crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/ipd_detection_summary.yml 
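Review bot: The value appended to `host.ip` is taken straight from `crowdstrike.event.EndpointIp` as a string, with no check that it parses as an address, so a non-IP value in that field is rejected at index time against the ECS `ip` mapping instead of being caught by the pipeline's own error handling. A `convert` on the source field ahead of the append, e.g. `- convert: { field: crowdstrike.event.EndpointIp, type: ip, tag: convert_endpoint_ip, ignore_missing: true }`, turns a malformed value into a pipeline failure that the package's `on_failure` handling can record (that handler is not in view here). The same applies to the `SourceEndpointIpAddress` hunk in ipd_detection_summary.yml and to the `host.ip` appends from `m365_defender.event.ip_address` and `m365_defender.event.public_ip.value` in the m365_defender pipeline hunks further down.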
@@ -63,11 +63,15 @@ processors: target_field: host.name ignore_missing: true tag: rename_source_endpoint_hostname - - rename: + - append: + field: host.ip + value: '{{{crowdstrike.event.SourceEndpointIpAddress}}}' + if: ctx.crowdstrike?.event?.SourceEndpointIpAddress != null && ctx.crowdstrike.event.SourceEndpointIpAddress != '' + tag: append_host_ip + - remove: field: crowdstrike.event.SourceEndpointIpAddress - target_field: host.ip - ignore_missing: true - tag: rename_source_endpoint_ipaddress + if: ctx.crowdstrike?.event?.SourceEndpointIpAddress != null + tag: remove_host_ip - append: field: threat.technique.name value: "{{{crowdstrike.event.Technique}}}" diff --git a/packages/crowdstrike/manifest.yml b/packages/crowdstrike/manifest.yml index 78cceed2386..bdc2c01d386 100644 --- a/packages/crowdstrike/manifest.yml +++ b/packages/crowdstrike/manifest.yml @@ -1,6 +1,6 @@ name: crowdstrike title: CrowdStrike -version: "1.34.3" +version: "1.35.0" description: Collect logs from Crowdstrike with Elastic Agent. type: integration format_version: "3.0.3" diff --git a/packages/darktrace/changelog.yml b/packages/darktrace/changelog.yml index c90e902916d..c8bc1e4924d 100644 --- a/packages/darktrace/changelog.yml +++ b/packages/darktrace/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.17.0" + changes: + - description: Make `host.mac` field conform to ECS field definition. + type: enhancement + link: https://github.com/elastic/integrations/pull/10120 - version: "1.16.0" changes: - description: Update manifest format version to v3.0.3. diff --git a/packages/darktrace/data_stream/model_breach_alert/_dev/test/pipeline/test-model-breach-alert.log-expected.json b/packages/darktrace/data_stream/model_breach_alert/_dev/test/pipeline/test-model-breach-alert.log-expected.json index 4509f20b8e8..2fae1304d8d 100644 --- a/packages/darktrace/data_stream/model_breach_alert/_dev/test/pipeline/test-model-breach-alert.log-expected.json 
+++ b/packages/darktrace/data_stream/model_breach_alert/_dev/test/pipeline/test-model-breach-alert.log-expected.json @@ -1179,7 +1179,9 @@ "ip": [ "175.16.199.1" ], - "mac": "00-00-5E-00-53-00" + "mac": [ + "00-00-5E-00-53-00" + ] }, "related": { "hosts": [ @@ -1258,7 +1260,9 @@ "ip": [ "175.16.199.1" ], - "mac": "00-00-5E-00-53-00" + "mac": [ + "00-00-5E-00-53-00" + ] }, "log": { "syslog": { diff --git a/packages/darktrace/data_stream/model_breach_alert/_dev/test/system/test-udp-config.yml b/packages/darktrace/data_stream/model_breach_alert/_dev/test/system/test-udp-config.yml index e53246e2920..3369c9ff068 100644 --- a/packages/darktrace/data_stream/model_breach_alert/_dev/test/system/test-udp-config.yml +++ b/packages/darktrace/data_stream/model_breach_alert/_dev/test/system/test-udp-config.yml @@ -11,4 +11,4 @@ data_stream: numeric_keyword_fields: - darktrace.model_breach_alert.triggered_components.triggered_filters.arguments.value assert: - hit_count: 4 \ No newline at end of file + hit_count: 4 diff --git a/packages/darktrace/data_stream/model_breach_alert/elasticsearch/ingest_pipeline/default.yml b/packages/darktrace/data_stream/model_breach_alert/elasticsearch/ingest_pipeline/default.yml index 55231ee922a..b87cb690c28 100644 --- a/packages/darktrace/data_stream/model_breach_alert/elasticsearch/ingest_pipeline/default.yml +++ b/packages/darktrace/data_stream/model_breach_alert/elasticsearch/ingest_pipeline/default.yml @@ -343,10 +343,10 @@ processors: - uppercase: field: darktrace.model_breach_alert.device.mac_address ignore_missing: true - - set: + - append: field: host.mac - copy_from: darktrace.model_breach_alert.device.mac_address - ignore_failure: true + value: '{{{darktrace.model_breach_alert.device.mac_address}}}' + if: ctx.darktrace?.model_breach_alert?.device?.mac_address != null && ctx.darktrace.model_breach_alert.device.mac_address != '' - convert: field: json.device.sid target_field: darktrace.model_breach_alert.device.sid 
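Review bot: The new `append` to `host.mac` in default.yml carries no `allow_duplicates: false`, unlike the equivalent `host.mac` append this same change adds to the m365_defender pipeline_device.yml, so a second pass over the same document could leave the address listed twice. Adding `allow_duplicates: false` under the `if:` line keeps the two packages consistent; since the `append` in this hunk is the only writer of `host.mac` in view, the risk is low but the inconsistency is worth closing.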
diff --git a/packages/darktrace/manifest.yml b/packages/darktrace/manifest.yml index 4476d0137c8..750fa88fd76 100644 --- a/packages/darktrace/manifest.yml +++ b/packages/darktrace/manifest.yml @@ -1,7 +1,7 @@ format_version: "3.0.3" name: darktrace title: Darktrace -version: "1.16.0" +version: "1.17.0" description: Collect logs from Darktrace with Elastic Agent. type: integration categories: diff --git a/packages/forgerock/changelog.yml b/packages/forgerock/changelog.yml index 16ab612120c..07f7dda044e 100644 --- a/packages/forgerock/changelog.yml +++ b/packages/forgerock/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.17.0" + changes: + - description: Make `event.type` and `event.category` fields conform to ECS field definition. + type: enhancement + link: https://github.com/elastic/integrations/pull/10120 - version: "1.16.0" changes: - description: Improve handling of empty responses. diff --git a/packages/forgerock/data_stream/am_access/_dev/test/pipeline/test-am-access.log-expected.json b/packages/forgerock/data_stream/am_access/_dev/test/pipeline/test-am-access.log-expected.json index 8513738a62f..d7079a8a80d 100644 --- a/packages/forgerock/data_stream/am_access/_dev/test/pipeline/test-am-access.log-expected.json +++ b/packages/forgerock/data_stream/am_access/_dev/test/pipeline/test-am-access.log-expected.json @@ -11,7 +11,9 @@ "event": { "action": "AM-ACCESS-ATTEMPT", "id": "45463f84-ff1b-499f-aa84-8d4bd93150de-256203", - "type": "access" + "type": [ + "access" + ] }, "forgerock": { "eventName": "AM-ACCESS-ATTEMPT", @@ -80,7 +82,9 @@ "duration": 22000000, "id": "45463f84-ff1b-499f-aa84-8d4bd93150de-256211", "outcome": "success", - "type": "access" + "type": [ + "access" + ] }, "forgerock": { "eventName": "AM-ACCESS-OUTCOME", @@ -161,7 +165,9 @@ "event": { "action": "AM-ACCESS-ATTEMPT", "id": "45463f84-ff1b-499f-aa84-8d4bd93150de-256218", - "type": "access" + "type": [ + "access" + ] }, "forgerock": { "eventName": "AM-ACCESS-ATTEMPT", 
@@ -224,7 +230,9 @@
 "duration": 27000000,
 "id": "45463f84-ff1b-499f-aa84-8d4bd93150de-256225",
 "outcome": "success",
- "type": "access"
+ "type": [
+ "access"
+ ]
 },
 "forgerock": {
 "eventName": "AM-ACCESS-OUTCOME",
@@ -300,7 +308,9 @@
 "event": {
 "action": "AM-ACCESS-ATTEMPT",
 "id": "45463f84-ff1b-499f-aa84-8d4bd93150de-256232",
- "type": "access"
+ "type": [
+ "access"
+ ]
 },
 "forgerock": {
 "eventName": "AM-ACCESS-ATTEMPT",
@@ -369,7 +379,9 @@
 "duration": 18000000,
 "id": "45463f84-ff1b-499f-aa84-8d4bd93150de-256240",
 "outcome": "success",
- "type": "access"
+ "type": [
+ "access"
+ ]
 },
 "forgerock": {
 "eventName": "AM-ACCESS-OUTCOME",
@@ -450,7 +462,9 @@
 "event": {
 "action": "AM-ACCESS-ATTEMPT",
 "id": "45463f84-ff1b-499f-aa84-8d4bd93150de-256244",
- "type": "access"
+ "type": [
+ "access"
+ ]
 },
 "forgerock": {
 "eventName": "AM-ACCESS-ATTEMPT",
@@ -510,7 +524,9 @@
 "event": {
 "action": "AM-ACCESS-ATTEMPT",
 "id": "45463f84-ff1b-499f-aa84-8d4bd93150de-437950",
- "type": "access"
+ "type": [
+ "access"
+ ]
 },
 "forgerock": {
 "eventName": "AM-ACCESS-ATTEMPT",
@@ -580,7 +596,9 @@
 "duration": 10000000,
 "id": "45463f84-ff1b-499f-aa84-8d4bd93150de-437955",
 "outcome": "success",
- "type": "access"
+ "type": [
+ "access"
+ ]
 },
 "forgerock": {
 "eventName": "AM-ACCESS-OUTCOME",
@@ -656,7 +674,9 @@
 "event": {
 "action": "AM-ACCESS-ATTEMPT",
 "id": "45463f84-ff1b-499f-aa84-8d4bd93150de-438032",
- "type": "access"
+ "type": [
+ "access"
+ ]
 },
 "forgerock": {
 "eventName": "AM-ACCESS-ATTEMPT",
@@ -728,7 +748,9 @@
 "duration": 42000000,
 "id": "45463f84-ff1b-499f-aa84-8d4bd93150de-438041",
 "outcome": "success",
- "type": "access"
+ "type": [
+ "access"
+ ]
 },
 "forgerock": {
 "eventName": "AM-ACCESS-OUTCOME",
@@ -809,7 +831,9 @@
 "event": {
 "action": "AM-ACCESS-ATTEMPT",
 "id": "45463f84-ff1b-499f-aa84-8d4bd93150de-438299",
- "type": "access"
+ "type": [
+ "access"
+ ]
 },
 "forgerock": {
 "eventName": "AM-ACCESS-ATTEMPT",
@@ -883,7 +907,9 @@ "event": { "action": "AM-ACCESS-ATTEMPT", "id": "45463f84-ff1b-499f-aa84-8d4bd93150de-438327", - "type": "access" + "type": [ + "access" + ] }, "forgerock": { "eventName": "AM-ACCESS-ATTEMPT", @@ -946,7 +972,9 @@ "duration": 34000000, "id": "45463f84-ff1b-499f-aa84-8d4bd93150de-438334", "outcome": "success", - "type": "access" + "type": [ + "access" + ] }, "forgerock": { "eventName": "AM-ACCESS-OUTCOME", diff --git a/packages/forgerock/data_stream/am_access/elasticsearch/ingest_pipeline/default.yml b/packages/forgerock/data_stream/am_access/elasticsearch/ingest_pipeline/default.yml index 59b528f434f..971578f3dcd 100644 --- a/packages/forgerock/data_stream/am_access/elasticsearch/ingest_pipeline/default.yml +++ b/packages/forgerock/data_stream/am_access/elasticsearch/ingest_pipeline/default.yml @@ -39,7 +39,7 @@ processors: # am-access processing - set: field: event.type - value: access + value: [access] - set: field: event.action copy_from: forgerock.eventName diff --git a/packages/forgerock/data_stream/am_authentication/_dev/test/pipeline/test-am-authentication.log-expected.json b/packages/forgerock/data_stream/am_authentication/_dev/test/pipeline/test-am-authentication.log-expected.json index fbc04c8c0a9..6072c0f20a4 100644 --- a/packages/forgerock/data_stream/am_authentication/_dev/test/pipeline/test-am-authentication.log-expected.json +++ b/packages/forgerock/data_stream/am_authentication/_dev/test/pipeline/test-am-authentication.log-expected.json @@ -7,7 +7,9 @@ }, "event": { "action": "AM-LOGIN-COMPLETED", - "category": "authentication", + "category": [ + "authentication" + ], "id": "45463f84-ff1b-499f-aa84-8d4bd93150de-256208", "outcome": "success" }, @@ -55,7 +57,9 @@ }, "event": { "action": "AM-LOGIN-MODULE-COMPLETED", - "category": "authentication", + "category": [ + "authentication" + ], "id": "45463f84-ff1b-499f-aa84-8d4bd93150de-256221", "outcome": "success" }, 
@@ -101,7 +105,9 @@ }, "event": { "action": "AM-LOGIN-COMPLETED", - "category": "authentication", + "category": [ + "authentication" + ], "id": "45463f84-ff1b-499f-aa84-8d4bd93150de-256223", "outcome": "success" }, @@ -149,7 +155,9 @@ }, "event": { "action": "AM-LOGIN-MODULE-COMPLETED", - "category": "authentication", + "category": [ + "authentication" + ], "id": "45463f84-ff1b-499f-aa84-8d4bd93150de-256235", "outcome": "success" }, @@ -195,7 +203,9 @@ }, "event": { "action": "AM-LOGIN-COMPLETED", - "category": "authentication", + "category": [ + "authentication" + ], "id": "45463f84-ff1b-499f-aa84-8d4bd93150de-256237", "outcome": "success" }, @@ -243,7 +253,9 @@ }, "event": { "action": "AM-LOGIN-MODULE-COMPLETED", - "category": "authentication", + "category": [ + "authentication" + ], "id": "45463f84-ff1b-499f-aa84-8d4bd93150de-256247", "outcome": "success" }, @@ -289,7 +301,9 @@ }, "event": { "action": "AM-LOGIN-COMPLETED", - "category": "authentication", + "category": [ + "authentication" + ], "id": "45463f84-ff1b-499f-aa84-8d4bd93150de-256249", "outcome": "success" }, diff --git a/packages/forgerock/data_stream/am_authentication/elasticsearch/ingest_pipeline/default.yml b/packages/forgerock/data_stream/am_authentication/elasticsearch/ingest_pipeline/default.yml index 7ec7baae2fc..ea4a0d27c37 100644 --- a/packages/forgerock/data_stream/am_authentication/elasticsearch/ingest_pipeline/default.yml +++ b/packages/forgerock/data_stream/am_authentication/elasticsearch/ingest_pipeline/default.yml @@ -39,7 +39,7 @@ processors: # am-authentication processing - set: field: event.category - value: authentication + value: [authentication] - set: field: event.action copy_from: forgerock.eventName diff --git a/packages/forgerock/data_stream/idm_access/_dev/test/pipeline/test-idm-access.log-expected.json b/packages/forgerock/data_stream/idm_access/_dev/test/pipeline/test-idm-access.log-expected.json index b0ddb823279..d904b57a9b4 100644 
--- a/packages/forgerock/data_stream/idm_access/_dev/test/pipeline/test-idm-access.log-expected.json +++ b/packages/forgerock/data_stream/idm_access/_dev/test/pipeline/test-idm-access.log-expected.json @@ -13,7 +13,9 @@ "duration": 2000000, "id": "a9a32d9e-7029-45e6-b581-eafb5d502273-49025", "outcome": "success", - "type": "access" + "type": [ + "access" + ] }, "forgerock": { "eventName": "access", @@ -78,7 +80,9 @@ "duration": 2000000, "id": "a9a32d9e-7029-45e6-b581-eafb5d502273-49037", "outcome": "success", - "type": "access" + "type": [ + "access" + ] }, "forgerock": { "eventName": "access", @@ -143,7 +147,9 @@ "duration": 2000000, "id": "a9a32d9e-7029-45e6-b581-eafb5d502273-49036", "outcome": "success", - "type": "access" + "type": [ + "access" + ] }, "forgerock": { "eventName": "access", @@ -208,7 +214,9 @@ "duration": 2000000, "id": "a9a32d9e-7029-45e6-b581-eafb5d502273-49043", "outcome": "success", - "type": "access" + "type": [ + "access" + ] }, "forgerock": { "eventName": "access", diff --git a/packages/forgerock/data_stream/idm_access/elasticsearch/ingest_pipeline/default.yml b/packages/forgerock/data_stream/idm_access/elasticsearch/ingest_pipeline/default.yml index d060c38e07a..f3e52548d7c 100644 --- a/packages/forgerock/data_stream/idm_access/elasticsearch/ingest_pipeline/default.yml +++ b/packages/forgerock/data_stream/idm_access/elasticsearch/ingest_pipeline/default.yml @@ -39,7 +39,7 @@ processors: # idm-access processing - set: field: event.type - value: access + value: [access] - convert: field: forgerock.client.ip target_field: client.ip diff --git a/packages/forgerock/data_stream/idm_authentication/_dev/test/pipeline/test-idm-authentication.log-expected.json b/packages/forgerock/data_stream/idm_authentication/_dev/test/pipeline/test-idm-authentication.log-expected.json index 2d8a2700efb..10628d44625 100644 --- a/packages/forgerock/data_stream/idm_authentication/_dev/test/pipeline/test-idm-authentication.log-expected.json 
+++ b/packages/forgerock/data_stream/idm_authentication/_dev/test/pipeline/test-idm-authentication.log-expected.json @@ -6,7 +6,9 @@ "version": "8.11.0" }, "event": { - "category": "authentication", + "category": [ + "authentication" + ], "id": "45463f84-ff1b-499f-aa84-8d4bd93150de-256208", "outcome": "success" }, diff --git a/packages/forgerock/data_stream/idm_authentication/elasticsearch/ingest_pipeline/default.yml b/packages/forgerock/data_stream/idm_authentication/elasticsearch/ingest_pipeline/default.yml index 70ca8d32fb2..432174f8f7e 100644 --- a/packages/forgerock/data_stream/idm_authentication/elasticsearch/ingest_pipeline/default.yml +++ b/packages/forgerock/data_stream/idm_authentication/elasticsearch/ingest_pipeline/default.yml @@ -39,7 +39,7 @@ processors: # idm-authentication processing - set: field: event.category - value: authentication + value: [authentication] - set: field: user.id copy_from: forgerock.userId diff --git a/packages/forgerock/data_stream/idm_config/_dev/test/pipeline/test-idm-config.log-expected.json b/packages/forgerock/data_stream/idm_config/_dev/test/pipeline/test-idm-config.log-expected.json index e4e9f589af1..0e0e793abab 100644 --- a/packages/forgerock/data_stream/idm_config/_dev/test/pipeline/test-idm-config.log-expected.json +++ b/packages/forgerock/data_stream/idm_config/_dev/test/pipeline/test-idm-config.log-expected.json @@ -6,7 +6,9 @@ "version": "8.11.0" }, "event": { - "category": "configuration", + "category": [ + "configuration" + ], "id": "5e787c05-c32f-40d3-9e77-666376f6738f-134332" }, "forgerock": { @@ -38,7 +40,9 @@ "version": "8.11.0" }, "event": { - "category": "configuration", + "category": [ + "configuration" + ], "id": "5e787c05-c32f-40d3-9e77-666376f6738f-135286" }, "forgerock": { @@ -70,7 +74,9 @@ "version": "8.11.0" }, "event": { - "category": "configuration", + "category": [ + "configuration" + ], "id": "5e787c05-c32f-40d3-9e77-666376f6738f-135504" }, "forgerock": { 
diff --git a/packages/forgerock/data_stream/idm_config/elasticsearch/ingest_pipeline/default.yml b/packages/forgerock/data_stream/idm_config/elasticsearch/ingest_pipeline/default.yml index fe960c7a787..00fc0b04b45 100644 --- a/packages/forgerock/data_stream/idm_config/elasticsearch/ingest_pipeline/default.yml +++ b/packages/forgerock/data_stream/idm_config/elasticsearch/ingest_pipeline/default.yml @@ -39,7 +39,7 @@ processors: # idm-config processing - set: field: event.category - value: configuration + value: [configuration] - set: field: user.id copy_from: forgerock.userId diff --git a/packages/forgerock/manifest.yml b/packages/forgerock/manifest.yml index bd910386831..5cf00dab053 100644 --- a/packages/forgerock/manifest.yml +++ b/packages/forgerock/manifest.yml @@ -1,6 +1,6 @@ name: forgerock title: "ForgeRock" -version: "1.16.0" +version: "1.17.0" description: Collect audit logs from ForgeRock with Elastic Agent. type: integration format_version: "3.0.2" diff --git a/packages/lumos/changelog.yml b/packages/lumos/changelog.yml index 3569bb977be..82bcec0922a 100644 --- a/packages/lumos/changelog.yml +++ b/packages/lumos/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.2.0" + changes: + - description: Make `event.type` field conform to ECS field definition. + type: enhancement + link: https://github.com/elastic/integrations/pull/10120 - version: "1.1.0" changes: - description: Improve handling of empty responses. diff --git a/packages/lumos/data_stream/activity_logs/_dev/test/pipeline/test-activity-logs.log-expected.json b/packages/lumos/data_stream/activity_logs/_dev/test/pipeline/test-activity-logs.log-expected.json index a4caf105880..e148e5ff78a 100644 --- a/packages/lumos/data_stream/activity_logs/_dev/test/pipeline/test-activity-logs.log-expected.json +++ b/packages/lumos/data_stream/activity_logs/_dev/test/pipeline/test-activity-logs.log-expected.json 
@@ -7,9 +7,11 @@ "event": { "action": "SOD_POLICY_DELETED", "id": "630b90cedc35a8a5f43361534099bee51e032f42dd442085fc76ef094d228f543c78fbe59c132df992cf71a6b8496504e8ebbc6020fbae1f34206676985412e7", + "kind": "event", "outcome": "success", - "type": "info", - "kind": "event" + "type": [ + "info" + ] }, "lumos": { "activity_logs": { @@ -38,9 +40,11 @@ "event": { "action": "SOD_POLICY_DELETED", "id": "630b90cedc35a8a5f43361534099bee51e032f42dd442085fc76ef094d228f543c78fbe59c132df992cf71a6b8496504e8ebbc6020fbae1f34206676985412e7", + "kind": "event", "outcome": "success", - "type": "info", - "kind": "event" + "type": [ + "info" + ] }, "lumos": { "activity_logs": { diff --git a/packages/lumos/data_stream/activity_logs/elasticsearch/ingest_pipeline/default.yml b/packages/lumos/data_stream/activity_logs/elasticsearch/ingest_pipeline/default.yml index 648d7b43563..4dafa0c0aae 100644 --- a/packages/lumos/data_stream/activity_logs/elasticsearch/ingest_pipeline/default.yml +++ b/packages/lumos/data_stream/activity_logs/elasticsearch/ingest_pipeline/default.yml @@ -36,7 +36,7 @@ processors: value: event - set: field: event.type - value: info + value: [info] - script: description: Drops null/empty values recursively lang: painless diff --git a/packages/lumos/manifest.yml b/packages/lumos/manifest.yml index f60ee036d08..247ea50d7f9 100644 --- a/packages/lumos/manifest.yml +++ b/packages/lumos/manifest.yml @@ -1,7 +1,7 @@ format_version: 3.1.2 name: lumos title: "Lumos" -version: 1.1.0 +version: 1.2.0 description: "An integration with Lumos to ship your Activity logs to your Elastic instance." type: integration categories: diff --git a/packages/m365_defender/changelog.yml b/packages/m365_defender/changelog.yml index 832215f0b8a..3529064c4fa 100644 --- a/packages/m365_defender/changelog.yml +++ b/packages/m365_defender/changelog.yml 
@@ -1,4 +1,9 @@ # newer versions go on top +- version: "2.12.0" + changes: + - description: Make `host.ip` and `host.mac` fields conform to ECS field definition. + type: enhancement + link: https://github.com/elastic/integrations/pull/10120 - version: "2.11.0" changes: - description: Improve detection rules support diff --git a/packages/m365_defender/data_stream/event/_dev/test/pipeline/test-app-and-identity.log-expected.json b/packages/m365_defender/data_stream/event/_dev/test/pipeline/test-app-and-identity.log-expected.json index 32f8877a7dc..8c4f7b4c564 100644 --- a/packages/m365_defender/data_stream/event/_dev/test/pipeline/test-app-and-identity.log-expected.json +++ b/packages/m365_defender/data_stream/event/_dev/test/pipeline/test-app-and-identity.log-expected.json @@ -19,7 +19,9 @@ ] }, "host": { - "ip": "89.160.20.112", + "ip": [ + "89.160.20.112" + ], "name": "testmachine5", "os": { "name": "Windows 10", @@ -234,7 +236,9 @@ ] }, "host": { - "ip": "81.2.69.142" + "ip": [ + "81.2.69.142" + ] }, "m365_defender": { "event": { @@ -316,7 +320,9 @@ ] }, "host": { - "ip": "10.180.101.20", + "ip": [ + "10.180.101.20" + ], "name": "d2wxa1303r.d300b.cenlar.com", "os": { "type": "windows" @@ -418,7 +424,9 @@ ] }, "host": { - "ip": "10.173.130.18", + "ip": [ + "10.173.130.18" + ], "name": "d1wrpws12d.d300b.cenlar.com", "os": { "type": "windows" diff --git a/packages/m365_defender/data_stream/event/_dev/test/pipeline/test-device.log-expected.json b/packages/m365_defender/data_stream/event/_dev/test/pipeline/test-device.log-expected.json index 7b3acc24603..b113b2a5bae 100644 --- a/packages/m365_defender/data_stream/event/_dev/test/pipeline/test-device.log-expected.json +++ b/packages/m365_defender/data_stream/event/_dev/test/pipeline/test-device.log-expected.json @@ -839,7 +839,9 @@ "region_name": "England" }, "id": "999b6fd7c532534ba50b3232fa992c38a2712345", - "ip": "81.2.69.142", + "ip": [ + "81.2.69.142" + ], "name": "testmachine6", "type": "Workstation" }, 
@@ -1276,7 +1278,9 @@ }, "host": { "id": "999b6fd7c532534ba50b3232fa992c38a273d4fb", - "mac": "000D3A9EC781", + "mac": [ + "00-0D-3A-9E-C7-81" + ], "name": "testmachine6" }, "m365_defender": { @@ -2016,7 +2020,6 @@ "preserve_duplicate_custom_fields" ], "url": { - "extension": "tld", "original": "subdomain.domain.tld", "path": "subdomain.domain.tld" }, @@ -2715,7 +2718,6 @@ "preserve_duplicate_custom_fields" ], "url": { - "extension": "com", "original": "url.com", "path": "url.com" }, @@ -5102,7 +5104,9 @@ "region_name": "England" }, "id": "78dca52447922201adb5c38f20f3351dc2a31668", - "ip": "81.2.69.142", + "ip": [ + "81.2.69.142" + ], "name": "sample-device", "os": { "full": "Linux", diff --git a/packages/m365_defender/data_stream/event/elasticsearch/ingest_pipeline/pipeline_app_and_identity.yml b/packages/m365_defender/data_stream/event/elasticsearch/ingest_pipeline/pipeline_app_and_identity.yml index 310f2c3422b..6b826df8051 100644 --- a/packages/m365_defender/data_stream/event/elasticsearch/ingest_pipeline/pipeline_app_and_identity.yml +++ b/packages/m365_defender/data_stream/event/elasticsearch/ingest_pipeline/pipeline_app_and_identity.yml @@ -385,11 +385,11 @@ processors: field: host.name tag: lowercase_host_name if: ctx.host?.name != null - - set: + - append: field: host.ip - copy_from: m365_defender.event.ip_address - tag: set_host_ip - ignore_empty_value: true + value: '{{{m365_defender.event.ip_address}}}' + tag: append_host_ip + if: ctx.m365_defender?.event?.ip_address != null && ctx.m365_defender.event.ip_address != '' - set: field: host.os.type value: windows 
@@ -537,12 +537,16 @@ processors: tag: append_related_hosts if: ctx.host?.name != null allow_duplicates: false - - append: - field: related.ip - value: '{{{host.ip}}}' - tag: append_related_ip - if: ctx.host?.ip != null - allow_duplicates: false + - foreach: + field: host.ip + if: ctx.host?.ip instanceof List + ignore_failure: true + processor: + append: + field: related.ip + tag: append_host_ip_to_related_ip + value: '{{{_ingest._value}}}' + allow_duplicates: false - append: field: related.hosts value: '{{{user.domain}}}' diff --git a/packages/m365_defender/data_stream/event/elasticsearch/ingest_pipeline/pipeline_device.yml b/packages/m365_defender/data_stream/event/elasticsearch/ingest_pipeline/pipeline_device.yml index 0c3a81af768..c66b737837d 100644 --- a/packages/m365_defender/data_stream/event/elasticsearch/ingest_pipeline/pipeline_device.yml +++ b/packages/m365_defender/data_stream/event/elasticsearch/ingest_pipeline/pipeline_device.yml @@ -1928,11 +1928,11 @@ processors: copy_from: m365_defender.event.device.id tag: set_host_id ignore_empty_value: true - - set: + - append: field: host.ip - copy_from: m365_defender.event.public_ip.value - tag: set_host_ip - ignore_empty_value: true + value: '{{{m365_defender.event.public_ip.value}}}' + tag: append_host_ip + if: ctx.m365_defender?.event?.public_ip?.value != null && ctx.m365_defender.event.public_ip.value != '' - set: field: host.architecture copy_from: m365_defender.event.os.architecture @@ -1981,10 +1981,21 @@ processors: tag: uppercase_m365_defender_event_mac_address ignore_missing: true - set: - field: host.mac + field: _tmp.mac copy_from: m365_defender.event.mac_address tag: set_host_mac ignore_empty_value: true + - gsub: + field: _tmp.mac + pattern: '(..)(?!$)' + replacement: '$1-' + tag: gsub_host_mac + ignore_missing: true + - append: + field: host.mac + value: '{{{_tmp.mac}}}' + if: ctx._tmp?.mac != null + allow_duplicates: false # Registry Mapping - set: 
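Review bot: The `gsub` that inserts hyphens into `_tmp.mac` assumes the value is always the 12-character unseparated form the fixture shows (`000D3A9EC781`); if the source `mac_address` ever arrives already colon- or hyphen-separated, the `(..)(?!$)` pattern scrambles it (`00:0D…` becomes `00-:0-D…`) and the scrambled string is what the following `append` writes to `host.mac`. Guarding the gsub with `if: ctx._tmp?.mac instanceof String && ctx._tmp.mac.length() == 12` leaves an already-separated value untouched and still lets the append carry it through. The new `append` is also the only processor in this hunk without a `tag:`, which makes it harder to attribute in the pipeline's error messages; `tag: append_host_mac` would match its siblings.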
@@ -2529,11 +2540,16 @@ processors: value: '{{{destination.ip}}}' if: ctx.destination?.ip != null allow_duplicates: false - - append: - field: related.ip - value: '{{{host.ip}}}' - if: ctx.host?.ip != null - allow_duplicates: false + - foreach: + field: host.ip + if: ctx.host?.ip instanceof List + ignore_failure: true + processor: + append: + field: related.ip + tag: append_host_ip_to_related_ip + value: '{{{_ingest._value}}}' + allow_duplicates: false - append: field: related.ip value: '{{{m365_defender.event.ipv4_dhcp}}}' @@ -2676,6 +2692,10 @@ processors: - m365_defender.event.dns.answers - m365_defender.event.dns.header_flags ignore_missing: true + - remove: + field: + - _tmp + ignore_missing: true on_failure: - append: field: error.message diff --git a/packages/m365_defender/manifest.yml b/packages/m365_defender/manifest.yml index 0f8950f2154..d96266b8594 100644 --- a/packages/m365_defender/manifest.yml +++ b/packages/m365_defender/manifest.yml @@ -1,7 +1,7 @@ format_version: "3.0.2" name: m365_defender title: Microsoft M365 Defender -version: "2.11.0" +version: "2.12.0" description: Collect logs from Microsoft M365 Defender with Elastic Agent. categories: - "security" diff --git a/packages/mattermost/changelog.yml b/packages/mattermost/changelog.yml index 49508cac48a..f7550a8dee7 100644 --- a/packages/mattermost/changelog.yml +++ b/packages/mattermost/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "2.0.0" + changes: + - description: Make `event.type` field conform to ECS field definition. + type: enhancement + link: https://github.com/elastic/integrations/pull/10120 - version: "1.18.0" changes: - description: Update manifest format version to v3.0.3. diff --git a/packages/mattermost/data_stream/audit/_dev/test/pipeline/test-audit.log-expected.json b/packages/mattermost/data_stream/audit/_dev/test/pipeline/test-audit.log-expected.json index c9b686e7ffb..e94017669a9 100644 
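Review bot: The `foreach` over `host.ip` is guarded by `ctx.host?.ip instanceof List` and marked `ignore_failure: true`, so a scalar `host.ip` (should any processor outside this hunk still `set` it) is silently never mirrored into `related.ip`, and a failure in the inner `append` is swallowed instead of being recorded in `error.message` as the pipeline's `on_failure` otherwise does. Since the earlier change in this file now always builds `host.ip` via `append`, the guard is probably safe, but dropping `ignore_failure: true` — or adding a scalar fallback, `if: ctx.host?.ip != null && !(ctx.host.ip instanceof List)` — keeps the two fields consistent under either shape. Worth a one-line comment above the `foreach`: `# host.ip is always a list here (built with append above); mirror each entry into related.ip`.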
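Review bot: The `remove` of `_tmp` added at the end of the main processor list does not execute when an earlier processor fails and control transfers to `on_failure`, so a document that hits the error path can be indexed with `_tmp.mac` still present. If leaking the scratch field is undesirable (it is not part of the package's declared fields), add the same `remove: field: _tmp, ignore_missing: true` inside the `on_failure` block as well, next to the `error.message` append. The `on_failure` block continues past the end of this hunk.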
--- a/packages/mattermost/data_stream/audit/_dev/test/pipeline/test-audit.log-expected.json +++ b/packages/mattermost/data_stream/audit/_dev/test/pipeline/test-audit.log-expected.json @@ -1584,7 +1584,6 @@ "original": "{\"timestamp\":\"2021-12-05 00:03:01.043 Z\",\"event\":\"getConfig\",\"status\":\"success\",\"user_id\":\"ag99yu4i1if63jrui63tsmq57y\",\"session_id\":\"mbz8h4gkxp8g3yzanizcpg43dc\",\"ip_address\":\"89.160.20.156\",\"api_path\":\"/api/v4/config\",\"cluster_id\":\"jq3utry71f8a7q9qgebmjccf4r\",\"client\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36\"}", "outcome": "success", "type": [ - "admin", "info" ] }, @@ -1851,7 +1850,6 @@ "original": "{\"timestamp\":\"2021-12-05 00:12:11.211 Z\",\"event\":\"getConfig\",\"status\":\"success\",\"user_id\":\"ag99yu4i1if63jrui63tsmq57y\",\"session_id\":\"mbz8h4gkxp8g3yzanizcpg43dc\",\"ip_address\":\"89.160.20.156\",\"api_path\":\"/api/v4/config\",\"cluster_id\":\"jq3utry71f8a7q9qgebmjccf4r\",\"client\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36\"}", "outcome": "success", "type": [ - "admin", "info" ] }, @@ -2920,7 +2918,6 @@ "original": "{\"timestamp\":\"2021-12-05 17:24:33.077 Z\",\"event\":\"updateUserActive\",\"status\":\"success\",\"user_id\":\"ag99yu4i1if63jrui63tsmq57y\",\"session_id\":\"jnqqnh3onjympe4u8pa5mgtexw\",\"ip_address\":\"89.160.20.156\",\"active\":false,\"api_path\":\"/api/v4/users/z63ehbxy47fwpc8bmz9ouuh7fe/active\",\"user\":{\"id\":\"z63ehbxy47fwpc8bmz9ouuh7fe\",\"name\":\"other2\",\"roles\":\"system_user\"},\"cluster_id\":\"jq3utry71f8a7q9qgebmjccf4r\",\"client\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36\"}", "outcome": "success", "type": [ - "admin", "user", "change" ] 
diff --git a/packages/mattermost/data_stream/audit/elasticsearch/ingest_pipeline/default.yml b/packages/mattermost/data_stream/audit/elasticsearch/ingest_pipeline/default.yml index 13ce825b45c..461ed79ac19 100644 --- a/packages/mattermost/data_stream/audit/elasticsearch/ingest_pipeline/default.yml +++ b/packages/mattermost/data_stream/audit/elasticsearch/ingest_pipeline/default.yml @@ -213,7 +213,6 @@ processors: category: - configuration type: - - admin - info updateConfig: category: @@ -236,7 +235,6 @@ processors: category: - iam type: - - admin - user - change patchUser: diff --git a/packages/mattermost/manifest.yml b/packages/mattermost/manifest.yml index d2ba2cade86..001f869f42a 100644 --- a/packages/mattermost/manifest.yml +++ b/packages/mattermost/manifest.yml @@ -1,7 +1,7 @@ format_version: "3.0.3" name: mattermost title: "Mattermost" -version: "1.18.0" +version: "2.0.0" description: Collect logs from Mattermost with Elastic Agent. type: integration categories: diff --git a/packages/microsoft_exchange_online_message_trace/_dev/deploy/docker/files/config.yml b/packages/microsoft_exchange_online_message_trace/_dev/deploy/docker/files/config.yml index c80066e82ac..073ed113dbb 100644 --- a/packages/microsoft_exchange_online_message_trace/_dev/deploy/docker/files/config.yml +++ b/packages/microsoft_exchange_online_message_trace/_dev/deploy/docker/files/config.yml @@ -64,7 +64,7 @@ rules: # end normal httpjson test # start null trailing httpjson test - path: /ecp/reportingwebservice/reporting.svc/MessageTrace - methods: [ GET ] + methods: [GET] request_headers: Authorization: - "Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6Ilg1ZVhrN" @@ -85,7 +85,7 @@ rules: ] } - path: /ecp/reportingwebservice/reporting.svc/MessageTrace - methods: [ GET ] + methods: [GET] request_headers: Authorization: - "Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6Ilg1ZVhrN" 
@@ -102,4 +102,4 @@ rules: "odata.metadata":"https://reports.office365.com/ecp/ReportingWebService/Reporting.svc/$metadata#MessageTrace", "value": [] } - # end null trailing httpjson test +# end null trailing httpjson test diff --git a/packages/microsoft_exchange_online_message_trace/changelog.yml b/packages/microsoft_exchange_online_message_trace/changelog.yml index c7edeab7509..83ed1c79b49 100644 --- a/packages/microsoft_exchange_online_message_trace/changelog.yml +++ b/packages/microsoft_exchange_online_message_trace/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.21.0" + changes: + - description: Make `event.outcome` field conform to ECS field definition. + type: enhancement + link: https://github.com/elastic/integrations/pull/10120 - version: "1.20.0" changes: - description: Improve handling of empty responses. diff --git a/packages/microsoft_exchange_online_message_trace/data_stream/log/_dev/test/pipeline/test-log.log-expected.json b/packages/microsoft_exchange_online_message_trace/data_stream/log/_dev/test/pipeline/test-log.log-expected.json index ca07b4f65e1..3adbb319800 100644 --- a/packages/microsoft_exchange_online_message_trace/data_stream/log/_dev/test/pipeline/test-log.log-expected.json +++ b/packages/microsoft_exchange_online_message_trace/data_stream/log/_dev/test/pipeline/test-log.log-expected.json 
@@ -57,7 +57,7 @@ "event": { "end": "2022-09-05T21:46:46.420Z", "original": "{\"EndDate\":\"2022-09-05T21:46:46.4206759Z\",\"FromIP\":\"81.2.69.144\",\"Index\":0,\"MessageId\":\"\\u003ca210cf91-4f2e-484c-8ada-3b27064ee5e3@az.uksouth.production.microsoft.com\\u003e\",\"MessageTraceId\":\"cf7a249a-5edd-4350-130a-08da8f69e0f6\",\"Organization\":\"contoso.com\",\"Received\":\"2022-09-05T18:10:13.4907658\",\"RecipientAddress\":\"linus@contoso.com\",\"SenderAddress\":\"azure-noreply@azure.microsoft.com\",\"Size\":87891,\"StartDate\":\"2022-09-03T21:46:46.4206759Z\",\"Status\":\"Delivered\",\"Subject\":\"PIM: A privileged directory role was assigned outside of PIM\",\"ToIP\":\"216.160.83.56\"}", - "outcome": "Delivered", + "outcome": "success", "start": "2022-09-03T21:46:46.420Z" }, "microsoft": { @@ -161,7 +161,7 @@ "event": { "end": "2022-10-22T09:40:10.000Z", "original": "{\"Organization\":\"contoso.com\",\"MessageId\":\"\\u003cGVAP278MB037518E76F4082DFE9B607B3DA2D9@GVAP278MB0375.CHEP278.PROD.OUTLOOK.COM\\u003e\",\"Received\":\"2022-10-21T17:25:30.6006882Z\",\"SenderAddress\":\"noreply@azure.microsoft.com\",\"RecipientAddress\":\"linus@contoso.com\",\"Subject\":\"testmail 1\",\"Status\":\"Delivered\",\"ToIP\":null,\"FromIP\":\"81.2.69.144\",\"Size\":22704,\"MessageTraceId\":\"a6f62809-5cda-4454-0962-08dab38940d6\",\"StartDate\":\"2022-10-21T09:40:10Z\",\"EndDate\":\"2022-10-22T09:40:10Z\",\"Index\":1}", - "outcome": "Delivered", + "outcome": "success", "start": "2022-10-21T09:40:10.000Z" }, "microsoft": { 
@@ -264,7 +264,7 @@ "event": { "end": "2022-10-22T09:40:10.000Z", "original": "{\"Organization\":\"contoso.com\",\"MessageId\":\"\\u003cGVAP278MB037586A65EF1FB2F844B0258DA2D9@GVAP278MB0375.CHEP278.PROD.OUTLOOK.COM\\u003e\",\"Received\":\"2022-10-21T17:25:36.969376Z\",\"SenderAddress\":\"noreply@azure.microsoft.com\",\"RecipientAddress\":\"linus@contoso.com\",\"Subject\":\"testmail 2\",\"Status\":\"Delivered\",\"ToIP\":null,\"FromIP\":\"81.2.69.144\",\"Size\":22761,\"MessageTraceId\":\"a5e6dc0f-23df-4b20-d240-08dab38944a1\",\"StartDate\":\"2022-10-21T09:40:10Z\",\"EndDate\":\"2022-10-22T09:40:10Z\",\"Index\":0}", - "outcome": "Delivered", + "outcome": "success", "start": "2022-10-21T09:40:10.000Z" }, "microsoft": { @@ -367,7 +367,7 @@ "event": { "end": "2022-10-22T09:40:10.000Z", "original": "{\"Organization\":\"contoso.com\",\"MessageId\":\"\\u003cGVAP278MB037586A65EF1FB2F844B0258DA2D9@GVAP278MB0375.CHEP278.PROD.OUTLOOK.COM\\u003e\",\"Received\":\"2022-10-21T17:25:36.969376Z\",\"SenderAddress\":\"noreply@contoso.com\",\"RecipientAddress\":\"linus@contoso.com\",\"Subject\":\"testmail 2\",\"Status\":\"Delivered\",\"ToIP\":null,\"FromIP\":\"81.2.69.144\",\"Size\":22761,\"MessageTraceId\":\"a5e6dc0f-23df-4b20-d240-08dab38944a1\",\"StartDate\":\"2022-10-21T09:40:10Z\",\"EndDate\":\"2022-10-22T09:40:10Z\",\"Index\":0}", - "outcome": "Delivered", + "outcome": "success", "start": "2022-10-21T09:40:10.000Z" }, "microsoft": { diff --git a/packages/microsoft_exchange_online_message_trace/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/microsoft_exchange_online_message_trace/data_stream/log/elasticsearch/ingest_pipeline/default.yml index 09af005de28..89b542d0154 100644 --- a/packages/microsoft_exchange_online_message_trace/data_stream/log/elasticsearch/ingest_pipeline/default.yml +++ b/packages/microsoft_exchange_online_message_trace/data_stream/log/elasticsearch/ingest_pipeline/default.yml 
@@ -19,8 +19,16 @@ processors: if: ctx.microsoft?.online_message_trace?.value instanceof List && ctx.microsoft.online_message_trace.value.length == 0 - set: field: event.outcome - copy_from: microsoft.online_message_trace.Status - ignore_empty_value: true + value: success + if: ctx.microsoft?.online_message_trace?.Status?.equalsIgnoreCase('delivered') == true + - set: + field: event.outcome + value: failure + if: ctx.microsoft?.online_message_trace?.Status?.equalsIgnoreCase('failed') == true + - set: + field: event.outcome + value: unknown + if: ctx.event?.outcome == null - set: field: _temp_.email.from.address copy_from: microsoft.online_message_trace.SenderAddress diff --git a/packages/microsoft_exchange_online_message_trace/manifest.yml b/packages/microsoft_exchange_online_message_trace/manifest.yml index 6a0d0739788..e210fd066f4 100644 --- a/packages/microsoft_exchange_online_message_trace/manifest.yml +++ b/packages/microsoft_exchange_online_message_trace/manifest.yml @@ -1,7 +1,7 @@ format_version: "3.0.2" name: microsoft_exchange_online_message_trace title: "Microsoft Exchange Online Message Trace" -version: "1.20.0" +version: "1.21.0" description: "Microsoft Exchange Online Message Trace Integration" type: integration categories: diff --git a/packages/pulse_connect_secure/changelog.yml b/packages/pulse_connect_secure/changelog.yml index 579b9998ec3..924aa0c5bb8 100644 --- a/packages/pulse_connect_secure/changelog.yml +++ b/packages/pulse_connect_secure/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "2.0.0" + changes: + - description: Make `event.category` and `event.type` fields conform to ECS field definition. + type: enhancement + link: https://github.com/elastic/integrations/pull/10120 - version: "1.19.1" changes: - description: Fix ingest pipeline warnings 
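Review bot: Only `Delivered` and `Failed` receive a definite `event.outcome`; every other `Status` value falls through to `unknown`, which is ECS-valid for genuinely indeterminate states but, if the trace API also emits statuses such as `Pending`, `Quarantined` or `FilteredAsSpam` (not exercised by the visible test data), those are all flattened into one bucket. That is acceptable as long as the raw value survives in `microsoft.online_message_trace.Status`, but the intent should be stated so rule authors don't read `unknown` as "not delivered": above the first `set`, `# Only Delivered/Failed map to a definite ECS outcome; every other trace Status is reported as unknown and kept verbatim in Status.`. The `equalsIgnoreCase(...) == true` form is correctly null-safe for a missing Status.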
diff --git a/packages/pulse_connect_secure/data_stream/log/_dev/test/pipeline/test-log-admin.log-expected.json b/packages/pulse_connect_secure/data_stream/log/_dev/test/pipeline/test-log-admin.log-expected.json index 8238e716f26..e9b60ff159a 100644 --- a/packages/pulse_connect_secure/data_stream/log/_dev/test/pipeline/test-log-admin.log-expected.json +++ b/packages/pulse_connect_secure/data_stream/log/_dev/test/pipeline/test-log-admin.log-expected.json @@ -28,7 +28,9 @@ "version": "8.11.0" }, "event": { - "category": "network", + "category": [ + "network" + ], "created": "2021-10-19T10:20:40.000+02:00", "kind": "event", "original": "Oct 19 10:20:40 pcs-node1 1 2021-10-19T10:20:40+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 10:20:40 - pcs-node1 - [89.160.20.156] System()[] - Connection from IP 89.160.20.156 not authenticated yet (URL=/dana-na/auth/welcome.cgi?p=forced-off)", @@ -90,7 +92,9 @@ "version": "8.11.0" }, "event": { - "category": "network", + "category": [ + "network" + ], "created": "2021-10-19T10:20:41.000+02:00", "kind": "event", "original": "Oct 19 10:20:41 pcs-node1 1 2021-10-19T10:20:41+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 10:20:41 - pcs-node1 - [127.0.0.1] System()[] - Connection from IP 89.160.20.156 not authenticated yet (URL=/dana-na/auth/url_o2d6zvh39ac6C92s/welcome.cgi?p=forced-off)", @@ -152,7 +156,9 @@ "version": "8.11.0" }, "event": { - "category": "network", + "category": [ + "network" + ], "created": "2021-10-19T10:20:57.000+02:00", "kind": "event", "original": "Oct 19 10:20:57 pcs-node1 1 2021-10-19T10:20:57+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 10:20:57 - pcs-node1 - [89.160.20.156] admin(ADMIN_REALM)[] - Source IP realm restrictions successfully passed for admin/ADMIN_REALM", 
@@ -232,7 +238,9 @@ "version": "8.11.0" }, "event": { - "category": "network", + "category": [ + "network" + ], "created": "2021-10-19T10:20:57.000+02:00", "kind": "event", "original": "Oct 19 10:20:57 pcs-node1 1 2021-10-19T10:20:57+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 10:20:57 - pcs-node1 - [89.160.20.156] admin(ADMIN_REALM)[] - User Limit realm restrictions successfully passed for admin/ADMIN_REALM", @@ -312,7 +320,9 @@ "version": "8.11.0" }, "event": { - "category": "network", + "category": [ + "network" + ], "created": "2021-10-19T10:20:57.000+02:00", "kind": "event", "original": "Oct 19 10:20:57 pcs-node1 1 2021-10-19T10:20:57+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 10:20:57 - pcs-node1 - [89.160.20.156] admin(ADMIN_REALM)[] - Login failed. Reason: Wrong Password", @@ -394,7 +404,9 @@ "version": "8.11.0" }, "event": { - "category": "network", + "category": [ + "network" + ], "created": "2021-10-19T10:20:57.000+02:00", "kind": "event", "original": "Oct 19 10:20:57 pcs-node1 1 2021-10-19T10:20:57+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 10:20:57 - pcs-node1 - [89.160.20.156] admin(ADMIN_REALM)[] - Primary authentication failed for admin/Administrators from 89.160.20.156", @@ -474,7 +486,9 @@ "version": "8.11.0" }, "event": { - "category": "network", + "category": [ + "network" + ], "created": "2021-10-19T10:20:57.000+02:00", "kind": "event", "original": "Oct 19 10:20:57 pcs-node1 1 2021-10-19T10:20:57+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 10:20:57 - pcs-node1 - [89.160.20.156] admin(ADMIN_REALM)[ADMIN_ROLE] - Login failed using auth server Administrators (Local Authentication). Reason: Failed", 
@@ -556,7 +570,9 @@ "version": "8.11.0" }, "event": { - "category": "network", + "category": [ + "network" + ], "created": "2021-10-19T10:21:07.000+02:00", "kind": "event", "original": "Oct 19 10:21:07 pcs-node1 1 2021-10-19T10:21:07+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 10:21:07 - pcs-node1 - [89.160.20.156] admin(ADMIN_REALM)[] - Source IP realm restrictions successfully passed for admin/ADMIN_REALM", @@ -636,7 +652,9 @@ "version": "8.11.0" }, "event": { - "category": "network", + "category": [ + "network" + ], "created": "2021-10-19T10:21:07.000+02:00", "kind": "event", "original": "Oct 19 10:21:07 pcs-node1 1 2021-10-19T10:21:07+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 10:21:07 - pcs-node1 - [89.160.20.156] admin(ADMIN_REALM)[] - User Limit realm restrictions successfully passed for admin/ADMIN_REALM", @@ -716,7 +734,9 @@ "version": "8.11.0" }, "event": { - "category": "network", + "category": [ + "network" + ], "created": "2021-10-19T10:21:07.000+02:00", "kind": "event", "original": "Oct 19 10:21:07 pcs-node1 1 2021-10-19T10:21:07+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 10:21:07 - pcs-node1 - [89.160.20.156] admin(ADMIN_REALM)[] - Primary authentication successful for admin/Administrators fr", diff --git a/packages/pulse_connect_secure/data_stream/log/_dev/test/pipeline/test-log-syslog.log-expected.json b/packages/pulse_connect_secure/data_stream/log/_dev/test/pipeline/test-log-syslog.log-expected.json index b84281d3e94..d0f93fde2c1 100644 --- a/packages/pulse_connect_secure/data_stream/log/_dev/test/pipeline/test-log-syslog.log-expected.json +++ b/packages/pulse_connect_secure/data_stream/log/_dev/test/pipeline/test-log-syslog.log-expected.json 
@@ -28,7 +28,9 @@ "version": "8.11.0" }, "event": { - "category": "network", + "category": [ + "network" + ], "created": "2022-01-19T10:19:35.000+01:00", "kind": "event", "original": "<174>1 2022-01-19T10:19:35+01:00 89.160.20.112 PulseSecure: - - - 2022-01-19 10:19:35 - pcs-name - [89.160.20.156] username(REALM)[ROLE] - Primary authentication successful for username/REALM from 89.160.20.156", @@ -110,7 +112,9 @@ "version": "8.11.0" }, "event": { - "category": "network", + "category": [ + "network" + ], "created": "2022-01-19T10:23:16.000+01:00", "kind": "event", "original": "<174>1 2022-01-19T10:23:16+01:00 89.160.20.112 PulseSecure: - - - 2022-01-19 10:23:16 - pcs-name - [89.160.20.156] username(REALM)[ROLE] - Host Checker policy 'HC_POLICY' passed on host '89.160.20.156' address '2D-FF-88-AA-BB-DC' for user 'username'.", @@ -192,7 +196,9 @@ "version": "8.11.0" }, "event": { - "category": "network", + "category": [ + "network" + ], "created": "2022-01-19T10:24:04.000+01:00", "kind": "event", "original": "<174>1 2022-01-19T10:24:04+01:00 89.160.20.112 PulseSecure: - - - 2022-01-19 10:24:04 - pcs-name - [89.160.20.156] username(REALM)[ROLE] - Syslog server 81.2.69.144 (facility LOCAL5, filter Standard, type UDP, interface Global) removed from Events logs", @@ -256,7 +262,9 @@ "version": "8.11.0" }, "event": { - "category": "network", + "category": [ + "network" + ], "created": "2022-01-19T10:23:06.000+01:00", "kind": "event", "original": "<174>1 2022-01-19T10:23:06+01:00 89.160.20.112 PulseSecure: - - - 2022-01-19 10:23:06 - pcs-name - [127.0.0.1] System()[] - The current virus signature list imported successfully.", 
@@ -302,7 +310,9 @@ "version": "8.11.0" }, "event": { - "category": "network", + "category": [ + "network" + ], "created": "2022-01-19T10:23:06.000+01:00", "kind": "event", "original": "<174>1 2022-01-19T10:23:06+01:00 89.160.20.112 PulseSecure: - - - 2022-01-19 10:23:06 - pcs-name - [127.0.0.1] System()[] - The current virus signature list downloaded successfully from 'https://download.pulsesecure.net/software/av/uac/epupdate_hist.xml'", diff --git a/packages/pulse_connect_secure/data_stream/log/_dev/test/pipeline/test-log-system.log-expected.json b/packages/pulse_connect_secure/data_stream/log/_dev/test/pipeline/test-log-system.log-expected.json index 81700ecf127..dcedff488b0 100644 --- a/packages/pulse_connect_secure/data_stream/log/_dev/test/pipeline/test-log-system.log-expected.json +++ b/packages/pulse_connect_secure/data_stream/log/_dev/test/pipeline/test-log-system.log-expected.json @@ -10,7 +10,9 @@ "version": "8.11.0" }, "event": { - "category": "network", + "category": [ + "network" + ], "created": "2021-10-19T09:11:09.000+02:00", "kind": "event", "original": "Oct 19 09:11:09 pcs-node0 1 2021-10-19T09:11:09+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 09:11:09 - pcs-node0 - [127.0.0.1] System()[] - No new virus signature list available from 'https://download.pulsesecure.net/software/av/uac/epupdate_hist.xml'.", @@ -72,7 +74,9 @@ "version": "8.11.0" }, "event": { - "category": "network", + "category": [ + "network" + ], "created": "2021-10-19T09:11:55.000+02:00", "kind": "event", "original": "Oct 19 09:11:55 pcs-node1 1 2021-10-19T09:11:55+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 09:11:55 - pcs-node1 - [89.160.20.156] System(REALM)[] - User Limit realm restrictions successfully passed for /REALM", 
@@ -134,7 +138,9 @@ "version": "8.11.0" }, "event": { - "category": "network", + "category": [ + "network" + ], "created": "2021-10-19T09:18:34.000+02:00", "kind": "event", "original": "Oct 19 09:18:34 pcs-node0 1 2021-10-19T09:18:34+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 09:18:34 - pcs-node0 - [127.0.0.1] System()[] - Integrity Checker Tool: Periodic Scan Started!", @@ -178,7 +184,9 @@ "version": "8.11.0" }, "event": { - "category": "network", + "category": [ + "network" + ], "created": "2021-10-19T09:18:47.000+02:00", "kind": "event", "original": "Oct 19 09:18:47 pcs-node0 1 2021-10-19T09:18:47+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 09:18:47 - pcs-node0 - [127.0.0.1] System()[] - Integrity Scan Completed: Integrity Scan Results : Matched Files 18773, Newly Detected Files 0, Mismatched Files 0", @@ -222,7 +230,9 @@ "version": "8.11.0" }, "event": { - "category": "network", + "category": [ + "network" + ], "created": "2021-10-19T09:18:47.000+02:00", "kind": "event", "original": "Oct 19 09:18:47 pcs-node0 1 2021-10-19T09:18:47+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 09:18:47 - pcs-node0 - [127.0.0.1] System()[] - Integrity Checker Tool: Periodic Scan Finished!", @@ -284,7 +294,9 @@ "version": "8.11.0" }, "event": { - "category": "network", + "category": [ + "network" + ], "created": "2021-10-19T09:11:19.000+02:00", "kind": "event", "original": "Oct 19 09:11:19 pcs-node1 1 2021-10-19T09:11:19+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 09:11:19 - pcs-node1 - [89.160.20.156] user.name(REALM)[REALM_ROLES] - User user.name denied access as the client version '9.1.11.6725' is lower than the minimum client version configured", 
@@ -364,7 +376,9 @@ "version": "8.11.0" }, "event": { - "category": "network", + "category": [ + "network" + ], "created": "2021-10-19T09:16:34.000+02:00", "kind": "event", "original": "Oct 19 09:16:34 pcs-node1 1 2021-10-19T09:16:34+02:00 hostname.example.com PulseSecure: - - - 2021-10-19 09:16:34 - pcs-node1 - [89.160.20.156] user.name(REALM)[REALM_ROLES] - Session timed out for user.name/REALM (session:sid03ac4653fd74a5ac36cffb2783be3309590f3d616617a4a7) due to inactivity (last access at 09:05:47 2021/10/19). Idle session identified during routine system scan.", @@ -445,7 +459,9 @@ "version": "8.11.0" }, "event": { - "category": "network", + "category": [ + "network" + ], "created": "2021-10-19T09:16:34.000+02:00", "kind": "event", "original": "Oct 19 09:16:34 pcs-node1 1 2021-10-19T09:16:34+02:00 hostname.example.com PulseSecure: - - - 2022-09-01 11:24:26 - ive - [89.160.20.156] Root::DOMAIN\\testuser(Network Connect)[General Web Bookmarks, Group Drives, Pulse Secure Client, VPN Static Pool 1, VLAN Source IP 12.3] - Host Checker policy 'Antivirus' passed on host '111.111.111.111' address 'aa-aa-aa-aa-aa-0c' for user 'DOMAIN\\testuser'", diff --git a/packages/pulse_connect_secure/data_stream/log/_dev/test/pipeline/test-log-vpn.log-expected.json b/packages/pulse_connect_secure/data_stream/log/_dev/test/pipeline/test-log-vpn.log-expected.json index b0e78a041b5..25033cb2840 100644 --- a/packages/pulse_connect_secure/data_stream/log/_dev/test/pipeline/test-log-vpn.log-expected.json +++ b/packages/pulse_connect_secure/data_stream/log/_dev/test/pipeline/test-log-vpn.log-expected.json 
@@ -28,7 +28,9 @@ "version": "8.11.0" }, "event": { - "category": "network", + "category": [ + "network" + ], "created": "2021-10-19T09:16:53.000+02:00", "kind": "event", "original": "Oct 19 09:16:53 pcs-node1 1 2021-10-19T09:16:53+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 09:16:53 - pcs-node1 - [89.160.20.156] user.name(REALM)[] - Primary authentication successful for user.name/REALM from 89.160.20.156", @@ -108,7 +110,9 @@ "version": "8.11.0" }, "event": { - "category": "network", + "category": [ + "network" + ], "created": "2021-10-19T09:10:35.000+02:00", "kind": "event", "original": "Oct 19 09:10:35 pcs-node1 1 2021-10-19T09:10:35+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 09:10:35 - pcs-node1 - [89.160.20.156] user.name(REALM)[REALM_ROLES] - Agent login succeeded for user.name/REALM (session:sid74fa8e00ca601280318287f67dfaee7cc6da40db0be6ac75) from 89.160.20.156 with Pulse-Secure/9.1.13.11723 (Windows 10) Pulse/9.1.13.11723.", @@ -207,14 +211,15 @@ "version": "8.11.0" }, "event": { - "category": "network", + "category": [ + "network" + ], "created": "2021-10-19T09:10:35.000+02:00", "kind": "event", "original": "Oct 19 09:10:35 pcs-node1 1 2021-10-19T09:10:35+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 09:10:35 - pcs-node1 - [89.160.20.156] user.name(REALM)[REALM_ROLES] - VPN Tunneling: Session started for user (session: sid74fa8e00ca601280318287f67dfaee7cc6da40db0be6ac75) with IPv4 address 172.22.27.209, hostname Desktop", "timezone": "+02:00", "type": [ "connection", - "session", "start" ] }, @@ -302,7 +307,9 @@ "version": "8.11.0" }, "event": { - "category": "network", + "category": [ + "network" + ], "created": "2021-10-19T09:10:35.000+02:00", "kind": "event", "original": "Oct 19 09:10:35 pcs-node1 1 2021-10-19T09:10:35+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 09:10:35 - pcs-node1 - [89.160.20.156] user.name(REALM)[REALM_ROLES] - VPN Tunneling: User with IP 172.22.27.209 connected with SSL transport mode.", 
@@ -382,7 +389,9 @@ "version": "8.11.0" }, "event": { - "category": "network", + "category": [ + "network" + ], "created": "2021-10-19T10:12:11.000+02:00", "kind": "event", "original": "Oct 19 10:12:11 pcs-node1 1 2021-10-19T10:12:11+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 10:12:11 - pcs-node1 - [89.160.20.156] user.name(REALM)[] - User Limit realm restrictions successfully passed for user.name/REALM", @@ -462,7 +471,9 @@ "version": "8.11.0" }, "event": { - "category": "network", + "category": [ + "network" + ], "created": "2021-10-19T10:12:11.000+02:00", "kind": "event", "original": "Oct 19 10:12:11 pcs-node1 1 2021-10-19T10:12:11+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 10:12:11 - pcs-node1 - [89.160.20.156] user.name(REALM)[] - Login failed. Reason: Wrong Password", @@ -544,7 +555,9 @@ "version": "8.11.0" }, "event": { - "category": "network", + "category": [ + "network" + ], "created": "2021-10-19T10:12:11.000+02:00", "kind": "event", "original": "Oct 19 10:12:11 pcs-node1 1 2021-10-19T10:12:11+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 10:12:11 - pcs-node1 - [89.160.20.156] user.name(REALM)[] - Primary authentication failed for user.name/sign-in-page from 89.160.20.156", @@ -624,7 +637,9 @@ "version": "8.11.0" }, "event": { - "category": "network", + "category": [ + "network" + ], "created": "2021-10-19T10:12:11.000+02:00", "kind": "event", "original": "Oct 19 10:12:11 pcs-node1 1 2021-10-19T10:12:11+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 10:12:11 - pcs-node1 - [89.160.20.156] user.name(REALM)[] - Login failed using auth server AuthServer (Local Authentication). Reason: Failed", 
@@ -706,7 +721,9 @@ "version": "8.11.0" }, "event": { - "category": "network", + "category": [ + "network" + ], "created": "2021-10-19T09:49:40.000+02:00", "kind": "event", "original": "Oct 19 09:49:40 pcs-node1 1 2021-10-19T09:49:40+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 09:49:40 - pcs-node1 - [89.160.20.156] user.name(REALM)[REALM_ROLES] - Closed connection to TUN-VPN port 443 after 9 seconds, with 1308 bytes read (in 1 chunks) and 1131 bytes written (in 1 chunks) (session:sid085594569c49f5da11e483b49eaaabfc6fede5ce4a227da4)", @@ -792,14 +809,15 @@ "version": "8.11.0" }, "event": { - "category": "network", + "category": [ + "network" + ], "created": "2021-10-19T09:49:40.000+02:00", "kind": "event", "original": "Oct 19 09:49:40 pcs-node1 1 2021-10-19T09:49:40+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 09:49:40 - pcs-node1 - [89.160.20.156] user.name(REALM)[REALM_ROLES] - VPN Tunneling: Session ended for user (session: sid085594569c49f5da11e483b49eaaabfc6fede5ce4a227da4) with IPv4 address 172.22.27.209", "timezone": "+02:00", "type": [ "connection", - "session", "end" ] }, @@ -886,7 +904,9 @@ "version": "8.11.0" }, "event": { - "category": "network", + "category": [ + "network" + ], "created": "2021-10-19T09:49:41.000+02:00", "kind": "event", "original": "Oct 19 09:49:41 pcs-node1 1 2021-10-19T09:49:41+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 09:49:41 - pcs-node1 - [89.160.20.156] user.name()[] - Logout from 89.160.20.156 (session:sid085594569c49f5da11e483b49eaaabfc6fede5ce4a227da4)", 
@@ -969,7 +989,9 @@ "version": "8.11.0" }, "event": { - "category": "network", + "category": [ + "network" + ], "created": "2021-10-19T09:11:19.000+02:00", "kind": "event", "original": "Oct 19 09:11:19 pcs-node1 1 2021-10-19T09:11:19+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 09:11:19 - pcs-node1 - [89.160.20.156] user.name(REALM)[REALM_ROLES] - Session resumed from user agent 'Pulse-Secure/9.1.11.6725 (Windows 10) Pulse/9.1.11.6725' (session:sid9734dc3a195205ddb89cc05a9261a271201b4687ab468240).", @@ -1064,7 +1086,9 @@ "version": "8.11.0" }, "event": { - "category": "network", + "category": [ + "network" + ], "created": "2023-03-03T17:21:09.000+01:00", "kind": "event", "original": "<134>1 2023-03-03T17:21:09+01:00 10.5.2.3 PulseSecure: - - - 2023-03-03 17:21:09 - sslvpn02 - [89.160.20.156] user.name@students.mydom.com(MembersSAML)[MemberRole] - WebRequest completed, GET to https://some.web.ch:443//sss/sessionPing?unique=0.10846163950738053 from 81.2.69.144 result=200 sent=60 received=4 in 1 seconds", @@ -1147,7 +1171,9 @@ "version": "8.11.0" }, "event": { - "category": "network", + "category": [ + "network" + ], "created": "2024-01-11T14:23:28.000+01:00", "kind": "event", "original": "<134>1 2024-01-11T14:23:28+01:00 10.5.2.3 PulseSecure: - - - 2024-01-11 14:23:28 - ssl-vpn01 - [89.160.20.156] user.name@mydom.mytld(Admin SSO)[.Administrators][64e62c265e] - Session timed out for user.name@mydom.tld/Admin SSO (session:sidbe3ce20a68202d1b91a4be7060b78c4a2825ce9100000000) due to inactivity (last access at 13:51:42 2024/01/11). Idle session identified during routine system scan.", diff --git a/packages/pulse_connect_secure/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/pulse_connect_secure/data_stream/log/elasticsearch/ingest_pipeline/default.yml index ace8572d9fd..ae8a2068bd2 100644 --- a/packages/pulse_connect_secure/data_stream/log/elasticsearch/ingest_pipeline/default.yml 
+++ b/packages/pulse_connect_secure/data_stream/log/elasticsearch/ingest_pipeline/default.yml @@ -51,7 +51,7 @@ processors: value: event - set: field: event.category - value: network + value: [network] - grok: field: message patterns: @@ -83,14 +83,12 @@ processors: field: event.type value: - connection - - session - start if: ctx._tmp?.type != null && ctx._tmp?.type == "started" - append: field: event.type value: - connection - - session - end if: ctx._tmp?.type != null && ctx._tmp?.type == "ended" # IP Geolocation Lookup diff --git a/packages/pulse_connect_secure/manifest.yml b/packages/pulse_connect_secure/manifest.yml index 079d716aa4f..c6659c897a1 100644 --- a/packages/pulse_connect_secure/manifest.yml +++ b/packages/pulse_connect_secure/manifest.yml @@ -1,6 +1,6 @@ name: pulse_connect_secure title: Pulse Connect Secure -version: 1.19.1 +version: 2.0.0 description: Collect logs from Pulse Connect Secure with Elastic Agent. type: integration icons: diff --git a/packages/sentinel_one/changelog.yml b/packages/sentinel_one/changelog.yml index 4bde37e1a09..1710c03e9f2 100644 --- a/packages/sentinel_one/changelog.yml +++ b/packages/sentinel_one/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.23.0" + changes: + - description: Make `host.ip` field conform to ECS field definition. + type: enhancement + link: https://github.com/elastic/integrations/pull/10120 - version: "1.22.0" changes: - description: Add agent.id to all agent related data. diff --git a/packages/sentinel_one/data_stream/agent/_dev/test/pipeline/test-pipeline-agent.log-expected.json b/packages/sentinel_one/data_stream/agent/_dev/test/pipeline/test-pipeline-agent.log-expected.json index f1d893a939f..13643692a51 100644 --- a/packages/sentinel_one/data_stream/agent/_dev/test/pipeline/test-pipeline-agent.log-expected.json +++ b/packages/sentinel_one/data_stream/agent/_dev/test/pipeline/test-pipeline-agent.log-expected.json 
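Review bot: `event.category` is now the list `[network]` for every Pulse record, yet the expectation files in this patch show authentication events (`Login failed. Reason: Wrong Password`, `Primary authentication successful …`) that under ECS belong in `authentication` with an `event.outcome`; turning the field into an array is the right first step, and an `append` of `authentication` where the grok already distinguishes those messages (outside this hunk) would complete the conformance the changelog entry claims. Minor style: `value: [network]` is a flow sequence in an otherwise block-style file; `value:` followed by `  - network` matches the `append` entries further down the pipeline.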
@@ -34,7 +34,9 @@
 "region_name": "England"
 },
 "id": "13491234512345",
- "ip": "81.2.69.143",
+ "ip": [
+ "81.2.69.143"
+ ],
 "mac": [
 "00-00-5E-00-53-00"
 ],
diff --git a/packages/sentinel_one/data_stream/agent/elasticsearch/ingest_pipeline/default.yml b/packages/sentinel_one/data_stream/agent/elasticsearch/ingest_pipeline/default.yml
index 27a2cdf9466..576ec6c4836 100644
--- a/packages/sentinel_one/data_stream/agent/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/sentinel_one/data_stream/agent/elasticsearch/ingest_pipeline/default.yml
@@ -187,7 +187,6 @@ processors:
 value: '{{{_ingest.on_failure_message}}}'
 - convert:
 field: json.externalIp
- target_field: host.ip
 type: ip
 ignore_missing: true
 on_failure:
@@ -197,10 +196,16 @@ processors:
 - append:
 field: error.message
 value: '{{{_ingest.on_failure_message}}}'
+ - append:
+ field: host.ip
+ value: '{{{json.externalIp}}}'
+ if: ctx.json?.externalIp != null
+ allow_duplicates: false
+ ignore_failure: true
 - append:
 field: related.ip
- value: '{{{host.ip}}}'
- if: ctx.host?.ip != null
+ value: '{{{json.externalIp}}}'
+ if: ctx.json?.externalIp != null
 allow_duplicates: false
 ignore_failure: true
 - convert:
diff --git a/packages/sentinel_one/data_stream/alert/_dev/test/pipeline/test-pipeline-alert.log-expected.json b/packages/sentinel_one/data_stream/alert/_dev/test/pipeline/test-pipeline-alert.log-expected.json
index a4bcbdd7749..c094ff3fd68 100644
--- a/packages/sentinel_one/data_stream/alert/_dev/test/pipeline/test-pipeline-alert.log-expected.json
+++ b/packages/sentinel_one/data_stream/alert/_dev/test/pipeline/test-pipeline-alert.log-expected.json
@@ -43,7 +43,9 @@
 "mtime": "2018-02-27T04:49:26.257Z"
 },
 "host": {
- "ip": "81.2.69.192",
+ "ip": [
+ "81.2.69.192"
+ ],
 "name": "string",
 "os": {
 "family": "string",
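Review bot: The new `append` to `host.ip` in the `@@ -197,10 +196,16 @@` hunk fires whenever `json.externalIp` is non-null, but the `convert` that validates it as an IP no longer writes the validated value to `host.ip`; when the conversion fails, the `on_failure` handler records the error and the raw, unparseable string is still appended to `host.ip` and `related.ip`, which are `ip`-mapped fields under ECS and will reject the document at index time unless the template sets `ignore_malformed`. Before this change a failed conversion simply left `host.ip` unset and the `related.ip` append was gated on `ctx.host?.ip != null`. Keeping a validated copy and appending from it avoids this: give the convert `target_field: _tmp.external_ip` (constructed name; confirm what the pipeline already removes) and use `value: '{{{_tmp.external_ip}}}'` with `if: ctx._tmp?.external_ip != null` on both appends. The same pattern is introduced in the alert pipeline (`json.alertInfo.srcMachineIp`) and the threat pipeline (`json.agentDetectionInfo.externalIp`) on the following lines. The convert's `on_failure` block is split across the two hunks, so part of it is not visible here.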
diff --git a/packages/sentinel_one/data_stream/alert/elasticsearch/ingest_pipeline/default.yml b/packages/sentinel_one/data_stream/alert/elasticsearch/ingest_pipeline/default.yml
index 11614c75bc2..95b52afdfca 100644
--- a/packages/sentinel_one/data_stream/alert/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/sentinel_one/data_stream/alert/elasticsearch/ingest_pipeline/default.yml
@@ -202,7 +202,6 @@ processors:
 ignore_missing: true
 - convert:
 field: json.alertInfo.srcMachineIp
- target_field: host.ip
 type: ip
 ignore_missing: true
 on_failure:
@@ -212,10 +211,16 @@ processors:
 - append:
 field: error.message
 value: '{{{_ingest.on_failure_message}}}'
+ - append:
+ field: host.ip
+ value: '{{{json.alertInfo.srcMachineIp}}}'
+ if: ctx.json?.alertInfo?.srcMachineIp != null
+ allow_duplicates: false
+ ignore_failure: true
 - append:
 field: related.ip
- value: '{{{host.ip}}}'
- if: ctx.host?.ip != null
+ value: '{{{json.alertInfo.srcMachineIp}}}'
+ if: ctx.json?.alertInfo?.srcMachineIp != null
 allow_duplicates: false
 ignore_failure: true
 - rename:
diff --git a/packages/sentinel_one/data_stream/threat/_dev/test/pipeline/test-pipeline-threat.log-expected.json b/packages/sentinel_one/data_stream/threat/_dev/test/pipeline/test-pipeline-threat.log-expected.json
index 8b57a0e42fc..9a43927082b 100644
--- a/packages/sentinel_one/data_stream/threat/_dev/test/pipeline/test-pipeline-threat.log-expected.json
+++ b/packages/sentinel_one/data_stream/threat/_dev/test/pipeline/test-pipeline-threat.log-expected.json
@@ -32,7 +32,9 @@
 "region_name": "England"
 },
 "id": "1234567890123456789",
- "ip": "81.2.69.143",
+ "ip": [
+ "81.2.69.143"
+ ],
 "mac": [
 "00-00-5E-00-53-00"
 ],
@@ -277,7 +279,9 @@
 "region_name": "England"
 },
 "id": "1234567890123456789",
- "ip": "81.2.69.143",
+ "ip": [
+ "81.2.69.143"
+ ],
 "mac": [
 "00-00-5E-00-53-00"
 ],
@@ -567,7 +571,9 @@
 "region_name": "England"
 },
 "id": "1234567890123456789",
- "ip": "81.2.69.143",
+ "ip": [
+ "81.2.69.143"
+ ],
 "mac": [
 "00-00-5E-00-53-00"
 ],
@@ -857,7 +863,9 @@
 "region_name": "England"
 },
 "id": "1234567890123456789",
- "ip": "81.2.69.143",
+ "ip": [
+ "81.2.69.143"
+ ],
 "mac": [
 "00-00-5E-00-53-00"
 ],
@@ -1147,7 +1155,9 @@
 "region_name": "England"
 },
 "id": "1234567890123456789",
- "ip": "81.2.69.143",
+ "ip": [
+ "81.2.69.143"
+ ],
 "mac": [
 "00-00-5E-00-53-00"
 ],
diff --git a/packages/sentinel_one/data_stream/threat/elasticsearch/ingest_pipeline/default.yml b/packages/sentinel_one/data_stream/threat/elasticsearch/ingest_pipeline/default.yml
index 792219ae3ec..cce132a5da6 100644
--- a/packages/sentinel_one/data_stream/threat/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/sentinel_one/data_stream/threat/elasticsearch/ingest_pipeline/default.yml
@@ -168,7 +168,6 @@ processors:
 ignore_missing: true
 - convert:
 field: json.agentDetectionInfo.externalIp
- target_field: host.ip
 type: ip
 ignore_missing: true
 on_failure:
@@ -179,18 +178,24 @@ processors:
 field: error.message
 value: '{{{_ingest.on_failure_message}}}'
 - geoip:
- field: host.ip
+ field: json.agentDetectionInfo.externalIp
 target_field: host.geo
 ignore_missing: true
- if: ctx.host?.ip != null && ctx.host.ip != ''
+ if: ctx.json?.agentDetectionInfo?.externalIp != null
 on_failure:
 - append:
 field: error.message
 value: '{{{_ingest.on_failure_message}}}'
+ - append:
+ field: host.ip
+ value: '{{{json.agentDetectionInfo.externalIp}}}'
+ if: ctx.json?.agentDetectionInfo?.externalIp != null
+ allow_duplicates: false
+ ignore_failure: true
 - append:
 field: related.ip
- value: '{{{host.ip}}}'
- if: ctx.host?.ip != null
+ value: '{{{json.agentDetectionInfo.externalIp}}}'
+ if: ctx.json?.agentDetectionInfo?.externalIp != null
 allow_duplicates: false
 ignore_failure: true
 - rename:
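Review bot: The rewritten `geoip` condition in the `@@ -179,18 +178,24 @@` hunk drops the `!= ''` half of the old `ctx.host?.ip != null && ctx.host.ip != ''` guard, and the two new `append` conditions have no empty-string check either, so a blank `json.agentDetectionInfo.externalIp` now reaches `geoip` (producing an `error.message` entry) and is appended as `""` to `host.ip` and `related.ip`, where previously it could not have reached `host.ip` at all because the conversion would have failed first. Whether SentinelOne actually emits blank values here is not visible in the hunk, but the old guard suggests it was seen. Restoring the check on all three processors, `if: ctx.json?.agentDetectionInfo?.externalIp != null && ctx.json.agentDetectionInfo.externalIp != ''`, keeps the prior behaviour. The `processors:` list continues beyond both hunks.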
diff --git a/packages/sentinel_one/manifest.yml b/packages/sentinel_one/manifest.yml
index a0af02ef890..d3badc4457f 100644
--- a/packages/sentinel_one/manifest.yml
+++ b/packages/sentinel_one/manifest.yml
@@ -1,7 +1,7 @@
 format_version: "3.0.2"
 name: sentinel_one
 title: SentinelOne
-version: "1.22.0"
+version: "1.23.0"
 description: Collect logs from SentinelOne with Elastic Agent.
 type: integration
 categories:
diff --git a/packages/ti_cybersixgill/changelog.yml b/packages/ti_cybersixgill/changelog.yml
index cc6806f8a7b..e04ab070b79 100644
--- a/packages/ti_cybersixgill/changelog.yml
+++ b/packages/ti_cybersixgill/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.29.0"
+ changes:
+ - description: Make `event.type` field conform to ECS field definition.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/10120
 - version: "1.28.1"
 changes:
 - description: Adjust field mappings for transform destination index.
diff --git a/packages/ti_cybersixgill/data_stream/threat/_dev/test/pipeline/test-cybersixgill-ndjson.log-expected.json b/packages/ti_cybersixgill/data_stream/threat/_dev/test/pipeline/test-cybersixgill-ndjson.log-expected.json
index 3a6aeeb9b57..b700fe9ca11 100644
--- a/packages/ti_cybersixgill/data_stream/threat/_dev/test/pipeline/test-cybersixgill-ndjson.log-expected.json
+++ b/packages/ti_cybersixgill/data_stream/threat/_dev/test/pipeline/test-cybersixgill-ndjson.log-expected.json
@@ -26,7 +26,9 @@ "kind": "enrichment", "original": "{\"confidence\":80,\"created\":\"2021-12-07T09:22:41.485Z\",\"description\":\"Virustotal link that appeared on a dark web site, generally to show malware that is undetected\",\"extensions\":{\"extension-definition--4582f9eb-bad5-46ac-bd26-1b4201d52537\":{\"extension_type\":\"toplevel-property-extension\"}},\"external_references\":[{\"positive_rate\":\"none\",\"source_name\":\"VirusTotal\",\"url\":\"https://virustotal.com/#/file/2e7e43be1fc3cbefef8d686ce63ceb30456a4a67d555407fb6797e969972945c\"},{\"description\":\"Mitre attack tactics and technique reference\",\"mitre_attack_tactic\":\"Test capabilities\",\"mitre_attack_tactic_id\":\"TA0025\",\"mitre_attack_tactic_url\":\"https://attack.mitre.org/tactics/TA0025/\",\"mitre_attack_technique\":\"Test signature detection for file upload/email filters\",\"mitre_attack_technique_id\":\"T1361\",\"mitre_attack_technique_url\":\"https://attack.mitre.org/techniques/T1361/\",\"source_name\":\"mitre-attack\"}],\"id\":\"indicator--b34d3caa-e4e2-49bd-9b57-f585728320e8\",\"indicator_types\":[\"malicious-activity\"],\"lang\":\"en\",\"modified\":\"2021-12-07T09:22:41.485Z\",\"name\":\"31aef6bddfeeb3f519dfe3d5ebe9c2ae;e54ef45c82899dd2b20372cf47958cea94dd80a7;2e7e43be1fc3cbefef8d686ce63ceb30456a4a67d555407fb6797e969972945c\",\"pattern\":\"[file:hashes.MD5 = '31aef6bddfeeb3f519dfe3d5ebe9c2ae' OR file:hashes.'SHA-1' = 'e54ef45c82899dd2b20372cf47958cea94dd80a7' OR file:hashes.'SHA-256' = '2e7e43be1fc3cbefef8d686ce63ceb30456a4a67d555407fb6797e969972945c']\",\"pattern_type\":\"stix\",\"sixgill_actor\":\"layna61524\",\"sixgill_confidence\":80,\"sixgill_feedid\":\"darkfeed_002\",\"sixgill_feedname\":\"darkweb_vt_links\",\"sixgill_post_virustotallink\":\"https://virustotal.com/#/file/2e7e43be1fc3cbefef8d686ce63ceb30456a4a67d555407fb6797e969972945c\",\"sixgill_postid\":\"a452593da2f6314c2f2d6c98c6473608e11914e3\",\"sixgill_posttitle\":\"[GET] LAYNA'S LAGNIAPPE - DECEMBER 6, 
2021\",\"sixgill_severity\":70,\"sixgill_source\":\"forum_bestblackhat\",\"spec_version\":\"2.1\",\"type\":\"indicator\",\"valid_from\":\"2021-12-07T00:03:00Z\"}", "severity": 70, - "type": "indicator" + "type": [ + "indicator" + ] }, "tags": [ "preserve_original_event" @@ -85,7 +87,9 @@ "kind": "enrichment", "original": "{\"confidence\":80,\"created\":\"2021-12-07T18:04:26.451Z\",\"description\":\"Malware available for download from file-sharing sites\",\"extensions\":{\"extension-definition--4582f9eb-bad5-46ac-bd26-1b4201d52537\":{\"extension_type\":\"toplevel-property-extension\"}},\"external_references\":[{\"description\":\"Mitre attack tactics and technique reference\",\"mitre_attack_tactic\":\"Build Capabilities\",\"mitre_attack_tactic_id\":\"TA0024\",\"mitre_attack_tactic_url\":\"https://attack.mitre.org/tactics/TA0024/\",\"mitre_attack_technique\":\"Obtain/re-use payloads\",\"mitre_attack_technique_id\":\"T1346\",\"mitre_attack_technique_url\":\"https://attack.mitre.org/techniques/T1346/\",\"source_name\":\"mitre-attack\"}],\"id\":\"indicator--ade54b36-752d-4107-a2ed-dd666fa1cb85\",\"indicator_types\":[\"malicious-activity\"],\"lang\":\"ru\",\"modified\":\"2021-12-07T18:04:26.451Z\",\"name\":\"https://ru.scribd.com/user/456422024/ForkLog#from_embed\",\"pattern\":\"[url:value = 'https://ru.scribd.com/user/456422024/ForkLog#from_embed']\",\"pattern_type\":\"stix\",\"sixgill_actor\":\"CoinProject.info\",\"sixgill_confidence\":80,\"sixgill_feedid\":\"darkfeed_010\",\"sixgill_feedname\":\"malware_download_urls\",\"sixgill_postid\":\"3f8c56e4cf6407ee7608e0f605503cb1e3fcedb9\",\"sixgill_posttitle\":\"Банковский регулятор США напомнил о рисках внедрения криптовалют\",\"sixgill_severity\":70,\"sixgill_source\":\"forum_hyipinvest\",\"spec_version\":\"2.1\",\"type\":\"indicator\",\"valid_from\":\"2021-12-07T14:52:00Z\"}", "severity": 70, - "type": "indicator" + "type": [ + "indicator" + ] }, "tags": [ "preserve_original_event" 
@@ -144,7 +148,9 @@ "kind": "enrichment", "original": "{\"confidence\":70,\"created\":\"2021-12-07T21:24:50.350Z\",\"description\":\"Hash attributed to malware that was discovered in the dark and deep web\",\"extensions\":{\"extension-definition--4582f9eb-bad5-46ac-bd26-1b4201d52537\":{\"extension_type\":\"toplevel-property-extension\"}},\"external_references\":[{\"description\":\"Mitre attack tactics and technique reference\",\"mitre_attack_tactic\":\"Build Capabilities\",\"mitre_attack_tactic_id\":\"TA0024\",\"mitre_attack_tactic_url\":\"https://attack.mitre.org/tactics/TA0024/\",\"source_name\":\"mitre-attack\"}],\"id\":\"indicator--18f0351d-b61f-4961-ab41-0b10566ee602\",\"indicator_types\":[\"malicious-activity\"],\"lang\":\"zh\",\"modified\":\"2021-12-07T21:24:50.350Z\",\"name\":\"1dce6f3ba4a8d355df21a17584c514697ee0c37b51ab5657bc5b3a297b65955f\",\"pattern\":\"[file:hashes.'SHA-256' = '1dce6f3ba4a8d355df21a17584c514697ee0c37b51ab5657bc5b3a297b65955f']\",\"pattern_type\":\"stix\",\"sixgill_actor\":\"Admin\",\"sixgill_confidence\":70,\"sixgill_feedid\":\"darkfeed_012\",\"sixgill_feedname\":\"dark_web_hashes\",\"sixgill_post_virustotallink\":\"https://virustotal.com/#/file/1dce6f3ba4a8d355df21a17584c514697ee0c37b51ab5657bc5b3a297b65955f\",\"sixgill_postid\":\"c550f74ba76c0b2c9c46b0577f551ba5ef855813\",\"sixgill_posttitle\":\"海康威视因自身漏洞被黑客利用而遭受攻击\",\"sixgill_severity\":70,\"sixgill_source\":\"blog_hackdig\",\"spec_version\":\"2.1\",\"type\":\"indicator\",\"valid_from\":\"2021-12-07T21:23:33Z\"}", "severity": 70, - "type": "indicator" + "type": [ + "indicator" + ] }, "tags": [ "preserve_original_event" 
@@ -201,7 +207,9 @@ "kind": "enrichment", "original": "{\"confidence\":90,\"created\":\"2021-12-07T22:48:59.141Z\",\"description\":\"Shell access to this domain is being sold on dark web markets\",\"extensions\":{\"extension-definition--4582f9eb-bad5-46ac-bd26-1b4201d52537\":{\"extension_type\":\"toplevel-property-extension\"}},\"external_references\":[{\"description\":\"Mitre attack tactics and technique reference\",\"mitre_attack_tactic\":\"Establish & Maintain Infrastructure\",\"mitre_attack_tactic_id\":\"TA0022\",\"mitre_attack_tactic_url\":\"https://attack.mitre.org/tactics/TA0022/\",\"mitre_attack_technique\":\"Compromise 3rd party infrastructure to support delivery\",\"mitre_attack_technique_id\":\"T1334\",\"mitre_attack_technique_url\":\"https://attack.mitre.org/techniques/T1334/\",\"source_name\":\"mitre-attack\"}],\"id\":\"indicator--557a6021-b0c0-441a-8fba-e8a734f19ada\",\"indicator_types\":[\"compromised\"],\"lang\":\"en\",\"modified\":\"2021-12-07T22:48:59.141Z\",\"name\":\"sdbpibandung.sch.id\",\"pattern\":\"[domain-name:value = 'sdbpibandung.sch.id']\",\"pattern_type\":\"stix\",\"sixgill_actor\":\"enginewo\",\"sixgill_confidence\":90,\"sixgill_feedid\":\"darkfeed_001\",\"sixgill_feedname\":\"compromised_sites\",\"sixgill_postid\":\"955f5379c2828ce483b74a671e498a5f69f9ea36\",\"sixgill_posttitle\":\"Beranda http://sdbpibandung.sch.id\",\"sixgill_severity\":70,\"sixgill_source\":\"market_magbo\",\"spec_version\":\"2.1\",\"type\":\"indicator\",\"valid_from\":\"2021-12-07T22:43:29Z\"}", "severity": 70, - "type": "indicator" + "type": [ + "indicator" + ] }, "tags": [ "preserve_original_event" diff --git a/packages/ti_cybersixgill/data_stream/threat/elasticsearch/ingest_pipeline/default.yml b/packages/ti_cybersixgill/data_stream/threat/elasticsearch/ingest_pipeline/default.yml index 585d4e80769..9d12234fa20 100644 --- a/packages/ti_cybersixgill/data_stream/threat/elasticsearch/ingest_pipeline/default.yml 
+++ b/packages/ti_cybersixgill/data_stream/threat/elasticsearch/ingest_pipeline/default.yml
@@ -12,7 +12,7 @@ processors:
 value: [threat]
 - set:
 field: event.type
- value: indicator
+ value: [indicator]
 - rename:
 field: message
 target_field: event.original
diff --git a/packages/ti_cybersixgill/manifest.yml b/packages/ti_cybersixgill/manifest.yml
index f480b8a2ded..e592cbe6a3d 100644
--- a/packages/ti_cybersixgill/manifest.yml
+++ b/packages/ti_cybersixgill/manifest.yml
@@ -1,6 +1,6 @@
 name: ti_cybersixgill
 title: Cybersixgill
-version: "1.28.1"
+version: "1.29.0"
 description: Ingest threat intelligence indicators from Cybersixgill with Elastic Agent.
 type: integration
 format_version: "3.0.2"
diff --git a/packages/trend_micro_vision_one/changelog.yml b/packages/trend_micro_vision_one/changelog.yml
index df73279eb60..fcbbd6436bf 100644
--- a/packages/trend_micro_vision_one/changelog.yml
+++ b/packages/trend_micro_vision_one/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.19.0"
+ changes:
+ - description: Make `host.mac` field conform to ECS field definition.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/10120
 - version: "1.18.0"
 changes:
 - description: Improve handling of empty responses.
diff --git a/packages/trend_micro_vision_one/data_stream/alert/_dev/test/pipeline/test-common-config.yml b/packages/trend_micro_vision_one/data_stream/alert/_dev/test/pipeline/test-common-config.yml
index a4f449c6dd4..db60624f2b3 100644
--- a/packages/trend_micro_vision_one/data_stream/alert/_dev/test/pipeline/test-common-config.yml
+++ b/packages/trend_micro_vision_one/data_stream/alert/_dev/test/pipeline/test-common-config.yml
@@ -4,4 +4,4 @@ fields:
 - preserve_duplicate_custom_fields
 numeric_keyword_fields:
 - trend_micro_vision_one.alert.indicators.id
- - trend_micro_vision_one.alert.impact_scope.entities.related_indicator_id
\ No newline at end of file
+ - trend_micro_vision_one.alert.impact_scope.entities.related_indicator_id
diff --git a/packages/trend_micro_vision_one/data_stream/detection/_dev/test/pipeline/test-pipeline-detection.log-expected.json b/packages/trend_micro_vision_one/data_stream/detection/_dev/test/pipeline/test-pipeline-detection.log-expected.json
index 9df40fb10fb..447edd17bdf 100644
--- a/packages/trend_micro_vision_one/data_stream/detection/_dev/test/pipeline/test-pipeline-detection.log-expected.json
+++ b/packages/trend_micro_vision_one/data_stream/detection/_dev/test/pipeline/test-pipeline-detection.log-expected.json
@@ -43,7 +43,9 @@
 "ip": [
 "81.2.69.142"
 ],
- "mac": "00-11-22-33-44-55",
+ "mac": [
+ "00-11-22-33-44-55"
+ ],
 "name": "xxx-docker"
 },
 "http": {
diff --git a/packages/trend_micro_vision_one/data_stream/detection/elasticsearch/ingest_pipeline/default.yml b/packages/trend_micro_vision_one/data_stream/detection/elasticsearch/ingest_pipeline/default.yml
index baa92057ec8..1ad788e9ad1 100644
--- a/packages/trend_micro_vision_one/data_stream/detection/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/trend_micro_vision_one/data_stream/detection/elasticsearch/ingest_pipeline/default.yml
@@ -190,9 +190,11 @@ processors:
 field: json.endpointMacAddress
 target_field: trend_micro_vision_one.detection.endpoint.mac
 ignore_missing: true
- - set:
+ - append:
 field: host.mac
- copy_from: trend_micro_vision_one.detection.endpoint.mac
+ value: '{{{trend_micro_vision_one.detection.endpoint.mac}}}'
+ if: ctx.trend_micro_vision_one?.detection?.endpoint?.mac != null
+ allow_duplicates: false
 ignore_failure: true
 - rename:
 field: json.endpointHostName
diff --git a/packages/trend_micro_vision_one/manifest.yml b/packages/trend_micro_vision_one/manifest.yml
index d00bb6f03f9..3ccb4db932c 100644
--- a/packages/trend_micro_vision_one/manifest.yml
+++ b/packages/trend_micro_vision_one/manifest.yml
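Review bot: The new `append` in the `@@ -190,9 +190,11 @@` hunk copies `trend_micro_vision_one.detection.endpoint.mac` into `host.mac` verbatim, while ECS expects `host.mac` in uppercase hyphen-separated form (`00-11-22-33-44-55`, as the updated test fixture shows); if the Vision One API can deliver colon-separated or lowercase addresses, rules and dashboards that correlate on `host.mac` across integrations will miss those documents. The replaced `set`/`copy_from` had the same gap, so this is not a regression, but since the field is being reworked here a `gsub` of `:` to `-` plus an `uppercase` step on `endpoint.mac` before the append would be cheap to add. Note also that `copy_from` preserved the source value's type, whereas the Mustache template always renders a string, so an array-valued `endpoint.mac` would presumably land as one stringified entry rather than separate MACs — confirm against the API contract. The `processors:` list continues on both sides of the hunk.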
@@ -1,7 +1,7 @@
 format_version: "3.0.3"
 name: trend_micro_vision_one
 title: Trend Micro Vision One
-version: "1.18.0"
+version: "1.19.0"
 description: Collect logs from Trend Micro Vision One with Elastic Agent.
 type: integration
 categories:
From a256c812c3387376fe49348c1ce82eca638c6c75 Mon Sep 17 00:00:00 2001
From: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com> Date: Tue, 11 Jun 2024 12:26:29 -0400 Subject: [PATCH 004/105] [Security Rules] Update security rules package to v8.14.3-beta.1 (#10128) --- .../security_detection_engine/changelog.yml | 5 + ...2d47d-39c7-4f69-a232-4fe9dc7a3acd_312.json | 137 ++++++++++++++ ...54db96b-fd34-43b3-9af2-587b3bd33964_4.json | 97 ++++++++++ ...1ef73-1fde-4a49-a34a-5dd40011b076_210.json | 119 ++++++++++++ ...251b98a-ff45-11ee-89a1-f661ea17fbce_1.json | 89 +++++++++ ...7384f-00f3-44d5-9a8c-2373ba071e92_310.json | 107 +++++++++++ ...3e908b9-7bf0-4235-abc9-b5deb500d0ad_6.json | 91 +++++++++ ...51d8f72-0747-11ef-a0c2-f661ea17fbcc_1.json | 94 ++++++++++ ...8ba77-1c13-4274-88fe-6bd14133861e_111.json | 142 +++++++++++++++ ...ac1a1-21ee-4ca6-b720-458e3855d046_110.json | 120 ++++++++++++ ...b0a495-4d9f-414c-8ad0-92f018b8e001_11.json | 131 +++++++++++++ ...85c782e-f86a-11ee-9d9f-f661ea17fbce_1.json | 107 +++++++++++ ...92657ba-ab0e-4901-89a2-911d611eee98_1.json | 166 +++++++++++++++++ ...d4ca9c0-ff1e-11ee-91cc-f661ea17fbce_1.json | 97 ++++++++++ ...68dba-ce29-497b-8e13-b4fde1db5a2d_208.json | 97 ++++++++++ ...8f6f34b-8e16-487a-b5fd-9d22eb903db8_2.json | 110 +++++++++++ ...7d495-59bd-4250-b395-c29409b76086_313.json | 172 ++++++++++++++++++ ...78aa2-9c56-48de-b139-f169bf99cf86_313.json | 109 +++++++++++ ...0fbf4db-c502-4e68-a239-2e99af0f70da_1.json | 96 ++++++++++ ...5bd2c-0baa-4df0-80ea-45e474b5ef93_102.json | 57 ++++++ ...4675e-6c49-4ace-80f9-97c9259dca2e_313.json | 149 +++++++++++++++ ...5c8bb-3bd5-40f4-ae32-b7cd589d5372_312.json | 103 +++++++++++ ...7900d-e793-49e8-968f-c90dc3526aa1_312.json | 97 ++++++++++ ...182e486-fc61-11ee-a05d-f661ea17fbce_1.json | 55 ++++++ ...494c14f-5ff8-4ed2-8e99-bf816a1642fc_4.json | 111 +++++++++++ ...c47004-b34a-42e6-8003-376a123ea447_10.json | 109 +++++++++++ ...f0ffd-b317-4b9c-9494-92ce861f22c7_310.json | 112 ++++++++++++ ...397080f-34e5-449b-8e9c-4c8083d7ccc6_6.json | 85 +++++++++ 
...b9eb30f-87d6-45f4-9289-2bf2024f0376_5.json | 121 ++++++++++++ ...8e1f7-0050-4afc-b2df-904e40b2f5ae_110.json | 90 +++++++++ ...3431796-f813-43af-820b-492ee2efec8e_1.json | 148 +++++++++++++++ ...554fc-0777-47ce-8c9b-3d01f198d7f8_207.json | 97 ++++++++++ ...ce640-e631-4870-ba8e-5fdda09325db_313.json | 140 ++++++++++++++ ...1de53ea-ff3b-11ee-b572-f661ea17fbce_1.json | 101 ++++++++++ ...d43b7-3480-4dd9-8ad7-8bd36bfad92f_312.json | 115 ++++++++++++ ...e1aeb-5225-4067-b8cc-f4a1de8a8546_203.json | 101 ++++++++++ ...9ce2c96-72f7-44f9-88ef-60fa1ac2ce47_5.json | 126 +++++++++++++ ...c2e1297-7664-42bc-af11-6d5d35220b6b_1.json | 115 ++++++++++++ ...d091a76-0737-11ef-8469-f661ea17fbcc_1.json | 89 +++++++++ ...df3cb8b-5c0c-4228-b772-bb6cd619053c_1.json | 125 +++++++++++++ ...b500fa-8e24-4bd1-9480-2a819352602c_11.json | 110 +++++++++++ ...fda9bb2-fd28-11ee-85f9-f661ea17fbce_1.json | 56 ++++++ ...4755a05-78c8-4430-8681-89cd6c857d71_1.json | 150 +++++++++++++++ ...73b5452-074e-11ef-852e-f661ea17fbcc_1.json | 97 ++++++++++ ...17a33-60d3-411f-ba79-7c905d865b2a_108.json | 85 +++++++++ ...dcb8c-60e5-46ee-9206-2663adf1b1ce_106.json | 123 +++++++++++++ ...1ce76-494c-4f01-8167-35edfb52f7b1_309.json | 85 +++++++++ ...4418745-529f-4259-8d25-a713a6feb6ae_1.json | 96 ++++++++++ ...d11d31-9a79-480f-8401-da28b194608f_11.json | 102 +++++++++++ ...ba1ef-6034-4bd3-8c1a-1e0996b27afa_312.json | 114 ++++++++++++ ...94e40aa-8c85-43de-825e-15f665375ee8_6.json | 100 ++++++++++ ...aa4be8d-5828-417d-9f54-7cd304571b24_1.json | 86 +++++++++ ...681e3-9ed6-447c-ab2c-be648821c622_312.json | 107 +++++++++++ ...8aaa49d-9834-462d-bf8f-b1255cebc004_1.json | 104 +++++++++++ ...012b8-8da8-440b-aaaf-aedafdea2dff_314.json | 151 +++++++++++++++ ...dbfa3ee-777e-4747-b6b0-7bd645f30880_5.json | 136 ++++++++++++++ ...a7e96-2eb3-4edf-8346-427b6858d3bd_310.json | 104 +++++++++++ ...8da2d-a9dc-48c0-90e4-955c0aa1259a_207.json | 88 +++++++++ ...54892-5e0e-424b-83a0-5aef95aa43bf_110.json | 91 +++++++++ 
...caa15ce-2d41-44d7-a322-918f9db77766_5.json | 90 +++++++++ ...29aa8-9974-42da-bfb6-53a0a515a145_110.json | 116 ++++++++++++ ...1e79a70-fa6f-11ee-8bc8-f661ea17fbce_2.json | 81 +++++++++ ...915e0-22f3-4bf7-991d-b643513c722f_309.json | 103 +++++++++++ ...9482bfa-a553-4226-8ea2-4959bd4f7923_6.json | 108 +++++++++++ ...a7f5803-1cd4-42fd-a890-0173ae80ac69_5.json | 85 +++++++++ ...d52d45a-4602-4195-9018-ebe0f219c273_1.json | 108 +++++++++++ ...de13d58-bc39-4aa0-87fd-b4bdbf4591da_1.json | 86 +++++++++ ...f919b5e-a0f6-4fd8-8598-e3ce79299e3b_1.json | 86 +++++++++ ...8c9ff14-fd1e-11ee-a0df-f661ea17fbce_1.json | 97 ++++++++++ ...200e8-adf0-43f8-a0bb-4ee5b5d852c6_311.json | 92 ++++++++++ ...18a474c-3632-427f-bcf5-363c994309ee_1.json | 93 ++++++++++ ...e2be4-6eca-4349-bdd9-381573730c22_110.json | 113 ++++++++++++ ...3403393-1fd9-4686-8f6e-596c58bc00b4_5.json | 90 +++++++++ ...48ecc44-7d02-437d-9562-b838d2c41987_1.json | 121 ++++++++++++ ...88440-04cc-41d7-9279-539387bf2a17_211.json | 115 ++++++++++++ ...1d790-9f74-4e76-97dd-b4b0f7bf6435_105.json | 143 +++++++++++++++ ...d332492-0bc6-11ef-b5be-f661ea17fbcc_1.json | 104 +++++++++++ ...da1d332-5e08-4f27-8a9b-8c802e3292a6_9.json | 117 ++++++++++++ ...f0d807d-869b-4a0d-a493-52bc46d2f1b1_5.json | 64 +++++++ ...10d4d8-fea7-422d-afb1-e5a2702369a9_11.json | 154 ++++++++++++++++ .../security_detection_engine/manifest.yml | 2 +- 81 files changed, 8484 insertions(+), 1 deletion(-) create mode 100644 packages/security_detection_engine/kibana/security_rule/0022d47d-39c7-4f69-a232-4fe9dc7a3acd_312.json create mode 100644 packages/security_detection_engine/kibana/security_rule/054db96b-fd34-43b3-9af2-587b3bd33964_4.json create mode 100644 packages/security_detection_engine/kibana/security_rule/07b1ef73-1fde-4a49-a34a-5dd40011b076_210.json create mode 100644 packages/security_detection_engine/kibana/security_rule/1251b98a-ff45-11ee-89a1-f661ea17fbce_1.json create mode 100644 
packages/security_detection_engine/kibana/security_rule/1327384f-00f3-44d5-9a8c-2373ba071e92_310.json create mode 100644 packages/security_detection_engine/kibana/security_rule/13e908b9-7bf0-4235-abc9-b5deb500d0ad_6.json create mode 100644 packages/security_detection_engine/kibana/security_rule/151d8f72-0747-11ef-a0c2-f661ea17fbcc_1.json create mode 100644 packages/security_detection_engine/kibana/security_rule/15a8ba77-1c13-4274-88fe-6bd14133861e_111.json create mode 100644 packages/security_detection_engine/kibana/security_rule/16fac1a1-21ee-4ca6-b720-458e3855d046_110.json create mode 100644 packages/security_detection_engine/kibana/security_rule/17b0a495-4d9f-414c-8ad0-92f018b8e001_11.json create mode 100644 packages/security_detection_engine/kibana/security_rule/185c782e-f86a-11ee-9d9f-f661ea17fbce_1.json create mode 100644 packages/security_detection_engine/kibana/security_rule/192657ba-ab0e-4901-89a2-911d611eee98_1.json create mode 100644 packages/security_detection_engine/kibana/security_rule/1d4ca9c0-ff1e-11ee-91cc-f661ea17fbce_1.json create mode 100644 packages/security_detection_engine/kibana/security_rule/26f68dba-ce29-497b-8e13-b4fde1db5a2d_208.json create mode 100644 packages/security_detection_engine/kibana/security_rule/28f6f34b-8e16-487a-b5fd-9d22eb903db8_2.json create mode 100644 packages/security_detection_engine/kibana/security_rule/2917d495-59bd-4250-b395-c29409b76086_313.json create mode 100644 packages/security_detection_engine/kibana/security_rule/2bf78aa2-9c56-48de-b139-f169bf99cf86_313.json create mode 100644 packages/security_detection_engine/kibana/security_rule/30fbf4db-c502-4e68-a239-2e99af0f70da_1.json create mode 100644 packages/security_detection_engine/kibana/security_rule/3115bd2c-0baa-4df0-80ea-45e474b5ef93_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/32f4675e-6c49-4ace-80f9-97c9259dca2e_313.json create mode 100644 
packages/security_detection_engine/kibana/security_rule/3535c8bb-3bd5-40f4-ae32-b7cd589d5372_312.json create mode 100644 packages/security_detection_engine/kibana/security_rule/3b47900d-e793-49e8-968f-c90dc3526aa1_312.json create mode 100644 packages/security_detection_engine/kibana/security_rule/4182e486-fc61-11ee-a05d-f661ea17fbce_1.json create mode 100644 packages/security_detection_engine/kibana/security_rule/4494c14f-5ff8-4ed2-8e99-bf816a1642fc_4.json create mode 100644 packages/security_detection_engine/kibana/security_rule/4ec47004-b34a-42e6-8003-376a123ea447_10.json create mode 100644 packages/security_detection_engine/kibana/security_rule/513f0ffd-b317-4b9c-9494-92ce861f22c7_310.json create mode 100644 packages/security_detection_engine/kibana/security_rule/5397080f-34e5-449b-8e9c-4c8083d7ccc6_6.json create mode 100644 packages/security_detection_engine/kibana/security_rule/5b9eb30f-87d6-45f4-9289-2bf2024f0376_5.json create mode 100644 packages/security_detection_engine/kibana/security_rule/5cd8e1f7-0050-4afc-b2df-904e40b2f5ae_110.json create mode 100644 packages/security_detection_engine/kibana/security_rule/63431796-f813-43af-820b-492ee2efec8e_1.json create mode 100644 packages/security_detection_engine/kibana/security_rule/684554fc-0777-47ce-8c9b-3d01f198d7f8_207.json create mode 100644 packages/security_detection_engine/kibana/security_rule/6aace640-e631-4870-ba8e-5fdda09325db_313.json create mode 100644 packages/security_detection_engine/kibana/security_rule/71de53ea-ff3b-11ee-b572-f661ea17fbce_1.json create mode 100644 packages/security_detection_engine/kibana/security_rule/76fd43b7-3480-4dd9-8ad7-8bd36bfad92f_312.json create mode 100644 packages/security_detection_engine/kibana/security_rule/78de1aeb-5225-4067-b8cc-f4a1de8a8546_203.json create mode 100644 packages/security_detection_engine/kibana/security_rule/79ce2c96-72f7-44f9-88ef-60fa1ac2ce47_5.json create mode 100644 
packages/security_detection_engine/kibana/security_rule/7c2e1297-7664-42bc-af11-6d5d35220b6b_1.json create mode 100644 packages/security_detection_engine/kibana/security_rule/7d091a76-0737-11ef-8469-f661ea17fbcc_1.json create mode 100644 packages/security_detection_engine/kibana/security_rule/7df3cb8b-5c0c-4228-b772-bb6cd619053c_1.json create mode 100644 packages/security_detection_engine/kibana/security_rule/7fb500fa-8e24-4bd1-9480-2a819352602c_11.json create mode 100644 packages/security_detection_engine/kibana/security_rule/7fda9bb2-fd28-11ee-85f9-f661ea17fbce_1.json create mode 100644 packages/security_detection_engine/kibana/security_rule/84755a05-78c8-4430-8681-89cd6c857d71_1.json create mode 100644 packages/security_detection_engine/kibana/security_rule/873b5452-074e-11ef-852e-f661ea17fbcc_1.json create mode 100644 packages/security_detection_engine/kibana/security_rule/88817a33-60d3-411f-ba79-7c905d865b2a_108.json create mode 100644 packages/security_detection_engine/kibana/security_rule/88fdcb8c-60e5-46ee-9206-2663adf1b1ce_106.json create mode 100644 packages/security_detection_engine/kibana/security_rule/93c1ce76-494c-4f01-8167-35edfb52f7b1_309.json create mode 100644 packages/security_detection_engine/kibana/security_rule/94418745-529f-4259-8d25-a713a6feb6ae_1.json create mode 100644 packages/security_detection_engine/kibana/security_rule/96d11d31-9a79-480f-8401-da28b194608f_11.json create mode 100644 packages/security_detection_engine/kibana/security_rule/97aba1ef-6034-4bd3-8c1a-1e0996b27afa_312.json create mode 100644 packages/security_detection_engine/kibana/security_rule/994e40aa-8c85-43de-825e-15f665375ee8_6.json create mode 100644 packages/security_detection_engine/kibana/security_rule/9aa4be8d-5828-417d-9f54-7cd304571b24_1.json create mode 100644 packages/security_detection_engine/kibana/security_rule/a00681e3-9ed6-447c-ab2c-be648821c622_312.json create mode 100644 
packages/security_detection_engine/kibana/security_rule/a8aaa49d-9834-462d-bf8f-b1255cebc004_1.json create mode 100644 packages/security_detection_engine/kibana/security_rule/ac5012b8-8da8-440b-aaaf-aedafdea2dff_314.json create mode 100644 packages/security_detection_engine/kibana/security_rule/adbfa3ee-777e-4747-b6b0-7bd645f30880_5.json create mode 100644 packages/security_detection_engine/kibana/security_rule/b83a7e96-2eb3-4edf-8346-427b6858d3bd_310.json create mode 100644 packages/security_detection_engine/kibana/security_rule/b8f8da2d-a9dc-48c0-90e4-955c0aa1259a_207.json create mode 100644 packages/security_detection_engine/kibana/security_rule/b9554892-5e0e-424b-83a0-5aef95aa43bf_110.json create mode 100644 packages/security_detection_engine/kibana/security_rule/bcaa15ce-2d41-44d7-a322-918f9db77766_5.json create mode 100644 packages/security_detection_engine/kibana/security_rule/c0429aa8-9974-42da-bfb6-53a0a515a145_110.json create mode 100644 packages/security_detection_engine/kibana/security_rule/c1e79a70-fa6f-11ee-8bc8-f661ea17fbce_2.json create mode 100644 packages/security_detection_engine/kibana/security_rule/c3b915e0-22f3-4bf7-991d-b643513c722f_309.json create mode 100644 packages/security_detection_engine/kibana/security_rule/c9482bfa-a553-4226-8ea2-4959bd4f7923_6.json create mode 100644 packages/security_detection_engine/kibana/security_rule/da7f5803-1cd4-42fd-a890-0173ae80ac69_5.json create mode 100644 packages/security_detection_engine/kibana/security_rule/dd52d45a-4602-4195-9018-ebe0f219c273_1.json create mode 100644 packages/security_detection_engine/kibana/security_rule/dde13d58-bc39-4aa0-87fd-b4bdbf4591da_1.json create mode 100644 packages/security_detection_engine/kibana/security_rule/df919b5e-a0f6-4fd8-8598-e3ce79299e3b_1.json create mode 100644 packages/security_detection_engine/kibana/security_rule/e8c9ff14-fd1e-11ee-a0df-f661ea17fbce_1.json create mode 100644 
packages/security_detection_engine/kibana/security_rule/ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6_311.json create mode 100644 packages/security_detection_engine/kibana/security_rule/f18a474c-3632-427f-bcf5-363c994309ee_1.json create mode 100644 packages/security_detection_engine/kibana/security_rule/f28e2be4-6eca-4349-bdd9-381573730c22_110.json create mode 100644 packages/security_detection_engine/kibana/security_rule/f3403393-1fd9-4686-8f6e-596c58bc00b4_5.json create mode 100644 packages/security_detection_engine/kibana/security_rule/f48ecc44-7d02-437d-9562-b838d2c41987_1.json create mode 100644 packages/security_detection_engine/kibana/security_rule/fa488440-04cc-41d7-9279-539387bf2a17_211.json create mode 100644 packages/security_detection_engine/kibana/security_rule/fb01d790-9f74-4e76-97dd-b4b0f7bf6435_105.json create mode 100644 packages/security_detection_engine/kibana/security_rule/fd332492-0bc6-11ef-b5be-f661ea17fbcc_1.json create mode 100644 packages/security_detection_engine/kibana/security_rule/fda1d332-5e08-4f27-8a9b-8c802e3292a6_9.json create mode 100644 packages/security_detection_engine/kibana/security_rule/ff0d807d-869b-4a0d-a493-52bc46d2f1b1_5.json create mode 100644 packages/security_detection_engine/kibana/security_rule/ff10d4d8-fea7-422d-afb1-e5a2702369a9_11.json diff --git a/packages/security_detection_engine/changelog.yml b/packages/security_detection_engine/changelog.yml index 2e87d6dfbd2..c86cd5fbd5f 100644 --- a/packages/security_detection_engine/changelog.yml +++ b/packages/security_detection_engine/changelog.yml @@ -1,5 +1,10 @@ # newer versions go on top # NOTE: please use pre-release versions (e.g. -beta.0) until a package is ready for production +- version: 8.14.3-beta.1 + changes: + - description: Release security rules update + type: enhancement + link: https://github.com/elastic/integrations/pull/10128 - version: 8.14.2 changes: - description: Release security rules update 
diff --git a/packages/security_detection_engine/kibana/security_rule/0022d47d-39c7-4f69-a232-4fe9dc7a3acd_312.json b/packages/security_detection_engine/kibana/security_rule/0022d47d-39c7-4f69-a232-4fe9dc7a3acd_312.json new file mode 100644 index 00000000000..1f7dda0ad03 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/0022d47d-39c7-4f69-a232-4fe9dc7a3acd_312.json 
@@ -0,0 +1,137 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Windows services typically run as SYSTEM and can be used as a privilege escalation opportunity. Malware or penetration testers may run a shell as a service to gain SYSTEM permissions.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*", + "logs-sentinel_one_cloud_funnel.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "System Shells via Services", + "note": "## Triage and analysis\n\n### Investigating System Shells via Services\n\nAttackers may configure existing services or create new ones to execute system shells to elevate their privileges from administrator to SYSTEM. They can also configure services to execute these shells with persistence payloads.\n\nThis rule looks for system shells being spawned by `services.exe`, which is compatible with the above behavior.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify how the service was created or modified. 
Look for registry changes events or Windows events related to service activities (for example, 4697 and/or 7045).\n - Examine the created and existent services, the executables or drivers referenced, and command line arguments for suspicious entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the referenced files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Check for commands executed under the spawned shell.\n\n### False positive analysis\n\n- This activity should not happen legitimately. 
The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the service or restore it to the original configuration.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"services.exe\" and\n process.name : (\"cmd.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and\n\n /* Third party FP's */\n not process.args : \"NVDisplay.ContainerLocalSystem\"\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + }, + { + "package": "system", + "version": "^1.6.4" + }, + { + "package": "sentinel_one_cloud_funnel", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": 
"process.parent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "0022d47d-39c7-4f69-a232-4fe9dc7a3acd", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Execution", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: SentinelOne" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1543", + "name": "Create or Modify System Process", + "reference": "https://attack.mitre.org/techniques/T1543/", + "subtechnique": [ + { + "id": "T1543.003", + "name": "Windows Service", + "reference": "https://attack.mitre.org/techniques/T1543/003/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + }, + { + "id": "T1059.003", + "name": "Windows Command Shell", + "reference": "https://attack.mitre.org/techniques/T1059/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 312 + }, + "id": "0022d47d-39c7-4f69-a232-4fe9dc7a3acd_312", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/054db96b-fd34-43b3-9af2-587b3bd33964_4.json b/packages/security_detection_engine/kibana/security_rule/054db96b-fd34-43b3-9af2-587b3bd33964_4.json new file mode 100644 index 00000000000..48973512688 --- /dev/null 
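Review bot: The third-party exclusion `not process.args : "NVDisplay.ContainerLocalSystem"` at the end of the `query` string is keyed on a value the spawned shell's own command line controls, so any shell launched by `services.exe` that carries that token anywhere in its arguments (for example `cmd.exe /c payload.exe NVDisplay.ContainerLocalSystem`) is silently excluded, and because `process.args` is multi-valued the match succeeds at any argument position. I'd narrow it to the exact invocation NVIDIA's service performs by matching `process.command_line` against the full literal command line taken from telemetry rather than a single token. Where the source populates it, I'd also pair `process.parent.name : "services.exe"` with `process.parent.executable : "?:\\Windows\\System32\\services.exe"` so a parent merely named services.exe in a user-writable directory does not satisfy the rule's premise of a SYSTEM-level service host.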
+++ b/packages/security_detection_engine/kibana/security_rule/054db96b-fd34-43b3-9af2-587b3bd33964_4.json 
@@ -0,0 +1,97 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Monitors for the creation of rule files that are used by systemd-udevd to manage device nodes and handle kernel device events in the Linux operating system. Systemd-udevd can be exploited for persistence by adversaries by creating malicious udev rules that trigger on specific events, executing arbitrary commands or payloads whenever a certain device is plugged in or recognized by the system.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.file*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Systemd-udevd Rule File Creation", + "query": "file where host.os.type == \"linux\" and event.action in (\"rename\", \"creation\") and \nprocess.executable != null and \nfile.path : (\n \"/lib/udev/*\", \"/etc/udev/rules.d/*\", \"/usr/lib/udev/rules.d/*\", \"/run/udev/rules.d/*\"\n) and not (\n process.executable in (\n \"/bin/dpkg\", \"/usr/bin/dpkg\", \"/bin/dockerd\", \"/usr/bin/dockerd\", \"/usr/sbin/dockerd\", \"/bin/microdnf\",\n \"/usr/bin/microdnf\", \"/bin/rpm\", \"/usr/bin/rpm\", \"/bin/snapd\", \"/usr/bin/snapd\", \"/bin/yum\", \"/usr/bin/yum\",\n \"/bin/dnf\", \"/usr/bin/dnf\", \"/bin/podman\", \"/usr/bin/podman\", \"/bin/dnf-automatic\", \"/usr/bin/dnf-automatic\",\n \"/bin/pacman\", \"/usr/bin/pacman\", \"/usr/bin/dpkg-divert\", \"/bin/dpkg-divert\", \"/sbin/apk\", \"/usr/sbin/apk\",\n \"/usr/local/sbin/apk\", \"/usr/bin/apt\", \"/usr/sbin/pacman\", \"/bin/podman\", \"/usr/bin/podman\", \"/usr/bin/puppet\",\n \"/bin/puppet\", \"/opt/puppetlabs/puppet/bin/puppet\", \"/usr/bin/chef-client\", \"/bin/chef-client\",\n \"/bin/autossl_check\", \"/usr/bin/autossl_check\", \"/proc/self/exe\", \"/dev/fd/*\", \"/usr/bin/pamac-daemon\",\n \"/bin/pamac-daemon\", \"/usr/lib/snapd/snapd\", \"/usr/local/bin/dockerd\", \"/usr/libexec/netplan/generate\"\n ) or\n file.extension in (\"swp\", \"swpx\", \"swx\", \"dpkg-remove\") or\n file.Ext.original.extension == 
\"dpkg-new\" or\n process.executable : (\n \"/nix/store/*\", \"/var/lib/dpkg/*\", \"/snap/*\", \"/dev/fd/*\", \"/usr/lib/*\", \"/usr/libexec/*\"\n ) or\n (process.name == \"sed\" and file.name : \"sed*\") or\n (process.name == \"perl\" and file.name : \"e2scrub_all.tmp*\") \n)\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": false, + "name": "file.Ext.original.extension", + "type": "unknown" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "054db96b-fd34-43b3-9af2-587b3bd33964", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. 
If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1037", + "name": "Boot or Logon Initialization Scripts", + "reference": "https://attack.mitre.org/techniques/T1037/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 4 + }, + "id": "054db96b-fd34-43b3-9af2-587b3bd33964_4", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/07b1ef73-1fde-4a49-a34a-5dd40011b076_210.json b/packages/security_detection_engine/kibana/security_rule/07b1ef73-1fde-4a49-a34a-5dd40011b076_210.json new file mode 100644 index 00000000000..87f033bf464 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/07b1ef73-1fde-4a49-a34a-5dd40011b076_210.json 
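Review bot: The wildcard exclusion `process.executable : ("/nix/store/*", "/var/lib/dpkg/*", "/snap/*", "/dev/fd/*", "/usr/lib/*", "/usr/libexec/*")` in the `query` string exempts every binary under /usr/lib, which on merged-/usr distributions is the same tree as /lib, so a payload placed in any writable subdirectory there, or an existing helper an attacker can invoke, can write to `/etc/udev/rules.d/*` without firing the rule. I'd replace the bare `/usr/lib/*` with the specific package-manager and udev helper paths that need it (the `in` list already names `/usr/lib/snapd/snapd`, which is the right level of precision). Two smaller inconsistencies in the same exclusion: `"/dev/fd/*"` also appears inside the `process.executable in (...)` list, where `in` is an exact comparison and the literal asterisk can never match, and `"/bin/podman"`/`"/usr/bin/podman"` are listed twice. The `file.path` list omits `/usr/local/lib/udev/rules.d/*`, which I believe systemd-udevd also searches; worth confirming against the udev(7) rule-file search order before adding it.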
@@ -0,0 +1,119 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies registry modification to the LocalAccountTokenFilterPolicy policy. If this value exists (which doesn't by default) and is set to 1, then remote connections from all local members of Administrators are granted full high-integrity tokens during negotiation.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.registry-*", + "logs-windows.sysmon_operational-*", + "endgame-*", + "logs-sentinel_one_cloud_funnel.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Local Account TokenFilter Policy Disabled", + "query": "registry where host.os.type == \"windows\" and registry.path : (\n \"HKLM\\\\*\\\\LocalAccountTokenFilterPolicy\",\n \"\\\\REGISTRY\\\\MACHINE\\\\*\\\\LocalAccountTokenFilterPolicy\",\n \"MACHINE\\\\*\\\\LocalAccountTokenFilterPolicy\") and\n registry.data.strings : (\"1\", \"0x00000001\")\n", + "references": [ + "https://www.stigviewer.com/stig/windows_server_2008_r2_member_server/2014-04-02/finding/V-36439", + "https://posts.specterops.io/pass-the-hash-is-dead-long-live-localaccounttokenfilterpolicy-506c25a7c167", + "https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + }, + { + "package": "sentinel_one_cloud_funnel", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.data.strings", + "type": "wildcard" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "07b1ef73-1fde-4a49-a34a-5dd40011b076", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Lateral Movement", + "Data Source: 
Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Data Source: SentinelOne" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1112", + "name": "Modify Registry", + "reference": "https://attack.mitre.org/techniques/T1112/" + }, + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1550", + "name": "Use Alternate Authentication Material", + "reference": "https://attack.mitre.org/techniques/T1550/", + "subtechnique": [ + { + "id": "T1550.002", + "name": "Pass the Hash", + "reference": "https://attack.mitre.org/techniques/T1550/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 210 + }, + "id": "07b1ef73-1fde-4a49-a34a-5dd40011b076_210", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1251b98a-ff45-11ee-89a1-f661ea17fbce_1.json b/packages/security_detection_engine/kibana/security_rule/1251b98a-ff45-11ee-89a1-f661ea17fbce_1.json new file mode 100644 index 00000000000..b8c20e9c7cb --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/1251b98a-ff45-11ee-89a1-f661ea17fbce_1.json 
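Review bot: This rule ships without a `false_positives` entry or a triage `note`, unlike the neighbouring rules in this release, even though the `registry.path` pattern `HKLM\\*\\LocalAccountTokenFilterPolicy` matches a value of that name under any key and the setting is routinely pushed by Group Policy or management agents, which on every refresh rewrite the same `1`. I'd add `"false_positives": ["Group Policy and endpoint-management tools may legitimately set LocalAccountTokenFilterPolicy to 1; confirm the change is authorized and that the writing process is the expected policy engine."]` and a short `note` naming `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System` as the only location where the value takes effect, so analysts can treat writes elsewhere as noise or masquerading. Since, to my knowledge, Sysmon event 13 fires on every value-set operation, the note should also say that an alert does not by itself prove the value actually changed from 0 to 1.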
@@ -0,0 +1,89 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "building_block_type": "default", + "description": "Identifies when an AWS Lambda function is created or updated. AWS Lambda lets you run code without provisioning or managing servers. Adversaries can create or update Lambda functions to execute malicious code, exfiltrate data, or escalate privileges. This is a [building block rule](https://www.elastic.co/guide/en/security/current/building-block-rule.html) that does not generate alerts, but signals when a Lambda function is created or updated that matches the rule's conditions. To generate alerts, create a rule that uses this signal as a building block.", + "false_positives": [ + "Legitimate changes to Lambda functions can trigger this signal. Ensure that the changes are authorized and align with your organization's policies." + ], + "from": "now-60m", + "index": [ + "filebeat-*", + "logs-aws.cloudtrail-*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS Lambda Function Created or Updated", + "query": "event.dataset: \"aws.cloudtrail\"\n and event.provider: \"lambda.amazonaws.com\"\n and event.outcome: \"success\"\n and event.action: (CreateFunction* or UpdateFunctionCode*)\n", + "references": [ + "https://mattslifebytes.com/2023/04/14/from-rebuilds-to-reloads-hacking-aws-lambda-to-enable-instant-code-updates/", + "https://stratus-red-team.cloud/attack-techniques/AWS/aws.persistence.lambda-overwrite-code/", + "https://docs.aws.amazon.com/lambda/latest/api/API_UpdateFunctionCode.html" + ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" 
+ } + ], + "risk_score": 21, + "rule_id": "1251b98a-ff45-11ee-89a1-f661ea17fbce", + "severity": "low", + "tags": [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Data Source: AWS Lambda", + "Use Case: Asset Visibility", + "Tactic: Execution" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1648", + "name": "Serverless Execution", + "reference": "https://attack.mitre.org/techniques/T1648/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 1 + }, + "id": "1251b98a-ff45-11ee-89a1-f661ea17fbce_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1327384f-00f3-44d5-9a8c-2373ba071e92_310.json b/packages/security_detection_engine/kibana/security_rule/1327384f-00f3-44d5-9a8c-2373ba071e92_310.json new file mode 100644 index 00000000000..47256aec29c --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/1327384f-00f3-44d5-9a8c-2373ba071e92_310.json 
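Review bot: The `event.action: (CreateFunction* or UpdateFunctionCode*)` clause in the `query` string misses `UpdateFunctionConfiguration`, which changes an existing function's handler, execution role, environment variables and layers; any of those lets an adversary redirect execution without touching the code package, and the `description` ("create or update Lambda functions to execute malicious code, exfiltrate data, or escalate privileges") clearly intends to cover that path. I'd extend the clause to `event.action: (CreateFunction* or UpdateFunctionCode* or UpdateFunctionConfiguration*)` and mention configuration changes in the `description`. As this is a building-block rule that emits signals rather than alerts, the extra volume is contained, but the `false_positives` text should then also name routine configuration deploys.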
@@ -0,0 +1,107 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "A job can be used to schedule programs or scripts to be executed at a specified date and time. Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code.", + "false_positives": [ + "Legitimate scheduled jobs may be created during installation of new software." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.file-*", + "logs-windows.sysmon_operational-*", + "endgame-*", + "logs-sentinel_one_cloud_funnel.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Persistence via Scheduled Job Creation", + "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and\n file.path : \"?:\\\\Windows\\\\Tasks\\\\*\" and file.extension : \"job\" and\n not (\n (\n process.executable : \"?:\\\\Program Files\\\\CCleaner\\\\CCleaner64.exe\" and\n file.path : \"?:\\\\Windows\\\\Tasks\\\\CCleanerCrashReporting.job\"\n ) or\n (\n process.executable : (\n \"?:\\\\Program Files (x86)\\\\ManageEngine\\\\UEMS_Agent\\\\bin\\\\dcagentregister.exe\",\n \"?:\\\\Program Files (x86)\\\\DesktopCentral_Agent\\\\bin\\\\dcagentregister.exe\"\n ) and\n file.path : \"?:\\\\Windows\\\\Tasks\\\\DCAgentUpdater.job\"\n )\n )\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + }, + { + "package": "sentinel_one_cloud_funnel", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "1327384f-00f3-44d5-9a8c-2373ba071e92", + 
"setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Data Source: SentinelOne" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1053", + "name": "Scheduled Task/Job", + "reference": "https://attack.mitre.org/techniques/T1053/", + "subtechnique": [ + { + "id": "T1053.005", + "name": "Scheduled Task", + "reference": "https://attack.mitre.org/techniques/T1053/005/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 310 + }, + "id": "1327384f-00f3-44d5-9a8c-2373ba071e92_310", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/13e908b9-7bf0-4235-abc9-b5deb500d0ad_6.json b/packages/security_detection_engine/kibana/security_rule/13e908b9-7bf0-4235-abc9-b5deb500d0ad_6.json new file mode 100644 index 00000000000..1f5d776a545 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/13e908b9-7bf0-4235-abc9-b5deb500d0ad_6.json 
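Review bot: The two vendor exclusions in the `query` string are keyed only on the `process.executable` path plus the `.job` file name, so any binary an administrator-level actor places at `?:\Program Files\CCleaner\CCleaner64.exe` (or either ManageEngine agent path) inherits the exception when it writes those job names, and writing into `?:\Windows\Tasks` already requires that privilege level, so the bypass costs the attacker nothing extra. Where the data source populates code-signature fields (I believe Elastic Defend does, while Sysmon and SentinelOne may not), I'd tie each exclusion to `process.code_signature.trusted == true` and the vendor's `process.code_signature.subject_name`, keeping the path-only form as the fallback for sources without signature data. The `setup` text about populating `event.ingested` on pre-8.2 Beats indices is useful and should stay as written.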
@@ -0,0 +1,91 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "A supervised machine learning model (ProblemChild) has identified a suspicious Windows process event with high probability of it being malicious activity. Alternatively, the model's blocklist identified the event as being malicious.", + "from": "now-10m", + "index": [ + "endgame-*", + "logs-endpoint.events.process-*", + "winlogbeat-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Machine Learning Detected a Suspicious Windows Event Predicted to be Malicious Activity", + "query": "process where (problemchild.prediction == 1 or blocklist_label == 1) and not process.args : (\"*C:\\\\WINDOWS\\\\temp\\\\nessus_*.txt*\", \"*C:\\\\WINDOWS\\\\temp\\\\nessus_*.tmp*\")\n", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", + "https://docs.elastic.co/en/integrations/problemchild", + "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration" + ], + "related_integrations": [ + { + "package": "problemchild", + "version": "^2.0.0" + }, + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "blocklist_label", + "type": "unknown" + }, + { + "ecs": false, + "name": "problemchild.prediction", + "type": "unknown" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "13e908b9-7bf0-4235-abc9-b5deb500d0ad", + "setup": "## Setup\n\nThe rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat. 
\n\n### LotL Attack Detection Setup\nThe LotL Attack Detection integration detects living-off-the-land activity in Windows process events.\n\n#### Prerequisite Requirements:\n- Fleet is required for LotL Attack Detection.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- Windows process events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration or Winlogbeat(https://www.elastic.co/guide/en/beats/winlogbeat/current/_winlogbeat_overview.html).\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n- To set up and run Winlogbeat, follow [this](https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-installation-configuration.html) guide.\n\n#### The following steps should be executed to install assets associated with the LotL Attack Detection integration:\n- Go to the Kibana homepage. 
Under Management, click Integrations.\n- In the query bar, search for Living off the Land Attack Detection and select the integration to see more details about it.\n- Follow the instructions under the **Installation** section.\n- For this rule to work, complete the instructions through **Configure the ingest pipeline**.\n", + "severity": "low", + "tags": [ + "OS: Windows", + "Data Source: Elastic Endgame", + "Use Case: Living off the Land Attack Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1036", + "name": "Masquerading", + "reference": "https://attack.mitre.org/techniques/T1036/", + "subtechnique": [ + { + "id": "T1036.004", + "name": "Masquerade Task or Service", + "reference": "https://attack.mitre.org/techniques/T1036/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 6 + }, + "id": "13e908b9-7bf0-4235-abc9-b5deb500d0ad_6", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/151d8f72-0747-11ef-a0c2-f661ea17fbcc_1.json b/packages/security_detection_engine/kibana/security_rule/151d8f72-0747-11ef-a0c2-f661ea17fbcc_1.json new file mode 100644 index 00000000000..544214d0434 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/151d8f72-0747-11ef-a0c2-f661ea17fbcc_1.json 
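Review bot: The Nessus exclusion `not process.args : ("*C:\\WINDOWS\\temp\\nessus_*.txt*", "*C:\\WINDOWS\\temp\\nessus_*.tmp*")` in the `query` string is a wildcard over an attacker-controlled field: appending something like `C:\WINDOWS\temp\nessus_x.txt` to any command line suppresses the model's verdict for that event, which turns the ML detection into something an adversary can opt out of. I'd scope the exclusion to the scanner's actual parent or executable as observed in telemetry rather than to an argument substring, and record the rationale in a `false_positives` entry, which this rule currently lacks. Separately, the `tags` list carries both `"Rule Type: ML"` and `"Rule Type: Machine Learning"` while omitting the `"Domain: Endpoint"` and `"Use Case: Threat Detection"` tags the sibling Windows rules in this release use; one of the two `Rule Type` tags should be dropped for consistency.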
@@ -0,0 +1,94 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when an AWS Lambda function policy is updated to allow public invocation. This rule specifically looks for the `AddPermission` API call with the `Principal` set to `*` which allows any AWS account to invoke the Lambda function. Adversaries may abuse this permission to create a backdoor in the Lambda function that allows them to execute arbitrary code.", + "false_positives": [ + "Lambda function owners may legitimately update the function policy to allow public invocation." + ], + "from": "now-60m", + "index": [ + "filebeat-*", + "logs-aws.cloudtrail-*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS Lambda Function Policy Updated to Allow Public Invocation", + "note": "## Triage and Analysis\n\n### Investigating AWS Lambda Function Policy Updated to Allow Public Invocation\n\nThis rule detects when an AWS Lambda function policy is updated to allow public invocation. It specifically looks for the `AddPermission` API call with the `Principal` set to `*`, which allows any AWS account to invoke the Lambda function. Adversaries may abuse this permission to create a backdoor in the Lambda function that allows them to execute arbitrary code. Understanding the context and legitimacy of such changes is crucial to determine if the action is benign or malicious.\n\n#### Possible Investigation Steps:\n\n- **Identify the Actor**: Review the `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.access_key_id` fields to identify who made the change. Verify if this actor typically performs such actions and if they have the necessary permissions.\n- **Review the Request Details**: Examine the `aws.cloudtrail.request_parameters` to understand the specific changes made to the Lambda function policy. 
Look for any unusual parameters that could suggest unauthorized or malicious modifications.\n- **Analyze the Source of the Request**: Investigate the `source.ip` and `source.geo` fields to determine the geographical origin of the request. An external or unexpected location might indicate compromised credentials or unauthorized access.\n- **Contextualize with Timestamp**: Use the `@timestamp` field to check when the change occurred. Modifications during non-business hours or outside regular maintenance windows might require further scrutiny.\n- **Correlate with Other Activities**: Search for related CloudTrail events before and after this change to see if the same actor or IP address engaged in other potentially suspicious activities.\n\n### False Positive Analysis:\n\n- **Legitimate Administrative Actions**: Confirm if the update to allow public invocation aligns with scheduled updates, development activities, or legitimate administrative tasks documented in change management systems.\n- **Consistency Check**: Compare the action against historical data of similar actions performed by the user or within the organization. 
If the action is consistent with past legitimate activities, it might indicate a false alarm.\n- **Verify through Outcomes**: Check the `aws.cloudtrail.response_elements` and the `event.outcome` to confirm if the change was successful and intended according to policy.\n\n### Response and Remediation:\n\n- **Immediate Review and Reversal if Necessary**: If the change was unauthorized, update the Lambda function policy to remove the public invocation permission and restore it to its previous state.\n- **Enhance Monitoring and Alerts**: Adjust monitoring systems to alert on similar actions, especially those involving sensitive functions or permissions.\n- **Educate and Train**: Provide additional training to users with administrative rights on the importance of security best practices concerning Lambda function management and the use of permissions.\n- **Audit Lambda Functions and Policies**: Conduct a comprehensive audit of all Lambda functions and associated policies to ensure they adhere to the principle of least privilege.\n- **Incident Response**: If there's an indication of malicious intent or a security breach, initiate the incident response protocol to mitigate any damage and prevent future occurrences.\n\n### Additional Information:\n\nFor further guidance on managing Lambda functions and securing AWS environments, refer to the [AWS Lambda documentation](https://docs.aws.amazon.com/lambda/latest/dg/welcome.html) and AWS best practices for security. 
Additionally, consult the following resources for specific details on Lambda persistence techniques:\n- [AWS Lambda Persistence](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-persistence/aws-lambda-persistence)\n- [AWS Lambda Backdoor Function](https://stratus-red-team.cloud/attack-techniques/AWS/aws.persistence.lambda-backdoor-function/)\n- [AWS API AddPermission](https://docs.aws.amazon.com/lambda/latest/api/API_AddPermission.html)\n\n\n", + "query": "event.dataset: aws.cloudtrail\n and event.provider: lambda.amazonaws.com\n and event.outcome: success\n and event.action: AddPermission*\n and aws.cloudtrail.request_parameters: (*lambda\\:InvokeFunction* and *principal=\\**)\n", + "references": [ + "https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-persistence/aws-lambda-persistence", + "https://stratus-red-team.cloud/attack-techniques/AWS/aws.persistence.lambda-backdoor-function/", + "https://docs.aws.amazon.com/lambda/latest/api/API_AddPermission.html" + ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "aws.cloudtrail.request_parameters", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "151d8f72-0747-11ef-a0c2-f661ea17fbcc", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Data Source: AWS Lambda", + "Use Case: Threat Detection", + "Tactic: Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": 
"T1546", + "name": "Event Triggered Execution", + "reference": "https://attack.mitre.org/techniques/T1546/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 1 + }, + "id": "151d8f72-0747-11ef-a0c2-f661ea17fbcc_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/15a8ba77-1c13-4274-88fe-6bd14133861e_111.json b/packages/security_detection_engine/kibana/security_rule/15a8ba77-1c13-4274-88fe-6bd14133861e_111.json new file mode 100644 index 00000000000..46482e03fa4 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/15a8ba77-1c13-4274-88fe-6bd14133861e_111.json 
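Review bot: The `aws.cloudtrail.request_parameters: (*lambda\:InvokeFunction* and *principal=\**)` clause in the `query` string treats every `Principal: "*"` as public, but an `AddPermission` call that also carries a `PrincipalOrgID` (or `SourceArn`/`SourceAccount`) condition does not make the function invocable by arbitrary AWS accounts, and such calls will still raise this medium-severity alert. I'd either exclude them, e.g. append `and not aws.cloudtrail.request_parameters: *principalOrgID*`, or add a line to the triage `note` telling analysts to check `request_parameters` for `principalOrgID`, `sourceArn` and `sourceAccount` before treating the function as public; the exact key casing in CloudTrail's `requestParameters` should be confirmed against a real event first. The rule also does not see the other route to public invocation, `CreateFunctionUrlConfig`/`UpdateFunctionUrlConfig` with `AuthType: NONE`, which is worth a companion rule or at least a sentence in the note.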
@@ -0,0 +1,142 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects the modification of Group Policy Object attributes to execute a scheduled task in the objects controlled by the GPO.", + "index": [ + "winlogbeat-*", + "logs-system.*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Scheduled Task Execution at Scale via GPO", + "note": "## Triage and analysis\n\n### Investigating Scheduled Task Execution at Scale via GPO\n\nGroup Policy Objects (GPOs) can be used by attackers to execute scheduled tasks at scale to compromise objects controlled by a given GPO. This is done by changing the contents of the `\\Machine\\Preferences\\ScheduledTasks\\ScheduledTasks.xml` file.\n\n#### Possible investigation steps\n\n- This attack abuses a legitimate mechanism of Active Directory, so it is important to determine whether the activity is legitimate and the administrator is authorized to perform this operation.\n- Retrieve the contents of the `ScheduledTasks.xml` file, and check the `` and `` XML tags for any potentially malicious commands or binaries.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Scope which objects may be compromised by retrieving information about which objects are controlled by the GPO.\n\n### False positive analysis\n\n- Verify if the execution is allowed and done under change management, and if the execution is legitimate.\n\n### Related rules\n\n- Group Policy Abuse for Privilege Addition - b9554892-5e0e-424b-83a0-5aef95aa43bf\n- Startup/Logon Script added to Group Policy Object - 16fac1a1-21ee-4ca6-b720-458e3855d046\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- The investigation and containment must be performed in every computer controlled by the GPO, where necessary.\n- Remove the script from the GPO.\n- Check if other GPOs have suspicious scheduled tasks attached.\n- 
Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "(event.code: \"5136\" and winlog.event_data.AttributeLDAPDisplayName:(\"gPCMachineExtensionNames\" or \"gPCUserExtensionNames\") and\n winlog.event_data.AttributeValue:(*CAB54552-DEEA-4691-817E-ED4A4D1AFC72* and *AADCED64-746C-4633-A97C-D61349046527*))\nor\n(event.code: \"5145\" and winlog.event_data.ShareName: \"\\\\\\\\*\\\\SYSVOL\" and winlog.event_data.RelativeTargetName: *ScheduledTasks.xml and\n (message: WriteData or winlog.event_data.AccessList: *%%4417*))\n", + "references": [ + "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0025_windows_audit_directory_service_changes.md", + "https://github.com/atc-project/atc-data/blob/f2bbb51ecf68e2c9f488e3c70dcdd3df51d2a46b/docs/Logging_Policies/LP_0029_windows_audit_detailed_file_share.md", + "https://labs.f-secure.com/tools/sharpgpoabuse", + "https://twitter.com/menasec1/status/1106899890377052160", + "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_gpo_scheduledtasks.yml" + ], + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.code", + "type": "keyword" + }, + { + "ecs": true, + "name": "message", + "type": "match_only_text" + }, + { + "ecs": false, + "name": "winlog.event_data.AccessList", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.AttributeLDAPDisplayName", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.AttributeValue", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.RelativeTargetName", + "type": "unknown" + }, + { + "ecs": false, + "name": 
"winlog.event_data.ShareName", + "type": "unknown" + } + ], + "risk_score": 47, + "rule_id": "15a8ba77-1c13-4274-88fe-6bd14133861e", + "setup": "## Setup\n\nThe 'Audit Detailed File Share' audit policy must be configured (Success Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nObject Access >\nAudit Detailed File Share (Success,Failure)\n```\n\nThe 'Audit Directory Service Changes' audit policy must be configured (Success Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Changes (Success,Failure)\n```\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Tactic: Lateral Movement", + "Data Source: Active Directory", + "Resources: Investigation Guide", + "Use Case: Active Directory Monitoring" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1053", + "name": "Scheduled Task/Job", + "reference": "https://attack.mitre.org/techniques/T1053/", + "subtechnique": [ + { + "id": "T1053.005", + "name": "Scheduled Task", + "reference": "https://attack.mitre.org/techniques/T1053/005/" + } + ] + }, + { + "id": "T1484", + "name": "Domain or Tenant Policy Modification", + "reference": "https://attack.mitre.org/techniques/T1484/", + "subtechnique": [ + { + "id": "T1484.001", + "name": "Group Policy Modification", + "reference": "https://attack.mitre.org/techniques/T1484/001/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + 
"tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1570", + "name": "Lateral Tool Transfer", + "reference": "https://attack.mitre.org/techniques/T1570/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 111 + }, + "id": "15a8ba77-1c13-4274-88fe-6bd14133861e_111", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/16fac1a1-21ee-4ca6-b720-458e3855d046_110.json b/packages/security_detection_engine/kibana/security_rule/16fac1a1-21ee-4ca6-b720-458e3855d046_110.json new file mode 100644 index 00000000000..552c75e6a28 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/16fac1a1-21ee-4ca6-b720-458e3855d046_110.json 
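Review bot: The second investigation step in `note` reads "check the `` and `` XML tags" with two empty code spans where the element names from `ScheduledTasks.xml` should appear; if that is the file's content rather than a display artifact of stripped angle brackets, the guide asks the analyst to inspect unnamed tags. These are presumably the task's command and argument elements, so either restore the names or reword the step to "check each task's command and argument elements for potentially malicious commands or binaries" so it stays actionable. The same empty spans appear in the copy of this step in 16fac1a1-21ee-4ca6-b720-458e3855d046_110.json in the next hunk. Since these JSON files look generated from the detection-rules TOML sources, the fix belongs upstream rather than in this package.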
@@ -0,0 +1,120 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects the modification of Group Policy Objects (GPO) to add a startup/logon script to users or computer objects.", + "false_positives": [ + "Legitimate Administrative Activity" + ], + "index": [ + "winlogbeat-*", + "logs-system.*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Startup/Logon Script added to Group Policy Object", + "note": "## Triage and analysis\n\n### Investigating Startup/Logon Script added to Group Policy Object\n\nGroup Policy Objects (GPOs) can be used by attackers to instruct arbitrarily large groups of clients to execute specified commands at startup, logon, shutdown, and logoff. This is done by creating or modifying the `scripts.ini` or `psscripts.ini` files. The scripts are stored in the following paths:\n - `\\Machine\\Scripts\\`\n - `\\User\\Scripts\\`\n\n#### Possible investigation steps\n\n- This attack abuses a legitimate mechanism of Active Directory, so it is important to determine whether the activity is legitimate and the administrator is authorized to perform this operation.\n- Retrieve the contents of the `ScheduledTasks.xml` file, and check the `` and `` XML tags for any potentially malicious commands or binaries.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Scope which objects may be compromised by retrieving information about which objects are controlled by the GPO.\n\n### False positive analysis\n\n- Verify if the execution is legitimately authorized and executed under a change management process.\n\n### Related rules\n\n- Group Policy Abuse for Privilege Addition - b9554892-5e0e-424b-83a0-5aef95aa43bf\n- Scheduled Task Execution at Scale via GPO - 15a8ba77-1c13-4274-88fe-6bd14133861e\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- The investigation and containment must be performed 
in every computer controlled by the GPO, where necessary.\n- Remove the script from the GPO.\n- Check if other GPOs have suspicious scripts attached.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "(\n event.code:5136 and winlog.event_data.AttributeLDAPDisplayName:(gPCMachineExtensionNames or gPCUserExtensionNames) and\n winlog.event_data.AttributeValue:(*42B5FAAE-6536-11D2-AE5A-0000F87571E3* and\n (*40B66650-4972-11D1-A7CA-0000F87571E3* or *40B6664F-4972-11D1-A7CA-0000F87571E3*))\n)\nor\n(\n event.code:5145 and winlog.event_data.ShareName:\\\\\\\\*\\\\SYSVOL and\n winlog.event_data.RelativeTargetName:(*\\\\scripts.ini or *\\\\psscripts.ini) and\n (message:WriteData or winlog.event_data.AccessList:*%%4417*)\n)\n", + "references": [ + "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0025_windows_audit_directory_service_changes.md", + "https://github.com/atc-project/atc-data/blob/f2bbb51ecf68e2c9f488e3c70dcdd3df51d2a46b/docs/Logging_Policies/LP_0029_windows_audit_detailed_file_share.md", + "https://labs.f-secure.com/tools/sharpgpoabuse" + ], + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.code", + "type": "keyword" + }, + { + "ecs": true, + "name": "message", + "type": "match_only_text" + }, + { + "ecs": false, + "name": "winlog.event_data.AccessList", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.AttributeLDAPDisplayName", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.AttributeValue", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.RelativeTargetName", + "type": "unknown" + 
}, + { + "ecs": false, + "name": "winlog.event_data.ShareName", + "type": "unknown" + } + ], + "risk_score": 47, + "rule_id": "16fac1a1-21ee-4ca6-b720-458e3855d046", + "setup": "## Setup\n\nThe 'Audit Detailed File Share' audit policy must be configured (Success Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nObject Access >\nAudit Detailed File Share (Success,Failure)\n```\n\nThe 'Audit Directory Service Changes' audit policy must be configured (Success Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Changes (Success,Failure)\n```\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Data Source: Active Directory", + "Resources: Investigation Guide", + "Use Case: Active Directory Monitoring" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1484", + "name": "Domain or Tenant Policy Modification", + "reference": "https://attack.mitre.org/techniques/T1484/", + "subtechnique": [ + { + "id": "T1484.001", + "name": "Group Policy Modification", + "reference": "https://attack.mitre.org/techniques/T1484/001/" + } + ] + }, + { + "id": "T1547", + "name": "Boot or Logon Autostart Execution", + "reference": "https://attack.mitre.org/techniques/T1547/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 110 + }, + "id": "16fac1a1-21ee-4ca6-b720-458e3855d046_110", + "type": "security-rule" +} 
\ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/17b0a495-4d9f-414c-8ad0-92f018b8e001_11.json b/packages/security_detection_engine/kibana/security_rule/17b0a495-4d9f-414c-8ad0-92f018b8e001_11.json new file mode 100644 index 00000000000..b749db25972 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/17b0a495-4d9f-414c-8ad0-92f018b8e001_11.json 
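Review bot: The second investigation step in `note` tells the analyst to retrieve `ScheduledTasks.xml` and inspect its XML tags, but this rule is about `scripts.ini` / `psscripts.ini` (as its own description and query state); the step appears copied from the Scheduled Task Execution at Scale via GPO rule and points the responder at the wrong artifact. Suggest replacing it with `Retrieve the contents of the scripts.ini or psscripts.ini file under the GPO's \Machine\Scripts\ or \User\Scripts\ path and check the referenced scripts and parameters for potentially malicious commands or binaries.` A smaller style point: this query leaves values unquoted (`event.code:5136`) while the sibling GPO rule quotes them (`event.code: "5136"`); both are valid KQL, but a consistent form across the two rules makes them easier to maintain together.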
@@ -0,0 +1,131 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule detects the creation or renaming of a new Systemd file in all of the common Systemd service locations for both root and regular users. Systemd service files are configuration files in Linux systems used to define and manage system services. Malicious actors can leverage systemd service files to achieve persistence by creating or modifying services to execute malicious commands or payloads during system startup or at a predefined interval by adding a systemd timer. This allows them to maintain unauthorized access, execute additional malicious activities, or evade detection.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.file*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Systemd Service Created", + "note": "## Triage and analysis\n\n### Investigating Systemd Service Created\n\nSystemd service files are configuration files in Linux systems used to define and manage system services.\n\nMalicious actors can leverage systemd service files to achieve persistence by creating or modifying service files to execute malicious commands or payloads during system startup. This allows them to maintain unauthorized access, execute additional malicious activities, or evade detection.\n\nThis rule monitors the creation of new systemd service files, potentially indicating the creation of a persistence mechanism.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible Investigation Steps\n\n- Investigate the systemd service file that was created or modified.\n - !{osquery{\"label\":\"Osquery - Retrieve File Information\",\"query\":\"SELECT * FROM file WHERE path = {{file.path}}\"}}\n- Investigate the currently enabled systemd services through the following command `sudo systemctl list-unit-files`.\n- Investigate whether any other files in any of the available systemd directories have been altered through OSQuery.\n - !{osquery{\"label\":\"Osquery - Retrieve File Listing Information\",\"query\":\"SELECT * FROM file WHERE (path LIKE '/etc/systemd/system/%' OR path LIKE '/usr/local/lib/systemd/system/%'\\nOR path LIKE '/lib/systemd/system/%' OR path LIKE '/usr/lib/systemd/system/%'\\nOR path LIKE '/home/{{user.name}}/.config/systemd/user/%' OR path LIKE '/home/{{user.name}}/.local/share/systemd/user/%'\\nOR path LIKE '/root/.config/systemd/user/%' OR path LIKE '/root/.local/share/systemd/user/%')\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Additional File Listing Information\",\"query\":\"SELECT f.path, u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS\\nfile_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS\\nfile_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM file f LEFT\\nJOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE ( path LIKE '/etc/systemd/system/%' OR path LIKE\\n'/usr/local/lib/systemd/system/%' OR path LIKE '/lib/systemd/system/%' OR path LIKE '/usr/lib/systemd/system/%' OR path\\nLIKE '/home/{{user.name}}/.config/systemd/user/%' OR path LIKE '/home/{{user.name}}/.local/share/systemd/user/%'\\nOR path LIKE '/root/.config/systemd/user/%' OR path LIKE 
'/root/.local/share/systemd/user/%')\\n\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. \n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n- Investigate abnormal behaviors by the subject process/user such as network connections, file modifications, and any other spawned child processes.\n - Investigate listening ports and open sockets to look for potential command and control traffic or data exfiltration.\n - !{osquery{\"label\":\"Osquery - Retrieve Listening Ports\",\"query\":\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Open Sockets\",\"query\":\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\"}}\n - Identify the user account that performed the 
action, analyze it, and check whether it should perform this kind of action.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - !{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator who uses systemd services for administrative purposes, consider adding exceptions for this specific administrator user account. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Related Rules\n\n- Potential Persistence Through Run Control Detected - 0f4d35e4-925e-4959-ab24-911be207ee6f\n- Potential Persistence Through init.d Detected - 474fd20e-14cc-49c5-8160-d9ab4ba16c8b\n- Systemd Timer Created - 7fb500fa-8e24-4bd1-9480-2a819352602c\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Investigate 
credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the service/timer or restore its original configuration.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "file where host.os.type == \"linux\" and event.action in (\"rename\", \"creation\") and file.path : (\n \"/etc/systemd/system/*\", \"/usr/local/lib/systemd/system/*\", \"/lib/systemd/system/*\",\n \"/usr/lib/systemd/system/*\", \"/home/*/.config/systemd/user/*\", \"/home/*/.local/share/systemd/user/*\",\n \"/root/.config/systemd/user/*\", \"/root/.local/share/systemd/user/*\"\n) and file.extension == \"service\" and not (\n process.executable in (\n \"/bin/dpkg\", \"/usr/bin/dpkg\", \"/bin/dockerd\", \"/usr/bin/dockerd\", \"/usr/sbin/dockerd\", \"/bin/microdnf\",\n \"/usr/bin/microdnf\", \"/bin/rpm\", \"/usr/bin/rpm\", \"/bin/snapd\", \"/usr/bin/snapd\", \"/bin/yum\", \"/usr/bin/yum\",\n \"/bin/dnf\", \"/usr/bin/dnf\", \"/bin/podman\", \"/usr/bin/podman\", \"/bin/dnf-automatic\", \"/usr/bin/dnf-automatic\",\n \"/bin/pacman\", \"/usr/bin/pacman\", \"/usr/bin/dpkg-divert\", \"/bin/dpkg-divert\", \"/sbin/apk\", \"/usr/sbin/apk\",\n \"/usr/local/sbin/apk\", \"/usr/bin/apt\", \"/usr/sbin/pacman\", \"/bin/podman\", \"/usr/bin/podman\", \"/usr/bin/puppet\",\n \"/bin/puppet\", \"/opt/puppetlabs/puppet/bin/puppet\", \"/usr/bin/chef-client\", \"/bin/chef-client\",\n \"/bin/autossl_check\", \"/usr/bin/autossl_check\", \"/proc/self/exe\", \"/dev/fd/*\", 
\"/usr/bin/pamac-daemon\",\n \"/bin/pamac-daemon\", \"/usr/lib/snapd/snapd\", \"/usr/local/bin/dockerd\"\n ) or\n file.extension in (\"swp\", \"swpx\", \"swx\", \"dpkg-remove\") or\n file.Ext.original.extension == \"dpkg-new\" or\n process.executable : (\n \"/nix/store/*\", \"/var/lib/dpkg/*\", \"/tmp/vmis.*\", \"/snap/*\", \"/dev/fd/*\", \"/usr/lib/virtualbox/*\"\n ) or\n process.executable == null or\n (process.name == \"sed\" and file.name : \"sed*\") or\n (process.name == \"perl\" and file.name : \"e2scrub_all.tmp*\") \n)\n", + "references": [ + "https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": false, + "name": "file.Ext.original.extension", + "type": "unknown" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "17b0a495-4d9f-414c-8ad0-92f018b8e001", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Privilege Escalation", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1543", + "name": "Create or Modify System Process", + "reference": "https://attack.mitre.org/techniques/T1543/", + "subtechnique": [ + { + "id": "T1543.002", + "name": "Systemd Service", + "reference": "https://attack.mitre.org/techniques/T1543/002/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1543", + "name": "Create or Modify System Process", + "reference": "https://attack.mitre.org/techniques/T1543/", + "subtechnique": [ + { + "id": "T1543.002", + "name": "Systemd Service", + "reference": "https://attack.mitre.org/techniques/T1543/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 11 + }, + "id": "17b0a495-4d9f-414c-8ad0-92f018b8e001_11", + "type": "security-rule" +} \ No newline at end of file 
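Review bot: In `query`, the `process.executable in (...)` exclusion list contains the wildcard entry `"/dev/fd/*"`, but EQL `in` is an exact-match comparison, so that entry never matches; it is already covered by the later `process.executable : (...)` list, where wildcards do apply, and can be dropped from the `in` list. The same `in` list also repeats `"/bin/podman", "/usr/bin/podman"` twice. Separately, the wildcarded exclusion `"/tmp/vmis.*"` and the `process.executable == null` clause are broader than the rest of the list: any service-file writer whose executable path is unset or sits under that `/tmp` prefix is never alerted on, so a short comment in the rule source explaining what each covers, and whether it can be narrowed, would help future tuning. The rule JSON is presumably generated from the TOML source, so these changes belong there.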
diff --git a/packages/security_detection_engine/kibana/security_rule/185c782e-f86a-11ee-9d9f-f661ea17fbce_1.json b/packages/security_detection_engine/kibana/security_rule/185c782e-f86a-11ee-9d9f-f661ea17fbce_1.json new file mode 100644 index 00000000000..0e3bd92686d --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/185c782e-f86a-11ee-9d9f-f661ea17fbce_1.json 
@@ -0,0 +1,107 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule attempts to identify rapid secret retrieval attempts from AWS SecretsManager. Adversaries may attempt to retrieve secrets from the Secrets Manager programmatically using the `GetSecretValue` or `BatchGetSecretValue` API actions.", + "false_positives": [ + "Verify whether the user identity, user agent, and/or hostname should be using GetSecretString or BatchGetSecretValue APIs for the specified SecretId. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-5m", + "index": [ + "filebeat-*", + "logs-aws.cloudtrail*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Rapid Secret Retrieval Attempts from AWS SecretsManager", + "note": "## Triage and analysis\n\n### Investigating Rapid Secret Retrieval Attempts from AWS SecretsManager\n\nAWS Secrets Manager is a service that enables the replacement of hardcoded credentials in code, including passwords, with an API call to Secrets Manager to retrieve the secret programmatically.\n\nThis rule looks for the rapid retrieval of credentials using `GetSecretValue` or `BatchGetSecretValue` actions in Secrets Manager programmatically. This is a [Threshold](https://www.elastic.co/guide/en/security/master/rules-ui-create.html#create-threshold-rule) rule indicating 20 or more successful attempts to retrieve a secret value from Secrets Manager by the same user identity within a short timespan. \n\n#### Possible investigation steps\n\n- Identify the account and its role in the environment, and inspect the related policy.\n- Identify the applications that should use this account.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Investigate abnormal values in the `user_agent.original` field by comparing them with the intended and authorized usage and historical data. 
Suspicious user agent values include non-SDK, AWS CLI, custom user agents, etc.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences involving other users.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the calling user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- Review IAM permission policies for the user identity and specific secrets accessed.\n- Examine the request parameters. These might indicate the source of the program or the nature of its tasks.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- False positives may occur due to the intended usage of the service. Tuning is needed in order to have higher confidence. 
Consider adding exceptions \u2014 preferably with a combination of user agent and IP address conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Rotate secrets or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n",
+ "query": "event.dataset:aws.cloudtrail and event.provider:secretsmanager.amazonaws.com and\n event.action: (GetSecretValue or BatchGetSecretValue) and event.outcome:success and\n not user_agent.name: (\"Chrome\" or \"Firefox\" or \"Safari\" or \"Edge\" or \"Brave\" or \"Opera\")\n",
+ "references": [
+ "https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_GetSecretValue.html",
+ "https://detectioninthe.cloud/ttps/credential_access/access_secret_in_secrets_manager/",
+ "https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-services/aws-secrets-manager-enum",
+ "https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_BatchGetSecretValue.html"
+ ],
+ "related_integrations": [
+ {
+ "integration": "cloudtrail",
+ "package": "aws",
+ "version": "^2.0.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.action",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.dataset",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.outcome",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.provider",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "user_agent.name",
+ "type": "keyword"
+ }
+ ],
+ "risk_score": 47,
+ "rule_id": "185c782e-f86a-11ee-9d9f-f661ea17fbce",
+ "severity": "medium",
+ "tags": [
+ "Domain: Cloud",
+ "Data Source: AWS",
+ "Data Source: Amazon Web Services",
+ "Data Source: AWS Secrets Manager",
+ "Tactic: Credential Access",
+ "Resources: Investigation Guide"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0006",
+ "name": "Credential Access",
+ "reference": "https://attack.mitre.org/tactics/TA0006/"
+ },
+ "technique": [
+ {
+ "id": "T1555",
+ "name": "Credentials from Password Stores",
+ "reference": "https://attack.mitre.org/techniques/T1555/",
+ "subtechnique": [
+ {
+ "id": "T1555.006",
+ "name": "Cloud Secrets Management Stores",
+ "reference": "https://attack.mitre.org/techniques/T1555/006/"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "threshold": {
+ "field": [
+ "user.id"
+ ],
+ "value": 20
+ },
+ "timestamp_override": "event.ingested",
+ "type": "threshold",
+ "version": 1
+ },
+ "id": "185c782e-f86a-11ee-9d9f-f661ea17fbce_1",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/192657ba-ab0e-4901-89a2-911d611eee98_1.json b/packages/security_detection_engine/kibana/security_rule/192657ba-ab0e-4901-89a2-911d611eee98_1.json
new file mode 100644
index 00000000000..5451ad2b4f3
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/192657ba-ab0e-4901-89a2-911d611eee98_1.json
@@ -0,0 +1,166 @@
+{
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "This rule leverages the File Integrity Monitoring (FIM) integration to detect file modifications of files that are commonly used for persistence on Linux systems. The rule detects modifications to files that are commonly used for cron jobs, systemd services, message-of-the-day (MOTD), SSH configurations, shell configurations, runtime control, init daemon, passwd/sudoers/shadow files, Systemd udevd, and XDG/KDE autostart entries. To leverage this rule, the paths specified in the query need to be added to the FIM policy in the Elastic Security app.",
+ "from": "now-9m",
+ "index": [
+ "logs-fim.event-*",
+ "auditbeat-*"
+ ],
+ "language": "eql",
+ "license": "Elastic License v2",
+ "name": "Potential Persistence via File Modification",
+ "query": "file where host.os.type == \"linux\" and event.dataset == \"fim.event\" and event.action == \"updated\" and\nfile.path : (\n // cron, anacron & at\n \"/etc/cron.d/*\", \"/etc/cron.daily/*\", \"/etc/cron.hourly/*\", \"/etc/cron.monthly/*\",\n \"/etc/cron.weekly/*\", \"/etc/crontab\", \"/var/spool/cron/crontabs/*\", \"/etc/cron.allow\",\n \"/etc/cron.deny\", \"/var/spool/anacron/*\", \"/var/spool/cron/atjobs/*\",\n\n // systemd services & timers\n \"/etc/systemd/system/*\", \"/usr/local/lib/systemd/system/*\", \"/lib/systemd/system/*\",\n \"/usr/lib/systemd/system/*\", \"/home/*/.config/systemd/user/*\", \"/home/*/.local/share/systemd/user/*\",\n \"/root/.config/systemd/user/*\", \"/root/.local/share/systemd/user/*\",\n\n // LD_PRELOAD\n \"/etc/ld.so.preload\", \"/etc/ld.so.conf.d/*\", \"/etc/ld.so.conf\",\n\n // message-of-the-day (MOTD)\n \"/etc/update-motd.d/*\",\n\n // SSH\n \"/home/*/.ssh/*\", \"/root/.ssh/*\", \"/etc/ssh/*\",\n\n // system-wide shell configurations\n \"/etc/profile\", \"/etc/profile.d/*\", \"/etc/bash.bashrc\", \"/etc/zsh/*\", \"/etc/csh.cshrc\",\n \"/etc/csh.login\", \"/etc/fish/config.fish\", \"/etc/ksh.kshrc\",\n\n // root and user shell configurations\n \"/home/*/.profile\", \"/home/*/.bashrc\", \"/home/*/.bash_login\", \"/home/*/.bash_logout\",\n \"/root/.profile\", \"/root/.bashrc\", \"/root/.bash_login\", \"/root/.bash_logout\",\n \"/home/*/.zprofile\", \"/home/*/.zshrc\", \"/root/.zprofile\", \"/root/.zshrc\",\n \"/home/*/.cshrc\", \"/home/*/.login\", \"/home/*/.logout\", \"/root/.cshrc\", \"/root/.login\", \"/root/.logout\",\n \"/home/*/.config/fish/config.fish\", \"/root/.config/fish/config.fish\",\n \"/home/*/.kshrc\", \"/root/.kshrc\",\n\n // runtime control\n \"/etc/rc.common\", \"/etc/rc.local\",\n\n // init daemon\n \"/etc/init.d/*\",\n\n // passwd/sudoers/shadow\n \"/etc/passwd\", \"/etc/shadow\", \"/etc/sudoers\", \"/etc/sudoers.d/*\",\n\n // Systemd udevd\n \"/lib/udev/*\", \"/etc/udev/rules.d/*\", \"/usr/lib/udev/rules.d/*\", \"/run/udev/rules.d/*\",\n\n // XDG/KDE autostart entries\n \"/home/*/.config/autostart/*\", \"/root/.config/autostart/*\", \"/etc/xdg/autostart/*\", \"/usr/share/autostart/*\",\n \"/home/*/.kde/Autostart/*\", \"/root/.kde/Autostart/*\",\n \"/home/*/.kde4/Autostart/*\", \"/root/.kde4/Autostart/*\",\n \"/home/*/.kde/share/autostart/*\", \"/root/.kde/share/autostart/*\",\n \"/home/*/.kde4/share/autostart/*\", \"/root/.kde4/share/autostart/*\",\n \"/home/*/.local/share/autostart/*\", \"/root/.local/share/autostart/*\",\n \"/home/*/.config/autostart-scripts/*\", \"/root/.config/autostart-scripts/*\"\n) and not (\n file.path : (\n \"/var/spool/cron/crontabs/tmp.*\", \"/run/udev/rules.d/*rules.*\", \"/home/*/.ssh/known_hosts.*\", \"/root/.ssh/known_hosts.*\"\n ) or\n file.extension in (\"dpkg-new\", \"dpkg-remove\", \"SEQ\")\n)\n",
+ "related_integrations": [
+ {
+ "package": "fim",
+ "version": "^1.0.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.action",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.dataset",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "file.extension",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "file.path",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "host.os.type",
+ "type": "keyword"
+ }
+ ],
+ "risk_score": 21,
+ "rule_id": "192657ba-ab0e-4901-89a2-911d611eee98",
+ "setup": "## Setup\n\nThis rule requires data coming in from the Elastic File Integrity Monitoring (FIM) integration.\n\n### Elastic FIM Integration Setup\nTo configure the Elastic FIM integration, follow these steps:\n\n1. Install and configure the Elastic Agent on your Linux system. You can refer to the [Elastic Agent documentation](https://www.elastic.co/guide/en/ingest-management/current/agent-configuration.html) for detailed instructions.\n2. Once the Elastic Agent is installed, navigate to the Elastic Security app in Kibana.\n3. In the Kibana home page, click on \"Integrations\" in the left sidebar.\n4. Search for \"File Integrity Monitoring\" in the search bar and select the integration.\n6. Provide a name and optional description for the integration.\n7. Select the appropriate agent policy for your Linux system or create a new one.\n8. Configure the FIM policy by specifying the paths that you want to monitor for file modifications. You can use the same paths mentioned in the `query` field of the rule. Note that FIM does not accept wildcards in the paths, so you need to specify the exact paths you want to monitor.\n9. Save the configuration and the Elastic Agent will start monitoring the specified paths for file modifications.\n\nFor more details on configuring the Elastic FIM integration, you can refer to the [Elastic FIM documentation](https://docs.elastic.co/integrations/fim).\n",
+ "severity": "low",
+ "tags": [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Tactic: Privilege Escalation",
+ "Data Source: File Integrity Monitoring"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0003",
+ "name": "Persistence",
+ "reference": "https://attack.mitre.org/tactics/TA0003/"
+ },
+ "technique": [
+ {
+ "id": "T1037",
+ "name": "Boot or Logon Initialization Scripts",
+ "reference": "https://attack.mitre.org/techniques/T1037/",
+ "subtechnique": [
+ {
+ "id": "T1037.004",
+ "name": "RC Scripts",
+ "reference": "https://attack.mitre.org/techniques/T1037/004/"
+ }
+ ]
+ },
+ {
+ "id": "T1543",
+ "name": "Create or Modify System Process",
+ "reference": "https://attack.mitre.org/techniques/T1543/",
+ "subtechnique": [
+ {
+ "id": "T1543.002",
+ "name": "Systemd Service",
+ "reference": "https://attack.mitre.org/techniques/T1543/002/"
+ }
+ ]
+ },
+ {
+ "id": "T1556",
+ "name": "Modify Authentication Process",
+ "reference": "https://attack.mitre.org/techniques/T1556/"
+ },
+ {
+ "id": "T1574",
+ "name": "Hijack Execution Flow",
+ "reference": "https://attack.mitre.org/techniques/T1574/",
+ "subtechnique": [
+ {
+ "id": "T1574.006",
+ "name": "Dynamic Linker Hijacking",
+ "reference": "https://attack.mitre.org/techniques/T1574/006/"
+ }
+ ]
+ },
+ {
+ "id": "T1136",
+ "name": "Create Account",
+ "reference": "https://attack.mitre.org/techniques/T1136/",
+ "subtechnique": [
+ {
+ "id": "T1136.001",
+ "name": "Local Account",
+ "reference": "https://attack.mitre.org/techniques/T1136/001/"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0004",
+ "name": "Privilege Escalation",
+ "reference": "https://attack.mitre.org/tactics/TA0004/"
+ },
+ "technique": [
+ {
+ "id": "T1053",
+ "name": "Scheduled Task/Job",
+ "reference": "https://attack.mitre.org/techniques/T1053/",
+ "subtechnique": [
+ {
+ "id": "T1053.003",
+ "name": "Cron",
+ "reference": "https://attack.mitre.org/techniques/T1053/003/"
+ }
+ ]
+ },
+ {
+ "id": "T1548",
+ "name": "Abuse Elevation Control Mechanism",
+ "reference": "https://attack.mitre.org/techniques/T1548/",
+ "subtechnique": [
+ {
+ "id": "T1548.003",
+ "name": "Sudo and Sudo Caching",
+ "reference": "https://attack.mitre.org/techniques/T1548/003/"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "eql",
+ "version": 1
+ },
+ "id": "192657ba-ab0e-4901-89a2-911d611eee98_1",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/1d4ca9c0-ff1e-11ee-91cc-f661ea17fbce_1.json b/packages/security_detection_engine/kibana/security_rule/1d4ca9c0-ff1e-11ee-91cc-f661ea17fbce_1.json
new file mode 100644
index 00000000000..e2aa4c04f35
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/1d4ca9c0-ff1e-11ee-91cc-f661ea17fbce_1.json
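Review bot: The numbered list in the `setup` string jumps from step 4 to step 6, so either a step was dropped or the later items need renumbering; restore a `\n5. ...` line or renumber 6–9 as 5–8. The same string says FIM does not accept wildcards while the `query` matches patterns such as `/home/*/.ssh/*` and `/etc/cron.d/*`, so a sentence telling the operator to monitor the parent directories (for example `/etc/cron.d` and each user's `.ssh` directory) rather than copying the globs would make the guidance actionable. The `index` list includes `auditbeat-*`, but the query requires `event.dataset == "fim.event"`; if the auditbeat file_integrity module reports a different dataset value that pattern never matches, which is worth confirming before shipping.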
@@ -0,0 +1,97 @@
+{
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Identifies the creation of an AWS Roles Anywhere profile. AWS Roles Anywhere is a feature that allows you to use AWS Identity and Access Management (IAM) profiles to manage access to your AWS resources from any location via trusted anchors. This rule detects the creation of a profile that can be assumed from any service. Adversaries may create profiles tied to overly permissive roles to maintain access to AWS resources. Ensure that the profile creation is expected and that the trust policy is configured securely.",
+ "false_positives": [
+ "AWS Roles Anywhere profiles are legitimate profiles that can be created by administrators to allow access from any location. Ensure that the profile created is expected and that the trust policy is configured securely."
+ ],
+ "from": "now-30m",
+ "index": [
+ "filebeat-*",
+ "logs-aws.cloudtrail-*"
+ ],
+ "interval": "10m",
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "name": "AWS IAM Roles Anywhere Profile Creation",
+ "note": "\n## Triage and Analysis\n\n### Investigating AWS IAM Roles Anywhere Profile Creation\n\nThis rule detects the creation of an AWS Roles Anywhere profile. AWS Roles Anywhere allows you to use AWS Identity and Access Management (IAM) profiles to manage access to your AWS resources from any location via trusted anchors. Adversaries may create profiles tied to overly permissive roles to maintain access to AWS resources. It is crucial to ensure that the profile creation is expected and that the trust policy is configured securely.\n\n#### Possible Investigation Steps:\n\n- **Identify the Actor**: Review the `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.access_key_id` fields to identify who created the profile. Verify if this actor typically performs such actions and if they have the necessary permissions.\n- **Review the Request Details**: Examine the `aws.cloudtrail.request_parameters` to understand the specific details of the profile creation. Look for any unusual parameters or overly permissive roles that could suggest unauthorized or malicious activity.\n- **Analyze the Source of the Request**: Investigate the `source.ip` and `source.geo` fields to determine the location and origin of the request. Ensure the request originated from a known and trusted location.\n- **Check the Created Profile\u2019s Permissions**: Review the `roleArns` associated with the created profile. Verify that the roles are appropriate for the user's intended actions and do not grant excessive permissions.\n- **Verify the Profile\u2019s Configuration**: Ensure that the profile's `durationSeconds`, `enabled`, and `tags` are configured according to your organization's security policies. Pay particular attention to any configuration that might allow prolonged access or concealment of activity.\n\n### False Positive Analysis:\n\n- **Legitimate Administrative Actions**: Confirm if the profile creation aligns with scheduled updates, development activities, or legitimate administrative tasks documented in change management systems.\n- **Consistency Check**: Compare the action against historical data of similar actions performed by the user or within the organization. If the action is consistent with past legitimate activities, it might indicate a false alarm.\n- **Verify through Outcomes**: Check the `aws.cloudtrail.response_elements` and the `event.outcome` to confirm if the profile creation was successful and intended according to policy.\n\n### Response and Remediation:\n\n- **Immediate Review and Reversal if Necessary**: If the profile creation was unauthorized, disable or delete the created profile and review the associated roles and permissions for any potential misuse.\n- **Enhance Monitoring and Alerts**: Adjust monitoring systems to alert on similar actions, especially those involving sensitive roles or unexpected locations.\n- **Educate and Train**: Provide additional training to users with administrative rights on the importance of security best practices concerning profile and role management and the risks of unauthorized profile creation.\n- **Audit IAM Policies and Permissions**: Conduct a comprehensive audit of all IAM policies and associated permissions to ensure they adhere to the principle of least privilege.\n- **Incident Response**: If there's an indication of malicious intent or a security breach, initiate the incident response protocol to mitigate any damage and prevent future occurrences.\n\n### Additional Information:\n\nFor further guidance on managing AWS IAM Roles Anywhere profiles and securing AWS environments, refer to the [AWS Roles Anywhere documentation](https://docs.aws.amazon.com/rolesanywhere/latest/userguide/introduction.html) and AWS best practices for security. Additionally, consult the following resources for specific details on profile management and potential abuse:\n- [AWS IAM Roles Anywhere Profile Creation API Reference](https://docs.aws.amazon.com/rolesanywhere/latest/APIReference/API_CreateProfile.html)\n- [Ermetic Blog - Managing Third Party Access](https://ermetic.com/blog/aws/keep-your-iam-users-close-keep-your-third-parties-even-closer-part-1/)\n\n",
+ "query": "event.dataset:aws.cloudtrail\n and event.provider: rolesanywhere.amazonaws.com\n and event.action: CreateProfile\n and event.outcome: success\n",
+ "references": [
+ "https://docs.aws.amazon.com/rolesanywhere/latest/userguide/introduction.html",
+ "https://docs.datadoghq.com/security/default_rules/cloudtrail-aws-iam-roles-anywhere-trust-anchor-created/",
+ "https://ermetic.com/blog/aws/keep-your-iam-users-close-keep-your-third-parties-even-closer-part-1/",
+ "https://docs.aws.amazon.com/rolesanywhere/latest/APIReference/API_CreateProfile.html"
+ ],
+ "related_integrations": [
+ {
+ "integration": "cloudtrail",
+ "package": "aws",
+ "version": "^2.0.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.action",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.dataset",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.outcome",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.provider",
+ "type": "keyword"
+ }
+ ],
+ "risk_score": 21,
+ "rule_id": "1d4ca9c0-ff1e-11ee-91cc-f661ea17fbce",
+ "severity": "low",
+ "tags": [
+ "Domain: Cloud",
+ "Data Source: AWS",
+ "Data Source: Amazon Web Services",
+ "Data Source: AWS IAM",
+ "Use Case: Identity and Access Audit",
+ "Tactic: Persistence"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0003",
+ "name": "Persistence",
+ "reference": "https://attack.mitre.org/tactics/TA0003/"
+ },
+ "technique": [
+ {
+ "id": "T1098",
+ "name": "Account Manipulation",
+ "reference": "https://attack.mitre.org/techniques/T1098/",
+ "subtechnique": [
+ {
+ "id": "T1098.003",
+ "name": "Additional Cloud Roles",
+ "reference": "https://attack.mitre.org/techniques/T1098/003/"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "query",
+ "version": 1
+ },
+ "id": "1d4ca9c0-ff1e-11ee-91cc-f661ea17fbce_1",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/26f68dba-ce29-497b-8e13-b4fde1db5a2d_208.json b/packages/security_detection_engine/kibana/security_rule/26f68dba-ce29-497b-8e13-b4fde1db5a2d_208.json
new file mode 100644
index 00000000000..415ab624a20
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/26f68dba-ce29-497b-8e13-b4fde1db5a2d_208.json
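Review bot: The `description` says the rule "detects the creation of a profile that can be assumed from any service", but the `query` matches every successful `CreateProfile` call with no condition on the request parameters or the role ARNs, so the sentence claims a distinction the rule does not make; `This rule detects any successful creation of a Roles Anywhere profile.` would describe the query accurately, and the same wording could replace the matching sentence in `note`. The `note` string also begins with `\n` and ends with `\n\n`, unlike the other guides in this batch that start directly with the heading, which leaves stray blank lines in the rendered investigation guide.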
@@ -0,0 +1,97 @@
+{
+ "attributes": {
+ "author": [
+ "Elastic",
+ "Willem D'Haese",
+ "Austin Songer"
+ ],
+ "description": "Identifies attempts to brute force a Microsoft 365 user account. An adversary may attempt a brute force attack to obtain unauthorized access to user accounts.",
+ "false_positives": [
+ "Automated processes that attempt to authenticate using expired credentials and unbounded retries may lead to false positives."
+ ],
+ "from": "now-30m",
+ "index": [
+ "filebeat-*",
+ "logs-o365*"
+ ],
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "name": "Attempts to Brute Force a Microsoft 365 User Account",
+ "note": "",
+ "query": "event.dataset:o365.audit and event.provider:(AzureActiveDirectory or Exchange) and\n event.category:authentication and event.action:(UserLoginFailed or PasswordLogonInitialAuthUsingPassword) and\n not o365.audit.LogonError:(UserAccountNotFound or EntitlementGrantsNotFound or UserStrongAuthEnrollmentRequired or\n UserStrongAuthClientAuthNRequired or InvalidReplyTo or SsoArtifactExpiredDueToConditionalAccess or\n PasswordResetRegistrationRequiredInterrupt or SsoUserAccountNotFoundInResourceTenant or\n UserStrongAuthExpired)\n",
+ "references": [
+ "https://blueteamblog.com/7-ways-to-monitor-your-office-365-logs-using-siem"
+ ],
+ "related_integrations": [
+ {
+ "package": "o365",
+ "version": "^2.0.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.action",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.category",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.dataset",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.provider",
+ "type": "keyword"
+ },
+ {
+ "ecs": false,
+ "name": "o365.audit.LogonError",
+ "type": "keyword"
+ }
+ ],
+ "risk_score": 73,
+ "rule_id": "26f68dba-ce29-497b-8e13-b4fde1db5a2d",
+ "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+ "severity": "high",
+ "tags": [
+ "Domain: Cloud",
+ "Data Source: Microsoft 365",
+ "Use Case: Identity and Access Audit",
+ "Tactic: Credential Access"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0006",
+ "name": "Credential Access",
+ "reference": "https://attack.mitre.org/tactics/TA0006/"
+ },
+ "technique": [
+ {
+ "id": "T1110",
+ "name": "Brute Force",
+ "reference": "https://attack.mitre.org/techniques/T1110/"
+ }
+ ]
+ }
+ ],
+ "threshold": {
+ "field": [
+ "user.id"
+ ],
+ "value": 10
+ },
+ "timestamp_override": "event.ingested",
+ "type": "threshold",
+ "version": 208
+ },
+ "id": "26f68dba-ce29-497b-8e13-b4fde1db5a2d_208",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/28f6f34b-8e16-487a-b5fd-9d22eb903db8_2.json b/packages/security_detection_engine/kibana/security_rule/28f6f34b-8e16-487a-b5fd-9d22eb903db8_2.json
new file mode 100644
index 00000000000..8044a4c17bf
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/28f6f34b-8e16-487a-b5fd-9d22eb903db8_2.json
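Review bot: `"note": ""` ships this high-severity rule with no investigation guide, while the other rules added in this commit carry a Triage and Analysis section; either remove the empty key or add a short guide covering the `o365.audit.LogonError` values the query excludes so analysts know why some failures are filtered. The `threshold` counts failures per `user.id` with `value: 10` over the `now-30m` window, so the rule's scope is repeated failures against a single account; one sentence in `description` stating that scope would set expectations for whoever tunes it or pairs it with a per-source-address rule.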
@@ -0,0 +1,110 @@
+{
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "This rule monitors the creation/alteration of a shell configuration file. Unix systems use shell configuration files to set environment variables, create aliases, and customize the user's environment. Adversaries may modify or add a shell configuration file to execute malicious code and gain persistence in the system. This behavior is consistent with the Kaiji malware family.",
+ "false_positives": [
+ "Legitimate user shell modification activity."
+ ],
+ "from": "now-9m",
+ "index": [
+ "logs-endpoint.events.file*"
+ ],
+ "language": "eql",
+ "license": "Elastic License v2",
+ "name": "Shell Configuration Creation or Modification",
+ "query": "file where host.os.type == \"linux\" and event.action in (\"rename\", \"creation\") and file.path : (\n // system-wide configurations\n \"/etc/profile\", \"/etc/profile.d/*\", \"/etc/bash.bashrc\", \"/etc/zsh/*\",\n \"/etc/csh.cshrc\", \"/etc/csh.login\", \"/etc/fish/config.fish\", \"/etc/ksh.kshrc\",\n // root and user configurations\n \"/home/*/.profile\", \"/home/*/.bashrc\", \"/home/*/.bash_login\", \"/home/*/.bash_logout\",\n \"/root/.profile\", \"/root/.bashrc\", \"/root/.bash_login\", \"/root/.bash_logout\",\n \"/home/*/.zprofile\", \"/home/*/.zshrc\", \"/root/.zprofile\", \"/root/.zshrc\",\n \"/home/*/.cshrc\", \"/home/*/.login\", \"/home/*/.logout\", \"/root/.cshrc\", \"/root/.login\", \"/root/.logout\",\n \"/home/*/.config/fish/config.fish\", \"/root/.config/fish/config.fish\",\n \"/home/*/.kshrc\", \"/root/.kshrc\"\n) and not (\n process.executable in (\n \"/bin/dpkg\", \"/usr/bin/dpkg\", \"/bin/dockerd\", \"/usr/bin/dockerd\", \"/usr/sbin/dockerd\", \"/bin/microdnf\",\n \"/usr/bin/microdnf\", \"/bin/rpm\", \"/usr/bin/rpm\", \"/bin/snapd\", \"/usr/bin/snapd\", \"/bin/yum\", \"/usr/bin/yum\",\n \"/bin/dnf\", \"/usr/bin/dnf\", \"/bin/podman\", \"/usr/bin/podman\", \"/bin/dnf-automatic\", \"/usr/bin/dnf-automatic\",\n \"/bin/pacman\", \"/usr/bin/pacman\", \"/usr/bin/dpkg-divert\", \"/bin/dpkg-divert\", \"/sbin/apk\", \"/usr/sbin/apk\",\n \"/usr/local/sbin/apk\", \"/usr/bin/apt\", \"/usr/sbin/pacman\", \"/bin/podman\", \"/usr/bin/podman\", \"/usr/bin/puppet\",\n \"/bin/puppet\", \"/opt/puppetlabs/puppet/bin/puppet\", \"/usr/bin/chef-client\", \"/bin/chef-client\",\n \"/bin/autossl_check\", \"/usr/bin/autossl_check\", \"/proc/self/exe\", \"/dev/fd/*\", \"/usr/bin/pamac-daemon\",\n \"/bin/pamac-daemon\", \"/usr/lib/snapd/snapd\", \"/usr/sbin/adduser\", \"/usr/sbin/useradd\", \"/usr/local/bin/dockerd\"\n ) or\n file.extension in (\"swp\", \"swpx\", \"swx\", \"dpkg-remove\") or\n file.Ext.original.extension == \"dpkg-new\" or\n process.executable : (\n \"/nix/store/*\", \"/var/lib/dpkg/*\", \"/tmp/vmis.*\", \"/snap/*\", \"/dev/fd/*\", \"/usr/lib/virtualbox/*\"\n ) or\n process.executable == null or\n (process.name == \"sed\" and file.name : \"sed*\") or\n (process.name == \"perl\" and file.name : \"e2scrub_all.tmp*\") \n)\n",
+ "references": [
+ "https://intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/"
+ ],
+ "related_integrations": [
+ {
+ "package": "endpoint",
+ "version": "^8.2.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.action",
+ "type": "keyword"
+ },
+ {
+ "ecs": false,
+ "name": "file.Ext.original.extension",
+ "type": "unknown"
+ },
+ {
+ "ecs": true,
+ "name": "file.extension",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "file.name",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "file.path",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "host.os.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.executable",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.name",
+ "type": "keyword"
+ }
+ ],
+ "risk_score": 47,
+ "rule_id": "28f6f34b-8e16-487a-b5fd-9d22eb903db8",
+ "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n",
+ "severity": "medium",
+ "tags": [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Data Source: Elastic Defend"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0003",
+ "name": "Persistence",
+ "reference": "https://attack.mitre.org/tactics/TA0003/"
+ },
+ "technique": [
+ {
+ "id": "T1546",
+ "name": "Event Triggered Execution",
+ "reference": "https://attack.mitre.org/techniques/T1546/",
+ "subtechnique": [
+ {
+ "id": "T1546.004",
+ "name": "Unix Shell Configuration Modification",
+ "reference": "https://attack.mitre.org/techniques/T1546/004/"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "eql",
+ "version": 2
+ },
+ "id": "28f6f34b-8e16-487a-b5fd-9d22eb903db8_2",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/2917d495-59bd-4250-b395-c29409b76086_313.json b/packages/security_detection_engine/kibana/security_rule/2917d495-59bd-4250-b395-c29409b76086_313.json
new file mode 100644
index 00000000000..e54a407b9f9
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/2917d495-59bd-4250-b395-c29409b76086_313.json
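Review bot: The `process.executable in (...)` exclusion in `query` lists `/bin/podman` and `/usr/bin/podman` twice and also contains `/dev/fd/*`, which is dead there because EQL `in` is an exact string comparison and the wildcard is only honoured by the later `process.executable : (...)` clause, where `/dev/fd/*` already appears; dropping the duplicates and the `in`-list wildcard changes nothing at runtime and makes the exclusion list easier to audit. The `process.executable == null` exclusion silently drops every file event that arrives without an executable, so a clause in `false_positives` or `description` recording why that is acceptable would help the next maintainer judge it. The query string also carries a trailing space before its final `\n)`, and the `setup` text links a version-pinned `fleet/8.10/agent-policy.html` page while the other links use `current`.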
@@ -0,0 +1,172 @@
+{
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Identifies suspicious commands executed via a web server, which may suggest a vulnerability and remote shell access.",
+ "false_positives": [
+ "Security audits, maintenance, and network administrative scripts may trigger this alert when run under web processes."
+ ],
+ "from": "now-9m",
+ "index": [
+ "winlogbeat-*",
+ "logs-endpoint.events.process-*",
+ "logs-windows.*",
+ "endgame-*",
+ "logs-system.security*",
+ "logs-sentinel_one_cloud_funnel.*"
+ ],
+ "language": "eql",
+ "license": "Elastic License v2",
+ "name": "Web Shell Detection: Script Process Child of Common Web Processes",
+ "note": "## Triage and analysis\n\n### Investigating Web Shell Detection: Script Process Child of Common Web Processes\n\nAdversaries may backdoor web servers with web shells to establish persistent access to systems. A web shell is a web script that is placed on an openly accessible web server to allow an adversary to use the web server as a gateway into a network. 
A web shell may provide a set of functions to execute or a command-line interface on the system that hosts the web server.\n\nThis rule detects a web server process spawning script and command-line interface programs, potentially indicating attackers executing commands using the web shell.\n\n#### Possible investigation steps\n\n- Investigate abnormal behaviors observed by the subject process such as network connections, registry or file modifications, and any other spawned child processes.\n- Examine the command line to determine which commands or scripts were executed.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n",
+ "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : (\"w3wp.exe\", \"httpd.exe\", \"nginx.exe\", \"php.exe\", \"php-cgi.exe\", \"tomcat.exe\") and\n process.name : (\"cmd.exe\", \"cscript.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\", \"wmic.exe\", \"wscript.exe\") and\n not\n (\n process.parent.name : (\"php.exe\", \"httpd.exe\") and process.name : \"cmd.exe\" and\n process.command_line : (\n \"cmd.exe /c mode CON\",\n \"cmd.exe /s /c \\\"mode CON\\\"\",\n \"cmd.exe /c \\\"mode\\\"\",\n \"cmd.exe /s /c \\\"tput colors 2>&1\\\"\"\n )\n )\n",
+ "references": [
+ "https://www.microsoft.com/security/blog/2020/02/04/ghost-in-the-shell-investigating-web-shell-attacks/",
+ "https://www.elastic.co/security-labs/elastic-response-to-the-the-spring4shell-vulnerability-cve-2022-22965",
+ "https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-1"
+ ],
+ "related_integrations": [
+ {
+ "package": "endpoint",
+ "version": "^8.2.0"
+ },
+ {
+ "package": "windows",
+ "version": "^1.5.0"
+ },
+ {
+ "package": "system",
+ "version": "^1.6.4"
+ },
+ {
+ "package": "sentinel_one_cloud_funnel",
+ "version": "^1.0.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "host.os.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.command_line",
+ "type": "wildcard"
+ },
+ {
+ "ecs": true,
+ "name": "process.name",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.parent.name",
+ "type": "keyword"
+ }
+ 
],
+ "risk_score": 73,
+ "rule_id": "2917d495-59bd-4250-b395-c29409b76086",
+ "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
+ "severity": "high",
+ "tags": [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Tactic: Initial Access",
+ "Tactic: Execution",
+ "Resources: Investigation Guide",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+ "Data Source: SentinelOne"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0003",
+ "name": "Persistence",
+ "reference": "https://attack.mitre.org/tactics/TA0003/"
+ },
+ "technique": [
+ {
+ "id": "T1505",
+ "name": "Server Software Component",
+ "reference": "https://attack.mitre.org/techniques/T1505/",
+ "subtechnique": [
+ {
+ "id": "T1505.003",
+ "name": "Web Shell",
+ "reference": "https://attack.mitre.org/techniques/T1505/003/"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0001",
+ "name": "Initial Access",
+ "reference": "https://attack.mitre.org/tactics/TA0001/"
+ },
+ "technique": [
+ {
+ "id": "T1190",
+ "name": "Exploit Public-Facing Application",
+ "reference": "https://attack.mitre.org/techniques/T1190/"
+ }
+ ]
+ },
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0002",
+ "name": "Execution",
+ "reference": "https://attack.mitre.org/tactics/TA0002/"
+ },
+ "technique": [
+ {
+ "id": "T1059",
+ "name": "Command and Scripting Interpreter",
+ "reference": "https://attack.mitre.org/techniques/T1059/",
+ "subtechnique": [
+ {
+ 
"id": "T1059.001",
+ "name": "PowerShell",
+ "reference": "https://attack.mitre.org/techniques/T1059/001/"
+ },
+ {
+ "id": "T1059.003",
+ "name": "Windows Command Shell",
+ "reference": "https://attack.mitre.org/techniques/T1059/003/"
+ },
+ {
+ "id": "T1059.005",
+ "name": "Visual Basic",
+ "reference": "https://attack.mitre.org/techniques/T1059/005/"
+ }
+ ]
+ },
+ {
+ "id": "T1047",
+ "name": "Windows Management Instrumentation",
+ "reference": "https://attack.mitre.org/techniques/T1047/"
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "eql",
+ "version": 313
+ },
+ "id": "2917d495-59bd-4250-b395-c29409b76086_313",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/2bf78aa2-9c56-48de-b139-f169bf99cf86_313.json b/packages/security_detection_engine/kibana/security_rule/2bf78aa2-9c56-48de-b139-f169bf99cf86_313.json
new file mode 100644
index 00000000000..e1f81d43f0e
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/2bf78aa2-9c56-48de-b139-f169bf99cf86_313.json
@@ -0,0 +1,109 @@
+{
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Detects writing executable files that will be automatically launched by Adobe on launch.",
+ "from": "now-9m",
+ "index": [
+ "winlogbeat-*",
+ "logs-endpoint.events.file-*",
+ "logs-windows.sysmon_operational-*",
+ "endgame-*",
+ "logs-sentinel_one_cloud_funnel.*"
+ ],
+ "language": "eql",
+ "license": "Elastic License v2",
+ "name": "Adobe Hijack Persistence",
+ "note": "## Triage and analysis\n\n### Investigating Adobe Hijack Persistence\n\nAttackers can replace the `RdrCEF.exe` executable with their own to maintain their access, which will be launched whenever Adobe Acrobat Reader is executed.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n",
+ "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and\n file.path : (\"?:\\\\Program Files (x86)\\\\Adobe\\\\Acrobat Reader DC\\\\Reader\\\\AcroCEF\\\\RdrCEF.exe\",\n \"?:\\\\Program Files\\\\Adobe\\\\Acrobat Reader DC\\\\Reader\\\\AcroCEF\\\\RdrCEF.exe\") and\n not process.name : \"msiexec.exe\"\n",
+ "references": [
+ "https://twitter.com/pabraeken/status/997997818362155008"
+ ],
+ "related_integrations": [
+ {
+ "package": "endpoint",
+ "version": "^8.2.0"
+ },
+ {
+ "package": "windows",
+ "version": "^1.5.0"
+ },
+ {
+ "package": "sentinel_one_cloud_funnel",
+ "version": "^1.0.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "file.path",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "host.os.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.name",
+ "type": "keyword"
+ }
+ ],
+ "risk_score": 21,
+ "rule_id": "2bf78aa2-9c56-48de-b139-f169bf99cf86",
+ "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
+ "severity": "low",
+ "tags": [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use 
Case: Threat Detection",
+ "Tactic: Persistence",
+ "Resources: Investigation Guide",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+ "Data Source: Sysmon",
+ "Data Source: SentinelOne"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0003",
+ "name": "Persistence",
+ "reference": "https://attack.mitre.org/tactics/TA0003/"
+ },
+ "technique": [
+ {
+ "id": "T1574",
+ "name": "Hijack Execution Flow",
+ "reference": "https://attack.mitre.org/techniques/T1574/",
+ "subtechnique": [
+ {
+ "id": "T1574.010",
+ "name": "Services File Permissions Weakness",
+ "reference": "https://attack.mitre.org/techniques/T1574/010/"
+ }
+ ]
+ },
+ {
+ "id": "T1554",
+ "name": "Compromise Host Software Binary",
+ "reference": "https://attack.mitre.org/techniques/T1554/"
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "eql",
+ "version": 313
+ },
+ "id": "2bf78aa2-9c56-48de-b139-f169bf99cf86_313",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/30fbf4db-c502-4e68-a239-2e99af0f70da_1.json b/packages/security_detection_engine/kibana/security_rule/30fbf4db-c502-4e68-a239-2e99af0f70da_1.json
new file mode 100644
index 00000000000..bcf06e6857c
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/30fbf4db-c502-4e68-a239-2e99af0f70da_1.json
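Review bot: The last investigation step in the `note` of 2bf78aa2 tells the analyst to look for 4624 logons "after the registry modification", but this is a file-creation rule on the `RdrCEF.exe` paths and touches no registry key, so the step should read `...to the target host after the file was written.` The `description` is also awkward ("launched by Adobe on launch"); `Detects the creation of an executable at the Acrobat Reader RdrCEF.exe path, which Adobe Acrobat Reader launches automatically on start.` says what the query actually matches. The rule carries no `false_positives` list even though the note invites B-TP exceptions; a line naming the expected legitimate writer of that path (the query excludes only `msiexec.exe`) would help tuning.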
@@ -0,0 +1,96 @@
+{
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "An adversary with access to a set of compromised credentials may attempt to verify that the credentials are valid and determine what account they are using. This rule looks for the first time an identity has called the STS `GetCallerIdentity` API operation in the last 15 days, which may be an indicator of compromised credentials. A legitimate user would not need to call this operation as they should know the account they are using.",
+ "false_positives": [
+ "Verify whether the user identity should be using the STS `GetCallerIdentity` API operation. If known behavior is causing false positives, it can be exempted from the rule."
+ ],
+ "from": "now-60m",
+ "history_window_start": "now-10d",
+ "index": [
+ "filebeat-*",
+ "logs-aws.cloudtrail-*"
+ ],
+ "interval": "10m",
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "name": "AWS STS GetCallerIdentity API Called for the First Time",
+ "new_terms_fields": [
+ "aws.cloudtrail.user_identity.arn"
+ ],
+ "note": "## Triage and analysis\n\n### Investigating AWS GetCallerIdentity API Called for the First Time\n\nAWS Security Token Service (AWS STS) is a service that enables you to request temporary, limited-privilege credentials for users.\nThe `GetCallerIdentity` function returns details about the IAM user or role owning the credentials used to call the operation. \nNo permissions are required to run this operation and the same information is returned even when access is denied.\nThis rule looks for use of the `GetCallerIdentity` operation. 
This is a [New Terms](https://www.elastic.co/guide/en/security/master/rules-ui-create.html#create-new-terms-rule) rule indicating this is the first time a specific user identity has called this operation within the last 15 days.\n\n#### Possible investigation steps\n\n- Identify the account and its role in the environment, a role belonging to a service like Lambda or an EC2 instance would be highly suspicious.\n- Identify the applications or users that should use this account.\n- Investigate other alerts associated with the account during the past 48 hours.\n- Investigate abnormal values in the `user_agent.original` field by comparing them with the intended and authorized usage and historical data. Suspicious user agent values include non-SDK, AWS CLI, custom user agents, etc.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences involving other users.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the calling user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- Review IAM permission policies for the user identity.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- False positives may occur due to the intended usage of the service. Tuning is needed in order to have higher confidence. 
Consider adding exceptions \u2014 preferably with a combination of user agent and IP address conditions.\n- Automation workflows that rely on the results from this API request may also generate false-positives. We recommend adding exceptions related to the `user.name` or `aws.cloudtrail.user_identity.arn` values to ignore these.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Rotate secrets or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n",
+ "query": "event.dataset:\"aws.cloudtrail\" and event.provider:\"sts.amazonaws.com\" and event.action:\"GetCallerIdentity\"\n",
+ "references": [
+ "https://docs.aws.amazon.com/STS/latest/APIReference/API_GetCallerIdentity.html",
+ "https://www.secureworks.com/research/detecting-the-use-of-stolen-aws-lambda-credentials",
+ "https://detectioninthe.cloud/ttps/discovery/get_caller_identity/"
+ ],
+ "related_integrations": [
+ {
+ "integration": "cloudtrail",
+ "package": "aws",
+ "version": "^2.0.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.action",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.dataset",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.provider",
+ "type": "keyword"
+ }
+ ],
+ "risk_score": 47,
+ "rule_id": "30fbf4db-c502-4e68-a239-2e99af0f70da",
+ "severity": "medium",
+ "tags": [
+ "Domain: Cloud",
+ "Data Source: AWS",
+ "Data Source: Amazon Web Services",
+ "Data Source: AWS STS",
+ "Use Case: Identity and Access Audit",
+ "Tactic: Discovery",
+ "Resources: Investigation Guide"
+ ],
+ 
"threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0007",
+ "name": "Discovery",
+ "reference": "https://attack.mitre.org/tactics/TA0007/"
+ },
+ "technique": [
+ {
+ "id": "T1087",
+ "name": "Account Discovery",
+ "reference": "https://attack.mitre.org/techniques/T1087/",
+ "subtechnique": [
+ {
+ "id": "T1087.004",
+ "name": "Cloud Account",
+ "reference": "https://attack.mitre.org/techniques/T1087/004/"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "new_terms",
+ "version": 1
+ },
+ "id": "30fbf4db-c502-4e68-a239-2e99af0f70da_1",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/3115bd2c-0baa-4df0-80ea-45e474b5ef93_102.json b/packages/security_detection_engine/kibana/security_rule/3115bd2c-0baa-4df0-80ea-45e474b5ef93_102.json
new file mode 100644
index 00000000000..b1e9e077e1a
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/3115bd2c-0baa-4df0-80ea-45e474b5ef93_102.json
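Review bot: `"history_window_start": "now-10d"` disagrees with the rule's own `description` and `note`, which both say the alert fires the first time an identity has called the operation "in the last 15 days"; with a 10-day window an ARN last seen 11 days ago re-triggers, which is not what an analyst reading the text expects. Either the window should be `"history_window_start": "now-15d"` or the two sentences should say 10 days, and the same wording should then be kept in the `false_positives` entry. Tuning guidance in the note keys on `user.name` and `aws.cloudtrail.user_identity.arn`; the rule's `new_terms_fields` is only the ARN, so exceptions on `user.name` suppress alerts without changing which identities count as new, which is worth a sentence there.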
@@ -0,0 +1,57 @@
+{
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Detects events that have a mismatch on the expected event agent ID. The status \"agent_id_mismatch/mismatch\" occurs when the expected agent ID associated with the API key does not match the actual agent ID in an event. This could indicate attempts to spoof events in order to masquerade actual activity to evade detection.",
+ "false_positives": [
+ "This is meant to run only on datasources using Elastic Agent 7.14+ since versions prior to that will be missing the necessary field, resulting in false positives."
+ ],
+ "from": "now-9m",
+ "index": [
+ "logs-*",
+ "metrics-*",
+ "traces-*"
+ ],
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "name": "Agent Spoofing - Mismatched Agent ID",
+ "query": "event.agent_id_status:(agent_id_mismatch or mismatch)\n",
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.agent_id_status",
+ "type": "keyword"
+ }
+ ],
+ "risk_score": 73,
+ "rule_id": "3115bd2c-0baa-4df0-80ea-45e474b5ef93",
+ "severity": "high",
+ "tags": [
+ "Use Case: Threat Detection",
+ "Tactic: Defense Evasion"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0005",
+ "name": "Defense Evasion",
+ "reference": "https://attack.mitre.org/tactics/TA0005/"
+ },
+ "technique": [
+ {
+ "id": "T1036",
+ "name": "Masquerading",
+ "reference": "https://attack.mitre.org/techniques/T1036/"
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "query",
+ "version": 102
+ },
+ "id": "3115bd2c-0baa-4df0-80ea-45e474b5ef93_102",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/32f4675e-6c49-4ace-80f9-97c9259dca2e_313.json b/packages/security_detection_engine/kibana/security_rule/32f4675e-6c49-4ace-80f9-97c9259dca2e_313.json
new file mode 100644
index 00000000000..f7d813b5f7b
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/32f4675e-6c49-4ace-80f9-97c9259dca2e_313.json 
@@ -0,0 +1,149 @@
+{
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Identifies suspicious child processes of Microsoft Outlook. These child processes are often associated with spear phishing activity.",
+ "from": "now-9m",
+ "index": [
+ "winlogbeat-*",
+ "logs-endpoint.events.process-*",
+ "logs-windows.*",
+ "endgame-*",
+ "logs-system.security*",
+ "logs-sentinel_one_cloud_funnel.*"
+ ],
+ "language": "eql",
+ "license": "Elastic License v2",
+ "name": "Suspicious MS Outlook Child Process",
+ "note": "## Triage and analysis\n\n### Investigating Suspicious MS Outlook Child Process\n\nMicrosoft Outlook is an email client that provides contact, email calendar, and task management features. Outlook is widely used, either standalone or as part of the Office suite.\n\nThis rule looks for suspicious processes spawned by MS Outlook, which can be the result of the execution of malicious documents and/or exploitation for initial access.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Retrieve recently opened files received via email and opened by the user that could cause this behavior. 
Common locations include but are not limited to, the Downloads and Document folders and the folder configured at the email client.\n- Determine if the collected files are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n - If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n",
+ "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"outlook.exe\" and\n process.name : (\"Microsoft.Workflow.Compiler.exe\", \"arp.exe\", \"atbroker.exe\", \"bginfo.exe\", \"bitsadmin.exe\",\n \"cdb.exe\", \"certutil.exe\", \"cmd.exe\", \"cmstp.exe\", \"cscript.exe\", \"csi.exe\", \"dnx.exe\", \"dsget.exe\",\n \"dsquery.exe\", \"forfiles.exe\", \"fsi.exe\", \"ftp.exe\", \"gpresult.exe\", \"hostname.exe\", \"ieexec.exe\",\n \"iexpress.exe\", \"installutil.exe\", \"ipconfig.exe\", \"mshta.exe\", \"msxsl.exe\", \"nbtstat.exe\", \"net.exe\",\n \"net1.exe\", \"netsh.exe\", \"netstat.exe\", \"nltest.exe\", \"odbcconf.exe\", \"ping.exe\", \"powershell.exe\",\n \"pwsh.exe\", \"qprocess.exe\", \"quser.exe\", \"qwinsta.exe\", \"rcsi.exe\", \"reg.exe\", \"regasm.exe\",\n \"regsvcs.exe\", \"regsvr32.exe\", \"sc.exe\", \"schtasks.exe\", \"systeminfo.exe\", \"tasklist.exe\",\n \"tracert.exe\", \"whoami.exe\", \"wmic.exe\", \"wscript.exe\", \"xwizard.exe\")\n",
+ "related_integrations": [
+ {
+ "package": "endpoint",
+ "version": "^8.2.0"
+ },
+ {
+ "package": "windows",
+ "version": "^1.5.0"
+ },
+ {
+ "package": "system",
+ "version": "^1.6.4"
+ },
+ {
+ "package": "sentinel_one_cloud_funnel",
+ "version": "^1.0.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.type",
+ "type": 
"keyword"
+ },
+ {
+ "ecs": true,
+ "name": "host.os.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.name",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.parent.name",
+ "type": "keyword"
+ }
+ ],
+ "risk_score": 21,
+ "rule_id": "32f4675e-6c49-4ace-80f9-97c9259dca2e",
+ "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
+ "severity": "low",
+ "tags": [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Initial Access",
+ "Tactic: Defense Evasion",
+ "Tactic: Execution",
+ "Resources: Investigation Guide",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+ "Data Source: SentinelOne"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0001",
+ "name": "Initial Access",
+ "reference": "https://attack.mitre.org/tactics/TA0001/"
+ },
+ "technique": [
+ {
+ "id": "T1566",
+ "name": "Phishing",
+ "reference": "https://attack.mitre.org/techniques/T1566/",
+ "subtechnique": [
+ {
+ "id": "T1566.001",
+ "name": "Spearphishing Attachment",
+ "reference": "https://attack.mitre.org/techniques/T1566/001/"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0002",
+ "name": "Execution",
+ "reference": "https://attack.mitre.org/tactics/TA0002/"
+ },
+ "technique": [
+ {
+ "id": "T1059",
+ "name": "Command and Scripting Interpreter",
+ "reference": "https://attack.mitre.org/techniques/T1059/",
+ "subtechnique": [
+ {
+ "id": "T1059.001",
+ "name": "PowerShell",
+ "reference": 
"https://attack.mitre.org/techniques/T1059/001/"
+ },
+ {
+ "id": "T1059.003",
+ "name": "Windows Command Shell",
+ "reference": "https://attack.mitre.org/techniques/T1059/003/"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0005",
+ "name": "Defense Evasion",
+ "reference": "https://attack.mitre.org/tactics/TA0005/"
+ },
+ "technique": [
+ {
+ "id": "T1218",
+ "name": "System Binary Proxy Execution",
+ "reference": "https://attack.mitre.org/techniques/T1218/"
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "eql",
+ "version": 313
+ },
+ "id": "32f4675e-6c49-4ace-80f9-97c9259dca2e_313",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/3535c8bb-3bd5-40f4-ae32-b7cd589d5372_312.json b/packages/security_detection_engine/kibana/security_rule/3535c8bb-3bd5-40f4-ae32-b7cd589d5372_312.json
new file mode 100644
index 00000000000..de7776e4c44
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/3535c8bb-3bd5-40f4-ae32-b7cd589d5372_312.json
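Review bot: 32f4675e ships with no `false_positives` entry, while its `note` says "Benign true positives (B-TPs) can be added as exceptions if necessary"; for a `process.name` list this long, tuning guidance is the thing an analyst needs most, so a `false_positives` line such as `"Legitimate add-ins or helpdesk scripts launched from Outlook may spawn some of these interpreters; add exceptions scoped to the specific process and command line rather than removing the name from the list."` is worth adding. The same gap exists in 2bf78aa2 in this commit. The description's "often associated with spear phishing activity" reads better as "commonly observed after a malicious attachment or link is opened from Outlook", which also matches the T1566.001 mapping the rule declares.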
@@ -0,0 +1,103 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the creation of a new port forwarding rule. An adversary may abuse this technique to bypass network segmentation restrictions.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.registry-*", + "logs-windows.sysmon_operational-*", + "endgame-*", + "logs-sentinel_one_cloud_funnel.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Port Forwarding Rule Addition", + "note": "## Triage and analysis\n\n### Investigating Port Forwarding Rule Addition\n\nNetwork port forwarding is a mechanism to redirect incoming TCP connections (IPv4 or IPv6) from the local TCP port to any other port number, or even to a port on a remote computer.\n\nAttackers may configure port forwarding rules to bypass network segmentation restrictions, using the host as a jump box to access previously unreachable systems.\n\nThis rule monitors the modifications to the `HKLM\\SYSTEM\\*ControlSet*\\Services\\PortProxy\\v4tov4\\` subkeys.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account and system owners and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Identify the target host IP address, check the connections originating from the host where the modification occurred, and inspect the credentials used.\n - Investigate suspicious login activity, such as unauthorized access and logins from outside working hours and unusual locations.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Analysts can dismiss the alert if the Administrator is aware of the activity and there are justifications for this configuration.\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Delete the port forwarding rule.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "registry where host.os.type == \"windows\" and registry.path : (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\PortProxy\\\\v4tov4\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\PortProxy\\\\v4tov4\\\\*\",\n \"MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\PortProxy\\\\v4tov4\\\\*\"\n)\n", + "references": [ + "https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + }, + { + "package": "sentinel_one_cloud_funnel", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "3535c8bb-3bd5-40f4-ae32-b7cd589d5372", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Command and Control", + "Tactic: Defense Evasion", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Data Source: SentinelOne" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1572", + "name": "Protocol Tunneling", + "reference": "https://attack.mitre.org/techniques/T1572/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1112", + "name": "Modify Registry", + "reference": "https://attack.mitre.org/techniques/T1112/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 312 + }, + "id": "3535c8bb-3bd5-40f4-ae32-b7cd589d5372_312", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3b47900d-e793-49e8-968f-c90dc3526aa1_312.json b/packages/security_detection_engine/kibana/security_rule/3b47900d-e793-49e8-968f-c90dc3526aa1_312.json new file mode 100644 index 00000000000..71ecc95c8a2 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/3b47900d-e793-49e8-968f-c90dc3526aa1_312.json 
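Review bot: The `query` only watches the `PortProxy\\v4tov4\\` subkey, while the rule's own `note` says port forwarding covers "IPv4 or IPv6"; the other portproxy address families (netsh's v4tov6, v6tov4 and v6tov6 contexts, worth confirming against an endpoint) write to sibling subkeys and would not trigger this rule. Replacing `v4tov4` with a wildcard in the three path patterns, e.g. `"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\PortProxy\\\\*\\\\*"`, closes the gap without changing `required_fields`. If the narrower scope is intentional, the sentence "This rule monitors the modifications to the ... v4tov4 subkeys" in the note should say so explicitly so analysts do not assume IPv6 coverage.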
@@ -0,0 +1,97 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a suspicious parent child process relationship with cmd.exe descending from an unusual process.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.sysmon_operational-*", + "endgame-*", + "logs-sentinel_one_cloud_funnel.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Unusual Parent Process for cmd.exe", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"cmd.exe\" and\n process.parent.name : (\"lsass.exe\",\n \"csrss.exe\",\n \"epad.exe\",\n \"regsvr32.exe\",\n \"dllhost.exe\",\n \"LogonUI.exe\",\n \"wermgr.exe\",\n \"spoolsv.exe\",\n \"jucheck.exe\",\n \"jusched.exe\",\n \"ctfmon.exe\",\n \"taskhostw.exe\",\n \"GoogleUpdate.exe\",\n \"sppsvc.exe\",\n \"sihost.exe\",\n \"slui.exe\",\n \"SIHClient.exe\",\n \"SearchIndexer.exe\",\n \"SearchProtocolHost.exe\",\n \"FlashPlayerUpdateService.exe\",\n \"WerFault.exe\",\n \"WUDFHost.exe\",\n \"unsecapp.exe\",\n \"wlanext.exe\" ) and\n not (process.parent.name : \"dllhost.exe\" and process.parent.args : \"/Processid:{CA8C87C1-929D-45BA-94DB-EF8E6CB346AD}\")\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + }, + { + "package": "sentinel_one_cloud_funnel", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "3b47900d-e793-49e8-968f-c90dc3526aa1", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent 
index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Data Source: SentinelOne" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 312 + }, + "id": "3b47900d-e793-49e8-968f-c90dc3526aa1_312", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/4182e486-fc61-11ee-a05d-f661ea17fbce_1.json b/packages/security_detection_engine/kibana/security_rule/4182e486-fc61-11ee-a05d-f661ea17fbce_1.json new file mode 100644 index 00000000000..3d442fe2094 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/4182e486-fc61-11ee-a05d-f661ea17fbce_1.json 
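Review bot: This rule ships without a `note` investigation guide and without the `Resources: Investigation Guide` tag, unlike the other medium-severity rules added in this commit (e.g. 3535c8bb-… on this page), so an analyst has no triage or false-positive guidance for the long parent list or for the `dllhost.exe` `/Processid:{CA8C87C1-…}` exclusion, whose purpose is not stated anywhere. A short "Triage and analysis" section explaining why that COM surrogate is excluded and what to check on the parent process would bring it in line with its siblings. Adding `"Resources: Investigation Guide"` to `tags` should accompany the note.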
@@ -0,0 +1,55 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies AWS EC2 EBS snaphots being shared with another AWS account. EBS virtual disks can be copied into snapshots, which can then be shared with an external AWS account or made public. Adversaries may attempt this in order to copy the snapshot into an environment they control, to access the data.", + "false_positives": [ + "AMI sharing is a common practice in AWS environments. Ensure that the sharing is authorized before taking action." + ], + "from": "now-9m", + "language": "esql", + "license": "Elastic License v2", + "name": "AWS EC2 EBS Snapshot Shared with Another Account", + "note": "\n## Triage and Analysis\n\n### Investigating AWS EC2 EBS Snapshot Shared with Another Account\n\nThis rule detects when an AWS EC2 EBS snapshot is shared with another AWS account. EBS virtual disks can be copied into snapshots, which can then be shared with an external AWS account or made public. Adversaries may attempt this to copy the snapshot into an environment they control to access the data. Understanding the context and legitimacy of such changes is crucial to determine if the action is benign or malicious.\n\n#### Possible Investigation Steps:\n\n- **Identify the Actor**: Review the `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.access_key_id` fields to identify who made the change. Verify if this actor typically performs such actions and if they have the necessary permissions.\n- **Review the Request Details**: Examine the `aws.cloudtrail.request_parameters` to understand the specific changes made to the snapshot permissions. Look for any unusual parameters that could suggest unauthorized or malicious modifications.\n- **Analyze the Source of the Request**: Investigate the `source.ip` and `source.geo` fields to determine the geographical origin of the request. 
An external or unexpected location might indicate compromised credentials or unauthorized access.\n- **Contextualize with Timestamp**: Use the `@timestamp` field to check when the change occurred. Modifications during non-business hours or outside regular maintenance windows might require further scrutiny.\n- **Correlate with Other Activities**: Search for related CloudTrail events before and after this change to see if the same actor or IP address engaged in other potentially suspicious activities.\n\n### False Positive Analysis:\n\n- **Legitimate Administrative Actions**: Confirm if the snapshot sharing aligns with scheduled updates, development activities, or legitimate administrative tasks documented in change management systems.\n- **Consistency Check**: Compare the action against historical data of similar actions performed by the user or within the organization. If the action is consistent with past legitimate activities, it might indicate a false alarm.\n- **Verify through Outcomes**: Check the `aws.cloudtrail.response_elements` and the `event.outcome` to confirm if the change was successful and intended according to policy.\n\n### Response and Remediation:\n\n- **Immediate Review and Reversal if Necessary**: If the change was unauthorized, update the snapshot permissions to remove any unauthorized accounts and restore it to its previous state.\n- **Enhance Monitoring and Alerts**: Adjust monitoring systems to alert on similar actions, especially those involving sensitive data or permissions.\n- **Educate and Train**: Provide additional training to users with administrative rights on the importance of security best practices concerning snapshot management and sharing permissions.\n- **Audit Snapshots and Policies**: Conduct a comprehensive audit of all snapshots and associated policies to ensure they adhere to the principle of least privilege.\n- **Incident Response**: If there's an indication of malicious intent or a security breach, initiate the incident 
response protocol to mitigate any damage and prevent future occurrences.\n\n### Additional Information:\n\nFor further guidance on managing EBS snapshots and securing AWS environments, refer to the [AWS EBS documentation](https://docs.aws.amazon.com/ebs/latest/userguide/ebs-modifying-snapshot-permissions.html) and AWS best practices for security. Additionally, consult the following resources for specific details on EBS snapshot security:\n- [AWS EBS Snapshot Permissions](https://docs.aws.amazon.com/ebs/latest/userguide/ebs-modifying-snapshot-permissions.html)\n- [AWS API ModifySnapshotAttribute](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifySnapshotAttribute.html)\n- [AWS EBS Snapshot Dump](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/aws-ebs-snapshot-dump)\n", + "query": "from logs-aws.cloudtrail-*\n| where event.provider == \"ec2.amazonaws.com\" and event.action == \"ModifySnapshotAttribute\" and event.outcome == \"success\"\n| dissect aws.cloudtrail.request_parameters \"{%{?snapshotId}=%{snapshotId},%{?attributeType}=%{attributeType},%{?createVolumePermission}={%{operationType}={%{?items}=[{%{?userId}=%{userId}}]}}}\"\n| where operationType == \"add\" and cloud.account.id != userId\n| keep @timestamp, aws.cloudtrail.user_identity.arn, cloud.account.id, event.action, snapshotId, attributeType, operationType, userId\n", + "references": [ + "https://docs.aws.amazon.com/ebs/latest/userguide/ebs-modifying-snapshot-permissions.html", + "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifySnapshotAttribute.html", + "https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/aws-ebs-snapshot-dump" + ], + "risk_score": 21, + "rule_id": "4182e486-fc61-11ee-a05d-f661ea17fbce", + "severity": "low", + "tags": [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Data Source: 
AWS EC2", + "Use Case: Threat Detection", + "Tactic: Exfiltration" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0010", + "name": "Exfiltration", + "reference": "https://attack.mitre.org/tactics/TA0010/" + }, + "technique": [ + { + "id": "T1537", + "name": "Transfer Data to Cloud Account", + "reference": "https://attack.mitre.org/techniques/T1537/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "esql", + "version": 1 + }, + "id": "4182e486-fc61-11ee-a05d-f661ea17fbce_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/4494c14f-5ff8-4ed2-8e99-bf816a1642fc_4.json b/packages/security_detection_engine/kibana/security_rule/4494c14f-5ff8-4ed2-8e99-bf816a1642fc_4.json new file mode 100644 index 00000000000..48fcbfbdcd4 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/4494c14f-5ff8-4ed2-8e99-bf816a1642fc_4.json 
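Review bot: The `false_positives` entry talks about "AMI sharing", but the query matches `ModifySnapshotAttribute` on EBS snapshots, so the guidance does not describe the alert it accompanies; `"EBS snapshot sharing is a common practice in AWS environments. Ensure that the sharing is authorized before taking action."` would be accurate, and the `description` also misspells `snaphots`. Separately, the dissect pattern `...%{?items}=[{%{?userId}=%{userId}}]}}}` binds exactly one `userId` item, so a request that adds several accounts in one call, or one that makes the snapshot public via a group rather than a user id (the description claims "or made public" is covered), presumably fails to dissect and is dropped silently before the `where operationType == "add"` line. That should be confirmed against real `aws.cloudtrail.request_parameters` samples and either documented as a limitation in `note` or handled with a wider pattern.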
@@ -0,0 +1,111 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "building_block_type": "default", + "description": "Identifies instances of VLC-related DLLs which are not signed by the original developer. Attackers may name their payload as legitimate applications to blend into the environment, or embedding its malicious code within legitimate applications to deceive machine learning algorithms by incorporating authentic and benign code.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.library-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Masquerading as VLC DLL", + "query": "library where host.os.type == \"windows\" and event.action == \"load\" and\n dll.name : (\"libvlc.dll\", \"libvlccore.dll\", \"axvlc.dll\") and\n not (\n dll.code_signature.subject_name : (\"VideoLAN\", \"716F2E5E-A03A-486B-BC67-9B18474B9D51\")\n and dll.code_signature.trusted == true\n )\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "dll.code_signature.subject_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "dll.code_signature.trusted", + "type": "boolean" + }, + { + "ecs": true, + "name": "dll.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "4494c14f-5ff8-4ed2-8e99-bf816a1642fc", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "Data Source: Elastic Defend", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Persistence", + "Rule Type: BBR" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1036", + "name": "Masquerading", + "reference": 
"https://attack.mitre.org/techniques/T1036/", + "subtechnique": [ + { + "id": "T1036.001", + "name": "Invalid Code Signature", + "reference": "https://attack.mitre.org/techniques/T1036/001/" + }, + { + "id": "T1036.005", + "name": "Match Legitimate Name or Location", + "reference": "https://attack.mitre.org/techniques/T1036/005/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1554", + "name": "Compromise Host Software Binary", + "reference": "https://attack.mitre.org/techniques/T1554/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 4 + }, + "id": "4494c14f-5ff8-4ed2-8e99-bf816a1642fc_4", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/4ec47004-b34a-42e6-8003-376a123ea447_10.json b/packages/security_detection_engine/kibana/security_rule/4ec47004-b34a-42e6-8003-376a123ea447_10.json new file mode 100644 index 00000000000..b1d6f1406b6 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/4ec47004-b34a-42e6-8003-376a123ea447_10.json 
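Review bot: The `description` is not grammatical in its second clause ("Attackers may name their payload as legitimate applications ..., or embedding its malicious code within legitimate applications"); `or embed their malicious code within legitimate applications` reads correctly. The `not (... subject_name : (...) and ... trusted == true)` shape means the rule also fires when the signature fields are simply absent, which is the intent for unsigned copies but will include unsigned third-party VLC builds; a `false_positives` entry saying so, and a word on where the GUID subject name `716F2E5E-A03A-486B-BC67-9B18474B9D51` comes from, would help tuning since neither is explained in the rule.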
@@ -0,0 +1,109 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Message of the day (MOTD) is the message that is presented to the user when a user connects to a Linux server via SSH or a serial connection. Linux systems contain several default MOTD files located in the \"/etc/update-motd.d/\" directory. These scripts run as the root user every time a user connects over SSH or a serial connection. Adversaries may create malicious MOTD files that grant them persistence onto the target every time a user connects to the system by executing a backdoor script or command. This rule detects the execution of potentially malicious processes through the MOTD utility.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.process*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Process Spawned from Message-of-the-Day (MOTD)", + "note": "## Triage and analysis\n\n### Investigating Process Spawned from Message-of-the-Day (MOTD)\n\nThe message-of-the-day (MOTD) is used to display a customizable system-wide message or information to users upon login in Linux.\n\nAttackers can abuse message-of-the-day (motd) files to run scripts, commands or malicious software every time a user connects to a system over SSH or a serial connection, by creating a new file within the `/etc/update-motd.d/` directory. Files in these directories will automatically run with root privileges when they are made executable.\n\nThis rule identifies the execution of potentially malicious processes from a MOTD script, which is not likely to occur as default benign behavior. \n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible Investigation Steps\n\n- Investigate the file that was created or modified from which the suspicious process was executed.\n - !{osquery{\"label\":\"Osquery - Retrieve File Information\",\"query\":\"SELECT * FROM file WHERE path = {{file.path}}\"}}\n- Investigate whether any other files in the `/etc/update-motd.d/` directory have been altered.\n - !{osquery{\"label\":\"Osquery - Retrieve File Listing Information\",\"query\":\"SELECT * FROM file WHERE path LIKE '/etc/update-motd.d/%'\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Additional File Listing Information\",\"query\":\"SELECT f.path, u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS\\nfile_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS\\nfile_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM file f LEFT\\nJOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE path LIKE '/etc/update-motd.d/%'\\n\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. \n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services, and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n\n### Related Rules\n\n- Message-of-the-Day (MOTD) File Creation - 96d11d31-9a79-480f-8401-da28b194608f\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the MOTD files or restore them to the original configuration.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "process where event.type == \"start\" and host.os.type == \"linux\" and event.action : (\"exec\", \"exec_event\") and\n process.parent.executable : \"/etc/update-motd.d/*\" and (\n (process.name in (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\") and (\n (process.args : (\"-i\", \"-l\")) or (process.parent.name == \"socat\" and process.parent.args : \"*exec*\"))) or\n (process.name : (\"nc\", \"ncat\", \"netcat\", \"nc.openbsd\") and process.args_count >= 3 and \n not process.args : (\"-*z*\", \"-*l*\")) or\n (process.name : \"python*\" and process.args : \"-c\" and process.args : (\n \"*import*pty*spawn*\", \"*import*subprocess*call*\"\n )) or\n (process.name : \"perl*\" and process.args : \"-e\" and process.args : \"*socket*\" and process.args : (\n \"*exec*\", \"*system*\"\n )) or\n (process.name : \"ruby*\" and process.args : (\"-e\", \"-rsocket\") and process.args : (\n \"*TCPSocket.new*\", \"*TCPSocket.open*\"\n )) or\n (process.name : \"lua*\" and process.args : \"-e\" and process.args : \"*socket.tcp*\" and process.args : (\n \"*io.popen*\", \"*os.execute*\"\n )) or\n (process.name : \"php*\" and process.args : \"-r\" and process.args : \"*fsockopen*\" and process.args : \"*/bin/*sh*\") or \n (process.name : (\"awk\", \"gawk\", \"mawk\", \"nawk\") and process.args : \"*/inet/tcp/*\") or \n (process.name in (\"openssl\", \"telnet\")) or\n (process.args : (\n \"./*\", \"/boot/*\", \"/dev/shm/*\", \"/etc/cron.*/*\", \"/etc/init.d/*\", \"/etc/update-motd.d/*\", \"/run/*\", \"/srv/*\",\n \"/tmp/*\", \"/var/tmp/*\", \"/var/log/*\", \"/opt/*\"\n ) and process.args_count == 
1\n )\n) and \nnot (\n process.parent.args == \"--force\" or\n process.args in (\"/usr/games/lolcat\", \"/usr/bin/screenfetch\") or\n process.parent.name == \"system-crash-notification\"\n)\n", + "references": [ + "https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#10-boot-or-logon-initialization-scripts-motd" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args_count", + "type": "long" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "4ec47004-b34a-42e6-8003-376a123ea447", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Endgame", + "Resources: Investigation Guide", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1037", + "name": "Boot or Logon Initialization Scripts", + "reference": "https://attack.mitre.org/techniques/T1037/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 10 + }, + "id": "4ec47004-b34a-42e6-8003-376a123ea447_10", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/513f0ffd-b317-4b9c-9494-92ce861f22c7_310.json b/packages/security_detection_engine/kibana/security_rule/513f0ffd-b317-4b9c-9494-92ce861f22c7_310.json new file mode 100644 index 00000000000..979a784345d --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/513f0ffd-b317-4b9c-9494-92ce861f22c7_310.json 
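Review bot: The `index` pattern `logs-endpoint.events.process*` lacks the hyphen that every other endpoint pattern in this commit uses (`logs-endpoint.events.process-*` on 3b47900d-…), so in principle it also matches any data stream whose name merely starts with that prefix; aligning it to `"logs-endpoint.events.process*"` → `"logs-endpoint.events.process-*"` keeps the scope consistent. In `setup`, the agent-policy helper link is pinned to `fleet/8.10/agent-policy.html` while the neighbouring links use `current`, so it will go stale. The `endgame-*` index and `Data Source: Elastic Endgame` tag are present, but the setup text covers only Elastic Defend; either a sentence on Endgame data or dropping the tag would make the documentation match the indices.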
@@ -0,0 +1,112 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects attempts to maintain persistence by creating registry keys using AppCert DLLs. AppCert DLLs are loaded by every process using the common API functions to create processes.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.registry-*", + "logs-windows.sysmon_operational-*", + "endgame-*", + "logs-sentinel_one_cloud_funnel.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Registry Persistence via AppCert DLL", + "query": "registry where host.os.type == \"windows\" and\n/* uncomment once stable length(bytes_written_string) > 0 and */\n registry.path : (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Session Manager\\\\AppCertDLLs\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Session Manager\\\\AppCertDLLs\\\\*\",\n \"MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Session Manager\\\\AppCertDLLs\\\\*\"\n )\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + }, + { + "package": "sentinel_one_cloud_funnel", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "513f0ffd-b317-4b9c-9494-92ce861f22c7", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + 
"Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Privilege Escalation", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Data Source: SentinelOne" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1546", + "name": "Event Triggered Execution", + "reference": "https://attack.mitre.org/techniques/T1546/", + "subtechnique": [ + { + "id": "T1546.009", + "name": "AppCert DLLs", + "reference": "https://attack.mitre.org/techniques/T1546/009/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1546", + "name": "Event Triggered Execution", + "reference": "https://attack.mitre.org/techniques/T1546/", + "subtechnique": [ + { + "id": "T1546.009", + "name": "AppCert DLLs", + "reference": "https://attack.mitre.org/techniques/T1546/009/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 310 + }, + "id": "513f0ffd-b317-4b9c-9494-92ce861f22c7_310", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5397080f-34e5-449b-8e9c-4c8083d7ccc6_6.json b/packages/security_detection_engine/kibana/security_rule/5397080f-34e5-449b-8e9c-4c8083d7ccc6_6.json new file mode 100644 index 00000000000..e9371d6a7b1 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/5397080f-34e5-449b-8e9c-4c8083d7ccc6_6.json 
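Review bot: The `query` constrains only `host.os.type` and `registry.path`, so with no `event.type`/`event.action` clause it fires on every registry event kind under `AppCertDLLs`, including value deletions from sources that report them (Sysmon does), not just the value write that establishes the persistence. If cleanup-by-deletion is meant to alert, say so in `description`; otherwise narrow the rule with `event.type in ("creation", "change")`. The commented-out `/* uncomment once stable length(bytes_written_string) > 0 and */` placeholder has survived to version 310 of this rule and should either be removed or turned into a tracked TODO naming the field it waits on.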
@@ -0,0 +1,85 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "A statistical model has identified command-and-control (C2) beaconing activity. Beaconing can help attackers maintain stealthy communication with their C2 servers, receive instructions and payloads, exfiltrate data and maintain persistence in a network.", + "from": "now-1h", + "index": [ + "ml_beaconing.all" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Statistical Model Detected C2 Beaconing Activity", + "query": "beacon_stats.is_beaconing: true and\nnot process.name: (\"WaAppAgent.exe\" or \"metricbeat.exe\" or \"packetbeat.exe\" or \"WindowsAzureGuestAgent.exe\" or \"HealthService.exe\" or \"Widgets.exe\" or \"lsass.exe\" or \"msedgewebview2.exe\" or \n \"MsMpEng.exe\" or \"OUTLOOK.EXE\" or \"msteams.exe\" or \"FileSyncHelper.exe\" or \"SearchProtocolHost.exe\" or \"Creative Cloud.exe\" or \"ms-teams.exe\" or \"ms-teamsupdate.exe\" or \n \"curl.exe\" or \"rundll32.exe\" or \"MsSense.exe\" or \"wermgr.exe\" or \"java\" or \"olk.exe\" or \"iexplore.exe\" or \"NetworkManager\" or \"packetbeat\" or \"Ssms.exe\" or \"NisSrv.exe\" or \n \"gamingservices.exe\" or \"appidcertstorecheck.exe\" or \"POWERPNT.EXE\" or \"miiserver.exe\" or \"Grammarly.Desktop.exe\" or \"SnagitEditor.exe\" or \"CRWindowsClientService.exe\" or\n \"agentbeat\" or \"dnf\" or \"yum\" or \"apt\"\n )\n", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", + "https://docs.elastic.co/en/integrations/beaconing", + "https://www.elastic.co/security-labs/identifying-beaconing-malware-using-elastic" + ], + "related_integrations": [ + { + "package": "beaconing", + "version": "^1.0.0" + }, + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "network_traffic", + "version": "^1.1.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "beacon_stats.is_beaconing", + "type": "unknown" + }, + { + "ecs": true, + "name": 
"process.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "5397080f-34e5-449b-8e9c-4c8083d7ccc6", + "setup": "## Setup\n\nThe rule requires the Network Beaconing Identification integration assets to be installed, as well as network logs collected by the Elastic Defend or Network Packet Capture integrations.\n\n### Network Beaconing Identification Setup\nThe Network Beaconing Identification integration consists of a statistical framework to identify C2 beaconing activity in network logs.\n\n#### Prerequisite Requirements:\n- Fleet is required for Network Beaconing Identification.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- Network events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) or [Network Packet Capture](https://docs.elastic.co/integrations/network_traffic) integration.\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n- To add the Network Packet Capture integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide.\n\n#### The following steps should be executed to install assets associated with the Network Beaconing Identification integration:\n- Go to the Kibana homepage. 
Under Management, click Integrations.\n- In the query bar, search for Network Beaconing Identification and select the integration to see more details about it.\n- Follow the instructions under the **Installation** section.\n", + "severity": "low", + "tags": [ + "Domain: Network", + "Use Case: C2 Beaconing Detection", + "Tactic: Command and Control" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1102", + "name": "Web Service", + "reference": "https://attack.mitre.org/techniques/T1102/", + "subtechnique": [ + { + "id": "T1102.002", + "name": "Bidirectional Communication", + "reference": "https://attack.mitre.org/techniques/T1102/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 6 + }, + "id": "5397080f-34e5-449b-8e9c-4c8083d7ccc6_6", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5b9eb30f-87d6-45f4-9289-2bf2024f0376_5.json b/packages/security_detection_engine/kibana/security_rule/5b9eb30f-87d6-45f4-9289-2bf2024f0376_5.json new file mode 100644 index 00000000000..6be37c089a5 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/5b9eb30f-87d6-45f4-9289-2bf2024f0376_5.json 
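Review bot: The exclusion list in `query` is keyed on bare `process.name` and includes `rundll32.exe`, `curl.exe`, `wermgr.exe`, `java` and `msedgewebview2.exe`; rundll32.exe in particular is a well-known default spawn/host process for commodity C2 frameworks, so a beacon running under any of these names is dropped even when `beacon_stats.is_beaconing` is true, and an attacker can also simply name a binary `curl.exe` to opt out of the rule. Consider removing the high-abuse names from the list, or, where the `ml_beaconing.all` data carries them, scoping the exclusions by `process.executable` path or `process.code_signature.trusted` rather than name alone (the `required_fields` list would then need the extra fields). At minimum the `description` should state that these process names are excluded so analysts know the blind spot.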
@@ -0,0 +1,121 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "building_block_type": "default", + "description": "Identifies suspicious instances of browser processes, such as unsigned or signed with unusual certificates, that can indicate an attempt to conceal malicious activity, bypass security features such as allowlists, or trick users into executing malware.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.process-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Masquerading as Browser Process", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (\n /* Chrome Related Processes */\n (process.name : (\n \"chrome.exe\", \"GoogleUpdate.exe\", \"GoogleCrashHandler64.exe\", \"GoogleCrashHandler.exe\",\n \"GoogleUpdateComRegisterShell64.exe\", \"GoogleUpdateSetup.exe\", \"GoogleUpdateOnDemand.exe\",\n \"chrome_proxy.exe\", \"remote_assistance_host.exe\", \"remoting_native_messaging_host.exe\",\n \"GoogleUpdateBroker.exe\"\n ) and not\n (process.code_signature.subject_name : (\"Google LLC\", \"Google Inc\") and process.code_signature.trusted == true)\n and not\n (\n process.executable : (\n \"?:\\\\Program Files\\\\HP\\\\Sure Click\\\\servers\\\\chrome.exe\",\n \"?:\\\\Program Files\\\\HP\\\\Sure Click\\\\*\\\\servers\\\\chrome.exe\"\n ) and\n process.code_signature.subject_name : (\"Bromium, Inc.\") and process.code_signature.trusted == true\n ) and not\n (\n process.executable : (\n \"?:\\\\Program Files\\\\dynatrace\\\\synthetic\\\\Chrome-bin\\\\chrome.exe\"\n ) and\n process.code_signature.subject_name : (\"Dynatrace LLC\") and process.code_signature.trusted == true\n ) and\n not (\n process.executable : (\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\ms-playwright\\\\chromium-*\\\\chrome-win\\\\chrome.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Programs\\\\synthetics-recorder\\\\resources\\\\local-browsers\\\\chromium-*\\\\chrome-win\\\\chrome.exe\",\n 
\"*\\\\node_modules\\\\puppeteer\\\\.local-chromium\\\\win64-*\\\\chrome-win\\\\chrome.exe\",\n \"?:\\\\Program Files (x86)\\\\Invicti Professional Edition\\\\chromium\\\\chrome.exe\",\n \"?:\\\\Program Files\\\\End2End, Inc\\\\ARMS Html Engine\\\\chrome.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\*BurpSuitePro\\\\burpbrowser\\\\*\\\\chrome.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\*BurpSuite\\\\burpbrowser\\\\*\\\\chrome.exe\"\n ) and process.args: (\n \"--enable-features=NetworkService,NetworkServiceInProcess\",\n \"--type=crashpad-handler\", \"--enable-automation\", \"--disable-xss-auditor\"\n )\n )\n ) or\n\n /* MS Edge Related Processes */\n (process.name : (\n \"msedge.exe\", \"MicrosoftEdgeUpdate.exe\", \"identity_helper.exe\", \"msedgewebview2.exe\",\n \"MicrosoftEdgeWebview2Setup.exe\", \"MicrosoftEdge_X*.exe\", \"msedge_proxy.exe\",\n \"MicrosoftEdgeUpdateCore.exe\", \"MicrosoftEdgeUpdateBroker.exe\", \"MicrosoftEdgeUpdateSetup_X*.exe\",\n \"MicrosoftEdgeUpdateComRegisterShell64.exe\", \"msedgerecovery.exe\", \"MicrosoftEdgeUpdateSetup.exe\"\n ) and not\n (process.code_signature.subject_name : \"Microsoft Corporation\" and process.code_signature.trusted == true)\n and not\n (\n process.name : \"msedgewebview2.exe\" and\n process.code_signature.subject_name : (\"Bromium, Inc.\", \"Amazon.com Services LLC\", \"Code Systems Corporation\") and process.code_signature.trusted == true\n )\n ) or\n\n /* Brave Related Processes */\n (process.name : (\n \"brave.exe\", \"BraveUpdate.exe\", \"BraveCrashHandler64.exe\", \"BraveCrashHandler.exe\",\n \"BraveUpdateOnDemand.exe\", \"brave_vpn_helper.exe\", \"BraveUpdateSetup*.exe\",\n \"BraveUpdateComRegisterShell64.exe\"\n ) and not\n (process.code_signature.subject_name : \"Brave Software, Inc.\" and process.code_signature.trusted == true)\n ) or\n\n /* Firefox Related Processes */\n (process.name : (\n \"firefox.exe\", \"pingsender.exe\", \"default-browser-agent.exe\", \"maintenanceservice.exe\",\n 
\"plugin-container.exe\", \"maintenanceservice_tmp.exe\", \"maintenanceservice_installer.exe\",\n \"minidump-analyzer.exe\"\n ) and not\n (process.code_signature.subject_name : \"Mozilla Corporation\" and process.code_signature.trusted == true)\n and not\n (\n process.name : \"default-browser-agent.exe\" and\n process.code_signature.subject_name : (\"WATERFOX LIMITED\") and process.code_signature.trusted == true\n )\n ) or\n\n /* Island Related Processes */\n (process.name : (\n \"Island.exe\", \"IslandUpdate.exe\", \"IslandCrashHandler.exe\", \"IslandCrashHandler64.exe\",\n \"IslandUpdateBroker.exe\", \"IslandUpdateOnDemand.exe\", \"IslandUpdateComRegisterShell64.exe\",\n \"IslandUpdateSetup.exe\"\n ) and not\n (process.code_signature.subject_name : \"Island Technology Inc.\" and process.code_signature.trusted == true)\n ) or\n\n /* Opera Related Processes */\n (process.name : (\n \"opera.exe\", \"opera_*.exe\", \"browser_assistant.exe\"\n ) and not\n (process.code_signature.subject_name : (\"Opera Norway AS\", \"Opera Software AS\") and process.code_signature.trusted == true)\n ) or\n\n /* Whale Related Processes */\n (process.name : (\n \"whale.exe\", \"whale_update.exe\", \"wusvc.exe\"\n ) and not\n (process.code_signature.subject_name : \"NAVER Corp.\" and process.code_signature.trusted == true)\n ) or\n\n /* Chromium-based Browsers processes */\n (process.name : (\n \"chrmstp.exe\", \"notification_helper.exe\", \"elevation_service.exe\"\n ) and not\n (process.code_signature.subject_name : (\n \"Island Technology Inc.\",\n \"Citrix Systems, Inc.\",\n \"Brave Software, Inc.\",\n \"Google LLC\",\n \"Google Inc\",\n \"Microsoft Corporation\",\n \"NAVER Corp.\",\n \"AVG Technologies USA, LLC\",\n \"Avast Software s.r.o.\",\n \"PIRIFORM SOFTWARE LIMITED\",\n \"NortonLifeLock Inc.\",\n \"Opera Norway AS\"\n ) and process.code_signature.trusted == true\n )\n )\n )\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + 
"required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.code_signature.subject_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.code_signature.trusted", + "type": "boolean" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "5b9eb30f-87d6-45f4-9289-2bf2024f0376", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Persistence", + "Rule Type: BBR", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1036", + "name": "Masquerading", + "reference": "https://attack.mitre.org/techniques/T1036/", + "subtechnique": [ + { + "id": "T1036.001", + "name": "Invalid Code Signature", + "reference": "https://attack.mitre.org/techniques/T1036/001/" + }, + { + "id": "T1036.005", + "name": "Match Legitimate Name or Location", + "reference": "https://attack.mitre.org/techniques/T1036/005/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1554", + "name": "Compromise Host Software Binary", + "reference": "https://attack.mitre.org/techniques/T1554/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 5 + }, + "id": "5b9eb30f-87d6-45f4-9289-2bf2024f0376_5", + "type": "security-rule" +} \ No newline at end of file 
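Review bot: In the Chrome branch of `query`, the final `not (process.executable : (...) and process.args : (...))` exclusion is the only one in the rule that requires no trusted signature: an unsigned `chrome.exe` dropped under a user-writable path such as `?:\\Users\\*\\AppData\\Local\\ms-playwright\\chromium-*\\chrome-win\\chrome.exe` or any `*\\node_modules\\puppeteer\\...` path and launched with `--type=crashpad-handler` bypasses the rule entirely. That is probably the unavoidable cost of allowing unsigned test-automation Chromium builds, but the rule carries no `false_positives` or `note` text recording the carve-out. Suggest adding a `false_positives` entry describing it, and anchoring the one fully unanchored pattern to a drive root, in EQL form `"?:\\*\\node_modules\\puppeteer\\.local-chromium\\win64-*\\chrome-win\\chrome.exe"`, so UNC-hosted copies are not excluded.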
diff --git a/packages/security_detection_engine/kibana/security_rule/5cd8e1f7-0050-4afc-b2df-904e40b2f5ae_110.json b/packages/security_detection_engine/kibana/security_rule/5cd8e1f7-0050-4afc-b2df-904e40b2f5ae_110.json new file mode 100644 index 00000000000..c7c78c6c6c4 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/5cd8e1f7-0050-4afc-b2df-904e40b2f5ae_110.json 
@@ -0,0 +1,90 @@ +{ + "attributes": { + "author": [ + "Elastic", + "Skoetting" + ], + "description": "Identifies a user being added to a privileged group in Active Directory. Privileged accounts and groups in Active Directory are those to which powerful rights, privileges, and permissions are granted that allow them to perform nearly any action in Active Directory and on domain-joined systems.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-system.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "User Added to Privileged Group", + "note": "## Triage and analysis\n\n### Investigating User Added to Privileged Group in Active Directory\n\nPrivileged accounts and groups in Active Directory are those to which powerful rights, privileges, and permissions are granted that allow them to perform nearly any action in Active Directory and on domain-joined systems.\n\nAttackers can add users to privileged groups to maintain a level of access if their other privileged accounts are uncovered by the security team. 
This allows them to keep operating after the security team discovers abused accounts.\n\nThis rule monitors events related to a user being added to a privileged group.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should manage members of this group.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- This attack abuses a legitimate Active Directory mechanism, so it is important to determine whether the activity is legitimate, if the administrator is authorized to perform this operation, and if there is a need to grant the account this level of privilege.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- If the admin is not aware of the operation, activate your Active Directory incident response plan.\n- If the user does not need the administrator privileges, remove the account from the privileged group.\n- Review the privileges of the administrator account that performed the action.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "iam where winlog.api == \"wineventlog\" and event.action == \"added-member-to-group\" and\n(\n (\n group.name : (\n \"Admin*\",\n \"Local Administrators\",\n \"Domain Admins\",\n \"Enterprise Admins\",\n \"Backup Admins\",\n \"Schema Admins\",\n \"DnsAdmins\",\n \"Exchange Organization Administrators\",\n \"Print Operators\",\n \"Server Operators\",\n \"Account Operators\"\n )\n ) or\n (\n group.id : (\n \"S-1-5-32-544\",\n \"S-1-5-21-*-544\",\n \"S-1-5-21-*-512\",\n \"S-1-5-21-*-519\",\n \"S-1-5-21-*-551\",\n \"S-1-5-21-*-518\",\n 
\"S-1-5-21-*-1101\",\n \"S-1-5-21-*-1102\",\n \"S-1-5-21-*-550\",\n \"S-1-5-21-*-549\",\n \"S-1-5-21-*-548\"\n )\n )\n)\n", + "references": [ + "https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-b--privileged-accounts-and-groups-in-active-directory" + ], + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "group.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "group.name", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.api", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "5cd8e1f7-0050-4afc-b2df-904e40b2f5ae", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Resources: Investigation Guide", + "Use Case: Active Directory Monitoring", + "Data Source: Active Directory" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1098", + "name": "Account Manipulation", + "reference": "https://attack.mitre.org/techniques/T1098/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 110 + }, + "id": 
"5cd8e1f7-0050-4afc-b2df-904e40b2f5ae_110", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/63431796-f813-43af-820b-492ee2efec8e_1.json b/packages/security_detection_engine/kibana/security_rule/63431796-f813-43af-820b-492ee2efec8e_1.json new file mode 100644 index 00000000000..7babd3821f0 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/63431796-f813-43af-820b-492ee2efec8e_1.json 
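Review bot: Backup Operators is covered by neither branch of `query`: the name list has `"Backup Admins"`, which is not a Windows group name (the built-in group is `Backup Operators`), and the SID list writes the built-in operator groups as domain SIDs (`S-1-5-21-*-548` through `S-1-5-21-*-551`), whereas Account, Server, Print and Backup Operators are BUILTIN groups with SIDs `S-1-5-32-548` through `S-1-5-32-551` (see the Microsoft appendix already cited in `references`). Server, Print and Account Operators are still caught by name, but an addition to Backup Operators, whose SeBackupPrivilege on a domain controller allows copying NTDS.dit, is missed. Suggest replacing `"Backup Admins"` with `"Backup Operators"` and adding `"S-1-5-32-548", "S-1-5-32-549", "S-1-5-32-550", "S-1-5-32-551"` to the `group.id` list. Note also that `-1101`/`-1102` are allocated rather than well-known RIDs, so DnsAdmins coverage effectively rests on the name match alone.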
@@ -0,0 +1,148 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule identifies an egress internet connection initiated by an SSH Daemon child process. This behavior is indicative of the alteration of a shell configuration file or other mechanism that launches a process when a new SSH login occurs. Attackers can also backdoor the SSH daemon to allow for persistence, call out to a C2 or to steal credentials.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Network Connection Initiated by SSHD Child Process", + "query": "sequence by host.id with maxspan=1s\n [process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and\n process.parent.executable == \"/usr/sbin/sshd\"] by process.entity_id\n [network where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"connection_attempted\" and not (\n destination.ip == null or destination.ip == \"0.0.0.0\" or cidrmatch(\n destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\", \"192.0.0.0/29\",\n \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\", \"192.0.2.0/24\",\n \"192.31.196.0/24\", \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\", \"100.64.0.0/10\",\n \"192.175.48.0/24\",\"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\", \"FE80::/10\",\n \"FF00::/8\", \"172.31.0.0/16\"\n )\n )\n ] by process.parent.entity_id\n", + "references": [ + "https://hadess.io/the-art-of-linux-persistence/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "destination.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + 
}, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "63431796-f813-43af-820b-492ee2efec8e", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1546", + "name": "Event Triggered Execution", + "reference": "https://attack.mitre.org/techniques/T1546/", + "subtechnique": [ + { + "id": "T1546.004", + "name": "Unix Shell Configuration Modification", + "reference": "https://attack.mitre.org/techniques/T1546/004/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/", + "subtechnique": [ + { + "id": "T1021.004", + "name": "SSH", + "reference": "https://attack.mitre.org/techniques/T1021/004/" + } + ] + }, + { + "id": "T1563", + "name": "Remote Service Session Hijacking", + "reference": "https://attack.mitre.org/techniques/T1563/", + "subtechnique": [ + { + "id": "T1563.001", + "name": "SSH Hijacking", + "reference": "https://attack.mitre.org/techniques/T1563/001/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": 
[] + } + ], + "type": "eql", + "version": 1 + }, + "id": "63431796-f813-43af-820b-492ee2efec8e_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/684554fc-0777-47ce-8c9b-3d01f198d7f8_207.json b/packages/security_detection_engine/kibana/security_rule/684554fc-0777-47ce-8c9b-3d01f198d7f8_207.json new file mode 100644 index 00000000000..1625d812c45 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/684554fc-0777-47ce-8c9b-3d01f198d7f8_207.json 
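Review bot: The join keys in `query` (`by process.entity_id` on the exec event, `by process.parent.entity_id` on the network event) mean the connection must come from a child of the process sshd spawned, i.e. a grandchild of `/usr/sbin/sshd`; a login shell whose rc file connects out from the shell itself (e.g. `exec 3<>/dev/tcp/host/port` in `.bashrc`) has sshd as its parent and is not matched, and a backdoored sshd that calls out from its own process, which the `description` explicitly mentions, produces no exec event at all. If the grandchild-only scope is intended, the `description` and title should say so; otherwise a second sequence joined by `process.entity_id` on both events is needed for the direct case. Two smaller gaps in the same clause: the private-range exclusion covers IPv4 and `::1`/`FE80::/10`/`FF00::/8` but not IPv6 ULA, so add `"fc00::/7"` to the `cidrmatch` list; and unlike the other EQL rules in this patch this one has no `"timestamp_override": "event.ingested"`, so endpoint events that arrive later than the `now-9m` window are silently skipped.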
@@ -0,0 +1,97 @@ +{ + "attributes": { + "author": [ + "Austin Songer" + ], + "description": "Identifies a new or modified federation domain, which can be used to create a trust between O365 and an external identity provider.", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "New or Modified Federation Domain", + "note": "", + "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:(\"Set-AcceptedDomain\" or\n\"Set-MsolDomainFederationSettings\" or \"Add-FederatedDomain\" or \"New-AcceptedDomain\" or \"Remove-AcceptedDomain\" or \"Remove-FederatedDomain\") and\nevent.outcome:success\n", + "references": [ + "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-accepteddomain?view=exchange-ps", + "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-federateddomain?view=exchange-ps", + "https://docs.microsoft.com/en-us/powershell/module/exchange/new-accepteddomain?view=exchange-ps", + "https://docs.microsoft.com/en-us/powershell/module/exchange/add-federateddomain?view=exchange-ps", + "https://docs.microsoft.com/en-us/powershell/module/exchange/set-accepteddomain?view=exchange-ps", + "https://docs.microsoft.com/en-us/powershell/module/msonline/set-msoldomainfederationsettings?view=azureadps-1.0" + ], + "related_integrations": [ + { + "package": "o365", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "684554fc-0777-47ce-8c9b-3d01f198d7f8", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data 
is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Domain: Cloud", + "Data Source: Microsoft 365", + "Use Case: Identity and Access Audit", + "Tactic: Privilege Escalation" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1484", + "name": "Domain or Tenant Policy Modification", + "reference": "https://attack.mitre.org/techniques/T1484/", + "subtechnique": [ + { + "id": "T1484.002", + "name": "Trust Modification", + "reference": "https://attack.mitre.org/techniques/T1484/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 207 + }, + "id": "684554fc-0777-47ce-8c9b-3d01f198d7f8_207", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6aace640-e631-4870-ba8e-5fdda09325db_313.json b/packages/security_detection_engine/kibana/security_rule/6aace640-e631-4870-ba8e-5fdda09325db_313.json new file mode 100644 index 00000000000..fd8b444d367 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/6aace640-e631-4870-ba8e-5fdda09325db_313.json 
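Review bot: `Set-MsolDomainFederationSettings` in the `event.action` list is an MSOnline (Azure AD PowerShell v1) cmdlet, as the `azureadps-1.0` link in `references` itself shows, yet the query also requires `event.provider:Exchange`; in the O365 audit feed that operation would presumably surface under the AzureActiveDirectory workload rather than Exchange, and MSOnline is now retired, so that branch is likely dead and federation changes made via Microsoft Graph (`New-MgDomainFederationConfiguration` / `Update-MgDomainFederationConfiguration`) are not covered at all. Consider either adding an AzureActiveDirectory-provider clause for domain federation operations or removing the MSOL name and documenting the gap in `description`. Federation trust modification is the precondition for Golden SAML-style token forgery, so `risk_score: 21` / `severity: low` and the empty `note` look under-weighted for a rule tagged T1484.002; a short triage note naming the federation-backdoor risk and the account that should be contacted would help analysts.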
@@ -0,0 +1,140 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the use of the Exchange PowerShell cmdlet, New-MailBoxExportRequest, to export the contents of a primary mailbox or archive to a .pst file. Adversaries may target user email to collect sensitive information.", + "false_positives": [ + "Legitimate exchange system administration activity." + ], + "from": "now-9m", + "index": [ + "logs-endpoint.events.process-*", + "winlogbeat-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*", + "logs-sentinel_one_cloud_funnel.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Exporting Exchange Mailbox via PowerShell", + "note": "## Triage and analysis\n\n### Investigating Exporting Exchange Mailbox via PowerShell\n\nEmail mailboxes and their information can be valuable assets for attackers. Company mailboxes often contain sensitive information such as login credentials, intellectual property, financial data, and personal information, making them high-value targets for malicious actors.\n\nThe `New-MailBoxExportRequest` cmdlet is used to begin the process of exporting contents of a primary mailbox or archive to a .pst file. Note that this is done on a per-mailbox basis and this cmdlet is available only in on-premises Exchange.\n\nAttackers can abuse this functionality in preparation for exfiltrating contents, which is likely to contain sensitive and strategic data.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the export operation:\n - Identify the user account that performed the action and whether it should perform this kind of action.\n - Contact the account owner and confirm whether they are aware of this activity.\n - Check if this operation was approved and performed according to the organization's change management policy.\n - Retrieve the operation status and use the `Get-MailboxExportRequest` cmdlet to review previous requests.\n - By default, no group in Exchange has the privilege to import or export mailboxes. Investigate administrators that assigned the \"Mailbox Import Export\" privilege for abnormal activity.\n- Investigate if there is a significant quantity of export requests in the alert timeframe. This operation is done on a per-mailbox basis and can be part of a mass export.\n- If the operation was completed successfully:\n - Check if the file is on the path specified in the command.\n - Investigate if the file was compressed, archived, or retrieved by the attacker for exfiltration.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. 
Analysts can dismiss the alert if the administrator is aware of the activity and it is done with proper approval.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- If the involved host is not the Exchange server, isolate the host to prevent further post-compromise behavior.\n- Use the `Remove-MailboxExportRequest` cmdlet to remove fully or partially completed export requests.\n- Prioritize cases that involve personally identifiable information (PII) or other classified data.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Review the privileges of users with the \"Mailbox Import Export\" privilege to ensure that the least privilege principle is being followed.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name: (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and\n process.command_line : (\"*MailboxExportRequest*\", \"*-Mailbox*-ContentFilter*\")\n", + "references": [ + "https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/", + "https://docs.microsoft.com/en-us/powershell/module/exchange/new-mailboxexportrequest?view=exchange-ps" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + }, 
+ { + "package": "system", + "version": "^1.6.4" + }, + { + "package": "sentinel_one_cloud_funnel", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.command_line", + "type": "wildcard" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "6aace640-e631-4870-ba8e-5fdda09325db", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Collection", + "Tactic: Execution", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: SentinelOne" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0009", + "name": "Collection", + "reference": "https://attack.mitre.org/tactics/TA0009/" + }, + "technique": [ + { + "id": "T1005", + "name": "Data from Local System", + "reference": "https://attack.mitre.org/techniques/T1005/" + }, + { + "id": "T1114", + "name": "Email Collection", + "reference": "https://attack.mitre.org/techniques/T1114/", + "subtechnique": [ + { + "id": "T1114.002", + "name": "Remote Email Collection", + "reference": "https://attack.mitre.org/techniques/T1114/002/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + 
"reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 313 + }, + "id": "6aace640-e631-4870-ba8e-5fdda09325db_313", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/71de53ea-ff3b-11ee-b572-f661ea17fbce_1.json b/packages/security_detection_engine/kibana/security_rule/71de53ea-ff3b-11ee-b572-f661ea17fbce_1.json new file mode 100644 index 00000000000..d7f5c0d23f7 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/71de53ea-ff3b-11ee-b572-f661ea17fbce_1.json 
@@ -0,0 +1,101 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when an AWS IAM Roles Anywhere Trust Anchor with an external certificate authority is created. AWS Roles Anywhere profiles are legitimate profiles that can be created by administrators to allow access from any location. This rule detects when a trust anchor is created with an external certificate authority that is not managed by AWS Certificate Manager Private Certificate Authority (ACM PCA). Adversaries may accomplish this to maintain persistence in the environment.", + "false_positives": [ + "AWS IAM Roles Anywhere Trust Anchors are legitimate profiles that can be created by administrators to allow access from any location. Ensure that the trust anchor is created by a legitimate administrator and that the external certificate authority is authorized." + ], + "from": "now-30m", + "index": [ + "filebeat-*", + "logs-aws.cloudtrail-*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS IAM Roles Anywhere Trust Anchor Created with External CA", + "note": "\n## Triage and Analysis\n\n### Investigating AWS IAM Roles Anywhere Trust Anchor Created with External CA\n\nThis rule detects when an AWS IAM Roles Anywhere Trust Anchor with an external certificate authority is created. AWS Roles Anywhere profiles are legitimate profiles that can be created by administrators to allow access from any location. This rule identifies when a trust anchor is created with an external certificate authority that is not managed by AWS Certificate Manager Private Certificate Authority (ACM PCA). Adversaries may accomplish this to maintain persistence in the environment.\n\n#### Possible Investigation Steps:\n\n- **Identify the Actor**: Review the `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.access_key_id` fields to identify who made the change. 
Verify if this actor typically performs such actions and if they have the necessary permissions.\n- **Review the Request Details**: Examine the `aws.cloudtrail.request_parameters` to understand the specific details of the trust anchor creation. Look for any unusual parameters that could suggest unauthorized or malicious modifications.\n- **Analyze the Source of the Request**: Investigate the `source.ip` and `source.geo` fields to determine the geographical origin of the request. An external or unexpected location might indicate compromised credentials or unauthorized access.\n- **Contextualize with Timestamp**: Use the `@timestamp` field to check when the trust anchor was created. Changes during non-business hours or outside regular maintenance windows might require further scrutiny.\n- **Correlate with Other Activities**: Search for related CloudTrail events before and after this change to see if the same actor or IP address engaged in other potentially suspicious activities.\n- **Verify the Certificate Authority**: Ensure that the external certificate authority used is authorized and recognized. Unauthorized external CAs can be a red flag for malicious activity.\n\n### False Positive Analysis:\n\n- **Legitimate Administrative Actions**: Confirm if the trust anchor creation aligns with scheduled updates, development activities, or legitimate administrative tasks documented in change management systems.\n- **Consistency Check**: Compare the action against historical data of similar actions performed by the user or within the organization. 
If the action is consistent with past legitimate activities, it might indicate a false alarm.\n- **Verify through Outcomes**: Check the `aws.cloudtrail.response_elements` and the `event.outcome` to confirm if the creation was successful and intended according to policy.\n\n### Response and Remediation:\n\n- **Immediate Review and Reversal if Necessary**: If the creation was unauthorized, remove the trust anchor and revoke any associated permissions.\n- **Enhance Monitoring and Alerts**: Adjust monitoring systems to alert on similar actions, especially those involving the creation of trust anchors with external certificate authorities.\n- **Educate and Train**: Provide additional training to users with administrative rights on the importance of security best practices concerning IAM Roles Anywhere and the use of certificate authorities.\n- **Audit IAM Roles and Policies**: Conduct a comprehensive audit of all IAM roles and associated policies to ensure they adhere to the principle of least privilege.\n- **Incident Response**: If there's an indication of malicious intent or a security breach, initiate the incident response protocol to mitigate any damage and prevent future occurrences.\n\n### Additional Information:\n\nFor further guidance on managing IAM Roles Anywhere and securing AWS environments, refer to the [AWS IAM Roles Anywhere documentation](https://docs.aws.amazon.com/rolesanywhere/latest/userguide/introduction.html) and AWS best practices for security. 
Additionally, consult the following resources for specific details on IAM roles and trust anchors:\n- [AWS IAM Roles Anywhere Introduction](https://docs.aws.amazon.com/rolesanywhere/latest/userguide/introduction.html)\n- [Ermetic Blog on IAM Users and Third Parties](https://ermetic.com/blog/aws/keep-your-iam-users-close-keep-your-third-parties-even-closer-part-1/)\n", + "query": "event.dataset: aws.cloudtrail\n and event.provider: rolesanywhere.amazonaws.com\n and event.action: CreateTrustAnchor\n and event.outcome: success\n and not aws.cloudtrail.request_parameters: *sourceType=AWS_ACM_PCA*\n", + "references": [ + "https://docs.aws.amazon.com/rolesanywhere/latest/userguide/introduction.html", + "https://ermetic.com/blog/aws/keep-your-iam-users-close-keep-your-third-parties-even-closer-part-1/", + "https://docs.aws.amazon.com/rolesanywhere/latest/APIReference/API_CreateTrustAnchor.html" + ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "aws.cloudtrail.request_parameters", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "71de53ea-ff3b-11ee-b572-f661ea17fbce", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Data Source: AWS IAM", + "Use Case: Identity and Access Audit", + "Tactic: Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1098", + "name": "Account Manipulation", + "reference": 
"https://attack.mitre.org/techniques/T1098/", + "subtechnique": [ + { + "id": "T1098.003", + "name": "Additional Cloud Roles", + "reference": "https://attack.mitre.org/techniques/T1098/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 1 + }, + "id": "71de53ea-ff3b-11ee-b572-f661ea17fbce_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/76fd43b7-3480-4dd9-8ad7-8bd36bfad92f_312.json b/packages/security_detection_engine/kibana/security_rule/76fd43b7-3480-4dd9-8ad7-8bd36bfad92f_312.json new file mode 100644 index 00000000000..55adf3de001 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/76fd43b7-3480-4dd9-8ad7-8bd36bfad92f_312.json 
@@ -0,0 +1,115 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies potential use of an SSH utility to establish RDP over a reverse SSH Tunnel. This can be used by attackers to enable routing of network packets that would otherwise not reach their intended destination.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.process-*", + "winlogbeat-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*", + "logs-sentinel_one_cloud_funnel.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Remote Desktop Tunneling Detected", + "note": "## Triage and analysis\n\n### Investigating Potential Remote Desktop Tunneling Detected\n\nProtocol Tunneling is a mechanism that involves explicitly encapsulating a protocol within another for various use cases, ranging from providing an outer layer of encryption (similar to a VPN) to enabling traffic that network appliances would filter to reach their destination.\n\nAttackers may tunnel Remote Desktop Protocol (RDP) traffic through other protocols like Secure Shell (SSH) to bypass network restrictions that block incoming RDP connections but may be more permissive to other protocols.\n\nThis rule looks for command lines involving the `3389` port, which RDP uses by default and options commonly associated with tools that perform tunneling.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account and system owners and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine network data to determine if the host communicated with external servers using the tunnel.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n- Investigate the command line for the execution of programs that are unrelated to tunneling, like Remote Desktop clients.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Take the necessary actions to disable the tunneling, which can be a process kill, service deletion, registry key modification, etc. Inspect the host to learn which method was used and to determine a response for the case.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n /* RDP port and usual SSH tunneling related switches in command line */\n process.args : \"*:3389\" and\n process.args : (\"-L\", \"-P\", \"-R\", \"-pw\", \"-ssh\")\n", + "references": [ + "https://blog.netspi.com/how-to-access-rdp-over-a-reverse-ssh-tunnel/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + }, + { + "package": "sentinel_one_cloud_funnel", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "76fd43b7-3480-4dd9-8ad7-8bd36bfad92f", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Command and Control", + "Tactic: Lateral Movement", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + 
"Data Source: Elastic Defend", + "Data Source: SentinelOne" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1572", + "name": "Protocol Tunneling", + "reference": "https://attack.mitre.org/techniques/T1572/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/", + "subtechnique": [ + { + "id": "T1021.004", + "name": "SSH", + "reference": "https://attack.mitre.org/techniques/T1021/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 312 + }, + "id": "76fd43b7-3480-4dd9-8ad7-8bd36bfad92f_312", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/78de1aeb-5225-4067-b8cc-f4a1de8a8546_203.json b/packages/security_detection_engine/kibana/security_rule/78de1aeb-5225-4067-b8cc-f4a1de8a8546_203.json new file mode 100644 index 00000000000..c468355d143 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/78de1aeb-5225-4067-b8cc-f4a1de8a8546_203.json 
@@ -0,0 +1,101 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies suspicious processes being spawned by the ScreenConnect client processes. This activity may indicate execution abusing unauthorized access to the ScreenConnect remote access software.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.process-*", + "winlogbeat-*", + "logs-windows.sysmon_operational-*", + "logs-system.security*", + "endgame-*", + "logs-sentinel_one_cloud_funnel.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious ScreenConnect Client Child Process", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name :\n (\"ScreenConnect.ClientService.exe\",\n \"ScreenConnect.WindowsClient.exe\",\n \"ScreenConnect.WindowsBackstageShell.exe\",\n \"ScreenConnect.WindowsFileManager.exe\") and\n (\n (process.name : \"powershell.exe\" and\n process.args : (\"-enc\", \"-ec\", \"-e\", \"*downloadstring*\", \"*Reflection.Assembly*\", \"*http*\")) or\n (process.name : \"cmd.exe\" and process.args : \"/c\") or\n (process.name : \"net.exe\" and process.args : \"/add\") or\n (process.name : \"schtasks.exe\" and process.args : (\"/create\", \"-create\")) or\n (process.name : \"sc.exe\" and process.args : \"create\") or\n (process.name : \"rundll32.exe\" and not process.args : \"url.dll,FileProtocolHandler\") or\n (process.name : \"msiexec.exe\" and process.args : (\"/i\", \"-i\") and\n process.args : (\"/q\", \"/quiet\", \"/qn\", \"-q\", \"-quiet\", \"-qn\", \"-Q+\")) or\n process.name : (\"mshta.exe\", \"certutil.exe\", \"bistadmin.exe\", \"certreq.exe\", \"wscript.exe\", \"cscript.exe\", \"curl.exe\",\n \"ssh.exe\", \"scp.exe\", \"wevtutil.exe\", \"wget.exe\", \"wmic.exe\")\n )\n", + "references": [ + "https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708" + ], + "related_integrations": [ + { + "package": "endpoint", + 
"version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + }, + { + "package": "sentinel_one_cloud_funnel", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "78de1aeb-5225-4067-b8cc-f4a1de8a8546", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Command and Control", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Data Source: SentinelOne" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1219", + "name": "Remote Access Software", + "reference": "https://attack.mitre.org/techniques/T1219/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 203 + }, + "id": "78de1aeb-5225-4067-b8cc-f4a1de8a8546_203", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/79ce2c96-72f7-44f9-88ef-60fa1ac2ce47_5.json b/packages/security_detection_engine/kibana/security_rule/79ce2c96-72f7-44f9-88ef-60fa1ac2ce47_5.json new file mode 100644 index 00000000000..1e3805d41cb --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/79ce2c96-72f7-44f9-88ef-60fa1ac2ce47_5.json 
@@ -0,0 +1,126 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "building_block_type": "default", + "description": "Identifies suspicious instances of default system32 executables, either unsigned or signed with non-MS certificates. This could indicate the attempt to masquerade as system executables or backdoored and resigned legitimate executables.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.process-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Masquerading as System32 Executable", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and \n (process.code_signature.status : \"?*\" or process.code_signature.exists != null) and\n process.name: (\n \"agentactivationruntimestarter.exe\", \"agentservice.exe\", \"aitstatic.exe\", \"alg.exe\", \"apphostregistrationverifier.exe\", \"appidcertstorecheck.exe\", \"appidpolicyconverter.exe\", \"appidtel.exe\", \"applicationframehost.exe\", \"applysettingstemplatecatalog.exe\", \"applytrustoffline.exe\", \"approvechildrequest.exe\", \"appvclient.exe\", \"appvdllsurrogate.exe\", \"appvnice.exe\", \"appvshnotify.exe\", \"arp.exe\", \"assignedaccessguard.exe\", \"at.exe\", \"atbroker.exe\", \"attrib.exe\", \"audiodg.exe\", \"auditpol.exe\", \"authhost.exe\", \"autochk.exe\", \"autoconv.exe\", \"autofmt.exe\", \"axinstui.exe\", \"baaupdate.exe\", \"backgroundtaskhost.exe\", \"backgroundtransferhost.exe\", \"bcdboot.exe\", \"bcdedit.exe\", \"bdechangepin.exe\", \"bdehdcfg.exe\", \"bdeuisrv.exe\", \"bdeunlock.exe\", \"bioiso.exe\", \"bitlockerdeviceencryption.exe\", \"bitlockerwizard.exe\", \"bitlockerwizardelev.exe\", \"bitsadmin.exe\", \"bootcfg.exe\", \"bootim.exe\", \"bootsect.exe\", \"bridgeunattend.exe\", \"browserexport.exe\", \"browser_broker.exe\", \"bthudtask.exe\", \"bytecodegenerator.exe\", \"cacls.exe\", \"calc.exe\", \"camerasettingsuihost.exe\", \"castsrv.exe\", \"certenrollctrl.exe\", \"certreq.exe\", \"certutil.exe\", 
\"change.exe\", \"changepk.exe\", \"charmap.exe\", \"checknetisolation.exe\", \"chglogon.exe\", \"chgport.exe\", \"chgusr.exe\", \"chkdsk.exe\", \"chkntfs.exe\", \"choice.exe\", \"cidiag.exe\", \"cipher.exe\", \"cleanmgr.exe\", \"cliconfg.exe\", \"clip.exe\", \"clipup.exe\", \"cloudexperiencehostbroker.exe\", \"cloudnotifications.exe\", \"cmd.exe\", \"cmdkey.exe\", \"cmdl32.exe\", \"cmmon32.exe\", \"cmstp.exe\", \"cofire.exe\", \"colorcpl.exe\", \"comp.exe\", \"compact.exe\", \"compattelrunner.exe\", \"compmgmtlauncher.exe\", \"comppkgsrv.exe\", \"computerdefaults.exe\", \"conhost.exe\", \"consent.exe\", \"control.exe\", \"convert.exe\", \"convertvhd.exe\", \"coredpussvr.exe\", \"credentialenrollmentmanager.exe\", \"credentialuibroker.exe\", \"credwiz.exe\", \"cscript.exe\", \"csrss.exe\", \"ctfmon.exe\", \"cttune.exe\", \"cttunesvr.exe\", \"custominstallexec.exe\", \"customshellhost.exe\", \"dashost.exe\", \"dataexchangehost.exe\", \"datastorecachedumptool.exe\", \"dccw.exe\", \"dcomcnfg.exe\", \"ddodiag.exe\", \"defrag.exe\", \"deploymentcsphelper.exe\", \"desktopimgdownldr.exe\", \"devicecensus.exe\", \"devicecredentialdeployment.exe\", \"deviceeject.exe\", \"deviceenroller.exe\", \"devicepairingwizard.exe\", \"deviceproperties.exe\", \"dfdwiz.exe\", \"dfrgui.exe\", \"dialer.exe\", \"directxdatabaseupdater.exe\", \"diskpart.exe\", \"diskperf.exe\", \"diskraid.exe\", \"disksnapshot.exe\", \"dism.exe\", \"dispdiag.exe\", \"displayswitch.exe\", \"djoin.exe\", \"dllhost.exe\", \"dllhst3g.exe\", \"dmcertinst.exe\", \"dmcfghost.exe\", \"dmclient.exe\", \"dmnotificationbroker.exe\", \"dmomacpmo.exe\", \"dnscacheugc.exe\", \"doskey.exe\", \"dpapimig.exe\", \"dpiscaling.exe\", \"dpnsvr.exe\", \"driverquery.exe\", \"drvinst.exe\", \"dsmusertask.exe\", \"dsregcmd.exe\", \"dstokenclean.exe\", \"dusmtask.exe\", \"dvdplay.exe\", \"dwm.exe\", \"dwwin.exe\", \"dxdiag.exe\", \"dxgiadaptercache.exe\", \"dxpserver.exe\", \"eap3host.exe\", \"easeofaccessdialog.exe\", 
\"easinvoker.exe\", \"easpolicymanagerbrokerhost.exe\", \"edpcleanup.exe\", \"edpnotify.exe\", \"eduprintprov.exe\", \"efsui.exe\", \"ehstorauthn.exe\", \"eoaexperiences.exe\", \"esentutl.exe\", \"eudcedit.exe\", \"eventcreate.exe\", \"eventvwr.exe\", \"expand.exe\", \"extrac32.exe\", \"fc.exe\", \"fclip.exe\", \"fhmanagew.exe\", \"filehistory.exe\", \"find.exe\", \"findstr.exe\", \"finger.exe\", \"fixmapi.exe\", \"fltmc.exe\", \"fodhelper.exe\", \"fondue.exe\", \"fontdrvhost.exe\", \"fontview.exe\", \"forfiles.exe\", \"fsavailux.exe\", \"fsiso.exe\", \"fsquirt.exe\", \"fsutil.exe\", \"ftp.exe\", \"fvenotify.exe\", \"fveprompt.exe\", \"gamebarpresencewriter.exe\", \"gamepanel.exe\", \"genvalobj.exe\", \"getmac.exe\", \"gpresult.exe\", \"gpscript.exe\", \"gpupdate.exe\", \"grpconv.exe\", \"hdwwiz.exe\", \"help.exe\", \"hostname.exe\", \"hvax64.exe\", \"hvix64.exe\", \"hvsievaluator.exe\", \"icacls.exe\", \"icsentitlementhost.exe\", \"icsunattend.exe\", \"ie4uinit.exe\", \"ie4ushowie.exe\", \"iesettingsync.exe\", \"ieunatt.exe\", \"iexpress.exe\", \"immersivetpmvscmgrsvr.exe\", \"infdefaultinstall.exe\", \"inputswitchtoasthandler.exe\", \"iotstartup.exe\", \"ipconfig.exe\", \"iscsicli.exe\", \"iscsicpl.exe\", \"isoburn.exe\", \"klist.exe\", \"ksetup.exe\", \"ktmutil.exe\", \"label.exe\", \"languagecomponentsinstallercomhandler.exe\", \"launchtm.exe\", \"launchwinapp.exe\", \"legacynetuxhost.exe\", \"licensemanagershellext.exe\", \"licensingdiag.exe\", \"licensingui.exe\", \"locationnotificationwindows.exe\", \"locator.exe\", \"lockapphost.exe\", \"lockscreencontentserver.exe\", \"lodctr.exe\", \"logagent.exe\", \"logman.exe\", \"logoff.exe\", \"logonui.exe\", \"lpkinstall.exe\", \"lpksetup.exe\", \"lpremove.exe\", \"lsaiso.exe\", \"lsass.exe\", \"magnify.exe\", \"makecab.exe\", \"manage-bde.exe\", \"mavinject.exe\", \"mbaeparsertask.exe\", \"mblctr.exe\", \"mbr2gpt.exe\", \"mcbuilder.exe\", \"mdeserver.exe\", \"mdmagent.exe\", \"mdmappinstaller.exe\", 
\"mdmdiagnosticstool.exe\", \"mdres.exe\", \"mdsched.exe\", \"mfpmp.exe\", \"microsoft.uev.cscunpintool.exe\", \"microsoft.uev.synccontroller.exe\", \"microsoftedgebchost.exe\", \"microsoftedgecp.exe\", \"microsoftedgedevtools.exe\", \"microsoftedgesh.exe\", \"mmc.exe\", \"mmgaserver.exe\", \"mobsync.exe\", \"mountvol.exe\", \"mousocoreworker.exe\", \"mpnotify.exe\", \"mpsigstub.exe\", \"mrinfo.exe\", \"mschedexe.exe\", \"msconfig.exe\", \"msdt.exe\", \"msdtc.exe\", \"msfeedssync.exe\", \"msg.exe\", \"mshta.exe\", \"msiexec.exe\", \"msinfo32.exe\", \"mspaint.exe\", \"msra.exe\", \"msspellcheckinghost.exe\", \"mstsc.exe\", \"mtstocom.exe\", \"muiunattend.exe\", \"multidigimon.exe\", \"musnotification.exe\", \"musnotificationux.exe\", \"musnotifyicon.exe\", \"narrator.exe\", \"nbtstat.exe\", \"ndadmin.exe\", \"ndkping.exe\", \"net.exe\", \"net1.exe\", \"netbtugc.exe\", \"netcfg.exe\", \"netcfgnotifyobjecthost.exe\", \"netevtfwdr.exe\", \"nethost.exe\", \"netiougc.exe\", \"netplwiz.exe\", \"netsh.exe\", \"netstat.exe\", \"newdev.exe\", \"ngciso.exe\", \"nltest.exe\", \"notepad.exe\", \"nslookup.exe\", \"ntoskrnl.exe\", \"ntprint.exe\", \"odbcad32.exe\", \"odbcconf.exe\", \"ofdeploy.exe\", \"omadmclient.exe\", \"omadmprc.exe\", \"openfiles.exe\", \"openwith.exe\", \"optionalfeatures.exe\", \"osk.exe\", \"pacjsworker.exe\", \"packagedcwalauncher.exe\", \"packageinspector.exe\", \"passwordonwakesettingflyout.exe\", \"pathping.exe\", \"pcalua.exe\", \"pcaui.exe\", \"pcwrun.exe\", \"perfmon.exe\", \"phoneactivate.exe\", \"pickerhost.exe\", \"pinenrollmentbroker.exe\", \"ping.exe\", \"pkgmgr.exe\", \"pktmon.exe\", \"plasrv.exe\", \"pnpunattend.exe\", \"pnputil.exe\", \"poqexec.exe\", \"pospaymentsworker.exe\", \"powercfg.exe\", \"presentationhost.exe\", \"presentationsettings.exe\", \"prevhost.exe\", \"printbrmui.exe\", \"printfilterpipelinesvc.exe\", \"printisolationhost.exe\", \"printui.exe\", \"proquota.exe\", \"provlaunch.exe\", \"provtool.exe\", 
\"proximityuxhost.exe\", \"prproc.exe\", \"psr.exe\", \"pwlauncher.exe\", \"qappsrv.exe\", \"qprocess.exe\", \"query.exe\", \"quser.exe\", \"qwinsta.exe\", \"rasautou.exe\", \"rasdial.exe\", \"raserver.exe\", \"rasphone.exe\", \"rdpclip.exe\", \"rdpinit.exe\", \"rdpinput.exe\", \"rdpsa.exe\", \"rdpsaproxy.exe\", \"rdpsauachelper.exe\", \"rdpshell.exe\", \"rdpsign.exe\", \"rdrleakdiag.exe\", \"reagentc.exe\", \"recdisc.exe\", \"recover.exe\", \"recoverydrive.exe\", \"refsutil.exe\", \"reg.exe\", \"regedt32.exe\", \"regini.exe\", \"register-cimprovider.exe\", \"regsvr32.exe\", \"rekeywiz.exe\", \"relog.exe\", \"relpost.exe\", \"remoteapplifetimemanager.exe\", \"remoteposworker.exe\", \"repair-bde.exe\", \"replace.exe\", \"reset.exe\", \"resetengine.exe\", \"resmon.exe\", \"rmactivate.exe\", \"rmactivate_isv.exe\", \"rmactivate_ssp.exe\", \"rmactivate_ssp_isv.exe\", \"rmclient.exe\", \"rmttpmvscmgrsvr.exe\", \"robocopy.exe\", \"route.exe\", \"rpcping.exe\", \"rrinstaller.exe\", \"rstrui.exe\", \"runas.exe\", \"rundll32.exe\", \"runexehelper.exe\", \"runlegacycplelevated.exe\", \"runonce.exe\", \"runtimebroker.exe\", \"rwinsta.exe\", \"sc.exe\", \"schtasks.exe\", \"scriptrunner.exe\", \"sdbinst.exe\", \"sdchange.exe\", \"sdclt.exe\", \"sdiagnhost.exe\", \"searchfilterhost.exe\", \"searchindexer.exe\", \"searchprotocolhost.exe\", \"secedit.exe\", \"secinit.exe\", \"securekernel.exe\", \"securityhealthhost.exe\", \"securityhealthservice.exe\", \"securityhealthsystray.exe\", \"sensordataservice.exe\", \"services.exe\", \"sessionmsg.exe\", \"sethc.exe\", \"setspn.exe\", \"settingsynchost.exe\", \"setupcl.exe\", \"setupugc.exe\", \"setx.exe\", \"sfc.exe\", \"sgrmbroker.exe\", \"sgrmlpac.exe\", \"shellappruntime.exe\", \"shrpubw.exe\", \"shutdown.exe\", \"sigverif.exe\", \"sihclient.exe\", \"sihost.exe\", \"slidetoshutdown.exe\", \"slui.exe\", \"smartscreen.exe\", \"smss.exe\", \"sndvol.exe\", \"snippingtool.exe\", \"snmptrap.exe\", \"sort.exe\", \"spaceagent.exe\", 
\"spaceman.exe\", \"spatialaudiolicensesrv.exe\", \"spectrum.exe\", \"spoolsv.exe\", \"sppextcomobj.exe\", \"sppsvc.exe\", \"srdelayed.exe\", \"srtasks.exe\", \"stordiag.exe\", \"subst.exe\", \"svchost.exe\", \"sxstrace.exe\", \"syncappvpublishingserver.exe\", \"synchost.exe\", \"sysreseterr.exe\", \"systeminfo.exe\", \"systempropertiesadvanced.exe\", \"systempropertiescomputername.exe\", \"systempropertiesdataexecutionprevention.exe\", \"systempropertieshardware.exe\", \"systempropertiesperformance.exe\", \"systempropertiesprotection.exe\", \"systempropertiesremote.exe\", \"systemreset.exe\", \"systemsettingsadminflows.exe\", \"systemsettingsbroker.exe\", \"systemsettingsremovedevice.exe\", \"systemuwplauncher.exe\", \"systray.exe\", \"tabcal.exe\", \"takeown.exe\", \"tapiunattend.exe\", \"tar.exe\", \"taskhostw.exe\", \"taskkill.exe\", \"tasklist.exe\", \"taskmgr.exe\", \"tcblaunch.exe\", \"tcmsetup.exe\", \"tcpsvcs.exe\", \"thumbnailextractionhost.exe\", \"tieringengineservice.exe\", \"timeout.exe\", \"tokenbrokercookies.exe\", \"tpminit.exe\", \"tpmtool.exe\", \"tpmvscmgr.exe\", \"tpmvscmgrsvr.exe\", \"tracerpt.exe\", \"tracert.exe\", \"tscon.exe\", \"tsdiscon.exe\", \"tskill.exe\", \"tstheme.exe\", \"tswbprxy.exe\", \"ttdinject.exe\", \"tttracer.exe\", \"typeperf.exe\", \"tzsync.exe\", \"tzutil.exe\", \"ucsvc.exe\", \"uevagentpolicygenerator.exe\", \"uevappmonitor.exe\", \"uevtemplatebaselinegenerator.exe\", \"uevtemplateconfigitemgenerator.exe\", \"uimgrbroker.exe\", \"unlodctr.exe\", \"unregmp2.exe\", \"upfc.exe\", \"upgraderesultsui.exe\", \"upnpcont.exe\", \"upprinterinstaller.exe\", \"useraccountbroker.exe\", \"useraccountcontrolsettings.exe\", \"userinit.exe\", \"usoclient.exe\", \"utcdecoderhost.exe\", \"utilman.exe\", \"vaultcmd.exe\", \"vds.exe\", \"vdsldr.exe\", \"verclsid.exe\", \"verifier.exe\", \"verifiergui.exe\", \"vssadmin.exe\", \"vssvc.exe\", \"w32tm.exe\", \"waasmedicagent.exe\", \"waitfor.exe\", \"wallpaperhost.exe\", \"wbadmin.exe\", 
\"wbengine.exe\", \"wecutil.exe\", \"werfault.exe\", \"werfaultsecure.exe\", \"wermgr.exe\", \"wevtutil.exe\", \"wextract.exe\", \"where.exe\", \"whoami.exe\", \"wiaacmgr.exe\", \"wiawow64.exe\", \"wifitask.exe\", \"wimserv.exe\", \"winbiodatamodeloobe.exe\", \"windows.media.backgroundplayback.exe\", \"windows.warp.jitservice.exe\", \"windowsactiondialog.exe\", \"windowsupdateelevatedinstaller.exe\", \"wininit.exe\", \"winload.exe\", \"winlogon.exe\", \"winresume.exe\", \"winrs.exe\", \"winrshost.exe\", \"winrtnetmuahostserver.exe\", \"winsat.exe\", \"winver.exe\", \"wkspbroker.exe\", \"wksprt.exe\", \"wlanext.exe\", \"wlrmdr.exe\", \"wmpdmc.exe\", \"workfolders.exe\", \"wowreg32.exe\", \"wpcmon.exe\", \"wpctok.exe\", \"wpdshextautoplay.exe\", \"wpnpinst.exe\", \"wpr.exe\", \"write.exe\", \"wscadminui.exe\", \"wscollect.exe\", \"wscript.exe\", \"wsl.exe\", \"wsmanhttpconfig.exe\", \"wsmprovhost.exe\", \"wsqmcons.exe\", \"wsreset.exe\", \"wuapihost.exe\", \"wuauclt.exe\", \"wudfcompanionhost.exe\", \"wudfhost.exe\", \"wusa.exe\", \"wwahost.exe\", \"xblgamesavetask.exe\", \"xcopy.exe\", \"xwizard.exe\", \"aggregatorhost.exe\", \"diskusage.exe\", \"dtdump.exe\", \"ism.exe\", \"ndkperfcmd.exe\", \"ntkrla57.exe\", \"securekernella57.exe\", \"spaceutil.exe\", \"configure-smremoting.exe\", \"dcgpofix.exe\", \"dcpromo.exe\", \"dimc.exe\", \"diskshadow.exe\", \"drvcfg.exe\", \"escunattend.exe\", \"iashost.exe\", \"ktpass.exe\", \"lbfoadmin.exe\", \"netdom.exe\", \"rdspnf.exe\", \"rsopprov.exe\", \"sacsess.exe\", \"servermanager.exe\", \"servermanagerlauncher.exe\", \"setres.exe\", \"tsecimp.exe\", \"vssuirun.exe\", \"webcache.exe\", \"win32calc.exe\", \"certoc.exe\", \"sdndiagnosticstask.exe\", \"xpsrchvw.exe\"\n ) and\n not (\n process.code_signature.subject_name in (\n \"Microsoft Windows\",\n \"Microsoft Corporation\",\n \"Microsoft Windows Publisher\"\n ) and process.code_signature.trusted == true\n ) and not process.code_signature.status: (\"errorCode_endpoint*\", 
\"errorUntrustedRoot\", \"errorChaining\") and\n not\n (\n process.executable: (\n \"?:\\\\Program Files\\\\Git\\\\usr\\\\bin\\\\hostname.exe\",\n \"?:\\\\Windows\\\\Temp\\\\{*}\\\\taskkill.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\{*}\\\\taskkill.exe\",\n \"?:\\\\$WINDOWS.~BT\\\\NewOS\\\\Windows\\\\System32\\\\ie4ushowIE.exe\",\n \"?:\\\\Program Files\\\\Git\\\\usr\\\\bin\\\\find.exe\",\n \"?:\\\\Program Files (x86)\\\\Axence\\\\nVision Agent 2\\\\nss\\\\certutil.exe\"\n )\n ) and\n not\n (\n (process.name: \"ucsvc.exe\" and process.code_signature.subject_name == \"Wellbia.com Co., Ltd.\" and process.code_signature.status: \"trusted\") or\n (process.name: \"pnputil.exe\" and process.code_signature.subject_name: (\"Lenovo\", \"HP Inc.\", \"Dell Inc\") and process.code_signature.status: \"trusted\") or\n (process.name: \"convert.exe\" and process.code_signature.subject_name: \"ImageMagick Studio LLC\" and process.code_signature.status: \"trusted\") or\n (process.name: \"systeminfo.exe\" and process.code_signature.subject_name: \"Arctic Wolf Networks, Inc.\" and process.code_signature.status: \"trusted\") or\n (\n process.name: \"certutil.exe\" and\n process.code_signature.subject_name: (\n \"Intel(R) Online Connect Access\",\n \"Fortinet Technologies (Canada) ULC\"\n ) and process.code_signature.status: \"trusted\"\n ) or\n (\n process.name: \"sfc.exe\" and\n process.code_signature.subject_name: (\n \"Cisco Systems, Inc.\",\n \"CISCO SYSTEMS CANADA CO\"\n ) and process.code_signature.status: \"trusted\"\n )\n )\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.code_signature.exists", + "type": "boolean" + }, + { + "ecs": true, + "name": "process.code_signature.status", + "type": "keyword" + }, + { + "ecs": true, 
+ "name": "process.code_signature.subject_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.code_signature.trusted", + "type": "boolean" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "79ce2c96-72f7-44f9-88ef-60fa1ac2ce47", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "Data Source: Elastic Defend", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Persistence", + "Rule Type: BBR" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1036", + "name": "Masquerading", + "reference": "https://attack.mitre.org/techniques/T1036/", + "subtechnique": [ + { + "id": "T1036.001", + "name": "Invalid Code Signature", + "reference": "https://attack.mitre.org/techniques/T1036/001/" + }, + { + "id": "T1036.005", + "name": "Match Legitimate Name or Location", + "reference": "https://attack.mitre.org/techniques/T1036/005/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1554", + "name": "Compromise Host Software Binary", + "reference": "https://attack.mitre.org/techniques/T1554/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 5 + }, + "id": "79ce2c96-72f7-44f9-88ef-60fa1ac2ce47_5", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/7c2e1297-7664-42bc-af11-6d5d35220b6b_1.json b/packages/security_detection_engine/kibana/security_rule/7c2e1297-7664-42bc-af11-6d5d35220b6b_1.json new file mode 100644 index 00000000000..a64977a68fe --- /dev/null 
+++ b/packages/security_detection_engine/kibana/security_rule/7c2e1297-7664-42bc-af11-6d5d35220b6b_1.json 
@@ -0,0 +1,115 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects file creation events in the configuration directory for the APT package manager. In Linux, APT (Advanced Package Tool) is a command-line utility used for handling packages on (by default) Debian-based systems, providing functions for installing, updating, upgrading, and removing software along with managing package repositories. Attackers can backdoor APT to gain persistence by injecting malicious code into scripts that APT runs, thereby ensuring continued unauthorized access or control each time APT is used for package management.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.file*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "APT Package Manager Configuration File Creation", + "query": "file where host.os.type == \"linux\" and event.action in (\"rename\", \"creation\") and\nfile.path : \"/etc/apt/apt.conf.d/*\" and not (\n process.executable in (\n \"/bin/dpkg\", \"/usr/bin/dpkg\", \"/bin/dockerd\", \"/usr/bin/dockerd\", \"/usr/sbin/dockerd\", \"/bin/microdnf\",\n \"/usr/bin/microdnf\", \"/bin/rpm\", \"/usr/bin/rpm\", \"/bin/snapd\", \"/usr/bin/snapd\", \"/bin/yum\", \"/usr/bin/yum\",\n \"/bin/dnf\", \"/usr/bin/dnf\", \"/bin/podman\", \"/usr/bin/podman\", \"/bin/dnf-automatic\", \"/usr/bin/dnf-automatic\",\n \"/bin/pacman\", \"/usr/bin/pacman\", \"/usr/bin/dpkg-divert\", \"/bin/dpkg-divert\", \"/sbin/apk\", \"/usr/sbin/apk\",\n \"/usr/local/sbin/apk\", \"/usr/bin/apt\", \"/usr/sbin/pacman\", \"/bin/podman\", \"/usr/bin/podman\", \"/usr/bin/puppet\",\n \"/bin/puppet\", \"/opt/puppetlabs/puppet/bin/puppet\", \"/usr/bin/chef-client\", \"/bin/chef-client\",\n \"/bin/autossl_check\", \"/usr/bin/autossl_check\", \"/proc/self/exe\", \"/dev/fd/*\", \"/usr/bin/pamac-daemon\",\n \"/bin/pamac-daemon\", \"/usr/lib/snapd/snapd\", \"/usr/local/bin/dockerd\", \"/usr/libexec/netplan/generate\",\n \"/usr/local/bin/apt-get\", 
\"/usr/bin/apt-get\"\n ) or\n file.path :(\"/etc/apt/apt.conf.d/*.tmp*\") or\n file.extension in (\"swp\", \"swpx\", \"swx\", \"dpkg-remove\") or\n file.Ext.original.extension == \"dpkg-new\" or\n process.executable : (\n \"/nix/store/*\", \"/var/lib/dpkg/*\", \"/tmp/vmis.*\", \"/snap/*\", \"/dev/fd/*\", \"/usr/lib/*\", \"/usr/libexec/*\",\n \"/etc/kernel/*\"\n ) or\n process.executable == null or\n (process.name == \"sed\" and file.name : \"sed*\") or\n (process.name == \"perl\" and file.name : \"e2scrub_all.tmp*\") \n)\n", + "references": [ + "https://packetstormsecurity.com/files/152668/APT-Package-Manager-Persistence.html" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": false, + "name": "file.Ext.original.extension", + "type": "unknown" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "7c2e1297-7664-42bc-af11-6d5d35220b6b", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1543", + "name": "Create or Modify System Process", + "reference": "https://attack.mitre.org/techniques/T1543/" + }, + { + "id": "T1574", + "name": "Hijack Execution Flow", + "reference": "https://attack.mitre.org/techniques/T1574/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 + }, + "id": "7c2e1297-7664-42bc-af11-6d5d35220b6b_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/7d091a76-0737-11ef-8469-f661ea17fbcc_1.json b/packages/security_detection_engine/kibana/security_rule/7d091a76-0737-11ef-8469-f661ea17fbcc_1.json new file mode 100644 index 00000000000..fae0217dcbd --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/7d091a76-0737-11ef-8469-f661ea17fbcc_1.json 
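Review bot: `\"/dev/fd/*\"` inside the `process.executable in (...)` list of the `query` is dead: EQL `in` compares exact strings, so the wildcard never matches there, and the same pattern is already covered by the later `process.executable : (... \"/dev/fd/*\" ...)` clause, so the entry can be dropped from the `in` list. The same list also carries `\"/bin/podman\", \"/usr/bin/podman\"` twice. The `process.executable == null` exclusion silently drops every file event that lacks an executable from the rule; if that is a deliberate noise trade-off, a sentence in the `description` or a `note` saying so would help whoever tunes it later. Minor: the `setup` text links `fleet/8.10/agent-policy.html` while every other link in it uses `current`.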
@@ -0,0 +1,89 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when an Lambda Layer is added to an existing Lambda function. AWS layers are a way to share code and data across multiple functions. By adding a layer to an existing function, an attacker can persist or execute code in the context of the function.", + "false_positives": [ + "Lambda function owners may add layers to their functions for legitimate purposes." + ], + "from": "now-60m", + "index": [ + "filebeat-*", + "logs-aws.cloudtrail-*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS Lambda Layer Added to Existing Function", + "note": "\n## Triage and Analysis\n\n### Investigating AWS Lambda Layer Added to Existing Function\n\nThis rule detects when a Lambda layer is added to an existing Lambda function. AWS Lambda layers are a mechanism for sharing code and data across multiple functions. By adding a layer to an existing function, an attacker can persist or execute code in the context of the function. Understanding the context and legitimacy of such changes is crucial to determine if the action is benign or malicious.\n\n#### Possible Investigation Steps:\n\n- **Identify the Actor**: Review the `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.access_key_id` fields to identify who made the change. Verify if this actor typically performs such actions and if they have the necessary permissions.\n- **Review the Request Details**: Examine the `aws.cloudtrail.request_parameters` to understand the specific layer added to the Lambda function. Look for any unusual parameters that could suggest unauthorized or malicious modifications.\n- **Analyze the Source of the Request**: Investigate the `source.ip` and `source.geo` fields to determine the geographical origin of the request. 
An external or unexpected location might indicate compromised credentials or unauthorized access.\n- **Contextualize with Timestamp**: Use the `@timestamp` field to check when the change occurred. Modifications during non-business hours or outside regular maintenance windows might require further scrutiny.\n- **Correlate with Other Activities**: Search for related CloudTrail events before and after this change to see if the same actor or IP address engaged in other potentially suspicious activities.\n\n### False Positive Analysis:\n\n- **Legitimate Administrative Actions**: Confirm if the addition of the Lambda layer aligns with scheduled updates, development activities, or legitimate administrative tasks documented in change management systems.\n- **Consistency Check**: Compare the action against historical data of similar actions performed by the user or within the organization. If the action is consistent with past legitimate activities, it might indicate a false alarm.\n- **Verify through Outcomes**: Check the `aws.cloudtrail.response_elements` and the `event.outcome` to confirm if the change was successful and intended according to policy.\n\n### Response and Remediation:\n\n- **Immediate Review and Reversal if Necessary**: If the change was unauthorized, remove the added layer from the Lambda function to mitigate any unintended code execution or persistence.\n- **Enhance Monitoring and Alerts**: Adjust monitoring systems to alert on similar actions, especially those involving sensitive functions or layers.\n- **Educate and Train**: Provide additional training to users with administrative rights on the importance of security best practices concerning Lambda function management and the use of layers.\n- **Audit Lambda Functions and Policies**: Conduct a comprehensive audit of all Lambda functions and associated policies to ensure they adhere to the principle of least privilege.\n- **Incident Response**: If there's an indication of malicious intent or a security 
breach, initiate the incident response protocol to mitigate any damage and prevent future occurrences.\n\n### Additional Information:\n\nFor further guidance on managing Lambda functions and securing AWS environments, refer to the [AWS Lambda documentation](https://docs.aws.amazon.com/lambda/latest/dg/welcome.html) and AWS best practices for security. Additionally, consult the following resources for specific details on Lambda layers and persistence techniques:\n- [AWS Lambda Layers Persistence](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-persistence/aws-lambda-persistence/aws-lambda-layers-persistence)\n- [AWS API PublishLayerVersion](https://docs.aws.amazon.com/lambda/latest/api/API_PublishLayerVersion.html)\n- [AWS API UpdateFunctionConfiguration](https://docs.aws.amazon.com/lambda/latest/api/API_UpdateFunctionConfiguration.html)\n\n", + "query": "event.dataset: aws.cloudtrail\n and event.provider: lambda.amazonaws.com\n and event.outcome: success\n and event.action: (PublishLayerVersion* or UpdateFunctionConfiguration)\n", + "references": [ + "https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-persistence/aws-lambda-persistence/aws-lambda-layers-persistence", + "https://docs.aws.amazon.com/lambda/latest/api/API_PublishLayerVersion.html", + "https://docs.aws.amazon.com/lambda/latest/api/API_UpdateFunctionConfiguration.html" + ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "7d091a76-0737-11ef-8469-f661ea17fbcc", + "severity": "low", + "tags": [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + 
"Data Source: AWS Lambda", + "Use Case: Threat Detection", + "Tactic: Execution" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1648", + "name": "Serverless Execution", + "reference": "https://attack.mitre.org/techniques/T1648/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 1 + }, + "id": "7d091a76-0737-11ef-8469-f661ea17fbcc_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/7df3cb8b-5c0c-4228-b772-bb6cd619053c_1.json b/packages/security_detection_engine/kibana/security_rule/7df3cb8b-5c0c-4228-b772-bb6cd619053c_1.json new file mode 100644 index 00000000000..cc3b5f92c30 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/7df3cb8b-5c0c-4228-b772-bb6cd619053c_1.json 
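Review bot: The `query` fires on every successful `UpdateFunctionConfiguration` call, not only those that add a layer, so memory, timeout or environment-variable changes will alert under a rule named and described as "layer added"; narrowing on the request, e.g. `and aws.cloudtrail.request_parameters: *layers*` (the `note` already directs triage to that field), would keep it to layer changes — confirm the field's mapping in the aws.cloudtrail integration supports that wildcard. `PublishLayerVersion*` publishes a layer version but attaches nothing to an existing function, so it does not fit this rule's premise and adds noise. The description says the attacker "can persist", yet `threat` maps only TA0002 Execution; consider whether a Persistence entry is warranted or drop the persistence wording. The description also has a typo: `"Identifies when an Lambda Layer"` should read `a Lambda Layer`.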
@@ -0,0 +1,125 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule identifies the creation of SSH keys using the ssh-keygen tool, which is the standard utility for generating SSH keys. Users often create SSH keys for authentication with remote services. However, threat actors can exploit this tool to move laterally across a network or maintain persistence by generating unauthorized SSH keys, granting them SSH access to systems.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.process*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "SSH Key Generated via ssh-keygen", + "query": "file where host.os.type == \"linux\" and event.action in (\"creation\", \"file_create_event\") and\nprocess.executable == \"/usr/bin/ssh-keygen\" and file.path : (\"/home/*/.ssh/*\", \"/root/.ssh/*\", \"/etc/ssh/*\") and\nnot file.name : \"known_hosts.*\"\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "7df3cb8b-5c0c-4228-b772-bb6cd619053c", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Lateral Movement", + "Tactic: Persistence", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1098", + "name": "Account Manipulation", + "reference": "https://attack.mitre.org/techniques/T1098/", + 
"subtechnique": [ + { + "id": "T1098.004", + "name": "SSH Authorized Keys", + "reference": "https://attack.mitre.org/techniques/T1098/004/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/", + "subtechnique": [ + { + "id": "T1021.004", + "name": "SSH", + "reference": "https://attack.mitre.org/techniques/T1021/004/" + } + ] + }, + { + "id": "T1563", + "name": "Remote Service Session Hijacking", + "reference": "https://attack.mitre.org/techniques/T1563/", + "subtechnique": [ + { + "id": "T1563.001", + "name": "SSH Hijacking", + "reference": "https://attack.mitre.org/techniques/T1563/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 + }, + "id": "7df3cb8b-5c0c-4228-b772-bb6cd619053c_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/7fb500fa-8e24-4bd1-9480-2a819352602c_11.json b/packages/security_detection_engine/kibana/security_rule/7fb500fa-8e24-4bd1-9480-2a819352602c_11.json new file mode 100644 index 00000000000..db337408b59 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/7fb500fa-8e24-4bd1-9480-2a819352602c_11.json 
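Review bot: The `index` list (`logs-endpoint.events.process*`, `endgame-*`) does not match the `file where ...` query: Elastic Defend writes file events to `logs-endpoint.events.file*`, so with the process stream listed, Defend data never reaches this rule and only the Endgame `file_create_event` path can fire. Change the entry to `"logs-endpoint.events.file*"`, the pattern the APT configuration rule in this same commit uses for its file query. Separately, `process.executable == \"/usr/bin/ssh-keygen\"` is an exact comparison and misses `/bin/ssh-keygen` on systems without a merged /usr; `process.executable in (\"/usr/bin/ssh-keygen\", \"/bin/ssh-keygen\")` covers both, matching how the APT rule lists both path variants.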
@@ -0,0 +1,110 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects the creation of a systemd timer within any of the default systemd timer directories. Systemd timers can be used by an attacker to gain persistence, by scheduling the execution of a command or script. Similarly to cron/at, systemd timers can be set up to execute on boot time, or on a specific point in time, which allows attackers to regain access in case the connection to the infected asset was lost.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.file*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Systemd Timer Created", + "note": "## Triage and analysis\n\n### Investigating Systemd Timer Created\n\nSystemd timers are used for scheduling and automating recurring tasks or services on Linux systems. \n\nAttackers can leverage systemd timers to run scripts, commands, or malicious software at system boot or on a set time interval by creating a systemd timer and a corresponding systemd service file. \n\nThis rule monitors the creation of new systemd timer files, potentially indicating the creation of a persistence mechanism.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible Investigation Steps\n\n- Investigate the timer file that was created or modified.\n - !{osquery{\"label\":\"Osquery - Retrieve File Information\",\"query\":\"SELECT * FROM file WHERE path = {{file.path}}\"}}\n- Investigate the currently enabled systemd timers through the following command `sudo systemctl list-timers`.\n- Search for the systemd service file named similarly to the timer that was created.\n- Investigate whether any other files in any of the available systemd directories have been altered through OSQuery.\n - !{osquery{\"label\":\"Osquery - Retrieve File Listing Information\",\"query\":\"SELECT * FROM file WHERE (path LIKE '/etc/systemd/system/%' OR path LIKE '/usr/local/lib/systemd/system/%'\\nOR path LIKE '/lib/systemd/system/%' OR path LIKE '/usr/lib/systemd/system/%'\\nOR path LIKE '/home/{{user.name}}/.config/systemd/user/%' OR path LIKE '/home/{{user.name}}/.local/share/systemd/user/%'\\nOR path LIKE '/root/.config/systemd/user/%' OR path LIKE '/root/.local/share/systemd/user/%')\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Additional File Listing Information\",\"query\":\"SELECT f.path, u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS\\nfile_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS\\nfile_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM file f LEFT\\nJOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE ( path LIKE '/etc/systemd/system/%' OR path LIKE\\n'/usr/local/lib/systemd/system/%' OR path LIKE '/lib/systemd/system/%' OR path LIKE '/usr/lib/systemd/system/%' OR path\\nLIKE '/home/{{user.name}}/.config/systemd/user/%' OR path LIKE '/home/{{user.name}}/.local/share/systemd/user/%'\\nOR path 
LIKE '/root/.config/systemd/user/%' OR path LIKE '/root/.local/share/systemd/user/%')\\n\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. \n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator who uses systemd timers for administrative purposes, consider adding exceptions for this specific administrator user account. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the service/timer or restore its original configuration.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "file where host.os.type == \"linux\" and event.action in (\"rename\", \"creation\") and file.path : (\n \"/etc/systemd/system/*\", \"/usr/local/lib/systemd/system/*\", \"/lib/systemd/system/*\",\n \"/usr/lib/systemd/system/*\", \"/home/*/.config/systemd/user/*\", \"/home/*/.local/share/systemd/user/*\",\n \"/root/.config/systemd/user/*\", \"/root/.local/share/systemd/user/*\"\n) and file.extension == \"timer\" and not (\n process.executable in (\n \"/bin/dpkg\", \"/usr/bin/dpkg\", \"/bin/dockerd\", \"/usr/bin/dockerd\", \"/usr/sbin/dockerd\", \"/bin/microdnf\",\n \"/usr/bin/microdnf\", \"/bin/rpm\", \"/usr/bin/rpm\", \"/bin/snapd\", \"/usr/bin/snapd\", \"/bin/yum\", \"/usr/bin/yum\",\n \"/bin/dnf\", \"/usr/bin/dnf\", \"/bin/podman\", \"/usr/bin/podman\", \"/bin/dnf-automatic\", \"/usr/bin/dnf-automatic\",\n \"/bin/pacman\", \"/usr/bin/pacman\", \"/usr/bin/dpkg-divert\", \"/bin/dpkg-divert\", \"/sbin/apk\", \"/usr/sbin/apk\",\n \"/usr/local/sbin/apk\", \"/usr/bin/apt\", \"/usr/sbin/pacman\", \"/bin/podman\", \"/usr/bin/podman\", \"/usr/bin/puppet\",\n \"/bin/puppet\", \"/opt/puppetlabs/puppet/bin/puppet\", \"/usr/bin/chef-client\", \"/bin/chef-client\",\n \"/bin/autossl_check\", \"/usr/bin/autossl_check\", \"/proc/self/exe\", \"/dev/fd/*\", \"/usr/bin/pamac-daemon\",\n \"/bin/pamac-daemon\", \"/usr/lib/snapd/snapd\", \"/usr/local/bin/dockerd\"\n ) or\n file.extension in (\"swp\", \"swpx\", \"swx\", \"dpkg-remove\") or\n file.Ext.original.extension == \"dpkg-new\" or\n process.executable : (\n \"/nix/store/*\", \"/var/lib/dpkg/*\", \"/tmp/vmis.*\", \"/snap/*\", \"/dev/fd/*\", \"/usr/lib/virtualbox/*\"\n 
) or\n process.executable == null or\n (process.name == \"sed\" and file.name : \"sed*\") or\n (process.name == \"perl\" and file.name : \"e2scrub_all.tmp*\") \n)\n", + "references": [ + "https://opensource.com/article/20/7/systemd-timers", + "https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": false, + "name": "file.Ext.original.extension", + "type": "unknown" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "7fb500fa-8e24-4bd1-9480-2a819352602c", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Resources: Investigation Guide", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1053", + "name": "Scheduled Task/Job", + "reference": "https://attack.mitre.org/techniques/T1053/", + "subtechnique": [ + { + "id": "T1053.006", + "name": "Systemd Timers", + "reference": "https://attack.mitre.org/techniques/T1053/006/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 11 + }, + "id": "7fb500fa-8e24-4bd1-9480-2a819352602c_11", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/7fda9bb2-fd28-11ee-85f9-f661ea17fbce_1.json b/packages/security_detection_engine/kibana/security_rule/7fda9bb2-fd28-11ee-85f9-f661ea17fbce_1.json new file mode 100644 index 00000000000..b6c7a56b957 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/7fda9bb2-fd28-11ee-85f9-f661ea17fbce_1.json 
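Review bot: Several entries in the exclusion block of `query` are paths an attacker controls, so they double as documented bypasses: `process.executable : ("/tmp/vmis.*", ...)` suppresses timer creation by any binary staged under a world-writable `/tmp/vmis.<anything>` directory, and the `"/dev/fd/*"`, `"/proc/self/exe"` and `process.executable == null` clauses suppress exactly the fileless (memfd / `/dev/fd`) execution style a persistence implant would use. I would drop the `/tmp/vmis.*` glob outright and, for the others, add a line under "False Positive Analysis" such as "Timer files written by processes executing from `/dev/fd`, `/proc/self/exe` or with no recorded executable are intentionally excluded for noise; hunt for those separately", so triage knows the blind spot exists. Also a style nit: `"/dev/fd/*"`, `"/bin/podman"` and `"/usr/bin/podman"` appear in both the `in (...)` list and the `: (...)` list; inside `in` the comparison is literal, so the wildcard form there is dead text and can be removed.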
@@ -0,0 +1,56 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies potential ransomware note being uploaded to an AWS S3 bucket. This rule detects the `PutObject` S3 API call with a common ransomware note file extension such as `.ransom`, or `.lock`. Adversaries with access to a misconfigured S3 bucket may retrieve, delete, and replace objects with ransom notes to extort victims.", + "false_positives": [ + "Administrators may legitimately access, delete, and replace objects in S3 buckets. Ensure that the sequence of events is not part of a legitimate operation before taking action." + ], + "from": "now-9m", + "language": "esql", + "license": "Elastic License v2", + "name": "Potential AWS S3 Bucket Ransomware Note Uploaded", + "note": "\n## Triage and Analysis\n\n### Investigating Potential AWS S3 Bucket Ransomware Note Uploaded\n\nThis rule detects the `PutObject` S3 API call with a common ransomware note file extension such as `.ransom`, or `.lock`. Adversaries with access to a misconfigured S3 bucket may retrieve, delete, and replace objects with ransom notes to extort victims.\n\n#### Possible Investigation Steps:\n\n- **Identify the Actor**: Review the `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.access_key_id` fields to identify who performed the action. Verify if this actor typically performs such actions and if they have the necessary permissions.\n- **Review the Request Details**: Examine the `aws.cloudtrail.request_parameters` to understand the specific details of the `PutObject` action. Look for any unusual parameters that could suggest unauthorized or malicious modifications.\n- **Analyze the Source of the Request**: Investigate the `source.ip` and `source.geo` fields to determine the geographical origin of the request. 
An external or unexpected location might indicate compromised credentials or unauthorized access.\n- **Contextualize with Timestamp**: Use the `@timestamp` field to check when the ransom note was uploaded. Changes during non-business hours or outside regular maintenance windows might require further scrutiny.\n- **Inspect the Ransom Note**: Review the `aws.cloudtrail.request_parameters` for the `PutObject` action to identify the characteristics of the uploaded ransom note. Look for common ransomware file extensions such as `.txt`, `.note`, `.ransom`, or `.html`.\n- **Correlate with Other Activities**: Search for related CloudTrail events before and after this action to see if the same actor or IP address engaged in other potentially suspicious activities.\n- **Check for Object Deletion or Access**: Look for `DeleteObject`, `DeleteObjects`, or `GetObject` API calls to the same S3 bucket that may indicate the adversary accessing and destroying objects before placing the ransom note.\n\n### False Positive Analysis:\n\n- **Legitimate Administrative Actions**: Confirm if the `PutObject` action aligns with scheduled updates, maintenance activities, or legitimate administrative tasks documented in change management systems.\n- **Consistency Check**: Compare the action against historical data of similar activities performed by the user or within the organization. 
If the action is consistent with past legitimate activities, it might indicate a false alarm.\n- **Verify through Outcomes**: Check the `aws.cloudtrail.response_elements` and the `event.outcome` to confirm if the upload was successful and intended according to policy.\n\n### Response and Remediation:\n\n- **Immediate Review and Reversal if Necessary**: If the activity was unauthorized, remove the uploaded ransom notes from the S3 bucket and review the bucket's access logs for any suspicious activity.\n- **Enhance Monitoring and Alerts**: Adjust monitoring systems to alert on similar `PutObject` actions, especially those involving sensitive data or unusual file extensions.\n- **Educate and Train**: Provide additional training to users with administrative rights on the importance of security best practices concerning S3 bucket management and the risks of ransomware.\n- **Audit S3 Bucket Policies and Permissions**: Conduct a comprehensive audit of all S3 bucket policies and associated permissions to ensure they adhere to the principle of least privilege.\n- **Incident Response**: If there's an indication of malicious intent or a security breach, initiate the incident response protocol to mitigate any damage and prevent future occurrences.\n\n### Additional Information:\n\nFor further guidance on managing S3 bucket security and protecting against ransomware, refer to the [AWS S3 documentation](https://docs.aws.amazon.com/AmazonS3/latest/userguide/Welcome.html) and AWS best practices for security. 
Additionally, consult the following resources for specific details on S3 ransomware protection:\n- [ERMETIC REPORT - AWS S3 Ransomware Exposure in the Wild](https://s3.amazonaws.com/bizzabo.file.upload/PtZzA0eFQwV2RA5ysNeo_ERMETIC%20REPORT%20-%20AWS%20S3%20Ransomware%20Exposure%20in%20the%20Wild.pdf)\n- [AWS S3 Ransomware Batch Deletion](https://stratus-red-team.cloud/attack-techniques/AWS/aws.impact.s3-ransomware-batch-deletion/)\n- [S3 Ransomware Part 1: Attack Vector](https://rhinosecuritylabs.com/aws/s3-ransomware-part-1-attack-vector/)\n", + "query": "from logs-aws.cloudtrail-*\n\n// any successful uploads via S3 API requests\n| where event.dataset == \"aws.cloudtrail\"\n and event.provider == \"s3.amazonaws.com\"\n and event.action == \"PutObject\"\n and event.outcome == \"success\"\n\n// abstract object name from API request parameters\n| dissect aws.cloudtrail.request_parameters \"%{?ignore_values}key=%{object_name}}\"\n\n// regex on common ransomware note extensions\n| where object_name rlike \"(.*).(ransom|lock|crypt|enc|readme|how_to_decrypt|decrypt_instructions|recovery|datarescue)\"\n\n// aggregate by S3 bucket, resource and object name\n| stats note_upload_count = count(*) by tls.client.server_name, aws.cloudtrail.user_identity.arn, object_name\n\n// filter for single occurrence to eliminate common upload operations\n| where note_upload_count == 1\n", + "references": [ + "https://s3.amazonaws.com/bizzabo.file.upload/PtZzA0eFQwV2RA5ysNeo_ERMETIC%20REPORT%20-%20AWS%20S3%20Ransomware%20Exposure%20in%20the%20Wild.pdf", + "https://stratus-red-team.cloud/attack-techniques/AWS/aws.impact.s3-ransomware-batch-deletion/", + "https://rhinosecuritylabs.com/aws/s3-ransomware-part-1-attack-vector/" + ], + "risk_score": 47, + "rule_id": "7fda9bb2-fd28-11ee-85f9-f661ea17fbce", + "setup": "AWS S3 data types need to be enabled in the CloudTrail trail configuration.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web 
Services", + "Data Source: AWS S3", + "Use Case: Threat Detection", + "Tactic: Impact" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0040", + "name": "Impact", + "reference": "https://attack.mitre.org/tactics/TA0040/" + }, + "technique": [ + { + "id": "T1485", + "name": "Data Destruction", + "reference": "https://attack.mitre.org/techniques/T1485/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "esql", + "version": 1 + }, + "id": "7fda9bb2-fd28-11ee-85f9-f661ea17fbce_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/84755a05-78c8-4430-8681-89cd6c857d71_1.json b/packages/security_detection_engine/kibana/security_rule/84755a05-78c8-4430-8681-89cd6c857d71_1.json new file mode 100644 index 00000000000..6329d2dc96d --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/84755a05-78c8-4430-8681-89cd6c857d71_1.json 
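Review bot: The extension match in `query`, `rlike "(.*).(ransom|lock|crypt|enc|readme|how_to_decrypt|...)"`, uses an unescaped `.` and is case-sensitive, so it is simultaneously too loose (any object whose name merely ends in `lock`, `enc` or `recovery`, e.g. `yarn.lock` or `disaster-recovery`, matches) and too strict (the upper-case `README.txt` / `HOW_TO_DECRYPT.txt` names the investigation guide itself tells analysts to look for never match). Suggested line: `| where to_lower(object_name) rlike ".*\\.(ransom|lock|crypt|enc|readme|how_to_decrypt|decrypt_instructions|recovery|datarescue)"` (the backslash is doubled once more when JSON-escaped). The trailing `| where note_upload_count == 1` also means an actor who writes the same note twice to the same bucket, or retries after a transient error, drops out of the result set; if the intent is "rare per bucket" rather than "exactly once", `<= 2` or a separate distinct-object check would be safer. Finally, `dissect` keys on the literal `key=` inside `aws.cloudtrail.request_parameters`, so any change in how that field is serialized silently empties `object_name`; a short comment in `setup` noting that dependency would help whoever maintains this.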
@@ -0,0 +1,150 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule monitors for at jobs being created or renamed. Linux at jobs are scheduled tasks that can be leveraged by system administrators to set up scheduled tasks, but may be abused by malicious actors for persistence, privilege escalation and command execution. By creating or modifying cron job configurations, attackers can execute malicious commands or scripts at predefined intervals, ensuring their continued presence and enabling unauthorized activities.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.file*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "At Job Created or Modified", + "query": "file where host.os.type == \"linux\" and\nevent.action in (\"rename\", \"creation\") and file.path : \"/var/spool/cron/atjobs/*\" and not (\n process.executable in (\n \"/bin/dpkg\", \"/usr/bin/dpkg\", \"/bin/dockerd\", \"/usr/bin/dockerd\", \"/usr/sbin/dockerd\", \"/bin/microdnf\",\n \"/usr/bin/microdnf\", \"/bin/rpm\", \"/usr/bin/rpm\", \"/bin/snapd\", \"/usr/bin/snapd\", \"/bin/yum\", \"/usr/bin/yum\",\n \"/bin/dnf\", \"/usr/bin/dnf\", \"/bin/podman\", \"/usr/bin/podman\", \"/bin/dnf-automatic\", \"/usr/bin/dnf-automatic\",\n \"/bin/pacman\", \"/usr/bin/pacman\", \"/usr/bin/dpkg-divert\", \"/bin/dpkg-divert\", \"/sbin/apk\", \"/usr/sbin/apk\",\n \"/usr/local/sbin/apk\", \"/usr/bin/apt\", \"/usr/sbin/pacman\", \"/bin/podman\", \"/usr/bin/podman\", \"/usr/bin/puppet\",\n \"/bin/puppet\", \"/opt/puppetlabs/puppet/bin/puppet\", \"/usr/bin/chef-client\", \"/bin/chef-client\",\n \"/bin/autossl_check\", \"/usr/bin/autossl_check\", \"/proc/self/exe\", \"/dev/fd/*\", \"/usr/bin/pamac-daemon\",\n \"/bin/pamac-daemon\", \"/usr/local/bin/dockerd\"\n ) or\n file.extension in (\"swp\", \"swpx\", \"swx\", \"dpkg-remove\") or\n file.Ext.original.extension == \"dpkg-new\" or\n process.executable : (\"/nix/store/*\", \"/var/lib/dpkg/*\", \"/tmp/vmis.*\", 
\"/snap/*\", \"/dev/fd/*\") or\n process.executable == null or\n (process.name == \"sed\" and file.name : \"sed*\") or\n (process.name == \"perl\" and file.name : \"e2scrub_all.tmp*\") \n)\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": false, + "name": "file.Ext.original.extension", + "type": "unknown" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "84755a05-78c8-4430-8681-89cd6c857d71", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Privilege Escalation", + "Tactic: Execution", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1053", + "name": "Scheduled Task/Job", + "reference": "https://attack.mitre.org/techniques/T1053/", + "subtechnique": [ + { + "id": "T1053.002", + "name": "At", + "reference": "https://attack.mitre.org/techniques/T1053/002/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1053", + "name": "Scheduled Task/Job", + "reference": "https://attack.mitre.org/techniques/T1053/", + "subtechnique": [ + { + "id": "T1053.002", + "name": "At", + "reference": "https://attack.mitre.org/techniques/T1053/002/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1053", + "name": "Scheduled Task/Job", + "reference": "https://attack.mitre.org/techniques/T1053/", + 
"subtechnique": [ + { + "id": "T1053.002", + "name": "At", + "reference": "https://attack.mitre.org/techniques/T1053/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 + }, + "id": "84755a05-78c8-4430-8681-89cd6c857d71_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/873b5452-074e-11ef-852e-f661ea17fbcc_1.json b/packages/security_detection_engine/kibana/security_rule/873b5452-074e-11ef-852e-f661ea17fbcc_1.json new file mode 100644 index 00000000000..f879de01f66 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/873b5452-074e-11ef-852e-f661ea17fbcc_1.json 
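Review bot: The single path in `query`, `file.path : "/var/spool/cron/atjobs/*"`, is the Debian/Ubuntu layout; as far as I know the RHEL/Fedora/SUSE `at` packages spool jobs under `/var/spool/at/`, so this rule, tagged "OS: Linux" generally, is silent on those hosts. Suggested change: `file.path : ("/var/spool/cron/atjobs/*", "/var/spool/at/*")`. The `description` also still says "By creating or modifying cron job configurations", which reads as copied from the cron rule and should refer to at jobs. Note too that `event.action in ("rename", "creation")` does not include `change`, so the "Modified" in the rule name overstates coverage: an in-place edit of an existing job file is not detected, and either the name or the description should say so.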
@@ -0,0 +1,97 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when a new SSH public key is uploaded to an AWS EC2 instance using the EC2 Instance Connect service. This action could indicate an adversary attempting to maintain access to the instance. The rule also detects the `SendSerialConsoleSSHPublicKey` API action, which could be used for privilege escalation if the serial console is enabled. Monitoring these activities helps ensure unauthorized access attempts are detected and mitigated promptly.", + "false_positives": [ + "Administrators may upload SSH public keys to EC2 instances for legitimate purposes." + ], + "from": "now-9m", + "index": [ + "filebeat-*", + "logs-aws.cloudtrail-*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS EC2 Instance Connect SSH Public Key Uploaded", + "note": "## Triage and Analysis\n\n### Investigating AWS EC2 Instance Connect SSH Public Key Uploaded\n\nThis rule detects when a new SSH public key is uploaded to an AWS EC2 instance using the EC2 Instance Connect service. Adversaries may upload SSH public keys to EC2 instances to maintain access to the instance. The rule also covers cases where the `SendSerialConsoleSSHPublicKey` API action is used to upload an SSH public key to a serial connection, which can be exploited for privilege escalation.\n\n#### Possible Investigation Steps:\n\n- **Identify the Actor**: Review the `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.access_key_id` fields to identify who performed the action. Verify if this actor typically performs such actions and if they have the necessary permissions.\n- **Review the Request Details**: Examine the `aws.cloudtrail.request_parameters` to understand the specific details of the SSH public key upload. 
Look for any unusual parameters that could suggest unauthorized or malicious modifications.\n- **Analyze the Source of the Request**: Investigate the `source.ip` and `source.geo` fields to determine the geographical origin of the request. An external or unexpected location might indicate compromised credentials or unauthorized access.\n- **Contextualize with Timestamp**: Use the `@timestamp` field to check when the SSH public key was uploaded. Changes during non-business hours or outside regular maintenance windows might require further scrutiny.\n- **Correlate with Other Activities**: Search for related CloudTrail events before and after this action to see if the same actor or IP address engaged in other potentially suspicious activities.\n- **Check for Serial Console Access**: If the `SendSerialConsoleSSHPublicKey` action was used, verify if the `ec2:EnableSerialConsoleAccess` permission was also used, which might indicate an attempt to enable and exploit the serial console.\n\n### False Positive Analysis:\n\n- **Legitimate Administrative Actions**: Confirm if the SSH public key upload aligns with scheduled updates, development activities, or legitimate administrative tasks documented in change management systems.\n- **Consistency Check**: Compare the action against historical data of similar actions performed by the user or within the organization. 
If the action is consistent with past legitimate activities, it might indicate a false alarm.\n- **Verify through Outcomes**: Check the `aws.cloudtrail.response_elements` and the `event.outcome` to confirm if the upload was successful and intended according to policy.\n\n### Response and Remediation:\n\n- **Immediate Review and Reversal if Necessary**: If the upload was unauthorized, remove the uploaded SSH public key from the EC2 instance and review the instance's access logs for any suspicious activity.\n- **Enhance Monitoring and Alerts**: Adjust monitoring systems to alert on similar actions, especially those involving sensitive instances or unusual file extensions.\n- **Educate and Train**: Provide additional training to users with administrative rights on the importance of security best practices concerning SSH key management and the risks of unauthorized key uploads.\n- **Audit EC2 Instance Policies and Permissions**: Conduct a comprehensive audit of all EC2 instance policies and associated permissions to ensure they adhere to the principle of least privilege.\n- **Incident Response**: If there's an indication of malicious intent or a security breach, initiate the incident response protocol to mitigate any damage and prevent future occurrences.\n\n### Additional Information:\n\nFor further guidance on managing EC2 instances and securing AWS environments, refer to the [AWS EC2 Instance Connect documentation](https://docs.aws.amazon.com/ec2-instance-connect/latest/APIReference/API_SendSSHPublicKey.html) and AWS best practices for security. 
Additionally, consult the following resources for specific details on SSH key management and privilege escalation techniques:\n- [Stratus Red Team - AWS EC2 Instance Connect](https://stratus-red-team.cloud/attack-techniques/AWS/aws.lateral-movement.ec2-instance-connect/)\n- [HackTricks - AWS EC2 Privilege Escalation](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ec2-privesc)\n- [AWS EC2 Instance Connect API Reference](https://docs.aws.amazon.com/ec2-instance-connect/latest/APIReference/API_SendSSHPublicKey.html)\n", + "query": "event.dataset: aws.cloudtrail\n and event.provider: ec2-instance-connect.amazonaws.com\n and event.action: (SendSSHPublicKey or SendSerialConsoleSSHPublicKey)\n and event.outcome: success\n", + "references": [ + "https://stratus-red-team.cloud/attack-techniques/AWS/aws.lateral-movement.ec2-instance-connect/", + "https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ec2-privesc", + "https://medium.parttimepolymath.net/aws-ec2-instance-connect-a-very-neat-trick-4d2fc0c28010", + "https://docs.aws.amazon.com/ec2-instance-connect/latest/APIReference/API_SendSSHPublicKey.html", + "https://docs.aws.amazon.com/ec2-instance-connect/latest/APIReference/API_SendSerialConsoleSSHPublicKey.html" + ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "873b5452-074e-11ef-852e-f661ea17fbcc", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Data Source: AWS EC2", + "Use Case: Identity and Access Audit", + "Tactic: 
Privilege Escalation" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1098", + "name": "Account Manipulation", + "reference": "https://attack.mitre.org/techniques/T1098/", + "subtechnique": [ + { + "id": "T1098.004", + "name": "SSH Authorized Keys", + "reference": "https://attack.mitre.org/techniques/T1098/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 1 + }, + "id": "873b5452-074e-11ef-852e-f661ea17fbcc_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/88817a33-60d3-411f-ba79-7c905d865b2a_108.json b/packages/security_detection_engine/kibana/security_rule/88817a33-60d3-411f-ba79-7c905d865b2a_108.json new file mode 100644 index 00000000000..345ac7337a6 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/88817a33-60d3-411f-ba79-7c905d865b2a_108.json 
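Review bot: The "Response and Remediation" bullets in `note` contain a copy-paste artifact from the S3 rule: "Adjust monitoring systems to alert on similar actions, especially those involving sensitive instances or unusual file extensions" makes no sense for an SSH key push and should drop the file-extension clause. The first remediation step, "remove the uploaded SSH public key from the EC2 instance", is also probably not actionable: if I recall the Instance Connect docs correctly the pushed key is only honoured for a short window and is never written to `authorized_keys`, so the useful steps are to revoke the calling principal's credentials and to hunt for persistence the actor may have planted on the instance during that window (new `authorized_keys` entries, users, cron/systemd units). The serial-console pivot is phrased as a permission (`ec2:EnableSerialConsoleAccess`); the CloudTrail event to correlate on is `event.provider: ec2.amazonaws.com and event.action: EnableSerialConsoleAccess`, which is what an analyst can actually search. Finally, `event.outcome: success` discards denied `SendSSHPublicKey` attempts, which are often the first visible sign of a compromised key probing for reach; consider a companion rule or a comment explaining why failures are intentionally excluded.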
@@ -0,0 +1,85 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Adversaries may create or modify the Sublime application plugins or scripts to execute a malicious payload each time the Sublime application is started.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Sublime Plugin or Application Script Modification", + "query": "file where host.os.type == \"macos\" and event.type in (\"change\", \"creation\") and file.extension : \"py\" and\n file.path :\n (\n \"/Users/*/Library/Application Support/Sublime Text*/Packages/*.py\",\n \"/Applications/Sublime Text.app/Contents/MacOS/sublime.py\"\n ) and\n not process.executable :\n (\n \"/Applications/Sublime Text*.app/Contents/*\",\n \"/usr/local/Cellar/git/*/bin/git\",\n \"/Library/Developer/CommandLineTools/usr/bin/git\",\n \"/usr/libexec/xpcproxy\",\n \"/System/Library/PrivateFrameworks/DesktopServicesPriv.framework/Versions/A/Resources/DesktopServicesHelper\"\n )\n", + "references": [ + "https://posts.specterops.io/persistent-jxa-66e1c3cd1cf5" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "88817a33-60d3-411f-ba79-7c905d865b2a", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1554", + "name": "Compromise Host Software Binary", + "reference": "https://attack.mitre.org/techniques/T1554/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 108 + }, + "id": "88817a33-60d3-411f-ba79-7c905d865b2a_108", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/88fdcb8c-60e5-46ee-9206-2663adf1b1ce_106.json b/packages/security_detection_engine/kibana/security_rule/88fdcb8c-60e5-46ee-9206-2663adf1b1ce_106.json new file mode 100644 index 00000000000..52974f2f257 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/88fdcb8c-60e5-46ee-9206-2663adf1b1ce_106.json 
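Review bot: The `index` pattern `"logs-endpoint.events.*"` on this `file where` query is broader than the sibling file rules in this commit, which scope themselves to `"logs-endpoint.events.file*"` (see the 88fdcb8c and 96d11d31 rule files below); narrowing it the same way keeps the rule from scanning the process, network and registry streams for a file-category query. The rule also carries no `note` field, so a version-108 rule ships without triage guidance, while the MOTD rule in the same commit has a full investigation guide. A short `note` naming what to check (the writing process on `process.executable`, the contents of the created or changed `.py` file, and other recent changes under the same `Packages` directory) would bring it in line.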
@@ -0,0 +1,123 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the creation of a sudo binary located at /usr/bin/sudo. Attackers may hijack the default sudo binary and replace it with a custom binary or script that can read the user's password in clear text to escalate privileges or enable persistence onto the system every time the sudo binary is executed.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.file*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Sudo Hijacking", + "query": "file where host.os.type == \"linux\" and event.action in (\"creation\", \"rename\") and\nfile.path in (\"/usr/bin/sudo\", \"/bin/sudo\") and not (\n file.Ext.original.path in (\"/usr/bin/sudo\", \"/bin/sudo\") or\n process.executable in (\n \"/bin/dpkg\", \"/usr/bin/dpkg\", \"/bin/dockerd\", \"/usr/bin/dockerd\", \"/usr/sbin/dockerd\", \"/bin/microdnf\",\n \"/bin/rpm\", \"/usr/bin/rpm\", \"/bin/snapd\", \"/usr/bin/snapd\", \"/bin/yum\", \"/usr/bin/yum\", \"/bin/dnf\", \"/usr/bin/dnf\",\n \"/bin/podman\", \"/usr/bin/podman\", \"/bin/dnf-automatic\", \"/usr/bin/dnf-automatic\", \"/bin/pacman\", \"/usr/bin/pacman\",\n \"/usr/bin/dpkg-divert\", \"/bin/dpkg-divert\", \"/sbin/apk\", \"/usr/sbin/apk\", \"/usr/local/sbin/apk\", \"/usr/bin/apt\",\n \"/usr/sbin/pacman\", \"/usr/bin/microdnf\", \"/usr/local/bin/dockerd\", \"/usr/local/bin/podman\", \"/usr/local/bin/dnf\",\n \"/kaniko/executor\", \"/proc/self/exe\", \"/usr/bin/apt-get\", \"/usr/bin/apt-cache\", \"/usr/bin/apt-mark\"\n ) or\n file.Ext.original.extension == \"dpkg-new\" or\n process.executable : (\n \"/nix/store/*\", \"/var/lib/dpkg/*\", \"/tmp/vmis.*\", \"/snap/*\", \"/dev/fd/*\", \"/var/lib/docker/*\"\n ) or\n process.executable == null or\n (process.name == \"sed\" and file.name : \"sed*\")\n)\n", + "references": [ + "https://eapolsniper.github.io/2020/08/17/Sudo-Hijacking/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": 
"^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": false, + "name": "file.Ext.original.extension", + "type": "unknown" + }, + { + "ecs": false, + "name": "file.Ext.original.path", + "type": "unknown" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "88fdcb8c-60e5-46ee-9206-2663adf1b1ce", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. 
[Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Tactic: Persistence", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1548", + "name": "Abuse Elevation Control Mechanism", + "reference": "https://attack.mitre.org/techniques/T1548/", + "subtechnique": [ + { + "id": "T1548.003", + "name": "Sudo and Sudo Caching", + "reference": "https://attack.mitre.org/techniques/T1548/003/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1574", + "name": "Hijack Execution Flow", + "reference": "https://attack.mitre.org/techniques/T1574/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 106 + }, + 
"id": "88fdcb8c-60e5-46ee-9206-2663adf1b1ce_106",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/93c1ce76-494c-4f01-8167-35edfb52f7b1_309.json b/packages/security_detection_engine/kibana/security_rule/93c1ce76-494c-4f01-8167-35edfb52f7b1_309.json
new file mode 100644
index 00000000000..b55830a2778
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/93c1ce76-494c-4f01-8167-35edfb52f7b1_309.json
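Review bot: The `setup` text in this rule links the agent-policy guide at a pinned documentation version, `https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html`, while every other link in the same paragraph uses `current` and the 88817a33 rule earlier in this commit links `https://www.elastic.co/guide/en/fleet/current/agent-policy.html` for the same step. The same pinned 8.10 link appears in the 94418745 and 96d11d31 rule files below; a single pinned URL will go stale as the docs move and reads as a copy-paste leftover. Replacing `fleet/8.10/` with `fleet/current/` in all three setup strings makes them consistent with the rest of the block.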
@@ -0,0 +1,85 @@
+{
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Identifies registry write modifications to hide an encoded portable executable. This could be indicative of adversary defense evasion by avoiding the storing of malicious content directly on disk.",
+ "from": "now-9m",
+ "index": [
+ "logs-endpoint.events.registry-*",
+ "endgame-*",
+ "logs-windows.sysmon_operational-*",
+ "logs-sentinel_one_cloud_funnel.*"
+ ],
+ "language": "eql",
+ "license": "Elastic License v2",
+ "name": "Encoded Executable Stored in the Registry",
+ "query": "registry where host.os.type == \"windows\" and\n/* update here with encoding combinations */\n registry.data.strings : \"TVqQAAMAAAAEAAAA*\"\n",
+ "related_integrations": [
+ {
+ "package": "endpoint",
+ "version": "^8.2.0"
+ },
+ {
+ "package": "windows",
+ "version": "^1.5.0"
+ },
+ {
+ "package": "sentinel_one_cloud_funnel",
+ "version": "^1.0.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "host.os.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "registry.data.strings",
+ "type": "wildcard"
+ }
+ ],
+ "risk_score": 47,
+ "rule_id": "93c1ce76-494c-4f01-8167-35edfb52f7b1",
+ "severity": "medium",
+ "tags": [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Defense Evasion",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+ "Data Source: Sysmon",
+ "Data Source: SentinelOne"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0005",
+ "name": "Defense Evasion",
+ "reference": "https://attack.mitre.org/tactics/TA0005/"
+ },
+ "technique": [
+ {
+ "id": "T1112",
+ "name": "Modify Registry",
+ "reference": "https://attack.mitre.org/techniques/T1112/"
+ },
+ {
+ "id": "T1140",
+ "name": "Deobfuscate/Decode Files or Information",
+ "reference": "https://attack.mitre.org/techniques/T1140/"
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "eql",
+ "version": 309
+ },
+ "id": "93c1ce76-494c-4f01-8167-35edfb52f7b1_309",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/94418745-529f-4259-8d25-a713a6feb6ae_1.json b/packages/security_detection_engine/kibana/security_rule/94418745-529f-4259-8d25-a713a6feb6ae_1.json
new file mode 100644
index 00000000000..5c0b4841d0a
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/94418745-529f-4259-8d25-a713a6feb6ae_1.json
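Review bot: The query's only condition is `registry.data.strings : "TVqQAAMAAAAEAAAA*"`, and the inline comment `/* update here with encoding combinations */` is the only place that says this is one fixed base64 rendering of the DOS header; neither the description nor a `note` field tells an analyst what the rule covers, and the rule has no `note` or `setup` at all. A sentence in the description such as `Matches the base64-encoded MZ header prefix as written to registry string values; other encodings are not covered.` would make the scope explicit without touching the logic. The `index` list also includes `"logs-sentinel_one_cloud_funnel.*"`, but nothing in this hunk shows that data stream populating `registry.data.strings`; if it does not, that entry adds query cost without coverage and is worth confirming against the integration's field mappings.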
@@ -0,0 +1,96 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule monitors for the addition of an executable bit of the `/etc/rc.local` or `/etc/rc.common` files. These files are used to start custom applications, services, scripts or commands during start-up. They require executable permissions to be executed on boot. An alert of this rule is an indicator that this method is being set up within your environment. This method has mostly been replaced by Systemd. However, through the `systemd-rc-local-generator`, these files can be converted to services that run at boot. Adversaries may alter these files to execute malicious code at start-up, and gain persistence onto the system.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.process*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Executable Bit Set for rc.local/rc.common", + "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"exec\", \"exec_event\") and\nprocess.args in (\"/etc/rc.local\", \"/etc/rc.common\") and (\n (process.name == \"chmod\" and process.args : (\"*+x*\", \"1*\", \"3*\", \"5*\", \"7*\")) or\n (process.name == \"install\" and process.args : \"-m*\" and process.args : (\"*7*\", \"*5*\", \"*3*\", \"*1*\"))\n)\n", + "references": [ + "https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/", + "https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#8-boot-or-logon-initialization-scripts-rc-scripts", + "https://www.cyberciti.biz/faq/how-to-enable-rc-local-shell-script-on-systemd-while-booting-linux-system/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + 
"ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "94418745-529f-4259-8d25-a713a6feb6ae", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1037", + "name": "Boot or Logon Initialization Scripts", + "reference": "https://attack.mitre.org/techniques/T1037/", + "subtechnique": [ + { + "id": "T1037.004", + "name": "RC Scripts", + "reference": "https://attack.mitre.org/techniques/T1037/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 + }, + "id": "94418745-529f-4259-8d25-a713a6feb6ae_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/96d11d31-9a79-480f-8401-da28b194608f_11.json b/packages/security_detection_engine/kibana/security_rule/96d11d31-9a79-480f-8401-da28b194608f_11.json new file mode 100644 index 00000000000..c44679f8969 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/96d11d31-9a79-480f-8401-da28b194608f_11.json 
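Review bot: The chmod branch `process.args : ("*+x*", "1*", "3*", "5*", "7*")` keys on the first octal digit only, so a four-digit mode with a leading zero such as `0755` is not matched, and neither is a mode that sets execute only for group or others such as `655`, although the description says "addition of an executable bit" with no such limitation. If owner-only coverage is intended, state that in the description; otherwise adding the leading-zero forms `"01*", "03*", "05*", "07*"` and the symbolic `"*+X*"` is a small widening that keeps the rule's shape. Note also that the bare prefixes `"1*"`, `"3*"` and so on are tested against every element of `process.args`, not only the mode argument, so any argument beginning with one of those digits satisfies the branch once `/etc/rc.local` or `/etc/rc.common` is among the args.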
@@ -0,0 +1,102 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule detects the creation of potentially malicious files within the default MOTD file directories. Message of the day (MOTD) is the message that is presented to the user when a user connects to a Linux server via SSH or a serial connection. Linux systems contain several default MOTD files located in the \"/etc/update-motd.d/\" directory. These scripts run as the root user every time a user connects over SSH or a serial connection. Adversaries may create malicious MOTD files that grant them persistence onto the target every time a user connects to the system by executing a backdoor script or command.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.file*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Message-of-the-Day (MOTD) File Creation", + "note": "## Triage and analysis\n\n### Investigating Message-of-the-Day (MOTD) File Creation\n\nThe message-of-the-day (MOTD) is used to display a customizable system-wide message or information to users upon login in Linux.\n\nAttackers can abuse message-of-the-day (motd) files to run scripts, commands or malicious software every time a user connects to a system over SSH or a serial connection, by creating a new file within the `/etc/update-motd.d/` directory. Executable files in these directories automatically run with root privileges.\n\nThis rule identifies the creation of new files within the `/etc/update-motd.d/` directory.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. 
Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible Investigation Steps\n\n- Investigate the file that was created or modified.\n - !{osquery{\"label\":\"Osquery - Retrieve File Information\",\"query\":\"SELECT * FROM file WHERE path = {{file.path}}\"}}\n- Investigate whether any other files in the `/etc/update-motd.d/` directory have been altered.\n - !{osquery{\"label\":\"Osquery - Retrieve File Listing Information\",\"query\":\"SELECT * FROM file WHERE path LIKE '/etc/update-motd.d/%'\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Additional File Listing Information\",\"query\":\"SELECT f.path, u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS\\nfile_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS\\nfile_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM file f LEFT\\nJOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE path LIKE '/etc/update-motd.d/%'\\n\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate whether the modified scripts call other malicious scripts elsewhere on the file system.\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n\n### Related Rules\n\n- Process Spawned from Message-of-the-Day (MOTD) - 4ec47004-b34a-42e6-8003-376a123ea447\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the MOTD files or restore their original configuration.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "file where host.os.type == \"linux\" and event.action in (\"rename\", \"creation\") and\nfile.path : \"/etc/update-motd.d/*\" and not (\n process.executable in (\n \"/bin/dpkg\", \"/usr/bin/dpkg\", \"/bin/dockerd\", \"/usr/bin/dockerd\", \"/usr/sbin/dockerd\", \"/bin/microdnf\",\n \"/usr/bin/microdnf\", \"/bin/rpm\", \"/usr/bin/rpm\", \"/bin/snapd\", \"/usr/bin/snapd\", \"/bin/yum\", \"/usr/bin/yum\",\n \"/bin/dnf\", \"/usr/bin/dnf\", \"/bin/podman\", \"/usr/bin/podman\", \"/bin/dnf-automatic\", \"/usr/bin/dnf-automatic\",\n \"/bin/pacman\", \"/usr/bin/pacman\", \"/usr/bin/dpkg-divert\", \"/bin/dpkg-divert\", \"/sbin/apk\", \"/usr/sbin/apk\",\n \"/usr/local/sbin/apk\", \"/usr/bin/apt\", \"/usr/sbin/pacman\", \"/bin/podman\", \"/usr/bin/podman\", \"/usr/bin/puppet\",\n \"/bin/puppet\", \"/opt/puppetlabs/puppet/bin/puppet\", \"/usr/bin/chef-client\", \"/bin/chef-client\",\n \"/bin/autossl_check\", \"/usr/bin/autossl_check\", \"/proc/self/exe\", \"/dev/fd/*\", \"/usr/bin/pamac-daemon\",\n \"/bin/pamac-daemon\", \"/usr/lib/snapd/snapd\", \"/usr/local/bin/dockerd\"\n ) or\n file.extension in (\"swp\", \"swpx\", \"swx\", \"dpkg-remove\") or\n file.Ext.original.extension == \"dpkg-new\" or\n process.executable : (\n \"/nix/store/*\", \"/var/lib/dpkg/*\", \"/tmp/vmis.*\", \"/snap/*\", \"/dev/fd/*\", \"/usr/lib/virtualbox/*\"\n ) or\n process.executable == null or\n (process.name == \"sed\" and file.name : \"sed*\") or\n (process.name == \"perl\" and file.name : \"e2scrub_all.tmp*\") \n)\n", + "references": [ + 
"https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#10-boot-or-logon-initialization-scripts-motd" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": false, + "name": "file.Ext.original.extension", + "type": "unknown" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "96d11d31-9a79-480f-8401-da28b194608f", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. 
Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Resources: Investigation Guide", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1037", + "name": "Boot or Logon Initialization Scripts", + "reference": "https://attack.mitre.org/techniques/T1037/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 11 + }, + "id": "96d11d31-9a79-480f-8401-da28b194608f_11", + "type": "security-rule" +} \ No newline at end of file 
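Review bot: In the query's `process.executable in (...)` list, `"/dev/fd/*"` is compared literally because `in` is an exact match in EQL, so that entry never matches anything and is already covered by the later `process.executable : ("/nix/store/*", ..., "/dev/fd/*", ...)` wildcard list; `"/bin/podman"` and `"/usr/bin/podman"` also appear twice in the same `in` list. Dropping the three redundant entries keeps the exclusion list readable without changing what it matches. There is also a stray space before `\n)` after `file.name : \"e2scrub_all.tmp*\")`, which the sudo-hijacking rule earlier in this commit, with an otherwise parallel exclusion block, does not have.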
diff --git a/packages/security_detection_engine/kibana/security_rule/97aba1ef-6034-4bd3-8c1a-1e0996b27afa_312.json b/packages/security_detection_engine/kibana/security_rule/97aba1ef-6034-4bd3-8c1a-1e0996b27afa_312.json
new file mode 100644
index 00000000000..8a064cd589a
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/97aba1ef-6034-4bd3-8c1a-1e0996b27afa_312.json
@@ -0,0 +1,114 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "A suspicious Zoom child process was detected, which may indicate an attempt to run unnoticed. Verify process details such as command line, network connections, file writes and associated file signature details as well.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*", + "logs-sentinel_one_cloud_funnel.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Zoom Child Process", + "note": "## Triage and analysis\n\n### Investigating Suspicious Zoom Child Process\n\nBy examining the specific traits of Windows binaries -- such as process trees, command lines, network connections, registry modifications, and so on -- it's possible to establish a baseline of normal activity. Deviations from this baseline can indicate malicious activity, such as masquerading, and deserve further investigation.\n\nThis rule identifies a potential malicious process masquerading as `Zoom.exe` or exploiting a vulnerability in the application causing it to execute code.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the command line of the child process to determine which commands or scripts were executed.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"Zoom.exe\" and process.name : (\"cmd.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\")\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + }, + { + "package": "sentinel_one_cloud_funnel", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "97aba1ef-6034-4bd3-8c1a-1e0996b27afa", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", + "Data Source: SentinelOne" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1036", + "name": "Masquerading", + "reference": "https://attack.mitre.org/techniques/T1036/" + }, + { + "id": "T1055", + "name": "Process Injection", + "reference": "https://attack.mitre.org/techniques/T1055/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": 
"Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1203", + "name": "Exploitation for Client Execution", + "reference": "https://attack.mitre.org/techniques/T1203/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 312 + }, + "id": "97aba1ef-6034-4bd3-8c1a-1e0996b27afa_312", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/994e40aa-8c85-43de-825e-15f665375ee8_6.json b/packages/security_detection_engine/kibana/security_rule/994e40aa-8c85-43de-825e-15f665375ee8_6.json new file mode 100644 index 00000000000..8f2aa854099 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/994e40aa-8c85-43de-825e-15f665375ee8_6.json 
@@ -0,0 +1,100 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "A supervised machine learning model (ProblemChild) has identified a suspicious Windows process event with high probability of it being malicious activity. Alternatively, the model's blocklist identified the event as being malicious.", + "from": "now-10m", + "index": [ + "endgame-*", + "logs-endpoint.events.process-*", + "winlogbeat-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Machine Learning Detected a Suspicious Windows Event with a High Malicious Probability Score", + "query": "process where ((problemchild.prediction == 1 and problemchild.prediction_probability > 0.98) or\nblocklist_label == 1) and not process.args : (\"*C:\\\\WINDOWS\\\\temp\\\\nessus_*.txt*\", \"*C:\\\\WINDOWS\\\\temp\\\\nessus_*.tmp*\")\n", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", + "https://docs.elastic.co/en/integrations/problemchild", + "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration" + ], + "related_integrations": [ + { + "package": "problemchild", + "version": "^2.0.0" + }, + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "blocklist_label", + "type": "unknown" + }, + { + "ecs": false, + "name": "problemchild.prediction", + "type": "unknown" + }, + { + "ecs": false, + "name": "problemchild.prediction_probability", + "type": "unknown" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "994e40aa-8c85-43de-825e-15f665375ee8", + "setup": "## Setup\n\nThe rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat. 
\n\n### LotL Attack Detection Setup\nThe LotL Attack Detection integration detects living-off-the-land activity in Windows process events.\n\n#### Prerequisite Requirements:\n- Fleet is required for LotL Attack Detection.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- Windows process events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration or Winlogbeat(https://www.elastic.co/guide/en/beats/winlogbeat/current/_winlogbeat_overview.html).\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n- To set up and run Winlogbeat, follow [this](https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-installation-configuration.html) guide.\n\n#### The following steps should be executed to install assets associated with the LotL Attack Detection integration:\n- Go to the Kibana homepage. 
Under Management, click Integrations.\n- In the query bar, search for Living off the Land Attack Detection and select the integration to see more details about it.\n- Follow the instructions under the **Installation** section.\n- For this rule to work, complete the instructions through **Configure the ingest pipeline**.\n", + "severity": "low", + "tags": [ + "OS: Windows", + "Data Source: Elastic Endgame", + "Use Case: Living off the Land Attack Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1036", + "name": "Masquerading", + "reference": "https://attack.mitre.org/techniques/T1036/", + "subtechnique": [ + { + "id": "T1036.004", + "name": "Masquerade Task or Service", + "reference": "https://attack.mitre.org/techniques/T1036/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 6 + }, + "id": "994e40aa-8c85-43de-825e-15f665375ee8_6", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9aa4be8d-5828-417d-9f54-7cd304571b24_1.json b/packages/security_detection_engine/kibana/security_rule/9aa4be8d-5828-417d-9f54-7cd304571b24_1.json new file mode 100644 index 00000000000..27c941ca297 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/9aa4be8d-5828-417d-9f54-7cd304571b24_1.json 
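Review bot: The exclusion `not process.args : ("*C:\\WINDOWS\\temp\\nessus_*.txt*", "*C:\\WINDOWS\\temp\\nessus_*.tmp*")` in the `query` is keyed on an argument substring with wildcards at both ends, so any process whose arguments contain that fragment is exempted regardless of its executable or parent; pairing it with a `process.parent.executable` or `process.executable` condition for the scanner would keep the exception scoped to the scanner. The `tags` array carries both `"Rule Type: ML"` and `"Rule Type: Machine Learning"`, which looks like a leftover from a tag rename and should be reduced to whichever value the other ML rules use. Adding `host.os.type == "windows"` to the `query` would also make the rule self-describing, since the `problemchild.*` fields alone are what currently scope it to Windows.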
@@ -0,0 +1,86 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "An adversary with access to a set of compromised credentials may attempt to persist or escalate privileges by attaching additional permissions to compromised user accounts. This rule looks for use of the IAM `AttachUserPolicy` API operation to attach the highly permissive `AdministratorAccess` AWS managed policy to an existing IAM user.", + "false_positives": [ + "While this can be normal behavior, it should be investigated to ensure validity. Verify whether the user identity should be using the IAM `AttachUserPolicy` API operation to attach the `AdministratorAccess` policy to the target user." + ], + "from": "now-10m", + "language": "esql", + "license": "Elastic License v2", + "name": "AWS IAM AdministratorAccess Policy Attached to User", + "note": "## Triage and analysis\n\n### Investigating AWS IAM AdministratorAccess Policy Attached to User\n\nThe AWS IAM `AdministratorAccess` managed policy provides full access to all AWS services and resources. \nWith access to the `iam:AttachUserPolicy` permission, a set of compromised credentials could be used to attach\nthis policy to the current user for privilege escalation or another user as a means of persistence. This rule uses [ES|QL](https://www.elastic.co/guide/en/security/master/rules-ui-create.html#create-esql-rule)\nto look for use of the `AttachUserPolicy` operation along with request_parameters where the policyName is `AdministratorAccess`.\n\n\n#### Possible investigation steps\n\n- Identify the account and its role in the environment.\n- Review IAM permission policies for the user identity.\n- Identify the applications or users that should use this account.\n- Investigate other alerts associated with the account during the past 48 hours.\n- Investigate abnormal values in the `user_agent.original` field by comparing them with the intended and authorized usage and historical data. 
Suspicious user agent values include non-SDK, AWS CLI, custom user agents, etc.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the calling user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n - Determine what other API calls were made by the user.\n - Assess whether this behavior is prevalent in the environment by looking for similar occurrences involving other users.\n\n### False positive analysis\n\n- False positives may occur due to the intended usage of the IAM `AdministratorAccess` managed policy. 
Verify the `aws.cloudtrail.user_identity.arn` should have the `iam:AttachUserPolicy` permission and that the `target.userName` should be given full administrative access.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n - Rotate user credentials\n - Remove the `AdministratorAccess` policy from the affected user(s)\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. \n - Rotate secrets or delete API keys as needed to revoke the attacker's access to the environment. 
\n - Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "from logs-aws.cloudtrail-*\n| where event.provider == \"iam.amazonaws.com\" and event.action == \"AttachUserPolicy\" and event.outcome == \"success\"\n| dissect aws.cloudtrail.request_parameters \"{%{?policyArn}=%{?arn}:%{?aws}:%{?iam}::%{?aws}:%{?policy}/%{policyName},%{?userName}=%{target.userName}}\"\n| where policyName == \"AdministratorAccess\"\n| keep @timestamp, aws.cloudtrail.user_identity.arn, aws.cloudtrail.user_identity.access_key_id, event.action, policyName, target.userName, user_agent.original, source.address, source.geo.location\n| sort aws.cloudtrail.user_identity.arn\n", + "references": [ + "https://docs.aws.amazon.com/IAM/latest/APIReference/API_AttachUserPolicy.html", + "https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AdministratorAccess.html", + "https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/" + ], + "risk_score": 47, + "rule_id": "9aa4be8d-5828-417d-9f54-7cd304571b24", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Data 
Source: AWS IAM", + "Use Case: Identity and Access Audit", + "Tactic: Privilege Escalation", + "Tactic: Persistence", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1098", + "name": "Account Manipulation", + "reference": "https://attack.mitre.org/techniques/T1098/", + "subtechnique": [ + { + "id": "T1098.003", + "name": "Additional Cloud Roles", + "reference": "https://attack.mitre.org/techniques/T1098/003/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1098", + "name": "Account Manipulation", + "reference": "https://attack.mitre.org/techniques/T1098/", + "subtechnique": [ + { + "id": "T1098.003", + "name": "Additional Cloud Roles", + "reference": "https://attack.mitre.org/techniques/T1098/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "esql", + "version": 1 + }, + "id": "9aa4be8d-5828-417d-9f54-7cd304571b24_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a00681e3-9ed6-447c-ab2c-be648821c622_312.json b/packages/security_detection_engine/kibana/security_rule/a00681e3-9ed6-447c-ab2c-be648821c622_312.json new file mode 100644 index 00000000000..ffb881d4c47 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/a00681e3-9ed6-447c-ab2c-be648821c622_312.json 
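Review bot: The `dissect` step in the `query` assumes `policyArn` appears before `userName` in `aws.cloudtrail.request_parameters`; if the serialized parameters arrive in a different key order or with additional keys, the dissect fails and the event drops silently out of the pipeline instead of alerting. A match that does not depend on key order, such as an ES|QL wildcard `like` on the raw `request_parameters` string for `policy/AdministratorAccess`, or a separate `where` on the captured value after a more permissive dissect, would be more robust. This hunk also has no `related_integrations` or `required_fields` entries, unlike the EQL and KQL rules in this commit; if the tooling cannot derive them for `esql` rules that is expected, otherwise they should be added.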
@@ -0,0 +1,107 @@ +{ + "attributes": { + "author": [ + "Nick Jones", + "Elastic" + ], + "description": "An adversary with access to a compromised AWS service such as an EC2 instance, Lambda function, or other service may attempt to leverage the compromised service to access secrets in AWS Secrets Manager. This rule looks for the first time a specific user identity has programmatically retrieved a secret value from Secrets Manager using the `GetSecretValue` or `BatchGetSecretValue` actions. This rule assumes that AWS services such as Lambda functions and EC2 instances are setup with IAM role's assigned that have the necessary permissions to access the secrets in Secrets Manager. An adversary with access to a compromised AWS service such as an EC2 instance, Lambda function, or other service would rely on the compromised service's IAM role to access the secrets in Secrets Manager.", + "false_positives": [ + "Verify whether the user identity, user agent, and/or hostname should be using GetSecretString API for the specified SecretId. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-60m", + "history_window_start": "now-10d", + "index": [ + "filebeat-*", + "logs-aws.cloudtrail-*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "First Time Seen AWS Secret Value Accessed in Secrets Manager", + "new_terms_fields": [ + "user.id" + ], + "note": "## Triage and analysis\n\n### Investigating First Time Seen AWS Secret Value Accessed in Secrets Manager\n\nAWS Secrets Manager is a service that enables the replacement of hardcoded credentials in code, including passwords, with an API call to Secrets Manager to retrieve the secret programmatically.\n\nThis rule looks for the retrieval of credentials using `GetSecretValue` action in Secrets Manager programmatically. 
This is a [New Terms](https://www.elastic.co/guide/en/security/master/rules-ui-create.html#create-new-terms-rule) rule indicating this is the first time a specific user identity has successfuly retrieved a specific secret value from Secrets Manager within the last 15 days.\n\n#### Possible investigation steps\n\n- Identify the account and its role in the environment, and inspect the related policy.\n- Identify the applications that should use this account.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Investigate abnormal values in the `user_agent.original` field by comparing them with the intended and authorized usage and historical data. Suspicious user agent values include non-SDK, AWS CLI, custom user agents, etc.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences involving other users.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the calling user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- Review IAM permission policies for the user identity and specific secrets accessed.\n- Examine the request parameters. These might indicate the source of the program or the nature of its tasks.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- False positives may occur due to the intended usage of the service. 
Tuning is needed in order to have higher confidence. Consider adding exceptions \u2014 preferably with a combination of user agent and IP address conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Rotate secrets or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "event.dataset:aws.cloudtrail and event.provider:secretsmanager.amazonaws.com and\n event.action: (GetSecretValue or BatchGetSecretValue) and event.outcome:success and\n not user_agent.name: (\"Chrome\" or \"Firefox\" or \"Safari\" or \"Edge\" or \"Brave\" or \"Opera\")\n", + "references": [ + "https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_GetSecretValue.html", + "https://detectioninthe.cloud/ttps/credential_access/access_secret_in_secrets_manager/", + "https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_BatchGetSecretValue.html", + "https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-services/aws-secrets-manager-enum" + ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": 
"event.provider", + "type": "keyword" + }, + { + "ecs": true, + "name": "user_agent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "a00681e3-9ed6-447c-ab2c-be648821c622", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Data Source: AWS Secrets Manager", + "Tactic: Credential Access", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1555", + "name": "Credentials from Password Stores", + "reference": "https://attack.mitre.org/techniques/T1555/", + "subtechnique": [ + { + "id": "T1555.006", + "name": "Cloud Secrets Management Stores", + "reference": "https://attack.mitre.org/techniques/T1555/006/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "new_terms", + "version": 312 + }, + "id": "a00681e3-9ed6-447c-ab2c-be648821c622_312", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a8aaa49d-9834-462d-bf8f-b1255cebc004_1.json b/packages/security_detection_engine/kibana/security_rule/a8aaa49d-9834-462d-bf8f-b1255cebc004_1.json new file mode 100644 index 00000000000..f148b39884b --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/a8aaa49d-9834-462d-bf8f-b1255cebc004_1.json 
@@ -0,0 +1,104 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule detects successful authentications via PAM grantors that are not commonly used. This could indicate an attacker is attempting to escalate privileges or maintain persistence on the system by modifying the default PAM configuration.", + "from": "now-9m", + "history_window_start": "now-14d", + "index": [ + "auditbeat-*", + "logs-auditd_manager.auditd-*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Authentication via Unusual PAM Grantor", + "new_terms_fields": [ + "auditd.data.grantors", + "agent.id" + ], + "query": "event.category:authentication and host.os.type:linux and event.action:authenticated and event.outcome:success and\nauditd.data.grantors:(* and not (pam_rootok or *pam_cap* or *pam_permit*))\n", + "related_integrations": [ + { + "package": "auditd_manager", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "auditd.data.grantors", + "type": "unknown" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "a8aaa49d-9834-462d-bf8f-b1255cebc004", + "setup": "## Setup\nThis rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. 
The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system.\n```\nKibana -->\nManagement -->\nIntegrations -->\nAuditd Manager -->\nAdd Auditd Manager\n```\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\nFor this detection rule to trigger, no additional configuration is required.\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Tactic: Persistence", + "Data Source: Auditd Manager" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1543", + "name": "Create or Modify System Process", + "reference": "https://attack.mitre.org/techniques/T1543/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1556", + "name": "Modify Authentication Process", + "reference": "https://attack.mitre.org/techniques/T1556/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "new_terms", + "version": 1 + }, + "id": "a8aaa49d-9834-462d-bf8f-b1255cebc004_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ac5012b8-8da8-440b-aaaf-aedafdea2dff_314.json b/packages/security_detection_engine/kibana/security_rule/ac5012b8-8da8-440b-aaaf-aedafdea2dff_314.json new file mode 100644 index 00000000000..ef08a002a86 --- /dev/null 
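Review bot: The `*pam_cap*` and `*pam_permit*` wildcards in the `query` exclude the whole `auditd.data.grantors` value whenever that module appears anywhere in it; if `grantors` is the comma-joined module list the wildcards suggest, a stack that contains `pam_permit` next to an unexpected module is excluded too, and on distributions whose default stack already includes `pam_permit` the rule would observe few or no values at all. Matching the exact default stack values rather than substrings, or at least documenting the expected `grantors` values in `setup`, would make the coverage explicit. The `index` array also lists `auditbeat-*` while `related_integrations` and `setup` cover only `auditd_manager`; the setup text should either mention Auditbeat or the pattern should be dropped.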
+++ b/packages/security_detection_engine/kibana/security_rule/ac5012b8-8da8-440b-aaaf-aedafdea2dff_314.json 
@@ -0,0 +1,151 @@
+{
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "A suspicious WerFault child process was detected, which may indicate an attempt to run via the SilentProcessExit registry key manipulation. Verify process details such as command line, network connections and file writes.",
+ "false_positives": [
+ "Custom Windows error reporting debugger or applications restarted by WerFault after a crash."
+ ],
+ "from": "now-9m",
+ "index": [
+ "winlogbeat-*",
+ "logs-endpoint.events.process-*",
+ "logs-windows.*",
+ "endgame-*",
+ "logs-sentinel_one_cloud_funnel.*"
+ ],
+ "language": "eql",
+ "license": "Elastic License v2",
+ "name": "Suspicious WerFault Child Process",
+ "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n\n process.parent.name : \"WerFault.exe\" and\n\n /* args -s and -t used to execute a process via SilentProcessExit mechanism */\n (process.parent.args : \"-s\" and process.parent.args : \"-t\" and process.parent.args : \"-c\") and\n\n not process.executable : (\"?:\\\\Windows\\\\SysWOW64\\\\Initcrypt.exe\", \"?:\\\\Program Files (x86)\\\\Heimdal\\\\Heimdal.Guard.exe\")\n",
+ "references": [
+ "https://www.hexacorn.com/blog/2019/09/19/silentprocessexit-quick-look-under-the-hood/",
+ "https://www.hexacorn.com/blog/2019/09/20/werfault-command-line-switches-v0-1/",
+ "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx",
+ "http://web.archive.org/web/20230530011556/https://blog.menasec.net/2021/01/"
+ ],
+ "related_integrations": [
+ {
+ "package": "endpoint",
+ "version": "^8.2.0"
+ },
+ {
+ "package": "windows",
+ "version": "^1.5.0"
+ },
+ {
+ "package": "sentinel_one_cloud_funnel",
+ "version": "^1.0.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "host.os.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.executable",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.parent.args",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.parent.name",
+ "type": "keyword"
+ }
+ ],
+ "risk_score": 47,
+ "rule_id": "ac5012b8-8da8-440b-aaaf-aedafdea2dff",
+ "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
+ "severity": "medium",
+ "tags": [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Defense Evasion",
+ "Tactic: Persistence",
+ "Tactic: Privilege Escalation",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+ "Data Source: SentinelOne"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0005",
+ "name": "Defense Evasion",
+ "reference": "https://attack.mitre.org/tactics/TA0005/"
+ },
+ "technique": [
+ {
+ "id": "T1036",
+ "name": "Masquerading",
+ "reference": "https://attack.mitre.org/techniques/T1036/"
+ }
+ ]
+ },
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0003",
+ "name": "Persistence",
+ "reference": "https://attack.mitre.org/tactics/TA0003/"
+ },
+ "technique": [
+ {
+ "id": "T1546",
+ "name": "Event Triggered Execution",
+ "reference": "https://attack.mitre.org/techniques/T1546/",
+ "subtechnique": [
+ {
+ "id": "T1546.012",
+ "name": "Image File Execution Options Injection",
+ "reference": "https://attack.mitre.org/techniques/T1546/012/"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0004",
+ "name": "Privilege Escalation",
+ "reference": "https://attack.mitre.org/tactics/TA0004/"
+ },
+ "technique": [
+ {
+ "id": "T1546",
+ "name": "Event Triggered Execution",
+ "reference": "https://attack.mitre.org/techniques/T1546/",
+ "subtechnique": [
+ {
+ "id": "T1546.012",
+ "name": "Image File Execution Options Injection",
+ "reference": "https://attack.mitre.org/techniques/T1546/012/"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "eql",
+ "version": 314
+ },
+ "id": "ac5012b8-8da8-440b-aaaf-aedafdea2dff_314",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/adbfa3ee-777e-4747-b6b0-7bd645f30880_5.json b/packages/security_detection_engine/kibana/security_rule/adbfa3ee-777e-4747-b6b0-7bd645f30880_5.json
new file mode 100644
index 00000000000..c685d0201d1
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/adbfa3ee-777e-4747-b6b0-7bd645f30880_5.json
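Review bot: The path-only exclusion on the last line of the query, `not process.executable : ("?:\\Windows\\SysWOW64\\Initcrypt.exe", "?:\\Program Files (x86)\\Heimdal\\Heimdal.Guard.exe")`, suppresses any binary that happens to sit at those paths regardless of who signed it; pairing it with `process.code_signature.trusted == true`, as the sibling rule adbfa3ee in this commit does for its path exclusions, ties the allow-list to the vendor rather than to the location. The inline comment `/* args -s and -t used to execute a process via SilentProcessExit mechanism */` is also out of step with the condition beneath it, which additionally requires `-c`; `/* args -s, -t and -c used to execute a process via SilentProcessExit mechanism */` would match what is checked.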
@@ -0,0 +1,136 @@
+{
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "building_block_type": "default",
+ "description": "Identifies suspicious child processes of communications apps, which can indicate a potential masquerading as the communication app or the exploitation of a vulnerability on the application causing it to execute code.",
+ "from": "now-9m",
+ "index": [
+ "logs-endpoint.events.process-*"
+ ],
+ "language": "eql",
+ "license": "Elastic License v2",
+ "name": "Suspicious Communication App Child Process",
+ "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (\n /* Slack */\n (process.parent.name : \"slack.exe\" and not\n (\n (\n process.executable : (\n \"?:\\\\Program Files\\\\*\",\n \"?:\\\\Program Files (x86)\\\\*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Island\\\\Island\\\\Application\\\\Island.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Zoom\\\\bin*\\\\Zoom.exe\",\n \"?:\\\\Windows\\\\System32\\\\rundll32.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Mozilla Firefox\\\\firefox.exe\",\n \"?:\\\\Windows\\\\System32\\\\notepad.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\WerFault.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Programs\\\\Opera\\\\opera.exe\"\n ) and process.code_signature.trusted == true \n ) or\n (\n process.code_signature.subject_name : (\n \"Slack Technologies, Inc.\",\n \"Slack Technologies, LLC\"\n ) and process.code_signature.trusted == true\n ) or\n (\n (process.name : \"powershell.exe\" and process.command_line : \"powershell.exe -c Invoke-WebRequest -Uri https://slackb.com/*\") or\n (process.name : \"cmd.exe\" and process.command_line : \"C:\\\\WINDOWS\\\\system32\\\\cmd.exe /d /s /c \\\"%windir%\\\\System32\\\\rundll32.exe User32.dll,SetFocus 0\\\"\")\n )\n )\n ) or\n\n /* WebEx */\n (process.parent.name : (\"CiscoCollabHost.exe\", \"WebexHost.exe\") and not\n (\n (\n process.executable : (\n \"?:\\\\Program Files\\\\*\",\n \"?:\\\\Program Files (x86)\\\\*\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Mozilla Firefox\\\\firefox.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Programs\\\\Opera\\\\opera.exe\"\n ) and process.code_signature.trusted == true \n ) or\n (\n process.code_signature.subject_name : (\n \"Cisco Systems, Inc.\",\n \"Cisco WebEx LLC\",\n \"Cisco Systems Inc.\"\n ) and process.code_signature.trusted == true\n )\n )\n ) or\n\n /* Teams */\n (process.parent.name : \"Teams.exe\" and not\n (\n (\n process.executable : (\n \"?:\\\\Program Files\\\\*\",\n \"?:\\\\Program Files (x86)\\\\*\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\BrowserCore\\\\BrowserCore.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Mozilla Firefox\\\\firefox.exe\"\n ) and process.code_signature.trusted == true \n ) or\n (\n process.code_signature.subject_name : (\n \"Microsoft Corporation\",\n \"Microsoft 3rd Party Application Component\"\n ) and process.code_signature.trusted == true\n ) or\n (\n (process.name : \"taskkill.exe\" and process.args : \"Teams.exe\")\n )\n )\n ) or\n\n /* Discord */\n (process.parent.name : \"Discord.exe\" and not\n (\n (\n process.executable : (\n \"?:\\\\Program Files\\\\*\",\n \"?:\\\\Program Files (x86)\\\\*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n \"?:\\\\Windows\\\\System32\\\\reg.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\reg.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\WerFault.exe\"\n ) and process.code_signature.trusted == true \n ) or\n (\n process.code_signature.subject_name : (\n \"Discord Inc.\"\n ) and process.code_signature.trusted == true\n ) or\n (\n process.name : \"cmd.exe\" and \n (\n process.command_line : (\n \"C:\\\\WINDOWS\\\\system32\\\\cmd.exe /d /s /c \\\"chcp\\\"\",\n \"C:\\\\WINDOWS\\\\system32\\\\cmd.exe /q /d /s /c \\\"C:\\\\Program^ Files\\\\NVIDIA^ Corporation\\\\NVSMI\\\\nvidia-smi.exe\\\"\"\n ) or\n process.args : (\n \"C:\\\\WINDOWS/System32/nvidia-smi.exe\",\n \"C:\\\\WINDOWS\\\\System32\\\\nvidia-smi.exe\",\n \"C:\\\\Windows\\\\System32\\\\DriverStore\\\\FileRepository/*/nvidia-smi.exe*\"\n )\n )\n )\n )\n ) or\n\n /* WhatsApp */\n (process.parent.name : \"Whatsapp.exe\" and not\n (\n (\n process.executable : (\n \"?:\\\\Program Files\\\\*\",\n \"?:\\\\Program Files (x86)\\\\*\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\System32\\\\reg.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\reg.exe\"\n ) and process.code_signature.trusted == true \n ) or\n (\n process.code_signature.subject_name : (\n \"WhatsApp LLC\",\n \"WhatsApp, Inc\",\n \"24803D75-212C-471A-BC57-9EF86AB91435\"\n ) and process.code_signature.trusted == true\n ) or\n (\n (process.name : \"cmd.exe\" and process.command_line : \"C:\\\\Windows\\\\system32\\\\cmd.exe /d /s /c \\\"C:\\\\Windows\\\\system32\\\\wbem\\\\wmic.exe*\")\n )\n )\n ) or\n\n /* Zoom */\n (process.parent.name : \"Zoom.exe\" and not\n (\n (\n process.executable : (\n \"?:\\\\Program Files\\\\*\",\n \"?:\\\\Program Files (x86)\\\\*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Island\\\\Island\\\\Application\\\\Island.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Mozilla Firefox\\\\firefox.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\"\n ) and process.code_signature.trusted == true \n ) or\n (\n process.code_signature.subject_name : (\n \"Zoom Video Communications, Inc.\"\n ) and process.code_signature.trusted == true\n )\n )\n ) or\n\n /* Outlook */\n (process.parent.name : \"outlook.exe\" and not\n (\n (\n process.executable : (\n \"?:\\\\Program Files\\\\*\",\n \"?:\\\\Program Files (x86)\\\\*\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\system32\\\\wermgr.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\NewOutlookInstall\\\\NewOutlookInstaller.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Island\\\\Island\\\\Application\\\\Island.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Mozilla Firefox\\\\firefox.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Zoom\\\\bin\\\\Zoom.exe\",\n \"?:\\\\Windows\\\\System32\\\\IME\\\\SHARED\\\\IMEWDBLD.EXE\",\n \"?:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\x64\\\\*\",\n \"?:\\\\Windows\\\\System32\\\\prevhost.exe\",\n \"?:\\\\Windows\\\\System32\\\\dwwin.exe\",\n \"?:\\\\Windows\\\\System32\\\\mspaint.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\mspaint.exe\",\n \"?:\\\\Windows\\\\System32\\\\notepad.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\notepad.exe\",\n \"?:\\\\Windows\\\\System32\\\\smartscreen.exe\",\n \"?:\\\\Windows\\\\explorer.exe\",\n \"?:\\\\Windows\\\\splwow64.exe\"\n ) and process.code_signature.trusted == true \n ) or\n (\n process.name : \"rundll32.exe\" and\n process.args : \"*hpmsn???.dll,MonitorPrintJobStatus*\"\n )\n )\n ) or\n\n /* Thunderbird */\n (process.parent.name : \"thunderbird.exe\" and not\n (\n (\n process.executable : (\n \"?:\\\\Program Files\\\\*\",\n \"?:\\\\Program Files (x86)\\\\*\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\splwow64.exe\"\n ) and process.code_signature.trusted == true \n ) or\n (\n process.code_signature.subject_name : (\n \"Mozilla Corporation\"\n ) and process.code_signature.trusted == true\n )\n )\n )\n )\n",
+ "related_integrations": [
+ {
+ "package": "endpoint",
+ "version": "^8.2.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "host.os.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.args",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.code_signature.subject_name",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.code_signature.trusted",
+ "type": "boolean"
+ },
+ {
+ "ecs": true,
+ "name": "process.command_line",
+ "type": "wildcard"
+ },
+ {
+ "ecs": true,
+ "name": "process.executable",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.name",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.parent.name",
+ "type": "keyword"
+ }
+ ],
+ "risk_score": 21,
+ "rule_id": "adbfa3ee-777e-4747-b6b0-7bd645f30880",
+ "severity": "low",
+ "tags": [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Defense Evasion",
+ "Tactic: Persistence",
+ "Rule Type: BBR",
+ "Data Source: Elastic Defend"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0005",
+ "name": "Defense Evasion",
+ "reference": "https://attack.mitre.org/tactics/TA0005/"
+ },
+ "technique": [
+ {
+ "id": "T1036",
+ "name": "Masquerading",
+ "reference": "https://attack.mitre.org/techniques/T1036/",
+ "subtechnique": [
+ {
+ "id": "T1036.001",
+ "name": "Invalid Code Signature",
+ "reference": "https://attack.mitre.org/techniques/T1036/001/"
+ },
+ {
+ "id": "T1036.005",
+ "name": "Match Legitimate Name or Location",
+ "reference": "https://attack.mitre.org/techniques/T1036/005/"
+ }
+ ]
+ },
+ {
+ "id": "T1055",
+ "name": "Process Injection",
+ "reference": "https://attack.mitre.org/techniques/T1055/"
+ }
+ ]
+ },
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0003",
+ "name": "Persistence",
+ "reference": "https://attack.mitre.org/tactics/TA0003/"
+ },
+ "technique": [
+ {
+ "id": "T1554",
+ "name": "Compromise Host Software Binary",
+ "reference": "https://attack.mitre.org/techniques/T1554/"
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "eql",
+ "version": 5
+ },
+ "id": "adbfa3ee-777e-4747-b6b0-7bd645f30880_5",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/b83a7e96-2eb3-4edf-8346-427b6858d3bd_310.json b/packages/security_detection_engine/kibana/security_rule/b83a7e96-2eb3-4edf-8346-427b6858d3bd_310.json
new file mode 100644
index 00000000000..695c3e39a01
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/b83a7e96-2eb3-4edf-8346-427b6858d3bd_310.json
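Review bot: The WhatsApp branch's exclusion `process.command_line : "C:\\Windows\\system32\\cmd.exe /d /s /c \"C:\\Windows\\system32\\wbem\\wmic.exe*"` ends in a trailing wildcard, so every wmic invocation under Whatsapp.exe is silenced whatever its arguments; anchoring the pattern to the specific wmic arguments that were observed, or adding the `process.code_signature.trusted == true` condition the other branches apply, would narrow it. The Outlook branch likewise exempts `rundll32.exe` on `process.args : "*hpmsn???.dll,MonitorPrintJobStatus*"` alone, without the signature check used for the path exclusions above it. The subject name `"24803D75-212C-471A-BC57-9EF86AB91435"` in the WhatsApp list is an opaque identifier; a short EQL comment beside it naming what it denotes would save the next reader a lookup.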
@@ -0,0 +1,104 @@
+{
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Identifies the creation or modification of Domain Backup private keys. Adversaries may extract the Data Protection API (DPAPI) domain backup key from a Domain Controller (DC) to be able to decrypt any domain user master key file.",
+ "from": "now-9m",
+ "index": [
+ "winlogbeat-*",
+ "logs-endpoint.events.file-*",
+ "logs-windows.sysmon_operational-*",
+ "endgame-*",
+ "logs-sentinel_one_cloud_funnel.*"
+ ],
+ "language": "eql",
+ "license": "Elastic License v2",
+ "name": "Creation or Modification of Domain Backup DPAPI private key",
+ "note": "## Triage and analysis\n\nDomain DPAPI Backup keys are stored on domain controllers and can be dumped remotely with tools such as Mimikatz. The resulting .pvk private key can be used to decrypt ANY domain user masterkeys, which then can be used to decrypt any secrets protected by those keys.\n",
+ "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and file.name : (\"ntds_capi_*.pfx\", \"ntds_capi_*.pvk\")\n",
+ "references": [
+ "https://www.dsinternals.com/en/retrieving-dpapi-backup-keys-from-active-directory/",
+ "https://posts.specterops.io/operational-guidance-for-offensive-user-dpapi-abuse-1fb7fac8b107"
+ ],
+ "related_integrations": [
+ {
+ "package": "endpoint",
+ "version": "^8.2.0"
+ },
+ {
+ "package": "windows",
+ "version": "^1.5.0"
+ },
+ {
+ "package": "sentinel_one_cloud_funnel",
+ "version": "^1.0.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "file.name",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "host.os.type",
+ "type": "keyword"
+ }
+ ],
+ "risk_score": 73,
+ "rule_id": "b83a7e96-2eb3-4edf-8346-427b6858d3bd",
+ "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
+ "severity": "high",
+ "tags": [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Credential Access",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+ "Data Source: Sysmon",
+ "Data Source: SentinelOne"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0006",
+ "name": "Credential Access",
+ "reference": "https://attack.mitre.org/tactics/TA0006/"
+ },
+ "technique": [
+ {
+ "id": "T1552",
+ "name": "Unsecured Credentials",
+ "reference": "https://attack.mitre.org/techniques/T1552/",
+ "subtechnique": [
+ {
+ "id": "T1552.004",
+ "name": "Private Keys",
+ "reference": "https://attack.mitre.org/techniques/T1552/004/"
+ }
+ ]
+ },
+ {
+ "id": "T1555",
+ "name": "Credentials from Password Stores",
+ "reference": "https://attack.mitre.org/techniques/T1555/"
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "eql",
+ "version": 310
+ },
+ "id": "b83a7e96-2eb3-4edf-8346-427b6858d3bd_310",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/b8f8da2d-a9dc-48c0-90e4-955c0aa1259a_207.json b/packages/security_detection_engine/kibana/security_rule/b8f8da2d-a9dc-48c0-90e4-955c0aa1259a_207.json
new file mode 100644
index 00000000000..8403ff80175
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/b8f8da2d-a9dc-48c0-90e4-955c0aa1259a_207.json
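Review bot: The `note` field opens a `## Triage and analysis` section but stops after a single background paragraph, while the sibling rule b9554892 in this commit shows the fuller shape (investigation steps, false-positive analysis, response and remediation) that the `Resources: Investigation Guide` tag signals; this rule carries neither those sections nor the tag. Either extending the note — a step to check whether the writing process and user correspond to an authorized backup or DC-promotion workflow, and a remediation line stating that an unauthorized read of these files means the domain backup key must be treated as compromised — or folding the paragraph into `description` would make the field consistent. The query `file.name : ("ntds_capi_*.pfx", "ntds_capi_*.pvk")` itself is fine as written.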
@@ -0,0 +1,88 @@
+{
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Identifies the creation of .kirbi files. The creation of this kind of file is an indicator of an attacker running Kerberos ticket dump utilities, such as Mimikatz, and precedes attacks such as Pass-The-Ticket (PTT), which allows the attacker to impersonate users using Kerberos tickets.",
+ "from": "now-9m",
+ "index": [
+ "logs-endpoint.events.file-*",
+ "logs-windows.sysmon_operational-*",
+ "logs-sentinel_one_cloud_funnel.*"
+ ],
+ "language": "eql",
+ "license": "Elastic License v2",
+ "name": "Kirbi File Creation",
+ "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and file.extension : \"kirbi\"\n",
+ "related_integrations": [
+ {
+ "package": "endpoint",
+ "version": "^8.2.0"
+ },
+ {
+ "package": "windows",
+ "version": "^1.5.0"
+ },
+ {
+ "package": "sentinel_one_cloud_funnel",
+ "version": "^1.0.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "file.extension",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "host.os.type",
+ "type": "keyword"
+ }
+ ],
+ "risk_score": 47,
+ "rule_id": "b8f8da2d-a9dc-48c0-90e4-955c0aa1259a",
+ "severity": "medium",
+ "tags": [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Credential Access",
+ "Data Source: Elastic Defend",
+ "Data Source: Sysmon",
+ "Data Source: SentinelOne"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0006",
+ "name": "Credential Access",
+ "reference": "https://attack.mitre.org/tactics/TA0006/"
+ },
+ "technique": [
+ {
+ "id": "T1003",
+ "name": "OS Credential Dumping",
+ "reference": "https://attack.mitre.org/techniques/T1003/"
+ },
+ {
+ "id": "T1558",
+ "name": "Steal or Forge Kerberos Tickets",
+ "reference": "https://attack.mitre.org/techniques/T1558/"
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "eql",
+ "version": 207
+ },
+ "id": "b8f8da2d-a9dc-48c0-90e4-955c0aa1259a_207",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/b9554892-5e0e-424b-83a0-5aef95aa43bf_110.json b/packages/security_detection_engine/kibana/security_rule/b9554892-5e0e-424b-83a0-5aef95aa43bf_110.json
new file mode 100644
index 00000000000..7573498ff7e
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/b9554892-5e0e-424b-83a0-5aef95aa43bf_110.json
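Review bot: The `index` list omits `winlogbeat-*` even though the `windows` package is in `related_integrations` and `Data Source: Sysmon` is tagged; the neighbouring rules b83a7e96 and c0429aa8 in this commit pair `logs-windows.sysmon_operational-*` with `winlogbeat-*`, so Sysmon file events shipped through Winlogbeat would not be evaluated here unless the omission is deliberate. If `winlogbeat-*` is added, the `setup` paragraph those rules carry about populating `event.ingested` on non-agent indices applies to this rule as well. The rule also has no `note`; a short triage paragraph (which user and parent process wrote the `.kirbi` file, and whether an authorized tooling run explains it) would match the other file-creation rules in the set.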
@@ -0,0 +1,91 @@
+{
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Detects the first occurrence of a modification to Group Policy Object Attributes to add privileges to user accounts or use them to add users as local admins.",
+ "index": [
+ "winlogbeat-*",
+ "logs-system.*",
+ "logs-windows.*"
+ ],
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "name": "Group Policy Abuse for Privilege Addition",
+ "note": "## Triage and analysis\n\n### Investigating Group Policy Abuse for Privilege Addition\n\nGroup Policy Objects (GPOs) can be used to add rights and/or modify Group Membership on GPOs by changing the contents of an INF file named GptTmpl.inf, which is responsible for storing every setting under the Security Settings container in the GPO. This file is unique for each GPO, and only exists if the GPO contains security settings. Example Path: \"\\\\DC.com\\SysVol\\DC.com\\Policies\\{PolicyGUID}\\Machine\\Microsoft\\Windows NT\\SecEdit\\GptTmpl.inf\"\n\n#### Possible investigation steps\n\n- This attack abuses a legitimate mechanism of Active Directory, so it is important to determine whether the activity is legitimate and the administrator is authorized to perform this operation.\n- Retrieve the contents of the `GptTmpl.inf` file, and under the `Privilege Rights` section, look for potentially dangerous high privileges, for example: SeTakeOwnershipPrivilege, SeEnableDelegationPrivilege, etc.\n- Inspect the user security identifiers (SIDs) associated with these privileges, and if they should have these privileges.\n\n### False positive analysis\n\n- Inspect whether the user that has done the modifications should be allowed to. The user name can be found in the `winlog.event_data.SubjectUserName` field.\n\n### Related rules\n\n- Scheduled Task Execution at Scale via GPO - 15a8ba77-1c13-4274-88fe-6bd14133861e\n- Startup/Logon Script added to Group Policy Object - 16fac1a1-21ee-4ca6-b720-458e3855d046\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- The investigation and containment must be performed in every computer controlled by the GPO, where necessary.\n- Remove the script from the GPO.\n- Check if other GPOs have suspicious scripts attached.\n",
+ "query": "event.code: \"5136\" and\n winlog.event_data.AttributeLDAPDisplayName:\"gPCMachineExtensionNames\" and\n winlog.event_data.AttributeValue:(*827D319E-6EAC-11D2-A4EA-00C04F79F83A* and *803E14A0-B4FB-11D0-A0D0-00A0C90F574B*)\n",
+ "references": [
+ "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0025_windows_audit_directory_service_changes.md",
+ "https://labs.f-secure.com/tools/sharpgpoabuse"
+ ],
+ "related_integrations": [
+ {
+ "package": "system",
+ "version": "^1.6.4"
+ },
+ {
+ "package": "windows",
+ "version": "^1.5.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.code",
+ "type": "keyword"
+ },
+ {
+ "ecs": false,
+ "name": "winlog.event_data.AttributeLDAPDisplayName",
+ "type": "unknown"
+ },
+ {
+ "ecs": false,
+ "name": "winlog.event_data.AttributeValue",
+ "type": "unknown"
+ }
+ ],
+ "risk_score": 73,
+ "rule_id": "b9554892-5e0e-424b-83a0-5aef95aa43bf",
+ "setup": "## Setup\n\nThe 'Audit Directory Service Changes' audit policy must be configured (Success Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Changes (Success,Failure)\n```\n",
+ "severity": "high",
+ "tags": [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Privilege Escalation",
+ "Data Source: Active Directory",
+ "Resources: Investigation Guide",
+ "Use Case: Active Directory Monitoring"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0004",
+ "name": "Privilege Escalation",
+ "reference": "https://attack.mitre.org/tactics/TA0004/"
+ },
+ "technique": [
+ {
+ "id": "T1484",
+ "name": "Domain or Tenant Policy Modification",
+ "reference": "https://attack.mitre.org/techniques/T1484/",
+ "subtechnique": [
+ {
+ "id": "T1484.001",
+ "name": "Group Policy Modification",
+ "reference": "https://attack.mitre.org/techniques/T1484/001/"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "query",
+ "version": 110
+ },
+ "id": "b9554892-5e0e-424b-83a0-5aef95aa43bf_110",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/bcaa15ce-2d41-44d7-a322-918f9db77766_5.json b/packages/security_detection_engine/kibana/security_rule/bcaa15ce-2d41-44d7-a322-918f9db77766_5.json
new file mode 100644
index 00000000000..23c03c05af3
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/bcaa15ce-2d41-44d7-a322-918f9db77766_5.json
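Review bot: The `### Response and remediation` section of the `note` still ends with `- Remove the script from the GPO.` and `- Check if other GPOs have suspicious scripts attached.`, which belong to the logon-script rule listed under `### Related rules` rather than to this one; this rule fires on privilege-rights changes in `GptTmpl.inf`, so the steps should read along the lines of `- Revert the added privilege rights in the GPO's GptTmpl.inf.` and `- Check whether other GPOs grant the same privileges.`. The remainder of the guide (the `Privilege Rights` section and the SID checks) already matches what the query detects.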
@@ -0,0 +1,90 @@
+{
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "A supervised machine learning model has identified a DNS question name that used by the SUNBURST malware and is predicted to be the result of a Domain Generation Algorithm.",
+ "from": "now-10m",
+ "index": [
+ "logs-endpoint.events.*",
+ "logs-network_traffic.*"
+ ],
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "name": "Machine Learning Detected DGA activity using a known SUNBURST DNS domain",
+ "query": "ml_is_dga.malicious_prediction:1 and dns.question.registered_domain:avsvmcloud.com\n",
+ "references": [
+ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+ "https://docs.elastic.co/en/integrations/dga",
+ "https://www.elastic.co/security-labs/detect-domain-generation-algorithm-activity-with-new-kibana-integration"
+ ],
+ "related_integrations": [
+ {
+ "package": "dga",
+ "version": "^2.0.0"
+ },
+ {
+ "package": "endpoint",
+ "version": "^8.2.0"
+ },
+ {
+ "package": "network_traffic",
+ "version": "^1.1.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "dns.question.registered_domain",
+ "type": "keyword"
+ },
+ {
+ "ecs": false,
+ "name": "ml_is_dga.malicious_prediction",
+ "type": "unknown"
+ }
+ ],
+ "risk_score": 99,
+ "rule_id": "bcaa15ce-2d41-44d7-a322-918f9db77766",
+ "setup": "## Setup\n\nThe rule requires the Domain Generation Algorithm (DGA) Detection integration assets to be installed, as well as DNS events collected by integrations such as Elastic Defend, Network Packet Capture, or Packetbeat. \n\n### DGA Detection Setup\nThe DGA Detection integration consists of an ML-based framework to detect DGA activity in DNS events.\n\n#### Prerequisite Requirements:\n- Fleet is required for DGA Detection.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- DNS events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint), [Network Packet Capture](https://docs.elastic.co/integrations/network_traffic) integration, or [Packetbeat](https://www.elastic.co/guide/en/beats/packetbeat/current/packetbeat-overview.html).\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n- To add the Network Packet Capture integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide.\n- To set up and run Packetbeat, follow [this](https://www.elastic.co/guide/en/beats/packetbeat/current/setting-up-and-running.html) guide.\n\n#### The following steps should be executed to install assets associated with the DGA Detection integration:\n- Go to the Kibana homepage. Under Management, click Integrations.\n- In the query bar, search for Domain Generation Algorithm Detection and select the integration to see more details about it.\n- Follow the instructions under the **Installation** section.\n- For this rule to work, complete the instructions through **Configure the ingest pipeline**.\n",
+ "severity": "critical",
+ "tags": [
+ "Domain: Network",
+ "Domain: Endpoint",
+ "Data Source: Elastic Defend",
+ "Use Case: Domain Generation Algorithm Detection",
+ "Rule Type: ML",
+ "Rule Type: Machine Learning",
+ "Tactic: Command and Control"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0011",
+ "name": "Command and Control",
+ "reference": "https://attack.mitre.org/tactics/TA0011/"
+ },
+ "technique": [
+ {
+ "id": "T1568",
+ "name": "Dynamic Resolution",
+ "reference": "https://attack.mitre.org/techniques/T1568/",
+ "subtechnique": [
+ {
+ "id": "T1568.002",
+ "name": "Domain Generation Algorithms",
+ "reference": "https://attack.mitre.org/techniques/T1568/002/"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "query",
+ "version": 5
+ },
+ "id": "bcaa15ce-2d41-44d7-a322-918f9db77766_5",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/c0429aa8-9974-42da-bfb6-53a0a515a145_110.json b/packages/security_detection_engine/kibana/security_rule/c0429aa8-9974-42da-bfb6-53a0a515a145_110.json
new file mode 100644
index 00000000000..bc89a3d598c
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/c0429aa8-9974-42da-bfb6-53a0a515a145_110.json
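Review bot: The `description` has a grammatical slip, `a DNS question name that used by the SUNBURST malware`; `a DNS question name that was used by the SUNBURST malware` reads correctly. The `tags` array also lists both `Rule Type: ML` and `Rule Type: Machine Learning` for the same property, so one of the two is redundant and keeping a single form avoids a split facet when filtering rules by type. The `setup` string carries a stray space before `\n\n### DGA Detection Setup`; harmless in rendered markdown, but worth trimming on the next regeneration.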
@@ -0,0 +1,116 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects the creation or modification of a new Group Policy based scheduled task or service. These methods are used for legitimate system administration, but can also be abused by an attacker with domain admin permissions to execute a malicious payload remotely on all or a subset of the domain joined machines.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.file-*", + "logs-windows.sysmon_operational-*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Creation or Modification of a new GPO Scheduled Task or Service", + "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and\n file.path : (\"?:\\\\Windows\\\\SYSVOL\\\\domain\\\\Policies\\\\*\\\\MACHINE\\\\Preferences\\\\ScheduledTasks\\\\ScheduledTasks.xml\",\n \"?:\\\\Windows\\\\SYSVOL\\\\domain\\\\Policies\\\\*\\\\MACHINE\\\\Preferences\\\\Services\\\\Services.xml\") and\n not process.name : \"dfsrs.exe\"\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "c0429aa8-9974-42da-bfb6-53a0a515a145", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Tactic: Persistence", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1484", + "name": "Domain or Tenant Policy Modification", + "reference": "https://attack.mitre.org/techniques/T1484/", + "subtechnique": [ + { + "id": "T1484.001", + "name": "Group Policy Modification", + "reference": "https://attack.mitre.org/techniques/T1484/001/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1053", + "name": "Scheduled Task/Job", + "reference": "https://attack.mitre.org/techniques/T1053/", + "subtechnique": [ + { + "id": "T1053.005", + "name": "Scheduled Task", + "reference": "https://attack.mitre.org/techniques/T1053/005/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 110 + }, + "id": "c0429aa8-9974-42da-bfb6-53a0a515a145_110", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c1e79a70-fa6f-11ee-8bc8-f661ea17fbce_2.json b/packages/security_detection_engine/kibana/security_rule/c1e79a70-fa6f-11ee-8bc8-f661ea17fbce_2.json new file mode 100644 index 00000000000..eea04b18539 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/c1e79a70-fa6f-11ee-8bc8-f661ea17fbce_2.json 
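Review bot: The only exclusion in `query` is `not process.name : "dfsrs.exe"`, a match on the file name alone rather than on where the binary lives, so this GPO-tamper detection stays quiet for any process carrying that name regardless of its path. The BITS rule later in this patch (c3b915e0) excludes by full `process.executable` path; the same form here, `not process.executable : "?:\\Windows\\System32\\dfsrs.exe"`, keeps the DFS Replication exclusion without the name-only gap. The `setup` text covers only the `event.ingested` fallback; a sentence stating that `file.path` is matched on the `?:\\Windows\\SYSVOL\\domain\\...` form, and that operators whose sensors report the `sysvol\\<fqdn>` form instead may need to extend the path list (presumably the junction target — confirm), would help tuning.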
@@ -0,0 +1,81 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "building_block_type": "default", + "description": "Identifies discovery request `DescribeInstanceAttribute` with the attribute userData and instanceId in AWS CloudTrail logs. This may indicate an attempt to retrieve user data from an EC2 instance. Adversaries may use this information to gather sensitive data from the instance or to identify potential vulnerabilities. This is a building block rule that does not generate an alert on its own, but serves as a signal for anomalous activity.", + "from": "now-119m", + "index": [ + "filebeat-*", + "logs-aws.cloudtrail-*" + ], + "interval": "60m", + "language": "kuery", + "license": "Elastic License v2", + "name": "Attempt to Retrieve User Data from AWS EC2 Instance", + "query": "event.dataset:aws.cloudtrail\n and event.action:DescribeInstanceAttribute\n and aws.cloudtrail.request_parameters:(*attribute=userData* and *instanceId*)\n", + "references": [ + "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeInstanceAttribute.html", + "https://hackingthe.cloud/aws/exploitation/local_ec2_priv_esc_through_user_data" + ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "aws.cloudtrail.request_parameters", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "c1e79a70-fa6f-11ee-8bc8-f661ea17fbce", + "severity": "low", + "tags": [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Data Source: Amazon EC2", + "Use Case: Log Auditing", + "Tactic: Discovery", + "Rule Type: BBR" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + 
"technique": [ + { + "id": "T1580", + "name": "Cloud Infrastructure Discovery", + "reference": "https://attack.mitre.org/techniques/T1580/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 2 + }, + "id": "c1e79a70-fa6f-11ee-8bc8-f661ea17fbce_2", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c3b915e0-22f3-4bf7-991d-b643513c722f_309.json b/packages/security_detection_engine/kibana/security_rule/c3b915e0-22f3-4bf7-991d-b643513c722f_309.json new file mode 100644 index 00000000000..d63dec6bba1 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/c3b915e0-22f3-4bf7-991d-b643513c722f_309.json 
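Review bot: The `query` applies two leading-wildcard terms, `*attribute=userData*` and `*instanceId*`, to `aws.cloudtrail.request_parameters`, which `required_fields` declares as `keyword`; on a plain keyword mapping each 60-minute run scans every CloudTrail parameter string in the 119-minute window. If the integration maps the field as `wildcard` this is acceptable; otherwise the second term adds little, since `instanceId` is a required parameter of `DescribeInstanceAttribute`, and `aws.cloudtrail.request_parameters:*attribute=userData*` alone carries the signal (confirm against sample events before dropping it). The rule has no `setup` or `note`; a `setup` sentence such as `CloudTrail management events, including read-only events, must be enabled for DescribeInstanceAttribute calls to be logged.` would tell operators why the rule may be silent.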
@@ -0,0 +1,103 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "An adversary can use the Background Intelligent Transfer Service (BITS) SetNotifyCmdLine method to execute a program that runs after a job finishes transferring data or after a job enters a specified state in order to persist on a system.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.process-*", + "winlogbeat-*", + "logs-windows.sysmon_operational-*", + "endgame-*", + "logs-sentinel_one_cloud_funnel.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Persistence via BITS Job Notify Cmdline", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"svchost.exe\" and process.parent.args : \"BITS\" and\n not process.executable :\n (\"?:\\\\Windows\\\\System32\\\\WerFaultSecure.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\System32\\\\wermgr.exe\",\n \"?:\\\\WINDOWS\\\\system32\\\\directxdatabaseupdater.exe\")\n", + "references": [ + "https://pentestlab.blog/2019/10/30/persistence-bits-jobs/", + "https://docs.microsoft.com/en-us/windows/win32/api/bits1_5/nf-bits1_5-ibackgroundcopyjob2-setnotifycmdline", + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/bitsadmin-setnotifycmdline", + "https://www.elastic.co/blog/hunting-for-persistence-using-elastic-security-part-2" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + }, + { + "package": "sentinel_one_cloud_funnel", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.args", + "type": "keyword" + }, + { + "ecs": true, + "name": 
"process.parent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "c3b915e0-22f3-4bf7-991d-b643513c722f", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Data Source: SentinelOne" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1197", + "name": "BITS Jobs", + "reference": "https://attack.mitre.org/techniques/T1197/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 309 + }, + "id": "c3b915e0-22f3-4bf7-991d-b643513c722f_309", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c9482bfa-a553-4226-8ea2-4959bd4f7923_6.json b/packages/security_detection_engine/kibana/security_rule/c9482bfa-a553-4226-8ea2-4959bd4f7923_6.json new file mode 100644 index 00000000000..3afb07bb365 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/c9482bfa-a553-4226-8ea2-4959bd4f7923_6.json 
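Review bot: The four `process.executable` exclusions in `query` are undocumented, and the last one is written as `?:\\WINDOWS\\system32\\directxdatabaseupdater.exe` while the others use `?:\\Windows\\System32\\...`; the `:` operator is case-insensitive so this is harmless, but the inconsistent casing reads as a typo to the next maintainer. The masquerading rule in this same patch (c9482bfa) annotates its query with `/* ... */` comments; a single `/* WER and DirectX updater children of the BITS service host */` line above the exclusion list, with the path casing normalised, would make the allow-list reviewable. If a tightened exclusion is wanted, note that `process.code_signature.*` is not available on every index this rule reads (Sysmon, Endgame, SentinelOne), so adding a signature condition to the exclusions would effectively remove them for those sources.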
@@ -0,0 +1,108 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies suspicious instances of communications apps, both unsigned and renamed ones, that can indicate an attempt to conceal malicious activity, bypass security features such as allowlists, or trick users into executing malware.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.process-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Masquerading as Communication Apps", + "query": "process where host.os.type == \"windows\" and\n event.type == \"start\" and\n (\n /* Slack */\n (process.name : \"slack.exe\" and not\n (process.code_signature.subject_name in (\n \"Slack Technologies, Inc.\",\n \"Slack Technologies, LLC\"\n ) and process.code_signature.trusted == true)\n ) or\n\n /* WebEx */\n (process.name : \"WebexHost.exe\" and not\n (process.code_signature.subject_name in (\"Cisco WebEx LLC\", \"Cisco Systems, Inc.\") and process.code_signature.trusted == true)\n ) or\n\n /* Teams */\n (process.name : \"Teams.exe\" and not\n (process.code_signature.subject_name == \"Microsoft Corporation\" and process.code_signature.trusted == true)\n ) or\n\n /* Discord */\n (process.name : \"Discord.exe\" and not\n (process.code_signature.subject_name == \"Discord Inc.\" and process.code_signature.trusted == true)\n ) or\n\n /* RocketChat */\n (process.name : \"Rocket.Chat.exe\" and not\n (process.code_signature.subject_name == \"Rocket.Chat Technologies Corp.\" and process.code_signature.trusted == true)\n ) or\n\n /* Mattermost */\n (process.name : \"Mattermost.exe\" and not\n (process.code_signature.subject_name == \"Mattermost, Inc.\" and process.code_signature.trusted == true)\n ) or\n\n /* WhatsApp */\n (process.name : \"WhatsApp.exe\" and not\n (process.code_signature.subject_name in (\n \"WhatsApp LLC\",\n \"WhatsApp, Inc\",\n \"24803D75-212C-471A-BC57-9EF86AB91435\"\n ) and process.code_signature.trusted == true)\n ) or\n\n /* Zoom */\n 
(process.name : \"Zoom.exe\" and not\n (process.code_signature.subject_name == \"Zoom Video Communications, Inc.\" and process.code_signature.trusted == true)\n ) or\n\n /* Outlook */\n (process.name : \"outlook.exe\" and not\n (process.code_signature.subject_name == \"Microsoft Corporation\" and process.code_signature.trusted == true)\n ) or\n\n /* Thunderbird */\n (process.name : \"thunderbird.exe\" and not\n (process.code_signature.subject_name == \"Mozilla Corporation\" and process.code_signature.trusted == true)\n )\n )\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.code_signature.subject_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.code_signature.trusted", + "type": "boolean" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "c9482bfa-a553-4226-8ea2-4959bd4f7923", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1036", + "name": "Masquerading", + "reference": "https://attack.mitre.org/techniques/T1036/", + "subtechnique": [ + { + "id": "T1036.001", + "name": "Invalid Code Signature", + "reference": "https://attack.mitre.org/techniques/T1036/001/" + }, + { + "id": "T1036.005", + "name": "Match Legitimate Name or Location", + "reference": "https://attack.mitre.org/techniques/T1036/005/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": 
"https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1554", + "name": "Compromise Host Software Binary", + "reference": "https://attack.mitre.org/techniques/T1554/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 6 + }, + "id": "c9482bfa-a553-4226-8ea2-4959bd4f7923_6", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/da7f5803-1cd4-42fd-a890-0173ae80ac69_5.json b/packages/security_detection_engine/kibana/security_rule/da7f5803-1cd4-42fd-a890-0173ae80ac69_5.json new file mode 100644 index 00000000000..214c4529073 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/da7f5803-1cd4-42fd-a890-0173ae80ac69_5.json 
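Review bot: The signer checks in `query` use `==` and `in`, which compare case-sensitively in EQL, so any `process.code_signature.subject_name` that differs from the listed strings only by case or punctuation (a vendor rename, a differently formatted certificate subject) surfaces as alerts rather than as misses; that is a false-positive risk, not a gap, but it should be stated. If an exact allow-list is intended, say so in a `note`; otherwise `in~` (case-insensitive) on the list forms narrows the noise without widening the miss surface. The bare `"24803D75-212C-471A-BC57-9EF86AB91435"` entry in the WhatsApp list is opaque to a reader; an inline `/* ... */` comment stating what this identity is (presumably a store publisher identifier — confirm) would make the list maintainable.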
@@ -0,0 +1,85 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "A supervised machine learning model has identified a DNS question name with a high probability of sourcing from a Domain Generation Algorithm (DGA), which could indicate command and control network activity.", + "from": "now-10m", + "index": [ + "logs-endpoint.events.*", + "logs-network_traffic.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Machine Learning Detected a DNS Request With a High DGA Probability Score", + "query": "ml_is_dga.malicious_probability > 0.98\n", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", + "https://docs.elastic.co/en/integrations/dga", + "https://www.elastic.co/security-labs/detect-domain-generation-algorithm-activity-with-new-kibana-integration" + ], + "related_integrations": [ + { + "package": "dga", + "version": "^2.0.0" + }, + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "network_traffic", + "version": "^1.1.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "ml_is_dga.malicious_probability", + "type": "unknown" + } + ], + "risk_score": 21, + "rule_id": "da7f5803-1cd4-42fd-a890-0173ae80ac69", + "setup": "## Setup\n\nThe rule requires the Domain Generation Algorithm (DGA) Detection integration assets to be installed, as well as DNS events collected by integrations such as Elastic Defend, Network Packet Capture, or Packetbeat. 
\n\n### DGA Detection Setup\nThe DGA Detection integration consists of an ML-based framework to detect DGA activity in DNS events.\n\n#### Prerequisite Requirements:\n- Fleet is required for DGA Detection.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- DNS events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint), [Network Packet Capture](https://docs.elastic.co/integrations/network_traffic) integration, or [Packetbeat](https://www.elastic.co/guide/en/beats/packetbeat/current/packetbeat-overview.html).\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n- To add the Network Packet Capture integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide.\n- To set up and run Packetbeat, follow [this](https://www.elastic.co/guide/en/beats/packetbeat/current/setting-up-and-running.html) guide.\n\n#### The following steps should be executed to install assets associated with the DGA Detection integration:\n- Go to the Kibana homepage. 
Under Management, click Integrations.\n- In the query bar, search for Domain Generation Algorithm Detection and select the integration to see more details about it.\n- Follow the instructions under the **Installation** section.\n- For this rule to work, complete the instructions through **Configure the ingest pipeline**.\n", + "severity": "low", + "tags": [ + "Domain: Network", + "Domain: Endpoint", + "Data Source: Elastic Defend", + "Use Case: Domain Generation Algorithm Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Command and Control" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1568", + "name": "Dynamic Resolution", + "reference": "https://attack.mitre.org/techniques/T1568/", + "subtechnique": [ + { + "id": "T1568.002", + "name": "Domain Generation Algorithms", + "reference": "https://attack.mitre.org/techniques/T1568/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 5 + }, + "id": "da7f5803-1cd4-42fd-a890-0173ae80ac69_5", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/dd52d45a-4602-4195-9018-ebe0f219c273_1.json b/packages/security_detection_engine/kibana/security_rule/dd52d45a-4602-4195-9018-ebe0f219c273_1.json new file mode 100644 index 00000000000..d7ec6e79daa --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/dd52d45a-4602-4195-9018-ebe0f219c273_1.json 
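Review bot: `required_fields` declares `ml_is_dga.malicious_probability` with `"type": "unknown"` while `query` applies a numeric range (`> 0.98`), so the rule depends on the DGA integration pipeline mapping the field as a number; if it were mapped as keyword the range filter would match nothing and the rule would go quiet with no error. The same applies to the bcaa15ce_5 rule earlier in this patch, whose hunk starts before this view and whose only visible difference is `severity`. If the mapping is known, set `"type"` to the actual numeric type; otherwise a `setup` sentence such as `The field ml_is_dga.malicious_probability must be mapped as a numeric type by the DGA integration ingest pipeline.` documents the dependency.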
@@ -0,0 +1,108 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects network connections initiated through Cross-Desktop Group (XDG) autostart entries for GNOME and XFCE-based Linux distributions. XDG Autostart entries can be used to execute arbitrary commands or scripts when a user logs in. This rule helps to identify potential malicious activity where an attacker may have modified XDG autostart scripts to establish persistence on the system.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Network Connections Initiated Through XDG Autostart Entry", + "query": "sequence by host.id, process.entity_id with maxspan=1s\n [process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and (\n (process.parent.executable == \"/usr/bin/xfce4-session\") or\n (process.executable == \"/bin/sh\" and process.args == \"-e\" and process.args == \"-u\" and\n process.args == \"-c\" and process.args : \"export GIO_LAUNCHED_DESKTOP_FILE_PID=$$;*\")\n )\n ]\n [network where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"connection_attempted\"]\n", + "references": [ + "https://specifications.freedesktop.org/autostart-spec/autostart-spec-latest.html", + "https://hadess.io/the-art-of-linux-persistence/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": 
true, + "name": "process.parent.executable", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "dd52d45a-4602-4195-9018-ebe0f219c273", + "setup": "## Setup\n\nThis rule requires data coming in from one of the following integrations:\n- Elastic Defend\n- Auditbeat\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete \u201cSetup and Run Auditbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n#### Custom Ingest Pipeline\nFor versions <8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html).\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1547", + "name": "Boot or Logon Autostart Execution", + "reference": "https://attack.mitre.org/techniques/T1547/", + "subtechnique": [ + { + "id": "T1547.013", + "name": "XDG Autostart Entries", + "reference": "https://attack.mitre.org/techniques/T1547/013/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 + }, + "id": "dd52d45a-4602-4195-9018-ebe0f219c273_1", + "type": "security-rule" +} \ No newline at end of file 
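Review bot: The `setup` text says the rule accepts data from Elastic Defend or Auditbeat and carries a full Auditbeat installation section, but `index` lists only `logs-endpoint.events.*` and the second sequence step requires a `network` event with `event.action == "connection_attempted"`, so Auditbeat data is never read by this query. Either add the Auditbeat index pattern and confirm that source emits the `process.entity_id` and `connection_attempted` values the sequence keys on, or drop the `### Auditbeat Setup` and `#### Custom Ingest Pipeline` sections from `setup`. The `tags` list only `Data Source: Elastic Defend`, which agrees with `index` rather than with `setup`.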
diff --git a/packages/security_detection_engine/kibana/security_rule/dde13d58-bc39-4aa0-87fd-b4bdbf4591da_1.json b/packages/security_detection_engine/kibana/security_rule/dde13d58-bc39-4aa0-87fd-b4bdbf4591da_1.json new file mode 100644 index 00000000000..90314448075 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/dde13d58-bc39-4aa0-87fd-b4bdbf4591da_1.json 
@@ -0,0 +1,86 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "An adversary with access to a set of compromised credentials may attempt to persist or escalate privileges by attaching additional permissions to compromised IAM roles. This rule looks for use of the IAM `AttachRolePolicy` API operation to attach the highly permissive `AdministratorAccess` AWS managed policy to an existing IAM role.", + "false_positives": [ + "While this can be normal behavior, it should be investigated to ensure validity. Verify whether the user identity should be using the IAM `AttachRolePolicy` API operation to attach the `AdministratorAccess` policy to the target role." + ], + "from": "now-10m", + "language": "esql", + "license": "Elastic License v2", + "name": "AWS IAM AdministratorAccess Policy Attached to Role", + "note": "## Triage and analysis\n\n### Investigating AWS IAM AdministratorAccess Policy Attached to Role\n\nThe AWS IAM `AdministratorAccess` managed policy provides full access to all AWS services and resources. \nWith access to the `iam:AttachRolePolicy` permission, a set of compromised credentials could be used to attach\nthis policy to a compromised role for privilege escalation or as a means of persistence. This rule uses [ES|QL](https://www.elastic.co/guide/en/security/master/rules-ui-create.html#create-esql-rule)\nto look for use of the `AttachRolePolicy` operation along with request_parameters where the policyName is `AdministratorAccess`.\n\n\n#### Possible investigation steps\n\n- Identify the account and its role in the environment.\n- Review IAM permission policies for the user identity.\n- Identify the applications or users that should use this account.\n- Investigate other alerts associated with the account during the past 48 hours.\n- Investigate abnormal values in the `user_agent.original` field by comparing them with the intended and authorized usage and historical data. 
Suspicious user agent values include non-SDK, AWS CLI, custom user agents, etc.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the calling user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n - Determine what other API calls were made by the user.\n - Assess whether this behavior is prevalent in the environment by looking for similar occurrences involving other users.\n\n### False positive analysis\n\n- False positives may occur due to the intended usage of the IAM `AdministratorAccess` managed policy. 
Verify the `aws.cloudtrail.user_identity.arn` should have the `iam:AttachRolePolicy` permission and that the `role.name` should be given full administrative access.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n - Rotate user credentials\n - Remove the `AdministratorAccess` policy from the affected role(s)\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. \n - Rotate secrets or delete API keys as needed to revoke the attacker's access to the environment. 
\n - Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "from logs-aws.cloudtrail-*\n| where event.provider == \"iam.amazonaws.com\" and event.action == \"AttachRolePolicy\" and event.outcome == \"success\"\n| dissect aws.cloudtrail.request_parameters \"{%{?policyArn}=%{?arn}:%{?aws}:%{?iam}::%{?aws}:%{?policy}/%{policyName},%{?roleName}=%{role.name}}\"\n| where policyName == \"AdministratorAccess\"\n| keep @timestamp, aws.cloudtrail.user_identity.arn, aws.cloudtrail.user_identity.access_key_id, event.action, policyName, role.name, user_agent.original, source.address, source.geo.location\n| sort aws.cloudtrail.user_identity.arn\n", + "references": [ + "https://docs.aws.amazon.com/IAM/latest/APIReference/API_AttachRolePolicy.html", + "https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AdministratorAccess.html", + "https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/" + ], + "risk_score": 47, + "rule_id": "dde13d58-bc39-4aa0-87fd-b4bdbf4591da", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Data Source: AWS 
IAM", + "Use Case: Identity and Access Audit", + "Tactic: Privilege Escalation", + "Tactic: Persistence", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1098", + "name": "Account Manipulation", + "reference": "https://attack.mitre.org/techniques/T1098/", + "subtechnique": [ + { + "id": "T1098.003", + "name": "Additional Cloud Roles", + "reference": "https://attack.mitre.org/techniques/T1098/003/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1098", + "name": "Account Manipulation", + "reference": "https://attack.mitre.org/techniques/T1098/", + "subtechnique": [ + { + "id": "T1098.003", + "name": "Additional Cloud Roles", + "reference": "https://attack.mitre.org/techniques/T1098/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "esql", + "version": 1 + }, + "id": "dde13d58-bc39-4aa0-87fd-b4bdbf4591da_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/df919b5e-a0f6-4fd8-8598-e3ce79299e3b_1.json b/packages/security_detection_engine/kibana/security_rule/df919b5e-a0f6-4fd8-8598-e3ce79299e3b_1.json new file mode 100644 index 00000000000..ac22ed2b88a --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/df919b5e-a0f6-4fd8-8598-e3ce79299e3b_1.json 
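Review bot: The `dissect` pattern in `query` hard-codes the serialization order `{policyArn=...,roleName=...}` of `aws.cloudtrail.request_parameters`; when the stored string is ordered differently or carries extra parameters, `dissect` yields null for `policyName` and the following `where policyName == "AdministratorAccess"` silently drops the event, so the rule fails closed without any error. A substring pre-filter ahead of the extraction, `| where aws.cloudtrail.request_parameters like "*policy/AdministratorAccess*"`, keeps the alert even when `dissect` cannot parse the line, and the `note` should state that the `role.name` extraction assumes the CloudTrail parameter order. Also, `event.outcome == "success"` excludes denied attempts; a failed `AttachRolePolicy` of `AdministratorAccess` is itself a useful signal, and if the restriction is intentional the `false_positives` text should say why.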
@@ -0,0 +1,86 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "An adversary with access to a set of compromised credentials may attempt to persist or escalate privileges by attaching additional permissions to user groups the compromised user account belongs to. This rule looks for use of the IAM `AttachGroupPolicy` API operation to attach the highly permissive `AdministratorAccess` AWS managed policy to an existing IAM user group.", + "false_positives": [ + "While this can be normal behavior, it should be investigated to ensure validity. Verify whether the user identity should be using the IAM `AttachGroupPolicy` API operation to attach the `AdministratorAccess` policy to the user group." + ], + "from": "now-10m", + "language": "esql", + "license": "Elastic License v2", + "name": "AWS IAM AdministratorAccess Policy Attached to Group", + "note": "## Triage and analysis\n\n### Investigating AWS IAM AdministratorAccess Policy Attached to Group\n\nThe AWS IAM `AdministratorAccess` managed policy provides full access to all AWS services and resources. \nWith access to the `iam:AttachGroupPolicy` permission, a set of compromised credentials could be used to attach\nthis policy to the current user's groups for privilege escalation or as a means of persistence. This rule uses [ES|QL](https://www.elastic.co/guide/en/security/master/rules-ui-create.html#create-esql-rule)\nto look for use of the `AttachGroupPolicy` operation along with request_parameters where the policyName is `AdministratorAccess`.\n\n\n#### Possible investigation steps\n\n- Identify the account and its role in the environment.\n- Review IAM permission policies for the user identity.\n- Identify the applications or users that should use this account.\n- Investigate other alerts associated with the account during the past 48 hours.\n- Investigate abnormal values in the `user_agent.original` field by comparing them with the intended and authorized usage and historical data. 
Suspicious user agent values include non-SDK, AWS CLI, custom user agents, etc.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the calling user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n - Determine what other API calls were made by the user.\n - Assess whether this behavior is prevalent in the environment by looking for similar occurrences involving other users.\n\n### False positive analysis\n\n- False positives may occur due to the intended usage of the IAM `AdministratorAccess` managed policy. 
Verify the `aws.cloudtrail.user_identity.arn` should have the `iam:AttachUserPolicy` permission and that the `target.userName` should be given full administrative access.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n - Rotate user credentials\n - Remove the `AdministratorAccess` policy from the affected group(s)\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. \n - Rotate secrets or delete API keys as needed to revoke the attacker's access to the environment. 
\n - Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "from logs-aws.cloudtrail-*\n| where event.provider == \"iam.amazonaws.com\" and event.action == \"AttachGroupPolicy\" and event.outcome == \"success\"\n| dissect aws.cloudtrail.request_parameters \"{%{?policyArn}=%{?arn}:%{?aws}:%{?iam}::%{?aws}:%{?policy}/%{policyName},%{?groupName}=%{group.name}}\"\n| where policyName == \"AdministratorAccess\"\n| keep @timestamp, aws.cloudtrail.user_identity.arn, aws.cloudtrail.user_identity.access_key_id, event.action, policyName, group.name, user_agent.original, source.address, source.geo.location\n| sort aws.cloudtrail.user_identity.arn\n", + "references": [ + "https://docs.aws.amazon.com/IAM/latest/APIReference/API_AttachGroupPolicy.html", + "https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AdministratorAccess.html", + "https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/" + ], + "risk_score": 47, + "rule_id": "df919b5e-a0f6-4fd8-8598-e3ce79299e3b", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Data 
Source: AWS IAM", + "Use Case: Identity and Access Audit", + "Tactic: Privilege Escalation", + "Tactic: Persistence", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1098", + "name": "Account Manipulation", + "reference": "https://attack.mitre.org/techniques/T1098/", + "subtechnique": [ + { + "id": "T1098.003", + "name": "Additional Cloud Roles", + "reference": "https://attack.mitre.org/techniques/T1098/003/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1098", + "name": "Account Manipulation", + "reference": "https://attack.mitre.org/techniques/T1098/", + "subtechnique": [ + { + "id": "T1098.003", + "name": "Additional Cloud Roles", + "reference": "https://attack.mitre.org/techniques/T1098/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "esql", + "version": 1 + }, + "id": "df919b5e-a0f6-4fd8-8598-e3ce79299e3b_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e8c9ff14-fd1e-11ee-a0df-f661ea17fbce_1.json b/packages/security_detection_engine/kibana/security_rule/e8c9ff14-fd1e-11ee-a0df-f661ea17fbce_1.json new file mode 100644 index 00000000000..0f0fcda98ac --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/e8c9ff14-fd1e-11ee-a0df-f661ea17fbce_1.json 
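Review bot: The false-positive guidance inside `note` is stale for this rule: it tells the analyst to verify the `iam:AttachUserPolicy` permission and `target.userName`, but this rule matches `AttachGroupPolicy` and the query exposes `group.name`, not a user name. Suggest rewording that sentence to refer to the `iam:AttachGroupPolicy` permission and to `group.name` as the object being granted full administrative access, so the analyst checks the right permission and field during triage. The rest of the guide (identity, source IP, rotation and policy removal steps) already reads correctly for the group case.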
@@ -0,0 +1,97 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies an AWS S3 bucket policy change to share permissions with an external account. Adversaries may attempt to backdoor an S3 bucket by sharing it with an external account. This can be used to exfiltrate data or to provide access to other adversaries. This rule identifies changes to a bucket policy via the `PutBucketPolicy` API call where the policy includes an `Effect=Allow` statement that does not contain the AWS account ID of the bucket owner.", + "false_positives": [ + "Legitimate changes to share an S3 bucket with an external account may be identified as false positive but are not best practice." + ], + "index": [ + "filebeat-*", + "logs-aws.cloudtrail-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "AWS S3 Bucket Policy Added to Share with External Account", + "note": "\n## Triage and Analysis\n\n### Investigating AWS S3 Bucket Policy Change to Share with External Account\n\nThis rule detects when an AWS S3 bucket policy is changed to share permissions with an external account. Adversaries may attempt to backdoor an S3 bucket by sharing it with an external account to exfiltrate data or provide access to other adversaries. This rule identifies changes to a bucket policy via the `PutBucketPolicy` API call where the policy includes an `Effect=Allow` statement that does not contain the AWS account ID of the bucket owner.\n\n#### Possible Investigation Steps:\n\n- **Identify the Actor**: Review the `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.access_key_id` fields to identify who made the change. Verify if this actor typically performs such actions and if they have the necessary permissions.\n- **Review the Request Details**: Examine the `aws.cloudtrail.request_parameters` to understand the specific changes made to the bucket policy. 
Look for any unusual parameters that could suggest unauthorized or malicious modifications.\n- **Analyze the Source of the Request**: Investigate the `source.ip` and `source.geo` fields to determine the geographical origin of the request. An external or unexpected location might indicate compromised credentials or unauthorized access.\n- **Contextualize with Timestamp**: Use the `@timestamp` field to check when the change occurred. Modifications during non-business hours or outside regular maintenance windows might require further scrutiny.\n- **Correlate with Other Activities**: Search for related CloudTrail events before and after this change to see if the same actor or IP address engaged in other potentially suspicious activities.\n\n### False Positive Analysis:\n\n- **Legitimate Administrative Actions**: Confirm if the bucket policy change aligns with scheduled updates, development activities, or legitimate administrative tasks documented in change management systems.\n- **Consistency Check**: Compare the action against historical data of similar actions performed by the user or within the organization. 
If the action is consistent with past legitimate activities, it might indicate a false alarm.\n- **Verify through Outcomes**: Check the `aws.cloudtrail.response_elements` and the `event.outcome` to confirm if the change was successful and intended according to policy.\n\n### Response and Remediation:\n\n- **Immediate Review and Reversal if Necessary**: If the change was unauthorized, update the bucket policy to remove any unauthorized permissions and restore it to its previous state.\n- **Enhance Monitoring and Alerts**: Adjust monitoring systems to alert on similar actions, especially those involving sensitive data or permissions.\n- **Educate and Train**: Provide additional training to users with administrative rights on the importance of security best practices concerning bucket policy management and sharing permissions.\n- **Audit Bucket Policies and Permissions**: Conduct a comprehensive audit of all bucket policies and associated permissions to ensure they adhere to the principle of least privilege.\n- **Incident Response**: If there's an indication of malicious intent or a security breach, initiate the incident response protocol to mitigate any damage and prevent future occurrences.\n\n### Additional Information:\n\nFor further guidance on managing S3 bucket policies and securing AWS environments, refer to the [AWS S3 documentation](https://docs.aws.amazon.com/AmazonS3/latest/userguide/enable-cloudtrail-logging-for-s3.html) and AWS best practices for security.\n", + "query": "any where event.dataset == \"aws.cloudtrail\"\n and event.provider == \"s3.amazonaws.com\"\n and event.action == \"PutBucketPolicy\" and event.outcome == \"success\"\n and stringContains(aws.cloudtrail.request_parameters, \"Effect=Allow\")\n and not stringContains(aws.cloudtrail.request_parameters, aws.cloudtrail.recipient_account_id)\n", + "references": [ + "https://stratus-red-team.cloud/attack-techniques/AWS/aws.exfiltration.s3-backdoor-bucket-policy/", + 
"https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketPolicy.html" + ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "aws.cloudtrail.recipient_account_id", + "type": "keyword" + }, + { + "ecs": false, + "name": "aws.cloudtrail.request_parameters", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "e8c9ff14-fd1e-11ee-a0df-f661ea17fbce", + "setup": "\n## Setup\n\nS3 data event types must be collected in the AWS CloudTrail logs. Please refer to [AWS documentation](https://docs.aws.amazon.com/AmazonS3/latest/userguide/enable-cloudtrail-logging-for-s3.html) for more information.\n", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Data Source: AWS S3", + "Use Case: Threat Detection", + "Tactic: Exfiltration" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0010", + "name": "Exfiltration", + "reference": "https://attack.mitre.org/tactics/TA0010/" + }, + "technique": [ + { + "id": "T1537", + "name": "Transfer Data to Cloud Account", + "reference": "https://attack.mitre.org/techniques/T1537/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 + }, + "id": "e8c9ff14-fd1e-11ee-a0df-f661ea17fbce_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6_311.json b/packages/security_detection_engine/kibana/security_rule/ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6_311.json new file mode 100644 index 00000000000..32179790e65 
--- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6_311.json 
@@ -0,0 +1,92 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the password log file from the default Mimikatz memssp module.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.file-*", + "logs-windows.sysmon_operational-*", + "endgame-*", + "logs-sentinel_one_cloud_funnel.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Mimikatz Memssp Log File Detected", + "note": "## Triage and analysis\n\n### Investigating Mimikatz Memssp Log File Detected\n\n[Mimikatz](https://github.com/gentilkiwi/mimikatz) is an open-source tool used to collect, decrypt, and/or use cached credentials. This tool is commonly abused by adversaries during the post-compromise stage where adversaries have gained an initial foothold on an endpoint and are looking to elevate privileges and seek out additional authentication objects such as tokens/hashes/credentials that can then be used to laterally move and pivot across a network.\n\nThis rule looks for the creation of a file named `mimilsa.log`, which is generated when using the Mimikatz misc::memssp module, which injects a malicious Windows SSP to collect locally authenticated credentials, which includes the computer account password, running service credentials, and any accounts that logon.\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate potentially compromised accounts. 
Analysts can do this by searching for login events (e.g., 4624) to the target host.\n- Retrieve and inspect the log file contents.\n- Search for DLL files created in the same location as the log file, and retrieve unsigned DLLs.\n - Use the PowerShell Get-FileHash cmdlet to get the SHA-256 hash value of these files.\n - Search for the existence of these files in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n - Identify the process that created the DLL using file creation events.\n\n### False positive analysis\n\n- This file name `mimilsa.log` should not legitimately be created.\n\n### Related rules\n\n- Mimikatz Powershell Module Activity - ac96ceb8-4399-4191-af1d-4feeac1f1f46\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the host is a Domain Controller (DC):\n - Activate your incident response plan for total Active Directory compromise.\n - Review the privileges assigned to users that can access the DCs to ensure that the least privilege principle is being followed and reduce the attack surface.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Reboot the host to remove the injected SSP from memory.\n- Reimage the host operating system or restore compromised files to clean versions.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "file where host.os.type == \"windows\" and file.name : \"mimilsa.log\" and process.name : \"lsass.exe\"\n", + "references": [ + "https://www.elastic.co/security-labs/detect-credential-access" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + }, + { + "package": "sentinel_one_cloud_funnel", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Data Source: SentinelOne" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + 
"name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 311 + }, + "id": "ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6_311", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f18a474c-3632-427f-bcf5-363c994309ee_1.json b/packages/security_detection_engine/kibana/security_rule/f18a474c-3632-427f-bcf5-363c994309ee_1.json new file mode 100644 index 00000000000..6c654bbc61b --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/f18a474c-3632-427f-bcf5-363c994309ee_1.json 
@@ -0,0 +1,93 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule detects the use of the setcap utility to set capabilities on a process. The setcap utility is used to set the capabilities of a binary to allow it to perform privileged operations without needing to run as root. This can be used by attackers to establish persistence by creating a backdoor, or escalate privileges by abusing a misconfiguration on a system.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.process*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Process Capability Set via setcap Utility", + "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"exec\", \"exec_event\") and\nprocess.name == \"setcap\" and not (\n process.parent.executable == null or\n process.parent.executable : (\"/var/lib/dpkg/*\", \"/var/lib/docker/*\", \"/tmp/newroot/*\", \"/var/tmp/newroot/*\") or \n process.parent.name in (\"jem\", \"vzctl\")\n)\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "f18a474c-3632-427f-bcf5-363c994309ee", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Privilege Escalation", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 + }, + "id": "f18a474c-3632-427f-bcf5-363c994309ee_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f28e2be4-6eca-4349-bdd9-381573730c22_110.json b/packages/security_detection_engine/kibana/security_rule/f28e2be4-6eca-4349-bdd9-381573730c22_110.json new file mode 100644 index 00000000000..167eacb8d56 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/f28e2be4-6eca-4349-bdd9-381573730c22_110.json 
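Review bot: The rule ships without a `note` investigation guide or a `false_positives` entry, even though the exclusions in `query` encode several known benign parents (dpkg, docker, newroot, jem, vzctl) whose rationale is only recoverable by reading the query. Package managers on non-Debian hosts (rpm/yum scriptlets that invoke setcap during install) are not excluded and will likely alert on routine installs, so a `false_positives` entry such as `"Package installation scripts and container build steps commonly invoke setcap to grant capabilities to binaries."` would help triage. Both `threat` entries have empty `technique` arrays; a tactic-only mapping is acceptable, but T1548.001 (Setuid and Setgid, under Abuse Elevation Control Mechanism) is a candidate for the Privilege Escalation entry if the authors consider it a fit. Finally, `process.parent.executable == null` is excluded, so events missing parent information are silently dropped; documenting that dependency avoids it being mistaken for a data-source gap later.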
@@ -0,0 +1,113 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a Secure Shell (SSH) client or server process creating or writing to a known SSH backdoor log file. Adversaries may modify SSH related binaries for persistence or credential access via patching sensitive functions to enable unauthorized access or to log SSH credentials for exfiltration.", + "false_positives": [ + "Updates to approved and trusted SSH executables can trigger this rule." + ], + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential OpenSSH Backdoor Logging Activity", + "query": "file where host.os.type == \"linux\" and event.type == \"change\" and process.executable : (\"/usr/sbin/sshd\", \"/usr/bin/ssh\") and\n (\n (file.name : (\".*\", \"~*\", \"*~\") and not file.name : (\".cache\", \".viminfo\", \".bash_history\", \".google_authenticator\",\n \".jelenv\", \".csvignore\", \".rtreport\")) or\n file.extension : (\"in\", \"out\", \"ini\", \"h\", \"gz\", \"so\", \"sock\", \"sync\", \"0\", \"1\", \"2\", \"3\", \"4\", \"5\", \"6\", \"7\", \"8\", \"9\") or\n file.path :\n (\n \"/private/etc/*--\",\n \"/usr/share/*\",\n \"/usr/include/*\",\n \"/usr/local/include/*\",\n \"/private/tmp/*\",\n \"/private/var/tmp/*\",\n \"/usr/tmp/*\",\n \"/usr/share/man/*\",\n \"/usr/local/share/*\",\n \"/usr/lib/*.so.*\",\n \"/private/etc/ssh/.sshd_auth\",\n \"/usr/bin/ssd\",\n \"/private/var/opt/power\",\n \"/private/etc/ssh/ssh_known_hosts\",\n \"/private/var/html/lol\",\n \"/private/var/log/utmp\",\n \"/private/var/lib\",\n \"/var/run/sshd/sshd.pid\",\n \"/var/run/nscd/ns.pid\",\n \"/var/run/udev/ud.pid\",\n \"/var/run/udevd.pid\"\n )\n )\n", + "references": [ + "https://github.com/eset/malware-ioc/tree/master/sshdoor", + "https://www.welivesecurity.com/wp-content/uploads/2021/01/ESET_Kobalos.pdf" + ], + "related_integrations": [ + { + "package": "endpoint", + 
"version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "f28e2be4-6eca-4349-bdd9-381573730c22", + "setup": "## Setup\n\nThis rule requires data coming in from one of the following integrations:\n- Elastic Defend\n- Auditbeat\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. 
[Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete \u201cSetup and Run Auditbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n#### Custom Ingest Pipeline\nFor versions <8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html).\n", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Credential Access", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1556", + "name": "Modify Authentication Process", + "reference": "https://attack.mitre.org/techniques/T1556/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1554", + "name": "Compromise Host Software Binary", + "reference": "https://attack.mitre.org/techniques/T1554/" + } + ] + } + ], + 
"timestamp_override": "event.ingested", + "type": "eql", + "version": 110 + }, + "id": "f28e2be4-6eca-4349-bdd9-381573730c22_110", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f3403393-1fd9-4686-8f6e-596c58bc00b4_5.json b/packages/security_detection_engine/kibana/security_rule/f3403393-1fd9-4686-8f6e-596c58bc00b4_5.json new file mode 100644 index 00000000000..85c984f28fc --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/f3403393-1fd9-4686-8f6e-596c58bc00b4_5.json 
@@ -0,0 +1,90 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "A supervised machine learning model has identified a DNS question name that is predicted to be the result of a Domain Generation Algorithm (DGA), which could indicate command and control network activity.", + "from": "now-10m", + "index": [ + "logs-endpoint.events.*", + "logs-network_traffic.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Machine Learning Detected a DNS Request Predicted to be a DGA Domain", + "query": "ml_is_dga.malicious_prediction:1 and not dns.question.registered_domain:avsvmcloud.com\n", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", + "https://docs.elastic.co/en/integrations/dga", + "https://www.elastic.co/security-labs/detect-domain-generation-algorithm-activity-with-new-kibana-integration" + ], + "related_integrations": [ + { + "package": "dga", + "version": "^2.0.0" + }, + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "network_traffic", + "version": "^1.1.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "dns.question.registered_domain", + "type": "keyword" + }, + { + "ecs": false, + "name": "ml_is_dga.malicious_prediction", + "type": "unknown" + } + ], + "risk_score": 21, + "rule_id": "f3403393-1fd9-4686-8f6e-596c58bc00b4", + "setup": "## Setup\n\nThe rule requires the Domain Generation Algorithm (DGA) Detection integration assets to be installed, as well as DNS events collected by integrations such as Elastic Defend, Network Packet Capture, or Packetbeat. 
\n\n### DGA Detection Setup\nThe DGA Detection integration consists of an ML-based framework to detect DGA activity in DNS events.\n\n#### Prerequisite Requirements:\n- Fleet is required for DGA Detection.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- DNS events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint), [Network Packet Capture](https://docs.elastic.co/integrations/network_traffic) integration, or [Packetbeat](https://www.elastic.co/guide/en/beats/packetbeat/current/packetbeat-overview.html).\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n- To add the Network Packet Capture integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide.\n- To set up and run Packetbeat, follow [this](https://www.elastic.co/guide/en/beats/packetbeat/current/setting-up-and-running.html) guide.\n\n#### The following steps should be executed to install assets associated with the DGA Detection integration:\n- Go to the Kibana homepage. 
Under Management, click Integrations.\n- In the query bar, search for Domain Generation Algorithm Detection and select the integration to see more details about it.\n- Follow the instructions under the **Installation** section.\n- For this rule to work, complete the instructions through **Configure the ingest pipeline**.\n", + "severity": "low", + "tags": [ + "Domain: Network", + "Domain: Endpoint", + "Data Source: Elastic Defend", + "Use Case: Domain Generation Algorithm Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Command and Control" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1568", + "name": "Dynamic Resolution", + "reference": "https://attack.mitre.org/techniques/T1568/", + "subtechnique": [ + { + "id": "T1568.002", + "name": "Domain Generation Algorithms", + "reference": "https://attack.mitre.org/techniques/T1568/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 5 + }, + "id": "f3403393-1fd9-4686-8f6e-596c58bc00b4_5", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f48ecc44-7d02-437d-9562-b838d2c41987_1.json b/packages/security_detection_engine/kibana/security_rule/f48ecc44-7d02-437d-9562-b838d2c41987_1.json new file mode 100644 index 00000000000..e00077d2400 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/f48ecc44-7d02-437d-9562-b838d2c41987_1.json 
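Review bot: The `"query"` hard-codes `not dns.question.registered_domain:avsvmcloud.com`, which exempts a domain widely documented as the SUNBURST (SolarWinds) command-and-control domain from a DGA detection, and nothing in the rule explains why (`false_positives` is absent and there is no `note`). Presumably the exclusion exists because that domain is a known DGA sample already covered by another rule or indicator match, but as written a reader cannot distinguish deliberate de-duplication from a suppressed true positive. I would add a `false_positives` entry stating the rationale, e.g. `"false_positives": ["avsvmcloud.com is excluded because coverage for that domain comes from <rule>; without that rule this exclusion suppresses a known C2 domain."]`, or drop the exclusion if no such coverage exists. Separately, `logs-network_traffic.*` is in `index` and Packetbeat/Network Packet Capture are named in `setup`, but `tags` only lists `Data Source: Elastic Defend`; adding the corresponding data-source tag keeps tagging consistent with the indexed sources.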
@@ -0,0 +1,121 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule monitors for the creation or modification of Pluggable Authentication Module (PAM) shared object files or configuration files. Attackers may create or modify these files to maintain persistence on a compromised system, or harvest account credentials.", + "false_positives": [ + "Trusted system module updates or allowed Pluggable Authentication Module (PAM) daemon configuration changes." + ], + "from": "now-9m", + "index": [ + "logs-endpoint.events.file*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Creation or Modification of Pluggable Authentication Module or Configuration", + "query": "file where host.os.type == \"linux\" and event.action in (\"rename\", \"creation\") and \nprocess.executable != null and (\n (file.path : (\"/lib/security/*\", \"/lib64/security/*\", \"/usr/lib/security/*\", \"/usr/lib64/security/*\",\n \"/usr/lib/x86_64-linux-gnu/security/*\") and file.extension == \"so\") or\n (file.path : \"/etc/pam.d/*\" and file.extension == null) or \n (file.path : \"/etc/security/pam_*\" or file.path == \"/etc/pam.conf\")\n) and not (\n process.executable in (\n \"/bin/dpkg\", \"/usr/bin/dpkg\", \"/bin/dockerd\", \"/usr/bin/dockerd\", \"/usr/sbin/dockerd\", \"/bin/microdnf\",\n \"/usr/bin/microdnf\", \"/bin/rpm\", \"/usr/bin/rpm\", \"/bin/snapd\", \"/usr/bin/snapd\", \"/bin/yum\", \"/usr/bin/yum\",\n \"/bin/dnf\", \"/usr/bin/dnf\", \"/bin/podman\", \"/usr/bin/podman\", \"/bin/dnf-automatic\", \"/usr/bin/dnf-automatic\",\n \"/bin/pacman\", \"/usr/bin/pacman\", \"/usr/bin/dpkg-divert\", \"/bin/dpkg-divert\", \"/sbin/apk\", \"/usr/sbin/apk\",\n \"/usr/local/sbin/apk\", \"/usr/bin/apt\", \"/usr/sbin/pacman\", \"/bin/podman\", \"/usr/bin/podman\", \"/usr/bin/puppet\",\n \"/bin/puppet\", \"/opt/puppetlabs/puppet/bin/puppet\", \"/usr/bin/chef-client\", \"/bin/chef-client\",\n \"/bin/autossl_check\", \"/usr/bin/autossl_check\", 
\"/proc/self/exe\", \"/dev/fd/*\", \"/usr/bin/pamac-daemon\",\n \"/bin/pamac-daemon\", \"/usr/lib/snapd/snapd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/pam-auth-update\",\n \"/usr/lib/systemd/systemd\", \"/usr/libexec/packagekitd\", \"/usr/bin/bsdtar\"\n ) or\n file.path : (\n \"/tmp/snap.rootfs_*/pam_*.so\", \"/tmp/newroot/lib/*/pam_*.so\", \"/tmp/newroot/usr/lib64/security/pam_*.so\"\n ) or\n file.extension in (\"swp\", \"swpx\", \"swx\", \"dpkg-remove\") or\n file.Ext.original.extension == \"dpkg-new\" or\n process.executable : (\n \"/nix/store/*\", \"/var/lib/dpkg/*\", \"/snap/*\", \"/dev/fd/*\", \"/usr/lib/virtualbox/*\"\n ) or\n (process.name == \"sed\" and file.name : \"sed*\") or\n (process.name == \"perl\" and file.name : \"e2scrub_all.tmp*\") \n)\n", + "references": [ + "https://github.com/zephrax/linux-pam-backdoor", + "https://github.com/eurialo/pambd", + "http://0x90909090.blogspot.com/2016/06/creating-backdoor-in-pam-in-5-line-of.html", + "https://www.trendmicro.com/en_us/research/19/i/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload.html" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": false, + "name": "file.Ext.original.extension", + "type": "unknown" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "f48ecc44-7d02-437d-9562-b838d2c41987", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: 
Credential Access", + "Tactic: Persistence", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1543", + "name": "Create or Modify System Process", + "reference": "https://attack.mitre.org/techniques/T1543/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1556", + "name": "Modify Authentication Process", + "reference": "https://attack.mitre.org/techniques/T1556/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 + }, + "id": "f48ecc44-7d02-437d-9562-b838d2c41987_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/fa488440-04cc-41d7-9279-539387bf2a17_211.json b/packages/security_detection_engine/kibana/security_rule/fa488440-04cc-41d7-9279-539387bf2a17_211.json new file mode 100644 index 00000000000..0aff73cbb68 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/fa488440-04cc-41d7-9279-539387bf2a17_211.json 
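Review bot: The exclusion list in `"query"` lets any process whose `process.executable` is `/proc/self/exe`, or matches `/dev/fd/*`, write PAM shared objects and `/etc/pam.d/*` entries without alerting, which is exactly the self-re-exec / memfd-style path a backdoor installer would take; if those entries exist to silence a specific packaging or container tool, the tool's real path should be listed instead, or the exemption narrowed with a `process.parent.executable` or `file.path` condition. Within the same `process.executable in (...)` list, `\"/dev/fd/*\"` is a literal string (EQL `in` does exact comparison, not wildcard matching, so that entry is dead and only the later `process.executable : (... \"/dev/fd/*\" ...)` clause has effect), and `/bin/podman` and `/usr/bin/podman` appear twice. The name and description promise "creation or modification" but `event.action in (\"rename\", \"creation\")` never matches a `modification` event, so an in-place edit of an existing `/etc/pam.d/common-auth` would not alert; if that omission is a deliberate noise trade-off it should be recorded in `false_positives`, otherwise the action list should be extended.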
@@ -0,0 +1,115 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the creation of the Antimalware Scan Interface (AMSI) DLL in an unusual location. This may indicate an attempt to bypass AMSI by loading a rogue AMSI module instead of the legit one.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.file-*", + "logs-windows.sysmon_operational-*", + "endgame-*", + "logs-sentinel_one_cloud_funnel.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Antimalware Scan Interface DLL", + "note": "## Triage and analysis\n\n### Investigating Suspicious Antimalware Scan Interface DLL\n\nThe Windows Antimalware Scan Interface (AMSI) is a versatile interface standard that allows your applications and services to integrate with any antimalware product on a machine. AMSI integrates with multiple Windows components, ranging from User Account Control (UAC) to VBA macros and PowerShell.\n\nAttackers might copy a rogue AMSI DLL to an unusual location to prevent the process from loading the legitimate module, achieving a bypass to execute malicious code.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the process that created the DLL and which account was used.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the execution of scripts and macros after the registry modification.\n- Investigate other processes launched from the directory that the DLL was created.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe:\n - Observe and collect information about the following activities in the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON 
services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n\n### False positive analysis\n\n- This modification should not happen legitimately. Any potential benign true positive (B-TP) should be mapped and monitored by the security team as these modifications expose the host to malware infections.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and file.path != null and\n file.name : (\"amsi.dll\", \"amsi\") and not file.path : (\"?:\\\\Windows\\\\system32\\\\amsi.dll\", \"?:\\\\Windows\\\\Syswow64\\\\amsi.dll\", \"?:\\\\$WINDOWS.~BT\\\\NewOS\\\\Windows\\\\WinSXS\\\\*\", \"?:\\\\$WINDOWS.~BT\\\\NewOS\\\\Windows\\\\servicing\\\\LCU\\\\*\", \"?:\\\\$WINDOWS.~BT\\\\Work\\\\*\\\\*\", \"?:\\\\Windows\\\\SoftwareDistribution\\\\Download\\\\*\")\n", + "references": [ + "https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell" + ], + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + }, + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "sentinel_one_cloud_funnel", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "fa488440-04cc-41d7-9279-539387bf2a17", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Data Source: SentinelOne" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": 
"https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + } + ] + }, + { + "id": "T1574", + "name": "Hijack Execution Flow", + "reference": "https://attack.mitre.org/techniques/T1574/", + "subtechnique": [ + { + "id": "T1574.001", + "name": "DLL Search Order Hijacking", + "reference": "https://attack.mitre.org/techniques/T1574/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 211 + }, + "id": "fa488440-04cc-41d7-9279-539387bf2a17_211", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/fb01d790-9f74-4e76-97dd-b4b0f7bf6435_105.json b/packages/security_detection_engine/kibana/security_rule/fb01d790-9f74-4e76-97dd-b4b0f7bf6435_105.json new file mode 100644 index 00000000000..19094c471ed --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/fb01d790-9f74-4e76-97dd-b4b0f7bf6435_105.json 
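Review bot: The investigation guide in `"note"` carries a copy-paste leftover: the step `- Investigate the execution of scripts and macros after the registry modification.` refers to a registry change, but this rule fires on a file event (`file where ... file.name : (\"amsi.dll\", \"amsi\")`) and never inspects the registry, so the analyst is pointed at the wrong artifact; it should read `- Investigate the execution of scripts and macros after the DLL was created.`. The exclusion list admits only `system32`/`Syswow64`, the `$WINDOWS.~BT` upgrade trees and `SoftwareDistribution\\Download`, whereas the sibling rule in this same changeset (fb01d790, `Potential Masquerading as System32 DLL`) treats `?:\\Windows\\WinSxS\\*` as an expected servicing location; if component-store writes of `amsi.dll` during cumulative-update installs occur on live systems they will alert here at `risk_score` 73, so either add that path or confirm the omission is intentional and say so in the note. The false-positive section's statement `This modification should not happen legitimately` is also too strong given the update-path exclusions already in the query; I would qualify it to "outside OS servicing, this creation should not happen legitimately".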
@@ -0,0 +1,143 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "building_block_type": "default", + "description": "Identifies suspicious instances of default system32 DLLs either unsigned or signed with non-MS certificates. This can potentially indicate the attempt to masquerade as system DLLs, perform DLL Search Order Hijacking or backdoor and resign legitimate DLLs.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.library-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Masquerading as System32 DLL", + "query": "library where event.action == \"load\" and dll.Ext.relative_file_creation_time <= 3600 and\n not (\n dll.path : (\n \"?:\\\\Windows\\\\System32\\\\*\",\n \"?:\\\\Windows\\\\SysWOW64\\\\*\",\n \"?:\\\\Windows\\\\SystemTemp\\\\*\",\n \"?:\\\\$WINDOWS.~BT\\\\NewOS\\\\Windows\\\\WinSxS\\\\*\",\n \"?:\\\\$WINDOWS.~BT\\\\NewOS\\\\Windows\\\\System32\\\\*\",\n \"?:\\\\$WINDOWS.~BT\\\\Sources\\\\*\",\n \"?:\\\\$WINDOWS.~BT\\\\Work\\\\*\",\n \"?:\\\\Windows\\\\WinSxS\\\\*\",\n \"?:\\\\Windows\\\\SoftwareDistribution\\\\Download\\\\*\",\n \"?:\\\\Windows\\\\assembly\\\\NativeImages_v*\"\n )\n ) and\n not (\n dll.code_signature.subject_name in (\n \"Microsoft Windows\",\n \"Microsoft Corporation\",\n \"Microsoft Windows Hardware Abstraction Layer Publisher\",\n \"Microsoft Windows Publisher\",\n \"Microsoft Windows 3rd party Component\",\n \"Microsoft 3rd Party Application Component\"\n ) and dll.code_signature.trusted == true\n ) and not dll.code_signature.status : (\"errorCode_endpoint*\", \"errorUntrustedRoot\", \"errorChaining\") and\n dll.name : (\n \"aadauthhelper.dll\", \"aadcloudap.dll\", \"aadjcsp.dll\", \"aadtb.dll\", \"aadwamextension.dll\", \"aarsvc.dll\", \"abovelockapphost.dll\", \"accessibilitycpl.dll\", \"accountaccessor.dll\", \"accountsrt.dll\", \"acgenral.dll\", \"aclayers.dll\", \"acledit.dll\", \"aclui.dll\", \"acmigration.dll\", \"acppage.dll\", \"acproxy.dll\", \"acspecfc.dll\", 
\"actioncenter.dll\", \"actioncentercpl.dll\", \"actionqueue.dll\", \"activationclient.dll\", \"activeds.dll\", \"activesynccsp.dll\", \"actxprxy.dll\", \"acwinrt.dll\", \"acxtrnal.dll\", \"adaptivecards.dll\", \"addressparser.dll\", \"adhapi.dll\", \"adhsvc.dll\", \"admtmpl.dll\", \"adprovider.dll\", \"adrclient.dll\", \"adsldp.dll\", \"adsldpc.dll\", \"adsmsext.dll\", \"adsnt.dll\", \"adtschema.dll\", \"advancedemojids.dll\", \"advapi32.dll\", \"advapi32res.dll\", \"advpack.dll\", \"aeevts.dll\", \"aeinv.dll\", \"aepic.dll\", \"ajrouter.dll\", \"altspace.dll\", \"amsi.dll\", \"amsiproxy.dll\", \"amstream.dll\", \"apds.dll\", \"aphostclient.dll\", \"aphostres.dll\", \"aphostservice.dll\", \"apisampling.dll\", \"apisetschema.dll\", \"apmon.dll\", \"apmonui.dll\", \"appcontracts.dll\", \"appextension.dll\", \"apphelp.dll\", \"apphlpdm.dll\", \"appidapi.dll\", \"appidsvc.dll\", \"appinfo.dll\", \"appinfoext.dll\", \"applicationframe.dll\", \"applockercsp.dll\", \"appmgmts.dll\", \"appmgr.dll\", \"appmon.dll\", \"appointmentapis.dll\", \"appraiser.dll\", \"appreadiness.dll\", \"apprepapi.dll\", \"appresolver.dll\", \"appsruprov.dll\", \"appvcatalog.dll\", \"appvclientps.dll\", \"appvetwclientres.dll\", \"appvintegration.dll\", \"appvmanifest.dll\", \"appvpolicy.dll\", \"appvpublishing.dll\", \"appvreporting.dll\", \"appvscripting.dll\", \"appvsentinel.dll\", \"appvstreamingux.dll\", \"appvstreammap.dll\", \"appvterminator.dll\", \"appxalluserstore.dll\", \"appxpackaging.dll\", \"appxsip.dll\", \"appxsysprep.dll\", \"archiveint.dll\", \"asferror.dll\", \"aspnet_counters.dll\", \"asycfilt.dll\", \"atl.dll\", \"atlthunk.dll\", \"atmlib.dll\", \"audioeng.dll\", \"audiohandlers.dll\", \"audiokse.dll\", \"audioses.dll\", \"audiosrv.dll\", \"auditcse.dll\", \"auditpolcore.dll\", \"auditpolmsg.dll\", \"authbroker.dll\", \"authbrokerui.dll\", \"authentication.dll\", \"authext.dll\", \"authfwcfg.dll\", \"authfwgp.dll\", \"authfwsnapin.dll\", \"authfwwizfwk.dll\", 
\"authhostproxy.dll\", \"authui.dll\", \"authz.dll\", \"autopilot.dll\", \"autopilotdiag.dll\", \"autoplay.dll\", \"autotimesvc.dll\", \"avicap32.dll\", \"avifil32.dll\", \"avrt.dll\", \"axinstsv.dll\", \"azroles.dll\", \"azroleui.dll\", \"azsqlext.dll\", \"basecsp.dll\", \"basesrv.dll\", \"batmeter.dll\", \"bcastdvrbroker.dll\", \"bcastdvrclient.dll\", \"bcastdvrcommon.dll\", \"bcd.dll\", \"bcdprov.dll\", \"bcdsrv.dll\", \"bcp47langs.dll\", \"bcp47mrm.dll\", \"bcrypt.dll\", \"bcryptprimitives.dll\", \"bdehdcfglib.dll\", \"bderepair.dll\", \"bdesvc.dll\", \"bdesysprep.dll\", \"bdeui.dll\", \"bfe.dll\", \"bi.dll\", \"bidispl.dll\", \"bindfltapi.dll\", \"bingasds.dll\", \"bingfilterds.dll\", \"bingmaps.dll\", \"biocredprov.dll\", \"bisrv.dll\", \"bitlockercsp.dll\", \"bitsigd.dll\", \"bitsperf.dll\", \"bitsproxy.dll\", \"biwinrt.dll\", \"blbevents.dll\", \"blbres.dll\", \"blb_ps.dll\", \"bluetoothapis.dll\", \"bnmanager.dll\", \"bootmenuux.dll\", \"bootstr.dll\", \"bootux.dll\", \"bootvid.dll\", \"bridgeres.dll\", \"brokerlib.dll\", \"browcli.dll\", \"browserbroker.dll\", \"browseui.dll\", \"btagservice.dll\", \"bthavctpsvc.dll\", \"bthavrcp.dll\", \"bthavrcpappsvc.dll\", \"bthci.dll\", \"bthpanapi.dll\", \"bthradiomedia.dll\", \"bthserv.dll\", \"bthtelemetry.dll\", \"btpanui.dll\", \"bwcontexthandler.dll\", \"cabapi.dll\", \"cabinet.dll\", \"cabview.dll\", \"callbuttons.dll\", \"cameracaptureui.dll\", \"capauthz.dll\", \"capiprovider.dll\", \"capisp.dll\", \"captureservice.dll\", \"castingshellext.dll\", \"castlaunch.dll\", \"catsrv.dll\", \"catsrvps.dll\", \"catsrvut.dll\", \"cbdhsvc.dll\", \"cca.dll\", \"cdd.dll\", \"cdosys.dll\", \"cdp.dll\", \"cdprt.dll\", \"cdpsvc.dll\", \"cdpusersvc.dll\", \"cemapi.dll\", \"certca.dll\", \"certcli.dll\", \"certcredprovider.dll\", \"certenc.dll\", \"certenroll.dll\", \"certenrollui.dll\", \"certmgr.dll\", \"certpkicmdlet.dll\", \"certpoleng.dll\", \"certprop.dll\", \"cewmdm.dll\", \"cfgbkend.dll\", \"cfgmgr32.dll\", 
\"cfgspcellular.dll\", \"cfgsppolicy.dll\", \"cflapi.dll\", \"cfmifs.dll\", \"cfmifsproxy.dll\", \"chakra.dll\", \"chakradiag.dll\", \"chakrathunk.dll\", \"chartv.dll\", \"chatapis.dll\", \"chkwudrv.dll\", \"chsstrokeds.dll\", \"chtbopomofods.dll\", \"chtcangjieds.dll\", \"chthkstrokeds.dll\", \"chtquickds.dll\", \"chxapds.dll\", \"chxdecoder.dll\", \"chxhapds.dll\", \"chxinputrouter.dll\", \"chxranker.dll\", \"ci.dll\", \"cic.dll\", \"cimfs.dll\", \"circoinst.dll\", \"ciwmi.dll\", \"clb.dll\", \"clbcatq.dll\", \"cldapi.dll\", \"cleanpccsp.dll\", \"clfsw32.dll\", \"cliconfg.dll\", \"clipboardserver.dll\", \"clipc.dll\", \"clipsvc.dll\", \"clipwinrt.dll\", \"cloudap.dll\", \"cloudidsvc.dll\", \"clrhost.dll\", \"clusapi.dll\", \"cmcfg32.dll\", \"cmdext.dll\", \"cmdial32.dll\", \"cmgrcspps.dll\", \"cmifw.dll\", \"cmintegrator.dll\", \"cmlua.dll\", \"cmpbk32.dll\", \"cmstplua.dll\", \"cmutil.dll\", \"cngcredui.dll\", \"cngprovider.dll\", \"cnvfat.dll\", \"cofiredm.dll\", \"colbact.dll\", \"colorcnv.dll\", \"colorui.dll\", \"combase.dll\", \"comcat.dll\", \"comctl32.dll\", \"comdlg32.dll\", \"coml2.dll\", \"comppkgsup.dll\", \"compstui.dll\", \"computecore.dll\", \"computenetwork.dll\", \"computestorage.dll\", \"comrepl.dll\", \"comres.dll\", \"comsnap.dll\", \"comsvcs.dll\", \"comuid.dll\", \"configmanager2.dll\", \"conhostv1.dll\", \"connect.dll\", \"consentux.dll\", \"consentuxclient.dll\", \"console.dll\", \"consolelogon.dll\", \"contactapis.dll\", \"container.dll\", \"coredpus.dll\", \"coreglobconfig.dll\", \"coremas.dll\", \"coremessaging.dll\", \"coremmres.dll\", \"coreshell.dll\", \"coreshellapi.dll\", \"coreuicomponents.dll\", \"correngine.dll\", \"courtesyengine.dll\", \"cpfilters.dll\", \"creddialogbroker.dll\", \"credprovhelper.dll\", \"credprovhost.dll\", \"credprovs.dll\", \"credprovslegacy.dll\", \"credssp.dll\", \"credui.dll\", \"crypt32.dll\", \"cryptbase.dll\", \"cryptcatsvc.dll\", \"cryptdlg.dll\", \"cryptdll.dll\", \"cryptext.dll\", \"cryptnet.dll\", 
\"cryptngc.dll\", \"cryptowinrt.dll\", \"cryptsp.dll\", \"cryptsvc.dll\", \"crypttpmeksvc.dll\", \"cryptui.dll\", \"cryptuiwizard.dll\", \"cryptxml.dll\", \"cscapi.dll\", \"cscdll.dll\", \"cscmig.dll\", \"cscobj.dll\", \"cscsvc.dll\", \"cscui.dll\", \"csplte.dll\", \"cspproxy.dll\", \"csrsrv.dll\", \"cxcredprov.dll\", \"c_g18030.dll\", \"c_gsm7.dll\", \"c_is2022.dll\", \"c_iscii.dll\", \"d2d1.dll\", \"d3d10.dll\", \"d3d10core.dll\", \"d3d10level9.dll\", \"d3d10warp.dll\", \"d3d10_1.dll\", \"d3d10_1core.dll\", \"d3d11.dll\", \"d3d11on12.dll\", \"d3d12.dll\", \"d3d12core.dll\", \"d3d8thk.dll\", \"d3d9.dll\", \"d3d9on12.dll\", \"d3dscache.dll\", \"dab.dll\", \"dabapi.dll\", \"daconn.dll\", \"dafbth.dll\", \"dafdnssd.dll\", \"dafescl.dll\", \"dafgip.dll\", \"dafiot.dll\", \"dafipp.dll\", \"dafmcp.dll\", \"dafpos.dll\", \"dafprintprovider.dll\", \"dafupnp.dll\", \"dafwcn.dll\", \"dafwfdprovider.dll\", \"dafwiprov.dll\", \"dafwsd.dll\", \"damediamanager.dll\", \"damm.dll\", \"das.dll\", \"dataclen.dll\", \"datusage.dll\", \"davclnt.dll\", \"davhlpr.dll\", \"davsyncprovider.dll\", \"daxexec.dll\", \"dbgcore.dll\", \"dbgeng.dll\", \"dbghelp.dll\", \"dbgmodel.dll\", \"dbnetlib.dll\", \"dbnmpntw.dll\", \"dciman32.dll\", \"dcntel.dll\", \"dcomp.dll\", \"ddaclsys.dll\", \"ddcclaimsapi.dll\", \"ddds.dll\", \"ddisplay.dll\", \"ddoiproxy.dll\", \"ddores.dll\", \"ddpchunk.dll\", \"ddptrace.dll\", \"ddputils.dll\", \"ddp_ps.dll\", \"ddraw.dll\", \"ddrawex.dll\", \"defragproxy.dll\", \"defragres.dll\", \"defragsvc.dll\", \"deploymentcsps.dll\", \"deskadp.dll\", \"deskmon.dll\", \"desktopshellext.dll\", \"devenum.dll\", \"deviceaccess.dll\", \"devicecenter.dll\", \"devicecredential.dll\", \"devicepairing.dll\", \"deviceuxres.dll\", \"devinv.dll\", \"devmgr.dll\", \"devobj.dll\", \"devpropmgr.dll\", \"devquerybroker.dll\", \"devrtl.dll\", \"dfdts.dll\", \"dfscli.dll\", \"dfshim.dll\", \"dfsshlex.dll\", \"dggpext.dll\", \"dhcpcmonitor.dll\", \"dhcpcore.dll\", \"dhcpcore6.dll\", 
\"dhcpcsvc.dll\", \"dhcpcsvc6.dll\", \"dhcpsapi.dll\", \"diagcpl.dll\", \"diagnosticlogcsp.dll\", \"diagperf.dll\", \"diagsvc.dll\", \"diagtrack.dll\", \"dialclient.dll\", \"dialserver.dll\", \"dictationmanager.dll\", \"difxapi.dll\", \"dimsjob.dll\", \"dimsroam.dll\", \"dinput.dll\", \"dinput8.dll\", \"direct2ddesktop.dll\", \"directml.dll\", \"discan.dll\", \"dismapi.dll\", \"dispbroker.dll\", \"dispex.dll\", \"display.dll\", \"displaymanager.dll\", \"dlnashext.dll\", \"dmappsres.dll\", \"dmcfgutils.dll\", \"dmcmnutils.dll\", \"dmcsps.dll\", \"dmdlgs.dll\", \"dmdskmgr.dll\", \"dmdskres.dll\", \"dmdskres2.dll\", \"dmenrollengine.dll\", \"dmintf.dll\", \"dmiso8601utils.dll\", \"dmloader.dll\", \"dmocx.dll\", \"dmoleaututils.dll\", \"dmpushproxy.dll\", \"dmpushroutercore.dll\", \"dmrcdecoder.dll\", \"dmrserver.dll\", \"dmsynth.dll\", \"dmusic.dll\", \"dmutil.dll\", \"dmvdsitf.dll\", \"dmwappushsvc.dll\", \"dmwmicsp.dll\", \"dmxmlhelputils.dll\", \"dnsapi.dll\", \"dnscmmc.dll\", \"dnsext.dll\", \"dnshc.dll\", \"dnsrslvr.dll\", \"docprop.dll\", \"dolbydecmft.dll\", \"domgmt.dll\", \"dosettings.dll\", \"dosvc.dll\", \"dot3api.dll\", \"dot3cfg.dll\", \"dot3conn.dll\", \"dot3dlg.dll\", \"dot3gpclnt.dll\", \"dot3gpui.dll\", \"dot3hc.dll\", \"dot3mm.dll\", \"dot3msm.dll\", \"dot3svc.dll\", \"dot3ui.dll\", \"dpapi.dll\", \"dpapiprovider.dll\", \"dpapisrv.dll\", \"dpnaddr.dll\", \"dpnathlp.dll\", \"dpnet.dll\", \"dpnhpast.dll\", \"dpnhupnp.dll\", \"dpnlobby.dll\", \"dps.dll\", \"dpx.dll\", \"drprov.dll\", \"drt.dll\", \"drtprov.dll\", \"drttransport.dll\", \"drvsetup.dll\", \"drvstore.dll\", \"dsauth.dll\", \"dsccore.dll\", \"dsccoreconfprov.dll\", \"dsclient.dll\", \"dscproxy.dll\", \"dsctimer.dll\", \"dsdmo.dll\", \"dskquota.dll\", \"dskquoui.dll\", \"dsound.dll\", \"dsparse.dll\", \"dsprop.dll\", \"dsquery.dll\", \"dsreg.dll\", \"dsregtask.dll\", \"dsrole.dll\", \"dssec.dll\", \"dssenh.dll\", \"dssvc.dll\", \"dsui.dll\", \"dsuiext.dll\", \"dswave.dll\", \"dtsh.dll\", 
\"ducsps.dll\", \"dui70.dll\", \"duser.dll\", \"dusmapi.dll\", \"dusmsvc.dll\", \"dwmapi.dll\", \"dwmcore.dll\", \"dwmghost.dll\", \"dwminit.dll\", \"dwmredir.dll\", \"dwmscene.dll\", \"dwrite.dll\", \"dxcore.dll\", \"dxdiagn.dll\", \"dxgi.dll\", \"dxgwdi.dll\", \"dxilconv.dll\", \"dxmasf.dll\", \"dxp.dll\", \"dxpps.dll\", \"dxptasksync.dll\", \"dxtmsft.dll\", \"dxtrans.dll\", \"dxva2.dll\", \"dynamoapi.dll\", \"eapp3hst.dll\", \"eappcfg.dll\", \"eappcfgui.dll\", \"eappgnui.dll\", \"eapphost.dll\", \"eappprxy.dll\", \"eapprovp.dll\", \"eapputil.dll\", \"eapsimextdesktop.dll\", \"eapsvc.dll\", \"eapteapauth.dll\", \"eapteapconfig.dll\", \"eapteapext.dll\", \"easconsent.dll\", \"easwrt.dll\", \"edgeangle.dll\", \"edgecontent.dll\", \"edgehtml.dll\", \"edgeiso.dll\", \"edgemanager.dll\", \"edpauditapi.dll\", \"edpcsp.dll\", \"edptask.dll\", \"edputil.dll\", \"eeprov.dll\", \"eeutil.dll\", \"efsadu.dll\", \"efscore.dll\", \"efsext.dll\", \"efslsaext.dll\", \"efssvc.dll\", \"efsutil.dll\", \"efswrt.dll\", \"ehstorapi.dll\", \"ehstorpwdmgr.dll\", \"ehstorshell.dll\", \"els.dll\", \"elscore.dll\", \"elshyph.dll\", \"elslad.dll\", \"elstrans.dll\", \"emailapis.dll\", \"embeddedmodesvc.dll\", \"emojids.dll\", \"encapi.dll\", \"energy.dll\", \"energyprov.dll\", \"energytask.dll\", \"enrollmentapi.dll\", \"enterpriseapncsp.dll\", \"enterprisecsps.dll\", \"enterpriseetw.dll\", \"eqossnap.dll\", \"errordetails.dll\", \"errordetailscore.dll\", \"es.dll\", \"esclprotocol.dll\", \"esclscan.dll\", \"esclwiadriver.dll\", \"esdsip.dll\", \"esent.dll\", \"esentprf.dll\", \"esevss.dll\", \"eshims.dll\", \"etwrundown.dll\", \"euiccscsp.dll\", \"eventaggregation.dll\", \"eventcls.dll\", \"evr.dll\", \"execmodelclient.dll\", \"execmodelproxy.dll\", \"explorerframe.dll\", \"exsmime.dll\", \"extrasxmlparser.dll\", \"f3ahvoas.dll\", \"facilitator.dll\", \"familysafetyext.dll\", \"faultrep.dll\", \"fcon.dll\", \"fdbth.dll\", \"fdbthproxy.dll\", \"fddevquery.dll\", \"fde.dll\", 
\"fdeploy.dll\", \"fdphost.dll\", \"fdpnp.dll\", \"fdprint.dll\", \"fdproxy.dll\", \"fdrespub.dll\", \"fdssdp.dll\", \"fdwcn.dll\", \"fdwnet.dll\", \"fdwsd.dll\", \"feclient.dll\", \"ffbroker.dll\", \"fhcat.dll\", \"fhcfg.dll\", \"fhcleanup.dll\", \"fhcpl.dll\", \"fhengine.dll\", \"fhevents.dll\", \"fhshl.dll\", \"fhsrchapi.dll\", \"fhsrchph.dll\", \"fhsvc.dll\", \"fhsvcctl.dll\", \"fhtask.dll\", \"fhuxadapter.dll\", \"fhuxapi.dll\", \"fhuxcommon.dll\", \"fhuxgraphics.dll\", \"fhuxpresentation.dll\", \"fidocredprov.dll\", \"filemgmt.dll\", \"filterds.dll\", \"findnetprinters.dll\", \"firewallapi.dll\", \"flightsettings.dll\", \"fltlib.dll\", \"fluencyds.dll\", \"fmapi.dll\", \"fmifs.dll\", \"fms.dll\", \"fntcache.dll\", \"fontext.dll\", \"fontprovider.dll\", \"fontsub.dll\", \"fphc.dll\", \"framedyn.dll\", \"framedynos.dll\", \"frameserver.dll\", \"frprov.dll\", \"fsutilext.dll\", \"fthsvc.dll\", \"fundisc.dll\", \"fveapi.dll\", \"fveapibase.dll\", \"fvecerts.dll\", \"fvecpl.dll\", \"fveskybackup.dll\", \"fveui.dll\", \"fvewiz.dll\", \"fwbase.dll\", \"fwcfg.dll\", \"fwmdmcsp.dll\", \"fwpolicyiomgr.dll\", \"fwpuclnt.dll\", \"fwremotesvr.dll\", \"gameinput.dll\", \"gamemode.dll\", \"gamestreamingext.dll\", \"gameux.dll\", \"gamingtcui.dll\", \"gcdef.dll\", \"gdi32.dll\", \"gdi32full.dll\", \"gdiplus.dll\", \"generaltel.dll\", \"geocommon.dll\", \"geolocation.dll\", \"getuname.dll\", \"glmf32.dll\", \"globinputhost.dll\", \"glu32.dll\", \"gmsaclient.dll\", \"gpapi.dll\", \"gpcsewrappercsp.dll\", \"gpedit.dll\", \"gpprefcl.dll\", \"gpprnext.dll\", \"gpscript.dll\", \"gpsvc.dll\", \"gptext.dll\", \"graphicscapture.dll\", \"graphicsperfsvc.dll\", \"groupinghc.dll\", \"hal.dll\", \"halextpl080.dll\", \"hascsp.dll\", \"hashtagds.dll\", \"hbaapi.dll\", \"hcproviders.dll\", \"hdcphandler.dll\", \"heatcore.dll\", \"helppaneproxy.dll\", \"hgcpl.dll\", \"hhsetup.dll\", \"hid.dll\", \"hidcfu.dll\", \"hidserv.dll\", \"hlink.dll\", \"hmkd.dll\", \"hnetcfg.dll\", 
\"hnetcfgclient.dll\", \"hnetmon.dll\", \"hologramworld.dll\", \"holoshellruntime.dll\", \"holoshextensions.dll\", \"hotplug.dll\", \"hrtfapo.dll\", \"httpapi.dll\", \"httpprxc.dll\", \"httpprxm.dll\", \"httpprxp.dll\", \"httpsdatasource.dll\", \"htui.dll\", \"hvhostsvc.dll\", \"hvloader.dll\", \"hvsigpext.dll\", \"hvsocket.dll\", \"hydrogen.dll\", \"ia2comproxy.dll\", \"ias.dll\", \"iasacct.dll\", \"iasads.dll\", \"iasdatastore.dll\", \"iashlpr.dll\", \"iasmigplugin.dll\", \"iasnap.dll\", \"iaspolcy.dll\", \"iasrad.dll\", \"iasrecst.dll\", \"iassam.dll\", \"iassdo.dll\", \"iassvcs.dll\", \"icfupgd.dll\", \"icm32.dll\", \"icmp.dll\", \"icmui.dll\", \"iconcodecservice.dll\", \"icsigd.dll\", \"icsvc.dll\", \"icsvcext.dll\", \"icu.dll\", \"icuin.dll\", \"icuuc.dll\", \"idctrls.dll\", \"idlisten.dll\", \"idndl.dll\", \"idstore.dll\", \"ieadvpack.dll\", \"ieapfltr.dll\", \"iedkcs32.dll\", \"ieframe.dll\", \"iemigplugin.dll\", \"iepeers.dll\", \"ieproxy.dll\", \"iernonce.dll\", \"iertutil.dll\", \"iesetup.dll\", \"iesysprep.dll\", \"ieui.dll\", \"ifmon.dll\", \"ifsutil.dll\", \"ifsutilx.dll\", \"igddiag.dll\", \"ihds.dll\", \"ikeext.dll\", \"imagehlp.dll\", \"imageres.dll\", \"imagesp1.dll\", \"imapi.dll\", \"imapi2.dll\", \"imapi2fs.dll\", \"imgutil.dll\", \"imm32.dll\", \"implatsetup.dll\", \"indexeddblegacy.dll\", \"inetcomm.dll\", \"inetmib1.dll\", \"inetpp.dll\", \"inetppui.dll\", \"inetres.dll\", \"inked.dll\", \"inkobjcore.dll\", \"inproclogger.dll\", \"input.dll\", \"inputcloudstore.dll\", \"inputcontroller.dll\", \"inputhost.dll\", \"inputservice.dll\", \"inputswitch.dll\", \"inseng.dll\", \"installservice.dll\", \"internetmail.dll\", \"internetmailcsp.dll\", \"invagent.dll\", \"iologmsg.dll\", \"iphlpapi.dll\", \"iphlpsvc.dll\", \"ipnathlp.dll\", \"ipnathlpclient.dll\", \"ippcommon.dll\", \"ippcommonproxy.dll\", \"iprtprio.dll\", \"iprtrmgr.dll\", \"ipsecsnp.dll\", \"ipsecsvc.dll\", \"ipsmsnap.dll\", \"ipxlatcfg.dll\", \"iri.dll\", \"iscsicpl.dll\", 
\"iscsidsc.dll\", \"iscsied.dll\", \"iscsiexe.dll\", \"iscsilog.dll\", \"iscsium.dll\", \"iscsiwmi.dll\", \"iscsiwmiv2.dll\", \"ism.dll\", \"itircl.dll\", \"itss.dll\", \"iuilp.dll\", \"iumbase.dll\", \"iumcrypt.dll\", \"iumdll.dll\", \"iumsdk.dll\", \"iyuv_32.dll\", \"joinproviderol.dll\", \"joinutil.dll\", \"jpmapcontrol.dll\", \"jpndecoder.dll\", \"jpninputrouter.dll\", \"jpnranker.dll\", \"jpnserviceds.dll\", \"jscript.dll\", \"jscript9.dll\", \"jscript9diag.dll\", \"jsproxy.dll\", \"kbd101.dll\", \"kbd101a.dll\", \"kbd101b.dll\", \"kbd101c.dll\", \"kbd103.dll\", \"kbd106.dll\", \"kbd106n.dll\", \"kbda1.dll\", \"kbda2.dll\", \"kbda3.dll\", \"kbdadlm.dll\", \"kbdal.dll\", \"kbdarme.dll\", \"kbdarmph.dll\", \"kbdarmty.dll\", \"kbdarmw.dll\", \"kbdax2.dll\", \"kbdaze.dll\", \"kbdazel.dll\", \"kbdazst.dll\", \"kbdbash.dll\", \"kbdbe.dll\", \"kbdbene.dll\", \"kbdbgph.dll\", \"kbdbgph1.dll\", \"kbdbhc.dll\", \"kbdblr.dll\", \"kbdbr.dll\", \"kbdbu.dll\", \"kbdbug.dll\", \"kbdbulg.dll\", \"kbdca.dll\", \"kbdcan.dll\", \"kbdcher.dll\", \"kbdcherp.dll\", \"kbdcr.dll\", \"kbdcz.dll\", \"kbdcz1.dll\", \"kbdcz2.dll\", \"kbdda.dll\", \"kbddiv1.dll\", \"kbddiv2.dll\", \"kbddv.dll\", \"kbddzo.dll\", \"kbdes.dll\", \"kbdest.dll\", \"kbdfa.dll\", \"kbdfar.dll\", \"kbdfc.dll\", \"kbdfi.dll\", \"kbdfi1.dll\", \"kbdfo.dll\", \"kbdfr.dll\", \"kbdfthrk.dll\", \"kbdgae.dll\", \"kbdgeo.dll\", \"kbdgeoer.dll\", \"kbdgeome.dll\", \"kbdgeooa.dll\", \"kbdgeoqw.dll\", \"kbdgkl.dll\", \"kbdgn.dll\", \"kbdgr.dll\", \"kbdgr1.dll\", \"kbdgrlnd.dll\", \"kbdgthc.dll\", \"kbdhau.dll\", \"kbdhaw.dll\", \"kbdhe.dll\", \"kbdhe220.dll\", \"kbdhe319.dll\", \"kbdheb.dll\", \"kbdhebl3.dll\", \"kbdhela2.dll\", \"kbdhela3.dll\", \"kbdhept.dll\", \"kbdhu.dll\", \"kbdhu1.dll\", \"kbdibm02.dll\", \"kbdibo.dll\", \"kbdic.dll\", \"kbdinasa.dll\", \"kbdinbe1.dll\", \"kbdinbe2.dll\", \"kbdinben.dll\", \"kbdindev.dll\", \"kbdinen.dll\", \"kbdinguj.dll\", \"kbdinhin.dll\", \"kbdinkan.dll\", \"kbdinmal.dll\", 
\"kbdinmar.dll\", \"kbdinori.dll\", \"kbdinpun.dll\", \"kbdintam.dll\", \"kbdintel.dll\", \"kbdinuk2.dll\", \"kbdir.dll\", \"kbdit.dll\", \"kbdit142.dll\", \"kbdiulat.dll\", \"kbdjav.dll\", \"kbdjpn.dll\", \"kbdkaz.dll\", \"kbdkhmr.dll\", \"kbdkni.dll\", \"kbdkor.dll\", \"kbdkurd.dll\", \"kbdkyr.dll\", \"kbdla.dll\", \"kbdlao.dll\", \"kbdlisub.dll\", \"kbdlisus.dll\", \"kbdlk41a.dll\", \"kbdlt.dll\", \"kbdlt1.dll\", \"kbdlt2.dll\", \"kbdlv.dll\", \"kbdlv1.dll\", \"kbdlvst.dll\", \"kbdmac.dll\", \"kbdmacst.dll\", \"kbdmaori.dll\", \"kbdmlt47.dll\", \"kbdmlt48.dll\", \"kbdmon.dll\", \"kbdmonmo.dll\", \"kbdmonst.dll\", \"kbdmyan.dll\", \"kbdne.dll\", \"kbdnec.dll\", \"kbdnec95.dll\", \"kbdnecat.dll\", \"kbdnecnt.dll\", \"kbdnepr.dll\", \"kbdnko.dll\", \"kbdno.dll\", \"kbdno1.dll\", \"kbdnso.dll\", \"kbdntl.dll\", \"kbdogham.dll\", \"kbdolch.dll\", \"kbdoldit.dll\", \"kbdosa.dll\", \"kbdosm.dll\", \"kbdpash.dll\", \"kbdphags.dll\", \"kbdpl.dll\", \"kbdpl1.dll\", \"kbdpo.dll\", \"kbdro.dll\", \"kbdropr.dll\", \"kbdrost.dll\", \"kbdru.dll\", \"kbdru1.dll\", \"kbdrum.dll\", \"kbdsf.dll\", \"kbdsg.dll\", \"kbdsl.dll\", \"kbdsl1.dll\", \"kbdsmsfi.dll\", \"kbdsmsno.dll\", \"kbdsn1.dll\", \"kbdsora.dll\", \"kbdsorex.dll\", \"kbdsors1.dll\", \"kbdsorst.dll\", \"kbdsp.dll\", \"kbdsw.dll\", \"kbdsw09.dll\", \"kbdsyr1.dll\", \"kbdsyr2.dll\", \"kbdtaile.dll\", \"kbdtajik.dll\", \"kbdtam99.dll\", \"kbdtat.dll\", \"kbdth0.dll\", \"kbdth1.dll\", \"kbdth2.dll\", \"kbdth3.dll\", \"kbdtifi.dll\", \"kbdtifi2.dll\", \"kbdtiprc.dll\", \"kbdtiprd.dll\", \"kbdtt102.dll\", \"kbdtuf.dll\", \"kbdtuq.dll\", \"kbdturme.dll\", \"kbdtzm.dll\", \"kbdughr.dll\", \"kbdughr1.dll\", \"kbduk.dll\", \"kbdukx.dll\", \"kbdur.dll\", \"kbdur1.dll\", \"kbdurdu.dll\", \"kbdus.dll\", \"kbdusa.dll\", \"kbdusl.dll\", \"kbdusr.dll\", \"kbdusx.dll\", \"kbduzb.dll\", \"kbdvntc.dll\", \"kbdwol.dll\", \"kbdyak.dll\", \"kbdyba.dll\", \"kbdycc.dll\", \"kbdycl.dll\", \"kd.dll\", \"kdcom.dll\", \"kdcpw.dll\", 
\"kdhvcom.dll\", \"kdnet.dll\", \"kdnet_uart16550.dll\", \"kdscli.dll\", \"kdstub.dll\", \"kdusb.dll\", \"kd_02_10df.dll\", \"kd_02_10ec.dll\", \"kd_02_1137.dll\", \"kd_02_14e4.dll\", \"kd_02_15b3.dll\", \"kd_02_1969.dll\", \"kd_02_19a2.dll\", \"kd_02_1af4.dll\", \"kd_02_8086.dll\", \"kd_07_1415.dll\", \"kd_0c_8086.dll\", \"kerbclientshared.dll\", \"kerberos.dll\", \"kernel32.dll\", \"kernelbase.dll\", \"keycredmgr.dll\", \"keyiso.dll\", \"keymgr.dll\", \"knobscore.dll\", \"knobscsp.dll\", \"ksuser.dll\", \"ktmw32.dll\", \"l2gpstore.dll\", \"l2nacp.dll\", \"l2sechc.dll\", \"laprxy.dll\", \"legacynetux.dll\", \"lfsvc.dll\", \"libcrypto.dll\", \"licensemanager.dll\", \"licensingcsp.dll\", \"licensingdiagspp.dll\", \"licensingwinrt.dll\", \"licmgr10.dll\", \"linkinfo.dll\", \"lltdapi.dll\", \"lltdres.dll\", \"lltdsvc.dll\", \"lmhsvc.dll\", \"loadperf.dll\", \"localsec.dll\", \"localspl.dll\", \"localui.dll\", \"locationapi.dll\", \"lockappbroker.dll\", \"lockcontroller.dll\", \"lockscreendata.dll\", \"loghours.dll\", \"logoncli.dll\", \"logoncontroller.dll\", \"lpasvc.dll\", \"lpk.dll\", \"lsasrv.dll\", \"lscshostpolicy.dll\", \"lsm.dll\", \"lsmproxy.dll\", \"lstelemetry.dll\", \"luainstall.dll\", \"luiapi.dll\", \"lz32.dll\", \"magnification.dll\", \"maintenanceui.dll\", \"manageci.dll\", \"mapconfiguration.dll\", \"mapcontrolcore.dll\", \"mapgeocoder.dll\", \"mapi32.dll\", \"mapistub.dll\", \"maprouter.dll\", \"mapsbtsvc.dll\", \"mapsbtsvcproxy.dll\", \"mapscsp.dll\", \"mapsstore.dll\", \"mapstoasttask.dll\", \"mapsupdatetask.dll\", \"mbaeapi.dll\", \"mbaeapipublic.dll\", \"mbaexmlparser.dll\", \"mbmediamanager.dll\", \"mbsmsapi.dll\", \"mbussdapi.dll\", \"mccsengineshared.dll\", \"mccspal.dll\", \"mciavi32.dll\", \"mcicda.dll\", \"mciqtz32.dll\", \"mciseq.dll\", \"mciwave.dll\", \"mcrecvsrc.dll\", \"mdmcommon.dll\", \"mdmdiagnostics.dll\", \"mdminst.dll\", \"mdmmigrator.dll\", \"mdmregistration.dll\", \"memorydiagnostic.dll\", \"messagingservice.dll\", \"mf.dll\", 
\"mf3216.dll\", \"mfaacenc.dll\", \"mfasfsrcsnk.dll\", \"mfaudiocnv.dll\", \"mfc42.dll\", \"mfc42u.dll\", \"mfcaptureengine.dll\", \"mfcore.dll\", \"mfcsubs.dll\", \"mfds.dll\", \"mfdvdec.dll\", \"mferror.dll\", \"mfh263enc.dll\", \"mfh264enc.dll\", \"mfksproxy.dll\", \"mfmediaengine.dll\", \"mfmjpegdec.dll\", \"mfmkvsrcsnk.dll\", \"mfmp4srcsnk.dll\", \"mfmpeg2srcsnk.dll\", \"mfnetcore.dll\", \"mfnetsrc.dll\", \"mfperfhelper.dll\", \"mfplat.dll\", \"mfplay.dll\", \"mfps.dll\", \"mfreadwrite.dll\", \"mfsensorgroup.dll\", \"mfsrcsnk.dll\", \"mfsvr.dll\", \"mftranscode.dll\", \"mfvdsp.dll\", \"mfvfw.dll\", \"mfwmaaec.dll\", \"mgmtapi.dll\", \"mi.dll\", \"mibincodec.dll\", \"midimap.dll\", \"migisol.dll\", \"miguiresource.dll\", \"mimefilt.dll\", \"mimofcodec.dll\", \"minstoreevents.dll\", \"miracastinputmgr.dll\", \"miracastreceiver.dll\", \"mirrordrvcompat.dll\", \"mispace.dll\", \"mitigationclient.dll\", \"miutils.dll\", \"mlang.dll\", \"mmcbase.dll\", \"mmcndmgr.dll\", \"mmcshext.dll\", \"mmdevapi.dll\", \"mmgaclient.dll\", \"mmgaproxystub.dll\", \"mmres.dll\", \"mobilenetworking.dll\", \"modemui.dll\", \"modernexecserver.dll\", \"moricons.dll\", \"moshost.dll\", \"moshostclient.dll\", \"moshostcore.dll\", \"mosstorage.dll\", \"mp3dmod.dll\", \"mp43decd.dll\", \"mp4sdecd.dll\", \"mpeval.dll\", \"mpg4decd.dll\", \"mpr.dll\", \"mprapi.dll\", \"mprddm.dll\", \"mprdim.dll\", \"mprext.dll\", \"mprmsg.dll\", \"mpssvc.dll\", \"mpunits.dll\", \"mrmcorer.dll\", \"mrmdeploy.dll\", \"mrmindexer.dll\", \"mrt100.dll\", \"mrt_map.dll\", \"msaatext.dll\", \"msac3enc.dll\", \"msacm32.dll\", \"msafd.dll\", \"msajapi.dll\", \"msalacdecoder.dll\", \"msalacencoder.dll\", \"msamrnbdecoder.dll\", \"msamrnbencoder.dll\", \"msamrnbsink.dll\", \"msamrnbsource.dll\", \"msasn1.dll\", \"msauddecmft.dll\", \"msaudite.dll\", \"msauserext.dll\", \"mscandui.dll\", \"mscat32.dll\", \"msclmd.dll\", \"mscms.dll\", \"mscoree.dll\", \"mscorier.dll\", \"mscories.dll\", \"msctf.dll\", 
\"msctfmonitor.dll\", \"msctfp.dll\", \"msctfui.dll\", \"msctfuimanager.dll\", \"msdadiag.dll\", \"msdart.dll\", \"msdelta.dll\", \"msdmo.dll\", \"msdrm.dll\", \"msdtckrm.dll\", \"msdtclog.dll\", \"msdtcprx.dll\", \"msdtcspoffln.dll\", \"msdtctm.dll\", \"msdtcuiu.dll\", \"msdtcvsp1res.dll\", \"msfeeds.dll\", \"msfeedsbs.dll\", \"msflacdecoder.dll\", \"msflacencoder.dll\", \"msftedit.dll\", \"msheif.dll\", \"mshtml.dll\", \"mshtmldac.dll\", \"mshtmled.dll\", \"mshtmler.dll\", \"msi.dll\", \"msicofire.dll\", \"msidcrl40.dll\", \"msident.dll\", \"msidle.dll\", \"msidntld.dll\", \"msieftp.dll\", \"msihnd.dll\", \"msiltcfg.dll\", \"msimg32.dll\", \"msimsg.dll\", \"msimtf.dll\", \"msisip.dll\", \"msiso.dll\", \"msiwer.dll\", \"mskeyprotcli.dll\", \"mskeyprotect.dll\", \"msls31.dll\", \"msmpeg2adec.dll\", \"msmpeg2enc.dll\", \"msmpeg2vdec.dll\", \"msobjs.dll\", \"msoert2.dll\", \"msopusdecoder.dll\", \"mspatcha.dll\", \"mspatchc.dll\", \"msphotography.dll\", \"msports.dll\", \"msprivs.dll\", \"msrahc.dll\", \"msrating.dll\", \"msrawimage.dll\", \"msrdc.dll\", \"msrdpwebaccess.dll\", \"msrle32.dll\", \"msscntrs.dll\", \"mssecuser.dll\", \"mssign32.dll\", \"mssip32.dll\", \"mssitlb.dll\", \"mssph.dll\", \"mssprxy.dll\", \"mssrch.dll\", \"mssvp.dll\", \"mstask.dll\", \"mstextprediction.dll\", \"mstscax.dll\", \"msutb.dll\", \"msv1_0.dll\", \"msvcirt.dll\", \"msvcp110_win.dll\", \"msvcp120_clr0400.dll\", \"msvcp140_clr0400.dll\", \"msvcp60.dll\", \"msvcp_win.dll\", \"msvcr100_clr0400.dll\", \"msvcr120_clr0400.dll\", \"msvcrt.dll\", \"msvfw32.dll\", \"msvidc32.dll\", \"msvidctl.dll\", \"msvideodsp.dll\", \"msvp9dec.dll\", \"msvproc.dll\", \"msvpxenc.dll\", \"mswb7.dll\", \"mswebp.dll\", \"mswmdm.dll\", \"mswsock.dll\", \"msxml3.dll\", \"msxml3r.dll\", \"msxml6.dll\", \"msxml6r.dll\", \"msyuv.dll\", \"mtcmodel.dll\", \"mtf.dll\", \"mtfappserviceds.dll\", \"mtfdecoder.dll\", \"mtffuzzyds.dll\", \"mtfserver.dll\", \"mtfspellcheckds.dll\", \"mtxclu.dll\", \"mtxdm.dll\", 
\"mtxex.dll\", \"mtxoci.dll\", \"muifontsetup.dll\", \"mycomput.dll\", \"mydocs.dll\", \"napcrypt.dll\", \"napinsp.dll\", \"naturalauth.dll\", \"naturallanguage6.dll\", \"navshutdown.dll\", \"ncaapi.dll\", \"ncasvc.dll\", \"ncbservice.dll\", \"ncdautosetup.dll\", \"ncdprop.dll\", \"nci.dll\", \"ncobjapi.dll\", \"ncrypt.dll\", \"ncryptprov.dll\", \"ncryptsslp.dll\", \"ncsi.dll\", \"ncuprov.dll\", \"nddeapi.dll\", \"ndfapi.dll\", \"ndfetw.dll\", \"ndfhcdiscovery.dll\", \"ndishc.dll\", \"ndproxystub.dll\", \"nduprov.dll\", \"negoexts.dll\", \"netapi32.dll\", \"netbios.dll\", \"netcenter.dll\", \"netcfgx.dll\", \"netcorehc.dll\", \"netdiagfx.dll\", \"netdriverinstall.dll\", \"netevent.dll\", \"netfxperf.dll\", \"neth.dll\", \"netid.dll\", \"netiohlp.dll\", \"netjoin.dll\", \"netlogon.dll\", \"netman.dll\", \"netmsg.dll\", \"netplwiz.dll\", \"netprofm.dll\", \"netprofmsvc.dll\", \"netprovfw.dll\", \"netprovisionsp.dll\", \"netsetupapi.dll\", \"netsetupengine.dll\", \"netsetupshim.dll\", \"netsetupsvc.dll\", \"netshell.dll\", \"nettrace.dll\", \"netutils.dll\", \"networkexplorer.dll\", \"networkhelper.dll\", \"networkicon.dll\", \"networkproxycsp.dll\", \"networkstatus.dll\", \"networkuxbroker.dll\", \"newdev.dll\", \"nfcradiomedia.dll\", \"ngccredprov.dll\", \"ngcctnr.dll\", \"ngcctnrsvc.dll\", \"ngcisoctnr.dll\", \"ngckeyenum.dll\", \"ngcksp.dll\", \"ngclocal.dll\", \"ngcpopkeysrv.dll\", \"ngcprocsp.dll\", \"ngcrecovery.dll\", \"ngcsvc.dll\", \"ngctasks.dll\", \"ninput.dll\", \"nlaapi.dll\", \"nlahc.dll\", \"nlasvc.dll\", \"nlhtml.dll\", \"nlmgp.dll\", \"nlmproxy.dll\", \"nlmsprep.dll\", \"nlsbres.dll\", \"nlsdata0000.dll\", \"nlsdata0009.dll\", \"nlsdl.dll\", \"nlslexicons0009.dll\", \"nmadirect.dll\", \"normaliz.dll\", \"npmproxy.dll\", \"npsm.dll\", \"nrpsrv.dll\", \"nshhttp.dll\", \"nshipsec.dll\", \"nshwfp.dll\", \"nsi.dll\", \"nsisvc.dll\", \"ntasn1.dll\", \"ntdll.dll\", \"ntdsapi.dll\", \"ntlanman.dll\", \"ntlanui2.dll\", \"ntlmshared.dll\", \"ntmarta.dll\", 
\"ntprint.dll\", \"ntshrui.dll\", \"ntvdm64.dll\", \"objsel.dll\", \"occache.dll\", \"ocsetapi.dll\", \"odbc32.dll\", \"odbcbcp.dll\", \"odbcconf.dll\", \"odbccp32.dll\", \"odbccr32.dll\", \"odbccu32.dll\", \"odbcint.dll\", \"odbctrac.dll\", \"oemlicense.dll\", \"offfilt.dll\", \"officecsp.dll\", \"offlinelsa.dll\", \"offlinesam.dll\", \"offreg.dll\", \"ole32.dll\", \"oleacc.dll\", \"oleacchooks.dll\", \"oleaccrc.dll\", \"oleaut32.dll\", \"oledlg.dll\", \"oleprn.dll\", \"omadmagent.dll\", \"omadmapi.dll\", \"onebackuphandler.dll\", \"onex.dll\", \"onexui.dll\", \"opcservices.dll\", \"opengl32.dll\", \"ortcengine.dll\", \"osbaseln.dll\", \"osksupport.dll\", \"osuninst.dll\", \"p2p.dll\", \"p2pgraph.dll\", \"p2pnetsh.dll\", \"p2psvc.dll\", \"packager.dll\", \"panmap.dll\", \"pautoenr.dll\", \"pcacli.dll\", \"pcadm.dll\", \"pcaevts.dll\", \"pcasvc.dll\", \"pcaui.dll\", \"pcpksp.dll\", \"pcsvdevice.dll\", \"pcwum.dll\", \"pcwutl.dll\", \"pdh.dll\", \"pdhui.dll\", \"peerdist.dll\", \"peerdistad.dll\", \"peerdistcleaner.dll\", \"peerdistsh.dll\", \"peerdistsvc.dll\", \"peopleapis.dll\", \"peopleband.dll\", \"perceptiondevice.dll\", \"perfctrs.dll\", \"perfdisk.dll\", \"perfnet.dll\", \"perfos.dll\", \"perfproc.dll\", \"perfts.dll\", \"phoneom.dll\", \"phoneproviders.dll\", \"phoneservice.dll\", \"phoneserviceres.dll\", \"phoneutil.dll\", \"phoneutilres.dll\", \"photowiz.dll\", \"pickerplatform.dll\", \"pid.dll\", \"pidgenx.dll\", \"pifmgr.dll\", \"pimstore.dll\", \"pkeyhelper.dll\", \"pktmonapi.dll\", \"pku2u.dll\", \"pla.dll\", \"playlistfolder.dll\", \"playsndsrv.dll\", \"playtodevice.dll\", \"playtomanager.dll\", \"playtomenu.dll\", \"playtoreceiver.dll\", \"ploptin.dll\", \"pmcsnap.dll\", \"pngfilt.dll\", \"pnidui.dll\", \"pnpclean.dll\", \"pnppolicy.dll\", \"pnpts.dll\", \"pnpui.dll\", \"pnpxassoc.dll\", \"pnpxassocprx.dll\", \"pnrpauto.dll\", \"pnrphc.dll\", \"pnrpnsp.dll\", \"pnrpsvc.dll\", \"policymanager.dll\", \"polstore.dll\", \"posetup.dll\", 
\"posyncservices.dll\", \"pots.dll\", \"powercpl.dll\", \"powrprof.dll\", \"ppcsnap.dll\", \"prauthproviders.dll\", \"prflbmsg.dll\", \"printui.dll\", \"printwsdahost.dll\", \"prm0009.dll\", \"prncache.dll\", \"prnfldr.dll\", \"prnntfy.dll\", \"prntvpt.dll\", \"profapi.dll\", \"profext.dll\", \"profprov.dll\", \"profsvc.dll\", \"profsvcext.dll\", \"propsys.dll\", \"provcore.dll\", \"provdatastore.dll\", \"provdiagnostics.dll\", \"provengine.dll\", \"provhandlers.dll\", \"provisioningcsp.dll\", \"provmigrate.dll\", \"provops.dll\", \"provplugineng.dll\", \"provsysprep.dll\", \"provthrd.dll\", \"proximitycommon.dll\", \"proximityservice.dll\", \"prvdmofcomp.dll\", \"psapi.dll\", \"pshed.dll\", \"psisdecd.dll\", \"psmsrv.dll\", \"pstask.dll\", \"pstorec.dll\", \"ptpprov.dll\", \"puiapi.dll\", \"puiobj.dll\", \"pushtoinstall.dll\", \"pwlauncher.dll\", \"pwrshplugin.dll\", \"pwsso.dll\", \"qasf.dll\", \"qcap.dll\", \"qdv.dll\", \"qdvd.dll\", \"qedit.dll\", \"qedwipes.dll\", \"qmgr.dll\", \"query.dll\", \"quiethours.dll\", \"qwave.dll\", \"racengn.dll\", \"racpldlg.dll\", \"radardt.dll\", \"radarrs.dll\", \"radcui.dll\", \"rasadhlp.dll\", \"rasapi32.dll\", \"rasauto.dll\", \"raschap.dll\", \"raschapext.dll\", \"rasctrs.dll\", \"rascustom.dll\", \"rasdiag.dll\", \"rasdlg.dll\", \"rasgcw.dll\", \"rasman.dll\", \"rasmans.dll\", \"rasmbmgr.dll\", \"rasmediamanager.dll\", \"rasmm.dll\", \"rasmontr.dll\", \"rasplap.dll\", \"rasppp.dll\", \"rastapi.dll\", \"rastls.dll\", \"rastlsext.dll\", \"rdbui.dll\", \"rdpbase.dll\", \"rdpcfgex.dll\", \"rdpcore.dll\", \"rdpcorets.dll\", \"rdpencom.dll\", \"rdpendp.dll\", \"rdpnano.dll\", \"rdpsaps.dll\", \"rdpserverbase.dll\", \"rdpsharercom.dll\", \"rdpudd.dll\", \"rdpviewerax.dll\", \"rdsappxhelper.dll\", \"rdsdwmdr.dll\", \"rdvvmtransport.dll\", \"rdxservice.dll\", \"rdxtaskfactory.dll\", \"reagent.dll\", \"reagenttask.dll\", \"recovery.dll\", \"regapi.dll\", \"regctrl.dll\", \"regidle.dll\", \"regsvc.dll\", \"reguwpapi.dll\", 
\"reinfo.dll\", \"remotepg.dll\", \"remotewipecsp.dll\", \"reportingcsp.dll\", \"resampledmo.dll\", \"resbparser.dll\", \"reseteng.dll\", \"resetengine.dll\", \"resetengonline.dll\", \"resourcemapper.dll\", \"resutils.dll\", \"rgb9rast.dll\", \"riched20.dll\", \"riched32.dll\", \"rjvmdmconfig.dll\", \"rmapi.dll\", \"rmclient.dll\", \"rnr20.dll\", \"roamingsecurity.dll\", \"rometadata.dll\", \"rotmgr.dll\", \"rpcepmap.dll\", \"rpchttp.dll\", \"rpcns4.dll\", \"rpcnsh.dll\", \"rpcrt4.dll\", \"rpcrtremote.dll\", \"rpcss.dll\", \"rsaenh.dll\", \"rshx32.dll\", \"rstrtmgr.dll\", \"rtffilt.dll\", \"rtm.dll\", \"rtmediaframe.dll\", \"rtmmvrortc.dll\", \"rtutils.dll\", \"rtworkq.dll\", \"rulebasedds.dll\", \"samcli.dll\", \"samlib.dll\", \"samsrv.dll\", \"sas.dll\", \"sbe.dll\", \"sbeio.dll\", \"sberes.dll\", \"sbservicetrigger.dll\", \"scansetting.dll\", \"scardbi.dll\", \"scarddlg.dll\", \"scardsvr.dll\", \"scavengeui.dll\", \"scdeviceenum.dll\", \"scecli.dll\", \"scesrv.dll\", \"schannel.dll\", \"schedcli.dll\", \"schedsvc.dll\", \"scksp.dll\", \"scripto.dll\", \"scrobj.dll\", \"scrptadm.dll\", \"scrrun.dll\", \"sdcpl.dll\", \"sdds.dll\", \"sdengin2.dll\", \"sdfhost.dll\", \"sdhcinst.dll\", \"sdiageng.dll\", \"sdiagprv.dll\", \"sdiagschd.dll\", \"sdohlp.dll\", \"sdrsvc.dll\", \"sdshext.dll\", \"searchfolder.dll\", \"sechost.dll\", \"seclogon.dll\", \"secproc.dll\", \"secproc_isv.dll\", \"secproc_ssp.dll\", \"secproc_ssp_isv.dll\", \"secur32.dll\", \"security.dll\", \"semgrps.dll\", \"semgrsvc.dll\", \"sendmail.dll\", \"sens.dll\", \"sensapi.dll\", \"sensorsapi.dll\", \"sensorscpl.dll\", \"sensorservice.dll\", \"sensorsnativeapi.dll\", \"sensorsutilsv2.dll\", \"sensrsvc.dll\", \"serialui.dll\", \"servicinguapi.dll\", \"serwvdrv.dll\", \"sessenv.dll\", \"setbcdlocale.dll\", \"settingmonitor.dll\", \"settingsync.dll\", \"settingsynccore.dll\", \"setupapi.dll\", \"setupcl.dll\", \"setupcln.dll\", \"setupetw.dll\", \"sfc.dll\", \"sfc_os.dll\", \"sgrmenclave.dll\", 
\"shacct.dll\", \"shacctprofile.dll\", \"sharedpccsp.dll\", \"sharedrealitysvc.dll\", \"sharehost.dll\", \"sharemediacpl.dll\", \"shcore.dll\", \"shdocvw.dll\", \"shell32.dll\", \"shellstyle.dll\", \"shfolder.dll\", \"shgina.dll\", \"shimeng.dll\", \"shimgvw.dll\", \"shlwapi.dll\", \"shpafact.dll\", \"shsetup.dll\", \"shsvcs.dll\", \"shunimpl.dll\", \"shutdownext.dll\", \"shutdownux.dll\", \"shwebsvc.dll\", \"signdrv.dll\", \"simauth.dll\", \"simcfg.dll\", \"skci.dll\", \"slc.dll\", \"slcext.dll\", \"slwga.dll\", \"smartscreenps.dll\", \"smbhelperclass.dll\", \"smbwmiv2.dll\", \"smiengine.dll\", \"smphost.dll\", \"smsroutersvc.dll\", \"sndvolsso.dll\", \"snmpapi.dll\", \"socialapis.dll\", \"softkbd.dll\", \"softpub.dll\", \"sortwindows61.dll\", \"sortwindows62.dll\", \"spacebridge.dll\", \"spacecontrol.dll\", \"spatializerapo.dll\", \"spatialstore.dll\", \"spbcd.dll\", \"speechpal.dll\", \"spfileq.dll\", \"spinf.dll\", \"spmpm.dll\", \"spnet.dll\", \"spoolss.dll\", \"spopk.dll\", \"spp.dll\", \"sppc.dll\", \"sppcext.dll\", \"sppcomapi.dll\", \"sppcommdlg.dll\", \"sppinst.dll\", \"sppnp.dll\", \"sppobjs.dll\", \"sppwinob.dll\", \"sppwmi.dll\", \"spwinsat.dll\", \"spwizeng.dll\", \"spwizimg.dll\", \"spwizres.dll\", \"spwmp.dll\", \"sqlsrv32.dll\", \"sqmapi.dll\", \"srchadmin.dll\", \"srclient.dll\", \"srcore.dll\", \"srevents.dll\", \"srh.dll\", \"srhelper.dll\", \"srm.dll\", \"srmclient.dll\", \"srmlib.dll\", \"srmscan.dll\", \"srmshell.dll\", \"srmstormod.dll\", \"srmtrace.dll\", \"srm_ps.dll\", \"srpapi.dll\", \"srrstr.dll\", \"srumapi.dll\", \"srumsvc.dll\", \"srvcli.dll\", \"srvsvc.dll\", \"srwmi.dll\", \"sscore.dll\", \"sscoreext.dll\", \"ssdm.dll\", \"ssdpapi.dll\", \"ssdpsrv.dll\", \"sspicli.dll\", \"sspisrv.dll\", \"ssshim.dll\", \"sstpsvc.dll\", \"starttiledata.dll\", \"startupscan.dll\", \"stclient.dll\", \"sti.dll\", \"sti_ci.dll\", \"stobject.dll\", \"storageusage.dll\", \"storagewmi.dll\", \"storewuauth.dll\", \"storprop.dll\", \"storsvc.dll\", 
\"streamci.dll\", \"structuredquery.dll\", \"sud.dll\", \"svf.dll\", \"svsvc.dll\", \"swprv.dll\", \"sxproxy.dll\", \"sxs.dll\", \"sxshared.dll\", \"sxssrv.dll\", \"sxsstore.dll\", \"synccenter.dll\", \"synccontroller.dll\", \"synchostps.dll\", \"syncproxy.dll\", \"syncreg.dll\", \"syncres.dll\", \"syncsettings.dll\", \"syncutil.dll\", \"sysclass.dll\", \"sysfxui.dll\", \"sysmain.dll\", \"sysntfy.dll\", \"syssetup.dll\", \"systemcpl.dll\", \"t2embed.dll\", \"tabbtn.dll\", \"tabbtnex.dll\", \"tabsvc.dll\", \"tapi3.dll\", \"tapi32.dll\", \"tapilua.dll\", \"tapimigplugin.dll\", \"tapiperf.dll\", \"tapisrv.dll\", \"tapisysprep.dll\", \"tapiui.dll\", \"taskapis.dll\", \"taskbarcpl.dll\", \"taskcomp.dll\", \"taskschd.dll\", \"taskschdps.dll\", \"tbauth.dll\", \"tbs.dll\", \"tcbloader.dll\", \"tcpipcfg.dll\", \"tcpmib.dll\", \"tcpmon.dll\", \"tcpmonui.dll\", \"tdh.dll\", \"tdlmigration.dll\", \"tellib.dll\", \"termmgr.dll\", \"termsrv.dll\", \"tetheringclient.dll\", \"tetheringmgr.dll\", \"tetheringservice.dll\", \"tetheringstation.dll\", \"textshaping.dll\", \"themecpl.dll\", \"themeservice.dll\", \"themeui.dll\", \"threadpoolwinrt.dll\", \"thumbcache.dll\", \"timebrokerclient.dll\", \"timebrokerserver.dll\", \"timesync.dll\", \"timesynctask.dll\", \"tlscsp.dll\", \"tokenbinding.dll\", \"tokenbroker.dll\", \"tokenbrokerui.dll\", \"tpmcertresources.dll\", \"tpmcompc.dll\", \"tpmtasks.dll\", \"tpmvsc.dll\", \"tquery.dll\", \"traffic.dll\", \"transportdsa.dll\", \"trie.dll\", \"trkwks.dll\", \"tsbyuv.dll\", \"tscfgwmi.dll\", \"tserrredir.dll\", \"tsf3gip.dll\", \"tsgqec.dll\", \"tsmf.dll\", \"tspkg.dll\", \"tspubwmi.dll\", \"tssessionux.dll\", \"tssrvlic.dll\", \"tsworkspace.dll\", \"ttdloader.dll\", \"ttdplm.dll\", \"ttdrecord.dll\", \"ttdrecordcpu.dll\", \"ttlsauth.dll\", \"ttlscfg.dll\", \"ttlsext.dll\", \"tvratings.dll\", \"twext.dll\", \"twinapi.dll\", \"twinui.dll\", \"txflog.dll\", \"txfw32.dll\", \"tzautoupdate.dll\", \"tzres.dll\", \"tzsyncres.dll\", \"ubpm.dll\", 
\"ucmhc.dll\", \"ucrtbase.dll\", \"ucrtbase_clr0400.dll\", \"ucrtbase_enclave.dll\", \"udhisapi.dll\", \"udwm.dll\", \"ueficsp.dll\", \"uexfat.dll\", \"ufat.dll\", \"uiamanager.dll\", \"uianimation.dll\", \"uiautomationcore.dll\", \"uicom.dll\", \"uireng.dll\", \"uiribbon.dll\", \"uiribbonres.dll\", \"ulib.dll\", \"umb.dll\", \"umdmxfrm.dll\", \"umpdc.dll\", \"umpnpmgr.dll\", \"umpo-overrides.dll\", \"umpo.dll\", \"umpoext.dll\", \"umpowmi.dll\", \"umrdp.dll\", \"unattend.dll\", \"unenrollhook.dll\", \"unimdmat.dll\", \"uniplat.dll\", \"unistore.dll\", \"untfs.dll\", \"updateagent.dll\", \"updatecsp.dll\", \"updatepolicy.dll\", \"upnp.dll\", \"upnphost.dll\", \"upshared.dll\", \"urefs.dll\", \"urefsv1.dll\", \"ureg.dll\", \"url.dll\", \"urlmon.dll\", \"usbcapi.dll\", \"usbceip.dll\", \"usbmon.dll\", \"usbperf.dll\", \"usbpmapi.dll\", \"usbtask.dll\", \"usbui.dll\", \"user32.dll\", \"usercpl.dll\", \"userdataservice.dll\", \"userdatatimeutil.dll\", \"userenv.dll\", \"userinitext.dll\", \"usermgr.dll\", \"usermgrcli.dll\", \"usermgrproxy.dll\", \"usoapi.dll\", \"usocoreps.dll\", \"usosvc.dll\", \"usp10.dll\", \"ustprov.dll\", \"utcutil.dll\", \"utildll.dll\", \"uudf.dll\", \"uvcmodel.dll\", \"uwfcfgmgmt.dll\", \"uwfcsp.dll\", \"uwfservicingapi.dll\", \"uxinit.dll\", \"uxlib.dll\", \"uxlibres.dll\", \"uxtheme.dll\", \"vac.dll\", \"van.dll\", \"vault.dll\", \"vaultcds.dll\", \"vaultcli.dll\", \"vaultroaming.dll\", \"vaultsvc.dll\", \"vbsapi.dll\", \"vbscript.dll\", \"vbssysprep.dll\", \"vcardparser.dll\", \"vdsbas.dll\", \"vdsdyn.dll\", \"vdsutil.dll\", \"vdsvd.dll\", \"vds_ps.dll\", \"verifier.dll\", \"vertdll.dll\", \"vfuprov.dll\", \"vfwwdm32.dll\", \"vhfum.dll\", \"vid.dll\", \"videohandlers.dll\", \"vidreszr.dll\", \"virtdisk.dll\", \"vmbuspipe.dll\", \"vmdevicehost.dll\", \"vmictimeprovider.dll\", \"vmrdvcore.dll\", \"voiprt.dll\", \"vpnike.dll\", \"vpnikeapi.dll\", \"vpnsohdesktop.dll\", \"vpnv2csp.dll\", \"vscmgrps.dll\", \"vssapi.dll\", \"vsstrace.dll\", 
\"vss_ps.dll\", \"w32time.dll\", \"w32topl.dll\", \"waasassessment.dll\", \"waasmediccapsule.dll\", \"waasmedicps.dll\", \"waasmedicsvc.dll\", \"wabsyncprovider.dll\", \"walletproxy.dll\", \"walletservice.dll\", \"wavemsp.dll\", \"wbemcomn.dll\", \"wbiosrvc.dll\", \"wci.dll\", \"wcimage.dll\", \"wcmapi.dll\", \"wcmcsp.dll\", \"wcmsvc.dll\", \"wcnapi.dll\", \"wcncsvc.dll\", \"wcneapauthproxy.dll\", \"wcneappeerproxy.dll\", \"wcnnetsh.dll\", \"wcnwiz.dll\", \"wc_storage.dll\", \"wdc.dll\", \"wdi.dll\", \"wdigest.dll\", \"wdscore.dll\", \"webauthn.dll\", \"webcamui.dll\", \"webcheck.dll\", \"webclnt.dll\", \"webio.dll\", \"webservices.dll\", \"websocket.dll\", \"wecapi.dll\", \"wecsvc.dll\", \"wephostsvc.dll\", \"wer.dll\", \"werconcpl.dll\", \"wercplsupport.dll\", \"werenc.dll\", \"weretw.dll\", \"wersvc.dll\", \"werui.dll\", \"wevtapi.dll\", \"wevtfwd.dll\", \"wevtsvc.dll\", \"wfapigp.dll\", \"wfdprov.dll\", \"wfdsconmgr.dll\", \"wfdsconmgrsvc.dll\", \"wfhc.dll\", \"whealogr.dll\", \"whhelper.dll\", \"wiaaut.dll\", \"wiadefui.dll\", \"wiadss.dll\", \"wiarpc.dll\", \"wiascanprofiles.dll\", \"wiaservc.dll\", \"wiashext.dll\", \"wiatrace.dll\", \"wificloudstore.dll\", \"wificonfigsp.dll\", \"wifidisplay.dll\", \"wimgapi.dll\", \"win32spl.dll\", \"win32u.dll\", \"winbio.dll\", \"winbiodatamodel.dll\", \"winbioext.dll\", \"winbrand.dll\", \"wincorlib.dll\", \"wincredprovider.dll\", \"wincredui.dll\", \"windowmanagement.dll\", \"windowscodecs.dll\", \"windowscodecsext.dll\", \"windowscodecsraw.dll\", \"windowsiotcsp.dll\", \"windowslivelogin.dll\", \"winethc.dll\", \"winhttp.dll\", \"winhttpcom.dll\", \"winhvemulation.dll\", \"winhvplatform.dll\", \"wininet.dll\", \"wininetlui.dll\", \"wininitext.dll\", \"winipcfile.dll\", \"winipcsecproc.dll\", \"winipsec.dll\", \"winlangdb.dll\", \"winlogonext.dll\", \"winmde.dll\", \"winml.dll\", \"winmm.dll\", \"winmmbase.dll\", \"winmsipc.dll\", \"winnlsres.dll\", \"winnsi.dll\", \"winreagent.dll\", \"winrnr.dll\", \"winrscmd.dll\", 
\"winrsmgr.dll\", \"winrssrv.dll\", \"winrttracing.dll\", \"winsatapi.dll\", \"winscard.dll\", \"winsetupui.dll\", \"winshfhc.dll\", \"winsku.dll\", \"winsockhc.dll\", \"winsqlite3.dll\", \"winsrpc.dll\", \"winsrv.dll\", \"winsrvext.dll\", \"winsta.dll\", \"winsync.dll\", \"winsyncmetastore.dll\", \"winsyncproviders.dll\", \"wintrust.dll\", \"wintypes.dll\", \"winusb.dll\", \"wirednetworkcsp.dll\", \"wisp.dll\", \"wkscli.dll\", \"wkspbrokerax.dll\", \"wksprtps.dll\", \"wkssvc.dll\", \"wlanapi.dll\", \"wlancfg.dll\", \"wlanconn.dll\", \"wlandlg.dll\", \"wlangpui.dll\", \"wlanhc.dll\", \"wlanhlp.dll\", \"wlanmediamanager.dll\", \"wlanmm.dll\", \"wlanmsm.dll\", \"wlanpref.dll\", \"wlanradiomanager.dll\", \"wlansec.dll\", \"wlansvc.dll\", \"wlansvcpal.dll\", \"wlanui.dll\", \"wlanutil.dll\", \"wldap32.dll\", \"wldp.dll\", \"wlgpclnt.dll\", \"wlidcli.dll\", \"wlidcredprov.dll\", \"wlidfdp.dll\", \"wlidnsp.dll\", \"wlidprov.dll\", \"wlidres.dll\", \"wlidsvc.dll\", \"wmadmod.dll\", \"wmadmoe.dll\", \"wmalfxgfxdsp.dll\", \"wmasf.dll\", \"wmcodecdspps.dll\", \"wmdmlog.dll\", \"wmdmps.dll\", \"wmdrmsdk.dll\", \"wmerror.dll\", \"wmi.dll\", \"wmiclnt.dll\", \"wmicmiplugin.dll\", \"wmidcom.dll\", \"wmidx.dll\", \"wmiprop.dll\", \"wmitomi.dll\", \"wmnetmgr.dll\", \"wmp.dll\", \"wmpdui.dll\", \"wmpdxm.dll\", \"wmpeffects.dll\", \"wmphoto.dll\", \"wmploc.dll\", \"wmpps.dll\", \"wmpshell.dll\", \"wmsgapi.dll\", \"wmspdmod.dll\", \"wmspdmoe.dll\", \"wmvcore.dll\", \"wmvdecod.dll\", \"wmvdspa.dll\", \"wmvencod.dll\", \"wmvsdecd.dll\", \"wmvsencd.dll\", \"wmvxencd.dll\", \"woftasks.dll\", \"wofutil.dll\", \"wordbreakers.dll\", \"workfoldersgpext.dll\", \"workfoldersres.dll\", \"workfoldersshell.dll\", \"workfolderssvc.dll\", \"wosc.dll\", \"wow64.dll\", \"wow64cpu.dll\", \"wow64win.dll\", \"wpbcreds.dll\", \"wpc.dll\", \"wpcapi.dll\", \"wpcdesktopmonsvc.dll\", \"wpcproxystubs.dll\", \"wpcrefreshtask.dll\", \"wpcwebfilter.dll\", \"wpdbusenum.dll\", \"wpdshext.dll\", 
\"wpdshserviceobj.dll\", \"wpdsp.dll\", \"wpd_ci.dll\", \"wpnapps.dll\", \"wpnclient.dll\", \"wpncore.dll\", \"wpninprc.dll\", \"wpnprv.dll\", \"wpnservice.dll\", \"wpnsruprov.dll\", \"wpnuserservice.dll\", \"wpportinglibrary.dll\", \"wpprecorderum.dll\", \"wptaskscheduler.dll\", \"wpx.dll\", \"ws2help.dll\", \"ws2_32.dll\", \"wscapi.dll\", \"wscinterop.dll\", \"wscisvif.dll\", \"wsclient.dll\", \"wscproxystub.dll\", \"wscsvc.dll\", \"wsdapi.dll\", \"wsdchngr.dll\", \"wsdprintproxy.dll\", \"wsdproviderutil.dll\", \"wsdscanproxy.dll\", \"wsecedit.dll\", \"wsepno.dll\", \"wshbth.dll\", \"wshcon.dll\", \"wshelper.dll\", \"wshext.dll\", \"wshhyperv.dll\", \"wship6.dll\", \"wshqos.dll\", \"wshrm.dll\", \"wshtcpip.dll\", \"wshunix.dll\", \"wslapi.dll\", \"wsmagent.dll\", \"wsmauto.dll\", \"wsmplpxy.dll\", \"wsmres.dll\", \"wsmsvc.dll\", \"wsmwmipl.dll\", \"wsnmp32.dll\", \"wsock32.dll\", \"wsplib.dll\", \"wsp_fs.dll\", \"wsp_health.dll\", \"wsp_sr.dll\", \"wtsapi32.dll\", \"wuapi.dll\", \"wuaueng.dll\", \"wuceffects.dll\", \"wudfcoinstaller.dll\", \"wudfplatform.dll\", \"wudfsmcclassext.dll\", \"wudfx.dll\", \"wudfx02000.dll\", \"wudriver.dll\", \"wups.dll\", \"wups2.dll\", \"wuuhext.dll\", \"wuuhosdeployment.dll\", \"wvc.dll\", \"wwaapi.dll\", \"wwaext.dll\", \"wwanapi.dll\", \"wwancfg.dll\", \"wwanhc.dll\", \"wwanprotdim.dll\", \"wwanradiomanager.dll\", \"wwansvc.dll\", \"wwapi.dll\", \"xamltilerender.dll\", \"xaudio2_8.dll\", \"xaudio2_9.dll\", \"xblauthmanager.dll\", \"xblgamesave.dll\", \"xblgamesaveext.dll\", \"xblgamesaveproxy.dll\", \"xboxgipsvc.dll\", \"xboxgipsynthetic.dll\", \"xboxnetapisvc.dll\", \"xinput1_4.dll\", \"xinput9_1_0.dll\", \"xinputuap.dll\", \"xmlfilter.dll\", \"xmllite.dll\", \"xmlprovi.dll\", \"xolehlp.dll\", \"xpsgdiconverter.dll\", \"xpsprint.dll\", \"xpspushlayer.dll\", \"xpsrasterservice.dll\", \"xpsservices.dll\", \"xwizards.dll\", \"xwreg.dll\", \"xwtpdui.dll\", \"xwtpw32.dll\", \"zipcontainer.dll\", \"zipfldr.dll\", \"bootsvc.dll\", 
\"halextintcpsedma.dll\", \"icsvcvss.dll\", \"ieproxydesktop.dll\", \"lsaadt.dll\", \"nlansp_c.dll\", \"nrtapi.dll\", \"opencl.dll\", \"pfclient.dll\", \"pnpdiag.dll\", \"prxyqry.dll\", \"rdpnanotransport.dll\", \"servicingcommon.dll\", \"sortwindows63.dll\", \"sstpcfg.dll\", \"tdhres.dll\", \"umpodev.dll\", \"utcapi.dll\", \"windlp.dll\", \"wow64base.dll\", \"wow64con.dll\", \"blbuires.dll\", \"bpainst.dll\", \"cbclient.dll\", \"certadm.dll\", \"certocm.dll\", \"certpick.dll\", \"csdeployres.dll\", \"dsdeployres.dll\", \"eapa3hst.dll\", \"eapacfg.dll\", \"eapahost.dll\", \"elsext.dll\", \"encdump.dll\", \"escmigplugin.dll\", \"fsclient.dll\", \"fsdeployres.dll\", \"fssminst.dll\", \"fssmres.dll\", \"fssprov.dll\", \"ipamapi.dll\", \"kpssvc.dll\", \"lbfoadminlib.dll\", \"mintdh.dll\", \"mmci.dll\", \"mmcico.dll\", \"mprsnap.dll\", \"mstsmhst.dll\", \"mstsmmc.dll\", \"muxinst.dll\", \"personax.dll\", \"rassfm.dll\", \"rasuser.dll\", \"rdmsinst.dll\", \"rdmsres.dll\", \"rtrfiltr.dll\", \"sacsvr.dll\", \"scrdenrl.dll\", \"sdclient.dll\", \"sharedstartmodel.dll\", \"smsrouter.dll\", \"spwizimg_svr.dll\", \"sqlcecompact40.dll\", \"sqlceoledb40.dll\", \"sqlceqp40.dll\", \"sqlcese40.dll\", \"srvmgrinst.dll\", \"svrmgrnc.dll\", \"tapisnap.dll\", \"tlsbrand.dll\", \"tsec.dll\", \"tsprop.dll\", \"tspubiconhelper.dll\", \"tssdjet.dll\", \"tsuserex.dll\", \"ualapi.dll\", \"ualsvc.dll\", \"umcres.dll\", \"updatehandlers.dll\", \"usocore.dll\", \"vssui.dll\", \"wsbappres.dll\", \"wsbonline.dll\", \"wsmselpl.dll\", \"wsmselrr.dll\", \"xpsfilt.dll\", \"xpsshhdr.dll\"\n ) and\n not (\n (\n dll.name : \"icuuc.dll\" and dll.code_signature.subject_name in (\n \"Valve\", \"Valve Corp.\", \"Avanquest Software (7270356 Canada Inc)\", \"Adobe Inc.\"\n ) and dll.code_signature.trusted == true\n ) or\n (\n dll.name : (\"timeSync.dll\", \"appInfo.dll\") and dll.code_signature.subject_name in (\n \"VMware Inc.\", \"VMware, Inc.\"\n ) and dll.code_signature.trusted == true\n ) or\n (\n 
dll.name : \"libcrypto.dll\" and dll.code_signature.subject_name in (\n \"NoMachine S.a.r.l.\", \"Oculus VR, LLC\"\n ) and dll.code_signature.trusted == true\n ) or\n (\n dll.name : \"ucrtbase.dll\" and dll.code_signature.subject_name in (\n \"Proofpoint, Inc.\", \"Rapid7 LLC\", \"Eclipse.org Foundation, Inc.\", \"Amazon.com Services LLC\", \"Windows Phone\"\n ) and dll.code_signature.trusted == true\n ) or\n (\n dll.name : (\"libcrypto.dll\", \"wmi.dll\", \"geolocation.dll\", \"kerberos.dll\") and\n dll.code_signature.subject_name == \"Bitdefender SRL\" and dll.code_signature.trusted == true\n ) or\n (dll.name : \"ICMP.dll\" and dll.code_signature.subject_name == \"Paessler AG\" and dll.code_signature.trusted == true) or\n (dll.name : \"dbghelp.dll\" and dll.code_signature.trusted == true) or\n (dll.name : \"DirectML.dll\" and dll.code_signature.subject_name == \"Adobe Inc.\" and dll.code_signature.trusted == true) or\n (dll.name : \"icsvc.dll\" and dll.code_signature.subject_name in (\"Dell Inc\", \"Dell Technologies Inc.\") and dll.code_signature.trusted == true) or\n (dll.name : \"offreg.dll\" and dll.code_signature.subject_name == \"Malwarebytes Inc.\" and dll.code_signature.trusted == true) or\n (dll.name : \"AppMgr.dll\" and dll.code_signature.subject_name == \"Autodesk, Inc\" and dll.code_signature.trusted == true) or\n (dll.name : (\"SsShim.dll\", \"Msi.dll\", \"wdscore.dll\") and process.name : \"DismHost.exe\" and dll.path : \"C:\\\\Windows\\\\Temp\\\\*\") or\n (\n dll.path : (\n \"?:\\\\Windows\\\\SystemApps\\\\*\\\\dxgi.dll\",\n \"?:\\\\Windows\\\\SystemApps\\\\*\\\\wincorlib.dll\",\n \"?:\\\\Windows\\\\dxgi.dll\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\LINE\\\\bin\\\\current\\\\dbghelp.dll\"\n )\n )\n )\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "dll.Ext.relative_file_creation_time", + "type": "unknown" + }, + { + "ecs": true, + "name": 
"dll.code_signature.status", + "type": "keyword" + }, + { + "ecs": true, + "name": "dll.code_signature.subject_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "dll.code_signature.trusted", + "type": "boolean" + }, + { + "ecs": true, + "name": "dll.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "dll.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "fb01d790-9f74-4e76-97dd-b4b0f7bf6435", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "Data Source: Elastic Defend", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Persistence", + "Rule Type: BBR" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1036", + "name": "Masquerading", + "reference": "https://attack.mitre.org/techniques/T1036/", + "subtechnique": [ + { + "id": "T1036.001", + "name": "Invalid Code Signature", + "reference": "https://attack.mitre.org/techniques/T1036/001/" + }, + { + "id": "T1036.005", + "name": "Match Legitimate Name or Location", + "reference": "https://attack.mitre.org/techniques/T1036/005/" + } + ] + }, + { + "id": "T1574", + "name": "Hijack Execution Flow", + "reference": "https://attack.mitre.org/techniques/T1574/", + "subtechnique": [ + { + "id": "T1574.001", + "name": "DLL Search Order Hijacking", + "reference": "https://attack.mitre.org/techniques/T1574/001/" + }, + { + "id": "T1574.002", + "name": "DLL Side-Loading", + "reference": "https://attack.mitre.org/techniques/T1574/002/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1554", + 
"name": "Compromise Host Software Binary", + "reference": "https://attack.mitre.org/techniques/T1554/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 105 + }, + "id": "fb01d790-9f74-4e76-97dd-b4b0f7bf6435_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/fd332492-0bc6-11ef-b5be-f661ea17fbcc_1.json b/packages/security_detection_engine/kibana/security_rule/fd332492-0bc6-11ef-b5be-f661ea17fbcc_1.json new file mode 100644 index 00000000000..99d986ef3bf --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/fd332492-0bc6-11ef-b5be-f661ea17fbcc_1.json 
@@ -0,0 +1,104 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects the first occurrence of a user identity accessing AWS Systems Manager (SSM) SecureString parameters using the GetParameter or GetParameters API actions with credentials in the request parameters. This could indicate that the user is accessing sensitive information. This rule detects when a user accesses a SecureString parameter with the `withDecryption` parameter set to true. This is a [NewTerms](https://www.elastic.co/guide/en/security/current/rules-ui-create.html#create-new-terms-rule) rule that detects the first occurrence of a specific AWS ARN accessing SecureString parameters with decryption within the last 10 days.", + "false_positives": [ + "Users may legitimately access AWS Systems Manager (SSM) parameters using the GetParameter, GetParameters, or DescribeParameters API actions with credentials in the request parameters. Ensure that the user has a legitimate reason to access the parameters and that the credentials are secured." + ], + "from": "now-9m", + "history_window_start": "now-10d", + "index": [ + "filebeat-*", + "logs-aws.cloudtrail*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS Systems Manager SecureString Parameter Request with Decryption Flag", + "new_terms_fields": [ + "aws.cloudtrail.user_identity.arn" + ], + "note": "\n## Triage and Analysis\n\n### Investigating AWS Systems Manager SecureString Parameter Request with Decryption Flag\n\nThis rule detects when an AWS resource accesses SecureString parameters within AWS Systems Manager (SSM) with the decryption flag set to true. SecureStrings are encrypted using a KMS key, and accessing these with decryption can indicate attempts to access sensitive data.\n\nAdversaries may target SecureStrings to retrieve sensitive information such as encryption keys, passwords, and other credentials that are stored securely. 
Accessing these parameters with decryption enabled is particularly concerning because it implies the adversary is attempting to bypass the encryption to obtain plain text values that can be immediately used or exfiltrated. This behavior might be part of a larger attack strategy aimed at escalating privileges or moving laterally within an environment to access protected data or critical infrastructure.\n\n#### Possible Investigation Steps\n\n- **Review the Access Event**: Identify the specific API call (`GetParameter` or `GetParameters`) that triggered the rule. Examine the `request_parameters` for `withDecryption` set to true and the name of the accessed parameter.\n- **Verify User Identity and Access Context**: Check the `user_identity` details to understand who accessed the parameter and their role within the organization. This includes checking the ARN and access key ID to determine if the access was authorized.\n- **Contextualize with User Behavior**: Assess whether the access pattern fits the user\u2019s normal behavior or job responsibilities. 
Investigate any out-of-pattern activities around the time of the event.\n- **Analyze Geographic and IP Context**: Using the `source.ip` and `source.geo` information, verify if the request came from a trusted location or if there are any anomalies that suggest a compromised account.\n- **Inspect Related CloudTrail Events**: Look for other related events in CloudTrail to see if there was unusual activity before or after this event, such as unusual login attempts, changes to permissions, or other API calls that could indicate broader unauthorized actions.\n\n### False Positive Analysis\n\n- **Legitimate Administrative Use**: Verify if the decryption of SecureString parameters is a common practice for the user\u2019s role, particularly if used in automation scripts or deployment processes like those involving Terraform or similar tools.\n\n### Response and Remediation\n\n- **Immediate Verification**: Contact the user or team responsible for the API call to verify their intent and authorization.\n- **Review and Revise Permissions**: If the access was unauthorized, review the permissions assigned to the user or role to ensure they align with the principle of least privilege.\n- **Audit Parameter Access Policies**: Ensure that policies governing access to SecureString parameters are strict and audit logs are enabled to track access with decryption.\n- **Incident Response**: If suspicious activity is confirmed, follow through with your organization's incident response plan to mitigate any potential security issues.\n- **Enhanced Monitoring and Alerting**: Strengthen monitoring rules to detect unusual accesses to SecureString parameters, especially those that involve decryption.\n\n### Additional Information\n\nThis rule focuses solely on SecureStrings in AWS Systems Manager (SSM) parameters. SecureStrings are encrypted using an AWS Key Management Service (KMS) key. When a user accesses a SecureString parameter, they can specify whether the parameter should be decrypted. 
If the user specifies that the parameter should be decrypted, the decrypted value is returned in the response.\n", + "query": "event.dataset: aws.cloudtrail\n and event.provider: \"ssm.amazonaws.com\"\n and event.action: (GetParameters or GetParameter)\n and event.outcome: success\n and aws.cloudtrail.request_parameters: *withDecryption=true*\n", + "references": [ + "https://docs.aws.amazon.com/vsts/latest/userguide/systemsmanager-getparameter.html", + "https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-parameter-store.html" + ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "aws.cloudtrail.request_parameters", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "fd332492-0bc6-11ef-b5be-f661ea17fbcc", + "setup": "This rule requires that AWS CloudTrail logs are ingested into the Elastic Stack. Ensure that the AWS integration is properly configured to collect AWS CloudTrail logs. 
This rule also requires event logging for AWS Systems Manager (SSM) API actions which can be enabled in CloudTrail's data events settings.\n", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Data Source: AWS Systems Manager", + "Tactic: Credential Access", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1555", + "name": "Credentials from Password Stores", + "reference": "https://attack.mitre.org/techniques/T1555/", + "subtechnique": [ + { + "id": "T1555.006", + "name": "Cloud Secrets Management Stores", + "reference": "https://attack.mitre.org/techniques/T1555/006/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "new_terms", + "version": 1 + }, + "id": "fd332492-0bc6-11ef-b5be-f661ea17fbcc_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/fda1d332-5e08-4f27-8a9b-8c802e3292a6_9.json b/packages/security_detection_engine/kibana/security_rule/fda1d332-5e08-4f27-8a9b-8c802e3292a6_9.json new file mode 100644 index 00000000000..f3c59084f3b --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/fda1d332-5e08-4f27-8a9b-8c802e3292a6_9.json 
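Review bot: The query only matches `GetParameter` and `GetParameters`, so a `GetParametersByPath` call with `WithDecryption=true` — which returns every SecureString under a path in a single request — never triggers this rule; consider `event.action: (GetParameters or GetParameter or GetParametersByPath)`. The description and false-positive text describe access "with credentials in the request parameters", but the request parameters carry the parameter name and the decryption flag, not credentials, and `withDecryption=true` by itself does not prove the target is a SecureString (tooling commonly sets the flag for plain String parameters too), so I would reword both to "with the `withDecryption` flag set to true". Because the new-terms field is `aws.cloudtrail.user_identity.arn`, assumed-role ARNs that embed a per-session name (CI or Terraform runs) will each show up as a new term; the False Positive Analysis section should say so and point at the session issuer ARN as the alternative key where role sessions dominate. The setup text sends users to CloudTrail data events, but as far as I know Parameter Store reads are logged as read-only management events, so the real prerequisite is that the trail records read management events — worth confirming before publishing.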
@@ -0,0 +1,117 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule monitors for the copying or moving of a system binary. Adversaries may copy/move and rename system binaries to evade detection. Copying a system binary to a different location should not occur often, so if it does, the activity should be investigated.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.file*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "System Binary Moved or Copied", + "query": "file where host.os.type == \"linux\" and event.type == \"change\" and event.action == \"rename\" and\nfile.Ext.original.path : (\n \"/bin/*\", \"/usr/bin/*\", \"/usr/local/bin/*\", \"/sbin/*\", \"/usr/sbin/*\", \"/usr/local/sbin/*\"\n) and not (\n process.executable in (\n \"/bin/dpkg\", \"/usr/bin/dpkg\", \"/bin/dockerd\", \"/usr/bin/dockerd\", \"/usr/sbin/dockerd\", \"/bin/microdnf\",\n \"/usr/bin/microdnf\", \"/bin/rpm\", \"/usr/bin/rpm\", \"/bin/snapd\", \"/usr/bin/snapd\", \"/bin/yum\", \"/usr/bin/yum\",\n \"/bin/dnf\", \"/usr/bin/dnf\", \"/bin/podman\", \"/usr/bin/podman\", \"/bin/dnf-automatic\", \"/usr/bin/dnf-automatic\",\n \"/bin/pacman\", \"/usr/bin/pacman\", \"/usr/bin/dpkg-divert\", \"/bin/dpkg-divert\", \"/sbin/apk\", \"/usr/sbin/apk\",\n \"/usr/local/sbin/apk\", \"/usr/bin/apt\", \"/usr/sbin/pacman\", \"/bin/podman\", \"/usr/bin/podman\", \"/usr/bin/puppet\",\n \"/bin/puppet\", \"/opt/puppetlabs/puppet/bin/puppet\", \"/usr/bin/chef-client\", \"/bin/chef-client\",\n \"/bin/autossl_check\", \"/usr/bin/autossl_check\", \"/proc/self/exe\", \"/dev/fd/*\", \"/usr/bin/pamac-daemon\",\n \"/bin/pamac-daemon\", \"/usr/lib/snapd/snapd\", \"/usr/local/bin/dockerd\", \"/usr/libexec/netplan/generate\",\n \"/usr/bin/update-alternatives\", \"/bin/update-alternatives\", \"/usr/sbin/update-alternatives\",\n \"/sbin/update-alternatives\", \"/usr/bin/pip3\", \"/bin/pip3\", \"/usr/local/bin/pip3\", \"/usr/local/bin/node\",\n \"/bin/node\", 
\"/usr/bin/node\", \"/sbin/apk\", \"/usr/sbin/apk\", \"/usr/local/sbin/apk\", \"/usr/bin/pip\", \"/bin/pip\",\n \"/usr/local/bin/pip\"\n ) or\n file.Ext.original.path : (\n \"/bin/*.tmp\", \"/usr/bin/*.tmp\", \"/usr/local/bin/*.tmp\", \"/sbin/*.tmp\", \"/usr/sbin/*.tmp\", \"/usr/local/sbin/*.tmp\"\n ) or\n file.extension in (\"swp\", \"swpx\", \"swx\", \"dpkg-remove\") or\n file.Ext.original.extension == \"dpkg-new\" or\n process.executable : (\"/nix/store/*\", \"/var/lib/dpkg/*\", \"/tmp/vmis.*\", \"/snap/*\", \"/dev/fd/*\") or\n process.executable == null or\n (process.name == \"sed\" and file.name : \"sed*\") or\n (process.name == \"perl\" and file.name : \"e2scrub_all.tmp*\") \n)\n", + "references": [ + "https://intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "file.Ext.original.extension", + "type": "unknown" + }, + { + "ecs": false, + "name": "file.Ext.original.path", + "type": "unknown" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "fda1d332-5e08-4f27-8a9b-8c802e3292a6", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1036", + "name": "Masquerading", + "reference": "https://attack.mitre.org/techniques/T1036/", + "subtechnique": [ + { + "id": "T1036.003", + "name": "Rename System Utilities", + "reference": "https://attack.mitre.org/techniques/T1036/003/" + } + ] + }, + { + "id": "T1564", + "name": "Hide Artifacts", + "reference": "https://attack.mitre.org/techniques/T1564/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 9 + }, + "id": "fda1d332-5e08-4f27-8a9b-8c802e3292a6_9", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ff0d807d-869b-4a0d-a493-52bc46d2f1b1_5.json b/packages/security_detection_engine/kibana/security_rule/ff0d807d-869b-4a0d-a493-52bc46d2f1b1_5.json new file mode 100644 index 00000000000..467cc6cfdd7 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/ff0d807d-869b-4a0d-a493-52bc46d2f1b1_5.json 
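Review bot: The rule is named and described as catching a system binary being "moved or copied", but the query only matches `event.action == "rename"`, so a copy (`cp /bin/bash /tmp/x` yields a `creation` event for the new path, not a rename of the original) is never seen; either add a creation branch keyed on the source path or narrow the name and description to renames. Several exclusions are under the attacker's control rather than the defender's: `process.executable : "/tmp/vmis.*"` and `"/dev/fd/*"` are attacker-choosable paths and `process.executable == null` drops any event whose executable could not be resolved, so a payload run from `/tmp/vmis.anything` can rename `/usr/bin/*` silently; at minimum document these gaps in the description, and prefer excluding on `process.name` plus a parent-process condition where the noise source allows it. `"/dev/fd/*"` inside the `in (...)` list is compared literally (EQL `in` does not expand wildcards) and is already covered by the later `:` clause, and `/bin/podman`, `/usr/bin/podman`, `/sbin/apk`, `/usr/sbin/apk` and `/usr/local/sbin/apk` are each listed twice; dedupe the list.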
@@ -0,0 +1,64 @@ +{ + "attributes": { + "anomaly_threshold": 70, + "author": [ + "Elastic" + ], + "description": "A population analysis machine learning job detected potential DGA (domain generation algorithm) activity. Such activity is often used by malware command and control (C2) channels. This machine learning job looks for a source IP address making DNS requests that have an aggregate high probability of being DGA activity.", + "from": "now-45m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": "dga_high_sum_probability", + "name": "Potential DGA Activity", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", + "https://docs.elastic.co/en/integrations/dga", + "https://www.elastic.co/security-labs/detect-domain-generation-algorithm-activity-with-new-kibana-integration" + ], + "related_integrations": [ + { + "package": "dga", + "version": "^2.0.0" + }, + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "network_traffic", + "version": "^1.1.0" + } + ], + "risk_score": 21, + "rule_id": "ff0d807d-869b-4a0d-a493-52bc46d2f1b1", + "setup": "## Setup\n\nThe rule requires the Domain Generation Algorithm (DGA) Detection integration assets to be installed, as well as DNS events collected by integrations such as Elastic Defend, Network Packet Capture, or Packetbeat. 
\n\n### DGA Detection Setup\nThe DGA Detection integration consists of an ML-based framework to detect DGA activity in DNS events.\n\n#### Prerequisite Requirements:\n- Fleet is required for DGA Detection.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- DNS events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint), [Network Packet Capture](https://docs.elastic.co/integrations/network_traffic) integration, or [Packetbeat](https://www.elastic.co/guide/en/beats/packetbeat/current/packetbeat-overview.html).\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n- To add the Network Packet Capture integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide.\n- To set up and run Packetbeat, follow [this](https://www.elastic.co/guide/en/beats/packetbeat/current/setting-up-and-running.html) guide.\n\n#### The following steps should be executed to install assets associated with the DGA Detection integration:\n- Go to the Kibana homepage. Under Management, click Integrations.\n- In the query bar, search for Domain Generation Algorithm Detection and select the integration to see more details about it.\n- Follow the instructions under the **Installation** section.\n- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.\n\n### Anomaly Detection Setup\nBefore you can enable this rule, you'll need to enable the corresponding Anomaly Detection job. \n- Go to the Kibana homepage. Under Analytics, click Machine Learning.\n- Under Anomaly Detection, click Jobs, and then click \"Create job\". Select the Data View containing your enriched DNS events. 
For example, this would be `logs-endpoint.events.*` if you used Elastic Defend to collect events, or `logs-network_traffic.*` if you used Network Packet Capture.\n- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/dga/kibana/ml_module/dga-ml.json) configuration file, you will see a card for DGA under \"Use preconfigured jobs\".\n- Keep the default settings and click \"Create jobs\" to start the anomaly detection job and datafeed.\n", + "severity": "low", + "tags": [ + "Use Case: Domain Generation Algorithm Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Command and Control" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1568", + "name": "Dynamic Resolution", + "reference": "https://attack.mitre.org/techniques/T1568/" + } + ] + } + ], + "type": "machine_learning", + "version": 5 + }, + "id": "ff0d807d-869b-4a0d-a493-52bc46d2f1b1_5", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ff10d4d8-fea7-422d-afb1-e5a2702369a9_11.json b/packages/security_detection_engine/kibana/security_rule/ff10d4d8-fea7-422d-afb1-e5a2702369a9_11.json new file mode 100644 index 00000000000..c437307b64f --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/ff10d4d8-fea7-422d-afb1-e5a2702369a9_11.json 
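Review bot: The rule ships without a `note` investigation guide, so an analyst receiving this low-severity ML alert has nothing telling them which fields to pivot on; since the job keys on a source IP making many high-probability DGA lookups, a short triage section would help, e.g. "Pivot on `source.ip` for the anomaly bucket, list the queried domains together with the DGA probability added by the DGA integration enrichment, check whether they resolve (NXDOMAIN bursts are typical of DGA beaconing), and identify the process issuing the lookups from Elastic Defend DNS events". The tags list carries both `Rule Type: ML` and `Rule Type: Machine Learning`; if one is a migration of the other, keep the canonical one or note why both are present. The setup text tells the user to create the job from the "Use preconfigured jobs" card, while the rule is bound to `machine_learning_job_id: dga_high_sum_probability`; presumably the preconfigured module assigns exactly that ID, and saying so explicitly would prevent a renamed job from leaving the rule pointing at nothing.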
@@ -0,0 +1,154 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule monitors for (ana)cron jobs being created or renamed. Linux cron jobs are scheduled tasks that can be leveraged by system administrators to set up scheduled tasks, but may be abused by malicious actors for persistence, privilege escalation and command execution. By creating or modifying cron job configurations, attackers can execute malicious commands or scripts at predefined intervals, ensuring their continued presence and enabling unauthorized activities.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.file*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Cron Job Created or Modified", + "note": "## Triage and analysis\n\n### Investigating Cron Job Created or Modified\nLinux cron jobs are scheduled tasks that run at specified intervals or times, managed by the cron daemon. \n\nBy creating or modifying cron job configurations, attackers can execute malicious commands or scripts at predefined intervals, ensuring their continued presence and enabling unauthorized activities.\n\nThis rule monitors the creation of cron jobs by monitoring for file creation and rename events in the most common cron job task location directories.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible Investigation Steps\n\n- Investigate the cron job file that was created or modified.\n- Investigate whether any other files in any of the available cron job directories have been altered through OSQuery.\n - !{osquery{\"label\":\"Osquery - Retrieve File Listing Information\",\"query\":\"SELECT * FROM file WHERE (path LIKE '/etc/cron.allow.d/%' OR path LIKE '/etc/cron.d/%' OR path LIKE\\n'/etc/cron.hourly/%' OR path LIKE '/etc/cron.daily/%' OR path LIKE '/etc/cron.weekly/%' OR path LIKE\\n'/etc/cron.monthly/%' OR path LIKE '/var/spool/cron/crontabs/%')\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Cron File Information\",\"query\":\"SELECT * FROM file WHERE (path = '/etc/cron.allow' OR path = '/etc/cron.deny' OR path = '/etc/crontab')\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Additional File Listing Information\",\"query\":\"SELECT f.path, u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS\\nfile_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS\\nfile_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM file f LEFT\\nJOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE ( path LIKE '/etc/cron.allow.d/%' OR path LIKE\\n'/etc/cron.d/%' OR path LIKE '/etc/cron.hourly/%' OR path LIKE '/etc/cron.daily/%' OR path LIKE '/etc/cron.weekly/%' OR\\npath LIKE '/etc/cron.monthly/%' OR path LIKE '/var/spool/cron/crontabs/%')\\n\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. \n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n- Investigate abnormal behaviors by the subject process/user such as network connections, file modifications, and any other spawned child processes.\n - Investigate listening ports and open sockets to look for potential command and control traffic or data exfiltration.\n - !{osquery{\"label\":\"Osquery - Retrieve Listening Ports\",\"query\":\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Open Sockets\",\"query\":\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\"}}\n - Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - 
!{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator who uses cron jobs for administrative purposes, consider adding exceptions for this specific administrator user account. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Related Rules\n\n- Suspicious File Creation in /etc for Persistence - 1c84dd64-7e6c-4bad-ac73-a5014ee37042\n- Potential Persistence Through Run Control Detected - 0f4d35e4-925e-4959-ab24-911be207ee6f\n- Potential Persistence Through init.d Detected - 474fd20e-14cc-49c5-8160-d9ab4ba16c8b\n- Systemd Timer Created - 7fb500fa-8e24-4bd1-9480-2a819352602c\n- Systemd Service Created - 17b0a495-4d9f-414c-8ad0-92f018b8e001\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the service/timer or restore its original configuration.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n",
+ "query": "file where host.os.type == \"linux\" and\nevent.action in (\"rename\", \"creation\") and file.path : (\n \"/etc/cron.allow\", \"/etc/cron.deny\", \"/etc/cron.d/*\", \"/etc/cron.hourly/*\", \"/etc/cron.daily/*\", \"/etc/cron.weekly/*\",\n \"/etc/cron.monthly/*\", \"/etc/crontab\", \"/var/spool/cron/crontabs/*\", \"/var/spool/anacron/*\"\n) and not (\n process.executable in (\n \"/bin/dpkg\", \"/usr/bin/dpkg\", \"/bin/dockerd\", \"/usr/bin/dockerd\", \"/usr/sbin/dockerd\", \"/bin/microdnf\",\n \"/usr/bin/microdnf\", \"/bin/rpm\", \"/usr/bin/rpm\", \"/bin/snapd\", \"/usr/bin/snapd\", \"/bin/yum\", \"/usr/bin/yum\",\n \"/bin/dnf\", \"/usr/bin/dnf\", \"/bin/podman\", \"/usr/bin/podman\", \"/bin/dnf-automatic\", \"/usr/bin/dnf-automatic\",\n \"/bin/pacman\", \"/usr/bin/pacman\", \"/usr/bin/dpkg-divert\", \"/bin/dpkg-divert\", \"/sbin/apk\", \"/usr/sbin/apk\",\n \"/usr/local/sbin/apk\", \"/usr/bin/apt\", \"/usr/sbin/pacman\", \"/bin/podman\", \"/usr/bin/podman\", \"/usr/bin/puppet\",\n \"/bin/puppet\", \"/opt/puppetlabs/puppet/bin/puppet\", \"/usr/bin/chef-client\", \"/bin/chef-client\",\n \"/bin/autossl_check\", \"/usr/bin/autossl_check\", \"/proc/self/exe\", \"/dev/fd/*\", \"/usr/bin/pamac-daemon\",\n \"/bin/pamac-daemon\", \"/usr/local/bin/dockerd\"\n ) or\n file.path : \"/var/spool/cron/crontabs/tmp.*\" or\n file.extension in (\"swp\", \"swpx\", \"swx\", \"dpkg-remove\") or\n 
file.Ext.original.extension == \"dpkg-new\" or\n process.executable : (\"/nix/store/*\", \"/var/lib/dpkg/*\", \"/tmp/vmis.*\", \"/snap/*\", \"/dev/fd/*\") or\n process.executable == null or\n (process.name == \"sed\" and file.name : \"sed*\") or\n (process.name == \"perl\" and file.name : \"e2scrub_all.tmp*\") \n)\n",
+ "references": [
+ "https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/"
+ ],
+ "related_integrations": [
+ {
+ "package": "endpoint",
+ "version": "^8.2.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.action",
+ "type": "keyword"
+ },
+ {
+ "ecs": false,
+ "name": "file.Ext.original.extension",
+ "type": "unknown"
+ },
+ {
+ "ecs": true,
+ "name": "file.extension",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "file.name",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "file.path",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "host.os.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.executable",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.name",
+ "type": "keyword"
+ }
+ ],
+ "risk_score": 47,
+ "rule_id": "ff10d4d8-fea7-422d-afb1-e5a2702369a9",
+ "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n",
+ "severity": "medium",
+ "tags": [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Tactic: Privilege Escalation",
+ "Tactic: Execution",
+ "Data Source: Elastic Defend"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0003",
+ "name": "Persistence",
+ "reference": "https://attack.mitre.org/tactics/TA0003/"
+ },
+ "technique": [
+ {
+ "id": "T1053",
+ "name": "Scheduled Task/Job",
+ "reference": "https://attack.mitre.org/techniques/T1053/",
+ "subtechnique": [
+ {
+ "id": "T1053.003",
+ "name": "Cron",
+ "reference": "https://attack.mitre.org/techniques/T1053/003/"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0004",
+ "name": "Privilege Escalation",
+ "reference": "https://attack.mitre.org/tactics/TA0004/"
+ },
+ "technique": [
+ {
+ "id": "T1053",
+ "name": "Scheduled Task/Job",
+ "reference": "https://attack.mitre.org/techniques/T1053/",
+ "subtechnique": [
+ {
+ "id": "T1053.003",
+ "name": "Cron",
+ "reference": "https://attack.mitre.org/techniques/T1053/003/"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0002",
+ "name": "Execution",
+ "reference": "https://attack.mitre.org/tactics/TA0002/"
+ },
+ "technique": [
+ {
+ "id": "T1053",
+ "name": "Scheduled Task/Job",
+ "reference": "https://attack.mitre.org/techniques/T1053/",
+ "subtechnique": [
+ {
+ "id": "T1053.003",
+ "name": "Cron",
+ "reference": "https://attack.mitre.org/techniques/T1053/003/"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "eql",
+ "version": 11
+ },
+ "id": "ff10d4d8-fea7-422d-afb1-e5a2702369a9_11",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/manifest.yml b/packages/security_detection_engine/manifest.yml
index 9d9d0fc547f..84d4af100dd 100644
--- a/packages/security_detection_engine/manifest.yml
+++ b/packages/security_detection_engine/manifest.yml
@@ -21,4 +21,4 @@ source:
 license: Elastic-2.0
 title: Prebuilt Security Detection Rules
 type: integration
-version: 8.14.2
+version: 8.14.3-beta.1
From 66cce590d6644545dad3fd0edfa3bf84649873bf Mon Sep 17 00:00:00 2001
From: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com>
Date: Tue, 11 Jun 2024 13:35:09 -0400
Subject: [PATCH 005/105] [Security Rules] Update security rules package to v8.14.3 (#10133)
---
 packages/security_detection_engine/changelog.yml | 5 +++++
 packages/security_detection_engine/manifest.yml | 2 +-
 2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/packages/security_detection_engine/changelog.yml b/packages/security_detection_engine/changelog.yml
index c86cd5fbd5f..930b4af4558 100644
--- a/packages/security_detection_engine/changelog.yml
+++ b/packages/security_detection_engine/changelog.yml
@@ -1,5 +1,10 @@
 # newer versions go on top
 # NOTE: please use pre-release versions (e.g. -beta.0) until a package is ready for production
+- version: 8.14.3
+ changes:
+ - description: Release security rules update
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/10133
 - version: 8.14.3-beta.1
 changes:
 - description: Release security rules update
diff --git a/packages/security_detection_engine/manifest.yml b/packages/security_detection_engine/manifest.yml
index 84d4af100dd..abe87f65fe8 100644
--- a/packages/security_detection_engine/manifest.yml
+++ b/packages/security_detection_engine/manifest.yml
@@ -21,4 +21,4 @@ source:
 license: Elastic-2.0
 title: Prebuilt Security Detection Rules
 type: integration
-version: 8.14.3-beta.1
+version: 8.14.3
From c34dbef298ad1c42fa65cadd18f09896450b46c6 Mon Sep 17 00:00:00 2001
From: Brandon Morelli
Date: Tue, 11 Jun 2024 13:39:50 -0600
Subject: [PATCH 006/105] Move integration dev docs to elastic.co (#9796)
* move documentation to public doc site
* add links to new content
---
 CONTRIBUTING.md | 19 +-
 docs/dashboard_guidelines.md | 133 +--------
 docs/definitions.md | 50 +---
 docs/developer_tsdb_migration_guidelines.md | 185 +-----------
 ..._workflow_bug_fix_older_package_version.md | 120 +-------
 ..._workflow_design_build_test_integration.md | 191 +------------
 docs/developer_workflow_fleet_ui.md | 88 +-----
 docs/documentation_guidelines.md | 267 +-----------------
 docs/fine_tune_integration.md | 145 +---------
 docs/generic_guidelines.md | 182 +-----------
 docs/how_to_test_new_indexing_features.md | 149 +---------
 docs/images/backport_input_step.png | Bin 32197 -> 0 bytes
 docs/images/browse_package_commits.png | Bin 57651 -> 0 bytes
 docs/images/colours_in_visualisations.png | Bin 78927 -> 0 bytes
 docs/images/filter_in_visualization.png | Bin 14490 -> 0 bytes
 docs/images/grouping_in_visualisations.png | Bin 75614 -> 0 bytes
 docs/images/markdown_grouping.png | Bin 207326 -> 0 bytes
 docs/images/merge_commit_message.png | Bin 13514 -> 0 bytes
 docs/images/rows_in_visualisations.png | Bin 136181 -> 0 bytes
 docs/images/titles_in_visualisations.png | Bin 48843 -> 0 bytes
 docs/import_from_beats.md | 53 +---
 docs/testing_and_validation.md | 137 +--------
 docs/tips_for_building_integrations.md | 142 +---------
 23 files changed, 20 insertions(+), 1841 deletions(-)
 delete mode 100644 docs/images/backport_input_step.png
 delete mode 100644 docs/images/browse_package_commits.png
 delete mode 100644 docs/images/colours_in_visualisations.png
 delete mode 100644 docs/images/filter_in_visualization.png
 delete mode 100644 docs/images/grouping_in_visualisations.png
 delete mode 100644 docs/images/markdown_grouping.png
 delete mode 100644 docs/images/merge_commit_message.png
 delete mode 100644 docs/images/rows_in_visualisations.png
 delete mode 100644 docs/images/titles_in_visualisations.png
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index 21b1ad69fa0..ba067e229a2 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -1,15 +1,10 @@
 # Contributing Guide
-This page is intended for contributors to the [Package Registry](https://github.com/elastic/package-registry/) and Elastic Integrations.
+Ready to dive into the world of integrations? See the [Integrations Developer Guide](https://www.elastic.co/guide/en/integrations-developer/current/index.html) to get started. Topics include:
-## Table of Contents
-
-* [Definitions](./docs/definitions.md) - learn basic terms used in the universe of integrations, packages, data streams
-* [Generic guidelines](./docs/generic_guidelines.md) - generic guidelines for developing integrations, compliance with ECS, docs, dashboards
-* [Sample package: Nginx](./packages/nginx) - use as an inspiration for new packages, look at files, folders, test resources
-* [Developer workflow: build and test integration](./docs/developer_workflow_design_build_test_integration.md) - step-by-step guide on how to build and test an integration
-* [Developer workflow: bug fix an old package version](./docs/developer_workflow_bug_fix_older_package_version.md) - step-by-step guide on how to release a new fix for an old package version.
-* [Fine-tune integration](./docs/fine_tune_integration.md) - fill missing items, correct structure, review manifests
-* [Testing and validation](./docs/testing_and_validation.md) - run the Elastic stack, use test runners, review test coverage
-* [Tips for building integrations](./docs/tips_for_building_integrations.md) - see your local changes in Kibana, follow best practices
-* [Documentation Guidelines](./docs/documentation_guidelines.md) - guidelines for contributing to the docs, the Generic guidelines also has lots of docs tips
+* [Quick start: Sample integration](https://www.elastic.co/guide/en/integrations-developer/current/quick-start.html)
+* [Build an integration](https://www.elastic.co/guide/en/integrations-developer/current/build-a-new-integration.html)
+* [Upload an integration](https://www.elastic.co/guide/en/integrations-developer/current/upload-a-new-integration.html)
+* [Test an integration](https://www.elastic.co/guide/en/integrations-developer/current/testing.html)
+* [Publish an integration](https://www.elastic.co/guide/en/integrations-developer/current/_publish_an_integration.html)
+* [Developer workflows](https://www.elastic.co/guide/en/integrations-developer/current/developer-workflows.html)
diff --git a/docs/dashboard_guidelines.md b/docs/dashboard_guidelines.md
index e7fd6344131..c0f7b738d2f 100644
--- a/docs/dashboard_guidelines.md
+++ b/docs/dashboard_guidelines.md
@@ -1,132 +1 @@
-# Dashboard guidelines
-
-A [Kibana dashboard][1] is a set of one or more panels, also referred as visualizations. Panels display data in charts, tables, maps, and more. Dashboards support several types of panels to display your data, and several options to create panels.
-
-The goal of each integration dashboard is to:
-
-* Provide a way to explore ingested data out of the box.
-* Provide an overview of the monitored resources through installing the integration.
-
-Each integration package should contain one or more dashboards.
-
-## Dashboard Best Practises
-
-### Building dashboards on stable versions
-
-Avoid building dashboards on SNAPSHOT versions because as long as the release is not stable behavior changes might render your dashboard unusable. The only supported approach is to use a globally released version from [official releases list](https://www.elastic.co/downloads/past-releases#kibana).
-
-### Not too many visualizations per dashboard
-
-Include only necessary visualisation inside a Dashboard and split them up (if possible) to other dashboards. Linking can be done:
-
-* By using a Markdown visualization to improve performance
-* Use [drilldowns](https://www.elastic.co/guide/en/kibana/current/drilldowns.html) to connect dashboards where they make sense
-
-### Out of date fields in dashboards
-
-The dashboards must be updated to reflect any changes to field names or types. If a PR updates a field name or type, make sure it is correctly updated in any dashboard the field is being used into.
-
-### Add Visualizations by value, not by reference inside a dashboard
-
-Kibana visualizations can be added in a dashboard by value or by reference. Historically by value did not exist. Switching to value has the advantage that the dashboards are fully self contained and only need a single request to be installed.
-
-To achieve this:
-
-* Migrate existing dashboards from by reference to by value
-* Create new dashboards adding visualizations by value
-
-A migration script has been created to help with the migration: [flash1293/legacy_vis_analyzer][2]
-
-### Choose the context of your Dashboard
-
-Should always try to understand as much as possible what kind of context your users need to interact with. So keep the minimal context needed by answering following questions:
-
-* Who is going to use this dashboard?
-* How much time will the users have?
-* What is the main goal of this dashboard and if there are, what are the secondary ones?
-* What kind of charts can help users identify insights in the most immediate and clear way?
-
-### Organisation and hierarchy matters in your dashboards
-
-The positioning of elements in space can define their belonging, with a certain degree this can be applied to dashboards.
-
-* Keep related visualisations close to each other
-
- ![Grouping in visualization](./images/grouping_in_visualisations.png)
-
-* Use Markdown to create blocks of related content
-
- ![Markdown Grouping in visualization](./images/markdown_grouping.png)
-
-* Reading Direction
-
- Most people are used to reading from top to bottom. Place at the top of your page the most important charts and the ones that could give a brief and immediate summary of the context. A good general suggestion would be to increase the level of detail while you reach the bottom of the dashboard, this way users that are interested in getting all the information can obtain them without requiring too much effort from user that only need a quick glance of the situation.
-
-* Central focal point
-
- Placing a big chart, especially with big visual shapes such as rectangles, at the center of the dashboard would help reinforce a natural visual focal point that lies in the center of the interface
-
- ![Central Focal Point in visualization](./images/rows_in_visualisations.png)
-
-### Use Margins
-
-Kibana dashboards offer the possibility to apply margins between visualisations, we would suggest to always do that.
-Margins create separation between charts which is an important visual feature, it helps identifying when two elements belong together or not while, at the same time, they provide more spacing and empty spaces that are always useful in making our interface more clean and elegant.
-
-## Visualisation Best Practises
-
-### Lens vs TSVB visualizations
-
-**Always use Lens**, when possible. It's the best choice to be consistent and up to date and it should always be your first choice when creating new visualizations.
-
-Migrate the dashboards from TSVB to Lens where possible. If it's not possible, please engage with the Kibana team to identify any gaps that prevent full TSVB to Lens dashboard migration.
-
-### Visualizations should contain a filter
-
-Kibana visualizations can define a filter to avoid performance issues querying all `metrics-*` or `logs-*` indices.
-
-It is recommended to set a filter in each visualization at least by the required `data_stream.dataset`. More details about the Elastic data stream naming scheme [here][3].
-
-Avoid using general filters as possible (filters with `-*`). Combine multiple fields and values inside a filter with AND/OR operators. Although your filter might become more complex, will avoid extra queries.
-
-Example:
-
-![filter in visualization](./images/filter_in_visualization.png)
-
-### Do not use “library visualizations”
-
-Do not use the visualisations that show up in the `Analytics > Visualize library`. Instead define visualizations as part of the dashboard. 
This is the default when creating new panels by clicking “Add new visualization” on the dashboard. If some panels are already saved to the library, you can unlink them and delete them from the library. There are little use cases where library visualizations are preferable. It makes sense e.g. if a given visualization always has to be exactly the same on multiple dashboards or if its users frequently look at the visualization without looking at the whole dashboard.
-
-### Use dashboard-native controls
-
-The **Input controls** visualization type is deprecated in favor of **Controls** embedded into the dashboard itself. The `Controls` dropdown in the Dashboard menu bar should be used. See the [documentation](https://www.elastic.co/guide/en/kibana/master/add-controls.html) page for more information.
-
-### Keep Consistent Color
-
-Use color to distinguish categories, represent quantity/density, and highlight data. When using color in this way, be aware that too many colors in a single chart can create noise and hinder quick comprehension.
-
-[Elastic UI](https://elastic.github.io/eui/#/elastic-charts/creating-charts) can provide guidance for correct color choice.
-Colors provided there for visualization have been tested for accessibility contrast and using them you would be sure to properly serve the biggest audience.
-
-If your dashboard is made to identify specific behaviors it might be interesting to consider a color setting that could help pointing it out. Use a neutral color for generic elements and an accent one for the things that you are looking for.
-
-![Colors in visualization](./images/colours_in_visualisations.png)
-
-### Titles in Visualisations matter
-
-Titles can have a strong visual impact on dashboards, especially when there are a lot of small charts. 
Two principles can generally be followed:
-
-* Remove unnecessary or repetitive titles when the information is already explained or written within the chart
-* When title is needed make it self explanatory and exhaustive, this way you will be able to remove axis titles and other specifications leaving more space for the charts itself.
-
-![Titles in visualization](./images/titles_in_visualisations.png)
-
-### Numbers/Formatting
-
-Reduce the number of decimal places to the absolutely necessary ones to avoid extra calculations.
-Use tables whenever you need precise numbers.
-
-
-[1]: https://www.elastic.co/guide/en/kibana/current/dashboard.html
-[2]: https://github.com/elastic/visualizations_integrations_tools
-[3]: https://www.elastic.co/blog/an-introduction-to-the-elastic-data-stream-naming-scheme
+**This content has moved. Please see the [Integrations Developer Guide](https://www.elastic.co/guide/en/integrations-developer/current/dashboard-guidelines.html) instead.**
\ No newline at end of file
diff --git a/docs/definitions.md b/docs/definitions.md
index 66cdd277e99..9281b4218c8 100644
--- a/docs/definitions.md
+++ b/docs/definitions.md
@@ -1,49 +1 @@
-# Definitions
-
-## Package
-
-An Elastic Package, or simply package for short, contains the dashboards, visualisations, and configurations to monitor the logs and metrics of a particular technology or group of related services, such as “MySQL”, or “System”.
-
-The package consists of:
-
-* Name
-* Zero or more dashboards and visualisations and Canvas workpads
-* Zero or more ML job definitions
-* Zero or more data stream index templates
-
-The package is versioned.
-
-## Integration
-
-An integration is a specific type of a _package_ defining data streams used to observe a product using logs, metrics, and traces.
-
-## Data stream
-
-A data stream is logical sub-division of an Integration package, dealing with a specific type of observable aspect of the service or product being observed. For example, the `mysql` package defines a data stream for collecting metrics and another data stream for collecting server logs.
-
-A data stream defines all the assets needed to create an Elasticsearch data stream, for example: index templates and ingest pipelines. These assets are loaded into Elasticsearch when a user installs a package via the Fleet UI in Kibana.
-
-A data stream also defines a policy template. Policy templates include variables that allow users to configure the data stream via the Fleet UI in Kibana. The resulting policy is interpreted by the Elastic Agent to collect relevant information from the product or service being observed.
-
-Data streams are defined inside the `data_stream` folder located under the package's root directory. Each data stream is defined in it's own sub-folder.
-
-The data stream consists of:
-
-* Field definitions (`fields.yml` files)
-* Zero or more ingest pipelines
-* An Elastic Agent policy template
-
-## Development Extensions: '_dev' directories
-
-The `_dev` directory is part of [the package spec](https://github.com/elastic/package-spec), containing development resources. 
These development resources cover any types of files/folders needed only at development time. This includes resources needed for testing but also includes any templates that might be used for generating documentation. In the future it could include other files/folders needed just at development time. It can be defined on the following levels:
-
-1. the package-level `_dev` folder contains files needed to setup the testing environment for that package. This environment setup is specified via folders/files in the `_dev/deploy` folder. For example, the `apache` package [specifies](https://github.com/elastic/integrations/tree/main/packages/apache/_dev/deploy) how to spin up an Apache Docker container for testing.
-1. the data stream-level `_dev` folder contains test configuration files for various types of tests. For example, see the [`_dev/test` folder](https://github.com/elastic/integrations/tree/main/packages/apache/data_stream/error/_dev/test) under the `apache/error` data stream.
-
-The integrations have also [asset](https://github.com/elastic/elastic-package/blob/main/docs/howto/asset_testing.md) and [static](https://github.com/elastic/elastic-package/blob/main/docs/howto/static_testing.md) tests. They don't require config files, but configs can be used to mark them as optional.
-
-## Migration from Beats Modules
-
-Filebeat and Metricbeat modules can be migrated over to Elastic Integrations. When migrating over, the same module in Filebeat and Metricbeat, related to the same observed product, can be combined into a single Elastic Integration.
-
-[Learn more](/docs/import_from_beats.md) about how to migrate Filebeat and Metricbeat modules to Elastic Integrations.
+**This content has moved. Please see the [Integrations Developer Guide](https://www.elastic.co/guide/en/integrations-developer/current/integration-definitions.html) instead.**
\ No newline at end of file
diff --git a/docs/developer_tsdb_migration_guidelines.md b/docs/developer_tsdb_migration_guidelines.md
index 21bcef9a1d4..457b6fa962b 100644
--- a/docs/developer_tsdb_migration_guidelines.md
+++ b/docs/developer_tsdb_migration_guidelines.md
@@ -1,184 +1 @@
-# TSDB Guideline for Integration Developers
-
-Important related resources:
-
-- Meta [issue](https://github.com/elastic/integrations/issues/5233) with all migrated packages
-- TSDB [test](https://github.com/elastic/TSDB-migration-test-kit) migration kit.
-
-In this document you can find:
-
-* [Background](#background)
-* [Steps for migrating an existing package](#migration-steps)
-* [Testing](#testing)
-* [Best practices](#best-practices)
-* [Troubleshooting](#troubleshooting)
-
-
-# Background
-
-A time series is a sequence of observations for a specific entity. TSDB enables the column-oriented functionality in elasticsearch by co-locating the data and optimizing the storage and aggregations to take advantage of such co-allocation.
-
-Integration is one of the biggest sources of input data to elasticsearch. Enabling TSDB on integration packages can be achieved by minimal changes made in `fields.yml` and `manifest.yml` files of a package.
-
-
-# Steps for migrating an existing package
-
-
-> **Warning**: Datastream having type `logs` are excluded from TSDB migration.
-
-
-### Step 1: Set the dimension fields
-
-Each field belonging to the set of fields that uniquely identify a document is a dimension. You can read more details about dimensions [here](https://www.elastic.co/guide/en/elasticsearch/reference/current/tsds.html#time-series-dimension).
-
-To set a field as dimension simply add `dimension: true` to its mapping:
-
-```yaml
-- name: ApiId
- type: keyword
- dimension: true
-```
-
-> **Note**: A field having type [flattened](https://www.elastic.co/guide/en/elasticsearch/reference/current/flattened.html) cannot be selected as a dimension field. If the field that you are choosing as a dimension is too long or is of type flattened, consider hashing the value of this field and using the result as a dimension. 
[Fingerprint processor](https://www.elastic.co/guide/en/elasticsearch/reference/current/fingerprint-processor.html) can be used for this purpose.
->
-> You can find an example in [Oracle Integration TSDB Enablement Example](https://github.com/elastic/integrations/blob/8a57d6ba96d391afc33da20c80ec51280d22f009/packages/oracle/data_stream/performance/elasticsearch/ingest_pipeline/default.yml#LL127C4-L131C29)
-
-Important considerations:
-- There is a limit on how many dimension fields a datastream can have. By default, this value is [21](https://github.com/elastic/elasticsearch/blob/6417a4f80f32ace48b8ad682ad46b19b57e49d60/server/src/main/java/org/elasticsearch/index/mapper/MapperService.java#L114)). You can adjust this restriction by altering the `index.mapping.dimension_fields.limit`:
-```yaml
-elasticsearch:
- index_template:
- settings:
- index.mapping.dimension_fields.limit: 32 # Defaults to 21
-```
-- Dimension _keys_ have a hard limit of 512b. Documents are rejected if this limit is reached.
-- Dimension _values_ have a hard limit of 1024b. Documents are rejected if this limit is reached.
-
-#### ECS fiels
-There are fields that are part of every package, and they are potential candidates of becoming dimension fields:
-
-* `host.name`
-* `service.address`
-* `agent.id`
-* `container.id`
-
-For products that are capable of running both on-premise and in a public cloud environment (by being deployed on public cloud virtual machines), it is recommended to annotate the ECS fields listed below as dimension fields:
-* `host.name`
-* `service.address`
-* `container.id`
-* `cloud.account.id`
-* `cloud.provider`
-* `cloud.region`
-* `cloud.availability_zone`
-* `agent.id`
-* `cloud.instance.id`
-
-For products operating as managed services within cloud providers like AWS, Azure, and GCP, it is advised to label the fields listed below as dimension fields.
-* `cloud.account.id`
-* `cloud.region`
-* `cloud.availability_zone`
-* `cloud.provider`
-* `agent.id `
-
-Note that for some packages some of these fields do not hold any value, so make sure to only use the needed ones.
-
-
-#### Integration specific fields
-
-`files.yml` file has the field mappings specific to a datastream of an integration. Some of these fields might need to be set as dimension if the set of dimension fields in ECS is not enough to create a unique [_tsid](https://www.elastic.co/guide/en/elasticsearch/reference/current/tsds.html#tsid).
-
-Adding an inline comment prior to the dimension annotation is advised, detailing the rationale behind the choice of a particular field as a dimension field.
-
- ```
- - name: wait_class
- type: keyword
- # Multiple events are generated based on the values of wait_class. Hence, it is a dimension
- dimension: true
- description: Every wait event belongs to a class of wait events.
- ```
-
-### Step 2: Set type for metric fields
-
-Metrics are fields that contain numeric measurements, as well as aggregations and/or down sampling values based off of those measurements. Annotate each metric with the correct metric type. The [currently supported](https://www.elastic.co/guide/en/elasticsearch/reference/current/tsds.html#time-series-metric) values are `gauge`, `counter` and `null`.
-
-Example of adding a metric type to a field:
-
-```yaml
-- name: compactions_failed
- type: double
- metric_type: counter
- description: |
- Counter of TSM compactions by level that have failed due to error.
-```
-> **Note**: Some of the aggregation functions are not supported for certain metric_type. In such a scenario, please revisit to see if the selection of metric_type you made is indeed correct for that field. If valid, please create an issue under elastic/elasticsearch explaining the use case.
-
-### Step 3: Update Kibana version
-
-Modify the `kibana.version` to at least `8.8.0` within the `manifest.yml` file of the package:
-```yaml
-conditions:
- kibana.version: "^8.8.0"
-```
-
-### Step 4: Enable `time_series` index mode
-
-Add the changes to the `manifest.yml` file of the datastream as below to enable the timeseries index mode:
-```yaml
-elasticsearch:
- index_mode: "time_series"
-```
-
-
-
-# Testing
-
-- If the number of dimensions is insufficient, we will have loss of data. Consider testing this using the [TSDB migration test kit](https://github.com/elastic/TSDB-migration-test-kit).
-
-- Verify the dashboard is rendering the data properly. If certain visualisation do not work, consider migrating to [Lens](https://www.elastic.co/guide/en/kibana/current/lens.html). Remember that certain aggregation functions are not supported when a field has metric type `counter`. Example `avg()`. Replace such aggregation functions with a supported aggregation type such as `max()` or `min()`.
-
-
-# Best practices
-
-- Use [Lens](https://www.elastic.co/guide/en/kibana/current/lens.html) as the preferred visualisation type.
-
-- Always assess the number of unique values the field that is selected to be dimension would hold, especially if it is a numeric field.
-A field that holds millions of unique values may not be an ideal candidate for becoming a dimension field.
-
-- If the dimension field value length is very long (max limit is 1024B), consider transforming the value to hash value representation. [Fingerprint processor](https://www.elastic.co/guide/en/elasticsearch/reference/current/fingerprint-processor.html) can be used for this purpose.
-
-- In the field mapping files above each dimension field, add in-line comments stating the reason for selecting the field as a dimension field.
-
-- As part of TSDB migration testing, you may discover other errors which may be unrelated to TSDB migration. Keep the PR for TSDB migration free from such changes. 
This helps in obtaining quick PR approval.
-
-
-# Troubleshooting
-
-### Conflicting field type
-
-Fields having conflicting field type will not be considered as dimension. Resolve the field type ambiguity before defining a field as dimension field.
-
-### Identification of write index
-
-When mappings are modified for a datastream, index rollover happens and a new index is created under the datastream. Even if there exists a new index, the data continues to go to the old index until the timestamp matches `index.time_series.start_time` of the newly created index.
-
-An enhancement [request](https://github.com/elastic/kibana/issues/150549) for Kibana is created to indicate the write index. Until then, refer to the `index.time_series.start_time` of indices and compare with the current time to identify the write index.
-
-If you find this error (references [this issue](https://github.com/elastic/integrations/issues/7345) and [this PR](https://github.com/elastic/elasticsearch/pull/98518)):
-
-```console
-... (status=400): {"type":"illegal_argument_exception","reason":"the document timestamp [2023-08-07T00:00:00.000Z] is outside of ranges of currently writable indices [[2023-08-07T08:55:38.000Z,2023-08-07T12:55:38.000Z]]"}, dropping event!
-```
-
-Consider:
-1. Defining the `look_ahead` or `look_back_time` for each data stream. Example:
-```yaml
-elasticsearch:
- index_mode: "time_series"
- index_template:
- settings:
- index.look_ahead_time: "10h"
-```
-> **Note**: Updating the package with this does not cause an automatic rollover on the data stream. You have to do that manually.
-2. Updating the `timestamp` of the document being rejected.
-3. Finding a fix to receive the document without a delay.
-
+**This content has moved. Please see the [Integrations Developer Guide](https://www.elastic.co/guide/en/integrations-developer/current/developer-tsds-guidelines.html) instead.**
\ No newline at end of file
diff --git a/docs/developer_workflow_bug_fix_older_package_version.md b/docs/developer_workflow_bug_fix_older_package_version.md
index ff5c1f0ee52..ccd0fcf2d2f 100644
--- a/docs/developer_workflow_bug_fix_older_package_version.md
+++ b/docs/developer_workflow_bug_fix_older_package_version.md
@@ -1,119 +1 @@ -# Developer workflow: release a bug fix for supporting older package version - -In some cases, when we drop the support for an older version of the stack and later on find -out needing to add a bug fix to the some old package version, we have to make some manual changes -to release the bug fix to users. For example: in this [PR](https://github.com/elastic/integrations/pull/3688) -(AWS package version 1.23.4), support for Kibana version 7.x was dropped -and bumped the AWS package version from 1.19.5 to 1.20.0. But we found -a bug in the EC2 dashboard that needs to be fixed with Kibana version 7.x. So instead of -adding a new AWS package version 1.23.5, we need to fix it between 1.19.5 and 1.20.0. - -Follow these detailed steps to release a fix for a given package version: - -1. **Find git commit (package version) that needs to be fixed** - - In the example above, the commit to be fixed is the one right before this - [PR](https://github.com/elastic/integrations/pull/3688) updating package `aws`: - - Using the web: - - Look for the merge commit of the PR - - https://github.com/elastic/integrations/commit/aa63e1f6a61d2a017e1f88af2735db129cc68e0c - - It can be found as one of the last messages in the PR - ![merged commit](./images/merge_commit_message.png) - - And then show the previous commits for that changeset inside the package folder (e.g. `packages/aws`): - - https://github.com/elastic/integrations/commits/aa63e1f6a61d2a017e1f88af2735db129cc68e0c/packages/aws/ - ![commits from package](./images/browse_package_commits.png) - - Using the command line: - - ```bash - cd packages/ - git log --grep "#" . - git log -n 1 ^ . 
- - # following the example - $ cd packages/aws - $ git log --grep "#3688" - commit aa63e1f6a61d2a017e1f88af2735db129cc68e0c - Author: Joe Reuter - Date: Mon Aug 8 17:14:55 2022 +0200 - - Inline all aws dashboards (#3688) - - * inline all aws dashboards - - * format - - * apply the right format - - * inline again - - * format - $ git log -n 1 aa63e1f6a61d2a017e1f88af2735db129cc68e0c^ . - commit 8cb321075afb9b77ea965e1373a03a603d9c9796 - Author: Mario Castro - Date: Thu Aug 4 16:52:06 2022 +0200 - - Move lightweight manifest to integration for EBS data stream (#3856) - ``` - -2. Run the **integrations-backport** pipeline https://buildkite.com/elastic/integrations-backport for creating the backport branch. - - **Please, pay attention!**, if you just run the pipeline it'll wait for your inputs, nothing will happen without that. - - ![waiting input step](./images/backport_input_step.png) - - - Pipeline's inputs: - - * **DRY_RUN** (default: "true"), - If DRY_RUN is defined as "true" it will check: - - if the package is published, - - if the entered commit exists, - - if the backport branch exists. - Also, it will create the local branch, update the branch with `.buildkite` and `.ci` folders, and remove other packages except the defined one (if set as input). This local branch will not be pushed to the upstream repository in this mode. - - If DRY_RUN is defined as "false", in addition to written above it will create a commit and push the local branch to the upstream repository https://github.com/elastic/integrations.git. In this case, the name of the branch will be `backport-${PACKAGE_NAME}-${TRIMMED_PACKAGE_VERSION}`, for example, `backport-aws-1.19`. 
- * **BASE_COMMIT** (default: "") - enter the commit from the previous step (8cb321075afb9b77ea965e1373a03a603d9c9796) - * **PACKAGE_NAME** (default: "") - enter the package name, for example aws - * **PACKAGE_VERSION** (default: "") - enter the package version, for example: 1.19.7, 1.0.0-beta1 - * **REMOVE_OTHER_PACKAGES** (default: "false") - If **REMOVE_OTHER_PACKAGES** is defined as "true" all packages from the **packages** folder, except the defined package, will be removed from the created branch. - - -3. **Create a PR for the bug fix** - - Create a new branch in your own remote (it is advised **not using** a branch name starting with `backport-`), and apply bugfixes there. - Remember to update the version in the package manifest (update patch version like `1.19.`) and add a new changelog entry for this patch version. - - Once ready, open a PR selecting as a base branch the one created above: `backport--.` (e.g. `backport-aws-1.19`). - - Once this PR is merged, this new version of the package is going to be published automatically following the usual CI/CD jobs. - - If it is needed to release a new fix for that version, there is no need to create a new branch. Just create a new PR to merge a - new branch onto the same backport branch created previously. - -4. **Update changelog in main** - - Once PR has been merged in the corresponding backport branch (e.g. `backport-aws-1.9`) and the package has been published, - a new Pull Request should be created manually to update the changelog in the main branch to include the new version published in the backport branch. - Take into account to add the changelog entry following the version order. - - In order to keep track, this new PR should have a reference (relates) to the backport PR too in its description. - -5. **Known issues and their solutions:** - - 1. 
Missing shellinit command: - - Example of the error: https://buildkite.com/elastic/integrations/builds/7634#018c87f4-7b0c-4d6f-8ddd-b779a9a7a019/507-512 - - `Error: could not create kibana client: undefined environment variable: ELASTIC_PACKAGE_KIBANA_HOST. If you have started the Elastic stack using the elastic-package tool, please load stack environment variables using 'eval "$(elastic-package stack shellinit)"' or set their values manually` - - - **Solution**: add elastic-package stack shellinit command in `.buildkite/scripts/common.sh`. - - `eval "$(elastic-package stack shellinit)"` - - Example: https://github.com/elastic/integrations/blob/0226f93e0b1493d963a297e2072f79431f6cc443/.buildkite/scripts/common.sh#L828 - - 2. Not found license file: - - Example of the error: https://buildkite.com/elastic/integrations/builds/7644#018c883c-546f-4d32-ab4a-71e919ddebf8/270-309 - - `Error: checking package failed: building package failed: copying license text file: failure while looking for license "licenses/Elastic-2.0.txt" in repository: failed to find repository license: stat /opt/buildkite-agent/builds/bk-agent-prod-gcp-1703092724145948143/elastic/integrations/licenses/Elastic-2.0.txt: no such file or directory` - - **Solution**: Remove line defining `ELASTIC_PACKAGE_REPOSITORY_LICENSE` environment variable. - - Example: https://github.com/elastic/integrations/blob/0daff27f0e0195a483771a50d60ab28ca2830f75/.buildkite/pipeline.yml#L17 +**This content has moved. Please see the [Integrations Developer Guide](https://www.elastic.co/guide/en/integrations-developer/current/developer-workflow-support-old-package.html) instead.** \ No newline at end of file diff --git a/docs/developer_workflow_design_build_test_integration.md b/docs/developer_workflow_design_build_test_integration.md index 6db228c5b5d..26b74b61915 100644 --- a/docs/developer_workflow_design_build_test_integration.md +++ b/docs/developer_workflow_design_build_test_integration.md 
@@ -1,190 +1 @@ -# Developer workflow: build and test the integration - -## Prerequisites - -* `elastic-package` (builder tool) installed - follow the [Getting Started Guide](https://github.com/elastic/elastic-package#getting-started) guide to install the tool. -* If you don't understand the `elastic-package` command or would like to learn more about it, try the `help` switch, e.g. `elastic-package stack up --help`. - -## Steps - -I assume that you've selected a product or service from which you'd like to collect logs and metrics. If this is your -first interaction with Integrations or packages, I suggest to review existing Integrations in the Fleet UI and focus on -available UI controls, labels, icons, screenshots. The goal is to meet current standards and practices and apply them -to your new integration. - -Let's bring up the Elastic stack: - -```bash -elastic-package stack up -v -d -``` - -Navigate to the [Integrations](http://localhost:5601/app/fleet#/integration) page, try to add an integration to the default -policy and review the forms. Good example integrations to look at are "Nginx", "Apache", and "Nats". After you have -familiarized yourself with some existing integrations you are ready to create your own. - -### Bootstrap New Integration Package - -The `elastic-package create` command is used to bootstrap new integrations and -new data streams. Let's create a new integration package: - -```bash -cd packages -elastic-package create package -Create a new package -? Package name: demo_example -? Version: 0.0.1 -? Package title: Demo -? Description: This is a demo! -? Categories: security -? Release: experimental -? Kibana version constraint: ^7.15.1 -? Github owner: elastic/integrations -New package has been created: demo_example -Done -``` - -Respond to the prompts, and then it creates your package in `package/`. You can change any of the answers later by modifying the generated -`manifest.yml`. 
- -The generated integration package does not have any data streams yet so it -cannot collect any logs/metrics. Let's add a data stream to the package for -collecting logs. - -```bash -cd demo_example -elastic-package create data-stream -Create a new data stream -? Data stream name: log -? Data stream title: Example Logs -? Type: logs -New data stream has been created: log -Done -``` - -Respond to the prompts and your new data stream will be created in -`packages//`. Now you can customize the data -stream with the appropriate Elastic Agent config, Elasticsearch Ingest Node -pipelines, and field definitions for the Elasticsearch index templates. - -### Build - -Now, it's the moment to build the package: - -```bash -elastic-package build -``` - -... and recycle the package-registry Docker container (run from inside of the integration directory): - -```bash -elastic-package stack up -v -d --services package-registry -``` - -Once the container is recycled, you can refresh the Fleet UI and Kibana will pick up updated packages. - -### Lint - -You can verify if the package is aligned with the package-spec using: - -```bash -elastic-package lint -``` - -The command will show potential problems with linting and give you a suggestion on how to fix it. - -### Format - -You can format the package contents (JSON, YML files) with: - -```bash -elastic-package format -``` - -### Export resources - -If you're working on Kibana dashboards and would like to export them to local directories, run the following command -(run from inside of the integration directory): - -```bash -elastic-package export -``` - -... and follow TUI steps (dashboard selection). - -### Test - -The `elastic-package` tool supports multiple types of tests - pipeline, system, assets. Follow up on the specific topic -using the tool's [documentation](https://github.com/elastic/elastic-package/tree/master/docs/howto). 
- -### Open a PR - -Prior to opening a PR, you must sign the [elastic contributor agreement](https://www.elastic.co/contributor-agreement) if you haven't already. - -If you think that you've finished work on your integration, you've verified that it collects data, and you've written some tests, -you can [open a PR](https://github.com/elastic/integrations/compare) to include your integration in the [Integrations](https://github.com/elastic/integrations) repository. -The CI will verify if your integration is correct (`elastic-package check`) - a green status is a must. - -Feel free to merge the PR once you receive an approval from the Integrations team. - -### Remember to bump up the version - -When the PR is merged, the CI will kick off a [build job](../.ci/Jenkinsfile) for the main branch. This job will build and publish the integration -the package storage only if the package version doesn't already exist in the storage (hasn't been released yet). -These integrations will be available at `epr.elastic.co`. - -This storage is based completely on [semantic versioning](https://semver.org) to release the packages as snapshots, technical previews or stable versions. -More info about the versioning [here](https://github.com/elastic/elastic-package/blob/main/docs/howto/use_package_storage_v2.md#prerelease-and-stable-version). - -When you are ready for your changes in the integration to be released, remember to bump up the package version (changelog and manifest). - -It is up to you, as the package developer, to decide how many changes you want to release in a single version. -For example, you could implement a change in a PR and bump up the package version in the same PR. Or you could -implement several changes across multiple PRs and then bump up the package version in the last of these PRs -or in a separate follow up PR. For example, you can apply the following procedure for a package whose latest published version is `2.5.0`: - -1. 
Add a new version entry in the changelog with the prerelease tag `next`: - - Keep same version in package manifest: `2.5.0` - - Update changelog with a new entry with the prerelease tag (e.g. `2.6.0-next`): - ```yaml - - version: "2.6.0-next" - changes: - - description: First PR - type: enhancement - link: https://github.com/elastic/integrations/pull/1 - - version: "2.5.0" - ``` -2. Add the required Pull Requests under this new changelog entry: - - Keep same version in package manifest: `2.5.0` - - Changelog: - ```yaml - - version: "2.6.0-next" - changes: - - description: First PR - type: enhancement - link: https://github.com/elastic/integrations/pull/1 - - description: Second PR - type: enhancement - link: https://github.com/elastic/integrations/pull/2 - - description: Third PR - type: enhancement - link: https://github.com/elastic/integrations/pull/3 - - version: "2.5.0" - ``` -3. Once everything is merged, another PR is required to bump up the manifest version and replace the changelog entry to be `2.6.0`: - - Update version in package manifest: `2.6.0` - - Update changelog entry to `2.6.0`: - ```yaml - - version: "2.6.0" - changes: - - description: First PR - type: enhancement - link: https://github.com/elastic/integrations/pull/1 - - description: Second PR - type: enhancement - link: https://github.com/elastic/integrations/pull/2 - - description: Third PR - type: enhancement - link: https://github.com/elastic/integrations/pull/3 - - version: "2.5.0" - ``` +**This content has moved. Please see the [Integrations Developer Guide](https://www.elastic.co/guide/en/integrations-developer/current/build-a-new-integration.html) instead.** \ No newline at end of file diff --git a/docs/developer_workflow_fleet_ui.md b/docs/developer_workflow_fleet_ui.md index 23ed34a8e0d..012a0d6f10b 100644 --- a/docs/developer_workflow_fleet_ui.md +++ b/docs/developer_workflow_fleet_ui.md 
@@ -1,87 +1 @@ -# Development process for Fleet UI - -## Development workflow - -See the Kibana docs for [how to set up your dev environment](https://github.com/elastic/kibana/blob/main/CONTRIBUTING.md#setting-up-your-development-environment), [run Elasticsearch](https://github.com/elastic/kibana/blob/main/CONTRIBUTING.md#running-elasticsearch), and [start Kibana](https://github.com/elastic/kibana/blob/main/CONTRIBUTING.md#running-kibana) - -One common development workflow is: - -- Clone Kibana repo - ``` - git clone https://github.com/[YOUR_USERNAME]/kibana.git kibana - cd kibana - ``` -- Install Dependencies - ``` - nvm use - npm install -g yarn - ``` - -- Bootstrap Kibana - ``` - yarn kbn bootstrap - ``` -- Start Elasticsearch in one shell - ``` - yarn es snapshot -E xpack.security.authc.api_key.enabled=true - ``` -- Start Kibana in another shell - ``` - yarn start --xpack.fleet.enabled=true --no-base-path - ``` -- Download fleet-server package from https://www.elastic.co/downloads/past-releases/#elastic-agent -- Untar fleet server tarball and `cd` to the directory -- Install fleet-server (See also the alternative solution) - ``` - sudo ./elastic-agent install -f \ - --fleet-server-es=http://elastic:changeme@localhost:9200 \ - --fleet-server-policy= - ``` - The `default policy id` can be retrieved by fleet ui instructions in Kibana before any fleet server is installed. - Fleet Server will start in `https://users_machine_ip:8220` -- Update Fleet settings on the top right corner of Fleet UI to set the correct Fleet Server hosts (ip from previous step). -- After that user can enrol as many agents as they want -- Any code update in Kibana fleet plugin should be picked up automatically and either cause the server to restart, or be served to the browser on the next page refresh. - -### Alternative solution for fleet server -Instead of download fleet server package and running it as a local process you can run Fleet Server Locally in a Container. 
- -It can be useful to run Fleet Server in a container on your local machine in order to free up your actual "bare metal" machine to run Elastic Agent for testing purposes. Otherwise, you'll only be able to a single instance of Elastic Agent dedicated to Fleet Server on your local machine, and this can make testing integrations and policies difficult. - -_The following is adapted from the Fleet Server [README](https://github.com/elastic/fleet-server#running-elastic-agent-with-fleet-server-in-container)_ - -1. Add the following configuration to your `config/kibana.yml` - -```yml -server.host: 0.0.0.0 -``` - -2. Append the following option to the command you use to start Elasticsearch - -``` --E http.host=0.0.0.0 -``` - -This command should look something like this: - -``` -yarn es snapshot --license trial -E xpack.security.authc.api_key.enabled=true -E path.data=/tmp/es-data -E http.host=0.0.0.0 -``` - -3. Run the Fleet Server Docker container. Make sure you include a `BASE-PATH` value if your local Kibana instance is using one. `YOUR-IP` should correspond to the IP address used by your Docker network to represent the host. For Windows and Mac machines, this should be `192.168.65.2`. If you're not sure what this IP should be, run the following to look it up: - -``` -docker run -it --rm alpine nslookup host.docker.internal -``` - -To run the Fleet Server Docker container: - -``` -docker run -e KIBANA_HOST=http://{YOUR-IP}:5601/{BASE-PATH} -e KIBANA_USERNAME=elastic -e KIBANA_PASSWORD=changeme -e ELASTICSEARCH_HOST=http://{YOUR-IP}:9200 -e ELASTICSEARCH_USERNAME=elastic -e ELASTICSEARCH_PASSWORD=changeme -e KIBANA_FLEET_SETUP=1 -e FLEET_SERVER_ENABLE=1 -e FLEET_SERVER_INSECURE_HTTP=1 -p 8220:8220 docker.elastic.co/beats/elastic-agent:{VERSION} -``` - -Ensure you provide the `-p 8220:8220` port mapping to map the Fleet Server container's port `8220` to your local machine's port `8220` in order for Fleet to communicate with Fleet Server. 
- -For the latest version, use `8.0.0-SNAPSHOT`. Otherwise, you can explore the available versions at https://www.docker.elastic.co/r/beats/elastic-agent. - -Once the Fleet Server container is running, you should be able to treat it as if it were a local process running on `http://localhost:8220` when configuring Fleet via the UI. You can then run `elastic-agent` on your local machine directly for testing purposes. +**This content has moved. Please see the [Integrations Developer Guide](https://www.elastic.co/guide/en/integrations-developer/current/developer-workflow-fleet-UI.html) instead.** \ No newline at end of file diff --git a/docs/documentation_guidelines.md b/docs/documentation_guidelines.md index 8c50d6e2c4e..b09b7cdb537 100644 --- a/docs/documentation_guidelines.md +++ b/docs/documentation_guidelines.md 
@@ -1,266 +1 @@ -# Documentation guidelines - -The goal of each integration doc is to: - -* Help the reader see the benefits the integration offers and how Elastic can help with their use case. -* Inform the reader of any requirements including system compatibility, supported versions of third-party products, permissions needed, and more. -* Provide a comprehensive list of collected fields and the data and metric types for each. The reader can reference this information while evaluating the integration, interpreting collected data, or troubleshooting issues. -* Set the reader up for a successful installation and setup by connecting them with any other resources they'll need. - -Each integration doc should contain several sections, and you should use consistent headings -to make it easier for a single user to evaluate and use multiple integrations. -Sections include: - -* [Overview](#overview) -* [Data streams](#data-streams) -* [Requirements](#requirements) -* [Setup](#setup) -* (Optional) [Troubleshooting](#troubleshooting) -* [Reference](#reference) - -Some considerations when these documentation files are written at `_dev/build/docs/*.md`: -- These files follow the Markdown syntax and leverage the use of templates ([documentation templates info](https://github.com/elastic/elastic-package/blob/main/docs/howto/add_package_readme.md) -- There are some available functions or placeholders (`fields`, `event`, `url`) that can be used to help writing these docs: - - More info at [placeholders section](https://github.com/elastic/elastic-package/blob/main/docs/howto/add_package_readme.md#placeholders) -- Regarding `url` placeholder, this placeholder should be used to add links to Elastic documentation guides (https://www.elastic.co/guide/*) in your documentation: - - File containing all the links defined is in the root of the directory: [`links_table.yml`](../links_table.yml) - - If needed, more links to Elastic documentation guides can be added into that file. 
- - Example of usage: - - In documentation files (`_dev/build/docs/*.md`): - ``` - {{ url "getting-started-observability" "Elastic guide" }} - ``` - - It generates the following link - ``` - [Elastic guide](https://www.elastic.co/guide/en/welcome-to-elastic/current/getting-started-observability.html) - ``` - -## Overview - -The overview section explains what the integration is, defines the third-party product that is providing data, -establishes its relationship to the larger ecosystem of Elastic products, and helps the reader understand -how it can be used to solve a tangible problem. - -The overview should answer the following questions: - -* What is the integration? -* What is the third-party product that is providing data? -* What can you do with it? - * General description - * Basic example - -**Template** - -Use this template language as a starting point, replacing `` with details about the integration: - -```md -The integration allows you to monitor . is . - -Use the integration to . Then visualize that data in Kibana, create alerts to notify you if something goes wrong, and reference when troubleshooting an issue. - -For example, if you wanted to you could . Then you can by . -``` - -**Example** - ->The AWS CloudFront integration allows you to monitor your [AWS CloudFront](https://aws.amazon.com/cloudfront/) usage. ->AWS CloudFront is a content delivery network (CDN) service. -> ->Use the AWS CloudFront integration to collect and parse logs related to content delivery. -Then visualize that data in Kibana, create alerts to notify you if something goes wrong, -and reference logs when troubleshooting an issue. -> ->For example, you could use the data from this integration to know when there are more than some number of failed requests for a single piece of content in a given time period. 
You could also use the data to troubleshoot the underlying issue by looking at additional context in the logs like the number of unique users (by IP address) who experienced the issue, the source of the request, and more. - -## Data streams - -The data streams section provides a high-level overview of the kind of data that is collected by the integration. -This is helpful since it can be difficult to quickly derive an understanding from just the reference sections (since they're so long). - -The data streams section should include: - -* A list of the types of data streams collected by the integration -* A summary of each type of data stream included and a link to the relevant reference section: - * Logs - * Metrics -* (Optional) Notes - -**Template** - -Use this template language as a starting point, replacing `` with details about the integration: - -```md -## Data streams - -The integration collects two types of data streams: logs and metrics. - -**Logs** help you keep a record of events happening in . -Log data streams collected by the integration include and more. See more details in the [Metrics](#metrics-reference). - - - - -``` - -**Example** - ->The System integration collects two types of data: logs and metrics. -> ->**Logs** help you keep a record of events that happen on your machine. ->Log data streams collected by the System integration include application, system, and security events on ->machines running Windows or auth and syslog events on machines running macOS or Linux. ->See more details in the [Logs reference](#logs-reference). -> ->**Metrics** give you insight into the state of the machine. ->Metric data streams collected by the System integration include CPU usage, load statistics, memory usage, ->information on network behavior, and more. ->See more details in the [Metrics reference](#metrics-reference). -> ->You can enable and disable individual data streams. 
If _all_ data streams are disabled and the System integration -is still enabled, Fleet uses the default data streams. - -## Requirements - -The requirements section helps the reader be confident up front that the integration will work with their systems. - -* Elastic prerequisites (for example, a self-managed or cloud deployment) -* System compatibility -* Supported versions of third-party products -* Permissions needed -* Anything else that could block a user from successfully using the integration - -**Template** - -Use this template language as a starting point, including any other requirements for the integration: - -```md -## Requirements - -You need Elasticsearch for storing and searching your data and Kibana for visualizing and managing it. -You can use our hosted Elasticsearch Service on Elastic Cloud, which is recommended, or self-manage the Elastic Stack on your own hardware. - - -``` - -**Example** - ->You need Elasticsearch for storing and searching your data and Kibana for visualizing and managing it. ->You can use our hosted Elasticsearch Service on Elastic Cloud, which is recommended, or self-manage the Elastic Stack on your own hardware. -> ->Each data stream collects different kinds of metric data, which may require dedicated permissions ->to be fetched and may vary across operating systems. ->Details on the permissions needed for each data stream are available in the [Metrics reference](#metrics-reference). - -See a much more detailed example in [`packages/aws/_dev/build/docs/README.md`](../packages/aws/_dev/build/docs/README.md#requirements). - -## Setup - -The setup section points the reader to the Getting started guide for generic step-by-step instructions. - -It should also include any additional setup instructions beyond what's included in the -[Getting started](https://www.elastic.co/guide/en/welcome-to-elastic/current/getting-started-observability.html) guide, -which may include updating the configuration of a third-party service. 
-For example, for the Cisco ASA integration, users need to configure their Cisco device following the -[steps found in the Cisco documentation](https://documentation.meraki.com/General_Administration/Monitoring_and_Reporting/Syslog_Server_Overview_and_Configuration#Configuring_a_Syslog_Server). - -Note: When possible, use links to point to third-party documentation for configuring non-Elastic products -since workflows may change without notice. - -**Template** - -Use this template language as a starting point, including any other setup instructions for the integration: - -```md -## Setup - - - -For step-by-step instructions on how to set up an integration, see the -{{ url "getting-started-observability" "Getting started" }} guide. - - -``` - -**Example** - ->Before sending logs to Elastic from your Cisco device, you must configure your device according to ->[Cisco's documentation on configuring a syslog server](https://documentation.meraki.com/General_Administration/Monitoring_and_Reporting/Syslog_Server_Overview_and_Configuration#Configuring_a_Syslog_Server). -> ->After you've configured your device, you can set up the Elastic integration. ->For step-by-step instructions on how to set up an integration, see the -{{ url "getting-started-observability" "Getting started" }} guide. - -## Troubleshooting - -The troubleshooting section is optional. -It should contain information about special cases and exceptions that isn't necessary for getting started or won't be applicable to all users. - -**Template** - -There is no standard format for the troubleshooting section. - -**Example** - ->Note that certain data streams may access `/proc` to gather process information, ->and the resulting `ptrace_may_access()` call by the kernel to check for ->permissions can be blocked by ->[AppArmor and other LSM software](https://gitlab.com/apparmor/apparmor/wikis/TechnicalDoc_Proc_and_ptrace), even though the System module doesn't use `ptrace` directly. 
-> ->In addition, when running inside a container the proc filesystem directory of the host ->should be set using `system.hostfs` setting to `/hostfs`. - -## Reference - -Readers might use the reference section while evaluating the integration, interpreting collected data, or troubleshooting issues. - -There can be any number of reference sections (for example, `## Metrics reference`, `## Logs reference`). -And each reference section can contain one or more subsections, one for each individual data stream (for example, `### Access Logs` and `### Error logs`). - -Each reference section should contain detailed information about: - -* A list of the log or metric types we support within the integration and a link to the relevant third-party docs. -* (Optional) An example event in JSON format. -* Exported fields for logs, metrics, and events with actual types (for example, `counters`, `gauges`, `histograms` vs. `longs` and `doubles`). Fields should be generated using the instructions in [Fine-tune the integration](./fine_tune_integration.md). -* ML Modules jobs. - -**Template** - -```md - -## reference - - -### - -The `` data stream provides events from of the following types: . 
- - - - - - -#### Exported fields - - -``` - -**Example** - ->## Logs reference -> ->### PAN-OS -> ->The `panos` data stream provides events from Palo Alto Networks device of the following types: [GlobalProtect](https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/globalprotect-log-fields), [HIP Match](https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/hip-match-log-fields), [Threat](https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/threat-log-fields), [Traffic](https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/traffic-log-fields) and [User-ID](https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/user-id-log-fields). -> ->#### Example -> ->An example event for `panos` looks as following: -> ->(code block) -> ->#### Exported fields -> ->(table of fields) +**This content has moved. Please see the [Integrations Developer Guide](https://www.elastic.co/guide/en/integrations-developer/current/documentation-guidelines.html) instead.** \ No newline at end of file diff --git a/docs/fine_tune_integration.md b/docs/fine_tune_integration.md index 8be0e58f33c..88e92fedd30 100644 --- a/docs/fine_tune_integration.md +++ b/docs/fine_tune_integration.md 
@@ -1,144 +1 @@ -# Fine-tune the integration - -## Motivation - -Most of migration work has been done by the `import-beats` script, but there're tasks that require developer's -interaction. - -It may happen that your integration misses a screenshot or an icon, it's a good moment to add missing resources to -Beats/Kibana repositories and re-import the integration (idempotent). - -## Checklist - -The order of action items on the checklist is advised to prevent the contributor from repeating some actions (fixing -what's been already fixed, as the script has overridden part of it). - -1. Add icon if missing. - - The integration icons are presented in different places in Kibana, hence it's better to define custom icons to make - the UI easier to navigate. - - As the `import-beats` script looks for icons in Kibana and EUI repositories, add an icon to the first one the same - way as for tutorial resources (Kibana directory: `src/legacy/core_plugins/kibana/public/home/tutorial_resources/logos/`). - -2. Add screenshot if missing. - - The Kibana Integration Manager shows screenshots related with the integration. Screenshots present Kibana - dashboards visualizing the metric/log data. - - The `import-beats` script finds references to screenshots mentioned in `_meta/docs.asciidoc` and copies image files - from the Beats directories: - * `metricbeat/docs/images` - * `filebeat/docs/images` - -3. Improve/correct spelling product names. - - The correct spelling of product names simply makes better impression. The `import-beats` scripts uses the `fields.yml` - file as the source of the correct spelling (`title` property), e.g. Mysql - MySQL, Nginx - NGINX, Aws - AWS. - - Keep in mind that this step requires reimporting package contents. - -4. Write README template file for the integration. - - The README template is used to render the final README file including exported fields. The template should be placed - in the `package//_dev/build/docs/README.md`. 
If the directory doesn't exist, please create it. - - Review the MySQL docs template to see how to use template functions (e.g. `{{fields "data-stream-name"}}`). - If the same data stream name is used in both metrics and logs, please add `-metrics` and `-logs` in the template. For example, `elb` is a data stream for log and also a data stream for metrics. In README.md template, `{{fields "elb_logs"}}` and `{{fields "elb_metrics"}}` are used to separate them. - -5. Review fields file and exported fields in docs. - - The goal of this action item is to verify if produced artifacts are correct. - - The fields files (package-fields.yml, fields.yml and ecs.yml) in the package were created from original fields.yml - files (that may contain ECS schema fields) and fields.epr.yml (defining some other fields used in the ingest - pipeline). It may happen that original sources have a typo, bad description or misses a field definition. - The sum of fields in all present files should contain only fields that are really used, e.g. not all existing ECS - fields. - - It may happen that the ingest pipeline uses fields abstracted from ECS, but not mentioned in `fields.yml`. - Integrations should contain these fields and also have them documented. - - The fields for an integration package are divided into the following three files: - - - ecs.yml: ECS compliant fields that are used by this particular data stream. - - package-fields.yml: Package level fields that are used by this particular data stream, which does not exist under `.`. - - fields.yml: Dataset level fields that are specific to this particular data stream, and non ECS compliant. - - - See the PR https://github.com/elastic/beats/pull/17895 to understand how to add them to Beats (e.g. `event.code`, - `event.provider`) using the `fields.epr.yml` file. - -6. Metricbeat: add missing configuration options. - - The `import-beats` script extracts configuration options from Metricbeat module's `_meta` directory. 
It analyzes - the configuration files and selects options based on enabled metricsets (not commented). If you notice that some - configuration options are missing in your package's manifest files, simply create the `config.epr.yml` file with all - required options. - - Sample PR: https://github.com/elastic/beats/pull/17323 - -7. Review _titles_ and _descriptions_ in manifest files. - - Titles and descriptions are fields visualized in the Kibana UI. Most users will use them to see how to configure - the integration with their installation of a product or to how to use advanced configuration options. - -8. Compact configuration options (vars). - - Currently, all configuration options are set by the `import-beats` script on the stream level - (path: `data stream//manifest.yml`). - - It may happen that some of them in different data streams are simply duplicates or concern the same setting, which - will be always equal (e.g. MySQL username, password). Keep in mind that two data streams may have the same configuration - option, but different values (e.g. `period`, `paths`), hence can't be compacted. - - To sum up, compacting takes down from the user the necessity to setup the same configuration option few times (one - per data stream). - -9. Define all variable properties. - - The variable properties customize visualization of configuration options in the Kibana UI. Make sure they're - defined in all manifest files. - -```yaml - vars: - - name: paths - required: true - show_user: true - title: Access log paths - description: Paths to the nginx access log file. 
- type: text - multi: true - default: - - /var/log/nginx/access.log* -``` - -**required** - option is required - -**show_user** - don't hide the configuration option (collapsed menu) - -**title** - human readable variable name - -**description** - variable description (may contain some details) - -**type** - field type (according to the reference: text, password, bool, integer) - -**multi** - the field has mutliple values. - -10. Review stream configuration. - - Due to changed templating engine from a standard Golang one to [handlebars](https://handlebarsjs.com/), it may be - hard to automatically convert the Filebeat input configuration (nested variables, many representations, conditions, - loops). Please review the output stream configuration and identify potential bugs. - -11. Update docs template with sample events. - - The events collected by the agent slightly differ from the original, Metricbeat and Filebeat, ones. Adjust the event - content manually basing on already migrated integrations (e.g. [MySQL integration](https://github.com/elastic/integrations/blob/main/packages/mysql/_dev/build/docs/README.md)) - or copy them once managed to run whole setup with real agent. - -12. Kibana: use `stream.data stream` field instead of `event.data stream`. - - Using `stream.data stream` instead of `event.data stream` also makes queries a lot more efficient as this is a - `constant_keyword`. Make sure that dashboards in your package don't use the `event.data stream` field. If so, - simply replace them with the more efficient one. +**This content has moved. Please see the [Integrations Developer Guide](https://www.elastic.co/guide/en/integrations-developer/current/tips-for-building.html) instead.** \ No newline at end of file diff --git a/docs/generic_guidelines.md b/docs/generic_guidelines.md index ae2119a56ea..0a47085e030 100644 --- a/docs/generic_guidelines.md +++ b/docs/generic_guidelines.md 
@@ -1,181 +1 @@ -# Integrations Development Guidelines - -_DISCLAIMER_: The following guidelines capture general aspects of the integrations that can be improved and should not be treated as a mandatory list of requirements every package should adhere to. Some guidelines that are applicable to one integration can be completely irrelevant to another. Treat them as best effort. - -While the guidelines focus on metrics, they are equally applicable to logs. - -#### Data types - -Given that all packages are basic, developers should use Basic types (e.g. `histogram`. `wildcard`, etc.) when applicable. Of course, for ECS (see below) we should use the type specified by ECS. - -#### ECS compliance - -An integration package should be compliant with the most recent version of ECS. This implies an increased amount of relevant ECS fields populated by an integration. - -Starting with ECS 1.6, ECS is going to start using Basic types for some fields. Integration fields should be upgraded to the new types as part of the process. - -#### Document all fields - -All fields produced by an integration must be mapped by `fields.yml`. This guarantees that their index mapping is correct, and Kibana has enough info to deal with all fields. - -##### Field limits - -By default, data streams will have a `total_fields.limit` setting of 1000. Besides defined custom fields, this also includes dynamically generated ECS fields. If your data stream is expected to eventually house more than 1000 fields, set an explicit limit in the `manifest.yml` of the data stream: -```yaml -elasticsearch: - index_template: - settings: - index: - mapping: - total_fields: - limit: 5000 -``` - -Note: For backwards compatibility, the limit is automatically bumped to 10000 fields if there are more than 500 fields explicitly defined for a data stream, however newly created integrations should not rely on this behavior but instead assume a fixed limit of 1000 fields. 
- -##### Specify metric types and units - -As part of the field definition, there are two settings that add metadata which will help Kibana graphing it: - -- `unit` applies to all data types, defines the units of the field. Some - examples of units are `byte` or `ms`. When using `percent` for percentages, - the convention is to use 1 for 100%. You can find the full list of supported - units in the [package spec](https://github.com/elastic/package-spec/blob/ff8286d0c40ad76bb082e9c8ea78f4551c2519c1/spec/integration/data_stream/fields/fields.spec.yml#L103). -- `metric_type` applies to metric events only, to be added to metric fields, - it defines their metric type. It can be of type `gauge` or `counter`. Counters - are used for metrics that always increase over time, as number of visits. - Gauges are used for amounts that can increase or decrease over time, as the - memory used. - -Elasticsearch docs details the [expected values for these two fields](https://www.elastic.co/guide/en/elasticsearch/reference/master/mapping-field-meta.html). - -Other applications, like Kibana, can use the information provided by this -metadata when accessing these fields. The `unit` is used when formatting the -values of the field, and the `metric_type` can be used to provide better defaults -when quering the data. - -##### Specify dimensions - -A set of fields of a data stream can be defined as dimensions. A set of dimensions -with the same values identify a single time serie. - -It is important to choose wisely the set of fields, they should be the minimal set -of dimensions required to properly identify any time serie included in the data stream. -Too few dimensions can mix data of multiple time series into a single one, too many can -impact performance. - -A field can be configured as a dimension by setting `dimension: true` on its -definition. - -Only fields of certain data types can be defined as dimensions. These data types -include keywords, IPs and numeric types. 
- -Some guidelines to take into account when chosing dimensions: -- They can affect ingestion performance, it is recommended to have as few dimensions as - possible. When selecting dimensions, try to avoid redundant ones, as unique - identifiers and names that refer to the same object. -- Be also careful with having too few dimensions. There can be only one document - with the same timestamp for a given set of dimensions. This can lead to data - loss if different objects produce the same dimensions. -- Changing dimensions can be a breaking change. A different set of dimensions - produces a different time serie, even if they select the same data. - -Declaring dimensions is a requisite to use TSDB indexes. These indexes are -optimized for time series use cases, bringing disk storage savings and additional -queries and aggregations. - -TSDB indexes can be enabled in data streams by setting `elasticsearch.index_mode: time_series` -in their manifests. - -#### Logs and Metrics UI compatibility - -When applicable an integrataion package should provide the relevant fields for the Logs and Metrics Apps. This is especially relevant for integrations that are focused on compute-resources (VMs, containers, etc.). - -- Keep the [Logs UI fields reference](https://www.elastic.co/guide/en/logs/guide/current/logs-fields-reference.html) up to date. -- Keep the [Metrics UI fields reference](https://www.elastic.co/guide/en/metrics/guide/current/metrics-fields-reference.html) up to date. - -#### Subtracting metrics - -An integration package should collect a reasonable amount of metrics for any target system. In some cases it may mean removing some metrics that Filebeat and Metricbeat are collecting today. Collecting too many metrics has implications on metric storage as well as relevance of the data provided to the user. - -Potential candidates to remove: -- low-level garbage collector metrics -- internal metrics showing code flow (e.g. 
`Got100Continue`, `Wait100Continue`) -- redundant metrics (e.g. metric collection for MQ topics doesn't require to collect summary metrics) - -#### Relevant metrics - -Probably the most important and in fact the hardest one of them all as it requires knowledge of every target system. Identifying relevant metrics should be considered case by case. - -There are no well defined guidelines for this exercise, as it can be as simple as finding everything in one place (like the [RabbitMQ’s documentation](https://www.rabbitmq.com/monitoring.html)) or as hard as going through multiple sources like docs, blog posts, competitors’ integrations and consolidating the discovered information in one place for revision. A good indicator is to only collect the metrics that are needed for dashboards/visualizations in general. - -#### Keep the original message field - -Log integrations should keep the original message field (recommended name: `event.original`) so it shows up in the Logs UI. It will also be useful when users want to reindex the data after changing a pipeline. In addition, the message field can be used as source for the some future Runtime fields. - -The original field should be user-configurable with the Kibana UI for better cost and storage management, and also consistency with other integrations. - -#### Document storage efficiency - -Every integration should strive to store collected data as efficiently as possible, which implies optimizing the way each integration generates documents. - - - -#### Default datasets - -When applicable an integration package should provide a default dataset that aggregates a subset of most relevant metrics across other data streams. Think of them as the metrics that are visualized on overview dashboards or use for alerting. A rule of thumb for creating a separate default dataset could be when the number of datasets in a package is more than 3. 
- -#### Updated versions - -An integration package should support the most relevant versions of a target system. Some of our integrations support older versions of a target service/system, which were relevant at the time of implementation. Over time they get outdated and require a revision, which can be as simple as testing the integration against the latest version and updating the compatibility section in the docs, or it can mean refactoring the code to work with the latest version. -_For example, the Ceph module has recently been updated to support the latest version which had an entirely different way of collecting metrics. In order to accommodate both older and new versions in the module, there were created metricsets in the module specifically for newer versions and noted in the docs which metricsets to use._ - -#### Updated configuration defaults - -An integration package should provide meaningful defaults, such as collection intervals (periods), enabled metricsets and any other integration specific configuration parameters. -In the majority of cases users stick to defaults, because they don’t really know what they need and they trust us to make the call. Hence providing the relevant default values is crucial for the integration to be useful. In addition integrations should strive to provide one-click experience by providing the defaults that can cover 80% of use cases. - -#### Updated docs - -Integration packages should provide consistent and comprehensive documentation. -For more details, see the [Documentation guidelines](./documentation_guidelines.md). - -#### Updated integration content - -Integration packages should provide out-of-the-box dashboards. -For more details, see the [Dashboard guidelines](./dashboard_guidelines.md). - -#### Content for elastic.co/integrations - -Each integration will be listed on the public website elastic.co/integrations and the package registry will serve as the source of truth. 
As a result, our docs and screenshots should be high quality to showcase the integration. Please ensure to use `svg` for the logo and `png` for all other images. Any additional branding material should be reviewed, e.g.: - -- logo format and quality -- permission to use logos and trademarks - -#### Curated user experiences - -It's advised to set integration policies in the Fleet. Every integration and agent should be visible in Fleet and users should be able to add the integration directly from the integration list. This will lead to better cohesion since it will provide a consistent experience across integrations, allow users to add several integrations at once, and avoid sending them back and forth between multiple apps. It will also allow users to discover new integrations in the list. - -Elastic products will also have the option to provide a curated UI for settings that are difficult to put in Fleet. It's up to the product to decide how much flexibility they want to provide in changing the configuration directly from Fleet. This will depend on the use case and if it makes sense. Some level of configuration is recommended though. - -#### Asset tagging and metadata - -When assets are installed through Fleet, some metadata will be added by default. - -For Elasticsearch assets like Index Templates and Ingest Pipelines, a `_meta` property will be added to the asset as follows - -```json -{ - "managed_by": "fleet", - "managed": true, - "package": { - "name": "" - } -} -``` - -For Kibana assets, [tags](https://www.elastic.co/guide/en/kibana/current/managing-tags.html) will be generated in addition to the `_meta` property: -- One tag with a `name` matching the package's `title` property -- The `Managed` tag, which Kibana uses to recognize "system" assets, or those that are installed by Kibana itself instead of generated by an end user +**This content has moved. 
Please see the [Integrations Developer Guide](https://www.elastic.co/guide/en/integrations-developer/current/integrations-guidelines.html) instead.**
\ No newline at end of file
diff --git a/docs/how_to_test_new_indexing_features.md b/docs/how_to_test_new_indexing_features.md
index c129f49bfa6..d75419d35a2 100644
--- a/docs/how_to_test_new_indexing_features.md
+++ b/docs/how_to_test_new_indexing_features.md
@@ -1,148 +1 @@ -Elasticsearch has been adding new indexing modes and features that allow optimization of storage size and query performance. - -We'd like to enable integration developers to start testing the ingest and query performance of enabling these features before we start making any changes in the integrations themselves or allowing end users to enable these from the Fleet UI. - -Today, each of these can already be enabled by leveraging the `*@custom` component templates that Fleet installs for each integration data stream, to varying degrees of ease of use (details below). We could improve the UX around this for integration developers by adding an explicit API in Fleet to enable this, however it may not be necessary. See https://github.com/elastic/kibana/issues/132818 for discussion around how a feature flag API could be added to ease this a bit more. - -## How to do this today - -### Synthetic source - -- Background: https://github.com/elastic/elasticsearch/pull/85649 -- Integrations support: https://github.com/elastic/package-spec/issues/340 - -This one is quite easy to enable on an integration using the component template. Here's how to do this for the nginx substatus metrics for example: - -1. Install the nginx package -2. Run this dev tools command: -``` -PUT /_component_template/metrics-nginx.substatus@custom -{ - "template": { - "settings": {}, - "mappings": { - "_source": { - "mode": "synthetic" - } - } - }, - "_meta": { - "package": { - "name": "nginx" - } - } -} -``` -3. If a data stream already existed, rollover the data stream to get the new mappings: `POST metrics-nginx.substatus-default/_rollover` - -One challenge with leveraging synthetic source is that it doesn't support `keyword` fields that have a `ignore_above` configured. It may be worth removing this setting for testing on those fields. 
This can be done by editing the package in dev and installing it via `elastic-package` or overriding it via the custom component template, similar to the doc-value-only example below. - -### doc-value-only fields - -- Background: https://www.elastic.co/blog/whats-new-elasticsearch-kibana-cloud-8-1-0 -- Integrations support: https://github.com/elastic/integrations/issues/3419 - -This one is the most painful w/ component templates because it required adding `index: false` to every long and double field. Providing an API in Fleet would make this a bit easier. Here's how to do this manually: - -1. Install the nginx package -2. Get the mappings included with the package: `GET /_component_template/logs-nginx.access@package` -3. Copy the output into your favorite text editor, search for each `"type": "long"` and `"type": "double"` and add `"index": false` -5. Update the custom component template with the new mappings. For example, here's how to set the long fields to `index: false` -``` -PUT /_component_template/merics-nginx.substatus@custom -{ - "template": { - "settings": {}, - "mappings": { - "properties": { - "nginx": { - "properties": { - "stubstatus": { - "properties": { - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "current": { - "type": "long", - "index": false - }, - "waiting": { - "type": "long", - "index": false - }, - "accepts": { - "type": "long", - "index": false - }, - "handled": { - "type": "long", - "index": false - }, - "writing": { - "type": "long", - "index": false - }, - "dropped": { - "type": "long", - "index": false - }, - "active": { - "type": "long", - "index": false - }, - "reading": { - "type": "long", - "index": false - }, - "requests": { - "type": "long", - "index": false - } - } - } - } - } - } - } - }, - "_meta": { - "package": { - "name": "nginx" - } - } -} -``` -6. 
If a data stream already existed, rollover the data stream to get the new mappings: `POST metrics-nginx.substatus-default/_rollover` - -### Time-series indexing (TSDB) - not GA - -- Background: https://github.com/elastic/elasticsearch/issues/74660 -- Integrations support: https://github.com/elastic/package-spec/issues/311 - -Usage of TSDB indexing requires the following: -- Mapping parameters must be added for `time_series_dimension` and `time_series_metric` on appropriate fields. This is already supported by the package ecosystem and Fleet, so packages can already define these options. -- The `mode: time_series` and `routing_path` index settings must be added, this can be done by editing the custom component template. - -Note that the `routing_path` setting should correspond to fields with `time_series_dimension` specified. In the future, ES may automate this setting. - -1. Install the kubernetes package (already has TSDB mappings set up) -2. Run this dev tools command: -``` -PUT /_component_template/metrics-kubernetes.pod@custom -{ - "template": { - "settings": { - "index.mode": "time_series", - "index.routing_path": ["kubernetes.pod.uid"] - }, - "mappings": {} - }, - "_meta": { - "package": { - "name": "kubernetes" - } - } -} -``` -3. If a data stream already existed, rollover the data stream to get the new mappings: `POST metrics-kubernetes.pod-default/_rollover` +**This content has moved. Please see the [Integrations Developer Guide](https://www.elastic.co/guide/en/integrations-developer/current/testing-new-indexing-features.html) instead.** \ No newline at end of file 
diff --git a/docs/images/backport_input_step.png b/docs/images/backport_input_step.png deleted file mode 100644 index 0ff21d04163e447ef78dc5ccb966f4eab3e77933..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 32197 zcmce;c{rDA7&ZDsQHG+75v5WgVoO5)r+T~(- z-pcBni;bh}IL&i;{Ez_oA*J(H=B~Dm=QiouI#^L0Y`<<27u#fY&T5l{n8fZ);(KMq z#bm|A-kva|rcgFf4l5tj^|<%#qo={GFG~s&vy9cb^%9p?QC~{i6wY8%5@PhjFyu(w zPET2@I`%e+Mu`I1Zkb(0Z(Wq%^b{Y}GJds9#VM3^B^w8`8rAy{2Q%wCeS8Z;dl?zU zc0`;U?{ah7CfV%Oyms=wrG4_` zNn^!hYbI4TcJ_x^S&YYzAHSxa+*m5e|L>QVG8-G)tA+*|f9thsQudPjOO4mW9<4p_ z-^g1Z+|d;bJ}MAsEaEuhCS@Tf(UCj%*P(VlpONdT5kQJXWQ*GhUERk?jkos2$sOElyoCQPf^Q(|YF<7j$2?x|GC6N4XY%(>FCWU3+~xsw`rc(UbnB z_)@%_ArIh_}hR23d}Yzz3kD7W%LoxFc=@LoB?lMi*cT?}Hw%q`6?o#Vaj z^h7dPZH31k^?|lpo}m(j=|p_= z$&WIhEb>;3svj%(apt-2A~P>3X z=V?Fg4}-VdEoTzF-gn73=-g82tMGCD_4zezs(r>&y>gS?RvXi8mll5Ck#;b=Dav8f zJNV_?CR0U79l2iw7YRCs9C0Q0^bz!1!3LJa;=ainFUP0F6VY?=u8?R5_ z+3O-8EG!&%HkOKtYVPw*jh6C@vtFrp<$dPY?^~9+o%m-;Uq^pYOx3gfgaWUeN6XnU zZ=S9k(>hG*WzmW`YCgXO@!O)NS4T!{SUEVjeT*KTdKS_w|0nD9?P8xl7qH%`uW!%l z7g^NMzpSa*|FzNM?B2b5_niN{>bA(KE6GP}Tou>QvmKz*cbOWsiDYLN5R=?>@K5K^j$Jt~D=FMr z@;4$|KYsst$YkZ&U0e6KXL4%mtfmhaboy4WfyzPR~6S48hdsEh| zQq=ZhziLw2k@lTo?b^C4Y(h@oyNe9_nE2#*_FtTNiETAMva;n(etv#Sy3Y3a=5OD> zwpk=S4E9S%bTk|PmMyJM96kt~a>stkvue04a4JQ7cin|9V{2E}-PpUKGv7aO z@Afk>;XT(^;h@>#jMH%Jeq@WW+vl7|g@vs9+RUD??R0)E2zrGAxze7~?(Cm+oKdTr-Im?=E z+*o(EuVN!kQEov&VEB=b?^A4TZQqr7N-q6w_Ir3DQ%_Apqb`JrJ3%kg+|n}eeZd)q zw%fOFTfEP=(%iv1H$RrMd0kllmoLGuZ*FI3yQkpCi$mOEvpcuA_>hgwj&I+-F?Rph za_H(Nd3oLqk+dQrB6s#UKb-Kt9~&EX>e+?FvNGeeWkdXgpEryx35o4^yEtwmT~Njc;-I-5EFQFyN2q41O5}Ie7>}5 zo|OKanNv|!;yf7iwfO9NYJGkEprD}sPc`8s-oGU<{%g_E!M}c;ms?(#wCQ>rf3QK` zWr)$j(h{Gs+Q`TVldkvbhmfdf9l{&NPZg;eD01ql+2>c+tI9Y;O2ocs8c zt59Ak8gqvo<1x`sb?@FiG26FW-@SXc+kp4L;&hTcCJ0X`x$u2MR#uj)uc=SlxtZGD|FWW-IG8Ez&`t3uoBx^CZYSlt^!tqQQ`gm$mVB!tn6pm< z)uDSXeB;ERLdmqXwdss6(5>OA{QjZ%=Z|OOquxv7e#_h@CMJK^RBxy`XcJ$W77THcq@Li!21f~_gXxFdM?8}2D?_;P*$ 
zGp=^{aDX!Z!LG-r#J#3$28`eGh?rJHWE&NadRyb|JF|@jONZ~3QzQ zx682b!1B`KwDtIM$AZHpt>>p2gOh{z3MX3_sMTod>Q>cOt@wWLO`fC(NAqlMsIstP z1A9uzJ;N)~Yf_xv+)gk^40&sO<=tnwGWjXL7dxziwH-InQ@lUkOVHE*RBZ3wQs$}Y zC;y??G4#O$KK~3FUz}o2nR7f%_xCdh2?2CH8Q#tzRElS$QB(f+uc1fR3_t-Qj}v>(8kpRcWy4Cx@E{N%(79k#w%NEUdWK zi$O4&oZ15Ubp>n6JSP)0cT7~TRj7RbzO>V| zw6yfyQ#YZMqp|#Q?axX}NkV!N$t}ao#+EEuo}9c*eqllhN1K_?d*WdB;3g?4w$QbF zwI3XxGhMuR@t&OLI=mqV^|@&z#uvd191}}_#+3x4k*KK=n>Zy-ucDYC^p139b1Nz; zIt@2%1khR~<3%4#%`JVl5;1aMa4_)V><{zB`RO|{j=XOg8xdJ93F$xX|6be|5*)np z!uRgrJ9juExFl0v_}E=G5LUIb6C@kMX7`2#yvf|+Y#$4&u3NcLt{IiCARD`|K}#Bm zLID~5>ona44R!v89{DwS1`)SzvA(&tcm26@=g7e)PcC&Cmfo|f9;@LzHKJ8E*|aaW zsHo;^TWX%?q;=VB??vV?(;8Zb4WEigoLWIjh>1ga{Tyo zWtj3?vuo}3_3GOVoEGMs89BugPV%O0*|Oz&T-+7gwv-q3_4J3X^1Q&~#PG5h(b=RV51j`wa{FL3n0$&*|J{E-REDf>mwO21N>p9OIv)kQwPu<-1S?-ibt0#D9; zr03(~W8{)pfi>y!Wag8yV^xjd3@|D_w;6e@wYAmb_m`NvMWw$UsOa$Si;j+VqumqN z(5$e`n5-SP*JbE{VDu;KD-=?dbwEFAR0A9LUDzZeqd#8ytwY~5IHP;A$S}LsZ~2dD z;(ea|Uaa~#CTvY?B;H~$;x0o+Zg5Z3UA zWYJw{iJSPF$_6p)6LgTh*o6XoQ?v5m!Gi`xc5H$|nWL2mGx+Ii zv9a&_E9}@mAS->@^3tD)U%xJ; zrf$cZ*niwaQ*`(I8lFAO%Rp;lR`skaXlWn13^&bvi7^fO%9OpukpKEBKA$O;?k5fm zD0i|9@)YMD;|Pbd@4A$eBYH1BzBR{G;hwCU`dmdx3Fq>B*YlPq4n~FcU26)?G!pU+URhfApMumHYMMGZ}3i9VR=)whEt%Wb(vhWI_#uLsC;yos2Ve z1y7$oz3N~YVs4__SZ7sPv14CIQBhG#&h2N<_VH}o=sY=e%slRRyzJ_L6o9Qw3d??7 zX?4lF?DGs59UUEeko@z8eeUJ&RzCH`T<@f*Psn z!^ivkFY*fs9eMZTMIfCe$}vRn+`_`3f`S4~Ka6nm&DTM~H&W`)w~W5a+j3fh3sJ~x zYQ+4OrSXTTd!?m&mHD;ekNrk44|1{5iSX*_nO1s`l_gAKE#hA-!oSFhhgH?pfR6#b zi}Raz?`EYBRvhMiEUTfRp_Z&2{~cLYpsc(+Q7_Xi?rX}UN0ki?4C}&HeEs^>pxjGJ zere89*rbe8VR@loVv|96Y%dCtVBt1QHBFjeCNj9ii%To#o-hAVAPIIuJtVWn!y|@T68sTAxCNALB^PH!YNPnpZr{EgQ)3QTyvO~=yJ{W8_%}hu~!biY;EQ0wqptd%W`zOMx`Rg0oO3r_|()+uiGpM)B^SKq#hA>g(&x&YfGcZ{NOnpSSW^95}m3`*Txm8hK6wia-Vl2?>?` z=dr~CwbO&tlP{?!zfET_+z_ccSMl&6b$WXGw202ub>_fr1|?3LD;9noxwpqzaoiPI zU=>P4#P8|H90$tXHqM#)EaI^&Y;3_K-#okUeO*OVcz88RnTelue3m#qCBBPKQI=B^CK&|`R&`c6F>={5d2j=JUo&fXG=9mN=mLrEF*R3(PPJ2%P+d$x_z5| 
zIw`O20l$qY_G5;92v=X*n}dQ@?Ag0_^{nS`Q+)MhmM#4Q15}3&9g5(VS%Ym; z6lcOG@69PMFE12}A z-+lPN5RjaoFLCsN{KoxWQ)$I#XTQA|RdPFr9PpsD6G1lbl zmF~!q))DQ$O6>P?t6kC4b-w40tCh`CN>!30yL0B%wyyj3p?K|BXLdDWO}Ks6WAjRX zDw2v44hFiWd@Oe4tC;)5aQ4F!rhtHeJ+33nz@(Rw4n;l0kKR%6lm9h2>AbYy3CJ{% zUEEuR*qsOdVn?+4(Yw-2Iw?nA{26~9m8qX&F+cS+(pNI=dzNnBvCCm$t2-Z`3QtSh z;o;?FK`^GQo8Y?j>&+bPA4Iz(BzA z((H3iSy!9DKWlVXCV{tEli=)@o!ECCr%Ubl@mkzJySoR4 zhHeoSW(1@mMFO6573Dj>v^2Y2(FW1y3lfMLhMB*!q>aur#z`TbPT!7v%; zSSQo!)vLiI+>!T@?e(5K28MAZf*mRgFq<_<)-4$)gm$pff9omL89(;^(czo9n3qQ> zDF~rTX>>{Vbo0-+ zd%35_IB?iUH#s?3R)%vv-)9Z4+>YJuc7ot0z%0-LTL(9zjKCS$+EXHYGJgdKa*F@8 zYs^#QeS8Nxj@2VCI4>{xAg8_ha(=U#o}r;zWZF{5Q?F8XHnz>8qHB-b7G{yx5sa3V ziRoxwYmrydOZU7su0G;0?L;WiYMcxkVl)U^2kAeJ(E^ z^7ZsdYb*i@$M$8fjBkPmh1wHkDQ9lOH|Wv~}wWupWSHiU?XioBfv7 zBfuLJpW6tA#eRBl76j8^n}$No5z+D>Bw{jlg~h4$Cf+|)kmI?KU<{u7?gw2064G7H zV}kN$=DU)C0VnxTfZL7uHdE660wSlZAE=5uckWc8pm_cIHA{jBpEU)+2I1HR-=ZBX(Y4o)(U%u=w>M{vTO4@=1o_nU5cg2bo z?erDh@7|5b^$&gdvU&67gR8P`M@JtNX17GFE%Esy4Y<<+-f-&2M{Ynk5I6osMN%ju zDX6q*=+>Aa-FSS7)@Kyqh*l3qroc(6di!=AC^Z!`vrYaPUcMkq_Q=Ze@7VDw!G5yw zu8g=%%O>xs)$=n%Zpa!e)c0cQdaw_ZU=(cOz zCj~_CP&pxR5#A?8Gjpl{e#y6Zf*2~sJ$v@F|Jm0ecVUVpyyjZNmsgFAH8|A45#tDz z7IPB=V&dX2Fo4$Qetv|a#Cn5W-(q~~)X#xXKE-71zXux%WVmZeY9EHWfME45 z-zxkC&7F4PW-L8si7H;!?Gn(Ch)LOHFiO=(HON$v@=JxHU%2^W8k|Slca}|e8dde- z+*L8~C5*<|BQ!-sFq->tadD|Z8vtT*y;O@3Vv%RC{cb~3(;93c%z&7bRJQvE2?+@? 
zvr0;QGnSR`QWVAVEYVjRxVZ^E;`;UNN>rjO^38AFw7(bqo}Z~PsXwi|B5BPR-jx(a zcTQpN8Hf1|o0*HU7SC{g5!3C~hvduQxwXh(a`a6DP$mG&D5QTfQ%3EuYD-(Q2P7 z;o(04my!^vN4kqLdyCmnU2$}GSNy6MnwuMpVp+eQ289rb$v{*fVRQ5It3vsFFM~?7 z1P9IZc%QKF(RVorRfEsQD`+SrF#=4m$8pZh&5_(eqPKv?{Rm)Xv)(dK+VL$E65j&p z^g9|)7Fd%4VUN%J)RyP*(uLn9Cnv>0e|paigmQ{oCuKmQJsr~of zy?;Lt@7_yAA*CCtNyNEYq;xU!sudADd$nzb_MlXP1hxw34XhmvCRW&ZfyxYtq)2wq z_}PVB$M4I9fwdlyW9&L14boaoU0w0?>8)qao(+h0I4dF`ywP(xA%UMux zVk#_qo8qaU|`_pn1$=?E$#+ct!ei#lERio=H|1E@tEZfJdmP8WcZ*Af%qc6@T?gCoPAQ$C+_ zP5lG1(}y`MR1DnBmP%sXi?tqM{t54%0GkrKP2vTwPygoh;zJ$j7TP-LEv= zH|IPg^+@<`_26wQrRk^hOM=nrfGUCY4YjqZ+xruB1+`2}M2zb&*R+0qeu>M`qjk2( z2#J~_Wk3ClJ7S0mB-G!@Q&$Qy{`kq!29bi?+)C_(a4GxF{;FVx>553{_M3Y;^9u^7 z5}KA03W=Bjl5~rxsD|TYF5)Ns$zmKm_a8khKbSym2Y`mfy3yfHh&ZCQwF*yT07gZk zdUaX?k(Obt-gK$!*LB9m#w|tm`V{}0H`hZ53=ZcIeF%oG#A{j*aU}SF8sZlAucf9Z z$?ES5=nx}=knVe3u0C0F8^qIeb5#{JG9qX;z;yG1-B#L}9VJc!)DWore-75sq}7KQ z=b8mLWj#Udi*zr$Hs->G3yKriOI(;u$W68kJJ*{3=LHbsTuG^@s8E~~0W(Ap!nSSO z+-SeMoIgL&DASjK5*zzYQHKy)L^Vgmguo??_>${BZh|b7aHjb_q?k~Yn@%4$?7Q&I zGTPkMb|(@9GY1D9s*x3RbPSF80U7odO2WH#1y`nl-jkD)yLRth*7}Gmk&$e1hq~Bq zolASXecLv|zb!2-Q8My>iJFw{c*DoR5sHeFe%2gAglMr5Z1&F{m*&+Eq=wux4rl8n z`7JLg*18v;`$%|oMm~9CkG%J(8hn&WM4O5J7c^x*Yq_h+hrl=G`7U~adfI}*0qAC= z@43R(b*pe&-QJgc~e1>LqF#TE+v14~MmENGL2Ud_l22HT)1e zhr3V#du@;NC*^E`;BKGHy>_Rj7w3ikw9zFAYK8sOPfdE1&)QeG%rjnE9_IK~-?Aw? 
zn6k;clX?5Tovi9oO&<%2@T3);}`&aEC%dKx{ha23^G@DqTA% z9)~44CGV~>bI=p57dHV0c8+>90tsGzXMOr~KVY^p_)&-~sHrDZmmy>N9~EfZ8|LNd zDa9GFVek1zPSk=}qvB#2L=r}z^TaLhpU%{PiiGU_5>f<_5|XvkWilQg+xu8!n$A64 zSFq=3U-?B2d}L8KwZif3-W{S>*xA`}YIoakk6Ea_2dE-tL}zEG$KrGsli@j~KfK`I zdG~vbtk7c2wwFrHUNW+_vPyjP=#gF@&w-AWMTus*(|xMknn1pwnvR#dA&ZoE4om$J z0H4-&*nD~R`Eq1is>Ya{cQlq15{8wPm26|V-MLxh73Pf_Bax=N1PA9wOYwrSy=`sl zQRj|SYVluh_cGFc0FBQQG4jqncM&jFK@blUP5CLZU#zUHQ`%OSmzH`a<(v3tgswyU z027QrdaOho97i=04TuL+1^lk8JqG;O)znUO{hFFm_V$*;_8^rbUc#_0H!_lGVPOG# zJOaWlgqID4@;W*?goOsOLsbcMQN^SlBXWx1@~N?|wK$?B?&G|uG`Gv$qNGjM7Cd^i z0`dBq+E)B5$`f`81r)jipFano(&68;hZ7-RmdhHt7y0+YhYzAWfwB^WMPk_4Cf_8_ z#ShYfkT#B4qMRS!c{1%hk|6j_YjW0)C(7t{chhT#3sILYQ9nvf{<^!k(^|sI!=rz; z&+ib*Eqkl((GT14@`R!$5eV;t6Wu>FB+z~xvo&zW{&$Hm7>5-0vhOJAgdj_cCj^$1Ak(YE*WO4s;gf)-gg56@gC1# zkC+!kgoGqVW-rc7Z2r+(9==v#L37x}!DrWw9cj~MR<9hB90Z5He%*ObXw>dP@|V%k zEB^izZ){}}kibN-u(IkpGVj^HetM!DOm4=O>o5w>V|Q!<*yWX|)!ZrY8C1V!^buP6ndKZc9jPWeEt5HT)Eka0?i zlHP({zXlKUDiAB`3I{91btsBA7;4%4%y$H8*1)DBrugs;55Kd1L}u#OTXC#)VWIhl z24BQFr3le-b~C+t>NgeBs~?{CtI1o)5ZKz#?PskC`SAX<%Yn}|)N0$->87=NXeI^HiGl-V+^UCZ%S z(@NrG;Fc}6ZTB+A@5aV*y|fSq5F0(}h5|jyz0_@E84^1}jN@CaZ+5*?;mQvUcTO3G z+T85G7_S1{E51i=Jo2S;8zjUjkW7eos z|Ik#rXC6zKa@Eosz)e7v7XT?OC<#%QC#K)k^Evhaa%ni!uz_&Vib`ZiH<1#z=*SD) z8JWL7aC;4Odf`)kwjSam1q+dgAyBy8)^hQQa!Jh0$_fH^U-9S1J~&^hySnt}A|bYg z6Y;y|3L88aN-!qmIsyei?S+NO=Bi(eK7)pR@?2FN9Vg}@0gr>};_z?rn+8E-!Y?A` zJ?FH!I{&dJ)2;@n@p#pZB6XAo%#c{kE7BV8{O@ZJ8DJ+ePC zQ!a$l&qG5GQ9|9>ZF}P&SpUVeOp?P$z`)t@H?bNBC3kh^k@en zFlzJ1CgoQ&3#D=rQNsQ^cTCQ6DjZ`+OxHjqr$@87?Q-LN{T^2_JXW^F0Q zh{i%qLleB@`RmuO4L#OSFW?r6Z=K1=^lYRVeeO$L8A!L5nS~_)mH*i8;JhbK9=rKv zHL}Bu5rPdvxEG9Y^Uj@M)m8(I1s!KUe$3O;6Zly%aF_v6im1|6eK5%dJbU&`%%4V6 z>Q^Uu4X_3DqF3!^zSzB?Q-_%leDaIeuU7+5&q0+Z3s62>qL*#B`s21jhY##T4It(L zgx<67a;X4DrFTqLl#U1$kG|LFwj6@*ixdhVl@I`2A3K7~XX z6ul5d6enly$~abmN{ zy7|xuM$(V>&FgMwma1#awb@C5X*76H{}+s$2kiu3bX>H0C8DdC-g&?zr8a7NertUv zYpf@mratwreD7OAQm+JegeIrc20oJ>ce)2Z6hSiT>d^CYCQ4_966ck?8=I8c+S;a5 
zQj5V<>!}Yx#`y_xfFI!)JO~VYDc5T6T)VdEXcqz-644mX>5xb6PeHE9MMzQNuR1l< z*9R4T!NMFAiGdcc2OubYBu|z#tT%tgzId zxa&Y$nK0$9RNsrxL8zW5XWw6f3Z4K}o9XK4+m?z4vThlA>vt)QZO~kHO!rALF6Zrg z=C0v5b0ZNoW7mkRwu@he%n>>FA3P9<_iuJdn^)t2&A3YC2>01Y_}lP9K})PdP4VHd z2yEWERe5AZL1Mn``}}R^U0klm#B7%{BQ!Yj!jB(6qHdX=IddiyIDo_zFkaxek0r&J zry*+4__v5^yCEAP72Rk$)18tDNJ&hMjD~d}H|?!Foam z-)Xz{dQ6xleswqow%+5>&;ity9*{HLvU?K#99`k;1^QO)jzk6U_3EK-d z#pWsTM^O4{OO3ArUJtB1V`#Vm><1NU;enb$|u-Wa=e1%;k zp8_vzMwcEuc)gx};ta3_XM@Wg{*v`Kc>QRGzg$biS^1Y9yGJ-_W?Qd00zw4L=E8Qm@{ za-yXF&6$f1)^`E}m9q7ykg>riJGdsa!j3U6o}!(;3AB&DhOe)0Jl7joDR%7K*=j3& z`{qrW>uOt1Mdv4sg0hP{NQ#$YNU2goM>r?Z? zM~+DDP~+m`BebA5unA>J|2|O-iB<$jw!=#mljfk?a5=R@M>4LLr#RN2b4l_tMcDCq ziB`Z4ij#xwRSvHwilvHF(dtaehJkP7w&gRNNNcD3%2)64(!82a&m^dOqHq5z(NIOL zt1Jh14Gc`#(A`YD6d2eFQlSi9K7#BB;e$M50VfPx-UUrc$`>v?X%U&5`#A{JsH|6} z9=WO-ED^EK!Q)~EzytY~o~Xxw%tU3I`r4-WT;loS3^%c7#5Az*@GwHA@CFU0NOxYU zP3LYEu(oaak|->OmSt#xs6LGh_Ea#8U^s1mj* z92hPA(i^mA5N{Alp#1&yihEZ|%gEFr_G-bWFkW%y^yy9T01PWKahi1bKlMA3V3*bj z%&-}Da+oVYpsZTGy7fa>R3c;gmhKcg!?nC}%rnCn;$OvFfp}Ytjd=uxgq*RbiOmdE zu3~5#?5wq2rhbtC`EVp~5Z^}Wdueg;0K9u=*2zF3#DNlHx_u0X8iHyrlw_b!!srlj z9qvTa;SbDsr_*Q7Y(d(BalkSD-fr7~2)Pi?-(! zdACa~I=6K{koGHHOs-4)?)Vkq0jfxsr;Tp9?&ZkH8caH*brbu-_Bd~E?`tT1r>0!v z=}H0l2H~#->t4m61Pd)047dom1>xfZT=k6avVtQN-;nMSNUu8t1*;gFp#d@*wFsSTO(=TCbd006P_InE{xQG0FjjWbM`1HieFTyr`=bFI({PP5WS$r5MKtsi>j5?HoYu^0IU$b&qsi` z94)JNu-63gj+_u=BOEhadb{_$%{CUPgR?pj?*|x(xSD9Xz27fT`RKhpEU+xPS!+n^ zcI|T=@h>dg4Wi^gw%#Cih3sML8BJK8f!0642B~6b7)P}&>EgF`nMQ0{ ztY-j@ej>vPA5abbz@gJ z6#=vZsd2TmwW*;t>7*WC9s4tK|5CeMk&`!EH0FQo@AFAWN={#>ZiS1MN8a1O=5Yn! 
zxa&v@6%4S7$W+9r2uquYY= z38nw5=H@!gEg{XP;`I#;uV8IAyA;fOeyiayeM!gXz3Hqz^gjQLm{gFRq-~&@n;JoD@Nl!tEq{5++#>PNOxhq$^Z`{vOf z@@)=nf5Z6J%WIpyU}nh1@8f5}%@1C^rXHtot{AgI#9M3$6+Jz6!y>z2C^N(vBkNdC z(kbJ6d$2LEFMRcRCI=e}fyJ4YEl7>;+}@Uhfc$;9&uo3Lqx@d%$KC>upqA3_p=gu}`a^D#+^ zV1J^D+>$oo+El7C8L)S z#%mf#3Q|q?_R>IlkM}XC@ZJlx(I2*`L>PBb8qrFheWy7tP0)~*)pN9FAQscXI*}Q@ zQOcovH%Tny%%c>Se6WJaY$WOkGQ<$nqgs@}jH3qeE$EYVNUK$h?<6GD_YE&eqDQ_(VQ zSb=~6kAR8enOWpS;teJJ4~f;C^YugU`4HVNXrL{Wi96+{xK5i(^ZrnjR-1S1AT@O6 ziR}RyDUvA2?m!~ydszP4l=y?3{>(TK0}g^Z4vY#Q#{DU4mg_9=y>Eb57^M)ICD_D> z1dm{)n5ap#W%x+d17A=90YZv^)n%-w+9q%>3QX3xdQ{6~US5oLWP-pW$r0r$FI*Py zN}MgTV{`yD_IS^UK}8BAxEA&YFvoM#U8d&d<^c%_n>O#u#?*4|J--z(ln&<_ZfwYs zDvp!oSFX?-Klk0}e=bB`Q|g-9fddqQV{t*SbdqK&sGBNyqaZh&tE7Yk3aSDXIQ~&Y zwG=y=n(vrPktT3<=Sa}%^(`0`DDY39y@Oz=AZvjmr>v?fZFhR8&dR|dl9Zu)JSH|F zv{9j^!%MAx9|<22F$yAmhhQO<1a1;BTu}hN%{C`EiD8F7I&%4`m(D$i6-NK&=H zyG9Z|Uh(rpp4hvz4U0(F`eA&d-iV0lh823Wf{_ ze35kRpis2B{r);I4!`uGb0UPe;xO?zIQI?F z0fSQPD}+N9)XVvJuCIQo{Kq6KYQZiXPl`J$C4*$YV8Q0QxS#G%vqDfAPp(*uq6I(u z@jZfWC-}5(r)-E=Wfz9XXk)uYWqP>u%SFGoXWr}cR&Am7xn`;z()K#Ns6wOMk8hDi zc2l9_Y_}x04f@WYGb>EM(1Av~C1HZhz!Jz`xUx?ws9*U&byhdwXM()2NkpWn z|L!(^ey@C>T4=r}H@B$@+5(OdR5z4b>)fkPl93!_L=Z?&#k!?euUmxI{in2 z&Z%}gHo1Ge<&zHl59bLGBJE62m*a{C&lAteyv;tP;!D{Fj9fDXsi&quA0=kdzc63yzX$$*)P4Q`&5ZqTHH82FJEX|ZhaD*_ zEUkUl)sq#qv{+zU!TLOy8e(2_AX0jF_XdPmf8{D8bL{r*2OqWC?AGwwf(2SSj#e9Z z;mpj{q$)77BHZ`Z|@$QDu&P+j4-sloD18;?+Bw|q#etDUI5Z~&lRhk ze!5NW;r63~(fQA%$;g6U?D%JA;)6EO{-2xZmCfJJ{^y^P%*C$!x49xh{-6DVSH?7y zP=E+k({U)Yt)MaBfXsd!ldZXfG$mZS*7CW**BEFYAsZ; zkkTVZW`+LmHkp!%Mj;b>Gz2j!DN7U$8JIxTlQH58sDo9|hwKCcyTC~kDAj0c?AY31 zcO1@;%MlUEz)}yUQa~iP>RkEzE)f2bli`$IG8N=Jp{Yp$M?u;h?c}4?lV>MMV;L;> z=dK*HmqzgigC?M6aCCIX&0Zcd9CdMWjlmQvH*sD@@tzv)izJ?G;_xC?YtRd%Q48$` zx^or(cl{ka6!dPc#EYO~c2!$wXlRn@b6?W`iYgHayC1&{Gv`Q_jI8Viw4j2aVUZUS z6ja3IIioItPtl_Fp~}ScbTCRolB-bpeEk@TN^KC3tn2q1Sm=SzC>e3j%m0VQ47dF2 zu&4bc9RQ$Vwz7|JTqX@eC>)3>T~V_9-8%z@LJ??ur|;#<6Q~>SiN0c^D{fq>j4$k 
zKQxq%q%yc<2o*ej9vgO~Ig%{!!&HN_XN6(a99wuMj&hEfiz^I}^xi)AHRvRetXN*U z2s;^lUk*eV!Zm=lov7t@G#hPCM_rfWUJA@j`noCom|l#s?YA!+*l5xqR>PoXP;OWN z2K3vQ{p$_({r!aliIQ%xF6t0^pto3^+=Y4!?o6VOVlrB@jbx7A5u?gj?&|dkRdL>R zmg47b9>aghEIE@?MJvKWOfZe*rrA;9JTn@pE)#jnaEmAbJN_ZnnmC(>t@g)+W76JT z=C}K{alP<6ww1{R-|{CH2MS!=V;ppk^!81DtN!urO>C^B^|_{zl0$+61D`=i;Ze#-SF%BdPOiwOQ;Uf zTk#140Gt&pj31h@1&&VBPNoO3cnNx3HQWl={8GNTh>s)DHGhMaGT&RG1A^up1k05@+I(OcD-I8Z{C~tZlg~%j01*FXvWH=EN+cWivjRU=F zeD@Xnu73XfnLqmw^9oqkNHa9V@L-sV;6*12+xqRtL7_2F`q5Sntr9+3vT3wTL6MAk7K7TPn`83vlLPM_r%j`s*$gO`z30ECe#%4n zwFNZ*>4z{dGJ-D4@xW(>YiaVqGOJ+HqiLb*YNVqKU1Pc#x`$KGqSi$F%F$Sfl@OqC zPSF~+s_B7(XwyxgK@@I@n1M9?9A4Z?5s8q-)_vUN&#lO(q*VMK98jW7UB$o;Z0@;3h2J8VgygAMWluk*>WGP7&dsUe8>=UIG=Ol&py|Pqjg~~KhJ_cmwnJ-Cxw!fu}NsvrJ6C+{JS1$?_9TT9U2^H z&^}c5=f^XOKXhc$^iM89h}<9rlWyYrw|A1>uSuU$37kN9OTrZvw8N)B*b5xJ<4@{e zgmWS`I^&q3;Uex-l<&vYml7l!4fe-Ad~dDPMu;`!0R!FRhsX3qVz`B6Aar8Hb>Jvl z3(k=CDdGc3?T7Rr1M7s60di*TRqcvI)48} zcKn`u_tm;f?ta$^8~asX}L`5s0jG<3Z98ybW! zpyVgEKJX-HTnGSkkt1gbZVBm<+ zxEVwW6c9QJ=&%AF3v+pUqCoTlav`n-5Q)2|q_uxN-?8sEfpjroLd+xlkpqqQ3n?xx ze($gqNmhStHOaMI1_;`uaV6=&5hHX0v4cbev><(w)##agsi#GFKXhHT7TW3%>KIO^ z_0Oh%&&?&^ED?uyhe3xr}2f+iRYC_v3 z^~v5AA>dF`pJ_J0D05fe#zMgp8KhC~U4_p+yUwhzweoWmyk!lT%81*1JUqgk<6y#f z9bd-X6mFyLaHCr+V(oiAUnsQeAZArEZe+}X{(gV(J%hk&Bx7MAz^TI+=Fh&%kW8Bm z<_ifnr7g0pNB-o=ljKeS@SG|TTs5Ej`j87xuqqNKQ@wwlxW~c561_jHvabZk{>v!h zgH@+brZC~MF?dK{zVGj9|5$Ob5>D}!G_5V@KJCZ0nV6ic2DTdb{ykfgmvy<&%ctyd z7k@OL%istLi`GvkiVLX~7&z%;Z>euX%bB@@gM(}C&ri3HSw-zKUpjeZy|8W5+7Mh9 zl^p(Y3X$jXmCbO~L3cWY9l!!FFitS!Ob)M4o6MeGXy^^n55XNCF#F}6|DsOhMXWyYfS_B@x-l*o+q@b*))KLA%))o}wpVQ66k90x zT72QHJV!)Pkj0Um{14y$bN*kgILQ2uT9YH04d6hw0m2D+?6d;sezASa-G)8K*) z99+UN6Ov3Ohw*^PMmhFJ$6Vs$7*bXoG~1-2tV_-Kw|F{A#K2y^WgiGoFW{=X*NaO? 
zDE<&SW!--;;z1~B%&~6_aOVO#5Q2cX25|Urf$Ik1yB9+3K2Lt#EXcd zy9ycYCv8Vfjmnt{?6u3|QUTEyxa^7yjrINryl-KWtiJxM`nHy%ywXR@#+66A8{+8G z3LC7*eC+m@IP%6H&i~Oq4VVqeI6%>5;i6hXZZQItT^benCOq74Sc}N$G7$%b1vw5 z+?DkL6%V}Xq!$SmaB|6(qQFfy`lLddosGM{KbRj+_qMspQ2x6xkiYTb_XoAqJCD%d z;0kUC`Fl~F>Z(ir*o%NzO3W+Tb4>XVb+KKUhgZYq*Eb8-Rb@E)iEb;K;!5#$#VgrK zCd3NB%F0^ytuaBuY{za14n;2e-=}w6vl!dK|L}%6sSkCV;2XoSaJ&ClHAmoB!w&dJ zBO)UBcV+5jYN6&#*R{*Fx>b7Min;Fl`sQY^$yS`xArkFXhnG{AE`Ev87eQaPL4LAgPrc1|ic+++1A&U|F0J^M2-sY2cNBJbEn`Y+Pv%_*wjcfjBvJiw+ zBt*ufUd@!M9hL`g=?Y323D97G|D1-jdnd9CSb)fC!Fp>ZDz1ET%`5ozX^Erv<+yN_ z2ILB=(-N`A8MYsg+5MK+?-k$y8W0b{4+y`6D|sT;EI(CO@H&W5OrLJLcCdLn_p7&h zS|Nr?u?(qG&whOk)nUxMd|7x4%bfliM2%9NbTk{iIsgoKOZ`hjFOP&`wjK-wYhize zE1F-=S4O(=UHD}a1(nj2UGb{Q%1=4}-gg*lezx+w(y5uLXFph4$7*hbGTrggP*xri zC;Se-AphcBo$s@8B3@;Cw|VX7dU`eT)Fify+&?Gi%Hii$%Fa)}W*g*Dk3V1bJ?ZeU z<|^<0D}Z7#W3n93zaY}x8k24O{WbLgZXDu3nP!QKG})vg&kF>-G^`1xqhms%HG6O0 z{^8>JV0+4As}M~D;y{|ecNd;Kuq@E7%TeBycefXjo^*JUG$?ve$0Y9g(maEGXBJ`S z`{C_F-j11Vw9%>qTBeWAe=lm1L3?)xpoH)PO3@FL__kcd+myq^lq!aTi z{|LPwcoZ!6F0H*dOcaWcQ0CirS^9C-rgV&)6X#_fvBuhSS?xd!die0~aZx_KS!wgl z#21lA)~Pn4Cl`3eW4wHJ0&>qL+`z@OVRt3kVPRR zz2~?v_mf=ofTE$s78*n~+Qo3E2x&4WhB#u@rlLT~qWD9q2g^~?GP4K(PNWi)7Mgh$ zD$esbPsDJD8&CRdI3@S^_FQ&ZHMpEeg3&y1>ETj_{F$s_- z6sjw^h?2lqCISp`H4`E$0nE5HAppO?Wju?}?~IEn;$_ib#z$rtf;{QACJmaTod`4; zT8wcq&?rwhjBca}(F0a?LfoM09?h!0;dNY1trFr6sXS3;a>)L;{q0%BTRH36833Pb zXyojurD!QCvP)1}NaHkO?iHW~cG*y-o!GGIU>HWhOvY41$oTg=h!c>j~ntz@kF?y;HLAr6C4vE@_-2 zl`vSW;7;?$_aXV@{VOR0lVPL#k(pDbwtSLDW;)*H6YmhnBXVaKOfO_b-`uaZ za$YFn^15_Cu~RGLwxyVg@@cMr;#AG)5rLxJPls1u@<(@i_`#azOVgs>OTUNF``W=( zre-Xy;ataLveDr?@>!N%^|$eE^>5h-f*0D@6(~ zSocu%g}@a-I15y&LY+@xp&?y9ut#W|@dA4SWQ))sa6I#5LCR~V+I0|bEtr#kGcJsm z80C-G-Wn1wIBgoPeOur%H3iE0&0!}`9zXemQJ2%cDP zA9Pt*d(EZ$4wX-jm;5&K@fO2e@7dRX_wd*iJ1&Rj@c97G1J}AtCj!^itzlnl7n#(t z@ZGspeV1MSTJyqX|E}(SXFPvV#)QOsmuq=rYF_a;Kof%8Az{pZ9D|$4u-W`5T2)n5 zyr9zjkq*^5y5OgR8ut^)doIj|j0XWUb`9xn@b1G0(TlaDPLh>?Is?OzD$cb9Rcq&Y 
z(EWdKnv;1reoL%rsItTX-55)bYW@l5vnpQ7!VlxQ5|ic)mG50=FdZUdq z$hUd$;6WT~cW8KcK}=_SlhhVa4BVQ$_* z+s0J`@dsKgxYt_5@?h>fGU@x%ZG+`C=l!fRz^@6*uD}f$Ds<8Kp*Bx0{9uR2ylWkpxCeI0Y_F>8z zHM4+OOKz$eI=W*Qg0i{7)}V4u%e17Z=;WQ<5am9@GW~DnSd?m|B8AREYzY^-%O6T+$I2Hx#)` z*y}{6DOIV1!$z&vT3++#hqHewky$_Ip2off^w=twkEA+?Dx8EXiFxYQt(%rfLH@#) z0N8Ou!$mwW1K3LuL`iZG^oi{+$U$!%6pf^+unf9VZG%WiVvX^Ui3=qkDaz0#6(8%X zlB|wI8C@l5CIlsiUUbv8SqI+7{JFyAhH|&Iw~xF3%R*ajJXbZlMyJ=jPEo~Gmi{Jv z_EAYfZ1hVIia2=gSBLzsNngN_td7&3R3$ts;w}?T8GZf3_lim^#xYT2YsR+K(TPBu zcL{Rmmyz+~s}eqp0?s(Azw_%@SiuPI`Wkj;qt|k$oqqM)NGju)%v}S93;+-K zUZtqmC+k@ZZkhG#_^&ZTYpl#`ezmqwj)RYmYgTIUHgSRd zzYLB9E=cexX|Y~$(qqc=1ZMh*2h|;o?iMa@9l7LLXVZg^wzv&mmVfSU;EUUf-uSEu zIkh1)bXmi~AE~mZc+4)Rf^R-^9~$KPQ4P~W8;=?s!81B)00&RX7V*0H`(X{L_f2C28(5<5TNHN3~`%IlLV47@9*Q;N7Qo7H(( zd_n?@S!2ie6UQdXgL6F+;m?}9rDht}SU&J|RcuYPnOjQiZHJjtoii(Z0*hP4Dt5Pw zj|g^FO9*}LufOAZ>GS6x1qtTUCdPy~Q>z2y4h5k?w2MYJOAWM^idKJ@bqAf}TEWWcd1NhP~nI7dol? z5`Wp9cg|U(Rsah zggQni^?2OweO8j+=6|)a?akYccrmuO?~wRyQ{IP$-QFJbNB-g)uB+7e?qQqipSH95 zB#jY1HjT62F2AYZ zGltIh)^=y3QFew)b2Rdf2H)+j?tH&tYPyCw`QQFIZekY!7*2e@brF?^cgY53`XZ-9 zA(K;nYRem5A*00MX-NHdVi2>icjRGzYYi03-rv*F6V>O^#V_*p_xp%B2wYrTc!YDO z&l2sWp`oEdfz%L>F{Y-wf0;{2sz~fcPfT*1bYkX6^$!-F;Wk>#U{xH#a<+I5mEuVQ$&PJvM*8O1CSQ zGE=x%cH!vztL@o4=t=AfTrkJ+qkKnH9nEpiPoF>UJZ)^RHpn?=+!PNbO}T!_0q%q# zg;ckOOWcolc%9iRx%yCI1==%y%Dy^}EpRznBw3GWV1qD-U7+{G*dfjfHmRHiS;9Dg z$p7Uxpd{eq6s&8pPQ^=s|HZaWecW@$yT?rsn+sn@Ur>3%@@c%ZF*Hg`XprbQViB(= zx~F#!(oEJvq#}{EjTK||^q?NW!1Q*0RDN?l{OV&wY?# zs1V<^P~8%|C(OXu1J<^WGW{iQGTna_)={AyD3UJ0<&$-G=giVMQtc^HX#|ClA+UQR zIODP8WOZ$A!(M?z;R>U~0*``AcxTiKs;{eoVTdy7xFpa*nppDUC8QQW#A^yDiin{R zpKs7@HuvFaGlX^qz2+RT$)GQ!fyanA(s~zdzdh1~DtsMcLO_rq!N3GcDHP-rONk0% z%p;Nb5h?8yqE_W;#S*i4FKdk@SYbWcL7_LBURdksPfM?Tf)<1%2p*s05UkoxlBuBm zR1^{pLGy=#UzavXafdt6f8fBzEA#RRA>L17Lo3BWo+CZ(hEJ~jP^eN+E5RRxEXVab zE@4ck@DJA>eum}^7eEA7SR#IfV0GMS6>p@%tjo7BS7tt z8U)#T-BKb;C!JlsFlnPRfRi%!U4@d7)2vl1xkR})jHl_i2&m#bm+n|N($ab%4UW(> 
z!?x-)r*f5GY?OIFlxM*Ki3fslV&5yev4Z}rb=$TgS;mX={3Z-&fK>WGE1xhGx7hg` z6w~RmXT4E~fRSE>orUV%VwW5#kexs_52L1?Td9tsRhTSNN}!GfAhMWO*o+Spd`6;U z`1=Xdo=l(+sDpWhiR)_BTZ>LFMB7BTUf>!=%Oh0CGZWCuZKZICXbZ$Xj5uxs$IocC|Y{`N}3^Y z)nTX=MTclF08^*)QpwFi{{vLjf;v0>eXI#72ji34G75_Cm%|qdy}Vv`IuQf-rK}PE z%eT|v;ePuV`0YnVmLvyP+&wOibD(3PHl=sq_T!AT0JPREK6$44vc}bymkZ6@4BFny z@M%LhR4X8EVP$a1T;gjf6sWlbe?oHA5(Go$E zDmyu^$W9V%Fh`}mqBD!*k%)6ecyXebbwIQDixPhwDV~Jit|c;m{~KTUW_uECQ}K2n zpSpa2tnBDx^71bK>z*gVsH1GuyGQj@y6aUd>gxY1e96;m^;_V%6Mo(@jI*b^xb zK4;|#Fg}8@n!qj*46%^Z&6IJeigV2rJf|=aE4$WBNJ-U@0DE}TAGlW*i%N7L?=;HK z6Nw@xqA-js=H5{-OEf;tKyJe^Nf&6L0Cz*cdF1k>w?^LewYH-7hQB}8eO_Ag>b^vg z&n-DO0Pkb7(xLO4f@H{^!Hv5Jj-xntdI{jj0NU9nZ{Hqov-K9<5kBD(Y0l)!FO{SM z9$5Rk;Yno^bqG?DudmPrFN1pc==rV`TXDxl4TRj`$;+3jiuO&{c3?;n0Nf);bDbkbsq6DySbgkq|KXA2 z`ZkiYWb>(XgI#qtQYD7a50?w!=Z5G-UdYXD$*mFCS0THc?8B@wbm_cx7|pAPYnKjm zx^0fTf2o!IhCf8Wg4d%*%13qt>DAdt6bcDBhKr7%>`+lilh1ws<=yoj%2h5=nfv_yY{S%@LOO20>~;zHM$H^ zjHxmL2w7#NdJW<|2_*nbaA1nuK@3Bz4z%y{46M zE%vXSufzUD0?8B9dh*b~VF^hzSY9SxLQ&?Rc2@%BlSy%f{R93~^|d_-Ym)7+*2&7X zeD)fO1xmpSk{n19qMWl)_xNuHejJzm3F;AMQY<2}bPlU9W$z|SN$drL>4bCrU5$)X zFNFIJm&CYK%tA}1NX8T(YmjE+zK_dceA-rQT zl}s#9$|v-ILbvK!S$XJWJn+ogZM8NVJ&nQd(bs3foO>Od1jOZcWv{Qo>#lhKTXy51 z@y+9cG|PJ`B-fcL=Q0V(jo%Pcl?S#g8YIExqx%#=RS5Fi^@c7hYn=A~?!qd7r{Nb!$zFb5D3> zhbaM2*HqOJuXGU%Dh(S8J6;)sMtNrLNTKg%a4M0|7AxycM*o(UrvA|q4i%HMas}`| z^HqIYFp!Q@cYCVP+`=(cR8_f|EjxMJww5yjc(b38?1CBfUiJtGFzhYrD5|s|P5-3k zbs6PFU$c$}4D#tcf2)4^rVpzLU@-1g-&Q0Vd^MZl3KU3mdG4)*GilmZ%M6Z8Jl+a| zdv=aj@TG6cjsV7+QR+mn(dq5iBI7-82GPi-dH zCCDd)$!fbu=lWlCgenTjFrr*OG&O6rWW}Jxu4L_CIfYM8o4kdUoZTV~2@RV_MbvpR zZFPufreV8t#<}8uC^M~T{5H_K)LXs2qx6zu3X(4iAyN=z1U$eWDG<{Bj2?g-rrux+ zq%Qj@U;PxYcIM z>%vA2yaQ*4c1@X^;GmaxrplstXG$Uq+Op!k(b01%bqds;EquOtRd#H1^{ZPug;SgI zfaD+m7T#_B$D+TIC>0vV4#q$0>MGFwUBhfvilB##{kFJ^ z_fn_FQqc-A5WU%=z{3l*4~-#zl&!J**(pA6?R|Yyv@{mtMNCOak(x=&Z>-`W1wg^dUrd$suUOj-2{5tb}a=phh|8jAyTsIy%lFI-VU?s<*fBeRwa< zuP*~4`y(r}V(LZ}X{qQ*&`nDcCZZcLxy2{wvQ+qRX;!|Ajj@Tal&zKmM) 
zmHpVZbrW%;UkEQtdGTgu5+zF5+t;sNjXODS!hWl~5~LMjqxbgf+Q0uK>#s1ocVEm) z7(8_wQ-12y14G|?z4{cBKK)`N>PgK#oRZKcP5%lzhP>J=BZ<11&>LzY6RL8r<%4S3 z38Nh2Z&{#su@0zpweHT^Ze=ptf@(nSBaL&8(o}P$b8ntB{csQ>!Lyx&JV3jE;WG8~ zSiF7I?IEWZI60}29o)M(8O0nE_*WhbRZsUHwhK1QeE9nH??sBnwn@@Yl-!sV5229~BE5zG@s)jau^H$A^4`nxWABI%F#Df*Jtc83(JVM z%y!Lc`+nv8UlS5ERg<|jC95k;1RG#Nh*phN($M#@NS!5TU-YLeZY=rP)n$-;(&hoP zxUq1A;L1HnA5Ti|+0(7in~GeM;9QDEY}pZ7<}`e*_+m(OWVbr~Sda%~)6zMx9oXwd zPRGrm(EXtcRN;Ek?Io&0p9d>bs0un*`bI!&Hd2TxfzK)xqMr%K1I!NU&3%Pi zy~cHVr?&b+-#`aqX1#Rza_OWQ+-^WcvXn_jBoF}0vcE?QZSRp&2%daG8!m7X1txDE zyR`F3m?;UyKvgLU3!s1t>}7~GrB}ocf5mKzv;?I?hxkEKNy=C0av&XWBJsLH1PcEQ zaop|HRkfBavjO;koWgqYYv&rbx25wEH!IoX+% z_f|040Mn#hK)w4!sf;Vg%++xz-(>jg<>e@LlrpNqNf~q1S?wjOk6y_OQ2W!}^IvBz z|D2j?DhC}vfx9X?Ey_hxle*QdElhO2M8}YQ8#ZD+rmEBh_sv=CHT+xgsSM}1clvq?*8T6;eVz2-sg zoDlFLDrf(c$P%feaekN)cX!BS5)qA|7}t;@z!l4QkwHl8#FIB~w!#@pdCe{?xF*|Y z)u$?Ngk-<=Gc-*4g8!v-KQJu(tm`vsI9y-VT|7zp7T*6e+U=jsrBrZA$EX1EI0 zL2P>6IcPg9Ix^>}Q2a#qiedpWFU&g@7)tCqEbZd$MxtT`e!rMwUj4M}ny(qK6)f&O2#O3YnB zR`#oGJ9(eO?oi*;NDn)E_VwfQ(>$kP!lT%1v1L)b+y+Jm_p31postnii=N%f_3)(e zy=!jId{Z0HW@ot#sj@`U&~5VBJ4qZbXAUM1at;p@MZ|h zF-LOB3_L({mWTF>7D2Si@fxHL>)`$q$s-dsV)>(&_tSe2guR}wyY1>g$BYFj)(~J&c;SH=9fK%(!U|lK18t~N5`OCMt3!9 z**}0@0;IX()q?8a`;V>8;utT%2B}>*VM=`H%38JHiF~_@jHuG`@*mk|K)cxdtuN5q zw-{7h(t1=yFqEjPQPGR3j`dIE=_tLZCxOEspIhZJ$8@og)$0UDl_4nY$V~0FHM;t6 z3r32ALz5qV>RfliGFTWBycb(0c6Prtzi9N^e>`I<$kAV58NG3CjydnKJ`D6xCZ-qP!#qm?irBtI?>|>wk>eFE9A#zw0Sp{o6UdNDCtA z`;V({17$7sg!7pOsbRx+`R~lr|KSU6SVVAOEmp(cITPwD9l1C|{(F;C_ny`7qkOcU zvdKYQi2S?Z=Xfg44^f!s<)z)ctFPX~)*z=HmBx1>*Lb4+KYug3+kc^FH~s5YICRjt zutm%#kE~~uYK+7Jg@6K&f_>X5z2}(gb%46Vqjnp%6^nm#lX1l zj)8&c`Tz&`A7{TkE#RMfuJ2{l9{`8%1M_g;oYL)swwoHr(#_Mv#R9|15#(U;+SSa( z!otzj8sv72-7XGX#QgUnNf!$fHye;6gSw4_1%`u(3j_BX21k$w0}mGu4+A&1Fz|?Cv|L<{u-`B(vyc&;o+HY#fsZClp_Ci`A0q5;zgzVVP8z~9ta<8rpgyObFVe2AnQ(VSh^6!S5%q@Le@wmw4*eNJ88B5@PfD5q z++f&mBS52c=a;*`%R6e|uTJYwqsz)VWVN0S5+gQAk6o;v^h1u?vE*m6WF!YIZ5^g$ 
zB^?z*Rr{k5_Wi+WyAMyY8C=OZX5dm1##Q&e0k7t4g6W}Gce@myRvz}RARlstNJ~ll zPPu<|y^JvBNgo&#pW6f306`4-zWV#vV&1ZbIHpgUii)Z&WfM~Cwd=wLg$|5<0zIUt zL!03}VB!!Dit=l2NAO@?UEiM0<>Z)e*T2>-n`SZ3T7Kg)Ea-^3&hl+Nt7+r-RFTo_ z#2uWlB;ZWneojSs>!GHv{nl{w888ilqw=`HA{`WzwBU)QMD*{yQs;yMAFS<>eq-0l z`pwFE3Co%^%u_r+Iwy(w*tnIVb|rH$F~V{v7S@bOLY zI-aS&f8Tw5l{Gs6720sDvcqVe{v;_W24upV(gen_&^D*lUX+eKtf{dg^6#pWAnl)4 zMT~;!nb?H;&I1hmXg^%v_eBkY50>lp8}Mh1KJ@mHlF|&J{J=hb^Ff`@4v7$OxW(FT zWJLJa&X7ohMM$;HoiN7x_wTjcW=NmspEtMcD$xcP zKG8n6TkD^gVCLdVg^AvP$I#Kygo!ChRi3koZMxTZGq#8kRRafFwC^9K#H8d)>uZ*- z&QgMG@D076L6l+2-x+lyfcc_S!UPuiGp1`Q_#iuC*?}q(zfJT577y(W+hep0y~-EQ z(^^NOazvxycAA(cH*%cH8XC^Sn^)Yo;-mDf-ciG;VzF?$w(d3SgQU%O{cwT6aclFL zC2#pu(WF8YO2GEuQZZ#R1%8ozs3&Ar-24Ot?swRuKrB)ioSq}rgZfd!U(v|OWf2HC zR4I!)(t_M*)QosVPDi%N>Z*}kzo+9J9&(*C;ACo&nbRx`dK`Hp3aqh%QaAqc>-ugR zAWg2e&SL`^->sSzkG=2i(yqOt2_=$y#=!Lm9Gz7fcDM^N}A-rkb za)HID^xo7ZRyTW01kT5-lruKUUbRUP7xS)_^M@_y3kj~q459D;IC%tdW0EPrmu6es!W% zHVRjGiNs-{_Vrr2}#-Kra{)?soCi`QTu!Q zdiUHD)TArj&qFogwK*w9K;TPmT3Y=og&3wUefGUBXYCvtl5)GSQ0HSTMZZd!_}CM9 zM}>0iKsS^DUK^PD13R>!`<#L}M zp6g{TE`zW($S7&|@ownkK804EJU|^6EMEC+7Pg$8p^HjNSR7a1ax`4I`1<;JuWzE= z8>8wMD-YkivyoLHhWstD1E)eq{eyLH>SWGtH9A=6TV(c%s-kGblDiwj1kt%ruG>`a z>uW2qbJ44-9IwNl=qhl3y<^4pw&yZ*W`sJG&jIH}$bBS20{xtiJ?cE!sO#H?$<)kL zH3*@&5^(FT6li&K(3n|$;)X;b=j*+(F>vxCW{q^mEgD-|T6L-~u=*5JAK)+wg%O<{ z?N=!4t3PhjQv(?Hr>o`BFDelXXR<_YtS{+j`)u1V)c{U}O-IGN-2ur${#?(M{o zd-rkGG;{`kacWijOlyg)%(VHVXk+k+W6f`8USj}(QBhA-()JRxc+o5Mq4%T@%K67l zcyKPKZ)%q}B9i)}qvGv5Pa_F*0#8u}P^}tMB{XODY}sB76_>s&WRQr>T7;ZMHXmkLc z*IymW|VM7@B_1 z)(#Jka2*-RVR7<}iHl-jbZ8@5%kXlrCMLo+HdI=I}&M`(+}&ezidM43_FGH)$**Lkf9ak65p6u3fkog9VKIg2Ice%ddAw zD59k4t|!Tm?GmDWFC-d63GFn&ml2dT+uW{4zCZ2^JLku$;E2qU+^4J!$Uug*X zA(;>nK^;B_?ZG{6>AZY>G|LAr$rdzp(35iKD;02aM+t&=?*q>=IYn3v{5C&ozr9pM z+}8Jh)Y=aJ`_5ZJ&)Yph8c6kXU2E+!R;vcO&eIWNohzwsk;%_ zfIaGd6~205|!E8arOd()r^ch<@?`S`cSPiD{dXQrktMmwO^E;f3@@fWbr}hxb0fExqoZy zxGe>kEdZj}yVKVCL8U{P2se)d#Lw#G|NJ&DZ{6jmyMbp-&Dr@_WYCnvU>%KMF0Tx1 
z`j^537VY9YBV;onNYbvn+<}jBX2<1+!$y_i{d6tl7*=_~f0JjUWm6jqd*I_@zucHa z@Z_4{FGIP-=8~}r?C0q*k@efRTQlQ->2Zn{vTE2L7mn+%ND}4@@d?W5F>Eftf4+;hlLh8G5*hUx~6SK)Y+Bf zmoHzcFFr?Nghx|%G(tK4l+7A$1c4n{Zdc#+DWxwQK5Z+^Y5cM?Cx}AMNs9U&8*Et8 zZ=~;oI<4J6)zI>$WcLy+XBaKyGzBL1-uFG$q~+*VP3#IVkF>sskrYuMw3t+XkMmX| z)C-jsaJs(;TI=0Ljo4UmJmYtK8w&}7%rC7qWFFXu5>bbaTlbh&J$gbb=Q#QdKw3qm zrPlC9C=~ht4_~4Hj{Gf1OVoCCVHO%o6FuJy-#$8M=A|Ie_lLVb-q=1pY4tpxI3IKB z6OxmarJddsE*wc6S?ys02Hw2{-YzS>zO>`G8+=0%-KW@JXU;{@aC4JUrKxqkgWbLb zY6pL*4FAZ{biksJ1N~s^^Z*<8#R>3EUF*clGV=B`Y6Z>M(pIkxLPvB*x)G>&nWMWG zo0}HwLdTz1=8MFP@g96{s9Y^tb$D;e}7v zaQQUx=IN_(vwmJH6qY7(J4e(9CN^iU$_)6SKXxKQtoXkQxnCwiM9u5? zJaSYx4A|H^LH^hHZO99=@|H^+oIVzeRkx;8-T+McHUxjHgd3+(1v2rRqlF;2^LGin z=ah|u{iJ1Kfo8y3r1Ve;v{hv9jdBvE&Cic{&gdr*fIO5mI6^qMd&E2dmgZSW#Wr+I ze5=!Fd9bez<_uQ?b@k7tu%OQbF^KQ>6lW@QrVrPvc@3sZJ}3|qfbG2RdRJPT!^5MV zm+ofrG59~?Ah*}9N&nFuYR1(7Ijvk{tkfynpc~qC(pj+t`MWGf+b_2KP@)UZ{5Y*p zHnE*qjX`e&W9%*|(QdbV0*AYIRMBD^xEnu|q0e|-*GjZd>;F0!hlTVh$!?nEMFZZ! za%;&LcGJi%=Yn{HE#>b+_9SUfxbz+9lHYY&31kV&HW2kf(3a}JpWrJ=L`sKs^F|LY zMyi!}SAdX!cYtQlhJbzBkWxV(peRK6t4)6;{+NvM#!0Y^2ld3;)SXltJ$u%xhY2sVN}S906hh=4xU zioSj9N>+`VDmscvAbUx29_S^2car8W*Hf^uk%eela8aa++i~RhU(h8bCGqj|oy^M| zlRTp7Saza`K?OebY+cwflAc;i9CDEZ)k>3b2Lw|2np|?>RX1li$C7#>O_# zZO%hNv(SW{H`>;G^$t&}zwZ<%)y5DVp>JuOXw>;*jVA`%TJTeN@0xXf{b(!NUb{J6 z=IHi?Vqwjs^Xpy~0%m6Z7-E=TWYdD~uac6hv&mRWZd(Fz@go;77+eFKIyLG8$ita| zH*27XV$7gvWy1&qXcz*a2V){Sk~?x#-|~a+y(z+IkgbAX=2p^Y_~F zbz@CtfTR$qcVK3@WiVq=Jd>}nn)Oh!L$`uG){l>s-o7=im?7&g5el>2|L*8d{%#q` zk-SiMIZDrwf-hsn2($q&rl*sZ7mhRB-D4;uys1L2!{)1<#p>R?DK&(@0kvL|N_UUL zjXYzaqZb~nHv$g#Wvjpy^e}mDES2AaOrQ!1Xet73v>K9@Pf(2CNH+Q ze`_w9)$oSgzuur3vh3Pm4ZLlp60;NqUUmO;`$)k-?+-sN8Cc}|;(^ybx-&xZ^z_tZ zvyfiJ$Vg^kWjViYS8C?KVJpuQ)@fO%s;er0gYqkLNrAXk>*JQ%4sk9o*$TK1djTB; z^{g*cASXadR;6v5>bp?GVgj;n+UDo`9^2^q{A%W&##=7;TAO|Mt0=KSIgxw zY1wR?oab)o$vG)<8W#6SRJgso!3mi>pDVQdzmC}c%x?&P1M@#jt6)J;0!{YWy2sKk zxuV2A%~N)9d<+mL2%w)@u7~i==?8?5y6QAkeVHJJUQ&;lIXUUj`w21%r5AU;$fHGl-|OjNy~^;~R`6W43GIi&T1}{s 
zTVU2=z0<58aa>ZI;zIVa{X%8=EcnQv_KLl_dP1jpPj9%*GMS_KFS=4wF$`@~h~%h= zC5E$n-@X`~E1hAin5i3xO#YU-v=`bS6t;jE+;qX+r*ZfU%kuLyA&HxFsMl=Np1f=V zm1AKCix|NA+)F4$Oh^&pNH94@>wk2pY!RZ7aYrLOWgx|9$UXDt<6t8 zd0IB9>tQ(6((Vlg=T!RqF`vvjm$5mGqX}7_|5uU&o7?x=e7KP5IgaNy)|Y~n(X*z&X=CjNFQ(2F#Tnb%GGp{tV4+l3>8Qm@P6bzz*Q zyv?flB!&H1F7QfmDe_A44;jw-;re7D?ViWu1_vU#OOLnYG3_W~BEnwVI#naBZOUZu z&Lcd@cu};#ltAsnY5{&epV3=~EcsbXrwwhOlqEi{6WL-)$!FtW(D?{?j=T5ph584b{dMU0PRHV+ys|QvbY9##)ZX(czN<6LO8Ov>hQKzOcShOiLsaMtjJ_L}W5@4qNT|01!huX}bhb^gW%W z@>s#aCuf(rRh_MOU0sZG)y|TI``2xC_D{@ebgL|Wf*q?DY>!?bZ+V=4Gwki}6&00s z^lyK}XsJ0SO24c!GcGF!02TUmFj)c+LcYipb_<|WMV^BK4&3x-(-B5mC9uOm@o$5m zEu_#67R+Zk@Z0y7JUPR7K`+MJ5YJi2nmT+`U%nwH{8D-!^= z?W1HwyIbT9dsqmzx;L{XtqVr#Rf^GZmH@g+a6AUDuD`(p-P)cQryN(A`<+d8O< zW}2<)XJw_+!}D{YyHZ!L{b_O~_3>C$)x_f??ULZkRfjjYPh(|P)@aU%wojG?j7XnQ zLk~UCKsVWUxyQYl-QZ3*1F!P#xm2Lmaap-fK*N{Hz0O=|w!bAlLbwOQ6J>K+Jkvk- zbBpp|hX*(u#$7zd!KR4$wXHiVq1c4J>=<;R<+ACcSsmaX8~wxrY^liCM`3mV-zXEE zQRBp2B97ik#cBphQyS&%;PBkokdnCRUX)O#=UT75ZhHaL%rX$&L049i2j!B?xFy8M zEMqx3`WNs(Hc-YECOv2n*?Re!HMcguXqoyf^yWrWpxTn29@(_RRUq;yGV&CD&d9`f zFi<@rp3QQnk@VzCXh>Z;i}2P*qS4VI4FdxpZ(egdmvOG7yP_xwaDXifSSx>v`gXQY zd>yRZ^z0%}q=7qK{z?z)B?sF^2B-LXgoLQH#)tcP{faxMR*pp#$4>e-&Ug`$%a|$& zgFOIBOH6*OVg^ab0jEZ&6`1f*0{a&!XM$E?g}Y~c_DVcJC3yRdl0N$VYkHWPQ*?2! 
zu%WVJQqlzkS%UL}c>&@AU|{jAG8km7U;q&j0HCMEK@_xySKh+?2P@~J1~w^y$@p7RJd zO;-*KP<(0{PcIYLk3i*@oXhBm%^x=l%OoZz*9)^?42xMjBZ*UyDT6fkTUhxt8;X&@ zFCyaGJc--d{N*!+qkj#38v3*Znl?XxLBID%#jAxTWVjYhnxUr2bGCcYV%_=0lg&ws z$Xge#N!stx)(Pj}i3=e>&M2JbQo=P@1k=5hm!<7(RA_Y8V;dSP>~my!DR|Wo6BHVX zBX3x?-}3u+HbmXtvZAU6yiL>>MLo7t<(K2LmN6z_3whxvLrmJPv|NTRDS1@|h#k~nTP#<%o~UR`jDANc&ljD$3s&Xm5ibE7UIycO!~-aihCwWsF2;b@4#Dza7_GL z(6}`d14AX$tN@~}rM2eL_<&HvMV`?9)ZlVMToT|@{gbdb9*<*}5gG&lz=0hmt|Y(* zTTB034d9;VW~NHctmp&YzVCYEh@3x^&*l#%UhylLoUzC%D}>CKYASK|JLruJJB+Jn zzE^coQx*tSu+ySFzrn)7#v{Ue!TvlxF0bEZee9@badF8Jng}57%!6Q{5q7?uz<)qM zVEJ)EnWJIDB}$qM0GYrHa<{O`m}`68%hTKVV&K1<#NK}Ji5(M@A{qyWg?Y_IxR{;u z7)X1e`T33QEtkIeZPUxsXM#+L_X{~Kw`X3L8IIV;j$3b7dBUJeYD(P)4t3V`_-1tXawHj!fm_4R-n z>FJYRw4)7#vDr`GqoBrTdTcCK@3a#E4t@QsH{H8B^ku^hl4v%D<;+-jcgn@X#ZU0l8{xlt?(&PDo)->n)X z8~OBdZ!d`(0utX`sV4JS>hhk+bU|H-ZdUX2JhPaVVi$rk!dF8>sXPu(p&U(#4Od>D zgM%X?W4Axcm3P=*K64m50`LnUVVpp;!y{vHjeCkzvH_8J{7ks0QR7bm+%661?I@yX zhKCMLtx!Mq9Pe_n(x#`@7Hj~0l!=)Boy$(=&mfT}+3oWpds=oDUrO!+w= zk0i&!yrTsSy^_U5>H*Po{fO%|cUlnz!e4u$TmR^dhlo`UBnnuB3;^-^{o5nbgs`fE zKhT%#19?T2e^=sR) zxt)W_fcX6m5NH$t4E;bNAmDFbmi_daqnT~CkiIo+zCR@+z?t08lJ~l?QS>j2~}qklnSkR>uFa_e_fkhc{`=k_N$U#rN)SuLqOcaJ*>yjgWO~&wl|Y!`=y@) zVKx%G(ECeZpLI6pzi~ggm?`0Oxt!P>PMvWrz4^xr0H`5<-UDO8FBtPMs%*bokORv2 zizRoMq!&1im5t4~msiQ8MpuM(cIK;9&K44%b1g^){bkwG0$_xFPaJ1y?+IloqHZq| zGF#n*01||(aB}d+0d}_8wp8`}Qq~VZ!=cWYUa-I~9@wE6BQ#RNex_zMYzggyAGYzd zm>k+Vw%s{)b#={GIq=4fkL&yPP6N!bGXrB5d5#}dAb^Q@13I4{p+*=*Z`JoR!Ofob z>(GIh-fKrbJZ`nM}aiz0*EtUf) zG=StN3rxpcDgWj1VmF~gbJm!+Z@Wytg^X}XyPd7A*Pqz-Nr&I6mi~fS?99) zmN@{ufBe$!;RCvT?!Ryr;Ku#{tmh8^jbGHZ0#p{Jq<~1ItvBt(A`JO3EHCa3>^c5> zu46`FUva3V-|uJ54QvcH#+%jJH;O+dHZs3$(1DzMS_Rrx)bzU+nzZt)aCeY(b}sQb z1Zv_-fU3(^7c})PnQ1(HBR*e~2i{fCU1)G51dic!ksLMhtOy81K;y|1fCmfal(?Nr z7|N{y)+7H?n}u4~>^%c-i(XfKw`+|h#3D>BHKpH*zI6<}?DdKx(_rOqqY=)>yL17S z(f7!JgU9rIcp9#TN{TB=wnwxKclL8>cmo3PpP7&tD0xM(4SiCyR))NKeSV~ig%u-G z^opfWv-KM!A#%bL&v+tA2ryhI>uaCn6;<4H0Ti(Kp2qBDXx+4L<|X`8$o4=m*}zSR 
zc*)g`C50t;2nixB> zcl5EW@#lA}k1$S8=&-hGe=Xh0N@e}}ZF))yxwG>r3w*>MGzIfBP+GJNxjJFlGg!=JvSr#=`-6v0AR&7%^JrNBTSDs800Qex;3Qk187H$ooX4 zzSIZ`AbBSC=bu?8txgYTjV^2&eI%hiJqC~{7Wad=(TQ~WugGtE8FB$<0e`(10Pk(g zMIi`G&E?@rabP(R?~Cwf+!n*JTeJ=I@8y;)JD>e%rJAeLDJd%5@%R52cO2YHy4o0L z=Qv^s(P8BnW)b1N%O{$J21*L^O5avaJQcdi$QO zfo0q;7GQ5A2y7g8QIftz^b{05*W^ahfF!9X!?=4p>4ku66_=ME?B_-Ryr{%k-oriA zZva~f50B3o04)w+5o#JFB@qhpQ4J``ehLH;2xI-@sXI(3#P9uB$b8hGITk^d{9)Ic z6VOO2IYb-0!y<_jpYp#e^U($HB5(*7e*Zf+|2{rSm>%q7{c{F96Tw>a>c3{FiP)F_ z7oB;1knX>9r~LO@{Qa4q(E?bOZkq`HJK*ON3ZL2;{(Jg=*ZBW$n#=$H#{#B#-_@n< zF+bhY%Tg=iKU!SKi>T!lMRPW;l7`08dFFog)Xz0r*Y;g;NjCJo|HFi&wO-#HgxGRZeQep^2dz*{6LxaN=nz!RzQ4V8^uai-+`s4^QgF*)?u+ zO>vcV45j@H9E`|+8cqK9scoy%v-hvK0l(exWi1MYd38l+v@a3d83?_AX=LttSHK3s)a{SmvOt`2h#r#Q6gK^f^_hk$W zUN_F;&NaG|t;MMf8#GV^@+NbzaI$2)f%yiFo11RT;So?}hF4V3zp3*evaqNI-#*np zdcY=^Y%~OzlpAItdNxRWPqyR)sbcTF3@gaz@#$g`_d0(33uP<13Z%5ojmL(G& zUEniTfbj!q1B}A+W`@4KXn$co$GYKvt))MTV_KjeG|m#ZCrK@IF~2To%O=~16hh{O zVRJd590)Q4s29;5Y@;|L{&A8K8GhKwm}cCm^4hMDgxlVnqE}-!DCM5fhU9SWZBwpW zQ?Z7i+}9QHzH1WJr6s1@XuW$KsTty(8|3mgb^>G~>$>b!#rC&Q8jR=toQ$SR-l@TV zoTfBY)9TV&G?e}n)o>fHyp~dEx)-?m!<8bSU$=Ut2|K~)0iM;8oPvt*t)~9kJdR0m zA=#VV=e}Jy!O);qhUhN%n3}tj7)INgB!%;|oS<#V{4GpQR{P==`{}xMZSpt7@?_%i z?NUwYw>A9mY&SgdAHf*pZ+a;om-@x*9T3tUh2iAI4WwH0Tpl`lwiu~D?5?=t)B(Xh zY<$75?1}E2*Or?vM-1x0mGn7SR*B5}N18C(=N=PCgZ4fV$0H6Uibq#=bdp~<@?mc+ zM*;W8EZ7cR`hP-sDy_Nj)#{b^xS|7vUMAmF=!fOae3}dYAf?#$IOliJZ|&GOAeKg> zyXc#*`eVLpW@9fb7m~cLLrlkD3ZvWYRz1@dPA9=IuX>H0lMpGTR#I5yJ3-sB#A74b z6#=C`_NCZMWgWP~tsxyjWL!5_YDQ@?<6E;YmrqBzK{A0S;V%J1%pn;cf69HUtgYMu zbT={!*#^Uar^S`CA)L@o>-snR9`et>@+{(_1AKghkjy#cU84>#j- zU;4#ou|WY8>MEOMPv0Aq9$@ba4Z@4akI8x~>rArWen%RZMBfSxeN%#w%4LBQA*nW3 zWx<%!hIrZxakShyQJ0R*`J+=lxoiIMjEjx!)AimYu~4N1AtxuNDK3$19V!S<60k|S zssEndbU9tw=Tz0u=?sdxYXQHOG zbJf~ThXFW~@QCLNkwj8a1i4C94P}({`}l2cr@TSCDKRR@ma5 z&P+xZoS#Xpl--Tr{1kz)IQ=${PmzciJRp91wNn$3=KsVnS=m0U9@tEoOvWpgUwQJ; zvC8B%(>T{ScCZM>q{qu+Jnu8==uiXoZ%|8}CeJ!e&4*JoCtihkzDcs8u5Zc0n9`yt 
z@H#J<(x`{|@Y)VpFtNAMw}<~wwcr~UkmKV`qlHxdL-D=^3Ty<0@Pi?7DYs#lje1P zl$CvlYZMO7AV~GZzqZRZ>4zyXdT!E(XL{k0tdDx8j6lQkEdqMyjak;~^ybiA)4;0d z-dKXI(LTZpRC1z`B}Ya#opqbH`0xrDA>&R|tbmz&eOT_%fy`MW&w9U=(cYnA*GnoA z|Am+SJI^}xCHk0+X9X!Foj@ERM+YA!dnA$l4nIJ46ICIr=X}3c4`zOnMvS@Y(nN3i zg=x&{M2A?#-I(w;yFKbaiH_NPM<3_)O_G%mUZj7t5JUVh1Y`vZ;4Jil?i1)b;l9ID z+xe)qI1Z?WH+li1sm^3VsY!!Cw?rvu{YcBelaag1nPy-ZgTeoIT;`Ijq#BU#re|lS z%I}|J1mh56GQ3(|oIYW>a zc(gs)=uAK?**a$S@65XQV$>}lRDqL>&s=!r-MG4WX|C7#D-2+-eUK0vvKLG(bk%v6 z{X!Zj@s;CpFISKc=uRbK-xG7q#BWqHBsFCm7{ zU+;`m>Je&elkGqDR)ym^edB?>8(=8aE&U@w8_Mj?dBv=QOo)gh9uHcX&k z-~>v(3Q*dOL10jL?Hx+R7)dW3>=zGf-&ZUwq|rz#Vbw+$aivnYFE4uGN|W-Lv-Rq^ zKA<=t5_}2*M}B@YhM`=Awo{7SijnFk`kvoVqyatDT>QamA^lB`mWhy78gQ|l;ss+449&&P_lJFXCM!rqeSO@H z4(T2b2Z+_$UMn@7d2nOJfA;K+je_rvoO5-4_&-0$KxU{#oNdF-H#X@^CoXj4v&3?` z=W$=M4HPyde3$=d{Sxp2O#JE6?1svHJ)z=$D5v~r`pMBXR4!6a!Ieuanzd#NKtghW zT7!*4m|NecsPe8Kvm}{7nz8f8kArz{K%K2FfCFxM@1bdrWieo7)5Zu>W7LZxUL6|x zcTz+dHe^O0j;_-SPz9#P6SQFGrK3D>Td{E!^1YxXSJDl7!kQMPXTw_A^+1Z%EE-tu z9>t1b8U(h0(7V@*#ypeOoIpL)h;9o4P)sxY8fhkDa^bQqTRsP73VGj);*6kaCxD$i z^SZ{VOE0vCeL~Q4;9lnPea2=yeHf1My^VF1f*1Y?nHQ?!XU#i3Pc3FcBMj(mGXA4K zIG}b=*yJ8MeS*D9I%kt3W-=n+!pXG2FaqTDTpC0_=2lQJwo1I{8qT>-f+=?-Rjb&$v00}gfk`wU98-wvb-JXQ+!@bMTzrMPB z#g8T0o0*+P9RUn{&na!d6kOI1=5;8uMOzF`&(6Axxs;7&eHushPkF$e4M*8dQ#5$C z%~Y}W*umpdCd#u=7L33mS#kjP{n1<>e#f0UjG1k0Z00Z>=RPk&^j$z#PWO%;s3r~b z0;}Xgr5Y#Ig)M%;m`?mtYt}_V)#BjBZBQQQkzi~s(rv1Kj+yYt!IZ0^rXbNi02g+0 z?|EOQb9r6APCGHqw6+o z$f+cW3{UqWiSZG6p=ZPhg7Y4FB+q6YTJv}V*4k}u$3IM1SixMilY=k-`sBw@jdWby z%QZ7y?&g^s92#bDpQ89HFHv&^R!^w14J{LsWuwR18&>0Ag~vo#jI!dVx(;FO?d^MQ z*J;hw`YVKO{-?~v(G%Twzg6yBqj^ZQZG6TGkcx(ro~Nrd;6YEH?%wS@_SNk0nY8N({1c=)iINAJ*&m z>gK*-K*i~_l5iogaK}xGUJ<8g^>yaIU*3w0N$ge83mT-EJ3`8kPrW-L4`2?MmN<>2 z4zcK<_!|M^Rc)N%);P(WyQ3nV=XvYa)}@8HrM1xBjD=b%{1S!}7eL%5Z64{fvC1B)Tr1ADsph%Few6dABk<}T zfHMG3sVjq-gjv6m`A}3EfVo{6T-&X(53qHRrx4;tlus18zA>rFME|ul>N^c?<`*8q zYjOTfXaOBNhkN3TjOjXArS?*pJZ&@)5xwxo8I<3bFLgvw<5Nu))hz@m&=1LueO 
zB;$NjvuXy@-VXz@DR1#2!%gQ-;u4b{o0XOCx!ok|E3za#vG^h*1)-vQy2&A@V9(GA>BoP!N zPca_O+>tM?9eQ2U);h-hw~wB}bJA6ypIiNp-Zj}=;EWOQU<(aRiQ zJ14R%h>I6a-~086O-?Q%JjP<+_v4AngB_laS{gdf1*;)B@gJrMjLHg?CwB_R~--_bx2$y&_(B;Wy>-AqiLz z0~&ceD$%5-Gs&wjM9&>Z6*ekR0`Tdh>id043?`@8iATQ2MHWJ~Wk4UF+#n?IsQp9{ zi;Q`Flm5MN*JCGPLF5PwTq}lr9uIUhBtgN2ssQ2uFwE+YBL-s&&0CnWx;zc#t?<~B zMRu?#f z_RD1yN8EY}_th}&%cZO502J&QX-ylt0O@Xa+;`%iaXwkc{n&UxnagY>y%zdp?%b19 zd`lmI!#0&EBx2X9dqb{x@~NKz6tVXTzv$!b=gO%MJ)aWo=oQiW;K}d*a-+9FgnE0aBiW$=YfjdK>bbU2QUTJ@MIEoJgP}C|H zO94}X0HG%?cz=H{6|%}VY{@G-$O?FP$>=C$-Q;PKHa9nDM-OK_|6#E2GCnu?nJ+_( zcr5>@7mQ|y%^yet@Xxz3>@N|9vHA1GW13Nmi!XzTk2lW`Q*x@@yM?Ltr~z-PFkm79 zzKFd%S{iCw7HO^Y>Q^N%bbTB$g{kDh5WX*?3N{a5BvGKbqm^( zu4v9b^kP^5d2){+9Rmj&{v>Q3Jw(_u(iRbT<%}`)*h;k$)vivfjsJG=Qh*z`pHzI0 z9SbMsCy(o!-o+JjpebH=sm&>Y=mgh&k<1Z&KRmquKrua})tDY&d?JiClyNv3629lB zJ$CR88M-r4&GMlF@_{6gE99$R4y3uIi}00oZ3+puiO{p|Er8xp_H$yqw#(`C@B+uy z%dB{!yT+9zcTOh5DIkwiy5AXGKYKVMw#a7jj#nZwq~p6Wuz5GtA(6+~%&mxK&~&f(V_qkK+w8cA-H#tXb(>4g1_Pl zBVh3Fq-~%fOf2+!hk~G=yL5#}DYT{TNoEY*ArbldRajbix1Aq9+{~H>Tw#o>RWNvL z)d^DBR&F{n-X&2x@y}rnc-?9Ku{2Ve2np!7KKs$elY^W_3zZ*U0R|K@8k+YmLk|k% zGddThORlye#~P0ca=4w8u?D-PE4{mgt9d5G-Yu725MbzYkmK@9Pzrg70$G)q)Id)K z*hfw)+V3JJNA=$ig~wgp+?bY?TTb4*@kO160fs2I{pKhCVVqGTz&G9n;8qJ+2`gjN zu9d2WO5c{dMEPjqUuYP-?lh%W%<2a5ipq8oa&~p>Nv{dH&;sqPlVW<&k33T}Hs~DG4KRe)D@lQoz!JuI?BHJq!e{A!VZ16B&xypnF3BnI zJ>K@x>7o!s^V@qj7rz#no9!k0hfFYhS#*m{{`m0_@`IHrWKsKkXTYh5WL0|sk1-M}Rf9pH_|M?gF|6g8thMsRez7pQQJwjL1gk7%a zoz=IH10P}#m~m0mV11FFc%Q*+vw&)HVX>LqIC7k9mQDDUukg?W6dc{z7Z{D`(E}fs z)yy6f&sT?-vj<19pZkl``8&CdjJapwGp=ld#f^ZFrM-Q;_a8+7m{xg)hwlH-pHfoH zk3#;B-*iA0{@&m}F$P3LJgFc5TNNC*m#d6WON>u`_erri(@+b4^W6|KNoLU$}XydLUm$!`;^n=rl8;Q|APQ7j!XSrt>BJI#c`7 zz2;m_0Mrf0vb%(MPHZ%%7<5y9Wt}V`^$qA5;H3NV{+VtDwNNdHT)e_l{kE{cipy*i z%XEGH^tNRxF~#*@ptCa_|0@eO@VNwyB1`MC7|jAC;d16F#xOH4@75@b2q%5b;Cn4A z+%Uv(ZgUM;V9^eR<%p5gCtKk)r_|&E9HPU;XqZ6L!aq~BamM|Esn9Q=CGuNU-Oj?3 z$B&hA4|=#`XocSTDZF@ElQfT?yb5pFJvyM6y?OuR5gi1d;sLqVQf=sDf2<+N4@W~2 zZX&D4nk6CG*&OKujr6R@ak 
z?-u+kcHkROI^RPVxKXlezSZWp1fv0w41tLmpYmx*E3gP%O2*DyL#M@ugaTDQZ?@5* zmp9;BL4R}f>c^EdS8`*>A|8%pzLlj3Uz%WpCkv6x;}0*?D(4+C#hs(n`eTgwGjtG* zoR#~nkTgCA=5cOrx7vDVFBr!byWx9#dn~%x41;6)-oqmnUY6MF$du}}kU|~sSTH~q zIyT?>6CE!~x^LQSv1`j~D$-fjB(<$L5*@>MYaM#MIXnpYGYE6WWTZ8TG&7PGh91Vy z%z-;^Q;b9-nub2*n&z^;Oqa4#TVHL;M85yD&9PBOo=v4+Z+;E;TH^Q{@V{UGBYQVC zHpw1_T&=E(0}#2lcs;DRxRk<$uCO~|@ZQe;;abNLZE#*FRFTf=rc@~Jm%=~k$H5uWl=C^U)@_SZM^XLa zZPEVT@%B|*@RWLT^mSvk>$x?^fs%A5Tf_h6%6oB>*Y8r_qvej-fcDVba=Y66n$Ujv zg3Tc7@KMCKw1lzS#g&cKY(yGh8^wRhnRl?k%@6VlN~|SFhE=8miTLGnP^VejT^|nn z(^rtv<}f?Wl@2h-p=%#ri42`il+PMnyKBa^dl2@%rS)3FQM)FFa7;{=i{iWWgnGQH zs<&%5^vaj+Eb^0f?SZf%7-jQ3?nl`pX;;Ge#`_10by>tj2QN6D#Zk{Jy>oEyHO>e+ z@9pbNNKG9E2G+G3Ww|*5F|AuTx%JCyLcEx?1cnS10Xg;@dT@hIRWnsozI1o%2{tTq z_%sQ#rt^iYhY_3dWekkI{$ADQp}uWvXH!u2(|dp?tXtN~O62b^Uda?CyUL!PUr{tw z<$2N(w0umwJiE(8^Kk9l=K&7Zfv*+x8{DJN)yb{yziWY0A<-l4XZ}yuxT2`C*(s&scK(s2_?NP~2DgGft*bV&#(-QC^IO?P+S z)D7?A`Tcy}|NG^f^Wlv1>FhCd40Lby-fPW0*PPe9uDR%{45q>(YW1kzQv1!P><3vW z%kc#QTLbP3#lLk7sx&%2CFbQ8Puw&5b^eLTt8jRYOJg*6CsglZJ)j z4_wvhnce90Y(VDP*{;YAiyFO8tIorBWD(*%U@j3}KSC2z!QQTK+E7tbN&9Iw2NaXPo^NX!j7n}S1A|QF)XL5( z39g7S;Al8SE4cMo*D7`E8^l8qVZvu}RhM99t(R#?WKIAp2>-7T-lrmvvq@Jjy=4_8b>dW7KcRot|!0J8-sWUwh5SwH4oO zrn_~{=!ssxan%v znJKU2h)`B(nM=LvSuClDS#OT0BUASDBtr?5z*Dzm!XF56fe$SzBQ{-9=nC@jI9zC} z3Yd6zy>3~u3Uhs;ghrGn*xahNaU#$W6 zNer6L9x`H_v;lTxJ#;=jTtS!zJeGG%+0#&ATc%Y7tWp)VqlBQk%+iEwYwZtz}7h zS#~F@FGc#m1#>eCS!;FkE&p0U!}IOX;_dGxucBPmUc{iCkMO7FHiCD(3vZ|?xP=Hf ze|DF7;Y$_O-PM!!JI$i2CS5|Yi#DNcBBXG6dxvUW*!&5oMHrcqE*uV+RUlwZtEmBx zwlr3Zsp2|_*hWP;GB?HiWu~~!&nvLKhs*kl5!tk}RKc&GPT0W5Aql?@J}ikfoLiWrV=i2LD5*q?RKE+Q)KN6U<**~`N;B~)-N<*!Wn zPaZB-s=78k+SkE3pu>Sic|ykHb2Qm3hlb!hV#y80#pFtkkx}-#yP|*H16jEiz8-tD zKCz&U)geSipTOCdN?7zDEAtm?zTH5;jE6#gf5=DWBm-bx(g_?<;Nt<4bIOH`BvaB9K8u?A;Ax2oqNxj3iZs@e5`Ui_ zdYKULwcxzK0gfQeZs6fViqo7&n?~l;#2BpQcDU40D7oVuKjKTb%q)q_rsUX+--7p` z*iVg1l0N!j41y-2(y4E)1iq~V?D*u$;5M9%;dL$K>FMeBufma-T$AAC%Iez8UdGNj 
zGCjgqRR~V*HfsS7?|4+6bg{_fk!soH(rV=5`giEM^nXRv#7-SiJnp8YTdE;~4o!>% zv%Uqy_f1xQY5z)neAH`){hy`vA>SgqrD>Cexrozq>qB4_b<6Zz^QHNuUzo$Hp(ij^w&7BASveD zQ_&E9*Zl=tBWhMWB&Xb(2T*jgK=@x)f#A)*2`HxCCD&x&mT2L=yf|#hgYXBL4Q`Id6 zJS5fgr^{Acai!WQwzzZzCAZOrsZ9qbA;$xM6Naue?bk`_F2l0FkGsLw7OwU2+swF_ zsqINza8ERC*whzl{HG5Q_nuG8!5+=el|+PAOh^eRsk=RV)E)(5W~fT+o4+3}PMqkr zhos5d-sh{DYu~A5bb9)x>T30IQatdYvIpD94u?lCk6cC!*49TyJ_>ex`u7n&WJlDH z>$QP`3yPI4ReYjw8;wrO*1(=ikjaohkF#MmXjCCDq)wcV`F9lp0|DMAT@qVti z-)dhUxYjqu1QZ2-Q(7!60`&j$^8XLAn!f`>PX2$Bc>TYTM4dR{y^MvZzb7ANE>_9s zKtpbIiv3$CBUcU(r~I~XkkMEen^G`v#2|J*P`Tk#x>WQOQC}AzVrsMkh5q7{Ec5z+ zh5FCY^#WADv`cvdLV{>$Ia6b@M87?_bBd+P$UH|?PAdzRRx@C%Lvj~qO1(zx|$#ch1^kNytAMG!=qoSGUrx4)nvAypo{UgMyYmKNDu zG6~rZzDuY8iQbWBcUzX+e{Z?U+GkcC84(dUY}9f9TRAzC-9)KcSzg)N+9y3=p{4{R z=w>6zSFa-C;_wp^2vM%!8PksGf?_y()t8h9(ds19DBZ>jWC!E|wCU-32q0KwoZm&oec9raI#gI`XyR?c_Jq_Rap)?8ar!!QCr*8JRLRPWN;@_X~G|?r1y9j^$~~+7pY0bN_|R(hTn` zzbobfE3?)0wG*h|g{#d8Dp!@|U=B=5LW)MB`{FE){P4N%$|6%*3`;* zyJc`?FDJ8d**%@b5L>w{xC7?#y;+-5Z>yD3R?WMcAgnPvVqN1-7#e6h=;qcf$r3C0 zjh%zU(vTi~=GMC*p&o%tfhMYcIm{{x@`@O3NV(SkD*sM)XpX(;;0IBc%8h=WwW<%_ zoL$o7hm%k(IW@)pCB*AEe#-~#0J`?L8p|md)GZEKnyYc^yr-N-1X2kwqht*GK=()w z6jq;NWB8+7z`2rTmvN#PuFgF8#a1>H7HF$oUXMjHLx<-(vd|gB90_cESqRa6TJ`Q; zB#B7H>aiqFRl}2CX&nVh0s;1s40uSX!!it?9Ai{6a-A#skB#S?7cNABw4Y_?6AqU4 za#}_|`?0#et5_ksr&Io9`sD^4B(r@-%cw@4Y|@8;BsGYtq~l7H|z@;+rJurW}D!h`nm5)3Y!;UcQC!aB>vdntOg(&>pp?-%j!E% z741o7Nw2|f57mh08^b#9Hkh+w2iB#uTz>$&z&X5Bt?&^?OC^a=A5(MQ_5)<6^Ecvo<#>nzH~%TpdS7X4?es4zCgTZZ|>?cVa0F=OKRzFJ6 zPU5)Gx%zvQIkA6CN%?5G6f!a~{ZL5$C^IO95&J2taSz*m-GN7Xh90-e1;QZzB~qH4 zl@(E9{{SAD$B%Bs>`^GR7wDRrf8%r_SaFfex^&L6QsJ&-Ub zM#KJOF)rfuL$9<>7P0JSn`9T;0TlMw`L3jon?_Y-`b|BBJ>jnqrZEMiI+ht%#2MN~ zKZ|bP3=TVNI@drN9triPER2+FR3fP8u`-EK4SAfhx4a`;`Wd!As@7e#Zi=`e!SHHw z;T>cR1EDUN{dAn9ErN&OE2#2;s41Q!<9X2d`zA8{qlEiq;ft9nof7bN);t-T2RpyA zb8!Fy!}WYs(j0Eg^mX`4he7F*ooG~al>f|LdTxfhbc;rAf9N2T7dg6T{53X)Ub%>d z9WVIWEX#l|Zy6-l^ z!a8|AVX*5!V+vgmmNX$msLZR6GF8r7KD@2xgI`z%1cq!Zi8Xrl8<08hMRoTn-z|o9 
z(Y{_Dk4;(eZhfp;_2ms`VKrP&V}ZR_$!e6|)YvR%<1(9!hKJgZk?-ajctCko=4USr z)>a?Nsi=P&+@Yf9_s-cgLb%6UOmb+jLl2|H8e~CZ*20DhIyFv9P()W~xF{DB<+D_< zdF!}v_e?fB%G|QvtJ_F-BFR~}qWap)Kdx3A%hkbRBLu3I=5+j=^k$^BN$44G!U=&4 zwFPkNJ+dj3#2Cz;!|Ze_bzizTdJ7x920|Uq_dHVDGAT(fMp{+!a1lr^mRsp+)<1(5 zbxtd1${>80ykC~y_heC;8S&H8hWOl}Bn=!XK9Dna@_W>OS89iw@OLbQ{^bN`nFXTh8ydtp_I&$;#qp z>Nhk34b9qda#5+GI65e-hy?Y&<4Mh{~3sVSW=|b>R~< zfI*gpsem$;i2U5wqi{z!eOyb52S-!x%*dIooqBPRfDRm?eR{_ucwgG@8b zza)wVS-2lFu~hp3Xv_htFki|KDSU9)8Ncv~mB!F25fg)C@#3)n_n*aK%iA}!mQ{gzVi@kLa9-OxtI` zDc5h7XB!$UojG4D9=_w5nE|jfl0&UtTgREin{I@%%5pS@-04HlfbK+y-2`#MyeC@5 zxJ2`GW5)8OCFT_8LCiq}*Pg*meg6+ZSm%XnVzYJ=cJlj?;PQ`_Hv+dQqAW3d(!*Dt z>yvu0XBbt#UDgU;H^2nNH4dE-u68g-FZLl14q+UM^+%6a7p^$*`w`tuXU+vhpug$8 zH_Z82r+K)kq7(jn$4dPNr6C|fL6HDW-iB3_Lk2mmsoxVyP(GZ~AOZNV!YB(ffsCE~ z*3JYuc`Ex;d;PI(Q&VIuM|+3JxF5l-SoXtmuspw-&*TwaU#oVcT@gSE_x?S$L8)&X zKC0kV>>Y6ld1)9O^taJyLvjv5Z67gZsx#6y~azaJf$71t9cp;F8`=JdQP z1bSwhtG421TpY5PxHu#s#nx(+we4*aKcqyD#?(Zmg|?d7gVrw`IxOfnw5FxgV(tQk zP~ORoWwY?jB3?f;MP)_yi<;^*FEHzrl$6VMqRFaS{8bGN1-M^-lm!RPH=cY-LFp26 z-Fpn%GuS$gz5#1HNFZ^0AgRl6#|3J9J}AdBU2UuL`e%OO7%{`aUxf}oNrdgzrLTwt z@GC4=Tm{qML#1uF^chxgLB;b`3MXFEX6>KwLsX~F$fBm4b=NqNl2Gg@R{w@+_vdqG zjCLe5;=TKK?b_DiwkxR-jpvrX-IgHMnK9v&SG*rBFBs}S@fHKdsnvCuc=CeeP6N$j z6Mj~&udF@Xd0A5OJcbOt1!~<=gZ#q6?j%qRPefKp!=v0(`13+&>l{ol04(R0o@YT2 zJJNr`zPB6<9xsQ?^QhQb4kB@)2RD8d7svGVslQ(uitBR`j9JFPj%W8A7PA07UULfQ zGJX{=DgKe9jtq10t0Tpv4?+K^jA4oL=2$gNPFZyChBR-9HNz3zZ`iYb`9|w!OIlYv z+>4dMxwe+a`34$>K9ybRcmawu8}!;|=8kfTpPE-1UC?s-JILI2AYvMw{`{xo3pDKX z$%ZKx=;h;|W}SLJ8}ySHJ$i;AmQ(QOB`-}_`ZD(W=9lH{(SSoCucBhJp8FZ=&)XgV zH{Yyk-32oKd6Hhg zspsc+I~%qPkNaVlRS^b|&kfiV5AXI>YpD?0WlZqWZpjn0&=S%mcL7^|GW)xM4MEEf zZS4gli)$MxSvRNMUI_I$K2%T!!})I_H#34aBzxxhtvlR>vTAM|&ZZ4v{LHbF-`WxD zeRUO3F0TV=)g{M!J!PBNnG#+NEy(_CBvBrd9d_cHu8qecS&156z z#0)^Pu`;_l&4a}@Es1Uk;fmjH8TF3Gw!lRB*Gv;WyhVs!%YKv08Yc8wNXiz+LRpZb zHn}g)3?zq51A7O$Y=oD~P*VNrUlcK?j%28rkz%D_v6FonR&PZZ4`_Ly{*L-Qv6L5Rx(A zUC((ATs=PhK=aTkop&>v6B)ihMu8r$dRMR#9xM*3%};j4 
zaB^VW-qbGKz-V|HK#t$_AtwBXw6fTYk7f0tyqf@{28lVSWr9Kq*Zdk<2`_O5p@cI> zT>G!x9Zy9zC-~ww=5!=1*pD434wRuMqv_-dw|IpIrDR)M6z;pZ3sY zHuIO^Ga^o=>bPbEjbua$i4)ZCpbzIOQ1$zjQ6KVSj15=Qmfn7RobSeef%xoF)Q@12Mk-lsy#ja3TvmqsEh>da_)N z4wv+@qw>gw-^|?>$0IfMjbb)V;0Gf!{M$Dk8}Z?smwj!n2r-jvH}2-%f{DA#!lLsv z36SvOQ=J?B5T{y`fbMvR`mJt{7BT+WoX4T_@q}Ay!!%-5LReJ8YA%w7`6-m7#VClJ z_-SOrYH!)T^F!}$$>~VO6%!tS0f>N9<@>~fh*>lCm5GC1NI$v$dGe`}85y6aPMS7&615hD3>+}-O||@2e5WTosCmA;@%lik#Bc)xxTm$4nf<0c zhog%^&v%zwivKml>pD%3ORc-Gfl!Qz*@l#}R9A%B(e9{5_*p>I_iBEN=@~T%37J-B zgR%nFYJAAfZ!bNb$zgmgH1 zzCZ7=WCs7G8`S&r=F$=e|$M1qt% zHHC^-A@o0HukSYVrzJ+O8wvS5Ei@khNTdVA4CIXWYf}au35l?$)rcayg zyPOcm#4=lIa%dT z{@Ss-u96CiZ%;{7?A`^r@}F^2Xz_NIn$yx2&15xv?ucQ7;>Gjm!^aC(iUM4AUl(q- zH!`MasOU+8^vzsXkRJ+63yk63qZF$q5rA0(QKqqo-B~6=RP-$TS^=LcI}qf=|9LtS zmE%zzaqEKVY|0uiVEz8}`;!8U>2owUUW@&^c*#-Ty-Y@_^)A5_-3cw(rOmM3u3C2Q zs^82PJU3(JW?6>~NzD;8M^PEw4R1)iyT2BWLdJv8k*>Z?F4I4skM*YN3C z5r>J0Z9nA7NDq(_&-{Hmf{gwglESmyUC6k4gOU%T%i2oIl^P<;w5;?S3Ni9^yqIw1 zk9~mpP`AiICZ_IoL(@S0)yG$hN|$N0{(3_tN=m%?=$ei1?AeDFE*m@?H5an{!aD-w zDBn|i5QXnGb}o1%R8?c@l!@p$Q0s;Ec0gSs_xT%N?vh>65t=i%F}lSSEeON*Qy+xa ztfyKV|~)VmIwdF%@H(~=qa>Ps&&~0^=JSs zp?V<67hUEZ%iM(drS)-pp=mf@Jx4Z-@=}QKpV*DElo}bEEv^<*P*~WWUp7uQ(!}br z9gMfXR!-m=^LY26;AyR6UGMiD%P-v}FLtMk-6z}Zlp}xjDnCT4*vCirExi9YVmoxp zwG>P%&b|352fve{*=L+2;Y$xGZ;@}ru%R_QzVjfAYVA7}3$hw_vEpdcQbwLvu8C6t_Psfoa zrDo2F2ov~%Kp*c5-dyI+%q2^~kY;ROep7)xwc8jW2!#aHBWjX6HQN#*8wffS2RWfY)+0r zU>U2}872<^@c-17Y{pp#WPF4(EFFiOGZT~4Mv6OB4`E2+Dak^e%@*VlPmUDze!FF1 zkUz6|yu~*md{c%$+fN$sVN+m&mvRXHx|nLXYJ1M<^J8jD)43Umf&MN0;Ae`PnOpT< zn!i(U84I$8A&0makC>BDUJ9CLBtJJ#FQ$Hh&Aa0fTw(OYzuBmzNhlFLgFf`aS*wLO z7G;TPy-Ira(+olYlDZQS#DeH3inIm~)oxIsh&I&+ zR1T|6%$$z6IqEKEonnt7Oice=-ZdO`{kLvKhJEb2B`_s5lIN7*SQf>^@3$hD`>=^v zKkMRFy~VHr&45jKBVxYU-Ftu7zjNX>>#(!@kK3(P+w1H1amfaK7&xzB)wlHDOFWP33x?oKv}@hh+|#>77#wMICOn0k}c2&x@O0KY3Ck}-I{L`#E2n$-6l z6@v64Htyn$lHC?s1^&b2XoL^3vtPZQAfE^Yp=Qt{dtMs{_!LveY6lLs8j(KPm@PlR z;XHVi*B$l5P6?ZTO{p%#A32Pu@euaJ4vM{5&>B(eBTo5YXdGh+;kLjeUDBe>-i1}v 
zmG20(K^j(&iiHs@K$(PS4&ONc241G5c;aSC`i16h}?IoWZNSDGR?u1Kpn5<|Xvp6(Gc zRIYcp9HUAF+y!W618A=G+QIYtCyj)8VMs*TuA0xR#%XM$Z><5I1nup&3FxiQ?Mh*I z(JE$+#-kAxKAMv974ft%#$i<#a{mpeg;&*$bvT!)+_S+K*XCZW{X6vRd<<903G zG7+3@%j}am&u@o9;S1#}oo$RRK5<))x=lg{#j(hUb3YP21E?5?(5QnAh~iaU()JU+G$uy`O%c3h<46lnx%UEu()SI^(Lm`u=|pT<4C> zik;|+L$zo+6}lzkUC3|mdN{U6a8y-rOkdSg8C=CM36;K9TOhO6m?83n zN1P$M5*fLj(~?#9NB8ZJJh?RN*YcTLYT7w_78@4;T>(TP3Oh&pP{+UwhhlAIuY%x5 zf0+X|<68#@6tpy9q31DDCXnevB~*0Fax_)kbKe}d29LHq%-hY?@Kns3y(8PgyZwuR z-df1nsQVwc$zos?q3|-@)Ake{CLud%I&^#X*t&ykDuGuK-J?=dAQA^faAl@KDC;Ug zd>0u;61t6;2@zIoc#e>=0Q3KT02HK~e=xzQ&HZis0~?0istd|l3p}r{o^?{yKLImH z<_T47n}uU|O1%5#rcB?e(Qd$o_4I1f zXeTqhE`i?_7Umduzf6*od)M$xcMs6EtvD>5XmG;~IwSiHXkNYXy-GMre79{9_gtoc z4>(BgJye07==ns|RU1J5#$$KfH;bW5@SZdKS&)^mttb}g^RVrMNJMJl;8>(OZeL>i z^o*s>N(X)2-7R1tsNP3YAAE$G0RMpXw{bih#{_nbkHjeTLlE1We5NKb?_c4Og#G7k zIMrw0y0YJ;6}V;E?^qh{=fyi+yMhdcC_Bva>&#rpsB!1P(MWit=+P>Hx+`2JlQQe% z7o)q^w{PkxPRmgc$5)qCuxYYWIGA(rf?I=H`OwTLe?j?cHyo_X z(>G($sGmJy$#j|}_>PvG^%{F+>=Tj6*#7<66mQ>t|0yW+@_G94#e+O0Ue3JwM7g#m z^jxI}$lyl5j~bBvfrqgGwDZJQ_{;k0==iWG#Ich~CdGk@86VkYlbZ6^(C`G`z89e1 z2V(*lC|x87x5(_0g^v_7!s?l$7UvdntzhsCX`TKYtOscyc`nw1SCRo@;tg5AOWySv;qe=#3+n+0|7% z1vPf23=0!cYIlBqr`ZB2o_P|OM@m1DX5A`WG}mtaJs|Tsos`EOR&|^cb30#3(e{9Al=$8RZPvE-wmMcEq5wjp`3?o{USBl_zi<<1Nn3nDbWDh*%@$ug zWyX~}3^4d*huWON-^5WdsDPp2-7K^!S^t1#U-ZOmle>mx^VYKh6yCAsY<6UPD3Hm8 zn4Yz5Y*SIZNl`J4t1_aI=OCgM23PrvF1`GMfpvb#B$CS8QDa}}{v}6^&-ktC6t~&@ z#oNc{`_#0w8zq{f_XLaSodQ5~(6voTv>*S%a?)PN|NixJ-IEUG_)070RM*YkkDq?9 zn(p%z)ZU7oA51;MQYqQx;hCOsGTcd=y&H<{9_ZJbiQ#-rm(mwfIV-6rOfQB>R+9%k zvNm(uBDfJC1B@BKw!`$RX^+ab-rkJp#U1b<22w%5B9tY$`&xHHe$S#b=yc#p>eH~J zx2(TqDYzB*P6N@KkNj0v>bycD;Lxn0I=P&mbn|H(|Kr>HF^v^|xtLvEjrE^$KDdQS zo&)$A09QzvvqT)}{nE1sjd+E@_thn!0`jp7Mn3yqmsWToR zBBl`w*(k6;8S4G^D3EFuvjMi2pjC zCtB4O?{I%cEhjhM0D663ZFHx}QYx?*cDKx%Y4`;L)t+97_5_!n>J7KA5L4GueXX&v zMUzQ6v*9p1*qIS4@Iy|1!D3s4m-|5#?1Y%VE;VnLFI`U$kmNWCRJlP5G{EeeYOrT* z*47@InJd}XtT1zn{{_u&(Jd`@8#no!KqN8PMb5zBMe+E2Xk@l4>5-JUqy!c5Q$Wq+ 
ziq@xjAU@cod)`8YXrF@OBZdvww6h{mK+t;P`;C~lEVbi`XBj6l&a=OqjeRUCDblZX zYjr3knT-?upf)-sUc}Iqh&_6ZPOIESJg4^dmht#1XmI(g#vjh-Ec&LMO7ZZj?qiBT z|5*I5y4z(|;ZPD1qM*)|j`4-ZLZ(tUiiQI+9_arHG53jGO z1qB$JU^P7)P8F>{QrYneJNr!; z1zH=D4@#UaCBf#ftm}O=_=m+?Ya5d#M=xwng2V^=kY8e>=y9kyIrdV^x>@;%Ks7sm zXNXPKY<&WEA(-NhEh9k-t`ey8#N5lzzvoY8hmxc-N_TlS6bxYGanK$G1|k6V7a+(u4X=3qI6<8Iv%${ob8i&Vbbue{)A}lpI;;(VIclF*2jG+7qir-i{iqTyxXfKgI;h<=Ju&ef0vQZHyLLEOJ#2Qb(y*XY zLUo*X72JwfMZgb62CSN{zMiGi?iIIZeOv_KeWor(N`a1yrKH69F4=3XS?DXM!H=+%7+K^!{`tEB7eU#R5l9%Wt{-1D zoWss^9l0Kd2~O`ZP_xp+&dpRlz`7A&JS+bMf(7iS{!EE|-Wevjv^{a9hY32@ycv2{ zKo+FTKjiVVGCL8J)*}^0t0gqNU5q z&45#wLS$t!@~fS#kSt|BJz@pLzzPkfXN%s5uArvu@bH0Pn%pK%xu)FDfArJJ-dS0q zEG#Ub`_ly+v5_X1bHgwS>`tc5wp;|HScq)wAs)|yQ!*e>8fUNs`~*vYM1V}25u5je z7W^WyPAnDzYu}bHzcM4fR49y23sXM7r#i0I+1*SstI+!d3zPl1xbO-4By8e>ymR3G zwX6><*l?N~KLio6m$UAI7$$HbGBJ0;jX=1webHa&DGQtyLh{C=uMEm$N;~a>Z`cUY z`3`^i$Fm!fs?9rvRC3f~G|gCA=x&!0xUEGLuD~ugx3}9Y1fgNjwe5|{#w%_>*t6ZK zsXcV!-t}~fJnun5?tU%7X}e0zTvi8H>HgbkCWS+RaPO#VoHG? 
zn3m0G1o!W2cOQTHK#oYE9zsoVHvUN^zv2~tEl}k(4;>bcO`4svLLK%6ryrzZ*7p15 zTE3LyS5`x6eWLZetDCWH$;#%M9}|O)2|vK66>!=N+af9rRUZ%XH@SOtkKg-iC7v)D zMnV7HallV`04=BqqjL`~ZC9ZyIW5 z#Hv(^IfC>4&@auKm^$o)0pEk#pP?)UsT5IB;Y3FUcbl|4fgB@hNOH3VjK2$DZmYhA9*+-;4f5;V;qHA2tYI6e zE=d|2z9q>dd!Vj+OJa?JQdU_3>P*+P34}yeJQ*q;@VB5R&*kFK1E72CTK?4=&tu+E zBnRC%(k-1qzOL$M>i}#ROzBC7d7H$3KPan*OusuRC-1_Hq~pdADPOVmkqX^Jb85c< zs=?@CBM&IvDdn1X1!pTIlB7aew+WA*203r^huD>+qRJJjS|fr*m~CSG8TGejCac}j zRLK@02wTvZy3`Y~u`Y@qiX*I>W|r-1+mC-XWPSGqbWBH{BlVY0&g~y{)d;-MW}5u; z-)|&ie*nW*_&9Kj8~f4@#FaWOF4qB4(yxg9geHZUblburisnM0Pn_UL^_sdP`5!0P zBO;VP=(;deOggzC6(!-Vo}b!z<`L%M(o#poum1RmOQ-oA@WDXocQX#3^fE&*tu{M| zQ_D5_wt*B73Bu(Q@Dx7s1p-y6?y@d3Vek*o)d0GaR#+Jeq6a`##PMeZx}pN)pSxoc zU`__MXDke7V*1-YbVeq`48+J30@zQbX!UapU1x*(v&pcYT_1^fuE+FHJ9MVjY#NW_7mo0N4aoqZK)B?u*J^5nai*{G^xz`}?m}wxw3jsT}f| z-%0)@zjx&*C@2@mYs$B;cHz6AQLFQl@|bhD)R0`Dy|c5MdQz?;E-BfzvPn+QkK@lA zw>Zg`q=`sfN|rG^DX3VQo_-voJ9&Jb$al5c>3nOerF*?zxoKp&((uXjep|c3h8s0f zrweNV*jnM@QPmsnPi+DtoH33UV-k?vdE8#I&>jBJmN&O8FTUXlE`{m~U4h$cXn-Dyvw5-1( zk2QH4-{?dD%DZcJN7e>?s!h|6$=bEq6x3`Z&d-%VRwIVdFxXd(%8dW>=7u|oLCjM% zxc7#5wl*mK1eZl;+pcb&6r%ygU{Pr*b5~dTmkXdGF_)KAH-FWHh|^Kd{;4mn6d{N` zZj>gJ$#nmHO>J#XWu0@>ZSX@A>>WORqKdi?pLlCzLlpk31)-6@oJSf@L}8jfpiJtV9M$c+&X(2CC%xf+Co-ePXLHAMgN6Hzyh*qC z__zZqT1#+@1$Iw)!{ZVs(yOGyCIqyp?VX{)4l4I~=KWFW8(G7WQ)2s~%EfIA3LT!7 z6U!lU>v-vc_D;oW1(s;#8ghDi8XobiH59Ryxhh#YUR@kioZGWyi^YI+O8BF7!;kML zHUIW9*!Pg!?g?jzQC_m*KD=yN^D5QH>n7n0-5k=c^EkXlyI|6-bo6fSOA`kCMN2^m z<8C{9Zc$#h|DZ9TVqY6+vfX3vt0MdaBeaQ_xIHahK{h3~U5ZJdk)UzmTkBFrT?umI zpwEKgOG-L*lz%%VM9he@+OPS6z*2?Y$@`nLD@^0F;!s>uoae}BXKgT+t9TiB{r zBZI^bEh@6ck)Sp|sw-!67~_81pnr~z@U9%A-HHM5Pks^-bG6by`11}Ib$GZqgXFJ> zCm{F%_!&u+4wT?S9bU6YuMcAgiE0XK&`Z4et@6!#YuBiA%`S)f-}6twZnWUW0m0v? 
zyL3T{;!q|WnfMdDK~Cq&`bawv%j*V8iGwX}O^(?9zW&w*>>7|-Ce4%CCTP=mCtm+{ z#oIA59WQhKdqzZUu*v^uYZ3fP^8f$oAA9+~9tkj6iy3VPun>nQ|1pYtyXY{^+TUAm zywS7OL+lSh_qMoxEz#e#?9~Z2#nbuM2!kd3l8zJw(|@TPB9;6PA4G>o#-0dSG$XwoNNwLBg2(q6l*Xfnd4MKu?YxEceg4tT zsRD)q0ERm5vGnj-5UjJMrp{(^?jR=5$gr+W`j{*@xV5};+MblGEVQ(040><^f_`%# z#r1XLN00$Yr*J2p=2^$dyeliOkh42Q0Ld_dkFOY$`8gjpcGS_O8{3%1a$5u-Zx76j zc>J{*0s%#7w-HV;-X{dAC;O_BAgI?jha(ug<%Q7 zWL@v4dByB2?CNM+aLNXP*XOcHEtjQKU%m8mp({4r+*O8n<9M`P-DD7Hb>dhCrMdZ_ zf19vyW+v2-r56<)-lo>p>{hN3cN-IY3GUT_O*k5v^%?~Qg@Uv3nQ2k9Ef}A3J7zF_ z{wXdoh^`LuOx91Au&@CBA#b;ez`D-(l7$7?KO+&b)^TLcoQ9nu2<-A(yfq$Mb$67_ zj2~j=w5#`=g!_a3CAUFeJmj+|u0iP|HA7wzG0fpHIY${a|54=J@$bEBKcfX+qAWSeR#uIeZ6cU>KcIx+Y3j!#wl;v3^iMn>1*LoZ9UgC`NIJ@CF}&VRc7LB_afgPy3qP(8^JfCoJ^A zjJL4xwV`s*e_c}7=E!^FN>wnzumW{4$Jpf7>+>SlnHdDIla5nU-&_PXF4j9kv1@c# z?*Q$h?&TvOwFZu1Og%3%zdZ2NdJ29$$;*3%<1Z6}4%V|IMs!NQ#6&_Sd^E&qxlfvY z3mdI_Ho7}T*~JaG{uxA#3lLjHilvAM&fs1%l$MQ?r7i0v*!6ENPm3X+eXE(FIsNRc zKM%i#RwyOSX&@TVYQ3TH!Bbo4fEKrl&MAYm;g4R)J1A(7z=hIB@AEepKkEMRD&QX;IkBTAK-a!+Q0*n3o0v zY9F??bY1vTOe@4X+n7C;pUWn5U3snicY_P82uxXtxf!$Nv3R?wz1{h9j!$d)0QWr^ zFm24}wJ-!QF@=XfBQ&hpY6bqjm7-{h2bs^Hbm~c1Rg#lESIxEOxwGrxWgWa!2`)h9 zkxCXdW!HWidYf9`K$dDCvUrb2)~_PI+Ejyr1J0~7V~L^rKy3^@qrK@2L}(LCUvq1sUu%9YqF9F zzJ0~;8DLsESXjFYrKT!J==xVlmz31mC8j58h`9E)JS0eJ`H1J`$o`8q8nP^6BAr%) z;NGw4(@yP<*gFS^V|!1zPq?cb@z9mWaR1vA6)R%+SLXhc+&Vc9ZTZ5yq?_B%HOkv1 zGg~DykH^OMN<0tSM@{~`yLgETRbW5S!8M<To~6(6C%*I2=ZYt@FAgt8>OV~ugs z(f5PT8573CyK5LNqwJpIM5j_}^1Ur)+!Q?blWz|esw^nRG+55iT z6$Rm7h?8p_!iNtcIy<}C=QpkhTpmt>7O_FV7H&Kieg@fvd?W(<00S)C0C?)+na45j zUo+Bz7W=->N%#ZmOTk(Oy6g~xAq4$1aIgqOq!bYm(Cy2C`bJ*WgEV%ud5pmJ5KSQi zcX86oJ+3cS%R^^riB6+DWzVuPbcW!yb%Yv|S4v9CyUvehZhX$ZI8*iJtOmAnmMna7 zxUE}ua+*p#k!z+v9{3B0Y?8jc&zsQxllu^5cFPubXM0S64Rl$eTjrqi9t;S`O6+=4V- zy6|&_UHUGA=JBEaWGYPniPW-j;kH}CGE%Pz&k8=u$PL*9)65S9R%2@*o6=(gjm?v& zD4ne~ewLfb{Kf?zd*cXF*4C1_{mi&m`^87&=OjG?cBk(M0;2QNI#;q%ci+;=O$+x_ z9KRy~E0m{kMr)bvP1K1;loELdvcLy^p!T3<3h8Dc|ITJZBCnEiA0X@E#E&ZV^mYJS 
zjD>hybZWqk2d&k@;n~TiFz-Dcvu#BQ2}v`nFNS;l`OdS{zyR*)))ty)e7m~9{=724 z86+emV!2Fi@vO6w79oRTpx!fU5`XI?>5#`JSMQW+FCQ4Kt@5z*r|hy*1f86CGi@8~ z@FeseJG*^-fn4@Yc8@-DtdmqwT~VT8c_#FIr|uw8z*aA#_1`efrO4wT&H#e5{ObIg zE%yDViQGwNj^-Wudj?k-Ppd@Pg+5y4Gg*9G7XToIw1E7-c`S@qRo&rJQnIxF^us~EUJ8x(7Bk>aFN1^=yhW*=Wc#4Rha zL75CxX+wB2H%sO8*e=v3Bk~hxA@ZARU_>C3x76 zooCajqH!YraLoDuyRu>@dp($WrylSBKudJ!q(Mwz;y^{e;|>)Sum}ovl(i*_9Ifw> zYHwS%skL#_l3)K@Om{hu1u@N1lTcSC{ED3fm-L@9-C2s^v>%Vr{@<{u0ea-%U%=>B z8R3UyOpFeD+{6Ko#IOH%t^YtA!b%J?^?lr$aRVplahgW|i!sbT1a1Y*dZchpquBrV zyMD8p|6RPmh9bXv5?+#=n0Ipu)@33W_Od%ynwRVcKb6i6bMXd?QPK~ob5}gg`7gqD zNMOvJ;P3B$7d*Ku)&l#N$aKoF{D2?9S?Tp2Wv!$UAjJnJhDC#%;6qKnd}*H<;mO+w zKC$5)@94waVyPC6HCT>l5S)JL{tlFZXdoGDwAcXNM%g_OC#d96&H(BkI5Yc)%A&mx zVg`DpZakpd)F4{xdvdjwJHFpN;GWE08#JxJS1CA+54ldPbHCmkXp{%u|BTr`#J}B> z>Cm&`05%la$u7Z+J@4Osw7sZkAeR1P8WIzBtRIx=g+=6YI+9}89`7(&yE7Ve0CNisGNe@Xg;kS?P@(nJbh;;?%D!hr=#-Do_Ei3;ZG)kdkEqxrcuIH ze*5PP`+K#+BO0W2)1^9%OeJVQVw^VAdfR2jEDXFI8UA3qa3A={VBunA&I~E3wciD% z%Zi#`di>fwGIK9i9jiv>vA>s?w|@rc+>Flrw*lB)T7lxw{ls=&8Uz-GcUalULaOnI zE=C38DpBKN=^f^WzA3ZE_g=0XjS5OzB z1t7R|`7*Q8ah`XHwm?<8C)bb8_p9da_tzd3?Aj$SG3sX4RV+G8bzMO1>n?OfT z59*`3T0dHC!qV4GF4C)?|)!|A< zM}NL*BIeuvIdgUNsgUrr+(54p*g-%KcIXYg%%0)4JKh!}Gvg;eYNZmcOc*2Y9gX7w zdiU(Ij11JlB0@xqZR6IxAIhC01PJbS(uWe$-=S%x_Sh%24FTQc%ER?giREPu)yk8- zqK=I)_XXY8m1~-l9MsK(QSukxp)Ihoq4#wJ>5P;z9#{@D4WhKc$-6HO#RT+4x_hp_ zeLsVIEnUJPaOsh)+X#4PaYYBpy?0twFO+qtf&QKM`6yIYT~12Mk~yMV(OUK%=;cHR z-itWs*O8os9WB8RK*nS(MCn{l?-bx5YkkkM(yc9+*$F>oz_)dafk9yPyT3$G`j7*U z2cr`{qr)dzuv&pB0{%*cjlfa~sBOLX{qBLLCYbQPy#O>jMW)?vjr)>RjNb8TJ5pr- zP%g5Y5e7-o^%ZOZ^imEvpr}eDjaahlx*(_r*DFz%JpED0`lqw!tXd_kuUoV7gOX+{ ztU;$7*N~Sy$bDr7PMB7nHW`4O3>S`Cr?qNrl8f8XL1EN`5H_nQk&Xj>KL2Fz02%uo9pxt~9 zfQTlbY!?79Mu2H+Zh$*4SY*YKJ8scr#9Qjt`Tp6Tful`T6{1H}lHJ{O^Uf!0*KNr9 z9(CZ&q6LZuKo2sWS+5j;vRen7Z!}ynXJlj?tbh{s1YcAFICAohja^-5l5FmnGc$9f zn1~|<<-i%eu) zo?pvFoNz!S9MslAJ<4`HedB-!NE08@`uFA?3f(I{U{NZU_t8oG!w0~tz+fMHS8CWZ 
zqm}oY^1V3zsq4;B-`*8P!h&lOy4x8iq=g}xUH6s5TSDqe-@~Jg$;0skd&i2ikb&G8 zr{WTWL9rU2KI zTsS>zMTUsrLByAqmL@UIIU}RPy3s>Kl!0L!-x!IY)B5pO_=MXW&N%bUwE_xNo(@zz zXDiOx&Gm_>U3_1HPAi=JO7bAl1v|FVlnW$o0#tL64@rtGj+j7z)a6-69o3?^SIg_? zV{x#sKEVN(PyMxDxB2?plUMVuNHxGuu-rnfeqLc#WO&jg(cO(iC+r>nCNlj)7x#)X zC7@K0Q*|DMAXxFj@cS#b{maebmoi(%2HB$Ill<(MR!$VBzrE3_W^%U**gD8lD4ZJ@ zaSGFek_)n47Mk^z$(V|tFjX9Ra*eoNz4{meWJt)-ZX)3F%VoCBOI~@C?r=xPDH?;s ztoUQT0Og$h4BXjO1nCqsn-j=H^m3gRSPj}7U{z_cgEkC-+-|(Lm$d*T|NI-VaB$|Y z|NKd@n{C5;@qI?!_N=P3F*x##nzovpv(%lOEiyE)#rzibYO_{b(ijy!6dQ{w`$kY{ zE~J*1NBJm3ml&L2Xjzi1ecCAcm~Uhpg5Ctgyb-!zN0t^PK9JodVk!X#wyA~1dK3v% zK~s|@MC`<7n5WcI$k@BN$xy|^t1ZJwnS|txnp*d^!x_3~#%9zydle?&iaMwDJ zYEuOT2{?fR)18PHVHCP)h&C?DIXrMq-;$M6>NF@{w5=wMp^_!d$i%Erd#_csb(*Jx zLaV;(GdljxZh2FGd=B+MI-Q`(aD$op_K!)2UJ8oqh>sUw)<$!kDK$fYLid!MS2hDeQoTWcnnXqm=xnFtHb~# zZGZj@R8cNRXB42g-RL$+W~{4xZXY7Nf9vqtmuAD>hG0xh&1hq_#1?+>rGH`c^*{k! z6Ag^QTPzRa7@D8&KOBSI?7Hj#<^Aan690Q4t8p9R-eU&spNkIxaekQi=` zd$f(#w^hWBC@o_mEcWW|z5tT6c4l)|W3u5R(z$ z-ier^wE9Mfs-juO^U^`YOiP#XQ;`KBTwH7u@wCzU`n#b)N1_YBe;;JGHiOhPj@v<~ zyZh;jg}lHQwj9r%#ZMg(gXdg8+ws!j^4BKf4L}15$2|7xd&0aY`hzPzdfyz>DnJqn z$i#XJ^K;;c-tWy8Q;;%RRXQtO*xR`Ip(_WAN9WEKD+*dqgk@ZfiB&w71%Y48RK1VNe}O0=Y&|_a%)>V$QjKB+p+i0FSW^ zIJ_J!78D&VsY66haIC-VF{>-|blurRoiP|+5E+SGp|{xWF}h5pgq`o>%WCYq7-We^ zEw>DejLgYv4zUbgicvodQ#5M!u-C>Zn|P!7ZHQc2svl(A#;ikI-!ha_bGOmZvKFls zQ-?D0QFzrU&YppojWVVe$JfphZ<$scrn}q`n5)orTyC24Th0D=kuzUh8&_oqs?MP? zKp)yqKu9hPSX#-{_(8Z1Amsin zSD3CPbb~EEfgEs{SFxeT*}buR8(CjYje~lao(aWYOejm!{4p+^CF6z^MOIwivi6uB?7@$|q0BZRlD0u8F5}7O}_udf? 
z&1@?UfrJ1b0+0ll_|8#-4pdvWD!BAIM6T}e+}tYwyWc!a7_Cjt-jWiCA?UR*Ald*k z`fgQ|(D>w+L&fy(bn^^4cB*+tCv1Ns+W00it(de-HAo8^F9<98l@B{ZnAt=l!d00; zGJ%gk=FRV;JU2$65sb&(`3X?+-QSLk2&%hchAr#< zC4S=PJ&lhILs!fDj90X}&7$))g651@+J;(5m6+Chfk4O-(Df^u_n3KkBOUNXB%0g& zdB-OVi$8AuvRpB;Az;t;J}j{VgoeS9m9^fj2oR>I-C~l6yn9P5tiIH)*MLVcRQI(k zu$5`N>_gpt?NR(=L;Ug;@my^rSVn$ILl3#k-+%5`Sm7~5A9aurQV|KSBBu5S=_ja& zRI~cf7UBGmfhnGBLCEm~=*7gsrg-K6N!2)L)LjjL^>V1^iK941T`w{$Dm_H*pjd&<@EhE474=sR_r)E!D0yq(syh6-Yh^(u2f zj?bxo*Gf@%g@*fIsEdS}eyz5DM{ZOokT}`YV81zFW3=(vc-MUu* zpVbF<>fjC`lK%)|TMjH%X!kR5Ud;F}3_%VZhQ}cR@k-FUFD}qge=?PzK?_bU7;j&{ zBVS3r0yU)nDUa32@pTB={v`RYh4Vs&Ld2K1io|Hs0lMvusZO_)Qt;CSBTv)RO)VRx zq~^JYCp>)r1nD--z4sC1P3~$L8{NAy5vdSbHW5{ro^H%ut{hl85-_#I>)j6u2%ss` zy$Km4#MCdXt)Bp+XJ^;OpOif{@aH1z%wcbeNrO6SA;snd1l7@iPm|H#kN25l>?U&y zrk+*-(N=Q-67lQT=Cub1;UMKGt0>dkL((qU+{hE?fECc>q=5WD6F5=%=Q0qVRAlp>@D8{CZ0+b$YwmYNVj(n%K1L#KH~sieJ4Czl?-&_GUGw}fhAVRkofWA)QpTzgRgacTbHVGP63Rn$DIJc zSGaCwiLu|z9}YF$os`EDv!t?|cYMF$xUgZYSlb)IcJBNvO^+zEzlhLEs%ZMXJHDug zRK7ZybXgM0)XYgf>UcA-0qxmAQG#x!*?^kpYHgzNm9_=$#z4{<*zo*g>$f`LN`Bfk%j6Sd7|S6cD&)t4k~z86 zb=Ds>H7SO;iY0?nD1!WBW1Fh-3$X)d*lUw2D#pJM%7Q|$X_DHK2AA=vStx91Cgs2% zy|6R?l;?%Pp37%;9hW%{V8bQ@st)Mev+YydPet)HR8;wZqNAZUrQ6Z^8J7v_{un?p zQj6Ge;V-(s-JF(}XTZYkXDIOGDJik*?(Q+^zw)_4pgdA`3p`mmrOz4~c}K@|EIZY( zH|NY#KmrM<7RAm}w#f)Y>ELBwO}hb^Jqm1YR?X@k?LE;vRzn70Os1f!?GFV$65j?r zEjJ4*UM5jX{(xwXo9tMhJB~9>(X+}c4=Fd7;38ff&nLhMp;XUfr%V*NCFAk4p@8cN zsjCP&VGWw-sq}B1>)X-4c$YWCWR}A@Mv5*kHCF6obxyNKtuAG1e&Z88jFaE~T}Z?O ze>43axnN|WBt^i?ITKF{Jw`~7SwWerKw?RPtBmjH z>;-wp3>;KjZQk55Q3#^DS-{ zm1j!uy@b9Alt6vRC9*0J543?~UM@))7_4-qaE9#`us>su#C6`aLY9jaaSW}E#PO!=^BCJ1S~?vHy->DUJK2Oa zeIMC&~tlK+RkA78M;~`0=tTb23n2j+yswA(xbdvz&eRP9D-;(^yN%hS7 zj&TZ~QhFWg1EA38SucsK{@89{qg3!&X5n%!3Lm%b0sjm$fIjukfAfKJ*=WTI`YN>j zPqx@u`{Oe!3yY=329$PIU!szuCHse!5+J6aWfXLH(YK$g?O{>K&y=2)?s8?A(gX&i zFBd{Q^GhR4k}q+Fii^>MZFu&WC9&JW8kSOu+cH+{gzxpl1`QEy>*WeQ$rFz^G-i z;EQcpzOky^Z2^#hZ_xs*8D`r0(DqzG(fgKrP5Nsoqh7AKUNCD8I6pb7GumGw>U4yJ 
zKl%r$w83qIHgA8X8AZscf`FEpUhdH40R$MNF%g9s1vsC7aYaTY@Gqj|cmBvkh1b|> zXEJ(bfFmaW7=UJ%mw#$HJ*{{SCW~=_7KD%Q$frufatxxF(68CqzT?qN`Q?n+%5Pr_ zgt-LlJ_h+cy)WJ|Gm~a~0!XkrRt{d<75@kgeE|3bMGGxIf|B5#J_&E%j$F_v!1A%& zSpuce#b`ifwQ^7u$L+y1zW4w*xq-0XVp)1);0sc8kOA<|QEO)3OtO(OdYGE34>o&P zvJ32h9EV<&Y36e=VM?gq$l8wX3)U=-R729ZJZU!>VE{dU^YIx1;k*;h^js|2&reoM zndJQ!PPwN~6UEeem%J~z$b&>qdhH%6#>#5ByQ2_Xc)1O#i#5mjA5)@}ryBDMD@-Jj zT^x{6euyP66Hq?-146bSV-VQu07~}XO{y1;OxU7teUK}7*7sYnuj?nMCDDd23uIcm zv_k*~9gGE#QyExPl+nX5(WT)%?Xa#r2_mw4y_izZ2ct2X?wvAs+fWKV8BYZhcX*#a z57&G>DGYP{8GPEry0aQNdfj=^fj|2(CF9ebZJU^fB&zCe{$4Fuo^Z)Pn4jOhWkSNq zqg}jtFhOQ9RIlN<6WWXbazXYxF5YKeu%K?x0a7&P8T(|CQ)QhD?g3z}xrMmRwc;g= z5Xdt4-tiq&rr=As4v$n@_-S+2xZ*J77k5EQtx0wI9L?wW<#)E9N3H>L+V&*~ViPYhbrCA8RRX+*77h*{G)S+=%z)^6gkE z=122CcW*)eX3UXw02im(cW%q@^^4u7ja9T) z-%UpjhFGo7oC^29HhjXuUx*4oV{}|gSCrGPF6j8~`tf7De?Y*-Anl1X5<=s)FxL!< zYXpK>yget44gg_Z?FLJ8R5P1fSnjG?A8iQ>&$x^Sw9%Tj(s~?p@ps))c4pnj#S!;> zPXQyhTeZ8t`_l?`V^%$UT`cmQS~SQV7zFu(WRel2jtN1)BzXbhuWlni1-kjg25<~z zl1Fbmio@drK)JsTWZokP)TA?WQwDfeB-BR6*lC(r38GOU%aiCk$F$DjaUY|s( zpr{|l>&yz%q>w$C&(d*NX(bYy7}za;t~chJPWQztF+F$- zRNN0^v3Ac&^$zMmIzc&ocI~Gfa^|>83;bIh@Wmt)wM68)pBe@CWc^M{{PW}Rx~8zz zVc|F5M5HbnKnbvs;wrJcKC$zMkD`Cl9^SuyOTeRq^y|^5%wEkhKTw_r%Bf~!62gYK z0(-jKfmXmcRH%rAg{8>BJ`~7LZot2oxsJB^iNM=>}J-Z-v zfBEhmFA}haEw0HI@G~Wl zqx<&;_Syi=o;PT-4FTpQz!yQkYo+P3Qs;K2$^yx^Vl1rDlju@TAE{-ByA7M5v0zYG zC89b#?yw5<>FJ$aXyvfL9! 
zGoe|KR-L(pUJ1JJVj@ftWVvHPc~U0J;ijxyFGuUd_Uq>f4VlhVpC%#)6cDqm3c-&c zj1k!4Iqin9$Dh<#!y;OK&5cS-BM*=v`05?$SoX>Atd-Fd1s3}m3kIf4J?^-@UsE-P z+N;Oe2i4}Iji;{yqdCK$yW>0c+|_b;Rq3v12)+s%6}k?G`qrM@CWxS6G`@~8ou$-J zr!^j;S@|`sGBRFhD3|!6#X~pUa>Zodg_4v_|JxcHv-@GXGdu`A_={Y;ECNx^TX(d9 z(9&*OI8$rsENs`g7{{!^a4Kn#+D%HFq>719dHb0h^Q=L5@xZKfV`ymFRi=a0u(L}M z7EwDrHLn?^pn~7vH#$GJS7Hbg{^s+l$QJHON1r}f?txwFWDZ~G+_HWPNyRCh3Y@cq zrHtM8oNBUaJa`7^sAI5Q=4aeL_@Rw9gLfM(+cu64{wOr2W@g4=sb+=6hPNbZd&a3l z7WNxcXKUR^lzqKH93V;|MHn{xuDl~Tmq{*?++=a2_Q>-h0Q77CQLb_{nJr-+%w0<5p!5#xZ{d9PU~sDm7OW-G9&X-kwKr(&T|UX*-^^P?5$707~0C+e{k^ia}mTn zfcAk*z(*Ig-03W0SyNjhP=@l@zZoac{F6@yvz8q|;kcc_lyuCMU)NYB7B?OD53Nuk zKd?7sGL)?0|2*}s2wE^RijI{xu=sD$I@2-jP1+Y3(+PsRkO-}xCU(CyOcT+Rj5!^!8} znol~60D1yC$UmA*_2A!qt6n=st3%I#=dyNhqY2jg+>_`FxV%SsKM!}uEzgYH1&3;! zZ-R8ULh@5lPKD`73RWILKVub3s8LqKdnom~e&x@V*P>{1e9WekNKr!Kt6S$Okf7sB zluto`ubCj_6Zo+EX3QkZX=ugamq54e>~Ej?GeIwTX$yxT(qhfcOlV(~kQm}=qk@e5 z>1XtL{^BE4X(6z;DR4(&Y@$$`m5$CSdNK3?W$-S=-o3Jv5~45~uWs&rmDSCsOW=v7 zelJnEr<_oNs+I~7-6vzWH6V>@v}}4mF1mOy)4a6Vu*Ju}df}BeVl#o+uya;jYh9_; zL>V^RC<+c`262SsTWaJ}o3m?13QtR3~+lsg0z8R zzQFiO6wjQ|>OpwZ{}=T@+rpxG?o)=3WLgx$B)T3r$n-MK{zHJ_0kx&V%^|8JBUi z6hoaLp)igWK%sJK0Mz~(IG{vq1UX@Jc+mNurm;^4zyXKeLoBGKk4@n797AC+BX9eU zg^lc!UqKZsp2CV9P)6@)WKvsSK*kPg?DanCll2mFIYVI}qlh@EiY7j;@Qkb*Z7MX& zQpyq>9O+!KI8`%lzdUMvsB2?>KH=HIZ!^5lvy|s#SVp?}WUFRLQTyK2B{?~@vZfVQ z-IBbVLUwvRvO`#>6Ijp)QsLq4dc?S?7i4a?oWuI1C_%t|Z%GZ<*GHcH&~h;63V)XA zYgcy&;X~oz@p_c!5V`VlJT%R0Lws=LjimLoVwy1|JS$(fb#Iprq<6qP+hPG9i$hCh zHPFO#`f9>?`nO;GM#zDnu$lPb(XCGYkMw@Ymt^jim~c!0@}09CoVU%L@sBnhVj}8e zCQOT&l;}Q>+oAvAU|>ZFogN9>yt}(wg$mGOc6k z0q5HsTwQIR z>-POLd`u>?zi$Yd{&vo&%bVdel!Sz_{;aknw$+Ibsl)+u3iAb_3RsZw95DD6J}I)r*}6c@6Ks(1`A0Uxw-M0#wXz;CaheP zXCyPkv)QQKar^Ap{tlt>W3r>Ig2|wPN2DBZUkLZlj>hb@+sPF#rW$sCocSf5j(#sYm4^kca<=#4;sfw>WA-{){Ho_&JZo6pOfnF_(k7)?qhIaMI>feBKe$9*t&@na zNlXbE_b2xps(mpv`@A~Qh`@qdSfo?U|9oD5{fs%7nhA`Sa-g7YqkPx~Al~3`)k>Xg zxsK=+U;Gj~m@z9cb}qk&ENDONHCE=L#vx&~L$xy%fQwOWby9OHlV_JVcRU|}EkzEc 
zIw5p)hC#q0XoCt;jjkz2^7!d{FS^@yDQQf;BR0RW0dZgI<&*qQ^F_?UR)x+fOS=0K zo=pq16?Ss~)|w!Srt(T3_sJCu{q;pypPrlJAp=}O))i%#@=;J1OfR|5A zclmv3d23l&sK;QlB_B<$0kJ!QI#O<1$2GbpCWTqx)BV&b1vE~dwnaM~9h{jxhm}2> z6V$GqPV&K)laqegH+%s{lLLj(hGQ&B68!L@ZJH+Q^P^Bf5&v&dP~UtbqPa({wKJo8 z4&beep9Nl>wR@1Vr6NRI6EY#pTPzQVQr03q~ei4-^8n(GZ^Dq?R%!Xgit#Mc|uNkg!-yID&%KqfC013S|>FLg(FshSLz0X70)tL?HU z^2ro4sif8}i`Ml!20ng+yd?MX;`*3=Fb#8qHl{TcFyf>LbEZ!a#`p@-`S1QYJE*QL zO1c&eQ>AXDOqLDF$5WNXIbgYt?oW%^ESMDC(Qp%DN21_!PS%NMNec&Or$6Q?DDIu! z_M&Zm7GCmNo{sk(jvNPfVwZ+{)EGYqmD-Aa0p=9;_*wD7;IR zeUtH|nE&e?xllAe9TEpOx98BWcd%|TpcQ}pDOO09>W3L|N3*pIC5c*% zZ^a?j^4MQtq6r*E8y>7i;G8afEb}%UfZKeHOMvug-tmI8r zgDJAkDI|^5GKcD+Xc65~*U5^~+ul;H#$wd^SCoAO_fz^ik}VjY$2O^L(i-L`B%@1y zt4+%&Jbthhu=K2Ar7Ph)P%B|f+LoB-8%;%W0Uj}14($8Sj%r?ll@8j zuKB~-hwMm7w6K0V!^i9owgeP7(<8k|P()0*5vEq6lFXKKJH3ikM>t>^u-(>gFJDtj z_g~%nI{AX0e&aeiaSnx1+N!|4Xt>{sx-Cr^Q2D@QNoZ$EVZXrHtS&e;0{XJ*gw$mK zg=tQfsaK*`A@tuMYsWdxA z*Hq;5)QAey=Dk+~pGuFNESD?aX< zi*^z2iD<&@KtfX-L+-vj?8#m02LaOA;`;>Wt9^Ov=|(?&ue}#)VGt;?aDM{zdHA$x z%)|O*7luKxz&we#j@*DDx?}c$w>%Q+Jm89qS!jZu2f0xn2?R)WNL-(c@d;?N|6@@! 
zCDo!&z6~R#CQpPBnwZzzm?Vna`#WE6)t?BS4yrXqmUoG;-4%1eMTJ9)A!ZtP}aBemGS%M zJ?e!kt1`YDH4j|^U(qeu&?emf%LTyN3p>ABYRac|`dv&w_F?M2{aORC?jvK-K#5HC zROquf=sOiMKe7uW-Ju_~@n0Ip-)eLEDxK7xFwqKRPySk*y0t5&4yyWOf68%%{wHE7DrN4 z+5YfvBU%lt*{W=MQIKLJ?G=8-$I78A^W~uQxNL8B)l6K1c`S9@Y!O2Pg2V9jFrJ>b>h_ED4v4%w*>a(d{I{W|$?dt3x4kT0iK%L^K zB2_8_$U!4#5mF5>!f^$nQN=2Q-gT1fkC zfSCnDe;66L*!5>w+6sSSL@aB=ls;f)Gzi)--nr#qgr&(dq z(fylU`-zw}KoQN~Yp4BHB>7nbvbKuNl2~Ro&(F0h=p*n4D-Cbs6KM9*xpeahBr&le~B*=8G|uIx8k6Rx&wh}%jm z+Z#W1Q1%#S1j~5HaNpMpap7A0!D5xADvS~ljMV93$gL0^_z_6Aob}Kqz%z`y z$oDbJEh>Ij#2~M1Ipd3uB3*7Y?q3^eL-g$;lXscuPzaN}*@K5Zan*sw)7`qY0Sy5% z>lfk4r1^b)E2uZ?kBAK`V#&z&!DY$GZAsKj&#YIq_}7_jF%a5>58aEK62!sB6WOwF_W$=f{x-xl+bGvsDz$Z zERs#@h26@DT*_+;=x6?f&lO8@N4Dh+$-4E|P7KR7I+yEKuRnh5xWt@at0vKGD}dj0P0k1=DD zqYCXrA;&u*ojvitKU3l{`%8JTIFOK%AM0}^e9$b9>rJGjTjHc|^>*^00mI1N78~$^ zU2V$Hk~wX62bunE%-qDtITXOriR>h)dVY4yA-5vL30OZA`2mll@a{W|*u=rUHDF8R zJ;+M8dfEm+C7HkpYl`~Y49GWkW$}zw^yj@o|rD0Q+?=d(?AC5IY|1v5IKKBKTxpmE26ija%+Mgvp>|F799e?W-_ z5bSxml{gGDg%^ihFp8~JU z>UVC@A$U{_Z1mn&X@tr&;(ywYvY+ZUd^X>Tqjnm30j1G~Ta@u?Z)|6NEYQmP}-C$_aJ?B{gLANbd{Fn`1|*E zyKSBB&imRmLem<$4oBsRWUK2W)~BmnVnX&0DmxV{b*>`^)b(wiiY8GVJ2*wCzy3DG zjT9H`QP2O>G%*l{zBf2E4>-|Svui92H>}8WSM*{H`)P;0aB=j?KYyViiEbkyXVI5+mN25Ozdk2ie46#Fp>=Ghhtc)fTDUaB2B6P7o+L8rk$#NNtk8 z!|3_Sf%DU6&r%Ou(HBs=G{F}9aflS?g$#&r21BHMK@(FIb|lmxF*Vb6d4%$O}eQ%X2VddR_@oHX!S&w5zms4{B@XO>3lQf~2)9@s(o|c7yTI zZePFgN>4Xh3v>v^!#@py-le0&;ToJkf5A!Gv|A@SnyTmUp9}X2cAw@ z0SV*xcvFHd$Mz24@|m)2D`0St(s_y{NJG5Q#k`u)(6lYs@^WVV#*EQ_R^|poayjx8 z>otXpz>~|QbzVNEm-J>JG@Rhwgn@~FvGWDNZsRFQF)|~?EKM5DRCp>#IYUQfYURp= zU^`%E%bwJ&%Jb6m#IY%lBK>BTbeGB0;2`aX4^tX*mIlS7-9~Rq1;x_=N06zMEM~-C zpA-jo4mp#Ql5sW!#@>KKiwtB33<^nd!=lEJ!_t(nxTLcp4T5KL z*Nky&F0ggQc&p}Q)^zLV?lA6f;uhzqLi_I%z%2Dl4yzpy^w`VicUfa8JXr22L>n9# z>*j!*R^s5}me`$*Y>;OMtbA3W#l&cpGfKKD6NrnK zs7=H`av3kM@Y?2aYm6EFIzbG zvxNOR4QB-*wA3N`l_3s9DgyXV!@Cn2DW3K^@%9WHS8Yuu;jt3))Fyk_xF>*#*1Ohv zc9T})t};og-)bCv4O?vFT0wHUSQJ9##`5bfrxKUrt)KSIbcgqUIG-NrQVRDQH5->J 
zQEX3JI4%#(zJ>+R6wUj&rrX_bF>X6+bUM4RImHj!LVjA@k=ehtB@5(upcsCs`9TSiO3-&fjg+&-Uo`R-y_0eHmjZQ*VDwmOO5ZX4YwcH{yDpnwl%5WqI9B~+-k&qz;QiBvkz-L z*SrBd?;+$!<-n76nxK2&R67@`&YGTPAc*!UpyT#(4fcj?PnTX_jXb;VZwlQbX;pfk zSMBE0B|+P4Gf&v7kx^GHCnQ`6eR&H-VS#~)I*^lz$+}OMJIOJxV`T-TY^F4*J_YoA zC^r@bLx-%NNWGCG<0NLPtvAEL#p(TwoRTMdYF<%nsYf4GBS_vX#Xv~+5a-Q1q4yzk zOFv6ov4JV@QtGYy0rFgNeUm$mhu8txTD6UpF?l=YBGepcnb;&eyo(73gO|(0cX5u- zl6hG&vZ})mU$Gb9j67aZz6|dcm?+ROZp|Y9Auo@BileX!J&tDFuLE?m8VaI;amaTJ z%&tHEsn^T!*Jq2uRuNH2eMfGMFIvY~Ms@Q(d8qNd&-LkvVL!Zf+k0K_!lLQ8lTlwD zMbsJGe;6lcvviC#ZaLX?IQ9kW?(NZJ(YqPHMD4uBqSRP{Zq;#4Xw<_mrRyEBEz*@lal^9JD#(v)-cpN+ zjeEXc$7jc(Ny5*e=bw?Up5^kZzO8wXQb+=3hvn1;I>+YM$a;yN`UpITy_&wV7m%=O z`N^JETmE0!bJt2=nbEnBQa(fqgt)K8oV)rT-WGe!@AhBnm?(IrsOv(gK^^&oQqR;h z*2~L1Jm(G#RfBXO8oejv^K%QPMQj2*<|mpTCBD%fe0{`YeZBli%(4;nCH{{UYJP9U z)&;Q#Jx2Q4-Huar3N8VUYQp*#T>O*0p#O@QU%Y&S)i+Vt??A?lzC9ZCwA@Flt{lY{ z9nI0aVzXpFxq0TW4BMk8!!3b~+~1jJj9tcfAW>l zwh-Ickg@$Hx`p{Veh;{I?Bc^$>_nqrAvQ0RJM0h7Y-JFj%FOlar z6>-hg`(es09BtDMxRUR?@Wn3L4`gPnPyeKyb>J@hKS_P4 zhF7jq$^q{5O=*1d z62s<&ED^-3tdMj}^aO?lrwoVFmGJP8Qjs;8$r)76a3wS^*#e2N50-GX%d4_-ry&u8 zEVhgUrN0;4%S_(L3H_z2zMJDRsqA9;ID=M1=C<0d4;*OafWBS&8cRWG?q=>C1N5DFlYgHY7#UX}!~8MM?dzdx_E-OWgt3w7gM_)@x%JmYe;p<1&WuRq zcAjH`0i0o}&DHEO|Ge>6Wi7UqGzL&aWZ+0H{VT^;)FZvg9X`4;%?IMR)&jWzL)=}M z76~oB4jpxRX}%9Qb4zTG!0@J6#rV>Hzryfs&ckAj$gj}I2I{*tM?n&E%#&S%Kd0CK z`UFTNbCNd#-2cBX?vN+{%kLph<}ZMI^UHhb{{nb7J7k^U@5qsxKRxpMi&g%!d|;I6 z-?jR`Ecm}yNB957*PW#*1ff=8u#Sld(Y1zw@Z}Ppx~nm(UI#M#-Uvt0ziWHwT-xt& zOGRu1p^_sXlEGz3c#DCl~&A7 zD2HxEI7JXH>31$)wV>|a{`I)}LNq;wh`Q?|nuW9YbDvjvQ$_yAy^01y_ws{+MkkUs z-v83os`;u0`wb>{&=TU==A2T(+4^`s0!C*^*6;XXpMau|<~X=`uiZ}Xw0Z+UqZa#f z^Lc5A4VE;woSOmQk z+@Gsvm!Qszr>gx>XHPa!II61a6dXKmZ2n$2Dxrc9%a@dzGIr!5yqjU^^#f9DMkn#g zm@hFLqQt3|tmK*HIbmSJ%gZ-h>g;36m$7Amia!)c2CdJRGd!rR$la3N{G&TC`jZ4Y z7Qcp^Q1BB4ydov1q~#Iz1?=On+?daT&0^p`U$OK&jpXu=4$h?kfv3U!I%&wJBf#=_Q?4A3R5g_sn)y4T-yUF z?VRBNx&Uo<9}Na>*v9*t4S(~Z#&Ou54|!Pnx#GmRZbcl^+tb%JxFwwX4>8+Pm)qVT 
zwDXtm%ajmn&TssphVGi@B~g(ay8bgOk2$wDZ0Dv9l;_LU60C)i7zpL=2PklAvL=dq z0B0vjm-hRV%9s-cqa%P(JN9`ks?Z~VNJd<5>UX*G$S~<9Ec>(<>$&-qysInmlC>X^ z3?9M#yHD6PWly5vJ8no4_odv%U?6eLEObu-Cy1$8L&tX|%_mPa{l-3biVG>ir&N#6 z993$@?=c{2tiy00#;`X{Oel<$v!DTc-8Zkb zdVyCr!2jm#EJ$J34c6-d=nZ0M?AikVr?V@Mhq7J6%1OyMl4$XXleK8bIw3yEQjMi# zNDV^vr6dM3Bufe-ojzjhF>{n{nzEZPF_wmyG6qAECB`^NGh-~@)A@cnzw_^T|9Jm= ze(&#nmixM{=f1DIC#4E4U27mt>N*ElW5@=jPxJw`lE4}D(+_5vZ6uQDgWeIay0A?M zGN?l6r+8JW?v#PUrN^RB!@ok)*9rT73H)fs0%_`MB~kMZs3y;%VBlCE%8GQsRoQL1 z(}(Ke_-vccCy~|r+}suue&=R(1Y|A3f+b(7zvS`ag(2cRH7K%WkdQy|p)o{TcQ*dY zqc5*4KuY1g6#|xs4^_m~u)nT-iW(c?8bK$!_9xJ27i! z4r7m^v#gcgJM=aE-roHQ0It)n@fq;t*65Js_hU{&T&}5VMzRArP#M&n{5Hf@FYeb$ z=~f5$BBge7;$Vr%ska^~4EqN6Q$DunckOowU7g)vZ@ZOLl=`8KTPcI%Bj&LoeF;I( zEL>|Vv1Krj=zge6R6uD};9Dr`xNMDfc}g+D8&5qsU!0-Ut}M1^xA0^fwB_?XiAGA? z$Rwy!!6&Ip{kVD(0Rl}?c8tO=$4H69;HUZ*Cy8G)KzdXkNBIEc*4oe|>~AR9dp0BC zwzH$n1Y8^keimuxa^$%pJ>nA7wILPQK8dUev>@@=8kr;!!Exkk)cUiQ*-q3fW1Nvf z3nnbhIcu@!7u&tGZR(N+r{_x`@y@#UW4)e{^Pz1M`^v8Db&HiB`~KZ;{?%|0kl&3Z zm4WU7?tlRfhgbdM03@~Vp4{OhO8fWP&LUzy%4i}jqYyG_PIEhE=Q+pT7ACK^c?bcQ zIkjuov8;(_tHb(@X)kgXu2)nkN~U{8z>+OJrLYezs2wV>+{%hwMpdMP~BN zEQbi2U%r9Qi|ivZ;X3CLi`D)}X>fQb?jFOx;Tvu=pJ`g@c`J*{Ygj1T9mBbzo#-bL zM;gH;jhkxUz>P0bap6WN@$pmiPu410sY*bKVjCx!bz6h#F%E1q+{$;rdY>pO2Cbd_ z&V!6$vtH}EQWCQJV)+3d*`t*E?Ng%*_q{{K3)m<0Ai^n;!ACx3Rk+aRx=&!qZwoqU zOMeHa5jehmM)G}l1E5Z6HB%1Ava~32b-me<@4y`7ZeB{7nojeEm9vl*C>*bar)bJj~H(HNG-^~ zc9r`hHDWm?=Z-K?nLx!6hn&zA);PZ^#mp5|!D9;Gn|Ru?%F)L;?HZr26=&?(J-#Vj z&*vZb<0&!RTyLre5z1?>#j^+VI7coQ;FFh17h_sU$eK{P4B&43&#c-#BI{B=kj+;v zg48_Fo!nWYdszI_q`?#1L(pU;9Lt)1ZfB9Utp|EoY^a&OC1@<=r-6q&<2l#-F#=?{fG9cm8`1zYNM>UO1xI43Y^NLq3=?NHf6M1N@ zY!=lV29w!8Gc668|A_7~2S=bbj!71rwoG~ei=E?rENa-EPUFzMcYOkKWJ_%Bu8@4y1Z|cBT82N_ydHa5_`c|wAB!OGgy#8#)iqPoXI=rW|#nkXDSa(7oIORI)g4;-w zvZtqR&dkL(C82b?8`AV35)zW)yN?4gP=x1a(Vubb~DiCdDAAKUQ6s*nC^HJAXLY4MU*4^ zO2vGrGZSNFp>+MV=!V((h1MyuoG#Tva%bG7s79l*u~+fKI;upbT=|H-jRWPTf?iON zv^ruktRA+ybR!qaf 
zsv`cH-sqU_i-4LN`qySTfiqwD^hrTqo?*w@izDDS#Knd^4RF!~p`!iue5QtTYP-kO zw}Y-Z)tE4^XWTJ#p1oR2nWy|KZ;Z4fu2$RF_+7ub;NiIrLq9pF>ctb8cUA{>1?w+k zNiG!!{>a>!N;^uXJd}{=?;mU{OHa3d6KQ0(h&im7QCRxTP~5;u7w&Y8+13ug1yfMU zP+^Az*1b=ptKyr(w}D+G41O`QiXQR8r|TV!SV6LmI0!9szZAKvsIY*XpMTsaYSBM) z=80<0AhKYRy_DWT)!AOCojy3jyQYZ;M&aSvw}*y@(U@>EPM)emp&I23nxDc0idUfgAIr?^{jFVf;r+}#&CX}>Ffed+FfgzoNC?n3V}6}+&@Vbx z;^Iou;^JgV&JN~Qwq`IevlVJPp+y3|8zIZFd2(ahoJX4^Gq zxAgw5Lduu>NPbYPy}iN^-_^8g$uE3R3MXtBaC;ov4Y-oL$pzK9VG}wbqf4 z&l+`TLNnbDtFbT1-7;q~cp51lVNE9ClnCg1tWh5vkWh~I{r!I)#(hT$6#8sS9>j?1 zhf_=uFPLE<1`$A9fY5ZFMcrK9zzf~Zr^8V5P_v8`7%xbr$Y%9wuYIOw7I-I z3_Y}t1Oppp1p|cEV4=@@=mXVDVkitEw0sABB=P|N)e2Xa2lrof*pR<~A63PrrJ<#& ziL;rRJ;>6*MT%Yw0wpzXrKaVgB`?Qs;$X*YZ0hjEjM>A^@h=LDpa(y+YG>wROy*%{ zYY*c05Tf`O1V6O?_caRz*}p(sY=kJZG|x@b6oGB`XgzTWtv|JE(Y|eF$^#@(KP6{{OW6Pmli#Q|o^)`8aw1H|GCp`FBip zkeRc%gB`R>7vcZW%zq;P@5cW`6lD23^8Y1?{}A)P-a_Rpj4a6V-#QaU4g{~3z`%&Y zNK1TF^MF0}MKsduufMIKDw9oF^-l8c#R=**Vr>s4;Sc;!c()UB-kExNdATk-Bpagi z&Wmk~6OJ2!(6OrN&R~aLd+pClr^D&^>Drvkax&FPr3;$Y-Fh{uNY&jbt zB9S5wi53tU@NWf%2~u5L&8;;E2Ub!PQwfOuZ$(f5a@`}vKOp8I^?d-)PY&!%6vt@% zAGE);0yQ@Njo5$m5SS(*3cs8NS*n}*KkWSFk$&=zz(4bvg!EICFi9knTjw7*l_V3! z_^N8A9w_Zq@lPYoL#pEi3`^HbXmoP_44p?uYyZEag)$h9160e4Nj8*ODfuTVn_*Ca z_&FYg{F@yA#jt2OSsuWy9HO$U@Q=b2fs(!n5@-2$A^!{b3p^~2rO9sUv>W~ZRZ||) zJ$W9Wf|STB|DU+RVE8K;hR$yds{bUJE_5jA=gmo!f8r`o>myVhS`S5a+5e~xKPc%V z#4v+@wgKe7HZa0cbfWf8HgGO33a=x=doA`)T#;#DC8mgL1bPCF>TXy&`5Gt8SEdkHJg3_icrWJ7M$f570~h^dPkqW~ z&iKGK90)}1yMXDFA||}FiP;IcK;LS3p*z%p9Kr5C&Oeqwsep}{l zSAH)Vw-af%lUT{-uD#gvpTTw;zD@p=C@>~{j?Int_SI>@#6Po3g~c=xL{Y#&N_~W0u~Zvftc_=0Kvj;+czmOng(_ z-fZEIo-{%C``PBq6D#APZw=we_QmDHsNvqh2hUf8-oD?M9-OY8GCB}Bk_CYt7x!$i z{bdW`c1gi{(0*g}M9o=#tK25&xV?)T*xKOfS@&GGf9k!y&%yRtWbLl~#^Z5hqg!|- zdqQ~dS-#o~?g?9Ke2v@NestN!;aTvau6cecX-RmZVFvqRwbsn`nY)T7u7dDQ_oYW! 
z4NWmwj%oT(b}UG@6H&O+_V&5q%uRI4yz}}+qjF460 z$gDTfX{NxCL~0sjX3_^~x*D(Iqc9j>NNXg8=2JqxtZFOvF_a{3q){%AD4#3x4dR>JWgd zZCFDlZIvYvzD1JYH+6g4xTd#`8M#9H#rta@>YJRt`Ey}wQfydKzz*zH$Mz;;qvzQY zdTKg`cd&L6&cm^ggZaXntLo^jEF;0aJEF{)86-_1uTrEsYGBsF`m2!pRYDw2w%`pD z8G!*;TSyzM;NHYwC<-iP+{=W${GzqtGCyG4`}FlRiR<|3j4+N7kG1N_j}>TVuntnk zVb!=KxVIqP<>`PgQ=h>O)DjP1Y3zL)xSf_6<`K65wpt>e_Zqn!h!#CUDjy#l1d!Zg zy7bRYqOJv+w^yVJ(wPSC& zT(;Sm%AJ5@6bSAGNl$!1f#r$w)IEKzeWUMcYd@DDx z#{cIod5%MpOa}A3ZC;qX_SSnm1@RL8A*8B(%+8Zei-q{*a_vp|sOunKee&-Sfmph@ z2czlQMKPE&kmHMU`@x?6o&L&2II-(JJOnpL5Mvj>)Tec|eQtu_A_Sw`b>uVZqb;A( zg`U+&baeGxylyI_4E+8McH)WjKA)|sdc*s;wK}Ld9V4%8m!|kil*4GU;?l}21 zVWOelJ7b&fEO)}YU#=m5M_Ca&kXEwmN~P5k+}3fgx=?n!$7W6;a#7^2_)gA2-*tsO zkT$EbJS8Jirleb0VIj?e-!rRblJ8Ef55@bB;B0e+KTe>fXcxP3#aU<4<{+t0+)BT6 zYcQ`>?j-Dw7eYrZKQ=QZ7DIQ7RcC(dGZ5~nudTRXpoPw@G1KW|mX5xEdX0vN-rbEF zW;iw=@T_>hsKLi5)6BpS@&-Kql;RJ0h)Pdb0af2fT(Mch>zp;xZfaf>6RKq!R_Y5_ zTw;)J82nzo3fg;+EFkc-%cPi;Ksq;(==fP$$>xV~yR0uXGlVBRzZo`iEa_KA*y_3J_Eu_kq{NLc8UhQVu7{(Xe2DeV9qc4s3{mc_{u40MJq+bPtVD zx_vdedKh5M1i&`8sf@TCr%s316#n^Kc@_$t7IxTyXiL6SCto8HdGo>$VK+SbhI5HS zkMYf`(w7K&hB8mt0p#3h+gbuvXXD2u`sk6Oy5a$1c4lTVm|x(YPDMib+zSHj-bXqU zwF8(~>s0rRl3E{F=8VXQE|P%n^_T$ zln-VdO}3+guBDC`WM^t>YIAh6kB+~5df&L&m6ntzPS>v#UC+#^sOqT*1QpZ%W%oWu zpXzz!>O)N@jY_59Oe%8!4(Ca7e{GVa8S|T=bjq)tpNSTDt=!`r#)+THpiYiN z7t<#wq3_$qRI~)cpY*!w>9{{#6BWqhy?sMFffyb8ECclnlz0Fq-ITLr=`h?xdu&ZB z4wxd+-S=aK0;&L{zHwmwDa`?~WS$+RC<79jq%d*$s}U)5!=XlJ_kZZ#R`LB6U-rq4 zP~xPWLJ1wPOXx16E}gzb&?^9Y{KYd`tc;K6ZrHfPDD+0Hsu4SoI|k-qpk|M9n|C{j zl+11VV3kX(V&j>%C7iybn*4;Zn%m^nN)860G?uAM!b!ulA_dluB2C zfVDa6EWKGWRr`mnnwvaf5t0NvfT(tehHK6o_oVL4LTIueWN(j+p_SeLCPFaAlnAHu zJ2yoJ=1)4hWEo5Awcb>_s?5eLPL9oV)%7d=rFULXuPaa#c+jC8!&Wk&#n&{zt|&EX zF*_~AAsHiT152rO3ff=(;CvE5v)9q-PX?l+14N3F0XifpKK;DGQ^}6QdKgP*WJMom zJ8~P5yc=Ywu7Y~cb)0}5noDHQp{0?*UJf+ze7?2;Ux?W|yhzlzt?%@mT7_-ji!#e6 zRDsaFD*97$GrYN;vo2w}0x#;p0_ix`SdVf{Z>As5&0oLInq2gbz zbZ-gxbz}_(v^U({{Di`|l8KVzM2XHHFETgrW7!%KSYSqY(k&va-|WtCK&Qd^rvSlT 
zHZb{R+$&Lhqz+|YhR-J3>R!`682o%R%>ae?86(Oy$Qo;AMA&O+9({>qlyf}Z#_GjH z`duoo;w?*n8HI?_UNNFpC%SI6N=7lXPh8l`SZ!2(eY^W1d-@3n91(*(ICEjW24Jk* zodSv8A@o#43#iA~M3ThQft*osz}^+YU*caW=iSIpw)bC4KvngXY?BdSY&?G+lho~x zdc^`vSU6AfFE#jUH2O$s7elQ|J59s)J1nm%8r3(7F%We%lsa6JPv3UyU|%nS_Hy_Z z<^E-on@C+#8^#2cwkwPZz|U3adD>G0LaQ{n|1!UDqe^V-kMUCwd~OVHW_{;S~Ojnl_hVs z;@DXzlTWsMyzu>*_6Ntcy=?s>th;93KGeQ9CA)ZXp2h`bbau%7yNL+iy!hRyCH`?tLe%?uv8Iq+8i~D>FQPyWjfhuslVybMa+9RFo=<+3>pZ^htT&{W(w~jj_bAgasZMRbc|FtXJ5q2! z0CDDW;BYh(P_E%;)9%p_W#dP(iz?o{&EC6CLra=`>js^nznjY+3O+zoQer5n#r zX8jl9i8=AKskiSxWWP%a+OuJb0HL2G>W9$mj(3|BnuJMo+V84=8~#oCRMb|iGk&(N z>Gk2q!`ea={>Ls3CBC*GKJv;jqN!*Tl6>5(-RyAh*4^{0JN96#aXb;jCJ9_79eNst ztoXh@3BI#7&~7nd6-vH~X|3%_gZQ4WprP08FzhAuB@1)B2P1db7o7 zKb~Tot;x-ya%cc?F0Y?<&Lt7CImd}>oc2i1i(&#T>`se*TS7FpbK?^jY#Ki&pDoh7U|v<@TH^YMl4thtNCPft(h z0Z#VDbj@y$(amX4U$hN~tO$IN<*c{bUe%1ksqC2f4o12$eR?T9`C0=KO-!)@zQPoUe zHxaE6>{n0zb$;OYaKDLmn7*t`?S3-%2VMvHaWwWci4YOBifR&9GiB785%5hzeP{^G zOg}mAW%A_%EciG0?J(C43#+=oLethBwK@4&$fyymGZEmpAWn#?b|aUPYios zeFy@dJKUM$r;y_Vsha+w=&%#5!2d0Y62w*+i!ZEJZ0L~#RVsYQ*m$0yZf(b6)oD*O3hGrLgp3ww5IDod^pq=ZP&3gcJ2O=JIcVZ5l@rjqr>ky@=exU?ylpNZZcH( zvGFx2N2rBRc(K~4w(Wje&T}svuh4KqnA*W)c^cac;K?B@4101b|NWSQo}p~&))_>A zUZEX^c2VDf35ordoJ`0>+=<>7vVn?x1u1SSX>04zimDsDBg5=z*4=d9pSd~^4fs{o ztB*g{WjNkUQ0aJ@iL{8#q1;8hclFC4P2bbzOrtr^+uv$pM6ZtTHO)3OKod_{R?d!! 
z4$Vx!sQjW{3oO(?S0c2oxKk$f;(^-oW@zwQrfqNzgZf^txOw!K!fgY<^PZ@I5%#8O z#WI&PjDK4haYYQwzu9u>!u8#>?yfGPp07`^oCnhtUU*{93Y>6K-ox>5MD?A;HYs!U z*^K{53=D|yrO+t!K&MV_a$~)GHBf^U_%b9+v*~GX3pkoPGD5mP=SgzdpjyXB><#Lc z;r=$@a6Opz!^sIWUHHZvHYG)Dc3Svx5$p0L>}uyO4x;^X`C|hmq}Lj$4dS+P#!5AcpGyK#Bj+VO5OQaXA#m7+hU%Q z9?^bZ{h<8o@=d8HX4eAOIilS9~T>Y zWI#UC>^W3kMMZ@k4)Hpv#^lrX;)cK*DpmW?TZ_3;E@uiJ^gTLa)9atg?B>^><<@IW zsisBJU(?m*)P}po`7T-HW~y+MO+7U+R1fDA#W^Xt3L$N++H%TWzX6cZfDE z{K4aZSbxhM2(uKm+T%oHbjh((h{ z)$VoELv|t;KfG_~Q=^c=sL%W(0875q`|c0j5sy8)24NC)EQh&W7Ng^o%|+twFZ7#Y z(Ig>~2|_rIKMLCEY$A(w*A9y+6SYY&`v>PSy&&`9ANu1QIBUH zts+_qu8fGKF_W^WfSSq&c-Gpt*yCw5q*2TQC?GSFbv8=J+t1QT`NRUUhO-}y6RxMa z^)Z@C&2-{ke(fy6^0}2tJQkV{1&<5GoZm>E8ZQ~@krBL+W-qZ(Jj~5F#JQxMRgP*q z+;JLa5uu9M3?u)UJCR4n8Zt#`*3T|t5qB*+`b~}TxN=m8UO!RA^h>J2fLzAj)OPFj zH&jLvZ7+vcH;$=}(ld-S?WgIJXU8~fdXP-i)VRqnbl?1Veu~<%=#fA4+6Q|MYV&$nVn8-oSop>ip^lU1)hommoV)sJQ_6FiEl2=7`%!1 zD@1(ij4KHahRPj<#@|KCP4Eb^rrz+1er9XFR`f-}po~iDHSAao?es}SD@*4>(Cu-p zjh#uNQ4|Ym)=ebS^E+%Q+v;GS-r2c(`62Q^zG@=F`e~H2XSv0d&~)uF#`%=bV)Umn zrCi6``y3X-j*)0%O+CMe2LrqUFe2$V*FJ~2UhpLWMm)&u?Ld%__pJ=oiP{fHimI(qObl#skB);>5pE7M)2!4Xy5|MKGa zbgd=*!3t`Ha^B%~>%%_Ujc(bt8#SZDaB|cpMEhx$Oy6n2`$YVe~|1PA*^0-Q=OdbcgP{JK-#;V6J7har>MBy*Xk3Fa1xV)4=0AC2G_x4_M zL#cmbI@aIf`kb1c2zoMw%kqBa|0aAPKHxtl4M~V47C@7qDr0{NY8JbS-YNX>0JAT| z_V9A*PQr<0r(op133q>G2vMQGxX6DsB%rQ3YrE>ub9yMcOs-nB184ErE}~u~zelS6 zVY>7S$K2J1-Ut8S?rukQ;xneOwSJ3RsPrzKCyLow=b1wD(KySexv1$Z51X~IIG7D9 z2s*{!1#lVXE)_XRaKFP&)j?2jDC#zVINspCpT%_;h|ON zMr2KR-`si%HM5HEML&Y)@dXVPUX+?P1~mgisp-7#*+>YULXsf_GKe9H#rkHE`t>SI zWcXtf`}LnW@zT7KXUlb(y_NG52j4ZM3eI-Fr?sWa`)x(>pNiZYi6<+K;^&Gf&?CvH zB%Zz{xUgBQ(|Py(!*=cqbwBNpf&_Mb(xf&xF;LntaIcJ* zpKo)<*in17BYwRT7hlJugYCQv&dW}iTH@@)0Bj$%@`xVDCo?>vy1AE3 z?dy^S2-myfH)b|Pl26YG2F{*Bu?i7j2#&A1%!#|VR_hkW2^}e+OeJNhb z73p{ZK8=h5%7i3xvg3&glS)6(EYL0Y1!p@U)E4GupPew*?U2fQL(#f<8e6q(chatZ zh`hv=M54rnp_3-#8Dv@A`vO<>cvCuFyFWR`cy9RoV9D?coN}HHPCqq=L%2E*lHfx+eRHX_PX0-ud+ z^?s7m?|hl-mD)tDH@w;1uC;u7)14Lffq`Q*S~)6}G0A;0E{yasLN1;Cjrn5pB?P5P 
z)LY1KdS;rdrMc@o!?Q+@pW}-4>wh> zx(L@tG!XoY?ay|nG*=>AVBZD(#?jqW14igce-|EUijVIT81Xw*jgv|Keg$G+mwIEo z7w$UGm|C;L1}w(|G5k@Gkwktx?9zJ*Yl~(XKjg1Qcc=PnbdH?VZi7(NZ2uQ*bJ8K%>L@-m+4nT{I46#yMbtI^9^9AFW}rsVHQQDh1D{9VZ7i z$vc`xB=OiZgCjEeAqpuaP5x--J3A1=6^+qLlc$~4Q(sg1$6u|iioyc`(NCNHzOR^4 zSnZ_G-^ujg$(K}M|75)-igaxA+_aq8|2o2MR4c#t5&smu;n6Uqt(Ro7HK(a>9K2pMsyX7|ceRoBG{y<2 zIC*xWRUd!Pq0@17!eTt0W)IFc^tixzfQAgX#d6w>zRL`^FwV1fKOZ%>+yew?!9vo}L_Ul~^LJ|H~!4u;>Rx_?YYc zPz=YRVaJJin%*%dZ1JsFt61%@AS=HncT=R>@%@|o=bMx&v8D>>{SeIs#0~vufcajozA{@0x~urFnQf zGJHb5|CL=>{DJUA@C*VX25l;6BhjieLqaD%#4H0VH$hbX50P^!!1dz#0W+;SimATi z54hb;iFSuk^^O9I4Ol2fco}{(a_Jj^bQX&2r>LCX#a-Zj)}jN6t_y{#%oScu$BkW2 zlRfk|7~B@u?`c;QNJ2#Gb?rlLllJMPg}GZ^P10 zV!sL&2nnKsv=}B;Jf7G&lhcV43$ex4dDCD>!%EJ7mfN$F0DjV; zeSJ8UZ2u*{lJM>F8oo=Z9!`Rd7S=&(c-P zh$(fX-hQcG87A%^1^Gb-CuX3YbyG>jdQkW%Vjz6P#BkubT+&WWSFHKiEUVksYVc#D zalX;b1toiltb?=*JRkqILc@1t)Hu#i<@bTG`(D_`dlRpE4JV7_Rqbq}eVhaU&37%4 zYi=tsQmjQ?l4Hl@X^SdJBM!dIz)qBWsq1|ptvMK$Uf6-&GD>xJ_=Oau}VM`Wx^Mx~%|O}Vf8 zMX^bmduc{*kET|ooaC&b9wa8E1NneiT3#>kHDO|hfDP|R6%b8joDN5~G6OGYU zwf$Dvrer;;xC6^zYhECr;Tv%>Vp|@4A5R13^4#csTQlqV36+D4S5KSi2M7{#XmeyD z#pDMhBZ{tO7@CPO>Dauvaa6Z0!7!{q9*cI9$i+>}>w@;n$Whb#YI3On)E^ziLz&-# zhpBy*@WeSrV92i%_BVwcH(@BhO%H}|z$ni3gWjPiimn!bdu@S&o}^u9p{ON;sR!$(Tl z7)J`=@0Rc$;xYR}mLuxNLzP;Y?ncxkZCU-KX-Kekv4uE;Y<`Ac@xx?>ib+e=eIaUa zgsYnljqY`H-2UBx1!vva@fw8<25kBs*jHsHCSVC?`HPCQS;)mS98jN ziR{&uS{lJ!*O{pC{4^^gtr9J@GDsnYqkjE~Y*7T=u90ef*u~mL_p?E5oIT;7RDjGv zT*!i;Y;D*=K z%L%FZ3d#DW>6}DKZ$gGT58F3^^f=*~4+!v^r8tyrr$G@T^A#(m1mKJX@<}Ys$Ixc# zU#DL8TWv??)(7L^xKhCW3fY~g&T6U)X|N$S76USr1P>oOPgxy^ z9of8_5`lqsqOPw7_m;K3t2^A>=tM9{$=dkP`n)z5G6`(T(8VPOus$D^?J@{**&_TMMYY{Hu}%Fh7bDc6pW)NjtF5I65#! 
zN^JBGwE@R8TgWg6xefE^=V$xhI9dy7Gc9MVrA}n7flE%W*K*o090nP(sFwPR~MtbkPZsU>I}4Zoi$yb911&-VDglPjTND=*?H8KK^?orksTgE4xv$QrHUMxX1xiHG+~IdWov?LWq`$>< z-(&4o(TNo4sF_E@kZ|T|G>Bl>1!b%4YH$-wg0`iXHc`1HYB+X4d5B;lIQj(n7mmUx2@P` zuG(h`4tTXF4|ak1--eK#ZylAfwc$@pS_AWw?wcl-@I5cd;V zFf2#4{L)g8snV_JHs$rHH|bDC7+d3Vyo zDg|;7o<~C2a<;%zooF<>oFOUl08v)SGisp(Bd_b}s$^syml?Kk#?^AWW4b#gHEBOp zf4IWZgq+||CTII^T=4}x5d3}nNE2`pFU6Cf;=Zk9Kds&A>H3ff{dpx$N#uKS4{8*{ zgluZ%Id{JQ>&qVGDkN%01qe^B>`@H=d3{(AG$!Kfb;rHpIW_x;mS(H{C9kQcM+~@h z@I@}$u7w1834JF~hsmf>)|-0${zKKtGR!O3ZjZ#5FO1UJp7jsx7>&F!&Bx86NsAJE z0OhdMUH#z}$&=W5!N$SuSG~?>r?_6cWHCB8nJKjv;qOY|Tb8h;i{(|yUw8>whgIGN zaeg;A9List)1;MH|e%Zk`IY+i~b82}O&e zZll9k13!{iNNd1v7grkazy(Q@x9D3Awh=l<1{e|%q?A0WmJK>fC*dE)Y~DTfk?GqS zN{M~fn-^GNBs(XO&#_8e8(VdVo!>-$-SZ6&o|OWrs7$X%blL zHRH>DiI*I3VC}9lx|I7~h6)dsWl6Um;A4Idl6&s&?HmwviCDcavN1hbe(QWcgxQRk z#+oBR|EFr;>oKK2q%5n)|3fRrSQC1t5t`6afsnbrZ5XC?LR^#6RLb^;=i~|j(xbdl z14J<5&$)U#^A?qB3JkkW)srQ|>o5Ct{WX9G79{*rxA%KX}OR6+a-0SR$ekeYM)k-PJ_G?Z*** zG`$Yiro8)6I1nLLpGX1yU5TUU(~@E*`bOF9fR zGv3UA-Px8e=$}x8O*V_{&j&5)_6NDE;x{UuSJOUPe3x%0uhzkN=Z|+q>X)OEW~}Nc zA4F&Ts>;|N?dp2zrgfO5$%jSA>MAy>-tlG78iWy{esRDJ;{bEv+a0hqo~2aZ-$Cf zOEkIEq>bkZ$^oJV_uO@ZQ9hk9rO}algfPsZBrz7QM(SHQ;M_$1?B*%{_Fx}z}^PJCiMuUQ~P(IE$(F~R4Ej@oqXY@;4QaxF}P=m44CJfz{# z(PYDyKkmPyqLV|J~JFO^{B zwbtVssEMHp$Lzg`gjJxM?0mlUcC2tJ7t=zg(|#|s5I=9ez|IVW$1hyJDXfLDOZukL?R4aoS6(=>pw?P zS^=Sbk4`+?7z8GjS+8bBe>A+ud>m3C@=8?&CDAblyiNX{cQGFHylW8bEz znv_+QK<>6-g?$}?+ekdBY?kS`h-eETm$-r*UMWL;tRDd7{jq2YqLL;E8<u?KU>rQg(j!WrIs|?h373buy&0J-53~sCTB?d0uTv7+is=R$1*tDOSykmGmWz$gs zFPU)$%OccydF&2O<`lp0t_LRFY-#Ibv^Q0K_d^eXXny0{tg0QxQeq0Q@ zD0?RhCxxH?z+@{a!DNe!JHdR+r?e+(V?&1m3LAYg9mUes$T<0GE>@-h8`Ciwl%J3@ z+uTTJb9KbVj^q+#9`9YOdcV!hO*&x+!*RoFNy#Ur_P)Q5<#nUevm)T9zL~`O^))I| zWrS4iP)+1Ke-Hv1>(ftk{8>ZGe({ljY5~t_k8L)?q9y4rzCBZ6>@Lqd47(`F6No1fU3iG}>rE6UGDR7E2ZoVp3 zNKh1cCfZ(PWX$n14R)ne`l?vj@#s9$06luiDjsLPU=JwR>wo&5k_ys52>PHr*}nB? zWBk!o1()%j2&K_R?(rL4QvSi=SH7BF^gfH_x)SH5Qi8>|rf9fccw%rlmfr-;vpy-! 
zw$x1&i#^ZyAaQ>2`Cbn*%&f&}xGh%JO#FU_=Upy+R5WfEcQ4734|nv!03HmU9$hI= z_0sT+q+6c(t7|6KU^A&N1x?K>4jl6mdbGe9hnD*HhL9J`lmmf}S7HdETZl1Yd&!yx z2=eIiWW>AND-ulO0%yMAcHFU|gfrUX-Rt@gr6!sNPKNZS1gsvP>w^U6Cp#X(+JP7? z_(BJAdGcC}dEey+)iDwi2rD!%(IQfm&PO9Eax~g#DIf0HA*(%?E`BL4ev8lgZI_8) zRX}`d8a_=rfx?Gg#}!e~+QNp1Y(oG`6UFE=ggKpUtsK&FL@|+^s+smP{E*zzZmB^L z6E=NC-^m7uoWpsu|KitPT}p&Z%vOLx-+As+AY^86dzI}j!rEOxJCx(Tu2xsjIyLK@?1y@v)zjLIy@8&gKl3T- z5S9MU-~X|dO~4ytD#;Fp&ku3$Tp;l0Ag60V^LzQ^ljkn(Kdw8Nw9IsHaoIf%F`Lr( zc&LVf6XzmB=~U;$dH(6zoB4T&u%(b*Drc{&(|CdEx9>aNhMNiki>nLd>sD_EOmBsb z<7Dhkb|-rhEu~rk8PiFNif%f0F9x75$jS^xDXkD%FicG+Jshk2pJmknQ55T-_hVA} zyBHrF0`lax(v~GMFgY&IwX<8jeeD`WH&=oAj`+Y|%Hb*CHqMJR-9!gDe|Ma$KEE;# z|1Cb@vuXBDvK%^LuHzK}6w2!hU*UqcZ*^!5!FY3}t@NncqV7XX%?cX)UicL6tY zC+iEA0qyD6h1>w5#^Tu2oncD0oIbve$;Ct(M^sAxbZN@TqI0PnSw%(m9`h5KBL!pZ z4Mh<{)P;m1^N$JJsB1m;?GFeh5!=koh~DMQI&IiG&^To1MW8)Pq1h-V3j93pHW})4 z(SW=ShQ)7vFkZ8$OzJo98vIfC`BVMYblQ>Gp_i8gkxclBDxq_nrrBe*ZFL?XWgGNn z)5QO3a)5u_lWx|2rC|*0IT$B`vNEb~-9X~p7u^&#xgGV8=vgm+fUs07N4mhxd04fY%|~A=FC!a`1gVXFHuElJBJYO3K?deV$KI zTA|bsafKSVoC4I#g(kjZ0b<@+8e4x$oAe0e&Uhp}Y;aVO)PzTF$Xc8%3J`8N8-G#C z@wl|Y8cSdCaUw)4T9n8u0xmB~&|GV%dK9ycKWmEwJe=1*hYjC6hkA#cOxjqdXPI%S zFJ2x5zxh14sS}|E{@Dk(+s6pbUFsM(u6=^JZBggv04k{F3AwiwW)WA4GLQsvH++M$ z54@!jdCb8qo4uTF{INtDgEp`eqWbEk5owfPW3qoE zmE?nMu5-2TZ;s$@|6J5#nL&WY6&^Sw1#(zZo-m&m27O zVrP$5*E%c(0waN^WTJZnQHlp~u?fSV{%k3YA7;mvMggkkdae{B}i8289k*RM}tg!C+vIRp$6~bgt3Q2ubt4?{; z5GW54J8N`Z0;dqW3++jGWrRbkmB)hM9tOG8^M>jMN!OCXpC@j# z<9FsMTDjell>}$XutQu-0#zo*%Qj;*)zpGvO3HSGj$K4$KRhlQ_)NiHy7o;d@w8~& zQ}sHS)FIW{diKf3R=7-14wH;E?=Me;;dX1&Z;@ifqB9+-K=XVl0M^b##GU+zcfqH9>UrUBf@m5Yo(&fcZ zr7t9`05)I4r0vZ?oc@fZE`x7m6vuDw&zwbK>i<3X8{w(7xrtM#oe9aPH`x(xI4wQi@Q_YiaQi{hvM#D z+}*9XyW8FWcklg@$tIiZY%-FWbKduPe#d}{wxmxV_9Kd2l=$$bMgc8I+mTT=o%B%@ zNPiz0{Xup$jqx;nvqsb})PS)t&3!_ZBJF!ZG1_ddJp11u2 zCn0aoHvHSnY3?j$=aM;C_y^j;5MCRX>xcg*Kp_Qia~|613RgU6fXQj>fW;Uf2#zh4 zqP5cM3yR8_rG;x9$+5d+PBqvw0JF&sl7J(io8*<{4tEd`bg*IzM|@sNIjs&J5J-RR 
z&}RIhtHwq5=J`WOtlY5q%FmQ}#tehJ{nx}-V?2xcE2|+KNY+rUA40iD|MAbzfVgTa zs5Hi_wgCRSrvJ!wL8zI+EYnL$a9YG5tiorYWpso;5oF9O|3f>*jPrkRX;_m;r=?d( zBR!N#m_JLKC3>N%V=D| zlMtx-?LtnrkJp6sOS_rlqsK3bOHI zOWO;d4<>WO?Fl;Z#&pk@!^i2294NHIdmt6C=*GFNYUvAC z`=_wIplqLf<}v>R(NUrJF#zz)6KjJQHH`D4+_rBL(-%BQP?BP6OkCDQ;GayVgX0jI zxZcxO@g#ET(E)}l^VmuY{Mg_mj@*YTSl6(oDwC|jp*^L_=okp75L>9B!k$w=gB)2I zpurWUG^-J*ZN^_h99AdVi5R8YzexlG0PNwqMr|ob`S0J!prRY>RKP- zFJYX^(l>^%Cj!AQiocUayYju&?9Jy>W++79ip^z2^)jiNV^bcY>&EW60;aaR(+SCz zhK3qbqMm+nRINS!zM2YC?UxQVtWFM7gkfN0WM^fF-yOQ$o8BSj^W01QyCZnESXqvI zv}O2}L*R$O@4$u@IDsC=iu`<0#iS&Jq24S3cTkn9vTB0b_%e^nk>>_XoT-jJ~_kwB_WEKy+g6Lzgk&M|L82QEH3J& zU~sU+O=6B9ll5Xn(uviU5#d%|ke=s=#Eo$GtLrrPLDqQ6SoNE#7CUOomDBA6&u~B5 zJC#M&J+%`t9Ro`;3K93n+U0mMwOq0sd({Ru9vLf0GWIuPb&EVp=iQIv-$?{qjQxrN ze7y9xEq?V)E(Shrl1^h|CNncWb$ds?E8pWzmwXU2^%Ljz-bml~J1*V}-DN|l=Igaa zUShHtl1zuthTk$boLUN%t$Jva>CoK+jRcC-&|32^jR;bc!(Rxq_ttJ6q#@r-p6S!P z97?tvXHT|CzTUHlVYqv@9Z3C_b~2BZ^qTuQ}`+~Ab& z-}7uHL=*8WK+$k9f2UEzXI;|wN|Mj!>>ZChnMHN#7~}I67kb`Pd-mS>u~KJBgexca zesTsu;dYj);MwQ-| z=1r#{@8_nBBDs{w-a4yvu!;y-8gWKDmM*9QtwW?-L3O@>VZUHe{#(}>Fg|^w{B3JF!XEAPfRR@MajhgAkMET=I0^P z#ZBfq`pZ&vQE6l$1|mNqgC{}%WleEm4JOP`fBB3AI<4nEhy#f z_V_T)4}s~ocO>V9CnGzVF1VMc9UDA95ScQ{L)x*WH58ox?z*J5)H)ZF_4TyU-5R0Z zH7Q)nlhG(?8OuT!@(9Dr_`VlI!e6Jf)9YcR;PWS9d9d#Ls_5;%zkjK2jVGt39<2ru z5fR75a~|!w-*IJv$`p7DPlb1K7us&@wz|}W(s>LK5s~^Xw2VbmmQ4wD{mT!W55^Pm z3_T?xBHtS8!o$NuXh)5{nuQnZUWzGK2YB4@bU*vMT;f_LGMg(Sx?3Rfbf0&V7N7=hphG#WaMwYqSt6 z9o=tmAqHx!AUe9LU;vRjaO7k*rdcZkniSh3fLjl}e}Zh%_pyf`-D)> z=|KP|95a$gBYQZRMTJVXTDjIV))9NSTi`Rw$;Ha5B=iavs(c=(_^i)LYcj~V$ByI$ zY@!M(d#-nB!QnMs*CLgu|C;BNy_|0qUra~NQo)Q)8l4O}+iAYrPj}iV;qt0Ak-65u zPSaDj`oMEsGy36}5c*}_j!P1Ls?lDt(5U0(GBs2s2TD5xH7q>9O zfwY_?o*++ zw?*?E(C1y1qvN<&F{YR7vGaY+WT7_5!1n79=?$o%Gtou~yY(10NNsKs0&>v(2_U-l z5}on>Yl=b)ZVX&uD{`MAy%MZU@OecY{zpA#)Vr&Nrc&y2TDjtM92JRSXdI>~Czt0= z&Dnx<@QPFq=2DXgI9ND6*7_riH`?xRj?E*tHQUD;y7Ke&l35Imv-ymG-5lJ4Re|VT 
zq=8JYX0V4G{xXpv{=hw0o!dslyrOgoj4($S{G;vuRF$pgCi_h>KB*`N%qpPVgDUQA-!hFNugDX!nKlx|)pgdFB4E8zZ}OvP-Y%`; zlj&)=%z%>Ln-5m$_@!hIEbNR!Sn<7H?`FMubu)e?220lyRO@Zb+P1LJILzm^tUFkZ zh{j!Fx!XH97)>Y|GeyMp1ggVQqpbK&KT|2ffXWW`!mZ0lECNn^_S2-t6XzK|u1qJzqfAU2i4OpGK}zO@I(< zA517x*ayyNRgIj|RG+Pq3tW3+a<%I!lJW#P02hydkY@DN~Zywl%I#%hYDGg zD?#=9Xt8e+H_B+?_p@31R8Z3F5IbqpGE9h5-uDVHJT5Q}a9OfIHZcb76DKZ##KSB{ zZAENQCME0i>IyIlx@7_YB@cat?^6S2j`$?Sn!K~yG>y?OZdKT?5DXscT zzA0)$^L0%izEz;n{rTFO?qW7mkdlDHtM*V$o|ugj{tz$(q3hRP4xtuUSFl_x70JaG zJ#+*79#Y~%lCshI3NyJ@H#Gbc#=7ort}K?oV}htftfI)8N$>*il?DQ5-CbzWiX$~= z;acADL=fD9DpWqD;j(qE{PCi$>Ob%Fbw_Q%LK|S?o8|kDr!Ib>_JL_!`-!Qf@T;Qp z%v785(%a!SDKpo^+xEwlYkkjAS(seJ@45PZH>ERdDL{x~H+RuPQYW{i&4iGT_A>m( zV?*yhZK^bR`WHeiw+pTpQ#`Kwvv*n&{=T&`GU1yZ7_W{ST$-cv&QlLo`f16*}^ zS|SXodz>r^zx$t9%Z$T#<8MKWTocz(&X2Z%mMwG@=+5oAV49zFc#a%jzmDTeihPR$ zdwNW3ZZ;`n1nvIkbB5oe8@QD31!m{; zweL2!W&BA%dfu6TK|e^j>8*oNw3+be22bw#B;*u&*sZO;c`viIzE-X64AoQbRn1gH z2H}Ly1oNd?SmmQ_n~7&PFfKQJT<=cyMZ6kSvsuq^%!HIzb*wApP7M7uU3)mEq2$F2 zl+Faaz3_Z8TQAwN9p0trw7I~_FFyPyh05`^*1ACTmioT7Z^=p7AlDAZ1y7KYt}VP zl`N4XezOz157&h^egMPLHPOo12vh@2Hlfq9^(Si-z^m8Ssi zKbeBo5qQTirCFPJV6NY1*UbccH$xGrJ7!a!W_7m6mPA|fU(mNY@fnJ8HL30ngyF=r zV_}1tzb#enYwzhbLWnUkVU|ubE`X2Lsou~OvvDd0R+|2Vu)x=1g^z2sK*7-Xc=M_3 zFH_x|b7x__{$Vakx~*1?-k$9Kgt&Ew9SOkMsJ7zLsJO$eq zpwT(r>0Xw*xtEWd#evK1#FE@Yu81q@QSYj8ko^^DBP()oug@DUiw;J{hh6>W2OpTG#;^!}VutIe?`pJ_AR?tu(@*pN{CDW89Q z+id?SVxbi|Eh&|&-{Me)z>*N<TpG-+C!heZ zlVZb}pG!4m)1xL%SfFP)s0mhQfPehANFLK&)%>0&XIZ)NsXj{pllJ4=rv2_FgFL@RH*4)JBVDv-2EKd zaEqn5b)MVr7hrUrcZ+5yj>}(|Lvv;P$4oq^@lD8z zwm%g4n#fC4O)a_{aY#rY#&)ZzU+d;B$Tc&%xhHt|{prDe>tOD|DfTu1`UMnF?@Q*g zb!(kdyBYfV&Vygzz2>Hn>X5wdGIo~?eG;Mq(znC6TXSx0!tD+-H*IkVS~gk@epea&1oRQD=@jnPX&wkMp1 zik_9CgJO~4sgZWTI5`vaT zAIfXLzCk{q5Hojw?6dyrYRbb5o)HUuFKBTJdc_9RyQ0LErM}%A&y6uo-)Of2(hm$a z3_DE9!XrkGh73Pfed_!^Ddb_?h7$(HqPSBJj56mtURIg3gJAt5$)mPDliK5PKS;9` z4M*5Ch6b@GyH3q152pF}Ya?tKf+QOoRu2WnHjzWw-0=x#Ki6u+V|Ios9V&2h(#K;l 
z-GGd%N>!J_>ww>OFcIaWJCUcXQD%McJe6V&9}0y?NN?5~>TpXftWeaWRLW=L#S`($G4_aDvkkZZLktv5j^XMY41$OUB%^7PARL z#>dkt64T=8Ib^TA#90PQ1mBbh3nSVdV$?&(MHV#IBuz3!rCc!k@ERC!`sgs9k}qN~ zOnAE{+iafA^*x*{$W?VdSVieJZs?!fQgMHs zYQNCr;d49-qS01qL?N9eJ=b9GTOvaguQAfaAU*}aob{`?;2;AOr^*i#Dan~8@wu|o z>UJH^es4xSe$R39KCO^|yZR|yM1>5f@Qfujpk9}E(fa3t{g`mhi`UUq|Co#)HIM7b zyv$QI%MWD~D+};tP-|q6|HrIyD<`WU$ECBkwZ>&tbBN{wgldDUwmHJ5+eilu>RB)JXj@sjbzbAF z-nQp8z!6I2#QmgoXvkUQ8;NQYwp~cn+eJO@l+fwLzsXniaQ{7g)6X?Up-N}bq&!mp z(Y_tYIZ325S&fLG^cH!@*O&y$nA9CJ9N>z$Ioz)%e%~`e$ zAyzhhN{P1ie43iU#1Px={&+<*6KFOxXE0^1A zl1tY%^R{0d3s;W1^-0wV2mo}yM^~r$*an#)QpAfM-A?B^)h3H`?8qbzjx1;z9O%y@ z<`Jr8BdKDmm-QY%*_cN~o}o3D7t|=tol-}p5OM73+I6W+3Le^6{5jpKD&I8c2`tH% z5g6+Nm(ES0^JUu1y};n41<)T7X^_GQGU&^ADtqUmkab=Y##T3+i$vaH;d4F?Bq~F@ z`(^x4O?Pe4Ph|hcP3MwKL61NM#OGnUwR3j1o3-&aKHiiRO?=2&kY@<{`M!U;VVpfB z_gA!IwuZ`2SU<3Rcl>BjUlm8@2}eM{RfnkqlH=5+VGkpu#ph&P>ojNe4%j7Ua_6@F zSg7_hhYEdz=&L}PH5&`{Gx-$cczZ#Fm&X^SQ!%vlWbFf7JtD2|g;-A68GezNj#C|$ z>nr3a5W|#@87s^bEtXma&1q8fIl4*GwpMMi#XetK(j!bid^H4>b`+0JDK)dZ&VLW_ zIqA8C{z}Xc;K9LJD^Tl${#bXOoN4Cm&eNOo&>yrG?eAr})hiNw(RP9+&*PmxjtP*< z=s0MROx$k2=unsprMHu^q1D7gAzt1(qaQnZy6hAlV!cXimmdP#1-HygV_@*qMKV6R zHK+$mNpN>VBW(AOyy0Fbs(%M_A|%l`O(mu_nr6`>45#+TzAT6!2>{uw+gxQv8$|p0 z92G^#rCQZ-qgp+t&@y#%U=I^3k@1GB60n#`4El1Xm}c zVkt8u&oLiY3lFUCPgv1`Mv>kx&y=n2O}bHjFca+kl=~?)+Ytlf!EC*rBp+NuHSdt& zB5{+wA3mHp|3;l#{to<(EHMnLL~9Z~8VilJPI4K5cmYoxQ->4pvY45eepO$*-pr0w z6JVJmHoi3*_nRSil<$8_gZ#+pHK+4-2a(*Dpc{FL_h3;A%BemnbB zY>!E4PRI3u0D!7d%}no`epM*nQW{pt!y6uH?XNoXpQ#dR7l<9s0T=-UovEK~6vML% z=<2KzEv|Mh@v$kMMr zu|Ti|x?>teueqhvar)Xr@or3DZw%kG@Vq7broHKN2@S~OA)Ncs_NOJBg$@Y=`GcK4@obwecQDs z0lRl<`)jm-J?uB|wNEY$r5;a*ihiwZ_)Uo(4N%^0*-MC&Cns)-h58F;!!{XKu`c^7 z0R2D0hp?sd1}rA)|A(}&LWt7&{QFym<6SO#Y?U$IZ)<;~YZC5tp&xUe8-j}9M{Y`@ z$LaBeC(OPuBSp)@qtt@Z<6vW8AAT?%m8loSjF;`VgR=`7^O{d)d2&%1hN|4K>Rr@D zG4_w-bH(s+xBPcTgOxN(-4aV6I9f5@{qUk|R@dk5_cv_EX<|WhyKP!L=xnyN{+iD! 
zs^`+T$(giEYt{Ro@9gu>A*S`cU;2GDE)RTsPL+t^OQ4BPmyUwEf6KmnNTRIG43vuIqWr#D2%fdN$pLU)_b0}iK9j+` z@L#?D_URX5zm_}q<{%}aeSep(0{cIg9bxISNZ-emSGwK4^=wd(2F3g zHIFD{V|>pO!g0CLZkX-!Kn>IB0A+gRLl{}}zOn+{NvOLf=+0?eJaf5djw3>}5?zv4+V$cuy;y^^PE zba$C2n)Fsb{s1(0=9Lv2G6!D|vi##TWKBmRscfc4Pvy4#bCpx12dKL=uJCw|ZXWjz zJ08G)%=SLf2Ki>Dt;_%l;A*w1>aw_+`N4+)r==UUiaNSg*dFwOd0 zQYg*?tVhR}Hh)7duSPppDu;o#Dw@s4HhsK0yXr}5ZP9~mVl>^NO!cYJ|F+Vd(s<>( z7MYuxde}#YNX*3g-RXnw|4Qsv>DQbu{I1X2ev&_!%rb`x-gLS}8Ju6X3bxEzu&|;k zkVr(va|~#j*|rvu$W5Z`iCq>RINCuDMEE#>|GVLZp zAAC=nY&V6RfC6r3zdCMCh&DOBL~}Idh}GSJS8u0VWTD;GfqITB)L%_U#k~afzHAL( z!|45^N{1$b*RZk`qqso9KkD|xoMDP3o8r2MA<7&ZV;mrE-M?cKG@H2i~>oH?I+6Umq_MvmEHtI32&? zs#{0lx}P?kZ(gYAj?(oWW^=4Cj^EHgGwVA(BU@O+j$pB!Ha4K>LZ2@;O0@t8EksOi zTVh{pZP!CkGTs7d1_v4wm4tOoK3Z=t)?0N)b44CzEIHtA+rYiTn=E_bqxN79$&*W= zf()K$=N@pZ7DD8d%wS&_WIkPo+IA7&y>u!)$Aj#0m8G}nmxG8Is_{A`3_OeP0%JKM zWsP5egNCqJ1Q+d=;a*;fnQV$L_otx5jv+U#qRSYx%nWcffyY3b4FF@sVVU3M z`wn+oEo9OHtRpi!f0Htf3u?x(;IUaZ(FnF}FhY&tv_6?B@Tz1W0RBNP4)yMqiK|hl5S)H}jy6*|FDYaZGBMj`KelroZ6Km>Vn$G*I;#);_fvnyx!vc1i-R zBI&){1wy5TMt-+ao?(bti%||P*#_%rE!z2Bm5-@|Cv6(E-_F2QZP8-#7Cc-OVQkpY z7Cz}mpLQh;}Ae3#v?g=Y{p&0S>Kb_t=;^o~A^2Hld z;rqAXj`0l5&d^P4nQg2AOa)K?s|zg|KjwdQmd#~!0SD^1wY0O9&M7l4Dc@A++h^0# zT~WOHQwYh#Aj%rg34V{~eN6=ukePH4-&d~KyJLjH1?w*Vl@uj0>`(|^@ZjQV>>!mp z$Dh?G>FyWJeEOqm zQ#3+y8Fa*x{GjE+k03rW0_L0hC4JD(qkgo*5fQ*7Pp?TNRuIpYrxdR7r%u!1+SZGX z{&&kZO7J2LtQH`6AjC$RUtdO7!8Y%>znn4RW%sZuYM#C3jEsf3&#Q$h3sGG5F$$c- z))KgIJG_b&+Hp_9%$&?ciz+rf@mt=)ka^~}yZ$D|itf)@nzUVVK;lM1W~Kibid~VI zf*m}J%ZVwJ@``|h^Ilgw8Trw7w0R%x9FgU=Qmtg-4fCHD5nW=zulFoMb!Z|rZX*Mo zaKp-}w4qYb%4ETh5ECR6FxI zewPq6>722hi7*nBVa{gfex@_cijCye+tS>WT)Z{wiuf7UX^ew680px(ZLnEEv@kBm zh?PBsuqebv`%^A+r!2kRY}S%z;y4iwn)5kte3@KMlVc zCbzcl7S!!}`q8Q9y0A|pd%GSh6p!W6x*S4B5>VL{)n%Uc-QLQfEDJSw9Ph-B5YWCsP5RlE37`jZl!n zRYjw80gc!02*?aHr#{TqH36=qzIJ*m-?ppze{ORDQ z%<)q5#WGza#?v(pofxM799q|>?VdgDDaPN3+xA+}ppks1u8;^B!TZnC}87GinGNWjviTwAAUF$t5NO7Qpb0Le2HJPmVUw-@Hl!EwQ0}Y;YiK-~S$Dini}75R@f;Di 
zFnH%8`|?d`V@}_v#JsrOyzTYjtlO=`e&gTE#vfhRh^lW7%Pf2jSIUlq*rsoyIBe|o zCnt-#c1u$P-WuJIKY59lYyEOa7hRG`C$GPrLNMtxC>s>ee%*3?>}*0q_+W$f0%HtE z{*wj*??iI3WZqX8E3e~ornJP>OKM=W=1ofoz9QA z?7P=7ci->9a|>-lO-raso;qmCPI-8Iz19y43}=;Rj1z>tHi;KpKIg@Ad)?VB-E0`6_cDTw&$TJ2Bi~P(Mi)+-EaFHQejPFkWj;ks;Z~~mlCD|gvgztZLSa4N zSW_$-*i8x8hmveRR&` z3LTPF2xQ+Muj7j6jK=5-3oIL;S1G?2Jg460!?O3XCS-#0KsyZ{rBm4~Eq#aHR(|QW z&K7<^AXPFfXc6CbJs=3)<@=P=JMP8W#2SHlCQbKSq;SbtjNE%8Z%4kt782R}QtT=H zt05g?1K{%WeT6I)3$T-fjf(Kz?DyGnHrI3;`+4QAuq;%1&SIA7=uZq+OrZx_Ls@NL zCuxa*uVM_=o~g(-tM~z|#Rt5`G1ye}U|68UG3XxDZI zZWCgbceFe^)|JVw@XA>>tbZo??*jnq`htJrbb zmK`gpc|5=qdgHkHKzoZKVS`m#R%-YA^c4i|^4T7>+h}Wk8%5?>zJ2dSd;95li3&4B z>n5y?ZMFkf-_^Y7mcpDNN_Z8Dao^na9L?Rb3ojdORnVa+K&Zun%yV?~_Z|xRo2Eh8 zSc2=8by0r-I^N0h=Ui`oz=x1Wfv^1{TJFgbG#9^Xp^w&_``r=yezUmJ-)}}c^Yxc> z-}NzEaTr`?#;iSYHjk*BVKh#iq{cHZh`#-y{UB|+Gv;Fx8gaJxIsHp+T`V_h;hEnn zJZ%43^ZTsYi$DWK*Kzn^SqNJ^f~r)3uwMeeTptzq6)PGgwsw0ZPv z)=2b1KPxHSU^J%@-<^TNsUD!g{Y3Rh>D)tW@kDjE*+x(-?t$HQ&hvYXKYvwy6S|#a zO;QP-ot4V|yw$Z#^EnVAr_^ICW3#lrNa;j2OMifB7hUY_+>2&DKvr~hpFcMonsZm} zLTR<7cYNB{Xd4Idd?#ZG>(G~^uxn_=o&bSFvoN>Tc^d7l`ghi)y`TG|`))^x8NKIC zwi#oiLXyRXk8PS`XrI%MYrY#dPfm&aB+KykgFIaZzBjbK@(wqq)WLA1InK+?_Bkw; zU3#0jW6^?oOz%S#tdcFlS8AV9LT^ajR&uiryttBA*566(NVqB&OOJ$tV5UU`mCPl! 
z+z%vPm=|3i2*{LZU{)MA1c;F81y}RBM9n$;p6;?9w29n_43%_h#5eP{>ICJw&k4K3 zF;Imt_WCH^dOivV#_l=z567Mf{mw`qN|^KmlKPi0l}ZN2h<_yd0AfYuz8BZBlkSU!pk4rT34D^Kr>~>~6X=G^vo<-;}cTo@K~-YEFS%;n^>LT0<%n z<~IJS%bSY+s_6HO_Zf@YWT1i#z?kA|E9B8QO0->TP#1by~L>7Sf&ZS+JKhUbJTiS$v>0%b%^1p3uY~;b8 z-xaUVCqli9AO?Is|1Gh##~8&kGjF!vvWtFHKkgsj7udSiUra^)a}}xxk<7VMZD=k{ zq4iJK=hEl$ag_DFFZ7Pcv&g4~l;%MM+)ETU2coT+V^+0ae81Uz>}X$RYZveqh3wlK zYxojKZOTfMgD=|I^Z4u#HxIS3_UrQ07fAF#_R;%@Z5}8X_0(oQW$--K{UPxFtC#QQ zR`_vl;9c3F-fCY~;Z^i~eTIdvbZmJWw_rnnl~>94ZOC`{1}Bs&(O3Qy?}P2sdTVXI ztq2GH^ZSYt=C2r&Q(*wLMZZ(*scJLyKK#o#Hr{!?oKX^@gMel=PXI1FF#42ZP{enG zq37WQCvfkLP>#Sqf<`Pa}mikTpti03e zeZS|rjwy`-OkhjY;Ce*Ur>!_w4$aWOt9rro+LSLfY zf6nXrgKRnpJ<`>Z8D{G9ww~;_d-v)2T(({8tz?zg1Y=`P7~B$ z6H1)7Nx?@OkIz@%c}4uq2Fn|v#kuAj2A(bNa%Qg(FYk}T&P$J_hI1uq|08>2r13=0 zWLP-I8Pr`g_#h3{r@-DJ7sl0k{;{`61`7~<<5Y*6b=sgN{8d`}M*HK@$1XHC5Q)Rv z{!w24YjnqAehdn#^^?Agu*xBS0e{G27~>_6;)PgSMHC;RU2-A3xDcV6@B z6`p=n&(T3Vr3DR-mo&0E`HWQF@GlAneoagA-B^^`L|hFTXJ zm-V8V8J{ZzV}x ztJT6Ef}pW|&b!yz|QrX9pzwx+E zLE?Wp6I9YBUn9Xa0E4_*-!kagJyUJ8`$Cv#SbrPvaSUIg!!Vr>ivIM6q*M0g@^MlM zz~wBJ&UJ$l3kODOV#2PjKF`1-jEiqSZHJ)}qO4i&Z_EK20#SMR*TR7Uf1u7`U{}+w zWd{~nwT79hcjlA@z8mE>?}__bCe%LEqJM zY%C?HdU7_j6FFVP23|7Et(yW$@JYx9vSiiQ=Us2frqKr3r$mlOs1Awsxhr zs6_buR@C(i>5_G>JT9{Qy=<*^hTYh_$MRYhDhUC*fq8V_$;{Fx;72Txq#5R!y0xpq zCI80Hebr<9BOb4hI0yuFn(3Jp>MX{FDk`qhiU?{0(e_~e5N>&tMswZiCVLyE`H4}A zx!*9-5HN#-Lq%dkz8#hfmaCCUYk&qwSNhhVpaSEAvd*6zja1W|Q24GyL_t6S*WV;E zm;5fcY#P|ahpr)R4i+v}u?-ZEm~rbr6;GF2;==@1xupw>2T-A0_${!lG-tWCT4WLB z@X9s3V^RP zI?#uJn2@niVU;v5+tq4o8a|@<%f8Rx@jB;N6%_?H}j?+6Io`- zMyy`cX0_cUm{9~HH&+J>@f0yDPz-AQg3F~MeDhCZk>D+(gKn+;``LJr+9Eo;VMc^F zU_8*Exf2;B_T-2=*}AMI;-pA;kwn?&2zQ(3C=l8;unJm3oJpGsYmIvt#@sSezKkLu zwdZdiETw>=O2J5_`p92vojokuj3%$tJd%0-(FI8iA}bkkO8HO<9>-Pal_cPhHVoyoG4t(MS+T9*DF9J0diwV z`1lL``ezpw@?7PuwQk_!xh{x%x|i6GHuOtk2wk(gB%Dezse(62wN&CE5U5~iaGB%Y zB+O+F54bdjL^~0Zr$hO1mYAB67SPT~ZDPsDW*!`ViQ4uh;bA&J_4k9Ewx?CF^cr#c zd94eTy*hmJE|2`EX^rz|Hhz!m7BR~CGGbyVY3@?*GvJ!|oDj{)>n~aYhjeWoj)Q}w 
z_Q8)sp|~^P{kJPws0kYIQ{;;j{Qf|Si`)0d2agRA9|S0CbRDs_eEvjr!BftoT$Q6- z_YswI0I+mF``%1gW-#SDl-3XLqbv4G&=6BNw~@&`<2<`{<~$8D&JNFfeanZdC_qy1 z^c0KFuYGTFohDcau~FOSKwk3}AaBt*T&csdiBWNsQ*#|EqPQ)^WLpWf^^R*&G9u7ykUX_61+(-Fz4>h zMaEvKxf5bTu$qc32O+mB>e!%bCO#AO0(oRQ?1FX4t-Yi~s_l;2G%MilcRW-tBSSoB z?CPjp!O#I5nZdtU=_lpdJ{ijwsS1EL< zSerbOE3|8&8d{}DD1__CiMo32Xd7gBkn&*yDo@{Zll5E2`PV8ARgzaU*%Y@ffsl|Q zH8isV$^fhYh+oU$n+Eh2By<(J^jH~-5jI-3=kl8FszVK1n$dyvS0(S_C_L5oSXmEZ zq2P50&w7B>ch*FUYh%7YxV{~m`Jw}b9re0B14a;Rk_d?BalBWnTu)_QEykvmq6B^| z77w_h-e`MQYmF;~Ts43fD33oa`?-CO;|_SEUI>^u5B$jEV9R@@YT)qGk{XYFKt4vQ zU}RF7p~VWdudC}u+Xa?HWFAn(5kTejg!E?JxJN9-cT_PCo-sXixLI@_&7`Ow0gfVN zrJBYJzKukVJWeAfli;2HYFkQ&Znvv6_dtQCZAC4Q`}U0+x9|L9amF4+?YV`g{RHjA zg1%xL!bDU$mjTMach`+*pV+nMM3aRTw$faqxovtex1Qve+B|y;vj%eKHNQqzC>n=! zDdaGYBC1k#xkmP8C{)5B!p~`0y_Q6bx*l+Mg2Ot~R=cU8Ub_^5N-5@k zx->kRUx}?r-CWzPb5ELWXnl<)tSo&f{{d<~utfEpHGc8oKawThF>B-W(o%a?7*aX) zDQaO%Q^2b#!La-1k`IP!`qn~~hcNM4W+1g@Jf~}a)ViGXSZcaAFR%iNuJAq-4AjH; z&F;sbV)}xF=W8zlSKY15g;-fnTG59Zd|h>yi$v(A&;o&06@iBTKMMdbz^|DM?LNSW zVDcNN`gV zci^<}?jL~QVMQB=$l5h~ih&03OU2Ep!An|Iu)w`bxEx+%nq3xGd=CyaHO_Ef*g^dC zMA+emX9H0L@KJ1=YC?+qz08vC$ zVDL=BKV*ze^kr55sehZEf8u1AAKDG&9+EVOjR>kHd6FSyv%t4^a~()0`7Sa9T&pdL zEb{NqciH5Mz>rX70vMuZU5AmgAC{|WX%@-#y^zYqHAQUEE;Q`fR_z4V+^Vx?$$j`N6506 zsvwbV1eHQ)_$9QJ7zb+r0#5uICExpbY$)d4T;bOOQQr>Ot}^;XRJ44FRgYYm5V%v} z7+u9Apln4UOvz*F-MXHr;`t5rU z9{2Dl^&2BIP)l4Z;f1zmOriuLTE@=#halZgIAcoi1~2Y9S;umuhBmYlEf07;f>bmx z%uTzClo^f~lH<2gpC7zwF6ra|2kQOV-#9w~||JmAWeMF~K=ZG{EFH5RqlCPs~QrRs+9mPpv z@aQ@@T5-jc+vgKDhiOs#RQ6YMf=LyvyRJR%b>x^CPB3Y37F7<-FM>1G&wV$b*LHRM zoI!uixa5-YnVzRSQ%MQ_gaP}cJoNmdMArPwj)4d8rRCNfkl4a5pMtflsZrFByzH_3 zf7p5ps5qMJeHcw}2=0>LF2OYrAUMGt2Eri0-3gumK|*j3?(Xh3xVy{XJ~-cGcYpie z`96W4zHCFV7=tvSMKerIzaqe2UP;x) zj8sl@IHpt!?o%OEA@NVa6xmYE3Y|ma4=BqlB|fYZ z=gn)!-_(~#CwM6KQ{r-JcpWqF?!br=2TLAWEyLNSW;FY3w5mlg2F3gE$lQgld(Op7 zl6AV=qiA}Xr@gL&RBx_Ka`7L^ngW5WCWD%Tsp)x8ak?rDad@xnXav zMV*_|49m){KOE+%xF<7`Mh+cGH2yFGVQCG9LY<24KPh%$13q_+xfHN}hOesK;+w)m 
zFb0@|FY>G-SCs3&_4@hziqm(Rprfr$PnaS{no3P2Oqtf!EeV{-n}UgwQX<&MS9JHm zd5VitA)Wx#4^KHGtkVE`(uO)yI~B&gQ*z&nnk*Kkorza+>Y{z%2G?J<-mq^v#WgW) zb73&$unnmiYg*~rpRC7+9Bo&BI$6(MZn$-t?T*YrBnmip>soedi@ng6eK|K3@`}Xw=a$eA~Yv#;8&Ei)_+Q`vLF%Tap28fH8!*z%)*? zro6WQ&EQ%Mv`lpZ?m<7b*qI43>k)uK>#~Z@;ZAvqknR2D=-H3`%V=xdiT4dNf=C^6 zs?ZkilL?H^$jn64B3ISdHGVvYH?$-Z z4>eGhgynV5D~t^ainmvit}FTSMf+Ww(&9W3X^=-wfs-1s<(Slq7!|UO9X4bT3oM)C z^sFXiJqI7m;2aY(WsxY|5Ym90GV|)gKEaEy%as?#Q|O_M4RZVO&T)WZGIRQ=3ZvkU zwk;u^=E6|In7Pb*kr;14SJmA1_}M@#@QnN5bvc5gajL zEryeEGWwJDV`mL6u~T`N`p^A2w>Xc;H(S@FjzL0^`RTW9>B=PxNVbLc~QPZ zzTOKYk4)BnkGE9seMj8n>Mel58(9W+du2nj4Nx$BdEt~KRLmDq{al^ehhsPi@FYB* zJz6H61wS;k@wHSK&Nd0QMP6)r)Lq=zQ5-z3EU)jMHEQR0&gFD{TYh=J#f?XUJ5Bp` zOC%usUbiMqEUISoTmA}yL46h2Dv}|*_7-*U;9En-kOC9&uMSj9{x5=oiL)d8OO2jW zOjAnrLFC{L?u1~WM6z(TcbMB~pn{dAhQ;;$!K0J50JN< zb7X(Q=#o6+sTEs#yjpfl07(u1DAdfmTS&V=2QT*t2ivCM4-ocRTz+yS zBXCiuO%$rCod(>&m^#0(CIDTEh-O;j?m00?TWtm;<~q4wCFkJ6Iqn3eh%+Rk14pMaJ^|G#Oz9t>`7Qb!s`f8o$qK? zxmyA~-ak5N)?c};ji?J?Bs6IszPRJ_sw=uqitxn7u+6ktk9Dc}ReNthh|lWT-?XW zlEfDwepGbgl+Tbf&y08%(ztEW$z7t=H}T#r9TATHq~ctVZ3viWV`OuMdVEF!)Zq`M z``f@gguN0W19>RT#4ECj^eOd z6uCnKo%?NSY)?2dWAO}KLMBexH6l713)zC~RF!cOwp+dQ4VBf>$7r!@q>L0L6&V2Q zLVoW-047LhSzKTF*?cvlQ-f$KMEQ8w7dx&G);FIGZ_`~F3xEYVrtljtS=Gce(vhaS|BO(Cb1qs6$4Zf^i++E>| zZnYA7aH59vGEl4qD+@w3>L_lw9)Vos zDk&PL6yZeEqX=T1)JlQeZJp*0?j$yX)$jJN}01hnoGPGfv+g$7$w04nWbOG z)L-T6+Kaw=r=<|OP)_}UJ4C^uj|VM3zfy{_)G&^RrHUQ`O#5lb(y5{Q8;o~GFXjq@uN zov~~6wfc;Sr_AES^xzM>aY_j7jX!$&qf9du=;o_iu2U%6I|+3Lt-|)iaYQhD3nakqM}TEZ-gA9d=9_Oq-=#4tPR3Mb zXcxz+v{a~&Ep*ubp(Z7hWtRgyQjrNy4pa}oN!Xhy;Du)*?A+$~oJj)Nrqf%5VR%+_=*6G1qzVZpujqG~tIcrL6I;%I~ zC68;e7X^P_z&uQIe_G*YzHgV-2i z6a0CB6sY_mASA$Z_THJ1E1}7uu3kK+>r#c-YFdPku~E{mRsi7B^|e-8O4OdNN##vM z`M5<$yJY~_1CxuQBYT|ovYa8;A0~_NeCpXpQ zuE>yW@YgQ;`|4*|n+cm`g$1_byfB<=aCss31)s3jO~83`P}3<%lk)}NitKfT;NIkV z?qhaW*mBb%A1SY+YbI%C@n^k#b_R`H-k9vYcJB&YngB^8-jYxoY}B%M8VFak;a6_V z9Utk_WXL406i{4Gbr~ng@mFAN%sl6~g-1FrcEOC>T;1P1T@P$FJ}>xMz4Sg@?fO=B 
zyt0fan%Nqc9DBa)^MK-7A)Cigo6cYph|?6=<=hhD2mR38*1`9(>ri(u-c(;l!bi&H zIpN}5)X}3n*^uNuK>bRVGp|oN#^mHCbc^FY;>8fGh5w;Kf;~-v;18B%>R#9Gs=b+0 z$2rDnQs!PO$_6Qb@f-P$9g?kb|3v z4HF0zB=ZZw%VRjoCDb%tw^?55`fx9|s^mbBGustNfysLFSrAV1?@uFMu#z?>vlES!F*WG*wuHR{aJvvINRTN1F-1y zHfJtKcX3)lr0;0n-SjNq3zwdfFu88-)Vm5V^+1k!uG42c7bbS+&FqdHX$*k43L;ZK!y!SI~22cLQlxr=J<@DOvWuPhuVi~2>xYtiU?W4>?NUbbK)137!@+W>ox2tKPlKtZATiM&we$A@ShH`zc1zVAoM zvxg#Jv^g}JuQX@zKfRZzjE6oTQ58F!s#(yH#+EvfRJ%|tRP@Wjcj^DYuKKzmV|AsX zMqabKOh~&j932dx^1z-Rdu(61I;MzV(YYY?33Z816y+ss@LphUtz)KvZMvtgXQ)Y| zXzR=bXTB3*aja+1B(Lk?4oG%LUoTZ5rpuw)(PO~k4tq?%Q3#`<^B`wWXKXDvG%|>j zCVX$n*i-;o=T6mdMHN&^Z}5Bfkp}DVm#I3}?vYygJH$>gMXfXC%iN^;2)wI`0GT^# zRvN9^AM{|1;G|z^;T%3<0^OMUA4uPlD;fu*%1_s;q)iu^+mM1d+jpSZy5LAK*-aYAf9@gLhCEb^$k6y7-w9JrGgU0Mu>O&NX3 zMGr$Y3cn2x8=h|h)^%hOMKS5m;g8e+_-_;u_w4b$$JkBUYohR8AKY!=!M={Hm+Bb} zkMW9~rvaApVoHk2`1@P*XGmgCmr+wfHXh$+^H*@L+SqcuCt~b@N!}@dnjZ=9%w#hV z@tf_&6!NLZ1oY;5*qHjji==~TT(VyuBNc?RWwu`^hM|;h-2V!)l%?velzV)%!xDQBPINR&!rz=YKYcDt*9}BNoZpt(%t&Zvs?(k$M zPVmP(>gDuqBCiKEser#5f9$GmaIIdqR3QO6qwx>}RaWf?m~8uu@b|U8ie7R~qmey+ zP-uVE8EPp|EYbKnq-x9~9Lx?#<4Kl$TXnq;elPYx)9b{KSD=O5tmaJ3!EgXHnI8L@ z+ahJ;`(kXG3MEjIpFw?O>^^v9$BistvEapbFBp_&WwVWYAZH5HP;0Pc4U|>QfB_lu zJWK_8QQx7ZX{O(L`8IXnjxC*^qBaEjnewcV_|RyvwBC zq3%>^9_wj+6uDtuq4}jKM#8$K0EKFZ8vg?@q1Phx zYWVBoW3=-fB3gGB4YFQ+FK52q)@*t*u#WBi2GCz?YzoA%7R=ue-Wn5g@$N5J&o{%Q_cf zp?Zn}wPr>0`sLS`0T|Vh?YHIu!kk((UM-tO$0j=i@Ky2gt~~ymbLvMPzOOtI$i-^_ zP)%NO+n3f8!aL1oVU(t-jAS*1^rc~QR4+R(7cK>N$~0Y7EAGnUhW`cs~ zDF?g@Q?iZ5IJiFneJOq<%vv`>`>(+TDu+?;~NzB4uOn9iIGI z0og$j*gEI1J$+X2M(jf?$}hD(|J!Wp_#CP!3#D&}rkU%~WWCXvgR9x?!huuMT{4Et ziOEXNm>1Q_1)vE)JH?cfMG3CUsruuI8bIDO4P$=!7VmmYqQ@fg2oT>IGVf$b3yD26 zsgm{Jz4$EP!wX?L)IXW6PM3x3*A}-_+KKm#Zslc5JS>X;~rg0yOrMSdd_?L@E;7$)KU6ys_6Zc zJsqsza9y>6%HE!98bvG>t`y4H5-=Q|=H4>dMlSYuq7Ie7bLKHYi_!`ov5^*h)r z^WqRHrHoX_B;aB=4Jw)N9wyLK`el|d-}O=I3pXFD54sja1f5D8$?PjTFhB_QJsXHl zK2SCx$a24y&CcrI;5~#WS5rJ{K;!Yw< z32LJ+Q(cj|74Gi_meO(jHrco9y`W_}Z}8tbzXKO$hvL%l+NG<}>G_k!^&3QWfdooz 
zEu%PM3uyW*c-&yHH1r#ybhAtGu`H?judiJQ%u<)2Mo}?13%HL#j5;~P6A;OeDX1&M zl;juZLRPEG_i%W~YK2M_+QnsrFz7OCfv;h-QFcjPU7cmiP&7?8-3JQnNM86W8>+3H zD{<2L6R<{g9n#_Va>|z053zm*hnWHOqk^=f?7HMx_*}tV;4Jp!n!dhE=p+93`1BR# zQ^87_4fxpQ71o3rR+;>Winqmpu*N`~#&A+s_>-FrXKXVkY;6K(I3=}X6$*jtvH;iO z?4oJ;@DI`ddd~d!1P|HB2TPoV7LjVCky6*GI5?_j4a4$>H~Ywx?GAzt0gz4=OU?*|8^AmK&gvB334eE+CGmn3@cFU82VJzZS=!?9B{y$ zh;42H%Z)x9s2vNmPgVYgKe?s$-@gC%qy}eiyrnv-$PR^bi#?{w5;J#OWI>z}L607( z!JU*B-LJNaH#|u4PPM%lBx5z^yPSk;Y zB!9k*-wrmrOp($S>FNM#~Is1 ztm~q-yQ1?qqUUd75Gqj&7JHHWx1bM0zr9U=cAszYtV4N5T-;h-US?T+TwY~qyKib^ z8j53y@jPkKTzP(i#BUcB6%7R{ocd+lr9a=MpR+xmvz>dkK|Id`L~jBl>maMXZ4c1D zR_giOZl9C1osm>RtHS;wdrNUQ7IHaNJt70g(s_4iCd%}DSN6=Psqd_wNU`$2(gr<$ z8xKQ^N@a-WG;eQ4kj+1x%VlLD{@)*dd}oL zM)Wr3d@DvNN$hs?`C*i{TYT@KUs~jK`ok8TLVwVjAP*01nOhIj*6Q=)>bC9Ej_p<` zQ)v{NH(2g`Jkm!En&pf-D=W+4;l|#Ppf7r88zBJxCZIhh$yty@|v?=3fqb|B=SE_iw)VRI&=xTHRaD*}*3k>Ae`-?@*pk z$owt^17pL3gL~iz`7Gc>7ZH z=ACxET_$p0+v8#zi*B7w&1Kh7i0A_Vn%=eK;b`@##His2ns@orVy!hWf=C%;YGL`4vjXCR1B{UUUV)$TeDCNQz`4m*1E;P&yRL(at4}Vdf;*`^g!;MdK|Nu~JNmSbm^Hm_R;-Cth2sjf-w zw!!ER9cbt24+H6hnn-=nzoj8>F4ox+APs9_KVm+gV%8oKK~~SmRsmIQsQAp~G{af~ z5xW=AkcfdE0z>A!RF@>-WJvR_u){F-tkxihF8Y&}M+>0q#jPL34Xpd{XM;D7kB{ge zq5#_eS*IxdcqlVCG2b&CW*zN~G3cmcnRGd94unO>x$L~f5lzH0pUe*xXF<@%Qp9zd z6A7~q)WJibMT$)z>n^4SVpT}vawTa!HGUevzCDj`W5$ZJizFI^ip+EL{c+PMf~KDD zj+sv{f-+KwR_Fao-_w`pAgq>`=pQ8WUZr z(+}j~)u-z^1+AcD(T6V4pU*du&rw$gv#1EN%*axD&@9Up<&<9my?9(hX6fFw8wu>Z zn8KG)4^V0Im?t*^`G|iBFg!GL2H?X|DQWG8IY~q*Fa@G!zJh!EWViYu2o@G;8(LAR zJO}U0`))G5mdFu=Z*om4*GYAn?!E)fW+}%u@LLiV!p}~gpH7D0F@-2aA&#PEovaAj z%$dC~2yXgr>p`_nce<;08Xr&l#NZLknR`UMZpx9bz%6axL2O-r4s-D4R8F1m5p=p zJ29Ysk20JX>i(1nu;A6FqgDB@ooKArzc!Q$Agz!Vo~FAj(YvgkY?EFbxMN8I{ZHa& zQ2CHe7VfrUjk|r?V0-#SHiG~lwz%2XY-3D_e%KU!G7Y zpDr@Vb1ao!;UI)rC%NtU(pgfs!kA#%y9R%K+X_~&C@HheSx?D0Ifm#KE;aU6s{6X3t4CnvcKkkm=A$3peddV0fQo*T@Eh&9sYTXU}Rh z9m418vZ4yq&W~l%94yF7v$Qwb!2^H6+S%V5&vJkk-EKG^WU`iF2T^HB*ai732b37c2FqV_f}fbgUTi9B?+;nGTYI(rV<8v!`blu7&)k?ZuJm(T)TM6SaL)u 
z`%BdMqBpM^C(eoQZY`=bIISAQbcv9};<`1wa_JKGh%|z{tkm%Yk;Kw(L1yw%ei;|> zzPIr_x+ubNC?;&QBI_3tqL&gbD4f94atNNM$=Np|Q1R{V8!t5T=|$Hjuw>Dhcy$;b0c|&#Tw|)4em78xe3S!-JZh2IMbBzBLb>d2$7(` zBVpyQlLJh835QCaC6z>^7RbFXKk7Q5W#Y43>KwVqulFYj#y2{ zSrWrUOdCO;EfLs^5W4?i0d{6&M03gS?C9@zrgXQ zyb+u0!Zt|3MuWw?*II>&?tGn&y*Um7ci=%)t$io^#ka0Z${S-M&cOAX3*H-iCImCk zo$)+dXRnVAC{BDXusnF)AYuK!Tq_Cn9Y%=ux@RfYpkBX3GZwaeJ5HR6i3SchgdGX? z?)SR2-S&LnHcT%57WX{h0We@ggSbuz7Srm7k9!j5>vIK0OC7@YT3PD6yXmHc-9WGn z^vjuUMT&^W+d$loEK+4>M7{<(ZWWcJyhzc zG)ei1x_+K|;+2Q|5i1ZH+0^*!G|aSK>nU_}O>E8I4v`91oC1TlFq`reu!D25Ss}tWtY;&Q~Y$wBjY9{~L_%PBEA`PLo@1MZDftBcySQ zt4Yzv$=Yy2I8g*$q@A^}oYtFTHlR#2FKHtp6^>UqF0luD)0#hOI3D4Bhn|*5xEUPc zi#d2yDvFoxR95vtYZ!v`NG)xba&4c)If2<67h#;I**+tCztN|4LlyrP=ASa%j!@n_ zM~g!RELcKGELNo>KFaOSp$=#O#o=|-9?YuaO%^2Sm0sfnnmk|anGj;+6Ji+MF_#!{ zG$m+ex(xg}DT#>NKhI35~wZeRru2X4Q`-5$PK#c z3#9z?{0-_eLbUZkS{rKxa%?Tt^&$9Gkx&Jowxx7#76pJFA_xFp?iZEu00^tn?BJ>KaM*(Xt{(ES0$QFQgv2?>e8?5I?j{tO5TNXwjIzhU4s^GHl16dU{xV$HZBsjd0ReDmE46}!aoK8yKa?GCq@G(RvHj zo(g@=6%7NcbM-93)o!3dl=%#)8&L-7kVk0y{~S^EPH z!t-yKTMKe48Yz^p>yc*z{-heq#RLtCCndi4zkd9yH~rYqs3NjB^3+Q(xYw_UajXz` zahwQfl!tAuZ;&Ncq*O`nhhJ5-$v9ik^WaJ``3B6SRBxtVXRUa8m#h%n%e&D1ErUF?oNuCMO^JRoOPVh)B`ox?@yZL z3&KLI7@1r|RopZb&uS-?jx2NmJpQBg{r6cJ0EGRNOlvKVeWZG*YoVF>ft%&!KNz1X z8g@*exvt0HS>RsOmnYjCWzU+eoOZU)eb)K|_0>qCfRgyZt>AXLV_9Yy1 zFd9o`fN*sQw&jTm08iXn5pnKJ52Ikb4TJxe_`aFQGhPF<(AyT?9q(JA*UyjNMhCz1 zF0&5Bv(&V`B=?aw@Lguw+KQ<|0=i>T_{hu@8_-}1pVvFNLi%S)lB0zGF&Fx2{n*nr z9T#*Mx^i$9Cx~=(9a0oO#vB{+*?l1Q`V^nyyMm$JU@XZo75&DtW*IS0-ZNA*t5P6MTVu0uTpX-vtA3(A+$=zoqd z4DzQRV!|5$9_y^{rj&NId31`$AP>%EFiV1)ME#i+1c9IF9!ldGs{CnE~QR2Un1g=(1RlwtApUO_LU;EUJM5L^7?-EDdw zM2MzHvouQgxLyvQO`D$1c9~SLOjeYKhgG7n+C462e6lyFGHiZ-WTX+_M~TFxilyR& z2qggh`=^;bui-p1e`)`_<>OI=(WN0xGgPHd>0y<;>4TblQLT?d1Zl{%4Njl{$ms*4 zVL$pJZa`FY`t3xnR%)GyT!?v%?Pu<`eIas5lSSOqeT_up4zbndTNGKLf!X~|J=Roi ze(vG4Ovyf{vyC8!1qNM(Q}^Rr0_Hw`Jf}!f;X*pRHgmF5Yu&oNr#W5ISsbN7qD7@w zNC{2qcKXe3_Vaa?_TuN7R~N!&2d?H7w%7K~ZO%h74jm1GTQTXkzeq(zv 
ztvcdx>wnCTDFTT#zau7sg9v5D=R64wS?(tHFu4Pa?W`6*n05BO_8nwWn#9S2hke8H6Ko!+Og%> z<#=fgF|#lS&iaG+g%4G8s`n1qVX(HuG+N|*4##1I-wX`y-c1&30(9x5YA?S|zg^P& zls?jEjLZRaVQaYYf|eiB9%mET3}7#7et4byU8mZv{d(uv+ao=AvH&lub-R}wR^Y{V z6)i@VH-Ks+wrLl2EV$@+4E@yQtkGYoBm#${$I5>AMR3Hohso!~>Ir0%1fN{vQFetB zJ)Jeb!)&9XW9>WIM!JYBxV0l}qe@t59Z!vHqmClDgQv{=JJRJ@R|_ixsn{|d7gt6R z=7ZWfe)&`Gd)bntQ}~(r!{W4P-AAa)9~B;gBG=2m7p5Kv-6(|z%~z3oW7gH2W+S2o zv|N*?y|f<08jQcvUTC8D*7)n0WFa^3>Aln{En&xJ$LUs@a*WfxaAT#<9)<@Ef+IhN zlX<~tR(#WLeyqYiT?YmX&8ExH;nAGi# zYKW$f8tDjD%a_Ly#dRYjTS6?di8Jazzb8wqc5OpctP4OcK$ zDAk?{G}!UajmPWt7j3inRGri^Xgo}uyS!taR{mAu{0%^!JNdw-yt^}Ke$EQ~qsM0m z8YKGX%^)T?EMQf(4%^s_>>J$&O9kQOm_M(G65~OdqS7@r1-oDP%pL1n0kzjX4o4E58kqhm`!^ zJ32KqtjQTP_PUXIc%s%RxVBWdy2{p02eOCmp@2LN7T>Dl2rXUoxrAn^wO9&QWi~Wgdp)=CX z_*MT88w3Y4#7|4TUO3k_oc%F1aNO zJ)D|MEY7}(H}r^xim&#>;^JqU2vUB==Zk^Sp-hR8?H^&TgVUP&z@4lt6Ni&Jil35U z_=Aag>5QqVN4!AgK(W8@NBaW}`{bd1P>Lg_H9`(v9;w9ILod`yrfb_K4b4sP)_uB$ zEyjCPh>qg%`AM#~x0l5k%R%%xr)=m=qzEg4zFS&KwS9}%)t&8tH$;>#oW$ zTD?f4AJTfzv;~Xjk?sR*OI*D;dMOXB>tXbz)9SLg;IB_$?h6O~vWUZRBV(^&hvQBS zq3DW~-$CBsDzs>;6LsVrwmkdeMcWe{5h>}}83eU(CH zmeBq^q}KgH#^H303TpSFtY@93>46k|@!ZT4BVT<3HHSonu?hLo9#{WE zbZV)`tcYv`KClp&=gH~4Ig*l+G96V_8Y*#JVtT$WV9WpFnZ~T$+>fxZ3k3sJmZsX5 zVfd_3_IO@>j{ID{N6xc@D|u+pnoXvch zR_pUlF15D$4AhAo7v{TW{x1nf;>AQz?q*v}w%7SHZ?*w^vpIDhUT6

RD4xGk){CYuh$_3N(O2rTmoW_y}YM6>zadiX_o><{Q>*EQ)zM1;Wq5<0J_;F!#% zAV=8LwP_hbnB5+VADC^mj|tz)R6#nJkYgPau9Xx1npB!^^yUrKNRp5Sn6E4qgB~P6 zaQ@CPXI7qHg6LfP;+61ek!pNMU6J@MKDV)#&8C#V(6a{`4`dlDU777&3*0soF4XYOOUxG3%e+R6Tam}~VJvv;=>JUy85 z)_qG_qAK_L=DYTGR#|t^4cUfM5#fwE{4AL24wLd#&~0Onlt(weCv8?D#IQOb6@TAn z7Ml63VW)6tTNkS9VS+7s@=`0+XG(OLB89H&*CvG%OoIe6hN3(@JwJ(IehJ0H2=zF= zg?CskDvj%N6)hmUZ9Z-hR{gD$&HqY=FVxJC9EBkROEHjazbCb32Kj#nzVq$;nuPo@ z^=MIOZgU0=kM{iTkmPDB8K>0QhP$xYMLfGG)$DUS>gap5J@bosu}|XaimM-wN;{b| zQ2cd1HbRl=L6?{}1MUK3Ip{o)r)Qyr$Jaemp~6M-;IY|U^>Tho{fp&hg#j*`H|>IM zw`cwEL31q2a0te;d9unF9&KDp?L&n?8ACdOb*KpD&kCuTTNnI0COqZS!GCWuUy{%_ zbK)cV6?j(}=nmu$B|Qf1&CKG3t}Z79NCaLV%$AMcW6T%&??I99lFx3-c_kC;jO}zp zVflT1u|Z3vyx8)^mH|%SZ&c)>axM%Jrj(0kjaHzu9t zxPvEc4~++$n;6yTK`Gl8I0Ag*MRF30bF5-b)x4U0*)ACePlQ+>!Uj z#ldbD3V>FG=@^{Pf* zcQq|p9AcSXgS<`4k)r!rhxB2Oo0t-Vh)mE})m2lqGLt5AooZB@`=)i}!8bbVOD`)g z`BLxO*jiqEn}`FIZ6)6)rpm|anCa zVZ~IkRN8J{#x$vrqVwSILMA_}R7t){aej6(@Cts>sVcY&pX%T_ZgF;WxMz9LoZ+>u zO)2VQ?Zj`cc9V0CcRrEtMoh+&{}Y2^ga+*l4&8`6Yd{HYvF zqA90%8KuiQ#^X8YQQ>2=J2=Ezc`_hUCKptpwjq!Asm^+tI&2C9S`1mZZ+dv(njL=wJY(0l>M4@u$rL12~V6Ms#boJj^HKhQ~L_C*%d z?PMkY0WHU1;Gi3hHEkX&Q8MF)?hw-sxl7!Qqdc1`?u+GRzK;60&DPCxThw&|I%~c8?j>p*--McLrect}Hwei^_LvzGC&`v-f zq>G3EXI^$pldK2;tEG>OXsBRmR6O&Pl#|jvH7hNoLH?m*lp<`%v@&mHLMgqOFQ3*k z+0lPr0t45OCBga7EyA#-s#v8)C`3v|9)}@}W%*t+3KXPcckTh!E-*vfgQ5DbWl@X- zJK?2*8#J*CkJq6*=Wl%cHmH5?3Ep8ZW;M#+XVIf{YAGl?WT*L{W}?cN1973jgAeV$ z=q&>Xm-9V~+cT8}Gl4tfpV*MnPY1bLFQbIJ!8Hx7r#(x%23N+apXw=1XY_-Qo? zcQaxc!mt#IOjUY)KQ@bp$3}*uWSJ=7HvjM__}9zkr?v|bib1JF>zBbsJFwjgav0u! 
zD;Z+D`q6B{yTV2-WC=El%?1eJ^&II~?bW@h+R9{?8e2%p6V|+fui2 ztDbdC=>5O_A^)1qrU?5#OLi&{9KJ7ob9?Enwbg>hJr< zgy5WyGp!Ba%pwZ5^GNIV1B=hjno0TGKD-DC{xm<4Q|Zv70zPDpKM9eR+G^Ov{9vmT zS*+6_es?!08gTmH7vLbT)Tr0wQNwJ|obiDKuycW^U2WHq%^nt!56wFD$2|Arc@tHG zJOITKe7Lf8<2?E;8UA~}vD4wo1jyygukk32ZU#tB=kOy9q$Bt(<`03tvX zKMJIEJlOeuzA&rD1jVAYmn+X}Z_aPo4A_R$v5un@Z=YO!<1eqT2T@;Q49vE&fAtsp7}fqwJi|-2a-g9%Q#r~axj;&~Z>v`DIQH>AJ%-nJ*ZI5y@|>Y( z4-Pu-Df7~gAQ!Ze;dk*;h7!7E1HIo5w)%YbJh#bg?-lvIZfLGtBhk>&laonoTP0Xq z-13^i=w;*D3nss}EK@5h`D5QT08Xfquql(0oy|^wsor1T0G+N~xcZfGa_0BrqKOd| z7;+-A*rl5Uy^N|nv(yHCXv%EbGLN32PijHqd1)TKiux;6yA1qpdy?*t&Sm99^IWy* zmd6mGn%OvpH>p?#1k75LP|h>X&kq)zi!SmY{3I*#B)V#ZPa%#~TTk6(@9Q7S15_ti z`1UVifR(>?^mxMb-qPx)R$1l8OchVC2)78c=zrj0V!iwqWn%p< zBVs`OI8#A*UIX6m%bohNlIKLQGgQlaVI4b8AE}fC(1%h>n+sYdqbyUO4V-J3XXlsm z(tM;=&U=3=MUdoMZcTlgs^*fBc$(n<)A`sD{W7CD+}BSz$i`Ar#RMf!t9T4roiaZt z-2%d^Fn+@RdwBv0!a)fE#9@t8hw%DHaN0bHlg8EUu3=PN%QpJNwlNQoFGxsDpMd6hyV`#0`10eHiJvu#}@m5^>WE zO{^Es#U`|H(Q%H)LOQ!__@)NAL_YT-rPVN3C%e`)`?6s zE>YRr+ga=wYrwUQrtmI7KVfWpRi}Y7ws8SFpn0t!qZpv%BFKdHlalR?0Q}D!0)rCy zGx=ip9CRxmr0-Uaco-E!4sZCN;b=^0AIu)%U2Cwf1R~G5g#=j1?q=oH$MA%7RFjEJ z73{wsz;vChe*_mBQ(J(}Ra8$EoQ1M)%io33_7V@qWBkl#1jXO#~w?J?&?rvXtf8VwDy=$?OKXOR+*)wP68QITZdM@7Ed&^sDu(!DtWqJ(o z;%UUEDEf=fp!zP|V?*n1UczH`VLGq=WLD0KbHGj=;@SyqC6dlco>g{Y`({nsDRUd2 zU+#`ajlk3rs$jtdSTNSnA6=6R3yq32=+shnV0RP&*8Eg+j#EB7xN`W|*+J#-;OFw@ z>Xr2Mb6RC`{hPgvORg&Big#X2_=0BTadiafKvz( zr5*=_Q(nhrR&H(v|2!NUJc-m^sg5ipa9GP;| zSsW`2(Z141sv58^o%lS5Kbefc$k9qU3S$wW(W!IR*(suUXmuJ&6+lM^@?XE?|LE{k zC~rZ!9%$HBq{G$P3@H7`mOApgUG<$aU-1)!AN=|DxkA{tvBhwT06hoDhN5;Zs@Te0 z4LEDY)JwBUkJ|QJs7{yHF#*vn2ZcE{%7|^d#vAco9^6uJuefQuDB}wYUm@~GwlKVt z;f6MCC1HwDqR&OZ6k&e;@?_fRqv_juj@25YoGOFEcQ?<%Rme+r_qSD0SXoit6}k(e z;tYP2vR|)nYjYgNqD^NTmYQ8Lw;B16Esdy^uy0(T+9&E<%oWtFY64z2eN*W)mUYLS{Ujmjh_dy}%*L|xxJCCtg8 z>7K1=bBEb1cz6{MyJfyRjo>TLUrKRYa4YjaupHW%>aH&N7oM=f4BEn`z<5UPiqnG8 z18hzTV7sxs_g|=WI9J`aS>+lKXm6)Ncs50RBzJ(5nM|>LiMVa{en(%Q9*9_-u=(L3 
zplL4w=rXNcq;yhaa_#c2i>vvaqSzFchtD=5dQ1TOOrdMnyU93vvsv&~wcg0if>e~G zG^Qr-?v~ZWa8jtBRB2I&-kM@v{i{enii3n8=jAH)b*L*o@dmP1AsSM;?>H3xc>7WL z*^1Y21dxkww|KTawSl?oF6DlY=~ms~cHhi%q1n&aDPTUA!d3Q^Af>@!_OnILUycEnXxq%837|l5F51AYUI=&=wY1A`uq3daeiH z&8WaIe74AbazvizU~bSgQx8S@A840D2~GIys_sUh$1dQ#+jT-{t#y~ny&W}?{&3=I zkKLq1PC-H2Z1!GBFm~%-BZc<6H_E*fI$zo&gUgE%h*CSK-R-Z}An-3GB3-|KIhbbh z-$)cu2p|b!0R~O_1l12)AEbzg{Jl1F8YE8699}ceFDD1k4P?NlQY{8zPX&4Z3(}@N z5AuUhv6GW0WExnOjn0x$kR-;BWxBZ!4F&l`5uHQD4XXlxCiNwGfq#BIO$e!i$ZCs? z9W&zJl7XkRd$F;zlZh76?+hE{OdSr+6j=zONFV$E5-=WLSSUfVj}7DDTN#r1L5%hy zu6++}QUzECnkP;#5*Gr~h%fycOmfg8J6TyNhR*tliqWqOxl@q{PP$dr^&BA{1RJU^ z1XO=wleX}B6fZZ~zXls`IHZwxX5MGKH73OWM{TE%jNm28zjPa+!vFU-YV;>pQ0FG8 z5v={r>#uuC6(sOx6p>BE_RH!j=V18z$5OBQ;2~y+LO)hk0<5pLr~1G8EfL)}Mv5c5|UZUG{+`LvHta%K}V!hBUCFnMCT4M zPTJD*$fo~Ky!@|_Bq$oMZ#@6cVxq<9>0_NT{qQD&&UT$s{ z&jsJMa=jY8VgCEi+mi~z%6X=yCs&9HJsvna0Rs6`Dc!COSa`j?hiUrcPwnN@-m`zD zD|}<#bvR){an|CYXL89De9`w6(WZhZ+JC&X=>P8)-apR{dXQiW;|!=g5ZUI6yMfr#(M+T%H+_wN;b)lc(& z8;DvAqRzntO=VA13fPo8*>h!2TWVE0OueP>nn7MI7qOG03jDuY{rBq=L@_gWXxzor zEVug|h)S!s`iZKj+|S$oRzx7QNJZ*C?QZ7w;e@H!N0!6ZcaHqBuYd^1uBjJL6Ab_i z6p5aiH*H*i&GzBywLVj_vw07Hpo^W@xmiZHh}ZAxKjE3Z=OQyA!T^??}o&P5jP%oR-eX0X-i)h&&s!D~mT_o4q^}iy|MC-!y;*ULm zSG+4<`;%6U4{dhy3LWmu@}KrV&=Mz@_M+@NUzQvR7Jqg0RBAxb2N!FH56vjbFo`;sK8d1=hjGuyU8o_x1#lk!z0+#DF=}Co2 zn|mR5mh};&>N8M29xD9_eWF;1iIo#yoL?sGwJhstw|E6Lt^9WjEW$#WrHGT)CXb9- zyj5b=chRfkz_4+TrkO+s=heNxIj1VtV%4i|Prr0a>(aql5FCo10guEGpRX>CA*vCm0{JQO$jWdR?EBKsO3Fh@RRc-1vZ-27NAK z!>IquE{YevFxxKAL6}VUp;6wuF^?IU-X=c?3*FpZ=BvUQe1WP12gtdi05AU=O+)we zd7s+_pSVe9krl7ROphI2f|G&gYqjE*jU<%pN?mf&;bxCPwB5la7DomJ=kZJnLwkGc z3T5UJf%n%yfv|oys=4>0BfEx*q4$!~QJP~)iY8NZT9tr1BQejLSxxdj7BWJ*0q7jd zSDSAz1XuFf%NO1|;`I4O=4ExyM&1-X;~io(y!PWScG$tMpGMh!Mzozd*8$#k*>H#C zoSTz9bJ4lXD4{z8F3l6$Ldj9|dwF7jB^Pe#QF?_dP<{3 zeJ?rXPLzY~#;rATDE zH&co|NROFHR1z`GzHizYkTZv^`I@B$>}=)7?0)WRgCc1PF)$3|D3+pTKEHW7`ftBj*78wwcBEav))i8cd&{nrf zQjqY2uNUsH7aJJJkYCl-retZQlK=W#P@H80o&6i1hHk=cbOF*(^} 
zsD^uH*$$l9*l2l&FR*u~7VBqspFL#(vGiOS$>RIGJ zTBC^Rh`v_{3IX~C-+vfVRR300R;GJvptDuB^5f1;n5OQqO4Pq7uaes{Orzm+Tb6dv zfc8P^oVK@S0F(K9ZSjuXD97mJyl2PcQK>Cs;f2_t-H}l}qHnK0yIuiuwBgvtILB-I zlngdnbY=mwh!uWR6Df0 zqB*>#Td2YCx}f2JD)gT~^_KU|?+hT48LA85>e*n0pTZ=zBj@)j3Zww@2yHe)hIhP; z;qp8x3ell}ckrhzp5Lp!XDsQQz)IM=C@K!8&~8k7*udT$U-Z}^uT;Bj!gPogwx;Ls z?KNJ*3+1DCJmR)rjmv@sBas_NcKqMe<*#V{M|guqb&o0q1h2mi(ZUyyg+D4&Ly0gpfL zRv?<~en!}Vz_N0|$2mp@{aD)_u@i`;>JS7e=w424<+3%AE-&P7%It{}k+hi1|yq zb@ltXNg+^VuCU6cz!Z8hP@B^iT#3B8nXPs>+eqLgRQqoQwRee}E2GsF z*9(f&zVo{p<#3!fBjHgBen))%WX78x$z9wCwis;u*pbK8BywJ`+_!4B0Qd8i*45&$ z)G^|OCL=aw5;aKV7CT(z7Hg_v=rqkh#4twRZCHD8b60J0xEt3>5J`c^YCA`-*xpBk z_z3w(VMN0}G(~2=M5zgtOf_~C*UB1Mu`eRpwAVbmoF?pUlgVPag@$Q^ z(8mu_t#d7YbRdVw!&nr@8~3gWl9wjPH#I49HYd6hhoe}ltC#sg{}lbdx1Ylcm;a@Q zGfK9&@9Qt3UbZbo^M8}~uo<$>zT5sXp4Dv)YXF@l{|NYhNV6HrBd3+;a-Fqu z?C5JffHAK5CRa_b-|@ZgJv}wkoTty6Mt}_=#$92hPwwEPhasG%QsGf-T4Z5ZIRQN=e8jOz-CDj+nPqWl+b< z!f&aVCTedp)9UG{<s*E`*?LI>g?En?xeTw;pO3AmWC(j|OD}zX8ed|J7goQ92L{(tTV- zT+n^raY>Sum;EaJDD-B#2K zkeNPM@a?SNGa!}1q?}G=08al8HIWDsXC~)EsV+1)*@NXNKT{d3RgGsYM)Y_l?>8%c z=cm3qe1x{C3nI@M3O~3tok{H;QJ&RL?S-P%`}Yktg>6k+FZ*gW2$Z5CyW9YJ23pWCem zlgiICvbuBz^0y<(-#%3(`?+pDnj~{LCC8f`d-pkSC`-I>XUYD^E!pS?p)j`U22Y+yVk+5=;JE0aS~efT5k-7nBVU$<44H7 zkKT2&Z52*K4WqY$#cIxkfXkT{$$i9dB?qXL)y;fdS!(hF^mvUPIU7FU`fb!X6HGu5 zg+oT|c*w%O+XA9UmF|Sk<=PIlC_5s~Ua%FtJW(|~=!sfbFW5J;-Q4(HGb|opqhg;B z3pkh_M9n)=v7S4lZ!K9vBU_UWr|!}{{du;Q5ZaZHO3kw#>gV~XDbudwW{P@SjLsfX z7sk8f-|{ZRS(R>_sNu&>0yCHN`cQcN>z-*v@4o8yCu90@sAD06s&o>BwKgghqJ?Av zG^UXNf+<&5`5mHj6$_fF7a8kwvv0HC!U!k(CYDA{HKfGzOv}N!#mYmZ(eEo1;_=Y2Rtvs@d$v*sQi_95yAKqEPWQ zEikovQAf}fZugzJz-hHng^S*9D4IiHt9vJr-uKWgCr!|~9E&0O1TKFG0Mxf5=U--q zaM=8+<|q#}+_Z4{9M%4GF_He0koDLCJ)M-kD&4|DYpU$rf3kbX?dKKjjg z-&hADmQnuBhC{;i@CSKp|Iz>Gm~+~2oN z-{9WZ3>#_j)bb=^IVwJ8JXF>U|*-ToA^l@S6mwQlsg|IH*jA@4+pt38KLgT+X5%{|Wt z%u|0Kuh`FdZXbVne!3MVP-nSwuTzY}pK9P@+_-Zh$1}Fh9q(sc(k0$VLPpD z44-6-&wUj9JG>aRK|2fR1WQNi+OOGvvm;40U+WtSYArL@ole1=kWf?_lRNQZ#KhPd 
zQ_B2}N#88kRbEGT{-gmH>lm{|Pq^y%DebsYb6u=74~_ls9~}K}kNJ-PAn1Xn+IpAG zyWQT3n9dPVwi`{+J6uPnleG1jm zV7s0lt*I>sLH&&&i5aW@do#yQS4Z(2K7$O`U;HiozLc?iMx&JmFhCA6k8K*0rJDe< zug4UQmkHTbim=^*{LVCFDN2kn2_P(1zdm3Kxrm4S_Eq$_a?{?T{M6JG0f3B^JrMx# zxc)U!UCSllxBiKr%{rTE>7A6dwybFL2JO)(7AY?%I)LirmwrTE!bN31S+O*27&eig z9I8mpT&t%cF`oq}C0Oh2{mCrz^*7(U9IuFaL{{X8pUIp#pcC~mNHsqKb#vVDqgqw* zuJ!Hmsb0Qok{=QLV1n}PPy+joPANmt@Gzc^sP%%p^^QG?*m!DbE;%_|RJ8#?Dkj$) zX8qu_l`C=+?%{nGbYsR;-(VW~^5Dkb{?sl-xOfKxkAWtl2Kv|vx zSqU4ck5b%V+?P5cp}T+1K2~HtSG>2L8Ub=GSu6Z>`EZX4k}p^4*^fKx?t1RI+ZDa& zc2k$A>Ot5uPntX7QL<~DL7&xfwhwRRizX2%)jDKQ8Za+jFUUK}`7zD9{eGNla}4)p z6NGL3!N4kmUNH&A4!c@7{8Rs9%+6%6!fo$$onyDah}1x!|* zamx1K-XP#puT^V9{a3~Nu@-VMHh&Gx@2os(7Ngv%L5Q~8^Qbets`H<}lnj4*E{QTG z)(D0rI*_a7>%YVPWZeo#uiBYmG<}Il<;MU!;h-#M^*IUE zHcV149qs&UdGF~7dEl6|7KS`yEEb88wKltPq$Xqr`GeJwJvEaTWwA$@sSy?uMcv2@JcTCZ=9EnM-~qnB~^56 zn$M#CSdjqppOc1X%vT6jy!+nlkPSpOM=(sbS0#>`P9Y7)0es!OD&8$#d$MrZiNW4R zc+hlOUwzYx-HAZs15|=O>spP62fAJI*F6sJCjTI%iILVf&z3m*rODEM<5YofPB?5g zwY%R`=sr4o9dGb;+BfJ?ZVm|u*)1Y)>-8|$IO;cTSS;EWTN)8tvr~j(b7T<8sCYQU zV?lbQTXS(#ChMb!=S8^_;#6)(4c9iuc^Q2+hHkw*_T#~l-&?XcCGiTq^8hXI#e08| z43}ka@9$@Cx#KJEQL(}dMUSHu#mmX0`f}Xvc{IaFEEVeVQAM@Se^x#EUnPp&*rf6L z+srh%dTPBr-x@Gc8yxldUaiST_;-S@ZIleaDN$NKbR)}{7 zzAS^4W0YyMQHFL%-Wqk@r29Is*JJbvitq}(%rm& zsapN*CFP`Fz{z%@Q;c61qBpi9NLfkr{;SD6CulO6UAs}drv8c~=kXyMLR#6h6X~=+ zmAZ`_`LNQ;LmA?_If9Ka=a2-hnpN-|;!rvST{n?l5lt@D0Dp5hOPkl48*)C$=Kz0| z<@-QDKvo{0fS;S}82Ij~M11U}*cHd!>TywL_Cr5q-v<+|8HlO0mv6UCLDR`e!N;fO z*=SMBOZs@c4)F4?Q}QKwe(y3p5*00W(owxsh!_&}#~pt{%}~4FI4ydNg&O6bPue7eoNcx$9TQ@t|bG+RIv z>N=8Mlq8hTp5urSdJ(qP$Z6WCuBoT9N0e0kRBU&;3fr-@P8LGX9wiof)f@eqK=iVG zp?e00X3^(Xzr=L6GZ=e54?`n^*D*1`#+{fJ1JW?>21H*>;=G^V;j!(4V~eHSxXbs@ zY`3uq8j4QwHLcj2?}u{%THdVn9gRy)a&Pl(d-lYT>JE-nWouJhd=j~Tx9AJ2&_P}Dvi*4FwN_|Cj0vQ18&z6z-C{LAIImZ(3b-G{SUJk2&8-;K z_#N!n{9w~PwmL_Pk#G2TxP%^fhiZs5QKS$r>Xlk=55GEx8Bklttc`R8hj*b{pO(Q| zsy4VyZ`>+k&$?smPV-Oqlgm0$xgctM@(KwLr=lIR_(+8QT{7BfkhN*j_ZdlD2;Mm? 
zM@TDI=G*&;AwIo|e6-%P5oXPb7pMiSF$tkRP6@L~34y+fvomIXyCq@>9O7>0V9P%A zlPxYFQA{lwZ|Mpgh;H~$F(NaURd&8}-k@QV9lk7Nc`>`Pia|)U#l3#pbBi0 zSjR4(+Wfrj+SQT|q{nN&SbD#$vdzvamWh6UXL*=Xudma0W42ZV9~q;w$QGfsyINNR zy6(^a)Sa8~9*1#yjK-=#SkgGK#<18SN5a5Z5?;&iSQIf1y8a#9Bsw>*%0)q+D@B9H zuDa`Q%qk=Fa6XGAN1XelQ~i|d4O#A>WVS5l&XD{xf39xYulHN7D(_MN9xKgGg{bPl~ zVu@d8`K}Zk)yfm5gSh1?;<}&FRdo9))19Oe$m4RS7`O!~{xT$ddc~REKA~9HZ}jkh z2&66BytwSwsv z#9gtjK=)5s^)y2|8l@G3CEF0vEfTDp^ose*qja}QjVl9Xn4f9-hG*);agDYO4nJY8 z-V=^V5uBnEB6RFW>VF@5$JKIiGdIq*ICZ9yttEUtRh6CCKXAHo&bKti@lwIB^Dc%@ z6PeDVTlkYft$pwd>fqBRjLm@$cTQdx*Qs53ZC;Y}s@V=~3KqC#l>U1%)|b5>MuDUr zeP&mPJuxsc8U54^SSX?yt-Lm>Q2fBkex|9qABFyOS4{>Z(SC;UURIG9lSF&(mpp_(73E zM(IZHuZLV|io}S?ooeUP6bhL*VWh~wH=R6g>IX~EgfAw;pMmZ z4WYQqqgl4jab)eQxB89|RC4z|`c8(l7?GK8Bx;1N5IG+!q1Vjd&uSmi{5;RUA5GRl zf3lDQQ`O7F;`+~SR7LaKh7P>O*zFT|c{D>%Jg$DHQe0o-t-RH4p=)8X*4@h?I*t=I zHF$g9K3y?K3XEwli6>xQ!svajB==0{`|Qn6Z>WYnGv3CpSCYT-V()d}cTlF5g9Xo= zv|&pFFO}XT8N6O7&8{0R2dwOg%p>emH^00nuOqzFTIn>Q2W)v5(0>}lp?yPpBfLo~ z7PuF2G(0d>JJV_)gNq{?|2#~Z!e4LGDWhw>BoPF;Uytui2B^`;sGf0-3~WB7Ct<-B zgfV4SS9{G0=NJ}H(hXt<+*xV8bp@rrE9~!FEk4?@bqv#7A5k1G_kQd;N|X+u#(?P? z2Sqby+s%^&T&-nqll6Gu3~n^@nI`bPAJsCYXJ076@L>Kn7+zQv?r6iKXEr!TD}wlV3YPrEoicOpR`fRX`K^ z=3H(F^8_)X&0IZhO{{#p7X7OI-t$wDu%1U|gDoo5;V_9Y(aj|-%rPV#RQDblUo|rC zS%ij$$1D|WG+@K!9<@;O0f=qo-q@2XKObwT|1)&{`S;nVRo|$c~*?&c;z7PmlPjgatA}O4ZQiW^s-A z!5A_(0(Gjo5E2E85#901xVegp&E? 
z)gFf=pxk5kI+Qq)yek+Lt55b$1n%J^qD!b?kRU^NO_{xCveE6z7ZOSoGw;G zQ>MUmZGIwZe5a+q4rj%n&u)EGOkaKwaMOOf&aC(>Lxdv1 zSF>I-+KX+6IR`s6U&588mxLrd;8>shxw?OJlh)F@ce!i!mxMzn)72PQs;hmctO$C; zch=B^jD0_T`LR%2cQ(#k1)Zr=_875{6@=Nmnk{I)iG-ewj1RK0b>76(%E3Q%r*+bx znZlo4F6M$gl2>(U&jXHsxPtWU@q>Z`_GD+LEHUM$LEwO#IjE=TV8#XX?dmDR`DFqSbkWUy)t86`$37bJr<(aEQw< z8&*Kc-$r63*Uk2{&cM_ulU6F~)2BKBw6Zfp<&iD>YBCW-Yee*~kid%Q0^^;-3L5qc z_3vXT0we?*ESLmwG>%~YAc|`61 zON)|cE-dbQGd0ZN^}A6HzPZaMz^*f2gbag_;a-BXosc@^C(185 z10vv(ajCQ;P89!^T*TCQ!#ACR=XOa+B#}Z5XCt$>YCGD!l!W;+&+`MQ&FY9d%}j32 z7~vMIrOy%!0iDZnQt0+{XzGi#wKpm1SBUA-Oc{FzvB#CE z!(*-kL3sG!%Y&Ei3m#a6Jp*DISn4yC^kH6vV{J^4x&*fJJn-?(e5y-EU_`MZX1WeYBcCQN=bK}P zO)ko!HJGH|d3kp52IlSX>V}2a{K;g$q>dKDIs>;O-l(HuA}6iL_It`9Qp{1#wwq|Q z7}xcgTMYJARUQH*(N;Z=u}$khmE{`_Kb{aWvAEVU=p-Kb9U#Vv3E-QZLk(Llc0W##Ki=lB{SCV2v zO2|2%_v1osZhrJ9no;{`NjGj)>bgD6`e=J3?mpnKYOwtt$7f%bVBhrNZkFb%GO2kk zy|%o}JKPRwRE(?A={)3iBcEFT$(#FVSGf%@kwy>feJt#NO$Tj$nW~x0NgtWnnqo-^ z!uE!l=&l{?OKR(x=>4d&9M*8`W{kW?y?_c|S%QZ^8eRK7Y_xP^bX{&}Vf0FAeVk|N?2m!z>pNc-jd`2J zEzn(yif60l6-%u1~KdAUg{tNJ|sJbU66#)x62AZ%ff zjnCUSoVep9H9B>O(3IvtB_AFIoiwT0xRB4;C;diAex*Z+f(Vl!wA?Id*+nngpKOK7 zTUuV94tg8h(mST(;2liZlh=UzQ4#NIY0XEPq&(ie@nU@@b;eEb?{{ z>~T0&AI8C>9I3AWr$H)1ucyIx89bWKsAOgPK8jt9_kMw(KYy9=46T_rizPV#j_>$dIrhl%?(r&7 zf$5Fweiv^g&Uf6MSW3gZ^9EcbR%~Fr;v$z(#}kRnp?HjZ;5^fPOblb@ll%Y`C1t%f zx#X0Rq^|qRdFt&{TSqRX751t?xh^1rK665&-w~0zogUYD8K=RRrY6(tCD7A@9JxR$ zsH9zm2{rW5Ke%e40@t{@@uWWW0%97FML{7P{m7wmcVwsbA1o(QTlDFJxuvycfkrqp zR7m@HN+QhUoALq&1oX6fuWN;jkX~Jq&ptI0PopDe{5nICj_l^n^RTF0&=L<}zwdd* zl<$%sI((6=xioFcr&gpmt^brRwp=jq9NLy^r&R)xr`YgDh+7@UBIj0FLs8(QhjTAT zhva=6bDnp)2gO<~o^kq^JgHo6h zucVkz-gvNRy?J6v7a=^@u~6=P@&yfS6u$1v9fFHuPDr4m!Z~}LDE6QaymQuzd@&;D zvgLCfRkefl^eb;?xdQU-IE+TiWiTcv6IJeYN&98bZq=ARM+IzLqYu^7zsa>5K=KtC z+(5=Te4&{#Nz3zyj7LvQwKv|^-UyqRBu9bJIh~h5h{hnY^E}!i-e`?y*3|{!64AGHC95_0k0*SA?1>2r zf=kXsx-8JL7z_2z< z4To-g)D;yQ`_v7b{phlTWPU%S<*jnFyL6X=mIp?!O3RweJJ>D*z0MiHhT*k`!-il1 zjS_@$i=z_^G5A^h3B!h^4z1T=NB5K>_1@H4@_?% 
zlyBvkYL9sxB^fHV$`hK?^#c8d8L+4J=(TNf^WJ{+VbnAh=hSn}A0wieo&3K^lUeJ^DLrO279$j#!Xpp-Kwmk#_j zG*gtz`}9oO(b_K))Y-)uROi*xkSO0$QZvn?%YZEmp70v(GiiE#Bg?A})1Aqy-z(Cj zqGKmN<`)f)9h_6^bcE5OVjoUqa4*ElkmSIb@@vRgrlR+PU|5W5rtGqVZ7Chpy5{lB zGO*;HeLr|XyXSTf%jh-AyL-xe9x&K%!KkZ8=^U3)app)sn7R+8Bm+1>G-2kvu!Gq< z(-bxIEK(T4qfIy_gB>eoE~edU8muH%r?-9Bd`~CRFVTrJx>ochVdAN(Wye<^sH7b& zepD8y3&eT?KsMCSVn6>nVU9LIIdB)+^krjqymJkR4Sg0jPheqOJWDE+QW>_xHGC%h zGXWDelP()LddyK2{iIh%dv>cYjnOua>{P<}4n4OMK=+!ws;TBZ6p;Di+a?SX*pJtX zYt79N0_4n-BJw=0CjzwRlOH$7icY`4Kq6)aqZvk-Z;)VtJ)t?H$RBUE-^>C(a5}wA z9eLsWYv`n2mST7L8%QLw>rKSTDm4w=3AU(Hs;EzpP;gAL^`8?C{D21k-Yk>P^1q3Z z6`d}nzid=udU7?f&t$A>2h!~dyP2Y|#7j#S_T}_b&3x)s?l~Y8do)EK3!w%andHs(L6|a9``+4EE#@}q-7{c?HQTjW*^8u@H;czS>l>m5e)E4H}ia)WG!9jWL8>j zvci}~oRS}Bt9@Q`^SD$X9q&bSS&Q4Ch*gNIC~T{g3+YUv;>UOP(Rv)>3RQ-p?^qtG zS0E_#q_n8SbE71HqH%@oB|%*84;&VpV%77Mmc>uuAEhVJ36f1?mlDC%WZ6=j)P4wL z{28H6y`Kd4b=?|c2!c|{hZvAh(?M?A`jK5+%GEn_nBB)yj(4$vDTkvyTq_2Hy|u4~ zsDh|MO@79uGQ9M>3t*HcxOV$BYE15ZNGooYVm_9ommK>;uf5rb0 zfg@Qo;`~dA4@!@+{+pnzrInG8(u*@r;@QV*sxNl&3)!w8kE-u3dy3i~z?XY39&cL1 z&m3}IP+&G@ym`2GG5a1t%}$Axn1}@m)llCnzH4Z^?_JH0yZQPBTGnO>?LA!l2#zWJbIyTIg)P@vFd z;Jx9aBB0lv!G|*L)(GvHu&~;0{D#T0C~+D>c`5HcAGYXJ!_4U865k4Y1s{n6GX$GJ zcqVSz{{K(Rv~;<+4@QUoy@6)_!f7Zz$QVMXn1KeiWvX z=&9e;A~xkTuS90F{rX2rS^Sl?M5TruQp%svjHVxcFH`rqyU=t`K0HG`n{m#&)+Et9wthj>FId z6}a5f?(ROwT2WjG9XYx05)0H+Vs4M|y=B&@98ngq*{gC=!aNWzIy>ol!dSz% z=tF;3?{}EyiPUId9x3>ZG#j+KfR2BuW0;z^A^jvWPa7{rL9lbt~DUQXNBUZ+xRhYdYu9 zcfxF|l4LGo)rrj-LS=T4y(!>at?r2o>&Hj)$8IiIn`IPcRN@nBA_|z|t+lB!- zy+vu!brbESD}LVBUOD*887-ggh61mMW*Kk7%6(#|7N%yo+Fd3i$)`LuTIgpsG4i+_ z0Tpnb*C&_VBTJMItG16KcUx_DVSfAp`6(mUQACWfQd<}uR_SB~h+$hJ&>TJ~x+2^B zgC$>>J(GCNr_Sxry7gpz<|uB3J>>%S$nTUOKg#4gtdQmp2W+lOd+co&4NUXOBij7e zU;TQ*BarPwZxydSzr3wbrSfQq_!t$wF%0X?wwpv1g0Ovc`RszMNHK6#O7_t%Y4sZ$ zW#!gfqhA!^O2&okTy?;21#K&^lqhXdQCeT2r>S=FTK8<*t6YzfCe^$Mk-GU+1uhb>@3ygNz%<|P#HjwDq1?3wA;kQ%bu;;e1BhU^jTq+r;<_pn<}F8P4P5sj@H}DH^)Y^5 z*WD<+bb^3ipFNrllWRn>aIW|6Jxh*yJK5=<>;)CunZVcI$m;3}C&*=_(+XvxK>{yh 
zADN^LEC-M-ut=f`!$}<*nHuEl?rvs;bM=RdZH0>P0D9s=61G3 zfyObL#aMRfhyDWy<{oc6OzamV7ZM^vknkU^NuNy+x_u~g+8S<0@>i*LGlbq{4|dgjS+eZ|b^5gQU#;q? zvP$DNW)?{$z4MmYj*{1KJT7kw%b1w7GA~#i2HP#BDxKF44#deSl{TDxyV{@G8%s9) z{M+E@$x>~b{fBY(O|a>0hukv7+`m3t_wX7cEMnOkGcm&EYWkz8IcO3asFk{RTFWYmRr5VS5Jf+ORp%j}M&W?OzW z&TsvC9l;+HTx6*(q3As)x&Ym9;9%78E8MXmVJPkAHQ)JvA$}N+S^Vg=*D?1lbf`3d zzCQPO=y`hpB0+YjTQk@V{?wWC!kM4j)iNXAeO*=1?$tq;!qtzmL1~>%p-GaVPRC!) z*F}6tKW#=iSKRN=ep4Tw^d@B3Ci&?twN)7BRthu4NkA$|va8v%(|pJ5(R+u-E9km= z;R9>_HPm1aDJ0*B5ff9FeS(URtM*dB&##a#&a%>XD8s-dU=NIg@rqSb;tzf;5q1Ge zj6mnJjp3~`>vHP4fgkuFL({Lm2U1jc-Yf=F{R^k$>)7Q;>-q27=0lJMeY)c*d}=MA z)H(~&Iy_?edvI{uE7ccjKm8|7Gs{*0PS@{j%NxeQS^1O$a~N>h&l{c;l*blqB&^x3 zwJipAKPZ5n4Jwjf^V;(Cw$43uUWqvhOMI?6;MUFc)BCRU2+ARNBBnvrF3vQCuSsri z_U~^j){dbb^YYnWKHmAE!PUNGfaA zWqvb!$!Q;|?fpVJQC)DUV56U9>%KavdB~p0cIxh|$Hu0dxQ7=(Tg&dar)f;n#I(OL zEAHVy~T)V~d;$poJ zwK6mOTZhu)m`{VaFGGK?81jFhm*l_#Kqpg*3vdVZU21yKsltixZ_3LihuGoKJA%L1 z({FM_oo{+jvRw4$`%R6tzAqzZl}bF$Azr&Ivv2?2`}U-VhA*74!Q-D6y`UZJ#RD2t zQgDt4-sACaK92fzIm&`f8^G;|3YnZaXw9ADjXpRi7k6NWr0`zhG?&z$ zvWT{N?5=M{&vnfOD*jGp+)A<)7T{)yOi-Z~N@^*Mp5@7-XVConElRzI3`qW{cNv9;Lfk9HZjj!XQuQeZOM~iCI{VOK<|0KHbv1;Szu(a^R z*cVL8u|Wx~l_u5K2|v)fHaX7JnAcK&h{NWMek0 z4sx%!Rt(l5H4;B3DEkQitv%r;_3im3YTzGIwVsNYsnK=m2i($BLSL;Ng!_Z6EW0k* z7K~{xmDCmjLi?*AG0{KVf{G8tQ{VH=)Ac^su**7p98{R`t(I>)DB*GOUJvA(|e-ox7Xk^N@ZoES~?E&rj38<>arowlIoCy2N(&JZ*CcL&at3S=0J1@?a+Jd_&^;aH4K4bf#+gDu6NZYqL zSN-VkOW{9w87{bHIuSNgou(?TP$9P&F``|8V7hQ`#&H{<@L)zUYU5iZpd1 zbsYFUSxxVieu{44gyG{{5vs%_0{ZvrA)6j6bKW3^oMbOE2#e$ z7-=7L3SePml zeDCLBz3p#5F>KdxlD}MV?8USFxMWYP7Y`a5=*@MY4k>0<7?-PeM6`KvHRa!_!0ng; zvyURatmT!XwABCR(PYlf^Mu}v>YWdwNApA(l?4Wtn50Bg-psH3Wfh1A;885DBpNg zx1McSM6LboCL3VGl-e456er=g$Otw6_&1=Cg5=7Nn`%s?(K^Bj$moqho9s$o-%{wAHmj|na zD_A_z6&KB8XfVwB#q3Y@UwQLPu+Mc2FblP*Dd(q)%U?S?En1akw8NI7Y8VD0N}Lg2 z6O9Ryk0`^VZK&g%R&v83oU0;n9h~lrqxwr}T5+j2Nl@6`-ly8~^jRqP*p_FOXAu(m znOy7zr3pveP9#fajtiFt!)pkunPp=q46pQ1&BJ=`u-%z>w2!Do-;cKj6(%ptg125O 
zVTJDs-7^+B)0h>Ljp;MbFVFR}-C*>XIVo39A4K}*T_)O*M0gx8+3(*8$>ecP6fT%) z$mzxga%DF^H!_mO_&*6%mZCqAL^rV|+`Tef0jh7^(-S85zB2Q?fj5(fl4^Kc?9He4 zq?S`ko@%TZxA*l~-0np8*+XT~s^v;qPC#~f@AyNd0)hmK`JNATQ#{gB#F(JUs z8FewWykxWFe3GNIan4QnTe6E#T~17fxQAGpD0B~Ro7k0ew#!)Z6GTrSNrV_~yG!bc zGr5YCd!^1DD}1_LMPRCw7A={#@{``U>o1*GAr6SwcL`0LjD>t@d&U=YY55?=}Zm;pH+R z*+AsYNgZ5HIop?uP54sO< z;v+s@`3zWEU>k*t4RgcP0?{R&$uIC80^py2@8tk^GuMA10L zF3_7&AFoULWXlN@Fjizm=~S0r!2|e=gCS~C*i#g%OSDCtaxnrqwx^@nZpsc|*^Z-_&gPaB#=UWI|2~^(9UK<;fcvqafR|edrvP($}pwqlvpILLa7!%

cpi)~8^QCx;U0bVlIp zJ=Sm`7V?!}4e$DTOF3&c2g1@+A1GTs*Me4H(~9V%P|}m}zM@IEv^e3`0cxU9Vh}nf zYfxq8T#_g;HZJx;71wp!qv?>OBjj$P{;;upqnvzPe0*$qOOD%j(*xa)!eexI0QD3l zKIs~VzHXNkHjN`myC9k7m$$<}w!Mb-@zp95ZS3ExjM9q00>g^W5_d^FydxV$@~#vJ zb;c~QZNSIXd|6x`WxVw~Ya(J=*ffY)SS#z!4tG;(F=tE`^%lUKeX>}_*t08n^n}Rb z8tozUtK4HjSW!X*GO-DW8ktXS5ZB=~yf5Y|8sR*x6z0$N%Xll=u-~E5SZh1Q*VJ;= zy3oBu+9h5t%Vl~}ko%btE66(C%&2Dwx!1UoW7S{+lj1x@pNodtoD8Fy-25F<+m8|dthuKn6C6jmxNY;}`YcW8Q zh%8^+5R&;yYF(3owzdzEO;;leI|p)+vOL*G z8iF9Do;BiXgWSh(viB+QGL!EU{7;L0V|8M8Tk{XdF4z%|O3Od` zDF(uiP*WddZ6F@ms5EVC890aWLuWudZpvP{_pb542=(zqYQHRFg)n<%T%xv=53dGC zAM5T!X_8|Eo238K=KEDPS4JkBKSO8ibc^ZFMmIGmrh)(mFXYZBP%FLO8#ms+pKjF` z6i~_i81y{7BcNKrJKQ6oReVENUv340pCEH)%{H*Ik8~~j23E4%bFi6*atolU*)&bu zR$v;kUfYOAWlq?2+to(7=@1?PR0|IFI3N}u;!5OL?7e~~9HP}5FcH{bCO0Q+v%yOr za88pXv)lUOzVyo}2cQ=}v(Gqc0&GQ2JxD4s=~;L5-+JM^ovmbdSi@4#z7}t^AT0}w z1g&RWSO?$UPEbn>NyZ1x!=iRFEwV;Ka_*?0-gzDMzLrEmY*8i)L=bbfl3SnKFIc$P zBEHXkG6bd-0MQ)J?>XYW8~{-Z%R1jCEsJX0LyS%2@oAvn6oLejkIgl8N!R)Nh}jiJDa)Yb z3&tzk`)e^nA?T2DAN+`}?J?1(W562dh4$m1Nt*MIhhenGlpZ(P%~y8Pehj<^7#_9h zrx?|Q$~Qh*&YAwal0RE)&GbN`+(T zF!Pw{sMQZLhIIWe)S4?oTw-nx;g#0h5n|HjtfT*+yZi^H=>KA!)INJ^Ea$50D!Gx9 zYhifN2z**SJ}d*eTKAPuRhP2!`6`|bjPQx&PLKl(79jSeDSk4^rt8e;Ovy0s1BpSl_qs156_`I50?H>6qO4E{Ol@(7B%6W zu|*yY68k;X4QZk%b%2@I-5%+tAKP(FA{TcyGdGblC*e&P^>9U=`i#+4qXmN3{fw%|ZlN~w@W(qIVdeqGc0(HIAw@ft6Rd}v);uhLUtm7@`oS0#tc6mF+NtDLZL-U; z4I&pzSd(38jhZ{a16uahv!6AFV4tiPPW(XJ31!vv{054sJ>6^Bhw~!pGYyU1)cr=t z&Zn6t1X_YB!0}-n$N3)hMGpKS7jhQ1;9g=xG)Uh-Jedw;as$tTmmPt3n9{eqDI*iM z5gc`C8qC&7vxnTZ6s2&hwg|+6XNz4#C?%(eV(d|M#2u-m!R#CHeZGoPF)$W_Aj^e= z)Xf3p1UoT)gY<*34!5r!>Y0ShUY7+}XKpomcGbk=`zBE=bQkq>FXI_~*5^q{&c=T-C0B z86=ICmyHFxgQ#G*J_U9uXOitp68^=_{g+Blu_TQJf|OKh(ZJ`9KZsTAwdhjysv$!^ z{W)N}|FX@`zxO!Zc1Z^82kryBee51WSKZj3CcRN%sR7(5J?8fcS~_#P`YU0MQ9E?1 z<7ZVb(Cn=LibW&8{Q1xO^3IIN56Dc;wNkWbG;2hVrS3eVZiB|GBY)ASKY3Z8=U%pa7Ma_KR73@tCh|(UoLqWy>j4m&r(W=e{FW2#sA53I1=tS@Aapw$`tVXQ0m{DLOgR%vz+c zV$KmJhRICL!s4zjv%=|IhVu&`)z+MnwR5(g;`J|lv;m7vO+m%(%`?)APk?sUVnFn6 
zCEh=kIV>YCw)am$|KQ=dbp4!hXMI_R=!RZ^&K=3!;l%1!dR0{W^^RGe8n3arJKmuc zGmR~;wVA*`_v_0BgHL(PP+!Y5eWmv^vL!l~lJ7GikE<_twq2iJ6;w~_wY>WK4@g4y zUkRDbMMBpKLgI4By&C7>*UCkU#GI6e;Vug<@{wh2dgIuN<}&U4ND5AL%KX*~NjiJ* zb4@tI>@L1CKN5L%RgXQdFl z038Pe5OAD>-Ui4VYrVh_3Hv)kHwm{IJTxS|k?PV2PP9^JtI^Jnae0efdKhmu zKLEXWt%+0#3%$W!G0bQ3Nc8sn=6`AR6zwEIv!-IW%=YJU%{BJNKHeDR>@HWn3-L5c z_nwvAs`Y>uB%0aEr(hWt{(<%QmjJxIuUFiBiRIF|>F*cn} zZt#lBm0M5==r4wmpKezolictoXTIBX=Knzt)FQR-mJ8*QV(!~^*l@cRSLL#XIm0sR z;x#VRYJ0vFsVTLv8E6!oH)!i^Z8ySgUq+t1xFPiy5BxJ1(+9#{lZrg1dA+bh$9cF^ zNiA#}u`XSdu}I*!5Nu+n9I@@TB1y7&ZQ#~1kiNa{)Jlq#N{*O^P=Y#cwyfB z4StMv3Ejt`ov;X|^bRsYa?N)O+ohAvoIODNinsYp&2R$+&wjL4JIuhl2pRe zL$hqgwmD`t8{I6GF9m1B8~q|K%s04g!61b4Fq2M_Yp9(nL11AO3?Ub^xb*>iC%=bS z(y*hXcQe|K&?n|m0j3Mm$&?YiXYeGbCSLLJB=T|~5c*Krc9JMNO}wmuoSY{ztF7E# z8%Qc@#~=a}7ect0!}7{AWRx)bp-xzzk5Jd6<-!gp1J}tb_eP?S_)QWrn1WHkc}O*1JqZ2Y$0 z72j}ZdX5E{ddOjhS4TT?HJCkpHh}^r`R$lsCg+IT5ZmvDZGQMqI|k0X2A*96zT>G& z_l(nzc`gT9D0SSrYg{zjL@qR#UzL&n58IFQE2_k5Yhu1AQk@_Hvq zJrlUv!WVsKBHnRo7Sw&biYIzaLeAuaEKFxK6I`sWQM!VDdh29*E zgZCgypm!Ea=YVryWg&HlDgPLQKq;Lf67YwZ{mR*i^dOT^w7MikS##Yt_%P27U^oLp z_7U)XI~CP_Uc%p-tzq2utiCLoOo*kF|6!e)b=dSy{NcL609KVNJ_v%cL4 zvOy3n+9Jfj%?AO|#N{hMb}DapLVBdfqzh(|qk;2x;o*Ux0dESI_e{|qoFCp9FVByk z+@BJF^yVu#tRqxUJr1Y5oL~zl$evl+2{r92f3#ZoOulLBkmquM$w5uj!}rMwVdQJ~ zOm^3cw#Uo%4@;8IHyvSoaHwR>xnYkcpO47wquiA6VXYR-qnsOS&OUosKZJqdTDzUf zq=@TDye6{mB>CkQ4uja)YicOZ&)-^Si4+T<{aSuE(N5-Ciuo+w4_h175wx)mL)|pg z@pYOKdQY=nf!@PBT04iRWSMCqpN6dTZs@Q(t&b&2r|XEYycFp%a54$5G6`EW@a;I_ zUIHf{tz>n$^{u-3Y)YUYom=ZZ9q~ye#yR;>{Pk0^2N3@9n{Fqtrlb5qX#Om5srP{? z`3~_AZjUf9wai*PN$#QbaXq8{s3gC03s-`re5MH&cEvo3FnvNC>vbVF?HOPQpWn|T z7kl%gtRPV+(_fDipBQ8x=L`7E?$MTqqcj?`Nc>KDzFHUnGh0F)n{Zb>1-_JqZWmFZ zeHC6JEbv)Oo*dKCq&{c&D_mxH z{f+^r9e$qkjoZS%CZ~TeFW)6UWonLX-&gVgCQ)t0%t&oIeUjgUUJoq8 Lcl7FX@5lTPX1yP{ 
diff --git a/docs/images/filter_in_visualization.png b/docs/images/filter_in_visualization.png deleted file mode 100644 index 8b2e29707f0ed0fca0e794869421f4230e4b5198..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 14490 zcmbt*1yodDyElk}C?PE^QYsD7rP3mxASIncHw-YOh%`v|fYRMv(hbtx4BZ1W4EY`W zzwcV#x@*1b-ur!Lt>JLaK6{_NpZ(j6pzr*&~W8sC6&?8?)3uy_dUb} z{;G>DSOBN{j_>3?KLieshsJ@xHMx_NhLeh|sT0`1!2}ItV{2`~=4j+#Vq)WHX6tl_ z(IN&s#B}$NgoBBJlew+Uv(M(%CTP~?+t0WJo|)K~Jmco%=6S}&E5t1*#KVVabH;>* z_6$u<^6h8Wl>G&;(`VJWu9c-sq~bkn>?ZKTw-3{5x!Y5f$0^s1v_`&)dI1HufH1FCwLf@6&wFi>> z8{f4P@I30hYkzL~?*XRAoiN_L`%2DZ!GMl_lWn3^W4#IA<^j4Cw#EekCs}J%BRaun zzti%fm)at|dmqw<7`>(73i79()9u2$;)F0gCS_j%x>)1~-Hog)Pu}-sy3qtHgHcJj zu}0we^C#?Y@D3Qa% z#x@;&ye6Acm0J6$C0f*(p8jGD1OV;Bu@6s_qnE4Znp#XIPW^&Pe9MDj%$HoHMj5;oNgH9uZvpSzQO zHuna47gRG>Y0298H?2P=V_W%Y5K-Yghv=Vvb=NBo;R|`YpB&ZmYHXK>?`0;3cXAw! z>fF*)h0lP6#ayi7*~lHCcr#|-IgIR)V1>&NAg<1wj!M^h^ybRCsRh31P{(j&; zbn>1$-ywAMQVsN{Nqh6};0pO{3`(h2r1D4*(dO2@+R}AdoFR5xGqvs{MY1PRNNJZ} zn)(LU2b}{BT<+ttU7m8ZehTE}^4q&HhM9PA)f9 z+!{)*^HiBdc(P4O{`~|7*8OuHr=DjjZ`f#JLegw^tM{{^I&j^+o}RX|g?C@EA0Ba# z_=Lpp1Je@u__Q%3jrsNGv;MmY#pi!{ck+kM&(%?r$;G6w!tvO|z)VEc54vG?KH!k! 
z8&c{Xcb2nzG|WYhDU2V^ODHwG4XB=r%5QQU7q`N`4=>8B zKWXSz!-+94^i~&Wm7+gB(b%wWqE_a}r6zfx2LGW21&FqCcxanXTWr=9GAx$XnlM7I zz&nfv=n&@DPLSC5lI)VT?vZzrov%>!ZM|r&ng`GWhKNJPp)yha2Pt$SXHRd1Vwdc# z4_CU%b5%m0&iWlMrLs9DyM!&|pX!JGdPezVS?}Nj(MME_`3A;%@DMdQdGFRIdie(% z!#TtHE58^+0lB@{vREpK!J|@` z$a_ISnY!jZvI1#mG#0dQYO&MPO!Sh`Jto;r@_4yOhr`Sz#Con;@6^dm3gdS9D#of) zbzDN{^^=kpl4J@fKGShonpqd~u?l|~NkRuXnI`}jMD~526X^xc9%7!D5&<~*%5T^S zqoLBf--XTRpLjHJAKPtXzj4V|jm0QOja$aAD)%u2&wg^E?Xy(+6bARFs_^m=pJT5# zx!ZB&NDJ~>^?83xRXq^dDz1DF;>&OH>@w7Vez}Sfd##M?T=hO;*(vybL7|S6(gcfz%&}!b zpYva{0Lw3$|J5^TJ!d}EljdDe+muR|*RlKUAwSjiHT!vECn)*Fqr8m)+SkhS)zL$H_H&`jz9@fSjQ`Hk`zks>mS`!IsfQzYN{-Au@6M6n^S&9+?O6%};Jb z$S09JXJAOUK)-R?r_la&P_s4iN2))#nxz@%5!R8j=+u~2V^{6gZ15BjSa_;nu1aIL z6eYGXkdw!f4=c`9kh*k!jLq&`Z2fbt;M(`E=2LI5!0-Ji&>*p-h4uMqjN`90SJ=f( zC0wM^{8afj>RF2v2yZcv|+?s7f!# zi`sP0qN2jw&AswFc_uWU=O`0PukwRN2qj2+G;-8$8K~Ph~?OBX{jAI zH@8Kpl(J4rN{XF}OWVW*iLmfol1+GE;8i!^cbL7_y|!m%=SiKx0uw@$tRmMYz|J6z z-Jx>+a!nLN)<#rhsx8ol&-~lq>P7(JTQLzUa_CPV*1(%3|8S- zQ)Q>8_ZuG{PqO(AEF)l|??)pG-$}5Ti+lFH@~lqA%^26B#q|O`_j-$ADarL!-~p;w zT~E;uaRM$b#qY|q^7eiqdV72GJm`VfI%os-=w0!)quizKT>0!fwwF#nD>SqZjP$PC znJlFpzR<9T^JUMl&o3;MG;IwbO{#-jcUZU*==_@$0|O|o?q-l<^5k-s zKHe!j22OA0Q&c#F7>okjfuF{;oZ?EjL&r zMGL19ZQYr;)wa8wvYqazRcBKEsGxTWb+e(`<+pk@u^1AW5Hrvw<^3aBOTdSnn>!c; z^-S!^t%$QIzEk>fIYf2iVQp2N%YVF#Sld4OXl!x7B~)QEe=e(;8YknkaI3-u`xZ zjeW`>_AK`YNvZMsnWQ9Xaeqg0?B-~SxRZTWaBr|xRj#}>fpkByCHdlMPQOK2_3*BIn%vq zt*ot&kB-to!w0VJt{SCTfPSA?>-zvvf7lW?SXNfi-lAhkp+huKhy`8l>GL-8R9Q;0 z`I5LZVgFMuolM~#U2Ty#QHyqeRF#aYhZ*QmsB~PRU|Z536=M_FNWC02w6@@}B7%=0 z2gCzevB66VZeJYwJ_q5?0n5^l+2f}M!o0m{pEL7EB-iu9su$Tl?2d9fy4p@Mg+t}i z&3`Z};p~UzXstAM{Jf+`EiGZm$`1Yd=k*r`X@#yGQ}*Zi~3}kJFi+ znIR%3*4U_5Eto2E?NvrQsD~p6cW=IwJyKT(g;NRk4Yv$nEw8N5Cknw7u0qbtICRTH zaVcw#78`8Qf5gQNZRO~#qBf-?6B2rYNeb%B--w^U;V9UYztsZ8dlyB#DW~1OcKn5q z*jSQb5&m%D!>1i*qQw~cCo%ZuqnQNAdC_k?D+B{jo(PqkHaka0Sg|mc<36vBypH@Q zNSL&%Nt+hqBht(IxVv&4)%IvE}3m zC^**MYMNYnnEh=iq*6F9Z^nbC#jbd3EV9=FW%;71fzNO?cd@o%7QV7KxDMNlh9>sU 
zn_O;TOu)UXgsc4sI!fvyK~l7R)2SVYAUO$+5klT$<}5UON3rTMFw?%VwcXz zwVW)QU_db=<}o!2`Ltql0G5q@?Rr!9X>YM2?dodOj}vlQ8`oO1^zMz1c$z17SiM&> z<0SYoHj|Lh_rRVPXfB5{0nyR))^nAw$`-m5v}S6}A1g(Wx9$>kIh^-=LhOrcm4XqQ8o~LL?Ow5VA%^2`mFZQX>)2=1v$dt1=F(=o2Q**Zl>+ z{@$t<=6SvjOYZ6Cc*aMEflme*>Pjss8|vw!7iNw?u&gsyRVYSp8%@jt-b+kc= z?z-IE@DP{n+J{_NSeS~6s~6J?R-M1T8|)u(&D~(|Nd2Ru?;aX@e?AVfMl)hYP9Lu+0ooj7-(YGdn{k? zVLWx38$_$LnMhF*_lj?96frbhvjcnKkgMz6GLu~wKC9WbCNTbkbnr0EeN4+Dgzk+@6u61&u$xt$x1YqGqF89KnrB#+{yix593q7kA-eO;)&amg-XlH4Kr~uM%RmNTK-I>wzjt~r>A3# zZoInZb?(Wbg@Cs9FJP-P3qJ~0*j~{G-xwt(C50tdh$1#kGhc{oW=(0#X;6MZCx1k% zt`qBnlVur|n)-MyIwd8zM2~vRfrDc>gdM*&TZ>Z|yl?R4ws~*P`^P5KEq|PEN{12% z+lckN;iBZ^iB3D?Py_shfaGLL|Lz;hPKz6jdMZmx%X=7)Tb4hYsKreb+#1~aN_=pK zeBG`mBqTg{->?d&6_;vq_gaT-#8Os=$iIKz*4~Z*P<5=l-g);&LV~gT{<5oAYEdd1 zDyax~89P1he8I2EX@Q}=X^AB==?N#5{LJ5G#%sl#UwGMZtmP-E&{;6j8a;UM5PSog zz!ZWX`yl1Z)c0kbY>ZF`T#V6+JvV( zRC-<1-_ys)MvtY$FH?OOVZ8ZMmPvep%od;d9a6?&@58&qZm^^CGe*(m!aWhHJ!?)1 zIwmo{XW~ftI?;2tnRr)EIt*lAft(8%4BIM$D`|&@DAjIhzNq(iTJgTs>c}3PE3K)? 
zFzMgOsxB)lTNx6z*=&X!K4WD~i4ebz%Ia6MTWSL9TUtse4xv6KrYN6(>&?tG_DZ^B z;b`Xkj@Y055f#-3SfTt%QNYI6|%zvuwmTpK2fiNE@wN3QrMioa9tM25g>ikmqOhOL)W^Q z#Etiu?5@S@dwW)jP!Vf)YtE-;)0~0DIt?kiS=S+IMPH7(Y5V*4rSODYdS`$#&VHBA5 zTSo+jMvo!AVbb)Ne!d+Yl0(oigPAmzS51ra^V-?oT+tV2y9CR65z)*_My1?;O5d(L z>nq%|T3sUwRFY+Q?ZkYxi5H1i?6rsai>HP&(zenPHoW~2X&_-u(v?IgXon9VrEKC0bMQ=+~D=WAnF>Y4J+QhD{v^giGUj+n9&= zC9^KXh+9ldHNJY5 z)%)Z2FGfPBNJ)#C4|F>FUa0`cOx_~}bmpqAtT@d(EMfl>V8S)EG*!)C-*(bmDwE^r z&oq0KNhbPV)l6%*W_^18+yPb)E82UO!je|?lPSX5)=~#0?eLb}gzquRmOCvOz}45^ zjraYS&r{rftE@g+mP$<$#U^J$S`}SUp#q}>0{oZ^weRa2g2D{&GC1Nii)-MYD>1Ez?eJgEE3$mOD9v=C}MUS>Uj#CK_OKA zU9&y`1w~)W9}wgBq;rSN{+^h4KugO3h#||81_1X^#hW~;WtjnD%e~+*hF79zU$Nl8 z@;(jE#40*pv5op!4Vir_O!07lhpv-7{Y`FIWN}M4 ze0qZkIP9Ek>VLtK$l3JKA6A@C(H{IwcjSozeK7sd{aSrS%s&6~#Fw1;A67I!LT>&h zN*tOB7`(et0SDf>M>QJqG#DecN~ z-uU~Pf;9t~;czjWeVAVAU|FE^ZcV9y;|uKLpxTCpks?dxi?b#gmVzWyvpvG<^GU*|XyKUpmpZwu*^!b%|6M>cc_3w^-MqM(tWX?jy!vQfIJ1H!fY5{+#*Ba@a z8;^eGAxKHo{fn``w`V~AC_UM--tBHFhIA7YQ3ZY7?FZrnF*V-~*5i_GGgSik(9SO= zTU!@>V+(HbR{kcY0vUA(=*Zt=!h+v9Xe;B1(YUAzZTMShkxWjiW#;6>YfLt3(kJm- z8oTQN_(D0X02_Bf%EpF9A?fuxV(wyXZ4LL$JCEnyS9MX|5zzE!Ek1nKNkAfkO+ZKh zjdLXoT$gu?TewskJD;Mhn|9<8WMpb;GWN@j=%CK>2|N2xHk<~96u8wo!g~4A{I&JG z59FYknx9`iM5p0S(^xxbN;nLMFN$#5LxN0-D53Zcz!W=}U@;B1tz&r~E^Z!zPZ1@R zHK>A4X3ZL5s1nrNwk&-<2aNB9awY&}7-1ib`hLg7C@ZUGFB=31h5a~W`MCR_dvOTr zOj&)@sa`=Y?t;U|$2X9|8v!_PM|)e{T!!m8ZXxH6D2wlSG-g6w*=)kKw~MW=5J+;k z+xpU)$mz09ZA0DB)Y2`dXO~r1^U*lUlh2>~>SqJcbyF{{)V0@v#{GyrM7!qiDjYQ> zP6FpBxmFRrm<@w%KSZ!g&H(TcsNmhzIaZF{)jv zwZYb${D^)3)Ks>_L`|!iazE@6v4G@)$7o=jI)90Ph~vW%qDlZ>;L4x{RL~@GaRX)z zsJ~i=amdkVY1jM-@xwQ!rliSy0VjJ2%(;3kNA8Esj!%+nteBaZrz(fjwJz88*B<=# zxoOg@HB0O))&hhov%1c(k1ap{#nWLuN;xZKm%KkZuQQ}o-IF<_*Q9aH=5x^n1qJsO zyc10N)d`4*y6M{w7 zonAcC{*4(ZL>UGgFP~umsK#i)W)&mi_yqC#dS-Ai@ig>9h)%^nWSfyV0e0D=X^R0( z3C~7y7n4kvUrXc#Ms~V3@ei5##lSnljjxu^%*+tX*NOU~pCw!@Zf0haOum|%ojw_b zE5*((j`T(XzKz(`x~0g1&i0>Xwp5{NdLVYjrIcV1i67B$gWzDcOX&mvuMCWFnPEoi 
z)bd3!WAPidmBwY4dT@P5oNR_K-W1MJ4_Bn^6(M|5;-IZ8B?@%hJ61t3!8*aGIG9#e zg?YQ1@?KtIdE48r?rsTQhO4W9XT~HV61<*CEG=@(2}B(q#+Y#B_$OcL%6oD@w6=rFFsdSN&A?l(n|!u^X*`4~IcBh+UF)+J zetAd*(O}YR!^srAnW{~+m6b@Vx#nbB&|rrArVAi=%j@g1H8!az`^9@VqV8YM&+o_G z)I}X`UcGa1;agmU0;;&os9TqiFnYQI`HYg^y5Oi$Q88S5tcb_aTeqidEhjK6Y^?^> zQeh8w0jy*J?91Q8aznqa4OeE3_~YRTB5}d)am2*fNv!Y1Tz_lYneHYOSx9BS6ug`Hdf#Vy80np6e6C(@!B+EP zcZDwY<&E84>X9Ha>0=R$^p^2e&EFi<^MB6&gDLa3|izz2nRax5})yL zRtHD8YQ{gNGAzWM)j9I(J^Gh<9@i{t6xT|K|%7*`1wn+lj)z6F7K@eHZ(jITZGmM2v0aU0_q^H?$w5znEeip zbVlU&w>Q(Xx+HaanUnp4gKM8P7yzyF8s|~&_6D#SY>uiiS{=*`EYCu;O#sN&?CH9a zgTogEeqawQeil4u0FneRfi{1jO?J4aaNG2*lauPVf66N4^WzSt5;|Db{G}_9l7yGx zjBA_QJ|#7xUQoRGr55yNDBgtqm%n=!QtB!Ttyz67UL-JxaZPD=8-{DnKbi`3{zX(i z<1G?&thbk?r!Ic5yYzcB=kH#WJq-E2e$0bFJ6b59V{{Mk6s0~ob4u4C0$;eCt!3zi zmx84URis@?*SGIjMv}G7khhmbA_F~vyIjH_Mhv_?+fKx`(_B7P_pZIekd-jXh_K@P zJf2c?!BTSSh2V(cj5@`-g5XcrACWzoTyB6EvStNL8EX_|0*8hc2>|t=0XR!1tYA= zHf66~Cwb{y1JhnElbZ`HW;n05+!>0Aq~4mEh*14G!mFHiH4k4io3AA>l8(r=Yw*0p zv%8wc#>B51T(u4i3jy^;WdX*k3DCNlSLbm@?fBvq?t?<6o=B;zxgn@%{9+U2Px{-B zRh3yxhf@GZZ0`t$CE4h3?7C%{T1`_v{$1=H-P6<8-uv?+C&2^R-7YYz1@{KO&agHD zud0+|A31l-^wtmT>s?!LJb1tf%R@{o@)1PN_B{87%P^acRF`3)Ej3dp!>(ufj`a_g za%v-3z)zN%J+U-zrurQ;)Pv%psSr)_u+2TFB zqqk?u@OE9g%VBTsdDfq+L4?<$E9zRjF)lDK(U-SPy91QK`3QJ$pzI8=tw?J5jhm1y zTm-zFnMtf+{;XRmwJF9lwiGlhmfeKJ2GEarCzTe$U1enz)KUBJbglhkKoI8n%${XH z-M>mb_6Ev-^w8~ekX{4Hm(;$#XNkPKGNc@u@4tMZ(D4(7&swh80ZQl0$>1lyQHxR`oK2@g9+~jM^#qrAG^z`(3%a*h1hMs`|!})Xmt*IJ*+a_M$ z3Cqdj!GRe`Y01%AdwN~+Tam#e5*pj>(Ut`Gnuwv1q4`ubZb^$6o~|nZ{mvk5Hbc4w_B!eL@qMaV}e&hI6&nVFbeL9@~x>uOkGzm93o~# zgR$&3z339{y6@s%w?#*~G4SRODFU5N97tLL$))C|+O_aGx3#cd21Z8vTTd{&haNw! 
z9!XZN=Z4&Vw{$sCFvYdDdl(oL{!_JpwDD@R;3LjAd197j6^M*S%9uJRLjm@#bKsBjgL zjOhIIQGdPp23LSEuJ5}jSJu0exa;EqU6-f|Y)vPNgSWDlhlIOf(&x^qPg`t*8CY1- zv>@m4kY=JtbCK&6MYN4#fx&r_9F(bt`f8NJ(_0wLBK3qXU)a3-9{fD!;}Dc(zxJ%t z`NPx2@0PRf(LbUF)kDH7E|(Z^)a*07p`I`V~U@1U~b5e5(&VlacpyL-m`N!v zuTw!RJerM$!{$s&JCN9gt9zog=jA?FPF8lkVt8>gPRrJ`H%eS#_fxeMq{ZiNNvx;pPZ3u(j>}>MxI$ zAc7KYYimPUbajg$_sqo7Zb;^84qw5&05^2BT89$Isl?QWZ|iv|ytklO^0+4FXgXze z+!$cw;tHa)sfF?wtb7ZQNjQiEvNo+cLMKyt1scs)woFQ1ekCA}z5~(A>3VA{qi!*o zspTOYiq}7Y$zpt5xx80u4(Frs_INs$-PFG1U9ysap95dHj7GKOK=n6jDuTkpU&3$H zom);0#{3(Rw=|-CyS9z(%WrFruEBb%Fjy~~qv^e(qD^92C!pxd-Qd-5>xD{xz)O2| z^;M%rSBI%lC=Se|ux2$rLx^7In6s0*z$C~U&=Es5T7L3KFNdUAaj>VzuH_73n7g?z zn_faRRe5GQ)gqS(+DM$dg)qg+Rp2l0829sl`E#HV^x`+F4o^;gIj>xmUJ>hPxpVIf znWl&(4`pB5n?Q$`x+B3dB#R-*^%Jm#Pt->)6(yx%Ycv*e6>rojE*pryZ*|$Muah42 zg?dVMnH;Y#Gl_8JVnZSrc}#{{2`_KT=%V6qb;vLE3my&AJy)L7%w(RKnuBhA+as*_ z@;PhI5LWkPW2f4vn|*Y2)Xi-kE+8m0T4_#nb72{4e%+40)D8S(q@^)IL*LeRcG?n4 z?e-u5D4Ib8=yD*~L;sWIh!w|r;}3wQ&*?Lc5C{fV*2Yo3OokkvG9P9dTAME$2M3RQ z0&=hrh|SwiR9vf{DEMve6C-LD!Am;dzB!@mPq*W9T2A7N9G@RK%;^~avF0C3fBU3n zai=Su$JF66-FLiTw>yjkkQ_) zHi^&r9iRp^%N%%HTT}ZQ^`aNun&u(UxHv^q7t*_2NW=q2g?${H{NZc`t-8yDpH_>N z{xl0Eos-q2Ic&nh$>WtyNxYVQ^Rz9z)cun~0MLa6ly|)H)I)n$?~-lQ-S%a~=K}ro zz*E%s?b$J~9>}40+f2pCIV$#s#7h<7=;Tm%B&K@SbPFGDF`p=ZfL!t>L*r<aP+a{VTQLvTG0ucaq)b6p1_p6ZWrFt;Yk@FJA38O2+iysQ0EtMYQDyW4+$ zF0t24ngnC)W4&*8#O}6cjTf~!tj*h^VLn(!dTA}|cWJ1mBUv?C;NLgSQAClQbuYMGGH# zCAgpMoJ9@YA+qobqSt)G%+oda95SF>wvLu8uXG~ca{ zdng1Y=#_+|O!K@Uv7W75_1}~+vIQymj`XmsF&mb?vT`&vWul&~DcC~9nXmVBqs}vi z-FEUoWfc``)o(G}EINz;ywP6baCfHC{4sb@Fo8`=f?WJY3he@U*d7#}<9es0<>hmL zoU+@oe~vSSUP#ADE-zT36d>bZxC`@!?F?=n=@}N%mmIx zT+{<;MagU~$c&t>S1t)q`yl{0-%s%L*Xoo*Cd20C6o(oAOc5|+Sx%C%)IAL8P5

zQ>?hTn>@#R#_7MlH-FENu%foCfOgYHTulvgme0j#cx2t8VR4Nh4*-eXwu;!YCZ)PT z$?qIQX}gtor6e<7hkRRa*13Lq+o=omeLom^HJxdF?midqZYTS}kQ9hDPzU!gFLYQr zY&lkm2zz^ae)slbXN<_Y8WSrd^P=m|UZ(x2QR0BQdOQWPyYsipMlc%7Nu;=;N$Dz* zu>}bGJ1%KG-cN7yz-;jU)T_!jU!Bkc-qQJTcUt1>ZPDU}Vy)QOgZ(vymgc59SR5Q9 zCHU*Ge`Uifk;X?5zxFozJX#G}A07gN>@zZleap#0Q2WK;)#+Nzc+qbE&cyC?&7qI^ zwGTSK!<;onP*}+3LLM#W*+K+reGSa@6sM7An-|DQE6mN#s)|kbr9{+_5ivIh12_;o z?qgTe6$SNNO$G#MS^E=tHjs>@{P|NDsJH?Gj8^~6vMQ5~=m>7p(}&^I!b8*cwnuA9 zEir-^@1+jqo#7{l@*dB8mF@rxEWBjhob2q#n3PZ@>NE#r9WYj*P6PUjLVh4`S#T=S zDbISfdl8%eshFKQnar!MObjXY%Ton^o`t-&#z4v7k0)r-m#`m9Eyp0rgAY{Kv~Y)+ zF4+frZ?awxCwSw&%C-1(D#cCFx;T_S(CX#PE&=)$*fY`foVOPU0q3V$&}pw7GRNy} z^>AOpd)htXcA#;kEVkoNj%WRDvfQJk1wz9pAnY&M`1E6Oog50$z;# zeQ^+o`B#R~!-eMPtE)D>1yf^F0zlN`ihdSqHWjxyf{abMm$T_Sc;FC1B0_+uK*C?& z(kP@t#Xz%dwrUqBH+$)L>&uS>jYMUo2$4v?dv|Xv+p~jA&r8L;q2QIccv`%kR~S$b zwz{$N-Y#D8L)s1RC4zc+7{)SFYEUtA7UR7?G&E#2L-GEzF)^B(o10{}q~qxp*T&%G zVC6!1Dr5`1W_?$MEy^EExUXdX}-7gU}TZ_`~$tI{mICIUari_dSj7?*1>=6E0MSc|-o5wJUYf_m`a zX{a<6HT95AGEo2?%}P&;Ou=dM=LvN^@9vTocA%p1RfCeMGoaY0MC=0H;9hIvy z8Ga->ISI28e1iW5L!23q`N$NP=4!XYGRd*DeXF7)xP$(1i(K|mik|-ZZ|r`=b4r|; z^RSQf-ef>|B2bKy{#FM>G49+o*%dqn;wfzwSz3~mEPh2wSvyryKSGPRA9b znT_rdpFuKwD5%kA(;IwMnt*$p!=fR zr87Xghk(Hr1rm|bN}y8HGjWpxZ{&hRt%<((qN^hzy|kEwq78e5C|}{Ii@K_!BD+jP z8UtT3C)$SuPEx@9K;2we`){>dQ^9zA)><=F5j4DCop<@T*9s1|#&VcFFA#=%@+Djc zu|e97gQ&c*dZ&Zmr2&VVK&%S$4S+slVM#vb5Xb*rK-9H*urj1_ixgSwZjlSXvsS2x zOjzQ8SCb(}LzJSEqPmV`psP(tv5j74T0lVHdXoUM*V-GMQ@iqAH`@fc0AaS)s#%`_ z>6xBxk!?-qiQ>O4SE)u=6cdX_eO!a^}-x!;2!iNem3Kz)Rr$Qns zkgmOG9$H{;Jm~w4H2^9y1>x8Z&ngxBH$*jQ?+Xw_cC9)SFl4X)X-egHZlX>UxqJes zb4>uy0h>}U2Z$>f7^zqrRZ2+~e=$LD7;naK)n^886bV>U{Ftf^!rD)&C5ldva(c&i z8Nqx!7Ca{Mr^Q!__F1|4u8q647UE4xze#uaf(YDd`(+WZ(qMDDcx^$T^e;G1McjC1 z6qUVbn3wcYMf|Q7gQMkqt31WFePcm;s_5eO*2|=erp<^u@p_gwL4C*rG1pQ!OEais zs~b|0ft!r%hF_0H1GRBuWrMJapDxy!qbjD;oP^)EYpkd-ni?SN?82v44f zx1M}`4U&%iWpW7_Ezg8ljpgc4v|n<9ml4PdkAUE1TBigzF@khh$3AJRgB3w7-!(jj zu4fCGIoC1R&!&*4IgYld=Cf%Uc}$!wM*iv9Zxr;FpkOW##9`2Qhd5Emag 
zNINCfqFxaA+M!>YN_MHL4-{QangKwkNu;`jgk2W|fqF8*JC5%)hGAn_I}S5L$1 U1y0G`mxpL_Qi_tr@ASX^AD?WUH~;_u 
diff --git a/docs/images/grouping_in_visualisations.png b/docs/images/grouping_in_visualisations.png deleted file mode 100644 index f685eff9ef76677f73ca2ed241d227fa45a0d326..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 75614 zcmZU*2UJr{^FIzDK0 zaK~PU?+o~1?xv)qtFEL3*Y)#pcJp+?z~D^wLf_F;w4)wKa-y~;ordad&iTK*Y7wak zQzmxCo}YVbGTVK}r$HPMQz0j>Svob9!359s^NB^ogb&Ke+bRryx2&K078d>W{o2Yo zBk|O11AcM~)({n8c7n1@t;ZhYdtp!NC_1crwU5;!$zmmVe|3E_cvqTxf8*t6TFJnw z0_E036Q8Zc-NLNPy`Qu$NUNE^JFn%e)UX=4Hv3;N^L*wY(R_wrGRt#2tR66rpUf@T za!d!T#5$Ppfv5 zN+4mfYM#syJcLguDiCO;9GN7L|F0r6R@OF7eZkZ7g%8BuVc8tLP8JrOI5p7;)@~lD zPgJ za~8nZ#!jZ{&f3}-NZ=ZRff?5#&&kRAzN?SFnep>5fYk>#LsNfKZ7nGWA1^*TM<079z5uU#HzXJ` z0aC!Fmy^F8JiyD-`@U3wEaJ9@6mWfWn;!wc?c(nti!jyJg)8~^Il;yF1o#9Ha`CX1-SihB=7tGss$*> zf78M*$S1)6U)}(z%*|aXUAF)yPcxL87hoP>3^`$OVVT?h|G$?1jre~kP5(zJDJ1xR zDgRH)|CiF}zLTGlj~6hczuf<3=3nCf+xRb`4F8Sh|Hl&lnECcDU}rge8UFvynH>H_ z`g9crhCGHkO2IGybN}sm1Dk3FJLTlNqtA^zqm4UnU0UASou6gpXMZxo%fhB?0kIC* z{)Jo@*_=dRC_v$^P2KKn347T;c7M2?`KNj|FL^$u)NYD1;`zCk9%wWfl>ZY|FgDb= z{VA9KSngbTe)Jy4T~u&(;15YyGR#YOeMLs9-jdJD>v$1jtPPIoPEnK}$bqD*^v4au zG2|s%%NVg9K7)*LgDR{UkPo1s>as143m$lJ&e~mfHHV$&9OekU*b2*9pRJG5KQ=bQGXVOUet?X{ zxRPaqE)doTE7A*xgDi+*EPCc>mkbk-?T8t!uZ*2QrRY_04|~i$mK^(Py%}YXT}DWH z)9eSwkYwfVFs$n*RsCg{ENu5MRn&<4V|JT#y&~FN!b0<Fx;KeAw1=Zs!&?!MorXc}8$WrE-CMMU208Y-t@jwpCvD zf+kYtWfS48gru11+_PRUtQ_@ZlxX(!6n!2WvPK(H#r3AIWGR9HQCt}@htk^~!o-jk z{pWvY6F|!9?6NGm{AyYr`dvKD4(6;;Ck3q5e6`af!8%S00(S^4o=`A3x?)-CvqE~h z^I(ZnzB_jn)}tWMFc7pm0mCuLa;=Fz$SqR`gG4fBq_OanG9*P2? 
z=%ToSOg(6;aC008plj4j4Y(bAi~$qIC%|~f3w0KBDZy+Iao~^kZ)LcI?(E+B0yZ;- zs9I*XVp|p=DFf$e`s+9bAGgOJ?UDTc>;}tKnPtA&RnApm*=YGb0tdodpWc2J8bh9r zlsbw+U+tb}>7E@h1oX?L$Z9A^iinSysLvR0f->#2PF27ABs=Q3gnUs|zKV#<7MBO}^ zzvWikQ`l6tI`g5F6)TrfHrX48+`q2$B|`+OoaTjs_knc|2aUsR!?FEv?P6H+k&VeO zV$67=tDvG-{BA&NRT2hkTpYtMfqoRF8LdW*7v+TKM?+`KlB%g}EiX@J>Ip*4%^tU0 zW-U=tu1DEI8bbs(jtu7jRV-B3i73!4Nnr*Lot>y;wdhl_+{_*rVvC_UFP$n& zdhAAH#-djiDq}vtbk7bAfnp-iOqh4j#OkadcIy2Z9}$)|XIBJmEO+tXe&xW?yv>ey zwyUC1sgP$bR6a{FCr9@b-&(C-;C9qIAT%GEo1sytuQc1%FlX!}e8}UGMg!gjx0Cv< zB|}5Mi6NeTG~5YD*M86@KZmMDHgpQ$3t?IRgDyt^x|BVus9z@yQJpVwRT18Hi|1Z< zYJCEgo0x=g`m@i9%~Z`3KQ)YH`_{hdD|)pw-wG7wk{=Oz-_M3pAAdXcT<)W!EH5514!K=-Gj}unmkPQ zRr;i6FVsq1)uRd;vRTC$zKN)4XVw{X6O6^cb3PKzcCIF-$xr|AZzTbrKDMlsbB5jE zq9V9)4Ttivd|Q_3VY?MP*6={>1?w&+6UhH|>~N?qjEp7&t<*#~6H0Zr07q!(4`(!f zc%diYBv5b>(Zy3ddSp_+obWY7Qutw4EOk~BdCtb=b#LbApjC`HwYbO#1RGgav+c65 zIH*Mp%yB4W6D9vr3}WgV`|NA>K#C}|f<4dA_`Ut@fKbe*a`{wZNVm>(F4p33)-}$! zP@>-GU~2YTN@WZo>^A!#R`>NuA!U()64k6__Xblfb@Qyk%0B^HUIo3PqbP=C?+eP3 zbhX(JiZLp_0cs7yF*LW#Wgr2?w6QsA+u#)T6lrV9HMIRu3H**uI*-x~NJ3ztdDHLI zem2R(mT#3~mugmIV#22D zisKhaf1JPl>Y(%vYDOG@8z%z#dz@J&)elq{4vgA`rD3|5PT;8Lk0f1*!97dY-5Zxz7mXti};aL=K=@CTH1TX60 z^Dm5sUJ$aI2;BzBN(j5eIh`QXe##TNt#X+p&R41Itw+ea{630-15^$V4Xaff*Ha?( zO;>0#qA}W2)^EmoidoO)|H!PB!`)#3ebc7D30_8n-r09TobY`xS zFo$KG=O(aHVm{R>`|;{$i`Jr=mXq$L%V^a5yUxe7iKF7#RV8Y;bg!j!_6VB=J&L$J zuFHpT&{VgGVf@+CkXVC(vVPZ=L2in$KaDmoYE9AR$ioSHQS{^jh!ZPIPsvJ+reFy5hA0dIycK>C<4Qgc$1J&?S4CtSX`AB z{t^7CqB*w`us#6vrNc}Xv?ksaS7_>W#Wj_Hx}>ftH&X z^#BSb;wV@#xIpv{jnY`wUMsjXpGYOp4Sf^oS-|kZVr`q?aql`Wvn<(Hwl|txKf#em zjl5+n0ZN8Og~n$*`8D7U)$nRwO8S)?Jk!%;IwfX}#dRA1PocU?;R?KjUmaqfv{HWA zv$CcP6m--mjA0{gUx-Kx1ZG<#HZ)TS;ea|=tW~{2Nnf8P~Pnie1<&NKyGg8d_ zdMCdy=|A2jdB1VBzSrsy%V_6 zk~*%T_d40ku+P~`5)bGI2Z=(9=xZ_Txke2*m%|ue!%V7NF}&d1#2n1>^~Y z4gFY`kS?Ux4|rHn26VNhVZo?g*HN$GwL#uT8e|AY?n?pv?kn3eCN=|dA}UP2#&L`S z>0M(mOqZrCT3$4wM@D1KIY-?bP?(Yk6l-``+}5U%&RyK(ZB$`O{7?Q_3+3!Bs7(vF 
z?u-QFVvX-_)pH;uxFIB#S_!IP0s9{N4|>No+@qvQbebpw+s%o$E2*olA@db${z zm+w~dmGw3R&&k8T$Wvuj&4;EA1I#v2@Iu336Qm27Sps1F^5^oz$@-CDc%}eh4_b^} zw+P7GY`dTby-jB7b3E6NAc|RkYb*i{z$GHRx0plwPA5no26dG zL@n7)*60DtC7ufCjaP1mc6)xsF>I_@tqG0913HsO%5NN%%SJ1j>aq+!yYWIOi*97G zSygguhA5xL#uEYgTd$?Yba%(b(s&4vjKRWGx`y*ANJUlC%<=$X$w88iBfVC9qgD(C z=NUIS^EOtPb2&0`=Hj(xUFyw-qcga=%~Fi5T0eO!j4((Y*emw}-k{WSkUbWKM`59S zGe%W3#>lbt9&{PW$4p3t!VSpW$wOVSd?s9dmPTOJuG+F#$cvPpOn=Yds;rK$m{acjn zE@G5WV#6vVKa-&QqAHyqMO(z z3yXRtKhaa0H=zHPe`QF^*X19Cvp0(KFgL zuljJ&sevh}K-zmsT|tuZ<&9jQhj?rsi_R;m+^VjPn7R_r);5;EDK5mwV?xM_hbX29 zZ#IjekbVfcZ!liggF$)%$h~S$On3@5V6Ed&45PP!82Lt|VQh&Q&RlODi-XN(#B=fi z%M>9&1Cx%%_0M8&ZAytiTSbU@%xhC+rL+8lJd9x*qC)XG)>bR% z=F=OJ8&3lS%VG%Ir{@s=lg%Kk58Tt`11Z;Q@y-pQGTmG=f;NWp|J&0v64E;U!q3V_R9zoxPs{*8eS zfWhu&C3zDAk@_l8E8C^D5n=#b&{$!%S2gt`eoJ+mYh3pv1)Oi(+nohXA@q`qV3KQY zDAMo!R&&%B7NMK?j0g4?RW4c-HE!JnB{s290EQl=#GL;Q!uF~7hlkd7bBN`lFG80X zWX3!z&#S!T7e$*r9i~epQpkEM(h=0PQ~*h0=?6$$#0)lkm8;xC;HmpnKlxb=90qVi z70H1lH#PJMF zcFe|!8HyS}McccOP3qU?S#*CP_?CRqm8xM;z&hi^2-|))JjNVF;L2eJcuONaG)C(^ zvSZXaX!4U&ON_vcN_o(%_sO-2E<#_yAOc`y0BMNA0@HerKe!lc0XE2nhzR+or^{IK zS!^>f`vC2<3Pn|TO0?ODMcTB$&kPArVpW7DJ?P;L$|%ByXwiuRg%buzW4Xxx*mervp7EGx+}f#O@A6NwCcMZZkD^eeigiW#L2pjCITYSF<~v$EMc0w$?8 zVACBI6%(4NkVkA9bN5fUJfJwv16)#VXFnEx1PAwxl=yW&0c=!XNL>9d_RnKmLZL7Hp_=d5fz> zYt8A^4UB@r=)Y;hG@YhffdDhcDAKSZ8V+^4U2%ylQ)07qH6M6FHoTbG0B(RX^WU9e zyk^(@bT$P;O$)%FV;mq;q{VHN!IOWjAw1H zvQ;Gyj~;+8b;LeINvwgpIV9& zxLql_oFHYMbma*A{NYXgCB>hD*+6=OCc_*l$?I;S2J~WsqlHBGj(oa_>n#ehZ)cqx zlo((5+7#B3WoulOO!JCQ)z;lzN|lT9wysqM%gQNuI9pOJD$W8ICe*jhi7v0~alDE4 zmJltS-)5t8D^3<6>7#q$!V@FgHCa)&28Ds{H`T{wjo0xXYP4%3U06oVDHQOMbhI)I z>6UIX0ANkzRX2$;w7&H^3+2NAId#9?yt zpygxl5!JBB##g;oD}YiB>FVX=$D^Wa_3o6~+$h7HUbJ_7yMJoJajY9S!2V(;CXLRBVrB zHjHXcQ_>EvA+Mi9wPg?83$WRAo9LTH52U znUj^8$ksq1xCA__eXE8p>^TDi(a#+p8=zPG8+BP)j3ZiE(0NEX!E_F$YGUS57w^F}$${D`_LncIsAk?T+~3yxoq?g92yB zg3zK1m)?@WsY@UD9#YoHiVni9;gMRoi5+#Q{Ffs#xFR=KYVWbICXTADKh_{9Qb+L`}JDA_Rsfo6`RTiHm>scKzK@` 
z3(N;C63V#bcAMq8xqG_lkebvOB(qy81;xgXk@?&-C9X)C8(TE=Djrey@dH%dt+Kk%V zzwmf6oNKyTLwLD9m>>tZ7)suSk6EiY!73frK_~umXVtR9-OaiRs45S!Cd;DrlC3Lu zL-m|8V%Rt%@`V=XnL&Y${$u&?0%UokV{SG=#(t0K; z=jf0s>o}8lVoGkYJDvFW*^g*zX$|qUkkR6NAEA)FT$r6LA1Q1=Hnn>gjynQ=oxusR zR#}%SmDX1(A|_63A0BpFm|yxK)zNOL^QdxfzuzXB(0X`ASYpTfh{O-uBwa@>3AD)R z>SyklyzeK=Ji0Q-@m`tHE<1Lp__OsZd*xRLiJRyKxlPdBnGxgTQ%f~sH-8^yWCRN2aQmt2+wu2KK5S>r0X3=F}9=Qz_zaUOlKt#7IlY9&1 zNx}4=j!seF-NKkx%O}3arCA8-7@t9;SX#TOu$wy!mMcQJ?jMXzfuRzaccW@KV^a+T zgp{YrdZf7U8CAYJqjtg>;g^0RGv|(VGQi=bK>kM@>0?f zt4!J~>!NRU6>2dk)3|Dy`Y+whW}=eHjRBIZLJ&VS3Tc{?oIHO6(pNJ4Pdi&<`wF5m z706MVzc3vaGNeJsr&^He&6v$32swo^BD!eEP89WuQ0;;LNMWQ`dWOvl<5+}0-8Da> zVrYB0GH#@l6zlUIzI3BlVn?a8SlEGP040`*i=Zd+P1S0e7?gae>79%=|{nr^cpSqYiuqo^=-#>ocR(U_$oIb~D}9W6t=kfx_WTz`ouRIca#q#?e0p_ROZ zTBi8itcexQVoXV+L%-GvI&de$v!H5_&6h{|kqZ4au5FgxCEksme;#m8W}B(xdVHd* zCD7*GV~iAt{0`}3)-Jf0+<7$jMUAGfokC*4J?SO$Skf{X?xtC20t~_V;JeV!mXls< zxS}J(Q8#*oSqJx}N(lw=8{y^`OkHYxL>&)D8Whq6lP4SsuVSut(U|<{+9fBe1SNIC4*KP(0vhbtEot}TGwmHObGNC=t1-q~ zVa#`l-&vnCn^=3fu@J-*#3d_L)OWC)JIt9oL&cOx+5=AaCoOU z+#YLm94m)Bp7-cC*zIPGd*2G%AZIGY<4zjdLfYs^AOaqj z|74lSI@$2lGyNS~;2Gjkq?lzp4ozh1!ybmtRbAZ8yFnd8%ppId%Hp#w(zJ$37PDDF znJW3GA2d*h?&ns%qV0r#dFUKHax9xCGtU%`dTKrh#~zRp~A9>uFK{a!+a`~$J(#N{AF&hn)gZDOU`ix02dok)>PLX6uk$1tiV z?%pE3lOrw{%*2`Nm>Z~qaS2}J98^q&pn&wn`3k2Ssv)uJAtuRzq5~9SwbCu1*9)5* z8g;BF{lHP~RU}VD${PJW-hy2SL|j0dGm{k1rjOInrWW2lTq0#yu}&iyG@AbP0-HQKdQQ4ecC(Z}DWRQL=fxV2<7oRF*WfGiCPXQ)Z#x z`{cu2+STw$_^#7jOsF-jUOkarY|I!3_ILGi4(v3BDJ{k`xIy^NqaF7HJarLIf8QXs zVmnXdYc{-9g3L=ViVrhWBYdVTKy7T^M=6UbeY{z~xR_}cZhM!BIv(`|?3{p?ve8TP zQQ#v)TfSjaJMEApOrSA0v3b4sH$_w5&o}x;;SA}p$wf|*4mJC%7sI{eZpJzZn)z*& z&H6B9QqQ-?e!cd|rs_D&W!9odx`Y?KZD|K+v2scdipoLE>{z+6b>znm* z>g*4}A|JisMe$QfKAd27XFO-;vSS3BAd8*9m|t`-#NcJ~IBxCEwwu&?a!Wh!&2}|x zAUZS?YsNdUIQ7v-RYP5b<|aWJ|1zr*k(L$d`qR9oj#91wgn*22l;TWOdK?t?T0jIA zZHF9?jY|9Oo=T>=GM+sJq{Pe58&)=*RI3rZ8nWBs1OiitvE^mrIv-RjCYy z;Nt$a8aP9Cu5H7IET2~s$fekzTl_*2wWoI&ufmHtN4Rj79}HxSAQBo!wNRPVS+mpu 
z(aEt+Ek#jCYDw+TV%kcu-)zjz&0YyWxX;dRqK-s-0SiWUVU-~D5QY;{>_ME)#!@+d zL<7H@U6q774F)WI(!S)>k?j7Url1h_M+AdgJT^jJa0kFys5d?vD;z(6@e64NkvKF( zE4UOR%%h{`A{#f2sz8x;0u@RSK=+7=|M$1$_1~L50ZXD26JI`xNN??vGdBpx1PyO< zjck7jjt`DC|K99>e0(&S!JT7Md-1iQq3a$NAA()$o}zc0XU`kInw?n0R~N}Bf=Cxu z`Q*&k0{gzkY$QNXO<@DQe4(9jprdJep+sD5|8?*DOWg0~)eeD8s5vOJb@YAavgrO( zYCf`DPg!LL>-eYjCnbA@K2PeufAthn+rmB}i6IrlH#+NY21#kNMyIK4#?oeK@L(%m zIJ~|T+47i8)rBgPq==Ful2A-3Tb9VwBF5pO&V^`F%jU;Wzt!OS7`E1&CR;wcj^0Mm zM)RC4Ua@xxU1>eS{4YLG0y=RuTPAzq1xBqQmUFk$)0K-~On>;XjFFGaFZKBWpOFo?r7V%Lie8CKbOg;>b$2de{xEI`& zR&7O>O*<#MkCjprYX9P*qRC08;X>Y2*|MI3_fJh|pdzZXyw77Yt8+?RY~th(Rp5^C zBtcA|dAd^gv&2}R4&FQpf}92i3q>+K%B@h5wLK^DqXQ=QLJ8{pg8{CuHGV_0?;{KH zZZ>9=oFFvQd|vtbHEtr6GIeC{Z~nh1pnR8r`$k0jgl5a7e7vEqXOwfT9CH|#OAZVD zmdiPLIYVM!W*QQI0QBpOZB~BO9-+C8;#&=!i3fHpZ+wu ztb*$1E909CF{|soRogPS_O9_HyU^Dp{=jb~`^ukXmey+?OMb^!zTC>0*b!T;r2oPY z_Cm;yLt~9l3``pBqi$>S_;f;3LM-eRd~N|nsbQ$t%!7F$w7Blf>X=A`z> zfDL)_Ow^7e(s@m(Td}uy(tkcpLW>-}Zx(Br9LkguelG*f>DOzdp)*Qx6)FE~cb`o| zT`p_V7VjCkv7C7>$!~W(X+P3Q)qtCnT7f0h#Kh{7ff819_sgT$U+2~+%>Km9fF-OY zX2B~eT2TpR4G|kYeaJ2(hL+>+)vHfv)qB-a-KeAM8MC^5Qup8_E*agAla`m0@vWk+ zPz}>Q5lTVI$5)j%#a|fQwxM2ZeiReTD;YSzHt?6K97jQC4YyqvLx@vQfQ)#=RFYOl zldF&a)6kfhRPqC8`aKZQiRfY~x;dq)g?w5crdxf0t!*CeZl+C|lf@5WuV%1^#Pl#Rz3S>;rwUuq(~y@-!CY_m)vUY+5F;JI@DdQUj*<;HXn+o<-^ z#5eUrghFJ};m9SX<|655nl8O1jT{l5@uZKSKgGg?_12qai@|erch0M%?=dG*G0F-5 z2tpA^-8XkRAq>FozeDnYvee*9V~TP4M`&e)#%s-vls4AM%=z*Uv}#_lRK4!wJ+J&X zpsgP+>CA$eqkN>P)oZ2{YOe&R`rRhe5dd2}3K^tG?Q$%g{5|IK| zeL?nK$&V8o^h@b?#-qN+{a|X|XS{4rknl_@!~EOWIaj#ik`}9{$l7E2P3N+Rxsb_f zL(al|Zh_pVUV4@34il&2wNh7Peg1mw5qq`q%&Y#?Y(n|nfOO?hikWFE*0rz1?Sz}u z>zp3Gj+eiYtqA`E1_^M^6K`-J%U@;^C!@Spr9XK52Zy6B$-H1+0+=BP&vlv=cXvA& zE0WS_V7S}-+basUZrD;0QQo|>T=RP4XB%~lXA08tseVQAILG?CdaQM@`nG_n2!BC0 z?jPcL)7)N*F09~l+*aQXSoQjP@S4Lr1q!bzIn9~_be+WlfjX^V3;TSIp$1naG}SB} z$!U3{tWFH>_o*t&Z-3fo{|+r&mVU*St=%EWQsG%W@*04~&}S0FoUHuGjsQ<_7#UqicFE4s61=Qo~t zWT)c#&)97Y+~K}MHd69C_9e+>dx9Rrs*4eXB^p!&$DE_2YTIlg#s-y8_wb^ 
z>3sf6w7g#eN;+qDh|au>3bLE+Bx}js2H$^EEhsl3uvn_INz}oAy?G2^8O_X}TCXi#M3mYKzdkl<(Y?o@22gwG>= zNuw%uqr&E!eVEuxBax+FdwxZpxVDr>L~k+EA59*qbe)-C4YO@V8E)WOXSj5+1~4l8 z)nl)t@|E}!brK>bXB<64a2TG7@_6iTt@b5nO^n*>EYjW%Pn+dH%qdT z^JvlaAmL`#z=;ZbKoOBH95bFaIfs205nb}iu(vr-+4D4B2IPyXTw!}*8g!;tFy)wc zI(?Zx{J}MAL5(^pZ6eFf1~G=_ckrm@3PouAEgbqQMrAKRJDA?N}V)?n?FJ3__jfhg5mRw>zyX^JJ!i)p2=YC#7pv{m%+d8Ww`9Bwa7${bLErc!4Fp5%){enxSve9 zrTF_eBE|*I^ZGi-XDr?-UzF2iyV~N*bn1)gQ@;H?bbc?wShN3GMdJ3wX5@?JjRGu; z2*DaYjMpgzTqs*XI0mzwkLsLtC#$mDvhr~*L7g=Qie3QUWcoM$52Q+z?lmWs9~Owr zt&z;mrp6P>^VTPF-Qur9*7cF74zmykDMt=(s~`;o+7zcybw04Lx63SpKd zrL`zRIb!ib@JEZm_@nEVSB;W!Z_Zp^Y)yYe1c)r`ZCAy6+b}+vA2HOdT@aqy^N$U< ze6DF3h%x|Oh6mwXeq^B@VmA1O-sc!aiN|gx%|tK=t=a#HRcn&*QbFOtN=eoHIe+3h zktvk%uvF;7No{>uN6)ZmG__@jXFy8FNfGud zB-#^d=g|V5KdJ6-P1S7_>Cec>YRXnyjO_RsnWMbywK<2ibeary5}epo=QAu(WN`sj@B{w zG#iH<@R%!oF1*g42kv}R%vKJQhvSu;Jx+Z8ZsiZrd(kv$sUHl~ImoA*`r3>E7i@&B zCG=QpEk&l^#IrvJ7(rXCgcti&e-6aIgVj91x+;z_|WYH)wm8#_}r7^yR_sKpAR zfc&b&)wz2_Zv-`BUDdm5*^4##D8(e#LjpoJ^Iqp3y_$P9mBzxH?F2X1dnizTCBVhpp;#w{A!;H~sMr0q#V1=CnkViKvx@gC-eq->CC5BT6+ADtske4a|bczI09KqkN7%Qgm8~>AQyTBFEfBz z_ZUb|TM%%cDp~!r{YwtP>j{ov8PNiDZYtAsJQ~Gbwe(1T_wQMq5aU;*#R7Rx6@p(E z*LLC#LU?#A>+2r$x+Z+Sa(6--bAS02h9kr4eU0XqkYS`G(s<^92AO3D)`oKhsOy7S=8j3~9rcKim#ZFbz6^HpCHGiFj0sy$ z18DLu2A9{z)0Anr3wcfI8O+Q}1;2bmpY~k|Sl0gGNt||C&Z>XE&PkG4K6x}g7{c}R zW#^Q5ff_;nyhCe7W}-#=#nKhJ;ZWq`)MSQ|^~+|nb~KJt-E$s>qnbD7{>(N9b;>4* zE@JiOW*a`=$1|D&$}tWl5%F5Yfo490Y!>0_gb|yAJST~Wr6Iy#Pb@(!QbgZK(BT># zy|^@fq*oPpbj@&4quI^j>Bd#4u9?GS!Ari!=hyqCNs-5?Xu8;|gCmvmGV~F9NH@Ma zg=uawO_TPtY5M(B&HUlk!Ki$Ldu7o}cd@?(mR*@ui;2q#uX!gBw&!m2dHef~X)DK7 z3JD6;Y6VX&yF-MiSwY&&t4w^Bha%Zb&GH}PCKz9}*DibQn|=TA@buXdZCj?y*g;-j zn!l-dfkKKJXzCK{p&&QMVcn`a)p-BDYz%SM_$J@JYe*W>kDIjYQMU%0yU@K*xgePR zqj_C{x{?6)nymzpvzFJ+1Wv~r;e=2?Ely|^yJ^ZZlTBmRP%({2s#pk_HXcXh%u$~q zgU-hBjGM7klRMe>8lg%3+iiUSRE=<0_cgdB1wp(2HuHOrK5@jZ*lTZ^3dL{o9V)hA zQJsl?Kb~kNXo--8PfOv1(P`tnmpuS2^f`uVX^p@3V0rba>Cfno-c_PU4*pY#G0AS4 
z9$xGvlI7AbQh>7&5D<5Vt>alcFZYLbti853L0b(SEWh1*Bu?g+IzqpS|K9&7%s^Yg zxv(_-LrQw4X8(~dFf~ClZLG*!h%m_R_n2^B>Kc+6>WZn1AnlkPdkqh{ImvGwf&fz0%TN zp=NazF@##}50snNzN_6a8?o?d*+l2HrqZjG{>`!`y)T=!%^F*C@kNIB*}nN&JPCYO zc;N(x9ufBi?jgffOCP*?b1KXI$-v^gLsk6y!?*cX3Ozf4Nd_qrgsN7>)q$=)>x~s% z9km98T2FuIrS#oE!VRoCgFU;aFQMNQGMt~N<%-EU;2Tu(D1^Ana7j=zg9sSIS}C(c zUd=2La$V;>SI46t784ZQO0tiSizcI`BzDr!*K8`@_t$J%*}I2DkCQ}|C5P<>ZOwdk z`Drind3)_T2W6n4ikd>c-=G$$V4O*ELw^@BI8mnfI8aR-dFRWwzzhGc#Dc`(D+f1TxFijW;;_>g)cyL{%kval&xeqlzp`upK>l}|g7+?OL#_sBX16eTe8ovOdbYD9Mv-q_e&jnQR=f`^Z& zlDYTlt_Y7)+R2VV7Xs9sg}SCIN9YI$FfHHgI_NKdY1uEJJiy!khB^6N|))+ zs2}pA+~=y^QH^ffY?vqiP}?>2%(UP_?)}2*@3l9V!G$SX8`aZH++Rmo=einmH%W!DS2@g!S3=2Z&W3*J#qkqql4qbtRcpM?RJ(Tx?X zRQ;zq5c_=YVdt2e7#tcpj1g2=KTMhAgh4uI_B?5=rRK*E;&igM>uR?m8sAdvW}%_` z*}q?w3uo^{;>kw7G=N6VkbG|iqtCYTpV?lBRx?AW?#=-p{^eAyVzgv`XHF8L`biF2IU2rjC}4kZClHYUy8Khvtw+U z0!NlQ4}cG|D+&}xg1TZVc6v_sdYI#nLp3#Z0^cm($gLd1YZrL#tORxBtw!@<<%p z$LVn&0V1n^UP38P3jM2n^ls@_V(2keHEr`39&O-#^x7vZljs2{I&5Z?b)_49QB{=EoVMVC{o0jE=>5vp8Pfhz z+d=O_f)_C?$L=fR$ecd7tH(CGRLHWBb|z|cp#&y7QW`$;5N>rpzTBr{mBq~CLyHZiAJ2KNpB)df<$OOrAa32WbDh?#=YK^g zftOWP`ZoWI9r9i$6ccc<3>wgxH0p7ykl_Uc7p8YeSP_s!W$O~x=&j``3eg(q2- zJKy&GOG`_lNAR#s>7q~41Y;5GI>E(?g1HN)0Z5V3i9oFTDz84j6_rZ!pK+|b(7Q|M zsYnz3Z7VRoFBNHpBIM_Z{0uPg;k*2|(xiE{hzN(Q_nmFlH{A?9W zHBck1*uZ>rAq9_rFVERR^0=OuJ0jp&lBgITe;AK8l2KXSXAyztdo{qPHWeHnpY&DP zjm4U?RH0O1g<9FIKu#kqW}sy&O;K33e!3W=_l(L{<69zGxS!s~#mz{%Li&Y=4%s|^ zT1oUJ#eN^U&2V@nOseV;w)#&ECg_&k9&v($DkKz1`h7V6G*3LyZcU%vZI(NP(I-p(@h;bmTBU0|B>ms{M_DvIF6n02<%JKBA4tPK~X~apJ25tbV)M?^+TW0o+|;O8+1uPF-G;J7-Ia7 zE>5ufbd*fuU@$KoEYi&`8$CFq;Blh2*ly42+m#`1AGn(cS8qpD7 zcu#$VdHfs9Cc=(plwda@Y1&NYq$QBKFm!@0_2@y9%);=DDfHJ?i~0tbsyI8NG)Q1I zC6rvi;r3lPdEnR!5xB^bE%#DMbqFZvq>>S&8|Yi5TW zMb7Loulc5lNAz?q(~Rk2a4pLw#da9(`oVX8o`}YI1MW{FG)$!}uhUgmW)g4$m;6h` zzqqzIC3}k$``B?)4e}B)T`4lE_{h2LPwv!pPP;xPug-|B8#b*(g-r2dM^_Qbc&MTc zO&i%po$5F2R9hqT_@|$K@iqNu5cS}Bf_c3Buc@}S?LiNZ2Xv>Oo`dNK@ABlHdW9Or 
zK_`Y1^c{y>%s))%4BNHeo|n2=emTnBC%kF7y!6`^vP&ZIxjz2eF0(C%?*7c$^^NHs zbK-Jl@2mq$v9(#&(0pZ+2C75cJcV0ygMIf**$JtX4eCQ)21M^tioG*mZVp@u0B%mI zxLlZh2{4sfPmHY3yRf6tB)DEWQZkQhIkA%=G$|cFs-Y@OHXEav=a%*to0a>5KWZpk z)OXdnmNDk|!8^}vcHQB;RE?%Vdy*c}xClL9acN|EP(j*twZ@i&Yf{2D@H3P;=f4X4 zn=tc1vb@sAY<`tLnimqG;w%wwRzJ-MZU{9Qb)kisCO}r-oC&AzE~%HX z@pp>LJ1C&dhZ?Da#>IfG5#SvE9!VY(2U(LugaA=aGJ*-FSBlenX5wS*|A&31K_I5mH}rrR0Pf-c+p~ujNEX#H5tf#WH`I^x>$ax2Fmj-^AMM2YP(|cm_VOh9zPITVr>*`0qJ@}r;s^Fypm?=*d^0+;J}#(hUm?4Qw3RoBI%NS<|a6V0=|uKhLqm7212L8yiu_V$aUhg0N<_G&D~Qhx#aIrCPElgv6pQudg4i z@ISfE=?FUaKEGF=zps8~rZZhlaqdt2&KLspU&_2 zRo*SUpa1>)k7^F42j^cN4L$JxC0LvJ^px(^{r3;g4p$TCu+GPs8YJ| zsZZX-|EBx~aXet5HEy)k^MreKA6bjH#P>4AQfb6kTT@cA={e_{k1NahDf^lU!6&k1eUe#O*M?yAI_lWdK>)^Xb6{zmcm)`cB>Z|4qR}93jTt~ zFqk1r{Ezw0E{0cl(#|B#r&7)jU8x)WZsM-G2mQ8GQbkq-K{{l4e1C7FzXUSGhNZ-y zysc=-!&qYcz?IgLHw*KPY;RRV)6`httD~93-1-nw`%gxDQT$E%d#^_9r)NI&4!&P} zaZIWX@0GV~p7;n~BWP`x;aqv`G06B{{NRMBN?*@~i}OR>^8DQ<$=Mi5WNq~Ds{UBv zWHEe&S*6A*&2z5)c+auAxELSiwnKUbk-V+B+I})vjkhyd1K!}QZB3(gzC&`|&WRs4 z)q_k;TW(xsw?%s z^$GMCubT+>MOa*w%e>6Te*#{8i|cyzsu95G~zM^&OM$^n+}?QpZqprML%ojs7PLXUj)})%{Sx+#bUn zII{HVDN-Ch-t>B%BvO1+t5|1Af-vhTYCk@2uz=?gCP{H&VJ`x*`H_m6*7*j4v`#W; z+F_QwiiP{EC0(sZo;UQFjx_Px{{cDvmS?&Ej#OEg>)_8(Pv30i+dz(1Wd+DPvE{6|2;bo@Y(gd_ZbtA7b_mqS z{G5(YKki&zhf&pfftP^p0l%Hjy&9?Ls6hn+>MJB5jfTlKDLGJl-DIllwzI0Ns}{}c z+gMe@>p3^8$11(LtR-E<(-9FWXCsh?xbE1TQd5=|hnWQOz;jaYN^m8zqkopowYb}U zBlzU4#O7p){*Igl#op#7dFFPfGqg>JJEuynL|7%RhW~y(T>|goa|DEdtoTg=k z!FR9DVve}8YJa?K%I1+JPgoS>LZ6sao8%4M8fNM$xt*Q4HkGq1(4)LnozU)K=gG?Q z&SsnxYFe_7c?N?svBd_Kh6TdZ7CgdYOcnW~#oi~6Cx=H3-ZJf_JeBowF>k4K`^{57e?jEp z=pyi%q-??Bg(MBm4{-ZJo66`KpP$*qik^?~6+>E+bhn(-xauK&2oc}6Jz_gr4vK@9 z{XO(Dgp$)9g%(cj5A~f?_c9`FmbE2Y%_D~SthlOGB}Lb7*XVAVif~d@%|uyIJ;%oy zbpeq%5Xf0|clX%!;k)-M7fj=b`1`)$Ot98jPx@4pVI0IlcrUd&np zp88L;w0J6F!ukCT!| z?)o%=9KGb)h{|pUU#GO+j`e-}UMtTkVu1~Ho1nCYUvBndrK8GSmh7(m&r1&$IUz_G zohX2N{w{?X(bK;*T^&XBkd^cLmaj%W1W_fAbQa&y3YxBI5j1^D8k~`@Xvvp2KLs$Y 
zX3TdmHXf?KyhP0*5u&cS#J!fx7W<|yuO4#0oMQ;2N|~b3n!yO(=^xiaq{kcCaR5d} z`(OD^!u=`-UK?I6K7pL}tD2AGD~C6|Pb}LN^-{nay}Dh~Hn1w`I}KB*{)Y196k}48 zTW@OLK^}$}RrjCmIorA0yPE}OA(!Fub6x$SAO*`WwdND9O6N@_1+Prg())AV z@0?CyY1K!LwC=NX@X5V9q`H?QRY^W2V;o!4_ckapp2I_CWHc!}f3Q)`sZ2wa4;{>^ z*g#x7iJyz(fR0ancDguRrI=js*N-1+IKLhhflqS=uRBadl z2gH_)s%gS`(5t4>&v3V$s+~BiYGA^R|NgBvVzTivnX*#yw$rE%f&7hdRePo(k4^_q7nlta!fvZr5X50(Q`ZFTktXc$q;NKsJBdM{|7( z2Ay{}KyD#vTlW3;dG1Z_A&^X~SCylUw@n5Yo7JrViXPxfY4`Bd-gC$%fzdlNtIZh> z$hJ1B25P#GFYf#%-qrAGH)coFMK65Rcfn_*XsTKZ2y6kc;40U45H*R<-(1Uxym7kS zW57T2Sb)*0@_Y>NTnEzCfF1pI-6d{54tTg1=_O{e@)6?+$|~A?D|*zcW%33;l4*eh z($!~{w@W`eKAkVOpBql~`i=X}0mBt?eoyQ8v^G-mVh#@%zt$UncQm>-gjQ%(;`SJP zww7OkocBJ3`%R0V{_N8-CCNBZ3lSd6OF+#nrTSj-oK;bWmpklOo~^DB46^ z`YJsH(Nol#H~k!LeihUD%MOOi@8-@_@#|zeNpU^~08EW)rW>0~y_oRf^eK!DD#BCZ z_MXFK8ut+R{tzHU*9J!t-X9CBCzYGRL>J-r z|t_U2^=A8F}H)v(hk)?pTTtL$GiC*T$@2?r4C z=eCN5pf-63x1X)?+8tG}aCoa^vy+sY=D7_%GC!&oi{uvRiDy1v#ch00l8qZg%XA<81^BSp<@cPGUX!D4#_^hndCG zg?eUtIT;gU3^UuHU*y&rzogy&aqMj+PY4dT zxUC^z9rn<4>5CluKpMB^uC{wts@>%jzIJxdcY!p%?B4sBCrk5{+rrJ!Cgk+iBc4$@<0P$VrL#p#$eG=nF7{xmGo$30d8!6S40J9YP)@yfx==1Sx6ej@LkxB+Bd-qkh&!R!%SB~ z30!{4V9(pCO#kuz1M(yfiNT&j9s6z94b!yQyS==*R5Ci&v8J}_w?ghCOz@4*2TVx@ zLR-x@-WJCkh$KyR?H>E}dgP+tbc{lr-)YY-liZvBCEt#bsS>fXm@qW>{z=!D=0YW` z6FpmAL527D7FD3>Z26QJ@mHX|?7x^o(ASQ??pECXI5D>714b~)5{k|UCH%OB7Cc)Yw)r4ZXpONhaRgN}594k1_qRZom52^1 z$Jo4GgT@Youzx>Zmz*4xxwftld1Gq}0oB9dHTiqN>%|+iu7y?hQTJ=a-UT%AX|E z|DJXM-wEFgGRA1Ub*t(=mN~h$i1u3BcZRI(zePNA-|SI7yI5!_;EPY#vn2`gKB>Yp zeFKVC4jicME$;;kEY>lIcBK04F$k-eYc$OI$T{2oNbGzDo#>8cokVmS`7VOGqnViv z{p5jEJp*xq7`s*S_yy5d(?)kQ;q%l{75vO@4C&zVqx>{ohtE%JY@ZK3UwC5LY2*We z?+phAQ6*?OTJyF{+4c!2Op*iD{-SdFd*}c@ESH}@hBT=rwe41PXOx&C%&cS8x%Z3W z?>}-fH%kFX=@fjaxb1sRw=lo-p_i}3e^ufRuI&?-Z3cNSy5q7IcT(FuSmy81>U*l) z=-%mfsBd8UO}8I0D7iebJM(L;R_l1vr8nztzjpWORn>Jp!-gqnxPm7yulV&|vk!9| zp@K}gXooH|%g?w|kGjZZy^>&V=kCb=HS4sKb+~?`V+fqlD&R56f}!CN!$&K|5249v zB#P*o(0?w!Y`D~Dn&`x)1Gb^ 
z=Ji1NE__eK98#lvw(APD_?p9!7SwokfgJ>@fU|W*y7nkdPspFbw+>jvRY^`-N@Ya} zZWldaeyZidkJ)Bj77P(iEOQs9^O8RAclIQ~?H7r#dQ9@h7@a>Xpk-9N+*|LwPF`BnOt zobpX)wBQAASqq}S?M#$bzD^g!IEka{^EG+3=au*u_sjqOqZcG)BbQ5SqSoX!uXVrK z>x&dS;bM~_`#VdT|2F#vsyh0L{vDHuY>=0PBgc-RJ&se&t|{Eip6eg|$B|;3Xdwhf zN7cgnEGb|8A!YenvHqTHf+QCATOD*6ctN!8Ys?J-(+MRky>Is#yX`sVe}(^Zy(t5d zdsjns!u1NGYqA|FMdi^vluZHg)ahk^#d`lTlIZrO6bV@rv~!}Tzt6TS{QtetV{p8t z@8qp{VaYSxiXK!Z<#daFbHNv>e4H_F=I_t&-u@ixi2AE8^zZi2RAz)aPx%sM1$Z}s zfv=6n{;jBg1gr2Wz3fr+G&|Qgniwd$0uuQ2U(5cVFN6$HW+or%RpF)$cvxs3 z@SCkU<_-NLBAr(_i%=!M_?pik7WiLemH!cJzyw2-dJ3Q=n0>sl0{L1zw|dwcjvdXer<+de5iHlKXHXTxjS*5+3)%Z_bM7J z+TC-50v%mxXlR^i|776(y^qkbzb66cVdp$}<}HKOBilsUGZ1quZnRu0;MppNVb?!-a{p7ZI3^5!Ub0r-Sk|2GgGWF<0U8)7UmJ}8KfT0-|?gY(L7ChwQBZ@0SNUO?Std~ZODrfJZ)s^en)JuhIfGdr;8 z#9?Vy16@r>+>_LKy;fpGhUr*%g}R0M?@SaMtXvi^xZL<{glY^OCy_x65E;ZJUwr z4F}9_1OH6&=FERft3+?h@1%zciMn0dKuTUm-pv;g${cs}>m%2U>etbez0UByoo430 z)%L%NM4q91HqrR+hE|E;9`~pXU07r<_-bj10r^8!5^}eEwct)L2T`Scqw^P=kktQa zeYz~p(=y7+P}%n%cA$oA&`uGy;+iMlN3#KZb-t$sq6gm=;J1A7D}twA0?@b9hGln& zBdO#G|I1MCv%7P63=gH%0P$wbTEtbuMYibv2p?-tcbPNLV=Gwn?vw~}va$klF$csh zObjEnK+}tVZlklOUH1iqX07cz$d{r)w`H93eaQ(4?=T%(gYiJ)1)4Jw04qeJV+q`| z!f0jk@^Y?g^QZUrSNXA~*UOV_=hqwB3r_M8K1-<{*CuBN%<`^VyD|jSp&s^5XWy1Q zcF*IB?@rSx6O*3DJL`VGYL=Iu+iCRe^}W(Ja*GsmO|uyO2T+4fl>CS@^}6{3RI4C* z`uDRBbs%wVpY@{azSS72+IiGK<4Hbz|I`X(YoEF1fCdAd$>xQZ2kH;XsJ7?`?ea%H zwCrvV#Zn>9RsDC0eceZB&gc0+M;Qp-R=w@4aTkD|z6s+1xTq10_KF`&wf0y#IZdGn z5W0ZhC)=Cq)*5cYORO)O7Ne-*H|%dN-JIRT#Sx$iKoR=>73zIm7BV;900p5^Q$YPm z<2?QN7oeloNQvm2ia_U?Y%wyr?!&3Ho8>fw;=)C+_jEuhLv++$SEuYk#eMs=yN@g>$JatMmwT78@$I-{7x`|65P~3V7-TPNC9>O zeeV$Rh855&OF`);lm3_Aua@Z+TxssM^+Bz-@Xt)s04B@QJ`8f8joBC!8*>2_F}?hgWCA_zOsi zPTjt)=Ol>5jSOtmxX=HmnAm?5bJ4fK<-A(-Vh~m9oak)Z;Z|b6s;Gq`%HqFpuh6;> z-6*Mv)`yt(rWe)syPdjsu3~C~Y75i+5_!2r+wM)@Za#-CHQ}SdU&b};xsxm_3knn? 
zP@E^<0-MWdGI6pJ4y#s4e2~=}c<nMu#is7$^S~z#yp}_Ze$}IZ&D=JjcBAUL<+g5hUhj))I8#Lqs_rbhFRtO|L;E<# z3TMPqn_Qj>ael8>rwTVgITXyU#Q+*7ossyxQ~P73IOEzGo@q;}eE#I8@cX0unxTzj zv7x~JqGk*|)eGNNZ-@Qo8tx0n!ovzZB~RXT-b71LgZ4>RUwmu&tnKdGE&9&S;4-<5 zK;c4%(p@^X1|**q)N%=!vz``nbw{OB#)_X7p{OZYX^u_=PrYOFj9ARJQzz_z+*}p9 zJwazZliHw#k(2(BYGJG18)Dka$u>u!8S*OdKtD^Mbj0lEEB!Wmrtm&q&?dF#e2ptY zIpV^Rjt5-rex@~9X&bb2wX0z;P`EnV6>@v6Uq-C{jU0+eb31sqDtCoCkCzF1(x+04 zsORAPL@^dkW%~Ic=;-EZ?#BOAAOrDfHX%;W5cfi=`Emd;I{w7q@uf}3#x zXXY0Gcbjv1D%alXRpG9e}!aFs#F}`rE60QUY4}$Y?uU0uu zrW-!AI8}qh$4>RcvLo<>mtVRD%E<7VO(Sc~S6ILy__R)U+p7MX5xxgG-h1J&Im_vG z(q1>|_(|n1DLKARgLgOsU9gODo7fxTjUt~amlshyBw_byeZGkZCpM;4Xa@NlJLm~s zCM730Gd#ErWrRbgo(z30$M#}^g!T+XhOZRQtfFe_~f6?E9aep88$3VpEJDYSJySM3I27c%_{p=%o@#N>s z{E6LML>>~NPdk@a5mAAzYw+6WS*>f)GpIr1_f&BPrVbRGxYOvHgu5NYA>x}-=yQ>0 z{VICP$PKzsJf&=tz%;z8D)@;v%H<{?TG-3#O)LvLcHl+F!4t~%i0VR^qwA*r1mb)- z8JYRbweM4LgW`bt)63>wAVMcr*I@H$inur^XxC{L4${0qNy&cvAn86}5Q7&sWAV^& zN9O9m?6Dj_0}uqCB`fa6uQv_D5C6JU-%>PFXE;;FD$omcfbcovyo~Paf6DsV-PpLP z{$K*`#krmlcx7f*BEKK_f&d2Ev%Qh7bJ{8=&+vBZI6O`~s(npr!5!$ixrjif`CTNX z{-|;5Wx6qedt8JfwcsK%?{Mn&5$k$rqq~HS8l4_lsJ}@~?XB@&pf%rcA-DSMGCwhq z(1tbUG|FdM8e>OhBVG;r>7p>hQfaHFOST8q;A7C?4}3d+dQWmMR%1?!H(?Xnz^ulA zJL9fv@jh1_kW);N*q)Zk3FAC&m1N}bQTgroPL9eSa=5%#_L{EOf8$sRb-Y&0qv^*OVCER|$|qi$iIo_%)rXpk{g;Q||z5RYZp(;0B4%mxa#m$TYW zR)RHk9XD0p0;wAp!f!|y{o?(8h~siJE<-$u1MB#C_5EfoO9&N7fHX7gqE+)7f(tNh z++^Cu-)^Uw6>7$hknIqOct=)?YF-y{JFOZT)%lH5>WL3|fDl>Hmc8H^QFbeMN?G^6@yTt zU(kQ~_Lk0niMH-8%BN5`TXax@xiiriHuJ0X0=l@sYz1z3!I#UfUF$pTOtuxtJ%Q3}AhC;+geH!ju zL=|hs+GpT}N|eLax>i0G5HBTN5k7aNc#S>oYZ5&%=; zb`&;Onmmew3GR<5LKb%t)Nm%o%HA*lQEhAL&vak=Q8=c-Gxvn{5ms}Tz7SoN8$h8YD-r6Q)x`(-jW_$P#4QJD`drBBjGJyZQV)xMw-i@_|a!~vy*L2WII_ZsYMZj zM$}m?yoW}#s@F3?HB@bFQlcbwdLX{x$nCF-$l0n-|Fchw5n`UZ(b$@0SXuD1T^D`x zI1+q?C%7|YMjjKs^i=oJbX0t>=tmhL(;EBseJ1?G4*P4A>_5^TKlXuM??h4D?m`ML zYP7g)7{VGH)$CT%HLQf}3QVTwGaD|fuoaZ1b$X)2K*=lUGK;f|@KcACjWKQpw8j1-b{m?@R9H(hVF7|6wA`f-6F8_i&6 
z{*@(caH&DR{C;#^BcLLDkC);1(bkolF0!dz0YH98x|0)kM`WU;hJkdlQ@F{zWy?-^sVS~K~Cr*Zb#!0DT=-z7oF|s{hYJN z8qHb3>Uq3aMPIXf>(nf_4f;R0)i1(JBv7d_N1SCZ3rG~>*QgY)NJ)A~EGdjGkw9~E zR~`9v?xSjjTP5M3^v+yqsNjv1rCEmtd5Iy1n0fZ_T-x>UnOPu-4GY-#jy919ky&w1 zPX6B@fXVZFm=!qMNoYuBC5|JK7+1;o5hhqFEZ3FVXf=L7+s(Y!L+jy33rCl?}WzX>14?Gw`OWKij5R-g!M z5GvW*jk3^8Xt$5giO+I5-RM`3uOs3>jRpt85i)nc#Y>9#6WPO452xkPm4xSH|!$6NXOsij);U==STJt3JOu2wX4p%`lh8FiVi=nxLNS) z*t?qe(NR@EutK=-ZKiLhplAmXcZJeoAbD_1HOzKXb9oToQ(`9zoAq$Y3pRPJ(woMS zYsA_c=xrX4h_KeeU-)UN1wK0>=#`UVxO4!-?GLnXZ4Uhk#JN{0O}H^a9*5>rK*J>g z7C}vS7o)0k{i0hd!`wDyCd#m@c@hX5Q`C;&6(@W8l z75f)G}Gg`Vtp z*D+TAOPbhoGtAa&q<7df)hv)FiX}-zo`iox|jhBjHoNEfZp9b$lN(4L- zt+VU31u`|R{YeQ0@chB}3#`cQwYDU61JY&8-+yfyIy3Ad9d)t z?>Y3~xEu6K5S$Msa+rN7A7>BQI~1qG6$3Q3Lt@jLVc+EakCQ;@V05T8(h93p!8qoW zMtCoH6(@FBA2X>^!9!x-Y5}*~HrP4XdSMuByQzX3-b1|jqu5CBxEYpAW!_3h{&nh^ zpsTO^U{_6+%X})JQ?}7WsKu=p_E{+K_>#=ZwHweNezSOYS%$QS`z_$_Z6wh^$H@0S z46B1XfWHb8obbQCQ)*xR2l|K3ltfEZI6%AY`}9bd66m^uJ5{A`*#w;IcX2vIZMk{s zv&S=?oOijG_T7wpp#DNPD4^yd;077pcy4Il*59?%0U0=}`Ehq$oGk6xL3i`KV?E!f zey3ELAa2@{MsTObZ}-;#r{4Vf)miBCctKnat{o$f9g>j7Arsx5jzIXab&Q)gELfMa z;dGkfq-@On=Jt4?LUc8Oe3#98ZU519x4Ts1Y#pPO-!cJTme3$L%crnrrP~{!w^YQJ z_Dq03H9bqF0ubNNNX*%EYR-QN(ibPf*m+j&x@t%d z0X)x@*RHgiiwRfLG!{H+QXJe2W5Vr^rh=?q^_rwix9tKVxNFXl4v?eXBhVcrZK6VP zcI~=wPNga1j^^VLFnavcBI|dp!xN5Opqq@6(J^Qk#$66d!44?SY z%A5-M&nAqHb&F|DvR=E%y?Ij75~|>4a?0>q5o+OUWKM!;LQ+NQJz6N*4vg6NtO3yzYu^;T2 zd68Bq3U&y;l$)-7>L55$X`8cS7%Ne*Qq{L)LxSssLVTbAz@XD;su zn|-0^=1jWIDI5ZB^%Eu`u`&$(lf%Wc9g%z9M;b63ih3zpD;D{dhrg^lvWBYj<|07_ zcLSYoRc3xt1~?xpSpaw59>9=ogMQ3VB818%GlOJ;W;^jbQqylj+cUB!nps&0mwt`> zwQc6Z@5BMigyhf!cT9$rXa11jPQ)E7*9ccG80C3k=# zr*nc4=wt+OZ;}NWm7ZXU_0pG+$qE8J{x!%K>91Kbr5Eo8lQdlf*MEQ(TLc8u^4hp1 zt~yK-x9SuvU#!*jd*Kg;_PxXJc9|+nOOCnhjG=@#xraV~0({=<6jD6*lsB+X? 
za??0{8^4CEWUCLY=_1FiWUe;cn;oFuU@5wkFO631RibF`kcNo+Hj3W#c-L02Z+|R1TTJs;41d33bDO9w=@dVI z^&!(k$I^VlMa?~gCTtdG#r32rTtR}qSHBF(F=s2xl*67BJ%&~D3sHlvN(4Gmfqh8HVpoD{?b&2c$Gm zf=46xdcHa-|?_-S3AN{>JI3!GLqc2{1g~F z*#lT-5?;@mhb1^GXTC3vR`x*Nw3bw7wO}fOOsZR&$t#XH%r03z8W^E{Y7^L5yF8V| zHfF`wtHzVhaMp^9b55|{c5B~e4N%eT$@C=z(^B(Olj9p5LvB0ByAYO`9hI z2WQEFfbL_wOTv4^(Q+#YH<&NXW@~nFO@fDCHY-?*gX+l^Fh=dMl_xUVuV{8WIXa)D zIA70Bp17hsQLXZV=g$Km=y=L^r$-MW}0p#*!wDetNFD8m}ZXMr`HcZVUh)F&;XX}!8oQ~S`RST}T9Xt(7n zZ^Qr^OWOs_oS6@t@x7eha}uK~eBfIDgbTX$5Mgm&mBD26Lvf(USNz zfF)E3nBN~wOU$;BsKpAO)LeTHeYqu&T6Iw28iVGM$5Q(A1mn|3dU_n3 z|9k+1u^!9u2E3lIXV>N@)AeHu^Odw$&)K&g z|Lfl`>7#yqOju0WW}>4mHh#%BF8np0jRE;dN`lC#8u5F%$+D6OeaM6o{dYb7Z*>A{ zh`KsmIzL4#{p__=<_DY4f@K(=BY{|yKnS7VxBhJP_;4=K@L5v*iyX0kju!_*5lz1y z9CHz6ijgw%N;*cM`L(pmz07xO@vaX7UeQN^ELkKviDAz&alhyOZ<>G2);L6}wyeP5 zTm$rgA<=dvO`|3hPVcnvf}W4{Y%eQ5^q(v9P6^8;MxUi0?ip8M{8IfbuZ5WSU?;~;ESzyqxPk)*eI z28nC2WiqmJSOFK$371yFaxpt@5ugXc=i4Z7F*dmt_-X7lp^gU@5?6V6C(VeV zG01w^cgMOo8zoV0v-E_Okq|462qWGxawH@V&SL#M$zx-pQgakS;P64NGPVE*#jXmh<4jOUp`xVxSsGs2P+^aR4S$LyKRq{M#~;$(Fcx9K|m;E zhN~cTC8rycoNy}r=uP~O!!()ltkG_n=$DWFt*){kr6h2e3YJ*Tgt|6V4HFE8L=L5> zFi{k^uAY1k9k{JI%tof)&r9JAuu(ozw&ALIjG_4WzEyspR<&KCd0e4OR_scSruSD$;W1?Ayk^w~s)s}9jg3d^O@ z-hF3c&a*x%ra7)i^GUO{!`;Kkb}lRo@w?aoZh=tZE;S#H=lJ9|yUYmGYdW(O&irrl z?v$v2zp}{Eywwo$FNj2LPINE#R|Yq?nCWr?33gNDIbIh0YyG6;aN2CNziT^2c=(~tW)e)$p zzf^cQ-f^DfCH~1N-VnMLK+Urzgw}KOo^Xl^B@L85ZLowlW$A5pueRfmKFaSk+}(a< zK`V>3Jvd2ieJk5d+~f!UYy zF?#5vjfogO3hplT`w7OthKdW^D+8VZEykel@00Ku^vCoDvuiQt2zG-V7!cfQMF^7VC3yt60K?_QDBHE(_M&60VhVZw6G7JjD zvj}hqlTORUD4l=gMA2S$D}khxzMw-on5?+e)s;UZAwg-o##f$bmSz?jrk{y};VE;^VXU3%+W1xWDB?Ag9jZ%-;>}J-5Rx9% znj;S5J8+o%!O5bOsX8A@rnpJO^tr21%!}Um^B~*N73SF3SbB?+vUj)ofSXP|8)=@e z1(m?q5EXl9x+-j9zR#LVyFsQ z9|f%bF?)ZVmpZ06i*tyjM`?Pe7Mvn+A0Grt+qww#516V3eoTw3rZ{`}!~HzswI%CQ zoWrSRozNdlj}8<|lpp2RNZ38<1#gR5D|yZPfE1XY%s;{NPE>6oHgQb;t88;DWU z)upIOsrVg7nIAN1b&Abw!!M?+9!)Qs5N4Y-`X$GTwsJ?x5y3T~&Jk{+?YJegn81OGnqnuuQ+e}DVOrZbnUd5}i+Os*MB%?Ob_I^Uqj=F 
z-CATDKiYnJU8%1WwIBJ&l42pg+#p2Sh0u1no_n5vL9v=__QR6f_eSpxOp#K5U}3#` zTe-Zho2OZX{i6^(j7O63d>1|yIQ+Ouudgu_CA3RyH_ocVKy%xA0+U<4O^)> z(LUdE5pQr*Ze2jOh`oJD7PsP3n|W~4rt8OndGh5WjUR*Df|2aJipsATpGTRg|E7Av zgnsr*2JM<1R+0|&g$mpcio#()O;ga$nFc`Dx=^H`CX}rnmuPy=AG9pkF!sy-IFLv?tEi*L?bt>5I2^vedMk^%|X846iL)xEz zKe2KTK_ov!?uDsz?#8pF3j2dS3dJ>r;B|y#7h6IiVeX^1)wX72q<-tw6Q%BF?n`bW z$&JfOKCSw0X5ZlAPhdcf~Ytf}URPItleTyevygaZGhTXkAJqkDEY! zF*sM6`vh=^gb;W0yaW2Dmk#39WYVl$1bHkowJg-XqFg0OT(auXmQ?)k7y+ZF`<=F2 zNm2)%w=PcWbiQ48eGfclzOZG^;Eos7 z3~8Y#yv-%|<%>6qyHXtESeg<8uT}gmbR>d>Xmp$-pEjf{iheXrm+aOSeXGg5O0s_Y zgd+3yVjJ3O&1^#%8en1jOFb5-4_W=O2c*t^C-GuphiM0(E^zyDN@7QpZjQ=VuGSQqRny)+sU(Q1e({nq# zo-xNuF5x`XpC+P~dZIc1rh1?5-Wzaz#yvDS#6gH%fpuk}*c#mKaa`HB5C)r4fRuYe zcJIB_fos2)pDnm$#1Sk8=<2PJP zsgE5>TaWA?5tIkE?^uV9tF$OJ)IF!|!uBxjd)Pziw{d7AmGK@(*z}4ju=prjGj;YW zo>Eysy1xLI_ZQDq>-VT+k@8-N`(s7FaeOPb*=uCFnd36(NwWBjOYRrt;-$#MEs7H<{N&D~Uz=5cX$AE8)I- zzgW$)Dl+pxO$q0P?rE0c2SNqI{*FNHUp9d+f2_zWi~|C_B850;fS~45$@S1FAMNu< z={glteS92l3yty8svI3ewK(MhY3nESlaHvmcNw&H)cT*;XShN%B^l%Zc(I>`wU$U6 zD?Q3qG7fFv-5dH1CszbE?LAr&cP{LTf*9M_C-d6{YeH z&BV48-Djf=yzEd3WY*EeKzpOmX-=mh`PwzUu?s)l!@Z`{=GP=#S_`=Uk?9#=lQ#NIqy+bP3xO76b9mb^{2O(0x;Ly{bOad$gu#Fqbj zLc{N_GCskHk~m-@&eChU%S3|eNKvGjSUJZ3sN=+SGvlVNTe^Jg-e-6P_*owO+pWj3 zkbvOWunYlGoyxoYaa6_wk5@U9q$*H;%NVv7lGvPqqn0%J$}yh8{g;+D#y z1$kMFz$Ny(gv4wRwUWZLeC4y3$&V}(gJt5j!U}M(hdlLAd&}z#D5b-)Uhf7_P|sx8 zTQ<1C^j=F6Vt4s90+*P?QAUIXQnc;-f&xKjoB7p{R&1C)&R+h-Zu+&G8r$<{`azm} z>^*qfu!CIFDpr)(jVD?|V~>YtAn7te(z?!q>uI-}qWoea9VzR8!XYiTM>z!qA|wR<8-2?=U1@5!exdJxmB`(MEPWmQJ|UOqhYhM>}wsV1VKs$J~S67F~oILLafgsd-7be*D|O$W3XkHG!w4 zUid=+H%@#{!pdyW@a@F!O78+8Ct$p02rM_yX@=lbqhl=Cw40LjS`(^SCOa(+m=6A? 
z1>|-42%jc*nA%mt^%f|pY2!)>;KwHJ-?shf#?%P=@+5P5ZmetP|B>|$j&*I@`*-7{ zP14x5ZQHhO+h}ZS$Bk{9jnTNVZ9Dz#o^$R!@BP02z+P+4J?EHfex7HHLH+C_+c}U5 ze)>FuTp@^qj(<(`-+RYjLj{)FH5gv6r*%}6D5gURHw%PjBU9>QNQofPM?qDHPRiC0 zZ4M>{#NTdp;<#2445!mZAwlB(HV*%ys*ORMaulBgqW5`hMRu;++)`VA=6e&bTp>!Fi8+gILwPt+>Ii<} zmmUjEg7s+ZM%m;b-{o}xi6Ba;mVtZI4`T)Vg37XSlWYztTqPgi?a6?X@ap~^&=AMU|Hfm;aP$#t*wWk4$p*JCHVwSsY8kbFR3%YZ#=l0!N13P$P zOXR9L);z>&FFkIKXKV41ZcFOUoQ>M;YZKe&{icbK{k;}6(H#>X#p9b9Ev%JOOIb;6 z=ODP1!y=<7b$igQSbMYKF>Vpf)&%MCiIF8f9H5I<5r18D4eE#)n6^t!-Nln6$i~)H ztk1Z*ew`BRBmcQ5Zgm6u8U{G?6#{yjDH3I1$CNQyKP}~imL`TBMVJWvIQRz59keTz zKT1mS#r(W_ZcZJqQ+qUMhzCnFgr(#7Y6T9Y(om4rz(wQNq+w$&XVx;jKgQt9^U>2w zIjG2Qf@*l+C%f)z`dnZ~_mX<6rSX*TtM)p=q7J{VAMo#5o;5rsVavbH;M$Vi)8$cQfdC&&|c(VfjBQ!0JS`XZT#TML)?> z#Q1ow5}@@B&qc3J>?3*mAzp+)4c{xLc6(3YTuPmp+e})t;UaV({zIK#kw9dm{1?2l?XKE7 z+`vx{p>nPg4`I|!j>?Qu#@m%2@uhN z9WhoSg3v%=rTNJsc0DvC0FBcXw%}yUF{&?UAP4U9+CK=1?VM>8#?i%sq=ZZ$WzT^{ zpUM{&oD?~Io>4=(X685#LAxrmVs&B(85RvQ+W12p=ifJl2q3WU z^)R;q(A|;6VKQjlUi!IM3gr#ueo?;5PnrOLGmp{47_uQSuz@q#Kw>}#3byeB9k<3H zC-}E>$+>a*i#AE`^BlMdGGaxH)7KqxPC26hDbp)hYp?RkVueL-kK_7YyO^)+7`Tuh zW*s+KyK%ZX;YO}48`BAuH&Z0B@C7yLg_*J#+11^}k=74kxRA~mlA(f&(;yoQ`|#z| z?uy!7VOZrlR319#tG^JSw|8b`jm1qgqtb&bIsQ=>{v$Ggfk( zQO`A%#qr$chA1*;HjLxz3tT7b;OW)>KHdUC1PS_?gXaPiln$5^FmG<32KMD{kp94S z1aLHZP%WxNQ5ZNm$m&F46J@?H;!JG_URNcGGlv*>2ElJvx+q`HW)a|I!Jlvh z2YA^e;>HpM#8iFmm!6D6zzHYp7QK~KOk)lW2bsgzSCNsL$P#xpO3l}p3A3mhq$)-2%bzb~Xk(qfl*D z1L+v_RWn8jIOs4M4zR z5+=~!%hphOOPa=&20@tKeud$(YrbZDj4F=su4r#e6CIasw^oz8QFky$xJ-Khkw0V@cIHl_M^JUUh5KXz|>v`a``4JE-_OT)$;-0N3MjW`R{f zdKepP{CFQXw)g<%Es4eDH#n0y3Ds$gbSVP0f0hM=K=1Ilv)x_nOe1}KGPnC7N_vEy zd+r`J{9jlO*w1}u&BpIO;`DBkK0DgTTFDX)HW2~aqQSQxyZCYHjW0aq*$ z))?W18TikH{EOCw?R>qH{BhfxIEcB_Bi2wT?PTN+K>v}`aN;}~e8G5G|52xlk4}N1 zs?&))i)}MC{ds7s&BWe{L&S$DhqFcluHX}28SG5ynEYyip>fNBi$UCnOSZA6RgZ>9 zHp0mF2Nr!+39dlLxSow(*a{E%pE2E*v6hWWDmunx#-%trUs!?k75)FHcL!mgLaQ~g zXkjOqw3M!Zw_#Z#*S>pRu??>)xE6*Q?^ZASz)3E4^OptZ12+L#)(0Q 
z+>u^)i6|CyP|`eWSo;y;!I_+ZWqwo3NyPZ%dp&ad-Re20s+ou2Eu7)A>hqWKfsEVW z+>ak`lW55UiPf?*DzGW?RPxptt#QRwU9&&b{kRP7u!`J=vPn0Cugv%xctg>IPIIS3 zpkz8vIuO;eyQWSyb~nCr0h_ut;-4`yHcwteUiYg;|A!p@ql4DgLJxYZ@I)%IB$ka~ z;F=D9$q@jXXTS@~)4ROQ2%1*pC5d#2t`LNr81Qs<5vDTz83LYR_}L`3;+)G?nIVcb zM~kPjm^4&>Z5@eK%Z(YPF7$^lSHXKsh1vkiaCqAEnbjne9~Z4N$9eVp-NK38AR~!C zS2rTthtI^tfy>!kWEzy=?l!V^ET=4ScB?;6EWD}CGsa8Cwv*xTsD^UirCE*UKG!@LeKtT= z5~INdp>r=^V)nosCi~Em#6?zYE<2tP+Rd&X!*S5#sNb3~*SK=;%OmFGkuBC<8(w2w zGO(?;3g=IZ-jJ!wL!8V@w=x}`)?K;iSL zVp2tf?GM#@Zf$AS&(;vZNw!D$Ur_&_=?_5onPuBOimsYyNn42}CHyh~X>1GIZH^4N zx`DS(P-hT{S z(a!B={tfFmVyji^xP0pF&gm{%YV6s~%bQcx1IHDtxYjt%92NRET~>2ai4o+cGNoJl ztQlR`cPz(^{;8vuk>l?{pUB7{hdQki`*o}v(;YZOVir)%%G^=EV0{G9min@KT*@l230 zDqr<2{-n>v2+hX?Mja9fSHj24#QRFbW6w?!D5J$a=#IfE%_(=wGLe${%uC84(@082 z3@`~1^bS*Yemt}C$@P`5GfGc3;dz<;#wssQp4&cr9eFJlJ8nVm{?3Hm^q@<={wI z#4L=qmCEdC7VD8(YNN4$?7vDwj0yO3|&(LHa*v*|>?b_ArQ2%$})1YC$n z6(j8%on#pnwB#@c&7vxU|2NEP6hfn9nHX`{*3f55kTar%N!t)7i+%>6NF$6u254le zrOFrw`VCQ76eo~m{hx5gKo5=tLEJ{Js*o5Vlo2-88i%TrB-L7m%Ld0EFUuI%TQAf* zUu<4GPE#>vBt`l`2LLUN+}$`S=Glw;KR>0w0G>LSF>x2d;D42tIIo^46>uF*pznR781Y6v^tpKwo4J2njkrYC1YwPxDhFdYIf%^s($c) z2Ph%bOLH!LLsKa{!}cM_D!?^4E5o{Brg;J@&E(A8URb*&aWak$f-up6F8{Mi`BJf$ zdldU7d1eJ{TIq13q;w)dJm1o@?HO*%-(hh2dz$0w%@1uWvi}V!zX=o^Tr~wSmA|lT zTcvK460+lOe~(@sK+&rV6zE0(WW&sLQI{OQM6^&KeP-&TA%)5fa^KzSn7=*8pE0;i zNjXTUtB_maSdjwf&bC-7e79?6!`(KG-wLa78 z{@$?-Un_HdM6Tq@+;qPF89?eNNjqdR4Un=85bXCxhXy}xFxH>ln`h~|Izv{`yHIR< zc?W6tc&5^A^@)M;05sdK%W${Y$37EZ3=WcHb2;Z!Z+42hHnHCIcI!44J2w%XO6_1MKYrSboJq%g39_WZsf!+k$sgAk4wR!d1q znGMojIcgffK9my?q5%ImeMLW7ixE7)w+f2JpxT~Ac;*Qb*=HoLn?Mfu!^v5i6s=jG z`7V&M1q}?%W(jn}$F{h*k@FmWP6zFNBdR5>1U$3LtNWI^{3Wh-Qh2HDb?Vb~trIAzQAB%#efkXJi z<+`Y_@W5S-eYf;9zq1IUQWn_DkF=6>fSn=<@};l)w651~)#J#y<6MsJDl=_y@L$~G z&$Z&h8=Qd$a1&x_GCRF_CX#q;kchbjW5}3J_=$$R7>tE$pE+3Pz@jL+z*#J2d}2y^ zLvQf92(y23ty2aioztTQh0-S>4AGgb+AQMjhc zRY_Ug)w23-R&U60Q#cQD=)J)omYi93s-+Gb0=oJ=)4^;4*zn!`ehbT}ZUI6CYwPBG zg=GnTD=$xRBg*Tw0;H6F&CCf5a2q@o&}OQ;pUD6@ 
z%#BvV#*y)dT1HKEs4c`nqJdgBd!Nm}kC1Xx*e78NETRzrx(?2)AGK+GH9`!%b3s?e%U~1t& zy*e;aCP-%JOKDO1&_etkf;8VeA{mBjgJiNjmYwrET*F@d<4sy520{AGirGyoHO1iU z&?&j!^x!S1E#Dh2X;%g{ZNqQan)TBzpFlE5FN?`;bB!*in427!FpJ8X%)oBSj0o^a zMYJZ}l#ZUTVo3XnrtqltT2DG0=!2ALKWSB2YSg|;%j4Qf5E189W&Wb^+_%Ujb39c; zwM(zStWGm#dNITa3uEy>gLFmXdaIH^9ewY6Pb*8ie4x37r0}cI(Y+kC5lkRVgY~f5 z%e%L~!NM;(E3-h4q#C$;*GPl@&4Jm`du#5aUlBDHCN4AqCUWxL$I5D>xY(KB)%E>i zC67LfAQJzHjlGE?1ieWqj~cH(q(2I8)Ne>!aIM)=j8c`N32FxskFc}N%F0|-n8t|>Z;ZhrYa9~(cqpd^+c$;YvilSUW~OCiiro0nf_##lv9V`)GRL}%>h!jY&JcG zv=S!4$nb1eVHpiVOjpO3gQxCm!bk_t3M@4S%s7fss%kkpX^yR3m*EsH2Txn&SuCM> zW?;2#CEcF>13%?B*4<6-eG=pew-t{g)pE;basU@k_yJi?axYzj@uQvM>JS)blFXTT z3d5d2?j(Ht&2|gIZbI`Sn(jhy#nRy++urw~&=)|*_MZMS6jXf0&?E(yO&ER(HzK@aFN`GagFi5M7o#q9NXMmOhz z^>pvAwYAmen6cdx$#XlB=p~a2e~yC$u=Di@CT%>i>n@cw&x*!fYKh)22r;vgMSW!a z(lymtbHSmT69IZSStDfB5mY__j~wSe%iE_U%3v32cF}uZI#o+9W=9hLBOvq8;_1QEO0OYFm1Ov6D9!$MIUH9?s4NM$+c)IJJ}ZyaCt7qp($ytp z=|J}Drt&HMrOs29Pf}2$*Q+5FbJZO7d6(z_FZwV0q~LOibGnnGeKT1xNBxz1mYSL$vR zMYk$4)y!3FWhg5BkAN6K;O)@(J6;9cN?VS?jNJ>?R|xGlxmWZTuAsC8|6dZlHd$-k zz+xFS`UIbE+b2J#>Se?XY%5q}&y(pX#!=Id-nZ&X?Ju5BT|!D7bpD|GvuS|0D!_sL zRZ{?8{_G%}aJ)aMzwyAY5rx0Di~x1_8naA6Qg>lSrA28WSf0pMkB{&Z6~?Fv z(kRXFXs8Nvhn!a`I~_mNv>CJ-hoRa#~x1<3TBnneXGt#znkL21yacqRuoQ7NlPgyY4Tdp2QHBnr{`tUnJ z1p>rOjI+E<{jTBJpV~6u>^?+l&B}_4){baB?RcIjBp#aa>5`pOPDI!#4eI@LbD1l{DQ6Ku;Np?X@ z&*gypk$m^>&lR(a83m@cP%uNqP!!^1W})o%Qs&=_@r`EBC}h_p2z9em{5+--BwozX z%u?YKb7EjZ6vO6^^JAftD9N1nV-9o240aqKGb==ATQ*d#nO%oXAahv#4E;75Ov_Gl zEi<6e59$w%7(9{8q6dIpl9?_jBAzx4q=+8owq)CC4y05p=^938Q! 
z1vzGy^P8W^>y+sH5Y=)Er_XSmr&jaxGVfPac2NyZ*^naL(zEr}a2us1xDMNVe)=XE z7PH(WM4-{6%viiN|GAgi6<$aCj$DVnh;hhu*K*#akNKg&uGcswygkf=T*H?ucY#0C zn}?khChK6itT`=r3EO$nMyUn4(e;je5$4$D#01{jr$YJA90=8R+d`jkrw_34hG(;s z%pMrx3aZXiqP~+YA7U+-rVi}DG#xFNrjR79%5;Cu`0NE6`CUnCp*509!*qUXzPW1K zDVfaX#t41tB-EI;+V{FxtEbgzTsZO**P0z!m>wz$Rc(bkpV+xJe7#FU7W@41J~6|F zQZSm*02dz~*hxFVw+c5Np>vuxm)b^Ploc}H`0y`%oK4F*fG--doa8>|?ICs5DN$X; zH=WfM3u>9V#*FKHxLeem+7)C)2!3Ihw_M_XLTakq{DFHOt)`5^&(d|oknzDE@y3|zK3>YKq&6x>Nzs<59ryFZBrK6~N^>U6sd zU4ETSCiXPr(8a0Ag%TY?-(_C5Z_onC4u~JjY}8=_*ZWw&8-6vaL0+aHA)-q%%YMUdEL4^aGlr z<4txrP#OXXD{OcDnr0Bz>KGNq+jT1=U*TiwTu`}JWUA&aBycDkfMl`uCNubMUG z{aB>MKAvAPKR$bwJ^@C9jkUv*CTx}IJ!Eq;D=?-=7&4oO+oL?FqxY|IO3KQ_hT^L_ zF+okxIy8)v&_YupwiKykwF8P$cpFwMpdT3`DIzF6lXWMHSal1PmRCM6Y4iCQGV&y*ucdu{;IjqV{Jn~35Z(l z+r;&vw5CyAmDKGh^l1bmxdRALPAhW<41$Qm8+1A6)eQ^ogI$UZx`+A?== zJ;83PNcOGoyC81V1Y+5d!|T5gMz8LUwP&|xW0aKumkn0gM{pWs@~xxBGXvs<`}Nt) z^ORv_y4~g%s5sZ!2}1pT5R2AAYZnf*@$Hc~6GqYl9ZQMz@2CNA=MEEUe9`06Niddr z6g0%6=9@N)DD|oM)6|#eB)aQArN_0(403ODR)7NPGv{ zd{K>eSffs8%fB!4ri-e&6fk(SIUEqr3)ZbtpQ$06+^Zt!-G*{4GPJD)of$e~*b12O zs=}4i7;Y@1nOlYi>8V*)DQAMF^XqW%ft8zgM;PMr?ovzGQ@R_h7|0fTE$5;4Lw1}9 zX&rCFMNf3(r!KLPt(`tO>B>NV3pJup@R?hi7XUgSi@pL7^m;s_%BiRq5=iNJyo1?) 
zmnnk9O)XSdJWko((bxRW`D4>n)~iXRV?c= z{)xJ|06Jc7{zhaAc#-7BQAYFhv)Ni_=dw{~Zv26&=wVBMgw()-l6dpeC+WhpYF(p# zM47 zaCZpk*w*^$XeiKCzAooWkh}GVZ}Qr8ckoG>K#463QDE1OoWXU=*Jjq7=a;99ALsXeZ$rzc0> z^8|};Sf60$dav+0#7fWBK4zna>5(6fR*9E~0I(^S`k-RMLz@6X$ojV)hM7A{B zH5x}{U@3rOvZDI|0^&|nAhD+!9faN@7>D?AO6HLzueYx#^C6uksjT>|${!R6-f(O;l9ukL26x=3fA)MAfVY%;tDeoU(0$l>E>K**ctl5dNBi=p-o# zPQ@Xcm;vP?x2$_P*cq0z8m9I++A+i}+Fw5g5qs%+GVz}67R^hClt-pQ$@m^whSmt{ z#~1iqSSyD3Jogg7<>PyRJ!wky1I6zkvn@?UInNL7Q=gX8q40lY?&+wiCNTLZ88~Vr zLw{F2$!+?^>9W2^vZwbKUG*e3c=swkX*kGEAR&OJK?Qeu6PQjj0L=*m=8lyd6nt~$ z70x;hi?J1Zdir`+>U9z1zeOy9M<8zt7IWJ^2)ubJi~HMn92NZ<5|DEbN%V`o-}s(c zvQfmw=L9YuE(5zE8Go1erV$kZ=i=}NGnEhSIbR%1%AUsejB4wDG7T7MQu;mF;PTk- z*z{2EcyA`kgzf1*TeorQaytKNHLUsd@)PjenG2uRDfPtDn4oeuc(1OrJOPoJ?NG3t z!wKB6HZ}CPc8aOM8Z+u{wFQ5t9;e`Rc(d>xN`J3`DJc4fqG;qKRW~MSYc!alP`>H< z1<@ixZYR#>6H%&CJrei?v_a~_{5rMEM|M*4`^(n{oZ>Jw`z_s%&lMk*bV3fE}bbh>sKbaAl@y=nH(I-DZMG*{Gn zjA-Q-gj1%!L4czT=icf6R!dlj=R@&rtdY*7j0-jjhn?O?VIrAbS1` z%1IPYPnZ``wx^MZGUK$O>4xX~X=J^b{I^WDcto~p-E~Yyek|6KjVYyJkdpa=C@rn& zG5IBER0FHHX8DnWDgsHIM$&Sv)fd(4VjczpSJz6pw$~p$W|D`ZsaA_On(3@K8=@6% zd}G=xVI1%0EN+h(Tonz;s_xo=WHq+RpPJWV+^CJmKdm7H_M91rc@(H?EEQ+fOXsYD zI5NNb=aSZ|kFt-7*U#5%H41)Kzl9VE9iti9m*S%%9XWJXTf`oBHjPXLv&a%+}yu#!I@AVi4q1gYr}MQqsi{D#+^SSY*60ul6kon|GY5w- zjb8IdcWN5tLhJLInWk1Ee(fzl3IM?o)OqVZ&5`S5kj^li18=L^1UwBrY1&CrAV94u z+kdftjHb1+e$gQ*{U1&!fCe26QGA5FLA|r5;8Y07$NWa#dC?x(RD5H4AqPKaKlOk; zT%(EP>$1+~<*)$hG=^pWh3ShwH(plpvKl{qwF!z!bA(;&{2pbYcG5v+Kmq|K!u6;01iLhyTUQB*B8a zxvh7&qNF@+jfEU%IOo@wzf9aaev#kDa4d?rD+jHK#$xpNzR!3 z+e@lX*0cJ)T2qOM;W_oG=9+EKeSC|E6|XpP|rM7BT#_>@in(^}~UhxpNa_SF8>S0clE7xK98a^>~vc;)Yb zCFhQ}r(|WAl3*+lqgqMoKi|{|=x?-%m0aky{J5cq=aJ0J^dR>hKcJS*cTyVZBt%Hh z&TH^(Ia*9Zw_P2Ld*qYi*5)ou--Ej*1t`ELM){PD1E0IYxK|M`eU%`U@UQs_9>jh` zzWds6)l0qsKQ6+vD!ZzMBLe}josByTrgzfNhs0DSKw|QlcJUPzBnyTg^=`%`(rxFE zH96EQPlD-kiLE~Vp3Xu&mp*$V1YF_<4Lma98{;+!evpw7o#($+xj(8g2J~K352{Kc z zME+4OQ;9%(-gZs7e2e1x6GXiB98+crxL1$cz)mBTs;aLEz25s_u&!mv_FL+!6Fw&U 
z%*&>f6ZTpFI3K&G=0|Fm9!REN(_TjP8O8SWWQtPi|9*5hLhTeCTAc+%lF32iwLBs< zohA(E4}nkKOn^=M9PAx`GjwapU@I-e1aCnDN+O2+FEdBUxkPA*nip@nDAr8| zj#VlsG0N9Is?B@ZW|MaqPfWq*expfpRMzgA^Hf^2bE5kG!1DrpKHfC3%9#t*@; zLjz4i3{J$%%)-GcCj8!M7!#8Y4<24_%QN_2RdNIkn8>X|CSPEt?Eym%jHtls4sye~ z(oFZPyCS6D|0nJNGqObuK%i29Ghnn1^AW`|_tLok;V1U#azN*@W8%$ZN$9PQAw~w0 z!esdeav4BudPC zI8RCxBpPFb2vGzI2GG28=zF=?#GZ-V#*p0Mk3r`N)#slZR9*>B`K^Ebae$$}z_ z+J!89C%@^IFp&Pnx;fjP;n#YLpnC1uW&|Fv53JX~x9uc%;AGFG)FXo+@i91oYYnn+ zcu2QK1iSquSo4NeR*(N{VO24a0I3jDRVhuztDm3UV<@s@F;!O3s1jJNzeX+ne0~4{ zJp@Sl8Fo(bwI%jwSLSruUY}hAHNB=J5peA?K!FPKWx9DdWtGxoq0|?Z=QO1|VPcYy zlEMcHm;qOH>7cu5_ev>KOZqZ#qC%j69Q4-u)Wdt~w7i^xG|Asqwg329MFYQ0Ak!y8 z5&l2`uO}_|5`$sZW>Cqj>!54ps)(BKx1x)J8Gv~q?m4hca;!$dBYcJYw;m)!V1T>2 zuM`@XFp)J6Qpi8Kk69ee%#EF=`Qc^Bq@blW7W{1qUp?3@F6yUKa|krlhQO*sw#A ze7SLAV#7drHPOm?&nI+$Ew;!GI2rMrp!Pm~L9y9A!iHoiX3WY+gf%7di^-XSh<}ni zP2vP%2gZC#|AcEJS+m8R=(Se)hi~)=7=oK5&*b8OUq9R-X`I{3I-AqSaLUks1%vW^ zmWgp#Q@oLjR^VWeB{hY2N>g`UBcrORCMRE=D>4kF!1=7;;Kh@%!2r>YOBqtB2 zy4aFfQXZ>=nqFcqr+uadKA&mqs>AX~02uCmiu|}5J=}Bira-t-mUd?Dy4jfn3hF6| zRv!cW9~r<*Z=ucK7g1J$#z3K%kJ~NL&h7r^tvo(rVw*)yF^UK<;G!XcM8A`H(mrF< z6g4GIEYD)O+4y)tGZe_6Ad{C%W|xuZ)*!zaNDT(L~#WlL|O=Us)?xL?*4> zlz=F1&nyry^+XnGxpkm<(sdU?rOW|n_0F5q6?COuQalZPpPz3_SxW%|YLha1E}6rd zamQK9YLnZY%_V*Te7`qJ-q-ovyO9AXjeJh29^YNumxI;Y`L#6()f7~i=Whmh?{DC` zZBE&G9v6};jgGc~J%67<|JE4c2mdU^l!mVpQj_5C1o)#naHI2;TzAuDZ0n9Ou_A-5 zyWIaeWtsP-G);E+StGG~lx@wz>Jzredu1e*e~gR$y}E|~`^LCF;?6QA!d9R5A+W{| z3ukTI;+c2on01Co$Rd0t=>^+B`K)^Nx{0I-9IlT6J?C?04XQ0|qxq8C%flNf7AB@F zLAqa$z9d7>^8+aF^%LPro$W1>crV4rIw2oYzd0veh`LHl{Xt(c|4dgr>O){1yrpU=@~bltM?(r& z$U`F*nuPtC(>guw9xx&zage2ePX37`7WsW$=17iW7R}&(-ez!tAb6?!2^a2OCl(#B zBqc<;*hkf@ArF&ZDrrq|RB&M*r(~I)#Kw1{>l!0Y@>wQMae7()Xd`7#5*&F}A(^&6 zNXPd3iud6T43%@*+=}mX9hGgqh;&%e>8$9d={GxjeB^O8D*DGkDo_}+aMCqC|4!cC z+rd$0my^?myQhM$Gr+o&=&L>l9e=MmlQi5%s zyj+8OY;0uuG_rsD3F_@7Mmy3V^``PVRrVCdFf|Gj>rqkuH^(KkrJ@bp{>u_XS)s%$ z);3M^$F(6J7-L({RcjVXKiEGZ)Hk*lR=z&&TIA^$g*>PhYZkVs?EbO2V=|Ek9jV 
zs4O*yvL7?zHTYXWaeBa!hMSJ?S0#SAhTU|S4gpVundR_#MM^WLAsh$7gzqVtU#af3 z&UB(!b6ciyi||sztz5MRyS%RfM6K{kJ49%N{Py82y!j{KI6OWSPIYj4Ybuu=Zu(~? z%7~_490-yQAIfYlwF?3Sh@UmP`d8klJ>3#i*i$soT&f4p8dx$8;wALF*{9KG_t^rXKcBpmP(P6nPl>!@fqtzmeP{+=Eo4XtF84y4Y+u;2%LoK>d<>- ztT&w)lOxyC{1q>*h%ULN5X^!ukU=$7S(p008ajDWsbWY_j$30{{y2cL1omcxbJYzm zVjOWRoffJ>Binma`W<7Rvfg+4WTnMbmS3&8p85MupL^0OZAeU1E-e#it162wD%pK+ z0bC6g)o{Us2P%wLRqo>2S$n)|X5hN#(eZekYM*=@7*jcWwXS{rd6FG>QaJAlWN2a+ zddB@cliWvgWwO!b*y>8Mrz0a^L<`mm$FrRHTV9(m01}Yfv2=SkJV?9K9*!oZu0)EsYKl-8OOn;77fHRw)DY!iW&rMr zq`5|?v7r@xn=*NT8JWD%!m_j#heMjyicSFvj=>*a0LnviWCQh!aI z3u9L!ZUo?*585utt*yCzD~cKHn3_BfZbBdvN4M~98QMqWfm^STpB=l6xXb!C$ z2am6uQh+(&Y$XEt4lq5=2_%!yjgp)U5epvxgH^JpKWkP6Mi%OS)J{$DYNi)W)q#M?j-B|jzUp)X>XHHQ9||gadJ&A zkxXbtJU?57gkPBe@w0N~E?V*5iQyA45+1xnijMWEPGHFYQ7T(-b8-F?+3ICGH zeIR$epnu{#d%?8Q`QQh)8WyFZFEc(z8r?HV&kGehXPYeTOU~;Fqc|Qy9qBtKP*AJWc?xeWN+Klp0wsK=ou6}Dl^L+6tfpX3@=MXA4ED@yH zN$X*Kbw$Vd(RQ$D@`MQ>OD(`A-&Dg7Lo#EQ#nmqJyEh|U@AAEH#_9leVs2^|*N`B! z*5(3$y=L{ z3kQ^&=ZfJ@k2Z2Z^m3nBo36Fx6zCrbV{q?_)Bqiw8P*Xz%Pm!6+2Q^{|r*o=#_k;Bt*4p3mxo zj-D6xZ%?(`adTr^%1X;FUh2^LS2$UcZ~D9NeyvW@_lssUd&aG`CjV3(*#o!SoOICc z^fGR)bVu&vM#}kQu6*lM62-&Wm?ZArJQpBa#Wv0AyI=c+@t;}%+?IQ$45onR@!7ZM zx#Jh)YU~%(D90;}{6uoU24AS=O1tkVaGg5CiFkH%_v8zmEnqJUbkVXC^Kvyjjj=+h zw_=D`=OXthY)N2O;(oyAw~sj$*o%RpB~{x$aAfU`=GpVLHpRGA@5`bl!7j=99{!|D zlI3kd=IODS%;oP2Ay-N=#&m74C%1@usy17dTdW$n$JUdx6Ms103xRsV?k3mYyh3u~ zU>Lm^d3nu=zSwc>W1fJTiH>XhqR?W4tpyTUYmx|_uke#db0})XJmUXmz-| zmL%p4evvk=0+pThS;fg5Y0)S3N;8eN?wepL*N%^D14=_Qf6l$k#@V8V5GuOq;d!s@7AgLH}LIP!UJjO zgmRQk+r2C*>0mx8<9yb$%j+eCfa__?wN%}m5V)AfHelVP0G*GAn9aF9U>&J!?#H9M zbmzPN26+WzV6w)b-x{hnf1WsyBO6K65gt_^wfpkYz&q(_H|K{E+#jUlId1>e<1`k(%r#oz>yz zNUqY0qLQV4diIeqrn*gyNj^LRJT1lT`>X6r^&|}%#lJ3lSBxIW$G5P%OP}T7g~xml zWIC~d_46VxuDu&PWFU?MJR>pXaR&1pqDl&m}(a6eOQU?Zu1_*~-n7 zzA#~3$=x{8qH8v}3LzdkrnSg;;FTZ8;Ieg=3{Z&PCJI_4FEBWDK123t2O9NSgtqG*e2iPJCb+mH`8x)tPR^8jw zHKm(`x|O8%U!1ab2~D#VUk~Iq14j^*OYa+ni6?O}UN1Gilh`jhvC>F{=_@Y?71cwg 
z=nC0CF6zy80m8CFqu|OlJ@eNDaM|PE!u8&sa!00zi+TlEU4ahgyc1vt#;DD9yRTI% zjuc`HAI>3?!19j1 z+8LQgH6J^}lnqa-Js*~V_~on1b&(%8)Bed@bpI#UCF*N{j|4Lic%kF#JlaRpzMl2Q zG`QT(Lz$#92x+x$Z>t}G5A|6m)~67O3RQY#3Kxy52t(y3RK`6V6sE0nLx>lt}x(y6QKh8au^zHZw+ zK~kIfM4!!hLxW*z$_YHX_h8rGPI#LbW2@0(@s=H~Oq+-+ z+@f?fXCY@z**J)V5{MfLM&awBEDM)4B61!w_ZuMrcS5SF_6I?`ifmWuIq86z4t5m= z3CsbX=A*0Z3aJ>>QyOe_`|TLdhXxfEN8?n&4OKJ~Z0<2N#=gOedIq|UR9vM=L_P20 zUAP2-s?Mvh-_`S$)*k1kuD4Wb9kwM-d@m59>=D|4G*Q3k(0bHAD-* zM>;+e0D8ND;*u>Ut-O05La!s4`;`BbxHFDC0YJmQ?V{ItzS)!CJ}2qz3AeKeD9{6q z{?~c28xo4xHfShD$A!yG ze?EWpFs^Ku9|6CkPK~`Pe`;O6w$a``u~GgI1XU4%x&g*(Sd|Me^$18Xv?Nd`foeWx z#UQew02cPM&NNUZtBp$BQd^jpvr`NEK{F1Ezq5CUYpke`BR~7&+%|RE)@JXPMv%v_ z77x|jxL*KC6J0m14Cm=_vj^8O!HZygq8 z)V&LYJOtYzC+TBtvIW6qhoxZg8y zxXJ$!c>8DG%z8!)>bh#E64;%Tkw5kIib+fM)qt-KVw0~l%z-j{Z3sAUem^KMZ+H`e zZln7Vk^QsvRqc?v>x}(}YG)>-#Fh;#D%Eef8Yu_?p3Ez%B_?LRD!M)MvCkXJWG;OX zi)_md^>|)MnL)A0525|y=oo8x$EoXRHM^&EALN#FPIr5AeFp|xl}@|p%z{J>PvDtG z4Vw3>8ePat$JeDg@88fziMz0ly5>{t@*JG0S$apxJ?A2Q^+Gf15w)O}z&T8;7|Zc| zb7IKEn$Mk0g-36L*pB)U0okNqDKgdYDSvqNny`3IKnTgp*W`O5QZn!QwZvS2^r@Ur z_o)46l5a>k(=1mz%?!BrQQ2XUoNy(ehM$;}H%QVlGcV?+rbnZ2(VL zRbvzH@qGKivOg7tD44YS7cN3CbEHx<)_Vo?2Bn`y47O!&ZA1-M+ZhQ6@Wp)nQIaw> z)<@z(a!`JPd%L-hWoze<>0lrfGqjZ#rc&0}U-V5-jL+fpuW1P5UsU_0??na{M`c`x+S=NF@2-hZ5=dL$ z*aB|Oy&Qk+FETj=3;EUQ*6e;GhL8UrAysAHtNqnV)5ejh!R4Ybepj^nSqeu2d2L89>x2jC>dX$`@Ahcj zf@4E!K$-ZrAL2YBpH2L{f2RXngKcm2jS*5Uz{b|4UqrJNE)w+%znNcJt>R$U8Komy zhJ^kO9xaqRRN7{g7!Y;y8`b*Fo(p9$&~XQ!{40v9N~)a<(@^mS z>ZL^({6V{!LJZX8G*@e{(n7uhJ{fWvR()7+^gHwvjR=o)F@Z$Lc6Uvz@79#0mN0Zxq>kZZ4L7QlQaY@v3){{H*DeD6{g3 z8yEX-vdzU{cibBy#{Nm3r*1mqkEGhU$*&SL3r|@yjm2?YfsgnVo3pGXYv8QdL*nN* zD{Wlmx`^*W19r9DgUJGo?UB{Vx^ud7qaWjeB~ASM%8Mfx;p%o&`|uuHIOH#ou<3gQ z^ptv!xxC1pHCBi0i_^fCU*vp!ZgvXCV2%}3J9%LI*r)+`i}BbZPRnNB@6y_^RFLCV z@H@2-cA+^3WwCmgvVV9L{!W=_TK&G&XfUbpgh6Ke0M{x%-&WzC>qR#X4oxu+Y^L+C zc1m?xi0w){LzX+r14f^8?bUqMN>fm@MNndEQt*5>#i?19>|E-xNS@a5(`X5O{652E 
zRz*uIz7UU0#Gf(+zXuPS?)r)OAHV%D4fj>#*qvDXd)y@Eq}m3@F$$+Mf^h{i;s-27kBkHoA}+E*w$3hux3evY>KiBXkrF064T@ss{%X!ONnupVFO@kCb8Q)rhlW$-Gh978?5}$9z!O?aVJhUy? z=Or3A6RxVHHk8&Fnr-Urci85AdmXzb&>zbfL`YS|l(Zn>xf2i-S?E*4U(b4JO1*(_ zyP~F&atYP0IpJDSt5{jd%IcR>{zV>OVC0$aWcmje5p?V)d2=54t_-F-@+nQ}pJ4C) z5zRl7hfVy#wJprkpS?kn%z{IJo9`nTRI_v48Gb6jyU4!)o?(yY?#y6~+j`?IF5`bR zOYnRxsaux$%}xWjGG*?B*Y$)SyHyNyLuq88 ze(ChE%YsXcnUB%4(|ClAmbXu2QODy5)e`=5O(=OAhiaGzJ!dd!a{4%SP3D-G-Re2m zIm;p4o^@v^nZ?VT%xSn-dMIA#DCKp)^za+@_24b$*%Shlg3C%{v&E_dQczXpmbmI) z!;O{s;yXenQD^w$SqP)s(+}LAp*oUiog5)sX5F6dp~l?B>(eX0KzZAE`eH@DZ8@}E zvF_pNJKNp)(nzwCNc{Jn#X0-td?LJF2CupObh}W#iGT6gPjeW|%~RtIXqfG3Ev%gl zalgOP<>?WoqB%;dP8~WdjC<10`z2KQ=i zOG<-`{@++cRm4;8PoMPWp9m|PX~-$cNNaSz%4nnK5fvR^WdDG3d628jp*)PupJBz{ zg^3lg4BfPPFpU_V*sI+xV4+?S*&APPvtgEcq(Z0!QH#Bzc%HIGiX`YAdQZ6h5Z-G} zLAd?xnBaqgwUG6Y$-fDuKfJ*bodNo{i~CGG3=^Y5k2K4`@;+TKe0GrWRwB(cWc}aTEDt~ zv?F&zXAPUX?qjE5J?|M6zlNc>(FY0Vz1A$-;@nb20VErt{>0BWCzUB|&~PIFfk01A zwd0>U>}zs!qUGI-6!-lO8=2H0KR07}gW_MEwCFdg|4jKh+XIyGUW7S(U}UKS$CJdn zub0c|w%LD?Q1Jfw>a#}52igy{UdIi#mh6fH&4D#IrxC5$2~6_*yBOaB!D|OsZ%(`~ zHnw#6G!(YDjn{nA)dIQ~I4;<8{TT^|jy6a$)G)NyBRmH=7JgD>_x?$ZD<8)?8d5H0 z&rYjt@U1%_C+@laM2T8u-!=VtGwP;VxWV9gIG^Pyb)8u1lHvAaPPQB`n1|UNew9W# zo{fDf(=0GDwNcj^a1$E(0t_eNSU4LyTDGG#W}4Eqk1eLG zl}bl`n|vD$@1^?k1HFPk{|?#F^SK)da<9Nb{LA-y zKWV->3Bm~=)I9JG!}I8JRI#{zY%tq3X6}+3d?7Y<@FI4QIcN7iNQye^#pGMBjhwAS z_k;r6U{%TcPeudpaIp$!V-$rJV@?gvQyG)^Y6fpuP4EB4o6_@s5&XD3O78i~QYhV| z1A5W;CiAhu`umksd9vb>z|X`)D!?JRgdh7hYwkK_@Aeh_&T)!*bj7|=b@}`fs5GC- za=*AfN<9A6+pXSdXTNlDXHxDyq0SZQcW_PN$A}a!w{Z4T2*g4ANN3JY5)3YVy-Hah z@S&$eyfA2w(Worspv<&2K)6y(?Uc6JR9#_%F6PjGg)rFGX2$+3DSl)w^l`Ao&odf} z$yXp_|ML5-yQ@owx{SizkDM1whn>=Lj0%ybD{Us(jHb#jQy7$T^ z8OOI7bRvnxrbG5b>Z<>>OzB6zc|h5&DeI06b519760K6KhK53#;6&vo(BXN-uCGzr zyK^(1Q(-AIE+LWK&Ooiy`qP*Zr+l9?)2#G~1u?w{UBV99f!~ZJ)7Y^X--EvvwYRWN zxV5*?fWMYtdZSJVjnypnUKHufCOHinePtVdB)sPNXVNv&VtKazCEX}3EnE(XvJ(7T zi4+KIzK=ToKt%*6W*N%&$X_#c#=BTXA1tBMY+r7BUL7oyW?v<@?3Vq4 
z(;tnD;4<+BeP%Rj#0>d)OE*p;e0DZn?(kAk|JLj85(PIii%1uvC412l11H%l-Y<3$ zLPUi6-{-csMIaFCc=!4C0H;QwkZ;d!amT4J+~=hp2_V`5i`{|0uXL6_t=_j)JOc>7 z;`!1_JzXouDc91ls-WGx)Tj80hg_W_26qCIKkQk$S^n(mURTxDns%WrvGy0rXPl;k zoEQ)R@W;Xx_$|GC#M}D>10hH4^R+}q zX#W>Hj4(nPK#M1Tq4KKU4|lfFuGrAw?G|wxp~uKUd-jc&RU#RC?$h25ly)m|#@?hy zK1g1@8kw@NaK7rM>T)s+6LOyONt`^bc&$XBSqU9dNI&*}`|?&TJFNE)zSa00|3z}ZN03H!m{KhJ;{$Hh6Wo=3{g0oX)XV?+0N09DL>e}!4WHdD z4h$buW-w8zJ>&Z>I34fN-VQ5!b4EMVVs%pCax_#g0Ls~fQPC72{MK9=3*&d-3r0G5wVA?e7OjFeB-1PIA3Jy9wsK7g*=ipZA73c~+bu@*9K@cXM zsu}D9M+?4(^;?T5&{3M?mZQ@-;nnA)w1>3e4m**g4oWIa)h`$TS4h-HS^vpbA%f1gpSRY}m;K-Ll(!(h_l zciV=l&-}KQP=Myqm6^#7!@!5`p4hV<4tFWj>{sXAZ?lr`)0YL0TKX3P2xluSQaQG^-x{Z0)U*Zl1xMYW`1@}TP)J#GT-f^t$2iJ~$!(ru^Pv1HAm{HqLdtKi@xIxo7=M=M41K+pP}uuG zy)^+=Je%Wwa12iB0c)_oc|-Z8*G*N{RN(!M9K2ZRn-6O}}RWz{@=a~emxKeg%mSf5-{pP$zAvI~vUTA+V9c?eXNH~3Zn1DE+^{5xdz^PpV z2O-QkX3&MA2HW#52ckz>wVELN^7q@_j_%eai#5aA0vkObp_kqEyCp(rUTF@*%OG=A ziOQN$a?RdClC~^r@}*@k^gx{Hi**@yqOaRw7Cl4^y{?EdmAlFF9M!HqEx2+V+i#cm(Gh2D;NR^)QufW!r1(8;8sZUq@3o} zM{Ki10^ZN>dK`c|Wor~N%)wg%0}pRh!oG5_2Mv=#Ggo544tC zh)lnYp?SA(+$d$2fgeI12m_r|dQ=o~BFmcp^|KW=^=K}7H6@5ODFUcREt7V6Qn{*TS;g`_nV z@xr|%975oJmf`2I0?bJJcm51=1aqT(Ij9Pm*#JOjX)l_5j?jikkfz?^WPua zXqZlMQ~7%QMG+^PQe^kzh{i!QkC7>oGYNlwr-kSi1!vg1)rsC6Zbp6 zc`APW%m3+YmwI7izutPw?^#_<)Slga5Y#fs3DoU7Kkef$%6>*LUwhW?Vv&2TSL2?N z(~Pi21thwx=rQn6^o)KAXKJfM$x=ryDA&Bf3rNRMG25*p)wddfpJ|Axx+U{O}t?uz%9L32}3^WJN&8Z>5;ECwY1@BEEP5 zAF&&dU#2bc{!K!0T{mq7;PTtQSwyJLQGbShha_-DHTB`Sr&kWmuE<1Hk;`8yIK2@$ z-<}+Td^;aQpIA3>R4T&mE)%LE`(-!s;t}5=h-1Z#)mYBtBCq=Rlih+>LKip)LGHc`qFI)O25pl@=vn1qSK3vATWg<+Iil$Z%0TSH01$$)_m3`3l^L1)h&hMex<1N+7YLDZlQ zYzf2CgSqwPCL?koAu*g3D(HjhWNyfUu-90pkk$IrBB$vtrWo_*{##%)gp3}RDX|4a zTj4wCV@i^@Ay9`6AonYW+C+xyAKX&QWwch;k?EE=U#ErNcVnppfKF8J?&|FG*7lp1 zY0&+&Lldx@t$_23U`ko{Rf^(X6G4`9!xaC=%rP@j5fVhPO6!ys{qMjA-G9!TSjISu0mkU3;D%&Mn>;d-BahooP`F zY!Y%*e#9hj^FoQEr&V;Dyw0)R9LY!?#t4n9e{UGbqIWayx916|3wV7S4zgA<9&avi z>J=8l)eCV@?2H6~+j6!ZUh&1VAlBocT7o9eyJ#WtE~~_@BODk~iGA=XvDD3)lYOVe 
zfV1_^p~1tE_`z|+T>lTma9Y9GK+9~OO%PelJc1jtF*rhqZrL-qISZ$(o%!}K;U8-W z+2VAfXl{XeyXX?KtW?PD|FixTt9Lf(a`>7BtJ3M3Tt{NUT0+zwON?LWjG&(jekyJ} zUjQWrLspd0z8$P-`&VYUNfKdXzbUZx3B%it%96;N8!1~Zgxr2O-prG3?plmOw`LYC z9#{drD(an2;WscT>q@%rJH5MXs>ENd2sN)B%GjmbwAy5X2G4WuhaHM$4wiWE_K@ST zrw)b;MQ@Vq!&s?b#ZC)fFw&mvD#j8qRQtdee8wam7}}io*Z_H1Z|!{2vuUpx9&}3{ zq0;u$(&<1!a9L4Q_!J-c@Bzr_mh5u5a)E;tHG_8xLD3-gSx~O}*AiEYd#H;jDW8&v zR=h)}xt;mq@7@syFAs6t`*0-vnup9DdI*~rtzjrYrGlH--qI+64m`m@)^1Xw-q3(0_=b0R5O4+?D_bLXrRsc+ zH_nO)AEk7Ycih23NpqizfBjHW;%ur7ZO%)5h5Vr{RkrId9pG5`5kLT2`yl>IMKH1K z-RiG_-PcgjwQ%sD^Qypx(ax1S`mq;3Nrbd*DN`slBcmdlh(a05Gj&4~k6vhT`I0sM>C~ zPF>@#v^H^`hZlH1)KK+6-5BT4D6pKbF}GFye&rv2uYM zZzCV6A&$r*f?19`q>0a?`RY4V*+K1BkSH1-mn9llzKbB&is7rJ}8qfQqiX=R2GP2LFfA94sX;XvR-doGc_$NUKVpf;m%(fMa zqKGpru-9atG9+8qddv=rZYgDalltbmNi|G&v85;iy145GbWvHST3b~)mTM@%8Y(E$ z`AQ>9sxPH;?|a9kvMaa0oZ>Zd6&Bp=nKTa>7-lpi;n=#!17i_*Tox98G4 z&^+TaYuY$awuh0%C2OC}ijgq;Nk#v5|GKHTtt4h=wB9GsG=aaF_c7qv(Q9O-9#^4r z68>{aLF*g4eVJ;ZOgk?$*?b`ea#xh2D-epz>z~!&@3m#nwfRIZ^y>e6^#&>&lq95iOZxL+^~-J8Q$aK$}Qe z(peTm55D#3UX_1{`-UX{b&79ObBhXA!OzJ))Xs1Wn-5A%jit)=T`iJLXnv6ACyK)8 zqLFyUa`26@9A?gfp~$#|dLZ3 z6*7KX8PgMw?jlyk`R|P(NvL< zt9jq3rN%jjHzq?42&&32mGh|@qN2TODgugE&d+xU6VYk-1kMZn!aIpn7QJF!oRKfk z)5x12qEkVHKvlJL8HjDtau3~Snlj>$jWV7@H`u^W-dF8AEuOQIpTCou7>3X4cgczL{{f-rit&lQ0KUj z1D^0*OG%8PCb<-2%eT?w_B?~P&bR{R;eou_oQ;u+*jt$yw3cRs9m~Vr*~u` zZrwu`jj;JK+-qxpE;y>1IEfdN*MhfC?_Ykq>7?DuAONV6(*+U*LdAZ3L-`as>pFVY zNm_!4^OC5K-CS`$;rw#R?WWJGSbHS6wbz$tyn=z5dW_r|vrZ`&Bb)aQN6_?_@}RD2 zYSAa#GeQ9&k*mk?+;c50Zs`N8f6rcu(BZW>FSf`CjhzX)6-$~&BDHjk4^cCTdNL5# zn966B2Z%FYCyE7dH&s?b^Y%N6^=tMaFpYLmYU}8=r@F1K z%?CTiH5(;OXMRhudLFj{jvq*!eJY<_9Y77>rnjpBT~14~wG&i+PDw54Yuz-6er$Py znVP_@>m{)=(+Q#sJhPnx7hh(fcYm~uP&;B8ES1y?)2e^1Oo;tYp7U%1_P>V~?s<_X z@jGFrUk4)XXQt$(5;4ppog=6`{({U>g?z@LzfQZqthgi??RRHZQtmQ8(j!UEiz{h( zeFln*4}GaRYl){=lE+Z4C@%qDYq&kZX8R@1Wg&aUD$dFIx2X3c*6 zo>wRacC0j))wh_!tt)CZLxvBzQ8X!IxL>cNO8pY*-|A0KM%W!iQ#nLuxWmsbVs__X 
zhU*~3^Ri>>g^H_bB9?3iIc|6GI>tW4j$!)6V;;0QpQbe1dUbmpd_N$>-^Fo2Y`?RO z+&|;BLN|;c)rBrK@UbrWO0UX2!+qfx$Xd27DxT@|fr8Y@sG&Kx4m{?_V?~Ff*vr!u z3s;5Xugl&W6u&O`k^B!I`RARg$$6d;%xkGOwp}U@dDim}QK+n(9o7$Fr%P@H74U?8 zf_Rhis?QKc(1}|Jr`-h0T}x_0pAb7&m|PriSLhv3^k=?g!QLVXI@`@lXr3GdtkI-` zC7-q~KS2>E^{&U+;`6KobIiz3TI)1K`)4qCAb3xc7Su(M&{t>VxarbR-cybxTMQt? zW{@cl2XU=$Aa9B)+9GjQ5qW*ZP=k5yWZ$y()a0#i>BRwChIeOX*SFFHLrMD#AL%IP ze6m3b{_;R3iqEaRt-Thx=}w1SGp!-DGe1(>l4|HJj8&MCa)=4krMzd{@C+UpumoQT zZx5FSRbJc#Egg#q4k4@+ezt1Dc^|yRDOLO>*DNmEXKFs*<92gjv?9Ta#iLECLp2{? zJd~~suPs*=`Uk{|Oe7tX&k=pics01hZN)OgZ=Dp6Wm4=ekw>}qc@`Jr5)WK-4>Guz z@mViRMe7MA-YSy}V+4T{?9 z`?(Z4yUG37>I>#2+cWN_yVQ~Rgj5>^yAhH!1mUKI?T~A>H;%n%LNklw_$3e5!0U%>wJ0*Ma8p!|~zq{0igg9naiZ z>D669nwih^m7(np9fmLm?>D7tpx!$JzzG0hLewtPD^Du2lr*fV!y1T5NeZj5U^L5 z7i7Be+6{4Bl$G&tB{efR`cJC9Tl)47ia%RNH?3t+8G1HkkawKAa8Kx&VnlL;Q)HO9 zVsX5RK#!u|-A_l|F_?4>fR@3hO#}<1JeiPD_T?v%Ju+xMvYM23huXOqN4HeMB;}nT ztC`B@1m}6*`;Mo!aomr;LTblqlSGpQ6e89OtK@ptGDgOF-_UzYki1Up=%d9hWm(~8Y)#mW>kL$}>5(YHV! z+AOS8m{qa?>+XDcz((~!W9cU>XEs8yz0Wxng#gow@hALANTJx4%x9vp^;3ty8sXPp zFp2y>)BdkvA+SY7EQ#NJ1=PCl*d{s`^L$_A83ni0@Nj>mupq^s=Zw!nKG6SnC`))9 z+?g#t8bB_VG?`(Qv_I)n!z1SETr)7M?;9ijIuXyG0f$sJ=wM0vnL)_3bPX|$^pb*j z?Ef?4XVWWs=hN&1e4$2HJLq?N>r`2o)#d=OHrBDU;APEg;K(15qy1B(`S|R&tIjKgxG3VHY*U5?S&9;%!R6PL5TnNV*b0P0lJn}MMqGL(Do*! 
z%1lm5ktJZNKUJx4K0kVWFEA_mK!YNwUHSI9K6O<9K9Ussd>;#w8hE?9{W_28Si1CF zWNJvzC8xLctZCNKr7iE0ueKxnf12Sx)=2rV{D4vw2vb1Xlq+pJtYcr{gU$1b44^rmNeDd89CO-MGGPFH~P^sB8?*(C4oBL#^(RQAeUJZ+T7Uyt?&%}sDSj;yK}x@shrOT@vwN77(5fbA0cD@xC}HnEkvC#4U)ZUCwdiUqvXH+filN$8a1jU+XEH`V)Rf$_zq`vN%x}Pv2SIzC@DEP zDXA82Cy28eX>_S2j)!-*JKBq^{8Xm{IiSz`pFH)|l#_F~JdMudo>4yv$TE)-b8sI| zRlX!W^S7b_l>02K*kdcL=0qALs;sU|iT@xvzA|-jABBp~Kg2i6Mgg|MM{I%!Z+y$E zs@5y4hvVNQ{lD8w?o|tuzHy{e@tWx(>H;OlLStNWRLMPaHDkW|>?Ltn<#Ya?V!TKSVZOZ?XliMk;Buj|EQZ)LaAU7Xz;(%$ zHC_5|aiGSSrBq+9MF_{1_bVuYnKV~2XUIWFmb|w@z9v=HXUv(rhET~JAeRa=zi7Xv z?d=4GQ~rk{X_4eha^jSy`hsgdmYvDg9CG+6WBtx1yhpBBKS_%eJUiTps;|RYo)Odj zB~>3H;kMIJYU((l=bmxf&64xDAWd~T9lz5ilLwIxNFR`kJa3s0v>KUG{5(;N& z5=vhGLCEu>2x4@+o9S!9>CuJ{BXIplBs-7G;*v zr31je-G8rC~)Qy`uU{I)lynT%WNx!WV^_u z%Iq~-gRDLQdLVh#E2pnmpXI3;a(=Z~NgHHVZ`GX7<7Q~e64b&$I_wte2jvp|4QFukbcXzpdF7V>sPjm z$n+ps)2p!_rR7-HpPMna<75|0qyd*&%}2u%X8cg+AO8tw(Nk6RZF#w`q8?<6{~ky<9$J`kzL@%{78gd1 zC6~q?s3nKid!bjTwGkHB!|iUCGw@L-fkCe6*E>tiLa5RAI8KMyaCMz%qxDhizBsrX zHR201W=?5d4_^8;CsS6cMJ(H?Jju=i-zr=4b8@xZxu5!0(L|hTDT*|~@nGof1T?=q zE>f3Oqc(W*Gk9E4KQ4G`zK8aWaUYwOtvfTi;Ou4myK(Ax?wnt#x5OLyG8c;Kby-h%a94aPOa|?)N*@SO|#Sm4T0}%14h;KftXqdwRC_P7H;P3#nE@O zw0JK_W8VDJQivCt0z|XljKF)MMx!-O!{XlSS;VUss*Qe%$$U{$OvB%u%a+ASc8mTGi%y=h-O559G5k{P1?5n5w^qVzHi?#&M4n+jn0*g2_Kl z+;nk+oqT4MmG9U?pk@Ra|CfyMX=Cq&suA2ocITlQP8E~G-V}Oe8Mc^^ z=bi?u=+j917yA~1R!EXm-T_nZTzoQut*#y+1C7uA!2VvwXg9$>!EWTQqz6o<@H6__ zvWD{}cEH~81u#G|HOHs%4CU2Lk%~ZIG`Ui$vayHn&V9Bn-`vkQ0=m>olGgN{E*-oi z4wtfM5;qa=t^}yI;X@nWkw1Rv^@o?X!Je7MLKG4o^zu!5i}%k zZ4WACBE5Fm&-F`J8`v_~zvVBiZYaEp8WkKM#|GOPpG-Zfdz5+$X%JBNeM#>dcVB%` z?H5np5Q>0k8U0hF=6ep*ZxVE%jM}bF6;pwab_D(0rBiL%8|lD+ENE{7lkbufs!l_Q z<0h+B-EuecpjZ&8VjYOdgRJFV!?G4g5cFm9>%%J=z6s-1%y<$ALSloyCRsp8JBw zwgPbiWoJFX#?{Sk&E?r2UaoUwYu@cRX-+S(vfq6}hj=7RHK89Y&KTtPv+rUjdalzU z7*e^hqG7;j0G#C8^)fOs%H>vc?LZheY?8C&td|JjjC$1zV5G~_@BCmx_I{gLglSzTT_a&#}s;?kYr2;y2 zJPhSW>x#X_aa8Xrp-LVdfjC90?um@Rz=0X3UoV|3Wo;b{WR`Y;n<|^r*tlt38rf&x 
zzNgeiv^rw(#`|OZ(bguM<{*#--bp(ic*inNmwx~|e5-2Ar`RFCiG6PW<4KeiI;mWz znzi$cgyGYxJIgH@$J9P7H-Y=knuJt<6>W6hRXZL1IK6y7eq zUQmbL{Wb*@b@8smvAXskx|Zm*pbK4?Pm}QooyGr%&>yd)>FVdE!bBDWBoqSMci4m; z7Sn$nef0s_@J>7{kt8dxWPl$>%J#XbVT3=~&TVZ$1G6$^Mt$sz&|86bK@|=qluAQp zA+)rK(jl*%PGkb6w%m&Mf1XhDNT<*zE@Oh_Nk_i!CQ;S#^}q1Yv3_#eaE&ITA;}Rv;F1{R;n(t|9vZ8IrO0 z$8Q^R<8{K_?Ta*8$qCZ&Q*lkHdXV0#hI|g{R3->Es6lyKSMx{imD7L@l0;Q%>7}p~ z&{#Qvazbru!t(Y8NNvd|w-ImbTf!tCI(AMpizFv-Z)yp?9AQL8MKhc_lm(*aaf1eH zxw9Ob_Y@c=Gkh6ZV4#HkxpOqfSVAa&^lS&Pk+pjm@1q0L;emtA`iBA-^n7@OqY5sN zBitVK=Hyq$N<%ygxcc!3zR>amf~k(qLQUL91I0>2ro_e%bf~K&5!W4K33LtDaVE%U z!wnY_O057A!|L;SD4|VMPoE%`x_qgJq8$N9%o24MpCm> zZo<~s8ed2FofLv>qqbv4hG09=mR%=BsimtLK3VWWBR1hkh#^>6C(RJ$nmKV#ul$Nr zT}{QMS_Tj!|4`?nrLA+q+MKTBr5V&0QPh|_RY5}2aB10=b$fgFuSlsE#_GUs@xI{; z9`gMoLyr~N4Gs?gmx-E>Mz~4;B&F^&49*LAeOVk!J`lAuI}%8=^Q2JlAB9-Ut|{^L z{Bai>jzOy0LnUL*TF^7bhL73#Os7ps2@c95$uyGmuL&kVeQi4HbEdd8a=QMcc;p5S{#+Q#?Ges^=IgtmR|ut1sT<;bhRK4pJdGzC@ejNVZ_Z_w^3R2^x{e|*5DcJXrmCFgSTkzu@I7cip5Rkx;7m5dnF zX@b%vm)>7~Ofc-UTXYc^VN$iMD+Hg63sf5cfcgjdusEjiJ7Ai$%ZY67p%bTprQJh= z1h7{UWSGnsQ&hK}A3nNv9k;YanpV_TcpwNnwFSo)*Z`BjlHM^3+zdAtT7Z~>3SdLz z)lK}N2?}^_Ic~Emh&a9FlP>}Rjg8>BS2uR`g|H!w1lWyT!>X-fhEq|6-2>b{r=DOU z%kOkNJ-L?KV294QFNDjxu+l{3CT`|EUT?k)@Fuxb4Xh znkmn5NF;f?I=dltm)XR9;?aI%6ulZtOtsJgA6s&uVbic?Uf;OQ$qpO%(UJE6CxpF) z$oDk*CRQfD`&#n=Bfm>y77|{<`oi)|9)pX!)golc6!nR`v6NA*jLQVCN~uNo8Uw;4 z!wXnq8MQ_l)#n^LQ8c(s21#MA%|JJzr zqo^U1hHKp6C9i8|2_U{;E)On)_@~vQxgaAOU7$VX$|&9^OJfU%-{rG{v+&i_FXXAG zE^f()UL@>t=X5-hUu1@oH11`Xew)`#pHto7Fp;&V3CAt+ ze;anb81h~x0XGD+GrnBnu=m=rRUR&~YyJK8G{sNNhGoK9n0o%)a(ss0n+^^t1BVvpkF%SgxV`k>saB^c)NZCBG3|Y^!F^ z?D40r#>~6k^(6wVzT9CGW?YhK7^hcuVDlb9{V9C+LcK?e!j{#xXgxo0)M)WfDZohD zqrk+lClnfYIey9{e$9|`=T)P~ZD%}T(D$0%OAb6r@dyw_xvGx=u%^i?oqQUonD-HHxVv4OO9MlFi zk-g)kxq&5}52(zw$;wFNa}iHLFibTIhd@XIH|J(CN0hlKfRhl4)3-_Ghy z&?3p!oS4-pF$HD+4{=-oCMk<(ZFWVaJK#bNqvr( zXTOAgoyzwhR$E+4xUC^u=pAoxAXjpSBa2nyRmMtlo zBdQKojgbyj|CALMI~G(DbkCXs1HM}z$dN>@LnxK9Ms%zMN$3@lDc8942Du+ap|=h# 
zM!iI%sIL}vgVxY*0Yh%Ev1J^>mtY2t75ObEzGOqWskIA2fPeNe9bDoby}{Y zWmL0*Rl%6J5Om3@a!aWBU3w9j!lntFU zwmgB2O!>&u_}|>$TeZe|4Y)f%M+sl?9eOwMNzzCS7Q#py3zoQjpnu+-2hVW3&h`mR zf8re22gQ=+{C($t^_MM6s5<-iFsJ$F*P1P`kD8OWLuML(LN))=#Z$}9Ws^0#+3LcS z-U$8^V<@qt26NxaZ%&f;F}DrEfQaPQYX>T+?dLq$FeeKSq1OB^^Uh_;>#%16bS2lk6eu`E&ZOXw z-SF|*_@Wo}3OQJZAw+J5A_@~{!SkaI>$Db-dnUhoaoA12&3j!;3b=RSg! z3>qEDHvH4H*<8fiI9lf_GR>cjoT!eZX>~s|6^NbBBu3L zwwgZ$@ccoFFpzG>(D02?sRhM)ueox`NRy*=Va|(N=5{VB7yNoRnwLf0w|B>(n-d25 z8+%o&&(+9RF;C%kjU9XDC$5NWyzcio`|pVgyvmsbFU=-7e+lpZIN=;AhG)ll zw!Dvcoq5?NJ#d1PZxd}jd$#lv7{Rs_=R7Fskmb$^=N6yU{5Z`s#Ye)Tco*uX1zwQd zZe+!~NVzOH=$NR@1mne%D)VWoxLXiCCUCi;(q|e-a#GmMUfp%(1uE00Q)4TPS?^vl zzxWijBfotw7M&@?%2j`%1)Q1^Lo9imb{L#ptO0!)&6_J$X>8pPk|*@46*3eF+NfK< ze^;>80JvJpW0I*z?M+cF-(-loD>TsY`n^8kkne2=UVTxR$0e6;5$2>gb$KLbvJ1^t z>Mzzuf%12Nh9n`m?hzTQprm7U75Cn+`W3d4CtiOXOG(P=*^&@@U^t0)vF6s&YUOEjcJDyL&@T<*uXqWCC!^igz;A1ca}~Ehwcd zCve1TLKWf-4P{C`bdc|6nc|7TVWS#BY6-$nl&FEYUWu73m{3+DtOD<^6ovQm%bvMYy9ZqFGf?tbDRoa?EbFB&^*6(N-5Z zR|+I&S?r)Tt8-=0>}hpll^D`9T@t#te|L}I0eTXVYq)6^*)t>5wBewI0v;CzOO_e<1plGOUKE0p#^yNBu;hk+l1A5wV3Q*)rQO@{XMl&@6W9Tk0C8dpxc#>6wn ziXOk|zu(5Oh{F-RpU*Ys-~58BZa*cUI1^ScGYVQr<=t?Q{br>;uiQoKHa;7phXn55 z4pQT&d9-VEbkMB~p>_@Vyt@+dMGCw%oHbta<_WK0UM~-Sb}-~Hrx^mpiMkR<{Mfa2 z#Ue?|JpU*S_v(d4HRF zATlJ1Y3jT=6ffqeRDcvybHx9WG|qgN`fx;vVnui%29^lr-1#e$h` zA7DfDojQ#=m3rx%A$_s+_STnD>o==1*lmO@pKr~JRmnc8t2bxc>f#nV%=@_YL?BAn z>7K&vd*WXSNtZ-XY1riO;;j$o26)`FGcO+^+oe`bpZ1Pe1B>3Y2gm+dYw*qGU6ET**j$qx`>*Lj zl%x1cV^q_NXTOrGTSNqDV@Mf{VzoQ2abIoho^({i?bzmoP9HJ%bDKMc<}YNii--*l zMX=F49^sPy;ce6NaX!WKs^+l<1766!0-G029>?h{KEh*dmmTrdbFRjkv;I8Wr)&yKHnW*Iki7^g*Am5}p3tCHK zAw(NP*Nd|3G~Y#J&7783li7K7U@!`jBoUSr9dgIkPU61KGR|MqG-9 zO3w`nN(?dcBJzu@EDig%&#Aw0{m+t5&BQh$4EyO~9}f0b0H`%;JN$qYdP8$~k@cVV zg(K|w6WYUhwf=68_@|W7rlms#X3n%48=PS=mjw!(q*W$Trq;Qg_5KaZ}koL8dc$5_#}G#dfdsDoLx7ijt;hlHrxnU=zyf4IqWl?@4}dbh$(g+kK>?yIU}m&c0#- zGVwngdrBo(tv{46t=sN|?A@A^a=-{5?)UC;%#8 zAcFvRYo1ZL?!n~ta2l??l(+VSSN3aqVB`X?3@2z7E;aCk`jW`s*1K7sQWe)%4Mi2? 
z;yi}-JZqg6e@|t(6sDry8-0l)q-i^J2!@%(n7VBDPeFN0kLh*#y-PiF5ihqd!3e%q zD=9nVaCDZsr#dTrkIha5#IsUjQ}j4?RD$7B0pF7L#($?veGpKag?Zxv!!oWiR=JBc zCvx@Ap2h(C2t@K+FCT4{gkyV@+HZ~gdSxKR{ngJ^l~Mt&;SXEvMEI=?H&z~RcX%Qo z`94LZkey20XZdfS#NS4M* z`9R4Nr#TA`v8282IkZ=5n!>E#eCr&+rxBsL9*}&)^aPG{+ z^_FbU+XIEcAsG`t$}L_<9~b0T2;7j%;_8!BiS3@0<~bOCr*}IF5S<>F5EUk_j}^`? zBhDd;g^gfdgq=T~LkR9a0)uTH&yF4WJIKz!UD`)+FajnjF zZt9u{3pos{gU`Q|7|z_hFrh@_sBl9$Nr4Fks50R?irKNtt3vHl&(qarTV=9^16Q+w z-*=$RD>i`hx>MShbyBdk+=1Z|P1~+gCraj93aWS>UYwgz>R(nE4Y?~XnBH-+u8Y*> zN#EZ#NVe*RZ-w^l&Jn&o8S3hbKYfsm677p(5dGf5*;0~uhw0!b=PN~;B3e|^E6~z( zXt&Lk0h!;ejuXur%gL3%Z?jiHHH{Nl@XHlbFB0U>yG}*&dR!UavML~Z5r72dGjnyi0}8M$jUC40C}=jF=>6# z`#4KSSFj+&(}1KdsA_iZ0Qz%Cgk*WpZaqq#=^8vpK3);MI*(_~7hS%PlW8Fgc)iLe zRM~Gwa?khem=?fA#mgiYZ*gXD_}6b3<_;R0Jv|rTiX4$VfN^shxWxQaTTD)hp{$M= zK}9#!XzbY>IgCn8ke_@K-!Tcl^+*{{cJMUdQB|+Sz|v_2Lf*XaZymkrCOUDa6FJgT zTWLJlw!R(Tl0r|28)TFSKoqzIe+Bl`6j`i9%#HWz&TvuBn7zmo*7(O7I92pdGr zeFJM3EOpBmhH2?KeagAFWg2~dp&f0u8Mh0S=Po^cIKS&k76~)1h7XbE3kU_1=h1yDDSr5grOdo5n>JfMa&GY#U^uLwi6rdV$+bK-PKrfyaV8_2;wP8 z5PmTfQg&f*(Z=bR21m4eNJlC1P|=(@8pgbI{rW&CzBkuJ!JD%uDT}3z0x`lP&FV+M z3EiUM2rOc&ZR$n#J5-l>o*|d1k|}B|`+4gasBzpN?mr&PRwN%cN_P&y5O;-0o@~oV zMD?rKN9nAens>#e#?2yAo}YAy(=3U%Wr&1Hm`W$W>L2o?Tb!580Ms8t`UJ^xq}^g} zy&lw4dzDe~!LQ9v>AHQDu*`0~68d$`Cf`txH^6C919-9p>w$@pnro)=)zKCORnFLf zJ%oXzY7Fj@O8L7gC3--AngR%ZMkgCnz2q@tWNa-zwj~WeLun{-oezr;e@N1Bdvq)p zoFF%aH&hxwY!^TFa9q87w63sGXd>y87kYh09$>|q0zPztb(ZDs!a8oOPcMJ770r9? 
z?mR;_Yd1zQxQ*+2k~`#Vf19yKy2((B9A*d!NPKA$?jWi#V4gR4!^>zkP>r@zsAgCe z=&SA)lg|nR4YaX7-vgDP7UURT6d&N(RBuQA?Jc9&dU*_f7H~ zXUo(s!w~RL03=mFEb;aq9gJ6UW3jTL9T*!~Km!5dpu^m87{*>v68LmL4N^{OWZ^uM zTdq{C1{3}9JRoumqMQ9yXy`#B^9;zcb5vb;Q8c0 zQK;oW!(;AitgZ?`$d&Ps&Tn1X7+#X&lksUq-~REbQ=_~q zZ`fD}6wHfzpW5=p`%VCP?m&0sHy{{SOL7PJZB)xBvf}^oB~F}Oi*3L_doNiP0E6Vj zq2ftKEjPqrca+bN=)aUvf_j~mxv6r4H zOOyWlYkTKZGHx>Y>wx=Na`?8*KQ4aExb{TNhem%c9HknsUg#XIB42R;F;t9e2}cGV zBsnvX1xW*WIwp}bn~ImitNE1F_XBgb4ktMi&8-F}^9E7!Rqwh^08@7#OlTZ*`k^4= z2FzFp^aeO8OV-b1RYvaynWvdC;{YU<3+c~MqOlyLOVjFY!#g?5NEA7}t&AhRCKh?p8zNY01G+k{=hHR>W8_)s%C3r(K zI10Yi`Yw|}9~g<2DXS_KFX+Rv7zym51L75&N)R*kXMjAZ7?QC7X_PHnEV?dW7v{VG z;QzV<=v0J;QUY~tr7C{Hee~)>*7_sz%8kGwb&{cjnBuH%a(r!r7#2s7kx-of8Tecn zP6EfeBmcYyoTF;`3w++K9CDDJWq}wLM*h_9s86P7?nDdTOj!;hen@MhslG15oQ$7p zHBdq>`Rdz{X6Ssq>B3#y@hOjk|F`Y&fET2u9CZ~4o+e^v9yv>x!c(NsZVlls5Xv#)&!w2h5!I96Ng z+M3EKqc{^rP(@mCoOa%be~bqLo$J2ZT4U;?`uV9a(^!>kw?C%-eKQNoOQSoNba_gB zF~CC)1?btCQoBz`p$r39=KH8pQL3SUFUN%f<+13o;|i~}XSuoj|A;Ras3)^0!iBEG13e3RqXk6Vdwq9EsVu5Ai>$FGNEelrRc&BwL61NjeNeCCS`AHt zT&wrZfkd)9m1pv~4P98);ybNW-$~N^;9<% zsl`xd5|S;T&?<8IIplvC2(&PotE{S1wnLxRMxD3u;vU=mJB-Ga)Z!v!(^m(roj={6 z)sdBm(w(%jLMXe^;uDbyYLKfThAU^=8@?wSP?7Bz2?3s3nFG;b{Wh(v9xh^9u~LjV z_Ap+>f~PEAoUdVcEQ$i203eRn<{O<_3n~3^vR`^jAZ&i;q1ZHz3f~EPG~$eu&l{vJ zOi2SQhea^V*terzDe2pd({s`dT>X#fiJ@Zqh@})VR|hgDADCSln%AIt$n0wYp8^}# z!|E)q@rcYa@xGmP?%Sr4&LuYl6d6iiX~iav;!(tsN{LHkD>DJYd^CI{)n(-%J2$c zgrpe9-axBF4`;aO(~_vVgbb-j%Xd)`#$)M=rgO%Gd(e{MpS-jFQ<;NEQ3=7iTLNYj z12udcR>`h3pS@h?Vrxvr1yG!}M$1FRFgGl+yX`x* zAw|URAkCpp{ij1$Xl@Ou!oC(OuoZ?kJaIQ#orah#q@w8IPY^qC3Rn@k z6tBi*=a({k;)fz2St)0a$9dk|l@_#^*sib7U zGt)m<%CgbUK#Rz}nG<60`?aXQGz!sMMK{-%TGEd;Hy%< z8o4WS*Tv-3>APiX4r*{XG`JRJOFDc=6(_u;&`!X`l?Gt_ee)u2+VanJuel3B*LqK; z*T4u#aD4N$V)^U40^D; zmnP&c$5{HZ5u|$vt)gcBZ4WD_6^9AC$T!2Z*o8kV-UDgL6vrZRoz#Jg`F8EOC0&n2 z!X86`RsCP5CC{4Ic`py7C_9wHsxQuHG-tTT@Ki^SiV465(XyGSoeLXxef}9Ml?bDU zE+MI$e-93i8=#)h3t+Tqn=T%C+0wAp_x{2Pp_wZ>MYpf1p?0iMXJJ*)#lIMPJOgWF 
znw51sVdk_>2NTym!m9*Ws>KIk9(N1xzfov=-Al|(oZ>T!d}gmi!G7F^Ri zP6kCSlMGLU{g?))uIE;X>nc#ry=vWIv_#b4Kq`erDg0%%$gYl8VZ)X4$EKaIPhx^* z?x)A581t0d(wG#xa~4?TkP$7h3d~F%h(ZFWaF%}=ziXP7bE&%w7DcPZ<4=h7El4wO zeKHJ{*F1lT>3Bo;h|Y8Q(Cw8ianXLM#DAKf2gz!nht`_@>1+HxS}KcdEShJi(>ylA zUx&ftknS)HYpbO2gmzJ6p7cMjdKz@u&!Ot=p1~MAT|i6x4&&U^NTtuKuZhPdB^SlX zna%+W)SUS$`}HIP0b10qEBhebYJ$jld%P)!C|-UmuPOl<>_<}MYRuM zgO)oaW}5BF7$Wt3b}~oc1-(LlkiYrcO7>{rPT76JSB_za-a*$>5|s&F7*@=t$u`XK zSV4W+{JQ@$?7vLa@Udn|V94oC?ZEn?TWC^i%hiCC;mXmi!B{s@&5 z+r0QiONl{W-;u&kQu&vvTSujflCBh|vl+`i_uMy@W7M!o$5j43_W(E$2bA)P}=cO#8-*APSg z<9omFe)s?X=Y75NoWtH{pS|{8d#`oYUPY*uh9cf0sz)d&D0s?BaxYO(FxpX2(Co1= zkS!};o1IWlaG%@C%4#Xg$}(sd1FWIX&w~9Bqi+S%$ulp{B zE(V+LZ#M`0hSJ1qaZ%oOi!!~y|B5eN$_Jt$-qWPdj8kI=KExV9vv`9C7oC?N6y)Tj zk){^AUsyB_UK}Z%QLVoFc@I(#=pJ50eJ}Sst*d`^L&gUMr77qM(I%R7+=Jg$2bVd`FPD*DZ=1yDZCdCb6@{SL6v?#2k_=;%{-tVyXjN{Z%YROj9n<+ACGN4OG z;#X)o9FWlc_(EVPOHcUYrLV#)K#bCFT#b5a%~2qz!iPsd`w_ufsPi+yyJ6=WaQ|R5 zZfAL*I;%Df5p%j=$=u)`hv~}_RHsZnZYCl#^$;m6h=5d0EuOy9`1#QXq5h#+LbQr27?);3^Sgfwa8|gHp(QJyNsaro9=ykHa(VYOjBM zj?yDy9$cdNMbW}H11gOo%?l4OBe~13_mn;D6t;RaL-?qPS4xma&V;@sy+3*#u=&CG z7f$lAtk_M{@rta=$}t-1x=VM)@yFweN9lkZpL+^~UK&$h=*!F1f}6BA9N1IY7?=rzgL6+3%Rf8bO;%YJdW8700!aw#AvP)v z0|w=Lz#i$qNQj(%6ak(2bH+qfwJ@q@tx(-7lTW?s)`ZCp$i5rVLZkr9NT7AVLda{K1fe zR~mJ_Yyx>Ean-gFDCiiK?dfyDF2U$ZNJmsk*nnNjh7h^3VbM zsj-vaJoQ&uOC!u_%=0>&h>jn=rWU$A-$^`Gi)HSWufc+sD-MrudOlgiNqpE-thw{d z`}*zcZh2VMl+=`BhTW`VvwjCqs@wWj%a=|f_;xRpyZzkUx}11MbPsC^eM|4jRD|0b z#e4|F4Vdt)G~0&%yU+LRPs{YjK?fyOF`l2!J~e*=t@$Euw#Ph#-l!7}65t33oNlXK z$}f-qlqv0a+z^`^D~K|77=Ckh#%6H7AnhvF;(~LB(%R_e=y-JG!Ba*0zWLzjSPGtA zY1OJ3EP!GSaAN(1DjKW`K)+1T3eZfU<3qJNy0!$Qy{A4xg)$HXeo!L7jA>;_@?|sH zG~>e?Ks|kq{TQvk?XA{B;rD}Y#AhC!`?EQsr=b+KJ#@r2Li1SO*?zz)Ed{}pWX6(_ zDZ;`Vm5m_8`GM~wLlFWX3JGN9S0aiDvtW>s`!FCw#$c%=`tqZ_%+BZL9>z6vXZ&p$ z2S&hWleMQO*qvIWuW+8qagUBZMzhQ@wV@Fs9F#81`Dnx6K=Mt_ZZzG7*$cJ#y@_n& zDESr&2A`!GreND1KSozOQ-uW=EwQ;vIr5V$?xZRwgJhPyS{V>aK-)kfnTMuNRv1=Dd=k8{ 
z4nyQ}@JGY8@H0DE%*dSBoUol}okWhGRfJ!LJd4{VS(ItA|Co#?M)_R;GI>DcS& zadL1H#piR*z4}x<|I$-7|0VYq=!C^vNjHw_PhK%znOD!_3wE;lUax-{()srK-K*x3 ztCx`_R@q&zQuAIHz0R%y?dKR|is>)BOwS*Bk(q1q4XSh-boCxX-8@1ePocDnD3X?H zQz*kWMu__<+EdSz&Xm-rnr|g@Ooarg!n^Xhv)*N==bYIPR+m)G80Z^V8Z=gkRbN#< ztv0SAt}3+CwWFUrm}+z7a+?to73+6B-!_^?2(>$+yP*61_(h1v%o7DE6Ms3anOJ7{ zwbAe*<$xX7V3K80v-qf)t=apkuH_rF>Q3nP?5Yrct?)JyPSs1RFXp_|Glx;+|Lu81 zn_9pi1}z3!kU~&f5K~8W5If#=gloi2#P^8Tl(d37PYWooDR3fmDQl^u3hl;|;WS>X z&FPC^vo}O$O#DAB#%xc1PV@;aR`s~nZUY6wC_A_o?Bn%Q^0ZCY*W^0@Q(B%bkz z7~7Vv8j&~D)I;4|Jct{g)}1w^HWoHa*DbxV;m@H^rLYEK(cRIx06#%|;I5|w7xSBl z#KdOZnrZwpYx8eiC*2N|*FAF+sjJPsjdQ^Vu{)Kcg>%zC5?2j(uSbRlqBd(M4>`tz zk~`;neYOv`c+aJ_?labVQwGK8-akagjKgrnc#F}6`TF4^Kme}~>nmUf;EtC;=_3(H zKt%SPX$@oU^PuH)#kK5$taWfr@Rz{OAf1mu+*&;H;Mxe;?vI}gMGqVTlhcLP1MvOnb{>r8ZEKBv?^3(_0~Kw$zE}<_>Qp2GjC}f>pItm6VHA zA(<4P^)hCFQ26D~RbG~DcI=pxSmj>qUc*>SHgpX=U^aW_(|nfoE4kv(arTVVJSh(A zvC-bQv7)gTg+wojwLS8nD{{_nMbT{cs#2<;JmHN&*B>^!4Lf(&y-)iQn&Zvm{o|RI z5bKhGtwH!;NzWc}Il9gVU42G<>hFuzidNu$x&h^ZpXtSMsVUw{MH~ZUHJbb>0=_DV zJsPi=b~1KE-OeVUPDv0ux)>4uGEorDU5|%S2`fyAj^vW$6}eAR0^hrP*U0VmZCXKl zYp#srD!!tl+T=^MgMk`-w#toRFTPY!?{OLnjoGxCdMlUk&GP}Aj9OnwOX&H{QaDX` zU-%-AlF`UZdp(J=%TeAo*hFGcLWrsZ7u=xEl(0pqyvU{E^jCE_EdE4gI8ih~C(c*D z-PrkVnjiN1POMJI*LG8&)^azII1wii1X^h{^R8F$G)3gbuf7&8%_-wFK65`?o806y z;uJ2)E{QJLF2yagH?eDRN6hl-B?PFhFUGBDAw*^@WjUbMiWvg8f z6}?-VJl{GW(l#v|%D@-%J;6Oy+toj;R2=fm5O>XRYT5oU_pu9q`cnX`@eW!({;l#j z=el!4l`hesq061NanBp^BmVu9!m{sWCUs;^-*&xj&Qe8QI=C*aE%>-U*_Kn>)vw7^$$i+?w4|}mzM_dP|ofB=Xi_C5>TZ{ zNZ&sLycZJ()MhuQ*n>EpGROq+;Af_Fkk(t=*ndD(M)v4sZHB$iVRdORMvb zA#I85cpak2Zp#M)F4P^QI z_ZfNrhWS^C788VmiF_hL-jFQR|Lu*@o`v?mbu@eAJCx_zvdYTHQrq0w($c}j2JDJB zur@+AU^^=5yP%+uvHrdvD8FPmLXJOe`%2GMPhCyS9Q=;Q)BPc0eXQbu9*2u(KtDFb^LOACu%G1_lNR zXA3K_mvRdK1CD$GGTFGgI*Re~dU$y7cnI=Y9hvYL6VTr%`|Nq|n-;DnOsrP@7{33#U z{|WjZul~QFIxd#Zvfy{fIb9|Hk6!-+{GTuX2T+3d_tO7kEB>|5f3+evTJn(u@4tyA z`Dn==r5H&^8e2KdSI82{Wxsz9YLI^(|EomSA4q?#?UM(iph%-A%RPSud9au6@y58b 
z`rv|Nr@23dOEtl=zIS1!Zbc?|B#5j^a^wm_;X(rY+P|vp+LMwM$2HO_vnAT7FkEku};UC zBV7Fd+*#?(3}F_d{R|$5xZIx?$#TT=fU5l&;Ey;UI|Q*Jy9TY7f7kwRwofR~3ID&^ z3f13R(Qj&5_}}1QgSAS-@PO!#7exZP4Hk7mN1sOYA4!LTJwnhW`d@Ga3m+GN3UbRMY4A*CS34*ENKE>q)+{{JBfsw@QH`79$=_=))!S4U zW-4s6E&&oRt@R(E9aB8M~00x}}dhFwn(i z{sSB<&AA-KnyIp0y~*D$)ZRo?T@ggF2MSX+lxP^xleFFbw+s$hs2ac?1BAppmD@I z_rc)vrtf=hqupxHy}PVB!w+^8fRZHOkMganJ*J9x%yX|*8g#Db&o*lV3kGwm42AWKsv_ zzspqW$i_F}t)$|RIZPlE z8Wa%i@AUza;y6y%IK-TL(Z7`Xyv6g@CbZ+zvEN38B8!CO4O4V@K@_2FA94OBvmW5- zoxkhtRbn>~UmGVD-Jj*3WUZTJ=6>#zu3d9a>v8pubAi*=WUcc&6 zi2X;BrLCfS;hF9bu4)5_8z(t!TD-4ynDbtbl6uw$0Wwz#8y`bD1Y zsf3Qx^<%}BCk+dFR9?m&EIzFOP%H~#+xPy7^N?k2SW^}SohqgXjP>fknZ##d5=Tyi zK3>tiZyHE?L}S?WCSmIngKW}q9)HHOj2abXk3(M=0c9%YaGB}`dH8`xoA$f)C%hqx z6ymSffVBa!g<2dW_em}&w zsvJ(-+xjyXRr!nJ;P}B(G>Qp6kYaV-_4+N0$hJR)?Ih-*cDA=u&Foj*4AN$f?^+FI4o3p7a8?Lwpp$PoIC;o3++r2X7gKh73h1n} zcc|@QGV9jQ{%{Vag(KxIjzGl-K~Vqupz>@UOr)fVrx^cdf_!dGW;>D$DkuALy(x89 z(ZhYF%yf9a9VKV=V|kA|(<>-B^OIfKljuwO`BPx@Q1mmw-9j#>}VZ`x7B$*#vD_%UK9y)1cxf#g-GEo~p3$UMu#Ldp`ma^J=#`Py2?XvwYW{E$Ru1Bbu4sRYv6uxAR z?8lLKO?SV_%PQ$RRVc@k924Pl@vGz;PHCeoykdwb`u-dQ2$L8^)y%CA=Ow-^uJzNf zSp8(llsSv5nGRm?O5Xya$n6kX1D93^*A7dgk1**kD|_TYO{!~aG>{z#+@3eDhRdaE zI@*|;#W?b*%o?I|>t6Okioq+xE6`Y?Rta7ZhQ@S%vK7lTXMbdK;+C5p{YB{_-f%Q3 z&~c*9k9$lCMts}6`Ds`cDmyyq_zLcQ4^QdgU2;n8f$Kpq_D!z8ZfQ1se{JFFQ_}N; zkXgQ=xL>Y-bb!>e!wpCN+$%72_Ov5Lr4=Wt1~eb#qz9oL3Q6T>lPAJ}aDan}_h(?o zmZ5$tv=9s5Lmv2PC+t?Go!ZLj&4ryDAkHu3GyVEup-t`wHqlUUKo4l)9y1z8 zD%6wz8_MdB${utaslQb(m(d7Y4O=ppP(hMfP6KMFEJqKpMhFySlho*`+HJ7BJ(xxa z&L6ziwqpHTrH_@M-0xuv0Uq|}Rz-P+D#n3G!CX4%rKhc-70-|ur|5&I)KnPmFzuz{ zS(CI!Tfm;5-&sf=y@*{{&#j?GNYnm7s@&BC^PV-Jnd8b>>V2V(N}jr_Ig{UwCLk>o;{ML)E@CTHMNZEHN{YzRf4zOaesYG`H)eu)j!%ZX zlugo)vKOw(tu`zCaepZFhN1p!*CQ;0EHn-(9Nzw;!0EL=)E zs$9I~m~=FDo+9cVv3)2HgR36(q>2iw!#DaCnC=gwmfM67W4z(e-NI4HRYEJ8Hr%pO zjJWH$V7hpCX2Y#FlOkJ=d{-+I@-$)t?T_vg!8h4;LvOlZP*saFcL=Uz3kIEr$C77m zU~q4t<-XC!V-qOBy5GfOHJtnv$TWD9c%euzeLM#zUyT8CxDccSO+}Vvuvq9$n&aXNT#^+1C=m(73skwu}5?a@CfT 
zj%7qEZ!~z#Gc)lB?0YN|&D~uacC)XYDhEaI41`;p386n-CFfASeEtVD)S4S16k)yubi(1K%?9u@ULd#gEbEa_vLr@^ zT>j3B)2PWK+=jCqGv$j!7>xO()bFEp^mH2Gd9VoU&F)gLqTWvT0CUM*kAm&eAxJOE z9ZH;`f{mXxO0q}D7V0JGBNCeXxxjBc;vkA28aG$hz)02624pJ0i>mMciAXz3XUp;tp_SY{g<%?5HI%3bC z_jZ|UFAO&uC>Y}4uMaGV4$wVu`8MQ+MT8AN%G{@ftC zb*Y6aueFgzg&TqJG;75rJ)*Y~=vTqpP4Wy<|DXzMe3UN4IV3Gk5f6@Q_6TTbQJl=& z5Sab^$lMIcGmOY{6)TGGFFAJcD4Q|j3G3f$aIIRu&D&RIYMQ9lpIWae+IRA&mTriw z35|W2C2HSJ-5a+98cyXFefDLdc_qRG%f$p86DFT(ulzjem-?1?3HF7RA<63ph)QUL zhB#|8uY^vlYO`+B-!u2AW{3ZfY*W zj439}czpqks4Q-|c?vc()$x1P?sugK3G}_r5SNo`I(ZR& zIMJcK^JKb%xo1~FoYvHo2)2_93z1l%=QzRfa@T(xRbE=)tb8#im35=Jh!Isj&jNW# zDH&6=+2QzA^1J$nyDJ)r%oZ;ZiFVxJ!h1N3h@StLGg@~jjM#Gt&5sPRZMf_ipNQ%p zb^8FGu!T(|B|w>><3NA@5@JkCWTF#r2fgmLDLg!Si|u!rPZaIpch466;(5l)77d8X z-Id?{<73@|W7h4=_Rr~d?%SgHhKWycSS?YH z3?D8s%BzX?oyW!RAX-Op-uO?nn*ozZtEh5{hq;VW8jHgfy^)B-4>3dPHHu@!H9k)lLBY5@WrIfv;K~v)WQ)GVX2P z4{xV_8L>?IF$Y0PcyonU$XS!=zAh>n^1#*5KpFuAbf!XqxAIoFc&1)xW0|;ljC*T1 z*s_1i)5}IIZw6j7ZC->lUGE+> zT@4O9T8+!s-blAAUcWiMn*@E9Tqbp>Kv%g$&h(-8bFl!)tZz0 zFZHgY^6gN*NT{SAlSHa8Pq5-l0TCAvq#MPjy(3L$+V%cG1T=s4@~-T_S81(@x`oHt z3fiO;MNS4uE%12uCR?i9E%L{-m||#}6eXPw40b3v+FhhLlT-06=YH)1X(gN*9?ht@ zW*Na~>D(61Fj?>XgYP*`ikF%UE&9(l#sEiB~?u z?@U)NLpP3XY*!~B#!F8$ZEGo``pDI=1_u^@&0FiIFqRtCyh{KpK+iBv9Pa&G#15L} zJlS2Uleeg&mhd}uapW;Vp^H`MQu5KQ{gmh&87Y51K1RgS;yR}i?Put2v<53u)XVdF zjB(fsIT?n#qZm9FF(JMGoqG%o4q^`bElov0$i9;{(}7z1-c}=5SaOywV12 zm8a->i*4F}fKnJJS0%{9^ZHl1d!F|WVTATSTOz)~p87U-$?GCQ}v>|DxVA^tsVXo(jIm<>z{sNXth*LO>R=Q8I?Kjc@O!qm+X;phR?%u`bK{rx#KZOe_2D zkR8{#<%*MPLrLxx?(RiGM0cU%)KvOKt1N3tz8q4Z6|>7hS5lvubBGKLut3Nbu5<4b zE|aG_h~FJs#QEJ1`*E+h@U*;GYYIIgm_6c@0M*2G4WZ3(8k ztlvVMmXdjn?x{uJA9gGG^$sqP_!`h%ai|P;w?*>yPj3om-5mO!vW@m%H1V8h_G^aR zj4p_TSM?WKKBZZBymU95x$Ja4et)GqDvn=9jF_`tuDB?>_X^&k==6Y@DYl_W-9!f} zYRY+o@8^w1y@Bm~CT&fN&<9OZ=^+X5rRyte`SbhtnA5}e)VI6_Cl8gK5r~hzF%49z z@_z8pM7i0tEmNO6iBYL)*Y5@0O*g?A+=)WRkFa6z8-6M<`k0Qch>Em=!q=YFxwh?! 
z^=IC@b4%ATfr>jr5sT2AyMR=_Oq01VxG+GXil+ttG}lqC>5JCdxL;e7I@ev`7P&@u z)9u1AJ&Es?&dzh)5s#Z&lY!}m4F~1Kgn1F@aF;I2O|oALxAPAYNRcmMoIDKbc&ZZ3 zTRO`nAodirrVeU%qk7jpL~M@IRir}nPu4N6G(#NYUJ&L{OKAxSovG=AC_Z2MO%J8s z(G|#{w@JJ3=w=r^nW%7s{Ms>3leO`*08;N89G4gNh$OJBM97`21`zUDeOP`O;m`GK zG4L9mIATxr#$y?;So!dDi#L9ow~w+hAQVsvE^h$g@SWicFV&}f3gQ!7b4ER20izTj0u6myOx1Zq$r2asrwzfABnaogk*0oGZ18%p)!eKi=N8 zz)*$r9()WQ{;<0uD&!(0VSHZdsp9224WK7P1c2_JuZ{iUigw%agg3%EPPY#3!*51+ zoZz)f^G~+VYw|*x?oLkSUenAnpX9Ia%0qWb@0p#Iol1J{UjlL->iX)yal%XyJU{CV z;K6q-GHdZ7J|=5v9P&*4HLaC9$AjrPOXfoaf`T&x^9&1zZ{y&wYXq-cjof;;(RYFb zk4BsXM0|gOY8}unp$EK#5hd8TPINmh4D%YRW!5zB&}haBxX64>_}wQ3V*+K6EVdP``SN)^bpzAkdpw0u0myZk`MPBYOb zkt>;d>`T+@rl505lchRJ43WYN#*MR%<-8#0-7ibGjcfPasmt(X=EqXvk1#ms zlSE+N&iQ#D2zHmLy;a;6xaBIX=e!Q-SQ`->QxWDSzFkR-3ctC7waGqF0k#iRVck%a zP)~OQJ#NDDYP;IdcJF;RRdd7#qHZ}0yXih`8je{&0*xgxPn{3F2KxQD=6DdLHxp+} zg3K$}=L6$5;HiiwEH{Vi0DLunCmlsTBAimdmwc8=c!}unnry_Bl z^<)l&%b!8i5BPh##=nh#qKOfg?#)JZwkR4GZ-d;|dInRZ5DJCdi!z~Bi!>bHxwsK8 z=JMM8xSk*TWTZTDph3JneUaPKIh;*Yz8h|niq{lb7(ZOxaQA_xDr4-agurXezF-ip z9oS8EQdpfn@%_cv0nZG!SmWoRIQn^w(-h#5q?jCPA@SjDGhJpLRQ0x(BThg%+VXb5FVs&Y3c zKkOueF6e~IE1;MUdz5W~n=t_SBPM9jrek0*9-TdM;LlGNl^4xSOv(stb=AJ03muzS`DhF_y)gO%}(`Fg1Vq zd1zlP<}!J_D-?I*x8>iqlHtC7cB2}zCI_sW^C@C~>em$LchZ;7#5}qnElMNeLn^kcD9*;K#zvM;(1fC z-u&v{48tAY%_(Gktf+ox)ldRmSH?b6K|fU8khyZT3r28s4%+D|HEhug#A4?zb69V5 z7fklEKyNjSblq_hZt`f-lHDgs$(4PK>OwMJ+bS9l5*_^*KPpeHUvnPqw&-Hcet2*{ z;nYJTrP*#x8c9GY;gAyg;ctbc(i;MF8OnA^@B6u!>mN=o3KWZe-arVwr|_Q5%$`TABgy1sp`Q`_#RGe)>@YJuOm7 z#Mu|V6`-?ayRPT4#S$!)?E0Q9$TTDUS0Lt4BXW6L2C1~S1b)B&yQt!(0P@2a8X6VB zVE$bmQ@<@29)issW+jeP}<+-RX9*oJsTt(0Au&M~jZ~z7c`<*U@Dmd5TGIDB!{Be%J%MA2%l> zGrM>v2UXj7OPaG_G_Q>)*ey4#TD8koq(5$XxASY{(n2z?cgfF{Ac@>6YsS-&WQc2P z_wXvS&-dr5r}AarIw4a**=hP;j^GBM4GTkPbS&aOq-h`SRdQ zvp?u=tN(JnGKLe9A=>`Nl<#nGG|A;KHmLkT*G&Ya%D@25xm+$|$ze#~^29J-QT-Kr zA!7-z*4w|M6tcZA{CBiCd@a}zAF09e97Z+NAT6L; zABk+MH7SGJBXMb^>dsS~Kjd>v2Vzdshv;^^ZtYMMOuAh50hXG?je0SfbZIf=dU+#Yk-khAjLFXv`j<(z_FSCf~ 
zd5xVZ1kUM6)<~m0@7FDsyHDgL3Ac`M5bEJo^lzjbe&=*RZ$|E59(7OHS{1JM%UE5EKs1_%sUml4$z)yUTCd%soxr_jM zWT4G?#2XL0=M4`Hok$9g(fJ zf`QvOvs5B9n0J*H{#gw`yY!yWiX#Gnn=L{sC0zBCi=_+)NZ`6gUpy+CTs!lwH1W_x ziWml+hm$Eq6wvLNi=8uuM3u?UMFs?!dOy)m6K(dB{OWinaxP9HQC8Az51N4PsUN6m zq*GImZk5DmM}Nr!`BzqAz|Nc!n1*k~Oc7(Kkp=x*N_tkqmpQeLPwev;GPNH4q+AB~!WP6veCWrC$$?bJCZ}=LeY3s8! zO}C^I??G@_Hu|cvC5@6-zr0v5u{Bt9ImxoVfnUPNe&-o~e>NdQ?#m=dE#5tB zS(4|c4c2vC#1G1Mn8>g?2`>)&-nqX^W(UMXUQCw#%-?=jI9>!Rok3&o-qe_=&F~R^E^eXg4Y5u=t z`eQl{Hsq9y}3ibq) z){2)>yQgxXQ6X6i9Yz1YVw{0&NO!A^a0KH&ZWM$6=ifo{&>%vVqY9*hcBb3v@eIM= zs*=BRo%}09rOO#hvT1{TD5J_xhzG~g%drZTU{*(l?)z-`nBn+#BtVg`uPkEOpIfNt z1@wfK5@H<&30Z&m`R<4$_Alhp;*i3ey|Z2VA7^?%1o1;AWHn3Ccg3`J`~UV_1iyGg z{SV>-`D#cE75dCoUzq0B(yeYe`>Y{l<*cbLyW{j`+B+ z(66n(%^GswdRZENRBF7v1=b?{r)E%9V24Z~0LNwz9ot6W2O!TZk}F3E=Ovr$VF zFm!p9BosBs;P3K#KQ<>ED=Yt52wA5f`&p;(^|Sl85o6h6onHIC3|rDGeJ4D6Y^yIk zsjdT6r$D;AWL31EYk4w`7e8D8pS{!Ef)|Qf_3Q(IXTe|3^(v(tbyU#bj+~Y1;moScC9}heUXnbk9t~JQJDNpD<2r{&9Gh#pW81&Tn~YMN2VFKtGN~~c z{JviJF9+dksXM|yR|fYHa7xs*YfouPE*2Wm2>vJKaeoskpdFqeXMNLl33O}Tv@3c$ zC?!CD7XJA{$jt^M>t=704{ri=NRbq#25?LZZMr6c`}X76@4L5LtC_WiD51}7cSKK{ zyn352sDB?<{7HvN9!RzcnoL$Yy_@!37Nh#*g?L`p0Z6%bjTJlHAKgVVEsxzheTv`q;s8vnl{B#IY{A3w$JHe1@OttN~?B=Yh6G z0Sb($+T*;B@XO!4DfG=r_i57fe#-UvKZI%)!2felx#X8cMeH*QYr675sl7J&K(7|u z_``sp)SEWI4P!@j8}R*_A&gv%Z9WeN`d&E0&VSR+SDt_gltueI>*^TiAJ&<>0-!d`LAMrhtt!6H2fbK{mWIBT%0ZJKOHE6B) z-!Rqzl6bXRr9rMO7{iSOKd&amrLRAPW7C1Y3ERBlUWHAZcIHVdw;{ayMYacupKh^v z7x}c+%Op-yyKpYaxX9WT_}-4Ct5{m|X%?L)J8D;NM^VC1tX;BG0t4a-ZlvoOr^*(O z4-CtD>6OwAm%-H8U@DeT#NTAk5!KiAV;)m*$1 zO*#kE(4rOMxTR-ENYqK>V!8EFkH_OSmB;bt^Y_fgL}xS{l-43nFGrNB7*%5)6xDKyKc zU~$=1K}66h>ufrY-sf6F@*b13yK1^;*%LT%Q$WLvnJ)Fii*M_uK!!PhSB{wO?Vat7 z^x4O-Lvp$;z$3bwXH34Z6V!bvMB?4HrX>A`vPx-NF-A0xi}6lg3sL`+Yajkwta=_m z&r>;Ab%NG9X8Tj)Bgk1-rq6C4{!-6-{IQa!~N0k*nD=NRn)k8tC8 zM;xI4I!Te)yaT*|Ps%sk}V2--Z;R8|1QL9u56@3~^ zB(>Mn1P`|q^lz5Hjgr1bo7YOgK1@7##VH=(DN{WhnEF-SZ{YIbvs95VwiSkaB(FMz 
zkXt%U23}It7Q57<~=W)ANaOsgjeE6T@aU~oR{{&8_`eS!iI6Tnj#M|aQjO+W=5t{Cjg zNRJ5to80=yRA|-!aGV5zNmC~6rzPWvTzpo)Af-&t-Fo1bwN@i)=ffqKCOPc$I{Mp# z(@r?^S_93*-JOvv+|UkN2g+bH{xETl+V8||yaZIR;IHxVEtuhEZT+mf;Pz2TZc$s+ zlULqoE6*PW^^x0%!2Xq2hWqan@}ZZg?8r=9`|>_w*0KDc1dZtE7yL}x+OhI%KRUy! zxbn)tHY7kcMtO@o*<3VKK+FdH3*z~O(31|PT$aas;Z7gMtOG;-YCs#I;{gdkbxi-C;vjsbLm-Y&RsJRfoK`4~PmrY!sIAZXnQVyrt5^4AU=FB z>U>i8ac~|>@5-L8RuNfXQR`-W2tF;i_9JR;jv1>&)6xz8iy@S@wx(u>0rN7vw2nO+ z4?CQz;6;PiFPW}HMF4 zUeQZ2fv6g#Z3bpWbHw8g{n3Kuqxva01Oz43)>fFiKl2EyuO-dnMsLXL9$n=}-^%fM z^atTHGMo$2GPL=Q8@(mN zIj7F~WW=qyf)KGvV_49Fo!E+*RS|GG$O4%*bnGw7nYOa zk{lJN7ZyU#dgwwusS2jOkDBhYBKgh&<Y#s(y=rvR@I?2V8&MhCYti@SK#h8@FfQ?JLEE zK{Ei0GQKjR$-cj!Jh=Uer*nj|0tIw+tSd$mnlfIAN{dFY{fFs8L4}mlL0$bw7x;vU zEBd{mRrxpp29Z_pch6B|dR;POA)750bycq{N-8-(C@_822dBE_BPaKz{3E27Nh#Tp zs$JTwND!|csh%^y2WYCeT>J_c)j-(e1XJRoiTk ztoOojX+PPd7Hbai@6UH2h{$xNZuMkVf!Qe9`%znBIbN!#G8Xdckv)MH5G{yXp}DKf z_dvyu9kFePo%k0GVsY9AVd-}d%}-dm=i>Ft+3Izg@t@KIaW{~Dq77B1GBJ!i+Jfvsq8zg_YBcsH!ou1$YGzjz zS^b(1Xr3hT>A*|bs-zex#V0x@CfoM7%D_J~?gt2$#}@V25n|jFabqzf83}Ai^d?Sw zPFCat1Zj9t0Q(Y52m!^8N>{ul@fQlB1#1e8Z1z%)pden(jWlPz9*|N5N zGP|(SrBSuEhTaQyZ+G)(BVHb9GbcK5ZIxw%p@?VA&5LD3E_>9KJReg}7FD+J#yRQU zxm4V_Or%A+x-5-t6lJ=3MjOqSdj-A}DY-TRR`r(9p`phV!N#e=Dn4Gv64CXcHpl)% z1BKDEho$GQL!%DJGF<1Dfboq#F}k1otfMjYJ_r{VqWHH4yN*K zYo|Xx{N|RlWFCIXA|XFVOB#yUKQqmMxNiDA;bDFPB)zS@*_!T4%#6L^f9N8oG1%SY z<~?cx!<=vQP0IYDyu7Fvg)nn5n+NXvBq__VUFmw-G0m|qiP$n{>gH{EZE>tLkgBpy zNB0mY{776o-Bc`dV!U@BgFWh@hWlC3PW!rTK1CFU)YZG6BX?KC*Lf{xhN^N3KNuvq z3#DDHz2kd`pDt4o26%NCH^|nIp0eR~ydzahezJW!?&RxQvwHP*Us^UsyS$}djBja9 zY%~Kd6zJjh!TRTe0T(bTgnT_0n1G4M@ICSTV!dWDu=|+4>j?+Z=}z@GMb^8%hn4bl zK&W0`e}F3;@5b|!kZ2;wYMUx050R5pr^@ZCgHtAu%ad8_aoXKyEAo~>W7>r3Q#DhJZx!wk;-9hn~ zdXx4R84D+J8Dj;RNo-VVd!#hF(W>L03_NSFOV0yU)+(%#OS(iVc~Ex^H}z;}YDPPj zmBvQCn+2W4+1quwZCA@HixuPSc9ohx_Bb!mC!#CONVTH%xNhSWeQ?@TkGj&7xk(qYpQFyJ09$F*josv%JMCr|qc; z5SMt;{Fw>R3urQ+UG_;f)(cu_$&jfI{1la#s0!rxLZO)G)zh^lAz4G7){Olz#=%H< 
z_C?`pLNrE8dSA1AS=0nci8t+jgVs+c+J?zo2BYct+2-r~c{ad7@E3iG`&Yh0HsCg2 zcD4tn%Q|9X0lUB zo=2;DZn-xFR#og=kB<3ws1C<>hYHBEx7NdBCL5<;EuF|3Y37vAF-r>h;XD>5Vztgt094k9Su=Ea$T-_0z9 zB4%bokJU7~#16Eh2F02I?&3N58S@q;IA`2FiC-_!$|N_%1~h55G!lnimq;x%NamqW zajSj)M0UhGde+?Uk4U7%X0WTFkM=@FapdU4B6eN2JITWxx;QxLPJfi17LEs;bnHJa zoSZM5(5}*%7Crq{U;Is_Z_cI3crE8=(tVc0L*c;q#O0PLGXHaug4HVzeF|QX;m5V5 zvSEavwK{QgKHVulC*7{P8cSCv1v=F(zr!abxRfyJuFgB(;x$c;PM@<~Ij61LC5p6J zaXw@!g-vi_vHVHB>s`klH*Oii*g$3ES4!%4# zQ@i}eexe<@8PV6D-pub2DoK4InC`53I;_;Vx2-qK9??s@uq}ISx8tSUF#bV#4C^?pvp&|A(^ojB2Xw)<$iJh=LTU0!lF|y$DE)3P=Y9r5EYa zdoK|IkuD&e1nD5XcaYF)=%Kd&34|U3BtSTM-e>P`>>p=;XPiG78A;YiR_@HK>z-Gc z;W4D;eP2lhH-l$?j?I#k@tLGdX3~cFES9iJkK8$khN0F^fRzvk?ztK}ek-obc-XfdwDP^a_yD4y+ zZ9&Vj9KHaEl2V66@TaU^^A={TNXixeG2u&t7z+D{J`|a;Yv63cAZ(X)%>Ah|!1t=8 zq}u}=7j&LGFGXpVT0dSx&~61b9A8OdCJr{QVmY`-^DYXHi`d<01l27cJ_Cxe!9ERp zG{EH2eb8UCD$A%0wcL%tu}$wdX^X3@bUS6#j+Y%K9==88Gg z^tI3qwNucS$znhWMew|<(_cD>z){06^ydrCl3=ycFF$?w_D5X~Bsy~3#d_cmqYu-i zSh1}0_1b@&do`%_#Bc19!_QSdkxci89IJ+VZTrsuzWSP%o2%&UWsswYxj??}L{?rl zb4m#@BR>2LKRLm)B!0a3*J&y~efzykf3JDrhln4kwY zets8dd7b;@9>2TIolXg*f4pq_Be$5KpDS{nM18ODDkrT?9w+(`W|}8DvY)659Q;TB zHo{135rTzfhhre2x0cNB1mB-62%DJkC|H~?t`xQ#D0wyB8l28b-&lN0vgAm?jI>Pp zl{(buq2ra+dbY9VSAh#2hkr4*gW)^k$d9d@%hP~8kC%5F} zbML1QqMqJ+^R)_VyIVf&fM_U1M?mvSDLw;eZ;UdH&zF6fxH<+@bpdU7o8=`lyJUu9 zCd=}3-(r&FpPcr0YGRViN$tM-`nsbvpfzmwoCb~KIq4B{E>D54Z#^Rx9* zoOHVUas>;<^yApAF&4g^2A=1#epL$e%HH<$$FAIOkG;uhvj5N`7!pFj!5ozzCg!{f zjmICZTmSI4yD6Rt1ht_`^P1(S8(msyV>`rIfiW(&TCi_ED&=wRjH@UZv(x8ZGiAQH z)xB>+15m7%P9@vMw%)xd2@@-$JL)vTV|xm0gq+;LG$|d6bFv-9{vlaX+ZP?f=9I~2 zGYxXN#Zr7#gWtjReAw4%0{1tDCVdv(2OoJlnDB40*f3nJNg39c%beDP)XT5JJLge`f(O0_E2XUc`p;NCuse2_t{Vn2+nmVIQLQ=k7mqvY^^*oYmX*^ipb) zmF#FA-5Ju+s7Sh9BmA6sm#42={2iK+a~@t2e^H4`DOgIQ8!LVxK&c`rKw0pRqb-L5 zQ(tx)Q`8+9sKE$SJ_0}Er<$E4O7q+nG~>ttc@h40-Q?`%Rh5J&wjgke({5)I@xp@n zoPN0TNK$ru9!(Kh;<6^evgI5ec=l|%v}9ITUZdu3&K|?Gipkrg5dLvA_fsezerdQo zQc6Ged~SWMC|ieRj_1hPvboQ2aTPtza=c-=lKMfwcuhKyi`@WP!MedYCkL|DXzXKl 
zYWifM{EKw8I4N?$Ao_@0!7QMh_ohbq2(nTy#hS~KE55CoMhfY_MmJV%n8MF5L-c*Q z&|_4>ve2xcq=ku=G2E`Db70Cja3cC7f7I8stmvMp_%P zZw#k|xXiRL!d=pRUwqmgIi?~>;h$3QRPr^U-gHoRuSby%3dBCu=*BMVMWcUbGiJC_ z3-F!mLpd+MJx9o~E=M00VdQ_X?nCdFXR*Lt#_pBSh%Pb)?%df_v*p_awNRpALF2dk zfiKur)twSiekuZ2Ko=}PUPI#!y^Tyvaqm&vg@4!P>PSZP^+s-`o&e9re5 zTjw?`M7Hd6;}j9axwCWfGzh_fm2&qA9vr)=8|!cSBlei1Mc?Uw1mSFQ7d=h*RjY*S z?v`hdWqmE#GRA;>MNFURe?9K{me|6$dv&11M?0%df8@Jv$e-gaYU zz^g+Wvdq9S_Bh_em4)qYx1MZr{p%Yw-T$m^GM7+^?GE{V-L+s}i;9Ksc4@~2u|LjwdRnjvA1#;HYn0lxkr@Jvm^1&@?M;}}=){an?YAlxboJKRw&Al3Y@*ce4wI?*?GH=jK~ zfpOCfY^;FcYtTK4opxDn+5R*}`N@2-Pq7nAn+Higr~IVsKcZN|LF&0n6VTxy7MUSL zjj^sKWV$J4?)Rv^Zl1q+Dyifc&78n(@`o}f!&YqiW%I_b14FFg$&4UtVzeo>j1V(A zdxAOgTlU}G27;!-z%v#NQt=(Bub#2#H)Iy^SKiTt8;Z(3w9k>*BtMoLLB%MAnAN6; zqsfS+(Qx1LhHarS8g^&tQiH>I)cK3in8@;r5~5h~{Z*ufG)I$|X-OYD%hh-4l5*^# z8ui}T6%wG{_u%rNqm{jRGFW&a7?+kFi_>!1sp!)2`rO)nu*NOVmKufp0XK&Fj*mur zM)yIU9_k6E=x|RHJ)xV1L$T)PzYC($o~;V9q$K;PxUg7Q$I3QTzgy2@niQ4*{X%WU zv6rxHS3*RyU*C9VCHKRymclTyM~$wv)U>_t?4$G6sL7qe(l_V%sEdqW$?##c*< z1hG@Hg?wMBo`XCskW2S`G*XE?*5fk5{2E!tAdxH1d7`=ryl;9&8cjrS-dRuXJtAT{ z;HF4O_uxM;Zd!>6D)S$(M^uY~?}&s9C!vYRujAje0;(5jf^7e~oKuO9l#vGhLl6FS z1`sJ_XExIlC-Dc~Y_bfV-lh7DYWP<+_%UV8mOO_5e$id3cL#@94CrPRH& z-*K9fep>AlAzN;+DeViN*o>5FvkUGMrT5hA26V(5x!xhFsyDfmTLxpnZqZn8DluPL z&(BjHrT~M4y)XQa#N@{Tg@C>zc%_#8$ita_daYoV0_HkX9Y#cB3(nB52DuLUG3SaU$L09*tkosR{ zVaAdCddC@@HDaOew1VXn>2TT)|o1D-#4Dv#uzPC3vr3Q}W=xBhyLNpEja zt#*toe5Z?YO9{nC(2vBqR}!@2U~QrP@|#0!(l;NoyM%PnZ{$T7*3w<311Wc1;HHm6 zliXDahIi7}iYc<%@{+R%Rch&6Mq$39#x2(_QIpjZbsw`A`!|Qe zw$+t@n$iqjj&hguMj&vA*dqhLIE$pQg(J1GNL$;z49z1!%53btm^q0db7_39ZADHd zVqz!0eIS-485w&s44gi;Obh+|bn$e6YBjf#>(ArFVO$eN286foh{_d+fzXBA;)8P5Bm%1hy zjVOgC7W7*imbuh?YxYpfb)~kqi3XCkHI zKDbTWX!)=#`KH2HI~Afw`OHVyIwERXn1O;t;+e0XIy#!t3{01qSW#lN{6z7ky0zI9aZ_4*X$L6=C&wWYA3O5KRV zw*MGvL@~3I@2(t7yW}=o_|}D#>tU<M7X1O(wjY%ydxm;R4lgx6}JBZb>Pqa zL^k~t?r%CJ?M;>)2g}ZWD2XNCx+B`CEIY9$U5G2WhP@Q!NnwR|v5=>$ zT9FfSZAaqxDR3}OOpN|gukj}4GhVlZbji7dGV!HaJih`wHG3=t04`-n9;c2nPaxfT 
zp-d%X!!!*SSTwyl5h{_*#Em59wro2PAzBXq8=T{>Y7f6ql*^YgkI(#j$u{y0u@>@X z3j^38wF2J;T9ky5=N$wK_z~a6NA2GWGtZpuO6rx)&Yq_@)h42lC9^1a54K^s*3%3U z1wS{lxp^ioRS4w0es~^JtL%dqVtm(xk#Jk*A zdC-zUG<@Y8KQ5d9v&lym5!rRg$04bGoTH#D|E~M2_k7JS>IMbJyn=5!TW0O6MKDwAR$w)i2?6ha=L3glp|rZ zymq{!p>g(1$!pfEW?z?VyZn$#*<1ZIFb=G=f_T+neC!}$Qn1BX_Y$k?g+!%VFJcqp z9S5III&rNK5>vx{rb;1W4}GVLUS=zf!$#hmo9H(y9qWY(%f$>ToY^_8`MOxeBp)bo z2sphsj$&>1-JX?V4bK#?`_nhDI4?g({rBZ_Y8s2h5o$76l>93!KJqq=u#1VbcDT<( zmi28eRH}qJ{d6=_E2Lm(DA9G=zVzWMYuE364$PjBLz!fOF3}8Ot=ocW0%VusCeqP^ zl#c@vSP(KY)mlgGjW^M%5QwQx4kT1tH>0cIOEZmDrTRymEKqHl<4JrmC%BpJbb_PF zQNmw0c24R8H4wDK8OLqxXKdjoRffQjyGXMxV(LP?#4DGgVB$}GWiQ^w(Tq#T$y~iC zgJq8~z^$Y^dsnX^ouxSh1%)-nW0`^iAI*i~;Q7`GNqf)$0qac*C9%2H2e^|ZX?6fi z|FMwvetp=~#Lk78p+-9VH`{DNrQ@&i0QGVBR%&GO2$&b2_E4Ad&vt7zAU`a;qzHuiz{8Chdnxi{%CC+C&Lz|BY9)I9inm7{80E(xU<-k5-lgp^y) zmKoM-9}kHPu_Z%3FlVOlt~yF{@YG&IyKYIAXSXPpi0Q=zj`bpg&X-CV_zgzn$TGz! zHh3nGYut1hfK`L(Rf*w=>YxNHex`*PcJokXDBbAg3ea?tq2F5mbBlp=e>RK{>e1x8 z@nnpi55nhqS$y?CZ&$AAaGPpLH_T&d8+z%sNwTtq5`VIl?9hXC$Gw%(d9-vI6VjYL zw(Ku0dw@+W=8|f^c6vRt+Q8k!yQxnXJ0o3Y{e*8C*?hk^Gx2Qu_Ci6n8*%5lX%3z# zZ+HH%92KbkUgl-k@-Ke~RdR%(6vZigig`fJM1&1~ej@#4e=qnYbzp~KiM3ku=zhra z1~$v?22R3XQ$vmDVYO_4)#oJ*CT3pz9=KV~^W3F1tyFlyePJ zqy}=y>0JGFaAuL~g?D};vV9&rMpMx?xhLm`wl4&YgeEJsZMT+38rC!7+RnHR7726a z)JwlYutFbTbv!zhhdWT!@K|k)(>_|m0vB*f{RZ8fuoCPmg3@9;qzOR6~-nLV2njw z@^D{2Z3UM8#S9I2Oligl-+(CuRrkJ^0Fpj_U_UC-FB_VE)-e#cF(U$CO}=T}OY-PS zWC7KIJ?4hdioI@IaUFU19|Mp@*~EkIAXQ?|4!A86((!-@;*9SR^Nz4YjMq}}Pd{&y z2nWffh%LTv!~-rkH2%}sBbdLDWw`fNB!sBQ-op~XUNh~#L4=+E*h4$bqhK|rMJ70+ z-nx*+n)q}&cb#%@g!SiM(~Z@sY=yjNVoFa0OJkzwPM2~_7kLnkUu8A7&BYBRuR|a2 zpgKFui!rZ9JoKrBkSE&Gp1HLl9n=t7Vdb@I>Vq4uXw#jG2=$=6^A_kBwaL;F&$w$x zm9fEh7N@d1Ex(`leV4yDTcuW_hx`Cd(oB6bo;C)osslZ56l|y7HV2pktTxKjs6p>x z@08SnxMW^Ret_1ObO2j0d~M3dWF&V?E(apB;l5D0nErPlTie+1rKL@pRH3{4lm1kP z*#$(rnW5%YQfqs)P5BwATdeOsfi0UX zlMkkk0@&-5gXSN?{k4y2`8~H=n|xbQMlv-ZIjK4L*yY4c3)LzgwbU7v%SP|eN+oftcBZDb=+re4g;`rN)| 
z6rR7Pi+d5d;YHMhP35R&;Emn8k$?T!a;%wZJ#a0yWj!8D=94~{golk1<3G(Peg~{XPV@7TjMB6RVwhjlK485Yn%rM5_ zQo#`?@XTw=V({I><0KldUvVS}a>PPRzf^c3ANxt8Se$=AZKMk;{sva{=1J1Vse2#X zvRn#K)plP}#Z4h7VLlA}8*x;Luto$rD?8V!;QvSrVO)ff;WDzYV;^%8{HNd6(UYId z+G=Xgxr{7ndajNJts)5*%gK=~$F@A$Dts{ChZxaXdt|8GwmTc8+0y4kAM)xkC@!vyC=Sx;ouZ?9=NT-+Al5JQcqkkQT6Lm$B zlN=Sz#VW_swuZ=RdZVYlC8U_GM(gBo$Gq$-!6so}_YY+u^T$yoRXGas`_sZdo2F>? zTZ)|$528FvI+;b^j2KC1Lo;#nZ12@?m+=>qNVaBcxtI*9D*im1R<9vm_{$#BuQd5u z&fX3;ai8*Fk8KaeuD$2LOM6jmepXb-@y^0pOnf7n=RvC~jK|eoBywrD+XH2H zGkM$U0O)ig5?;R);c3-;_!#I_MF&IFbl}cLrI{yPV*T1E8H%^nEVeKjE zv!nsa0+iH3qh(!+C7sVX{uaMMh6~?C|J^gv4`eD!fEMNCwT%JzX0+l1Z0;76fdQ-Y+U<{B3-%5M6}#~a#iuz{!C_o7@1!5mWLGTF7Lvjt zYTTS{O)LxKJ-;tU_=bwjUp55Z?fJc^Emjr@ZboyN9Cit^4-N>zSPoZC!d2*0yv=7F z;}re~$e79)lFobX{XD?wEVEZBN{26dU&pYEl3zOhxqYS0KiwSadt&!as>cm6|K+N~ zd;mzbO0xX~Dbb)d;Pe3oYwBEC)wq4Nrdrj0FC9Zkt`S*aQ2XX_Xd zGVj5Xk;__`PVAu!eu_Q5nK&Hp2<-(9hpUJ825=mJA3CF(Yg|bD3JS92%DD9f8j_)G}n$a+`^oge>E*eV$JI zBvsP0Rg$e0+I;Jp&?(bL+w+3u+W`#}Njy#O#}&3)3@VQt#^#$oIQ=REF5WMMS+3%F z#+0JmFTGO;X-~Pi%7yYxGVO~I5fHZKi=M49IJXU=0+~SKgZ-8 zFga~5RbBOS#I6@FUeB;XX!H+WR~h;1ude?0V!8Szdc4qOB{6j+!JT>9iAqo0yr{2n zTd;X293WRdhQwNkd0VQ#^Be!j@6dhW!l<$8>&#>#MY^E|C92p?sG8pj_t9P#5V6-2E~59v{^!7rGvPAT?%xD*C6+ zAM1-WxJi<`_FcT-i|f0!Yi^wW+ulQHkPOy(%&oxWg;2{)EL(90K8-32m-0(mcFpdz zg{zA59@?}Hl9iG0-L?3|0Ot~05Khx0+tA&~AJV76E3ILX3bCvWl+F33cet??AFOIhsUgDe4%RyMKMv_aJg*&sO ztXx}~nm=WrG~7+xR2aXECDPdB%-0Pg)yl1b)+m08UntB+6`~I9`F4jTF+nGv)zlAb zk7yJY9Pya{;5faIsu@@nipHlBmCKK|I5_>^5%Z_a6%f#+<4wD4r>QG$OjMZbpbMD> zH-u|EpH&xY#E{8%nHMkG?z$y+g*ifS1{BE@_(BC^lZ=0$g+5#XeLsLYa#ZRS3wqZi zP@^VMMaA6`+Tv6Q#8#IS?+4109i9?lAG~qa2iT^ad!q8?)FR46|8|d^oLou>+Y4EL zd-1ugapdJ~kH(=Ny;5p}9apef{NVF+(KZeoHjJUgSxlkL_kR2|1a1h zAp*aDsNI|Yrpd7q-C}$sgnx30{~r9)^*dlPC(7jD-f2rMy$`IuMIHAim#OPkbRP3C zmNWC;aG=mFy!3td1OB~LMTXwfN>s#4g>ZatCnWOyU=jTOpojcJPtKm=0@Yj=?4+o9 zn64(fr>2jDer^Uuy{v_@kf$*td4Y~v76mg;F>f^XOFf$;vP!rDQL8VVWdC7iED>^V z!dsrp7$yHMYavB(l7=pv<+EdHd(-V*Mdl!|`QmPAVeidIr!?POad&bZYrC8-_+$={ 
z1M_*ysjLV!(I&DOj{cxh-I?OKJD|lo$htTNFZ9=RSAcXvy&D3&4<9^?IdMP#xx8na zfd7LYTN07(%*r8?biFj4u}O)KVzKK9G%_)Gj+2n8P_!;EmC{ceE$7?yvX$_x@TmJ1 zn}^A+eTePZifL$Ihzc|DVyOQDgt809LOTUmW!N^suwa~4xiyq4-yHBc1u~V#%w5vu zy|ccv^Uk+@q`Zf2sG4@M=n-R#3zk{quh22foAcdlM`a5gA~7-X`DMM-ozppYcjEwWZV6^`IzScw>(+Tu_Z#>_b$EaJ6ERndd{Nyy8J~pUS$hXYQ=X<<+tPJ zr$Py{8DA7a)NAS-cif{Qd;A@op#EhJhlpG&(fHgb6H9q7?KYdb_&&gyajDD34*An z%>QO(a7+o8=C$b`d3g)6wQi?s!$TP*^9mK$h81#7a;8GPJ3HtYK!#z0;kudB<^oqz zDS^@o)?4`RMCHuqn%duNyrm4WxgS{o(w(DQuWz>#^4}V3w53xUmLDgJX$OCou$=1J{|Dspn*Od@r@(R*8wISQ#we z(_Q@2`RZx*Bcl=Cu$vfY0jmq?=}y8C_p$1q+zX6+=1V%bwVm*^i7;dn9~&*}cWKpY zFFc*oWwA4Pg3^(OCo(`9L*TN^WuQz56tgpPFWVn_UuKQr)+EW7pvIc#qZvc zghK8p%&=Lib@j1H3CCMQX%Ke?<9AbjDoofGO)c(3(<*(vru22@2g|c-p>wAJAgpLG z5;Wpha=yL#>EYeiSqHtO83WRoWB_Kf6@b~;bGXmmj9o9sCTP@8ch$5nH04-%QeQq8 z>h`Wh&i6gue(3rJbk|J~h$~?iMCBM{>I4Uj+L`dp>1clQnJ&G2aM$$0V&gRsX?5ry zjgHBUGd-YK|EBYX;@HycE=K#k#usbSYi7RGghmOc5%q6QR}Va+K5h4J{MN|45-s1R z5NfByDY!%GaL;Mq`Dc>D4m+rRX?+Sksab4d_jjt#Y2BDwX?26CAHrNsS<&zW4o7JT zP5o~^4)(XO_fX(qJ>y^S(!lOVgy9ugDUt@ z=CmeJKDd;6ZnH1;mTAo1*~s)E>jVUs<@ar4z|)YN!Pu?_y=K!`q(;$QEML35M^K->@|n=# z%{}eki{Fb0)(Tzn_##QMSh&}UWPzAZ;9JPHF%pHBV)^YW0*vD)Ti_fmjy@o5?}bjj zuTZI%E#95Lz}6!nWB|v7N)WQ~gi*1tKD_O;2nhpt<6?lK&L8d5 zcVEA{`}uc)(OOsl3YO+N#0~a+`${1*QqMRl;lptG!Zg@8>K-#aN5YDZ=2t>BIK3Y$ zIgmM?&~|dc&#%ya>tozoU-q6H0}sT>hTQ%;^mOy&A6vn_n|vsccoe|}H@eSCiHCnz zl8W$jM~7!+#537|T=?*o`WkY`^(TudGWGfFg7DWmhk*0y^$ ze9gxRkV*b4y_9>dIV-u=;|E*XS3*oSu8c|Ahj9wWTlvJG(c2x&7XG!MRV+#SwaGUL z)+`UcpQ>mldSmtY>E45Ac}x zt3Uct9C#mvf7X5ry^w7(R=>HwBHhyGT1u}xEg_V5a1 znYeX0I|ARv;Ea$i+DC~VUX^Uc^flT@Ic;Wp2ksO)&|aA*6YS#lLElbIAa`gUsSsd$ z&c$E;;;Y{8J{+03nT09lej2yBGh^l`(42QYyOjx_dO){O?4GUAKa!8 z2?+{zc=jLdT)D`%?*c6JwEr-_2O%`X>;kg=*QGM|P3>~nCTiD+QRD7PNoY#)g3G#1 zS2w-gEqi1GSl3_|>oM&#d=d|?5sv&`y{gf0{s!xqcPRBGK*&QuSA)=13%uDhArjD7 zY*0M`m!t`IU*%p{68B80udPuIa&y`FT;wqGc+dXIe5pAtzp+2`ndjY8_k~1!%<$tk zScx5?*^4HKx*_UnoVGnGW1LfO>xR(1vxnU3UKd_Q{2?;7^(+N*SGNp7MPI*Q zTejrReN&*b=J49ENh)6YHOXH3@oMdPTer-`UwN}kaF 
z=`}#orDFza-;V?U2QL2xK#$d(C8_GPG(rO0;{Z@rxx^hemyfY)SM)$B&RK`psE7+p z>>)X;LHfZG+nC8u8|J_Lp2;UVHdJ_6UV8?Da;;gxg#T!3EBL$}cU>Jnweq+T?MtrS zw9E<(C-Aj$w-nw2?56)YX#LGjxx6gX7<92iuM3$s;=;E0lH)QiU0*K*Ugq610EQ#A zF4*pyaxdWWbwxr-1!hQx9ft$^uceSqH7E99eq;M57ezuW*=wNX#J2Au{n_0KbzZwX z@;-qTof2^-XfFRmTDZ*}l__kfzqaZV`hg3Z0|UmdjQP=|*BXVeeqZk{h;4P+od!e( zoCQU8smsn>lzGpf=W%(ZEp~B>ZK!X_>BRSsd^hytUkkU!1EPBd@_R)8_aBiE-fNck zeM?iG@H9T?G3lr84Fz7GjSK-la6_~3B*hvHxRrnVws;}Tm=cf6uIC9HXTu7TXy6U} z(U!%h&|M`p>%*4;X};E~*4>g8c=sNKdCTr%)n5L9K*bb3|4KstHVo-NNQ%VeFV(=$b=AWY`*1ifYauTIKr})93 z?4=n0q2+NsnbQ|f--P3zUN?w8S0041a~-{mwN$oln_l*$4}ZzO1#Ew8jaS7E&;qs2 zF2)neCf(^a8Lqa$OrTZoq)06$di1+N*qoE2iZx+VG&RZ^VbuoV>; zGUe4L2N@j^y{k@#G}t=tG*hU_BHi+U!5>50K)PkUGMoW!#2F)&D%eKT?xOr6#FA@# zpxS@fAx`sx7Z|+~<+LTFG`zWVA#PGGw2`b>&GI98dH2OfinF>3IvunCW|GUs6abNgZG*i>=IbCDsgNlFFw53GLk~$$V60 zAYJL9WefIzw;&!l%QU=%8COP9=G5|yq2&cSNdNL#y6>xrbjdi4Y!>p^;O;UnYMjmW zBJ4|PRW0=@v!i5eyN^L2@vAB`B(L`<+bWn?7S9_52KcW3dIszmyLggtDcCNr4apPp zstUwhDYI$#Nc60}|%ZE?rCY}a;+1&+9HL6f(gaDZG{Hcfoz7$5Sy zF4~USI?1WYS5N%k_?^EAYM=YRS6qsdUAFsyp5D*AJidAD&I)IWh6V$+rN-z2xae$P z@#QvP3wg}#CFdN_G9b*CqMkKJnUk4YDs4ginpSgH*CiTG}>l{ z_+hDhAMOu-9@|QY;CN26CBnuH0Jl%UjlYz(Z8~l7utg>pI#E|}HI~<0@MyA|V081{ zH`D#!WWc2VUn^_U#iQ_KO1B2yb1n+!d?O69&1ZtM*j8~2U!IvQJWkyHBQ{f)3H8FM3vMC3g zo=;MFBd=8V^3lYdk+USegc@7U&1HEa;x34=##SGd$dFyR`>q_+ACol>dFnSlZxH^K ztQz(`RZ_5h?12>%`}o;YJa;Esk8moV$0q&-d1Ug+-VdwQeCrV;;Jzs)Q*4^IXLzB9 zKcO9)9PMZA>jpSdiV_Ym-tzyl@#>s=)rql4b-lnbGWj^nOk8YJw?)n~#;5B-Yt8Z* zeEb#gO!6{XtLb8*KtVnHgiAaPXi){+d1Fq%AWM%o3S7Q9e?8giUvl*po~O(pdQ<%W}vU?s$b=PV!U41yVgr8 zBot85n^65*byt}g^3mdX-&!70s6CHvISs9v%;#T3NCLgJ+NM-!{&Gj^qUEFH+y@D%g5cOaG{tVZVVI;_~w5g?xU-{R*_4yK~t%JQcH9tt}{H1U%u2i39`XtRvQn3HNZIW#n>h(Yn(fC5YE@K zjk0)|7o_}O5hva$x9FVibh2!opRB1DfZ6~rrfh9`!uiW76@sN$GuDgdZ+TU$2#3>C zAk_aT(gI?(UpR-&v`Z2)LavTxek*1!sac}M57$A@Z`of`k*&H`l%6}Up(PER#dI_n z02Kq5y6qO0rqcd?*8mvNk85SKt4e3Ro6hvM%RFoCO*w`G7h7REa)HNO>aLd>pc;h* z_+Cx;y^X{lB@wc~G+Sr(oxR5cxZ|gLdjXi&IbGb(-?lPUyC7%0CDqF=v9*q5?XIZ+ 
z=&cY0kO}(eHHz~;wo~1d*8`-vq>DkV&VrP~VtE9S5NVNV6PWiu-`VU9JlerzXqhrC zP|#A~KQrBUV*mOFce^4R-7V)YkoQcsTzRe(j39|BTbu$W90Bm|Jz<4z)sy{{N?n_ z?-n5TWLH)%)xTW|5ca!RC}H7ITP&u8?WZnRk;2RLxN7qp_JB7T@7KZwI^s@%=i#Wr zB`R%g10EN1^M(Yw7vB?nNb8`>#a=%5qt`5ST;9B2JEeq0WJLZ3eFwNe?E|FuD44%= zhL=H1&){M!oO;%z7Z~NASA=~3exxTdrLTehQd}a&J)J3zZ6s*%y#Mgdv6bzOjgzPx zRvLX^EZj`lQ{xguJX!3E*Vq2H)BE@F!GDsBTnnWMBE**yWW0a9B%5Hiuh~=?j|TPY)i17&2Z7W$ z45A@tAS_t9%=-}_g7fE} z-q;+A6RjvE&;s^hZ1%zzT?}SRiBEbQImAEqpt(w}d3LR_HZa`#LiV5OAM*bnBj$oE z9}tJOF^+1RQVYK)c7*RrT9f>dlbyNy+Jf%?e#RPXK^sg^+tXcIU3y1JjgZxt3NN%w z;sGehmHi$dtZI5n=`7RuOg0V(l;Mjf{>D4wuc|YZYeGDG)4=Oh&X{^{rEnSxvU-l7 zJU8#=AqT+7-XbBfZ><;@zcmg%koAug;}>KhBie+x-XHv50#^Sm87U&lq=VVM>{VsT zeXkKZiq)oG12&B@7AwBje@&BpUsXJJh$v8KHq^^Z-tE>)w<;-CKZ0ik)s2 z)0ciO>^myW97ACV(vD(#ch0S()k7}h5OTUa5#Ak4%^W+iTp-9D6?d|$$3e8jkDB*5 zi}Zh=Oz@v^UKanPYgxUEdUGQ-{q;LpT`8a24?H{?CN706=f2zE8z3(YUGX)H!0l_g zOXi{zHiw=c$88br=~rfXhoDh^I)kO02tk1UTDkZYV3M49yBJE1f*_~2on_MX{%`g2G%c;qaS7j~rAWaw>J?%gQL z-@qExeo5zV7EpAF{$PU@-SYIi6+SO*!XH)L@4m1mxT7e)?Kg)WyBO#4{(ObQ*7#87 z>7)0jWarQSc3Td-KIhFJA9$Hcv;%ai0qtA(Bv#kh(_|Pl(kbYY@k$Yv2u6><(ZF#> zL3_$;W`V6dIi#hT8wuKcmDlqDl&!`#+(Z8z(52gaYX?)IKyTKmNj1F~-Q2t* zH$#vnR&4L`EdOCz7za@vED+P|zqVvD^V~HV-O#5ia*r`G;@+>7m!7EMD7%;jf5TsEFpIhKG5O8Uo@JA0EcuN_T3ZC=N?)%1$LI`5_8 zowC9DDzYtUlKYPb&=pZ~4^81u-}DA;R9i^vnbqeJq1KgIwO76dvhE^dx8`gMIt&EY z9B&foZ?`D*+@-7&=E^*uey+l&MRcw1RX|=&jq6gAz`9%&|o9 z2G3O???Dfbdll-ROX=@>XD<~d;|$JuFP4%F50$53bCD_iEPvB9(KZXE0Vk_nsi1Gx zYlH2rf3xIb9ZVH1oK}B6-)LTOl1!nwc(euHt@YId0wxU3Uz(IwR2!n}<$yMRC5!5W z{-cBBL-o}xR!`S4XWh&3+RoHWVaOCbH$ltx@>l&71Jh<&3RC`s@f+KnA1?dEWA$l*0GiwJ2gl(`@2Msyk&HaT{$j&}4 zHv@0xi1b!Y4h(cWE&S3IwL2D~)b{5pNg%E=h7^p93huWM;Ywy$zN56g?_ZxMW`oPM zYsVS*7h6>k4k{1a@unNPQiw#9&Mqt$^4q9qdCkCg5Oy)Vy9313d!|S(daJEFkrX(0 zU)XQ)ny6Th4=9b$to*WPGZUXMkSK6>tv{kUtZD1%>`9pFy_jg^WwUcM^Vj=ozNC@V zUIBR;zs06qHUX;Ky9EGKMk}zl)&X0M*{!~*2xVR5O_Xxa0!KXamla@=^VSPsVXA1FiC{ULeuZ?hgTMJ?gP{`0 z2r0hlQk*P(i0>NY0hBBy{^nQ5`ZH%0k0*KA~ZxcY??TXOn*M&x`Q%3gLJ 
z0~%%0VV&cts*@n&y;L|RX(@NZJddl##q9H|dD8kR$ywNe2H51$LwE5~)~60qoDmu{ z%i9iHs%h;?1??{CbrYK;cJ#T}@=`Vg-q>nza{Y{?@nc|Gc`I9<)M>5h?eVeC6F@|| z=TfD8{7QH4c7kHTVTn<=^8_fdXE^t%%EQ0EbiWiZUnvpoAdgH$o#vYs8uXh>KO;=B zLWWyw1`_`bZyyJd0#*#mRKGhz(Wh6tO8qT3<#NSXHbAZFCjITza!N-7nHfI~o*1m= z!iGsj{K?>h2^uYG*3=Fq5d$Dk$`1(V!7t)eR#nL*+>I~%4^G&>(0qV`;_jOBbDm_! z`;Wc3z3DWo=bcZf_MHE(1Y(Z7Sj{_}QZ?LD;=XOTj#PM@f6z-1r-;l`tpP9p2Oh3f z?jtAq%``OrYd3*Ued{;Uy$?TvN+BERC_sR-ZZr5IVMDKZ{9yDbo=yJ&a3V4nn<;&b zSYh}ycUR@oOoS|vZ~peIV;J9`i@0g~tr{a+Nb%+T_2&ife=4Ag;E`YNuljUAhcaD( znvfP0Ey~&mhnZ5_2~+QG1APCA=~vn1rqf3LG@A?^M52wC#MbIC zDspNW*D-Y@NT6FDH;^1&Ug+uAB>A5;uxjx?D&R9)3(rF8(gk?@S=y2=F5Fv`Pu2G8 zRIhlRn}N)eYE6iVDTnch}E87L1{} zNq$H}M+qjq530&kTYjJIM(~>MT+pUWPyvH@!2LwBpP){pp#bx*K!F-v^(3K;Rm8nM zU$A?jeA8j(F>%Xk%(+Rm3t)n7BJ%z_PgI-cy20t}5i$C1YErUW7ECV}$f&__y|+M8u|*Y?tgBubf+P_}MQ?)xyxo(e zMMqy4L!h_ga6#SbAsDx`l)o+ORVkwqKY96ET-%^Cl{w|F zV{{o3yObTpT(rFHw=Sf_$m((ROstD9RDY1tvBNg5Mhq)o#IPPm!b1s#io#BLc3UWc z0T}m-#AlxG^UGUh7f4=umsv{!-VRr^*BcRzERuilaCfx`jo!b~y@oNgWQ5434ZReN z@@>BOVN!_cnGx7rPN6)EB!3_yd40rs#3-KUsQ7mQ^Ry{gfaT43aYPoW_K4ZWI_I>H zBfmJ(O49n#j{PH+ZhxJRAud0kUv<2hN*6*!ce61u#sO6#>62sg3~Hiaij&t>Ps@(p zx_{OXYe4g_l&o(8 zNjgL#${Klfx@1SwwK6l4crGll?Ddm6Kkg~~KkU6{R8#BrFD#&f4WxrqX;HcbP(zbm z6hx#+69G}_HPi$IL5d)vfFfN5rT0$gMLH-o5C|nefDn>U0wi~_w`ae5pYy-xzF*!i z@3>=RFcvGx%Ja;==9=?2uM8xz%q!RqEs9sPUZ0O_*4x9Zec=+o$YB{L9z^@y$yO-l z;A@j-`bj?fJhnl>a?8Z(%2G|exLXx5oOAT*%G}_i^o9BUjsvr|b=5@8AD)vXdj7NF zQgWecFcI>bPc4QVU54)G#ebMT0TUG*pB^8G8-BOPgo&+gy!`~Fl!PJCst-Oug{lUY-3om4YWTYJ(KuQa{jL|wx2=LFe1w1a8+O? 
z6zWco(JO-T#XN7Tc?In(35(5NZ%cAk^FBUB7EVG&$X)0`a>ls;D82!%COcNaOXp-f zCzOHvt2q;3z@&8GouJ{MS#SEQ7g|24C87aL;lN0ir*tWDicjebxq%MDku%;v#nD((+pU=ry@#(R1aW0mh7c6P z<;3vfJ;F1(lz~vm->DzdbH|s8te(=Dp9^Za^(L56>p}~my;G0AMx~VrtqI%T5vY>i zagHy!m!jqB^12H}=i}3XFHR^q&BbV$R46#p;S4^nuOCbFZdUpZd30Cbh8FrWl;_Qm z+1gWyymtEW%}YK%&%JJiP4zp!MY_@YlyBdi3mr%l`I%ExXVQZHx_Nue;*5_ToV=y0 zHRf&dS&k2^pLfPRtKiEyqG-WG(42|XC#DsPp*Z}%umCPkUfP=V*>$kDiKx(rFr_Ks zJWs(DUZzeCthe<~4d_+8qHH&qU#xOsy7|*x*AB_zGwX~T7IFcfl0ii9P*=IwIDF6J z*mEvCHokFt^SfjR{d%0D5@>}%f%3g;^Ub#Y#odCU%d9XHZg7w}Hh4;nV|}Kc3P-9l zKo)P9?!@q?NB0eeCRu?m?Gd~l(Rz3bRtzHNGHJP#{H?mubTEHTk(~&E<_qX%mpFfg5_S7I~`LJ%6Lp4bWb{f2kVDp$Vp@uUs*$RyTjU+;uW; zGlOe=yv9ECbIK5sgMPKUB-3VD)l6d5&@7Ax8*ldDV3em^sp{uKhFJw(M_s?Mx0|4evxqBeV*kdv;vOCE#i+CAd7=y<$5R{Oj> zFYg@KbyYS5?$RpnH&!#4K>h)i5O0ZftU^exD}UB9H89tHb+3=zlM zw%fQTOmKey*;+_^WFa#V$*M3R17?0p2%_Q8JYjzhCD|7n<OjM~pIbZXYCxvc4RQ+dQk6jBr^wPiZ+#fTZ!Q zyfAxn?b-;FA_6HqoC98CZmw&Xj8U_@FZ+s+-3-b_7=b-wX3`+FGVzG*4-gK6Tf{`Mz!vvQ(yJdSEPr-+02{U`dt1AX4QE1xWQ zr3haezL*VHtjY&Gr7*g)JJ_C@8GQl$@RNs-a$(4o$8wsfsQCQ6eKFTzLbktA{=5V@ znEZi*FL5_0fieEqEi%~r%E0SY?W}b$M8{X3mXuRUb;z8eL0WlZ(t@c_l9yb7%$;$& zB+)8QZr0?}sTY(AGF-UB*WqeDkXy}Fg=MYzLPh#H^pdnwIqz43e(4}oUvxrVcT6U- zu9O3>hJQJaa^Yo}``$}il<6MlyQWlXzJQp0)Ah(Eq^ntR+00$0!`0~2fqwlCMaLJm zZ5$8BUm(p<_8DLoH?pRSq62Ysy9+D$_1>F5U3K=(4yeGlu@+J|PrP)T@w<$4y`U{e zTpaqrD?*}Y>yHvy!s*_E(2?f*Gy-UE-HXFZ9P@DF+bt05 z3{)5#5m|AWZjnznjP=XZ&==Zy9WES*@6d>Ea2~A7P4nVfZM(r6cX2w+5-eoZnHnts za=5} z)8IjNu)*|HC|a55-wSWQ)!(U+;Tpo->tJwLKrve{$~;wG$Im`*CwZEaV55lPX{(2O zc8Xkv*Rjrfi-!RSVR3unpdN`i2YqrvS8icvR>@^|^itMLc58Bk4zcZLSbvdW=pYhx zt2bfhCIOomN-NahP;I!-4u0yO-DrYH4a#-UzBsJk5#KnZCwX%7AbBL=IkUfj=h)IM zZ5X=a+=BJ7An^fp#R8t?xJeO$xq&QU6VW}-1d}}0Kz}j=J|CJ4DLZXI?yy`gqL#4> ze>{7H3eaJAOyNRJkl7aILTC#-kmZvrQjH?(tPYD^^@Qk+d1LaV>GeL{xV%zETqsvM zLz;PDElhTrnxZ>G03S49KB8l}ig~ zCFwHM$r|fI<-8j{bsr$)2klirPSCz}02w*|{P7gw?MVmMcbG6~PsW|=_SkQ$?cEE60=jzEeV z50{2QnTi(K2$|Ji4G@?g(Q1>YW_W{?6mX|H_Ud4}v`khnS6Y8fgcGto2jM*CL*&L$ 
zE+*GYF|WXK1UKiq6v&hNyvM?Z@ejw4*GKpz!I~z)5Vs zc75vr50lx0;5{AggSdZWen)Qr>A9zL%&Y*|vef6Jwl`oxd&nQ9I2TjGi*>UA{LZ;n zDWFhCSqCW8(Hc3ztukT$91$+b76g~1iv==V}_7QpwEmz#S z>8!vw>TwEu)it(xv!q5|7ZrEcM$<{}*viR{+BPNl^>JiWn1%7jvdb`W{lY@?bO25Oe9Z-=8Uh&7V`dUQu^+0a&=D2Qxm-tKBBS$ z=3^j#ke2;9pNHGq1l@zsf%;3O=&c-q0Cb=Le7_FKesdx+^<$E2MO1*@b)nJ+`qaI8 z^Q|+$KpB=**N!-w`MkWZyx`O3bq+$)x?`KoJqE|ns$d-Rc`mIkIHl@5gN3AYD1WJ@zEgD;qdS`Ig{~>&mHsM^l9~V2tA*fZ z2hDqFQta!Ox3giL5lwP$tMs;dhI#Ue;Q0FLobZgX&RCnAov<|V{TT>ccy2_&M4cBt zDB@vxbM;!Lrn&#*5G8`%IbqXHiQwc#4Pw~XZfSraeNHLuPjJRh(ZBG-NUVizlf127 zsl<8G45rJ?+!V!u9!kDC=v%=E$hn4+y(~0ul20!?TPkev)VkkCd8-wdRU@LIo=Iyg z6o}O^%2d)oWSt@Q)kTz$)VBp6DXD816#P zl~@XHm(v{`kuC^8o(rF6E-^CdDyKQMwXZJq=3MWwU>d< zs!1N-g4b+=-N9b(?ry!owdTrBsq=qqgZ7kq1^yYc=g1%BWAuR34zKuPZda2wo)Q(R zdj}+0#dT2ckN)Xc1k^l`-XJ6K%R4XRm-k~fg88~t;D?($KVkK(2b4K+LZHbB!gtuo zLq^_+#`lRCR-q*Bm=0-xH4VtO9@#XPux%4!D9KBOOe-IN5tvu2%|0t#r`us!wZ2c? zAo=Yn3k-W5kzJNMFs^pzK+`)APA18;_Z|>+TE9s8@5@<+MZjgEDvnJIcKg6fu zchjHRzQtS!SCt=1-XUaAzIqH6&ub!ce#R%!*bKiC+jbo25? z3yCO@qnWwma(IHaPHU6GY?ci=FwD~L-}&8NzO z%?~vqrM5KYeBNx9s`Ht`kcCm0f5mnPMBSjW&2xV+tuT?zUDM-=e&Pv6*rVh4{%iYk zy1NsG%Mpl&y^gN+7R%k+!T89_Hj&&@u?)tFQ7Q(VE?c{G!j`jWh4lwoDiVD9qsz1W`9 zFLYlrSw&R~86CaVT$aax_g2;?oh-|=p0JA9$-EMz*zm$XX`z`X39+tm%lqE%M`OoM z<W)D(LQx&};&Fy;L-Na@SG=%fa8V98!Q0%nT11k?-L071&NtCD}=q2D&z+|l7r+?Q^1CRfAkKoH2Plm$YHra}7%BXTYM;V_XqC24? 
zye2O5ttLM7J}hiSo&94!sH@kj_V>dXi=;~RhJ&z1fm&o@oFe0nBNBGkt}czvabtr8 zG8CJn#^yB}>bUo00k(A3r=K+u`)(7x^Ed|?M_%nj%@F&L%r(O7;9Y1SHF#52Zk>^$ zfGLUCe&8DJG}rSFM4_M^_77EBFUZ=!FM zYCN8lwdSEM#}kqH_0l`s0g>%dQ9MV2IH{ z52mT%0mLIVE=#cnx~3*kgx9K1WZT5C+2o)?3eKS@-9?IQdo6N<13^_K^QAKHgvkMp z#dzFqXHJ{tWbncMEh>QvA6Y1Uw1W(pifhN#fkeq_ism3gHqH2lDSzg0u_Bno@aynF zDWhMxuKTHHQ1JO>Y&3VxYo4M)rsd9Xr*{xleWts<2I+;e%kA+F23DU>_y=iYYyA!_ z%ZqYY!AYU^gLn;vn{NB7te0I?^xxejWF6WI`=OLDow0p~btN?0gzlYoxFg#^+(tk9 zjzbbQ3Q_i~p$jm(gO#bY?UrjTu`}CLU7`DxQIvu+UD%(NyX+WCHb2%&MOxU6WbStQ zL1M-Gw}pO8V8^Oo*-9y{%GQ7=J$S9z9I&H{)Hs;udnLa)3KpnKfwSDaN*^oOI=kDO z;u=L+zS~QaT{8>MW}C+)NGT?5#!9Zefz8qR(pTAX+hMBD+`R}lQ<%#(DXP}#$;6t} zW@rX*1-(T&uuH?atZ2Yext;X)Bn`jKVjm-kGuvk zfM##(78N1|aL)<-Y351NjT;1Ir85M*cgqsXt+_MW_unwbd)@SB>Ma7Hw($4*ccn=e z(`Xxz@N4^jBxiDmyzi6a_|DoDU8VuUa~qzJLH(ov zgZ}V>0o`i37(aJ>EDfqLXfC-6=NrUi$|5?)PL+X^&)BsgT`O^!+rL z&`DHthcnE>0@BR4QeLYL*jl+26{y3{Rb|0dzHp#rJd?-tKGpNDJWo^I-(Hy(n9F>E zQ&NgK_|cIG+Bn&pGuKnV1l?vst^0HC)e`&jH5weB>GbfpWggba{?x5K!$*1FC3Y;JVtK zCXvDr4Zh`PZl}x8F@>#<-mZC^TxH3-aBZ9_h@6vu|rCN2foj*1Sf+J%i%Ab`)<&Y%OLNMG^88t=3&wch)Oi;=w6t%r(w5yX0jGc?UH^ zPK8NcMT`7^Gp4ic3^`b{_|12)#((*h?C|~Y5Y-rXW}wK@{9c??|6}e&V_7ZVJNoqz z^~>nDf%)bggu>nr^1TCf1p2}{NCta?f6h`!!(h@z%HY1av#(_RenXWo1>Xr3_qb84 zXZMm1;ZIcCb)s1+8`IqvIxzN1=yLX(bo&Jg&OAoSSjB~w@oD@nG7v8lpJ^3? zyvO!qV(56#t!*+b6Lj`HM9tqJQ_iHZ{_=*e-iIzh+R7*=*OzczY>e0_?ZUT#E3w-R z#5yJ^*m07V!5Gm+j?m!7L-H$2%dPRJntvuL)NS$7KWilQjHFD7)u|iqCqKzyPY!JJ zE*m(XNUO4?$%PnSA=sjgcVPrF=q;3DKyXZRe1I_Vnnvc~zvi7@2j9DKajr@uQ|Ucb zOdex{;SI5H_xa&ET3V2F+&kB4u@yuEyE>G!IS{w+{}#-vPNNAbw(@v+QfLP4Aia@2 zna;KC!c3{2DUr>>pt7VVr@r_z=N?agD7CuMcQWa#$TEhVj|}Q|n2yK3;y&1l>B|2> z9bYg%h^`{2nc|&)*1;q-Tku4+nKU&0tNjI6^6iDpsz$M`?LH~>O0NuS*#|Z=`2A+b z$Kv91H8oFN;pE3E{HKGa_j<1}rJ+wIonbGEn&OJ6v&4!>d_!C!%f`*rY{sE@FCT_? 
zg%U4eP5A1iHopJRh?i_g8R6?xG(14Lesx>&!*3FvQe|2nXKR ze>f&rzz*3EIsg$|)^z<*I9k^R@wwDKUp?=*r*)(u$^guxPWfxFAMZ)3Yhmq{rXYowtH~gs860&~cc_~D6c~Qu z*%A_7d~yze7E%Q2gTooTu7}C=R0G}Te7(TL6tkbH3XLez?i=%bR&r13az%5i>mF-?$0uu9j{6!yxl*!$x;p`ls;r8NCZK*B_%HE^I#IuYu<)k1%JqkY=H&DGr5?G-tz4 zRxNniDu?wTqqmXVDh+V_x~sNwWZKW0d*lFA-BYsRsc)xzvaAJK zEtwQ~n)L=|`Y*aCEz^&ntpZFCH6yuAkpsodn}svKO06Na^j;ZOf-Y_We%O=Rkd-Z? zczf0_0x3ndXq!G@OiQ5qfCdgb1b#WA6bXGc9>bGtX7er}n@4_!XB>n(v>{*yS$v+b zooK@J+6TJLcrN6&iNz2j<)KT7T{J!p_vC!u2Au9`hhrsI`6SeW=$$20Yv-3?CW@<+ zVO{Ji*!vvo1u5w3)MVxf_054$MW^ww)P_v@wPUH5wsD_ennCCxzdxG1{AVf`<#I_RA58QdA#IsI9jtU zXy=xqeC4^YwxC@)0Lgvk1<40-JR;?A_CpS6u+(F)$WM_2nCqscbTy2jwxrbiEi&& z`~|+}o}8C11j%bWY_{)UXc(_Lb?A#jscV~LffPL*GEK-#Z5WphJ!Eby=A+JMF-g_k z4viS>c<-wP`~-S1`YFAh)lU}HIE2}(4^EWOFBi(wm8sHez5iVrUJf8r%ULzuaH{iD z-*U!w`u3VpVyf}A(n>zHO%PX}VfYSao@u7~4DP~df!r~64kd4JGqF90BZBXf2AqAF zK5O;)g51y3^jr+<2?R5Pca&!Bn7Gpo``^mx@uN;k1jV&ex(9fNOeroOMbJhPJ@)*~ zQKaaW9F~vygCUKAVlk)1x@0Sg7$8)ys3f{YIMEAC!xDtE%fLfM^O(p(-6I0gmGV+s zFK>O`-?z=hx>C0DP_V6r^jF*r8I-i?(}&J3nlKi$ZN0@X`13ZeJU`B15tanpMJ2$q zZWW>wd*^|{5H0**Y8R#b6)EAgx?+QcnLgkCvzof?K~K33<}dc<@deQnL~y|Cw7SKWkPMiIe)8r zZ-vSBzqr(0Oe3~u8a#9mpaDyEvwJg_O5JIeN+#$CK@ZU*X`F6K^<4Pwmw6mHB`c4$ zA)6<5t#1ZAL>!i=#3TLjDFW;C8F9!^-tstQ>ni8Ggw5s|tN3~Uu%{T8WoN9jyrzc3 zAm3f{OxIuPv*29PwQLYE#nnegkvK)K!loA~@3-`^tDsIgO~rN)KC0Jidk&aXl5?hM z1wh%L3_x*W+H#EQd*<6vRYb(cCL*Fn47E)wO|kk#)NCEiMo|#W8bEpqF11BCN9gG| zm#gVMn!9W595OR{JtMs=1Swej#{(qs^};FGRfqV zT*kXe$B>+-!pV5`p*I~8=iZVHc_QX#uDUD1IQ#<)(RrE2R^bgN1Es7x4$Ah9O+uc6 zJN$Me^7&$e{H?aShy7jhUyy4N9PE|~%jmgy?Z_%`sio|pI+J#V4V420E&~@`F%;&u z^H_UI0~2eO?zn_ECAW>U|-AxW@2sZ{jWL( zebF3-Ws;@`%kLs^R~B!bRygRWf(w%0PYhz1JC#@=;%S1VPXs4f9n;T4E}c32HR;cZ z+q$6Mcz9vyP+V@8vcwKQPa&K2+G3vH8~BjMhT}W;m^@yRsg1Bz9Tc?YCa#Xw-O0X% zJeVy&3tLsCX<@iH8F$u{E4x}!WnbS-yp5N2!-Q91!UMvC0b7{}a6&#V}3Jh2A`->oL`Ky6#nj*cJQ?sXks> zO!KpVY&hci*2sn4N5G+XjM1i=0Zijs`8WqP*E-(3(jG2vA|7+lTB|C>u?hAFzE%i% zQ%$6QyNM8|uBVEJO8G2FB=4pQCoS?fhEp-Tb*=_*lHP9sQgE`|fd?F1hdA4gOUYmyRnCFg#S3ALg#74Evy$9tE}& 
z7LXQa*Sk(5;EiWwQI2T_zvSXfh$Kgwo;^<&Hq!bpTyhI&ZFW8#xuwN%xP}W!*Sr~~ zGDykThU@BUw0j-YWyuyc2`8jY)Sn-5pU=;!m?m|jX<;dnF)1cBW(V!SatQD#T7|0$ z>8Y)|{gv+U@v}TQC*DX*;NrazwY5Rv6~t{*(iQw)NKfOZNie+StHyE+2hT<1iesa)*Ur|P`* z<7&(*UL*?>mI0eX+lxn`^-OP{kWuRCOq27pDObvvm&(Ft7pNYD?9C&FCrD0uSheS) z-lhQzqgCJ?p2VzGv673OKV+b?O8W(&#F`rlq1)(X|DGQypOW8-mwMpU9$xK%_;d5E zD%4z(;?S&ni@D#6VME%r`F0Fp&1xGz{MrdVUd7=nLR7=6R&mmgA@U0c9w3?4%c#8% zIYx=G)@Xxy)K9S#lQnv4t{u*FhT7P)Pi=wk6VkiWy1vNeD>;>gE>3>CkY~1ke7Q-mf03hyg!{-SI{TAYK+-$H$Iw|SQ}(8#|ouI zSlwaql${|2J?WpZCe*CpZ@zjSl(mg0KGhPO7qc8-^`Hja+0YR2!Af{ZJt&T@b5MWV zB35{`d+^np(UF{i1TV}n&5EnH3arZfuU-Rj&G!;6eTSr-OvOkC@s*%oB|z?t$y}=~ zEJi1qkJ%eo((dzadEO8_rt!P2EJQ}FsbtN&uixhOs6rHR>B4i-6cuWHZXn})Rr~Z|?YvfBEya7I_KbyCuPt8RtU^KOYMh9ZyX zF2DB=Y#C+j-)Y`{G(kGJB)X&3b1bsk9kI^X)l46V?!KHioP9wv?mM?*lHu2pxGyC0 zMjwGLz18Du3*}{*&rZL>bn8}aa8w0e>%Kl=uhX%q&SWZy^upvUE>(4{N`fCgZ@3@C z)*o1cW79h<4otvEBMMk{=01P&a{^gT6c=uyY>xznz3KKJMO=xY^v|PaNDUxTlcxsZUU+ z_yKeUC4~UToQEn1RbSgN=4_#;z1ul|XUPVkw0kv9I@0Q7^R zb`GB|vC85Z-8Cjh-LE4NcM8hcuT;(FumSiQU$=O#%U4)^Q#_MYGVXgO2Wr~b?S14Q zulVH7wYD^_1@e(dch3|v@Vfv#Q`08Vy4APPFTK32zmva2Q|u~k@th<5u2gMGxZSje zsMwJLpd@0*wi4;|)STyR^l494zWulQju0>F-Z9^@i9gzj|7v~&`h*`pKUJ1@M>7YP zK!EQTDaAjon{+cN8pB09tgOC6T(YMXy%)?m{uaLbMw0gEXKw&py<2fWt+dFS<{E%s$HJq{eQQ9YAT*WTb(&ikYkU!FMmqY{V$@;#^z`0IXv zU;P4*ZA_n0TSOFGH&_B4-tz7$hTMMYn~B4Iu9h`QE!k)c zmmP)6Jx|V7i}8cl4+@(xRr ze|5Yj0#BiQAD?pL*>3ZhUM;+lo|9JxGX?*yyyXv((FeM@Du&wuTD(uQ$mIdlQ0*o3 zA0;sWV$Hw3-h?RMQXOX?%TGs2D?IL$dG@HE+0^`q2siit}b$`P_( zdcc$>pZplKx3-*IgSJm_Gp*I)0MSY`VKfyiAM)iTzBGIRB$9p}|JN@5HsSX#IROq# zPXgpgq;h5z0Up1x`usR;92s8B8rGfvcaHz(aT+hRu3XrJw&W-N$(vBCM~B^nP65|y z9ksNrv1kMnALE1(uC|L|Yx@;9k1Jz0g*PUcv+1BY*sk1}d3PXIFS0J^sosJyk&i2# zr3w^WH@SskbhmcCt)!lHW3B>fTeHi)KZIm2I`<099WpiFs$B>)sn#QS!JHyP7A^{Y zPl(Yk;|o9E(if<(Oj4R{VP9+I$9=dFVvsY2-Ua{Eb!a$MbtT2}S~x(s`bE zL*^Tq4~!~x5fdSS@#{3~>fxvfFK-rgju1?+>F^+d`)v`8tQP=V? zAg3Mv{q!N{hmVXqcg`MijMX*C-)H+HR` zQ2*$eA9!C4r!4u$v%7A;a&o%FRFiYjd;w0vcnSzYcPY(SEDNN93m_6740aa*RA@x? 
zepqJN!!uX6Vs@bHhZD2SskZZ9s%^#P&cE|5yrk#Lim|jFn{pfONeX4QxoL1o!};Qm zI!29#^a8Org!$AU0m>rMikoi{+6_{=A_ z|MR1NKjRpw{6v*wgBnkA-vWtAi}q1^OelQuww~4CHCP=Xs#?q=T;1xzxQK_x1&E4Y z!z&ZxYV8C3i|Xj_wsa7~zP{JdO4!rPXE`aJb?z;q7pTUt^%d&F@B9dM#_r09IsOeV zOf>+Dq3`cDHpW+9LbVa+CV=g&xb5zG^B4u|GQhY4BU6)$)?21sagmpCQsZF>_UyOZ zOicAEXHLkzK9G}rr>vy%Agn?nrZ13o5K0q6F06u-T3txnZ_Dmz3*(fbJW3%mKgx z2DJZa5&m)J5hvhR%}8BpA}Rc;R9OPW%k^cPjn@EAY1Cx!dr;i&F&)|!>` z^s}2T3|n)Q9pOi`U$Yq9`o;Q_cBMAjEuFGyZhU}b^Fcfm;AJW;`x$L_w8X zQWB6jb8lJOyhzZuISZb#=Div(K(1#MI7;DaI` zRG2AZJz;CiXtuC8(qI9SePYffPV{XX>i>JnICZ8zYCNX5Sv`Hjh5)bMG@;I{rvpWk z7yD>Xz&LQplHD~8cTJHwtj}DSzKsv(fo)fgE|xA@BR)=dUR#J<^^_XNp%nVvUc0~5Y-MWSwAM8Pe`PTD3cKW(8y{O~KMoq)**_S%!RTX3HB=aJsvO&GqRV-Nh zhRqtU^yp*kiIr|T0Fpw?$N#s=(jxREIP1v4^q+okew2L0V)Qa64=6E}KEPb|mO7*{{z>-X^20~-CVGZJX`eflltabWcjY5zl z5Nb6lIz(&#a~c1(NaG_&VXUw0(>;C+7b}+4cG__NJH8$!2AxY85Eb>1u{*N=oT0jIR!Nigs-()KU*mT>lfvo?& z#WV|Q0Of3xWn+^>hVQ9e_%(6`7zIp-zC(V;3-yrV9Rp{fss+WhsX)Y|(Li=s;3oZ9Kha!&i${oeE5QgHw{~9xefIbGN5=plcWm45E)<)ah7a+M<6ffyaZDIPy9b3*c%;S84pAVz&*hK5Gnriq$$mjTcb(s68SG7 z;$Lrl23pa@-vf|*|J9`Y`R?d3V1J{^pwd%+XX5|v`2UjmZxQ_{U;2<230Tg&Z*r#W{~M(Zi2*dV=hZ95zm)G?FxW*bV%M-Xp<_Pt>R(Fw zZwKmc> zlZ6hg|Fg55?G`#e#B8I#g5^^9klOL^UwI!}fg>MHJ@EK{{#x+y#3NvtMR!}#fBn*h zQ`I0>%lCcPJVS$qp;ZI4^p4y8(rc_90rkWE2h$Pi{s&a$Q#km#_{UGDwY9ECAv1jH zco{_+uwsF1BBOFKM>qDDVTwk>xA? z?%&CA74U81%ooEGnnrYih2~UYCp>qU$KycT_boXoUUICw}_$hAk zEKs4DbCJkz2iN za!fY;_ns1!o2GFl6pa}Pk;WS$-3YT9E#5fEizy)f@2Q(nbFor!X>?PYAc~b}`ij~( z^Pq}x{J&Gxr+YPi``@OhKPkv+AoN7#Z@T+8Zxt5>$ah@S^`75eDFl?> zL>*qtT`n4%V5kpet~enUC?H-4iTvQ@NES)z>DwwJeAp`6{eUuqzWYl{#PpjAIqoVZ zrP|My-ZzgmeR{Rg>dAAeKR)m#Jh+cbWL=@j?xP(+1fW%j%#moxjD2xB|J&iqUk4U0 zfmcgz@cmfMuAk7eex+w%*x|U%$-xDbyOROI-7gJ? 
z{s`(ukIK78trytP)ke(^qa?iC~AbDRJ6upv#s*H z{Y%1j)^omo3rPza0OD5C658+E4`4e<@cxNS3Wz~dHt5j+v0X7I71wu|A!F^d$MBGT z1P~MXThwAQO7h=NWpZYea~-e@aPMW?F3rgbTBOVKY_OaMbJ`h zQhXq_O#?K0*NoV~pJLk+;mc<^0j|!LFq?kcn=_CJ!w+T)^mzdHsenmvTHls1*Z9pp zv7=~7_(F?7{3}9pyRL~kJw1ICqSP;;s{<&f=s7H^%Q1QT#K9p_TvD{w)p%s&8Xkpz zxz$+Bp+%kdF*v9Rb;Ih{blZ>k;Pb`I(?002-L|mZbS0R!oww1;u9g<+c-|rtJ9WPg zT~ApcB|ctWQFV=tY&dz|_&;0zVuC$`27gTp-tOyzsBKJ?soH6~mk4JbX?aM_Q6f-Z zU9K$tHwTIZ03`vC4Afa7KLGYm{ssVASx7q&fAi=c@gr#!FYN`G*QDK4qnL5ASNqjb zsyyfY(PbP5%BKHy8LuPx0PsLx>3=$~Aj=1lV!B)#@rhldl|J!AqLf^0D!P%SPb6t0grJfsmgbLNct#(1NV9sex* z-o)knYd%iE)Psf3yHnb49MTmoxqu@p3%}|hWZ}JieUV^}wgaZ<$En3I3NJ3M-R-LL zlPAUqKR;8~J9>AU3os1sn@RwYI(3>lR+J9r2fpxzC@X&+h+xhcQ1moKfQSlUg3({*K429scuR{mIs6w5cef+0sd;bwW74u>xKFW`c}cJACeB^!^TZZ5V8@HlE4)tg^wxdSnM) zSmXr;=>GBE@v{Pq%pJL{aCx?|Q~aS<)*bB1`up*zJY@0bnRI+D;yIJe$~6aFy3abnYNp?X%owQY zghZ7E#0@SdsvZjoWaMW|l+yfosP@PAA1wo4XSx&S2iyE!i94dsI%Fux%}}6?}|ZQ1ra}drrsE)%QQ| zzJ7R0HYnUU_Rgn__t}Dz+Oo07s3TZ6p@ogBiWF?^eq8B67>-0L_&yA0(9wMMvb8kH z`)o-hGtqO}#r;V-*7|UZePItX=K9WeY8|2@zka=dkc%vW!Aut+*?IiyE9>!#`B_)O>SxT2+(T_j4Tjoi%ISEAnM+3%eyd{JIf zqCJ`TlnZPu)|3{s;rBt&{)b)U7h#g(lS5Ha$+s)hg-pGo@X=bh<7mMYKYsntvGwF( zBeNH)6JH%l^{Ucx$G!3&5A*C&XE!no(2eMEA5LAPabJMbGytn^oCA1%#CU!KDkd9% zbqXe?^i;?1ivtX9&&a0_xqjLg_C}a7Q6o_HrE(gbFVaCPtbL&?fvzWk{a9V3GW8L^ zl^-)6$qsOx^T1U??}V+p+xm-}SE}&m-1#7c>jqT_!>JMWBQ*OuSy`3Ns{gQVVV zOTmIt)B=*_wL7;`O*C0XNPm={MEM!&u(=*3inEK;SX-IIbL5hKW1evrK>t#j!Z|KE-SQvbD`k0T+f~xbKfkA z)L~_G6XnI%Pq?h9!1X)DCEOv^#aBAl_M?n4PEyw*G^(aO`xOmG%bfS=BlE`c-|r4F zz?8G5Z)Rt!irwEaU(CZqh_|WspBhK!2Bqy;sAmUlj0ZZ>Qs2_>`OfbYb0^QYk~q2N zI90LI*2@Cu>W9vkRu=({0f-p+hpOA7{It{0cRi!RvIj8P+zhIosNrVaY>d?oTU-u# zQgyxyaH}?)Uee1y-kezTe5W@4<}%*@giy;CX|oJZ$A5GwAz?sVn$?m`WVq>jgt&BV z3CkYO;7c1Xtqlz&ob%4-ed7eJGqdwbl@#CWJU>(roLaV0Pbdq2q_r1)aHUJITD4E?-VuNs)DI*Kof3x_mvtZGZpK26w^niE4w+8BPTa z3h(91qa}e(3j5o?dhpKTCEr|n`95^fP}A9!2MeFgS7{e5Sv$08KByUn*NkwUUdmpCPfxw+PP9tY=Zee`|FS%q}w>0pI{#Hz8-3fib{MP#DB5157+ 
zy7!G0VA4bV(eNV{1uILQc|#}2nAn4s+y8y$;c@Xfbpde+gwyemdZtY>zrKKY5k0Jb zJ%1-q&x>~5uQIUo)OWjd*B($E4~FlG0>I_r`Cj8c6}0QbpBgIcziIyPp}j#}>D3{0 z2{$#}Li#c5YCJZ%tdq{}<1wu22OqU%25Q<9TZ_aGQu}_JT}z#m`p$}+921|w#UHDMIiGRbyg`+JVqn-e)O^lkUY&x946Y_~^HrhvzN6+VENIuJK&?PYj zuGD_!kU+nnr5@-~_p_<0l$m)Qf&92|%Guk&YUAfOeMSGgjGxG#Qg}GGp`hecJAL)y zg4bIXUJi@39~q6f56euo~9iPJn?^5Fm>! z{Ry7ie;WGv6Ix;MbUnKX@8|{ov;!;D+pUt3#dnnM6Bt6)*nyn3#9O)^vhBy7fI&!F zZJ1bOv4!H~3Q`V;1mql||5Qc0Jmr%jEeO{CMcG>hM7ecg!-}AQ0gNIj5|YXw6Q|KA%;{ChYl$zB~==RPGtZk1*A(sVuWGH8DWTT58!j~eD9C<{p0cAF!#OJ zUU98!t+lri?8o)*Y*mpXv2 z_S=at3J9x)VInsqH_&|SygDm|((|cy_37ykvwU_|ciETInZ14Lr*n&yIaeYCfYJ-j z-1~YEmjn%brRfocA(9GcmVIS8@Fz=EM-YVzH>r5K%_!I*#zT&y#d&e;pNcUryAAgj zAggNh6JiWQ#A4tRw2u~fS83=7`J^S)T_b0YUx>~nFX7YGE3=P24Rb-)HWC)CQ`78E zKXq_BQ0;@qM8HWF&s-MDdaADp~LyXIuH+Kx(EUU{`%eYnpQgJC2(u4euYVjPtiDvsN& zbB%5{ESb?j!0P<(T(&+jhCQ8}tV@Hd?7C0G$*;2lG(hRhxv_nW#&V2Q-v9JH8VjE% zAdLH##PII>);(qLmGUN!Aa84(vYkl1_CuPL2TEny@BCU?yZ;imXwaTdYIu1vl(&46`Z`oZ@n3mBigUjdb>=x^j^gO>lRnYVws{OpXvXox@<;4qG1dL3_@bbtT zG1OU_1AREKx$!GT!qgOj>+q?o*-7jrmK{l#yAz+dPdRPuex}eSOC7sCO`+Aj9#gQB zIquc-poA;m<4G%EVzWp!*>6y>o=cI{EZn>rhS7GJR3%|52yZ?{dBxoi7A>o8Y zgQ2!hWR_OB-EgOJNkS4*E*UR?pbZX>9$fq0#ZguXM-V926!{E!xO=0$<%?N)(Ce$D z|1lY3nl}(zZS99;53tLX)7kZ}Ty~eT^hSl8BQShE=#xD=b8-?a-Q2sL618N?SI)gc zSK}9A+%VY^T+5{cLh?ysuCXZQoq4n4(5I1m(GKrol9aZ?_YVlcFSX0D_3QNmihOG1#SMN8q`d7 znPM*Co1{{ROZnr4Q8q_x*Um$ejJwcQ&)dRT+QrYEPZzVc+ecnWzPV(SSPD-aS+i1y z_HB7%QfWU8tr^`bur1*uhs~4gb@pE$eAfzN9P^vgv>j1`)gBdwC9eCtn^%Gn#;5HF zLSw^aKIiS~goho)o{*ZyVkV@zR`Uae{zRZBbF9#L{H~Mjv=*8Z_ zI_e=h+(%(ERMury%@m`(4#>?2^ z^|t}E*KY|P-;V_RQ6y+J|5BSw^(J`f3Y6M_n=rwUa<$0w_Is39J^Y?YA6$a92#v$a zFN_bcbQ`|Yidv7c`0|aE>9`Kfd4~=dpOaGIxpQ;zmM|GT2M6sGUG)sD_#s-mw-LOS zTBsqq<0D~Sj)kz|?*0LWehgg|6dR?lW~mi-3*4rOO|U1->!;dv^`~0xV%(2ib7&jF zVS>J<801m&JV}{(yiI=vw>GzW661Msj-p*|-{4M=R#n5z_!h9ymj*dtAfFXfZfJg7 zjK6@LAmChUyb6|fY8@t`1#QdcRHI06wS$Cz#F%-8J;kVOH<^TG<3l$}Ejnz9=ZadG zIF_@R=aNmELm8lUggPs_;$gft)}wyo+P2q^{A#30Xb`^`$q+4Y6a&j?<@=5zBm+p5 
z6#8kBk)3ciQ953q@csd=i6bRZ1@C>i2t97qmLQDaFQB&D-#!Q(u&N4LC05^t??flu zd2JvCV7Y-XD+>%2qOe_*Y3=x)XY^A(FMpS{9aG0}9opZ=dsgwh&pi_mf%v)&sUrt} zwe+`VQPIjBFu(~adWko~~g&Yh{5rwgvfhMu?VOyb2{OLS>3=~T^o z_nP0aMtP#dG8Lt*>~O>F+cWq4Yaa)`4qn+!;IHdc86bV=TJCXE=Kua#< zLmNm%bz2uBB|Mxf?HkM&7J`Ix?v<2<8ke~i;GDvPO`AhvXX)r{%(X#C>nZbBH#LpU zpBQ`iepo*;`>aZ+mh*WIUlkj=r>mIt$}th^gHNxI zdep|~$3~P$n>%Pj8-C6ARc1(wLq~Vq3oaq~mNe0p5@m+c2L_U^gj-9w}`sBeb&>K9u0xC;L>H!(Egy6`HqB`h!MrsFej z=HYt7-F(Ax?^@+l0sVT(Au@-N^7)AkocR0PngxD6^9T8q+LP^dmg7FVkfFZaiXYXG zk>O$Xx_Ny%#VuTU9jCzf^SrK3wP1Dsrn7DNXkel9ZrytOFDUx}fKnDH2py5+3}5JY zM-Czb4Zz)qD@CVB$WO_DPuyE`%hzgvXt95)5kyjP0S@K~xANURoj&5%NRh!uGqXC6 zGu7Rg=KI!~(mm^=o^>Kvk6lR8ts2!(ah4;NDUVh<&u8N~GJR~*)36~=EsJycyEn}W zot1fSJLy^DaXz>CQQBTj1#{YmVz9-i&cT?z-YnHv9F9?REMKZbF&mNppq)Dzw(t$g zW!cpu(5snekkjR=CCeLMKxcClsR?I}0z z?o>a`)I|36_sbK$JyeaVu*e&S*JfsF3_Dra_y|?4f2)RyY%ktaPI{;H3OiD67;E^Q zdn{LQfsaa(yEj{{cgnggV06&@?Y(<5u1Ht;q<`GgP;`c#IwmgbHxbk39x`()F}lV= zuAR0C662WN7pD_5^ffdtcZanBo+Hzaw;*qV1v3>cCTpUm7A{?V$EEe$Se-_(N}`a= zOsaF5!DYVFOb02C;L)6lcLf7MAs$+l0_H31L(y?@wXDlOqt7cM71wx1RH}jjgLH)& zF_+AznXh}TcBvZcCzRD2L@QeBiQLhj`1a0q>tz+z8n^v%N1|Lz&aFNi^yw6%Z<7x$ zmt+s)O>E$2jbL0cK3m^r%_3D6;qS%}(}DK3{DhrfUUha|Wm9$!X)IQTh#&*MoQ~i3 z9T^Xapp;)^f~YD=vkX)tdmJ471)wQxQ=OVLpSi%_Hk^@XC$yBLhpzM7Hn($N4VI4o zLLJTy6h>aO{g1*3QxX*>99&FM3dw2EcOR{G%2W*fs9aQC)oYAD?LbtP}9xTvNKeC3yX)>iJC=7GM}mH9_a1M1}l3}QKXDlG@qLNjet2h1xpj2Ju=8@sZP7&P)dI)z-*_?PWR)DFB-4= zss);=M&oVD#(JV4I^$x;{eaJ!PSNlmawbgn^`vc6khxSp)Sn*6DR|tZuM)~6m!n+* zow2hO9J+ZxDwrXBLz^m{(a@eL5hn`;q<|+VRd8b5S7#J?uJv{4ST7NgF*}Qq>5&ob zR`J@}m0TG>U;PG28^o^t2Pb};ca$L(UFzbI9hAc4HO?b^yoBSy0@h6@J}{SViAjsW zlrTTBT_WEQDzcM;uTjeKS#L9xe>_n;@|Kn7YF&taytH;R(?!vPB)^#=f?TPP zwH^Lb-XBe;t|T8xzM66wxsRSd-vWA(;Ho@FLsCi1c?ZJgmKMW>Z_BXSy45<_Vc0)C z#k?$*+}E;GsZtjq#`ZjX^_red!${WL$!)_|wcNR1Dbu!h;W^0kWEwvKV#qK%E4o;?zhqTQ! 
z@1IA!o8l2ZA3ydut>#gSg^gWbQGI{GfTCFSBw?ZCe4B@zxTb=JfCW;Ss(O7`Tfe`) ztV}4ufgoU?g!B32FPcyX$1@?|_{U92q1P<5-eAW|v}Oon%kQ7kI?a!28)yn>&NP!> zZ;3LgeNdaNB)mSLPUjcHi*rV^Nks2b z@r>PJc}`k`y^eF;%~H|Jh=a*dGBlQ_Kdi?O4%VHVu_61QQjTSYWm8r+26$mg#5ByP zkLq9W_r=!~X?X6|d$aFuPmEw+Sxwl4OL+Jp>j}Ha2kndZAP(YX62ars01PH9gn>{) z_}vZP4>dhkiG)WGKasdK@G*`8PGsclffM=Qiw~597~iFx-XLfB4*0yT2=Z0RZiyt~ z^UUS_6G#RAjYxYiy@ofUPFlO6?}5vF?RcK5<;6b&6wr_{Ry;-OuHiRsO(!*`YhPzK9 zqwG495(Fn=%i*hZbk-cHU5b-t?|)PEcS&P^Fe4t5C7#|m?`+yIl&6u)Sh#wnGpl0+ z5_h}2zD%-=$tE#yeIUhQ(NU<;Y+qKz4;mz}pNtuUTO_hKM%!8&6|!kQ%O8cO7S&Ik z9Mx_T8r#_^!(YY{)N0TdDodQXt&fUPEv&X^E+tNk^X_hcQS-hmaH)Ud^y9I?Z^GkC z*Al!J1mqOfyi=nQa&AlZaY2P_M&{i-5Mv$Z!np%Rij7F4e+(*gYxx4C0LKQjAoc6F*zd!H@$p)Jd_BufBv+-Od*)Z?H*>LeV z>39X|XkxV`r?hs$rA`C(1!czc;1SKtm~)NfLT%gWGP@YnqIY4H7Fz1Vn~++;&Q0s? zY9>AAKeX7NY|l@f+^xP~XLs(M`J`#b`Pap3k;VHdz4QbvKuMm5C3_JUG5_*Djiz;R8$8KAhjj zKLEYaQxJpT+mz}NcAD7gmRRxqNXODg@?Onk3qtL*#={~^|KTC1rM|ly zbs$+-=5o&c<*+?+n&jKJZ>&VRx_@VMR^l24UpH%l7@uuJu`|`s{OSzr)^lv+N(_jI1s{G``s_LqR==RGbsZf{hAkhU>}~PcYer@Hv1g<>wr0)*sD9l}vo z>OMWE&!L}6q=wPV@R7G}X~$_s$iSU9GFnLI>orovCk)?=B#KC}w&zO`Rt=e=Z(xS> z_yoXtmyyj>y#`jppfIC-l<>A?T#ND!xNbX4+B^n_`=xJRI5Oo9gzrm%f*Vp);@?_H zPb8#i8e>zeuv%qItYC5A_u$N;_cqyb$OB!J(brW6in3=rQ!e*nysj9Ts#C$9-*V6< z-K?9fF8Vl-H*sa8awm0HW^$%OkNrFyol;GEC>hROSSVgu`NuI@4k)fPMpta_d|s98mAR+egeKc>o(%@8l~kYm@=vh-5z%#F+E8^bx-w=L_+dA;yi@ z#B1icXoPC&a`k~29XStJJE=61#yIj4CKU47$64?0&`QO^XV$>skeMp6!+7C3CSR_K z#tzQ)hQ-2G4ek3jatvbT_`X4#J^~H*x1wM{PS`wK4c5qO%#LpB8sVbGesGh0BMH+ zwVh|?{VDM9w#6}c#&g4sI0pq!G{^S1q4qo1koURYrZ$#yB)C^|K73$*(O3)F2KNW( zo?tdv>=bOdR4c^^j-WP3b0y$TVVyw$|38I1Ti+ml!X!wWle0O9(T=8&`5BPM9q_JM zU`Ksgk>C<$QtHnVN8vt>;^kOV5HzRmd7M=x{d7SUd_zOiXd0P*+Qq-_beO9lMb7hKtPDU-hz8)$tJnc<$rfPlINJLQB zFOVJj38Kvwe6SaL{3!S%<90)$l|m!ukTis3d}_7L5Y1>{zuB#3e$6~xRv|=|4MJE% zPI?O$3RG>U6iwt>8}4HIgD19{)Sdgo%sXER?7FP|)e;F`8ef7k5ySFbsS^k4brGo7F?E0Qj>wGk{dNA) zmavmRqK?)$EWVH^30zx)^q{jQGMp?Wl&DbOuf4dMAH@X59mccNA% zQFWhi{^JIVWf}-x&D>@++vN^AixQW{hrA3Mb04%+``U3WZW8KR(C2N%akunyX$ 
zQq**IRB5C$Q1Z98d$R&p@|$^=m=}J}p|R+)8jd;p>TT78oweRB`BMRF_?Jq&b@Iaw zqF7r*znVipLi3Kse2`_uSMQz^W8}RtB5_O92qf z^!g9W*?kp|2aPZEw8jd_{5&Cl44i09348$Et%lQx10VesbBod^8pl zHP6T4AOK&#-J#vgJ^VcJ4=W+X+7WHM@LRs3<1@a-VU$h7XE#JygJQ??=%`3k_ zbIrf50-ocE;{fbu+Dmxcr{HX~P!Y@&?&@@}`SA>p`ASffq(^+}CodTx+(orR1I7j=X zkC3xa6HB^}E?OMCy{{b0I?x6RFV}M04@Q0lAGN%Obb7|YrPA^|5}2pJCK&kyhWj|W zXI(!QXtBzU;6M9s*YDJ!#%DD3S$=YV$z4&-KC>k+GuR-@<9Ar>}yZ63R{&#dS7w9Q~gvSSQx+z_q*px6S@Tlw0!Qezs{Es&Jc5*mYZY++*S7K}!$p3>Vo`ykCdW*7k=Az-Dx^+tylx1R%tE zNG`l^D)v_x0fP^`oj*8I@HXEeV(h#1bAW(^R-brikbIByX;MUUgf$gqn9t?{o0w!`YfLM_+eJy#Ac z&tSFPTzkI~LTk@cI99!`dg&w`6IZXW!!T=6cDa_x-RGLHjwBKN;dDip_SquSoD8qE z`wabgfH1UoQ^wN?vUB`l&g*tbzYEE?@b*<3u88|`B^U22pltZJ6hE>#sXWh zWY>dR3{?IJJlTpa&;|o$Zy3{_6#O#48t>D@exqpobV$EhBE(6?Ng<#BD*{_P2U^iU zy0q|FqFv^I27OLMh3k1@Gdlyqb8$#heZX9H;OJtl#4=2uZKR10ht1I&k@Z?AiB+iq zTXL?Lt%i@ze^R(5D60(tx7{9An@aYtz3CI>lqXM`my3#u-GEtLn&qw;9v(LH_~(P+ zC}{aawzbNxC)&?L`S_yIWl5noggQexEZS&kX}>%bs_zNCt@(4a#Ad)g!6C+?Uu~~l zgk|YC@cj-A-|G)n^+X!{zq&u;GO01=;jQ=?=F5=*I%HURT*I!xpGnmLchOeP*12;~ zcX9JGR`v(LE#5$6Zq;U5YuPbd!Qo`{Ii&?%f-6FN1g5w~7an=@*Jv9@n8=0|g5a}x z4KYSwVBb8cPnNKs1l*&EeFw{ zeNQW>vgh0qV5&sS^lt#7zw8&Oc&ll|z6Q;PYP6t{0^|lT_OBn`K=;>bR?)D;@hO)j zSD2eL)6(;vNe7%aa*pa3i8x$SzIw;CKJMn@q8w5^q||U8-kMo> zDzwHzlL-Y_$sWc7j`rZeemoHRe7=7cPrf01GSe%1Z}8^s?0l2}9^Bv1ySqW9x|AOT zid#S5gV1wJd}-mJdiR`YUI4^;-Djf_dRY>Z{g)74fYZfF6dZkc9%jy$=MAc3o6jT{ zC`FO4Dt5~r@pA*>nEb-ecwntHM3o!L^yn_Mhu*tdw8>m|O@P|qS`j*OmOZTU`!UE# zn_ukBpE^Jodzy&C(WSWdmKL|uol+c$v*n1FXtV5Er91cKRRRU)rv>yu$>NYyLDyX* z=#aa^7(EF(rks?jTQ&R1?|n# z2o;}4oJCtvK2bLpF_ucB1gGSQQjh0IuK*6nHrZu6s`YM-C=Oj3ivUYIM*ZSxd1+|x zR{l!I3{|P#E#`k+6!C9TWDBxv0{DQOjEs90=Q4l6FMkF4vJM1PyhB}lfD$r*z6>6r zHIAKQrHL(biaNdDOST^=q*4G3ZCgF-J0{0+6j%ZUOA+~j8N4K-qTMBzA)~ID-PpmE zHBG=edXzUO+<-9n;IAVheRD{Iot4CDe8N%M?5y3E6Cuc$-|20(#FvLI&h=21TYY=s zQYP{rq5AzecZK_#nEyHd(fIDhN`d~+BP2SPL12cSIh%aY@4yB$m)P$hhahq&f8jd6 zHQ=$83WW9UvM>q>+!V3b0r+jISrNj^zuzq4J<*S>e>QWj2Vz_M@z&`;Y_A&l 
zK~0N5*GoZ@cO-a-xnjI&vaHmso%t!Pkz<_FlNTd(^>5@;_@hA``w7o}-2C5HM<|eV zzZxvZt32GohHLVwccrZRP4GdL@?Sp$KZxrI@jZe7 zTqxU<;Ua~@t_&F6Td>Pc6cQ&CSZ&`~s>8%nrL|##k+jyz??Wttfn-(rk4#iDml zjG1GVL8_d+u9}4GR4_HegwVN6y=%+rp3e`g>%L7@DaQ=0Y@7#Orz13$KKsIk0{aKm(dtarb2=e*V3RYq`$t<|8`Ny{sJ3OuKAYG41s_RaF?zcux+8-9Zk$xh;GQ{!HYq^B2?nSAA_`yTf*N>ZMX zFkQ7n(HkC#Bk;njQMGM5tjkn0f06oTgZEyrj8&e#R@vDUptt=BE2kTpZ)+ycyca79RdHV&^i_8+O0F&wzaC- zJ$0_&j@tRwA1Am!J^lT?*k<3`WoYm96`o6dkPEuz4+nadQj*u&#JyNp2RuQ1T@~>8 zIQek8#)j7?7^N*un4)^j@vWa$_riJ~^RJb-I;^73Vn=pIv>P_BKI-N) z0Gge_xe;!wUb?q&Z}Go8Qr+DU%97|iUOR(XmYH7IrxbN<6QcS%tJ};IoXcr#1(9w& zNxFzgd36(h`iP3PNRV8)m*ViX4wCnW!^OAaQROw*Xb5z~FxGAAnyv^wtZf{Mscmzq z?=RC-B2Pn5oX=r(=PhM?7 zdvBp}hVs?#rIW`!pDniNMLl@ejG z-iBjjJ$1_$=_R3JHo7w*8HHP0MY7tOtoHWQZH%9W6l}lJlu%*Hp|$(?Cf~IUIvg$* z%M(3a#U{!*e8Hi2y&jFS798Www0&79B}Le1-@^{%;_GZ>!rP*~#!>1EV?_hT5er0Yq*+}wqGc9hcQ~j(Le^~m-&T*R4 zdSauPX`;(ZxrO>9*6?a?J905(KhwOeANWVRV4=ELi#C+|SJQ3>UJ1>^aUvg5lL zuH63rVoku;(g^N3L62**#1?AM)`@rksj|l#w01$yFPeB2P|kq}w!CehmHaay*J}t6Ecjqm4_6 zaDBj#&+*5pJhx!kzAoBl8=m>kiREN87 zacJAbt9@&IuQXe(NWgblWe$m)R4mF~H|m|m-BnzGUJsE>NA&Eu~@g~cBf ztpgu5ji~KxPh^VYa;cP(D%7CJ{>`u`TnnGLib-y{%;Y8`xXo8$Y*D<+HV$pL)vf_? 
zk-naa?M(GC9DZ9VDm#)^9NJT784!kEM~A2IVHUlh?Bh?`Ac)l8NlX*V=DK?QJ#S1= z0mrK9HE4DHI8V-YgSwKtbK#K2e%N_&g}6I|)M}SgK=uQ*v2Q!q|8H$4 zgUp1NW~SMDrCN_|d`X+M|8NoAo^*2A;J{0;^mc7Ugx!EWUgx#;!N@X3V-{BVB5*qc$kfxBn>AhDbGH(9 zrgqiwY1Ui{a9y21lw9fr`|_$`-&Ei4sIVWn@1l90)r+m=ZJwz)uc`@j9yLPFHci6` zEogcxD#?|1Jg%TL!@HbxHcP=Qgx`3tDRGbHxGB8{8t$r6{wd-8*)X#RfOkdciO`^S zSwlf)km1H}$%D6k0lCHfpblaY&#y zT~^SRig08;u3^{3hjmO>0k;$tXuebCHC+FGH9QuVNSDfTf4;@DZXKEujhis=)G+xt zcM&mLuMeI5px9U0v_2082xVu=*MF@=cZtdk%cRqfe_ndsMcD(AVh0f+xV?OS}SpmUjG;$o#pNsKUL?-yD9N!&jMJ8GB)Gd2b1!_ zdpWJONcZ4>xP*o!N|aJCDp6u?oc;BMi)DJarlEA>Us`E7j5j}KPVRrHh!KL<_48RL z6B0yW(#?1|S zI+#7{cz={r@OGPbN!}bQ;VhRj9L~aSRE@sfUQx#9E`EnOhX&gE_+l6z>F>@mC*|*o zRWRD&*L$nqgpOt14d0mLo7KTeZ9A`G1}>Cu*5$zo1Hx=-J0K}mJM&NVf$S*(M*(8a zM{5-Ke_pQVnh^z^!ySL=c%>(m$0pZB+>+$|8Ihmsc0nz^&Qv!1Aj`b!C(QmSB|_r2 z(o-aByZ;!ih95}|d9}_A;EbgH!#5Gtf~AC5_xR7WNCEiHjI&X7e<$&KdUcFg9Fl(t z8nO1mr4h-Fon-y}MY69e_!cwW1`YqFG(bh@@mr?lkgrw;73%DI1TS2qH5PI5ANn&` z`!6&5*%9C!5pUli@qN$#V9)bwQ>t-k{;hj^Pdil)xY8fO7AN-~{xit8-Uh3Bb(^wW zs7+$ynBSwJ@ZmI1$?cdtJ$H%jTijAKBa~424ku3Z6J|Lo2iO(Ascq?}x!~fA7#6`*h{uf4i$>I;>kUZ+cbFnYja;21?XP`xT-nGK| z?_H^6izqNOb($qF<|033z;dZOsPJQfpXEVbAXNuQFaTNjWjzLH^g0Up<=843nRJneVuP6Z-tW|Ijo{A`CxA< z{%QYrZ}HJb@?;XxW1BVb)VKa09; zsr%y@LN`7uSkkoR>D(^&p-0mv=cz^i6Xp}xrDU`@!9mf75zrmY)hCw^z|z6vUQp`k`D_pUJuiBGvoBnwLF0;bY{5Y8gIi zdQHFQ1$1K}wFWO-(sM!Lyh$+_D!8z2CEWfQIlzV}^bQO?en=_FFUjr&%*Lei%6o4u zALG02YZVF3i7?Yq<2`xFvv$tFVwehBY1>tI*$CK-^0U8q>i!$X6>{ z-`h@nyt|35>t5IJ_u{DxD!ki2%jxD*h$v5Tt-=Q;TYU>PK2N@;_pRTdO>g9UF}j~~ z&uGm8eev6)BQ|iK^66ZRewYx+28&U_^Sk&yMQ9#u_bW$KqDf5R7xCasn$IVWV&}g~ z#MShkC@!2mjU1I)eSg?H?^y{EOVbyS5H;P8<{bT8;9bJoudyXKa#(^28$alX61|B$ z#{TKd4P#1@Mz-%>jKi~0uA5SN<@;Z#;D4GO<$2gnK!M7ZwO!w;#u6(b0$(_3sITAg zrZWr7fw>#Fx|X9pd{9IrCnrOQWAVgcvRivPXBH==q?F@a@%HU~6ENR*({Yj%@qY92 zJ!z7;bW(f)nJSdVj^*P6N%2QIcLvP8_|QvcAAYhr&EU*WZ+gqMLdu~|8s~!9#Jdj zzoNn!;M8q>rQ<{YF%}*zQp_8%uUC?Sdw8((in_l=SwGB{KXrUPXg6!d!dff57kb6+ zRN+1Of{f8JufTRbXIev0SMBj$d0($^Yp250+57%ml%jBbX`ae3$kzrdiZps=j`}Hs 
zWsG$`oY$*C3#Go45;{3Z6$s-X^xJJp_{=7|w%LbXNRPROt(haS4rkKmEGpHQ7^tqQ z%Fx&SU<%XJ{5AV2j1ll*c6Ozxv@}*k#23JX&PT$ovmcN8n$b1^lN-8ceRqK?I>UpR!y<=DHwwB=%#sq0}gZ+ z5nSuo0-0ddS2+J=7YJMAOKAe3a~QW_QQ)fc@&swIdV>KSOhR(efJ!NjH(LDlb$Bew zsY~SHWM}eb6%s^b*$j?Ki*aghQr@1clu+0BjFr+DTnb&mRL2x~u9_qIn zDXm?)Nf#bBw@m^)>n>&FPYTZJFlz%BgVKJ2actAOPS=JaTHM9%oOs!BCI_^ndv7gg zo59mt*IIwqg6mtW^J?`?0vWCsw}giNQ}qa{&J8Vnwh%xU*ZR~lxl(&_$kG~F)N(QL zwVB5^jh937HaxVAlb`NdoOI)h_`MnxnAxZ%z8->dHQeMyXkaBL$e+<><&pmEb@sb~)ng8P|m-k?9u&X^kqu*s>x1Zo;=w}nK(=bq<{cY5V?jS2 z08NAdc7|WVjQ?g3nxiGGj?vQmBCni_AI0=wIo@b*g+(F4|FP!PnMuVh$pHP1-=NI zeoO2dxiz;Scqsh2vjQ~yMLHf|v*c~O)|n0Z2LPs?AX%2+imffaW0a-ZEud8e_sGzv zrc}5jR>ocbV-QX%D8({9FMO;@mX4ZU$j?>`3tp$}p&#v`0zt%eV1^)>Z~xLBMvUeO zSE#WkWB{^vL(ZKg*(RH;^(OGiob(%od@fr}k=C|P_E|W6=*1d|T@2vGyabR|rb>e! zmsP`M(*@gNOXk2CB(PwXRK9+!yU;|6!^moxo#x0)8>-GYb-F1@!X871(yqV*`?0NDEtNGySTi2;S za~u`Jj^XLWb}_5%$Jc}1!Ld=;@OE{_kNpRz+pYu~z%HJjzT?VK-}IYKp!6D@+J5$xMWs4%!qkZ-+X zX`3zuJ5(dFwQ%c@AS!`r06}Q;rjRb2J@j+1O`#;9$9d|0de@ilgo6 z!yb@YJ`#NSx!c7T4~5aEpnx|B0%>)rs*PS^((%Z`upyK3UtfMWJwF)h*uzCcby9Dr z3y+D7Rg?@0q9m*bN^47=xp?TYEKleGWCEDbNtgd`@`&CY`~#cMskx(vUVey|e+9uW zOz*^OrhGyHYm>bxX}`U5FEZEN4^*@bk-3vlNH=962bDN$+rWUZ;wf5x_TiQN(dI)w z!ss&z&Wi`YnJS{=M1TV{zyMhzE6w)K&Gre_z#7TiKkvVn+sN({T#;gg!NWE{zW?%p zw~Y^q=lknArD#M7G4>wleg`Us1xu?N&w6ly$ez|&r-8N1syoC!d@!#6@V$i=>u^lq z^PU-n!}0(suW*v|`KFfuHTfEx*Yy9Gc+I>A;1d>K;{W%rHjsmKh~c)U(4IB!p%mbI zP7>QRxEr=~kDkZyQWpnJ@kVN^_j4Cn_dSGE>s@5m4bXn`=4+|`OSH$PnsVBW&q0Ok zWqU&m|0cReNUW*fu=1S#Y)kU5a`^EO=kkqYv}2hqtHKX|nEYoFP?{vMj0NgLn|GB? 
z-jr3jWh)4V79WGs>0c9j=-RKxA*&0Mw;g*EW89IG`U=*Pat&fC;blCv|iv}@EW^bW_pVo&Wwl0mZO(b;ucnx`=^qb z9BPHU-gvtYxLPH4CEQhsf7Wn>1h>QAKnSjtc!>94d}G)y%W{&erhv+Zs|q?kkbrjw z4LGa^v!eUDLS$fgzJRd_)|r4yo{7v?PB^q&2R(g~0Pb_Rj&39=bb{3ACO8T(r1yy5 zD+=w&wmLZ-vF_8S)^35Zb;V+EK-B-T;0Zbjp7*rG_nfXj$CL_2lvs+5C-Nn_lZ3Tm2BnA?WGwUDw>B6jhnnReb z<&2g))T4g=a=bf63I@phE>jK?zTg#em?miM%lVd3$^?<|8eaf+e9F8j) z6c9bV5st<2TD{4Iq3awk?p#JJGl3`_Z7h0diRAHn;2OqD>=yIO1#K6xeSzVfY!ThS zrweW_eXZm<3w~yPB4qJUF*)KG30oYP$BV&6s@4`u+)LBykL!?7)3)iVd0^rgplL5t z1^U&i7H=cqyEr(ameC_%M@nm@?Nfnd#yi&Bk`g7&jp3?w2(e+Ap8HC~V0ZV`qIdU3 z#1~sz%7kir9Q)hRqV=Cc-8rxAw@pH5m&UoRduOh#sN;pO!Bt>`KX$~ruA}O}88_uM zsv@}f^i8{A?q(Qv2-+(b6RWte*xi*bvZ%OD9IQr17HYmB8;hA2@@Y}6ovh8M(2j*V zr=BF9vIKJnO)FZl1yOE22;B>IsWt?hjd^_gt))VM$2PE4E)49N1L{i1pd0h}1sxBL z+IC{!?+bP#p8@fWZ`X@cz-Yd%iN1cGG~B0X023k998L3C;3(lynOImE64}Zmv0XmP zp5nQ32T?sXo91O7?le)51x^cGovQ78M}C&+ug1{trB6F68i_H^}En$5E*0#2q6%fPmf8Rr5g%V!-N@8VLW=WDZrrJl&k^B~)5ztC&u5t{R}7&_&; z_)Xycv$t>B%Liwgl`m-J#k62B7(t(@7afpn)npzp(MYg6W0~UkTA7MnEH>*_Fi0xh z^cxJiG|{CV>p3J3@4q$OPu@ms&q1f6nI=G0Rxx zaJ*}MW5pP4Fo(h zqR{qM(3;3Y@Ehj8BHtSR>tD!!rVvNg^Ut*xm=;Qlt}EhymF(*LW1}XbU_vOPV;3s$ zkT;o^6`oOaEeEGxFhZc6HL8;p)@Rx6Yo~G`jRB&t;EA}Dpu$iF;Wk)YwW6QSB-_mg?HxDV-qN9HVrbkhE)$Y^Bsv zSm1sS&V*o_*R5E(iMZBr4T4|j6Q~dsTi+hx&arKT{dgX#@c`4WrJ-{**mmecOkES$ zp-od$1ZF(bG=%ot3p4lXm0F~f1daG*rPKTkK0mPgb2ae)%{>GHtm zOQh8Nezefi2k;)$vY_?6(6(nzK|vhu{>d4o+`K-q7btl0eHx3jziJpS!C@n|5yT^e zCX*j16X$Mwpx?KR_u609Qv7VM#gWxu`9NK4!>YsqO>}+sj%A0~Y^fc}3~`$Cm~QA~ z+iVioua94u5P9>4vGj|eBQ`(=0#45RG)C90Cmzt;8I9(!Z;vZm?@|;yf9316m#+KF z#lRQ0!8oV>{qh|3k$G+k+f)1u!5kO+ytS(bn$xViDgA#vt}QNlBL$`%_rW;-O~1}g zUUy<&krlQvSzoj^L%Zcwh(DWPeYz6#qes=)tg`$>TyXHZ)4TTyP*3QifCP{L&X>0q z_!>grU><%RJ{_u3%s68IIj_E3rM!!(-jKi$%2Zc8#N9%2d;8I7i5#>;Hs-N;f_NAA zm&arD{~u*<85dR8{SPamjG$5yiVV^!jfylVAT1UlHH3(C=MbVa(h>>`C?L{9cc*}) zba!_QHSphq*DY{e&+oEH&eW@)$VfnvJTI(kn>> zZqKxpq?Z$`jpYoba0(GTh$6z`CKPN?{7**hsCGjV0Lb30m?J@)BIQm>S)wGM#1A*? 
z29}E|X2&|7c%Wnb)w6rWpp@8cao3X@I0K5X^kiITNtObQQwNfGSIy-?frN_d-TGom zF)!JbekadT`1s8y|8Cs$ zD17vzK0-yv6sb^t*;z`ynrVv=P1bEyx9*DbINLC9P+8=|4}9e2xxvmh?R}4h5#g5C zN4dxHr`Tg9hkY9^U5+b8{etf<*t<8Q(uTXVsbC+_{3~hQ{Sg&u-9=DvgcpPU;$D;s z4ilkofGD9kwkr38VXwz*rv>N9rMG;PGaGfM^~BOKF1v}?6LnzFfissukKARgC!e`! zTxx^Pg@QflSeZxLAcfUI$y5dqZSXEEFrOe<)g8=S! z#n+c1GPZdf-SaD^ff;#AvYAt)pd1rYBIts#@|B$N4&kEaPu-aNob5J7p1(*OxlJ^KtbF@)yh#rGZ?id3ifV@ zr95XI>LWrdl}h$*k_!NuouG=^& zB!yr9SX+~FFZu1hmY$qlcNpDntS=F~pO=obTPCPyV~mB!MgYy|b?`J%6vmvy(JPLs zxzo#0Ic8K_dxg(d2ZY+z(%g6CPh5TjxQ#@iyY`AAa*Sl8m)E+O zRHAcO`qn&}^Q4H-#mLD8yWC>gyxd>@4=^QIquu2Df%i_TF+jq<1G7aV)`oD96!ibR5Qz%q+`ut=fvMz!v4lPFXde?XY))QH5exz1J)+EUaG!i=D6-FVW_7U!u_U++{+D| zd=7S;SzHWBu(X<;erjj;Dl?gTVQp}*P%z@v%eZJCS=nEliQgXW8LfK(v2k*F`*K+n z>FoT$(4i^34U|8|?HIn6>j{EeQJUSI;+7Ib5 z_ZtyuuD%XGwY>|hNE>>RXkL&!qAWRP)rNMyrHim$2V506SoY>wf?Tn59(VtVOc?;r zbd>`v=g{`_MsXtP)#;AwWu8tCEAA56@H?c7I^U$@c$xKdEbak}+H5$w^max`yyQ2b zxJKWXVoHjNVH?_wp+-ao^ZIm4JsHwk;vVX4+&YrN7S7}K}&$U#F z{Cv5ryjfvN^(3`eRp3}D=13ykr^+{it1;;O(mM5xE~aKa-VJmP@+nj5f`Z59W&4@} z-&Nb+SgFE(JC+M+rs)do5AMxPKhbn?aH^0Q>HAf(-lU55tG60C*KXYAbZkL5 z5=l!-(_K&#TTdI@$hz@mdAR zg{7syo{nU*xlcdAY7>ZFSTWJd=I^Y`%yEAqWi6xB1N5|`(Dhx?SLd(_Xf+8k`fD&SI~0Jw1*cQQ zxs$^&+cZFhfV~f(`WHz5axeCXB0#>QvEy8eaRMe!FGc?9;$Le4ethX6Fp=!td^Q&~ z;$Arapny;5>OAh0q1<~tFK|e`m}XDe7{8Wn5T|A_U`CXO9#*8c&NGM)5&AU5QCTdM z&sD^s8_H~_w5t<>t?)Ak-lG0lolE~yby9}%PUp-Wyh7fbZz&z}p+>_QFG5u;Gt~)s zOqLAw;CYy}8%+L)`zb+6h>8B08VQ34YD(1 ze<(4Tr@lu`hAD2q)vbPU>-ke8geb8UuViM6oJTW-B*=DnBV{9U>-V{A-1aOVloS`M ze(xvO1Qm3{a^?McmELR>Jd;n1rfmyXP)c{SieeV(m4~X(M;1id)#`CZgJ6Zc_+1HN z!SPK^LuY1YM%p*$7^#p7lh3*|0ee_m_DLxz0Z}228=QLAe=8QU|62}U!ah6zh zrV`l*+9!y@gzJ=6cQ(9jqr$6WX`ZhOtr({6r zoSnLsoFmJ0rJ+I9ExahmcDNM1WampnhKM0C&B^I(-#R!$`wxd^h*wJG1Xm~Sa;9gR zf2{7i?kJ>IsuhxLbSW)VAys&&EFBamx3ZCDzLV+AP8n-(=oAH0OAXPup9Ts>W^ErL~AIJ`(SIR*M-Ey$bw$*mLUlYm^}D5LArOn79B zud$4v&wdf@dBdZQNycQyTfCwfadf6845i2MGk)U+09FdOj3p6Z=Ra(6i6oGK(KJmf zvXgx);Z;zY&9>0l?HM1Y<4}srvz`NMe`yQO2ZEoW*4jRoK~by0!sYT9&NU(DAQH_j 
zOCO`ON^tHs^>wm2i8{!Qgo@!lI#0CN;GBHxM{*~}TSMlIxA$nk7Zm3|Pb_)CR8vCE zAH{3{(rIA<^Pd?bFX1*29>fBUUvtD-8KyxMy>zr~tO__Nj8f8rh*E`(t>?2iWDFNL zRGh`dJq%m!lxhj0c*X@$DbIUq4{$G7eQeylkcyq#az2^cOLW7cLZw0{n!@FsQ$XMJ z0Nr2SM&$#1wxCcm@3I25A+b z{CsiTg96MV#RETDc;Gc~pL3kM74I+A!7=b7yQPRV)sdkuW-d`$&qrHEEGHa#H*t9mc$RIg{?B5d@)(DJGP;k(6>Wlo|LZ zlo{Z?+(U7qZvY1Oz-olfFh}f3oE@ivDfhyWdIs-mNJDAOH{MXmU#~DxDyYOIuE*hbFM2lO=VYxfD=@<&?K zR}(#oPmNKwjwV%G1)9Wu#f2hMeS1Ywt-04DpvxAc0VH+|w$aOj_+`Vsm#0*(jAmR! zY_@}H6X&oT*={9hriYcHE=CyN%{EFctucJB68TP89k*xx=bkVqemRV#SU>0S0U$&@c*>k=``u4a3N z)6&EE241f=Qok?T6@Gikm;zq5=2x0K%(5{lGgs3+TRv@`RywhLz0T}Qtz_iAC+*qU zpF)XpsD-H-&S6z(!w9hG5cytM?`cLz=nl?6z4Ilm%0GQZP3Ij$PfsY@P8xYHjKOzN z^+sKezvGhb8;P=DL?pf|$=CfGX5Q3Y+@6NbTC~3@tVwyfK zTWil(7W0`lFIrEu$<^4#z7iyi@6pR6vPhuJ;3;7oo7*8KgzXGaiL0us`YD-!uibYG z3fD{+;G6I5_Pov(5Y(Vq=%Z+Tf97x7;KH3chQ^S*A@||C|J~Mr<4L$mx*9Ft?HMA* zjNs4D*)y?#2Z7I&nEr2MXR#dd4DCSn_sgC9FMED9PZphL5@?s~yZ30h=1jyQ;fs@= zn^U&cU1K|*>uf@#tL;oJk5f9$hcyh!qCy!_6kV?fx!`&nxybxaOznlveX+xf2IB9^ z`LJuh%oeHx(a=U*#D*Bk#31(gDJTqTy%iMJtfmBWIh3S{w-LezE*~Br#J_*M6k(!s zUrkr7EVBON85b+aC#o~OB?i2q2!u>DSz{7irMIiZ|7IclPMGbi7gCU^lCIJ|>d|-N zo_rAS)m~0@Il8aT3GQHnAIJ)4<6Zua8V)bHl-vQb8Z?pK6e`eCI_&#B(zWYX^7 z1!S+gV?!>{1q?$QimLl2v$yJm4LZVw@mRmmM+j6w`d8|Esa?| zZ_Mi=h+UZ8$j?gHdz`ubAepI-A>ff{tX4L&{|uOZV}FLn~m z{yEp2Ebt;ZiHrKhboCDLnwt4PG!nXXlW^<9^#g{#Llhp7!V&?IWNF1*;&OVIL((O_ zjTx%ygQgp5zT16a2Y1FAw3xI?+CC~7u!*adtURu^X8M(GB|sg09mO#);f;)s|E=4* zy=`k)%wJGeTud|`9864D)PMi_&#(RhU9K3N-6gQy%;}EpTv98dNlW{_*Vvn7QnUS4 zxRZoh3N18F_9cS1t4quSF3 z5Dku+dbbDbYU^ImTNKD;ub~aM#^RM)YI?JW`c2AMYGKafGS!Z7lqfUGH*;umGIPlC z@OD2;O?FR!Bk+4&xPL}2MX2+<)U~gS6y(HeDbyH{5(r85NVdYmO19Ma12Dk)d)$G;=u8| zG@Ka*lJy}kWB}32O|ikJW6m*x^XfdqhC12U4Ts(it80SETEJsQ;`o_-|S%3G= zURHF7-xS=jER5#g7FIU4*S{0WXUEAhTt6@1G+e@gc9!F(SY2W9pb5pz7+Y(FQ+du} zc%&LrEXTjqGoFzNUoPPr8?DL{W$qqyKa?BXPE$VT(ty|0(o!dQfEtJS*zRu&5Vl0} zP-F}oHlR0}`IbFrOVaL=XjW(+Q}$iCJYd8wpwz(#J)w0-Rs%CIqL&`V>^Z)oVMf2y 
zG6SbkDka|%)6xPp=Je>pqkIqSF+qUQ2`}Z+i0zJm7^KIs&3!jFmt=EYCgt%{{ue^+kPz=Qp8__dw$1Rhb$@6H?HGk_vnYQwDs~@Rr6}r7EML^`>F!jI7tycNCvY=@ zw)ws=byzQi`)z(IZGj$SQ2DO5KX~<#90*N-upR7nh&tnwxOvAnZ){Sg>jO7RTL+C} zeBa7|8l6uj8m2yf{@p#KvSTswH3HvVB5^>_8l}cDG|&5jkn0;`K$z@bC#Z4ej}I)A zrLQa$`v|=J$S&?DwtBGms3k|Uu#51|b<&1>LV>J5#kj3KNhfe2$z7|+2gl~v_%+7l z&;3kCAOcKSWU9A+Q5{-(Q#sxG)uQ%3J}}S2E@NvTf@5}KcweEqpm&{cUR#^cpr9rF zUVEKs@GgX@O!H6(2EW6_8@lIIz#?>wzYIyx(P+|N_KB%>sf2O!wpp2A=WGUn=p&!cDl=?<0{c6VK8YsL9Hc64AWHz}3nGoa5Zx5kzys|^(*wAYJ900pfskaz z$r}fktE4oJUh26P0 zHPu0UfVv@FX6Edstx1G&zJ~9G?aG$aDm;6Z&+S2*pGN_q( zOS7lNA&QN#MZlSJYzS4xIF=0CUiVC9N{mZEFg0q8-TWY%1fh5x+y|uTuLXElJ_S&| zQEB4+r>L`LwWthPYuoXENVhg%7usvB`M-pn(-Le-wC6vx~yF; z$0Xc#IlykPQcx~x0W$^>?BgqJJC^sMQ?E zRM~hVNqA@MDX68hz{RBn(DY}~9?z&V>Pt^CZE`UXD$t2yQ4rkP0Us5+d{g<;-|3!l zS-yCQgD~_?lJdGXwet+4laQA7Xf&-lx0Q7D2YjfXEtoA0^x!A#Mt z3=v2?WoVGkfIacWRYnNQxvb@bjZ$(ncmIk2gka`{1_UfRGHz}}EG^c!g|n|$z`SkO zMe1nO9d=Z!6F+ab4zFn?ZTFeI<^3MLztE$C=7Q(2%i!v zd=}9ZKknkC!XJ%jfIj4V{Fj5k#uAc%J#}s8mUWJGom^PM)(hF*EypNtX;q7=HijNl zFN+PpZIUj{$E8*4=O`rI;9IA1CR`uht#uYl@t1v^l6qez))9YQuIJO{4JvlR@BSX8 z@%QOWWnI>S9}Her(;cL#y_f=v+2gfvOdW0y!nVJd-)#Rg{E5ao2!ygS-*_QusE^g< zW~;RDQB+l+$?L*GHnZvG&Ni19IdtK%#8DHztre)}9tEj8QmVP)6Mbe6QLA1@K73^m1Tb6A}N=l3bfvu^!u z1zaQn{H744ttoecoAQ7>VoLHYvU_5GM+cahj4R=)7E&j3VrWC8ni;B4XbC*<%t>oN)W7Ijoj`gk9J)0@{}fPemt-uEY{hI~pdt+n!s?|AyRpxGrG7GvfG$~Z{M#pm|xcSr$G~Pf( z!*`r=7%2p%HW5;^#Q2r+lnJ)S*xT4Q*N!O>OK(a^q!~pQDdMOFq+mhly4iG*&<(TU zbN-?WO=VYCH>MBi#@>4)P1#Si^aJ$ZyL)Y9^LS4AxgcKlMjAxZE1!(4W8MRMK*E2^ z+Uu`v6RyDqt|d7^aY+4%S$Bq9HPr*>30;~eOMK)R_YWUe_Yxn5j^$DL=Wk5SdKLsQ zAE94^XbQ);ZIUHH(PT zbW!~B%y~Q~ogxr+r{c+Bm9EzAeogOhW9Ga@5_P?=g6^OI?@4lkd3A!+Rq_ExrpGaf z((;Z3V&3sepWsPqbkPG7!pen5_?K|xw=vW(hpA(H``O~d(P2;9nGaN+wyQfJ8}S+D zsbuoq8`<1mKrVFnn~au~ZE`2xJf+KP))5~ZQk9LTKG}Q{GmwkPSnc5xav^dg7x$Y* z;m2u5AQxxBw|OsMcSQc>3)oD3nD9w$I^lg*#O+=A`5}=;aIeoYIxD7>4eSS7g7mc z5Ry6_r5yg}dV7{Yul;C9pYw5_Dr^`lX*l1)sq$9>z(qMJCbx1nN&eX5=7eZ1NvCv4Eb`)|*KIsFM6=PdvVtIB4pd9M*c9-WoZuq% 
zHUPF?>IRcf2)^f$Ts~|jGdj+x0h(RI7}6WKe2@OJC?@ltq**B0xvw2h#&aGg&FD`w zq&45)-PQjXkDH;)g5t?lf9~j-s@QCPOhI5AJ^|wpf5jt;TKH*S%^C2IS5oxh%m20f zRPxABgz$4LUOg$hX@D8lEY#~K#u8Jck~DCP4gPv+~Lp6Ry~jcZ&`6~Qfs*0=nEf+A7~9$mk;{*OcH zrN3Ff8i-H{{>7lOkdstcm|XY@epdcg4DtMu!h0?2-_vRbew`m%fb)~X%ak@gJ=}r{=xoJZYcj+E`c>Z%GESc zb<0+dp!(TxjQ??JZ>RDi-|x1rs+U+_WiZWxk;E z`*8M6?^{?jH&6c|NwMOCN^EvjCX|EPOaAq=|C6w~JNvcD+(hGKrGGz*e0NE+zxcg8 zKOw={<3A-Fth{D|-0ZhwBz|ryEB@%m5D)y%j0)#HGScF%GEZ7~q&N67QCAw2p}s{?C`+!D|@RE;T=^*r|X5u zN_GsY;f{+t1fkMPdbxc9#S?^~@4GTiynob?p(GZktI<#W;MP+VL4F0J3>NQkzZ1zx ze1agDIk;@n+!X1t4}8gc`W45E1CK<=TbtGm5>;^-d)o0lSpB@B-0l3s*|rfHdaero zlZ0J&IBLlL-Ci!;O%Wv(1s_+UlTTc7K{w(2m3>mw^dJ8{?0eF}?#MTiw-KivShBiY zW_RULRV`O&EDW4i%9?GUO?ma)oAI=i+{7}H1+V9(K`)+uV)Rhho!!ng$Bjk`@^2oz z4FM98O7z0v)Pos*EDBwS0a@-E#31ZTz>QNB0m6x70OU=*7;Q{?YHEHrkEX`^s7+qt zRC@$2i{fBti;4+%0#8jX4X|1QUpy6q9+7O7(4gg(JTG!xZn%t ze+BL6f;S9ICQ1c$r{Gj47^(sV`O-;J^B<;TxS^yX@8L>#Y9<)ogkkNs0Djc@wK2BWwMc z%JR2PF;z+N553cHcCPdzmjChGi$GzJTPb9c^rz;%D0-x0 zeUeo4KBsyH47rD~;oqO#{&wntC9})^wvRuKKeAVv4F{rDgCJlXy_O@}iku{yoSVDj z8U(&X>F*v;(q_&xOv~(n*UNP_M(Y%RfvlBt(E=C8mHd=M{1k_b&mPHF(RuxNx_^uD zNEgtRg|52_S5B)}=fw#Vdx=r3oX$p?oqxY1jLqu_xIy`{_fFEOd8A;Nl#HFw|8G_Z zV{>7QcSIws;FNxsE8Gl#C4KrJu9U#*KIxc_Onv$)=-H{!W15PQ(#Uw32%QN#)f<>U zv&a#tL!aSAopQs#+PiEq0(sx-4y3z!%J%i4p6;WzAf1rDoFh)EAj5w>~>4 zzNpNsWM?uL93JSax<_fO($I_k75|(~Os1PS<$D#bWKqH^o_UMbYex;aY~Cc;o4=P) zc);iT6fVQNF+Xc&wD60&eO>qN4<@-&ogE`U7v&?JP)H`^{X>-ecx-m1P8}K%B}$^G z9NpZ~h}Q3EnZ$mal0pg>J@TJruY z2BI2`MD=Wly(pxYxZPU6f@hjKTa)$Ry{5*H}^rD$`=a^apI!4-e0+V0wSoeIdBHtmAPuo^bGKOM73##_~nA;QdblJ|5^;nf<5( zq{x0x#1=IgOU=CQz^r8FBPN}o%2|LX21mHo@1DjIC)Gds4?KEk1)!S_Ub_+IS%BD? 
zs=!N{E&-P`UwMC9Kl$^M*Lgw0PD^gEOVY*CVFOK4pZDH;AJk!L*&E(n zP8kq@%YLC(jr>^E{w;OnFjfft!4$pZA$YZN%vVulJ1Q84uc)UBd~mB)MYUDrSrE;#v5hm`ZNNkxpX12${|X=NBQ?0d0f|PqNw*> z{P#5=(L3!_9xMH9{8W{({`z4nxl|bnj5)avpjNqm=RwW`%aL z2$o9s5CoxbSY1~dTvLAwS%yvWbq$j>M+<09<}2r}tEo*r%w29(8{Ms}A$znvaDM&f zwz$v^s%muxX-7Ik9B|g-07N^6+E~&{84;-IU((K~&rkajU{ScEd{8@a2yDM=*=@ye zXm_~efE-Gm?PRr`OFL?Bx26waQ;&v>8Zg4HjQa2YZgF4fO*rIrUA8|Ix-^=|$Wj)@ zs^U~t61q~eYB0JR*bitB5(dK^9bC?y?hoW>MESt>A8`vs+-=D@hqJKrG9?mkS}yAI zCC%mXw-Bc8CfbExR0jv9{3tcJ;K9!q!b~9 z+so2x(jB9_R89^2m0OhdbT?4U>bRpFa)-{;DVNH4T(#9mol7+kN;{JM+LQWWso_+M zS^LX{)9^?8YE`+<5958NIINM~{AmboCtlSuUL9~sc99)Ft>Uao;9)81&@>+)m7P55 z;tY*6U1^cM%GD<6T*k%&5%H?k{G#udj2Db+?X~ zaY#-@2a zE%OMd@J`@jB%|^3!Lz14s27{SUd_|KbjrMg9a)>QZxkKLUr;49ETspV@SRB^UG z<8&FpQ=JiZo&4VLEB)$W_)FI=ql8u`86PRJDmmS?g9}=QE$%3-l{C1chM;31Px{vv z8J%XeN4MAXiVk1E92ssbXVg7e+D)mUaH?s)CiDi{C{3L1ZtKSCv)y*Ml2El;f+Gvv z8dwODRvP){e9{t}y#DnEJjUGSbiLoLaa9`QSijI83CXWH@3B(}f|EkR3xs66j5PF3 z7^`!?`Ry+Wzqi&QjeKG%UI+_+w(X8)6M#vUpG*Y0rnfZ$AeAx!xA-8KnG;;5W>;R+=zO`_1G{hnor|BF%KY<^c zI#NI*?TK>nlHfY~cKKe@xsk+lC$4Ih8{Ahb18bP9qo-|_sVy$B79neAZl`%PTx46( zd3T!HVPuf%%4lUTG4(>PF5-1JENgl!hjkuhLWOiNabEEwNVh~ALZWTwdI_#jA=j>K z^l-=SeKGq?dDnj$!2@54wAXpAKZ{68&8iZ8%k*W8h+sujz`pCgJHeqYaNA zfOlt@E;wB<=)fBM6Pq9xFE;H$16rcFDI4skMf}}N#hp>SVFDay(k$krp8S6e?`Xiv z0Oepz+KkUX0h8e~Oq|r_9o%zL&`(|)U~&(%BH`np5}hk7#5>h;c}^>fiSLbEMkL&C z5-nPTx-q}DK8v=s3}Fg&5|k^nj%*}*RH`N_lT2^!ZqM?}qqvy)mir~m#$5a;48V4=0&qM0b1r}kHl5GkpCrV|>qY{QU6B;& z;auR_ewq0kDwlFO^il6012CYBWra|f9~iFNSd}Qssd+Yc^37A%$izR9`3sV#pZ^T= zH<73N9igaA$?CqMFGAk4jRal%_i9c-{}cGN2Q!0yPIn|rvNnu18r_1ze9!mqEsW(|dmUO4%C~e_L28ZV;wP#2r)iCfwIbY{{5L8q zDqM_SsgwLC4Rzf0`#)W~B8-%wUc?6XQ(4wzOPcLKN+|5hGzP`y8ac6*nGyP@Cpq14txP4W;)sCdl zt}kO5N&8;WGCxJ7`0&P4$nZgKUW&A!)ae}G-?@Pc-oT^joiEX);X=D=#Cpx8>}6gL z1}O8jeoG^PLZgUyf3R@uLA;t2i-=OuZ`Xr)Qx!3da1Zc>-qUpHU&mv^)xO89pzjja`uw-9-cUQ(ASP 
z8t9U#w)SBIgr@d~T9eo1m53rg7D=x&aF=3-F^60Fty&XE%+lS45^5x5wS;yH%7~ZId(8d9QwN1L*p70aWtHo;#p92mO4i?x%wp%~o+ms8v9a~VYJwqOtM&~dlm|Fz2W(z1y*PLk?RU&I_W>YcUYXoJ71)Y`Vlf;9_}V4B!_+w z!McCdn(M4$_e{RkSfrgYx*{x9K)~Vky)(OQHaAkvx`~r6lDD+s4Vhfth+v#)j?x|# z+@;vMq^fjJPMTklD*teZz<*06xR(>BdysZBD|$~We^=zNLi|zvkgHxnsH9fS3q7IL zF|+x@Ct$<-61;;J-)*J!>p7&fZtn8st7v5v8VL)2rJ}r0n6)msBF4+OYI=HGj927 zH9|_I$bR^ifFScyN4pNZc*Eug^+$o+3m0&(=(gHFBXR}4lTQ7z&~q5rYQ1hMm!7Pc z?zU~KH1f4#h|5-EzZL(>bal0Szt6&$*m`lLw)Oz(7N4!DvxLcjK#sk=VLHdwZXpU$ zRB6S}z5?0%9etp~U8Y?p0l~SDa^rz<_`ZpKN7d;5Wz;(gYy9*&szWJme_aSd9&EOM z$$f~hDZA?`?l%B^bnt9Rdg-BiWLSC+RA*4Ee|#pR4mui25IS&wK8I=QEY~Phll%ga zN8uN^BCqfgvp+k3tAfit!c2u+i?gkfJu%(CI+=7i*W z(>}WH7wrO2?!BHpfA_c*VSdM{9Mk<@CQeMQC|l=ps3zKRijeDp3Ea2s32LF2ax7W^ zF6bINBv*`1ol2BCBw>&!N6m$90~PG8Zr^tu{VH|1)%pSDVL60O zv$+>Cq~P@_6rNnq!t)^P-NqY>9h1(1Hi`+|8rnKsF%5dG_UMqA8D-M58}0$9g_P|m z`%-=bnDLKK4esyA+8JERb6SUslJ+8+-c-eYeegPEnw0J;m&h4(;Ltr0X|tQ}hD--; z?}`*$yzP9w@&kKG=}w)XNTVnV7RT8-GaqWzzPtez()!p&T97Y~!M#MM0~RV4tlR>q zo8S`XF>5x+NsjO5@UB&cPRC`@tnj*Imw0+Z?unc!pEmK(6%yvLq+za^LpIomXol z%ANBH91D7Gy4X-yogCs4;m~Gto(D3oTj6bnc=tkzov|fJVdZ98vD^BROIN=ER5MhX z)n>78bA`Ai-D#NktwSZhRDSe^J)F7hQ5%0)p{m(R%ojvviC53Lk5^1IH900aI0a_$ez!b1kFS_VhACtd|R>vt&>ew`l3>kC+mgK8!?__OzQ>vtsNd=mIN zWIS$XnQrIqdx<=u^LzRpug{r5UVE!W_tZ1!2E3_fc81FuXV%IWa}~)gSyl7Noe=hu zmJpl8foqkCdIohkTZ5#2Er=q5N4s8Vr-Lzi>1d}BKR!Qq+g}G&vUUc70?+M59jqbvz)Ub#OJu*$Ag_IrQ9##jG7g~B}`~8 zBd9EP)})_r6#WQe(t(>$4OofiFR!RLH7qS>qB>2HZii}{Y;!9$6uZ$Zs&rnZXR&+M zo!-=z2HfN1%sg9g$7k`8hP5@BhZy(r2M>7bn-}rEDi~d_i zM&Hhzu^glNYGjMg`uUt`7&lZ@(E4|&D;KXmx~A#l?Aey6QbAO{aX(fr1Nr7{5hV{h zR}Mn3>R|eo;~w_4N_{?pOQf8xo#t(AbCBPqTSNCu8wp53=@9mjPt=B1yYWT59{?7K zde&mVqO)79N%Lhj{gS2u{lF^}5ZYIpCF=1Z)XYAwjqq7Sde$OAFoE!CPLlyD6S6Zi z*8m*m-E)~3B%V6(yvz1J44G(M+3<)yuHI}&O*eF(!YCx@a-_oYwc6jM_~pF6X$^fl zL+#+aUn8!W`M_c#uYS0=AXUR(im+?uAM=jQMfEmC!r!NcF@@`@P7~&4v8nP{RVWB* zZ;Ll~x@TV(4CztJzFPw>nwp$})3rPTwvXo?*{mQ~HMf-HH@I;x?T1ate z-Z+K#w`iIGNe%OMg@w_;3iYVZ4`$v&2I$xqq1AYJUCux6is-lDo-Gw_TSok_eVZNR 
zK4uMdDd5?|!bP_%4RS5b@e}EJ84Q!l38Bh7AlVs z;CcqHZae6Svqy0P>{{9NZO-MuW)t=n&U^LG3x?Fx7#$`sl}%wNY;t z=s`8xMkX(CfCX;l^IZ?hKzYRdv(h|Y#c^mv!U-!(FHpJBAVUB=d&3k9!n_9MV#n8E z)P{S%Cm)Bpdc6g&1?_JAlm^ah1n zd}hc@h;)~WdIV<)YyQ_TH*Vi{y)9lSnFu;pvCWCU(!n43rbCYlnu^nc95P*HG z)L~h&{p@wPWaywp*hYg6O4O!C-u7#^TbsK#?44U!$HKBo#05Aby|Qq@1)u$2*o&nFaU@Z0EBvsWX@5MPzoLLqqo4?S-8h zJ~&mB^xM_iUU_FJ>2FSu-e;Ub9XBa8883L7YSGoUzQRW!`jVF0#<%(Vkux6KG-96~ z=)q=q(720%X0O`pi2TiIOmYNzxN*^ss76GDLuss$-5exScj_@ z;j7aHz1_NS(Q-Z(vdBd74bH8`C7!4`vej0cK9P@M8y=<~9_)`cqT|E`XvsDeR<WdeZ$|m zB;cycTvjKN9uQ$YD51W=l&aV_KdUQ9=*?v{*-u>!a{FyU4K4ZKZwOREFNIwhJjA1B zzG|fUt~933ceB;}2UA%0T{QiTA2Gs_ty_e!yDb}VM>aB6i19r2F^<%v(ktFFAG)&IahL$<0gXk7e0wwT`} z2$i80s^w_GYul-z5%}>KjBMakY z#JIKx(q&|oZF@r`l|=_bLYFm5HP&-l1X1s!%GQ-2a*+-^u31AS3o8Pxt$T{?HEOreDdwi0GCd~EoOp;mF;}t zHKaz^TO0b)^^)p!%0_}W=XkDF$^?($d4miugpI%WOr-}I@3l%*lQEx?lKNGxtFT)o zv12v9Wb`20VfqX2Wt8Smn8at>n^0nujK-Q1j*a>!p6^gwD7%Xszxq2Jh&ByPGyC~p zzQoKwu|*c}_s?FQ&My6dGv{R=BhXsLKKhuKA5{=-%i-9K&k$p~6wA1Y{(m%`dpwi> z|NkqAqL2#FghV;aAw(NRMIogeLR%7&^C9d+%?GBcLH{37AGzSL#Rq4$-|{{k;kk+jYh-Z|EHp6(aW zbmR<6a_0Kwgx=##vaC;H?I(T6M=u9gY*i{^LclE0rgp^?q7%W?!97+Av|cYcb-2CA zA1A>sRQrA|2dPc0u-}N<6NaV}Gpau#<#ZCF zU@g+Mbu(!149m8X7g6CyvkFIkl~)L-yxv(`q$w(1M6v54Y&k7UV14dCxUH-CuLEE4 zq_o8I-D>M#g>wpLLYCRLJ^fu|((&ZaO>ow)m0MIJzcI)^oTlTm!2s;A+PD39|1ya) zKU`Zhc$egV_k9&2q3ayh-ubctw50Ix!u;#w3T}R+)Rhhu_X+4fbdV$uVc=)V8&RIg zk4k}J967(1C4#IOdKEi0ZlSfUTGKLT-oil3Xy@z+_s2ETk$-G7!IAci@{Rvmx-?{Eui|eXIYhRNInfA98_I*%ug9h zSol-YEZ9QRI&62qTZik~z2A%x#qp@L2QdGOKPii(XPVGyTT;@d!|m2vcn3_upZrJ6 z*ep$$Txq-SJ&c%HT;2}@e^an)yZWx)QXG0pMy(^y9-|~iE;byEzdfWC~n~7zf2~_G1*V3%vQXBiviAVcSNm84?D~ml|#<$HJCeWa) zs^;cmZG zta9;IGD|Y#!8U6~1Jk3xY{KO<<}J^5j8Wlc155D5g3tQfc_gNMQXiUdbdw^jbvjps z2Xhg=`nuR^;R4y+KuiCxW1K+w`HwuWTt`T+)8RQK!ZOyF?M!eRxMH`MGID+yv?jfO$}kMS7_!H;?y4ne1BVk?V$ z-g}O7$Gum>tA%fiq9#!~zRMwdS-f+YcmIOIOLTXYyC4FcME9lw-qd}rJ@#+F)i;5( z1F!OIVJfWg#8X@j1`fyDt5Xx+M_;eez6Ucw!W`N61V(i>oJBEkU{H82F$TjOKWq^-uaJ$)Z7BZ*r;78s$wJPdsUFTW* 
z<^Rag0DImrJ=NX;?-(}(vnMDhl0We9%wnfodCxuU9|-VtgixxeTrw=0}uVLr>5CoN^kgSP*^HIP*WyBa9&zUueygH1of z@gXI2%yax|!Wb_`pDptwCfEEf@iflv2-(mRg-%~5#PyragxyP7Fx-eE*maP!{cSn9 zOk$tG3B*H$B|x})n-HAFPzn@^FM_-D`>U<;yiP%7;(NRLwHUsUNDQKe_F*pzpCZvP z$|SJ@-1V<=Aa8C9$A$0Ma_YGL%Cp!zxpX$^Y8 zwqIhzBu8RGF*Y7NZhmWYv*Na6t+EsGfn$7#&(ktL^(&Hm!;m9fTqW_q?M8Fo-^@R2 zdappf|9#+o^UZ|A21VMPW)?i$Im z|AF!{JbJMv&+!^H-bCJhEmyxk|Kmf0@wnevI_Or&nD#YWOd)z^&cJ#YyNhG&YpzT21L4S(ii}TYB&Q~+;S-T4; z6OOm_hRps)!^i-q_41ObUM*B*tjdLrAO zRl1V&Rcl+(^4(rH%re>xR`l-4qITl5TiKk{!+??C&m;1Eog>P$lI^V)&$*E@b8n23 z@BFBEcjR!9_b;L;eqs(}omZwSm{Q_^$7CDITMS*;>8N|z^vyqQB8J2q_2`)x3%WU? zMuRHb<__N2v2sPehMpL)u}1H{mS(Q!HzXw$&g=SMSH74~Is)~77>72&xSyh4tF%#= zZybp!+sguVasX)}dfeJa4aIAIKg-#ka%=f`GSC;$TcQIFg2K}`%n@6cz2MbQSISZ0F~#%Kg@~<>!gGh)FyZ)e z)ZgRu$e!r)S6Wg8R1kp!lRdZCfOd(>q4c)4)89k^?dT~)W9022{@#N>{%BJHo_E$i zN^pRs4d;zTkTn7kSoN;h&-?s;C~CFRzVkL!onrZEgfog2)NX6Iuzs<8_BmM0sT%J{-K3XH^vGvHKTs?OgZL zF-9r!OI6MK`l7tW-Q_!~{jN9>8=Z5wsuwE`d^|#oCv`f3hU%7a5;B@OAF68a9&6W` zUuBgv5s~xpl0aOq+B?bpU`6C^ZTpqpJ_viBct3x!f2+xofi`*5oj^9~5KBbG_4^UyKXqa1F>ne*kN(vFedHBXoylIM# zst=cfowBY*y`3ntW;IPt-n_1*<;ohvK^uL%2XTGAvy|F_8IZ?W4()xfov8q^uLJ@> zPRq(#l)Vy@$(rPqC+zA%d-hdE4H9?Cu`}18oq3wLfoq_*Psur&n3(HTT2Q;$KD|iO zHqmOKRhjr+bl;3=pV68TRyfYlqZg0qJaGqdx^Oe_^F4j%&#umucgcA^&~&Rm*v!K+ zqLe?R967Vkd!JrQU|v0erxU#@uQp59E@?>%kbgAYoKqz#b!sd|K2YyNt7An(9?Sc> zYkq7}Bu5$<1g5ZBK-S|%m9GWaPi5$V8+{JH$d1@6d5Q=#>+nZBc;m5klDxf<;MGSX zD|%d;)~_s6bGW;`)Tef@mqvE)ql!zby==a<<5G;@O8s||=y_>ELUu7=KIO9n^ltkG z8aaLy-g^hf+(>;(mk4+~h#@1c*KTeUit>;jz?i0-mPCo=e{RI+5MW&9zOM=~2Jtg5 zpUqoa+?Ed0eY)mtLr$}sO_I}f-V>~4?l?mTL|6E2@vqq)CVf(Oo&S!*KiUt4eZ?7J z)BN1o)_krI&E3T1!N88|oKB^POtGTp`7(b}e>533g;Q0V0=yn0)Pon<|q)m+rU}8c67$4Pnvl^2r z_0cTFFZLzLqv2KCkd6sK(4DkVi3|NW-W(4aYARHo;UB8yAqXUZ#WYcQJUk<~k1K_` zf~S#!h=)W%t^>!tjT}EccQZ@Ke@s*NJ2X$y@Z}GM11h(vc`}EKbb=M?TJ!G(=f5#2 zbdCp*qBb)JjfXK}?K@{hdtO#c4>anldvI@hT}%e4iRP6H6b)n$oyrqq(zZPi26sP| zF0d<*K7nXQo}5ji-vK_x;-CiN=UWH} zYQU-MN`c?6tX!ai43u3>Mo+2*in)Dn68?!Q^YwqYB8uk8w~B94*3BR9egEcp-02HX 
z3-3J8II_YwC|ed8+2qN;@+Dc(C^*JGC(X*auI>GOKS=j_{?#*1u2o;uX&chz8D_4f zUx_MCC}wh!0v6yser+`0FY5Z3zZvg--_J6e|ry6zUYH$gcAT$aA0FE&Zw8uRfrYQy(2H3!cc2!7v=B z5;BHc;vWPp@o2iiIepejsxCViaqrePT;6jo(j6}Bs^U#&(o3uPYkewNa$=S9xQfK6 z63x~h`g4!eZrJ0jlvjI-eX#BTMyFktSz79Cq+p8sBQ+el)}gB9iYkngnTz=tA}B-3 z#A^32zmD-(R^_KgKx@~fB_{r$@{Nsx-VbPjy_TVkT#77%?`=%2S=nu>N&63 zYPcPR^%bF^Zv~idn@St=Tn1A3&n%7?Y)e z4G}hW>Ng*tyT|l+SGW(U>_&}o48eAOrizF5=z?R8^OaGweJ;I}0 zn{RQ~T-1sI+(iWhYenc4n3Tl2XReyOU=Cv}N$^LF{~ z%{%_jkq>s#{GvGkaH)0aeX3S-2rRz!=X|(98av&pNkK{XjP+A;3y;JO;Hhw1?ME(lNecsQp-Rsh=(`%!Rd|qREmqC9T>h}=t zP#y&?WFd7jzJAMFIJtsF_j)w=!gvfLjg! zLKs4#H75~YIA+yvmA|U)=VDoAb2K_cWI4pQTn}QViY%}-LF^Mj{yqK~Gi?5vfDru+ zcnv>E^T>XkR?=*#I`sGGR9|*jcqQ>Vnq#&UPEG&ix}qcN-P3$ zeQ=Wlgx$Cz;9)FEQLjbaRoa`~zO7kcwWq1QufKB_wgsbsBMo4s+s|e%YLZ43mCk&q zY^%O~dwcBi%i-Wjvilh4DCj-l6vgJ#yX#fs#8y})qQzv_XBy0d6;L{M zN8TRi-MY=9Mt=5FTj5Da(B5Cp{M^a0bifH$PBvm|FZx(3*eFb&osYxwQ8gYrGvWjyi&O^ z-$B2?i*d+Fjjp63d>Pg^Jsk8nuULdFYpfY8Tu~%*w2T^RK%PIDXh%eq55e?}{sg>QU{UcWzgjb(WqfM>t(IUoPbM z7ea86u>onkl%ck+st4cEtUx}rMcteQTVg-?1*wfIJMAar^!qL}M@IG8S9>Z3vheYQRX#^B&Iqu((Yw0r72p!ml~VkK+WpBN`S@`O)d3J~ z%R1HaGk&gUfZzsOvT~Fcb|`+Oe*+VB1)G+oq8bk+lt9+#R42C@h_0hJ`Q}k2PJ;&z zf@KDvwdUJj-2)!@TzXdoC-sGLajCA3l=tD(E*#ela`|#7SOM~5q%b7R()4<1a=r^d z&&`eVr|d~hNH|#v_%+lH;Q5mMR{6!~vke*A!%UDhPtZ=J<_lCH;57YLoXTlADb6~D zxN*CkHN6+W{z_K5HqA4xC5NfHfdzAHZVaO|X~;_vl|#8Bl{d3M$o>p&YbvKs z#u-(>mY*Ldb}%bb9#kcss_sni)6~(Cb=Axk{u6?lZ)WC;ugUQo_ifrn^dE61lk#gesofB;Jo2O6l zT)F%pI3(w5t{KxoBYW$+*1f!pChkK+7A}auA1~jGp8%eP#rJ`7_rAUR!TFs7L7UR* z{Jj{w+SFUfmm#*L5~Bc$2n!3T{Y4#BTUK7>^L8Ep0cOnM9$i1lmk&2NvpPb?OYiGd z7nk2$Xnv z`0*wQ2~{4IS=LO0K154a2VY<0nSqI3uGzy(;bWwXg50eCEoPy9%x=(_yeItMdzM-@7{;7SBSuS zYNk4G55zH39pJt|U}MNybtL8k-6|YEE0Wu~Q|dS1;b?P=_!=kXB&qRt@W41+!hS0F zrY{91c3`PkxUDb7Kf?|bmmA?Fsk1~ahZ79Z{rsHf;Wd;5X7l*i*erQz?l9eRO$8gj zzv;8QwV1H-j0)B)k!pT~D~9U-nJ2GLP^2;;wHCjtAB2lES;E#2$l^5R`1Y9Ss>;xz zt0}{vb}=P2RVU(2R^#!)SuM{-`q8D863$H6jF`6@;DLJ6b$Ee0mP#)D_*^Q 
z$5F~hRKX~R0eQY+|GH6@k)AZCtI-jR7I)u&Kr_El)K+V^W>(pGF{(rqNiN#pzS;Y( z<@L-DhVzEI1uiUWZhL#pkHH9#_94Ep=Ul5|f2<32aPT#kBP zz0%-KPhPn)Jme|^wYSesu>qGj?3=2}1eq7qAxx>=1g>X;@Hh;q?H{J}OEaus9Denw ze_GsT$KbE&st1R31Z5ijRut#bG2ahW<|Mvj z5_k7h6|5@6+UcA(=73dE1A|q7ZL#k7^)O7U*0;NYPDt+%-XKKt=0lA(>$?~2Ghe{# z$y#m-R!j?k z$}^943-@cShW*Vno?y0@E`zM^`M=p!Hexr=gY13fU9H;J;}m7JFoN^jc9wuk>lH;( z&@GU%)$*pfqy??vq^00BA+_YBKMZ-nPt%j(X1O?4}!7uJ&$CEzBkC#k^WF`Y%4&SrVb#i*ZJ|SoB;CvAP z+ngUBw=@S%ZzXOd=hOvY5BO(4>nh=QuPXEpZmKyZ=0@Sc+>jwUa-FxhEFj>n^4sSsH z{JN8kL2t8L3dNBM8bQws0ZM4;`&dWJGHSJy?n6#QSbgHzE;%pGxS3bXsNfkbwX5KA zG%Po{cLsj6Um;V-3iuoYM_YDY8TYF=O`NrFR72eDJ?A;hPCG4P*PNoGQKvI^yi-b= ztoAq6{>$cL-^53L%x9gnoL7+}Y$q$OkY>=|CvlFj$ZH^wvv1`;<%!21H`dF-Wn!%S zX051D$riOZH90fc>b53~TPjRifO;1FLx5t8C~S@Msk->A^$vdd-qUs8M=GApYq(^IQHzRwk9g_6U?;ySBP=Tm|^VD>6b>_qxZ7Su)0j{ z_{_W~qERW-Z)*KI-^(g1Vc8<&e^;nKCdz7S)IW#QyKnMb@$Vr$m$YtSh>s|~h9~Ha zS;vMW*WW)PyjYIUhEWN5#<@>mt#?p!8py`&Yna8VQJ00hUuN@5VABGS6|D6U$&T^8 ztAFhi(P$@i@6Se-1w1#t0Q7p3t4a(y8%pwd-u&1b%QkzHr_bZg1437{CQAS)vXWMK zqQCf~jvB#9)cAi238X zh@KGnzC6h_|K=2CD7BIPT*%|=++%Pa*?Pv?hRL2GofjWYixtIhRQC&0y8&;wl~vd0 zcyE`J;l2gCVIXk<@}JV>$Y*G-P2U;{r)O!C}%c!s5vJAE3-`)li)=cluxvTxz z`R7LJW>pK;zUWznw?1WkZ)^@HT;v$(k85kTD~Vvt4)L zKHV+nnl-BJiJdcO?dKtHBReIleCnpCVpqVn{(LQlbj6>C;`NHh zN9VvPJl3}VHpJ#xr&qEPBlnLKGJFDfMt25kdMb2|;=%`*zcGZ`crP1BUbA^#^SiAU z)FGq}GF|6yGI$45q`z1_+BI@v+^E`cUs>Zd4YDCoF9B`T-;kJ1!2`HqFYJ}p8(^u7 z>lBg;?Gk26Him=1YZorD80GdF!{ohQ>!q zOd2Ahl4zMCn=?X7O^Fy$!#*9XwA$t!$YRR8H0WkO8+=l4=HEx^Lwu1{5eGrEC-1Ls zizkmdFdbS-bFFZ0B4&S^qySlle)+abC%npz9=tS^p>uy$_eR#%^*1kv=PZ3z{#4~j zcl``{OFdEMvFOB0+8BayP7!vpQvg!|V<6Obw_bm0>u(p^l=Yn(wyt@F#9}{WM!Zky znxyyYc#xacF{$fRoaU$HH&|F#`!FrU&wEIoCSth(W(U*>->8o(`OxOMIVV5nfEk=? 
z`xF8i`^>ewdS|U#&1!znEx%oB<8>Y5AgJieXm@6b*1?iLPl=WK%kJm;5&Vusqx1HCS4hd{Hdg_gw_POY;(6pFq*Z zoh!h~qXquZ!X*iY#fE#-hrRUwK6~ddu=q3_iu1Z6klZWqMLN&yD6sMXrFBI1RblyUcoY{t+_7kVW{g=&*;u;Q_72#`vf+ERJSpw4+L(txN- zjz<9HDbr84s#jD(Z9c0@S4L{hX5lcalG~aNdkTl|fhKEwHI)dH&_e`(1CSP~MUVe| zlyY|i@x{u$`^KcL!mQpku~gT5)2s2p zpH+rf*lh%loXARr)GjEW&6Rjp&fZr#WAEH>8fOmKvgr75xZ@O&i-)JM+OJi1iE@j4 zd3bm^o;JjU97u(RGipmAUw_S& zo`7B*ca@R8%kj4^CpMgVEeSUrR^u&RQxhS8I{@-OG?gYjZDIW5LBp?OZ+&}uOaS~P zWMMfQsylMS$*X>J<}6Vs!d1nHm><_xr^6=3Wje{d(<&T^IQ;yvohhN7zI<|@uEU|N zF)=}RUI@CgWOi;&PK1h1h)Rd+Nli}aKw4Aq59$A)i|7;F{^z&V~waOY}(4qvu-soYGljstW`l2Xws)(O> zPRL*1lN;Z!>RQOl_@*Jh!J2vtbzEU(F7r2!bZW8A zR)cTnSHhvyLi|v}NuuMMq1*`^ucX*Bu5v8;UdnEnW7|SJmx20kQtJ5Kr(*j8+W zJ`!Er`YS?kmqV0YC*e*Jx3rs6r%^-yqW2`{;EXz@#S#BYR+%(TPoCaJvU#m~{|0x!w!cJ?uFt zPrlvwIK$>6mrjVzJ>PZuZdVrNH3`_`UWxY0kX0{W=hKMh-d#S-3v^BiOs%;*q`-GF z8YjTL9i?`cw)>~G3p1+=X>HiP2E%MSjt%9U7rpkmZZX<7QzVw_K~7@;2gwzIo>Wua zK{tOAFw(}wxAPnj*B$q+mhvI_EMofO}s>J}c zsiPwYWDCGT4CG7+EBD_X7H7M4uvD7fh_avTJj%J*c}R}bp~yPJW^+uhUw<R{n%%e0-hP1 z+dKOU@ZaADm{epZQuCYIPf0cCPUQ<@_0W*fbSi;Kxg`f!A0l*rOQ97b{QzO<+Mv#m zt5EG}`N?Rp>|@+qzZOJoIrW?3APEuOi%rTh*vGx|hRY0yPI~i)c+KhsQFYNieZt!G z^^W2f#a+6+z?ang*o@--Xc(-Z*B`tfh3pu}rdbh}6UE!XND4O{D(7MARO-Y3t_AGAj5%j0; zr9;fL-WOM9>p<3AtGE6kj%nN>vPBrFtX~P;NTQ)FMW!g6HsFGPhiQ=ih^a6@-ZYi| z1CSz&g+$K$+88LW&uWotZ+HaY3w&!NLEk0>`Ua|a=1l`>q3WWpJ^y2?I&EJ_=3&?l z$f{bhqd>|D>o$;e1?U9h0;(QT>wzE^wknPN*(duP<5*#pmkvQm=Rg1Y?Aij&&Bd^2 zQ=Lp`?fFX!U~UWtHZYWHCSDGhsaY1P!k1pgF9EnFzk~p^P3hCWZ<8SZsvYOGq#*ry zAnk=S9F=05Ugy9FJdfxbtNVi2@o}@&52=KAv=0kt0?)ZO=+nCJ-9uGV7*V7Cll;$P zl+KGXs?JOVBvB$s5#bVD!E?dDZY?tun(K1)-RM->|3F5Kt2E~a zZ{M9|lLv}nL{OIRL7K*J;`*EA4uji(fLd@h|L1$<1GO|!!F#*|sFY0*D@i5)UoCCl z29p0OQ!m*AgZAx0z9gVoeVJjSDb?8E?*=P`I$_;r0BtIKibp;n#tgu2!seZSFlA=E z(Hr^Oos~;|mWrCat}^IcSn=5A5?pf zm=0zSD8J4h+IZvAv$30p`x9rNSa(dT`vv!tWpXi*K}Rmy(m0o{jKa{qelI2U5$Dcz z=+M}(h>s(f zW;v{ap0w4;!`#-{4_{*Q|K~CUmbtHwhe}h^4|F1LnFSZ(HCxWM-(#a{HJeI-7XVQP 
zy#dIhQu>MBP$NKg5Q`A-_vZt!qgIu1&&gMz59LQeWPQn<(+>+#i?Z7pi@`jW8klAF zg#Nl#<80!9aSQ$V9KR2h(^9MCYt$!hYs(2ilLcO&^SSMuuYg<7vSLrw z5_vh@mUC=5aoA!Tkh)CZ#mBDxPb2{XS7_Gny{j}oF0`})V_=W$WPkd<=*l4#t<6x& zyut45cUdF8j&Y84C#^Xn#PVNo33zl>zu;e;&uE`n`d8u9^@+{qoaud4w?(Rv%%@W_ ziq|_&QJ|FnPvc#3oBM=#|E$su6fTFli?}ZdS1f8{G&7lD6gSeAPhLoVM#ViI`CeL8 zg^O^ZE1*mj#~Bb24S4r4FC;n#@qy$xx;g(NHX01T6R zA7!)%Gzi-pWah=fks@k8o_$ae=FOm74+a3k+go87*HD3vG^hFg9Pw#k9KBd2SWRZW z&e;We+;d5wJXGb+wzHmeQ92CQ8V_o!fQb6$YQkdBma+oW_P@HU{{c|k+pZ?%znOR? zI8_%ki*4%vMxJ8Kx`ya%PbtQr zjwVOLYU5nN+V!_m5!9i9fP3e%TKr>wI`QP*qjNgG0n2q|FlwTs{!Q20t?}8d2|#yF zeSs|VmAqP$Di1~lB2eqlmJ<>c+8Ul_xq>x6`wA9ziQCXMF0CE<1y1Yalyq$+97om= z*dup989#oj8VJkm7p|7;h_^A8)SOp;K;#ci0iNoR7Os>y95FQ9g@Bg-C7$siZTyC0 zzjQ$K*|eqvJ5>4_)c^H{$(X5FtRQB?$tGOqT&B<(ry64v*7)BnwEAl z6e)c)%CM-FY2uJgUapm5m3iL48Mx6|M2(W>6e@5Va(oR45x}spj1SiPsgZO}WqC^$ zKzCC)#}+lv`oIC@ASm|t^ZQmu2{(ZPH{j8QZ}M7)j*Zwg*rYR3L`=gj_{~x zFew<_fp3mF#rOdra~+K{n$s~n^8kQbNS_2J3?M=`qp?h>^u5QJNgxG@O9uQ0Sm_N9 zWn01BB%O*u0MCS<>vPQ6zfZe|%?f_^tKe4bHBeLY6`h3WxB7NfCBvdlbXxH4v*jc# zErQ_n;D?2tAa65g1eJHc zY2{&k!kbJUMUYbTn@v8JctB>QG#MGkfNja?pTZi?`gE1{|7|EIt@kSPwrW2Tw=V2Z zwjU3^^*LqkYturPWs>}#HxYrBh90tWb`Oi`{X8B&}0{HJuD)ir^UtiHJ` z@6MG6m_>4gg3TwZexK+Z_{h=O{0(uJwNfe{czx#aXP1IkR|=KBC*E8EQ|*E1g<9`Z zU*=~E^Abazx`u=7Vr}xfW_Q+;+GE&^O8y8W>^lBv)l7x>{(`y6ID2ksvcKRjPc0O7>iBBi z`y^R|BgcM|K78a_gxpBBAaHP>HF~=tH2k70)j!ME-%Q$Ey>}y%dv^7HFJP(cDZh%Jv}971X`VcbCNrmecYO=b@DGAfjV@vqQ7XI8-SwFy+bpYUCf}$GN}Y z_ijvS_TF;tr8fC?%Ebvl(E3pbqBwCPHhK#b^9Y#Pjyvln3&@XX5kHeG0j zxa=iS-(LBt$16P9fq=i2nueJP3#@#D9L|TaSglJk_x1PVHayd@RtplOoYi312l8`@t2_(eYgUtE~aH*tgOz+&9om~mw zEYNy&5q!Mv%f|1Of5yLM;+LMO!0uL1eAi#{to5gfwI=oJs9;`{;R%Z#l3mK9k3>Yv zVC%Lg77;C*Cs~f40Y8IYypaLl>bNaV>f!Ijj{_nseGx`C*i7OW-;15pYQx362i1u= zdB-S;L*N${07|qUlx#n^z^7UXpg}JFlLBlh+W#8U)P~kWY}W7KJ5Q?j`d#^`i_+f= zN6w*_s|!aF$KbuUz}D3g(QJtar#~JqRtwy|&C^}@ zr24v@$a24{Do=(pV-tD$-Kmc50YAp3$G3(jH-Du%TM%Yh(O%JN zaRDCgU$+!tRFONbQ8D1ZFF(d-f`hFc%6sR9wk3>W+3>iBzu{jf4`q!K=F!<4{@9EZ 
zJM_)%D4Xfun=y|c7Y8e}-r3d-4$*!9xP(mI+1i%-zg)C;t?rmVhjQ9GySE^`X(m6m z!w08NwcWfT<(6hvWZ&Ds3zr>5E1{=+Sj;D(fAgQyh?Q6hnbH>Dp)8>8y;=nJz1UTJ zkLG4)glr^LHi_w`@s=OlieN7BjJ&X<6gZNm7n~pIa_s8vF(8$(ohb~vIDKgJTwh7&ElIFFIkrW<%{}zR?UR^n z50F@d7LOKSUcVU$UM^;y1BAnOOdu1n<>@kq zui45=M-E-pN!a9A_^9Qw$XyETiPw5+hegx7)Yn2^au(v=?!9G3iE*C>F}a;U2aePu zg1C7|2BPzMH;_74Vyg&iK}M#&S&vw=*?=nrvfo}13O=)uAL&ZPCsA`mGt4oRGcBMl zUx=(SPGRN=4nDwmVZ1T_iOT?bpm!!@Mp>>ugq-ot5kp!m6u#RkgqNNbsNOR>x7Ta* zMO*7HkuJ^bt5(#XikEWY`Q%TbmAvI#cs5ftdk?6|b240!BD4r@XFVoI3ku>spmrVl}D&*de~ zyZ(4dQ<61*^-BQ;zd>MP#9nu~?3})vtlOa7t?+#_tY+sd?iU$kUAa$z31|sb4lXa9 z>EXZqXebfCO5{DFyvNSIk-m7?h+dR(PUalzqL2&r!snEWprJ7T@H&b+kk5WaYeWgI z41``ZJBVWQEuNco`e}rsr$_*-;k0%`+jkO&4T?fm`BIFpYx+;U;N-cGk05fzXZwp% ztGb8VSnr!?Z!F6ZDWaq0p1NiGoi~7MT>3N3w3~PN;4c3HmOg0>9iw=y7H&&HD%Lq| zuyw4RjG$2y7GU2Ij9ilM#F9Z zT0B3$Ef7YOcfC^z4&-DYZhD&nq!SRRbdYd1^7*=8#AE{+pg!*226Uvf7G7-PsC9jE0$4OJBo#Zn)ywT#@1Ct->x>7L7V0w zVAYCI8T!(*KC6Kk#M^2BB@D-04=E+NV+s-H_u{>)a9=bX7@CD#pF2hUS1JxKkH1G) zl-HSCed`O=NVz($`~tA(2TV+T=9dS1DCWAvf`%N7w6^Rlg}PVRzi!fllj~j2Q2+L= zfLwh83qqcz?Ywz*v_$#vG1CoxB4V!m;dmE%jwXg)vLuSsuI&(fa%6(95jXEAdu@A( zrNmxjE%22*myzed*q$9a`=RFkQH8()kBB(CgUFu)E11`FxudCK*+haCMemt@;$NQ~ zAX!8B=N+WRtPw*+L-Yk7A`)2zUQxnXz| zaW$N78?gv_{pS1v=?|^4`r|Yo0E-~fPx9Q?ocf^Ku&}-!-1d#TRQ{b1aZx%O%1kAmnGP$sbZZ94|MZdOA~|8 zoAZM6v!2r$x~knEA~XLQ;zPD-dEhrESz%zVsVnrwELALK{%e!AMhH(*$SN039`sTd zJM0;-(UpvltG5q7Oh1zJMFrK}9JTUKb&a*X2V{qN189RHx%(g6)E;fMr^LQ=rK%OS z5yEqUduZEB3Vv0bTL7qW@vrM3fC-STsy64KI059P_qh9wIffTCLs=ar!TCAQQaQxmgK$2z!m%-x$!Bhjm1gC0%PNUc9z*{-K;2c{hlFFHH3U$<`q zQr~ar`od1n{W>QEaJ|QB-XIKtk#u1{ccolK*%fES?h`gGoSA*S^|gHV#f3G+D*L?r zYV;x+h$?AVFPh%`7QH?jVsBE4N;d2owF}99_&WB%;HIc=JGV6kFpsGv`R3YA#N#p` zu{(I35~a*8L^|b-?2)gxFRBDqc`yy6_x88_SujpfB6gI&a_ipidY1)KlIV?5YGiP#q0&DJ!PA<{EGzO{nu4U-)X61~9nf!+b39FeWu8Y~arm=0PU^$xpG{KxRaDlby0#WG)S+WNwFcyz6Xx1H z@C>u74<-uciI}k|x6Es{GZ}wS&q-Wv)YHZfPv76jS?exvvz=;f;QeghUMKsru1vy% zB1);ez!0q%>Mi$G4g7Ishx*tcWd0=elE)8)GiX*S}jFYjZ&lb-g`t* 
zTWw;;3StuxNsQm=^M0S_>HB`azrP$g$vOAA&vkvS&o%Dr9^*C5<`_8TsEo#UJ-Daf zjVD&bLPTlJ-j!2Dsx}g<_$i_v5nQm-TvDI6U2FGQBJr@>dK9_Dy5r=-j1GnEtxILN zd_!g44v`I}n6t}myKIx%PM%f`-+IqJt;n@{*9VSfvp=dOxaLWf5=Bh3k8qwl%@1h8 z2YiUMezsolse6QBv!uI5&Qd&5EBw=J{5*-p;Iu(oZ`n5Y*~EfnHD{fv8@<)E?3vic{mNdH1^c`q5TVdFE8D#|XAujMwI5k7~ksQ$sOI^@XsFhv7vL zQ;r2pn+qM!XJ3yKAFZlRXO7vfuIa@WPM3E9D<>c@q28HdV50%?2c>(68n59*gYHeO zI@IW3d_783t*%-Ozs!EQ*mG{1E;k&8ZlK>d=^o>qY}DYe>88`#CVvEUQ_3`{txLM( z&RE*t9}&0nJn8BN6VS|6MQS-&1t{eL4&!q&evUsrJ?A&7=n8~AQ#)U1jQrjP=<<{K zs}099=Ohxw-a96jLsSKpvqer@ETGq{7dUHQZW_2rcD-MV)djfjN%fVE)Rra943y9l z$Kjaz#n{Oob6B+j1Y4`l$XJ7X~23$i89 z(M{~$J)jS!%hL&9iPsq(ToRB@x?b#?ZLjSlq}a@5x^}wG$9cTqwQfd2firoR5 z?4Tr-34RlsPVKsbc3_K$ADYGirtz{(ctSZk58jNoJ+}9Lmxg#A_v=Nb<7nsi2quH? z&u>k1LdowDnCc_`Ht4g zjHfgQX^JRTN#*7DM#ix28eKiy_G_n>=1YvH<}_g14`1l)k1+??ed6*G;KgPjhMs?6 zbIAL&OX*WukPQQbx6zG(ue~k!`2ak{_=L;b*$+@IHmr#SujH)Ll#WoQw|@(HXYVAV zc1p_mcB81?#MQb>E>cV)ie6us?|cjQn!DWcn&HG}a@MpZ|9Pd5he!DWi21FXy;fPfFZ+=XmeGXxp6#WJ$x6EI~OH=Wdxbby-4iUt(vtHD;#HC`C3@_Yo}Qir=B?1;!?RYPlt*4 zrb?k?jF&2$@%gTw5*Jm9cOdn#3N(E-2`btDP}y3!$HWgKur5WvIu2j#on}l$%V#BR zT&+Q+%&TB6+Egy_&V9)bx^iXO&+O{a!LW-iPRln`nxIoww-xKqU!@^Fb?gS#hO+BO zXNiB%-YiruvQn1|yfGPpM9o`DZxh8q_;AZtQbuzWTXRLSGdFF=Xt6qi)2i(uT`TZ}5jO$|tq;F8`(H zB@@WNn<5AFX9XMCDmS`nrXQ}(3O^UiaTL(K>pxhQrgKQ*RbojWL_8z4s1WP@1s?lx zKjK+))$s|18-Z*3t)^35yRQ0Ro)wV1WxTsr^S6^%jR<|OIs=7Oy(#rw@6w;Y97Y!Z zT;LLjzqe~={w=poH+=H|qr2@^9o@HCqq-~EHJvGRLcZ8WhtkLeij4E(;K?!#sNKN%VxD!qb=2ZQ%pflUcC% z^&Kh;v4QcgW%4zugY@5l)whuTRdEB&eda45pnvDjXM&^y19WvkuGQgy$y_wDhx*Rg zQhb4n6l2Mz(is29D){WEU5qbIfUBqr2L8qSQ(>te$#rF<%9`#Fg<3#YkEc67QaH?i zE#<5I&cc9a@_4)%uQksb4`E>mjE70F3WbUU9c_Ne3&>->rk~9*+Jw10k+3z2+-sA*rf67g z3G?7q>vuZe=t9u563AyCXsFVyGrLXiI0bh7K%6a7IoJC$4XEH#`9okY*~pYL3bEn3 z+f0zBEGDX)-oW}iIQ=JmT6w0$Z?4C3Od!xjwxUhDSB69Q-@}VsR>Ll&kD13N4+^`xq<3fW7vay*O#5HMD z*DB%cn$v?6MmO5yL<1b!b-?@QV*^+*U!&UZ$grGIoHvR#E@7ZVI@UrGs=1S_Y?o37 z*tES!nz*_hi#;<4S)_m!(vn<|BG;RDu-T1%{LYe>+B%y7mOVULf^Z$?jsf= 
z`q{Jn!OODDb1#l|cgu#0`PZsIV0N8T6+>L!KaTAZM<`09(qUQ&J&}2rL2JWhg9Uqg zsPv2K&P;alcyUtx<1`~pQJW?5OYvd!Te}LSTaqw>-nscqu6HN{xL-84_w<%r#FTYz*vBEA!?^s%6+UDBM~WmaI=3VZ>8CgH+1E5bb~b4& zMNT?T`42iUMc^HNWp1z0Pw#MZQhQrwZmNfk$V&tYOHb#+^iXr(-)8yHZ$IPZ@bbwz zSVQuzUX`2i(^9|AxvoPJzZR8~Sc0qSk$$+?i`|&9O|C8NinJ4RY|nnpn#F8&EyPci zMTPC0;y^yN67!VKO*dZ^8r3Um1{65;OMV-sxiojj#Sj33<#wI70-_j*>{FHx&HLFA z$qTiphrRRjP7kiBCU0NNehf0R3S24N9^^p0U8vZhp{Mk}b4`53DR|ePGL}(zE1h0* zUc`VYJcfH?_ltBPhtv+SUMXfu2E%f&p~g%9TjSHMmC1a zHPLDp2$hLkHRoT1su)KETb&Ahh{!^9W-SCWo*P#6LEg9?{Yoj^e2blZFUB0$P)V#h zlyWzXyb7)O`h!1(QYf$+r8+!_mpvR9UqP9d95UI5-_AI%C3`l==_cw*QoomZ2p#JP z2^>UGRVy^mb`7GG>Jhkz04B-D7?6;PF*t)1eBr)i?7t6^EA6d7h!yE|Xbr z46}D_8+RP<>3%tP?wr1yRHZO#2xTR#W#e9#<0Gz~%u=aUWHp#+D(s6Um9_)~FCSe9 zMW2%;3^*kyVilUlT)(s5(z6Nl!b!;a?!!Fla&s z-Vs-Lp_uSIb~=)L|NYKVJvhNH z&Ak}a$-n5dHrn534E}t|A(J@nwvPjri!IfVQr6_p;cC| zZNubD_w<7oE&E-p6AR}_P5p@e-TwK2K%x;-MlhXK$`l)FF>`Y6C88f2A&dF&KpY2p z5Okhg+3ejMcH^YFXKh#en;)EZ9_A|FFBA z$IU87Tf%lW{x&>4z2Gd8@;bTAqvE*z!I7YMON>6GyjB8-CSjRTr7B5VIj$5wFjcv- zOz%CZ{mm&CFdfE|!k)X=&*kuyw2})!J3lyE5YJOq(%0@E;6l0(2{}jF!fl+F*rbQb zJJFRtc=fV%6OT8cNeA_5H;G`v!33Y><*kISmW1@Jq48`fHpGCkYBhHV>_i#<1qyu@ zQeE~%bGQ36#?5wi0-t?-*pVi1(&Le}$_3Z1GvaGc_}W5bb3cG*;`9&lR@orpKvqgRU(sc(7SXS z9m~up5z!g^mv?6&HzEpLrr@o-Q_hb-lKSn^ET{ksdUd|m|2gXy1t>eg8fLUqa#|&T zy@)rg+A-$c*(rI>?XO?)ko(;ri-}PUBn7Z&>Cso@{fc}hptbU> z6I;z8(6iL!;(BlY=xHE??a8c@GRmcijbjg%H0jm#&PS?SepoGzv2&+PL{h}N`E^fi z@tw+jD!FRJZpY5B@dsh4`Ch@P7~#!J=b=q|w{i+tlU*Bq6n7 zw*t4yk(sNj`~8PseFX(;7)9!VmCzXFpm*Vw9b3@vluy$S&RW?#eX7|gQiLe)@!uX~ zUW9kec5!N;jPTN^EzKFwkRJqbV>y}Xw!zym#~SxhD{>~7$GD&F8CLsfm_zIQCZ0o1El z@i*w)U@_q=u7AW-A;l*6D3x|15kRZ;YCeGRJz01LfSqIt@C^;lYLj0v8va;k4O-xY z9Yh%Z8?hA8FSOpKzs`5TE|OoxKhiZGaSBMqKEg-w8wxALUP%scCOrw}M$&Y4BP)N9 z3XdJ(7s#aJA0DP~=z_$uwb5PB_?~nxhuU#92V^C-L|xx z8nBi^DEYegECsD7uB-cOlla|lZ|4lTah(ru<5@=xK7cjgW+GR%iZ=O>eb zIaI6dwL=x9c*~v}L|?XD-N5hsNTy`rR`H~U9UOVGV(TKOg=Z0mfClfobZoo)5-0t| 
zsqn5t$?ys#VnPIyZy531>jr_K?FSDxdPA8TQxv1S`<uYE?-;F$j3;ghEiV`}s6|Y>CxO;18m=!FYsaB2MstCPpW-k8msu70BAz3!S`wojW zj@^_zUV9FLJ8<-8dnpW|r&E}P z0ar35oU>cHIEYh#===zP2l?;IasW4)q~;NPWPO7X@Ph9eNd!Cr@aXx#0kuLbo{16A zIFui!9c8<;`o!8<1^{oq0gPxz{mEHJ0GB@Vm#c?!3dDrSX)asIawzD=GN#ZDUKrC@ zAGDgI4o!lSi4s7LM-Mg>tv9mlg0Y(6+JrSfail~zuH&ahV` zS}R0ninVDEtE>kH<@}hYM~2lwWqA$cV7};tL+Os^&v0M0Ij~>wt`Iu>K|Hv60si1K&x|=?{qZ zvMmLrlym7pZLKZQK!BE^0qKoYJ#BHWQKy(fz13?(wOo;S%EcN2q%UuigN| zZY?(0{fsoSx+I#j=KL_62;O%wlt{&zsrC-@H*)4_O3(~DPPE$cA8ynW!J zHu1^Y(KdIvuV2n@@gyD(^}Ukxik?>Q5)8FWtaRSwdvRt)i2;d+SNtX4ol8*8f8 zf-TptNgJAAp3iZG@EQT#2RPH_gU;7bcNCw6Z+aD@38=C)`a!eCfnu(G_W{-8;PZ)$ z^g0wbq=E-km&kVktJ_9N*-ych`dKmIa(c#3m|VB(!Yz%CqjF*d&VoPg<7FjQTLhVv z(RYmc2&}NYF2fr}mRCfwzcf@zU%^xGu0@hHJG_4OJs|m zz=;KlDs=Np;UuBIsvmF5t@~z*F=)@J`*Jc9CTFP9Ms9}tbS1j|X z+3XHlsuq|LhDTcj78E|C%tWeb>4~cZk(}@2@E-`qI4-3oXK8ec;=INoH@()cd5c@# z*jts!5$SP@W^plDb@k7N6?=07jJLC$xB`Y|XSmkdXXV|WVfg_daO3VuY%`hWNbq&P zd8lNNsk#xaW;C_QL9Mh{QFNi=k^pHJ<*}CK`_!cH@H3>LH57pkrG}DC-y-Z_DAzl1 zCW}yX4BhT@Hbi+jayq|}b9Yj&vOPw@N{@g0k%`g{7KD2Bowz$|EXx<72#_SkoT1m+ zz8%hb(64R{2C!{X&cnVH68TYNCs_wwEs)iPJlrTR!EwVY6YFvKu#I`2hNtJTWS%b; z%a2||t}YWHTUO9`+OwBKY4l#Ug-c9z_?VU>=`b-D>G zIpJ-ImT?jezbSR%r+X-;EfB*~nf|(7gi|ylFMd`upHN zj3xA{R0Dt`7YC3uz=v#89%V9N0FHzg@B`-!Sq7?PnRqy>HG>)JJyK}9uzsA~tjj2Q!$*Wm{`M}n*HeMSjEZjcF8;3OjzzN>(?=BSU& zO86u{Ve)G-Q*>`$r6VQt$8_~NO5wA;!#y7O>GVX)O2p2&is&7BHB>G1sLa4rxrbCa z7UfX6v%`+I@Y#4zsk^kY%^ndP({vB+Gk2r!{b^TlzufxJ7Yq$*rxISd=yO2OQSl)r zc&PZ0pC<`rvp)o7HG|iMK8N3}|FK6Tsd6Lfjp(`JUfEc_N{|0`7G%1EO(Sz(^nn-b zl2Wm@-C662$9ct&V8eTK^ycw1QubzNgdDbK@JTf3A$>C$-9K6N_P0Sk6 zonA$Vm34xreO^mjq(I}(+#x(`oEka;v|AP_RXTh1R*pO7DTP!@INO_lICl}7xh(+y zOc4%Cr>*tHAo~~?NR+5VopG^z@&;N`acROCLwBg1O)2TAjn}Hze}_{o-|)*>T12*) z?XA|tCGHX5g}(BQa7@qZ9ewo`=UEOv%vj1zTTCaL&-!d@96!l{)<9NB>g5#GyW1V+ zg}Ga|uD_^~(+s|QOGq1ylqyf1TI%pp{h*UBXqED7h>+%^A;l8?aWU6b)Eh&Gp71eJ zBaL&bilg9wui@FHs3$o)|Ip^?EqJp&I&U|I=cnvp+EUdtC1(nrgFz{&ypp4tIvzmh zo%QggU}7cr$u2yQgcZY~6HZPY~p)fWUrDWvd^8ElG3(l!oy=KGju7 
zd^Y7_K9=R=bbo(5o&ohlxL4z~RlDGv#aA9oWSnCIxl_qK@yG|x8!Utli`t2--^_y@ zS{OvChWfU3^;golWoSOb@BlpDKKa56{AqRn_56^uEkLV8!WJ9^sK#hs#a1N)G31IV zTC`~YPdNSgVc4aCkTxHPP%`a=!xy_&>$+tH#j~s|CiG|M6h;?y$8broV|9NqZWa@X z&}hbCBa9a|ygLhxP8k5Ep#T8+=rcf2vOOfNqH z$_nNec6-F^&SIkA7Lv#oMG-Q+OL(7t&`u3NC4yUMKJ)LL$bZEh`&PNzQ3 zAQ8be7M%_IkV($9fg3S6H_Tb)VRcLT@f}{RCpn!}F&NU^lAuN2l!uKqO}zUxhg*T~ zGdPPt?mj-RFvw@^?{c=BVnURNxqHSp#=h=4?YD?<=r?`kPWn+s-PPf25STq3$5%m< zWFbw`Af5v;GQUX|#>leh1WvwOyYiVTPgs}1P;$h~vqqw>z7`}yMJsgo?b<0(LwISa zk1wenb8KeorsEOQQBiacyLpt5R93{oNC@Nd7@K_V|>?uI_lO!m;8LLo~W?5L@H5-wA>fgR!c-qGMulW zf?+a}7$vS_BWhdb3{byCm4f-!2m zq@gHA^C_KOYU*D>QAh12#C7+rAI3%7SEPyM|a;?ej*UsrD|Vv+4w zD)Pfacu>9jdSHO#bd8xN@g(xAVlSJX&AD@44IC2gKL^60UUns!ZA<(f8`Gt)bTTnI zyA}yy=aYz5s63|!VpzETC+gT92sKKe6ZX1i6?3_>Jo3vdFC|g;UI<`jES7nKvmTyg zG10uvhGyn#3Z7S3S>*hLJdsLU8iw|#SI~7aqG_oBDd-mejC+9GJqqT`6Kj*L)(_>( zGrSp}dyU29*Dwa_AQ)Wa%xoXFqwX)PD6NwdrD^w_HkW1geoP2w-p%AO;?F}(|HDOa zjl!tT#{NamSGcWNUe=1jhB+FVNx4O7(q*(L$GUwf!`GRKtXF=lg3Ce7rhps%+O(4U zm8D(BT-!@+<<5ayy<1ZiAHk1oSTf#aqm9GEmw?2{>=7?!FQIcswojj@>#h;+Wn_)C z?qi=tQnNPNjKQo=2(T=+1G)7AdvfJ+VI8Hel=2+cP&lAuj~c?~W7V zM@mF6J8G=HdxO$;v&|-%FNBcwCZ7~y1w2|?4+kORCx!0zIjRg)W|yZPbv|bkgstn; zmX|&;F*m!|=i+YNFYP2kwwk;mE{2W1GX9ni&OonpREK(f^f7%E=LCm_J`K`Vpj!q4 zBz^*o<{xf{G>wUY)vkc~`5Ol^+XS7%gA&5~cj!de-j3;2c2{{Fh6x)=yc9+)NXX(T zjk3OB=K`1XTqPf})i2uTL$MO#E7AUbjf$}dYvnVTq7uGqS6tzjOP<)noXZYqPQQGo z(3@)9@3I=UStaeWmUZ%Tp%${kYX6h(7~iVAfIu1!NBJ$$Xq%HqqL={8p1`Dl#CZa_2urM(7>@I`fmPD~*ehxE#7 zuvbC$HS+-4Cngt1BBCGju0KkJA60amf*9Tx+Zw`sJNq$|pKakJVdZUrw6D2%aJNxT&a26U_l<-!S-KyKwOe5J?Kb>vtXTU}vuP`a- zR@a0%=g6K=&~+Np@Mmoc8T$3~It7RpzdQwe<^rRsEx)2L>fkSWbo1>pl2u_e(sds$ z0Ejja4mxC{O$Mrl*8)xi7uEOKPS@${K4u!JGc$$=Dl%2DdA(@=EvL(XoCfRpE99gH zY(Lp8kR=o%f~?!73NBaPRPQNDd#5l8l6z!#v9Brq@vos2Ujx!emchf@J`WVFj|XO( zL`Rd#s9G(j=GMA4t22B|#spi&C*~%SWLSs$C0Pv^L0{Ove^Z0Hv^!sun2|_o^Gi3V z7O2>@M-Mi`j$SqRa%m6$dahDVMfWxXP{8Y5t`7#tQ(=mq(RS)R?+LhoHZzndF86rFB 
zek>5J(IPo_p0-3!89_0_VP2%fT+MPZ`zX3)6j#7w?*WXTxrQicLw>4}s9-s&QKwtoa3VX431Q54IH!CAFxxr9 zrwB+G@W~YLN&RA*rd2X+uD06HlBcjk*+w!^;P;o4NH+Pzm%kh}{6lNiK1YveTV~`B zkZ3`d8+6WnzthgCMtS6n%kv996;i}Iy5%84mAkrOxH{fm$Ni$pF#2>2kZ~B7CppmV zh32AMNR106E&K_OU3L#NX97Y^!Dqw8BxfX;;I#`F{}IoOrKth?$~`tO!=)I;@=VoT zy^*jzNsxU2NEt`~pFAnGw9CoNn9=8r^clHQ6QDqxy_qCQj;`9U9sgRz~@Rh4;cU&ApGzWhdDpec$X19Z8{hN^yo`U%>L;s}CHk6I<_QdJyCr;AJ zoS?e!=AT0YTC4A(Ue{}kuSvna7mbu_)r~l@6jV%#gcQ|3lssGV`jx(^Jd?Jhg!7Z_ z08YE5V!(5;gkB5yp?Z23$hj{j#R42_&}#P5|Kr*!Du6<3Of@(L-yOa^ASG>3BgFt`7CCn%EI6cQUV-!G}Vlj-=j1F>B|AS+hty z-Y043Fdw2DX75AwV>77K#bMTa<>$RFUbrl1CUcR_%FxPi7!i_dBftP)=3DEGb-}f{F+e%*| zzfpWte#T7d8=J!DUVYjGKM<%UU7&yalIKFgh3~Ysi~Z`T3dOb;q-Pm7|9o>o=TB;j zUCo48)19ukD8p0{_4FtfspF3=e3l+=l?`RMfbf5D<+XftL$ov8WD}EAx|g4ckhEak zu&{CCvD%scKC=<#A2k{G3T{y1`XsX+8aI0Lo!X5TTnXFrAzjuX&jNNk3th3FKg{GV zHEC2l@L_)*_%fj_UXu&rruu#|_9Vbn9q zVICI_$|@l~NkusF3yMY+qPz4AoiV}d_CDaxE~8;RY3T+=ZeSC(o`j0K(tn8KABX8o zy0AUBSZvY8;4l_`Rw3RRRzDjPh^=AIPA@(Uz5g%nm8cSO-e z=arm}42W^RXm3}A%@ybxpO~Uj29*{YXUC~}Ru>zK<$ARbC}V{=ob*rsuM++>sePTL zh3y4`wS~K1+Z=TVYiJ;~YYnl3L%7SwJ3afORV|FWwY`LLf*XBXvv|kAz~_LVzyo?I zdHGWy4$o!yuC>ZOTUQy3nUQ{ozbiL-V=tjL(YFu(iyFMK)RS1Te`>Z%T0eZO&@Fb2 zqz#nzFewAB)9oQ3O|QuhEERYI7aR*Z*__FAHCZhe4J2H8U^=Y9MJu5SJq&NXxRU8; zgNwXY#a8J5AA=_VR+&Gbe&qYU5NFb30gD46B*!fuhp;=BLaMpZ$vWfrm1o>0BDn+R zxVzR%m9dZ0cd;E0iAL_Y*M-~~qH&3L|J0}d0Vx(G8U7}RxUDVnu^IKp=>w@qKSkI> z&%FTn{mUWM)M&~kynL%E#Q-6AS}7mT)}w!5`aVWM*U~bxB}v?~X@NM6?8QS)hZHx; z(zh|g!nO9PddXg$bIkcD)kzRTK~EA9ze^;HZ66-VG6gD(`h-^pii3miZmP1FoD$xNq2b&N`7k=VRIw(% z*iULbbizvi%pX(umWL}jz;7z9UI)x5-V5s*%TKIj*OB_7O6XuKbba!V&Z~P;=|>Qv zmO3JQ%`&gmV?ieJLBMnOhe%s$;$sae9Srst*K2tI8m_48QCYau*+w23`oa$8fSPMU zM-?AWD#i{#Adrde5$#IRNb0f4wQoz(l6Lo_cHHoOjUus~!*$OHr9W8@IuaSdCP^aQ z#e04yJvQFt7=zVa*)P5iJI`V={eiD(<<;Hi7XOS2FehtrGW0aHH*LpO7}K94cUt(_FaBd|v=U`DIsx0<^xl>uDEuzMpY@^XlX9-NKo=VKgQF_jpF|+_ z78aHBLsqZGLT*g)jQASngWu8m=-F>21;In1!urSXQ#UQRaj!XGsVEJ+@t2ZTFS6sy;g1zBX|tsfjLBVpkb7( 
zjtveq5wUyLv&yYH2u7Na0#|YS?UGB8)VktnA?5qeibq7EpkH?(f!UJ$3(ZN7ngrWf zrXgPwDovR7Jk7!Yi8)u_D#`de+9!Q!tfu&}Vl@YCu#R|(V)L^g|9>nkpyX1_fYIx% zSDd=>f9!CU1r=Y@+0}%#8UXlvuij%Z2{?C6b6t7n$lt(UD$$+3*k%(kSzQqTej%Z0 zjk$bxbnxX@2*)aa-KYB*0($}C-p%yqI)rad>laTAD26)TKQ9@T`NW=YP}MAe zo3(IvyQ=Oge`|VAA$uo~UMo5k4i1k$*l&YB@LXSUi&PBfxF>c2VfzT5oA^0;zZpEN zq}j%*Eq?PKrQs7f`Ab5}p|nT(FK`$Vej{)S0A!0dx-v|_v%h(C@y`)|dGc3b;l-fy zV}HXy);(a3>g3h^0nS&fREo-tq|10rNu>h%YDaWTD}y}FsL=?#u-$1j!jKj_{Kyd5M`AVRdhP`f&<d2ehsVMh{IL_p9gDYkZm~$}1{ta3D71^zm5l z(ffdKYWh+>Ux{|cf8OP2gpBT|Au22PLr;oZpOr>GNl_?oH&{pXwy>|3ct9#HW!7|1 z5zlt@F;I+|H+oN=%nn!vdXbqQe3;PRxw0bmJ6z{w|DCM02XB|%isWfA_P=kW z@LNw9?y~?9^We*nG{H|YJXUjxJX4mVqaQaXFTZ3?5C@ug-SG+|fTsZ9|lpHl=)7r2+La8E-s1aoAa)jGF|iDL|M-2?rZ+so^O-9<}R)lNc;pqTGF#x zwNkaic1FD#k?Di54&~N)ML+8JhYRdtUZY`2k{cig>7)6ia-ehtjrTZekS^O&J22ol z-t%a%oW)rmQ~8ghCsvn^k0{_#r(eV%Msgh-{;`kJ4L=%=5u6J5*?Z38yB`S_$tHs8 zb#!n3OXHF+o-W%mh@I8two#9|{}QJha9AAeg< zY}f_4zv&tP=;e?8Q(b%|e2Du0*pIjOFIs65XnsqIMO`r8ZSdO;&&unc14dVBHkH3@ z-n}*B2JX~Rt)5R^ilQnM)P2m(?u>yqAKocViaW)=vESf(R<*rnZv z=4j3!GOgN2QWBzn*A4L9YIjB4TpP7xlu#k4_>!(vc}*d|u#2soU1Nj4ZY)`0zJtf( zK~VR#_fL@&U(Pj2DUZF6E#YC%`(x7^Ajgh0CFDFDdOkXOiYosB?wUSTl@65r87uAD zzIuz|sgrM#uVYf;l zQDNuQpETh<(|ZR)%8E{d33mg2gXq$;)g9FZ+MtWp-SLc~-DEsOBHax)g;#A?K_ij} zRz*KQTSP53#;K`M)0bHMYLGxe^N1h!X3X}FP7yWS56S2FkGsbPc?jue^<2;GdL!?A zBSM5E&!Sq-pMk?@&Y#yqJ?B-6Ma&CU-mLX(#)urPCz0tw8a!7kfbDZlx$KhbeK8FS zuS5}JvYTQ6@F&gBA|I_&R?rO=L5ZH@Vo-MTFAY0fe;c|tKO9aEHU8Y7*E#YH{ON(l?*j^6=H-gF7$E5!=!@2XZ$~P~PO4e?{@DG2Zz@E^jcEd}6 z+2CvPxvQz}&+1

Fht$LdMva?h)&~-;%VxNxNY8wAYu)py1c=32R7bd-~H5{f%y1u%$yVser z+Wqx;wC`>N<@QzNvZjPMuU`v#wXnekXHIgL(ye+r%NWN~Wb$EGf5B-Q@dtmcP(PGvH;5oP-4I0F%E_ z{E)akco9XI;(TFsSoSe)gz4m0^Bzbwws-#<#cyg0=aA_VS&+u8A$58l?BHS<$1q z%Ti^bZ3}+M4~EpB4H+3P^Pc8}uXtSFzpXB%1+&}=O?GZMMfWFc9A5uK2mhSKiVR&O z+0;&hD_Sj|FZWhxlC;7uVnfi|auz6O7PysIn&1E7smWjItOC$Ffj|eq&^;xOf-7J4 z{MwZFd>7mzi)UPvP^#E?Hz*=oDH) z6q-T0DdM?^#!kze5m`otYBg=7XKronL}v&MxHJYrW-F!<~Vdy|enYaMB( zJMi@%)QtkU{=h%^{o#c^%Hv(B)DeSZBJ;GOO?_q-`0vrDU(`*)Lsaua!}Xc+PdRu- zNxl-zd_tm)T*Kjt=Rat}d9~-#6)G8kBtwWG@}v@+FA}2ti+*0Vp@akRt|P_P-C-p7 zW82*A@ic~$US5X>afR#*@b=C`2rqj2)EEgU9bhr>2CIHizXRw&r^09FzX|kT!M?Zk z7u)Y#TPsgS_7nyHNlpqw;^5yztjH0VR@Ojqi6o<1qV(ADZg+g*gISc<6*Q-Skkke$ z;xpT^x2;E>+x1UfDYrh}%)YKJOI329uVk?%u-fRUdmE7|P5$utwR(S>UsJu5)n251 z^_6|AC|kFoRqBWO@Bn&b@sxm~H>j?qWl_f~Dzj*XIf^u(FrR7?6$yd0Mf|O({~ekH z942PwJ}PI9O#Rhc$2+=1bNn2jPiXYvYo(CFn2O5U>6^@*p-Z=Pem?(x@M!C4v}3(c z!X6~?R>IC^3=k*+lD%-hP&|v83=wdwCQ7?J%tAAw<+2qj>SkMEc0TDko@W(%Ghd-x z`}eJ0S00Fm{VPiUGorZIH=s{=zC3k*(&&48^AV%r%2^O^gxg%}W!dV$>+!3z#T9*z zxvjqO41Oka6~UwRC~k@5)sr?1e<xPLw)Kp(bd#<45t^N?G|Lbr_ z`0Z#=(!xO8Ya5!f7`fFz7<9%AQu=D}xD zkD}z?YV`ZjR)D<2D$cbvC!gdfRsOc-f9~-{#s|20T6Je{dw4SKgY!U)@G9T6KSrL# z3!GocuFT^9^QzZRyq%*%>{~zDlic{IQrKFuJuc=poqDqLSyzl|o0(wzF|hr@LtxoS z%la$B;b>0Cm#ba)r|nZLMqfW}et99@VZSQ(uiFa@)8^Zo=|D}OWUVz9lkIh~Iz4`#V4#$SGi{l}y{! 
z_&4VKH3yAAU6k$C`3%qh`i0CO^ZUcj3Cw-2tgETSbC2uFe|=vLEt4&J)UTlFjYfgF|l>reZ@Qa`z|qni*$H3 z1a!2kR&TsB;aF$wy!<880Nh|Z8xVRYa{F9mw}BqP=Mr=Vq&rV<>wfUM!Qfli}F%17tW=5R{kPUVJ zF?Bg6?F{~4(?5Q;5)5QMYgX>u{+}>xvK3Xa?_N**OHMaIU4QO(3c4frbCx+*x#T5h zAHHZfB3tG)mC$zii_E?*qMgu9D4svw1S1+3Y?BUXc+8$-9*}C`Kx7rE2)ke1Z<~Ux zE-;}ys9a&nq?vlR25DG@*1`}Zpp{8aW!*Q$5IhLBwk$%5IOSmSP-GKiH{a!O&pjP2 z*ko!=lyax6_@{4*;@0(6oV$t>zqWxe&P{^7BO@b%ljV!s&sQC+M{sB0g1z=F*oCtYm|g2z5m5ySAOSzy>Pcy{^UBp zl}hM86W1=wq&-gk=+3_y^p?y6&_@&{eEfevb2LiS)EG*6StE z@u?o-Gd2gQn}IfGY@lps`z=JW#Sx9jkc2hYB)H4G!!7s2Fbb7~+uED-1{XqHM?nRi zr&rSV=Yp5xr1?ZF<&JkLDti^5G;)OhFR#(-2JqA{uVAnLfk?hkU;^L&E?#Ca zNjG}7@a|t&&rYJ#f0^}v2t*T|(09&m!O}Up${)dGTKYX>K?h)C#V67wC3DcK z&+Jbns<@{D4c_OUPBQE;cc>{BCLXdXRc+=!3WZyC$ zg+y}AlC8>VUU=~*sL*wu=N0OWp&!xw97KFK)VZqya@2y+CqWQ9Z7MJ^JZ43Dz{)ZF}fq`KY(3V4&{vFLM zm1WaT&^mVNfek&amXs=mq5FGhp+9zzpEV%M;*J&9JReNN-BbIuqd>D{`n_(lkJ(dB z;o-YQyWUJ>iq+AdZ{4_o&MGk!2v$cfA^ztP_ksY<&0=DbhRs1a%d0UwW-(FwF$4M6 zILg%j4#;gvJvscxpZ|}*tO4u5bt3@J+R53q@O0W6+m53#+YbvtGN+hndA{nteE14H zDD;;WW{Cn%$*R~*_Xn8$KGcf(>)tQe-}FaX65wOf{Ve`BPQ3kH@1e(X@PB~uw2U7jMf8cmz z98p#dk{yyAqRfUQGqN)ydnJy&B_l$1R!Fjry&aB_Y_j*x&K?KncOSi8@AoUO-~03Z ze*Yt#^StltzQ*HvT-S9!)e6a6 zpGntJmamiNF?0Qt-K=(wfT9^EaS8|Iooc`O>T=SB#rQp<5qdS2_0Di63iN%4wLcwB z&UfVsJ34cg3`*LkTgeV24P?q;t@M8ULl}$e!AD5;M(9TuL3zmm(ja*J8tV=9=iuuv z2Enf^Q-ArV&o~vaKM5vew>1Tde*D=WOaQTNOt0+d+od)G1`7SR1V|d4f-Tm3L@lxii0t(L>+1 zZW`s{DzBi3iowRa?^cno&WR-A|1Yol8%|w`KDC&UOV(TfQH?-}!%040z~VXr<&g^> z3d8!~_ysirdOo-_rW~YR3xd1XcgUPEI!XO7%>OE9T3M?hrD0mGC*z2;la28AmkRb= zY&4M%6?LTnZsyBN3 zqrt2IFm~A8&6Z^bM<`%DYi^CL?A4+yK?(~-Yu87hiEABu&*|I|H{E2DaJ+>-xWDh` zZ!=nLwfQaFAQCX1tob@s2Ag$v%Puc3u9g0Jn@}cq(#0nJLRn&yF`I|@daXv5*(Y(a zXO{`?Ew{M?YPCO>;Le6c*7ysw{eUJO2h41jWi8g$X4{wJF2pt^KUxWPlgcac>k(9!*b)5 z4$bLq?bbLZg^TY|&|v)JVhe-XecK-kF^7fqVQ!l<(VouEL$f^*t!dK7t>=}04ArxF zY@1E7eSCRhNE+??Hxcw(*+5eC8ps21GZ)Q4IUHuyn}T-@$OlU#id7W@BEF<9e09J? 
z0a_TH>OXQU3})#1`diB^*;is~T-x0^zGWS37lT6B-ipetBUjf^{D!{eBx~E0iRpDb z!h#2)1_qk1bSj-Xkc7e3GLFl;w1kLXqx`HUFBarN-&XLvNvprNGG2oZ^_=oSg$TQE zmire#_=%1r^)Z;m@oU3f$Ym+8lqcnnh_IL$f;rg16*Ma~Rckc6u#+Y(BzN-F!fgqZ zS+YqJHlpG-`d%Gu+@sm>61})lVRlh(daazT{x|oK3}2g(Zt1nw-5Ct~T3J;o_kAyy zv$mUzf}8z`0B62;*tvEcovswe9#T1|BLd^kRo~hH0^17EeMpQy3$O! zfmD*T-&W_b?-vZBpqR2>s$>C@w5|#bI-{JX=3qNlo{^T8mcBUe#<#Dep|e9d;I`E2jm0R*3q;SCB@lGf zXxBcJ)Dk?xVr9pT*79ePyY}vk^)V>P{?@9TXuJ^xhj6LEeD^6XSx48WP=ne?s$h8H zPrDpV$XBh=*6%KNp395>SQl5tIA|v@J0(<7q!U#1V(PvKqY{xfsPnfN^O1$M20!7; zcn8I9my*1|+wz$yXH?*3+(i!M<Icj;mOHQbN`*w=oOn*)#fm&U=^%V;dUsAz%Pd zu>0cEk4+d9xpC>EivvaxbsQ+8a!G+tlL7HJJT&#n*}VWOzic4?1=5S%WG!M*av!`v zXlpLGi9=5|*m3hv!8OBzAe!rjdJx?6MB8T2tA_99^Fn@VH$Q*cdXdl*2vBZ!z5>pcF_-2`h6b3t4^X_~bICT|j92pAFm~38u`|g5#vu4d zcsLdI2&Msz3(CX@b^{{a6X3Lheb4Sxi5YWhSxh;@Go7oN#d_r#Qcwf*Kr+Hal_pL@ zU}*ex7--w1SjeZvJ`^y#Gb4_~bBR!^@Z4W)WhLHrhy&LiB&chw7JJ7_rVQhxD=D-x zaX$DaJvjd`)O_Im*8LPm$j{2a!L$P2jz;_~s2_C*yBF6Y056|MAaDJ))74MpBi zTnK!uvj?=YP~3qz$gNB1hk|z{2@kI$%|D8KevnAg<>1Sd zqi`q0{GZVJ6s=!6#VIfG9+Y4&XB8(N=4OYUw7BB6*Dotp+ewRx%zEU#f1*Ckh+AaFpVY*HG)0iO16jsRWp^N<28MW*O$c!)L zm1|oSr6fGEvb1{7vp)hJ@- zw8bbkt+!-<-vwY@=Jq)A=y5(gRCcKxd62$ofu$=lPm#=%{5|ZG%I(7+p>BT1#E1hf zj-{q=AuXZ1YLPeCCY;{{Nb-Y2C{B7wZxDcYCwB-v*I8@y(y0#iwbiF5hAY9F$jVQ0 z17}m)k3tW6o1u#nM}R)^{d(>O_1@}X$Bx~7J1|vLX;g4ExMFTFcLcWLq@F2(P*YRm zbUWN;2OwsPm5ue2T#|$*s~?;E?)IyM4~aXkES8s{3YlZ~R(^&zK%1I00sd)QN|-<-dh`#%4)dd_@M&5=A@I56T)sc{WdmFTW>TE*k55gf&@co3AE&z> z=yh2?0+g@(BHR8YOhurYsv4xFipLsznHYa}ysOgYC!v&XUkirolYQD|Nq!eXVych5Sd6+Ek@5IP%#-s%iJ$JK7-1I{ zn-h@pvm?iA1PzQm*!Ep$m+V`!>0Nhn8q3Nm6kEHc!?@g5hvfm-s$uO+60_RWw(%HA z=d4O{pEo1q;pB{!W33sTn=>XvpvFRlB)~Rwf3RQ}=J4vN<(L~Pr9rX-ty9PZ6(k8AfyGs)eb&{%#01K*2P_sLAS_*3 zCi!=+f(vw2jZtdw`_dPOI@rWU;+Ghn#3EapFw`&S^Ev*0vi?I0`t2k!Yes79y8JY5{HG_A1#eU-7T_F+sf|r zp@$t4{F$MsgZq_6pAn9evZTA&dQQDPR$6`lf%#L4d?&__qsspw$LwB6@D=BrN2qU_g&YC+cMSWOdbwb!7M%H*Ro2DKF1h z?p03YMz=QKtVTay;p$ZMkTe)U(7$8!lXQt|aG4)HZ4y_5C^mCC9NYy5eWmeCm 
z!2*QfAdQv%%G-o>{=6jLWmw1Xkv$RXUG8f`nVjfv-}c6YSQ3KI`ITmpgtCW zboY>Ntyp(ypXpBmTE+5eOI!ZkJA*~xk4vTHNPwr6+ z47jl%0eh_UN$yN&B>`P=z(XqgwexUl>ACMEt|vTu_NtXrQ=vuLhx6MVk+Ff!;dm6Z zYV$p6cIlEh8EE42G@c6)e>p*@s8?$`m6xY*>Z@E`$L=kI8MLgFtt1K8;ZV9X+-FZIci;ov2u(1C%9kmj%?jO}BD8e0F*qC8VNH5_sIBWQew12G6 zc&fX3hILNF($uyNX<=bK)Hg9ZG5jng^ERvNh?ku-5{ zkMqbDd?njSyVySV8{ZyYhsGm*RZ!;S1>lWJr#P0%+Ns%JOua|)84E-T37BC)c^@ks zXR$?!`BN-xL0JqoR;Do6wBpb!%gxR0pC1~!9Z5?o6WNm9>Lv-LJSM~q^y{Pqt(OaH zM@K%!PsHZZg!FE^Sc9w*+yHhatSu#+vKWGVK7g=!Afyy{g$-=7N#xB^-`_ND=|jk) zf@@&A5AVD-KNDKL>Oy}<#ZUe|w5|pTzFNOR>24H@&JA2r*L=Mat#|Nhe5{8<=joRZ zW1Ad_mkrRLES(if&?J~YG=`KIdmA3|*$aveQU9-vrzs$ZW zw}j_|J_ublYE{3*gKLDc2VW`pHO*^w`bVG+^KI;rY(DFQLKBCf{=oiBR{7PFl>4t% zTydNASXhOLx+|8o5K?x;9nF^=5uR@jrE3W+tGgu;&y#&Ja*gpHZA-sX?4{UKN!)Hw z4`P=xPrW~NFXQ_V7osN>!ttJSF+L8&y%%fl!@AZOy_bK#8Sm{i?*OnueCmK1^PhB? z_aR1z$RPM3JyVpKH&L}=suMfX;~0jp;!6-mj+*#EpWRTQdF(IgPSUj#@fbz%3O?bU zdX(v@E{=4Qc4OWD5jmYBt~DT6@>KDbN`ggx?qUcE65J}SQLcYW>!af5;cO8>pSly$ zU(0uCVs6ICb!25gv^8ZlkES={TS_O3vdgN*kl#I*`)LVbj)z+o&c=;MFnz#x@U#1Q zWLg@x#Af&cm#Db7K_Q!lM|*n(F&uCo!JU>)HF)^=oJaNe1M;kq9w!UQu1&}<`2eAU zh(SPgOh7V^#QJG_)n;oRW1SH-cI>kjN9wCZ^N{!IZN^IM}3xmO&J6uVCY(zW4G?4bA9|-1$h^udqzKF%J z$Nwbwx@><-C-5#vv41nb-amb40eo7AyY+#I^{}?uCU7g3`sjz8|D-u*%rpMOZ}YSx z0OOJx7Qfh^kVkzaBl%2@z06+r`NyTBJ6X5-{3KNg(i`mASm_OJ-pw=56~2vQo**es zZxELxXU^?(q6Yv(LvXj(DPnZM)CUqBulD8L z0AW?Nv9o3QJusU)tHNI{o+%l$fauH-$z;iF$?~>wd!ukElylWm)nT)bN6#&_MExYX zoqW!S>wUmwgTw7mN4%MA7JN1=$SfH|L7_NhqJLgw+Mb*g6n;vX-zl^XgiDkWy6al0 zL+vo_XYqS7=Cx|;s{_^4!El##nI+;sAFl5TOc>O4zg>60QX*so_aGwb-uO#OVN%WO zx)*FL!Jn^Gd79}MLrllnfaAOQft}({RteOjKvu317zB@sqF4@GjJpk5@QD)SGL%`@ z$7%R(3kc}HbTj-u>wTA)UU;(hf|{B-*U5?RlStq5?yNDHK5BbCfa-o;CcM17TCfdf z4bA%d`sU_F%Z-&+6EE%DcAk!Hq`xCR22gX9 zomU5>_+IIc*XyHWSIQ1V8<{MH)c)D-f}vuSFob_9q{t4;N7M1>Esd_=+@f5ALo9X+ zBvHYbsNwWt*6Vi?N=1Ig889djgHK0&h9tx%6`UN8c?$ zv|hrRYLCKAR?9it07rer&D7W@V-P^FjAd{=TM+uEERRNYC<0yYKu9n8v$lbiRZPz_ zc|bNOugF9}qjFhjE%vJOPw}Qh7gzhuva%8_joP+x_w_IS$>18e$gSY<+C7Q#7gK9_ 
z){&curQr65A4a5X6UJdaQX>VEtt(EyZUe|VHG_{Wg-Hi5bCca?098%+)vI9dB$&F; z76;Oi+xkvhT2+<%$!F&!%U=c~(D~Gat)Hu{32_@d^rk0cSKN#hXDeuDNZrDUKKM=rZEKD!7<1EzR@sO}UDYO>YcX8u@#l}Wc0z}_W@b`!q9Y2p+9lJW>fQVb)*XSYRd7xvx{#h zyke5y(rK_&7FVI6!Mfs>@Fdhi!_SIrmLBH<28Svsr~B5a0Z&zWlMxTQinL4giE4K)*$8k2m;k5> z%B4Xpie(da1vENmwq#^7NH)QQD;mDpaGwZC_3M# zcwTkx^RvcGU&X@qL#GOJMb?=P^4X%hfN4w`PCZQT)eQ}m=302=u@Q_f`8adJTU`Fr)*Gc^wPwy$EU;ZNEYqhpQ zKE&fubE>kijp^Hw=#D&^4#{drmZ|~C1(Pa^$oawCdqP8JY}@wslH+eT^c~>{*E7NCOXm%7G7S^ z;R6A~i?8rh|I-0*{SRaX*eX#FWkBmW+w1!~C-W+P6()tz(Hc8nn&KFhig1b<*!8?O zr__rmJ{gjHX2jk!028WV^6X!o)_y3lJ&F24{zjL0Q!qQIC3E@Vutay&9Wldz;mWaQ z^^d(=weNL1b1{V5m&~e>bhn=!?I8T5AUcg;!q(nw9#2Ctynx8+=jlk=HD5WXk)qMq z?)rQa87Hz7_rV{Hhk&8D16(?$FhOMSS7D+9Vp>lOK$64NzFY!ey{FrMivh+nv=4Uv z2_H{8^B7K%3Wb2ujl@TU2a6%=U*87g)@ylXZ6C1HWA8kWgho_~7pEjYnq|n?i=Zxks|AoSv z`2I^aGXRH)q1pQ{W9dkM)qc_bEccfDlznd!30nGR7a;~1)Rmrww-HDE6=)W&6IaMe zv`5*@p}h^OrJDa4@#-ue~@A(qy(BB4P=iRvu$t3r0dQG#WZPmMN+<67Ah2@0xJL8Ai@aQl8|qj#TV;d5Kh!W%)CIa>Zh;Ktw20j-^o<$0HG^5`Lj8YIN+# z*)-$UOV3#z09rs3yHafFu%3xC__YMdVAN^ng)d8Nl1kN!Ygjm-m3iJSV(1{A?osza z6;iN6uCE!Bc>hbN*ZBF!S2w`ql>|k2yUXt9v zJ5-25?xvhpmp(!`{H~b&OQVKyzI=l8626iR);4W4w0mAqKw8_LPccryBlUgU8(fu3 z`5KI{6n3_?#jUI?2@J(Q@-s}dxfw?^g~S0dawJ8wCVO8xI`+TZ1}y%M>J8uQ0WMLI<*hbA zO1B^+MUb>sqql9rNbkV z66GpC{^1ILMRDnim+R5sG1TA4Jl95P3O)n}2eXzG?TsJfLlsI<9it5a0bHWIlgC+! 
z2(5DZtK0i3Y@yD#4NSz79|~MO!r;NmBshcvLK(>L?!K2I^ZX=m1wIf{It1t$$a30e zs@wc2)+(`+iLfZ#I_hN&5I>l?J!gKuFB#par+I{_ByK06e*q_HU|@ z2)nVlhruYaqHhr%VA}-R-(IaATA^TTqwJAFHe-U$du#5I4GsA6p^9?xACmO|&*^%= zd-%1vCYhMXSz?B{jd$a`_eW4TL;_@OdF{0q2u@9sUZ8$7+X`b&J1EvR5<5woC`LAU zqV(eAl4|ugM`N|%9sNKG;E z{dZ-!0Mqa;F94~|oBelTL!qIg2cKAm8#?E=E(gQK^sk-m*N+E)lt^kY)K`U&4pW%^ zdKdE4|F^oSE}m1+8URx5bJ%-wa04uc1aQrFyn4^@re2aVIJ-|s=XYfDQ3|bLNv_>Y z9@U)^GTZP*m=7J8**ro!&7`)VSAtMvs2K|zt^N6)pcaimO>^&$7^S*Ir%>gd(L2(C;3bBWwu!bILy z5Yr?!>H#-V(Rb1G2QhTRhj?5t3z*II#)Szku6i@u;uW1s(vdMD)tJ04XVj9N_)PHR z!URt#4Vf9RJ(^bb14yGXMPvOR_ze^D}&wm1W<8NL0+e3ebc)P3k zW$n_$6(6rIN|g~tOt~%pA69=C!&tiGbu3=-!Q_*gpg}ZO<>aRuxQ{g`_)}+0-r#=w0z0^G zxsX}xPjuz&0=NO9V0b)L=0EWnNT@n0Lznu`0UZV--LDxBYSNQ4kUL z*$;w0qw>mICTi?^)1i*|c%j<+0mR#}M?GW9tOLDyKI~)C=b#37g-ssC3~?R%3ZqVg zcRBsF->SweNv3?kF)AzUo>qT!XXYm99?DFWqq&7qX$I%j@z2We`U{(i4Y5f^kFQ_h!$kjOJ4{*0;rYxt>J+ES?S2Eh$Y!%K$Z(!wk7t5Zr{LGM=IJs5fVM)_SO#OInRb}$Vgrz53n z+geA*%BUE>JAL1ngJYD*#DaTm{P(5!CHqfdnVzrIJoM%h;uMqgYS$xWUf&(`9Mq;t z@YqSyI+_)^4grl8)hj{{8GE50Pm}}N?t6G0PA9r-xZgwnx;>BL2yBX9}Vtd=UlNbeD_dMw_Lxz#N+TybQb?J4?B|X=E`G*Kc92@ z&{Ds;`|5tV&<(6(eiI2pYP6+E|ETAFf5Lq9@g?|L{meWY^9tH&i)Cw~ZLXbyxlO-I z;vZ}M{T*KCDBy;ER#*?DDE_sZ6~oirSW*fp8q5E=fE7+`WxrL<+6eCd?EP;+IQ@W# z3P@?Rb-un46QnjD-rYNY(y*l%iz-PdXI{yW;{EDzAe}Q1|>OZysxg7K}nR24akY#ms@fH}k?;ADDGP3T7i_27?VmAFZ@z3#=pD-v+>a%WhcW8>#flE-Vbsnap49c^vHTLsx}V=o(+C^oQSPcej-iBTQm7ri}G#zyphV+7XL&dC+$dN@m99~0fh6Qf?|M=gTW zdPLqFHt2dxj*X)BK0J9j5QN&y&QEaN{uNt6OS?MH&HWMm%F!{_6A*)=MmNpYRz-fA zm~?tE9*^?t-wRmO(8qlAviDy8v$BZeS;6fzZ*ku171nYYb(5K%MmQk_Y;+P98$a}R z%^IA(HAXP4FrLqw{o5S=RtXYpVrn3luMpR7@(L}htT@Pv57?28Dy!FdsxE?MF@YN- zvzg~i))|3}$Fqx$W1q7lcc15ekvnT(5bqn>e zq8aQ95%~j2Ti1JDU17T*iV~PlhU=}pRpyAPx`-88m7)6KS;5F==Fxv;_Mg4i^^<@W z^$>V&2}9#}FT{`L4bZm5rKj^SDsMOfs8@rR?2)&mWDxxPllH3Gci^vwH zkioKM)#|U!=#bLz)KD4FG|TZ_x`55HuD4$8IutZILC8Az^C$ekW}=?f(5Uk2<^n!0 zeUu7hG)ywf@8EiJ=g9LL-@kWwDU^9RKXZJ2H<bw5j6#{mIG6KHg7f=}OoPq|DJN2m 
z2~=bMUQgYcq}L3rMe*|>ZG|%TzpeS6e%0@_uA0k6Fk@CI+y${^Rs{+;M)cGPeCsX) z_Ekg%WW+ZrlaugY>+Sch3uQ;fI!4v|iv--rmT}z)jO>gRQTo8U7iK+nQz*`wuk1=^ zbwT?C!R!4#@Uj!tf-asvH*E_C5?aw8Ks@I8kA(hO{E76bD(rf4s1y8Y1Cr-~0$H33 zq5Joeb_q`Xih|Lr+~~)8fYAS2J^RfmU0DBI?q0_^BSrI&Xyt@WfvIeSE^PkbP0* z4G~_xWm>uGPt7s^T4#MPMeZ%trFVn!nku^gUf?}_LQD+3`w&D_ZBwhD8^8BffC;d; z7$@ni0~#_7stUE-!*IR21wJWdlp387fWzsV1J#tYaYX z!>Igim59AG6@`(3hv_0cb+q+6ERydm_whR#eYrX&V*|x+Od;bQp_+fslg1M2re}Ac0T>`@|WNG0P4fbpM}-i1M{yHX{zK9c90rUY#^Z(bsS#9 z$E2?hFD|4$EXi|DBfaTz_Ei7-;9pqS#7{`^=GEDWCnel>nRjObx8GMFj>nDdIXu)g z_9pGN&^0P-?Z+lI=&z$K_qs>hZQKmf_`>DlK1^t3GUXI%!G9HP$<90Oyh=!Tb65Ay znBmDhnxyvW4aV!$1%(MmW$AY6THFEK!^6YzZ~VOGIH~LtSM`TgnVqq@ljlBP3)f3m zyO^u@I{?CqAe<)ioZiYrGqxroR9yt2t*KIXeOKPg#gtI|K)A}2JUrOQoviVBQKfusu!GEU>F{ddw-Ko z5WK{$TjhTqkasR4di9fsM)L!%_ht=IGp2=(~NY9a*pa$(%D zBez~5N5hSpMq89tF{Cu-NqexwT3uG9W;T+NVno_>3Ct8in5>AUJVEFLKAg-%6A zGm^Nx9*w-PDdI>qN2$_2*^S97c6qTyhr@{G8?!9b;w6q|ByN>u5YFr?b$&c>RdDMc z?Y`AUqf?_#7o*N6&YE~o644;Ky$Rz>cAH*6e`%D>)ptwU*$_x|nn(b}zh!V6 zD-iZ`g%uR)N^vGC=#-!4ucWEs^@LP90cltanvfLLb(UlbkA`*go%RDDE_N_V~ zWtfQ5wqk}Gt=qpInWG+^E36c?no_TxxsqQ-pf zvE%4yL+A8?KDC_JIwH^wy^1&~+C9-blAZiDIK4ft%Uq}~6 zVKMSNGzm88_A_#!9lcbBFj(6mx@?Ue(nIsKdA@|my@rdgWSpD=oLw;6cXPhr0rt#@ ze+=S9MQy3i#-YEWd;ihIVH&z`bYP+WjaXmcM$zQVX4iA77<*WKbv)NSYsV`y2Qlb0 z^ysvn(_(T0Y96=Ep6k5+66>%iJ$1;km6bmB#0?)!hdkn`*0I>k8Dn0AvQ(Qy05Ng= z=sIG%umao?;Ay@ld36R2^L(?wfBW0w;=}#=3-bkg+&V?SXrHsSt!`Gei|=rFHXaSp zAS~8`C8S&yr1|pY=k$se$kmlXx9xZ%N7PMLD)dUAs5w1!!n_0wM{Z6D%Zz77@lVX~ z52P?z$HX9|Q3oNU;Gtkg=GZ?Xb<}T$P&@Xc${e!z_2UuKalYs3 z9+&69x>umX_M_wjN|TA3Fmdo2g;a0HEy^vGd4-ABb1r+SD)XIOsnv?^Key&3JRo!K z8#EKVo*s-=){CZL6|&^|>F%2q3+;$P?52SzJKkCG!za8Y+|PWCJzVjKyi2`jpeKaM zcdI2(z7x05D@>ace8T!CRqD1TZQ-OEqp(oN;jIG^{Wm&Qms*byC>p(jg^43~jWtDX z--0e(&Y`Vm7BLkKtG^UGxMLAc_;aXzb#cR!y@@K*wQe@Wc-I{y%{+9t{u(L_-IE`W z$RDHj`OK{rP}6%#dDQ7jrYN&(-+_Zuy#q2KTW)IK;Yx~SUfw@Oun5=k1gIV!h=wZ1Yqe+* z38jZcJ%;0it^T4luzo}rjL$mP$f7Ze*yxaN9SF2HX+CKI7L>y#7 
z^$$IqaN54m%)pB!+^%kjD8ET=Z`c&Cxp3oID(>3%mEsmnd04{8NYK>|ln#$?L%9l3 z!SjNi>1#bYexqz1_1K;-k1EBIJAFuRbrCxE7JXZQ^MBpEJ*j)Wj!R8R(L~{*_L0Rp z!p3^x+Y|d%S@QXLa`+^@^?k9i*asE(B6V^7Xid2>70 zi@M7lYIWc4I9#17)vJ_NjQ1?3nc}HE|7m@SJZxx787i0e3V+_ejc7jEjcBVQWx{!A zYD+1@Yf~42$LcUavKeW9x3-m2QRKzz$Csu|ptb>X?9J>Kg*l1;AA=Snb6a@$X}BW$ z9j$45lI$3wkk;tskxYI3Uqei`9J7?SFF2P=5J z^DWZw1jaLE9mVu81# z^%fJlD#Tv$aGCYoV#)uGm3bIS<6#J|TBq(r#i%{#T)dHx^b7+vD6w6wg{`p>|Ignr znaYlQG^yqAcpyO0n_zeOeEE-=?4ojxrJ~jHgxTbf8SV&#!&(m3jtHghEf`aP$ld9{ zc3nK5+$sltq=tO0uco7rQMzjXfhdvmv+}#&XPIJnsJit0UVi+=_dZ`4E0ZhSOFQe_ zz!zb0>HUXuQ;C-ERdz+jzf6gVA*$ZWRbKaWqnr2b^xeF6ODA6yXIu6(Q%E44)QO`A z^}Q-A*4w?mIOFj%>_9TKTL?N+-eUXqd&ge)zD^=Ze+b#@{6jwUORX=-l-PD{`O^A! zX>R+~s@(Zv^te51&hF!O=QK_ZZC#lD=NU5KteM^R*xHG);#lk%(|#>|GwN0hjqV68 znNS;;KN$PT%sm>G(~tl*bsp~Vg(fhh<>Ea{L1k|iDXNX|Q{8YX2I&{xQT7()JQrZ2 zt*V|b{V$g@n17nG-l}|zs}X@7ouL<$!zUbQKTfM~v`1$%mvgMpPf!V=CvKzDD-dXI zDg$-(m-C)KLwIFX(P!P)-&%OavF%;}ZcVU?*)sn}`X>ATvG0F;pOSCg{il9YpKJRJ zyKmaA?eou{w0A4mqit{4tg(sIQ=!Z}`i}JImiYG8(c3Kc{2t93JC9ggtGzw-KUwXE z!Y`($q}!zm|egE>idtC zo&BXw{60ow-)LtjmnLVajpFVO(0Ps@AqMe1TPV(D2_uhNEo_ERXxro06&nwFM%&Tk z%$8e&?DM6}B<$7kytSgwGD19_-0;?<-a5IgSfbVco$s5>*C|$V+p!T|)K3b&urc0P zT}-y>3wb)&S#!T|!a517#y2j?^#52HT>3ZPBi8d2%+&y1CzB%Ekih#bh7)h%Qz804 zKH5d(9gqik{u&TsSkcxEwE7G9uUA!VF2MZSjVRka?Hq?kUsAJfYL|sjGKV-Y?2$5b zJ=jofGv-q9CmQzjptj}!4fKN)@ee>ZXan^ycI1#^?q#CX}sI# zBuZh*+2V>vaJuKcNk(SLM#ZlI*KluqlfG;nxqjYm^Z%5)t=I3}o&PZkyZZ#}4mT== za|MdSgiFa^EF-0UE%UBhP|W}Kli(2R>QB$@3SWhj3Dvsz7d7t*tM`M}O+i!!sv$ee zPnh91g`R7ElN-Gygb+62rq-WRCeVCP^mZpv`0X#4O`I&N{PcD}yF?uB7RMSaAb0w4 zfrck6xTce`{%c6Zy}TkZtIhzIUrB8R<<^A!&$id~nI&fpc^8eSAY$yNP^}tV^*ksfh z{v669BxGS-@l-%)F$A8)xpord>f%wNo6|{cAj<*Kd-a7XPA`|XL)4-*p}HZlJlGPR z+j`WEfIsUdJO(ufNd{9Pf8&tlnf&7}rX5-lV{3F^k>EYG#6UqIgnp-p$Z$K?<(e_J zu5m)CHo{datKHff+9`8CDRINnqp2jvk6|zO>luu8h>si-okp8D!N7clB{z z3%Ud5slPTj$Y}35$H5buFj=lIein@3(_%^7F)reDdX@CFSd)(rZM_i4MHAET)~j9i zvrMnzn=I#2M&hjkDYvra^tjbK*b{bBu+i5H6_idz6YezfCdX4{*<%lA4UT07{D`&+ 
zWQXP7OV0A^QT(;!*<5loggYS}MqWN>^=K(1>0p2;$DRpu-q$XJ&+C6Aoy&VUeZ%sf1RZbUJ0 zg7-Kb>nduiU4BSw5P3j&x{jw;{@<+w6l;QSGq2c49LqFJ2j7SPKty``qr(>LqGN4ZU*U3p1{v+rm1Gvq_JK=4wXpO6exSIb4$p1-r1flkrc||8y=@{*F%wwigSya zxAxm*Syo=G=n+Pf0_;y6scO9SmyGMH7pbUj9dOYm&SOeG5bWaenR54KRo;4C6eT({ zklJ-OZC)Imd_-$cF2h@6J$BDCF0OG*lY`@@VgRu(dsJttSiX@xG(WqjVKkC0EFocd zI#D-Hu4&e7d1Qir&tGppqGC~Ct)IX1)`{yL=$5_`XRy$j%#T)4OqytVdhPL_*`OsE z)|GOrn}?2zQfqehw-S8C$asdSH1s^EKcFrw2bb*KvnoC=h+BcVG2!WJOg>b->bFH+ zdBxx3Ri~yMO*>X=S+~O>DiG! zpW1?m>1_I|x*aJ$6)hiTz~0EmaD0uS<>YkYN3;$(>P*u-a5sk&Xk`1#SMzz|j%tr^6^9RCM8WR~GW+lM7e*p$u z)F)`@s`uQY455Ji9AL(63&bK98=1*z9&d+-hVYJ)s(tsxQn7u(LTymZoU=mIn&-$% zFQPT2z~yzfVXCa?Vn~4{2bEBE()h*&Wd1X!-oogW2cEQ|&izL^%+D_t*nV?nd_;lqco)!ic_7E{UY z^D_349i04~tS4Mt-s}f8>js-cMn4_0`tDh6$z7OFB_NuHE@wuW}WkqwtgcxxM7Lep;^J5XK^3Z!4| zfRW^TmrWlRI7G9bmZ&xH5XBhisH>&uEFnRr!#KMdr>5N8k*!Pf^ zZjYuOq^coW6Z7XTc$fSRk0rzYNmir)%9TP=KCW}%d?cpRV~{0P)2UW_kJ!o^ENtV0sQL-3+o+jUXAMl z#$J8F#cUKN&t4IwOmt0ueiv7^_m;}wcnn_scwa}qw*w-}Qio%)>|@;PMiedK>mj5u zux}Mvb<+<2_Dftm2^@R{u@{~A3LmnZiNj6^z44iqxa&XK9)5R)!tF_-!xDYVgF_1_ zp>~wxdk8eM>-K&{(fsa?_dyBVYcDvC#nofCjorSgvQA&16MFLGWB|RL!218A>AT~p z{{MK(h_aKF70T+^mF*y-BC~RA5=SMQLyjYxtc;9|6Do>0_Fl(0#z82X6FN2r$FYvX z{d|A--v7?$^EjXLI1k7B^?tpc>y5WKKb6TcU;w$7R@l4U`Ce%)d#gF5#czS1eHV&5 zN^eNY)jdDilR3*dp2#-xTN*CtepG_`{7CtJ*}wFv*}o4@0zM3M7RcqI)ok}vm3b1+ z?m-u|-h$GHJLP|xXr6AnLmuq4*a!h+hGR%WFfS4N_XY?M2z2aRv(k2uqB#<3Zf5-E zj#LPrxKaYuen($gS~_VgY1Y)}NhggP;GlXfBnwU=+%ALGzD2iNz1+k@8(zW*DKD>C zt|~si=_xWb(INpIy*X2nm(;NMO~NsJW7#*mqfXvyYIfIyqTqA8bv|Kl?81v}gRj#; zARPljaYK~{C2K%J|b`;gxw!D#;wf@8k3LIi=?kg3C95-zEA8 zHYD>cr&7Lc^s;l7*T)B!ZQkKVZi+ETRMKB$W!6_rbrH&w53dhMD2X4%}bI&W?s za(m6I<`SCj-pm|0PsoQE-Fnw4gqHtTY^m^mH3p^ zTo#UUyGU0Kq4gf!D~2nd8{IPgYu5Zt$nA+~*1(}Vp-;6Bd4Q6VuifAYfOW{bo*dA} zGzF1GGDm=Yn_X1h?cD|N&VNMq2Z8ecn9tYfg6PLUwc6~s@Q`i!=mFca8I$^apu$K= z=NrFAU0{6ha$mp=uaYFSqIr1 zz*%h<tU!FCtBCzbe%9SDA=8=ztQ*FVU zK(Em7Rw6UEw+v!KHGO^*9YHNty&_WAmdEu?f;I=3p 
z7qKEm;k6ZWyJrUpZkj)jS@)Q$cWYcKm5HQnEBVNX-m*HpYY<#sU4D2*3h~hGGqO=o zOukh3W$I8m3!)Cyc)oiSZ0+5nrS-g&5 zzzE9Iyfq5$9VKWSfcAXw&OYo23yZFts-o8vYK<+CBMoE-;TFRatV7%9ZRye)o!Ovg z2YW2Rt3Vl8?g8NVWt4l|Hs^Ej7rt|ZQ;TRz-rM2eQEhBXI3c?-LKy(EXfCtv{(9eq&on1>G^++Dyf=r|wo#N+O#_3Y_In z+BN$7w+5DtYfH-oQ39#@ACUe1)!p_a)%C@PaQi5mp*o+R}|LU(sb`IL|R zg$CTz17-~G0dAY!6=t9~FR$#}rVua27P#)m%%i%) zA3f&81+EkvCkfD&O_YW9JrIRt6WT!K4r;GnQ?uW#s(!JnGK*UvtEoAk#{xGlIE7dzVs*&pr+J6r4l>Qw-9+02q5Sn?)qJc|FC72DqA0$ z6{=ImZ!O5ND_$Rk-J)Nqa_jRJRn|Rg&S5E@{2+{d%}I_-C^LqZ61OiK*84+x1`|?0`AP?>OHP!rCkwreKg%*PgN> zHn#K(jY9~28u@s2NOSJ=5{Ia$)q~UYM7>!X1~brohwbI3K2YfvYMmo3y$oJ6>#jJ8 z=-e`=C!%Py{~D-DTMsguWj&XxbX(2-T_j|DZr*6W+-;y4Uz!UIFgD5#**)R#S&{(H zG;1kmmWPh5fKET-_+115px`m)3 zSnR{TE@h1sfmnvsh`*_c=wYet=(76AU$oFn5(!<9$oX_`&Q>%D7QDM>xeT2i{wBb^ zTIZRDX`1L^4$Yd_f>q!t%*OJoZ*4T96P^ktt#6APh#G2)NoAN`wX!1`RX(}0#F3Qp zrNd=(i7PN83m4k6KUo%_FHF!gAlE;;GS05Xn;Ty*Ycn}N$(#jV4nKxAtnY1L{d=rQ z-c>272)&@YZQ>y>IgU_yS@!AS$F_dU_GqcBDgH+#nRKIx&@}rxalA@`QdR5wM0P@o zQ^RVdfH)E_8T6Ke?%lCt5CGXU(FaVJHzBu-3??4f`PT7s50=u6dq7ya!WS|Tky`@; zf;BQ3!`=#%h$Zcu7~UC)XsPr#lJ4weV!hqZ+Ro{>#mgCYyxwbXc|pH6tNYGi4L zJP&bEOILkm|Cr3AeHA=TJuvK@^6(LZ>9WkLXatuKo>itc?u7}*Gyso5Fod)4OHq^0U|JmoH4WU4O9N9@=` z<$i?QIFW?~Hbc@3Y+R2Uo134P$CziA7xGA>zps-1QesGbyYETnjOeE;yy=3J5630T zT$DV#V+j4m>pz&8VgWeBp)GcAgJ}2L1CDk+k6jaiHM;^au<&oZ^ zl&r!!O_(vxi)KiBn+SUM^Cy$thFkd5e z-Rk}PeIeb?$RS%tgZ@K@IpE3pw9cl!`iJ2 z579Fe>0z)zDBh$bqRxsmJcKv_Ui7Jz9 zLNLx|o~?&;UqpG+*bDk&Kj-ayn6zCmt#`m3XX=Z0e%am<*}S=~JV$*AhvmhgGDl(| zO!&|E(i471Td{Wf!r9Hafe%Y~ywa@ZthzS$wEcz%usQVECUkH%Y7T6q}OqbLK;g>%p7sqR>VC^Pbsn zj6%a)SqPISQa99P1l(@L4Rji3=1ji% zZC*g72Z?0AH?McDocL3PJ=Jj9SFxug{!mO_rr|7(W+!?j+ORB94jMsn5)3)mB0wID zD`q9d3pAVs_aFQ@-{;!;1ME<*eH!K+1LkSLs?os)LqR!EWn;iZW|g*J+fUDXJ`S!q zO$gb5VYf6GqBa`r$w(~HtwSkfckvd{M_?&=2LN{e%ua^|9<~@{MmLmq2IqBX$u1co zRbKAxv(S4Y{-?qr#Y+9BztM;V1en?)D($AnT9|~?Z-P3B99(K6ddc7<(R)GI%>uD!n%YF zlrf9ADE1%sPIkDEEX=qOuXp~HzC>5l?B)YD&I{BsGYm<+ssB;3uX)N`f4;eM2sex1 
zxe07zHSy7V?>6w!-{_aJx+n;)$>I1#?0^gtT3E!i$FfkysKXoIeHo&IJ<7c`2r?c| zx~@?wVH}SliNH|z8+D^g{wl!QpX4+jee2MU(_`Lbl9IT0SyiXZI={lhskO^r z2+*g-c!%Ru&$yIUcgU3&&m1JoK>2*Ob0!W_Up><|cdvoO_Xu{ffep@TNuYP1@H1n) zZ%UbQat(;J4Ox<)fDM0LhZYqpR!)Y5uS!X%67eE)!NRfA+-YPR~Sl+ zL)MpgC54k%vk$APGtwQrIOjN)8ODC#l~2T^>aAxh>;4+b$oo|e-BI=8BPuFR7pS7u z)TEN{rM;w`KLiB$!NYtB^@P_hL02G6kER>3CIXndR(dH9>q%)h9l;{Mc3gF2s-G2+ z8x9ohYXjRv;$eB-EmeWB(dJE=6eV2Tkq!H7oc8 zaGAcA;lB8Fvp`qqzGS@Mu`M%k%5x#^^_EOyWy~2tc&~@RMv9Q$;k7lfMmlc_zGoH>~Q*3pY z&I;XZ6WGeT|K-*08{%7+b8GK!yyW1*Jz2FZz2=hA9J*FZ=;wP*vm+l;V0h9=F7(Bj zbCHJ?+v4Ch$VsauxYB-k)=ua88$Z zT+pI&_VxU#7WZ)Hu1@xGV7yblqvXufXe6l8n#a+Hs||{8qRgFRW?L~}=k4U-Q>L_; zfq_)UUPe{_)8ZCr)4$wJ^|`r&oQ+vs`6)_Q-n>8#y^hU?n6s*u2W+BxnQuEAS&MV6 zzR)vh5-$TC@dd6x!I%pZ%8dVr;Fe_G$B+an9ihYVB$N$+3I04WcUO$koSX;PHEu+c zy6=|c%Z&ymJOC5=8L|}6xU+hm#%|O5$fDGJS(8n(1S5cHo<&=XGgX-J$Rxi)5@>eA z^9%FQIOnzR?)z0w7^s+sJHp(@35%~^Wua%yfUG%e4*DXx zBdX@8feT=d$9lktGoo8vfWnQkUVfHxJQbpt{QHw>Kphv;Ud+m;P{ExK@u&g?bmM6v zicV*wggWMbe}C0?2@VXp>B4RdfBF9wCtP!+-%GrIR3dh>74 z-Tvqh*kR6jSl{>R1*4zdLUCz@guNRgXTgTb&AdOjseN9#b21`V-FXpp_h#Nb3aETY zWBBnk&vh+nVVQ2CQO-~+B52}M$KeG6`cY}>cQzuWrnYl9GY5YlhLys1H2;N}7A`8O z9sXbwdV8sT$I`N=?`k*S0sE(I_JGrR+{5v)Bm|I9ZFp=bL-nPDWt+jDv=g%x;@W-qP5Iw>3)myV<=$&o6G1K$5dsS3=w>ZpSSUnvp zr|7z{5h?}wbVIDN8eA?e#p+QSpD~m930+G8W)N-lhC88Ia=hd6wXwZWx zO7nfxOR`@F$Rg;xSY6^Lwqr0K{A8Cz|2St{pto;D)+jk}iqRfXWC3r7NE9HZQrzb!!BpXJLO19IfCUl<=A*@958iZzGH73Zn6zGD~M!IC~jO{gC*wG zG#?;Obb|8;>QhzmsLyx!4zFZM1f{yuImN~I6;mn8(d^>q1Zb2z{#)Xc2i3(C$y@6Z z+$dn|l>9_p10eIVd+uUXHcAiJmhGo!{=@2LXufonGF&`xLI6p@wbGNP_~zbfe@; zAw`<+In!3b)I|bSY0tiOd;u{b<<4ISa0YI@6yLrCtQzYvl-e30s@tTMgVTc=QR};T zb*R_w6Y{RIT4C@U-aC@p>y=L&@c)Ux{=1di2TZf7p7g)U=zq#{4!n>{Z1ZK~v@6nc zw1oLHN?%;G#8{Nu*6IIu^gL`)8kAu*@ZheD&ntnV=7$oviYw*xJvYifSDJ; zXy4U`0WQbtR!YY=HgGosv@dbXP7w|hy5noSNQ}Jq<~5)`q2(?>*nl9cdWDZlE`%;4ra3owzuL zERfB4#+6B^(!nI^>;89{zd_;(w9DpUIDVRHEySW1%ZIMBnYa+fZ*zN8#!)ZLZa{zU zFfSBoc+Hw!Z@U8LazV*t+zglOrTdyO(5r92>#0n++3&Za(n@}2&}#f3d|H#a#YQou 
z!f%gn{pF&|8}+-_mSi5ah6JqA>?Q9vjo^a#k3`MO`rO{h;JI4zm~%Co2C#(`qgfji zsK|P!WlGafr~Rge6SSSaPkON_z^i{Fb}LHrj^}NT8)vh_f6FQonR8yG*lK|v+=Pg{ zX80TBsgeNadY{X=vt_}DyE=VqW^LN+dBvZnzoEky7QtsivK8~e`1iUGm8D7KM>WSH z3Y9Q=!@@-AYUFooSH)7XWmPN-(NZ$(rSCpyFFA{@%)D*|^l0>ucAZEao6IM3o>hc8 z|1ex&4_!7PB%Ela$#~E=OL{t7+k%}+?wN|;K$aGvY}{b(9s;jlYN>808>ivE6cH{C@#!h2F2NG*kj1tEopEOMM1Sr@Rn!IQce(bJdPS2z#eZuGZZSx#i0i1)r$QE zy<&ki&*Z7{Iq6ud-TBisM_2mO_9g8|USLw-|CLxd9LHY^13Zd>ksdy~z#QYE$r7Uk z7*ihTdicmS2mmbsZ@F2-&$)I$w$~kr3w*NwfbGBm{)OHt?xGRU1#ERM0CR>RN*$&T zdE@6k3Gnw(LNg{2{1y@2i(BdW#)5R=_%$P0v-iJJyGPx#h8P-ega*s)-!c$CFLc;m;$54BTDCymxrRmhS1Hf-Z#saw4)e z;!2#msl4atDf| z`(DZp+$XdPvHBKG-p&|tKmP+O=jAl!k9J7NumexhHg*5x!>F)vl}zI|(dA zxn?V%-@C6Vs?x=E=WFG>3?ZE`#Z8Pc4OIR&V=Nn&r{>qA-bGFz&q8q30U>7=h`!l$ zPOQ^HPixC;I~XB8dUaC_960zKcfIY6yFT6WFj!x7T7@_WVl5IpTYZ{A#~{1hRzz3- zWww%7rm%i>i2*#JC76 z#Kcpr@OfcfU7bc^9)0NNIaG`1>Dp!lt#7?Fo2T|)1kFK-@aDS3IoIuF>X`yr=OoJpU!h7fiG6=O3G*4+woSURJLBvm(92* zw;NL0d!8j*&|ZT>2lz#2U1#&DKKooSM5)3$HXHWtwT4?+B^x6YO$2Ngo2|546Z3jt zzmnNX$#Fw!vEmQox$CjgV?0V!%VT?d2Mkv%<+r)zS^v({+k0?51V4Q4PsOM`AKMKt zm%@jq((FWGvxCyOgFH7zecz-_ugBCv#oPXouZBlgxGNE9b}X~B5TE8obd*brY6bpU z^%u6_Cm*NDN3 zebx@Mx?4A{wO{O{{mEG|eAoXvr4bdj>$okwuBvs(Avb55u9Q$w#a+(%ZA3;vfv?;o z#5BAl!HyKz+S6>moFSX{Z1?9STVlq9A~AOz9lrOzP7r5dudv+`-IZZjwvDL9!7s95 zTEMqj+A498d*adYO`)c;*R6v?&ZlW}CfVggcuvH8SEJFe4SO=qo2p1A7%LLVf*S zz3Lc?9xLEdvwW=a!QuRks5S*1ER9@KIU||IIkA@$+Qz zU5T;(Iv1z(^N6i$tz-jtIR=K}-3i1C+S|(xyJMy59*S2u>SPONLiXZsnM&UPHwfhX z3=(57_^t&uS6)dMcwtq0i1z-jz{HU9@6T&dsMl3a=pTjNhIX9Q!^vT0@S!RD@A0^* zWD)kLOPs9M22U$syi_(jRgJio$Ve<9STOy$F%U&OQjVb7%A~wLy*G_d$flnlz^;H~ zI#XWxUgNZaZMRc>$7DSyEEKuavB{SSUAx9@gGtmnd%L^9?+j3dO`Q0Fwj-bA6jRRh z*Dc;Wi9|cdJkWof{|Zy{5{U1YK`i*h?`bMxhu|xe<5&jz+&GsE_31#pi2?$518r?lrD7r=0u12~`!i3{ixiYPc716;dxQ8m zPIS5IA51|sH(#%ro@y!M)a~SpHN8)B9GO{VX6^^hQu7kufWhf;==J5gkr5h3eS=3< z%<}f9p83w=12yY-VPfJj(|~bKK#}b&h?1hDMKHotUIReWnL$#1yivrpP!d~IA@T^- zTKwzAJdE%;Kz zN*Yde|K7IFNg4UW-qlBT?3a3z#WK$I*vxWXyiH@9weHn%GJCqn%7#qioO-5W3^m?V 
zW8fhiBE4v+CegNdEJn;*DB1J8dSQkdkFpsgGpRD)OdT=#NFcFZG~rDQkZ+5}z<>QL zmw}w_soVAxH5c2pJfCup5!{XU^f7o7C1Q6Or<63!MM&8_V@;&y%dkAhauFY9tbI!< zrAuQdo-@eZ`ZdGeDRuldbYVJJ;C4_O^FX)%wT}ZE;S?mP-Los&f{3!~^fnb3xZez! zKY@GdUFq?_wEPQDY2Lh)Y@ilvooPR0{0Ffe(0E#GlV`e|eVp*`Pl8X3$(v|R4Zb!@ z#3C9l+tw9MSd+IMr=F3)3&87Kznsd!O4ki}hFLB-~|syyyIQtyE$CFxu-=Xdf7u9V`aHQKX>y{CV()*@8X3Z-T_%MP; z@czJA{yPh>S6@dz0EXzjePZyi?Dztnds<&E$&Ybt>22!n4{1;5bAILbgm=1a>=JeH z!8ElKubQXryD~PS&e+cFAlj`2VY%Vn0vsYH8guv zN}I5qcNkMD(;xc?zXWNdCR@I6TUKyYOb89tN!)N&>=o@yVXVj*a18oUF1Adg>_qWr zE&y|!CK83Sl1H>BJ5@C|1vm9eqZ1K-D;Hr0A9L9_3i+tavlGO#z3ij8BD~CJVFm~}f#9L!d+l?1^?>;2|m5jGmN+B+dSMe@*n%>>#QaAZhQnTxD78ef#&4j3V6f zyp(Gk%AL3eDUZka->++Jm380we~TAD*#%5~%Ixz=pnok)xhu`1S}JV4>=u1$WhB28 z_bxPR=1dtY4OM`F2fpzh&?RQ%5Hgv^oHa5-+%umMZ|ibzeCfd-N$WzGKz=~f=BpbE zDp4DkfERxo>foILl7RGi!8_#&6L4q7pjseJ82c_+800Fr=YAy=0NrPvZ2RB53U+m< z*a32gw&?rGx~tfaho$0G7BX49FoP%Vnp;nl8(2SgKQiFj-g^jZPx(?9(wkCNihd57 zxaV*NXj`1gr={}^w{r0OKIVTC?c6|hQs^)l;`|I}l3>)#GXcPOqB{2Fu-A)S{iLgE zCOv{?%a+Eq4?ZwFxqWyr4fyR^wxoGx6ctUzZ-Y~{z{dx$Ru5Ce!b+QiG>_xP$1!m} zMgRKHJIcz=TIV}St?t`Z!)kA~^}&1jdcp!nIZ(j+O1H$#;}h6sp1`YFon!B{Y~jHI z!pR$;e&cPQSNFc%JGC^(2uNY$1bD6lSYif94E!Mr(8UCnM1|9wSWdFm=^?C`^#mb# ztoX>?Pkp%JX8zk5Gyk6MmUO=?#Q#{-qWOC-b@f8M@pOK$Gjs;RYk8n{5DBWJI0NqyXl1uwlBza5BM z7M#@%E?hzA%O*8$y!OuXI|Q-T8hKuHy4R>I61HtU?gITVj-Gt|fU3ZtO46^N^M}P(OC7E`pu9 zxVJP;P|e}EF^BEhF3Gin$K(zxeZkWf>358IzFe8IFoHu%V?Z8pKKnG=N@#<#k9#X ziP8|lUfns9wSeQMWA|or^;__iL|Mt0EdHLtfxWB95xGq;NG1H%N<8;+_O5ou-pkK- zWn*eQVJY@pdB_?sa4j0CTJfy?sv+1YK zlE6hhopCNA+euKg$wHM+dj@XJM(j6Uj8!K*N2h;@tAl>&vN#qYqWD7$Q#Y1n6PGB1 ziPqaa&bf3ucMf7)Q}g`X%Vm_{u!N8hx#Ky2(C+VLlQlL52li@v^DQYUtiWnzuvKm2 zi$mUi{!}>I0eT{$=@SP2@d0(4tAKw_fEml-Q>#;Vo$aQb;(%J>+8R%s@;`lT(O|ok z=A7Yhtp{q>6lSpeTwoaMAu>wBxaL-1s2ONL1LR-*v2`M=I_SJEcw%|3()k89O$+>?ul?pMoMY+mcR(RE4xDL% z%W%GKAFZ0NKenrOly|=%*P@5-hZK4Od}kJ`@uF@9iT{tquRNgL1=yzBbFPxj&xIQ;{U-1fNWd# z&}j=!U1@uMcH8_{GmCGB_P_5=C=@rp_rM*cia!GmF`)S2`%Oe&lntp-5?qpGfX^7 
z57S?Frl?Wfo}C+f?=|LPmFfP>P_5zaHzh(n2-G3pGREV`m-GoAw{TSol2l~XA@0gq zz7W)QTCgdma))u^A1zro)nNlM=v}6&&H7>E^zosX2c|krRAWO%Z2I-ARB7tAcQE^l zy6-T={EPwb3HyXT?-qww+fthQSOhOkOd?|TAMAReZNTx5ud>R_411De#rGCmpO6Tn zDGKisb3(fjtyFP@Zdy1j#Z+65+Uxzl`T)rvbf-hPn^%_=x?6R|eB;g(2QtQjI z%=$;^bz}kYIW7^xYWH8szkag5AH_?m@nZ;`NDwV+{w>e$dML*nzYo=%xs-sMqa&%^{34fCo@8Qvm-w~a~P zE}wUgc{Wnh+h>$e{~As2gb4V(?!dAh8y_F&fq9{Emk(ycnxwbsPHX;sH6CSi*)SvK zAvYDf$tnctWLMT5SZy!=8DhMdkz6k>7=Tu#2|AG-etaCO4YE&jyLkZ|!;s`kc!hxn z7qbxm;jQa^K5f0DfLVQv)oz*^l_RgE9vH|%bCP@EmA1bJI@rg@799VHY%n%VG4^DW z`W+F8C;YGhguY!5;f`C3#|OFV=}fArp8W&|Ck@M_!R3Xty0LU6ZpW#og3y3ipo)u# z2(_vwdPFOrMJW+^35%mM3Hvj-mO;=flV@o5tt4w(oef? z$nOMT6nP>U1d}BA!J_2LAl^_{;R7##ooTT}_EW;y=x3S$%C*Pfz3kskCMpT^^=dBrHc0OS1qoapVm1z2wRFIGR{%C4))OytLKb{4}U)chj zp!wI|YXeAyrNXuyiukY(v3k@qFTgh#E9VtZvTlBHonLnuK8#Vt^+kD8u@8;gK^UcR z4X(Suyxp}t;&ZTb@w`5C=0D=))$a7`<#YyAS7J9jnB&U;6RF<1IwKYJB=Iob^7QER zu1}%AbL-onz}mV;4KIX7`5k8K1m9v$8?tx>s`?mp;K7tXa&LPUyUlwo{1@d037Gu{N^;_V?83cK_=#m1>*cj9H1pLQXP7m0sm#{S!*x>^m zhP`RSSz@5#0_?#I>$>t96#jFTg!r%{BEC*@M7?N@K75GTc^TB<{Q{nIqx1Ilay5!d z#o62_c~Wfasn^T#S+v@Tc^Am-Ab2UARAS40_}s@LIW0+W@Z{o*a#r{p23d8Kl?|Ac zU8FW7u!)^lYchQ4K#kUPNmlSgwS1@{DZc;%_O0 z!9?aP+u>%6+w@NRznoP)b_wKsyZ9w@_q8FC%!Ww3aY(l+4Uc2&pUM`i-M|FJsfcbz z_`Q{sB&3MC1FE{aqq=?#z$nZ=bnPi1R`)0$ma;9o;VoC^*f@LWDZQpsm~8g@t|1Br z(qc)0ap~ud4G;khW95%=_)nP_jcz@lM!vm|SnTSe+8aYH=yhu+9tA7>P9Paui0w2# zj_On4xm#L6CdWg)N$11jOE$$i7Q4n zGyFra7An~JwW8S(honQtS-ajsaB@W_g0&kKiWS?a>Lkct-|SNPJIassc;O$pnpDvrjHdiSsHNFB}j!3Fgac1T<=%YW5gSy$%0AN;hLA`g#IK$=%f zjD_xg{bS7P&=$YLL@Vo*XSyA?f1K-?dlu{+G)}nVD=LVw)GIQW6<;}`&ukga<8%3N z9o8m`mRCfT*){J~ek`vMj7N18wY@;hbNH`~l9$D*UOQY^k|mT03ZP>hGIEvu_g5Vm z+M44L@^YahFtV<;pfy&JK)Z9Jp03H~mimmsq-%~fN5Av| zE>1+)6Hxhehm(cN#1ep({D9xlhAuU*+B!)uO_(w2zun=07`@v0`#wV}?!UC$=WXQF zg2<&K0yP@A8^}+C{`uX_$`JEt1cby{Z!=L^U<3i(KyS9I1dGd zc=jj#!(r+tju5wRst&OxHT(b4Jf=p0?BsGbhqk|ZoiiS7ukjR?ke$0ez}b&1*<>R4 
zF!J$&<|SY-)^ZP01=+;``}2M$`e!#LpI6btT4l~%C~dIAyKF{ER>8fG_>bMe>GdcsgHa=K63Le387Y$3xmWHi9oX*xaeC2?g=xzvK zzdAK@_bd=W2R?NUQV!V-T9&t$voe|J)6!Vv_*a#q*P2QVSlgVhW7*}0#ve=x1_t)h zZ$#a4wiX;W&MI+0qh^`#toG1ZQqFNPZGtM%d3VoXM<3=}@mxC=r6Z%t{*8PGBocVj z25}<#?@J5#_rlfw@V3JW zeFySg;qx~>sM=SGQDb6-PdZ|`C%gA^n@5ZSQ_-VL{psA@-_uENKLt{Z4UH;kIsf=k zE_|OQ4>LOE=B%o^cr3m_DV1TVagZ2;Ye;bOTmS+v&`jHv&LS|gDsbLE>;rhiy3nFl z*WCYcErC6TwNstjBfWCSEoK|lD6@JUJT;g( zKPlVO*QC5(7`9|Euzy!)QbZootHk4dX@DPkbuYN^Xo2WUd-RoW$nC1oBF&eJ&2YnS zBM-QGzSjz84%E5qv{eMLuEE%tdm^_Isd4_&F)B6oWD*u^aM`?;$b zTL{I`LE7qUm#s+e5^ob@UGNlCBbve`U-BtI0rbX0_)P(^)u{g%&bNTRG|Y&yC;Kc1 zl`?F6YH*G(3WSycBugQ8V^;S91e=uDfbVSdBAJ$ zJ650ZIJ(kx*%EBxb0`)xdXpI9@25gcL`!JJVT~TlEALt zE@RK(kP%#PH)b73jOaUBJnAFyd95_(0WnMUtt+|3md0(XM9ITwrD2pU(Y>NU`FBVN zxF=}-uK%t&yxa@C)|)JMTXG}88*-NGU+5bGgdzPDvu%uvoPV3NIJw5Sodaj&1E5|$ zbdaSyhcVzXy3#sgSl{tz`5h49e<{>_Cph5(nU?DU@Scrzjh#q_|IG~USIr_83@qQv zx`(RO1L9CUI6V3*AjxEt%it{r>U_J|idPN*P3T7Px&W7p+Q3$%LnS>C^uG&1s2>pX zLvI7@B)gxJwsil?Ak}bXH;br%x((q^zZ9}{)6dv2Ov_XhukNxS@mUhLr{?PH?q;M1 z&pfj+mf41d`H^!S6hlsJ4W94iDh@tw&}CBWopO9R^#ns7bRc8h%uwgK>}h-(6mO&+ zn!{3tUi?lnZgppIfjZ>@uj z8J`wCM@#MK5chxEa`7DP95GbMq7LiX=no*q;R1GTVX4^<5J^seiDJLNHfje(2 z|2p#(_&3Z#M7l|{YQe4CO7D+hO*dn#V|gR(hT|=M(#d2X@yNZZUp$G&&|uj%xSgk- zT|eQQI63!fX^7RCncZ|}B>u-T7iZ{8nTa16ad=VYe6@5Wtb0T_8QQC0yJ*mSoZr9q zwb{-x-tm%z7u??X6HeL|-hEIc?yy;;iKOLSYo%{ucW!H+zi`uTRic zOBObPL?B6XO`r4^|9;2M<&u=%%Pj6br=T6x%SU;5nFd<986l}j5r#)~z0D^*Gf~4~ zNK)RvTs`+neZDDo$Z+X-t10Aq?H31Ar4ZGwNiz-7oDs%4TgC*zVbf9si-7L7ViXt(F!#SmZy> z71odMDn;rwYw2ngdI}$bO;CWGBC3y7yywyb~s}0j_++L%| z&Ly7Z90sN>sp6jyL+#Tn4$el_vHuc{u+~0xWmfGk8oOsD@5j6|DHtFkuEH)^N-!I2 z{;}zxLd_RI*nUY5^Dh^jv!0lH(bn$_*)85z2HA7iLob{t{ZXJYn8$*aSLDg;B4#G5 zDnnjvao@X*pNQ9gRU<1Dn(}1}O<0shrzv!(l7F>v%~dKrk1#dKWpFqO{=K+#kNk8< zY9KKB22o2bhKo%8fphHk=Q4P=P^A<};H)irb=t`IM{SklXW+<_-WPaK6eVUG5IAX< zxo~aTvTw#9eyO#Mh1hv8u<}r_sF5O_grBk;5c4YO+ouThAMU$qX1c$wGPw=Vs~C>O z-iwpjeJvB>TpLY;StnE5fQ9Fkz(&o@u_iFfAw`t$7BqrioknlajbR-+&%?=Az8!bc 
zj--C`p$bhZRG64F;?;FIRM<3_I%bcQAI|9~yMX`gl@rn}iMfWd;BC$Ca+e+k?uuGdN zJlY_x2?H^*?Dk^-!08i{95;tZ_pA`p%E@{n@DZ85YR99`+{qc<^=ASvH!5N5JlGky zpe{YaM1u$PVz#DkfsAil;+;#l)>ZyiD0ZVRpZQ<-8Eu>D$K%o-Ycki$KpyvUU04#h zfqR@53xl-oD3gyfmsFd=4zjJG!9KG$oL-~YH+ChU^%b_>v&;tnho<+AXY>Ew$J^Rf zds8A*wZvXU&02k_RTMQ+wQ96>t&rMk2CZ3C&DynRwD#V67O{7T2*U5~`}6z$1gX z-JsQX6YcC!gEZkbV8{WqWOxoQYwt$3|B$tNm-y*_ie$5b7cB}2WEx>S-NhAnTF`%M zPh6@=cBiR8x7)u(^Gt27a_zuviPzMl#8Q}Jm!0K?#FymMxhp$N-FvH7ukW@t)jjmw zv~rgdmx?=^-1K5m+jrWmI{HojZ{X%$AcggED@yTDtl@u~LM|m+qwWGNtbD=bM6W3D zW{PE(?S0*1g7@=C34WNl=;B z;(AezWcX)2(C7N(Usr$YN@EyX(ZcVqTzdo_2bVc-|BI}+RQ!3ZQXbg}#GtosH$op$ zG--$p>Q@9+XYi${>*Xyyz`qvv98*Vc8A~LQdGM91WKNBv3s^Ywk=W*6d1>L{I&%Q*L zZz-$I)Qhz()!&Z#%pF`|4ZCWu5a02^OVEj67oC;AEKeG`Y4)ykXVq?Y%O9J#i+zyR z)}wZQ{s8i>3$dkV?e{4RXlee(AiU+PYnN8g$klafEE&pXIkBwSl@0?oA-P-gsm ztoktc>}p7sX&=`^3OQoBifxjtL)hg0FnyKfw^t&^wf6Z?YDdubV)^8}5Kky|Ge{OMyGxJ5RAAxQXcAbw)b=D)K%LkBf6QsJ2OZ1u+X> z=1Dpc`zgD)>gU69nB{-b9Gas_dq~P(ZzCj-WUOtQy1srg0t#CrkrP;F7P{BHIf#-V z@1~Hcoo@8Nfq&b#lWbjh;I`R`sv%+vAHPQ3lNY_+^YpE>35Tuhi{yYa&DB2FEL>jm z$neq1$;hya2QE{c`wSZ#I5tK6@RpucV@bF}0Qj>Tv*2mf6+|Z`V9mP*ZNL3G&Y78# zG0mV^v}Lf734V%H&1fc$IrW(V_oBI{gJ-ekb~9 z2SS?C#yZ;)@77+pBIJHZhTkvu4Qp1wu|KL>>!Iprn>_TFZn)u{pRSl5@8i1o^B*xr zHB6{oL=f;ZnPl}+Rws{%cF7{`n#0PN#MbdYZ>X6WtM+u3kg3|hpa7jIeLEqS%$8u+ z{JDU~;NR1hWm9x>n#ZJQvH08aS`maaRncDH4CaFxLZ;QiEE79p7w#6Yb|z?5VKtgY z6!Pkdl79#bG2E*B@**xeu8BpMC~`>n0k_Dv8|hZpYscfJwXpHuUSllEHf4ux_Xw{a zDQL%QH>AhpEPiL0+zfjAm1ILkrw%x{dPkmOkG^%u`D+o8i+ zr!b+;1ZlU4L(+89F7KLwruZ3GX0S^`rUs5Zjobf;($v_GjUc zju0_7IKo7W1y=?nTUYtMh1HgiDs^}2yzV6)XsK~OR%!})AX=-2M+M^Sg%^73SG+qt z9>?WKw|n9iE!v-*e`pc)oDX^_zb4@}d(hZ|KY0*xA=}pWO_$59%#z zg|%3Y=biPplSv_@&DSMfH%~7*a5(I8xu2d{MO#B_G-k5Tkx?b&Hso4Rc;wK%!{$xV@=S?890t;_+IZkFXU)aD1mgvfx1gPNrk z+7T1MCN&^*fbYTtS@65`LpdvmCv_HsC9{@^R+2PG1K6P7#Y)`!n_(eKv~Khd9yPS} zjaZ;IauIIj_n)jLRBCg2xhpFV^PlcEkXE&>Hou+bZZm$wqDTg#!rcP-Xg4z|k36Be zaX75ICTbCu8}9A&%cR?s8~z-A=z}zE16G|!RxENw#T9bA7?pHYQJpa|R{(x;({^`P 
z8%xf?j#O2R@x(lQZ7JdJZ&kP|AO8tg8zYX|L~#$f+|3Gi9XrkrYL@)cKeT96hXgsU zPdTe(>on{;F!7G+0p4}IB79V+gY81oD=IrhLz{`g^620MyzHk(V{2ylF(R^JShKff z*64)a=(n1xu^gOP{ZZHtE(j{Flt7OrpG8f{AOuH|PT0j9dN}5ugxjUDtdKa&r~Fr&Aj3RoMa%@5nhyS6{E*O#D%&F3!$%N~rS#dXZh#s(0$yV***mxoZc0F!L{l!yj;r*|eN(k~X8JkC=l( zup-g-&!Y)eyl>Og0Sy`x83sO%zZkf8lt0DaWPD9V`Wj)hpu+~ z`>DSU0q+m3I>~?2A0+;x9-*{H6(Y_$E0o)Hk*_K3Z`T`oKUZpg+T}=Ioa;d#LS$Vl z^~Xh62*a$5yr=`?&dIp#XLClm(|*&W1 zi;K3Jatc;Gq!-`;P?t2I?!VCx+)el0hJn(r}fEXHFR5I8sV}Ym#*1 zev!Fu8_4PR?2G5on?DHBDCM$}F!{DE-A5xUqA&hTuRk7iXM>*zB)jSN@WRJ6?yw^- z-IYlx*rm78LN{Ym`$Y%|4wEU)Peq6!Dn17tRr$}AiB_=|h7pBxuzik8cy#dH%gw4Y zeC6pGe0^*orD?bA8$#x2m~Mm$7H>#+%%)`ur@ER2HPW-8Lwf@r{FLvpF+}QxL#qxe zCx7X%XAI8TGfB!a-O7$19b^yPv~b652qHJziasE|KgGKA!>0o6Yg!L&=9vZ;8*F~A zlk>;NKAei|V|$9J?w6`~yU7!!aGe=t7xD#5{??djiJ8>eY`dp)>W`6C56=}J( z3>QRNJFDU%cS2z@RW?a+Q=G!X_|bzn&ULi2|KNJl{QHx4&q*b^lpZ0ALYHq@qx?=j zby?vu4x1j>fWIU3vxLs|)-QD$3NVJP>#>O=c{qOiOrdgLmUH zk~g{Byt*DHC3!>?bec%5-Ogm;<@{g&nOrLj9~otbX-V&3nlqiMU%;Z7%#adb*69Q7 zdhgc}V;#pGSKQJp^7c~8^a}Wqb)oY4i;S_$ko|!c*@hY&>V#t0`IoQowFGi8<+glO zVtKawkt+I`(BdFs;b{X0bb zTl2?`OA1#D#Rr}GP~3i4rM#bT`AG`S=Q8&AQZUc9WpB6YFw;DabiVRyFO@yWE%lq* zu2hfoc=yy#8LUSE=FngeKzhD586H!=NI|yM|Aitso_fFB%9T6J43-#nAX;FqB7Suz z60AI>X0V(ZhRvv`8Ye95etN*yc8Azi*YXO0`WbGY(PV{910bYaDgF8!1jGqMI%hP{ z^gvAs$>EB|y>e^&{MI0Zh@kri0Qf!RW|iyPnQz;d)Pcz64a5vWBIKigUylIhklrCf zuwa7 z%CvPFgvV_d!^y(vYR1HG0!i7Pz$RMQ;K$HLm%TERi#!V~0!U9foLolN6-1Z+_VrU1FkO0A?qJJc}0XsL!bN;2=J47Q-gBnBzX& zx9a>G(%VMhjg}x!PBt=2fS<3#nV+9Y4Xl<$9nVE8CSomHy1Jd~?=Rmp!Ch8#?z+>H11!d_hYhqK1qh4W<)m29YTHsMAP_zU>+0z?C(F zV$5-ZGdeGtPeA4p1%vE0{j@#1opKDb@u!It>aXlm>ZAD-jNpZNYbC&!H$-X=fRJv|m?5@mtVPFix zvZc^L0WnGz0F7%g;b*H1hvo9NQelF8Pv2b&o~EszRZ|;q6r#kYZVK5+(`^p6B957$ zbY8YjpkCPQoA}*clhFD*N5AE(-Yn`qdo>k3oZVSGoO!f1Qc()zQltXq@9V#C%F|Zj z-Ww$&q{7vrhccwAQq(gO&?nylwitid)xSyF9!F0S-aH3|_0S=$!Y%}E-Yg+>qTc0P?9A}@>%)zZ^sAJsS9S;`Aiq4~MUEVjnxuxX!a_x<_ymXY7 z|2m7@`E;KDmF^!znpjk=PT-Ac@&U!cAxjb)0b1^CQG^TXLxGSsU)X;i?)npb-tTQM 
zIn3!rz^a}a@a%fgq&8irQknYPfe52Wd1T}6+kv#YY{h`g`X=Ys1YeNrt@3{P6dSjr zD0Nc}c6ha6yTDJaIZz<)f7H%zj7s15JL{fwa|u6a8;cxl-&T2$bj;pi^h%=)$+YBx zOJ1(Qdl|}yr-LQNl-0h3Q`TR7jejP%*LV?6UM#?6Ty!yX;J5T4=uwn{SnGLwPU5H* z-(&IF1N$|FbFoLL=Ns)=4Jtg~hL_5(c+Tk9%kVvar{UA-2-9ZOs48b3c zU}i0{mCU5_g0^C)8`-OXGcUmsaGMi5uh%mTKTkT<8=tk|9TEi*nKT93Y3G`Py9t^- ziF?`Hf;X#FH*=xi#>Kx36Kv7%f8&8)t77wCR%71yzv#ISu4Hbt#%724zrOmJS#@Tx zSzw-U8Ul8I*+X$rL# zmo=&#w41i(Io<3lZJN%FE(b!_J)tb4*a%|=oli49GTp=VMhyYabjt(YqPqhcQ?Fhb z9JcLtC65JV*fEp`IAM-Y7$iuQ4GXzKw*N8(O!64F`V5A$-4)Y9*bEHY*-^@wi(0+0l{l~gOJI7ErSrBQEDrCfXz%rul$t<=mRb%1~?^hqJjS4D#;YG z_|yLn|GU5ITDD_tfDh2)5AH6LK0`|O9xxza-IAKE^Z)-fB~xKfFl6+WQFRp0-8QY7 zn$l#ydc9_WRQVEzv;X|MEi2f39Ng+@IY^QkC3#a26Qmx(Eu`6?m5RfNS`vdDXY4*F;s{S)}pN{jK6Y^Px3Y0s+s%1lkf*7}qbeBsG!o z<6(b~8RcQW!f{qtzg87Zk^+o#4{E!7RA#6KUheEe_aR(+?QsJy_hsQ2saOU(?JT#I zL%da0kCSK4pRlmgI+W~ttM)D_#x{JTW_rx zTq>**BYJr60NdX??)r?EY>h9AaBj{FeTC+D85ZMX`SB9Mt@C~J-&v8Y-=@ud2r3tl zO%7L>q&+41ADOMM>nQuZh+rvZl7!^0b6Nq)TVD)EgK_d$ha9J*4NYa@PjA4`ml}R? 
zcV~qQd;)yTdnzBg5tt*?a(tdOYL(3RD$4!zngPnB6;CG<#rik=m7QMnuBKvh3l@Z} z{aJzKdx3&g1|X;~$Z|q#fT`>8uv@{))FN>G)R^r#5hd7(%A=5XZMzrL*7piC*4ei7iWpm$8He0B#U;A7HpXrv&b zAihRo{n*(!>6#O4XOLAPH$qWtH0C{5es!6sooqK>AgO+nMwUSwB%;Eu)SSa4-*tJu7;~arC7+9w_5e+d^GL+P`)j?|X(;KZ-^5tR9XCzA( zjr{OuCzBVYB1~93{VS4Vo9j_u-4QJf&bB_sur2M4^79|ZU$(_MuDgD2n&BGyrk>yKRx8a zarU5=eDkL5XIZcJ*H4}nVZwbZU=}7{zuC92(7R=xq&GD97zqx$53tQe=n6{RjfU0% z?4bLeiR^c_PHHa()9L(0`eQVP>%%Xx_4EY_w$N$zQxSOnHOK zFZrP>xsY@>;nTzkQ75Ck4p3412BnXStoS7II_n3QlOs|^HDyiHAS5;01PBN1*6Dh1 z4jKkaXW1$C3G;l&rX;&_VzCG=bN%;39<;G>7}~ngRt-Zvcr98z^AbXTL?L+%L;-20 z53vo1rckFcElc%Iqd&=B z*@=5AUdMbauh&#CSMGC?k>I5NwdHNDDD-u3xcO?1P^)X!i{r_}zT1pN`?XoYXZsuT z0^15L)=8lxXX$xUJw5V95|mF(YpQSGK0EOHX!n%S;PNbWT`&0{mdd|uF+)_7rw>Xy zX8Eq?;2}uv9iut{0lv&)S2?J(-;GR#86Qrh_evwM60%c;#;=V33_KV9VPVV_PbrUp z>z^L=D*2r9?hBF!-jRbP{??iDr>B)Z4u>th)nOwV8x@3=Te8GaJ>1c1(n!w6rvwzY zRY!T8JLNpxa75jY5=PLTyS0lZoW&2-L1D!vNo*vKcweZu{4IA*zL5BZbYQ~d$)Df4 z&mo$tEALGD2x6Z;$>dvI7ud>qtNQoL!`zQxBTgwr)E5NXKKb`&3ZGz{%jaKBrdL0w z+gc`LdUzg)lJa<;YxiL1Wip$rlD4DPY)vwc2X}LZv}>I4>Fm_`Kmc_q-Rv(DXz#(6|bYu^~aP31KWAc zUv7lT(pd>+>dE=HI5Je7Mkd!#$+(O_3i&JlT9~JZ$Z&E`DDJHEHW*-QolnPSPY!yU zVJ>9?L!V>)pNubhh`FABP2{<}e)cLWHQmTOfKpr^%`;IUq-G%==h<5cQ)I-RRJw%U zI6Xz1Dg5?w#KMGix!DqP`}2TzaO{jymApIa3J2zFPG(ZzL3`K-+jq6Y>KuL1 zykNDBPz@9FYS*QK0vZoKnI0Kf+XqGCFRDIzNsT4?$Siw=^0H1E32{eq=;Nkew=a&Q zdWM8Ge`R9&Xnl;4ZU;f{s7Z<~bfalu`2jtuH}bm$C6HdGd|or+DSdyEbQcl`}~#sn5t=8{>`*bQSj5 zs;)Y*@V);|Nk8Srj>!P9Xn6!|lt(j2lueiWJ9xZSX&ce;!HjR@nk4xVk|*ue#6yOR z`w_C#kkD!5&Qf`^-L8#^e5?LkvbQu11B$2f+U_?suMaNswa=k?Ql)ALk$f8;Swuw< zHG~2~x}(ofS$NoBw2)o`!~SjO<3_oNsTdo&r7760-MUU%Kaq_Wvh)`}q<~}U7Sb8O zq;g#M2n~Z5H10^~*!tef9>tC^MaNQqHpKCv@k%($M;G?{rWaXN9|g$&1PN8D$ejO9 z6cRd5AHQfl&pB+QRbu7ACbH)ms1_Jq@*`|_r{6=zC!}ci9rH;YA4(mWpD5lqLO*_q zLhl=9*7>X41zF}6z?9{NNqd@& zgPMc|P_93&h&>wPGC$%fi7pQamA-D2t>vB(;?1dFmThpqh^TnwZ@GP0d$cia?k~yP zWnLf9-UI1>Ms1ZGY)~pqBNGQI?DGMkypEd%fD`};jZ9a z!prl}JR2a3+UA5R@2JoG-PgK9%=h<~QrjIHV5wVZFy8O1%OGdOST{1bL|cF*mlo4?#ljCX6H 
zwhC26Y+{i`-A5Jv<-wdyE`N}+XWP=3jOatIscFN`X)(UGrH|2{BP(QZ-m6@I)?^+V zB*52}Sr4w@XB$wiS?t?CBdRy?`@uCp`2ip*Ww%yuQ4ukanDt2C%>n31gA%y=k0^-v zQ3XIf)b$au)i`BzkWG0i9Qg7%5Mw^NjJoI+y0g+Z0K}%XO-v`J5Qtc7RCn_LzLU)K zcAynl*sbpL1GvK7dt}PTy#M$N?IX2+Oh&F`6HvB}cy#Zps-~P1Ky&MXn5Ot4O(ln` zge;h2%<;@O6w4E)B{@9&1 z61QS&=>la-LuLu`zRyNCU%6e;73_o`@ka^`=ZiYl&kqFNy@os|VcTrQUG}}9iafEk z{KlA&t?E!?4f$T#vCA$Q)xTDrmX}gDQo0_|%3(#h#mx9?sYU=p{*YISy=eO@zb%+B z;Sq2D3?1))GAL97@KaB)vegyGwR9pj3J^D7bf|YZ^|s^2CToWgp;IB?Kf@4t}kr0t*@xQ^7pFfjFem^?$B)L2u?dFUh4hz z?sw-q{{;K*hY^3=ogK%N325oKSR)voW*%bP!2=;8;AB zyv4UP*EqpJ=C`>U1T=l9LaO5iu?aiIiSC=d8#gjZ_=P`HeyG#)-myk`ter@)lImJD z@V^213{f=-K+7==pQd&~`4qWcuMXp<85~-a+nh+_^(|gksO%9OESLCsP0apT9C5yD zdEMUn5yvku_M9JXl2q|if4K1~RrAnPuA-#Ycn#iq_^83F0UvHQg*l0{sDVmI_%yFA1MRs$IYZr!-MJqE)b=0W=j|!3uNZUIC&}(nn^A2h6@C#+hYNAy;{=6%_`pe`IvbCkB5NK?2nO9S6 z`xu1c?R#Qe4PUDLcPd~-sMoRDPn4Sg($S)>F(AJ-%tZd>$m<>y zl`VDEHEf|_!wj`-PX~x(RyvTZ*_$9Eia6|1n)d=CVlRNPx*Nq7V25P*Ro$y{6_wbY z>{}z=JMsZtXtLY&|0(zoCZR(Ew+teS4+f8n?t!ZV{02Is=2b#OKImyUy;yMZNV%b< z(Oeb6N!NqC7pX1#57`omA<&e^8}91{OMgT$l`!Hvq!zF>Y6V>2RmuDEzELxm&USn+hL(G zPFMng<2$7}I{`66pK`q*W(327uFoPWHYr5vt^zmYT0xbr1b+TKPj1oVUp3IM8A*UF zpBu?3_wJB!LHA)_&vvO85>-d!NJ0{C}JT|#W11F_S16OBS_Q2V-zTdRq0MnmUl~bK8<@=4f zpH`DAg_IVV@0AzU4G&RWu;q?A0(w>3H%+~X>%#4e4)3w6-o`d05UwO-?!AN3;78mi zi#d@c0SnbdD)D;Smw#W(PGO4rvKec1uNVLj-Mt-A!LZL=8$;^2 z!wpe#1)YxnEx!sY-Wk0)fYv$JVRxIb41Oy?C=fAANw%S}SfZkhdbG@y`d4tch zq2q5StoM{Zug&jvX%#aKi&SK!{yH=n%2GRy02j}aocOQs)sWxd zeAQHD=F9xJxSW{&+kRH^5?~esQvsqt2?N>j&Q$t0@xzsqyi%L}kQAsePI#W|*Ci?@ zQrLu)?Ke9A1htex()l!@r@%FyWa}AWl7M6s?Ul?mS$W`g>5j-F=E_`}U>Rxjz8 zbXyjX3>4&)``8n0Jf}>z8dq0adjfeQ3E)6&t?^7-d&zaB!F{;?h};=z2^%@D?iso% z?{$lyP=Z3Q10#Y+=fA9*W$Su#%7~1w4cQ~Txaq}GT~-|{Xy+Jq>4Ahjida>&ZA9j;&wPD&F-WMd2hOGW-Tx3ARJOj6+iyl4oOLuFqV|LTFskXQy_f8HVa3rK!ygK+Aiv@^LAT z#FtCJ)V|m{EkRqQH)w13998x}=WSAENX#)m;}VCIj21%J&}70cw7$Kr8z`ytI|wBe zNnHPSF&dEj{&p7MLy<8I9&nzL$m&BWmw>uK4BCM8fiw!{tE^KZ zoGARt^699K-9UnLPJju1=EKZU68iZXCsA7)LXC3)m{4PE9)Fd09P>r|@Q)zam}L2) 
z(eEXFkS9LLA1+Z!wLfwGf^0jfF`)OqBT`10kf2~h0IN9pL0f;=eeD}K60Ac^R-r2513y9Qr}-;7HdXv`%My>lT7aIgLh$Zk(52j*?^$!N5ob6 z2>M}=rsT&XqUXz@(+k0v=a(M@21O~|l7yX@PQuQ~+pLdb${SBL53hp(tjkks94%M- zYX7j)%R?JK;kDwKbK;(pNXym7ZArV8dn#uUPgT1k|BQ9LEOq#6g407*Vpa+Ba*c}ab(@!{#}!C8uC<>QWDhlhw(YUK~rS)l8S!$v9oteF7olUOhb z?RuQ=-*JtI3ZR$)taLD{-Q|YxfGk7F%URho<|nApWNQg$q+mj*VjJZ8uWYQv?r!a% z5zamAO=(HG45DyF`I1-1 zG!L_Kmeh@3hUyyM?M-4z@WaqOgBY^GLWqLy!6hsjDM9Wr)=TM^Q3|5hL0>e#$gWZB z(w!K-y8LX|3;nV1=QU28u)&D>?ZhQ%(_4+fq<9_HJDT$hSZf*OT2x!O>=b(8ancxMjDa z1b2Lj`9#{TKBI#?d?~6R)mKicr0ynmG-b39HDGUg6E(iZIQ_&J^4kB^lmJRL!QWhU z_hjotZS$uPZ2T_zs^FQyHTT`Vxq{NW4GTHAUu+=XqUj(6^nByB$uFO93u(8RDHfO~ zX8R$H*`1QIGU@+_a4*)R2fOMd<>&o;8yAZka70XJJ>g4@NZuxi@;|CO?pO7XQHs$@ z@VfBpr(FMtgFgd}Ws|wJtbS`DDfxL3i{Sr(KkE0hzlsJSa)b}Nxj0xzuDbL=ivOqu zKnF~EA7pt)JYu7jJpyXn=d>Yj*+?V+=M&(2GH%IbhCX?>7a3XMdnSwr4&g z&h#qd;2-ca_iFO}j~;aWV+Y)?YfS)k3!n)<3rXGY0gp?J0jA=7dgX~R zk5E6Y<*I+xUyJlC&wWk11WMa9@hmFhQH*@^l3%w?^W`y#U`Of`f?s5lbB>aCIol{x zR5!P8&fuQ*`N$KH*^`{6Ww9mNdbQPn){2TpyJcwn@Kc~s7x{+KxKp)?o^uiZ?mbTX z>W^E!X;Nvog;-Rt**lSrFkj8L$CjwyOB=V=vW`90cTyZjyjm~im@GyX`=Qrkrm_z2 zo}Umg$}*VTq7C;pVSAsM7<=JbCvHTGpi(hTh!Y;`JnG$0d~_HW!v(2$(tKHPGvs-? 
zS9je)e*AuPLDX$A?@;=EM8Sg6v&s^)>-Dp(cX$rO;m^Lvea9sD88()(C&nScMw%BU z)3cM5bR4Z*ecv0Qvz_OMS1IV~(v=CyCNVdH>H{DAO|t7}Wkuz)2T z_H}*t6CD^TNeprC+QyK(-@!XZaGbkl-)(OJE4)w~im!1KU%97c-&&7eid%4Z)=Rez zq@Yz}tnmTU9PQV-ZYGT$YjA6C{iLLra3=~)9^fUB7nVdhKH!##_*uXu%CO-NKDaBC z(uqc^cQL`>e~ZCRN#z+Ro^ge($gQt=M`@4=rA!|UVus^vzL3M8i8@VE4R{i>`lA*F zcQCS$)_>s-N2%Xql+6g_oqi$^Q28Qgm>jP*r{!V_{!9;e&0VCJd>_GLI_n{CZr{H3W0bos zg+!&WmR(9_DLEaspV#DP-nYt-UjFn4n4Vc@cS^;2!1e~Ks5i3bU+b6#f-i}4I zpMr-gLW8eHvJq0Tcgmmt35sk%J;$Sq-$pZ{U$wIJ1=I~AXDg~wv`N5j>`Yk*(Rv%E6T>3v zMu$pJ;00Sz7iAs2pSsy27yQ%LR7>@9>s#)u_gjnghZ#$DDx1$_jh>T%Q#43^(Nuzk zLj15I^L7F)j%$^YltCXK?MxF)y$5F&tIl_qT)K`_NdzAKJlB`=Uut{1#r78|yAln}E{C#Ff zgwsvO@7|!cz{3HpNs7FAxFSuBgJ{HK$7H7r&CQPGuwzu@^T6uTqO7~+GmV2<#GS6D zOjnJiP85N2hJVy&b|r^PpmnbM@s|tM^tIh|6Xc`(%}$udOZ6Ks4W?c}@<2LZFj>V0 z3-#D;w^o4rT5ViUr1Qe9m8eY;eD2xleYy1|>kz`%J~zC;QntQ$kwPkuYM~uzd(0Mx z+^Q(V2hglN;4+-fmrLgi$u8@K`{Tght^Tot&*DalVJORFuq$*7dE7zNq_i1Yj*n%C z{)Wih+56>U(}~J0m_9R+{vbGSwLkNIQtSU}(URG)6bzuR_lR;mZ!fe)PURdH-eKD$iVL@=>d3;fmtrb0<~zM zJ^{S?&8NLbz-LeZ;@O{%a15Iz5l!u52P+HfIiv1FdO0fm%^HkHCb{bZuDR9iFZ7$l z?xW~Pf(4j@EhBd19%&AoEMNJnuP(x|@cN1e%L+@$M&7Xr2ArohKP6y0kCSOTrsmqd zMY+3VspQYP&t)X4f=-npEN_S9sf+m@`=fqapl+>wIzAoGN_CFWOfIY6XgTqgCbI#rwL-lVh3B2Io|SqL>{uU+@T3&SDkLqUAk}cxCc?!*}nu-~N<<<|>Wl zz&Dh^7DEybmJ@ze5A3b^+jm|cW!G#|4)FX#-ce~=kD|pe&c_0!tme3D(kk9gKlSj% zVhow1j=gI`tacBtj=GSjocV#?vfge%O_NyCgFto^wmdrr^TV$L_Mmilrtu})4QfHg z`es4S`l<(264FVf;KAa69Dgyy_Vf4O$`)41T(z^mEKI{CEX&eRhXLqKE?39xHG8Yo zG|dW@qq^HZcUTO=)2Z+3WO+JIZI;0M9Crl|1P*$cLXL#Ep>O3bqZM|?s|0yS4_Jdb zvC)t8Xx2<$C7sEI0~XVde*bOP4s}cOO#WyVEX8h@j4r3tT%YwM5_Sn|^P_DR+($Nw zU$kPTi*^!^<&E2X_2`uOTMsMNms4u}hc_x?3ZlE{U=NH0=-~#-FSFR6*l337{>MxC zos|fyIXUpr6uCsRTQK?jL@5Rqes!;Kfnb9r+i3~1+a%5r>9sG*fO>Yv@9=Zr95-%| z0@K9h#;T**<&}82_*!8WX8Pp)?w_v6n4B1*XB`u;h3Y9Cx%M!p1w>p$CG7hI>LDs( zb%zADgUOIyvnUxhQ822e%3C5cIPkZ9Ehn}pdFV+skM#8KL%QR=-q8mB^^vyQeg4?W z!*AM2u6%?_=|Z^gYQ%4(%WC^V$2=j=3$TGkV`=igWj`&t4;#S%y+Zw7XaT0Ab+P=% 
za8-^DvqKuTWH$0H=tglqT3x~Z>g=HE+M>mG^6SWi`eO{|MB`l3Fv=T~2A-f@&w{Oz z3xd$yaSc*(c2LiizV{i9#@P5`k&vPMQvMba3KKFer{Keahot=omxkptvF(JI>AkR+ zVh6E?z}DB!eqm0T#up8}Q8|7%hgq z;wp-%G^^RUv4gVejN7XrXkEw9X~`t{(5cIR_1qw|=(Q2L0LYJ*8%3;kZP2hh-@+W` zWdDl;^Q;Q|=|;&0S=;~_Gu_APRlJVeZovDpIhlK_C6jpZlZ&FWKXP-!){l|M3yPYf zh;^mJ<yHd*37OK+RqWMQaX}q<|DJXDzGjzQ{`0ZW8gCER^GeU~U-EhibDB?K z!za0jtD|=A1b^ZkrIxFx%j-`E{&f4R$^WzDHyJ;bh1LK$s&|PGf}b3a8~*ATPoZ0eHqG-f3;wbc!6d>8dun9|0j2-zx;=<_t<6u^yOxZ6jJ8;mmhm6 z69Ep;=MEl0JzkauA)#(o$Nv)XpdWykai?oSJ%{UFK*fjjphv*(YEnDM14x|6L~r)b zF8Z8${TpB`+F_w%umo~zAsQXyk_Vc}^M|vG^}Cu;u>^wcc)KgNdXI&t}OBlfkFoK=z|U1j0!wn+b<4<>C% znjha7kKUfmkR2~;CLmEWtLM^OyloNyVv*a*qyv0CvCdr7mZA`}#yu13WSi{hP;dL>~MdM;jXF|NMj`oZC{CiYv2|Pl}Qb+tKAvA))-~M(SGvrfm*Su^=hU!J?fO-~KL7 zHI2}R#97#T#HHbWlqu_5UElWO`gU!z=ZlE=ukQO^gg9=YV`K#(<>{TgXx-tM;m#EG zO5az){o?~a!0Uwt>gSv(h!K@raCiSCP)O&6xyhNRC88WW@s#WOj9sMP|GYv*WX;J3^QOzmI!+kH9BU!RbUk z;#=gL>25(O%L@g&P{=NeNP|hbc+^^00Q#!%=FfG5UF-TGOQnnb0wQGl6^(L{ZOt$> z=rL!E@`8`Gitx?F+`FKkqM6#MRMCSxiL%2`lfFwBnL^4iv5u)i>D_q!*OI<9{(f}V z4p(P;bv{+z)92*=8=YMa#^F{gOA;fS2`DPoAP4(}4J#qu1S(KCr&|uL$`t=?yYlwy zW~;TI4Od0-X!{BGk-0>MjLGz{?+z`kG0u42(kw~wSV_ivKGPl?Vf&|--@$ETtU4S@ zHDnE zAwTr@j)LvwD8q4Hb2jEN%}VjvcWOrEdMqL)xMsdqyRFU^-_iVPTLdRW{%f}7Ze>9> zk*WNfrS|XOD*K++ul-@)|8s2B_K8t>kkY7Jx*3r{{v~wpF+=AvicI-ICuo%Aso#Pe zG+oqZmhjgC;d2eS**cU2W#ntBcjeGJHa2S=YRz7w>%R!Uq2}(!#2K9m)f4Y)#0JZ; zyU$f^&gNz~<8&~`V0yKcm3EH?2HxJxQmeCW5cZx!o4by`RtO!@Bn)LXf^T>d{O*eG z)iR0b$oDXai$>VATy`$or+1s&%(jMi(uGr%@cXMfnF*SS5`Nuu=CVS_>W6re|4G}g zIh9^6yU!SCJ9KV5!%e-}PVr!ZcP_+deimyNTC9QK@_| zAyrg31RpBN8NX$pNwl{qnCE4G_&+bA7)?;{D4z52i1^^lC+>leYO1Vt(#y zkRht2!4t2}heobm)OP4Dub3-mYVTay)jU#3*l;6LRK>~&Cag`w@G`KA<(9=P>-~! 
zV8XQWM08@b@C&9cy7BGM$P?o5rLkDwkZsOFY9H$ihmR6J3Jy=^sV<1n0tIWgVlIe} zUv2v!<8Q|#@JYf)A#XMnSll0{adSsgUxsnuzWhmO^j6p4HrW&X;D7vwYRg+Cg|h2u z!gozl7FJpmR@2@5%bH4G|>gSyEiJqE9n(fum ze*C&UV@N19ts`C7t#_}emV&AKKoU`Q^kw{Y2aP|{&gxJdxTQg28E(oNoNSgJbMe&%MlcuNmt$uYU&aD92h$MOG5h& zZ>>U-xD_Ex&)uIZ-TM8cis>UPBy1;PBkxWvReP~i{6y(?2&S@kE$}iw=SdwCa165! zXA;60#UG#9MaOsb?4PE%O}d(}uQqdkb*~DoY`ofEQLP2C9H1j8pfGtwuUz;b%TEhe z9Pk$T_I}Ayt!IM&UCakYbjBU{E8dz9yuD4r$rAtB0s1FX9Kh&1^Zm0VrI-HQY7*g3c5zijx^>!9nHx}$HL?8v@%0~IO+;YUS&&MTYv3_s=z2AB;D+cT zhp4$|C9x__|csMnb!dy$`DaH)nPRwujk7Dif>@+l%=wMecBZ>I(B#c zJ0p;XoJxl67i@L-IYzePHt{Ayyq3!?ut|dri!Hg2`sj?gqlD_V36P?Q-Z{cn(r04* z0`=L)w0cI5`|M>mDbH5uFqDQ*zz^6@Tn1k84o#0qYU!0ZN=ky*7?;T%5DkO)a^HS% z{~AO(`5&_0&|&%d{1qHqK%_ZjCC<|J#}c6UE`o=rOkJND13k6@OUS*^u&TD*TN=cWCM* zJ2>*_26>;f9CKvXp)@D^C>d4$7-%1x1h)o+=G|#Me+yI}y<%;-gC=B`Az=sY+p_$G zn*|jsc9akOq9kP*Y<0;Y#G1~%^S}o2BF8~3-|!EF$f>pHGMit1Adj68dLFMm;|iBp zP^2Y&!Df2Uz(d2z#Y9W-h}nqg=1-prQN>}MH$N2jkRl)=;L*jQ1Ls6)KKVz8FTq)l zZY&^aE%q9|;^twdMd#~AWx4NAS3J~&#vW%0A(!6D*;RxT7gM9)w2o4elnPK-qE2n7 zSC{TpG3)%qqdvPPHUx1adwzAtbp}4=Z7~BXW1?R#O*+mwx_BC2h-$gN0m{sRcvngM zz(?mJQZ&d*tCdn*iixLQ@{|ZQd?pGrsB;g?SmeRryYzkYDOFj&f;+Y#MB-_*RPjj= zubeO!BEEcChe7pcpnP?ehNeei597rtA+cQbM}I9VW?-aM@L;P{EP#YJb1oT z3OjSf6!cceKaV~2oTvVlx8|zwAS%g6K-Q0_Sx4t~bC1HOP;nUQadJ_)LE#;-SMEti zG}~RD;pj5FjFM>>RhNx{(!)sJ)TaIc4_R^9ecOdHXdW_(ItqK3{nSwF3Cyp8l!BUt z%gB^=M0Li{_`?!~${b4uDsVcOokyQQVzN1KyCu7l`F68%T{lg@&=wQ_El#N7WMy69 zC-{VOA4+~#cM`&u-+dKw^&Sghd#NH|Iwi^02h%RB z*j<@$Bk_G0*&{YDT4pzjq9{N)TS0gqEFY_0XL5dUyeK6uJO13LQHn9E`LZ_=<&pz1mh zF70Wn{-&t|dy(AlMI1^^eQw31bys#bD~`L`?nrD9>6+qB<+wt=p%+L-XZW2#j6`LI z?jPgtKFfznyPX)IlDA{0EAf!h9eoo6x}^%>0w@A8H0H8PyUTD$Tq68Qjbeg`TQRZD zA3wbwNU?ehqQNSRE*bGbKw%qDbTHl<8nM+1=rtu3cLT}LHxv~QgWyD=0#Jz{PWD*} z5a%!70kw!1hXenAR=(N06pVx*v{1PHE1&>vW1Ywb0Fn(k4Zc~(GYQq?a`%m107x!| z8(B}l4aubvog)?TFGRIqlbY7}u_|7f&f6SYPNVYd|4!v%mpY_`jRs zO`hY!HJE6xudL2YHgOlIr%0SX9~b@Q=bJYS?VgiKV(W<~v$i_t6PzF%NT8H&+-$YpGP=rB+_qKzyFvE#&7mhr~GH9ES;afrk_y_m@QxV 
za%%FVmy()TZ-0M~km9#}yy=%0-dU12!C8{doSe3Ulc!LI@MGCh(=~RInvCkUH?hZP z{>|GIPMs)^g33TnQtT=_34TV*ta{<*?;zfHfLu(tZIBaH`JLh>AWXB{YO*F6S=VuwuWxf%to%{ zMyXB5B}0BqdPIQ-Phj>|2*vmqMJaYEG@->)=R-~EvoZEOU;BvSTSmCd(X!pPuUIXq zhbxZ8ZsC#-$x{G4@{ic2Neysh6w8~#VXY|DpX)2#=%i>>Ir7-Pm1n&vJv&Uox44vO z$&LCqSzfcy+&RAg4oUIoL6|iV_D#`J0ra*H7pFh8h0cEF?mA~dAR1@+gBy-W#@`u!4O!g6w)|Ra9RIG|KqJ_i} z$?b;%mg33QF-^OM{6C87VfH?P3brGbl9*HKHvI*1IOmFNi?A-o7DvD4SY`mBz;lJ( zE=V^YwB@b1NRN_rVxejed_ufK^zpL$TWqk|$}Cdzc)ZRFZt+XjIA%TZy03a? z)=9`XqQHFqSbpj$TUZ_;{RBR1i_Usz2kwp(_RB=}M5hnmBd;!$dmiFaYTmb^7hcVq zM_(TM)``0=xu<3WXad*9dIN_+@O8&Q&EbXAHM5?JYT1|cduG(G4%aq2X2rV97cK9M zH-lKM;aAI=`jVNK1MRA$6wYhgLT49kwkm<(;wxyK%+CH#kETOLKOQuvtS1D!JIZ~% zrOu&`?rvA%mV`~gO8fg~s-IfG>$nUp{lD$e0J;h(n-w$Dwsp|*ym-~xBUbV+Rn`dy z@{#5?*V~hNHE265w&^-O^sI;Gkq9Lp{OojE((bB${^dGl)e-YW2()E+Jjm)^UV~yt zxVeVkp96sNJ|MEqKT2KmHVisVX8?pIm7FH+x;G5P4TCOt4+o}YSKR0GF^@TR*Ww16 zny%6mm?PCF9$kGc4qIzXu2GbaKkAIQK_2=y%E)(sYNUmR01%Ii2Zt*P|BJNZ&HrJV zf!a;H6?PM)dEVl?2M5xMypOthfyw|p1;ylQLr)M1T(reCWFPUcp3_LJ_Jr`g|^8Mt8V~jziXWNk_a_FLct=+Lm9_`F`b&Fxe^mUh{;H7O`9tVKDnmJIj}~#2SSGEu*L5aypT2 z6^-~M2MOyfgyt$fAwd#{NrmM_k<)2UcE@_Mwj^+a$7cmJbLUQiCxM$JQ2UlO-5Tr5 z1*PngJ8;Mm^_jMXjoV)?0)f!=yk8;h=DyyyPJd+aDaCVZGx$FEjU z>~hS!Ll_Qq_Xd(vV_9nGw#GKjVDANpIRH}@sLf?LpG{Cao$Rwk&^YA}&S$?qG{I^X zGlSiPk2%sdD2&!EYC&y3$f=(+*!+@{=lWHjdRck!+^EK7d?Gz|E$;XZM1j_|y(*bG zPDbM5FR!OMbEF<=kc4V>BO@svIW>ANYA{;ixt12Q+MV?Tx^ME-%^8L(Hh7F3K3r$+ z;P2IVv7I)$GEcLGlVxkv`L)T0m)NSJa?U{sCB0nz6|H`7&Q%b=zw!rn`q zA)e;-Onp@$=1!ZMeeb2)`8X?vYeF(wAvH2n`t?|{d+W%ii+ubUg&C6RPMeNYR9Pde zsG0^Z_GrNrRfX zaP-P#3_((M4{1oM<#3xO~0D=N)m-9{anXE%GVQ*RgZh->TOg{-E;5Drd&<9 zJVo8-&$Sqie538baa6M!3iir@OM3Z>a=)H}W=y2=ns_i=Iqf_>vo26y2>jS8$|807 zu#vDhM(PVTa#>#P4wcOeDbBR@tSYy)PRqk5$C8b@E7Wa>C?1b?Du;dN#?J&HHbR&z zCNO9I!Sx?L2}BL%s;&^PwR5*_^CZuvR&*mRj@!`D7WU0292#-(N6M}ZcC;jLpZUYfjn>vm)wz4ej&g+ktPqgv?d4~Ao{-0eMuo+~S1Wa*Y%OeT z`QgSDXG-ZnRaEhLqc6`5SjW+ZGJN6yUC8Ex*8u9>`Lc2NdMa_Rd52{i={ML~t-9%@ 
z6#{550)TlqO;~}~*T^*R7!VvP#G?UVhS??3+C~ED!PC||jb9I$fuK{BcM!nuhPgCv zfPg=Dz3s09Oz3xhkof_r%}AO60P6XUo(e)spteE)trQFa4uXRtWR7?nuqq}rX}pn_ z_XWQIE(m(SZmiZfhj{2+C@3aaQTuA8&QQ<6aoAC%Hj7KIFc%S1u|9(XI4n`so6`%q z@qOf&u}pfITdV0c^n;khz;DN3QUlEPJc`~BJo7O0V&>h!1UH;}@$SWv+`UEey==o`zh?uqKg`sDer=k`IFt!F!M{)< zW=+^Ht=koO&Qt#US5vy;)e8b znq%GPBkYDFKd|7BRDAz>@FZJ7)#2XBcRD-rtQLeU?ajDZ6rfyO?{_v}3Jn>nk1@Ony=UF~b zkYa}VykMv!%zvEAF9z<$8!5SxpPUTCiCG)X*^Y9DrhEFG4x5CRS+gn%Z}c4}*e+u$ z(wV+wNcUvczYLB|w!yf-3_=XI$4 zR&H*5!^HE>4lW+AZt+or80Rgcp(|b~m`Yya2^jH;<;|DY$GaQn=go#dnNHZpj)#oO z!W03_>3U8FRj0T7C@$aW#%UZCr@Z`|(ezfxPXQn&T;C5`>{v_{vJ`r@&=4bwcz&bg zo)I4-HEvTUG+Lkis{eqbdOI={Mz^Bx1_<0F$x3q`JlA|o6KvbB*=6%iDWG&U{*v-C zV;e#I&FRSi@BUpjyqHJ5r(>F=QE+5i2&4|s8z_Q;@ zv)<=#gQa|(hOZXn0v>-z@iTa_<5i$fbW&budRv3J!x6s)AUgtmmFT zJot1%r8XMVTvUfEC0**+JNXz&_L*iU%n%`IM5vrPt~$*+d+=`3O8*0VeUj>^DoQnj zqtU1BSm|T;Lrc?z!VkzH;S)nJRxR4F;X^6~W!R-ousM2}IkNWf+p^N!`bFL+qtI6I>`7A{~xAFxY&b{5u(>tW8|Iz#^U zXQi$zY`?ItzxwIv3Anmgm#|>|?O-vJii)r*YU_*ZfLe=#vTdXlnovUW3$*9Qi1T?( zT(6YN0VBt^xJLvsebX%}-(G93E{#@E0J%yq99dV>2AF^>0JuKSl~rOLK@ZY0pUwf4 z;itUxdR{oapr25ssnozN^c#SkUx~a<9R?WyoPOgQ-YvQBzK-_<)hId$1w3tU(x51r z0g$tX-`4Yhy9~jkAWpzbkdgQ6lV(Qs~+iL1O)84VMi^l zG-e-Vs!NTj%l$xPOb!PaNpnwI@WCbW4mTO$DI3F;vh8MM3MN{jU{WZ;h;QoIEyB}J z?>*T)+?RXVeSXVa*RxuKbHL7a>WES<6?@#b+zCtsoPNzRH8Q#GYAV$=Po77lsi9X} zT2hdfB%kF>#u{#n9+rPVe2s)Yk=rdj5 zb||^3*tx@s(VwWVwrPXid4TF9n}z>OLABD1_+M<@lX}cUBD4M$yg$XG!dpgp@p_WD zZD>89U!;rYGz*4SNc#?F>|>f`^F^M8lv7U4UaVUz3q3JtHF2ITQiBBB@=k7yO91$y;|hsiOkvTE^Gb`8dwzHl z?abTiW8yWrm%NRtf5^6ioNJ*wvTqi3X%WxH@UQq(opPZ=S@7e;GZ&@-fy3;1);+U% zGq3h~MUNSMYf8wrfRI&Vf*UfR@7W2xar~Ll)i1YW$tQ+N98Vencd^fnJ0~t=J2ICd zjwU!exX?dQG{P4tv4-1azg+_`ahFsu@a*uu=;axT>Mw&#q041JK?pJ z=%m-RCn=F*JgX{&G&c91etW`-fz&|DyRNAV(6;RFI!qxVNFT z)6nk&4F4>~{v-Ho4w7&4_L~tnFDZrTVZc9!r|WKj48pWAuN~&E+;3*H@+FLUW8yy;8>5co>4!7jUlyq z=9E4lKaVh~9ciN2w=r{Aj1hJnI!;_eYVvo*&7LN$=TSBSk>C9`LjgAl4=-$Gj3L#n zy#f8QFb~vL+4qz25_)b)ul*-9#uT-qcC8mIw@Um{;>(Y^KpZ>#A(Po~amF8?ERsE1 
zGxklJJV#f5XLm*#ah7&@ojzp!^G8e9!gg@r?G7L7acQHq^N9`Nk$~VQ>OKxt274hE z2vWB$SN=MmaLL}hhdfuyDIzSM=WdULotE>E^Cv^KAI4;ept!=Yx(qN-{BlsZ4mXEG z_fo;&*{dR%R#kszT7LM;1wPEPT=;vT1u&!F>c?zMi_25urB+b`eF3;uQqsD~ia+sS zEw#Y4LkN$B4%}>`0@|of=XI3iJuXJJ>(ipwqE z_NolMPUX)U=U0M4hE!?4^A3Kk_w)IiFd7iF9RpT8u97hINK7cR^>F?&LFJPrhTxz{ zEpx1!Uz3Z#IA5GQp5;7+$Ffv|KN$*0nA_Q-`jktZ9+*N2Y`v^5VmUdAuC#Q7pI;3{ z?lBMKHq8j9e#6{#O-L%UZM#rh;Zu^ec3IdbZ?wGAY`20k)u(W-fV*t>eLlMwVokd4 zn%uW-uU>x?SVJI}v8+P#ocXpA2uzz%qkd|nZ|YeGF+!3eXO}bfLgACp_zkOQ`qSHc zCLVN6M%YG!J#%V}h_Y-ehVgAyyq8KL`+{lAQwOhAXJNk0U^`qxCmn;b3jqOCN{iNPwzkOtxg@O!9~n^$li0>`Tb=5 z^XhMP?EUlLBf-LhxhRiH#K#5K?cFDxkx?Eq*`S>lT?e3WfkE#`6NuXzx0IfZPEvyM zEs23qtGkfgNiNIx+z08S`xw01SyEsY2RJ-(3PdQLf4~F4W#>IqFq3Wfh#WZ;GT)6W ze9Q6{fE*2%fIdQKVcx7N489{X7< z+1N+t@kv$sm;z-vn7D#Kn~M#(){nyRe3OZ9`c>P7=_(vo$LU!8FpdX7T2$7`FhPX2mS!Ty4=b33Ic zZN{#qZCngdNw2l(?8tpozj10>F?Rg;0Uod)Om^h*hVLzd93opoA|dv&xpNH`)Bwpp zwTrNc-P?dyocmppG^7Nuw8Z)o&Q1wt_oBIfK|!XUy{@$7D1i$vgW&6ziCLG)k;N9W z(1OoEoo|hO;TB7~_&a7aK6CNnfT`sp+$agRP47I_>}{Wm7Py3Zz)3yKHNS9f($9sC zjv)uIEp#>0U%s)d<6#(-R03c)teRy{lxp!V$%%Mz+I|LM*HXUj31F=ue;7 zRT!R}dstfbwS#V3Eg0(Xua18^=ScyaqInv=F8J@o>MEYtUq3pSb1cbNJwy2wAmlO6 zAs#*CLgud-4?cO&Dzbcf|DI$kcyNl8^`k12)OpQJ)iuYZADg94*MMt*x`bUsV z^Iu2)u)TdAa@sx-`m7L(lhR0bmd)?XW%f9cH7U8^mCp)Y?ecq4JcbSH+d^)eX~YrC z0;XI+OHPy78LqeFTfTJ&4A#_E;zrGSM%mt*29-4#>mgE$kKX;6f?b^FRWco34yAAZ zGFxTu`}HtJN2}cRHYPct#N()!2S{GAWB@I{ijF1k&H91TF0(IGiaZ;HdUUk^F|XV4 zz4&&4#~L=skCMn1LO6brdR?~&%&+!XTCKOuLQNE{7$DR1kQwhiQ`8wzR z$cTd(n$)UG^SVwU7_JQDkDWGLt8>Fay-(mr+^}!TycZkIf{1a)#OG~nmmD;I=EMh) zZpFX_*8={)GjoA%ANT>VLzvl75YUVyk-*haQmIS*Us;ae*1e z>BTCJH()$&mJE=f4>F*u?tqKPHbyoKKlopia^r$7)dIL0`ZJV>?g)bb4)y)u4acwn z!mi)E5c72a)M+yX@igd0@@E)ylM3S%HD&MoaY1W0xr) zc`t$g5fnB#?)Z6xi$Xw5+c=}eb13$)mkwc>PwTqM%CVtWubN)H>%70%Jm&kubzka9 zE@o=UkJ|gEWJ#)__D$G9y@};-+Ei3lik_x`H_LH4O5K=<^r?u@RC?^JA^W z{#b1^?m+3CXwH%}9zs;J)3Oo%1Dr16_nelTGMzo9M)9YcH+e!TA2SEbmq-cNX!&dl 
zrDyTgT!LUIN=%#3SFpv7oLObVPjLGlTbOMpZugX@ePa7*XU)c$u^H;A6^NI*tx;34Sm4lGWpY4|HCdGrSSXV2P$!Ux4$7btQsXe z9md|Jsl#NT>EMjxZJ`~W!U>o>bU!|B76x5xFL-Rq)cC$*)nuz2Hd5^AGxqp|UN+v! zs}4&f*1<9PW4&pgX%^($=Ygz<)2El7LEo;}QqRO>SQ zmeo3VFB2~8&zqPiY$|4lS-2D-CNzm2snzdz{R3QJ4j_vy1cD**>eCtN9oU?hoM&v_duHEl== z#J;EG+kw|={ydUtCDB%8YTt9}31q-kW>F+F@Ib4>F#UrFO(eMHg8@&Eh{V>p!xe7E z57-GlR=+WOD$sF@A=%-CCdeSN@nn}xU7Yz!uL5BV&?|F38eRl6Oaae4$F`aeN z&l;2XOL9iuwXHSsjF9FAg`HwhpPcWW`1wOn~e&c!Cj_R0tuyFcYGJ z+X8{?#dMY+gZIr$=Hk$&y%}H#?|Us0gKz-sfEh8a$N`Q-+nslBQW`)8{2xH@b*TMA zh9zQb;>`*$@+&YeLi&3!+5Ic{3cg8koZ7Y4_KyM+sn@)N#b6-%d9Zo~NFwfgi5>uu zf$deHM>@wt%gRb3b+4cARp5^R>-n?SbU~rXAhQs3FO>>*5W1qYCuQMG<9;5G zmi#KiXR<22`nPo*hq{|#tZPWppWtoN`hBwR)1oWLO!d<>U$Wkoxlo4UZZ~ZmtKs&8KfNp4Dq@#0EE|%Wuon${zLVPwP9lI;` zD$5dLs-1C_vJ74eWL;~4|4b8LdC+o_5~3baj(!`#IKfwF6<-Xm#)rWlBTi+WDsOF98|8iOm^&BAJ!@IW(*EPbDBOI4gRE3| zO}Egnk+q~aYavAesz!FHPT?z^`fV(uNeQtPc@#c3qKbZOlI&d1^pvH*^*b=}7Tqm! zngl`hm_=@_{9R0=O2?ICQL!9xb#1=YG*5MB(;w)r&#xWan82B|XNauZp}z+Q^;H)Ic97RFd!_4{ zU90G}gVe){P}jK2ci9{Fw{gD}>k0dEp@i76Bu6-K{(OX0ZF=Bwv}_0XvRQlpx~|qQ zfaX&9lPP}5n9v5#?J4S_`Ji)&XZP?4;x(KdtggOJoL|?u9#fdi+T#kJg!$@~!8cDD zLyum%b_uNzxz0RcM!mTDIv1v2?ulKhl5%|IvQ1EzzEn`PV?$TtWHr|SkByLyOq-vd z-xmvE?~pM-^gFNSS-DKDgU@|1SBFNN5ogY;?mzS5j-FNJ)8o+|Jj8UEK>E9#pAp)g zuT*FnI!P7jHLT0RCQi?$!zIV=;)_l6%V6%TCo8}co-|@zz%9i^lLJJlQAL)UZzIfD zcZ{C{j_z6l+OG8okbuU&SbpW%VTofD{@w--D4gL9P)m8~+UN89-&>at+ZRfWHt?f? 
z`#lhr;R6Q6vpON7@Llu+ zOanC5Cjg9AZh{OplHhsq=hjhxCKMR?1rOU(OK*l=baW139lU%u)p^%T?J?lp^#pJS z+l}hZfhMy9ucv>lxn0UWIjAM^cBnY_dD@ z-_g`3;FRLTF&br-{8gs--s<*a=tQ&G?5oD(pr4C7LM|9ijMrB=Ujn4!Y` zx}5Tt(Ej(PFOAKIR2|sLqXat>TCrk~*k6~Aa|ftLX@o1Uw+S#~ILE-f!(u<{>7!4k zN9!6smv~yONWq*|YAZb425Es`F|5!C=#MAaf0RE*W!tySrVy71mtaLQ0E1*`Z>KyvP?Y zcihJ--Ca>7NkAQS(&)Q_%9(sQhC*l&JRiZDBT zuWKh=uJY=pgEL{Ea-w$Q>tW=!JPjw`IBi}kiLFu_CUt(FsS(yhvm^SFxRD!IeB5ko zTx=~+4(cPI&IRa@3OETh6P(z8IsDas7RPwGknTZEHj`2q&72TX8f;j5`m0zlA0oavp_myejtyP<{rhK* zKKOU&Md3%`gQM{ux5UQA>X%rwlhO?I{0Qc(DSoq@wv~|my3S!3Z=z(Wt9 zz|&Vm%+E3d$;8F8Kgy7{d{tRKS~BVN=_l2VDExlE#r$K%CQuQXk8|H?HK<>p^B%M^ zESPlm2fp646LS6488li5!HIsn@}(vG6_#69yE5<40Cpr6mwGu6+qTl$8H=BmzwR0*2u~{}*XNbGC0d@4A z;+*{HY`YyF<&H1Wb#eO5st|K*zh;wLZ6TZbsO-hFDQ7YfTJK2XYd%3!=u2(QU-aR68nwfU^!%J%2C510^sqm~c2LG5p z-hf`+)SU~;#XYiWjT@)>{2*s##DoIqjhz|v5_5pfl*L_NAiMG^EXbK5N z{noknu`h(@fVe5i&HQZAA6y8a^rc5d(idO?R`*B5$xC0f7}&`?LbL8qz)fNX_~6I0 zNucD^$%}dKHyx0Cw%!h3cLZioD-_sV;A^-A7+(W&d`7dwg$K-i8tnvSzp77(kyN)^ za@E80Vqe+AM^g$fLAwJ};Z$`hFwZ%zwT+IKa!n;)sE4%($G1PmvO@69Sa}_m!`y{n z%jLxGw*&O5#Rb+{UTNPdXCzwB5xJ6pEm55nf9=}0J3Z|*P2*F6QHqg^759q$?SSdW zo{a)_{Kl?r`u(DcYusD-r5B$kB!%Cwh|BuF$jWfkr>-=rzki9o8vcqC%F9Jn64d_* zvgpcfuJnm(yta0i>{L;GM{7HC83&1j>@VkHkok1dWgL0#^SF(ToPg`V1a0~i$5q=< z#B}Q?SJqL1ce{rH)`sg-u+)9MkODvaT^{LJ>#l5M8aZuQS!I(EB=^g;&qFBo-X`F( zvWT-YdKeC+uvJvb9C96Y?ejNTXKKA0Fb;VEG6t;3@w2J9jRfu0{E^^*l=4Q zH+Zx3(6%a;yPa0^0r#r~JE2$RCA<8$WM^{+slHLk1^AHf+!qW@yEqKu%q_Qe&WQ!w z!G6BT{Wi`~koT$%`?3{23V@fr)8sC|AY={3uS-26_Wrs5-pbv56~DlyZNCPNuDrRS@4I8)03C++?;rHW-Z?N*fEsUZZMXVO;5G{b=XcuyN_HWWS*@>~HacB}_qO~WbK202WYm9FB6;*OqRmZd z?*rcIi#DI(%u|@<_=B|3i|;4wAOJb~d}=WAiYvZgDJNE?{8DngKG1kBt6^Y3pE+wI z?64t__PK|>sQZ33(fqN(6zX;-Gf>|) z5bo9PpK8Nc@caQ20D*^(Mc;50)*18Ym$>rB_1Cy4YyK+isWLKXBo167wk$IxoLERT zP~kxYW(K0@8+uK+x$d3oYw1I#3e3o#g~(|5RdnUV?_S#+%(>0>6iRryjK+-V zmwucsHM7JB-*O?9=Gp^s$vtjzdV zY<~zRC_|1+xf^>>Qxp0>p9lX^irO}?*lT*poJ1|(ORaqQIW!boiCSnX8(dm4FyDKH 
zSD@$}P&^^=dzXSJ66gPVO52l9*~pD~PBx9IWw3??6sL4_;l2vYj(N7A)3@=n^&|%T z&f3(HC)o;|{WMh@M3%ZiZecN5$Xs*yE@tl!lN|2rg%3`P=;GD~U%d$z9Xj8Vu9fO* znv~?c{YyIX`wSnhk`!a1;v#-azbmqtN?Ebh%7fc&V>qblu8tU_vhlBdzzubP% zeaAq?L*;d~&0SsPS4!T#2CQ3VW<4N8N#@Nj#NxeV8sbH|%?dnHQc@EAoYLkx6l7M^ zJgux=wFZ)f=hVCH1@w?My?t}-y|)LIH08W>K*#v3udfRk&Q)2YH5s<9mF_)^I3H?y zCKXZsQ<$l>^*2wwdHqw@9{O`RIa*R9)%%Y?V!;8$wcnwnMvg`%tdyVR@dW)UmeoGO zmAr5L-_I|s(l^^xghg+}cakuuH92?F3;ID6C!VFz3Dhk3J`s>8NJ+%3mcDS|E|*q? zmk_Tfl&nDn0$!)6dt7!J@Heo2AJn=Z8vTEt*Z-`MZl&yc$@6(OcE2xYm+s{s264XM z{FFiwJT4mjeSKdfCF^QyYXy@B*WR_1J&ECmY^{}da73>YnU$5%W!YpZlI890mBiGV znQsWfHuh<#5wm&xaFNT0yGM=tkg1D>-61%l7Wm>uYRbOF7% z1C;!WL*(zRxPU+5BrD4QPYw4!O-V+LOV?tVM@-j(vYH!Zw?qt8y=f0spDY*IdZLRj zB%0%Hfbq1!2-&!Ie194jHCmM07ESuhVRM>_k_Gp_&rdFRz)j6g^x)X(W#$iZ-wueD zclKzv-QPn_CnD^oOz`%+Eq|iYQ-1!ZQx>SQcnqT2UZ}c86yqXS#T}gVBqCf#uP@g? zbOyQts`=@x$oQU*_H=Mgw=SOD~(;wX<(;NN$YHE^q0KL)T!MZ=)3_F0>m%grU}8_DQSyn%m7n2k|6BWr#@{-0 zXF_pHR?!HP_>e7AEEGKV7|b=VIt@UMl2bow;r(Bz^4F6h?FK_G>D(I)fU|{bdv3N z2sjO&#%ZYb9lW9r?G%Kq^>92LOc9F6dtH>BnW?`bAug_AeGX}QuPH!heNc=+e0Nge ziR<5gi#lDrdKxD%Sox`MTh~AsTwKDQnQQ)WT(YT{X1b-`H6-10mq?hOe;05H8<8fp z`2;#6TwyX2BB3$+qu?FDTjxCjba_AC)c*q|5+iUPk>pmuID9F30+FmtZmnBEfg~G> z7q8bMdAM57(?CarfxUb$|J!DD52fYe?{|D6oZai1F1t7(oE7*9Qd8?{{i7k+do^dy z%o$!Gri&D!46PJQDX`PVPEJdu9Us_5cMDMz#$T(^(kgGf08mm z{rc6sn%EE`+s?G@y`7d}Rl}oF&x7D#qS-v-s`;J`k#Z$ri}TyJch8!wPbDp`V9=tc zQ1oGGkBMTZ23f=u(|w?hj1GEq?DwMazh5AoclWP>{&ey@$EjNcza-ih``7)9`Ef|_ zN~eagYRUVhGOBn;5R=gfp+yYerSZ9pT)f?H*4=gzkqO!V{%T-gR*?Vec{&|L$p2jB z7#INboi6#!%4Oy*)*vG{)hvdEo2VMmCf1$n7JPI(PwgSxKCvjWc7MUzIQ$TWI=(G^ zA|T|Zp$nCCegE+6mcDXi1plCG0#3v5ErI_D?<(2Zhw7M{u>T)SNJ&N{!0ct zA|YV~4%T@32UC334mhrUarrbP*~8sX;N7~CYVq6_94RQOU=Q`F%hTc9HR}f%k=*Xeg3D{{xu*c zq;Fa5J_)_X#N--kYri9kDC(4qzqoY2H{z~SP-s>@x1Adk=(D$*FiI!oh^_4D?v8$X z^x$y$2O?=V_L5B8>q;dt)xbb4n2Nu&CON?U?UR_!4lC6Vf$W!vx&!?Y^mtgs%0$5| zUBHHB+}T&`gou~n3P*$aYh*lj-Rnp{rgcbP?xuwDHv4-CZLf!dKxq{J#Lefcp~vK+sBO&lB%R=7Y0d 
z-MH^D?*mpnWb+Z#vS*Qw*rq(BOY<4imQl^@#nSP3%fGg?vgB=~#!KhCPiiEgPif)P zBl(}p*8eP2kQ1uj8zNVb(|WcN;QF7S#DKwP=)`tBr1i|PE69beMfw+1`6f6y4QGhW z4VD&e$iYzC=)X%ivseRpKD)Fc7JG@Q=AZa=DQ0?nY7=7>-0F1gxBgdU9XFPtqykxG zq2NAzwRg+&f4|ZK%PtGIc=^5|s18@pha(Upxl5R_El5rytXZ<0nmSgHQH7A~#Vx4$eF*{^f>>Ik4PlS2yBqfUjw*VMVps@cB zp8e0lm?F+y768|N>$GYk@HQ7uV&{9!o^{Q-hUeEb4cX!- z4gbz}a|n(K*9cyh4@QY+%_m{Gnm&rL#4YxHE{v$e(ZFss}2p-Fj+{A1~L&7twQ zEOeQy`ORPr6`_cL;#l$IU6TI;d;|r7fRyh1u-NuLzY^q)Luy27Mu??1C*%}AE4CQr z^-J){StBvxjWM=5)_SQb;^xQboj2g=G#pV?9H_}^VX<#+wyWHKiqW?E$ZD=iXlXTb z7k~Cu#8fsAzU=ui0+sevgXRZsZbOKgG^Op@xOTgZqWAtRC{k%|b!H~e{{Nk)Po{XY zO~l)l4`M&eaY8=b{{QuLb>9ly{_)pn>GjwfPdXY1u!{YFQG93yZxl*FB96@KRk2BgF8Jjyb*HaomKS-e9#8E z@P!*Mjkkh4*w1NO9ketvtDWn@!kU_HnaLtw0`T6Utv(+Tzg3m{b#6;<@0>}C+kE8w zZR{?$JZK%TGpW&mB3eymNjHN&LEX3RCOl1F8Gh;{C+2tq8|`)! zfNjYK!oNhFF%K59Ry#mGt-(H{(_x<h&}OaG)XxS0{v*H0w6C9n4#uW z)O#v!xo8DYYR5GmBMl$&6wnBlZi|@+6|%4TL5PAv$|ijOHRJs7FC))-3XO*l5q


CI93bY#xM~2K$Mr30~f|wXH>R4)0+^C3PuV`Q9Cagis(=qnWld@^I^~6wpi|y*>$|bSGpy$ea32A)7R^ zaEb})z4eB4?QF#u*`Lys&)q|;hBeeB1t{lsl2pFS%N(QAl^%p9F@T%Z&}h8<=!_ua zpMgkp-9*_&N_&8ZiQ?KCa}>EQn@NY0zbg`}{lZqp*B;8{WoN5T;jf&gbo5w5()G(a zlGeY+Z*2Ao0bZx|?)Zr2=8l@#Ycpr{Rn8nnPUj*(X_01$9;b7_0el(`4%ru0NSxBA)gEoSUT|>Q>2Fle&1F~C@wiC_MJb8PfORfzbV_pDHY=-%}slD{M33S4P=|LE2TSy$CdrnI(U;Y3qelb=k75M~hz z=e|q?gs)(9q>s^Uo05&Au0l6feS6nUrWkQ6r=B8AD2;wWY;SE*nHN<~0Jwd@IC?`#9%TB@q*KfWtJp^V~e zm(!orAM3fUNw<}r>%U_Fxf`|b?S(7=Yij^b-~Jfk{C7kBKMCZ&N#UjAikJ28vW51rt`GrK%#XVxE|)l(b^682nOkL}6G) zlBE&|mY3b&^sL6EX7L40{rJ+qdG!C&ti0fDy6L?)DeTAO{5E9q$Vp;TriAtpmaje^J(8uRTl?AA%diaSWDAg}kq$a>8EvB;mbn%k`=a1~E#p{g zy#MXzu_gelI|R>Y#z5>*A6KIo^YyT
%_?TBYMM*fY$+s99;_PC4aSK$JK0=tvgTXJB1mq{Uw7e=2cu~IigcR^*xKbBzvvJPktoiLKH3)J z>M#3q|Ib5tlDX{Q^$gwupR}TY#>cpQ<|^P3y|Z$sPtKjMQ|m!|xP(z_Ym4N~vZqBwq0S@E>)^nFh{${o#6T8x=fq?q#cJtb8{ z&Aj}m(hm*=R$gt_G~##IQdL^QJSe^Wpkj2WhLps9z zzB=)($q%>|lTjo7Ov~GK@J~ z9VY-TMmpHUIr^!IdHM_X^Fgk;AG;X+1Y)4!)?`=m$1McAPcwX>HE=-}7AN$a#S7OR z2omnKS$RG=NT1ivN+WgjNzpV^$9iFLxaGKIj(--g)Tv% zvNPuhgx5%M@4V+}{L9*f{Z@6z)YMc$Au$`U@m@KCIsvslRQHD-fyr##!TsiHERR}K zH#4y~C@U}Dg(F9)t0TP8u!%77r}pQWT^i`v4H<%9{u#(@Zd0ebi13abNR*n zVx%v;9n)Hi zLV;8P>Z37Koj0QMsa+!HH_z~#`yz89f3LN_h^p;GWVhTDWbWRXwVHqd5Z%^M0v3e} zCILw`sg!RK0yj6eSFGnpRDobJ3r0tL9=FwIffL0?xlEimLNF^9h?ckrkfaxeZ_qjS zbp*OFfoOpXL#2xSMPEPigI_HnnY@zOS?Vpd?k9omD;dN0r>%oXXU43Le^&)*(`Eiy@nxxj7Ood#=GQ(uM8peSJVev~eZ2I%vyjEA)w4Zc@2TvJ|Xw}eaezk*O zj0&E*>gHuvVSZ++&^+-thN&M%EnEfluyJ$C>4&>9+xxd%l0q^Cd8FR0?##9A+tLH1 zl|yF}ThkV1KbA(3?7Jqr+7=E+lV;p4_j>~nbI%1d#T*h1ker75%1%hGJDj#_Um%~z zR@lJ44uXDz3C$y*6KAWf&NZZdLW=My%fSQ>BR^`aGf%Y2#d{wTa}9-7ioVGv=RjcI z3VzC4RFjr=#wWq!NL;s2#lxeT%04D6D$CESD!@Y>B4=>QO|KV2>pgtQGFa3b-;$etB&wM!LSUw!M9*;naEJWO>-HzDo{O(af%j z;l~`4tY`sPw0RYKO>$RiYetW-`OWp^*ZgRX^Kl0J!5$%bAD8-$y~;N7fIz#WO(!QO z*Jq`aCg_GEdLI5cYh^koG79I8j%isM!uS>^y96X8a&LQkEZL`Q0u$6W?Mn)Xn0?=L zzAQJ{twt3%Yp532a3jS%h$InP5Z1rJdYy9l(i+&k(&DJC4}O-& z1#&cv5D($vp$+5`%(NPT6E6x8dc)xL?V%MTG+rQ7szz9z+(1)eghgY##u0G$@3|G` zzo&_tzn45BJ{*<{5K+G1fLO$U5NE+0U}yL{ZLdd(AeB~?Lfe&u?}sL&yT#aZcV9&o zS~!)x{&4B{iIBU|p4k`=jx)$OckZ4YvAjp zv$(7}GVtevY#It|6S_!hyQtZlySN)UnZa4u+1r{iIh#0{nb|p8+Pj<}vAbs24`#JM8U>IVQ23~!OqIgPQk{;&&tKm&hxpz#SRXR0#5dWn7T*W z(XxA*o|fm{+h4mi1i#+`2Q)T1)H_4~ybCqSK}Wl=n3j z1%VA~brh5PKpbO9q*sy@2a&?b;}FzrRV12o!XsR2;(Kpg#>sBrcv{W1j&+5Qv-x$+ ztXE>3fuMp!D4mR=0zy_xooAXi)i*40WXf+?#?3{W%kaRDf40PzJm0NR{I?NW81EnW zza7YwIf^eZ{yhj77s~&d_wVq3{z0|>|Kp%bz%GuE2{^MghF6yMwuEY*{<~jy;n%#O z2b{eAS$b!yB|q@~XBEd?z+4S>(CY!yZh7i?9hu1Yc=02M{w!NLqq83&khtE~P0p)K zqTLLX|DCB}I^ki%idrb~t+6&uSP7kizC`JJU-@lsUxhR)a7<15qMg&|e^0~bvrM~K zw6`I2T^5*0 z)^15K(F}|&*;o~&z{xZ;(zII$eIN6&jqxq&+lZjAUj--B;vIAI4c+Hhi}*XUDTMS| 
zre=AZ4(DVA$uP-cXz7psxzA8t346}C#KhIBwOyjR>S{_^%Wmo<~H{!_xC9~cs)yOZ& z_X|Ws0s`aW@Fd*Cjq{DBre?-5VSSsZRVKT3e+F+RS5K%&P$bW6zG2l9r;i61S7z;9 zE~R$=Ceon`eS3;^E?_U_EspHC+y7@kQsb&&x%}+-52=KP2AUK#3ei;^mkIxlT?57} z2eYwD({1jQMK1(rW0PS#u5aO?LfW@UUGdO{=stS=_4VhAs$xay$gU0{;u$vZF{6u4 zs07T-`EX4*)p}$DYFlvT^D3PQ{dS40y1F_nLdpEkR8e;?Z((_>zX+D-pXXP5U)ZO&jGuZ(Y)_W=tZMu=L9M4hDke@2e`S|n2Or=B4(ruM zPF>2U5+C$I7)-cLt_9Cg!mSFU?CjzfWxX^p7-p8`dZ0KwEle$3uO%%SphuBXDz1h6 zIP2}{kJ3M}#6L(leWdR&42>O9jN(_AL=NiGW;DO|k_IDt@aTnD6XH9%Rx{-jsK{;< zW8-|#*>o9#)o8;JVR#oU9k=e>tJwr4yen_YUuFPSYK=t_o5czVup)JMLl@_}zIiZ& zxp9QCAs%X?N(BZeYj;2=E%#jkCt%$xvrO&Hkwh)Dw=tbXBF7kj8oKjpdyo1yEZeR4 z9GTt2VC8qsb_qFjLk7(WQ9sFgE!oc=pC6StxjE6AMO>u_t!Gx{RGsJ_9~Gm?mPQxt zTe&Ocb8SWh6D#zkRaH?GEm#EVTlzBe1mMOFu1c33$T=)Vd(553rl&`)Z&tR)o?7Z3 z1SLOA&vO(u4K}KP-u`gPF5W2r=(I3C(|Js)+xPj&t53$lCDOZc{f(rBsD;Z?^)}w% zj19$mnjiJgm(rgfc`6j*=Z7voUC1a5iWW?cFE4kTNg(YVA2wLoqEH^&NX4i46);Ld zJ^?G}*MQr!ll!78!9hc42@tz(k)!0)BIV*|BenNcE3-@ZMaMr9r{lkHnSNQ`SU0i7 zrS+18xn77wL!(NYkeDWT$`&Gc6M9?K{b zGyTy??_j2UXDvYD)~8jBhl!2N5ss5nYQGU z@o;E>g^XCp>l|KsNTOM)r$m9f*1}V-ENF!i1HN~@ZPr)J6jU^FWWyA`=51*aO5^uS zh{6=?%rRrIw6@Kzdcy6A2VD#lWaJk>A})U5)gKDtNq(nc!q+35nmD)|N*0P)*e@`>cC@VM#-xus4Rk5qTge!kKWqzN)@D;^D2dA5A{cZ#(nT zEQ2IH-`|is?@XO6$`nh`=2-Q9xwvZT>g;TWE z?h9!k#R%$l?(v_@dsDL@<^DiINq2#nrrs+#*40f(1%6NAD0qX9BPWWGKH@)+B{ANq zeQ7vjWf@MEE*2Ajh1i14gw<=r_Dc;9m*93yCN#!kB<<7TQWa{&D5|KD?EB2;a{~lr zW%bS)k$X(P+d~mdsI-^V+Z&-v(&ZQs$B(nSZ6#ygylmn4^7LYO}1lZT6S={d4$RRSa~zw7=+ zYx5BUQF(bm;7WZ3R{M^Qktq1MqM$W98=+xcn~o}apTxFP;(-8h`N^4$K!G4iDo$0^ z^C)js(!7-M^G9PRl*bWaMH1omIE@3(%^$0qj*XQIHVMOeGOAyQ0{k-*d%dDb7nE4B z?(~0ZtBao{SP`Is_L&er$<-Uid zr3w3m<_GsrL~7hDDfudJy|*Il?xn>#^_;J_76{6Vmz7nJR>8wKhQ61ZHb4G`M!|Un7{4cBoS!HMAfj67Rs!eAV%}Kz5q*VPtM)X5Ho5wM=JT=*E|f0 zJPAqt3M&wKHoH&vZHDa}3}w{&ON(4t?OR)0TGjhia#b6ix0V9(_N@tcS083}+2`BtqKJ z#l`ZOLYbv$pT)DWXroDT0hgjzB>(mM{vr1F#+x^Mz7NR4_FK+%J3cgdY8Hl7^NxJ> zkCAMDOQlE_pvW^a>y{_JdJOK;57%7iXXMyCem$sMO( z#>Pf$n7$jY=|?im`)1sM`o-kzT;p4((eLK-z5uVc%z9$Fa;SCFyYJ~!x;K@46YWJV 
z>R&#<`<+&-lCgb#xK5n)@E){AFc2VNgY#GdqN1j^DUq~=g#cXC)%Ty}z+`ZKu#!wn z66>19fq?-80&dikJmR>a!_U9lYF-6)^b27M{^`UknXkLDZPv$>)2b+_bYbtq_+i5S z^HZ%4SI8gtNo8+%ZyQEA&GMezD^*=RSzZzlmr!7Md>`LuvQM3C)*Y(2lG|lk2Azhi z?C#^$GK<+Vix)|yxh21%d?CMo?Yj)=)<&i{?>HNdG8=Dhq_A1Qd%HDDTg!3GH{t+W zWUlzdA*7JVQj+kGpc?N!&3o8=vap3PaE`6VdIMSxfusSBKXWaQLQMh!GNVK09TU^d z&({Yo?ygx@M2)W`4;Sv=>Q^M0S#wwV93fu&Ri*<)8;7S3;iUP9ne|1MlRkycSw-b;&*8X9CCmyY>K!{TD=-Br{!erG)2y1sMc1NG1!u7j$Dqba?@ zouJi+xYi6Zl<<$CQ8Bw(BHqy)1&Wp66T253G8^hYmq!A8A$)$f6s~n#F79rpTf4$a zUv!9=h82K3LgsU*mY|p_PJv}OdtGMZeZvHoaXXZ$#%_gTp_FcTUP~Bw-vnLn({A>` zgX8nWx$D$wMQL|$d&J~TZ|Tzi#n5&FN=&G>UKDtV0Kdbc*O34GGBp;i-r)lu*^0qhsr75mX$!e${4#i zXYB@tH0%%>6=u{sG*Dab`X&=AWWaK*e>~pB9emjwg4jQ#$sng$w!PQkJEg9LjYB+` zgLi-&B%z+c_bOG&+>H$B#3#3FVWzL_P_ACWTk06 zoeKCpfS-O~{>IeLTv?g>VA^a0_S5HF$6`3GP6@47@KAyd0oK4(V!s zURnI^rJD+$%mK!hiVtf<#fLYnn@1FSd|twT3b$yz&||NzzB{V$6E+Qp{rFPCFy3kO zAj~qdLbjljdg`%cnJOjiO?;g!Ge%9@7JGb*v2R^G&WUcJgt^Nw5~r)os;tF}n_s-a zsb4{yt|-0#&1EE=KYH{aZ*^XJx{(9HY!fFwR8D5?b{zpo<`2T;1<~Y`0u^wQD*gQ< zd61gGonFMwY%H$b(WoYFp^B{J)P4FU{)ID`ZyK+Qe{uLEUAVZu7`E&5F4V@JngnA~ zSxdrQOCY7u6QPfXXGZ!w*pevysLVsqZb6rNb9rUut5C0_-liMV4%6qMuRU^}&*}AZ zjYoPr%-Y?xDK+pi>9M^MF}~rzG*7VIXE8r9Z0i|&5)aI*1{e0#r{kF0`)3$hPhLFS z-u|KCAOkozuP7{`meYJBHE{IgS3dun2G7H=g7@j1K?ctctMljk<}<4|?d?^ItKK0e zf*0;2LOu>M2JWqGKX(0Y_28mOg}X5`9x+5bt_56NYGa_EOGY)&hD@!jY}(0i1Z*0s zK103(Mm82F3Bkyuz(vWPgz|Y7e~pZM4VRmzK*7wMc=P+nxG!2rerU8~J@n<(ivYNj zR!HFaqjc~TF-YDfGH|5a&h2DH=_-gnJOUIAZFW9Kak#!x1xgHF+?;}vh=u)+)y^#B zCvI1m?+A~Mjyn(BqIiX^QsxVbqk%f2bDj074!@s)j!4abg8f&?wGUp4(DKU%zi4tn z{}omzvPhf|%q%(-Vsg(kB=Tpp##ccJ;0Cos<=2#UMad~ju??5j68f`!x!=!jQIl0^ zzhAE@*?Wn+Ndn_oKTV9IzUMFX)OwG=3$ms1>qzR;Kk57MrwI(&3=@gH>pmIq*|^CC zZ+OOOiUbOCUnJJrr?R4_bDbsD(gf3TkaSlX%NJ=eIlu2WjGAP76hrFMC-kY&YUun3 z^b*GzSbf|A(x06iixS zzA|LWERwPT4>Cmf>M~aNQyDj-Cd2X5lUPMe;!yvN!`PBG&uQK4LH@BZ213cQ*rasE zEq}V=Vf3I_07JbbN|1P9D@KU;-c$#9feC57wWB4NuP=tI_sA(eHo5yAMn*wHBzEUSlfX#ak7}9nLzgu2B&D9`v|#H)3jebyZqI zZ~ylcAaKj0RT6ew$e;)9Em8qdF%n$*m3ye_KlD 
zDPv*-Akk2x6c>}xKVHYa_>v5^@3x3fT|)MnvD%3WsB4CX8gKMW6H`*2Dg%#JNuSK` zRdr1~pYkLmCviDx-ng*#bjPV^i+5Sk>Zij`lXn)<&l#I2*TM-8`@d&8cVkDrxd_Z`{2RR3gg9YTS ze5)~agTah+>J$Dq7_=3cvc$tO$4xr#Weooa?YnaNsf zSTkYyfmT`!cdtFDX8Pk79Z>395bg81Jhi08z%WbJ#^t~|W^+yjiUdyc7iu3J;z+4# zXWHtkVG;C~OCuTlibhb=3HItjavD*ZZ&>5FF5EbK<-Kt=SX$HDZE}o_5zzNw3=?s( zFuAsm7Yqh3+S#tKOFajb$4-BzW!;RiRBf^JrSS)qW42+oe}jQTA+2ex)NPU~xD#YB zE~W~*@esqKo<6(qAotqrHQ(lKqVre3Oq4!hoH0RLAJH3DH)xrxR zC@QxHF0YPyUk?|_h25vkrrGi^2;lo~N@GmUDN94QirTk{my?qT;?&eU zpO<;&uSbZrOW(F$yFa(*T5+s}`*&S^RFvK306!&t`%39|-(q29OPJ=*Ld_B188@J= zrKzl?+qGrIF$TQ?N?arMl)FU>Dp}UH$D!5rHscVCU*jHKz6U1<)UKUtAAXtF1c|nb z9A*r+MhxPVx-GUVqMyA^Drj!JPa}ww0%BH1L>TFnmk@soS>|lS>?Vkh%T_r(I(bfv z1G9YV*nOkHc%gB?2Go|796m|wzz0KYK{AX9%WE;a%nhqwc*GQu5;uPH{7`0ZTrU7r zKwjo+Ei??8YV4l$&v)@BYM$3|KG3hk zN zOopksxXt7TGzsPxG7#SnFR;nc%jt?y7MA1ZKO>)=tragsbJ;^h+dGm~QHn7P24&G+ zCnXhqs@^dk))R;6u2PU(#x-0%cW5?X*l$uAgG65Xe~G3fIW_zkJ;XiPXNKcahl#=s z*FEfo0u1(w5saZ^{yF8HNt)ak+pu+Tsnr}+vM&@F_UaweGibQtiAE^IFR09ri*)e` z+yC|sEc=|o)KKhhIIJfR_{G@$f>yAQ^z;_sjYg>kPl7t_5w063@>U$k{HxK&hEm^i zc#K$Dkqr9y#%i(qRyFQ0ntH%dD;Xav+ki?8FP#e;JowspFyjTTjy?>fcwBKm*y7Ap z9c!;x3^hbK$}RQjG)3kSaQ+n-&I9RgFKp^W=Zyna;AfqgHPlAd15zyp;r3-5qT1X} zq5_ki**Ds!7T<}}oKGN9{I~{|TQ}vnC_#l~)>(6863XN2sEB*c{I8pYzTqLXFw<)O z`aU&<`+^LgFlF9Donz-4S~KOVbbSep>3{-PSJ$hq737%wgAM(2pwrD+g_>?RT>&5* z7JgED0+a&)LOYt!Z`4|MC5lT%u!-?whRwHqG`5rX>$RB}bsOLMcjubI0qDP2TTM)S zUv#xGfI@;Hy&i5W0BE1ioPK740!1=Nz9WI+Q4l>yf#sLSAI{>DG@vG{G@Pd=+PCKO-q?#h z?=bW)A8|vG%b%E@4;U~7wVj@qlPv3zy12Trn#}lM9Ko=nSUJo``;4p3I)2v!)q1Yw zg!)9alcl{C6>XbC0x@NSvTO9G3;aoS18I9Dd^L*^5Qsa2gEq#ob)UrfEn_~AK#t2X z*qtxJlw`KnR`hrTnP;hRBYi~pjZFX;7$fCt`7E*W6@Ofuns%inVSuRr)N3dZL(uMJ zuqc_C1GYppP7!qF z54k@1)$lGZGrK4|!;rOqU{jioK1JS33XzBi$n3_e$C!5xecbFd&ayHx?_kE~X95A$M6l?PbCiOFeM9Vt+BvNr#s zZh%ZBy+DOO&~^FfV*)FMlC^UJAQMHUbr}Gl%)#M=`D+KoE6F^%@Q>aHbH9b~#6vC5 zru<|M(?)Y@KyRGfjfZuE3%o2937uy?FHH*|BT>nb>+RNWB-e&L)!6$NOK|lWe`M~M z^+9v)wZYYhVQa(%UyPB4%NNB%1@7440y6j?^uE*7dFiq@C37zAQo|d9E%3yY@Pl)+ 
z`CJ!Po&;(g-c_Dh3rRMcY?+PduvSZ?GT9RzF96t=vl_bL@_R-B5Q*Jw5gZ$2-M_J~=}du7t)oJB4Y1@!IUW*n7qBwf*vl z1EiN#l<-Jw{dwfW!UhK#2pBWG%k9r#PODr9ZTIzw+xJ-V#@9{k9b3{@cRGDj_5LF5 zMd2JFBd7YZJJLxzG3ISmF}WhFSoY<6Pt57J8G} zW5dqTV#8gtJJNUL=zMrexzex!J+)*sXDFGmCAeH@4vK)^JKiVp5KoUymJ#3Bo`*|v z<17^P4iWk8VYqV5Q$v&+1d^Rf~{(3V&cuoGefXR@>hoC7iUL z{p84;9R$!^0ALLnP_x*;ye%vdR_dYah(v&h7#`>3+4$T#-g`CixjrBRke?*=IcKfU zteg2r%4l$iaKKxP$(e-3F3+gd!KRA~C9(=~U0>={)%3WwgklyYt<|VKUj>mY!6@-) zW2!8BbiTp^Fmlw?YzDcursMS%n~j@536D+Z$(6(9DSVu&nsi!~a;vp~n#HiuvM*-# z{^jMBON}=S;?Z(!G>A&sJ^Tj4<8+3+J+(gJsiwkY_><_O?kb6@qD6QQyC=r=Mue^) z13jgZ>HFe}?RWWGK&Kyn%1tg&M`I+@-<6;f4tp3I_3p8xJ%l_^Fdaq=y;U2oD&(ie zA$zzP47xIR*=eA3)vn$#WLWXf*%O_PO05?|y|V(J=M%;4$j8yTCcKY+ z#DHxfS%G)K@P_h?1pVt+ZEJ%sz4rG+F79JDZE>`+Vurgpjp&bbpW$_nHzMR-%uJr& z&yIZ!w7AFhYfId0_zIOFtDv)V;hH3Ga`xDWL_Z{;yD5FUTf#(b^yqMN}!GvJLd2jA1-I}NX z0APygM%|JUyT_6(mn%bhbKnzMnMyHAAJ3d|LFLx-ILd%s#gIDbwnH z)4=~N)lo<0MC0asfMcuby-8a>u=9$M58u2PH~(z&Qh`}<(RbEGdIr*)YwSf(# z0wH!HGdZqVbacfTbDxw<E2?f?CK1&R6|SC(7n6T=Spbr6447HFkfSG&>o2dp!>X&oapXX7>9W` zJodgT-Wt`yNrR>abR{&=>A1{ zIFH?ZV_3GSY|vjx3;m9TpZVNPspEIUKpK7NE+dv7ixu|1$F0Ez&cB_vY;i*XdaRq5 z#O20i^YEw>%b~_l=QZ&RBh5&$@p$0d(@A_~Pgj`HpV6sxRLgIH@J{E>uYr zlUY@f9la+PRh3<4MTi*|YL)%7V#WF9+uV&o3y(VZXUTbLAUfQ-a;R`Y{M?*&BqH_73fVQefSjfxJgNmQ*38$e zfWFOwrhIs&QVAgI;2?h!zr2CGo1^H~lR@kT%`vN1HAE(vgt!-raG# z&L?Q<+x+IUy8~fi5|r`T#Sr}pT0V}5~D_Y;hdls-yY&5bpcig%bh!AokD6F+Sm@r*ZvihL28cq z_=O}m2K5LUkE*hV&l+8uCRApwaQpbYu{7Qfm5M#0(h5(r-KVll$m=aeR<2%K6avVn(E`m zExSd6L)`vT^i1~9<_UAGq+``1DOHC2DaSlTggGRu0{x{4fBEce_jqE`{NgQxU?p&w%E3Kmk*MAPN zCdL1YnErDdGNthEODSqAD<~j}SR&)eHgsr)xGbt_;7Mv!B@e$0girnX6Z!tpg#TKx z6@!Nz5aj{=@~o_hWe(T&2AHe1B(X&pRFm@Q;_dgeR4G>6t%v!^G$B`?p*|Mvrntm> zL}vAL$a*V)bN_AnBw)hL>rKKK+(OsyPV78i#Vm5I=wbh55ecZ6DX~Mk0>(|HRO}=> zR|R77t!{nw(-dii^wMWF`qDi}bJ&=TJ>oc3KNn<^GY=HuzyaFO)-Ur1T)x+W03BZO zeCDoQ%B{KVEJAuz=2BZHRfhhL^78C#a&r1TParvh6KQu{EP!~GaZXK-&Ch(~CFz|$ z$%WLALa5zj+B*z6*{xTo-o(efei=w2psZ*uM-8W0lK$g>M_;f!sD->4xF%i_wge_^ 
zAiL2JpgCNM@&SyRe<#qt5By;e)yO(Ov>Hk0<0}-3nC=a~x~YEdO85B8yu+vyJZ~(f zg3GL~i6(%$8K5NGlY-L+wEO|{#(7QEU;l8>!UqA0m$-}{Q8{$A_1w-5Cm{gU^+kt& z(qdR*8j2j!Nh0FppV)hkZ7@rWHk4N5-@S#~na!$!S5Q>%{6Bid2rj+ITyh6DRQex>kaJ=Yc08>!D52In2tuebm zh0Dz?xaj!pK32HMG&jfLKEa{2K9BfWHW9VT_J; zSJrIJMN569He>1HC0$e_@}x z2hiK3u?cOFjf41t9|1Y1*O}ZVoGIF_qmM4GwUdjJJ*7c%ytNkiOv6#~jPzpmtV_+P zwErr28x8>d?vfjt6vBy{j8ZjI^{iP4!9%C1?AvFjUiwef7^w5+~Q?vRMxML0fOLXy!xH}~QR?k5<=KvGpTWKf-E*scW7Ls{&gh?I7`6tjvY4v$lL z1a!%;gxMngW6!nm0QXBTfXI0rZ{?tu^c4>-Wxf$$#(p8Oj8^k{@ADdQnhzU94%lRG zOoc_r(FF71uWtLjLhu6+Cs0k8m6@|ccQ?R}FBTQ^BD4by=KFO1z-?=8tWy}D8*8PplkfUhxgC1;S8`0O0#K^CtvfF| z4B;&7F{51Ta&yhlUi01x>dTu?wjUx%%QG@-J%@663z2>8fU|Es51~BCGcz}0|B2N4 zTiX_45zf`!)#*@~Pfn|>pso?SelRHCNiP? z1h8{z<_YkXkLgU7I`16V9Q5^Bq%jXS_X2$7WkyX`CbpZOCQhXMmN(5$%5R|1eWEEl zc^eYMK*u%fmKA?}T5_cS-N2qo9|S=>GF{3}47*1yKbsB(&<@l_GI~KE!3j22#k6ge zxRNRWuW#COANA|_$GRiL;YwiO&oC0zqWy?&GYLSi0G#H0plRz!|x zVY%`$fOGwtg??&$5@ysSh8tbDfW^1l=Q|NidAqlf#NTbzM5`-)xz6R)vx9|ZMZ=RkIpC}tRqcE`8#X73XF zU%l}SO9k-x|I2DGN&aUmab#@QxUO}gej>8}b{pH62LC^K59av!MU+Is>a8MF9C*(N OPF7O!L%F!&*Z%|Xha4yX 
diff --git a/docs/images/rows_in_visualisations.png b/docs/images/rows_in_visualisations.png deleted file mode 100644 index a9666e71fa2f7ce2f06a1db5e8a80ee431affa68..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 136181 zcmce7Wmp}-k|>^oy9Rf6cR09PfDqhCaCe7;yE}mp2m}cpEVy&f;O@blgT9k{@9y4x zyYKIt@0)LWy1JyRYpT1atD-g3-I5*p& zH}gxvsYZZ0s!Uu`xny!OgMu>G)hU`fDs(_x(o|~r#PIvD@|aN`$%@-k=tXC>kWpJPVd7^%h?s&sRTwK; zAbuHj5->+J5zhU-C<#7m59xbB(B1rR49Adch90XAAKH<=f#QtqKBWfAF~K+HXnc8? z`S#tB!vP7N%~P@HY@F9*0Co^@GN}w=%s-AKa@?`c(If#&Pi{Uz3~xXKRkp5`zM{3N zDhxBU41j?J*})({OR&(J1bRcqB_$H(4fKfvy=98v{sRgRDuVxyGTdJ{jFdJ|Q4#vo zws5twa&)tGaxXc$&xVrvZKtE}uCJ;hY~kd31+ zuy=G5_7qY_1Uk7|QS!5MvU5_4qfk;(in>}_3v0>9 z{R zKWRfzMgP_cYuI^P*}s>ubAYM`%0rxwOGxw|?f(blzc~IIrv86n3UTuMJLbPZ{%_28 zZdR^9CkH4?ck%xknSUYwJMdqKq8xvF{%@N2r<(s!3)QnYiYUi_j+rY+p9A@V)=4a>g-M;HlQ}^=lxDj}MfKShcP{^Wi(>{oVEuOv z|9UHTEeHQk_D~=U)?^+q0PTMz2bI9)f0sZE^nmui@_~UxXPF!P-;w^GV$Zt$zlE#S z`u`%_FIsB>q_66Q7%szbF99o-gkW}|s4EmaMoQ4J*Kv~SBg1jUfvMk8r*D|bWO)83QtxP89a0wLh%_T#|b zChw!@;L6O&O~BxBqmloy%R2I{U>DMgNaymAkHl)=N-f*0sQ=)OA^3uK9w;HwNhn`% zDsCg*4mWYL3c7X^zTya?+@HCdCtGftN9;X3eW53KJ3*)#C=d2%2U^}VJ(BwD_xbhC z?(}+LPBhietX0Ye8y$;hbDXgN3a?LlMG~GJLLZke98AcY=Nkhc`D`tT_47RP>ra+r z8;{mDXD;jB+)W)EehD>BoMf)eyk~-)ZY}E~PHiXRZzr;;UJcN8itH}*hOg} z*}|P7+K+ml{f(_NKj{v)yETD2)EkxeqHyA33*LiC;!=a{UZ=NK6io^)7h|duS4P05 zfS~rPtJD4T(0#0@)#ddBi$c2P`R8YceXP5~4vE+=alJwt#wUg=ft__bIR$ zfv6&79g$?Sk1I%VW`j+4TaOc0$7i1g8^E<4n74|}J_Bg;;0ZeK&b61@hc$6eipNE+ zV>jCMlg0p|*6qb-s)=n#hWJUxrAY3bFICOgoZvjjsXWs|o#b zrHf!L^J}zMP)78S)!3rn`;%`DbrK6!t!P~8uw716rK@eWyDy`klXypD2kx2=g2ggd|kfla~Pxw^<8z66T>yK^SPyOjm=63kXKk}rOfiXWKLJl*}3=m$z zGn(k#w)s%{M%LH8>^hy?)%RFMno?|uibB|9CDP&Em`Y{?vG_a9!w^c^kRmyiP&0~gk!uLORi-gPnOnM`y_ zvbr_h?Me1@c_z-RzY1XSz6P#pA-Lj%Xn-rPNc|F>6MJELd8Czr87?U3W>`NA+rVo~ z#NS3EPSpG_bGQ@sw^pvT6L|!{Oa-bz9ALFo9Ryb_Sa8_!M2}Bohx`fy;oH)9=bp06 
zfrXjCX5f|Kr{D{2Yrnig%c1E(0ay`C8w^i+&zd_Gzp*y;X8e#m8Om9=5y<)b#?2ce&e~-eZ!vTBS6OiD8bQ0=%d}xsfYT7!@_p=<4qfNk~Sbb zNcTByLnChtE76%(R3!>wUywJI?~bT(f0FK{=zZ&>RRIR)af(K5k)i^l>G@`-^QHv=F( zpw7Q*0T=c%%m5JNl_QrER=y#&d=h0$>J+Wyx1Dr)u7_1t3?Q9{J19!M{yV+UIc$$P245&0&~ zsLKA53g*=<^>0*K-fF+@2+OA6ul%7f_Z3v=m zpAB?*NL4%JvRuM$Zv5MG3fN1E$oHs0DBY!1FS66o&04lL*mbT4`N8>FWHQEB_dV(c zVY3#t$y4gGlvuFbJu=9}E?K33TJf!BmFekB;Qa(djga9kj02rR49Qpu$`tYz7BuiH zNWEMqh^mq(||E5 zgXK|uiVeD+KBxSZq%ocRg>5>~;m3M&SWMAm?pezhuIX}qC=?J6a~PS>r2SRB7`}V} zXyO|Ag+pJ8EGLFTOty5`rvtBB<=tMa1fHQfjar5o+}|ZSWdMT0J*~IqeY?)tVw3&+ z;x1O_<;=CqTuBTJb}*!$>(~9a%oJZ4h5oO*W-scXpo@0x1NFec*T04+=?j>I0Vc}& z1{`xqh$WvstslEUjR7yj6oIw@@8>2H^0=C^Z3f5+v1>#lwVrUlv}1X~Ymv!-1<~kb zQ2)IHbPtdu4u^vz8HQyWiSoIGb;-@2S0*gh+4#0wqHsfLN-r0>NeGt@zU~W>7AU1c zsXJ!B?n9qWa-wLmbx-c3loRTa_(wO45W)vqR8kYwTdRg~iuUbCKwB~}>nufT2$NCXB&CE; z)~A+yIRIva{y%!g1=rK7z*EWvDkUYSM?*hqGW!Zt#rR&Q(lzW`+}r3hqsm!R%u_05vzr3{vHK6PUT1!9zj_T6Z1KWB*!|!kZ8s zELGT%NXlGoM0H|U9x7I_P#Ws+a{Fb;zOza$7u2nGauGus>@(Ki3B?`CPo_e>V<{O* zHAZvk-Q;E&B@L(kz6ps=i-{d8I_pm$HXs5<2u~YBQTv|7Xh;T%LS>Lvbl zCX|vnux8zb*rqMli)L_fH5l;L-TE%-Gh+tvbm?D} zL?OV+H@mvCqJ$=_;XjPoUy&NXsg=ZQVfU>ZyEqPc6~9cT{_cQUHWpO9I#ME~6nY}= zuHK70S*LxKn>a=r`VXqmeK8z1W#%Q1?sS&h%5?gpB4Uatdc&?a2K?ZZ)8DTG15W&> zIVNa;lztcg4cUuaj10y4y1U#g5DMG?Zt%KoMp% z>^0ox<06yC7A(Pr$#mB*cgv*CiwQljC}g*xGrFMYpg2C-?6cvO^mU7oB*i+%%C@Q{ zoulJ$^kd()_q+4P_)`W|GXmuXp0lg%(57~V=l$W61#|f7D0=2NVqB@oU+s{>l@fD+ zQv&Tg!$m}zp3TyGCHoW29F5;ibvb;mkAjU(elKVD>w?O2N- zq@d^5s6h|AtA_6;%cog&V_m*atCg-rv)zF!D6Z;(Xo37(EOVmp}snqYm!KXG4WvKkq zK*{@*uCT;-h?nJ*Ze#%vr-9Df$w%PS%NWL=%arKt*Hl^DIWzna9%NVwk$yHa)LHVi z%iaRfKY5$D4q#fwYh%0+R_R~UXdv~%Is95uy|}#hykum$*n-;F!7$1spSxw_vTns& zfjM7f+j;|+wjU~>;uK?_Psd2C4t32Jv;DD~9bGuKIk=!+ew$(ub2AIvyp`sTprlJ0 zq@@KtvpvguI-GogB3!QW7UqK>@Q8)D@(fqf=D4#o0c!i-fGupvwvqkg|Og6T}EcDbreC2 zW+{SXt)W^iU#8Hnru!EA-N>%XYH2^IUS($z$V40i?_GiyI|IJ9UXF;Dxs)K;sl9e} zy$+U^=JD3FKiTJ4WUoqrZIqN^nDlFdnRLoEtU)tZ_#si)lojWNK;ZdATSKo{LgAzk zQop7#pmfMtC;P$*l2>EWHGKVQSMHC^x34ue$q 
z03#xT_jhorz4iO{2$|P=q4Ij(*$(2TQ>Jfy^Z;T< z;lY9glA~SY8J|FRVjkV0-lPyFD7TIgDjPdyQsC2*#-Yc*@!Ruw!7dW* zd6iVebJoyvk*>@!-vD;-MtM#8S239@yM1(n(&_HGfK~?nM0Ujo*w*-t>EeCc7PDeRh6h%ndjSFyd zV2ie339vgx=M4^9ei?rAde5*=s_@Ez_&d9PFN;b0Yi@_%9q3rpZW@oYkl<3^+N;{2 zW9ezPHFNxHVL<+3@wLA!B|Sp>pMo!J7=4Ta9;;zfmol{0LNoFI;=Zi z_WbIdx`34;UZ=bkgKE5P`{Q2V8^@~m^%HRv62tcTT~noH1=r*$4$S4BrfgR3k*!yM z-qJ9*>ohfIq^KB2P^2(>A&a6xq_YPa% zuJ~9##4TE{cLvxc93_Z`!jOCH`!s{wpWXK;esy~TcnKxlvDfzY*glM}zg$pUoz1U@ zQ#THg3VKi4FVs%?-)}PP#dHc}S&iz-2x?8ZFV|UshFVbx*?1Y$NHMbze6}CZ--hc| z8`tx1WCdy>DDWE>NOxNMy?=M5TQlF zS=Vj#t6rG*_rV`@yfCqnD}I`Z#$`~E@|H+ZN(*kRsC5@|-6=1=aUDrJjFdiYoHw?M z!Dlm%v0&v7EkG;t6of=ErDee=t1D`^)Vfu>PfEl{(qmD65qu@hDX#1P@lLByrnS|N z+l4Am2|U117-;tK_cuGowi~&bdOy93E!AA{nWu#ytoA#2)h|l;<6knb2|lsb=;B>p z{|LPFd{_ew5YzF{~2p zJ+x*A{&J-?EAMPgo>*BR5@kqeKsk+=5dRnlVefo33vT`4R0yLk`sPE6ZFF{*smp?k zdY(eaFI0H+vflk_?+f#yDTHQ;Ld{OXkqjmp@O7QVpbFO{VZcOJ!TbmB;nU?3fCBKR&0~?$h81KTp5I$U(%W@4OoL^a*rbW3a{RHB4 zmB=R|cd7T)mEzD{JVNTcME=MbAh3q`SW0XiLjG)3b$x(LOv59y zGYzYA_+#8BNJQK6iF_HVW;;)Lc?OFfyXh$}Jw;y|CBA>5AkG_()i)+4T{e7hJF0=c z#ST0oYied`z?CYjmLTcwW)2RR(>|HqLVXJe-KV$6X-Z^l38NV`Fd^g-m7O_uGi8l- zbKfGE{`gTPm6xgIQW+-(JYu5MJFc{Z98SL2YnRA*@L25G^SI91y5Z>NvVCaE#*}zK zD|Y&hwf6f%)>#VO=$L5BgWZ&(60@BFuhU2N1OI{wjbi`bYefkK99Wb-$p#8$o8@r< zD|?Qhqmx^-g`%RHv)6X37@*L@74R&dk~M0?E^30$#Qe5S0eYsu|M4B){HOs zfx^oe<3a=K2|G#YCxea)xBgaz3U3kRe0hkZ2hKk&Gs;vOH2x+Hbt%>Wz;BnSexMDF zMA@m(u83^-{qvpj%x761O@G0OL(vgxd})E!dG|v@`ARac5u`bgJ~JBpFk2uhl8x zC@DdPtX7L>Y65y{eR|kT#Moii>$Xc$ME3%YE391}iKj-Ysr2zX*C_bRS#Qp|21(_8 zwJN5+$Oz>mt|$MXvMX{}t}k6DmFZL|;6^{YHP~CKd>nC7`q~Yhp1D-ATb_Qzs@mm& zKdBUQDIY|E-=~kH%T(J3d4AZ0e>5$Ez;A93CQ$Hre4OJ}&SV?pX;Dq9{GBAmL}8E< zyZ6#_vl#HVZo0~v3QVY}jzar$QNM)z@39UV+U?@KFn!44h3t1s zM)j(=-S)-?JHBVywDSzSulFQ7^-1-4sF1f>d-_gPt-P4^lwfBv_f0p_a24k@Cl;Q5 z#n2<@H`RvM+xr@-hBS=AEvLhGjL$Z5o%mWprEijsd2$BUrt-1J57bQ7&iBSYj1igy z+R#&=CsY&#{n8BzHP(-N*1@;tWbcxB&-sAX785O4FDir81}^rW(VK&N%E* zvX+Q=9;XNpu+e?!wjE+rRKTTI<1Y-msMAa?1InOA`)lib0eBJhJ?Y*Jh5ASpbdMFi0EJK-v 
zW9aQjkUdD@H#8erq^Qi@Au6$9BI~Wn@~+yJUMRvnWe@(kI;VQJH@Wk+ zd^=t=#2WVNe%Qt&`)Uo^Rn;Tc->&AZX@5yU`A-BDW z61e>h293;noZg%II}hxk*gKtm55&_`YXOhr;4n~*bre?7e3DNp9&d%9t2iFXTLH&o zW{`;23HS3OCf=751K%AY_8E zkqZ5*ku@35Lf-a)4Z|5xPuujDq7=3H%m$alS^F!64iP=9oyFe zB$t9`dQ9TKPaK&wot(f;l(2ts@3)#-Gah<@u1@()0-wd=GE+@UE2zkO-}CH8xoi(J zkn^v$d2lWNn(umec*A9o5_yPkRPQUMB^j9uqWGy-;L`aiqc`gTx-R5j#$Fn!BYIbB zH$#7IWTP;+6YYO?j9{|OC*N(S)#2+wl#?=6wJ5&$aJsCzKanp}fFWeInr#ID1jtqx zAr2*RO|X`_4%KaOd6&AG3yzjc$kDhv_~d9OQ2Lhwj4|x}vw0eV5oU^e7x#YWIwfTy zMKp7CJrKNh@_aYo7f3g|fRMGm8?J3y@f}??cd!EV9B|==R}}Oq?}VZXQ@K}{zyD#$ zWXwM|Zc-4qk|tR`ULf`;LsXi6>j@ZNZ8L%yXnC8lT$oR2nnU~tLzdDPq33++`b|th zO^(Moz3CJ&BS=*`!N@=qJs(JZb-EJUUbJhP(U6nEMG!Wfwi+Lq8xc#;8`e6y;(MgJ zheLZh!@_;A-wg;;jO6rD$y({`cvShm#HV7y`CM%TmcJk4!cJh2bT$slOUU88XEplS z<9~I6SxZ09k16hqiEu0&*=n)=JV}A_wTlRhK@`4_NM)BOei`g-dAni6?S0OvNq;n7 z$+3+Hy08-9_wDee!h%nRu&<(#f9;V)$<97EoGg*Vq(s!+TXXEcgU_L;NNPpr8E)~n){dC1RAY5Z z#%)_;$3>vd=+cP7g-kMo@DLbE1ks~wz*d<=+!jrv9Bo6a`Yj5qf$r(rLbRKu3ZKv9 zkkP+~)utTPv?*nU1tc%jVn^;ylJqw{-(vu>BF3UqnY0?herF)v97RVoA{Zky;Mr*- zaL2b;kFBxEME zSrP9q@H91~$qd&i)yYe?83&L3<94W!0t+@BaejnSuh!#;00(K0%;i^+$p$g2`Ojba zibpgZG&g^KCr`>psyRuQ#=XNB&U6fsN}CH^tRcf|YxL&-&}dJ^giYG4xGhIr#myWU z!-P2YT_LwE~p1L2%-#DQoYD!B5`8-4Nfd@>|6`5CHVW@UMu|J z{ye-M=y9TGgeU$lK9QSe*D)HJ$G+VVYs7X&d%VaBUJZZ^1qmoY`*$#oi|&!GwXkT+ z%triifEngHjG5<mG`_=*(y=zHBTpiWSY(q*&61p>achLJ z?*b-?Hcfz?X}HL{;eGPbU|WGPig-;Jp6=#sc9*$#0XwTb&sLgZ-mI5`cEM&ACm7Sb zz4jtK7t$|k#5u_V?HJl@wt||w8XF^oK|RbM|3&M}yIT9j>Aj^-)oK19)7iqH&39ge z5jr?*h(@EFK1szUbCeCPoeg=MYdNy8`afQq*X5M5H!krWPBTaQZceIO>y*Y=b626?uI)t>CLoZh_UPv`=eClpFeXi zO0J|JY{apvjV5N$nhCR)y|%*0shm2g7%`1p0@r--S1tzIi!CdSoe7+?XQ!@sl&tAU z^xV>gK6#2D?ApTOQBVqIERHQEUPN$~&NNq13b`U?G-r%PG4lLxnw2zZYqxVzr^?7Q zw7vHZz&Z0hfu)@ceqVTw&)(u^n!vR;Wt*6$ z<-m4+sP=zP+$C^XO3XeY=QQbj?!Ko{M@dHGpFnxo1E&vbwW~V;-CNpPW6TWX)L!(hK{WI)`0z%TUiR^LQAp^26b0$x zDaOvo_KIav)nrzyB)(J$;l{JUK+jZO`m5mgRz#gD{b* zqu-vFXhPn@QJA9KlCD=ozLW6VREaS*63(&$hboq<7@|-7m`A+)r`g(&q2lX>j#vQf 
zG;=)nwLUjo$ePZ`!H!~|DZ@c1qP5zVcmmDO{WOjf8bq~(XN8&~sVF<`CTs?hY?R>r zx+#6>5|s4enl4B;U)kjXzxP#z%;{SFAg|y%buwB6I*|`(G6a~ zxl$D(BI8zy-WA@?i;PK;7U2xq+Tr@gmn14!f!K8iW32`qzVX>0&fLvjc?Gqh?L_gk z$oEUAS9G(;5sbEMW?ZNQ9cBgEudrcBgxuivi^8r-O55&fa29q{h{Qmt;*TMebaG~a z25Ii=vE?BE=#?M3-0@R2(XOtlCnx@%oJff_9;mLuN=s#p&ywMVSpDNbnPbT~4*Q!X zG0h19lL2iNSLA*jGs!$R`kXDYl>)=t!@?;zu*6+j_zV|=C3L4^-uE7+W&pa+q$2>| zVTsF?sNsgE8cnvQ>Z>xS7dXnrxuzKaj8WZ++Ws`@F$CFdrXNj6jRJQu_73b%Ov26Mzmz6 zR8r25DCPj$u+=qP=X-<243Q^F>r#7Uv(Js_NMAcU@R-PRspAu&lip%AQpi%JVcB7k zNU-E_0}hk_buf=;N<2BATKJ*7$dk(JRDhjvjQH7RLH`P+HHUnM_J50 z2*+2F95kws;RZNN{>|urZSO zc|b@aLPNjILb12OvNP)QHeWlqei8&?R6rf$vE+rBQH3MPG6gcO3YpP32B@7 zU$C`PmC#bqE~I>P%H^Q`IWxS|MsppxDGoA~eK@Lo#lobGeaFkP8(zQUcCC#)^c^t! z{evEYh{4huv?p1Va_@a%bbP@#MR}RJ*uzdM$5zCiL6Ges2@jQVMkh=fTsU;NU*hwEgrrGOhmlg%dR1YOY4p zdwu&$`eSbDufiyzsp%Cx$p{gl{ zdEqFBr@GA$S?1@WUwRGY>ur0U=k}8=vq;4mXxq7=Pt42~bW}38$5V4NEGO1XJFZio zfJ^pMpIgJL>IggV@RnL%m?|l?ifk+Zf)NkoM9s=d3~v3qnb{#>f%sso%B;(PUJ_WF z65kyoM&`jMZh|3me5+-mml50G=dc!xHG0M(Cafqj^#kZ(4O;K+qPMz#Go5K5UY6hW z!4}Gd|JPbmWH-4*^$)@Tg%?xd!ENU#NSk4-7lo_US?3XkPK+ac$)(q}lTnNFXK##Q zi}LpKR?`py0%sv;o`l&u$4C#aqv=I7h({LWAQimpb>f_0aa^J$6tpQVbXWGaIwJLR z2N6aOu^91>;hrc@^6TlbToIEzTvlJ)Z!T&&T6(M|bp825;HuBE>QB>OMrqyKM5*-_ z4q$CI1qfsbv)!Q`Ngs%6i!o77A|GjStqbUsO#ZI2!$od>e7@7%JMj{iM4bF$-VWJYrm*U^ zAmMkCoRi}Y1+S6)*Q9dx9zkpov)C<9No8u6iI@i|T##FhZk zKHiFNk1MD(Sq+z43k=*DHd7Mt;j{ED z;rUA2X&@k?IFIfl(HCccobgKnYkPM&rDOd!>JIXqel$WG#|DQ>H7R%4j*v9edo^Ma zPf@&3j#6JcrI_vFO~Lj;jQxheX(DBWw#@lN#x^8q1%8_~JwZf={rh?Gt>1Q7Ds^j8cxipted792>_oHp10usM z>vNdi_SVPZ?fs09-=!$ARHICZK(Q+y_;b@0Vlq`C|0Nz@JiE<+9A#bTL>!FOTR~U3cPrevH^Chk?itk(v_i^Pc<$#~o?}#@3~v zLs9S{Y0QrG!SG)F$3nIOx8?5wlwPNLJLBoN9L=Qru!jQ@Pv*3QG0B|kTRt84KPtPs zlu){gURng7^+wk9$jWE}JXO`BJ3aez57 zNLrs6xX-vV9R&?q5=%C@Np8I;3;c2X%glSf0-+Xwfj{085vw2;0t-F+Z(a>dta2Io zf;t4=EePP`l`&p2dUi~$>y*DSdnwtEitr>7wtYMAXeoHc5{2?GD6!6Y_H+i1-CjZ4 zt1#&x;4G^GyckJk*Fg8nbI_8(`;;_=cU=OyZO?xX6LWi0SvZ1GK1KgKf< 
zgxmg%h?{$VhP{11)N5~~=@<5tAk=JM+O4*q|EW3{P1JUhLu)0ug03$F*u1ootw{tS3JKXf8(zxFx z_G^dEl9>NR{T7AMwqaUoF--Rf=p}4NSYXw;(JyMPXHkKjT)>RGs+u7Qtbx7@YReY( z_&5xlNXWyT=Ou*<61^|1RmuLL)s%bcDt_F=l@UPtjh{{07Bd@dzP%VR8qE)dS!3#F zuaaF=utH}0jquXdjW%`^B2=nGnw?!D%Raas4TV0#{UnG)Mp49Gk_b?E|28^J2jGWX zrc#09SZG^4?$I0BV^NFaE~QKZoFK|k#QfR(49F?z-em@;S+W!JO~h|nr`9Gg0v#En zxCD|cQekDM^?L$)`YLKsIIxz!17vHjAY`&cXySzgAAI2i9M-}~(^87Y>&?h+SnNto z2xc~W*85}d3C|>VNARsWz7jBg?v6>od$@loeiPc$qv_3+V?M!x75KO=u#WEp?(kZt zqN-~bNA;@xx%|05R(8YjO>xfX=0Z}-hR~n8JoydhORmWUP0c-A$|u3lf)dLRhY^rqqtP93N0VM>2pq(O3&lj)%r>*oY>0z>6%R-(5|fRsQa3=-Zk|o zHU^ohMT}(@1`xTF!VZ#4U>|W%Undm1dK}FrPinr+*zX`9{LUa@O(Y7uI5;tDNE%PK zPT-uk-QgycEkc-_>0$2eOE(K;!|oiBvtUR4U2BVsKNN{hLV0Q0=5t+VBQyLwFJbJ# zp-c|Oc|mJriMl%zA_5)KD&{C3o8x^91E0Kv4STa|)A?udT4Pz0jP*Vpk%kVOckcSo zDHB9&5eUU!JX}*>5nI1Jor<+-`j=HP`k`gs5@1`H=>901j~x}6Y%$G8GSn%+FVEKP z`qo~ z>zm-h^EE%E%d9jDA?=)Ru#$lL&~ySDKqWvH`KF=^=C>7k%7S}t`rDJQev||8r0*~+ z^6Cr906RVi=2{q=bSzqep1YjjFoMCiMZd=U=}~^J{xpV(sHx?AHUT|FZV{}Hq#!(R zyr25h=Yk-X3mReH<;-}-MzNCyRzgE-G@4U%)TkAjOQN5LOf;+Mi%6sn`z%Pg0 z;IyuWX4noY?v=~&+JtnGlao|K%Guli8ixyB8=PyoUq9<$#H$ObNX+xO)yKXr8t@@cYWk9jvSz%2~;h~8t@_zHn7GT zV%p`j)MpYSdXg|Ev9%7Ka>Iv}{RM)t)%xI%WqRGcVFFUrfn_1ltJa!2UTc)Uq^=LjwwVIdHgZgCBMO}H&DQBADo$T&uW~W+spReKdfP#k9zs@ zN3PyKtzy<=g5Ij5IV=x`TODGn69{nEEpHlN3{V8OAfI{nU}=;Eh#ffL3kJbm_axZT z>Eo?Yfh;l3nk4EikzN#~@9Qu?O+1*eBu>FCH!Lf4DP^>`@SgWC}46(gY*8e-GerpMOM*u1mBY(#PZxV<(X}aA zFfu2+fKfEve)Be*Y{@p~#O6b;(WMQe(Dl*~+cGQ3T$`RiZyHXSxoV*}?v(@+qAz>@ z&(-EN|1h1Waki^DpFYfxvCfj-$aI76sfG5p+D!rLJh^T|bh?ce?xVfd)@VNISA0_dg6N12PphGux3?~)RXKf?4KVjNi6=+nF15J%?gk)SRe zFEx(R(%dD{J+tV23m5HKxNN){5wqDBWx^dG&?WgWVdlB^q5Kn<%+=78g+9-9TDaNX z7gEt`kD)J_3Yew)BSSM*)sDtLK^k3(feX!6BCZ&?KP2`!OZPb?V5;xRp<$&lFxeK+ z-~0FgsIB}WK7NS05U^hKe;NH0-`|j;G&}KW<~L+d3qgN{DFx1<)#U-XJZc0^zX_o0 zm{&5vga$_(*%>axk=h2F|30x(ud=NCv=@M6e==Bg&$%Ml$`6Z4>RB>{mTp* zsH=`(Zfc5$-!WBCr@|0e0K_-6=r#ds{xh$6h!4O>Gs-6sp+<{Ii50e!^X63PYdK(t z1d606ovu&L#={m^&^tCx!*f@(&kW~-0h^*cON)Dh?1Mp&UrUW8k3bq49nw7Df+3tn 
z?MzRDC1WII0^Sjs_tQpjWr54SA-U|7W(L_YYwYSGxEsevlFJ5*>OgGCpD)~(eBfX~ zQq1YQ(GPmzg^^g&T%rC|iME%S8yj=Eo zx%yDy!XG0RxIlzjtlEczXXk^Azw(>oNT(KdK|c#+_;*Y=sBYv@l!5;N}U(Q70jV@WR>Bs<5Sq+f|o}{0%DCLQu%$B6bud zj4E_JAl4Cp`U6T-ERC`p#G*e*Hq3Ck&hLH*X$P5g)a1!g*2CGVflX>^prcfbt+C6= z%l=aj8X^6c4kk@fQ;HW6-&FmF=QyAHH}e(yqHs!*La%QR&@RQ`c$f6IZL3VfbubzY z?5dpq_&`VbZ_0TqZU|>erA@QE`dEH*Q9U%xOBjyacl4pG!2Ko>Z;< z4SQe<3Hll-72%rly>*64VG`a4+b<>Bq zf%X$Ecsndu8EV!})U>iKQtPy&aJ(X=G%Csd4O?C?)V`%z^c51X;h&RemUF@_+?$-n z*i=H;Y>+Ru9dYM$b$rrCFrDZYGcTeiJsZjNMktRFz@(Fb19aU@~2bIUc8-F`YUM(2F{wP%=t_ z`zP1E`{0*dTf8Be7Wq$%Cimx`4Qt)DaXR(RC2O4?c@_F4i52=4g%vtQ;k0mgw3=1g z65yDp*UvZm{nRavJJy=jhW3va8;*1uRaUZTjP`ikHdc|?^frl!iELBU$kfEFKx9HT zklyZk!>Hd@SD{_tTRP$nvxp=~0s&d2--K}gAB5KEa?F$zA8$;j@!R-pvBrLUw_S-& z<-0E_X-I;x|J|I@Z9xto5{OUr6M@hL$HQcxrr?&RCf#wvTnTJ6wdRRb%V{AyMlDxACS+t8;E^Azk#GK4wQ+q>9K_CS(UGbCYjuhbns>^Q#vu$YtU|*MkjyzLXI*ljo9vv z7+KW2?Bp2KNAJ(prrz(aYF7=w@_hPanE$yb1RgWxi$^eXnCknv8Qr}%Duwf8elp#H z!IvUnF>&=G<63}lOzT8aV;?;+(?V-7-L{i{!&0qUhf-f&`0Dmk6H1qHg}a-=vJD-O zv(9#-<-+2iob@PfZhsQAlZIgW0oH1>M0W%dwdJo21?9Io+(_cFkWcnM62V0ieNE3- z;Vee$cBV>WvcRp+s?WZ{NJ4+SthA4K4_}w?pSL+853GOR#!Tp;8zWhD# zV(_>)h`YY1qS+3&{CMlpl2$!3o67Ig(R;NRR*KX7Hd+WRh9`Ay8JKh$IHp)AWs_O# zH*x_?z2~Mbif`^@*kKFAGI4q>cI-tX(d;1JpK~IumPI-Q@`-Be(zd#Y}{V1s-ZKdN>zogvc7-}koVQTOVPM5O9Or~v3dueU^XGbN7FvV;z zmf}0ei2U;loz`M?7R_QR(+x}vK=IT`DCXeaV$kUxC35|*c3{#S_ICju5)A?t1Dowi z4G;zp(|$T^s}S<~Am+B@7b((0CL-yu{T_C7$K1mTq5+f2<9FedwM$n1R@U}%H(JiH zf4pwlOkb=D6^ls=u?BpS-MwfTW$EmK^$m;1DulqNbnHmKn=DuBIXd)SP%X5(P^(p0 z&F#to-xW==UAX~gh3Uz-KetLue-YJbblC|TN7|Y&1H<>-A(KkSYr&tqmPf}@Ji6#s3E(YKs(=ZFWBbc z!p3LR>h*5>UhkDzSB)dGn`%Qa{%G24V8#~|7XD&e!~h%Uy$QFad?&@@Fg2-|i>~!^ zVFstys%8s_#*K<^3QG`*~qEu&LI2`LB zI@E;ULDTp3oCg<~kdx4Yr_g;A36`bI^K~|+nK!Q zTWY7la*ctdf6yQON{a`?Fg^I;9sj4I3>K$I*kJ;Sdga2&DLksJAdvrPR17jb?rG$t z{(777hq&;4l~$!DrdJ)U#mB3H%ut3!i@isou7oIo0OBdymV()+vZjg&4t4j%{s}++9VAlRZ{&=mlxcDz#6y@Y5U4ag) zSuP=8m$Qthdb>sLhl$(Y1oA)e5on{*H!Uspx*7f+n^f|>G?1n(|2dHQ>)t;(b}d`~ 
zX@o-%`9L67%P#pEAGjomFS<9y*9-hMH^0xeyX)9A6H%n+TK=tg7X;)Pex;aJ^ zTZWG~T=FrL+5qOG#u9L1MF(_mG|MCumP*GV?9%osCJVDU!%t=paPNHX(na_@or^mB zMO@g+el$L6-n?t{8Sv&zjsbArw(ol*x>+bLm~^$;+b;d46kELH01bM=UseWLb`Vc@ z_rNVo#^GJyY6eSGU>Lif~(~JsTeUv(w!^ zVdS2*D_qe5Yd{lsoeyQN92c(D=kc5qpWDtIbHMp=*+{sl3+1{z~f0s>BpM=AkQei32Es(KsNJJ_~ZPM5=9%a)@vaAVM}?| zT%Z?(T*K!RA5Ct14sag*jq>g=**wniiN#U*ynEfC2|T*ypAOn9e^VAH^=)s+=y&}3 z^g9B6LQJ{mvB{BJns`#3QjDhTZSWpoz}6DzPG?r+i7IJA-a>=_LUpxWuA)sU@hHar zUho2bPbHf4vJ>G;SL^JFVS<4XUu1s}r*b!1t`y;}xh_nPmX8)xz)%%ztGB{*ESHN; z-zzzv9%YUXHTPYaNr#km`vSFJt76wnZ^0sFs(D2pkjZWPSJzQT=Mu#FgqE3?WbimO zZ20XJmRMk3a%=N$_V@u`K7n8s=mN3#bn^|H_*h4o*S{fKL1=K+2Mlt)hzw)JCyuYc z{#73&`Z@u68#mSXq$k}vxgJ{nQ*gT~gM=A=)UU0$pO)}>Eh;?!Ay=yP@yE&{=5iA0 zCw<~TikLvxVF8oaR@<_?&y(uj^Z6+GRtIdzV$9jf{`y?M&)S+qk8d+KpbqNfOAenD zhQn0-Mw7ig)7h5X5x@WYASn4E{M-D%SmZ|7uA9JDmy5zmO^%Ar>J`+XARD6ZWmi}t zvlQa!4(N>?l$bDuOJs9Mc6sIULU}8o>qzoc-|)D0vA*{qyi~<^;Q7{;N4mukt&JOr zDf)D=F(U3zY0#N!Jy%#!iF5nyt(CVj1;h^jt|V~&+B+CHk_eSje?(bI51G{81wk^M zKoD(eIi5<-c<+ZZ!fsQ1;dE`Mm?I>PSXhGgeWOy#0}dZWC@suG8#m+h2V*Ap1Q(uJ za?leue6AM7&Hz0ydQ1h1^*ds-5|MNu_+@2)Utc!@JhaAdO?M-kOE8CcCV`lCD#W*6 z9Z(b1Dk%BX2b7SBeaciyx#0xBAqO7X0c(f$Q|NO&tefiDb?bo%ZAy;KL~Jw^oI*3Y zE($p`RhxlOyELw9y}s|8e>4y;KG{%_K@6owpmQ6s*tZN*Y1nbi6AHEe)J-uNLz;f} z%JS)SAvpockIS|(W#zgU(x8C1kpTJA`5#BkT80gsMXyafFG`WgC*anb0X+_fn2_#& zRvX;6ytR1uyJq-XL)1kOdtmS&d>&7r9X-)Q$6n}RR)SRe;kAo*K$b(OY~5}tH;HIa zW(49|(2Uze>XZUIjtbVUPHPN@qzP-0{w5x0WuN%Y(*4OcCWnf6G>tovd)3dp1*1IN_GFEU0w5jK5M9YUM(x^N_ z+oG5#@X=eM)2O3T;?l5CZ@3rBD{E;tABra(*aBxl1hgNW(W7o_GBda!x`j;k)-i&K z(YO@0DK3~F__BmLfL^)CzG>DP5}M>(NSrjL>Va0~Jaf-U?)&i7WbyhyXwPXm^x^ER-r}6YV2|JXkTia#Hs>;7}p0MWk8aDi5(%c98#@st^ocSc-Hk6Ur++Dd^ya%uO zJ|P0sea8*E(A`-}sK2KU!D#f$IGrK$4t*_qLAqtgh<`I}MzXn~|EbQ{7G5x=RjGUq z6VY^|Z~ILYHZwZ}G!j>*`xRT9!FwI-NP+Z}v15EaN65A}4+`lY%k+2JqT#M?%m{)T z?^9gtrNK0DtC{1wNqyH_p@|VqvdLsLs%9HLDb&Y9moBFTi$>?L9fTh z`)&V8p3A%sK3^M6*7h|$xA5#1=g$%0CC)#DCZ6QV6pu3zn0R&&@p!Zm3yj1~?&*NV 
z?LqmhM;7zigFd4*7CZQchXU)iKy~DHtDmk6oa+-d0g@z7dbec_GIG|OF-z&)uoYfzq-|8 zE>^Z3SixzKs-#L`V+#$2b1|uZH>gTs?tQL0fC|TBUKH|1rXBUx12yvGooK@M(vhIx zyj825M_ryou7!eS-CGiLa>dfoRsuWUYBnUl86%IYpIcrsiThiXzgYia*8XzpIfZu| z1`)1(J=!a+WPR~jYf_wZUsIP4{!&FU-ZKjqn_=G&D7*xTvI%z$Yt%MlT!EB-#H1DQU~%T zD4{o-j>H}$@g~Tr*o|}1*&`+)rOX?@K?XPsdq?Q+C#U@Ka^McNZPfkuo6}ar$Cgqe zOZNKp0l$vx^ydK^R>I+QImU?Cg7XJRDVtom+j5mTRK^_Gl@{wg=7v0p@wz$u5-;CO zj&Ge7BTF;zt~VL`q_C6TFdqC)EXm>+<4$mq*NK+j&u;rjP!VoxDeJg{sijZHi|KAu zoX78e>DoyozB&%tck4SA`+UR45Yd75#lxz;@>mHux>MST(ia^Zu+HcuOact+5RmJe zi3wM7dT+3@C}=h|#%R}3l0HT8Y79lC#M|q-=JZgPw1LI24D}i3d7hJ=TF%V8TjJQL z1##WY9yOpne{OfK+?cx9_-?n&a*8uS2og*WDrI6cx{R>if$RpE)q1U&Wx3vq>cH#K z;p3$HKT3}DYNbt{PhD^4Tu>%Vn}nNIlY5D{dtEOXXeWw!vSCi68RRaswCUKu)!i;| zyyi>4QWME#N6!?1ks+73%nv~(KwSI>xg1%Xu^oR?U74kFkg zUnxg!11m<8L1&|}L^}(T0T5Tr{q9|@qO2}d2MtFqDvGsHto^p|*-04FGJHi5YA1)+ z1^M>oO_s-p$6M)2_p%B_`N8Uxe6MfO0Ut?qDg$_wu6gY8!$m zWM#)wI<+Rha5P}@m#LewCVXk@R4%)Jzr>CACL#)13OyH=<1cCcNK^qlhlWB-WQFX`a7KUL}kv8bh9UV-v6 zd~~UV#z@#_DA-xS1UX?)^I1*|vXazxZ_(dJ;3HNHJYw46y`-X_jgfaz%5x_+wdjk* z?pei2nhaMvsc(&K#|c@^If$xB!diG>9SV-bhz2>8aOWTS;Z3UaI;ZPcP;&kS03`dydl~jVur5&z_;}| zqeV5zOHFTU?YsxVuY7j7m!4qI$-5N?l3NCOuwcCYs|`R!*_`4wwCr&GmFuW#_~th1 zsGVt1^^enh`|lwvoc%XS&UH-~SwIpMlF7Y+?e^C-IxSD5=Z$K?sZa#;dY2b{AcDTjnsnF-n#-8GU{`=~4yqmJS?aTcb! zx%4=Mxt-N)cw$`(Met`FY|~sQa(v0H5%Qd%;}1P7au%eL8tK@3;7)R_^7Osbm@QU! zL<#Hh)ev@Ws+!I(rcb^c`F7|6*v~a_o8}gS$F;1Q~Mnhm|6=c@eR~ z)e0g?k8kq7%Q}X(*1HN-{#jebvz@G8mHGk`p7@S=zzTYs7qgm?Oq}6FL`Y2=z|+)! 
z`mK#P-q;=cwV;|2pfs#k3}SAhoyNNbttf7o3>__HU)#TWI;RfP4D38eduyxOL2e&P zqcmttx>UQYn_Q!M=ad8T8(t*9$MI|N{kG5D@AE%mD5&Wn_}%Y1huy~lj>D>Q`VJws z+zsV0^p1I90I>h8CG6-3@r~ERyvN!0(?Aa(56Fa6C>iMGuCePR6oYEP#My);6|q#g z5~-E@?`b+$P%GMZM(~XSkwI`1^=v=Cx_+N3oqNZ7WtB2R+bL_W&_4cYoXn=UYUM~!*y36R<{9xgexm^DP?nVlLc4|!W$@b(0B$(d2&w;89>!>ugdc4x3tm|8#7zyY6vJw9c<-9ekKVP#C z{_XNDFTzv;LK5UA=olg2GVURY>QKHWPa;X;^QGY}To@a*S^C+3dJZ>Py^5p+;8B8e zA@(2(o!X$&q+#x_^B^8MGX3*DGCW&wg}U5|qjAvTaY6RP=l3e#h+N=wKdmLD64$ul zoDucs#dBoRli!)RTP<3lng!P^v(rbJ#cVop#aN|Pk&u=I&E^R7j2;kM1%OJ+4>>=P z%o@lD*CfGQgo)GccwA$U=z^ihyBSG_v#rSn=MtQsO)EObZ=7xqzwc|g`UFi68}NFX zCYIN_?HppF5)aa}C`o_H=NXUEzN!9*?SYz;Jt)TdD7lZ;|Mji%(a>!PQ+4Pr%_zJL zel8pdzu23JJ~>ywOE$I2n5M%1{_h-u7ZW_WSNCd_w%?p&HwEM0eI=pREr3@Er|oj) za75QH3R&Cz;i+prCS;mbsiL{!v4z7teikmA?>>kElRJtCD5Zv)70!~h0w=;2=GCgT zcg9P+^L2s+f!<14_vodBb>D^|4HbMzg+(&8PBwcuyl=dNu z%W|r>sAyQMPsIER29bLqm$G$$Jn~R4#JNxOU~f z9OE1HP0)T@O43qjneU+Y9xnz7KOg6YnEo$_Mx4RCO%(|$5=z)M+S!nUCI-?h=4e`KqUC+amq^gmqsf#}zsil}9O>4I;sa*L09Z$32`w6T&xE z4oV;dzFMW#*ctAV=poQs%t6$6ED>Nq>b%rl&EL;QA5s&Hk3<15)(>QyUr?OTZH{$L zH|4ThJ-9`8HyxC@SZ@}`sx>L-9ge~G9%kFM94Ve>dBGcKWVZqBJlRG>SGJ`fj&}RR zyE?@j7O2eMmLO0pG+uwkpmBm$m=sSMV&7|`o9W)C&k+l}=xkpUmfL*LOIG6L9K_50 zwtCc0v!n3;Qt&*ja@+Ty-H`uF#=PduhNptOVg)FtqM%KmW-+Di#U0@N6jaDfVeF@DKRTT3+dlV@p~)gwV%#@0h8qYUeAOs zNWCp}XouYe&p%Lr zF5*ih$Dn)`*TBU<32Ui*22&Vg*Am7LdiMC8k+8n*>L2^V)~QJabAW%#7vCx4U(UL= zD|t5%58pmVz($XMQ$ewvOcC(jqFm=LlrnGQOaGY}j>)s~2m3JeUz5}>?)tGVI={B> zQdPPjj&i60S&rlXa@bn#d!bdAXad`N7ppfPN_JT=ye=5YCJ?eg7q&z?GA zq{r{g{fD2iP+e=nh)M>c1HlfSzy+(&{$?8Hy;*I-_Hjgl*<>-TnnIZ(VZwwbt(Ylr zV3Zg4-=`+K)_prc0)QS7p&tq79$^{7KIMooetXrKLCQT@hmZ*rU4RYrMrMB>YZ?H- zA9;6JjG38!#IM~%h;DDEWqFd?mrIS6ovBN=nDkRxu!Pz`9Ct^vRZ#%LIiW%nsVYh4 zUb7=IxiZKa3AYkyjyLI2m}rS#**C|h2cA37Ks2LA2-`L3Br9|t3UmfDIZ|J&QWnJ~jg6BC@HDDA`e zH*Lr=;b*i5?Tf`a`QIPJgF?a8`A-6v9DS)?O!VX&+k+8ZW~ygz!c z(tCT}t8kckoND-aph2b*+wLPDTsYwa3&jU9y=!V`Fedz%oZwfk!AwyXXZJ&5>jg80Vk4a5q zZ--)s+=chw8mZXE|d>N{>8Rt&>zHYt@O17bb3EvK{bo1N3wc+XzivB7S?9c|d} 
z>>YeKl?p!+2ZA#I`k1E&T#O8#mq8i^W!g`yTw+HvD~~7(1ps!pWfk(clHUC3 z$VY}8o+x+n6C3y29t98AYg`I6q14Y3@@v5{IwA4APk=$HL}Lc8Eks`G(4cpj*=iko z1N=+1x4`wJc=0$$q3t)|Z1~7n+5>Sl`r~3*WbwqPBw(D@^N^TT>zTae4MS3*en`%+ z|0SyoP@JfiB>p*3o4hpe@x^R5Z?<3HJAzMEF{v`g#nk6r%fRHBxtJv_q}_C# z$obATFkQ6`>hPpS=bn3C_SB^{bJ>>K zXooPf@2R%OTcEsACn^Z{q8|+4OeaqNThFA1N>y~^E5^xY?CoS_Vjt*KBYrC+uF)>T z%{aiYJvUNdfjeHu5H}Leh79fli;&(E6%xZmen6TKFIclH zI6ezBWcb+;)NMrunH`4KnFuiahyFr>Ic|XLoLMUOwAI${FzfBAU)LCV5x-J?f+mOj z?!w~(ur-M>D#>3L7p9|KvADt1Rfqk`BjqAwrVk#R;$j&LZEv<$%)R5g($vSkQ*Pq- zt6vu?vly5=EaPaq)sbSGeDFyO^9~;OgnEEMg!x*01C%QGFN{I4$m!&?jEJ2&wyYZO zoDlna-pk`#-r%fRig*u%;n&kn2|iL~0p7r3@5d)hh4I(Zm(N<=DEgfb%7CX{ok%c_ zN5+#pktVDe3&FB2Br>PPs2}fOBB!P=(W9ThpF{%4ureyH|I{Z?pKoT2EGGE)JT6ctN)z#nvY9UHKwIt zQ=_TO>I)Rmh{+%RRIAguT|%tr$BZHRsRwh&n5;i2R9v9v*dy9s@{$vC?+Fs0vlQ^T zqx#4Eibp_^Y`=mM3}tV{G;tn}CK`=CULS@Q6riGGR!Ug&x+eX1dcX3c$@#B=XgmeC zK^IPMWA*79MCTX?Lm}PAzK<{57EIC1-QMov56gYXLJY z%QDZ4>=nmZKajbvTvB;&Kqc?6n{aD-AC|*T+-s)9&zo44V|q~j_K0=vh9JYK6t&Si|7tB&J2mJ)^rq{7Zj9I z;C21k32|gOvri4RsHCDA0D;JQ&tw?>nQGEvGpFDG4VUTuWPc{}*vNMY6v(L(iSjdM z&?@W8FxjGT=u-YRX?*l#YQ}}DfjtuxhM*b~Um=SrO7{X;C6V;+cGj9(^mQPks*%iSYUbOCD zJMvp6Ol;RV>EPg*(uw@Y33)&4?RoXM8#S9TuI>nNu4UjVR6qk|#lI=OdOf5Zm(XOU z`L9xg=KBMb@j2+-HPdDr>P(D($bd&|e6`dU-gEx;S z7>F$bwvS_1Tw>7^udx;+EI$wd^Rap}|8{`4V%C>ct}b-{$Iqdh-pg1oH1AH3#o-+i&w)IkJ` z0Cj3=Vj?`~$P?|#@4JlkO~Xo^7t#OH?$!1Re#kQfN*W`;Jp2Mcdn-DK?(&B=U2|KC z;v8{tTFsK!U823Q${)V|tHF|t^!h%@NC#U>ny1G0GjX*skckZBs2{3D~F620)<|+81<4?*=d?_CUTmb5Ar$dKSD;#TKZ)Qg_<}O9A}!J z@ILs74~h>y6GhmQIF+sgsvtFGem1I`Zp3WWb%w}*k~)=inZr}td$&;vPd*sclNFJk zS?G&nncF_sLLhblmhuJH)C18FDqNZUDfM4bm<A z_rsI`HvJBh`f^>#{#LDOeMUKyYr^+jwTo#OiJ{$<5NZxG02eVPV-V8*Q=%&Dm)_&8p*7otUUJ( zL7V}p|9o%^htS!IVR6`XcwHan)VU<^qyxXMh2eyt3gq9lx@Fq~o$jN^;_ku38 zM?H_H2@_=unr#5E$QqRA%#Ba3_a{yi)WicUzPOY;P0*%fH+ub8nIUsf#WeTs;LE3E zVd(N1s?)D-895=jc~5Bh52=Uk+;*GM`ato-$`R#E5T+BfR!WT1Pw~#Emm?W)=ji#9@CI=E2W!ZBlrcHbF)F+QzkEl~X{qHw?lLq}?3_TfG2bSoOA(M-vEw1qZPLA7RNbq6-Q`f_Kd=ljm@UG546Yq0qb3jDrai$>d!Dj 
zTQ!~4JIf&A$sqW}V6lW|61W^fe41XI;|GI0@XZAto)u9tpH+>75ry23cdjg-70yc- ziAWd2wjc1`^UIZKo%szlpVgVtDk2YY!lK6B4a48$rc8Ss3&Xa6ZRq%x1)+sxC2e0L zR5ep&pM8|YktsvH#QCrsb0B&+?tv$!9E7k+ZXZDJs;a_2*O4eSMUvL`0^W#l>aFTR z6VSs68koG@#%B6yfdX->+B%6lMgKKLG}rgO2-2~Q8}k}2-k3-wd8)=qRpv@zC1U@e zYq0)i_lj8cmxv2MBqA#c**QY{SL&zrn`~B6+zO|6#Zt1~w zT!l1GXQ|WB;4%ni$Fg=Ttw@FQ3=zIVnhPN`2q6q1Wc&xmjv&4fFgDIxt=U<*WaBcO zRJQPb^`zN-c?LQuZ*xKL&aZPp`K0Jj->+$%0VfYqCh)%xo}5UYedf(QV4rFyI!%6oOMNGgk zaX9JH+0=Lfa!G@5mGa3*D|6vf2F`HVpuUrUfrg=!{9Chf*$Rh2yEe)9bW%tlOHMp7x;`0%;1;t)$O>{)jH9)$-h)rEiDRI}f#>_B#sQikaJcw#p`nG?aPcDXB6KP9 zU{<;%!*9pa?d^Zvg<1M+TCt<{;sS1N+J;>U+9|=l!;-TkZzW?}_#uDt-fPr}Spy$5KUrRpi%17x$lkz|J`CY^) z)PZ)v4B%cGt(lahK@T*n|1iI|VC4`P?z2^3LPF1|fK0UEB#0B|WzZks3MhsTV>wZ^ z;U&N&MDcb4l^sc(2w8?I?j4ajG)#3Lkl7Fe(Wd!}t+Jci-t!OciYPN7=#EUl&Gz9$ zji8UcX=UPl;!ocN)@~PWs&8*@iU;?TS@YnzDNtpN&CNH7srlOHf$4l)t{>V~6g!RU zYs^q71Mia|BdFd4Me#J>7)Xxp2ivw;q zCr_&N^AhJxah5e)Fu+N>nyhDXkK(_}2>({)e-d*24H`nt2ewEUr|pbD&C#~^2x6~6 zNIrnkR~2)D^dgzo47YfbG>8B^J|+r6oY(*I+efOP?U+oa$1rHSnf2)7`IFraVuv<2 zz5}wIGDt_}8w#!T@FFTI4y;&szJp2D&7*|P_k#Rsu2XY3BGBd6wT(^!BKm%3d55qv z9Ubfv!24bH=SQF3bMt{plL1T(QF_?i*jODV7oCoc53ne)iGF9y{ma_v5+@aj+9x7u zu>#t18reK|-NI#;2yW5={3Hn)TKb@W266+v79$t#* zhYRQw!P4>dB#~4RRij@bU+i31TDUHLNgmt7fgMqw^gAZmCrFsxFkJDhbP+Gfp7P*@ zuWDk7dF@t_`H!Z&!yYM2k_QI}-w!_<4p^35p~I>iy?j7-W87~zaz<&F@#$hS2^OlLQAT-`0ZWQgaQ_u>~HN?tPu0hBaE=^BG4?o;Hww{V<0>wtq{Ki-aX zw7b_j?>|wgiREh7n^;cgaA=oUJ>oFY@VgbZbeQ#7qd%&5yV|$rmvED;q}BNf*TCwc zMi}8H)xqPjtB%5-(yo~OJ98LPe4l%^ zZfD`KLja%D!2NfAjw+{>cQBvu$Br~m;|Kcd<@YL_0h<(Jb>0v=$&I4riWbo|wHMY5 zcvviV_USZc%OPpua3D8dr@CTg7-W>?y{p^rXh}*ujkTg^z^s$y5&9nt)q4}OBBzvE zm7FuIwDNHg2|z)&py`J;Ed~kjxzVX`TuXMpKmO+<0g>}?Nf~viUwSP112YdS6QzAP zX^>Y_EmtyGdGcvqctgi?PLiS83!i~$Z>>8E^vPwk0 zYJ|i`4@Z*FxH0BzY@1-Ut^-B2-XwjT?J=HK$?QM%xq6H7$_FPU2X;7xdi0Z(GT6f$ zI%+$A)4sO8kN2NEHIKgjnKCF$8;D&30y~>K#_78mVgPtKew7nK+E3u57_a;px@wniTo9c(X(7swYmQNN3s2T6p`Q3o4`e7cxr7Q{ zq*{)jOoajQC2$5uI1r|ja&d0EVA0$1_xjNKBK`4lRJ6iF6DNgOKNXy&IP|jVyTpHhtPFLasK+$Dp1@*#km~A 
z09g1;Lzc_OYiNPG8Kxgvv=5Aw@t+W-VS;;0-*@QaF@Umm2+S1 zY*T+3^yy|&kMkFcfUTFRxK?hB41L|Ozei;nQTr9+=&3#Q~=p&b19*O~eGsWZD zssKcI0Ha3f#^t9hd-!vXc%r0I7(T5=!h}<**cE&7Z_37N2 z41nyDv#S=~3?Kmpg4VgOOd_TaCt0oYEi3~5J;EhWqhs}@jz{f>Y^+ik=^o%8v=&uwXao!%lRzkb?sVf{BQ^AW0 z&*c+QIh>XBfG;d#=;!vSP?mo8QqnKDuz+dSZrH)9m`kIlrs_J3@*_%>I_gPKm{@V*Aj=N`CXnUMUQQ_&UL4{@9G0_X+Sr&n@ zI#8CT;7Zytc(_8}(L{%)=i_XS)tv^yz#$p5+!MjXvF{cpjwo$=Q zM-IUyO?o$*Q3`knN*Dvhke1cxY9j_-2q^w@>R@D~W$f~C8@PnQqrG!7MY#A#pY?eP z3v_hr+|}KusH9iUF~zR5tiM~rnrJo}=}3J^$<(aa`(07ltfI9RA3B>LmTvM-4UEN> zh;J?euFFB=c`NFjh1k2H#GrgU@-1{|P{KjsCyEFUqGySLT>fdF*C%ZXV@@f10rP7X zTZOfC{3Kn!7l7kMd{f}70y(4v?otV}EYambzBBQ5kzSGZfq_z<^AMqwc(ayj%6T7a zeC3kV`}^@-&RCka7!e6F+D3oj<(M{57n#(I>qAQIk1(@f84j7`v**ZiK%X4p0o-yl zoCf^TsH2~{E=ICg=Qa;_CvX%s61hiZwFhb+ScpUAH?kzw(U?-etvRh1+(vCKY*NAx+|*MQWnKxs z+;qj1!piotBa@#|qP4as%U+d6c-#;d+6#Q1oR)`DuLZOsYlLlP$%d4Pb~qlh+PNVgcl(XTpg%@8l%uE_tevz=lbId%i!*M*pRa88o}-1xph1f;6o!5g$D?bf8u$^Drudh%jP94`Wko-LwO)gA zo|l4@!NY8<3GhQS;n%9dJcVRiY z2abMDkGK?toBg)bKbI&hvS7(pyY}XIadFHf)-nY~jSfhaVnTTnwou7IS6af^CynGr z)UMHAiJ?e&VO>cV!WTFN@BMS97gu|!vI?yzNdy8G@{Qg#cX};1-~@@K8Di0_DsXlA zNYFYA&<~wY_3S-;h@4r^lCn) zSh3$~DD>i3F&zn>r~-a`ZA(kJ@EcUB7e#Q-L>iTr%-zHEUfL}byz7)a$*k*Kl6lnc zPIq&?(O8dV{JK{Z?ruc|04Q9LCD)Dw_u($-ZrCTDHH8u(!3LSnz{}7uDA_*dc2SGb~v6^VC7N?9U!816Dy_6If-ndzJPN zWOn#MUHVN5D%S$MBsYTc0cLjtLO)0T7~}_ntSA>y zzAP$MyH_|;qD~unkTxb(cb~L7LddtTiaUiPg><7Hqdto5lxoE5Hti}4Jrst5MFElo zB_5aACm_jsAh&lsLhz{jR7YH&=C6bT4JGA|dyJE491>r;m zIJ~k4#O3Yw;<4P(i2Sf0Ngd-CnjSSG;+_!QMifg~-=MA*vjV+7(#I@Yl>L8qupR>j z{U>jBTQXqH0rGNTJzy7`#Uy&NqtMwobAFavfk457(C7@|!lJ92;&D?i6~FddWO?YD zePH7nGpbOIA-wRpHyvp)*4uMXGGO81(Wzf9=@tshbxOuKF}fiBB>Md^nrbt=nev)A zfDS)bU#GUjA8%RlUmV|x#~PTwz|~}d7ij@r``>XB84DV|vje$WBaBS}`Hq`5jsL^e zS3p&@ZGQ`bNC--b5`uI}Nq6^Ay1V<(?IA=!O1e9wQ@W+QyE$~jq2t@$``-Isz26vn z=yG_*-fPXZ){Nh*JD^6O64uy;45UBk+^;dqa|6+TJoj{rSt*I^vD3wu}vNbFq8{ znJun?5aHuC(rqG5Qn}fbdY3X1yO)&4?t)ptC)eAgOs~IOcg=?jR6G~J`r(w%ZMtjx z(mrMSnmNaSHIXj}oSBLYvUBhLA(>YD)TM35(W#dFbjZ+e!QYNBAC(Z> 
zZOT>O7A1T5nSOG^8`&g#lvGOork{dMx1T74?>)(MQX1Ydh^nAi16K}N_ff)OIp3^c z-RVvs62+F5)v!5l$gXMxe4E=H=8tRs-8}?!y~ZO$G+vxKo$heSuaqw5x)iTR_+w$E zjUKgq+ylaxrp)jumI$c+KWqjKJFs4!LOyOGq0s~!2{q$5guiACJ=lUXq}}rIjF-eT z9JtpMAwV)Pyx@I+r>tnL5r>x*d^0AGC}qH$0}qdnoPrUG)yPCj>WaZgU)QTvoMp5o z?B!#oc8TIG^%0%Kr}$lKDC66NA8R==ZcWcUP!j{U9Q$9`)XKbanw)scL(eZU*qMFE+?%zTY76ZZ zIT0{I-8g~u*#y)b`WUTVaTnhXEh6x(>8&7bX7>L?CNk-TAixkt-!&(pmESupeuQ~5BQLAIT|v%C zg?k@EN2Y;D;_dcG-;et9(U2np`Op;aryhs=BlM^#r+u=1atL*1@eytdt>JX(dzWVf z!2&1RBxmfoJ5)m2X}VnT5|HHE)2nSnpV{L2_x>kkudebyQMzu*l>%3qs<9Nz-SR-4 z>RVMez!<+dgy7paoZ)gHq))oEQQ896_24VcGUdbQ*q4q zrX8W)T->IjR3(awCG2Ui>(`8k?lyRK6Htb^z=^YKX0>6$Icq9)<&Jpo>V{mbXpu*>;*I! z)tJ0TKApPL<%n%EQeN%?b`EUEd}Zomz4WcyFg!6Wnk_Oe1vQGC-B8=@=}vB-$GjIs zsM08RFSYm^qCxdZ$gLI^E+xo#)5h-h=*p|rz|Xf2jfp-q_X{FYjLWqCTGc0^tqu{- zyXi>7e*f;Jx**-8EtC>V4<=@{o}&)AH)!9$U4ptz#6oRzh<2RyX@g6l^rfgPRtr~} zOKsw<4TZ{=f)RIAt*3h5Yrr)}t?!%|mLqiDJM%5^KPNYt@*g@zBX~oI*SU{W{WPHw zJX3m9eS$>u0?p)j{4GEI&rM3n{i?^ChEr$PnX=Ew*aL`VMFl0N z4zA17P#^~(P$1rRD=9cpAwXbJ4c|Wd7-*b#LByxO)cHkXT)rDMJAgtbA;|4AmoA*! 
z<^w#A5JRgyht79eNluZ~=h}*_c{PZrtAaku?&h>6+`kahc~~R8;xHJYV_$(um2qz^SS&wAb_4X0QCN=GUbebccsh7|ecxNT1c`Fa{=$J%TgN~S)j;|{; z@qIfM@!sh8_%MIgw0l1tP&-_l)!klRiltU7JfGuKyeK$hnf-oj+!htvy6$qeDrG(( zy(a_q#HdHAn24llHr17+;siRyLR+I2QNbh2Ob4<}+UhF5?~kOsgE{R*?Hga03T*F* zJT|nfD~^1O_2U_>LY$7O=JiC30G~5K`xRlt)Q*<#`E1FZ8)ZXU{0&3fl^z&dI9gz6 zuFajl)@zbc79IPk&Z4zsZ@L1S)~F!j3om7>=7Sl^l41($=evmStl_BCpu_$b;2vHu zr@b`%m~@NHhO7UPhcNeW!{PrC`3Gt=2RhL)x`r{RP3u|4|7dew&;3qw+SNmt79`kpDBwl_UJxr^x!iK z$uw7kuj=TMnhEO(e2jV#*3pq!5h0SYFWa)1Bg%9Uq`%9~T1-HGBuA9(J(}o|1r>*X zjU=KpIO^l`8#z4>XQ>vsS`&%nb=g317C4BYAw*_Hg3M3u^{z__i3QyzFV`?tyP6oG z3i>L0#_A83O!n#>BbtHocwUG==0jT6m81_AQ9Hjnym_}GmTTq{mTxGr+~Q7C2mz0t z`z|*G+i-6!@M0w8_t(A<^5V+Q*>9_*mwFLn+@$l)gPNQXmv7Hw7~{q^FZXn4$&IAE znISYdz^aU6W*T}3w2LVbO^?!4vu&EMVUWceBHY~EALRCS{(3ZsaUt}DB?^bWiAoG2@zB1ToZ_raqf|2dy~FF((zIFtG+t!nG?D!u5V5Xg-b%F7u-qyYgk;`71%h|UfW(M z#Zo>fJ=5Z-7L6-q_1)Bp`@R#Cs^WF4zj@mCoX5!wYJ-}+-Bt^(x6O`PIvJpG!ku`P z&&cbxC@B(pp9xp7*8XWlpq(4vp`&FIW;V?@%TEG|FDC2LQ%#^aYLYQ$V*4_&h=Sh$ z$Kjn7;m&eo%~m{$9^+371$qJ!BFnHqKxMGkRnCJJGYmwPJ%JMzkT%aLn7;23)!B(mWwgrvQ7Y)0`;+b7J+uEsdRjAGXOsj~Dc zoeiZ|&9%%Myq9Muqu~sYB#Ed}0sG5YX(~<)d#GHQ_f zHgd!2=KIx&-`j2xft`j&O7}5_oM;;>Ps*Gg4|BP6HPu}Ee614@6q)&;tH^*ExK-XE z(W68FS!n8Om2V*gOT*IxM&DeO8P?~FDm%;-{o1GL_nZ*h=lw$+>oEw%%#bw0ttRfI zj9vzb&`X&Yi&%P;I!{%>{og-AIWbLNzzYTMoQX(P&&(L&3k$xX`Up8dZ0vJjTwrhh$koKm6kSB{Ir|X1Q+Egr zktu^1`(O){4N_YD^lg_i0t0nX&r6SUGz>xAUm$a~vaicZ!ylth629sU=+KE+hQCH9 zxSZt~rYRyk%=!W**NpSB;%kMkKxt9COU}-!Uom>2lnze>D>+kvK)#dd;r{ldN>-9j z-V0{0s*M;|mdtrSmV^Q^*0Jw6vlVZIMndx9OIdKM_6<8q=jUIh{Kpymw~H3|(-;?S zOLE^_Y4@vRUip?Hi>X4&y@^}Q!Obb_N@5u)sZ3Eat)S$#5Qzw!7D=N-$`i|Gj@*fBAI**Y5v4&wH;obI&Y#vU16P4^GiQ>&Y zg5nKh3)2(+Fw-)l~qCYnFp3zci4P%}rjrAp^#5mWjwrBLF z_f1>b15J^!60ByUekPsr{PFQ$-wzg`Nq&DvW5J^6Ny~_sn_6qNxE+L^DQfV2BjK=6 z*K6C7Jh>8AgZ7g%I;~@_d}>TGx3iSEc!1?hxhO8Zx}w=fS;E8HtJ9OcilJVhwQ+Vq zfizHijv?{ARk>T{vUnI#bgYgSrvlQEDo`1(P@`JT&CRXf8%T=*UmocJ!l-XQ3Dsj~ zoZ1x{tYLOp70l 
z+Hi@3<14n7?ds?IH=k4TIn=ldv}S^60}xNav$WVks_2e_3C|-E1Nc}aYmr6FY8NWC=W|oN)bH2j?|(+=j&ouLcF)(^Lp=}O zQ*TcgAIkTe&qk$Bf}1acZ9V4<8tsFWj3cmmcnx zQjt-!Pq0!i{pMZPLON}?N3-MYr>_QE>{BVZzCqzo3CWA5}U7H2PfKpL;B;0 zJtKc)k+!XpkH3?PG2m(u1!Q3<$kB?Xr^SDcr;#Q98J5fr8>U&lin?$=nCEo8J??@| zsOYd2%-9d{QsOac(=kR+U^D`Sk500*TWnG55lSMg?gy24ZyPWdAn>s17@$BQk zz`#g^*#c=XxEo#Gw_QdnZT=^?Xp#%{IU7?aZL>MXM zoUqhnJ@Z))7cUrD3SN8K^bDe><=E37jDw>sJ(_FWdyV=x8`-lUt{AEOH}%8#rmj@EXn$xxZU_Xyk#7D}0k6>rZ%+je?G{sdG1>(*tCF?Y&fB z_TDh@5_`9QLi}({3=O1Ac_->H_ruEAN~0E>?O$)Z;^VO`t@EwKbKkZ!qcVyaJ|du@+nQP-QfB?j+f zJa3ZI&7rASnX&h5XH#DLQ~ig@haS12aK1qOJ2AfNk+9j0F4noFtK_8@s<+|djfB{s z@fR`OWo1mY_t(47UnkP2=NowpTTc4@82??Qte$N4$CLYu=B3`9Uc^q_CYvR`+U=Y~ z%h^3t#s*#7kE(2XOdV$`sx&W*fwoE~k^EPY;L`#2da~b{4P-`I07jFitU8rlM6XYf zW>yv7#OA91J-Gm`h#H8su=GXI5ADoHY}Hi7&eufhKn{Y(#*~ThV+M}<2_ty91+Eqv zqp|mLj41ux-Tu;jk$_oyWv`9*&0LO5+p8xX&!mVJ6-3-XtjoZ~dbl~aCXV8w3UTQw zX>MM^?&ZJE;)RH1*Vk+44tU(b zrVtg_(m7gZ&rzF?P*0$Y-fBQ;OOmHZq9>bP2b=5cUTf_Avzw|d8AwoDpeSdIvuzz^ zlqgjefC-`|w=?aaRqM9G)3&#?e3}^Y|2}nYW#gWx#?eYVrrv7a6-szg0_<2X(XtO#VJ0{$O2yfBlCL8;|zlt^od9Jq5B>h6AEu{vj3P_7RwAVw$!BzGoY=DpDP#epD%d*A(naS5VZPyzEsh{2}1b^t5ytJ@hfH4<@Ro zX+IZSHBUyvql_9=O%6$6|;=O^)NVPaH$PD;#rMn4f{H%B>bkUZ(v2p@q``L4GDim|C z0pdiHCwS6Vi1G!4r47mZy3_Co+arjJ3JY|d_DFE0-9c35!LRMh#Z@Vo5*w@G@JTRs zp`vOMq7*ir)l*a>%%EwwDh|PP-*#6jCy+xM0XByWvSaUCY(^>@ki+sjHXQFbxgG5H zNf*f^Xorz_)jki=>VWH+#qrijEp1L0bQ zgFDInooZ^b0yuPIW!P;Zy8K@QslR${*%C6)Dc9%-LWdEZ@m(|&H0doaW>Dmn{BUTX z8Bq=X;K$JCD8x~m>_(WqB#YF3%ulnQ2EC#CbU6=S=r!FeT=WT)^c-o9_&S}KSsD+U zRYt|{1Y(x!vPr+hdp0bbvp#Rz{>+Cur2Aph`+if_PFR&-4a4rZn2^paP9M4B$>ES- zVA}<91S2+AgUM4U(&T&9rsAgSoumsSJ)HJc&OBN=Ban;U3;zzx!{fV!rMu)t{_VwT z;Y;VnU9FP<@5_KI(P{YY3oFGCuOC%En=FHnea*IR=!bun`cR~EXbwB2Rz0aiUn zmz#&Q3X~)6!d5SBXKOtc=R0{piFAtqAyb%g&i!K)_L7|;0 z=*be|PrfK>Dm_3s@wP<4!7a8M6FqFa&~EKoNM9E;gJfgSei3@nW*(=9u1rrQ7PopC zUEhy6G$FX8WsIp6O_0x%|W&J0tz{H@M#(Y zDD+pv-2Xkg@3B5TF?J(%QoQm-pDZ@;=I;K~vtuSFULYn3_^BQ)>QlS3lB=;~rj25d 
zeSEH@-VSDeG)tD^BmpAiOnk8CAo>WjBy`5D-(yPM^nxg{u~i>{6mpwMCJz+&7>Wke z0JAT)Aj}s;+si!nX)oLI5&h8=WXsAa79s6S1W`;fH+~tu{8UV;KcB$-M+2PK(+mZ_ zx4YYdY}3N^NeEQ;yr3#x9duvf5&}Kabp=}?@G#G%3r}M^UnQokwD62QT||F8Tpp_2 z(#jPU!b^lFC&FssxV=Gj0h|q80oTHTLJQA{aN7%t>w2-dsQRsU%--=~Ge$igb2$#g zpjy_2_&by?4{|A)M^JFIU=B(ul-QfGpK2K#m)v1=k6Y;u@V}}5B5Y+DDMxSP*9v&hVNtar;fJRz@yL-sgJ3G!X10kJ$>C-k+WYN89@0;p< z&w97mbeu8q#1`&^Qa_=BVQxbUNpLI z*0a<(;MHVanP#-&pEGDss~F}ql2t8n)mM7)e*TzfOh$NzYHj5&-!D|D^$vl5vqlA2 zp1&k`6)mA5QuH~FW)|H&$(nafiv;={S}ev?c^NH7`%E4E_?{>yYSji>jwn$LCEW45 zSk=7}(qd}FRA4OILRlC`c&CMP$kyieEUDtIgZJkx;8AFH%-l4q_pDw}|A&9QVMmi1uAus{l^)RgCiQZ21kO z^F^MrU>10~#-bzX|Jcgk#7yIWq`8*5n4*3tns^?lc;wiIDcz;}PXq7o@w2y&`t;a} zoqF{gp?NvzU!{LL55R9&0tEc)l&U7%XQ=~l;`mGkCk$l&^|2~sAWW@bf=lBys9*mf2|c_quT z0t7$&vDONIfjqEjs&e6Qlp3n7fq}tEi*Q(vG~;26bMu{S`CU1E&bT0xhvOmN)%oKv zDY98>l;t+WQ)uy=O$4+rMtyRKuUR<7NqRYIrMAR(8;LqF75D*V1! zhZgnPKDtLeD&Fk3a|L8$2+(3tner7lHJP)4w7sB8Ky%DE0&XXvCr^+%q7f&5mUy1R zsr@jFXjr3n?n^xI%0$Bm>&24i%U$_Q*9Wx7ll-Amr&ip2E)_`m4ZL%v7TASV?mlGk z%1I=~bbhJjF;*HgfKHw++xtj@}1**hKLD1ox=opO-l&ZN~OCtAGHTlkhj21F%2xkRT}9#|4w-U(EfQ>{TP6r9LR@_P|bh%~ZLU%saGK zmAg%#D6PYjC~^`<9sqX+G>GawP)sve~1!m)gnZb>>hor?;NKqQ?;7$#Q#G&-7)D zru#%R=P^9B{qLqCaP-v^1VG~Xm81YSj4BGk{wXD$e*F2&vjxaKRa4H_cZMm&`sW~M zG4ZZYL(<_qhOEqaf3C7I?oZQ;hY`j)H^H(QtNN4=d$=m(K%Fn|3@8njcg-@3y!(?;Bv(qRl;H!Le19*eGn0 z{vvAhF1oTh7eIM9jZw#IqzoeBC9%Ef(Xbrg%SzLi2d>gpRaO?$82&xJ+0Mipew;Tbi}B*a8_RWY7Z z%R0CkhZnMDc#?$4O+2fsQRCU_ z7Iq_+=v7iFOpI1_a!25ZPxv}^a4@d2vfm<6mTc5bM{fI$c6OLAYjV}cg1MNPI7AG_ zcs6mXZlYFwrkU!~Do@+TLzLm-88qGKBG%oYjm0x>ZL|rarruY`pkHY6@svXA{H#pm zH4w!ox*H*pW7(<8+ZAEjZau$1)WgPFRc@)QaQ@dt%gq*q_SJc#1%ov7t@(zCsZ%3S#tJ{zVME8tLiA zg;7RpxpO;AWtaW=R3b69JXO3)K4Qm@H zlq7)onVr3;(q+|O*pDXQd{A$NgXdpznGD1TKfqd4sqJW3_wV>OJW`L}dp)Gp9f|=j{=HIWoLP!_@s}@NzH+%6={1bfn zYfJ?ZK#URIvYB{wiK31!O~vf{2laq|vLZvwpLvXwx=nKj;3P1&k7g48N#k&VK!hAg zJk%IEd`l6@d7jq-{-T-h$qV#wLYxZv@F#`RtPyA`36wQbOskN`neQ)MG|>ro=mOA* zqg_ZzP_J*GL4DOyHuCZmiDk!ju8xPh;Jsk0_q%TlexVR{W_#VEY 
zp+D>U4BIvABi|k1kC5nz0NN;5R4BwSYLHgNMJ7^XJOAtJ$_O;21p3*d=8j1@WduU5 z?si?Y;0NEZ-Vp=J_0*!CUBk zqz^D-izMO$_tW{=)IiDK_w83NlJO?+{hL>@!cXkj0wfUg-5GU;i>241i_=D-UG@)td;+uKeFJzYOP$fv z_Xq(+aS2Z|=>yt_&inf-W-ex$OalYub@oN4NRRX8Cb}V>n~XxuCPn>(1K}_}>gvXo zCu-#`A2JI%ZvVCM2MF^PP7{XXti9<4KmCL8*6np_{>(*Jpr zSbYTi4+)gHt5{XWPH5HlyRZsYs$52dt|Bm+hv)*9COXXc?&61fy7d;=88Y&ssca=Jn&h^MC+-3xqf;WgpU$&cDq*u^ux^c&YMc`3 z*;y5J6>8k*$gC#u`PqHcsW-_9aLgqa^xa;}-%H@PEW?x?O?AStc%m$g;*lP*dbv`_ zGUa6|cMwOw?w(TW7qgbUkn@;W*L`A*22a7ZNVg@QQZmPofItU}3+nJ22lctBuUiVk zO^O>>MHbk0%sPjBh->@t>-kD(t)z;aKfADA7rjyM%4UyM6%S~%|8jxuy&k~#ruoME zL6gYqmfE#T;~+-#?sT18>HMP`OOQxI>+(#+CRs)h(kkLY*%~D@J%A{-y77vE({{Nu zX}rVoht(n(V5TWt13g6t?kO33?4)M8KA8;byvdC^iuMx}=i_>>EjhjslnE2qWZI)` z7*MJ?k@B_h8Or;*y{W9ekk0UyCCxLP2;{Uj8!?2y9`s}4WMA4y+uuu-pL%=;eIGSd zUPRrqpV|I8N^GHG zIJ7|NxiE0XmEOb+k!V?NT;XZQ00vfM2-h=goY$i^I8M%bv!?ZgYxVvZd2QA1L)uyq zXPE9>o=3wUH2QN&Y^*72Nt70wj`t6H0CRwHm#yfA*hN(t$mcX`E>3NH`MSho*#|t3 zIG5N{Fv$)279iGHxmYHNVpDXQZ{h~ZSVN|xU?o{dCX7D>O|lHRW$zO`b=W!ED5jws zgwg11Z_CBuAV@u(RS~Z=``LU(b4g++`)=BwM;})p%Rl$)+V(-qa9$OCWtp;L4Mm_~ z+Y{vlt_9+ybStHRI<(#TJwn0{^%&I$w8*7fS&C}J)lIB9Ff*k9Kq*EY*PCM#zQ#VI zEMhnXjdyinjj}zyj(XvlhuAJ`LN_^DLXs|zPe3$L7909jqd~rveaH?&_@>P#5@u`X z`G}+VsvldWNdGB1qI-}!nKt@X%7OKbVMqJ*_aIa}hMkrSVeOeaAX(C8SYADiM>>{n zQvO3>xy|d0HKLJbt$ZqNdlP#AzYx}^IBx%YxIv>U6pmw-#K&a~4 z&cOjqt|_Np)l2*Wqrt!g!j{P#*Dd#`K`!-*tk-cMckU-aR_YixT?+!H1ch3&w5_&D?ImgUs37%Hp=r-4$5_;Tv-! z&Q?`k-t>|-)0;LnGiY6!r=XmzYz9k){77BpWgOxZf+xzgE7fP1xlWM>BlWniq6M#I z0-hr-qxzd)Wmp|{b18_%!lw9dx3HMsagZIlP9-|(C3qEh%iB~pz+|1LE62o%Jf*a~ zjKVa3SOs68r}J$?d`G`vEHoc3*p%h+H@-qjtv4M*heDI<_qhZ56nnD%)FvSDB5CT6 zbp-qLs?<$t!;dSC@9HLU8lIt{C-^@OB2<3s7;QO~%VjZD_>K6!^`ft(gTy@}*ct1^ z6sPK&=7+n(UH~byW4F?zq*bP?vLPIdAIm&ecixF9psfCvtdfQYq=mZiM>+L(uP=sD z*^RL2_$o{zOl12pzFbY{*%zj>u7>?vozi87`1Gb%Ov;7|{S~AXw}9}u3lqGz7fxTJ z2qcP+wxDz`EEtSNTo6u4jcM1KhW77=t|-0vpLz~a26BZwT?C<}IQZrLzos?(6kdD? 
zt!I;Hn*ME_lui}8bm*G9$s#;=)i$!%@_|*k=RRp5h`aFowcPFvlnZ&=P1al zC-2YExVdkwi1+=D#5I^5=Qh??6;kNOX zypuJn?8++b5%=7d>6488KUbGK)-+%Om`~o5?FLC5m!W+ZN>);MZ?@ga*fLAac z!!m&T196i`n?aU|WKgyhOfcT;IEnb%^7`~PTqYZOim@M^KH_(pug^_#Eb@^w!YQy) zJYRzHHLM(l3Z0deCZGIp8E^TX_2NGyP4j@Sa@j0(`ej8{Lk$ej{+cr+UhGY@T%SUH zXrHK7TO;nEqgj<(dqx3^e!<p${P=?GVqh?gB)801) zlR+sUHJ|`CKS`fxC}$I9_r>64;MQKGKd!l0SqmWclnN!}{*K$h;CgnP zyT1N?%%}2VZ-J8Axrs(qj%R69)mjbz-%+Bk0I#mFMq~~IWp!)1hJX(&6GN{>YU6#X z#q4}Q!0B|Gb=#ryz|U#78da!MEf%`Vgx!77v`Y`3`9Yt<>IK`qC|I(dDfJ4W(<+w; zCE#UXUvgu|S*4&DK8EOl7 z3{Fl4wE(N9`s?=&rW{-e)mO(}tI)aX*&nS+22TIsfq+R9i6^!`{9RBodyKpb`B~oK zw82Jy&0wJ*@#_#VA>Zg-*Q+|w(Ya{P)aLn1w7(r1AOK@%LiiADmi1O&dMA(PPHuXrTFDULm4O zmh#R1@f!0+v$PJ?yu%fxf|5FGZozW@Uy!&l2Sk0#rZz!2@{zk_k=KRi9ryLYaupZ~ zowJ0)mkEhK%8kRNrN~L_gxTW&9YeATwQGg0Z#MfVAFdUcnYn1#HQl4pP6D=ousZiBLo>CZrpWe?rPRda%Ng6-ul$~0IFU#KG8M13)*P#3%cy^rc znM?;U5&oFjSx94NkD>aUin^F1g?Ofsm!?TL>nU4nyW|<+w&JlhdpZVtVl9K}+q9HB z-8_-Fes|B+ZdI6cRlvr`8~I&@GbGgQDz{Yl_|!OwT?-zX)BTXfrSTK+O2V>w7FJVP zdaDvXOMHn@hOl>eEyN<)!1j#ht_uR z(p1yi*X+d=X6cucBm^||9y9uY^%DMdwfY^L@`>8d+m zky4)j#>aBHRN4B2(dqpmU*VWc*bKm=rolfR5fNV~i_ueRbL!be`shzgw$+jB?5ckt zU0lTx)H=&ph7(nP_+{9zWO$nKQk*rtBiu)I6_QJw$aZLXUwrZ1)HhoAP1!k)4NsB_ zyzhADriS@ziGnJ6rj&0I$VM_|)5gWpAL$ce2T1KTuOiL9U6r0F?#7PaBiu>Ra#Nn# zd2);iRHZX?4>wWFj^$l)pshTW=|k6QWX(UM9ZY7SwAXvFsgQbK*l@^e6Wzo&)GWTFCGsls+JVAa{*I-! 
zZ`N#z(%|lN=i-2rD=66aEwgyv>tKKFl=5C~EeJ`!OWjvQf57`hHrghSt%qF8@y-&q zwPU$2`tm5tO{7HH#yPB4WrcA@Mx~ybO{bDkwR3iMHanMl(w252sbawD+2Q{FH^e*p z*EG&G6fSj1!-8@)^0|vPujiUN74^j3O_isx7*R zF%}X3+}B+x>lto^e$#e%{rqBO-E>UxvgNcI#$WI0Ag36!DN0$ zyg`g^Ab=PeI%hp%e@f32Rls<6$iBWq%Q)7&|314+B{v>uf-R)&x$mg8Uny*(A1zBg zfc=I0f9j_w@*an+*ivfYy%HK#oL!>-w;1&OE(<1!i?Nv_KKE z;!(pRDKZ4ap^)g-!;fk(|+uc5hnOn5=z4P}MVZ-V8G%p zK<`lPgZ0xQ;!*}~!0k`%M1Td$c1)^(+5oUD5=8L-<%yI?6Z(a;s-muG=YhXCqg$lA zDu3}A`KMO?Ypi>YX`17VZm2&H^xs+lCWlJ81CnW1PkByGKDeGwL|$99?UBkx$6#W3 z9$6LTG0Z9k=Sov`i7(mt_wTL*p+{?Db^dMJQKdfW9C$cvB4p-Z*7jNtf4TL#48_{r zJ#T@GtaDsjW0Ef1y+rM;7P&{0@lKRW3{c@P?Z}5UUOtZfhd_S_P=7AACD8uu$;oam zd5YzrP0Gqz7pWq;eaWk^zbC#Ut2@=o0`{`4T%1vi@=`Go`FLGq!iAX^CxAF66@iBa zH}Ue3`Ke3RsyYklpRigu5XF%Oo<>uF82zbsLTHc`4cJ5`0lzJ77WJIc^XxsImykb! zS7WZf6k$9Z`pd!eDDI)E`6HG)pK`DN?Hh~Fqea5kuL7m>+gjD13vnfXgQVL9=FXDg zmUyKzWi4bLRy*#rQ4$0pO4_F)7!yOxafF`(wuN2BY%G4nlYhXRm0XZ9Jn?m%rmG;d zaa|)BEn1ldI&(RItofqtKui~C3b`teEQ}mPOYnds_X(x z@KtfjKz)gqMk$p4)yDoqJBS!&-ZG(yI{Ir@NE}e;@OS;ZUl%?-rag$yh{>0v%=~`@ z`p;mvA7STxQDsOl3Hzy|$;_XJ@=X8`3G+(=s-s6p({B`RM8*7>I|00?16i?D-He`3 z6!2H9-gNVsTMumo=$B)fLQX9MJ3yFz|!E8ik=idGT)EzqYnde!#pm}I{b zpg()o({vXA9qCGqk$ztkS$|NYM7qBZ?|*zWvUbv6!PvXavZ=^v85{C?vUfs7o8sZ<_Hz1Y<4;XWYui*vZ`beY{Aa&}G^WvmX3YLVMBDr<6-! 
z?l^i&?3HRcTRKP=*rO<=?S7Z0S>{O(f#enXxyy9l!x#HQ}v zJa8MH%?wt*owMtpzWqUKdLv{0zVo$}U7}^s{J-%u!L(Pw>2CqI>kr99Ihvy3nC*|n zT|bIsGwxXxVm(-2jf|SRD!KaY9;Px@FMxe%zDja}*Zp`dZiB%?S~gLwtt6Z-TVD#b zDx`2t6AQn|^FMe=tHDIKJ&n4^Cny6EB;`QHpLXc)m(Yo!AJfXvdik!8kO zc!9$y)d5mURAr^fh1p{Z#!8Sm?3ii{lCl8yTUOWTUjbIvjuy}iIY!T;^sa0bev2~a zCAiwPABhfn38JlrQj68{MrdeIKYp+4j6FUVvCh>L81tqf7C{nMz0kG(Y}>2(Zi=%C zQqWAKWTWx3!TQPRW8~t zh-afwoPWX*e@b-xD6Ld&VR$%?;YhiGh{~Hw>rQyg%}!$5cRJX&{hM58urX6s>X7+h zS%k`2*+@-QiD_1u&!(Z5scF^kbXet4WbKJx`+?H1 zp-&>PyMZTtmFyELa~%%rTG9tE_j1PUtV~{1X-;(}Xvke19c7M86(^mvx}`E=L4TI8 zTJl6x;uUkVK8SJCMP*m}B$FtBC%F6~U@l!nBVYTwF@nBjx6 z?H!P(oTvSaHRGc7qft}*E`%azMk0HhJmccQ*l9l>DAST%2KDnv9z}XIMsoUo&+^DK zC+YpC3`Y^^NSv=@2{S7xkW)X0+Y_pARH%VhP zW}7y)ZQHidsIhs%6F0VXV(Y|4zjNOY@Av-heb%1`&)#dVwbz(qjyYyw-qndkKB#=S z5;z2?&6|F&S6ys!jKF)i}5nG5`Dm)93B`yE?Bf8E?~a?aPaRN!x>f9O~xMXj_akT45YD^>I| zQwK)`#sUclv~T`nYUM-0G+zxwpi3oy5VU`Q&yZ7oG&&{LbI6u=jo4psJ-Gizjdjgx z%_gIcP4t+-&)JD|8IVDHIRayW+@2v|lF`Z7U(Erlicsxuqgn9Xk zr?4|2&G)quR1i zVXO?fL_UPjL}@gkCHObi6Cz{b4piC4M48>n`FAFcJP;nIOcbv&^d0|svVcXV5SjA7 zK>NXlhWCQ5FW@_@N3eo@Pa?Gd$ z&Gm&CO4;HT{tTzc(9-0{$t!eYXh++ZxVcO2r`a-5FEU0$sj;_~4~$PiuE@%e1v@XX zIyV)7Z-@2LdQ~L?ndBY0qrNw8 z&rc$!NI3rrH^X{{EyTm5vYp{p66;fzuuSE~{-4$~&Vwt{5oM z6kWROoOW4JS|0DXn|wBz&HX`1{{YD35Sw#(>#Iq_GAEhrZB#3bD&+qO6-2GEAVL_8 z=p|?r1*Uz0@ahFGEA`couE*@zZYz>p9fR$}Cc8CC*~ljK%SWnOOplLz__hy+xraG> zkoy*ugiT_+c&uDBY=AI@EE=NZ*zqz&QYbGjZUz)VR`NrSkhK*jI$@%Rqwr@ATe+yI zTY2%!*LD=x@f`%QZo{N6BQ|o-M>%))su<8=qPcuz8rs`yORU)J>=WgP{8{q3SOYh> z<3!rsSBS%N7q7CYw9%lkx@k2=8oDv9$GJ8q2@-dliz#tqDjcXji^`}|L}ZGqcaFQC zyih#oG^%-Z@K-Q=+J#IDEaI7jt=N z+v-LWFKYH(B*DhR5W&Wm5cKPc7ShE}i@(4bAh#z*#&7`q*sU20)cE(ctLKlNmrub~ z`}V?_L!oV_C)_{K&23Rk2eJc2j|9T$HCXg4Y{HNmQ2%>J{_l`|`a3LRMt~~HTQwxK z{C=sS@lSx6!2oM;k_Run@9-&~Oa7mqmeB-45@#~|b!qA$mj7c1|7+O+AVGne*7^Kw z5R>=3_)S$B((XS~1U*$$D!om!5W2OAc(Ofh5c%J}U;u3;4je~yVCDz5HSG$KLNkDujG{O4bn 
zCG~thW`soF5N-JRCzZe-j5KWB*A+hdm77TrRC;_AFzVoq+X+7S+qo;Moe;Jl~3>8G+-tIb08GVqs51cgMhKt25D3x3(;?xz7%Vh5vHN!ZvP|qmzDLw%vbH@UmIQHTlJ|8 z-&e_aVj)Ht{^DDfhYbdZ_8T%gr$F}0s-Nv4x35w-6B^78~8BZqHokmK~8tl%qIGs%${`q(; z*aMM23(e70>Sz=fr$}g^y&T*g=ww1P6#!f%899RAfgKQ<)#ceD`_F(jyMKEM~D z$p2li?YZI{J92(fB}*0YpZ*RI5)bi*5nokr&~KJP;!oz)4uXl}VsQ_MSBE<8?&+Wk zIYY+OG;@6qS#&Z1iU*KqrQi)Hnjdfr>~wB5eB;-xqTTtO0$8Agq)|pAcX8*4r)c?Q zPQ-)a#UA{DPG`ct!UOz4gtHcPf z8*!?9Q!g<`I%p@f3C1&IjygF>T6yvNjykiaf4Pd4pS`ELPoY(!^d0lB8J1@CVPJ41 zx3ba*&L~>{T^M)m-Ek-eg$rFycq=L#B+FLIU%jw{mnM7^r@P2+l5*QwTR$E7XRQRf zGMtZDYfh|nadPGj$9?N>Erf67{oE*#E%st%&!m?gX=bO7EMR!fRQX=?!_6$Iav+_y z!KH#m)x5dPMp?OqSjbDTv`C`AzuAgGjTMa_82q?5Hw6*;>(C7;|4Qi(j~{z|^1Xh< znUYKQ+b}xMO6}dEId?xQ^Y`bbJLfz+MfA^{PHr2$3(v(JHwbM`N6d|p@fBdDFe{MH%anZp}++lpF2wiuY zD;~2=(D|E`nkT`Clu6IB0mx1t-jV?}^`M~xjJAm{oOy8u_FL%|%{WC!*+`pv7wXOq z+$2p+Y!n2pcg|0f_I+L@@WV#7Xk!^I-tTZ;bEPFTLWf?MCb3nj4#irP;O0n(QswJFC*D@>k7d zw%G|pO}??*<>PF>)+h>%cd?h=yE3#pJmNr2wxN@)R+IOsO^#~yS{{eBYYjivjGXTo ztnsG+!lvRwR0BHt%0FsHI6qEt1>i<6mEEk9*tWOsddTh$S63d6fxvMkXR2Q9{6OJi zmbKC?if_`NwZ8kW&~Gdp1oQtaq;7^35Q<+cvl`lLgBI`Kj0N#}-!^jTw~n*lt96<` zh*^OX{^qJbjF=0*z-dRitjrFi4FzL}utMrUXfFJQvYm0ere0qNOeR5kZEwxld%Y0B zT1J<@$Ns(T^@2T!&0b|}XFuJRr6Y!3LcE$9nTpQtdtOouq~+W4o#((=q$Krs@$kTD zlBF^!eoS!ks#vVPi%2uz{(3xUI3dSVI&Pe?rfT#e zjwUsjt$twq?QPJmsp&pdC6mnFD3h&Jx!0G_SB{HcFk2$;`zU$E%1a6>q=KRNo`F9u z@>Jhh4=-_Lx%BhPmxd}~I4QF2Ov++ z+xk+79+)karroRDS%px4&0j_My;8(@PTtn=)6cE^KYe|KKT!;5&`o>bM%_8?j*dqk zY$tX#s!X%Ke(TZA;o8+sv(TT_ZE9!1GN1+2+WA8B;eZs{X>+*tUH}PCdZRvbkxMbh zs#U6%{6IWBixN=xm$<5ph(-fbh-&qf{u0_ zk12gCp3gM=2kEL64=L~Dul}sH0Ra>9oG$1TW({dV+O56G(H%bWhUJ*R1z9>}Bo=OA zNE@Sn096S@Sbb(2nJ_(CK(-pcBAx{~lbPf{W!-mlDuLT9U*;NTp%<0-s+wRSK=GgV z!F~=4p*tE%QRm{sx|+S=LRq}_W8H(`2Lr^UN>Q|S}p4) zbYR6@_T>96L{>cw$bTU>h3*a$q0Vx8;Z+IN!MSYQrC6N{Ke<3G`M^9 z>&usApkwfO<{Z~ZHx{V|iyMUfvP zD+Z}BWB4rw(?pGShZg?r)Ko}bTn-8W{GMyI{Pf*aw)y75+1a=s=1D3MkohT>?hCH4$8p@$jP`wJ0jDr4hJo8Mj}i`AMmzR$-5hY&%z z&v`b+FyxKT6n)FTm7Q0rl$TmiU5%~0pG*QU=LDomGX34p@N~eCDM)l#` 
zl4UMZ)%>>bEK)&_r2YHS;sjBOty}T-y0>031l+7NnS@%HX9aV6zbveq>a`DuX~da z?G4axDm6`}>)0?qVx>UmQn;59c>Uruu%{ zW}d;;II5eMk_-6=SLC9ffArNAOiXpJqVIZ}W#L=--TlR9FGHvNjY3#CbYTdCgpcyv z_Ix$GYSicQ<2i~esI~!n$-7rB^~qE|ooBBr=6$QDx3HP9o#_?C*9oaSlLo49p531K z#LbbE3dE7nDcOwa4pgYwmrcsAMP z1H*?D3G=f3ogz;h8Z)svnC7V250rsLuII3I|%0+mzR61%_zekS`B3wxe>KqwbqGJw{y`dwbDt7^NLs5G$eYn&!+A9qzB0r@KNa|fTL_Eu z%y!|c@v$I`b~FAR`W}(Gz@hbeotqK}ti(YvU1#ysONSB>7qv=f=S3;9SJ&YjQvAhU zqw&)<)*Q3*_T&_NMMuz1(MPZKW&07yu1vuL@_UDE6uW#uUeSjfyvkcX&OlPnJ@N-g zKBzrenZGxO3J1~xK}}64o_)1t)3y6_u4RPVEVLBr?WK)^5;nAtBKf}WP|t;6f=?ap zIbC0OFIV#ss5Gsv$Fqb+d=c6Yae!+hdws;u?91_?YpV6W4^;=1)8*|=3cbWA8P-`W zMYDB-vz~d7jlr2`fwOrd*MiV1)4c{)XC(^48x-S{-acL4-~n~eR&THqjtJ_WwtPAt zEIVNfq<``6xe$qr5|-uuRA!9E!e6p)}d<#@~%fXXvbjZ>Lm26c+??^!=5E;gCibfk@#o2(uKJ z`ixP@B-iLdFRx?ZwnKgFL91UK*Vk=!4)@yy^zG`G_5ti_<6Jicz^zHax6keeRdcZN zUQ6vyZPy0(q+VyTExNd3ZwR-$0*Z`}idYl^xaci5>nAFL`OJn+x)kD@z8J!^K_go3 zD>MZ7xae3x7wv}>)z+X4j0N9UE)l`kqvW{yReytPhEl%6yc{}Wr@y`72W=lq71Ryi zs*A_gsW_D)y3ck{a*)DL7wxCb1wHEMl^Vb@5?_16DT_DyC={ONrUXmBtO+pvp!xuL zSi7)>9@XQXjb^zO#!r!@`0bKO?q|#2I7_6McmU02AURJx48iLVfn_h1p?UF4{YgIO zFag)+`F1AqqcKRi(Qz2Md`gaSh^&a#!Gp>dpSwF=C-H4z&opI0fapPd`qu=Kf<6jy zh*LhoCU%JsYKL0{rTyMzJ4(30zAuJg1@uq-UcEk1tfV-68l|$YARr|E>NqsD%ha}_mdV1SDXSkMyNn5GvfY+VPF2^``c*T?3mi-No< zu2W;3D+Iq%RhfV5bl#+69C`c}d>r4UB|fd`y8hjc9AUj!?T#UQ-D-{Xtm$vTHi(Xc zetfeEAiB-rKMs+#i*LHCr#pxy?-1|$xuMJvV}2Q_@7Zk>J_)H+5u(1KzS$peo)oDH zl{i8|6S!7_ECz-zVXLYiCJ=D0wtA)8$JjEf$9Vzy+|sJnP_ZBZqeSr+EvfDYBB z$0kW zG-IaFMBAVCJ_>bi@jZ-MN1Og8&0p<+dBLfEtA?m%@cZAuVGp`gmP8==S|Io!8k6t) z27n4%4g#s#HBUK8^mCNZ%xfHsrn$tTIlU>MuB>4yU`yc zo_5A+BQLk%3_@T&@8sas>5R8s3L1(7B@?{jaZ7knD+iEcQ!RgKtYNYHJ>RT>60cbU z;X2&t@N53nz}XgG%oz-Kc=Wi+{5eQ7-`_lkgNnJK;T?)d;?7ZY=bBAKwQ`}O1HV7C47BN?w- z6HVn47Rr-XJtgF#i1FZ46>-JrP29>|?oRIdT6rss5Vv9AmSyT)0&M9iW}ybJ%b%vA zFrR9646Lo?`DG_+wTsXGDOYY8yH%blzg?@jfCc!tW19u@DjI?gjA%_JT zAxT-TGWw%&cI|6MIk`DY@$26z4e0(QGy$C|RYE%#zJ`+I5$6(J=?9ON_2u8nN@7`gY0Q 
zLLq~7DfN+`8p|sZW>+ePuw*y%>5?1E>m~ZTY5Mr-cr3n3*aLp=*|RmcAkL)VZqu(VEJhzosy=pSa&f_2rIyXNe8m2@y|wJbmfnHqPtJT`$N8i; z9!}4Fr}vtXYv;4-gVW4>3!Mp`@A-&a?(aUsh41Fx0@E95?)^Rp+UQa6CV5Kj?5hK? zh=gm^Yb_mIU$f)VOceh5sDIW8W&LtEE(l-UI1WE}KGPsiFJ zTTI@)g#EyR9LlPS!G5&pVNiPvK%A@H31jS1+1heRoKYnnCZx+NzH!W@^v#x^)frL? z8mi5NLwAMG6Jbq0{%kJtgynwL$}yV2US8|ro_cF*S&A60vF5-%n4~j)ju;A)r2=aJ zYA{3Ycd1e!j2CGmrz76M#^8z!HOW(`!4P>4acxwM%l=v^Z1|dybTR*%H!bRPLuN_+ z^U1AoGa{=+K3UGg4?Q9x)A8{yrWIB`hN9E>80qG%-$7?548%NR8Gqmq19xD*dEByc zt|Xvu<7?gMIPeW*eVD^V{=t5M7@AB+LN_(ZmBns$3scga3w022bvop^Lz`CPeExhl zszbtUQWq@SbsZIb$LDv`-Ib?Qv4ohQ4Tn-1Dex(6eG+k;;vvRGW@%0p z*ii$dLaVvV;^L`#`M{O;sG@{*M7`@RbirX2dI5uHS_i)Xv%(rz*1@TGdWMI}bXQ znUtCwSMq-DR3M2A>NH4HjpLZ0cWwc>QbmH*dsv8o;xpnN$NQ4MLvo72nV0OrUsw7B z|5kYrE~tJ1(FKv*#gg$hAH4vSQ`9{s3%)EI(q1g%dUluOeAW~M0Fzu}S|O^Xdt_fy zn6C_uS0EHz2~ymtKvKM-i*uy&@wCc{GKUQLZ^yFI+TSgO*1xRh3cdX7h~y(fL4(Eu zb7>IROrQl5+D^J0=Gf1! z#Ev!G0n?B>q*xGRab{c^v@TZZR^rer2n4vMXvk~$dzAIr%?KM)JdG%}Sm$9r8mNgw zVT_TVihVGrorak}NGX8cL$shG3W?mL-mlZE={_ai#tcI|9S73o&5WR&AAZ~^8KTCA zZ;B#&yL>T$PQJtcohZc-$jykF-TZjyIvbh%Ig0`fGd|(4U!5~d||O}Yv05#4qZATX9*e(Fata9FjuPu146R8 z+#4%q3T6^!SAF|^y1Vxv16>PNP5RiM!H}sh{8G#a7Tbp7UL*V!?Bku6I_G&DV8ISR z1MM+tJ?lKzC9^{|d@Z=^fda6oB;**y9+G_P+tU6~fSp(a3RAEC%go?y2egE1n#EGT zE>4u;AbymT_q8KV6QXf@70`=>cjP4x3st;qaKS2~DqdK3Fo0uIjqTzMVbdMZCBUxP zYLG;?PF8h}Xy(585V6K+Y+q(DY-7lHX+dN;bTU)09+iLt$LCvAlgE`QX zdZQ;)k!sLG9z(oAY$b|wKTurkDYT$4&^&zOw;VO`jk{|&u`s=cx#@B}b#puxz4$h>vPJ&--dj=l%V`Itz!X~lvw!=chdDy zp}x!C?f?q?`ddM|2qJDhDWo2w;aX&-FW@ zz$>w!v-27=aSBKbukZIgB-(rz$t1@Kgi%M#KzDZh2C|Zh-}q27#!?X1s-8TU1^C6DOZxVr)GUd-D)`YNDcAnn4oM0_|T)+g*X5Q zk7h#N$fb;?|DOYNg{C{yTbKt+{NY`Gca@_@e@&Ln-2z4g&HE54GQeAFm{QD z(b|&?bEk*TFuLf7R6_z#!4dMbP2E>?ylr_KKGKtvGTuFnkvM{SD>w9C-8&G#GvVFu ztGp($;Z~b}e70!`u8hw<8 zXkrl;>8=IxOe$5I+gF~N@}1@n!u2t~$fTC`iTN3gyF43h$ZyidH+|QA9Hn1J6y1+X zRMn0lU;(lD&MoC&>$xl<_ae9#mY+!xZNpo!rs;Uo2 z)Xqg2m8)65@ig#(d^FL6+%dr&o6i?yt?GLgfo?NWi$$wGv+8vtq$8Xwr_d;@edORn 
zL{nx0#7&XK*NTTkAWU^8|26w8{bQP|hK;ET=w+)A+}-^mfhTi}aY0UMZqoykC;1`% zif5N(_x%k+xMVcXQgv)M8-F^-f3+*l)LYetIcv$E_st;c2T$+^rT+1#t>+qpRcmJamQ$uNiFtRp4UF;bzz^lQmNzqMVyI)mcB?rf)dEFc*V*<`-5|KT)&B2PESOpIu(xr!-nq2>om^pl?Nh>1 z0wb%%ntS(Md>gTM2!rQVuV?#)ag;@kbc8lN(I-QeszLtX;(gX$a0H`fo%pcg9n?@EjLoNHApU0KL*mX3-9d8CWH#MQG=UX6U z<<1KfDdaX&d4GX+c7pe<)o4^9UT#GCF6vgsf+=8u>F}4P6ZV^r; zzlZ4VEOoH>O2+<+Nc)Jc^V2|k8WB7(3Ja^#J~X}*PjMSKi-|am6`E*C@NK-&u7dvl zgdyf~<8^GQE6JKNjh1Jz{qQ|}y)t?u;R%e3)#YC1ip7MqtSc*OVAfa-d9RODBUDrC zd(RmZ7@aft;}aH&ydJaNl8`Yj3TL=5Yb4XroR+iLK1X1NW((Gg5sZAYVJ9+$w`)k2 z)U?UAE52FSdH%XGyvOAKEZ`|AMB4<^Ou_Ilu1f@&VQJNCkg=Vf$-zAm3bv_yhrC|8 zRbKmupwevt)QgFKLwWm1$PD8Guun_0FPu;$DdH<>?x^a}h2(gIv7f`Bs`~l{lTfOH z&P?RCd_$$jaID%=zT|3l;`VMa6ZK!2Lv24~|Gg7hN7(+=XjT#QNK${#sV7k>aQtml zi2E|Bwcm7sXgEe7 z^4HQ4?-#?VCu@@Ag|j5ieF<2~+|>0RD{JiqeV1R!XS<%iK$nUcYcO6CM1dKLL%;&! zQNnW1+U_IvJ9=9}&QP3Qr?yoenmj_V<1YwJzSFY-H_Gu;8B}`bLfDrvP|R78N`<0@ zQh{Xaz~?E?Qbdz8v&H!%-DbJenM7|v7?6J7m19tq`haf=OBGTKPSuCj4A+GZ6B6=p ztR@QM7G^7d0s?5Vst1@%u{{TGa#Kh&;b4T{t}rUZe{Z}UdNvJbWvi?>KF1_WCVa{# zg#isQ_U#GlI+W{dwO#vhY&YgUhdt=gDDxO8f zwrS-QXB&2xoxQIXy)X!3vF2)1qWT^!EbL~3u_Wa;n>>~xP^XiLJMj9)*vLnH;JmYw zh*LpSUvt=8q>BtVH)69)XzQCSQ$DzJFC`xRT`ui?Xrewr%D!!~zwh=@W4pxbm{E?k za`N>)OI*`R`z?Db8W}9vUKG=rrI`4Nb%sqgTB@vd-cK)I%i7L%R!-uCrD4Y*dq_R7 zz90Zluj84zVJ_S&XC2u2NhwEIk>zD=U=_n{o1q724^3_9Nmu`4^QFhQ9TcwUY*UWP z`ioxg9+s$O>jY)0r`<&LNIM6>KTDe{`{>t;6NmNM0LY73DsFhfaP}w6?{{VcR%|%8 zYN!_`ppG589gdu8|C}pul@`AqbS+BBXrV;TFA%qGHdEw0rbN6(T`3Cs{ykU{i0jgN(aN4t$#D4Dpf<~QWms5KK?Vu*sD zgl5%#d^Aq2b2`&ACxI%b`&v0jEj2BxM~FmgbhD(-OcYM;va*NT%7ULx)MU*Z)Fp+# zM#hqc(WN`!jMBnVYcBHR(%ZV+0<@8Uv<3rpN;#eXaIvQUdXr6@J>K&gN5e? 
zR_p8cbCgOHMaOv*Oim~s+J-R)3)Od+-ueutQ za;_#HxZ2D}EXsTM7k3Bdf_1qw&6(>?DS{BQyXU#`QH@9qJ4plI+4YT|xR!*3qoIw- z{EW(eWFNgiGAAcyk(2|A^l5VX(ca_z@_V`g%7I|md!&4}v#oXQ5L_MuEjl9JdW9mL zo=>%}u`ygI8ZD0svl|}}&h%K~>1|v}%^f#O(O?%V3yVa)yY=n~nSVqgYOUM#DDUZr zz>e7`D$U_v=u~&pGwu8`g}XFVa<DVC3~Yw5>_Mi15$=t&LA@rXz`jBQjyPmZ0RZz(|B*=_xhK z&-T?^AKxv}XuG(pC{&rXuP_hDpz%1obU0F40m5ARY=;o21LE}W%`6z9)$EGqd5w>m z_B`NR7Vt-DRNVBL*mlvk3MST>$V7l#r-^upJ^mx@dh(9=C_kA_UPeSlNYQ_ zFj30A{29e82u(%9zyIZ`0a1rui4lpN+h-S5>cf)LN0rf-e2pN@0-zThq0XW;l}`-5 zB!c$RE)U;b5yQ#qeRJz102!vwu6`dHJk>fmM+WIEbDJf&I{=2cMk36$7J?ba1xK+o z7|yY;`}s#3Tp{!B&L^AxB4Ysi%l~{K^Mk4W;XOSo!cwDkW)|fTN<`5|BcQOzRcDBp zXDn8?yJpiVdE9>(pu+xp92&!5cxc3vZyV7q^s1Mb?;;Xzhk--!kYYof=h8sn6~cXm z0%7Rk%|>!RAcl|I(tr0@!Xm}GUv?N0w3GuN^yUFfZQA<>W$ug?=WInsBI@3gTK^b9 znfJ5dB2-oOYr`}9S*}p_HhjaIVDOQG9@r6j5IQS~bcc${;ND>fn61a&=3MWxs?jta zJ|uc9Lir3U?)l9>_M>4koP-_(ynnlxRyohH!^}-DoDdy4x9^-IVBlJ}ELf_JD z;-O;?7QADvs?Ov|+*{DbD;k z6H1ru5F4WwwLpmPSwHXI!bpvx&F>zg9XZ-G;J9nM!Hcb)sIZT`fxwINp2V?_+J|#Y z1wz}q4*w^qOW%CkhDW09N-?*bpc%=+vBen*%*Xkhn`lgrRCci{Z!ew2(w+nZjv{}m zcs?oaqT6HuJkRp5^I|5~t+vY4sF(0grp|$mgIzAW&IM^cji7UyJpwq4)95G4@MNeB z6MFyewb*Dtn@Ufo<=*8szv1#*Tf+;8wVv?G58Hu5WcT(Xe}P7p7fB}Oa!$h&jCkStAKw-gQ6>?!MUG;aPpToDT~CW24PPJYf0ySJM&FRreUnyN9~EybisaF87(yD zl6l@4hGj}sSUk2l6CZ6Jf+RIJSqeqCse!x9H^(C?vjh|Doq{+38?tw+#lW70rZ)dm z1D6RxH0+OSmPVcKXXiF^UPc<WyUQT+UFY-olsdkaol#2*xJE@QwWJR}%i z^{qQSHvdDS3fhB@M7f1K%&CSB+^-x;bcYV@rJ@w9n@sd2@`|1w%P{}dhgpdF(;mw6 zus=Wv)|#8pRLtEGj~K$xk!44^s)-^>F84Z(^S))|T_qTz9e!PT`>0h25{4v?gA|RV z4RD1Hx`u)8evVYWKXAFULs(;;go7yNlykM*F(Mp|rN*>68-Hv^e9!W`>;fwD^z>Id zg=)MzGMP>|7WAwdt9}Szsa5Vkjfy5oq=4rtE*40wG8_{* zCHVIjgHCW&=A7&6ja_{e0vjrd#{N|UM3$r*B8}2I*w85WII+CO62)Iff>K2GP`Y&2 zcBz;DN1Qzb15!+fpKBd=W+EVd8PEeSUPXY`pXGXrSDGE7FEwKoIAtHwNAWl)u#}oQ zw0IvC53~p;$0b0=5Ht4jN>x~-L!3h|tOTR=*>HFmMnUO*j%M%H$mPTNpT9Ts zmM~hHAy^w+tD-$Yq4)UkKotY*eedvN(HAV}(Khtr8`r%oZY(+l{>gJtr*>#$;&oSk z4voS2evY}3d^l8JQ=O+|p~508?G)D^Y=~RW$Z?U8B184LU2?%FBB2BiTs-Tu|Nr#@ 
z_@YH?dx^};>`fYj)?74n?(T$Tm}75mgonDMF@d>{m1XT_Wm*Oi#wd)H0wJLTOg6tk zXMp9-i~H_S?5v{iwAQIo=T1#Lrapas6C$4O@#iZ4K&69Esa^VG)+yrZdT#X^3yVkh z&xn$O1cHPPaC>X|=95|FK|bwzu(6F_3vd}fV)bV_9=0#$zNh%;0vo2RjJ5y%Lffju-oYcL^Pzj6v@3 ztcAehbB~$2HLA^IK$p#OtE`2v=;5=Az6Gy0Y6vod@JJwZKyxYYzRY3mKDRT`EBs<1 zpf906zV1Dyc?KQUt!myT={r4n6MJ5WGruu9{}C6~Hd!&Mpi1W78AKs27 z+jxt&O4OL$xG+8Md!Cl^Pt^o}%LBqC>k4ztYh81aLGbg5?@vTr4Y#Wwu7^}IpxL!s z6Rr{$z{GA5D9DRgAYMjS+mnj70bSe&jf_37V6$q=00AliZKF)?Q^o4jqw(uyc34CA zEDdp{_2FW!HFZl}3t_B2N0C2@B^_aCl)Zq`?~`FMqTc2a!=d-7#9pjAA7sRVF2ynI7;Ykp=YiJ|BYYgi3olC|?`y*W518 zMqStzc|s%>cMPldYw1E>$h>qswkYLp({eOjdKSZj+EVOAg;ClNa1a&k z8c*-exVbfk~!i+AlI`5s=o0w;xSgiD!>cDlA6#^(>w?MjWJYU1#=SXt6?9uU( z?(S#%B>mnLAd}!$FrhJWV^->EH&}q6gxG-JX1^#(% ztIhr7VZZ#XfiA@BVp`Mw(;aRvCjZle+-LK3!CP3U5b5dU%L)Omh~w?)bq=O8Wo1lM z*Q$tU(b&21?1-`IwqUCyT8PnaB94aXocLuW z;^5Kj59%F{clpkEX+-&5=@p6or;!DXU~>Lw$K6a}Q$Igdy2Yii58GXl4p+jIei{`j zQKa@V#`6um3!ov$LAvTTlihsg#6ZoIUHLj@NYMo=YoJOZf_;=mr()VIoSIv)> zZR0xve$0%-SxCu@ea_UgRUb}?YP#wgZb+div449EgVW>l?Lke7aT9!&ExU@bG+&Yb z)3{|uCfDEgY!llrg`rd&xfXKcQSY6Ow$@v0@H3Wdx_LF`J2mn%}B`UG1sv;KLKUL$b}lYJSIBXi&+1%+PYpy!(p9Xrb{FhVyxCuKPV|k!j=F9I%3Jhn+lMKe7{E;Brv0bHt8U(z-xqr<63(gtjo`A=Q>*c0HOlu)A|Q#Etzwy zEN9{Xb!&0p28l`)eyX)Z!Hc1ehhCMfuwq67*TLfVLcpcB;!D3;*x|AF zz_S+p#%R5)*p}-# zNX0~2&2s(f?Z7C~?wYDuo8a-wwyOteGnJt7>~iLiO9%3tn)gOCDw(R?y+t-#`3iW2 zqb*q^t^d*KP))7g*l#3_QKVUi#7$)6-1uxYF6CsZGEaL1p$K>M_`%}pA)(rV;=DRH zosy6z(qNf9O#%z^Cp)f~Je*AT8T*<_FD4!)+*qf|!R}p)N^I{rvQjj1_>U}1Y5x4! 
zI&8q$r*v+3xkFzGEW~1Yrv>^PD@PVgDSl7~9@6&+W=#sf6y4&0&LxJZ9Z54qkvsQS z3;QmslL$+19=JYtdclj8&Kl(l{$#%#O?BTgJo#AMqjp@2sYfg2T(9r>l>mrg-1&*= zkon9)p2}>OmSE-AI4kWeWbYqzbia&$sBYJZ?a{#YR}ElhB7d7=8)0I;-5)bg;yIS; zn2JIUPtjpt!FixNX9R2>HlI~Zc5#eR>D_RCN4dSPq(b2?~4@aQFDHWme}Ca$Q&=Vx8t;q zXe1LDmcZY{)6<~-g*)7bMeU!%2$Nu_wZ?l|w zvW2mmKuvsEY7^r$Pe@(fuo}=scTr9eDde6vn=bK-jkhRTd0YD^FB`z;NoG;7urEaa zDm0dTOJ`}h=KY7-_wJ!z|8G@)*Rn2=>igd8S?Jb zG#=(D3q#w9scp;DX=dLg@XK@A+T41}V0xy$wz&Q*?L$@EWrn_&IFY_rkmGySW}oGm zF1e%^^~##*dGiA!!`KOuwvud@t1ZWp#Z)8UA%6a8H;WKuBs*QXZay5B(GioqlXk;etNVFlXFdJsLN!9m_7&{z z!nY1SH1yp(vlG|1mVYNv7CDs`R(iaaSf$>jV_33KZiBV%2C$GMPe%)+Wwj>}cM;Q@ zPl-h<6_a;&av{~?HTTYa@l^L=c=v7Sddz(k=#o69OZ#7Jy=7Dz%<~4C1h?Q2+}(l{ zcXulkw^H2Qi@O#pQmjaE*WzAWN-6H{?xi<#mwWh>L$bTGvpci<>@zd#>`Ixc zc4~sch^s%F$3Aj>7()<|5#7o&yx4Jbuz1*lqR)rEPU0_3#*=(bclEH3=c4Zjb)n{DfHjZfST_PaH=)P8%pr+{SlBpv<=?#C zB+&U=Qr-BpeTHxUJm7v(S+tw1Y_#W=9toz7;#3N8nvTU zc?WZ1HLmsGTK{9`gtcM)t-@gv;Jtm zRJ}p?{^U3P>6N^^E3Kks<&R{5qgt-y?i@>XMN5tGpR;jSKf!oR?Z1k@433QJtk!dd z2S>|w{JpHrJD=9{cAN8t=u0(1!kfP&5x&I9;0UO9LPy5(Mm3W4YT8EHUM&Mrc`!3a zj=(9+`yG|e)@d3AD0cJW>n?%^r$O?~(YGXJEx&HlSCu-GV|EuqpNBy+yO@HflnXhmNKe^ z0&=P=vX0&LHs9=rX`VN!eR_#_Oj)?=b{iZmJh?FTCZ8wCH6Tt1)BIE4C~9%*q1PoT z$I_ncnY2Dj$XrqA^3JoMIqY6>rd*3eG0lM4r0Kr0Y6oqqf^B$~(6(iDTem#nUn_eY z9>&aS-W&mr7U_QP4*hp$4cc}S-c^&u7IS!sjmzmvzHw0gOkqfaPe*0I?+V7`@nh2b zqPE*M(+ods17ABk^j;PH zTn-Q_`H9bxcvE~EluwPlCGhU1r^yp#JX!x*Kc>ak0I-K zWmAFZ90@B^u+_|rgejHG$^OwaIX=}OD5h?M2+nj=w9 ziFAGPOUB*d(pE(AQHS~W_`~BOy2k*et$uE${uxP0%vh#?My}biO65_dZzwhW*X~4z z$BMHNHYZ=q1&f|-Y!p6=GO(XSuC~zJqa4~%7`%MGfwxnldt_1AR=VvrBQsmO=rDY$ zMW5AQyO|k9`ME4`UzwL)y;S&1uIobBDB%~;JYk92`oE=jHT#=jiqlBen?o3Lj4_Qt znQ-rZf0G|`YPqD+M7hqlSH5;8p)p@~sky4*c_Nl(Fd%*m$8@JN1m(L+~k{}*D#&#U5^e(%YCUKg^G z7T!-oTc`5+XyIF}gnKQG;R%N?hjwFc6@1Lr6lV<QLb zR;zZ|8OmWrSm#Vz<|*FCfytBKE*>UJ%+vd}miH#sM(orId@I3$5OP6bbDkal;?2)MO33Dq3q|Y3w zTG+Vh2?xA-Gv=~0&9*SKP3DGA*t-23#cyc<%qKCi2EmhTm~_>pU1p^PY)T|5g$1vOX=fH7#fOeHQ8l#i2(D5 
z@LqfRJgtvzVH1M`DgW-VXY#=31v@$ir>Rz*MQAJ}M!U_SZ)_u~?`?i(c~LN@%D=(4 z6p6p#pPK;_CoI-|@CoLs`0(AE8+O*nf7a;vK&sC^9)sdGkL?t2uk)Q%O%07Iaz|Ol zK(7n+L!}m|qKIrbCQQnN{Y&aOgg`1xVtvNG%3Xgeb)9(uYaJt7cm0Gwcn0*H!@QJ%@i%Hw$9R5vKQbrojEyw0iM1dnt7pGem<8u)vy%G83r_@LrwsjkWwoSJ z);D(V9kSsaQ{vQ*kkS3L7=o6LMe}d8-w6-^d?9})n%Fwfr$pj*k{6?q6sqCPwJdQH z;Wsx;8jcI$APlln|SG1Dykd%2n!d7SY2_Gl%69_h>Y>@Vr`pBerQu4V5 zlJSvdm$Q9Af!bROi2?JsArvs`DO}%GZcA3+G)73=v zmU-CU`{OX*+Ba@d*=gBA?N_doT4P1(cpTt(s-9;B!Ej7?za$O|hJ2&BJF`uIxzrs^ z0;MH0ZJ8$DP5sTPq`-T_f6CS=2tsO^t->ym0~9wk{c8FlxjUb}RW@?XAod2{z zgV4icnq=;FE%DpG_RW-HhK)=%0U#EtHI!8RoITa!Lyxhmm9mv&^@AE*Tt-my??+r@BGF)}z$AW!BvyyfS>CH|X|wnKrAwxhIpI##rt@ z3{Mc(4X%d;$D(I(f_w&Ml}J)R58pQM8b(QNQ30t(TpM2Ppv7M zf(2Dm-x8<(P*+7zbs#DOWi?9&p{Nm5Wm`V~w2goV5PG_?!NX{0y%<5LvEL$B8ScGaN<-*mOwvbvIZwC>m<@I%Nx)Hi4HyjivhU zo|CVL$_Vbw*fopVOdL*=JOF|90DVufA*g2D|A)oeG6CFgPH9H3Si=AuuN;j8PuYDy zZ3BOqLm28}Q^K+eATHlv=oFug7uUt^H2?Z<@lxXf^ zOQm~-*mcq$t)j%;}dGTKviy*-65y>%mj-2|UV>KpQRY@(Di zHJSb!iF+J~A4+*Zbd4|%IonA?r?qg2X{@?3BKNdS{694n;+bZuu;eX%3V}DCGaRl{ zXCyFTbf9xVC>Hz~iO<|aTozJ5Nx#l~eTEmVIo$eB3G%_COhI=nG#PzffvKEum+0;< z(Q*n*I7FWSxJY1`lJTE3ud=Yk2}c31P^ zgo#zVsgV+uY|=kQZLY$5uHU}6#t0o(Hmvjn!>u+uEU#=Qik+?b?B{fBC5qhX z@>xxi7O&r(F0ZDji88Ir+j#Eh1$GHN9Td9R>`!Fx8~g0y-}hpEoF;P{=WO#;G3GIxKou2dm;tt(l*TXDtK8(;eAxsySl8jPt2B z5>?FFYph^RDNW?;giHKdF)MbSx*o96rGD^)fj-oh~)`Sg7R+FXq4kbI*RzB)XIE zInMFk9{--o@jGkNkD&Xw5sb7_Z!xy=y#Du@IV%u6) zw&pAKwnZOD)b`@bI;6D?PZk^Gh99uyNI&(by5GT4AABb?_Ldl?+rI#BnEyx&#;xgk zDmQ3#E+Bbht3|R#V`NG9djpLho}5hBdm4j;cRc6g)8S}d5Xgq!8fBV zv<1tHR(Vwm-+gaw?{9vpvHX4SlKznEcQ(US-F_y>w!9@EdbeO6Q=wxL&_p8k(Ldq5 zh)wKyajG$4jH6q49A}CK;YcxxT^eA+%8)K<7qm^ znb-v^G?Z!B;u9|$NMb*boj-(Wj7I@J`y3QRqNeNE6hW0TIRXxqGPe_i*lEU%WC2Xv zzBdPP$Pt-NAFs1BjoLjeq#+X>`y%Hvf;PV!ZGQ6PAXjCsKXqxdbSm8+t-HHA?G!9oLfq!m^uqU~`O53>A zh+y}bGJ>NwbfE1}gBT5Jd!|?DnhZ*60a+vP3n=pSx%;n>+oHv1Ci*C>bf2TLZ~w&H zA#v*X^f+!Mnu0yV5h=A10xiot5B&Q~ggwhOt&pmrzaPzzTgor(>wLjt@~9{azc_w9 zC6waMMeUFYt((V~r{}*87fgSoMP>w?I 
zgn{RWX8YBg{sOE(PiD;23rSP_mucV4$R!eKiAwWVufTh+>liE<^}Rkcj`66kyl~y> zu@@$PZ%tyPE(pRw<`*T|j-yet{Fsr_3h6%2r!8+{8DqKrzMlWB7RH6>Mcp%Md6w~G z^WY0fZ&rH)x-Ps9i$7aRi%&*vDRb^M{#1SY>U=a;79(Z4Q>oX$_4gt1Z^mMsxtuKC zR*X^iQ$=@{&;6>Go3`W_X25|I5jHJ1^~2tlz~)Aq^ZEXqy#zE-}8UKka9=5dI z@)JgB59^4T_r-87))mu921&i;`p0Yr&HRnKAYxAzFT=X`;kL^&?_-m`U0NT_P_KG# z$Cn3)U5|5<5p(}kO+m)^)BQ5m&0iVPeZ|tfRf`<6u@6uAhGNNuM?dgZCvaEVTC0NE zVOaC`rwf=7nfmiEEanMvRn1`dh5A(jFJk-;%);c^me*pyKooLOfWAGtuh%sv@^qr!0Tq31|7?18i8# zg~=FO)Wv!Noujzef{1keqLKD{3!FP`+V-XNbmeT2<`JEdpCpv}NtR+5kcMG?O~9$T z)^ososwC*Z%W}x9NsT#2w4TTtjAq=Kv=#lbM-17TCidlYX0dGa9n7GLS6}Op+d| zBb@CZQ9@{n)yy|FimdX09`iUaIH!6DSPYfYuFievme;=55}AJ20J8v{Nivq&DMR8eHZ@4Bf^e4%pcAh+lbg$umq3*6qD%Buk(^aN#N$DxN%v#YHP)1^v` z&?Z*wP{7t+J43FwBm$IKLL6TG?~dB*0F}F5j|H3#LeMVe>jtKK{zh*yGE;&isshRQw^1oUi8&=W#Jhvc7`w`Su2 z=w}v$R%8!hq+m%hbV^6hAmZ^1>+2PY*G&rBXCKkPJFCDF$8xAscrIqZ2g%LHs9lLX zk~8AzY*CT>6}K~k^{4djcc3BU`|j7{?z68Xaw2*5zgb9xHPA;T02^J z4g7olch@kRk-}27GU&*di5y|{VpBC{dA_P;?dap*`#=*S*hwgU-TAACSKuXKV1crX zoNvsSfa57NV@o1ml6<%KrssnO$7x?@YLGKyx-g$c>IW$A24x@Jf_+FWePuu9&EGSx z?g~lXI8w=jrr*ZLuLp^*^2;%}R&6G=REtxufMT%$;ni!Z2_D*V*fyfT3*U)D;+z?^&DfxTGH5nhC! 
zy~0{6s=q68B9S8@fX!i{vxAY|5=`9#!U-gNrwD=0_3(kS=B93XMs~U=ZLR7ji9%4v=fk64LtT1jD5{Z_$pxm0 zshh$EW?sgGpy}wM18&hbs35>@l^$%p+H?NjRt;uaXUq9&$02ER*fHi zzVu7CaMVxjq&ZX846R8zDvpB0@;gE^xG`f0maJ(ttLZQE0BUsX*ZrWm-`%es7RUn# z+HZ6p!U{VhG|WwV=O{O#+kC6p2YO2DtLYaC9@lY>1 zoYr*Yt&T7UPjnDb(8K4z$Iss#(SorZgb8pUvepVFrVHMp!a`4DPx26p`L_kwgNnT$ zZD%=7gq_t$cM>h&IW_Es0~#fnh!47(5dd_xkXjI@P1`0Zy}yDayYA*xhzOQ6&t z5NtNGErMuZs_WfC6uSY=IyZUQB4oz;I%gVymgPJIzXn7mR=$IBY@qZNBBatY#vO2P z$JI%Q8%#bC;wd1DZ6Lca4vcPMjmI|S)teqzdqEDk*8t}M=YIGMr{v~fH3W!ih8q03 zByclknutFPD;5E0fpZLPd%bJvuHuj0M?jU-i^-2+$F3USKmkAv@Qg6ckO$lHqaV-K6J9ygeTt>kn#4Lf~ z>b#qu!83zDt^q3&qSKL0&_lbYn7X)uER4F(*g>?8{8o4F?E5i$Q_m(wkmmh2u|H*7 zn2O}^g5H>VvW3@dij-&<=HtVR#ywQqX;`WmQ=1O8<%ROY<&$ez1%&Boxa9q>SeUsP z_(^t8QKs^%jLSVrXd9H0rLBJ|Kxm@uWE(l-&!ybX2hGclZ$IM2Z4d=9A&1_ez2cY= zg_G}JIIl2(zXbo5N{W=D7IOpfhfx7u3C8GJRebkQmlNSQc;g@!GDFYBhgda!lnC%| zxiS$S%{d|vd&&7}dnq5t4;{aDjNWysNIzRAQ-abyjQt4yTC)Ua&Wn=||JNO$-*@*b zXAD7#*3Q=T_ZO)6bSu`h>2_BSr8xi;p*uEhOa=em#heRCoG7lH2uM<%Goa&uP~srUkZs(PCEm4DUdJ!wR{0sb{X`JAp3xZqyJA(jxl!1c#TFFbRi=UXsTZi7CAEI`TtvnwcV8eI*w7A2hW zW=C&Y)H;|DS(*77n7wi#Y&yBH(+@%?Apx3YrrpYAAx4~6Y~2PWAy*GOXQ)#mvA|HI z{yTA?e=?W#5Yk8!m!o3(m$?OY>dVQ#pQfE)xEPkR%Sh+2EfNHL5d2HO^k(!%yt;CM zaGx)tQ!nY*mr;ssL^I5BGcY|yc0DC!2q!@g=qf~tN;I5*;E$pU@}O^2#RV&}Z|hJb z(7(VD&&&)E2?>1(2TlPWP@%ZOA!_1DG7sfm;tFzqHqZkkf+f$jl+ySY!N1 zx5=S)uCsL}qag{6Sf{k`8{YBt{e(5`&zieStmZukaVkU*-w4yb+Eo2jDY76l(xcm8a?t}jjFYGy&{xdRj3{71x-X9Qz|moS!!;Yl*kLX?Ud-vIuQ#|z|FA4|doYr_}el=ToxSpcF@z7eQ}iTgF^|G$v1kL zAqdE$O}KW(*$_>Eo5xE9r004@o-yc~z8ucrsVmP=_?d{Tc^|Mu@DFaWFyNaD$4j+_ zhfu*c&USPcz!C&Dc5Xw><8v%gDBBrzEvipPN^_dVn+ytGOWcy7hVX4 zwEY}cKI7i49(`)iO6vXeYZr+xND^f+w7Ybw=Cm;!5fN5omvKJ2gNB$#Jmws|9*nGm zhDg8Xw-N!dx4uL{=Y55AYzk7_ab}TZkOslgM+alTh2Wz*G}&aa1+XO`dnv=;z^U*n zGb+=bks}+n+7lJZ1^|%Q>j1R*xTq1+$U#M&4<$6ZZwYWgOE2$(zzxwu7%C*=1oH|@ zp+jiXgG)%zS^9alX-n%dU&;9o?|;GVU|G7fm|ICf6vC7tyr9#s0gZ44d7dssH(=%81P64kq;17_F~Zon$NBkXTS;eIPiAro7N4i 
zZBPWtP{cFiw;t-1d;zWmvn^)B>cCHHwm~!rGzT^Vx@!)I}7c%Ml$}CfPp&lG(;0Y-45NVr?iYSY-i|F{! z6cX&m&M!fZr`&qpcM+TdRo_5&mxvBal7IH5Z;cCiyE9mYe$N8o&yY3@MG>YM1?^j- zT}S`2I5p!&uf^#AnfFpddz@csZpn)9g z1F_&M=ig(EG|Mg0j4ocYm;PwcsOs40prfm$GMQNk6yPNgCy5K{+b9%)GN2RC`}4{J z<()Sr&C#PKGr8rK0qOumWL0!W&oER5zaEeSzavVkBQ;O&7wEJYUA5&-jYrUkycgIrhVXWK%IA)y%a?|q z_kg_!#W?SzAQ-8Xrjb>{=B&;tM7pcJZ!RW4_b#|{r31fm?fL~PgQ(y>_z3!j%}6tb z`ABbogsfBIHJpLHsV;i#L6~tK8MF|sA#O!hc;y4RK&h3cD^vbnF?dA?`$gDYevwpZ zzY3T%WUW;%SVfnsS147tG6$sApmB(jGR0DqgqRuL zWDwRO_ms}mK)~FnI}h0_3h96i@W##}r7ji5;fKWoeX<_OJ!{sT3!x3{-*J3HgfIl( z>=G#!LeX&_#}$e$mL>uVu;Uy7~L-F`n z5Gfq>?Gr$zKw@hvQ~HY$!~)HqiLh5ZUF}_roK#1hTp$8 zFs^!CI@4qy(H%J!q$(eFVU`2*pMwFT`Rq@lZhOR3xy=KxH4G46Zm{Y`4Zy&7e|jH_ zEe@>5edaxhY_y9U@tR3x zM8|m?2Ofv=0u%w6a0AKC8e6yrqtYGtsfQpjR+>T} z1_bI~pyWjNaonSJPC>!&kv-_nK>*xAei`nm1-jgin-&rVlFI1E#hs~0jzr*KC20L1 zZ+Zx#{Q+DRMr4o2!RQjxJYLAB8+?CBXN3I%+{W-=gzHQeEM}kF=`5d6npTBu-B4Ad z8zf6S%cOm2A+wVn$%82&LoJlZnJcVc6)Gx9WJO%v4k}W0I%X`4_H?- z;0ri%EMQi1@LyASIVds>C}1cCr5iaQlSTc=jpAd%z6>!G5k0hqTFjyl*=m(1L)Lh* zmns)6*n4z~i2HYt4JWB6-a?yQVn-sz)xHl!ZDifLftolY0!@4<^UAgnU!^TavG3{P za-}c`UD&n(M1OZkRnIfPE>oW$t7(~1hzkoudF;W8Fv|oX7HQjsl zni0@!ztSOPbn^UTCll~hJU@s=B46$jNq6*z5RBlWO@C?0ca%{8ipnZF6YI!}(^)gQ zpd}lPw^(zjEuLGT#n}Gjf|c;i-KeR{(!W2bc-Y17sICs3oA|vkR_&rNV;xVKrR^pV4nGFQGXVR<3eaQxdoMbZ0Ya z%#lc$!#sX9w72?!BUOf=!1L6TZ`W3 zWSmgb6~JhDM>_&Jh z*(jHAgaTInJ2&lI1Ez2;Mz)8w_Awfb7ZK$@N38;e5xnt23_BbuDtxePnDWCh@UKP!(6evf-3OM=jeh z$<`d-P&OAeFb3^nwcHI=?qXFGI2-o8(6V7U$`jFC9GNy;NaffIDC^@)eaA)6r+PgScnE;~@R-BoGPT=DVyBT(H@wvKuCUxig~; zf4M=Ka&4ikXRd(_MmtHYAUvM9{09+iey!1;J6Jqy?-pek)#dr6*|qGbvRr!$DoN6| zeo5$Ax{1RN)D;R%RW-&YG4mGY-~l3aF;T#2*Xh<)_?!lO--5hY9B^7@N5iGQuV?`4 ziVSQlcrfOy(=4LOz~-p6MC!12-C{;c>O4Sp(Zv_t&7z}au$OEUWakhokfpe%z&Wj= z(Sg%Qr!WYK8gHvUy~KH&Hu`IlgyyCeC$A=DA_zP3>IXIlss_MR!+9o8k_mMvldf)K z0+rgWuRt*q|3j3*|H5#OWPncCmCf$LR~2xRwsuj6|IseRP_^QjwXOJHtcm?d|52R~ z5S9v@HANN652AuH-iDUt*$NSB$Pk*({*R`U3=>cgWKD;b$oKE})RbJmwEy2+00_)Q 
zL8CqvVVyUpHy+{IgCG9!!9Ib)nVh4<=@>|T$IMc}Xks}Kl7AFeJ-pI2RPU(ih6ZGu zX4Z+yix?K6- z{zOpPHd=P(5EiUSEGB10rfH4dq~`swetkSo#%S#0gntb);YE?YQ}ao#qxb|`%>xaJ z;Lgeylh}Ct1rL+|BUh2`;r&2~j1(YyfBzqy5E)?>UFXpf-)e1iKc4A-v!|$$&rdD0 z!z9z<&GBz=?V6No{BiUBXHO9Gb{YgB1TFXHD>c?bEo?D*uEl z4FZwDC}s?#@6=6{|9#{C`?fh?Uh&A#FjPo`4D`)zn2LFlX{snaE z7LF{?n$SX({=YueQ4nT-;PMrfh1vd(>^q1jAF7N%v^*@gOSl3tp8wiY+u^#;#>RG5 zWpUmLhXmfCBNMVrCGnk0GF*wk$X+3FV)Melz;Hat_;j}5V(xmMm2I#h#G>>4HraC4 z1$Tv$CSg9&`sZhr?3PwCSjmuW2J&nr3blU|`JEkM>D%Q|Mw!dsS2)KPyH#c%K zdQzczGM@qLwpNeh`F6UocdeoUSu3q|g{v7F!#ii62w9iwJ+g%^!xYXA%;XL`=jY$G zxNKXts6p8Wstkv`|C{qr#_5l&OPy9V2A5~HUeIut#8v{Y|V51@1~05!8BEM zL0zxN%K^LBsrF}Bkq^~hH#MDI3!QgQIDFRA;`cW%`zznXUM2YaAE4O$*{d{(BB!#6 zqV%Yd0;5APo_4hgFj1^@v|M7qvveNBWxw1d8qcB7|M1nFki^(w{p^}nYkxO-K3%-{Az z+Im#J@Ux>v0w=a@ip16O0gP#hqK`ViZe0FE#GfSyoxhE!UJvSOt29kOiR9?I`rf`v z=+$1BNM7Rq_U+r0c2(yecpGXHf%8>(K(~YG!j_l+ksclMI<1}Lrus3c zWbS-*&Y*D+j>bEv!#jvFMb@|q>z^!{m8c_iT(9fz{QG3Lf|5eNQ+~eu8*cmVRA|+~ zYlS82VdU)TnB8px$$)gj>u+e{cMY1z_D{p;UMxB_E>e*gF8ev$N|QQe?=Uu4M)Kgr5en|Klf3i)?xVmWbqs7#j*6Gh^O*a8q_pM=Zn)) z$HXdo-*%?excldEf%VgsrZJI=X<@$eORE*=Wh1fhhgxr4HaBiHkwq1;N7|N+MZ%S% zH+JDVfy5g9~w~W0DUFTgPB6QDXKRNWf6@Fg< zEa{S0c8k3SEa@xpuOm!io}L`8KeS$dr4rk{1_#mDKE`gSo0}JIP4@u*-1<&r-JT78 zHgU`QyTUMs-!x0V9rGQN6vsa9A6Yb?4FO^vUq4=SMwRsHJK|VuqqQX{KYO+Z-SawM zJ0!PEWZ}=#* zKKra_i#^WV3$ezhMWnNWHy81x{?VQdP|=C`#fR*FFMlsCd?)4WE6)~5!skHnJBr|6 zDU;RJdr{hB_lWOrzo~h^>P~I@qV@i+US`aCG;_`EIT!bV&?FLV&Q}|KQ#%S%zztW( zW;hO5OTQIeUe*4L>D99GF;VF63U_hGht>DX!%MuD-K}5GmRn3HcyT4FBxOAX`W2U^ zr3}5^F=msw4a*797K1%mo?vUeuf7t5u9wzsSAVR<7SBev6KGCRP33MYSJ=r`5RdFAPyG zJ+Yir^#^4adFVmVOE6(mj+{POs{w_7#jv4~nEzYSWR#k^A^&%>d$!Ovp-uJcUP~W_ zjfSIesU{AuZyVE}LZk}fG`*!gKC+s((n!8f(8rrwH2eGd2lc{kzVa=W0W)ZgL@9kF zt50c;FZWHf9CCg*8GNa(A94mxiAv5^LMo3g+VIHM$+tY8c?bObj++KTZ?#)>i9v*1ze4wcz`6+C7i661(cL6{guU>^2 zMwwIBC|X}_T`@ z9~0YnDSP`yskJHnZLHCdQz7t?;2(Wap*7$hJ^ZBp6jhvDij?hb^{;Z$wZ(*pFV4u` zzrXg_61zXeyC`H`dZ<@>`*qHCv&xcSD8$6G-aAwPt9X;1LZ`K^r7 
z%2*A%YxnD7B1-6eNvq9CngrhuGCmi7M+vVtr?EEwj-tN22&RpfT>MJ&m$hh2W>vbF zfmg7KM=Uk$?|yq^FwxgQd&YyMbW_=su_ThaKN}m<^51-a-Xat|HV!z&usBK(w5`pC zezczyS-TqezpylMYH`m>OnYOGLm9$WSjyW8rldvPJtVO%nNIAB@;=3^Au4z=3?Nt~ zc~u1kEzfVUlWojN^iMQqwAVcKtvrN%H;zoGynL5eU-#udr^Jg_8qQViX&LUBgfV7} z>}gNS?YLrXbUjRuE&sG^!O%+zP$aWgY|xoU#u#UxZMNl$GW9u!OKe4(5;NcnYCWBN zUM*oWSn2pi&Dff`H=6Slv6kxd%lQGTtl1J_z%hjE zg$4EyPp8!VD97l(N_-r%I<7_tB-$u)(vlx(TxzEuKX97(A8n=4TFddwO*;nNngN zfA0jr;3HtM0Vv}OySu`!RAHdgq)S0&h-Bs$117?pQ~gnW3Q?6_Nk37QI@yeG7*|z! zZd18*OHUHzbz%yli~-L^_o$&B>?)~F#9fEFVH4lU(N2(&lZ-t_>^(Fr?tAE*I#1`F z7K$$IcS-*nw^sq6yxx=Yz0mjJR~+kg4fZ-B_=T&p@;CL4_AMXDBRzCe60#ZN7HPd2 z{3k(E@bgBL>Ipc<)MqCIdmR32r=M@tVMPpe3L{1Z2Y>HAM;*gQKD-QCFV4~b7dYgo z7%b=@Yd#kg39I9-GoaZzMn-r18P-ds<>=0~mY%4LsFX`3V~YN>%_JvKJmn! z*q+#&7!!M9dy;&)_df6Ux4XK#YSpgls$F}pwLRjAiE`$&bZ?r*`QJ>f4sPf_HaurP z?QC*E+6Xp{_^h`;nX&6E!?4gQpkt=3$8JwH|Mdm%`GC$ zpIwoWVN-gn`94l-!L$GM_qPZrM0k4@_!VP1cjt|V6oB+$69JE^&QG=!u8MIWsLqvU#beDsjONsAN8B3yLl|G?Z1)%LLa=V&GAP5Ts)hEu7b z^p=m6+>TO!0dFfjcy+cIJD`dAhP(R7Sip_YP;=+@*j1a!eOaz7p`17KPe{k;|A0k< zZ>xhmK>oH++yF&b(|V8?m%qFB)wZO6aG?dPW_J`BE>L~;m$=2Hn$BSMY3e_XK}rsS z4JuGunSnlUKRe7Yjd)hmqSaSl)zeP8SJz9laaR@@85XxAiPI8;h=6KofU<8(RaI!O z^~Vn1jpRN`?Kl3Z*2d%5CDQHH@)L=Hm0S-;YDs%(gy0eh9v6M(1s$~PV!gT>L6}Av zyYd2Nx#<0G_fP|yMGi2T*Iinz*;oG8VZmh!s2j3zrqcf{ai7ww_IQ#;5E5A(xK1xeAmLo~LLH$X0{K`Qtk@^zFBIa$&h66P@Ebn*N;W#P+w9>PPLakZ zL_eYQ)oCtv+o3^!3+%M-vCpB3R{v}EBJgc(%`MQE3)T%}Krx6cEr<)oQO?U8JO;M^ z*nk*CoybHMG^mY?%RztP6O+#}|9S4ewH>20raJ^ZcQ`yBDFnz#-u~~hu^I#ncM}cv zp4@*sCmu@wu5*Q#%ev`5j|U^A1u-x*{_AW%FtP__#ZCODLB`U(Sn%{gV&tjebh~WR z{~6=|f&0Io%H@E^)$FyZmWq32p{RqVtP>$nMA)8*;#m&~9sXaP|9^cV&@&>VIag$n z0PPW`Tos(3?*Z_@oSfE;89IMtWBZ8$pLmFx$jsO2Q$u0J^kj~7 zqQQqk?Ap=l={W83;WHsp=?Qal?^8&ky{*0N+V^sAe|tuFA~BS5J2{!{<#V!p$g>bV z8{uO$G%>L{YyROSb>p`xHZ^_1wppoQ- zEp8ojHXWA^j{SE1Xu#Usw*KrV_*8b(I5K?otX9i=YF3?tt#e9l*5YbuIXq|Bw5C?p zt@bEX8~Ky1sihL(_zLBSPcYN2V9U)qmr>*D{qEGl;773?<=H^yD&A!Ii#!D(+R5rR z-Jzy{z*1AYu9JVkFiUPivzH{j&!{U>Zr8JW+T8O?+zfPAc`LDQkvldCj9X5P>*&IE 
z)Lp9Pc<&xeCTEs0iS9dr9i}zaH2^~H)md8 z)ujdy!Sb(WWj9G%$%mtfm6@xZx=rqX8Z4HVS3K5Y%4JvNO}SlYve+rpI!IxmU?|$d z9pPm((5@|u-_xpnUA!f}w@dcraNcRcej5=a3?-fu>oKT312=l=S-6?Xme%*}EDC&W zb_i8X$DyN+!Jr)78WAAdwihJvQ@mTivB&J=BEfh&ZJx|OR5?+2J4EHwJmvGG^4ol! zGo2Mno^eo9o0ki8xlNWpiOv}LxpkL3`8GIkMRGbf>Dy+b|yo+ zS@u<1@O;X%*}&v&X=}+e@r3i^LfYPl%VJR*B)iD13Q+KDJHTALLe` zYg1X$hsZTt5c?}c)W^-$O;vh0(van24RTZM?wCge@KI8(UN?~QN$UD4xa_G!uK)a- z5;kh=ZPNLg#f~koPX>Gs=oruTiR#?;IVP)iwsl4O&G8!V8f_Tv6BV-wm?SfFe8_Rn zstXugXD1WiHi9@?|uPA~tRTD~F7~cXDHSP*=8?$kP_*IJO zgly8^=Yd4vD^*$9BCp(UtFSETY&D*E|6e$1Egqc{vm|g0!z^h$TCZj`OO02Vr6yF$ zNAB1b{45;MUB|T(gsj>sOj9KOOc)#fy$#G1-Xhf0!*VyLOw#)g^sN%2cnPNSb2x9M zt;7wZ+N5TWhlx6qc%i8ZtWY{$uTRpu(QoLe1T@uKhRN5{#N~k>cF`+oG={(ngAoUl z6ZO7+jKOJ^FI)=(gRn$OB|o)xL^mKi5kCb4ey-*88@`lPZpj!ZbyiT3(aTCwQx|)h zD|c5g4(;|SAs3r>y286NrWU}8s^0r3!wyRwbor(iH#BMtmkv{MuqqnTtT4a=EUT%F zt?&)kmMQZDx)~hAx^|ED=xBCS=J;nQ9qN9*51cz4Y>|8fi^H_FHVzFDdoFgZc=FQc zt^}qEINV4a5S5=gjCA=*i}?NcXFWnDgB8x-f799AXb1s_Z!|RJR@An4z7cLIY+?d6JUvj*EsHStp4Qr%vqp# zL_3$5DE&~0QF{6Qm31U8eo$K`;5c#cVzqQ4MAsoe!RO}`hCrU3AUTxorZ&cj4wJ9& zFqFt=NOno%hrWb$FUBzOW-jB1PM#QB-w%HxI zl^@@fIJkMe&8Fw|u-A)S?2zl_eOUhpkQTW!C=bko?_Qi`c$<}eF>gs+GNjCX?0h7R z1)CiA7%|kt#u#9Qp5GE`3AOz8yj}~}i5Oo4L@~-b6DiR-*d^BN0GsLFNDN=fizB2a zuJ$v21%7m_+j~)<@MW1>iT-#p0k-MLo`UlJ-JaimX?r$y#()E?1z!e0o*pq*`N~aI({Ge=0iICm;8}%;_M-be{ zlB{p%L+^xnwn}fR?9el>$rR}0r2sRdNK4O{P13R~XBL?L&vRr8e0P)jV>SoVpEI)F&~ zL?CM3Nt(hvG*CrAU#85mjFO8{0w~7GJcuKXDwF9__FNAkMN}#xlMtn%SsvFNY}4lG zZ{TjE3)@MF*LyVdD+iqfoe}4hZlCkdtN*!JH1e19uo+MrsfiG7;~Io1P1lUz{g)(TJh% zkTlWsy1-U-rW4R&fi{w|8GKb;1_|!>cwZDiZ`UD_At=2&#crQ_D^D-^kT?G!D4hAU zT(o;cSlFiuq};4j2bTkr7;}oSiJe_@8pQEw8)H^DQZcjW?xI|Rhf%tdfI-wK_UhpWCBZ3_ihd!G483DS=}AbK ztMvRsrGOil@zdhHSG~3m;^u-Kh2^b$;Y=V(WO=!PC@TgQGdqXpn6_`LmzQtFb+zw& zI^EX|CgaY2N;dYsNEOa9C`(km6)4ZKAKf0A5m_hf5JMwCFvPYZPvn+7XtDU!_6XFo zZeQN_7%&blwVDLefo&pF8(qx-oI=5;`zAE83M$*wH0+`}Z@K{dKs_H320yA&Y6}-j zmcLn9SZ)Vb4|l_iJo^5?;=ex#&{4mc5cdJTo0$@mB&)RfO-?6ll(*yI1#^HIsS-MW 
z>|fT#jbERgH}LVO^#e$`zP6-23PyKVT%4kAI-v{SWUdo|F>><7@v(3zK3+XZdIegf zBxe$KNO4)elLg160FFY?w7<~l!S4I%G_t!Pl5Gy_1^+5^qem#? z*Ls!z{4oQ69~QI_;P2ui3S&2{V@B>9a?|#S7~XH)5(Hyvqb4{irGcxg+ltYnR$#df zuWgP=M5<7FzvHYILAbeQ2HZ7b@ecpiGIs23@}W|cV{=}a(hYSt4K0f|-?s&Ga_F~i1wvYwve>9KP# zQ^a#=rDq)Pe=0DGDe-?C?gk`@MAP< zJK{-0A=6xPaH6+Or-oe}AniSdNpE{(cQNq7Nmff<%0$NPH$blv%SL}{odRt0@?rA; zlK%E#HCX@dRY>nEVyt%{@Z=l%4|)XS35L{z8Y-U=Du@PvFlekT^R~l!n$UYN_W+{} zM>0BfNDDvMo&@ZhpB2u7*VG(3k?NETc;n`mT2Kmqz34_s!Y|i^T)aPCT3kmEe zl=Idv?ZK*TeLqN(!|J5n^ZqQ3VoZuA212I|3DnV2^>)1c!Zu5`HS-N{@liYh!Z>Mp z%IYX^?V4Ir^3jO4SPhMC{_=_j{@g1~M)8mp>On4qs7ujoeHeJzhi)Aq?;Q zHXrbBhFUJ;JCJnps@A$p8AxsFTBbj~Ho3WFlQ`M5$$3k6qT3HJXw9Z`fKWS&J%Kg4 zgSHqIyt*y9xQlSdas0JD1@rTvp#dgdQGQ|ww%X;wk!|`~`CbiYxfw+khdw3cGFN|D z_{e9>QlLgGQ=9$vU(ZUmes<$h5wzYTzET~}MED&k_Mf-M3Jc679H+z?1|WiF|5=v` zV|PIxdN+fZUkJUSu-@ZEUR+v&`=i_~PC5`w{|~#%a~zA$Mq0A)WG$EA5zFiQdQt+x zL*i_UVq2ESxU_pHRPPk4t!KekYxpU7bSAH~DyssypY3?`g~nJ!w!*L1a9NG26oud9 zMA_2NOVBXmO{f5Zo!vho|c<(nErFdgp<_rgj z{*a_yBFgxlLJeOXuBxb0e@M#2;4wfjozBZYAaSG# z&#!q^N)mxK+HUUjC3RLqqN#PpS2b64{oRc;-FB$Q#dnqDUpj4CL-*Aq5Xp?qT+R-| zf?(mOUapznM!W!QIW#Njm~RGQ$EI?|(k;!ui8oRX`wV%K3@DzZ$Le#1mo@~srnj=u zd;d{3Yd_7uSPd)MQb?OyN6UuXC!~3w&T+98++c6|ti#J~M?r){#(?*GTf}9^m>VJR ze2tsGAl#*n9|jzUS}=3ZD7k=>WT_Z@qC3qb{eE6K83pj4T!{YDPvDQpvPG%_dzUAH z^U$G#&}nVzV$qaYYpw?nG(aXCp$eF}XkLu8SuYx|Mr(QS`7icP+49C(xtc3KmPAlZ zo%x`YBc<~__; zg}sV|E@d)?@NgRyTR1&wRO@2@}0yZLynP z0FM!$wl(kGesrLgfHwT4x~wt;{XAJPE8yj0w#9L<;(1isKUw~5mSWcTJH^2wIUtI_ z&e`R?CWp@q#;2{PN><*#u3Mx>fnxYuB?f~^R>4el!>uZwK3(My*H`&}{bH%U785u) zLtON@{x%WNvwHVh!<}VA2$xd~2CVvPUkBW)Syk8QtBv$~hlNYTFKJVL67keg46i~( zn;H1ChGF87OJnRHpyH+dAl>09cO1$`*5Z(vFT)uM;}%x3&p@L`Dr5*f&;ef;&7;F0 zY+<@!#urYJ-#gg;`XSOLR%z`OP#T6~S+wztj_WiVr<+$7sA|MRPgdvhsKN0?#9G;{ zSp0Hy=&c&fC~T4H`%?U(;YK~KtvgeYm_TBwX8CnR9u!;yZrKuC`rzG9FK^d1L79+) zXzV&#Kvlpz9KeKPMX2b&*fw_%I#LFI7ilcQyR{h~o5RSv6)vR{V1B9rgG&CyP?f$+ zKnGm$Gk4O>U3hetr4c4nQ+(=UU16OGh4oPUjz;IrU!)8av0B4Hsr*a#%ty(|t#0dE zZwJjaZ(Nt`7$XN3vwi2Bdtj-? 
zv2G+qDZp#!L1j5k`o{}{^jX#*oc+#yK)?(CI-~349mNWphG)aBGL&N_%y*5U6P+zr zC}>oJ87)r5EvdKpyGL6@hz@e}30@<1)W1-u$TE)-Su|4sJnAd(3km1LIJx#IF~=Pc z>ibzl>XooaA!e}z1Zc(MaXk2d3E?`7oT^cFu~BtAy6uY8d(XHOf*cFL*%UjA)Lh{$ ztb>A=j*Bv}H#I^u$HV+Z&Vn9SX-}A3h#aai0putCvxfq(aFQgZg0pj?A8lhV+wQv= zg7{}!b6j-d3}6ZgpS>EGLLlNpXr3A!U~U^3EwjH?h_JOlZwf~Zs==e7#lCHDsoze3 zChXfm#4g$cq0j*V>j=HMK|b1l8v@_Z4pVlV@dhrTQh)pFNFZGwl@QccW?#i3xHVNv zbqFiZ>FE~qk{a9;K43;Mt>5Yj_Q1`|P}~PT;cqi34|i-gL_z!9O+x^ro#{ zYgR*si0SqBnsv9KJNlxWM$4Ca(VU&e&+TT zf&;?Z?PYzVgdz0~T{aa&Wown^mQ~sU*V&x_XCR^Kz^trU&>)sYca6~87Y_pA9l1@T{J}h{({4;fA#qf*{f0q9X{Cd-AbM&!TOe{R5c4yoj`f|9c>4i$o!@BG4GGtFSx%gB zz`8C6d!!^-zb}@%lsOu*Agcx+z=_Ti~J||jikP{fm3C_u>7erZUc8%6R|sBDz9kk z1WoVdey?*p+{0JD!cc+j#Cw`TIkfnW#Hc)#jM)&ow-5&&v$l{88rTaRQ>gN>9F{UqdnD`RT(ldl(IAmURcH>u7S>qGss%qH1{( z7&~D4dkOC%V^%&uQHjfOuhT~wpCcwnzI=a@hCWPdofm?E3T5G=_$p)|dOK$Uz@AGQ z)*NK=ppi3`_Gy5K?k*6)MeziFwWCD6j&@U`WIpe_Rpxc}M_*$$2-CDKA=g3V!YqyG zr3=QyGVjRQJH7h0`%Yy%78-v_5{!j$9a2CBj=C+9bqS-d=%ayGeGlZIo8kU5%g{Jk zDXnan&17P2$NdK%AXh-mImW4>qdtqwHDO>piog&wkh=az=$Pc3?}%<(rAy@UU;xvb z0UR6eyMv$s;!-d#eA$rbDoavB=wyy$5(WBJFU{HVDat|rG`{M0MWJ}x&fu9fP&OP^Q zIdKv371V>M^X0f#f0)!vp11T(hi5=djJTHoOPLDtIMW~RyL~DCcCO}@?4bQp3liXL>Kg(n ze4w?)y;1mm>U9=>!e=jg`w=^7z%jY!3;coj;2Atpsx zaRMp)QNrvx13`5P#?~9w(CEN_3w193aD=gbaq-7?N?1^S z6dBa}?9LoS`ocrwGTPb-Ia^dxZcYXuBP)f+UVqA@C`Me$bwxNM)G@RWT{nvdxqVGB zXcQeB%wfd+M}`X*Qmx#WX$ha{D9sPADmt~(e05T2c zfNh(1#4z&)N|s#-fjDhv;>|Xyz9gR6ku^MwHh+!*y?fmPi$ee9rBUj~dw466z{c@j z8^4p7UQftS?7=s{42$-eH0^-swwUJ%C{LJPwUqMfBt+Um!s!)?*<(Y|-hNI$u>$o2QWyLfNbX9O&TzNwy3XZ@+!gsk!62W)cVIu;!5t z!UuCh)DZkpL|Mxu$boy@=^BmXE;`{w06k%wQkuELH28e}%NKwj(A1UgD!#nlsnu@W z3{svIyjafgBbv^Zu`VO~0;n0Y9JgquACkjVSkiRUlZoftRM_Th6s$V6qT5oQ^SDqq zPNA>1pG&!qyAqiffOV~)Eo^}Ty0lj5fuTXIEuBu39WaCUWzq$~K8p!b{2WSUN)v_| z3e@xO5G}}rWS7(bz+zB?c*uX=JuSAToP}(>VGX%;`y0KfNACtF9`@p55ZP;@bEun? 
zhD87gBgD17n*gQoFZlF5msm($R0VB6iLj>u4Gw)YG=G%3(fTV0)kOXT2^%cC#Smt= zD)#iK{uiqWlsnJJiIF%FEm8s~HhIl@?pDVYhnUVo8zcF(KAo!4qykN-;i8m?VldjOkaz%`a zSFYei z)M@_wm|JYA+M?}U#1@P^n%Wil2~9wA3mERNa3f_fDh#1ViD%o*r#n!RjUWH;Jy0t@ zu}!M2xE!k-WoyH>z%6F`G(F@n=HvzeGBrgq|1cQDnDJ5El)Z3Z?G_xtJQH5R?eBLhGuDe;FPlm@NQ|E^0 zKuK^E?#rNx0w#hOQ|p{NfR$=&r4Jr=>aK+HwPVtk@IP1#)p0T9<4iex4UsQ$8&HTx z1{a_;hMCS{hYijAVi_*EFx?p0Va12W*}DV)WHiNHe!SHUce}&2Yl)Ed^QUkD2$_Nx zQ#99prNE`v-2cnDW7qf7v=Ba3I8E15$A|2Il)PjFH*py$0}{P2^=aIWV^&)gr~vE) zLQnWri71q~?YFzgSe>dHr94(YEAW=;xPmqJ*AslWVFVOp_zl!FJ z5*Iy?Z&S2YzkP?Nq0sgN?iQl?N=N89*;70L`N4=IT&&{l48F$G#<5>h3#iv*N}_~x zF^&>Xs!w-`$^$Ruv&`{2dD-3KZf`j=uu&Tju3+A%n_p$?~G%LWBy`d zmNQZ5GgaoW`nFC{TzwwPK+=#(nj6^)y6j@D#l>X>6_Oe2;mZ~d=~^3Q;!v3;3Yr0`j04Ew?pu*9ol6(pWdk7H zzOO}k2^zL;L(=;xB-4aP8=w{jky?c*nDo{0nGxl891480Oq=||*EkskrO4u5j*O*& zgAv`<@Jkxlcpg@q8jrIZSFM*x{vVA`x4_Qqbj9R|>eIOXAK{0UcJxgoH`*ZoquxW{ zQ$%>pH&^2bB#~GMB}gt+^k2+K5b$!- zX`EvNFT^sj@TtjsY9`_R=BEc8+bdWLI1hJ;Y()LeMj2>v#g}_?A^)QM2h6^Vs(N+< zgm0;K&su^FT!o@sGWe2WOU(rsD$iA*I7N_k1@L@FtOf(ae`!rO>G7rghCOY0fSCzs zynn${4fgY|6bY_xO*j~p`{X&&R2GCxnV`q!4~}A5-dnwu45Su^87N^_iN_iqtAuU1 z5|j}Q^}~WIvuJ><&smI;7^(~5V3BWs`O^XGyQPBssp5mn$UpLc?6LcbH%u(D)wtQL z@0lS*t=?(lZ(uF-ViHaKV{34it=Gx}+vl78CerU{y+8bsyOJ4eHSeK~b9Y%xB^YC; z3UTMOd09-q{F|Wf@BX%_f6R|W<#bj*T*DzYe*CjYT{q+#-c-28D~NBr+nOg;9f|~^ zD(*fLS5&0K*J;mbZ~z$N=&&4W9)|s74T`OFGAauqvuWJI?LUagzFr0*S;_|y+bh5J z#(5y8%?F^ic$suDLr6}gDKU{c8TT~ACXt5Q;D*ej?_eMQh{QVJL#kZ2JtaH!C4;n? 
zsujd=IxOPv)+;Hfd(XM#87@D4LsdHg6Bjb>@!~F%!p} zr8;N8M|n=ZT+59!aM1JVgn-RVf@77h6PmDZymZUp`E{tdu%AYLlO4;97TBmdPGi(5 zgK5(9S3%w-{4`>S>&#KA9aH2DT$F3T?Oj}M^N;mY`!tksMw9DpYA0+Wa^^x-BT1!Ex;G9?OzX79SC**|09xUcrOSumbtty$H^Dv%SjI6uio8%MWv zRkzgr4xE>&JK!{Mdi2M7P}y z?>zu`Hr;yl1vbs^LU~Vx)7>;fOevBn*TN}QU3FX zsrUY&xI>2!8RD^CNUU2ipw0AqIbMyr<|?6aJCT9xcywgh_8@BwiIgN$W1sEgFb>`1 z1QtCf@vNi;sU1Ot{ZqwHcLxqJ(+-hEjs@__Z9+_kLXl7fk#FMPVVg-$jqNq-?!FR93~hCl%|XqiG94_MfuG4o z#>`T3^*?|uf5}DAo>;gTYY#oLU?<2dgsNd+iJ(NLly^f1*(i$&ABvS~`99jKp+3#& zfTSm!=tjd}k~+R}3rMhT@;s;LG1m@xD=`U}%dG8`&t=B;>#iV)=9pl+Gbbmhw1N61c%{-Bmrfp4w ztwZs_OoubYUz!L6dkN3V@8?w!2ftCa6MK`E1_Rq&4H-jc$}E0r(e9-Awl<683iFhF zMsA?asp*HWT}q+U&>=VpUc6cHC6F010}W=GKd8`u zVr$!u!}!O;)pL|S)^2W?rv<17v$I0X#R0WH#dFP4{(fVYEu7jjwydhD#=)3_2F00I zP6A2U1H2UFLH-oVWO(um(|&bg@e|y4^2|5)Fokv9ua6#RpI~ZakxekB zROsOpdP@E)r_R#C&uFsSR0ftbMnDR?6UL_+O?G0hXl>lj1~r$PRR z-c%06TA#EjMC9h?u7{Ixf2PkwDh((~YZ`2c(eTtt$C9EIhUbk}5;+BfP;v64eP(R! z)W!R8%18tn+QBvDl&zeeuYF!Y!yx_-Y3(Fj5|pK4KzlH>ftgv%;Kt>PN|)fHtQzQarxDsV3FOLHBjgP~)b2GtdFGbSrs?L*4&z0VpHYfq{wF7Y|~z^{=vvd=SXqg1`&Rmw0oU z$(#&$m$WFrYyL7C$XfKzcN7vsEoYA=mv_FzPSnXNb~$*>_yok zL{ydkdb_)CEJ81Bs7e8k;P24a?qa9;;a=TKRx2+sIECGjze-2pu$oF#hO5N)qM#c6 zE1FQKJ}UKA%5V3^3e59wbeoqqcnI!f5t7u-VXr?u|5KferVr9gROpvF`9K|gN|62` zlcJN}qE9EA2+!pUPK!O@>83I)I4B7ywl3J_BRCg{z}2AkWs1}j-!VO zQ9kpo%V(Ds*nJN8tAT{>!3gi3uy7M3NPkg*6jYL;UXnG?&K!rm>4usei2{mqGCw0H zewKQ`&Cv2zG@i5FSakHw>7!su=&MIG%KGNX3BiHms+f#|0{RKJo&_>}Ge^&}zRuCy zCPeb%4tmg_*R@!7Mtixzq=UhD$Po$%uennA=KaNCFhOTdeWl{}rspS`aQaD2%nz~l z=}=LIz;^(K^LRtsulFg4&)Jg?^>XQp@#p-%pPmrZb)WducT$1XAt4#;MM-G$wJ`n+ zES}giLpvebqKJMy)9i+ORwB3(geW5wyZ(isU$^T|<>xvEes7EdKRXQyb)xv8<-U4z zTX}oqbdM0RP3gaq=#V@;C?o!)Wc1;$Z-!&O{%~&C&9MGJ1)Pe4R{dC(jp=x zj4+K&dQ%Qb)o7mMVh)1VtIF>2Quvw=<%#Lk=$-pOInSgVRId%P3+MY8P&Xsrzi}w) z-_A^xwEtEAA0K*c+2YvX_90P&C;fbi3`=;T;87BnQMp=B7&GuQqZ{2F z5B3H^-}Y;bXhO0qbH11Tdr-sxY(v4>gEbT-N+XSJU?+}qelQ+<${lqsw1MiHB;~NH 
z5-vKHYp8@E#13=*L3vZ-$>~6OtmFZ4S$Wx>2^HzeipYky??>Y46{yUpK!Tph_hP+C9+w!|(l0q_-NXaQ!(XCZ@rnJihN>w?|S3s9!i2o4yodGVtJ> z%=ZQFB_n3+X;?z^0BN=YEGBf)zNvW(f*xm3bgbAoJcDO}$E0o-YXp4*E`7SeThvA; z84(WiBZT-6Kz_ENZS{+R3?Jhpq}U|EnDl-w$exQnaJo5l>|o?iN6GoRyUp_r80_gK zGW=uxf<3B+muXAmhT=LQZ6QE`(NevG5gi1JX^W(9%2OOOSYfe)`p6KuF7iDBz6)+V zKAgZAD#C4Od<-Z8=doX_-w8cIf&0gp=d3>@CWa@_ulC%>)6GK;1(P(@&R;AU6MJ7q zO)YC-_f0AAuGFPjId$#1>`P7926^bXKNT%AW-Z%Iej_|%*nL|>**MD+E@QZPQE>@9 zs_?gd8A~}S`bZ2mwVTShnDHDA6yZCEV%965ut7DqEswcCQ-Eae7Y)TzGE)>h@(h@m zyy}ecMf%8tsOHxf=ge3Us*y&y{UO4Ul|jy|gG85|P;p~9R9yH+)A@a!l@;vKeGNLKrLzvZa zTLx_qbf#fYrbj;v;hTs-BZg}IQy__R5?paU%Yp%X^Q{Z?gW<)Ec{-;aXUWA9TF-5g z&&DU{!6a4I84`a*644jW|B6Y*yda!dJ@IXh3ToEXOw2XC**&{)OT^FCObJEw$HB74 zpv%vkf%Pc)$UYCZ{*Y0xcFrJ?X*;*1GZ9hmkP*2@J$0Aoq3ltL==|9^Ss1Mpd-B&0G!8i5O)7%=q}+|C z2>XlS>;y)YEi(dkGi^4p z2!i4m{{gd_@Rh_+$c3RHXWn1zFB_9ZGkIhl+OwL+aH9NNXal4klhA4vKOOUg-52~+&^RUZ`_jQe|A_*Kqa|6Dq z;b-o1zssl{&D(Gs{HRtSD_NMdgT+Ka3`^t>#roy+O8*`xLdI`hsnh+!EtrpeWFm%z z8vMq3zGW$7hml`csp-U!z>QnM?>Kw}tqtb3=&koBh}`>7q6o{}+Lxn2Jluj* z&Y*%gB*S&eg_?SFZu>}j!OCCcQ=m?UD7j>kR6^aw9Q8_1wh*yuhi-sz)2M<;uo0xC z7ON!-2^klpCG&A!bpUBKz_MJ$`Nrv?hk^wFu0%7kc3<-`$N(9a8*2Nl@Pgj?bgRu~ zw5rAYX+142Gw`+rHAUZWHZmpwrwWh)b9|gt!T?t@-cL>LbPb`n(Cf6Il==iVVi4sB zn~9y8NwW{(vp-_rYc?|xY$P@-p4N&iO;&!saCGB$SbKZhRM>-5a9%o{4b4~uQJ#Nz zo9q6a=CT&G?P!hXXYHTg)Szfe8Mk;SA4k9vz20q{~ z|0<&L+L9dvcdYs|j+Wi4CTwI;9mF*;ju|o;qMxBQHI2HH4yuZg^UkEzBvz}cAvM%R z@~leCb&$rQd;dz`M(1}*vUoc@l;`~zCv*I)qflcbdkR=cQQJ}CsoN%AUA;98M7J-$ zh;jL*xKHM(<9|MhJ(P8crm3KyFyV1iBls?O6=AkKR0p0GdLGRp`b^0vvWCC z;==^DV(u@M>Z_aq40BAU6Ny_<7kt&^q6W0M^Rc}=VPcyg>9G?K2&L? zNCV1%+a4L3dV@`MdDF~fj!(?efeOc4Ow1 z{_p;ln#lNV4s74m2O@eQ7+j_Fxy@PVHy16J?QumdPsgyvUk^7nlLW3aN-Q%{Y9O3X zb|l|Sh|g3%*^!ROj)<(`fSLK8m#NnV&)od zcXxMpJ6sQU=TF}Ed#iq5P1Rl1-d^uaPw(tJz1>ec*jgDtKRj6{giR2+AZSgK%Z+4Z z`QV1XM>Coy6M5-Y*~TEXf(_+a_|dP&hc0#q4mxi9eBJxg$?pf%%?0WTpI>#%F<0-# zX(5<*ZF$PZVPWLxX%{J`WKHoaK!F}hdOMno177<}bw~;Ct3%XcQDXR|RB-fwpFl3! 
zn;F@vVhs98ta@1Y#D92891KW#VvL8RV2N_i6c~_p-{LP=fmM+E$%p^!Q_Tp#%N*Xd zlqnHTZBX2-rlL6v{7$6f)k@s-t=bYC-^3JIdA}aje4Z$BqsJXNh}MrOEf|-of=L+& zZnmrWcox{$d~;p^P(#7dZkAFE=1g^CggbpBa&;y zn9cKk6HV`vaTA!OAu+0wva%Nfg2KHy3|M%g%1nC9>mErq8j|*1h z$RbS2{pQED*F(K{%VV826;NKUb)uNQ4ETkQ#L{pp2+)-%uV4HbH`WBO8a%%0M4LF%%^3sjb zXMjOq!1-7A=u*0p2W{c8=j?pt&&??nBIhwMHrpS?G_WF6Uv4f}S%a|Jya?VA$`i7z zd5c}g<$y808}#kEw-+{^Wv;NdyxRC&V4H7C-;rLtbZ@-$w(CCMz@z#I4ULXPt$E!A z-x+o@!t_({waEKOX;vA?HQq*{r!_tj`R$_RkFrFKayp~?=(C|(=6J&Jomqx^^JcwD(?KzMd8hRqd%zs+%}Q8NFxr>!EnnqYE0*{%WF49(;5VLnp&YKKH|!`d@DgTH+GyGjYBW>%fq*=B~xgkLP%(4^ERST z<4`9mpMPGp@}9Ln(g#E*;XTsa>|?sYwXO%1%;5RvElc-*|A=Wz#D~-WM<93SQYPj> z)g~yB3@v}IphyS(`zZX6N616`d9*f6s(i&Fv5(QE4kfupA(>#}b=Abg2Ikq%c&0~* z1D<`V+R64K9v7jaaIOJ^TA;(t2WhN>lF&4(Zt4E!WnmIbOo{%!_aqGXo5i-B(#RnIjGG#zbRzPq5@!aY+MOlIoRia*g4cO04;6 ztqENQP+}G%-3dGFF7ej@|&)^#&Q%A|XTC&MQ* zmf(_=xmzxH=+;&zCL(%Hg}ObzOTouZHw5T?;~__*pE5aEB(9p7d-0)$`93`zZLcH5 zk|TU*n6(W?hLY$U=B=8`%2Ymqu8vLuZ#VXU&?oE;^zk~UMu%G;N5|`dwWryP;k4#k zcB)Z5b`_N057N1F=5=V8!mSYj=pA}US|r4weSF}ukowO8+s(kzcX4cK-ojepFGt(l z+b^N<1A33-ICEB2E%mM}VTM^oGFSjm%hsALQ%Y7pamt{p79iBz@kir4lD__-v?!01 zrBM)#pKE?T2Kr18Ys+)!e3Od!t!IjVui`=Oznh zG=t9ggs64_)V;oKz+&S@P`4dJ81wmzL3 zp9-PpJELwDCtbz1%j5@Rsmq9cD8>0v=y0<_>rI4Z`SUnHriqp|;zmH+VxRdN2SHhE zQkSoxF9dyVhkwdz(r`ofl~6c#c|wY`oc0^y&}E3z!apNM;G{`CmkR6Sw~(71XD^kn zWSWw?k@&7_gY1f*pqpp`X3PB)G&COdohFe2dKf=(q+GMefyHk3Wb5>eJ=9I0vQALEm*hIhQ0HQ!FF? 
zP~zN{NJZr`w7Cwt!?7rksc3H0W{2+Wa?M4|oMy65HS2PgJyFc2vW76P(x-eWKW@-R z+C{XqE>aeK{h`0&299y!UE6MN0NtgVOFh$p_Q%_6rWL*>_vZ)$;^#|YATan5VVONR z0G-(zxb7gI$XsUw!w#^rZIqPJ)QYOQwCOAkm6%wpYSEDx!|M5XOPR!NKKPh@!R_5+*oaoYXs5eFn& zup*z5=N8p`@+D+u_r3Q<<%reilaXi(b&4De4GTWC*ONowxEl{&pW1#UHtNMiqLw9G zuK%|oY#3MUJ_R$qC{6ajx!c`?U{j27*3#$?znZR3i(3nxLfCaS#k#ghV0r{bXM+If zF{^{gRb>9(OL*W;CT}-Pme4})UO@*+wIXVzI?%QI7Fk%^s__uKFFR`AeX4Nje25BQ zSxR=uFcjC;@&tHmn9|cGznw6M`8uAoxfu8zu2QtHFz8)ZlZ&Ssy`Jkr5((wW@HMa- z4dqot`uGT~hIO%%QMb0=T-_}%L+0KcDD2d)MAL^8cyGxJy9(1?mBVXsoyXA~+wmac zn8+j+f+p^%-kPFDiap>^*$Qt1O}@+rgI$$SRxKT2;c0ky?cj5y;v}+XlYikEp)lKm-3 z!_1_Q1GAv=E*%l&h>Tb@VOfglkHn8yJ@)hj`yOvx1UUoP!f=hl*=Tk(Cd$Yk-eUPn z74?#ukhypv=&H+%c*GDd_U#26Q{}HwP{=^Rdp_FRy)P@>&id^DH@IQOzOwvVD~f}a z`lFmt#f3HZ+CXUBWn$SN5y~XQ^BG;tG$H?c_V9!7%P>&7JqkaWfWW#aa$S&Ru9kz- zQVcMUk0vNeIUd@9Brxsg=BkW#`H^2^0qodYHwTVLw>agMA6Fl++;K{1b*MdU6_MO( z252Ikn0~h9MI+QK9ogVZ?KGux-s2SbVx-6(`vihRV5I>bbejYr&%FyXMwgC=6?sA| zpj6SyJ3)b^B#q}*JIK%6@>9g6AwQt&10v-S%H_CN5Nt`#?S zEyil`>7*#93MQ)P3~LMx;_YGS!eJJ6%;Ql`mA`C_x2ZHA5V(}36sg-S5F2`uH%S~J zvOR6l>q?W9_@<{rE*hG?O4Y5ld0=P@c?S|;FNd0<0RHr$z*j>4&t$d4W<1kDTd6xFiU@;Z;GJv z{<&|Yf@9Bd^LckcBv*KHi5QkmMx=woey!a!KiEDh!@o<1D%rFPB6DvE_>8P8X+d~Q}2@g60u zsCMi2u8|KJpGy|k>FfEI!69kY2e2;3%U)=Cd*aMCjpff|8de_Q#=?$G!+t-%Xtb9t zhv7LGicK7-?&)bFP!eG0DkPmih!^ z7vux8R~-K}YQPpNo?0%2QTTg?hwdB`h1Opc>tY34Mi2tw`XgmWFcQ0*zI!f9hiz?L zY5(cH-e+1WS#zfX564E0I_kg}rpj>x^_L{RO_jqUQnUN&Glms~M#XkMpuQ+pwD87& zDAPL5a7#|ZPphQZlEBK;aM{sywFQ>sr>I_i&FlI zQh}{p$*+Zo;^S5HJ)G^{qs71(93JC!h47iDLxdViGn=HN~oaglHK;H#SY zqbbl!61-~|{io+siW=N7ezc#g6Ee{SE}BM~^tVxW5A6c6%k$)E`t&9Zwv}4W`6;Ce zqL{G!_ipY)2#*hptUj$4kG^Q=rGd*A4$+ZJICkI!n(S`@_ZR$d^#?i{QHk)wTOXr5 z4h>j5MO9}u@01bH+CQEOH+;s|;{~-J#e_V%7o2%ZYrPClUD}tvL@zl}pPl$ZDI8{I zZ(X`;?NvVWli&+5;Qf{8cxuN9fZ2j!3Np%h%6$riYhefiZQtshsg#sV+A`#ZZeVTP zxWjZzd`gjkn<43JgAK8(LqD>Qrz9SV2mwQj+f%{6+%1>78gAQLo|I6(wq$+@AR*$> zmwnmXz+k)Mrks_?-tOY}EGX6a?an_l=Hxk&jkuQFbPbsMcFebi(#PKJdU&TK`v!S9 
z=Biq5hNN7%X$AoeVBDWCXUFrouE5U!Xrj47atjH+a7Vo%ibPb-h%^ABMsU zGSWv9L-K`okU*GQ*RmBmO}7Zv80HK1jG(5S-?Z0P^Ozpu!;k~K{&ap080$t-hbJI1 zA9gZ)(~})W&^BCj8I+6xMnvEJ1Azt(7R5q=Hcj8DtL)@q z=lw`s%gmuXo4X*3id#^bp6au_jouaWcTc<{gd)z!&9k+m8XG2R->;#cUag%r9f_J@ zlVYBcHIwH;-sEMGQSmvFLV7Jt0vAbj=~Is|zh-{m=oGL3?mQ-EptHer<0ZAUpVu>u zX1z(;uGk0dEwCX9E5458P^AWn4cDUm#_N*F6*y7a$d z6cRo~zhtiUI1-TCqwCS34i1E8My|i$D`U^aBACHGCVsyWjV2)nR(kwGBT_GDMAj{gfyJC#36L ze(cMd6nDY%K*r1$t{9_l| z4~*jwe>!^!pPmy|EgroApdRUOBfEsJ?|0!Q=45zEaOQ%ZRn)G~p{gid333&=iCegyH7 z+d`y>vQMA1jt4$SCAQ@(F7Fi3O3>igX%xb!#Zp%Mg&s%odJj<$P{e4f=~2qR5^57H&e5X_>|=d?f7g^`?`Fp5}Fb`Q5L8r9g01H(7n^ zsy#Q103Ev`bC61yqbx5l7u$(t8uI>Ty!g?9`GRzc*%jfdC=JHPO%*w;BVTjK~jb_Hq%-Ya}=& zV0IvYaATrBRR*D<3;17&(%(oM>HLwoCoj3)?=jUwC^#h z_=>To_M-_0tQ&^mEj~XjeZ+a~gt&Bj=Z<=5^_dn_eL<%Q9SQ*dY^z~WqSqW&8?UQo z!Q%*ZL=p|W{iAx0rsg~}uxo?vpZ(|rH>nLxWqq*((+@KR(X7TaB;F$Oa-Qc6s%p=h4J zZf^D={E`VbGZhP;PFfCkz_TNBFx+pXN79&m#&4h}s+tP+E%%IYFC(2P>h)<66yJTW z@~eQ9L2Sy2$8l8pcnhfq#(RG&!SjvCN12a$i`p-b7moowrVHPENP4gNmc*r}kw_B| z9{`+ZAA>OAo{71qjJW8=1PZ6UG3x1PB44D+*In5oGO}pvX&Bssc}X3|m?5eKl&PrS4KMdwNknSIJjKUK7|~8whXn?TPaYB8>OEuSvRWQ`ZI%eL47m}mCkkse;Z?akAs&7TNTr^YhslhNP<${*+)p?`1 z5$77{zJKg;ZOkPg0|_ToMR-pHxS%tYElSb zk3ew#$CzG)*{4JD>EX+4r%U)N@VNEg73o3qP7P6XyUl72%+RDowPAMx0Ag9duDJ z^GrWlIsCPvZaYSX-cy-00C5La5zQ=4$$V1sB(+>Kk3=vf$)O=YPVEwkx1Iah_(i%r+?;s9QlUtge+Q+0#1;^NZ_(n z)s;_lJbU~by-CM~hMpP*kGMpc0*M))ksUG(3oN+kqw;S{&&D;wLcOOag+YBjT}_r+ z$y^Bk1U!=1PX%h{Q?u_`G~jQIUN|{OZ*0KX2?n>GiWa6px80vuKY&`!1|0;WMn@aIndc74-*fJ{$Pfe9A;)Ya>JrkukR3lkgNj}Z9LM{wlT z1aHOKmj>{eV4F&x1<#+U+5ddHehC4jtyQye zNs_ARp`xqf=J?Vw4ahG|1inP0UaxArh-aFWM9wL8eP11u^fuzf2}q`?ib@z~@$soa zB+seFbumkX3#XYUE;COE6i$yFd=W(*m5z;@kB~AmxhOgh9;@l*b-tA9c+2M((163_ zQrg~ao-JL@cFk=F!bHc3b^GCaR`L5jsP2S}n3;#B!Wq|A7MXc*O}Dv^nCm~R&~XSv zuc}eFJ}uGa90-Yu2`w`yh>$xW^sh1$o!7Am9S(W2AT9Wlf(Jc=BJ+%A!l#!BTgH5h}=JzRZVziO-8MED5FOlEcnKfu%WnQ!y!dPq}6S& zgrV1XDf^JH{C_mkXQa~J??&CkJ{XGLkYeI*CGbQepqwPVM$NV2 zY`f9mgsadMNEQnhYsp?tXTu!9(M(Xhf8yn4Lh)vskXL^{I3&ZP9AkFB4$xLQ5CXsE 
zwN&c%vO$WEV<1@yp}iIJxtk=_G1NxDrWgGWGoLRjY&X)JqRm#`c>4Cv!vW!42xxg|3E-4d&@imb8zen~07yWSQG zdLspo`9o<~x~ljH9XI-L9-uSO&f~2WF8&JxH;D)hExV1qQBzH8{M+*`o1l4+?SxbBjfbM~Mv1PsO6%>D z_%J6$Yz2+R=^Y?BT`ZLk11$|?yz+H;*uy!FEeBg%Uz z)x8Tp;mh(_Ux+1q(@;Y$l}`ap6f)s>M!WK-wN8Q4DM=4=n2e21!bYH(}v^9MM8OL*=?XFR(p~vd- z)35^x)qQ!yHN&|rJ^wL`yU0eRysCr~{NrY?;G$U{u@7_EK04PFfA^gc1J&{yYHok$ z?B(pS0Xdm!x@4y)taU84r9bK4U;7(nR)9r&##ztlC1iQkHxl;+Hq^Us{*q%E?VlM= z(-YY9Yfvy0Dw|2>D7U&uKEeXdR(yp6Hx!$wKxY3XPG>|_+l)+LZ7jj8xSw0xvQjbd zF#j*lc{A=$>pW*KF3y9XcQZ>~ODN(nm9TB_b&HM1`3v#>$w6TT&2H3FVvMn` z7Qm3d*1y?(KD2KvkxzShSi1IcUZ<9^@v&&OKX-8Dc(&MHdll&MZQEixdUf;yhIq!7I@T8+F8>ES# z=2vf@?6a$6^_de&AW-q zMwR1lvDamZih3#cMW#Roxl$p(P(ehuVO z+a!oEGc4F$wGAJd)Ac9yj~Iu}v%3+&delRd9qt!BtLbXn^>Obe*DxDLra1WFg}dB{ z+U(Nmgq}Y4c>w|4)1GY_ZoVsMGkt2ugc~W|kwoh|Xl~e|%N8jqe_is3cZrvQfwZa% zOX=xVjL)jOBl)m%d3CVY`ocv0tB85T_NLbUPb|BzeO0E=%7X**$&P3pCnd~O|LZxz zFOmeKJLxai8fM%5PIKbY6gj7K(Y!k2d|waVB0Vqw{)F0S#v`BU>3G5W1+k_k6Dq%| z%SO3AS5x_z3(@Zj1DJ3U4hz91vnxCSm4blM4DzWyj_YMo$289XcLz*NR#c&S5>*r1)Pq#XUZMQ2&jbKIWuIo6d6qOhbQ37$YE8wbb`qgcw>de`S#@^p<}H z<_z5ji0@C2U6%%MOjM317X-tvZ6;(J_FgJZk~6Ia?qJdoP%i{e zJNT(K17*t1GaP^Oe>Pq#+{iCzj76hYDZ1pHJ17hPO&ae#_FQ02{voS{_q*d~OS;gV zU+wP9@teA{wjii+Jb_^<X49SApd{FfNl)h0o$u2O+uX1A1KVy)n)(gLpiyp2M*d3#m=I5Isv(_dSuWj#1t&f3|dDlNWpnH1- zjA$R2SyqhC#395K6cpM^g}=JAIp&DhPYXbK!;CJsytGJnnz+S>iVUCKE{wzm#ZKML zYco@yolXQa&=}C(Sk22LKoUQB1^5{u1MnsX0>f}$3HjuI{N;W`zN3mv^0XEh%8od% z+YQKe9lLHIy!r|A5E=XQx&{FvFWYIEr=!Zi_#=xF;rdgfy36}!fEN1cfhzv$G4}Gz;JWteiDgC#{?FoTpK@Jk$oQwBZT)BU;nns>%a5(v!4pk%w7l9)o#fwB?ETwSeXDQ$E}r*$4~a7 zLHRJ=HrL^T>`_h~-}#}NR;rF4uzQG?J*2vhvV^~9H8O^XvwF@1-GPcu@4t-)JWF8B zzOeAL&F1`=D+*n{DNR7fZhy-T69;2iOw!517LtLl(zrc}Nx=S>>&qhR*b98_j;-Sn zF6(SM93Ju(FMG1b3G?@um3Rxk>Q>PR26gi!S78e!7==pPUcc8?p6(!nq+0v0Z=jpN0ul-#n6=+` z>NY@jGx50B>l^bW=?nq;TphtcmSftPaB=IBZ8dtG1rL$h`V&*rAL}VRFjYLK-Fg^A zoDZR~*U5RvjEVNm9LWE-Ep3a)e}C*`B(HPJ;REi9>~^4b`@DP(WXqP~pMG*TtZD^Z5x*;39j73Uu|e5wh2QEzR+7ydX~zxiHM 
zIXUOQ{nW6{{7RVdbLnHG#B77IPwYtlziY-O!}kx~Xh)E8G*)2>&&J*p?*hk32T1pY zk)`!ZUUNAD{+%`A<7tFX8NBlT!q3r?c3+sOUgVzbC$}R2LrzR zM=L!(ibPN@o`_iU()r_I;{P7}pSqT|JKk!M@-Tq?T#e_r8F9a3-g!2#CDSEP zER50(#=^SXODDE&JiyaGTBuC0xlFLqKR{yzN6uTJn2u5%FR{5_?c3g+ZJa$+@pO-A zH+R$9G}Hx~wEY_)Q4cARB_)jt8Lutd(_u7y*Q3Q;U^KOa|2I=slzDC7FQPBI?+v#D z!&ADd$6HCcts%H$I=rka4}(yqmkuBJjq4qo0BVgs+w)(E7zX)!`NnVRt=Scs&j)4} z{a}{YP%5N$9*4AUWPvl#DLh+*!pONkYq`EOZX7bQVicruEDca21D;1N^&fB2Hd?-! zf>W&3EYF*7k1%YQfQ(_WD~<=Wd-IcVKd9ekNiWJi^JZ4MHnBIedA2{@gPY0irq_1N zw^4uNsk$o!-v<0h;lV`8?>Mm3^uw3%-TJRYU0fZImHOS;TcwhA^XY`MnV7xqHzUAk z0uEsey(z$K)Ti^X^=!RcegNhAH?KqpMbgDZv5o(m^zXcm3)b6jg+sBB1uz5Tnc6-I zp3gYwKL^UzJzOr;Lc3+kTX0O$JvE>tW0lG9$?$%u@RJ%`mTIv%vv%f}@G&4Z?leZy zKb}i*6<7C(qr4I9sb^Q!<6s49i9l$1Go9dBu|)UxK~XRk1#0n{CZ0;$vs{u8=+MsG zrHu1!xa$jcnV5V<=GzsRzD|%A4fTFS~tuv#iv<=Ef9W@|Q zDDO2^_|>}Ma7f0|=-jR`?d7K4Q=FI6AjnpT=gXT-cJO&`5|R;Rzgr-wpQ1CKM4ff~ zx*>2}Qz*;JX+DLZbmu(8CfBfalhUO@JoLIR;Duw|e2)}rShiuaa+$|w@U@T1Q1WGv zl(&=bXTONG75VrTtdIi|)3}Liyyq z8z&0*dnAX2S6|jiL((({G7=%O;$jZ|kaGBgm0S1ihDtvHnx4}y$K9}l4X!!FZgSh8-UpBKKV@dycmG|Y75N;qjM*51slTIRk&%H@zJ6QkPod1xa3SBkGwzZu<^llWiyH2Pa{b7+=X4c?~Y7A*bMac(8n%TSHUjvmILIt_iwT?}C zySgPfZL)SdkPEGw&Z%9DVD|guEuW8>_YVP41x{9^yNjatf73P7tm-`Jx=7tvyDAo5 z_&|oS2#kVGn&w$8JRxZ0~mWB!#|{;4}^K1a0r@w+>%l<3P|J3k=gh{*QGx zm@w8F8FZ|EiO*N0sz78ET476zew7NtPS9oK*L~hocPeTDT6WnYaK=7 zsy}mU7AjIE*EgJ`8vrHx!V5yuhfd)&lD=?~f^RjuV2al#p9;;Blaa`_n?H=(G5kWb z(>r`M(WSp1^FO?Z$e#x6t1Pb?i@Qhb*(Y46r&z>QXPWXNu>Q^+X7(Wrymp$->zqKo zwCHi)=Ue5s+YbUk&1{|p1M!{O@y=lW_;F3tz1);4@{xw|M39YY{f`SEnCm4VQ3nm# zDA;t-r0WIr*!@=Qw##jg$?W&Vaxny>Sf!P)?WMN4>rw;3pti2?W?y6pl z2=Ro5%ie2hH)Ph^todlfi+cs%SQuT3Ag*ZE=A`lJ$g5Z%@0$_mEN4xAX0;0BmeHFh z)^aUMDZ6w%eE~Uf^T2t#R_cx)i&TnPGvfy}ej)_(M@R?9vS;_L3qt6J?ZVxw&JFG= zaOhWC;?=AA+AoS!r~$5$3AaJw%`T@H&9^6LdvbqfuC^1*xr{6J)}D%O0!-6^3dM-l z?{uG@$Tk}DSi#0NWm7E~j42l`ZA2#T=uf{Syf$TIkQ*$t>%#3;m{3(a2rLCnHZxUi zWIps~!FFVIE1E$2&`znHrU9SzBO@=o*Q3Y>g+Stgvv(Nmsq@_=L8i!U=WwSA!i8Tt 
zwxT%}&~rb|t?0D*mxeRUzJKTx30SN)`Hgs!chh>y@P%nWA|r*ZO??r#GrP0ViX}9) z$+dsyYyy~_IqER+Jb3=1^( z{42aW57+Syk78svaKr1;WBMIT+wpRH``VDigNK%9_uYm7PVT`oA2RqSKXjLU4O<0C z$eDMBoN(RT>wS-CDQS9X@EhU0t_QQ$YjE+=6Itm(t*#gznwaZCjhm*cbg`?p!|2Y& z)xmUEXn6~HzIjj7J=l;-qOzV9k>&4J7g4nt-?69{>5RPXgaa#2g)C+mIiPC#FDQk^ zeGF3PJ*#00ZOn%3=zW{YSiNOrCVrJ}*e#O5pn$}C(?*LHM~!_Bu9)B0(g2(({kiRy z&O;F{FsI#Nc&kG4PV?quRcZJ5&>t(DA(LNUnG*bOK^Y?@0uBAmuSMbC+xPl`|0~I1 zft&NXotQS@E&A_0xyPMdX-o@~mh)i167X8YRW&U+YM}4!ESu<5oL^D=(Va z`K{zLZvKySqd>qH&%{Q}3`*rq-=RqihEj*!g%KaoF(25tXuHXiNVqx1v1?ezL$hg^ zs#4YZRjd31#VhN!bB)r6+iZf&$=_OVMNTB#fikRZl&MsVA7CwBE?HYFWjJ;14g%^> zM!Vb`x-H7fe?Ar4Gp}aJ>H_OxMA06EI69m#|MQ^sftNG}!Swk2X1H`!Tk!#5%$Kg| z4Q=d}F8hn`S?p{#cu^6I(`V>>7~=zqHXLoDl`@!)CXXlrp&*UHvsXM(<4F~qsEH{5u zT|22Hl^-dc0tXus8JMbC&I%3N*_T}J9Mq~N9haT=;#B3>wbHVn5Cj$O(MvpFcVQ~M z!+OtFN08U;>Fbu)#qvd#cDuD3Qzh1#o|}xtfb&zKA=1dKWdckzsQcz<)uK#hkCmTZ zs}x@vGh;rhz-;IW3WF35*q;xdbjsR5 zrChMV(jOz)Y|6i~w!RmY!-W{0o7XYqJ34FgHr(=7aw#*)4}}F*QZYWGuQ(+JPA->X z*xc!@wmNFOUXTu;mzu?e{68S*#aCf*D|DbrT{6BDGI-d(9{o()qpfmb7&B8atq;5< z3)#=#{I$c@N{2T;B2k+ohdK0lmTK*UxImuVwgUDF)57i#M57AEqU4@>2Tx18C0{;u zDBvG7i$F!@wqByjlRk;J?`68(DMB%p$U`@nM-IhwGCSGL^3%T=F(0so|4`9GF-yv; zRpyRoM$yNpH8;)d=B~uOH~0^od6KHt+codLV$Qc@Z-loMTZAcJS&-476b01E>0uWOe(KZsVYRYUOR?dE(=&jDEDQ-f&`OYcSTA`)tWs+k?OxoksGukTS-u_ zh_W0?@gd|q#li?V+hCZ)rx@<-1>_KDD!1+_#bX^#iaC*I{clJ?R-%u zTK8?P!Bk&>H%_}+qk>(+7!w@>^9qKU#!n@D!ech5{1kn$k1+Ru`PX|f3hg7S|%%!%hCSzxnFvPjHt7nHlOxpt8i`uNJTt&WFOcyKOiLrMxxdJx<*(6FDLMO?D`6l}Kt1LwPx+d1pEZ?%IuqZ`h27 zdT<>qQ)o-G(dKe_IVYZw$`>{AEUPzuUIJm(oR1caTM&>N>HD*ysrmP4g<+QjLm%uu zO@-I?=(aH&2y|YWrXaEPuE7E`{2O0bfNl^62pZe(xCfYJp*ThgU_N=oCr_NA`vBoC zDG+oDTWKmO_HpH*5aPDXPpyww%vG>v1sMkbZ@EBVw*=&?k#&Ys)$8WuDCjN2sUm%H zICsQX^50QwgY_EY9xZiJAJ23q<=E(2DW-0qB!e!|HbS7HlT(P!IU`1Qje#+~=6-hy zw+-sFyy4D?EA`oj5uXh66f-DnEwSgNb~&)~V>&HI=+@7kQIq@d$3?n(tJDX6P#pFn zivWhCGp=*py8#yo$8tl9xQ%r@!NQ@`h)4+L3Dg_nW4G0p5NgD~t6~>q19Kk@IDpqn z6ecW~-(q*80FG!HnKefc_{;26eA9?HL_~)1H)e#qvk-dX4U6H})PGSo4MbyAQ+DoK 
zZNByI&v2j9iI87)R(iwRs;(BZhi4mLi(@|l^Qj)&*`36=l-~krO%aT$Z6pwn$242% zspJLH+ZeQQ8^xFf5tk(Y5?0R>XC<9^&nG)q!``=A?I%w2I_lh}m%COQwZ@EHyUd!$ z#=2}Sat&%JCruYWO^&uuVb0&&KVtoz5o}sA!Fbq?gd+ls|6BkupFN)YPhXilZl>$~ z?=N?gVrmc5Zo3a}g(id?3Ez&4SGB-EQ*7EvgznbG@jlSWrV^DkJY}<4^c~QazNEK2 z^o5+A_d{jR9W+eG(v5*~_gs|EXF2i#QnB;_B<0OZ@6T^%^XC)WiFe16@d$K5$)?Pa zpCVY>n*=Ra>i`}XfxUShS|avGyl=M}h39*f5-oh^gT^oc;~%^>lU)^hFDr^k z4u4k39=!urqXihIZjKfSb%2I$3k`M-L|KthV27T^%W>g()@#gT6nVh2R+8s~`9`3; zmKDV=zD+BhkWM{BC`_qVmFaOHo!d%UJ%22Ar)$UsqB-r4=P)iPemb})Yj+E{`-@O@ zzJZp}ID3ZU0a7}hO*n#cNw`u94VJIuZZ>p$%j+Q6mVbOBzY}8M0 z8!U{`A=ux{Wew3SQgal&@sEJiTBy3-*BWyyoS;+FtN?jWQv)_u90=}=7aGiETo04? zW+Qh4hOf03TZ}c;%1noO5JlYsAK*`EfhzN4*bBPzk2gMTzj9)jgU58(#&3Ln;KyXV z9Qm+mCOI@iT#Q<0Ps>q@At3p+&ikeMo75_E=$s7-Yg-l55u}>-D_-S+iRSU4&7!)uIX>XfXDN zue<65Tcz`|eIDTMsb4H-1u$#78 zu1$yMApd~PX;6PC&7L+5anlE9G_M4~N8h@LgNfUXy5II0<@3_ce)KI~Wm@MfT3*M$ z^u^fK;LeR1RRV8??>?@BvP`Bi3Z90=p zN36$xB4U$)vD=-$^{SECn?=H_wL{cy5*VnD?$urn5M>&JuZgK1Yo_!6R9x2RoD?K7 zaqZYm<)UuLGU%hSoqS!OJ`OTu;OFSD}5i0HXm>esx-KZPSGPnPm_xqsMD2QmiJf8S z<~n1QCg+}jtAW^!$^Hz2g_A;)gUf4o2HbM#3J4ADq}vEi)+~I2o^YrpyT(c}32YymN;8q~ztR6x9NX-C`i_Wx zE@=Ls+DPey^Jt;*i)F&5H+ILs5OpMgx%U;HIQ)AGh+d=Z44m#G;VddHOv`lwMy^0%mxW_RkqG?{3PD_ef%&F>{ zmv)1)Dh!m|{Ynb&p=Gp&kVzUIt|O_kU;%}|m-YGDv({~}dOXEfQs?2KT1Gd)zHR2c z`uhz0rg4g=eL_0H+^Yw7x#sjJoC`x#5SWN;k_(C3zk*W_eWBSa18|v!yHBA+?0P#= z&H9Hed3T4@11NeYmw^n%RB8EHbidsA^7E9b>j9JDZp<)(VeZniBz99|<*WW)k&6o2 zUO>u2gwWl@ma)?|P&H&joTK9$Bbg}&3Z^K<5N^Iz?W!y_Zqv!gT`l1FjS~L(q9#(i z)p{^$AZX)kM-_qs%{wa?pZXpZBe1T1G@JEtu5r{sJ_+B&}q*`UvJ*rV-ZZ7VbSe<1tK1AKps8tMWjWQvBAs2OO?pu#_ z;c>G68PS&-ds4+uZH2(jaXLGBk*-T3n==Xn=!lH1B(1BJO0hhMITSS8t+RC z>~*a1+kkRz{@X2Nb_U3gw~zi<9^*T$61dMW{wDX!N3;+eNw;j_hz`?f*%Kee|&$$tIwE>l7 z9|u=^{ncMBUFsD_{^>S!QHtAjx8{ITl*!}R=4Yaq{wWPSGbEkae{9^?iyfAH*kC>n zmL;o>=cnik>KBRjG_Ly*mDC!po#1)>i6Ff@M5|u}7E;+3%4O5d@$q8%oNDYQiu22g zi5dr;3U%~y`3mm)`1=v^*WUPviZAFiI!3gnZ7ZP`An890vroSAXax0-|!j7z60=!+MQm%V>@^m@MPG(l?rT*B$|g5IkHA%=;9--l;Zmt-YC 
z(z4)npLf>ZkM+?(-!=4;n;N-YzWNIA&TYF4B6o|=$SbC3#R((w2*U^8WN-!^ynSF4dQ=MYS_l!u7U05(Lw~IBNFFRnUzEb<}s&wWA&1vhf2MDn)4pckyX3#!W$asy^ppJJINLSGyi1z=8aRm z;FNlqzKiK2^!vk8|8f|I#e#9U{^_;Fd)UUa%XPy?QLR+ou-Q))IzKLYISf0bj@6PE zK9kKl`FXH%ck3O$%%t%=cFBjP=xft&5y!ZEs>brz2IueBLx~NvTYUpe$2L@~6oH<` zP@-+OWyt8dZ7bu)S&9KQ&*fQtp@EVtlTGB`&(=`a=Y{;EV_RQ(I{S<^DkAzWMt_ z2rJZr<}a2crAy-PwIpdIY|#!HYC;C6(?EUnLP(k{FuZa6IL>O~)FZ+*S> zx$EkCjAIf7)b8_mljsi&BuX65_J$MJY}fdCmfAf-3t#DWZjEDKz$?0De{FnlE<)Ll z&%j`4)+(VRu6m~Fk8_cns*U`$6Z_qFW4^V)%ww4wyMB-tVDLRSy{(^vs*U7v9mtxn zU7RLwy?FL4G5vsZPnc})=SEb_D7$o4V#vg2u>i%wp^FA z;iJ~=O9t8M1xU1=&+~PcF1kJ#hHPrwJQEcy%6C>t;3zP%BXbh!mm0z`KEWFS5+n zRzLepCPURr;SY)Z>P;sv4*DX-2jIN3kT9WiUoNbd)bZUv(u>J<>zLI8)|^^pUwL%g z2M4ivyu^Qg%eM$$6@C6_k=yHzW(b}eeqDtLiFOuNt?21I`!9znFuk25Am zE-oQ}-)2f|+GmdlCsXa5TTyqiv5TaWg^nn+ z+h1Tduay)vC}8pIC@vibo>}F{8!(l-DCXHTSm4W#vjQ5Js&IeJP0c-OCzk4`9_%v{1BEQ-9AGmv8}f)x3%D4 zx~4!bR?1&474XR{Sip@5q(BNz)~h<0X$hyiZM`DT3`j%9E*+YMCA`(uM&E-nnF=P% z^{}S|DP2n>p@9&(e+Hu8^<#S<&((Ont|wF;CC~FP6y}uMemg{S<_GB)p4$3}MU~C* z^~k{)H(>3DLN0;#a9uWK+SZgh9;|shDyNPCbyZ1l6vE9b9*v|Ovdd=n9y-b7&tHxs z_1~CD+xCov?QLuLpxBIw8%Lzvj2<>4_4NbH1Cf8sk{^ZyPvZgDT;Apy=*Dj@g_Z#t)bShmOVkVwBuy)euW>rpzAKY{; z%Bx5mc@pdeZ;ZH%8=%Ukc%j!aALaLiLKB`}Ww+5yECznea4py~c>O^j_EY{A)n5Auy1Pa-j=S_v*MM`Eh>@fzq5^oj|qU8LGqAc2W z`}fUmaX@22e8|JThL~p_aBf;)xPpH|RI=03#C(5t?z__K>}nB`{1L5|qj46j``ZJ1 z*(C(LE$p=aEI2R7_~Dyt1gc&T=!?(%(p zNR}0+*7aE|6Gh9?Ln9Fxtj_=%GH%kuT}j6Jl)Of+P@ykzKZNy2Y+CK0n#HtGhEI3| zX1e+BiL@E?3vU7hYe6#+@iDz+0(aw3^XiW#n!2vdC;pnmsB4Fy1_3kRW4J1TaZ{(2 zctwg%;g!p$Fo@?p*dwUrLQ`0n_bkFjx?MvDz9P#e^K$!47_febtT%pwJ z!$Z9W6J>$7zQR^9sHfMg1lG80H^8TlLKMG4rOTtY043JR@eJS^R43 zMv4~~|Efeu4nVgwMsLlNy>ZTSRCOM~lp|vW_(-qM`}upczr8Lp(@}5JZq?SdxgHc~ zx1Xg$)Ty^jo*bY!K#H^uqNO77ZkfOQ?osx7FcUQ_fLm22=#@*FN-d9 z;`494+<8ZF$b05}sXH>-a@se@e229bJ&Q|EYZl{s?waiAR{<9B3GK4nxHlQ~afTQg zaFJXR;2qk`!SM4ZFnW@eI1=t6-N_hd3+KoHLw!)upWfo}z{g2`2zd;aPtZ@FvmZQ6 zJ>e-6JF-%?#a`B}7$4Igo8-;PwI8amJ3i(!rq0(77ol($rvs-cc8J|LcRK}+LogoH 
z@^S{l#>ZY#s}SfnZZu|XbUs^gR!eJZ3*P=ZsxHUNIN>qOXgpSqw&AINAO!{0u{-MB zJ!(@}y`6F#n~a%u9maH-yfRobhP5Yd%#|%eh~{i zM-cYS{LaW_l@{botW)pFzv=-IFM&;Sw?)!ovsxiC90WB%Yd?J(EOujd80VJ0s&2Ov zCYEi{yqMW0Ck-Q_Fho>;>l=TPHy%J5H@XI~Maezh3Q5!=LdkS1kvnsbQQL2}UjOUP zjbJ%7ns`RmTxeXFV4>>*$Abj^jRGXp|C zZNWPMxH=3HnZLv{NP>601E5c=(+E&$x1)~{$ozHjSa)ZP9X^Mpb7rMQnK11Q@pm2R zJB)~-8<2?M@i9(Mv|O#98%i4VKtZP20O!yQIP09PRN_bnZ*@gTyZYfjK}_#{qFVNv zxzwaMgpfi&(;2VVP<@-=8@J~BTG0pjT3wYQE@$u^u~9QS%7J-Kn{Cn=2w#qhX&AcR zt=`p3<2e3{u%=HnewZP2qMoKxY4T808M;-$<~<+vQyGS^7Dd~YS6ATptXmaV4!`D3 z6v-W1ZazfbOqhw-my(2{s3(j)Pj*WlbbQv->V+T_z;4seuEA75jUzxq%EL=!pdgK< zbm?RNP}6m;%$mACe8zg2o(Z01sdVu`Mour9lt{;p2z4Sij4oBLz63$m@f6V@q)$zF0*$h(l3p@ocisCwI=5!;VX_tb6r0l4-vz`GOI_*K zH!dnIMz~3+AR{&S+zv(NuvzQ?Z?NN*xr_5RJB#3UMl_kP^b+@E&Kt=cb0Fx5plJ@r z_(88l_GjzTK1^=wXCf1})gl+eY8SO7iEf<_cv?R{4AXntBNLKGa{}BFh`|9<5hedI-7g}lZZtq0VR(~+~ zd*ajPaA;AlKtzHtP)g`L3*WqSJAswwu1u{{hfFy}DEcGG0hK2y#wPFz%QZZbj&oY8 z4HGT+t6ifMbT9?YWV5JQlQU&SjO8Nz209bee~5PEiDuf!GMKh*gSW)9YkrGMD@KiD z>KJuDC7jA)8uCHp4~J*{0qInWX| z&<6Q)GK3w}>$F(bTtin@E-7!FLjC@XQ{}DSZpz?RDNX?lEMqN^x$DrU#U@SMU|GKI z=NJZ;yQ=bilVdb;q-%O}s(a?U5u8zN#ipm)hD`$Hw%(`Fr!z(iA38-}Cb(>KTl2Y0?Ue^`U4^bv6a$UxFBS$?NSs_HvaLuK~HcdCk3qqbcxfGQQEQf{ysVc3#C+q zepX~oprAj8^RL45g-Ut+`^dxMM3FL4*sN_zBW-0ksXc5)qn?_-<-Q-EyKMEq zf25Rr*LS~#-hf*(_uV~zLVLB;)ZEM4FXM^o@36t(0p~?=WJ782fLFZL7r}w-T+vxx zr}1`ea1rcnft@ppxifpF^37S1+uCX{KHRNj(Rd3Zy&(C#^hhs=!x6B6T=``d(ij-+ zrlZ(R_Ey5MDXOBrnAP`PWZHIWw>yMUqXy)+yUkbIcXB!u_HQArJv^;nuP%|FGQA9_ zf*K>e-MZ~)ligg^yg+T?%r8ElLD8i2cJRD`6HY0n*h{@Q0w9%XiS5qAE+`-#)C~;V z3Gp4W=ChbV92kGj%;+Piy?DLf9`-y@r4WVmx7uy1yM7x=QS_IF+$?G9J(@Os>l>j8 z;a;QK1V)v8?E1cs+oi&(Vvw&JI*FB+v#7{y)Hz3D^?1?2Z_C>`WunUy-*CTf)wqeu z0#Eev#BfMVsj^wsiskDh` zkh2CgW^5v?_T$?@9wU1=4OI-Pb_RPR2q|^&d4xKm9B!nF3r?E~#CgXZO&@qBqe(vJ zfOTW+bNzBRP5mrlGxi(<KUotjH+PBIr6Ge_thm*4L@v-`6vg;qxy-Q0fuX@`~Bx%Eo zzA^t1+3E)nFrmN5PoO98!HyL4!L`J}7057FNG{tpBtDDnwBK&0eJL&ReU2Ep^NXU*2@3vrQOGsP@O7H1 z(ruVs&+MUZe_=eQov$79dTTnxBik{?5uZ0)`JIvVWHMRo_JI*fNM#5 
zM6D^jwbGeukF5==Q7BNjkR8UYbOMgOGFz?3RYB`*qZZH@qC*#WTlal2g}x(5nK1Z! z=ZH>MV+j_<3c!&AFyu7zj1V;pVAsWvG{=}tYQp(fHJ-8qgmCg;s5DRDc*H{K?P--u zP$1Vh-t8rRcFj`dgWfa+u+AbWlgA&&xgUK&Zbxf5+3#9Q^Rz`&)E~%VvZhWY_ffwud>7AicIVOn4Qz-sF5;-j(0}HL?4p zD*8((^Lj%p!Pjm3l>7|8DOF#!yi#So-{}wF*u2_NE#AK~h0Z#n$Rj;mI(K&Vrh0ex zw#D~RBPFV{K?9yNOQD6%W(NG{uZ5>=r=uL4Z&h+QpXcyoG3JxcnAmENjjWERwfoB# z-*<;s@lD#|HI{I%Ulikfa&?Yf;$M2**E!RETklJo$~fP4bmvxS9aq&1M@Wq$t5U83?)u>tG1P$2Lsv%kXL* zr1MwU4V2(SZoFn_-nQ>gNWLG_=HeMh_*yLAgUh~?G!JT{yfbs#+bIZ5p|FQ+of=g| zzTdKZOOP%x=rNcC03EON)!wU;?IAMq2CLx+;~;`C4)PEJzjgwt5Ds0eR9-=jXHQQe0Qd}cfXB|D{oUl z*S`1J`rfl$6b&bY9L|#KvMmpa@88rp?o5puJx6Q)f_)HMmki0t9n?wlT;A>hyIyW+ z_;UUFXxFeh0ddUMUmV>2da_;FfIWHz3e#36t{rRV0##A0C{0KhH_5JZXm|qAB>c%& zf_qAh@@^O4d<#-}_cqPG-i`T zedhZ86}rpi`?TpN%d67G47OoqH)X~T4}ib@((?I?Zf^K^kDcI2bB&IF^u6cv9;Z6= z2;Ay*cPPKNJ48!eE1k*x_Vu+TsIb?_{{)|GPcNDs+=@cy%HG01EoXyv{8wyMp!3B@ zLmX^^%Iy>)aNDK8M-L5_27vGu73}r#5enGwtGe!(CX?N{J{DcS1pti^u(#YzomYt1 zPPSj4Y*W0q@1GvshAY|9EnmLB2)=AJJ3=pU8Q#2wUZ#d!qwNq#XI0&7s!Fgz)xh>^ zOH$G_(Q<$*`lNQc>~ft53)4kCRV&aZA{GFFxZ6;zTciAhk?CFUinn`}cM3xu$(g^g{Q`U3pWR zN46qgR$>L2tnPck^@lP)djCvRpBn&$+5Gy1x$@Fgq;_iT-lp7}`BX1^e4Xj#{C8Be z#mI2uvfA(J(MLvd*7vi3uhH6eD!F+2X`%XKMkt2NwQUJV=o8>wBR>5hscjD={D5NYY|-eKRM`5 zloS3@`^h~uSLl0G82|L>d3CnnPwPnF3xtS1wA1pN_spu+uKB6bpb#a8QLrbAI7mth zI}`NEq9A&BLfar7*YDa%ebw%fWa?W@l7QO77Zhf*6+2lVKEHDwjL3ESQT-iiwi?lE zmHqimR%_AW3!i^94B8Pz6C6xogB~&e9NU_I1;h!fNWbf3@R&Y9e&43PYCq&<;+{U8 zv@v-cB7(+|=Xg5XvXAK+S`@0{v!CTI^!-{{fj8}7Gx1%+qx;6=Xq z#{=b3cMlH8XATeE>3j=rHl=NJwfEr^gKT8o0-D*du}6veo>%vgSU`d9+eb-b@DN-* z1K<6|@4m0UP1?eX*|7TlXgJ5_s3_;W5E$IdCgOH~s@WlS*E~ZusyB+N_^ic7{D%SX z3Fc<0C|=jiS96q?6V0fjeSGlk5zQY~^~|;_tgxnBSXoZ=(3v49U>A5ypZ+W)g)m}xiI=}Sab$a#5<5`K?!`z_88e?})t3$WrH97rh)eQ7nkV}d{@X8a zs*g6Z4VCR%Nqb@TYpTG9Uv3EUTk0HH!4?5s1W|JDAezqie$Of1a;s%}-J;~ZC{NnX z{j@gQQTTao%3>Mr2q*nJ$0%!c;mRZSi^EX88o*xV=P**)tq%s3=6`tmiZ3c$ zrY*XnWcK0*il2_fzw}tPqbGFO*ax0O05GyzrkB`0R>c*dBX)S{MULmi&8|6_`V!(C 
z^$}Z&n)L%0KH0#Zx(fm3G(&yO8L!z77+vZkyykwx6XBxxAmp0haDs`+5KT*HH(`di z{0|v{3cS^e%{S+|?c*cF$8}@B+%?>#YWRs?`Z`2Fru~kmJ%1Dvwr#lFKkll0Huh;# zFAPpsX;IN5B9@>T6(su>Y6}LWxLIIf>(S zQL`|eHrk#vT%F64#~?6#f-=G%ux{R9FvIzb(<%{_lxumyru88LwyJ^D+FscUaG%D6 zg7oYG@@wbaRdI)e3+}-k1JG@PXtz}G260cGs@GdKlXm5a6F;{LqXLA;aQuZ50{w8o zwC%zU-;XD3Sh1OAD)BxZ?3;~@C;n<=k`M^z4OCj9a-xJ_=v;)l57Wi!ut?2qL& zhq1^Wo8xa>J!C5ew2SUyaEXRWIEmlQL zN@Ksu^q8G^0PVXh{L)UOp}w;V^@*M}^`!wx9NNnX!EjydLozugbdR(s^2xFg;f#qW z!jDiYVmQ!MA3L+pVmuzIP!n2JAvt)gc#fZkHxufLAp`GRaUYfdKiQ6rv=nn?xq#Hu9hp1R@6T>)7 zl1n^OV}w5>ggiDMNAyFz>|~Q?)>lPHi;}1R0f3nxJ@$aMpa2lZMsZ-*BZbxS7~BBm zH_!rjXWZFs!qy&{IIi0rWgm~W=d7H6EH8HU9&}30U?F>gy_UCXueXVr->|)SaF|We z5j00McZOrTz3`WKT>5f2`Vf$zj@18q1b~$q+Gld9J`u5sIiBtq>xz0cxEYPh$@?hW z-R{Iu^Gk4gNrN>EIoLi2!eMF&q;ClKe`MjeL14gSa0iW*dhN-O#<=NB%)U13n`_TZ z93{K{aYX?{WgbX)+>9i9cc_rRF5;ZRRxW{ly2ePXGTf1)(0I|JWZB{#_10mdjh83h;;diye!EDjxcY zK19f`vz7{NGS3&lp)iAUiFb?u%=dpRWd@iQ*>YFnB#}&4p(TGQLS!^l#d5caW--Te zc)YniIFA2g4ab9q2nFZ;#qxg>ubDK+PU=TJlhiOavhNcZkq88qv@tku(l#-t9zRI@ zA8uR60Z71V`Rel*IgDGc|2U{5F>p2b`+d;f2^~5`vgQHI(JS@po$)_bz!85lE|7)G z)kb-;If6?jJ(;Lhght^3;f(~y>~2hf{(DT6P^X^W)IVA@fEm6s^K|KHH7lzr+RNGq z;=rKENHk!d#NtV?tI;MLD*-Lu+$F^1>)kI`glq#Fe=y0y6`2EIR*Hq-=Ky$X6vdIz@eS0PhNelHOM7A+mHPRaJpUZcfgUok`~tCj z1#z$*Oc9nSB`T8ZC%m<@pkxwR(?~qC!+(@|fa!ifayDSlfvn0S zfBADWeT1cSZ&x37E{8&w#QfMFj$K4vC}@PUM4#bwWE?hv&+5R{lepJzM@VCE;ivwn zoqeFNwwM}v7S}YPoSzj1>Ln$q>61GI(QsEn9*x3b zJ1D5{Jv;E;yvsI)2Pp2X^pzEk&~Uk4Lx;lS$FLXDGK-qo3SkU&?9}WgM5RfF0T~&j zm-z9G5d;&>Vq(F^vLnM=ZV?9HYZ6P%9PO9nctq^RVRd7R+^hd1B}+^I+d;9p*qNm! 
z2|h`Rz+=<7kJyPgNQ2sFkt%7G?0~xN$d^CJfVV}TG)(6m$E3WSaO$g-5+sR64tM^h z7PZ^5ZxO1}3$-Rdw23&(dgUSlp1cD|gBkR%536M4+-jJWx!QJ+FXNyaYIy$5I#t{t zS&}fMeDBf9V#`{ktRY#V+&27Lo55$Dcx>)$Riedeo1C*O;iU>_T55YD$2*ytBUFIR zy&1ds@Q}d`W^4GE(U2tLA)_Iim(eZRow0@1$)c-zteq^qU;bEPUOClSbylmq)ivO} zn8UJl{_E{<-0$-D^dy0nJ+DDaQ#m4H3@Ty_HV2c<0~L6zBTBxol!GdgZ~^=9U{W&> zi#|Pz=ua*qXTyP;KS`4@F<~NNY9?EE9JM#oqExOK}8+GXCwKoghad^53$`3nu`4YA=XQ+HN$XPTF%|+Jl zUuVZ13O74{EWWi$Mjy{EG}U+BBaAOEQlUa!q}URR-NJVx%GJxzGxYHd}59Z4UJnQ?ppZ zw%nmJ{QgNPR_9k`NjbOqR@KXe@n~jFv*yyc<3(9jm043+b9o2;wb+=)N!ixbiKlvr z;uyDa9tCWCwbVRbhP@^bGwucwdM(C@_%7lxT+MDBJiG{2DZ?L}P{IM|P_e%3FU2xxwwnnx z%8d9CA$HpKwNxx{97cZDONBRQ1)1wftiwUP6mUH2sdy!;!RI#d;wycL3#{4kfLhe z&lAKyXtLQUBGiP%7^;Ei{PR?kcv?Sj`zkrMI(W7o-wSYPE^nS5_AzZqFBt|9wfrLb zP*MQRVQ!W98Ci%R^b;n6OrQY_=)IOyZj5f|Ad-4|b{qgv-_aj0dw@<7kZm(kv;&C}>s;a8%)E zg?jLH3%77ezBIXtzSoVLPfdy4*&UyqvHo-b^D51kErV`0p`>-WnyN|G6xgDij~5iW70Qv904oA!uyR#^H+*zKc$#lHs_@5zG9^oc1`B1j zqWGDFUHVH>04}t$*UH}C!41_Br)V@K&K%0LrkKM`CARULBtbDC^}dirH)D9ZGL9|- zd|G@Y^N5Ak_SVqJd5R~=*swN;IvSbsNA>!tXO%@x@p&QsbS{1;k2&tKxwd)6aW(!t zx6am@x>3U~v}2uLv_iPO>sRjFyv69JA_ikZve!>1!jV$R<1!+ZHt*rnW$e~t$KK&F znN2*CNki>>dZ$T9^7Q8qJid|zUOyv9a=W=w$n$y|XJ=z)CBoFXjVtBiYdda6+^ojR zVJ!;?MisJBFR4!KC~_lF2z?b|#Wc5$3PsgVPzMZW1N`6z(`8^7k`U3vpljD)#k2$( zoQxB#(31HM+4L(4`NwJ002=Wi@(kjFEAsltJrJev!v@n@gqvEp91lyBf!lG}DTYAC zERF8yp1KKV;m_lD9o&>K9wAey5#fZid-k~DvOq@YaQgj@ydbfpQ?@f)Yi52B*$}OwsPf10nFcr*o1=hwnvg`0f1m!!m2U*yRFi4$h z>i13@J>Y!7$n+42!{s@YbneuF@n%0Is|H~TaFrJFyncC6gE_FFF=wH3aDEaikAfn@%8+7vs7x z3SZkTo-3GCQrtf6@!gT=Ig^zoX3PqJfDq~=gawpXddCN-KgrOzvY8TzvHa zp!Pali(KnvQS*)(K9?JI7dM{I&;3z{dI*w)FM)z#1|zLJxXC-dgrKwd#^x|Gnc}vt ziXpsOP73hZ5I8bPy(xGN&ou3@16`c1plm&Uwh z>`@(!J=b>c{_hN=cjyJ2e1$i;cAmO0({$Dnt7w6bx5A|`& zd*RLbOPeDC%5j;gLO!e2mM~4?FZCWx0aGC1W-!yHC`f^aczgl!)gMNyw5TJ@%9uYt z%e3iW)j>Ox8`2QZEf!WJ5Z?bnNzYB^B zOnJRnteT4@BD7HAyGEEwL(Rhr-l`&pFok91!MJ@@1Y-rH|&J{+7ncBEkpS-WAj zor7o@dSKGYzet>@;#CMWlbscEkVJngldhbHO00qjg_s{8!rs{hG1Zx&3CK*`6uGS} 
zpuro%1?U4(FE})Kzn|HGkGDjC7Gezc486a}N4WH2qA`bpKw>p!6kEfvkWxpkFcs!7 za-!L(5U9{nQ48bU?M_PV#9xT9Mr%eGB`_$X>qKD!l^I>JvSt4>3O%Gof!yqHqzRYI zA8I5xUsQ9+d^@QA)=$t>gBYS*ybJPt*?nwmo>QCX4W8UaC3sD$klJ8DDj6^b&Yy+A z7H^Bb>YE2l{!t;*-VJesI3>LkuarnhL@*m#*ilJDWq`%%^!ak$j{m5cj3z|&; zj$p$Wxf2$E=|6Xkm=zy^5s4A6CnLm8%oIS0{z@E$j$Auw?mIVgR97P8x(ggdnNC(>LCW}@%Eq5%XKWZPLcJ^}^i6DkregACzy+L!UE zJbqn=B#>Cdg^@)T0wS{pRp`PYcB%S`IlDbc68Rwbk0aUdg9TD>c_0cln9Pt;Fvw=8 z3ZJ4nKQpATV5|Rx3dkWKD`bgjNPBlDPzCl-E-2`NNyn6v>K8$Rf7WV&a=}r<*jWuk zfb5igOmH;h2_ItVhfq@W4Q6ZfFjBB2N3GJbe*eq0v*K_OY5Yh_&0+*XXhVcTs2FoB zzp&s3-EKgHRN#<)BObsF&>(Y%8;8YQoin8=YBC_a|$CivAlhN9V zs8u^QWC6i$RVQT#NeUTs6HG4{NkjNY*(L{q1T#is*`HJDB-(-phf2Wkdl1wk!3@Yu z4GklVJ_n1YfsGT)X{pvH(PJRiyJIO?JjDbqS9FT`PZw+q*RBH*1WKueNoodKH79}$ z>c}mMIwVG@2k}lW2)f{>0WEGJh3sx13S_v6@%0hd zG7x4EUA1N2aEG`%n^s46EM`5p|2JCR5b*W1b`zI8L?$?+q;N9~+^M|m18%&=Kze`! z7#Z4ZxId(Lp(39w4@yJ;Bc;U8?yru?6rH%~|0*qclfZ#td*~gpuR6;^t}kem%ZbhrCh_`hll}4BMXK3hwxVB#t;S;ae?W9#r>N3 zkQ%k3GDy}&G7?As%>^YI6oTlN$%>OH63~2UDee%azVJt`3B@!X?@#L%g^6I7-3n^B z0RC_xcrDUJum2?G`W$+0g!z(Zdh*gj^veiG&|W#9oU~pd0@665GkP#?DL^7pqtzCG z(v|Qd+$BjITFM$|bpO%)v+Qsw2#eS$ZEF05ga=p-GF2eTlF0QE&P`)v%{_Fd+m+x6 zF@bCBLAU(Uibbg@VN9aWaQe~@BOKk0Dt`OdQWU}cSUa%kA|m^rB?tUND1^)9p`fF4 zF3}l}4p@2^irdeF(DIbjqY}kAzy+sGDUAo^cN`9DC+6X#@U`V==@V0a?cM#ClF#h% zLqm$x|E7?z>93^-XPPiSSXBSeH3=uHf^eSV?jB6(2|P~zVy#1GL0!J+(7Vm9BXx=l zc>PxtVHjYa*{CM=C~O9T@Q3`N9=5O`j$eJb>>m&Firr*n?95^W84^hr#)5^<*`8@5l}PNveP4cGNqu z`zgqOtBHkcNejz*Rhh_LSV%SHc2$a7ymCnS$>+l5u!8nlW~Ty@zpD-6K_s_hC{PxU zPMjf7SN`VU^>1Gf@9~F9In6HQhXM+~*aRjt#tBei_7T>)YcXqm#^$1q5S8G|DTt6R zJpRvg4IFZp+eifYkb+t3Qq#{`8|5XB_@Na^K13nxov5*4j_MS9TIrE}Fk1oQ#6$mc z;JhhdI3Amo7)&I_Fy3n>gl9}uAs4MM*UcyaovHc!sQzS}0Ru^%?oI`G;MOxcV;C=U zMYuI=K4S%32^xCmy`Lw4(uxoN=e^VZ5HlQ5`Eb7sKH-VQ-;~P@QCD!80V3|0jHMjS zhc_@%*p?6rQ|t>`yt@Bn1hdj`#Tmo6oYKrTDr@o)#Ug}=B}|pE!Ujy>EQT_sZcv6n zvRy0#l@*g;i2x3|19sqNh$JS+jryV=z9TIa*)5`hq@3)lp|7aXMt|I?0#B%8&Cks6 ztIQRcmZ_(TrWR%>I;qgAd_>fN_diXKLR>R|Qe($bbo9$|eP=oA5lhl&6+@WDro#3{ 
zfQg@Zm&JjVc2j)L^nbfDIphY=VWnk4trT4O(_30Wgsx6b!M+?QhOiKLmWwC5@Tc); zU4})uxY>fL$vF9cG8%rM%G|g3vh#{yVa@qUOu}m6@=uz==!~TB@wGs3vA~3(HdKGHg2p3K_>Ix1OIY#3`#e6la)o{`Og>))hv)K|ny9Bx``O0famIm^?azB*{ ziuE!rDcP{*pKCO*l%SI|#GR9y^JW6S04gSc^Na?(TX(VlR`Wc2FaN!Y#x-z7d60s+$Kaj3?R=C?sI&-CGVuu7?RTd z7ro$o;MEA|I2~4dJBNpl*ckp~uFJqKOLB+&Xr_|f5kKc?;fosb0gB(j+?A~GtrrKa|JCky3XlB4nf`JEbo8@MqNqT} z|NeVuW_*D8Us&`x^$gKgGQ9~mHDlwhDO`3AcDaX7Dqg#La3^8j6%kyXix@^m%>oj3 zQ0q{|g3Pp|47*aUJ`UP{i$3UxpBip21Xg5B5gi9({$$x$ahf5)nHzwh_ zv!dE1H&`1w-_`Uh^`D2Zr{FR`%^^6bQ&lf)Lb!rEMvdReZQ@Qn0OBYwBm^E&bCeNJ<56g_lxEJJSr1`*ZLG`;uEC8)VXhn&!DWhX0 zBqN<{Bb)nUb(X3>Pj0pG_fyBa^`uu7uunPCJ=&hQap!-PEawc*w;ui0I5bR#Op)bN znOe6M;o>u#9|b^ zq$FXvAWJ+)e<;6X#TMZxQN?c$lRdva<1WfPqBK7*RPGqICs9MmcvFmO9?0-5ODezq z3v0bZ*El_&U1Gk@Q?*X^)_yfCc|>9+Ndao>P9HE*Hio;~C2aXM?xHY>e$ z8ZipgNj3CpkUeP_;Lj7{Wquj4zqvCTwp--hKQ?Ofu%^=@)N?m0GMi zWjM9RM!BB(qBARNR{WaHYac|V%WYfkBzrC_gcPq4m~$A7=Jr%qtwXy%H%QkU z@Yy|asOZ?|o9A(vDqCfFrtzJUio(44MaR>9T9H;WjsoHGz%^sBX{C{oGeO$iLnoG+ zT1GaZ&e*BEg=p6NHU8vbqmJ~DtEh3zHkc@TuOa++K>5@zJLEwpoXxzf+_X?>OJ=Mg zf8W_XV?M+tLnXS|LvumGt7PZWHh%m3kCaDMWSuNWXYm739riG5-rCk3XWqH-yrDo7 pw;G2Ty0vX`b7>t7Gp5X!?>UztE=w+{HxS?@AtEDOC8!th{{TrA4|M3!k}aB^P9-7Da%LG9?NtlWLmWFK+j`Fg9UXDRgt zWd6C{hxNGElwO$&865RgkMI_g2nuMF1LkN-dsu|iLx2C$OM0aoet>o@ECnd>m)x3T0mnau;g*ByvmNr z78=0dCY^sV@yTEad>Cpv;p>Aw#{@L*Y3CtRlOQ-1vGF7xK%3&7*y?7Q(&qB=V07p8_meI)6-q?)M!`9&s3K*XU&wJ6<%*BY*!`8;m zna6{l{4WI0d-+c_6FKQ$5EpBHa!q+4si?h^87T)NGb1y(06ZxvDW8+6IghfK#J}k8 zSN!CkU0fV^n3&w%-5K54810=bm{_>ExtW+*nOIpF-XR#AJ?&hKJQ(bpDgNo?zxoj~ zb2f3Zba1h>w>|AWcJ!Tz6^|IzZlG1Z*S zoJ8$y--mP&_#e*vi~OIB|041+{dw~Lpu|69{#*M_X90LVrvK)d0K87-4^l8NAuwq% zVO0jEm;Ps)!@%HI}T-Q~MC zT$gGk#Lxy{Bl5q5aWVIUB{@%)&AC+SzTI>#G(X*f%FoMBPRfzD5cq3OItc_X7WnVh zozHzeZO?j3nG?X^{?}m|D&(gwV?;(N1o6L)Ft8M60oealNtqxHq1smmnF4=<`f*RRPbn^}#|H-L|a4ux?8HOx9rBWYLHT8LE$^NDx~3bq8z1m&G>% zTWUsC82nPZMLi?M<+qPYjTwyr7v7K-Hx$n)G9^Kg*o7A)zg_B)X^CteY4c`5W3}>Gzd) z(bb|vo$cxzyhy9>a&tzc`jV(snbb}*KZAoPO^T^LlO1O>f?+@5l!N;V@1e*Jmq)8b 
zEn1qI$^Gm;2NIeDT)Pi?iy!YhJAAfnGFwd-{n@VKy8eAv(Gs!)=wsv#|` z)f$OmwZ>r4{HAK9?k9^^-Z%7*iYGWi2&;WY=9vF6nM7?mr*yWprfuqCnL(fZNjz09 zgB;_dq_k!4c7j0-ArH-(B4N@=opP(hzO&kQm9LcHLn;D#g|{bV1>~@x#Qsk z3kN-SPz-xAED(-B#@#x7sqtYNe8u@9e(!WMN14^FgZ`!YEiu!XX}YVq;>MQOSqAy} zw|?11gZ|fzd$+Q5ZeE5DmHU@u+`sQBB;Ya}R@hmsUi*xMo6m1u>pqZ4sm$GbZKA^Q1;d zzFek9X|5Ux$Ho3tq+aoS_U$xk_wxkrTz_qaBgiZ^zJuG*y&rRXIXHUsOAMOHseQZS zHQjke4_+>FpzHZI9JA9FxH>UVY8*P1(gy5kk=^;F7u=!rvQCkjvpnVR<~lh=h~N;g zlv-gY3eDJa$W^tK)u;Nmq^O$LG)#4M*Y5N{`&b>$vGXTCn@TaWBnw1>5A=ASJQEZ4 zLZ`~}3g}d+N(06uHS#6vg~RF0(7LtZr=n^$n0A1w5MGU?;~&ui9p=aIYiel}^+aF3 z7$iK}SXAo1%KkOjsPRJWZMXbwX7$fUKZc9N`Gv|QmPSG{zq878qG|gIaI1UE#1V4S zxHmURaiOPh=6UBPV_^@DS&d{zhb{1yymDV*rdZ~vO=BiUHQTHvlnH*6fha@IM^B|= z8JfZmoU5rx0iXzw-fX@l7LOrTI9RQ>F0}0S_NaViBrxNlICRmnS#HwGL^)?+vrV_P z7O2(HBQ%(4Q7JKf9?%~PYOLPB1ZRidmpz`hR94la5KzPQb!}AEWs?~Fs<1Rc*9K_> zgfhK(?fhw9y5MuOz{;-n)*ukal>=p^2QeY<^Y*r8F3lqe+=Pfv2URomr8-y<58Vus{}IG`kTL`B2HZ+#&IYtd^)Ax0k}L{u4K| zt1jw8ae0&^E!X&3<>&izjq>UjD`efXAnG`x)Np;BkI@S^Mpt4Rvz-(@tgiW8 z>Ixj}vPsnx6~N|~A8HG%($wq-uFX2`u-4BnjTU=`zBzQRXl3eY!`voAKR&xM#NcGQ zoc(Uv9WK#|AGynBG5IMj`Mnw&JkmG;9wOc>HDJ}Jg<%TRab(E$6$!jV8-GG|L!zdw7XjoUo8@@`8dvh)c_|J zkBMD2b#xxIMQ%3tHH+`}rhD_J^X1~lG`CBhV2{%uk|joC&>3EHyr!%2_VSvOk%zg- z0RQ`xdj(<*Ul}Yqwbk+|gX*n#>6e2g)6=?Wv&AzKY(;rFIP2AR+21dZ#A?^SrAxIK z6txS;UF!+!T|(u2=NOdB;ZxbNeXj7hyB=$18|>3UR@Vk}l*^+wxG?-jZ#iYJ(!b}- z_|nney&d3apM%i3bZVl21*#vZYv`nX!#YGF#iA)sZa`1nL1EyU9%JNIsG^VQ0Yln# zKvHsfSK%tptd;zt{1*ANsL+y5wUp*^@wQaPu7LA;qxx)6WOb!D}F3d#n} z@kW|1qrHKXk;VG=eKV)I!kc1#)C55ziVqu&P2W59o^DGOP!D>;C{b)TN#pH&^zdED zYxPoUjn(?7)Z-H?=3TEc9}rBFO**lY+hFwdsB4IqDJ<{_J``Gi9g~qY`>FuewI5`5 z9cIZ^+*8of>EqDN*RjLCQUvPuDG!NNA3V3JLcy$S2%`R3Px1kLBe^6 zP{gXIR#VSGy(oQXGr(N*ugEffrTI}YTLPcEjKAM7YD$id3kg{of)te1L-&gk$p5CR zx8x%8?k~P<2)@K6D`tIFFR#`TaF03&eli95`>CC{+k7IhO;+TUjO7!yT<(&dJYT7f zk|`QjhbnXFqr91{;Jf|S-0QP=;fYLUQnRvK#y&OLbm1$j9Z#Z;66vIt|5d79dq6v$ zcz)vJ>cF?YI@3PWjRm+k@3zCxNh-VN)wE*ADUSM9sljn>bfv*^zcpyfSv)!a4ZIBJ 
z;VtRN$4QE8{ii~kw{y;7HLSLvI(QR?8_xN$3{mTax@PgMr3ETB`%XRh3W<#ScE3kG z?&|@HHjKjRrSei`DBF%~t!{}F(Rj$lZ2e&E_UB$@OMw--o!|8mi%@DS_`KpvK5C)7 z3_7)4De9$t*l{viYTsAV`zwM7d6~Urd}gcJQVxjTIW-jhPkdU2T54~b;@c*yCbbk2 zi^r*7oyprRdCls}KN1_AT6$|;XZUSk#i}tV2Nr&rLWg4%CGWmIdjW}m)MYo$@uWm) zNt3At6sG<(?*#pEMLs%BN?O=vEZUy`D!rq@wFuJnZV-Rso30+Q^+J@}uOlPwVo>yj z*RFh>&m&^dc8;ZGqCMYZLN=eH?jiY2iS`C1XhHjK`Xf`c;=Yn{@3+OOM+?^njT}1V z5;{(ufw?Y8zJ%V(p=s2G*aDHW$2b|+yt@WFRK;J#Lu&3Gu2EAOObLb~)SHe=NA3-o zfskQTfz^pe)0KkO{Bm%Z6{P8YW43k2Sq5Lc)I{92ZbY@NA8M#<&g}FA)w_L*ey=NW zUsTsf4OX_E*e)>+zg|mnKQD#P_x-{t({B-rs`0NMf0-WMyPxw<(Gz^C_S*Dx366Ik z2^p(lJr9Y5Uw*2{D--e1Oo>O=`t^M(BM0w0U}r}1jdVEo#X8<}&Hr+1w${1cW1+<4 zHT+GvK1rLvjBau`iKuk0vZiZ64BF+dE3~SB4sAN?|(~35wtRAYL?_egm_BzPy-* z{#E2-jZb2>WhUb=XSGsqnti3+S=BA8nVY7J8e0G9M_tBfS%eSM#K~Wj^#JOqST(Pf zRzv4 zOD>0sHk~A@<`tCAIQD@9il$cVx)ur&8mG1t)p{fquu~AN5@uo6w*h)*X7L(uT@D=7G zF`zfW3=hXDqtK1gOt%WB7LZ@YC${2Lri}+6s6syZAS}OuJ+!2hk7lzFA{fbuRhdKb zJvh*p+4=C##7h-UtYJ5{Flhl;xi)3;b1cmFMEq*1+h0g~9?*|xr^f973YFb|@b!*? 
zfd06!rlCuxF`jEeuUS7Fmqc+=;3#GWiTSbeC9_Dqsk?Lm5xZF=MTw;K*@{~+g)IcH zNODX-@8Wr2jA`^yZ*6~%Kpj8y0?ro-KBNcNHRWwS#r{;6P5qQ1+184Ct*V{i4qxQ< z%c0= zA2P(!8b*`^6)HE^)@0TLH^4YSPs0jQQZKtINCH@1iH6gZ1XVf*1W<@usv|~oD3!bz z;pmISBCrG@+mGoV#*E={e_H$IgQdnq+rG|J!(&%!S?GI8>rwZYPh%dpcUH5)r$-_W zTK(qRsP@lp$m6DEfcb6p9AHORhmy8%RtJ=*=OSL^Vq>z>bHR$B@q-ffQIJ1G`x{*%Tl=w_eo9Ps)n&)0`H?CABqRe2nX-r$1 zUg>(a8UpER{AV5jjy^&NUinl9kLNTvmY|r+%^;9QUokh4T`T)D)#T(P98R#&T(9Kf zqz|7Z1R{kRI3Q8x{qx6SQQg}(o@E|Za(`PFu2HgG_0IY-fR|wsk5@?_c=vQrkL2{V zRco^8saT6&2z4m7{9Lu?(s#4PkyT3%!+lqliHvET+_L~WcBVvgsBk!0VIxu0eZzJR zt|vh?jxpiOH90MTUNwQ*F%NSNeawkxB~JXOZYt#}yG+#quYw8L;GFkqMz3GEgvSeC z8}}fT!DD8}Jxa6e*bJcVBCuWUN05Ps25jS}vT3EH*swmOqISmZq&A+tGBr4|;`2x& ztj}d(!00Z;3KR9&>K}EULRXIG9T7K5SYJ5yT2G>W@8Jw%;&fM21S^|i@fAB>WJaV> z9J-$tM|c@(h_DfrIu`h}f_4`M=Yjf3D0)HDMLH9TU3*1N0~#M)B}u-pSkWUwQz)}q z7Ra@qN1xP1+%^82azdmGoG~-A0+0UDN>T1$)GR_!YqG;n@*sKRdRV4%U4NMOg~Dp3 zjttT{5zbS&=z$A>S<#35fU2GWw_n}Z?@M%ksBTnmIqE__S#eb`&tCRC5M4-SeWUt4 zE5H2{k7$>dU$WJ+j}7Lm4)6nA6C2a&{0DzyX;rl7(wN1xPlq7Mc*z=2F$teSVQ6{B z@v5yHV%XZevYUAprZIBjyU%0>Uv&z_F|@GEJWo-CZ^pZjOycp;-n>Awi~U8oWs0aRqW>)&0+QB z0i46|uGW&DZ$QW`$YvrxHuXf0kfqKyI546 zFlv2;k6y_UUTNEkSd2x#RGqFFA4( z*lw|u`JU`qFjl;kI%FV%v%&JVh5dpx`ElzzSRXP8%=)6#Byd|YVzgbVwL^@frW`jU zh1AzLBu;a+8bFc*L$XM<}{~g8)VCsKuru~oq*n_Ri>;_7djge4+ zy}j&gjeyD{jFtwlQ`B6&*2~*51iEaKKF#N(UbR)@$>3pDM4L}4UxgvjlV4}ug2tP! 
zfGOJZx4t(s6m9yI`cd-~CXrn==rU_{TJ`dwt7>u2u1{`75oE6{8|8le1%RP5$DaeV ztTJ=?jJv8$M&#GaKQQWqZxBj9@+UVhx!V3VYFxb~nr9QAlLW}O#pLVnuj5^D5^H35 z$p~_mlF2Qxfn00O*EQ9(Xyy*pMovGl*BK6CX1LF|WYpV~$7HF~LV2X&0^krGA#$1g zjt#n42iAH{P%t2B(R2JBxYg{eV#(QFzo_M$doJU5Y8n);*B-O`qB$2?I;Lok43$Hu zlwQyTqKCTs8UYaAEY-B<&kBW`*ZF@9Z;h<@@|M{2VR9cX-eu?^CE{Y&6}1hvJK6?B z7s8|0ObWDZJfY%P*J#HRrha{Czcm|;Rc^P7g;W(HTGB&{7rbflL}Ocr9Q!tze1&6B zU|mNSgFw0HC9HI9G?AG)Q`xRe+LPB=64unR6rFy}XlJufJ}9IBWpVLSqeX$idx7M;~)R+w4;X5EEOAg3?-R$WD^ zbf0cJlRb=XPKb2&YtMaJWS7tdyL>C2-Olh=N|NlBfx8npdgY+*1KIBii}K~=Uk+6n zKOOCD8M%7eFS;66wS9enlYc9=gI@SLy69QH-6`!ZQn{#yGZrnokGJ6gkXd$XwA*C_#6iau`7>cH$YNiwSj|EY!)qb$ zppeCilE`^M09EFy^=%t#vbzV`k=4{YxmxASx;q*n+$AybRl$$r(dK=UpKLwzWz~20 z>pKsD6>oDpJ&j|S{aWu?Yr11L=AaRhLaSf8sE4=4&X~-e*T%Z1K20Me# z_fdiE8@hS{K~O_^o}W;t%1hjYx%)5%6Q3Doxw3EG@_2Lil1=o*nTL`2Z7YsUh244J zUHF2Xw*86!ftp(BJXWzbj>eSd+ZIS6IywdlNyaE}ajU~#&S2i>ps}$WRe(`o;|Dx} zvtbf?3-i~C5OEQnxyKXt+fMqE+`S7O2<7m66Qwud?1G{!VItTxLpVIr=Qx}^jXwi;T> z-!NQtRE@N&bjIyxTxuOAG6hrw9F9}!J{NYeVWd_?!IuHkUill_ur;Zl^{3PLYScrm z^5|4Uc^*7l?S%b@#nVPSV#9fioa1d>8;5RdfB&M@s@TN0c0YNfPcc)|4yU?Br&Zc# zEI>b?O#}knu>=~F6iCX_9--s4@5)QqKS{Wx&dKS90fdVj8gr4P`tj8If|TIy`)4-^ zr*Twqq<;|RBoN*~r-b`f3Ib4}(QyYLuUA)ZkKbcZVWE6AJ%Tv?hf+^6rwPw7mx>31 zg_r6UorzVKgR^Cfc$u+80P8_tO8JPct?nZ#?ewxCy^3p1w=uomLnihG0YUq-F<#LH zTQ3#PWIzY<^8t|SNhGay# zQCq(4R9ox$nCT?-j>YUlDN`fg^2{{}jzlB91H(R&{c#FyCY+eIag zPfKLzvgpf9mNl4o{d}r0v5u;B^>b)*p49QWuXoFB+z!)J&11y==5G@?z!9g_FE&5a z5H3@HnIZPR+*} z$;;W5S~Px4^k?Xcw^?IX+`eWwuYbw`x556JE6)SxLL=O;Ws0r;B2hReAy29G4G`+oK zdZMh1>ufUIoIi)OA-Zi9pjmg;a!Yk-*LLt^MYsoiK-A95XADCwtqq+$Qd=6@bj#}F zsSnWJgKwzvNOYkRpRi5z#>v^z?G**LuJYJS&(f6sR zgrvWi88ov&$(yWwfxx=KInEB!6E}quF3sWVe8Hd)aG$oIQFPhbBt;1(mYTW=_x? 
z*|xM;#=DJQ-*mdJ_!2E7Jf^Y3H7`1{R7~LW>8M@H>N7aO31`wR^`DhNG6}E?Ky=7F z0mXdb#T{P}>tc;{)$L1iN|G8?8K|U9nKhvYNc}!w>6Y-K;77%m`e4{Li7xmTO`&)Uw4_~5NWM46a=!r6QzHqOSo-+*t+38oN18(<|Z`& zO^no5APHQ`>ka*G+9#$L-Kbjb(*8icp}@7D16#iijV<|Cy#LLkc)u?iJNct%29t?_ zS=U}V9h4I9jK;a@=l&!=pZyeaPF5lFKj5uYLLcat+ynNL{_iE`7#fJk<{x-UxXYS< zgRB3zy%A(^I-`}Hapiyb{6F74sQKtaF#kl&e?{P*raGzjrBiI9dYb>;(L1!of582J z3!2ngM)MQ?S-n<-$(zld$8ok}cAhOh;l^?H)t`d9kN0MVMj_Ya^ZOO?)$Cxj#aP|a z>Gx)z(|6NTwn(P$cmCM2yUgkpZL!NW$FmEj%3y*@fo{=TVDN=!|7S(4bRV&mdUBe zYZ=U8ysd*Rovz>7_Q&f>r|uTo?!N0=Ij)Xhoe#|BT58(6*FO0Y+4@a-a4>ntxKDT@ z=j{$QI%Y3r=bgF!t(f#{8umE$YB%3S87ivcjQd?*^^M;mp6epcWOvn?qdL|i{^}?9 z)XJ~l*}OSV?Xib^Xwl^8uWW5WAR}{uj$2Z zciE(Q{8#i%$4xzNCvQ&Yxj@@Z?Q!XTcY*VZb1n|SyP1OvK6{Y;6q&vEq*h$#IUmnWy`@8E zjZ4I?T=d1{w2pq{><6BU@uip6nomu{v@A0s>xwD{`}z9E1CC$6yNc^8yq{R)a&QAa2Oi&)PZr&Z86^+Y7YZVZdYhU(6+7TD6f7n|-Zglc~q!ZqThed2B$3qjMlwwqy3i-)W0CdcgkmFJ&> z?nC_+1WV8Q7|-gq9UiWZsrENcL!#R5{5BmPOAeEG*^Z8z2WNb%_Z-#jeBK+LV!G~p zS(`)kX4~z&)v+e=?^^u8HOIZX?85ciZF9)^z+{Sh?!%+a?r*mk{^Resk)~0+zUC>l zaU@yosD6KZ&7Xrh(4%kKlPHfjRGU!vA}(v(J{r3~-Un1e=sz5IX&D|*0P zLYFO4NngS6YPcSC9QAR@Yrd}hh8UePmm;9>!lR%CRcS%2SN0J352^=x#Etc7U@ zJo}+3M(U~Cyw&b1eaw0hSGO&vJhq8nX|qCZ1tvLcLiI zxxApJS=o~*adFh`q(c?I11w>(QD`Owg^FsWk606&P1$eQP)4_vA!azDw`C44g)54` zlZ75wGDEYN_Ew1~mq_&H`{Nkmxs6o zJc&pM*_{o3y8q=_AevY{rxsd2SZi=Mkc)hWc`rPL?0Zp)EUNyZ7TRGYL|75q^1a@} zK=nbzCEcZ$vC~w_P(~N1zDjZl&yV~s<8dt^+s4v!tKwzE%+U8VH22f}PO&TH>gq;q z#sj4kxJ@ZsWy=isa`|ZK1GY~p(9e^f75;VTKQIDFZ=OWyrrQ)zGYM58TT__bC+)bQ zwIU+>3q@*#;7tCBFh~Of$-(e25yM=SXG$VnF=6%SND?a*LO-+gE~p48ffJOj4fsg^ z_08*$*J{jISlFdM=T(SZ@ke;jh3y6hbWd@UO!T;w!9m8oivKM10TjVx)P(~zkTi2! 
zLWLE|e4^pFC>nl=(Jz~fNA?%hhcyHYnvEp=3oJ$|NRnES4hF(hBr+2xcesscB_G<; z9A0J75c3I578Pg+K$?yZGGLIKh=@W|-O<0vk#9P=}#!@Ilh71idT!B3oHw4vyUE(d8nR*_2BrwflWRN1gfD!_%I7qpK+A>w{>MtGk$J4 zOo{_z#{`JupKYIhk^}zT=!eJ*?qRfzf)Sh`?N&Ek3Fn-;QQ&_}yRjpRljO;l&F^x( zWATreoTB##;G-HY7xzQ+a!07-z-P4LVz}H#Oz{d62&Hhd-FRk`w*^|P2w|_Rldq4X4!XXnNMVDbUOy%q!~K^BhRmq2Wpbl)83P@)GK{w=7s`FxqXp~@=Y;pE zkEOqEva+)BDt6AjeDJCBd+{>a^zJ9vBpnPDSuDt3ciWaOq93Y2aw ze#H>hHwP0=C-by(hZ?G?E>yO*w(LnUMG~>BOFT@bN5NYcoY#Bc_V=Um_2!WucVG$qKkx+lar8)z^TP5os!n~WfH+RA3Qd5xxSVbpoWIUPtodJ z@AKB5rW@9MhwqioLpF3%zTR68h(DbVPnN6 zKu5CpAWaGdq12%*&Y2ms9u(cF)OQI5&K4!{&^H6i;ti#dga9ne4-g9UT58`k<2h6G zJyE%y7Dc%oF?_zix}H~2{PDiAmST$UCdTLWCNJ$r5;cLi-B1kP_2ykyvn2ib6glNXL5j^qC z%*;KU?)%Vn?~BfjNzr^EP2c^G29axJ?$PU4`{(T!sok%)HBN6YcVp#h6+gvyxc^8! z?iFNZngnIgU3F=73HfLxPVnU{YOFTx;uVo>pEBan(z|$UjXiDN2|OJ7zgo~TFtBqI z^18{9jxoM#0=QBiDKClNz0t#&z5mC&ms1Oz@;YK82C3*QUxYmmX4Ht9DqPL?0b zIz3`1&D}4yYz6m?HNI7fC6Gxq5it9pt=F?H)7~JcPP4o#>x8qdx7WM<`>Wlr#Oa^h z!YCx;M*aZcm!LbXfNn=I6#2;B?)={@&QYk$^ZZ{uEv>DSx}Vy+LG_&@-fK;^=0P|z zhihA}ZYqSBONu@}F%CTYTZ~GfW6~T*3Icq05Db`2S_@XO7qcLtqXM*0pkL@nx(E{) zWi>fnEBXl+&vfD0`_>9r5I7uviY39rBVZQzzbyH)vq^D$gyp=K6iKwQvH2u}&eH@# z?9rnc@|YrhubDMFYPclcOW|g9m?Msr>YIYw-3V0jCy%tY;2T2e|}8F67sn3Aqv&=*tM$ zW9QRMWz?ff2nHrRUY~=J)C#{`wblgeBSb`dr%AcprAYc$i&n2a_SFv(8D8=DJ~rt3 zzucP31#!F_NeZ&MhV}8epX(M?_6KoW&QiKxw`>`ybzF2k$>rL6udR(k2JHu24FHi1 zBc3AN_I~;yo4Hj!jgT4crK1@p7`e%(i%Jbb;+o^~hUh`B2(>!uculYH0?dc=2YQIm z>VeF*CSm(oThCt|qXWivuJ_0G6D5gR&cV}koun98as^bE0%GGWvNU z0jC|N3wnCN!%v*<&mkaCO}CvcQi33+NDD#7P0qz9v%W&8g1Mz?Z7G8s1EZB85ezz48JEGLlbe4pg9nAzY4&lLS1lfD-hs0;_}F!?`3OUGw)6c&;PRtykq-Am+fpKGPI+x!i3 z1AC?N`>=JBEFSUD&JN`PFF;93sDvHO)sZxBmffCqS9}yqVrhE?Aa#o7?z3^6~^@A`fnu^dO(1#o1$hA*|qO}ibhOO ztH+h`T(!(`6aqFp(V*eCskN?*qek=SYnT zM3KV}CK{q6;ILudHy#h>5q>qc9Gvp|&8EWX0cKQbG)I9lj~6A_;YPZ~^4go}WdrCeVPlW?YXSJZUjFPtKd+_i7LRP(*R>p(@6OGK^cqu*?&cZiGNx#PF# z(2rzJ3qwCC1wb|oel|oC>v8@e1kwK`;Fa;0|4aW+crLOmZqw;BMvI}S4fKrP*f^RX 
zYYX=>s{IQFy$Gr?o5kcOK?N6=qYxc!Z8?~rNy1S$b4sJxW*J<}ns;#;lfdoi1k2&# z*?)VUdizxGbcFi;`U=-2-YDw&hndz5kKI^_Z6VG4o1h*iH=CxeAB1EyMtJ>REH0*~ z=D;u0;38$gJz@m8zQ470B_2|nJ4$q#(lbOYqT@VP8!REZom+-TyWd_f-Z*lob#Z#Z z`d|sW-Zdp1kKbh#l^MwTeG^&W;Pceh^TbyA3a5+TU)#fs2`9wo`h!M_#$(K zG|s4xWg`HN9Z|X9lkki~I1#T~Ivmpobw!Ag{3l&_mLFll+>f4>S3z0)rYL(P$;61o zWGJ=j_y98+7Po|WYv5&VH9kf-jrZJF`RjLTPa>)p6q6!di{Uv$2J;0Ep3KTJVO5&& zxEv)og2EAq_9ECw6=?twC?5dlCb;w_hA0n#(t-nl=$0vI9;pm1AB}rZGQ#%(30mo@ zp(5b{z5L0VdvN;*b%-{kV}6fwc{~-S0>MzGxU2EK+@^xF!L+HILU?@^G%1F`y@I1Y zH(6UYR1{<|1+X(;3%$?VGBC56Jii8%B<{`Nu&Z5cH2M(f08Av!Q*V2TzI4c#v(avN*4qs z-u+Mi%V3gEIq-{yMvj%d`Tb%rF(m9fII!&Z2BI_G-IHBHJwo6?%1tsa?PM+6L$I78 z^9Z22=^fGUpc)-g9u8PR7vm8Gq7OWmZ};(U%-Hla(&@({;egN?Jmwo%;iwG7%Rs}x zk_kJzAT1S_KGfM3cT_LbPY&Td<0Q$7E`GHq1^wcO(JMmQz1hhR8SjB)DO$u2x^S1- zS0?mG-{vIq`!KvAP3EoH#eRXyKos14cbkU`9 z4=Kr^O~7?fF9$tpg+>hrMl4hJbKQ4cqgv}FodSjX{zsM(sR40q$Po??#hx+1Xc(K2 zgr+QDkGN6*7)Q!R#+JV>tX{AQ93c&^lKnaXBLlf;98bVG>ER)SC(NG>8Y11wA1Iu_ z-4?y-gQPeK>22o~k`54uCZ+�qtoxN|`WuY1)9}`Ptk0LO(=$OzCDtCXG!H8jxi1 z4b=k0(RRU$g9%9Ym@#o__}*>=-;$2qJRZC;`GpbRvU?D4S5S0idm zTWY9PK?8lZ4@Xr&TXH04gK;@ezY^++N3z5Bg&OA&xnC8pL`6K}BX!6I_Y{Q-tP8BV zn&I9FM=HQ#GE|56BqO150L~^5pT{W(qchnW943&A4k2Rj0BNK@19&u^-}!}{=RBUt z4G4jBOAP{skp?-0vRVM#vO-c&*@95{YNN;k;M}T3ETXl^HryIc8BFim=(dO*B*@Vd0atXb@s%*RJ%fA9T;9lRo<ddhp4_Vv@sj(2!!TGn*d|LSZqqlvM_G2mnO2?*{T^m))A=6DYTd8x~~T}my)CB z1eM8fI@$wh#moYi0fz_P8p&!{2Kq?KU&)@p31mc_#`ckXg-!6T&Cj=8BtlomrpW;o z1HZBv3dINVR{8;j5(W2YAoj?s-@P9s4M3ejPC#TPuny)U;5d?U=T&x(Z9xxeH zOfxx&V3s`|D(fr4L4pv_uQ@KG-3&GkSx~*rY%&z1AZ$Gr zwA~v+&Lirgj2cslu+D(i1FkOCqTVxsCPT@i1+x15vOaSx3|pnwzSv^ccf0puh4!yB zNP|I0nz4fw81PHUx3)IpHkwsH`lNJG~NAf(9{BYCz z3rzrzZ<~A=3Gp{xm7T`PI2Nx!bJXpVuvZf7bPvYYCSC6VAzc4b80bw7Ltw0QujyXt ze!#DLo3*`4&Qw4?;r!Mj)@|^@V4MAFonuHezgyA3Hqj{73BZj*$S7zQ_9JqK7;|Yj zsJp$ZiJqq00V@;&0t&Y`gQQER>3)67aLknz3WYk!bj)FspaCTbEa9eBMz}1{6@h;H z1+Y)8FGLLcnc}q)fimtMxq_D7p_C+7k={PwOQxKV&dlT{y<>}{=1*`lWX8PG_$0w0 z$$MX;m>?Eps+8|8LGOFk*uk;1)G2qCSNaG2N}G<;)lXSJuGP14{S1Hn8O?<64hBm= 
zgAL4{g##v3wnLi_Z5LkpsmU3B4=N)*M_^tOMUz#B3r^@g&26;moj{91tF%ck2%Zg% zL#nrRKV}^yU&|Up4^biDs3pqjYy9Ah&JpKA6XnWo4xNQ|N*q#2;UrA~% zvlA9LiB%t=xs9+SGmhT}1*k@FfDzKc`JJT(iYM75w0@#FkK}v539)>gpgC4qT$f z8Ds_#e7y-h*rbm;-v1@6jab#4*+!f_1t}$OiyCL3`_!AGZsH)Ef=Z;oRHVs>2=lssm6CwjFq}S=fDn^oM1Mqt zhISi*JI<>&g~U}#85PBcVBvecWm&*A20pT6i)#dp1rU+VJG4rA^nP6?8 z1yU|dwk(wpnS{{Owtmzh>Quh7GSMAe)O#ou5&zidIs?sDV;I(?MeJZ{N*ZV+-$Ry4 zTG3&S4afH3aS)dEWqMyF&l@uxPxu?$2Z&Jwi1Fhx$QDo*!6VWgyUWVQ^nN5Xfg>6eHm~$ZQAxxSU0TDS@QeC( zfcRkqp3q*fD-=CCUk0Hf0 zyA~{hY%X5FVZ}CU9&d4aiUG3L(uKJp1_TX3dT~8?uoU8R0jeQ7@=N9IdadIuH#rHS z=66qsJ(xWbOnkYf-i=AShLBrRpaU~(*lb87Cok7|m2S&M|2_gMmbD*g5;GiJH1;A2 zb9#3LxhEEh7jsuX03jJ-AP^$N^>gVK-K{`xF(oESaqxIEsL=-R zgZ9Q^t8f43csp%lp<$*n2?E&76QKutbQ-ye<09-hFj`$RNUgVZ9hWtW0uz-A*1d#}Vpx1k@0iWZ4E1 z1Y0GJYl&ev95K!LY5nm_;Zmb86!1|JUG#jLm#6Nx_A-FEJQ@nPSwWG+F#H|LDPu|` zo?sI9+n*e4AUy^wwCGQi5K4n5RT}-r?$=}gNAY&mxf*;l^Vi5KtYE~CjLJBdK?>jE z1*~KJFjygjttx;*fkFm|ctLOsh{Q8XefVL{_x)fvb%Sj&{nua*#!DBZjL_vkr)?@2 zYs}eR3P5#8f^@n|{V4RKM{&4uD8n?_6R9F8h2cbx7}2cA>+(`ke*AC%wrj9jFKxX| zzmk9{{7G=rPZW5-V#0>s)0qUeu$yR^2;V%ynL7*(YbnfXh?^l1!5*b4CVeoleA;b9 zeW3TzyaDeT_8O&*JBCR|;(DTShlI}lh1 zI4A|Y_CVEPEiyE~(HqhRKTGh;Lml=Y?)Q1Y$RbjGE?C!Ev0RI66XGbcYZ3IIn#LYc zUH7L^H4OPh1K67J<73+nzji=QRbJ<906*(>2H%Id?QsTcjeT6T0J9AchuaUpSVfWG zf{EiIH?X;Od`}kq24;Q-hd&A3C#lUeA`Gl!fd*5F5jTtsnYCR4E7aE%4ZAipIt6W- zbOd>=v;`xbLk+PR!lO_nhjJKx0W=8;SIAhqyrVV57RO@HVX?T0K`d=p zit*XXQsp6~W{P`Hy=$+r;gMG?mCoRCckXQ>o*5HfmKify8sl-3uU|xXI5>l4+$Vod zBK%ikyw8BkC@KxA@zH4xI6Tby!}Lx8MhKV)budY5j$SW4d@}vG>CSN6hEFX&W2JmL zLr7nc&omx6|IhpzF_=IFa6zkk=AvCuYIw51IP~fdN3b(Wq{yQ}8K}nT!hJS`=9J$F z(4I?_s0nO3St|YyTVEMfXV0{YOQE<+ad#+C+})kxPH`*l?(XjH?(SZk;>F!v+Ov`8 z{r;S__yL>TxsypUxn|~?*#@8$xwRqy|57@zAs<7JB!M3uwIu@7zV+0fKb(i3xOMzp z2(q|?e2;!)+G`6!!jyg~Gf7&tgP0wr3@U;qJflKaGyXf=gY=Z zM&6q3qu<~ua6Ow9AdDaDnKMDclD>FnDJsW_e>ahv9_L+$CIN~y-Y>Q2%0l%u1ngdP zqO8h*wjSo|^`yAk8aPJq8fZr77p_OW>zgQ63_&8RJ`rvBWN%=~ZDbUzAqbocTt@JV zlMR&1&xZI`L#X7sMeq?&vMczZyYj1EdqUjXoKJ%pt;G>cle}_A($QB 
z>fVX4AebGf6YqM&qns=qUZY%^4R={Gk7yng=4}|^BotwQS!ccCO7DLxj4fvc=o-GS zpJ~U9I~vZJFWS2w_F)T?4{O_(CC3f>JT3Px3lC@KM#gcwNNYDpTRFeK4bGw81?r{G zX1J|&B*Wj{7r&mcmMxDSe#lV#L+^3btft>jCP%|W(6D46gVM8N-sr9ZPB)I(mB7{F z7#?lWP{gW%NN92-lE%1XQbp1&FGHZXi0trS&-Cf(Hq)4Fggv%kFjyWdNzMF);os@W z(au978oL&vIm;vWVXHP!aksY zSvGt^S@q*|QsWjz*2cz&a(sJPpBab1xOzT8kd#phkx(Z9|HG98%i7jsL^;Z180doY zTPy?F3hhRsXYuxj97U>1=ZZrqlkjB>0(kwkKylN=G2%+QvFIy$mU!AK;X+nk{rp=~ zzR-{W=H&!fL}nQ)G9vh4y7zFfA2*iMfnne`i4;gb0way{#A2XCh@^#TCR8H=2GDDd zRUMFYdLt;B)4(UN703QHU3!^kZbT-yexF zLI{YdAA+6T?Q3qmm~J{4Jz!ZHUCc<9e^rgVG!dEDCWgSUR6XgHyRpcern(5h5|x|$ z^*E!;y@E|tA0X_yUi|XWQYX905l`zdj2WW3tjU1JM}|nBbN`Xm`GL;=>k;^F=9Kg-PGy==k1Wp^24yrpKa&{|h5#LFu%k|1Vn0 z22#P+-6x(zwHakbPW8bdfQ6R*_PIB8g!GmF&~;9>ks=^j=GROJ=gDYJ@DbQ{ zAm9ZYJv|b0pb?{l_aFpu)EDohYun+f>l!`E|AM3}z=__W;;Ic+K%+!&V-rpGa&8ny zD%N164Mqv${|MiI$KOa1%0o&3-=+3>i~nYMg6W-s+I1wbd3X#{nq4SdQGX1DBPTu+r4g*`92`0Y)2-q`|OBm+oPx)nhJh5ls}Z`1EOCyI)2 zh?h?JBN9RLL7D&q(;%d%M%oSe230aa`96a%RgmII*nvI_|KCCG28-5j(K|^n4L#~= zB$gz~@s^K;^dg8Vk>81N$rJsMMKk^elJ=U$EJ3VcK(Fra+Ow?V#b%L|RQ3G2I#pWL z8daloruJHlP9A*MJKU&~)?0CPvsB46dg-;QV>dtqHLh*3V=&$3;hm_XLyznQ=-vRj zBy}m^_JZkmhaI5$Lz{q4cNE}G8r>ASGPo_nOpo^Mt}T|z~x z{9SPxGZ61%2Y0fm}ql1rNzHj}m4YFTbn&VA(H;%eN~^xyOyW zv+efL2vg}hfl6gd-xznt!+@FL$|6I}<8S7I>U#Unmxlo~1Bdo6%%$5YRCKXawCV(@ z4d#gog=Vfmf1uyjx?2PvT?@uc%R`8AWON(Xs#&f=&AxghIW)hmOp(QWi85)!%<67< zw6cvBW_L3BsG^y_qW#d;d6~v4COoxqxS*T^0#6W7JLgqe_>N#2c0K}X&}MR_D((Wg zV=2r61CiKN{{H@qEiQ4?YV;!D8xHyhrY0t+nd@|R#+gL%@jLR0isTX#npr+|k`2YF z&}I4`vBlnKpvSxGr~BMNnW2~~v=T_6dX!=}OdiX$G$y+i91ah8=?r$Fz(^eAPD;J2 zy@{AZIVE`w4dPfbnb~hl273`)y@=$?A2f6V5WujmoGwY$w-_o2r57R<3MY%GM0qt) z+y|r>vMdAj=RQvb`1pX>V`GvS&msxqj>-Rtew`HrllNZ=#e+I(oCr|~33cOX>ul`hiGjtZ=)ci?|I;G=`6&{O#t))fH()B5IXQ9(mP+TIU|L6wG7=^m% z%URQ8c(`$X9Y(84KIN=_@~`kI;8?s@4n-C^NV4kWT)c>jy93>vgww$Y6>Wk;z1ynm zx|LK~F!I2t&?s#bglgApJ(srQ!U+M)PY~q!s>8z&zlTeZ4>bz7A8N?UEnnPrMz#-qoR|^w3=+&4 z2toTK6eGPA5!8~JGgIuvQTx|z@Y*)wNJn+M4Gyt?BWe5;e&*|paBdmsug`FB&Hvot 
z61Z~!g+eOTLd5OM6%&!-*Wkf!=qCe{l_e^+q-m8mA9Z}rrsGEq=XR*_n~Q}gZ|X_0 zSuB~vG3N1lKX*v2qN>}+RF+bOr$}WAM;_XG%V>a9ekeQ)fYOaqg~kRE%#!4~+hkw$ z>b3IQzPHiOtLTu^a?&k#hQ|Pu;Nu`uPDmWhXn!)?y*81T-H&&F)T#~`AhkD4OP=on zqK)wIl>G$LW<>f`NfARF>^hwZBhJZQGxaDVFGW-BLM||?0dy-Fq>{|o9_k>{S>Z7r3a9Fns4T=@mrqOWu2vg$UleBwF^va7uJOCf#F1>#r0-y?Z)!Gm7Xd=p z;T67G;L0-#eLcv65&2H@U-!)i>RFb5g74?;Z*q>lvz7Agd zrWcC&3mtRm{t$EdlV4vsa=>JNIiFg&Kyx^_Z-i60^DCN&(QsOjX(|x9*$uqbZh;%K zazR2u!hR+KxyE&pyZJ(DAy1{Kz=t1w$^%j4oyO$tO#<{VKVI&p6M8h}E=r|~fw9p) zI@#Hztju#4GrK>w-Q6oP&U-o?Z$%%D!_}gOMw>)MSMDnH_i~#Fq;#>tg2Qla#m-=4 z8#*0d{sjoUM9|ogK~|EP*V*rU0I0I5iJnG?evWbVf}zwr-1i3nEB=Nn0-aafcT&+5 znX4act{@DJ_vXjF5Si}COfI6-y8qPQCYTAyxzG%?Xv>ks3OZ@P$5(NPFy-A@@rRmH z*1yiv_x2~|=H2hI5a(#=nyfD`^&5E#@YnEDw~Ih{os$}~z@3v0+8NIOluX22+`&k{ zjTy+WBOv7+NYD)%$gsE{8hrn^MEWqJoe?8;7~-_O51sCHH9QiUkg_zlADWy<$FW`} z0e5I58_#~wsI)+)?{nru5{g`xbvDy2D?8flVw8?lwPd_L?9xZCY*=*uGL$P)V3L7B zZO_MrV0-f5#a>05^@}M=LWcAklWJ368`1_%%u@%6f_-;iE#?gT^|x7)u7EnEfWXVP zei&jIRH!z^tBpVUkJ5>@&bb|x`E6||iAqx!7$mTnj%TZMG%dMvJ^okQpCu*}_3TyN zJkkPy8X?1BdX%6Btb%%HXd`P;3tT>!ylydCh`PL)0dJN zm4dM(Zl#K*YeEXD{*#q}w#>V^od}>{ijz1l6(a=o1oDWupaFq4;A7;lM{i;CDahj)phy(m~=GAXN+!k(& z`72RJirga*Lt>Y4gYDv>dRW8T$@bY5?r1woTeCXUK8A7iFNFfNFS`l$w5C}%$!Z6< zJIRv5zEXpKF}CvKOu`EHpO<215jE-vEr)Jr+rQ4C#6f}l{@LnAd>FLaErRRt4YI~a zvnOSEtW=;%MriMFj{-S}f~dHdxVS$;CEw0I$Lb>Ip@q49eF&~GAL|SPAPZ+oZAFM; za2RZULqaDmE!=HhZ}G~{vfFOX!209%3v9?Y5+v|WoM3{G;x9jBD0gnq(0#v?H&xy5 zvGZao(wNK6_E(NjK-~Fy!#Gsjmaqy}9Qj-jqVQKf4sJCjjRMJ_lAk#B%j-sPDw#iJ zSApF)Gkns;TGL_4l*Gw(@$8BI>m2`GCQovfY>qRa4ao>Q?E5Dxu`?#r7tL6m(apD8 zPE=94-QKyiu+HgShYTw?%tAsW(gEAWACh29Uy3cUFc<< z{AM>qb@3uwkHg4AWB=F~%X|}6);gG;`s^JCw$Xda6EBFb&ud9I8*J4NB)JB)-G5tj zMkAhPX05wTS@TWDDdb(sgMi$soqLEXr;mN|>LmdDct;C$rIzms6C!p?lKy@6=uG2s zRW2zh$tx-%S63RcW|IpR%vt)9=xdCWFF0FC8p88Jmmq=^%!mWN17n&6={CO{d!qxD z8d6TO%Iq5mmBch1;8eau_gtbcs*u{RU5`;;-GQH-b^Kc zcp1gJ7E5(uER@*Ee8xZS9!Pk2 z;(__fj4)>XdUctqy1nRV=u$mcre_I|<~4q1{jPxHC}z#gWTxNJ=mqXQy>;l6`}LG= 
zf`!?4>OW5an2T^USBy?o2%l9e9eKvHY~<1JZ-}M7+zTG%0`#o*^x{dj=a3*spZ+|I zdGO+9!9Mx&K^N<#gsux8-(fO#1}|>&-m+yy_F56$K1o(aR^2hx)(7gvH}#6Uk<`}f zSbkWnzwkf+zGA+hbK@%2=)EeqE-!DAh~`bN z8vSk@J6pQ6NUyb6RUvlM_;vyA5ak#6{=LIS#3Q0Qh}}kAsu(T^^5UbrWDh(<*RZkh zG2WdEY;W;J*RGoiq*m^mj1ZM~j=U&-D;R_ZbZL2c{9LKZXc#7w!AKm%W%`-hAgn{@ zxj)?y-oJYh=fmQ{JOCA!l9IA!`O+f+B0sw>Pn0ubcC}$6<@XZl=3HHWzkhYNC(lu= zsjaH!((I$3th`2Cf)L#+bdZD0Nv^zj@*BOR zcgKbom^?B4MnV;Uj4c6R6<0g)5pX!2XUTO%eBq*uO_q1sX&iVGYF@Ok8V+){e zr{3s(H{txqvBZc0(>ofCDQb}zO7^!GBi8@##uy^?25$7zO^1)G01%8vcgItAVkBsz z0o^9q>tsI87H;?A{k3LU9t9*czP>+z*gMH#uFzMPRYEnh8j>bB>vZCG+0li|ew^66 zYNJ+9Dq3E1z2@Z=gj+}bf|{--!8}F|?LkA~0*HK5P`XTR%Wh5acXXq@Z+`ZHdMmkn za_E}KVfNipJ5irc;pa^Qf0qBG1$BXMb>Ko6I$2VF&d@jWU+&)z{O7DF!7jtBr-J>>$Kui?_#0qRvPo7()}?Tj7(-Q97E!BvJarZj}3tCWqNkZ z&dy?(VNe_XC*PXCWjga@zRY4}d~2}N$vE00 z!HGDLPc1~IY_14(ZjI({u5KaTW&NdcUbd0UEK)Ah@}e<&9p5Z>52*p|i@mwW^UwK} zz3O&bo2exFU}OZ$q`!VYz-lm_!fe#O*cXfp`RKvm`L41F#DRKPSPYo)kQ#F$M}v{! zDyYDTQ0mt$-q2;hb&NO#K0@&e3Ef|82LZptA+?9Kf|F9?-{X{(^3+BdBr z86c|gUFvnZK{EI(*r@-Og19(-?(pf6z}i;e5ukiZPDg08TBoIkDYk|nAxVk*0R3Fk#0vh7*>T}t^uI#Y`5Y{&BsU12KM%tsk)UUYBR;fe~_k7O~x zMabJ_xFKHVXP8B8Ff~6<3LvINuDIW=`q=CB_pdtAC$m~<1&Hghd|WX9fd*pwduZ4u zBnZb|`=fa=6O-Z<05_HqkjY?~Y8QsZYhRItrOxr8W6=(xQ}9T-V8zRQbJSGKE) zVNi;7mH3s+e7xGa;C6Q?L7q+!s}6s*(mvTHc`Mso1a>i^p_^KZ9`sWY#@Nimr&_`Vm3WHOYFp>>h9kDyT${M zMzN{bvpbP)rnP@e&AvJrZk)PZ$m7Y|({g+4L!x~!wtF6}e>tQt^C_+;XLE5h$HwOL zI9aiWo#N)70Pi}x$F^Ym{Y!TqQ|LZdw}fhT&>k6^@}3y5&O5j%`&C7_XsH;<@vRE*VB<4es>~9ap-j=fI)kaAA>M z#nBr7m>TD!ET!BIII4)Dh$Z`})x+`#i%Fby$69nZgEzLq6|T}MI!p9N^xGOq2EdJu zQ2OabyB)-O&pZPB<&x)?`<1Lycxh%kC$^7a`(fX@&< zU5(}a)_H&FVq#&Im}=G3@FeuIYj!8`6=`mqPls(7y^Vb7C?8}V6h-D0%y;3FAh^mT zsZDSkE!-4eq40cojk^#Cq85=7vLSdc*ljlboOx7psJXsG0{o<}zT0r0IC8C=E8~gT z;YStLk$M$PQgHv(cq)L;SgM5-wjyMb^IuKN2zXvio1$`sD(Ti>_(6k$e$Mm9vCyeP z3_7crdZF&H=V4k@>wf(3@F0ND+I-yr_=0@gH<2@=0`WXlv!YN@QIqxQF;JR7_1skf z_vs4Y4BIYfIu84Q!^pQFt6DV(m+Nc|L`0M9(MIW$N!v?AGKPkJ$}h`P{q&PY&bv|2 
z;dqH^P&y;Qv3<)3Q$b;shP(6ig}epOU21rrgm9G8)+B;VJ5fLRj}u1^B2VkvO2asp zSUa^pT8){{x)KOnmPq*Yn}8ncYgV6!qt$*(`VVj~zg^PtRXsiY$y}}tIsy^Z`hz2Y z+#v8zi+^99^0Tw~5~#lu0yNm=7}Mm?^})akkp9wHe-{Hh$nKs8Du{>jaYJd zN3Q4DuE&_>n2I<+Mj~JGQv@dO7Y&Haws3pt=L0gB#ZJO(tf$MS+cS&f(RdubVlkli zxQOm0hh&}d5W!yU}yO$DJl+4=S%FwW0McOwKyG_r=!RaCo0@Ot)eRpm zcP^7B-Gl*oXZk3$fGj3%+i=Z*)IR}I%VU;7gAti=EiJ-qfaDZR!3y|pkef@SU4`(A_~pE_3e&OGH(RLF5q$)gU|CjYANXF`^PX87~sXQ4%{z%qq{ z@02)sqy43i!2&breA(&Q~=y!@&;DvsbU*UVKy^ZX|fskWaLQf zx9JbW+HY3bu1qSE0jO`fyK5w-3=MNM`;r&DmEX{y6@klTd1+>9!t5LP0tq)-1n|m# zm!nN(v6}IY6G@=sS|InLDYuwjnI&W@lwmfRej!`^t_5qE^|IjwEPd?SQZLGrPQ$8T zPrp1~sGS}spEGfA>4`M0(u`Uu8F;J-fZ}DnH1XD~)7}pl_9NWUwbY7+6 z-teb=yp9hd@KM;&A$C|`U^yO(Cl*J6a7bwAF~ye;1(${WCJG4HkcAfeqiuN4d*5n5 zUG>LAZIAB&+ARryM;~Xg+%TL#qrSaj2Pi^i_p?-&PP>GXYA0k=ISCitqR#yZ9y9;w z@km+BMC_PL-lLw@e6dN1b^nL_A2x9WNV6$4nxxW^?=H%ac~n!55zd^&@F)zUYx8JI zcSCNPL@G%RxaO%dY$?FuEuy+z+Bu;9KiR&G2G~>b{7!UdLoT?-6aw5<)cJ>|DZvP` zp`=ESGwlG+CTLkqxv4uPZ4dkK_Ua^~T*EkM=cw$rS-C*qGc5D!)d+%gRTB%Cqq7`* z-)_5jAlU;s)z4_WX~M!KDyDXAd z%Q{(_PG)6N5_}ezfY~+4Ipt9kyo_h9sNzihC+-E* z9ad+4Ny)Zh@_6XrEYvJ(gP6XZnK(RnSzi(q*Yc)BF});gIGzH95IbA%8*EC(k7{BS zlbR+egE9KNewA^zk5vXeaPyj$IS{_}YHM+vHVG(~tC5IA;6zt?z8u;1qpA>(k^P3z z9}G)aUh`0B+_#o!yU)oVxC9Rsa5gEfP@r1q7CKZev&6iDd5;a_1JtOlgPOMQr) zLH{Mp+$E}=dt-P-rB&Qz2;+BptA>^?g^L=E8k_4U-|6X;)1{4B>N;JewVLW(HtZEu z2*9-$0oAlig8UkFK2StIrA})1V?KUOi>nAKFE8KKD5m6Jq(Kb%Rrb9W0OjWgxzlUR zv6{Gh(ARM{zA#!+zg(?q0KTW<)ksA0PAdNzk9DV=RPNyrZbQTAc+vJnT(z`v zm##QwzKr8#g59`E&C!jJ{r&5!*tb&kK5St|;KY3_1QOVz)+|4Z z#VWoDwmlr@&0w;zJExUuOvpI;{}RAOC4r_#NxG3lCWhjdmLQzZqj^S`Ej#!Ye8R&^ z{oJ>G&zLJmy8_71pTF5$*16q5^29QmX~&lW$|n71fa*Z$X#GNj5QOf1tZY4PkpLu2 zn>cWC{(HXK*~0tRl)G3FS!~`n6(5rMZg`98=sU)c}hdLg(lD(KV8lFv1Fz>)ZE23H_Y|yq<$C@+~uLc)&aW@8zPDd zWKoK>NIk{#ALLyUDgQeMFqbC>hgY^R12SdaB zmkI~dio}c1-qxj`o@KgN@|YmE=zPbP*Q|-%>D;NDTe0+&lfj-Qf|<;Y5dU}^rP@N4olPHVHC&!NbTQX2zEGQEqKL1p(lu$-)N@D|vQNVY; zLep#o78@Je)nXlhw0627@s63{=ssLHKu}Evi(dQ>T_LTB4ubVjkZL&9O 
ztjjd({MFD$U9Pf8oh?mkm0rhHR{E~Hf>z{c5)G2WH6SD*C=~K}NxWbXK*T_VdpJf2 zq%wDYTzfAbtDXOT$^;&Kv!kPb>4o{%e$@*w56?k>6^va>v0Kozv!G&CfOV2Pz7yLurJUSZB84_S_$~;1x(0@Lu#7$l!E2sDz3==Qg%Gij z+aj@!pBP!f;XSj2c4< zE&gM6DBgAW^pb1Lir83#;ql8XE5s{mIg^XAkzDv>GU>6Wr?e&*c0?fZ*WsV6t7hEGzGP_$aI=Zeb8yktacxPsIFu}c=$2nn4V z7MD;Das_jli#O1ur*j$o**`p7iS%9KXvwm_5mQq7Ub8A{<}uQAa^AfC)Vs%%CEGn_>Yd`F;J6Otn(^6L!l{|q~=RHkn7njt+)r7HstmIcryopBt z4hzlI=47bhMFsokdmHD|=DlsexrqCW%`&tznrH|pxnLwkFDy9gAG5_(kx~H#3lD78 z5%q)SYxDl#7~^6u@y`3{a9_!AO2%b=0aX+Qs&ZgxN zvj{2(%>sKKC{wxO92q}s)a){L)DiCAJU_|_IM(n=scobb5x}PY-|9~VdxYQL1s&dnv;g{3tCkg>Ugc4hv1m$F_^-w6CLi`d}&!RUAOPn$?K6^n-d*X84@ zy9=9iee+S`^(@rN5!-Q?TwP;fxt?k>-(zP0O|Zj1L7%f_O9^a?nu2+KGOG;?MoAzk}| zS(TOAk4=v@KC^*J>#nX({doJx+CHN$Ha(f8lTS5mo9;fE)8-+(YKWpgr!MNW6si6< z4n{w(Pr4K!qoSItTpnU1ZQP@`H#gAe&A9uwg^NCa(6GC*Iv2(e(Qm3M{w$w^;S0iE zlh8WlErE`(cz9<1bVv>;RFf*g0Wa`SOgVgkRoY%^ju47@@zz>M&USQu0Xh{icEtZ< z9O78k)~0A$I-0Az7U~g9Og<%4PEZ}|mM~*acW-h6)qmZ%YBBESQ_sWp@Ev#$H> zuCTl!dub-{E^^YQrH-c!zAv}5mF&;n^eT5kzbDC?N`4dXIc&WWl*B`{7lJRJ9!PZy zgr+xN0^2X@9^S~UYsEthMUxmZb8OYH9tHL#UJL1l0ri&`cVW9YgT`Eg!S*h9{CpRl zTt&+A6HSDo81yQR79=_azr^N-5_w93Afep9-p5c3I0g!#iEvo-7Q3x;Wc|Xi`wx2g zTZA@;I@mb6^zLV5{<-GRL?~J_HauxoedlYR?RaKpZMe_!e!7*WrCh80chH7#K`8z5 zgSeP=aGoFCI`Yi2lGRv^65KoVa)*cdvwTt#zl=@9j*O1z%(FaqSMY2IaGi*4MVkXR z)RmPfmXzk0dBv1Z;z9AcB8WbC2)Aa?eRdKqWxdp>j!Qrp?91L}*FFRKJ57Wyq{ZRZ z=ZLR)=c861QDJ!{nGnCbd)0SW3u8e}bCc}g=bG}Ug$MScShqW@H8pr9FO>Ws(NM<9 z(~0QDN>G6?OF`wbaoWF-9;U&z9o9$<4uQGz5^){&^7oLM=_ zz}KAtAM8t7%E#y@t0oW(GxOU~f&AvfXU$DJzNYC_pA)S&{=Al`qbjj8ZU9XtCe;GX|U z7n-O5^9tB|kw59O+^vac3F3XPc|(B>r4bUB2PqCtF<-`gdF=#{#&CUWxYHw)^fmWZ zOAK+y42(1KhdF^c)R)8s+}VL}Q?Prt%x^R1V=%}NAR&?5V{NGDjihBaSrB$^0`+0I z3bE&g!ukUeG#0k?^+XiAi}3#_Oc#oFB;rgRbLn{Y!{mfe=(*Hh8B@`v^d^BP>zw}#-# zeOIPgP}?BD@V@c{)aa~ymBsHLMiGN-Ykh%3%ZIoV%tdydcPAAG=K9dSSx^R`!0;UM zc75hv8UAMUDF_P?Av}UMSiLu{E`R7p@dZgbwC>l5Nh4E>>`g*262VokkpPpU*F(U+ zv$do5I9VB#7Fjh$e)$rC5mW~t$iJz}hfuFTieiL>&PK}Ogqtq-k{#35Ym%lPw3(o^ 
z(vrpHd3hWovZRkY5>*Z}i;tAWLDjt0*YYmPuLsfl4`EkjLaOg)v@QtkZgnGTxc{4- z0XQ)HGGKO8MaF*#Q99JrTl29)OO0Yi2>j;sq76`c7=vr(%K_7#LbUF&6_lB&{og`- zA==0g5oAKHNdKY8o$B(-Yz5WRT7#>u? zuFt30Zb|lS(+Sgoz!JuBMsGPcXwaodBgQ?jW#*at3G{E7eJNi0{^6gyAb2&Gp-sj#tI%>HE*kL)G}NA$UI~D* zdRxS81`s10OjA6_zz2F>SZ4A+=}6ke&|ceD`7HZ|!dWo<0``XBgd2}Y9hRhwwm_rZ z=*yc|`IR&$=^iFW`@@2Oui-hkLKTx@_LYzSEG}^)=qiF<00oiP&_X#!nUlcbS-kpV zF^6=31A1J8vG3`-iUOBlbg4jIK2x#kh`9J>9ZB<%+|%s*l*y^H^LG3>1m+}PGQ@nNyW;OUO}v7ZI#$B;}ocWfT5yieUy}xLg<7_foT_J=hD;9 zg3w#9SH-Nxot?(MlgZ~Wl{hbgTg1E_om?c~y{B=4(tJ^y(F|M)^%MemC-FI)>O8#T z_994o6oGRwsVE8b1flM3IcSLC;#)E`^^h72^{_37PdEpCG4@l$4C(g5y%e!~MOhPx zw^wWu#_A!V>6M=|fB&3MU3xjk40o_e$?VpXq%{cl(q}k!p7AHyvvYa+<-zHfe?O7W z-cVSTUfPpVdDOMW{t3>+%qkH;<{R3IT%!ZvZB}@}`7gZfQ6CVA z9>E$OW96y0NIsPEea*;0*m!mNV01OB_|{uq1lSy&<2bKo3-fKBzdamGdJs%@-j}%j zQQ;xeKRgQf%whZ^e8#|sd5R(0GmS6j${bMG2*=hM&3oq+w&62?{Ror})R_cR9P4po zJ=l;kKGtf>bU@=V^40;-9{o9f-ruTBdGHlXrxU5)d;RNeC*H2u*9CHE+0;$9!Vvk4 z_^>%vj?v_my~uW{y20v-vOQGqd#H0)#IFs(nQTe9iR)M>ho2#6#p<%AxbvC#MRU+; zH{6~-EdntFJNT~iK7w4*{dQFhOO4xKq@B9`(GeZk6@=bH%i1^;txsk+)#F@aKFn_i ziP!Rv_93wHB^8IqM%Yrd{ z!C3yH8YCTkppd_)^K>Pd&Hv5pacphGW%2f#4~v=pZu{&~ju^r_I_Cg(DoX1FItc8h zp}rgg6Cvvz!yFz#00IKnXzOhR!hGWGL|9#mJ{30>muGJ8dJ%1aTjW@q7pB$wTN|m z(3?R%kJ3}oU_=2VR1ME9j-geGkg$J($@Rc#*X_)%A-eve^J5B#kZEr2(igQLfI&a6 zJRZ@HGsv%YKjVGZ@@C*~B7PtV(i8!g1NOOPo|+BP4hAQoGWOV0vY=+M(aw{I0?(tf zQ?MC};m*r8E695Ok5Jv)F7p&%aYm_UmK5famQbn8nVaw8bs0l+$dQDT1}*>8I^X5s zMTme33=i|=f*%9jx|EzQaddpVMrV!MR}AvGk5_x3|QVo zEcyaGm=veKlq&g}5Dc0g6bH7TtxtF0+qYihw$Ikm%s$3(EL9et^-Jh~jh=VmS&;i) z@wi{)$O&l1&jMOZU~yM3$wu}=ndvrW%JqN&D#i4f3Vg26{_YJY(ezKZWOZOLsy_B3zSqqi{FiGx#Ni8lQ^tQDIiK5HzEa&_X`hW+ZOsN_Xb5k1a$7x7$!N!qOJiYGvhSz&f>+Skn_F}9B4bANC{$G54SZl zDNOq@n5r2HfkP+`S7mcTQc8`NN-1#l78ew_e9NCvP+pGuf>WQ+BjN?Rf9+@L;J4gO zcq)r=fnC0Skc}YD5*{r~r)?q;@-JG6k)9tW2Z~Gp){?%sTDpXii8DK1GWToc+Y%K6 z@ShHm7F20TS=1a=qJ+ei(u3#vJ&VyM2o$aw5j;;7v|8%y0+byD>X)wy?G$R#AG;Y2 zB!V7QCQq-$BYBILEo@sWDcw=`dxGLFezPP$c^T0oXrh 
z#NZ4mco7yDOs1A)4vKG*lndtdsaY!O6Xtk@XMpFUIKVgyaB>L+-A{kbQ+?d=d7!|9 zkPE%t({k1G+3)QDkQN9SwZ|5yMN9r;K5Ss-Kl_^U3AewN^eZx>p)-xYxiSEK+5-^W zDEqbx-v_ptMbPMseL(YdxnnwY9isHUa#odP)(3o&9{&Skp!<=J1tc60mt_eLZC zdpGWbe*DeN{?Q(P1~xD2J&R^rO($D&Y_+&D<0(YQX1f*_IpYp10 z(qk-a}}i1*@?V)GrxYF9lkbE;5T__ zL52eJ>UBOiJA-GQ3f#-m9mBxfQX{G?FV_T+4~R-t%Ax+)y||=mw0mfhN@LKWswQz_ z;qo}EQI3upZuUV>#atb(^h=DZ=HzhYNY&5HP5U|aBH1iCZd5swp^c?lWH|HCbArMi z9UU61EL#6m+O@E3CM;_NJCohIzhHDQci&&Fw%=WDs4X3>OGakl{sRQW{!2`dPtnJh zgqCyC3ak@6p+eg#o+}e4YL2y{>xFKRzt!FLz&7;y<`%TpCWuAdwC2*)7H&Njz_CfT z&rKl>i-iu~vS2n@EvTVYQo}~bt$Bfr7)niT6mz!-k4uOjxxI4)Dm8N6|Jy3?t)IN4 z@B`5cGXMEGTq$T;`2n{BI^z`$H#!P@8Vp2|rL<`$W8~)Eo_fC5G*(lIs%facg;ps8v z7-``|T6|{Py`3*8`auDH0~*L^3p16JOUGZ0Uf#z*9v890!P%VP2um-Yof6bhLcc1e zy@}C5*Spba5}42296U=zXO=I#kC2ZHQEei-W46}Tcd?+?i5|Bw$sEQ7oEHa>D`L*g zofc1UYz~`wihNLeF{pV53WY<3EUUV=4+6SB*Z&F#)2jzL{z1x!WL;k~T}xEA)FN`+ zWFwHn|Lu7mWWM@08|9Dl{=tQWja>DL<0LMl-N08UJzcIaiYO7D*~RmYIh}IBr*I4& zhcf506EGn>urUCQYIw~(@I0)Nv8k(H~yAJk_cSC5LkP7sC^}y=`rkvV8lUy8Ab>=d)Nf5sXcT4FzERe4a%p@N6JhblNIp-3UX>#9pjp-tF}m3>CnHd z>ol4vD?6Koz8y)KT3EoFNEHb^9*puN7AugAN?|D4-+^tn-#LDQ)Yqp6%H>U{6!boX z{i++u<<=>gvj2lUgkhA&Lqk9?7G4KmGtfg;b@|~!%lYZVLS9{)3i!Gm1`AZ8vg5V^ zQJTC=H;*Eapif>j8Ny<5n{yt-Ue*;7_|lW}Z-10C8syrnU-Q9Gbu1&?Vw^sj=V$}` zHtMzGK@7Ms{=qTqmd>aw)sQzUvqYkL#nOy(YreJpr^((Gwpz)~5MO>(lDa<2mK8T4 zwP?pLm+9>8%3Az*r9Nu-rY_VB>rZ&cj7z!L%GCZ2Mes@OBxmmXX?A9^7RhdlwuJpt zs-JZj4a;Ze6;qAkayVxN0gTDO$SJ?_AzE?9Wr>~mbs}oU_2V~cM zAc+#wc5RP4?BqEK3RazlSY9N!5^SsM*)tRL-slFR2Tk(gk;MyM58isa&q<|m-OY0= zzWN}IH~%J)ZaKCfgKg=2f2BdP5j>dJ%8Ivz!D-WHc2;BYw}+K60Go#0n$dt!b0lli-qZ^sYe5n&FG%71Emuk>IcZS=$`VPh6c@cxik3N>kwGFcR zl*Oje@H2YqamxIv8}iiqe2xb1_<6BMrw#|jfOXA*2|_t`+_|G^7AOr8?t$8GO3~6> zz<11VmvR283+}>WB9mho>iDbF%iN@=aLLA`?fI`M1h~_56_39Kiuyp4omre)(i5#O zv_Ghxe<@2PuMpQ7OGp0ZHia`$`=-lJ#J#Us18h{HP$(H=<^BYj&FE%Ko+an|{0sC> zZ{q~&_HNA`d(0vAY6+)$aGi(-fwXvBt>%ZvSVIi-^tJU%i_(CiGa7xX$qA*tks};3 zS3(OzwgADu=s=d?FcXDw*I8I#`#lj?f1}8QLNF2pqbvHB>&E`#i%;j&zCh}lnwTzw 
z_Z8zQ3`!9_BGj6*Q&U97v|8c!!h@x$yQw(G^%_Ughg>w?5Va<5?P0~CX?a18Tv93k zH%}kJen6M?vt-_pXj_b1CL5d??V;qMJ1q@G!a#NXwCtHA;H&VYX=f@mEE0{LNd)@* z7ByO?qfuz%Q4JZ3tKpENBH~pU7bK0fPjo^+BkB<|+z_OSm-1kUSia~zGC{>|N zWUDO<9E-TG(&}&%T4Jyp^=9*jc@&dl>gq1+rZmSWYBkVb{Ek+-y_Ei+0!+Jl6fg_Jp=c4Cfpw67<@r1O%{q`a-4_1v3 zsUCV3XPUU2d-7##$qUrDcHPM=G|l_rpsD(^FsMAdMP`0zA}x$mNde!Y4j$Wi0W{gm zW)31V@t{u0ZCBxG0=(lXOOJS++r!TYcinaAbZ*Gclh9wwMOoHd6#RHF>Uq%d+hz&_ zeU!w+WPLw9ulN-3Y$Q_s!jHsbh2z$x`GwSO=2nof@z8t`kS~8aO}>K+VGiR@l_K4+ zwS0a^x5l7WjjhA-&FZuaYMq3eb+$y|-qb6Z0Ngo6RgLHWHT9NpQAKO}FfmA%beDoi z4V?~Mk^<7gPy^E4-JMFOAR*n|4Ff|-r=$YXF_iCk9?$u|^KpLjVeLJ8?RDSReFboZ z%U`@$IWrQGdWz6vtChxeyOs_5vK>gL*)tZ#y~rI&ZXog6nj%E=wVtV@t5lRoi9TI5 zj61^%!(yqOUD!bPy^oD@d_Jf=|H2i_91tKr0ZZZdY+KIP%?R`++}w#2$BctHCQ_2W z;!ff2FJm&W5bhcyNOAgRYdwv}hb zxOgJQ0WS3q_w^fTvzC)#nJOk<0KI6CiEPN^biiO{Ss0H=1ghiRtX{0peK!TO4?pm} z0c7_30p1WmC^h)GTqn+p{Bd>N*C*y-Tl|mcv$2T+2(73;kEJ>R%qprju#`{B2KmW79k2zw%xdl+v-Y>KL1*R^3G20d z<>{hM!(D^7x6>|zdsemPvn$?xW5&zibg=mjj_`bn!2BhdSL*xK-m153OT_;NG2my) z5HR<)HSa!F>^f~xwWEpDO*@vG3(P$;OLkRfoPq2cs-NzH!?gXw=F}CA%TE9 zE8sV(DAdW5$5UB2K$5IN)6Q&g^`# z@Fpw&g)NdwN$w+zZpu7Lhp1p zyZujtZP)K;`Cz=~^IB;jrS7Z4JVAZK@};%tz?WQoHz_DS{LpmPP;Pp8Mk1W-TQ91O z^s(r-dYBtRGhHDOJB0~1J<83~01O_M`iGPWm?o1is|UC*dLx_wxgVko;BWczF?`1L z-`Ey>$w-hZ%SS$tJ9ceO-5E(D2P+%;%E~x_#j#dn8pSPJbRiVQyLIW4!5eBE%b}Fg zsG9z=^?RdxzDbx^mf%KHCr06MJXC-xL@Cpd8%JEFaGcT|Np4^+7z2@5G z(H`blMg{S=cklJ|>pZ(KZBtpZ~*`+65OBlj;J@;52dYs#d zzS~LDz7z2Dn{0PF;)FjSLCmw-OWtZS+urovGvNoO-jewTVp|nHMJs#?=rHGp8ix(Z zbYD^ZYb__>4K~6yjs57ckO$mK4$!%kgvic@6IGH%LY+_JFoWtPfT zV|d?7oAga7X%JhB{L%{$?)2|C;k57jq_Ai&qc0uezV`KZQnQw06m)X^L+~od2`BEN zL*`9;pIMPb47A?VY0IttmeuLz9lwb^AC_k~i6n37?vKqxeeUOlecb0UIgcfBk;QH) z!9S(l(vU@)?Emysunyhbp63qrWWhdy(04b{cSokpX0S|baG#~~u@;^xIPYMRfqxJaHbgZ82(g$A8(PL>*VK-I_;38RnG5mhmZ$Mvm3MaoH)%`J@Wcejq_vH&lm%S1=$>Tbw z1d?SB-H40aIk17er~NlA6K@ZaZ|{o|7n0oPA~NkeZDWY@!RW;cthOaM)gv&(CG*IXxp=a zra6PRdHS4Cs0HZN(FNS(6I78X3yN?=pNH;8lDoTJr(*)JhIe;C9U)taOrm8t-x|n~1Zbpj}-DFaf7=hynS-(7F3b=PM3b 
z;^`kpo53*J+}Q&d*2-rN?c^4D9oQTq%{)ZJKg{y(HJ*$`Up3 z+Xl!LmSzHGVO(zyG=F2ZS9+KL*GW}sAw5_E7sujBvx2qZ>^h6^=!?=dBjaXKF{W3y z5Eog(S5{^;0?xO}TbHYFY~5kYO0B*>KSS`v1>WIOxYE;3qen6uT$Z#s%*t5>wC&JK z&1qU~1(qZG^TOX+PG$>&M2M9U-luj#)(zxEMGbS7@vQ{)K3jXbekP08nBTCd)^H@NB0qa;`TQ+pIm70z|Jw#_sFWC*M`qOBBCIzs|uzFyrHf&|Chlm769UC`r zsOYuYqBaIsch^$5u?LF3kMM0V6C6{+&ghY2%Q|$qOn3l*4CbDBFlm^wHWbmFzz1ad zvIX3d2}e9mme6DOsJdG`k1bwZd(>8~YlnW__XuJSp@e`O;hygGH=&OVS^_XrVAbJWY)MqJp- zb^n+vE?{Z;lJ@raNZpP#q9L8ju57^kcCPpcWAp){p&l>W_&xHsenzFk_>|qp(sELN z<2uRTmSLxk&TW8R5gyg>gs|%81{fFSIAqhEzA}L(B?}c@z0eW+rE8Fsl5}HCce|i{ z4>Wk2Y7h;QCpiMQ8gTm}v|=4X2-NKli41H$exzY0N43OxeY&OVwq4gTA9^ z55)=;5aTp<{lo+gDUh)0jgW1*Jft%f2tGqMCmVkznXvAV0aM zOH#8qko&J&BZ)89i-*QE(`7dt{C4tvogr6n!Rc%KYLP}ZpDJ@BaZ8hz54AU7MlEDx z;nJ81P6;CC_RhsDJ*Y-SL}a)eq`py@j? z6XaKq^}$`B!379ZEEc{ANY8jD#3a3+`Hru=-sXeXN{v{Hk+v{nf0EE50s_lb9$J3O z_s*1t&#fVZ-vRC`Qrx;zh`(m@MaDVsgN~*dv|LE{M}7+A^I?suJ|9Cx*~gC6*f2|B z@XPnwspFj<8+at%JAKi_do5OOAR;GEfK48atb!M3mx>)Zf**2DYUSS&i@d;FhpfEn zS8(dKkkgD;Hmw_m#N}SR{y|{l8m?U34?tVM*cQ>7OLTs$=GHY0%zSefMnZNEZ6~Tc zZnoED+xk9V%!lnG`UHFL%HYxZ<$V|@`nNv`?u23?)EKNA*lp`mYW93YjhTMwp4%cH;R-k!)64T^Qo5jZYP*zwS8oXD zkV?;F8Va*DHwP07d072Qnl7L7mYgl0RweEr_fl3248aeG1~e*liIMbZbc^~9T?wnv zh;#gx8^H=NjX)W7xVTr|D!BTG9PPYBF@HPCQ>-<%W3k`(?jM-Tg!7kjqDmWIV^F#F zAKW-Uked5J_0`#wTf} z%KstMF9HL3z5*o1+Szq#1nAN_6+_8e=i8ah7l_@jNuqp?wpPC5K!^~Xo z6}8vX^Lh9V@jy`&k@?f=5?b>dG)P*0XZcECmgR{6f#ES{$o`gQslB)`M&z%PO{B?U z?^8(rI9kG%V#s~W6)PLf;cw_BvZ1Q$dKp7XOw37~d`&0BZs!S6I6`H*I@imX5}M53 z#@}e%H}-u`dpozr<8K&pd3n2g)QUY5ZfSPDqo{jW&+zGHW)~vtd|Bj``|WkPdRmAR zH{%8=*46E!ZuNPJx=WN2S{DZ*`U}^OD}8Z!8PCutsU+7EaA^Pjt&dMcwy+QF$tcp@ zoA=h=%9UyS=RA%EJ_^TONyG#>%!Z!v;KGdj{BjgwS89klW`Se&@PES$NkF!2hF8zl zE4_M+DuT_xJL4`m4ZC;u91iso9v&i2t(+;e<`Er#9FCn9i{wrc^3(3*B)K#1D6Q#Q z)$3vUem8s*1!BB`km&ePr6k()yeBK+Murr^v z01jMZCa!WnTI3+({E%$m(5gu5znQCU)b4V*s0g1&boMiK8t{#P({{9%p=cBYnx!!eY{rZb z;@&i4FH{uWG%X$Nx0W8wN9*ls0&8wr(2O_zQmHp9dwXo>bQ@1W?7Bdmv6gIt^@8P0 
zN<@a+si^Dqs;siER=NWeT@;jxm{$M~6`q&3_JX=^dO6{n{Ru^+Ct%D}>mN6kcXO=H z_%-#x`r49bHJl`UbYFNKg1=*0}Xd}!B_r-6>pS_uEi;+#Y zt=GreTYvA80c%gVW93-9#ul5_^&t z9?$EqQYUk|Bav@FOP=@MdfmU}tneS1PY}jGN#6xI)37#;F=Qm`8!K^d+=)W32Md_f zKFQ&UCrBGe#>s1H79NRv%DA5_aitX09?(VFk1b=GY{SWnxM2&mDJ;@gq+_aTYWT`r zqPs3?Aa(?Q1fRdXp@F>tMuT;PcsYd2H5y(Yi@ZSSCX*GXu&xbe1Hr%TJmW>$+jeW^ ze~0YVC~|%%R=>txiik=?n91K(AYglI0H?pft(flX{+-w?#I}8b7 zEGN<-az~M_{Z6R~F$gRq0q=!j?@?5aMzk}k(5lFKJkuM5dd9e?)(1iUz%CJfv5_ZW$&b=h`Q{pgzlbS*2a_q<00% zcU#{H7An?`dFyA5z7mAZZ#M9?f$zayeR8?|B(Ora3qV=GNP%xyy3}?SZXtJXDf-rB z9TjL-JuaVgLVnJUIo4@En<#sY3Zi$Ep`uZR@Y`Xi1jFy zftc0pfjZc*_hBT>j4C5we22)0mvaR~xEZ7C` ziF@~fG#`1N%kUHDt;geGcfbM$+Aax6o%gOY6VMS!w$1Zr9fi7!c5VZ>i^;s9iAHev zI)ZnDBz?EKypkL4)wQT&{t#&OO-I2MImGx5==W%x%O5=&@+&PL^0SOQhH|==Fiut{bvggR%{Z{LnN;aF5fuW%aC%Ui7Yh|-tZ5o48yDP(tS%AoOg+1b&^S?Py) zSWSE*VK7$6w3=Z#J&QOIB%J?+0$U&5~FJh!k8EfNv)L+~xxEO^(CVo3W%Q z^17wIj8AQTaIpIv0B=4)%A;ipTmz__;*O_=@{N%JG3OGZ@;=ToQx&)kU9uL(Tnf5r zl60{NN(A~@j{A7h-3R92pG^4=bKzKA1R-h=k+pRE8~GJrG(kS<@84_fyNGKqFmjQo z2lt|62)jT=j#xgGibnU8N(Cyjg3O}x%(Q}1lO`v7Y_=fqg06Ud&|h{a63EwAbTqjy{#|Tr87^Rv^x^5SOMRh%&6#HCqA26aUK+& zPtM=O<@X@-eH2&b-iKw;JQpJRNypFV&{_Whj}8=1&w?*+HUAt@)`-17RcqUx&$3va zQzU;77(=r{_UQi;rynJHvKVN`%_o?~PzopF$+EFI{IsyKXbaUZlNF1=43c_rhq>Og z#XM_?l^g+fSI`vBys0v9327bXQ~TNjG6`miZRel(4Z8R+u+41H{C5^bcsM%LaFye+ zA>D)=(k&VQI&qnSJht&qg~PZ(DWV?7NrD^8Sk%A3-Xbe}k12i;K;}&5-Khb5**Q;+ zKHl@uC+YL&%*ds!mPMnY4&8%RsS&TUYWZMdrihc-jAJSqFQ^b4OOZ!KpDgJ{LG7``yXiBo9Bsb8p8#gJCnmP851QeZ}hWywJ ze|jyrz6m%K^8WED%28M2`A-(oN^atTyL%>imP_t(ta-XhWl*j``(1ec$Knv|iBkXQ z-VH)PVm^Uf9BkT*W#`G~MENboO4}nUd>Wf;oUHp)Nvb}V;y0~<5<8j0zw2o;kEVs(8mC1uRe!Z+x2w%KnpE9pP zUoJ;I-TLzJH4_6Z$XN<8J4jEQQX%SGvDae}l(rcdT~SP7?!jsJ0Fo-|y*kv6Xi$L1 zk`0SK_yfTSS6;TI)oJ@iw;9yKH=!_p)-D!we7Ynm9rl=)^fQJQq<3xGdMRS0$^&(c(q8e6VYUx%{pwlm? 
z9)Rj6cS(Y@r=_mb9XGD*1jj;bQz_P7I$~Tul`de^J^y;G=cdx5S(>+99nv0bi1S{j zYPJ-!D0NE1&Fy9I%-mbDhyFVgkztR`gW7Fp(FTjN$af@gt*MPD7=2ko5sq1ycRKbx z;e1yKeJHSLg-us2gJ=47!YMgoBUSZQKQ}o1R43Ozc`4$B9ChWZ;THlA*gyNH_}w zUpVbmEc{JJ^}3vvw|Km}I&X#fsjhqN(`?(0`HHRAn#qsAUH2z*&M#-x#>F3J#WT*8 z?~ga0>{=hMS9THkwaI_KMCc#(Y~9{f7h>R`2AvM{17A;n>6h4~+PKSoAW!-!q`pHp z@$4f+I~tju-#9IkD~ldQTT@`}t8Gzp2yplZr9wplBA6g(D3ak6JL>7&;pttI?LB>{ z5*aD&-cBZsE!_}~zuC4fFHpJ2*brUqn*mnoo zIVh3Y=Z)YrO#8l*_?ow>T!Ffa2Yz0euxs(M&UF+el&V^ixRbQi7hcC_Hr@l|z=-a1 zJHQId^?9<`)*RgrX(2!lFSN|Zj7JuVlI-RVw@#2JqNMsti$bUqAnD#qe~-n`qX8Q1C~-@eMD|;kfg~C@|1BI6aa*6QT4Y`8v+#p zl4-@Wa0&Qyw6BEJ3W6KOibBM!oQQ~8)BI~V@HaQELcehg1Kj=RzME^dL@f>BJT-QI z(#?g4;QZW;$O+`5JN;`(u+VkQ4`1niH1MtXrTnyDzj5EWAQcyD}fjyV3{;Cjvggl*L+O;w< zaxan#ne6Vsaqlq%pQ4uw48XxdQp*LILB~5xMwaBQV`Edbj$o2CSWF`jSjugihB!tA;t`Gw5v3nF~1o9h@@ppc=>$!K020>&^Y0oEn4@i~44>iu@}+27P=mONiZM6xlEvO)Z5 zTRb&9{Mp~^-dJGusBjF+0_sF1MiDY{f6uEZFCjhXw+U)1sFsQXZqSNA1ux;Dja8|rI&D!ymF zi{ZvYc|G2lfM&_@eU7n?v2W9b@IZ?G?#d6|+(i%jbNL?rbG$pTE%Wt~<2Yrj*F;<~ z9A~p{f4GzR)3J`1UaOvN+H$t8%tisCS0bMs(Dgb$dtetMQhRe&)A57=N7OO--z0!M ztEVq(J0rGu1$~BGty0nPXIZUOA_O9dNK#t{P~U^HnmbwO7=63X27PWpdf}VGVN%2u zREM>09N$KnHA*$^!(-Iyef$qy(`mLl#R=?f7a@x=j5$4M8Z#Eaq zjo+w$u@6gosgz1yxunQ$I@(<*pD@M?6AOvdsNX^8gqeRZ^4kQQq6g3muDPaE7`AHI zcft2c=^h>=Bn-Hh2{+kGG@j^dp6Sy)c|}oXe~W&bj-wL!3x7xgM-6lhmf^PU`Q5Qi zdO?MOF>yyu0 z-~Sd-v?%5pKG$Ff3GZYKDF+YTt~ermQt-)i&i%}64kOF)Fme2j)(5A2LK^Jzc(t(0 zA`Xv&J5IC2$`Hxi1^Vsr=5c!&dH;L~&)I;}z!5vfX1m9R=Vtb7vCn9R?+4qU+p1SGQeOTw5)`jvsC=W=pTj_^kji%F5cOIQ*LsTFp&|99 zTpg#uXJ}>wc)2C4jA5)wP(hbHWv?grew=l{Op)SHTI^56Dai|o!GCj^NVo%fIF&9W zEL8lV({=tiv1wxdtAQ+i0KpWp;?ru(0Y_PNbqIyYhs%L?zNtySZcB)xdJqUQliESj zRnF#eS)7{fSz~hV2NAPfWTjr_AGl4w&zyIhX#%ZT0!XI+l z@H@i&kRhs%l!?h75pACMHcq*e5WQ*M3!q$@X2= zwP3)7psw_Q-cCJf{2K8u@}2FuGEI!*6@n+L+vvE%dXUTuG;2$14=A_q&VajJKJzOsTyMR{N{K`t~d1X-la5VX7ZD%2R z#aL8hYliLtr`bhu}tRLYK^em=5n2o6<^BI(-9sV z9QC#dPu_8Y(svO1K`4nEIE9~7ff0ZF7^$_NcDMYxtjZZ>dB?1~LFM0C3sHmW_YHtf 
zlTng+ghO-GPOhsS#}>%+62@G29%o#%+!({kx4x}WCO;JoUEzQ4S*_}bd!dRM0e&;m zkQj~=Eb;PfG=l3bfgD53w-~u(o2JSRp;h^x;M_S5p*wEvLiP5OrJulSQC|%H5d~JoBN?a*2)K;?w>l?+Q(%eEUZfvS>qq5K3a#v4 z{CWte>l_KWoZm4ExF=cPfEg|E7UR^*{^UR)fN%PW!PbS4Z}^40kc&_jw|uA`SDuee zye=7^{N-uar{#jM|H05&1o`6&a3!6h0Wtyk*j80?3Ijq2jn6}8nW54+0v4CRBiy9d zLaU)(N9uIdC(L*JzOq7AsG8tOBIfEz9?A{4BuBc?)c8Nvw>rQ%ERgP;`0?{-7P~Bl zN%+T%UMf|5da_$>508Y2a)bYY^oJM#`aoG#3=zXvoCy`kIfLh9aV>R-@?WLu|0y0@ zrSgf+Kdrot;z=Xy8ySLD2#0c-O$HrkgeL|bL`nTrQT#u!Pl9kn0A)upNTPa6nvjtU z)eWGQz9h@$i&jEG$U^8_soUoBkgj|gk#5|yQoZm`2Ts0*amk?XphFf4B*QT`(X}7k zGSwC_YZE3RhUuQ_+mtw#7yXwlk0{xBSh3U>dP5X0QF$LQZO6~6Om8EEKSGFDZMo^5 z8k;(3<>3m$cw_Kpy0`3ujnkCEkkO$ z`hRpG0fK{Hzf)7o?RsT1E4yM0A_Qx3A%03wE)fH^Y~jO55^18n3lb%yd1@VXd`rgv z=V4(>PY}2&gIrPhMkq-)^s3jFxS^-NhMVD68SQq(mnBLfd}fj7RJ=FWxM1cw)D=)! zb$N31IS+=F>Dgkk zr#2AM)U8lc7C_DVy8lOVO^)}UNi?DddH&y8T$!d4UUfEfwXDyx=0qMD05V3=y`tMV z#)n7po>dYJ#iA0lDVV!w%U+VCDddaOSC&>_$6M@Ld>lww-fT=fEaP?+m zPQe>Q7+T4vw3LL;X-teemiAo6vz=)n(36k22Gv|1WCpzz8JW!E!KrckG@ zL{(^!qcR?l3kwX6HU~eV^8GnT%gr@fJU~|`%*fhxFD}(Y<^L$@e7vmL_8GR?n# zhK%wm8vcmlE3G7-%h^BVqB~qKU-GR5=F6Bwi=hWhvNN7P(~C1(-ikCIdNKVXv0Ty- zTi=zOSy#$Ef}XDC0K?UEg8O0Gknqn0oM69>pkL^6v_X{ zyAqT?w|C89W+2tU)<9%k@SB(%<=Si7Ko2aankD+0aPvMh?Zo<2`iFhqV^bpHH95+F z#x~yZ_U&kkuLb}l1CgKHIc1L+%?K8fmx}(`F5HI?CmZjDQ^Y2g3JuXc%03Q3yXYQl zkeH)iaN+arD`OEIt7bOaS{46Nbyre<(u32nz2Yu@;?YtD#Vpi| z#TG|oKU|nRPfCf}u_W%v?xBY6H*oe*Pje(XktStwWilmi_1;aHSou{Hk!j@iH#~c0 zrGsAv8#tmDbjl>{)o}z<{W8=J_T~PXwfj=*$HU&ES%HV@!i=dm!+>E?QJN>L(8BXnzZ%$z1Q1Rg#xHzN zLUuy|8dBbIBJRr;9#oIfTP@g(uUyKdy-p3J+;u^ouXR+d_!iR) zg}4VVkgJ-DuP4UD#yBO)GvpDiPH}(5KjS{->o1IL8s9RGCy=}MHqaq>W)xH6$&hKA z_>PB{?RP)jdpmPOs6~T`0uJrDd5uVkMoH~n!xLg-X8WArWXP$MG!{ln1Tps9@E;g1!!0xTUQl{)z93h^xeJ~qP8vpvgO8RdNUD$%8Gh#_tdDxdh)O&K9_m#gYygXK z_Tezv(ZVT!?g>y!=&jxx*t39~4=zw*joa6gXQ%%C3o$wgVbInt4$J1Vw=0+C7c0)I zZR2e>IbvI)K%t2bO6G5pSd-+>enmlZ#@@9|jDCt=sPgG zbhfc|X(MD|hdui)qLS^q-4DCSfz{Od6`AThTYrP<_H3Vx;tP%)vRMsJST3eRVH$qP 
zN~g@l(!;0&6Sqo(Z-@J!YQn%P-#4iket1rsK&HKC+rdL)4@|QtB|Ljn=0=-}^931j zc2u+X#62T(&j@h2FDEG{$l$3akZkDz9L94K{AZCP#wf?+x8#%RsB(Fh>+dp`LR-nDtn_8(mT;nO>-c{Mu8ILL*bd#M;;3e&svrhxn7B=_}YZhzws_`RD zxZjI=E&3N6Pq^tmmbPV6mpz5AWGmxFHHasPjT-X0uP^#xG&8v8E?(iOVlD^@aU}7! za^@*eZSN{};3uW8IJ;AwhzPt{dT63;~86bRLC0gTn@uUaGIz7i)jr7@I^TMt4lrW zGiEv3_k0r1!d-z}bjdw!jvb=6c1tdTpw)l49|{$#{OZA6ebp<6Wa%hG}DIz`d3D}vz6JcV}JFYmIAlA zZ5YD7x#5L$vr{=q;s1Mm%OUV7-RST9=UDx`HT_Xi&r2?G@I%nh_faduBDS3H`gz4d z+Y!&?+oYcqlTw&*ydkfY!_6Vj%80ff80tRv5GUyam)Dr``eTH$BBiO5IKoF1acD$D z->G?@9~AtTR=~9R1Fe|pdPQx0>oS%q_hlh(2{kPQx}Fgw7RMUiTAQxuK~ClMNi$M; zvMixn3?{9Ku$}NC_wcmxq~`(B38(gN>-LllG|gyjKGYCDtrCyzg39jyl{8FP$S2Ko zIoPj@7gdTWjm+?LHaI>q z#6{o`?1E^#plm^+8L^A}jO2_DKj?Nj%m#a7Byb^1$youl0KEzom-vwGcWQDwQ>g!l zCQ|ZX0y-ugdIzV-Q8~;ontgWvoIi^q`yD9hqu_B5*E{K>fg?abixYWr3Uo<|h1D~b zXp-BejtBCu+98duCOaDnmjh-rn6&s&a#EkW$H`+Ql@c#zhhr^|IkFgP(6hzkHrM~ ztMs&8X*4FP;}<_2witSR%5UmUe`hu6{w)N<@jXGL@9>>w;0cx7Z}~W0(lH6AQbS-F zx;w(n1Vb;B+$V^+h_Jt+3#Wd}f^!SdrFLi7<_gFaEqS~C*OJMZFmec;ak4f2vn)gM z$1sem~K6j#wq!W!5oFA+Ijf@Kfcd?W($-}hLwgzv&G5Zr*L zQ(J~DM*y2go6phzT5jKrQxJ*tody64 zDQFX09f{*R^J|o_5Q+2zVcYQ47X$W&lw2!J&1mS8!ph?>QguznA#sb0Od)Q%Mtcx* z=sr*>qOcBm$9~^pj=W{^-&7t>-mL~nJ8BDlQh{cXZ_3`)WWY+{0o1bIUR$lF~ z>jLqyA9jggCd4k<t&LY+urtrnx~A;4w(*s^>16^o z@o}8bkVCZ>YOlTQG76fe@60ZIX2Y#Z1SbsU=YOs*^SB?XQdw_gZTLa`k~?9)`B+{) zh-&Ez>3H9CEL_t1R1di(A1AmF-wQ51{LcK*80Ka7xN4bY`uS|n>`8a0vOksP8%!Xf za&~?T%trT+Vk3VtB=!@ ztt;T!9g5B%lZZ5IT&(zx5=dYzqva_i(m!Yrz~3Yt_CrYysI^6ACEd zlu*PI^}2gX6#uen?_(d$i37mb}Z(;hsoW`W6z_f%guk>Ao)PO}Z$BfOY gL*;{Ps;__Wy&8V8#1*&bAt64BvZ^vwQsChK5BRq{TmS$7 diff --git a/docs/import_from_beats.md b/docs/import_from_beats.md index 6ffdf53f4fb..b3dc309f7db 100644 --- a/docs/import_from_beats.md +++ b/docs/import_from_beats.md 
@@ -1,52 +1 @@ -# Import from Beats modules - -The import procedure heavily uses on the _import-beats_ script. If you are interested how does it work internally, -feel free to review the script's [README](https://github.com/elastic/integrations/tree/main/dev/import-beats/README.md). - -1. Create an issue in the [integrations](https://github.com/elastic/integrations) to track ongoing progress with - the integration (especially manual changes). - - Focus on the one particular product (e.g. MySQL, ActiveMQ) you would like to integrate with. - Use this issue to mention every manual change that has been applied. It will help in adjusting the `import-beats` - script and reviewing the integration. - -2. Prepare the developer environment: - 1. Clone/refresh the following repositories: - * https://github.com/elastic/beats - * https://github.com/elastic/ecs - * https://github.com/elastic/eui - * https://github.com/elastic/kibana - - Make sure you don't have any manual changes applied as they will reflect on the integration. - 2. Clone/refresh the Elastic Integrations to always use the latest version of the script: - * https://github.com/elastic/integrations - 3. Make sure you've the `mage` tool installed: - ```bash - $ go get -u -d github.com/magefile/mage - ``` -3. Use the `elastic-package stack up -v -d` command to boot up required dependencies: - 1. Elasticseach instance: - * Kibana's dependency - 2. Kibana instance: - * used to migrate dashboards, if not available, you can skip the generation (`SKIP_KIBANA=true`) - - _Hint_. There is the `elastic-package` cheat sheet available [here](https://github.com/elastic/integrations/blob/main/testing/environments/README.md). - -4. Create a new branch for the integration in `integrations` repository (diverge from main). -5. Run the command: `mage ImportBeats` to start the import process (note that the import script assumes the projects checked out in step 2 are at `../{project-name}`). 
- - The outcome of running the `import-beats` script is directory with refreshed and updated integrations. - - It will take a while to finish, but the console output should be updated frequently to track the progress. - The command should terminate with an exit code of 0. If it doesn't, please open an issue. - - Generated packages are stored by default in the `packages` directory. Generally, the import process - updates all of the integrations, so don't be surprised if you notice updates to multiple integrations, including - the one you're currently working on (e.g. `packages/foobarbaz`). You can either commit these changes - or leave them for later. - - If you want to select a subgroup of packages, set the environment variable `PACKAGES` (comma-delimited list): - - ```bash - $ PACKAGES=aws,cisco mage ImportBeats - ``` +**This content has moved. Please see the [Integrations Developer Guide](https://www.elastic.co/guide/en/integrations-developer/current/developer-workflow-import-beat.html) instead.** \ No newline at end of file diff --git a/docs/testing_and_validation.md b/docs/testing_and_validation.md index 117d9a67168..7f589e82357 100644 --- a/docs/testing_and_validation.md +++ b/docs/testing_and_validation.md 
@@ -1,136 +1 @@ -# Testing and validation - -## Run the whole setup - -1. Build the package you'd like to verify (e.g. `apache`): - ```bash - $ cd apache - $ elastic-package build - ``` - -2. Start testing environment: - - _Run from inside the Integrations repository._ - - ```bash - $ elastic-package stack up -d -v - ``` - - The command above will boot up the Elastic stack (Elasticsearch, Kibana, Package Registry) using Docker containers. - It rebuilds the Package Registry Docker image using packages built in step 1. and boots up the Package Registry. - - To reload the already deployed Package Registry use the following command: - - ```bash - $ elastic-package stack up -v -d --services package-registry - ``` - -3. Verify that your integration is available (in the right version), e.g. MySQL: http://localhost:8080/search?package=mysql (use - `experimental=true` parameter if the package is in experimental version. Alternatively set `release` to `beta` or higher in your - package's `manifest.yml`, if appropriate.) - - ```json - [ - { - "description": "MySQL Integration", - "download": "/epr/mysql/mysql-0.0.1.tar.gz", - "icons": [ - { - "src": "/package/mysql/0.0.1/img/logo_mysql.svg", - "title": "logo mysql", - "size": "32x32", - "type": "image/svg+xml" - } - ], - "name": "mysql", - "path": "/package/mysql/0.0.1", - "title": "MySQL", - "type": "integration", - "version": "0.0.1" - } - ] - ``` - -The `elastic-package stack` provides an enrolled instance of the Elastic Agent. Use that one instead of a local application -if you can run the service (you're integrating with) in the Docker network and you don't need to rebuild the Elastic-Agent -or it's subprocesses (e.g. Filebeat or Metricbeat). The service Docker image can be used for [system -testing](https://github.com/elastic/elastic-package/blob/main/docs/howto/system_testing.md). If you prefer to use a local -instance of the Elastic Agent, proceed with steps 4 an 5: - -4. 
(Optional) Download the Elastic-Agent from https://www.elastic.co/downloads/elastic-agent - -5. (Optional) Enroll the agent and start it: - - Use the "Enroll new agent" option in the Kibana UI (Ingest Manager -> Fleet -> Create user and enable Fleet) and run a similar command: - - ```bash - $ ./elastic-agent enroll http://localhost:5601/rel cFhNVlZIRUIxYjhmbFhqNTBoS2o6OUhMWkF4SFJRZmFNZTh3QmtvR1cxZw== - $ ./elastic-agent run - ``` - - The `elastic-agent` will start two other processes - `metricbeat` and `filebeat`. - -6. Run the product you're integrating with (e.g. a docker image with MySQL). - -7. Install package. - - Click out the configuration in the Kibana UI, deploy it and wait for the agent to pick out the updated configuration. - -8. Navigate with Kibana UI to freshly installed dashboards, verify the metrics/logs flow. - -## Use test runners - -`elastic-package` provides different types of test runners. Review [howto](https://github.com/elastic/elastic-package/tree/main/docs/howto) guides -to learn about the various methods for testing packages. - -The `test` subcommand requires a reference to the live Elastic stack. Service endpoints can be defined via environment variables. -If you're using the Elastic stack created with `elastic-package`, you can use export endpoints with `elastic-package stack shellinit`: - -```bash -$ eval "$(elastic-package stack shellinit)" -``` - -To preview environment variables: - -```bash -$ elastic-package stack shellinit -export ELASTIC_PACKAGE_ELASTICSEARCH_HOST=http://127.0.0.1:9200 -export ELASTIC_PACKAGE_ELASTICSEARCH_USERNAME=elastic -export ELASTIC_PACKAGE_ELASTICSEARCH_PASSWORD=changeme -export ELASTIC_PACKAGE_KIBANA_HOST=http://127.0.0.1:5601 -``` - -## Review test coverage - -The `elastic-package` tool can calculate test coverage for packages and export coverage reports in the [Cobertura](https://cobertura.github.io/cobertura/) format. 
-Coverage reports contain information about present/missing pipeline, system and static tests, so they help in identifying untested -integrations. For pipeline tests, it features detailed source-code coverage reports -highlighting the ingest processors that are covered during testing. - -The CI job runner collects coverage data and stores them together with build artifacts. The Cobertura plugin (*Coverage Report* tab) uses these data -to visualize test coverage grouped by package, data stream and test type. - -See test coverage report for the *main* branch: [link](https://fleet-ci.elastic.co/job/Ingest-manager/job/integrations/job/main/cobertura/) - -### Cobertura format vs. package domain language - -As the Cobertura report format refers to packages, classes, methods, etc., unfortunately it doesn't map easily onto the packages domain. -We decided to make few assumptions for the Cobertura classification: - -**Package** - integration - -**File** - data stream - -**Class** - test type (pipeline tests, system tests, etc.) - -**Method** - "OK" if there are any tests present - -For pipeline tests, which include actual source-code coverage, the mapping is different: - -**Package** - integration.data_stream - -**File** - Path to ingest pipeline file - -**Class** - Ingest pipeline name - -**Method** - Ingest processor \ No newline at end of file +**This content has moved. Please see the [Integrations Developer Guide](https://www.elastic.co/guide/en/integrations-developer/current/testing-and-validation.html) instead.** \ No newline at end of file diff --git a/docs/tips_for_building_integrations.md b/docs/tips_for_building_integrations.md index 68156b419b7..b3dc309f7db 100644 --- a/docs/tips_for_building_integrations.md +++ b/docs/tips_for_building_integrations.md 
@@ -1,141 +1 @@ -# Tips for building integrations - -The section offers a set of tips for developers to improve integrations that they're working on. It combines hints, guidelines, -recommendations and tricks. Please consider this section as a live document that may evolve in the future, depending -on the business or technical requirements for the entire platform (Elastic Package Registry, Elastic Agent and Kibana). - -## elastic-package - -[elastic-package](https://github.com/elastic/elastic-package) is a command line tool, written in Go, used for developing Elastic packages. It can help you lint, -format, test and build your packages. This is the official builder tool to develop Integrations. See the -[Getting started](https://github.com/elastic/elastic-package#getting-started) section to ramp up quickly and review its features. - -If you need the revision of elastic-package in the correct version (the same one as the CI uses), which is defined in `go.mod`, use the following command -(in the Integrations repository): - -```bash -$ go build github.com/elastic/elastic-package -$ ./elastic-package help -``` - -## New integrations - -### Manifest files - -1. Set the initial version to `0.1.0`. - - Tagging the integration with a lower version, like `0.0.1`, means that it's at very early stage and most likely - it doesn't work at all. It might be partially developed. - -2. Select one or two categories for the integration. - - The list of available categories is present in the Package Registry source: https://github.com/elastic/package-registry/blob/1dd3e7c4956f7e34809bb87acae50b2a63cd7ad0/packages/package.go#L29-L55 - -3. Make sure that the version condition for Kibana is set to `^7.10.0` and not `>=7.10.0`. Otherwise the package is also in 8.0.0 but we do not know today if it will actually be compatible with >= 8.0.0. - - ```yaml - conditions: - kibana.version: '^7.10.0' - ``` - -4. 
Set the proper package owner (either Github team or personal account) - - Good candidates for a team: `elastic/integrations`, `elastic/security-service-integrations` - - Update the `.github/CODEOWNERS` file accordingly. - -## All integrations - -### Development - -1. When you're developing integrations and you'd like to propagate your changes to the package registry, first rebuild the package: - - ```bash - $ cd packages/apache - $ elastic-package build - ``` - - Then, rebuild and redeploy the Package Registry: - - _It's important to execute the following command in the Integrations repository._ - - ```bash - $ elastic-package stack up -v -d --services package-registry - ``` - - Explanation: it's much faster to rebuild and restart the container with the Package Registry, than work with - mounted volumes. - -### Code reviewers - -1. Ping "Team:Integrations". - - Use the team label to notify relevant team members about the incoming pull request. - -#### Manifest files - -1. Descriptions of configuration options should be as short as possible. - - Remember to keep only the meaningful information about the configuration option. - - Good candidates: references to the product configuration, accepted string values, explanation. - - Bad candidates: *Collect metrics from A, B, C, D,... X, Y, Z datasets.* - -2. Descriptions should be human readable. - - Try to rephrase sentences like: *Collect foo_Bar3 metrics*, into *Collect Foo Bar metrics*. - -3. Description should be easy to understand. - - Simplify sentences, don't provide information about the input if not required. - - Bad candidate: *Collect application logs (log input)* - - Good candidates: *Collect application logs*, *Collect standard logs for the application* - -4. Letter casing is important for screenshot descriptions. - - These descriptions are visualized in the Kibana UI. It would be better experience to have them clean and consistent. 
- - Bad candidate: *filebeat running on ec2 machine* - - Good candidates: *Filebeat running on AWS EC2 machine* - -5. If package relies on some feature or a field, available only in a specific stack or beats version, `kibana.version` condition should be adjusted accordingly in the package's `manifest.yml`: - ```yaml - conditions: - kibana.version: '^8.7.0' - ``` - > Note: The package version with such condition as above will be only available in Kibana version >=8.7.0 - - > Note: Changing dashboards and visualizations using an unreleased version of Kibana might be unsafe since the Kibana Team might make changes to the Kibana code and potentially the data models. There is no guarantee that your changes won't be broken by the time new Kibana version is released. - -#### CI - -1. Run `elastic-package check` and `elastic-package test` locally. - - If you want to verify if your integration works as intended, you can execute the same steps as CI: - - ```bash - $ cd packages/apache - $ elastic-package check -v - $ elastic-package test -v - ``` - - Keep in mind that the `elastic-package test` command requires a live cluster running and exported environment variables. - The environment variables can be set with `eval "$(elastic-package stack shellinit)"`. - - -#### Fields - -1. Remove empty fields files. - - If you notice that fields file (e.g. `package-fields.yml`) doesn't contain any field definitions or it defines root only, - feel free to remove it. - - Bad candidate: - ```yaml - - name: mypackage.mydataset - type: group - ``` +**This content has moved. Please see the [Integrations Developer Guide](https://www.elastic.co/guide/en/integrations-developer/current/developer-workflow-import-beat.html) instead.** \ No newline at end of file From a431cabd9e8cd8581015526e7af26a408a7cc3df Mon Sep 17 00:00:00 2001 
From: Krishna Chaitanya Reddy Burri Date: Wed, 12 Jun 2024 12:49:29 +0530 Subject: [PATCH 007/105] crowdstrike: Add `device.id` field. (#10124) Add `device.id` ECS field. `device.id` is required by Defend Workflows team to implement bi-directional actions against Crowdstrike. Both `falcon` and `fdr` datastreams are updated to add `device.id` field. `alert` and `host` datastreams already adds this field. --- packages/crowdstrike/changelog.yml | 5 +++++ .../pipeline/test-event-stream.log-expected.json | 3 +++ .../pipeline/test-falcon-firewall.log-expected.json | 3 +++ .../pipeline/test-falcon-sample.log-expected.json | 3 +++ .../falcon/elasticsearch/ingest_pipeline/default.yml | 7 +++++++ .../_dev/test/pipeline/test-data.log-expected.json | 6 ++++++ .../_dev/test/pipeline/test-fdr.log-expected.json | 3 +++ .../fdr/elasticsearch/ingest_pipeline/default.yml | 12 ++++++++++++ packages/crowdstrike/data_stream/fdr/fields/ecs.yml | 2 ++ packages/crowdstrike/docs/README.md | 1 + packages/crowdstrike/manifest.yml | 2 +- 11 files changed, 46 insertions(+), 1 deletion(-) diff --git a/packages/crowdstrike/changelog.yml b/packages/crowdstrike/changelog.yml index b1029bc5883..77f1a894f74 100644 --- a/packages/crowdstrike/changelog.yml +++ b/packages/crowdstrike/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.36.0" + changes: + - description: Add `device.id` field. + type: enhancement + link: https://github.com/elastic/integrations/pull/10124 - version: "1.35.0" changes: - description: Make `host.ip` field conform to ECS field definition. diff --git a/packages/crowdstrike/data_stream/falcon/_dev/test/pipeline/test-event-stream.log-expected.json b/packages/crowdstrike/data_stream/falcon/_dev/test/pipeline/test-event-stream.log-expected.json index 4ebb3b0732a..2577fe6b9c7 100644 --- a/packages/crowdstrike/data_stream/falcon/_dev/test/pipeline/test-event-stream.log-expected.json 
+++ b/packages/crowdstrike/data_stream/falcon/_dev/test/pipeline/test-event-stream.log-expected.json @@ -31,6 +31,9 @@ "ip": "81.2.69.142", "port": 445 }, + "device": { + "id": "6734ff444f4456" + }, "ecs": { "version": "8.11.0" }, diff --git a/packages/crowdstrike/data_stream/falcon/_dev/test/pipeline/test-falcon-firewall.log-expected.json b/packages/crowdstrike/data_stream/falcon/_dev/test/pipeline/test-falcon-firewall.log-expected.json index a43c256defb..8f45bf31dd6 100644 --- a/packages/crowdstrike/data_stream/falcon/_dev/test/pipeline/test-falcon-firewall.log-expected.json +++ b/packages/crowdstrike/data_stream/falcon/_dev/test/pipeline/test-falcon-firewall.log-expected.json @@ -32,6 +32,9 @@ "ip": "10.10.10.10", "port": 445 }, + "device": { + "id": "12345a1bc2d34fghi56jk7890lmno12p" + }, "ecs": { "version": "8.11.0" }, diff --git a/packages/crowdstrike/data_stream/falcon/_dev/test/pipeline/test-falcon-sample.log-expected.json b/packages/crowdstrike/data_stream/falcon/_dev/test/pipeline/test-falcon-sample.log-expected.json index 6e4ff2df0e6..26a7a0b959d 100644 --- a/packages/crowdstrike/data_stream/falcon/_dev/test/pipeline/test-falcon-sample.log-expected.json +++ b/packages/crowdstrike/data_stream/falcon/_dev/test/pipeline/test-falcon-sample.log-expected.json @@ -31,6 +31,9 @@ "ip": "10.37.60.194", "port": 445 }, + "device": { + "id": "718af202ab2c4ba5b6a5d10d39c0e0a5" + }, "ecs": { "version": "8.11.0" }, diff --git a/packages/crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/default.yml b/packages/crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/default.yml index 5fca7f20fad..2d00a380865 100644 --- a/packages/crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/default.yml +++ b/packages/crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/default.yml 
@@ -336,6 +336,13 @@ processors: field: destination.as.organization_name target_field: destination.as.organization.name ignore_missing: true +# If `device.id`` is not already mapped inside respective pipelines using SensorId, use `event.DeviceId` to map it. + - set: + field: device.id + copy_from: crowdstrike.event.DeviceId + ignore_empty_value: true + tag: rename_event_deviceid + if: ctx.device?.id == null - remove: field: event.original tag: remove_event_original diff --git a/packages/crowdstrike/data_stream/fdr/_dev/test/pipeline/test-data.log-expected.json b/packages/crowdstrike/data_stream/fdr/_dev/test/pipeline/test-data.log-expected.json index 5d1825e5908..096bfd15961 100644 --- a/packages/crowdstrike/data_stream/fdr/_dev/test/pipeline/test-data.log-expected.json +++ b/packages/crowdstrike/data_stream/fdr/_dev/test/pipeline/test-data.log-expected.json @@ -67,6 +67,9 @@ "cid": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", "eid": 118 }, + "device": { + "id": "55555555555555555555555555555555" + }, "ecs": { "version": "8.11.0" }, @@ -182,6 +185,9 @@ "cid": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", "eid": 119 }, + "device": { + "id": "666666666" + }, "ecs": { "version": "8.11.0" }, diff --git a/packages/crowdstrike/data_stream/fdr/_dev/test/pipeline/test-fdr.log-expected.json b/packages/crowdstrike/data_stream/fdr/_dev/test/pipeline/test-fdr.log-expected.json index 3d110d9e936..79253fb8dbc 100644 --- a/packages/crowdstrike/data_stream/fdr/_dev/test/pipeline/test-fdr.log-expected.json +++ b/packages/crowdstrike/data_stream/fdr/_dev/test/pipeline/test-fdr.log-expected.json @@ -2902,6 +2902,9 @@ "cid": "ffffffff15754bcfb5f9152ec7ac90ac", "name": "PtyCreatedMacV1" }, + "device": { + "id": "251658248" + }, "ecs": { "version": "8.11.0" }, diff --git a/packages/crowdstrike/data_stream/fdr/elasticsearch/ingest_pipeline/default.yml b/packages/crowdstrike/data_stream/fdr/elasticsearch/ingest_pipeline/default.yml index 9b647bb054c..8e8afa51154 100644 
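Review bot: The new `set` processor's `tag: rename_event_deviceid` misdescribes the step: it is a `set` with `copy_from`, not a `rename`, and pipeline tags are what surface in the on_failure metadata when a processor throws, so a misleading tag slows incident triage; suggest `tag: set_device_id_from_event_deviceid`. The comment above it also carries an unbalanced backtick (`device.id``); suggest `# If device.id was not already set from SensorId in the event-specific pipelines, fall back to event.DeviceId.` Since the PR description says `device.id` will key bi-directional response actions against CrowdStrike, the comment should also state that this fallback is expected to hold the same identifier as the SensorId-derived value — whether `event.DeviceId` actually is that identifier cannot be confirmed from this hunk and should be verified before response actions rely on it.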
--- a/packages/crowdstrike/data_stream/fdr/elasticsearch/ingest_pipeline/default.yml +++ b/packages/crowdstrike/data_stream/fdr/elasticsearch/ingest_pipeline/default.yml @@ -2341,6 +2341,18 @@ processors: field: _temp.hashes target_field: file.hash if: ctx.event?.action != null && (ctx.event.action.contains("File") || ctx.event.action.contains("Directory") || ctx.event.action.contains("Executable")) && ctx._temp?.hashes != null && ctx._temp?.hashes.size() > 0 + ## Device Fields. + - set: + field: device.id + copy_from: crowdstrike.SensorId + ignore_empty_value: true + tag: rename_event_sensorid + - set: + field: device.id + copy_from: crowdstrike.DeviceId + ignore_empty_value: true + tag: rename_event_deviceid + if: ctx.device?.id == null ## Crowdstrike fields. - split: diff --git a/packages/crowdstrike/data_stream/fdr/fields/ecs.yml b/packages/crowdstrike/data_stream/fdr/fields/ecs.yml index 4c5f6667933..a59ddff9346 100644 --- a/packages/crowdstrike/data_stream/fdr/fields/ecs.yml +++ b/packages/crowdstrike/data_stream/fdr/fields/ecs.yml @@ -22,6 +22,8 @@ name: destination.ip - external: ecs name: destination.port +- external: ecs + name: device.id - external: ecs name: dns.question.name - external: ecs diff --git a/packages/crowdstrike/docs/README.md b/packages/crowdstrike/docs/README.md index a08bce66d99..d3817dd18a7 100644 --- a/packages/crowdstrike/docs/README.md +++ b/packages/crowdstrike/docs/README.md 
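Review bot: The first new `set` (`copy_from: crowdstrike.SensorId`) has no `if` guard, unlike the falcon pipeline change in this same PR, so it unconditionally overwrites any `device.id` already populated earlier in this ~2300-line pipeline; add `if: ctx.device?.id == null` to match, or, if overwriting is intended, drop the guard on the second processor and say so in a comment. The fallback to `crowdstrike.DeviceId` appears to mix identifier spaces: the updated fixtures in this PR show `device.id` as a 32-hex string in one FDR record and as short decimal strings (`666666666`, `251658248`) in others, while the PR description says `device.id` is meant to drive response actions against CrowdStrike — a consumer isolating or scanning a host by `device.id` must not be handed a value that is not the sensor agent id. If `DeviceId` is not the same identifier as `SensorId`, map it to a vendor field instead of `device.id`; at minimum document the fallback with `# Fallback: DeviceId is used only when SensorId is absent; confirm both are the sensor agent id before relying on device.id for response actions.` Both tags (`rename_event_sensorid`, `rename_event_deviceid`) also describe a rename of `event.*` that does not happen; `set_device_id_from_sensorid` / `set_device_id_from_deviceid` would match what the processors do.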
@@ -1573,6 +1573,7 @@ and/or `session_token`. | destination.geo.region_name | Region name. | keyword | | destination.ip | IP address of the destination (IPv4 or IPv6). | ip | | destination.port | Port of the destination. | long | +| device.id | The unique identifier of a device. The identifier must not change across application sessions but stay fixed for an instance of a (mobile) device. On iOS, this value must be equal to the vendor identifier (https://developer.apple.com/documentation/uikit/uidevice/1620059-identifierforvendor). On Android, this value must be equal to the Firebase Installation ID or a globally unique UUID which is persisted across sessions in your application. For GDPR and data protection law reasons this identifier should not carry information that would allow to identify a user. | keyword | | dns.question.name | The name being queried. If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. | keyword | | dns.question.registered_domain | The highest registered domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | | dns.question.subdomain | The subdomain is all of the labels under the registered_domain. If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | diff --git a/packages/crowdstrike/manifest.yml b/packages/crowdstrike/manifest.yml index bdc2c01d386..1a056eeec20 100644 --- a/packages/crowdstrike/manifest.yml 
+++ b/packages/crowdstrike/manifest.yml @@ -1,6 +1,6 @@ name: crowdstrike title: CrowdStrike -version: "1.35.0" +version: "1.36.0" description: Collect logs from Crowdstrike with Elastic Agent. type: integration format_version: "3.0.3" From 3e97417b8d170483847608b0c392f54c73449c59 Mon Sep 17 00:00:00 2001 
From: Dan Kortschak Date: Wed, 12 Jun 2024 21:10:24 +0930 Subject: [PATCH 008/105] all: fix sample events to agree with ECS (#10136) * cisco_umbrella * forgerock * lumos * mattermost * microsoft_exchange_online_message_trace * pulse_connect_secure * sentinel_one * ti_cybersixgill * trend_micro_vision_one Also fix missed changelog entry link in crowdstrike package. --- packages/cisco_umbrella/changelog.yml | 5 + .../data_stream/log/sample_event.json | 24 +- packages/cisco_umbrella/docs/README.md | 24 +- packages/cisco_umbrella/manifest.yml | 2 +- packages/crowdstrike/changelog.yml | 2 +- packages/forgerock/changelog.yml | 5 + .../data_stream/am_access/sample_event.json | 22 +- .../data_stream/am_activity/sample_event.json | 18 +- .../am_authentication/sample_event.json | 22 +- .../data_stream/am_config/sample_event.json | 18 +- .../data_stream/am_core/sample_event.json | 18 +- .../data_stream/idm_access/sample_event.json | 22 +- .../idm_activity/sample_event.json | 18 +- .../idm_authentication/sample_event.json | 22 +- .../data_stream/idm_config/sample_event.json | 22 +- .../data_stream/idm_core/sample_event.json | 18 +- .../data_stream/idm_sync/sample_event.json | 18 +- packages/forgerock/docs/README.md | 207 +++++++++--------- packages/forgerock/manifest.yml | 2 +- packages/lumos/changelog.yml | 5 + .../activity_logs/sample_event.json | 32 +-- packages/lumos/docs/README.md | 32 +-- packages/lumos/manifest.yml | 2 +- packages/mattermost/changelog.yml | 5 + .../data_stream/audit/sample_event.json | 36 +-- packages/mattermost/docs/README.md | 35 ++- packages/mattermost/manifest.yml | 2 +- .../changelog.yml | 5 + .../data_stream/log/sample_event.json | 112 ++++------ .../docs/README.md | 111 ++++------ .../manifest.yml | 2 +- packages/pulse_connect_secure/changelog.yml | 5 + .../data_stream/log/sample_event.json | 22 +- packages/pulse_connect_secure/docs/README.md | 22 +- packages/pulse_connect_secure/manifest.yml | 2 +- packages/sentinel_one/changelog.yml | 5 + 
.../data_stream/activity/sample_event.json | 18 +- .../data_stream/agent/sample_event.json | 25 ++- .../data_stream/alert/sample_event.json | 22 +- .../data_stream/group/sample_event.json | 18 +- .../data_stream/threat/sample_event.json | 23 +- packages/sentinel_one/docs/README.md | 101 +++++---- packages/sentinel_one/manifest.yml | 2 +- packages/ti_cybersixgill/changelog.yml | 5 + .../data_stream/threat/sample_event.json | 20 +- packages/ti_cybersixgill/docs/README.md | 20 +- packages/ti_cybersixgill/manifest.yml | 2 +- packages/trend_micro_vision_one/changelog.yml | 5 + .../data_stream/alert/sample_event.json | 12 +- .../data_stream/audit/sample_event.json | 18 +- .../data_stream/detection/sample_event.json | 24 +- .../trend_micro_vision_one/docs/README.md | 52 ++--- packages/trend_micro_vision_one/manifest.yml | 2 +- 53 files changed, 667 insertions(+), 626 deletions(-) diff --git a/packages/cisco_umbrella/changelog.yml b/packages/cisco_umbrella/changelog.yml index 2fbcb807e82..330dc3bb1d1 100644 --- a/packages/cisco_umbrella/changelog.yml +++ b/packages/cisco_umbrella/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.24.1" + changes: + - description: Fix sample event. + type: bugfix + link: https://github.com/elastic/integrations/pull/10136 - version: "1.24.0" changes: - description: Make `event.category` field conform to ECS field definition. diff --git a/packages/cisco_umbrella/data_stream/log/sample_event.json b/packages/cisco_umbrella/data_stream/log/sample_event.json index d16a4e2d56c..af25e8bc88d 100644 --- a/packages/cisco_umbrella/data_stream/log/sample_event.json +++ b/packages/cisco_umbrella/data_stream/log/sample_event.json 
@@ -1,17 +1,17 @@ { "@timestamp": "2024-03-14T18:59:23.000Z", "agent": { - "ephemeral_id": "e35b09c8-23c2-496b-adf0-0328de4ea63d", - "id": "2c5ad0eb-f525-4944-8ec2-2cb048f1147d", + "ephemeral_id": "4b522414-3f7d-4cec-a7f7-7df2a87de0c9", + "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.12.0" + "version": "8.13.0" }, "aws": { "s3": { "bucket": { - "arn": "arn:aws:s3:::elastic-package-cisco-umbrella-bucket-33606", - "name": "elastic-package-cisco-umbrella-bucket-33606" + "arn": "arn:aws:s3:::elastic-package-cisco-umbrella-bucket-37380", + "name": "elastic-package-cisco-umbrella-bucket-37380" }, "object": { "key": "auditlogs.log" @@ -37,24 +37,26 @@ }, "data_stream": { "dataset": "cisco_umbrella.log", - "namespace": "ep", + "namespace": "27145", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "2c5ad0eb-f525-4944-8ec2-2cb048f1147d", + "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7", "snapshot": false, - "version": "8.12.0" + "version": "8.13.0" }, "event": { "action": "update", "agent_id_status": "verified", - "category": "configuration", + "category": [ + "configuration" + ], "dataset": "cisco_umbrella.log", "id": "1757843536", - "ingested": "2024-04-12T02:04:00Z", + "ingested": "2024-06-12T03:03:50Z", "kind": "event", "original": "\"1757843536\",\"2024-03-14 18:59:23\",\"admin@company.com\",\"Administrator\",\"logexportconfigurations\",\"update\",\"81.2.69.144\",\"\",\"includeAuditLog: 1\n\"", "type": [ @@ -66,7 +68,7 @@ }, "log": { "file": { - "path": "https://elastic-package-cisco-umbrella-bucket-33606.s3.us-east-1.amazonaws.com/auditlogs.log" + "path": "https://elastic-package-cisco-umbrella-bucket-37380.s3.us-east-1.amazonaws.com/auditlogs.log" }, "offset": 529 }, diff --git a/packages/cisco_umbrella/docs/README.md b/packages/cisco_umbrella/docs/README.md index 79e05a75241..11f5de9a4a4 100644 --- a/packages/cisco_umbrella/docs/README.md 
+++ b/packages/cisco_umbrella/docs/README.md @@ -19,17 +19,17 @@ An example event for `log` looks as following: { "@timestamp": "2024-03-14T18:59:23.000Z", "agent": { - "ephemeral_id": "e35b09c8-23c2-496b-adf0-0328de4ea63d", - "id": "2c5ad0eb-f525-4944-8ec2-2cb048f1147d", + "ephemeral_id": "4b522414-3f7d-4cec-a7f7-7df2a87de0c9", + "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.12.0" + "version": "8.13.0" }, "aws": { "s3": { "bucket": { - "arn": "arn:aws:s3:::elastic-package-cisco-umbrella-bucket-33606", - "name": "elastic-package-cisco-umbrella-bucket-33606" + "arn": "arn:aws:s3:::elastic-package-cisco-umbrella-bucket-37380", + "name": "elastic-package-cisco-umbrella-bucket-37380" }, "object": { "key": "auditlogs.log" @@ -55,24 +55,26 @@ An example event for `log` looks as following: }, "data_stream": { "dataset": "cisco_umbrella.log", - "namespace": "ep", + "namespace": "27145", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "2c5ad0eb-f525-4944-8ec2-2cb048f1147d", + "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7", "snapshot": false, - "version": "8.12.0" + "version": "8.13.0" }, "event": { "action": "update", "agent_id_status": "verified", - "category": "configuration", + "category": [ + "configuration" + ], "dataset": "cisco_umbrella.log", "id": "1757843536", - "ingested": "2024-04-12T02:04:00Z", + "ingested": "2024-06-12T03:03:50Z", "kind": "event", "original": "\"1757843536\",\"2024-03-14 18:59:23\",\"admin@company.com\",\"Administrator\",\"logexportconfigurations\",\"update\",\"81.2.69.144\",\"\",\"includeAuditLog: 1\n\"", "type": [ @@ -84,7 +86,7 @@ An example event for `log` looks as following: }, "log": { "file": { - "path": "https://elastic-package-cisco-umbrella-bucket-33606.s3.us-east-1.amazonaws.com/auditlogs.log" + "path": "https://elastic-package-cisco-umbrella-bucket-37380.s3.us-east-1.amazonaws.com/auditlogs.log" }, "offset": 529 }, 
diff --git a/packages/cisco_umbrella/manifest.yml b/packages/cisco_umbrella/manifest.yml index 24734845cb2..d58aa633c5c 100644 --- a/packages/cisco_umbrella/manifest.yml +++ b/packages/cisco_umbrella/manifest.yml @@ -1,7 +1,7 @@ format_version: "3.0.2" name: cisco_umbrella title: Cisco Umbrella -version: "1.24.0" +version: "1.24.1" description: Collect logs from Cisco Umbrella with Elastic Agent. type: integration categories: diff --git a/packages/crowdstrike/changelog.yml b/packages/crowdstrike/changelog.yml index 77f1a894f74..496c6041ef3 100644 --- a/packages/crowdstrike/changelog.yml +++ b/packages/crowdstrike/changelog.yml @@ -68,7 +68,7 @@ changes: - description: Fix drive letter parsing. type: bugfix - link: https://github.com/elastic/integrations/pull/1 + link: https://github.com/elastic/integrations/pull/9119 - version: "1.28.2" changes: - description: Add missing type mapping for host fields. diff --git a/packages/forgerock/changelog.yml b/packages/forgerock/changelog.yml index 07f7dda044e..1758e86058a 100644 --- a/packages/forgerock/changelog.yml +++ b/packages/forgerock/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.17.1" + changes: + - description: Fix sample event. + type: bugfix + link: https://github.com/elastic/integrations/pull/10136 - version: "1.17.0" changes: - description: Make `event.type` and `event.category` fields conform to ECS field definition. diff --git a/packages/forgerock/data_stream/am_access/sample_event.json b/packages/forgerock/data_stream/am_access/sample_event.json index cc5ba673ab5..50e1fa24b5f 100644 --- a/packages/forgerock/data_stream/am_access/sample_event.json +++ b/packages/forgerock/data_stream/am_access/sample_event.json 
@@ -1,33 +1,35 @@ { "@timestamp": "2022-11-06T18:16:43.813Z", "agent": { - "ephemeral_id": "d7b5cd10-b6c7-4ab2-8d07-043fb6d42e2b", - "id": "5607d6f4-6e45-4c33-a087-2e07de5f0082", + "ephemeral_id": "82b02cc6-7222-4ccc-b7f4-4c1c55315484", + "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.9.1" + "version": "8.13.0" }, "data_stream": { "dataset": "forgerock.am_access", - "namespace": "ep", + "namespace": "51919", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "5607d6f4-6e45-4c33-a087-2e07de5f0082", + "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7", "snapshot": false, - "version": "8.9.1" + "version": "8.13.0" }, "event": { "action": "AM-SESSION-IDLE_TIMED_OUT", "agent_id_status": "verified", - "created": "2023-08-29T18:23:25.132Z", + "created": "2024-06-12T03:05:10.979Z", "dataset": "forgerock.am_access", "id": "688b24d9-968e-4a20-b471-9bd78f1e46ec-79599", - "ingested": "2023-08-29T18:23:28Z", - "type": "access" + "ingested": "2024-06-12T03:05:14Z", + "type": [ + "access" + ] }, "forgerock": { "eventName": "AM-SESSION-IDLE_TIMED_OUT", @@ -60,4 +62,4 @@ "user": { "id": "id=d7cd65bf-743c-4753-a78f-a20daae7e3bf,ou=user,ou=am-config" } -} +} \ No newline at end of file diff --git a/packages/forgerock/data_stream/am_activity/sample_event.json b/packages/forgerock/data_stream/am_activity/sample_event.json index 4011ed116bb..d7cc3dcf77c 100644 --- a/packages/forgerock/data_stream/am_activity/sample_event.json +++ b/packages/forgerock/data_stream/am_activity/sample_event.json 
@@ -1,32 +1,32 @@ { "@timestamp": "2022-10-05T20:55:59.966Z", "agent": { - "ephemeral_id": "6af93045-8737-4c3a-87a6-6b24d24d94c3", - "id": "5607d6f4-6e45-4c33-a087-2e07de5f0082", + "ephemeral_id": "9db3f780-4230-43f5-832f-203266705932", + "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.9.1" + "version": "8.13.0" }, "data_stream": { "dataset": "forgerock.am_activity", - "namespace": "ep", + "namespace": "71478", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "5607d6f4-6e45-4c33-a087-2e07de5f0082", + "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7", "snapshot": false, - "version": "8.9.1" + "version": "8.13.0" }, "event": { "action": "AM-SESSION-CREATED", "agent_id_status": "verified", - "created": "2023-08-29T18:24:18.086Z", + "created": "2024-06-12T03:05:53.025Z", "dataset": "forgerock.am_activity", "id": "45463f84-ff1b-499f-aa84-8d4bd93150de-438366", - "ingested": "2023-08-29T18:24:21Z", + "ingested": "2024-06-12T03:05:57Z", "reason": "CREATE" }, "forgerock": { @@ -62,4 +62,4 @@ }, "id": "id=d7cd65bf-743c-4753-a78f-a20daae7e3bf,ou=user,ou=am-config" } -} +} \ No newline at end of file diff --git a/packages/forgerock/data_stream/am_authentication/sample_event.json b/packages/forgerock/data_stream/am_authentication/sample_event.json index cc0d7bc39f8..191ac31fe01 100644 --- a/packages/forgerock/data_stream/am_authentication/sample_event.json +++ b/packages/forgerock/data_stream/am_authentication/sample_event.json 
@@ -1,33 +1,35 @@ { "@timestamp": "2022-10-05T18:21:48.253Z", "agent": { - "ephemeral_id": "3a49e2d0-3cf1-4a2f-8f79-88f5bcc4f5bb", - "id": "5607d6f4-6e45-4c33-a087-2e07de5f0082", + "ephemeral_id": "2ffe10cc-935a-4457-869f-95b732cb0c8b", + "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.9.1" + "version": "8.13.0" }, "data_stream": { "dataset": "forgerock.am_authentication", - "namespace": "ep", + "namespace": "88343", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "5607d6f4-6e45-4c33-a087-2e07de5f0082", + "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7", "snapshot": false, - "version": "8.9.1" + "version": "8.13.0" }, "event": { "action": "AM-LOGIN-COMPLETED", "agent_id_status": "verified", - "category": "authentication", - "created": "2023-08-29T18:25:11.183Z", + "category": [ + "authentication" + ], + "created": "2024-06-12T03:06:40.162Z", "dataset": "forgerock.am_authentication", "id": "45463f84-ff1b-499f-aa84-8d4bd93150de-256208", - "ingested": "2023-08-29T18:25:14Z", + "ingested": "2024-06-12T03:06:44Z", "outcome": "success" }, "forgerock": { @@ -74,4 +76,4 @@ "user": { "id": "id=autoid-resource-server,ou=agent,ou=am-config" } -} +} \ No newline at end of file diff --git a/packages/forgerock/data_stream/am_config/sample_event.json b/packages/forgerock/data_stream/am_config/sample_event.json index e0d90d3e3dd..123335c8868 100644 --- a/packages/forgerock/data_stream/am_config/sample_event.json +++ b/packages/forgerock/data_stream/am_config/sample_event.json 
@@ -1,24 +1,24 @@ { "@timestamp": "2022-09-20T14:40:10.664Z", "agent": { - "ephemeral_id": "8b20ca54-fc63-4851-8782-615436bf1368", - "id": "5607d6f4-6e45-4c33-a087-2e07de5f0082", + "ephemeral_id": "4afe06fa-469e-40e2-babb-b30baf137536", + "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.9.1" + "version": "8.13.0" }, "data_stream": { "dataset": "forgerock.am_config", - "namespace": "ep", + "namespace": "65246", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "5607d6f4-6e45-4c33-a087-2e07de5f0082", + "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7", "snapshot": false, - "version": "8.9.1" + "version": "8.13.0" }, "event": { "action": "AM-CONFIG-CHANGE", @@ -26,10 +26,10 @@ "category": [ "configuration" ], - "created": "2023-08-29T18:26:03.247Z", + "created": "2024-06-12T03:07:28.334Z", "dataset": "forgerock.am_config", "id": "4e8550cd-71d6-4a08-b5b0-bb63bcbbc960-20605", - "ingested": "2023-08-29T18:26:06Z" + "ingested": "2024-06-12T03:07:31Z" }, "forgerock": { "level": "INFO", @@ -62,4 +62,4 @@ }, "id": "id=d7cd65bf-743c-4753-a78f-a20daae7e3bf,ou=user,ou=am-config" } -} +} \ No newline at end of file diff --git a/packages/forgerock/data_stream/am_core/sample_event.json b/packages/forgerock/data_stream/am_core/sample_event.json index 3303ae9e762..509234d9575 100644 --- a/packages/forgerock/data_stream/am_core/sample_event.json +++ b/packages/forgerock/data_stream/am_core/sample_event.json 
@@ -1,30 +1,30 @@ { "@timestamp": "2022-12-05T19:29:20.845Z", "agent": { - "ephemeral_id": "a4c66cb1-05e2-4a3c-bf9f-b1ba82d619a3", - "id": "5607d6f4-6e45-4c33-a087-2e07de5f0082", + "ephemeral_id": "b802141d-9281-4caa-bb31-d5561f968ee5", + "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.9.1" + "version": "8.13.0" }, "data_stream": { "dataset": "forgerock.am_core", - "namespace": "ep", + "namespace": "90018", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "5607d6f4-6e45-4c33-a087-2e07de5f0082", + "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7", "snapshot": false, - "version": "8.9.1" + "version": "8.13.0" }, "event": { "agent_id_status": "verified", - "created": "2023-08-29T18:26:55.131Z", + "created": "2024-06-12T03:08:15.631Z", "dataset": "forgerock.am_core", - "ingested": "2023-08-29T18:26:58Z", + "ingested": "2024-06-12T03:08:19Z", "reason": "Connection attempt failed: availableConnections=0, maxPoolSize=10" }, "forgerock": { @@ -48,4 +48,4 @@ "forgerock-debug", "forgerock-am-core" ] -} +} \ No newline at end of file diff --git a/packages/forgerock/data_stream/idm_access/sample_event.json b/packages/forgerock/data_stream/idm_access/sample_event.json index 2425f14febd..96191ed55e2 100644 --- a/packages/forgerock/data_stream/idm_access/sample_event.json +++ b/packages/forgerock/data_stream/idm_access/sample_event.json @@ -1,11 +1,11 @@ { "@timestamp": "2022-11-01T15:04:50.110Z", "agent": { - "ephemeral_id": "21bbe733-0623-4805-af6d-e7cb05b45003", - "id": "5607d6f4-6e45-4c33-a087-2e07de5f0082", + "ephemeral_id": "1c6538cf-fe70-498c-8919-a60c26ffcfac", + "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.9.1" + "version": "8.13.0" }, "client": { "ip": "216.160.83.56", 
@@ -13,26 +13,28 @@ }, "data_stream": { "dataset": "forgerock.idm_access", - "namespace": "ep", + "namespace": "61539", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "5607d6f4-6e45-4c33-a087-2e07de5f0082", + "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7", "snapshot": false, - "version": "8.9.1" + "version": "8.13.0" }, "event": { "agent_id_status": "verified", - "created": "2023-08-29T18:27:48.240Z", + "created": "2024-06-12T03:09:02.660Z", "dataset": "forgerock.idm_access", "duration": 2000000, "id": "a9a32d9e-7029-45e6-b581-eafb5d502273-49025", - "ingested": "2023-08-29T18:27:51Z", + "ingested": "2024-06-12T03:09:14Z", "outcome": "success", - "type": "access" + "type": [ + "access" + ] }, "forgerock": { "eventName": "access", @@ -91,4 +93,4 @@ "user": { "id": "anonymous" } -} +} \ No newline at end of file diff --git a/packages/forgerock/data_stream/idm_activity/sample_event.json b/packages/forgerock/data_stream/idm_activity/sample_event.json index 4c18178a67e..2fa07a9a206 100644 --- a/packages/forgerock/data_stream/idm_activity/sample_event.json +++ b/packages/forgerock/data_stream/idm_activity/sample_event.json 
@@ -1,31 +1,31 @@ { "@timestamp": "2022-11-01T18:02:39.882Z", "agent": { - "ephemeral_id": "353ff5a3-0662-4599-99a0-3cff15bab6d7", - "id": "5607d6f4-6e45-4c33-a087-2e07de5f0082", + "ephemeral_id": "18f29cf6-4b37-4c4d-8d49-91bf8719e14c", + "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.9.1" + "version": "8.13.0" }, "data_stream": { "dataset": "forgerock.idm_activity", - "namespace": "ep", + "namespace": "89179", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "5607d6f4-6e45-4c33-a087-2e07de5f0082", + "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7", "snapshot": false, - "version": "8.9.1" + "version": "8.13.0" }, "event": { "agent_id_status": "verified", - "created": "2023-08-29T18:28:40.611Z", + "created": "2024-06-12T03:09:56.979Z", "dataset": "forgerock.idm_activity", "id": "a9a32d9e-7029-45e6-b581-eafb5d502273-268906", - "ingested": "2023-08-29T18:28:43Z", + "ingested": "2024-06-12T03:10:08Z", "outcome": "success" }, "forgerock": { @@ -59,4 +59,4 @@ }, "id": "9120c7db-d7e6-4b51-b805-07bbee7a4bb9" } -} +} \ No newline at end of file diff --git a/packages/forgerock/data_stream/idm_authentication/sample_event.json b/packages/forgerock/data_stream/idm_authentication/sample_event.json index 2c60c9b590a..08bfce1a6d9 100644 --- a/packages/forgerock/data_stream/idm_authentication/sample_event.json +++ b/packages/forgerock/data_stream/idm_authentication/sample_event.json 
@@ -1,32 +1,34 @@ { "@timestamp": "2022-10-05T18:21:48.253Z", "agent": { - "ephemeral_id": "c42575e9-a330-406b-a3b5-04edf383bb2e", - "id": "5607d6f4-6e45-4c33-a087-2e07de5f0082", + "ephemeral_id": "a585941c-cf1b-4f9e-ab31-9f02ad2f3a8d", + "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.9.1" + "version": "8.13.0" }, "data_stream": { "dataset": "forgerock.idm_authentication", - "namespace": "ep", + "namespace": "54220", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "5607d6f4-6e45-4c33-a087-2e07de5f0082", + "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7", "snapshot": false, - "version": "8.9.1" + "version": "8.13.0" }, "event": { "agent_id_status": "verified", - "category": "authentication", - "created": "2023-08-29T18:29:35.619Z", + "category": [ + "authentication" + ], + "created": "2024-06-12T03:10:55.079Z", "dataset": "forgerock.idm_authentication", "id": "45463f84-ff1b-499f-aa84-8d4bd93150de-256208", - "ingested": "2023-08-29T18:29:38Z", + "ingested": "2024-06-12T03:11:07Z", "outcome": "success" }, "forgerock": { @@ -70,4 +72,4 @@ "user": { "id": "id=user" } -} +} \ No newline at end of file diff --git a/packages/forgerock/data_stream/idm_config/sample_event.json b/packages/forgerock/data_stream/idm_config/sample_event.json index 8f35430cdaf..fe4dd755abd 100644 --- a/packages/forgerock/data_stream/idm_config/sample_event.json +++ b/packages/forgerock/data_stream/idm_config/sample_event.json 
@@ -1,32 +1,34 @@ { "@timestamp": "2022-10-19T16:12:12.549Z", "agent": { - "ephemeral_id": "e0c45592-0c85-42cf-a413-86e1a9ea0fba", - "id": "5607d6f4-6e45-4c33-a087-2e07de5f0082", + "ephemeral_id": "fb37ec3d-49b8-4a56-8540-f9bf8f749477", + "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.9.1" + "version": "8.13.0" }, "data_stream": { "dataset": "forgerock.idm_config", - "namespace": "ep", + "namespace": "74292", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "5607d6f4-6e45-4c33-a087-2e07de5f0082", + "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7", "snapshot": false, - "version": "8.9.1" + "version": "8.13.0" }, "event": { "agent_id_status": "verified", - "category": "configuration", - "created": "2023-08-29T18:30:25.437Z", + "category": [ + "configuration" + ], + "created": "2024-06-12T03:11:48.197Z", "dataset": "forgerock.idm_config", "id": "5e787c05-c32f-40d3-9e77-666376f6738f-134332", - "ingested": "2023-08-29T18:30:28Z" + "ingested": "2024-06-12T03:12:00Z" }, "forgerock": { "changedFields": [ @@ -58,4 +60,4 @@ }, "id": "d7cd65bf-743c-4753-a78f-a20daae7e3bf" } -} +} \ No newline at end of file diff --git a/packages/forgerock/data_stream/idm_core/sample_event.json b/packages/forgerock/data_stream/idm_core/sample_event.json index 91915ef5716..76b693605bd 100644 --- a/packages/forgerock/data_stream/idm_core/sample_event.json +++ b/packages/forgerock/data_stream/idm_core/sample_event.json 
@@ -1,30 +1,30 @@ { "@timestamp": "2022-12-05T20:01:34.448Z", "agent": { - "ephemeral_id": "6afff7c3-5136-4b5c-bd1e-41176dfda962", - "id": "5607d6f4-6e45-4c33-a087-2e07de5f0082", + "ephemeral_id": "0ecd4e49-8926-4644-a9ac-e464dcb4f31c", + "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.9.1" + "version": "8.13.0" }, "data_stream": { "dataset": "forgerock.idm_core", - "namespace": "ep", + "namespace": "52603", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "5607d6f4-6e45-4c33-a087-2e07de5f0082", + "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7", "snapshot": false, - "version": "8.9.1" + "version": "8.13.0" }, "event": { "agent_id_status": "verified", - "created": "2023-08-29T18:31:16.370Z", + "created": "2024-06-12T03:12:40.380Z", "dataset": "forgerock.idm_core", - "ingested": "2023-08-29T18:31:19Z", + "ingested": "2024-06-12T03:12:52Z", "reason": "Dec 05, 2022 8:01:34 PM org.forgerock.openidm.internal.InternalObjectSet readInstance" }, "input": { @@ -38,4 +38,4 @@ "forgerock-debug", "forgerock-idm-core" ] -} +} \ No newline at end of file diff --git a/packages/forgerock/data_stream/idm_sync/sample_event.json b/packages/forgerock/data_stream/idm_sync/sample_event.json index 9b130c6e651..9c0e1a04a56 100644 --- a/packages/forgerock/data_stream/idm_sync/sample_event.json +++ b/packages/forgerock/data_stream/idm_sync/sample_event.json 
@@ -1,31 +1,31 @@ { "@timestamp": "2022-10-19T16:09:17.900Z", "agent": { - "ephemeral_id": "de52dbc7-9ccf-4400-8b31-2299929a4a11", - "id": "5607d6f4-6e45-4c33-a087-2e07de5f0082", + "ephemeral_id": "9597c9be-7da7-4082-890f-94632a9bdfed", + "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.9.1" + "version": "8.13.0" }, "data_stream": { "dataset": "forgerock.idm_sync", - "namespace": "ep", + "namespace": "29113", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "5607d6f4-6e45-4c33-a087-2e07de5f0082", + "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7", "snapshot": false, - "version": "8.9.1" + "version": "8.13.0" }, "event": { "agent_id_status": "verified", - "created": "2023-08-29T18:32:10.406Z", + "created": "2024-06-12T03:13:33.362Z", "dataset": "forgerock.idm_sync", "id": "5e787c05-c32f-40d3-9e77-666376f6738f-130280", - "ingested": "2023-08-29T18:32:13Z", + "ingested": "2024-06-12T03:13:45Z", "outcome": "success" }, "forgerock": { @@ -56,4 +56,4 @@ "user": { "id": "d7cd65bf-743c-4753-a78f-a20daae7e3bf" } -} +} \ No newline at end of file diff --git a/packages/forgerock/docs/README.md b/packages/forgerock/docs/README.md index f99fdfb71a1..a38ec8d2116 100644 --- a/packages/forgerock/docs/README.md +++ b/packages/forgerock/docs/README.md 
@@ -18,33 +18,35 @@ An example event for `am_access` looks as following: { "@timestamp": "2022-11-06T18:16:43.813Z", "agent": { - "ephemeral_id": "d7b5cd10-b6c7-4ab2-8d07-043fb6d42e2b", - "id": "5607d6f4-6e45-4c33-a087-2e07de5f0082", + "ephemeral_id": "82b02cc6-7222-4ccc-b7f4-4c1c55315484", + "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.9.1" + "version": "8.13.0" }, "data_stream": { "dataset": "forgerock.am_access", - "namespace": "ep", + "namespace": "51919", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "5607d6f4-6e45-4c33-a087-2e07de5f0082", + "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7", "snapshot": false, - "version": "8.9.1" + "version": "8.13.0" }, "event": { "action": "AM-SESSION-IDLE_TIMED_OUT", "agent_id_status": "verified", - "created": "2023-08-29T18:23:25.132Z", + "created": "2024-06-12T03:05:10.979Z", "dataset": "forgerock.am_access", "id": "688b24d9-968e-4a20-b471-9bd78f1e46ec-79599", - "ingested": "2023-08-29T18:23:28Z", - "type": "access" + "ingested": "2024-06-12T03:05:14Z", + "type": [ + "access" + ] }, "forgerock": { "eventName": "AM-SESSION-IDLE_TIMED_OUT", @@ -78,7 +80,6 @@ An example event for `am_access` looks as following: "id": "id=d7cd65bf-743c-4753-a78f-a20daae7e3bf,ou=user,ou=am-config" } } - ``` **Exported fields** 
@@ -162,32 +163,32 @@ An example event for `am_activity` looks as following: { "@timestamp": "2022-10-05T20:55:59.966Z", "agent": { - "ephemeral_id": "6af93045-8737-4c3a-87a6-6b24d24d94c3", - "id": "5607d6f4-6e45-4c33-a087-2e07de5f0082", + "ephemeral_id": "9db3f780-4230-43f5-832f-203266705932", + "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.9.1" + "version": "8.13.0" }, "data_stream": { "dataset": "forgerock.am_activity", - "namespace": "ep", + "namespace": "71478", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "5607d6f4-6e45-4c33-a087-2e07de5f0082", + "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7", "snapshot": false, - "version": "8.9.1" + "version": "8.13.0" }, "event": { "action": "AM-SESSION-CREATED", "agent_id_status": "verified", - "created": "2023-08-29T18:24:18.086Z", + "created": "2024-06-12T03:05:53.025Z", "dataset": "forgerock.am_activity", "id": "45463f84-ff1b-499f-aa84-8d4bd93150de-438366", - "ingested": "2023-08-29T18:24:21Z", + "ingested": "2024-06-12T03:05:57Z", "reason": "CREATE" }, "forgerock": { @@ -224,7 +225,6 @@ An example event for `am_activity` looks as following: "id": "id=d7cd65bf-743c-4753-a78f-a20daae7e3bf,ou=user,ou=am-config" } } - ``` **Exported fields** 
@@ -270,33 +270,35 @@ An example event for `am_authentication` looks as following: { "@timestamp": "2022-10-05T18:21:48.253Z", "agent": { - "ephemeral_id": "3a49e2d0-3cf1-4a2f-8f79-88f5bcc4f5bb", - "id": "5607d6f4-6e45-4c33-a087-2e07de5f0082", + "ephemeral_id": "2ffe10cc-935a-4457-869f-95b732cb0c8b", + "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.9.1" + "version": "8.13.0" }, "data_stream": { "dataset": "forgerock.am_authentication", - "namespace": "ep", + "namespace": "88343", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "5607d6f4-6e45-4c33-a087-2e07de5f0082", + "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7", "snapshot": false, - "version": "8.9.1" + "version": "8.13.0" }, "event": { "action": "AM-LOGIN-COMPLETED", "agent_id_status": "verified", - "category": "authentication", - "created": "2023-08-29T18:25:11.183Z", + "category": [ + "authentication" + ], + "created": "2024-06-12T03:06:40.162Z", "dataset": "forgerock.am_authentication", "id": "45463f84-ff1b-499f-aa84-8d4bd93150de-256208", - "ingested": "2023-08-29T18:25:14Z", + "ingested": "2024-06-12T03:06:44Z", "outcome": "success" }, "forgerock": { @@ -344,7 +346,6 @@ An example event for `am_authentication` looks as following: "id": "id=autoid-resource-server,ou=agent,ou=am-config" } } - ``` **Exported fields** 
@@ -386,24 +387,24 @@ An example event for `am_config` looks as following: { "@timestamp": "2022-09-20T14:40:10.664Z", "agent": { - "ephemeral_id": "8b20ca54-fc63-4851-8782-615436bf1368", - "id": "5607d6f4-6e45-4c33-a087-2e07de5f0082", + "ephemeral_id": "4afe06fa-469e-40e2-babb-b30baf137536", + "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.9.1" + "version": "8.13.0" }, "data_stream": { "dataset": "forgerock.am_config", - "namespace": "ep", + "namespace": "65246", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "5607d6f4-6e45-4c33-a087-2e07de5f0082", + "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7", "snapshot": false, - "version": "8.9.1" + "version": "8.13.0" }, "event": { "action": "AM-CONFIG-CHANGE", @@ -411,10 +412,10 @@ An example event for `am_config` looks as following: "category": [ "configuration" ], - "created": "2023-08-29T18:26:03.247Z", + "created": "2024-06-12T03:07:28.334Z", "dataset": "forgerock.am_config", "id": "4e8550cd-71d6-4a08-b5b0-bb63bcbbc960-20605", - "ingested": "2023-08-29T18:26:06Z" + "ingested": "2024-06-12T03:07:31Z" }, "forgerock": { "level": "INFO", @@ -448,7 +449,6 @@ An example event for `am_config` looks as following: "id": "id=d7cd65bf-743c-4753-a78f-a20daae7e3bf,ou=user,ou=am-config" } } - ``` **Exported fields** 
@@ -492,30 +492,30 @@ An example event for `am_core` looks as following: { "@timestamp": "2022-12-05T19:29:20.845Z", "agent": { - "ephemeral_id": "a4c66cb1-05e2-4a3c-bf9f-b1ba82d619a3", - "id": "5607d6f4-6e45-4c33-a087-2e07de5f0082", + "ephemeral_id": "b802141d-9281-4caa-bb31-d5561f968ee5", + "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.9.1" + "version": "8.13.0" }, "data_stream": { "dataset": "forgerock.am_core", - "namespace": "ep", + "namespace": "90018", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "5607d6f4-6e45-4c33-a087-2e07de5f0082", + "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7", "snapshot": false, - "version": "8.9.1" + "version": "8.13.0" }, "event": { "agent_id_status": "verified", - "created": "2023-08-29T18:26:55.131Z", + "created": "2024-06-12T03:08:15.631Z", "dataset": "forgerock.am_core", - "ingested": "2023-08-29T18:26:58Z", + "ingested": "2024-06-12T03:08:19Z", "reason": "Connection attempt failed: availableConnections=0, maxPoolSize=10" }, "forgerock": { @@ -540,7 +540,6 @@ An example event for `am_core` looks as following: "forgerock-am-core" ] } - ``` **Exported fields** @@ -578,11 +577,11 @@ An example event for `idm_access` looks as following: { "@timestamp": "2022-11-01T15:04:50.110Z", "agent": { - "ephemeral_id": "21bbe733-0623-4805-af6d-e7cb05b45003", - "id": "5607d6f4-6e45-4c33-a087-2e07de5f0082", + "ephemeral_id": "1c6538cf-fe70-498c-8919-a60c26ffcfac", + "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.9.1" + "version": "8.13.0" }, "client": { "ip": "216.160.83.56", 
@@ -590,26 +589,28 @@ An example event for `idm_access` looks as following: }, "data_stream": { "dataset": "forgerock.idm_access", - "namespace": "ep", + "namespace": "61539", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "5607d6f4-6e45-4c33-a087-2e07de5f0082", + "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7", "snapshot": false, - "version": "8.9.1" + "version": "8.13.0" }, "event": { "agent_id_status": "verified", - "created": "2023-08-29T18:27:48.240Z", + "created": "2024-06-12T03:09:02.660Z", "dataset": "forgerock.idm_access", "duration": 2000000, "id": "a9a32d9e-7029-45e6-b581-eafb5d502273-49025", - "ingested": "2023-08-29T18:27:51Z", + "ingested": "2024-06-12T03:09:14Z", "outcome": "success", - "type": "access" + "type": [ + "access" + ] }, "forgerock": { "eventName": "access", @@ -669,7 +670,6 @@ An example event for `idm_access` looks as following: "id": "anonymous" } } - ``` **Exported fields** 
@@ -718,31 +718,31 @@ An example event for `idm_activity` looks as following: { "@timestamp": "2022-11-01T18:02:39.882Z", "agent": { - "ephemeral_id": "353ff5a3-0662-4599-99a0-3cff15bab6d7", - "id": "5607d6f4-6e45-4c33-a087-2e07de5f0082", + "ephemeral_id": "18f29cf6-4b37-4c4d-8d49-91bf8719e14c", + "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.9.1" + "version": "8.13.0" }, "data_stream": { "dataset": "forgerock.idm_activity", - "namespace": "ep", + "namespace": "89179", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "5607d6f4-6e45-4c33-a087-2e07de5f0082", + "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7", "snapshot": false, - "version": "8.9.1" + "version": "8.13.0" }, "event": { "agent_id_status": "verified", - "created": "2023-08-29T18:28:40.611Z", + "created": "2024-06-12T03:09:56.979Z", "dataset": "forgerock.idm_activity", "id": "a9a32d9e-7029-45e6-b581-eafb5d502273-268906", - "ingested": "2023-08-29T18:28:43Z", + "ingested": "2024-06-12T03:10:08Z", "outcome": "success" }, "forgerock": { @@ -777,7 +777,6 @@ An example event for `idm_activity` looks as following: "id": "9120c7db-d7e6-4b51-b805-07bbee7a4bb9" } } - ``` **Exported fields** 
@@ -819,32 +818,34 @@ An example event for `idm_authentication` looks as following: { "@timestamp": "2022-10-05T18:21:48.253Z", "agent": { - "ephemeral_id": "c42575e9-a330-406b-a3b5-04edf383bb2e", - "id": "5607d6f4-6e45-4c33-a087-2e07de5f0082", + "ephemeral_id": "a585941c-cf1b-4f9e-ab31-9f02ad2f3a8d", + "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.9.1" + "version": "8.13.0" }, "data_stream": { "dataset": "forgerock.idm_authentication", - "namespace": "ep", + "namespace": "54220", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "5607d6f4-6e45-4c33-a087-2e07de5f0082", + "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7", "snapshot": false, - "version": "8.9.1" + "version": "8.13.0" }, "event": { "agent_id_status": "verified", - "category": "authentication", - "created": "2023-08-29T18:29:35.619Z", + "category": [ + "authentication" + ], + "created": "2024-06-12T03:10:55.079Z", "dataset": "forgerock.idm_authentication", "id": "45463f84-ff1b-499f-aa84-8d4bd93150de-256208", - "ingested": "2023-08-29T18:29:38Z", + "ingested": "2024-06-12T03:11:07Z", "outcome": "success" }, "forgerock": { @@ -889,7 +890,6 @@ An example event for `idm_authentication` looks as following: "id": "id=user" } } - ``` **Exported fields** 
@@ -929,32 +929,34 @@ An example event for `idm_config` looks as following: { "@timestamp": "2022-10-19T16:12:12.549Z", "agent": { - "ephemeral_id": "e0c45592-0c85-42cf-a413-86e1a9ea0fba", - "id": "5607d6f4-6e45-4c33-a087-2e07de5f0082", + "ephemeral_id": "fb37ec3d-49b8-4a56-8540-f9bf8f749477", + "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.9.1" + "version": "8.13.0" }, "data_stream": { "dataset": "forgerock.idm_config", - "namespace": "ep", + "namespace": "74292", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "5607d6f4-6e45-4c33-a087-2e07de5f0082", + "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7", "snapshot": false, - "version": "8.9.1" + "version": "8.13.0" }, "event": { "agent_id_status": "verified", - "category": "configuration", - "created": "2023-08-29T18:30:25.437Z", + "category": [ + "configuration" + ], + "created": "2024-06-12T03:11:48.197Z", "dataset": "forgerock.idm_config", "id": "5e787c05-c32f-40d3-9e77-666376f6738f-134332", - "ingested": "2023-08-29T18:30:28Z" + "ingested": "2024-06-12T03:12:00Z" }, "forgerock": { "changedFields": [ @@ -987,7 +989,6 @@ An example event for `idm_config` looks as following: "id": "d7cd65bf-743c-4753-a78f-a20daae7e3bf" } } - ``` **Exported fields** 
@@ -1026,30 +1027,30 @@ An example event for `idm_core` looks as following: { "@timestamp": "2022-12-05T20:01:34.448Z", "agent": { - "ephemeral_id": "6afff7c3-5136-4b5c-bd1e-41176dfda962", - "id": "5607d6f4-6e45-4c33-a087-2e07de5f0082", + "ephemeral_id": "0ecd4e49-8926-4644-a9ac-e464dcb4f31c", + "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.9.1" + "version": "8.13.0" }, "data_stream": { "dataset": "forgerock.idm_core", - "namespace": "ep", + "namespace": "52603", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "5607d6f4-6e45-4c33-a087-2e07de5f0082", + "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7", "snapshot": false, - "version": "8.9.1" + "version": "8.13.0" }, "event": { "agent_id_status": "verified", - "created": "2023-08-29T18:31:16.370Z", + "created": "2024-06-12T03:12:40.380Z", "dataset": "forgerock.idm_core", - "ingested": "2023-08-29T18:31:19Z", + "ingested": "2024-06-12T03:12:52Z", "reason": "Dec 05, 2022 8:01:34 PM org.forgerock.openidm.internal.InternalObjectSet readInstance" }, "input": { @@ -1064,7 +1065,6 @@ An example event for `idm_core` looks as following: "forgerock-idm-core" ] } - ``` **Exported fields** 
@@ -1093,31 +1093,31 @@ An example event for `idm_sync` looks as following: { "@timestamp": "2022-10-19T16:09:17.900Z", "agent": { - "ephemeral_id": "de52dbc7-9ccf-4400-8b31-2299929a4a11", - "id": "5607d6f4-6e45-4c33-a087-2e07de5f0082", + "ephemeral_id": "9597c9be-7da7-4082-890f-94632a9bdfed", + "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.9.1" + "version": "8.13.0" }, "data_stream": { "dataset": "forgerock.idm_sync", - "namespace": "ep", + "namespace": "29113", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "5607d6f4-6e45-4c33-a087-2e07de5f0082", + "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7", "snapshot": false, - "version": "8.9.1" + "version": "8.13.0" }, "event": { "agent_id_status": "verified", - "created": "2023-08-29T18:32:10.406Z", + "created": "2024-06-12T03:13:33.362Z", "dataset": "forgerock.idm_sync", "id": "5e787c05-c32f-40d3-9e77-666376f6738f-130280", - "ingested": "2023-08-29T18:32:13Z", + "ingested": "2024-06-12T03:13:45Z", "outcome": "success" }, "forgerock": { @@ -1149,7 +1149,6 @@ An example event for `idm_sync` looks as following: "id": "d7cd65bf-743c-4753-a78f-a20daae7e3bf" } } - ``` **Exported fields** diff --git a/packages/forgerock/manifest.yml b/packages/forgerock/manifest.yml index 5cf00dab053..b5e583b2db4 100644 --- a/packages/forgerock/manifest.yml +++ b/packages/forgerock/manifest.yml @@ -1,6 +1,6 @@ name: forgerock title: "ForgeRock" -version: "1.17.0" +version: "1.17.1" description: Collect audit logs from ForgeRock with Elastic Agent. type: integration format_version: "3.0.2" diff --git a/packages/lumos/changelog.yml b/packages/lumos/changelog.yml index 82bcec0922a..98bad0e736a 100644 --- a/packages/lumos/changelog.yml +++ b/packages/lumos/changelog.yml 
@@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.2.1" + changes: + - description: Fix sample event. + type: bugfix + link: https://github.com/elastic/integrations/pull/10136 - version: "1.2.0" changes: - description: Make `event.type` field conform to ECS field definition. diff --git a/packages/lumos/data_stream/activity_logs/sample_event.json b/packages/lumos/data_stream/activity_logs/sample_event.json index 3ee0174f430..836f66a79f7 100644 --- a/packages/lumos/data_stream/activity_logs/sample_event.json +++ b/packages/lumos/data_stream/activity_logs/sample_event.json 
@@ -1,52 +1,54 @@ { - "@timestamp": "2024-03-14T17:53:58.869Z", + "@timestamp": "2024-06-12T03:14:31.761Z", "agent": { - "ephemeral_id": "9d0d6b51-1c05-4ab1-ab5c-c16e485d734f", - "id": "f57bb12d-cf67-4ec4-9ed0-52eeb865959e", + "ephemeral_id": "164152f0-95db-44c9-a369-1412cbf18efd", + "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.12.1" + "version": "8.13.0" }, "data_stream": { "dataset": "lumos.activity_logs", - "namespace": "ep", + "namespace": "41003", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "f57bb12d-cf67-4ec4-9ed0-52eeb865959e", + "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7", "snapshot": false, - "version": "8.12.1" + "version": "8.13.0" }, "event": { "action": "SOD_POLICY_DELETED", "agent_id_status": "verified", - "created": "2024-03-14T17:53:58.869Z", + "created": "2024-06-12T03:14:31.761Z", "dataset": "lumos.activity_logs", "id": "630b90cedc35a8a5f43361534099bee51e032f42dd442085fc76ef094d228f543c78fbe59c132df992cf71a6b8496504e8ebbc6020fbae1f34206676985412e7", - "ingested": "2024-03-14T17:54:10Z", + "ingested": "2024-06-12T03:14:43Z", "kind": "event", "outcome": "success", - "type": "info" + "type": [ + "info" + ] }, "host": { - "architecture": "aarch64", + "architecture": "x86_64", "containerized": false, "hostname": "docker-fleet-agent", - "id": "fb3be8e9409740ebb6621b777f0c397d", + "id": "8259e024976a406e8a54cdbffeb84fec", "ip": [ - "192.168.144.7" + "172.19.0.7" ], "mac": [ - "02-42-C0-A8-90-07" + "02-42-AC-13-00-07" ], "name": "docker-fleet-agent", "os": { "codename": "focal", "family": "debian", - "kernel": "6.6.12-linuxkit", + "kernel": "6.5.11-linuxkit", "name": "Ubuntu", "platform": "ubuntu", "type": "linux", diff --git a/packages/lumos/docs/README.md b/packages/lumos/docs/README.md index 71a04477a00..1becdd681e4 100644 --- a/packages/lumos/docs/README.md +++ b/packages/lumos/docs/README.md 
@@ -56,54 +56,56 @@ An example event for `activity` looks as following: ```json { - "@timestamp": "2024-03-14T17:53:58.869Z", + "@timestamp": "2024-06-12T03:14:31.761Z", "agent": { - "ephemeral_id": "9d0d6b51-1c05-4ab1-ab5c-c16e485d734f", - "id": "f57bb12d-cf67-4ec4-9ed0-52eeb865959e", + "ephemeral_id": "164152f0-95db-44c9-a369-1412cbf18efd", + "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.12.1" + "version": "8.13.0" }, "data_stream": { "dataset": "lumos.activity_logs", - "namespace": "ep", + "namespace": "41003", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "f57bb12d-cf67-4ec4-9ed0-52eeb865959e", + "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7", "snapshot": false, - "version": "8.12.1" + "version": "8.13.0" }, "event": { "action": "SOD_POLICY_DELETED", "agent_id_status": "verified", - "created": "2024-03-14T17:53:58.869Z", + "created": "2024-06-12T03:14:31.761Z", "dataset": "lumos.activity_logs", "id": "630b90cedc35a8a5f43361534099bee51e032f42dd442085fc76ef094d228f543c78fbe59c132df992cf71a6b8496504e8ebbc6020fbae1f34206676985412e7", - "ingested": "2024-03-14T17:54:10Z", + "ingested": "2024-06-12T03:14:43Z", "kind": "event", "outcome": "success", - "type": "info" + "type": [ + "info" + ] }, "host": { - "architecture": "aarch64", + "architecture": "x86_64", "containerized": false, "hostname": "docker-fleet-agent", - "id": "fb3be8e9409740ebb6621b777f0c397d", + "id": "8259e024976a406e8a54cdbffeb84fec", "ip": [ - "192.168.144.7" + "172.19.0.7" ], "mac": [ - "02-42-C0-A8-90-07" + "02-42-AC-13-00-07" ], "name": "docker-fleet-agent", "os": { "codename": "focal", "family": "debian", - "kernel": "6.6.12-linuxkit", + "kernel": "6.5.11-linuxkit", "name": "Ubuntu", "platform": "ubuntu", "type": "linux", diff --git a/packages/lumos/manifest.yml b/packages/lumos/manifest.yml index 247ea50d7f9..8d03976ac00 100644 --- a/packages/lumos/manifest.yml +++ b/packages/lumos/manifest.yml 
@@ -1,7 +1,7 @@ format_version: 3.1.2 name: lumos title: "Lumos" -version: 1.2.0 +version: 1.2.1 description: "An integration with Lumos to ship your Activity logs to your Elastic instance." type: integration categories: diff --git a/packages/mattermost/changelog.yml b/packages/mattermost/changelog.yml index f7550a8dee7..9907ceedc28 100644 --- a/packages/mattermost/changelog.yml +++ b/packages/mattermost/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "2.0.1" + changes: + - description: Fix sample event. + type: bugfix + link: https://github.com/elastic/integrations/pull/10136 - version: "2.0.0" changes: - description: Make `event.type` field conform to ECS field definition. diff --git a/packages/mattermost/data_stream/audit/sample_event.json b/packages/mattermost/data_stream/audit/sample_event.json index da9b7902fb7..b90e7cac9e1 100644 --- a/packages/mattermost/data_stream/audit/sample_event.json +++ b/packages/mattermost/data_stream/audit/sample_event.json @@ -1,24 +1,24 @@ { "@timestamp": "2021-12-04T23:19:32.051Z", "agent": { - "ephemeral_id": "9f5e87b3-da6a-4888-96ba-c905ba197b12", - "id": "b1d83907-ff3e-464a-b79a-cf843f6f0bba", + "ephemeral_id": "3a1ecfb2-18a4-46c9-9996-65f6853ed739", + "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.0.0-beta1" + "version": "8.13.0" }, "data_stream": { "dataset": "mattermost.audit", - "namespace": "ep", + "namespace": "26102", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "b1d83907-ff3e-464a-b79a-cf843f6f0bba", + "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7", "snapshot": false, - "version": "8.0.0-beta1" + "version": "8.13.0" }, "event": { "action": "updateConfig", 
@@ -27,7 +27,7 @@ "configuration" ], "dataset": "mattermost.audit", - "ingested": "2022-01-02T00:19:22Z", + "ingested": "2024-06-12T03:15:44Z", "kind": "event", "original": "{\"timestamp\":\"2021-12-04 23:19:32.051 Z\",\"event\":\"updateConfig\",\"status\":\"success\",\"user_id\":\"ag99yu4i1if63jrui63tsmq57y\",\"session_id\":\"pjh4n69j3p883k7hhzippskcba\",\"ip_address\":\"172.19.0.1\",\"api_path\":\"/api/v4/config\",\"cluster_id\":\"jq3utry71f8a7q9qgebmjccf4r\",\"client\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36\"}", "outcome": "success", @@ -37,24 +37,24 @@ }, "host": { "architecture": "x86_64", - "containerized": true, + "containerized": false, "hostname": "docker-fleet-agent", - "id": "4ccba669f0df47fa3f57a9e4169ae7f1", + "id": "8259e024976a406e8a54cdbffeb84fec", "ip": [ - "172.18.0.5" + "172.19.0.7" ], "mac": [ - "02:42:ac:12:00:05" + "02-42-AC-13-00-07" ], "name": "docker-fleet-agent", "os": { - "codename": "Core", - "family": "redhat", - "kernel": "5.11.0-43-generic", - "name": "CentOS Linux", - "platform": "centos", + "codename": "focal", + "family": "debian", + "kernel": "6.5.11-linuxkit", + "name": "Ubuntu", + "platform": "ubuntu", "type": "linux", - "version": "7 (Core)" + "version": "20.04.6 LTS (Focal Fossa)" } }, "input": { @@ -113,4 +113,4 @@ }, "version": "96.0.4664.45" } -} +} \ No newline at end of file diff --git a/packages/mattermost/docs/README.md b/packages/mattermost/docs/README.md index b29f901334f..3f6ad1ba484 100644 --- a/packages/mattermost/docs/README.md +++ b/packages/mattermost/docs/README.md 
@@ -126,24 +126,24 @@ An example event for `audit` looks as following: { "@timestamp": "2021-12-04T23:19:32.051Z", "agent": { - "ephemeral_id": "9f5e87b3-da6a-4888-96ba-c905ba197b12", - "id": "b1d83907-ff3e-464a-b79a-cf843f6f0bba", + "ephemeral_id": "3a1ecfb2-18a4-46c9-9996-65f6853ed739", + "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.0.0-beta1" + "version": "8.13.0" }, "data_stream": { "dataset": "mattermost.audit", - "namespace": "ep", + "namespace": "26102", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "b1d83907-ff3e-464a-b79a-cf843f6f0bba", + "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7", "snapshot": false, - "version": "8.0.0-beta1" + "version": "8.13.0" }, "event": { "action": "updateConfig", @@ -152,7 +152,7 @@ An example event for `audit` looks as following: "configuration" ], "dataset": "mattermost.audit", - "ingested": "2022-01-02T00:19:22Z", + "ingested": "2024-06-12T03:15:44Z", "kind": "event", "original": "{\"timestamp\":\"2021-12-04 23:19:32.051 Z\",\"event\":\"updateConfig\",\"status\":\"success\",\"user_id\":\"ag99yu4i1if63jrui63tsmq57y\",\"session_id\":\"pjh4n69j3p883k7hhzippskcba\",\"ip_address\":\"172.19.0.1\",\"api_path\":\"/api/v4/config\",\"cluster_id\":\"jq3utry71f8a7q9qgebmjccf4r\",\"client\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36\"}", "outcome": "success", 
@@ -162,24 +162,24 @@ An example event for `audit` looks as following: }, "host": { "architecture": "x86_64", - "containerized": true, + "containerized": false, "hostname": "docker-fleet-agent", - "id": "4ccba669f0df47fa3f57a9e4169ae7f1", + "id": "8259e024976a406e8a54cdbffeb84fec", "ip": [ - "172.18.0.5" + "172.19.0.7" ], "mac": [ - "02:42:ac:12:00:05" + "02-42-AC-13-00-07" ], "name": "docker-fleet-agent", "os": { - "codename": "Core", - "family": "redhat", - "kernel": "5.11.0-43-generic", - "name": "CentOS Linux", - "platform": "centos", + "codename": "focal", + "family": "debian", + "kernel": "6.5.11-linuxkit", + "name": "Ubuntu", + "platform": "ubuntu", "type": "linux", - "version": "7 (Core)" + "version": "20.04.6 LTS (Focal Fossa)" } }, "input": { @@ -239,5 +239,4 @@ An example event for `audit` looks as following: "version": "96.0.4664.45" } } - ``` diff --git a/packages/mattermost/manifest.yml b/packages/mattermost/manifest.yml index 001f869f42a..dca2dafcc41 100644 --- a/packages/mattermost/manifest.yml +++ b/packages/mattermost/manifest.yml @@ -1,7 +1,7 @@ format_version: "3.0.3" name: mattermost title: "Mattermost" -version: "2.0.0" +version: "2.0.1" description: Collect logs from Mattermost with Elastic Agent. type: integration categories: diff --git a/packages/microsoft_exchange_online_message_trace/changelog.yml b/packages/microsoft_exchange_online_message_trace/changelog.yml index 83ed1c79b49..9d4f16a29b7 100644 --- a/packages/microsoft_exchange_online_message_trace/changelog.yml +++ b/packages/microsoft_exchange_online_message_trace/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.21.1" + changes: + - description: Fix sample event. + type: bugfix + link: https://github.com/elastic/integrations/pull/10136 - version: "1.21.0" changes: - description: Make `event.outcome` field conform to ECS field definition. 
diff --git a/packages/microsoft_exchange_online_message_trace/data_stream/log/sample_event.json b/packages/microsoft_exchange_online_message_trace/data_stream/log/sample_event.json
index 354ae533517..38ff2b39152 100644
--- a/packages/microsoft_exchange_online_message_trace/data_stream/log/sample_event.json
+++ b/packages/microsoft_exchange_online_message_trace/data_stream/log/sample_event.json
@@ -1,35 +1,19 @@
 {
- "@timestamp": "2022-09-05T18:10:13.490Z",
+ "@timestamp": "2022-10-21T17:25:36.969Z",
 "agent": {
- "ephemeral_id": "f42c0a8e-b2c0-4772-ab85-278acafa95f5",
- "id": "e4c29d91-bbb7-42b8-80fd-85ddb56d2300",
+ "ephemeral_id": "7db2c43f-4281-444d-b5b8-242a7ddf8ba2",
+ "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7",
 "name": "docker-fleet-agent",
 "type": "filebeat",
- "version": "8.8.2"
+ "version": "8.13.0"
 },
 "data_stream": {
 "dataset": "microsoft_exchange_online_message_trace.log",
- "namespace": "ep",
+ "namespace": "63147",
 "type": "logs"
 },
 "destination": {
- "as": {
- "number": 209
- },
 "domain": "contoso.com",
- "geo": {
- "city_name": "Milton",
- "continent_name": "North America",
- "country_iso_code": "US",
- "country_name": "United States",
- "location": {
- "lat": 47.2513,
- "lon": -122.3149
- },
- "region_iso_code": "US-WA",
- "region_name": "Washington"
- },
- "ip": "216.160.83.56",
 "registered_domain": "contoso.com",
 "top_level_domain": "com",
 "user": {
@@ -43,25 +27,25 @@
 "version": "8.11.0"
 },
 "elastic_agent": {
- "id": "e4c29d91-bbb7-42b8-80fd-85ddb56d2300",
+ "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7",
 "snapshot": false,
- "version": "8.8.2"
+ "version": "8.13.0"
 },
 "email": {
 "attachments": {
 "file": {
- "size": 87891
+ "size": 22761
 }
 },
- "delivery_timestamp": "2022-09-05T18:10:13.4907658",
+ "delivery_timestamp": "2022-10-21T17:25:36.969376Z",
 "from": {
 "address": [
- "azure-noreply@microsoft.com"
+ "noreply@azure.microsoft.com"
 ]
 },
- "local_id": "cf7a249a-5edd-4350-130a-08da8f69e0f6",
- "message_id": "",
- "subject": "PIM: A privileged directory role was assigned outside of PIM",
+ "local_id": "a5e6dc0f-23df-4b20-d240-08dab38944a1",
+ "message_id": "",
+ "subject": "testmail 2",
 "to": {
 "address": [
 "linus@contoso.com"
@@ -70,69 +54,63 @@ }, "event": { "agent_id_status": "verified", - "created": "2023-07-24T14:46:09.199Z", "dataset": "microsoft_exchange_online_message_trace.log", - "end": "2022-09-06T09:01:46.036Z", - "ingested": "2023-07-24T14:46:12Z", - "original": "{\"EndDate\":\"2022-09-06T09:01:46.0369423Z\",\"FromIP\":\"81.2.69.144\",\"Index\":0,\"MessageId\":\"\\u003ca210cf91-4f2e-484c-8ada-3b27064ee5e3@az.uksouth.production.microsoft.com\\u003e\",\"MessageTraceId\":\"cf7a249a-5edd-4350-130a-08da8f69e0f6\",\"Organization\":\"contoso.com\",\"Received\":\"2022-09-05T18:10:13.4907658\",\"RecipientAddress\":\"linus@contoso.com\",\"SenderAddress\":\"azure-noreply@microsoft.com\",\"Size\":87891,\"StartDate\":\"2022-09-04T09:01:46.0369423Z\",\"Status\":\"Delivered\",\"Subject\":\"PIM: A privileged directory role was assigned outside of PIM\",\"ToIP\":\"216.160.83.56\"}", - "outcome": "Delivered", - "start": "2022-09-04T09:01:46.036Z" + "end": "2022-10-22T09:40:10.000Z", + "ingested": "2024-06-12T03:18:25Z", + "original": "{\"Organization\":\"contoso.com\",\"MessageId\":\"\\u003cGVAP278MB037586A65EF1FB2F844B0258DA2D9@GVAP278MB0375.CHEP278.PROD.OUTLOOK.COM\\u003e\",\"Received\":\"2022-10-21T17:25:36.969376Z\",\"SenderAddress\":\"noreply@azure.microsoft.com\",\"RecipientAddress\":\"linus@contoso.com\",\"Subject\":\"testmail 2\",\"Status\":\"Delivered\",\"ToIP\":null,\"FromIP\":\"40.107.23.54\",\"Size\":22761,\"MessageTraceId\":\"a5e6dc0f-23df-4b20-d240-08dab38944a1\",\"StartDate\":\"2022-10-21T09:40:10Z\",\"EndDate\":\"2022-10-22T09:40:10Z\",\"Index\":0}", + "outcome": "success", + "start": "2022-10-21T09:40:10.000Z" }, "input": { - "type": "httpjson" + "type": "log" + }, + "log": { + "file": { + "path": "/tmp/service_logs/microsoft_exchange_online_message_trace_test.ndjson.log" + }, + "offset": 0 }, "microsoft": { "online_message_trace": { - "EndDate": "2022-09-06T09:01:46.0369423Z", - "FromIP": "81.2.69.144", + "EndDate": "2022-10-22T09:40:10Z", + "FromIP": "40.107.23.54", 
"Index": 0, - "MessageId": "", - "MessageTraceId": "cf7a249a-5edd-4350-130a-08da8f69e0f6", + "MessageId": "", + "MessageTraceId": "a5e6dc0f-23df-4b20-d240-08dab38944a1", "Organization": "contoso.com", - "Received": "2022-09-05T18:10:13.4907658", + "Received": "2022-10-21T17:25:36.969376Z", "RecipientAddress": "linus@contoso.com", - "SenderAddress": "azure-noreply@microsoft.com", - "Size": 87891, - "StartDate": "2022-09-04T09:01:46.0369423Z", + "SenderAddress": "noreply@azure.microsoft.com", + "Size": 22761, + "StartDate": "2022-10-21T09:40:10Z", "Status": "Delivered", - "Subject": "PIM: A privileged directory role was assigned outside of PIM", - "ToIP": "216.160.83.56" + "Subject": "testmail 2" } }, "related": { "user": [ "linus@contoso.com", - "azure-noreply@microsoft.com", + "noreply@azure.microsoft.com", "linus", - "azure-noreply" + "noreply" ] }, "source": { - "domain": "microsoft.com", - "geo": { - "city_name": "London", - "continent_name": "Europe", - "country_iso_code": "GB", - "country_name": "United Kingdom", - "location": { - "lat": 51.5142, - "lon": -0.0931 - }, - "region_iso_code": "GB-ENG", - "region_name": "England" - }, - "ip": "81.2.69.144", + "domain": "azure.microsoft.com", + "ip": "40.107.23.54", "registered_domain": "microsoft.com", + "subdomain": "azure", "top_level_domain": "com", "user": { - "domain": "microsoft.com", - "email": "azure-noreply@microsoft.com", - "id": "azure-noreply@microsoft.com", - "name": "azure-noreply" + "domain": "azure.microsoft.com", + "email": "noreply@azure.microsoft.com", + "id": "noreply@azure.microsoft.com", + "name": "noreply" } }, "tags": [ "preserve_original_event", + "microsoft-defender-endpoint", "forwarded" ] -} +} \ No newline at end of file diff --git a/packages/microsoft_exchange_online_message_trace/docs/README.md b/packages/microsoft_exchange_online_message_trace/docs/README.md index ae398555acf..4e2a675dde2 100644 --- a/packages/microsoft_exchange_online_message_trace/docs/README.md 
+++ b/packages/microsoft_exchange_online_message_trace/docs/README.md @@ -144,37 +144,21 @@ An example event for `log` looks as following: ```json { - "@timestamp": "2022-09-05T18:10:13.490Z", + "@timestamp": "2022-10-21T17:25:36.969Z", "agent": { - "ephemeral_id": "f42c0a8e-b2c0-4772-ab85-278acafa95f5", - "id": "e4c29d91-bbb7-42b8-80fd-85ddb56d2300", + "ephemeral_id": "7db2c43f-4281-444d-b5b8-242a7ddf8ba2", + "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.8.2" + "version": "8.13.0" }, "data_stream": { "dataset": "microsoft_exchange_online_message_trace.log", - "namespace": "ep", + "namespace": "63147", "type": "logs" }, "destination": { - "as": { - "number": 209 - }, "domain": "contoso.com", - "geo": { - "city_name": "Milton", - "continent_name": "North America", - "country_iso_code": "US", - "country_name": "United States", - "location": { - "lat": 47.2513, - "lon": -122.3149 - }, - "region_iso_code": "US-WA", - "region_name": "Washington" - }, - "ip": "216.160.83.56", "registered_domain": "contoso.com", "top_level_domain": "com", "user": { @@ -188,25 +172,25 @@ An example event for `log` looks as following: "version": "8.11.0" }, "elastic_agent": { - "id": "e4c29d91-bbb7-42b8-80fd-85ddb56d2300", + "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7", "snapshot": false, - "version": "8.8.2" + "version": "8.13.0" }, "email": { "attachments": { "file": { - "size": 87891 + "size": 22761 } }, - "delivery_timestamp": "2022-09-05T18:10:13.4907658", + "delivery_timestamp": "2022-10-21T17:25:36.969376Z", "from": { "address": [ - "azure-noreply@microsoft.com" + "noreply@azure.microsoft.com" ] }, - "local_id": "cf7a249a-5edd-4350-130a-08da8f69e0f6", - "message_id": "", - "subject": "PIM: A privileged directory role was assigned outside of PIM", + "local_id": "a5e6dc0f-23df-4b20-d240-08dab38944a1", + "message_id": "", + "subject": "testmail 2", "to": { "address": [ "linus@contoso.com" 
@@ -215,73 +199,66 @@ An example event for `log` looks as following: }, "event": { "agent_id_status": "verified", - "created": "2023-07-24T14:46:09.199Z", "dataset": "microsoft_exchange_online_message_trace.log", - "end": "2022-09-06T09:01:46.036Z", - "ingested": "2023-07-24T14:46:12Z", - "original": "{\"EndDate\":\"2022-09-06T09:01:46.0369423Z\",\"FromIP\":\"81.2.69.144\",\"Index\":0,\"MessageId\":\"\\u003ca210cf91-4f2e-484c-8ada-3b27064ee5e3@az.uksouth.production.microsoft.com\\u003e\",\"MessageTraceId\":\"cf7a249a-5edd-4350-130a-08da8f69e0f6\",\"Organization\":\"contoso.com\",\"Received\":\"2022-09-05T18:10:13.4907658\",\"RecipientAddress\":\"linus@contoso.com\",\"SenderAddress\":\"azure-noreply@microsoft.com\",\"Size\":87891,\"StartDate\":\"2022-09-04T09:01:46.0369423Z\",\"Status\":\"Delivered\",\"Subject\":\"PIM: A privileged directory role was assigned outside of PIM\",\"ToIP\":\"216.160.83.56\"}", - "outcome": "Delivered", - "start": "2022-09-04T09:01:46.036Z" + "end": "2022-10-22T09:40:10.000Z", + "ingested": "2024-06-12T03:18:25Z", + "original": "{\"Organization\":\"contoso.com\",\"MessageId\":\"\\u003cGVAP278MB037586A65EF1FB2F844B0258DA2D9@GVAP278MB0375.CHEP278.PROD.OUTLOOK.COM\\u003e\",\"Received\":\"2022-10-21T17:25:36.969376Z\",\"SenderAddress\":\"noreply@azure.microsoft.com\",\"RecipientAddress\":\"linus@contoso.com\",\"Subject\":\"testmail 2\",\"Status\":\"Delivered\",\"ToIP\":null,\"FromIP\":\"40.107.23.54\",\"Size\":22761,\"MessageTraceId\":\"a5e6dc0f-23df-4b20-d240-08dab38944a1\",\"StartDate\":\"2022-10-21T09:40:10Z\",\"EndDate\":\"2022-10-22T09:40:10Z\",\"Index\":0}", + "outcome": "success", + "start": "2022-10-21T09:40:10.000Z" }, "input": { - "type": "httpjson" + "type": "log" + }, + "log": { + "file": { + "path": "/tmp/service_logs/microsoft_exchange_online_message_trace_test.ndjson.log" + }, + "offset": 0 }, "microsoft": { "online_message_trace": { - "EndDate": "2022-09-06T09:01:46.0369423Z", - "FromIP": "81.2.69.144", + "EndDate": 
"2022-10-22T09:40:10Z", + "FromIP": "40.107.23.54", "Index": 0, - "MessageId": "", - "MessageTraceId": "cf7a249a-5edd-4350-130a-08da8f69e0f6", + "MessageId": "", + "MessageTraceId": "a5e6dc0f-23df-4b20-d240-08dab38944a1", "Organization": "contoso.com", - "Received": "2022-09-05T18:10:13.4907658", + "Received": "2022-10-21T17:25:36.969376Z", "RecipientAddress": "linus@contoso.com", - "SenderAddress": "azure-noreply@microsoft.com", - "Size": 87891, - "StartDate": "2022-09-04T09:01:46.0369423Z", + "SenderAddress": "noreply@azure.microsoft.com", + "Size": 22761, + "StartDate": "2022-10-21T09:40:10Z", "Status": "Delivered", - "Subject": "PIM: A privileged directory role was assigned outside of PIM", - "ToIP": "216.160.83.56" + "Subject": "testmail 2" } }, "related": { "user": [ "linus@contoso.com", - "azure-noreply@microsoft.com", + "noreply@azure.microsoft.com", "linus", - "azure-noreply" + "noreply" ] }, "source": { - "domain": "microsoft.com", - "geo": { - "city_name": "London", - "continent_name": "Europe", - "country_iso_code": "GB", - "country_name": "United Kingdom", - "location": { - "lat": 51.5142, - "lon": -0.0931 - }, - "region_iso_code": "GB-ENG", - "region_name": "England" - }, - "ip": "81.2.69.144", + "domain": "azure.microsoft.com", + "ip": "40.107.23.54", "registered_domain": "microsoft.com", + "subdomain": "azure", "top_level_domain": "com", "user": { - "domain": "microsoft.com", - "email": "azure-noreply@microsoft.com", - "id": "azure-noreply@microsoft.com", - "name": "azure-noreply" + "domain": "azure.microsoft.com", + "email": "noreply@azure.microsoft.com", + "id": "noreply@azure.microsoft.com", + "name": "noreply" } }, "tags": [ "preserve_original_event", + "microsoft-defender-endpoint", "forwarded" ] } - ``` **Exported fields** diff --git a/packages/microsoft_exchange_online_message_trace/manifest.yml b/packages/microsoft_exchange_online_message_trace/manifest.yml index e210fd066f4..3df3cf27867 100644 
--- a/packages/microsoft_exchange_online_message_trace/manifest.yml +++ b/packages/microsoft_exchange_online_message_trace/manifest.yml @@ -1,7 +1,7 @@ format_version: "3.0.2" name: microsoft_exchange_online_message_trace title: "Microsoft Exchange Online Message Trace" -version: "1.21.0" +version: "1.21.1" description: "Microsoft Exchange Online Message Trace Integration" type: integration categories: diff --git a/packages/pulse_connect_secure/changelog.yml b/packages/pulse_connect_secure/changelog.yml index 924aa0c5bb8..4f4f8b74c68 100644 --- a/packages/pulse_connect_secure/changelog.yml +++ b/packages/pulse_connect_secure/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "2.0.1" + changes: + - description: Fix sample event. + type: bugfix + link: https://github.com/elastic/integrations/pull/10136 - version: "2.0.0" changes: - description: Make `event.category` and `event.type` fields conform to ECS field definition. diff --git a/packages/pulse_connect_secure/data_stream/log/sample_event.json b/packages/pulse_connect_secure/data_stream/log/sample_event.json index 5bebefb2850..8019cba7ce8 100644 --- a/packages/pulse_connect_secure/data_stream/log/sample_event.json +++ b/packages/pulse_connect_secure/data_stream/log/sample_event.json @@ -1,11 +1,11 @@ { "@timestamp": "2021-10-19T09:10:35.000+02:00", "agent": { - "ephemeral_id": "f5012eed-664a-4430-85b2-b8c48267837e", - "id": "1b313b92-040f-43af-8905-5b86b2755044", + "ephemeral_id": "59d9a27c-2780-41a3-b336-00bff722f3ec", + "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.11.4" + "version": "8.13.0" }, "client": { "address": "89.160.20.156", 
@@ -31,23 +31,25 @@ }, "data_stream": { "dataset": "pulse_connect_secure.log", - "namespace": "ep", + "namespace": "47711", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "1b313b92-040f-43af-8905-5b86b2755044", + "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7", "snapshot": false, - "version": "8.11.4" + "version": "8.13.0" }, "event": { "agent_id_status": "verified", - "category": "network", + "category": [ + "network" + ], "created": "2021-10-19T09:10:35.000+02:00", "dataset": "pulse_connect_secure.log", - "ingested": "2024-02-09T13:09:18Z", + "ingested": "2024-06-12T03:21:05Z", "kind": "event", "original": "Oct 19 09:10:35 pcs-node1 1 2021-10-19T09:10:35+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 09:10:35 - pcs-node1 - [89.160.20.156] user.name(REALM)[REALM_ROLES] - Agent login succeeded for user.name/REALM (session:sid74fa8e00ca601280318287f67dfaee7cc6da40db0be6ac75) from 89.160.20.156 with Pulse-Secure/9.1.13.11723 (Windows 10) Pulse/9.1.13.11723.", "outcome": "success", @@ -57,11 +59,11 @@ "hostname": "pcs-node1" }, "input": { - "type": "tcp" + "type": "udp" }, "log": { "source": { - "address": "192.168.176.4:39024" + "address": "172.19.0.5:42415" } }, "message": "Agent login succeeded for user.name/REALM (session:sid74fa8e00ca601280318287f67dfaee7cc6da40db0be6ac75) from 89.160.20.156 with Pulse-Secure/9.1.13.11723 (Windows 10) Pulse/9.1.13.11723.", diff --git a/packages/pulse_connect_secure/docs/README.md b/packages/pulse_connect_secure/docs/README.md index 497fc80f28e..b8d0e95d560 100644 --- a/packages/pulse_connect_secure/docs/README.md +++ b/packages/pulse_connect_secure/docs/README.md 
@@ -10,11 +10,11 @@ An example event for `log` looks as following: { "@timestamp": "2021-10-19T09:10:35.000+02:00", "agent": { - "ephemeral_id": "f5012eed-664a-4430-85b2-b8c48267837e", - "id": "1b313b92-040f-43af-8905-5b86b2755044", + "ephemeral_id": "59d9a27c-2780-41a3-b336-00bff722f3ec", + "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.11.4" + "version": "8.13.0" }, "client": { "address": "89.160.20.156", @@ -40,23 +40,25 @@ An example event for `log` looks as following: }, "data_stream": { "dataset": "pulse_connect_secure.log", - "namespace": "ep", + "namespace": "47711", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "1b313b92-040f-43af-8905-5b86b2755044", + "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7", "snapshot": false, - "version": "8.11.4" + "version": "8.13.0" }, "event": { "agent_id_status": "verified", - "category": "network", + "category": [ + "network" + ], "created": "2021-10-19T09:10:35.000+02:00", "dataset": "pulse_connect_secure.log", - "ingested": "2024-02-09T13:09:18Z", + "ingested": "2024-06-12T03:21:05Z", "kind": "event", "original": "Oct 19 09:10:35 pcs-node1 1 2021-10-19T09:10:35+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 09:10:35 - pcs-node1 - [89.160.20.156] user.name(REALM)[REALM_ROLES] - Agent login succeeded for user.name/REALM (session:sid74fa8e00ca601280318287f67dfaee7cc6da40db0be6ac75) from 89.160.20.156 with Pulse-Secure/9.1.13.11723 (Windows 10) Pulse/9.1.13.11723.", "outcome": "success", @@ -66,11 +68,11 @@ An example event for `log` looks as following: "hostname": "pcs-node1" }, "input": { - "type": "tcp" + "type": "udp" }, "log": { "source": { - "address": "192.168.176.4:39024" + "address": "172.19.0.5:42415" } }, "message": "Agent login succeeded for user.name/REALM (session:sid74fa8e00ca601280318287f67dfaee7cc6da40db0be6ac75) from 89.160.20.156 with Pulse-Secure/9.1.13.11723 (Windows 10) Pulse/9.1.13.11723.", 
diff --git a/packages/pulse_connect_secure/manifest.yml b/packages/pulse_connect_secure/manifest.yml index c6659c897a1..b862911c584 100644 --- a/packages/pulse_connect_secure/manifest.yml +++ b/packages/pulse_connect_secure/manifest.yml @@ -1,6 +1,6 @@ name: pulse_connect_secure title: Pulse Connect Secure -version: 2.0.0 +version: 2.0.1 description: Collect logs from Pulse Connect Secure with Elastic Agent. type: integration icons: diff --git a/packages/sentinel_one/changelog.yml b/packages/sentinel_one/changelog.yml index 1710c03e9f2..542ae7f8314 100644 --- a/packages/sentinel_one/changelog.yml +++ b/packages/sentinel_one/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.23.1" + changes: + - description: Fix sample event. + type: bugfix + link: https://github.com/elastic/integrations/pull/10136 - version: "1.23.0" changes: - description: Make `host.ip` field conform to ECS field definition. diff --git a/packages/sentinel_one/data_stream/activity/sample_event.json b/packages/sentinel_one/data_stream/activity/sample_event.json index dde49965f63..4f4f17ce552 100644 --- a/packages/sentinel_one/data_stream/activity/sample_event.json +++ b/packages/sentinel_one/data_stream/activity/sample_event.json 
@@ -1,33 +1,33 @@ { "@timestamp": "2022-04-05T16:01:56.995Z", "agent": { - "ephemeral_id": "d7cb61c6-f67e-41a2-ad96-fbcb9390b1ba", - "id": "0dc831b8-c128-48db-a3c7-379a3da30bb1", + "ephemeral_id": "630c4de2-59ec-4613-ab7d-261434a79313", + "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.7.1" + "version": "8.13.0" }, "data_stream": { "dataset": "sentinel_one.activity", - "namespace": "ep", + "namespace": "83396", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "0dc831b8-c128-48db-a3c7-379a3da30bb1", + "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7", "snapshot": false, - "version": "8.7.1" + "version": "8.13.0" }, "event": { "agent_id_status": "verified", "category": [ "configuration" ], - "created": "2023-10-19T11:39:59.555Z", + "created": "2024-06-12T03:21:55.005Z", "dataset": "sentinel_one.activity", - "ingested": "2023-10-19T11:40:00Z", + "ingested": "2024-06-12T03:22:05Z", "kind": "event", "original": "{\"accountId\":\"1234567890123456789\",\"accountName\":\"Default\",\"activityType\":1234,\"agentId\":null,\"agentUpdatedVersion\":null,\"comments\":null,\"createdAt\":\"2022-04-05T16:01:56.995120Z\",\"data\":{\"accountId\":1234567890123456800,\"accountName\":\"Default\",\"fullScopeDetails\":\"Account Default\",\"fullScopeDetailsPath\":\"test/path\",\"groupName\":null,\"scopeLevel\":\"Account\",\"scopeName\":\"Default\",\"siteName\":null,\"username\":\"test user\"},\"description\":null,\"groupId\":null,\"groupName\":null,\"hash\":null,\"id\":\"1234567890123456789\",\"osFamily\":null,\"primaryDescription\":\"created Default account.\",\"secondaryDescription\":null,\"siteId\":null,\"siteName\":null,\"threatId\":null,\"updatedAt\":\"2022-04-05T16:01:56.992136Z\",\"userId\":\"1234567890123456789\"}", "type": [ @@ -79,4 +79,4 @@ "full_name": "test user", "id": "1234567890123456789" } -} +} \ No newline at end of file 
diff --git a/packages/sentinel_one/data_stream/agent/sample_event.json b/packages/sentinel_one/data_stream/agent/sample_event.json index 9960a2703cf..247473f7f16 100644 --- a/packages/sentinel_one/data_stream/agent/sample_event.json +++ b/packages/sentinel_one/data_stream/agent/sample_event.json 
@@ -1,33 +1,33 @@ { "@timestamp": "2022-04-07T08:31:47.481Z", "agent": { - "ephemeral_id": "b79cbfcd-f5db-4c13-949e-773ecdb03861", - "id": "0dc831b8-c128-48db-a3c7-379a3da30bb1", + "ephemeral_id": "bc127c14-939d-445f-ba71-65c2a9cd997e", + "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.7.1" + "version": "8.13.0" }, "data_stream": { "dataset": "sentinel_one.agent", - "namespace": "ep", + "namespace": "27680", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "0dc831b8-c128-48db-a3c7-379a3da30bb1", + "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7", "snapshot": false, - "version": "8.7.1" + "version": "8.13.0" }, "event": { "agent_id_status": "verified", "category": [ "host" ], - "created": "2023-10-19T11:40:47.027Z", + "created": "2024-06-12T03:22:47.058Z", "dataset": "sentinel_one.agent", - "ingested": "2023-10-19T11:40:50Z", + "ingested": "2024-06-12T03:22:59Z", "kind": "event", "original": "{\"accountId\":\"12345123451234512345\",\"accountName\":\"Account Name\",\"activeDirectory\":{\"computerDistinguishedName\":null,\"computerMemberOf\":[],\"lastUserDistinguishedName\":null,\"lastUserMemberOf\":[]},\"activeThreats\":7,\"agentVersion\":\"12.x.x.x\",\"allowRemoteShell\":true,\"appsVulnerabilityStatus\":\"not_applicable\",\"cloudProviders\":{},\"computerName\":\"user-test\",\"consoleMigrationStatus\":\"N/A\",\"coreCount\":2,\"cpuCount\":2,\"cpuId\":\"CPU Name\",\"createdAt\":\"2022-03-18T09:12:00.519500Z\",\"detectionState\":null,\"domain\":\"WORKGROUP\",\"encryptedApplications\":false,\"externalId\":\"\",\"externalIp\":\"81.2.69.143\",\"firewallEnabled\":true,\"firstFullModeTime\":null,\"groupId\":\"1234567890123456789\",\"groupIp\":\"81.2.69.144\",\"groupName\":\"Default 
Group\",\"id\":\"13491234512345\",\"inRemoteShellSession\":false,\"infected\":true,\"installerType\":\".msi\",\"isActive\":true,\"isDecommissioned\":false,\"isPendingUninstall\":false,\"isUninstalled\":false,\"isUpToDate\":true,\"lastActiveDate\":\"2022-03-17T09:51:28.506000Z\",\"lastIpToMgmt\":\"81.2.69.145\",\"lastLoggedInUserName\":\"\",\"licenseKey\":\"\",\"locationEnabled\":true,\"locationType\":\"not_applicable\",\"locations\":null,\"machineType\":\"server\",\"missingPermissions\":[\"user-action-needed-bluetooth-per\",\"user_action_needed_fda\"],\"mitigationMode\":\"detect\",\"mitigationModeSuspicious\":\"detect\",\"modelName\":\"Compute Engine\",\"networkInterfaces\":[{\"gatewayIp\":\"81.2.69.145\",\"gatewayMacAddress\":\"00-00-5E-00-53-00\",\"id\":\"1234567890123456789\",\"inet\":[\"81.2.69.144\"],\"inet6\":[\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\"],\"name\":\"Ethernet\",\"physical\":\"00-00-5E-00-53-00\"}],\"networkQuarantineEnabled\":false,\"networkStatus\":\"connected\",\"operationalState\":\"na\",\"operationalStateExpiration\":null,\"osArch\":\"64 bit\",\"osName\":\"Linux Server\",\"osRevision\":\"1234\",\"osStartTime\":\"2022-04-06T08:27:14Z\",\"osType\":\"linux\",\"osUsername\":null,\"rangerStatus\":\"Enabled\",\"rangerVersion\":\"21.x.x.x\",\"registeredAt\":\"2022-04-06T08:26:45.515278Z\",\"remoteProfilingState\":\"disabled\",\"remoteProfilingStateExpiration\":null,\"scanAbortedAt\":null,\"scanFinishedAt\":\"2022-04-06T09:18:21.090855Z\",\"scanStartedAt\":\"2022-04-06T08:26:52.838047Z\",\"scanStatus\":\"finished\",\"siteId\":\"1234567890123456789\",\"siteName\":\"Default 
site\",\"storageName\":null,\"storageType\":null,\"tags\":{\"sentinelone\":[{\"assignedAt\":\"2018-02-27T04:49:26.257525Z\",\"assignedBy\":\"test-user\",\"assignedById\":\"123456789012345678\",\"id\":\"123456789012345678\",\"key\":\"key123\",\"value\":\"value123\"}]},\"threatRebootRequired\":false,\"totalMemory\":1234,\"updatedAt\":\"2022-04-07T08:31:47.481227Z\",\"userActionsNeeded\":[\"reboot_needed\"],\"uuid\":\"XXX35XXX8Xfb4aX0X1X8X12X343X8X30\"}", "type": [ @@ -53,7 +53,9 @@ "region_name": "England" }, "id": "13491234512345", - "ip": "81.2.69.143", + "ip": [ + "81.2.69.143" + ], "mac": [ "00-00-5E-00-53-00" ], @@ -89,6 +91,9 @@ "name": "Account Name" }, "active_threats_count": 7, + "agent": { + "id": "13491234512345" + }, "allow_remote_shell": true, "apps_vulnerability_status": "not_applicable", "console_migration_status": "N/A", @@ -190,4 +195,4 @@ "forwarded", "sentinel_one-agent" ] -} +} \ No newline at end of file diff --git a/packages/sentinel_one/data_stream/alert/sample_event.json b/packages/sentinel_one/data_stream/alert/sample_event.json index 36913539fd2..1234aa98353 100644 --- a/packages/sentinel_one/data_stream/alert/sample_event.json +++ b/packages/sentinel_one/data_stream/alert/sample_event.json @@ -1,11 +1,11 @@ { "@timestamp": "2018-02-27T04:49:26.257Z", "agent": { - "ephemeral_id": "c0eb8175-0afb-4233-970c-cf3233254110", - "id": "0dc831b8-c128-48db-a3c7-379a3da30bb1", + "ephemeral_id": "5076489f-5b52-4bc8-a887-13206a7b5ebd", + "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.7.1" + "version": "8.13.0" }, "container": { "id": "string", @@ -16,7 +16,7 @@ }, "data_stream": { "dataset": "sentinel_one.alert", - "namespace": "ep", + "namespace": "68976", "type": "logs" }, "destination": { 
@@ -38,19 +38,19 @@ "version": "8.11.0" }, "elastic_agent": { - "id": "0dc831b8-c128-48db-a3c7-379a3da30bb1", + "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7", "snapshot": false, - "version": "8.7.1" + "version": "8.13.0" }, "event": { "agent_id_status": "verified", "category": [ "malware" ], - "created": "2023-10-19T11:41:38.188Z", + "created": "2024-06-12T03:23:40.343Z", "dataset": "sentinel_one.alert", "id": "123456789123456789", - "ingested": "2023-10-19T11:41:42Z", + "ingested": "2024-06-12T03:23:52Z", "kind": "event", "original": "{\"agentDetectionInfo\":{\"machineType\":\"string\",\"name\":\"string\",\"osFamily\":\"string\",\"osName\":\"string\",\"osRevision\":\"string\",\"siteId\":\"123456789123456789\",\"uuid\":\"string\",\"version\":\"3.x.x.x\"},\"alertInfo\":{\"alertId\":\"123456789123456789\",\"analystVerdict\":\"string\",\"createdAt\":\"2018-02-27T04:49:26.257525Z\",\"dnsRequest\":\"string\",\"dnsResponse\":\"string\",\"dstIp\":\"81.2.69.144\",\"dstPort\":\"1234\",\"dvEventId\":\"string\",\"eventType\":\"info\",\"hitType\":\"Events\",\"incidentStatus\":\"string\",\"indicatorCategory\":\"string\",\"indicatorDescription\":\"string\",\"indicatorName\":\"string\",\"loginAccountDomain\":\"string\",\"loginAccountSid\":\"string\",\"loginIsAdministratorEquivalent\":\"string\",\"loginIsSuccessful\":\"string\",\"loginType\":\"string\",\"loginsUserName\":\"string\",\"modulePath\":\"string\",\"moduleSha1\":\"aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d\",\"netEventDirection\":\"string\",\"registryKeyPath\":\"string\",\"registryOldValue\":\"string\",\"registryOldValueType\":\"string\",\"registryPath\":\"string\",\"registryValue\":\"string\",\"reportedAt\":\"2018-02-27T04:49:26.257525Z\",\"source\":\"string\",\"srcIp\":\"81.2.69.142\",\"srcMachineIp\":\"81.2.69.142\",\"srcPort\":\"1234\",\"tiIndicatorComparisonMethod\":\"string\",\"tiIndicatorSource\":\"string\",\"tiIndicatorType\":\"string\",\"tiIndicatorValue\":\"string\",\"updatedAt\":\"2018-02-27T04:49:26.257525Z\"},\"
containerInfo\":{\"id\":\"string\",\"image\":\"string\",\"labels\":\"string\",\"name\":\"string\"},\"kubernetesInfo\":{\"cluster\":\"string\",\"controllerKind\":\"string\",\"controllerLabels\":\"string\",\"controllerName\":\"string\",\"namespace\":\"string\",\"namespaceLabels\":\"string\",\"node\":\"string\",\"pod\":\"string\",\"podLabels\":\"string\"},\"ruleInfo\":{\"description\":\"string\",\"id\":\"string\",\"name\":\"string\",\"scopeLevel\":\"string\",\"severity\":\"Low\",\"treatAsThreat\":\"UNDEFINED\"},\"sourceParentProcessInfo\":{\"commandline\":\"string\",\"fileHashMd5\":\"5d41402abc4b2a76b9719d911017c592\",\"fileHashSha1\":\"aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d\",\"fileHashSha256\":\"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824\",\"filePath\":\"string\",\"fileSignerIdentity\":\"string\",\"integrityLevel\":\"unknown\",\"name\":\"string\",\"pid\":\"12345\",\"pidStarttime\":\"2018-02-27T04:49:26.257525Z\",\"storyline\":\"string\",\"subsystem\":\"unknown\",\"uniqueId\":\"string\",\"user\":\"string\"},\"sourceProcessInfo\":{\"commandline\":\"string\",\"fileHashMd5\":\"5d41402abc4b2a76b9719d911017c592\",\"fileHashSha1\":\"aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d\",\"fileHashSha256\":\"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824\",\"filePath\":\"string\",\"fileSignerIdentity\":\"string\",\"integrityLevel\":\"unknown\",\"name\":\"string\",\"pid\":\"12345\",\"pidStarttime\":\"2018-02-27T04:49:26.257525Z\",\"storyline\":\"string\",\"subsystem\":\"unknown\",\"uniqueId\":\"string\",\"user\":\"string\"},\"targetProcessInfo\":{\"tgtFileCreatedAt\":\"2018-02-27T04:49:26.257525Z\",\"tgtFileHashSha1\":\"aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d\",\"tgtFileHashSha256\":\"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824\",\"tgtFileId\":\"string\",\"tgtFileIsSigned\":\"string\",\"tgtFileModifiedAt\":\"2018-02-27T04:49:26.257525Z\",\"tgtFileOldPath\":\"string\",\"tgtFilePath\":\"string\",\"tgtProcCmdLine\":\"string\",\
"tgtProcImagePath\":\"string\",\"tgtProcIntegrityLevel\":\"unknown\",\"tgtProcName\":\"string\",\"tgtProcPid\":\"12345\",\"tgtProcSignedStatus\":\"string\",\"tgtProcStorylineId\":\"string\",\"tgtProcUid\":\"string\",\"tgtProcessStartTime\":\"2018-02-27T04:49:26.257525Z\"}}", "type": [ @@ -62,7 +62,9 @@ "mtime": "2018-02-27T04:49:26.257Z" }, "host": { - "ip": "81.2.69.142", + "ip": [ + "81.2.69.142" + ], "name": "string", "os": { "family": "string", @@ -269,4 +271,4 @@ "domain": "string", "name": "string" } -} +} \ No newline at end of file diff --git a/packages/sentinel_one/data_stream/group/sample_event.json b/packages/sentinel_one/data_stream/group/sample_event.json index 2cfcb9ddebb..df2a027240d 100644 --- a/packages/sentinel_one/data_stream/group/sample_event.json +++ b/packages/sentinel_one/data_stream/group/sample_event.json 
@@ -1,33 +1,33 @@ { "@timestamp": "2022-04-05T16:01:57.564Z", "agent": { - "ephemeral_id": "83bb6b62-84e1-449b-a652-b206238f20f8", - "id": "0dc831b8-c128-48db-a3c7-379a3da30bb1", + "ephemeral_id": "99777f03-5c73-4831-b833-2489562ef8fb", + "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.7.1" + "version": "8.13.0" }, "data_stream": { "dataset": "sentinel_one.group", - "namespace": "ep", + "namespace": "81222", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "0dc831b8-c128-48db-a3c7-379a3da30bb1", + "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7", "snapshot": false, - "version": "8.7.1" + "version": "8.13.0" }, "event": { "agent_id_status": "verified", "category": [ "iam" ], - "created": "2023-10-19T11:42:26.967Z", + "created": "2024-06-12T03:24:33.387Z", "dataset": "sentinel_one.group", - "ingested": "2023-10-19T11:42:30Z", + "ingested": "2024-06-12T03:24:45Z", "kind": "event", "original": "{\"createdAt\":\"2022-04-05T16:01:56.928383Z\",\"creator\":\"Test User\",\"creatorId\":\"1234567890123456789\",\"filterId\":null,\"filterName\":null,\"id\":\"1234567890123456789\",\"inherits\":true,\"isDefault\":true,\"name\":\"Default Group\",\"rank\":null,\"registrationToken\":\"eyxxxxxxxxxxxxxxxxxxxxkixZxx1xxxxx8xxx2xODA0ZxxxxTIwNjhxxxxxxxxxxxxxxiMWYxx1Ixxnxxxx0=\",\"siteId\":\"1234567890123456789\",\"totalAgents\":1,\"type\":\"static\",\"updatedAt\":\"2022-04-05T16:01:57.564266Z\"}", "type": [ @@ -72,4 +72,4 @@ "user": { "full_name": "Test User" } -} +} \ No newline at end of file diff --git a/packages/sentinel_one/data_stream/threat/sample_event.json b/packages/sentinel_one/data_stream/threat/sample_event.json index 7ffaa23c37c..d7658a39682 100644 --- a/packages/sentinel_one/data_stream/threat/sample_event.json +++ b/packages/sentinel_one/data_stream/threat/sample_event.json 
@@ -1,24 +1,24 @@ { "@timestamp": "2022-04-06T08:54:17.194Z", "agent": { - "ephemeral_id": "8e74b49b-8a2e-4955-9a51-41e94056e2fa", - "id": "0dc831b8-c128-48db-a3c7-379a3da30bb1", + "ephemeral_id": "3ea8603b-159f-441f-ae62-7fce6805bf8c", + "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.7.1" + "version": "8.13.0" }, "data_stream": { "dataset": "sentinel_one.threat", - "namespace": "ep", + "namespace": "37791", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "0dc831b8-c128-48db-a3c7-379a3da30bb1", + "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7", "snapshot": false, - "version": "8.7.1" + "version": "8.13.0" }, "event": { "action": "SentinelOne Cloud", 
@@ -26,10 +26,10 @@ "category": [ "malware" ], - "created": "2023-10-19T11:43:14.860Z", + "created": "2024-06-12T03:25:25.764Z", "dataset": "sentinel_one.threat", "id": "1234567890123456789", - "ingested": "2023-10-19T11:43:18Z", + "ingested": "2024-06-12T03:25:37Z", "kind": "alert", "original": "{\"agentDetectionInfo\":{\"accountId\":\"1234567890123456789\",\"accountName\":\"Default\",\"agentDetectionState\":null,\"agentDomain\":\"WORKGROUP\",\"agentIpV4\":\"10.0.0.1\",\"agentIpV6\":\"2a02:cf40::\",\"agentLastLoggedInUpn\":null,\"agentLastLoggedInUserMail\":null,\"agentLastLoggedInUserName\":\"\",\"agentMitigationMode\":\"protect\",\"agentOsName\":\"linux\",\"agentOsRevision\":\"1234\",\"agentRegisteredAt\":\"2022-04-06T08:26:45.515278Z\",\"agentUuid\":\"fwfbxxxxxxxxxxqcfjfnxxxxxxxxx\",\"agentVersion\":\"21.x.x\",\"cloudProviders\":{},\"externalIp\":\"81.2.69.143\",\"groupId\":\"1234567890123456789\",\"groupName\":\"Default Group\",\"siteId\":\"1234567890123456789\",\"siteName\":\"Default site\"},\"agentRealtimeInfo\":{\"accountId\":\"1234567890123456789\",\"accountName\":\"Default\",\"activeThreats\":7,\"agentComputerName\":\"test-LINUX\",\"agentDecommissionedAt\":null,\"agentDomain\":\"WORKGROUP\",\"agentId\":\"1234567890123456789\",\"agentInfected\":true,\"agentIsActive\":true,\"agentIsDecommissioned\":false,\"agentMachineType\":\"server\",\"agentMitigationMode\":\"detect\",\"agentNetworkStatus\":\"connected\",\"agentOsName\":\"linux\",\"agentOsRevision\":\"1234\",\"agentOsType\":\"linux\",\"agentUuid\":\"fwfbxxxxxxxxxxqcfjfnxxxxxxxxx\",\"agentVersion\":\"21.x.x.1234\",\"groupId\":\"1234567890123456789\",\"groupName\":\"Default 
Group\",\"networkInterfaces\":[{\"id\":\"1234567890123456789\",\"inet\":[\"10.0.0.1\"],\"inet6\":[\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\"],\"name\":\"Ethernet\",\"physical\":\"X2:0X:0X:X6:00:XX\"}],\"operationalState\":\"na\",\"rebootRequired\":false,\"scanAbortedAt\":null,\"scanFinishedAt\":\"2022-04-06T09:18:21.090855Z\",\"scanStartedAt\":\"2022-04-06T08:26:52.838047Z\",\"scanStatus\":\"finished\",\"siteId\":\"1234567890123456789\",\"siteName\":\"Default site\",\"storageName\":null,\"storageType\":null,\"userActionsNeeded\":[]},\"containerInfo\":{\"id\":null,\"image\":null,\"labels\":null,\"name\":null},\"id\":\"1234567890123456789\",\"indicators\":[],\"kubernetesInfo\":{\"cluster\":null,\"controllerKind\":null,\"controllerLabels\":null,\"controllerName\":null,\"namespace\":null,\"namespaceLabels\":null,\"node\":null,\"pod\":null,\"podLabels\":null},\"mitigationStatus\":[{\"action\":\"unquarantine\",\"actionsCounters\":{\"failed\":0,\"notFound\":0,\"pendingReboot\":0,\"success\":1,\"total\":1},\"agentSupportsReport\":true,\"groupNotFound\":false,\"lastUpdate\":\"2022-04-06T08:54:17.198002Z\",\"latestReport\":\"/threats/mitigation-report\",\"mitigationEndedAt\":\"2022-04-06T08:54:17.101000Z\",\"mitigationStartedAt\":\"2022-04-06T08:54:17.101000Z\",\"status\":\"success\"},{\"action\":\"kill\",\"actionsCounters\":null,\"agentSupportsReport\":true,\"groupNotFound\":false,\"lastUpdate\":\"2022-04-06T08:45:55.303355Z\",\"latestReport\":null,\"mitigationEndedAt\":\"2022-04-06T08:45:55.297364Z\",\"mitigationStartedAt\":\"2022-04-06T08:45:55.297363Z\",\"status\":\"success\"}],\"threatInfo\":{\"analystVerdict\":\"undefined\",\"analystVerdictDescription\":\"Undefined\",\"automaticallyResolved\":false,\"browserType\":null,\"certificateId\":\"\",\"classification\":\"Trojan\",\"classificationSource\":\"Cloud\",\"cloudFilesHashVerdict\":\"black\",\"collectionId\":\"1234567890123456789\",\"confidenceLevel\":\"malicious\",\"createdAt\":\"2022-04-06T08:45:54.519988Z\",\"detectio
nEngines\":[{\"key\":\"sentinelone_cloud\",\"title\":\"SentinelOne Cloud\"}],\"detectionType\":\"static\",\"engines\":[\"SentinelOne Cloud\"],\"externalTicketExists\":false,\"externalTicketId\":null,\"failedActions\":false,\"fileExtension\":\"EXE\",\"fileExtensionType\":\"Executable\",\"filePath\":\"default.exe\",\"fileSize\":1234,\"fileVerificationType\":\"NotSigned\",\"identifiedAt\":\"2022-04-06T08:45:53.968000Z\",\"incidentStatus\":\"unresolved\",\"incidentStatusDescription\":\"Unresolved\",\"initiatedBy\":\"agent_policy\",\"initiatedByDescription\":\"Agent Policy\",\"initiatingUserId\":null,\"initiatingUsername\":null,\"isFileless\":false,\"isValidCertificate\":false,\"maliciousProcessArguments\":null,\"md5\":null,\"mitigatedPreemptively\":false,\"mitigationStatus\":\"not_mitigated\",\"mitigationStatusDescription\":\"Not mitigated\",\"originatorProcess\":\"default.exe\",\"pendingActions\":false,\"processUser\":\"test user\",\"publisherName\":\"\",\"reachedEventsLimit\":false,\"rebootRequired\":false,\"sha1\":\"aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d\",\"sha256\":null,\"storyline\":\"D0XXXXXXXXXXAF4D\",\"threatId\":\"1234567890123456789\",\"threatName\":\"default.exe\",\"updatedAt\":\"2022-04-06T08:54:17.194122Z\"},\"whiteningOptions\":[\"hash\"]}", "type": [ @@ -51,7 +51,9 @@ "region_name": "England" }, "id": "1234567890123456789", - "ip": "81.2.69.143", + "ip": [ + "81.2.69.143" + ], "mac": [ "X2-0X-0X-X6-00-XX" ], @@ -99,6 +101,7 @@ "id": "1234567890123456789", "name": "Default Group" }, + "id": "1234567890123456789", "infected": true, "is_active": true, "is_decommissioned": false, @@ -268,4 +271,4 @@ } } } -} +} \ No newline at end of file diff --git a/packages/sentinel_one/docs/README.md b/packages/sentinel_one/docs/README.md index df3592c0d00..d6c549108cd 100644 --- a/packages/sentinel_one/docs/README.md +++ b/packages/sentinel_one/docs/README.md 
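Review bot: `host.ip` in the `@@ -51,7 +51,9 @@` hunk is now an array, which is the correct ECS shape, but it still holds only the `externalIp` value `81.2.69.143`; the same payload in `event.original` reports `agentIpV4` `10.0.0.1`, an `agentIpV6` address and `networkInterfaces[].inet`/`inet6` addresses, and the adjacent `host.mac` (`X2-0X-0X-X6-00-XX`) shows the pipeline already reads `networkInterfaces` for `physical`. If those addresses are not appended to `host.ip` elsewhere in the pipeline (not visible in this diff), detections that correlate on the agent's internal address will miss this host; consider mapping `agentDetectionInfo.agentIpV4`, `agentIpV6` and the `inet`/`inet6` arrays into `host.ip` and regenerating the sample. The added `+ "id": "1234567890123456789"` in the `@@ -99,6 +99,7 @@` hunk is inserted into an object whose opening key lies outside the hunk, so its parent field cannot be checked from here.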
@@ -33,33 +33,33 @@ An example event for `activity` looks as following: { "@timestamp": "2022-04-05T16:01:56.995Z", "agent": { - "ephemeral_id": "d7cb61c6-f67e-41a2-ad96-fbcb9390b1ba", - "id": "0dc831b8-c128-48db-a3c7-379a3da30bb1", + "ephemeral_id": "630c4de2-59ec-4613-ab7d-261434a79313", + "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.7.1" + "version": "8.13.0" }, "data_stream": { "dataset": "sentinel_one.activity", - "namespace": "ep", + "namespace": "83396", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "0dc831b8-c128-48db-a3c7-379a3da30bb1", + "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7", "snapshot": false, - "version": "8.7.1" + "version": "8.13.0" }, "event": { "agent_id_status": "verified", "category": [ "configuration" ], - "created": "2023-10-19T11:39:59.555Z", + "created": "2024-06-12T03:21:55.005Z", "dataset": "sentinel_one.activity", - "ingested": "2023-10-19T11:40:00Z", + "ingested": "2024-06-12T03:22:05Z", "kind": "event", "original": "{\"accountId\":\"1234567890123456789\",\"accountName\":\"Default\",\"activityType\":1234,\"agentId\":null,\"agentUpdatedVersion\":null,\"comments\":null,\"createdAt\":\"2022-04-05T16:01:56.995120Z\",\"data\":{\"accountId\":1234567890123456800,\"accountName\":\"Default\",\"fullScopeDetails\":\"Account Default\",\"fullScopeDetailsPath\":\"test/path\",\"groupName\":null,\"scopeLevel\":\"Account\",\"scopeName\":\"Default\",\"siteName\":null,\"username\":\"test user\"},\"description\":null,\"groupId\":null,\"groupName\":null,\"hash\":null,\"id\":\"1234567890123456789\",\"osFamily\":null,\"primaryDescription\":\"created Default account.\",\"secondaryDescription\":null,\"siteId\":null,\"siteName\":null,\"threatId\":null,\"updatedAt\":\"2022-04-05T16:01:56.992136Z\",\"userId\":\"1234567890123456789\"}", "type": [ 
@@ -112,7 +112,6 @@ An example event for `activity` looks as following: "id": "1234567890123456789" } } - ``` **Exported fields** 
@@ -252,33 +251,33 @@ An example event for `agent` looks as following: { "@timestamp": "2022-04-07T08:31:47.481Z", "agent": { - "ephemeral_id": "b79cbfcd-f5db-4c13-949e-773ecdb03861", - "id": "0dc831b8-c128-48db-a3c7-379a3da30bb1", + "ephemeral_id": "bc127c14-939d-445f-ba71-65c2a9cd997e", + "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.7.1" + "version": "8.13.0" }, "data_stream": { "dataset": "sentinel_one.agent", - "namespace": "ep", + "namespace": "27680", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "0dc831b8-c128-48db-a3c7-379a3da30bb1", + "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7", "snapshot": false, - "version": "8.7.1" + "version": "8.13.0" }, "event": { "agent_id_status": "verified", "category": [ "host" ], - "created": "2023-10-19T11:40:47.027Z", + "created": "2024-06-12T03:22:47.058Z", "dataset": "sentinel_one.agent", - "ingested": "2023-10-19T11:40:50Z", + "ingested": "2024-06-12T03:22:59Z", "kind": "event", "original": "{\"accountId\":\"12345123451234512345\",\"accountName\":\"Account Name\",\"activeDirectory\":{\"computerDistinguishedName\":null,\"computerMemberOf\":[],\"lastUserDistinguishedName\":null,\"lastUserMemberOf\":[]},\"activeThreats\":7,\"agentVersion\":\"12.x.x.x\",\"allowRemoteShell\":true,\"appsVulnerabilityStatus\":\"not_applicable\",\"cloudProviders\":{},\"computerName\":\"user-test\",\"consoleMigrationStatus\":\"N/A\",\"coreCount\":2,\"cpuCount\":2,\"cpuId\":\"CPU Name\",\"createdAt\":\"2022-03-18T09:12:00.519500Z\",\"detectionState\":null,\"domain\":\"WORKGROUP\",\"encryptedApplications\":false,\"externalId\":\"\",\"externalIp\":\"81.2.69.143\",\"firewallEnabled\":true,\"firstFullModeTime\":null,\"groupId\":\"1234567890123456789\",\"groupIp\":\"81.2.69.144\",\"groupName\":\"Default 
Group\",\"id\":\"13491234512345\",\"inRemoteShellSession\":false,\"infected\":true,\"installerType\":\".msi\",\"isActive\":true,\"isDecommissioned\":false,\"isPendingUninstall\":false,\"isUninstalled\":false,\"isUpToDate\":true,\"lastActiveDate\":\"2022-03-17T09:51:28.506000Z\",\"lastIpToMgmt\":\"81.2.69.145\",\"lastLoggedInUserName\":\"\",\"licenseKey\":\"\",\"locationEnabled\":true,\"locationType\":\"not_applicable\",\"locations\":null,\"machineType\":\"server\",\"missingPermissions\":[\"user-action-needed-bluetooth-per\",\"user_action_needed_fda\"],\"mitigationMode\":\"detect\",\"mitigationModeSuspicious\":\"detect\",\"modelName\":\"Compute Engine\",\"networkInterfaces\":[{\"gatewayIp\":\"81.2.69.145\",\"gatewayMacAddress\":\"00-00-5E-00-53-00\",\"id\":\"1234567890123456789\",\"inet\":[\"81.2.69.144\"],\"inet6\":[\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\"],\"name\":\"Ethernet\",\"physical\":\"00-00-5E-00-53-00\"}],\"networkQuarantineEnabled\":false,\"networkStatus\":\"connected\",\"operationalState\":\"na\",\"operationalStateExpiration\":null,\"osArch\":\"64 bit\",\"osName\":\"Linux Server\",\"osRevision\":\"1234\",\"osStartTime\":\"2022-04-06T08:27:14Z\",\"osType\":\"linux\",\"osUsername\":null,\"rangerStatus\":\"Enabled\",\"rangerVersion\":\"21.x.x.x\",\"registeredAt\":\"2022-04-06T08:26:45.515278Z\",\"remoteProfilingState\":\"disabled\",\"remoteProfilingStateExpiration\":null,\"scanAbortedAt\":null,\"scanFinishedAt\":\"2022-04-06T09:18:21.090855Z\",\"scanStartedAt\":\"2022-04-06T08:26:52.838047Z\",\"scanStatus\":\"finished\",\"siteId\":\"1234567890123456789\",\"siteName\":\"Default 
site\",\"storageName\":null,\"storageType\":null,\"tags\":{\"sentinelone\":[{\"assignedAt\":\"2018-02-27T04:49:26.257525Z\",\"assignedBy\":\"test-user\",\"assignedById\":\"123456789012345678\",\"id\":\"123456789012345678\",\"key\":\"key123\",\"value\":\"value123\"}]},\"threatRebootRequired\":false,\"totalMemory\":1234,\"updatedAt\":\"2022-04-07T08:31:47.481227Z\",\"userActionsNeeded\":[\"reboot_needed\"],\"uuid\":\"XXX35XXX8Xfb4aX0X1X8X12X343X8X30\"}", "type": [ @@ -304,7 +303,9 @@ An example event for `agent` looks as following: "region_name": "England" }, "id": "13491234512345", - "ip": "81.2.69.143", + "ip": [ + "81.2.69.143" + ], "mac": [ "00-00-5E-00-53-00" ], @@ -340,6 +341,9 @@ An example event for `agent` looks as following: "name": "Account Name" }, "active_threats_count": 7, + "agent": { + "id": "13491234512345" + }, "allow_remote_shell": true, "apps_vulnerability_status": "not_applicable", "console_migration_status": "N/A", @@ -442,7 +446,6 @@ An example event for `agent` looks as following: "sentinel_one-agent" ] } - ``` **Exported fields** @@ -605,11 +608,11 @@ An example event for `alert` looks as following: { "@timestamp": "2018-02-27T04:49:26.257Z", "agent": { - "ephemeral_id": "c0eb8175-0afb-4233-970c-cf3233254110", - "id": "0dc831b8-c128-48db-a3c7-379a3da30bb1", + "ephemeral_id": "5076489f-5b52-4bc8-a887-13206a7b5ebd", + "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.7.1" + "version": "8.13.0" }, "container": { "id": "string", @@ -620,7 +623,7 @@ An example event for `alert` looks as following: }, "data_stream": { "dataset": "sentinel_one.alert", - "namespace": "ep", + "namespace": "68976", "type": "logs" }, "destination": { 
@@ -642,19 +645,19 @@ An example event for `alert` looks as following: "version": "8.11.0" }, "elastic_agent": { - "id": "0dc831b8-c128-48db-a3c7-379a3da30bb1", + "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7", "snapshot": false, - "version": "8.7.1" + "version": "8.13.0" }, "event": { "agent_id_status": "verified", "category": [ "malware" ], - "created": "2023-10-19T11:41:38.188Z", + "created": "2024-06-12T03:23:40.343Z", "dataset": "sentinel_one.alert", "id": "123456789123456789", - "ingested": "2023-10-19T11:41:42Z", + "ingested": "2024-06-12T03:23:52Z", "kind": "event", "original": "{\"agentDetectionInfo\":{\"machineType\":\"string\",\"name\":\"string\",\"osFamily\":\"string\",\"osName\":\"string\",\"osRevision\":\"string\",\"siteId\":\"123456789123456789\",\"uuid\":\"string\",\"version\":\"3.x.x.x\"},\"alertInfo\":{\"alertId\":\"123456789123456789\",\"analystVerdict\":\"string\",\"createdAt\":\"2018-02-27T04:49:26.257525Z\",\"dnsRequest\":\"string\",\"dnsResponse\":\"string\",\"dstIp\":\"81.2.69.144\",\"dstPort\":\"1234\",\"dvEventId\":\"string\",\"eventType\":\"info\",\"hitType\":\"Events\",\"incidentStatus\":\"string\",\"indicatorCategory\":\"string\",\"indicatorDescription\":\"string\",\"indicatorName\":\"string\",\"loginAccountDomain\":\"string\",\"loginAccountSid\":\"string\",\"loginIsAdministratorEquivalent\":\"string\",\"loginIsSuccessful\":\"string\",\"loginType\":\"string\",\"loginsUserName\":\"string\",\"modulePath\":\"string\",\"moduleSha1\":\"aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d\",\"netEventDirection\":\"string\",\"registryKeyPath\":\"string\",\"registryOldValue\":\"string\",\"registryOldValueType\":\"string\",\"registryPath\":\"string\",\"registryValue\":\"string\",\"reportedAt\":\"2018-02-27T04:49:26.257525Z\",\"source\":\"string\",\"srcIp\":\"81.2.69.142\",\"srcMachineIp\":\"81.2.69.142\",\"srcPort\":\"1234\",\"tiIndicatorComparisonMethod\":\"string\",\"tiIndicatorSource\":\"string\",\"tiIndicatorType\":\"string\",\"tiIndicatorValue\":\"string\
",\"updatedAt\":\"2018-02-27T04:49:26.257525Z\"},\"containerInfo\":{\"id\":\"string\",\"image\":\"string\",\"labels\":\"string\",\"name\":\"string\"},\"kubernetesInfo\":{\"cluster\":\"string\",\"controllerKind\":\"string\",\"controllerLabels\":\"string\",\"controllerName\":\"string\",\"namespace\":\"string\",\"namespaceLabels\":\"string\",\"node\":\"string\",\"pod\":\"string\",\"podLabels\":\"string\"},\"ruleInfo\":{\"description\":\"string\",\"id\":\"string\",\"name\":\"string\",\"scopeLevel\":\"string\",\"severity\":\"Low\",\"treatAsThreat\":\"UNDEFINED\"},\"sourceParentProcessInfo\":{\"commandline\":\"string\",\"fileHashMd5\":\"5d41402abc4b2a76b9719d911017c592\",\"fileHashSha1\":\"aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d\",\"fileHashSha256\":\"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824\",\"filePath\":\"string\",\"fileSignerIdentity\":\"string\",\"integrityLevel\":\"unknown\",\"name\":\"string\",\"pid\":\"12345\",\"pidStarttime\":\"2018-02-27T04:49:26.257525Z\",\"storyline\":\"string\",\"subsystem\":\"unknown\",\"uniqueId\":\"string\",\"user\":\"string\"},\"sourceProcessInfo\":{\"commandline\":\"string\",\"fileHashMd5\":\"5d41402abc4b2a76b9719d911017c592\",\"fileHashSha1\":\"aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d\",\"fileHashSha256\":\"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824\",\"filePath\":\"string\",\"fileSignerIdentity\":\"string\",\"integrityLevel\":\"unknown\",\"name\":\"string\",\"pid\":\"12345\",\"pidStarttime\":\"2018-02-27T04:49:26.257525Z\",\"storyline\":\"string\",\"subsystem\":\"unknown\",\"uniqueId\":\"string\",\"user\":\"string\"},\"targetProcessInfo\":{\"tgtFileCreatedAt\":\"2018-02-27T04:49:26.257525Z\",\"tgtFileHashSha1\":\"aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d\",\"tgtFileHashSha256\":\"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824\",\"tgtFileId\":\"string\",\"tgtFileIsSigned\":\"string\",\"tgtFileModifiedAt\":\"2018-02-27T04:49:26.257525Z\",\"tgtFileOldPath\":\"string\",\"tgtFi
lePath\":\"string\",\"tgtProcCmdLine\":\"string\",\"tgtProcImagePath\":\"string\",\"tgtProcIntegrityLevel\":\"unknown\",\"tgtProcName\":\"string\",\"tgtProcPid\":\"12345\",\"tgtProcSignedStatus\":\"string\",\"tgtProcStorylineId\":\"string\",\"tgtProcUid\":\"string\",\"tgtProcessStartTime\":\"2018-02-27T04:49:26.257525Z\"}}", "type": [ @@ -666,7 +669,9 @@ An example event for `alert` looks as following: "mtime": "2018-02-27T04:49:26.257Z" }, "host": { - "ip": "81.2.69.142", + "ip": [ + "81.2.69.142" + ], "name": "string", "os": { "family": "string", @@ -874,7 +879,6 @@ An example event for `alert` looks as following: "name": "string" } } - ``` **Exported fields** 
@@ -1055,33 +1059,33 @@ An example event for `group` looks as following: { "@timestamp": "2022-04-05T16:01:57.564Z", "agent": { - "ephemeral_id": "83bb6b62-84e1-449b-a652-b206238f20f8", - "id": "0dc831b8-c128-48db-a3c7-379a3da30bb1", + "ephemeral_id": "99777f03-5c73-4831-b833-2489562ef8fb", + "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.7.1" + "version": "8.13.0" }, "data_stream": { "dataset": "sentinel_one.group", - "namespace": "ep", + "namespace": "81222", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "0dc831b8-c128-48db-a3c7-379a3da30bb1", + "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7", "snapshot": false, - "version": "8.7.1" + "version": "8.13.0" }, "event": { "agent_id_status": "verified", "category": [ "iam" ], - "created": "2023-10-19T11:42:26.967Z", + "created": "2024-06-12T03:24:33.387Z", "dataset": "sentinel_one.group", - "ingested": "2023-10-19T11:42:30Z", + "ingested": "2024-06-12T03:24:45Z", "kind": "event", "original": "{\"createdAt\":\"2022-04-05T16:01:56.928383Z\",\"creator\":\"Test User\",\"creatorId\":\"1234567890123456789\",\"filterId\":null,\"filterName\":null,\"id\":\"1234567890123456789\",\"inherits\":true,\"isDefault\":true,\"name\":\"Default Group\",\"rank\":null,\"registrationToken\":\"eyxxxxxxxxxxxxxxxxxxxxkixZxx1xxxxx8xxx2xODA0ZxxxxTIwNjhxxxxxxxxxxxxxxiMWYxx1Ixxnxxxx0=\",\"siteId\":\"1234567890123456789\",\"totalAgents\":1,\"type\":\"static\",\"updatedAt\":\"2022-04-05T16:01:57.564266Z\"}", "type": [ @@ -1127,7 +1131,6 @@ An example event for `group` looks as following: "full_name": "Test User" } } - ``` **Exported fields** 
@@ -1209,24 +1212,24 @@ An example event for `threat` looks as following: { "@timestamp": "2022-04-06T08:54:17.194Z", "agent": { - "ephemeral_id": "8e74b49b-8a2e-4955-9a51-41e94056e2fa", - "id": "0dc831b8-c128-48db-a3c7-379a3da30bb1", + "ephemeral_id": "3ea8603b-159f-441f-ae62-7fce6805bf8c", + "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.7.1" + "version": "8.13.0" }, "data_stream": { "dataset": "sentinel_one.threat", - "namespace": "ep", + "namespace": "37791", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "0dc831b8-c128-48db-a3c7-379a3da30bb1", + "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7", "snapshot": false, - "version": "8.7.1" + "version": "8.13.0" }, "event": { "action": "SentinelOne Cloud", 
@@ -1234,10 +1237,10 @@ An example event for `threat` looks as following: "category": [ "malware" ], - "created": "2023-10-19T11:43:14.860Z", + "created": "2024-06-12T03:25:25.764Z", "dataset": "sentinel_one.threat", "id": "1234567890123456789", - "ingested": "2023-10-19T11:43:18Z", + "ingested": "2024-06-12T03:25:37Z", "kind": "alert", "original": "{\"agentDetectionInfo\":{\"accountId\":\"1234567890123456789\",\"accountName\":\"Default\",\"agentDetectionState\":null,\"agentDomain\":\"WORKGROUP\",\"agentIpV4\":\"10.0.0.1\",\"agentIpV6\":\"2a02:cf40::\",\"agentLastLoggedInUpn\":null,\"agentLastLoggedInUserMail\":null,\"agentLastLoggedInUserName\":\"\",\"agentMitigationMode\":\"protect\",\"agentOsName\":\"linux\",\"agentOsRevision\":\"1234\",\"agentRegisteredAt\":\"2022-04-06T08:26:45.515278Z\",\"agentUuid\":\"fwfbxxxxxxxxxxqcfjfnxxxxxxxxx\",\"agentVersion\":\"21.x.x\",\"cloudProviders\":{},\"externalIp\":\"81.2.69.143\",\"groupId\":\"1234567890123456789\",\"groupName\":\"Default Group\",\"siteId\":\"1234567890123456789\",\"siteName\":\"Default site\"},\"agentRealtimeInfo\":{\"accountId\":\"1234567890123456789\",\"accountName\":\"Default\",\"activeThreats\":7,\"agentComputerName\":\"test-LINUX\",\"agentDecommissionedAt\":null,\"agentDomain\":\"WORKGROUP\",\"agentId\":\"1234567890123456789\",\"agentInfected\":true,\"agentIsActive\":true,\"agentIsDecommissioned\":false,\"agentMachineType\":\"server\",\"agentMitigationMode\":\"detect\",\"agentNetworkStatus\":\"connected\",\"agentOsName\":\"linux\",\"agentOsRevision\":\"1234\",\"agentOsType\":\"linux\",\"agentUuid\":\"fwfbxxxxxxxxxxqcfjfnxxxxxxxxx\",\"agentVersion\":\"21.x.x.1234\",\"groupId\":\"1234567890123456789\",\"groupName\":\"Default 
Group\",\"networkInterfaces\":[{\"id\":\"1234567890123456789\",\"inet\":[\"10.0.0.1\"],\"inet6\":[\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\"],\"name\":\"Ethernet\",\"physical\":\"X2:0X:0X:X6:00:XX\"}],\"operationalState\":\"na\",\"rebootRequired\":false,\"scanAbortedAt\":null,\"scanFinishedAt\":\"2022-04-06T09:18:21.090855Z\",\"scanStartedAt\":\"2022-04-06T08:26:52.838047Z\",\"scanStatus\":\"finished\",\"siteId\":\"1234567890123456789\",\"siteName\":\"Default site\",\"storageName\":null,\"storageType\":null,\"userActionsNeeded\":[]},\"containerInfo\":{\"id\":null,\"image\":null,\"labels\":null,\"name\":null},\"id\":\"1234567890123456789\",\"indicators\":[],\"kubernetesInfo\":{\"cluster\":null,\"controllerKind\":null,\"controllerLabels\":null,\"controllerName\":null,\"namespace\":null,\"namespaceLabels\":null,\"node\":null,\"pod\":null,\"podLabels\":null},\"mitigationStatus\":[{\"action\":\"unquarantine\",\"actionsCounters\":{\"failed\":0,\"notFound\":0,\"pendingReboot\":0,\"success\":1,\"total\":1},\"agentSupportsReport\":true,\"groupNotFound\":false,\"lastUpdate\":\"2022-04-06T08:54:17.198002Z\",\"latestReport\":\"/threats/mitigation-report\",\"mitigationEndedAt\":\"2022-04-06T08:54:17.101000Z\",\"mitigationStartedAt\":\"2022-04-06T08:54:17.101000Z\",\"status\":\"success\"},{\"action\":\"kill\",\"actionsCounters\":null,\"agentSupportsReport\":true,\"groupNotFound\":false,\"lastUpdate\":\"2022-04-06T08:45:55.303355Z\",\"latestReport\":null,\"mitigationEndedAt\":\"2022-04-06T08:45:55.297364Z\",\"mitigationStartedAt\":\"2022-04-06T08:45:55.297363Z\",\"status\":\"success\"}],\"threatInfo\":{\"analystVerdict\":\"undefined\",\"analystVerdictDescription\":\"Undefined\",\"automaticallyResolved\":false,\"browserType\":null,\"certificateId\":\"\",\"classification\":\"Trojan\",\"classificationSource\":\"Cloud\",\"cloudFilesHashVerdict\":\"black\",\"collectionId\":\"1234567890123456789\",\"confidenceLevel\":\"malicious\",\"createdAt\":\"2022-04-06T08:45:54.519988Z\",\"detectio
nEngines\":[{\"key\":\"sentinelone_cloud\",\"title\":\"SentinelOne Cloud\"}],\"detectionType\":\"static\",\"engines\":[\"SentinelOne Cloud\"],\"externalTicketExists\":false,\"externalTicketId\":null,\"failedActions\":false,\"fileExtension\":\"EXE\",\"fileExtensionType\":\"Executable\",\"filePath\":\"default.exe\",\"fileSize\":1234,\"fileVerificationType\":\"NotSigned\",\"identifiedAt\":\"2022-04-06T08:45:53.968000Z\",\"incidentStatus\":\"unresolved\",\"incidentStatusDescription\":\"Unresolved\",\"initiatedBy\":\"agent_policy\",\"initiatedByDescription\":\"Agent Policy\",\"initiatingUserId\":null,\"initiatingUsername\":null,\"isFileless\":false,\"isValidCertificate\":false,\"maliciousProcessArguments\":null,\"md5\":null,\"mitigatedPreemptively\":false,\"mitigationStatus\":\"not_mitigated\",\"mitigationStatusDescription\":\"Not mitigated\",\"originatorProcess\":\"default.exe\",\"pendingActions\":false,\"processUser\":\"test user\",\"publisherName\":\"\",\"reachedEventsLimit\":false,\"rebootRequired\":false,\"sha1\":\"aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d\",\"sha256\":null,\"storyline\":\"D0XXXXXXXXXXAF4D\",\"threatId\":\"1234567890123456789\",\"threatName\":\"default.exe\",\"updatedAt\":\"2022-04-06T08:54:17.194122Z\"},\"whiteningOptions\":[\"hash\"]}", "type": [ @@ -1259,7 +1262,9 @@ An example event for `threat` looks as following: "region_name": "England" }, "id": "1234567890123456789", - "ip": "81.2.69.143", + "ip": [ + "81.2.69.143" + ], "mac": [ "X2-0X-0X-X6-00-XX" ], @@ -1307,6 +1312,7 @@ An example event for `threat` looks as following: "id": "1234567890123456789", "name": "Default Group" }, + "id": "1234567890123456789", "infected": true, "is_active": true, "is_decommissioned": false, @@ -1477,7 +1483,6 @@ An example event for `threat` looks as following: } } } - ``` **Exported fields** diff --git a/packages/sentinel_one/manifest.yml b/packages/sentinel_one/manifest.yml index d3badc4457f..a0b92308d98 100644 --- a/packages/sentinel_one/manifest.yml 
+++ b/packages/sentinel_one/manifest.yml
@@ -1,7 +1,7 @@
 format_version: "3.0.2"
 name: sentinel_one
 title: SentinelOne
-version: "1.23.0"
+version: "1.23.1"
 description: Collect logs from SentinelOne with Elastic Agent.
 type: integration
 categories:
diff --git a/packages/ti_cybersixgill/changelog.yml b/packages/ti_cybersixgill/changelog.yml
index e04ab070b79..5ed502d8ca7 100644
--- a/packages/ti_cybersixgill/changelog.yml
+++ b/packages/ti_cybersixgill/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.29.1"
+ changes:
+ - description: Fix sample event.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/10136
 - version: "1.29.0"
 changes:
 - description: Make `event.type` field conform to ECS field definition.
diff --git a/packages/ti_cybersixgill/data_stream/threat/sample_event.json b/packages/ti_cybersixgill/data_stream/threat/sample_event.json
index 22ee5bf764f..5bff494972c 100644
--- a/packages/ti_cybersixgill/data_stream/threat/sample_event.json
+++ b/packages/ti_cybersixgill/data_stream/threat/sample_event.json
@@ -1,11 +1,11 @@
 {
 "@timestamp": "2021-12-07T13:58:01.596Z",
 "agent": {
- "ephemeral_id": "5b99e697-c059-40e4-9097-eb5a21a371c6",
- "id": "49b0da18-7d53-4b44-9bda-940341f4fb0f",
+ "ephemeral_id": "70f5e8ea-8e32-4560-8e0f-3f3438fe9958",
+ "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7",
 "name": "docker-fleet-agent",
 "type": "filebeat",
- "version": "8.12.1"
+ "version": "8.13.0"
 },
 "cybersixgill": {
 "actor": "vaedzy",
@@ -23,29 +23,31 @@ }, "data_stream": { "dataset": "ti_cybersixgill.threat", - "namespace": "ep", + "namespace": "39285", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "49b0da18-7d53-4b44-9bda-940341f4fb0f", + "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7", "snapshot": false, - "version": "8.12.1" + "version": "8.13.0" }, "event": { "agent_id_status": "verified", "category": [ "threat" ], - "created": "2024-03-15T19:20:27.045Z", + "created": "2024-06-12T03:26:26.797Z", "dataset": "ti_cybersixgill.threat", - "ingested": "2024-03-15T19:20:27Z", + "ingested": "2024-06-12T03:26:27Z", "kind": "enrichment", "original": "{\"confidence\":70,\"created\":\"2021-12-07T13:58:01.596Z\",\"description\":\"Hash attributed to malware that was discovered in the dark and deep web\",\"extensions\":{\"extension-definition--3de9ff00-174d-4d41-87c9-05a27a7e117c\":{\"extension_type\":\"toplevel-property-extension\"}},\"external_references\":[{\"positive_rate\":\"medium\",\"source_name\":\"VirusTotal\",\"url\":\"https://virustotal.com/#/file/7bdf8b8594ec269da864ee662334f4da53d4820a3f0f8aa665a0fa096ca8f22d\"},{\"description\":\"Mitre attack tactics and technique reference\",\"mitre_attack_tactic\":\"Build Capabilities\",\"mitre_attack_tactic_id\":\"TA0024\",\"mitre_attack_tactic_url\":\"https://attack.mitre.org/tactics/TA0024/\",\"source_name\":\"mitre-attack\"}],\"id\":\"indicator--302dab0f-64dc-42f5-b99e-702b28c1aaa9\",\"indicator_types\":[\"malicious-activity\"],\"lang\":\"en\",\"modified\":\"2021-12-07T13:58:01.596Z\",\"name\":\"4d0f21919d623bd1631ee15ca7429f28;5ce39ef0700b64bd0c71b55caf64ae45d8400965;7bdf8b8594ec269da864ee662334f4da53d4820a3f0f8aa665a0fa096ca8f22d\",\"pattern\":\"[file:hashes.MD5 = '4d0f21919d623bd1631ee15ca7429f28' OR file:hashes.'SHA-1' = '5ce39ef0700b64bd0c71b55caf64ae45d8400965' OR file:hashes.'SHA-256' = 
'7bdf8b8594ec269da864ee662334f4da53d4820a3f0f8aa665a0fa096ca8f22d']\",\"pattern_type\":\"stix\",\"sixgill_actor\":\"vaedzy\",\"sixgill_confidence\":70,\"sixgill_feedid\":\"darkfeed_012\",\"sixgill_feedname\":\"dark_web_hashes\",\"sixgill_post_virustotallink\":\"https://virustotal.com/#/file/7bdf8b8594ec269da864ee662334f4da53d4820a3f0f8aa665a0fa096ca8f22d\",\"sixgill_postid\":\"c0c9a0085fb5281cfb40a0ddb62e1d2c6a53eb7a\",\"sixgill_posttitle\":\"[病毒样本] #Trickbot (2021-12-07)\",\"sixgill_severity\":70,\"sixgill_source\":\"forum_kafan\",\"spec_version\":\"2.1\",\"type\":\"indicator\",\"valid_from\":\"2021-12-07T02:55:17Z\"}", "severity": 70, - "type": "indicator" + "type": [ + "indicator" + ] }, "input": { "type": "httpjson" diff --git a/packages/ti_cybersixgill/docs/README.md b/packages/ti_cybersixgill/docs/README.md index 277b8e8e17b..726fbde7b26 100644 --- a/packages/ti_cybersixgill/docs/README.md +++ b/packages/ti_cybersixgill/docs/README.md @@ -113,11 +113,11 @@ An example event for `threat` looks as following: { "@timestamp": "2021-12-07T13:58:01.596Z", "agent": { - "ephemeral_id": "5b99e697-c059-40e4-9097-eb5a21a371c6", - "id": "49b0da18-7d53-4b44-9bda-940341f4fb0f", + "ephemeral_id": "70f5e8ea-8e32-4560-8e0f-3f3438fe9958", + "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.12.1" + "version": "8.13.0" }, "cybersixgill": { "actor": "vaedzy", 
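Review bot: `data_stream.namespace` in the `@@ -23,29 +23,31 @@` hunk changes from the conventional `ep` to `39285`, a random namespace left over from the system-test run that regenerated the event; the sentinel_one sample events earlier in this same patch pick up `81222`, `37791` and similar values the same way. That value is noise in a documentation artifact and guarantees a churned diff on every regeneration; set it back to `"namespace": "ep"` after generating, or have the generation step pin the namespace. The actual fix, `"type": ["indicator"]` replacing the scalar string, is the right ECS shape for `event.type` and matches the array form that `event.category` already uses a few lines above.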
@@ -135,29 +135,31 @@ An example event for `threat` looks as following: }, "data_stream": { "dataset": "ti_cybersixgill.threat", - "namespace": "ep", + "namespace": "39285", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "49b0da18-7d53-4b44-9bda-940341f4fb0f", + "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7", "snapshot": false, - "version": "8.12.1" + "version": "8.13.0" }, "event": { "agent_id_status": "verified", "category": [ "threat" ], - "created": "2024-03-15T19:20:27.045Z", + "created": "2024-06-12T03:26:26.797Z", "dataset": "ti_cybersixgill.threat", - "ingested": "2024-03-15T19:20:27Z", + "ingested": "2024-06-12T03:26:27Z", "kind": "enrichment", "original": "{\"confidence\":70,\"created\":\"2021-12-07T13:58:01.596Z\",\"description\":\"Hash attributed to malware that was discovered in the dark and deep web\",\"extensions\":{\"extension-definition--3de9ff00-174d-4d41-87c9-05a27a7e117c\":{\"extension_type\":\"toplevel-property-extension\"}},\"external_references\":[{\"positive_rate\":\"medium\",\"source_name\":\"VirusTotal\",\"url\":\"https://virustotal.com/#/file/7bdf8b8594ec269da864ee662334f4da53d4820a3f0f8aa665a0fa096ca8f22d\"},{\"description\":\"Mitre attack tactics and technique reference\",\"mitre_attack_tactic\":\"Build Capabilities\",\"mitre_attack_tactic_id\":\"TA0024\",\"mitre_attack_tactic_url\":\"https://attack.mitre.org/tactics/TA0024/\",\"source_name\":\"mitre-attack\"}],\"id\":\"indicator--302dab0f-64dc-42f5-b99e-702b28c1aaa9\",\"indicator_types\":[\"malicious-activity\"],\"lang\":\"en\",\"modified\":\"2021-12-07T13:58:01.596Z\",\"name\":\"4d0f21919d623bd1631ee15ca7429f28;5ce39ef0700b64bd0c71b55caf64ae45d8400965;7bdf8b8594ec269da864ee662334f4da53d4820a3f0f8aa665a0fa096ca8f22d\",\"pattern\":\"[file:hashes.MD5 = '4d0f21919d623bd1631ee15ca7429f28' OR file:hashes.'SHA-1' = '5ce39ef0700b64bd0c71b55caf64ae45d8400965' OR file:hashes.'SHA-256' = 
'7bdf8b8594ec269da864ee662334f4da53d4820a3f0f8aa665a0fa096ca8f22d']\",\"pattern_type\":\"stix\",\"sixgill_actor\":\"vaedzy\",\"sixgill_confidence\":70,\"sixgill_feedid\":\"darkfeed_012\",\"sixgill_feedname\":\"dark_web_hashes\",\"sixgill_post_virustotallink\":\"https://virustotal.com/#/file/7bdf8b8594ec269da864ee662334f4da53d4820a3f0f8aa665a0fa096ca8f22d\",\"sixgill_postid\":\"c0c9a0085fb5281cfb40a0ddb62e1d2c6a53eb7a\",\"sixgill_posttitle\":\"[病毒样本] #Trickbot (2021-12-07)\",\"sixgill_severity\":70,\"sixgill_source\":\"forum_kafan\",\"spec_version\":\"2.1\",\"type\":\"indicator\",\"valid_from\":\"2021-12-07T02:55:17Z\"}", "severity": 70, - "type": "indicator" + "type": [ + "indicator" + ] }, "input": { "type": "httpjson" diff --git a/packages/ti_cybersixgill/manifest.yml b/packages/ti_cybersixgill/manifest.yml index e592cbe6a3d..d22b1497ace 100644 --- a/packages/ti_cybersixgill/manifest.yml +++ b/packages/ti_cybersixgill/manifest.yml @@ -1,6 +1,6 @@ name: ti_cybersixgill title: Cybersixgill -version: "1.29.0" +version: "1.29.1" description: Ingest threat intelligence indicators from Cybersixgill with Elastic Agent. type: integration format_version: "3.0.2" diff --git a/packages/trend_micro_vision_one/changelog.yml b/packages/trend_micro_vision_one/changelog.yml index fcbbd6436bf..4e9c309252f 100644 --- a/packages/trend_micro_vision_one/changelog.yml +++ b/packages/trend_micro_vision_one/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.19.1" + changes: + - description: Fix sample event. + type: bugfix + link: https://github.com/elastic/integrations/pull/10136 - version: "1.19.0" changes: - description: Make `host.mac` field conform to ECS field definition. diff --git a/packages/trend_micro_vision_one/data_stream/alert/sample_event.json b/packages/trend_micro_vision_one/data_stream/alert/sample_event.json index 73a073b39e5..3c18fdc1848 100644 --- a/packages/trend_micro_vision_one/data_stream/alert/sample_event.json 
+++ b/packages/trend_micro_vision_one/data_stream/alert/sample_event.json @@ -1,22 +1,22 @@ { "@timestamp": "2023-04-30T00:01:16.000Z", "agent": { - "ephemeral_id": "0d7a0409-56a0-4b49-9a61-d020f4466176", - "id": "633dac72-aecd-41d9-88df-dd066a3b83ea", + "ephemeral_id": "332ba8f3-c3fa-4c28-a2db-d290177c13e5", + "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7", "name": "docker-fleet-agent", "type": "filebeat", "version": "8.13.0" }, "data_stream": { "dataset": "trend_micro_vision_one.alert", - "namespace": "ep", + "namespace": "19452", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "633dac72-aecd-41d9-88df-dd066a3b83ea", + "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7", "snapshot": false, "version": "8.13.0" }, 
@@ -25,10 +25,10 @@ "category": [ "email" ], - "created": "2024-04-03T23:51:51.124Z", + "created": "2024-06-12T03:27:26.911Z", "dataset": "trend_micro_vision_one.alert", "id": "WB-9002-20200427-0002", - "ingested": "2024-04-03T23:52:03Z", + "ingested": "2024-06-12T03:27:38Z", "kind": "alert", "original": "{\"alertProvider\":\"SAE\",\"createdDateTime\":\"2020-04-30T00:01:15Z\",\"description\":\"A backdoor was possibly implanted after a user received a possible spear phishing email message.\",\"id\":\"WB-9002-20200427-0002\",\"impactScope\":{\"accountCount\":0,\"desktopCount\":0,\"emailAddressCount\":0,\"entities\":[{\"entityId\":\"5257b401-2fd7-469c-94fa-39a4f11eb925\",\"entityType\":\"host\",\"entityValue\":\"user@email.com\",\"provenance\":[\"Alert\"],\"relatedEntities\":[\"CODERED\\\\\\\\user\"],\"relatedIndicatorIds\":[1]}],\"serverCount\":0},\"indicators\":[{\"field\":\"request url\",\"filterIds\":[\"f862df72-7f5e-4b2b-9f7f-9148e875f908\"],\"id\":1,\"provenance\":[\"Alert\"],\"relatedEntities\":[\"user@example.com\"],\"type\":\"url\",\"value\":\"http://www.example.com/ab001.zip\"}],\"investigationStatus\":\"New\",\"matchedRules\":[{\"id\":\"5f52d1f1-53e7-411a-b74f-745ee81fa30b\",\"matchedFilters\":[{\"id\":\"ccf86fc1-688f-4131-a46f-1d7a6ee2f88e\",\"matchedDateTime\":\"2019-08-02T04:00:01Z\",\"matchedEvents\":[{\"matchedDateTime\":\"2019-08-02T04:00:01Z\",\"type\":\"TELEMETRY_REGISTRY\",\"uuid\":\"fa9ff47c-e1b8-459e-a3d0-a5b104b854a5\"}],\"mitreTechniqueIds\":[\"T1192\"],\"name\":\"(T1192) Spearphishing Link\"}],\"name\":\"Possible SpearPhishing Email\"}],\"model\":\"Possible APT Attack\",\"schemaVersion\":\"1.0\",\"score\":63,\"severity\":\"critical\",\"updatedDateTime\":\"2023-04-30T00:01:16Z\",\"workbenchLink\":\"https://THE_WORKBENCH_URL\"}", "severity": 63, diff --git a/packages/trend_micro_vision_one/data_stream/audit/sample_event.json b/packages/trend_micro_vision_one/data_stream/audit/sample_event.json index e58d7d1ad3f..87112a7761c 100644 
--- a/packages/trend_micro_vision_one/data_stream/audit/sample_event.json +++ b/packages/trend_micro_vision_one/data_stream/audit/sample_event.json @@ -1,33 +1,33 @@ { "@timestamp": "2022-02-24T07:29:48.000Z", "agent": { - "ephemeral_id": "d3c3e470-8bcc-4e5a-b8b6-e1b25f54c763", - "id": "f86f831a-cae2-454f-a985-4f579b0ee515", + "ephemeral_id": "652abe8f-556a-4a24-9e9d-dc2990f84a38", + "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.7.1" + "version": "8.13.0" }, "data_stream": { "dataset": "trend_micro_vision_one.audit", - "namespace": "ep", + "namespace": "46929", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "f86f831a-cae2-454f-a985-4f579b0ee515", + "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7", "snapshot": false, - "version": "8.7.1" + "version": "8.13.0" }, "event": { "agent_id_status": "verified", "category": [ "authentication" ], - "created": "2023-09-27T08:39:38.449Z", + "created": "2024-06-12T03:28:27.263Z", "dataset": "trend_micro_vision_one.audit", - "ingested": "2023-09-27T08:39:39Z", + "ingested": "2024-06-12T03:28:39Z", "kind": "event", "original": "{\"accessType\":\"Console\",\"activity\":\"string\",\"category\":\"Logon and Logoff\",\"details\":{\"property1\":\"string\",\"property2\":\"string\"},\"loggedDateTime\":\"2022-02-24T07:29:48Z\",\"loggedRole\":\"Master Administrator\",\"loggedUser\":\"Root Account\",\"result\":\"Unsuccessful\"}", "outcome": "failure", @@ -71,4 +71,4 @@ "result": "Unsuccessful" } } -} +} \ No newline at end of file diff --git a/packages/trend_micro_vision_one/data_stream/detection/sample_event.json b/packages/trend_micro_vision_one/data_stream/detection/sample_event.json index de1df0d017b..13fca374eb0 100644 --- a/packages/trend_micro_vision_one/data_stream/detection/sample_event.json +++ b/packages/trend_micro_vision_one/data_stream/detection/sample_event.json 
@@ -1,15 +1,15 @@ { "@timestamp": "2020-10-15T01:16:32.000Z", "agent": { - "ephemeral_id": "041ba589-51ca-4422-a895-36a10f4568a8", - "id": "94a80c96-489d-4fc8-aeab-bdef580d21f8", + "ephemeral_id": "b136ddab-1cc6-49c5-b9c2-4a4fcf650fe2", + "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.11.0" + "version": "8.13.0" }, "data_stream": { "dataset": "trend_micro_vision_one.detection", - "namespace": "ep", + "namespace": "99796", "type": "logs" }, "destination": { @@ -23,9 +23,9 @@ "version": "8.11.0" }, "elastic_agent": { - "id": "94a80c96-489d-4fc8-aeab-bdef580d21f8", - "snapshot": true, - "version": "8.11.0" + "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7", + "snapshot": false, + "version": "8.13.0" }, "event": { "action": "clean", 
@@ -33,10 +33,10 @@ "category": [ "intrusion_detection" ], - "created": "2023-10-06T09:10:41.685Z", + "created": "2024-06-12T03:29:29.064Z", "dataset": "trend_micro_vision_one.detection", "id": "100117", - "ingested": "2023-10-06T09:10:44Z", + "ingested": "2024-06-12T03:29:41Z", "kind": "event", "original": "{\"act\":\"Clean\",\"actResult\":\"Quarantined successfully\",\"app\":\"HTTP\",\"appGroup\":\"HTTP\",\"aptRelated\":\"0\",\"behaviorCat\":\"Grey-Detection\",\"blocking\":\"Web reputation\",\"cat\":50,\"cccaDetection\":\"Yes\",\"cccaDetectionSource\":\"GLOBAL_INTELLIGENCE\",\"cccaRiskLevel\":3,\"clientFlag\":\"dst\",\"cnt\":\"1\",\"component\":[\"PATTERN_VSAPI 17.101.92 2021-09-30 04:23:27-07:00\"],\"compressedFileSize\":\"0\",\"detectionType\":\"File\",\"deviceDirection\":\"outbound\",\"deviceGUID\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"deviceMacAddress\":\"00-00-5E-00-53-23\",\"deviceProcessName\":\"/snap/core/10126/usr/lib/snapd/snapd\",\"dhost\":\"samplehost\",\"domainName\":\"Workgroup\",\"dpt\":53,\"dst\":[\"81.2.69.142\"],\"dstGroup\":\"Default\",\"end\":\"2021-09-30T09:40:04-08:00\",\"endpointGUID\":\"1234-1234-1234\",\"endpointHostName\":\"abc-docker\",\"endpointIp\":[\"81.2.69.142\"],\"endpointMacAddress\":\"00-00-5E-00-53-23\",\"engType\":\"Virus Scan Engine (OS 2003, x64)\",\"engVer\":\"12.500.1004\",\"eventId\":\"100117\",\"eventName\":\"INTEGRITY_MONITORING_EVENT\",\"eventSubName\":\"Attack Discovery\",\"eventTime\":1602724592000,\"eventTimeDT\":\"2021-06-10T01:38:38+00:00\",\"fileHash\":\"3395856ce81f2b7382dee72602f798b642f14140\",\"fileName\":[\"Unconfirmed 145081.crdownload\"],\"fileOperation\":\"Deleted\",\"filePath\":\"/etc/systemd/system\",\"filePathName\":\"/etc/systemd/system/snap-xxxx-1246.xxxx\",\"fileSize\":\"0\",\"firstAct\":\"Clean\",\"firstActResult\":\"Unable to clean file\",\"fullPath\":\"C:\\\\\\\\Users\\\\\\\\user1\\\\\\\\Downloads\\\\\\\\Unconfirmed 
145081.crdownload\",\"hostName\":\"samplehost\",\"httpReferer\":\"http://www.example.com/\",\"interestedHost\":\"abc-docker\",\"interestedIp\":[\"81.2.69.192\"],\"interestedMacAddress\":\"00-00-5E-00-53-23\",\"mDevice\":[\"81.2.69.192\"],\"mDeviceGUID\":\"C5B09EDD-C725-907F-29D9-B8C30D18C48F\",\"malName\":\"Eicar_test_1\",\"malType\":\"Virus/Malware\",\"mitreMapping\":[\"T1090 (TA0005)\"],\"mitreVersion\":\"v6\",\"mpname\":\"Cloud One - Workload Security\",\"mpver\":\"Deep Security/20.0.222\",\"objectCmd\":[\"C:\\\\\\\\Program Files (x86)\\\\\\\\Microsoft\\\\\\\\Edge\\\\\\\\Application\\\\\\\\msedge.exe --profile-directory=Default\"],\"objectFileHashMd5\":\"761AEFF7E6B110970285B9C20C9E1DCA\",\"objectFileHashSha1\":\"00496B4D53CEFE031B9702B3385C9F4430999932\",\"objectFileHashSha256\":\"7778ED68F4646BAA38C4F36B16A1AE393ACECD694948102B5CF0773AB08237D7\",\"objectFileName\":\"Unconfirmed 142899.crdownload:SmartScreen\",\"objectFilePath\":\"C:\\\\\\\\Users\\\\\\\\user1\\\\\\\\Downloads\\\\\\\\Unconfirmed 142899.crdownload:SmartScreen\",\"objectName\":\"CloudEndpointService.exe\",\"objectPid\":7660,\"objectSigner\":[\"OS\"],\"parentCmd\":\"C:\\\\\\\\os\\\\\\\\system32\\\\\\\\svchost.exe -k DcomLaunch -p\",\"parentFileHashSha1\":\"00496B4D53CEFE031B9702B3385C9F4430999932\",\"parentFileHashSha256\":\"7778ED68F4646BAA38C4F36B16A1AE393ACECD694948102B5CF0773AB08237D7\",\"parentFilePath\":\"C:\\\\\\\\os\\\\\\\\System32\\\\\\\\svchost.exe\",\"peerHost\":\"samplehost\",\"peerIp\":[\"81.2.69.192\"],\"pname\":\"Apex One\",\"processCmd\":\"-ServerName:App.AppX9yct9q388jvt4h7y0gn06smzkxcsnt8m.mca\",\"processFileHashMd5\":\"761AEFF7E6B110970285B9C20C9E1DCA\",\"processFileHashSha1\":\"00496B4D53CEFE031B9702B3385C9F4430999932\",\"processFileHashSha256\":\"7778ED68F4646BAA38C4F36B16A1AE393ACECD694948102B5CF0773AB08237D7\",\"processFilePath\":\"C:\\\\\\\\Program Files (x86)\\\\\\\\os\\\\\\\\Application\\\\\\\\msedge.exe\",\"processName\":\"string\",\"processPid\":0,\"processSigner\":\"OS 
Publisher\",\"productCode\":\"sao\",\"pver\":\"20.0.0.877\",\"request\":\"https://example.com\",\"requestClientApplication\":\"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1\",\"rt\":\"2020-10-15T01:16:32.000Z\",\"rt_utc\":\"2020-10-15T01:16:32.000Z\",\"searchDL\":\"DDL\",\"spt\":58871,\"src\":\"81.2.69.192\",\"srcGroup\":\"Default\",\"tacticId\":[\"TA0005\"],\"tags\":[\"XSAE.F2140\",\"XSAE.F3066\"],\"threatName\":\"Malicious_identified_CnC_querying_on_UDP_detected\",\"uuid\":\"1234-1234-1234\"}", "severity": 50, @@ -62,7 +62,9 @@ "ip": [ "81.2.69.142" ], - "mac": "00-00-5E-00-53-23", + "mac": [ + "00-00-5E-00-53-23" + ], "name": "abc-docker" }, "http": { @@ -304,4 +306,4 @@ }, "version": "12.0" } -} +} \ No newline at end of file diff --git a/packages/trend_micro_vision_one/docs/README.md b/packages/trend_micro_vision_one/docs/README.md index 151838b31d9..444208b8605 100644 --- a/packages/trend_micro_vision_one/docs/README.md +++ b/packages/trend_micro_vision_one/docs/README.md @@ -49,22 +49,22 @@ An example event for `alert` looks as following: { "@timestamp": "2023-04-30T00:01:16.000Z", "agent": { - "ephemeral_id": "0d7a0409-56a0-4b49-9a61-d020f4466176", - "id": "633dac72-aecd-41d9-88df-dd066a3b83ea", + "ephemeral_id": "332ba8f3-c3fa-4c28-a2db-d290177c13e5", + "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7", "name": "docker-fleet-agent", "type": "filebeat", "version": "8.13.0" }, "data_stream": { "dataset": "trend_micro_vision_one.alert", - "namespace": "ep", + "namespace": "19452", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "633dac72-aecd-41d9-88df-dd066a3b83ea", + "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7", "snapshot": false, "version": "8.13.0" }, 
@@ -73,10 +73,10 @@ An example event for `alert` looks as following: "category": [ "email" ], - "created": "2024-04-03T23:51:51.124Z", + "created": "2024-06-12T03:27:26.911Z", "dataset": "trend_micro_vision_one.alert", "id": "WB-9002-20200427-0002", - "ingested": "2024-04-03T23:52:03Z", + "ingested": "2024-06-12T03:27:38Z", "kind": "alert", "original": "{\"alertProvider\":\"SAE\",\"createdDateTime\":\"2020-04-30T00:01:15Z\",\"description\":\"A backdoor was possibly implanted after a user received a possible spear phishing email message.\",\"id\":\"WB-9002-20200427-0002\",\"impactScope\":{\"accountCount\":0,\"desktopCount\":0,\"emailAddressCount\":0,\"entities\":[{\"entityId\":\"5257b401-2fd7-469c-94fa-39a4f11eb925\",\"entityType\":\"host\",\"entityValue\":\"user@email.com\",\"provenance\":[\"Alert\"],\"relatedEntities\":[\"CODERED\\\\\\\\user\"],\"relatedIndicatorIds\":[1]}],\"serverCount\":0},\"indicators\":[{\"field\":\"request url\",\"filterIds\":[\"f862df72-7f5e-4b2b-9f7f-9148e875f908\"],\"id\":1,\"provenance\":[\"Alert\"],\"relatedEntities\":[\"user@example.com\"],\"type\":\"url\",\"value\":\"http://www.example.com/ab001.zip\"}],\"investigationStatus\":\"New\",\"matchedRules\":[{\"id\":\"5f52d1f1-53e7-411a-b74f-745ee81fa30b\",\"matchedFilters\":[{\"id\":\"ccf86fc1-688f-4131-a46f-1d7a6ee2f88e\",\"matchedDateTime\":\"2019-08-02T04:00:01Z\",\"matchedEvents\":[{\"matchedDateTime\":\"2019-08-02T04:00:01Z\",\"type\":\"TELEMETRY_REGISTRY\",\"uuid\":\"fa9ff47c-e1b8-459e-a3d0-a5b104b854a5\"}],\"mitreTechniqueIds\":[\"T1192\"],\"name\":\"(T1192) Spearphishing Link\"}],\"name\":\"Possible SpearPhishing Email\"}],\"model\":\"Possible APT Attack\",\"schemaVersion\":\"1.0\",\"score\":63,\"severity\":\"critical\",\"updatedDateTime\":\"2023-04-30T00:01:16Z\",\"workbenchLink\":\"https://THE_WORKBENCH_URL\"}", "severity": 63, 
@@ -313,33 +313,33 @@ An example event for `audit` looks as following: { "@timestamp": "2022-02-24T07:29:48.000Z", "agent": { - "ephemeral_id": "d3c3e470-8bcc-4e5a-b8b6-e1b25f54c763", - "id": "f86f831a-cae2-454f-a985-4f579b0ee515", + "ephemeral_id": "652abe8f-556a-4a24-9e9d-dc2990f84a38", + "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.7.1" + "version": "8.13.0" }, "data_stream": { "dataset": "trend_micro_vision_one.audit", - "namespace": "ep", + "namespace": "46929", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "f86f831a-cae2-454f-a985-4f579b0ee515", + "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7", "snapshot": false, - "version": "8.7.1" + "version": "8.13.0" }, "event": { "agent_id_status": "verified", "category": [ "authentication" ], - "created": "2023-09-27T08:39:38.449Z", + "created": "2024-06-12T03:28:27.263Z", "dataset": "trend_micro_vision_one.audit", - "ingested": "2023-09-27T08:39:39Z", + "ingested": "2024-06-12T03:28:39Z", "kind": "event", "original": "{\"accessType\":\"Console\",\"activity\":\"string\",\"category\":\"Logon and Logoff\",\"details\":{\"property1\":\"string\",\"property2\":\"string\"},\"loggedDateTime\":\"2022-02-24T07:29:48Z\",\"loggedRole\":\"Master Administrator\",\"loggedUser\":\"Root Account\",\"result\":\"Unsuccessful\"}", "outcome": "failure", @@ -384,7 +384,6 @@ An example event for `audit` looks as following: } } } - ``` **Exported fields** 
@@ -461,15 +460,15 @@ An example event for `detection` looks as following: { "@timestamp": "2020-10-15T01:16:32.000Z", "agent": { - "ephemeral_id": "041ba589-51ca-4422-a895-36a10f4568a8", - "id": "94a80c96-489d-4fc8-aeab-bdef580d21f8", + "ephemeral_id": "b136ddab-1cc6-49c5-b9c2-4a4fcf650fe2", + "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.11.0" + "version": "8.13.0" }, "data_stream": { "dataset": "trend_micro_vision_one.detection", - "namespace": "ep", + "namespace": "99796", "type": "logs" }, "destination": { @@ -483,9 +482,9 @@ An example event for `detection` looks as following: "version": "8.11.0" }, "elastic_agent": { - "id": "94a80c96-489d-4fc8-aeab-bdef580d21f8", - "snapshot": true, - "version": "8.11.0" + "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7", + "snapshot": false, + "version": "8.13.0" }, "event": { "action": "clean", 
@@ -493,10 +492,10 @@ An example event for `detection` looks as following: "category": [ "intrusion_detection" ], - "created": "2023-10-06T09:10:41.685Z", + "created": "2024-06-12T03:29:29.064Z", "dataset": "trend_micro_vision_one.detection", "id": "100117", - "ingested": "2023-10-06T09:10:44Z", + "ingested": "2024-06-12T03:29:41Z", "kind": "event", "original": "{\"act\":\"Clean\",\"actResult\":\"Quarantined successfully\",\"app\":\"HTTP\",\"appGroup\":\"HTTP\",\"aptRelated\":\"0\",\"behaviorCat\":\"Grey-Detection\",\"blocking\":\"Web reputation\",\"cat\":50,\"cccaDetection\":\"Yes\",\"cccaDetectionSource\":\"GLOBAL_INTELLIGENCE\",\"cccaRiskLevel\":3,\"clientFlag\":\"dst\",\"cnt\":\"1\",\"component\":[\"PATTERN_VSAPI 17.101.92 2021-09-30 04:23:27-07:00\"],\"compressedFileSize\":\"0\",\"detectionType\":\"File\",\"deviceDirection\":\"outbound\",\"deviceGUID\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"deviceMacAddress\":\"00-00-5E-00-53-23\",\"deviceProcessName\":\"/snap/core/10126/usr/lib/snapd/snapd\",\"dhost\":\"samplehost\",\"domainName\":\"Workgroup\",\"dpt\":53,\"dst\":[\"81.2.69.142\"],\"dstGroup\":\"Default\",\"end\":\"2021-09-30T09:40:04-08:00\",\"endpointGUID\":\"1234-1234-1234\",\"endpointHostName\":\"abc-docker\",\"endpointIp\":[\"81.2.69.142\"],\"endpointMacAddress\":\"00-00-5E-00-53-23\",\"engType\":\"Virus Scan Engine (OS 2003, x64)\",\"engVer\":\"12.500.1004\",\"eventId\":\"100117\",\"eventName\":\"INTEGRITY_MONITORING_EVENT\",\"eventSubName\":\"Attack Discovery\",\"eventTime\":1602724592000,\"eventTimeDT\":\"2021-06-10T01:38:38+00:00\",\"fileHash\":\"3395856ce81f2b7382dee72602f798b642f14140\",\"fileName\":[\"Unconfirmed 145081.crdownload\"],\"fileOperation\":\"Deleted\",\"filePath\":\"/etc/systemd/system\",\"filePathName\":\"/etc/systemd/system/snap-xxxx-1246.xxxx\",\"fileSize\":\"0\",\"firstAct\":\"Clean\",\"firstActResult\":\"Unable to clean file\",\"fullPath\":\"C:\\\\\\\\Users\\\\\\\\user1\\\\\\\\Downloads\\\\\\\\Unconfirmed 
145081.crdownload\",\"hostName\":\"samplehost\",\"httpReferer\":\"http://www.example.com/\",\"interestedHost\":\"abc-docker\",\"interestedIp\":[\"81.2.69.192\"],\"interestedMacAddress\":\"00-00-5E-00-53-23\",\"mDevice\":[\"81.2.69.192\"],\"mDeviceGUID\":\"C5B09EDD-C725-907F-29D9-B8C30D18C48F\",\"malName\":\"Eicar_test_1\",\"malType\":\"Virus/Malware\",\"mitreMapping\":[\"T1090 (TA0005)\"],\"mitreVersion\":\"v6\",\"mpname\":\"Cloud One - Workload Security\",\"mpver\":\"Deep Security/20.0.222\",\"objectCmd\":[\"C:\\\\\\\\Program Files (x86)\\\\\\\\Microsoft\\\\\\\\Edge\\\\\\\\Application\\\\\\\\msedge.exe --profile-directory=Default\"],\"objectFileHashMd5\":\"761AEFF7E6B110970285B9C20C9E1DCA\",\"objectFileHashSha1\":\"00496B4D53CEFE031B9702B3385C9F4430999932\",\"objectFileHashSha256\":\"7778ED68F4646BAA38C4F36B16A1AE393ACECD694948102B5CF0773AB08237D7\",\"objectFileName\":\"Unconfirmed 142899.crdownload:SmartScreen\",\"objectFilePath\":\"C:\\\\\\\\Users\\\\\\\\user1\\\\\\\\Downloads\\\\\\\\Unconfirmed 142899.crdownload:SmartScreen\",\"objectName\":\"CloudEndpointService.exe\",\"objectPid\":7660,\"objectSigner\":[\"OS\"],\"parentCmd\":\"C:\\\\\\\\os\\\\\\\\system32\\\\\\\\svchost.exe -k DcomLaunch -p\",\"parentFileHashSha1\":\"00496B4D53CEFE031B9702B3385C9F4430999932\",\"parentFileHashSha256\":\"7778ED68F4646BAA38C4F36B16A1AE393ACECD694948102B5CF0773AB08237D7\",\"parentFilePath\":\"C:\\\\\\\\os\\\\\\\\System32\\\\\\\\svchost.exe\",\"peerHost\":\"samplehost\",\"peerIp\":[\"81.2.69.192\"],\"pname\":\"Apex One\",\"processCmd\":\"-ServerName:App.AppX9yct9q388jvt4h7y0gn06smzkxcsnt8m.mca\",\"processFileHashMd5\":\"761AEFF7E6B110970285B9C20C9E1DCA\",\"processFileHashSha1\":\"00496B4D53CEFE031B9702B3385C9F4430999932\",\"processFileHashSha256\":\"7778ED68F4646BAA38C4F36B16A1AE393ACECD694948102B5CF0773AB08237D7\",\"processFilePath\":\"C:\\\\\\\\Program Files (x86)\\\\\\\\os\\\\\\\\Application\\\\\\\\msedge.exe\",\"processName\":\"string\",\"processPid\":0,\"processSigner\":\"OS 
Publisher\",\"productCode\":\"sao\",\"pver\":\"20.0.0.877\",\"request\":\"https://example.com\",\"requestClientApplication\":\"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1\",\"rt\":\"2020-10-15T01:16:32.000Z\",\"rt_utc\":\"2020-10-15T01:16:32.000Z\",\"searchDL\":\"DDL\",\"spt\":58871,\"src\":\"81.2.69.192\",\"srcGroup\":\"Default\",\"tacticId\":[\"TA0005\"],\"tags\":[\"XSAE.F2140\",\"XSAE.F3066\"],\"threatName\":\"Malicious_identified_CnC_querying_on_UDP_detected\",\"uuid\":\"1234-1234-1234\"}", "severity": 50, @@ -522,7 +521,9 @@ An example event for `detection` looks as following: "ip": [ "81.2.69.142" ], - "mac": "00-00-5E-00-53-23", + "mac": [ + "00-00-5E-00-53-23" + ], "name": "abc-docker" }, "http": { @@ -765,7 +766,6 @@ An example event for `detection` looks as following: "version": "12.0" } } - ``` **Exported fields** diff --git a/packages/trend_micro_vision_one/manifest.yml b/packages/trend_micro_vision_one/manifest.yml index 3ccb4db932c..563662497cf 100644 --- a/packages/trend_micro_vision_one/manifest.yml +++ b/packages/trend_micro_vision_one/manifest.yml @@ -1,7 +1,7 @@ format_version: "3.0.3" name: trend_micro_vision_one title: Trend Micro Vision One -version: "1.19.0" +version: "1.19.1" description: Collect logs from Trend Micro Vision One with Elastic Agent. type: integration categories: From f25ee8596a0028b2b185309483888c48244e3c07 Mon Sep 17 00:00:00 2001 
From: mmahacek Date: Wed, 12 Jun 2024 22:27:20 -0700 Subject: [PATCH 009/105] Update MSSQL doc for version requirements (#10025) * Update MSSQL doc for version requirements * Update changelog.yml for MSSQL integration * Move note on version limit Move version note to be more specific about which metrics are limited. * update version and README * update version --------- Co-authored-by: aliabbas-elastic --- packages/microsoft_sqlserver/_dev/build/docs/README.md | 2 +- packages/microsoft_sqlserver/changelog.yml | 5 +++++ packages/microsoft_sqlserver/docs/README.md | 2 +- packages/microsoft_sqlserver/manifest.yml | 2 +- 4 files changed, 8 insertions(+), 3 deletions(-) diff --git a/packages/microsoft_sqlserver/_dev/build/docs/README.md b/packages/microsoft_sqlserver/_dev/build/docs/README.md index d0e70536a32..a5357bcae3f 100644 --- a/packages/microsoft_sqlserver/_dev/build/docs/README.md +++ b/packages/microsoft_sqlserver/_dev/build/docs/README.md 
@@ -38,7 +38,7 @@ If you browse Microsoft Developer Network (MSDN) for the following tables, you w 1. `transaction_log`: - [sys.databases](https://learn.microsoft.com/en-us/sql/relational-databases/system-compatibility-views/sys-sysdatabases-transact-sql?view=sql-server-ver16) - [sys.dm_db_log_space_usage](https://learn.microsoft.com/en-us/sql/relational-databases/system-dynamic-management-views/sys-dm-db-log-space-usage-transact-sql?view=sql-server-ver16) - - [sys.dm_db_log_stats (DB_ID)](https://learn.microsoft.com/en-us/sql/relational-databases/system-dynamic-management-views/sys-dm-db-log-stats-transact-sql?view=sql-server-ver16) + - [sys.dm_db_log_stats (DB_ID)](https://learn.microsoft.com/en-us/sql/relational-databases/system-dynamic-management-views/sys-dm-db-log-stats-transact-sql?view=sql-server-ver16) (Available on SQL Server (MSSQL) 2016 (13.x) SP 2 and later) 2. `performance`: - [sys.dm_os_performance_counters](https://learn.microsoft.com/en-us/sql/relational-databases/system-dynamic-management-views/sys-dm-os-performance-counters-transact-sql?view=sql-server-ver16) diff --git a/packages/microsoft_sqlserver/changelog.yml b/packages/microsoft_sqlserver/changelog.yml index fd3f9fbd5a7..daea9ec59e3 100644 --- a/packages/microsoft_sqlserver/changelog.yml +++ b/packages/microsoft_sqlserver/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: 2.5.1 + changes: + - description: Update documentation for `transaction_logs` metric collection limits. + type: enhancement + link: https://github.com/elastic/integrations/pull/10025 - version: 2.5.0 changes: - description: Enable 'secret' for the sensitive fields. diff --git a/packages/microsoft_sqlserver/docs/README.md b/packages/microsoft_sqlserver/docs/README.md index cd8435f89a9..3b4e730606e 100644 --- a/packages/microsoft_sqlserver/docs/README.md +++ b/packages/microsoft_sqlserver/docs/README.md 
@@ -38,7 +38,7 @@ If you browse Microsoft Developer Network (MSDN) for the following tables, you w 1. `transaction_log`: - [sys.databases](https://learn.microsoft.com/en-us/sql/relational-databases/system-compatibility-views/sys-sysdatabases-transact-sql?view=sql-server-ver16) - [sys.dm_db_log_space_usage](https://learn.microsoft.com/en-us/sql/relational-databases/system-dynamic-management-views/sys-dm-db-log-space-usage-transact-sql?view=sql-server-ver16) - - [sys.dm_db_log_stats (DB_ID)](https://learn.microsoft.com/en-us/sql/relational-databases/system-dynamic-management-views/sys-dm-db-log-stats-transact-sql?view=sql-server-ver16) + - [sys.dm_db_log_stats (DB_ID)](https://learn.microsoft.com/en-us/sql/relational-databases/system-dynamic-management-views/sys-dm-db-log-stats-transact-sql?view=sql-server-ver16) (Available on SQL Server (MSSQL) 2016 (13.x) SP 2 and later) 2. `performance`: - [sys.dm_os_performance_counters](https://learn.microsoft.com/en-us/sql/relational-databases/system-dynamic-management-views/sys-dm-os-performance-counters-transact-sql?view=sql-server-ver16) diff --git a/packages/microsoft_sqlserver/manifest.yml b/packages/microsoft_sqlserver/manifest.yml index 927f1e11c02..ed18ca5b54f 100644 --- a/packages/microsoft_sqlserver/manifest.yml +++ b/packages/microsoft_sqlserver/manifest.yml @@ -1,7 +1,7 @@ format_version: "3.0.2" name: microsoft_sqlserver title: "Microsoft SQL Server" -version: "2.5.0" +version: "2.5.1" description: Collect events from Microsoft SQL Server with Elastic Agent type: integration categories: From efc03f6d264ee8287587f19eee7e83ed66ba94e4 Mon Sep 17 00:00:00 2001 
From: Arianna Laudazzi <46651782+alaudazzi@users.noreply.github.com> Date: Thu, 13 Jun 2024 14:38:00 +0200 Subject: [PATCH 010/105] Replace Azure AD with Microsoft Entra ID (#10142) * Replace Azure AD with Microsoft Entra ID * Fix app name on the Azure Functions page * Update manifest and changelog --- packages/azure_billing/_dev/build/docs/README.md | 2 +- packages/azure_billing/changelog.yml | 5 +++++ packages/azure_billing/docs/README.md | 2 +- packages/azure_billing/manifest.yml | 2 +- packages/azure_functions/_dev/build/docs/README.md | 2 +- packages/azure_functions/changelog.yml | 5 +++++ packages/azure_functions/docs/README.md | 2 +- packages/azure_functions/manifest.yml | 2 +- 8 files changed, 16 insertions(+), 6 deletions(-) diff --git a/packages/azure_billing/_dev/build/docs/README.md b/packages/azure_billing/_dev/build/docs/README.md index 462c443b324..d1c8e83c11b 100644 --- a/packages/azure_billing/_dev/build/docs/README.md +++ b/packages/azure_billing/_dev/build/docs/README.md @@ -54,7 +54,7 @@ Set up a new app registration in Azure. To create the app registration: 1. Sign in to the [Azure Portal](https://portal.azure.com/). -2. Search for and select **Azure Active Directory**. +2. Search for and select **Microsoft Entra ID**. 3. Under **Manage**, select **App registrations** > **New registration**. 4. Enter a display _Name_ for your application (for example, "elastic-agent"). 5. Specify who can use the application. diff --git a/packages/azure_billing/changelog.yml b/packages/azure_billing/changelog.yml index ad93c772206..9b8adef8005 100644 --- a/packages/azure_billing/changelog.yml +++ b/packages/azure_billing/changelog.yml 
@@ -1,3 +1,8 @@ +- version: 1.5.1 + changes: + - description: Replace Azure AD with Microsoft Entra ID + type: enhancement + link: https://github.com/elastic/integrations/pull/10142 - version: 1.5.0 changes: - description: Enable secrets for sensitive fields. For more details, refer https://www.elastic.co/guide/en/fleet/current/agent-policy.html#agent-policy-secret-values diff --git a/packages/azure_billing/docs/README.md b/packages/azure_billing/docs/README.md index 222fc0b84e7..65ea45ed7f7 100644 --- a/packages/azure_billing/docs/README.md +++ b/packages/azure_billing/docs/README.md @@ -54,7 +54,7 @@ Set up a new app registration in Azure. To create the app registration: 1. Sign in to the [Azure Portal](https://portal.azure.com/). -2. Search for and select **Azure Active Directory**. +2. Search for and select **Microsoft Entra ID**. 3. Under **Manage**, select **App registrations** > **New registration**. 4. Enter a display _Name_ for your application (for example, "elastic-agent"). 5. Specify who can use the application. diff --git a/packages/azure_billing/manifest.yml b/packages/azure_billing/manifest.yml index 04fd60f7678..d731545517a 100644 --- a/packages/azure_billing/manifest.yml +++ b/packages/azure_billing/manifest.yml @@ -1,6 +1,6 @@ name: azure_billing title: Azure Billing Metrics -version: "1.5.0" +version: "1.5.1" description: Collect billing metrics with Elastic Agent. type: integration icons: diff --git a/packages/azure_functions/_dev/build/docs/README.md b/packages/azure_functions/_dev/build/docs/README.md index 42c03120057..f31351371ef 100644 --- a/packages/azure_functions/_dev/build/docs/README.md +++ b/packages/azure_functions/_dev/build/docs/README.md 
@@ -107,7 +107,7 @@ To start collecting data with this integration, you need to: To create a new app registration: 1. Sign in to the [Azure Portal](https://portal.azure.com/). -2. Search for and select **Azure Active Directory**. +2. Search for and select **Microsoft Entra ID**. 3. Under **Manage**, select **App registrations** > **New registration**. 4. Enter a display _Name_ for your application (for example, "elastic-agent"). 5. Specify who can use the application. diff --git a/packages/azure_functions/changelog.yml b/packages/azure_functions/changelog.yml index f21b46d6bae..20ba87c66cc 100644 --- a/packages/azure_functions/changelog.yml +++ b/packages/azure_functions/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: 0.4.2 + changes: + - description: Replace Azure AD with Microsoft Entra ID. + type: enhancement + link: https://github.com/elastic/integrations/pull/10142 - version: 0.4.1 changes: - description: Remove Add Cloud Metadata flag from agent config. diff --git a/packages/azure_functions/docs/README.md b/packages/azure_functions/docs/README.md index 4b98112820e..f230137088c 100644 --- a/packages/azure_functions/docs/README.md +++ b/packages/azure_functions/docs/README.md @@ -214,7 +214,7 @@ To start collecting data with this integration, you need to: To create a new app registration: 1. Sign in to the [Azure Portal](https://portal.azure.com/). -2. Search for and select **Azure Active Directory**. +2. Search for and select **Microsoft Entra ID**. 3. Under **Manage**, select **App registrations** > **New registration**. 4. Enter a display _Name_ for your application (for example, "elastic-agent"). 5. Specify who can use the application. diff --git a/packages/azure_functions/manifest.yml b/packages/azure_functions/manifest.yml index 475a3c686c3..6d036c85dc8 100644 --- a/packages/azure_functions/manifest.yml +++ b/packages/azure_functions/manifest.yml 
@@ -1,7 +1,7 @@ format_version: "3.0.2" name: azure_functions title: "Azure Functions" -version: "0.4.1" +version: "0.4.2" source: license: "Elastic-2.0" description: "Get metrics and logs from Azure Functions" From 9b0322765c65a1fc899f090a5cbcfb2c079917e7 Mon Sep 17 00:00:00 2001 From: Taylor Swanson <90622908+taylor-swanson@users.noreply.github.com> Date: Thu, 13 Jun 2024 10:13:45 -0500 Subject: [PATCH 011/105] [panw] Improve handling of urls and filenames when parsing anti-virus events (#10140) - The filename or URL contained within an anti-virus threat event is now extracted to the file.name or url fields, respectively. - Fixed url.extension extraction so only the last component of the extension is extracted. --- packages/panw/changelog.yml | 5 + ...-panos-inc-threat-sample.log-expected.json | 2 +- .../test-panw-panos-threat-sample.log | 2 + ...panw-panos-threat-sample.log-expected.json | 363 ++++++++++++++++++ .../elasticsearch/ingest_pipeline/threat.yml | 19 +- packages/panw/manifest.yml | 2 +- 6 files changed, 386 insertions(+), 7 deletions(-) diff --git a/packages/panw/changelog.yml b/packages/panw/changelog.yml index aa4226a3ec6..30cc04ab1a4 100644 --- a/packages/panw/changelog.yml +++ b/packages/panw/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "3.26.0" + changes: + - description: Improve handling of urls and filenames when parsing anti-virus events. + type: enhancement + link: https://github.com/elastic/integrations/pull/10140 - version: "3.25.2" changes: - description: Fix null dereference with absent certificate dates in decryption pipeline. diff --git a/packages/panw/data_stream/panos/_dev/test/pipeline/test-panw-panos-inc-threat-sample.log-expected.json b/packages/panw/data_stream/panos/_dev/test/pipeline/test-panw-panos-inc-threat-sample.log-expected.json index f43f1c044f8..0f8d5123c65 100644 --- a/packages/panw/data_stream/panos/_dev/test/pipeline/test-panw-panos-inc-threat-sample.log-expected.json 
+++ b/packages/panw/data_stream/panos/_dev/test/pipeline/test-panw-panos-inc-threat-sample.log-expected.json @@ -2669,7 +2669,7 @@ ], "url": { "domain": "cls-softwares.com", - "extension": "40013.exe", + "extension": "exe", "original": "cls-softwares.com/softwarefortubeview.40013.exe", "path": "/softwarefortubeview.40013.exe" }, diff --git a/packages/panw/data_stream/panos/_dev/test/pipeline/test-panw-panos-threat-sample.log b/packages/panw/data_stream/panos/_dev/test/pipeline/test-panw-panos-threat-sample.log index 30c19c3a807..2e2fde322c0 100644 --- a/packages/panw/data_stream/panos/_dev/test/pipeline/test-panw-panos-threat-sample.log +++ b/packages/panw/data_stream/panos/_dev/test/pipeline/test-panw-panos-threat-sample.log 
@@ -202,3 +202,5 @@ Apr 9 16:57:37 PA5250 1,2024/04/09 16:57:36,123456789012,THREAT,url,2561,2024/04 Apr 9 16:57:37 PA5250 1,2024/04/09 11:00:29,123456789012,THREAT,url,2561,2024/04/09 11:00:29,10.154.247.224,192.168.4.4,192.168.72.187,192.168.4.4,A_ANY_L7A_surf-Good internet appl PUBNET-Open Internet,,,ssl,vsys1,Open Internet,Internet-PUBNET,ae1.898,ethernet1/16.451,Panorama-Elastic,2024/04/09 11:00:29,2552174,1,57241,443,6226,443,0x403400,tcp,block-url,"dns.google",(9999),encrypted-dns,informational,client-to-server,7341108846081879882,0x8000000000000000,10.0.0.0-10.255.255.255,United States,,,0,,,0,,,,,,,,0,0,0,0,0,Core,AC-PA5250,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,,"encrypted-dns,computer-and-internet-info,low-risk",f27e631a-d0b9-4d01-bdfa-e955076d9a21,0,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0,2024-04-09T11:00:29.812+02:00,,,,encrypted-tunnel,networking,browser-based,4,"used-by-malware,able-to-transfer-file,has-known-vulnerability,tunnel-other-application,pervasive-use",,ssl,no,no,_reportid Apr 9 20:43:30 AC-PA5250 1,2024/04/09 20:43:29,123456789012,THREAT,url,2561,2024/04/09 20:43:29,192.168.72.187,192.168.110.104,0.0.0.0,0.0.0.0,A_SRC_ANY_DMZ-Public-to-Internet,,,google-base,vsys1,Internet,Internet,ethernet1/15.451,ae2.497,Panorama-Elastic,2024/04/09 20:43:29,3853754,1,12235,80,0,0,0xb000,tcp,alert,"www.google.com/",(9999),search-engines,informational,client-to-server,7341108846134004297,0x8000000000000000,Belgium,United States,,text/html,0,,,1,,,,,,,,0,0,0,0,0,Core,AC-PA5250,,,,get,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,," CUC_OCP4_worker-nodes,search-engines,low-risk",a76c7b1d-5e84-48f5-9498-a9d10ffc959c,0,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0,2024-04-09T20:43:30.719+02:00,,,,internet-utility,general-internet,browser-based,4,"used-by-malware,able-to-transfer-file,has-known-vulnerability,tunnel-other-application,pervasive-use",,google-base,no,no,_reportid Apr 9 20:43:30 AC-PA5250 1,2024/04/09 20:43:29,123456789012,THREAT,url,2561,2024/04/09 
20:43:29,192.168.72.187,192.168.110.104,0.0.0.0,0.0.0.0,A_SRC_ANY_DMZ-Public-to-Internet,,,google-base,vsys1,Internet,Internet,ethernet1/15.451,ae2.497,Panorama-Elastic,2024/04/09 20:43:29,3853754,1,12235,80,0,0,0xb000,tcp,alert,"www.google.com:80/",(9999),search-engines,informational,client-to-server,7341108846134004297,0x8000000000000000,Belgium,United States,,text/html,0,,,1,,,,,,,,0,0,0,0,0,Core,AC-PA5250,,,,get,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,," CUC_OCP4_worker-nodes,search-engines,low-risk",a76c7b1d-5e84-48f5-9498-a9d10ffc959c,0,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0,2024-04-09T20:43:30.719+02:00,,,,internet-utility,general-internet,browser-based,4,"used-by-malware,able-to-transfer-file,has-known-vulnerability,tunnel-other-application,pervasive-use",,google-base,no,no,_reportid +Apr 9 20:43:30 AC-PA5250 1,2024/04/09 20:43:29,123456789012,THREAT,virus,2561,2024/04/09 20:43:29,10.84.12.242,192.168.236.67,192.168.26.150,192.168.236.67,A_SRC_ANY_DMZ-Public-to-Internet,src_username@src-domainname,,web-browsing,vsys1,Inside,Outside,ae1.1324,ae2.497,default,2024/04/09 20:43:29,2398805,2,50833,443,14918,443,0x1402000,tcp,reset-server,"download-cdn.jetbrains.com/resharper/dotUltimate.2023.3.4/Packages/JetBrains.ReSharper.Plugins.ReSharperTutorials.233.0.20240306.121739.nupkg",Virus/Linux.example(419149938),computer-and-internet-info,medium,server-to-client,7332568507791862502,0x8000000000000000,United States,United States,,,0,,,1,,,,,,,,0,16,14,0,0,,AC-PA5250,,,,,0,,0,,N/A,script-av,Antivirus-4767-5285,0x0,0,4294967295,,,a76c7b1d-5e84-48f5-9498-a9d10ffc959c,0,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0,2024-04-09T20:43:29.123+01:00,,,,internet-utility,general-internet,browser-based,4,"used-by-malware,able-to-transfer-file,has-known-vulnerability,tunnel-other-application,pervasive-use",,web-browsing,no,no, +Apr 9 20:43:30 AC-PA5250 1,2024/04/09 20:43:29,123456789012,THREAT,virus,2561,2024/04/09 
20:43:29,10.84.12.242,192.168.236.67,192.168.26.150,192.168.236.67,A_SRC_ANY_DMZ-Public-to-Internet,src_username@src-domainname,,web-browsing,vsys1,Inside,Outside,ae1.1324,ae2.497,default,2024/04/09 20:43:29,234719,1,54576,443,50192,443,0x1402000,tcp,reset-both,"commons-digester3-3.2.jar",Virus/Linux.example(419149938),computer-and-internet-info,medium,server-to-client,7364505737280619655,0x8000000000000000,United States,United States,,,0,,,1,,,,,,,,0,16,14,0,0,,AC-PA5250,,,,,0,,0,2024/04/09 20:43:29,N/A,script-av,Antivirus-4809-5327,0x0,0,4294967295,,,a76c7b1d-5e84-48f5-9498-a9d10ffc959c,894567,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0,2024-04-09T20:43:29+02:00,,,,internet-utility,general-internet,browser-based,4,"used-by-malware,able-to-transfer-file,has-known-vulnerability,tunnel-other-application,pervasive-use",,web-browsing,no,no, diff --git a/packages/panw/data_stream/panos/_dev/test/pipeline/test-panw-panos-threat-sample.log-expected.json b/packages/panw/data_stream/panos/_dev/test/pipeline/test-panw-panos-threat-sample.log-expected.json index 28fa410153d..227681a26e9 100644 --- a/packages/panw/data_stream/panos/_dev/test/pipeline/test-panw-panos-threat-sample.log-expected.json +++ b/packages/panw/data_stream/panos/_dev/test/pipeline/test-panw-panos-threat-sample.log-expected.json @@ -12203,6 +12203,9 @@ "denied" ] }, + "file": { + "name": "browser" + }, "labels": { "nat_translated": true, "non_standard_port_usage": true, @@ -12388,6 +12391,9 @@ "denied" ] }, + "file": { + "name": "browser" + }, "labels": { "nat_translated": true, "non_standard_port_usage": true, 
@@ -35191,6 +35197,363 @@ "path": "/", "port": 80 } + }, + { + "@timestamp": "2024-04-09T20:43:29.000+09:30", + "destination": { + "domain": "download-cdn.jetbrains.com", + "geo": { + "name": "United States" + }, + "ip": "192.168.236.67", + "nat": { + "ip": "192.168.236.67", + "port": 443 + }, + "port": 443 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "virus_detected", + "category": [ + "intrusion_detection", + "threat", + "network" + ], + "created": "2024-04-09T20:43:29.000+09:30", + "kind": "alert", + "original": "Apr 9 20:43:30 AC-PA5250 1,2024/04/09 20:43:29,123456789012,THREAT,virus,2561,2024/04/09 20:43:29,10.84.12.242,192.168.236.67,192.168.26.150,192.168.236.67,A_SRC_ANY_DMZ-Public-to-Internet,src_username@src-domainname,,web-browsing,vsys1,Inside,Outside,ae1.1324,ae2.497,default,2024/04/09 20:43:29,2398805,2,50833,443,14918,443,0x1402000,tcp,reset-server,\"download-cdn.jetbrains.com/resharper/dotUltimate.2023.3.4/Packages/JetBrains.ReSharper.Plugins.ReSharperTutorials.233.0.20240306.121739.nupkg\",Virus/Linux.example(419149938),computer-and-internet-info,medium,server-to-client,7332568507791862502,0x8000000000000000,United States,United States,,,0,,,1,,,,,,,,0,16,14,0,0,,AC-PA5250,,,,,0,,0,,N/A,script-av,Antivirus-4767-5285,0x0,0,4294967295,,,a76c7b1d-5e84-48f5-9498-a9d10ffc959c,0,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0,2024-04-09T20:43:29.123+01:00,,,,internet-utility,general-internet,browser-based,4,\"used-by-malware,able-to-transfer-file,has-known-vulnerability,tunnel-other-application,pervasive-use\",,web-browsing,no,no,", + "outcome": "failure", + "severity": 3, + "timezone": "+09:30", + "type": [ + "denied" + ] + }, + "labels": { + "nat_translated": true, + "ssl_decrypted": true, + "temporary_match": true + }, + "log": { + "level": "medium" + }, + "message": 
"10.84.12.242,192.168.236.67,192.168.26.150,192.168.236.67,A_SRC_ANY_DMZ-Public-to-Internet,src_username@src-domainname,,web-browsing,vsys1,Inside,Outside,ae1.1324,ae2.497,default,2024/04/09 20:43:29,2398805,2,50833,443,14918,443,0x1402000,tcp,reset-server,\"download-cdn.jetbrains.com/resharper/dotUltimate.2023.3.4/Packages/JetBrains.ReSharper.Plugins.ReSharperTutorials.233.0.20240306.121739.nupkg\",Virus/Linux.example(419149938),computer-and-internet-info,medium,server-to-client,7332568507791862502,0x8000000000000000,United States,United States,,,0,,,1,,,,,,,,0,16,14,0,0,,AC-PA5250,,,,,0,,0,,N/A,script-av,Antivirus-4767-5285,0x0,0,4294967295,,,a76c7b1d-5e84-48f5-9498-a9d10ffc959c,0,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0,2024-04-09T20:43:29.123+01:00,,,,internet-utility,general-internet,browser-based,4,\"used-by-malware,able-to-transfer-file,has-known-vulnerability,tunnel-other-application,pervasive-use\",,web-browsing,no,no,", + "network": { + "application": "web-browsing", + "community_id": [ + "1:YkryUKyZVqhE4CgxEzfse4AMVSE=", + "1:PFufwB1F3/uzhJX5C2NBDkMNdY0=" + ], + "direction": "outbound", + "transport": "tcp", + "type": "ipv4" + }, + "observer": { + "egress": { + "interface": { + "name": "ae2.497" + }, + "zone": "Outside" + }, + "hostname": "AC-PA5250", + "ingress": { + "interface": { + "name": "ae1.1324" + }, + "zone": "Inside" + }, + "product": "PAN-OS", + "serial_number": "123456789012", + "type": "firewall", + "vendor": "Palo Alto Networks" + }, + "panw": { + "panos": { + "action": "reset-server", + "action_flags": "0x8000000000000000", + "application": { + "category": "general-internet", + "characteristics": "used-by-malware,able-to-transfer-file,has-known-vulnerability,tunnel-other-application,pervasive-use", + "is_saas": "no", + "is_sanctioned": "no", + "risk_level": 4, + "sub_category": "internet-utility", + "technology": "browser-based", + "tunneled": "web-browsing" + }, + "content_version": "Antivirus-4767-5285", + "device_group_hierarchy1": "16", + 
"device_group_hierarchy2": "14", + "device_group_hierarchy3": "0", + "device_group_hierarchy4": "0", + "flow_id": "2398805", + "high_resolution_timestamp": "2024-04-10T05:13:29.123+09:30", + "http2_connection": "0", + "imsi": "0", + "log_profile": "default", + "logged_time": "2024-04-09T20:43:29.000+09:30", + "network": { + "nat": { + "community_id": "1:PFufwB1F3/uzhJX5C2NBDkMNdY0=" + } + }, + "parent_session": { + "id": "0" + }, + "partial_hash": "0", + "payload_protocol_id": "4294967295", + "repeat_count": 2, + "ruleset": "A_SRC_ANY_DMZ-Public-to-Internet", + "sctp": { + "assoc_id": "0" + }, + "sequence_number": "7332568507791862502", + "sub_type": "virus", + "threat": { + "id": "419149938", + "name": "Virus/Linux.example" + }, + "threat_category": "script-av", + "tunnel_type": "N/A", + "type": "THREAT", + "url": { + "category": "computer-and-internet-info" + }, + "url_idx": "1", + "virtual_sys": "vsys1", + "wildfire": { + "report_id": "0" + } + } + }, + "related": { + "hosts": [ + "AC-PA5250" + ], + "ip": [ + "10.84.12.242", + "192.168.236.67", + "192.168.26.150" + ], + "user": [ + "src_username" + ] + }, + "rule": { + "name": "A_SRC_ANY_DMZ-Public-to-Internet", + "uuid": "a76c7b1d-5e84-48f5-9498-a9d10ffc959c" + }, + "source": { + "geo": { + "name": "United States" + }, + "ip": "10.84.12.242", + "nat": { + "ip": "192.168.26.150", + "port": 14918 + }, + "port": 50833, + "user": { + "domain": "src-domainname", + "name": "src_username" + } + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "download-cdn.jetbrains.com", + "extension": "nupkg", + "original": "download-cdn.jetbrains.com/resharper/dotUltimate.2023.3.4/Packages/JetBrains.ReSharper.Plugins.ReSharperTutorials.233.0.20240306.121739.nupkg", + "path": "/resharper/dotUltimate.2023.3.4/Packages/JetBrains.ReSharper.Plugins.ReSharperTutorials.233.0.20240306.121739.nupkg" + }, + "user": { + "domain": "src-domainname", + "name": "src_username" + } + }, + { + "@timestamp": 
"2024-04-09T20:43:29.000+09:30", + "destination": { + "geo": { + "name": "United States" + }, + "ip": "192.168.236.67", + "nat": { + "ip": "192.168.236.67", + "port": 443 + }, + "port": 443 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "virus_detected", + "category": [ + "intrusion_detection", + "threat", + "network" + ], + "created": "2024-04-09T20:43:29.000+09:30", + "kind": "alert", + "original": "Apr 9 20:43:30 AC-PA5250 1,2024/04/09 20:43:29,123456789012,THREAT,virus,2561,2024/04/09 20:43:29,10.84.12.242,192.168.236.67,192.168.26.150,192.168.236.67,A_SRC_ANY_DMZ-Public-to-Internet,src_username@src-domainname,,web-browsing,vsys1,Inside,Outside,ae1.1324,ae2.497,default,2024/04/09 20:43:29,234719,1,54576,443,50192,443,0x1402000,tcp,reset-both,\"commons-digester3-3.2.jar\",Virus/Linux.example(419149938),computer-and-internet-info,medium,server-to-client,7364505737280619655,0x8000000000000000,United States,United States,,,0,,,1,,,,,,,,0,16,14,0,0,,AC-PA5250,,,,,0,,0,2024/04/09 20:43:29,N/A,script-av,Antivirus-4809-5327,0x0,0,4294967295,,,a76c7b1d-5e84-48f5-9498-a9d10ffc959c,894567,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0,2024-04-09T20:43:29+02:00,,,,internet-utility,general-internet,browser-based,4,\"used-by-malware,able-to-transfer-file,has-known-vulnerability,tunnel-other-application,pervasive-use\",,web-browsing,no,no,", + "outcome": "failure", + "severity": 3, + "timezone": "+09:30", + "type": [ + "denied" + ] + }, + "file": { + "name": "commons-digester3-3.2.jar" + }, + "http": { + "version": "2" + }, + "labels": { + "nat_translated": true, + "ssl_decrypted": true, + "temporary_match": true + }, + "log": { + "level": "medium" + }, + "message": "10.84.12.242,192.168.236.67,192.168.26.150,192.168.236.67,A_SRC_ANY_DMZ-Public-to-Internet,src_username@src-domainname,,web-browsing,vsys1,Inside,Outside,ae1.1324,ae2.497,default,2024/04/09 
20:43:29,234719,1,54576,443,50192,443,0x1402000,tcp,reset-both,\"commons-digester3-3.2.jar\",Virus/Linux.example(419149938),computer-and-internet-info,medium,server-to-client,7364505737280619655,0x8000000000000000,United States,United States,,,0,,,1,,,,,,,,0,16,14,0,0,,AC-PA5250,,,,,0,,0,2024/04/09 20:43:29,N/A,script-av,Antivirus-4809-5327,0x0,0,4294967295,,,a76c7b1d-5e84-48f5-9498-a9d10ffc959c,894567,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0,2024-04-09T20:43:29+02:00,,,,internet-utility,general-internet,browser-based,4,\"used-by-malware,able-to-transfer-file,has-known-vulnerability,tunnel-other-application,pervasive-use\",,web-browsing,no,no,", + "network": { + "application": "web-browsing", + "community_id": [ + "1:bJ//8Xa1/JOlL7O+KFZcUft0DCo=", + "1:KieQz1quDcAUcmGtAzCKjeD4Xho=" + ], + "direction": "outbound", + "transport": "tcp", + "type": "ipv4" + }, + "observer": { + "egress": { + "interface": { + "name": "ae2.497" + }, + "zone": "Outside" + }, + "hostname": "AC-PA5250", + "ingress": { + "interface": { + "name": "ae1.1324" + }, + "zone": "Inside" + }, + "product": "PAN-OS", + "serial_number": "123456789012", + "type": "firewall", + "vendor": "Palo Alto Networks" + }, + "panw": { + "panos": { + "action": "reset-both", + "action_flags": "0x8000000000000000", + "application": { + "category": "general-internet", + "characteristics": "used-by-malware,able-to-transfer-file,has-known-vulnerability,tunnel-other-application,pervasive-use", + "is_saas": "no", + "is_sanctioned": "no", + "risk_level": 4, + "sub_category": "internet-utility", + "technology": "browser-based", + "tunneled": "web-browsing" + }, + "content_version": "Antivirus-4809-5327", + "device_group_hierarchy1": "16", + "device_group_hierarchy2": "14", + "device_group_hierarchy3": "0", + "device_group_hierarchy4": "0", + "flow_id": "234719", + "high_resolution_timestamp": "2024-04-10T04:13:29.000+09:30", + "http2_connection": "894567", + "imsi": "0", + "log_profile": "default", + "logged_time": 
"2024-04-09T20:43:29.000+09:30", + "network": { + "nat": { + "community_id": "1:KieQz1quDcAUcmGtAzCKjeD4Xho=" + } + }, + "parent_session": { + "id": "0", + "start_time": "2024-04-09T20:43:29.000+09:30" + }, + "partial_hash": "0", + "payload_protocol_id": "4294967295", + "repeat_count": 1, + "ruleset": "A_SRC_ANY_DMZ-Public-to-Internet", + "sctp": { + "assoc_id": "0" + }, + "sequence_number": "7364505737280619655", + "sub_type": "virus", + "threat": { + "id": "419149938", + "name": "Virus/Linux.example" + }, + "threat_category": "script-av", + "tunnel_type": "N/A", + "type": "THREAT", + "url": { + "category": "computer-and-internet-info" + }, + "url_idx": "1", + "virtual_sys": "vsys1", + "wildfire": { + "report_id": "0" + } + } + }, + "related": { + "hosts": [ + "AC-PA5250" + ], + "ip": [ + "10.84.12.242", + "192.168.236.67", + "192.168.26.150" + ], + "user": [ + "src_username" + ] + }, + "rule": { + "name": "A_SRC_ANY_DMZ-Public-to-Internet", + "uuid": "a76c7b1d-5e84-48f5-9498-a9d10ffc959c" + }, + "session": { + "start_time": "2024-04-09T20:43:29.000+09:30" + }, + "source": { + "geo": { + "name": "United States" + }, + "ip": "10.84.12.242", + "nat": { + "ip": "192.168.26.150", + "port": 50192 + }, + "port": 54576, + "user": { + "domain": "src-domainname", + "name": "src_username" + } + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "domain": "src-domainname", + "name": "src_username" + } } ] } \ No newline at end of file diff --git a/packages/panw/data_stream/panos/elasticsearch/ingest_pipeline/threat.yml b/packages/panw/data_stream/panos/elasticsearch/ingest_pipeline/threat.yml index 132cdf6fcb9..057bc046e63 100644 --- a/packages/panw/data_stream/panos/elasticsearch/ingest_pipeline/threat.yml +++ b/packages/panw/data_stream/panos/elasticsearch/ingest_pipeline/threat.yml 
@@ -279,16 +279,25 @@ processors: field: source.user.email copy_from: panw.panos.sender ignore_failure: true - + - set: + if: 'ctx.panw?.panos?.sub_type == "url" && ctx.panw?.panos?.misc instanceof String' + tag: set_url + field: url.original + copy_from: panw.panos.misc + - set: + if: 'ctx.panw?.panos?.sub_type == "virus" && ctx.panw?.panos?.misc instanceof String && ctx.panw.panos.misc.contains("/")' + tag: set_virus_url + field: url.original + copy_from: panw.panos.misc # Crude implementation of `uri_parts` as its not working well due to lack of scheme. # When the scheme of the URL is absent, this script parses the URL in `ctx.panw.panos.misc` into components namely # `url.original`, `url.domain`, `url.port`, `url.path`, `url.query`, `url.extension` - script: - if: "ctx.url?.scheme == null && ctx.panw?.panos?.sub_type == 'url' && ctx.panw?.panos?.misc instanceof String" + if: "ctx.url?.original != null" lang: painless source: |- Map url = new HashMap(); - String url_original = ctx.panw.panos.misc; + String url_original = ctx.url.original; String domainPort = url_original; url.original = url_original; @@ -304,7 +313,7 @@ processors: url.path = afterDomain.substring(0, idxQuery); url.query = afterDomain.substring(idxQuery + 1); } - int idxExtn = url.path.indexOf("."); + int idxExtn = url.path.lastIndexOf("."); if (idxExtn != -1) { url.extension = url.path.substring(idxExtn+1); } @@ -347,7 +356,7 @@ processors: } ctx.file["name"] = ctx.file.path.substring(idx+1); - set: - if: ctx.panw?.panos?.sub_type == 'file' && (ctx.panw?.panos?.misc instanceof String) && !(ctx.panw.panos.misc.contains('/') || ctx.panw.panos.misc.contains('\\')) + if: '["file", "virus"].contains(ctx.panw?.panos?.sub_type) && (ctx.panw?.panos?.misc instanceof String) && !(ctx.panw.panos.misc.contains("/") || ctx.panw.panos.misc.contains("\\"))' field: file.name copy_from: panw.panos.misc ignore_failure: true 
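Review bot: The rewritten guard `if: "ctx.url?.original != null"` drops the previous `ctx.url?.scheme == null` test, so the "crude uri_parts" script now also runs when url.original was populated by a processor that did see a scheme, and its `String domainPort = url_original;` parse would then report the scheme as part of the host and overwrite url.domain/url.path. If another processor in this pipeline can set url.scheme (the processors list starts before and ends after this hunk), keep the old condition alongside the new one: `if: "ctx.url?.original != null && ctx.url?.scheme == null"`. The new `set_virus_url` processor has a related weakness: a virus `misc` value that is a relative path such as `dir/file.jar` also contains `/` and would have `dir` reported as url.domain, so requiring a dot in the first segment, or a known domain, before copying it into url.original is worth considering.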
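Review bot: `int idxExtn = url.path.lastIndexOf(".");` still searches the whole path, so a dotted directory component followed by an undotted final segment (the shape of the new sample's `/resharper/dotUltimate.2023.3.4/Packages/…` with a leaf like `readme`) yields an extension such as `4/Packages/readme`. Compute it on the last path segment only: `String leaf = url.path.substring(url.path.lastIndexOf("/") + 1);` `int idxExtn = leaf.lastIndexOf(".");` `if (idxExtn != -1) { url.extension = leaf.substring(idxExtn + 1); }`. The enclosing painless script starts before this hunk, so whether url.path is always set at this point is not visible here.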
diff --git a/packages/panw/manifest.yml b/packages/panw/manifest.yml index 08416f03f30..7d38efcf29d 100644 --- a/packages/panw/manifest.yml +++ b/packages/panw/manifest.yml @@ -1,6 +1,6 @@ name: panw title: Palo Alto Next-Gen Firewall -version: "3.25.2" +version: "3.26.0" description: Collect logs from Palo Alto next-gen firewalls with Elastic Agent. type: integration format_version: "3.0.3" From 42668f9e54a0d25c9c1c56f075efd6bd949c55d5 Mon Sep 17 00:00:00 2001 From: Mario Rodriguez Molins Date: Thu, 13 Jun 2024 17:29:34 +0200 Subject: [PATCH 012/105] Update default timeout for pipeline serverless (#10141) --- .buildkite/pipeline.serverless.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.buildkite/pipeline.serverless.yml b/.buildkite/pipeline.serverless.yml index 27e2cd5d7a8..1524e70af7c 100644 --- a/.buildkite/pipeline.serverless.yml +++ b/.buildkite/pipeline.serverless.yml @@ -49,7 +49,7 @@ steps: - label: "Check integrations in serverless" key: "test-integrations-serverless-project" command: ".buildkite/scripts/test_integrations_with_serverless.sh" - timeout_in_minutes: 120 + timeout_in_minutes: 240 env: SERVERLESS: true FORCE_CHECK_ALL: true From c208f7916696239e332bf70bad4bc325978f2ddb Mon Sep 17 00:00:00 2001 
From: Rob Bavey Date: Thu, 13 Jun 2024 15:10:21 -0400 Subject: [PATCH 013/105] [Logstash] Add pipeline level worker utilization (#10107) * Add pipeline level `worker_utilization` to collected and stored metrics * Remove incorrect flow metrics from tables Flow metric values in table views for plugins were showing incorrect values - showing a summation of all the values in the time period, rather than the correct value. * Add pipeline-level `worker_utilization` metrics to dashboards Introduce support for pipeline-level `worker_utilization` metrics to dashboards. * Update changelog * Add observability to categories Add the observability category, to enable the Logstash integration to show up in "add data" in serverless observability solution. * Remove non-functional pipeline filters Removes pipeline filters from dashboards where they do not apply --- packages/logstash/changelog.yml | 5 + .../elasticsearch/ingest_pipeline/default.yml | 20 + .../data_stream/pipeline/fields/fields.yml | 8 + packages/logstash/docs/README.md | 4 +- ...-4bbf4a50-6ece-11ee-910d-eb0006359086.json | 2 +- ...-4f60a1e0-6eab-11ee-86f6-d7074508d975.json | 2 +- ...-79270240-48ee-11ee-8cb5-99927777c522.json | 35 +- ...-8f8c78a0-6e9e-11ee-86f6-d7074508d975.json | 2 +- ...-9d450b10-4680-11ee-9ddc-919f87fe352d.json | 40 +- ...-a42d7060-45e6-11ee-957b-3720c0b0fbc5.json | 2 +- ...-b516a470-71ea-11ee-aadf-e577130ac888.json | 2 +- ...-b5234e70-6f54-11ee-910d-eb0006359086.json | 2 +- ...-bc1a8050-5ee1-11ee-8e78-bf6865bc3ffc.json | 726 +++++++----------- ...-c0594170-526a-11ee-9ecc-31444cb79548.json | 226 +++++- ...-ee860840-41ed-11ee-874b-fdb94cc3273a.json | 308 ++++---- ...-fe17b800-6eb4-11ee-86f6-d7074508d975.json | 2 +- packages/logstash/manifest.yml | 8 +- 17 files changed, 710 insertions(+), 684 deletions(-) diff --git a/packages/logstash/changelog.yml b/packages/logstash/changelog.yml index 382e9d10960..2f5b9b4fd84 100644 --- a/packages/logstash/changelog.yml +++ b/packages/logstash/changelog.yml 
@@ -1,4 +1,9 @@ # newer versions go on top +- version: "2.4.9" + changes: + - description: Add pipeline level worker utilization graphs, and remove incorrect flow metrics information + type: enhancement + link: https://github.com/elastic/integrations/pull/10107 - version: "2.4.8" changes: - description: Add guard against empty graph returned by Logstash API diff --git a/packages/logstash/data_stream/pipeline/elasticsearch/ingest_pipeline/default.yml b/packages/logstash/data_stream/pipeline/elasticsearch/ingest_pipeline/default.yml index 8ff364355a6..0976016ad2a 100644 --- a/packages/logstash/data_stream/pipeline/elasticsearch/ingest_pipeline/default.yml +++ b/packages/logstash/data_stream/pipeline/elasticsearch/ingest_pipeline/default.yml @@ -94,6 +94,26 @@ processors: - remove: ignore_missing: true field: logstash.pipeline.total.flow.worker_concurrency.last_24_hours + - remove: + ignore_missing: true + field: logstash.pipeline.total.flow.worker_concurrency.current + if: ctx.logstash?.pipeline?.total?.flow?.worker_concurrency?.current == "Infinity" + - remove: + ignore_missing: true + field: logstash.pipeline.total.flow.worker_utilization.last_1_minute + if: ctx.logstash?.pipeline?.total?.flow?.worker_utilization?.last_1_minute == "Infinity" + - remove: + ignore_missing: true + field: logstash.pipeline.total.flow.worker_utilization.last_5_minutes + - remove: + ignore_missing: true + field: logstash.pipeline.total.flow.worker_utilization.last_15_minutes + - remove: + ignore_missing: true + field: logstash.pipeline.total.flow.worker_utilization.last_1_hour + - remove: + ignore_missing: true + field: logstash.pipeline.total.flow.worker_utilization.last_24_hours - remove: ignore_missing: true field: logstash.pipeline.total.flow.filter_throughput.lifetime diff --git a/packages/logstash/data_stream/pipeline/fields/fields.yml b/packages/logstash/data_stream/pipeline/fields/fields.yml index de807ffc36e..b4dccd2453e 100644 
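Review bot: In the default.yml hunk the `Infinity` guard is added for `worker_concurrency.current` and `worker_utilization.last_1_minute`, but `worker_utilization.current`, which fields.yml in this same commit declares as `scaled_float`, gets no such guard. If Logstash can report that value as the string `Infinity`, as the neighbouring guards assume for the sibling fields, the document would fail to index on the numeric mapping. Adding a matching conditional remove for `worker_utilization.current` keeps the four flow fields consistent; the other four `worker_utilization.*` removes in this hunk are unconditional, which is consistent with the existing `last_24_hours` handling above them.
```yaml
# … unchanged: preceding remove processors …
  - remove:
      ignore_missing: true
      field: logstash.pipeline.total.flow.worker_utilization.current
      if: ctx.logstash?.pipeline?.total?.flow?.worker_utilization?.current == "Infinity"
```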
--- a/packages/logstash/data_stream/pipeline/fields/fields.yml +++ b/packages/logstash/data_stream/pipeline/fields/fields.yml @@ -76,7 +76,15 @@ - name: worker_concurrency.current type: scaled_float metric_type: gauge + description: last 1 minute value of the worker utilization flow metric + - name: worker_utilization.last_1_minute + metric_type: gauge + type: scaled_float description: current value of the worker concurrency flow metric + - name: worker_utilization.current + type: scaled_float + metric_type: gauge + description: last 1 minute value of the worker concurrency flow metric - name: worker_concurrency.last_1_minute metric_type: gauge type: scaled_float diff --git a/packages/logstash/docs/README.md b/packages/logstash/docs/README.md index b968d8ad0e1..31ee47039dd 100644 --- a/packages/logstash/docs/README.md +++ b/packages/logstash/docs/README.md 
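Review bot: The three `description:` lines in this hunk do not match the fields they sit under: `worker_concurrency.current` is described as "last 1 minute value of the worker utilization flow metric", `worker_utilization.last_1_minute` inherits the pre-existing "current value of the worker concurrency flow metric", and `worker_utilization.current` gets "last 1 minute value of the worker concurrency flow metric". Each description should name its own metric and window: `description: current value of the worker concurrency flow metric` under worker_concurrency.current, `description: last 1 minute value of the worker utilization flow metric` under worker_utilization.last_1_minute, and `description: current value of the worker utilization flow metric` under worker_utilization.current. The docs/README.md table in the following hunk is generated from these entries and carries the same mismatch, so it needs regenerating once the descriptions are corrected.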
@@ -897,8 +897,10 @@ This is the `pipeline` dataset, which drives the Pipeline dashboard pages. | logstash.pipeline.total.flow.queue_persisted_growth_bytes.last_1_minute | current value of the queue persisted growth bytes flow metric | scaled_float | | gauge | | logstash.pipeline.total.flow.queue_persisted_growth_events.current | current value of the queue persisted growth events flow metric | scaled_float | | gauge | | logstash.pipeline.total.flow.queue_persisted_growth_events.last_1_minute | current value of the queue persisted growth events flow metric | scaled_float | | gauge | -| logstash.pipeline.total.flow.worker_concurrency.current | current value of the worker concurrency flow metric | scaled_float | | gauge | +| logstash.pipeline.total.flow.worker_concurrency.current | last 1 minute value of the worker utilization flow metric | scaled_float | | gauge | | logstash.pipeline.total.flow.worker_concurrency.last_1_minute | current value of the worker concurrency flow metric | scaled_float | | gauge | +| logstash.pipeline.total.flow.worker_utilization.current | last 1 minute value of the worker concurrency flow metric | scaled_float | | gauge | +| logstash.pipeline.total.flow.worker_utilization.last_1_minute | current value of the worker concurrency flow metric | scaled_float | | gauge | | logstash.pipeline.total.queues.current_size.bytes | Current size of the PQ | long | byte | gauge | | logstash.pipeline.total.queues.events | Number of events in the PQ for this pipeline | long | | counter | | logstash.pipeline.total.queues.max_size.bytes | Maximum possible size of the PQ | long | | gauge | diff --git a/packages/logstash/kibana/dashboard/logstash-4bbf4a50-6ece-11ee-910d-eb0006359086.json b/packages/logstash/kibana/dashboard/logstash-4bbf4a50-6ece-11ee-910d-eb0006359086.json index a712c578c1e..9ae5d90d81a 100644 --- a/packages/logstash/kibana/dashboard/logstash-4bbf4a50-6ece-11ee-910d-eb0006359086.json 
+++ b/packages/logstash/kibana/dashboard/logstash-4bbf4a50-6ece-11ee-910d-eb0006359086.json @@ -1541,7 +1541,7 @@ "version": 1 }, "coreMigrationVersion": "8.8.0", - "created_at": "2023-10-26T14:38:12.893Z", + "created_at": "2024-06-12T18:52:56.240Z", "id": "logstash-4bbf4a50-6ece-11ee-910d-eb0006359086", "managed": true, "references": [ diff --git a/packages/logstash/kibana/dashboard/logstash-4f60a1e0-6eab-11ee-86f6-d7074508d975.json b/packages/logstash/kibana/dashboard/logstash-4f60a1e0-6eab-11ee-86f6-d7074508d975.json index 664db7e869b..66c5f0eb7f7 100644 --- a/packages/logstash/kibana/dashboard/logstash-4f60a1e0-6eab-11ee-86f6-d7074508d975.json +++ b/packages/logstash/kibana/dashboard/logstash-4f60a1e0-6eab-11ee-86f6-d7074508d975.json @@ -894,7 +894,7 @@ "version": 1 }, "coreMigrationVersion": "8.8.0", - "created_at": "2023-10-26T14:38:12.893Z", + "created_at": "2024-06-12T18:52:56.240Z", "id": "logstash-4f60a1e0-6eab-11ee-86f6-d7074508d975", "managed": true, "references": [ diff --git a/packages/logstash/kibana/dashboard/logstash-79270240-48ee-11ee-8cb5-99927777c522.json b/packages/logstash/kibana/dashboard/logstash-79270240-48ee-11ee-8cb5-99927777c522.json index a388edc7c49..3c597eaff93 100644 --- a/packages/logstash/kibana/dashboard/logstash-79270240-48ee-11ee-8cb5-99927777c522.json +++ b/packages/logstash/kibana/dashboard/logstash-79270240-48ee-11ee-8cb5-99927777c522.json 
@@ -4,7 +4,7 @@ "chainingSystem": "HIERARCHICAL", "controlStyle": "oneLine", "ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}", - "panelsJSON": "{\"5c0bd4d8-47ca-4a2f-a1ff-d9f4b55dfad0\":{\"type\":\"optionsListControl\",\"order\":0,\"grow\":true,\"width\":\"medium\",\"explicitInput\":{\"id\":\"5c0bd4d8-47ca-4a2f-a1ff-d9f4b55dfad0\",\"fieldName\":\"logstash.host.name\",\"title\":\"Logstash Host Name\",\"grow\":true,\"width\":\"medium\",\"enhancements\":{}}},\"c5cca387-507e-44a6-883f-0ab948c24319\":{\"type\":\"optionsListControl\",\"order\":1,\"grow\":true,\"width\":\"medium\",\"explicitInput\":{\"id\":\"c5cca387-507e-44a6-883f-0ab948c24319\",\"fieldName\":\"logstash.pipeline.name\",\"title\":\"Pipeline Name\",\"grow\":true,\"width\":\"medium\",\"enhancements\":{}}}}" + "panelsJSON": "{\"5c0bd4d8-47ca-4a2f-a1ff-d9f4b55dfad0\":{\"type\":\"optionsListControl\",\"order\":0,\"grow\":true,\"width\":\"medium\",\"explicitInput\":{\"id\":\"5c0bd4d8-47ca-4a2f-a1ff-d9f4b55dfad0\",\"fieldName\":\"logstash.host.name\",\"title\":\"Logstash Host Name\",\"grow\":true,\"width\":\"medium\",\"enhancements\":{}}}}" }, "description": "", "kibanaSavedObjectMeta": { @@ -59,8 +59,7 @@ "y": 0 }, "panelIndex": "67c48168-cf30-4dcb-a96e-8e0a38e6049d", - "type": "visualization", - "version": "8.10.1" + "type": "visualization" }, { "embeddableConfig": { @@ -129,8 +128,7 @@ }, "panelIndex": "0c5d0dc4-28b0-4875-a024-63fb45db1c37", "title": "Node Count", - "type": "lens", - "version": "8.10.1" + "type": "lens" }, { "embeddableConfig": { @@ -322,8 +320,7 @@ }, "panelIndex": "c38da400-a6af-4225-9e21-6ba4da521b43", "title": "Total JVM Heap Used", - "type": "lens", - "version": "8.10.1" + "type": "lens" }, { "embeddableConfig": { @@ -427,8 +424,7 @@ }, "panelIndex": "944396f6-413e-439e-9226-5fcf76247442", "title": "Total Events Received", - "type": "lens", - "version": "8.10.1" + "type": "lens" }, { "embeddableConfig": { 
@@ -532,8 +528,7 @@ }, "panelIndex": "22f8be07-6626-4fc6-a741-e095030bf543", "title": "Total Events Emitted", - "type": "lens", - "version": "8.10.1" + "type": "lens" }, { "embeddableConfig": { @@ -712,8 +707,7 @@ }, "panelIndex": "3df9851c-7ac3-4bed-ade1-7e3ee0509971", "title": "Events received per second", - "type": "lens", - "version": "8.10.1" + "type": "lens" }, { "embeddableConfig": { @@ -892,8 +886,7 @@ }, "panelIndex": "a66223a5-9fdb-4335-8012-4ae2748928ac", "title": "Events emitted per second", - "type": "lens", - "version": "8.10.1" + "type": "lens" }, { "embeddableConfig": { @@ -1147,8 +1140,7 @@ }, "panelIndex": "272e809f-0867-4ef2-aef3-626e954008c9", "title": "Events Latency (ms) average", - "type": "lens", - "version": "8.10.1" + "type": "lens" } ], "timeRestore": false, @@ -1156,9 +1148,9 @@ "version": 1 }, "coreMigrationVersion": "8.8.0", - "created_at": "2023-10-26T14:16:10.413Z", + "created_at": "2024-06-12T18:52:56.240Z", "id": "logstash-79270240-48ee-11ee-8cb5-99927777c522", - "managed": false, + "managed": true, "references": [ { "id": "logstash-sm-metrics", @@ -1204,11 +1196,6 @@ "id": "logstash-sm-metrics", "name": "controlGroup_5c0bd4d8-47ca-4a2f-a1ff-d9f4b55dfad0:optionsListDataView", "type": "index-pattern" - }, - { - "id": "logstash-sm-metrics", - "name": "controlGroup_c5cca387-507e-44a6-883f-0ab948c24319:optionsListDataView", - "type": "index-pattern" } ], "type": "dashboard", diff --git a/packages/logstash/kibana/dashboard/logstash-8f8c78a0-6e9e-11ee-86f6-d7074508d975.json b/packages/logstash/kibana/dashboard/logstash-8f8c78a0-6e9e-11ee-86f6-d7074508d975.json index 4a94202e719..25534cba265 100644 --- a/packages/logstash/kibana/dashboard/logstash-8f8c78a0-6e9e-11ee-86f6-d7074508d975.json +++ b/packages/logstash/kibana/dashboard/logstash-8f8c78a0-6e9e-11ee-86f6-d7074508d975.json 
@@ -697,7 +697,7 @@ "version": 1 }, "coreMigrationVersion": "8.8.0", - "created_at": "2023-10-26T14:38:12.893Z", + "created_at": "2024-06-12T18:52:56.240Z", "id": "logstash-8f8c78a0-6e9e-11ee-86f6-d7074508d975", "managed": true, "references": [ diff --git a/packages/logstash/kibana/dashboard/logstash-9d450b10-4680-11ee-9ddc-919f87fe352d.json b/packages/logstash/kibana/dashboard/logstash-9d450b10-4680-11ee-9ddc-919f87fe352d.json index 383b7a5c714..666669100a1 100644 --- a/packages/logstash/kibana/dashboard/logstash-9d450b10-4680-11ee-9ddc-919f87fe352d.json +++ b/packages/logstash/kibana/dashboard/logstash-9d450b10-4680-11ee-9ddc-919f87fe352d.json @@ -4,7 +4,7 @@ "chainingSystem": "HIERARCHICAL", "controlStyle": "oneLine", "ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}", - "panelsJSON": "{\"f8e0eae3-62e0-4539-87d6-523e89a8213e\":{\"type\":\"optionsListControl\",\"order\":0,\"grow\":true,\"width\":\"medium\",\"explicitInput\":{\"id\":\"f8e0eae3-62e0-4539-87d6-523e89a8213e\",\"fieldName\":\"logstash.host.name\",\"title\":\"Logstash Host Name\",\"grow\":true,\"width\":\"medium\",\"enhancements\":{},\"selectedOptions\":[]}},\"25b6ddfd-e372-4344-827b-c81461088031\":{\"type\":\"optionsListControl\",\"order\":1,\"grow\":true,\"width\":\"medium\",\"explicitInput\":{\"id\":\"25b6ddfd-e372-4344-827b-c81461088031\",\"fieldName\":\"logstash.pipeline.name\",\"title\":\"Pipeline Name\",\"grow\":true,\"width\":\"medium\",\"enhancements\":{}}}}" + "panelsJSON": "{\"73fdfb3a-3e86-499a-93f1-993479254e4e\":{\"type\":\"optionsListControl\",\"order\":0,\"grow\":true,\"width\":\"medium\",\"explicitInput\":{\"id\":\"73fdfb3a-3e86-499a-93f1-993479254e4e\",\"fieldName\":\"logstash.host.name\",\"title\":\"Logstash Host Name\",\"grow\":true,\"width\":\"medium\",\"enhancements\":{}}}}" }, "description": "", "kibanaSavedObjectMeta": { 
@@ -43,7 +43,7 @@ "id": "", "params": { "fontSize": 12, - "markdown": "**Navigation** \n\n**Logstash Overview**\n\n[Overview](/app/dashboards#/view/logstash-79270240-48ee-11ee-8cb5-99927777c522) \n[Nodes Overview](/app/dashboards#/view/logstash-ee860840-41ed-11ee-874b-fdb94cc3273a) \n**[Node Overview](/app/dashboards#/view/logstash-9d450b10-4680-11ee-9ddc-919f87fe352d)** \n[Node Overview Advanced View](/app/dashboards#/view/logstash-a42d7060-45e6-11ee-957b-3720c0b0fbc5) \n\n[Pipelines Overview](/app/dashboards#/view/logstash-c0594170-526a-11ee-9ecc-31444cb79548) \n[Pipeline Details Overview](/app/dashboards#/view/logstash-bc1a8050-5ee1-11ee-8e78-bf6865bc3ffc)\n\nOverview\n\nThis Dashboard gives a view of the overall performance of a single Logstash Node. Should be used in conjunction with the node name\nfilter", + "markdown": "**Navigation** \n\n**Logstash Overview**\n\n[Overview](/app/dashboards#/view/logstash-79270240-48ee-11ee-8cb5-99927777c522) \n[Nodes Overview](/app/dashboards#/view/logstash-ee860840-41ed-11ee-874b-fdb94cc3273a) \n**[Node Overview](/app/dashboards#/view/logstash-9d450b10-4680-11ee-9ddc-919f87fe352d)** \n[Node Overview Advanced View](/app/dashboards#/view/logstash-a42d7060-45e6-11ee-957b-3720c0b0fbc5) \n\n[Pipelines Overview](/app/dashboards#/view/logstash-c0594170-526a-11ee-9ecc-31444cb79548) \n[Pipeline Details Overview](/app/dashboards#/view/logstash-bc1a8050-5ee1-11ee-8e78-bf6865bc3ffc)\n\nOverview\n\nThis Dashboard gives a view of the overall performance of a single Logstash Node. Should be used in conjunction with the node name filter", "openLinksInNewTab": false }, "title": "", @@ -59,8 +59,7 @@ "y": 0 }, "panelIndex": "c2c433cf-50ce-4530-86e5-f82a240c57b8", - "type": "visualization", - "version": "8.10.1" + "type": "visualization" }, { "embeddableConfig": { @@ -347,8 +346,7 @@ }, "panelIndex": "73a755c6-89a3-4f34-8daf-83feef5caa28", "title": "", - "type": "lens", - "version": "8.10.1" + "type": "lens" }, { "embeddableConfig": { 
@@ -505,8 +503,7 @@ }, "panelIndex": "63747092-edb6-4864-a9ad-27e5bdce2ad2", "title": "Events received per second", - "type": "lens", - "version": "8.10.1" + "type": "lens" }, { "embeddableConfig": { @@ -675,8 +672,7 @@ }, "panelIndex": "9ea7a32a-ee7e-45d4-b0cf-273278e52cae", "title": "JVM Heap (MB)", - "type": "lens", - "version": "8.10.1" + "type": "lens" }, { "embeddableConfig": { @@ -833,8 +829,7 @@ }, "panelIndex": "bac81244-9c35-4cf9-8ed4-3c7082a255ae", "title": "Events emitted per second", - "type": "lens", - "version": "8.10.1" + "type": "lens" }, { "embeddableConfig": { @@ -973,8 +968,7 @@ }, "panelIndex": "5a43f153-bec9-4420-96f8-0c2d4b032a43", "title": "Process CPU Utilization (%)", - "type": "lens", - "version": "8.10.1" + "type": "lens" }, { "embeddableConfig": { @@ -1205,8 +1199,7 @@ }, "panelIndex": "5af28ec8-a9f0-49cb-9627-e13c0ac5ca1d", "title": "Events Latency (ms)", - "type": "lens", - "version": "8.10.1" + "type": "lens" }, { "embeddableConfig": { @@ -1345,8 +1338,7 @@ }, "panelIndex": "c6fb1dc0-c51d-4c00-903c-d90ad3b77ce1", "title": "System Load", - "type": "lens", - "version": "8.10.1" + "type": "lens" }, { "embeddableConfig": { @@ -1553,8 +1545,7 @@ }, "panelIndex": "87bc08bb-a0ca-4f82-8943-a141aaef3248", "title": "Running Pipelines", - "type": "lens", - "version": "8.10.1" + "type": "lens" } ], "timeRestore": false, @@ -1562,7 +1553,7 @@ "version": 1 }, "coreMigrationVersion": "8.8.0", - "created_at": "2023-10-26T14:38:12.893Z", + "created_at": "2024-06-12T18:52:56.240Z", "id": "logstash-9d450b10-4680-11ee-9ddc-919f87fe352d", "managed": true, "references": [ 
@@ -1613,12 +1604,7 @@ }, { "id": "logstash-sm-metrics", - "name": "controlGroup_f8e0eae3-62e0-4539-87d6-523e89a8213e:optionsListDataView", - "type": "index-pattern" - }, - { - "id": "logstash-sm-metrics", - "name": "controlGroup_25b6ddfd-e372-4344-827b-c81461088031:optionsListDataView", + "name": "controlGroup_73fdfb3a-3e86-499a-93f1-993479254e4e:optionsListDataView", "type": "index-pattern" } ], diff --git a/packages/logstash/kibana/dashboard/logstash-a42d7060-45e6-11ee-957b-3720c0b0fbc5.json b/packages/logstash/kibana/dashboard/logstash-a42d7060-45e6-11ee-957b-3720c0b0fbc5.json index 0f46ef9f5b9..b4eb3eb02ca 100644 --- a/packages/logstash/kibana/dashboard/logstash-a42d7060-45e6-11ee-957b-3720c0b0fbc5.json +++ b/packages/logstash/kibana/dashboard/logstash-a42d7060-45e6-11ee-957b-3720c0b0fbc5.json @@ -1759,7 +1759,7 @@ "version": 1 }, "coreMigrationVersion": "8.8.0", - "created_at": "2023-10-26T14:51:18.875Z", + "created_at": "2024-06-05T19:53:56.470Z", "id": "logstash-a42d7060-45e6-11ee-957b-3720c0b0fbc5", "managed": false, "references": [ diff --git a/packages/logstash/kibana/dashboard/logstash-b516a470-71ea-11ee-aadf-e577130ac888.json b/packages/logstash/kibana/dashboard/logstash-b516a470-71ea-11ee-aadf-e577130ac888.json index 353325e7886..009d9b97fb8 100644 --- a/packages/logstash/kibana/dashboard/logstash-b516a470-71ea-11ee-aadf-e577130ac888.json +++ b/packages/logstash/kibana/dashboard/logstash-b516a470-71ea-11ee-aadf-e577130ac888.json @@ -1218,7 +1218,7 @@ "version": 1 }, "coreMigrationVersion": "8.8.0", - "created_at": "2023-10-26T14:38:12.893Z", + "created_at": "2024-06-12T18:52:56.240Z", "id": "logstash-b516a470-71ea-11ee-aadf-e577130ac888", "managed": true, "references": [ diff --git a/packages/logstash/kibana/dashboard/logstash-b5234e70-6f54-11ee-910d-eb0006359086.json b/packages/logstash/kibana/dashboard/logstash-b5234e70-6f54-11ee-910d-eb0006359086.json index 12f39d35d73..3aa953e34ba 100644 
--- a/packages/logstash/kibana/dashboard/logstash-b5234e70-6f54-11ee-910d-eb0006359086.json +++ b/packages/logstash/kibana/dashboard/logstash-b5234e70-6f54-11ee-910d-eb0006359086.json @@ -1218,7 +1218,7 @@ "version": 1 }, "coreMigrationVersion": "8.8.0", - "created_at": "2023-10-26T14:38:12.893Z", + "created_at": "2024-06-12T18:52:56.240Z", "id": "logstash-b5234e70-6f54-11ee-910d-eb0006359086", "managed": true, "references": [ diff --git a/packages/logstash/kibana/dashboard/logstash-bc1a8050-5ee1-11ee-8e78-bf6865bc3ffc.json b/packages/logstash/kibana/dashboard/logstash-bc1a8050-5ee1-11ee-8e78-bf6865bc3ffc.json index 8e1aa8597aa..23313cd48ab 100644 --- a/packages/logstash/kibana/dashboard/logstash-bc1a8050-5ee1-11ee-8e78-bf6865bc3ffc.json +++ b/packages/logstash/kibana/dashboard/logstash-bc1a8050-5ee1-11ee-8e78-bf6865bc3ffc.json 
@@ -4,7 +4,7 @@ "chainingSystem": "HIERARCHICAL", "controlStyle": "oneLine", "ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}", - "panelsJSON": "{\"429cdb8b-f9d9-45b0-bf04-2fca76ad3cd8\":{\"type\":\"optionsListControl\",\"order\":1,\"grow\":true,\"width\":\"medium\",\"explicitInput\":{\"id\":\"429cdb8b-f9d9-45b0-bf04-2fca76ad3cd8\",\"fieldName\":\"logstash.pipeline.name\",\"title\":\"Pipeline Name\",\"selectedOptions\":[],\"enhancements\":{},\"existsSelected\":false}},\"497f4765-376b-4a02-9982-0e8bf9a0b1ef\":{\"type\":\"optionsListControl\",\"order\":0,\"grow\":true,\"width\":\"medium\",\"explicitInput\":{\"id\":\"497f4765-376b-4a02-9982-0e8bf9a0b1ef\",\"fieldName\":\"logstash.host.name\",\"title\":\"Logstash Host Name\",\"grow\":true,\"width\":\"medium\",\"enhancements\":{},\"selectedOptions\":[],\"existsSelected\":false}}}" + "panelsJSON": "{\"94cc8a2a-a81e-451b-891b-407075069331\":{\"type\":\"optionsListControl\",\"order\":1,\"grow\":true,\"width\":\"medium\",\"explicitInput\":{\"id\":\"94cc8a2a-a81e-451b-891b-407075069331\",\"fieldName\":\"logstash.pipeline.name\",\"title\":\"Pipeline Name\",\"grow\":true,\"width\":\"medium\",\"enhancements\":{},\"selectedOptions\":[]}},\"73fdfb3a-3e86-499a-93f1-993479254e4e\":{\"type\":\"optionsListControl\",\"order\":0,\"grow\":true,\"width\":\"medium\",\"explicitInput\":{\"id\":\"73fdfb3a-3e86-499a-93f1-993479254e4e\",\"fieldName\":\"logstash.host.name\",\"title\":\"Logstash Host Name\",\"grow\":true,\"width\":\"medium\",\"enhancements\":{}}}}" }, "description": "", "kibanaSavedObjectMeta": { 
@@ -41,7 +41,7 @@ "description": "", "params": { "fontSize": 12, - "markdown": "**Navigation** \n\n**Logstash Overview**\n\n[Overview](/app/dashboards#/view/logstash-79270240-48ee-11ee-8cb5-99927777c522) \n[Nodes Overview](/app/dashboards#/view/logstash-ee860840-41ed-11ee-874b-fdb94cc3273a) \n[Node Overview](/app/dashboards#/view/logstash-9d450b10-4680-11ee-9ddc-919f87fe352d) \n[Node Overview Advanced View](/app/dashboards#/view/logstash-a42d7060-45e6-11ee-957b-3720c0b0fbc5) \n\n[Pipelines Overview](/app/dashboards#/view/logstash-c0594170-526a-11ee-9ecc-31444cb79548) \n**[Pipeline Details Overview](/app/dashboards#/view/logstash-bc1a8050-5ee1-11ee-8e78-bf6865bc3ffc)** \n\n\nOverview\n\nThis Dashboard gives a detailed view of a Logstash pipeline. \n \nUse the filters to drill down on individual nodes and pipelines.\n \nPlugin drilldowns are available by clicking on the plugin in the table views for inputs, filters and outputs. \n\nSpecialized drilldowns are available for the dissect and grok filters, and the elasticsearch output. \n\n", + "markdown": "**Navigation** \n\n**Logstash Overview**\n\n[Overview](/app/dashboards#/view/logstash-79270240-48ee-11ee-8cb5-99927777c522) \n[Nodes Overview](/app/dashboards#/view/logstash-ee860840-41ed-11ee-874b-fdb94cc3273a) \n[Node Overview](/app/dashboards#/view/logstash-9d450b10-4680-11ee-9ddc-919f87fe352d) \n[Node Overview Advanced View](/app/dashboards#/view/logstash-a42d7060-45e6-11ee-957b-3720c0b0fbc5) \n\n[Pipelines Overview](/app/dashboards#/view/logstash-c0594170-526a-11ee-9ecc-31444cb79548) \n**[Pipeline Details Overview](/app/dashboards#/view/logstash-bc1a8050-5ee1-11ee-8e78-bf6865bc3ffc)** \n\n\nOverview\n\nThis Dashboard gives a detailed view of a Logstash pipeline.\n \nUse the filters to drill down on individual nodes and pipelines. This view works best when focused on a single pipeline.\n \nPlugin drilldowns are available by clicking on the plugin in the table views for inputs, filters and outputs. 
\n\nSpecialized drilldowns are available for the dissect and grok filters, and the elasticsearch output. \n\n", "openLinksInNewTab": false }, "title": "", @@ -58,8 +58,7 @@ }, "panelIndex": "1b7d4c91-b582-4639-a771-7853e72a94b6", "title": "Logstash Nav Panel", - "type": "visualization", - "version": "8.10.1" + "type": "visualization" }, { "embeddableConfig": { @@ -184,8 +183,7 @@ "y": 0 }, "panelIndex": "9a756479-5952-441e-beff-e0896500ca39", - "type": "lens", - "version": "8.10.1" + "type": "lens" }, { "embeddableConfig": { @@ -294,8 +292,7 @@ "y": 0 }, "panelIndex": "b48c9b95-bcc4-4bde-b41d-630a4f31b26e", - "type": "lens", - "version": "8.10.1" + "type": "lens" }, { "embeddableConfig": { 
@@ -404,8 +401,212 @@ "y": 0 }, "panelIndex": "6da9466a-ede0-44b6-a2e7-d704065bb90b", - "type": "lens", - "version": "8.10.1" + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logstash-sm-metrics", + "name": "indexpattern-datasource-layer-4d13c1a7-6b92-47fe-8baf-7ca505bd9fda", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logstash-sm-metrics", + "layers": { + "4d13c1a7-6b92-47fe-8baf-7ca505bd9fda": { + "columnOrder": [ + "31515c2b-a1f2-4da6-a5f7-f6f2ad8bc7d3", + "1c9f4a0d-3d6f-4126-afbb-ba4745e565d5", + "d9cd1ee6-586c-41b4-9d5f-976cd8eececf", + "d9cd1ee6-586c-41b4-9d5f-976cd8eececfX0", + "d9cd1ee6-586c-41b4-9d5f-976cd8eececfX1" + ], + "columns": { + "1c9f4a0d-3d6f-4126-afbb-ba4745e565d5": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "31515c2b-a1f2-4da6-a5f7-f6f2ad8bc7d3": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Pipeline Name", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderAgg": { + "dataType": "number", + "filter": { + "language": "kuery", + "query": "\"logstash.pipeline.total.flow.worker_utilization.last_1_minute\": *" + }, + "isBucketed": false, + "label": "Last value of logstash.pipeline.total.flow.worker_utilization.last_1_minute", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "logstash.pipeline.total.flow.worker_utilization.last_1_minute" + }, + "orderBy": { + "type": "custom" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": 
"terms" + }, + "secondaryFields": [], + "size": 10 + }, + "scale": "ordinal", + "sourceField": "logstash.host.name" + }, + "d9cd1ee6-586c-41b4-9d5f-976cd8eececf": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Worker Utilization", + "operationType": "formula", + "params": { + "format": { + "id": "percent", + "params": { + "decimals": 2 + } + }, + "formula": "last_value(logstash.pipeline.total.flow.worker_utilization.last_1_minute)/100", + "isFormulaBroken": false + }, + "references": [ + "d9cd1ee6-586c-41b4-9d5f-976cd8eececfX1" + ], + "scale": "ratio" + }, + "d9cd1ee6-586c-41b4-9d5f-976cd8eececfX0": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "\"logstash.pipeline.total.flow.worker_utilization.last_1_minute\": *" + }, + "isBucketed": false, + "label": "Part of Worker Utilization", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "logstash.pipeline.total.flow.worker_utilization.last_1_minute" + }, + "d9cd1ee6-586c-41b4-9d5f-976cd8eececfX1": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Part of Worker Utilization", + "operationType": "math", + "params": { + "tinymathAst": { + "args": [ + "d9cd1ee6-586c-41b4-9d5f-976cd8eececfX0", + 100 + ], + "location": { + "max": 77, + "min": 0 + }, + "name": "divide", + "text": "last_value(logstash.pipeline.total.flow.worker_utilization.last_1_minute)/100", + "type": "function" + } + }, + "references": [ + "d9cd1ee6-586c-41b4-9d5f-976cd8eececfX0" + ], + "scale": "ratio" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "indexPatternId": "logstash-sm-metrics", + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "accessors": [ 
+ "d9cd1ee6-586c-41b4-9d5f-976cd8eececf" + ], + "layerId": "4d13c1a7-6b92-47fe-8baf-7ca505bd9fda", + "layerType": "data", + "position": "top", + "seriesType": "line", + "showGridlines": false, + "splitAccessor": "31515c2b-a1f2-4da6-a5f7-f6f2ad8bc7d3", + "xAccessor": "1c9f4a0d-3d6f-4126-afbb-ba4745e565d5" + } + ], + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "line", + "title": "Empty XY chart", + "valueLabels": "hide" + } + }, + "title": "Average Time processed per event (ms)", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {} + }, + "gridData": { + "h": 12, + "i": "6f7df80f-6315-417a-8b95-bbcdc938e4df", + "w": 40, + "x": 8, + "y": 5 + }, + "panelIndex": "6f7df80f-6315-417a-8b95-bbcdc938e4df", + "title": "Worker Utilization (%)", + "type": "lens" }, { "embeddableConfig": { @@ -651,12 +852,11 @@ "i": "7d85767a-5dbb-4704-8716-1d4c30a5f675", "w": 40, "x": 8, - "y": 5 + "y": 17 }, "panelIndex": "7d85767a-5dbb-4704-8716-1d4c30a5f675", "title": "Average Time processed per event (ms)", - "type": "lens", - "version": "8.10.1" + "type": "lens" }, { "embeddableConfig": { @@ -814,12 +1014,11 @@ "i": "f03395de-a163-4204-ac82-83c0ea542eeb", "w": 20, "x": 8, - "y": 17 + "y": 29 }, "panelIndex": "f03395de-a163-4204-ac82-83c0ea542eeb", "title": "Events received per second", - "type": "lens", - "version": "8.10.1" + "type": "lens" }, { "embeddableConfig": { @@ -1057,12 +1256,11 @@ "i": "5171ef08-d301-4a9c-832b-40f41c9ad24d", "w": 20, "x": 28, - "y": 17 + "y": 29 }, "panelIndex": "5171ef08-d301-4a9c-832b-40f41c9ad24d", "title": "Persistent Queue utilization (%)", - "type": "lens", - "version": "8.10.1" + "type": "lens" }, { "embeddableConfig": { 
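Review bot: In the new Worker Utilization panel (panelIndex 6f7df80f-…), the terms split column 31515c2b-… carries `"label": "Pipeline Name"` while its `"sourceField"` is `"logstash.host.name"`, so the series in the legend will be keyed by host under a label that promises pipelines; one of the two should change, most likely the label to `"label": "Logstash Host Name"` unless the chart is meant to split by `logstash.pipeline.name`, which is what this Pipeline Details dashboard's other control filters on — confirm the intent. The embedded Lens `attributes.title` is still `"Average Time processed per event (ms)"`, evidently copied from the adjacent panel 7d85767a-…, although the panel title is `"Worker Utilization (%)"`; setting the attribute to `"title": "Worker Utilization (%)"` keeps the saved object consistent when the panel is opened in the Lens editor. The visualization block's `"title": "Empty XY chart"` is a leftover default as well and can be given the same name.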
@@ -1220,12 +1418,11 @@ "i": "4fad1f03-99d3-4834-a6c4-bea283178567", "w": 20, "x": 8, - "y": 26 + "y": 38 }, "panelIndex": "4fad1f03-99d3-4834-a6c4-bea283178567", "title": "Events emitted per second", - "type": "lens", - "version": "8.10.1" + "type": "lens" }, { "embeddableConfig": { @@ -1388,12 +1585,11 @@ "i": "a3444242-6e3e-4959-8815-43e65b3e8d69", "w": 20, "x": 28, - "y": 26 + "y": 38 }, "panelIndex": "a3444242-6e3e-4959-8815-43e65b3e8d69", "title": "Persistent Queue size (events)", - "type": "lens", - "version": "8.10.1" + "type": "lens" }, { "embeddableConfig": { @@ -1425,12 +1621,11 @@ "i": "681d5f97-e2f4-4a74-9710-7e75bb73fea8", "w": 24, "x": 16, - "y": 35 + "y": 47 }, "panelIndex": "681d5f97-e2f4-4a74-9710-7e75bb73fea8", "title": "Plugins", - "type": "visualization", - "version": "8.10.1" + "type": "visualization" }, { "embeddableConfig": { @@ -1447,6 +1642,7 @@ "adHocDataViews": {}, "datasourceStates": { "formBased": { + "currentIndexPatternId": "logstash-sm-metrics", "layers": { "df79554f-08e3-4f7f-b438-80bc81e14637": { "columnOrder": [ @@ -1457,7 +1653,6 @@ "d172976a-5c43-46b7-9d96-44ac40134cbe", "3bdc4103-5313-4e00-a407-de5b7fde820c", "8db4855c-0536-4cf8-84bd-eb8af3b72829", - "a175cdde-215b-441e-84d6-ceab03b1495d", "d172976a-5c43-46b7-9d96-44ac40134cbeX0", "d172976a-5c43-46b7-9d96-44ac40134cbeX1", "3bdc4103-5313-4e00-a407-de5b7fde820cX0", @@ -1484,10 +1679,10 @@ "includeIsRegex": false, "missingBucket": false, "orderBy": { - "columnId": "a175cdde-215b-441e-84d6-ceab03b1495d", - "type": "column" + "fallback": true, + "type": "alphabetical" }, - "orderDirection": "desc", + "orderDirection": "asc", "otherBucket": true, "parentFormat": { "id": "terms" 
@@ -1510,10 +1705,10 @@ "includeIsRegex": false, "missingBucket": false, "orderBy": { - "columnId": "a175cdde-215b-441e-84d6-ceab03b1495d", - "type": "column" + "fallback": true, + "type": "alphabetical" }, - "orderDirection": "desc", + "orderDirection": "asc", "otherBucket": true, "parentFormat": { "id": "terms" @@ -1595,10 +1790,10 @@ "includeIsRegex": false, "missingBucket": false, "orderBy": { - "columnId": "a175cdde-215b-441e-84d6-ceab03b1495d", - "type": "column" + "fallback": true, + "type": "alphabetical" }, - "orderDirection": "desc", + "orderDirection": "asc", "otherBucket": true, "parentFormat": { "id": "terms" @@ -1727,28 +1922,6 @@ ], "scale": "ratio" }, - "a175cdde-215b-441e-84d6-ceab03b1495d": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "\"logstash.pipeline.plugin.input.flow.throughput.last_1_minute\": *" - }, - "isBucketed": false, - "label": "Throughput flow", - "operationType": "last_value", - "params": { - "format": { - "id": "number", - "params": { - "decimals": 3 - } - }, - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "logstash.pipeline.plugin.input.flow.throughput.last_1_minute" - }, "d172976a-5c43-46b7-9d96-44ac40134cbe": { "customLabel": true, "dataType": "number", @@ -1790,6 +1963,7 @@ } }, "incompleteColumns": {}, + "indexPatternId": "logstash-sm-metrics", "sampling": 1 } } @@ -1896,40 +2070,6 @@ "type": "palette" } }, - { - "alignment": "center", - "colorMode": "cell", - "columnId": "a175cdde-215b-441e-84d6-ceab03b1495d", - "isTransposed": false, - "palette": { - "name": "positive", - "params": { - "stops": [ - { - "color": "#d6e9e4", - "stop": 20 - }, - { - "color": "#aed3ca", - "stop": 40 - }, - { - "color": "#85bdb1", - "stop": 60 - }, - { - "color": "#5aa898", - "stop": 80 - }, - { - "color": "#209280", - "stop": 100 - } - ] - }, - "type": "palette" - } - }, { "alignment": "center", "columnId": "245e3126-537a-4644-b6b3-9a33800dfb91", 
@@ -2012,11 +2152,10 @@ "i": "9a34af7e-5f12-49b4-86e0-5577203711eb", "w": 40, "x": 8, - "y": 39 + "y": 51 }, "panelIndex": "9a34af7e-5f12-49b4-86e0-5577203711eb", - "type": "lens", - "version": "8.10.1" + "type": "lens" }, { "embeddableConfig": { @@ -2216,12 +2355,11 @@ "i": "f94ee279-63d8-45de-bfa0-9c93416b9752", "w": 40, "x": 8, - "y": 46 + "y": 58 }, "panelIndex": "f94ee279-63d8-45de-bfa0-9c93416b9752", "title": "Time spent pushing to queues", - "type": "lens", - "version": "8.10.1" + "type": "lens" }, { "embeddableConfig": { @@ -2425,12 +2563,11 @@ "i": "1eabaf75-95dd-4cae-95d5-f00efe978872", "w": 20, "x": 8, - "y": 55 + "y": 67 }, "panelIndex": "1eabaf75-95dd-4cae-95d5-f00efe978872", "title": "Events emitted per second", - "type": "lens", - "version": "8.10.1" + "type": "lens" }, { "embeddableConfig": { @@ -2596,12 +2733,11 @@ "i": "3470dd76-7ebd-4b19-a3de-fa0082a72ee5", "w": 20, "x": 28, - "y": 55 + "y": 67 }, "panelIndex": "3470dd76-7ebd-4b19-a3de-fa0082a72ee5", "title": "Input Flow", - "type": "lens", - "version": "8.10.1" + "type": "lens" }, { "embeddableConfig": { @@ -2634,12 +2770,11 @@ "i": "7f5bcb0f-394c-4bbd-b17a-c163a28a9315", "w": 24, "x": 16, - "y": 64 + "y": 76 }, "panelIndex": "7f5bcb0f-394c-4bbd-b17a-c163a28a9315", "title": "Plugins", - "type": "visualization", - "version": "8.10.1" + "type": "visualization" }, { "embeddableConfig": { @@ -2656,6 +2791,7 @@ "adHocDataViews": {}, "datasourceStates": { "formBased": { + "currentIndexPatternId": "logstash-sm-metrics", "layers": { "df79554f-08e3-4f7f-b438-80bc81e14637": { "columnOrder": [ @@ -2667,8 +2803,6 @@ "d172976a-5c43-46b7-9d96-44ac40134cbe", "56e40393-65fa-403e-b757-05ae1fc04063", "3bdc4103-5313-4e00-a407-de5b7fde820c", - "5f2a9ea0-38a8-403a-bf56-5792745b0b7a", - "6fdcaadf-6c83-43f1-9f65-b148037b7aab", "d172976a-5c43-46b7-9d96-44ac40134cbeX0", "d172976a-5c43-46b7-9d96-44ac40134cbeX1", "3bdc4103-5313-4e00-a407-de5b7fde820cX0", 
@@ -2736,10 +2870,10 @@ "includeIsRegex": false, "missingBucket": false, "orderBy": { - "columnId": "5f2a9ea0-38a8-403a-bf56-5792745b0b7a", - "type": "column" + "fallback": true, + "type": "alphabetical" }, - "orderDirection": "desc", + "orderDirection": "asc", "otherBucket": true, "parentFormat": { "id": "terms" @@ -2927,28 +3061,6 @@ ], "scale": "ratio" }, - "5f2a9ea0-38a8-403a-bf56-5792745b0b7a": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "\"logstash.pipeline.plugin.filter.flow.worker_millis_per_event.last_1_minute\": *" - }, - "isBucketed": false, - "label": "Worker millis per event", - "operationType": "last_value", - "params": { - "format": { - "id": "number", - "params": { - "decimals": 2 - } - }, - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "logstash.pipeline.plugin.filter.flow.worker_millis_per_event.last_1_minute" - }, "65ca78d2-d895-4db6-bec3-7e110bd0030b": { "customLabel": true, "dataType": "string", @@ -2989,28 +3101,6 @@ "scale": "ordinal", "sourceField": "logstash.pipeline.plugin.filter.name" }, - "6fdcaadf-6c83-43f1-9f65-b148037b7aab": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "\"logstash.pipeline.plugin.filter.flow.worker_utilization.last_1_minute\": *" - }, - "isBucketed": false, - "label": "Worker utilization", - "operationType": "last_value", - "params": { - "format": { - "id": "number", - "params": { - "decimals": 3 - } - }, - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "logstash.pipeline.plugin.filter.flow.worker_utilization.last_1_minute" - }, "8914109f-497d-4293-8692-dbdddffbf42f": { "customLabel": true, "dataType": "number", @@ -3074,6 +3164,7 @@ } }, "incompleteColumns": {}, + "indexPatternId": "logstash-sm-metrics", "sampling": 1 } } 
@@ -3237,107 +3328,6 @@ "type": "palette" } }, - { - "alignment": "center", - "colorMode": "cell", - "columnId": "5f2a9ea0-38a8-403a-bf56-5792745b0b7a", - "isTransposed": false, - "palette": { - "name": "custom", - "params": { - "colorStops": [ - { - "color": "#209280", - "stop": 0 - }, - { - "color": "#54b399", - "stop": 20 - }, - { - "color": "#d6bf57", - "stop": 40 - }, - { - "color": "#e7664c", - "stop": 60 - }, - { - "color": "#cc5642", - "stop": 80 - } - ], - "continuity": "above", - "name": "custom", - "rangeMax": null, - "rangeMin": 0, - "reverse": false, - "steps": 5, - "stops": [ - { - "color": "#209280", - "stop": 20 - }, - { - "color": "#54b399", - "stop": 40 - }, - { - "color": "#d6bf57", - "stop": 60 - }, - { - "color": "#e7664c", - "stop": 80 - }, - { - "color": "#cc5642", - "stop": 100 - } - ] - }, - "type": "palette" - } - }, - { - "alignment": "center", - "colorMode": "cell", - "columnId": "6fdcaadf-6c83-43f1-9f65-b148037b7aab", - "isTransposed": false, - "palette": { - "name": "status", - "params": { - "continuity": "above", - "name": "status", - "rangeMax": null, - "rangeMin": 0, - "reverse": false, - "stops": [ - { - "color": "#209280", - "stop": 0 - }, - { - "color": "#54b399", - "stop": 20 - }, - { - "color": "#d6bf57", - "stop": 40 - }, - { - "color": "#e7664c", - "stop": 60 - }, - { - "color": "#cc5642", - "stop": 80 - } - ] - }, - "type": "palette" - } - }, { "alignment": "center", "colorMode": "cell", @@ -3407,11 +3397,7 @@ } ], "layerId": "df79554f-08e3-4f7f-b438-80bc81e14637", - "layerType": "data", - "sorting": { - "columnId": "6fdcaadf-6c83-43f1-9f65-b148037b7aab", - "direction": "desc" - } + "layerType": "data" } }, "title": "", @@ -3476,11 +3462,10 @@ "i": "97bcb728-f0e5-4047-aade-2ef56bd33c22", "w": 40, "x": 8, - "y": 68 + "y": 80 }, "panelIndex": "97bcb728-f0e5-4047-aade-2ef56bd33c22", - "type": "lens", - "version": "8.10.1" + "type": "lens" }, { "embeddableConfig": { 
@@ -3762,12 +3747,11 @@ "i": "f8033492-7353-4564-83d5-6715e387f9ac", "w": 40, "x": 8, - "y": 82 + "y": 94 }, "panelIndex": "f8033492-7353-4564-83d5-6715e387f9ac", "title": "Average time spent processing each event", - "type": "lens", - "version": "8.10.1" + "type": "lens" }, { "embeddableConfig": { @@ -3971,12 +3955,11 @@ "i": "d6db9db8-7da0-435c-8118-9d0c36d2573d", "w": 20, "x": 8, - "y": 92 + "y": 104 }, "panelIndex": "d6db9db8-7da0-435c-8118-9d0c36d2573d", "title": "Events received per second", - "type": "lens", - "version": "8.10.1" + "type": "lens" }, { "embeddableConfig": { @@ -4177,12 +4160,11 @@ "i": "03d92828-8549-4cd9-a7ea-12f25502cef1", "w": 20, "x": 28, - "y": 92 + "y": 104 }, "panelIndex": "03d92828-8549-4cd9-a7ea-12f25502cef1", "title": "Worker utilization", - "type": "lens", - "version": "8.10.1" + "type": "lens" }, { "embeddableConfig": { @@ -4386,12 +4368,11 @@ "i": "55b1238e-1f8e-4b73-8dfc-906aa2eecbb6", "w": 20, "x": 8, - "y": 103 + "y": 115 }, "panelIndex": "55b1238e-1f8e-4b73-8dfc-906aa2eecbb6", "title": "Events emitted per second", - "type": "lens", - "version": "8.10.1" + "type": "lens" }, { "embeddableConfig": { @@ -4576,12 +4557,11 @@ "i": "48f64446-f5ca-451d-8a59-bb12b4807381", "w": 20, "x": 28, - "y": 103 + "y": 115 }, "panelIndex": "48f64446-f5ca-451d-8a59-bb12b4807381", "title": "Worker milliseconds per event", - "type": "lens", - "version": "8.10.1" + "type": "lens" }, { "embeddableConfig": { @@ -4614,12 +4594,11 @@ "i": "cfd22405-6008-4373-ad69-94e70427e259", "w": 24, "x": 17, - "y": 114 + "y": 126 }, "panelIndex": "cfd22405-6008-4373-ad69-94e70427e259", "title": "Plugins", - "type": "visualization", - "version": "8.10.1" + "type": "visualization" }, { "embeddableConfig": { @@ -4636,6 +4615,7 @@ "adHocDataViews": {}, "datasourceStates": { "formBased": { + "currentIndexPatternId": "logstash-sm-metrics", "layers": { "df79554f-08e3-4f7f-b438-80bc81e14637": { "columnOrder": [ 
@@ -4647,8 +4627,6 @@ "d172976a-5c43-46b7-9d96-44ac40134cbe", "e0728321-e2b4-44c6-b07b-a89f632f02e1", "3bdc4103-5313-4e00-a407-de5b7fde820c", - "a7134cf0-c941-41e8-b346-40bc893c2514", - "8cb013fb-a55f-4c6d-88e1-6ce798c8db07", "d172976a-5c43-46b7-9d96-44ac40134cbeX0", "d172976a-5c43-46b7-9d96-44ac40134cbeX1", "3bdc4103-5313-4e00-a407-de5b7fde820cX0", @@ -4815,10 +4793,10 @@ "includeIsRegex": false, "missingBucket": false, "orderBy": { - "columnId": "8cb013fb-a55f-4c6d-88e1-6ce798c8db07", - "type": "column" + "fallback": true, + "type": "alphabetical" }, - "orderDirection": "desc", + "orderDirection": "asc", "otherBucket": true, "parentFormat": { "id": "terms" @@ -4841,10 +4819,10 @@ "includeIsRegex": false, "missingBucket": false, "orderBy": { - "columnId": "a7134cf0-c941-41e8-b346-40bc893c2514", - "type": "column" + "fallback": true, + "type": "alphabetical" }, - "orderDirection": "desc", + "orderDirection": "asc", "otherBucket": true, "parentFormat": { "id": "terms" 
@@ -4854,38 +4832,6 @@ "scale": "ordinal", "sourceField": "logstash.pipeline.plugin.output.name" }, - "8cb013fb-a55f-4c6d-88e1-6ce798c8db07": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "\"logstash.pipeline.plugin.output.flow.worker_utilization.last_1_minute\": *" - }, - "isBucketed": false, - "label": "Worker utilization", - "operationType": "last_value", - "params": { - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "logstash.pipeline.plugin.output.flow.worker_utilization.last_1_minute" - }, - "a7134cf0-c941-41e8-b346-40bc893c2514": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "\"logstash.pipeline.plugin.output.flow.worker_millis_per_event.last_1_minute\": *" - }, - "isBucketed": false, - "label": "Worker millis per event", - "operationType": "last_value", - "params": { - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "logstash.pipeline.plugin.output.flow.worker_millis_per_event.last_1_minute" - }, "d172976a-5c43-46b7-9d96-44ac40134cbe": { "customLabel": true, "dataType": "number", @@ -5046,6 +4992,7 @@ } }, "incompleteColumns": {}, + "indexPatternId": "logstash-sm-metrics", "sampling": 1 } } 
@@ -5152,84 +5099,6 @@ "type": "palette" } }, - { - "alignment": "center", - "colorMode": "cell", - "columnId": "a7134cf0-c941-41e8-b346-40bc893c2514", - "isTransposed": false, - "palette": { - "name": "status", - "params": { - "continuity": "above", - "name": "status", - "rangeMax": null, - "rangeMin": 0, - "reverse": false, - "stops": [ - { - "color": "#209280", - "stop": 0 - }, - { - "color": "#54b399", - "stop": 20 - }, - { - "color": "#d6bf57", - "stop": 40 - }, - { - "color": "#e7664c", - "stop": 60 - }, - { - "color": "#cc5642", - "stop": 80 - } - ] - }, - "type": "palette" - } - }, - { - "alignment": "center", - "colorMode": "cell", - "columnId": "8cb013fb-a55f-4c6d-88e1-6ce798c8db07", - "isTransposed": false, - "palette": { - "name": "status", - "params": { - "continuity": "above", - "name": "status", - "rangeMax": null, - "rangeMin": 0, - "reverse": false, - "stops": [ - { - "color": "#209280", - "stop": 0 - }, - { - "color": "#54b399", - "stop": 20 - }, - { - "color": "#d6bf57", - "stop": 40 - }, - { - "color": "#e7664c", - "stop": 60 - }, - { - "color": "#cc5642", - "stop": 80 - } - ] - }, - "type": "palette" - } - }, { "alignment": "center", "columnId": "5cbd518c-9c32-454d-88a3-935dab1a7fda", @@ -5383,11 +5252,10 @@ "i": "5ea51e10-bede-40f6-9842-f840617bcc8b", "w": 40, "x": 8, - "y": 118 + "y": 130 }, "panelIndex": "5ea51e10-bede-40f6-9842-f840617bcc8b", - "type": "lens", - "version": "8.10.1" + "type": "lens" }, { "embeddableConfig": { @@ -5668,12 +5536,11 @@ "i": "bb1876b7-7faa-4c37-a8af-c79a70149922", "w": 40, "x": 8, - "y": 134 + "y": 146 }, "panelIndex": "bb1876b7-7faa-4c37-a8af-c79a70149922", "title": "Average time spent processing event (ms)", - "type": "lens", - "version": "8.10.1" + "type": "lens" }, { "embeddableConfig": { 
@@ -5877,12 +5744,11 @@ "i": "c49e6ec7-e4a6-4938-b39b-d0c49b1ae114", "w": 20, "x": 8, - "y": 145 + "y": 157 }, "panelIndex": "c49e6ec7-e4a6-4938-b39b-d0c49b1ae114", "title": "Events received per second", - "type": "lens", - "version": "8.10.1" + "type": "lens" }, { "embeddableConfig": { @@ -6083,12 +5949,11 @@ "i": "1c17de77-a7e5-4265-ada5-a7aaf0b6c972", "w": 20, "x": 28, - "y": 145 + "y": 157 }, "panelIndex": "1c17de77-a7e5-4265-ada5-a7aaf0b6c972", "title": "Worker utilization", - "type": "lens", - "version": "8.10.1" + "type": "lens" }, { "embeddableConfig": { @@ -6292,12 +6157,11 @@ "i": "231824a2-a183-439f-8e08-e1bad6c5e9db", "w": 20, "x": 8, - "y": 156 + "y": 168 }, "panelIndex": "231824a2-a183-439f-8e08-e1bad6c5e9db", "title": "Events emitted per second", - "type": "lens", - "version": "8.10.1" + "type": "lens" }, { "embeddableConfig": { @@ -6498,12 +6362,11 @@ "i": "09cd3d58-f4a5-4033-a011-15002b6649e7", "w": 20, "x": 28, - "y": 156 + "y": 168 }, "panelIndex": "09cd3d58-f4a5-4033-a011-15002b6649e7", "title": "Worker millseconds per event", - "type": "lens", - "version": "8.10.1" + "type": "lens" }, { "embeddableConfig": { @@ -6537,12 +6400,11 @@ "i": "31278c59-d923-4beb-800b-a8107e9064c5", "w": 24, "x": 16, - "y": 167 + "y": 179 }, "panelIndex": "31278c59-d923-4beb-800b-a8107e9064c5", "title": "Plugins", - "type": "visualization", - "version": "8.10.1" + "type": "visualization" }, { "embeddableConfig": { @@ -7124,11 +6986,10 @@ "i": "46fbd106-9dba-4c2c-b359-fd04c22e1314", "w": 40, "x": 8, - "y": 171 + "y": 183 }, "panelIndex": "46fbd106-9dba-4c2c-b359-fd04c22e1314", - "type": "lens", - "version": "8.10.1" + "type": "lens" } ], "timeRestore": false, @@ -7136,7 +6997,7 @@ "version": 1 }, "coreMigrationVersion": "8.8.0", - "created_at": "2023-10-26T14:38:12.893Z", + "created_at": "2024-06-12T18:52:56.240Z", "id": "logstash-bc1a8050-5ee1-11ee-8e78-bf6865bc3ffc", "managed": true, "references": [ 
@@ -7160,6 +7021,11 @@ "name": "6da9466a-ede0-44b6-a2e7-d704065bb90b:indexpattern-datasource-layer-d6fe4fea-e92e-4042-9c92-0663b598a523", "type": "index-pattern" }, + { + "id": "logstash-sm-metrics", + "name": "6f7df80f-6315-417a-8b95-bbcdc938e4df:indexpattern-datasource-layer-4d13c1a7-6b92-47fe-8baf-7ca505bd9fda", + "type": "index-pattern" + }, { "id": "logstash-sm-metrics", "name": "7d85767a-5dbb-4704-8716-1d4c30a5f675:indexpattern-datasource-layer-4d13c1a7-6b92-47fe-8baf-7ca505bd9fda", @@ -7302,12 +7168,12 @@ }, { "id": "logstash-sm-metrics", - "name": "controlGroup_429cdb8b-f9d9-45b0-bf04-2fca76ad3cd8:optionsListDataView", + "name": "controlGroup_94cc8a2a-a81e-451b-891b-407075069331:optionsListDataView", "type": "index-pattern" }, { "id": "logstash-sm-metrics", - "name": "controlGroup_497f4765-376b-4a02-9982-0e8bf9a0b1ef:optionsListDataView", + "name": "controlGroup_73fdfb3a-3e86-499a-93f1-993479254e4e:optionsListDataView", "type": "index-pattern" } ], diff --git a/packages/logstash/kibana/dashboard/logstash-c0594170-526a-11ee-9ecc-31444cb79548.json b/packages/logstash/kibana/dashboard/logstash-c0594170-526a-11ee-9ecc-31444cb79548.json index 3d414213e52..719592f40c4 100644 --- a/packages/logstash/kibana/dashboard/logstash-c0594170-526a-11ee-9ecc-31444cb79548.json +++ b/packages/logstash/kibana/dashboard/logstash-c0594170-526a-11ee-9ecc-31444cb79548.json 
@@ -4,7 +4,7 @@ "chainingSystem": "HIERARCHICAL", "controlStyle": "oneLine", "ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}", - "panelsJSON": "{\"94cc8a2a-a81e-451b-891b-407075069331\":{\"type\":\"optionsListControl\",\"order\":1,\"grow\":true,\"width\":\"medium\",\"explicitInput\":{\"id\":\"94cc8a2a-a81e-451b-891b-407075069331\",\"fieldName\":\"logstash.pipeline.name\",\"title\":\"Pipeline Name\",\"grow\":true,\"width\":\"medium\",\"enhancements\":{},\"selectedOptions\":[]}},\"73fdfb3a-3e86-499a-93f1-993479254e4e\":{\"type\":\"optionsListControl\",\"order\":0,\"grow\":true,\"width\":\"medium\",\"explicitInput\":{\"id\":\"73fdfb3a-3e86-499a-93f1-993479254e4e\",\"fieldName\":\"logstash.host.name\",\"title\":\"Logstash Host Name\",\"grow\":true,\"width\":\"medium\",\"enhancements\":{}}}}" + "panelsJSON": "{\"94cc8a2a-a81e-451b-891b-407075069331\":{\"type\":\"optionsListControl\",\"order\":1,\"grow\":true,\"width\":\"medium\",\"explicitInput\":{\"id\":\"94cc8a2a-a81e-451b-891b-407075069331\",\"fieldName\":\"logstash.pipeline.name\",\"title\":\"Pipeline Name\",\"grow\":true,\"width\":\"medium\",\"enhancements\":{},\"selectedOptions\":[]}},\"73fdfb3a-3e86-499a-93f1-993479254e4e\":{\"type\":\"optionsListControl\",\"order\":0,\"grow\":true,\"width\":\"medium\",\"explicitInput\":{\"id\":\"73fdfb3a-3e86-499a-93f1-993479254e4e\",\"fieldName\":\"logstash.host.name\",\"title\":\"Logstash Host Name\",\"grow\":true,\"width\":\"medium\",\"enhancements\":{},\"selectedOptions\":[]}}}" }, "description": "", "kibanaSavedObjectMeta": { 
@@ -41,7 +41,7 @@ "description": "", "params": { "fontSize": 12, - "markdown": "**Navigation** \n\n**Logstash Overview**\n\n[Overview](/app/dashboards#/view/logstash-79270240-48ee-11ee-8cb5-99927777c522) \n[Nodes Overview](/app/dashboards#/view/logstash-ee860840-41ed-11ee-874b-fdb94cc3273a) \n[Node Overview](/app/dashboards#/view/logstash-9d450b10-4680-11ee-9ddc-919f87fe352d) \n[Node Overview Advanced View](/app/dashboards#/view/logstash-a42d7060-45e6-11ee-957b-3720c0b0fbc5) \n\n**[Pipelines Overview](/app/dashboards#/view/logstash-c0594170-526a-11ee-9ecc-31444cb79548)** \n[Pipeline Details Overview](/app/dashboards#/view/logstash-bc1a8050-5ee1-11ee-8e78-bf6865bc3ffc)\n\n\nOverview\n\nThis Dashboard gives an overall view of pipelines running on dashboards. \n \nClick on a pipeline in the table view to get more details on the running pipeline, and the plugins in that pipeline.", + "markdown": "**Navigation** \n\n**Logstash Overview**\n\n[Overview](/app/dashboards#/view/logstash-79270240-48ee-11ee-8cb5-99927777c522) \n[Nodes Overview](/app/dashboards#/view/logstash-ee860840-41ed-11ee-874b-fdb94cc3273a) \n[Node Overview](/app/dashboards#/view/logstash-9d450b10-4680-11ee-9ddc-919f87fe352d) \n[Node Overview Advanced View](/app/dashboards#/view/logstash-a42d7060-45e6-11ee-957b-3720c0b0fbc5) \n\n**[Pipelines Overview](/app/dashboards#/view/logstash-c0594170-526a-11ee-9ecc-31444cb79548)** \n[Pipeline Details Overview](/app/dashboards#/view/logstash-bc1a8050-5ee1-11ee-8e78-bf6865bc3ffc)\n\n\nOverview\n\nThis Dashboard gives an overall view of pipelines running on dashboards. \n\nUse filters to narrow down on individual nodes\n \nClick on a pipeline in the table view to get more details on the running pipeline, and the plugins in that pipeline.", "openLinksInNewTab": false }, "title": "", @@ -50,7 +50,7 @@ } }, "gridData": { - "h": 37, + "h": 46, "i": "3edb2e9f-2807-4e65-9adc-259c15debce9", "w": 8, "x": 0, 
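Review bot: The rewritten navigation markdown still says `This Dashboard gives an overall view of pipelines running on dashboards.`, which presumably should read `pipelines running on nodes`, since this is the pipelines-overview dashboard and the sentence added right after it refers to individual nodes. The added sentence `Use filters to narrow down on individual nodes` also lacks the terminal period its neighbours have; `Use filters to narrow down to individual nodes.` would read better. The whole panel text is one escaped JSON string, so any rewording has to keep the `\n` separators intact.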
@@ -58,8 +58,7 @@ }, "panelIndex": "3edb2e9f-2807-4e65-9adc-259c15debce9", "title": "Logstash Nav Panel", - "type": "visualization", - "version": "8.10.1" + "type": "visualization" }, { "embeddableConfig": { @@ -159,8 +158,7 @@ }, "panelIndex": "5f909278-92f5-4ebc-bb18-8aca8f987733", "title": "", - "type": "lens", - "version": "8.10.1" + "type": "lens" }, { "embeddableConfig": { @@ -235,8 +233,7 @@ }, "panelIndex": "239e17fa-3741-4bd5-a44c-6488c53c7c2b", "title": "[Metrics Logstash] Nodes running pipelines viz", - "type": "lens", - "version": "8.10.1" + "type": "lens" }, { "embeddableConfig": { @@ -342,8 +339,7 @@ }, "panelIndex": "0134bb0e-0e1d-49ec-92d4-d775c64c7bdb", "title": "[Metrics Logstash] Total Events Received viz ", - "type": "lens", - "version": "8.10.1" + "type": "lens" }, { "embeddableConfig": { @@ -449,8 +445,7 @@ }, "panelIndex": "8199ac33-4d5b-46e0-b3cd-3683204cc65c", "title": "[Metrics Logstash] Total Events Emitted viz", - "type": "lens", - "version": "8.10.1" + "type": "lens" }, { "embeddableConfig": { @@ -1027,8 +1022,7 @@ }, "panelIndex": "7f8d9886-3037-425d-bcb4-ae92a2b0d16e", "title": "Pipelines", - "type": "lens", - "version": "8.10.1" + "type": "lens" }, { "embeddableConfig": { 
@@ -1275,8 +1269,179 @@ }, "panelIndex": "6609ea37-a262-4072-ac19-90aabff49e12", "title": "Average Time processed per event (ms)", - "type": "lens", - "version": "8.10.1" + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logstash-sm-metrics", + "name": "indexpattern-datasource-layer-4d13c1a7-6b92-47fe-8baf-7ca505bd9fda", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logstash-sm-metrics", + "layers": { + "4d13c1a7-6b92-47fe-8baf-7ca505bd9fda": { + "columnOrder": [ + "31515c2b-a1f2-4da6-a5f7-f6f2ad8bc7d3", + "1c9f4a0d-3d6f-4126-afbb-ba4745e565d5", + "d9cd1ee6-586c-41b4-9d5f-976cd8eececf", + "d9cd1ee6-586c-41b4-9d5f-976cd8eececfX0" + ], + "columns": { + "1c9f4a0d-3d6f-4126-afbb-ba4745e565d5": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "31515c2b-a1f2-4da6-a5f7-f6f2ad8bc7d3": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Pipeline Name", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "fallback": true, + "type": "alphabetical" + }, + "orderDirection": "asc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "logstash.pipeline.name" + }, + "d9cd1ee6-586c-41b4-9d5f-976cd8eececf": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Worker Utilization", + "operationType": "formula", + "params": { + "format": { + "id": "number", + "params": { + "decimals": 2, + "suffix": "%" + } + }, + "formula": 
"last_value(logstash.pipeline.total.flow.worker_utilization.last_1_minute)", + "isFormulaBroken": false + }, + "references": [ + "d9cd1ee6-586c-41b4-9d5f-976cd8eececfX0" + ], + "scale": "ratio" + }, + "d9cd1ee6-586c-41b4-9d5f-976cd8eececfX0": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "\"logstash.pipeline.total.flow.worker_utilization.last_1_minute\": *" + }, + "isBucketed": false, + "label": "Part of Worker Utilization", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "logstash.pipeline.total.flow.worker_utilization.last_1_minute" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "indexPatternId": "logstash-sm-metrics", + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "curveType": "CURVE_STEP_AFTER", + "hideEndzones": true, + "layers": [ + { + "accessors": [ + "d9cd1ee6-586c-41b4-9d5f-976cd8eececf" + ], + "layerId": "4d13c1a7-6b92-47fe-8baf-7ca505bd9fda", + "layerType": "data", + "position": "top", + "seriesType": "area", + "showGridlines": false, + "splitAccessor": "31515c2b-a1f2-4da6-a5f7-f6f2ad8bc7d3", + "xAccessor": "1c9f4a0d-3d6f-4126-afbb-ba4745e565d5" + } + ], + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "line", + "showCurrentTimeMarker": false, + "title": "Empty XY chart", + "valueLabels": "hide", + "valuesInLegend": false, + "yLeftExtent": { + "mode": "full", + "niceValues": true + } + } + }, + "title": "Worker Utilization(%)", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 9, + "i": "ea9af11b-6332-4b3c-bbe4-c6d8e9833985", + "w": 40, + "x": 8, + "y": 21 + }, + "panelIndex": 
"ea9af11b-6332-4b3c-bbe4-c6d8e9833985", + "title": "Worker Utilization (%)", + "type": "lens" }, { "embeddableConfig": { @@ -1421,12 +1586,11 @@ "i": "1a42a8c2-9823-4178-90ae-f3a403b63711", "w": 20, "x": 8, - "y": 21 + "y": 30 }, "panelIndex": "1a42a8c2-9823-4178-90ae-f3a403b63711", "title": "Events received per second", - "type": "lens", - "version": "8.10.1" + "type": "lens" }, { "embeddableConfig": { @@ -1672,12 +1836,11 @@ "i": "d290b2f1-1769-41f4-9d29-41755eef8871", "w": 20, "x": 28, - "y": 22 + "y": 30 }, "panelIndex": "d290b2f1-1769-41f4-9d29-41755eef8871", "title": "Persistent Queue utilization (%)", - "type": "lens", - "version": "8.10.1" + "type": "lens" }, { "embeddableConfig": { @@ -1840,12 +2003,11 @@ "i": "09177cfd-5361-4e91-b7c3-64eeb7837ce8", "w": 20, "x": 8, - "y": 29 + "y": 38 }, "panelIndex": "09177cfd-5361-4e91-b7c3-64eeb7837ce8", "title": "Events emitted per second", - "type": "lens", - "version": "8.10.1" + "type": "lens" }, { "embeddableConfig": { @@ -1989,12 +2151,11 @@ "i": "4017b8f5-f8f2-46b9-86fe-501f46d551c3", "w": 20, "x": 28, - "y": 28 + "y": 38 }, "panelIndex": "4017b8f5-f8f2-46b9-86fe-501f46d551c3", "title": "Persistent Queue size (events)", - "type": "lens", - "version": "8.10.1" + "type": "lens" } ], "timeRestore": false, @@ -2002,7 +2163,7 @@ "version": 1 }, "coreMigrationVersion": "8.8.0", - "created_at": "2023-10-26T14:15:45.734Z", + "created_at": "2024-06-05T20:51:12.261Z", "id": "logstash-c0594170-526a-11ee-9ecc-31444cb79548", "managed": false, "references": [ 
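Review bot: The new Worker Utilization panel carries two slightly different titles — the Lens attributes use `"title": "Worker Utilization(%)"` while the panel itself is titled `"Worker Utilization (%)"` — and the inner `visualization.title` is left at the editor default `"Empty XY chart"`; aligning the attribute title with the panel title (`"title": "Worker Utilization (%)"`) keeps the saved object self-describing if it is ever opened outside the dashboard. The layer also sets `"seriesType": "area"` while the visualization sets `"preferredSeriesType": "line"`; that is harmless as exported but worth confirming it reflects the intended chart. The panel's enclosing `panels` array starts and ends outside this hunk.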
@@ -2041,6 +2202,11 @@ "name": "6609ea37-a262-4072-ac19-90aabff49e12:indexpattern-datasource-layer-4d13c1a7-6b92-47fe-8baf-7ca505bd9fda", "type": "index-pattern" }, + { + "id": "logstash-sm-metrics", + "name": "ea9af11b-6332-4b3c-bbe4-c6d8e9833985:indexpattern-datasource-layer-4d13c1a7-6b92-47fe-8baf-7ca505bd9fda", + "type": "index-pattern" + }, { "id": "logstash-sm-metrics", "name": "1a42a8c2-9823-4178-90ae-f3a403b63711:indexpattern-datasource-layer-0dc38ed3-eda8-48d3-85d1-454d187be2f1", diff --git a/packages/logstash/kibana/dashboard/logstash-ee860840-41ed-11ee-874b-fdb94cc3273a.json b/packages/logstash/kibana/dashboard/logstash-ee860840-41ed-11ee-874b-fdb94cc3273a.json index abf8d2e2878..d28ed7ab716 100644 --- a/packages/logstash/kibana/dashboard/logstash-ee860840-41ed-11ee-874b-fdb94cc3273a.json +++ b/packages/logstash/kibana/dashboard/logstash-ee860840-41ed-11ee-874b-fdb94cc3273a.json 
@@ -4,7 +4,7 @@ "chainingSystem": "HIERARCHICAL", "controlStyle": "oneLine", "ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}", - "panelsJSON": "{\"55797c81-115d-42f4-8b92-a90449de3183\":{\"type\":\"optionsListControl\",\"order\":0,\"grow\":true,\"width\":\"medium\",\"explicitInput\":{\"id\":\"55797c81-115d-42f4-8b92-a90449de3183\",\"fieldName\":\"logstash.host.name\",\"title\":\"Logstash Host Name\",\"grow\":true,\"width\":\"medium\",\"enhancements\":{}}},\"ffddbdfd-c666-4a7c-b81d-c66cb20212f4\":{\"type\":\"optionsListControl\",\"order\":1,\"grow\":true,\"width\":\"medium\",\"explicitInput\":{\"id\":\"ffddbdfd-c666-4a7c-b81d-c66cb20212f4\",\"fieldName\":\"logstash.pipeline.name\",\"title\":\"Logstash Pipeline Name\",\"grow\":true,\"width\":\"medium\",\"enhancements\":{}}}}" + "panelsJSON": "{\"55797c81-115d-42f4-8b92-a90449de3183\":{\"type\":\"optionsListControl\",\"order\":0,\"grow\":true,\"width\":\"medium\",\"explicitInput\":{\"id\":\"55797c81-115d-42f4-8b92-a90449de3183\",\"fieldName\":\"logstash.host.name\",\"title\":\"Logstash Host Name\",\"grow\":true,\"width\":\"medium\",\"enhancements\":{}}}}" }, "description": "", "kibanaSavedObjectMeta": { @@ -58,8 +58,7 @@ "y": 0 }, "panelIndex": "3175d525-4aa7-40b5-bc68-d89d105257de", - "type": "visualization", - "version": "8.10.1" + "type": "visualization" }, { "embeddableConfig": { @@ -129,8 +128,7 @@ "y": 0 }, "panelIndex": "8302492d-1d16-4955-91cd-c892d7002dbb", - "type": "lens", - "version": "8.10.1" + "type": "lens" }, { "embeddableConfig": { @@ -240,8 +238,7 @@ }, "panelIndex": "345f1c7e-4b91-4df2-8c09-22d2a8c5d6be", "title": "Total JVM Heap Used", - "type": "lens", - "version": "8.10.1" + "type": "lens" }, { "embeddableConfig": { @@ -347,8 +344,7 @@ }, "panelIndex": "b1f30ec6-50f8-4fb0-8ebf-c00b1df332ee", "title": "Total Events Received", - "type": "lens", - "version": "8.10.1" + "type": "lens" }, { "embeddableConfig": { 
@@ -454,8 +450,7 @@ }, "panelIndex": "5eedee54-06fd-496e-8b1d-b3df3ff80341", "title": "Total Events Emitted", - "type": "lens", - "version": "8.10.1" + "type": "lens" }, { "embeddableConfig": { @@ -897,11 +892,10 @@ "i": "4a093412-9812-433a-bf8d-225e4a402339", "w": 40, "x": 8, - "y": 5 + "y": 4 }, "panelIndex": "4a093412-9812-433a-bf8d-225e4a402339", - "type": "lens", - "version": "8.10.1" + "type": "lens" }, { "embeddableConfig": { 
@@ -924,25 +918,111 @@ "ef4e5445-487e-4a0c-ac01-063e8c199a84", "43c45a77-5bb2-4f66-8bfd-77f3cf386a87", "0c423bdf-578e-4f0a-bb27-180a24a133e1", - "cd7a8cba-084f-42b4-a4b5-334eee79e32e" + "0c423bdf-578e-4f0a-bb27-180a24a133e1X0", + "0c423bdf-578e-4f0a-bb27-180a24a133e1X1", + "0c423bdf-578e-4f0a-bb27-180a24a133e1X2", + "0c423bdf-578e-4f0a-bb27-180a24a133e1X3", + "0c423bdf-578e-4f0a-bb27-180a24a133e1X4" ], "columns": { "0c423bdf-578e-4f0a-bb27-180a24a133e1": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Event Latency (ms)", + "operationType": "formula", + "params": { + "formula": "counter_rate(last_value(logstash.node.stats.events.duration_in_millis))/counter_rate(last_value(logstash.node.stats.events.out))", + "isFormulaBroken": false + }, + "references": [ + "0c423bdf-578e-4f0a-bb27-180a24a133e1X4" + ], + "scale": "ratio" + }, + "0c423bdf-578e-4f0a-bb27-180a24a133e1X0": { "customLabel": true, "dataType": "number", "filter": { "language": "kuery", - "query": "logstash.node.stats.events.in : *" + "query": "\"logstash.node.stats.events.duration_in_millis\": *" }, "isBucketed": false, - "label": "Events Received Rate", + "label": "Part of Event Latency (ms)", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "logstash.node.stats.events.duration_in_millis" + }, + "0c423bdf-578e-4f0a-bb27-180a24a133e1X1": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Part of Event Latency (ms)", "operationType": "counter_rate", "references": [ - "cd7a8cba-084f-42b4-a4b5-334eee79e32e" + "0c423bdf-578e-4f0a-bb27-180a24a133e1X0" + ], + "scale": "ratio", + "timeScale": "s" + }, + "0c423bdf-578e-4f0a-bb27-180a24a133e1X2": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "\"logstash.node.stats.events.out\": *" + }, + "isBucketed": false, + "label": "Part of Event Latency (ms)", + "operationType": 
"last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "logstash.node.stats.events.out" + }, + "0c423bdf-578e-4f0a-bb27-180a24a133e1X3": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Part of Event Latency (ms)", + "operationType": "counter_rate", + "references": [ + "0c423bdf-578e-4f0a-bb27-180a24a133e1X2" ], "scale": "ratio", "timeScale": "s" }, + "0c423bdf-578e-4f0a-bb27-180a24a133e1X4": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Part of Event Latency (ms)", + "operationType": "math", + "params": { + "tinymathAst": { + "args": [ + "0c423bdf-578e-4f0a-bb27-180a24a133e1X1", + "0c423bdf-578e-4f0a-bb27-180a24a133e1X3" + ], + "location": { + "max": 128, + "min": 0 + }, + "name": "divide", + "text": "counter_rate(last_value(logstash.node.stats.events.duration_in_millis))/counter_rate(last_value(logstash.node.stats.events.out))", + "type": "function" + } + }, + "references": [ + "0c423bdf-578e-4f0a-bb27-180a24a133e1X1", + "0c423bdf-578e-4f0a-bb27-180a24a133e1X3" + ], + "scale": "ratio" + }, "43c45a77-5bb2-4f66-8bfd-77f3cf386a87": { "dataType": "date", "isBucketed": true, @@ -956,22 +1036,10 @@ "scale": "interval", "sourceField": "@timestamp" }, - "cd7a8cba-084f-42b4-a4b5-334eee79e32e": { - "dataType": "number", - "isBucketed": false, - "label": "Maximum of logstash.node.stats.events.in", - "operationType": "max", - "params": { - "emptyAsNull": true - }, - "scale": "ratio", - "sourceField": "logstash.node.stats.events.in" - }, "ef4e5445-487e-4a0c-ac01-063e8c199a84": { - "customLabel": true, "dataType": "string", "isBucketed": true, - "label": "Node name", + "label": "Top 1000 values of logstash.node.stats.logstash.name", "operationType": "terms", "params": { "exclude": [], 
@@ -1066,24 +1134,22 @@ } } }, - "title": "Events Received Rate/s", + "title": "Events Latency (ms) average", "type": "lens", "visualizationType": "lnsXY" }, - "enhancements": {}, - "hidePanelTitles": false + "enhancements": {} }, "gridData": { "h": 10, - "i": "fef0f0cc-45df-4389-9c13-78b56790905c", + "i": "7bfdba6c-bcdc-4c51-be8c-41188c08dc6c", "w": 20, - "x": 8, - "y": 15 + "x": 28, + "y": 14 }, - "panelIndex": "fef0f0cc-45df-4389-9c13-78b56790905c", - "title": "Events received per second", - "type": "lens", - "version": "8.10.1" + "panelIndex": "7bfdba6c-bcdc-4c51-be8c-41188c08dc6c", + "title": "Events Latency (ms) average", + "type": "lens" }, { "embeddableConfig": { @@ -1117,7 +1183,7 @@ "query": "logstash.node.stats.events.in : *" }, "isBucketed": false, - "label": "Events Emitted Rate", + "label": "Events Received Rate", "operationType": "counter_rate", "references": [ "cd7a8cba-084f-42b4-a4b5-334eee79e32e" @@ -1141,13 +1207,13 @@ "cd7a8cba-084f-42b4-a4b5-334eee79e32e": { "dataType": "number", "isBucketed": false, - "label": "Maximum of logstash.node.stats.events.out", + "label": "Maximum of logstash.node.stats.events.in", "operationType": "max", "params": { "emptyAsNull": true }, "scale": "ratio", - "sourceField": "logstash.node.stats.events.out" + "sourceField": "logstash.node.stats.events.in" }, "ef4e5445-487e-4a0c-ac01-063e8c199a84": { "customLabel": true, @@ -1248,7 +1314,7 @@ } } }, - "title": "Events Emitted Rate/s", + "title": "Events Received Rate/s", "type": "lens", "visualizationType": "lnsXY" }, 
@@ -1257,15 +1323,14 @@ }, "gridData": { "h": 10, - "i": "acdc425f-0de2-46b6-8d9e-5dccdcb99270", + "i": "fef0f0cc-45df-4389-9c13-78b56790905c", "w": 20, "x": 8, - "y": 25 + "y": 14 }, - "panelIndex": "acdc425f-0de2-46b6-8d9e-5dccdcb99270", - "title": "Events emitted per second", - "type": "lens", - "version": "8.10.1" + "panelIndex": "fef0f0cc-45df-4389-9c13-78b56790905c", + "title": "Events received per second", + "type": "lens" }, { "embeddableConfig": { 
@@ -1288,111 +1353,25 @@ "ef4e5445-487e-4a0c-ac01-063e8c199a84", "43c45a77-5bb2-4f66-8bfd-77f3cf386a87", "0c423bdf-578e-4f0a-bb27-180a24a133e1", - "0c423bdf-578e-4f0a-bb27-180a24a133e1X0", - "0c423bdf-578e-4f0a-bb27-180a24a133e1X1", - "0c423bdf-578e-4f0a-bb27-180a24a133e1X2", - "0c423bdf-578e-4f0a-bb27-180a24a133e1X3", - "0c423bdf-578e-4f0a-bb27-180a24a133e1X4" + "cd7a8cba-084f-42b4-a4b5-334eee79e32e" ], "columns": { "0c423bdf-578e-4f0a-bb27-180a24a133e1": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Event Latency (ms)", - "operationType": "formula", - "params": { - "formula": "counter_rate(last_value(logstash.node.stats.events.duration_in_millis))/counter_rate(last_value(logstash.node.stats.events.out))", - "isFormulaBroken": false - }, - "references": [ - "0c423bdf-578e-4f0a-bb27-180a24a133e1X4" - ], - "scale": "ratio" - }, - "0c423bdf-578e-4f0a-bb27-180a24a133e1X0": { "customLabel": true, "dataType": "number", "filter": { "language": "kuery", - "query": "\"logstash.node.stats.events.duration_in_millis\": *" - }, - "isBucketed": false, - "label": "Part of Event Latency (ms)", - "operationType": "last_value", - "params": { - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "logstash.node.stats.events.duration_in_millis" - }, - "0c423bdf-578e-4f0a-bb27-180a24a133e1X1": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Part of Event Latency (ms)", - "operationType": "counter_rate", - "references": [ - "0c423bdf-578e-4f0a-bb27-180a24a133e1X0" - ], - "scale": "ratio", - "timeScale": "s" - }, - "0c423bdf-578e-4f0a-bb27-180a24a133e1X2": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "\"logstash.node.stats.events.out\": *" - }, - "isBucketed": false, - "label": "Part of Event Latency (ms)", - "operationType": "last_value", - "params": { - "sortField": "@timestamp" + "query": "logstash.node.stats.events.in : *" }, - "scale": 
"ratio", - "sourceField": "logstash.node.stats.events.out" - }, - "0c423bdf-578e-4f0a-bb27-180a24a133e1X3": { - "customLabel": true, - "dataType": "number", "isBucketed": false, - "label": "Part of Event Latency (ms)", + "label": "Events Emitted Rate", "operationType": "counter_rate", "references": [ - "0c423bdf-578e-4f0a-bb27-180a24a133e1X2" + "cd7a8cba-084f-42b4-a4b5-334eee79e32e" ], "scale": "ratio", "timeScale": "s" }, - "0c423bdf-578e-4f0a-bb27-180a24a133e1X4": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Part of Event Latency (ms)", - "operationType": "math", - "params": { - "tinymathAst": { - "args": [ - "0c423bdf-578e-4f0a-bb27-180a24a133e1X1", - "0c423bdf-578e-4f0a-bb27-180a24a133e1X3" - ], - "location": { - "max": 128, - "min": 0 - }, - "name": "divide", - "text": "counter_rate(last_value(logstash.node.stats.events.duration_in_millis))/counter_rate(last_value(logstash.node.stats.events.out))", - "type": "function" - } - }, - "references": [ - "0c423bdf-578e-4f0a-bb27-180a24a133e1X1", - "0c423bdf-578e-4f0a-bb27-180a24a133e1X3" - ], - "scale": "ratio" - }, "43c45a77-5bb2-4f66-8bfd-77f3cf386a87": { "dataType": "date", "isBucketed": true, @@ -1406,10 +1385,22 @@ "scale": "interval", "sourceField": "@timestamp" }, + "cd7a8cba-084f-42b4-a4b5-334eee79e32e": { + "dataType": "number", + "isBucketed": false, + "label": "Maximum of logstash.node.stats.events.out", + "operationType": "max", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "logstash.node.stats.events.out" + }, "ef4e5445-487e-4a0c-ac01-063e8c199a84": { + "customLabel": true, "dataType": "string", "isBucketed": true, - "label": "Top 1000 values of logstash.node.stats.logstash.name", + "label": "Node name", "operationType": "terms", "params": { "exclude": [], 
@@ -1504,23 +1495,23 @@ } } }, - "title": "Events Latency (ms) average", + "title": "Events Emitted Rate/s", "type": "lens", "visualizationType": "lnsXY" }, - "enhancements": {} + "enhancements": {}, + "hidePanelTitles": false }, "gridData": { "h": 10, - "i": "7bfdba6c-bcdc-4c51-be8c-41188c08dc6c", + "i": "acdc425f-0de2-46b6-8d9e-5dccdcb99270", "w": 20, - "x": 28, - "y": 9 + "x": 8, + "y": 24 }, - "panelIndex": "7bfdba6c-bcdc-4c51-be8c-41188c08dc6c", - "title": "Events Latency (ms) average", - "type": "lens", - "version": "8.10.1" + "panelIndex": "acdc425f-0de2-46b6-8d9e-5dccdcb99270", + "title": "Events emitted per second", + "type": "lens" } ], "timeRestore": false, @@ -1528,9 +1519,9 @@ "version": 1 }, "coreMigrationVersion": "8.8.0", - "created_at": "2023-10-26T14:16:38.088Z", + "created_at": "2024-06-12T18:52:56.240Z", "id": "logstash-ee860840-41ed-11ee-874b-fdb94cc3273a", - "managed": false, + "managed": true, "references": [ { "id": "logstash-sm-metrics", 
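Review bot: The `@@ -1528,9 +1519,9 @@` hunk flips the nodes-overview dashboard `logstash-ee860840-…` to `"managed": true`, while the sibling pipelines-overview dashboard `logstash-c0594170-…` in the `@@ -2002,7 +2163,7 @@` hunk stays `"managed": false`, so two dashboards of the same package will presumably behave differently in Kibana (managed saved objects are presented read-only and must be duplicated before editing); either the flip is intended and the other dashboard should follow, or it is export noise and should be reverted. The `created_at` values are also rewritten on three dashboards (here, in the `@@ -7136,7 +6997,7 @@` hunk of `logstash-bc1a8050-…`, and in the `@@ -934,7 +934,7 @@` hunk of `logstash-fe17b800-…`) with two different timestamps, which suggests separate export sessions and adds churn with no functional effect; leaving those lines untouched would keep future diffs of these files reviewable.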
@@ -1564,28 +1555,23 @@ }, { "id": "logstash-sm-metrics", - "name": "fef0f0cc-45df-4389-9c13-78b56790905c:indexpattern-datasource-layer-9f4942e8-bd51-41fe-9e6b-c6ca7ee81425", + "name": "7bfdba6c-bcdc-4c51-be8c-41188c08dc6c:indexpattern-datasource-layer-9f4942e8-bd51-41fe-9e6b-c6ca7ee81425", "type": "index-pattern" }, { "id": "logstash-sm-metrics", - "name": "acdc425f-0de2-46b6-8d9e-5dccdcb99270:indexpattern-datasource-layer-9f4942e8-bd51-41fe-9e6b-c6ca7ee81425", + "name": "fef0f0cc-45df-4389-9c13-78b56790905c:indexpattern-datasource-layer-9f4942e8-bd51-41fe-9e6b-c6ca7ee81425", "type": "index-pattern" }, { "id": "logstash-sm-metrics", - "name": "7bfdba6c-bcdc-4c51-be8c-41188c08dc6c:indexpattern-datasource-layer-9f4942e8-bd51-41fe-9e6b-c6ca7ee81425", + "name": "acdc425f-0de2-46b6-8d9e-5dccdcb99270:indexpattern-datasource-layer-9f4942e8-bd51-41fe-9e6b-c6ca7ee81425", "type": "index-pattern" }, { "id": "logstash-sm-metrics", "name": "controlGroup_55797c81-115d-42f4-8b92-a90449de3183:optionsListDataView", "type": "index-pattern" - }, - { - "id": "logstash-sm-metrics", - "name": "controlGroup_ffddbdfd-c666-4a7c-b81d-c66cb20212f4:optionsListDataView", - "type": "index-pattern" } ], "type": "dashboard", diff --git a/packages/logstash/kibana/dashboard/logstash-fe17b800-6eb4-11ee-86f6-d7074508d975.json b/packages/logstash/kibana/dashboard/logstash-fe17b800-6eb4-11ee-86f6-d7074508d975.json index 26c7d45ac60..6aa2b5ef9ab 100644 --- a/packages/logstash/kibana/dashboard/logstash-fe17b800-6eb4-11ee-86f6-d7074508d975.json +++ b/packages/logstash/kibana/dashboard/logstash-fe17b800-6eb4-11ee-86f6-d7074508d975.json @@ -934,7 +934,7 @@ "version": 1 }, "coreMigrationVersion": "8.8.0", - "created_at": "2023-10-26T14:38:12.893Z", + "created_at": "2024-06-12T18:52:56.240Z", "id": "logstash-fe17b800-6eb4-11ee-86f6-d7074508d975", "managed": true, "references": [ diff --git a/packages/logstash/manifest.yml b/packages/logstash/manifest.yml index bf95acba644..367f2b5af12 100644 
--- a/packages/logstash/manifest.yml +++ b/packages/logstash/manifest.yml @@ -1,6 +1,6 @@ name: logstash title: Logstash -version: 2.4.8 +version: 2.4.9 description: Collect logs and metrics from Logstash with Elastic Agent. type: integration icons: @@ -9,14 +9,14 @@ icons: size: 32x32 type: image/svg+xml format_version: 3.0.0 -categories: ["elastic_stack"] +categories: + - observability + - elastic_stack conditions: kibana: version: ^8.10.1 elastic: subscription: basic - capabilities: - - observability owner: github: elastic/stack-monitoring type: elastic From 7cdf5800aed7b680040eaba311f997d54407726b Mon Sep 17 00:00:00 2001 From: ShourieG <105607378+ShourieG@users.noreply.github.com> Date: Fri, 14 Jun 2024 14:42:22 +0530 Subject: [PATCH 014/105] [Amazon Security Lake] - Removed support for SQS since it is not supported at the input level (#10144) * remove wrongly implemented sqs support from amazon security lake package * updated changelog * addressed PR comments --- .../_dev/build/docs/README.md | 20 ++---- packages/amazon_security_lake/changelog.yml | 5 ++ .../event/agent/stream/aws-s3.yml.hbs | 28 -------- .../data_stream/event/manifest.yml | 66 +------------------ packages/amazon_security_lake/docs/README.md | 20 ++---- packages/amazon_security_lake/manifest.yml | 6 +- 6 files changed, 20 insertions(+), 125 deletions(-) diff --git a/packages/amazon_security_lake/_dev/build/docs/README.md b/packages/amazon_security_lake/_dev/build/docs/README.md index 8e9acb12ead..f8795d62068 100644 --- a/packages/amazon_security_lake/_dev/build/docs/README.md +++ b/packages/amazon_security_lake/_dev/build/docs/README.md 
@@ -4,9 +4,8 @@ This [Amazon Security Lake](https://aws.amazon.com/security-lake/) integration h Security Lake automates the collection of security-related log and event data from integrated AWS services and third-party services. It also helps you manage the lifecycle of data with customizable retention and replication settings. Security Lake converts ingested data into Apache Parquet format and a standard open-source schema called the Open Cybersecurity Schema Framework (OCSF). With OCSF support, Security Lake normalizes and combines security data from AWS and a broad range of enterprise security data sources. -The Amazon Security Lake integration can be used in two different modes to collect data: +The Amazon Security Lake integration currently supports only one mode of log collection: - AWS S3 polling mode: Amazon Security Lake writes data to S3, and Elastic Agent polls the S3 bucket by listing its contents and reading new files. -- AWS S3 SQS mode: Amazon Security Lake writes data to S3, S3 sends a notification of a new object to SQS, the Elastic Agent receives the notification from SQS, and then reads the S3 object. Multiple agents can be used in this mode. ## Compatibility 
@@ -29,7 +28,7 @@ The Amazon Security Lake integration collects logs from both [Third-party servic ### To collect data from Amazon Security Lake follow the below steps: 1. To enable and start Amazon Security Lake, follow the steps mentioned here: [`https://docs.aws.amazon.com/security-lake/latest/userguide/getting-started.html`](https://docs.aws.amazon.com/security-lake/latest/userguide/getting-started.html). -2. After creating data lake, follow below steps to create a data subscribers to consume data. +2. After creating the data lake, follow the steps below to create data subscribers to consume data. - Open the [Security Lake console](https://console.aws.amazon.com/securitylake/). - By using the AWS Region selector in the upper-right corner of the page, select the Region where you want to create the subscriber. - In the navigation pane, choose **Subscribers**. @@ -38,9 +37,8 @@ The Amazon Security Lake integration collects logs from both [Third-party servic - For **Log and event sources**, choose which sources the subscriber is authorized to consume. - For **Data access method**, choose **S3** to set up data access for the subscriber. - For **Subscriber credentials**, provide the subscriber's **AWS account ID** and **external ID**. - - For **Notification details**, select **SQS queue**. - Choose Create. -3. Above mentioned steps will create and provide required details such as IAM roles/AWS role ID, external id and queue url to configure AWS Security Lake Integration. +3. Above mentioned steps will create and provide the required details such as IAM roles/AWS role ID, external ID and queue URL to configure AWS Security Lake Integration. ### Enabling the integration in Elastic: 
@@ -50,16 +48,8 @@ The Amazon Security Lake integration collects logs from both [Third-party servic 3. Click on the "Amazon Security Lake" integration from the search results. 4. Click on the Add Amazon Security Lake Integration button to add the integration. ![Home Page](../img/home_page.png) -5. By default collect logs via S3 Bucket toggle will be off and collect logs for AWS SQS. -6. While adding the integration, if you want to collect logs via AWS SQS, then you have to put the following details: - - queue url - ![Queue URL](../img/queue_url.png) - - collect logs via S3 Bucket toggled off - - role ARN - - external id - ![Role ARN and External ID](../img/role_arn_and_external_id.png) - - or if you want to collect logs via AWS S3, then you have to put the following details: +5. The integration currently only supports collecting logs via AWS S3. +6. While adding the integration, you have to configure the following details: - bucket arn - collect logs via S3 Bucket toggled on - role ARN diff --git a/packages/amazon_security_lake/changelog.yml b/packages/amazon_security_lake/changelog.yml index 4873164d0a9..882ad77c701 100644 --- a/packages/amazon_security_lake/changelog.yml +++ b/packages/amazon_security_lake/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.2.1" + changes: + - description: Removed SQS support since we don't support sqs based parquet decoding at the input level. + type: bugfix + link: https://github.com/elastic/integrations/pull/10144 - version: "1.2.0" changes: - description: Update manifest format version to v3.0.3. diff --git a/packages/amazon_security_lake/data_stream/event/agent/stream/aws-s3.yml.hbs b/packages/amazon_security_lake/data_stream/event/agent/stream/aws-s3.yml.hbs index 391daa8e96a..67d1ad222d6 100644 --- a/packages/amazon_security_lake/data_stream/event/agent/stream/aws-s3.yml.hbs +++ b/packages/amazon_security_lake/data_stream/event/agent/stream/aws-s3.yml.hbs 
@@ -1,4 +1,3 @@ -{{#if collect_s3_logs}} {{#if bucket_arn}} bucket_arn: {{bucket_arn}} @@ -12,32 +11,10 @@ bucket_list_interval: {{interval}} {{#if bucket_list_prefix}} bucket_list_prefix: {{bucket_list_prefix}} {{/if}} - -{{else}} - -{{#if queue_url}} -queue_url: {{queue_url}} -{{/if}} -sqs.notification_parsing_script.source: {{event_parsing_script}} -{{#if region}} -region: {{region}} -{{/if}} -{{#if visibility_timeout}} -visibility_timeout: {{visibility_timeout}} -{{/if}} -{{#if api_timeout}} -api_timeout: {{api_timeout}} -{{/if}} -{{#if max_number_of_messages}} -max_number_of_messages: {{max_number_of_messages}} -{{/if}} {{#if file_selectors}} file_selectors: {{file_selectors}} {{/if}} - -{{/if}} - {{#if access_key_id}} access_key_id: {{access_key_id}} {{/if}} @@ -79,11 +56,6 @@ proxy_url: {{proxy_url}} ssl: {{ssl}} {{/if}} tags: -{{#if collect_s3_logs}} - - collect_s3_logs -{{else}} - - collect_sqs_logs -{{/if}} {{#if preserve_original_event}} - preserve_original_event {{/if}} diff --git a/packages/amazon_security_lake/data_stream/event/manifest.yml b/packages/amazon_security_lake/data_stream/event/manifest.yml index cfdaa053df2..4c27180a984 100644 --- a/packages/amazon_security_lake/data_stream/event/manifest.yml +++ b/packages/amazon_security_lake/data_stream/event/manifest.yml @@ -7,14 +7,6 @@ streams: description: Collect Amazon Security Lake Events via AWS S3 input. template_path: aws-s3.yml.hbs vars: - - name: collect_s3_logs - required: true - show_user: true - title: Collect logs via S3 Bucket - description: To Collect logs via S3 bucket enable the toggle switch. By default, it will collect logs via SQS Queue. - type: bool - multi: false - default: false - name: access_key_id type: password title: Access Key ID 
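Review bot: The `collect_s3_logs` variable removed in the manifest.yml hunk is still referred to by the package docs updated in this same commit: step 6 of both README copies keeps `- collect logs via S3 Bucket toggled on` as a setting to configure, and the rewritten step 3 still says the subscriber setup provides a `queue URL`, which nothing in the now S3-only template consumes. Users following the docs will look for a toggle that no longer exists, so the bullet should go and step 3 should read `... required details such as IAM roles/AWS role ID and external ID to configure the AWS Security Lake Integration.` Separately, with both tag literals removed from the `tags:` section of aws-s3.yml.hbs, the key is followed only by the conditional `preserve_original_event` item in the visible lines; if no further items follow outside the hunk, `tags:` renders as an empty value when that option is off, which is worth confirming against the rest of the template.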
@@ -85,50 +77,13 @@ streams: show_user: true default: 5 description: Number of workers that will process the S3 objects listed. It is a required parameter for collecting logs via the AWS S3 Bucket. - - name: queue_url - type: text - title: "[SQS] Queue URL" - multi: false - required: false - show_user: true - description: URL of the AWS SQS queue that messages will be received from. It is a required parameter for collecting logs via the AWS SQS. - - name: visibility_timeout - type: text - title: "[SQS] Visibility Timeout" - multi: false - required: false - show_user: true - default: 300s - description: The duration that the received messages are hidden from subsequent retrieve requests after being retrieved by a ReceiveMessage request. The maximum is 12 hours. Supported units for this parameter are h/m/s. - - name: api_timeout - type: text - title: "[SQS] API Timeout" - multi: false - required: false - show_user: true - default: 120s - description: The maximum duration of AWS API can take. The maximum is half of the visibility timeout value. Supported units for this parameter are h/m/s. - - name: max_number_of_messages - type: integer - title: "[SQS] Maximum Concurrent SQS Messages" - required: false - show_user: true - default: 5 - description: The maximum number of SQS messages that can be inflight at any time. - name: file_selectors type: yaml - title: "[SQS] File Selectors" + title: "File Selectors" multi: false required: false show_user: false - description: If the SQS queue will have events that correspond to files that this integration shouldn't process, file_selectors can be used to limit the files that are downloaded. This is a list of selectors which are made up of regex and expand_event_list_from_field options. The regex should match the S3 object key in the SQS message, and the optional expand_event_list_from_field is the same as the global setting. 
If file_selectors is given, then any global expand_event_list_from_field value is ignored in favor of the ones specified in the file_selectors. Regexes use [RE2 syntax](https://pkg.go.dev/regexp/syntax). Files that don’t match one of the regexes will not be processed. - - name: region - type: text - title: "[SQS] Region" - multi: false - required: false - show_user: true - description: The name of the AWS region of the end point. If this option is given it takes precedence over the region name obtained from the queue_url value. + description: If the S3 bucket will have events that correspond to files that this integration shouldn't process, file_selectors can be used to limit the files that are downloaded. This is a list of selectors which are made up of regex and expand_event_list_from_field options. The regex should match the S3 object key, and the optional expand_event_list_from_field is the same as the global setting. If file_selectors is given, then any global expand_event_list_from_field value is ignored in favor of the ones specified in the file_selectors. Regexes use [RE2 syntax](https://pkg.go.dev/regexp/syntax). Files that don’t match one of the regexes will not be processed. - name: fips_enabled type: bool title: Enable S3 FIPS 
@@ -173,23 +128,6 @@ streams: show_user: false default: "" description: Default region to use prior to connecting to region specific services/endpoints if no AWS region is set from environment variable, credentials or instance profile. If none of the above are set and no default region is set as well, `us-east-1` is used. A region, either from environment variable, credentials or instance profile or from this default region setting, needs to be set when using regions in non-regular AWS environments such as AWS China or US Government Isolated. - - name: event_parsing_script - type: yaml - title: Event Notification Parsing Script - multi: false - required: true - show_user: false - description: The JS script used to parse the custom format of SQS Event notifications. - default: | - function parse(notification) { - var evts = []; - var m = JSON.parse(notification); - var evt = new S3EventV2(); - evt.SetS3BucketName(m.detail.bucket.name); - evt.SetS3ObjectKey(m.detail.object.key); - evts.push(evt); - return evts; - } - name: proxy_url type: text title: Proxy URL diff --git a/packages/amazon_security_lake/docs/README.md b/packages/amazon_security_lake/docs/README.md index b2d0bc76422..a89851deb77 100644 --- a/packages/amazon_security_lake/docs/README.md +++ b/packages/amazon_security_lake/docs/README.md 
@@ -4,9 +4,8 @@ This [Amazon Security Lake](https://aws.amazon.com/security-lake/) integration h Security Lake automates the collection of security-related log and event data from integrated AWS services and third-party services. It also helps you manage the lifecycle of data with customizable retention and replication settings. Security Lake converts ingested data into Apache Parquet format and a standard open-source schema called the Open Cybersecurity Schema Framework (OCSF). With OCSF support, Security Lake normalizes and combines security data from AWS and a broad range of enterprise security data sources. -The Amazon Security Lake integration can be used in two different modes to collect data: +The Amazon Security Lake integration currently supports only one mode of log collection: - AWS S3 polling mode: Amazon Security Lake writes data to S3, and Elastic Agent polls the S3 bucket by listing its contents and reading new files. -- AWS S3 SQS mode: Amazon Security Lake writes data to S3, S3 sends a notification of a new object to SQS, the Elastic Agent receives the notification from SQS, and then reads the S3 object. Multiple agents can be used in this mode. ## Compatibility 
@@ -29,7 +28,7 @@ The Amazon Security Lake integration collects logs from both [Third-party servic ### To collect data from Amazon Security Lake follow the below steps: 1. To enable and start Amazon Security Lake, follow the steps mentioned here: [`https://docs.aws.amazon.com/security-lake/latest/userguide/getting-started.html`](https://docs.aws.amazon.com/security-lake/latest/userguide/getting-started.html). -2. After creating data lake, follow below steps to create a data subscribers to consume data. +2. After creating the data lake, follow the steps below to create data subscribers to consume data. - Open the [Security Lake console](https://console.aws.amazon.com/securitylake/). - By using the AWS Region selector in the upper-right corner of the page, select the Region where you want to create the subscriber. - In the navigation pane, choose **Subscribers**. @@ -38,9 +37,8 @@ The Amazon Security Lake integration collects logs from both [Third-party servic - For **Log and event sources**, choose which sources the subscriber is authorized to consume. - For **Data access method**, choose **S3** to set up data access for the subscriber. - For **Subscriber credentials**, provide the subscriber's **AWS account ID** and **external ID**. - - For **Notification details**, select **SQS queue**. - Choose Create. -3. Above mentioned steps will create and provide required details such as IAM roles/AWS role ID, external id and queue url to configure AWS Security Lake Integration. +3. Above mentioned steps will create and provide the required details such as IAM roles/AWS role ID, external ID and queue URL to configure AWS Security Lake Integration. ### Enabling the integration in Elastic: 
@@ -50,16 +48,8 @@ The Amazon Security Lake integration collects logs from both [Third-party servic 3. Click on the "Amazon Security Lake" integration from the search results. 4. Click on the Add Amazon Security Lake Integration button to add the integration. ![Home Page](../img/home_page.png) -5. By default collect logs via S3 Bucket toggle will be off and collect logs for AWS SQS. -6. While adding the integration, if you want to collect logs via AWS SQS, then you have to put the following details: - - queue url - ![Queue URL](../img/queue_url.png) - - collect logs via S3 Bucket toggled off - - role ARN - - external id - ![Role ARN and External ID](../img/role_arn_and_external_id.png) - - or if you want to collect logs via AWS S3, then you have to put the following details: +5. The integration currently only supports collecting logs via AWS S3. +6. While adding the integration, you have to configure the following details: - bucket arn - collect logs via S3 Bucket toggled on - role ARN diff --git a/packages/amazon_security_lake/manifest.yml b/packages/amazon_security_lake/manifest.yml index a1d954414f1..59714638667 100644 --- a/packages/amazon_security_lake/manifest.yml +++ b/packages/amazon_security_lake/manifest.yml @@ -1,7 +1,7 @@ format_version: "3.0.3" name: amazon_security_lake title: Amazon Security Lake -version: "1.2.0" +version: "1.2.1" description: Collect logs from Amazon Security Lake with Elastic Agent. type: integration categories: ["aws", "security"] @@ -62,8 +62,8 @@ policy_templates: description: Collect logs from Amazon Security Lake instances. inputs: - type: aws-s3 - title: Collect Amazon Security Lake logs via AWS S3 or AWS SQS - description: Collecting logs from Amazon Security Lake via AWS S3 or AWS SQS. + title: Collect Amazon Security Lake logs via AWS S3 + description: Collecting logs from Amazon Security Lake via AWS S3. owner: github: elastic/security-service-integrations type: elastic 
From f8383050336a554a8616d35646e248c284a380b0 Mon Sep 17 00:00:00 2001 From: Dan Kortschak Date: Mon, 17 Jun 2024 17:06:31 +0930 Subject: [PATCH 015/105] ti_abusech: improve error handling and reporting in malwarebazaar data stream (#10156) --- packages/ti_abusech/changelog.yml | 5 +++ .../malwarebazaar/agent/stream/cel.yml.hbs | 44 +++++++++++++++---- packages/ti_abusech/manifest.yml | 2 +- 3 files changed, 42 insertions(+), 9 deletions(-) diff --git a/packages/ti_abusech/changelog.yml b/packages/ti_abusech/changelog.yml index 4833b109488..ba3fd5c699a 100644 --- a/packages/ti_abusech/changelog.yml +++ b/packages/ti_abusech/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "2.1.0" + changes: + - description: Improve error handling and reporting in malwarebazaar data stream. + type: enhancement + link: https://github.com/elastic/integrations/pull/10156 - version: "2.0.1" changes: - description: Adjust field mappings for transform destination index. diff --git a/packages/ti_abusech/data_stream/malwarebazaar/agent/stream/cel.yml.hbs b/packages/ti_abusech/data_stream/malwarebazaar/agent/stream/cel.yml.hbs index bec59164391..b4278311cba 100644 --- a/packages/ti_abusech/data_stream/malwarebazaar/agent/stream/cel.yml.hbs +++ b/packages/ti_abusech/data_stream/malwarebazaar/agent/stream/cel.yml.hbs 
@@ -17,18 +17,46 @@ resource.url: {{url}} redact: fields: ~ program: | - request("POST", state.url, "query=get_recent&selector=time").with({ - "Header":{ - "Content-Type": ["application/x-www-form-urlencoded"], - } - }).as(req, req.do_request().as(resp, - bytes(resp.Body).decode_json().as(body, { + request("POST", state.url, "query=get_recent&selector=time").with({ + "Header":{ + "Content-Type": ["application/x-www-form-urlencoded"], + } + }).do_request().as(resp, resp.StatusCode == 200 ? + bytes(resp.Body).decode_json().as(body, body.?query_status.orValue("") == "ok" ? + { "events": body.data.map(ind, { "message": ind.encode_json() }), "url": state.url - }) - )) + } + : body.?query_status.orValue("") == "no_results" ? + { + "events": [], + "url": state.url + } + : + { + "events": [{ + "error": { + ?"id": body.?query_status, + "message": "POST:"+string(resp.Body) + }, + }], + "url": state.url + } + ) + : + { + "events": [{ + "error": { + "code": string(resp.StatusCode), + "id": string(resp.Status), + "message": "POST:"+string(resp.Body) + }, + }], + "url": state.url + } + ) {{#if ioc_expiration_duration}} fields_under_root: true diff --git a/packages/ti_abusech/manifest.yml b/packages/ti_abusech/manifest.yml index f5d1b22b277..d4570c22f39 100644 --- a/packages/ti_abusech/manifest.yml +++ b/packages/ti_abusech/manifest.yml @@ -1,6 +1,6 @@ name: ti_abusech title: AbuseCH -version: "2.0.1" +version: "2.1.0" description: Ingest threat intelligence indicators from URL Haus, Malware Bazaar, and Threat Fox feeds with Elastic Agent. type: integration format_version: "3.0.3" From 9d8246816a3a1c82007f7894667427b35ad59921 Mon Sep 17 00:00:00 2001 
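Review bot: The 200 branch still calls `bytes(resp.Body).decode_json()` unconditionally, so a 200 response whose body is not JSON (an HTML rate-limit or proxy page, for example) aborts the CEL evaluation instead of producing the structured error event this change introduces for the other failure paths. If the input's CEL library provides the `try` macro, wrapping the decode, e.g. `try(bytes(resp.Body).decode_json(), "decode_error")`, and routing a result carrying `decode_error` to the same error-event shape would make the reporting uniform; otherwise a comment noting that non-JSON 200 responses surface as evaluation errors would help operators. The `ok` branch also assumes `body.data` is present whenever `query_status` is `ok`; `body.?data.orValue([])` would tolerate a missing field. Note that the error messages embed the full raw response body via `string(resp.Body)`, which is useful for debugging but unbounded in size.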
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 17 Jun 2024 10:27:59 +0200 Subject: [PATCH 016/105] Bump github.com/elastic/go-licenser from 0.4.1 to 0.4.2 (#10146) Bumps [github.com/elastic/go-licenser](https://github.com/elastic/go-licenser) from 0.4.1 to 0.4.2. - [Release notes](https://github.com/elastic/go-licenser/releases) - [Changelog](https://github.com/elastic/go-licenser/blob/main/.goreleaser.yml) - [Commits](https://github.com/elastic/go-licenser/compare/v0.4.1...v0.4.2) --- updated-dependencies: - dependency-name: github.com/elastic/go-licenser dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 13 ++----------- 2 files changed, 3 insertions(+), 12 deletions(-) diff --git a/go.mod b/go.mod index 5debcfbb9cd..40ca16ada41 100644 --- a/go.mod +++ b/go.mod @@ -5,7 +5,7 @@ go 1.22.0 require ( github.com/blang/semver v3.5.1+incompatible github.com/elastic/elastic-package v0.100.0 - github.com/elastic/go-licenser v0.4.1 + github.com/elastic/go-licenser v0.4.2 github.com/elastic/package-registry v1.24.0 github.com/magefile/mage v1.15.0 github.com/pkg/errors v0.9.1 diff --git a/go.sum b/go.sum index b54c9cb6b61..0984de47496 100644 --- a/go.sum +++ b/go.sum 
@@ -99,8 +99,8 @@ github.com/elastic/elastic-package v0.100.0 h1:SiuS7jmi8YWu7lkmD2yn7Y6euoaMxOVmR github.com/elastic/elastic-package v0.100.0/go.mod h1:ffyHwLLyREQvJBP2WRGhRxJl+dosf494/Dvl+b4bKms= github.com/elastic/go-elasticsearch/v7 v7.17.10 h1:TCQ8i4PmIJuBunvBS6bwT2ybzVFxxUhhltAs3Gyu1yo= github.com/elastic/go-elasticsearch/v7 v7.17.10/go.mod h1:OJ4wdbtDNk5g503kvlHLyErCgQwwzmDtaFC4XyOxXA4= -github.com/elastic/go-licenser v0.4.1 h1:1xDURsc8pL5zYT9R29425J3vkHdt4RT5TNEMeRN48x4= -github.com/elastic/go-licenser v0.4.1/go.mod h1:V56wHMpmdURfibNBggaSBfqgPxyT1Tldns1i87iTEvU= +github.com/elastic/go-licenser v0.4.2 h1:bPbGm8bUd8rxzSswFOqvQh1dAkKGkgAmrPxbUi+Y9+A= +github.com/elastic/go-licenser v0.4.2/go.mod h1:W8eH6FaZDR8fQGm+7FnVa7MxI1b/6dAqxz+zPB8nm5c= github.com/elastic/go-resource v0.2.0 h1:T92tw+THqISnCKaZBijlZMpEpCYkFkwsOgLQxKX6pqA= github.com/elastic/go-resource v0.2.0/go.mod h1:KySNvn044vVpPCX1osrkB5MQHemDM5RnkeBFW51CiRo= github.com/elastic/go-sysinfo v1.9.0 h1:usICqY/Nw4Mpn9f4LdtpFrKxXroJDe81GaxxUlCckIo= @@ -459,7 +459,6 @@ github.com/youmark/pkcs8 v0.0.0-20181117223130-1be2e3e5546d/go.mod h1:rHwXgn7Jul github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k= -github.com/yuin/goldmark v1.4.0/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k= github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY= github.com/yusufpapurcu/wmi v1.2.4 h1:zFUKzehAFReQwLys1b/iSMl+JQGSCSjtVqQn9bBrPo0= github.com/yusufpapurcu/wmi v1.2.4/go.mod h1:SBZ9tNy3G9/m5Oi98Zks0QjeHVDvuK0qfxQmPyzfmi0= 
@@ -521,12 +520,9 @@ golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTk golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU= golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= golang.org/x/lint v0.0.0-20190930215403-16217165b5de/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= -golang.org/x/lint v0.0.0-20210508222113-6edffad5e616/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY= -golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg= golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= -golang.org/x/mod v0.5.1/go.mod h1:5OXOZSfqPIIbmVBIIKWRFfZjPR0E5r58TLhUjH0a2Ro= golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= golang.org/x/mod v0.18.0 h1:5+9lSbEzPSdWkH32vYPBwEpX8KwDbM52Ud9xBUvNlb0= 
@@ -542,7 +538,6 @@ golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwY golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM= -golang.org/x/net v0.0.0-20210805182204-aaa1db679c0d/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY= @@ -577,8 +572,6 @@ golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210616094352-59db8d763f22/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20210809222454-d867a43fc93e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20211102192858-4dd72447c267/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220408201424-a24fb2fb8a0f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= 
@@ -619,12 +612,10 @@ golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3 golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= -golang.org/x/tools v0.0.0-20200130002326-2f3ba24bd6e7/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= golang.org/x/tools v0.0.0-20200509030707-2212a7e161a5/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= golang.org/x/tools v0.1.5/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= -golang.org/x/tools v0.1.7/go.mod h1:LGqMHiF4EqQNHR1JncWGqT5BVaXmza+X+BDGol+dOxo= golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU= golang.org/x/tools v0.22.0 h1:gqSGLZqv+AI9lIQzniJ0nZDRG5GBPsSi+DRNHWNz6yA= From 6dfca046e4837991fb7a266d95063f58858299ee Mon Sep 17 00:00:00 2001 From: Chris Berkhout Date: Tue, 18 Jun 2024 00:11:01 +1000 Subject: [PATCH 017/105] [sentinel_one] Change default interval to 30s for all data streams (#10103) --- packages/sentinel_one/changelog.yml | 5 +++++ packages/sentinel_one/data_stream/activity/manifest.yml | 2 +- packages/sentinel_one/data_stream/agent/manifest.yml | 2 +- packages/sentinel_one/data_stream/alert/manifest.yml | 2 +- packages/sentinel_one/data_stream/group/manifest.yml | 2 +- packages/sentinel_one/data_stream/threat/manifest.yml | 2 +- packages/sentinel_one/manifest.yml | 2 +- 7 files changed, 11 insertions(+), 6 deletions(-) 
diff --git a/packages/sentinel_one/changelog.yml b/packages/sentinel_one/changelog.yml index 542ae7f8314..be562b21f17 100644 --- a/packages/sentinel_one/changelog.yml +++ b/packages/sentinel_one/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.23.2" + changes: + - description: Change default interval to 30s for all data streams. + type: enhancement + link: https://github.com/elastic/integrations/pull/10103 - version: "1.23.1" changes: - description: Fix sample event. diff --git a/packages/sentinel_one/data_stream/activity/manifest.yml b/packages/sentinel_one/data_stream/activity/manifest.yml index e6636bbbfc4..b650597ed3e 100644 --- a/packages/sentinel_one/data_stream/activity/manifest.yml +++ b/packages/sentinel_one/data_stream/activity/manifest.yml @@ -18,7 +18,7 @@ streams: type: text title: Interval description: "Duration between requests to the SentinelOne API. NOTE: Supported units for this parameter are h/m/s." - default: 1m + default: 30s multi: false required: true show_user: true diff --git a/packages/sentinel_one/data_stream/agent/manifest.yml b/packages/sentinel_one/data_stream/agent/manifest.yml index c82797097dc..0fceff67373 100644 --- a/packages/sentinel_one/data_stream/agent/manifest.yml +++ b/packages/sentinel_one/data_stream/agent/manifest.yml @@ -18,7 +18,7 @@ streams: type: text title: Interval description: "Duration between requests to the SentinelOne API. NOTE: Supported units for this parameter are h/m/s." - default: 5m + default: 30s multi: false required: true show_user: true diff --git a/packages/sentinel_one/data_stream/alert/manifest.yml b/packages/sentinel_one/data_stream/alert/manifest.yml index 7d49c430a18..69c19269901 100644 --- a/packages/sentinel_one/data_stream/alert/manifest.yml +++ b/packages/sentinel_one/data_stream/alert/manifest.yml 
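Review bot: The default interval for the `agent` data stream drops from 5m to 30s with no change to its description, so operators get no hint that five data streams now each poll the SentinelOne API every 30 seconds by default. Agent inventory data presumably changes far less often than activity or threat data, so the shorter default mainly adds API request volume; if the uniform 30s is intentional, consider extending the description, e.g. `Duration between requests to the SentinelOne API. Lower values increase API request volume and may hit API rate limits. NOTE: Supported units for this parameter are h/m/s.`, or keeping a longer default for the inventory-style streams.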
@@ -18,7 +18,7 @@ streams:
 type: text
 title: Interval
 description: "Duration between requests to the SentinelOne API. NOTE: Supported units for this parameter are h/m/s."
- default: 5m
+ default: 30s
 multi: false
 required: true
 show_user: true
diff --git a/packages/sentinel_one/data_stream/group/manifest.yml b/packages/sentinel_one/data_stream/group/manifest.yml
index 2673b2f05f1..8ae55c4610b 100644
--- a/packages/sentinel_one/data_stream/group/manifest.yml
+++ b/packages/sentinel_one/data_stream/group/manifest.yml
@@ -18,7 +18,7 @@ streams:
 type: text
 title: Interval
 description: "Duration between requests to the SentinelOne API. NOTE: Supported units for this parameter are h/m/s."
- default: 5m
+ default: 30s
 multi: false
 required: true
 show_user: true
diff --git a/packages/sentinel_one/data_stream/threat/manifest.yml b/packages/sentinel_one/data_stream/threat/manifest.yml
index 238c35aad90..59dab361031 100644
--- a/packages/sentinel_one/data_stream/threat/manifest.yml
+++ b/packages/sentinel_one/data_stream/threat/manifest.yml
@@ -18,7 +18,7 @@ streams:
 type: text
 title: Interval
 description: "Duration between requests to the SentinelOne API. NOTE: Supported units for this parameter are h/m/s."
- default: 5m
+ default: 30s
 multi: false
 required: true
 show_user: true
diff --git a/packages/sentinel_one/manifest.yml b/packages/sentinel_one/manifest.yml
index a0b92308d98..eefe8df2c10 100644
--- a/packages/sentinel_one/manifest.yml
+++ b/packages/sentinel_one/manifest.yml
@@ -1,7 +1,7 @@
 format_version: "3.0.2"
 name: sentinel_one
 title: SentinelOne
-version: "1.23.1"
+version: "1.23.2"
 description: Collect logs from SentinelOne with Elastic Agent.
 type: integration
 categories:
From 78a9267977a8a0a9f6411053a2b1fc3baf9edc07 Mon Sep 17 00:00:00 2001
From: gogochan <5281995+gogochan@users.noreply.github.com>
Date: Mon, 17 Jun 2024 10:56:52 -0400
Subject: [PATCH 018/105] [CiscoIOS] Restore system Message handling for Cisco IOS (#10147)

---
 packages/cisco_ios/changelog.yml | 5 +++
 .../log/_dev/test/pipeline/test-syslog.log | 3 +-
 .../pipeline/test-syslog.log-expected.json | 38 +++++++++++++++++++
 .../elasticsearch/ingest_pipeline/default.yml | 1 +
 packages/cisco_ios/manifest.yml | 2 +-
 5 files changed, 47 insertions(+), 2 deletions(-)

diff --git a/packages/cisco_ios/changelog.yml b/packages/cisco_ios/changelog.yml
index 5b7e69fccf0..d5c46bf6101 100644
--- a/packages/cisco_ios/changelog.yml
+++ b/packages/cisco_ios/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.26.10"
+ changes:
+ - description: Restore system Message handling for Cisco IOS
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/10147
 - version: "1.26.9"
 changes:
 - description: Update grok if statement to skip IOSXE messages with no sub-message
diff --git a/packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-syslog.log b/packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-syslog.log
index 08e0ec4c640..dd9e7b3b6e8 100644
--- a/packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-syslog.log
+++ b/packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-syslog.log
@@ -11,4 +11,5 @@
 <190>3352460: 3352481: Aug 12 2023 12:15:33.963 mdt: %IOSXE-6-PLATFORM: R0/0: cpp_cp: QFP:0.0 Thread:001 TS:00013807835737559120 %FW-6-DROP_PKT: Dropping tcp pkt from GigabitEthernet1/0/2.6 10.50.14.44:53836 => 89.160.20.128:80(target:class)-(ZP_PROCESS_TO_CORPORATE:class-default) due to Policy drop:classify result with ip ident 13017 tcp flag 0x2, seq 4266642156, ack 0
 <191>: rt401-rk30409: Aug 18 07:15:04.461 CEST: last message repeated 66 times
 <189>1469087: chswitchm1: Mar 29 07:40:10.863 CDT: %ILPOWER-5-SENSE_POWER_INVALID: Interface Gi1/0/25: invalid power sense 78054 milliwatts current 515 mA voltage 151562 mV
-<189>1469087: ch_switch_m-1: Mar 29 07:40:10.863 CDT: %ILPOWER-5-SENSE_POWER_INVALID: Interface Gi1/0/25: invalid power sense 78054 milliwatts current 515 mA voltage 151562 mV
\ No newline at end of file
+<189>1469087: ch_switch_m-1: Mar 29 07:40:10.863 CDT: %ILPOWER-5-SENSE_POWER_INVALID: Interface Gi1/0/25: invalid power sense 78054 milliwatts current 515 mA voltage 151562 mV
+<189>Jun 12 18:10:50 10.53.35.85 %ILPOWER-5-IEEE_DISCONNECT: Interface Gi1/0/20: PD removed
diff --git a/packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-syslog.log-expected.json b/packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-syslog.log-expected.json
index 80e344d5e7b..09533925162 100644
--- a/packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-syslog.log-expected.json
+++ b/packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-syslog.log-expected.json
@@ -635,6 +635,44 @@ "tags": [ "preserve_original_event" ] + }, + { + "cisco": { + "ios": { + "facility": "ILPOWER" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "network" + ], + "code": "IEEE_DISCONNECT", + "original": "<189>Jun 12 18:10:50 10.53.35.85 %ILPOWER-5-IEEE_DISCONNECT: Interface Gi1/0/20: PD removed", + "provider": "firewall", + "severity": 5, + "type": [ + "info" + ] + }, + "log": { + "level": "notification", + "syslog": { + "hostname": "10.53.35.85", + "priority": 189 + } + }, + "message": "Interface Gi1/0/20: PD removed", + "observer": { + "product": "IOS", + "type": "firewall", + "vendor": "Cisco" + }, + "tags": [ + "preserve_original_event" + ] } ] } \ No newline at end of file diff --git a/packages/cisco_ios/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/cisco_ios/data_stream/log/elasticsearch/ingest_pipeline/default.yml index ab3553b83a2..5079476fd92 100644 --- a/packages/cisco_ios/data_stream/log/elasticsearch/ingest_pipeline/default.yml +++ b/packages/cisco_ios/data_stream/log/elasticsearch/ingest_pipeline/default.yml 
@@ -38,6 +38,7 @@ processors:
 - '^%{CISCO_PRIORITY_MSGCOUNT}?%{SYSLOGTIMESTAMP} %{IP} %{CISCO_HOSTNAME:log.syslog.hostname}: (?:%{NUMBER:cisco.ios.sequence}: )?(?:%{CISCO_UPTIME:cisco.ios.uptime}|%{CISCO_TIMESTAMP}): %{GREEDYDATA:_temp_.message}$'
 - '^%{CISCO_PRIORITY_MSGCOUNT}?%{SYSLOGTIMESTAMP} (?:%{IP}|%{CISCO_HOSTNAME:log.syslog.hostname}) %{NUMBER:cisco.ios.sequence}: (?:%{CISCO_UPTIME:cisco.ios.uptime}|%{CISCO_TIMESTAMP}): %{GREEDYDATA:_temp_.message}$'
 - '^%{CISCO_PRIORITY_MSGCOUNT}?(?:(?:%{CISCO_HOSTNAME:log.syslog.hostname}|%{IP})[:]? )?(?:%{NUMBER:cisco.ios.sequence}: )?(?:%{CISCO_UPTIME:cisco.ios.uptime}|%{CISCO_TIMESTAMP}): %{GREEDYDATA:_temp_.message}$'
+ - '^%{CISCO_PRIORITY_MSGCOUNT}?%{SYSLOGTIMESTAMP} (?:%{IP:log.syslog.hostname}|%{CISCO_HOSTNAME:log.syslog.hostname}) %{GREEDYDATA:_temp_.message}$'
 pattern_definitions:
 CISCO_PRIORITY_MSGCOUNT: '<%{NONNEGINT:log.syslog.priority:long}>(?:%{NONNEGINT:cisco.ios.message_count})?(?:: )?'
 CISCO_TIMESTAMP: '[*]?%{CISCOTIMESTAMP:_temp_.cisco_timestamp}(?: %{CISCO_TZ:_temp_.tz})?'
diff --git a/packages/cisco_ios/manifest.yml b/packages/cisco_ios/manifest.yml
index c005219f610..8c15074d6fd 100644
--- a/packages/cisco_ios/manifest.yml
+++ b/packages/cisco_ios/manifest.yml
@@ -1,7 +1,7 @@
 format_version: "3.0.3"
 name: cisco_ios
 title: Cisco IOS
-version: "1.26.9"
+version: "1.26.10"
 description: Collect logs from Cisco IOS with Elastic Agent.
 type: integration
 categories:
From 10287a4b7df15550bd2a39c6937d11219dd5f227 Mon Sep 17 00:00:00 2001
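Review bot: The new fallback pattern matches `%{SYSLOGTIMESTAMP}` without capturing it, so a message that only this pattern accepts carries no device time into the pipeline; the expected document for the new `IEEE_DISCONNECT` sample in the preceding hunk has no `@timestamp` at all, which suggests the event time will be whatever the agent or indexer assigns rather than the time the switch logged it. Capturing it, e.g. `%{SYSLOGTIMESTAMP:_temp_.syslog_timestamp}`, and routing that field through the pipeline's date handling would fix this, though the date processors sit outside this hunk and may need a branch for the new field. Because the pattern is appended last it only fires when the three stricter patterns fail, which keeps existing parses unchanged; a one-line comment saying so would help the next editor, e.g. `# Fallback: plain syslog header with no sequence number or device timestamp.` The expected output also tags this PoE message with `event.provider: firewall` / `observer.type: firewall`, which looks like a static default set elsewhere in the pipeline rather than anything derived from the message.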
From: marioschaefer
Date: Mon, 17 Jun 2024 17:20:23 +0200
Subject: [PATCH 019/105] [panw] Bug - fix grok parser for panw audit logs (#10163)

- Fix grok parser for panw audit logs so hostname/ip from syslog header is extracted to observer.hostname.
---
 packages/panw/changelog.yml | 5 +
 .../pipeline/test-panw-panos-audit-sample.log | 2 +
 ...-panw-panos-audit-sample.log-expected.json | 102 +++++++++++++++--
 .../elasticsearch/ingest_pipeline/default.yml | 2 +-
 packages/panw/manifest.yml | 2 +-
 5 files changed, 98 insertions(+), 15 deletions(-)

diff --git a/packages/panw/changelog.yml b/packages/panw/changelog.yml
index 30cc04ab1a4..95d6726869a 100644
--- a/packages/panw/changelog.yml
+++ b/packages/panw/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "3.26.1"
+ changes:
+ - description: fix grok parser for audit-logs.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/10163
 - version: "3.26.0"
 changes:
 - description: Improve handling of urls and filenames when parsing anti-virus events.
diff --git a/packages/panw/data_stream/panos/_dev/test/pipeline/test-panw-panos-audit-sample.log b/packages/panw/data_stream/panos/_dev/test/pipeline/test-panw-panos-audit-sample.log
index 356fb67fc63..dbad64cedc0 100644
--- a/packages/panw/data_stream/panos/_dev/test/pipeline/test-panw-panos-audit-sample.log
+++ b/packages/panw/data_stream/panos/_dev/test/pipeline/test-panw-panos-audit-sample.log
@@ -1,2 +1,4 @@
 Apr 11 20:06:15 192.168.0.1 01111111111,2024/04/11 20:06:15,audit,2561,gui-op,suser,"",success
 Apr 18 18:35:20 10.1.1.1 003001000000,2024/04/18 18:35:20,audit,2561,gui-op,Mustang,"all",success
+Apr 18 18:36:20 test-hostname 003001000000,2024/04/18 18:36:20,audit,2561,gui-op,Mustang,"all",success
+Apr 18 18:37:20 test-hostname.test.intra 003001000000,2024/04/18 18:37:20,audit,2561,gui-op,Mustang,"all",success
diff --git a/packages/panw/data_stream/panos/_dev/test/pipeline/test-panw-panos-audit-sample.log-expected.json b/packages/panw/data_stream/panos/_dev/test/pipeline/test-panw-panos-audit-sample.log-expected.json index 9d42264d854..e63b30b6d60 100644 --- a/packages/panw/data_stream/panos/_dev/test/pipeline/test-panw-panos-audit-sample.log-expected.json +++ b/packages/panw/data_stream/panos/_dev/test/pipeline/test-panw-panos-audit-sample.log-expected.json @@ -16,10 +16,8 @@ "timezone": "-04:00" }, "message": "2561,gui-op,suser,\"\",success", - "network": { - "type": "ipv4" - }, "observer": { + "hostname": "192.168.0.1", "product": "PAN-OS", "serial_number": "01111111111", "type": "firewall", @@ -34,13 +32,10 @@ } }, "related": { - "ip": [ + "hosts": [ "192.168.0.1" ] }, - "source": { - "ip": "192.168.0.1" - }, "tags": [ "preserve_original_event" ], @@ -64,10 +59,8 @@ "timezone": "-04:00" }, "message": "2561,gui-op,Mustang,\"all\",success", - "network": { - "type": "ipv4" - }, "observer": { + "hostname": "10.1.1.1", "product": "PAN-OS", "serial_number": "003001000000", "type": "firewall", 
@@ -82,12 +75,95 @@ } }, "related": { - "ip": [ + "hosts": [ "10.1.1.1" ] }, - "source": { - "ip": "10.1.1.1" + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "Mustang" + } + }, + { + "@timestamp": "2024-04-18T18:36:20.000-04:00", + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "configuration" + ], + "created": "2024-04-18T14:36:20.000-04:00", + "kind": "event", + "original": "Apr 18 18:36:20 test-hostname 003001000000,2024/04/18 18:36:20,audit,2561,gui-op,Mustang,\"all\",success", + "outcome": "success", + "timezone": "-04:00" + }, + "message": "2561,gui-op,Mustang,\"all\",success", + "observer": { + "hostname": "test-hostname", + "product": "PAN-OS", + "serial_number": "003001000000", + "type": "firewall", + "vendor": "Palo Alto Networks" + }, + "panw": { + "panos": { + "cmd": "all", + "cmd_source": "gui-op", + "config_version": "2561", + "type": "AUDIT" + } + }, + "related": { + "hosts": [ + "test-hostname" + ] + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "Mustang" + } + }, + { + "@timestamp": "2024-04-18T18:37:20.000-04:00", + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "configuration" + ], + "created": "2024-04-18T14:37:20.000-04:00", + "kind": "event", + "original": "Apr 18 18:37:20 test-hostname.test.intra 003001000000,2024/04/18 18:37:20,audit,2561,gui-op,Mustang,\"all\",success", + "outcome": "success", + "timezone": "-04:00" + }, + "message": "2561,gui-op,Mustang,\"all\",success", + "observer": { + "hostname": "test-hostname.test.intra", + "product": "PAN-OS", + "serial_number": "003001000000", + "type": "firewall", + "vendor": "Palo Alto Networks" + }, + "panw": { + "panos": { + "cmd": "all", + "cmd_source": "gui-op", + "config_version": "2561", + "type": "AUDIT" + } + }, + "related": { + "hosts": [ + "test-hostname.test.intra" + ] }, "tags": [ "preserve_original_event" 
diff --git a/packages/panw/data_stream/panos/elasticsearch/ingest_pipeline/default.yml b/packages/panw/data_stream/panos/elasticsearch/ingest_pipeline/default.yml
index b57ffe83c42..8f3924bc43f 100644
--- a/packages/panw/data_stream/panos/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/panw/data_stream/panos/elasticsearch/ingest_pipeline/default.yml
@@ -31,7 +31,7 @@ processors:
 field: _temp_.message
 patterns:
 - "^%{DATA},%{TIMESTAMP:event.created},%{FIELD:observer.serial_number},%{FIELD:panw.panos.type},(?:%{FIELD:panw.panos.sub_type})?,%{FIELD:_temp_.config_version},%{TIMESTAMP:_temp_.generated_time},%{GREEDYDATA:message}$"
- - "^%{SYSLOGTIMESTAMP:_temp_.syslog_time} %{IP:source.ip} %{NOTSPACE:observer.serial_number},%{PANW_DATE:_temp_.generated_time},%{FIELD:panw.panos.type},%{GREEDYDATA:message}$"
+ - "^%{SYSLOGTIMESTAMP:_temp_.syslog_time} %{IPORHOST:observer.hostname} %{NOTSPACE:observer.serial_number},%{PANW_DATE:_temp_.generated_time},%{FIELD:panw.panos.type},%{GREEDYDATA:message}$"
 pattern_definitions:
 TIMESTAMP: "%{PANW_DATE}|%{TIMESTAMP_ISO8601}"
 PANW_DATE: "%{YEAR}/%{MONTHNUM}/%{MONTHDAY} %{TIME}"
diff --git a/packages/panw/manifest.yml b/packages/panw/manifest.yml
index 7d38efcf29d..0d95d261dbf 100644
--- a/packages/panw/manifest.yml
+++ b/packages/panw/manifest.yml
@@ -1,6 +1,6 @@
 name: panw
 title: Palo Alto Next-Gen Firewall
-version: "3.26.0"
+version: "3.26.1"
 description: Collect logs from Palo Alto next-gen firewalls with Elastic Agent.
 type: integration
 format_version: "3.0.3"
From d3066310b16e7b6a2732dd581e09099076d13724 Mon Sep 17 00:00:00 2001
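Review bot: `%{IPORHOST:observer.hostname}` puts an IP address into a hostname field whenever the syslog header carries one, and the expected output in the earlier hunks shows the effect: `192.168.0.1` moves from `related.ip` to `related.hosts`, so any detection rule or pivot keyed on `related.ip` or `observer.ip` no longer finds the firewall's management address. Splitting the alternation keeps each shape typed correctly, `(?:%{IP:observer.ip}|%{HOSTNAME:observer.hostname})`, with the `related.*` population (which lives outside this hunk) copying whichever of the two is set. The old `source.ip` was the wrong field as well, since the header address identifies the reporting device rather than a traffic source, so moving to `observer.*` is the right direction; the remaining question is only whether to keep the IP/host distinction.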
From: Andrew Kroh
Date: Mon, 17 Jun 2024 21:04:34 -0400
Subject: [PATCH 020/105] qualys_vmdr - user_activity fixes (#10035)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Disable the new data stream by default to support automatic upgrades. Relates #6104. Without this, upgrades fail because the user must populate the required `url` field to make their policy valid. Add the missing preserve event original toggle. Set the X-Requested-With to curl to be consistent with the other data streams. I'm still not sure if using `curl` is necessary, but I don't want this to be the reason it is not working. Format the `since_datetime` query param. Previously it was including nanoseconds, and now it only includes seconds (e.g. `?since_datetime=2024-06-16 22:12:32`). The docs state: > Specify the date to include the activity log starting from that point in time. Date must be in the format YYYY-MM-DD HH:ii:ss, and must be less than or equal to today’s date.
---
 packages/qualys_vmdr/_dev/deploy/docker/files/config.yml | 2 ++
 packages/qualys_vmdr/changelog.yml | 5 +++++
 .../_dev/test/system/test-user-activity-config.yml | 1 +
 .../data_stream/user_activity/agent/stream/cel.yml.hbs | 7 +++++--
 .../qualys_vmdr/data_stream/user_activity/manifest.yml | 9 +++++++++
 packages/qualys_vmdr/manifest.yml | 2 +-
 6 files changed, 23 insertions(+), 3 deletions(-)

diff --git a/packages/qualys_vmdr/_dev/deploy/docker/files/config.yml b/packages/qualys_vmdr/_dev/deploy/docker/files/config.yml
index c5efb315c2b..0acaf71898b 100644
--- a/packages/qualys_vmdr/_dev/deploy/docker/files/config.yml
+++ b/packages/qualys_vmdr/_dev/deploy/docker/files/config.yml
@@ -195,6 +195,8 @@ rules:
 methods: ['GET']
 query_params:
 action: list
+ truncation_limit: 1000
+ since_datetime: '{since_datetime:\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}}'
 responses:
 - status_code: 200
 body: |-
diff --git a/packages/qualys_vmdr/changelog.yml b/packages/qualys_vmdr/changelog.yml
index fbe508bfe40..12924f6de47 100644
--- a/packages/qualys_vmdr/changelog.yml
+++ b/packages/qualys_vmdr/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "3.2.1"
+ changes:
+ - description: Disable the new user activity data stream by default. Add a toggle to preserve original event to the user activity data stream. Format the since_datetime query parameter.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/10035
 - version: "3.2.0"
 changes:
 - description: Add new data stream for collecting user activity logs.
diff --git a/packages/qualys_vmdr/data_stream/user_activity/_dev/test/system/test-user-activity-config.yml b/packages/qualys_vmdr/data_stream/user_activity/_dev/test/system/test-user-activity-config.yml
index 0e9524c4d3b..4aaecd429d7 100644
--- a/packages/qualys_vmdr/data_stream/user_activity/_dev/test/system/test-user-activity-config.yml
+++ b/packages/qualys_vmdr/data_stream/user_activity/_dev/test/system/test-user-activity-config.yml
@@ -8,5 +8,6 @@ data_stream:
 url: http://{{Hostname}}:{{Port}}
 preserve_duplicate_custom_fields: true
 preserve_original_event: true
+ enable_request_tracer: true
 assert:
 hit_count: 8
diff --git a/packages/qualys_vmdr/data_stream/user_activity/agent/stream/cel.yml.hbs b/packages/qualys_vmdr/data_stream/user_activity/agent/stream/cel.yml.hbs
index 4fa43b67e6a..6dd94db3125 100644
--- a/packages/qualys_vmdr/data_stream/user_activity/agent/stream/cel.yml.hbs
+++ b/packages/qualys_vmdr/data_stream/user_activity/agent/stream/cel.yml.hbs
@@ -29,13 +29,13 @@ program: |
 "GET",
 state.url.trim_right("/") + "/api/2.0/fo/activity_log/?" + {
 "action": ["list"],
- "since_datetime": [string(state.?cursor.latest_ts.orValue(now - duration(state.initial_interval)))],
+ "since_datetime": [string(state.?cursor.latest_ts.orValue(now - duration(state.initial_interval)).format("2006-01-02 15:04:05"))],
 ?"truncation_limit": has(state.batch_size) ? optional.of([string(state.batch_size)]) : optional.none(),
 }.format_query()
 ).with({
 "Header":{
 "Authorization": ["Basic " + (state.user + ":" + state.password).base64()],
- "X-Requested-With": ["Elastic-Agent"],
+ "X-Requested-With": ["curl"],
 }
 }).do_request().as(resp, (
 resp.StatusCode == 200
@@ -66,6 +66,9 @@ tags:
 {{#if preserve_duplicate_custom_fields}}
 - preserve_duplicate_custom_fields
 {{/if}}
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
 {{#each tags as |tag|}}
 - {{tag}}
 {{/each}}
diff --git a/packages/qualys_vmdr/data_stream/user_activity/manifest.yml b/packages/qualys_vmdr/data_stream/user_activity/manifest.yml
index 86350efb590..260271ea75d 100644
--- a/packages/qualys_vmdr/data_stream/user_activity/manifest.yml
+++ b/packages/qualys_vmdr/data_stream/user_activity/manifest.yml
@@ -5,6 +5,7 @@ streams:
 title: User Activity Log
 description: Collect User Activity Log data from Qualys VMDR platform.
 template_path: cel.yml.hbs
+ enabled: false
 vars:
 - name: url
 type: text
@@ -65,6 +66,14 @@ streams:
 type: bool
 multi: false
 default: false
+ - name: preserve_original_event
+ required: true
+ show_user: false
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`.
+ type: bool
+ multi: false
+ default: false
 - name: processors
 type: yaml
 title: Processors
diff --git a/packages/qualys_vmdr/manifest.yml b/packages/qualys_vmdr/manifest.yml
index acc6348112a..78ee445356a 100644
--- a/packages/qualys_vmdr/manifest.yml
+++ b/packages/qualys_vmdr/manifest.yml
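Review bot: Truncating `since_datetime` to whole seconds widens the overlap with the previous poll, and the API text quoted in the commit message says the parameter is inclusive ("starting from that point in time"), so the record(s) at the cursor boundary are re-fetched on every run; unless the ingest side derives a deterministic `_id` or fingerprint for activity records (not visible here), each interval now ingests duplicates. The `.format("2006-01-02 15:04:05")` output also carries no zone, so the value is only unambiguous if `state.cursor.latest_ts` is a UTC timestamp; that is worth pinning in a comment on the line, e.g. `# since_datetime is inclusive and second-granular; the cursor must be UTC or the window drifts.` One point outside this hunk but raised by the `Authorization` line it touches: the credential is HTTP Basic, so the stream manifest should constrain `url` to https, otherwise a mis-typed http URL ships the password in clear.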
@@ -1,7 +1,7 @@
 format_version: "3.0.2"
 name: qualys_vmdr
 title: Qualys VMDR
-version: "3.2.0"
+version: "3.2.1"
 description: Collect data from Qualys VMDR platform with Elastic Agent.
 type: integration
 categories:
From 03498e82b905217c91b44af5c2abceddbc2bb261 Mon Sep 17 00:00:00 2001
From: Marc Guasch
Date: Tue, 18 Jun 2024 09:58:55 +0200
Subject: [PATCH 021/105] Fix template to not fail without local domains. (#10172)

---
 .../microsoft_exchange_online_message_trace/changelog.yml | 5 +++++
 .../data_stream/log/agent/stream/httpjson.yml.hbs | 2 ++
 .../data_stream/log/agent/stream/log.yml.hbs | 2 ++
 .../microsoft_exchange_online_message_trace/manifest.yml | 2 +-
 4 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/packages/microsoft_exchange_online_message_trace/changelog.yml b/packages/microsoft_exchange_online_message_trace/changelog.yml
index 9d4f16a29b7..0732d7b3822 100644
--- a/packages/microsoft_exchange_online_message_trace/changelog.yml
+++ b/packages/microsoft_exchange_online_message_trace/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.21.2"
+ changes:
+ - description: Fix template to not fail without local domains.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/10172
 - version: "1.21.1"
 changes:
 - description: Fix sample event.
diff --git a/packages/microsoft_exchange_online_message_trace/data_stream/log/agent/stream/httpjson.yml.hbs b/packages/microsoft_exchange_online_message_trace/data_stream/log/agent/stream/httpjson.yml.hbs
index ce2e183e5bf..d13a38716ec 100644
--- a/packages/microsoft_exchange_online_message_trace/data_stream/log/agent/stream/httpjson.yml.hbs
+++ b/packages/microsoft_exchange_online_message_trace/data_stream/log/agent/stream/httpjson.yml.hbs
@@ -38,12 +38,14 @@ request.transforms:
 target: url.params.$skiptoken
 value: 0
 fields_under_root: true
+{{#if local_domains}}
 fields:
 _conf:
 local_domains:
 {{#each local_domains as |local_domain i|}}
 - {{local_domain}}
 {{/each}}
+{{/if}}
 tags:
 {{#if preserve_original_event}}
 - preserve_original_event
diff --git a/packages/microsoft_exchange_online_message_trace/data_stream/log/agent/stream/log.yml.hbs b/packages/microsoft_exchange_online_message_trace/data_stream/log/agent/stream/log.yml.hbs
index 4b36fe6d887..46f63a388a6 100644
--- a/packages/microsoft_exchange_online_message_trace/data_stream/log/agent/stream/log.yml.hbs
+++ b/packages/microsoft_exchange_online_message_trace/data_stream/log/agent/stream/log.yml.hbs
@@ -4,12 +4,14 @@ paths:
 {{/each}}
 exclude_files: ['\.gz$']
 fields_under_root: true
+{{#if local_domains}}
 fields:
 _conf:
 local_domains:
 {{#each local_domains as |local_domain i|}}
 - {{local_domain}}
 {{/each}}
+{{/if}}
 tags:
 {{#if preserve_original_event}}
 - preserve_original_event
diff --git a/packages/microsoft_exchange_online_message_trace/manifest.yml b/packages/microsoft_exchange_online_message_trace/manifest.yml
index 3df3cf27867..bda6c474bdc 100644
--- a/packages/microsoft_exchange_online_message_trace/manifest.yml
+++ b/packages/microsoft_exchange_online_message_trace/manifest.yml
@@ -1,7 +1,7 @@
 format_version: "3.0.2"
 name: microsoft_exchange_online_message_trace
 title: "Microsoft Exchange Online Message Trace"
-version: "1.21.1"
+version: "1.21.2"
 description: "Microsoft Exchange Online Message Trace Integration"
 type: integration
 categories:
From d73917a12d69cf12295e85b742266e928a8c4360 Mon Sep 17 00:00:00 2001
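Review bot: Wrapping the whole `fields:` stanza in `{{#if local_domains}}` means an empty list now omits `_conf.local_domains` entirely instead of rendering an empty YAML sequence, so whatever consumes `_conf.local_domains` downstream (the ingest pipeline, outside this diff) must treat the missing key as "no local domains" rather than as an error, and that contract deserves a line next to the guard: `{{!-- Omitted when no local domains are configured; consumers must tolerate the missing key. --}}`. Each domain is also interpolated unquoted as `- {{local_domain}}`, so a value starting with a YAML indicator character would break the rendered config; emitting it as `- "{{local_domain}}"` is cheap insurance. The same two observations apply to the `log.yml.hbs` hunk that follows.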
From: =?UTF-8?q?Simon=20K=C3=B6tting?= <145989254+SimonKoetting@users.noreply.github.com>
Date: Tue, 18 Jun 2024 10:47:01 +0200
Subject: [PATCH 022/105] Adjust mapping to include related & error field (#10173)

* Adjust mapping to include related & error field
* Update changelog.yml
---
 packages/microsoft_exchange_server/changelog.yml | 5 +++++
 .../data_stream/httpproxy/fields/ecs.yml | 4 ++++
 .../data_stream/imap4_pop3/fields/ecs.yml | 4 ++++
 .../data_stream/messagetracking/fields/ecs.yml | 4 ++++
 .../data_stream/smtp/fields/ecs.yml | 4 ++++
 packages/microsoft_exchange_server/manifest.yml | 2 +-
 6 files changed, 22 insertions(+), 1 deletion(-)

diff --git a/packages/microsoft_exchange_server/changelog.yml b/packages/microsoft_exchange_server/changelog.yml
index bfdf29268d9..32365f9ae55 100644
--- a/packages/microsoft_exchange_server/changelog.yml
+++ b/packages/microsoft_exchange_server/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.0.2"
+ changes:
+ - description: Adjust mapping to include related & error field
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/10173
 - version: "1.0.1"
 changes:
 - description: Adjust mapping to include agent & host field
diff --git a/packages/microsoft_exchange_server/data_stream/httpproxy/fields/ecs.yml b/packages/microsoft_exchange_server/data_stream/httpproxy/fields/ecs.yml
index 347e9480f49..07954fe12e2 100644
--- a/packages/microsoft_exchange_server/data_stream/httpproxy/fields/ecs.yml
+++ b/packages/microsoft_exchange_server/data_stream/httpproxy/fields/ecs.yml
@@ -56,3 +56,7 @@
 name: agent.type
 - external: ecs
 name: agent.version
+- external: ecs
+ name: related.ip
+- external: ecs
+ name: error.message
\ No newline at end of file
diff --git a/packages/microsoft_exchange_server/data_stream/imap4_pop3/fields/ecs.yml b/packages/microsoft_exchange_server/data_stream/imap4_pop3/fields/ecs.yml
index 1077defd8ba..63147069dd4 100644
--- a/packages/microsoft_exchange_server/data_stream/imap4_pop3/fields/ecs.yml
+++ b/packages/microsoft_exchange_server/data_stream/imap4_pop3/fields/ecs.yml
@@ -42,3 +42,7 @@
 name: agent.type
 - external: ecs
 name: agent.version
+- external: ecs
+ name: related.ip
+- external: ecs
+ name: error.message
\ No newline at end of file
diff --git a/packages/microsoft_exchange_server/data_stream/messagetracking/fields/ecs.yml b/packages/microsoft_exchange_server/data_stream/messagetracking/fields/ecs.yml
index 196aa523265..501a42a98ad 100644
--- a/packages/microsoft_exchange_server/data_stream/messagetracking/fields/ecs.yml
+++ b/packages/microsoft_exchange_server/data_stream/messagetracking/fields/ecs.yml
@@ -64,3 +64,7 @@
 name: agent.type
 - external: ecs
 name: agent.version
+- external: ecs
+ name: related.ip
+- external: ecs
+ name: error.message
diff --git a/packages/microsoft_exchange_server/data_stream/smtp/fields/ecs.yml b/packages/microsoft_exchange_server/data_stream/smtp/fields/ecs.yml
index 4fb33ccbd0e..dc1eea7da32 100644
--- a/packages/microsoft_exchange_server/data_stream/smtp/fields/ecs.yml
+++ b/packages/microsoft_exchange_server/data_stream/smtp/fields/ecs.yml
@@ -40,3 +40,7 @@
 name: agent.type
 - external: ecs
 name: agent.version
+- external: ecs
+ name: related.ip
+- external: ecs
+ name: error.message
\ No newline at end of file
diff --git a/packages/microsoft_exchange_server/manifest.yml b/packages/microsoft_exchange_server/manifest.yml
index 425254a4551..bb6a309add2 100644
--- a/packages/microsoft_exchange_server/manifest.yml
+++ b/packages/microsoft_exchange_server/manifest.yml
@@ -1,7 +1,7 @@
 format_version: 3.0.3
 name: microsoft_exchange_server
 title: "Microsoft Exchange Server"
-version: 1.0.1
+version: 1.0.2
 source:
 license: "Elastic-2.0"
 description: Collect logs from Microsoft Exchange Server with Elastic Agent.
From 03a4f75f3476bad3227a0895648be12a1bb2cfa1 Mon Sep 17 00:00:00 2001
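Review bot: The httpproxy, imap4_pop3 and smtp `ecs.yml` hunks end with `\ No newline at end of file` after the new `name: error.message` entry, while `messagetracking` keeps its trailing newline; since the old `name: agent.version` line is shown as unchanged context, the original files did end with a newline and this patch removes it from three of them. Restoring the final newline keeps the four files consistent and avoids the next field addition showing as a two-line diff.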
From: gogochan <5281995+gogochan@users.noreply.github.com>
Date: Tue, 18 Jun 2024 08:38:44 -0400
Subject: [PATCH 023/105] [CISCO AIRONET] Allow failure for LOG-3-Q_IND matching (#10166)

---
 packages/cisco_aironet/changelog.yml | 5 +
 .../test/pipeline/test-aironet-messages.log | 5 +-
 .../test-aironet-messages.log-expected.json | 102 ++++++++++++++++++
 .../elasticsearch/ingest_pipeline/default.yml | 2 +-
 packages/cisco_aironet/manifest.yml | 2 +-
 5 files changed, 113 insertions(+), 3 deletions(-)

diff --git a/packages/cisco_aironet/changelog.yml b/packages/cisco_aironet/changelog.yml
index e40ec0d9f9a..bbc392d379f 100644
--- a/packages/cisco_aironet/changelog.yml
+++ b/packages/cisco_aironet/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.13.2"
+ changes:
+ - description: Make LOG-3-Q_IND parsing optional.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/10166
 - version: "1.13.1"
 changes:
 - description: Fix CLIENT_ORCH_LOG messages.
diff --git a/packages/cisco_aironet/data_stream/log/_dev/test/pipeline/test-aironet-messages.log b/packages/cisco_aironet/data_stream/log/_dev/test/pipeline/test-aironet-messages.log
index 1dbfc5c1acd..08f1c4039e1 100644
--- a/packages/cisco_aironet/data_stream/log/_dev/test/pipeline/test-aironet-messages.log
+++ b/packages/cisco_aironet/data_stream/log/_dev/test/pipeline/test-aironet-messages.log
@@ -29,4 +29,7 @@
 <131>WLC001: *Dot1x_NW_MsgTask_3: Aug 29 10:58:57.787: %DOT1X-3-AAA_AUTH_SEND_FAIL: [PA]1x_aaa.c:893 Unable to send AAA message for client de:fb:48:7c:4f:f7
 <132>WLC001: *bcastReceiveTask: Aug 20 14:55:28.577: %BCAST-4-MLD_INVALID_IPV6_PKT: bcastMld.c:2594 Received IPV6 packet which is not a valid MLD packet
 <132>WLC001: *apfReceiveTask: Aug 22 10:24:20.959: %APF-4-MOBILESTATION_NOT_FOUND: apf_ms.c:8467 Could not find the mobile cc:73:14:61:b0:8f in internal database
-<190>201477: Jan 4 17:25:42.866: %CLIENT_ORCH_LOG-6-CLIENT_ADDED_TO_RUN_STATE: Chassis 2 R0/0: wncd: Username entry (00-00-00-00-00-00) joined with ssid (System-110) for device with MAC: 0000.0000.0000
\ No newline at end of file
+<190>201477: Jan 4 17:25:42.866: %CLIENT_ORCH_LOG-6-CLIENT_ADDED_TO_RUN_STATE: Chassis 2 R0/0: wncd: Username entry (00-00-00-00-00-00) joined with ssid (System-110) for device with MAC: 0000.0000.0000
+<132>WLC001: *spamReceiveTask: Dec 17 19:59:10.223: %LOG-3-Q_IND: mm_aplist.c:734 Could not delete an AP from the AP list.
+<132>WLC001: *spamApTask4: Jun 08 04:26:43.773: %LOG-3-Q_IND: spam_lrad.c:11366 Country code (CN ) not configured for AP 6c:99:89:b0:XX:XX[…It occurred 2 times.!]
+<132>WLC001: *emWeb: Jan 22 11:42:50.501: %LOG-3-Q_IND: spam_lrad.c:52448 The system is unable to find WLAN 1 to be deleted; AP XX:XX:XX:XX:XX:XX[...It occurred 3 times.!]
diff --git a/packages/cisco_aironet/data_stream/log/_dev/test/pipeline/test-aironet-messages.log-expected.json b/packages/cisco_aironet/data_stream/log/_dev/test/pipeline/test-aironet-messages.log-expected.json
index 52d0098d22a..bbd231ef947 100644
--- a/packages/cisco_aironet/data_stream/log/_dev/test/pipeline/test-aironet-messages.log-expected.json
+++ b/packages/cisco_aironet/data_stream/log/_dev/test/pipeline/test-aironet-messages.log-expected.json
@@ -1242,6 +1242,108 @@ "tags": [ "preserve_original_event" ] + }, + { + "@timestamp": "2024-12-17T19:59:10.223Z", + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "Q_IND", + "original": "<132>WLC001: *spamReceiveTask: Dec 17 19:59:10.223: %LOG-3-Q_IND: mm_aplist.c:734 Could not delete an AP from the AP list.", + "provider": "LOG", + "severity": "3" + }, + "host": { + "name": "WLC001" + }, + "log": { + "level": "warning", + "syslog": { + "facility": { + "code": 16 + }, + "priority": 132, + "severity": { + "code": 4 + } + } + }, + "message": "Could not delete an AP from the AP list.", + "process": { + "name": "spamReceiveTask" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2024-06-08T04:26:43.773Z", + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "Q_IND", + "original": "<132>WLC001: *spamApTask4: Jun 08 04:26:43.773: %LOG-3-Q_IND: spam_lrad.c:11366 Country code (CN ) not configured for AP 6c:99:89:b0:XX:XX[…It occurred 2 times.!]", + "provider": "LOG", + "severity": "3" + }, + "host": { + "name": "WLC001" + }, + "log": { + "level": "warning", + "syslog": { + "facility": { + "code": 16 + }, + "priority": 132, + "severity": { + "code": 4 + } + } + }, + "message": "Country code (CN ) not configured for AP 6c:99:89:b0:XX:XX[…It occurred 2 times.!]", + "process": { + "name": "spamApTask4" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2024-01-22T11:42:50.501Z", + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "Q_IND", + "original": "<132>WLC001: *emWeb: Jan 22 11:42:50.501: %LOG-3-Q_IND: spam_lrad.c:52448 The system is unable to find WLAN 1 to be deleted; AP XX:XX:XX:XX:XX:XX[...It occurred 3 times.!]", + "provider": "LOG", + "severity": "3" + }, + "host": { + "name": "WLC001" + }, + "log": { + "level": "warning", + "syslog": { + "facility": { + "code": 16 + }, + "priority": 132, + "severity": { + "code": 4 + } + } + }, + "message": "The system is unable to find WLAN 1 to 
be deleted; AP XX:XX:XX:XX:XX:XX[...It occurred 3 times.!]",
+ "process": {
+ "name": "emWeb"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
 }
 ]
 }
\ No newline at end of file
diff --git a/packages/cisco_aironet/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/cisco_aironet/data_stream/log/elasticsearch/ingest_pipeline/default.yml
index c8228d286bd..11098328208 100644
--- a/packages/cisco_aironet/data_stream/log/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/cisco_aironet/data_stream/log/elasticsearch/ingest_pipeline/default.yml
@@ -191,7 +191,7 @@ processors:
 patterns:
 - "version %{INT:cisco.eapol.version:int}, type %{INT:cisco.eapol.type:int}, descriptor %{INT:cisco.eapol.descriptor:int}, client %{MAC:client.mac}"
 - "client %{MAC:client.mac}"
- ignore_failure: false
+ ignore_failure: true
 ###
 - grok:
 description: APF-6-USER_NAME_CREATED, APF-6-USER_NAME_DELETED
diff --git a/packages/cisco_aironet/manifest.yml b/packages/cisco_aironet/manifest.yml
index 84a186309e1..817cb0a9477 100644
--- a/packages/cisco_aironet/manifest.yml
+++ b/packages/cisco_aironet/manifest.yml
@@ -1,7 +1,7 @@
 format_version: "3.0.3"
 name: cisco_aironet
 title: "Cisco Aironet"
-version: "1.13.1"
+version: "1.13.2"
 description: "Integration for Cisco Aironet WLC Logs"
 type: integration
 categories:
From e40c48b4ebcebd743264f113fff54c637fe9c9d1 Mon Sep 17 00:00:00 2001
From: Lee E Hinman <57081003+leehinman@users.noreply.github.com>
Date: Tue, 18 Jun 2024 10:09:33 -0500
Subject: [PATCH 024/105] [elastic_agent] Agent Metrics Dashboard improvements (#10031)

* Fix time interval and aggregations
* add dropped, duplicate, failed & toomany panels
* fix labels on axis
---
 packages/elastic_agent/changelog.yml | 5 +
 .../fields/fields.yml | 2 +-
 ...-f47f18cc-9c7d-4278-b2ea-a6dee816d395.json | 1385 +++++++++++++----
 packages/elastic_agent/manifest.yml | 2 +-
 4 files changed, 1085 insertions(+), 309 deletions(-)
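Review bot: Flipping `ignore_failure: false` to `ignore_failure: true` silences every failure of this grok processor, not only the expected no-match on `LOG-3-Q_IND` messages that carry no `client` MAC, so a future regression in the two EAPOL patterns would pass unnoticed with no `error.message` on the document. A narrower fix is to keep failures visible and instead gate the processor on the messages it can parse — for instance an `if:` that requires the text to contain `client ` (hedged, since I cannot see which field the processor runs on) — or to attach an `on_failure` that appends a tag so unparsed Q_IND lines remain queryable. The processor's `description:` line, which names the message types it targets, sits above this hunk, so it should be updated to say that a non-matching Q_IND payload is expected and tolerated.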
diff --git a/packages/elastic_agent/changelog.yml b/packages/elastic_agent/changelog.yml
index ea58e73c1ec..6d46225688f 100644
--- a/packages/elastic_agent/changelog.yml
+++ b/packages/elastic_agent/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.20.0"
+ changes:
+ - description: Change aggregations on elastic agent dashboards
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/10031
 - version: "1.19.2"
 changes:
 - description: Add all process values to endpoint metrics
diff --git a/packages/elastic_agent/data_stream/endpoint_security_metrics/fields/fields.yml b/packages/elastic_agent/data_stream/endpoint_security_metrics/fields/fields.yml
index 95494f1374b..f6d2d1da72f 100644
--- a/packages/elastic_agent/data_stream/endpoint_security_metrics/fields/fields.yml
+++ b/packages/elastic_agent/data_stream/endpoint_security_metrics/fields/fields.yml
@@ -434,4 +434,4 @@
 type: keyword
 ignore_above: 1024
 description: The binary that exeuctes the component
- example: filebeat
\ No newline at end of file
+ example: filebeat
diff --git a/packages/elastic_agent/kibana/dashboard/elastic_agent-f47f18cc-9c7d-4278-b2ea-a6dee816d395.json b/packages/elastic_agent/kibana/dashboard/elastic_agent-f47f18cc-9c7d-4278-b2ea-a6dee816d395.json
index e34bfa1e28b..808d4a63c76 100644
--- a/packages/elastic_agent/kibana/dashboard/elastic_agent-f47f18cc-9c7d-4278-b2ea-a6dee816d395.json
+++ b/packages/elastic_agent/kibana/dashboard/elastic_agent-f47f18cc-9c7d-4278-b2ea-a6dee816d395.json
@@ -106,7 +106,7 @@
 "drop_last_bucket": 0,
 "id": "61ca57f0-469d-11e7-af02-69e470af7417",
 "index_pattern": "metrics-*",
- "interval": "",
+ "interval": "\u003e=1m",
 "isModelInvalid": false,
 "max_lines_legend": 1,
 "series": [
@@ -168,6 +168,7 @@
 "type": "timeseries",
 "use_kibana_indexes": false
 },
+ "title": "",
 "type": "metrics",
 "uiState": {}
 }
@@ -197,6 +198,7 @@ "adHocDataViews": {}, "datasourceStates": { "formBased": { + "currentIndexPatternId": "metrics-*", "layers": { "c8958799-403d-41b6-9b7a-836c6de65bb6": { "columnOrder": [ @@ -234,7 +236,7 @@ "customLabel": true, "dataType": "number", "isBucketed": false, - "label": "Memory Usage", + "label": " ", "operationType": "max", "params": { "emptyAsNull": true, @@ -249,6 +251,7 @@ "sourceField": "system.process.memory.size" }, "c59ea682-bc16-4391-a1db-366fe40591e4": { + "customLabel": false, "dataType": "date", "isBucketed": true, "label": "@timestamp", @@ -256,13 +259,14 @@ "params": { "dropPartials": true, "includeEmptyRows": false, - "interval": "auto" + "interval": "m" }, "scale": "interval", "sourceField": "@timestamp" } }, "incompleteColumns": {}, + "indexPatternId": "metrics-*", "sampling": 1 } } @@ -279,8 +283,8 @@ }, "visualization": { "axisTitlesVisibilitySettings": { - "x": true, - "yLeft": true, + "x": false, + "yLeft": false, "yRight": true }, "fittingFunction": "None", @@ -305,7 +309,13 @@ "seriesType": "area_stacked", "showGridlines": false, "splitAccessor": "30880bcc-bda9-4cb3-b86c-e1ec9f01f4a5", - "xAccessor": "c59ea682-bc16-4391-a1db-366fe40591e4" + "xAccessor": "c59ea682-bc16-4391-a1db-366fe40591e4", + "yConfig": [ + { + "axisMode": "left", + "forAccessor": "401c5798-78b4-40ea-8ff7-debce9f4dbeb" + } + ] } ], "legend": { @@ -358,6 +368,7 @@ "adHocDataViews": {}, "datasourceStates": { "formBased": { + "currentIndexPatternId": "metrics-*", "layers": { "46ce3b62-69c2-45c5-bfb2-8eadce526ad1": { "columnOrder": [ @@ -399,15 +410,16 @@ "params": { "dropPartials": true, "includeEmptyRows": false, - "interval": "auto" + "interval": "m" }, "scale": "interval", "sourceField": "@timestamp" }, "2c4fab1b-eb92-4949-bcc2-225d2c0bdb24": { + "customLabel": true, "dataType": "number", "isBucketed": false, - "label": "Maximum of system.process.fd.open", + "label": " ", "operationType": "max", "params": { "emptyAsNull": true 
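Review bot: In the `@@ -234,7 +236,7 @@` and `@@ -399,15 +410,16 @@` hunks the metric label becomes `"label": " "` with `"customLabel": true`, which blanks the series name in the legend and the hover tooltip, not only the axis title; the same single-space label recurs in most later hunks of this file. If the aim is just to hide the axis title, the `axisTitlesVisibilitySettings` change in the same commit already does that and the label could stay descriptive, e.g. `"label": "Memory usage"` here and `"label": "Open file descriptors"` for the `system.process.fd.open` column. If the blank label is deliberate, a descriptive label on the referenced `max` column would at least keep the tooltip readable.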
@@ -417,6 +429,7 @@ } }, "incompleteColumns": {}, + "indexPatternId": "metrics-*", "sampling": 1 } } @@ -432,6 +445,11 @@ "query": "" }, "visualization": { + "axisTitlesVisibilitySettings": { + "x": false, + "yLeft": false, + "yRight": true + }, "layers": [ { "accessors": [ @@ -485,17 +503,13 @@ "id": "metrics-*", "name": "indexpattern-datasource-layer-ad65be36-0be3-4937-8f41-ec9e48adfce6", "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "1f53ae6d-f631-4ef1-8da4-e1918fd352af", - "type": "index-pattern" } ], "state": { "adHocDataViews": {}, "datasourceStates": { "formBased": { + "currentIndexPatternId": "metrics-*", "layers": { "ad65be36-0be3-4937-8f41-ec9e48adfce6": { "columnOrder": [ @@ -508,7 +522,7 @@ "2e112c50-5bc4-4c0b-a69b-8c17e0f9fc0a": { "dataType": "string", "isBucketed": true, - "label": "Top values of beat.type", + "label": "Top values of agent.name + 1 other", "operationType": "terms", "params": { "missingBucket": false, @@ -519,12 +533,15 @@ "orderDirection": "asc", "otherBucket": false, "parentFormat": { - "id": "terms" + "id": "multi_terms" }, + "secondaryFields": [ + "component.id" + ], "size": 10 }, "scale": "ordinal", - "sourceField": "beat.type" + "sourceField": "agent.name" }, "49cd060d-6f21-4d81-ad6b-1c8462c97353": { "dataType": "date", @@ -534,7 +551,7 @@ "params": { "dropPartials": true, "includeEmptyRows": false, - "interval": "auto" + "interval": "m" }, "scale": "interval", "sourceField": "@timestamp" @@ -544,10 +561,10 @@ "dataType": "number", "filter": { "language": "kuery", - "query": "data_stream.dataset : \"elastic_agent.*\" " + "query": "" }, "isBucketed": false, - "label": "Events Rate /s", + "label": " ", "operationType": "counter_rate", "references": [ "f5cbe487-2a43-425b-9cd1-40283e5e596c" @@ -564,7 +581,8 @@ "sourceField": "beat.stats.libbeat.output.events.total" } }, - "incompleteColumns": {} + "incompleteColumns": {}, + "indexPatternId": "metrics-*" } } } 
@@ -599,8 +617,8 @@ }, "visualization": { "axisTitlesVisibilitySettings": { - "x": true, - "yLeft": true, + "x": false, + "yLeft": false, "yRight": true }, "fittingFunction": "None", @@ -650,6 +668,7 @@ } } }, + "type": "lens", "visualizationType": "lnsXY" }, "enhancements": {}, @@ -674,17 +693,13 @@ "id": "metrics-*", "name": "indexpattern-datasource-layer-47363713-6910-43c5-9f85-328b9ee18f0d", "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "4984682b-b209-448b-a8bc-239d1858c0ae", - "type": "index-pattern" } ], "state": { "adHocDataViews": {}, "datasourceStates": { "formBased": { + "currentIndexPatternId": "metrics-*", "layers": { "47363713-6910-43c5-9f85-328b9ee18f0d": { "columnOrder": [ @@ -697,7 +712,7 @@ "009f999d-bdb4-4b3f-a031-06d2a7173a57": { "dataType": "string", "isBucketed": true, - "label": "Top values of beat.type", + "label": "Top values of agent.name + 1 other", "operationType": "terms", "params": { "missingBucket": false, @@ -708,12 +723,15 @@ "orderDirection": "asc", "otherBucket": false, "parentFormat": { - "id": "terms" + "id": "multi_terms" }, + "secondaryFields": [ + "component.id" + ], "size": 10 }, "scale": "ordinal", - "sourceField": "beat.type" + "sourceField": "agent.name" }, "672c59a5-1ad7-4f2b-89a5-cb3920d94e4b": { "dataType": "number", @@ -731,7 +749,7 @@ "params": { "dropPartials": true, "includeEmptyRows": false, - "interval": "auto" + "interval": "m" }, "scale": "interval", "sourceField": "@timestamp" @@ -741,10 +759,10 @@ "dataType": "number", "filter": { "language": "kuery", - "query": "data_stream.dataset : \"elastic_agent.*\" " + "query": "" }, "isBucketed": false, - "label": "Bytes sent/s", + "label": " ", "operationType": "counter_rate", "params": { "format": { @@ -761,7 +779,8 @@ "timeScale": "s" } }, - "incompleteColumns": {} + "incompleteColumns": {}, + "indexPatternId": "metrics-*" } } } 
@@ -796,8 +815,8 @@ }, "visualization": { "axisTitlesVisibilitySettings": { - "x": true, - "yLeft": true, + "x": false, + "yLeft": false, "yRight": true }, "fittingFunction": "None", @@ -847,6 +866,7 @@ } } }, + "type": "lens", "visualizationType": "lnsXY" }, "enhancements": {}, @@ -871,17 +891,13 @@ "id": "metrics-*", "name": "indexpattern-datasource-layer-ad65be36-0be3-4937-8f41-ec9e48adfce6", "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "9ef414bb-7c9f-40b2-a01f-da090834917a", - "type": "index-pattern" } ], "state": { "adHocDataViews": {}, "datasourceStates": { "formBased": { + "currentIndexPatternId": "metrics-*", "layers": { "ad65be36-0be3-4937-8f41-ec9e48adfce6": { "columnOrder": [ @@ -899,7 +915,7 @@ "params": { "dropPartials": true, "includeEmptyRows": false, - "interval": "auto" + "interval": "m" }, "scale": "interval", "sourceField": "@timestamp" @@ -919,22 +935,25 @@ "orderDirection": "asc", "otherBucket": false, "parentFormat": { - "id": "terms" + "id": "multi_terms" }, + "secondaryFields": [ + "component.id" + ], "size": 10 }, "scale": "ordinal", - "sourceField": "beat.type" + "sourceField": "agent.name" }, "e201a210-6e89-4d72-9d9c-a00b036fb0eb": { "customLabel": true, "dataType": "number", "filter": { "language": "kuery", - "query": "data_stream.dataset : \"elastic_agent.*\" " + "query": "" }, "isBucketed": false, - "label": "Output Errors", + "label": " ", "operationType": "counter_rate", "references": [ "f5cbe487-2a43-425b-9cd1-40283e5e596c" @@ -951,7 +970,8 @@ "sourceField": "beat.stats.libbeat.output.write.errors" } }, - "incompleteColumns": {} + "incompleteColumns": {}, + "indexPatternId": "metrics-*" } } } @@ -986,8 +1006,8 @@ }, "visualization": { "axisTitlesVisibilitySettings": { - "x": true, - "yLeft": true, + "x": false, + "yLeft": false, "yRight": true }, "fittingFunction": "None", @@ -1037,6 +1057,7 @@ } } }, + "type": "lens", "visualizationType": "lnsXY" }, "enhancements": {}, 
@@ -1061,17 +1082,13 @@ "id": "metrics-*", "name": "indexpattern-datasource-layer-ad65be36-0be3-4937-8f41-ec9e48adfce6", "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "d8c4f995-b5b9-4da1-9c7c-32fd11cfbcee", - "type": "index-pattern" } ], "state": { "adHocDataViews": {}, "datasourceStates": { "formBased": { + "currentIndexPatternId": "metrics-*", "layers": { "ad65be36-0be3-4937-8f41-ec9e48adfce6": { "columnOrder": [ @@ -1084,7 +1101,7 @@ "2e112c50-5bc4-4c0b-a69b-8c17e0f9fc0a": { "dataType": "string", "isBucketed": true, - "label": "Top values of beat.type", + "label": "Top values of agent.name + 1 other", "operationType": "terms", "params": { "missingBucket": false, @@ -1095,12 +1112,15 @@ "orderDirection": "asc", "otherBucket": true, "parentFormat": { - "id": "terms" + "id": "multi_terms" }, + "secondaryFields": [ + "component.id" + ], "size": 10 }, "scale": "ordinal", - "sourceField": "beat.type" + "sourceField": "agent.name" }, "49cd060d-6f21-4d81-ad6b-1c8462c97353": { "dataType": "date", @@ -1110,7 +1130,7 @@ "params": { "dropPartials": true, "includeEmptyRows": false, - "interval": "auto" + "interval": "m" }, "scale": "interval", "sourceField": "@timestamp" @@ -1120,10 +1140,10 @@ "dataType": "number", "filter": { "language": "kuery", - "query": "data_stream.dataset : \"elastic_agent.*\" " + "query": "" }, "isBucketed": false, - "label": "Events Rate /s", + "label": " ", "operationType": "counter_rate", "references": [ "f5cbe487-2a43-425b-9cd1-40283e5e596c" @@ -1140,7 +1160,8 @@ "sourceField": "beat.stats.libbeat.output.events.acked" } }, - "incompleteColumns": {} + "incompleteColumns": {}, + "indexPatternId": "metrics-*" } } } @@ -1175,8 +1196,8 @@ }, "visualization": { "axisTitlesVisibilitySettings": { - "x": true, - "yLeft": true, + "x": false, + "yLeft": false, "yRight": true }, "fittingFunction": "None", @@ -1226,6 +1247,7 @@ } } }, + "type": "lens", "visualizationType": "lnsXY" }, "enhancements": {}, 
@@ -1250,17 +1272,13 @@ "id": "metrics-*", "name": "indexpattern-datasource-layer-ad65be36-0be3-4937-8f41-ec9e48adfce6", "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "ea5a0af6-28f9-412b-bbd7-99c48037b794", - "type": "index-pattern" } ], "state": { "adHocDataViews": {}, "datasourceStates": { "formBased": { + "currentIndexPatternId": "metrics-*", "layers": { "ad65be36-0be3-4937-8f41-ec9e48adfce6": { "columnOrder": [ @@ -1278,7 +1296,7 @@ "params": { "dropPartials": true, "includeEmptyRows": false, - "interval": "auto" + "interval": "m" }, "scale": "interval", "sourceField": "@timestamp" @@ -1298,22 +1316,25 @@ "orderDirection": "asc", "otherBucket": false, "parentFormat": { - "id": "terms" + "id": "multi_terms" }, + "secondaryFields": [ + "component.id" + ], "size": 10 }, "scale": "ordinal", - "sourceField": "beat.type" + "sourceField": "agent.name" }, "e201a210-6e89-4d72-9d9c-a00b036fb0eb": { "customLabel": true, "dataType": "number", "filter": { "language": "kuery", - "query": "data_stream.dataset : \"elastic_agent.*\" " + "query": "" }, "isBucketed": false, - "label": "Batches sent/s", + "label": " ", "operationType": "counter_rate", "references": [ "f5cbe487-2a43-425b-9cd1-40283e5e596c" @@ -1330,7 +1351,8 @@ "sourceField": "beat.stats.libbeat.output.events.batches" } }, - "incompleteColumns": {} + "incompleteColumns": {}, + "indexPatternId": "metrics-*" } } } @@ -1365,8 +1387,8 @@ }, "visualization": { "axisTitlesVisibilitySettings": { - "x": true, - "yLeft": true, + "x": false, + "yLeft": false, "yRight": true }, "fittingFunction": "None", 
@@ -1442,17 +1464,13 @@ "id": "metrics-*", "name": "indexpattern-datasource-layer-ad65be36-0be3-4937-8f41-ec9e48adfce6", "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "a867faed-481f-461e-9416-0b99b025f7a8", - "type": "index-pattern" } ], "state": { "adHocDataViews": {}, "datasourceStates": { "formBased": { + "currentIndexPatternId": "metrics-*", "layers": { "ad65be36-0be3-4937-8f41-ec9e48adfce6": { "columnOrder": [ @@ -1469,7 +1487,7 @@ "params": { "dropPartials": true, "includeEmptyRows": false, - "interval": "auto" + "interval": "m" }, "scale": "interval", "sourceField": "@timestamp" @@ -1483,35 +1501,39 @@ "params": { "missingBucket": false, "orderBy": { - "columnId": "e201a210-6e89-4d72-9d9c-a00b036fb0eb", - "type": "column" + "fallback": false, + "type": "alphabetical" }, - "orderDirection": "desc", + "orderDirection": "asc", "otherBucket": false, "parentFormat": { - "id": "terms" + "id": "multi_terms" }, + "secondaryFields": [ + "component.id" + ], "size": 10 }, "scale": "ordinal", - "sourceField": "beat.type" + "sourceField": "agent.name" }, "e201a210-6e89-4d72-9d9c-a00b036fb0eb": { "customLabel": true, "dataType": "number", "filter": { "language": "kuery", - "query": "beat.type:*" + "query": "" }, "isBucketed": false, - "label": "Batch size", + "label": " ", "operationType": "max", "scale": "ratio", "sourceField": "beat.stats.libbeat.output.events.active", "timeScale": "s" } }, - "incompleteColumns": {} + "incompleteColumns": {}, + "indexPatternId": "metrics-*" } } } @@ -1546,8 +1568,8 @@ }, "visualization": { "axisTitlesVisibilitySettings": { - "x": true, - "yLeft": true, + "x": false, + "yLeft": false, "yRight": true }, "fittingFunction": "None", 
@@ -1620,13 +1642,8 @@ "attributes": { "references": [ { - "id": "logs-*", - "name": "indexpattern-datasource-layer-38cd2447-deab-49b7-9d84-400f2ba12511", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "97ad75be-db47-4cb4-bb1e-0c0320d04edd", + "id": "metrics-*", + "name": "indexpattern-datasource-layer-ad65be36-0be3-4937-8f41-ec9e48adfce6", "type": "index-pattern" } ], 
@@ -1634,53 +1651,54 @@ "adHocDataViews": {}, "datasourceStates": { "formBased": { + "currentIndexPatternId": "metrics-*", "layers": { - "38cd2447-deab-49b7-9d84-400f2ba12511": { + "ad65be36-0be3-4937-8f41-ec9e48adfce6": { "columnOrder": [ - "0a3d2e1f-e2f5-4001-b02b-927904b0ab94", - "6093c949-5f5d-4c72-baba-5a84ce2f1a9b", - "c37367a6-4c26-4f3f-86eb-10db67933171" + "2e112c50-5bc4-4c0b-a69b-8c17e0f9fc0a", + "49cd060d-6f21-4d81-ad6b-1c8462c97353", + "e201a210-6e89-4d72-9d9c-a00b036fb0eb", + "f5cbe487-2a43-425b-9cd1-40283e5e596c" ], "columns": { - "0a3d2e1f-e2f5-4001-b02b-927904b0ab94": { + "2e112c50-5bc4-4c0b-a69b-8c17e0f9fc0a": { "dataType": "string", "isBucketed": true, - "label": "Top 10 values of component.id", + "label": "Top values of agent.name + 1 other", "operationType": "terms", "params": { - "exclude": [], - "excludeIsRegex": false, - "include": [], - "includeIsRegex": false, "missingBucket": false, "orderBy": { - "columnId": "c37367a6-4c26-4f3f-86eb-10db67933171", - "type": "column" + "fallback": true, + "type": "alphabetical" }, - "orderDirection": "desc", - "otherBucket": true, + "orderDirection": "asc", + "otherBucket": false, "parentFormat": { - "id": "terms" + "id": "multi_terms" }, + "secondaryFields": [ + "component.id" + ], "size": 10 }, "scale": "ordinal", - "sourceField": "component.id" + "sourceField": "agent.name" }, - "6093c949-5f5d-4c72-baba-5a84ce2f1a9b": { + "49cd060d-6f21-4d81-ad6b-1c8462c97353": { "dataType": "date", "isBucketed": true, "label": "@timestamp", "operationType": "date_histogram", "params": { - "dropPartials": false, - "includeEmptyRows": true, - "interval": "auto" + "dropPartials": true, + "includeEmptyRows": false, + "interval": "m" }, "scale": "interval", "sourceField": "@timestamp" }, - "c37367a6-4c26-4f3f-86eb-10db67933171": { + "e201a210-6e89-4d72-9d9c-a00b036fb0eb": { "customLabel": true, "dataType": "number", "filter": { 
@@ -1688,18 +1706,28 @@ "query": "" }, "isBucketed": false, - "label": "Queue depth", + "label": " ", + "operationType": "counter_rate", + "references": [ + "f5cbe487-2a43-425b-9cd1-40283e5e596c" + ], + "scale": "ratio", + "timeScale": "s" + }, + "f5cbe487-2a43-425b-9cd1-40283e5e596c": { + "dataType": "number", + "isBucketed": false, + "label": "Maximum of beat.stats.libbeat.output.events.dropped", "operationType": "max", "params": { "emptyAsNull": true }, "scale": "ratio", - "sourceField": "monitoring.metrics.libbeat.pipeline.events.active" + "sourceField": "beat.stats.libbeat.output.events.dropped" } }, "incompleteColumns": {}, - "linkToLayers": [], - "sampling": 1 + "indexPatternId": "metrics-*" } } } @@ -1712,7 +1740,7 @@ "meta": { "alias": null, "disabled": false, - "index": "97ad75be-db47-4cb4-bb1e-0c0320d04edd", + "index": "1f53ae6d-f631-4ef1-8da4-e1918fd352af", "key": "data_stream.dataset", "negate": false, "params": { @@ -1734,8 +1762,8 @@ }, "visualization": { "axisTitlesVisibilitySettings": { - "x": true, - "yLeft": true, + "x": false, + "yLeft": false, "yRight": true }, "fittingFunction": "None", @@ -1752,13 +1780,15 @@ "layers": [ { "accessors": [ - "c37367a6-4c26-4f3f-86eb-10db67933171" + "e201a210-6e89-4d72-9d9c-a00b036fb0eb" ], - "layerId": "38cd2447-deab-49b7-9d84-400f2ba12511", + "layerId": "ad65be36-0be3-4937-8f41-ec9e48adfce6", "layerType": "data", - "seriesType": "area_stacked", - "splitAccessor": "0a3d2e1f-e2f5-4001-b02b-927904b0ab94", - "xAccessor": "6093c949-5f5d-4c72-baba-5a84ce2f1a9b" + "position": "top", + "seriesType": "line", + "showGridlines": false, + "splitAccessor": "2e112c50-5bc4-4c0b-a69b-8c17e0f9fc0a", + "xAccessor": "49cd060d-6f21-4d81-ad6b-1c8462c97353" } ], "legend": { @@ -1783,7 +1813,6 @@ } } }, - "title": "[Elastic Agent] Queue depth", "type": "lens", "visualizationType": "lnsXY" }, 
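Review bot: The filter's new `"index": "1f53ae6d-f631-4ef1-8da4-e1918fd352af"` names a reference that this commit deletes from the panel `references` arrays (the `@@ -485,17 +503,13 @@` hunk and its siblings remove the `1f53ae6d-…` entry) and that the rebuilt panel's references in `@@ -1620,13 +1642,8 @@` no longer list, so the saved object now carries a filter whose data-view reference cannot be resolved; the four new panels added below reuse the same `index` value. Kibana will probably still apply the filter through its `query` clause, but a dangling reference name is exactly what saved-object import and package reference checks tend to flag, and it obscures which data view the filter was meant to bind to. Either keep an entry `{"id": "metrics-*", "name": "1f53ae6d-f631-4ef1-8da4-e1918fd352af", "type": "index-pattern"}` in each panel's `references`, or drop the `index` key from the filter `meta` so the object is self-consistent.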
@@ -1792,52 +1821,622 @@ }, "gridData": { "h": 9, - "i": "9bbe71b3-01b6-4eb3-bac0-90ea2437d0d1", + "i": "ded80e0c-7b32-4022-bee5-1c224e1ec73b", "w": 24, - "x": 24, + "x": 0, "y": 54 }, - "panelIndex": "9bbe71b3-01b6-4eb3-bac0-90ea2437d0d1", - "title": "[Elastic Agent] Queue depth", + "panelIndex": "ded80e0c-7b32-4022-bee5-1c224e1ec73b", + "title": "[Elastic Agent] Events dropped rate /s", "type": "lens" }, { "embeddableConfig": { - "enhancements": {}, - "savedVis": { - "data": { - "aggs": [], - "searchSource": { - "filter": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "data_stream.dataset", - "negate": false, - "params": { - "query": "elastic_agent.elastic_agent" + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-ad65be36-0be3-4937-8f41-ec9e48adfce6", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "metrics-*", + "layers": { + "ad65be36-0be3-4937-8f41-ec9e48adfce6": { + "columnOrder": [ + "2e112c50-5bc4-4c0b-a69b-8c17e0f9fc0a", + "49cd060d-6f21-4d81-ad6b-1c8462c97353", + "e201a210-6e89-4d72-9d9c-a00b036fb0eb", + "f5cbe487-2a43-425b-9cd1-40283e5e596c" + ], + "columns": { + "2e112c50-5bc4-4c0b-a69b-8c17e0f9fc0a": { + "dataType": "string", + "isBucketed": true, + "label": "Top values of agent.name + 1 other", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "fallback": true, + "type": "alphabetical" + }, + "orderDirection": "asc", + "otherBucket": false, + "parentFormat": { + "id": "multi_terms" + }, + "secondaryFields": [ + "component.id" + ], + "size": 10 + }, + "scale": "ordinal", + "sourceField": "agent.name" + }, + "49cd060d-6f21-4d81-ad6b-1c8462c97353": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": 
"date_histogram", + "params": { + "dropPartials": true, + "includeEmptyRows": false, + "interval": "m" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "e201a210-6e89-4d72-9d9c-a00b036fb0eb": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "" + }, + "isBucketed": false, + "label": " ", + "operationType": "counter_rate", + "references": [ + "f5cbe487-2a43-425b-9cd1-40283e5e596c" + ], + "scale": "ratio", + "timeScale": "s" + }, + "f5cbe487-2a43-425b-9cd1-40283e5e596c": { + "dataType": "number", + "isBucketed": false, + "label": "Maximum of beat.stats.libbeat.output.events.duplicates", + "operationType": "max", + "scale": "ratio", + "sourceField": "beat.stats.libbeat.output.events.duplicates" + } }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "data_stream.dataset": "elastic_agent.elastic_agent" - } + "incompleteColumns": {}, + "indexPatternId": "metrics-*" } } - ], - "query": { - "language": "kuery", - "query": "" } - } - }, - "description": "", + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "1f53ae6d-f631-4ef1-8da4-e1918fd352af", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "elastic_agent.*" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "elastic_agent.*" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": false, + "yLeft": false, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "e201a210-6e89-4d72-9d9c-a00b036fb0eb" + ], + "layerId": "ad65be36-0be3-4937-8f41-ec9e48adfce6", + "layerType": "data", + "position": "top", + "seriesType": "line", 
+ "showGridlines": false, + "splitAccessor": "2e112c50-5bc4-4c0b-a69b-8c17e0f9fc0a", + "xAccessor": "49cd060d-6f21-4d81-ad6b-1c8462c97353" + } + ], + "legend": { + "isVisible": true, + "legendSize": "large", + "position": "right", + "showSingleSeries": true + }, + "preferredSeriesType": "line", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide", + "valuesInLegend": true, + "yLeftExtent": { + "mode": "full" + }, + "yRightExtent": { + "mode": "full" + } + } + }, + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 9, + "i": "08f30154-3b1f-475b-acd2-6a6f6415b9eb", + "w": 24, + "x": 24, + "y": 54 + }, + "panelIndex": "08f30154-3b1f-475b-acd2-6a6f6415b9eb", + "title": "[Elastic Agent] Events duplicate rate /s", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-ad65be36-0be3-4937-8f41-ec9e48adfce6", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "metrics-*", + "layers": { + "ad65be36-0be3-4937-8f41-ec9e48adfce6": { + "columnOrder": [ + "2e112c50-5bc4-4c0b-a69b-8c17e0f9fc0a", + "49cd060d-6f21-4d81-ad6b-1c8462c97353", + "e201a210-6e89-4d72-9d9c-a00b036fb0eb", + "f5cbe487-2a43-425b-9cd1-40283e5e596c" + ], + "columns": { + "2e112c50-5bc4-4c0b-a69b-8c17e0f9fc0a": { + "dataType": "string", + "isBucketed": true, + "label": "Top values of agent.name + 1 other", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "fallback": true, + "type": "alphabetical" + }, + "orderDirection": "asc", + "otherBucket": false, + "parentFormat": { + "id": "multi_terms" + }, + "secondaryFields": [ + "component.id" + ], + "size": 10 + }, + "scale": "ordinal", + "sourceField": "agent.name" + }, + "49cd060d-6f21-4d81-ad6b-1c8462c97353": { + 
"dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": true, + "includeEmptyRows": false, + "interval": "m" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "e201a210-6e89-4d72-9d9c-a00b036fb0eb": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "" + }, + "isBucketed": false, + "label": " ", + "operationType": "counter_rate", + "references": [ + "f5cbe487-2a43-425b-9cd1-40283e5e596c" + ], + "scale": "ratio", + "timeScale": "s" + }, + "f5cbe487-2a43-425b-9cd1-40283e5e596c": { + "dataType": "number", + "isBucketed": false, + "label": "Maximum of beat.stats.libbeat.output.events.failed", + "operationType": "max", + "scale": "ratio", + "sourceField": "beat.stats.libbeat.output.events.failed" + } + }, + "incompleteColumns": {}, + "indexPatternId": "metrics-*" + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "1f53ae6d-f631-4ef1-8da4-e1918fd352af", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "elastic_agent.*" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "elastic_agent.*" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": false, + "yLeft": false, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "e201a210-6e89-4d72-9d9c-a00b036fb0eb" + ], + "layerId": "ad65be36-0be3-4937-8f41-ec9e48adfce6", + "layerType": "data", + "position": "top", + "seriesType": "line", + "showGridlines": false, + "splitAccessor": "2e112c50-5bc4-4c0b-a69b-8c17e0f9fc0a", + "xAccessor": 
"49cd060d-6f21-4d81-ad6b-1c8462c97353" + } + ], + "legend": { + "isVisible": true, + "legendSize": "large", + "position": "right", + "showSingleSeries": true + }, + "preferredSeriesType": "line", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide", + "valuesInLegend": true, + "yLeftExtent": { + "mode": "full" + }, + "yRightExtent": { + "mode": "full" + } + } + }, + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 9, + "i": "ce5bea64-4178-4290-997b-a59455991f3d", + "w": 24, + "x": 0, + "y": 63 + }, + "panelIndex": "ce5bea64-4178-4290-997b-a59455991f3d", + "title": "[Elastic Agent] Events failed rate /s", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-ad65be36-0be3-4937-8f41-ec9e48adfce6", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "metrics-*", + "layers": { + "ad65be36-0be3-4937-8f41-ec9e48adfce6": { + "columnOrder": [ + "2e112c50-5bc4-4c0b-a69b-8c17e0f9fc0a", + "49cd060d-6f21-4d81-ad6b-1c8462c97353", + "e201a210-6e89-4d72-9d9c-a00b036fb0eb", + "f5cbe487-2a43-425b-9cd1-40283e5e596c" + ], + "columns": { + "2e112c50-5bc4-4c0b-a69b-8c17e0f9fc0a": { + "dataType": "string", + "isBucketed": true, + "label": "Top values of agent.name + 1 other", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "fallback": true, + "type": "alphabetical" + }, + "orderDirection": "asc", + "otherBucket": false, + "parentFormat": { + "id": "multi_terms" + }, + "secondaryFields": [ + "component.id" + ], + "size": 10 + }, + "scale": "ordinal", + "sourceField": "agent.name" + }, + "49cd060d-6f21-4d81-ad6b-1c8462c97353": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", 
+ "params": { + "dropPartials": true, + "includeEmptyRows": false, + "interval": "m" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "e201a210-6e89-4d72-9d9c-a00b036fb0eb": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "" + }, + "isBucketed": false, + "label": " ", + "operationType": "counter_rate", + "references": [ + "f5cbe487-2a43-425b-9cd1-40283e5e596c" + ], + "scale": "ratio", + "timeScale": "s" + }, + "f5cbe487-2a43-425b-9cd1-40283e5e596c": { + "dataType": "number", + "isBucketed": false, + "label": "Maximum of beat.stats.libbeat.output.events.toomany", + "operationType": "max", + "scale": "ratio", + "sourceField": "beat.stats.libbeat.output.events.toomany" + } + }, + "incompleteColumns": {}, + "indexPatternId": "metrics-*" + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "1f53ae6d-f631-4ef1-8da4-e1918fd352af", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "elastic_agent.*" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "elastic_agent.*" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": false, + "yLeft": false, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "e201a210-6e89-4d72-9d9c-a00b036fb0eb" + ], + "layerId": "ad65be36-0be3-4937-8f41-ec9e48adfce6", + "layerType": "data", + "position": "top", + "seriesType": "line", + "showGridlines": false, + "splitAccessor": "2e112c50-5bc4-4c0b-a69b-8c17e0f9fc0a", + "xAccessor": "49cd060d-6f21-4d81-ad6b-1c8462c97353" + } + ], + "legend": { + "isVisible": true, + "legendSize": "large", + 
"position": "right", + "showSingleSeries": true + }, + "preferredSeriesType": "line", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide", + "valuesInLegend": true, + "yLeftExtent": { + "mode": "full" + }, + "yRightExtent": { + "mode": "full" + } + } + }, + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 9, + "i": "d3b72917-b8be-4c96-b10f-cbca8ebf0a68", + "w": 24, + "x": 24, + "y": 63 + }, + "panelIndex": "d3b72917-b8be-4c96-b10f-cbca8ebf0a68", + "title": "[Elastic Agent] Events TooMany rate /s", + "type": "lens" + }, + { + "embeddableConfig": { + "enhancements": {}, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "elastic_agent.elastic_agent" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "elastic_agent.elastic_agent" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", "params": { "axis_formatter": "number", "axis_position": "left", @@ -1849,7 +2448,7 @@ }, "id": "f0383b91-4a09-4b03-a013-f5938add6bfa", "index_pattern_ref_name": "metrics_42ec7297-eb0f-492b-bb18-d1301fa1ead7_0_index_pattern", - "interval": "", + "interval": "\u003e=1m", "isModelInvalid": false, "max_lines_legend": 1, "series": [ @@ -1940,6 +2539,7 @@ "type": "timeseries", "use_kibana_indexes": true }, + "title": "", "type": "metrics", "uiState": {} } @@ -1949,7 +2549,7 @@ "i": "42ec7297-eb0f-492b-bb18-d1301fa1ead7", "w": 24, "x": 0, - "y": 54 + "y": 72 }, "panelIndex": "42ec7297-eb0f-492b-bb18-d1301fa1ead7", "title": "[Elastic Agent] CGroup CPU Usage", 
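Review bot: The panel filters added for the dropped, duplicate, failed and toomany panels use `"type": "phrase"` with `"query": "elastic_agent.*"` and a `match_phrase` on `data_stream.dataset`; a phrase filter is an exact match rather than a wildcard, so unless `data_stream.dataset` literally holds the value `elastic_agent.*` these filters may exclude every document and the new panels would render empty. The same literal appears in the column-level KQL filters this commit removes (`data_stream.dataset : "elastic_agent.*"`, which KQL also treats as a quoted phrase), so the behaviour may simply have been carried over. A `phrases` filter listing the real dataset values, or a panel-level `query` of `data_stream.dataset : elastic_agent.*` without quotes, would express the intent; this is worth confirming against a live dashboard before merge, and the dangling `"index": "1f53ae6d-…"` in each of these filters is the same reference issue as in the earlier hunk.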
@@ -1960,13 +2560,8 @@ "attributes": { "references": [ { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-fa212775-2294-4cb0-a671-eb76e6856d14", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-c7cc9cd8-585a-4078-a86f-8b0213c874fd", + "id": "logs-*", + "name": "indexpattern-datasource-layer-38cd2447-deab-49b7-9d84-400f2ba12511", "type": "index-pattern" } ], @@ -1974,40 +2569,19 @@ "adHocDataViews": {}, "datasourceStates": { "formBased": { + "currentIndexPatternId": "logs-*", "layers": { - "c7cc9cd8-585a-4078-a86f-8b0213c874fd": { - "columnOrder": [ - "ba13a1db-763d-4a12-88c2-a5247a612c66" - ], - "columns": { - "ba13a1db-763d-4a12-88c2-a5247a612c66": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Container Limit", - "operationType": "max", - "params": { - "emptyAsNull": true - }, - "scale": "ratio", - "sourceField": "system.process.cgroup.memory.mem.limit.bytes" - } - }, - "incompleteColumns": {}, - "linkToLayers": [], - "sampling": 1 - }, - "fa212775-2294-4cb0-a671-eb76e6856d14": { + "38cd2447-deab-49b7-9d84-400f2ba12511": { "columnOrder": [ - "3495fd36-d74d-4daf-9dae-1e84e63bc31e", - "a084070f-a15a-473c-abf4-d2e52e84c6ae", - "90bc620d-c329-4607-90d4-5245a7cc7e69" + "0a3d2e1f-e2f5-4001-b02b-927904b0ab94", + "6093c949-5f5d-4c72-baba-5a84ce2f1a9b", + "c37367a6-4c26-4f3f-86eb-10db67933171" ], "columns": { - "3495fd36-d74d-4daf-9dae-1e84e63bc31e": { + "0a3d2e1f-e2f5-4001-b02b-927904b0ab94": { "dataType": "string", "isBucketed": true, - "label": "Top 10 values of elastic_agent.process", + "label": "Top 10 values of component.id", "operationType": "terms", "params": { "exclude": [], 
@@ -2016,61 +2590,80 @@ "includeIsRegex": false, "missingBucket": false, "orderBy": { - "columnId": "90bc620d-c329-4607-90d4-5245a7cc7e69", + "columnId": "c37367a6-4c26-4f3f-86eb-10db67933171", "type": "column" }, "orderDirection": "desc", - "otherBucket": false, + "otherBucket": true, "parentFormat": { "id": "terms" }, "size": 10 }, "scale": "ordinal", - "sourceField": "elastic_agent.process" - }, - "90bc620d-c329-4607-90d4-5245a7cc7e69": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Memory Usage", - "operationType": "max", - "params": { - "emptyAsNull": true, - "format": { - "id": "bytes", - "params": { - "decimals": 2 - } - } - }, - "scale": "ratio", - "sourceField": "system.process.cgroup.memory.mem.usage.bytes" + "sourceField": "component.id" }, - "a084070f-a15a-473c-abf4-d2e52e84c6ae": { + "6093c949-5f5d-4c72-baba-5a84ce2f1a9b": { "dataType": "date", "isBucketed": true, "label": "@timestamp", "operationType": "date_histogram", "params": { - "dropPartials": true, - "includeEmptyRows": false, - "interval": "auto" + "dropPartials": false, + "includeEmptyRows": true, + "interval": "m" }, "scale": "interval", "sourceField": "@timestamp" + }, + "c37367a6-4c26-4f3f-86eb-10db67933171": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "" + }, + "isBucketed": false, + "label": " ", + "operationType": "max", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "monitoring.metrics.libbeat.pipeline.events.active" } }, "incompleteColumns": {}, + "indexPatternId": "logs-*", + "linkToLayers": [], "sampling": 1 } } - }, - "textBased": { - "layers": {} } }, - "filters": [], + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "97ad75be-db47-4cb4-bb1e-0c0320d04edd", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "elastic_agent.*" + }, + "type": "phrase" + }, + "query": { + 
"match_phrase": { + "data_stream.dataset": "elastic_agent.*" + } + } + } + ], "internalReferences": [], "query": { "language": "kuery", 
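Review bot: The `[Elastic Agent] Queue depth` panel's dataset filter pairs `"type": "phrase"` with the value `elastic_agent.*`, and the generated `match_phrase` clause treats `*` as a literal character rather than a wildcard, so on a keyword-mapped `data_stream.dataset` this filter most likely matches no documents and the panel renders empty. The TSVB panel earlier in this file filters on a concrete name, `"data_stream.dataset": "elastic_agent.elastic_agent"`, which is the shape that works; either name the dataset here as well or move the pattern into the panel's KQL `query` as `data_stream.dataset : elastic_agent.*`, where a wildcard is honoured. The filter's `meta.index` is also a raw id (`97ad75be-…`) rather than an `indexRefName`, and the references list further down in this commit drops the matching `…:97ad75be-…` entry, so it is worth confirming in Kibana that the panel still resolves its data view after import.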
@@ -2078,62 +2671,56 @@ }, "visualization": { "axisTitlesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": false + "x": false, + "yLeft": false, + "yRight": true }, + "fittingFunction": "None", "gridlinesVisibilitySettings": { "x": true, "yLeft": true, - "yRight": false + "yRight": true }, - "layers": [ - { - "accessors": [ - "90bc620d-c329-4607-90d4-5245a7cc7e69" - ], - "layerId": "fa212775-2294-4cb0-a671-eb76e6856d14", - "layerType": "data", - "position": "top", - "seriesType": "area_stacked", - "showGridlines": false, - "splitAccessor": "3495fd36-d74d-4daf-9dae-1e84e63bc31e", - "xAccessor": "a084070f-a15a-473c-abf4-d2e52e84c6ae" - }, - { - "accessors": [ - "ba13a1db-763d-4a12-88c2-a5247a612c66" - ], - "layerId": "c7cc9cd8-585a-4078-a86f-8b0213c874fd", - "layerType": "referenceLine", - "yConfig": [ - { - "axisMode": "left", - "forAccessor": "ba13a1db-763d-4a12-88c2-a5247a612c66" - } - ] + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "c37367a6-4c26-4f3f-86eb-10db67933171" + ], + "layerId": "38cd2447-deab-49b7-9d84-400f2ba12511", + "layerType": "data", + "seriesType": "area_stacked", + "splitAccessor": "0a3d2e1f-e2f5-4001-b02b-927904b0ab94", + "xAccessor": "6093c949-5f5d-4c72-baba-5a84ce2f1a9b" } ], "legend": { "isVisible": true, "legendSize": "large", "position": "right", - "shouldTruncate": true, "showSingleSeries": true }, - "preferredSeriesType": "area_stacked", + "preferredSeriesType": "line", "tickLabelsVisibilitySettings": { "x": true, "yLeft": true, - "yRight": false + "yRight": true }, - "title": "Empty XY chart", "valueLabels": "hide", "valuesInLegend": true, - "yRightTitle": "" + "yLeftExtent": { + "mode": "full" + }, + "yRightExtent": { + "mode": "full" + } } }, - "title": "", + "title": "[Elastic Agent] Queue depth", "type": "lens", "visualizationType": "lnsXY" }, 
@@ -2142,13 +2729,13 @@ }, "gridData": { "h": 9, - "i": "e651fb9f-763d-4c9d-80d7-7c56adb98883", + "i": "9bbe71b3-01b6-4eb3-bac0-90ea2437d0d1", "w": 24, "x": 24, - "y": 63 + "y": 81 }, - "panelIndex": "e651fb9f-763d-4c9d-80d7-7c56adb98883", - "title": "[Elastic Agent] Cgroup Memory Usage", + "panelIndex": "9bbe71b3-01b6-4eb3-bac0-90ea2437d0d1", + "title": "[Elastic Agent] Queue depth", "type": "lens" }, { @@ -2209,7 +2796,7 @@ "params": { "dropPartials": false, "includeEmptyRows": true, - "interval": "auto" + "interval": "m" }, "scale": "interval", "sourceField": "@timestamp" @@ -2218,7 +2805,7 @@ "customLabel": true, "dataType": "number", "isBucketed": false, - "label": "Queue usage", + "label": " ", "operationType": "formula", "params": { "format": { @@ -2316,8 +2903,8 @@ }, "visualization": { "axisTitlesVisibilitySettings": { - "x": true, - "yLeft": true, + "x": false, + "yLeft": false, "yRight": true }, "fittingFunction": "None", 
@@ -2377,11 +2964,210 @@ "i": "bf48fd17-63ec-4d90-8b6a-328bb74b466a", "w": 24, "x": 0, - "y": 63 + "y": 81 }, "panelIndex": "bf48fd17-63ec-4d90-8b6a-328bb74b466a", "title": "[Elastic Agent] Queue Usage", "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-c7cc9cd8-585a-4078-a86f-8b0213c874fd", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-fa212775-2294-4cb0-a671-eb76e6856d14", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "metrics-*", + "layers": { + "c7cc9cd8-585a-4078-a86f-8b0213c874fd": { + "columnOrder": [ + "ba13a1db-763d-4a12-88c2-a5247a612c66" + ], + "columns": { + "ba13a1db-763d-4a12-88c2-a5247a612c66": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Container Limit", + "operationType": "max", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "system.process.cgroup.memory.mem.limit.bytes" + } + }, + "incompleteColumns": {}, + "indexPatternId": "metrics-*", + "linkToLayers": [], + "sampling": 1 + }, + "fa212775-2294-4cb0-a671-eb76e6856d14": { + "columnOrder": [ + "3495fd36-d74d-4daf-9dae-1e84e63bc31e", + "a084070f-a15a-473c-abf4-d2e52e84c6ae", + "90bc620d-c329-4607-90d4-5245a7cc7e69" + ], + "columns": { + "3495fd36-d74d-4daf-9dae-1e84e63bc31e": { + "dataType": "string", + "isBucketed": true, + "label": "Top 10 values of elastic_agent.process", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "90bc620d-c329-4607-90d4-5245a7cc7e69", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": 
"elastic_agent.process" + }, + "90bc620d-c329-4607-90d4-5245a7cc7e69": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": " ", + "operationType": "max", + "params": { + "emptyAsNull": true, + "format": { + "id": "bytes", + "params": { + "decimals": 2 + } + } + }, + "scale": "ratio", + "sourceField": "system.process.cgroup.memory.mem.usage.bytes" + }, + "a084070f-a15a-473c-abf4-d2e52e84c6ae": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": true, + "includeEmptyRows": false, + "interval": "m" + }, + "scale": "interval", + "sourceField": "@timestamp" + } + }, + "incompleteColumns": {}, + "indexPatternId": "metrics-*", + "sampling": 1 + } + } + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": false, + "yLeft": false, + "yRight": false + }, + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": false + }, + "layers": [ + { + "accessors": [ + "90bc620d-c329-4607-90d4-5245a7cc7e69" + ], + "layerId": "fa212775-2294-4cb0-a671-eb76e6856d14", + "layerType": "data", + "position": "top", + "seriesType": "area_stacked", + "showGridlines": false, + "splitAccessor": "3495fd36-d74d-4daf-9dae-1e84e63bc31e", + "xAccessor": "a084070f-a15a-473c-abf4-d2e52e84c6ae" + }, + { + "accessors": [ + "ba13a1db-763d-4a12-88c2-a5247a612c66" + ], + "layerId": "c7cc9cd8-585a-4078-a86f-8b0213c874fd", + "layerType": "referenceLine", + "yConfig": [ + { + "axisMode": "left", + "forAccessor": "ba13a1db-763d-4a12-88c2-a5247a612c66" + } + ] + } + ], + "legend": { + "isVisible": true, + "legendSize": "large", + "position": "right", + "shouldTruncate": true, + "showSingleSeries": true + }, + "preferredSeriesType": "area_stacked", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": 
false + }, + "title": "Empty XY chart", + "valueLabels": "hide", + "valuesInLegend": true, + "yRightTitle": "" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 9, + "i": "e651fb9f-763d-4c9d-80d7-7c56adb98883", + "w": 24, + "x": 24, + "y": 72 + }, + "panelIndex": "e651fb9f-763d-4c9d-80d7-7c56adb98883", + "title": "[Elastic Agent] Cgroup Memory Usage", + "type": "lens" } ], "timeRestore": false, @@ -2389,7 +3175,7 @@ "version": 1 }, "coreMigrationVersion": "8.8.0", - "created_at": "2024-05-01T20:29:40.958Z", + "created_at": "2024-06-18T13:40:33.056Z", "id": "elastic_agent-f47f18cc-9c7d-4278-b2ea-a6dee816d395", "managed": false, "references": [ 
@@ -2415,57 +3201,57 @@ }, { "id": "metrics-*", - "name": "6f1753a7-612d-4e25-a33f-8aa3542d3c39:1f53ae6d-f631-4ef1-8da4-e1918fd352af", + "name": "daff36f6-d0b5-45e8-b0d9-910bace3c15b:indexpattern-datasource-layer-47363713-6910-43c5-9f85-328b9ee18f0d", "type": "index-pattern" }, { "id": "metrics-*", - "name": "daff36f6-d0b5-45e8-b0d9-910bace3c15b:indexpattern-datasource-layer-47363713-6910-43c5-9f85-328b9ee18f0d", + "name": "0165de2d-694a-40f5-95e1-855ce4ebd03e:indexpattern-datasource-layer-ad65be36-0be3-4937-8f41-ec9e48adfce6", "type": "index-pattern" }, { "id": "metrics-*", - "name": "daff36f6-d0b5-45e8-b0d9-910bace3c15b:4984682b-b209-448b-a8bc-239d1858c0ae", + "name": "b1dcfde7-66f1-41fb-bc7d-d3deef840d4f:indexpattern-datasource-layer-ad65be36-0be3-4937-8f41-ec9e48adfce6", "type": "index-pattern" }, { "id": "metrics-*", - "name": "0165de2d-694a-40f5-95e1-855ce4ebd03e:indexpattern-datasource-layer-ad65be36-0be3-4937-8f41-ec9e48adfce6", + "name": "1a30ba18-2c22-4935-b245-6ec8f1a37ced:indexpattern-datasource-layer-ad65be36-0be3-4937-8f41-ec9e48adfce6", "type": "index-pattern" }, { "id": "metrics-*", - "name": "0165de2d-694a-40f5-95e1-855ce4ebd03e:9ef414bb-7c9f-40b2-a01f-da090834917a", + "name": "d004044a-99f4-44fa-964a-361accd1810d:indexpattern-datasource-layer-ad65be36-0be3-4937-8f41-ec9e48adfce6", "type": "index-pattern" }, { "id": "metrics-*", - "name": "b1dcfde7-66f1-41fb-bc7d-d3deef840d4f:indexpattern-datasource-layer-ad65be36-0be3-4937-8f41-ec9e48adfce6", + "name": "ded80e0c-7b32-4022-bee5-1c224e1ec73b:indexpattern-datasource-layer-ad65be36-0be3-4937-8f41-ec9e48adfce6", "type": "index-pattern" }, { "id": "metrics-*", - "name": "b1dcfde7-66f1-41fb-bc7d-d3deef840d4f:d8c4f995-b5b9-4da1-9c7c-32fd11cfbcee", + "name": "08f30154-3b1f-475b-acd2-6a6f6415b9eb:indexpattern-datasource-layer-ad65be36-0be3-4937-8f41-ec9e48adfce6", "type": "index-pattern" }, { "id": "metrics-*", - "name": 
"1a30ba18-2c22-4935-b245-6ec8f1a37ced:indexpattern-datasource-layer-ad65be36-0be3-4937-8f41-ec9e48adfce6", + "name": "ce5bea64-4178-4290-997b-a59455991f3d:indexpattern-datasource-layer-ad65be36-0be3-4937-8f41-ec9e48adfce6", "type": "index-pattern" }, { "id": "metrics-*", - "name": "1a30ba18-2c22-4935-b245-6ec8f1a37ced:ea5a0af6-28f9-412b-bbd7-99c48037b794", + "name": "d3b72917-b8be-4c96-b10f-cbca8ebf0a68:indexpattern-datasource-layer-ad65be36-0be3-4937-8f41-ec9e48adfce6", "type": "index-pattern" }, { "id": "metrics-*", - "name": "d004044a-99f4-44fa-964a-361accd1810d:indexpattern-datasource-layer-ad65be36-0be3-4937-8f41-ec9e48adfce6", + "name": "42ec7297-eb0f-492b-bb18-d1301fa1ead7:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern" }, { "id": "metrics-*", - "name": "d004044a-99f4-44fa-964a-361accd1810d:a867faed-481f-461e-9416-0b99b025f7a8", + "name": "42ec7297-eb0f-492b-bb18-d1301fa1ead7:metrics_42ec7297-eb0f-492b-bb18-d1301fa1ead7_0_index_pattern", "type": "index-pattern" }, { @@ -2475,17 +3261,12 @@ }, { "id": "logs-*", - "name": "9bbe71b3-01b6-4eb3-bac0-90ea2437d0d1:97ad75be-db47-4cb4-bb1e-0c0320d04edd", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "42ec7297-eb0f-492b-bb18-d1301fa1ead7:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "name": "bf48fd17-63ec-4d90-8b6a-328bb74b466a:indexpattern-datasource-layer-38cd2447-deab-49b7-9d84-400f2ba12511", "type": "index-pattern" }, { "id": "metrics-*", - "name": "42ec7297-eb0f-492b-bb18-d1301fa1ead7:metrics_42ec7297-eb0f-492b-bb18-d1301fa1ead7_0_index_pattern", + "name": "e651fb9f-763d-4c9d-80d7-7c56adb98883:indexpattern-datasource-layer-c7cc9cd8-585a-4078-a86f-8b0213c874fd", "type": "index-pattern" }, { 
@@ -2493,16 +3274,6 @@ "name": "e651fb9f-763d-4c9d-80d7-7c56adb98883:indexpattern-datasource-layer-fa212775-2294-4cb0-a671-eb76e6856d14", "type": "index-pattern" }, - { - "id": "metrics-*", - "name": "e651fb9f-763d-4c9d-80d7-7c56adb98883:indexpattern-datasource-layer-c7cc9cd8-585a-4078-a86f-8b0213c874fd", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "bf48fd17-63ec-4d90-8b6a-328bb74b466a:indexpattern-datasource-layer-38cd2447-deab-49b7-9d84-400f2ba12511", - "type": "index-pattern" - }, { "id": "metrics-*", "name": "controlGroup_2678bf39-3def-453e-9f30-2904bc88efe9:optionsListDataView", diff --git a/packages/elastic_agent/manifest.yml b/packages/elastic_agent/manifest.yml index ee367c674b4..210a54ee210 100644 --- a/packages/elastic_agent/manifest.yml +++ b/packages/elastic_agent/manifest.yml @@ -1,6 +1,6 @@ name: elastic_agent title: Elastic Agent -version: 1.19.2 +version: 1.20.0 description: Collect logs and metrics from Elastic Agents. type: integration format_version: 1.0.0 From 3c75ae66868f4714a15a7ce4a3cb6ecc10868f66 Mon Sep 17 00:00:00 2001 From: Dan Kortschak Date: Wed, 19 Jun 2024 06:14:18 +0930 Subject: [PATCH 025/105] cylance,ti_opencti: fix up package validation issues (#10134) cylance: * fix kibana.version syntax in manifest ti_opencti: * ensure field usage conforms to ECS definitions * use extended list of expected_values for indicator type * sync data stream and transform field definitions * correct event.module value --------- Co-authored-by: Chris Berkhout --- packages/cylance/changelog.yml | 5 +++ packages/cylance/manifest.yml | 5 +-- packages/ti_opencti/changelog.yml | 5 +++ .../data_stream/indicator/fields/ecs.yml | 36 ++++++++++++++++++- .../data_stream/indicator/sample_event.json | 25 ++++++------- packages/ti_opencti/docs/README.md | 24 ++++++------- .../transform/latest_ioc/fields/ecs.yml | 36 +++++++++++++++++-- packages/ti_opencti/manifest.yml | 2 +- 8 files changed, 108 insertions(+), 30 deletions(-) 
diff --git a/packages/cylance/changelog.yml b/packages/cylance/changelog.yml index 198582b93bb..61347300f85 100644 --- a/packages/cylance/changelog.yml +++ b/packages/cylance/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "0.19.3" + changes: + - description: Fix `kibana.version` syntax in manifest. + type: enhancement + link: https://github.com/elastic/integrations/pull/10134 - version: "0.19.2" changes: - description: Changed owners diff --git a/packages/cylance/manifest.yml b/packages/cylance/manifest.yml index 0ca03d9e19e..bf31368efe1 100644 --- a/packages/cylance/manifest.yml +++ b/packages/cylance/manifest.yml @@ -1,12 +1,13 @@ format_version: 2.7.0 name: cylance title: CylanceProtect Logs -version: "0.19.2" +version: "0.19.3" description: Collect logs from CylanceProtect devices with Elastic Agent. categories: ["security", "edr_xdr"] type: integration conditions: - kibana.version: "^7.14.1 || ^8.0.0" + kibana: + version: "^7.14.1 || ^8.0.0" policy_templates: - name: protect title: CylanceProtect diff --git a/packages/ti_opencti/changelog.yml b/packages/ti_opencti/changelog.yml index 2c61ed85ed1..ba759a88b85 100644 --- a/packages/ti_opencti/changelog.yml +++ b/packages/ti_opencti/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "2.2.0" + changes: + - description: Extend `threat.indicator.type` definition to allow ECS conformance. + type: enhancement + link: https://github.com/elastic/integrations/pull/10134 - version: "2.1.1" changes: - description: Adjust field mappings for transform destination index. diff --git a/packages/ti_opencti/data_stream/indicator/fields/ecs.yml b/packages/ti_opencti/data_stream/indicator/fields/ecs.yml index 8421a5ebb3c..b7f2d2f1a58 100644 --- a/packages/ti_opencti/data_stream/indicator/fields/ecs.yml +++ b/packages/ti_opencti/data_stream/indicator/fields/ecs.yml 
@@ -7,6 +7,38 @@ level: extended type: keyword description: Type of indicator as represented by Cyber Observable in STIX 2.1 or OpenCTI + expected_values: + - artifact + - autonomous-system + - bank-account + - cryptocurrency-wallet + - cryptographic-key + - directory + - domain-name + - email-addr + - email-message + - email-mime-part-type + - hostname + - ipv4-addr + - ipv6-addr + - mac-addr + - media-content + - mutex + - network-traffic + - payment-card + - phone-number + - process + - software + - file + - text + - url + - user-account + - user-agent + - windows-registry-key + - windows-registry-value-type + - x509-certificate + - unknown + - port # Additional file hash algorithms - name: threat.indicator.file.hash.sha3_256 type: keyword @@ -173,7 +205,9 @@ name: threat.indicator.x509.subject.common_name - external: ecs name: threat.indicator.x509.version_number +# Below fields to be moved into base-fields.yml after kibana.version changed to >= 8.14 +# Related to fix: https://github.com/elastic/kibana/pull/177608 - name: event.module type: constant_keyword description: Event module - value: ti_misp + value: ti_opencti diff --git a/packages/ti_opencti/data_stream/indicator/sample_event.json b/packages/ti_opencti/data_stream/indicator/sample_event.json index 1a2295bf91c..234ba4a76cf 100644 --- a/packages/ti_opencti/data_stream/indicator/sample_event.json +++ b/packages/ti_opencti/data_stream/indicator/sample_event.json 
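Review bot: The new `expected_values` list under `threat.indicator.type` is duplicated verbatim in the transform's `elasticsearch/transform/latest_ioc/fields/ecs.yml` hunk in this same commit, and nothing in either file says the two copies must stay in sync, which is presumably the kind of drift that produced the `event.module: ti_misp` value this commit corrects. Add `# Keep in sync with elasticsearch/transform/latest_ioc/fields/ecs.yml.` above `expected_values:` here, with the mirror comment in the transform copy. The list appears to be the ECS expected values merged with OpenCTI observable types (`hostname`, `bank-account`, `text`, …); a one-line comment saying so would help the next reader, particularly since the updated sample event maps a `Hostname` observable to `domain-name` rather than `hostname`, so it is not obvious from this file when `hostname` is actually emitted.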
@@ -1,24 +1,24 @@ { - "@timestamp": "2023-11-09T01:59:11.241Z", + "@timestamp": "2024-06-12T06:54:25.854Z", "agent": { - "ephemeral_id": "f115b31f-9c4f-4f14-a73b-3a54e25f204e", - "id": "00b6764d-580c-4a5e-bd48-b4e128e0d894", + "ephemeral_id": "de8fc32a-4eaf-4e32-97ae-bcdb93b8d8ee", + "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.10.1" + "version": "8.13.0" }, "data_stream": { "dataset": "ti_opencti.indicator", - "namespace": "ep", + "namespace": "66338", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "00b6764d-580c-4a5e-bd48-b4e128e0d894", + "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7", "snapshot": false, - "version": "8.10.1" + "version": "8.13.0" }, "event": { "agent_id_status": "verified", 
@@ -28,9 +28,9 @@ "created": "2018-02-05T08:04:53.000Z", "dataset": "ti_opencti.indicator", "id": "d019b01c-b637-4eb2-af53-6d527be3193d", - "ingested": "2023-11-09T01:59:14Z", + "ingested": "2024-06-12T06:54:37Z", "kind": "enrichment", - "original": "{\"confidence\":15,\"created\":\"2018-02-05T08:04:53.000Z\",\"createdBy\":{\"identity_class\":\"organization\",\"name\":\"CthulhuSPRL.be\"},\"description\":\"\",\"externalReferences\":{\"edges\":[]},\"id\":\"d019b01c-b637-4eb2-af53-6d527be3193d\",\"is_inferred\":false,\"killChainPhases\":{\"edges\":[]},\"lang\":\"en\",\"modified\":\"2023-01-17T05:53:42.851Z\",\"name\":\"ec2-23-21-172-164.compute-1.amazonaws.com\",\"objectLabel\":{\"edges\":[{\"node\":{\"value\":\"information-credibility-6\"}},{\"node\":{\"value\":\"osint\"}}]},\"objectMarking\":{\"edges\":[{\"node\":{\"definition\":\"TLP:GREEN\",\"definition_type\":\"TLP\"}}]},\"observables\":{\"edges\":[{\"node\":{\"entity_type\":\"Hostname\",\"id\":\"b0a91059-5637-4050-8dce-a976a607f75c\",\"observable_value\":\"ec2-23-21-172-164.compute-1.amazonaws.com\",\"standard_id\":\"hostname--2047cd44-ffae-5b34-b912-5856add59b59\",\"value\":\"ec2-23-21-172-164.compute-1.amazonaws.com\"}}],\"pageInfo\":{\"globalCount\":1}},\"pattern\":\"[hostname:value = 'ec2-23-21-172-164.compute-1.amazonaws.com']\",\"pattern_type\":\"stix\",\"pattern_version\":\"2.1\",\"revoked\":true,\"standard_id\":\"indicator--cde0a6e1-c622-52c4-b857-e9aeac56131b\",\"valid_from\":\"2018-02-05T08:04:53.000Z\",\"valid_until\":\"2019-02-05T08:04:53.000Z\",\"x_opencti_detection\":false,\"x_opencti_main_observable_type\":\"Hostname\",\"x_opencti_score\":40}", + "original": 
"{\"confidence\":15,\"created\":\"2018-02-05T08:04:53.000Z\",\"createdBy\":{\"identity_class\":\"organization\",\"name\":\"CthulhuSPRL.be\"},\"description\":\"\",\"externalReferences\":{\"edges\":[]},\"id\":\"d019b01c-b637-4eb2-af53-6d527be3193d\",\"is_inferred\":false,\"killChainPhases\":[],\"lang\":\"en\",\"modified\":\"2023-01-17T05:53:42.851Z\",\"name\":\"ec2-23-21-172-164.compute-1.amazonaws.com\",\"objectLabel\":[{\"value\":\"information-credibility-6\"},{\"value\":\"osint\"}],\"objectMarking\":[{\"definition\":\"TLP:GREEN\",\"definition_type\":\"TLP\"}],\"observables\":{\"edges\":[{\"node\":{\"entity_type\":\"Hostname\",\"id\":\"b0a91059-5637-4050-8dce-a976a607f75c\",\"observable_value\":\"ec2-23-21-172-164.compute-1.amazonaws.com\",\"standard_id\":\"hostname--2047cd44-ffae-5b34-b912-5856add59b59\",\"value\":\"ec2-23-21-172-164.compute-1.amazonaws.com\"}}],\"pageInfo\":{\"globalCount\":1}},\"pattern\":\"[hostname:value = 'ec2-23-21-172-164.compute-1.amazonaws.com']\",\"pattern_type\":\"stix\",\"pattern_version\":\"2.1\",\"revoked\":true,\"standard_id\":\"indicator--cde0a6e1-c622-52c4-b857-e9aeac56131b\",\"valid_from\":\"2018-02-05T08:04:53.000Z\",\"valid_until\":\"2019-02-05T08:04:53.000Z\",\"x_opencti_detection\":false,\"x_opencti_main_observable_type\":\"Hostname\",\"x_opencti_score\":40}", "type": [ "indicator" ] @@ -42,6 +42,7 @@ "indicator": { "creator_identity_class": "organization", "detection": false, + "invalid_or_revoked_from": "2019-02-05T08:04:53.000Z", "is_inferred": false, "lang": "en", "observables_count": 1, 
@@ -91,8 +92,8 @@ "modified_at": "2023-01-17T05:53:42.851Z", "name": "ec2-23-21-172-164.compute-1.amazonaws.com", "provider": "CthulhuSPRL.be", - "reference": "http://elastic-package-service-opencti_stub-1:8080/dashboard/observations/indicators/d019b01c-b637-4eb2-af53-6d527be3193d", - "type": "hostname", + "reference": "http://svc-opencti_stub:8080/dashboard/observations/indicators/d019b01c-b637-4eb2-af53-6d527be3193d", + "type": "domain-name", "url": { "domain": "ec2-23-21-172-164.compute-1.amazonaws.com", "registered_domain": "ec2-23-21-172-164.compute-1.amazonaws.com", @@ -100,4 +101,4 @@ } } } -} +} \ No newline at end of file diff --git a/packages/ti_opencti/docs/README.md b/packages/ti_opencti/docs/README.md index 67550a057ae..ede58b254d7 100644 --- a/packages/ti_opencti/docs/README.md +++ b/packages/ti_opencti/docs/README.md @@ -53,26 +53,26 @@ An example event for `indicator` looks as following: ```json { - "@timestamp": "2023-11-09T01:59:11.241Z", + "@timestamp": "2024-06-12T06:54:25.854Z", "agent": { - "ephemeral_id": "f115b31f-9c4f-4f14-a73b-3a54e25f204e", - "id": "00b6764d-580c-4a5e-bd48-b4e128e0d894", + "ephemeral_id": "de8fc32a-4eaf-4e32-97ae-bcdb93b8d8ee", + "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.10.1" + "version": "8.13.0" }, "data_stream": { "dataset": "ti_opencti.indicator", - "namespace": "ep", + "namespace": "66338", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "00b6764d-580c-4a5e-bd48-b4e128e0d894", + "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7", "snapshot": false, - "version": "8.10.1" + "version": "8.13.0" }, "event": { "agent_id_status": "verified", 
@@ -82,9 +82,9 @@ An example event for `indicator` looks as following: "created": "2018-02-05T08:04:53.000Z", "dataset": "ti_opencti.indicator", "id": "d019b01c-b637-4eb2-af53-6d527be3193d", - "ingested": "2023-11-09T01:59:14Z", + "ingested": "2024-06-12T06:54:37Z", "kind": "enrichment", - "original": "{\"confidence\":15,\"created\":\"2018-02-05T08:04:53.000Z\",\"createdBy\":{\"identity_class\":\"organization\",\"name\":\"CthulhuSPRL.be\"},\"description\":\"\",\"externalReferences\":{\"edges\":[]},\"id\":\"d019b01c-b637-4eb2-af53-6d527be3193d\",\"is_inferred\":false,\"killChainPhases\":{\"edges\":[]},\"lang\":\"en\",\"modified\":\"2023-01-17T05:53:42.851Z\",\"name\":\"ec2-23-21-172-164.compute-1.amazonaws.com\",\"objectLabel\":{\"edges\":[{\"node\":{\"value\":\"information-credibility-6\"}},{\"node\":{\"value\":\"osint\"}}]},\"objectMarking\":{\"edges\":[{\"node\":{\"definition\":\"TLP:GREEN\",\"definition_type\":\"TLP\"}}]},\"observables\":{\"edges\":[{\"node\":{\"entity_type\":\"Hostname\",\"id\":\"b0a91059-5637-4050-8dce-a976a607f75c\",\"observable_value\":\"ec2-23-21-172-164.compute-1.amazonaws.com\",\"standard_id\":\"hostname--2047cd44-ffae-5b34-b912-5856add59b59\",\"value\":\"ec2-23-21-172-164.compute-1.amazonaws.com\"}}],\"pageInfo\":{\"globalCount\":1}},\"pattern\":\"[hostname:value = 'ec2-23-21-172-164.compute-1.amazonaws.com']\",\"pattern_type\":\"stix\",\"pattern_version\":\"2.1\",\"revoked\":true,\"standard_id\":\"indicator--cde0a6e1-c622-52c4-b857-e9aeac56131b\",\"valid_from\":\"2018-02-05T08:04:53.000Z\",\"valid_until\":\"2019-02-05T08:04:53.000Z\",\"x_opencti_detection\":false,\"x_opencti_main_observable_type\":\"Hostname\",\"x_opencti_score\":40}", + "original": 
"{\"confidence\":15,\"created\":\"2018-02-05T08:04:53.000Z\",\"createdBy\":{\"identity_class\":\"organization\",\"name\":\"CthulhuSPRL.be\"},\"description\":\"\",\"externalReferences\":{\"edges\":[]},\"id\":\"d019b01c-b637-4eb2-af53-6d527be3193d\",\"is_inferred\":false,\"killChainPhases\":[],\"lang\":\"en\",\"modified\":\"2023-01-17T05:53:42.851Z\",\"name\":\"ec2-23-21-172-164.compute-1.amazonaws.com\",\"objectLabel\":[{\"value\":\"information-credibility-6\"},{\"value\":\"osint\"}],\"objectMarking\":[{\"definition\":\"TLP:GREEN\",\"definition_type\":\"TLP\"}],\"observables\":{\"edges\":[{\"node\":{\"entity_type\":\"Hostname\",\"id\":\"b0a91059-5637-4050-8dce-a976a607f75c\",\"observable_value\":\"ec2-23-21-172-164.compute-1.amazonaws.com\",\"standard_id\":\"hostname--2047cd44-ffae-5b34-b912-5856add59b59\",\"value\":\"ec2-23-21-172-164.compute-1.amazonaws.com\"}}],\"pageInfo\":{\"globalCount\":1}},\"pattern\":\"[hostname:value = 'ec2-23-21-172-164.compute-1.amazonaws.com']\",\"pattern_type\":\"stix\",\"pattern_version\":\"2.1\",\"revoked\":true,\"standard_id\":\"indicator--cde0a6e1-c622-52c4-b857-e9aeac56131b\",\"valid_from\":\"2018-02-05T08:04:53.000Z\",\"valid_until\":\"2019-02-05T08:04:53.000Z\",\"x_opencti_detection\":false,\"x_opencti_main_observable_type\":\"Hostname\",\"x_opencti_score\":40}", "type": [ "indicator" ] @@ -96,6 +96,7 @@ An example event for `indicator` looks as following: "indicator": { "creator_identity_class": "organization", "detection": false, + "invalid_or_revoked_from": "2019-02-05T08:04:53.000Z", "is_inferred": false, "lang": "en", "observables_count": 1, 
@@ -145,8 +146,8 @@ An example event for `indicator` looks as following: "modified_at": "2023-01-17T05:53:42.851Z", "name": "ec2-23-21-172-164.compute-1.amazonaws.com", "provider": "CthulhuSPRL.be", - "reference": "http://elastic-package-service-opencti_stub-1:8080/dashboard/observations/indicators/d019b01c-b637-4eb2-af53-6d527be3193d", - "type": "hostname", + "reference": "http://svc-opencti_stub:8080/dashboard/observations/indicators/d019b01c-b637-4eb2-af53-6d527be3193d", + "type": "domain-name", "url": { "domain": "ec2-23-21-172-164.compute-1.amazonaws.com", "registered_domain": "ec2-23-21-172-164.compute-1.amazonaws.com", @@ -155,7 +156,6 @@ An example event for `indicator` looks as following: } } } - ``` #### Exported fields diff --git a/packages/ti_opencti/elasticsearch/transform/latest_ioc/fields/ecs.yml b/packages/ti_opencti/elasticsearch/transform/latest_ioc/fields/ecs.yml index 3268295abff..b7f2d2f1a58 100644 --- a/packages/ti_opencti/elasticsearch/transform/latest_ioc/fields/ecs.yml +++ b/packages/ti_opencti/elasticsearch/transform/latest_ioc/fields/ecs.yml @@ -7,6 +7,38 @@ level: extended type: keyword description: Type of indicator as represented by Cyber Observable in STIX 2.1 or OpenCTI + expected_values: + - artifact + - autonomous-system + - bank-account + - cryptocurrency-wallet + - cryptographic-key + - directory + - domain-name + - email-addr + - email-message + - email-mime-part-type + - hostname + - ipv4-addr + - ipv6-addr + - mac-addr + - media-content + - mutex + - network-traffic + - payment-card + - phone-number + - process + - software + - file + - text + - url + - user-account + - user-agent + - windows-registry-key + - windows-registry-value-type + - x509-certificate + - unknown + - port # Additional file hash algorithms - name: threat.indicator.file.hash.sha3_256 type: keyword 
@@ -173,9 +205,9 @@ name: threat.indicator.x509.subject.common_name - external: ecs name: threat.indicator.x509.version_number -# Below fields to be moved into base-fields.yml after kibana.version changed to >= 8.14 +# Below fields to be moved into base-fields.yml after kibana.version changed to >= 8.14 # Related to fix: https://github.com/elastic/kibana/pull/177608 - name: event.module type: constant_keyword description: Event module - value: ti_misp + value: ti_opencti diff --git a/packages/ti_opencti/manifest.yml b/packages/ti_opencti/manifest.yml index 12509aff228..cd743ee76bf 100644 --- a/packages/ti_opencti/manifest.yml +++ b/packages/ti_opencti/manifest.yml @@ -1,7 +1,7 @@ format_version: "3.0.2" name: ti_opencti title: OpenCTI -version: "2.1.1" +version: "2.2.0" description: "Ingest threat intelligence indicators from OpenCTI with Elastic Agent." type: integration source: From 8bb9a5998d97e8e11542d202aae109afb81e5dd8 Mon Sep 17 00:00:00 2001 From: Dan Kortschak Date: Wed, 19 Jun 2024 11:10:55 +0930 Subject: [PATCH 026/105] qualys_vmdr: fix date format to match user activity api behaviour (#10188) Also hoist the state.with call and clean up CEL syntax. --- .../_dev/deploy/docker/files/config.yml | 2 +- packages/qualys_vmdr/changelog.yml | 5 ++ .../user_activity/agent/stream/cel.yml.hbs | 74 ++++++++++--------- packages/qualys_vmdr/manifest.yml | 2 +- 4 files changed, 45 insertions(+), 38 deletions(-) diff --git a/packages/qualys_vmdr/_dev/deploy/docker/files/config.yml b/packages/qualys_vmdr/_dev/deploy/docker/files/config.yml index 0acaf71898b..18d7dbed61a 100644 --- a/packages/qualys_vmdr/_dev/deploy/docker/files/config.yml +++ b/packages/qualys_vmdr/_dev/deploy/docker/files/config.yml @@ -196,7 +196,7 @@ rules: query_params: action: list truncation_limit: 1000 - since_datetime: '{since_datetime:\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}}' + since_datetime: '{since_datetime:\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}}Z' responses: - status_code: 200 body: |- 
diff --git a/packages/qualys_vmdr/changelog.yml b/packages/qualys_vmdr/changelog.yml index 12924f6de47..83ce50d1c20 100644 --- a/packages/qualys_vmdr/changelog.yml +++ b/packages/qualys_vmdr/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "3.2.2" + changes: + - description: Fix date format to match user activity API behaviour. + type: bugfix + link: https://github.com/elastic/integrations/pull/10188 - version: "3.2.1" changes: - description: Disable the new user activity data stream by default. Add a toggle to preserve original event to the user activity data stream. Format the since_datetime query parameter. diff --git a/packages/qualys_vmdr/data_stream/user_activity/agent/stream/cel.yml.hbs b/packages/qualys_vmdr/data_stream/user_activity/agent/stream/cel.yml.hbs index 6dd94db3125..0f15e80e4c2 100644 --- a/packages/qualys_vmdr/data_stream/user_activity/agent/stream/cel.yml.hbs +++ b/packages/qualys_vmdr/data_stream/user_activity/agent/stream/cel.yml.hbs 
@@ -25,43 +25,45 @@ redact: fields: - password program: | - request( - "GET", - state.url.trim_right("/") + "/api/2.0/fo/activity_log/?" + { - "action": ["list"], - "since_datetime": [string(state.?cursor.latest_ts.orValue(now - duration(state.initial_interval)).format("2006-01-02 15:04:05"))], - ?"truncation_limit": has(state.batch_size) ? optional.of([string(state.batch_size)]) : optional.none(), - }.format_query() - ).with({ - "Header":{ - "Authorization": ["Basic " + (state.user + ":" + state.password).base64()], - "X-Requested-With": ["curl"], - } - }).do_request().as(resp, ( - resp.StatusCode == 200 - ? - bytes(resp.Body).mime("text/csv; header=present").as(events, state.with({ - "events": events.map(e, {"message": e.encode_json()}), - "want_more": has(state.batch_size) && size(events) >= state.batch_size, - "cursor": { - ?"latest_ts": size(events) > 0 ? - optional.of(events.map(e, e.Date.parse_time(time_layout.RFC3339)).max()) - : - state.?cursor.latest_ts, + state.with( + request( + "GET", + state.url.trim_right("/") + "/api/2.0/fo/activity_log/?" + { + "action": ["list"], + "since_datetime": [string(state.?cursor.latest_ts.orValue(now - duration(state.initial_interval)).format(time_layout.RFC3339))], + ?"truncation_limit": has(state.batch_size) ? optional.of([string(state.batch_size)]) : optional.none(), + }.format_query() + ).with({ + "Header":{ + "Authorization": ["Basic " + (state.user + ":" + state.password).base64()], + "X-Requested-With": ["curl"], + } + }).do_request().as(resp, + resp.StatusCode == 200 + ? + bytes(resp.Body).mime("text/csv; header=present").as(events, { + "events": events.map(e, {"message": e.encode_json()}), + "want_more": has(state.batch_size) && size(events) >= state.batch_size, + "cursor": { + ?"latest_ts": size(events) > 0 ? 
+ optional.of(events.map(e, e.Date.parse_time(time_layout.RFC3339)).max()) + : + state.?cursor.latest_ts, + }, + }) + : + { + "events": { + "error": { + "code": string(resp.StatusCode), + "id": string(resp.Status), + "message": string(resp.Body), + }, }, - })) - : - state.with({ - "events": { - "error": { - "code": string(resp.StatusCode), - "id": string(resp.Status), - "message": string(resp.Body), - }, - }, - "want_more": false, - }) - )) + "want_more": false, + } + ) + ) tags: {{#if preserve_duplicate_custom_fields}} - preserve_duplicate_custom_fields diff --git a/packages/qualys_vmdr/manifest.yml b/packages/qualys_vmdr/manifest.yml index 78ee445356a..dedbd6beecd 100644 --- a/packages/qualys_vmdr/manifest.yml +++ b/packages/qualys_vmdr/manifest.yml @@ -1,7 +1,7 @@ format_version: "3.0.2" name: qualys_vmdr title: Qualys VMDR -version: "3.2.1" +version: "3.2.2" description: Collect data from Qualys VMDR platform with Elastic Agent. type: integration categories: From 1969d40d1034b6fe19738150420c2ed2020a7be5 Mon Sep 17 00:00:00 2001 From: Dan Kortschak Date: Wed, 19 Jun 2024 11:11:30 +0930 Subject: [PATCH 027/105] o365: improve handling of o365.audit.AdditionalInfo (#10187) In some cases, this field may be a string. This results in a mapping failure. So in cases where the field is a string, conditionally parse out the JSON. --- packages/o365/changelog.yml | 5 + .../pipeline/test-stringly-json-events.json | 31 ++++++ ...st-stringly-json-events.json-expected.json | 104 ++++++++++++++++++ .../elasticsearch/ingest_pipeline/default.yml | 12 ++ packages/o365/manifest.yml | 2 +- 5 files changed, 153 insertions(+), 1 deletion(-) diff --git a/packages/o365/changelog.yml b/packages/o365/changelog.yml index 4337c3e3365..9977d04563b 100644 --- a/packages/o365/changelog.yml +++ b/packages/o365/changelog.yml 
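Review bot: `since_datetime` is now built with `.format(time_layout.RFC3339)`, which renders a numeric `+HH:MM` offset rather than `Z` whenever the time value is not in UTC; `latest_ts` comes from `e.Date.parse_time(time_layout.RFC3339)`, so it carries whatever offset the API returned, while the docker mock in `_dev/deploy/docker/files/config.yml` (same commit) only accepts a trailing `Z`. If the live API is equally strict, a non-UTC `Date` in one response would make the following request fail and the failure would only surface through the error event. Normalising the cursor time to UTC where `latest_ts` is computed, before it is formatted, would remove that dependency on the upstream offset. The hoisted `state.with(` also means the non-200 branch no longer sets `cursor`, which is correct because `state.with` keeps the previous value, but a one-line comment above that branch such as `// cursor is carried over from state on error, so the next poll retries the same window` would spare the next reader the inference.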
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "2.3.3"
+ changes:
+ - description: Improve handling of o365.audit.AdditionalInfo.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/10187
 - version: "2.3.2"
 changes:
 - description: Improve handling of o365.audit.OperationProperties.
diff --git a/packages/o365/data_stream/audit/_dev/test/pipeline/test-stringly-json-events.json b/packages/o365/data_stream/audit/_dev/test/pipeline/test-stringly-json-events.json
index 6eefdf8cdf1..46f71280f36 100644
--- a/packages/o365/data_stream/audit/_dev/test/pipeline/test-stringly-json-events.json
+++ b/packages/o365/data_stream/audit/_dev/test/pipeline/test-stringly-json-events.json
@@ -29,6 +29,37 @@ "UserType": 0, "UserKey": "xxxxxxxx" } + }, + { + "event": { + "original": "{\"AdditionalInfo\": \"{\\\"resourceDisplayName\\\":\\\"Track Pictures Viewer\\\"}\",\"Activity\":\"CreateArtifact\",\"WorkspaceName\":\"obszar_robaczy\",\"OrganizationId\":\"53d83e1d-xxx-xxx-84e9-01ec5045dd81\",\"Operation\":\"CreateArtifact\",\"Id\":\"a4420e70-b7a1-xxx-xxx-11e3364acd22\",\"CreationTime\":\"2024-01-30T14:23:40\",\"Timestamp\":\"2024-01-30T14:22:50\",\"UserId\":\"username@domain.pl\",\"ClientIP\":\"81.2.69.144\",\"RecordType\":20,\"ResultStatus\":\"InProgress\",\"ObjectDisplayName\":\"test_lakehouse\",\"OperationId\":\"a84f7f73-xxxx-xxxx-8cf3-094f69c23756\",\"Experience\":\"Lakehouse\",\"WorkspaceId\":\"91dad513-xxxx-xxxx-94bb-f5cbf305691c\",\"ObjectId\":\"0e00d1cf-825a-4d78-98ff-8a8199357669\",\"UserAgent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36\",\"Workload\":\"PowerBI\",\"RequestId\":\"fcbbe282-xxx-xxxx-xxxx-dc1e6d9b090b\",\"OperationProperties\":\"[]\",\"ObjectType\":\"Lakehouse\",\"UserType\":0,\"UserKey\":\"xxxxxxxx\"}" + }, + "o365audit": { + "AdditionalInfo": "{\"resourceDisplayName\":\"Track Pictures Viewer\"}", + "Activity": "CreateArtifact", + "WorkspaceName": "obszar_robaczy", + "OrganizationId": "53d83e1d-xxx-xxx-84e9-01ec5045dd81", + "Operation": "CreateArtifact", + "Id": "a4420e70-b7a1-xxx-xxx-11e3364acd22", + "CreationTime": "2024-01-30T14:23:40", + "Timestamp": "2024-01-30T14:22:50", + "UserId": "username@domain.pl", + "ClientIP": "81.2.69.144", + "RecordType": 20, + "ResultStatus": "InProgress", + "ObjectDisplayName": "test_lakehouse", + "OperationId": "a84f7f73-xxxx-xxxx-8cf3-094f69c23756", + "Experience": "Lakehouse", + "WorkspaceId": "91dad513-xxxx-xxxx-94bb-f5cbf305691c", + "ObjectId": "0e00d1cf-825a-4d78-98ff-8a8199357669", + "UserAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36", + 
"Workload": "PowerBI", + "RequestId": "fcbbe282-xxx-xxxx-xxxx-dc1e6d9b090b", + "OperationProperties": "[]", + "ObjectType": "Lakehouse", + "UserType": 0, + "UserKey": "xxxxxxxx" + } } ] } \ No newline at end of file diff --git a/packages/o365/data_stream/audit/_dev/test/pipeline/test-stringly-json-events.json-expected.json b/packages/o365/data_stream/audit/_dev/test/pipeline/test-stringly-json-events.json-expected.json index d6893154166..0b650b3a50c 100644 --- a/packages/o365/data_stream/audit/_dev/test/pipeline/test-stringly-json-events.json-expected.json +++ b/packages/o365/data_stream/audit/_dev/test/pipeline/test-stringly-json-events.json-expected.json 
@@ -105,6 +105,110 @@ }, "version": "120.0.0.0" } + }, + { + "@timestamp": "2024-01-30T14:23:40.000Z", + "client": { + "address": "81.2.69.144", + "ip": "81.2.69.144" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "CreateArtifact", + "category": [ + "web" + ], + "code": "PowerBIAudit", + "id": "a4420e70-b7a1-xxx-xxx-11e3364acd22", + "kind": "event", + "original": "{\"AdditionalInfo\": \"{\\\"resourceDisplayName\\\":\\\"Track Pictures Viewer\\\"}\",\"Activity\":\"CreateArtifact\",\"WorkspaceName\":\"obszar_robaczy\",\"OrganizationId\":\"53d83e1d-xxx-xxx-84e9-01ec5045dd81\",\"Operation\":\"CreateArtifact\",\"Id\":\"a4420e70-b7a1-xxx-xxx-11e3364acd22\",\"CreationTime\":\"2024-01-30T14:23:40\",\"Timestamp\":\"2024-01-30T14:22:50\",\"UserId\":\"username@domain.pl\",\"ClientIP\":\"81.2.69.144\",\"RecordType\":20,\"ResultStatus\":\"InProgress\",\"ObjectDisplayName\":\"test_lakehouse\",\"OperationId\":\"a84f7f73-xxxx-xxxx-8cf3-094f69c23756\",\"Experience\":\"Lakehouse\",\"WorkspaceId\":\"91dad513-xxxx-xxxx-94bb-f5cbf305691c\",\"ObjectId\":\"0e00d1cf-825a-4d78-98ff-8a8199357669\",\"UserAgent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36\",\"Workload\":\"PowerBI\",\"RequestId\":\"fcbbe282-xxx-xxxx-xxxx-dc1e6d9b090b\",\"OperationProperties\":\"[]\",\"ObjectType\":\"Lakehouse\",\"UserType\":0,\"UserKey\":\"xxxxxxxx\"}", + "outcome": "success", + "provider": "PowerBI", + "type": [ + "info" + ] + }, + "host": { + "id": "53d83e1d-xxx-xxx-84e9-01ec5045dd81", + "name": "domain.pl" + }, + "network": { + "type": "ipv4" + }, + "o365": { + "audit": { + "Activity": "CreateArtifact", + "AdditionalInfo": { + "resourceDisplayName": "Track Pictures Viewer" + }, + "CreationTime": "2024-01-30T14:23:40", + "Experience": "Lakehouse", + "ObjectDisplayName": "test_lakehouse", + "ObjectId": "0e00d1cf-825a-4d78-98ff-8a8199357669", + "ObjectType": "Lakehouse", + "OperationId": 
"a84f7f73-xxxx-xxxx-8cf3-094f69c23756", + "OperationProperties": [], + "RecordType": "20", + "RequestId": "fcbbe282-xxx-xxxx-xxxx-dc1e6d9b090b", + "ResultStatus": "InProgress", + "Timestamp": "2024-01-30T14:22:50", + "UserId": "username@domain.pl", + "UserKey": "xxxxxxxx", + "UserType": "0", + "WorkspaceId": "91dad513-xxxx-xxxx-94bb-f5cbf305691c", + "WorkspaceName": "obszar_robaczy" + } + }, + "organization": { + "id": "53d83e1d-xxx-xxx-84e9-01ec5045dd81" + }, + "related": { + "ip": [ + "81.2.69.144" + ], + "user": [ + "username" + ] + }, + "source": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144" + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "domain": "domain.pl", + "email": "username@domain.pl", + "id": "username@domain.pl", + "name": "username" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Chrome", + "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36", + "os": { + "full": "Windows 10", + "name": "Windows", + "version": "10" + }, + "version": "120.0.0.0" + } } ] } \ No newline at end of file diff --git a/packages/o365/data_stream/audit/elasticsearch/ingest_pipeline/default.yml b/packages/o365/data_stream/audit/elasticsearch/ingest_pipeline/default.yml index a1dce5a270b..becf63cb163 100644 --- a/packages/o365/data_stream/audit/elasticsearch/ingest_pipeline/default.yml +++ b/packages/o365/data_stream/audit/elasticsearch/ingest_pipeline/default.yml 
@@ -80,6 +80,17 @@ processors:
 field: o365audit.OrganizationId
 target_field: organization.id
 ignore_missing: true
+
+ - json:
+ tag: json-extract-stringly-AdditionalInfo
+ field: o365audit.AdditionalInfo
+ if: ctx.o365audit?.AdditionalInfo instanceof String
+ on_failure:
+ - remove:
+ field: o365audit.AdditionalInfo
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
 - json:
 tag: json-extract-stringly-OperationProperties
 field: o365audit.OperationProperties
@@ -90,6 +101,7 @@ processors:
 - append:
 field: error.message
 value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+
 - rename:
 field: o365audit.UserAgent
 target_field: user_agent.original
diff --git a/packages/o365/manifest.yml b/packages/o365/manifest.yml
index eef70a8acc9..fe7d562be53 100644
--- a/packages/o365/manifest.yml
+++ b/packages/o365/manifest.yml
@@ -1,6 +1,6 @@
 name: o365
 title: Microsoft 365
-version: "2.3.2"
+version: "2.3.3"
 description: Collect logs from Microsoft 365 with Elastic Agent.
 type: integration
 format_version: "3.0.2"
From ef96a8ccd8d3bb1042bb0a4004f7bc24d665da77 Mon Sep 17 00:00:00 2001
From: Dan Kortschak
Date: Wed, 19 Jun 2024 11:30:15 +0930
Subject: [PATCH 028/105] sentinel_one: fix sample event mac address (#10186)
---
 .../_dev/deploy/docker/files/config.yml | 2 +-
 packages/sentinel_one/changelog.yml | 5 +++++
 .../data_stream/threat/sample_event.json | 16 ++++++++--------
 packages/sentinel_one/docs/README.md | 16 ++++++++--------
 packages/sentinel_one/manifest.yml | 2 +-
 5 files changed, 23 insertions(+), 18 deletions(-)
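Review bot: The new `json-extract-stringly-AdditionalInfo` processor only checks that the input is a String, not that the decoded value is an object, so an `AdditionalInfo` string holding a JSON scalar or array (say `"123"` or `"[]"`) parses successfully and then reaches the mapper as a number or array, which is the same class of mapping failure this change is meant to avoid; whether the feed ever sends such a value is not shown here, but the sibling `OperationProperties` handling already deals with a stringly `[]`, so the shape is not hypothetical for this source. A guard after the `json` step that drops a non-Map result, as below, would close that gap. Separately, the `on_failure` handler discards the original string, leaving only `error.message` as a trace of a malformed payload; a comment on the `remove` such as `# unparsable AdditionalInfo is dropped rather than left to fail mapping` would record that this loss is intentional. The second hunk at +101 only adds a blank line.
```yaml
      # … unchanged: json-extract-stringly-AdditionalInfo processor and its on_failure …
      - remove:
          tag: remove-non-object-AdditionalInfo
          field: o365audit.AdditionalInfo
          if: ctx.o365audit?.AdditionalInfo != null && !(ctx.o365audit.AdditionalInfo instanceof Map)
```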
diff --git a/packages/sentinel_one/_dev/deploy/docker/files/config.yml b/packages/sentinel_one/_dev/deploy/docker/files/config.yml
index d1633ca2302..9412d2423e7 100644
--- a/packages/sentinel_one/_dev/deploy/docker/files/config.yml
+++ b/packages/sentinel_one/_dev/deploy/docker/files/config.yml
@@ -28,4 +28,4 @@ rules: responses: - status_code: 200 body: | - {"data":[{"agentDetectionInfo":{"accountId":"1234567890123456789","accountName":"Default","agentDetectionState":null,"agentDomain":"WORKGROUP","agentIpV4":"10.0.0.1","agentIpV6":"2a02:cf40::","agentLastLoggedInUpn":null,"agentLastLoggedInUserMail":null,"agentLastLoggedInUserName":"","agentMitigationMode":"protect","agentOsName":"linux","agentOsRevision":"1234","agentRegisteredAt":"2022-04-06T08:26:45.515278Z","agentUuid":"fwfbxxxxxxxxxxqcfjfnxxxxxxxxx","agentVersion":"21.x.x","cloudProviders":{},"externalIp":"81.2.69.143","groupId":"1234567890123456789","groupName":"Default Group","siteId":"1234567890123456789","siteName":"Default site"},"agentRealtimeInfo":{"accountId":"1234567890123456789","accountName":"Default","activeThreats":7,"agentComputerName":"test-LINUX","agentDecommissionedAt":null,"agentDomain":"WORKGROUP","agentId":"1234567890123456789","agentInfected":true,"agentIsActive":true,"agentIsDecommissioned":false,"agentMachineType":"server","agentMitigationMode":"detect","agentNetworkStatus":"connected","agentOsName":"linux","agentOsRevision":"1234","agentOsType":"linux","agentUuid":"fwfbxxxxxxxxxxqcfjfnxxxxxxxxx","agentVersion":"21.x.x.1234","groupId":"1234567890123456789","groupName":"Default Group","networkInterfaces":[{"id":"1234567890123456789","inet":["10.0.0.1"],"inet6":["2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6"],"name":"Ethernet","physical":"X2:0X:0X:X6:00:XX"}],"operationalState":"na","rebootRequired":false,"scanAbortedAt":null,"scanFinishedAt":"2022-04-06T09:18:21.090855Z","scanStartedAt":"2022-04-06T08:26:52.838047Z","scanStatus":"finished","siteId":"1234567890123456789","siteName":"Default 
site","storageName":null,"storageType":null,"userActionsNeeded":[]},"containerInfo":{"id":null,"image":null,"labels":null,"name":null},"id":"1234567890123456789","indicators":[],"kubernetesInfo":{"cluster":null,"controllerKind":null,"controllerLabels":null,"controllerName":null,"namespace":null,"namespaceLabels":null,"node":null,"pod":null,"podLabels":null},"mitigationStatus":[{"action":"unquarantine","actionsCounters":{"failed":0,"notFound":0,"pendingReboot":0,"success":1,"total":1},"agentSupportsReport":true,"groupNotFound":false,"lastUpdate":"2022-04-06T08:54:17.198002Z","latestReport":"/threats/mitigation-report","mitigationEndedAt":"2022-04-06T08:54:17.101000Z","mitigationStartedAt":"2022-04-06T08:54:17.101000Z","status":"success"},{"action":"kill","actionsCounters":null,"agentSupportsReport":true,"groupNotFound":false,"lastUpdate":"2022-04-06T08:45:55.303355Z","latestReport":null,"mitigationEndedAt":"2022-04-06T08:45:55.297364Z","mitigationStartedAt":"2022-04-06T08:45:55.297363Z","status":"success"}],"threatInfo":{"analystVerdict":"undefined","analystVerdictDescription":"Undefined","automaticallyResolved":false,"browserType":null,"certificateId":"","classification":"Trojan","classificationSource":"Cloud","cloudFilesHashVerdict":"black","collectionId":"1234567890123456789","confidenceLevel":"malicious","createdAt":"2022-04-06T08:45:54.519988Z","detectionEngines":[{"key":"sentinelone_cloud","title":"SentinelOne Cloud"}],"detectionType":"static","engines":["SentinelOne Cloud"],"externalTicketExists":false,"externalTicketId":null,"failedActions":false,"fileExtension":"EXE","fileExtensionType":"Executable","filePath":"default.exe","fileSize":1234,"fileVerificationType":"NotSigned","identifiedAt":"2022-04-06T08:45:53.968000Z","incidentStatus":"unresolved","incidentStatusDescription":"Unresolved","initiatedBy":"agent_policy","initiatedByDescription":"Agent 
Policy","initiatingUserId":null,"initiatingUsername":null,"isFileless":false,"isValidCertificate":false,"maliciousProcessArguments":null,"md5":null,"mitigatedPreemptively":false,"mitigationStatus":"not_mitigated","mitigationStatusDescription":"Not mitigated","originatorProcess":"default.exe","pendingActions":false,"processUser":"test user","publisherName":"","reachedEventsLimit":false,"rebootRequired":false,"sha1":"aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d","sha256":null,"storyline":"D0XXXXXXXXXXAF4D","threatId":"1234567890123456789","threatName":"default.exe","updatedAt":"2022-04-06T08:54:17.194122Z"},"whiteningOptions":["hash"]},{"agentDetectionInfo":{"accountId":"1234567890123456789","accountName":"Default","agentDetectionState":null,"agentDomain":"WORKGROUP","agentIpV4":"10.0.0.1","agentIpV6":"2a02:cf40::","agentLastLoggedInUpn":null,"agentLastLoggedInUserMail":null,"agentLastLoggedInUserName":"","agentMitigationMode":"detect","agentOsName":"linux","agentOsRevision":"1234","agentRegisteredAt":"2022-04-06T08:26:45.515278Z","agentUuid":"fwfbxxxxxxxxxxqcfjfnxxxxxxxxx","agentVersion":"21.x.x","cloudProviders":{},"externalIp":"81.2.69.143","groupId":"1234567890123456789","groupName":"Default Group","siteId":"1234567890123456789","siteName":"Default site"},"agentRealtimeInfo":{"accountId":"1234567890123456789","accountName":"Default","activeThreats":7,"agentComputerName":"test-LINUX","agentDecommissionedAt":null,"agentDomain":"WORKGROUP","agentId":"1234567890123456789","agentInfected":true,"agentIsActive":true,"agentIsDecommissioned":false,"agentMachineType":"server","agentMitigationMode":"detect","agentNetworkStatus":"connected","agentOsName":"linux","agentOsRevision":"1234","agentOsType":"linux","agentUuid":"fwfbxxxxxxxxxxqcfjfnxxxxxxxxx","agentVersion":"21.x.x.1234","groupId":"1234567890123456789","groupName":"Default 
Group","networkInterfaces":[{"id":"1234567890123456789","inet":["10.0.0.1"],"inet6":["2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6"],"name":"Ethernet","physical":"X2:0X:0X:X6:00:XX"}],"operationalState":"na","rebootRequired":false,"scanAbortedAt":null,"scanFinishedAt":"2022-04-06T09:18:21.090855Z","scanStartedAt":"2022-04-06T08:26:52.838047Z","scanStatus":"finished","siteId":"1234567890123456789","siteName":"Default site","storageName":null,"storageType":null,"userActionsNeeded":[]},"containerInfo":{"id":null,"image":null,"labels":null,"name":null},"id":"1234567890123456789","indicators":[{"category":"General","description":"Detected by the Static Engine","ids":[43],"tactics":[]},{"category":"Exploitation","description":"Document behaves abnormally","ids":[62],"tactics":[{"name":"Execution","source":"DEFAULT","techniques":[{"link":"https://example.com/","name":"T1234"},{"link":"https://example.com/","name":"T1234"},{"link":"https://example.com/","name":"T1234"}]},{"name":"Initial Access","source":"DEFAULT","techniques":[{"link":"https://example.com/","name":"T1234"}]}]},{"category":"Evasion","description":"Indirect command was executed","ids":[427],"tactics":[{"name":"Defense Evasion","source":"DEFAULT","techniques":[{"link":"https://example.com/","name":"T1234"},{"link":"https://example.com/","name":"T1234"}]}]},{"category":"Evasion","description":"Office program ran macro","ids":[434],"tactics":[{"name":"Execution","source":"DEFAULT","techniques":[{"link":"https://example.com","name":"T1234"}]},{"name":"Initial Access","source":"DEFAULT","techniques":[{"link":"https://example.com","name":"T1234"}]},{"name":"Execution","source":"DEFAULT","techniques":[{"link":"https://example.com","name":"T1234"}]}]},{"category":"Evasion","description":"Process wrote to a hidden file section","ids":[169],"tactics":[{"name":"Defense Evasion","source":"DEFAULT","techniques":[{"link":"https://example.com","name":"T1234"}]}]},{"category":"Evasion","description":"Suspicious registry key was 
created","ids":[171],"tactics":[{"name":"Defense Evasion","source":"DEFAULT","techniques":[{"link":"https://example.com","name":"T1234"}]}]}],"kubernetesInfo":{"cluster":null,"controllerKind":null,"controllerLabels":null,"controllerName":null,"namespace":null,"namespaceLabels":null,"node":null,"pod":null,"podLabels":null},"mitigationStatus":[],"threatInfo":{"analystVerdict":"undefined","analystVerdictDescription":"Undefined","automaticallyResolved":false,"browserType":null,"certificateId":"","classification":"Malware","classificationSource":"Static","cloudFilesHashVerdict":"black","collectionId":"1234567890123456789","confidenceLevel":"malicious","createdAt":"2022-04-06T08:57:34.744922Z","detectionEngines":[{"key":"pre_execution","title":"On-Write Static AI"},{"key":"data_files","title":"Documents, Scripts"}],"detectionType":"dynamic","engines":["Documents, Scripts","On-Write ABC"],"externalTicketExists":false,"externalTicketId":null,"failedActions":false,"fileExtension":"TXT","fileExtensionType":"Document","filePath":"test/path/user","fileSize":238592,"fileVerificationType":"NotSigned","identifiedAt":"2022-04-06T08:57:34.444000Z","incidentStatus":"unresolved","incidentStatusDescription":"Unresolved","initiatedBy":"agent_policy","initiatedByDescription":"Agent Policy","initiatingUserId":null,"initiatingUsername":null,"isFileless":false,"isValidCertificate":false,"maliciousProcessArguments":"test/path/user","md5":null,"mitigatedPreemptively":false,"mitigationStatus":"not_mitigated","mitigationStatusDescription":"Not mitigated","originatorProcess":"default.EXE","pendingActions":false,"processUser":"test_user","publisherName":"","reachedEventsLimit":false,"rebootRequired":false,"sha1":"aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d","sha256":null,"storyline":"7XXXXXXXXXDD5A41","threatId":"123456789","threatName":"Threats","updatedAt":"2022-04-06T08:57:37.672873Z"},"whiteningOptions":["hash","path","file_type"]}],"pagination":{"nextCursor":null,"totalItems":2}} + 
{"data":[{"agentDetectionInfo":{"accountId":"1234567890123456789","accountName":"Default","agentDetectionState":null,"agentDomain":"WORKGROUP","agentIpV4":"10.0.0.1","agentIpV6":"2a02:cf40::","agentLastLoggedInUpn":null,"agentLastLoggedInUserMail":null,"agentLastLoggedInUserName":"","agentMitigationMode":"protect","agentOsName":"linux","agentOsRevision":"1234","agentRegisteredAt":"2022-04-06T08:26:45.515278Z","agentUuid":"fwfbxxxxxxxxxxqcfjfnxxxxxxxxx","agentVersion":"21.x.x","cloudProviders":{},"externalIp":"81.2.69.143","groupId":"1234567890123456789","groupName":"Default Group","siteId":"1234567890123456789","siteName":"Default site"},"agentRealtimeInfo":{"accountId":"1234567890123456789","accountName":"Default","activeThreats":7,"agentComputerName":"test-LINUX","agentDecommissionedAt":null,"agentDomain":"WORKGROUP","agentId":"1234567890123456789","agentInfected":true,"agentIsActive":true,"agentIsDecommissioned":false,"agentMachineType":"server","agentMitigationMode":"detect","agentNetworkStatus":"connected","agentOsName":"linux","agentOsRevision":"1234","agentOsType":"linux","agentUuid":"fwfbxxxxxxxxxxqcfjfnxxxxxxxxx","agentVersion":"21.x.x.1234","groupId":"1234567890123456789","groupName":"Default Group","networkInterfaces":[{"id":"1234567890123456789","inet":["10.0.0.1"],"inet6":["2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6"],"name":"Ethernet","physical":"DE:AD:00:00:BE:EF"}],"operationalState":"na","rebootRequired":false,"scanAbortedAt":null,"scanFinishedAt":"2022-04-06T09:18:21.090855Z","scanStartedAt":"2022-04-06T08:26:52.838047Z","scanStatus":"finished","siteId":"1234567890123456789","siteName":"Default 
site","storageName":null,"storageType":null,"userActionsNeeded":[]},"containerInfo":{"id":null,"image":null,"labels":null,"name":null},"id":"1234567890123456789","indicators":[],"kubernetesInfo":{"cluster":null,"controllerKind":null,"controllerLabels":null,"controllerName":null,"namespace":null,"namespaceLabels":null,"node":null,"pod":null,"podLabels":null},"mitigationStatus":[{"action":"unquarantine","actionsCounters":{"failed":0,"notFound":0,"pendingReboot":0,"success":1,"total":1},"agentSupportsReport":true,"groupNotFound":false,"lastUpdate":"2022-04-06T08:54:17.198002Z","latestReport":"/threats/mitigation-report","mitigationEndedAt":"2022-04-06T08:54:17.101000Z","mitigationStartedAt":"2022-04-06T08:54:17.101000Z","status":"success"},{"action":"kill","actionsCounters":null,"agentSupportsReport":true,"groupNotFound":false,"lastUpdate":"2022-04-06T08:45:55.303355Z","latestReport":null,"mitigationEndedAt":"2022-04-06T08:45:55.297364Z","mitigationStartedAt":"2022-04-06T08:45:55.297363Z","status":"success"}],"threatInfo":{"analystVerdict":"undefined","analystVerdictDescription":"Undefined","automaticallyResolved":false,"browserType":null,"certificateId":"","classification":"Trojan","classificationSource":"Cloud","cloudFilesHashVerdict":"black","collectionId":"1234567890123456789","confidenceLevel":"malicious","createdAt":"2022-04-06T08:45:54.519988Z","detectionEngines":[{"key":"sentinelone_cloud","title":"SentinelOne Cloud"}],"detectionType":"static","engines":["SentinelOne Cloud"],"externalTicketExists":false,"externalTicketId":null,"failedActions":false,"fileExtension":"EXE","fileExtensionType":"Executable","filePath":"default.exe","fileSize":1234,"fileVerificationType":"NotSigned","identifiedAt":"2022-04-06T08:45:53.968000Z","incidentStatus":"unresolved","incidentStatusDescription":"Unresolved","initiatedBy":"agent_policy","initiatedByDescription":"Agent 
Policy","initiatingUserId":null,"initiatingUsername":null,"isFileless":false,"isValidCertificate":false,"maliciousProcessArguments":null,"md5":null,"mitigatedPreemptively":false,"mitigationStatus":"not_mitigated","mitigationStatusDescription":"Not mitigated","originatorProcess":"default.exe","pendingActions":false,"processUser":"test user","publisherName":"","reachedEventsLimit":false,"rebootRequired":false,"sha1":"aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d","sha256":null,"storyline":"D0XXXXXXXXXXAF4D","threatId":"1234567890123456789","threatName":"default.exe","updatedAt":"2022-04-06T08:54:17.194122Z"},"whiteningOptions":["hash"]},{"agentDetectionInfo":{"accountId":"1234567890123456789","accountName":"Default","agentDetectionState":null,"agentDomain":"WORKGROUP","agentIpV4":"10.0.0.1","agentIpV6":"2a02:cf40::","agentLastLoggedInUpn":null,"agentLastLoggedInUserMail":null,"agentLastLoggedInUserName":"","agentMitigationMode":"detect","agentOsName":"linux","agentOsRevision":"1234","agentRegisteredAt":"2022-04-06T08:26:45.515278Z","agentUuid":"fwfbxxxxxxxxxxqcfjfnxxxxxxxxx","agentVersion":"21.x.x","cloudProviders":{},"externalIp":"81.2.69.143","groupId":"1234567890123456789","groupName":"Default Group","siteId":"1234567890123456789","siteName":"Default site"},"agentRealtimeInfo":{"accountId":"1234567890123456789","accountName":"Default","activeThreats":7,"agentComputerName":"test-LINUX","agentDecommissionedAt":null,"agentDomain":"WORKGROUP","agentId":"1234567890123456789","agentInfected":true,"agentIsActive":true,"agentIsDecommissioned":false,"agentMachineType":"server","agentMitigationMode":"detect","agentNetworkStatus":"connected","agentOsName":"linux","agentOsRevision":"1234","agentOsType":"linux","agentUuid":"fwfbxxxxxxxxxxqcfjfnxxxxxxxxx","agentVersion":"21.x.x.1234","groupId":"1234567890123456789","groupName":"Default 
Group","networkInterfaces":[{"id":"1234567890123456789","inet":["10.0.0.1"],"inet6":["2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6"],"name":"Ethernet","physical":"DE:AD:00:00:BE:EF"}],"operationalState":"na","rebootRequired":false,"scanAbortedAt":null,"scanFinishedAt":"2022-04-06T09:18:21.090855Z","scanStartedAt":"2022-04-06T08:26:52.838047Z","scanStatus":"finished","siteId":"1234567890123456789","siteName":"Default site","storageName":null,"storageType":null,"userActionsNeeded":[]},"containerInfo":{"id":null,"image":null,"labels":null,"name":null},"id":"1234567890123456789","indicators":[{"category":"General","description":"Detected by the Static Engine","ids":[43],"tactics":[]},{"category":"Exploitation","description":"Document behaves abnormally","ids":[62],"tactics":[{"name":"Execution","source":"DEFAULT","techniques":[{"link":"https://example.com/","name":"T1234"},{"link":"https://example.com/","name":"T1234"},{"link":"https://example.com/","name":"T1234"}]},{"name":"Initial Access","source":"DEFAULT","techniques":[{"link":"https://example.com/","name":"T1234"}]}]},{"category":"Evasion","description":"Indirect command was executed","ids":[427],"tactics":[{"name":"Defense Evasion","source":"DEFAULT","techniques":[{"link":"https://example.com/","name":"T1234"},{"link":"https://example.com/","name":"T1234"}]}]},{"category":"Evasion","description":"Office program ran macro","ids":[434],"tactics":[{"name":"Execution","source":"DEFAULT","techniques":[{"link":"https://example.com","name":"T1234"}]},{"name":"Initial Access","source":"DEFAULT","techniques":[{"link":"https://example.com","name":"T1234"}]},{"name":"Execution","source":"DEFAULT","techniques":[{"link":"https://example.com","name":"T1234"}]}]},{"category":"Evasion","description":"Process wrote to a hidden file section","ids":[169],"tactics":[{"name":"Defense Evasion","source":"DEFAULT","techniques":[{"link":"https://example.com","name":"T1234"}]}]},{"category":"Evasion","description":"Suspicious registry key was 
created","ids":[171],"tactics":[{"name":"Defense Evasion","source":"DEFAULT","techniques":[{"link":"https://example.com","name":"T1234"}]}]}],"kubernetesInfo":{"cluster":null,"controllerKind":null,"controllerLabels":null,"controllerName":null,"namespace":null,"namespaceLabels":null,"node":null,"pod":null,"podLabels":null},"mitigationStatus":[],"threatInfo":{"analystVerdict":"undefined","analystVerdictDescription":"Undefined","automaticallyResolved":false,"browserType":null,"certificateId":"","classification":"Malware","classificationSource":"Static","cloudFilesHashVerdict":"black","collectionId":"1234567890123456789","confidenceLevel":"malicious","createdAt":"2022-04-06T08:57:34.744922Z","detectionEngines":[{"key":"pre_execution","title":"On-Write Static AI"},{"key":"data_files","title":"Documents, Scripts"}],"detectionType":"dynamic","engines":["Documents, Scripts","On-Write ABC"],"externalTicketExists":false,"externalTicketId":null,"failedActions":false,"fileExtension":"TXT","fileExtensionType":"Document","filePath":"test/path/user","fileSize":238592,"fileVerificationType":"NotSigned","identifiedAt":"2022-04-06T08:57:34.444000Z","incidentStatus":"unresolved","incidentStatusDescription":"Unresolved","initiatedBy":"agent_policy","initiatedByDescription":"Agent Policy","initiatingUserId":null,"initiatingUsername":null,"isFileless":false,"isValidCertificate":false,"maliciousProcessArguments":"test/path/user","md5":null,"mitigatedPreemptively":false,"mitigationStatus":"not_mitigated","mitigationStatusDescription":"Not mitigated","originatorProcess":"default.EXE","pendingActions":false,"processUser":"test_user","publisherName":"","reachedEventsLimit":false,"rebootRequired":false,"sha1":"aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d","sha256":null,"storyline":"7XXXXXXXXXDD5A41","threatId":"123456789","threatName":"Threats","updatedAt":"2022-04-06T08:57:37.672873Z"},"whiteningOptions":["hash","path","file_type"]}],"pagination":{"nextCursor":null,"totalItems":2}} \ No newline 
at end of file diff --git a/packages/sentinel_one/changelog.yml b/packages/sentinel_one/changelog.yml index be562b21f17..86a49d43fef 100644 --- a/packages/sentinel_one/changelog.yml +++ b/packages/sentinel_one/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.23.3" + changes: + - description: Fix sample event MAC address. + type: bugfix + link: https://github.com/elastic/integrations/pull/10186 - version: "1.23.2" changes: - description: Change default interval to 30s for all data streams. diff --git a/packages/sentinel_one/data_stream/threat/sample_event.json b/packages/sentinel_one/data_stream/threat/sample_event.json index d7658a39682..1361366254b 100644 --- a/packages/sentinel_one/data_stream/threat/sample_event.json +++ b/packages/sentinel_one/data_stream/threat/sample_event.json @@ -1,22 +1,22 @@ { "@timestamp": "2022-04-06T08:54:17.194Z", "agent": { - "ephemeral_id": "3ea8603b-159f-441f-ae62-7fce6805bf8c", - "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7", + "ephemeral_id": "a2264e16-9431-4dd9-9e8a-6209c36c3c1e", + "id": "59bbe264-6d1c-48b7-9f6a-f2172d817ded", "name": "docker-fleet-agent", "type": "filebeat", "version": "8.13.0" }, "data_stream": { "dataset": "sentinel_one.threat", - "namespace": "37791", + "namespace": "80468", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7", + "id": "59bbe264-6d1c-48b7-9f6a-f2172d817ded", "snapshot": false, "version": "8.13.0" }, 
@@ -26,12 +26,12 @@ "category": [ "malware" ], - "created": "2024-06-12T03:25:25.764Z", + "created": "2024-06-18T21:22:32.743Z", "dataset": "sentinel_one.threat", "id": "1234567890123456789", - "ingested": "2024-06-12T03:25:37Z", + "ingested": "2024-06-18T21:22:44Z", "kind": "alert", - "original": "{\"agentDetectionInfo\":{\"accountId\":\"1234567890123456789\",\"accountName\":\"Default\",\"agentDetectionState\":null,\"agentDomain\":\"WORKGROUP\",\"agentIpV4\":\"10.0.0.1\",\"agentIpV6\":\"2a02:cf40::\",\"agentLastLoggedInUpn\":null,\"agentLastLoggedInUserMail\":null,\"agentLastLoggedInUserName\":\"\",\"agentMitigationMode\":\"protect\",\"agentOsName\":\"linux\",\"agentOsRevision\":\"1234\",\"agentRegisteredAt\":\"2022-04-06T08:26:45.515278Z\",\"agentUuid\":\"fwfbxxxxxxxxxxqcfjfnxxxxxxxxx\",\"agentVersion\":\"21.x.x\",\"cloudProviders\":{},\"externalIp\":\"81.2.69.143\",\"groupId\":\"1234567890123456789\",\"groupName\":\"Default Group\",\"siteId\":\"1234567890123456789\",\"siteName\":\"Default site\"},\"agentRealtimeInfo\":{\"accountId\":\"1234567890123456789\",\"accountName\":\"Default\",\"activeThreats\":7,\"agentComputerName\":\"test-LINUX\",\"agentDecommissionedAt\":null,\"agentDomain\":\"WORKGROUP\",\"agentId\":\"1234567890123456789\",\"agentInfected\":true,\"agentIsActive\":true,\"agentIsDecommissioned\":false,\"agentMachineType\":\"server\",\"agentMitigationMode\":\"detect\",\"agentNetworkStatus\":\"connected\",\"agentOsName\":\"linux\",\"agentOsRevision\":\"1234\",\"agentOsType\":\"linux\",\"agentUuid\":\"fwfbxxxxxxxxxxqcfjfnxxxxxxxxx\",\"agentVersion\":\"21.x.x.1234\",\"groupId\":\"1234567890123456789\",\"groupName\":\"Default 
Group\",\"networkInterfaces\":[{\"id\":\"1234567890123456789\",\"inet\":[\"10.0.0.1\"],\"inet6\":[\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\"],\"name\":\"Ethernet\",\"physical\":\"X2:0X:0X:X6:00:XX\"}],\"operationalState\":\"na\",\"rebootRequired\":false,\"scanAbortedAt\":null,\"scanFinishedAt\":\"2022-04-06T09:18:21.090855Z\",\"scanStartedAt\":\"2022-04-06T08:26:52.838047Z\",\"scanStatus\":\"finished\",\"siteId\":\"1234567890123456789\",\"siteName\":\"Default site\",\"storageName\":null,\"storageType\":null,\"userActionsNeeded\":[]},\"containerInfo\":{\"id\":null,\"image\":null,\"labels\":null,\"name\":null},\"id\":\"1234567890123456789\",\"indicators\":[],\"kubernetesInfo\":{\"cluster\":null,\"controllerKind\":null,\"controllerLabels\":null,\"controllerName\":null,\"namespace\":null,\"namespaceLabels\":null,\"node\":null,\"pod\":null,\"podLabels\":null},\"mitigationStatus\":[{\"action\":\"unquarantine\",\"actionsCounters\":{\"failed\":0,\"notFound\":0,\"pendingReboot\":0,\"success\":1,\"total\":1},\"agentSupportsReport\":true,\"groupNotFound\":false,\"lastUpdate\":\"2022-04-06T08:54:17.198002Z\",\"latestReport\":\"/threats/mitigation-report\",\"mitigationEndedAt\":\"2022-04-06T08:54:17.101000Z\",\"mitigationStartedAt\":\"2022-04-06T08:54:17.101000Z\",\"status\":\"success\"},{\"action\":\"kill\",\"actionsCounters\":null,\"agentSupportsReport\":true,\"groupNotFound\":false,\"lastUpdate\":\"2022-04-06T08:45:55.303355Z\",\"latestReport\":null,\"mitigationEndedAt\":\"2022-04-06T08:45:55.297364Z\",\"mitigationStartedAt\":\"2022-04-06T08:45:55.297363Z\",\"status\":\"success\"}],\"threatInfo\":{\"analystVerdict\":\"undefined\",\"analystVerdictDescription\":\"Undefined\",\"automaticallyResolved\":false,\"browserType\":null,\"certificateId\":\"\",\"classification\":\"Trojan\",\"classificationSource\":\"Cloud\",\"cloudFilesHashVerdict\":\"black\",\"collectionId\":\"1234567890123456789\",\"confidenceLevel\":\"malicious\",\"createdAt\":\"2022-04-06T08:45:54.519988Z\",\"detectio
nEngines\":[{\"key\":\"sentinelone_cloud\",\"title\":\"SentinelOne Cloud\"}],\"detectionType\":\"static\",\"engines\":[\"SentinelOne Cloud\"],\"externalTicketExists\":false,\"externalTicketId\":null,\"failedActions\":false,\"fileExtension\":\"EXE\",\"fileExtensionType\":\"Executable\",\"filePath\":\"default.exe\",\"fileSize\":1234,\"fileVerificationType\":\"NotSigned\",\"identifiedAt\":\"2022-04-06T08:45:53.968000Z\",\"incidentStatus\":\"unresolved\",\"incidentStatusDescription\":\"Unresolved\",\"initiatedBy\":\"agent_policy\",\"initiatedByDescription\":\"Agent Policy\",\"initiatingUserId\":null,\"initiatingUsername\":null,\"isFileless\":false,\"isValidCertificate\":false,\"maliciousProcessArguments\":null,\"md5\":null,\"mitigatedPreemptively\":false,\"mitigationStatus\":\"not_mitigated\",\"mitigationStatusDescription\":\"Not mitigated\",\"originatorProcess\":\"default.exe\",\"pendingActions\":false,\"processUser\":\"test user\",\"publisherName\":\"\",\"reachedEventsLimit\":false,\"rebootRequired\":false,\"sha1\":\"aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d\",\"sha256\":null,\"storyline\":\"D0XXXXXXXXXXAF4D\",\"threatId\":\"1234567890123456789\",\"threatName\":\"default.exe\",\"updatedAt\":\"2022-04-06T08:54:17.194122Z\"},\"whiteningOptions\":[\"hash\"]}", + "original": "{\"agentDetectionInfo\":{\"accountId\":\"1234567890123456789\",\"accountName\":\"Default\",\"agentDetectionState\":null,\"agentDomain\":\"WORKGROUP\",\"agentIpV4\":\"10.0.0.1\",\"agentIpV6\":\"2a02:cf40::\",\"agentLastLoggedInUpn\":null,\"agentLastLoggedInUserMail\":null,\"agentLastLoggedInUserName\":\"\",\"agentMitigationMode\":\"protect\",\"agentOsName\":\"linux\",\"agentOsRevision\":\"1234\",\"agentRegisteredAt\":\"2022-04-06T08:26:45.515278Z\",\"agentUuid\":\"fwfbxxxxxxxxxxqcfjfnxxxxxxxxx\",\"agentVersion\":\"21.x.x\",\"cloudProviders\":{},\"externalIp\":\"81.2.69.143\",\"groupId\":\"1234567890123456789\",\"groupName\":\"Default Group\",\"siteId\":\"1234567890123456789\",\"siteName\":\"Default 
site\"},\"agentRealtimeInfo\":{\"accountId\":\"1234567890123456789\",\"accountName\":\"Default\",\"activeThreats\":7,\"agentComputerName\":\"test-LINUX\",\"agentDecommissionedAt\":null,\"agentDomain\":\"WORKGROUP\",\"agentId\":\"1234567890123456789\",\"agentInfected\":true,\"agentIsActive\":true,\"agentIsDecommissioned\":false,\"agentMachineType\":\"server\",\"agentMitigationMode\":\"detect\",\"agentNetworkStatus\":\"connected\",\"agentOsName\":\"linux\",\"agentOsRevision\":\"1234\",\"agentOsType\":\"linux\",\"agentUuid\":\"fwfbxxxxxxxxxxqcfjfnxxxxxxxxx\",\"agentVersion\":\"21.x.x.1234\",\"groupId\":\"1234567890123456789\",\"groupName\":\"Default Group\",\"networkInterfaces\":[{\"id\":\"1234567890123456789\",\"inet\":[\"10.0.0.1\"],\"inet6\":[\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\"],\"name\":\"Ethernet\",\"physical\":\"DE:AD:00:00:BE:EF\"}],\"operationalState\":\"na\",\"rebootRequired\":false,\"scanAbortedAt\":null,\"scanFinishedAt\":\"2022-04-06T09:18:21.090855Z\",\"scanStartedAt\":\"2022-04-06T08:26:52.838047Z\",\"scanStatus\":\"finished\",\"siteId\":\"1234567890123456789\",\"siteName\":\"Default 
site\",\"storageName\":null,\"storageType\":null,\"userActionsNeeded\":[]},\"containerInfo\":{\"id\":null,\"image\":null,\"labels\":null,\"name\":null},\"id\":\"1234567890123456789\",\"indicators\":[],\"kubernetesInfo\":{\"cluster\":null,\"controllerKind\":null,\"controllerLabels\":null,\"controllerName\":null,\"namespace\":null,\"namespaceLabels\":null,\"node\":null,\"pod\":null,\"podLabels\":null},\"mitigationStatus\":[{\"action\":\"unquarantine\",\"actionsCounters\":{\"failed\":0,\"notFound\":0,\"pendingReboot\":0,\"success\":1,\"total\":1},\"agentSupportsReport\":true,\"groupNotFound\":false,\"lastUpdate\":\"2022-04-06T08:54:17.198002Z\",\"latestReport\":\"/threats/mitigation-report\",\"mitigationEndedAt\":\"2022-04-06T08:54:17.101000Z\",\"mitigationStartedAt\":\"2022-04-06T08:54:17.101000Z\",\"status\":\"success\"},{\"action\":\"kill\",\"actionsCounters\":null,\"agentSupportsReport\":true,\"groupNotFound\":false,\"lastUpdate\":\"2022-04-06T08:45:55.303355Z\",\"latestReport\":null,\"mitigationEndedAt\":\"2022-04-06T08:45:55.297364Z\",\"mitigationStartedAt\":\"2022-04-06T08:45:55.297363Z\",\"status\":\"success\"}],\"threatInfo\":{\"analystVerdict\":\"undefined\",\"analystVerdictDescription\":\"Undefined\",\"automaticallyResolved\":false,\"browserType\":null,\"certificateId\":\"\",\"classification\":\"Trojan\",\"classificationSource\":\"Cloud\",\"cloudFilesHashVerdict\":\"black\",\"collectionId\":\"1234567890123456789\",\"confidenceLevel\":\"malicious\",\"createdAt\":\"2022-04-06T08:45:54.519988Z\",\"detectionEngines\":[{\"key\":\"sentinelone_cloud\",\"title\":\"SentinelOne Cloud\"}],\"detectionType\":\"static\",\"engines\":[\"SentinelOne 
Cloud\"],\"externalTicketExists\":false,\"externalTicketId\":null,\"failedActions\":false,\"fileExtension\":\"EXE\",\"fileExtensionType\":\"Executable\",\"filePath\":\"default.exe\",\"fileSize\":1234,\"fileVerificationType\":\"NotSigned\",\"identifiedAt\":\"2022-04-06T08:45:53.968000Z\",\"incidentStatus\":\"unresolved\",\"incidentStatusDescription\":\"Unresolved\",\"initiatedBy\":\"agent_policy\",\"initiatedByDescription\":\"Agent Policy\",\"initiatingUserId\":null,\"initiatingUsername\":null,\"isFileless\":false,\"isValidCertificate\":false,\"maliciousProcessArguments\":null,\"md5\":null,\"mitigatedPreemptively\":false,\"mitigationStatus\":\"not_mitigated\",\"mitigationStatusDescription\":\"Not mitigated\",\"originatorProcess\":\"default.exe\",\"pendingActions\":false,\"processUser\":\"test user\",\"publisherName\":\"\",\"reachedEventsLimit\":false,\"rebootRequired\":false,\"sha1\":\"aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d\",\"sha256\":null,\"storyline\":\"D0XXXXXXXXXXAF4D\",\"threatId\":\"1234567890123456789\",\"threatName\":\"default.exe\",\"updatedAt\":\"2022-04-06T08:54:17.194122Z\"},\"whiteningOptions\":[\"hash\"]}", "type": [ "info" ] @@ -55,7 +55,7 @@ "81.2.69.143" ], "mac": [ - "X2-0X-0X-X6-00-XX" + "DE-AD-00-00-BE-EF" ], "name": "test-LINUX", "os": { diff --git a/packages/sentinel_one/docs/README.md b/packages/sentinel_one/docs/README.md index d6c549108cd..f79898ca8cf 100644 --- a/packages/sentinel_one/docs/README.md +++ b/packages/sentinel_one/docs/README.md 
@@ -1212,22 +1212,22 @@ An example event for `threat` looks as following: { "@timestamp": "2022-04-06T08:54:17.194Z", "agent": { - "ephemeral_id": "3ea8603b-159f-441f-ae62-7fce6805bf8c", - "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7", + "ephemeral_id": "a2264e16-9431-4dd9-9e8a-6209c36c3c1e", + "id": "59bbe264-6d1c-48b7-9f6a-f2172d817ded", "name": "docker-fleet-agent", "type": "filebeat", "version": "8.13.0" }, "data_stream": { "dataset": "sentinel_one.threat", - "namespace": "37791", + "namespace": "80468", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7", + "id": "59bbe264-6d1c-48b7-9f6a-f2172d817ded", "snapshot": false, "version": "8.13.0" }, 
@@ -1237,12 +1237,12 @@ An example event for `threat` looks as following: "category": [ "malware" ], - "created": "2024-06-12T03:25:25.764Z", + "created": "2024-06-18T21:22:32.743Z", "dataset": "sentinel_one.threat", "id": "1234567890123456789", - "ingested": "2024-06-12T03:25:37Z", + "ingested": "2024-06-18T21:22:44Z", "kind": "alert", - "original": "{\"agentDetectionInfo\":{\"accountId\":\"1234567890123456789\",\"accountName\":\"Default\",\"agentDetectionState\":null,\"agentDomain\":\"WORKGROUP\",\"agentIpV4\":\"10.0.0.1\",\"agentIpV6\":\"2a02:cf40::\",\"agentLastLoggedInUpn\":null,\"agentLastLoggedInUserMail\":null,\"agentLastLoggedInUserName\":\"\",\"agentMitigationMode\":\"protect\",\"agentOsName\":\"linux\",\"agentOsRevision\":\"1234\",\"agentRegisteredAt\":\"2022-04-06T08:26:45.515278Z\",\"agentUuid\":\"fwfbxxxxxxxxxxqcfjfnxxxxxxxxx\",\"agentVersion\":\"21.x.x\",\"cloudProviders\":{},\"externalIp\":\"81.2.69.143\",\"groupId\":\"1234567890123456789\",\"groupName\":\"Default Group\",\"siteId\":\"1234567890123456789\",\"siteName\":\"Default site\"},\"agentRealtimeInfo\":{\"accountId\":\"1234567890123456789\",\"accountName\":\"Default\",\"activeThreats\":7,\"agentComputerName\":\"test-LINUX\",\"agentDecommissionedAt\":null,\"agentDomain\":\"WORKGROUP\",\"agentId\":\"1234567890123456789\",\"agentInfected\":true,\"agentIsActive\":true,\"agentIsDecommissioned\":false,\"agentMachineType\":\"server\",\"agentMitigationMode\":\"detect\",\"agentNetworkStatus\":\"connected\",\"agentOsName\":\"linux\",\"agentOsRevision\":\"1234\",\"agentOsType\":\"linux\",\"agentUuid\":\"fwfbxxxxxxxxxxqcfjfnxxxxxxxxx\",\"agentVersion\":\"21.x.x.1234\",\"groupId\":\"1234567890123456789\",\"groupName\":\"Default 
Group\",\"networkInterfaces\":[{\"id\":\"1234567890123456789\",\"inet\":[\"10.0.0.1\"],\"inet6\":[\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\"],\"name\":\"Ethernet\",\"physical\":\"X2:0X:0X:X6:00:XX\"}],\"operationalState\":\"na\",\"rebootRequired\":false,\"scanAbortedAt\":null,\"scanFinishedAt\":\"2022-04-06T09:18:21.090855Z\",\"scanStartedAt\":\"2022-04-06T08:26:52.838047Z\",\"scanStatus\":\"finished\",\"siteId\":\"1234567890123456789\",\"siteName\":\"Default site\",\"storageName\":null,\"storageType\":null,\"userActionsNeeded\":[]},\"containerInfo\":{\"id\":null,\"image\":null,\"labels\":null,\"name\":null},\"id\":\"1234567890123456789\",\"indicators\":[],\"kubernetesInfo\":{\"cluster\":null,\"controllerKind\":null,\"controllerLabels\":null,\"controllerName\":null,\"namespace\":null,\"namespaceLabels\":null,\"node\":null,\"pod\":null,\"podLabels\":null},\"mitigationStatus\":[{\"action\":\"unquarantine\",\"actionsCounters\":{\"failed\":0,\"notFound\":0,\"pendingReboot\":0,\"success\":1,\"total\":1},\"agentSupportsReport\":true,\"groupNotFound\":false,\"lastUpdate\":\"2022-04-06T08:54:17.198002Z\",\"latestReport\":\"/threats/mitigation-report\",\"mitigationEndedAt\":\"2022-04-06T08:54:17.101000Z\",\"mitigationStartedAt\":\"2022-04-06T08:54:17.101000Z\",\"status\":\"success\"},{\"action\":\"kill\",\"actionsCounters\":null,\"agentSupportsReport\":true,\"groupNotFound\":false,\"lastUpdate\":\"2022-04-06T08:45:55.303355Z\",\"latestReport\":null,\"mitigationEndedAt\":\"2022-04-06T08:45:55.297364Z\",\"mitigationStartedAt\":\"2022-04-06T08:45:55.297363Z\",\"status\":\"success\"}],\"threatInfo\":{\"analystVerdict\":\"undefined\",\"analystVerdictDescription\":\"Undefined\",\"automaticallyResolved\":false,\"browserType\":null,\"certificateId\":\"\",\"classification\":\"Trojan\",\"classificationSource\":\"Cloud\",\"cloudFilesHashVerdict\":\"black\",\"collectionId\":\"1234567890123456789\",\"confidenceLevel\":\"malicious\",\"createdAt\":\"2022-04-06T08:45:54.519988Z\",\"detectio
nEngines\":[{\"key\":\"sentinelone_cloud\",\"title\":\"SentinelOne Cloud\"}],\"detectionType\":\"static\",\"engines\":[\"SentinelOne Cloud\"],\"externalTicketExists\":false,\"externalTicketId\":null,\"failedActions\":false,\"fileExtension\":\"EXE\",\"fileExtensionType\":\"Executable\",\"filePath\":\"default.exe\",\"fileSize\":1234,\"fileVerificationType\":\"NotSigned\",\"identifiedAt\":\"2022-04-06T08:45:53.968000Z\",\"incidentStatus\":\"unresolved\",\"incidentStatusDescription\":\"Unresolved\",\"initiatedBy\":\"agent_policy\",\"initiatedByDescription\":\"Agent Policy\",\"initiatingUserId\":null,\"initiatingUsername\":null,\"isFileless\":false,\"isValidCertificate\":false,\"maliciousProcessArguments\":null,\"md5\":null,\"mitigatedPreemptively\":false,\"mitigationStatus\":\"not_mitigated\",\"mitigationStatusDescription\":\"Not mitigated\",\"originatorProcess\":\"default.exe\",\"pendingActions\":false,\"processUser\":\"test user\",\"publisherName\":\"\",\"reachedEventsLimit\":false,\"rebootRequired\":false,\"sha1\":\"aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d\",\"sha256\":null,\"storyline\":\"D0XXXXXXXXXXAF4D\",\"threatId\":\"1234567890123456789\",\"threatName\":\"default.exe\",\"updatedAt\":\"2022-04-06T08:54:17.194122Z\"},\"whiteningOptions\":[\"hash\"]}", + "original": "{\"agentDetectionInfo\":{\"accountId\":\"1234567890123456789\",\"accountName\":\"Default\",\"agentDetectionState\":null,\"agentDomain\":\"WORKGROUP\",\"agentIpV4\":\"10.0.0.1\",\"agentIpV6\":\"2a02:cf40::\",\"agentLastLoggedInUpn\":null,\"agentLastLoggedInUserMail\":null,\"agentLastLoggedInUserName\":\"\",\"agentMitigationMode\":\"protect\",\"agentOsName\":\"linux\",\"agentOsRevision\":\"1234\",\"agentRegisteredAt\":\"2022-04-06T08:26:45.515278Z\",\"agentUuid\":\"fwfbxxxxxxxxxxqcfjfnxxxxxxxxx\",\"agentVersion\":\"21.x.x\",\"cloudProviders\":{},\"externalIp\":\"81.2.69.143\",\"groupId\":\"1234567890123456789\",\"groupName\":\"Default Group\",\"siteId\":\"1234567890123456789\",\"siteName\":\"Default 
site\"},\"agentRealtimeInfo\":{\"accountId\":\"1234567890123456789\",\"accountName\":\"Default\",\"activeThreats\":7,\"agentComputerName\":\"test-LINUX\",\"agentDecommissionedAt\":null,\"agentDomain\":\"WORKGROUP\",\"agentId\":\"1234567890123456789\",\"agentInfected\":true,\"agentIsActive\":true,\"agentIsDecommissioned\":false,\"agentMachineType\":\"server\",\"agentMitigationMode\":\"detect\",\"agentNetworkStatus\":\"connected\",\"agentOsName\":\"linux\",\"agentOsRevision\":\"1234\",\"agentOsType\":\"linux\",\"agentUuid\":\"fwfbxxxxxxxxxxqcfjfnxxxxxxxxx\",\"agentVersion\":\"21.x.x.1234\",\"groupId\":\"1234567890123456789\",\"groupName\":\"Default Group\",\"networkInterfaces\":[{\"id\":\"1234567890123456789\",\"inet\":[\"10.0.0.1\"],\"inet6\":[\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\"],\"name\":\"Ethernet\",\"physical\":\"DE:AD:00:00:BE:EF\"}],\"operationalState\":\"na\",\"rebootRequired\":false,\"scanAbortedAt\":null,\"scanFinishedAt\":\"2022-04-06T09:18:21.090855Z\",\"scanStartedAt\":\"2022-04-06T08:26:52.838047Z\",\"scanStatus\":\"finished\",\"siteId\":\"1234567890123456789\",\"siteName\":\"Default 
site\",\"storageName\":null,\"storageType\":null,\"userActionsNeeded\":[]},\"containerInfo\":{\"id\":null,\"image\":null,\"labels\":null,\"name\":null},\"id\":\"1234567890123456789\",\"indicators\":[],\"kubernetesInfo\":{\"cluster\":null,\"controllerKind\":null,\"controllerLabels\":null,\"controllerName\":null,\"namespace\":null,\"namespaceLabels\":null,\"node\":null,\"pod\":null,\"podLabels\":null},\"mitigationStatus\":[{\"action\":\"unquarantine\",\"actionsCounters\":{\"failed\":0,\"notFound\":0,\"pendingReboot\":0,\"success\":1,\"total\":1},\"agentSupportsReport\":true,\"groupNotFound\":false,\"lastUpdate\":\"2022-04-06T08:54:17.198002Z\",\"latestReport\":\"/threats/mitigation-report\",\"mitigationEndedAt\":\"2022-04-06T08:54:17.101000Z\",\"mitigationStartedAt\":\"2022-04-06T08:54:17.101000Z\",\"status\":\"success\"},{\"action\":\"kill\",\"actionsCounters\":null,\"agentSupportsReport\":true,\"groupNotFound\":false,\"lastUpdate\":\"2022-04-06T08:45:55.303355Z\",\"latestReport\":null,\"mitigationEndedAt\":\"2022-04-06T08:45:55.297364Z\",\"mitigationStartedAt\":\"2022-04-06T08:45:55.297363Z\",\"status\":\"success\"}],\"threatInfo\":{\"analystVerdict\":\"undefined\",\"analystVerdictDescription\":\"Undefined\",\"automaticallyResolved\":false,\"browserType\":null,\"certificateId\":\"\",\"classification\":\"Trojan\",\"classificationSource\":\"Cloud\",\"cloudFilesHashVerdict\":\"black\",\"collectionId\":\"1234567890123456789\",\"confidenceLevel\":\"malicious\",\"createdAt\":\"2022-04-06T08:45:54.519988Z\",\"detectionEngines\":[{\"key\":\"sentinelone_cloud\",\"title\":\"SentinelOne Cloud\"}],\"detectionType\":\"static\",\"engines\":[\"SentinelOne 
Cloud\"],\"externalTicketExists\":false,\"externalTicketId\":null,\"failedActions\":false,\"fileExtension\":\"EXE\",\"fileExtensionType\":\"Executable\",\"filePath\":\"default.exe\",\"fileSize\":1234,\"fileVerificationType\":\"NotSigned\",\"identifiedAt\":\"2022-04-06T08:45:53.968000Z\",\"incidentStatus\":\"unresolved\",\"incidentStatusDescription\":\"Unresolved\",\"initiatedBy\":\"agent_policy\",\"initiatedByDescription\":\"Agent Policy\",\"initiatingUserId\":null,\"initiatingUsername\":null,\"isFileless\":false,\"isValidCertificate\":false,\"maliciousProcessArguments\":null,\"md5\":null,\"mitigatedPreemptively\":false,\"mitigationStatus\":\"not_mitigated\",\"mitigationStatusDescription\":\"Not mitigated\",\"originatorProcess\":\"default.exe\",\"pendingActions\":false,\"processUser\":\"test user\",\"publisherName\":\"\",\"reachedEventsLimit\":false,\"rebootRequired\":false,\"sha1\":\"aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d\",\"sha256\":null,\"storyline\":\"D0XXXXXXXXXXAF4D\",\"threatId\":\"1234567890123456789\",\"threatName\":\"default.exe\",\"updatedAt\":\"2022-04-06T08:54:17.194122Z\"},\"whiteningOptions\":[\"hash\"]}", "type": [ "info" ] @@ -1266,7 +1266,7 @@ An example event for `threat` looks as following: "81.2.69.143" ], "mac": [ - "X2-0X-0X-X6-00-XX" + "DE-AD-00-00-BE-EF" ], "name": "test-LINUX", "os": { diff --git a/packages/sentinel_one/manifest.yml b/packages/sentinel_one/manifest.yml index eefe8df2c10..07a356cddb0 100644 --- a/packages/sentinel_one/manifest.yml +++ b/packages/sentinel_one/manifest.yml @@ -1,7 +1,7 @@ format_version: "3.0.2" name: sentinel_one title: SentinelOne -version: "1.23.2" +version: "1.23.3" description: Collect logs from SentinelOne with Elastic Agent. type: integration categories: From 460d113f2f0f1de75c959a1a1e96ac67606d2b44 Mon Sep 17 00:00:00 2001 
From: milan-elastic <118723373+milan-elastic@users.noreply.github.com> Date: Wed, 19 Jun 2024 18:18:05 +0530 Subject: [PATCH 029/105] Add global level data_stream.dataset dashboard filter (#9768) * add dashboard level filter for activemq * add dashboard level filter for apache_spark * add dashboard level filter for apache_tomcat * add dashboard level filter for hadoop * add dashboard level filter for airflow * add dashboard level filter for apache * add dashboard level filter for cassandra * add dashboard filter for ceph * add dashboard level filter for citrix adc * add dashboard level filter for cockroachdb * update pr link in changelog * remove validation.yml * export dashboard again after migration to remove paneljson conflicts * remove tags from dashboard * minor change in apache tomcat catalina and localhost dashboard --- packages/activemq/changelog.yml | 5 + ...-8a0cbc90-f916-11ec-9736-016ee09668f5.json | 345 +- ...-bbc52920-f916-11ec-9736-016ee09668f5.json | 459 +- ...-d3639bc0-f916-11ec-9736-016ee09668f5.json | 460 +- ...-eac72840-f916-11ec-9736-016ee09668f5.json | 198 +- ...-f98d0c50-f916-11ec-9736-016ee09668f5.json | 200 +- ...-896ef3a0-145f-11ea-8fd8-030a13064883.json | 46 - ...-d784ec10-1460-11ea-8fd8-030a13064883.json | 46 - packages/activemq/manifest.yml | 2 +- packages/activemq/validation.yml | 4 - packages/airflow/changelog.yml | 5 + ...-a3aa42d0-a465-11ed-9ff0-ab4dd59e4c75.json | 83 +- packages/airflow/manifest.yml | 2 +- packages/airflow/validation.yml | 3 - packages/apache/changelog.yml | 5 + .../apache-Logs-Apache-Dashboard.json | 68 +- ...he-Metrics-Apache-HTTPD-server-status.json | 69 +- packages/apache/manifest.yml | 2 +- packages/apache/validation.yml | 3 - packages/apache_spark/changelog.yml | 5 + ...-b22dc960-a06c-11ec-8d4f-4fe3367a4156.json | 5388 +++++++---------- packages/apache_spark/manifest.yml | 2 +- packages/apache_spark/validation.yml | 3 - packages/apache_tomcat/changelog.yml | 5 + .../data_stream/access/manifest.yml | 1 - 
.../data_stream/catalina/manifest.yml | 3 +- .../data_stream/localhost/manifest.yml | 8 +- ...-2a331270-b8cd-11ed-a099-3791d000f969.json | 202 +- ...-44a8e0d0-b8f5-11ed-ac9b-cb6bcd97d223.json | 321 +- ...-5b24a9c0-0e86-11ee-8c11-879004e1a267.json | 213 +- ...-8fd54a20-1f0d-11ee-9d6b-bb41d08322c8.json | 296 +- ...-9c66eb10-dd0c-11ed-9f4f-d97c9f37d195.json | 238 +- ...-9f21d4e0-b837-11ed-8008-cf66df3fb6bf.json | 26 +- ...-af7759b0-0a75-11ee-a8d8-d15950a587f6.json | 131 +- ...-c2e71320-bccb-11ed-8065-19219c0d55ab.json | 198 +- ...-c8ec7280-1a57-11ee-8c1a-099fb2bcb823.json | 336 +- ...-c97374d0-bb78-11ed-812e-b1288b469a47.json | 70 +- ...-1f3c6e30-dd11-11ed-9f4f-d97c9f37d195.json | 111 - ...-4d39c820-ddcd-11ed-8080-ddad81fe2c3c.json | 111 - ...-d0957a70-eda4-11ed-909a-2baec7270d1f.json | 124 - packages/apache_tomcat/manifest.yml | 2 +- packages/apache_tomcat/validation.yml | 3 - packages/cassandra/changelog.yml | 5 + ...-25b7d6d0-1c71-11ec-84f1-e1733c643874.json | 769 +-- ...-49e4e6e0-cc54-11ec-8c59-ed6efced90da.json | 139 +- ...-a7a48e10-1f8a-11ec-ba68-fbf426daf104.json | 44 - packages/cassandra/manifest.yml | 2 +- packages/cassandra/validation.yml | 4 - packages/ceph/changelog.yml | 5 + ...-b2083fa0-9e0a-11ed-9f4a-79c03177b9dc.json | 1017 +--- packages/ceph/manifest.yml | 2 +- packages/ceph/validation.yml | 3 - packages/citrix_adc/changelog.yml | 5 + ...-2b30a8f0-4fa9-11ed-8fa7-7bab33159b99.json | 200 +- ...-73ef1be0-485a-11ed-aee6-31b55c85e6df.json | 247 +- ...-8d0661f0-4fa4-11ed-8fa7-7bab33159b99.json | 200 +- ...-95709fd0-e130-11ee-adb0-b71252739438.json | 925 +-- ...-abcd5660-4947-11ed-9b28-1f7d06bfd481.json | 372 +- ...-b475f280-4eb1-11ed-9db6-73aea65de09b.json | 200 +- ...-c4b9b970-3d99-11ed-9f8b-1bc5a55dfeec.json | 178 +- packages/citrix_adc/manifest.yml | 2 +- packages/citrix_adc/validation.yml | 3 - packages/cockroachdb/changelog.yml | 5 + ...-e3ba0c30-9766-11e9-9eea-6f554992ec1f.json | 79 +- packages/cockroachdb/manifest.yml | 2 +- 
packages/cockroachdb/validation.yml | 3 - packages/hadoop/changelog.yml | 5 + ...-3e16f2c0-cd28-11ec-be30-1d9331f0b107.json | 1280 ++-- ...-70125ec0-cf78-11ec-bc3e-6faca2b11df2.json | 1126 ++-- ...-c06fb680-cf76-11ec-bc3e-6faca2b11df2.json | 2257 +++---- ...-cb235590-cd24-11ec-be30-1d9331f0b107.json | 2539 ++++---- packages/hadoop/manifest.yml | 2 +- packages/hadoop/validation.yml | 4 - 73 files changed, 8084 insertions(+), 13342 deletions(-) delete mode 100644 packages/activemq/kibana/search/activemq-896ef3a0-145f-11ea-8fd8-030a13064883.json delete mode 100644 packages/activemq/kibana/search/activemq-d784ec10-1460-11ea-8fd8-030a13064883.json delete mode 100644 packages/activemq/validation.yml delete mode 100644 packages/airflow/validation.yml delete mode 100644 packages/apache/validation.yml delete mode 100644 packages/apache_spark/validation.yml delete mode 100644 packages/apache_tomcat/kibana/search/apache_tomcat-1f3c6e30-dd11-11ed-9f4f-d97c9f37d195.json delete mode 100644 packages/apache_tomcat/kibana/search/apache_tomcat-4d39c820-ddcd-11ed-8080-ddad81fe2c3c.json delete mode 100644 packages/apache_tomcat/kibana/search/apache_tomcat-d0957a70-eda4-11ed-909a-2baec7270d1f.json delete mode 100644 packages/apache_tomcat/validation.yml delete mode 100644 packages/cassandra/kibana/search/cassandra-a7a48e10-1f8a-11ec-ba68-fbf426daf104.json delete mode 100644 packages/cassandra/validation.yml delete mode 100644 packages/ceph/validation.yml delete mode 100644 packages/citrix_adc/validation.yml delete mode 100644 packages/cockroachdb/validation.yml delete mode 100644 packages/hadoop/validation.yml diff --git a/packages/activemq/changelog.yml b/packages/activemq/changelog.yml index 0cd8019260c..b77dd247569 100644 --- a/packages/activemq/changelog.yml +++ b/packages/activemq/changelog.yml 
@@ -1,4 +1,9 @@ # newer versions go on top +- version: 1.3.0 + changes: + - description: Add global filter on data_stream.dataset to improve performance. + type: enhancement + link: https://github.com/elastic/integrations/pull/9768 - version: 1.2.1 changes: - description: Add pipeline tests for Broker, Queue and Topic data streams. diff --git a/packages/activemq/kibana/dashboard/activemq-8a0cbc90-f916-11ec-9736-016ee09668f5.json b/packages/activemq/kibana/dashboard/activemq-8a0cbc90-f916-11ec-9736-016ee09668f5.json index 7fe152b6486..1a4cb79d5b1 100644 --- a/packages/activemq/kibana/dashboard/activemq-8a0cbc90-f916-11ec-9736-016ee09668f5.json +++ b/packages/activemq/kibana/dashboard/activemq-8a0cbc90-f916-11ec-9736-016ee09668f5.json @@ -1,10 +1,32 @@ { "attributes": { "description": "The dashboard presents metric data describing ActiveMQ broker. Metrics show statistics of enqueued and dequeued messages, consumers, producers and memory usage (broker, store, temp).", - "hits": 0, "kibanaSavedObjectMeta": { "searchSourceJSON": { - "filter": [], + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "activemq.broker" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "activemq.broker" + } + } + } + ], "query": { "language": "kuery", "query": "" @@ -13,6 +35,9 @@ }, "optionsJSON": { "hidePanelTitles": false, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false, "useMargins": true }, "panelsJSON": [ @@ -20,11 +45,6 @@ "embeddableConfig": { "attributes": { "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, { "id": "metrics-*", "name": "indexpattern-datasource-layer-12141562-7906-4ed5-8d08-5dfca67bd65d", 
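Review bot: The new dashboard-level filter in the first hunk of activemq-8a0cbc90-f916-11ec-9736-016ee09668f5.json binds its data view only indirectly, through `"indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index"`, which requires an entry with exactly that `name` in the dashboard's top-level `references` array; that array lies outside the hunk, so it cannot be confirmed here that the re-export added it. If it is missing, Kibana presumably cannot resolve the filter's data view after install and the `data_stream.dataset: activemq.broker` pill shows as unresolvable and uneditable, which undercuts the performance goal of replacing the per-panel `event.dataset` filters that the later hunks in this file delete. The per-panel filters that were removed carried their own `index` ids and matching `references` entries, and those entries are deleted in the same hunks, so the only remaining index binding for the filter is the one named above. Worth a quick look at the `references` block of this file and of the other dashboard exports in the diffstat before merging.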
@@ -39,16 +59,12 @@ "id": "metrics-*", "name": "indexpattern-datasource-layer-428be7c3-a9fa-4d69-a65a-d9d763c39ebc", "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "e97d1cb0-3237-4d6a-9bc7-8b7ab8c699d8", - "type": "index-pattern" } ], "state": { + "adHocDataViews": {}, "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "12141562-7906-4ed5-8d08-5dfca67bd65d": { "columnOrder": [ @@ -188,29 +204,8 @@ } } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "e97d1cb0-3237-4d6a-9bc7-8b7ab8c699d8", - "key": "event.dataset", - "negate": false, - "params": { - "query": "activemq.broker" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "activemq.broker" - } - } - } - ], + "filters": [], + "internalReferences": [], "query": { "language": "kuery", "query": "" @@ -275,6 +270,7 @@ ], "legend": { "isVisible": true, + "legendSize": "auto", "position": "bottom", "showSingleSeries": true }, @@ -300,18 +296,12 @@ }, "panelIndex": "0bb4a077-65fc-4d3a-a6e6-39a7ec01e01f", "title": "Broker Messages [Metrics ActiveMQ]", - "type": "lens", - "version": "8.2.0" + "type": "lens" }, { "embeddableConfig": { "attributes": { "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, { "id": "metrics-*", "name": "indexpattern-datasource-layer-76785d34-137e-4deb-8c2f-6a0e580fe791", @@ -321,16 +311,12 @@ "id": "metrics-*", "name": "indexpattern-datasource-layer-95249016-3e82-44fb-b4dc-9daf847c8323", "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "ad66c61f-b23d-4d78-bd08-635474184598", - "type": "index-pattern" } ], "state": { + "adHocDataViews": {}, "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "76785d34-137e-4deb-8c2f-6a0e580fe791": { "columnOrder": [ 
@@ -403,29 +389,8 @@ } } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "ad66c61f-b23d-4d78-bd08-635474184598", - "key": "event.dataset", - "negate": false, - "params": { - "query": "activemq.broker" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "activemq.broker" - } - } - } - ], + "filters": [], + "internalReferences": [], "query": { "language": "kuery", "query": "" @@ -474,6 +439,7 @@ ], "legend": { "isVisible": true, + "legendSize": "auto", "position": "bottom", "showSingleSeries": true }, @@ -499,32 +465,22 @@ }, "panelIndex": "9719ed38-5a0d-4132-b504-1bae29b20369", "title": "Broker Consumers/Producers [Metrics ActiveMQ]", - "type": "lens", - "version": "8.2.0" + "type": "lens" }, { "embeddableConfig": { "attributes": { "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, { "id": "metrics-*", "name": "indexpattern-datasource-layer-ac4e031d-2809-4be6-a8fe-3eceb0b8e0b2", "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "815a9769-bfaf-450b-a311-0207b9e77365", - "type": "index-pattern" } ], "state": { + "adHocDataViews": {}, "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "ac4e031d-2809-4be6-a8fe-3eceb0b8e0b2": { "columnOrder": [ @@ -574,29 +530,8 @@ } } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "815a9769-bfaf-450b-a311-0207b9e77365", - "key": "event.dataset", - "negate": false, - "params": { - "query": "activemq.broker" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "activemq.broker" - } - } - } - ], + "filters": [], + "internalReferences": [], "query": { "language": "kuery", "query": "" @@ -634,6 +569,7 @@ ], "legend": { "isVisible": true, + "legendSize": "auto", "position": "bottom", "showSingleSeries": true }, 
@@ -659,32 +595,22 @@ }, "panelIndex": "7f00478e-0bf9-409c-89b7-2fc3f4ee50a9", "title": "Broker Connections [Metrics ActiveMQ]", - "type": "lens", - "version": "8.2.0" + "type": "lens" }, { "embeddableConfig": { "attributes": { "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, { "id": "metrics-*", "name": "indexpattern-datasource-layer-8166160e-8716-4e77-85fc-c42382687c37", "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "5d935ffb-7266-42d2-865f-1ac53d948841", - "type": "index-pattern" } ], "state": { + "adHocDataViews": {}, "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "8166160e-8716-4e77-85fc-c42382687c37": { "columnOrder": [ @@ -741,29 +667,8 @@ } } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "5d935ffb-7266-42d2-865f-1ac53d948841", - "key": "event.dataset", - "negate": false, - "params": { - "query": "activemq.broker" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "activemq.broker" - } - } - } - ], + "filters": [], + "internalReferences": [], "query": { "language": "kuery", "query": "" @@ -823,32 +728,22 @@ }, "panelIndex": "b82bc348-18ce-4a6c-8d6d-4e90340f1690", "title": "Broker Memory Usage [Metrics ActiveMQ]", - "type": "lens", - "version": "8.2.0" + "type": "lens" }, { "embeddableConfig": { "attributes": { "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, { "id": "metrics-*", "name": "indexpattern-datasource-layer-e7c5af36-1010-45a6-94ba-2a002a82dc83", "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "3e5315d2-5eee-4820-9888-47559e66e7da", - "type": "index-pattern" } ], "state": { + "adHocDataViews": {}, "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "e7c5af36-1010-45a6-94ba-2a002a82dc83": { "columnOrder": [ 
@@ -905,29 +800,8 @@ } } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "3e5315d2-5eee-4820-9888-47559e66e7da", - "key": "event.dataset", - "negate": false, - "params": { - "query": "activemq.broker" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "activemq.broker" - } - } - } - ], + "filters": [], + "internalReferences": [], "query": { "language": "kuery", "query": "" @@ -987,32 +861,22 @@ }, "panelIndex": "3716faab-9aeb-4431-8fab-0fed419689f5", "title": "Broker Store Memory Usage [Metrics ActiveMQ]", - "type": "lens", - "version": "8.2.0" + "type": "lens" }, { "embeddableConfig": { "attributes": { "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, { "id": "metrics-*", "name": "indexpattern-datasource-layer-72c3dc23-6894-4f3e-8c4d-497e829ada9f", "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "02acd0aa-8adb-4014-9db9-9558c7f7d209", - "type": "index-pattern" } ], "state": { + "adHocDataViews": {}, "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "72c3dc23-6894-4f3e-8c4d-497e829ada9f": { "columnOrder": [ @@ -1069,29 +933,8 @@ } } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "02acd0aa-8adb-4014-9db9-9558c7f7d209", - "key": "event.dataset", - "negate": false, - "params": { - "query": "activemq.broker" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "activemq.broker" - } - } - } - ], + "filters": [], + "internalReferences": [], "query": { "language": "kuery", "query": "" 
@@ -1151,23 +994,21 @@ }, "panelIndex": "c20b98fb-92f8-4933-ac32-18119552b57a", "title": "Broker Temp Memory Usage [Metrics ActiveMQ]", - "type": "lens", - "version": "8.2.0" + "type": "lens" } ], "timeRestore": false, "title": "[Metrics ActiveMQ] Broker", "version": 1 }, - "coreMigrationVersion": "8.2.0", + "coreMigrationVersion": "8.8.0", + "created_at": "2024-04-10T15:15:34.429Z", "id": "activemq-8a0cbc90-f916-11ec-9736-016ee09668f5", - "migrationVersion": { - "dashboard": "8.2.0" - }, + "managed": false, "references": [ { "id": "metrics-*", - "name": "0bb4a077-65fc-4d3a-a6e6-39a7ec01e01f:indexpattern-datasource-current-indexpattern", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern" }, { @@ -1185,16 +1026,6 @@ "name": "0bb4a077-65fc-4d3a-a6e6-39a7ec01e01f:indexpattern-datasource-layer-428be7c3-a9fa-4d69-a65a-d9d763c39ebc", "type": "index-pattern" }, - { - "id": "metrics-*", - "name": "0bb4a077-65fc-4d3a-a6e6-39a7ec01e01f:e97d1cb0-3237-4d6a-9bc7-8b7ab8c699d8", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "9719ed38-5a0d-4132-b504-1bae29b20369:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, { "id": "metrics-*", "name": "9719ed38-5a0d-4132-b504-1bae29b20369:indexpattern-datasource-layer-76785d34-137e-4deb-8c2f-6a0e580fe791", 
@@ -1205,71 +1036,27 @@ "name": "9719ed38-5a0d-4132-b504-1bae29b20369:indexpattern-datasource-layer-95249016-3e82-44fb-b4dc-9daf847c8323", "type": "index-pattern" }, - { - "id": "metrics-*", - "name": "9719ed38-5a0d-4132-b504-1bae29b20369:ad66c61f-b23d-4d78-bd08-635474184598", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "7f00478e-0bf9-409c-89b7-2fc3f4ee50a9:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, { "id": "metrics-*", "name": "7f00478e-0bf9-409c-89b7-2fc3f4ee50a9:indexpattern-datasource-layer-ac4e031d-2809-4be6-a8fe-3eceb0b8e0b2", "type": "index-pattern" }, - { - "id": "metrics-*", - "name": "7f00478e-0bf9-409c-89b7-2fc3f4ee50a9:815a9769-bfaf-450b-a311-0207b9e77365", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "b82bc348-18ce-4a6c-8d6d-4e90340f1690:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, { "id": "metrics-*", "name": "b82bc348-18ce-4a6c-8d6d-4e90340f1690:indexpattern-datasource-layer-8166160e-8716-4e77-85fc-c42382687c37", "type": "index-pattern" }, - { - "id": "metrics-*", - "name": "b82bc348-18ce-4a6c-8d6d-4e90340f1690:5d935ffb-7266-42d2-865f-1ac53d948841", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "3716faab-9aeb-4431-8fab-0fed419689f5:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, { "id": "metrics-*", "name": "3716faab-9aeb-4431-8fab-0fed419689f5:indexpattern-datasource-layer-e7c5af36-1010-45a6-94ba-2a002a82dc83", "type": "index-pattern" }, - { - "id": "metrics-*", - "name": "3716faab-9aeb-4431-8fab-0fed419689f5:3e5315d2-5eee-4820-9888-47559e66e7da", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "c20b98fb-92f8-4933-ac32-18119552b57a:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, { "id": "metrics-*", "name": "c20b98fb-92f8-4933-ac32-18119552b57a:indexpattern-datasource-layer-72c3dc23-6894-4f3e-8c4d-497e829ada9f", "type": "index-pattern" - }, - { 
- "id": "metrics-*", - "name": "c20b98fb-92f8-4933-ac32-18119552b57a:02acd0aa-8adb-4014-9db9-9558c7f7d209", - "type": "index-pattern" } ], - "type": "dashboard" + "type": "dashboard", + "typeMigrationVersion": "8.9.0" } \ No newline at end of file diff --git a/packages/activemq/kibana/dashboard/activemq-bbc52920-f916-11ec-9736-016ee09668f5.json b/packages/activemq/kibana/dashboard/activemq-bbc52920-f916-11ec-9736-016ee09668f5.json index af1a268e7ba..5c6867b7f4a 100644 --- a/packages/activemq/kibana/dashboard/activemq-bbc52920-f916-11ec-9736-016ee09668f5.json +++ b/packages/activemq/kibana/dashboard/activemq-bbc52920-f916-11ec-9736-016ee09668f5.json @@ -1,10 +1,32 @@ { "attributes": { "description": "The dashboard presents metric data describing ActiveMQ queues. Metrics show statistics of exchanged messages, consumers, producers and memory usage.", - "hits": 0, "kibanaSavedObjectMeta": { "searchSourceJSON": { - "filter": [], + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "activemq.queue" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "activemq.queue" + } + } + } + ], "query": { "language": "kuery", "query": "" @@ -14,6 +36,8 @@ "optionsJSON": { "hidePanelTitles": false, "syncColors": true, + "syncCursor": true, + "syncTooltips": false, "useMargins": true }, "panelsJSON": [ 
@@ -21,25 +45,16 @@ "embeddableConfig": { "attributes": { "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, { "id": "metrics-*", "name": "indexpattern-datasource-layer-453e1b5c-252b-43a6-967b-272078a30001", "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "c8604f14-b353-4db8-bf8c-98701a4c0946", - "type": "index-pattern" } ], "state": { + "adHocDataViews": {}, "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "453e1b5c-252b-43a6-967b-272078a30001": { "columnOrder": [ @@ -114,29 +129,8 @@ } } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "c8604f14-b353-4db8-bf8c-98701a4c0946", - "key": "event.dataset", - "negate": false, - "params": { - "query": "activemq.queue" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "activemq.queue" - } - } - } - ], + "filters": [], + "internalReferences": [], "query": { "language": "kuery", "query": "" @@ -174,7 +168,7 @@ ], "legend": { "isVisible": true, - "legendSize": 130, + "legendSize": "medium", "position": "right", "showSingleSeries": true }, @@ -200,32 +194,22 @@ }, "panelIndex": "3157f297-1d10-4340-8286-c94da70d2d5b", "title": "Queues Messages Dequeue [Metrics ActiveMQ]", - "type": "lens", - "version": "8.2.0" + "type": "lens" }, { "embeddableConfig": { "attributes": { "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, { "id": "metrics-*", "name": "indexpattern-datasource-layer-c5b8701c-9614-4430-97cd-1151d4c506a1", "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "1cf3f5a6-bf8a-46db-8f9d-d65622ff22dc", - "type": "index-pattern" } ], "state": { + "adHocDataViews": {}, "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "c5b8701c-9614-4430-97cd-1151d4c506a1": { "columnOrder": [ 
@@ -300,29 +284,8 @@ } } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "1cf3f5a6-bf8a-46db-8f9d-d65622ff22dc", - "key": "event.dataset", - "negate": false, - "params": { - "query": "activemq.queue" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "activemq.queue" - } - } - } - ], + "filters": [], + "internalReferences": [], "query": { "language": "kuery", "query": "" @@ -360,7 +323,7 @@ ], "legend": { "isVisible": true, - "legendSize": 130, + "legendSize": "medium", "position": "right", "showSingleSeries": true }, @@ -386,32 +349,22 @@ }, "panelIndex": "e0a49d67-aeb4-4965-a9ad-8497be08ef94", "title": "Queues Messages Dispatch [Metrics ActiveMQ]", - "type": "lens", - "version": "8.2.0" + "type": "lens" }, { "embeddableConfig": { "attributes": { "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, { "id": "metrics-*", "name": "indexpattern-datasource-layer-586e1684-5c4c-41de-b951-0621194d6b0c", "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "1db31480-1773-4a7d-b9a9-ba15e0f71294", - "type": "index-pattern" } ], "state": { + "adHocDataViews": {}, "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "586e1684-5c4c-41de-b951-0621194d6b0c": { "columnOrder": [ @@ -486,29 +439,8 @@ } } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "1db31480-1773-4a7d-b9a9-ba15e0f71294", - "key": "event.dataset", - "negate": false, - "params": { - "query": "activemq.queue" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "activemq.queue" - } - } - } - ], + "filters": [], + "internalReferences": [], "query": { "language": "kuery", "query": "" 
@@ -546,7 +478,7 @@ ], "legend": { "isVisible": true, - "legendSize": 130, + "legendSize": "medium", "position": "right", "showSingleSeries": true }, @@ -572,32 +504,22 @@ }, "panelIndex": "860cc8aa-e1ab-4e0b-bcc8-7d618454d1a8", "title": "Queues Messages Enqueue [Metrics ActiveMQ]", - "type": "lens", - "version": "8.2.0" + "type": "lens" }, { "embeddableConfig": { "attributes": { "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, { "id": "metrics-*", "name": "indexpattern-datasource-layer-f5fecce5-b460-4ef0-9e44-49a441c8856b", "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "a0b760e3-966a-4026-9d4c-4706b63407c2", - "type": "index-pattern" } ], "state": { + "adHocDataViews": {}, "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "f5fecce5-b460-4ef0-9e44-49a441c8856b": { "columnOrder": [ @@ -672,29 +594,8 @@ } } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "a0b760e3-966a-4026-9d4c-4706b63407c2", - "key": "event.dataset", - "negate": false, - "params": { - "query": "activemq.queue" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "activemq.queue" - } - } - } - ], + "filters": [], + "internalReferences": [], "query": { "language": "kuery", "query": "" @@ -732,7 +633,7 @@ ], "legend": { "isVisible": true, - "legendSize": 130, + "legendSize": "medium", "position": "right", "showSingleSeries": true }, 
@@ -758,32 +659,22 @@ }, "panelIndex": "b436365e-8c57-42c5-83c9-422680315dc7", "title": "Queues Messages In-flight [Metrics ActiveMQ]", - "type": "lens", - "version": "8.2.0" + "type": "lens" }, { "embeddableConfig": { "attributes": { "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, { "id": "metrics-*", "name": "indexpattern-datasource-layer-afd559c7-ddfa-40c5-b82f-639ffe20618e", "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "a439e754-dc49-4c20-a75e-810bea2d0fa6", - "type": "index-pattern" } ], "state": { + "adHocDataViews": {}, "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "afd559c7-ddfa-40c5-b82f-639ffe20618e": { "columnOrder": [ @@ -858,29 +749,8 @@ } } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "a439e754-dc49-4c20-a75e-810bea2d0fa6", - "key": "event.dataset", - "negate": false, - "params": { - "query": "activemq.queue" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "activemq.queue" - } - } - } - ], + "filters": [], + "internalReferences": [], "query": { "language": "kuery", "query": "" @@ -929,7 +799,7 @@ ], "legend": { "isVisible": true, - "legendSize": 130, + "legendSize": "medium", "position": "right", "showSingleSeries": true }, 
@@ -959,32 +829,22 @@ }, "panelIndex": "dfc4f2ee-20da-48d9-baf9-c69451791901", "title": "Queues Messages Expired [Metrics ActiveMQ]", - "type": "lens", - "version": "8.2.0" + "type": "lens" }, { "embeddableConfig": { "attributes": { "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, { "id": "metrics-*", "name": "indexpattern-datasource-layer-a0a59831-d5e6-42bb-a097-ed95f6ed6f33", "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "96903449-d137-4061-8f2e-6537780d0165", - "type": "index-pattern" } ], "state": { + "adHocDataViews": {}, "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "a0a59831-d5e6-42bb-a097-ed95f6ed6f33": { "columnOrder": [ @@ -1047,29 +907,8 @@ } } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "96903449-d137-4061-8f2e-6537780d0165", - "key": "event.dataset", - "negate": false, - "params": { - "query": "activemq.queue" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "activemq.queue" - } - } - } - ], + "filters": [], + "internalReferences": [], "query": { "language": "kuery", "query": "" @@ -1107,7 +946,7 @@ ], "legend": { "isVisible": true, - "legendSize": 130, + "legendSize": "medium", "position": "right", "showSingleSeries": true }, 
@@ -1133,32 +972,22 @@ }, "panelIndex": "2c35e787-ad23-485f-abb0-86f1032e4547", "title": "Queues Consumers [Metrics ActiveMQ]", - "type": "lens", - "version": "8.2.0" + "type": "lens" }, { "embeddableConfig": { "attributes": { "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, { "id": "metrics-*", "name": "indexpattern-datasource-layer-82fceedb-d629-4bc3-ac77-3901c351dadd", "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "a148322d-089b-4075-aefb-2660b3b3aaa7", - "type": "index-pattern" } ], "state": { + "adHocDataViews": {}, "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "82fceedb-d629-4bc3-ac77-3901c351dadd": { "columnOrder": [ @@ -1228,29 +1057,8 @@ } } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "a148322d-089b-4075-aefb-2660b3b3aaa7", - "key": "event.dataset", - "negate": false, - "params": { - "query": "activemq.queue" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "activemq.queue" - } - } - } - ], + "filters": [], + "internalReferences": [], "query": { "language": "kuery", "query": "" @@ -1288,7 +1096,7 @@ ], "legend": { "isVisible": true, - "legendSize": 130, + "legendSize": "medium", "position": "right", "showSingleSeries": true }, 
@@ -1314,32 +1122,22 @@ }, "panelIndex": "fb9c1fc2-6f9e-423e-81bc-13aa00aeeeb5", "title": "Queues Messages Enqueue Time [Metrics ActiveMQ]", - "type": "lens", - "version": "8.2.0" + "type": "lens" }, { "embeddableConfig": { "attributes": { "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, { "id": "metrics-*", "name": "indexpattern-datasource-layer-fff9e7b4-8fae-41f3-92c4-74e42c7c631e", "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "5df6b602-4411-412a-9d97-ced633d98049", - "type": "index-pattern" } ], "state": { + "adHocDataViews": {}, "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "fff9e7b4-8fae-41f3-92c4-74e42c7c631e": { "columnOrder": [ @@ -1403,29 +1201,8 @@ } } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "5df6b602-4411-412a-9d97-ced633d98049", - "key": "event.dataset", - "negate": false, - "params": { - "query": "activemq.queue" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "activemq.queue" - } - } - } - ], + "filters": [], + "internalReferences": [], "query": { "language": "kuery", "query": "" @@ -1463,7 +1240,7 @@ ], "legend": { "isVisible": true, - "legendSize": 130, + "legendSize": "medium", "position": "right", "showSingleSeries": true }, 
@@ -1489,23 +1266,21 @@ }, "panelIndex": "15e43ab4-bcd8-4f89-8a2d-3f05af79c938", "title": "Queues Producers [Metrics ActiveMQ]", - "type": "lens", - "version": "8.2.0" + "type": "lens" } ], "timeRestore": false, "title": "[Metrics ActiveMQ] Queues", "version": 1 }, - "coreMigrationVersion": "8.2.0", + "coreMigrationVersion": "8.8.0", + "created_at": "2024-04-10T15:17:39.613Z", "id": "activemq-bbc52920-f916-11ec-9736-016ee09668f5", - "migrationVersion": { - "dashboard": "8.2.0" - }, + "managed": false, "references": [ { "id": "metrics-*", - "name": "3157f297-1d10-4340-8286-c94da70d2d5b:indexpattern-datasource-current-indexpattern", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern" }, { 
@@ -1513,116 +1288,42 @@ "name": "3157f297-1d10-4340-8286-c94da70d2d5b:indexpattern-datasource-layer-453e1b5c-252b-43a6-967b-272078a30001", "type": "index-pattern" }, - { - "id": "metrics-*", - "name": "3157f297-1d10-4340-8286-c94da70d2d5b:c8604f14-b353-4db8-bf8c-98701a4c0946", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "e0a49d67-aeb4-4965-a9ad-8497be08ef94:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, { "id": "metrics-*", "name": "e0a49d67-aeb4-4965-a9ad-8497be08ef94:indexpattern-datasource-layer-c5b8701c-9614-4430-97cd-1151d4c506a1", "type": "index-pattern" }, - { - "id": "metrics-*", - "name": "e0a49d67-aeb4-4965-a9ad-8497be08ef94:1cf3f5a6-bf8a-46db-8f9d-d65622ff22dc", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "860cc8aa-e1ab-4e0b-bcc8-7d618454d1a8:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, { "id": "metrics-*", "name": "860cc8aa-e1ab-4e0b-bcc8-7d618454d1a8:indexpattern-datasource-layer-586e1684-5c4c-41de-b951-0621194d6b0c", "type": "index-pattern" }, - { - "id": "metrics-*", - "name": "860cc8aa-e1ab-4e0b-bcc8-7d618454d1a8:1db31480-1773-4a7d-b9a9-ba15e0f71294", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "b436365e-8c57-42c5-83c9-422680315dc7:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, { "id": "metrics-*", "name": "b436365e-8c57-42c5-83c9-422680315dc7:indexpattern-datasource-layer-f5fecce5-b460-4ef0-9e44-49a441c8856b", "type": "index-pattern" }, - { - "id": "metrics-*", - "name": "b436365e-8c57-42c5-83c9-422680315dc7:a0b760e3-966a-4026-9d4c-4706b63407c2", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "dfc4f2ee-20da-48d9-baf9-c69451791901:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, { "id": "metrics-*", "name": "dfc4f2ee-20da-48d9-baf9-c69451791901:indexpattern-datasource-layer-afd559c7-ddfa-40c5-b82f-639ffe20618e", "type": "index-pattern" }, - { 
- "id": "metrics-*", - "name": "dfc4f2ee-20da-48d9-baf9-c69451791901:a439e754-dc49-4c20-a75e-810bea2d0fa6", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "2c35e787-ad23-485f-abb0-86f1032e4547:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, { "id": "metrics-*", "name": "2c35e787-ad23-485f-abb0-86f1032e4547:indexpattern-datasource-layer-a0a59831-d5e6-42bb-a097-ed95f6ed6f33", "type": "index-pattern" }, - { - "id": "metrics-*", - "name": "2c35e787-ad23-485f-abb0-86f1032e4547:96903449-d137-4061-8f2e-6537780d0165", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "fb9c1fc2-6f9e-423e-81bc-13aa00aeeeb5:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, { "id": "metrics-*", "name": "fb9c1fc2-6f9e-423e-81bc-13aa00aeeeb5:indexpattern-datasource-layer-82fceedb-d629-4bc3-ac77-3901c351dadd", "type": "index-pattern" }, - { - "id": "metrics-*", - "name": "fb9c1fc2-6f9e-423e-81bc-13aa00aeeeb5:a148322d-089b-4075-aefb-2660b3b3aaa7", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "15e43ab4-bcd8-4f89-8a2d-3f05af79c938:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, { "id": "metrics-*", "name": "15e43ab4-bcd8-4f89-8a2d-3f05af79c938:indexpattern-datasource-layer-fff9e7b4-8fae-41f3-92c4-74e42c7c631e", "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "15e43ab4-bcd8-4f89-8a2d-3f05af79c938:5df6b602-4411-412a-9d97-ced633d98049", - "type": "index-pattern" } ], - "type": "dashboard" + "type": "dashboard", + "typeMigrationVersion": "8.9.0" } \ No newline at end of file diff --git a/packages/activemq/kibana/dashboard/activemq-d3639bc0-f916-11ec-9736-016ee09668f5.json b/packages/activemq/kibana/dashboard/activemq-d3639bc0-f916-11ec-9736-016ee09668f5.json index a17554b91b3..2490dc47307 100644 --- a/packages/activemq/kibana/dashboard/activemq-d3639bc0-f916-11ec-9736-016ee09668f5.json 
+++ b/packages/activemq/kibana/dashboard/activemq-d3639bc0-f916-11ec-9736-016ee09668f5.json @@ -1,10 +1,32 @@ { "attributes": { "description": "The dashboard presents metric data describing ActiveMQ topics. Metrics show statistics of exchanged messages, consumers, producers and memory usage.", - "hits": 0, "kibanaSavedObjectMeta": { "searchSourceJSON": { - "filter": [], + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "activemq.topic" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "activemq.topic" + } + } + } + ], "query": { "language": "kuery", "query": "" @@ -13,6 +35,9 @@ }, "optionsJSON": { "hidePanelTitles": false, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false, "useMargins": true }, "panelsJSON": [ @@ -20,25 +45,16 @@ "embeddableConfig": { "attributes": { "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, { "id": "metrics-*", "name": "indexpattern-datasource-layer-453e1b5c-252b-43a6-967b-272078a30001", "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "a0f2c1c4-e554-4a3c-a060-25ca7f4c69db", - "type": "index-pattern" } ], "state": { + "adHocDataViews": {}, "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "453e1b5c-252b-43a6-967b-272078a30001": { "columnOrder": [ 
@@ -112,29 +128,8 @@ } } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "a0f2c1c4-e554-4a3c-a060-25ca7f4c69db", - "key": "event.dataset", - "negate": false, - "params": { - "query": "activemq.topic" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "activemq.topic" - } - } - } - ], + "filters": [], + "internalReferences": [], "query": { "language": "kuery", "query": "" @@ -172,7 +167,7 @@ ], "legend": { "isVisible": true, - "legendSize": 130, + "legendSize": "medium", "position": "right", "showSingleSeries": true }, @@ -198,32 +193,22 @@ }, "panelIndex": "1e5e96e7-dd15-437b-831f-4801b211cdfe", "title": "Topics Messages Dequeue [Metrics ActiveMQ]", - "type": "lens", - "version": "8.2.0" + "type": "lens" }, { "embeddableConfig": { "attributes": { "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, { "id": "metrics-*", "name": "indexpattern-datasource-layer-c5b8701c-9614-4430-97cd-1151d4c506a1", "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "5822cc9e-7a5e-4a4f-bbc5-e64330b2f59b", - "type": "index-pattern" } ], "state": { + "adHocDataViews": {}, "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "c5b8701c-9614-4430-97cd-1151d4c506a1": { "columnOrder": [ @@ -297,29 +282,8 @@ } } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "5822cc9e-7a5e-4a4f-bbc5-e64330b2f59b", - "key": "event.dataset", - "negate": false, - "params": { - "query": "activemq.topic" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "activemq.topic" - } - } - } - ], + "filters": [], + "internalReferences": [], "query": { "language": "kuery", "query": "" 
@@ -357,7 +321,7 @@ ], "legend": { "isVisible": true, - "legendSize": 130, + "legendSize": "medium", "position": "right", "showSingleSeries": true }, @@ -383,32 +347,22 @@ }, "panelIndex": "c05e8bf0-80ab-451a-b0eb-6a7f7e187653", "title": "Topics Messages Dispatch [Metrics ActiveMQ]", - "type": "lens", - "version": "8.2.0" + "type": "lens" }, { "embeddableConfig": { "attributes": { "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, { "id": "metrics-*", "name": "indexpattern-datasource-layer-586e1684-5c4c-41de-b951-0621194d6b0c", "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "71a6295f-638d-4f94-a819-52adbfcb15fc", - "type": "index-pattern" } ], "state": { + "adHocDataViews": {}, "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "586e1684-5c4c-41de-b951-0621194d6b0c": { "columnOrder": [ @@ -482,29 +436,8 @@ } } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "71a6295f-638d-4f94-a819-52adbfcb15fc", - "key": "event.dataset", - "negate": false, - "params": { - "query": "activemq.topic" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "activemq.topic" - } - } - } - ], + "filters": [], + "internalReferences": [], "query": { "language": "kuery", "query": "" @@ -542,7 +475,7 @@ ], "legend": { "isVisible": true, - "legendSize": 130, + "legendSize": "medium", "position": "right", "showSingleSeries": true }, 
@@ -568,32 +501,22 @@ }, "panelIndex": "d691cd9d-d4dd-4038-9986-6869eee30acc", "title": "Topics Messages Enqueue [Metrics ActiveMQ]", - "type": "lens", - "version": "8.2.0" + "type": "lens" }, { "embeddableConfig": { "attributes": { "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, { "id": "metrics-*", "name": "indexpattern-datasource-layer-f5fecce5-b460-4ef0-9e44-49a441c8856b", "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "af7973f5-ab9c-4474-8081-65ac126aa3c2", - "type": "index-pattern" } ], "state": { + "adHocDataViews": {}, "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "f5fecce5-b460-4ef0-9e44-49a441c8856b": { "columnOrder": [ @@ -666,29 +589,8 @@ } } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "af7973f5-ab9c-4474-8081-65ac126aa3c2", - "key": "event.dataset", - "negate": false, - "params": { - "query": "activemq.topic" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "activemq.topic" - } - } - } - ], + "filters": [], + "internalReferences": [], "query": { "language": "kuery", "query": "" @@ -726,7 +628,7 @@ ], "legend": { "isVisible": true, - "legendSize": 130, + "legendSize": "medium", "position": "right", "showSingleSeries": true }, 
@@ -752,32 +654,22 @@ }, "panelIndex": "a24b4750-e896-4e1c-bcf3-f714cb58976d", "title": "Topics Messages In-flight [Metrics ActiveMQ]", - "type": "lens", - "version": "8.2.0" + "type": "lens" }, { "embeddableConfig": { "attributes": { "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, { "id": "metrics-*", "name": "indexpattern-datasource-layer-afd559c7-ddfa-40c5-b82f-639ffe20618e", "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "90bf8a4a-75c8-4f64-b7d3-dd810191bb48", - "type": "index-pattern" } ], "state": { + "adHocDataViews": {}, "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "afd559c7-ddfa-40c5-b82f-639ffe20618e": { "columnOrder": [ @@ -850,29 +742,8 @@ } } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "90bf8a4a-75c8-4f64-b7d3-dd810191bb48", - "key": "event.dataset", - "negate": false, - "params": { - "query": "activemq.topic" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "activemq.topic" - } - } - } - ], + "filters": [], + "internalReferences": [], "query": { "language": "kuery", "query": "" @@ -921,7 +792,7 @@ ], "legend": { "isVisible": true, - "legendSize": 130, + "legendSize": "medium", "position": "right", "showSingleSeries": true }, 
@@ -951,32 +822,22 @@ }, "panelIndex": "c017b9af-0ffe-42e1-8eb3-559f3f57fba6", "title": "Topics Messages Expired [Metrics ActiveMQ]", - "type": "lens", - "version": "8.2.0" + "type": "lens" }, { "embeddableConfig": { "attributes": { "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, { "id": "metrics-*", "name": "indexpattern-datasource-layer-a0a59831-d5e6-42bb-a097-ed95f6ed6f33", "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "4805e448-794f-43a9-b532-0e0a8afac07e", - "type": "index-pattern" } ], "state": { + "adHocDataViews": {}, "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "a0a59831-d5e6-42bb-a097-ed95f6ed6f33": { "columnOrder": [ @@ -1038,29 +899,8 @@ } } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "4805e448-794f-43a9-b532-0e0a8afac07e", - "key": "event.dataset", - "negate": false, - "params": { - "query": "activemq.topic" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "activemq.topic" - } - } - } - ], + "filters": [], + "internalReferences": [], "query": { "language": "kuery", "query": "" @@ -1098,7 +938,7 @@ ], "legend": { "isVisible": true, - "legendSize": 130, + "legendSize": "medium", "position": "right", "showSingleSeries": true }, 
@@ -1124,32 +964,22 @@ }, "panelIndex": "741b64f5-0750-49a6-ad43-9cd5a913eaf2", "title": "Topics Consumers [Metrics ActiveMQ]", - "type": "lens", - "version": "8.2.0" + "type": "lens" }, { "embeddableConfig": { "attributes": { "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, { "id": "metrics-*", "name": "indexpattern-datasource-layer-82fceedb-d629-4bc3-ac77-3901c351dadd", "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "b1d623e0-1409-481b-9bf4-25de926265e4", - "type": "index-pattern" } ], "state": { + "adHocDataViews": {}, "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "82fceedb-d629-4bc3-ac77-3901c351dadd": { "columnOrder": [ @@ -1217,29 +1047,8 @@ } } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "b1d623e0-1409-481b-9bf4-25de926265e4", - "key": "event.dataset", - "negate": false, - "params": { - "query": "activemq.topic" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "activemq.topic" - } - } - } - ], + "filters": [], + "internalReferences": [], "query": { "language": "kuery", "query": "" @@ -1277,7 +1086,7 @@ ], "legend": { "isVisible": true, - "legendSize": 130, + "legendSize": "medium", "position": "right", "showSingleSeries": true }, 
@@ -1303,32 +1112,22 @@ }, "panelIndex": "d11a4e6f-c68a-4d3d-990f-c8598ab0abf8", "title": "Topics Messages Enqueue Time [Metrics ActiveMQ]", - "type": "lens", - "version": "8.2.0" + "type": "lens" }, { "embeddableConfig": { "attributes": { "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, { "id": "metrics-*", "name": "indexpattern-datasource-layer-fff9e7b4-8fae-41f3-92c4-74e42c7c631e", "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "d67e0346-14d1-4bc9-aee4-9bb6ecc912a0", - "type": "index-pattern" } ], "state": { + "adHocDataViews": {}, "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "fff9e7b4-8fae-41f3-92c4-74e42c7c631e": { "columnOrder": [ @@ -1391,29 +1190,8 @@ } } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "d67e0346-14d1-4bc9-aee4-9bb6ecc912a0", - "key": "event.dataset", - "negate": false, - "params": { - "query": "activemq.topic" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "activemq.topic" - } - } - } - ], + "filters": [], + "internalReferences": [], "query": { "language": "kuery", "query": "" @@ -1451,7 +1229,7 @@ ], "legend": { "isVisible": true, - "legendSize": 130, + "legendSize": "medium", "position": "right", "showSingleSeries": true }, 
@@ -1477,23 +1255,21 @@ }, "panelIndex": "3c3ab247-35a0-4d0c-b833-74b601a330b5", "title": "Topics Producers [Metrics ActiveMQ]", - "type": "lens", - "version": "8.2.0" + "type": "lens" } ], "timeRestore": false, "title": "[Metrics ActiveMQ] Topics", "version": 1 }, - "coreMigrationVersion": "8.2.0", + "coreMigrationVersion": "8.8.0", + "created_at": "2024-04-10T15:19:42.637Z", "id": "activemq-d3639bc0-f916-11ec-9736-016ee09668f5", - "migrationVersion": { - "dashboard": "8.2.0" - }, + "managed": false, "references": [ { "id": "metrics-*", - "name": "1e5e96e7-dd15-437b-831f-4801b211cdfe:indexpattern-datasource-current-indexpattern", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern" }, { 
@@ -1501,116 +1277,42 @@ "name": "1e5e96e7-dd15-437b-831f-4801b211cdfe:indexpattern-datasource-layer-453e1b5c-252b-43a6-967b-272078a30001", "type": "index-pattern" }, - { - "id": "metrics-*", - "name": "1e5e96e7-dd15-437b-831f-4801b211cdfe:a0f2c1c4-e554-4a3c-a060-25ca7f4c69db", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "c05e8bf0-80ab-451a-b0eb-6a7f7e187653:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, { "id": "metrics-*", "name": "c05e8bf0-80ab-451a-b0eb-6a7f7e187653:indexpattern-datasource-layer-c5b8701c-9614-4430-97cd-1151d4c506a1", "type": "index-pattern" }, - { - "id": "metrics-*", - "name": "c05e8bf0-80ab-451a-b0eb-6a7f7e187653:5822cc9e-7a5e-4a4f-bbc5-e64330b2f59b", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "d691cd9d-d4dd-4038-9986-6869eee30acc:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, { "id": "metrics-*", "name": "d691cd9d-d4dd-4038-9986-6869eee30acc:indexpattern-datasource-layer-586e1684-5c4c-41de-b951-0621194d6b0c", "type": "index-pattern" }, - { - "id": "metrics-*", - "name": "d691cd9d-d4dd-4038-9986-6869eee30acc:71a6295f-638d-4f94-a819-52adbfcb15fc", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "a24b4750-e896-4e1c-bcf3-f714cb58976d:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, { "id": "metrics-*", "name": "a24b4750-e896-4e1c-bcf3-f714cb58976d:indexpattern-datasource-layer-f5fecce5-b460-4ef0-9e44-49a441c8856b", "type": "index-pattern" }, - { - "id": "metrics-*", - "name": "a24b4750-e896-4e1c-bcf3-f714cb58976d:af7973f5-ab9c-4474-8081-65ac126aa3c2", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "c017b9af-0ffe-42e1-8eb3-559f3f57fba6:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, { "id": "metrics-*", "name": "c017b9af-0ffe-42e1-8eb3-559f3f57fba6:indexpattern-datasource-layer-afd559c7-ddfa-40c5-b82f-639ffe20618e", "type": "index-pattern" }, - { 
- "id": "metrics-*", - "name": "c017b9af-0ffe-42e1-8eb3-559f3f57fba6:90bf8a4a-75c8-4f64-b7d3-dd810191bb48", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "741b64f5-0750-49a6-ad43-9cd5a913eaf2:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, { "id": "metrics-*", "name": "741b64f5-0750-49a6-ad43-9cd5a913eaf2:indexpattern-datasource-layer-a0a59831-d5e6-42bb-a097-ed95f6ed6f33", "type": "index-pattern" }, - { - "id": "metrics-*", - "name": "741b64f5-0750-49a6-ad43-9cd5a913eaf2:4805e448-794f-43a9-b532-0e0a8afac07e", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "d11a4e6f-c68a-4d3d-990f-c8598ab0abf8:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, { "id": "metrics-*", "name": "d11a4e6f-c68a-4d3d-990f-c8598ab0abf8:indexpattern-datasource-layer-82fceedb-d629-4bc3-ac77-3901c351dadd", "type": "index-pattern" }, - { - "id": "metrics-*", - "name": "d11a4e6f-c68a-4d3d-990f-c8598ab0abf8:b1d623e0-1409-481b-9bf4-25de926265e4", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "3c3ab247-35a0-4d0c-b833-74b601a330b5:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, { "id": "metrics-*", "name": "3c3ab247-35a0-4d0c-b833-74b601a330b5:indexpattern-datasource-layer-fff9e7b4-8fae-41f3-92c4-74e42c7c631e", "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "3c3ab247-35a0-4d0c-b833-74b601a330b5:d67e0346-14d1-4bc9-aee4-9bb6ecc912a0", - "type": "index-pattern" } ], - "type": "dashboard" + "type": "dashboard", + "typeMigrationVersion": "8.9.0" } \ No newline at end of file diff --git a/packages/activemq/kibana/dashboard/activemq-eac72840-f916-11ec-9736-016ee09668f5.json b/packages/activemq/kibana/dashboard/activemq-eac72840-f916-11ec-9736-016ee09668f5.json index 0bc8d3d34d9..baaf16594a5 100644 --- a/packages/activemq/kibana/dashboard/activemq-eac72840-f916-11ec-9736-016ee09668f5.json 
+++ b/packages/activemq/kibana/dashboard/activemq-eac72840-f916-11ec-9736-016ee09668f5.json @@ -1,10 +1,32 @@ { "attributes": { "description": "This dashboard shows audit logs collected by the ActiveMQ logs integration.", - "hits": 0, "kibanaSavedObjectMeta": { "searchSourceJSON": { - "filter": [], + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "activemq.audit" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "activemq.audit" + } + } + } + ], "query": { "language": "kuery", "query": "" @@ -13,6 +35,9 @@ }, "optionsJSON": { "hidePanelTitles": false, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false, "useMargins": true }, "panelsJSON": [ @@ -20,25 +45,16 @@ "embeddableConfig": { "attributes": { "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, { "id": "logs-*", "name": "indexpattern-datasource-layer-97afd794-5fb8-4a7c-b42b-6893c8ba17a2", "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "e5d9ec26-7d86-4df9-8ecd-47862f1f9932", - "type": "index-pattern" } ], "state": { + "adHocDataViews": {}, "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "97afd794-5fb8-4a7c-b42b-6893c8ba17a2": { "columnOrder": [ 
@@ -100,29 +116,8 @@ } } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "e5d9ec26-7d86-4df9-8ecd-47862f1f9932", - "key": "event.dataset", - "negate": false, - "params": { - "query": "activemq.audit" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "activemq.audit" - } - } - } - ], + "filters": [], + "internalReferences": [], "query": { "language": "kuery", "query": "" @@ -159,6 +154,7 @@ ], "legend": { "isVisible": true, + "legendSize": "auto", "position": "right", "showSingleSeries": true }, @@ -184,48 +180,22 @@ }, "panelIndex": "25ee5210-609e-4bad-b145-f3c1cd7d981c", "title": "Audit Event Results [Logs ActiveMQ]", - "type": "lens", - "version": "8.2.0" - }, - { - "embeddableConfig": { - "enhancements": {} - }, - "gridData": { - "h": 23, - "i": "f2a1e6f8-cd1a-4fbd-a0b1-da4ee9db7c54", - "w": 48, - "x": 0, - "y": 15 - }, - "panelIndex": "f2a1e6f8-cd1a-4fbd-a0b1-da4ee9db7c54", - "panelRefName": "panel_f2a1e6f8-cd1a-4fbd-a0b1-da4ee9db7c54", - "type": "search", - "version": "8.2.0" + "type": "lens" }, { "embeddableConfig": { "attributes": { "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, { "id": "logs-*", "name": "indexpattern-datasource-layer-60f30f3b-cd6a-4b80-be6d-70333867f0d0", "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "310394e7-ccf5-4fb3-82c9-268d5b38b5e2", - "type": "index-pattern" } ], "state": { + "adHocDataViews": {}, "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "60f30f3b-cd6a-4b80-be6d-70333867f0d0": { "columnOrder": [ 
@@ -273,29 +243,8 @@ } } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "310394e7-ccf5-4fb3-82c9-268d5b38b5e2", - "key": "event.dataset", - "negate": false, - "params": { - "query": "activemq.audit" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "activemq.audit" - } - } - } - ], + "filters": [], + "internalReferences": [], "query": { "language": "kuery", "query": "" @@ -338,6 +287,7 @@ ], "legend": { "isVisible": true, + "legendSize": "auto", "position": "right" }, "preferredSeriesType": "bar_horizontal", 
@@ -366,23 +316,61 @@ }, "panelIndex": "b6ffb795-51c1-4268-80ce-2ba716d513e7", "title": "Audit Account [Logs ActiveMQ]", - "type": "lens", - "version": "8.2.0" + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "columns": [ + "log.level", + "user.name", + "message" + ], + "grid": {}, + "hideChart": false, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset :\\\"activemq.audit\\\"\"},\"version\":true}" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "sort": [ + [ + "@timestamp", + "desc" + ] + ] + }, + "enhancements": {} + }, + "gridData": { + "h": 23, + "i": "7540ae0e-4036-434a-968d-e49fb960c304", + "w": 48, + "x": 0, + "y": 15 + }, + "panelIndex": "7540ae0e-4036-434a-968d-e49fb960c304", + "title": "Audit Events [Logs ActiveMQ]", + "type": "search" } ], "timeRestore": false, "title": "[Logs ActiveMQ] Audit", "version": 1 }, - "coreMigrationVersion": "8.2.0", + "coreMigrationVersion": "8.8.0", + "created_at": "2024-04-10T15:20:50.795Z", "id": "activemq-eac72840-f916-11ec-9736-016ee09668f5", - "migrationVersion": { - "dashboard": "8.2.0" - }, + "managed": false, "references": [ { "id": "logs-*", - "name": "25ee5210-609e-4bad-b145-f3c1cd7d981c:indexpattern-datasource-current-indexpattern", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern" }, { 
@@ -390,21 +378,6 @@ "name": "25ee5210-609e-4bad-b145-f3c1cd7d981c:indexpattern-datasource-layer-97afd794-5fb8-4a7c-b42b-6893c8ba17a2", "type": "index-pattern" }, - { - "id": "logs-*", - "name": "25ee5210-609e-4bad-b145-f3c1cd7d981c:e5d9ec26-7d86-4df9-8ecd-47862f1f9932", - "type": "index-pattern" - }, - { - "id": "activemq-896ef3a0-145f-11ea-8fd8-030a13064883", - "name": "f2a1e6f8-cd1a-4fbd-a0b1-da4ee9db7c54:panel_f2a1e6f8-cd1a-4fbd-a0b1-da4ee9db7c54", - "type": "search" - }, - { - "id": "logs-*", - "name": "b6ffb795-51c1-4268-80ce-2ba716d513e7:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, { "id": "logs-*", "name": "b6ffb795-51c1-4268-80ce-2ba716d513e7:indexpattern-datasource-layer-60f30f3b-cd6a-4b80-be6d-70333867f0d0", @@ -412,9 +385,10 @@ }, { "id": "logs-*", - "name": "b6ffb795-51c1-4268-80ce-2ba716d513e7:310394e7-ccf5-4fb3-82c9-268d5b38b5e2", + "name": "7540ae0e-4036-434a-968d-e49fb960c304:kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern" } ], - "type": "dashboard" + "type": "dashboard", + "typeMigrationVersion": "8.9.0" } \ No newline at end of file diff --git a/packages/activemq/kibana/dashboard/activemq-f98d0c50-f916-11ec-9736-016ee09668f5.json b/packages/activemq/kibana/dashboard/activemq-f98d0c50-f916-11ec-9736-016ee09668f5.json index dac4297c721..0e8365acdcf 100644 --- a/packages/activemq/kibana/dashboard/activemq-f98d0c50-f916-11ec-9736-016ee09668f5.json +++ b/packages/activemq/kibana/dashboard/activemq-f98d0c50-f916-11ec-9736-016ee09668f5.json 
@@ -1,10 +1,32 @@ { "attributes": { "description": "This dashboard shows application logs collected by the ActiveMQ logs integration.", - "hits": 0, "kibanaSavedObjectMeta": { "searchSourceJSON": { - "filter": [], + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "activemq.log" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "activemq.log" + } + } + } + ], "query": { "language": "kuery", "query": "" @@ -13,6 +35,9 @@ }, "optionsJSON": { "hidePanelTitles": false, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false, "useMargins": true }, "panelsJSON": [ @@ -20,25 +45,16 @@ "embeddableConfig": { "attributes": { "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, { "id": "logs-*", "name": "indexpattern-datasource-layer-c1b6e0c4-a963-47d4-ac5b-37a7fe77a25c", "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "2dd569bf-38d9-40b7-85c6-3b86d0984c8a", - "type": "index-pattern" } ], "state": { + "adHocDataViews": {}, "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "c1b6e0c4-a963-47d4-ac5b-37a7fe77a25c": { "columnOrder": [ @@ -100,29 +116,8 @@ } } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "2dd569bf-38d9-40b7-85c6-3b86d0984c8a", - "key": "event.dataset", - "negate": false, - "params": { - "query": "activemq.log" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "activemq.log" - } - } - } - ], + "filters": [], + "internalReferences": [], "query": { "language": "kuery", "query": "" 
@@ -159,6 +154,7 @@ ], "legend": { "isVisible": true, + "legendSize": "auto", "position": "right", "showSingleSeries": true }, @@ -184,34 +180,12 @@ }, "panelIndex": "b6bdc4b4-745a-4fa2-9928-9f7cb783f5b9", "title": "Application Event Results [Logs ActiveMQ]", - "type": "lens", - "version": "8.2.0" - }, - { - "embeddableConfig": { - "enhancements": {} - }, - "gridData": { - "h": 22, - "i": "a3093cd3-7edf-4e25-949e-631f3e5e8dec", - "w": 48, - "x": 0, - "y": 15 - }, - "panelIndex": "a3093cd3-7edf-4e25-949e-631f3e5e8dec", - "panelRefName": "panel_a3093cd3-7edf-4e25-949e-631f3e5e8dec", - "type": "search", - "version": "8.2.0" + "type": "lens" }, { "embeddableConfig": { "attributes": { "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, { "id": "logs-*", "name": "indexpattern-datasource-layer-7444f83f-a66f-498b-9db1-c630cda0e184", @@ -219,18 +193,14 @@ }, { "id": "logs-*", - "name": "851e8a44-fa47-4f2d-bb64-114fac74a3e2", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "f909fc3b-ab49-4307-896c-410d5042bd83", + "name": "eb834b22-17be-4c81-af21-30ab3ddf6110", "type": "index-pattern" } ], "state": { + "adHocDataViews": {}, "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "7444f83f-a66f-498b-9db1-c630cda0e184": { "columnOrder": [ @@ -286,7 +256,7 @@ "meta": { "alias": null, "disabled": false, - "index": "851e8a44-fa47-4f2d-bb64-114fac74a3e2", + "index": "eb834b22-17be-4c81-af21-30ab3ddf6110", "key": "log.level", "negate": false, "params": { 
@@ -299,29 +269,9 @@ "log.level": "ERROR" } } - }, - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "f909fc3b-ab49-4307-896c-410d5042bd83", - "key": "event.dataset", - "negate": false, - "params": { - "query": "activemq.log" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "activemq.log" - } - } } ], + "internalReferences": [], "query": { "language": "kuery", "query": "" 
@@ -358,23 +308,61 @@ }, "panelIndex": "843b2c29-7386-41ac-acdd-286021471008", "title": "Top Error Callers [Logs ActiveMQ]", - "type": "lens", - "version": "8.2.0" + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "columns": [ + "log.level", + "message", + "activemq.log.thread" + ], + "grid": {}, + "hideChart": false, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset :\\\"activemq.log\\\" \"},\"version\":true}" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "sort": [ + [ + "@timestamp", + "desc" + ] + ] + }, + "enhancements": {} + }, + "gridData": { + "h": 22, + "i": "58c5e9cf-4342-4a2c-a893-98de182dc283", + "w": 48, + "x": 0, + "y": 15 + }, + "panelIndex": "58c5e9cf-4342-4a2c-a893-98de182dc283", + "title": "Application Events [Logs ActiveMQ]", + "type": "search" } ], "timeRestore": false, "title": "[Logs ActiveMQ] Log", "version": 1 }, - "coreMigrationVersion": "8.2.0", + "coreMigrationVersion": "8.8.0", + "created_at": "2024-04-10T15:22:31.677Z", "id": "activemq-f98d0c50-f916-11ec-9736-016ee09668f5", - "migrationVersion": { - "dashboard": "8.2.0" - }, + "managed": false, "references": [ { "id": "logs-*", - "name": "b6bdc4b4-745a-4fa2-9928-9f7cb783f5b9:indexpattern-datasource-current-indexpattern", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern" }, { 
@@ -382,21 +370,6 @@ "name": "b6bdc4b4-745a-4fa2-9928-9f7cb783f5b9:indexpattern-datasource-layer-c1b6e0c4-a963-47d4-ac5b-37a7fe77a25c", "type": "index-pattern" }, - { - "id": "logs-*", - "name": "b6bdc4b4-745a-4fa2-9928-9f7cb783f5b9:2dd569bf-38d9-40b7-85c6-3b86d0984c8a", - "type": "index-pattern" - }, - { - "id": "activemq-d784ec10-1460-11ea-8fd8-030a13064883", - "name": "a3093cd3-7edf-4e25-949e-631f3e5e8dec:panel_a3093cd3-7edf-4e25-949e-631f3e5e8dec", - "type": "search" - }, - { - "id": "logs-*", - "name": "843b2c29-7386-41ac-acdd-286021471008:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, { "id": "logs-*", "name": "843b2c29-7386-41ac-acdd-286021471008:indexpattern-datasource-layer-7444f83f-a66f-498b-9db1-c630cda0e184", @@ -404,14 +377,15 @@ }, { "id": "logs-*", - "name": "843b2c29-7386-41ac-acdd-286021471008:851e8a44-fa47-4f2d-bb64-114fac74a3e2", + "name": "843b2c29-7386-41ac-acdd-286021471008:eb834b22-17be-4c81-af21-30ab3ddf6110", "type": "index-pattern" }, { "id": "logs-*", - "name": "843b2c29-7386-41ac-acdd-286021471008:f909fc3b-ab49-4307-896c-410d5042bd83", + "name": "58c5e9cf-4342-4a2c-a893-98de182dc283:kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern" } ], - "type": "dashboard" + "type": "dashboard", + "typeMigrationVersion": "8.9.0" } \ No newline at end of file diff --git a/packages/activemq/kibana/search/activemq-896ef3a0-145f-11ea-8fd8-030a13064883.json b/packages/activemq/kibana/search/activemq-896ef3a0-145f-11ea-8fd8-030a13064883.json deleted file mode 100644 index eebd5581d21..00000000000 --- a/packages/activemq/kibana/search/activemq-896ef3a0-145f-11ea-8fd8-030a13064883.json +++ /dev/null 
@@ -1,46 +0,0 @@ -{ - "attributes": { - "columns": [ - "log.level", - "user.name", - "message" - ], - "description": "", - "grid": {}, - "hideChart": false, - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [], - "highlightAll": true, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", - "query": { - "language": "kuery", - "query": "data_stream.dataset :\"activemq.audit\"" - }, - "version": true - } - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "Audit Events [Logs ActiveMQ]", - "version": 1 - }, - "coreMigrationVersion": "8.2.0", - "id": "activemq-896ef3a0-145f-11ea-8fd8-030a13064883", - "migrationVersion": { - "search": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/activemq/kibana/search/activemq-d784ec10-1460-11ea-8fd8-030a13064883.json b/packages/activemq/kibana/search/activemq-d784ec10-1460-11ea-8fd8-030a13064883.json deleted file mode 100644 index c97730d889e..00000000000 --- a/packages/activemq/kibana/search/activemq-d784ec10-1460-11ea-8fd8-030a13064883.json +++ /dev/null 
@@ -1,46 +0,0 @@ -{ - "attributes": { - "columns": [ - "log.level", - "message", - "activemq.log.thread" - ], - "description": "", - "grid": {}, - "hideChart": false, - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [], - "highlightAll": true, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", - "query": { - "language": "kuery", - "query": "data_stream.dataset :\"activemq.log\" " - }, - "version": true - } - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "Application Events [Logs ActiveMQ]", - "version": 1 - }, - "coreMigrationVersion": "8.2.0", - "id": "activemq-d784ec10-1460-11ea-8fd8-030a13064883", - "migrationVersion": { - "search": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/activemq/manifest.yml b/packages/activemq/manifest.yml index 5364305ec91..c3a59ab145e 100644 --- a/packages/activemq/manifest.yml +++ b/packages/activemq/manifest.yml @@ -1,6 +1,6 @@ name: activemq title: ActiveMQ -version: "1.2.1" +version: "1.3.0" description: Collect logs and metrics from ActiveMQ instances with Elastic Agent. type: integration icons: diff --git a/packages/activemq/validation.yml b/packages/activemq/validation.yml deleted file mode 100644 index efdb1de132d..00000000000 --- a/packages/activemq/validation.yml +++ /dev/null @@ -1,4 +0,0 @@ -errors: - exclude_checks: - - SVR00004 - - SVR00002 diff --git a/packages/airflow/changelog.yml b/packages/airflow/changelog.yml index dd30364085c..1a71e19eea7 100644 --- a/packages/airflow/changelog.yml +++ b/packages/airflow/changelog.yml 
@@ -1,4 +1,9 @@ # newer versions go on top +- version: "0.8.0" + changes: + - description: Add global filter on data_stream.dataset to improve performance. + type: enhancement + link: https://github.com/elastic/integrations/pull/9768 - version: "0.7.0" changes: - description: Update documentation. diff --git a/packages/airflow/kibana/dashboard/airflow-a3aa42d0-a465-11ed-9ff0-ab4dd59e4c75.json b/packages/airflow/kibana/dashboard/airflow-a3aa42d0-a465-11ed-9ff0-ab4dd59e4c75.json index dfb8d882bf5..d4f203f0116 100644 --- a/packages/airflow/kibana/dashboard/airflow-a3aa42d0-a465-11ed-9ff0-ab4dd59e4c75.json +++ b/packages/airflow/kibana/dashboard/airflow-a3aa42d0-a465-11ed-9ff0-ab4dd59e4c75.json @@ -1,10 +1,32 @@ { "attributes": { "description": "Overview of the Airflow metrics", - "hits": 0, "kibanaSavedObjectMeta": { "searchSourceJSON": { - "filter": [], + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "airflow.statsd" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "airflow.statsd" + } + } + } + ], "query": { "language": "kuery", "query": "" @@ -14,6 +36,7 @@ "optionsJSON": { "hidePanelTitles": true, "syncColors": true, + "syncCursor": true, "syncTooltips": true, "useMargins": true }, @@ -53,8 +76,7 @@ "y": 0 }, "panelIndex": "6c905272-160e-4b34-993a-f1a852f2ff9f", - "type": "visualization", - "version": "8.5.3" + "type": "visualization" }, { "embeddableConfig": { @@ -69,7 +91,7 @@ "state": { "adHocDataViews": {}, "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "1f437331-dce0-4ea7-83b1-25f5af716cbb": { "columnOrder": [ 
@@ -162,8 +184,7 @@ }, "panelIndex": "fd9c4a3c-6cf7-4d06-a859-cd1ac597b72b", "title": "Executor Pool", - "type": "lens", - "version": "8.5.3" + "type": "lens" }, { "embeddableConfig": { @@ -178,7 +199,7 @@ "state": { "adHocDataViews": {}, "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "015911be-cb0e-4adb-873a-56b78cf226fd": { "columnOrder": [ @@ -265,8 +286,7 @@ }, "panelIndex": "6bc09e6f-7346-4685-a701-e3bdf007d280", "title": "Executor queued tasks", - "type": "lens", - "version": "8.5.3" + "type": "lens" }, { "embeddableConfig": { @@ -281,7 +301,7 @@ "state": { "adHocDataViews": {}, "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "9b584f5d-b05c-47cb-a2c9-483a36fdfbcf": { "columnOrder": [ @@ -368,8 +388,7 @@ }, "panelIndex": "1d4e887d-a363-4595-a0ae-70c9afd6fab7", "title": "Executor running tasks", - "type": "lens", - "version": "8.5.3" + "type": "lens" }, { "embeddableConfig": { @@ -406,8 +425,7 @@ }, "panelIndex": "74e55490-b3a9-4e9b-9705-415576820f2e", "title": "", - "type": "visualization", - "version": "8.5.3" + "type": "visualization" }, { "embeddableConfig": { @@ -422,7 +440,7 @@ "state": { "adHocDataViews": {}, "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "480c453c-947f-43ba-a9d0-87ff77bba8c2": { "columnOrder": [ @@ -534,8 +552,7 @@ }, "panelIndex": "7b29e2c7-e78f-4b88-88a0-9ac93252a094", "title": "Scheduler Heartbeat", - "type": "lens", - "version": "8.5.3" + "type": "lens" }, { "embeddableConfig": { @@ -550,7 +567,7 @@ "state": { "adHocDataViews": {}, "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "bc3bf3b8-9f8d-498c-9df4-78069b97493b": { "columnOrder": [ @@ -663,8 +680,7 @@ }, "panelIndex": "9fc21588-7aac-4918-8ecd-7fd9e4299c7d", "title": "Dagbag Size", - "type": "lens", - "version": "8.5.3" + "type": "lens" }, { "embeddableConfig": { 
@@ -679,7 +695,7 @@ "state": { "adHocDataViews": {}, "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "cf3670aa-6ead-4b21-9cfb-3dcf0fac75ac": { "columnOrder": [ @@ -780,8 +796,7 @@ }, "panelIndex": "33dfa93f-c5a0-4609-91de-b660d17a4788", "title": "Dagbag import errors", - "type": "lens", - "version": "8.5.3" + "type": "lens" }, { "embeddableConfig": { @@ -796,7 +811,7 @@ "state": { "adHocDataViews": {}, "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "a12d3d3c-3859-4532-a639-fdb7ba3fd1eb": { "columnOrder": [ @@ -900,20 +915,23 @@ }, "panelIndex": "1582880b-fb1a-4969-800d-bd594057a5ac", "title": "DAG processing total parse time", - "type": "lens", - "version": "8.5.3" + "type": "lens" } ], "timeRestore": false, "title": "[Metrics Airflow] Overview", "version": 1 }, - "coreMigrationVersion": "8.5.3", + "coreMigrationVersion": "8.8.0", + "created_at": "2024-04-22T12:21:20.475Z", "id": "airflow-a3aa42d0-a465-11ed-9ff0-ab4dd59e4c75", - "migrationVersion": { - "dashboard": "8.5.0" - }, + "managed": false, "references": [ + { + "id": "metrics-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, { "id": "metrics-*", "name": "fd9c4a3c-6cf7-4d06-a859-cd1ac597b72b:indexpattern-datasource-layer-1f437331-dce0-4ea7-83b1-25f5af716cbb", @@ -950,5 +968,6 @@ "type": "index-pattern" } ], - "type": "dashboard" + "type": "dashboard", + "typeMigrationVersion": "8.9.0" } \ No newline at end of file diff --git a/packages/airflow/manifest.yml b/packages/airflow/manifest.yml index 0d8cf53d6a5..fc5a09cffbf 100644 --- a/packages/airflow/manifest.yml +++ b/packages/airflow/manifest.yml @@ -1,6 +1,6 @@ name: airflow title: Airflow -version: "0.7.0" +version: "0.8.0" description: Airflow Integration. type: integration format_version: "3.0.0" diff --git a/packages/airflow/validation.yml b/packages/airflow/validation.yml deleted file mode 100644 index bcc8f74ac3a..00000000000 
--- a/packages/airflow/validation.yml +++ /dev/null @@ -1,3 +0,0 @@ -errors: - exclude_checks: - - SVR00002 diff --git a/packages/apache/changelog.yml b/packages/apache/changelog.yml index 22f3d1c3f41..54c8452c642 100644 --- a/packages/apache/changelog.yml +++ b/packages/apache/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.19.0" + changes: + - description: Add global filter on data_stream.dataset to improve performance. + type: enhancement + link: https://github.com/elastic/integrations/pull/9768 - version: "1.18.0" changes: - description: Prepare package for serverless. diff --git a/packages/apache/kibana/dashboard/apache-Logs-Apache-Dashboard.json b/packages/apache/kibana/dashboard/apache-Logs-Apache-Dashboard.json index f5ec1eb08da..600d5d8f33e 100644 --- a/packages/apache/kibana/dashboard/apache-Logs-Apache-Dashboard.json +++ b/packages/apache/kibana/dashboard/apache-Logs-Apache-Dashboard.json @@ -9,7 +9,43 @@ "description": "Logs Apache integration dashboard", "kibanaSavedObjectMeta": { "searchSourceJSON": { - "filter": [], + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "data_stream.dataset", + "negate": false, + "params": [ + "apache.access", + "apache.error" + ], + "type": "phrases" + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "data_stream.dataset": "apache.access" + } + }, + { + "match_phrase": { + "data_stream.dataset": "apache.error" + } + } + ] + } + } + } + ], "query": { "language": "kuery", "query": "" 
@@ -670,10 +706,15 @@ { "embeddableConfig": { "attributes": { - "description": "", "layerListJSON": "[{\"alpha\":1,\"id\":\"0378861a-232d-4383-a60b-ee38d55ce263\",\"includeInFitToBounds\":true,\"label\":null,\"maxZoom\":24,\"minZoom\":0,\"sourceDescriptor\":{\"isAutoSelect\":true,\"lightModeDefault\":\"road_map_desaturated\",\"type\":\"EMS_TMS\"},\"style\":{\"type\":\"TILE\"},\"type\":\"EMS_VECTOR_TILE\",\"visible\":true},{\"alpha\":0.75,\"id\":\"ced4b190-2f39-417e-ab9e-6557cb4996a2\",\"includeInFitToBounds\":true,\"joins\":[],\"label\":\"Unique IPs map [Logs Apache]\",\"maxZoom\":24,\"minZoom\":0,\"sourceDescriptor\":{\"applyForceRefresh\":true,\"applyGlobalQuery\":true,\"applyGlobalTime\":true,\"geoField\":\"source.geo.location\",\"id\":\"844378cb-6817-449e-a434-8b50c9fd3dc9\",\"metrics\":[{\"field\":\"source.address\",\"type\":\"cardinality\"}],\"requestType\":\"point\",\"resolution\":\"MOST_FINE\",\"type\":\"ES_GEO_GRID\",\"indexPatternRefName\":\"layer_1_source_index_pattern\"},\"style\":{\"isTimeAware\":true,\"properties\":{\"fillColor\":{\"options\":{\"color\":\"Yellow to 
Red\",\"colorCategory\":\"palette_0\",\"field\":{\"name\":\"cardinality_of_source.address\",\"origin\":\"source\"},\"fieldMetaOptions\":{\"isEnabled\":false,\"sigma\":3},\"type\":\"ORDINAL\"},\"type\":\"DYNAMIC\"},\"icon\":{\"options\":{\"value\":\"marker\"},\"type\":\"STATIC\"},\"iconOrientation\":{\"options\":{\"orientation\":0},\"type\":\"STATIC\"},\"iconSize\":{\"options\":{\"field\":{\"name\":\"cardinality_of_source.address\",\"origin\":\"source\"},\"fieldMetaOptions\":{\"isEnabled\":false,\"sigma\":3},\"maxSize\":18,\"minSize\":7},\"type\":\"DYNAMIC\"},\"labelBorderColor\":{\"options\":{\"color\":\"#FFFFFF\"},\"type\":\"STATIC\"},\"labelBorderSize\":{\"options\":{\"size\":\"SMALL\"}},\"labelColor\":{\"options\":{\"color\":\"#000000\"},\"type\":\"STATIC\"},\"labelSize\":{\"options\":{\"size\":14},\"type\":\"STATIC\"},\"labelText\":{\"options\":{\"value\":\"\"},\"type\":\"STATIC\"},\"lineColor\":{\"options\":{\"color\":\"#3d3d3d\"},\"type\":\"STATIC\"},\"lineWidth\":{\"options\":{\"size\":1},\"type\":\"STATIC\"},\"symbolizeAs\":{\"options\":{\"value\":\"circle\"}}},\"type\":\"VECTOR\"},\"type\":\"GEOJSON_VECTOR\",\"visible\":true}]", - "mapStateJSON": 
"{\"adHocDataViews\":[],\"zoom\":1.58,\"center\":{\"lon\":0,\"lat\":19.94277},\"timeFilters\":{\"from\":\"now-15m\",\"to\":\"now\"},\"refreshConfig\":{\"isPaused\":true,\"interval\":0},\"query\":{\"query\":\"data_stream.dataset:apache.access\",\"language\":\"kuery\"},\"filters\":[],\"settings\":{\"autoFitToDataBounds\":false,\"backgroundColor\":\"#ffffff\",\"customIcons\":[],\"disableInteractive\":false,\"disableTooltipControl\":false,\"hideToolbarOverlay\":false,\"hideLayerControl\":false,\"hideViewControl\":false,\"initialLocation\":\"LAST_SAVED_LOCATION\",\"fixedLocation\":{\"lat\":0,\"lon\":0,\"zoom\":2},\"browserLocation\":{\"zoom\":2},\"keydownScrollZoom\":false,\"maxZoom\":24,\"minZoom\":0,\"showScaleControl\":false,\"showSpatialFilters\":true,\"showTimesliderToggleButton\":true,\"spatialFiltersAlpa\":0.3,\"spatialFiltersFillColor\":\"#DA8B45\",\"spatialFiltersLineColor\":\"#DA8B45\"}}", - "title": "", + "mapStateJSON": "{\"center\":{\"lat\":19.94277,\"lon\":0},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"refreshConfig\":{\"interval\":0,\"isPaused\":true},\"settings\":{\"autoFitToDataBounds\":false,\"backgroundColor\":\"#ffffff\",\"browserLocation\":{\"zoom\":2},\"disableInteractive\":false,\"disableTooltipControl\":false,\"fixedLocation\":{\"lat\":0,\"lon\":0,\"zoom\":2},\"hideLayerControl\":false,\"hideToolbarOverlay\":false,\"hideViewControl\":false,\"initialLocation\":\"LAST_SAVED_LOCATION\",\"maxZoom\":24,\"minZoom\":0,\"showScaleControl\":false,\"showSpatialFilters\":true,\"showTimesliderToggleButton\":true,\"spatialFiltersAlpa\":0.3,\"spatialFiltersFillColor\":\"#DA8B45\",\"spatialFiltersLineColor\":\"#DA8B45\"},\"timeFilters\":{\"from\":\"now-15m\",\"to\":\"now\"},\"zoom\":1.58}", + "references": [ + { + "id": "logs-*", + "name": "layer_1_source_index_pattern", + "type": "index-pattern" + } + ], "uiStateJSON": "{\"isLayerTOCOpen\":true,\"openTOCDetails\":[]}" }, "enhancements": {}, 
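Review bot: The map panel's own query in `mapStateJSON` goes from `data_stream.dataset:apache.access` to `""`, while the dashboard-level filter added in the `@@ -9,7 +9,43 @@` hunk admits both `apache.access` and `apache.error`; because the layer in `layerListJSON` keeps `\"applyGlobalQuery\":true` and `\"applyGlobalTime\":true`, the "Unique IPs map" cardinality of `source.address` may now also count addresses from error-log documents, if those carry `source.geo.location`. If the map is meant to show access-log clients only, keep the dataset scope on the map itself, e.g. `\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:apache.access\"}` inside `mapStateJSON`. The panel object this hunk edits continues outside the hunk.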
@@ -722,16 +763,6 @@
 "id": "logs-*",
 "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
 "type": "index-pattern"
- },
- {
- "id": "fleet-managed-default",
- "name": "tag-ref-fleet-managed-default",
- "type": "tag"
- },
- {
- "id": "fleet-pkg-apache-default",
- "name": "tag-ref-fleet-pkg-apache-default",
- "type": "tag"
 }
 ],
 "sort": [
@@ -769,10 +800,15 @@
 "version": 1
 },
 "coreMigrationVersion": "8.8.0",
- "created_at": "2024-05-08T15:22:37.519Z",
+ "created_at": "2024-05-20T09:41:58.034Z",
 "id": "apache-Logs-Apache-Dashboard",
 "managed": false,
 "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ },
 {
 "id": "logs-*",
 "name": "665ee316-bf0f-4182-ab1b-2763a7fffc06:indexpattern-datasource-layer-80350264-fda2-4655-918a-5dc7fd048f34",
@@ -816,4 +852,4 @@
 ],
 "type": "dashboard",
 "typeMigrationVersion": "8.9.0"
-}
+}
\ No newline at end of file
diff --git a/packages/apache/kibana/dashboard/apache-Metrics-Apache-HTTPD-server-status.json b/packages/apache/kibana/dashboard/apache-Metrics-Apache-HTTPD-server-status.json
index 4c8a51f755e..1255d6bce5a 100644
--- a/packages/apache/kibana/dashboard/apache-Metrics-Apache-HTTPD-server-status.json
+++ b/packages/apache/kibana/dashboard/apache-Metrics-Apache-HTTPD-server-status.json
@@ -9,7 +9,30 @@
 "description": "Overview of Apache server status",
 "kibanaSavedObjectMeta": {
 "searchSourceJSON": {
- "filter": [],
+ "filter": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "data_stream.dataset",
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "key": "data_stream.dataset",
+ "negate": false,
+ "params": {
+ "query": "apache.status"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "data_stream.dataset": "apache.status"
+ }
+ }
+ }
+ ],
 "query": {
 "language": "kuery",
 "query": ""
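Review bot: The `-}` / `+}` pair in the `@@ -816,4 +852,4 @@` hunk changes nothing but the terminating newline, so the committed dashboard now ends without a newline at EOF; the airflow dashboard earlier in this patch (`@@ -950,5 +968,6 @@`) is in the same state, which suggests this is the exporter's output rather than a deliberate choice. Files under version control should keep a trailing newline so that re-exports do not produce noise hunks like this one; consider normalizing the exported JSON before committing. The reference added in `@@ -769,10 +800,15 @@` does match the `indexRefName` used by the new filter in `@@ -9,7 +9,43 @@`, so that part is consistent.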
@@ -95,7 +118,7 @@
 ],
 "query": {
 "language": "kuery",
- "query": "(data_stream.dataset:apache.status)"
+ "query": ""
 },
 "visualization": {
 "layerId": "c9badb69-4816-487b-9355-d139ef8ea850",
@@ -165,7 +188,7 @@
 "internalReferences": [],
 "query": {
 "language": "kuery",
- "query": "(data_stream.dataset:apache.status)"
+ "query": ""
 },
 "visualization": {
 "layerId": "f7f31753-87a3-44c8-8be7-d11de2e96e18",
@@ -240,7 +263,7 @@
 "internalReferences": [],
 "query": {
 "language": "kuery",
- "query": "(data_stream.dataset:apache.status)"
+ "query": ""
 },
 "visualization": {
 "layerId": "5db9209c-0470-4d6c-9099-6a61d16182e5",
@@ -319,7 +342,7 @@
 "internalReferences": [],
 "query": {
 "language": "kuery",
- "query": "(data_stream.dataset:apache.status)"
+ "query": ""
 },
 "visualization": {
 "fittingFunction": "Linear",
@@ -606,7 +629,7 @@
 "internalReferences": [],
 "query": {
 "language": "kuery",
- "query": "(data_stream.dataset:apache.status)"
+ "query": ""
 },
 "visualization": {
 "axisTitlesVisibilitySettings": {
@@ -677,6 +700,7 @@
 {
 "embeddableConfig": {
 "attributes": {
+ "description": "",
 "references": [
 {
 "id": "metrics-*",
@@ -685,6 +709,7 @@
 }
 ],
 "state": {
+ "adHocDataViews": {},
 "datasourceStates": {
 "formBased": {
 "layers": {
@@ -722,9 +747,10 @@
 }
 },
 "filters": [],
+ "internalReferences": [],
 "query": {
 "language": "kuery",
- "query": "(data_stream.dataset:apache.status)"
+ "query": ""
 },
 "visualization": {
 "fittingFunction": "Linear",
@@ -792,6 +818,7 @@
 {
 "embeddableConfig": {
 "attributes": {
+ "description": "",
 "references": [
 {
 "id": "metrics-*",
@@ -800,6 +827,7 @@
 }
 ],
 "state": {
+ "adHocDataViews": {},
 "datasourceStates": {
 "formBased": {
 "layers": {
@@ -837,9 +865,10 @@
 }
 },
 "filters": [],
+ "internalReferences": [],
 "query": {
 "language": "kuery",
- "query": "(data_stream.dataset:apache.status)"
+ "query": ""
 },
 "visualization": {
 "curveType": "LINEAR",
@@ -969,7 +998,7 @@
 "internalReferences": [],
 "query": {
 "language": "kuery",
- "query": "(data_stream.dataset:apache.status)"
+ "query": ""
 },
 "visualization": {
 "axisTitlesVisibilitySettings": {
@@ -1053,6 +1082,7 @@
 {
 "embeddableConfig": {
 "attributes": {
+ "description": "",
 "references": [
 {
 "id": "metrics-*",
@@ -1061,6 +1091,7 @@
 }
 ],
 "state": {
+ "adHocDataViews": {},
 "datasourceStates": {
 "formBased": {
 "layers": {
@@ -1118,9 +1149,10 @@
 }
 },
 "filters": [],
+ "internalReferences": [],
 "query": {
 "language": "kuery",
- "query": "(data_stream.dataset:apache.status)"
+ "query": ""
 },
 "visualization": {
 "fittingFunction": "Linear",
@@ -1200,6 +1232,7 @@
 {
 "embeddableConfig": {
 "attributes": {
+ "description": "",
 "references": [
 {
 "id": "metrics-*",
@@ -1208,6 +1241,7 @@
 }
 ],
 "state": {
+ "adHocDataViews": {},
 "datasourceStates": {
 "formBased": {
 "layers": {
@@ -1297,9 +1331,10 @@
 }
 },
 "filters": [],
+ "internalReferences": [],
 "query": {
 "language": "kuery",
- "query": "(data_stream.dataset:apache.status)"
+ "query": ""
 },
 "visualization": {
 "axisTitlesVisibilitySettings": {
@@ -1359,6 +1394,7 @@
 {
 "embeddableConfig": {
 "attributes": {
+ "description": "",
 "references": [
 {
 "id": "metrics-*",
@@ -1367,6 +1403,7 @@
 }
 ],
 "state": {
+ "adHocDataViews": {},
 "datasourceStates": {
 "formBased": {
 "layers": {
@@ -1482,9 +1519,10 @@
 }
 },
 "filters": [],
+ "internalReferences": [],
 "query": {
 "language": "kuery",
- "query": "(data_stream.dataset:apache.status)"
+ "query": ""
 },
 "visualization": {
 "axisTitlesVisibilitySettings": {
@@ -1549,10 +1587,15 @@
 "version": 1
 },
 "coreMigrationVersion": "8.8.0",
- "created_at": "2024-05-08T10:58:59.378Z",
+ "created_at": "2024-05-28T07:22:10.403Z",
 "id": "apache-Metrics-Apache-HTTPD-server-status",
 "managed": false,
 "references": [
+ {
+ "id": "metrics-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ },
 {
 "id": "metrics-*",
 "name": "bcaad3c3-d62c-44bd-8e76-f00cb8a7f0eb:indexpattern-datasource-layer-f7f31753-87a3-44c8-8be7-d11de2e96e18",
diff --git a/packages/apache/manifest.yml b/packages/apache/manifest.yml
index 27b5f0c8b04..9a0dc7522b1 100644
--- a/packages/apache/manifest.yml
+++ b/packages/apache/manifest.yml
@@ -1,7 +1,7 @@
 format_version: 3.1.4
 name: apache
 title: Apache HTTP Server
-version: "1.18.0"
+version: "1.19.0"
 source:
 license: Elastic-2.0
 description: Collect logs and metrics from Apache servers with Elastic Agent.
diff --git a/packages/apache/validation.yml b/packages/apache/validation.yml
deleted file mode 100644
index 2b0dbafa239..00000000000
--- a/packages/apache/validation.yml
+++ /dev/null
@@ -1,3 +0,0 @@
-errors:
- exclude_checks:
- - SVR00002 # Mandatory filters in dashboards.
diff --git a/packages/apache_spark/changelog.yml b/packages/apache_spark/changelog.yml
index 7a7d5175d28..bde0bbebc68 100644
--- a/packages/apache_spark/changelog.yml
+++ b/packages/apache_spark/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.1.0"
+ changes:
+ - description: Add global filter on data_stream.dataset to improve performance.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/9768
 - version: "1.0.3"
 changes:
 - description: Update README to follow documentation guidelines.
diff --git a/packages/apache_spark/kibana/dashboard/apache_spark-b22dc960-a06c-11ec-8d4f-4fe3367a4156.json b/packages/apache_spark/kibana/dashboard/apache_spark-b22dc960-a06c-11ec-8d4f-4fe3367a4156.json
index 7b4bb5b4b65..edd440246ff 100644
--- a/packages/apache_spark/kibana/dashboard/apache_spark-b22dc960-a06c-11ec-8d4f-4fe3367a4156.json
+++ b/packages/apache_spark/kibana/dashboard/apache_spark-b22dc960-a06c-11ec-8d4f-4fe3367a4156.json
@@ -1,3109 +1,2431 @@ { - "id": "apache_spark-b22dc960-a06c-11ec-8d4f-4fe3367a4156", - "type": "dashboard", - "namespaces": [ - "default" - ], - "migrationVersion": { - "dashboard": "8.7.0" - }, - "coreMigrationVersion": "8.8.0", - "typeMigrationVersion": "8.7.0", - "updated_at": "2023-11-07T16:02:34.119Z", - "created_at": "2023-11-07T16:02:34.119Z", - "version": "Wzc5LDFd", - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [], - "query": { - "language": "kuery", - "query": "" - } - } - }, - "optionsJSON": { - "hidePanelTitles": false, - "syncColors": false, - "useMargins": true - }, - "panelsJSON": [ - { - "version": "8.7.0", - "type": "lens", - "gridData": { - "h": 17, - "i": "a3339a86-6f2b-4f1a-85b8-4619c417a110", - "w": 24, - "x": 0, - "y": 0 - }, - "panelIndex": "a3339a86-6f2b-4f1a-85b8-4619c417a110", - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-d7cd2d50-503d-48cc-b9d1-77da873349ef", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "9857a495-b7e6-4893-93e6-f16c050e0e41", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "d59683b7-5f29-46b9-b01b-20b6aea422fe", - "type": "index-pattern" - } - ], - "state": { - "datasourceStates": { - "formBased": { - "layers": { - "d7cd2d50-503d-48cc-b9d1-77da873349ef": { - "columnOrder": [ - "f9bf9e21-aaa3-4948-9239-59ff6afb84d9", - "9401333e-571b-4999-9f50-405cad23cd1a" - ], - "columns": { - "9401333e-571b-4999-9f50-405cad23cd1a": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Memory", - "operationType": "last_value", - "params": { - "sortField": "@timestamp", - "showArrayValues": true - }, - "scale": "ratio", - "sourceField": "apache_spark.driver.memory.used" + "attributes": { + "description": "", + 
"kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "data_stream.dataset", + "negate": false, + "params": [ + "apache_spark.driver", + "apache_spark.executor", + "apache_spark.node", + "apache_spark.application" + ], + "type": "phrases" }, - "f9bf9e21-aaa3-4948-9239-59ff6afb84d9": { - "customLabel": true, - "dataType": "date", - "isBucketed": true, - "label": "Timestamp", - "operationType": "date_histogram", - "params": { - "interval": "auto", - "includeEmptyRows": true - }, - "scale": "interval", - "sourceField": "@timestamp" + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "data_stream.dataset": "apache_spark.driver" + } + }, + { + "match_phrase": { + "data_stream.dataset": "apache_spark.executor" + } + }, + { + "match_phrase": { + "data_stream.dataset": "apache_spark.node" + } + }, + { + "match_phrase": { + "data_stream.dataset": "apache_spark.application" + } + } + ] + } } - }, - "incompleteColumns": {} } - } + ], + "query": { + "language": "kuery", + "query": "" } - }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "9857a495-b7e6-4893-93e6-f16c050e0e41", - "key": "event.dataset", - "negate": false, - "params": { - "query": "apache_spark.driver" + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-d7cd2d50-503d-48cc-b9d1-77da873349ef", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "f1fa5d56-79c5-4410-acee-4363edcc3b52", + "type": "index-pattern" + } + ], 
+ "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "d7cd2d50-503d-48cc-b9d1-77da873349ef": { + "columnOrder": [ + "f9bf9e21-aaa3-4948-9239-59ff6afb84d9", + "9401333e-571b-4999-9f50-405cad23cd1a" + ], + "columns": { + "9401333e-571b-4999-9f50-405cad23cd1a": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Memory", + "operationType": "last_value", + "params": { + "showArrayValues": true, + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "apache_spark.driver.memory.used" + }, + "f9bf9e21-aaa3-4948-9239-59ff6afb84d9": { + "customLabel": true, + "dataType": "date", + "isBucketed": true, + "label": "Timestamp", + "operationType": "date_histogram", + "params": { + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "f1fa5d56-79c5-4410-acee-4363edcc3b52", + "key": "apache_spark.driver.memory.used", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "apache_spark.driver.memory.used" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "curveType": "LINEAR", + "fittingFunction": "Linear", + "gridlinesVisibilitySettings": { + "x": false, + "yLeft": false, + "yRight": true + }, + "layers": [ + { + "accessors": [ + "9401333e-571b-4999-9f50-405cad23cd1a" + ], + "layerId": "d7cd2d50-503d-48cc-b9d1-77da873349ef", + "layerType": "data", + "position": "top", + "seriesType": "area_stacked", + "showGridlines": false, + "xAccessor": "f9bf9e21-aaa3-4948-9239-59ff6afb84d9", + "yConfig": [ + { + "axisMode": "left", + "forAccessor": "9401333e-571b-4999-9f50-405cad23cd1a" + } + ] + } + ], + "legend": { + "horizontalAlignment": "left", + "isInside": 
false, + "isVisible": true, + "legendSize": "auto", + "position": "top", + "showSingleSeries": true, + "verticalAlignment": "top" + }, + "preferredSeriesType": "bar_stacked", + "title": "Empty XY chart", + "valueLabels": "hide", + "xTitle": "Timestamp", + "yLeftExtent": { + "mode": "full" + }, + "yRightExtent": { + "mode": "full" + }, + "yTitle": "Memory" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "apache_spark.driver" - } - } - }, - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "d59683b7-5f29-46b9-b01b-20b6aea422fe", - "key": "apache_spark.driver.memory.used", - "negate": false, - "type": "exists", - "value": "exists" - }, - "query": { - "exists": { - "field": "apache_spark.driver.memory.used" - } - } - } - ], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "curveType": "LINEAR", - "fittingFunction": "Linear", - "gridlinesVisibilitySettings": { - "x": false, - "yLeft": false, - "yRight": true + "enhancements": {}, + "hidePanelTitles": false }, - "layers": [ - { - "accessors": [ - "9401333e-571b-4999-9f50-405cad23cd1a" - ], - "layerId": "d7cd2d50-503d-48cc-b9d1-77da873349ef", - "layerType": "data", - "position": "top", - "seriesType": "area_stacked", - "showGridlines": false, - "xAccessor": "f9bf9e21-aaa3-4948-9239-59ff6afb84d9", - "yConfig": [ - { - "axisMode": "left", - "forAccessor": "9401333e-571b-4999-9f50-405cad23cd1a" - } - ] - } - ], - "legend": { - "horizontalAlignment": "left", - "isInside": false, - "isVisible": true, - "position": "top", - "showSingleSeries": true, - "verticalAlignment": "top", - "legendSize": "auto" + "gridData": { + "h": 17, + "i": "a3339a86-6f2b-4f1a-85b8-4619c417a110", + "w": 24, + "x": 0, + "y": 0 }, - "preferredSeriesType": "bar_stacked", - "title": "Empty XY chart", - "valueLabels": "hide", - "xTitle": "Timestamp", - "yLeftExtent": { - 
"mode": "full" + "panelIndex": "a3339a86-6f2b-4f1a-85b8-4619c417a110", + "title": "Memory usage over time [Metrics Apache Spark]", + "type": "lens", + "version": "8.7.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-37e4c96b-3ba5-4033-9727-fad41089931d", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "9a5b37cb-eea9-4078-8237-c5a920e37075", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "37e4c96b-3ba5-4033-9727-fad41089931d": { + "columnOrder": [ + "3c99f57f-933e-432c-8038-b95d81f3443f" + ], + "columns": { + "3c99f57f-933e-432c-8038-b95d81f3443f": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Number of Stages Completed", + "operationType": "last_value", + "params": { + "showArrayValues": true, + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "apache_spark.driver.stages.completed_count" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "9a5b37cb-eea9-4078-8237-c5a920e37075", + "key": "apache_spark.driver.stages.completed_count", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "apache_spark.driver.stages.completed_count" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "accessor": "3c99f57f-933e-432c-8038-b95d81f3443f", + "colorMode": "None", + "layerId": "37e4c96b-3ba5-4033-9727-fad41089931d", + "layerType": "data", + "size": "xl", + "textAlign": "center", + "titlePosition": "bottom" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsLegacyMetric" + }, + "enhancements": {}, + "hidePanelTitles": true }, - "yRightExtent": { - "mode": "full" + "gridData": { + 
"h": 6, + "i": "2943002d-504e-4a30-a581-cd92fd621fe1", + "w": 8, + "x": 24, + "y": 0 }, - "yTitle": "Memory" - } + "panelIndex": "2943002d-504e-4a30-a581-cd92fd621fe1", + "title": "Number of stages completed [Metrics Apache Spark]", + "type": "lens", + "version": "8.7.0" }, - "title": "", - "type": "lens", - "visualizationType": "lnsXY" - }, - "enhancements": {}, - "hidePanelTitles": false, - "type": "lens" - }, - "title": "Memory usage over time [Metrics Apache Spark]" - }, - { - "version": "8.7.0", - "type": "lens", - "gridData": { - "h": 6, - "i": "2943002d-504e-4a30-a581-cd92fd621fe1", - "w": 8, - "x": 24, - "y": 0 - }, - "panelIndex": "2943002d-504e-4a30-a581-cd92fd621fe1", - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-37e4c96b-3ba5-4033-9727-fad41089931d", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "8198873e-cf0a-43cf-8cd0-cd42a8df02c5", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "5df2fe94-f51b-44f9-b922-75663cb6996a", - "type": "index-pattern" - } - ], - "state": { - "datasourceStates": { - "formBased": { - "layers": { - "37e4c96b-3ba5-4033-9727-fad41089931d": { - "columnOrder": [ - "3c99f57f-933e-432c-8038-b95d81f3443f" - ], - "columns": { - "3c99f57f-933e-432c-8038-b95d81f3443f": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Number of Stages Completed", - "operationType": "last_value", - "params": { - "sortField": "@timestamp", - "showArrayValues": true - }, - "scale": "ratio", - "sourceField": "apache_spark.driver.stages.completed_count" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "8198873e-cf0a-43cf-8cd0-cd42a8df02c5", - "key": "event.dataset", - 
"negate": false, - "params": { - "query": "apache_spark.driver" + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-bb1faa77-fef6-486c-aaf9-ec1411bdad13", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "b6da6da2-e44f-4c9b-86f1-3314d21ad564", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "bb1faa77-fef6-486c-aaf9-ec1411bdad13": { + "columnOrder": [ + "31520286-aa33-494c-8f42-412342c54e48" + ], + "columns": { + "31520286-aa33-494c-8f42-412342c54e48": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Number of Stages Skipped", + "operationType": "last_value", + "params": { + "showArrayValues": true, + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "apache_spark.driver.stages.skipped_count" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "b6da6da2-e44f-4c9b-86f1-3314d21ad564", + "key": "apache_spark.driver.stages.skipped_count", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "apache_spark.driver.stages.skipped_count" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "accessor": "31520286-aa33-494c-8f42-412342c54e48", + "layerId": "bb1faa77-fef6-486c-aaf9-ec1411bdad13", + "layerType": "data", + "size": "xl", + "textAlign": "center", + "titlePosition": "bottom" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsLegacyMetric" }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "apache_spark.driver" - } - } + "enhancements": {}, + "hidePanelTitles": true }, - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, 
- "index": "5df2fe94-f51b-44f9-b922-75663cb6996a", - "key": "apache_spark.driver.stages.completed_count", - "negate": false, - "type": "exists", - "value": "exists" - }, - "query": { - "exists": { - "field": "apache_spark.driver.stages.completed_count" - } - } - } - ], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "accessor": "3c99f57f-933e-432c-8038-b95d81f3443f", - "colorMode": "None", - "layerId": "37e4c96b-3ba5-4033-9727-fad41089931d", - "layerType": "data", - "textAlign": "center", - "titlePosition": "bottom", - "size": "xl" - } + "gridData": { + "h": 6, + "i": "784e4a18-20e7-48ef-8737-3a8a4643c4fe", + "w": 8, + "x": 32, + "y": 0 + }, + "panelIndex": "784e4a18-20e7-48ef-8737-3a8a4643c4fe", + "title": "Number of stages skipped [Metrics Apache Spark]", + "type": "lens", + "version": "8.7.0" }, - "title": "", - "type": "lens", - "visualizationType": "lnsLegacyMetric" - }, - "enhancements": {}, - "hidePanelTitles": true, - "type": "lens" - }, - "title": "Number of stages completed [Metrics Apache Spark]" - }, - { - "version": "8.7.0", - "type": "lens", - "gridData": { - "h": 6, - "i": "784e4a18-20e7-48ef-8737-3a8a4643c4fe", - "w": 8, - "x": 32, - "y": 0 - }, - "panelIndex": "784e4a18-20e7-48ef-8737-3a8a4643c4fe", - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-bb1faa77-fef6-486c-aaf9-ec1411bdad13", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "603b47e3-4608-4094-8826-f923eab506a8", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "4a09ba27-dc93-43cf-be91-0632bc81cb47", - "type": "index-pattern" - } - ], - "state": { - "datasourceStates": { - "formBased": { - "layers": { - "bb1faa77-fef6-486c-aaf9-ec1411bdad13": { - "columnOrder": [ - "31520286-aa33-494c-8f42-412342c54e48" - ], - "columns": { - 
"31520286-aa33-494c-8f42-412342c54e48": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Number of Stages Skipped", - "operationType": "last_value", - "params": { - "sortField": "@timestamp", - "showArrayValues": true - }, - "scale": "ratio", - "sourceField": "apache_spark.driver.stages.skipped_count" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "603b47e3-4608-4094-8826-f923eab506a8", - "key": "event.dataset", - "negate": false, - "params": { - "query": "apache_spark.driver" + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-6fc27bd4-9bc3-4233-9b1d-61df80582ad8", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "f847ce79-3f28-48ad-bdfe-383de0a679a2", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "6fc27bd4-9bc3-4233-9b1d-61df80582ad8": { + "columnOrder": [ + "cd6cf970-b884-4c72-94a1-0104f46eda4a" + ], + "columns": { + "cd6cf970-b884-4c72-94a1-0104f46eda4a": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Number of Stages Failed", + "operationType": "last_value", + "params": { + "showArrayValues": true, + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "apache_spark.driver.stages.failed_count" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "f847ce79-3f28-48ad-bdfe-383de0a679a2", + "key": "apache_spark.driver.stages.failed_count", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "apache_spark.driver.stages.failed_count" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + 
"query": "" + }, + "visualization": { + "accessor": "cd6cf970-b884-4c72-94a1-0104f46eda4a", + "layerId": "6fc27bd4-9bc3-4233-9b1d-61df80582ad8", + "layerType": "data", + "size": "xl", + "textAlign": "center", + "titlePosition": "bottom" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsLegacyMetric" }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "apache_spark.driver" - } - } + "enhancements": {}, + "hidePanelTitles": true }, - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "4a09ba27-dc93-43cf-be91-0632bc81cb47", - "key": "apache_spark.driver.stages.skipped_count", - "negate": false, - "type": "exists", - "value": "exists" - }, - "query": { - "exists": { - "field": "apache_spark.driver.stages.skipped_count" - } - } - } - ], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "accessor": "31520286-aa33-494c-8f42-412342c54e48", - "layerId": "bb1faa77-fef6-486c-aaf9-ec1411bdad13", - "layerType": "data", - "textAlign": "center", - "titlePosition": "bottom", - "size": "xl" - } + "gridData": { + "h": 6, + "i": "19bd059b-ca79-4fb0-b450-f8adeb8acc8f", + "w": 8, + "x": 40, + "y": 0 + }, + "panelIndex": "19bd059b-ca79-4fb0-b450-f8adeb8acc8f", + "title": "Number of failed stages [Metrics Apache Spark]", + "type": "lens", + "version": "8.7.0" }, - "title": "", - "type": "lens", - "visualizationType": "lnsLegacyMetric" - }, - "enhancements": {}, - "hidePanelTitles": true, - "type": "lens" - }, - "title": "Number of stages skipped [Metrics Apache Spark]" - }, - { - "version": "8.7.0", - "type": "lens", - "gridData": { - "h": 6, - "i": "19bd059b-ca79-4fb0-b450-f8adeb8acc8f", - "w": 8, - "x": 40, - "y": 0 - }, - "panelIndex": "19bd059b-ca79-4fb0-b450-f8adeb8acc8f", - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": 
"metrics-*", - "name": "indexpattern-datasource-layer-6fc27bd4-9bc3-4233-9b1d-61df80582ad8", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "7e8d1def-772c-494c-b14e-eae96e52b074", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "c5b629cf-0836-49ff-a409-23cb47735f02", - "type": "index-pattern" - } - ], - "state": { - "datasourceStates": { - "formBased": { - "layers": { - "6fc27bd4-9bc3-4233-9b1d-61df80582ad8": { - "columnOrder": [ - "cd6cf970-b884-4c72-94a1-0104f46eda4a" - ], - "columns": { - "cd6cf970-b884-4c72-94a1-0104f46eda4a": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Number of Stages Failed", - "operationType": "last_value", - "params": { - "sortField": "@timestamp", - "showArrayValues": true - }, - "scale": "ratio", - "sourceField": "apache_spark.driver.stages.failed_count" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "7e8d1def-772c-494c-b14e-eae96e52b074", - "key": "event.dataset", - "negate": false, - "params": { - "query": "apache_spark.driver" + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-df39527d-9339-47cb-9833-2e3d3ccc9c30", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "df39527d-9339-47cb-9833-2e3d3ccc9c30": { + "columnOrder": [ + "f4ed5f54-aae1-4dfe-82bf-e5d6181beef3", + "8c4d8d9d-46d4-4140-8aa7-5e8066fd577a", + "16d7f486-58c7-46a1-96ea-d2be88b82633", + "02d81198-17ac-4861-870d-c481ba9a7dad" + ], + "columns": { + "02d81198-17ac-4861-870d-c481ba9a7dad": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Completed", + "operationType": "max", + "scale": "ratio", + "sourceField": "apache_spark.driver.tasks.completed" + }, + 
"16d7f486-58c7-46a1-96ea-d2be88b82633": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Skipped", + "operationType": "max", + "scale": "ratio", + "sourceField": "apache_spark.driver.tasks.skipped" + }, + "8c4d8d9d-46d4-4140-8aa7-5e8066fd577a": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Failed", + "operationType": "max", + "scale": "ratio", + "sourceField": "apache_spark.driver.tasks.failed" + }, + "f4ed5f54-aae1-4dfe-82bf-e5d6181beef3": { + "customLabel": true, + "dataType": "date", + "isBucketed": true, + "label": "Timestamp", + "operationType": "date_histogram", + "params": { + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "apache_spark.driver.tasks.failed : * or apache_spark.driver.tasks.skipped : * or apache_spark.driver.tasks.completed : * " + }, + "visualization": { + "fittingFunction": "Linear", + "gridlinesVisibilitySettings": { + "x": false, + "yLeft": false, + "yRight": true + }, + "layers": [ + { + "accessors": [ + "8c4d8d9d-46d4-4140-8aa7-5e8066fd577a", + "16d7f486-58c7-46a1-96ea-d2be88b82633", + "02d81198-17ac-4861-870d-c481ba9a7dad" + ], + "layerId": "df39527d-9339-47cb-9833-2e3d3ccc9c30", + "layerType": "data", + "position": "top", + "seriesType": "area", + "showGridlines": false, + "xAccessor": "f4ed5f54-aae1-4dfe-82bf-e5d6181beef3", + "yConfig": [ + { + "axisMode": "left", + "color": "#d36086", + "forAccessor": "8c4d8d9d-46d4-4140-8aa7-5e8066fd577a" + }, + { + "axisMode": "left", + "forAccessor": "16d7f486-58c7-46a1-96ea-d2be88b82633" + }, + { + "axisMode": "left", + "color": "#54b399", + "forAccessor": "02d81198-17ac-4861-870d-c481ba9a7dad" + } + ] + } + ], + "legend": { + "isVisible": true, + "legendSize": "auto", + "position": "top", + "showSingleSeries": true + }, + 
"preferredSeriesType": "area", + "title": "Empty XY chart", + "valueLabels": "hide", + "xTitle": "Timestamp", + "yLeftExtent": { + "mode": "full" + }, + "yRightExtent": { + "mode": "full" + }, + "yTitle": "Tasks" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "apache_spark.driver" - } - } + "enhancements": {}, + "hidePanelTitles": false }, - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "c5b629cf-0836-49ff-a409-23cb47735f02", - "key": "apache_spark.driver.stages.failed_count", - "negate": false, - "type": "exists", - "value": "exists" - }, - "query": { - "exists": { - "field": "apache_spark.driver.stages.failed_count" - } - } - } - ], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "accessor": "cd6cf970-b884-4c72-94a1-0104f46eda4a", - "layerId": "6fc27bd4-9bc3-4233-9b1d-61df80582ad8", - "layerType": "data", - "textAlign": "center", - "titlePosition": "bottom", - "size": "xl" - } + "gridData": { + "h": 17, + "i": "f84a1cd9-1b4b-484e-87f7-953c2f645570", + "w": 24, + "x": 24, + "y": 6 + }, + "panelIndex": "f84a1cd9-1b4b-484e-87f7-953c2f645570", + "title": "Number of Tasks over time [Metrics Apache Spark]", + "type": "lens", + "version": "8.7.0" }, - "title": "", - "type": "lens", - "visualizationType": "lnsLegacyMetric" - }, - "enhancements": {}, - "hidePanelTitles": true, - "type": "lens" - }, - "title": "Number of failed stages [Metrics Apache Spark]" - }, - { - "version": "8.7.0", - "type": "lens", - "gridData": { - "h": 17, - "i": "f84a1cd9-1b4b-484e-87f7-953c2f645570", - "w": 24, - "x": 24, - "y": 6 - }, - "panelIndex": "f84a1cd9-1b4b-484e-87f7-953c2f645570", - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": 
"indexpattern-datasource-layer-df39527d-9339-47cb-9833-2e3d3ccc9c30", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "787550e5-b4cd-4892-babc-4f3d33c078ec", - "type": "index-pattern" - } - ], - "state": { - "datasourceStates": { - "formBased": { - "layers": { - "df39527d-9339-47cb-9833-2e3d3ccc9c30": { - "columnOrder": [ - "f4ed5f54-aae1-4dfe-82bf-e5d6181beef3", - "8c4d8d9d-46d4-4140-8aa7-5e8066fd577a", - "16d7f486-58c7-46a1-96ea-d2be88b82633", - "02d81198-17ac-4861-870d-c481ba9a7dad" - ], - "columns": { - "02d81198-17ac-4861-870d-c481ba9a7dad": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Completed", - "operationType": "max", - "scale": "ratio", - "sourceField": "apache_spark.driver.tasks.completed" - }, - "16d7f486-58c7-46a1-96ea-d2be88b82633": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Skipped", - "operationType": "max", - "scale": "ratio", - "sourceField": "apache_spark.driver.tasks.skipped" - }, - "8c4d8d9d-46d4-4140-8aa7-5e8066fd577a": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Failed", - "operationType": "max", - "scale": "ratio", - "sourceField": "apache_spark.driver.tasks.failed" + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-efa9fcdd-f421-4c27-a85b-3a6d2512a09d", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "8977b3b6-d4be-4dfa-9afa-fa3b31be4c89", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "efa9fcdd-f421-4c27-a85b-3a6d2512a09d": { + "columnOrder": [ + "6962059b-392d-416f-a321-b0de80b841a7" + ], + "columns": { + "6962059b-392d-416f-a321-b0de80b841a7": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Max Memory (MB)", + "operationType": "last_value", + "params": { + "showArrayValues": true, + 
"sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "apache_spark.driver.memory.max_mem" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "8977b3b6-d4be-4dfa-9afa-fa3b31be4c89", + "key": "apache_spark.driver.memory.max_mem", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "apache_spark.driver.memory.max_mem" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "accessor": "6962059b-392d-416f-a321-b0de80b841a7", + "layerId": "efa9fcdd-f421-4c27-a85b-3a6d2512a09d", + "layerType": "data", + "size": "xl", + "textAlign": "center", + "titlePosition": "bottom" + } }, - "f4ed5f54-aae1-4dfe-82bf-e5d6181beef3": { - "customLabel": true, - "dataType": "date", - "isBucketed": true, - "label": "Timestamp", - "operationType": "date_histogram", - "params": { - "interval": "auto", - "includeEmptyRows": true - }, - "scale": "interval", - "sourceField": "@timestamp" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "787550e5-b4cd-4892-babc-4f3d33c078ec", - "key": "event.dataset", - "negate": false, - "params": { - "query": "apache_spark.driver" + "title": "", + "type": "lens", + "visualizationType": "lnsLegacyMetric" }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "apache_spark.driver" - } - } - } - ], - "query": { - "language": "kuery", - "query": "apache_spark.driver.tasks.failed : * or apache_spark.driver.tasks.skipped : * or apache_spark.driver.tasks.completed : * " - }, - "visualization": { - "fittingFunction": "Linear", - "gridlinesVisibilitySettings": { - "x": false, - "yLeft": false, - "yRight": true + "enhancements": {}, + "hidePanelTitles": true }, - "layers": [ - 
{ - "accessors": [ - "8c4d8d9d-46d4-4140-8aa7-5e8066fd577a", - "16d7f486-58c7-46a1-96ea-d2be88b82633", - "02d81198-17ac-4861-870d-c481ba9a7dad" - ], - "layerId": "df39527d-9339-47cb-9833-2e3d3ccc9c30", - "layerType": "data", - "position": "top", - "seriesType": "area", - "showGridlines": false, - "xAccessor": "f4ed5f54-aae1-4dfe-82bf-e5d6181beef3", - "yConfig": [ - { - "axisMode": "left", - "color": "#d36086", - "forAccessor": "8c4d8d9d-46d4-4140-8aa7-5e8066fd577a" - }, - { - "axisMode": "left", - "forAccessor": "16d7f486-58c7-46a1-96ea-d2be88b82633" - }, - { - "axisMode": "left", - "color": "#54b399", - "forAccessor": "02d81198-17ac-4861-870d-c481ba9a7dad" - } - ] - } - ], - "legend": { - "isVisible": true, - "position": "top", - "showSingleSeries": true, - "legendSize": "auto" + "gridData": { + "h": 6, + "i": "64cbf207-795a-4818-915c-137eaebc6198", + "w": 8, + "x": 0, + "y": 17 }, - "preferredSeriesType": "area", - "title": "Empty XY chart", - "valueLabels": "hide", - "xTitle": "Timestamp", - "yLeftExtent": { - "mode": "full" + "panelIndex": "64cbf207-795a-4818-915c-137eaebc6198", + "title": "Maximum amount of memory available for storage [Metrics Apache Spark]", + "type": "lens", + "version": "8.7.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-483b85ff-1b76-41d9-926b-25f70122ef28", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "830070a2-3bf5-40df-a57d-1094cfef42f3", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "483b85ff-1b76-41d9-926b-25f70122ef28": { + "columnOrder": [ + "6ecaa697-7840-4a3c-a949-687d66bd9cdd" + ], + "columns": { + "6ecaa697-7840-4a3c-a949-687d66bd9cdd": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Failed Jobs", + "operationType": "last_value", + "params": { + "showArrayValues": true, + "sortField": "@timestamp" + 
}, + "scale": "ratio", + "sourceField": "apache_spark.driver.jobs.failed" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "830070a2-3bf5-40df-a57d-1094cfef42f3", + "key": "apache_spark.driver.jobs.failed", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "apache_spark.driver.jobs.failed" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "accessor": "6ecaa697-7840-4a3c-a949-687d66bd9cdd", + "layerId": "483b85ff-1b76-41d9-926b-25f70122ef28", + "layerType": "data", + "size": "xl", + "textAlign": "center", + "titlePosition": "bottom" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsLegacyMetric" + }, + "enhancements": {}, + "hidePanelTitles": true }, - "yRightExtent": { - "mode": "full" + "gridData": { + "h": 6, + "i": "62c6f93e-b6c1-4004-b780-535ed730ebaa", + "w": 8, + "x": 8, + "y": 17 }, - "yTitle": "Tasks" - } + "panelIndex": "62c6f93e-b6c1-4004-b780-535ed730ebaa", + "title": "Number of jobs failed [Metrics Apache Spark]", + "type": "lens", + "version": "8.7.0" }, - "title": "", - "type": "lens", - "visualizationType": "lnsXY" - }, - "enhancements": {}, - "hidePanelTitles": false, - "type": "lens" - }, - "title": "Number of Tasks over time [Metrics Apache Spark]" - }, - { - "version": "8.7.0", - "type": "lens", - "gridData": { - "h": 6, - "i": "64cbf207-795a-4818-915c-137eaebc6198", - "w": 8, - "x": 0, - "y": 17 - }, - "panelIndex": "64cbf207-795a-4818-915c-137eaebc6198", - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-efa9fcdd-f421-4c27-a85b-3a6d2512a09d", - "type": "index-pattern" - }, - { - "id": 
"metrics-*", - "name": "b8679379-0bbe-4028-b3e7-2cc0f84fa045", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "97467acb-706a-4078-ae1a-ac6ab5fd47d7", - "type": "index-pattern" - } - ], - "state": { - "datasourceStates": { - "formBased": { - "layers": { - "efa9fcdd-f421-4c27-a85b-3a6d2512a09d": { - "columnOrder": [ - "6962059b-392d-416f-a321-b0de80b841a7" - ], - "columns": { - "6962059b-392d-416f-a321-b0de80b841a7": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Max Memory (MB)", - "operationType": "last_value", - "params": { - "sortField": "@timestamp", - "showArrayValues": true - }, - "scale": "ratio", - "sourceField": "apache_spark.driver.memory.max_mem" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "b8679379-0bbe-4028-b3e7-2cc0f84fa045", - "key": "event.dataset", - "negate": false, - "params": { - "query": "apache_spark.driver" + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-aec1fa6a-6818-41f0-862a-8c7feed2ea3e", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "b5592314-e99b-4ef7-bc6d-69993664fb6f", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "aec1fa6a-6818-41f0-862a-8c7feed2ea3e": { + "columnOrder": [ + "f69b66b5-f920-44c1-9b5a-0f6076ac9f6a" + ], + "columns": { + "f69b66b5-f920-44c1-9b5a-0f6076ac9f6a": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Succeeded Jobs", + "operationType": "last_value", + "params": { + "showArrayValues": true, + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "apache_spark.driver.jobs.succeeded" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { 
+ "alias": null, + "disabled": false, + "index": "b5592314-e99b-4ef7-bc6d-69993664fb6f", + "key": "apache_spark.driver.jobs.succeeded", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "apache_spark.driver.jobs.succeeded" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "accessor": "f69b66b5-f920-44c1-9b5a-0f6076ac9f6a", + "layerId": "aec1fa6a-6818-41f0-862a-8c7feed2ea3e", + "layerType": "data", + "size": "xl", + "textAlign": "center", + "titlePosition": "bottom" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsLegacyMetric" }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "apache_spark.driver" - } - } + "enhancements": {}, + "hidePanelTitles": true }, - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "97467acb-706a-4078-ae1a-ac6ab5fd47d7", - "key": "apache_spark.driver.memory.max_mem", - "negate": false, - "type": "exists", - "value": "exists" - }, - "query": { - "exists": { - "field": "apache_spark.driver.memory.max_mem" - } - } - } - ], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "accessor": "6962059b-392d-416f-a321-b0de80b841a7", - "layerId": "efa9fcdd-f421-4c27-a85b-3a6d2512a09d", - "layerType": "data", - "textAlign": "center", - "titlePosition": "bottom", - "size": "xl" - } + "gridData": { + "h": 6, + "i": "bb9eb57d-fbf2-41a4-8187-5cead0c80faa", + "w": 8, + "x": 16, + "y": 17 + }, + "panelIndex": "bb9eb57d-fbf2-41a4-8187-5cead0c80faa", + "title": "Number of Succeeded jobs [Metrics Apache Spark]", + "type": "lens", + "version": "8.7.0" }, - "title": "", - "type": "lens", - "visualizationType": "lnsLegacyMetric" - }, - "enhancements": {}, - "hidePanelTitles": true, - "type": "lens" - }, - "title": "Maximum amount of memory available for storage [Metrics Apache Spark]" - }, - { - "version": "8.7.0", 
- "type": "lens", - "gridData": { - "h": 6, - "i": "62c6f93e-b6c1-4004-b780-535ed730ebaa", - "w": 8, - "x": 8, - "y": 17 - }, - "panelIndex": "62c6f93e-b6c1-4004-b780-535ed730ebaa", - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-483b85ff-1b76-41d9-926b-25f70122ef28", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "509e9888-4307-45b6-9c04-5b7feafeef87", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "df5be9fa-fb96-4da2-a042-71b37b7c3275", - "type": "index-pattern" - } - ], - "state": { - "datasourceStates": { - "formBased": { - "layers": { - "483b85ff-1b76-41d9-926b-25f70122ef28": { - "columnOrder": [ - "6ecaa697-7840-4a3c-a949-687d66bd9cdd" - ], - "columns": { - "6ecaa697-7840-4a3c-a949-687d66bd9cdd": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Failed Jobs", - "operationType": "last_value", - "params": { - "sortField": "@timestamp", - "showArrayValues": true - }, - "scale": "ratio", - "sourceField": "apache_spark.driver.jobs.failed" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "509e9888-4307-45b6-9c04-5b7feafeef87", - "key": "event.dataset", - "negate": false, - "params": { - "query": "apache_spark.driver" + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-df39527d-9339-47cb-9833-2e3d3ccc9c30", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "df39527d-9339-47cb-9833-2e3d3ccc9c30": { + "columnOrder": [ + "f4ed5f54-aae1-4dfe-82bf-e5d6181beef3", + "8c4d8d9d-46d4-4140-8aa7-5e8066fd577a", + 
"16d7f486-58c7-46a1-96ea-d2be88b82633", + "02d81198-17ac-4861-870d-c481ba9a7dad" + ], + "columns": { + "02d81198-17ac-4861-870d-c481ba9a7dad": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Started", + "operationType": "max", + "scale": "ratio", + "sourceField": "apache_spark.executor.threadpool.started_tasks" + }, + "16d7f486-58c7-46a1-96ea-d2be88b82633": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Active", + "operationType": "max", + "scale": "ratio", + "sourceField": "apache_spark.executor.threadpool.active_tasks" + }, + "8c4d8d9d-46d4-4140-8aa7-5e8066fd577a": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Completed", + "operationType": "max", + "scale": "ratio", + "sourceField": "apache_spark.executor.threadpool.complete_tasks" + }, + "f4ed5f54-aae1-4dfe-82bf-e5d6181beef3": { + "customLabel": true, + "dataType": "date", + "isBucketed": true, + "label": "Timestamp", + "operationType": "date_histogram", + "params": { + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "apache_spark.executor.threadpool.complete_tasks : * or apache_spark.executor.threadpool.active_tasks : * or apache_spark.executor.threadpool.started_tasks : * " + }, + "visualization": { + "fittingFunction": "Linear", + "gridlinesVisibilitySettings": { + "x": false, + "yLeft": false, + "yRight": true + }, + "layers": [ + { + "accessors": [ + "8c4d8d9d-46d4-4140-8aa7-5e8066fd577a", + "16d7f486-58c7-46a1-96ea-d2be88b82633", + "02d81198-17ac-4861-870d-c481ba9a7dad" + ], + "layerId": "df39527d-9339-47cb-9833-2e3d3ccc9c30", + "layerType": "data", + "position": "top", + "seriesType": "area", + "showGridlines": false, + "xAccessor": "f4ed5f54-aae1-4dfe-82bf-e5d6181beef3", + "yConfig": [ + { + 
"axisMode": "left", + "color": "#54b399", + "forAccessor": "8c4d8d9d-46d4-4140-8aa7-5e8066fd577a" + }, + { + "axisMode": "left", + "forAccessor": "16d7f486-58c7-46a1-96ea-d2be88b82633" + }, + { + "axisMode": "left", + "color": "#d6bf57", + "forAccessor": "02d81198-17ac-4861-870d-c481ba9a7dad" + } + ] + } + ], + "legend": { + "isVisible": true, + "legendSize": "auto", + "position": "top", + "showSingleSeries": true + }, + "preferredSeriesType": "area", + "title": "Empty XY chart", + "valueLabels": "hide", + "xTitle": "Timestamp", + "yLeftExtent": { + "mode": "full" + }, + "yRightExtent": { + "mode": "full" + }, + "yTitle": "Threadpool Tasks" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "apache_spark.driver" - } - } + "enhancements": {}, + "hidePanelTitles": false }, - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "df5be9fa-fb96-4da2-a042-71b37b7c3275", - "key": "apache_spark.driver.jobs.failed", - "negate": false, - "type": "exists", - "value": "exists" - }, - "query": { - "exists": { - "field": "apache_spark.driver.jobs.failed" - } - } - } - ], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "accessor": "6ecaa697-7840-4a3c-a949-687d66bd9cdd", - "layerId": "483b85ff-1b76-41d9-926b-25f70122ef28", - "layerType": "data", - "textAlign": "center", - "titlePosition": "bottom", - "size": "xl" - } + "gridData": { + "h": 13, + "i": "b5caa5d1-221e-400d-a11a-ea539f1f4546", + "w": 26, + "x": 0, + "y": 23 + }, + "panelIndex": "b5caa5d1-221e-400d-a11a-ea539f1f4546", + "title": "Number of Threadpool tasks over time [Metrics Apache Spark]", + "type": "lens", + "version": "8.7.0" }, - "title": "", - "type": "lens", - "visualizationType": "lnsLegacyMetric" - }, - "enhancements": {}, - "hidePanelTitles": true, - "type": "lens" - }, - "title": "Number of jobs failed [Metrics Apache Spark]" - }, 
- { - "version": "8.7.0", - "type": "lens", - "gridData": { - "h": 6, - "i": "bb9eb57d-fbf2-41a4-8187-5cead0c80faa", - "w": 8, - "x": 16, - "y": 17 - }, - "panelIndex": "bb9eb57d-fbf2-41a4-8187-5cead0c80faa", - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-aec1fa6a-6818-41f0-862a-8c7feed2ea3e", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "3fe0b162-ec79-4815-895a-79ac382ca1d7", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "62857a2d-669f-4c70-9f92-dcab405c9f9a", - "type": "index-pattern" - } - ], - "state": { - "datasourceStates": { - "formBased": { - "layers": { - "aec1fa6a-6818-41f0-862a-8c7feed2ea3e": { - "columnOrder": [ - "f69b66b5-f920-44c1-9b5a-0f6076ac9f6a" - ], - "columns": { - "f69b66b5-f920-44c1-9b5a-0f6076ac9f6a": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Succeeded Jobs", - "operationType": "last_value", - "params": { - "sortField": "@timestamp", - "showArrayValues": true - }, - "scale": "ratio", - "sourceField": "apache_spark.driver.jobs.succeeded" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "3fe0b162-ec79-4815-895a-79ac382ca1d7", - "key": "event.dataset", - "negate": false, - "params": { - "query": "apache_spark.driver" + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-3a277aff-7c7b-443b-bccf-271cb4486f72", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "e2038555-6ef6-4a33-b50c-c175b2ebbe02", + "type": "index-pattern" + } + 
], + "state": { + "datasourceStates": { + "formBased": { + "layers": { + "3a277aff-7c7b-443b-bccf-271cb4486f72": { + "columnOrder": [ + "08a11063-090b-4210-a4e4-30189048b7aa" + ], + "columns": { + "08a11063-090b-4210-a4e4-30189048b7aa": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Bytes Read", + "operationType": "last_value", + "params": { + "format": { + "id": "bytes", + "params": { + "decimals": 2 + } + }, + "showArrayValues": true, + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "apache_spark.executor.bytes.read" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "e2038555-6ef6-4a33-b50c-c175b2ebbe02", + "key": "apache_spark.executor.bytes.read", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "apache_spark.executor.bytes.read" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "accessor": "08a11063-090b-4210-a4e4-30189048b7aa", + "layerId": "3a277aff-7c7b-443b-bccf-271cb4486f72", + "layerType": "data", + "size": "xl", + "textAlign": "center", + "titlePosition": "bottom" + } + }, + "title": "Number of Bytes Read [Metrics Apache Spark]", + "visualizationType": "lnsLegacyMetric" }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "apache_spark.driver" - } - } + "enhancements": {}, + "hidePanelTitles": true }, - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "62857a2d-669f-4c70-9f92-dcab405c9f9a", - "key": "apache_spark.driver.jobs.succeeded", - "negate": false, - "type": "exists", - "value": "exists" - }, - "query": { - "exists": { - "field": "apache_spark.driver.jobs.succeeded" - } - } - } - ], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "accessor": 
"f69b66b5-f920-44c1-9b5a-0f6076ac9f6a", - "layerId": "aec1fa6a-6818-41f0-862a-8c7feed2ea3e", - "layerType": "data", - "textAlign": "center", - "titlePosition": "bottom", - "size": "xl" - } + "gridData": { + "h": 5, + "i": "7a729bca-db45-4ffe-b1bf-51fdc30e3b18", + "w": 8, + "x": 26, + "y": 23 + }, + "panelIndex": "7a729bca-db45-4ffe-b1bf-51fdc30e3b18", + "type": "lens", + "version": "8.7.0" }, - "title": "", - "type": "lens", - "visualizationType": "lnsLegacyMetric" - }, - "enhancements": {}, - "hidePanelTitles": true, - "type": "lens" - }, - "title": "Number of Succeeded jobs [Metrics Apache Spark]" - }, - { - "version": "8.7.0", - "type": "lens", - "gridData": { - "h": 13, - "i": "b5caa5d1-221e-400d-a11a-ea539f1f4546", - "w": 26, - "x": 0, - "y": 23 - }, - "panelIndex": "b5caa5d1-221e-400d-a11a-ea539f1f4546", - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-df39527d-9339-47cb-9833-2e3d3ccc9c30", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "1215080a-2795-41e4-a618-d54b0e020cbc", - "type": "index-pattern" - } - ], - "state": { - "datasourceStates": { - "formBased": { - "layers": { - "df39527d-9339-47cb-9833-2e3d3ccc9c30": { - "columnOrder": [ - "f4ed5f54-aae1-4dfe-82bf-e5d6181beef3", - "8c4d8d9d-46d4-4140-8aa7-5e8066fd577a", - "16d7f486-58c7-46a1-96ea-d2be88b82633", - "02d81198-17ac-4861-870d-c481ba9a7dad" - ], - "columns": { - "02d81198-17ac-4861-870d-c481ba9a7dad": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Started", - "operationType": "max", - "scale": "ratio", - "sourceField": "apache_spark.executor.threadpool.started_tasks" - }, - "16d7f486-58c7-46a1-96ea-d2be88b82633": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Active", - "operationType": "max", - "scale": "ratio", - 
"sourceField": "apache_spark.executor.threadpool.active_tasks" - }, - "8c4d8d9d-46d4-4140-8aa7-5e8066fd577a": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Completed", - "operationType": "max", - "scale": "ratio", - "sourceField": "apache_spark.executor.threadpool.complete_tasks" + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-5d66805e-b15a-4a65-b914-128afac75b09", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "f4140b61-62cd-4abe-a34e-bb7a1d14fefb", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "formBased": { + "layers": { + "5d66805e-b15a-4a65-b914-128afac75b09": { + "columnOrder": [ + "55aa8a79-a965-4ad3-bd75-1182fc29570e" + ], + "columns": { + "55aa8a79-a965-4ad3-bd75-1182fc29570e": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Bytes Written", + "operationType": "last_value", + "params": { + "format": { + "id": "bytes", + "params": { + "decimals": 2 + } + }, + "showArrayValues": true, + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "apache_spark.executor.bytes.written" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "f4140b61-62cd-4abe-a34e-bb7a1d14fefb", + "key": "apache_spark.executor.bytes.written", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "apache_spark.executor.bytes.written" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "accessor": "55aa8a79-a965-4ad3-bd75-1182fc29570e", + "layerId": "5d66805e-b15a-4a65-b914-128afac75b09", + "layerType": "data", + "size": "xl", + 
"textAlign": "center", + "titlePosition": "bottom" + } }, - "f4ed5f54-aae1-4dfe-82bf-e5d6181beef3": { - "customLabel": true, - "dataType": "date", - "isBucketed": true, - "label": "Timestamp", - "operationType": "date_histogram", - "params": { - "interval": "auto", - "includeEmptyRows": true - }, - "scale": "interval", - "sourceField": "@timestamp" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "1215080a-2795-41e4-a618-d54b0e020cbc", - "key": "event.dataset", - "negate": false, - "params": { - "query": "apache_spark.executor" + "title": "Number of Bytes Written [Metrics Apache Spark]", + "visualizationType": "lnsLegacyMetric" }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "apache_spark.executor" - } - } - } - ], - "query": { - "language": "kuery", - "query": "apache_spark.executor.threadpool.complete_tasks : * or apache_spark.executor.threadpool.active_tasks : * or apache_spark.executor.threadpool.started_tasks : * " - }, - "visualization": { - "fittingFunction": "Linear", - "gridlinesVisibilitySettings": { - "x": false, - "yLeft": false, - "yRight": true + "enhancements": {}, + "hidePanelTitles": true }, - "layers": [ - { - "accessors": [ - "8c4d8d9d-46d4-4140-8aa7-5e8066fd577a", - "16d7f486-58c7-46a1-96ea-d2be88b82633", - "02d81198-17ac-4861-870d-c481ba9a7dad" - ], - "layerId": "df39527d-9339-47cb-9833-2e3d3ccc9c30", - "layerType": "data", - "position": "top", - "seriesType": "area", - "showGridlines": false, - "xAccessor": "f4ed5f54-aae1-4dfe-82bf-e5d6181beef3", - "yConfig": [ - { - "axisMode": "left", - "color": "#54b399", - "forAccessor": "8c4d8d9d-46d4-4140-8aa7-5e8066fd577a" - }, - { - "axisMode": "left", - "forAccessor": "16d7f486-58c7-46a1-96ea-d2be88b82633" - }, - { - "axisMode": "left", - "color": "#d6bf57", - "forAccessor": "02d81198-17ac-4861-870d-c481ba9a7dad" - } - ] - } - ], - "legend": { - 
"isVisible": true, - "position": "top", - "showSingleSeries": true, - "legendSize": "auto" + "gridData": { + "h": 5, + "i": "0595e44f-e6b0-4d93-868f-040f2eb0de31", + "w": 7, + "x": 34, + "y": 23 }, - "preferredSeriesType": "area", - "title": "Empty XY chart", - "valueLabels": "hide", - "xTitle": "Timestamp", - "yLeftExtent": { - "mode": "full" + "panelIndex": "0595e44f-e6b0-4d93-868f-040f2eb0de31", + "type": "lens", + "version": "8.7.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-d4698267-4169-47b1-81cd-17bd8621879f", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "0b721af7-4c9c-4e69-8463-955e33a1b646", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "d4698267-4169-47b1-81cd-17bd8621879f": { + "columnOrder": [ + "f718a530-bd5f-4e8e-8960-ffac1ce48483" + ], + "columns": { + "f718a530-bd5f-4e8e-8960-ffac1ce48483": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Waiting Applications", + "operationType": "last_value", + "params": { + "showArrayValues": true, + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "apache_spark.node.main.applications.waiting" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "0b721af7-4c9c-4e69-8463-955e33a1b646", + "key": "apache_spark.node.main.applications.waiting", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "apache_spark.node.main.applications.waiting" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "accessor": "f718a530-bd5f-4e8e-8960-ffac1ce48483", + "layerId": "d4698267-4169-47b1-81cd-17bd8621879f", + "layerType": "data", + "size": "xl", + 
"textAlign": "center", + "titlePosition": "bottom" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsLegacyMetric" + }, + "enhancements": {}, + "hidePanelTitles": true }, - "yRightExtent": { - "mode": "full" + "gridData": { + "h": 5, + "i": "ab8c87f3-ec56-4ddc-b0b0-7bb8a21366c2", + "w": 7, + "x": 41, + "y": 23 }, - "yTitle": "Threadpool Tasks" - } + "panelIndex": "ab8c87f3-ec56-4ddc-b0b0-7bb8a21366c2", + "title": "Number of Applications waiting [Metrics Apache Spark]", + "type": "lens", + "version": "8.7.0" }, - "title": "", - "type": "lens", - "visualizationType": "lnsXY" - }, - "enhancements": {}, - "hidePanelTitles": false, - "type": "lens" - }, - "title": "Number of Threadpool tasks over time [Metrics Apache Spark]" - }, - { - "version": "8.7.0", - "type": "lens", - "gridData": { - "h": 5, - "i": "7a729bca-db45-4ffe-b1bf-51fdc30e3b18", - "w": 8, - "x": 26, - "y": 23 - }, - "panelIndex": "7a729bca-db45-4ffe-b1bf-51fdc30e3b18", - "embeddableConfig": { - "enhancements": {}, - "hidePanelTitles": true, - "attributes": { - "description": "", - "state": { - "datasourceStates": { - "formBased": { - "layers": { - "3a277aff-7c7b-443b-bccf-271cb4486f72": { - "columnOrder": [ - "08a11063-090b-4210-a4e4-30189048b7aa" - ], - "columns": { - "08a11063-090b-4210-a4e4-30189048b7aa": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Bytes Read", - "operationType": "last_value", - "params": { - "format": { - "id": "bytes", - "params": { - "decimals": 2 - } + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-aa4bc89a-1467-4370-980f-99b6e33890d7", + "type": "index-pattern" }, - "sortField": "@timestamp", - "showArrayValues": true - }, - "scale": "ratio", - "sourceField": "apache_spark.executor.bytes.read" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - 
"disabled": false, - "index": "e2038555-6ef6-4a33-b50c-c175b2ebbe02", - "key": "apache_spark.executor.bytes.read", - "negate": false, - "type": "exists", - "value": "exists" - }, - "query": { - "exists": { - "field": "apache_spark.executor.bytes.read" - } - } - } - ], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "accessor": "08a11063-090b-4210-a4e4-30189048b7aa", - "layerId": "3a277aff-7c7b-443b-bccf-271cb4486f72", - "layerType": "data", - "textAlign": "center", - "titlePosition": "bottom", - "size": "xl" - } - }, - "title": "Number of Bytes Read [Metrics Apache Spark]", - "visualizationType": "lnsLegacyMetric", - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-3a277aff-7c7b-443b-bccf-271cb4486f72", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "e2038555-6ef6-4a33-b50c-c175b2ebbe02", - "type": "index-pattern" - } - ] - }, - "type": "lens" - } - }, - { - "version": "8.7.0", - "type": "lens", - "gridData": { - "h": 5, - "i": "0595e44f-e6b0-4d93-868f-040f2eb0de31", - "w": 7, - "x": 34, - "y": 23 - }, - "panelIndex": "0595e44f-e6b0-4d93-868f-040f2eb0de31", - "embeddableConfig": { - "enhancements": {}, - "hidePanelTitles": true, - "attributes": { - "description": "", - "state": { - "datasourceStates": { - "formBased": { - "layers": { - "5d66805e-b15a-4a65-b914-128afac75b09": { - "columnOrder": [ - "55aa8a79-a965-4ad3-bd75-1182fc29570e" - ], - "columns": { - "55aa8a79-a965-4ad3-bd75-1182fc29570e": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Bytes Written", - "operationType": "last_value", - "params": { - "format": { - "id": "bytes", - "params": { - "decimals": 2 - } + { + "id": "metrics-*", + "name": "f4a2fb8e-abca-4281-a05d-0674a52289b5", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { 
+ "formBased": { + "layers": { + "aa4bc89a-1467-4370-980f-99b6e33890d7": { + "columnOrder": [ + "f983c8f0-92bc-4d73-b8d4-f8d7c7851fb0" + ], + "columns": { + "f983c8f0-92bc-4d73-b8d4-f8d7c7851fb0": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Records Read", + "operationType": "last_value", + "params": { + "showArrayValues": true, + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "apache_spark.executor.records.read" + } + }, + "incompleteColumns": {} + } + } + } }, - "sortField": "@timestamp", - "showArrayValues": true - }, - "scale": "ratio", - "sourceField": "apache_spark.executor.bytes.written" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "f4140b61-62cd-4abe-a34e-bb7a1d14fefb", - "key": "apache_spark.executor.bytes.written", - "negate": false, - "type": "exists", - "value": "exists" - }, - "query": { - "exists": { - "field": "apache_spark.executor.bytes.written" - } - } - } - ], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "accessor": "55aa8a79-a965-4ad3-bd75-1182fc29570e", - "layerId": "5d66805e-b15a-4a65-b914-128afac75b09", - "layerType": "data", - "textAlign": "center", - "titlePosition": "bottom", - "size": "xl" - } - }, - "title": "Number of Bytes Written [Metrics Apache Spark]", - "visualizationType": "lnsLegacyMetric", - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-5d66805e-b15a-4a65-b914-128afac75b09", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "f4140b61-62cd-4abe-a34e-bb7a1d14fefb", - "type": "index-pattern" - } - ] - }, - "type": "lens" - } - }, - { - "version": "8.7.0", - "type": "lens", - "gridData": { - "h": 5, - "i": "ab8c87f3-ec56-4ddc-b0b0-7bb8a21366c2", - "w": 
7, - "x": 41, - "y": 23 - }, - "panelIndex": "ab8c87f3-ec56-4ddc-b0b0-7bb8a21366c2", - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-d4698267-4169-47b1-81cd-17bd8621879f", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "171181c8-0b9a-4664-85cb-0e8b82132b7a", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "6ffc819a-ab7a-43bd-aa18-dbd327428425", - "type": "index-pattern" - } - ], - "state": { - "datasourceStates": { - "formBased": { - "layers": { - "d4698267-4169-47b1-81cd-17bd8621879f": { - "columnOrder": [ - "f718a530-bd5f-4e8e-8960-ffac1ce48483" - ], - "columns": { - "f718a530-bd5f-4e8e-8960-ffac1ce48483": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Waiting Applications", - "operationType": "last_value", - "params": { - "sortField": "@timestamp", - "showArrayValues": true - }, - "scale": "ratio", - "sourceField": "apache_spark.node.main.applications.waiting" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "171181c8-0b9a-4664-85cb-0e8b82132b7a", - "key": "event.dataset", - "negate": false, - "params": { - "query": "apache_spark.node" + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "f4a2fb8e-abca-4281-a05d-0674a52289b5", + "key": "apache_spark.executor.records.read", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "apache_spark.executor.records.read" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "accessor": "f983c8f0-92bc-4d73-b8d4-f8d7c7851fb0", + "layerId": 
"aa4bc89a-1467-4370-980f-99b6e33890d7", + "layerType": "data", + "size": "xl", + "textAlign": "center", + "titlePosition": "bottom" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsLegacyMetric" }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "apache_spark.node" - } - } + "enhancements": {}, + "hidePanelTitles": true }, - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "6ffc819a-ab7a-43bd-aa18-dbd327428425", - "key": "apache_spark.node.main.applications.waiting", - "negate": false, - "type": "exists", - "value": "exists" - }, - "query": { - "exists": { - "field": "apache_spark.node.main.applications.waiting" - } - } - } - ], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "accessor": "f718a530-bd5f-4e8e-8960-ffac1ce48483", - "layerId": "d4698267-4169-47b1-81cd-17bd8621879f", - "layerType": "data", - "textAlign": "center", - "titlePosition": "bottom", - "size": "xl" - } + "gridData": { + "h": 5, + "i": "75c23769-a2bd-4825-b20a-d140aeb36175", + "w": 8, + "x": 26, + "y": 28 + }, + "panelIndex": "75c23769-a2bd-4825-b20a-d140aeb36175", + "title": "Number of Records Read [Metrics Apache Spark]", + "type": "lens", + "version": "8.7.0" }, - "title": "", - "type": "lens", - "visualizationType": "lnsLegacyMetric" - }, - "enhancements": {}, - "hidePanelTitles": true, - "type": "lens" - }, - "title": "Number of Applications waiting [Metrics Apache Spark]" - }, - { - "version": "8.7.0", - "type": "lens", - "gridData": { - "h": 5, - "i": "75c23769-a2bd-4825-b20a-d140aeb36175", - "w": 8, - "x": 26, - "y": 28 - }, - "panelIndex": "75c23769-a2bd-4825-b20a-d140aeb36175", - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-aa4bc89a-1467-4370-980f-99b6e33890d7", - 
"type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "975bff6a-acfa-481f-86ba-7d697e207f65", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "b889078f-52b4-4fdd-8fd5-6a636ff903a6", - "type": "index-pattern" - } - ], - "state": { - "datasourceStates": { - "formBased": { - "layers": { - "aa4bc89a-1467-4370-980f-99b6e33890d7": { - "columnOrder": [ - "f983c8f0-92bc-4d73-b8d4-f8d7c7851fb0" - ], - "columns": { - "f983c8f0-92bc-4d73-b8d4-f8d7c7851fb0": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Records Read", - "operationType": "last_value", - "params": { - "sortField": "@timestamp", - "showArrayValues": true - }, - "scale": "ratio", - "sourceField": "apache_spark.executor.records.read" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "975bff6a-acfa-481f-86ba-7d697e207f65", - "key": "event.dataset", - "negate": false, - "params": { - "query": "apache_spark.executor" + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-de0d9a21-100f-4912-a985-ca42e4347241", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "3602cfcf-280e-49ef-a6ad-9e1384efa7e9", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "de0d9a21-100f-4912-a985-ca42e4347241": { + "columnOrder": [ + "b14cce00-3621-4cc5-b9c9-75f22b038c77" + ], + "columns": { + "b14cce00-3621-4cc5-b9c9-75f22b038c77": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Records Written", + "operationType": "last_value", + "params": { + "showArrayValues": true, + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "apache_spark.executor.records.written" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + 
"$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "3602cfcf-280e-49ef-a6ad-9e1384efa7e9", + "key": "apache_spark.executor.records.written", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "apache_spark.executor.records.written" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "accessor": "b14cce00-3621-4cc5-b9c9-75f22b038c77", + "layerId": "de0d9a21-100f-4912-a985-ca42e4347241", + "layerType": "data", + "size": "xl", + "textAlign": "center", + "titlePosition": "bottom" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsLegacyMetric" }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "apache_spark.executor" - } - } + "enhancements": {}, + "hidePanelTitles": true }, - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "b889078f-52b4-4fdd-8fd5-6a636ff903a6", - "key": "apache_spark.executor.records.read", - "negate": false, - "type": "exists", - "value": "exists" - }, - "query": { - "exists": { - "field": "apache_spark.executor.records.read" - } - } - } - ], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "accessor": "f983c8f0-92bc-4d73-b8d4-f8d7c7851fb0", - "layerId": "aa4bc89a-1467-4370-980f-99b6e33890d7", - "layerType": "data", - "textAlign": "center", - "titlePosition": "bottom", - "size": "xl" - } + "gridData": { + "h": 5, + "i": "ab9316b5-5728-4b03-aadb-a93e22da9257", + "w": 7, + "x": 34, + "y": 28 + }, + "panelIndex": "ab9316b5-5728-4b03-aadb-a93e22da9257", + "title": "Number of Records Written [Metrics Apache Spark]", + "type": "lens", + "version": "8.7.0" }, - "title": "", - "type": "lens", - "visualizationType": "lnsLegacyMetric" - }, - "enhancements": {}, - "hidePanelTitles": true, - "type": "lens" - }, - "title": "Number of Records Read [Metrics Apache 
Spark]" - }, - { - "version": "8.7.0", - "type": "lens", - "gridData": { - "h": 5, - "i": "ab9316b5-5728-4b03-aadb-a93e22da9257", - "w": 7, - "x": 34, - "y": 28 - }, - "panelIndex": "ab9316b5-5728-4b03-aadb-a93e22da9257", - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-de0d9a21-100f-4912-a985-ca42e4347241", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "cffd3ad8-723b-4694-bf3e-9d8a826ce05e", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "a3034e1f-cb79-4ef6-91f1-ff8b1f2510c8", - "type": "index-pattern" - } - ], - "state": { - "datasourceStates": { - "formBased": { - "layers": { - "de0d9a21-100f-4912-a985-ca42e4347241": { - "columnOrder": [ - "b14cce00-3621-4cc5-b9c9-75f22b038c77" - ], - "columns": { - "b14cce00-3621-4cc5-b9c9-75f22b038c77": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Records Written", - "operationType": "last_value", - "params": { - "sortField": "@timestamp", - "showArrayValues": true - }, - "scale": "ratio", - "sourceField": "apache_spark.executor.records.written" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "cffd3ad8-723b-4694-bf3e-9d8a826ce05e", - "key": "event.dataset", - "negate": false, - "params": { - "query": "apache_spark.executor" + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-6eefe8fe-74a8-4b9d-a786-7d9dc8ca26e6", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "86fc698f-4b5a-46c4-9387-36aab76fdbf2", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + 
"6eefe8fe-74a8-4b9d-a786-7d9dc8ca26e6": { + "columnOrder": [ + "1a987909-acd1-47bf-a0ad-4c8c046399a3" + ], + "columns": { + "1a987909-acd1-47bf-a0ad-4c8c046399a3": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Total Applications", + "operationType": "last_value", + "params": { + "showArrayValues": true, + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "apache_spark.node.main.applications.count" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "86fc698f-4b5a-46c4-9387-36aab76fdbf2", + "key": "apache_spark.node.main.applications.count", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "apache_spark.node.main.applications.count" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "accessor": "1a987909-acd1-47bf-a0ad-4c8c046399a3", + "layerId": "6eefe8fe-74a8-4b9d-a786-7d9dc8ca26e6", + "layerType": "data", + "size": "xl", + "textAlign": "center", + "titlePosition": "bottom" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsLegacyMetric" }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "apache_spark.executor" - } - } + "enhancements": {}, + "hidePanelTitles": true }, - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "a3034e1f-cb79-4ef6-91f1-ff8b1f2510c8", - "key": "apache_spark.executor.records.written", - "negate": false, - "type": "exists", - "value": "exists" - }, - "query": { - "exists": { - "field": "apache_spark.executor.records.written" - } - } - } - ], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "accessor": "b14cce00-3621-4cc5-b9c9-75f22b038c77", - "layerId": "de0d9a21-100f-4912-a985-ca42e4347241", - "layerType": "data", - 
"textAlign": "center", - "titlePosition": "bottom", - "size": "xl" - } + "gridData": { + "h": 5, + "i": "ab2aa190-2b49-4ec6-9479-ad4a4ade95ad", + "w": 7, + "x": 41, + "y": 28 + }, + "panelIndex": "ab2aa190-2b49-4ec6-9479-ad4a4ade95ad", + "title": "Total number of Applications [Metrics Apache Spark]", + "type": "lens", + "version": "8.7.0" }, - "title": "", - "type": "lens", - "visualizationType": "lnsLegacyMetric" - }, - "enhancements": {}, - "hidePanelTitles": true, - "type": "lens" - }, - "title": "Number of Records Written [Metrics Apache Spark]" - }, - { - "version": "8.7.0", - "type": "lens", - "gridData": { - "h": 5, - "i": "ab2aa190-2b49-4ec6-9479-ad4a4ade95ad", - "w": 7, - "x": 41, - "y": 28 - }, - "panelIndex": "ab2aa190-2b49-4ec6-9479-ad4a4ade95ad", - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-6eefe8fe-74a8-4b9d-a786-7d9dc8ca26e6", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "6fdd6b46-a1d0-470b-bf9a-527dc0444653", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "948085ee-3b01-4c26-8bb4-b3c40b02049d", - "type": "index-pattern" - } - ], - "state": { - "datasourceStates": { - "formBased": { - "layers": { - "6eefe8fe-74a8-4b9d-a786-7d9dc8ca26e6": { - "columnOrder": [ - "1a987909-acd1-47bf-a0ad-4c8c046399a3" - ], - "columns": { - "1a987909-acd1-47bf-a0ad-4c8c046399a3": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Total Applications", - "operationType": "last_value", - "params": { - "sortField": "@timestamp", - "showArrayValues": true - }, - "scale": "ratio", - "sourceField": "apache_spark.node.main.applications.count" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": 
"6fdd6b46-a1d0-470b-bf9a-527dc0444653", - "key": "event.dataset", - "negate": false, - "params": { - "query": "apache_spark.node" + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-530fc85b-0ba7-4f65-862b-a303af533c19", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "3823aee8-bc88-4d1c-a2e5-7ce36d8e7f68", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "530fc85b-0ba7-4f65-862b-a303af533c19": { + "columnOrder": [ + "759453c2-c093-4aed-8bb4-3e873849ff92" + ], + "columns": { + "759453c2-c093-4aed-8bb4-3e873849ff92": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Workers Alive", + "operationType": "last_value", + "params": { + "showArrayValues": true, + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "apache_spark.node.main.workers.alive" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "3823aee8-bc88-4d1c-a2e5-7ce36d8e7f68", + "key": "apache_spark.node.main.workers.alive", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "apache_spark.node.main.workers.alive" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "accessor": "759453c2-c093-4aed-8bb4-3e873849ff92", + "layerId": "530fc85b-0ba7-4f65-862b-a303af533c19", + "layerType": "data", + "size": "xl", + "textAlign": "center", + "titlePosition": "bottom" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsLegacyMetric" }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "apache_spark.node" - } - } + "enhancements": {}, + "hidePanelTitles": true }, - { - "$state": { - "store": "appState" - }, - "meta": 
{ - "alias": null, - "disabled": false, - "index": "948085ee-3b01-4c26-8bb4-b3c40b02049d", - "key": "apache_spark.node.main.applications.count", - "negate": false, - "type": "exists", - "value": "exists" - }, - "query": { - "exists": { - "field": "apache_spark.node.main.applications.count" - } - } - } - ], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "accessor": "1a987909-acd1-47bf-a0ad-4c8c046399a3", - "layerId": "6eefe8fe-74a8-4b9d-a786-7d9dc8ca26e6", - "layerType": "data", - "textAlign": "center", - "titlePosition": "bottom", - "size": "xl" - } + "gridData": { + "h": 6, + "i": "cfbdf185-1437-478f-a856-eedbe62d1de2", + "w": 8, + "x": 26, + "y": 33 + }, + "panelIndex": "cfbdf185-1437-478f-a856-eedbe62d1de2", + "title": "Number of Workers Alive [Metrics Apache Spark]", + "type": "lens", + "version": "8.7.0" }, - "title": "", - "type": "lens", - "visualizationType": "lnsLegacyMetric" - }, - "enhancements": {}, - "hidePanelTitles": true, - "type": "lens" - }, - "title": "Total number of Applications [Metrics Apache Spark]" - }, - { - "version": "8.7.0", - "type": "lens", - "gridData": { - "h": 6, - "i": "cfbdf185-1437-478f-a856-eedbe62d1de2", - "w": 8, - "x": 26, - "y": 33 - }, - "panelIndex": "cfbdf185-1437-478f-a856-eedbe62d1de2", - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-530fc85b-0ba7-4f65-862b-a303af533c19", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "e76b86a5-b6ba-4537-a0d1-046096a9807d", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "d950973c-f5b8-4aae-857a-e8eccbecd2d6", - "type": "index-pattern" - } - ], - "state": { - "datasourceStates": { - "formBased": { - "layers": { - "530fc85b-0ba7-4f65-862b-a303af533c19": { - "columnOrder": [ - "759453c2-c093-4aed-8bb4-3e873849ff92" - ], - "columns": 
{ - "759453c2-c093-4aed-8bb4-3e873849ff92": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Workers Alive", - "operationType": "last_value", - "params": { - "sortField": "@timestamp", - "showArrayValues": true - }, - "scale": "ratio", - "sourceField": "apache_spark.node.main.workers.alive" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "e76b86a5-b6ba-4537-a0d1-046096a9807d", - "key": "event.dataset", - "negate": false, - "params": { - "query": "apache_spark.node" + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-148ce684-6f54-430c-9b71-69989419abd4", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "148ce684-6f54-430c-9b71-69989419abd4": { + "columnOrder": [ + "47b92b87-6745-4aa9-86cb-988e730f8db0", + "9baa45f5-7118-4b46-a1f7-9dde678df6f0" + ], + "columns": { + "47b92b87-6745-4aa9-86cb-988e730f8db0": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Application Source Status", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "9baa45f5-7118-4b46-a1f7-9dde678df6f0", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "apache_spark.application.status" + }, + "9baa45f5-7118-4b46-a1f7-9dde678df6f0": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Application Name", + "operationType": "unique_count", + "scale": "ratio", + "sourceField": "apache_spark.application.name" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + 
"visualization": { + "layers": [ + { + "categoryDisplay": "default", + "emptySizeRatio": 0.54, + "layerId": "148ce684-6f54-430c-9b71-69989419abd4", + "layerType": "data", + "legendDisplay": "show", + "legendSize": "auto", + "metrics": [ + "9baa45f5-7118-4b46-a1f7-9dde678df6f0" + ], + "nestedLegend": false, + "numberDisplay": "hidden", + "primaryGroups": [ + "47b92b87-6745-4aa9-86cb-988e730f8db0" + ] + } + ], + "shape": "donut" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "apache_spark.node" + "enhancements": {}, + "vis": { + "legendOpen": true } - } }, - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "d950973c-f5b8-4aae-857a-e8eccbecd2d6", - "key": "apache_spark.node.main.workers.alive", - "negate": false, - "type": "exists", - "value": "exists" - }, - "query": { - "exists": { - "field": "apache_spark.node.main.workers.alive" - } - } - } - ], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "accessor": "759453c2-c093-4aed-8bb4-3e873849ff92", - "layerId": "530fc85b-0ba7-4f65-862b-a303af533c19", - "layerType": "data", - "textAlign": "center", - "titlePosition": "bottom", - "size": "xl" - } + "gridData": { + "h": 12, + "i": "78e81e12-c659-4d89-a80d-14ec4e49368a", + "w": 14, + "x": 34, + "y": 33 + }, + "panelIndex": "78e81e12-c659-4d89-a80d-14ec4e49368a", + "title": "Application Source Status [Metrics Apache Spark]", + "type": "lens", + "version": "8.7.0" }, - "title": "", - "type": "lens", - "visualizationType": "lnsLegacyMetric" - }, - "enhancements": {}, - "hidePanelTitles": true, - "type": "lens" - }, - "title": "Number of Workers Alive [Metrics Apache Spark]" - }, - { - "version": "8.7.0", - "type": "lens", - "gridData": { - "h": 12, - "i": "78e81e12-c659-4d89-a80d-14ec4e49368a", - "w": 14, - "x": 34, - "y": 33 - }, - "panelIndex": "78e81e12-c659-4d89-a80d-14ec4e49368a", - 
"embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-148ce684-6f54-430c-9b71-69989419abd4", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "c7bd1bca-ca54-4168-8ed5-2e45bd906d13", - "type": "index-pattern" - } - ], - "state": { - "datasourceStates": { - "formBased": { - "layers": { - "148ce684-6f54-430c-9b71-69989419abd4": { - "columnOrder": [ - "47b92b87-6745-4aa9-86cb-988e730f8db0", - "9baa45f5-7118-4b46-a1f7-9dde678df6f0" - ], - "columns": { - "47b92b87-6745-4aa9-86cb-988e730f8db0": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Application Source Status", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "columnId": "9baa45f5-7118-4b46-a1f7-9dde678df6f0", - "type": "column" + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-87763c10-0d2a-4ff0-afb1-4d261c6c52de", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "b18d5ce8-13ab-49d8-9247-9c4ac4aef5df", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "87763c10-0d2a-4ff0-afb1-4d261c6c52de": { + "columnOrder": [ + "0c759a6f-eef3-4849-81bb-9482134df3c0" + ], + "columns": { + "0c759a6f-eef3-4849-81bb-9482134df3c0": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Number of Cores Used", + "operationType": "last_value", + "params": { + "showArrayValues": true, + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "apache_spark.node.worker.cores.used" + } + }, + "incompleteColumns": {} + } + } + } }, - "orderDirection": "desc", - "otherBucket": false, - "parentFormat": { - "id": "terms" + "filters": [ + { + "$state": { + "store": 
"appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "b18d5ce8-13ab-49d8-9247-9c4ac4aef5df", + "key": "apache_spark.node.worker.cores.used", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "apache_spark.node.worker.cores.used" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" }, - "size": 5 - }, - "scale": "ordinal", - "sourceField": "apache_spark.application.status" + "visualization": { + "accessor": "0c759a6f-eef3-4849-81bb-9482134df3c0", + "layerId": "87763c10-0d2a-4ff0-afb1-4d261c6c52de", + "layerType": "data", + "size": "xl", + "textAlign": "center", + "titlePosition": "bottom" + } }, - "9baa45f5-7118-4b46-a1f7-9dde678df6f0": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Application Name", - "operationType": "unique_count", - "scale": "ratio", - "sourceField": "apache_spark.application.name" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "c7bd1bca-ca54-4168-8ed5-2e45bd906d13", - "key": "event.dataset", - "negate": false, - "params": { - "query": "apache_spark.application" + "title": "", + "type": "lens", + "visualizationType": "lnsLegacyMetric" }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "apache_spark.application" - } - } - } - ], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "layers": [ - { - "categoryDisplay": "default", - "emptySizeRatio": 0.54, - "layerId": "148ce684-6f54-430c-9b71-69989419abd4", - "layerType": "data", - "legendDisplay": "show", - "nestedLegend": false, - "numberDisplay": "hidden", - "legendSize": "auto", - "primaryGroups": [ - "47b92b87-6745-4aa9-86cb-988e730f8db0" - ], - "metrics": [ - "9baa45f5-7118-4b46-a1f7-9dde678df6f0" - ] - } - ], - "shape": "donut" - } + "enhancements": {}, + 
"hidePanelTitles": true, + "vis": null + }, + "gridData": { + "h": 9, + "i": "fa3bca1d-df9c-4e2b-8785-cfe9211a7843", + "w": 13, + "x": 0, + "y": 36 + }, + "panelIndex": "fa3bca1d-df9c-4e2b-8785-cfe9211a7843", + "title": "Number of Cores used [Metrics Apache Spark]", + "type": "lens", + "version": "8.7.0" }, - "title": "", - "type": "lens", - "visualizationType": "lnsPie" - }, - "enhancements": {}, - "vis": { - "legendOpen": true - }, - "type": "lens" - }, - "title": "Application Source Status [Metrics Apache Spark]" - }, - { - "version": "8.7.0", - "type": "lens", - "gridData": { - "h": 9, - "i": "fa3bca1d-df9c-4e2b-8785-cfe9211a7843", - "w": 13, - "x": 0, - "y": 36 - }, - "panelIndex": "fa3bca1d-df9c-4e2b-8785-cfe9211a7843", - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-87763c10-0d2a-4ff0-afb1-4d261c6c52de", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "7c76ed08-e31a-4d5a-a8a3-d6f7763d3c40", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "fffcc31c-dfa7-4d03-baf5-d0c48357153f", - "type": "index-pattern" - } - ], - "state": { - "datasourceStates": { - "formBased": { - "layers": { - "87763c10-0d2a-4ff0-afb1-4d261c6c52de": { - "columnOrder": [ - "0c759a6f-eef3-4849-81bb-9482134df3c0" - ], - "columns": { - "0c759a6f-eef3-4849-81bb-9482134df3c0": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Number of Cores Used", - "operationType": "last_value", - "params": { - "sortField": "@timestamp", - "showArrayValues": true - }, - "scale": "ratio", - "sourceField": "apache_spark.node.worker.cores.used" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "7c76ed08-e31a-4d5a-a8a3-d6f7763d3c40", - 
"key": "event.dataset", - "negate": false, - "params": { - "query": "apache_spark.node" + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-7a60dd89-db58-4e7e-b73a-139574b69402", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "4c2f45a1-1487-45a7-a9f8-a402910cbb5c", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "7a60dd89-db58-4e7e-b73a-139574b69402": { + "columnOrder": [ + "2001af6a-ebf0-4acc-afe2-d58db49ee160" + ], + "columns": { + "2001af6a-ebf0-4acc-afe2-d58db49ee160": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Memory Used (MB)", + "operationType": "last_value", + "params": { + "showArrayValues": true, + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "apache_spark.node.worker.memory.used" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "4c2f45a1-1487-45a7-a9f8-a402910cbb5c", + "key": "apache_spark.node.worker.memory.used", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "apache_spark.node.worker.memory.used" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "accessor": "2001af6a-ebf0-4acc-afe2-d58db49ee160", + "layerId": "7a60dd89-db58-4e7e-b73a-139574b69402", + "layerType": "data", + "size": "xl", + "textAlign": "center", + "titlePosition": "bottom" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsLegacyMetric" }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "apache_spark.node" - } - } + "enhancements": {}, + "hidePanelTitles": true, + "vis": null }, - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - 
"disabled": false, - "index": "fffcc31c-dfa7-4d03-baf5-d0c48357153f", - "key": "apache_spark.node.worker.cores.used", - "negate": false, - "type": "exists", - "value": "exists" - }, - "query": { - "exists": { - "field": "apache_spark.node.worker.cores.used" - } - } - } - ], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "accessor": "0c759a6f-eef3-4849-81bb-9482134df3c0", - "layerId": "87763c10-0d2a-4ff0-afb1-4d261c6c52de", - "layerType": "data", - "textAlign": "center", - "titlePosition": "bottom", - "size": "xl" - } + "gridData": { + "h": 9, + "i": "18c0d3d3-912f-42e4-a322-a5fcaa9002b0", + "w": 13, + "x": 13, + "y": 36 + }, + "panelIndex": "18c0d3d3-912f-42e4-a322-a5fcaa9002b0", + "title": "Memory Used [Metrics Apache Spark]", + "type": "lens", + "version": "8.7.0" }, - "title": "", - "type": "lens", - "visualizationType": "lnsLegacyMetric" - }, - "enhancements": {}, - "hidePanelTitles": true, - "vis": null, - "type": "lens" - }, - "title": "Number of Cores used [Metrics Apache Spark]" - }, - { - "version": "8.7.0", - "type": "lens", - "gridData": { - "h": 9, - "i": "18c0d3d3-912f-42e4-a322-a5fcaa9002b0", - "w": 13, - "x": 13, - "y": 36 - }, - "panelIndex": "18c0d3d3-912f-42e4-a322-a5fcaa9002b0", - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-7a60dd89-db58-4e7e-b73a-139574b69402", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "a871806a-160b-4da4-bcd5-700175899a73", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "55f22446-ec98-430e-b92e-0660335ab2d9", - "type": "index-pattern" - } - ], - "state": { - "datasourceStates": { - "formBased": { - "layers": { - "7a60dd89-db58-4e7e-b73a-139574b69402": { - "columnOrder": [ - "2001af6a-ebf0-4acc-afe2-d58db49ee160" - ], - "columns": { - 
"2001af6a-ebf0-4acc-afe2-d58db49ee160": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Memory Used (MB)", - "operationType": "last_value", - "params": { - "sortField": "@timestamp", - "showArrayValues": true - }, - "scale": "ratio", - "sourceField": "apache_spark.node.worker.memory.used" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "a871806a-160b-4da4-bcd5-700175899a73", - "key": "event.dataset", - "negate": false, - "params": { - "query": "apache_spark.node" + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-340a830f-a169-4a46-959d-6471aac521f9", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "31447df0-e71d-4c6d-a410-9e456564b03b", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "340a830f-a169-4a46-959d-6471aac521f9": { + "columnOrder": [ + "fa33204d-6b0a-45ee-8a54-480191ba2782" + ], + "columns": { + "fa33204d-6b0a-45ee-8a54-480191ba2782": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Total Workers", + "operationType": "last_value", + "params": { + "showArrayValues": true, + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "apache_spark.node.main.workers.count" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "31447df0-e71d-4c6d-a410-9e456564b03b", + "key": "apache_spark.node.main.workers.count", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "apache_spark.node.main.workers.count" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + 
"visualization": { + "accessor": "fa33204d-6b0a-45ee-8a54-480191ba2782", + "layerId": "340a830f-a169-4a46-959d-6471aac521f9", + "layerType": "data", + "size": "xl", + "textAlign": "center", + "titlePosition": "bottom" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsLegacyMetric" }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "apache_spark.node" - } - } + "enhancements": {}, + "hidePanelTitles": true }, - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "55f22446-ec98-430e-b92e-0660335ab2d9", - "key": "apache_spark.node.worker.memory.used", - "negate": false, - "type": "exists", - "value": "exists" - }, - "query": { - "exists": { - "field": "apache_spark.node.worker.memory.used" - } - } - } - ], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "accessor": "2001af6a-ebf0-4acc-afe2-d58db49ee160", - "layerId": "7a60dd89-db58-4e7e-b73a-139574b69402", - "layerType": "data", - "textAlign": "center", - "titlePosition": "bottom", - "size": "xl" - } - }, - "title": "", - "type": "lens", - "visualizationType": "lnsLegacyMetric" - }, - "enhancements": {}, - "hidePanelTitles": true, - "vis": null, - "type": "lens" + "gridData": { + "h": 6, + "i": "54e6714e-c9b2-4e0b-85f4-500ca898eb4d", + "w": 8, + "x": 26, + "y": 39 + }, + "panelIndex": "54e6714e-c9b2-4e0b-85f4-500ca898eb4d", + "title": "Total Workers [Metrics Apache Spark]", + "type": "lens", + "version": "8.7.0" + } + ], + "timeRestore": false, + "title": "[Metrics Apache Spark] Overview", + "version": 1 + }, + "coreMigrationVersion": "8.7.0", + "created_at": "2024-04-10T15:56:11.148Z", + "id": "apache_spark-b22dc960-a06c-11ec-8d4f-4fe3367a4156", + "migrationVersion": { + "dashboard": "8.7.0" + }, + "references": [ + { + "id": "metrics-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" }, - "title": "Memory Used [Metrics Apache Spark]" - }, 
- { - "version": "8.7.0", - "type": "lens", - "gridData": { - "h": 6, - "i": "54e6714e-c9b2-4e0b-85f4-500ca898eb4d", - "w": 8, - "x": 26, - "y": 39 + { + "id": "metrics-*", + "name": "a3339a86-6f2b-4f1a-85b8-4619c417a110:indexpattern-datasource-layer-d7cd2d50-503d-48cc-b9d1-77da873349ef", + "type": "index-pattern" }, - "panelIndex": "54e6714e-c9b2-4e0b-85f4-500ca898eb4d", - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-340a830f-a169-4a46-959d-6471aac521f9", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "1723d45d-1e3e-422c-921d-06a9ad1d3309", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "59410b0e-e834-4387-b6a8-dd1e252c87c9", - "type": "index-pattern" - } - ], - "state": { - "datasourceStates": { - "formBased": { - "layers": { - "340a830f-a169-4a46-959d-6471aac521f9": { - "columnOrder": [ - "fa33204d-6b0a-45ee-8a54-480191ba2782" - ], - "columns": { - "fa33204d-6b0a-45ee-8a54-480191ba2782": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Total Workers", - "operationType": "last_value", - "params": { - "sortField": "@timestamp", - "showArrayValues": true - }, - "scale": "ratio", - "sourceField": "apache_spark.node.main.workers.count" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "1723d45d-1e3e-422c-921d-06a9ad1d3309", - "key": "event.dataset", - "negate": false, - "params": { - "query": "apache_spark.node" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "apache_spark.node" - } - } - }, - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "59410b0e-e834-4387-b6a8-dd1e252c87c9", - "key": 
"apache_spark.node.main.workers.count", - "negate": false, - "type": "exists", - "value": "exists" - }, - "query": { - "exists": { - "field": "apache_spark.node.main.workers.count" - } - } - } - ], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "accessor": "fa33204d-6b0a-45ee-8a54-480191ba2782", - "layerId": "340a830f-a169-4a46-959d-6471aac521f9", - "layerType": "data", - "textAlign": "center", - "titlePosition": "bottom", - "size": "xl" - } - }, - "title": "", - "type": "lens", - "visualizationType": "lnsLegacyMetric" - }, - "enhancements": {}, - "hidePanelTitles": true, - "type": "lens" + { + "id": "metrics-*", + "name": "a3339a86-6f2b-4f1a-85b8-4619c417a110:f1fa5d56-79c5-4410-acee-4363edcc3b52", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "2943002d-504e-4a30-a581-cd92fd621fe1:indexpattern-datasource-layer-37e4c96b-3ba5-4033-9727-fad41089931d", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "2943002d-504e-4a30-a581-cd92fd621fe1:9a5b37cb-eea9-4078-8237-c5a920e37075", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "784e4a18-20e7-48ef-8737-3a8a4643c4fe:indexpattern-datasource-layer-bb1faa77-fef6-486c-aaf9-ec1411bdad13", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "784e4a18-20e7-48ef-8737-3a8a4643c4fe:b6da6da2-e44f-4c9b-86f1-3314d21ad564", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "19bd059b-ca79-4fb0-b450-f8adeb8acc8f:indexpattern-datasource-layer-6fc27bd4-9bc3-4233-9b1d-61df80582ad8", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "19bd059b-ca79-4fb0-b450-f8adeb8acc8f:f847ce79-3f28-48ad-bdfe-383de0a679a2", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "f84a1cd9-1b4b-484e-87f7-953c2f645570:indexpattern-datasource-layer-df39527d-9339-47cb-9833-2e3d3ccc9c30", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": 
"64cbf207-795a-4818-915c-137eaebc6198:indexpattern-datasource-layer-efa9fcdd-f421-4c27-a85b-3a6d2512a09d", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "64cbf207-795a-4818-915c-137eaebc6198:8977b3b6-d4be-4dfa-9afa-fa3b31be4c89", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "62c6f93e-b6c1-4004-b780-535ed730ebaa:indexpattern-datasource-layer-483b85ff-1b76-41d9-926b-25f70122ef28", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "62c6f93e-b6c1-4004-b780-535ed730ebaa:830070a2-3bf5-40df-a57d-1094cfef42f3", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "bb9eb57d-fbf2-41a4-8187-5cead0c80faa:indexpattern-datasource-layer-aec1fa6a-6818-41f0-862a-8c7feed2ea3e", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "bb9eb57d-fbf2-41a4-8187-5cead0c80faa:b5592314-e99b-4ef7-bc6d-69993664fb6f", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "b5caa5d1-221e-400d-a11a-ea539f1f4546:indexpattern-datasource-layer-df39527d-9339-47cb-9833-2e3d3ccc9c30", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "7a729bca-db45-4ffe-b1bf-51fdc30e3b18:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "7a729bca-db45-4ffe-b1bf-51fdc30e3b18:indexpattern-datasource-layer-3a277aff-7c7b-443b-bccf-271cb4486f72", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "7a729bca-db45-4ffe-b1bf-51fdc30e3b18:e2038555-6ef6-4a33-b50c-c175b2ebbe02", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "0595e44f-e6b0-4d93-868f-040f2eb0de31:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" }, - "title": "Total Workers [Metrics Apache Spark]" - } + { + "id": "metrics-*", + "name": "0595e44f-e6b0-4d93-868f-040f2eb0de31:indexpattern-datasource-layer-5d66805e-b15a-4a65-b914-128afac75b09", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": 
"0595e44f-e6b0-4d93-868f-040f2eb0de31:f4140b61-62cd-4abe-a34e-bb7a1d14fefb", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "ab8c87f3-ec56-4ddc-b0b0-7bb8a21366c2:indexpattern-datasource-layer-d4698267-4169-47b1-81cd-17bd8621879f", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "ab8c87f3-ec56-4ddc-b0b0-7bb8a21366c2:0b721af7-4c9c-4e69-8463-955e33a1b646", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "75c23769-a2bd-4825-b20a-d140aeb36175:indexpattern-datasource-layer-aa4bc89a-1467-4370-980f-99b6e33890d7", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "75c23769-a2bd-4825-b20a-d140aeb36175:f4a2fb8e-abca-4281-a05d-0674a52289b5", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "ab9316b5-5728-4b03-aadb-a93e22da9257:indexpattern-datasource-layer-de0d9a21-100f-4912-a985-ca42e4347241", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "ab9316b5-5728-4b03-aadb-a93e22da9257:3602cfcf-280e-49ef-a6ad-9e1384efa7e9", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "ab2aa190-2b49-4ec6-9479-ad4a4ade95ad:indexpattern-datasource-layer-6eefe8fe-74a8-4b9d-a786-7d9dc8ca26e6", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "ab2aa190-2b49-4ec6-9479-ad4a4ade95ad:86fc698f-4b5a-46c4-9387-36aab76fdbf2", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "cfbdf185-1437-478f-a856-eedbe62d1de2:indexpattern-datasource-layer-530fc85b-0ba7-4f65-862b-a303af533c19", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "cfbdf185-1437-478f-a856-eedbe62d1de2:3823aee8-bc88-4d1c-a2e5-7ce36d8e7f68", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "78e81e12-c659-4d89-a80d-14ec4e49368a:indexpattern-datasource-layer-148ce684-6f54-430c-9b71-69989419abd4", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": 
"fa3bca1d-df9c-4e2b-8785-cfe9211a7843:indexpattern-datasource-layer-87763c10-0d2a-4ff0-afb1-4d261c6c52de", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "fa3bca1d-df9c-4e2b-8785-cfe9211a7843:b18d5ce8-13ab-49d8-9247-9c4ac4aef5df", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "18c0d3d3-912f-42e4-a322-a5fcaa9002b0:indexpattern-datasource-layer-7a60dd89-db58-4e7e-b73a-139574b69402", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "18c0d3d3-912f-42e4-a322-a5fcaa9002b0:4c2f45a1-1487-45a7-a9f8-a402910cbb5c", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "54e6714e-c9b2-4e0b-85f4-500ca898eb4d:indexpattern-datasource-layer-340a830f-a169-4a46-959d-6471aac521f9", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "54e6714e-c9b2-4e0b-85f4-500ca898eb4d:31447df0-e71d-4c6d-a410-9e456564b03b", + "type": "index-pattern" + } ], - "timeRestore": false, - "title": "[Metrics Apache Spark] Overview", - "version": 1 - }, - "references": [ - { - "id": "metrics-*", - "name": "a3339a86-6f2b-4f1a-85b8-4619c417a110:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "a3339a86-6f2b-4f1a-85b8-4619c417a110:indexpattern-datasource-layer-d7cd2d50-503d-48cc-b9d1-77da873349ef", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "a3339a86-6f2b-4f1a-85b8-4619c417a110:9857a495-b7e6-4893-93e6-f16c050e0e41", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "a3339a86-6f2b-4f1a-85b8-4619c417a110:d59683b7-5f29-46b9-b01b-20b6aea422fe", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "2943002d-504e-4a30-a581-cd92fd621fe1:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "2943002d-504e-4a30-a581-cd92fd621fe1:indexpattern-datasource-layer-37e4c96b-3ba5-4033-9727-fad41089931d", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": 
"2943002d-504e-4a30-a581-cd92fd621fe1:8198873e-cf0a-43cf-8cd0-cd42a8df02c5", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "2943002d-504e-4a30-a581-cd92fd621fe1:5df2fe94-f51b-44f9-b922-75663cb6996a", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "784e4a18-20e7-48ef-8737-3a8a4643c4fe:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "784e4a18-20e7-48ef-8737-3a8a4643c4fe:indexpattern-datasource-layer-bb1faa77-fef6-486c-aaf9-ec1411bdad13", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "784e4a18-20e7-48ef-8737-3a8a4643c4fe:603b47e3-4608-4094-8826-f923eab506a8", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "784e4a18-20e7-48ef-8737-3a8a4643c4fe:4a09ba27-dc93-43cf-be91-0632bc81cb47", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "19bd059b-ca79-4fb0-b450-f8adeb8acc8f:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "19bd059b-ca79-4fb0-b450-f8adeb8acc8f:indexpattern-datasource-layer-6fc27bd4-9bc3-4233-9b1d-61df80582ad8", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "19bd059b-ca79-4fb0-b450-f8adeb8acc8f:7e8d1def-772c-494c-b14e-eae96e52b074", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "19bd059b-ca79-4fb0-b450-f8adeb8acc8f:c5b629cf-0836-49ff-a409-23cb47735f02", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "f84a1cd9-1b4b-484e-87f7-953c2f645570:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "f84a1cd9-1b4b-484e-87f7-953c2f645570:indexpattern-datasource-layer-df39527d-9339-47cb-9833-2e3d3ccc9c30", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "f84a1cd9-1b4b-484e-87f7-953c2f645570:787550e5-b4cd-4892-babc-4f3d33c078ec", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": 
"64cbf207-795a-4818-915c-137eaebc6198:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "64cbf207-795a-4818-915c-137eaebc6198:indexpattern-datasource-layer-efa9fcdd-f421-4c27-a85b-3a6d2512a09d", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "64cbf207-795a-4818-915c-137eaebc6198:b8679379-0bbe-4028-b3e7-2cc0f84fa045", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "64cbf207-795a-4818-915c-137eaebc6198:97467acb-706a-4078-ae1a-ac6ab5fd47d7", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "62c6f93e-b6c1-4004-b780-535ed730ebaa:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "62c6f93e-b6c1-4004-b780-535ed730ebaa:indexpattern-datasource-layer-483b85ff-1b76-41d9-926b-25f70122ef28", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "62c6f93e-b6c1-4004-b780-535ed730ebaa:509e9888-4307-45b6-9c04-5b7feafeef87", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "62c6f93e-b6c1-4004-b780-535ed730ebaa:df5be9fa-fb96-4da2-a042-71b37b7c3275", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "bb9eb57d-fbf2-41a4-8187-5cead0c80faa:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "bb9eb57d-fbf2-41a4-8187-5cead0c80faa:indexpattern-datasource-layer-aec1fa6a-6818-41f0-862a-8c7feed2ea3e", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "bb9eb57d-fbf2-41a4-8187-5cead0c80faa:3fe0b162-ec79-4815-895a-79ac382ca1d7", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "bb9eb57d-fbf2-41a4-8187-5cead0c80faa:62857a2d-669f-4c70-9f92-dcab405c9f9a", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "b5caa5d1-221e-400d-a11a-ea539f1f4546:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": 
"b5caa5d1-221e-400d-a11a-ea539f1f4546:indexpattern-datasource-layer-df39527d-9339-47cb-9833-2e3d3ccc9c30", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "b5caa5d1-221e-400d-a11a-ea539f1f4546:1215080a-2795-41e4-a618-d54b0e020cbc", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "ab8c87f3-ec56-4ddc-b0b0-7bb8a21366c2:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "ab8c87f3-ec56-4ddc-b0b0-7bb8a21366c2:indexpattern-datasource-layer-d4698267-4169-47b1-81cd-17bd8621879f", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "ab8c87f3-ec56-4ddc-b0b0-7bb8a21366c2:171181c8-0b9a-4664-85cb-0e8b82132b7a", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "ab8c87f3-ec56-4ddc-b0b0-7bb8a21366c2:6ffc819a-ab7a-43bd-aa18-dbd327428425", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "75c23769-a2bd-4825-b20a-d140aeb36175:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "75c23769-a2bd-4825-b20a-d140aeb36175:indexpattern-datasource-layer-aa4bc89a-1467-4370-980f-99b6e33890d7", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "75c23769-a2bd-4825-b20a-d140aeb36175:975bff6a-acfa-481f-86ba-7d697e207f65", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "75c23769-a2bd-4825-b20a-d140aeb36175:b889078f-52b4-4fdd-8fd5-6a636ff903a6", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "ab9316b5-5728-4b03-aadb-a93e22da9257:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "ab9316b5-5728-4b03-aadb-a93e22da9257:indexpattern-datasource-layer-de0d9a21-100f-4912-a985-ca42e4347241", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "ab9316b5-5728-4b03-aadb-a93e22da9257:cffd3ad8-723b-4694-bf3e-9d8a826ce05e", - "type": "index-pattern" - }, - { - "id": "metrics-*", - 
"name": "ab9316b5-5728-4b03-aadb-a93e22da9257:a3034e1f-cb79-4ef6-91f1-ff8b1f2510c8", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "ab2aa190-2b49-4ec6-9479-ad4a4ade95ad:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "ab2aa190-2b49-4ec6-9479-ad4a4ade95ad:indexpattern-datasource-layer-6eefe8fe-74a8-4b9d-a786-7d9dc8ca26e6", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "ab2aa190-2b49-4ec6-9479-ad4a4ade95ad:6fdd6b46-a1d0-470b-bf9a-527dc0444653", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "ab2aa190-2b49-4ec6-9479-ad4a4ade95ad:948085ee-3b01-4c26-8bb4-b3c40b02049d", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "cfbdf185-1437-478f-a856-eedbe62d1de2:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "cfbdf185-1437-478f-a856-eedbe62d1de2:indexpattern-datasource-layer-530fc85b-0ba7-4f65-862b-a303af533c19", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "cfbdf185-1437-478f-a856-eedbe62d1de2:e76b86a5-b6ba-4537-a0d1-046096a9807d", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "cfbdf185-1437-478f-a856-eedbe62d1de2:d950973c-f5b8-4aae-857a-e8eccbecd2d6", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "78e81e12-c659-4d89-a80d-14ec4e49368a:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "78e81e12-c659-4d89-a80d-14ec4e49368a:indexpattern-datasource-layer-148ce684-6f54-430c-9b71-69989419abd4", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "78e81e12-c659-4d89-a80d-14ec4e49368a:c7bd1bca-ca54-4168-8ed5-2e45bd906d13", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "fa3bca1d-df9c-4e2b-8785-cfe9211a7843:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": 
"fa3bca1d-df9c-4e2b-8785-cfe9211a7843:indexpattern-datasource-layer-87763c10-0d2a-4ff0-afb1-4d261c6c52de", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "fa3bca1d-df9c-4e2b-8785-cfe9211a7843:7c76ed08-e31a-4d5a-a8a3-d6f7763d3c40", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "fa3bca1d-df9c-4e2b-8785-cfe9211a7843:fffcc31c-dfa7-4d03-baf5-d0c48357153f", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "18c0d3d3-912f-42e4-a322-a5fcaa9002b0:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "18c0d3d3-912f-42e4-a322-a5fcaa9002b0:indexpattern-datasource-layer-7a60dd89-db58-4e7e-b73a-139574b69402", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "18c0d3d3-912f-42e4-a322-a5fcaa9002b0:a871806a-160b-4da4-bcd5-700175899a73", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "18c0d3d3-912f-42e4-a322-a5fcaa9002b0:55f22446-ec98-430e-b92e-0660335ab2d9", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "54e6714e-c9b2-4e0b-85f4-500ca898eb4d:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "54e6714e-c9b2-4e0b-85f4-500ca898eb4d:indexpattern-datasource-layer-340a830f-a169-4a46-959d-6471aac521f9", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "54e6714e-c9b2-4e0b-85f4-500ca898eb4d:1723d45d-1e3e-422c-921d-06a9ad1d3309", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "54e6714e-c9b2-4e0b-85f4-500ca898eb4d:59410b0e-e834-4387-b6a8-dd1e252c87c9", - "type": "index-pattern" - }, - { - "type": "index-pattern", - "name": "7a729bca-db45-4ffe-b1bf-51fdc30e3b18:indexpattern-datasource-current-indexpattern", - "id": "metrics-*" - }, - { - "type": "index-pattern", - "name": "7a729bca-db45-4ffe-b1bf-51fdc30e3b18:indexpattern-datasource-layer-3a277aff-7c7b-443b-bccf-271cb4486f72", - "id": "metrics-*" - }, - { - "type": "index-pattern", 
- "name": "7a729bca-db45-4ffe-b1bf-51fdc30e3b18:e2038555-6ef6-4a33-b50c-c175b2ebbe02", - "id": "metrics-*" - }, - { - "type": "index-pattern", - "name": "0595e44f-e6b0-4d93-868f-040f2eb0de31:indexpattern-datasource-current-indexpattern", - "id": "metrics-*" - }, - { - "type": "index-pattern", - "name": "0595e44f-e6b0-4d93-868f-040f2eb0de31:indexpattern-datasource-layer-5d66805e-b15a-4a65-b914-128afac75b09", - "id": "metrics-*" - }, - { - "type": "index-pattern", - "name": "0595e44f-e6b0-4d93-868f-040f2eb0de31:f4140b61-62cd-4abe-a34e-bb7a1d14fefb", - "id": "metrics-*" - } - ], - "managed": false + "type": "dashboard" } \ No newline at end of file diff --git a/packages/apache_spark/manifest.yml b/packages/apache_spark/manifest.yml index 766a86fa8ba..ddc595dd747 100644 --- a/packages/apache_spark/manifest.yml +++ b/packages/apache_spark/manifest.yml @@ -1,7 +1,7 @@ format_version: "3.0.0" name: apache_spark title: Apache Spark -version: "1.0.3" +version: "1.1.0" description: Collect metrics from Apache Spark with Elastic Agent. type: integration categories: diff --git a/packages/apache_spark/validation.yml b/packages/apache_spark/validation.yml deleted file mode 100644 index bcc8f74ac3a..00000000000 --- a/packages/apache_spark/validation.yml +++ /dev/null @@ -1,3 +0,0 @@ -errors: - exclude_checks: - - SVR00002 diff --git a/packages/apache_tomcat/changelog.yml b/packages/apache_tomcat/changelog.yml index 0d4a868bb5f..b374941046a 100644 --- a/packages/apache_tomcat/changelog.yml +++ b/packages/apache_tomcat/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.6.0" + changes: + - description: Add global filter on data_stream.dataset to improve performance. + type: enhancement + link: https://github.com/elastic/integrations/pull/9768 - version: "1.5.1" changes: - description: Fix "Harvester Limit" and "File Handle Closure duration" configuration parameters. 
diff --git a/packages/apache_tomcat/data_stream/access/manifest.yml b/packages/apache_tomcat/data_stream/access/manifest.yml index 1e00963ce06..ef02d6b56f4 100644 --- a/packages/apache_tomcat/data_stream/access/manifest.yml +++ b/packages/apache_tomcat/data_stream/access/manifest.yml @@ -51,7 +51,6 @@ streams: required: false show_user: false default: 5m - template_path: filestream.yml.hbs title: Apache Tomcat Access logs description: Collect Apache Tomcat Access logs. diff --git a/packages/apache_tomcat/data_stream/catalina/manifest.yml b/packages/apache_tomcat/data_stream/catalina/manifest.yml index 3a07480e296..4faab58ef80 100644 --- a/packages/apache_tomcat/data_stream/catalina/manifest.yml +++ b/packages/apache_tomcat/data_stream/catalina/manifest.yml @@ -51,7 +51,7 @@ streams: description: Limits the number of harvesters that are started in parallel. More details [here](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-filestream.html#filebeat-input-filestream-harvester-limit). required: false show_user: false - default: 0 + default: 0 - name: close.on_state_change.inactive type: text title: File Handle Closure duration @@ -73,7 +73,6 @@ streams: pattern: '^\d{2}-\w{3}-\d{4}' negate: true match: after - template_path: filestream.yml.hbs title: Apache Tomcat Catalina logs description: Collect Apache Tomcat Catalina logs. diff --git a/packages/apache_tomcat/data_stream/localhost/manifest.yml b/packages/apache_tomcat/data_stream/localhost/manifest.yml index 81765caf78f..a4f51e27097 100644 --- a/packages/apache_tomcat/data_stream/localhost/manifest.yml +++ b/packages/apache_tomcat/data_stream/localhost/manifest.yml 
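Review bot: Dropping `template_path: filestream.yml.hbs` from the access stream (and again in the second catalina hunk below) makes those streams fall back to the package default template name, and no rename of the `.hbs` file is visible in this change; unless the template was renamed elsewhere in the series, the package build or the generated input configuration for these two streams will break. The localhost manifest in the next file keeps its `template_path`, so the three data streams now disagree for no stated reason. Either restore `template_path: filestream.yml.hbs` in both manifests or include the matching rename of the agent template in this change. The stream definitions these hunks belong to start above the hunks, outside this view.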
@@ -51,7 +51,7 @@ streams: description: Limits the number of harvesters that are started in parallel. More details [here](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-filestream.html#filebeat-input-filestream-harvester-limit). required: false show_user: false - default: 0 + default: 0 - name: close.on_state_change.inactive type: text title: File Handle Closure duration @@ -68,11 +68,7 @@ streams: required: false show_user: true multi: false - default: | - - multiline: - pattern: '^\d{2}-\w{3}-\d{4}' - negate: true - match: after + default: "- multiline:\n pattern: '^\\d{2}-\\w{3}-\\d{4}'\n negate: true\n match: after \n" template_path: filestream.yml.hbs title: Apache Tomcat Localhost logs description: Collect Apache Tomcat Localhost logs. diff --git a/packages/apache_tomcat/kibana/dashboard/apache_tomcat-2a331270-b8cd-11ed-a099-3791d000f969.json b/packages/apache_tomcat/kibana/dashboard/apache_tomcat-2a331270-b8cd-11ed-a099-3791d000f969.json index 1bc2443c451..823dde6a448 100644 --- a/packages/apache_tomcat/kibana/dashboard/apache_tomcat-2a331270-b8cd-11ed-a099-3791d000f969.json +++ b/packages/apache_tomcat/kibana/dashboard/apache_tomcat-2a331270-b8cd-11ed-a099-3791d000f969.json @@ -17,9 +17,9 @@ "meta": { "alias": null, "disabled": false, - "field": "event.dataset", + "field": "data_stream.dataset", "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "event.dataset", + "key": "data_stream.dataset", "negate": false, "params": { "query": "apache_tomcat.session" @@ -28,7 +28,7 @@ }, "query": { "match_phrase": { - "event.dataset": "apache_tomcat.session" + "data_stream.dataset": "apache_tomcat.session" } } } @@ -55,11 +55,6 @@ "id": "metrics-*", "name": "indexpattern-datasource-layer-0175242f-2671-474a-a828-deff61e43fb6", "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "34b8c32b-1aaf-45de-bdb4-09081617f0c8", - "type": "index-pattern" } ], "state": { 
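Review bot: The rewritten `default:` for the multiline option (`+ default: "- multiline:\n pattern: ...\n match: after \n"`) carries a trailing space before the final `\n` and, as rendered here, appears to flatten the indentation of `pattern`/`negate`/`match` under `- multiline:`; if those really are single spaces, the default the user receives is no longer a mapping nested under `multiline` and the parser settings would be silently ignored. The original block scalar (`default: |`) expressed that nesting unambiguously, so preferring the block form, or at least trimming the trailing space and round-tripping the string through a YAML parser before merging, would be safer. The whitespace may have been collapsed by this rendering, so the indentation concern is inferred rather than certain; the trailing space is visible.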
@@ -145,29 +140,7 @@ "layers": {} } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "34b8c32b-1aaf-45de-bdb4-09081617f0c8", - "key": "event.dataset", - "negate": false, - "params": { - "query": "apache_tomcat.session" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "apache_tomcat.session" - } - } - } - ], + "filters": [], "internalReferences": [], "query": { "language": "kuery", @@ -221,8 +194,7 @@ }, "panelIndex": "a39adf70-8e40-4d80-a127-a1747a75be1f", "title": "Created sessions over time [Metrics Apache Tomcat]", - "type": "lens", - "version": "8.7.0" + "type": "lens" }, { "embeddableConfig": { @@ -232,11 +204,6 @@ "id": "metrics-*", "name": "indexpattern-datasource-layer-85bb5555-4581-4120-ab66-6ce66aeb4066", "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "fa5f9b9a-65b0-452a-bcd0-1df3a33b1b3e", - "type": "index-pattern" } ], "state": { @@ -322,29 +289,7 @@ "layers": {} } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "fa5f9b9a-65b0-452a-bcd0-1df3a33b1b3e", - "key": "event.dataset", - "negate": false, - "params": { - "query": "apache_tomcat.session" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "apache_tomcat.session" - } - } - } - ], + "filters": [], "internalReferences": [], "query": { "language": "kuery", @@ -421,8 +366,7 @@ }, "panelIndex": "91d26f64-351f-420e-a37b-88a882ecba0e", "title": "Expired sessions per application [Metrics Apache Tomcat]", - "type": "lens", - "version": "8.7.0" + "type": "lens" }, { "embeddableConfig": { @@ -432,11 +376,6 @@ "id": "metrics-*", "name": "indexpattern-datasource-layer-57b12f03-6995-4072-8994-d512e5700ee4", "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "de6b5c32-5630-4877-8b24-be30c47ee9c1", - "type": "index-pattern" } ], "state": { 
@@ -522,29 +461,7 @@ "layers": {} } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "de6b5c32-5630-4877-8b24-be30c47ee9c1", - "key": "event.dataset", - "negate": false, - "params": { - "query": "apache_tomcat.session" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "apache_tomcat.session" - } - } - } - ], + "filters": [], "internalReferences": [], "query": { "language": "kuery", @@ -603,8 +520,7 @@ }, "panelIndex": "5922510e-e6a2-4f9c-aceb-83715cc3b539", "title": "Current active sessions over time [Metrics Apache Tomcat]", - "type": "lens", - "version": "8.7.0" + "type": "lens" }, { "embeddableConfig": { @@ -615,11 +531,6 @@ "id": "metrics-*", "name": "indexpattern-datasource-layer-9b0dd57c-eb2b-434c-a7d6-21a8e5e83e8b", "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "efe32f1b-651c-4ce4-a1e9-06cb0cf2d5af", - "type": "index-pattern" } ], "state": { @@ -685,29 +596,7 @@ "layers": {} } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "efe32f1b-651c-4ce4-a1e9-06cb0cf2d5af", - "key": "event.dataset", - "negate": false, - "params": { - "query": "apache_tomcat.session" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "apache_tomcat.session" - } - } - } - ], + "filters": [], "internalReferences": [], "query": { "language": "kuery", @@ -772,8 +661,7 @@ }, "panelIndex": "2d408e1c-da52-4aed-b760-812f89f48184", "title": "Session expiration processing time [Metric Apache Tomcat]", - "type": "lens", - "version": "8.7.0" + "type": "lens" }, { "embeddableConfig": { @@ -783,11 +671,6 @@ "id": "metrics-*", "name": "indexpattern-datasource-layer-8533f30a-f59a-4f19-8a60-2231660778cf", "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "1df29502-1178-4b06-b0c8-3009d0c3271b", - "type": "index-pattern" } ], "state": { 
@@ -904,29 +787,7 @@ "layers": {} } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "1df29502-1178-4b06-b0c8-3009d0c3271b", - "key": "event.dataset", - "negate": false, - "params": { - "query": "apache_tomcat.session" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "apache_tomcat.session" - } - } - } - ], + "filters": [], "internalReferences": [], "query": { "language": "kuery", @@ -985,20 +846,17 @@ }, "panelIndex": "8ce83532-0623-4974-9280-b6c56c6b0c27", "title": "Sessions overview [Metrics Apache Tomcat]", - "type": "lens", - "version": "8.7.0" + "type": "lens" } ], "timeRestore": false, "title": "[Metrics Apache Tomcat] Session", "version": 1 }, - "coreMigrationVersion": "8.7.0", - "created_at": "2023-06-09T11:27:22.150Z", + "coreMigrationVersion": "8.8.0", + "created_at": "2024-04-13T08:47:19.036Z", "id": "apache_tomcat-2a331270-b8cd-11ed-a099-3791d000f969", - "migrationVersion": { - "dashboard": "8.7.0" - }, + "managed": false, "references": [ { "id": "metrics-*", 
@@ -1010,51 +868,26 @@ "name": "a39adf70-8e40-4d80-a127-a1747a75be1f:indexpattern-datasource-layer-0175242f-2671-474a-a828-deff61e43fb6", "type": "index-pattern" }, - { - "id": "metrics-*", - "name": "a39adf70-8e40-4d80-a127-a1747a75be1f:34b8c32b-1aaf-45de-bdb4-09081617f0c8", - "type": "index-pattern" - }, { "id": "metrics-*", "name": "91d26f64-351f-420e-a37b-88a882ecba0e:indexpattern-datasource-layer-85bb5555-4581-4120-ab66-6ce66aeb4066", "type": "index-pattern" }, - { - "id": "metrics-*", - "name": "91d26f64-351f-420e-a37b-88a882ecba0e:fa5f9b9a-65b0-452a-bcd0-1df3a33b1b3e", - "type": "index-pattern" - }, { "id": "metrics-*", "name": "5922510e-e6a2-4f9c-aceb-83715cc3b539:indexpattern-datasource-layer-57b12f03-6995-4072-8994-d512e5700ee4", "type": "index-pattern" }, - { - "id": "metrics-*", - "name": "5922510e-e6a2-4f9c-aceb-83715cc3b539:de6b5c32-5630-4877-8b24-be30c47ee9c1", - "type": "index-pattern" - }, { "id": "metrics-*", "name": "2d408e1c-da52-4aed-b760-812f89f48184:indexpattern-datasource-layer-9b0dd57c-eb2b-434c-a7d6-21a8e5e83e8b", "type": "index-pattern" }, - { - "id": "metrics-*", - "name": "2d408e1c-da52-4aed-b760-812f89f48184:efe32f1b-651c-4ce4-a1e9-06cb0cf2d5af", - "type": "index-pattern" - }, { "id": "metrics-*", "name": "8ce83532-0623-4974-9280-b6c56c6b0c27:indexpattern-datasource-layer-8533f30a-f59a-4f19-8a60-2231660778cf", "type": "index-pattern" }, - { - "id": "metrics-*", - "name": "8ce83532-0623-4974-9280-b6c56c6b0c27:1df29502-1178-4b06-b0c8-3009d0c3271b", - "type": "index-pattern" - }, { "id": "metrics-*", "name": "controlGroup_48036e6b-bb5f-4779-8ff2-a0affc20a119:optionsListDataView", @@ -1066,5 +899,6 @@ "type": "index-pattern" } ], - "type": "dashboard" + "type": "dashboard", + "typeMigrationVersion": "8.9.0" } \ No newline at end of file 
diff --git a/packages/apache_tomcat/kibana/dashboard/apache_tomcat-44a8e0d0-b8f5-11ed-ac9b-cb6bcd97d223.json b/packages/apache_tomcat/kibana/dashboard/apache_tomcat-44a8e0d0-b8f5-11ed-ac9b-cb6bcd97d223.json index 4df83671119..431dbf19ec2 100644 --- a/packages/apache_tomcat/kibana/dashboard/apache_tomcat-44a8e0d0-b8f5-11ed-ac9b-cb6bcd97d223.json +++ b/packages/apache_tomcat/kibana/dashboard/apache_tomcat-44a8e0d0-b8f5-11ed-ac9b-cb6bcd97d223.json @@ -11,9 +11,9 @@ "meta": { "alias": null, "disabled": false, - "field": "event.dataset", + "field": "data_stream.dataset", "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "event.dataset", + "key": "data_stream.dataset", "negate": false, "params": { "query": "apache_tomcat.access" @@ -22,7 +22,7 @@ }, "query": { "match_phrase": { - "event.dataset": "apache_tomcat.access" + "data_stream.dataset": "apache_tomcat.access" } } } @@ -52,12 +52,7 @@ }, { "id": "logs-*", - "name": "167c0497-503a-417c-a30c-768525e8b8dc", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "8c6e9f3c-a1db-4cf0-8b30-1d860be11d98", + "name": "9e014f3c-d19f-4e8c-9992-0053e2cff960", "type": "index-pattern" } ], @@ -125,27 +120,6 @@ } }, "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "167c0497-503a-417c-a30c-768525e8b8dc", - "key": "event.dataset", - "negate": false, - "params": { - "query": "apache_tomcat.access" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "apache_tomcat.access" - } - } - }, { "$state": { "store": "appState" @@ -154,7 +128,7 @@ "alias": null, "disabled": false, "field": "http.response.status_code", - "index": "8c6e9f3c-a1db-4cf0-8b30-1d860be11d98", + "index": "9e014f3c-d19f-4e8c-9992-0053e2cff960", "key": "http.response.status_code", "negate": false, "params": { 
@@ -242,8 +216,7 @@ }, "panelIndex": "af3cd65d-02e9-477c-8b3b-45f4b717a982", "title": "Top 10 client IPs with most client errors [Logs Apache Tomcat]", - "type": "lens", - "version": "8.7.0" + "type": "lens" }, { "embeddableConfig": { @@ -256,12 +229,7 @@ }, { "id": "logs-*", - "name": "0a1fad48-e8d5-4a9b-b8bb-fc7067521d7a", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "758d6656-914a-4304-bbe7-f85474ef30b9", + "name": "5d4ff327-4d18-4187-8e53-d6216c07701f", "type": "index-pattern" } ], @@ -329,27 +297,6 @@ } }, "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "0a1fad48-e8d5-4a9b-b8bb-fc7067521d7a", - "key": "event.dataset", - "negate": false, - "params": { - "query": "apache_tomcat.access" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "apache_tomcat.access" - } - } - }, { "$state": { "store": "appState" @@ -358,7 +305,7 @@ "alias": null, "disabled": false, "field": "http.response.status_code", - "index": "758d6656-914a-4304-bbe7-f85474ef30b9", + "index": "5d4ff327-4d18-4187-8e53-d6216c07701f", "key": "http.response.status_code", "negate": false, "params": { @@ -445,8 +392,7 @@ }, "panelIndex": "30187e6e-f500-4abd-b7c7-ebc64d84e2d9", "title": "Top 10 client IPs with most server errors [Logs Apache Tomcat]", - "type": "lens", - "version": "8.7.0" + "type": "lens" }, { "embeddableConfig": { @@ -459,12 +405,7 @@ }, { "id": "logs-*", - "name": "54abd3e5-f8e0-40b6-b458-c1a6906bf3f5", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "72bc9598-8105-4c02-b17a-8d8e8acae300", + "name": "514f5bf9-1cf9-4864-8398-945d0168d126", "type": "index-pattern" } ], 
@@ -530,28 +471,6 @@ } }, "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "field": "event.dataset", - "index": "54abd3e5-f8e0-40b6-b458-c1a6906bf3f5", - "key": "event.dataset", - "negate": false, - "params": { - "query": "apache_tomcat.access" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "apache_tomcat.access" - } - } - }, { "$state": { "store": "appState" @@ -560,7 +479,7 @@ "alias": null, "disabled": false, "field": "apache_tomcat.access.response_time", - "index": "72bc9598-8105-4c02-b17a-8d8e8acae300", + "index": "514f5bf9-1cf9-4864-8398-945d0168d126", "key": "apache_tomcat.access.response_time", "negate": false, "type": "exists", @@ -616,8 +535,7 @@ }, "panelIndex": "56ec99b7-5962-4037-b99b-522e2b02882e", "title": "Distribution of average response time by URL [Logs Apache Tomcat]", - "type": "lens", - "version": "8.7.0" + "type": "lens" }, { "embeddableConfig": { @@ -627,11 +545,6 @@ "id": "logs-*", "name": "indexpattern-datasource-layer-f4afc69c-a9d0-4b77-be15-d391fcbfe495", "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "2e2072ab-084c-42d9-8d7e-c9171319f95a", - "type": "index-pattern" } ], "state": { @@ -720,29 +633,7 @@ "layers": {} } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "2e2072ab-084c-42d9-8d7e-c9171319f95a", - "key": "event.dataset", - "negate": false, - "params": { - "query": "apache_tomcat.access" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "apache_tomcat.access" - } - } - } - ], + "filters": [], "internalReferences": [], "query": { "language": "kuery", @@ -785,8 +676,7 @@ }, "panelIndex": "2b880159-9649-4c31-a5c0-a1d93fcdfad3", "title": "Distribution of access events by OS name and version [Logs Apache Tomcat]", - "type": "lens", - "version": "8.7.0" + "type": "lens" }, { "embeddableConfig": { 
@@ -800,12 +690,7 @@ }, { "id": "logs-*", - "name": "4b8a9e86-71d4-4b03-9049-bf28ec63ac90", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "8d346bac-67c0-4aed-ad35-3a5693fc2836", + "name": "5cadfb38-6e24-4b34-8946-c384933cfd78", "type": "index-pattern" } ], @@ -873,27 +758,6 @@ } }, "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "4b8a9e86-71d4-4b03-9049-bf28ec63ac90", - "key": "event.dataset", - "negate": false, - "params": { - "query": "apache_tomcat.access" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "apache_tomcat.access" - } - } - }, { "$state": { "store": "appState" @@ -902,7 +766,7 @@ "alias": null, "disabled": false, "field": "http.response.status_code", - "index": "8d346bac-67c0-4aed-ad35-3a5693fc2836", + "index": "5cadfb38-6e24-4b34-8946-c384933cfd78", "key": "http.response.status_code", "negate": false, "params": { @@ -967,8 +831,7 @@ }, "panelIndex": "911f0638-46a9-4967-b588-a05fddc3ed62", "title": "Distribution by HTTP Client(4xx) and Server(5xx) error status code [Logs Apache Tomcat]", - "type": "lens", - "version": "8.7.0" + "type": "lens" }, { "embeddableConfig": { @@ -978,11 +841,6 @@ "id": "logs-*", "name": "indexpattern-datasource-layer-55ba9c87-2de6-468b-ae00-ab24cdb6c2d7", "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "b6532743-79d3-4ab0-bdfa-fff8aa69c7a9", - "type": "index-pattern" } ], "state": { @@ -1048,29 +906,7 @@ "layers": {} } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "b6532743-79d3-4ab0-bdfa-fff8aa69c7a9", - "key": "event.dataset", - "negate": false, - "params": { - "query": "apache_tomcat.access" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "apache_tomcat.access" - } - } - } - ], + "filters": [], "internalReferences": [], "query": { "language": "kuery", 
@@ -1113,8 +949,7 @@ }, "panelIndex": "ddb0844d-afd9-45d7-af40-d2153f020847", "title": "Distribution by HTTP status code [Logs Apache Tomcat]", - "type": "lens", - "version": "8.7.0" + "type": "lens" }, { "embeddableConfig": { 
@@ -1235,37 +1070,84 @@ }, "panelIndex": "3cccb19d-989d-4942-b1c6-5b122c0e0f2b", "title": "Distribution of access events by connection status [Logs Apache Tomcat]", - "type": "lens", - "version": "8.7.0" + "type": "lens" }, { "embeddableConfig": { - "enhancements": {}, - "hidePanelTitles": false + "attributes": { + "columns": [ + "source.ip", + "url.original", + "http.response.status_code" + ], + "grid": { + "columns": { + "http.response.status_code": { + "width": 183 + } + } + }, + "hideChart": false, + "isTextBasedQuery": false, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[{\"meta\":{\"alias\":null,\"disabled\":false,\"field\":\"data_stream.dataset\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"apache_tomcat.access\"},\"type\":\"phrase\",\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"apache_tomcat.access\"}},\"$state\":{\"store\":\"appState\"}},{\"meta\":{\"alias\":null,\"disabled\":false,\"field\":\"http.response.status_code\",\"key\":\"http.response.status_code\",\"negate\":false,\"params\":{\"gte\":\"400\",\"lt\":\"599\"},\"type\":\"range\",\"value\":{\"gte\":\"400\",\"lt\":\"599\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\"},\"query\":{\"range\":{\"http.response.status_code\":{\"gte\":\"400\",\"lt\":\"599\"}}},\"$state\":{\"store\":\"appState\"}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + } + ], + "refreshInterval": { + "pause": true, + 
"value": 60000 + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "timeRange": { + "from": "now-1y/d", + "to": "now" + }, + "timeRestore": false, + "usesAdHocDataView": false + }, + "enhancements": {} }, "gridData": { "h": 15, - "i": "5e9ce033-01e7-4c67-b228-becf11b14785", + "i": "43acabc9-d503-4215-8115-9b32976409ae", "w": 24, "x": 24, "y": 45 }, - "panelIndex": "5e9ce033-01e7-4c67-b228-becf11b14785", - "panelRefName": "panel_5e9ce033-01e7-4c67-b228-becf11b14785", - "type": "search", - "version": "8.7.0" + "panelIndex": "43acabc9-d503-4215-8115-9b32976409ae", + "title": "Client and Server HTTP error details [Logs Apache Tomcat]", + "type": "search" } ], "timeRestore": false, "title": "[Logs Apache Tomcat] Access", "version": 1 }, - "coreMigrationVersion": "8.7.0", - "created_at": "2023-07-24T12:48:07.116Z", + "coreMigrationVersion": "8.8.0", + "created_at": "2024-04-13T09:17:00.658Z", "id": "apache_tomcat-44a8e0d0-b8f5-11ed-ac9b-cb6bcd97d223", - "migrationVersion": { - "dashboard": "8.7.0" - }, + "managed": false, "references": [ { "id": "logs-*", @@ -1279,12 +1161,7 @@ }, { "id": "logs-*", - "name": "af3cd65d-02e9-477c-8b3b-45f4b717a982:167c0497-503a-417c-a30c-768525e8b8dc", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "af3cd65d-02e9-477c-8b3b-45f4b717a982:8c6e9f3c-a1db-4cf0-8b30-1d860be11d98", + "name": "af3cd65d-02e9-477c-8b3b-45f4b717a982:9e014f3c-d19f-4e8c-9992-0053e2cff960", "type": "index-pattern" }, { @@ -1294,12 +1171,7 @@ }, { "id": "logs-*", - "name": "30187e6e-f500-4abd-b7c7-ebc64d84e2d9:0a1fad48-e8d5-4a9b-b8bb-fc7067521d7a", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "30187e6e-f500-4abd-b7c7-ebc64d84e2d9:758d6656-914a-4304-bbe7-f85474ef30b9", + "name": "30187e6e-f500-4abd-b7c7-ebc64d84e2d9:5d4ff327-4d18-4187-8e53-d6216c07701f", "type": "index-pattern" }, { 
@@ -1309,12 +1181,7 @@ }, { "id": "logs-*", - "name": "56ec99b7-5962-4037-b99b-522e2b02882e:54abd3e5-f8e0-40b6-b458-c1a6906bf3f5", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "56ec99b7-5962-4037-b99b-522e2b02882e:72bc9598-8105-4c02-b17a-8d8e8acae300", + "name": "56ec99b7-5962-4037-b99b-522e2b02882e:514f5bf9-1cf9-4864-8398-945d0168d126", "type": "index-pattern" }, { 
@@ -1324,44 +1191,40 @@ }, { "id": "logs-*", - "name": "2b880159-9649-4c31-a5c0-a1d93fcdfad3:2e2072ab-084c-42d9-8d7e-c9171319f95a", + "name": "911f0638-46a9-4967-b588-a05fddc3ed62:indexpattern-datasource-layer-55ba9c87-2de6-468b-ae00-ab24cdb6c2d7", "type": "index-pattern" }, { "id": "logs-*", - "name": "911f0638-46a9-4967-b588-a05fddc3ed62:indexpattern-datasource-layer-55ba9c87-2de6-468b-ae00-ab24cdb6c2d7", + "name": "911f0638-46a9-4967-b588-a05fddc3ed62:5cadfb38-6e24-4b34-8946-c384933cfd78", "type": "index-pattern" }, { "id": "logs-*", - "name": "911f0638-46a9-4967-b588-a05fddc3ed62:4b8a9e86-71d4-4b03-9049-bf28ec63ac90", + "name": "ddb0844d-afd9-45d7-af40-d2153f020847:indexpattern-datasource-layer-55ba9c87-2de6-468b-ae00-ab24cdb6c2d7", "type": "index-pattern" }, { "id": "logs-*", - "name": "911f0638-46a9-4967-b588-a05fddc3ed62:8d346bac-67c0-4aed-ad35-3a5693fc2836", + "name": "3cccb19d-989d-4942-b1c6-5b122c0e0f2b:indexpattern-datasource-layer-1dd41a44-76bb-4cc0-adca-9acc7307125b", "type": "index-pattern" }, { "id": "logs-*", - "name": "ddb0844d-afd9-45d7-af40-d2153f020847:indexpattern-datasource-layer-55ba9c87-2de6-468b-ae00-ab24cdb6c2d7", + "name": "43acabc9-d503-4215-8115-9b32976409ae:kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern" }, { "id": "logs-*", - "name": "ddb0844d-afd9-45d7-af40-d2153f020847:b6532743-79d3-4ab0-bdfa-fff8aa69c7a9", + "name": "43acabc9-d503-4215-8115-9b32976409ae:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern" }, { "id": "logs-*", - "name": "3cccb19d-989d-4942-b1c6-5b122c0e0f2b:indexpattern-datasource-layer-1dd41a44-76bb-4cc0-adca-9acc7307125b", + "name": "43acabc9-d503-4215-8115-9b32976409ae:kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", "type": "index-pattern" - }, - { - "id": "apache_tomcat-d0957a70-eda4-11ed-909a-2baec7270d1f", - "name": "5e9ce033-01e7-4c67-b228-becf11b14785:panel_5e9ce033-01e7-4c67-b228-becf11b14785", - "type": "search" } ], - "type": 
"dashboard" + "type": "dashboard", + "typeMigrationVersion": "8.9.0" } \ No newline at end of file diff --git a/packages/apache_tomcat/kibana/dashboard/apache_tomcat-5b24a9c0-0e86-11ee-8c11-879004e1a267.json b/packages/apache_tomcat/kibana/dashboard/apache_tomcat-5b24a9c0-0e86-11ee-8c11-879004e1a267.json index 9bb4ee02c9c..866adc2a115 100644 --- a/packages/apache_tomcat/kibana/dashboard/apache_tomcat-5b24a9c0-0e86-11ee-8c11-879004e1a267.json +++ b/packages/apache_tomcat/kibana/dashboard/apache_tomcat-5b24a9c0-0e86-11ee-8c11-879004e1a267.json @@ -17,9 +17,9 @@ "meta": { "alias": null, "disabled": false, - "field": "event.dataset", + "field": "data_stream.dataset", "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "event.dataset", + "key": "data_stream.dataset", "negate": false, "params": { "query": "apache_tomcat.thread_pool" @@ -28,7 +28,7 @@ }, "query": { "match_phrase": { - "event.dataset": "apache_tomcat.thread_pool" + "data_stream.dataset": "apache_tomcat.thread_pool" } } } @@ -56,11 +56,6 @@ "id": "metrics-*", "name": "indexpattern-datasource-layer-05b7c993-53aa-433b-9754-7c1d297dbbad", "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "37c53ea7-8de0-4acb-955f-38c67bd51b0a", - "type": "index-pattern" } ], "state": { @@ -99,30 +94,7 @@ "layers": {} } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "field": "event.dataset", - "index": "37c53ea7-8de0-4acb-955f-38c67bd51b0a", - "key": "event.dataset", - "negate": false, - "params": { - "query": "apache_tomcat.thread_pool" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "apache_tomcat.thread_pool" - } - } - } - ], + "filters": [], "internalReferences": [], "query": { "language": "kuery", 
@@ -153,8 +125,7 @@ }, "panelIndex": "f9c94977-dd52-43b4-922f-4341aacacf07", "title": "Total threads [Metrics Apache Tomcat]", - "type": "lens", - "version": "8.8.0" + "type": "lens" }, { "embeddableConfig": { @@ -165,11 +136,6 @@ "id": "metrics-*", "name": "indexpattern-datasource-layer-a6c3093d-5a17-4f06-831e-4bc8428628cf", "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "5b583af7-2a44-43ac-b787-9d6fc93f6374", - "type": "index-pattern" } ], "state": { @@ -290,30 +256,7 @@ "layers": {} } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "field": "event.dataset", - "index": "5b583af7-2a44-43ac-b787-9d6fc93f6374", - "key": "event.dataset", - "negate": false, - "params": { - "query": "apache_tomcat.thread_pool" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "apache_tomcat.thread_pool" - } - } - } - ], + "filters": [], "internalReferences": [], "query": { "language": "kuery", @@ -366,12 +309,11 @@ "i": "29239466-a1a0-456b-a1f8-5209e6c26339", "w": 39, "x": 9, - "y": 4 + "y": 0 }, "panelIndex": "29239466-a1a0-456b-a1f8-5209e6c26339", "title": "Threads count by state over time [Metrics Apache Tomcat]", - "type": "lens", - "version": "8.8.0" + "type": "lens" }, { "embeddableConfig": { @@ -387,11 +329,6 @@ "id": "metrics-*", "name": "indexpattern-datasource-layer-e1e0cfc0-ff9f-4f4c-924a-a4d5ebc4d2ee", "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "2a8c013c-a759-4b11-81f2-65a7797491c7", - "type": "index-pattern" } ], "state": { 
@@ -484,30 +421,7 @@ "layers": {} } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "field": "event.dataset", - "index": "2a8c013c-a759-4b11-81f2-65a7797491c7", - "key": "event.dataset", - "negate": false, - "params": { - "query": "apache_tomcat.thread_pool" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "apache_tomcat.thread_pool" - } - } - } - ], + "filters": [], "internalReferences": [], "query": { "language": "kuery", @@ -590,12 +504,11 @@ "i": "a4b1a059-57c5-469a-9c83-936263c4c73c", "w": 48, "x": 0, - "y": 11 + "y": 10 }, "panelIndex": "a4b1a059-57c5-469a-9c83-936263c4c73c", "title": "Number of connections over time [Metrics Apache Tomcat]", - "type": "lens", - "version": "8.8.0" + "type": "lens" }, { "embeddableConfig": { @@ -605,11 +518,6 @@ "id": "metrics-*", "name": "indexpattern-datasource-layer-76459985-8ced-4307-8994-b36fcde849cc", "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "d2a87cd7-ddfb-45b0-81cd-64a63f6b2290", - "type": "index-pattern" } ], "state": { @@ -668,29 +576,7 @@ "layers": {} } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "d2a87cd7-ddfb-45b0-81cd-64a63f6b2290", - "key": "event.dataset", - "negate": false, - "params": { - "query": "apache_tomcat.thread_pool" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "apache_tomcat.thread_pool" - } - } - } - ], + "filters": [], "internalReferences": [], "query": { "language": "kuery", @@ -750,12 +636,11 @@ "i": "31540e97-068b-4767-b7bd-373d35f8c6fe", "w": 48, "x": 0, - "y": 22 + "y": 21 }, "panelIndex": "31540e97-068b-4767-b7bd-373d35f8c6fe", "title": "Allocated bytes in current threads over time [Metrics Apache Tomcat]", - "type": "lens", - "version": "8.8.0" + "type": "lens" }, { "embeddableConfig": { 
@@ -766,11 +651,6 @@ "id": "metrics-*", "name": "indexpattern-datasource-layer-b6e6d14b-5440-4a1c-882f-a698d66eacfb", "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "9bb893c7-c116-49ed-99b8-2e35efd24bf3", - "type": "index-pattern" } ], "state": { @@ -823,29 +703,7 @@ "layers": {} } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "9bb893c7-c116-49ed-99b8-2e35efd24bf3", - "key": "event.dataset", - "negate": false, - "params": { - "query": "apache_tomcat.thread_pool" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "apache_tomcat.thread_pool" - } - } - } - ], + "filters": [], "internalReferences": [], "query": { "language": "kuery", @@ -888,24 +746,21 @@ "i": "5756b1ad-a32f-4248-8337-9cce4fb74b3e", "w": 48, "x": 0, - "y": 33 + "y": 32 }, "panelIndex": "5756b1ad-a32f-4248-8337-9cce4fb74b3e", "title": "Processing threads termination time over time [Metrics Apache Tomcat]", - "type": "lens", - "version": "8.8.0" + "type": "lens" } ], "timeRestore": false, "title": "[Metrics Apache Tomcat] Thread Pool", "version": 1 }, - "coreMigrationVersion": "8.7.0", - "created_at": "2023-07-19T08:01:33.946Z", + "coreMigrationVersion": "8.8.0", + "created_at": "2024-04-13T08:51:28.183Z", "id": "apache_tomcat-5b24a9c0-0e86-11ee-8c11-879004e1a267", - "migrationVersion": { - "dashboard": "8.7.0" - }, + "managed": false, "references": [ { "id": "metrics-*", 
@@ -917,21 +772,11 @@ "name": "f9c94977-dd52-43b4-922f-4341aacacf07:indexpattern-datasource-layer-05b7c993-53aa-433b-9754-7c1d297dbbad", "type": "index-pattern" }, - { - "id": "metrics-*", - "name": "f9c94977-dd52-43b4-922f-4341aacacf07:37c53ea7-8de0-4acb-955f-38c67bd51b0a", - "type": "index-pattern" - }, { "id": "metrics-*", "name": "29239466-a1a0-456b-a1f8-5209e6c26339:indexpattern-datasource-layer-a6c3093d-5a17-4f06-831e-4bc8428628cf", "type": "index-pattern" }, - { - "id": "metrics-*", - "name": "29239466-a1a0-456b-a1f8-5209e6c26339:5b583af7-2a44-43ac-b787-9d6fc93f6374", - "type": "index-pattern" - }, { "id": "metrics-*", "name": "a4b1a059-57c5-469a-9c83-936263c4c73c:indexpattern-datasource-layer-1f96fdb7-93b8-4ced-9765-f891869c6b47", @@ -942,31 +787,16 @@ "name": "a4b1a059-57c5-469a-9c83-936263c4c73c:indexpattern-datasource-layer-e1e0cfc0-ff9f-4f4c-924a-a4d5ebc4d2ee", "type": "index-pattern" }, - { - "id": "metrics-*", - "name": "a4b1a059-57c5-469a-9c83-936263c4c73c:2a8c013c-a759-4b11-81f2-65a7797491c7", - "type": "index-pattern" - }, { "id": "metrics-*", "name": "31540e97-068b-4767-b7bd-373d35f8c6fe:indexpattern-datasource-layer-76459985-8ced-4307-8994-b36fcde849cc", "type": "index-pattern" }, - { - "id": "metrics-*", - "name": "31540e97-068b-4767-b7bd-373d35f8c6fe:d2a87cd7-ddfb-45b0-81cd-64a63f6b2290", - "type": "index-pattern" - }, { "id": "metrics-*", "name": "5756b1ad-a32f-4248-8337-9cce4fb74b3e:indexpattern-datasource-layer-b6e6d14b-5440-4a1c-882f-a698d66eacfb", "type": "index-pattern" }, - { - "id": "metrics-*", - "name": "5756b1ad-a32f-4248-8337-9cce4fb74b3e:9bb893c7-c116-49ed-99b8-2e35efd24bf3", - "type": "index-pattern" - }, { "id": "metrics-*", "name": "controlGroup_77e2e883-4872-4992-80ef-ad4bce414173:optionsListDataView", @@ -978,5 +808,6 @@ "type": "index-pattern" } ], - "type": "dashboard" + "type": "dashboard", + "typeMigrationVersion": "8.9.0" } \ No newline at end of file 
diff --git a/packages/apache_tomcat/kibana/dashboard/apache_tomcat-8fd54a20-1f0d-11ee-9d6b-bb41d08322c8.json b/packages/apache_tomcat/kibana/dashboard/apache_tomcat-8fd54a20-1f0d-11ee-9d6b-bb41d08322c8.json index 71bf9e6dd49..3f5a884f0eb 100644 --- a/packages/apache_tomcat/kibana/dashboard/apache_tomcat-8fd54a20-1f0d-11ee-9d6b-bb41d08322c8.json +++ b/packages/apache_tomcat/kibana/dashboard/apache_tomcat-8fd54a20-1f0d-11ee-9d6b-bb41d08322c8.json @@ -17,18 +17,37 @@ "meta": { "alias": null, "disabled": false, - "field": "event.module", + "field": "data_stream.dataset", "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "event.module", + "key": "data_stream.dataset", "negate": false, - "params": { - "query": "apache_tomcat" - }, - "type": "phrase" + "params": [ + "apache_tomcat.access", + "apache_tomcat.catalina", + "apache_tomcat.localhost" + ], + "type": "phrases" }, "query": { - "match_phrase": { - "event.module": "apache_tomcat" + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "data_stream.dataset": "apache_tomcat.access" + } + }, + { + "match_phrase": { + "data_stream.dataset": "apache_tomcat.catalina" + } + }, + { + "match_phrase": { + "data_stream.dataset": "apache_tomcat.localhost" + } + } + ] } } } @@ -55,11 +74,6 @@ "id": "logs-*", "name": "indexpattern-datasource-layer-55ba9c87-2de6-468b-ae00-ab24cdb6c2d7", "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "b6532743-79d3-4ab0-bdfa-fff8aa69c7a9", - "type": "index-pattern" } ], "state": { 
@@ -125,29 +139,7 @@ "layers": {} } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "b6532743-79d3-4ab0-bdfa-fff8aa69c7a9", - "key": "event.dataset", - "negate": false, - "params": { - "query": "apache_tomcat.access" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "apache_tomcat.access" - } - } - } - ], + "filters": [], "internalReferences": [], "query": { "language": "kuery", @@ -190,8 +182,7 @@ }, "panelIndex": "b089289a-38be-4f6f-8519-ef9b20a77409", "title": "Distribution by HTTP status code [Logs Apache Tomcat]", - "type": "lens", - "version": "8.7.0" + "type": "lens" }, { "embeddableConfig": { @@ -205,12 +196,7 @@ }, { "id": "logs-*", - "name": "25ce66fb-534d-42a3-9baf-e3c7768ee2d6", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "adb3c9a7-d289-4c05-9c2b-0791a5c482ff", + "name": "27726488-c222-4017-9646-dc2a3a3438e8", "type": "index-pattern" } ], @@ -278,27 +264,6 @@ } }, "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "25ce66fb-534d-42a3-9baf-e3c7768ee2d6", - "key": "event.dataset", - "negate": false, - "params": { - "query": "apache_tomcat.access" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "apache_tomcat.access" - } - } - }, { "$state": { "store": "appState" @@ -307,7 +272,7 @@ "alias": null, "disabled": false, "field": "http.response.status_code", - "index": "adb3c9a7-d289-4c05-9c2b-0791a5c482ff", + "index": "27726488-c222-4017-9646-dc2a3a3438e8", "key": "http.response.status_code", "negate": false, "params": { @@ -372,8 +337,7 @@ }, "panelIndex": "2f7de9ea-b38c-4a20-9f50-2c50f76f450d", "title": "Distribution by HTTP Client(4xx) and Server(5xx) error status code [Logs Apache Tomcat]", - "type": "lens", - "version": "8.7.0" + "type": "lens" }, { "embeddableConfig": { 
@@ -386,12 +350,7 @@ }, { "id": "logs-*", - "name": "44d71f68-2675-4ed4-adb5-9f2bdce23a3a", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "cfb45038-17c1-40f9-b31e-916d1eefc5c6", + "name": "9ac46d7b-7d38-4e7c-b723-2ace8d3a1c52", "type": "index-pattern" } ], @@ -482,28 +441,6 @@ } }, "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "field": "event.dataset", - "index": "44d71f68-2675-4ed4-adb5-9f2bdce23a3a", - "key": "event.dataset", - "negate": false, - "params": { - "query": "apache_tomcat.access" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "apache_tomcat.access" - } - } - }, { "$state": { "store": "appState" @@ -512,7 +449,7 @@ "alias": null, "disabled": false, "field": "http.response.status_code", - "index": "cfb45038-17c1-40f9-b31e-916d1eefc5c6", + "index": "9ac46d7b-7d38-4e7c-b723-2ace8d3a1c52", "key": "http.response.status_code", "negate": false, "params": { 
@@ -586,56 +523,141 @@ }, "panelIndex": "e87fc489-df1a-4f67-9d91-7b3383fcb8c7", "title": "Top error causing URLs with hosts [Logs Apache Tomcat]", - "type": "lens", - "version": "8.7.0" + "type": "lens" }, { "embeddableConfig": { - "enhancements": {}, - "hidePanelTitles": false + "attributes": { + "columns": [ + "apache_tomcat.catalina.subsystem", + "log.level", + "message" + ], + "grid": { + "columns": { + "apache_tomcat.catalina.subsystem": { + "width": 240 + }, + "log.level": { + "width": 78 + } + } + }, + "hideChart": false, + "isTextBasedQuery": false, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[{\"meta\":{\"alias\":null,\"disabled\":false,\"field\":\"data_stream.dataset\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"apache_tomcat.catalina\"},\"type\":\"phrase\",\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"apache_tomcat.catalina\"}},\"$state\":{\"store\":\"appState\"}},{\"meta\":{\"alias\":null,\"disabled\":false,\"field\":\"log.level\",\"key\":\"log.level\",\"negate\":true,\"params\":{\"query\":\"info\"},\"type\":\"phrase\",\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\"},\"query\":{\"match_phrase\":{\"log.level\":\"info\"}},\"$state\":{\"store\":\"appState\"}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + } + ], + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "timeRestore": false, + "usesAdHocDataView": false + }, + "enhancements": {} 
}, "gridData": { "h": 15, - "i": "f02e494c-1b62-407e-a402-7799e9fab580", + "i": "74487d6a-9478-485f-b6da-91f9f5b974d0", "w": 48, "x": 0, "y": 30 }, - "panelIndex": "f02e494c-1b62-407e-a402-7799e9fab580", - "panelRefName": "panel_f02e494c-1b62-407e-a402-7799e9fab580", - "title": "Catalina Logs overview [Logs Apache Tomcat]", - "type": "search", - "version": "8.7.0" + "panelIndex": "74487d6a-9478-485f-b6da-91f9f5b974d0", + "title": "Catalina logs overview [Logs Apache Tomcat]", + "type": "search" }, { "embeddableConfig": { - "enhancements": {}, - "hidePanelTitles": false + "attributes": { + "columns": [ + "apache_tomcat.localhost.subsystem", + "log.level", + "message" + ], + "grid": { + "columns": { + "apache_tomcat.localhost.subsystem": { + "width": 248 + }, + "log.level": { + "width": 75 + } + } + }, + "hideChart": false, + "isTextBasedQuery": false, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[{\"meta\":{\"alias\":null,\"disabled\":false,\"field\":\"data_stream.dataset\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"apache_tomcat.localhost\"},\"type\":\"phrase\",\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"apache_tomcat.localhost\"}},\"$state\":{\"store\":\"appState\"}},{\"meta\":{\"alias\":null,\"disabled\":false,\"field\":\"log.level\",\"key\":\"log.level\",\"negate\":true,\"params\":{\"query\":\"info\"},\"type\":\"phrase\",\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\"},\"query\":{\"match_phrase\":{\"log.level\":\"info\"}},\"$state\":{\"store\":\"appState\"}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": 
"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + } + ], + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "timeRestore": false, + "usesAdHocDataView": false + }, + "enhancements": {} }, "gridData": { "h": 15, - "i": "9940557b-4932-4f76-8aec-029ddac34539", + "i": "1cb8c14e-fcc5-428d-8d3c-95fcd031e0b8", "w": 48, "x": 0, "y": 45 }, - "panelIndex": "9940557b-4932-4f76-8aec-029ddac34539", - "panelRefName": "panel_9940557b-4932-4f76-8aec-029ddac34539", - "title": "Localhost Logs overview [Logs Apache Tomcat]", - "type": "search", - "version": "8.7.0" + "panelIndex": "1cb8c14e-fcc5-428d-8d3c-95fcd031e0b8", + "title": "Localhost logs overview [Logs Apache Tomcat]", + "type": "search" } ], "timeRestore": false, "title": "[Logs Apache Tomcat] Overview", "version": 1 }, - "coreMigrationVersion": "8.7.0", - "created_at": "2023-07-24T12:48:07.116Z", + "coreMigrationVersion": "8.8.0", + "created_at": "2024-04-13T09:02:01.512Z", "id": "apache_tomcat-8fd54a20-1f0d-11ee-9d6b-bb41d08322c8", - "migrationVersion": { - "dashboard": "8.7.0" - }, + "managed": false, "references": [ { "id": "logs-*", 
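Review bot: The two overview panels in this hunk are now carried by value (the inlined `attributes` with `columns`, `searchSourceJSON` and `references`), and the following hunk drops the dashboard's `search` references to `apache_tomcat-1f3c6e30-dd11-11ed-9f4f-d97c9f37d195` and `apache_tomcat-4d39c820-ddcd-11ed-8080-ddad81fe2c3c`, but nothing visible here deletes those saved-search files from `kibana/search/`. If they remain in the package they are still installed as orphaned assets, and presumably still filter on the pipeline-populated `event.dataset` rather than the `data_stream.dataset` filter the inlined copies use, so the two would drift; either remove the files in this patch or confirm they were migrated as well. The same by-value inlining is repeated for the Catalina and Localhost dashboard (`apache_tomcat-9c66eb10-dd0c-11ed-9f4f-d97c9f37d195`) later in this diff, so the same check applies there.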
@@ -649,48 +671,53 @@ }, { "id": "logs-*", - "name": "b089289a-38be-4f6f-8519-ef9b20a77409:b6532743-79d3-4ab0-bdfa-fff8aa69c7a9", + "name": "2f7de9ea-b38c-4a20-9f50-2c50f76f450d:indexpattern-datasource-layer-55ba9c87-2de6-468b-ae00-ab24cdb6c2d7", "type": "index-pattern" }, { "id": "logs-*", - "name": "2f7de9ea-b38c-4a20-9f50-2c50f76f450d:indexpattern-datasource-layer-55ba9c87-2de6-468b-ae00-ab24cdb6c2d7", + "name": "2f7de9ea-b38c-4a20-9f50-2c50f76f450d:27726488-c222-4017-9646-dc2a3a3438e8", "type": "index-pattern" }, { "id": "logs-*", - "name": "2f7de9ea-b38c-4a20-9f50-2c50f76f450d:25ce66fb-534d-42a3-9baf-e3c7768ee2d6", + "name": "e87fc489-df1a-4f67-9d91-7b3383fcb8c7:indexpattern-datasource-layer-d30a1b56-5918-4732-850a-381fab2c59fb", "type": "index-pattern" }, { "id": "logs-*", - "name": "2f7de9ea-b38c-4a20-9f50-2c50f76f450d:adb3c9a7-d289-4c05-9c2b-0791a5c482ff", + "name": "e87fc489-df1a-4f67-9d91-7b3383fcb8c7:9ac46d7b-7d38-4e7c-b723-2ace8d3a1c52", "type": "index-pattern" }, { "id": "logs-*", - "name": "e87fc489-df1a-4f67-9d91-7b3383fcb8c7:indexpattern-datasource-layer-d30a1b56-5918-4732-850a-381fab2c59fb", + "name": "74487d6a-9478-485f-b6da-91f9f5b974d0:kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern" }, { "id": "logs-*", - "name": "e87fc489-df1a-4f67-9d91-7b3383fcb8c7:44d71f68-2675-4ed4-adb5-9f2bdce23a3a", + "name": "74487d6a-9478-485f-b6da-91f9f5b974d0:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern" }, { "id": "logs-*", - "name": "e87fc489-df1a-4f67-9d91-7b3383fcb8c7:cfb45038-17c1-40f9-b31e-916d1eefc5c6", + "name": "74487d6a-9478-485f-b6da-91f9f5b974d0:kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", "type": "index-pattern" }, { - "id": "apache_tomcat-1f3c6e30-dd11-11ed-9f4f-d97c9f37d195", - "name": "f02e494c-1b62-407e-a402-7799e9fab580:panel_f02e494c-1b62-407e-a402-7799e9fab580", - "type": "search" + "id": "logs-*", + "name": 
"1cb8c14e-fcc5-428d-8d3c-95fcd031e0b8:kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "1cb8c14e-fcc5-428d-8d3c-95fcd031e0b8:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" }, { - "id": "apache_tomcat-4d39c820-ddcd-11ed-8080-ddad81fe2c3c", - "name": "9940557b-4932-4f76-8aec-029ddac34539:panel_9940557b-4932-4f76-8aec-029ddac34539", - "type": "search" + "id": "logs-*", + "name": "1cb8c14e-fcc5-428d-8d3c-95fcd031e0b8:kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" }, { "id": "logs-*", @@ -698,5 +725,6 @@ "type": "index-pattern" } ], - "type": "dashboard" + "type": "dashboard", + "typeMigrationVersion": "8.9.0" } \ No newline at end of file diff --git a/packages/apache_tomcat/kibana/dashboard/apache_tomcat-9c66eb10-dd0c-11ed-9f4f-d97c9f37d195.json b/packages/apache_tomcat/kibana/dashboard/apache_tomcat-9c66eb10-dd0c-11ed-9f4f-d97c9f37d195.json index 3e2812e7449..fe37452c9a7 100644 --- a/packages/apache_tomcat/kibana/dashboard/apache_tomcat-9c66eb10-dd0c-11ed-9f4f-d97c9f37d195.json +++ b/packages/apache_tomcat/kibana/dashboard/apache_tomcat-9c66eb10-dd0c-11ed-9f4f-d97c9f37d195.json 
@@ -11,52 +11,33 @@ "meta": { "alias": null, "disabled": false, + "field": "data_stream.dataset", "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "data_stream.dataset", "negate": false, "params": [ - { - "meta": { - "alias": null, - "disabled": false, - "field": "event.dataset", - "index": "logs-*", - "key": "event.dataset", - "negate": false, - "params": { - "query": "apache_tomcat.catalina" - }, - "type": "phrase" - }, - "query": { + "apache_tomcat.catalina", + "apache_tomcat.localhost" + ], + "type": "phrases" + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { "match_phrase": { - "event.dataset": "apache_tomcat.catalina" + "data_stream.dataset": "apache_tomcat.catalina" } - } - }, - { - "meta": { - "alias": null, - "disabled": false, - "field": "event.dataset", - "index": "logs-*", - "key": "event.dataset", - "negate": false, - "params": { - "query": "apache_tomcat.localhost" - }, - "type": "phrase" }, - "query": { + { "match_phrase": { - "event.dataset": "apache_tomcat.localhost" + "data_stream.dataset": "apache_tomcat.localhost" } } - } - ], - "relation": "OR", - "type": "combined" - }, - "query": {} + ] + } + } } ], "query": { @@ -84,7 +65,7 @@ }, { "id": "logs-*", - "name": "be7a31fc-fdbf-4791-81bc-e7c6f7fd4e72", + "name": "53285f39-f623-41c9-ae58-f17d2f93c83b", "type": "index-pattern" } ], @@ -155,9 +136,9 @@ "meta": { "alias": null, "disabled": false, - "field": "event.dataset", - "index": "be7a31fc-fdbf-4791-81bc-e7c6f7fd4e72", - "key": "event.dataset", + "field": "data_stream.dataset", + "index": "53285f39-f623-41c9-ae58-f17d2f93c83b", + "key": "data_stream.dataset", "negate": false, "params": { "query": "apache_tomcat.catalina" @@ -166,7 +147,7 @@ }, "query": { "match_phrase": { - "event.dataset": "apache_tomcat.catalina" + "data_stream.dataset": "apache_tomcat.catalina" } } } 
@@ -213,8 +194,7 @@ }, "panelIndex": "ce217a0a-1038-4867-b22b-c51765d12c99", "title": "Distribution of Catalina events by log level [Logs Apache Tomcat]", - "type": "lens", - "version": "8.7.0" + "type": "lens" }, { "embeddableConfig": { @@ -228,7 +208,7 @@ }, { "id": "logs-*", - "name": "1fb283e4-af20-4f0b-b875-baaaacd84281", + "name": "047e3f42-7b80-46ec-a500-4ec8803dbe74", "type": "index-pattern" } ], @@ -299,9 +279,9 @@ "meta": { "alias": null, "disabled": false, - "field": "event.dataset", - "index": "1fb283e4-af20-4f0b-b875-baaaacd84281", - "key": "event.dataset", + "field": "data_stream.dataset", + "index": "047e3f42-7b80-46ec-a500-4ec8803dbe74", + "key": "data_stream.dataset", "negate": false, "params": { "query": "apache_tomcat.localhost" @@ -310,7 +290,7 @@ }, "query": { "match_phrase": { - "event.dataset": "apache_tomcat.localhost" + "data_stream.dataset": "apache_tomcat.localhost" } } } 
@@ -357,56 +337,143 @@ }, "panelIndex": "e48f4633-1502-44e1-b093-2b9bc378d24c", "title": "Distribution of Localhost events by log level [Logs Apache Tomcat]", - "type": "lens", - "version": "8.7.0" + "type": "lens" }, { "embeddableConfig": { + "attributes": { + "columns": [ + "apache_tomcat.catalina.subsystem", + "log.level", + "message" + ], + "grid": { + "columns": { + "apache_tomcat.catalina.subsystem": { + "width": 240 + }, + "log.level": { + "width": 78 + } + } + }, + "hideChart": false, + "isTextBasedQuery": false, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[{\"meta\":{\"alias\":null,\"disabled\":false,\"field\":\"data_stream.dataset\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"apache_tomcat.catalina\"},\"type\":\"phrase\",\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"apache_tomcat.catalina\"}},\"$state\":{\"store\":\"appState\"}},{\"meta\":{\"alias\":null,\"disabled\":false,\"field\":\"log.level\",\"key\":\"log.level\",\"negate\":true,\"params\":{\"query\":\"info\"},\"type\":\"phrase\",\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\"},\"query\":{\"match_phrase\":{\"log.level\":\"info\"}},\"$state\":{\"store\":\"appState\"}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + } + ], + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "timeRestore": false, + "usesAdHocDataView": false + }, "enhancements": {}, "hidePanelTitles": false }, "gridData": 
{ "h": 14, - "i": "e9897b3c-32b2-4c12-9510-4e1685ecb611", + "i": "2b6abb8b-9434-489f-b900-ef03efa9fc8f", "w": 48, "x": 0, "y": 14 }, - "panelIndex": "e9897b3c-32b2-4c12-9510-4e1685ecb611", - "panelRefName": "panel_e9897b3c-32b2-4c12-9510-4e1685ecb611", + "panelIndex": "2b6abb8b-9434-489f-b900-ef03efa9fc8f", "title": "Catalina Logs overview [Logs Apache Tomcat]", - "type": "search", - "version": "8.7.0" + "type": "search" }, { "embeddableConfig": { + "attributes": { + "columns": [ + "apache_tomcat.localhost.subsystem", + "log.level", + "message" + ], + "grid": { + "columns": { + "apache_tomcat.localhost.subsystem": { + "width": 248 + }, + "log.level": { + "width": 75 + } + } + }, + "hideChart": false, + "isTextBasedQuery": false, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[{\"meta\":{\"alias\":null,\"disabled\":false,\"field\":\"data_stream.dataset\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"apache_tomcat.localhost\"},\"type\":\"phrase\",\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"apache_tomcat.localhost\"}},\"$state\":{\"store\":\"appState\"}},{\"meta\":{\"alias\":null,\"disabled\":false,\"field\":\"log.level\",\"key\":\"log.level\",\"negate\":true,\"params\":{\"query\":\"info\"},\"type\":\"phrase\",\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\"},\"query\":{\"match_phrase\":{\"log.level\":\"info\"}},\"$state\":{\"store\":\"appState\"}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": 
"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + } + ], + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "timeRestore": false, + "usesAdHocDataView": false + }, "enhancements": {}, "hidePanelTitles": false }, "gridData": { "h": 14, - "i": "8901474e-f646-4eb9-b734-667804d70207", + "i": "3f40d201-41dd-44ad-9f5d-9280b0e31dfd", "w": 48, "x": 0, "y": 28 }, - "panelIndex": "8901474e-f646-4eb9-b734-667804d70207", - "panelRefName": "panel_8901474e-f646-4eb9-b734-667804d70207", + "panelIndex": "3f40d201-41dd-44ad-9f5d-9280b0e31dfd", "title": "Localhost Logs overview [Logs Apache Tomcat]", - "type": "search", - "version": "8.7.0" + "type": "search" } ], "timeRestore": false, "title": "[Logs Apache Tomcat] Catalina and Localhost", "version": 1 }, - "coreMigrationVersion": "8.7.0", - "created_at": "2023-07-24T10:47:18.401Z", + "coreMigrationVersion": "8.8.0", + "created_at": "2024-05-06T12:38:03.227Z", "id": "apache_tomcat-9c66eb10-dd0c-11ed-9f4f-d97c9f37d195", - "migrationVersion": { - "dashboard": "8.7.0" - }, + "managed": false, "references": [ { "id": "logs-*", @@ -420,7 +487,7 @@ }, { "id": "logs-*", - "name": "ce217a0a-1038-4867-b22b-c51765d12c99:be7a31fc-fdbf-4791-81bc-e7c6f7fd4e72", + "name": "ce217a0a-1038-4867-b22b-c51765d12c99:53285f39-f623-41c9-ae58-f17d2f93c83b", "type": "index-pattern" }, { 
@@ -430,19 +497,40 @@ }, { "id": "logs-*", - "name": "e48f4633-1502-44e1-b093-2b9bc378d24c:1fb283e4-af20-4f0b-b875-baaaacd84281", + "name": "e48f4633-1502-44e1-b093-2b9bc378d24c:047e3f42-7b80-46ec-a500-4ec8803dbe74", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "2b6abb8b-9434-489f-b900-ef03efa9fc8f:kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "2b6abb8b-9434-489f-b900-ef03efa9fc8f:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern" }, { - "id": "apache_tomcat-1f3c6e30-dd11-11ed-9f4f-d97c9f37d195", - "name": "e9897b3c-32b2-4c12-9510-4e1685ecb611:panel_e9897b3c-32b2-4c12-9510-4e1685ecb611", - "type": "search" + "id": "logs-*", + "name": "2b6abb8b-9434-489f-b900-ef03efa9fc8f:kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "3f40d201-41dd-44ad-9f5d-9280b0e31dfd:kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" }, { - "id": "apache_tomcat-4d39c820-ddcd-11ed-8080-ddad81fe2c3c", - "name": "8901474e-f646-4eb9-b734-667804d70207:panel_8901474e-f646-4eb9-b734-667804d70207", - "type": "search" + "id": "logs-*", + "name": "3f40d201-41dd-44ad-9f5d-9280b0e31dfd:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "3f40d201-41dd-44ad-9f5d-9280b0e31dfd:kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" } ], - "type": "dashboard" + "type": "dashboard", + "typeMigrationVersion": "8.9.0" } \ No newline at end of file diff --git a/packages/apache_tomcat/kibana/dashboard/apache_tomcat-9f21d4e0-b837-11ed-8008-cf66df3fb6bf.json b/packages/apache_tomcat/kibana/dashboard/apache_tomcat-9f21d4e0-b837-11ed-8008-cf66df3fb6bf.json index e5493750496..3e0b5bfc3c1 100644 --- a/packages/apache_tomcat/kibana/dashboard/apache_tomcat-9f21d4e0-b837-11ed-8008-cf66df3fb6bf.json 
+++ b/packages/apache_tomcat/kibana/dashboard/apache_tomcat-9f21d4e0-b837-11ed-8008-cf66df3fb6bf.json @@ -17,9 +17,9 @@ "meta": { "alias": null, "disabled": false, - "field": "event.dataset", + "field": "data_stream.dataset", "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "event.dataset", + "key": "data_stream.dataset", "negate": false, "params": { "query": "apache_tomcat.cache" @@ -28,7 +28,7 @@ }, "query": { "match_phrase": { - "event.dataset": "apache_tomcat.cache" + "data_stream.dataset": "apache_tomcat.cache" } } } @@ -201,8 +201,7 @@ }, "panelIndex": "36ae155c-4005-4d73-b475-8988477e226d", "title": "Cache size over time [Metrics Apache Tomcat]", - "type": "lens", - "version": "8.7.0" + "type": "lens" }, { "embeddableConfig": { @@ -354,8 +353,7 @@ }, "panelIndex": "9f922f1f-c807-461d-894f-84236ab8cbd8", "title": "Total requests processed through cache over time [Metrics Apache Tomcat]", - "type": "lens", - "version": "8.7.0" + "type": "lens" }, { "embeddableConfig": { @@ -507,20 +505,17 @@ }, "panelIndex": "93820318-a84d-43c0-97a0-65731001cf06", "title": "Total requests over time [Metrics Apache Tomcat]", - "type": "lens", - "version": "8.7.0" + "type": "lens" } ], "timeRestore": false, "title": "[Metrics Apache Tomcat] Cache", "version": 1 }, - "coreMigrationVersion": "8.7.0", - "created_at": "2023-05-05T07:24:12.119Z", + "coreMigrationVersion": "8.8.0", + "created_at": "2024-04-13T09:03:38.064Z", "id": "apache_tomcat-9f21d4e0-b837-11ed-8008-cf66df3fb6bf", - "migrationVersion": { - "dashboard": "8.7.0" - }, + "managed": false, "references": [ { "id": "metrics-*", @@ -553,5 +548,6 @@ "type": "index-pattern" } ], - "type": "dashboard" + "type": "dashboard", + "typeMigrationVersion": "8.9.0" } \ No newline at end of file 
diff --git a/packages/apache_tomcat/kibana/dashboard/apache_tomcat-af7759b0-0a75-11ee-a8d8-d15950a587f6.json b/packages/apache_tomcat/kibana/dashboard/apache_tomcat-af7759b0-0a75-11ee-a8d8-d15950a587f6.json index dde26173ef3..0360ec660fa 100644 --- a/packages/apache_tomcat/kibana/dashboard/apache_tomcat-af7759b0-0a75-11ee-a8d8-d15950a587f6.json +++ b/packages/apache_tomcat/kibana/dashboard/apache_tomcat-af7759b0-0a75-11ee-a8d8-d15950a587f6.json @@ -17,9 +17,9 @@ "meta": { "alias": null, "disabled": false, - "field": "event.dataset", + "field": "data_stream.dataset", "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "event.dataset", + "key": "data_stream.dataset", "negate": false, "params": { "query": "apache_tomcat.connection_pool" @@ -28,7 +28,7 @@ }, "query": { "match_phrase": { - "event.dataset": "apache_tomcat.connection_pool" + "data_stream.dataset": "apache_tomcat.connection_pool" } } } @@ -55,11 +55,6 @@ "id": "metrics-*", "name": "indexpattern-datasource-layer-e325a4cc-4f13-45e6-ad1d-ab520a86078f", "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "d754c647-0a3e-4949-b974-ae09a1bc847d", - "type": "index-pattern" } ], "state": { @@ -129,30 +124,7 @@ "layers": {} } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "field": "event.dataset", - "index": "d754c647-0a3e-4949-b974-ae09a1bc847d", - "key": "event.dataset", - "negate": false, - "params": { - "query": "apache_tomcat.connection_pool" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "apache_tomcat.connection_pool" - } - } - } - ], + "filters": [], "internalReferences": [], "query": { "language": "kuery", @@ -220,8 +192,7 @@ }, "panelIndex": "8379c1c8-9392-4af4-a7f4-e625811a8f12", "title": "Connections over time [Metrics Apache Tomcat]", - "type": "lens", - "version": "8.7.0" + "type": "lens" }, { "embeddableConfig": { 
@@ -231,11 +202,6 @@ "id": "metrics-*", "name": "indexpattern-datasource-layer-bf37fdfd-568b-4d88-8698-f487013d0e7a", "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "c82a919f-342a-40fb-b752-e7d04fed8ff7", - "type": "index-pattern" } ], "state": { @@ -274,30 +240,7 @@ "layers": {} } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "field": "event.dataset", - "index": "c82a919f-342a-40fb-b752-e7d04fed8ff7", - "key": "event.dataset", - "negate": false, - "params": { - "query": "apache_tomcat.connection_pool" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "apache_tomcat.connection_pool" - } - } - } - ], + "filters": [], "internalReferences": [], "query": { "language": "kuery", @@ -327,8 +270,7 @@ }, "panelIndex": "f170f694-3b15-4d7f-8d02-93721b07841a", "title": "Active connections [Metrics Apache Tomcat]", - "type": "lens", - "version": "8.7.0" + "type": "lens" }, { "embeddableConfig": { @@ -338,11 +280,6 @@ "id": "metrics-*", "name": "indexpattern-datasource-layer-bf37fdfd-568b-4d88-8698-f487013d0e7a", "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "18d6b810-b483-4c38-8003-439a9795566e", - "type": "index-pattern" } ], "state": { @@ -381,30 +318,7 @@ "layers": {} } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "field": "event.dataset", - "index": "18d6b810-b483-4c38-8003-439a9795566e", - "key": "event.dataset", - "negate": false, - "params": { - "query": "apache_tomcat.connection_pool" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "apache_tomcat.connection_pool" - } - } - } - ], + "filters": [], "internalReferences": [], "query": { "language": "kuery", 
@@ -434,20 +348,17 @@ }, "panelIndex": "4ba1c352-1167-4214-a1e0-a8acb13e59aa", "title": "Idle connections [Metrics Apache Tomcat]", - "type": "lens", - "version": "8.7.0" + "type": "lens" } ], "timeRestore": false, "title": "[Metrics Apache Tomcat] Connection Pool", "version": 1 }, - "coreMigrationVersion": "8.7.0", - "created_at": "2023-06-30T05:14:49.407Z", + "coreMigrationVersion": "8.8.0", + "created_at": "2024-04-13T09:04:43.666Z", "id": "apache_tomcat-af7759b0-0a75-11ee-a8d8-d15950a587f6", - "migrationVersion": { - "dashboard": "8.7.0" - }, + "managed": false, "references": [ { "id": "metrics-*", @@ -459,31 +370,16 @@ "name": "8379c1c8-9392-4af4-a7f4-e625811a8f12:indexpattern-datasource-layer-e325a4cc-4f13-45e6-ad1d-ab520a86078f", "type": "index-pattern" }, - { - "id": "metrics-*", - "name": "8379c1c8-9392-4af4-a7f4-e625811a8f12:d754c647-0a3e-4949-b974-ae09a1bc847d", - "type": "index-pattern" - }, { "id": "metrics-*", "name": "f170f694-3b15-4d7f-8d02-93721b07841a:indexpattern-datasource-layer-bf37fdfd-568b-4d88-8698-f487013d0e7a", "type": "index-pattern" }, - { - "id": "metrics-*", - "name": "f170f694-3b15-4d7f-8d02-93721b07841a:c82a919f-342a-40fb-b752-e7d04fed8ff7", - "type": "index-pattern" - }, { "id": "metrics-*", "name": "4ba1c352-1167-4214-a1e0-a8acb13e59aa:indexpattern-datasource-layer-bf37fdfd-568b-4d88-8698-f487013d0e7a", "type": "index-pattern" }, - { - "id": "metrics-*", - "name": "4ba1c352-1167-4214-a1e0-a8acb13e59aa:18d6b810-b483-4c38-8003-439a9795566e", - "type": "index-pattern" - }, { "id": "metrics-*", "name": "controlGroup_3503af0f-80d1-487e-8fa3-e470f20f9f8b:optionsListDataView", @@ -495,5 +391,6 @@ "type": "index-pattern" } ], - "type": "dashboard" + "type": "dashboard", + "typeMigrationVersion": "8.9.0" } \ No newline at end of file 
diff --git a/packages/apache_tomcat/kibana/dashboard/apache_tomcat-c2e71320-bccb-11ed-8065-19219c0d55ab.json b/packages/apache_tomcat/kibana/dashboard/apache_tomcat-c2e71320-bccb-11ed-8065-19219c0d55ab.json index 30ac4e11b58..305e74c9ab4 100644 --- a/packages/apache_tomcat/kibana/dashboard/apache_tomcat-c2e71320-bccb-11ed-8065-19219c0d55ab.json +++ b/packages/apache_tomcat/kibana/dashboard/apache_tomcat-c2e71320-bccb-11ed-8065-19219c0d55ab.json @@ -61,11 +61,6 @@ "id": "metrics-*", "name": "indexpattern-datasource-layer-7a97f25c-2c29-43be-a9d9-227e78aa4824", "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "424f182e-1baf-4bc9-a7a6-74f1ca6881ef", - "type": "index-pattern" } ], "state": { @@ -154,29 +149,7 @@ } } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "424f182e-1baf-4bc9-a7a6-74f1ca6881ef", - "key": "event.dataset", - "negate": false, - "params": { - "query": "apache_tomcat.memory" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "apache_tomcat.memory" - } - } - } - ], + "filters": [], "internalReferences": [], "query": { "language": "kuery", @@ -210,12 +183,12 @@ "y": 0 }, "panelIndex": "7249a3d9-803b-4ddd-952f-0021fcfe7f58", - "type": "lens", - "version": "8.8.0" + "type": "lens" }, { "embeddableConfig": { "attributes": { + "description": "When the value for the maximum memory size (in bytes) is set to -1 for heap memory configurations, it indicates that the user has not specified a predefined size for the memory allocation", "references": [ { "id": "metrics-*", @@ -226,11 +199,6 @@ "id": "metrics-*", "name": "indexpattern-datasource-layer-ce5c86d1-5778-457d-a66f-8d2be35fdd09", "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "1be63b2a-edae-4674-a21f-4cc44d7ef2a4", - "type": "index-pattern" } ], "state": { 
@@ -375,29 +343,7 @@ } } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "1be63b2a-edae-4674-a21f-4cc44d7ef2a4", - "key": "event.dataset", - "negate": false, - "params": { - "query": "apache_tomcat.memory" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "apache_tomcat.memory" - } - } - } - ], + "filters": [], "internalReferences": [], "query": { "language": "kuery", @@ -483,8 +429,7 @@ }, "panelIndex": "ff461eaa-d936-4fbd-af56-72a528fdf515", "title": "Heap memory over time [Metrics Apache Tomcat]", - "type": "lens", - "version": "8.8.0" + "type": "lens" }, { "embeddableConfig": { @@ -500,11 +445,6 @@ "id": "metrics-*", "name": "indexpattern-datasource-layer-b9cb687d-7e05-469a-bc47-e9b07685a0d8", "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "8708baa5-febb-4d77-9857-ba124b9c91f8", - "type": "index-pattern" } ], "state": { @@ -593,29 +533,7 @@ } } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "8708baa5-febb-4d77-9857-ba124b9c91f8", - "key": "event.dataset", - "negate": false, - "params": { - "query": "apache_tomcat.memory" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "apache_tomcat.memory" - } - } - } - ], + "filters": [], "internalReferences": [], "query": { "language": "kuery", @@ -649,12 +567,12 @@ }, "panelIndex": "3b18802f-5ac5-48f1-8ba3-c46d37f86d47", "title": "", - "type": "lens", - "version": "8.8.0" + "type": "lens" }, { "embeddableConfig": { "attributes": { + "description": "When the value for the maximum memory size (in bytes) is set to -1 for non-heap memory configurations, it indicates that the user has not specified a predefined size for the memory allocation", "references": [ { "id": "metrics-*", 
@@ -665,11 +583,6 @@ "id": "metrics-*", "name": "indexpattern-datasource-layer-ce5c86d1-5778-457d-a66f-8d2be35fdd09", "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "4fba9f55-18c8-458c-9ee5-83936d0402ac", - "type": "index-pattern" } ], "state": { @@ -814,29 +727,7 @@ } } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "4fba9f55-18c8-458c-9ee5-83936d0402ac", - "key": "event.dataset", - "negate": false, - "params": { - "query": "apache_tomcat.memory" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "apache_tomcat.memory" - } - } - } - ], + "filters": [], "internalReferences": [], "query": { "language": "kuery", @@ -922,8 +813,7 @@ }, "panelIndex": "1c7a5509-3841-40a3-9b00-fd11ee6db933", "title": "Non-heap memory over time [Metrics Apache Tomcat]", - "type": "lens", - "version": "8.8.0" + "type": "lens" }, { "embeddableConfig": { @@ -939,11 +829,6 @@ "id": "metrics-*", "name": "indexpattern-datasource-layer-9664f1c8-ab27-4919-9805-e22529ee1f2c", "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "f7dd40ff-6ab5-4c72-9c14-3d9a3a1459c0", - "type": "index-pattern" } ], "state": { @@ -1030,29 +915,7 @@ } } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "f7dd40ff-6ab5-4c72-9c14-3d9a3a1459c0", - "key": "event.dataset", - "negate": false, - "params": { - "query": "apache_tomcat.memory" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "apache_tomcat.memory" - } - } - } - ], + "filters": [], "internalReferences": [], "query": { "language": "kuery", 
@@ -1141,20 +1004,17 @@ }, "panelIndex": "af80afbb-07f6-4f69-b475-2e5f19cfa60d", "title": "Garbage collection over time [Metrics Apache Tomcat]", - "type": "lens", - "version": "8.8.0" + "type": "lens" } ], "timeRestore": false, "title": "[Metrics Apache Tomcat] Memory", "version": 1 }, - "coreMigrationVersion": "8.7.0", - "created_at": "2023-07-18T10:55:22.442Z", + "coreMigrationVersion": "8.8.0", + "created_at": "2024-04-13T09:05:56.186Z", "id": "apache_tomcat-c2e71320-bccb-11ed-8065-19219c0d55ab", - "migrationVersion": { - "dashboard": "8.7.0" - }, + "managed": false, "references": [ { "id": "metrics-*", @@ -1171,11 +1031,6 @@ "name": "7249a3d9-803b-4ddd-952f-0021fcfe7f58:indexpattern-datasource-layer-7a97f25c-2c29-43be-a9d9-227e78aa4824", "type": "index-pattern" }, - { - "id": "metrics-*", - "name": "7249a3d9-803b-4ddd-952f-0021fcfe7f58:424f182e-1baf-4bc9-a7a6-74f1ca6881ef", - "type": "index-pattern" - }, { "id": "metrics-*", "name": "ff461eaa-d936-4fbd-af56-72a528fdf515:indexpattern-datasource-layer-832a1cf4-a2fb-4da0-a1a9-e2e4ad75cf0b", @@ -1186,11 +1041,6 @@ "name": "ff461eaa-d936-4fbd-af56-72a528fdf515:indexpattern-datasource-layer-ce5c86d1-5778-457d-a66f-8d2be35fdd09", "type": "index-pattern" }, - { - "id": "metrics-*", - "name": "ff461eaa-d936-4fbd-af56-72a528fdf515:1be63b2a-edae-4674-a21f-4cc44d7ef2a4", - "type": "index-pattern" - }, { "id": "metrics-*", "name": "3b18802f-5ac5-48f1-8ba3-c46d37f86d47:indexpattern-datasource-layer-603b89be-e03d-4ed5-83b6-4ca7c19f41aa", @@ -1201,11 +1051,6 @@ "name": "3b18802f-5ac5-48f1-8ba3-c46d37f86d47:indexpattern-datasource-layer-b9cb687d-7e05-469a-bc47-e9b07685a0d8", "type": "index-pattern" }, - { - "id": "metrics-*", - "name": "3b18802f-5ac5-48f1-8ba3-c46d37f86d47:8708baa5-febb-4d77-9857-ba124b9c91f8", - "type": "index-pattern" - }, { "id": "metrics-*", "name": "1c7a5509-3841-40a3-9b00-fd11ee6db933:indexpattern-datasource-layer-832a1cf4-a2fb-4da0-a1a9-e2e4ad75cf0b", 
@@ -1216,11 +1061,6 @@ "name": "1c7a5509-3841-40a3-9b00-fd11ee6db933:indexpattern-datasource-layer-ce5c86d1-5778-457d-a66f-8d2be35fdd09", "type": "index-pattern" }, - { - "id": "metrics-*", - "name": "1c7a5509-3841-40a3-9b00-fd11ee6db933:4fba9f55-18c8-458c-9ee5-83936d0402ac", - "type": "index-pattern" - }, { "id": "metrics-*", "name": "af80afbb-07f6-4f69-b475-2e5f19cfa60d:indexpattern-datasource-layer-88daef46-ca28-45c1-b7cc-8f7ccff4842d", @@ -1231,16 +1071,12 @@ "name": "af80afbb-07f6-4f69-b475-2e5f19cfa60d:indexpattern-datasource-layer-9664f1c8-ab27-4919-9805-e22529ee1f2c", "type": "index-pattern" }, - { - "id": "metrics-*", - "name": "af80afbb-07f6-4f69-b475-2e5f19cfa60d:f7dd40ff-6ab5-4c72-9c14-3d9a3a1459c0", - "type": "index-pattern" - }, { "id": "metrics-*", "name": "controlGroup_40090461-b167-4b82-8ae3-e1326133b845:optionsListDataView", "type": "index-pattern" } ], - "type": "dashboard" + "type": "dashboard", + "typeMigrationVersion": "8.9.0" } \ No newline at end of file diff --git a/packages/apache_tomcat/kibana/dashboard/apache_tomcat-c8ec7280-1a57-11ee-8c1a-099fb2bcb823.json b/packages/apache_tomcat/kibana/dashboard/apache_tomcat-c8ec7280-1a57-11ee-8c1a-099fb2bcb823.json index ab28ff8c7f7..657ece9f8ba 100644 --- a/packages/apache_tomcat/kibana/dashboard/apache_tomcat-c8ec7280-1a57-11ee-8c1a-099fb2bcb823.json +++ b/packages/apache_tomcat/kibana/dashboard/apache_tomcat-c8ec7280-1a57-11ee-8c1a-099fb2bcb823.json 
@@ -17,18 +17,55 @@ "meta": { "alias": null, "disabled": false, - "field": "event.module", + "field": "data_stream.dataset", "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "event.module", + "key": "data_stream.dataset", "negate": false, - "params": { - "query": "apache_tomcat" - }, - "type": "phrase" + "params": [ + "apache_tomcat.session", + "apache_tomcat.cache", + "apache_tomcat.connection_pool", + "apache_tomcat.memory", + "apache_tomcat.request", + "apache_tomcat.thread_pool" + ], + "type": "phrases" }, "query": { - "match_phrase": { - "event.module": "apache_tomcat" + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "data_stream.dataset": "apache_tomcat.session" + } + }, + { + "match_phrase": { + "data_stream.dataset": "apache_tomcat.cache" + } + }, + { + "match_phrase": { + "data_stream.dataset": "apache_tomcat.connection_pool" + } + }, + { + "match_phrase": { + "data_stream.dataset": "apache_tomcat.memory" + } + }, + { + "match_phrase": { + "data_stream.dataset": "apache_tomcat.request" + } + }, + { + "match_phrase": { + "data_stream.dataset": "apache_tomcat.thread_pool" + } + } + ] } } } @@ -51,11 +88,6 @@ "embeddableConfig": { "attributes": { "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-99998251-2f00-4a88-bf98-07e7d8e3ac81", - "type": "index-pattern" - }, { "id": "metrics-*", "name": "indexpattern-datasource-layer-207a8774-23b1-43df-831f-56cb6d093dc0", @@ -63,7 +95,7 @@ }, { "id": "metrics-*", - "name": "f3e87a81-2a03-49e7-b465-ae2e5540cfd7", + "name": "indexpattern-datasource-layer-99998251-2f00-4a88-bf98-07e7d8e3ac81", "type": "index-pattern" } ], 
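Review bot: The dataset list in the new top-level filter is spelled out twice — once as the six strings under `meta.params` and once as six `match_phrase` clauses under `query.bool.should` — and nothing ties the two copies together, so a metrics data stream added later to only one of them would make the filter pill and the query Kibana actually runs disagree. The two lists agree today (session, cache, connection_pool, memory, request, thread_pool), and the `filter[0].meta.index` reference this filter relies on is present in the dashboard's `references` further down. Since JSON cannot carry a comment, this is worth one sentence in the package README or the PR description: when an apache_tomcat metrics data stream is added or renamed, both lists in the Overview dashboard's global filter must be updated together.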
@@ -137,30 +169,7 @@ "layers": {} } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "field": "event.dataset", - "index": "f3e87a81-2a03-49e7-b465-ae2e5540cfd7", - "key": "event.dataset", - "negate": false, - "params": { - "query": "apache_tomcat.session" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "apache_tomcat.session" - } - } - } - ], + "filters": [], "internalReferences": [], "query": { "language": "kuery", @@ -193,8 +202,7 @@ }, "panelIndex": "06854553-1f37-41b0-972c-380acf5cb39f", "title": "Number of Applications [Metrics Apache Tomcat]", - "type": "lens", - "version": "8.8.0" + "type": "lens" }, { "embeddableConfig": { @@ -204,11 +212,6 @@ "id": "metrics-*", "name": "indexpattern-datasource-layer-e6ec4f57-529c-490f-86c3-5ae4140dc908", "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "791b20c2-6ace-42e3-a393-51b4f378bd2a", - "type": "index-pattern" } ], "state": { @@ -288,30 +291,7 @@ "layers": {} } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "field": "event.dataset", - "index": "791b20c2-6ace-42e3-a393-51b4f378bd2a", - "key": "event.dataset", - "negate": false, - "params": { - "query": "apache_tomcat.cache" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "apache_tomcat.cache" - } - } - } - ], + "filters": [], "internalReferences": [], "query": { "language": "kuery", @@ -380,8 +360,7 @@ }, "panelIndex": "b8716edd-6941-4cba-9f1a-b3a08c7fc647", "title": "Top 5 requests per application over time [Metrics Apache Tomcat]", - "type": "lens", - "version": "8.8.0" + "type": "lens" }, { "embeddableConfig": { 
@@ -397,11 +376,6 @@ "id": "metrics-*", "name": "indexpattern-datasource-layer-e4ff0e97-e884-4a2e-859a-f16a579acd75", "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "e03e36e7-2153-4e6b-ad73-0b3f58c89969", - "type": "index-pattern" } ], "state": { @@ -604,30 +578,7 @@ "layers": {} } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "field": "event.dataset", - "index": "e03e36e7-2153-4e6b-ad73-0b3f58c89969", - "key": "event.dataset", - "negate": false, - "params": { - "query": "apache_tomcat.request" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "apache_tomcat.request" - } - } - } - ], + "filters": [], "internalReferences": [], "query": { "language": "kuery", @@ -660,8 +611,7 @@ }, "panelIndex": "9e8b29e7-3679-4e44-a585-f4cf7f17044f", "title": "Average request processing time [Metrics Apache Tomcat]", - "type": "lens", - "version": "8.8.0" + "type": "lens" }, { "embeddableConfig": { @@ -671,11 +621,6 @@ "id": "metrics-*", "name": "indexpattern-datasource-layer-7c4da97e-7d47-4847-87ae-0fbdcc983343", "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "38cc0910-5849-444d-ba26-a9dab625f549", - "type": "index-pattern" } ], "state": { @@ -745,30 +690,7 @@ "layers": {} } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "field": "event.dataset", - "index": "38cc0910-5849-444d-ba26-a9dab625f549", - "key": "event.dataset", - "negate": false, - "params": { - "query": "apache_tomcat.connection_pool" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "apache_tomcat.connection_pool" - } - } - } - ], + "filters": [], "internalReferences": [], "query": { "language": "kuery", 
@@ -836,8 +758,7 @@ }, "panelIndex": "ba5d9b2e-689c-4472-aa89-bc355a5cc780", "title": "Connections over time [Metrics Apache Tomcat]", - "type": "lens", - "version": "8.8.0" + "type": "lens" }, { "embeddableConfig": { @@ -847,11 +768,6 @@ "id": "metrics-*", "name": "indexpattern-datasource-layer-b09c20e6-d7d3-4fe2-8490-2c6feedb02c9", "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "44b26cb6-1625-4950-9cd5-a079004b991b", - "type": "index-pattern" } ], "state": { @@ -933,30 +849,7 @@ "layers": {} } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "field": "event.dataset", - "index": "44b26cb6-1625-4950-9cd5-a079004b991b", - "key": "event.dataset", - "negate": false, - "params": { - "query": "apache_tomcat.memory" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "apache_tomcat.memory" - } - } - } - ], + "filters": [], "internalReferences": [], "query": { "language": "kuery", @@ -1009,8 +902,7 @@ }, "panelIndex": "38423062-d16c-4911-a9e9-dfdfba9d19b5", "title": "Memory usage over time [Metrics Apache Tomcat]", - "type": "lens", - "version": "8.8.0" + "type": "lens" }, { "embeddableConfig": { @@ -1020,11 +912,6 @@ "id": "metrics-*", "name": "indexpattern-datasource-layer-365e11cb-9eed-4fd4-a335-2b8ee3f454c5", "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "c9861b14-6ccb-4a1a-b38f-4d7c01febfc8", - "type": "index-pattern" } ], "state": { 
@@ -1106,30 +993,7 @@ "layers": {} } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "field": "event.dataset", - "index": "c9861b14-6ccb-4a1a-b38f-4d7c01febfc8", - "key": "event.dataset", - "negate": false, - "params": { - "query": "apache_tomcat.request" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "apache_tomcat.request" - } - } - } - ], + "filters": [], "internalReferences": [], "query": { "language": "kuery", @@ -1182,8 +1046,7 @@ }, "panelIndex": "5862d24f-ecf5-41fd-93b4-3d214e834361", "title": "Throughput over time [Metrics Apache Tomcat]", - "type": "lens", - "version": "8.8.0" + "type": "lens" }, { "embeddableConfig": { @@ -1194,11 +1057,6 @@ "id": "metrics-*", "name": "indexpattern-datasource-layer-bdd64b4a-4147-4624-8e56-78dbbddd5986", "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "1a9a387d-da2b-46c0-9d67-d84642c4450d", - "type": "index-pattern" } ], "state": { @@ -1319,30 +1177,7 @@ "layers": {} } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "field": "event.dataset", - "index": "1a9a387d-da2b-46c0-9d67-d84642c4450d", - "key": "event.dataset", - "negate": false, - "params": { - "query": "apache_tomcat.thread_pool" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "apache_tomcat.thread_pool" - } - } - } - ], + "filters": [], "internalReferences": [], "query": { "language": "kuery", 
@@ -1395,35 +1230,27 @@ "i": "8d71c0de-16f1-4231-97ff-0bf7e1af5db0", "w": 24, "x": 0, - "y": 34 + "y": 28 }, "panelIndex": "8d71c0de-16f1-4231-97ff-0bf7e1af5db0", "title": "Thread distribution by server over time [Metrics Apache Tomcat]", - "type": "lens", - "version": "8.8.0" + "type": "lens" } ], "timeRestore": false, "title": "[Metrics Apache Tomcat] Overview ", "version": 1 }, - "coreMigrationVersion": "8.7.0", - "created_at": "2023-07-19T08:01:33.946Z", + "coreMigrationVersion": "8.8.0", + "created_at": "2024-04-13T09:09:11.916Z", "id": "apache_tomcat-c8ec7280-1a57-11ee-8c1a-099fb2bcb823", - "migrationVersion": { - "dashboard": "8.7.0" - }, + "managed": false, "references": [ { "id": "metrics-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern" }, - { - "id": "metrics-*", - "name": "06854553-1f37-41b0-972c-380acf5cb39f:indexpattern-datasource-layer-99998251-2f00-4a88-bf98-07e7d8e3ac81", - "type": "index-pattern" - }, { "id": "metrics-*", "name": "06854553-1f37-41b0-972c-380acf5cb39f:indexpattern-datasource-layer-207a8774-23b1-43df-831f-56cb6d093dc0", @@ -1431,7 +1258,7 @@ }, { "id": "metrics-*", - "name": "06854553-1f37-41b0-972c-380acf5cb39f:f3e87a81-2a03-49e7-b465-ae2e5540cfd7", + "name": "06854553-1f37-41b0-972c-380acf5cb39f:indexpattern-datasource-layer-99998251-2f00-4a88-bf98-07e7d8e3ac81", "type": "index-pattern" }, { @@ -1439,11 +1266,6 @@ "name": "b8716edd-6941-4cba-9f1a-b3a08c7fc647:indexpattern-datasource-layer-e6ec4f57-529c-490f-86c3-5ae4140dc908", "type": "index-pattern" }, - { - "id": "metrics-*", - "name": "b8716edd-6941-4cba-9f1a-b3a08c7fc647:791b20c2-6ace-42e3-a393-51b4f378bd2a", - "type": "index-pattern" - }, { "id": "metrics-*", "name": "9e8b29e7-3679-4e44-a585-f4cf7f17044f:indexpattern-datasource-layer-041c5a9d-e816-4c77-ae9f-e31b81d15a8a", 
@@ -1454,56 +1276,32 @@ "name": "9e8b29e7-3679-4e44-a585-f4cf7f17044f:indexpattern-datasource-layer-e4ff0e97-e884-4a2e-859a-f16a579acd75", "type": "index-pattern" }, - { - "id": "metrics-*", - "name": "9e8b29e7-3679-4e44-a585-f4cf7f17044f:e03e36e7-2153-4e6b-ad73-0b3f58c89969", - "type": "index-pattern" - }, { "id": "metrics-*", "name": "ba5d9b2e-689c-4472-aa89-bc355a5cc780:indexpattern-datasource-layer-7c4da97e-7d47-4847-87ae-0fbdcc983343", "type": "index-pattern" }, - { - "id": "metrics-*", - "name": "ba5d9b2e-689c-4472-aa89-bc355a5cc780:38cc0910-5849-444d-ba26-a9dab625f549", - "type": "index-pattern" - }, { "id": "metrics-*", "name": "38423062-d16c-4911-a9e9-dfdfba9d19b5:indexpattern-datasource-layer-b09c20e6-d7d3-4fe2-8490-2c6feedb02c9", "type": "index-pattern" }, - { - "id": "metrics-*", - "name": "38423062-d16c-4911-a9e9-dfdfba9d19b5:44b26cb6-1625-4950-9cd5-a079004b991b", - "type": "index-pattern" - }, { "id": "metrics-*", "name": "5862d24f-ecf5-41fd-93b4-3d214e834361:indexpattern-datasource-layer-365e11cb-9eed-4fd4-a335-2b8ee3f454c5", "type": "index-pattern" }, - { - "id": "metrics-*", - "name": "5862d24f-ecf5-41fd-93b4-3d214e834361:c9861b14-6ccb-4a1a-b38f-4d7c01febfc8", - "type": "index-pattern" - }, { "id": "metrics-*", "name": "8d71c0de-16f1-4231-97ff-0bf7e1af5db0:indexpattern-datasource-layer-bdd64b4a-4147-4624-8e56-78dbbddd5986", "type": "index-pattern" }, - { - "id": "metrics-*", - "name": "8d71c0de-16f1-4231-97ff-0bf7e1af5db0:1a9a387d-da2b-46c0-9d67-d84642c4450d", - "type": "index-pattern" - }, { "id": "metrics-*", "name": "controlGroup_389cb789-1fc8-43c8-b276-08d02bae4cee:optionsListDataView", "type": "index-pattern" } ], - "type": "dashboard" + "type": "dashboard", + "typeMigrationVersion": "8.9.0" } \ No newline at end of file 
diff --git a/packages/apache_tomcat/kibana/dashboard/apache_tomcat-c97374d0-bb78-11ed-812e-b1288b469a47.json b/packages/apache_tomcat/kibana/dashboard/apache_tomcat-c97374d0-bb78-11ed-812e-b1288b469a47.json index 378b5d3c072..dd74b4f746a 100644 --- a/packages/apache_tomcat/kibana/dashboard/apache_tomcat-c97374d0-bb78-11ed-812e-b1288b469a47.json +++ b/packages/apache_tomcat/kibana/dashboard/apache_tomcat-c97374d0-bb78-11ed-812e-b1288b469a47.json @@ -17,9 +17,9 @@ "meta": { "alias": null, "disabled": false, - "field": "event.dataset", + "field": "data_stream.dataset", "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "event.dataset", + "key": "data_stream.dataset", "negate": false, "params": { "query": "apache_tomcat.request" @@ -28,7 +28,7 @@ }, "query": { "match_phrase": { - "event.dataset": "apache_tomcat.request" + "data_stream.dataset": "apache_tomcat.request" } } } @@ -131,8 +131,7 @@ }, "panelIndex": "df3b5039-6960-47fe-a408-8c59b82d0a83", "title": "Maximum time to process a request [Metrics Apache Tomcat]", - "type": "lens", - "version": "8.7.0" + "type": "lens" }, { "embeddableConfig": { @@ -142,11 +141,6 @@ "id": "metrics-*", "name": "indexpattern-datasource-layer-528b2da5-ff7d-4fb7-a62c-e3d64b70df91", "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "00da956e-dc3c-45f9-ab7f-2a3e0e1bb1e0", - "type": "index-pattern" } ], "state": { @@ -246,30 +240,7 @@ "layers": {} } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "field": "event.dataset", - "index": "00da956e-dc3c-45f9-ab7f-2a3e0e1bb1e0", - "key": "event.dataset", - "negate": false, - "params": { - "query": "apache_tomcat.request" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "apache_tomcat.request" - } - } - } - ], + "filters": [], "internalReferences": [], "query": { "language": "kuery", 
@@ -315,8 +286,7 @@ }, "panelIndex": "77e484b6-3cf9-4226-a80f-c5100ac0a0af", "title": "Distribution of NIO connectors by total process time [Metrics Apache Tomcat]", - "type": "lens", - "version": "8.7.0" + "type": "lens" }, { "embeddableConfig": { @@ -402,8 +372,7 @@ }, "panelIndex": "df3f56d0-2f45-44e0-b343-2404e987527b", "title": "Total time to process the requests [Metrics Apache Tomcat]", - "type": "lens", - "version": "8.7.0" + "type": "lens" }, { "embeddableConfig": { @@ -546,8 +515,7 @@ }, "panelIndex": "b43d4e14-e451-4025-9d4e-4cf781f94fba", "title": "Data transferred over time [Metrics Apache Tomcat]", - "type": "lens", - "version": "8.7.0" + "type": "lens" }, { "embeddableConfig": { @@ -654,8 +622,7 @@ }, "panelIndex": "5b8374fa-485f-469f-8118-a8d8abc20bfd", "title": "Requests processed over time [Metrics Apache Tomcat]", - "type": "lens", - "version": "8.7.0" + "type": "lens" }, { "embeddableConfig": { @@ -768,20 +735,17 @@ }, "panelIndex": "53358c42-fbc0-4329-8a1f-7330324cf827", "title": "Number of errors over time [Metrics Apache Tomcat]", - "type": "lens", - "version": "8.7.0" + "type": "lens" } ], "timeRestore": false, "title": "[Metrics Apache Tomcat] Request", "version": 1 }, - "coreMigrationVersion": "8.7.0", - "created_at": "2023-05-05T07:24:00.465Z", + "coreMigrationVersion": "8.8.0", + "created_at": "2024-04-13T09:10:03.496Z", "id": "apache_tomcat-c97374d0-bb78-11ed-812e-b1288b469a47", - "migrationVersion": { - "dashboard": "8.7.0" - }, + "managed": false, "references": [ { "id": "metrics-*", @@ -798,11 +762,6 @@ "name": "77e484b6-3cf9-4226-a80f-c5100ac0a0af:indexpattern-datasource-layer-528b2da5-ff7d-4fb7-a62c-e3d64b70df91", "type": "index-pattern" }, - { - "id": "metrics-*", - "name": "77e484b6-3cf9-4226-a80f-c5100ac0a0af:00da956e-dc3c-45f9-ab7f-2a3e0e1bb1e0", - "type": "index-pattern" - }, { "id": "metrics-*", "name": "df3f56d0-2f45-44e0-b343-2404e987527b:indexpattern-datasource-layer-cb8d60de-f6ec-4c20-932f-5869a496730f", 
@@ -829,5 +788,6 @@ "type": "index-pattern" } ], - "type": "dashboard" + "type": "dashboard", + "typeMigrationVersion": "8.9.0" } \ No newline at end of file diff --git a/packages/apache_tomcat/kibana/search/apache_tomcat-1f3c6e30-dd11-11ed-9f4f-d97c9f37d195.json b/packages/apache_tomcat/kibana/search/apache_tomcat-1f3c6e30-dd11-11ed-9f4f-d97c9f37d195.json deleted file mode 100644 index 422f73d8e2c..00000000000 --- a/packages/apache_tomcat/kibana/search/apache_tomcat-1f3c6e30-dd11-11ed-9f4f-d97c9f37d195.json +++ /dev/null 
@@ -1,111 +0,0 @@ -{ - "attributes": { - "columns": [ - "apache_tomcat.catalina.subsystem", - "log.level", - "message" - ], - "description": "", - "grid": { - "columns": { - "apache_tomcat.catalina.subsystem": { - "width": 240 - }, - "log.level": { - "width": 78 - } - } - }, - "hideChart": false, - "isTextBasedQuery": false, - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "field": "event.dataset", - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "event.dataset", - "negate": false, - "params": { - "query": "apache_tomcat.catalina" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "apache_tomcat.catalina" - } - } - }, - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "field": "log.level", - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "key": "log.level", - "negate": true, - "params": { - "query": "info" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "log.level": "info" - } - } - } - ], - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", - "query": { - "language": "kuery", - "query": "" - } - } - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "timeRestore": false, - "title": "Catalina logs overview [Logs Apache Tomcat]", - "usesAdHocDataView": false - }, - "coreMigrationVersion": "8.7.0", - "created_at": "2023-07-24T12:48:07.116Z", - "id": "apache_tomcat-1f3c6e30-dd11-11ed-9f4f-d97c9f37d195", - "migrationVersion": { - "dashboard": "8.0.0", - "search": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": 
"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/apache_tomcat/kibana/search/apache_tomcat-4d39c820-ddcd-11ed-8080-ddad81fe2c3c.json b/packages/apache_tomcat/kibana/search/apache_tomcat-4d39c820-ddcd-11ed-8080-ddad81fe2c3c.json deleted file mode 100644 index 8109ba8161e..00000000000 --- a/packages/apache_tomcat/kibana/search/apache_tomcat-4d39c820-ddcd-11ed-8080-ddad81fe2c3c.json +++ /dev/null 
@@ -1,111 +0,0 @@ -{ - "attributes": { - "columns": [ - "apache_tomcat.localhost.subsystem", - "log.level", - "message" - ], - "description": "", - "grid": { - "columns": { - "apache_tomcat.localhost.subsystem": { - "width": 248 - }, - "log.level": { - "width": 75 - } - } - }, - "hideChart": false, - "isTextBasedQuery": false, - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "field": "event.dataset", - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "event.dataset", - "negate": false, - "params": { - "query": "apache_tomcat.localhost" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "apache_tomcat.localhost" - } - } - }, - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "field": "log.level", - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "key": "log.level", - "negate": true, - "params": { - "query": "info" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "log.level": "info" - } - } - } - ], - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", - "query": { - "language": "kuery", - "query": "" - } - } - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "timeRestore": false, - "title": "Localhost logs overview [Logs Apache Tomcat]", - "usesAdHocDataView": false - }, - "coreMigrationVersion": "8.7.0", - "created_at": "2023-07-24T12:48:07.116Z", - "id": "apache_tomcat-4d39c820-ddcd-11ed-8080-ddad81fe2c3c", - "migrationVersion": { - "dashboard": "8.0.0", - "search": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": 
"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/apache_tomcat/kibana/search/apache_tomcat-d0957a70-eda4-11ed-909a-2baec7270d1f.json b/packages/apache_tomcat/kibana/search/apache_tomcat-d0957a70-eda4-11ed-909a-2baec7270d1f.json deleted file mode 100644 index 0d905f587a7..00000000000 --- a/packages/apache_tomcat/kibana/search/apache_tomcat-d0957a70-eda4-11ed-909a-2baec7270d1f.json +++ /dev/null 
@@ -1,124 +0,0 @@ -{ - "attributes": { - "columns": [ - "source.ip", - "url.original", - "http.response.status_code" - ], - "description": "", - "grid": { - "columns": { - "http.response.status_code": { - "width": 183 - } - } - }, - "hideChart": false, - "isTextBasedQuery": false, - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "field": "event.dataset", - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "event.dataset", - "negate": false, - "params": { - "query": "apache_tomcat.access" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "apache_tomcat.access" - } - } - }, - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "field": "http.response.status_code", - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "key": "http.response.status_code", - "negate": false, - "params": { - "gte": "400", - "lt": "599" - }, - "type": "range", - "value": { - "gte": "400", - "lt": "599" - } - }, - "query": { - "range": { - "http.response.status_code": { - "gte": "400", - "lt": "599" - } - } - } - } - ], - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", - "query": { - "language": "kuery", - "query": "" - } - } - }, - "refreshInterval": { - "pause": true, - "value": 60000 - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "timeRange": { - "from": "now-1y/d", - "to": "now" - }, - "timeRestore": true, - "title": "Client and Server HTTP error details [Logs Apache Tomcat]", - "usesAdHocDataView": false - }, - "coreMigrationVersion": "8.7.0", - "created_at": "2023-07-24T12:48:07.116Z", - "id": "apache_tomcat-d0957a70-eda4-11ed-909a-2baec7270d1f", - "migrationVersion": { - "dashboard": "8.0.0", - "search": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": 
"kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/apache_tomcat/manifest.yml b/packages/apache_tomcat/manifest.yml index ab7a6a8371b..0d099255630 100644 --- a/packages/apache_tomcat/manifest.yml +++ b/packages/apache_tomcat/manifest.yml @@ -1,7 +1,7 @@ format_version: "3.0.2" name: apache_tomcat title: Apache Tomcat -version: "1.5.1" +version: "1.6.0" description: Collect and parse logs and metrics from Apache Tomcat servers with Elastic Agent. categories: ["web", "observability"] type: integration diff --git a/packages/apache_tomcat/validation.yml b/packages/apache_tomcat/validation.yml deleted file mode 100644 index 1189aa63c89..00000000000 --- a/packages/apache_tomcat/validation.yml +++ /dev/null @@ -1,3 +0,0 @@ -errors: - exclude_checks: - - SVR00004 # References in dashboards. diff --git a/packages/cassandra/changelog.yml b/packages/cassandra/changelog.yml index 04e1ed156e5..24133cab15c 100644 --- a/packages/cassandra/changelog.yml +++ b/packages/cassandra/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.13.0" + changes: + - description: Add global filter on data_stream.dataset to improve performance. + type: enhancement + link: https://github.com/elastic/integrations/pull/9768 - version: "1.12.2" changes: - description: Add documentation for setting up Jolokia to monitor Apache Cassandra. diff --git a/packages/cassandra/kibana/dashboard/cassandra-25b7d6d0-1c71-11ec-84f1-e1733c643874.json b/packages/cassandra/kibana/dashboard/cassandra-25b7d6d0-1c71-11ec-84f1-e1733c643874.json index cdc0de5b8fa..f5695a51c2f 100644 
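Review bot: The manifest hunk only bumps `version` to 1.6.0 and shows no change to the Kibana version constraint, while the rewritten dashboards earlier in this diff now carry `coreMigrationVersion: "8.8.0"` and `typeMigrationVersion: "8.9.0"`. If `conditions.kibana.version` (outside this hunk) is still below 8.9.0, the package would advertise support for stacks older than the migration version stamped on its saved objects; please confirm the constraint is `^8.9.0` or later, or re-export the dashboards from the minimum supported Kibana. Removing `validation.yml` in the same change drops the SVR00004 exclusion, so the package validator will again check dashboard references, which also covers the three saved searches deleted here — presumably CI passing is what confirms nothing still points at them.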
--- a/packages/cassandra/kibana/dashboard/cassandra-25b7d6d0-1c71-11ec-84f1-e1733c643874.json +++ b/packages/cassandra/kibana/dashboard/cassandra-25b7d6d0-1c71-11ec-84f1-e1733c643874.json @@ -7,10 +7,32 @@ "panelsJSON": "{\"04f8802a-d7b4-4055-b906-60fe95facc9f\":{\"order\":0,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"service.address\",\"title\":\"Host\",\"id\":\"04f8802a-d7b4-4055-b906-60fe95facc9f\",\"enhancements\":{}}},\"8a8cb6ef-8521-41a3-bbe8-bba0d0cfa2c3\":{\"order\":1,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"cassandra.metrics.system.data_center\",\"title\":\"Database\",\"id\":\"8a8cb6ef-8521-41a3-bbe8-bba0d0cfa2c3\",\"enhancements\":{}}}}" }, "description": "Cassandra Metrics Dashboard", - "hits": 0, "kibanaSavedObjectMeta": { "searchSourceJSON": { - "filter": [], + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "cassandra.metrics" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "cassandra.metrics" + } + } + } + ], "query": { "language": "kuery", "query": "" @@ -20,6 +42,8 @@ "optionsJSON": { "hidePanelTitles": false, "syncColors": false, + "syncCursor": true, + "syncTooltips": false, "useMargins": false }, "panelsJSON": [ @@ -56,8 +80,7 @@ "y": 0 }, "panelIndex": "6139e80c-4a75-4dcd-b617-96c56dd1caf8", - "type": "visualization", - "version": "8.3.0" + "type": "visualization" }, { "embeddableConfig": { 
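Review bot: The new dashboard-level filter declares `"indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index"`, which Kibana resolves through a same-named entry in the saved object's top-level `references` array, and that array is outside this hunk. Please confirm it gains `{ "id": "metrics-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern" }`; without it the filter cannot resolve its data view, and since the following hunks remove every per-panel `event.dataset` filter and reset the panel queries from `(data_stream.dataset:cassandra.metrics)` to `""`, the panels would then have no dataset scoping at all. The apache_tomcat dashboards touched earlier in this diff show the expected shape, with the matching `filter[0].meta.index` entry in their `references`.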
@@ -67,16 +90,12 @@ "id": "metrics-*", "name": "indexpattern-datasource-layer-84e70f16-0200-46ec-b2d0-31534103e49f", "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "886877c1-b611-47a6-a744-15a02941b018", - "type": "index-pattern" } ], "state": { + "adHocDataViews": {}, "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "84e70f16-0200-46ec-b2d0-31534103e49f": { "columnOrder": [ @@ -176,32 +195,11 @@ } } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "886877c1-b611-47a6-a744-15a02941b018", - "key": "event.dataset", - "negate": false, - "params": { - "query": "cassandra.metrics" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "cassandra.metrics" - } - } - } - ], + "filters": [], + "internalReferences": [], "query": { "language": "kuery", - "query": "(data_stream.dataset:cassandra.metrics)" + "query": "" }, "visualization": { "columns": [ @@ -259,8 +257,7 @@ }, "panelIndex": "ea99aa96-c9cb-49a7-ac8e-9ed3461e3aef", "title": "Hosts [Metrics Cassandra]", - "type": "lens", - "version": "8.3.0" + "type": "lens" }, { "embeddableConfig": { @@ -270,16 +267,12 @@ "id": "metrics-*", "name": "indexpattern-datasource-layer-84e70f16-0200-46ec-b2d0-31534103e49f", "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "d4b251d7-e04c-4315-9be9-3355828498e3", - "type": "index-pattern" } ], "state": { + "adHocDataViews": {}, "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "84e70f16-0200-46ec-b2d0-31534103e49f": { "columnOrder": [ 
@@ -351,32 +344,11 @@ } } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "d4b251d7-e04c-4315-9be9-3355828498e3", - "key": "event.dataset", - "negate": false, - "params": { - "query": "cassandra.metrics" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "cassandra.metrics" - } - } - } - ], + "filters": [], + "internalReferences": [], "query": { "language": "kuery", - "query": "(data_stream.dataset:cassandra.metrics)" + "query": "" }, "visualization": { "columns": [ @@ -418,8 +390,7 @@ }, "panelIndex": "0cac5b29-e217-4b68-a61a-f389d9b8d7a1", "title": "Nodes [Metrics Cassandra]", - "type": "lens", - "version": "8.3.0" + "type": "lens" }, { "embeddableConfig": { @@ -429,16 +400,12 @@ "id": "metrics-*", "name": "indexpattern-datasource-layer-3a9f49ef-6c38-429d-b1a5-7bf2c847d024", "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "6d23911e-0983-4909-9678-ed97013196fd", - "type": "index-pattern" } ], "state": { + "adHocDataViews": {}, "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "3a9f49ef-6c38-429d-b1a5-7bf2c847d024": { "columnOrder": [ @@ -554,29 +521,8 @@ } } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "6d23911e-0983-4909-9678-ed97013196fd", - "key": "event.dataset", - "negate": false, - "params": { - "query": "cassandra.metrics" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "cassandra.metrics" - } - } - } - ], + "filters": [], + "internalReferences": [], "query": { "language": "kuery", "query": "" @@ -629,8 +575,7 @@ }, "panelIndex": "995f4c8e-fa4d-42e7-86dd-d138d6d05e87", "title": "Cluster Info [Metrics Cassandra]", - "type": "lens", - "version": "8.3.0" + "type": "lens" }, { "embeddableConfig": { 
@@ -640,16 +585,12 @@ "id": "metrics-*", "name": "indexpattern-datasource-layer-1df578c6-15e3-4c5f-b4f0-62f72f210db6", "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "1215e1ff-5606-4484-bf2c-bf1a24d0ebf4", - "type": "index-pattern" } ], "state": { + "adHocDataViews": {}, "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "1df578c6-15e3-4c5f-b4f0-62f72f210db6": { "columnOrder": [ @@ -714,32 +655,11 @@ } } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "1215e1ff-5606-4484-bf2c-bf1a24d0ebf4", - "key": "event.dataset", - "negate": false, - "params": { - "query": "cassandra.metrics" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "cassandra.metrics" - } - } - } - ], + "filters": [], + "internalReferences": [], "query": { "language": "kuery", - "query": "(data_stream.dataset:cassandra.metrics)" + "query": "" }, "visualization": { "axisTitlesVisibilitySettings": { @@ -800,8 +720,7 @@ }, "panelIndex": "a6045295-4b0c-4dec-b7b8-c0404187f002", "title": "Disk Usage [Metrics Cassandra]", - "type": "lens", - "version": "8.3.0" + "type": "lens" }, { "embeddableConfig": { @@ -811,16 +730,12 @@ "id": "metrics-*", "name": "indexpattern-datasource-layer-b200271a-40a4-4ef1-98ec-4f83b33b13e9", "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "301014c4-00d1-4685-9cb8-20d370c691e6", - "type": "index-pattern" } ], "state": { + "adHocDataViews": {}, "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "b200271a-40a4-4ef1-98ec-4f83b33b13e9": { "columnOrder": [ 
@@ -898,32 +813,11 @@ } } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "301014c4-00d1-4685-9cb8-20d370c691e6", - "key": "event.dataset", - "negate": false, - "params": { - "query": "cassandra.metrics" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "cassandra.metrics" - } - } - } - ], + "filters": [], + "internalReferences": [], "query": { "language": "kuery", - "query": "(data_stream.dataset:cassandra.metrics)" + "query": "" }, "visualization": { "axisTitlesVisibilitySettings": { @@ -985,8 +879,7 @@ }, "panelIndex": "e600f07c-44c8-4844-8788-d456d8303f66", "title": "Cache [Metrics Cassandra]", - "type": "lens", - "version": "8.3.0" + "type": "lens" }, { "embeddableConfig": { @@ -996,16 +889,12 @@ "id": "metrics-*", "name": "indexpattern-datasource-layer-b105d549-eb31-4b7a-b1cf-f813eea00af3", "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "1797fb28-ed26-407f-9ba3-98e6d512b369", - "type": "index-pattern" } ], "state": { + "adHocDataViews": {}, "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "b105d549-eb31-4b7a-b1cf-f813eea00af3": { "columnOrder": [ @@ -1083,32 +972,11 @@ } } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "1797fb28-ed26-407f-9ba3-98e6d512b369", - "key": "event.dataset", - "negate": false, - "params": { - "query": "cassandra.metrics" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "cassandra.metrics" - } - } - } - ], + "filters": [], + "internalReferences": [], "query": { "language": "kuery", - "query": "(data_stream.dataset:cassandra.metrics)" + "query": "" }, "visualization": { "axisTitlesVisibilitySettings": { 
@@ -1184,8 +1052,7 @@ }, "panelIndex": "b8cef86e-7c91-4a83-ac83-994334404231", "title": "Heap Memory [Metrics Cassandra]", - "type": "lens", - "version": "8.3.0" + "type": "lens" }, { "embeddableConfig": { @@ -1195,16 +1062,12 @@ "id": "metrics-*", "name": "indexpattern-datasource-layer-96706e48-10cb-46c0-b758-9345d459333c", "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "3740462a-7cfc-4ec7-9a22-d8325b93fa03", - "type": "index-pattern" } ], "state": { + "adHocDataViews": {}, "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "96706e48-10cb-46c0-b758-9345d459333c": { "columnOrder": [ @@ -1282,32 +1145,11 @@ } } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "3740462a-7cfc-4ec7-9a22-d8325b93fa03", - "key": "event.dataset", - "negate": false, - "params": { - "query": "cassandra.metrics" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "cassandra.metrics" - } - } - } - ], + "filters": [], + "internalReferences": [], "query": { "language": "kuery", - "query": "(data_stream.dataset:cassandra.metrics)" + "query": "" }, "visualization": { "axisTitlesVisibilitySettings": { @@ -1370,8 +1212,7 @@ }, "panelIndex": "cbbbaddb-c2c9-4406-9cd5-91aaac4d4f06", "title": "Tasks [Metrics Cassandra]", - "type": "lens", - "version": "8.3.0" + "type": "lens" }, { "embeddableConfig": { @@ -1381,16 +1222,12 @@ "id": "metrics-*", "name": "indexpattern-datasource-layer-603cdd40-46f5-4bc2-b610-ffd4a0a4e5ac", "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "1c8c960a-c931-4f35-ba88-4f3c9bad5181", - "type": "index-pattern" } ], "state": { + "adHocDataViews": {}, "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "603cdd40-46f5-4bc2-b610-ffd4a0a4e5ac": { "columnOrder": [ 
@@ -1468,32 +1305,11 @@ } } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "1c8c960a-c931-4f35-ba88-4f3c9bad5181", - "key": "event.dataset", - "negate": false, - "params": { - "query": "cassandra.metrics" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "cassandra.metrics" - } - } - } - ], + "filters": [], + "internalReferences": [], "query": { "language": "kuery", - "query": "(data_stream.dataset:cassandra.metrics)" + "query": "" }, "visualization": { "axisTitlesVisibilitySettings": { @@ -1555,8 +1371,7 @@ }, "panelIndex": "6c8fbd31-8d67-4d86-8583-48b35a473620", "title": "CAS Read/Write Latency [Metrics Cassandra]", - "type": "lens", - "version": "8.3.0" + "type": "lens" }, { "embeddableConfig": { @@ -1566,16 +1381,12 @@ "id": "metrics-*", "name": "indexpattern-datasource-layer-893dad34-5b9e-4f2d-b470-29c258e5d43b", "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "a32f2a0c-fd9f-4545-a362-5ef0da423138", - "type": "index-pattern" } ], "state": { + "adHocDataViews": {}, "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "893dad34-5b9e-4f2d-b470-29c258e5d43b": { "columnOrder": [ @@ -1653,32 +1464,11 @@ } } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "a32f2a0c-fd9f-4545-a362-5ef0da423138", - "key": "event.dataset", - "negate": false, - "params": { - "query": "cassandra.metrics" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "cassandra.metrics" - } - } - } - ], + "filters": [], + "internalReferences": [], "query": { "language": "kuery", - "query": "(data_stream.dataset:cassandra.metrics)" + "query": "" }, "visualization": { "axisTitlesVisibilitySettings": { 
@@ -1740,8 +1530,7 @@ }, "panelIndex": "b1d8d0cc-0873-4146-b7a9-6ed1c1f9b316", "title": "Read/Write Failures [Metrics Cassandra]", - "type": "lens", - "version": "8.3.0" + "type": "lens" }, { "embeddableConfig": { @@ -1751,16 +1540,12 @@ "id": "metrics-*", "name": "indexpattern-datasource-layer-7c7c85de-bf32-4b48-a08a-fc375855b8c9", "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "4304fcdd-8834-43bc-a2c3-1e2359b69e88", - "type": "index-pattern" } ], "state": { + "adHocDataViews": {}, "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "7c7c85de-bf32-4b48-a08a-fc375855b8c9": { "columnOrder": [ @@ -1955,32 +1740,11 @@ } } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "4304fcdd-8834-43bc-a2c3-1e2359b69e88", - "key": "event.dataset", - "negate": false, - "params": { - "query": "cassandra.metrics" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "cassandra.metrics" - } - } - } - ], + "filters": [], + "internalReferences": [], "query": { "language": "kuery", - "query": "(data_stream.dataset:cassandra.metrics)" + "query": "" }, "visualization": { "axisTitlesVisibilitySettings": { @@ -2087,8 +1851,7 @@ }, "panelIndex": "116de2a1-c967-47e2-b801-dd1d74cee1ac", "title": "Dropped Message [Metrics Cassandra]", - "type": "lens", - "version": "8.3.0" + "type": "lens" }, { "embeddableConfig": { @@ -2098,16 +1861,12 @@ "id": "metrics-*", "name": "indexpattern-datasource-layer-b75fdb41-7783-4e48-9255-ad65d660e8f3", "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "b6f5adf6-7edc-4975-9274-f40614627d61", - "type": "index-pattern" } ], "state": { + "adHocDataViews": {}, "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "b75fdb41-7783-4e48-9255-ad65d660e8f3": { "columnOrder": [ 
@@ -2185,32 +1944,11 @@ } } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "b6f5adf6-7edc-4975-9274-f40614627d61", - "key": "event.dataset", - "negate": false, - "params": { - "query": "cassandra.metrics" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "cassandra.metrics" - } - } - } - ], + "filters": [], + "internalReferences": [], "query": { "language": "kuery", - "query": "(data_stream.dataset:cassandra.metrics)" + "query": "" }, "visualization": { "axisTitlesVisibilitySettings": { @@ -2272,8 +2010,7 @@ }, "panelIndex": "e2295585-cc4f-402d-b6d8-ab54d8f300bb", "title": "Read/Write Count [Metrics Cassandra]", - "type": "lens", - "version": "8.3.0" + "type": "lens" }, { "embeddableConfig": { @@ -2283,16 +2020,12 @@ "id": "metrics-*", "name": "indexpattern-datasource-layer-95c5880e-0b20-4345-bb42-c62ec385e0ad", "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "1cf800da-1764-41e6-8bf3-e79d3b066a78", - "type": "index-pattern" } ], "state": { + "adHocDataViews": {}, "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "95c5880e-0b20-4345-bb42-c62ec385e0ad": { "columnOrder": [ @@ -2357,32 +2090,11 @@ } } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "1cf800da-1764-41e6-8bf3-e79d3b066a78", - "key": "event.dataset", - "negate": false, - "params": { - "query": "cassandra.metrics" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "cassandra.metrics" - } - } - } - ], + "filters": [], + "internalReferences": [], "query": { "language": "kuery", - "query": "(data_stream.dataset:cassandra.metrics)" + "query": "" }, "visualization": { "axisTitlesVisibilitySettings": { 
@@ -2453,8 +2165,7 @@ }, "panelIndex": "32e9a9f0-5725-4b33-98e5-a29924847892", "title": "Read Latency [Metrics Cassandra]", - "type": "lens", - "version": "8.3.0" + "type": "lens" }, { "embeddableConfig": { @@ -2464,16 +2175,12 @@ "id": "metrics-*", "name": "indexpattern-datasource-layer-eaaed275-514c-4910-8303-f46e38f1e922", "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "6f053a69-ca62-4cb0-89a1-a3652c434eae", - "type": "index-pattern" } ], "state": { + "adHocDataViews": {}, "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "eaaed275-514c-4910-8303-f46e38f1e922": { "columnOrder": [ @@ -2538,32 +2245,11 @@ } } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "6f053a69-ca62-4cb0-89a1-a3652c434eae", - "key": "event.dataset", - "negate": false, - "params": { - "query": "cassandra.metrics" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "cassandra.metrics" - } - } - } - ], + "filters": [], + "internalReferences": [], "query": { "language": "kuery", - "query": "(data_stream.dataset:cassandra.metrics)" + "query": "" }, "visualization": { "axisTitlesVisibilitySettings": { @@ -2620,8 +2306,7 @@ }, "panelIndex": "91a1108a-b151-4b79-8f20-36f2be710cd5", "title": "Write Latency [Metrics Cassandra]", - "type": "lens", - "version": "8.3.0" + "type": "lens" }, { "embeddableConfig": { @@ -2631,16 +2316,12 @@ "id": "metrics-*", "name": "indexpattern-datasource-layer-1ba0ffbb-f8af-4686-82da-720228416a5c", "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "4777a91a-3fee-44ee-8576-a9f92d31bbcc", - "type": "index-pattern" } ], "state": { + "adHocDataViews": {}, "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "1ba0ffbb-f8af-4686-82da-720228416a5c": { "columnOrder": [ 
@@ -2705,32 +2386,11 @@ } } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "4777a91a-3fee-44ee-8576-a9f92d31bbcc", - "key": "event.dataset", - "negate": false, - "params": { - "query": "cassandra.metrics" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "cassandra.metrics" - } - } - } - ], + "filters": [], + "internalReferences": [], "query": { "language": "kuery", - "query": "(data_stream.dataset:cassandra.metrics)" + "query": "" }, "visualization": { "axisTitlesVisibilitySettings": { @@ -2787,8 +2447,7 @@ }, "panelIndex": "2b907dce-54fa-43ea-a865-cf4250cceae4", "title": "Storage Exception [Metrics Cassandra]", - "type": "lens", - "version": "8.3.0" + "type": "lens" }, { "embeddableConfig": { @@ -2798,16 +2457,12 @@ "id": "metrics-*", "name": "indexpattern-datasource-layer-a74b0b16-d3eb-40dc-aff1-182b82a3500b", "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "ef797281-7cfd-4afd-96b2-0ffe1ba6d72f", - "type": "index-pattern" } ], "state": { + "adHocDataViews": {}, "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "a74b0b16-d3eb-40dc-aff1-182b82a3500b": { "columnOrder": [ @@ -2872,32 +2527,11 @@ } } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "ef797281-7cfd-4afd-96b2-0ffe1ba6d72f", - "key": "event.dataset", - "negate": false, - "params": { - "query": "cassandra.metrics" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "cassandra.metrics" - } - } - } - ], + "filters": [], + "internalReferences": [], "query": { "language": "kuery", - "query": "(data_stream.dataset:cassandra.metrics)" + "query": "" }, "visualization": { "axisTitlesVisibilitySettings": { 
@@ -2954,8 +2588,7 @@ }, "panelIndex": "f5c4ffef-afcc-42b3-8e00-a88aecdf4d71", "title": "Range Slice Latency [Metrics Cassandra]", - "type": "lens", - "version": "8.3.0" + "type": "lens" }, { "embeddableConfig": { @@ -2965,16 +2598,12 @@ "id": "metrics-*", "name": "indexpattern-datasource-layer-b0133202-9fd6-4886-af95-b9fbfc24f04d", "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "bea1c62b-4f2b-46f4-a6cc-4f8e44608515", - "type": "index-pattern" } ], "state": { + "adHocDataViews": {}, "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "b0133202-9fd6-4886-af95-b9fbfc24f04d": { "columnOrder": [ @@ -3052,32 +2681,11 @@ } } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "bea1c62b-4f2b-46f4-a6cc-4f8e44608515", - "key": "event.dataset", - "negate": false, - "params": { - "query": "cassandra.metrics" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "cassandra.metrics" - } - } - } - ], + "filters": [], + "internalReferences": [], "query": { "language": "kuery", - "query": "(data_stream.dataset:cassandra.metrics)" + "query": "" }, "visualization": { "axisTitlesVisibilitySettings": { @@ -3139,8 +2747,7 @@ }, "panelIndex": "4e99fbdf-8533-41a1-aead-15c63c884f4f", "title": "Unavailable Requests [Metrics Cassandra]", - "type": "lens", - "version": "8.3.0" + "type": "lens" }, { "embeddableConfig": { @@ -3150,16 +2757,12 @@ "id": "metrics-*", "name": "indexpattern-datasource-layer-7954a98e-9375-45cb-99b1-cc278ab2f4f7", "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "f3ff6850-780d-4e21-a5f0-1ea72ebeefbd", - "type": "index-pattern" } ], "state": { + "adHocDataViews": {}, "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "7954a98e-9375-45cb-99b1-cc278ab2f4f7": { "columnOrder": [ 
@@ -3237,32 +2840,11 @@ } } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "f3ff6850-780d-4e21-a5f0-1ea72ebeefbd", - "key": "event.dataset", - "negate": false, - "params": { - "query": "cassandra.metrics" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "cassandra.metrics" - } - } - } - ], + "filters": [], + "internalReferences": [], "query": { "language": "kuery", - "query": "(data_stream.dataset:cassandra.metrics)" + "query": "" }, "visualization": { "axisTitlesVisibilitySettings": { @@ -3324,28 +2906,26 @@ }, "panelIndex": "9bbec20f-016d-4176-a0d7-1447ed594245", "title": "Request Timeouts [Metrics Cassandra]", - "type": "lens", - "version": "8.3.0" + "type": "lens" } ], "timeRestore": false, "title": "[Metrics Cassandra] Overview", "version": 1 }, - "coreMigrationVersion": "8.3.0", + "coreMigrationVersion": "8.8.0", + "created_at": "2024-04-13T09:42:46.016Z", "id": "cassandra-25b7d6d0-1c71-11ec-84f1-e1733c643874", - "migrationVersion": { - "dashboard": "8.3.0" - }, + "managed": false, "references": [ { "id": "metrics-*", - "name": "ea99aa96-c9cb-49a7-ac8e-9ed3461e3aef:indexpattern-datasource-layer-84e70f16-0200-46ec-b2d0-31534103e49f", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern" }, { "id": "metrics-*", - "name": "ea99aa96-c9cb-49a7-ac8e-9ed3461e3aef:886877c1-b611-47a6-a744-15a02941b018", + "name": "ea99aa96-c9cb-49a7-ac8e-9ed3461e3aef:indexpattern-datasource-layer-84e70f16-0200-46ec-b2d0-31534103e49f", "type": "index-pattern" }, { 
@@ -3353,161 +2933,81 @@ "name": "0cac5b29-e217-4b68-a61a-f389d9b8d7a1:indexpattern-datasource-layer-84e70f16-0200-46ec-b2d0-31534103e49f", "type": "index-pattern" }, - { - "id": "metrics-*", - "name": "0cac5b29-e217-4b68-a61a-f389d9b8d7a1:d4b251d7-e04c-4315-9be9-3355828498e3", - "type": "index-pattern" - }, { "id": "metrics-*", "name": "995f4c8e-fa4d-42e7-86dd-d138d6d05e87:indexpattern-datasource-layer-3a9f49ef-6c38-429d-b1a5-7bf2c847d024", "type": "index-pattern" }, - { - "id": "metrics-*", - "name": "995f4c8e-fa4d-42e7-86dd-d138d6d05e87:6d23911e-0983-4909-9678-ed97013196fd", - "type": "index-pattern" - }, { "id": "metrics-*", "name": "a6045295-4b0c-4dec-b7b8-c0404187f002:indexpattern-datasource-layer-1df578c6-15e3-4c5f-b4f0-62f72f210db6", "type": "index-pattern" }, - { - "id": "metrics-*", - "name": "a6045295-4b0c-4dec-b7b8-c0404187f002:1215e1ff-5606-4484-bf2c-bf1a24d0ebf4", - "type": "index-pattern" - }, { "id": "metrics-*", "name": "e600f07c-44c8-4844-8788-d456d8303f66:indexpattern-datasource-layer-b200271a-40a4-4ef1-98ec-4f83b33b13e9", "type": "index-pattern" }, - { - "id": "metrics-*", - "name": "e600f07c-44c8-4844-8788-d456d8303f66:301014c4-00d1-4685-9cb8-20d370c691e6", - "type": "index-pattern" - }, { "id": "metrics-*", "name": "b8cef86e-7c91-4a83-ac83-994334404231:indexpattern-datasource-layer-b105d549-eb31-4b7a-b1cf-f813eea00af3", "type": "index-pattern" }, - { - "id": "metrics-*", - "name": "b8cef86e-7c91-4a83-ac83-994334404231:1797fb28-ed26-407f-9ba3-98e6d512b369", - "type": "index-pattern" - }, { "id": "metrics-*", "name": "cbbbaddb-c2c9-4406-9cd5-91aaac4d4f06:indexpattern-datasource-layer-96706e48-10cb-46c0-b758-9345d459333c", "type": "index-pattern" }, - { - "id": "metrics-*", - "name": "cbbbaddb-c2c9-4406-9cd5-91aaac4d4f06:3740462a-7cfc-4ec7-9a22-d8325b93fa03", - "type": "index-pattern" - }, { "id": "metrics-*", "name": "6c8fbd31-8d67-4d86-8583-48b35a473620:indexpattern-datasource-layer-603cdd40-46f5-4bc2-b610-ffd4a0a4e5ac", "type": "index-pattern" 
}, - { - "id": "metrics-*", - "name": "6c8fbd31-8d67-4d86-8583-48b35a473620:1c8c960a-c931-4f35-ba88-4f3c9bad5181", - "type": "index-pattern" - }, { "id": "metrics-*", "name": "b1d8d0cc-0873-4146-b7a9-6ed1c1f9b316:indexpattern-datasource-layer-893dad34-5b9e-4f2d-b470-29c258e5d43b", "type": "index-pattern" }, - { - "id": "metrics-*", - "name": "b1d8d0cc-0873-4146-b7a9-6ed1c1f9b316:a32f2a0c-fd9f-4545-a362-5ef0da423138", - "type": "index-pattern" - }, { "id": "metrics-*", "name": "116de2a1-c967-47e2-b801-dd1d74cee1ac:indexpattern-datasource-layer-7c7c85de-bf32-4b48-a08a-fc375855b8c9", "type": "index-pattern" }, - { - "id": "metrics-*", - "name": "116de2a1-c967-47e2-b801-dd1d74cee1ac:4304fcdd-8834-43bc-a2c3-1e2359b69e88", - "type": "index-pattern" - }, { "id": "metrics-*", "name": "e2295585-cc4f-402d-b6d8-ab54d8f300bb:indexpattern-datasource-layer-b75fdb41-7783-4e48-9255-ad65d660e8f3", "type": "index-pattern" }, - { - "id": "metrics-*", - "name": "e2295585-cc4f-402d-b6d8-ab54d8f300bb:b6f5adf6-7edc-4975-9274-f40614627d61", - "type": "index-pattern" - }, { "id": "metrics-*", "name": "32e9a9f0-5725-4b33-98e5-a29924847892:indexpattern-datasource-layer-95c5880e-0b20-4345-bb42-c62ec385e0ad", "type": "index-pattern" }, - { - "id": "metrics-*", - "name": "32e9a9f0-5725-4b33-98e5-a29924847892:1cf800da-1764-41e6-8bf3-e79d3b066a78", - "type": "index-pattern" - }, { "id": "metrics-*", "name": "91a1108a-b151-4b79-8f20-36f2be710cd5:indexpattern-datasource-layer-eaaed275-514c-4910-8303-f46e38f1e922", "type": "index-pattern" }, - { - "id": "metrics-*", - "name": "91a1108a-b151-4b79-8f20-36f2be710cd5:6f053a69-ca62-4cb0-89a1-a3652c434eae", - "type": "index-pattern" - }, { "id": "metrics-*", "name": "2b907dce-54fa-43ea-a865-cf4250cceae4:indexpattern-datasource-layer-1ba0ffbb-f8af-4686-82da-720228416a5c", "type": "index-pattern" }, - { - "id": "metrics-*", - "name": "2b907dce-54fa-43ea-a865-cf4250cceae4:4777a91a-3fee-44ee-8576-a9f92d31bbcc", - "type": "index-pattern" - }, { "id": 
"metrics-*", "name": "f5c4ffef-afcc-42b3-8e00-a88aecdf4d71:indexpattern-datasource-layer-a74b0b16-d3eb-40dc-aff1-182b82a3500b", "type": "index-pattern" }, - { - "id": "metrics-*", - "name": "f5c4ffef-afcc-42b3-8e00-a88aecdf4d71:ef797281-7cfd-4afd-96b2-0ffe1ba6d72f", - "type": "index-pattern" - }, { "id": "metrics-*", "name": "4e99fbdf-8533-41a1-aead-15c63c884f4f:indexpattern-datasource-layer-b0133202-9fd6-4886-af95-b9fbfc24f04d", "type": "index-pattern" }, - { - "id": "metrics-*", - "name": "4e99fbdf-8533-41a1-aead-15c63c884f4f:bea1c62b-4f2b-46f4-a6cc-4f8e44608515", - "type": "index-pattern" - }, { "id": "metrics-*", "name": "9bbec20f-016d-4176-a0d7-1447ed594245:indexpattern-datasource-layer-7954a98e-9375-45cb-99b1-cc278ab2f4f7", "type": "index-pattern" }, - { - "id": "metrics-*", - "name": "9bbec20f-016d-4176-a0d7-1447ed594245:f3ff6850-780d-4e21-a5f0-1ea72ebeefbd", - "type": "index-pattern" - }, { "id": "metrics-*", "name": "controlGroup_04f8802a-d7b4-4055-b906-60fe95facc9f:optionsListDataView", @@ -3519,5 +3019,6 @@ "type": "index-pattern" } ], - "type": "dashboard" + "type": "dashboard", + "typeMigrationVersion": "8.9.0" } \ No newline at end of file diff --git a/packages/cassandra/kibana/dashboard/cassandra-49e4e6e0-cc54-11ec-8c59-ed6efced90da.json b/packages/cassandra/kibana/dashboard/cassandra-49e4e6e0-cc54-11ec-8c59-ed6efced90da.json index adc4f5d05b9..91359db711e 100644 --- a/packages/cassandra/kibana/dashboard/cassandra-49e4e6e0-cc54-11ec-8c59-ed6efced90da.json +++ b/packages/cassandra/kibana/dashboard/cassandra-49e4e6e0-cc54-11ec-8c59-ed6efced90da.json 
@@ -7,10 +7,32 @@ "panelsJSON": "{\"d8f15f7c-0a06-47de-b9d1-7a5fc8e38ebe\":{\"order\":1,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"process.thread.name\",\"title\":\"Process Thread\",\"id\":\"d8f15f7c-0a06-47de-b9d1-7a5fc8e38ebe\",\"enhancements\":{}}},\"0db0b0e3-0b6a-4f91-8209-b6f54ece9975\":{\"order\":2,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"log.origin.file.name\",\"title\":\"Log File Name\",\"id\":\"0db0b0e3-0b6a-4f91-8209-b6f54ece9975\",\"enhancements\":{}}},\"6a41cd35-66c0-4d68-9403-d593ffe78487\":{\"order\":0,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"log.level\",\"title\":\"Log Level\",\"id\":\"6a41cd35-66c0-4d68-9403-d593ffe78487\",\"enhancements\":{}}}}" }, "description": "System Logs of Cassandra", - "hits": 0, "kibanaSavedObjectMeta": { "searchSourceJSON": { - "filter": [], + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "cassandra.log" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "cassandra.log" + } + } + } + ], "query": { "language": "kuery", "query": "" @@ -20,6 +42,8 @@ "optionsJSON": { "hidePanelTitles": false, "syncColors": false, + "syncCursor": true, + "syncTooltips": false, "useMargins": true }, "panelsJSON": [ @@ -58,8 +82,7 @@ }, "panelIndex": "18399b21-a004-4caa-9955-4adcc64985be", "title": "Dashboards [Cassandra]", - "type": "visualization", - "version": "8.3.0" + "type": "visualization" }, { "embeddableConfig": { 
@@ -69,16 +92,12 @@ "id": "logs-*", "name": "indexpattern-datasource-layer-9e4b4d41-a619-4535-8e75-b7cfcf0a6fcb", "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "32a63ece-b6ce-4bc9-a426-a7d45555c74d", - "type": "index-pattern" } ], "state": { + "adHocDataViews": {}, "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "9e4b4d41-a619-4535-8e75-b7cfcf0a6fcb": { "columnOrder": [ @@ -125,46 +144,27 @@ } } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "32a63ece-b6ce-4bc9-a426-a7d45555c74d", - "key": "event.dataset", - "negate": false, - "params": { - "query": "cassandra.log" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "cassandra.log" - } - } - } - ], + "filters": [], + "internalReferences": [], "query": { "language": "kuery", - "query": "event.dataset : \"cassandra.log\" " + "query": "" }, "visualization": { "layers": [ { "categoryDisplay": "default", - "groups": [ - "893f8cdc-dc44-4bce-87d3-39628147d643" - ], "layerId": "9e4b4d41-a619-4535-8e75-b7cfcf0a6fcb", "layerType": "data", "legendDisplay": "default", - "metric": "b8566557-cb17-42ff-9f2d-5fb6d2b3e8ab", + "metrics": [ + "b8566557-cb17-42ff-9f2d-5fb6d2b3e8ab" + ], "nestedLegend": false, - "numberDisplay": "percent" + "numberDisplay": "percent", + "primaryGroups": [ + "893f8cdc-dc44-4bce-87d3-39628147d643" + ] } ], "shape": "donut" 
@@ -186,52 +186,78 @@ }, "panelIndex": "c70b222f-e779-42ed-bb48-ed7531aa00c0", "title": "Log Severity [Logs Cassandra]", - "type": "lens", - "version": "8.3.0" + "type": "lens" }, { "embeddableConfig": { + "attributes": { + "columns": [ + "log.level", + "process.thread.name", + "log.origin.file.name", + "log.origin.file.line", + "message" + ], + "grid": {}, + "hideChart": false, + "isTextBasedQuery": false, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "timeRestore": false, + "usesAdHocDataView": false + }, "enhancements": {}, "hidePanelTitles": false }, "gridData": { "h": 17, - "i": "db26a54d-2a4c-492a-8533-7b0b55dfc0cc", + "i": "fe3c04b7-1e67-4df3-b00a-03cc435213dc", "w": 35, "x": 0, "y": 5 }, - "panelIndex": "db26a54d-2a4c-492a-8533-7b0b55dfc0cc", - "panelRefName": "panel_db26a54d-2a4c-492a-8533-7b0b55dfc0cc", + "panelIndex": "fe3c04b7-1e67-4df3-b00a-03cc435213dc", "title": "Cassandra Log Search [Logs Cassandra]", - "type": "search", - "version": "8.3.0" + "type": "search" } ], "timeRestore": false, "title": "[Logs Cassandra] System Logs", "version": 1 }, - "coreMigrationVersion": "8.3.0", + "coreMigrationVersion": "8.8.0", + "created_at": "2024-04-13T09:45:09.314Z", "id": "cassandra-49e4e6e0-cc54-11ec-8c59-ed6efced90da", - "migrationVersion": { - "dashboard": "8.3.0" - }, + "managed": false, "references": [ { "id": "logs-*", - "name": "c70b222f-e779-42ed-bb48-ed7531aa00c0:indexpattern-datasource-layer-9e4b4d41-a619-4535-8e75-b7cfcf0a6fcb", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern" }, { "id": "logs-*", - "name": 
"c70b222f-e779-42ed-bb48-ed7531aa00c0:32a63ece-b6ce-4bc9-a426-a7d45555c74d", + "name": "c70b222f-e779-42ed-bb48-ed7531aa00c0:indexpattern-datasource-layer-9e4b4d41-a619-4535-8e75-b7cfcf0a6fcb", "type": "index-pattern" }, { - "id": "cassandra-a7a48e10-1f8a-11ec-ba68-fbf426daf104", - "name": "db26a54d-2a4c-492a-8533-7b0b55dfc0cc:panel_db26a54d-2a4c-492a-8533-7b0b55dfc0cc", - "type": "search" + "id": "logs-*", + "name": "fe3c04b7-1e67-4df3-b00a-03cc435213dc:kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" }, { "id": "logs-*", @@ -249,5 +275,6 @@ "type": "index-pattern" } ], - "type": "dashboard" + "type": "dashboard", + "typeMigrationVersion": "8.9.0" } \ No newline at end of file diff --git a/packages/cassandra/kibana/search/cassandra-a7a48e10-1f8a-11ec-ba68-fbf426daf104.json b/packages/cassandra/kibana/search/cassandra-a7a48e10-1f8a-11ec-ba68-fbf426daf104.json deleted file mode 100644 index 2dc8ce0cb73..00000000000 --- a/packages/cassandra/kibana/search/cassandra-a7a48e10-1f8a-11ec-ba68-fbf426daf104.json +++ /dev/null @@ -1,44 +0,0 @@ -{ - "attributes": { - "columns": [ - "log.level", - "process.thread.name", - "log.origin.file.name", - "log.origin.file.line", - "message" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [], - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", - "query": { - "language": "kuery", - "query": "event.dataset : \"cassandra.log\" " - } - } - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Logs Cassandra] Cassandra Log Search", - "version": 1 - }, - "coreMigrationVersion": "8.3.0", - "id": "cassandra-a7a48e10-1f8a-11ec-ba68-fbf426daf104", - "migrationVersion": { - "search": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file 
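Review bot: The by-value Discover panel added in this hunk embeds a `searchSourceJSON` with an empty `query` and `filter`, whereas the library saved search it replaces (deleted below) carried `event.dataset : \"cassandra.log\"`, so the log table is scoped only by the dashboard-level `data_stream.dataset` filter and shows all of `logs-*` once that pill is disabled or the panel is unlinked. Deleting `cassandra-a7a48e10-1f8a-11ec-ba68-fbf426daf104` also removes a saved object that users may have bookmarked or referenced from their own dashboards; those references will dangle after a package upgrade, which deserves a line in the cassandra changelog if the entry does not already say so. The panel object begins before this hunk.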
diff --git a/packages/cassandra/manifest.yml b/packages/cassandra/manifest.yml index 9137ce67c78..cc1728f49bc 100644 --- a/packages/cassandra/manifest.yml +++ b/packages/cassandra/manifest.yml @@ -1,7 +1,7 @@ format_version: "3.0.2" name: cassandra title: Cassandra -version: "1.12.2" +version: "1.13.0" description: This Elastic integration collects logs and metrics from cassandra. type: integration categories: diff --git a/packages/cassandra/validation.yml b/packages/cassandra/validation.yml deleted file mode 100644 index efdb1de132d..00000000000 --- a/packages/cassandra/validation.yml +++ /dev/null @@ -1,4 +0,0 @@ -errors: - exclude_checks: - - SVR00004 - - SVR00002 diff --git a/packages/ceph/changelog.yml b/packages/ceph/changelog.yml index c827cf3beee..c72137fbcd3 100644 --- a/packages/ceph/changelog.yml +++ b/packages/ceph/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.5.0" + changes: + - description: Add global filter on data_stream.dataset to improve performance. + type: enhancement + link: https://github.com/elastic/integrations/pull/9768 - version: "1.4.1" changes: - description: Update README with reindexing steps. diff --git a/packages/ceph/kibana/dashboard/ceph-b2083fa0-9e0a-11ed-9f4a-79c03177b9dc.json b/packages/ceph/kibana/dashboard/ceph-b2083fa0-9e0a-11ed-9f4a-79c03177b9dc.json index f8a3958344c..50385d03435 100644 --- a/packages/ceph/kibana/dashboard/ceph-b2083fa0-9e0a-11ed-9f4a-79c03177b9dc.json +++ b/packages/ceph/kibana/dashboard/ceph-b2083fa0-9e0a-11ed-9f4a-79c03177b9dc.json 
@@ -7,10 +7,69 @@ "panelsJSON": "{\"9ff3bff4-96d2-453a-8192-ac753974e843\":{\"order\":0,\"width\":\"medium\",\"grow\":false,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"service.address\",\"title\":\"Hostname\",\"id\":\"9ff3bff4-96d2-453a-8192-ac753974e843\",\"enhancements\":{},\"selectedOptions\":[]}}}" }, "description": "This Ceph dashboard visualizes all the data stream metrics.", - "hits": 0, "kibanaSavedObjectMeta": { "searchSourceJSON": { - "filter": [], + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "data_stream.dataset", + "negate": false, + "params": [ + "ceph.cluster_status", + "ceph.cluster_disk", + "ceph.osd_performance", + "ceph.osd_pool_stats", + "ceph.osd_tree", + "ceph.pool_disk" + ], + "type": "phrases" + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "data_stream.dataset": "ceph.cluster_status" + } + }, + { + "match_phrase": { + "data_stream.dataset": "ceph.cluster_disk" + } + }, + { + "match_phrase": { + "data_stream.dataset": "ceph.osd_performance" + } + }, + { + "match_phrase": { + "data_stream.dataset": "ceph.osd_pool_stats" + } + }, + { + "match_phrase": { + "data_stream.dataset": "ceph.osd_tree" + } + }, + { + "match_phrase": { + "data_stream.dataset": "ceph.pool_disk" + } + } + ] + } + } + } + ], "query": { "language": "kuery", "query": "" @@ -20,6 +79,7 @@ "optionsJSON": { "hidePanelTitles": false, "syncColors": false, + "syncCursor": true, "syncTooltips": false, "useMargins": true }, @@ -60,8 +120,7 @@ }, "panelIndex": "ed573b5d-2a4f-44ae-9493-5c2de903d829", "title": "Cluster-level metrics [Metrics Ceph]", - "type": "visualization", - "version": "8.5.1" + "type": "visualization" }, { "embeddableConfig": { 
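Review bot: Scoping of every panel now rests on the single dashboard-level `data_stream.dataset` filter added in this hunk, since the per-panel `event.dataset` filters are removed elsewhere in this file, and that filter sits in `appState` where a viewer can disable or delete it with one click. Because the panels aggregate `ceph.*` fields this presumably degrades performance rather than correctness (the query then spans all of `logs-*`), but it is worth saying so in the saved object, e.g. `"description": "This Ceph dashboard visualizes all the data stream metrics. Panels rely on the dashboard-level data_stream.dataset filter; keep it enabled."`. Note also that the `phrases` list enumerates the six ceph datasets explicitly, so any data stream added to the package later must be appended here or it is silently excluded.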
@@ -71,17 +130,12 @@ "id": "logs-*", "name": "indexpattern-datasource-layer-0c1dd662-93b6-4a1c-8041-f9e3f59cee7d", "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "2adc7f0d-55e4-4fdb-b1d5-63c7f458f6f6", - "type": "index-pattern" } ], "state": { "adHocDataViews": {}, "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "0c1dd662-93b6-4a1c-8041-f9e3f59cee7d": { "columnOrder": [ @@ -110,29 +164,7 @@ } } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "2adc7f0d-55e4-4fdb-b1d5-63c7f458f6f6", - "key": "event.dataset", - "negate": false, - "params": { - "query": "ceph.cluster_status" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "ceph.cluster_status" - } - } - } - ], + "filters": [], "internalReferences": [], "query": { "language": "kuery", @@ -163,8 +195,7 @@ }, "panelIndex": "3fa88d2c-fdc3-46b2-9c15-69a030c467cf", "title": "Health of the cluster", - "type": "lens", - "version": "8.5.1" + "type": "lens" }, { "embeddableConfig": { @@ -174,17 +205,12 @@ "id": "logs-*", "name": "indexpattern-datasource-layer-39cd9741-379b-45c6-9ad4-aa1146d6195b", "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "747f5ab3-c458-4922-9d2b-6b92ae105ea1", - "type": "index-pattern" } ], "state": { "adHocDataViews": {}, "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "39cd9741-379b-45c6-9ad4-aa1146d6195b": { "columnOrder": [ @@ -213,29 +239,7 @@ } } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "747f5ab3-c458-4922-9d2b-6b92ae105ea1", - "key": "event.dataset", - "negate": false, - "params": { - "query": "ceph.cluster_status" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "ceph.cluster_status" - } - } - } - ], + "filters": [], "internalReferences": [], "query": { "language": "kuery", 
@@ -266,8 +270,7 @@ }, "panelIndex": "9e5085c1-7dd3-40f4-bb0b-a505b6e99dac", "title": "Number of Monitors [Metrics Ceph]", - "type": "lens", - "version": "8.5.1" + "type": "lens" }, { "embeddableConfig": { @@ -277,17 +280,12 @@ "id": "logs-*", "name": "indexpattern-datasource-layer-14ad3fcd-4116-4a71-ac98-a4009d31829e", "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "13ec85bc-d085-4a14-a146-4526cd52b4c4", - "type": "index-pattern" } ], "state": { "adHocDataViews": {}, "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "14ad3fcd-4116-4a71-ac98-a4009d31829e": { "columnOrder": [ @@ -316,29 +314,7 @@ } } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "13ec85bc-d085-4a14-a146-4526cd52b4c4", - "key": "event.dataset", - "negate": false, - "params": { - "query": "ceph.cluster_status" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "ceph.cluster_status" - } - } - } - ], + "filters": [], "internalReferences": [], "query": { "language": "kuery", @@ -369,8 +345,7 @@ }, "panelIndex": "dd4f065b-1239-4bee-a444-fa034fd09c07", "title": "Number of OSDs [Metrics Ceph]", - "type": "lens", - "version": "8.5.1" + "type": "lens" }, { "embeddableConfig": { @@ -380,17 +355,12 @@ "id": "logs-*", "name": "indexpattern-datasource-layer-7f5dc570-2047-4509-997c-80104e5fcd20", "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "3bae23a5-d5a5-4d5f-9a69-4b22a6a2b152", - "type": "index-pattern" } ], "state": { "adHocDataViews": {}, "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "7f5dc570-2047-4509-997c-80104e5fcd20": { "columnOrder": [ 
@@ -419,29 +389,7 @@ } } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "3bae23a5-d5a5-4d5f-9a69-4b22a6a2b152", - "key": "event.dataset", - "negate": false, - "params": { - "query": "ceph.cluster_status" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "ceph.cluster_status" - } - } - } - ], + "filters": [], "internalReferences": [], "query": { "language": "kuery", @@ -473,8 +421,7 @@ }, "panelIndex": "17f2bfff-26f9-44dc-bbf3-4724c27f0598", "title": "Pools [Metrics Ceph]", - "type": "lens", - "version": "8.5.1" + "type": "lens" }, { "embeddableConfig": { @@ -484,17 +431,12 @@ "id": "logs-*", "name": "indexpattern-datasource-layer-9673e58b-442c-43a3-a802-4c81c9b13203", "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "f5c3f88b-c1fc-428f-b53f-2751c4ded085", - "type": "index-pattern" } ], "state": { "adHocDataViews": {}, "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "9673e58b-442c-43a3-a802-4c81c9b13203": { "columnOrder": [ @@ -523,29 +465,7 @@ } } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "f5c3f88b-c1fc-428f-b53f-2751c4ded085", - "key": "event.dataset", - "negate": false, - "params": { - "query": "ceph.cluster_status" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "ceph.cluster_status" - } - } - } - ], + "filters": [], "internalReferences": [], "query": { "language": "kuery", @@ -576,8 +496,7 @@ }, "panelIndex": "945b7168-0d17-41cc-a3aa-2f7cea559a8e", "title": "Number of Objects [Metrics Ceph]", - "type": "lens", - "version": "8.5.1" + "type": "lens" }, { "embeddableConfig": { 
@@ -587,17 +506,12 @@ "id": "logs-*", "name": "indexpattern-datasource-layer-e1599ce8-ac45-44c3-a163-12907d5c157e", "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "930f0862-d502-4462-afc0-b01eb4315b4e", - "type": "index-pattern" } ], "state": { "adHocDataViews": {}, "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "e1599ce8-ac45-44c3-a163-12907d5c157e": { "columnOrder": [ @@ -626,29 +540,7 @@ } } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "930f0862-d502-4462-afc0-b01eb4315b4e", - "key": "event.dataset", - "negate": false, - "params": { - "query": "ceph.cluster_status" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "ceph.cluster_status" - } - } - } - ], + "filters": [], "internalReferences": [], "query": { "language": "kuery", @@ -679,8 +571,7 @@ }, "panelIndex": "255d4995-42a7-4cc9-907a-db4029c33f13", "title": "Number of placement groups [Metrics Ceph]", - "type": "lens", - "version": "8.5.1" + "type": "lens" }, { "embeddableConfig": { @@ -690,17 +581,12 @@ "id": "logs-*", "name": "indexpattern-datasource-layer-788f4638-0fd7-4e3a-8f68-8c6ecbf528c7", "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "46f82ebb-c484-41bd-a833-e0ee4c004368", - "type": "index-pattern" } ], "state": { "adHocDataViews": {}, "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "788f4638-0fd7-4e3a-8f68-8c6ecbf528c7": { "columnOrder": [ @@ -729,29 +615,7 @@ } } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "46f82ebb-c484-41bd-a833-e0ee4c004368", - "key": "event.dataset", - "negate": false, - "params": { - "query": "ceph.cluster_status" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "ceph.cluster_status" - } - } - } - ], + "filters": [], "internalReferences": [], "query": { "language": "kuery", 
@@ -782,8 +646,7 @@ }, "panelIndex": "d7faa5d5-98e4-438a-ac7d-5329d488e877", "title": "Number of degraded placement groups [Metrics Ceph]", - "type": "lens", - "version": "8.5.1" + "type": "lens" }, { "embeddableConfig": { @@ -793,17 +656,12 @@ "id": "logs-*", "name": "indexpattern-datasource-layer-88c3cc28-f52a-4fae-a8f9-b2616f77e0de", "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "241733b1-834c-43b0-a22f-b263cc0c75f3", - "type": "index-pattern" } ], "state": { "adHocDataViews": {}, "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "88c3cc28-f52a-4fae-a8f9-b2616f77e0de": { "columnOrder": [ @@ -832,29 +690,7 @@ } } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "241733b1-834c-43b0-a22f-b263cc0c75f3", - "key": "event.dataset", - "negate": false, - "params": { - "query": "ceph.cluster_status" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "ceph.cluster_status" - } - } - } - ], + "filters": [], "internalReferences": [], "query": { "language": "kuery", @@ -885,8 +721,7 @@ }, "panelIndex": "a62097ef-8e8b-4224-b769-c466ea248ae7", "title": "Number of remapped placement groups [Ceph]", - "type": "lens", - "version": "8.5.1" + "type": "lens" }, { "embeddableConfig": { @@ -896,17 +731,12 @@ "id": "logs-*", "name": "indexpattern-datasource-layer-83ec5db0-556b-4ae3-a46c-3659dc3ce23f", "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "f3a1e010-9034-40ea-8499-493c97cbc61a", - "type": "index-pattern" } ], "state": { "adHocDataViews": {}, "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "83ec5db0-556b-4ae3-a46c-3659dc3ce23f": { "columnOrder": [ 
@@ -1001,29 +831,7 @@ } } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "f3a1e010-9034-40ea-8499-493c97cbc61a", - "key": "event.dataset", - "negate": false, - "params": { - "query": "ceph.cluster_disk" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "ceph.cluster_disk" - } - } - } - ], + "filters": [], "internalReferences": [], "query": { "language": "kuery", @@ -1078,8 +886,7 @@ }, "panelIndex": "c28207db-4e22-406d-8fca-a3cd17237845", "title": "Storage over time [Metrics Ceph]", - "type": "lens", - "version": "8.5.1" + "type": "lens" }, { "embeddableConfig": { @@ -1089,17 +896,12 @@ "id": "logs-*", "name": "indexpattern-datasource-layer-87350dfb-48ec-4ad3-a446-9f1f753cac20", "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "664fa1f9-9910-4272-b004-ca7da4e3a0df", - "type": "index-pattern" } ], "state": { "adHocDataViews": {}, "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "87350dfb-48ec-4ad3-a446-9f1f753cac20": { "columnOrder": [ @@ -1159,29 +961,7 @@ } } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "664fa1f9-9910-4272-b004-ca7da4e3a0df", - "key": "event.dataset", - "negate": false, - "params": { - "query": "ceph.osd_performance" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "ceph.osd_performance" - } - } - } - ], + "filters": [], "internalReferences": [], "query": { "language": "kuery", @@ -1254,8 +1034,7 @@ }, "panelIndex": "89e00b5e-52b6-4990-b032-b022d08f3506", "title": "OSD performance latency over time [Metrics Ceph]", - "type": "lens", - "version": "8.5.1" + "type": "lens" }, { "embeddableConfig": { 
@@ -1265,17 +1044,12 @@ "id": "logs-*", "name": "indexpattern-datasource-layer-b7475e80-d9a7-434e-b4c1-dfa09308d01e", "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "de657185-f5e3-43c0-aa74-df41e5b3b849", - "type": "index-pattern" } ], "state": { "adHocDataViews": {}, "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "b7475e80-d9a7-434e-b4c1-dfa09308d01e": { "columnOrder": [ @@ -1335,29 +1109,7 @@ } } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "de657185-f5e3-43c0-aa74-df41e5b3b849", - "key": "event.dataset", - "negate": false, - "params": { - "query": "ceph.cluster_status" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "ceph.cluster_status" - } - } - } - ], + "filters": [], "internalReferences": [], "query": { "language": "kuery", @@ -1409,8 +1161,7 @@ }, "panelIndex": "381809a6-7ca2-45ea-ac26-296b0cb9ed3f", "title": "Client operations over time [Metrics Ceph]", - "type": "lens", - "version": "8.5.1" + "type": "lens" }, { "embeddableConfig": { @@ -1420,17 +1171,12 @@ "id": "logs-*", "name": "indexpattern-datasource-layer-b7475e80-d9a7-434e-b4c1-dfa09308d01e", "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "14bb58aa-5be1-4c86-891a-32db9efc1d41", - "type": "index-pattern" } ], "state": { "adHocDataViews": {}, "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "b7475e80-d9a7-434e-b4c1-dfa09308d01e": { "columnOrder": [ @@ -1502,29 +1248,7 @@ } } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "14bb58aa-5be1-4c86-891a-32db9efc1d41", - "key": "event.dataset", - "negate": false, - "params": { - "query": "ceph.cluster_status" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "ceph.cluster_status" - } - } - } - ], + "filters": [], "internalReferences": [], "query": { "language": "kuery", 
@@ -1576,8 +1300,7 @@ }, "panelIndex": "232b3838-c0ca-4045-98f3-76fe1c8cfeed", "title": "Client throughput over time [Metrics Ceph]", - "type": "lens", - "version": "8.5.1" + "type": "lens" }, { "embeddableConfig": { @@ -1587,17 +1310,12 @@ "id": "logs-*", "name": "indexpattern-datasource-layer-e271504b-eee6-4202-87fa-047e94120fa8", "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "57e143fd-794f-4528-bc7c-c9e58637a145", - "type": "index-pattern" } ], "state": { "adHocDataViews": {}, "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "e271504b-eee6-4202-87fa-047e94120fa8": { "columnOrder": [ @@ -1645,29 +1363,7 @@ } } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "57e143fd-794f-4528-bc7c-c9e58637a145", - "key": "event.dataset", - "negate": false, - "params": { - "query": "ceph.osd_pool_stats" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "ceph.osd_pool_stats" - } - } - } - ], + "filters": [], "internalReferences": [], "query": { "language": "kuery", @@ -1712,8 +1408,7 @@ }, "panelIndex": "3e98c5a3-db21-4c6d-95e1-1dd169722cd3", "title": "Most active pools [Metrics Ceph]", - "type": "lens", - "version": "8.5.1" + "type": "lens" }, { "embeddableConfig": { @@ -1723,17 +1418,12 @@ "id": "logs-*", "name": "indexpattern-datasource-layer-b55267b3-aed9-43d0-ae3a-3410e62927eb", "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "a9beab5a-2995-444d-9a68-bfa70e40c869", - "type": "index-pattern" } ], "state": { "adHocDataViews": {}, "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "b55267b3-aed9-43d0-ae3a-3410e62927eb": { "columnOrder": [ 
@@ -1794,29 +1484,7 @@ } } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "a9beab5a-2995-444d-9a68-bfa70e40c869", - "key": "event.dataset", - "negate": false, - "params": { - "query": "ceph.pool_disk" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "ceph.pool_disk" - } - } - } - ], + "filters": [], "internalReferences": [], "query": { "language": "kuery", @@ -1845,6 +1513,8 @@ "valueLabels": "show" } }, + "title": "Most populated pools [Metrics Ceph]", + "type": "lens", "visualizationType": "lnsXY" }, "enhancements": {} @@ -1858,8 +1528,7 @@ }, "panelIndex": "1a25cbbf-6903-4803-a5b5-097b23bedf5e", "title": "Most populated pools [Metrics Ceph]", - "type": "lens", - "version": "8.5.1" + "type": "lens" }, { "embeddableConfig": { @@ -1896,8 +1565,7 @@ }, "panelIndex": "afcd9756-a369-4ed4-beb6-7d8eb2e7cda3", "title": "Pool-level metrics [Metrics Ceph]", - "type": "visualization", - "version": "8.5.1" + "type": "visualization" }, { "embeddableConfig": { @@ -1907,17 +1575,12 @@ "id": "logs-*", "name": "indexpattern-datasource-layer-f388f05d-f04a-44ca-b054-2ee98431a742", "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "fc9b5733-8bfb-4547-a63e-ac0fab8c2b96", - "type": "index-pattern" } ], "state": { "adHocDataViews": {}, "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "f388f05d-f04a-44ca-b054-2ee98431a742": { "columnOrder": [ @@ -1990,29 +1653,7 @@ } } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "fc9b5733-8bfb-4547-a63e-ac0fab8c2b96", - "key": "event.dataset", - "negate": false, - "params": { - "query": "ceph.pool_disk" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "ceph.pool_disk" - } - } - } - ], + "filters": [], "internalReferences": [], "query": { "language": "kuery", 
@@ -2042,6 +1683,8 @@ "valueLabels": "hide" } }, + "title": "Used storage over time [Metrics Ceph]", + "type": "lens", "visualizationType": "lnsXY" }, "enhancements": {} @@ -2055,8 +1698,7 @@ }, "panelIndex": "db6613ea-f2da-46e0-b462-d37c887766cf", "title": "Used storage over time [Metrics Ceph]", - "type": "lens", - "version": "8.5.1" + "type": "lens" }, { "embeddableConfig": { @@ -2066,17 +1708,12 @@ "id": "logs-*", "name": "indexpattern-datasource-layer-86e6ce22-894e-46f2-bc10-3e2592afed43", "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "6b54ae5e-c766-4a34-915e-992915a5df66", - "type": "index-pattern" } ], "state": { "adHocDataViews": {}, "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "86e6ce22-894e-46f2-bc10-3e2592afed43": { "columnOrder": [ @@ -2115,46 +1752,24 @@ }, "8e91bf40-dc0e-4e1d-a85a-5e5e4335b23c": { "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "dropPartials": false, - "includeEmptyRows": true, - "interval": "auto" - }, - "scale": "interval", - "sourceField": "@timestamp" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "6b54ae5e-c766-4a34-915e-992915a5df66", - "key": "event.dataset", - "negate": false, - "params": { - "query": "ceph.osd_pool_stats" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "ceph.osd_pool_stats" + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + } + }, + "incompleteColumns": {} } } } - ], + }, + "filters": [], "internalReferences": [], "query": { "language": "kuery", 
@@ -2206,8 +1821,7 @@ }, "panelIndex": "02355a13-c6bd-49cd-b969-aa8a670e1ead", "title": "Client I/O rates over time [Metrics Ceph]", - "type": "lens", - "version": "8.5.1" + "type": "lens" }, { "embeddableConfig": { @@ -2217,17 +1831,12 @@ "id": "logs-*", "name": "indexpattern-datasource-layer-67a8825e-b9f7-4e72-acff-c7270c47c6dc", "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "89058b85-9f8a-4a21-a134-ca786a5efa90", - "type": "index-pattern" } ], "state": { "adHocDataViews": {}, "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "67a8825e-b9f7-4e72-acff-c7270c47c6dc": { "columnOrder": [ @@ -2299,29 +1908,7 @@ } } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "89058b85-9f8a-4a21-a134-ca786a5efa90", - "key": "event.dataset", - "negate": false, - "params": { - "query": "ceph.osd_pool_stats" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "ceph.osd_pool_stats" - } - } - } - ], + "filters": [], "internalReferences": [], "query": { "language": "kuery", @@ -2399,8 +1986,7 @@ }, "panelIndex": "4f300c9d-1c45-4ea0-94c0-cbf0f666e5f9", "title": "Client I/O memory utilization over time [Metrics Ceph]", - "type": "lens", - "version": "8.5.1" + "type": "lens" }, { "embeddableConfig": { @@ -2410,17 +1996,12 @@ "id": "logs-*", "name": "indexpattern-datasource-layer-60de3c1f-4622-4886-bd71-e3954d52a18c", "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "f32c5afe-3969-4830-b6d8-fa929e71c796", - "type": "index-pattern" } ], "state": { "adHocDataViews": {}, "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "60de3c1f-4622-4886-bd71-e3954d52a18c": { "columnOrder": [ 
@@ -2558,29 +2139,7 @@ } } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "f32c5afe-3969-4830-b6d8-fa929e71c796", - "key": "event.dataset", - "negate": false, - "params": { - "query": "ceph.pool_disk" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "ceph.pool_disk" - } - } - } - ], + "filters": [], "internalReferences": [], "query": { "language": "kuery", @@ -2644,8 +2203,7 @@ }, "panelIndex": "64e666fb-d682-4a93-80f4-036a02a6f8b9", "title": "Pool disk usage [Metrics Ceph]", - "type": "lens", - "version": "8.5.1" + "type": "lens" }, { "embeddableConfig": { @@ -2655,17 +2213,12 @@ "id": "logs-*", "name": "indexpattern-datasource-layer-28706d94-e982-41ef-8f5f-3d0fa353dc21", "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "ae021268-4828-452a-85a4-db458fb80ede", - "type": "index-pattern" } ], "state": { "adHocDataViews": {}, "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "28706d94-e982-41ef-8f5f-3d0fa353dc21": { "columnOrder": [ @@ -2797,29 +2350,7 @@ } } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "ae021268-4828-452a-85a4-db458fb80ede", - "key": "event.dataset", - "negate": false, - "params": { - "query": "ceph.osd_pool_stats" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "ceph.osd_pool_stats" - } - } - } - ], + "filters": [], "internalReferences": [], "query": { "language": "kuery", @@ -2885,8 +2416,7 @@ }, "panelIndex": "7d8b7cae-db9a-4c82-82e4-cc3b50351788", "title": "Client I/O rates [Metrics Ceph]", - "type": "lens", - "version": "8.5.1" + "type": "lens" }, { "embeddableConfig": { @@ -2923,8 +2453,7 @@ }, "panelIndex": "e630f855-03a8-42bb-a5c4-0b0abd319757", "title": "OSD status [Metrics Ceph]", - "type": "visualization", - "version": "8.5.1" + "type": "visualization" }, { "embeddableConfig": { 
@@ -2934,17 +2463,12 @@ "id": "logs-*", "name": "indexpattern-datasource-layer-1cd5003e-4bf0-4603-a14a-6505adc662d9", "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "6b51eb9c-1965-4ddb-9bb5-61d6efd864ea", - "type": "index-pattern" } ], "state": { "adHocDataViews": {}, "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "1cd5003e-4bf0-4603-a14a-6505adc662d9": { "columnOrder": [ @@ -2973,29 +2497,7 @@ } } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "6b51eb9c-1965-4ddb-9bb5-61d6efd864ea", - "key": "event.dataset", - "negate": false, - "params": { - "query": "ceph.cluster_status" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "ceph.cluster_status" - } - } - } - ], + "filters": [], "internalReferences": [], "query": { "language": "kuery", @@ -3026,8 +2528,7 @@ }, "panelIndex": "bc96d7dc-651a-4c8e-9336-d3456794a963", "title": "Number of UP state OSDs [Metrics Ceph]", - "type": "lens", - "version": "8.5.1" + "type": "lens" }, { "embeddableConfig": { @@ -3040,19 +2541,14 @@ }, { "id": "logs-*", - "name": "acd0ac93-7c3c-4fc1-b3fd-0b7d9c0c43db", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "e1ee168a-3231-47dd-8e32-5e0c3d811a7c", + "name": "67e00cdd-f10d-43ee-a7d8-ca8f7ffa3c23", "type": "index-pattern" } ], "state": { "adHocDataViews": {}, "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "d127f1fa-f94b-412b-b85e-fcba9ac1ebb3": { "columnOrder": [ @@ -3148,7 +2644,7 @@ "alias": null, "disabled": false, "field": "ceph.osd_tree.node_osd_id", - "index": "acd0ac93-7c3c-4fc1-b3fd-0b7d9c0c43db", + "index": "67e00cdd-f10d-43ee-a7d8-ca8f7ffa3c23", "key": "ceph.osd_tree.node_osd_id", "negate": false, "params": { 
@@ -3169,27 +2665,6 @@ } } } - }, - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "e1ee168a-3231-47dd-8e32-5e0c3d811a7c", - "key": "event.dataset", - "negate": false, - "params": { - "query": "ceph.osd_tree" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "ceph.osd_tree" - } - } } ], "internalReferences": [], @@ -3247,8 +2722,7 @@ }, "panelIndex": "a3653db8-b0e6-479c-b811-9f994144dbbe", "title": "Bucket node tree overview [Metrics Ceph]", - "type": "lens", - "version": "8.5.1" + "type": "lens" }, { "embeddableConfig": { @@ -3258,17 +2732,12 @@ "id": "logs-*", "name": "indexpattern-datasource-layer-9105c68d-1d97-4d7c-b5f0-698af914aa77", "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "3d3bd346-9bb7-4578-8771-42308959fda3", - "type": "index-pattern" } ], "state": { "adHocDataViews": {}, "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "9105c68d-1d97-4d7c-b5f0-698af914aa77": { "columnOrder": [ @@ -3297,29 +2766,7 @@ } } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "3d3bd346-9bb7-4578-8771-42308959fda3", - "key": "event.dataset", - "negate": false, - "params": { - "query": "ceph.cluster_status" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "ceph.cluster_status" - } - } - } - ], + "filters": [], "internalReferences": [], "query": { "language": "kuery", @@ -3350,8 +2797,7 @@ }, "panelIndex": "ee76d490-0087-44d0-bc47-b150f00d0e8c", "title": "Number of IN state OSDs [Metrics Ceph]", - "type": "lens", - "version": "8.5.1" + "type": "lens" }, { "embeddableConfig": { 
@@ -3364,19 +2810,14 @@ }, { "id": "logs-*", - "name": "1e723e4b-2c40-4f7c-ba97-ff4c6df19729", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "e69e0764-8dcf-459c-be31-c25888b8fbcd", + "name": "1c01665f-fd72-424e-b7d7-b8ca187ed0c2", "type": "index-pattern" } ], "state": { "adHocDataViews": {}, "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "9e9ef9e0-d38d-42a6-9c84-ad3425e83c3e": { "columnOrder": [ @@ -3531,27 +2972,6 @@ } }, "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "1e723e4b-2c40-4f7c-ba97-ff4c6df19729", - "key": "event.dataset", - "negate": false, - "params": { - "query": "ceph.osd_tree" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "ceph.osd_tree" - } - } - }, { "$state": { "store": "appState" @@ -3560,7 +2980,7 @@ "alias": null, "disabled": false, "field": "ceph.osd_tree.node_osd_id", - "index": "e69e0764-8dcf-459c-be31-c25888b8fbcd", + "index": "1c01665f-fd72-424e-b7d7-b8ca187ed0c2", "key": "ceph.osd_tree.node_osd_id", "negate": false, "params": { 
@@ -3659,28 +3079,26 @@ }, "panelIndex": "941a025d-9bd2-4f62-9881-97277f1d89bb", "title": "OSD tree overview [Metrics Ceph]", - "type": "lens", - "version": "8.5.1" + "type": "lens" } ], "timeRestore": false, "title": "[Metrics Ceph] Overview", "version": 1 }, - "coreMigrationVersion": "8.5.1", + "coreMigrationVersion": "8.8.0", + "created_at": "2024-04-13T09:55:34.900Z", "id": "ceph-b2083fa0-9e0a-11ed-9f4a-79c03177b9dc", - "migrationVersion": { - "dashboard": "8.5.0" - }, + "managed": false, "references": [ { "id": "logs-*", - "name": "3fa88d2c-fdc3-46b2-9c15-69a030c467cf:indexpattern-datasource-layer-0c1dd662-93b6-4a1c-8041-f9e3f59cee7d", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern" }, { "id": "logs-*", - "name": "3fa88d2c-fdc3-46b2-9c15-69a030c467cf:2adc7f0d-55e4-4fdb-b1d5-63c7f458f6f6", + "name": "3fa88d2c-fdc3-46b2-9c15-69a030c467cf:indexpattern-datasource-layer-0c1dd662-93b6-4a1c-8041-f9e3f59cee7d", "type": "index-pattern" }, { 
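Review bot: The `"created_at": "2024-04-13T09:55:34.900Z"` line added next to `coreMigrationVersion` is a timestamp from the Kibana instance the dashboard was exported from rather than a property of the package asset, and it will churn on every re-export; the same goes for `"managed": false`. Unless the package tooling requires these fields, I would drop the `created_at` line and keep only `"coreMigrationVersion": "8.8.0",` and the `typeMigrationVersion` bump. Whether the export step normally strips this field is not visible here, so confirm against the other dashboards touched in this PR before removing it.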
@@ -3688,191 +3106,96 @@ "name": "9e5085c1-7dd3-40f4-bb0b-a505b6e99dac:indexpattern-datasource-layer-39cd9741-379b-45c6-9ad4-aa1146d6195b", "type": "index-pattern" }, - { - "id": "logs-*", - "name": "9e5085c1-7dd3-40f4-bb0b-a505b6e99dac:747f5ab3-c458-4922-9d2b-6b92ae105ea1", - "type": "index-pattern" - }, { "id": "logs-*", "name": "dd4f065b-1239-4bee-a444-fa034fd09c07:indexpattern-datasource-layer-14ad3fcd-4116-4a71-ac98-a4009d31829e", "type": "index-pattern" }, - { - "id": "logs-*", - "name": "dd4f065b-1239-4bee-a444-fa034fd09c07:13ec85bc-d085-4a14-a146-4526cd52b4c4", - "type": "index-pattern" - }, { "id": "logs-*", "name": "17f2bfff-26f9-44dc-bbf3-4724c27f0598:indexpattern-datasource-layer-7f5dc570-2047-4509-997c-80104e5fcd20", "type": "index-pattern" }, - { - "id": "logs-*", - "name": "17f2bfff-26f9-44dc-bbf3-4724c27f0598:3bae23a5-d5a5-4d5f-9a69-4b22a6a2b152", - "type": "index-pattern" - }, { "id": "logs-*", "name": "945b7168-0d17-41cc-a3aa-2f7cea559a8e:indexpattern-datasource-layer-9673e58b-442c-43a3-a802-4c81c9b13203", "type": "index-pattern" }, - { - "id": "logs-*", - "name": "945b7168-0d17-41cc-a3aa-2f7cea559a8e:f5c3f88b-c1fc-428f-b53f-2751c4ded085", - "type": "index-pattern" - }, { "id": "logs-*", "name": "255d4995-42a7-4cc9-907a-db4029c33f13:indexpattern-datasource-layer-e1599ce8-ac45-44c3-a163-12907d5c157e", "type": "index-pattern" }, - { - "id": "logs-*", - "name": "255d4995-42a7-4cc9-907a-db4029c33f13:930f0862-d502-4462-afc0-b01eb4315b4e", - "type": "index-pattern" - }, { "id": "logs-*", "name": "d7faa5d5-98e4-438a-ac7d-5329d488e877:indexpattern-datasource-layer-788f4638-0fd7-4e3a-8f68-8c6ecbf528c7", "type": "index-pattern" }, - { - "id": "logs-*", - "name": "d7faa5d5-98e4-438a-ac7d-5329d488e877:46f82ebb-c484-41bd-a833-e0ee4c004368", - "type": "index-pattern" - }, { "id": "logs-*", "name": "a62097ef-8e8b-4224-b769-c466ea248ae7:indexpattern-datasource-layer-88c3cc28-f52a-4fae-a8f9-b2616f77e0de", "type": "index-pattern" }, - { - "id": "logs-*", - "name": 
"a62097ef-8e8b-4224-b769-c466ea248ae7:241733b1-834c-43b0-a22f-b263cc0c75f3", - "type": "index-pattern" - }, { "id": "logs-*", "name": "c28207db-4e22-406d-8fca-a3cd17237845:indexpattern-datasource-layer-83ec5db0-556b-4ae3-a46c-3659dc3ce23f", "type": "index-pattern" }, - { - "id": "logs-*", - "name": "c28207db-4e22-406d-8fca-a3cd17237845:f3a1e010-9034-40ea-8499-493c97cbc61a", - "type": "index-pattern" - }, { "id": "logs-*", "name": "89e00b5e-52b6-4990-b032-b022d08f3506:indexpattern-datasource-layer-87350dfb-48ec-4ad3-a446-9f1f753cac20", "type": "index-pattern" }, - { - "id": "logs-*", - "name": "89e00b5e-52b6-4990-b032-b022d08f3506:664fa1f9-9910-4272-b004-ca7da4e3a0df", - "type": "index-pattern" - }, { "id": "logs-*", "name": "381809a6-7ca2-45ea-ac26-296b0cb9ed3f:indexpattern-datasource-layer-b7475e80-d9a7-434e-b4c1-dfa09308d01e", "type": "index-pattern" }, - { - "id": "logs-*", - "name": "381809a6-7ca2-45ea-ac26-296b0cb9ed3f:de657185-f5e3-43c0-aa74-df41e5b3b849", - "type": "index-pattern" - }, { "id": "logs-*", "name": "232b3838-c0ca-4045-98f3-76fe1c8cfeed:indexpattern-datasource-layer-b7475e80-d9a7-434e-b4c1-dfa09308d01e", "type": "index-pattern" }, - { - "id": "logs-*", - "name": "232b3838-c0ca-4045-98f3-76fe1c8cfeed:14bb58aa-5be1-4c86-891a-32db9efc1d41", - "type": "index-pattern" - }, { "id": "logs-*", "name": "3e98c5a3-db21-4c6d-95e1-1dd169722cd3:indexpattern-datasource-layer-e271504b-eee6-4202-87fa-047e94120fa8", "type": "index-pattern" }, - { - "id": "logs-*", - "name": "3e98c5a3-db21-4c6d-95e1-1dd169722cd3:57e143fd-794f-4528-bc7c-c9e58637a145", - "type": "index-pattern" - }, { "id": "logs-*", "name": "1a25cbbf-6903-4803-a5b5-097b23bedf5e:indexpattern-datasource-layer-b55267b3-aed9-43d0-ae3a-3410e62927eb", "type": "index-pattern" }, - { - "id": "logs-*", - "name": "1a25cbbf-6903-4803-a5b5-097b23bedf5e:a9beab5a-2995-444d-9a68-bfa70e40c869", - "type": "index-pattern" - }, { "id": "logs-*", "name": 
"db6613ea-f2da-46e0-b462-d37c887766cf:indexpattern-datasource-layer-f388f05d-f04a-44ca-b054-2ee98431a742", "type": "index-pattern" }, - { - "id": "logs-*", - "name": "db6613ea-f2da-46e0-b462-d37c887766cf:fc9b5733-8bfb-4547-a63e-ac0fab8c2b96", - "type": "index-pattern" - }, { "id": "logs-*", "name": "02355a13-c6bd-49cd-b969-aa8a670e1ead:indexpattern-datasource-layer-86e6ce22-894e-46f2-bc10-3e2592afed43", "type": "index-pattern" }, - { - "id": "logs-*", - "name": "02355a13-c6bd-49cd-b969-aa8a670e1ead:6b54ae5e-c766-4a34-915e-992915a5df66", - "type": "index-pattern" - }, { "id": "logs-*", "name": "4f300c9d-1c45-4ea0-94c0-cbf0f666e5f9:indexpattern-datasource-layer-67a8825e-b9f7-4e72-acff-c7270c47c6dc", "type": "index-pattern" }, - { - "id": "logs-*", - "name": "4f300c9d-1c45-4ea0-94c0-cbf0f666e5f9:89058b85-9f8a-4a21-a134-ca786a5efa90", - "type": "index-pattern" - }, { "id": "logs-*", "name": "64e666fb-d682-4a93-80f4-036a02a6f8b9:indexpattern-datasource-layer-60de3c1f-4622-4886-bd71-e3954d52a18c", "type": "index-pattern" }, - { - "id": "logs-*", - "name": "64e666fb-d682-4a93-80f4-036a02a6f8b9:f32c5afe-3969-4830-b6d8-fa929e71c796", - "type": "index-pattern" - }, { "id": "logs-*", "name": "7d8b7cae-db9a-4c82-82e4-cc3b50351788:indexpattern-datasource-layer-28706d94-e982-41ef-8f5f-3d0fa353dc21", "type": "index-pattern" }, - { - "id": "logs-*", - "name": "7d8b7cae-db9a-4c82-82e4-cc3b50351788:ae021268-4828-452a-85a4-db458fb80ede", - "type": "index-pattern" - }, { "id": "logs-*", "name": "bc96d7dc-651a-4c8e-9336-d3456794a963:indexpattern-datasource-layer-1cd5003e-4bf0-4603-a14a-6505adc662d9", "type": "index-pattern" }, - { - "id": "logs-*", - "name": "bc96d7dc-651a-4c8e-9336-d3456794a963:6b51eb9c-1965-4ddb-9bb5-61d6efd864ea", - "type": "index-pattern" - }, { "id": "logs-*", "name": "a3653db8-b0e6-479c-b811-9f994144dbbe:indexpattern-datasource-layer-d127f1fa-f94b-412b-b85e-fcba9ac1ebb3", 
@@ -3880,12 +3203,7 @@
 },
 {
 "id": "logs-*",
- "name": "a3653db8-b0e6-479c-b811-9f994144dbbe:acd0ac93-7c3c-4fc1-b3fd-0b7d9c0c43db",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "a3653db8-b0e6-479c-b811-9f994144dbbe:e1ee168a-3231-47dd-8e32-5e0c3d811a7c",
+ "name": "a3653db8-b0e6-479c-b811-9f994144dbbe:67e00cdd-f10d-43ee-a7d8-ca8f7ffa3c23",
 "type": "index-pattern"
 },
 {
@@ -3893,11 +3211,6 @@
 "name": "ee76d490-0087-44d0-bc47-b150f00d0e8c:indexpattern-datasource-layer-9105c68d-1d97-4d7c-b5f0-698af914aa77",
 "type": "index-pattern"
 },
- {
- "id": "logs-*",
- "name": "ee76d490-0087-44d0-bc47-b150f00d0e8c:3d3bd346-9bb7-4578-8771-42308959fda3",
- "type": "index-pattern"
- },
 {
 "id": "logs-*",
 "name": "941a025d-9bd2-4f62-9881-97277f1d89bb:indexpattern-datasource-layer-9e9ef9e0-d38d-42a6-9c84-ad3425e83c3e",
@@ -3905,12 +3218,7 @@
 },
 {
 "id": "logs-*",
- "name": "941a025d-9bd2-4f62-9881-97277f1d89bb:1e723e4b-2c40-4f7c-ba97-ff4c6df19729",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "941a025d-9bd2-4f62-9881-97277f1d89bb:e69e0764-8dcf-459c-be31-c25888b8fbcd",
+ "name": "941a025d-9bd2-4f62-9881-97277f1d89bb:1c01665f-fd72-424e-b7d7-b8ca187ed0c2",
 "type": "index-pattern"
 },
 {
@@ -3919,5 +3227,6 @@
 "type": "index-pattern"
 }
 ],
- "type": "dashboard"
+ "type": "dashboard",
+ "typeMigrationVersion": "8.9.0"
 }
\ No newline at end of file
diff --git a/packages/ceph/manifest.yml b/packages/ceph/manifest.yml
index 81110b47cac..1df638aaa67 100644
--- a/packages/ceph/manifest.yml
+++ b/packages/ceph/manifest.yml
@@ -1,7 +1,7 @@
 format_version: "3.0.2"
 name: ceph
 title: Ceph
-version: "1.4.1"
+version: "1.5.0"
 description: This Elastic integration collects metrics from Ceph instance.
 type: integration
 categories:
diff --git a/packages/ceph/validation.yml b/packages/ceph/validation.yml
deleted file mode 100644
index bcc8f74ac3a..00000000000
--- a/packages/ceph/validation.yml
+++ /dev/null
@@ -1,3 +0,0 @@
-errors:
- exclude_checks:
- - SVR00002
diff --git a/packages/citrix_adc/changelog.yml b/packages/citrix_adc/changelog.yml
index 27e8c940347..330695ea49d 100644
--- a/packages/citrix_adc/changelog.yml
+++ b/packages/citrix_adc/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.6.0"
+ changes:
+ - description: Add global filter on data_stream.dataset to improve performance.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/9768
 - version: "1.5.1"
 changes:
 - description: Update description with log collection.
diff --git a/packages/citrix_adc/kibana/dashboard/citrix_adc-2b30a8f0-4fa9-11ed-8fa7-7bab33159b99.json b/packages/citrix_adc/kibana/dashboard/citrix_adc-2b30a8f0-4fa9-11ed-8fa7-7bab33159b99.json
index a5e01b17a40..326f40711dc 100644
--- a/packages/citrix_adc/kibana/dashboard/citrix_adc-2b30a8f0-4fa9-11ed-8fa7-7bab33159b99.json
+++ b/packages/citrix_adc/kibana/dashboard/citrix_adc-2b30a8f0-4fa9-11ed-8fa7-7bab33159b99.json
@@ -1,10 +1,32 @@
 {
 "attributes": {
 "description": "This Citrix ADC dashboard visualizes Load Balancing Virtual Server metrics.",
- "hits": 0,
 "kibanaSavedObjectMeta": {
 "searchSourceJSON": {
- "filter": [],
+ "filter": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "data_stream.dataset",
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "key": "data_stream.dataset",
+ "negate": false,
+ "params": {
+ "query": "citrix_adc.lbvserver"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "data_stream.dataset": "citrix_adc.lbvserver"
+ }
+ }
+ }
+ ],
 "query": {
 "language": "kuery",
 "query": ""
@@ -14,6 +36,7 @@
 "optionsJSON": {
 "hidePanelTitles": false,
 "syncColors": false,
+ "syncCursor": true,
 "syncTooltips": false,
 "useMargins": true
 },
@@ -26,16 +49,12 @@ "id": "logs-*", "name": "indexpattern-datasource-layer-8a7f37c1-312f-4aeb-90cd-bece74fd1af2", "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "3e48063b-2914-422f-963c-7dfd0b6b7eff", - "type": "index-pattern" } ], "state": { + "adHocDataViews": {}, "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "8a7f37c1-312f-4aeb-90cd-bece74fd1af2": { "columnOrder": [ @@ -101,29 +120,8 @@ } } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "3e48063b-2914-422f-963c-7dfd0b6b7eff", - "key": "event.dataset", - "negate": false, - "params": { - "query": "citrix_adc.lbvserver" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "citrix_adc.lbvserver" - } - } - } - ], + "filters": [], + "internalReferences": [], "query": { "language": "kuery", "query": "" @@ -188,8 +186,7 @@ }, "panelIndex": "6963ede6-4a7a-4d62-9439-f6bdabefea49", "title": "Packets sent over time [Metrics Citrix ADC]", - "type": "lens", - "version": "8.4.1" + "type": "lens" }, { "embeddableConfig": { @@ -199,16 +196,12 @@ "id": "logs-*", "name": "indexpattern-datasource-layer-5a544beb-a6ae-4c14-9427-955caee52bf9", "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "1a3ede12-c809-46ab-a99c-95731d032b96", - "type": "index-pattern" } ], "state": { + "adHocDataViews": {}, "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "5a544beb-a6ae-4c14-9427-955caee52bf9": { "columnOrder": [ 
@@ -274,29 +267,8 @@ } } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "1a3ede12-c809-46ab-a99c-95731d032b96", - "key": "event.dataset", - "negate": false, - "params": { - "query": "citrix_adc.lbvserver" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "citrix_adc.lbvserver" - } - } - } - ], + "filters": [], + "internalReferences": [], "query": { "language": "kuery", "query": "" @@ -361,8 +333,7 @@ }, "panelIndex": "97546882-61a8-40a9-b8bd-473bfc1def87", "title": "Packets received over time [Metrics Citrix ADC]", - "type": "lens", - "version": "8.4.1" + "type": "lens" }, { "embeddableConfig": { @@ -372,16 +343,12 @@ "id": "logs-*", "name": "indexpattern-datasource-layer-1763a2d7-2bde-4a4c-8b91-3908be7ca25d", "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "4c49a4dc-50ec-44b6-98a0-c6ae5196fbdb", - "type": "index-pattern" } ], "state": { + "adHocDataViews": {}, "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "1763a2d7-2bde-4a4c-8b91-3908be7ca25d": { "columnOrder": [ @@ -447,29 +414,8 @@ } } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "4c49a4dc-50ec-44b6-98a0-c6ae5196fbdb", - "key": "event.dataset", - "negate": false, - "params": { - "query": "citrix_adc.lbvserver" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "citrix_adc.lbvserver" - } - } - } - ], + "filters": [], + "internalReferences": [], "query": { "language": "kuery", "query": "" @@ -514,8 +460,7 @@ }, "panelIndex": "21454c91-bf66-4747-bad9-68aa53a71720", "title": "Spillovers over time [Metrics Citrix ADC]", - "type": "lens", - "version": "8.4.1" + "type": "lens" }, { "embeddableConfig": { 
@@ -525,16 +470,12 @@ "id": "logs-*", "name": "indexpattern-datasource-layer-923b22b5-99bd-4a30-8ab4-0bbe86d9fe3e", "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "72df249a-03ce-455c-8cd5-3ce5d903659b", - "type": "index-pattern" } ], "state": { + "adHocDataViews": {}, "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "923b22b5-99bd-4a30-8ab4-0bbe86d9fe3e": { "columnOrder": [ @@ -600,29 +541,8 @@ } } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "72df249a-03ce-455c-8cd5-3ce5d903659b", - "key": "event.dataset", - "negate": false, - "params": { - "query": "citrix_adc.lbvserver" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "citrix_adc.lbvserver" - } - } - } - ], + "filters": [], + "internalReferences": [], "query": { "language": "kuery", "query": "" @@ -667,28 +587,26 @@ }, "panelIndex": "9bbb31bb-a788-4aa6-816e-c0c42e4ae35c", "title": "Current client connections over time [Metrics Citrix ADC]", - "type": "lens", - "version": "8.4.1" + "type": "lens" } ], "timeRestore": false, "title": "[Metrics Citrix ADC] Load Balancing Virtual Server", "version": 1 }, - "coreMigrationVersion": "8.4.1", + "coreMigrationVersion": "8.8.0", + "created_at": "2024-04-13T10:03:39.777Z", "id": "citrix_adc-2b30a8f0-4fa9-11ed-8fa7-7bab33159b99", - "migrationVersion": { - "dashboard": "8.4.0" - }, + "managed": false, "references": [ { "id": "logs-*", - "name": "6963ede6-4a7a-4d62-9439-f6bdabefea49:indexpattern-datasource-layer-8a7f37c1-312f-4aeb-90cd-bece74fd1af2", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern" }, { "id": "logs-*", - "name": "6963ede6-4a7a-4d62-9439-f6bdabefea49:3e48063b-2914-422f-963c-7dfd0b6b7eff", + "name": "6963ede6-4a7a-4d62-9439-f6bdabefea49:indexpattern-datasource-layer-8a7f37c1-312f-4aeb-90cd-bece74fd1af2", "type": "index-pattern" }, { 
@@ -696,31 +614,17 @@ "name": "97546882-61a8-40a9-b8bd-473bfc1def87:indexpattern-datasource-layer-5a544beb-a6ae-4c14-9427-955caee52bf9", "type": "index-pattern" }, - { - "id": "logs-*", - "name": "97546882-61a8-40a9-b8bd-473bfc1def87:1a3ede12-c809-46ab-a99c-95731d032b96", - "type": "index-pattern" - }, { "id": "logs-*", "name": "21454c91-bf66-4747-bad9-68aa53a71720:indexpattern-datasource-layer-1763a2d7-2bde-4a4c-8b91-3908be7ca25d", "type": "index-pattern" }, - { - "id": "logs-*", - "name": "21454c91-bf66-4747-bad9-68aa53a71720:4c49a4dc-50ec-44b6-98a0-c6ae5196fbdb", - "type": "index-pattern" - }, { "id": "logs-*", "name": "9bbb31bb-a788-4aa6-816e-c0c42e4ae35c:indexpattern-datasource-layer-923b22b5-99bd-4a30-8ab4-0bbe86d9fe3e", "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "9bbb31bb-a788-4aa6-816e-c0c42e4ae35c:72df249a-03ce-455c-8cd5-3ce5d903659b", - "type": "index-pattern" } ], - "type": "dashboard" + "type": "dashboard", + "typeMigrationVersion": "8.9.0" } \ No newline at end of file diff --git a/packages/citrix_adc/kibana/dashboard/citrix_adc-73ef1be0-485a-11ed-aee6-31b55c85e6df.json b/packages/citrix_adc/kibana/dashboard/citrix_adc-73ef1be0-485a-11ed-aee6-31b55c85e6df.json index d11490f4671..fe8b62e4833 100644 --- a/packages/citrix_adc/kibana/dashboard/citrix_adc-73ef1be0-485a-11ed-aee6-31b55c85e6df.json +++ b/packages/citrix_adc/kibana/dashboard/citrix_adc-73ef1be0-485a-11ed-aee6-31b55c85e6df.json 
@@ -1,10 +1,32 @@ { "attributes": { "description": "This Citrix ADC dashboard visualizes System metrics.", - "hits": 0, "kibanaSavedObjectMeta": { "searchSourceJSON": { - "filter": [], + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "citrix_adc.system" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "citrix_adc.system" + } + } + } + ], "query": { "language": "kuery", "query": "" @@ -14,6 +36,7 @@ "optionsJSON": { "hidePanelTitles": false, "syncColors": false, + "syncCursor": true, "syncTooltips": false, "useMargins": true }, @@ -26,16 +49,12 @@ "id": "logs-*", "name": "indexpattern-datasource-layer-eee36b23-5dec-4dc7-983e-0d4dca19edca", "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "679a4987-e531-4cb3-ae99-69fe0b79f914", - "type": "index-pattern" } ], "state": { + "adHocDataViews": {}, "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "eee36b23-5dec-4dc7-983e-0d4dca19edca": { "columnOrder": [ @@ -70,29 +89,8 @@ } } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "679a4987-e531-4cb3-ae99-69fe0b79f914", - "key": "event.dataset", - "negate": false, - "params": { - "query": "citrix_adc.system" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "citrix_adc.system" - } - } - } - ], + "filters": [], + "internalReferences": [], "query": { "language": "kuery", "query": "" @@ -107,7 +105,7 @@ }, "title": "", "type": "lens", - "visualizationType": "lnsMetric" + "visualizationType": "lnsLegacyMetric" }, "enhancements": {}, "hidePanelTitles": true 
@@ -121,8 +119,7 @@ }, "panelIndex": "7dbde1e2-7e1d-4f02-874f-a0c105840bb3", "title": "System memory [Metrics Citrix ADC]", - "type": "lens", - "version": "8.4.1" + "type": "lens" }, { "embeddableConfig": { @@ -132,16 +129,12 @@ "id": "logs-*", "name": "indexpattern-datasource-layer-eee36b23-5dec-4dc7-983e-0d4dca19edca", "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "d4e185c8-3e2c-4c1e-9fcf-39517dbaf0fa", - "type": "index-pattern" } ], "state": { + "adHocDataViews": {}, "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "eee36b23-5dec-4dc7-983e-0d4dca19edca": { "columnOrder": [ @@ -176,29 +169,8 @@ } } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "d4e185c8-3e2c-4c1e-9fcf-39517dbaf0fa", - "key": "event.dataset", - "negate": false, - "params": { - "query": "citrix_adc.system" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "citrix_adc.system" - } - } - } - ], + "filters": [], + "internalReferences": [], "query": { "language": "kuery", "query": "" @@ -213,7 +185,7 @@ }, "title": "", "type": "lens", - "visualizationType": "lnsMetric" + "visualizationType": "lnsLegacyMetric" }, "enhancements": {}, "hidePanelTitles": true @@ -227,8 +199,7 @@ }, "panelIndex": "66e8467c-5e5a-4f59-9c9f-cc681764f1ac", "title": "Main memory in use [Metrics Citrix ADC]", - "type": "lens", - "version": "8.4.1" + "type": "lens" }, { "embeddableConfig": { @@ -238,16 +209,12 @@ "id": "logs-*", "name": "indexpattern-datasource-layer-eee36b23-5dec-4dc7-983e-0d4dca19edca", "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "ac9c6f50-ecbc-48d4-b585-acf3e1dfef81", - "type": "index-pattern" } ], "state": { + "adHocDataViews": {}, "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "eee36b23-5dec-4dc7-983e-0d4dca19edca": { "columnOrder": [ 
@@ -276,29 +243,8 @@ } } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "ac9c6f50-ecbc-48d4-b585-acf3e1dfef81", - "key": "event.dataset", - "negate": false, - "params": { - "query": "citrix_adc.system" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "citrix_adc.system" - } - } - } - ], + "filters": [], + "internalReferences": [], "query": { "language": "kuery", "query": "" @@ -313,7 +259,7 @@ }, "title": "", "type": "lens", - "visualizationType": "lnsMetric" + "visualizationType": "lnsLegacyMetric" }, "enhancements": {}, "hidePanelTitles": true @@ -327,8 +273,7 @@ }, "panelIndex": "44afa48e-858d-4c7e-9174-f3ab1e8e1869", "title": "CPUs on the NetScaler appliance [Metrics Citrix ADC]", - "type": "lens", - "version": "8.4.1" + "type": "lens" }, { "embeddableConfig": { @@ -338,16 +283,12 @@ "id": "logs-*", "name": "indexpattern-datasource-layer-fef8a002-f9de-4fcb-ab17-324b9eabf51b", "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "0c1a842b-195f-47aa-9ee1-1da52c4ead01", - "type": "index-pattern" } ], "state": { + "adHocDataViews": {}, "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "fef8a002-f9de-4fcb-ab17-324b9eabf51b": { "columnOrder": [ @@ -403,29 +344,8 @@ } } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "0c1a842b-195f-47aa-9ee1-1da52c4ead01", - "key": "event.dataset", - "negate": false, - "params": { - "query": "citrix_adc.system" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "citrix_adc.system" - } - } - } - ], + "filters": [], + "internalReferences": [], "query": { "language": "kuery", "query": "" @@ -487,8 +407,7 @@ }, "panelIndex": "18be8e3f-3ec4-4ba4-9d48-9f74154e312f", "title": "CPU utilization [Metrics Citrix ADC]", - "type": "lens", - "version": "8.4.1" + "type": "lens" }, { "embeddableConfig": { 
@@ -498,16 +417,12 @@ "id": "logs-*", "name": "indexpattern-datasource-layer-fef8a002-f9de-4fcb-ab17-324b9eabf51b", "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "c34a943f-2d5f-4150-8c84-4caec7ad969e", - "type": "index-pattern" } ], "state": { + "adHocDataViews": {}, "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "fef8a002-f9de-4fcb-ab17-324b9eabf51b": { "columnOrder": [ @@ -563,29 +478,8 @@ } } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "c34a943f-2d5f-4150-8c84-4caec7ad969e", - "key": "event.dataset", - "negate": false, - "params": { - "query": "citrix_adc.system" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "citrix_adc.system" - } - } - } - ], + "filters": [], + "internalReferences": [], "query": { "language": "kuery", "query": "" @@ -647,28 +541,26 @@ }, "panelIndex": "f8d336a2-8260-42b9-9825-52efbd544c4f", "title": "Memory utilization [Metrics Citrix ADC]", - "type": "lens", - "version": "8.4.1" + "type": "lens" } ], "timeRestore": false, "title": "[Metrics Citrix ADC] System", "version": 1 }, - "coreMigrationVersion": "8.4.1", + "coreMigrationVersion": "8.8.0", + "created_at": "2024-04-13T10:04:58.590Z", "id": "citrix_adc-73ef1be0-485a-11ed-aee6-31b55c85e6df", - "migrationVersion": { - "dashboard": "8.4.0" - }, + "managed": false, "references": [ { "id": "logs-*", - "name": "7dbde1e2-7e1d-4f02-874f-a0c105840bb3:indexpattern-datasource-layer-eee36b23-5dec-4dc7-983e-0d4dca19edca", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern" }, { "id": "logs-*", - "name": "7dbde1e2-7e1d-4f02-874f-a0c105840bb3:679a4987-e531-4cb3-ae99-69fe0b79f914", + "name": "7dbde1e2-7e1d-4f02-874f-a0c105840bb3:indexpattern-datasource-layer-eee36b23-5dec-4dc7-983e-0d4dca19edca", "type": "index-pattern" }, { 
@@ -676,41 +568,22 @@ "name": "66e8467c-5e5a-4f59-9c9f-cc681764f1ac:indexpattern-datasource-layer-eee36b23-5dec-4dc7-983e-0d4dca19edca", "type": "index-pattern" }, - { - "id": "logs-*", - "name": "66e8467c-5e5a-4f59-9c9f-cc681764f1ac:d4e185c8-3e2c-4c1e-9fcf-39517dbaf0fa", - "type": "index-pattern" - }, { "id": "logs-*", "name": "44afa48e-858d-4c7e-9174-f3ab1e8e1869:indexpattern-datasource-layer-eee36b23-5dec-4dc7-983e-0d4dca19edca", "type": "index-pattern" }, - { - "id": "logs-*", - "name": "44afa48e-858d-4c7e-9174-f3ab1e8e1869:ac9c6f50-ecbc-48d4-b585-acf3e1dfef81", - "type": "index-pattern" - }, { "id": "logs-*", "name": "18be8e3f-3ec4-4ba4-9d48-9f74154e312f:indexpattern-datasource-layer-fef8a002-f9de-4fcb-ab17-324b9eabf51b", "type": "index-pattern" }, - { - "id": "logs-*", - "name": "18be8e3f-3ec4-4ba4-9d48-9f74154e312f:0c1a842b-195f-47aa-9ee1-1da52c4ead01", - "type": "index-pattern" - }, { "id": "logs-*", "name": "f8d336a2-8260-42b9-9825-52efbd544c4f:indexpattern-datasource-layer-fef8a002-f9de-4fcb-ab17-324b9eabf51b", "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "f8d336a2-8260-42b9-9825-52efbd544c4f:c34a943f-2d5f-4150-8c84-4caec7ad969e", - "type": "index-pattern" } ], - "type": "dashboard" + "type": "dashboard", + "typeMigrationVersion": "8.9.0" } \ No newline at end of file diff --git a/packages/citrix_adc/kibana/dashboard/citrix_adc-8d0661f0-4fa4-11ed-8fa7-7bab33159b99.json b/packages/citrix_adc/kibana/dashboard/citrix_adc-8d0661f0-4fa4-11ed-8fa7-7bab33159b99.json index 629e94f2132..7275169f457 100644 --- a/packages/citrix_adc/kibana/dashboard/citrix_adc-8d0661f0-4fa4-11ed-8fa7-7bab33159b99.json +++ b/packages/citrix_adc/kibana/dashboard/citrix_adc-8d0661f0-4fa4-11ed-8fa7-7bab33159b99.json 
@@ -1,10 +1,32 @@ { "attributes": { "description": "This Citrix ADC dashboard visualizes Service metrics.", - "hits": 0, "kibanaSavedObjectMeta": { "searchSourceJSON": { - "filter": [], + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "citrix_adc.service" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "citrix_adc.service" + } + } + } + ], "query": { "language": "kuery", "query": "" @@ -14,6 +36,7 @@ "optionsJSON": { "hidePanelTitles": false, "syncColors": false, + "syncCursor": true, "syncTooltips": false, "useMargins": true }, @@ -26,16 +49,12 @@ "id": "logs-*", "name": "indexpattern-datasource-layer-a008374b-1b33-4196-9e28-a4bcb3c6a702", "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "6b649adf-bd72-407d-9a43-72766a54483f", - "type": "index-pattern" } ], "state": { + "adHocDataViews": {}, "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "a008374b-1b33-4196-9e28-a4bcb3c6a702": { "columnOrder": [ @@ -101,29 +120,8 @@ } } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "6b649adf-bd72-407d-9a43-72766a54483f", - "key": "event.dataset", - "negate": false, - "params": { - "query": "citrix_adc.service" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "citrix_adc.service" - } - } - } - ], + "filters": [], + "internalReferences": [], "query": { "language": "kuery", "query": "" @@ -168,8 +166,7 @@ }, "panelIndex": "9c9cb657-e287-4214-82c0-f0e7cdc96956", "title": "Requests over time [Metrics Citrix ADC]", - "type": "lens", - "version": "8.4.1" + "type": "lens" }, { "embeddableConfig": { 
@@ -179,16 +176,12 @@ "id": "logs-*", "name": "indexpattern-datasource-layer-65ecbe10-9b4b-41aa-b4e6-c6def5d0fdbd", "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "c5e654ca-86ee-4e91-a1ef-fa5f4f530346", - "type": "index-pattern" } ], "state": { + "adHocDataViews": {}, "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "65ecbe10-9b4b-41aa-b4e6-c6def5d0fdbd": { "columnOrder": [ @@ -254,29 +247,8 @@ } } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "c5e654ca-86ee-4e91-a1ef-fa5f4f530346", - "key": "event.dataset", - "negate": false, - "params": { - "query": "citrix_adc.service" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "citrix_adc.service" - } - } - } - ], + "filters": [], + "internalReferences": [], "query": { "language": "kuery", "query": "" @@ -341,8 +313,7 @@ }, "panelIndex": "af88c732-5baa-4abc-98e1-716c060f6fba", "title": "Responses over time [Metrics Citrix ADC]", - "type": "lens", - "version": "8.4.1" + "type": "lens" }, { "embeddableConfig": { @@ -352,16 +323,12 @@ "id": "logs-*", "name": "indexpattern-datasource-layer-97504ab3-bd69-4e81-828f-08a558bdb997", "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "36c85bfd-905f-43ae-b648-10281c69dcdf", - "type": "index-pattern" } ], "state": { + "adHocDataViews": {}, "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "97504ab3-bd69-4e81-828f-08a558bdb997": { "columnOrder": [ 
@@ -427,29 +394,8 @@ } } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "36c85bfd-905f-43ae-b648-10281c69dcdf", - "key": "event.dataset", - "negate": false, - "params": { - "query": "citrix_adc.service" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "citrix_adc.service" - } - } - } - ], + "filters": [], + "internalReferences": [], "query": { "language": "kuery", "query": "" @@ -494,8 +440,7 @@ }, "panelIndex": "5e55cf5f-7d94-40be-924e-d765364c10bf", "title": "Frustrating transactions over time [Metrics Citrix ADC]", - "type": "lens", - "version": "8.4.1" + "type": "lens" }, { "embeddableConfig": { @@ -505,16 +450,12 @@ "id": "logs-*", "name": "indexpattern-datasource-layer-b2603ad2-974e-47f2-9854-58e22c7220ee", "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "78112888-4d32-4867-b33f-a6d5933d5fb3", - "type": "index-pattern" } ], "state": { + "adHocDataViews": {}, "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "b2603ad2-974e-47f2-9854-58e22c7220ee": { "columnOrder": [ @@ -580,29 +521,8 @@ } } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "78112888-4d32-4867-b33f-a6d5933d5fb3", - "key": "event.dataset", - "negate": false, - "params": { - "query": "citrix_adc.service" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "citrix_adc.service" - } - } - } - ], + "filters": [], + "internalReferences": [], "query": { "language": "kuery", "query": "" 
@@ -647,28 +567,26 @@ }, "panelIndex": "11da9dae-38f1-4570-b0bf-9ed7d5283c80", "title": "Tolerable transactions over time [Metrics Citrix ADC]", - "type": "lens", - "version": "8.4.1" + "type": "lens" } ], "timeRestore": false, "title": "[Metrics Citrix ADC] Service", "version": 1 }, - "coreMigrationVersion": "8.4.1", + "coreMigrationVersion": "8.8.0", + "created_at": "2024-04-13T10:11:11.837Z", "id": "citrix_adc-8d0661f0-4fa4-11ed-8fa7-7bab33159b99", - "migrationVersion": { - "dashboard": "8.4.0" - }, + "managed": false, "references": [ { "id": "logs-*", - "name": "9c9cb657-e287-4214-82c0-f0e7cdc96956:indexpattern-datasource-layer-a008374b-1b33-4196-9e28-a4bcb3c6a702", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern" }, { "id": "logs-*", - "name": "9c9cb657-e287-4214-82c0-f0e7cdc96956:6b649adf-bd72-407d-9a43-72766a54483f", + "name": "9c9cb657-e287-4214-82c0-f0e7cdc96956:indexpattern-datasource-layer-a008374b-1b33-4196-9e28-a4bcb3c6a702", "type": "index-pattern" }, { 
@@ -676,31 +594,17 @@ "name": "af88c732-5baa-4abc-98e1-716c060f6fba:indexpattern-datasource-layer-65ecbe10-9b4b-41aa-b4e6-c6def5d0fdbd", "type": "index-pattern" }, - { - "id": "logs-*", - "name": "af88c732-5baa-4abc-98e1-716c060f6fba:c5e654ca-86ee-4e91-a1ef-fa5f4f530346", - "type": "index-pattern" - }, { "id": "logs-*", "name": "5e55cf5f-7d94-40be-924e-d765364c10bf:indexpattern-datasource-layer-97504ab3-bd69-4e81-828f-08a558bdb997", "type": "index-pattern" }, - { - "id": "logs-*", - "name": "5e55cf5f-7d94-40be-924e-d765364c10bf:36c85bfd-905f-43ae-b648-10281c69dcdf", - "type": "index-pattern" - }, { "id": "logs-*", "name": "11da9dae-38f1-4570-b0bf-9ed7d5283c80:indexpattern-datasource-layer-b2603ad2-974e-47f2-9854-58e22c7220ee", "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "11da9dae-38f1-4570-b0bf-9ed7d5283c80:78112888-4d32-4867-b33f-a6d5933d5fb3", - "type": "index-pattern" } ], - "type": "dashboard" + "type": "dashboard", + "typeMigrationVersion": "8.9.0" } \ No newline at end of file diff --git a/packages/citrix_adc/kibana/dashboard/citrix_adc-95709fd0-e130-11ee-adb0-b71252739438.json b/packages/citrix_adc/kibana/dashboard/citrix_adc-95709fd0-e130-11ee-adb0-b71252739438.json index 1a2b320dcd7..fc25fb48934 100644 --- a/packages/citrix_adc/kibana/dashboard/citrix_adc-95709fd0-e130-11ee-adb0-b71252739438.json +++ b/packages/citrix_adc/kibana/dashboard/citrix_adc-95709fd0-e130-11ee-adb0-b71252739438.json 
@@ -9,7 +9,30 @@ "description": "Overview of the Logs collected by the Citrix ADC.", "kibanaSavedObjectMeta": { "searchSourceJSON": { - "filter": [], + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "citrix_adc.log" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "citrix_adc.log" + } + } + } + ], "query": { "language": "kuery", "query": "" @@ -60,8 +83,7 @@ }, "panelIndex": "28c460d2-8a65-48ce-8387-37708452304c", "title": "Table of Contents", - "type": "visualization", - "version": "8.7.1" + "type": "visualization" }, { "embeddableConfig": { @@ -71,11 +93,6 @@ "id": "logs-*", "name": "indexpattern-datasource-layer-e2506703-c355-4307-9b8c-623fa77c78a6", "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "a4952cfd-1931-44ff-a055-45881e87fbf9", - "type": "index-pattern" } ], "state": { @@ -99,6 +116,7 @@ "format": { "id": "number", "params": { + "compact": true, "decimals": 2 } } @@ -115,30 +133,7 @@ "layers": {} } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "field": "data_stream.dataset", - "index": "a4952cfd-1931-44ff-a055-45881e87fbf9", - "key": "data_stream.dataset", - "negate": false, - "params": { - "query": "citrix_adc.log" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "data_stream.dataset": "citrix_adc.log" - } - } - } - ], + "filters": [], "internalReferences": [], "query": { "language": "kuery", @@ -167,8 +162,7 @@ }, "panelIndex": "f7acb623-11e3-4403-9b9b-fc30630b7449", "title": "Total Policies Denied [Logs Citrix ADC] ", - "type": "lens", - "version": "8.7.1" + "type": "lens" }, { "embeddableConfig": { 
@@ -178,11 +172,6 @@ "id": "logs-*", "name": "indexpattern-datasource-layer-e2506703-c355-4307-9b8c-623fa77c78a6", "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "45a5b385-2216-447e-b0cd-f480a8a4c212", - "type": "index-pattern" } ], "state": { @@ -206,6 +195,7 @@ "format": { "id": "number", "params": { + "compact": true, "decimals": 2 } } @@ -222,30 +212,7 @@ "layers": {} } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "field": "data_stream.dataset", - "index": "45a5b385-2216-447e-b0cd-f480a8a4c212", - "key": "data_stream.dataset", - "negate": false, - "params": { - "query": "citrix_adc.log" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "data_stream.dataset": "citrix_adc.log" - } - } - } - ], + "filters": [], "internalReferences": [], "query": { "language": "kuery", @@ -274,8 +241,7 @@ }, "panelIndex": "5e9be0e0-4605-4e82-89e2-d18942be9929", "title": "Total UDP Flows [Logs Citrix ADC]", - "type": "lens", - "version": "8.7.1" + "type": "lens" }, { "embeddableConfig": { @@ -285,11 +251,6 @@ "id": "logs-*", "name": "indexpattern-datasource-layer-e2506703-c355-4307-9b8c-623fa77c78a6", "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "57891f44-e3cc-4c13-a561-98af9b658060", - "type": "index-pattern" } ], "state": { @@ -313,6 +274,7 @@ "format": { "id": "number", "params": { + "compact": true, "decimals": 2 } } @@ -329,30 +291,7 @@ "layers": {} } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "field": "data_stream.dataset", - "index": "57891f44-e3cc-4c13-a561-98af9b658060", - "key": "data_stream.dataset", - "negate": false, - "params": { - "query": "citrix_adc.log" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "data_stream.dataset": "citrix_adc.log" - } - } - } - ], + "filters": [], "internalReferences": [], "query": { "language": "kuery", 
@@ -381,8 +320,7 @@ }, "panelIndex": "ed9aa7e1-608b-4b65-8f0f-b64432678cd2", "title": "Source Bytes [Logs Citrix ADC]", - "type": "lens", - "version": "8.7.1" + "type": "lens" }, { "embeddableConfig": { @@ -392,11 +330,6 @@ "id": "logs-*", "name": "indexpattern-datasource-layer-e2506703-c355-4307-9b8c-623fa77c78a6", "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "a67fd70d-3451-43ad-8947-9549dde00283", - "type": "index-pattern" } ], "state": { @@ -420,6 +353,7 @@ "format": { "id": "number", "params": { + "compact": true, "decimals": 2 } } @@ -436,30 +370,7 @@ "layers": {} } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "field": "data_stream.dataset", - "index": "a67fd70d-3451-43ad-8947-9549dde00283", - "key": "data_stream.dataset", - "negate": false, - "params": { - "query": "citrix_adc.log" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "data_stream.dataset": "citrix_adc.log" - } - } - } - ], + "filters": [], "internalReferences": [], "query": { "language": "kuery", @@ -488,8 +399,7 @@ }, "panelIndex": "2dfcb670-693f-4f10-9717-e4056e66a4f1", "title": "Total Policies Allowed [Logs Citrix ADC] ", - "type": "lens", - "version": "8.7.1" + "type": "lens" }, { "embeddableConfig": { @@ -499,11 +409,6 @@ "id": "logs-*", "name": "indexpattern-datasource-layer-e2506703-c355-4307-9b8c-623fa77c78a6", "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "90bfe744-969a-453e-af29-e3ef2dd9cc25", - "type": "index-pattern" } ], "state": { @@ -527,6 +432,7 @@ "format": { "id": "number", "params": { + "compact": true, "decimals": 2 } } 
@@ -543,30 +449,7 @@ "layers": {} } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "field": "data_stream.dataset", - "index": "90bfe744-969a-453e-af29-e3ef2dd9cc25", - "key": "data_stream.dataset", - "negate": false, - "params": { - "query": "citrix_adc.log" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "data_stream.dataset": "citrix_adc.log" - } - } - } - ], + "filters": [], "internalReferences": [], "query": { "language": "kuery", @@ -595,8 +478,7 @@ }, "panelIndex": "f9e0bb83-7c80-4abb-8a68-5be15c8f096b", "title": "Total TCP Connections [Logs Citrix ADC]", - "type": "lens", - "version": "8.7.1" + "type": "lens" }, { "embeddableConfig": { @@ -606,11 +488,6 @@ "id": "logs-*", "name": "indexpattern-datasource-layer-e2506703-c355-4307-9b8c-623fa77c78a6", "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "fe0867c1-6ca2-4dac-88ce-6f1b36a9d1bf", - "type": "index-pattern" } ], "state": { @@ -634,6 +511,7 @@ "format": { "id": "number", "params": { + "compact": true, "decimals": 2 } } @@ -650,30 +528,7 @@ "layers": {} } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "field": "data_stream.dataset", - "index": "fe0867c1-6ca2-4dac-88ce-6f1b36a9d1bf", - "key": "data_stream.dataset", - "negate": false, - "params": { - "query": "citrix_adc.log" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "data_stream.dataset": "citrix_adc.log" - } - } - } - ], + "filters": [], "internalReferences": [], "query": { "language": "kuery", @@ -702,8 +557,7 @@ }, "panelIndex": "6c5b6057-a76c-4a86-9ae5-5648e38c7b71", "title": "Destination Bytes [Logs Citrix ADC]", - "type": "lens", - "version": "8.7.1" + "type": "lens" }, { "embeddableConfig": { 
@@ -713,11 +567,6 @@ "id": "logs-*", "name": "indexpattern-datasource-layer-771a3ae6-3454-44c5-8386-30e43d147b04", "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "9e48fe6b-c833-4cf4-82cc-8323783d52e1", - "type": "index-pattern" } ], "state": { @@ -772,30 +621,7 @@ "layers": {} } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "field": "data_stream.dataset", - "index": "9e48fe6b-c833-4cf4-82cc-8323783d52e1", - "key": "data_stream.dataset", - "negate": false, - "params": { - "query": "citrix_adc.log" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "data_stream.dataset": "citrix_adc.log" - } - } - } - ], + "filters": [], "internalReferences": [], "query": { "language": "kuery", @@ -861,8 +687,7 @@ }, "panelIndex": "4c8a3f96-6e7a-4bdb-acbe-f52e4f7dc6b2", "title": "Events Over Time [Logs Citrix ADC]", - "type": "lens", - "version": "8.7.1" + "type": "lens" }, { "embeddableConfig": { @@ -872,11 +697,6 @@ "id": "logs-*", "name": "indexpattern-datasource-layer-771a3ae6-3454-44c5-8386-30e43d147b04", "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "f2fd7484-cb11-4fe0-947b-a5c3e845e677", - "type": "index-pattern" } ], "state": { @@ -931,30 +751,7 @@ "layers": {} } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "field": "data_stream.dataset", - "index": "f2fd7484-cb11-4fe0-947b-a5c3e845e677", - "key": "data_stream.dataset", - "negate": false, - "params": { - "query": "citrix_adc.log" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "data_stream.dataset": "citrix_adc.log" - } - } - } - ], + "filters": [], "internalReferences": [], "query": { "language": "kuery", @@ -1020,8 +817,7 @@ }, "panelIndex": "7fd7a318-184d-4c0c-b0ee-b8958117a04a", "title": "Severity Over Time [Logs Citrix ADC]", - "type": "lens", - "version": "8.7.1" + "type": "lens" }, { "embeddableConfig": { 
@@ -1031,11 +827,6 @@ "id": "logs-*", "name": "indexpattern-datasource-layer-1d85203e-e619-44d1-99eb-1890f1a7c084", "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "f1141519-608f-4767-96cc-24e8842474ca", - "type": "index-pattern" } ], "state": { @@ -1104,30 +895,7 @@ "layers": {} } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "field": "data_stream.dataset", - "index": "f1141519-608f-4767-96cc-24e8842474ca", - "key": "data_stream.dataset", - "negate": false, - "params": { - "query": "citrix_adc.log" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "data_stream.dataset": "citrix_adc.log" - } - } - } - ], + "filters": [], "internalReferences": [], "query": { "language": "kuery", @@ -1170,8 +938,7 @@ }, "panelIndex": "b1a20813-82f1-4ba0-b295-695020f85209", "title": "Events by Network Transport [Logs Citrix ADC]", - "type": "lens", - "version": "8.7.1" + "type": "lens" }, { "embeddableConfig": { @@ -1181,11 +948,6 @@ "id": "logs-*", "name": "indexpattern-datasource-layer-1d85203e-e619-44d1-99eb-1890f1a7c084", "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "9e133606-638d-42c5-a4ef-01ec82c06598", - "type": "index-pattern" } ], "state": { @@ -1253,30 +1015,7 @@ "layers": {} } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "field": "data_stream.dataset", - "index": "9e133606-638d-42c5-a4ef-01ec82c06598", - "key": "data_stream.dataset", - "negate": false, - "params": { - "query": "citrix_adc.log" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "data_stream.dataset": "citrix_adc.log" - } - } - } - ], + "filters": [], "internalReferences": [], "query": { "language": "kuery", 
@@ -1319,8 +1058,7 @@ }, "panelIndex": "a2059241-c442-45ca-a3f9-9155480ec367", "title": "Events by Network Protocol [Logs Citrix ADC]", - "type": "lens", - "version": "8.7.1" + "type": "lens" }, { "embeddableConfig": { @@ -1330,11 +1068,6 @@ "id": "logs-*", "name": "indexpattern-datasource-layer-1d85203e-e619-44d1-99eb-1890f1a7c084", "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "cf79bd3f-262a-4663-8fff-63b00b87c34b", - "type": "index-pattern" } ], "state": { @@ -1403,30 +1136,7 @@ "layers": {} } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "field": "data_stream.dataset", - "index": "cf79bd3f-262a-4663-8fff-63b00b87c34b", - "key": "data_stream.dataset", - "negate": false, - "params": { - "query": "citrix_adc.log" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "data_stream.dataset": "citrix_adc.log" - } - } - } - ], + "filters": [], "internalReferences": [], "query": { "language": "kuery", @@ -1469,8 +1179,7 @@ }, "panelIndex": "2df4dd1c-9b9c-411a-9aed-c37b6a535b78", "title": "Events by Priority [Logs Citrix ADC]", - "type": "lens", - "version": "8.7.1" + "type": "lens" }, { "embeddableConfig": { @@ -1480,11 +1189,6 @@ "id": "logs-*", "name": "indexpattern-datasource-layer-c9ccb6a3-5949-4684-ba32-c58cd71c456f", "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "813eba55-180f-41d5-9693-3bb4cbaa5b93", - "type": "index-pattern" } ], "state": { @@ -1552,30 +1256,7 @@ "layers": {} } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "field": "data_stream.dataset", - "index": "813eba55-180f-41d5-9693-3bb4cbaa5b93", - "key": "data_stream.dataset", - "negate": false, - "params": { - "query": "citrix_adc.log" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "data_stream.dataset": "citrix_adc.log" - } - } - } - ], + "filters": [], "internalReferences": [], "query": { "language": "kuery", 
@@ -1617,8 +1298,7 @@ }, "panelIndex": "87d8f4ae-bff3-4541-93f6-5f0495b22354", "title": "Top 10 Request Domain [Logs Citrix ADC]", - "type": "lens", - "version": "8.7.1" + "type": "lens" }, { "embeddableConfig": { @@ -1628,11 +1308,6 @@ "id": "logs-*", "name": "indexpattern-datasource-layer-c9ccb6a3-5949-4684-ba32-c58cd71c456f", "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "0000c5e7-f881-4b37-84b1-5f87b3c39298", - "type": "index-pattern" } ], "state": { @@ -1701,30 +1376,7 @@ "layers": {} } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "field": "data_stream.dataset", - "index": "0000c5e7-f881-4b37-84b1-5f87b3c39298", - "key": "data_stream.dataset", - "negate": false, - "params": { - "query": "citrix_adc.log" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "data_stream.dataset": "citrix_adc.log" - } - } - } - ], + "filters": [], "internalReferences": [], "query": { "language": "kuery", @@ -1766,8 +1418,7 @@ }, "panelIndex": "6362ec71-d94c-40ae-a3b0-6fd99a74f3fa", "title": "Top 10 Request Path [Logs Citrix ADC]", - "type": "lens", - "version": "8.7.1" + "type": "lens" }, { "embeddableConfig": { @@ -1777,11 +1428,6 @@ "id": "logs-*", "name": "indexpattern-datasource-layer-c9ccb6a3-5949-4684-ba32-c58cd71c456f", "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "c67b80ce-454e-4e6c-b76d-1b09a8fe8736", - "type": "index-pattern" } ], "state": { @@ -1850,30 +1496,7 @@ "layers": {} } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "field": "data_stream.dataset", - "index": "c67b80ce-454e-4e6c-b76d-1b09a8fe8736", - "key": "data_stream.dataset", - "negate": false, - "params": { - "query": "citrix_adc.log" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "data_stream.dataset": "citrix_adc.log" - } - } - } - ], + "filters": [], "internalReferences": [], "query": { "language": "kuery", 
@@ -1915,8 +1538,7 @@ }, "panelIndex": "04dd2a49-ecb6-4a37-9ed1-ff4cb32e7315", "title": "Top 10 Request Query [Logs Citrix ADC]", - "type": "lens", - "version": "8.7.1" + "type": "lens" }, { "embeddableConfig": { @@ -1926,11 +1548,6 @@ "id": "logs-*", "name": "indexpattern-datasource-layer-c9ccb6a3-5949-4684-ba32-c58cd71c456f", "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "03db2a39-f594-4c99-9a96-4d0ea0803a78", - "type": "index-pattern" } ], "state": { @@ -1999,30 +1616,7 @@ "layers": {} } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "field": "data_stream.dataset", - "index": "03db2a39-f594-4c99-9a96-4d0ea0803a78", - "key": "data_stream.dataset", - "negate": false, - "params": { - "query": "citrix_adc.log" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "data_stream.dataset": "citrix_adc.log" - } - } - } - ], + "filters": [], "internalReferences": [], "query": { "language": "kuery", @@ -2064,8 +1658,7 @@ }, "panelIndex": "6a0db5d9-5c35-4822-8be4-ba29d9e4a414", "title": "Top 10 Source Countries [Logs Citrix ADC]", - "type": "lens", - "version": "8.7.1" + "type": "lens" }, { "embeddableConfig": { @@ -2075,11 +1668,6 @@ "id": "logs-*", "name": "indexpattern-datasource-layer-c9ccb6a3-5949-4684-ba32-c58cd71c456f", "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "6cf95b00-4a04-4ca9-94f4-877e91791676", - "type": "index-pattern" } ], "state": { @@ -2148,30 +1736,7 @@ "layers": {} } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "field": "data_stream.dataset", - "index": "6cf95b00-4a04-4ca9-94f4-877e91791676", - "key": "data_stream.dataset", - "negate": false, - "params": { - "query": "citrix_adc.log" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "data_stream.dataset": "citrix_adc.log" - } - } - } - ], + "filters": [], "internalReferences": [], "query": { "language": "kuery", 
@@ -2213,8 +1778,7 @@ }, "panelIndex": "6339da61-ce3d-40ff-b7dc-4d5525f5ccf7", "title": "Top 10 Client Countries [Logs Citrix ADC]", - "type": "lens", - "version": "8.7.1" + "type": "lens" }, { "embeddableConfig": { @@ -2224,11 +1788,6 @@ "id": "logs-*", "name": "indexpattern-datasource-layer-56ec7bd9-8eff-4c45-86fb-96ff48db7730", "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "244824be-e6fc-4121-8159-e2a4e11c0a2a", - "type": "index-pattern" } ], "state": { @@ -2298,30 +1857,7 @@ "layers": {} } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "field": "data_stream.dataset", - "index": "244824be-e6fc-4121-8159-e2a4e11c0a2a", - "key": "data_stream.dataset", - "negate": false, - "params": { - "query": "citrix_adc.log" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "data_stream.dataset": "citrix_adc.log" - } - } - } - ], + "filters": [], "internalReferences": [], "query": { "language": "kuery", @@ -2386,8 +1922,7 @@ }, "panelIndex": "e89299e1-4cd9-49ef-89e8-3864d1224469", "title": "Events by Event Name [Logs Citrix ADC]", - "type": "lens", - "version": "8.7.1" + "type": "lens" }, { "embeddableConfig": { @@ -2397,11 +1932,6 @@ "id": "logs-*", "name": "indexpattern-datasource-layer-56ec7bd9-8eff-4c45-86fb-96ff48db7730", "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "8e92059b-9b18-4b02-b102-bef8a1787d78", - "type": "index-pattern" } ], "state": { @@ -2469,30 +1999,7 @@ "layers": {} } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "field": "data_stream.dataset", - "index": "8e92059b-9b18-4b02-b102-bef8a1787d78", - "key": "data_stream.dataset", - "negate": false, - "params": { - "query": "citrix_adc.log" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "data_stream.dataset": "citrix_adc.log" - } - } - } - ], + "filters": [], "internalReferences": [], "query": { "language": "kuery", 
@@ -2557,8 +2064,7 @@ }, "panelIndex": "d9220f99-2e6e-4c43-b55a-54cb8b3cb55f", "title": "Events by Event Class [Logs Citrix ADC]", - "type": "lens", - "version": "8.7.1" + "type": "lens" }, { "embeddableConfig": { @@ -2568,11 +2074,6 @@ "id": "logs-*", "name": "indexpattern-datasource-layer-1d2c9c58-fe87-46cd-943e-90fb37a18c6e", "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "1d0d4d94-f9bb-4246-aa05-c02d3a7d23ec", - "type": "index-pattern" } ], "state": { @@ -2640,30 +2141,7 @@ "layers": {} } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "field": "data_stream.dataset", - "index": "1d0d4d94-f9bb-4246-aa05-c02d3a7d23ec", - "key": "data_stream.dataset", - "negate": false, - "params": { - "query": "citrix_adc.log" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "data_stream.dataset": "citrix_adc.log" - } - } - } - ], + "filters": [], "internalReferences": [], "query": { "language": "kuery", @@ -2728,8 +2206,7 @@ }, "panelIndex": "a02365ac-b2de-4f1c-a59f-ec763f0634e7", "title": "Events by Action [Logs Citrix ADC]", - "type": "lens", - "version": "8.7.1" + "type": "lens" }, { "embeddableConfig": { @@ -2739,11 +2216,6 @@ "id": "logs-*", "name": "indexpattern-datasource-layer-35179640-438c-41c3-a0c9-1eb27a1929d9", "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "baa1a399-bb78-458e-a95e-da29abcb3374", - "type": "index-pattern" } ], "state": { @@ -2811,30 +2283,7 @@ "layers": {} } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "field": "data_stream.dataset", - "index": "baa1a399-bb78-458e-a95e-da29abcb3374", - "key": "data_stream.dataset", - "negate": false, - "params": { - "query": "citrix_adc.log" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "data_stream.dataset": "citrix_adc.log" - } - } - } - ], + "filters": [], "internalReferences": [], "query": { "language": "kuery", 
@@ -2869,8 +2318,7 @@ }, "panelIndex": "8d5ccace-9260-4464-af7c-6165af68480e", "title": "Top 10 Source IP [Logs Citrix ADC]", - "type": "lens", - "version": "8.7.1" + "type": "lens" }, { "embeddableConfig": { @@ -2880,11 +2328,6 @@ "id": "logs-*", "name": "indexpattern-datasource-layer-35179640-438c-41c3-a0c9-1eb27a1929d9", "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "6cab624e-160d-43ec-8f70-e80787f5d46b", - "type": "index-pattern" } ], "state": { @@ -2953,30 +2396,7 @@ "layers": {} } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "field": "data_stream.dataset", - "index": "6cab624e-160d-43ec-8f70-e80787f5d46b", - "key": "data_stream.dataset", - "negate": false, - "params": { - "query": "citrix_adc.log" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "data_stream.dataset": "citrix_adc.log" - } - } - } - ], + "filters": [], "internalReferences": [], "query": { "language": "kuery", @@ -3011,8 +2431,7 @@ }, "panelIndex": "c5c252e5-add3-46e7-9d63-133881e24666", "title": "Top 10 Destination IP [Logs Citrix ADC]", - "type": "lens", - "version": "8.7.1" + "type": "lens" }, { "embeddableConfig": { @@ -3022,11 +2441,6 @@ "id": "logs-*", "name": "indexpattern-datasource-layer-35179640-438c-41c3-a0c9-1eb27a1929d9", "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "4a5fe18d-b8d0-45d1-9937-9bfe329f4c85", - "type": "index-pattern" } ], "state": { @@ -3095,30 +2509,7 @@ "layers": {} } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "field": "data_stream.dataset", - "index": "4a5fe18d-b8d0-45d1-9937-9bfe329f4c85", - "key": "data_stream.dataset", - "negate": false, - "params": { - "query": "citrix_adc.log" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "data_stream.dataset": "citrix_adc.log" - } - } - } - ], + "filters": [], "internalReferences": [], "query": { "language": "kuery", 
@@ -3153,8 +2544,7 @@ }, "panelIndex": "c6e8140c-ab76-433a-9309-8bdb471ae311", "title": "Top 10 Server IP [Logs Citrix ADC]", - "type": "lens", - "version": "8.7.1" + "type": "lens" }, { "embeddableConfig": { @@ -3164,11 +2554,6 @@ "id": "logs-*", "name": "indexpattern-datasource-layer-35179640-438c-41c3-a0c9-1eb27a1929d9", "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "d8c7fbbb-d7dc-4b07-99ca-c30b4334fdf6", - "type": "index-pattern" } ], "state": { @@ -3237,30 +2622,7 @@ "layers": {} } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "field": "data_stream.dataset", - "index": "d8c7fbbb-d7dc-4b07-99ca-c30b4334fdf6", - "key": "data_stream.dataset", - "negate": false, - "params": { - "query": "citrix_adc.log" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "data_stream.dataset": "citrix_adc.log" - } - } - } - ], + "filters": [], "internalReferences": [], "query": { "language": "kuery", 
@@ -3295,17 +2657,16 @@ }, "panelIndex": "26ab28ea-2f8d-4612-92ed-0bc9cf0f56c2", "title": "Top 10 Client IP [Logs Citrix ADC]", - "type": "lens", - "version": "8.7.1" + "type": "lens" }, { "embeddableConfig": { "attributes": { "description": "", "layerListJSON": "[{\"locale\":\"autoselect\",\"sourceDescriptor\":{\"type\":\"EMS_TMS\",\"isAutoSelect\":true,\"lightModeDefault\":\"road_map_desaturated\"},\"id\":\"5fa2b795-79cb-4d92-baca-6764236a1761\",\"label\":null,\"minZoom\":0,\"maxZoom\":24,\"alpha\":1,\"visible\":true,\"style\":{\"type\":\"EMS_VECTOR_TILE\",\"color\":\"\"},\"includeInFitToBounds\":true,\"type\":\"EMS_VECTOR_TILE\"},{\"joins\":[{\"leftField\":\"iso2\",\"right\":{\"type\":\"ES_TERM_SOURCE\",\"id\":\"4d75bc0f-290d-44c9-a3c5-74ecdbc20a06\",\"term\":\"client.geo.country_iso_code\",\"metrics\":[{\"type\":\"count\"}],\"applyGlobalQuery\":true,\"applyGlobalTime\":true,\"applyForceRefresh\":true,\"indexPatternRefName\":\"layer_1_join_0_index_pattern\"}}],\"sourceDescriptor\":{\"type\":\"EMS_FILE\",\"id\":\"world_countries\",\"tooltipProperties\":[\"iso2\"]},\"style\":{\"type\":\"VECTOR\",\"properties\":{\"icon\":{\"type\":\"STATIC\",\"options\":{\"value\":\"marker\"}},\"fillColor\":{\"type\":\"DYNAMIC\",\"options\":{\"color\":\"Yellow to 
Red\",\"colorCategory\":\"palette_0\",\"field\":{\"name\":\"__kbnjoin__count__4d75bc0f-290d-44c9-a3c5-74ecdbc20a06\",\"origin\":\"join\"},\"fieldMetaOptions\":{\"isEnabled\":true,\"sigma\":3},\"type\":\"ORDINAL\"}},\"lineColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#3d3d3d\"}},\"lineWidth\":{\"type\":\"STATIC\",\"options\":{\"size\":1}},\"iconSize\":{\"type\":\"STATIC\",\"options\":{\"size\":6}},\"iconOrientation\":{\"type\":\"STATIC\",\"options\":{\"orientation\":0}},\"labelText\":{\"type\":\"DYNAMIC\",\"options\":{\"field\":{\"name\":\"__kbnjoin__count__4d75bc0f-290d-44c9-a3c5-74ecdbc20a06\",\"origin\":\"join\"}}},\"labelColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#000000\"}},\"labelSize\":{\"type\":\"STATIC\",\"options\":{\"size\":14}},\"labelZoomRange\":{\"options\":{\"useLayerZoomRange\":true,\"minZoom\":0,\"maxZoom\":24}},\"labelBorderColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#FFFFFF\"}},\"symbolizeAs\":{\"options\":{\"value\":\"circle\"}},\"labelBorderSize\":{\"options\":{\"size\":\"SMALL\"}},\"labelPosition\":{\"options\":{\"position\":\"CENTER\"}}},\"isTimeAware\":true},\"id\":\"eee46f19-a419-4463-ad99-acaa52789e83\",\"label\":\"Client Countries\",\"minZoom\":0,\"maxZoom\":24,\"alpha\":0.75,\"visible\":true,\"includeInFitToBounds\":true,\"type\":\"GEOJSON_VECTOR\",\"disableTooltips\":false},{\"joins\":[{\"leftField\":\"iso2\",\"right\":{\"type\":\"ES_TERM_SOURCE\",\"id\":\"01cee178-3bd9-42d4-b558-abfd4e64f87a\",\"term\":\"source.geo.country_iso_code\",\"metrics\":[{\"type\":\"count\"}],\"applyGlobalQuery\":true,\"applyGlobalTime\":true,\"applyForceRefresh\":true,\"indexPatternRefName\":\"layer_2_join_0_index_pattern\"}}],\"sourceDescriptor\":{\"type\":\"EMS_FILE\",\"id\":\"world_countries\",\"tooltipProperties\":[\"iso2\"]},\"style\":{\"type\":\"VECTOR\",\"properties\":{\"icon\":{\"type\":\"STATIC\",\"options\":{\"value\":\"marker\"}},\"fillColor\":{\"type\":\"DYNAMIC\",\"options\":{\"color\":\"Yellow to 
Red\",\"colorCategory\":\"palette_0\",\"field\":{\"name\":\"__kbnjoin__count__01cee178-3bd9-42d4-b558-abfd4e64f87a\",\"origin\":\"join\"},\"fieldMetaOptions\":{\"isEnabled\":true,\"sigma\":3},\"type\":\"ORDINAL\"}},\"lineColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#3d3d3d\"}},\"lineWidth\":{\"type\":\"STATIC\",\"options\":{\"size\":1}},\"iconSize\":{\"type\":\"STATIC\",\"options\":{\"size\":6}},\"iconOrientation\":{\"type\":\"STATIC\",\"options\":{\"orientation\":0}},\"labelText\":{\"type\":\"DYNAMIC\",\"options\":{\"field\":{\"name\":\"__kbnjoin__count__01cee178-3bd9-42d4-b558-abfd4e64f87a\",\"origin\":\"join\"}}},\"labelColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#000000\"}},\"labelSize\":{\"type\":\"STATIC\",\"options\":{\"size\":14}},\"labelZoomRange\":{\"options\":{\"useLayerZoomRange\":true,\"minZoom\":0,\"maxZoom\":24}},\"labelBorderColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#FFFFFF\"}},\"symbolizeAs\":{\"options\":{\"value\":\"circle\"}},\"labelBorderSize\":{\"options\":{\"size\":\"SMALL\"}},\"labelPosition\":{\"options\":{\"position\":\"CENTER\"}}},\"isTimeAware\":true},\"id\":\"58d98668-4206-42c5-99d7-58ef15f5b739\",\"label\":\"Source Countries\",\"minZoom\":0,\"maxZoom\":24,\"alpha\":0.75,\"visible\":true,\"includeInFitToBounds\":true,\"type\":\"GEOJSON_VECTOR\",\"disableTooltips\":false}]", - "mapStateJSON": 
"{\"adHocDataViews\":[],\"zoom\":1.4,\"center\":{\"lon\":0,\"lat\":19.94277},\"timeFilters\":{\"from\":\"now-15y\",\"to\":\"now\"},\"refreshConfig\":{\"isPaused\":true,\"interval\":60000},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[{\"meta\":{\"disabled\":false,\"negate\":false,\"alias\":null,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"field\":\"data_stream.dataset\",\"params\":{\"query\":\"citrix_adc.log\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"citrix_adc.log\"}},\"$state\":{\"store\":\"appState\"}}],\"settings\":{\"autoFitToDataBounds\":false,\"backgroundColor\":\"#ffffff\",\"customIcons\":[],\"disableInteractive\":false,\"disableTooltipControl\":false,\"hideToolbarOverlay\":false,\"hideLayerControl\":false,\"hideViewControl\":false,\"initialLocation\":\"LAST_SAVED_LOCATION\",\"fixedLocation\":{\"lat\":0,\"lon\":0,\"zoom\":2},\"browserLocation\":{\"zoom\":2},\"keydownScrollZoom\":false,\"maxZoom\":24,\"minZoom\":0,\"showScaleControl\":false,\"showSpatialFilters\":true,\"showTimesliderToggleButton\":true,\"spatialFiltersAlpa\":0.3,\"spatialFiltersFillColor\":\"#DA8B45\",\"spatialFiltersLineColor\":\"#DA8B45\"}}", + "mapStateJSON": 
"{\"adHocDataViews\":[],\"zoom\":1.4,\"center\":{\"lon\":0,\"lat\":19.94277},\"timeFilters\":{\"from\":\"now-15m\",\"to\":\"now\"},\"refreshConfig\":{\"isPaused\":true,\"interval\":60000},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"settings\":{\"autoFitToDataBounds\":false,\"backgroundColor\":\"#ffffff\",\"customIcons\":[],\"disableInteractive\":false,\"disableTooltipControl\":false,\"hideToolbarOverlay\":false,\"hideLayerControl\":false,\"hideViewControl\":false,\"initialLocation\":\"LAST_SAVED_LOCATION\",\"fixedLocation\":{\"lat\":0,\"lon\":0,\"zoom\":2},\"browserLocation\":{\"zoom\":2},\"keydownScrollZoom\":false,\"maxZoom\":24,\"minZoom\":0,\"showScaleControl\":false,\"showSpatialFilters\":true,\"showTimesliderToggleButton\":true,\"spatialFiltersAlpa\":0.3,\"spatialFiltersFillColor\":\"#DA8B45\",\"spatialFiltersLineColor\":\"#DA8B45\"}}", "title": "", - "uiStateJSON": "{\"isLayerTOCOpen\":true,\"openTOCDetails\":[]}" + "uiStateJSON": "{\"isLayerTOCOpen\":false,\"openTOCDetails\":[]}" }, "enhancements": {}, "hiddenLayers": [], 
@@ -3333,29 +2694,26 @@ }, "panelIndex": "164d7357-8f59-4773-a775-fe7faee555de", "title": "Source/Client Connections [Logs Citrix ADC]", - "type": "map", - "version": "8.7.1" + "type": "map" } ], "timeRestore": false, "title": "[Logs Citrix ADC] Overview", "version": 1 }, - "coreMigrationVersion": "8.7.1", - "created_at": "2024-03-15T10:48:42.289Z", + "coreMigrationVersion": "8.8.0", + "created_at": "2024-04-13T10:25:26.367Z", "id": "citrix_adc-95709fd0-e130-11ee-adb0-b71252739438", - "migrationVersion": { - "dashboard": "8.7.0" - }, + "managed": false, "references": [ { "id": "logs-*", - "name": "f7acb623-11e3-4403-9b9b-fc30630b7449:indexpattern-datasource-layer-e2506703-c355-4307-9b8c-623fa77c78a6", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern" }, { "id": "logs-*", - "name": "f7acb623-11e3-4403-9b9b-fc30630b7449:a4952cfd-1931-44ff-a055-45881e87fbf9", + "name": "f7acb623-11e3-4403-9b9b-fc30630b7449:indexpattern-datasource-layer-e2506703-c355-4307-9b8c-623fa77c78a6", "type": "index-pattern" }, { 
@@ -3363,221 +2721,111 @@ "name": "5e9be0e0-4605-4e82-89e2-d18942be9929:indexpattern-datasource-layer-e2506703-c355-4307-9b8c-623fa77c78a6", "type": "index-pattern" }, - { - "id": "logs-*", - "name": "5e9be0e0-4605-4e82-89e2-d18942be9929:45a5b385-2216-447e-b0cd-f480a8a4c212", - "type": "index-pattern" - }, { "id": "logs-*", "name": "ed9aa7e1-608b-4b65-8f0f-b64432678cd2:indexpattern-datasource-layer-e2506703-c355-4307-9b8c-623fa77c78a6", "type": "index-pattern" }, - { - "id": "logs-*", - "name": "ed9aa7e1-608b-4b65-8f0f-b64432678cd2:57891f44-e3cc-4c13-a561-98af9b658060", - "type": "index-pattern" - }, { "id": "logs-*", "name": "2dfcb670-693f-4f10-9717-e4056e66a4f1:indexpattern-datasource-layer-e2506703-c355-4307-9b8c-623fa77c78a6", "type": "index-pattern" }, - { - "id": "logs-*", - "name": "2dfcb670-693f-4f10-9717-e4056e66a4f1:a67fd70d-3451-43ad-8947-9549dde00283", - "type": "index-pattern" - }, { "id": "logs-*", "name": "f9e0bb83-7c80-4abb-8a68-5be15c8f096b:indexpattern-datasource-layer-e2506703-c355-4307-9b8c-623fa77c78a6", "type": "index-pattern" }, - { - "id": "logs-*", - "name": "f9e0bb83-7c80-4abb-8a68-5be15c8f096b:90bfe744-969a-453e-af29-e3ef2dd9cc25", - "type": "index-pattern" - }, { "id": "logs-*", "name": "6c5b6057-a76c-4a86-9ae5-5648e38c7b71:indexpattern-datasource-layer-e2506703-c355-4307-9b8c-623fa77c78a6", "type": "index-pattern" }, - { - "id": "logs-*", - "name": "6c5b6057-a76c-4a86-9ae5-5648e38c7b71:fe0867c1-6ca2-4dac-88ce-6f1b36a9d1bf", - "type": "index-pattern" - }, { "id": "logs-*", "name": "4c8a3f96-6e7a-4bdb-acbe-f52e4f7dc6b2:indexpattern-datasource-layer-771a3ae6-3454-44c5-8386-30e43d147b04", "type": "index-pattern" }, - { - "id": "logs-*", - "name": "4c8a3f96-6e7a-4bdb-acbe-f52e4f7dc6b2:9e48fe6b-c833-4cf4-82cc-8323783d52e1", - "type": "index-pattern" - }, { "id": "logs-*", "name": "7fd7a318-184d-4c0c-b0ee-b8958117a04a:indexpattern-datasource-layer-771a3ae6-3454-44c5-8386-30e43d147b04", "type": "index-pattern" }, - { - "id": "logs-*", - "name": 
"7fd7a318-184d-4c0c-b0ee-b8958117a04a:f2fd7484-cb11-4fe0-947b-a5c3e845e677", - "type": "index-pattern" - }, { "id": "logs-*", "name": "b1a20813-82f1-4ba0-b295-695020f85209:indexpattern-datasource-layer-1d85203e-e619-44d1-99eb-1890f1a7c084", "type": "index-pattern" }, - { - "id": "logs-*", - "name": "b1a20813-82f1-4ba0-b295-695020f85209:f1141519-608f-4767-96cc-24e8842474ca", - "type": "index-pattern" - }, { "id": "logs-*", "name": "a2059241-c442-45ca-a3f9-9155480ec367:indexpattern-datasource-layer-1d85203e-e619-44d1-99eb-1890f1a7c084", "type": "index-pattern" }, - { - "id": "logs-*", - "name": "a2059241-c442-45ca-a3f9-9155480ec367:9e133606-638d-42c5-a4ef-01ec82c06598", - "type": "index-pattern" - }, { "id": "logs-*", "name": "2df4dd1c-9b9c-411a-9aed-c37b6a535b78:indexpattern-datasource-layer-1d85203e-e619-44d1-99eb-1890f1a7c084", "type": "index-pattern" }, - { - "id": "logs-*", - "name": "2df4dd1c-9b9c-411a-9aed-c37b6a535b78:cf79bd3f-262a-4663-8fff-63b00b87c34b", - "type": "index-pattern" - }, { "id": "logs-*", "name": "87d8f4ae-bff3-4541-93f6-5f0495b22354:indexpattern-datasource-layer-c9ccb6a3-5949-4684-ba32-c58cd71c456f", "type": "index-pattern" }, - { - "id": "logs-*", - "name": "87d8f4ae-bff3-4541-93f6-5f0495b22354:813eba55-180f-41d5-9693-3bb4cbaa5b93", - "type": "index-pattern" - }, { "id": "logs-*", "name": "6362ec71-d94c-40ae-a3b0-6fd99a74f3fa:indexpattern-datasource-layer-c9ccb6a3-5949-4684-ba32-c58cd71c456f", "type": "index-pattern" }, - { - "id": "logs-*", - "name": "6362ec71-d94c-40ae-a3b0-6fd99a74f3fa:0000c5e7-f881-4b37-84b1-5f87b3c39298", - "type": "index-pattern" - }, { "id": "logs-*", "name": "04dd2a49-ecb6-4a37-9ed1-ff4cb32e7315:indexpattern-datasource-layer-c9ccb6a3-5949-4684-ba32-c58cd71c456f", "type": "index-pattern" }, - { - "id": "logs-*", - "name": "04dd2a49-ecb6-4a37-9ed1-ff4cb32e7315:c67b80ce-454e-4e6c-b76d-1b09a8fe8736", - "type": "index-pattern" - }, { "id": "logs-*", "name": 
"6a0db5d9-5c35-4822-8be4-ba29d9e4a414:indexpattern-datasource-layer-c9ccb6a3-5949-4684-ba32-c58cd71c456f", "type": "index-pattern" }, - { - "id": "logs-*", - "name": "6a0db5d9-5c35-4822-8be4-ba29d9e4a414:03db2a39-f594-4c99-9a96-4d0ea0803a78", - "type": "index-pattern" - }, { "id": "logs-*", "name": "6339da61-ce3d-40ff-b7dc-4d5525f5ccf7:indexpattern-datasource-layer-c9ccb6a3-5949-4684-ba32-c58cd71c456f", "type": "index-pattern" }, - { - "id": "logs-*", - "name": "6339da61-ce3d-40ff-b7dc-4d5525f5ccf7:6cf95b00-4a04-4ca9-94f4-877e91791676", - "type": "index-pattern" - }, { "id": "logs-*", "name": "e89299e1-4cd9-49ef-89e8-3864d1224469:indexpattern-datasource-layer-56ec7bd9-8eff-4c45-86fb-96ff48db7730", "type": "index-pattern" }, - { - "id": "logs-*", - "name": "e89299e1-4cd9-49ef-89e8-3864d1224469:244824be-e6fc-4121-8159-e2a4e11c0a2a", - "type": "index-pattern" - }, { "id": "logs-*", "name": "d9220f99-2e6e-4c43-b55a-54cb8b3cb55f:indexpattern-datasource-layer-56ec7bd9-8eff-4c45-86fb-96ff48db7730", "type": "index-pattern" }, - { - "id": "logs-*", - "name": "d9220f99-2e6e-4c43-b55a-54cb8b3cb55f:8e92059b-9b18-4b02-b102-bef8a1787d78", - "type": "index-pattern" - }, { "id": "logs-*", "name": "a02365ac-b2de-4f1c-a59f-ec763f0634e7:indexpattern-datasource-layer-1d2c9c58-fe87-46cd-943e-90fb37a18c6e", "type": "index-pattern" }, - { - "id": "logs-*", - "name": "a02365ac-b2de-4f1c-a59f-ec763f0634e7:1d0d4d94-f9bb-4246-aa05-c02d3a7d23ec", - "type": "index-pattern" - }, { "id": "logs-*", "name": "8d5ccace-9260-4464-af7c-6165af68480e:indexpattern-datasource-layer-35179640-438c-41c3-a0c9-1eb27a1929d9", "type": "index-pattern" }, - { - "id": "logs-*", - "name": "8d5ccace-9260-4464-af7c-6165af68480e:baa1a399-bb78-458e-a95e-da29abcb3374", - "type": "index-pattern" - }, { "id": "logs-*", "name": "c5c252e5-add3-46e7-9d63-133881e24666:indexpattern-datasource-layer-35179640-438c-41c3-a0c9-1eb27a1929d9", "type": "index-pattern" }, - { - "id": "logs-*", - "name": 
"c5c252e5-add3-46e7-9d63-133881e24666:6cab624e-160d-43ec-8f70-e80787f5d46b", - "type": "index-pattern" - }, { "id": "logs-*", "name": "c6e8140c-ab76-433a-9309-8bdb471ae311:indexpattern-datasource-layer-35179640-438c-41c3-a0c9-1eb27a1929d9", "type": "index-pattern" }, - { - "id": "logs-*", - "name": "c6e8140c-ab76-433a-9309-8bdb471ae311:4a5fe18d-b8d0-45d1-9937-9bfe329f4c85", - "type": "index-pattern" - }, { "id": "logs-*", "name": "26ab28ea-2f8d-4612-92ed-0bc9cf0f56c2:indexpattern-datasource-layer-35179640-438c-41c3-a0c9-1eb27a1929d9", "type": "index-pattern" }, - { - "id": "logs-*", - "name": "26ab28ea-2f8d-4612-92ed-0bc9cf0f56c2:d8c7fbbb-d7dc-4b07-99ca-c30b4334fdf6", - "type": "index-pattern" - }, { "id": "logs-*", "name": "164d7357-8f59-4773-a775-fe7faee555de:layer_1_join_0_index_pattern", @@ -3609,5 +2857,6 @@ "type": "index-pattern" } ], - "type": "dashboard" + "type": "dashboard", + "typeMigrationVersion": "8.9.0" } \ No newline at end of file diff --git a/packages/citrix_adc/kibana/dashboard/citrix_adc-abcd5660-4947-11ed-9b28-1f7d06bfd481.json b/packages/citrix_adc/kibana/dashboard/citrix_adc-abcd5660-4947-11ed-9b28-1f7d06bfd481.json index 8a5e7e24967..2f710d81b33 100644 --- a/packages/citrix_adc/kibana/dashboard/citrix_adc-abcd5660-4947-11ed-9b28-1f7d06bfd481.json +++ b/packages/citrix_adc/kibana/dashboard/citrix_adc-abcd5660-4947-11ed-9b28-1f7d06bfd481.json 
@@ -1,10 +1,32 @@ { "attributes": { "description": "This Citrix ADC dashboard visualizes VPN metrics.", - "hits": 0, "kibanaSavedObjectMeta": { "searchSourceJSON": { - "filter": [], + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "citrix_adc.vpn" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "citrix_adc.vpn" + } + } + } + ], "query": { "language": "kuery", "query": "" @@ -14,6 +36,7 @@ "optionsJSON": { "hidePanelTitles": false, "syncColors": false, + "syncCursor": true, "syncTooltips": false, "useMargins": true }, @@ -26,16 +49,12 @@ "id": "logs-*", "name": "indexpattern-datasource-layer-843e0f63-4565-4351-8f4c-91a6709a8424", "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "61b472dd-d203-430a-a9ea-131cf857a145", - "type": "index-pattern" } ], "state": { + "adHocDataViews": {}, "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "843e0f63-4565-4351-8f4c-91a6709a8424": { "columnOrder": [ @@ -95,29 +114,8 @@ } } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "61b472dd-d203-430a-a9ea-131cf857a145", - "key": "event.dataset", - "negate": false, - "params": { - "query": "citrix_adc.vpn" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "citrix_adc.vpn" - } - } - } - ], + "filters": [], + "internalReferences": [], "query": { "language": "kuery", "query": "" @@ -172,8 +170,7 @@ }, "panelIndex": "3d20b250-4c74-4b02-a2ac-f92e52d3cb99", "title": "Connection requests over time [Metrics Citrix ADC]", - "type": "lens", - "version": "8.4.1" + "type": "lens" }, { "embeddableConfig": { 
@@ -183,16 +180,12 @@ "id": "logs-*", "name": "indexpattern-datasource-layer-18433b6a-4d65-4394-9cf0-054499e11bdb", "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "0ebba268-adc5-4dee-a52b-e1eab6c45dba", - "type": "index-pattern" } ], "state": { + "adHocDataViews": {}, "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "18433b6a-4d65-4394-9cf0-054499e11bdb": { "columnOrder": [ @@ -221,29 +214,8 @@ } } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "0ebba268-adc5-4dee-a52b-e1eab6c45dba", - "key": "event.dataset", - "negate": false, - "params": { - "query": "citrix_adc.vpn" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "citrix_adc.vpn" - } - } - } - ], + "filters": [], + "internalReferences": [], "query": { "language": "kuery", "query": "" @@ -258,7 +230,7 @@ }, "title": "", "type": "lens", - "visualizationType": "lnsMetric" + "visualizationType": "lnsLegacyMetric" }, "enhancements": {}, "hidePanelTitles": true @@ -272,8 +244,7 @@ }, "panelIndex": "f363cf44-05b7-4102-a7ce-382437d04a51", "title": "Login page hits [Metrics Citrix ADC]", - "type": "lens", - "version": "8.4.1" + "type": "lens" }, { "embeddableConfig": { @@ -283,16 +254,12 @@ "id": "logs-*", "name": "indexpattern-datasource-layer-c54f26f7-b5d8-4efd-845f-34793e74083a", "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "8fc9fe41-a930-4c2d-882a-092e1cf3523a", - "type": "index-pattern" } ], "state": { + "adHocDataViews": {}, "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "c54f26f7-b5d8-4efd-845f-34793e74083a": { "columnOrder": [ 
@@ -321,29 +288,8 @@ } } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "8fc9fe41-a930-4c2d-882a-092e1cf3523a", - "key": "event.dataset", - "negate": false, - "params": { - "query": "citrix_adc.vpn" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "citrix_adc.vpn" - } - } - } - ], + "filters": [], + "internalReferences": [], "query": { "language": "kuery", "query": "" @@ -358,7 +304,7 @@ }, "title": "", "type": "lens", - "visualizationType": "lnsMetric" + "visualizationType": "lnsLegacyMetric" }, "enhancements": {}, "hidePanelTitles": true @@ -372,8 +318,7 @@ }, "panelIndex": "9021c8e3-be37-4019-9337-8734c6f6132c", "title": "ICA license failure [Metrics Citrix ADC]", - "type": "lens", - "version": "8.4.1" + "type": "lens" }, { "embeddableConfig": { @@ -383,16 +328,12 @@ "id": "logs-*", "name": "indexpattern-datasource-layer-093da8ce-2dbc-4114-aebb-ab469277ddeb", "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "8bb9f46a-fd01-4c62-9622-e1e13857bb9d", - "type": "index-pattern" } ], "state": { + "adHocDataViews": {}, "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "093da8ce-2dbc-4114-aebb-ab469277ddeb": { "columnOrder": [ @@ -452,29 +393,8 @@ } } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "8bb9f46a-fd01-4c62-9622-e1e13857bb9d", - "key": "event.dataset", - "negate": false, - "params": { - "query": "citrix_adc.vpn" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "citrix_adc.vpn" - } - } - } - ], + "filters": [], + "internalReferences": [], "query": { "language": "kuery", "query": "" @@ -543,8 +463,7 @@ }, "panelIndex": "c4996ebe-f05e-4523-bf28-179b0087eca3", "title": "Connection responses over time [Metrics Citrix ADC]", - "type": "lens", - "version": "8.4.1" + "type": "lens" }, { "embeddableConfig": { 
@@ -554,16 +473,12 @@ "id": "logs-*", "name": "indexpattern-datasource-layer-5a248697-ae8b-4afe-8eee-b24bbc1cd5ce", "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "78e30e2d-36c8-4847-932f-c12853d70c3a", - "type": "index-pattern" } ], "state": { + "adHocDataViews": {}, "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "5a248697-ae8b-4afe-8eee-b24bbc1cd5ce": { "columnOrder": [ @@ -592,29 +507,8 @@ } } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "78e30e2d-36c8-4847-932f-c12853d70c3a", - "key": "event.dataset", - "negate": false, - "params": { - "query": "citrix_adc.vpn" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "citrix_adc.vpn" - } - } - } - ], + "filters": [], + "internalReferences": [], "query": { "language": "kuery", "query": "" @@ -629,7 +523,7 @@ }, "title": "", "type": "lens", - "visualizationType": "lnsMetric" + "visualizationType": "lnsLegacyMetric" }, "enhancements": {}, "hidePanelTitles": true @@ -643,8 +537,7 @@ }, "panelIndex": "99df95a0-7af0-46f1-8390-8908aed2030c", "title": "Login failed due to license unavailability [Metrics Citrix ADC]", - "type": "lens", - "version": "8.4.1" + "type": "lens" }, { "embeddableConfig": { @@ -654,16 +547,12 @@ "id": "logs-*", "name": "indexpattern-datasource-layer-bfa2562f-fffc-493b-81b9-fd2c72ea55dd", "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "1e88dde7-5efc-4395-b651-d9efd019963a", - "type": "index-pattern" } ], "state": { + "adHocDataViews": {}, "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "bfa2562f-fffc-493b-81b9-fd2c72ea55dd": { "columnOrder": [ 
@@ -692,29 +581,8 @@ } } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "1e88dde7-5efc-4395-b651-d9efd019963a", - "key": "event.dataset", - "negate": false, - "params": { - "query": "citrix_adc.vpn" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "citrix_adc.vpn" - } - } - } - ], + "filters": [], + "internalReferences": [], "query": { "language": "kuery", "query": "" @@ -729,7 +597,7 @@ }, "title": "", "type": "lens", - "visualizationType": "lnsMetric" + "visualizationType": "lnsLegacyMetric" }, "enhancements": {}, "hidePanelTitles": true @@ -743,8 +611,7 @@ }, "panelIndex": "32d25eae-7130-4496-bd27-015a045d01f1", "title": "Client-Server request hits [Metrics Citrix ADC]", - "type": "lens", - "version": "8.4.1" + "type": "lens" }, { "embeddableConfig": { @@ -754,16 +621,12 @@ "id": "logs-*", "name": "indexpattern-datasource-layer-0182c0bb-1428-4aff-84c6-17409944b876", "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "e44276fa-cc0a-47d5-9650-ea7748922494", - "type": "index-pattern" } ], "state": { + "adHocDataViews": {}, "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "0182c0bb-1428-4aff-84c6-17409944b876": { "columnOrder": [ @@ -823,29 +686,8 @@ } } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "e44276fa-cc0a-47d5-9650-ea7748922494", - "key": "event.dataset", - "negate": false, - "params": { - "query": "citrix_adc.vpn" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "citrix_adc.vpn" - } - } - } - ], + "filters": [], + "internalReferences": [], "query": { "language": "kuery", "query": "" @@ -902,8 +744,7 @@ }, "panelIndex": "22470ead-e1c5-4df5-8528-4859bfad05d5", "title": "Connections Per Second (CPS) over time [Metrics Citrix ADC]", - "type": "lens", - "version": "8.4.1" + "type": "lens" }, { "embeddableConfig": { 
@@ -913,16 +754,12 @@ "id": "logs-*", "name": "indexpattern-datasource-layer-d9971dcf-0dd8-48bf-9e09-198417c12655", "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "c1894cfd-7315-4cb3-a060-9d566c35159f", - "type": "index-pattern" } ], "state": { + "adHocDataViews": {}, "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "d9971dcf-0dd8-48bf-9e09-198417c12655": { "columnOrder": [ @@ -982,29 +819,8 @@ } } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "c1894cfd-7315-4cb3-a060-9d566c35159f", - "key": "event.dataset", - "negate": false, - "params": { - "query": "citrix_adc.vpn" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "citrix_adc.vpn" - } - } - } - ], + "filters": [], + "internalReferences": [], "query": { "language": "kuery", "query": "" @@ -1061,28 +877,26 @@ }, "panelIndex": "afd3d9fe-009b-404d-aa5e-86e2fef6e332", "title": "Secure Ticket Authority (STA) over time [Metrics Citrix ADC]", - "type": "lens", - "version": "8.4.1" + "type": "lens" } ], "timeRestore": false, "title": "[Metrics Citrix ADC] VPN", "version": 1 }, - "coreMigrationVersion": "8.4.1", + "coreMigrationVersion": "8.8.0", + "created_at": "2024-04-13T10:14:22.113Z", "id": "citrix_adc-abcd5660-4947-11ed-9b28-1f7d06bfd481", - "migrationVersion": { - "dashboard": "8.4.0" - }, + "managed": false, "references": [ { "id": "logs-*", - "name": "3d20b250-4c74-4b02-a2ac-f92e52d3cb99:indexpattern-datasource-layer-843e0f63-4565-4351-8f4c-91a6709a8424", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern" }, { "id": "logs-*", - "name": "3d20b250-4c74-4b02-a2ac-f92e52d3cb99:61b472dd-d203-430a-a9ea-131cf857a145", + "name": "3d20b250-4c74-4b02-a2ac-f92e52d3cb99:indexpattern-datasource-layer-843e0f63-4565-4351-8f4c-91a6709a8424", "type": "index-pattern" }, { 
@@ -1090,71 +904,37 @@ "name": "f363cf44-05b7-4102-a7ce-382437d04a51:indexpattern-datasource-layer-18433b6a-4d65-4394-9cf0-054499e11bdb", "type": "index-pattern" }, - { - "id": "logs-*", - "name": "f363cf44-05b7-4102-a7ce-382437d04a51:0ebba268-adc5-4dee-a52b-e1eab6c45dba", - "type": "index-pattern" - }, { "id": "logs-*", "name": "9021c8e3-be37-4019-9337-8734c6f6132c:indexpattern-datasource-layer-c54f26f7-b5d8-4efd-845f-34793e74083a", "type": "index-pattern" }, - { - "id": "logs-*", - "name": "9021c8e3-be37-4019-9337-8734c6f6132c:8fc9fe41-a930-4c2d-882a-092e1cf3523a", - "type": "index-pattern" - }, { "id": "logs-*", "name": "c4996ebe-f05e-4523-bf28-179b0087eca3:indexpattern-datasource-layer-093da8ce-2dbc-4114-aebb-ab469277ddeb", "type": "index-pattern" }, - { - "id": "logs-*", - "name": "c4996ebe-f05e-4523-bf28-179b0087eca3:8bb9f46a-fd01-4c62-9622-e1e13857bb9d", - "type": "index-pattern" - }, { "id": "logs-*", "name": "99df95a0-7af0-46f1-8390-8908aed2030c:indexpattern-datasource-layer-5a248697-ae8b-4afe-8eee-b24bbc1cd5ce", "type": "index-pattern" }, - { - "id": "logs-*", - "name": "99df95a0-7af0-46f1-8390-8908aed2030c:78e30e2d-36c8-4847-932f-c12853d70c3a", - "type": "index-pattern" - }, { "id": "logs-*", "name": "32d25eae-7130-4496-bd27-015a045d01f1:indexpattern-datasource-layer-bfa2562f-fffc-493b-81b9-fd2c72ea55dd", "type": "index-pattern" }, - { - "id": "logs-*", - "name": "32d25eae-7130-4496-bd27-015a045d01f1:1e88dde7-5efc-4395-b651-d9efd019963a", - "type": "index-pattern" - }, { "id": "logs-*", "name": "22470ead-e1c5-4df5-8528-4859bfad05d5:indexpattern-datasource-layer-0182c0bb-1428-4aff-84c6-17409944b876", "type": "index-pattern" }, - { - "id": "logs-*", - "name": "22470ead-e1c5-4df5-8528-4859bfad05d5:e44276fa-cc0a-47d5-9650-ea7748922494", - "type": "index-pattern" - }, { "id": "logs-*", "name": "afd3d9fe-009b-404d-aa5e-86e2fef6e332:indexpattern-datasource-layer-d9971dcf-0dd8-48bf-9e09-198417c12655", "type": "index-pattern" - }, - { - "id": "logs-*", - "name": 
"afd3d9fe-009b-404d-aa5e-86e2fef6e332:c1894cfd-7315-4cb3-a060-9d566c35159f", - "type": "index-pattern" } ], - "type": "dashboard" + "type": "dashboard", + "typeMigrationVersion": "8.9.0" } \ No newline at end of file diff --git a/packages/citrix_adc/kibana/dashboard/citrix_adc-b475f280-4eb1-11ed-9db6-73aea65de09b.json b/packages/citrix_adc/kibana/dashboard/citrix_adc-b475f280-4eb1-11ed-9db6-73aea65de09b.json index 16af4d9ac7d..49bc8898fd3 100644 --- a/packages/citrix_adc/kibana/dashboard/citrix_adc-b475f280-4eb1-11ed-9db6-73aea65de09b.json +++ b/packages/citrix_adc/kibana/dashboard/citrix_adc-b475f280-4eb1-11ed-9db6-73aea65de09b.json @@ -1,10 +1,32 @@ { "attributes": { "description": "This Citrix ADC dashboard visualizes Interface metrics.", - "hits": 0, "kibanaSavedObjectMeta": { "searchSourceJSON": { - "filter": [], + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "citrix_adc.interface" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "citrix_adc.interface" + } + } + } + ], "query": { "language": "kuery", "query": "" @@ -14,6 +36,7 @@ "optionsJSON": { "hidePanelTitles": false, "syncColors": false, + "syncCursor": true, "syncTooltips": false, "useMargins": true }, @@ -26,16 +49,12 @@ "id": "logs-*", "name": "indexpattern-datasource-layer-e58ee30c-a1df-4a0a-bd4e-ffc6980efe6c", "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "a2a48bef-1ec7-4cd5-b0f4-9f4873b4f0f2", - "type": "index-pattern" } ], "state": { + "adHocDataViews": {}, "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "e58ee30c-a1df-4a0a-bd4e-ffc6980efe6c": { "columnOrder": [ 
@@ -102,29 +121,8 @@ } } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "a2a48bef-1ec7-4cd5-b0f4-9f4873b4f0f2", - "key": "event.dataset", - "negate": false, - "params": { - "query": "citrix_adc.interface" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "citrix_adc.interface" - } - } - } - ], + "filters": [], + "internalReferences": [], "query": { "language": "kuery", "query": "" @@ -195,8 +193,7 @@ }, "panelIndex": "6dd13615-8a4c-4d4f-b565-26fb49690bb0", "title": "Outbound packets dropped by hardware over time [Metrics Citrix ADC]", - "type": "lens", - "version": "8.4.1" + "type": "lens" }, { "embeddableConfig": { @@ -206,16 +203,12 @@ "id": "logs-*", "name": "indexpattern-datasource-layer-2149bf41-4cea-4cb8-9a09-01af70f4246b", "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "d6100fc5-b7ab-4df2-9abf-1b6c9d52972b", - "type": "index-pattern" } ], "state": { + "adHocDataViews": {}, "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "2149bf41-4cea-4cb8-9a09-01af70f4246b": { "columnOrder": [ @@ -281,29 +274,8 @@ } } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "d6100fc5-b7ab-4df2-9abf-1b6c9d52972b", - "key": "event.dataset", - "negate": false, - "params": { - "query": "citrix_adc.interface" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "citrix_adc.interface" - } - } - } - ], + "filters": [], + "internalReferences": [], "query": { "language": "kuery", "query": "" @@ -368,8 +340,7 @@ }, "panelIndex": "ef042c51-a09d-4927-a834-774f25189669", "title": "Inbound packets dropped over time [Metrics Citrix ADC]", - "type": "lens", - "version": "8.4.1" + "type": "lens" }, { "embeddableConfig": { 
@@ -379,16 +350,12 @@ "id": "logs-*", "name": "indexpattern-datasource-layer-186d3b37-e7d7-48ef-ac4f-29a36706d901", "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "e39b1225-bec5-4116-bf3c-d0308b042f83", - "type": "index-pattern" } ], "state": { + "adHocDataViews": {}, "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "186d3b37-e7d7-48ef-ac4f-29a36706d901": { "columnOrder": [ @@ -460,29 +427,8 @@ } } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "e39b1225-bec5-4116-bf3c-d0308b042f83", - "key": "event.dataset", - "negate": false, - "params": { - "query": "citrix_adc.interface" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "citrix_adc.interface" - } - } - } - ], + "filters": [], + "internalReferences": [], "query": { "language": "kuery", "query": "" @@ -527,8 +473,7 @@ }, "panelIndex": "cb848b9e-64d3-4d2c-ada0-49225499c9b7", "title": "Transmitted bytes over time [Metrics Citrix ADC]", - "type": "lens", - "version": "8.4.1" + "type": "lens" }, { "embeddableConfig": { @@ -538,16 +483,12 @@ "id": "logs-*", "name": "indexpattern-datasource-layer-14ae75d6-40e0-4b65-ba31-3c80bb6f5b76", "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "eed7f61d-baf7-490c-80bb-d6e088dba657", - "type": "index-pattern" } ], "state": { + "adHocDataViews": {}, "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "14ae75d6-40e0-4b65-ba31-3c80bb6f5b76": { "columnOrder": [ 
@@ -619,29 +560,8 @@ } } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "eed7f61d-baf7-490c-80bb-d6e088dba657", - "key": "event.dataset", - "negate": false, - "params": { - "query": "citrix_adc.interface" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "citrix_adc.interface" - } - } - } - ], + "filters": [], + "internalReferences": [], "query": { "language": "kuery", "query": "" @@ -706,28 +626,26 @@ }, "panelIndex": "f63522ca-8b1e-426e-ac65-52d98adb4dbc", "title": "Received bytes over time [Metrics Citrix ADC]", - "type": "lens", - "version": "8.4.1" + "type": "lens" } ], "timeRestore": false, "title": "[Metrics Citrix ADC] Interface", "version": 1 }, - "coreMigrationVersion": "8.4.1", + "coreMigrationVersion": "8.8.0", + "created_at": "2024-04-13T10:15:47.880Z", "id": "citrix_adc-b475f280-4eb1-11ed-9db6-73aea65de09b", - "migrationVersion": { - "dashboard": "8.4.0" - }, + "managed": false, "references": [ { "id": "logs-*", - "name": "6dd13615-8a4c-4d4f-b565-26fb49690bb0:indexpattern-datasource-layer-e58ee30c-a1df-4a0a-bd4e-ffc6980efe6c", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern" }, { "id": "logs-*", - "name": "6dd13615-8a4c-4d4f-b565-26fb49690bb0:a2a48bef-1ec7-4cd5-b0f4-9f4873b4f0f2", + "name": "6dd13615-8a4c-4d4f-b565-26fb49690bb0:indexpattern-datasource-layer-e58ee30c-a1df-4a0a-bd4e-ffc6980efe6c", "type": "index-pattern" }, { 
@@ -735,31 +653,17 @@ "name": "ef042c51-a09d-4927-a834-774f25189669:indexpattern-datasource-layer-2149bf41-4cea-4cb8-9a09-01af70f4246b", "type": "index-pattern" }, - { - "id": "logs-*", - "name": "ef042c51-a09d-4927-a834-774f25189669:d6100fc5-b7ab-4df2-9abf-1b6c9d52972b", - "type": "index-pattern" - }, { "id": "logs-*", "name": "cb848b9e-64d3-4d2c-ada0-49225499c9b7:indexpattern-datasource-layer-186d3b37-e7d7-48ef-ac4f-29a36706d901", "type": "index-pattern" }, - { - "id": "logs-*", - "name": "cb848b9e-64d3-4d2c-ada0-49225499c9b7:e39b1225-bec5-4116-bf3c-d0308b042f83", - "type": "index-pattern" - }, { "id": "logs-*", "name": "f63522ca-8b1e-426e-ac65-52d98adb4dbc:indexpattern-datasource-layer-14ae75d6-40e0-4b65-ba31-3c80bb6f5b76", "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "f63522ca-8b1e-426e-ac65-52d98adb4dbc:eed7f61d-baf7-490c-80bb-d6e088dba657", - "type": "index-pattern" } ], - "type": "dashboard" + "type": "dashboard", + "typeMigrationVersion": "8.9.0" } \ No newline at end of file diff --git a/packages/citrix_adc/kibana/dashboard/citrix_adc-c4b9b970-3d99-11ed-9f8b-1bc5a55dfeec.json b/packages/citrix_adc/kibana/dashboard/citrix_adc-c4b9b970-3d99-11ed-9f8b-1bc5a55dfeec.json index e48bbd981c1..7c001861e3b 100644 --- a/packages/citrix_adc/kibana/dashboard/citrix_adc-c4b9b970-3d99-11ed-9f8b-1bc5a55dfeec.json +++ b/packages/citrix_adc/kibana/dashboard/citrix_adc-c4b9b970-3d99-11ed-9f8b-1bc5a55dfeec.json 
@@ -1,10 +1,51 @@ { "attributes": { "description": "This Citrix ADC dashboard visualizes metrics related to Interface, Load Balancing Virtual Server, and Service.", - "hits": 0, "kibanaSavedObjectMeta": { "searchSourceJSON": { - "filter": [], + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "data_stream.dataset", + "negate": false, + "params": [ + "citrix_adc.interface", + "citrix_adc.lbvserver", + "citrix_adc.service" + ], + "type": "phrases" + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "data_stream.dataset": "citrix_adc.interface" + } + }, + { + "match_phrase": { + "data_stream.dataset": "citrix_adc.lbvserver" + } + }, + { + "match_phrase": { + "data_stream.dataset": "citrix_adc.service" + } + } + ] + } + } + } + ], "query": { "language": "kuery", "query": "" @@ -14,6 +55,7 @@ "optionsJSON": { "hidePanelTitles": false, "syncColors": false, + "syncCursor": true, "syncTooltips": false, "useMargins": true }, @@ -26,16 +68,12 @@ "id": "logs-*", "name": "indexpattern-datasource-layer-22de67d8-7da7-4d4e-b3b7-19d0c462fdcd", "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "802ec8a4-5bc0-486d-999d-4fbdfda1a1c8", - "type": "index-pattern" } ], "state": { + "adHocDataViews": {}, "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "22de67d8-7da7-4d4e-b3b7-19d0c462fdcd": { "columnOrder": [ 
@@ -230,29 +268,8 @@ } } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "802ec8a4-5bc0-486d-999d-4fbdfda1a1c8", - "key": "event.dataset", - "negate": false, - "params": { - "query": "citrix_adc.interface" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "citrix_adc.interface" - } - } - } - ], + "filters": [], + "internalReferences": [], "query": { "language": "kuery", "query": "" @@ -331,8 +348,7 @@ }, "panelIndex": "5045d28a-6fd1-46b5-ae46-e25867d3829a", "title": "Statistics of interfaces [Metrics Citrix ADC]", - "type": "lens", - "version": "8.4.1" + "type": "lens" }, { "embeddableConfig": { @@ -342,16 +358,12 @@ "id": "logs-*", "name": "indexpattern-datasource-layer-65ab4dd9-9ddd-436a-a66a-7adf8ff767c3", "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "f1433360-560a-42da-b29a-af88bb2e71d1", - "type": "index-pattern" } ], "state": { + "adHocDataViews": {}, "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "65ab4dd9-9ddd-436a-a66a-7adf8ff767c3": { "columnOrder": [ @@ -539,29 +551,8 @@ } } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "f1433360-560a-42da-b29a-af88bb2e71d1", - "key": "event.dataset", - "negate": false, - "params": { - "query": "citrix_adc.service" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "citrix_adc.service" - } - } - } - ], + "filters": [], + "internalReferences": [], "query": { "language": "kuery", "query": "" @@ -642,8 +633,7 @@ }, "panelIndex": "c12f2a4e-eed5-4d01-8d43-ce0370f1e27c", "title": "Statistics of services [Metrics Citrix ADC]", - "type": "lens", - "version": "8.4.1" + "type": "lens" }, { "embeddableConfig": { 
@@ -653,16 +643,12 @@ "id": "logs-*", "name": "indexpattern-datasource-layer-65ab4dd9-9ddd-436a-a66a-7adf8ff767c3", "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "505a62b4-d91f-4e51-baca-9b35cfba6274", - "type": "index-pattern" } ], "state": { + "adHocDataViews": {}, "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "65ab4dd9-9ddd-436a-a66a-7adf8ff767c3": { "columnOrder": [ @@ -892,29 +878,8 @@ } } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "505a62b4-d91f-4e51-baca-9b35cfba6274", - "key": "event.dataset", - "negate": false, - "params": { - "query": "citrix_adc.lbvserver" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "citrix_adc.lbvserver" - } - } - } - ], + "filters": [], + "internalReferences": [], "query": { "language": "kuery", "query": "" @@ -1001,28 +966,26 @@ }, "panelIndex": "e3056439-f8bf-4526-b25c-f08bc74aa37d", "title": "Statistics of Load Balancing Virtual Server [Metrics Citrix ADC]", - "type": "lens", - "version": "8.4.1" + "type": "lens" } ], "timeRestore": false, "title": "[Metrics Citrix ADC] Overview", "version": 1 }, - "coreMigrationVersion": "8.4.1", + "coreMigrationVersion": "8.8.0", + "created_at": "2024-04-13T10:18:26.397Z", "id": "citrix_adc-c4b9b970-3d99-11ed-9f8b-1bc5a55dfeec", - "migrationVersion": { - "dashboard": "8.4.0" - }, + "managed": false, "references": [ { "id": "logs-*", - "name": "5045d28a-6fd1-46b5-ae46-e25867d3829a:indexpattern-datasource-layer-22de67d8-7da7-4d4e-b3b7-19d0c462fdcd", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern" }, { "id": "logs-*", - "name": "5045d28a-6fd1-46b5-ae46-e25867d3829a:802ec8a4-5bc0-486d-999d-4fbdfda1a1c8", + "name": "5045d28a-6fd1-46b5-ae46-e25867d3829a:indexpattern-datasource-layer-22de67d8-7da7-4d4e-b3b7-19d0c462fdcd", "type": "index-pattern" }, { 
@@ -1030,21 +993,12 @@ "name": "c12f2a4e-eed5-4d01-8d43-ce0370f1e27c:indexpattern-datasource-layer-65ab4dd9-9ddd-436a-a66a-7adf8ff767c3", "type": "index-pattern" }, - { - "id": "logs-*", - "name": "c12f2a4e-eed5-4d01-8d43-ce0370f1e27c:f1433360-560a-42da-b29a-af88bb2e71d1", - "type": "index-pattern" - }, { "id": "logs-*", "name": "e3056439-f8bf-4526-b25c-f08bc74aa37d:indexpattern-datasource-layer-65ab4dd9-9ddd-436a-a66a-7adf8ff767c3", "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "e3056439-f8bf-4526-b25c-f08bc74aa37d:505a62b4-d91f-4e51-baca-9b35cfba6274", - "type": "index-pattern" } ], - "type": "dashboard" + "type": "dashboard", + "typeMigrationVersion": "8.9.0" } \ No newline at end of file diff --git a/packages/citrix_adc/manifest.yml b/packages/citrix_adc/manifest.yml index 34ca396f65c..7f92604cc22 100644 --- a/packages/citrix_adc/manifest.yml +++ b/packages/citrix_adc/manifest.yml @@ -1,7 +1,7 @@ format_version: "3.0.2" name: citrix_adc title: Citrix ADC -version: "1.5.1" +version: "1.6.0" description: This Elastic integration collects logs and metrics from Citrix ADC product. type: integration categories: diff --git a/packages/citrix_adc/validation.yml b/packages/citrix_adc/validation.yml deleted file mode 100644 index bcc8f74ac3a..00000000000 --- a/packages/citrix_adc/validation.yml +++ /dev/null @@ -1,3 +0,0 @@ -errors: - exclude_checks: - - SVR00002 diff --git a/packages/cockroachdb/changelog.yml b/packages/cockroachdb/changelog.yml index 56e878dbebf..f9749b65ffd 100644 --- a/packages/cockroachdb/changelog.yml +++ b/packages/cockroachdb/changelog.yml 
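Review bot: The citrix_adc manifest hunk shows only the bump from 1.5.1 to 1.6.0, so it does not show whether `conditions.kibana.version` was raised to match the re-exported dashboards; the dashboard hunks earlier in this diff now carry `"typeMigrationVersion": "8.9.0"` and the Lens `formBased` datasource key, and as far as I know Kibana rejects an imported saved object whose migration version is newer than the installing instance. If the package's Kibana floor is still below that, raise it in the same commit, e.g. `kibana.version: "^8.9.0"` (or the higher floor the package already uses), rather than in a follow-up. The cockroachdb manifest hunk later in this diff has the same gap. Separately, the deleted validation.yml stops excluding check SVR00002, so whatever that check enforces now runs against every dashboard in the package, including any not touched here; worth confirming the package validation passes before merge.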
@@ -1,3 +1,8 @@ +- version: "1.10.0" + changes: + - description: Add global filter on data_stream.dataset to improve performance. + type: enhancement + link: https://github.com/elastic/integrations/pull/9768 - version: "1.9.0" changes: - description: Enable secrets for sensitive fields. For more details, refer https://www.elastic.co/guide/en/fleet/current/agent-policy.html#agent-policy-secret-values diff --git a/packages/cockroachdb/kibana/dashboard/cockroachdb-e3ba0c30-9766-11e9-9eea-6f554992ec1f.json b/packages/cockroachdb/kibana/dashboard/cockroachdb-e3ba0c30-9766-11e9-9eea-6f554992ec1f.json index e8b63d9a7e4..f33f1c24555 100644 --- a/packages/cockroachdb/kibana/dashboard/cockroachdb-e3ba0c30-9766-11e9-9eea-6f554992ec1f.json +++ b/packages/cockroachdb/kibana/dashboard/cockroachdb-e3ba0c30-9766-11e9-9eea-6f554992ec1f.json @@ -1,10 +1,32 @@ { "attributes": { "description": "Overview of the CockroachDB server status", - "hits": 0, "kibanaSavedObjectMeta": { "searchSourceJSON": { - "filter": [], + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "cockroachdb.status" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "cockroachdb.status" + } + } + } + ], "query": { "language": "kuery", "query": "" @@ -13,6 +35,9 @@ }, "optionsJSON": { "hidePanelTitles": false, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false, "useMargins": true }, "panelsJSON": [ @@ -28,7 +53,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "4e7c2d11-f5be-4c30-be93-9b0e061d2d75": { "columnOrder": [ 
@@ -187,8 +212,7 @@ }, "panelIndex": "2f4d0af4-077d-4012-9b3d-91e5ad9d0b78", "title": "Number of SQL connections", - "type": "lens", - "version": "8.4.0" + "type": "lens" }, { "embeddableConfig": { @@ -217,7 +241,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "09088526-e63a-474c-8dd9-99791089fc24": { "columnOrder": [ @@ -725,8 +749,7 @@ }, "panelIndex": "d2ab0e05-016c-474b-9b79-0f2dd763fccc", "title": "SQL queries", - "type": "lens", - "version": "8.4.0" + "type": "lens" }, { "embeddableConfig": { @@ -755,7 +778,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "64f54c10-73b0-43c9-8f11-b660c82f95e2": { "columnOrder": [ @@ -1179,8 +1202,7 @@ }, "panelIndex": "274d2aab-2bee-4d2c-a1a8-3e6abd341eed", "title": "Ranges", - "type": "lens", - "version": "8.4.0" + "type": "lens" }, { "embeddableConfig": { @@ -1194,7 +1216,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "b283f07d-f9a8-419d-8c6a-87f58045aa39": { "columnOrder": [ @@ -1353,8 +1375,7 @@ }, "panelIndex": "a25e6220-bf77-4bbb-9e3b-7d4cb7dea29d", "title": "Replicas per Store", - "type": "lens", - "version": "8.4.0" + "type": "lens" }, { "embeddableConfig": { @@ -1368,7 +1389,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "b552ad9d-9a77-49a1-b1b7-6ce0a0b61c4c": { "columnOrder": [ @@ -1527,8 +1548,7 @@ }, "panelIndex": "30442eb6-b268-488f-ab25-0b36d60932e3", "title": "Replica leaseholders", - "type": "lens", - "version": "8.4.0" + "type": "lens" }, { "embeddableConfig": { @@ -1542,7 +1562,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "6e11af24-40bb-404b-89e3-d6e55ed59c82": { "columnOrder": [ @@ -1664,8 +1684,7 @@ }, "panelIndex": "bff6f0fa-7035-468b-9202-51c563b35973", "title": "SQL service latency", - "type": "lens", - "version": "8.4.0" + "type": "lens" }, { "embeddableConfig": { 
@@ -1679,7 +1698,7 @@
 ],
 "state": {
 "datasourceStates": {
- "indexpattern": {
+ "formBased": {
 "layers": {
 "6e11af24-40bb-404b-89e3-d6e55ed59c82": {
 "columnOrder": [
@@ -1801,20 +1820,23 @@
 },
 "panelIndex": "cefdc2be-7998-46c6-9dba-890598779123",
 "title": "Transaction duration",
- "type": "lens",
- "version": "8.4.0"
+ "type": "lens"
 }
 ],
 "timeRestore": false,
 "title": "[CockroachDB Metrics] Overview",
 "version": 1
 },
- "coreMigrationVersion": "8.4.0",
+ "coreMigrationVersion": "8.8.0",
+ "created_at": "2024-04-22T12:28:18.424Z",
 "id": "cockroachdb-e3ba0c30-9766-11e9-9eea-6f554992ec1f",
- "migrationVersion": {
- "dashboard": "8.4.0"
- },
+ "managed": false,
 "references": [
+ {
+ "id": "metrics-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ },
 {
 "id": "metrics-*",
 "name": "2f4d0af4-077d-4012-9b3d-91e5ad9d0b78:indexpattern-datasource-layer-4e7c2d11-f5be-4c30-be93-9b0e061d2d75",
@@ -1881,5 +1903,6 @@
 "type": "index-pattern"
 }
 ],
- "type": "dashboard"
+ "type": "dashboard",
+ "typeMigrationVersion": "8.9.0"
 }
\ No newline at end of file
diff --git a/packages/cockroachdb/manifest.yml b/packages/cockroachdb/manifest.yml
index a6860eba91b..2a8a29bb614 100644
--- a/packages/cockroachdb/manifest.yml
+++ b/packages/cockroachdb/manifest.yml
@@ -1,6 +1,6 @@
 name: cockroachdb
 title: CockroachDB Metrics
-version: "1.9.0"
+version: "1.10.0"
 description: Collect metrics from CockroachDB servers with Elastic Agent.
 type: integration
 icons:
diff --git a/packages/cockroachdb/validation.yml b/packages/cockroachdb/validation.yml
deleted file mode 100644
index bcc8f74ac3a..00000000000
--- a/packages/cockroachdb/validation.yml
+++ /dev/null
@@ -1,3 +0,0 @@
-errors:
- exclude_checks:
- - SVR00002
diff --git a/packages/hadoop/changelog.yml b/packages/hadoop/changelog.yml
index ad2f90ed3cb..5572e2d11d7 100644
--- a/packages/hadoop/changelog.yml
+++ b/packages/hadoop/changelog.yml
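Review bot: The new side of the -1801 and -1881 hunks raises `coreMigrationVersion` to `8.8.0` and adds `"typeMigrationVersion": "8.9.0"` in place of the `8.4.0` markers, which presumably pins this saved object to a newer Kibana than before; the manifest hunk that follows only bumps the package version, so the package's `kibana.version` constraint (outside this diff) should be confirmed to match, otherwise older stacks may refuse the import. The same commit deletes `validation.yml`, dropping the `SVR00002` exclusion — if that is the dashboard-filter check, every dashboard in the package now has to carry the `data_stream.dataset` filter, not only this one. Panel-level `"version"` keys are removed throughout this dashboard (-187, -725, -1179, -1353, -1527, -1664, -1801) while the hadoop dashboards further down keep `"version": "8.10.2"` on each panel; one convention per PR would keep future re-exports from producing this kind of noise again.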
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.6.0"
+ changes:
+ - description: Add global filter on data_stream.dataset to improve performance.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/9768
 - version: "1.5.2"
 changes:
 - description: Inline "by reference" visualizations
diff --git a/packages/hadoop/kibana/dashboard/hadoop-3e16f2c0-cd28-11ec-be30-1d9331f0b107.json b/packages/hadoop/kibana/dashboard/hadoop-3e16f2c0-cd28-11ec-be30-1d9331f0b107.json
index 13abf7bc94c..2b0ede0e925 100644
--- a/packages/hadoop/kibana/dashboard/hadoop-3e16f2c0-cd28-11ec-be30-1d9331f0b107.json
+++ b/packages/hadoop/kibana/dashboard/hadoop-3e16f2c0-cd28-11ec-be30-1d9331f0b107.json
@@ -1,660 +1,680 @@ { - "id": "hadoop-3e16f2c0-cd28-11ec-be30-1d9331f0b107", - "type": "dashboard", - "namespaces": [ - "default" - ], - "migrationVersion": { - "dashboard": "8.7.0" - }, - "coreMigrationVersion": "8.8.0", - "typeMigrationVersion": "8.7.0", - "updated_at": "2023-11-07T17:16:59.199Z", - "created_at": "2023-11-07T17:16:59.199Z", - "version": "Wzk5LDFd", - "attributes": { - "controlGroupInput": { - "chainingSystem": "HIERARCHICAL", - "controlStyle": "oneLine", - "ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}", - "panelsJSON": "{\"6df7972b-25f0-453b-829b-c183cddbc2f8\":{\"order\":0,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"hadoop.application.id\",\"title\":\"Applications\",\"id\":\"6df7972b-25f0-453b-829b-c183cddbc2f8\",\"enhancements\":{}}}}" - }, - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [], - "query": { - "language": "kuery", - "query": "" - } - } - }, - "optionsJSON": { - "hidePanelTitles": false, - "syncColors": false, - "syncCursor": true, - "syncTooltips": false, - "useMargins": true - }, - "panelsJSON": [ - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-layer-dcf6a578-de72-4570-9fd8-f157f6494eb8", - "type": "index-pattern" - } - ], - "state": { - "datasourceStates": { - "formBased": { - "layers": { - "dcf6a578-de72-4570-9fd8-f157f6494eb8": { - "columnOrder": [ - "bf367b81-240d-468f-bd19-7b42516a2d6f", - "75832028-a5ee-46c0-b95b-32f5a04b39c4" - ], - "columns": { - "75832028-a5ee-46c0-b95b-32f5a04b39c4": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Elapsed Time (ms)", - "operationType": "max", - "params": { - "emptyAsNull": true - }, - "scale": "ratio", - "sourceField": "hadoop.application.time.elapsed" + "attributes": { + "controlGroupInput": { + 
"chainingSystem": "HIERARCHICAL", + "controlStyle": "oneLine", + "ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}", + "panelsJSON": "{\"6df7972b-25f0-453b-829b-c183cddbc2f8\":{\"order\":0,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"hadoop.application.id\",\"title\":\"Applications\",\"id\":\"6df7972b-25f0-453b-829b-c183cddbc2f8\",\"enhancements\":{}}}}" + }, + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" }, - "bf367b81-240d-468f-bd19-7b42516a2d6f": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Application Id", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "columnId": "75832028-a5ee-46c0-b95b-32f5a04b39c4", - "type": "column" + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "hadoop.application" }, - "orderDirection": "desc", - "otherBucket": true, - "parentFormat": { - "id": "terms" - }, - "size": 5 - }, - "scale": "ordinal", - "sourceField": "hadoop.application.id" + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "hadoop.application" + } } - }, - "incompleteColumns": {} } - } + ], + "query": { + "language": "kuery", + "query": "" } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "gridlinesVisibilitySettings": { - "x": false, - "yLeft": false, - "yRight": true + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": 
"logs-*", + "name": "indexpattern-datasource-layer-dcf6a578-de72-4570-9fd8-f157f6494eb8", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "formBased": { + "layers": { + "dcf6a578-de72-4570-9fd8-f157f6494eb8": { + "columnOrder": [ + "bf367b81-240d-468f-bd19-7b42516a2d6f", + "75832028-a5ee-46c0-b95b-32f5a04b39c4" + ], + "columns": { + "75832028-a5ee-46c0-b95b-32f5a04b39c4": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Elapsed Time (ms)", + "operationType": "max", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "hadoop.application.time.elapsed" + }, + "bf367b81-240d-468f-bd19-7b42516a2d6f": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Application Id", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "75832028-a5ee-46c0-b95b-32f5a04b39c4", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "hadoop.application.id" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "gridlinesVisibilitySettings": { + "x": false, + "yLeft": false, + "yRight": true + }, + "layers": [ + { + "accessors": [ + "75832028-a5ee-46c0-b95b-32f5a04b39c4" + ], + "layerId": "dcf6a578-de72-4570-9fd8-f157f6494eb8", + "layerType": "data", + "position": "top", + "seriesType": "bar_stacked", + "showGridlines": false, + "xAccessor": "bf367b81-240d-468f-bd19-7b42516a2d6f", + "yConfig": [ + { + "axisMode": "left", + "forAccessor": "75832028-a5ee-46c0-b95b-32f5a04b39c4" + } + ] + } + ], + "legend": { + "isVisible": true, + "position": "top", + "showSingleSeries": true + }, + "preferredSeriesType": "bar_stacked", + "title": "Empty XY chart", + "valueLabels": "hide" + } + }, + "title": "", + "type": "lens", + 
"visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false }, - "layers": [ - { - "accessors": [ - "75832028-a5ee-46c0-b95b-32f5a04b39c4" - ], - "layerId": "dcf6a578-de72-4570-9fd8-f157f6494eb8", - "layerType": "data", - "position": "top", - "seriesType": "bar_stacked", - "showGridlines": false, - "xAccessor": "bf367b81-240d-468f-bd19-7b42516a2d6f", - "yConfig": [ - { - "axisMode": "left", - "forAccessor": "75832028-a5ee-46c0-b95b-32f5a04b39c4" - } - ] - } - ], - "legend": { - "isVisible": true, - "position": "top", - "showSingleSeries": true + "gridData": { + "h": 24, + "i": "21b49c8e-4de0-4e5f-bd72-89f3dc794af1", + "w": 18, + "x": 0, + "y": 0 }, - "preferredSeriesType": "bar_stacked", - "title": "Empty XY chart", - "valueLabels": "hide" - } + "panelIndex": "21b49c8e-4de0-4e5f-bd72-89f3dc794af1", + "title": "Elapsed time of different applications [Metrics Hadoop]", + "type": "lens", + "version": "8.10.2" }, - "title": "", - "type": "lens", - "visualizationType": "lnsXY" - }, - "enhancements": {}, - "hidePanelTitles": false - }, - "gridData": { - "h": 24, - "i": "21b49c8e-4de0-4e5f-bd72-89f3dc794af1", - "w": 18, - "x": 0, - "y": 0 - }, - "panelIndex": "21b49c8e-4de0-4e5f-bd72-89f3dc794af1", - "title": "Elapsed time of different applications [Metrics Hadoop]", - "type": "lens", - "version": "8.10.2" - }, - { - "embeddableConfig": { - "attributes": { - "description": "", - "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-layer-358c9e71-f4a3-4980-adec-21e72950e734", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "layers": { - "358c9e71-f4a3-4980-adec-21e72950e734": { - "columnOrder": [ - "d03524e9-64ac-4ac9-87e9-680f408594b7" - ], - "columns": { - "d03524e9-64ac-4ac9-87e9-680f408594b7": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Average Elapsed Time", - "operationType": "average", - "params": { - "emptyAsNull": 
true, - "format": { - "id": "duration", - "params": { - "decimals": 0, - "fromUnit": "milliseconds" - } + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-358c9e71-f4a3-4980-adec-21e72950e734", + "type": "index-pattern" } - }, - "scale": "ratio", - "sourceField": "hadoop.application.time.elapsed" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "accessor": "d03524e9-64ac-4ac9-87e9-680f408594b7", - "layerId": "358c9e71-f4a3-4980-adec-21e72950e734", - "layerType": "data", - "size": "m", - "textAlign": "center", - "titlePosition": "bottom" - } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "358c9e71-f4a3-4980-adec-21e72950e734": { + "columnOrder": [ + "d03524e9-64ac-4ac9-87e9-680f408594b7" + ], + "columns": { + "d03524e9-64ac-4ac9-87e9-680f408594b7": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Average Elapsed Time", + "operationType": "average", + "params": { + "emptyAsNull": true, + "format": { + "id": "duration", + "params": { + "decimals": 0, + "fromUnit": "milliseconds" + } + } + }, + "scale": "ratio", + "sourceField": "hadoop.application.time.elapsed" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "accessor": "d03524e9-64ac-4ac9-87e9-680f408594b7", + "layerId": "358c9e71-f4a3-4980-adec-21e72950e734", + "layerType": "data", + "size": "m", + "textAlign": "center", + "titlePosition": "bottom" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsLegacyMetric" + }, + "enhancements": {}, + "hidePanelTitles": true + }, + "gridData": { + "h": 8, + "i": "9fed89bd-d709-4c4a-a84a-93b4d805940a", + "w": 8, + "x": 18, + "y": 0 
+ }, + "panelIndex": "9fed89bd-d709-4c4a-a84a-93b4d805940a", + "title": "Average elapsed time [Metrics Hadoop]", + "type": "lens", + "version": "8.10.2" }, - "title": "", - "type": "lens", - "visualizationType": "lnsLegacyMetric" - }, - "enhancements": {}, - "hidePanelTitles": true - }, - "gridData": { - "h": 8, - "i": "9fed89bd-d709-4c4a-a84a-93b4d805940a", - "w": 8, - "x": 18, - "y": 0 - }, - "panelIndex": "9fed89bd-d709-4c4a-a84a-93b4d805940a", - "title": "Average elapsed time [Metrics Hadoop]", - "type": "lens", - "version": "8.10.2" - }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-layer-c0d13a02-cbb4-496c-88bd-6187253ec8d8", - "type": "index-pattern" - } - ], - "state": { - "datasourceStates": { - "formBased": { - "layers": { - "c0d13a02-cbb4-496c-88bd-6187253ec8d8": { - "columnOrder": [ - "71dbc991-2911-4abe-b977-4dda3d9d5bb0", - "b1201382-d991-47f1-9466-b0a4231edf29" - ], - "columns": { - "71dbc991-2911-4abe-b977-4dda3d9d5bb0": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Application Id", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "columnId": "b1201382-d991-47f1-9466-b0a4231edf29", - "type": "column" + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-c0d13a02-cbb4-496c-88bd-6187253ec8d8", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "formBased": { + "layers": { + "c0d13a02-cbb4-496c-88bd-6187253ec8d8": { + "columnOrder": [ + "71dbc991-2911-4abe-b977-4dda3d9d5bb0", + "b1201382-d991-47f1-9466-b0a4231edf29" + ], + "columns": { + "71dbc991-2911-4abe-b977-4dda3d9d5bb0": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Application Id", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "b1201382-d991-47f1-9466-b0a4231edf29", + 
"type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "hadoop.application.id" + }, + "b1201382-d991-47f1-9466-b0a4231edf29": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Number of Virtual Cores", + "operationType": "max", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "hadoop.application.vcore_seconds" + } + }, + "incompleteColumns": {} + } + } + } }, - "orderDirection": "desc", - "otherBucket": true, - "parentFormat": { - "id": "terms" + "filters": [], + "query": { + "language": "kuery", + "query": "" }, - "size": 5 - }, - "scale": "ordinal", - "sourceField": "hadoop.application.id" + "visualization": { + "gridlinesVisibilitySettings": { + "x": false, + "yLeft": false, + "yRight": true + }, + "layers": [ + { + "accessors": [ + "b1201382-d991-47f1-9466-b0a4231edf29" + ], + "layerId": "c0d13a02-cbb4-496c-88bd-6187253ec8d8", + "layerType": "data", + "position": "top", + "seriesType": "bar_horizontal", + "showGridlines": false, + "xAccessor": "71dbc991-2911-4abe-b977-4dda3d9d5bb0", + "yConfig": [ + { + "axisMode": "left", + "forAccessor": "b1201382-d991-47f1-9466-b0a4231edf29" + } + ] + } + ], + "legend": { + "isVisible": true, + "position": "top", + "showSingleSeries": true + }, + "preferredSeriesType": "bar_horizontal", + "title": "Empty XY chart", + "valueLabels": "hide" + } }, - "b1201382-d991-47f1-9466-b0a4231edf29": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Number of Virtual Cores", - "operationType": "max", - "params": { - "emptyAsNull": true - }, - "scale": "ratio", - "sourceField": "hadoop.application.vcore_seconds" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "gridlinesVisibilitySettings": { - "x": false, - "yLeft": false, - "yRight": 
true + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false }, - "layers": [ - { - "accessors": [ - "b1201382-d991-47f1-9466-b0a4231edf29" - ], - "layerId": "c0d13a02-cbb4-496c-88bd-6187253ec8d8", - "layerType": "data", - "position": "top", - "seriesType": "bar_horizontal", - "showGridlines": false, - "xAccessor": "71dbc991-2911-4abe-b977-4dda3d9d5bb0", - "yConfig": [ - { - "axisMode": "left", - "forAccessor": "b1201382-d991-47f1-9466-b0a4231edf29" - } - ] - } - ], - "legend": { - "isVisible": true, - "position": "top", - "showSingleSeries": true + "gridData": { + "h": 12, + "i": "8b49723a-7ec3-4b6a-8b5f-879f2dd4f5b0", + "w": 22, + "x": 26, + "y": 0 }, - "preferredSeriesType": "bar_horizontal", - "title": "Empty XY chart", - "valueLabels": "hide" - } + "panelIndex": "8b49723a-7ec3-4b6a-8b5f-879f2dd4f5b0", + "title": "Number of Virtual Cores Allocated [Metrics Hadoop]", + "type": "lens", + "version": "8.10.2" }, - "title": "", - "type": "lens", - "visualizationType": "lnsXY" - }, - "enhancements": {}, - "hidePanelTitles": false - }, - "gridData": { - "h": 12, - "i": "8b49723a-7ec3-4b6a-8b5f-879f2dd4f5b0", - "w": 22, - "x": 26, - "y": 0 - }, - "panelIndex": "8b49723a-7ec3-4b6a-8b5f-879f2dd4f5b0", - "title": "Number of Virtual Cores Allocated [Metrics Hadoop]", - "type": "lens", - "version": "8.10.2" - }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-layer-3003026c-64e9-4a34-9256-5500fb1a618a", - "type": "index-pattern" - } - ], - "state": { - "datasourceStates": { - "formBased": { - "layers": { - "3003026c-64e9-4a34-9256-5500fb1a618a": { - "columnOrder": [ - "a72c3684-ca50-4a1e-bae7-328ae098c42d" - ], - "columns": { - "a72c3684-ca50-4a1e-bae7-328ae098c42d": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Max Virtual Cores Allocated", - "operationType": "max", - "params": { - "emptyAsNull": true - 
}, - "scale": "ratio", - "sourceField": "hadoop.application.allocated.v_cores" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "accessor": "a72c3684-ca50-4a1e-bae7-328ae098c42d", - "layerId": "3003026c-64e9-4a34-9256-5500fb1a618a", - "layerType": "data", - "size": "m", - "textAlign": "center", - "titlePosition": "bottom" - } + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-3003026c-64e9-4a34-9256-5500fb1a618a", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "formBased": { + "layers": { + "3003026c-64e9-4a34-9256-5500fb1a618a": { + "columnOrder": [ + "a72c3684-ca50-4a1e-bae7-328ae098c42d" + ], + "columns": { + "a72c3684-ca50-4a1e-bae7-328ae098c42d": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Max Virtual Cores Allocated", + "operationType": "max", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "hadoop.application.allocated.v_cores" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "accessor": "a72c3684-ca50-4a1e-bae7-328ae098c42d", + "layerId": "3003026c-64e9-4a34-9256-5500fb1a618a", + "layerType": "data", + "size": "m", + "textAlign": "center", + "titlePosition": "bottom" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsLegacyMetric" + }, + "enhancements": {}, + "hidePanelTitles": true + }, + "gridData": { + "h": 8, + "i": "3a5fad55-3e58-4326-8dbb-a71291fad652", + "w": 8, + "x": 18, + "y": 8 + }, + "panelIndex": "3a5fad55-3e58-4326-8dbb-a71291fad652", + "title": "Maximum virtual cores allocated to the application's running containers [Metrics Hadoop]", + "type": "lens", + "version": "8.10.2" }, - "title": "", - "type": "lens", - "visualizationType": "lnsLegacyMetric" - }, - 
"enhancements": {}, - "hidePanelTitles": true - }, - "gridData": { - "h": 8, - "i": "3a5fad55-3e58-4326-8dbb-a71291fad652", - "w": 8, - "x": 18, - "y": 8 - }, - "panelIndex": "3a5fad55-3e58-4326-8dbb-a71291fad652", - "title": "Maximum virtual cores allocated to the application's running containers [Metrics Hadoop]", - "type": "lens", - "version": "8.10.2" - }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-layer-f39f3706-d2c4-42a9-80dc-d5db38283fd0", - "type": "index-pattern" - } - ], - "state": { - "datasourceStates": { - "formBased": { - "layers": { - "f39f3706-d2c4-42a9-80dc-d5db38283fd0": { - "columnOrder": [ - "d46b83b5-6fd9-4b12-82bc-ab59592531e8", - "e63c81f6-6fa0-4c42-a1fc-d81a5daa0c6d" - ], - "columns": { - "d46b83b5-6fd9-4b12-82bc-ab59592531e8": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Application Id", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "columnId": "e63c81f6-6fa0-4c42-a1fc-d81a5daa0c6d", - "type": "column" + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-f39f3706-d2c4-42a9-80dc-d5db38283fd0", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "formBased": { + "layers": { + "f39f3706-d2c4-42a9-80dc-d5db38283fd0": { + "columnOrder": [ + "d46b83b5-6fd9-4b12-82bc-ab59592531e8", + "e63c81f6-6fa0-4c42-a1fc-d81a5daa0c6d" + ], + "columns": { + "d46b83b5-6fd9-4b12-82bc-ab59592531e8": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Application Id", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "e63c81f6-6fa0-4c42-a1fc-d81a5daa0c6d", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 5 + }, + "scale": "ordinal", + "sourceField": 
"hadoop.application.id" + }, + "e63c81f6-6fa0-4c42-a1fc-d81a5daa0c6d": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Amount of Memory (MB)", + "operationType": "max", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "hadoop.application.memory_seconds" + } + }, + "incompleteColumns": {} + } + } + } }, - "orderDirection": "desc", - "otherBucket": true, - "parentFormat": { - "id": "terms" + "filters": [], + "query": { + "language": "kuery", + "query": "" }, - "size": 5 - }, - "scale": "ordinal", - "sourceField": "hadoop.application.id" + "visualization": { + "gridlinesVisibilitySettings": { + "x": false, + "yLeft": false, + "yRight": true + }, + "layers": [ + { + "accessors": [ + "e63c81f6-6fa0-4c42-a1fc-d81a5daa0c6d" + ], + "layerId": "f39f3706-d2c4-42a9-80dc-d5db38283fd0", + "layerType": "data", + "position": "top", + "seriesType": "bar_horizontal", + "showGridlines": false, + "xAccessor": "d46b83b5-6fd9-4b12-82bc-ab59592531e8", + "yConfig": [ + { + "axisMode": "left", + "forAccessor": "e63c81f6-6fa0-4c42-a1fc-d81a5daa0c6d" + } + ] + } + ], + "legend": { + "isVisible": true, + "position": "top", + "showSingleSeries": true + }, + "preferredSeriesType": "bar_horizontal", + "title": "Empty XY chart", + "valueLabels": "hide" + } }, - "e63c81f6-6fa0-4c42-a1fc-d81a5daa0c6d": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Amount of Memory (MB)", - "operationType": "max", - "params": { - "emptyAsNull": true - }, - "scale": "ratio", - "sourceField": "hadoop.application.memory_seconds" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "gridlinesVisibilitySettings": { - "x": false, - "yLeft": false, - "yRight": true + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false }, - "layers": [ - { - "accessors": [ - 
"e63c81f6-6fa0-4c42-a1fc-d81a5daa0c6d" - ], - "layerId": "f39f3706-d2c4-42a9-80dc-d5db38283fd0", - "layerType": "data", - "position": "top", - "seriesType": "bar_horizontal", - "showGridlines": false, - "xAccessor": "d46b83b5-6fd9-4b12-82bc-ab59592531e8", - "yConfig": [ - { - "axisMode": "left", - "forAccessor": "e63c81f6-6fa0-4c42-a1fc-d81a5daa0c6d" - } - ] - } - ], - "legend": { - "isVisible": true, - "position": "top", - "showSingleSeries": true + "gridData": { + "h": 12, + "i": "ba4756f0-4674-4b0a-880d-54a5cfb4cb3f", + "w": 22, + "x": 26, + "y": 12 }, - "preferredSeriesType": "bar_horizontal", - "title": "Empty XY chart", - "valueLabels": "hide" - } + "panelIndex": "ba4756f0-4674-4b0a-880d-54a5cfb4cb3f", + "title": "Amount of Memory Allocated [Metrics Hadoop]", + "type": "lens", + "version": "8.10.2" }, - "title": "", - "type": "lens", - "visualizationType": "lnsXY" - }, - "enhancements": {}, - "hidePanelTitles": false + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-f61f08d8-b1cc-4c7d-9cba-6b32820ce5d5", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "formBased": { + "layers": { + "f61f08d8-b1cc-4c7d-9cba-6b32820ce5d5": { + "columnOrder": [ + "bc8b4d8b-6378-4cd6-bb0c-5b5af84de1b6" + ], + "columns": { + "bc8b4d8b-6378-4cd6-bb0c-5b5af84de1b6": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Max Allocated Memory (MB)", + "operationType": "max", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "hadoop.application.allocated.mb" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "accessor": "bc8b4d8b-6378-4cd6-bb0c-5b5af84de1b6", + "layerId": "f61f08d8-b1cc-4c7d-9cba-6b32820ce5d5", + "layerType": "data", + "size": "m", + "textAlign": "center", + "titlePosition": "bottom" + } + }, + "title": "", + "type": 
"lens", + "visualizationType": "lnsLegacyMetric" + }, + "enhancements": {}, + "hidePanelTitles": true + }, + "gridData": { + "h": 8, + "i": "c9df8dfd-25c1-4cea-9b59-71bb227c1826", + "w": 8, + "x": 18, + "y": 16 + }, + "panelIndex": "c9df8dfd-25c1-4cea-9b59-71bb227c1826", + "title": "Maximum memory allocated to the application's running containers [Metrics Hadoop]", + "type": "lens", + "version": "8.10.2" + } + ], + "timeRestore": false, + "title": "[Metrics Hadoop] Applications", + "version": 1 + }, + "coreMigrationVersion": "8.8.0", + "created_at": "2024-04-20T10:09:35.216Z", + "id": "hadoop-3e16f2c0-cd28-11ec-be30-1d9331f0b107", + "managed": false, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" }, - "gridData": { - "h": 12, - "i": "ba4756f0-4674-4b0a-880d-54a5cfb4cb3f", - "w": 22, - "x": 26, - "y": 12 + { + "id": "logs-*", + "name": "21b49c8e-4de0-4e5f-bd72-89f3dc794af1:indexpattern-datasource-layer-dcf6a578-de72-4570-9fd8-f157f6494eb8", + "type": "index-pattern" }, - "panelIndex": "ba4756f0-4674-4b0a-880d-54a5cfb4cb3f", - "title": "Amount of Memory Allocated [Metrics Hadoop]", - "type": "lens", - "version": "8.10.2" - }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-layer-f61f08d8-b1cc-4c7d-9cba-6b32820ce5d5", - "type": "index-pattern" - } - ], - "state": { - "datasourceStates": { - "formBased": { - "layers": { - "f61f08d8-b1cc-4c7d-9cba-6b32820ce5d5": { - "columnOrder": [ - "bc8b4d8b-6378-4cd6-bb0c-5b5af84de1b6" - ], - "columns": { - "bc8b4d8b-6378-4cd6-bb0c-5b5af84de1b6": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Max Allocated Memory (MB)", - "operationType": "max", - "params": { - "emptyAsNull": true - }, - "scale": "ratio", - "sourceField": "hadoop.application.allocated.mb" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [], - "query": 
{ - "language": "kuery", - "query": "" - }, - "visualization": { - "accessor": "bc8b4d8b-6378-4cd6-bb0c-5b5af84de1b6", - "layerId": "f61f08d8-b1cc-4c7d-9cba-6b32820ce5d5", - "layerType": "data", - "size": "m", - "textAlign": "center", - "titlePosition": "bottom" - } - }, - "title": "", - "type": "lens", - "visualizationType": "lnsLegacyMetric" - }, - "enhancements": {}, - "hidePanelTitles": true + { + "id": "logs-*", + "name": "9fed89bd-d709-4c4a-a84a-93b4d805940a:indexpattern-datasource-layer-358c9e71-f4a3-4980-adec-21e72950e734", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "8b49723a-7ec3-4b6a-8b5f-879f2dd4f5b0:indexpattern-datasource-layer-c0d13a02-cbb4-496c-88bd-6187253ec8d8", + "type": "index-pattern" }, - "gridData": { - "h": 8, - "i": "c9df8dfd-25c1-4cea-9b59-71bb227c1826", - "w": 8, - "x": 18, - "y": 16 + { + "id": "logs-*", + "name": "3a5fad55-3e58-4326-8dbb-a71291fad652:indexpattern-datasource-layer-3003026c-64e9-4a34-9256-5500fb1a618a", + "type": "index-pattern" }, - "panelIndex": "c9df8dfd-25c1-4cea-9b59-71bb227c1826", - "title": "Maximum memory allocated to the application's running containers [Metrics Hadoop]", - "type": "lens", - "version": "8.10.2" - } + { + "id": "logs-*", + "name": "ba4756f0-4674-4b0a-880d-54a5cfb4cb3f:indexpattern-datasource-layer-f39f3706-d2c4-42a9-80dc-d5db38283fd0", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "c9df8dfd-25c1-4cea-9b59-71bb227c1826:indexpattern-datasource-layer-f61f08d8-b1cc-4c7d-9cba-6b32820ce5d5", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "controlGroup_6df7972b-25f0-453b-829b-c183cddbc2f8:optionsListDataView", + "type": "index-pattern" + } ], - "timeRestore": false, - "title": "[Metrics Hadoop] Applications", - "version": 1 - }, - "references": [ - { - "id": "logs-*", - "name": "21b49c8e-4de0-4e5f-bd72-89f3dc794af1:indexpattern-datasource-layer-dcf6a578-de72-4570-9fd8-f157f6494eb8", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": 
"9fed89bd-d709-4c4a-a84a-93b4d805940a:indexpattern-datasource-layer-358c9e71-f4a3-4980-adec-21e72950e734", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "8b49723a-7ec3-4b6a-8b5f-879f2dd4f5b0:indexpattern-datasource-layer-c0d13a02-cbb4-496c-88bd-6187253ec8d8", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "3a5fad55-3e58-4326-8dbb-a71291fad652:indexpattern-datasource-layer-3003026c-64e9-4a34-9256-5500fb1a618a", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "ba4756f0-4674-4b0a-880d-54a5cfb4cb3f:indexpattern-datasource-layer-f39f3706-d2c4-42a9-80dc-d5db38283fd0", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "c9df8dfd-25c1-4cea-9b59-71bb227c1826:indexpattern-datasource-layer-f61f08d8-b1cc-4c7d-9cba-6b32820ce5d5", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "controlGroup_6df7972b-25f0-453b-829b-c183cddbc2f8:optionsListDataView", - "type": "index-pattern" - } - ], - "managed": false + "type": "dashboard", + "typeMigrationVersion": "8.9.0" } \ No newline at end of file diff --git a/packages/hadoop/kibana/dashboard/hadoop-70125ec0-cf78-11ec-bc3e-6faca2b11df2.json b/packages/hadoop/kibana/dashboard/hadoop-70125ec0-cf78-11ec-bc3e-6faca2b11df2.json index df069f04758..e0208af7f21 100644 --- a/packages/hadoop/kibana/dashboard/hadoop-70125ec0-cf78-11ec-bc3e-6faca2b11df2.json +++ b/packages/hadoop/kibana/dashboard/hadoop-70125ec0-cf78-11ec-bc3e-6faca2b11df2.json 
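Review bot: This hunk rewrites the whole file (660 deletions, 680 additions) although the functional change is the added `data_stream.dataset: hadoop.application` filter, its `kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index` reference and the trailer keys; the remainder is key reordering (`id`, `type`, `managed` moving from the top of the object to the bottom) and re-indentation from a fresh export, which makes the substantive lines hard to review. Re-exporting with the same key ordering as the previous export, or running the package's export tooling once over all dashboards in a separate commit, would reduce the filter addition to a few dozen lines. The new side also drops the export-time metadata `namespaces`, `updated_at`, `version` (`Wzk5LDFd`) and `migrationVersion` while keeping `created_at`; that matches what the cockroachdb dashboard above ends up with, but the hadoop-70125ec0 dashboard that follows is cut off here, so confirm it lands on the same trailer shape.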
@@ -1,573 +1,591 @@ { - "id": "hadoop-70125ec0-cf78-11ec-bc3e-6faca2b11df2", - "type": "dashboard", - "namespaces": [ - "default" - ], - "migrationVersion": { - "dashboard": "8.7.0" - }, - "coreMigrationVersion": "8.8.0", - "typeMigrationVersion": "8.7.0", - "updated_at": "2023-11-07T17:16:59.199Z", - "created_at": "2023-11-07T17:16:59.199Z", - "version": "WzEwMCwxXQ==", - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [], - "query": { - "language": "kuery", - "query": "" - } - } - }, - "optionsJSON": { - "hidePanelTitles": false, - "syncColors": false, - "useMargins": true - }, - "panelsJSON": [ - { - "version": "8.7.0", - "type": "lens", - "gridData": { - "h": 20, - "i": "de277d30-051b-4343-b67b-b6b243c140f2", - "w": 27, - "x": 0, - "y": 0 - }, - "panelIndex": "de277d30-051b-4343-b67b-b6b243c140f2", - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-b8ee20df-453e-488f-806e-6f4079a76be6", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "50203b57-c1ac-4ab0-82eb-c7ca168bb650", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "9b40dc83-210d-44d7-bbe3-549fbcdb09cb", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "6c5f4d9b-3a70-4c21-a292-32654686b081", - "type": "index-pattern" - } - ], - "state": { - "datasourceStates": { - "formBased": { - "layers": { - "b8ee20df-453e-488f-806e-6f4079a76be6": { - "columnOrder": [ - "36dd81fa-f21e-4abd-b930-ad133b3feb10", - "927733e5-8d32-42b5-8b05-e27fb1e2adfc", - "4b6e5372-3e5e-4650-9b95-d6b81250436a", - "331edd36-c03b-4cc5-ba1b-8844d0381903" - ], - "columns": { - "331edd36-c03b-4cc5-ba1b-8844d0381903": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "hadoop.node_manager.containers.failed: *" - }, - "isBucketed": false, - "label": "Failed", - "operationType": "last_value", - "params": { - 
"showArrayValues": true, - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "hadoop.node_manager.containers.failed" - }, - "36dd81fa-f21e-4abd-b930-ad133b3feb10": { - "customLabel": true, - "dataType": "date", - "isBucketed": true, - "label": "Timestamp", - "operationType": "date_histogram", - "params": { - "dropPartials": false, - "includeEmptyRows": false, - "interval": "auto" - }, - "scale": "interval", - "sourceField": "@timestamp" + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" }, - "4b6e5372-3e5e-4650-9b95-d6b81250436a": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "hadoop.node_manager.containers.completed: *" - }, - "isBucketed": false, - "label": "Completed", - "operationType": "last_value", - "params": { - "showArrayValues": true, - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "hadoop.node_manager.containers.completed" + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "hadoop.node_manager" + }, + "type": "phrase" }, - "927733e5-8d32-42b5-8b05-e27fb1e2adfc": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "hadoop.node_manager.containers.running: *" - }, - "isBucketed": false, - "label": "Running", - "operationType": "last_value", - "params": { - "showArrayValues": true, - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "hadoop.node_manager.containers.running" + "query": { + "match_phrase": { + "data_stream.dataset": "hadoop.node_manager" + } } - }, - "incompleteColumns": {} } - } + ], + "query": { + "language": "kuery", + "query": "" } - }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - 
"alias": null, - "disabled": false, - "index": "50203b57-c1ac-4ab0-82eb-c7ca168bb650", - "key": "hadoop.node_manager.containers.running", - "negate": false, - "type": "exists", - "value": "exists" - }, - "query": { - "exists": { - "field": "hadoop.node_manager.containers.running" - } - } - }, - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "9b40dc83-210d-44d7-bbe3-549fbcdb09cb", - "key": "hadoop.node_manager.containers.completed", - "negate": false, - "type": "exists", - "value": "exists" - }, - "query": { - "exists": { - "field": "hadoop.node_manager.containers.completed" - } - } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-b8ee20df-453e-488f-806e-6f4079a76be6", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "50203b57-c1ac-4ab0-82eb-c7ca168bb650", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "9b40dc83-210d-44d7-bbe3-549fbcdb09cb", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "6c5f4d9b-3a70-4c21-a292-32654686b081", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "formBased": { + "layers": { + "b8ee20df-453e-488f-806e-6f4079a76be6": { + "columnOrder": [ + "36dd81fa-f21e-4abd-b930-ad133b3feb10", + "927733e5-8d32-42b5-8b05-e27fb1e2adfc", + "4b6e5372-3e5e-4650-9b95-d6b81250436a", + "331edd36-c03b-4cc5-ba1b-8844d0381903" + ], + "columns": { + "331edd36-c03b-4cc5-ba1b-8844d0381903": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "hadoop.node_manager.containers.failed: *" + }, + "isBucketed": false, + "label": "Failed", + "operationType": "last_value", + "params": { + "showArrayValues": true, + "sortField": "@timestamp" + }, + 
"scale": "ratio", + "sourceField": "hadoop.node_manager.containers.failed" + }, + "36dd81fa-f21e-4abd-b930-ad133b3feb10": { + "customLabel": true, + "dataType": "date", + "isBucketed": true, + "label": "Timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": false, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "4b6e5372-3e5e-4650-9b95-d6b81250436a": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "hadoop.node_manager.containers.completed: *" + }, + "isBucketed": false, + "label": "Completed", + "operationType": "last_value", + "params": { + "showArrayValues": true, + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "hadoop.node_manager.containers.completed" + }, + "927733e5-8d32-42b5-8b05-e27fb1e2adfc": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "hadoop.node_manager.containers.running: *" + }, + "isBucketed": false, + "label": "Running", + "operationType": "last_value", + "params": { + "showArrayValues": true, + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "hadoop.node_manager.containers.running" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "50203b57-c1ac-4ab0-82eb-c7ca168bb650", + "key": "hadoop.node_manager.containers.running", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "hadoop.node_manager.containers.running" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "9b40dc83-210d-44d7-bbe3-549fbcdb09cb", + "key": "hadoop.node_manager.containers.completed", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": 
"hadoop.node_manager.containers.completed" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "6c5f4d9b-3a70-4c21-a292-32654686b081", + "key": "hadoop.node_manager.containers.failed", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "hadoop.node_manager.containers.failed" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "gridlinesVisibilitySettings": { + "x": false, + "yLeft": false, + "yRight": true + }, + "layers": [ + { + "accessors": [ + "927733e5-8d32-42b5-8b05-e27fb1e2adfc", + "4b6e5372-3e5e-4650-9b95-d6b81250436a", + "331edd36-c03b-4cc5-ba1b-8844d0381903" + ], + "layerId": "b8ee20df-453e-488f-806e-6f4079a76be6", + "layerType": "data", + "position": "top", + "seriesType": "area", + "showGridlines": false, + "xAccessor": "36dd81fa-f21e-4abd-b930-ad133b3feb10", + "yConfig": [ + { + "axisMode": "left", + "forAccessor": "927733e5-8d32-42b5-8b05-e27fb1e2adfc" + }, + { + "axisMode": "left", + "forAccessor": "4b6e5372-3e5e-4650-9b95-d6b81250436a" + }, + { + "axisMode": "left", + "forAccessor": "331edd36-c03b-4cc5-ba1b-8844d0381903" + } + ] + } + ], + "legend": { + "isVisible": true, + "position": "top", + "showSingleSeries": true + }, + "preferredSeriesType": "area", + "title": "Empty XY chart", + "valueLabels": "hide", + "xTitle": "Timestamp", + "yTitle": "Containers" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false }, - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "6c5f4d9b-3a70-4c21-a292-32654686b081", - "key": "hadoop.node_manager.containers.failed", - "negate": false, - "type": "exists", - "value": "exists" - }, - "query": { - "exists": { - "field": 
"hadoop.node_manager.containers.failed" - } - } - } - ], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "axisTitlesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true + "gridData": { + "h": 20, + "i": "de277d30-051b-4343-b67b-b6b243c140f2", + "w": 27, + "x": 0, + "y": 0 }, - "gridlinesVisibilitySettings": { - "x": false, - "yLeft": false, - "yRight": true + "panelIndex": "de277d30-051b-4343-b67b-b6b243c140f2", + "title": "Number of containers over time [Metrics Hadoop]", + "type": "lens", + "version": "8.10.2" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-ee8bbb4c-7f64-46b1-965b-daec27ad4251", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "d73deed1-d0bd-4f83-8759-602565e70486", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "formBased": { + "layers": { + "ee8bbb4c-7f64-46b1-965b-daec27ad4251": { + "columnOrder": [ + "49bd7898-d477-456f-bebd-db0024ea1510", + "96afed27-0108-42ad-a3c6-26f51cd509a2" + ], + "columns": { + "49bd7898-d477-456f-bebd-db0024ea1510": { + "customLabel": true, + "dataType": "date", + "isBucketed": true, + "label": "Timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": false, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "96afed27-0108-42ad-a3c6-26f51cd509a2": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "hadoop.node_manager.container_launch_duration_avg_time: *" + }, + "isBucketed": false, + "label": "Container Launch Duration Avg Time (s)", + "operationType": "last_value", + "params": { + "showArrayValues": true, + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "hadoop.node_manager.container_launch_duration_avg_time" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + 
"$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "d73deed1-d0bd-4f83-8759-602565e70486", + "key": "hadoop.node_manager.container_launch_duration_avg_time", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "hadoop.node_manager.container_launch_duration_avg_time" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "gridlinesVisibilitySettings": { + "x": false, + "yLeft": false, + "yRight": true + }, + "layers": [ + { + "accessors": [ + "96afed27-0108-42ad-a3c6-26f51cd509a2" + ], + "layerId": "ee8bbb4c-7f64-46b1-965b-daec27ad4251", + "layerType": "data", + "position": "top", + "seriesType": "line", + "showGridlines": false, + "xAccessor": "49bd7898-d477-456f-bebd-db0024ea1510", + "yConfig": [ + { + "axisMode": "left", + "forAccessor": "96afed27-0108-42ad-a3c6-26f51cd509a2" + } + ] + } + ], + "legend": { + "isVisible": true, + "position": "top", + "showSingleSeries": true + }, + "preferredSeriesType": "line", + "title": "Empty XY chart", + "valueLabels": "hide", + "xTitle": "Timestamp", + "yTitle": "Seconds" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false }, - "layers": [ - { - "accessors": [ - "927733e5-8d32-42b5-8b05-e27fb1e2adfc", - "4b6e5372-3e5e-4650-9b95-d6b81250436a", - "331edd36-c03b-4cc5-ba1b-8844d0381903" - ], - "layerId": "b8ee20df-453e-488f-806e-6f4079a76be6", - "layerType": "data", - "position": "top", - "seriesType": "area", - "showGridlines": false, - "xAccessor": "36dd81fa-f21e-4abd-b930-ad133b3feb10", - "yConfig": [ - { - "axisMode": "left", - "forAccessor": "927733e5-8d32-42b5-8b05-e27fb1e2adfc" - }, - { - "axisMode": "left", - "forAccessor": "4b6e5372-3e5e-4650-9b95-d6b81250436a" - }, - { - "axisMode": "left", - "forAccessor": 
"331edd36-c03b-4cc5-ba1b-8844d0381903" - } - ] - } - ], - "legend": { - "isVisible": true, - "position": "top", - "showSingleSeries": true + "gridData": { + "h": 14, + "i": "7f0d3056-6f50-4be9-8a4b-cd51685676ec", + "w": 21, + "x": 27, + "y": 0 }, - "preferredSeriesType": "area", - "title": "Empty XY chart", - "valueLabels": "hide", - "xTitle": "Timestamp", - "yTitle": "Containers" - } + "panelIndex": "7f0d3056-6f50-4be9-8a4b-cd51685676ec", + "title": "Container average launch duration over time [Metrics Hadoop]", + "type": "lens", + "version": "8.10.2" }, - "title": "", - "type": "lens", - "visualizationType": "lnsXY" - }, - "enhancements": {}, - "hidePanelTitles": false, - "type": "lens" - }, - "title": "Number of containers over time [Metrics Hadoop]" - }, - { - "version": "8.7.0", - "type": "lens", - "gridData": { - "h": 14, - "i": "7f0d3056-6f50-4be9-8a4b-cd51685676ec", - "w": 21, - "x": 27, - "y": 0 - }, - "panelIndex": "7f0d3056-6f50-4be9-8a4b-cd51685676ec", - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-ee8bbb4c-7f64-46b1-965b-daec27ad4251", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "d73deed1-d0bd-4f83-8759-602565e70486", - "type": "index-pattern" - } - ], - "state": { - "datasourceStates": { - "formBased": { - "layers": { - "ee8bbb4c-7f64-46b1-965b-daec27ad4251": { - "columnOrder": [ - "49bd7898-d477-456f-bebd-db0024ea1510", - "96afed27-0108-42ad-a3c6-26f51cd509a2" - ], - "columns": { - "49bd7898-d477-456f-bebd-db0024ea1510": { - "customLabel": true, - "dataType": "date", - "isBucketed": true, - "label": "Timestamp", - "operationType": "date_histogram", - "params": { - "dropPartials": false, - "includeEmptyRows": false, - "interval": "auto" - }, - "scale": "interval", - "sourceField": "@timestamp" + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": 
"indexpattern-datasource-layer-ba699ab1-d553-4822-aadd-db43254f7ab0", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "052473c7-2ada-4644-b652-9157af03b3b0", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "formBased": { + "layers": { + "ba699ab1-d553-4822-aadd-db43254f7ab0": { + "columnOrder": [ + "d751311f-5a11-4dcb-a55a-78ef1be7d79e" + ], + "columns": { + "d751311f-5a11-4dcb-a55a-78ef1be7d79e": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "hadoop.node_manager.container_launch_duration_num_ops: *" + }, + "isBucketed": false, + "label": "Container Launch Duration (Num of Operations)", + "operationType": "last_value", + "params": { + "showArrayValues": true, + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "hadoop.node_manager.container_launch_duration_num_ops" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "052473c7-2ada-4644-b652-9157af03b3b0", + "key": "hadoop.node_manager.container_launch_duration_num_ops", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "hadoop.node_manager.container_launch_duration_num_ops" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "accessor": "d751311f-5a11-4dcb-a55a-78ef1be7d79e", + "layerId": "ba699ab1-d553-4822-aadd-db43254f7ab0", + "layerType": "data", + "textAlign": "center", + "titlePosition": "bottom" + } }, - "96afed27-0108-42ad-a3c6-26f51cd509a2": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "hadoop.node_manager.container_launch_duration_avg_time: *" - }, - "isBucketed": false, - "label": "Container Launch Duration Avg Time (s)", - "operationType": "last_value", - "params": { - "showArrayValues": true, - "sortField": "@timestamp" - }, - 
"scale": "ratio", - "sourceField": "hadoop.node_manager.container_launch_duration_avg_time" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "d73deed1-d0bd-4f83-8759-602565e70486", - "key": "hadoop.node_manager.container_launch_duration_avg_time", - "negate": false, - "type": "exists", - "value": "exists" - }, - "query": { - "exists": { - "field": "hadoop.node_manager.container_launch_duration_avg_time" - } - } - } - ], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "axisTitlesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true + "title": "", + "type": "lens", + "visualizationType": "lnsLegacyMetric" + }, + "enhancements": {}, + "hidePanelTitles": true }, - "gridlinesVisibilitySettings": { - "x": false, - "yLeft": false, - "yRight": true + "gridData": { + "h": 6, + "i": "8b1e87db-5125-44ad-8e30-bf9ee3e4447b", + "w": 21, + "x": 27, + "y": 14 }, - "layers": [ - { - "accessors": [ - "96afed27-0108-42ad-a3c6-26f51cd509a2" - ], - "layerId": "ee8bbb4c-7f64-46b1-965b-daec27ad4251", - "layerType": "data", - "position": "top", - "seriesType": "line", - "showGridlines": false, - "xAccessor": "49bd7898-d477-456f-bebd-db0024ea1510", - "yConfig": [ - { - "axisMode": "left", - "forAccessor": "96afed27-0108-42ad-a3c6-26f51cd509a2" - } - ] - } - ], - "legend": { - "isVisible": true, - "position": "top", - "showSingleSeries": true - }, - "preferredSeriesType": "line", - "title": "Empty XY chart", - "valueLabels": "hide", - "xTitle": "Timestamp", - "yTitle": "Seconds" - } - }, - "title": "", - "type": "lens", - "visualizationType": "lnsXY" - }, - "enhancements": {}, - "hidePanelTitles": false, - "type": "lens" + "panelIndex": "8b1e87db-5125-44ad-8e30-bf9ee3e4447b", + "title": "Container launch duration number of operations [Metrics Hadoop]", + "type": "lens", + "version": "8.10.2" + } + ], + "timeRestore": false, 
+ "title": "[Metrics Hadoop] Node Manager", + "version": 1 + }, + "coreMigrationVersion": "8.8.0", + "created_at": "2024-04-20T10:11:34.548Z", + "id": "hadoop-70125ec0-cf78-11ec-bc3e-6faca2b11df2", + "managed": false, + "references": [ + { + "id": "metrics-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" }, - "title": "Container average launch duration over time [Metrics Hadoop]" - }, - { - "version": "8.7.0", - "type": "lens", - "gridData": { - "h": 6, - "i": "8b1e87db-5125-44ad-8e30-bf9ee3e4447b", - "w": 21, - "x": 27, - "y": 14 + { + "id": "metrics-*", + "name": "de277d30-051b-4343-b67b-b6b243c140f2:indexpattern-datasource-layer-b8ee20df-453e-488f-806e-6f4079a76be6", + "type": "index-pattern" }, - "panelIndex": "8b1e87db-5125-44ad-8e30-bf9ee3e4447b", - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-ba699ab1-d553-4822-aadd-db43254f7ab0", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "052473c7-2ada-4644-b652-9157af03b3b0", - "type": "index-pattern" - } - ], - "state": { - "datasourceStates": { - "formBased": { - "layers": { - "ba699ab1-d553-4822-aadd-db43254f7ab0": { - "columnOrder": [ - "d751311f-5a11-4dcb-a55a-78ef1be7d79e" - ], - "columns": { - "d751311f-5a11-4dcb-a55a-78ef1be7d79e": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "hadoop.node_manager.container_launch_duration_num_ops: *" - }, - "isBucketed": false, - "label": "Container Launch Duration (Num of Operations)", - "operationType": "last_value", - "params": { - "showArrayValues": true, - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "hadoop.node_manager.container_launch_duration_num_ops" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": 
"052473c7-2ada-4644-b652-9157af03b3b0", - "key": "hadoop.node_manager.container_launch_duration_num_ops", - "negate": false, - "type": "exists", - "value": "exists" - }, - "query": { - "exists": { - "field": "hadoop.node_manager.container_launch_duration_num_ops" - } - } - } - ], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "accessor": "d751311f-5a11-4dcb-a55a-78ef1be7d79e", - "layerId": "ba699ab1-d553-4822-aadd-db43254f7ab0", - "layerType": "data", - "textAlign": "center", - "titlePosition": "bottom" - } - }, - "title": "", - "type": "lens", - "visualizationType": "lnsLegacyMetric" - }, - "enhancements": {}, - "hidePanelTitles": true, - "type": "lens" + { + "id": "metrics-*", + "name": "de277d30-051b-4343-b67b-b6b243c140f2:50203b57-c1ac-4ab0-82eb-c7ca168bb650", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "de277d30-051b-4343-b67b-b6b243c140f2:9b40dc83-210d-44d7-bbe3-549fbcdb09cb", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "de277d30-051b-4343-b67b-b6b243c140f2:6c5f4d9b-3a70-4c21-a292-32654686b081", + "type": "index-pattern" }, - "title": "Container launch duration number of operations [Metrics Hadoop]" - } + { + "id": "metrics-*", + "name": "7f0d3056-6f50-4be9-8a4b-cd51685676ec:indexpattern-datasource-layer-ee8bbb4c-7f64-46b1-965b-daec27ad4251", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "7f0d3056-6f50-4be9-8a4b-cd51685676ec:d73deed1-d0bd-4f83-8759-602565e70486", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "8b1e87db-5125-44ad-8e30-bf9ee3e4447b:indexpattern-datasource-layer-ba699ab1-d553-4822-aadd-db43254f7ab0", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "8b1e87db-5125-44ad-8e30-bf9ee3e4447b:052473c7-2ada-4644-b652-9157af03b3b0", + "type": "index-pattern" + } ], - "timeRestore": false, - "title": "[Metrics Hadoop] Node Manager", - "version": 1 - }, - "references": [ - { - "id": "metrics-*", - "name": 
"de277d30-051b-4343-b67b-b6b243c140f2:indexpattern-datasource-layer-b8ee20df-453e-488f-806e-6f4079a76be6", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "de277d30-051b-4343-b67b-b6b243c140f2:50203b57-c1ac-4ab0-82eb-c7ca168bb650", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "de277d30-051b-4343-b67b-b6b243c140f2:9b40dc83-210d-44d7-bbe3-549fbcdb09cb", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "de277d30-051b-4343-b67b-b6b243c140f2:6c5f4d9b-3a70-4c21-a292-32654686b081", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "7f0d3056-6f50-4be9-8a4b-cd51685676ec:indexpattern-datasource-layer-ee8bbb4c-7f64-46b1-965b-daec27ad4251", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "7f0d3056-6f50-4be9-8a4b-cd51685676ec:d73deed1-d0bd-4f83-8759-602565e70486", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "8b1e87db-5125-44ad-8e30-bf9ee3e4447b:indexpattern-datasource-layer-ba699ab1-d553-4822-aadd-db43254f7ab0", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "8b1e87db-5125-44ad-8e30-bf9ee3e4447b:052473c7-2ada-4644-b652-9157af03b3b0", - "type": "index-pattern" - } - ], - "managed": false + "type": "dashboard", + "typeMigrationVersion": "8.9.0" } \ No newline at end of file diff --git a/packages/hadoop/kibana/dashboard/hadoop-c06fb680-cf76-11ec-bc3e-6faca2b11df2.json b/packages/hadoop/kibana/dashboard/hadoop-c06fb680-cf76-11ec-bc3e-6faca2b11df2.json index bbc16094cc3..e769edc590a 100644 --- a/packages/hadoop/kibana/dashboard/hadoop-c06fb680-cf76-11ec-bc3e-6faca2b11df2.json +++ b/packages/hadoop/kibana/dashboard/hadoop-c06fb680-cf76-11ec-bc3e-6faca2b11df2.json 
@@ -1,1143 +1,1188 @@ { - "id": "hadoop-c06fb680-cf76-11ec-bc3e-6faca2b11df2", - "type": "dashboard", - "namespaces": [ - "default" - ], - "migrationVersion": { - "dashboard": "8.7.0" - }, - "coreMigrationVersion": "8.8.0", - "typeMigrationVersion": "8.7.0", - "updated_at": "2023-11-07T17:16:59.199Z", - "created_at": "2023-11-07T17:16:59.199Z", - "version": "WzEwMSwxXQ==", - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [], - "query": { - "language": "kuery", - "query": "" - } - } - }, - "optionsJSON": { - "hidePanelTitles": false, - "syncColors": false, - "useMargins": true - }, - "panelsJSON": [ - { - "embeddableConfig": { - "enhancements": {}, - "attributes": { - "state": { - "datasourceStates": { - "formBased": { - "layers": { - "ee57a119-2827-4586-82f1-c796c86d76d9": { - "columnOrder": [ - "abfc2ae3-27f7-4529-a9b9-01d7a9896323", - "0a1b5433-d3cf-4c1d-8e22-137912b624bb" - ], - "columns": { - "0a1b5433-d3cf-4c1d-8e22-137912b624bb": { - "dataType": "number", - "isBucketed": false, - "label": "Count of records", - "operationType": "count", - "scale": "ratio", - "sourceField": "___records___" + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" }, - "abfc2ae3-27f7-4529-a9b9-01d7a9896323": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Data node address", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "columnId": "0a1b5433-d3cf-4c1d-8e22-137912b624bb", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": true, - "parentFormat": { - "id": "terms" - }, - "size": 5 - }, - "scale": "ordinal", - "sourceField": "service.address" + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "data_stream.dataset", + 
"negate": false, + "params": [ + "hadoop.datanode", + "hadoop.namenode" + ], + "type": "phrases" + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "data_stream.dataset": "hadoop.datanode" + } + }, + { + "match_phrase": { + "data_stream.dataset": "hadoop.namenode" + } + } + ] + } } - }, - "incompleteColumns": {} } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "data_stream.dataset : \"hadoop.datanode\" " - }, - "visualization": { - "columns": [ - { - "columnId": "abfc2ae3-27f7-4529-a9b9-01d7a9896323", - "isTransposed": false - }, - { - "columnId": "0a1b5433-d3cf-4c1d-8e22-137912b624bb", - "isTransposed": false - } ], - "layerId": "ee57a119-2827-4586-82f1-c796c86d76d9", - "layerType": "data", - "rowHeight": "single", - "rowHeightLines": 1 - } - }, - "title": "List of data node address [Metrics Hadoop]", - "visualizationType": "lnsDatatable", - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-ee57a119-2827-4586-82f1-c796c86d76d9", - "type": "index-pattern" - } - ] - } - }, - "gridData": { - "h": 12, - "i": "1f52942c-5657-4bab-8e38-5cf69692f448", - "w": 24, - "x": 0, - "y": 0 - }, - "panelIndex": "1f52942c-5657-4bab-8e38-5cf69692f448", - "type": "lens", - "version": "8.6.0" - }, - { - "version": "8.7.0", - "type": "lens", - "gridData": { - "h": 7, - "i": "eac20ac9-93ca-483c-ab27-d10a06f4dde0", - "w": 12, - "x": 24, - "y": 0 - }, - "panelIndex": "eac20ac9-93ca-483c-ab27-d10a06f4dde0", - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-df057b77-cd5b-4e7a-bb21-ac003f0f4eb8", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "50b51ba8-f87e-405f-8a53-efea43df987b", - "type": "index-pattern" - } - ], - "state": { - "datasourceStates": { - "formBased": { - 
"layers": { - "df057b77-cd5b-4e7a-bb21-ac003f0f4eb8": { - "columnOrder": [ - "f15f3a76-5e86-400f-9af5-c6ab810ffb8e" - ], - "columns": { - "f15f3a76-5e86-400f-9af5-c6ab810ffb8e": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "hadoop.namenode.nodes.num_live_data: *" - }, - "isBucketed": false, - "label": "Live Data Nodes", - "operationType": "last_value", - "params": { - "showArrayValues": true, - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "hadoop.namenode.nodes.num_live_data" - } - }, - "incompleteColumns": {} - } - } + "query": { + "language": "kuery", + "query": "" } - }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "50b51ba8-f87e-405f-8a53-efea43df987b", - "key": "hadoop.namenode.nodes.num_live_data", - "negate": false, - "type": "exists", - "value": "exists" - }, - "query": { - "exists": { - "field": "hadoop.namenode.nodes.num_live_data" - } - } - } - ], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "accessor": "f15f3a76-5e86-400f-9af5-c6ab810ffb8e", - "layerId": "df057b77-cd5b-4e7a-bb21-ac003f0f4eb8", - "layerType": "data", - "size": "xl", - "textAlign": "center", - "titlePosition": "bottom" - } - }, - "title": "", - "type": "lens", - "visualizationType": "lnsLegacyMetric" - }, - "enhancements": {}, - "hidePanelTitles": true, - "type": "lens" - }, - "title": "Number of live data nodes [Metrics Hadoop]" - }, - { - "version": "8.7.0", - "type": "lens", - "gridData": { - "h": 7, - "i": "75574416-a16d-43be-a303-2dc31359a8c9", - "w": 12, - "x": 36, - "y": 0 + } }, - "panelIndex": "75574416-a16d-43be-a303-2dc31359a8c9", - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-3d40213c-fe67-4c30-bde1-5450fbadcd20", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "0fdf9d17-fb31-40a8-b8db-02850b080c9d", 
- "type": "index-pattern" - } - ], - "state": { - "datasourceStates": { - "formBased": { - "layers": { - "3d40213c-fe67-4c30-bde1-5450fbadcd20": { - "columnOrder": [ - "b48d5a8f-56b6-4418-bab1-ce62ea15f724" - ], - "columns": { - "b48d5a8f-56b6-4418-bab1-ce62ea15f724": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "hadoop.namenode.nodes.num_dead_data: *" - }, - "isBucketed": false, - "label": "Dead Data Nodes", - "operationType": "last_value", - "params": { - "showArrayValues": true, - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "hadoop.namenode.nodes.num_dead_data" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "0fdf9d17-fb31-40a8-b8db-02850b080c9d", - "key": "hadoop.namenode.nodes.num_dead_data", - "negate": false, - "type": "exists", - "value": "exists" - }, - "query": { - "exists": { - "field": "hadoop.namenode.nodes.num_dead_data" - } - } - } - ], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "accessor": "b48d5a8f-56b6-4418-bab1-ce62ea15f724", - "layerId": "3d40213c-fe67-4c30-bde1-5450fbadcd20", - "layerType": "data", - "size": "xl", - "textAlign": "center", - "titlePosition": "bottom" - } - }, - "title": "", - "type": "lens", - "visualizationType": "lnsLegacyMetric" - }, - "enhancements": {}, - "hidePanelTitles": true, - "type": "lens" + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false, + "useMargins": true }, - "title": "Number of dead data nodes [Metrics Hadoop]" - }, - { - "embeddableConfig": { - "enhancements": {}, - "hidePanelTitles": true, - "attributes": { - "state": { - "datasourceStates": { - "formBased": { - "layers": { - "efa00ae4-03e1-45c9-aaa9-47610de989d9": { - "columnOrder": [ - "5e28f952-df42-4162-8195-af6ee018c227", - 
"5e28f952-df42-4162-8195-af6ee018c227X0" - ], - "columns": { - "5e28f952-df42-4162-8195-af6ee018c227": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Cache used", - "operationType": "formula", - "params": { - "format": { - "id": "bytes", - "params": { - "decimals": 2 - } + "panelsJSON": [ + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-ee57a119-2827-4586-82f1-c796c86d76d9", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "a1e89fd9-dfc2-4929-b851-016c12db176d", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "ee57a119-2827-4586-82f1-c796c86d76d9": { + "columnOrder": [ + "abfc2ae3-27f7-4529-a9b9-01d7a9896323", + "0a1b5433-d3cf-4c1d-8e22-137912b624bb" + ], + "columns": { + "0a1b5433-d3cf-4c1d-8e22-137912b624bb": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "scale": "ratio", + "sourceField": "___records___" + }, + "abfc2ae3-27f7-4529-a9b9-01d7a9896323": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Data node address", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "0a1b5433-d3cf-4c1d-8e22-137912b624bb", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "service.address" + } + }, + "incompleteColumns": {} + } + } + } }, - "formula": "last_value(hadoop.datanode.cache.used)", - "isFormulaBroken": false - }, - "references": [ - "5e28f952-df42-4162-8195-af6ee018c227X0" - ], - "scale": "ratio" + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": 
"a1e89fd9-dfc2-4929-b851-016c12db176d", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "hadoop.datanode" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "hadoop.datanode" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "columnId": "abfc2ae3-27f7-4529-a9b9-01d7a9896323", + "isTransposed": false + }, + { + "columnId": "0a1b5433-d3cf-4c1d-8e22-137912b624bb", + "isTransposed": false + } + ], + "layerId": "ee57a119-2827-4586-82f1-c796c86d76d9", + "layerType": "data", + "rowHeight": "single", + "rowHeightLines": 1 + } }, - "5e28f952-df42-4162-8195-af6ee018c227X0": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Part of Cache used", - "operationType": "last_value", - "params": { - "showArrayValues": true, - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "hadoop.datanode.cache.used" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "data_stream.dataset : \"hadoop.datanode\" and hadoop.datanode.cache.capacity : * and hadoop.datanode.cache.used : * " - }, - "visualization": { - "accessor": "5e28f952-df42-4162-8195-af6ee018c227", - "layerId": "efa00ae4-03e1-45c9-aaa9-47610de989d9", - "layerType": "data", - "size": "xl", - "textAlign": "center", - "titlePosition": "bottom" - } - }, - "title": "Cache used from total cache [Metrics Hadoop]", - "visualizationType": "lnsLegacyMetric", - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-efa00ae4-03e1-45c9-aaa9-47610de989d9", - "type": "index-pattern" - } - ] - } - }, - "gridData": { - "h": 7, - "i": "c8a6b036-ae93-4055-aef7-dd575221f10d", - "w": 12, - "x": 24, - "y": 7 - }, - "panelIndex": 
"c8a6b036-ae93-4055-aef7-dd575221f10d", - "type": "lens", - "version": "8.6.0" - }, - { - "version": "8.7.0", - "type": "lens", - "gridData": { - "h": 7, - "i": "f03b0b45-577e-480e-9fb2-9890b62fc30f", - "w": 12, - "x": 36, - "y": 7 - }, - "panelIndex": "f03b0b45-577e-480e-9fb2-9890b62fc30f", - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-570e3d96-2c27-4661-8669-77215711bb6e", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "4e3e29b3-cd97-447c-b679-0130844d95bb", - "type": "index-pattern" - } - ], - "state": { - "datasourceStates": { - "formBased": { - "layers": { - "570e3d96-2c27-4661-8669-77215711bb6e": { - "columnOrder": [ - "2c8412e8-db24-4dab-8635-32a74ef1873c" - ], - "columns": { - "2c8412e8-db24-4dab-8635-32a74ef1873c": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "hadoop.namenode.nodes.num_decommissioning_data: *" - }, - "isBucketed": false, - "label": "Decommissioning Data Nodes", - "operationType": "last_value", - "params": { - "showArrayValues": true, - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "hadoop.namenode.nodes.num_decommissioning_data" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "4e3e29b3-cd97-447c-b679-0130844d95bb", - "key": "hadoop.namenode.nodes.num_decommissioning_data", - "negate": false, - "type": "exists", - "value": "exists" - }, - "query": { - "exists": { - "field": "hadoop.namenode.nodes.num_decommissioning_data" - } - } - } - ], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "accessor": "2c8412e8-db24-4dab-8635-32a74ef1873c", - "layerId": "570e3d96-2c27-4661-8669-77215711bb6e", - "layerType": "data", - "size": "xl", - "textAlign": "center", - "titlePosition": "bottom" - } + "title": "List of data node 
address [Metrics Hadoop]", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": {} + }, + "gridData": { + "h": 12, + "i": "1f52942c-5657-4bab-8e38-5cf69692f448", + "w": 24, + "x": 0, + "y": 0 + }, + "panelIndex": "1f52942c-5657-4bab-8e38-5cf69692f448", + "type": "lens", + "version": "8.10.2" }, - "title": "", - "type": "lens", - "visualizationType": "lnsLegacyMetric" - }, - "enhancements": {}, - "hidePanelTitles": true, - "type": "lens" - }, - "title": "Number of data nodes decommissioning [Metrics Hadoop]" - }, - { - "embeddableConfig": { - "enhancements": {}, - "hidePanelTitles": false, - "attributes": { - "description": "", - "state": { - "datasourceStates": { - "formBased": { - "layers": { - "69af342c-71f3-41fe-a76e-cc9f49baafa3": { - "columnOrder": [ - "797ebde1-9d7b-4950-9554-194d5c702684", - "fc0da319-4b72-4ccc-8e27-2c4ebec508c7", - "4b9fcd50-2227-40e5-a93b-ebb16831630d", - "56fd6e61-acf3-45e6-9904-98f7ffa90644" - ], - "columns": { - "4b9fcd50-2227-40e5-a93b-ebb16831630d": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Bytes read", - "operationType": "last_value", - "params": { - "format": { - "id": "bytes", - "params": { - "decimals": 2 - } + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-df057b77-cd5b-4e7a-bb21-ac003f0f4eb8", + "type": "index-pattern" }, - "showArrayValues": true, - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "hadoop.datanode.bytes.read" - }, - "56fd6e61-acf3-45e6-9904-98f7ffa90644": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Bytes written", - "operationType": "last_value", - "params": { - "format": { - "id": "bytes", - "params": { - "decimals": 2 - } + { + "id": "metrics-*", + "name": "50b51ba8-f87e-405f-8a53-efea43df987b", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "formBased": { + "layers": { + 
"df057b77-cd5b-4e7a-bb21-ac003f0f4eb8": { + "columnOrder": [ + "f15f3a76-5e86-400f-9af5-c6ab810ffb8e" + ], + "columns": { + "f15f3a76-5e86-400f-9af5-c6ab810ffb8e": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "hadoop.namenode.nodes.num_live_data: *" + }, + "isBucketed": false, + "label": "Live Data Nodes", + "operationType": "last_value", + "params": { + "showArrayValues": true, + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "hadoop.namenode.nodes.num_live_data" + } + }, + "incompleteColumns": {} + } + } + } }, - "showArrayValues": true, - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "hadoop.datanode.bytes.written" + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "50b51ba8-f87e-405f-8a53-efea43df987b", + "key": "hadoop.namenode.nodes.num_live_data", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "hadoop.namenode.nodes.num_live_data" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "accessor": "f15f3a76-5e86-400f-9af5-c6ab810ffb8e", + "layerId": "df057b77-cd5b-4e7a-bb21-ac003f0f4eb8", + "layerType": "data", + "size": "xl", + "textAlign": "center", + "titlePosition": "bottom" + } }, - "797ebde1-9d7b-4950-9554-194d5c702684": { - "customLabel": true, - "dataType": "date", - "isBucketed": true, - "label": "Timestamp", - "operationType": "date_histogram", - "params": { - "includeEmptyRows": true, - "interval": "auto" - }, - "scale": "interval", - "sourceField": "@timestamp" + "title": "", + "type": "lens", + "visualizationType": "lnsLegacyMetric" + }, + "enhancements": {}, + "hidePanelTitles": true + }, + "gridData": { + "h": 7, + "i": "eac20ac9-93ca-483c-ab27-d10a06f4dde0", + "w": 12, + "x": 24, + "y": 0 + }, + "panelIndex": "eac20ac9-93ca-483c-ab27-d10a06f4dde0", + "title": "Number of live data nodes 
[Metrics Hadoop]", + "type": "lens", + "version": "8.10.2" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-3d40213c-fe67-4c30-bde1-5450fbadcd20", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "0fdf9d17-fb31-40a8-b8db-02850b080c9d", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "formBased": { + "layers": { + "3d40213c-fe67-4c30-bde1-5450fbadcd20": { + "columnOrder": [ + "b48d5a8f-56b6-4418-bab1-ce62ea15f724" + ], + "columns": { + "b48d5a8f-56b6-4418-bab1-ce62ea15f724": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "hadoop.namenode.nodes.num_dead_data: *" + }, + "isBucketed": false, + "label": "Dead Data Nodes", + "operationType": "last_value", + "params": { + "showArrayValues": true, + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "hadoop.namenode.nodes.num_dead_data" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "0fdf9d17-fb31-40a8-b8db-02850b080c9d", + "key": "hadoop.namenode.nodes.num_dead_data", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "hadoop.namenode.nodes.num_dead_data" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "accessor": "b48d5a8f-56b6-4418-bab1-ce62ea15f724", + "layerId": "3d40213c-fe67-4c30-bde1-5450fbadcd20", + "layerType": "data", + "size": "xl", + "textAlign": "center", + "titlePosition": "bottom" + } }, - "fc0da319-4b72-4ccc-8e27-2c4ebec508c7": { - "dataType": "string", - "isBucketed": true, - "label": "Top values of service.address", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "fallback": true, - "type": "alphabetical" + "title": "", + "type": "lens", + 
"visualizationType": "lnsLegacyMetric" + }, + "enhancements": {}, + "hidePanelTitles": true + }, + "gridData": { + "h": 7, + "i": "75574416-a16d-43be-a303-2dc31359a8c9", + "w": 12, + "x": 36, + "y": 0 + }, + "panelIndex": "75574416-a16d-43be-a303-2dc31359a8c9", + "title": "Number of dead data nodes [Metrics Hadoop]", + "type": "lens", + "version": "8.10.2" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-efa00ae4-03e1-45c9-aaa9-47610de989d9", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "efa00ae4-03e1-45c9-aaa9-47610de989d9": { + "columnOrder": [ + "5e28f952-df42-4162-8195-af6ee018c227", + "5e28f952-df42-4162-8195-af6ee018c227X0" + ], + "columns": { + "5e28f952-df42-4162-8195-af6ee018c227": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Cache used", + "operationType": "formula", + "params": { + "format": { + "id": "bytes", + "params": { + "decimals": 2 + } + }, + "formula": "last_value(hadoop.datanode.cache.used)", + "isFormulaBroken": false + }, + "references": [ + "5e28f952-df42-4162-8195-af6ee018c227X0" + ], + "scale": "ratio" + }, + "5e28f952-df42-4162-8195-af6ee018c227X0": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Part of Cache used", + "operationType": "last_value", + "params": { + "showArrayValues": true, + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "hadoop.datanode.cache.used" + } + }, + "incompleteColumns": {} + } + } + } }, - "orderDirection": "asc", - "otherBucket": true, - "parentFormat": { - "id": "terms" + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "hadoop.datanode.cache.capacity : * and hadoop.datanode.cache.used : * " }, - "size": 3 - }, - "scale": "ordinal", - "sourceField": "service.address" - } - }, - 
"incompleteColumns": {} - } - } - } - }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "fbe5ed56-727a-408f-ab58-b03abf1502da", - "key": "hadoop.datanode.bytes.read", - "negate": false, - "type": "exists", - "value": "exists" - }, - "query": { - "exists": { - "field": "hadoop.datanode.bytes.read" - } - } + "visualization": { + "accessor": "5e28f952-df42-4162-8195-af6ee018c227", + "layerId": "efa00ae4-03e1-45c9-aaa9-47610de989d9", + "layerType": "data", + "size": "xl", + "textAlign": "center", + "titlePosition": "bottom" + } + }, + "title": "Cache used from total cache [Metrics Hadoop]", + "type": "lens", + "visualizationType": "lnsLegacyMetric" + }, + "enhancements": {}, + "hidePanelTitles": true }, - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "37000496-671a-41ab-ab7b-35823e718530", - "key": "hadoop.datanode.bytes.written", - "negate": false, - "type": "exists", - "value": "exists" - }, - "query": { - "exists": { - "field": "hadoop.datanode.bytes.written" - } - } - } - ], - "query": { - "language": "kuery", - "query": "data_stream.dataset : \"hadoop.datanode\" " - }, - "visualization": { - "axisTitlesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true + "gridData": { + "h": 7, + "i": "c8a6b036-ae93-4055-aef7-dd575221f10d", + "w": 12, + "x": 24, + "y": 7 }, - "fittingFunction": "None", - "gridlinesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true + "panelIndex": "c8a6b036-ae93-4055-aef7-dd575221f10d", + "type": "lens", + "version": "8.10.2" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-570e3d96-2c27-4661-8669-77215711bb6e", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "4e3e29b3-cd97-447c-b679-0130844d95bb", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + 
"formBased": { + "layers": { + "570e3d96-2c27-4661-8669-77215711bb6e": { + "columnOrder": [ + "2c8412e8-db24-4dab-8635-32a74ef1873c" + ], + "columns": { + "2c8412e8-db24-4dab-8635-32a74ef1873c": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "hadoop.namenode.nodes.num_decommissioning_data: *" + }, + "isBucketed": false, + "label": "Decommissioning Data Nodes", + "operationType": "last_value", + "params": { + "showArrayValues": true, + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "hadoop.namenode.nodes.num_decommissioning_data" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "4e3e29b3-cd97-447c-b679-0130844d95bb", + "key": "hadoop.namenode.nodes.num_decommissioning_data", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "hadoop.namenode.nodes.num_decommissioning_data" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "accessor": "2c8412e8-db24-4dab-8635-32a74ef1873c", + "layerId": "570e3d96-2c27-4661-8669-77215711bb6e", + "layerType": "data", + "size": "xl", + "textAlign": "center", + "titlePosition": "bottom" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsLegacyMetric" + }, + "enhancements": {}, + "hidePanelTitles": true }, - "labelsOrientation": { - "x": 0, - "yLeft": 0, - "yRight": 0 + "gridData": { + "h": 7, + "i": "f03b0b45-577e-480e-9fb2-9890b62fc30f", + "w": 12, + "x": 36, + "y": 7 }, - "layers": [ - { - "accessors": [ - "4b9fcd50-2227-40e5-a93b-ebb16831630d", - "56fd6e61-acf3-45e6-9904-98f7ffa90644" - ], - "layerId": "69af342c-71f3-41fe-a76e-cc9f49baafa3", - "layerType": "data", - "position": "top", - "seriesType": "line", - "showGridlines": false, - "splitAccessor": "fc0da319-4b72-4ccc-8e27-2c4ebec508c7", - "xAccessor": 
"797ebde1-9d7b-4950-9554-194d5c702684" - } - ], - "legend": { - "isVisible": true, - "legendSize": "auto", - "position": "right" + "panelIndex": "f03b0b45-577e-480e-9fb2-9890b62fc30f", + "title": "Number of data nodes decommissioning [Metrics Hadoop]", + "type": "lens", + "version": "8.10.2" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-69af342c-71f3-41fe-a76e-cc9f49baafa3", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "7bd76a85-a404-4f51-8794-94a23bc470f6", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "6f137201-2f5c-41bc-aa69-268f6c6f9b22", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "69af342c-71f3-41fe-a76e-cc9f49baafa3": { + "columnOrder": [ + "797ebde1-9d7b-4950-9554-194d5c702684", + "fc0da319-4b72-4ccc-8e27-2c4ebec508c7", + "4b9fcd50-2227-40e5-a93b-ebb16831630d", + "56fd6e61-acf3-45e6-9904-98f7ffa90644" + ], + "columns": { + "4b9fcd50-2227-40e5-a93b-ebb16831630d": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Bytes read", + "operationType": "last_value", + "params": { + "format": { + "id": "bytes", + "params": { + "decimals": 2 + } + }, + "showArrayValues": true, + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "hadoop.datanode.bytes.read" + }, + "56fd6e61-acf3-45e6-9904-98f7ffa90644": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Bytes written", + "operationType": "last_value", + "params": { + "format": { + "id": "bytes", + "params": { + "decimals": 2 + } + }, + "showArrayValues": true, + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "hadoop.datanode.bytes.written" + }, + "797ebde1-9d7b-4950-9554-194d5c702684": { + "customLabel": true, + "dataType": "date", + "isBucketed": true, + "label": "Timestamp", + 
"operationType": "date_histogram", + "params": { + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "fc0da319-4b72-4ccc-8e27-2c4ebec508c7": { + "dataType": "string", + "isBucketed": true, + "label": "Top values of service.address", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "fallback": true, + "type": "alphabetical" + }, + "orderDirection": "asc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 3 + }, + "scale": "ordinal", + "sourceField": "service.address" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "7bd76a85-a404-4f51-8794-94a23bc470f6", + "key": "hadoop.datanode.bytes.read", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "hadoop.datanode.bytes.read" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "6f137201-2f5c-41bc-aa69-268f6c6f9b22", + "key": "hadoop.datanode.bytes.written", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "hadoop.datanode.bytes.written" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "4b9fcd50-2227-40e5-a93b-ebb16831630d", + "56fd6e61-acf3-45e6-9904-98f7ffa90644" + ], + "layerId": "69af342c-71f3-41fe-a76e-cc9f49baafa3", + "layerType": "data", + "position": "top", + "seriesType": "line", + "showGridlines": false, + "splitAccessor": 
"fc0da319-4b72-4ccc-8e27-2c4ebec508c7", + "xAccessor": "797ebde1-9d7b-4950-9554-194d5c702684" + } + ], + "legend": { + "isVisible": true, + "legendSize": "auto", + "position": "right" + }, + "preferredSeriesType": "line", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide", + "xTitle": "Timestamp", + "yLeftExtent": { + "mode": "full" + }, + "yRightExtent": { + "mode": "full" + }, + "yTitle": "Bytes" + } + }, + "title": "Number of bytes read and written [Hadoop Metrics]", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false }, - "preferredSeriesType": "line", - "tickLabelsVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true + "gridData": { + "h": 15, + "i": "eed75d07-d50d-4fd8-ad03-6cf7bd5bd42f", + "w": 24, + "x": 0, + "y": 12 }, - "valueLabels": "hide", - "xTitle": "Timestamp", - "yLeftExtent": { - "mode": "full" + "panelIndex": "eed75d07-d50d-4fd8-ad03-6cf7bd5bd42f", + "title": "Number of bytes read and written [Metrics Hadoop]", + "type": "lens", + "version": "8.10.2" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-bfc4ee7d-e67a-492c-a0de-3ba41b193e52", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "87fdb03b-29d6-48a3-952a-da13b704e34a", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "formBased": { + "layers": { + "bfc4ee7d-e67a-492c-a0de-3ba41b193e52": { + "columnOrder": [ + "f5aa20c5-3dfb-45e8-82ff-4a24d054ef62", + "f5aa20c5-3dfb-45e8-82ff-4a24d054ef62X0" + ], + "columns": { + "f5aa20c5-3dfb-45e8-82ff-4a24d054ef62": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Disk Capacity", + "operationType": "formula", + "params": { + "format": { + 
"id": "bytes", + "params": { + "decimals": 2 + } + }, + "formula": "median(hadoop.datanode.disk_space.capacity)", + "isFormulaBroken": false + }, + "references": [ + "f5aa20c5-3dfb-45e8-82ff-4a24d054ef62X0" + ], + "scale": "ratio" + }, + "f5aa20c5-3dfb-45e8-82ff-4a24d054ef62X0": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Part of Disk Capacity (GB)", + "operationType": "median", + "scale": "ratio", + "sourceField": "hadoop.datanode.disk_space.capacity" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "87fdb03b-29d6-48a3-952a-da13b704e34a", + "key": "hadoop.datanode.disk_space.capacity", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "hadoop.datanode.disk_space.capacity" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "accessor": "f5aa20c5-3dfb-45e8-82ff-4a24d054ef62", + "layerId": "bfc4ee7d-e67a-492c-a0de-3ba41b193e52", + "layerType": "data", + "size": "xl", + "textAlign": "center", + "titlePosition": "bottom" + } + }, + "title": "Data node disk capacity [Metrics Hadoop]", + "visualizationType": "lnsLegacyMetric" + }, + "enhancements": {}, + "hidePanelTitles": true }, - "yRightExtent": { - "mode": "full" + "gridData": { + "h": 6, + "i": "ed24ad58-0d8a-495f-9767-1d994d65d52f", + "w": 24, + "x": 24, + "y": 14 }, - "yTitle": "Bytes" - } + "panelIndex": "ed24ad58-0d8a-495f-9767-1d994d65d52f", + "type": "lens", + "version": "8.10.2" }, - "title": "Number of bytes read and written [Hadoop Metrics]", - "visualizationType": "lnsXY", - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-69af342c-71f3-41fe-a76e-cc9f49baafa3", - "type": "index-pattern" - }, - { - "id": 
"metrics-*", - "name": "fbe5ed56-727a-408f-ab58-b03abf1502da", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "37000496-671a-41ab-ab7b-35823e718530", - "type": "index-pattern" - } - ] - } - }, - "gridData": { - "h": 15, - "i": "eed75d07-d50d-4fd8-ad03-6cf7bd5bd42f", - "w": 24, - "x": 0, - "y": 12 - }, - "panelIndex": "eed75d07-d50d-4fd8-ad03-6cf7bd5bd42f", - "title": "Number of bytes read and written [Metrics Hadoop]", - "type": "lens", - "version": "8.6.0" - }, - { - "embeddableConfig": { - "enhancements": {}, - "hidePanelTitles": true, - "attributes": { - "description": "", - "state": { - "datasourceStates": { - "formBased": { - "layers": { - "bfc4ee7d-e67a-492c-a0de-3ba41b193e52": { - "columnOrder": [ - "f5aa20c5-3dfb-45e8-82ff-4a24d054ef62", - "f5aa20c5-3dfb-45e8-82ff-4a24d054ef62X0" - ], - "columns": { - "f5aa20c5-3dfb-45e8-82ff-4a24d054ef62": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Disk Capacity", - "operationType": "formula", - "params": { - "format": { - "id": "bytes", - "params": { - "decimals": 2 - } + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-011f4580-0ed6-43f2-aeb7-64965ecd5e83", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "formBased": { + "layers": { + "011f4580-0ed6-43f2-aeb7-64965ecd5e83": { + "columnOrder": [ + "7fd9ea12-b127-443d-a3d9-a07be9982c13" + ], + "columns": { + "7fd9ea12-b127-443d-a3d9-a07be9982c13": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Failed volumes", + "operationType": "last_value", + "params": { + "showArrayValues": true, + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "hadoop.datanode.volumes.failed" + } + }, + "incompleteColumns": {} + } + } + } }, - "formula": 
"median(hadoop.datanode.disk_space.capacity)", - "isFormulaBroken": false - }, - "references": [ - "f5aa20c5-3dfb-45e8-82ff-4a24d054ef62X0" - ], - "scale": "ratio" + "filters": [], + "query": { + "language": "kuery", + "query": "hadoop.datanode.volumes.failed : * " + }, + "visualization": { + "accessor": "7fd9ea12-b127-443d-a3d9-a07be9982c13", + "layerId": "011f4580-0ed6-43f2-aeb7-64965ecd5e83", + "layerType": "data", + "size": "xl", + "textAlign": "center", + "titlePosition": "bottom" + } }, - "f5aa20c5-3dfb-45e8-82ff-4a24d054ef62X0": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Part of Disk Capacity (GB)", - "operationType": "median", - "scale": "ratio", - "sourceField": "hadoop.datanode.disk_space.capacity" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "87fdb03b-29d6-48a3-952a-da13b704e34a", - "key": "hadoop.datanode.disk_space.capacity", - "negate": false, - "type": "exists", - "value": "exists" - }, - "query": { - "exists": { - "field": "hadoop.datanode.disk_space.capacity" - } - } - } - ], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "accessor": "f5aa20c5-3dfb-45e8-82ff-4a24d054ef62", - "layerId": "bfc4ee7d-e67a-492c-a0de-3ba41b193e52", - "layerType": "data", - "size": "xl", - "textAlign": "center", - "titlePosition": "bottom" - } + "title": "Failed Volumes [Metrics Hadoop]", + "visualizationType": "lnsLegacyMetric" + }, + "enhancements": {}, + "hidePanelTitles": true + }, + "gridData": { + "h": 7, + "i": "21f37466-b62d-4219-bc1a-d787833a8dbf", + "w": 12, + "x": 24, + "y": 20 + }, + "panelIndex": "21f37466-b62d-4219-bc1a-d787833a8dbf", + "type": "lens", + "version": "8.10.2" }, - "title": "Data node disk capacity [Metrics Hadoop]", - "visualizationType": "lnsLegacyMetric", - "references": [ - { - "id": "metrics-*", - "name": 
"indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-bfc4ee7d-e67a-492c-a0de-3ba41b193e52", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "87fdb03b-29d6-48a3-952a-da13b704e34a", - "type": "index-pattern" - } - ] - } + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-781bec53-7762-43ba-bc46-4a54c6b985ae", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "formBased": { + "layers": { + "781bec53-7762-43ba-bc46-4a54c6b985ae": { + "columnOrder": [ + "931e5379-b427-4096-8030-51a9ad546b02" + ], + "columns": { + "931e5379-b427-4096-8030-51a9ad546b02": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Cached blocks", + "operationType": "last_value", + "params": { + "showArrayValues": true, + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "hadoop.datanode.blocks.cached" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "hadoop.datanode.blocks.cached : * " + }, + "visualization": { + "accessor": "931e5379-b427-4096-8030-51a9ad546b02", + "layerId": "781bec53-7762-43ba-bc46-4a54c6b985ae", + "layerType": "data", + "size": "xl", + "textAlign": "center", + "titlePosition": "bottom" + } + }, + "title": "Cached blocks [Metrics Hadoop]", + "visualizationType": "lnsLegacyMetric" + }, + "enhancements": {}, + "hidePanelTitles": true + }, + "gridData": { + "h": 7, + "i": "da4e4113-6794-4a85-977c-51879f500a0a", + "w": 12, + "x": 36, + "y": 20 + }, + "panelIndex": "da4e4113-6794-4a85-977c-51879f500a0a", + "type": "lens", + "version": "8.10.2" + } + ], + "timeRestore": false, + "title": "[Metrics Hadoop] Data nodes", + 
"version": 1 + }, + "coreMigrationVersion": "8.8.0", + "created_at": "2024-04-26T05:56:55.262Z", + "id": "hadoop-c06fb680-cf76-11ec-bc3e-6faca2b11df2", + "managed": false, + "references": [ + { + "id": "metrics-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" }, - "gridData": { - "h": 6, - "i": "ed24ad58-0d8a-495f-9767-1d994d65d52f", - "w": 24, - "x": 24, - "y": 14 + { + "id": "metrics-*", + "name": "1f52942c-5657-4bab-8e38-5cf69692f448:indexpattern-datasource-layer-ee57a119-2827-4586-82f1-c796c86d76d9", + "type": "index-pattern" }, - "panelIndex": "ed24ad58-0d8a-495f-9767-1d994d65d52f", - "type": "lens", - "version": "8.6.0" - }, - { - "embeddableConfig": { - "enhancements": {}, - "hidePanelTitles": true, - "attributes": { - "state": { - "datasourceStates": { - "formBased": { - "layers": { - "011f4580-0ed6-43f2-aeb7-64965ecd5e83": { - "columnOrder": [ - "7fd9ea12-b127-443d-a3d9-a07be9982c13" - ], - "columns": { - "7fd9ea12-b127-443d-a3d9-a07be9982c13": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Failed volumes", - "operationType": "last_value", - "params": { - "showArrayValues": true, - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "hadoop.datanode.volumes.failed" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "hadoop.datanode.volumes.failed : * " - }, - "visualization": { - "accessor": "7fd9ea12-b127-443d-a3d9-a07be9982c13", - "layerId": "011f4580-0ed6-43f2-aeb7-64965ecd5e83", - "layerType": "data", - "size": "xl", - "textAlign": "center", - "titlePosition": "bottom" - } - }, - "title": "Failed Volumes [Metrics Hadoop]", - "visualizationType": "lnsLegacyMetric", - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": 
"indexpattern-datasource-layer-011f4580-0ed6-43f2-aeb7-64965ecd5e83", - "type": "index-pattern" - } - ] - } + { + "id": "metrics-*", + "name": "1f52942c-5657-4bab-8e38-5cf69692f448:a1e89fd9-dfc2-4929-b851-016c12db176d", + "type": "index-pattern" }, - "gridData": { - "h": 7, - "i": "21f37466-b62d-4219-bc1a-d787833a8dbf", - "w": 12, - "x": 24, - "y": 20 + { + "id": "metrics-*", + "name": "eac20ac9-93ca-483c-ab27-d10a06f4dde0:indexpattern-datasource-layer-df057b77-cd5b-4e7a-bb21-ac003f0f4eb8", + "type": "index-pattern" }, - "panelIndex": "21f37466-b62d-4219-bc1a-d787833a8dbf", - "type": "lens", - "version": "8.6.0" - }, - { - "embeddableConfig": { - "enhancements": {}, - "hidePanelTitles": true, - "attributes": { - "description": "", - "state": { - "datasourceStates": { - "formBased": { - "layers": { - "781bec53-7762-43ba-bc46-4a54c6b985ae": { - "columnOrder": [ - "931e5379-b427-4096-8030-51a9ad546b02" - ], - "columns": { - "931e5379-b427-4096-8030-51a9ad546b02": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Cached blocks", - "operationType": "last_value", - "params": { - "showArrayValues": true, - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "hadoop.datanode.blocks.cached" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "hadoop.datanode.blocks.cached : * " - }, - "visualization": { - "accessor": "931e5379-b427-4096-8030-51a9ad546b02", - "layerId": "781bec53-7762-43ba-bc46-4a54c6b985ae", - "layerType": "data", - "size": "xl", - "textAlign": "center", - "titlePosition": "bottom" - } - }, - "title": "Cached blocks [Metrics Hadoop]", - "visualizationType": "lnsLegacyMetric", - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-781bec53-7762-43ba-bc46-4a54c6b985ae", - "type": "index-pattern" - } - ] - } 
+ { + "id": "metrics-*", + "name": "eac20ac9-93ca-483c-ab27-d10a06f4dde0:50b51ba8-f87e-405f-8a53-efea43df987b", + "type": "index-pattern" }, - "gridData": { - "h": 7, - "i": "da4e4113-6794-4a85-977c-51879f500a0a", - "w": 12, - "x": 36, - "y": 20 + { + "id": "metrics-*", + "name": "75574416-a16d-43be-a303-2dc31359a8c9:indexpattern-datasource-layer-3d40213c-fe67-4c30-bde1-5450fbadcd20", + "type": "index-pattern" }, - "panelIndex": "da4e4113-6794-4a85-977c-51879f500a0a", - "type": "lens", - "version": "8.6.0" - } + { + "id": "metrics-*", + "name": "75574416-a16d-43be-a303-2dc31359a8c9:0fdf9d17-fb31-40a8-b8db-02850b080c9d", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "c8a6b036-ae93-4055-aef7-dd575221f10d:indexpattern-datasource-layer-efa00ae4-03e1-45c9-aaa9-47610de989d9", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "f03b0b45-577e-480e-9fb2-9890b62fc30f:indexpattern-datasource-layer-570e3d96-2c27-4661-8669-77215711bb6e", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "f03b0b45-577e-480e-9fb2-9890b62fc30f:4e3e29b3-cd97-447c-b679-0130844d95bb", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "eed75d07-d50d-4fd8-ad03-6cf7bd5bd42f:indexpattern-datasource-layer-69af342c-71f3-41fe-a76e-cc9f49baafa3", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "eed75d07-d50d-4fd8-ad03-6cf7bd5bd42f:7bd76a85-a404-4f51-8794-94a23bc470f6", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "eed75d07-d50d-4fd8-ad03-6cf7bd5bd42f:6f137201-2f5c-41bc-aa69-268f6c6f9b22", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "ed24ad58-0d8a-495f-9767-1d994d65d52f:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "ed24ad58-0d8a-495f-9767-1d994d65d52f:indexpattern-datasource-layer-bfc4ee7d-e67a-492c-a0de-3ba41b193e52", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": 
"ed24ad58-0d8a-495f-9767-1d994d65d52f:87fdb03b-29d6-48a3-952a-da13b704e34a", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "21f37466-b62d-4219-bc1a-d787833a8dbf:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "21f37466-b62d-4219-bc1a-d787833a8dbf:indexpattern-datasource-layer-011f4580-0ed6-43f2-aeb7-64965ecd5e83", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "da4e4113-6794-4a85-977c-51879f500a0a:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "da4e4113-6794-4a85-977c-51879f500a0a:indexpattern-datasource-layer-781bec53-7762-43ba-bc46-4a54c6b985ae", + "type": "index-pattern" + } ], - "timeRestore": false, - "title": "[Metrics Hadoop] Data nodes", - "version": 1 - }, - "references": [ - { - "id": "metrics-*", - "name": "eac20ac9-93ca-483c-ab27-d10a06f4dde0:indexpattern-datasource-layer-df057b77-cd5b-4e7a-bb21-ac003f0f4eb8", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "eac20ac9-93ca-483c-ab27-d10a06f4dde0:50b51ba8-f87e-405f-8a53-efea43df987b", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "75574416-a16d-43be-a303-2dc31359a8c9:indexpattern-datasource-layer-3d40213c-fe67-4c30-bde1-5450fbadcd20", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "75574416-a16d-43be-a303-2dc31359a8c9:0fdf9d17-fb31-40a8-b8db-02850b080c9d", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "f03b0b45-577e-480e-9fb2-9890b62fc30f:indexpattern-datasource-layer-570e3d96-2c27-4661-8669-77215711bb6e", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "f03b0b45-577e-480e-9fb2-9890b62fc30f:4e3e29b3-cd97-447c-b679-0130844d95bb", - "type": "index-pattern" - }, - { - "type": "index-pattern", - "name": "1f52942c-5657-4bab-8e38-5cf69692f448:indexpattern-datasource-current-indexpattern", - "id": "metrics-*" - }, - { - "type": "index-pattern", - 
"name": "1f52942c-5657-4bab-8e38-5cf69692f448:indexpattern-datasource-layer-ee57a119-2827-4586-82f1-c796c86d76d9", - "id": "metrics-*" - }, - { - "type": "index-pattern", - "name": "c8a6b036-ae93-4055-aef7-dd575221f10d:indexpattern-datasource-current-indexpattern", - "id": "metrics-*" - }, - { - "type": "index-pattern", - "name": "c8a6b036-ae93-4055-aef7-dd575221f10d:indexpattern-datasource-layer-efa00ae4-03e1-45c9-aaa9-47610de989d9", - "id": "metrics-*" - }, - { - "type": "index-pattern", - "name": "eed75d07-d50d-4fd8-ad03-6cf7bd5bd42f:indexpattern-datasource-current-indexpattern", - "id": "metrics-*" - }, - { - "type": "index-pattern", - "name": "eed75d07-d50d-4fd8-ad03-6cf7bd5bd42f:indexpattern-datasource-layer-69af342c-71f3-41fe-a76e-cc9f49baafa3", - "id": "metrics-*" - }, - { - "type": "index-pattern", - "name": "eed75d07-d50d-4fd8-ad03-6cf7bd5bd42f:fbe5ed56-727a-408f-ab58-b03abf1502da", - "id": "metrics-*" - }, - { - "type": "index-pattern", - "name": "eed75d07-d50d-4fd8-ad03-6cf7bd5bd42f:37000496-671a-41ab-ab7b-35823e718530", - "id": "metrics-*" - }, - { - "type": "index-pattern", - "name": "ed24ad58-0d8a-495f-9767-1d994d65d52f:indexpattern-datasource-current-indexpattern", - "id": "metrics-*" - }, - { - "type": "index-pattern", - "name": "ed24ad58-0d8a-495f-9767-1d994d65d52f:indexpattern-datasource-layer-bfc4ee7d-e67a-492c-a0de-3ba41b193e52", - "id": "metrics-*" - }, - { - "type": "index-pattern", - "name": "ed24ad58-0d8a-495f-9767-1d994d65d52f:87fdb03b-29d6-48a3-952a-da13b704e34a", - "id": "metrics-*" - }, - { - "type": "index-pattern", - "name": "21f37466-b62d-4219-bc1a-d787833a8dbf:indexpattern-datasource-current-indexpattern", - "id": "metrics-*" - }, - { - "type": "index-pattern", - "name": "21f37466-b62d-4219-bc1a-d787833a8dbf:indexpattern-datasource-layer-011f4580-0ed6-43f2-aeb7-64965ecd5e83", - "id": "metrics-*" - }, - { - "type": "index-pattern", - "name": "da4e4113-6794-4a85-977c-51879f500a0a:indexpattern-datasource-current-indexpattern", - "id": 
"metrics-*" - }, - { - "type": "index-pattern", - "name": "da4e4113-6794-4a85-977c-51879f500a0a:indexpattern-datasource-layer-781bec53-7762-43ba-bc46-4a54c6b985ae", - "id": "metrics-*" - } - ], - "managed": false + "type": "dashboard", + "typeMigrationVersion": "8.9.0" } \ No newline at end of file diff --git a/packages/hadoop/kibana/dashboard/hadoop-cb235590-cd24-11ec-be30-1d9331f0b107.json b/packages/hadoop/kibana/dashboard/hadoop-cb235590-cd24-11ec-be30-1d9331f0b107.json index 846835b3541..49eb917c583 100644 --- a/packages/hadoop/kibana/dashboard/hadoop-cb235590-cd24-11ec-be30-1d9331f0b107.json +++ b/packages/hadoop/kibana/dashboard/hadoop-cb235590-cd24-11ec-be30-1d9331f0b107.json 
@@ -1,1295 +1,1308 @@ { - "id": "hadoop-cb235590-cd24-11ec-be30-1d9331f0b107", - "type": "dashboard", - "namespaces": [ - "default" - ], - "migrationVersion": { - "dashboard": "8.7.0" - }, - "coreMigrationVersion": "8.8.0", - "typeMigrationVersion": "8.7.0", - "updated_at": "2023-11-07T17:16:59.199Z", - "created_at": "2023-11-07T17:16:59.199Z", - "version": "WzEwMiwxXQ==", - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [], - "query": { - "language": "kuery", - "query": "" - } - } - }, - "optionsJSON": { - "hidePanelTitles": false, - "syncColors": false, - "useMargins": true - }, - "panelsJSON": [ - { - "version": "8.7.0", - "type": "lens", - "gridData": { - "h": 18, - "i": "08fde296-94c6-4dbd-bd1f-77c67e0125e6", - "w": 24, - "x": 0, - "y": 0 - }, - "panelIndex": "08fde296-94c6-4dbd-bd1f-77c67e0125e6", - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-35726819-8a70-4f5e-b150-1626c191f380", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "4b01387d-bd18-4e16-b860-005e4a71e957", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "d846e0a6-42a9-4840-82e4-f217959a63fb", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "c50d822a-587a-4198-90c1-847fe7355fa1", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "e78473e3-a006-46cf-bada-e75ab9c4b279", - "type": "index-pattern" - } - ], - "state": { - "datasourceStates": { - "formBased": { - "layers": { - "35726819-8a70-4f5e-b150-1626c191f380": { - "columnOrder": [ - "c4649608-0cba-486f-8aec-460655407f67", - "39e015f6-e8f8-4a9a-80e3-2570606d310c", - "09a20c96-905b-40c8-9c40-77bfb5edb5b7", - "3708838a-0567-4295-8e77-3a39aca246cd", - "02f59eb1-8c13-41d6-a537-58fb1f051f84" - ], - "columns": { - "02f59eb1-8c13-41d6-a537-58fb1f051f84": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - 
"query": "hadoop.cluster.node_managers.num_lost: *" - }, - "isBucketed": false, - "label": "Lost", - "operationType": "last_value", - "params": { - "showArrayValues": true, - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "hadoop.cluster.node_managers.num_lost" + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" }, - "09a20c96-905b-40c8-9c40-77bfb5edb5b7": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "hadoop.cluster.node_managers.num_unhealthy: *" - }, - "isBucketed": false, - "label": "Unhealthy", - "operationType": "last_value", - "params": { - "showArrayValues": true, - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "hadoop.cluster.node_managers.num_unhealthy" + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "hadoop.cluster" + }, + "type": "phrase" }, - "3708838a-0567-4295-8e77-3a39aca246cd": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "hadoop.cluster.node_managers.num_decommissioned: *" - }, - "isBucketed": false, - "label": "Decommissioned", - "operationType": "last_value", - "params": { - "showArrayValues": true, - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "hadoop.cluster.node_managers.num_decommissioned" - }, - "39e015f6-e8f8-4a9a-80e3-2570606d310c": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "hadoop.cluster.node_managers.num_active: *" - }, - "isBucketed": false, - "label": "Active", - "operationType": "last_value", - "params": { - "showArrayValues": true, - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": 
"hadoop.cluster.node_managers.num_active" - }, - "c4649608-0cba-486f-8aec-460655407f67": { - "customLabel": true, - "dataType": "date", - "isBucketed": true, - "label": "Timestamp", - "operationType": "date_histogram", - "params": { - "dropPartials": false, - "includeEmptyRows": false, - "interval": "auto" - }, - "scale": "interval", - "sourceField": "@timestamp" + "query": { + "match_phrase": { + "data_stream.dataset": "hadoop.cluster" + } } - }, - "incompleteColumns": {} } - } + ], + "query": { + "language": "kuery", + "query": "" } - }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "4b01387d-bd18-4e16-b860-005e4a71e957", - "key": "hadoop.cluster.node_managers.num_active", - "negate": false, - "type": "exists", - "value": "exists" - }, - "query": { - "exists": { - "field": "hadoop.cluster.node_managers.num_active" - } - } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-35726819-8a70-4f5e-b150-1626c191f380", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "4b01387d-bd18-4e16-b860-005e4a71e957", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "d846e0a6-42a9-4840-82e4-f217959a63fb", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "c50d822a-587a-4198-90c1-847fe7355fa1", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "e78473e3-a006-46cf-bada-e75ab9c4b279", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "formBased": { + "layers": { + "35726819-8a70-4f5e-b150-1626c191f380": { + "columnOrder": [ + "c4649608-0cba-486f-8aec-460655407f67", + "39e015f6-e8f8-4a9a-80e3-2570606d310c", + "09a20c96-905b-40c8-9c40-77bfb5edb5b7", + 
"3708838a-0567-4295-8e77-3a39aca246cd", + "02f59eb1-8c13-41d6-a537-58fb1f051f84" + ], + "columns": { + "02f59eb1-8c13-41d6-a537-58fb1f051f84": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "hadoop.cluster.node_managers.num_lost: *" + }, + "isBucketed": false, + "label": "Lost", + "operationType": "last_value", + "params": { + "showArrayValues": true, + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "hadoop.cluster.node_managers.num_lost" + }, + "09a20c96-905b-40c8-9c40-77bfb5edb5b7": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "hadoop.cluster.node_managers.num_unhealthy: *" + }, + "isBucketed": false, + "label": "Unhealthy", + "operationType": "last_value", + "params": { + "showArrayValues": true, + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "hadoop.cluster.node_managers.num_unhealthy" + }, + "3708838a-0567-4295-8e77-3a39aca246cd": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "hadoop.cluster.node_managers.num_decommissioned: *" + }, + "isBucketed": false, + "label": "Decommissioned", + "operationType": "last_value", + "params": { + "showArrayValues": true, + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "hadoop.cluster.node_managers.num_decommissioned" + }, + "39e015f6-e8f8-4a9a-80e3-2570606d310c": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "hadoop.cluster.node_managers.num_active: *" + }, + "isBucketed": false, + "label": "Active", + "operationType": "last_value", + "params": { + "showArrayValues": true, + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "hadoop.cluster.node_managers.num_active" + }, + "c4649608-0cba-486f-8aec-460655407f67": { + "customLabel": true, + "dataType": "date", + "isBucketed": true, + "label": "Timestamp", + "operationType": "date_histogram", + 
"params": { + "dropPartials": false, + "includeEmptyRows": false, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "4b01387d-bd18-4e16-b860-005e4a71e957", + "key": "hadoop.cluster.node_managers.num_active", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "hadoop.cluster.node_managers.num_active" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "d846e0a6-42a9-4840-82e4-f217959a63fb", + "key": "hadoop.cluster.node_managers.num_unhealthy", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "hadoop.cluster.node_managers.num_unhealthy" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "c50d822a-587a-4198-90c1-847fe7355fa1", + "key": "hadoop.cluster.node_managers.num_decommissioned", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "hadoop.cluster.node_managers.num_decommissioned" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "e78473e3-a006-46cf-bada-e75ab9c4b279", + "key": "hadoop.cluster.node_managers.num_lost", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "hadoop.cluster.node_managers.num_lost" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": false, + "yLeft": false, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 
+ }, + "layers": [ + { + "accessors": [ + "39e015f6-e8f8-4a9a-80e3-2570606d310c", + "09a20c96-905b-40c8-9c40-77bfb5edb5b7", + "3708838a-0567-4295-8e77-3a39aca246cd", + "02f59eb1-8c13-41d6-a537-58fb1f051f84" + ], + "layerId": "35726819-8a70-4f5e-b150-1626c191f380", + "layerType": "data", + "position": "top", + "seriesType": "area", + "showGridlines": false, + "xAccessor": "c4649608-0cba-486f-8aec-460655407f67", + "yConfig": [ + { + "axisMode": "left", + "forAccessor": "39e015f6-e8f8-4a9a-80e3-2570606d310c" + }, + { + "axisMode": "left", + "forAccessor": "09a20c96-905b-40c8-9c40-77bfb5edb5b7" + }, + { + "axisMode": "left", + "forAccessor": "3708838a-0567-4295-8e77-3a39aca246cd" + }, + { + "axisMode": "left", + "forAccessor": "02f59eb1-8c13-41d6-a537-58fb1f051f84" + } + ] + } + ], + "legend": { + "isVisible": true, + "position": "top", + "showSingleSeries": true + }, + "preferredSeriesType": "area", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide", + "xTitle": "Timestamp", + "yTitle": "Node Managers" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false }, - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "d846e0a6-42a9-4840-82e4-f217959a63fb", - "key": "hadoop.cluster.node_managers.num_unhealthy", - "negate": false, - "type": "exists", - "value": "exists" - }, - "query": { - "exists": { - "field": "hadoop.cluster.node_managers.num_unhealthy" - } - } + "gridData": { + "h": 18, + "i": "08fde296-94c6-4dbd-bd1f-77c67e0125e6", + "w": 24, + "x": 0, + "y": 0 }, - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "c50d822a-587a-4198-90c1-847fe7355fa1", - "key": "hadoop.cluster.node_managers.num_decommissioned", - "negate": false, - "type": "exists", - "value": "exists" - }, - "query": { - "exists": { - "field": 
"hadoop.cluster.node_managers.num_decommissioned" - } - } + "panelIndex": "08fde296-94c6-4dbd-bd1f-77c67e0125e6", + "title": "Number of node managers over time [Metrics Hadoop]", + "type": "lens", + "version": "8.10.2" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-5199984c-035a-4e47-9d4a-d63d01735d8b", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "b880f665-29b3-40b9-bd45-459f3105c645", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "formBased": { + "layers": { + "5199984c-035a-4e47-9d4a-d63d01735d8b": { + "columnOrder": [ + "d42e51f5-5ec7-48ad-80f4-acdd5f9b7f04" + ], + "columns": { + "d42e51f5-5ec7-48ad-80f4-acdd5f9b7f04": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "hadoop.cluster.nodes.active: *" + }, + "isBucketed": false, + "label": "Active Nodes", + "operationType": "last_value", + "params": { + "showArrayValues": true, + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "hadoop.cluster.nodes.active" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "b880f665-29b3-40b9-bd45-459f3105c645", + "key": "hadoop.cluster.nodes.active", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "hadoop.cluster.nodes.active" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "accessor": "d42e51f5-5ec7-48ad-80f4-acdd5f9b7f04", + "layerId": "5199984c-035a-4e47-9d4a-d63d01735d8b", + "layerType": "data", + "size": "xxl", + "textAlign": "center", + "titlePosition": "bottom" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsLegacyMetric" + }, + "enhancements": {}, + "hidePanelTitles": true }, - { - "$state": { - "store": "appState" - }, - "meta": 
{ - "alias": null, - "disabled": false, - "index": "e78473e3-a006-46cf-bada-e75ab9c4b279", - "key": "hadoop.cluster.node_managers.num_lost", - "negate": false, - "type": "exists", - "value": "exists" - }, - "query": { - "exists": { - "field": "hadoop.cluster.node_managers.num_lost" - } - } - } - ], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "axisTitlesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true + "gridData": { + "h": 5, + "i": "e4ced3fd-72aa-4091-95cf-39d49d5bb17f", + "w": 8, + "x": 24, + "y": 0 + }, + "panelIndex": "e4ced3fd-72aa-4091-95cf-39d49d5bb17f", + "title": "Number of active nodes [Metrics Hadoop]", + "type": "lens", + "version": "8.10.2" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-5199984c-035a-4e47-9d4a-d63d01735d8b", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "b98d7344-acd9-4e73-a62b-a34aee54465c", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "formBased": { + "layers": { + "5199984c-035a-4e47-9d4a-d63d01735d8b": { + "columnOrder": [ + "d42e51f5-5ec7-48ad-80f4-acdd5f9b7f04" + ], + "columns": { + "d42e51f5-5ec7-48ad-80f4-acdd5f9b7f04": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "hadoop.cluster.nodes.lost: *" + }, + "isBucketed": false, + "label": "Lost Nodes", + "operationType": "last_value", + "params": { + "showArrayValues": true, + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "hadoop.cluster.nodes.lost" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "b98d7344-acd9-4e73-a62b-a34aee54465c", + "key": "hadoop.cluster.nodes.lost", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "hadoop.cluster.nodes.lost" 
+ } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "accessor": "d42e51f5-5ec7-48ad-80f4-acdd5f9b7f04", + "layerId": "5199984c-035a-4e47-9d4a-d63d01735d8b", + "layerType": "data", + "size": "xxl", + "textAlign": "center", + "titlePosition": "bottom" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsLegacyMetric" + }, + "enhancements": {}, + "hidePanelTitles": true }, - "fittingFunction": "None", - "gridlinesVisibilitySettings": { - "x": false, - "yLeft": false, - "yRight": true + "gridData": { + "h": 5, + "i": "9d55a200-501c-45bf-94a9-a3c36744865d", + "w": 8, + "x": 32, + "y": 0 }, - "labelsOrientation": { - "x": 0, - "yLeft": 0, - "yRight": 0 + "panelIndex": "9d55a200-501c-45bf-94a9-a3c36744865d", + "title": "Number of lost nodes [Metrics Hadoop]", + "type": "lens", + "version": "8.10.2" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-5199984c-035a-4e47-9d4a-d63d01735d8b", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "1965ff1a-73c8-4f6c-be65-230190b5ca22", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "formBased": { + "layers": { + "5199984c-035a-4e47-9d4a-d63d01735d8b": { + "columnOrder": [ + "d42e51f5-5ec7-48ad-80f4-acdd5f9b7f04" + ], + "columns": { + "d42e51f5-5ec7-48ad-80f4-acdd5f9b7f04": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "hadoop.cluster.nodes.unhealthy: *" + }, + "isBucketed": false, + "label": "Unhealthy Nodes", + "operationType": "last_value", + "params": { + "showArrayValues": true, + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "hadoop.cluster.nodes.unhealthy" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "1965ff1a-73c8-4f6c-be65-230190b5ca22", + 
"key": "hadoop.cluster.nodes.unhealthy", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "hadoop.cluster.nodes.unhealthy" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "accessor": "d42e51f5-5ec7-48ad-80f4-acdd5f9b7f04", + "layerId": "5199984c-035a-4e47-9d4a-d63d01735d8b", + "layerType": "data", + "size": "xxl", + "textAlign": "center", + "titlePosition": "bottom" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsLegacyMetric" + }, + "enhancements": {}, + "hidePanelTitles": true }, - "layers": [ - { - "accessors": [ - "39e015f6-e8f8-4a9a-80e3-2570606d310c", - "09a20c96-905b-40c8-9c40-77bfb5edb5b7", - "3708838a-0567-4295-8e77-3a39aca246cd", - "02f59eb1-8c13-41d6-a537-58fb1f051f84" - ], - "layerId": "35726819-8a70-4f5e-b150-1626c191f380", - "layerType": "data", - "position": "top", - "seriesType": "area", - "showGridlines": false, - "xAccessor": "c4649608-0cba-486f-8aec-460655407f67", - "yConfig": [ - { - "axisMode": "left", - "forAccessor": "39e015f6-e8f8-4a9a-80e3-2570606d310c" - }, - { - "axisMode": "left", - "forAccessor": "09a20c96-905b-40c8-9c40-77bfb5edb5b7" - }, - { - "axisMode": "left", - "forAccessor": "3708838a-0567-4295-8e77-3a39aca246cd" - }, - { - "axisMode": "left", - "forAccessor": "02f59eb1-8c13-41d6-a537-58fb1f051f84" - } - ] - } - ], - "legend": { - "isVisible": true, - "position": "top", - "showSingleSeries": true + "gridData": { + "h": 5, + "i": "7d51338d-3c9a-4b7a-ae30-6b4efc0d2886", + "w": 8, + "x": 40, + "y": 0 + }, + "panelIndex": "7d51338d-3c9a-4b7a-ae30-6b4efc0d2886", + "title": "Number of unhealthy nodes [Metrics Hadoop]", + "type": "lens", + "version": "8.10.2" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-faa4a447-faac-4424-9e42-5a29b0ad1137", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": 
"6289f262-f60c-4d6c-9480-c8d037633755", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "c26ffbdc-b9a3-4a13-870a-6e83389b4007", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "70536a90-2ac2-4561-a8ed-1d0b7897fb04", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "formBased": { + "layers": { + "faa4a447-faac-4424-9e42-5a29b0ad1137": { + "columnOrder": [ + "55139a89-d014-4b5e-9195-8d7874ae4a47", + "aac01fd6-85b3-4678-a105-90b6bfef291a", + "2c271321-b9d9-4fc0-8bb4-0483f527c16b", + "88d60efa-e82b-43e6-bd18-e523c386af79" + ], + "columns": { + "2c271321-b9d9-4fc0-8bb4-0483f527c16b": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "hadoop.cluster.applications.pending: *" + }, + "isBucketed": false, + "label": "Pending", + "operationType": "last_value", + "params": { + "showArrayValues": true, + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "hadoop.cluster.applications.pending" + }, + "55139a89-d014-4b5e-9195-8d7874ae4a47": { + "customLabel": true, + "dataType": "date", + "isBucketed": true, + "label": "Timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": false, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "88d60efa-e82b-43e6-bd18-e523c386af79": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "hadoop.cluster.applications.failed: *" + }, + "isBucketed": false, + "label": "Failed", + "operationType": "last_value", + "params": { + "showArrayValues": true, + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "hadoop.cluster.applications.failed" + }, + "aac01fd6-85b3-4678-a105-90b6bfef291a": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "hadoop.cluster.applications.running: *" + }, + "isBucketed": false, + "label": "Running", + 
"operationType": "last_value", + "params": { + "showArrayValues": true, + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "hadoop.cluster.applications.running" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "6289f262-f60c-4d6c-9480-c8d037633755", + "key": "hadoop.cluster.applications.running", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "hadoop.cluster.applications.running" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "c26ffbdc-b9a3-4a13-870a-6e83389b4007", + "key": "hadoop.cluster.applications.pending", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "hadoop.cluster.applications.pending" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "70536a90-2ac2-4561-a8ed-1d0b7897fb04", + "key": "hadoop.cluster.applications.failed", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "hadoop.cluster.applications.failed" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "gridlinesVisibilitySettings": { + "x": false, + "yLeft": false, + "yRight": true + }, + "layers": [ + { + "accessors": [ + "aac01fd6-85b3-4678-a105-90b6bfef291a", + "2c271321-b9d9-4fc0-8bb4-0483f527c16b", + "88d60efa-e82b-43e6-bd18-e523c386af79" + ], + "layerId": "faa4a447-faac-4424-9e42-5a29b0ad1137", + "layerType": "data", + "position": "top", + "seriesType": "area", + "showGridlines": false, + "xAccessor": "55139a89-d014-4b5e-9195-8d7874ae4a47", + "yConfig": [ + { + "axisMode": "left", + "forAccessor": 
"aac01fd6-85b3-4678-a105-90b6bfef291a" + }, + { + "axisMode": "left", + "forAccessor": "2c271321-b9d9-4fc0-8bb4-0483f527c16b" + }, + { + "axisMode": "left", + "forAccessor": "88d60efa-e82b-43e6-bd18-e523c386af79" + } + ] + } + ], + "legend": { + "isVisible": true, + "position": "top", + "showSingleSeries": true + }, + "preferredSeriesType": "area", + "title": "Empty XY chart", + "valueLabels": "hide", + "xTitle": "Timestamp", + "yTitle": "Applications" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 18, + "i": "d78560b6-a798-4b6b-b702-252c1319af9c", + "w": 24, + "x": 24, + "y": 5 + }, + "panelIndex": "d78560b6-a798-4b6b-b702-252c1319af9c", + "title": "Number of applications over time [Metrics Hadoop]", + "type": "lens", + "version": "8.10.2" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-570232b1-bbba-4ae8-aa47-ed60cfefb8fb", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "446aea27-ddc3-4f7b-8623-2fe664c9af1d", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "formBased": { + "layers": { + "570232b1-bbba-4ae8-aa47-ed60cfefb8fb": { + "columnOrder": [ + "36a555dc-487f-4e1c-a3ae-2afa0f535519" + ], + "columns": { + "36a555dc-487f-4e1c-a3ae-2afa0f535519": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "hadoop.cluster.containers.allocated: *" + }, + "isBucketed": false, + "label": "Containers Allocated", + "operationType": "last_value", + "params": { + "showArrayValues": true, + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "hadoop.cluster.containers.allocated" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": 
"446aea27-ddc3-4f7b-8623-2fe664c9af1d", + "key": "hadoop.cluster.containers.allocated", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "hadoop.cluster.containers.allocated" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "accessor": "36a555dc-487f-4e1c-a3ae-2afa0f535519", + "layerId": "570232b1-bbba-4ae8-aa47-ed60cfefb8fb", + "layerType": "data", + "size": "xxl", + "textAlign": "center", + "titlePosition": "bottom" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsLegacyMetric" + }, + "enhancements": {}, + "hidePanelTitles": true }, - "preferredSeriesType": "area", - "tickLabelsVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true + "gridData": { + "h": 5, + "i": "64c0ea7a-99ee-4c8f-a9cb-e6ea5c855272", + "w": 8, + "x": 0, + "y": 18 }, - "valueLabels": "hide", - "xTitle": "Timestamp", - "yTitle": "Node Managers" - } + "panelIndex": "64c0ea7a-99ee-4c8f-a9cb-e6ea5c855272", + "title": "Number of containers allocated [Metrics Hadoop]", + "type": "lens", + "version": "8.10.2" }, - "title": "", - "type": "lens", - "visualizationType": "lnsXY" - }, - "enhancements": {}, - "hidePanelTitles": false, - "type": "lens" + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-570232b1-bbba-4ae8-aa47-ed60cfefb8fb", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "022a0e4d-13e0-47d7-8fd4-7fc3671f864d", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "formBased": { + "layers": { + "570232b1-bbba-4ae8-aa47-ed60cfefb8fb": { + "columnOrder": [ + "36a555dc-487f-4e1c-a3ae-2afa0f535519" + ], + "columns": { + "36a555dc-487f-4e1c-a3ae-2afa0f535519": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "hadoop.cluster.containers.pending: *" + }, + "isBucketed": false, + "label": "Containers 
Pending", + "operationType": "last_value", + "params": { + "showArrayValues": true, + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "hadoop.cluster.containers.pending" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "022a0e4d-13e0-47d7-8fd4-7fc3671f864d", + "key": "hadoop.cluster.containers.pending", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "hadoop.cluster.containers.pending" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "accessor": "36a555dc-487f-4e1c-a3ae-2afa0f535519", + "layerId": "570232b1-bbba-4ae8-aa47-ed60cfefb8fb", + "layerType": "data", + "size": "xxl", + "textAlign": "center", + "titlePosition": "bottom" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsLegacyMetric" + }, + "enhancements": {}, + "hidePanelTitles": true + }, + "gridData": { + "h": 5, + "i": "3078cc84-cf45-47c1-9761-a2cf0be99c2e", + "w": 8, + "x": 8, + "y": 18 + }, + "panelIndex": "3078cc84-cf45-47c1-9761-a2cf0be99c2e", + "title": "Number of containers pending [Metrics Hadoop]", + "type": "lens", + "version": "8.10.2" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-570232b1-bbba-4ae8-aa47-ed60cfefb8fb", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "d1592d8a-7e50-4768-a449-a05551db392d", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "formBased": { + "layers": { + "570232b1-bbba-4ae8-aa47-ed60cfefb8fb": { + "columnOrder": [ + "36a555dc-487f-4e1c-a3ae-2afa0f535519" + ], + "columns": { + "36a555dc-487f-4e1c-a3ae-2afa0f535519": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "hadoop.cluster.containers.reserved: *" + }, + "isBucketed": false, 
+ "label": "Containers Reserved", + "operationType": "last_value", + "params": { + "showArrayValues": true, + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "hadoop.cluster.containers.reserved" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "d1592d8a-7e50-4768-a449-a05551db392d", + "key": "hadoop.cluster.containers.reserved", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "hadoop.cluster.containers.reserved" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "accessor": "36a555dc-487f-4e1c-a3ae-2afa0f535519", + "layerId": "570232b1-bbba-4ae8-aa47-ed60cfefb8fb", + "layerType": "data", + "size": "xxl", + "textAlign": "center", + "titlePosition": "bottom" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsLegacyMetric" + }, + "enhancements": {}, + "hidePanelTitles": true + }, + "gridData": { + "h": 5, + "i": "589a1406-7ccf-49b7-a6b7-618841e3339b", + "w": 8, + "x": 16, + "y": 18 + }, + "panelIndex": "589a1406-7ccf-49b7-a6b7-618841e3339b", + "title": "Number of containers reserved [Metrics Hadoop]", + "type": "lens", + "version": "8.10.2" + } + ], + "timeRestore": false, + "title": "[Metrics Hadoop] Cluster overview", + "version": 1 + }, + "coreMigrationVersion": "8.8.0", + "created_at": "2024-04-20T10:14:59.671Z", + "id": "hadoop-cb235590-cd24-11ec-be30-1d9331f0b107", + "managed": false, + "references": [ + { + "id": "metrics-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" }, - "title": "Number of node managers over time [Metrics Hadoop]" - }, - { - "version": "8.7.0", - "type": "lens", - "gridData": { - "h": 5, - "i": "e4ced3fd-72aa-4091-95cf-39d49d5bb17f", - "w": 8, - "x": 24, - "y": 0 + { + "id": "metrics-*", + "name": 
"08fde296-94c6-4dbd-bd1f-77c67e0125e6:indexpattern-datasource-layer-35726819-8a70-4f5e-b150-1626c191f380", + "type": "index-pattern" }, - "panelIndex": "e4ced3fd-72aa-4091-95cf-39d49d5bb17f", - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-5199984c-035a-4e47-9d4a-d63d01735d8b", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "b880f665-29b3-40b9-bd45-459f3105c645", - "type": "index-pattern" - } - ], - "state": { - "datasourceStates": { - "formBased": { - "layers": { - "5199984c-035a-4e47-9d4a-d63d01735d8b": { - "columnOrder": [ - "d42e51f5-5ec7-48ad-80f4-acdd5f9b7f04" - ], - "columns": { - "d42e51f5-5ec7-48ad-80f4-acdd5f9b7f04": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "hadoop.cluster.nodes.active: *" - }, - "isBucketed": false, - "label": "Active Nodes", - "operationType": "last_value", - "params": { - "showArrayValues": true, - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "hadoop.cluster.nodes.active" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "b880f665-29b3-40b9-bd45-459f3105c645", - "key": "hadoop.cluster.nodes.active", - "negate": false, - "type": "exists", - "value": "exists" - }, - "query": { - "exists": { - "field": "hadoop.cluster.nodes.active" - } - } - } - ], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "accessor": "d42e51f5-5ec7-48ad-80f4-acdd5f9b7f04", - "layerId": "5199984c-035a-4e47-9d4a-d63d01735d8b", - "layerType": "data", - "size": "xxl", - "textAlign": "center", - "titlePosition": "bottom" - } - }, - "title": "", - "type": "lens", - "visualizationType": "lnsLegacyMetric" - }, - "enhancements": {}, - "hidePanelTitles": true, - "type": "lens" + { + "id": "metrics-*", + "name": 
"08fde296-94c6-4dbd-bd1f-77c67e0125e6:4b01387d-bd18-4e16-b860-005e4a71e957", + "type": "index-pattern" }, - "title": "Number of active nodes [Metrics Hadoop]" - }, - { - "version": "8.7.0", - "type": "lens", - "gridData": { - "h": 5, - "i": "9d55a200-501c-45bf-94a9-a3c36744865d", - "w": 8, - "x": 32, - "y": 0 + { + "id": "metrics-*", + "name": "08fde296-94c6-4dbd-bd1f-77c67e0125e6:d846e0a6-42a9-4840-82e4-f217959a63fb", + "type": "index-pattern" }, - "panelIndex": "9d55a200-501c-45bf-94a9-a3c36744865d", - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-5199984c-035a-4e47-9d4a-d63d01735d8b", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "b98d7344-acd9-4e73-a62b-a34aee54465c", - "type": "index-pattern" - } - ], - "state": { - "datasourceStates": { - "formBased": { - "layers": { - "5199984c-035a-4e47-9d4a-d63d01735d8b": { - "columnOrder": [ - "d42e51f5-5ec7-48ad-80f4-acdd5f9b7f04" - ], - "columns": { - "d42e51f5-5ec7-48ad-80f4-acdd5f9b7f04": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "hadoop.cluster.nodes.lost: *" - }, - "isBucketed": false, - "label": "Lost Nodes", - "operationType": "last_value", - "params": { - "showArrayValues": true, - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "hadoop.cluster.nodes.lost" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "b98d7344-acd9-4e73-a62b-a34aee54465c", - "key": "hadoop.cluster.nodes.lost", - "negate": false, - "type": "exists", - "value": "exists" - }, - "query": { - "exists": { - "field": "hadoop.cluster.nodes.lost" - } - } - } - ], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "accessor": "d42e51f5-5ec7-48ad-80f4-acdd5f9b7f04", - "layerId": "5199984c-035a-4e47-9d4a-d63d01735d8b", - "layerType": 
"data", - "size": "xxl", - "textAlign": "center", - "titlePosition": "bottom" - } - }, - "title": "", - "type": "lens", - "visualizationType": "lnsLegacyMetric" - }, - "enhancements": {}, - "hidePanelTitles": true, - "type": "lens" + { + "id": "metrics-*", + "name": "08fde296-94c6-4dbd-bd1f-77c67e0125e6:c50d822a-587a-4198-90c1-847fe7355fa1", + "type": "index-pattern" }, - "title": "Number of lost nodes [Metrics Hadoop]" - }, - { - "version": "8.7.0", - "type": "lens", - "gridData": { - "h": 5, - "i": "7d51338d-3c9a-4b7a-ae30-6b4efc0d2886", - "w": 8, - "x": 40, - "y": 0 + { + "id": "metrics-*", + "name": "08fde296-94c6-4dbd-bd1f-77c67e0125e6:e78473e3-a006-46cf-bada-e75ab9c4b279", + "type": "index-pattern" }, - "panelIndex": "7d51338d-3c9a-4b7a-ae30-6b4efc0d2886", - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-5199984c-035a-4e47-9d4a-d63d01735d8b", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "1965ff1a-73c8-4f6c-be65-230190b5ca22", - "type": "index-pattern" - } - ], - "state": { - "datasourceStates": { - "formBased": { - "layers": { - "5199984c-035a-4e47-9d4a-d63d01735d8b": { - "columnOrder": [ - "d42e51f5-5ec7-48ad-80f4-acdd5f9b7f04" - ], - "columns": { - "d42e51f5-5ec7-48ad-80f4-acdd5f9b7f04": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "hadoop.cluster.nodes.unhealthy: *" - }, - "isBucketed": false, - "label": "Unhealthy Nodes", - "operationType": "last_value", - "params": { - "showArrayValues": true, - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "hadoop.cluster.nodes.unhealthy" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "1965ff1a-73c8-4f6c-be65-230190b5ca22", - "key": "hadoop.cluster.nodes.unhealthy", - "negate": false, - "type": "exists", - "value": "exists" - 
}, - "query": { - "exists": { - "field": "hadoop.cluster.nodes.unhealthy" - } - } - } - ], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "accessor": "d42e51f5-5ec7-48ad-80f4-acdd5f9b7f04", - "layerId": "5199984c-035a-4e47-9d4a-d63d01735d8b", - "layerType": "data", - "size": "xxl", - "textAlign": "center", - "titlePosition": "bottom" - } - }, - "title": "", - "type": "lens", - "visualizationType": "lnsLegacyMetric" - }, - "enhancements": {}, - "hidePanelTitles": true, - "type": "lens" + { + "id": "metrics-*", + "name": "e4ced3fd-72aa-4091-95cf-39d49d5bb17f:indexpattern-datasource-layer-5199984c-035a-4e47-9d4a-d63d01735d8b", + "type": "index-pattern" }, - "title": "Number of unhealthy nodes [Metrics Hadoop]" - }, - { - "version": "8.7.0", - "type": "lens", - "gridData": { - "h": 18, - "i": "d78560b6-a798-4b6b-b702-252c1319af9c", - "w": 24, - "x": 24, - "y": 5 + { + "id": "metrics-*", + "name": "e4ced3fd-72aa-4091-95cf-39d49d5bb17f:b880f665-29b3-40b9-bd45-459f3105c645", + "type": "index-pattern" }, - "panelIndex": "d78560b6-a798-4b6b-b702-252c1319af9c", - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-faa4a447-faac-4424-9e42-5a29b0ad1137", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "6289f262-f60c-4d6c-9480-c8d037633755", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "c26ffbdc-b9a3-4a13-870a-6e83389b4007", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "70536a90-2ac2-4561-a8ed-1d0b7897fb04", - "type": "index-pattern" - } - ], - "state": { - "datasourceStates": { - "formBased": { - "layers": { - "faa4a447-faac-4424-9e42-5a29b0ad1137": { - "columnOrder": [ - "55139a89-d014-4b5e-9195-8d7874ae4a47", - "aac01fd6-85b3-4678-a105-90b6bfef291a", - "2c271321-b9d9-4fc0-8bb4-0483f527c16b", - "88d60efa-e82b-43e6-bd18-e523c386af79" - ], - "columns": { - "2c271321-b9d9-4fc0-8bb4-0483f527c16b": { - "customLabel": 
true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "hadoop.cluster.applications.pending: *" - }, - "isBucketed": false, - "label": "Pending", - "operationType": "last_value", - "params": { - "showArrayValues": true, - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "hadoop.cluster.applications.pending" - }, - "55139a89-d014-4b5e-9195-8d7874ae4a47": { - "customLabel": true, - "dataType": "date", - "isBucketed": true, - "label": "Timestamp", - "operationType": "date_histogram", - "params": { - "dropPartials": false, - "includeEmptyRows": false, - "interval": "auto" - }, - "scale": "interval", - "sourceField": "@timestamp" - }, - "88d60efa-e82b-43e6-bd18-e523c386af79": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "hadoop.cluster.applications.failed: *" - }, - "isBucketed": false, - "label": "Failed", - "operationType": "last_value", - "params": { - "showArrayValues": true, - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "hadoop.cluster.applications.failed" - }, - "aac01fd6-85b3-4678-a105-90b6bfef291a": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "hadoop.cluster.applications.running: *" - }, - "isBucketed": false, - "label": "Running", - "operationType": "last_value", - "params": { - "showArrayValues": true, - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "hadoop.cluster.applications.running" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "6289f262-f60c-4d6c-9480-c8d037633755", - "key": "hadoop.cluster.applications.running", - "negate": false, - "type": "exists", - "value": "exists" - }, - "query": { - "exists": { - "field": "hadoop.cluster.applications.running" - } - } - }, - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - 
"disabled": false, - "index": "c26ffbdc-b9a3-4a13-870a-6e83389b4007", - "key": "hadoop.cluster.applications.pending", - "negate": false, - "type": "exists", - "value": "exists" - }, - "query": { - "exists": { - "field": "hadoop.cluster.applications.pending" - } - } - }, - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "70536a90-2ac2-4561-a8ed-1d0b7897fb04", - "key": "hadoop.cluster.applications.failed", - "negate": false, - "type": "exists", - "value": "exists" - }, - "query": { - "exists": { - "field": "hadoop.cluster.applications.failed" - } - } - } - ], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "axisTitlesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "gridlinesVisibilitySettings": { - "x": false, - "yLeft": false, - "yRight": true - }, - "layers": [ - { - "accessors": [ - "aac01fd6-85b3-4678-a105-90b6bfef291a", - "2c271321-b9d9-4fc0-8bb4-0483f527c16b", - "88d60efa-e82b-43e6-bd18-e523c386af79" - ], - "layerId": "faa4a447-faac-4424-9e42-5a29b0ad1137", - "layerType": "data", - "position": "top", - "seriesType": "area", - "showGridlines": false, - "xAccessor": "55139a89-d014-4b5e-9195-8d7874ae4a47", - "yConfig": [ - { - "axisMode": "left", - "forAccessor": "aac01fd6-85b3-4678-a105-90b6bfef291a" - }, - { - "axisMode": "left", - "forAccessor": "2c271321-b9d9-4fc0-8bb4-0483f527c16b" - }, - { - "axisMode": "left", - "forAccessor": "88d60efa-e82b-43e6-bd18-e523c386af79" - } - ] - } - ], - "legend": { - "isVisible": true, - "position": "top", - "showSingleSeries": true - }, - "preferredSeriesType": "area", - "title": "Empty XY chart", - "valueLabels": "hide", - "xTitle": "Timestamp", - "yTitle": "Applications" - } - }, - "title": "", - "type": "lens", - "visualizationType": "lnsXY" - }, - "enhancements": {}, - "hidePanelTitles": false, - "type": "lens" + { + "id": "metrics-*", + "name": 
"9d55a200-501c-45bf-94a9-a3c36744865d:indexpattern-datasource-layer-5199984c-035a-4e47-9d4a-d63d01735d8b", + "type": "index-pattern" }, - "title": "Number of applications over time [Metrics Hadoop]" - }, - { - "version": "8.7.0", - "type": "lens", - "gridData": { - "h": 5, - "i": "64c0ea7a-99ee-4c8f-a9cb-e6ea5c855272", - "w": 8, - "x": 0, - "y": 18 + { + "id": "metrics-*", + "name": "9d55a200-501c-45bf-94a9-a3c36744865d:b98d7344-acd9-4e73-a62b-a34aee54465c", + "type": "index-pattern" }, - "panelIndex": "64c0ea7a-99ee-4c8f-a9cb-e6ea5c855272", - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-570232b1-bbba-4ae8-aa47-ed60cfefb8fb", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "446aea27-ddc3-4f7b-8623-2fe664c9af1d", - "type": "index-pattern" - } - ], - "state": { - "datasourceStates": { - "formBased": { - "layers": { - "570232b1-bbba-4ae8-aa47-ed60cfefb8fb": { - "columnOrder": [ - "36a555dc-487f-4e1c-a3ae-2afa0f535519" - ], - "columns": { - "36a555dc-487f-4e1c-a3ae-2afa0f535519": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "hadoop.cluster.containers.allocated: *" - }, - "isBucketed": false, - "label": "Containers Allocated", - "operationType": "last_value", - "params": { - "showArrayValues": true, - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "hadoop.cluster.containers.allocated" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "446aea27-ddc3-4f7b-8623-2fe664c9af1d", - "key": "hadoop.cluster.containers.allocated", - "negate": false, - "type": "exists", - "value": "exists" - }, - "query": { - "exists": { - "field": "hadoop.cluster.containers.allocated" - } - } - } - ], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "accessor": 
"36a555dc-487f-4e1c-a3ae-2afa0f535519", - "layerId": "570232b1-bbba-4ae8-aa47-ed60cfefb8fb", - "layerType": "data", - "size": "xxl", - "textAlign": "center", - "titlePosition": "bottom" - } - }, - "title": "", - "type": "lens", - "visualizationType": "lnsLegacyMetric" - }, - "enhancements": {}, - "hidePanelTitles": true, - "type": "lens" + { + "id": "metrics-*", + "name": "7d51338d-3c9a-4b7a-ae30-6b4efc0d2886:indexpattern-datasource-layer-5199984c-035a-4e47-9d4a-d63d01735d8b", + "type": "index-pattern" }, - "title": "Number of containers allocated [Metrics Hadoop]" - }, - { - "version": "8.7.0", - "type": "lens", - "gridData": { - "h": 5, - "i": "3078cc84-cf45-47c1-9761-a2cf0be99c2e", - "w": 8, - "x": 8, - "y": 18 + { + "id": "metrics-*", + "name": "7d51338d-3c9a-4b7a-ae30-6b4efc0d2886:1965ff1a-73c8-4f6c-be65-230190b5ca22", + "type": "index-pattern" }, - "panelIndex": "3078cc84-cf45-47c1-9761-a2cf0be99c2e", - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-570232b1-bbba-4ae8-aa47-ed60cfefb8fb", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "022a0e4d-13e0-47d7-8fd4-7fc3671f864d", - "type": "index-pattern" - } - ], - "state": { - "datasourceStates": { - "formBased": { - "layers": { - "570232b1-bbba-4ae8-aa47-ed60cfefb8fb": { - "columnOrder": [ - "36a555dc-487f-4e1c-a3ae-2afa0f535519" - ], - "columns": { - "36a555dc-487f-4e1c-a3ae-2afa0f535519": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "hadoop.cluster.containers.pending: *" - }, - "isBucketed": false, - "label": "Containers Pending", - "operationType": "last_value", - "params": { - "showArrayValues": true, - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "hadoop.cluster.containers.pending" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, 
- "index": "022a0e4d-13e0-47d7-8fd4-7fc3671f864d", - "key": "hadoop.cluster.containers.pending", - "negate": false, - "type": "exists", - "value": "exists" - }, - "query": { - "exists": { - "field": "hadoop.cluster.containers.pending" - } - } - } - ], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "accessor": "36a555dc-487f-4e1c-a3ae-2afa0f535519", - "layerId": "570232b1-bbba-4ae8-aa47-ed60cfefb8fb", - "layerType": "data", - "size": "xxl", - "textAlign": "center", - "titlePosition": "bottom" - } - }, - "title": "", - "type": "lens", - "visualizationType": "lnsLegacyMetric" - }, - "enhancements": {}, - "hidePanelTitles": true, - "type": "lens" + { + "id": "metrics-*", + "name": "d78560b6-a798-4b6b-b702-252c1319af9c:indexpattern-datasource-layer-faa4a447-faac-4424-9e42-5a29b0ad1137", + "type": "index-pattern" }, - "title": "Number of containers pending [Metrics Hadoop]" - }, - { - "version": "8.7.0", - "type": "lens", - "gridData": { - "h": 5, - "i": "589a1406-7ccf-49b7-a6b7-618841e3339b", - "w": 8, - "x": 16, - "y": 18 + { + "id": "metrics-*", + "name": "d78560b6-a798-4b6b-b702-252c1319af9c:6289f262-f60c-4d6c-9480-c8d037633755", + "type": "index-pattern" }, - "panelIndex": "589a1406-7ccf-49b7-a6b7-618841e3339b", - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-570232b1-bbba-4ae8-aa47-ed60cfefb8fb", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "d1592d8a-7e50-4768-a449-a05551db392d", - "type": "index-pattern" - } - ], - "state": { - "datasourceStates": { - "formBased": { - "layers": { - "570232b1-bbba-4ae8-aa47-ed60cfefb8fb": { - "columnOrder": [ - "36a555dc-487f-4e1c-a3ae-2afa0f535519" - ], - "columns": { - "36a555dc-487f-4e1c-a3ae-2afa0f535519": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "hadoop.cluster.containers.reserved: *" - }, - "isBucketed": false, - "label": "Containers 
Reserved", - "operationType": "last_value", - "params": { - "showArrayValues": true, - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "hadoop.cluster.containers.reserved" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "d1592d8a-7e50-4768-a449-a05551db392d", - "key": "hadoop.cluster.containers.reserved", - "negate": false, - "type": "exists", - "value": "exists" - }, - "query": { - "exists": { - "field": "hadoop.cluster.containers.reserved" - } - } - } - ], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "accessor": "36a555dc-487f-4e1c-a3ae-2afa0f535519", - "layerId": "570232b1-bbba-4ae8-aa47-ed60cfefb8fb", - "layerType": "data", - "size": "xxl", - "textAlign": "center", - "titlePosition": "bottom" - } - }, - "title": "", - "type": "lens", - "visualizationType": "lnsLegacyMetric" - }, - "enhancements": {}, - "hidePanelTitles": true, - "type": "lens" + { + "id": "metrics-*", + "name": "d78560b6-a798-4b6b-b702-252c1319af9c:c26ffbdc-b9a3-4a13-870a-6e83389b4007", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "d78560b6-a798-4b6b-b702-252c1319af9c:70536a90-2ac2-4561-a8ed-1d0b7897fb04", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "64c0ea7a-99ee-4c8f-a9cb-e6ea5c855272:indexpattern-datasource-layer-570232b1-bbba-4ae8-aa47-ed60cfefb8fb", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "64c0ea7a-99ee-4c8f-a9cb-e6ea5c855272:446aea27-ddc3-4f7b-8623-2fe664c9af1d", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "3078cc84-cf45-47c1-9761-a2cf0be99c2e:indexpattern-datasource-layer-570232b1-bbba-4ae8-aa47-ed60cfefb8fb", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "3078cc84-cf45-47c1-9761-a2cf0be99c2e:022a0e4d-13e0-47d7-8fd4-7fc3671f864d", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": 
"589a1406-7ccf-49b7-a6b7-618841e3339b:indexpattern-datasource-layer-570232b1-bbba-4ae8-aa47-ed60cfefb8fb", + "type": "index-pattern" }, - "title": "Number of containers reserved [Metrics Hadoop]" - } + { + "id": "metrics-*", + "name": "589a1406-7ccf-49b7-a6b7-618841e3339b:d1592d8a-7e50-4768-a449-a05551db392d", + "type": "index-pattern" + } ], - "timeRestore": false, - "title": "[Metrics Hadoop] Cluster overview", - "version": 1 - }, - "references": [ - { - "id": "metrics-*", - "name": "08fde296-94c6-4dbd-bd1f-77c67e0125e6:indexpattern-datasource-layer-35726819-8a70-4f5e-b150-1626c191f380", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "08fde296-94c6-4dbd-bd1f-77c67e0125e6:4b01387d-bd18-4e16-b860-005e4a71e957", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "08fde296-94c6-4dbd-bd1f-77c67e0125e6:d846e0a6-42a9-4840-82e4-f217959a63fb", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "08fde296-94c6-4dbd-bd1f-77c67e0125e6:c50d822a-587a-4198-90c1-847fe7355fa1", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "08fde296-94c6-4dbd-bd1f-77c67e0125e6:e78473e3-a006-46cf-bada-e75ab9c4b279", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "e4ced3fd-72aa-4091-95cf-39d49d5bb17f:indexpattern-datasource-layer-5199984c-035a-4e47-9d4a-d63d01735d8b", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "e4ced3fd-72aa-4091-95cf-39d49d5bb17f:b880f665-29b3-40b9-bd45-459f3105c645", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "9d55a200-501c-45bf-94a9-a3c36744865d:indexpattern-datasource-layer-5199984c-035a-4e47-9d4a-d63d01735d8b", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "9d55a200-501c-45bf-94a9-a3c36744865d:b98d7344-acd9-4e73-a62b-a34aee54465c", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "7d51338d-3c9a-4b7a-ae30-6b4efc0d2886:indexpattern-datasource-layer-5199984c-035a-4e47-9d4a-d63d01735d8b", - "type": "index-pattern" 
- }, - { - "id": "metrics-*", - "name": "7d51338d-3c9a-4b7a-ae30-6b4efc0d2886:1965ff1a-73c8-4f6c-be65-230190b5ca22", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "d78560b6-a798-4b6b-b702-252c1319af9c:indexpattern-datasource-layer-faa4a447-faac-4424-9e42-5a29b0ad1137", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "d78560b6-a798-4b6b-b702-252c1319af9c:6289f262-f60c-4d6c-9480-c8d037633755", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "d78560b6-a798-4b6b-b702-252c1319af9c:c26ffbdc-b9a3-4a13-870a-6e83389b4007", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "d78560b6-a798-4b6b-b702-252c1319af9c:70536a90-2ac2-4561-a8ed-1d0b7897fb04", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "64c0ea7a-99ee-4c8f-a9cb-e6ea5c855272:indexpattern-datasource-layer-570232b1-bbba-4ae8-aa47-ed60cfefb8fb", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "64c0ea7a-99ee-4c8f-a9cb-e6ea5c855272:446aea27-ddc3-4f7b-8623-2fe664c9af1d", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "3078cc84-cf45-47c1-9761-a2cf0be99c2e:indexpattern-datasource-layer-570232b1-bbba-4ae8-aa47-ed60cfefb8fb", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "3078cc84-cf45-47c1-9761-a2cf0be99c2e:022a0e4d-13e0-47d7-8fd4-7fc3671f864d", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "589a1406-7ccf-49b7-a6b7-618841e3339b:indexpattern-datasource-layer-570232b1-bbba-4ae8-aa47-ed60cfefb8fb", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "589a1406-7ccf-49b7-a6b7-618841e3339b:d1592d8a-7e50-4768-a449-a05551db392d", - "type": "index-pattern" - } - ], - "managed": false + "type": "dashboard", + "typeMigrationVersion": "8.9.0" } \ No newline at end of file diff --git a/packages/hadoop/manifest.yml b/packages/hadoop/manifest.yml index 29f4d217e62..95d9a39ed6a 100644 --- a/packages/hadoop/manifest.yml +++ b/packages/hadoop/manifest.yml 
@@ -1,7 +1,7 @@ format_version: "3.0.0" name: hadoop title: Hadoop -version: "1.5.2" +version: "1.6.0" description: Collect metrics from Apache Hadoop with Elastic Agent. type: integration categories: diff --git a/packages/hadoop/validation.yml b/packages/hadoop/validation.yml deleted file mode 100644 index efdb1de132d..00000000000 --- a/packages/hadoop/validation.yml +++ /dev/null @@ -1,4 +0,0 @@ -errors: - exclude_checks: - - SVR00004 - - SVR00002 From efff6d2566bdda09f9f85c0bb4f9bac89f238116 Mon Sep 17 00:00:00 2001 
From: Thijs Xhaflaire Date: Thu, 20 Jun 2024 05:51:17 +0200 Subject: [PATCH 030/105] [Jamf Protect] - add support for new Telemetry Data Stream (#10152) Jamf Protect contains a feature called Telemetry; this feature will soon migrate to a new data model. The existing version of Telemetry will remain available and will be renamed to Telemetry (Legacy). This PR makes the integration compatible with the upcoming changes by adding a new `telemetry_legacy` data stream for the existing format and moving the `telemetry` data stream to the new one. --- .../jamf_protect/_dev/build/docs/README.md | 2 +- .../_dev/deploy/docker/docker-compose.yml | 8 + .../docker/sample_logs/telemetry-legacy.log | 1 + .../deploy/docker/sample_logs/telemetry.log | 2 +- packages/jamf_protect/changelog.yml | 5 + .../data_stream/alerts/sample_event.json | 14 +- ...est-jamf-protect-telemetry-sample-logs.log | 39 +- ...ct-telemetry-sample-logs.log-expected.json | 4044 ++++++++++++++--- .../telemetry/agent/stream/aws-s3.yml.hbs | 2 +- .../elasticsearch/ingest_pipeline/default.yml | 401 +- .../pipeline_event_authentication.yml | 478 ++ .../pipeline_event_bios_uefi.yml | 22 + .../pipeline_event_btm_launch_item_add.yml | 356 ++ .../pipeline_event_btm_launch_item_remove.yml | 384 ++ .../ingest_pipeline/pipeline_event_chroot.yml | 22 + .../pipeline_event_cs_invalidated.yml | 15 + .../ingest_pipeline/pipeline_event_exec.yml | 196 + .../pipeline_event_file_collection.yml | 19 + .../pipeline_event_kextload.yml | 26 + .../pipeline_event_kextunload.yml | 26 + .../pipeline_event_log_collection.yml | 19 + .../pipeline_event_login_login.yml | 44 + .../pipeline_event_login_logout.yml | 30 + .../pipeline_event_lw_session_lock.yml | 30 + .../pipeline_event_lw_session_login.yml | 30 + .../pipeline_event_lw_session_logout.yml | 30 + .../pipeline_event_lw_session_unlock.yml | 30 + .../ingest_pipeline/pipeline_event_mount.yml | 34 + .../pipeline_event_od_attribute_set.yml | 199 + .../pipeline_event_od_attribute_value_add.yml | 198 + ...peline_event_od_attribute_value_remove.yml | 198 + .../pipeline_event_od_create_group.yml | 189 + 
.../pipeline_event_od_create_user.yml | 189 + .../pipeline_event_od_delete_group.yml | 189 + .../pipeline_event_od_delete_user.yml | 189 + .../pipeline_event_od_disable_user.yml | 189 + .../pipeline_event_od_enable_user.yml | 189 + .../pipeline_event_od_group_add.yml | 189 + .../pipeline_event_od_group_remove.yml | 189 + .../pipeline_event_od_group_set.yml | 189 + .../pipeline_event_od_modify_password.yml | 277 ++ .../pipeline_event_openssh_login.yml | 83 + .../pipeline_event_openssh_logout.yml | 59 + .../pipeline_event_profile_add.yml | 212 + .../pipeline_event_profile_remove.yml | 206 + .../pipeline_event_remount.yml | 34 + .../pipeline_event_screensharing_attach.yml | 87 + .../pipeline_event_screensharing_detach.yml | 51 + .../pipeline_event_settime.yml | 21 + .../ingest_pipeline/pipeline_event_su.yml | 100 + .../ingest_pipeline/pipeline_event_sudo.yml | 32 + .../pipeline_event_system_performance.yml | 21 + .../pipeline_event_unmount.yml | 34 + .../pipeline_event_xp_malware_detected.yml | 29 + .../pipeline_event_xp_malware_remediated.yml | 47 + .../pipeline_instigator_object.yml | 81 + .../pipeline_object_process.yml | 164 + .../data_stream/telemetry/fields/ecs.yml | 419 +- .../data_stream/telemetry/fields/fields.yml | 889 +--- .../data_stream/telemetry/manifest.yml | 2 +- .../data_stream/telemetry/sample_event.json | 220 +- ...f-protect-telemetry-legacy-sample-logs.log | 7 + ...metry-legacy-sample-logs.log-expected.json | 885 ++++ .../test/system/test-http-endpoint-config.yml | 8 + .../agent/stream/aws-s3.yml.hbs | 118 + .../agent/stream/http_endpoint.yml.hbs | 35 + .../elasticsearch/ingest_pipeline/default.yml | 54 + .../ingest_pipeline/pipeline_audit.yml | 0 .../ingest_pipeline/pipeline_aue_accept.yml | 0 .../pipeline_aue_arguments.yml | 0 .../ingest_pipeline/pipeline_aue_auth.yml | 0 .../pipeline_aue_bind_and_aue_connect.yml | 0 .../ingest_pipeline/pipeline_aue_chdir.yml | 0 .../ingest_pipeline/pipeline_aue_chroot.yml | 0 
.../ingest_pipeline/pipeline_aue_execve.yml | 0 .../ingest_pipeline/pipeline_aue_exit.yml | 0 .../ingest_pipeline/pipeline_aue_fork.yml | 0 .../ingest_pipeline/pipeline_aue_kill.yml | 0 .../ingest_pipeline/pipeline_aue_listen.yml | 0 .../ingest_pipeline/pipeline_aue_logout.yml | 0 .../ingest_pipeline/pipeline_aue_mount.yml | 0 .../pipeline_aue_pidfortask.yml | 0 .../pipeline_aue_posix_spawn.yml | 0 ...remove_from_group_and_aue_mac_set_proc.yml | 0 .../ingest_pipeline/pipeline_aue_session.yml | 0 .../pipeline_aue_setpriority.yml | 0 .../pipeline_aue_socketpair.yml | 0 .../pipeline_aue_ssauthint.yml | 0 .../pipeline_aue_taskforpid.yml | 0 .../pipeline_aue_tasknameforpid.yml | 0 .../ingest_pipeline/pipeline_aue_unmount.yml | 0 .../ingest_pipeline/pipeline_event.yml | 0 .../pipeline_exec_chain_child_object.yml | 0 .../pipeline_identity_object.yml | 0 .../pipeline_process_object.yml | 0 .../pipeline_system_performance_metrics.yml | 0 .../telemetry_legacy/fields/agent.yml | 183 + .../telemetry_legacy/fields/base-fields.yml | 20 + .../telemetry_legacy/fields/ecs.yml | 84 + .../telemetry_legacy/fields/fields.yml | 656 +++ .../data_stream/telemetry_legacy/manifest.yml | 166 + .../telemetry_legacy/sample_event.json | 168 + ...otect-threat-sample-logs.log-expected.json | 8 + .../elasticsearch/ingest_pipeline/default.yml | 3 + .../web_threat_events/sample_event.json | 15 +- ...tect-traffic-sample-logs.log-expected.json | 6 + .../elasticsearch/ingest_pipeline/default.yml | 3 + .../web_traffic_events/sample_event.json | 15 +- packages/jamf_protect/docs/README.md | 698 ++- packages/jamf_protect/manifest.yml | 2 +- 110 files changed, 12835 insertions(+), 1972 deletions(-) create mode 100644 packages/jamf_protect/_dev/deploy/docker/sample_logs/telemetry-legacy.log create mode 100644 packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_authentication.yml create mode 100644 
packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_bios_uefi.yml create mode 100644 packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_btm_launch_item_add.yml create mode 100644 packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_btm_launch_item_remove.yml create mode 100644 packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_chroot.yml create mode 100644 packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_cs_invalidated.yml create mode 100644 packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_exec.yml create mode 100644 packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_file_collection.yml create mode 100644 packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_kextload.yml create mode 100644 packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_kextunload.yml create mode 100644 packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_log_collection.yml create mode 100644 packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_login_login.yml create mode 100644 packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_login_logout.yml create mode 100644 packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_lw_session_lock.yml create mode 100644 packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_lw_session_login.yml create mode 100644 packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_lw_session_logout.yml create mode 100644 packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_lw_session_unlock.yml 
create mode 100644 packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_mount.yml create mode 100644 packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_od_attribute_set.yml create mode 100644 packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_od_attribute_value_add.yml create mode 100644 packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_od_attribute_value_remove.yml create mode 100644 packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_od_create_group.yml create mode 100644 packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_od_create_user.yml create mode 100644 packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_od_delete_group.yml create mode 100644 packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_od_delete_user.yml create mode 100644 packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_od_disable_user.yml create mode 100644 packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_od_enable_user.yml create mode 100644 packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_od_group_add.yml create mode 100644 packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_od_group_remove.yml create mode 100644 packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_od_group_set.yml create mode 100644 packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_od_modify_password.yml create mode 100644 packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_openssh_login.yml create mode 100644 
packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_openssh_logout.yml create mode 100644 packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_profile_add.yml create mode 100644 packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_profile_remove.yml create mode 100644 packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_remount.yml create mode 100644 packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_screensharing_attach.yml create mode 100644 packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_screensharing_detach.yml create mode 100644 packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_settime.yml create mode 100644 packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_su.yml create mode 100644 packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_sudo.yml create mode 100644 packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_system_performance.yml create mode 100644 packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_unmount.yml create mode 100644 packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_xp_malware_detected.yml create mode 100644 packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_xp_malware_remediated.yml create mode 100644 packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_instigator_object.yml create mode 100644 packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_object_process.yml create mode 100644 packages/jamf_protect/data_stream/telemetry_legacy/_dev/test/pipeline/test-jamf-protect-telemetry-legacy-sample-logs.log 
create mode 100644 packages/jamf_protect/data_stream/telemetry_legacy/_dev/test/pipeline/test-jamf-protect-telemetry-legacy-sample-logs.log-expected.json create mode 100644 packages/jamf_protect/data_stream/telemetry_legacy/_dev/test/system/test-http-endpoint-config.yml create mode 100644 packages/jamf_protect/data_stream/telemetry_legacy/agent/stream/aws-s3.yml.hbs create mode 100644 packages/jamf_protect/data_stream/telemetry_legacy/agent/stream/http_endpoint.yml.hbs create mode 100644 packages/jamf_protect/data_stream/telemetry_legacy/elasticsearch/ingest_pipeline/default.yml rename packages/jamf_protect/data_stream/{telemetry => telemetry_legacy}/elasticsearch/ingest_pipeline/pipeline_audit.yml (100%) rename packages/jamf_protect/data_stream/{telemetry => telemetry_legacy}/elasticsearch/ingest_pipeline/pipeline_aue_accept.yml (100%) rename packages/jamf_protect/data_stream/{telemetry => telemetry_legacy}/elasticsearch/ingest_pipeline/pipeline_aue_arguments.yml (100%) rename packages/jamf_protect/data_stream/{telemetry => telemetry_legacy}/elasticsearch/ingest_pipeline/pipeline_aue_auth.yml (100%) rename packages/jamf_protect/data_stream/{telemetry => telemetry_legacy}/elasticsearch/ingest_pipeline/pipeline_aue_bind_and_aue_connect.yml (100%) rename packages/jamf_protect/data_stream/{telemetry => telemetry_legacy}/elasticsearch/ingest_pipeline/pipeline_aue_chdir.yml (100%) rename packages/jamf_protect/data_stream/{telemetry => telemetry_legacy}/elasticsearch/ingest_pipeline/pipeline_aue_chroot.yml (100%) rename packages/jamf_protect/data_stream/{telemetry => telemetry_legacy}/elasticsearch/ingest_pipeline/pipeline_aue_execve.yml (100%) rename packages/jamf_protect/data_stream/{telemetry => telemetry_legacy}/elasticsearch/ingest_pipeline/pipeline_aue_exit.yml (100%) rename packages/jamf_protect/data_stream/{telemetry => telemetry_legacy}/elasticsearch/ingest_pipeline/pipeline_aue_fork.yml (100%) rename packages/jamf_protect/data_stream/{telemetry => 
telemetry_legacy}/elasticsearch/ingest_pipeline/pipeline_aue_kill.yml (100%) rename packages/jamf_protect/data_stream/{telemetry => telemetry_legacy}/elasticsearch/ingest_pipeline/pipeline_aue_listen.yml (100%) rename packages/jamf_protect/data_stream/{telemetry => telemetry_legacy}/elasticsearch/ingest_pipeline/pipeline_aue_logout.yml (100%) rename packages/jamf_protect/data_stream/{telemetry => telemetry_legacy}/elasticsearch/ingest_pipeline/pipeline_aue_mount.yml (100%) rename packages/jamf_protect/data_stream/{telemetry => telemetry_legacy}/elasticsearch/ingest_pipeline/pipeline_aue_pidfortask.yml (100%) rename packages/jamf_protect/data_stream/{telemetry => telemetry_legacy}/elasticsearch/ingest_pipeline/pipeline_aue_posix_spawn.yml (100%) rename packages/jamf_protect/data_stream/{telemetry => telemetry_legacy}/elasticsearch/ingest_pipeline/pipeline_aue_remove_from_group_and_aue_mac_set_proc.yml (100%) rename packages/jamf_protect/data_stream/{telemetry => telemetry_legacy}/elasticsearch/ingest_pipeline/pipeline_aue_session.yml (100%) rename packages/jamf_protect/data_stream/{telemetry => telemetry_legacy}/elasticsearch/ingest_pipeline/pipeline_aue_setpriority.yml (100%) rename packages/jamf_protect/data_stream/{telemetry => telemetry_legacy}/elasticsearch/ingest_pipeline/pipeline_aue_socketpair.yml (100%) rename packages/jamf_protect/data_stream/{telemetry => telemetry_legacy}/elasticsearch/ingest_pipeline/pipeline_aue_ssauthint.yml (100%) rename packages/jamf_protect/data_stream/{telemetry => telemetry_legacy}/elasticsearch/ingest_pipeline/pipeline_aue_taskforpid.yml (100%) rename packages/jamf_protect/data_stream/{telemetry => telemetry_legacy}/elasticsearch/ingest_pipeline/pipeline_aue_tasknameforpid.yml (100%) rename packages/jamf_protect/data_stream/{telemetry => telemetry_legacy}/elasticsearch/ingest_pipeline/pipeline_aue_unmount.yml (100%) rename packages/jamf_protect/data_stream/{telemetry => 
telemetry_legacy}/elasticsearch/ingest_pipeline/pipeline_event.yml (100%) rename packages/jamf_protect/data_stream/{telemetry => telemetry_legacy}/elasticsearch/ingest_pipeline/pipeline_exec_chain_child_object.yml (100%) rename packages/jamf_protect/data_stream/{telemetry => telemetry_legacy}/elasticsearch/ingest_pipeline/pipeline_identity_object.yml (100%) rename packages/jamf_protect/data_stream/{telemetry => telemetry_legacy}/elasticsearch/ingest_pipeline/pipeline_process_object.yml (100%) rename packages/jamf_protect/data_stream/{telemetry => telemetry_legacy}/elasticsearch/ingest_pipeline/pipeline_system_performance_metrics.yml (100%) create mode 100644 packages/jamf_protect/data_stream/telemetry_legacy/fields/agent.yml create mode 100644 packages/jamf_protect/data_stream/telemetry_legacy/fields/base-fields.yml create mode 100644 packages/jamf_protect/data_stream/telemetry_legacy/fields/ecs.yml create mode 100644 packages/jamf_protect/data_stream/telemetry_legacy/fields/fields.yml create mode 100644 packages/jamf_protect/data_stream/telemetry_legacy/manifest.yml create mode 100644 packages/jamf_protect/data_stream/telemetry_legacy/sample_event.json diff --git a/packages/jamf_protect/_dev/build/docs/README.md b/packages/jamf_protect/_dev/build/docs/README.md index 3caa70f154c..e76ec4f8f01 100644 --- a/packages/jamf_protect/_dev/build/docs/README.md +++ b/packages/jamf_protect/_dev/build/docs/README.md @@ -122,4 +122,4 @@ This is the `Network Traffic Stream` dataset. {{event "web_traffic_events"}} -{{fields "web_traffic_events"}} \ No newline at end of file +{{fields "web_traffic_events"}} diff --git a/packages/jamf_protect/_dev/deploy/docker/docker-compose.yml b/packages/jamf_protect/_dev/deploy/docker/docker-compose.yml index fd79353dde7..095d27ae16c 100644 --- a/packages/jamf_protect/_dev/deploy/docker/docker-compose.yml +++ b/packages/jamf_protect/_dev/deploy/docker/docker-compose.yml 
@@ -16,6 +16,14 @@ services: - STREAM_PROTOCOL=webhook - STREAM_ADDR=http://elastic-agent:9550/ command: log --start-signal=SIGHUP --delay=5s /sample_logs/telemetry.log + jamf-protect-telemetry-legacy-http-endpoint: + image: docker.elastic.co/observability/stream:v0.15.0 + volumes: + - ./sample_logs:/sample_logs:ro + environment: + - STREAM_PROTOCOL=webhook + - STREAM_ADDR=http://elastic-agent:9555/ + command: log --start-signal=SIGHUP --delay=5s /sample_logs/telemetry-legacy.log jamf-protect-webthreats-http-endpoint: image: docker.elastic.co/observability/stream:v0.15.0 volumes: diff --git a/packages/jamf_protect/_dev/deploy/docker/sample_logs/telemetry-legacy.log b/packages/jamf_protect/_dev/deploy/docker/sample_logs/telemetry-legacy.log new file mode 100644 index 00000000000..8f9ee859774 --- /dev/null +++ b/packages/jamf_protect/_dev/deploy/docker/sample_logs/telemetry-legacy.log 
@@ -0,0 +1 @@ +{"arguments":{"child_PID":70851},"attributes":{"device":0,"file_access_mode":33261,"file_system_id":16777229,"node_id":632456,"owner_group_id":0,"owner_group_name":"wheel","owner_user_id":0,"owner_user_name":"root"},"exec_args":{"args":{"1":"/usr/bin/profiles","2":"status","3":"-type","4":"enrollment"},"args_compiled":"/usr/bin/profiles,status,-type,enrollment"},"exec_chain":{"thread_uuid":"EB3B7725-EB0E-4710-BCA6-F390DD9AE309"},"exec_chain_parent":{"uuid":"87F2E500-EDF1-4F12-A489-C5E05B0F523E"},"exec_env":{"env":{"PATH":"/usr/bin:/bin:/usr/sbin:/sbin","PWD":"/"},"env_compiled":"PWD=/,PATH=/usr/bin:/bin:/usr/sbin:/sbin"},"header":{"event_id":43190,"event_modifier":0,"event_name":"AUE_POSIX_SPAWN","time_milliseconds_offset":442,"time_seconds_epoch":1707235294,"version":11},"host_info":{"host_name":"Mac mini","host_uuid":"AE2FA359-6AB0-5F54-9E4A-39EDCF015C91","osversion":"Version 14.2.1 (Build 23C71)","serial_number":"H2WGF2U9Q6NV"},"identity":{"cd_hash":"a2c787fe5e26ead7c68909e45a75edced4147c68","signer_id":"com.microsoft.EdgeUpdater","signer_id_truncated":false,"signer_type":0,"team_id":"UBF8T346G9","team_id_truncated":false},"key":"FF48B7F5-C8CD-42E6-8782-5A92D1BD87CE","path":["/usr/bin/profiles","/usr/bin/profiles"],"return":{"description":"success","error":0,"return_value":0},"subject":{"audit_id":4294967295,"audit_user_name":"","effective_group_id":0,"effective_group_name":"wheel","effective_user_id":0,"effective_user_name":"root","group_id":0,"group_name":"wheel","process_hash":"9cfc802baf45b74693d146686ebe9ec59ac6367f","process_id":70848,"process_name":"/Library/Application Support/Microsoft/EdgeUpdater/118.0.2088.86/EdgeUpdater.app/Contents/MacOS/EdgeUpdater","responsible_process_id":70837,"responsible_process_name":"/Library/Application Support/Microsoft/EdgeUpdater/118.0.2088.86/EdgeUpdater.app/Contents/MacOS/EdgeUpdater","session_id":100016,"terminal_id":{"ip_address":"0.0.0.0","port":0,"type":4},"user_id":0,"user_name":"root"}} \ No 
newline at end of file diff --git a/packages/jamf_protect/_dev/deploy/docker/sample_logs/telemetry.log b/packages/jamf_protect/_dev/deploy/docker/sample_logs/telemetry.log index 8f9ee859774..fa4a2669918 100644 --- a/packages/jamf_protect/_dev/deploy/docker/sample_logs/telemetry.log +++ b/packages/jamf_protect/_dev/deploy/docker/sample_logs/telemetry.log 
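Review bot: The identifiers in the new legacy fixture look like real hardware values rather than synthetic ones — `"serial_number":"H2WGF2U9Q6NV"` has the shape of an Apple device serial and `"host_uuid":"AE2FA359-6AB0-5F54-9E4A-39EDCF015C91"` of a platform UUID — whereas the new-format sample written to telemetry.log in this same patch uses an obviously fake `"serial":"123ABC456DJ"`. If these were captured from a real machine, replace them with clearly fabricated values of the same format so a public fixture does not tie an identifiable device to the `com.microsoft.EdgeUpdater` root-session activity it records. This record appears to be the line moved out of telemetry.log, so the same question applies to the pre-existing content and to the copy in the pipeline test log.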
@@ -1 +1 @@ -{"arguments":{"child_PID":70851},"attributes":{"device":0,"file_access_mode":33261,"file_system_id":16777229,"node_id":632456,"owner_group_id":0,"owner_group_name":"wheel","owner_user_id":0,"owner_user_name":"root"},"exec_args":{"args":{"1":"/usr/bin/profiles","2":"status","3":"-type","4":"enrollment"},"args_compiled":"/usr/bin/profiles,status,-type,enrollment"},"exec_chain":{"thread_uuid":"EB3B7725-EB0E-4710-BCA6-F390DD9AE309"},"exec_chain_parent":{"uuid":"87F2E500-EDF1-4F12-A489-C5E05B0F523E"},"exec_env":{"env":{"PATH":"/usr/bin:/bin:/usr/sbin:/sbin","PWD":"/"},"env_compiled":"PWD=/,PATH=/usr/bin:/bin:/usr/sbin:/sbin"},"header":{"event_id":43190,"event_modifier":0,"event_name":"AUE_POSIX_SPAWN","time_milliseconds_offset":442,"time_seconds_epoch":1707235294,"version":11},"host_info":{"host_name":"Mac mini","host_uuid":"AE2FA359-6AB0-5F54-9E4A-39EDCF015C91","osversion":"Version 14.2.1 (Build 23C71)","serial_number":"H2WGF2U9Q6NV"},"identity":{"cd_hash":"a2c787fe5e26ead7c68909e45a75edced4147c68","signer_id":"com.microsoft.EdgeUpdater","signer_id_truncated":false,"signer_type":0,"team_id":"UBF8T346G9","team_id_truncated":false},"key":"FF48B7F5-C8CD-42E6-8782-5A92D1BD87CE","path":["/usr/bin/profiles","/usr/bin/profiles"],"return":{"description":"success","error":0,"return_value":0},"subject":{"audit_id":4294967295,"audit_user_name":"","effective_group_id":0,"effective_group_name":"wheel","effective_user_id":0,"effective_user_name":"root","group_id":0,"group_name":"wheel","process_hash":"9cfc802baf45b74693d146686ebe9ec59ac6367f","process_id":70848,"process_name":"/Library/Application Support/Microsoft/EdgeUpdater/118.0.2088.86/EdgeUpdater.app/Contents/MacOS/EdgeUpdater","responsible_process_id":70837,"responsible_process_name":"/Library/Application Support/Microsoft/EdgeUpdater/118.0.2088.86/EdgeUpdater.app/Contents/MacOS/EdgeUpdater","session_id":100016,"terminal_id":{"ip_address":"0.0.0.0","port":0,"type":4},"user_id":0,"user_name":"root"}} \ No newline 
at end of file +{"action":{"result":{"result":{"auth":1},"result_type":0}},"action_type":1,"deadline":0,"event":{"exec":{"args":["/bin/zsh","-c","/var/folders/fm/j970swbn73dfnkjgsqjxxvj40000gp/T/eicar"],"cwd":{"path":"/","path_truncated":false,"stat":{"st_atimespec":"2024-05-07T07:01:44.000Z","st_birthtimespec":"2024-05-07T07:01:44.000Z","st_blksize":4096,"st_blocks":0,"st_ctimespec":"2024-05-07T07:01:44.000Z","st_dev":16777231,"st_flags":1048576,"st_gen":0,"st_gid":0,"st_ino":2,"st_mode":16877,"st_mtimespec":"2024-05-07T07:01:44.000Z","st_nlink":20,"st_rdev":0,"st_size":640,"st_uid":0}},"dyld_exec_path":"/bin/zsh","env":["USER=jappleseed","COMMAND_MODE=unix2003","__CFBundleIdentifier=com.txhaflaire.JamfCheck","PATH=/usr/bin:/bin:/usr/sbin:/sbin","LOGNAME=jappleseed","SSH_AUTH_SOCK=/private/tmp/com.apple.launchd.Ah3WvMOC65/Listeners","HOME=/Users/jappleseed","SHELL=/bin/zsh","TMPDIR=/var/folders/fm/j970swbn73dfnkjgsqjxxvj40000gp/T/","__CF_USER_TEXT_ENCODING=0x1F6:0x0:0x0","XPC_SERVICE_NAME=application.com.txhaflaire.JamfCheck.30852344.30852350","XPC_FLAGS=0x0"],"fds":[{"fd":0,"fdtype":1},{"fd":1,"fdtype":1},{"fd":2,"fdtype":1}],"image_cpusubtype":-2147483646,"image_cputype":16777228,"last_fd":2,"target":{"audit_token":{"asid":100012,"auid":502,"egid":20,"euid":502,"pid":91306,"pidversion":546968,"rgid":20,"ruid":502,"uuid":"1278137C-15D6-53CE-AB0A-FC9499BC8E05"},"cdhash":"23c70bd9b41017f9878af49bc2c46f7c8a70680b","codesigning_flags":570493697,"executable":{"path":"/bin/zsh","path_truncated":false,"stat":{"st_atimespec":"2024-05-07T07:01:44.000Z","st_birthtimespec":"2024-05-07T07:01:44.000Z","st_blksize":4096,"st_blocks":1472,"st_ctimespec":"2024-05-07T07:01:44.000Z","st_dev":16777231,"st_flags":524320,"st_gen":0,"st_gid":0,"st_ino":1152921500312524830,"st_mode":33261,"st_mtimespec":"2024-05-07T07:01:44.000Z","st_nlink":1,"st_rdev":0,"st_size":1361200,"st_uid":0}},"group_id":91306,"is_es_client":false,"is_platform_binary":true,"original_ppid":64632,"parent_audit_toke
n":{"asid":100012,"auid":502,"egid":20,"euid":502,"pid":64632,"pidversion":466330,"rgid":20,"ruid":502,"uuid":"A7EDC884-C034-50E7-A3AA-2E281B3E0777"},"ppid":64632,"responsible_audit_token":{"asid":100012,"auid":502,"egid":20,"euid":502,"pid":64632,"pidversion":466330,"rgid":20,"ruid":502,"uuid":"A7EDC884-C034-50E7-A3AA-2E281B3E0777"},"session_id":1,"signing_id":"com.apple.zsh","start_time":"2024-05-31T09:47:12.000Z"}}},"event_type":9,"glob_seq_num":202,"host":{"hostname":"MacBookPro","ips":["192.168.11.251","192.168.64.1","192.168.11.232"],"os":"Version 14.5 (Build 23F79)","protectVersion":"5.5.0.6","provisioningUDID":"00006030-001E301C0228001C","serial":"123ABC456DJ"},"mach_time":5362529651384,"metadata":{"product":"Device Telemetry Stream","schemaVersion":"1.0","vendor":"Jamf"},"process":{"audit_token":{"asid":100012,"auid":502,"egid":20,"euid":502,"pid":91306,"pidversion":546967,"rgid":20,"ruid":502,"uuid":"C9D6DF39-0239-57A1-AEFC-9D6B53AF2687"},"cdhash":"31c0815ee1b3904a826405c6fb9bc1e3ebae2b79","codesigning_flags":570503953,"executable":{"path":"/Applications/JamfCheck.app/Contents/MacOS/JamfCheck","path_truncated":false,"stat":{"st_atimespec":"2024-05-31T00:03:43.455Z","st_birthtimespec":"2024-05-16T12:02:51.000Z","st_blksize":4096,"st_blocks":6048,"st_ctimespec":"2024-05-16T13:40:19.640Z","st_dev":16777231,"st_flags":0,"st_gen":0,"st_gid":80,"st_ino":30852350,"st_mode":33261,"st_mtimespec":"2024-05-16T12:02:51.000Z","st_nlink":1,"st_rdev":0,"st_size":3094752,"st_uid":0}},"group_id":64632,"is_es_client":false,"is_platform_binary":false,"original_ppid":64632,"parent_audit_token":{"asid":100012,"auid":502,"egid":20,"euid":502,"pid":64632,"pidversion":466330,"rgid":20,"ruid":502,"uuid":"A7EDC884-C034-50E7-A3AA-2E281B3E0777"},"ppid":64632,"responsible_audit_token":{"asid":100012,"auid":502,"egid":20,"euid":502,"pid":64632,"pidversion":466330,"rgid":20,"ruid":502,"uuid":"A7EDC884-C034-50E7-A3AA-2E281B3E0777"},"session_id":1,"signing_id":"com.txhaflaire.JamfCheck","
start_time":"2024-05-31T09:47:12.000Z","team_id":"CLQKFNPCCP"},"seq_num":190,"thread":{"thread_id":5215860,"uuid":"A052B956-572A-5458-8FB8-C9296E00E156"},"time":"2024-05-31T09:47:12.436Z","uuid":"CDB31202-8CB4-4C72-A9C6-7F494CD5F598","version":7} diff --git a/packages/jamf_protect/changelog.yml b/packages/jamf_protect/changelog.yml index a2e4c2ad900..9d89330ef53 100644 --- a/packages/jamf_protect/changelog.yml +++ b/packages/jamf_protect/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "2.0.0" + changes: + - description: Adding support for new Telemetry stream. + type: enhancement + link: https://github.com/elastic/integrations/pull/10152 - version: "1.0.0" changes: - description: Release package as GA. diff --git a/packages/jamf_protect/data_stream/alerts/sample_event.json b/packages/jamf_protect/data_stream/alerts/sample_event.json index dac7837bbb6..ef8cb0292bf 100644 --- a/packages/jamf_protect/data_stream/alerts/sample_event.json +++ b/packages/jamf_protect/data_stream/alerts/sample_event.json @@ -1,11 +1,11 @@ { - "@timestamp": "2024-05-17T00:09:29.807Z", + "@timestamp": "2024-06-12T21:15:48.751Z", "agent": { - "ephemeral_id": "dd1cb398-e758-40c0-87b6-4ce4fb3611b2", - "id": "c3650180-e3d1-4dad-9094-89c988e721d7", + "ephemeral_id": "f61f65a0-cfe1-43bc-8b7e-b2bec2ad3fe1", + "id": "8e815812-b6dc-4364-9622-da2462209a37", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.13.0" + "version": "8.13.2" }, "data_stream": { "dataset": "jamf_protect.alerts", @@ -16,9 +16,9 @@ "version": "8.11.0" }, "elastic_agent": { - "id": "c3650180-e3d1-4dad-9094-89c988e721d7", + "id": "8e815812-b6dc-4364-9622-da2462209a37", "snapshot": false, - "version": "8.13.0" + "version": "8.13.2" }, "event": { "action": "CustomURLHandlerCreation", 
@@ -29,7 +29,7 @@ ], "dataset": "jamf_protect.alerts", "id": "6bdb0697-6d07-47bc-a37d-6c3348a5d953", - "ingested": "2024-05-17T00:09:39Z", + "ingested": "2024-06-12T21:15:58Z", "kind": "alert", "provider": "Jamf Protect", "reason": "Application that uses custom url handler created", diff --git a/packages/jamf_protect/data_stream/telemetry/_dev/test/pipeline/test-jamf-protect-telemetry-sample-logs.log b/packages/jamf_protect/data_stream/telemetry/_dev/test/pipeline/test-jamf-protect-telemetry-sample-logs.log index 5d88378a17a..d07dcf54e99 100644 --- a/packages/jamf_protect/data_stream/telemetry/_dev/test/pipeline/test-jamf-protect-telemetry-sample-logs.log +++ b/packages/jamf_protect/data_stream/telemetry/_dev/test/pipeline/test-jamf-protect-telemetry-sample-logs.log 
@@ -1,7 +1,32 @@
-{"arguments":{"child_PID":70851},"attributes":{"device":0,"file_access_mode":33261,"file_system_id":16777229,"node_id":632456,"owner_group_id":0,"owner_group_name":"wheel","owner_user_id":0,"owner_user_name":"root"},"exec_args":{"args":{"1":"/usr/bin/profiles","2":"status","3":"-type","4":"enrollment"},"args_compiled":"/usr/bin/profiles,status,-type,enrollment"},"exec_chain":{"thread_uuid":"EB3B7725-EB0E-4710-BCA6-F390DD9AE309"},"exec_chain_parent":{"uuid":"87F2E500-EDF1-4F12-A489-C5E05B0F523E"},"exec_env":{"env":{"PATH":"/usr/bin:/bin:/usr/sbin:/sbin","PWD":"/"},"env_compiled":"PWD=/,PATH=/usr/bin:/bin:/usr/sbin:/sbin"},"header":{"event_id":43190,"event_modifier":0,"event_name":"AUE_POSIX_SPAWN","time_milliseconds_offset":442,"time_seconds_epoch":1707235294,"version":11},"host_info":{"host_name":"Mac mini","host_uuid":"AE2FA359-6AB0-5F54-9E4A-39EDCF015C91","osversion":"Version 14.2.1 (Build 23C71)","serial_number":"H2WGF2U9Q6NV"},"identity":{"cd_hash":"a2c787fe5e26ead7c68909e45a75edced4147c68","signer_id":"com.microsoft.EdgeUpdater","signer_id_truncated":false,"signer_type":0,"team_id":"UBF8T346G9","team_id_truncated":false},"key":"FF48B7F5-C8CD-42E6-8782-5A92D1BD87CE","path":["/usr/bin/profiles","/usr/bin/profiles"],"return":{"description":"success","error":0,"return_value":0},"subject":{"audit_id":4294967295,"audit_user_name":"","effective_group_id":0,"effective_group_name":"wheel","effective_user_id":0,"effective_user_name":"root","group_id":0,"group_name":"wheel","process_hash":"9cfc802baf45b74693d146686ebe9ec59ac6367f","process_id":70848,"process_name":"/Library/Application Support/Microsoft/EdgeUpdater/118.0.2088.86/EdgeUpdater.app/Contents/MacOS/EdgeUpdater","responsible_process_id":70837,"responsible_process_name":"/Library/Application Support/Microsoft/EdgeUpdater/118.0.2088.86/EdgeUpdater.app/Contents/MacOS/EdgeUpdater","session_id":100016,"terminal_id":{"ip_address":"0.0.0.0","port":0,"type":4},"user_id":0,"user_name":"root"}}
-{"arguments":{"child_PID":70848},"attributes":{"device":0,"file_access_mode":33261,"file_system_id":16777229,"node_id":63665431,"owner_group_id":80,"owner_group_name":"admin","owner_user_id":0,"owner_user_name":"root"},"exec_args":{"args":{"1":"EdgeUpdater","2":"--server","3":"--service=update","4":"--enable-logging","5":"--vmodule=*/components/update_client/*=2,*/chrome/updater/*=2","6":"--system"},"args_compiled":"EdgeUpdater,--server,--service=update,--enable-logging,--vmodule=*/components/update_client/*=2,*/chrome/updater/*=2,--system"},"exec_chain":{"thread_uuid":"19B9384C-9C21-4C6C-9954-355AD780910C"},"exec_chain_child":{"parent_path":"/Library/Application Support/Microsoft/EdgeUpdater/118.0.2088.86/EdgeUpdater.app/Contents/MacOS/EdgeUpdater","parent_pid":70844,"parent_uuid":"93082F2D-206D-4FA8-925B-6548C6B247C1"},"exec_chain_parent":{"uuid":"EB3B7725-EB0E-4710-BCA6-F390DD9AE309"},"exec_env":{"env":{"PATH":"/usr/bin:/bin:/usr/sbin:/sbin","PWD":"/"},"env_compiled":"PWD=/,PATH=/usr/bin:/bin:/usr/sbin:/sbin"},"header":{"event_id":43190,"event_modifier":0,"event_name":"AUE_POSIX_SPAWN","time_milliseconds_offset":427,"time_seconds_epoch":1707235294,"version":11},"host_info":{"host_name":"Mac mini","host_uuid":"AE2FA359-6AB0-5F54-9E4A-39EDCF015C91","osversion":"Version 14.2.1 (Build 23C71)","serial_number":"H2WGF2U9Q6NV"},"identity":{"cd_hash":"abbed514a26c2f8c80e08a6d81d72ea8029739fe","signer_id":"com.microsoft.EdgeUpdater","signer_id_truncated":false,"signer_type":0,"team_id":"UBF8T346G9","team_id_truncated":false},"key":"0BE676E2-FFDB-4A75-BBEA-F783E0E573E8","path":["/Library/Application Support/Microsoft/EdgeUpdater/118.0.2088.86/EdgeUpdater.app/Contents/MacOS/EdgeUpdater","/Library/Application 
Support/Microsoft/EdgeUpdater/118.0.2088.86/EdgeUpdater.app/Contents/MacOS/EdgeUpdater"],"return":{"description":"success","error":0,"return_value":0},"subject":{"audit_id":4294967295,"audit_user_name":"","effective_group_id":0,"effective_group_name":"wheel","effective_user_id":0,"effective_user_name":"root","group_id":0,"group_name":"wheel","process_hash":"0237c54b185a3b516bb2918132d9d05de10eaa7c","process_id":70847,"process_name":"/Library/Application Support/Microsoft/EdgeUpdater/118.0.2088.86/EdgeUpdater.app/Contents/Helpers/launcher","responsible_process_id":70837,"responsible_process_name":"/Library/Application Support/Microsoft/EdgeUpdater/118.0.2088.86/EdgeUpdater.app/Contents/MacOS/EdgeUpdater","session_id":100016,"terminal_id":{"ip_address":"0.0.0.0","port":0,"type":4},"user_id":0,"user_name":"root"}} -{"arguments":{"child_PID":70843},"attributes":{"device":0,"file_access_mode":35309,"file_system_id":16777229,"node_id":63665429,"owner_group_id":80,"owner_group_name":"admin","owner_user_id":0,"owner_user_name":"root"},"exec_args":{"args":{"1":"/Library/Application Support/Microsoft/EdgeUpdater/118.0.2088.86/EdgeUpdater.app/Contents/Helpers/launcher","2":"--internal"},"args_compiled":"/Library/Application Support/Microsoft/EdgeUpdater/118.0.2088.86/EdgeUpdater.app/Contents/Helpers/launcher,--internal"},"exec_chain":{"thread_uuid":"3DB0D0B9-31ED-4E4D-9366-C07B622AEBEB"},"exec_chain_parent":{"uuid":"93E2DBD5-9546-430E-ADA0-CA460E0A80C9"},"exec_env":{"env":{"PATH":"/usr/bin:/bin:/usr/sbin:/sbin","XPC_FLAGS":"0x0","XPC_SERVICE_NAME":"com.microsoft.EdgeUpdater.wake.system"},"env_compiled":"XPC_SERVICE_NAME=com.microsoft.EdgeUpdater.wake.system,PATH=/usr/bin:/bin:/usr/sbin:/sbin,XPC_FLAGS=0x0"},"header":{"event_id":43190,"event_modifier":0,"event_name":"AUE_POSIX_SPAWN","time_milliseconds_offset":316,"time_seconds_epoch":1707235293,"version":11},"host_info":{"host_name":"Mac mini","host_uuid":"AE2FA359-6AB0-5F54-9E4A-39EDCF015C91","osversion":"Version 14.2.1 
(Build 23C71)","serial_number":"H2WGF2U9Q6NV"},"identity":{"cd_hash":"a2c787fe5e26ead7c68909e45a75edced4147c68","signer_id":"com.microsoft.EdgeUpdater","signer_id_truncated":false,"signer_type":0,"team_id":"UBF8T346G9","team_id_truncated":false},"key":"18922E6D-7EDA-460B-A5DC-D9B92BA8085E","path":["/Library/Application Support/Microsoft/EdgeUpdater/118.0.2088.86/EdgeUpdater.app/Contents/Helpers/launcher","/Library/Application Support/Microsoft/EdgeUpdater/118.0.2088.86/EdgeUpdater.app/Contents/Helpers/launcher"],"return":{"description":"success","error":0,"return_value":0},"subject":{"audit_id":4294967295,"audit_user_name":"","effective_group_id":0,"effective_group_name":"wheel","effective_user_id":0,"effective_user_name":"root","group_id":0,"group_name":"wheel","process_hash":"9cfc802baf45b74693d146686ebe9ec59ac6367f","process_id":70840,"process_name":"/Library/Application Support/Microsoft/EdgeUpdater/118.0.2088.86/EdgeUpdater.app/Contents/MacOS/EdgeUpdater","responsible_process_id":70837,"responsible_process_name":"/usr/libexec/xpcproxy","session_id":100016,"terminal_id":{"ip_address":"0.0.0.0","port":0,"type":4},"user_id":0,"user_name":"root"}} -{"arguments":{"fd":4},"exec_chain":{"thread_uuid":"2AE4FC6A-7F96-4B7A-B045-D6B3FDED39FE"},"header":{"event_id":32,"event_modifier":0,"event_name":"AUE_CONNECT","time_milliseconds_offset":755,"time_seconds_epoch":1707235837,"version":11},"host_info":{"host_name":"Goomba","host_uuid":"667A9510-585B-526B-9B61-47BD834C8ECE","osversion":"Version 14.2.1 (Build 
23C71)","serial_number":"H2WHM0PAQ6NV"},"identity":{"cd_hash":"67ed44d08677ea5d2eb9c7db71be23b127bd3e99","signer_id":"com.apple.nfcd","signer_id_truncated":false,"signer_type":1,"team_id":"","team_id_truncated":false},"key":"B9C086AE-78C8-4F01-A77D-4AE422F9366D","return":{"description":"success","error":0,"return_value":0},"subject":{"audit_id":4294967295,"audit_user_name":"","effective_group_id":260,"effective_group_name":"_applepay","effective_user_id":260,"effective_user_name":"_applepay","group_id":260,"group_name":"_applepay","process_hash":"137517d0be201cfbf8e9dd97765b3f38f0ae4de5","process_id":1002,"process_name":"/usr/libexec/nfcd","responsible_process_id":1002,"responsible_process_name":"/usr/libexec/nfcd","session_id":100015,"terminal_id":{"ip_address":"0.0.0.0","port":0,"type":4},"user_id":260,"user_name":"_applepay"}} -{"arguments":{"fd":5},"exec_chain":{"thread_uuid":"39896B66-2B2C-4D33-9A75-58154E8EB508"},"header":{"event_id":32,"event_modifier":0,"event_name":"AUE_CONNECT","time_milliseconds_offset":473,"time_seconds_epoch":1707235836,"version":11},"host_info":{"host_name":"Mac mini","host_uuid":"AE2FA359-6AB0-5F54-9E4A-39EDCF015C91","osversion":"Version 14.2.1 (Build 
23C71)","serial_number":"H2WGF2U9Q6NV"},"identity":{"cd_hash":"beef65d6aeba15d0dd7ef1a076d4bcbd386c1652","signer_id":"com.apple.mdmclient","signer_id_truncated":false,"signer_type":1,"team_id":"","team_id_truncated":false},"key":"F3DBBFB9-2FF7-4A14-A57F-A18F9D9E6FD1","return":{"description":"success","error":0,"return_value":0},"subject":{"audit_id":4294967295,"audit_user_name":"","effective_group_id":0,"effective_group_name":"wheel","effective_user_id":0,"effective_user_name":"root","group_id":0,"group_name":"wheel","process_hash":"b71712207edc22d9b5753aac0d927a7d9ded719d","process_id":70971,"process_name":"/usr/libexec/mdmclient","responsible_process_id":70971,"responsible_process_name":"/usr/libexec/mdmclient","session_id":100016,"terminal_id":{"ip_address":"0.0.0.0","port":0,"type":4},"user_id":0,"user_name":"root"}} -{"exec_chain":{"thread_uuid":"340F694C-4A80-4008-8B99-AEF108250576"},"header":{"event_id":45025,"event_modifier":0,"event_name":"AUE_ssauthorize","time_milliseconds_offset":477,"time_seconds_epoch":1707234868,"version":11},"host_info":{"host_name":"Mac mini","host_uuid":"AE2FA359-6AB0-5F54-9E4A-39EDCF015C91","osversion":"Version 14.2.1 (Build 
23C71)","serial_number":"H2WGF2U9Q6NV"},"identity":{"cd_hash":"fc3dce73c15ec7a1cba507101fec3a47e268fa27","signer_id":"com.apple.authd","signer_id_truncated":false,"signer_type":1,"team_id":"","team_id_truncated":false},"key":"DF67FD17-2BE4-4811-933F-78CBA33BAD93","rateLimitingSeconds":1800,"return":{"description":"success","error":0,"return_value":0},"subject":{"audit_id":4294967295,"audit_user_name":"","effective_group_id":0,"effective_group_name":"wheel","effective_user_id":0,"effective_user_name":"root","group_id":0,"group_name":"wheel","process_hash":"b71712207edc22d9b5753aac0d927a7d9ded719d","process_id":69544,"process_name":"/usr/libexec/mdmclient","responsible_process_id":69544,"responsible_process_name":"/usr/libexec/mdmclient","session_id":100016,"terminal_id":{"ip_address":"0.0.0.0","port":959597,"type":4},"user_id":0,"user_name":"root"},"texts":["com.apple.ServiceManagement.daemons.modify","client /usr/libexec/mdmclient","creator /usr/libexec/mdmclient"]} -{"arguments":{"am_failure":0,"am_success":0,"sflags":0},"exec_chain":{"thread_uuid":"8FEACD31-E575-45F4-9A31-F81A6EDF68A8"},"header":{"event_id":44903,"event_modifier":0,"event_name":"AUE_SESSION_END","time_milliseconds_offset":272,"time_seconds_epoch":1707235736,"version":11},"host_info":{"host_name":"Goomba","host_uuid":"667A9510-585B-526B-9B61-47BD834C8ECE","osversion":"Version 14.2.1 (Build 23C71)","serial_number":"H2WHM0PAQ6NV"},"key":"79C80894-E1A4-4BC3-A974-B6EC69CB172D","return":{"description":"success","error":0,"return_value":0},"subject":{"audit_id":4294967295,"audit_user_name":"","effective_group_id":0,"effective_group_name":"wheel","effective_user_id":0,"effective_user_name":"root","group_id":0,"group_name":"wheel","process_hash":"","process_id":0,"process_name":"","responsible_process_id":0,"responsible_process_name":"","session_id":101188,"terminal_id":{"ip_address":"0.0.0.0","port":0,"type":4},"user_id":0,"user_name":"root"}} \ No newline at end of file 
+{"action":{"result":{"result":{"auth":0},"result_type":0}},"action_type":1,"deadline":0,"event":{"lw_session_lock":{"graphical_session_id":257,"username":"allen.golbig"}},"event_type":116,"glob_seq_num":16661,"host":{"hostname":"MacBookPro","ips":["192.168.4.252"],"os":"Version 14.4.1 (Build 23E224)","protectVersion":"5.5.0.6","provisioningUDID":"00006000-000C043C22A1801E","serial":"123ABC456DJ"},"mach_time":11045772512581,"metadata":{"product":"Device Telemetry Stream","schemaVersion":"1.0","vendor":"Jamf"},"process":{"audit_token":{"asid":100018,"auid":502,"egid":20,"euid":502,"pid":388,"pidversion":869,"rgid":20,"ruid":0,"uuid":"80301337-AD04-56F0-BCCC-BC88FD235D82"},"cdhash":"5dce46942a1ecfcaed58bdcafe5159393f767f74","codesigning_flags":570522369,"executable":{"path":"/System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow","path_truncated":false,"stat":{"st_atimespec":"2024-03-21T06:13:23.000Z","st_birthtimespec":"2024-03-21T06:13:23.000Z","st_blksize":4096,"st_blocks":3240,"st_ctimespec":"2024-03-21T06:13:23.000Z","st_dev":16777229,"st_flags":524320,"st_gen":0,"st_gid":0,"st_ino":1152921500312132489,"st_mode":33261,"st_mtimespec":"2024-03-21T06:13:23.000Z","st_nlink":1,"st_rdev":0,"st_size":2706208,"st_uid":0}},"group_id":388,"is_es_client":false,"is_platform_binary":true,"original_ppid":1,"parent_audit_token":{"asid":100015,"auid":4294967295,"egid":0,"euid":0,"pid":1,"pidversion":542,"rgid":0,"ruid":0,"uuid":"012139F5-CEED-5A0E-9862-451CDA9E492E"},"ppid":1,"responsible_audit_token":{"asid":100018,"auid":502,"egid":20,"euid":502,"pid":388,"pidversion":869,"rgid":20,"ruid":0,"uuid":"80301337-AD04-56F0-BCCC-BC88FD235D82"},"session_id":388,"signing_id":"com.apple.loginwindow","start_time":"2024-04-30T13:17:30.000Z"},"seq_num":2,"thread":{"thread_id":18306755,"uuid":"5AF185F8-1E6E-5E94-A61C-B98942A253C7"},"time":"2024-05-15T00:12:12.555Z","uuid":"7ADBC305-732C-4A9C-B3EF-14435A500AF4","version":7} 
+{"action":{"result":{"result":{"auth":0},"result_type":0}},"action_type":1,"deadline":0,"event":{"lw_session_unlock":{"graphical_session_id":257,"username":"allen.golbig"}},"event_type":117,"glob_seq_num":16676,"host":{"hostname":"MacBookPro","ips":["192.168.4.252"],"os":"Version 14.4.1 (Build 23E224)","protectVersion":"5.5.0.6","provisioningUDID":"00006000-000C043C22A1801E","serial":"123ABC456DJ"},"mach_time":11045816416987,"metadata":{"product":"Device Telemetry Stream","schemaVersion":"1.0","vendor":"Jamf"},"process":{"audit_token":{"asid":100018,"auid":502,"egid":20,"euid":502,"pid":388,"pidversion":869,"rgid":20,"ruid":0,"uuid":"80301337-AD04-56F0-BCCC-BC88FD235D82"},"cdhash":"5dce46942a1ecfcaed58bdcafe5159393f767f74","codesigning_flags":570522369,"executable":{"path":"/System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow","path_truncated":false,"stat":{"st_atimespec":"2024-03-21T06:13:23.000Z","st_birthtimespec":"2024-03-21T06:13:23.000Z","st_blksize":4096,"st_blocks":3240,"st_ctimespec":"2024-03-21T06:13:23.000Z","st_dev":16777229,"st_flags":524320,"st_gen":0,"st_gid":0,"st_ino":1152921500312132489,"st_mode":33261,"st_mtimespec":"2024-03-21T06:13:23.000Z","st_nlink":1,"st_rdev":0,"st_size":2706208,"st_uid":0}},"group_id":388,"is_es_client":false,"is_platform_binary":true,"original_ppid":1,"parent_audit_token":{"asid":100015,"auid":4294967295,"egid":0,"euid":0,"pid":1,"pidversion":542,"rgid":0,"ruid":0,"uuid":"012139F5-CEED-5A0E-9862-451CDA9E492E"},"ppid":1,"responsible_audit_token":{"asid":100018,"auid":502,"egid":20,"euid":502,"pid":388,"pidversion":869,"rgid":20,"ruid":0,"uuid":"80301337-AD04-56F0-BCCC-BC88FD235D82"},"session_id":388,"signing_id":"com.apple.loginwindow","start_time":"2024-04-30T13:17:30.000Z"},"seq_num":3,"thread":{"thread_id":3504,"uuid":"4FB5BE8F-CBF6-5016-812D-BFA537A09327"},"time":"2024-05-15T00:12:14.384Z","uuid":"339DA1DB-C084-4064-A593-5225BFAC9907","version":7} 
+{"action":{"result":{"result":{"auth":0},"result_type":0}},"action_type":1,"deadline":0,"event":{"od_enable_user":{"db_path":"/var/db/dslocal/nodes/Default","error_code":0,"instigator":{"audit_token":{"asid":100019,"auid":502,"egid":0,"euid":0,"pid":20762,"pidversion":290785,"rgid":0,"ruid":0,"uuid":"1E61CAFF-22DD-50B0-993E-DA33D8263C2F"},"cdhash":"eb36abccc318d3bc15f253b8b47606f68d7fc9a7","codesigning_flags":570506001,"executable":{"path":"/usr/bin/pwpolicy","path_truncated":false,"stat":{"st_atimespec":"2024-03-21T06:13:23.000Z","st_birthtimespec":"2024-03-21T06:13:23.000Z","st_blksize":4096,"st_blocks":80,"st_ctimespec":"2024-03-21T06:13:23.000Z","st_dev":16777233,"st_flags":524320,"st_gen":0,"st_gid":0,"st_ino":1152921500312525396,"st_mode":33261,"st_mtimespec":"2024-03-21T06:13:23.000Z","st_nlink":1,"st_rdev":0,"st_size":175648,"st_uid":0}},"group_id":20757,"is_es_client":false,"is_platform_binary":true,"original_ppid":20757,"parent_audit_token":{"asid":100019,"auid":502,"egid":0,"euid":0,"pid":20757,"pidversion":290773,"rgid":0,"ruid":502,"uuid":"82DE3938-6F90-5B78-8A01-C180CFA4E1C5"},"ppid":20757,"responsible_audit_token":{"asid":100019,"auid":502,"egid":20,"euid":502,"pid":9451,"pidversion":262417,"rgid":20,"ruid":502,"uuid":"9C4BFB3D-5E3B-52FC-B9D5-B32C412DBB5E"},"session_id":9493,"signing_id":"com.apple.pwpolicy","start_time":"2024-04-25T13:39:21.000Z","tty":{"path":"/dev/ttys005","path_truncated":false,"stat":{"st_atimespec":"2024-04-25T13:39:21.064Z","st_birthtimespec":"1970-01-01T00:00:00.000Z","st_blksize":65536,"st_blocks":0,"st_ctimespec":"2024-04-25T13:39:21.233Z","st_dev":-874482363,"st_flags":0,"st_gen":0,"st_gid":4,"st_ino":823,"st_mode":8592,"st_mtimespec":"2024-04-25T13:39:21.233Z","st_nlink":1,"st_rdev":268435461,"st_size":0,"st_uid":502}}},"node_name":"/Local/Default","user_name":"user1"}},"event_type":137,"glob_seq_num":72,"host":{"hostname":"MacBookPro","ips":["192.168.1.27"],"os":"Version 14.4.1 (Build 
23E224)","protectVersion":"5.4.0.1","provisioningUDID":"00006020-000C69E03633C01E","serial":"123ABC456DJ"},"mach_time":4539429177111,"metadata":{"product":"Device Telemetry Stream","schemaVersion":"1.0","vendor":"Jamf"},"process":{"audit_token":{"asid":100016,"auid":4294967295,"egid":0,"euid":0,"pid":340,"pidversion":782,"rgid":0,"ruid":0,"uuid":"9DEAD2C4-5CCD-51C9-8966-FE2BF1A2E03E"},"cdhash":"9ecb45e62974e8153b565d533dab43a77443f1e0","codesigning_flags":570522385,"executable":{"path":"/usr/libexec/opendirectoryd","path_truncated":false,"sha1":"b497d64c9f44eb9265b042e814af735cf661026d","sha256":"6826c7ce113504b5126b7ee893d789ba643e45a589335f6ded1522d8206da3df","stat":{"st_atimespec":"2024-03-21T06:13:23.000Z","st_birthtimespec":"2024-03-21T06:13:23.000Z","st_blksize":4096,"st_blocks":1600,"st_ctimespec":"2024-03-21T06:13:23.000Z","st_dev":16777233,"st_flags":524320,"st_gen":0,"st_gid":0,"st_ino":1152921500312527524,"st_mode":33261,"st_mtimespec":"2024-03-21T06:13:23.000Z","st_nlink":1,"st_rdev":0,"st_size":2287728,"st_uid":0}},"group_id":340,"is_es_client":false,"is_platform_binary":true,"original_ppid":1,"parent_audit_token":{"asid":100016,"auid":4294967295,"egid":0,"euid":0,"pid":1,"pidversion":514,"rgid":0,"ruid":0,"uuid":"87BE8C81-EE7F-5C5B-BFCD-D59AE17723C9"},"ppid":1,"responsible_audit_token":{"asid":100016,"auid":4294967295,"egid":0,"euid":0,"pid":340,"pidversion":782,"rgid":0,"ruid":0,"uuid":"9DEAD2C4-5CCD-51C9-8966-FE2BF1A2E03E"},"session_id":340,"signing_id":"com.apple.opendirectoryd","start_time":"2024-04-16T19:23:32.001Z"},"seq_num":1,"thread":{"thread_id":3915265,"uuid":"CFD76840-2F84-5DF2-B448-AF13CB15FC8A"},"time":"2024-04-25T13:39:21.234Z","uuid":"85EB995E-5185-478F-854C-27E7E86A6A93","version":7} 
+{"action":{"result":{"result":{"auth":0},"result_type":0}},"action_type":1,"deadline":0,"event":{"sudo":{"command":"/usr/local/bin/protectctl","from_uid":501,"from_username":"jappleseed","success":true,"to_uid":0,"to_username":"root"}},"event_type":131,"glob_seq_num":1180,"host":{"hostname":"sevro","ips":["192.168.5.190"],"os":"Version 14.4.1 (Build 23E224)","protectVersion":"5.4.0-Hardcoded.Telemetry.v2.19","provisioningUDID":"0000FE00-F18DE97EF425BB7B","serial":"123ABC456DJ"},"mach_time":6408369395,"metadata":{"product":"Device Telemetry Stream","schemaVersion":"1.0","vendor":"Jamf"},"process":{"audit_token":{"asid":100004,"auid":501,"egid":20,"euid":0,"pid":707,"pidversion":1812,"rgid":20,"ruid":501,"uuid":"77783CCE-A480-54D9-91D9-DF530889AF2C"},"cdhash":"f04dc37184cb13f5bdc645c4146a86b8e4b90f86","codesigning_flags":570522385,"executable":{"path":"/usr/bin/sudo","path_truncated":false,"sha1":"fbf5661422c9d06eb93828f756878529d26ca4bf","sha256":"88b58d11983de9930f6ef9ff6518b6cd0712db6842a56f8d1cbb1f7c90569e28","stat":{"st_atimespec":"2024-03-21T06:13:23.000Z","st_birthtimespec":"2024-03-21T06:13:23.000Z","st_blksize":4096,"st_blocks":1344,"st_ctimespec":"2024-03-21T06:13:23.000Z","st_dev":16777232,"st_flags":524320,"st_gen":0,"st_gid":0,"st_ino":1152921500312525593,"st_mode":35145,"st_mtimespec":"2024-03-21T06:13:23.000Z","st_nlink":1,"st_rdev":0,"st_size":1429808,"st_uid":0}},"group_id":707,"is_es_client":false,"is_platform_binary":true,"original_ppid":637,"parent_audit_token":{"asid":100004,"auid":501,"egid":20,"euid":501,"pid":637,"pidversion":1610,"rgid":20,"ruid":501,"uuid":"E34963DB-0286-5C1C-A5FB-95A31B9F5794"},"ppid":637,"responsible_audit_token":{"asid":100004,"auid":501,"egid":20,"euid":501,"pid":415,"pidversion":963,"rgid":20,"ruid":501,"uuid":"ACE8E24F-A3F2-58E5-B46A-929D707D0B1A"},"session_id":636,"signing_id":"com.apple.sudo","start_time":"2024-04-30T20:14:13.000Z","tty":{"path":"/dev/ttys001","path_truncated":false,"stat":{"st_atimespec":"2024-04-30
T20:14:22.123Z","st_birthtimespec":"1970-01-01T00:00:00.000Z","st_blksize":65536,"st_blocks":0,"st_ctimespec":"2024-04-30T20:14:22.123Z","st_dev":-1797915486,"st_flags":0,"st_gen":0,"st_gid":4,"st_ino":703,"st_mode":8592,"st_mtimespec":"2024-04-30T20:14:22.123Z","st_nlink":1,"st_rdev":268435457,"st_size":0,"st_uid":501}}},"seq_num":3,"thread":{"thread_id":7219,"uuid":"5E0470DA-BFD6-5F44-9C25-CD4E3AB81737"},"time":"2024-04-30T20:14:22.264Z","uuid":"048927E3-EF0A-4E81-8411-A4610619FEEA","version":7} +{"action":{"result":{"result":{"auth":1},"result_type":0}},"action_type":1,"deadline":0,"event":{"exec":{"args":["/bin/zsh","-c","/var/folders/fm/j970swbn73dfnkjgsqjxxvj40000gp/T/eicar"],"cwd":{"path":"/","path_truncated":false,"stat":{"st_atimespec":"2024-05-07T07:01:44.000Z","st_birthtimespec":"2024-05-07T07:01:44.000Z","st_blksize":4096,"st_blocks":0,"st_ctimespec":"2024-05-07T07:01:44.000Z","st_dev":16777231,"st_flags":1048576,"st_gen":0,"st_gid":0,"st_ino":2,"st_mode":16877,"st_mtimespec":"2024-05-07T07:01:44.000Z","st_nlink":20,"st_rdev":0,"st_size":640,"st_uid":0}},"dyld_exec_path":"/bin/zsh","env":["USER=jappleseed","COMMAND_MODE=unix2003","__CFBundleIdentifier=com.txhaflaire.JamfCheck","PATH=/usr/bin:/bin:/usr/sbin:/sbin","LOGNAME=jappleseed","SSH_AUTH_SOCK=/private/tmp/com.apple.launchd.Ah3WvMOC65/Listeners","HOME=/Users/jappleseed","SHELL=/bin/zsh","TMPDIR=/var/folders/fm/j970swbn73dfnkjgsqjxxvj40000gp/T/","__CF_USER_TEXT_ENCODING=0x1F6:0x0:0x0","XPC_SERVICE_NAME=application.com.txhaflaire.JamfCheck.30852344.30852350","XPC_FLAGS=0x0"],"fds":[{"fd":0,"fdtype":1},{"fd":1,"fdtype":1},{"fd":2,"fdtype":1}],"image_cpusubtype":-2147483646,"image_cputype":16777228,"last_fd":2,"target":{"audit_token":{"asid":100012,"auid":502,"egid":20,"euid":502,"pid":91306,"pidversion":546968,"rgid":20,"ruid":502,"uuid":"1278137C-15D6-53CE-AB0A-FC9499BC8E05"},"cdhash":"23c70bd9b41017f9878af49bc2c46f7c8a70680b","codesigning_flags":570493697,"executable":{"path":"/bin/zsh","path_truncat
ed":false,"stat":{"st_atimespec":"2024-05-07T07:01:44.000Z","st_birthtimespec":"2024-05-07T07:01:44.000Z","st_blksize":4096,"st_blocks":1472,"st_ctimespec":"2024-05-07T07:01:44.000Z","st_dev":16777231,"st_flags":524320,"st_gen":0,"st_gid":0,"st_ino":1152921500312524830,"st_mode":33261,"st_mtimespec":"2024-05-07T07:01:44.000Z","st_nlink":1,"st_rdev":0,"st_size":1361200,"st_uid":0}},"group_id":91306,"is_es_client":false,"is_platform_binary":true,"original_ppid":64632,"parent_audit_token":{"asid":100012,"auid":502,"egid":20,"euid":502,"pid":64632,"pidversion":466330,"rgid":20,"ruid":502,"uuid":"A7EDC884-C034-50E7-A3AA-2E281B3E0777"},"ppid":64632,"responsible_audit_token":{"asid":100012,"auid":502,"egid":20,"euid":502,"pid":64632,"pidversion":466330,"rgid":20,"ruid":502,"uuid":"A7EDC884-C034-50E7-A3AA-2E281B3E0777"},"session_id":1,"signing_id":"com.apple.zsh","start_time":"2024-05-31T09:47:12.000Z"}}},"event_type":9,"glob_seq_num":202,"host":{"hostname":"MacBookPro","ips":["192.168.11.251","192.168.64.1","192.168.11.232"],"os":"Version 14.5 (Build 23F79)","protectVersion":"5.5.0.6","provisioningUDID":"00006030-001E301C0228001C","serial":"123ABC456DJ"},"mach_time":5362529651384,"metadata":{"product":"Device Telemetry 
Stream","schemaVersion":"1.0","vendor":"Jamf"},"process":{"audit_token":{"asid":100012,"auid":502,"egid":20,"euid":502,"pid":91306,"pidversion":546967,"rgid":20,"ruid":502,"uuid":"C9D6DF39-0239-57A1-AEFC-9D6B53AF2687"},"cdhash":"31c0815ee1b3904a826405c6fb9bc1e3ebae2b79","codesigning_flags":570503953,"executable":{"path":"/Applications/JamfCheck.app/Contents/MacOS/JamfCheck","path_truncated":false,"stat":{"st_atimespec":"2024-05-31T00:03:43.455Z","st_birthtimespec":"2024-05-16T12:02:51.000Z","st_blksize":4096,"st_blocks":6048,"st_ctimespec":"2024-05-16T13:40:19.640Z","st_dev":16777231,"st_flags":0,"st_gen":0,"st_gid":80,"st_ino":30852350,"st_mode":33261,"st_mtimespec":"2024-05-16T12:02:51.000Z","st_nlink":1,"st_rdev":0,"st_size":3094752,"st_uid":0}},"group_id":64632,"is_es_client":false,"is_platform_binary":false,"original_ppid":64632,"parent_audit_token":{"asid":100012,"auid":502,"egid":20,"euid":502,"pid":64632,"pidversion":466330,"rgid":20,"ruid":502,"uuid":"A7EDC884-C034-50E7-A3AA-2E281B3E0777"},"ppid":64632,"responsible_audit_token":{"asid":100012,"auid":502,"egid":20,"euid":502,"pid":64632,"pidversion":466330,"rgid":20,"ruid":502,"uuid":"A7EDC884-C034-50E7-A3AA-2E281B3E0777"},"session_id":1,"signing_id":"com.txhaflaire.JamfCheck","start_time":"2024-05-31T09:47:12.000Z","team_id":"CLQKFNPCCP"},"seq_num":190,"thread":{"thread_id":5215860,"uuid":"A052B956-572A-5458-8FB8-C9296E00E156"},"time":"2024-05-31T09:47:12.436Z","uuid":"CDB31202-8CB4-4C72-A9C6-7F494CD5F598","version":7} 
+{"action":{"result":{"result":{"auth":0},"result_type":0}},"action_type":1,"deadline":0,"event":{"od_group_set":{"db_path":"/var/db/dslocal/nodes/Default","error_code":0,"group_name":"group1","instigator":{"audit_token":{"asid":100019,"auid":502,"egid":0,"euid":0,"pid":86240,"pidversion":206644,"rgid":0,"ruid":0,"uuid":"DDE623EB-F2EC-59A8-A20B-6468C4C02423"},"cdhash":"9c1f4b0463787307f3730876b3e0e8fa76b6ec5f","codesigning_flags":570506001,"executable":{"path":"/usr/bin/dscl","path_truncated":false,"stat":{"st_atimespec":"2024-03-21T06:13:23.000Z","st_birthtimespec":"2024-03-21T06:13:23.000Z","st_blksize":4096,"st_blocks":320,"st_ctimespec":"2024-03-21T06:13:23.000Z","st_dev":16777233,"st_flags":524320,"st_gen":0,"st_gid":0,"st_ino":1152921500312524625,"st_mode":33261,"st_mtimespec":"2024-03-21T06:13:23.000Z","st_nlink":1,"st_rdev":0,"st_size":424592,"st_uid":0}},"group_id":86239,"is_es_client":false,"is_platform_binary":true,"original_ppid":86239,"parent_audit_token":{"asid":100019,"auid":502,"egid":0,"euid":0,"pid":86239,"pidversion":206642,"rgid":0,"ruid":502,"uuid":"E6DCCB86-1543-5107-AFBD-56BD9A88A7E0"},"ppid":86239,"responsible_audit_token":{"asid":100019,"auid":502,"egid":20,"euid":502,"pid":712,"pidversion":1695,"rgid":20,"ruid":502,"uuid":"32648F68-FC35-5EAA-A81F-5FEAAB9AA187"},"session_id":38537,"signing_id":"com.apple.dscl","start_time":"2024-04-23T15:59:19.000Z","tty":{"path":"/dev/ttys007","path_truncated":false,"stat":{"st_atimespec":"2024-04-23T15:59:19.121Z","st_birthtimespec":"1970-01-01T00:00:00.000Z","st_blksize":65536,"st_blocks":0,"st_ctimespec":"2024-04-23T15:59:19.123Z","st_dev":-874482363,"st_flags":0,"st_gen":0,"st_gid":4,"st_ino":709,"st_mode":8592,"st_mtimespec":"2024-04-23T15:59:19.123Z","st_nlink":1,"st_rdev":268435463,"st_size":0,"st_uid":502}}},"members":{"member_array":["admin"],"member_type":0},"node_name":"/Local/Default"}},"event_type":134,"glob_seq_num":76,"host":{"hostname":"MacBookPro","ips":["192.168.1.27"],"os":"Version 
14.4.1 (Build 23E224)","protectVersion":"5.4.0.1","provisioningUDID":"00006020-000C69E03633C01E","serial":"123ABC456DJ"},"mach_time":3349857042583,"metadata":{"product":"Device Telemetry Stream","schemaVersion":"1.0","vendor":"Jamf"},"process":{"audit_token":{"asid":100016,"auid":4294967295,"egid":0,"euid":0,"pid":340,"pidversion":782,"rgid":0,"ruid":0,"uuid":"9DEAD2C4-5CCD-51C9-8966-FE2BF1A2E03E"},"cdhash":"9ecb45e62974e8153b565d533dab43a77443f1e0","codesigning_flags":570522385,"executable":{"path":"/usr/libexec/opendirectoryd","path_truncated":false,"sha1":"b497d64c9f44eb9265b042e814af735cf661026d","sha256":"6826c7ce113504b5126b7ee893d789ba643e45a589335f6ded1522d8206da3df","stat":{"st_atimespec":"2024-03-21T06:13:23.000Z","st_birthtimespec":"2024-03-21T06:13:23.000Z","st_blksize":4096,"st_blocks":1600,"st_ctimespec":"2024-03-21T06:13:23.000Z","st_dev":16777233,"st_flags":524320,"st_gen":0,"st_gid":0,"st_ino":1152921500312527524,"st_mode":33261,"st_mtimespec":"2024-03-21T06:13:23.000Z","st_nlink":1,"st_rdev":0,"st_size":2287728,"st_uid":0}},"group_id":340,"is_es_client":false,"is_platform_binary":true,"original_ppid":1,"parent_audit_token":{"asid":100016,"auid":4294967295,"egid":0,"euid":0,"pid":1,"pidversion":514,"rgid":0,"ruid":0,"uuid":"87BE8C81-EE7F-5C5B-BFCD-D59AE17723C9"},"ppid":1,"responsible_audit_token":{"asid":100016,"auid":4294967295,"egid":0,"euid":0,"pid":340,"pidversion":782,"rgid":0,"ruid":0,"uuid":"9DEAD2C4-5CCD-51C9-8966-FE2BF1A2E03E"},"session_id":340,"signing_id":"com.apple.opendirectoryd","start_time":"2024-04-16T19:23:32.001Z"},"seq_num":1,"thread":{"thread_id":2930663,"uuid":"BDAB742D-F3B8-5238-8A87-BD5985C4E162"},"time":"2024-04-23T15:59:19.205Z","uuid":"3A3A35AF-B9F0-47E1-B8D8-B0AC736C82ED","version":7} 
+{"action":{"result":{"result":{"auth":0},"result_type":0}},"action_type":1,"deadline":0,"event":{"od_group_remove":{"db_path":"/var/db/dslocal/nodes/Default","error_code":0,"group_name":"group1","instigator":{"audit_token":{"asid":100019,"auid":502,"egid":0,"euid":0,"pid":86397,"pidversion":206955,"rgid":0,"ruid":0,"uuid":"475F424A-DA52-533E-BAD0-36C733F2C1E8"},"cdhash":"9c1f4b0463787307f3730876b3e0e8fa76b6ec5f","codesigning_flags":570506001,"executable":{"path":"/usr/bin/dscl","path_truncated":false,"stat":{"st_atimespec":"2024-03-21T06:13:23.000Z","st_birthtimespec":"2024-03-21T06:13:23.000Z","st_blksize":4096,"st_blocks":320,"st_ctimespec":"2024-03-21T06:13:23.000Z","st_dev":16777233,"st_flags":524320,"st_gen":0,"st_gid":0,"st_ino":1152921500312524625,"st_mode":33261,"st_mtimespec":"2024-03-21T06:13:23.000Z","st_nlink":1,"st_rdev":0,"st_size":424592,"st_uid":0}},"group_id":86396,"is_es_client":false,"is_platform_binary":true,"original_ppid":86396,"parent_audit_token":{"asid":100019,"auid":502,"egid":0,"euid":0,"pid":86396,"pidversion":206953,"rgid":0,"ruid":502,"uuid":"6575F576-09D5-5849-839A-281527615C08"},"ppid":86396,"responsible_audit_token":{"asid":100019,"auid":502,"egid":20,"euid":502,"pid":712,"pidversion":1695,"rgid":20,"ruid":502,"uuid":"32648F68-FC35-5EAA-A81F-5FEAAB9AA187"},"session_id":38537,"signing_id":"com.apple.dscl","start_time":"2024-04-23T16:00:31.001Z","tty":{"path":"/dev/ttys007","path_truncated":false,"stat":{"st_atimespec":"2024-04-23T16:00:31.818Z","st_birthtimespec":"1970-01-01T00:00:00.000Z","st_blksize":65536,"st_blocks":0,"st_ctimespec":"2024-04-23T16:00:31.825Z","st_dev":-874482363,"st_flags":0,"st_gen":0,"st_gid":4,"st_ino":709,"st_mode":8592,"st_mtimespec":"2024-04-23T16:00:31.825Z","st_nlink":1,"st_rdev":268435463,"st_size":0,"st_uid":502}}},"member":{"member_type":0,"member_value":"admin"},"node_name":"/Local/Default"}},"event_type":133,"glob_seq_num":556,"host":{"hostname":"MacBookPro","ips":["192.168.1.27"],"os":"Version 
14.4.1 (Build 23E224)","protectVersion":"5.4.0.1","provisioningUDID":"00006020-000C69E03633C01E","serial":"123ABC456DJ"},"mach_time":3351600968138,"metadata":{"product":"Device Telemetry Stream","schemaVersion":"1.0","vendor":"Jamf"},"process":{"audit_token":{"asid":100016,"auid":4294967295,"egid":0,"euid":0,"pid":340,"pidversion":782,"rgid":0,"ruid":0,"uuid":"9DEAD2C4-5CCD-51C9-8966-FE2BF1A2E03E"},"cdhash":"9ecb45e62974e8153b565d533dab43a77443f1e0","codesigning_flags":570522385,"executable":{"path":"/usr/libexec/opendirectoryd","path_truncated":false,"sha1":"b497d64c9f44eb9265b042e814af735cf661026d","sha256":"6826c7ce113504b5126b7ee893d789ba643e45a589335f6ded1522d8206da3df","stat":{"st_atimespec":"2024-03-21T06:13:23.000Z","st_birthtimespec":"2024-03-21T06:13:23.000Z","st_blksize":4096,"st_blocks":1600,"st_ctimespec":"2024-03-21T06:13:23.000Z","st_dev":16777233,"st_flags":524320,"st_gen":0,"st_gid":0,"st_ino":1152921500312527524,"st_mode":33261,"st_mtimespec":"2024-03-21T06:13:23.000Z","st_nlink":1,"st_rdev":0,"st_size":2287728,"st_uid":0}},"group_id":340,"is_es_client":false,"is_platform_binary":true,"original_ppid":1,"parent_audit_token":{"asid":100016,"auid":4294967295,"egid":0,"euid":0,"pid":1,"pidversion":514,"rgid":0,"ruid":0,"uuid":"87BE8C81-EE7F-5C5B-BFCD-D59AE17723C9"},"ppid":1,"responsible_audit_token":{"asid":100016,"auid":4294967295,"egid":0,"euid":0,"pid":340,"pidversion":782,"rgid":0,"ruid":0,"uuid":"9DEAD2C4-5CCD-51C9-8966-FE2BF1A2E03E"},"session_id":340,"signing_id":"com.apple.opendirectoryd","start_time":"2024-04-16T19:23:32.001Z"},"seq_num":0,"thread":{"thread_id":2933870,"uuid":"1D018B37-FECF-59E7-842E-6A9BEF95F062"},"time":"2024-04-23T16:00:31.869Z","uuid":"D4E0A162-77C7-4E60-AAC3-5DBD69030C8F","version":7} 
+{"action":{"result":{"result":{"auth":0},"result_type":0}},"action_type":1,"deadline":0,"event":{"od_delete_group":{"db_path":"/var/db/dslocal/nodes/Default","error_code":0,"group_name":"group1","instigator":{"audit_token":{"asid":100019,"auid":502,"egid":20,"euid":502,"pid":85603,"pidversion":205068,"rgid":20,"ruid":502,"uuid":"C9271101-B1BD-5906-83C8-4C47F3647FA8"},"cdhash":"ba99b2e3dbb05dc41e9b35d6d2c48d188c8cfece","codesigning_flags":570522369,"executable":{"path":"/System/Library/ExtensionKit/Extensions/UsersGroups.appex/Contents/MacOS/UsersGroups","path_truncated":false,"stat":{"st_atimespec":"2024-03-21T06:13:23.000Z","st_birthtimespec":"2024-03-21T06:13:23.000Z","st_blksize":4096,"st_blocks":2192,"st_ctimespec":"2024-03-21T06:13:23.000Z","st_dev":16777233,"st_flags":524320,"st_gen":0,"st_gid":0,"st_ino":1152921500312143171,"st_mode":33261,"st_mtimespec":"2024-03-21T06:13:23.000Z","st_nlink":1,"st_rdev":0,"st_size":2599312,"st_uid":0}},"group_id":85603,"is_es_client":false,"is_platform_binary":true,"original_ppid":1,"parent_audit_token":{"asid":100016,"auid":4294967295,"egid":0,"euid":0,"pid":1,"pidversion":514,"rgid":0,"ruid":0,"uuid":"87BE8C81-EE7F-5C5B-BFCD-D59AE17723C9"},"ppid":1,"responsible_audit_token":{"asid":100019,"auid":502,"egid":20,"euid":502,"pid":85603,"pidversion":205068,"rgid":20,"ruid":502,"uuid":"C9271101-B1BD-5906-83C8-4C47F3647FA8"},"session_id":85603,"signing_id":"com.apple.Users-Groups-Settings.extension","start_time":"2024-04-23T15:52:35.001Z"},"node_name":"/Local/Default"}},"event_type":144,"glob_seq_num":957,"host":{"hostname":"MacBookPro","ips":["192.168.1.27"],"os":"Version 14.4.1 (Build 23E224)","protectVersion":"5.4.0.1","provisioningUDID":"00006020-000C69E03633C01E","serial":"123ABC456DJ"},"mach_time":3353005234324,"metadata":{"product":"Device Telemetry 
Stream","schemaVersion":"1.0","vendor":"Jamf"},"process":{"audit_token":{"asid":100016,"auid":4294967295,"egid":0,"euid":0,"pid":340,"pidversion":782,"rgid":0,"ruid":0,"uuid":"9DEAD2C4-5CCD-51C9-8966-FE2BF1A2E03E"},"cdhash":"9ecb45e62974e8153b565d533dab43a77443f1e0","codesigning_flags":570522385,"executable":{"path":"/usr/libexec/opendirectoryd","path_truncated":false,"sha1":"b497d64c9f44eb9265b042e814af735cf661026d","sha256":"6826c7ce113504b5126b7ee893d789ba643e45a589335f6ded1522d8206da3df","stat":{"st_atimespec":"2024-03-21T06:13:23.000Z","st_birthtimespec":"2024-03-21T06:13:23.000Z","st_blksize":4096,"st_blocks":1600,"st_ctimespec":"2024-03-21T06:13:23.000Z","st_dev":16777233,"st_flags":524320,"st_gen":0,"st_gid":0,"st_ino":1152921500312527524,"st_mode":33261,"st_mtimespec":"2024-03-21T06:13:23.000Z","st_nlink":1,"st_rdev":0,"st_size":2287728,"st_uid":0}},"group_id":340,"is_es_client":false,"is_platform_binary":true,"original_ppid":1,"parent_audit_token":{"asid":100016,"auid":4294967295,"egid":0,"euid":0,"pid":1,"pidversion":514,"rgid":0,"ruid":0,"uuid":"87BE8C81-EE7F-5C5B-BFCD-D59AE17723C9"},"ppid":1,"responsible_audit_token":{"asid":100016,"auid":4294967295,"egid":0,"euid":0,"pid":340,"pidversion":782,"rgid":0,"ruid":0,"uuid":"9DEAD2C4-5CCD-51C9-8966-FE2BF1A2E03E"},"session_id":340,"signing_id":"com.apple.opendirectoryd","start_time":"2024-04-16T19:23:32.001Z"},"seq_num":0,"thread":{"thread_id":2935684,"uuid":"F30AC798-62A3-5513-A144-94A9C5B3B239"},"time":"2024-04-23T16:01:30.380Z","uuid":"394EA894-C632-4FAD-8F9F-757D90FAFEEA","version":7} 
+{"action":{"result":{"result":{"auth":0},"result_type":0}},"action_type":1,"deadline":0,"event":{"od_modify_password":{"account_name":"user1","account_type":0,"db_path":"","error_code":5301,"instigator":{"audit_token":{"asid":100019,"auid":502,"egid":20,"euid":502,"pid":29722,"pidversion":314088,"rgid":20,"ruid":502,"uuid":"9FBB80FD-ED13-5C40-810D-5D5E307D305E"},"cdhash":"ba99b2e3dbb05dc41e9b35d6d2c48d188c8cfece","codesigning_flags":570522369,"executable":{"path":"/System/Library/ExtensionKit/Extensions/UsersGroups.appex/Contents/MacOS/UsersGroups","path_truncated":false,"stat":{"st_atimespec":"2024-03-21T06:13:23.000Z","st_birthtimespec":"2024-03-21T06:13:23.000Z","st_blksize":4096,"st_blocks":2192,"st_ctimespec":"2024-03-21T06:13:23.000Z","st_dev":16777233,"st_flags":524320,"st_gen":0,"st_gid":0,"st_ino":1152921500312143171,"st_mode":33261,"st_mtimespec":"2024-03-21T06:13:23.000Z","st_nlink":1,"st_rdev":0,"st_size":2599312,"st_uid":0}},"group_id":29722,"is_es_client":false,"is_platform_binary":true,"original_ppid":1,"parent_audit_token":{"asid":100016,"auid":4294967295,"egid":0,"euid":0,"pid":1,"pidversion":514,"rgid":0,"ruid":0,"uuid":"87BE8C81-EE7F-5C5B-BFCD-D59AE17723C9"},"ppid":1,"responsible_audit_token":{"asid":100019,"auid":502,"egid":20,"euid":502,"pid":29722,"pidversion":314088,"rgid":20,"ruid":502,"uuid":"9FBB80FD-ED13-5C40-810D-5D5E307D305E"},"session_id":29722,"signing_id":"com.apple.Users-Groups-Settings.extension","start_time":"2024-04-25T20:13:47.000Z"},"node_name":"/Local/Default"}},"event_type":135,"glob_seq_num":833,"host":{"hostname":"MacBookPro","ips":["192.168.1.27"],"os":"Version 14.4.1 (Build 23E224)","protectVersion":"5.4.0.1","provisioningUDID":"00006020-000C69E03633C01E","serial":"123ABC456DJ"},"mach_time":5010271318045,"metadata":{"product":"Device Telemetry 
Stream","schemaVersion":"1.0","vendor":"Jamf"},"process":{"audit_token":{"asid":100016,"auid":4294967295,"egid":0,"euid":0,"pid":340,"pidversion":782,"rgid":0,"ruid":0,"uuid":"9DEAD2C4-5CCD-51C9-8966-FE2BF1A2E03E"},"cdhash":"9ecb45e62974e8153b565d533dab43a77443f1e0","codesigning_flags":570522385,"executable":{"path":"/usr/libexec/opendirectoryd","path_truncated":false,"sha1":"b497d64c9f44eb9265b042e814af735cf661026d","sha256":"6826c7ce113504b5126b7ee893d789ba643e45a589335f6ded1522d8206da3df","stat":{"st_atimespec":"2024-03-21T06:13:23.000Z","st_birthtimespec":"2024-03-21T06:13:23.000Z","st_blksize":4096,"st_blocks":1600,"st_ctimespec":"2024-03-21T06:13:23.000Z","st_dev":16777233,"st_flags":524320,"st_gen":0,"st_gid":0,"st_ino":1152921500312527524,"st_mode":33261,"st_mtimespec":"2024-03-21T06:13:23.000Z","st_nlink":1,"st_rdev":0,"st_size":2287728,"st_uid":0}},"group_id":340,"is_es_client":false,"is_platform_binary":true,"original_ppid":1,"parent_audit_token":{"asid":100016,"auid":4294967295,"egid":0,"euid":0,"pid":1,"pidversion":514,"rgid":0,"ruid":0,"uuid":"87BE8C81-EE7F-5C5B-BFCD-D59AE17723C9"},"ppid":1,"responsible_audit_token":{"asid":100016,"auid":4294967295,"egid":0,"euid":0,"pid":340,"pidversion":782,"rgid":0,"ruid":0,"uuid":"9DEAD2C4-5CCD-51C9-8966-FE2BF1A2E03E"},"session_id":340,"signing_id":"com.apple.opendirectoryd","start_time":"2024-04-16T19:23:32.001Z"},"seq_num":2,"thread":{"thread_id":4275233,"uuid":"9A8024C3-EA6D-5900-AEBD-7C1D504D80E2"},"time":"2024-04-25T20:14:43.615Z","uuid":"183683D3-EF99-48F3-963A-C45D9FB4F1DB","version":7} 
+{"action":{"result":{"result":{"auth":0},"result_type":0}},"action_type":1,"deadline":0,"event":{"od_attribute_value_add":{"attribute_name":"dsAttrTypeStandard:AltSecurityIdentities","attribute_value":"Kerberos:maggie.zirnhelt@jamf.com","db_path":"/var/db/dslocal/nodes/Default","error_code":0,"instigator":{"audit_token":{"asid":100019,"auid":502,"egid":0,"euid":0,"pid":17753,"pidversion":282948,"rgid":0,"ruid":0,"uuid":"74D421A1-C440-5FD1-B675-3FB4E4A35985"},"cdhash":"9c1f4b0463787307f3730876b3e0e8fa76b6ec5f","codesigning_flags":570506001,"executable":{"path":"/usr/bin/dscl","path_truncated":false,"stat":{"st_atimespec":"2024-03-21T06:13:23.000Z","st_birthtimespec":"2024-03-21T06:13:23.000Z","st_blksize":4096,"st_blocks":320,"st_ctimespec":"2024-03-21T06:13:23.000Z","st_dev":16777233,"st_flags":524320,"st_gen":0,"st_gid":0,"st_ino":1152921500312524625,"st_mode":33261,"st_mtimespec":"2024-03-21T06:13:23.000Z","st_nlink":1,"st_rdev":0,"st_size":424592,"st_uid":0}},"group_id":17751,"is_es_client":false,"is_platform_binary":true,"original_ppid":17751,"parent_audit_token":{"asid":100019,"auid":502,"egid":0,"euid":0,"pid":17751,"pidversion":282943,"rgid":0,"ruid":502,"uuid":"5A35DAE8-8E1A-587E-90CA-CC66560A01CB"},"ppid":17751,"responsible_audit_token":{"asid":100019,"auid":502,"egid":20,"euid":502,"pid":9451,"pidversion":262417,"rgid":20,"ruid":502,"uuid":"9C4BFB3D-5E3B-52FC-B9D5-B32C412DBB5E"},"session_id":17547,"signing_id":"com.apple.dscl","start_time":"2024-04-24T20:56:08.000Z","tty":{"path":"/dev/ttys010","path_truncated":false,"stat":{"st_atimespec":"2024-04-24T20:56:08.086Z","st_birthtimespec":"1970-01-01T00:00:00.000Z","st_blksize":65536,"st_blocks":0,"st_ctimespec":"2024-04-24T20:56:08.086Z","st_dev":-874482363,"st_flags":0,"st_gen":0,"st_gid":4,"st_ino":835,"st_mode":8592,"st_mtimespec":"2024-04-24T20:56:08.086Z","st_nlink":1,"st_rdev":268435466,"st_size":0,"st_uid":502}}},"node_name":"/Local/Default","record_name":"jappleseed","record_type":0}},"event_type":13
8,"glob_seq_num":55,"host":{"hostname":"MacBookPro","ips":["192.168.1.27"],"os":"Version 14.4.1 (Build 23E224)","protectVersion":"5.4.0.1","provisioningUDID":"00006020-000C69E03633C01E","serial":"123ABC456DJ"},"mach_time":4456752621809,"metadata":{"product":"Device Telemetry Stream","schemaVersion":"1.0","vendor":"Jamf"},"process":{"audit_token":{"asid":100016,"auid":4294967295,"egid":0,"euid":0,"pid":340,"pidversion":782,"rgid":0,"ruid":0,"uuid":"9DEAD2C4-5CCD-51C9-8966-FE2BF1A2E03E"},"cdhash":"9ecb45e62974e8153b565d533dab43a77443f1e0","codesigning_flags":570522385,"executable":{"path":"/usr/libexec/opendirectoryd","path_truncated":false,"sha1":"b497d64c9f44eb9265b042e814af735cf661026d","sha256":"6826c7ce113504b5126b7ee893d789ba643e45a589335f6ded1522d8206da3df","stat":{"st_atimespec":"2024-03-21T06:13:23.000Z","st_birthtimespec":"2024-03-21T06:13:23.000Z","st_blksize":4096,"st_blocks":1600,"st_ctimespec":"2024-03-21T06:13:23.000Z","st_dev":16777233,"st_flags":524320,"st_gen":0,"st_gid":0,"st_ino":1152921500312527524,"st_mode":33261,"st_mtimespec":"2024-03-21T06:13:23.000Z","st_nlink":1,"st_rdev":0,"st_size":2287728,"st_uid":0}},"group_id":340,"is_es_client":false,"is_platform_binary":true,"original_ppid":1,"parent_audit_token":{"asid":100016,"auid":4294967295,"egid":0,"euid":0,"pid":1,"pidversion":514,"rgid":0,"ruid":0,"uuid":"87BE8C81-EE7F-5C5B-BFCD-D59AE17723C9"},"ppid":1,"responsible_audit_token":{"asid":100016,"auid":4294967295,"egid":0,"euid":0,"pid":340,"pidversion":782,"rgid":0,"ruid":0,"uuid":"9DEAD2C4-5CCD-51C9-8966-FE2BF1A2E03E"},"session_id":340,"signing_id":"com.apple.opendirectoryd","start_time":"2024-04-16T19:23:32.001Z"},"seq_num":0,"thread":{"thread_id":3822468,"uuid":"3A490916-9893-5175-A78E-A4BF2CC2EF2E"},"time":"2024-04-24T20:56:08.289Z","uuid":"491E6FAF-9F73-4ADA-A71A-A220F8FBA5EB","version":7} 
+{"action":{"result":{"result":{"auth":0},"result_type":0}},"action_type":1,"deadline":0,"event":{"od_attribute_value_remove":{"attribute_name":"dsAttrTypeStandard:AltSecurityIdentities","attribute_value":"Kerberos:maggie.zirnhelt@jamf.com","db_path":"/var/db/dslocal/nodes/Default","error_code":0,"instigator":{"audit_token":{"asid":100019,"auid":502,"egid":0,"euid":0,"pid":18070,"pidversion":283600,"rgid":0,"ruid":0,"uuid":"33FE9FCC-22C3-5E4E-A7AC-3B5656E08B3B"},"cdhash":"9c1f4b0463787307f3730876b3e0e8fa76b6ec5f","codesigning_flags":570506001,"executable":{"path":"/usr/bin/dscl","path_truncated":false,"stat":{"st_atimespec":"2024-03-21T06:13:23.000Z","st_birthtimespec":"2024-03-21T06:13:23.000Z","st_blksize":4096,"st_blocks":320,"st_ctimespec":"2024-03-21T06:13:23.000Z","st_dev":16777233,"st_flags":524320,"st_gen":0,"st_gid":0,"st_ino":1152921500312524625,"st_mode":33261,"st_mtimespec":"2024-03-21T06:13:23.000Z","st_nlink":1,"st_rdev":0,"st_size":424592,"st_uid":0}},"group_id":18069,"is_es_client":false,"is_platform_binary":true,"original_ppid":18069,"parent_audit_token":{"asid":100019,"auid":502,"egid":0,"euid":0,"pid":18069,"pidversion":283598,"rgid":0,"ruid":502,"uuid":"2EC711AB-099E-5111-93FE-C2938AAAB3EE"},"ppid":18069,"responsible_audit_token":{"asid":100019,"auid":502,"egid":20,"euid":502,"pid":9451,"pidversion":262417,"rgid":20,"ruid":502,"uuid":"9C4BFB3D-5E3B-52FC-B9D5-B32C412DBB5E"},"session_id":17547,"signing_id":"com.apple.dscl","start_time":"2024-04-24T20:58:16.000Z","tty":{"path":"/dev/ttys010","path_truncated":false,"stat":{"st_atimespec":"2024-04-24T20:58:16.209Z","st_birthtimespec":"1970-01-01T00:00:00.000Z","st_blksize":65536,"st_blocks":0,"st_ctimespec":"2024-04-24T20:58:16.213Z","st_dev":-874482363,"st_flags":0,"st_gen":0,"st_gid":4,"st_ino":835,"st_mode":8592,"st_mtimespec":"2024-04-24T20:58:16.213Z","st_nlink":1,"st_rdev":268435466,"st_size":0,"st_uid":502}}},"node_name":"/Local/Default","record_name":"jappleseed","record_type":0}},"event_type"
:139,"glob_seq_num":1039,"host":{"hostname":"MacBookPro","ips":["192.168.1.27"],"os":"Version 14.4.1 (Build 23E224)","protectVersion":"5.4.0.1","provisioningUDID":"00006020-000C69E03633C01E","serial":"123ABC456DJ"},"mach_time":4459824192608,"metadata":{"product":"Device Telemetry Stream","schemaVersion":"1.0","vendor":"Jamf"},"process":{"audit_token":{"asid":100016,"auid":4294967295,"egid":0,"euid":0,"pid":340,"pidversion":782,"rgid":0,"ruid":0,"uuid":"9DEAD2C4-5CCD-51C9-8966-FE2BF1A2E03E"},"cdhash":"9ecb45e62974e8153b565d533dab43a77443f1e0","codesigning_flags":570522385,"executable":{"path":"/usr/libexec/opendirectoryd","path_truncated":false,"sha1":"b497d64c9f44eb9265b042e814af735cf661026d","sha256":"6826c7ce113504b5126b7ee893d789ba643e45a589335f6ded1522d8206da3df","stat":{"st_atimespec":"2024-03-21T06:13:23.000Z","st_birthtimespec":"2024-03-21T06:13:23.000Z","st_blksize":4096,"st_blocks":1600,"st_ctimespec":"2024-03-21T06:13:23.000Z","st_dev":16777233,"st_flags":524320,"st_gen":0,"st_gid":0,"st_ino":1152921500312527524,"st_mode":33261,"st_mtimespec":"2024-03-21T06:13:23.000Z","st_nlink":1,"st_rdev":0,"st_size":2287728,"st_uid":0}},"group_id":340,"is_es_client":false,"is_platform_binary":true,"original_ppid":1,"parent_audit_token":{"asid":100016,"auid":4294967295,"egid":0,"euid":0,"pid":1,"pidversion":514,"rgid":0,"ruid":0,"uuid":"87BE8C81-EE7F-5C5B-BFCD-D59AE17723C9"},"ppid":1,"responsible_audit_token":{"asid":100016,"auid":4294967295,"egid":0,"euid":0,"pid":340,"pidversion":782,"rgid":0,"ruid":0,"uuid":"9DEAD2C4-5CCD-51C9-8966-FE2BF1A2E03E"},"session_id":340,"signing_id":"com.apple.opendirectoryd","start_time":"2024-04-16T19:23:32.001Z"},"seq_num":0,"thread":{"thread_id":3830588,"uuid":"434FD15F-D210-59C9-A035-12F7EA23AC6E"},"time":"2024-04-24T20:58:16.270Z","uuid":"15894BA2-D220-4AD0-B2DD-2C9CF58F294B","version":7} 
+{"action":{"result":{"result":{"auth":0},"result_type":0}},"action_type":1,"deadline":0,"event":{"od_attribute_set":{"attribute_name":"directory_path","attribute_value_count":1,"attribute_values":["/Users/user1/Public"],"db_path":"/var/db/dslocal/nodes/Default","error_code":0,"instigator":{"audit_token":{"asid":102256,"auid":4294967295,"egid":0,"euid":0,"pid":86670,"pidversion":207480,"rgid":0,"ruid":0,"uuid":"55745E6D-15FA-590E-A171-966919422D9B"},"cdhash":"7eabd81b27487335a7513942169ab1f52a28f650","codesigning_flags":570522369,"executable":{"path":"/System/Library/PrivateFrameworks/SharePointManagement.framework/XPCServices/SharePointManagementService.xpc/Contents/MacOS/SharePointManagementService","path_truncated":false,"stat":{"st_atimespec":"2024-03-21T06:13:23.000Z","st_birthtimespec":"2024-03-21T06:13:23.000Z","st_blksize":4096,"st_blocks":96,"st_ctimespec":"2024-03-21T06:13:23.000Z","st_dev":16777233,"st_flags":524320,"st_gen":0,"st_gid":0,"st_ino":1152921500312358573,"st_mode":33261,"st_mtimespec":"2024-03-21T06:13:23.000Z","st_nlink":1,"st_rdev":0,"st_size":194800,"st_uid":0}},"group_id":86670,"is_es_client":false,"is_platform_binary":true,"original_ppid":1,"parent_audit_token":{"asid":100016,"auid":4294967295,"egid":0,"euid":0,"pid":1,"pidversion":514,"rgid":0,"ruid":0,"uuid":"87BE8C81-EE7F-5C5B-BFCD-D59AE17723C9"},"ppid":1,"responsible_audit_token":{"asid":100016,"auid":4294967295,"egid":0,"euid":0,"pid":85690,"pidversion":205314,"rgid":0,"ruid":0,"uuid":"E44BFA8B-ADDB-5704-AA90-ECEDD148BE78"},"session_id":86670,"signing_id":"com.apple.coreservices.SharePointManagementService","start_time":"2024-04-23T16:02:30.000Z"},"node_name":"/Local/Default","record_name":"user1’s Public Folder","record_type":1}},"event_type":140,"glob_seq_num":1408,"host":{"hostname":"MacBookPro","ips":["192.168.1.27"],"os":"Version 14.4.1 (Build 
23E224)","protectVersion":"5.4.0.1","provisioningUDID":"00006020-000C69E03633C01E","serial":"123ABC456DJ"},"mach_time":3354443782160,"metadata":{"product":"Device Telemetry Stream","schemaVersion":"1.0","vendor":"Jamf"},"process":{"audit_token":{"asid":100016,"auid":4294967295,"egid":0,"euid":0,"pid":340,"pidversion":782,"rgid":0,"ruid":0,"uuid":"9DEAD2C4-5CCD-51C9-8966-FE2BF1A2E03E"},"cdhash":"9ecb45e62974e8153b565d533dab43a77443f1e0","codesigning_flags":570522385,"executable":{"path":"/usr/libexec/opendirectoryd","path_truncated":false,"sha1":"b497d64c9f44eb9265b042e814af735cf661026d","sha256":"6826c7ce113504b5126b7ee893d789ba643e45a589335f6ded1522d8206da3df","stat":{"st_atimespec":"2024-03-21T06:13:23.000Z","st_birthtimespec":"2024-03-21T06:13:23.000Z","st_blksize":4096,"st_blocks":1600,"st_ctimespec":"2024-03-21T06:13:23.000Z","st_dev":16777233,"st_flags":524320,"st_gen":0,"st_gid":0,"st_ino":1152921500312527524,"st_mode":33261,"st_mtimespec":"2024-03-21T06:13:23.000Z","st_nlink":1,"st_rdev":0,"st_size":2287728,"st_uid":0}},"group_id":340,"is_es_client":false,"is_platform_binary":true,"original_ppid":1,"parent_audit_token":{"asid":100016,"auid":4294967295,"egid":0,"euid":0,"pid":1,"pidversion":514,"rgid":0,"ruid":0,"uuid":"87BE8C81-EE7F-5C5B-BFCD-D59AE17723C9"},"ppid":1,"responsible_audit_token":{"asid":100016,"auid":4294967295,"egid":0,"euid":0,"pid":340,"pidversion":782,"rgid":0,"ruid":0,"uuid":"9DEAD2C4-5CCD-51C9-8966-FE2BF1A2E03E"},"session_id":340,"signing_id":"com.apple.opendirectoryd","start_time":"2024-04-16T19:23:32.001Z"},"seq_num":36,"thread":{"thread_id":2937111,"uuid":"8166A64E-A939-5F10-8A4D-03DD1FF50568"},"time":"2024-04-23T16:02:30.320Z","uuid":"69C67801-3701-4232-B669-E669282252CE","version":7} 
+{"action":{"result":{"result":{"auth":0},"result_type":0}},"action_type":1,"deadline":0,"event":{"authentication":{"data":{"touchid":{"instigator":{"audit_token":{"asid":100015,"auid":4294967295,"egid":0,"euid":0,"pid":53394,"pidversion":105387,"rgid":0,"ruid":0,"uuid":"5F9A782E-2163-5144-99B5-DF443F9625B7"},"cdhash":"f370aa21b69ac09c8ec8d0d98de5b260777abf77","codesigning_flags":570522385,"executable":{"path":"/System/Library/Frameworks/LocalAuthentication.framework/Support/coreauthd","path_truncated":false,"stat":{"st_atimespec":"2024-03-21T06:13:23.000Z","st_birthtimespec":"2024-03-21T06:13:23.000Z","st_blksize":4096,"st_blocks":712,"st_ctimespec":"2024-03-21T06:13:23.000Z","st_dev":16777229,"st_flags":524320,"st_gen":0,"st_gid":0,"st_ino":1152921500312174408,"st_mode":33261,"st_mtimespec":"2024-03-21T06:13:23.000Z","st_nlink":1,"st_rdev":0,"st_size":952736,"st_uid":0}},"group_id":53394,"is_es_client":false,"is_platform_binary":true,"original_ppid":1,"parent_audit_token":{"asid":100015,"auid":4294967295,"egid":0,"euid":0,"pid":1,"pidversion":542,"rgid":0,"ruid":0,"uuid":"012139F5-CEED-5A0E-9862-451CDA9E492E"},"ppid":1,"responsible_audit_token":{"asid":100015,"auid":4294967295,"egid":0,"euid":0,"pid":53394,"pidversion":105387,"rgid":0,"ruid":0,"uuid":"5F9A782E-2163-5144-99B5-DF443F9625B7"},"session_id":53394,"signing_id":"com.apple.coreauthd","start_time":"2024-04-30T20:00:17.000Z"},"touchid_mode":1,"uid":502}},"success":true,"type":1}},"event_type":111,"glob_seq_num":16291,"host":{"hostname":"MacBookPro","ips":["192.168.4.252"],"os":"Version 14.4.1 (Build 23E224)","protectVersion":"5.5.0.6","provisioningUDID":"00006000-000C043C22A1801E","serial":"123ABC456DJ"},"mach_time":11041696351060,"metadata":{"product":"Device Telemetry 
Stream","schemaVersion":"1.0","vendor":"Jamf"},"process":{"audit_token":{"asid":100015,"auid":4294967295,"egid":0,"euid":0,"pid":90702,"pidversion":3078442,"rgid":0,"ruid":0,"uuid":"CD7D11B2-FEBD-5DD8-8DC0-D9CC44A7BE66"},"cdhash":"a48e2195bd6c440ce9663eb0988fef1919cbb9d3","codesigning_flags":570522385,"executable":{"path":"/usr/libexec/biometrickitd","path_truncated":false,"stat":{"st_atimespec":"2024-03-21T06:13:23.000Z","st_birthtimespec":"2024-03-21T06:13:23.000Z","st_blksize":4096,"st_blocks":1088,"st_ctimespec":"2024-03-21T06:13:23.000Z","st_dev":16777229,"st_flags":524320,"st_gen":0,"st_gid":0,"st_ino":1152921500312527193,"st_mode":33261,"st_mtimespec":"2024-03-21T06:13:23.000Z","st_nlink":1,"st_rdev":0,"st_size":1422144,"st_uid":0}},"group_id":90702,"is_es_client":false,"is_platform_binary":true,"original_ppid":1,"parent_audit_token":{"asid":100015,"auid":4294967295,"egid":0,"euid":0,"pid":1,"pidversion":542,"rgid":0,"ruid":0,"uuid":"012139F5-CEED-5A0E-9862-451CDA9E492E"},"ppid":1,"responsible_audit_token":{"asid":100015,"auid":4294967295,"egid":0,"euid":0,"pid":90702,"pidversion":3078442,"rgid":0,"ruid":0,"uuid":"CD7D11B2-FEBD-5DD8-8DC0-D9CC44A7BE66"},"session_id":90702,"signing_id":"com.apple.biometrickitd","start_time":"2024-05-14T18:16:00.001Z"},"seq_num":74,"thread":{"thread_id":17894822,"uuid":"0DDE1522-43DA-577C-83BA-1207D20EE701"},"time":"2024-05-15T00:09:22.719Z","uuid":"634A53C7-D790-4B29-8914-635F6894FCA6","version":7} 
+{"action":{"result":{"result":{"auth":0},"result_type":0}},"action_type":1,"deadline":0,"event":{"lw_session_lock":{"graphical_session_id":257,"username":"allen.golbig"}},"event_type":116,"glob_seq_num":16661,"host":{"hostname":"MacBookPro","ips":["192.168.4.252"],"os":"Version 14.4.1 (Build 23E224)","protectVersion":"5.5.0.6","provisioningUDID":"00006000-000C043C22A1801E","serial":"123ABC456DJ"},"mach_time":11045772512581,"metadata":{"product":"Device Telemetry 
Stream","schemaVersion":"1.0","vendor":"Jamf"},"process":{"audit_token":{"asid":100018,"auid":502,"egid":20,"euid":502,"pid":388,"pidversion":869,"rgid":20,"ruid":0,"uuid":"80301337-AD04-56F0-BCCC-BC88FD235D82"},"cdhash":"5dce46942a1ecfcaed58bdcafe5159393f767f74","codesigning_flags":570522369,"executable":{"path":"/System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow","path_truncated":false,"stat":{"st_atimespec":"2024-03-21T06:13:23.000Z","st_birthtimespec":"2024-03-21T06:13:23.000Z","st_blksize":4096,"st_blocks":3240,"st_ctimespec":"2024-03-21T06:13:23.000Z","st_dev":16777229,"st_flags":524320,"st_gen":0,"st_gid":0,"st_ino":1152921500312132489,"st_mode":33261,"st_mtimespec":"2024-03-21T06:13:23.000Z","st_nlink":1,"st_rdev":0,"st_size":2706208,"st_uid":0}},"group_id":388,"is_es_client":false,"is_platform_binary":true,"original_ppid":1,"parent_audit_token":{"asid":100015,"auid":4294967295,"egid":0,"euid":0,"pid":1,"pidversion":542,"rgid":0,"ruid":0,"uuid":"012139F5-CEED-5A0E-9862-451CDA9E492E"},"ppid":1,"responsible_audit_token":{"asid":100018,"auid":502,"egid":20,"euid":502,"pid":388,"pidversion":869,"rgid":20,"ruid":0,"uuid":"80301337-AD04-56F0-BCCC-BC88FD235D82"},"session_id":388,"signing_id":"com.apple.loginwindow","start_time":"2024-04-30T13:17:30.000Z"},"seq_num":2,"thread":{"thread_id":18306755,"uuid":"5AF185F8-1E6E-5E94-A61C-B98942A253C7"},"time":"2024-05-15T00:12:12.555Z","uuid":"7ADBC305-732C-4A9C-B3EF-14435A500AF4","version":7} 
+{"action":{"result":{"result":{"auth":0},"result_type":0}},"action_type":1,"deadline":0,"event":{"openssh_login":{"result_type":2,"source_address":"192.168.4.252","source_address_type":1,"success":true,"uid":501,"username":"jappleseed"}},"event_type":120,"glob_seq_num":1073,"host":{"hostname":"sevro","ips":["192.168.5.190"],"os":"Version 14.4.1 (Build 23E224)","protectVersion":"5.5.0.5","provisioningUDID":"0000FE00-F18DE97EF425BB7B","serial":"123ABC456DJ"},"mach_time":61413429404,"metadata":{"product":"Device 
Telemetry Stream","schemaVersion":"1.0","vendor":"Jamf"},"process":{"audit_token":{"asid":100069,"auid":501,"egid":0,"euid":0,"pid":1178,"pidversion":3061,"rgid":0,"ruid":0,"uuid":"8218403B-D48C-5DEA-8DF0-737501B8FF8C"},"cdhash":"153e203e26743ff3bc3f1e91fc6c0596ad574126","codesigning_flags":570522385,"executable":{"path":"/usr/sbin/sshd","path_truncated":false,"stat":{"st_atimespec":"2024-03-21T06:13:23.000Z","st_birthtimespec":"2024-03-21T06:13:23.000Z","st_blksize":4096,"st_blocks":1472,"st_ctimespec":"2024-03-21T06:13:23.000Z","st_dev":16777233,"st_flags":524320,"st_gen":0,"st_gid":0,"st_ino":1152921500312528280,"st_mode":33261,"st_mtimespec":"2024-03-21T06:13:23.000Z","st_nlink":1,"st_rdev":0,"st_size":1554496,"st_uid":0}},"group_id":1178,"is_es_client":false,"is_platform_binary":true,"original_ppid":1,"parent_audit_token":{"asid":100001,"auid":4294967295,"egid":0,"euid":0,"pid":1,"pidversion":7,"rgid":0,"ruid":0,"uuid":"0547F075-3A15-5FBC-B13B-4F28B75ACD31"},"ppid":1,"responsible_audit_token":{"asid":100069,"auid":501,"egid":0,"euid":0,"pid":1178,"pidversion":3061,"rgid":0,"ruid":0,"uuid":"8218403B-D48C-5DEA-8DF0-737501B8FF8C"},"session_id":1178,"signing_id":"com.apple.sshd","start_time":"2024-05-13T19:16:23.001Z"},"seq_num":15,"thread":{"thread_id":20871,"uuid":"D028B95D-FC58-56F5-96CC-CDE8981AA67E"},"time":"2024-05-13T19:16:27.167Z","uuid":"3DBBD44F-7709-44AB-8025-44F076BDF723","version":7} 
+{"action":{"result":{"result":{"auth":0},"result_type":0}},"action_type":1,"deadline":0,"event":{"login_logout":{"uid":502,"username":"jappleseed"}},"event_type":123,"glob_seq_num":419,"host":{"hostname":"MacBookPro","ips":["192.168.11.251","192.168.11.232"],"os":"Version 14.4.1 (Build 23E224)","protectVersion":"5.5.0.6","provisioningUDID":"00006030-001E301C0228001C","serial":"123ABC456DJ"},"mach_time":28430114731946,"metadata":{"product":"Device Telemetry 
Stream","schemaVersion":"1.0","vendor":"Jamf"},"process":{"audit_token":{"asid":125078,"auid":502,"egid":20,"euid":0,"pid":44014,"pidversion":47168126,"rgid":20,"ruid":502,"uuid":"108167E6-C144-5803-A1E9-E58F66A4BBC3"},"cdhash":"0e4c9421c8c505eda1f06b8f8c601b908e15f44e","codesigning_flags":570522385,"executable":{"path":"/usr/bin/login","path_truncated":false,"stat":{"st_atimespec":"2024-03-21T06:13:23.000Z","st_birthtimespec":"2024-03-21T06:13:23.000Z","st_blksize":4096,"st_blocks":56,"st_ctimespec":"2024-03-21T06:13:23.000Z","st_dev":16777231,"st_flags":524320,"st_gen":0,"st_gid":0,"st_ino":1152921500312525006,"st_mode":35181,"st_mtimespec":"2024-03-21T06:13:23.000Z","st_nlink":1,"st_rdev":0,"st_size":139312,"st_uid":0}},"group_id":44014,"is_es_client":false,"is_platform_binary":true,"original_ppid":42919,"parent_audit_token":{"asid":125014,"auid":502,"egid":20,"euid":502,"pid":42919,"pidversion":47165582,"rgid":20,"ruid":502,"uuid":"F6DF1E37-4D2F-5AAF-BC45-A4B38181C045"},"ppid":42919,"responsible_audit_token":{"asid":125014,"auid":502,"egid":20,"euid":502,"pid":42335,"pidversion":47164210,"rgid":20,"ruid":502,"uuid":"024ED444-A0FB-5E9C-95F3-101026839338"},"session_id":42919,"signing_id":"com.apple.login","start_time":"2024-05-22T06:43:27.000Z","tty":{"path":"/dev/ttys003","path_truncated":false,"stat":{"st_atimespec":"2024-05-22T06:43:42.644Z","st_birthtimespec":"1970-01-01T00:00:00.000Z","st_blksize":65536,"st_blocks":0,"st_ctimespec":"2024-05-22T06:43:42.644Z","st_dev":1060821753,"st_flags":0,"st_gen":0,"st_gid":0,"st_ino":1363,"st_mode":8630,"st_mtimespec":"2024-05-22T06:43:42.644Z","st_nlink":1,"st_rdev":268435459,"st_size":0,"st_uid":0}}},"seq_num":0,"thread":{"thread_id":93275992,"uuid":"5E574301-CBD0-5C72-99E1-92CAF0CB207F"},"time":"2024-05-22T06:43:42.671Z","uuid":"856A87D9-7ABC-4589-A9C2-ED3E4782B34C","version":7} 
+{"action":{"result":{"result":{"auth":0},"result_type":0}},"action_type":1,"deadline":0,"event":{"login_login":{"success":true,"uid":502,"username":"jappleseed"}},"event_type":122,"glob_seq_num":381,"host":{"hostname":"MacBookPro","ips":["192.168.11.251","192.168.11.232"],"os":"Version 14.4.1 (Build 23E224)","protectVersion":"5.5.0.6","provisioningUDID":"00006030-001E301C0228001C","serial":"123ABC456DJ"},"mach_time":28429962942316,"metadata":{"product":"Device Telemetry Stream","schemaVersion":"1.0","vendor":"Jamf"},"process":{"audit_token":{"asid":125078,"auid":502,"egid":20,"euid":0,"pid":44014,"pidversion":47168126,"rgid":20,"ruid":502,"uuid":"108167E6-C144-5803-A1E9-E58F66A4BBC3"},"cdhash":"0e4c9421c8c505eda1f06b8f8c601b908e15f44e","codesigning_flags":570522385,"executable":{"path":"/usr/bin/login","path_truncated":false,"stat":{"st_atimespec":"2024-03-21T06:13:23.000Z","st_birthtimespec":"2024-03-21T06:13:23.000Z","st_blksize":4096,"st_blocks":56,"st_ctimespec":"2024-03-21T06:13:23.000Z","st_dev":16777231,"st_flags":524320,"st_gen":0,"st_gid":0,"st_ino":1152921500312525006,"st_mode":35181,"st_mtimespec":"2024-03-21T06:13:23.000Z","st_nlink":1,"st_rdev":0,"st_size":139312,"st_uid":0}},"group_id":44014,"is_es_client":false,"is_platform_binary":true,"original_ppid":42919,"parent_audit_token":{"asid":125014,"auid":502,"egid":20,"euid":502,"pid":42919,"pidversion":47165582,"rgid":20,"ruid":502,"uuid":"F6DF1E37-4D2F-5AAF-BC45-A4B38181C045"},"ppid":42919,"responsible_audit_token":{"asid":125014,"auid":502,"egid":20,"euid":502,"pid":42335,"pidversion":47164210,"rgid":20,"ruid":502,"uuid":"024ED444-A0FB-5E9C-95F3-101026839338"},"session_id":42919,"signing_id":"com.apple.login","start_time":"2024-05-22T06:43:27.000Z","tty":{"path":"/dev/ttys003","path_truncated":false,"stat":{"st_atimespec":"2024-05-22T06:43:36.178Z","st_birthtimespec":"1970-01-01T00:00:00.000Z","st_blksize":65536,"st_blocks":0,"st_ctimespec":"2024-05-22T06:43:36.179Z","st_dev":1060821753,"st_flags":0,"
st_gen":0,"st_gid":4,"st_ino":1363,"st_mode":8592,"st_mtimespec":"2024-05-22T06:43:36.179Z","st_nlink":1,"st_rdev":268435459,"st_size":0,"st_uid":502}}},"seq_num":0,"thread":{"thread_id":93275992,"uuid":"5E574301-CBD0-5C72-99E1-92CAF0CB207F"},"time":"2024-05-22T06:43:36.346Z","uuid":"870EBE27-C9C5-4DFC-9012-A1DAA42FA42A","version":7} 
+{"action":{"result":{"result":{"auth":0},"result_type":0}},"action_type":1,"deadline":0,"event":{"xp_malware_remediated":{"action_type":"path_delete","incident_identifier":"48AF332D-094E-4F16-A11E-4FE40E8BD933","malware_identifier":"MACOS.KEYSTEAL.A.User","remediated_path":"/Library/Caches/com.apple.server","result_description":"Success","signature_version":"131","success":true}},"event_type":113,"glob_seq_num":1253,"host":{"hostname":"sevro","ips":["192.168.5.190"],"os":"Version 14.4.1 (Build 23E224)","protectVersion":"5.4.0-Hardcoded.Telemetry.v2.19","provisioningUDID":"0000FE00-F18DE97EF425BB7B","serial":"123ABC456DJ"},"mach_time":6126755846,"metadata":{"product":"Device Telemetry 
Stream","schemaVersion":"1.0","vendor":"Jamf"},"process":{"audit_token":{"asid":100004,"auid":501,"egid":20,"euid":501,"pid":721,"pidversion":1857,"rgid":20,"ruid":501,"uuid":"D012B237-0F57-5704-96A7-D131C4829C87"},"cdhash":"a6c077b9c8e9e8928282554cb01efd6bd05cf608","codesigning_flags":570522369,"executable":{"path":"/Library/Apple/System/Library/CoreServices/XProtect.app/Contents/MacOS/XProtectRemediatorKeySteal","path_truncated":false,"sha1":"eb9ae761d3f674eb4825ed44c0a123a2fc661cb6","sha256":"3f5067e550b7a5810e4d9df707dfd5d045d000bd97eb1c369569a256d88f31a5","stat":{"st_atimespec":"2024-04-18T02:33:19.000Z","st_birthtimespec":"2024-04-18T02:33:19.000Z","st_blksize":4096,"st_blocks":1904,"st_ctimespec":"2024-04-29T15:01:53.308Z","st_dev":16777231,"st_flags":524320,"st_gen":0,"st_gid":0,"st_ino":48762,"st_mode":33261,"st_mtimespec":"2024-04-18T02:33:19.000Z","st_nlink":1,"st_rdev":0,"st_size":2332576,"st_uid":0}},"group_id":721,"is_es_client":false,"is_platform_binary":true,"original_ppid":703,"parent_audit_token":{"asid":100004,"auid":501,"egid":20,"euid":501,"pid":703,"pidversion":1819,"rgid":20,"ruid":501,"uuid":"7768699A-095C-5177-920C-4112827C959A"},"ppid":703,"responsible_audit_token":{"asid":100004,"auid":501,"egid":20,"euid":501,"pid":643,"pidversion":1656,"rgid":20,"ruid":501,"uuid":"3C3CDAAE-D66A-572C-B6FB-C1767E278136"},"session_id":702,"signing_id":"com.apple.XProtectFramework.plugins.KeySteal","start_time":"2024-04-29T16:04:18.000Z","tty":{"path":"/dev/ttys000","path_truncated":false,"stat":{"st_atimespec":"2024-04-29T16:04:17.381Z","st_birthtimespec":"1970-01-01T00:00:00.000Z","st_blksize":65536,"st_blocks":0,"st_ctimespec":"2024-04-29T16:04:18.381Z","st_dev":386561853,"st_flags":0,"st_gen":0,"st_gid":4,"st_ino":703,"st_mode":8592,"st_mtimespec":"2024-04-29T16:04:18.381Z","st_nlink":1,"st_rdev":268435456,"st_size":0,"st_uid":501}}},"seq_num":1,"thread":{"thread_id":6934,"uuid":"51E50BB5-50D6-5FC9-B037-B5BBB6753254"},"time":"2024-04-29T16:04:18.467Z","u
uid":"3EFFC29C-CB54-4885-B675-25B7E609A8A1","version":7} +{"action":{"result":{"result":{"auth":0},"result_type":0}},"action_type":1,"deadline":0,"event":{"xp_malware_detected":{"detected_path":"/Users/jappleseed/Downloads/CloudMensis/WindowServer","incident_identifier":"63BFD08A-0A9B-42DA-AC93-2803E2B09CD0","malware_identifier":"SNOWDRIFT"}},"event_type":112,"glob_seq_num":463,"host":{"hostname":"sevro","ips":["192.168.5.190"],"os":"Version 14.4.1 (Build 23E224)","protectVersion":"5.4.0-Hardcoded.Telemetry.v2.19","provisioningUDID":"0000FE00-F18DE97EF425BB7B","serial":"123ABC456DJ"},"mach_time":77475584398,"metadata":{"product":"Device Telemetry Stream","schemaVersion":"1.0","vendor":"Jamf"},"process":{"audit_token":{"asid":100142,"auid":4294967295,"egid":20,"euid":501,"pid":1420,"pidversion":3949,"rgid":20,"ruid":501,"uuid":"2A513A83-CBCE-5922-8779-327EBC8341E7"},"cdhash":"d95f0868f7413d39865ac0aeda54959dd33a11c0","codesigning_flags":570522369,"executable":{"path":"/System/Library/PrivateFrameworks/XprotectFramework.framework/Versions/A/XPCServices/XprotectService.xpc/Contents/MacOS/XprotectService","path_truncated":false,"sha1":"5552c129be45cd82d3f00da10ef596545d229a77","sha256":"4e51d34b4168a154df733fce18fa543743117bbf601835f26fa80e5ea2b9561e","stat":{"st_atimespec":"2024-03-21T06:13:23.000Z","st_birthtimespec":"2024-03-21T06:13:23.000Z","st_blksize":4096,"st_blocks":256,"st_ctimespec":"2024-03-21T06:13:23.000Z","st_dev":16777233,"st_flags":524320,"st_gen":0,"st_gid":0,"st_ino":1152921500312447538,"st_mode":33261,"st_mtimespec":"2024-03-21T06:13:23.000Z","st_nlink":1,"st_rdev":0,"st_size":365088,"st_uid":0}},"group_id":1420,"is_es_client":false,"is_platform_binary":true,"original_ppid":1,"parent_audit_token":{"asid":100001,"auid":4294967295,"egid":0,"euid":0,"pid":1,"pidversion":7,"rgid":0,"ruid":0,"uuid":"0547F075-3A15-5FBC-B13B-4F28B75ACD31"},"ppid":1,"responsible_audit_token":{"asid":100069,"auid":501,"egid":20,"euid":501,"pid":1063,"pidversion":2931,"rgid":2
0,"ruid":501,"uuid":"DFD18C6A-5DA9-589F-A9C6-DB6021B80416"},"session_id":1420,"signing_id":"com.apple.XprotectFramework.AnalysisService","start_time":"2024-04-29T15:01:42.001Z"},"seq_num":0,"thread":{"thread_id":32614,"uuid":"29B845B6-192D-58EE-A334-B94ACC61C902"},"time":"2024-04-29T15:39:31.670Z","uuid":"08C6BA59-A4DD-49EE-B6B0-758190E52321","version":7} +{"action":{"result":{"result":{"auth":0},"result_type":0}},"action_type":1,"deadline":0,"event":{"su":{"argc":1,"argv":["zsh"],"env":["COLORTERM=truecolor","COMMAND_MODE=unix2003","HOME=/Users/jappleseed","LC_CTYPE=UTF-8","LOGNAME=jappleseed","LaunchInstanceID=11F38ACD-A27F-40B4-848D-421BBB0A4919","PATH=/Library/Frameworks/Python.framework/Versions/3.10/bin:/opt/homebrew/bin:/opt/homebrew/sbin:/usr/local/bin:/System/Cryptexes/App/usr/bin:/usr/bin:/bin:/usr/sbin:/sbin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/local/bin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/bin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/appleinternal/bin:/Library/Apple/usr/bin:/Applications/VMware Fusion Tech 
Preview.app/Contents/Public:~/.dotnet/tools","SECURITYSESSIONID=1e856","SHELL=/bin/zsh","SSH_AUTH_SOCK=/private/tmp/com.apple.launchd.omLbuLOqvv/Listeners","SSH_SOCKET_DIR=~/.ssh","TERM=xterm-256color","TERM_PROGRAM=WarpTerminal","TERM_PROGRAM_VERSION=v0.2024.05.14.08.01.stable_04","USER=jappleseed","WARP_COMBINED_PROMPT_COMMAND_GRID=0","WARP_HONOR_PS1=1","WARP_IS_LOCAL_SHELL_SESSION=1","WARP_USE_SSH_WRAPPER=1","XPC_FLAGS=0x0","XPC_SERVICE_NAME=0","__CFBundleIdentifier=dev.warp.Warp-Stable","__CF_USER_TEXT_ENCODING=0x0:0:0","SHLVL=1","PWD=/Users/jappleseed/Documents/GitHub/Elastic/integrations/packages/jamf_protect","OLDPWD=/Users/jappleseed","HOMEBREW_PREFIX=/opt/homebrew","HOMEBREW_CELLAR=/opt/homebrew/Cellar","HOMEBREW_REPOSITORY=/opt/homebrew","MANPATH=/opt/homebrew/share/man::","INFOPATH=/opt/homebrew/share/info:","ZSH=/Users/jappleseed/.oh-my-zsh","PAGER=less","LESS=-R","LSCOLORS=Gxfxcxdxbxegedabagacad","CONDA_CHANGEPS1=false","_=/usr/bin/su"],"env_count":37,"from_uid":502,"from_username":"jappleseed","shell":"/bin/zsh","success":true,"to_uid":502,"to_username":"jappleseed"}},"event_type":128,"glob_seq_num":776,"host":{"hostname":"MacBookPro","ips":["192.168.11.251","192.168.11.232","192.168.64.1","169.254.100.182"],"os":"Version 14.4.1 (Build 23E224)","protectVersion":"5.5.0.6","provisioningUDID":"00006030-001E301C0228001C","serial":"123ABC456DJ"},"mach_time":28574849800998,"metadata":{"product":"Device Telemetry 
Stream","schemaVersion":"1.0","vendor":"Jamf"},"process":{"audit_token":{"asid":125014,"auid":502,"egid":20,"euid":502,"pid":59259,"pidversion":47202106,"rgid":20,"ruid":502,"uuid":"D3398C01-3855-5B82-8BC8-4C4FD7B0660E"},"cdhash":"30bb7dae586bcb5e6f4e9c6842bed0381fc73aec","codesigning_flags":570522385,"executable":{"path":"/usr/bin/su","path_truncated":false,"stat":{"st_atimespec":"2024-03-21T06:13:23.000Z","st_birthtimespec":"2024-03-21T06:13:23.000Z","st_blksize":4096,"st_blocks":48,"st_ctimespec":"2024-03-21T06:13:23.000Z","st_dev":16777231,"st_flags":524320,"st_gen":0,"st_gid":0,"st_ino":1152921500312525591,"st_mode":35309,"st_mtimespec":"2024-03-21T06:13:23.000Z","st_nlink":1,"st_rdev":0,"st_size":121920,"st_uid":0}},"group_id":59259,"is_es_client":false,"is_platform_binary":true,"original_ppid":59258,"parent_audit_token":{"asid":125014,"auid":502,"egid":20,"euid":0,"pid":59258,"pidversion":47202105,"rgid":20,"ruid":502,"uuid":"B3DF0942-6827-56F0-817A-ED114B670078"},"ppid":59258,"responsible_audit_token":{"asid":125014,"auid":502,"egid":20,"euid":502,"pid":42335,"pidversion":47164210,"rgid":20,"ruid":502,"uuid":"024ED444-A0FB-5E9C-95F3-101026839338"},"session_id":42905,"signing_id":"com.apple.su","start_time":"2024-05-22T08:24:13.000Z","tty":{"path":"/dev/ttys002","path_truncated":false,"stat":{"st_atimespec":"2024-05-22T08:24:13.146Z","st_birthtimespec":"1970-01-01T00:00:00.000Z","st_blksize":65536,"st_blocks":0,"st_ctimespec":"2024-05-22T08:24:13.146Z","st_dev":1060821753,"st_flags":0,"st_gen":0,"st_gid":4,"st_ino":1361,"st_mode":8592,"st_mtimespec":"2024-05-22T08:24:13.146Z","st_nlink":1,"st_rdev":268435458,"st_size":0,"st_uid":502}}},"seq_num":1,"thread":{"thread_id":93443428,"uuid":"35724D49-CC3D-5A9C-86E1-A35638BB67C0"},"time":"2024-05-22T08:24:13.310Z","uuid":"B1DE3F31-EF1C-40B0-BABB-DEE367224EF1","version":7} 
+{"action":{"result":{"result":{"auth":0},"result_type":0}},"action_type":1,"deadline":0,"event":{"screensharing_attach":{"authentication_type":"RSA-SRP","authentication_username":"jappleseed","existing_session":true,"graphical_session_id":257,"session_username":"jappleseed","source_address":"192.168.4.252","source_address_type":1,"success":true,"viewer_appleid":""}},"event_type":118,"glob_seq_num":342,"host":{"hostname":"sevro","ips":["192.168.5.190"],"os":"Version 14.4.1 (Build 23E224)","protectVersion":"5.5.0.5","provisioningUDID":"0000FE00-F18DE97EF425BB7B","serial":"123ABC456DJ"},"mach_time":8128008667,"metadata":{"product":"Device Telemetry Stream","schemaVersion":"1.0","vendor":"Jamf"},"process":{"audit_token":{"asid":100001,"auid":4294967295,"egid":0,"euid":0,"pid":754,"pidversion":1946,"rgid":0,"ruid":0,"uuid":"B1621139-6613-5D8D-BFE5-9B57EF557C34"},"cdhash":"90c483e0b8d3ad0d30c21ba8a41f52af8cd84fe7","codesigning_flags":570522385,"executable":{"path":"/System/Library/CoreServices/RemoteManagement/screensharingd.bundle/Contents/MacOS/screensharingd","path_truncated":false,"stat":{"st_atimespec":"2024-03-21T06:13:23.000Z","st_birthtimespec":"2024-03-21T06:13:23.000Z","st_blksize":4096,"st_blocks":1336,"st_ctimespec":"2024-03-21T06:13:23.000Z","st_dev":16777233,"st_flags":524320,"st_gen":0,"st_gid":0,"st_ino":1152921500312126428,"st_mode":33261,"st_mtimespec":"2024-03-21T06:13:23.000Z","st_nlink":1,"st_rdev":0,"st_size":1527872,"st_uid":0}},"group_id":754,"is_es_client":false,"is_platform_binary":true,"original_ppid":1,"parent_audit_token":{"asid":100001,"auid":4294967295,"egid":0,"euid":0,"pid":1,"pidversion":7,"rgid":0,"ruid":0,"uuid":"0547F075-3A15-5FBC-B13B-4F28B75ACD31"},"ppid":1,"responsible_audit_token":{"asid":100001,"auid":4294967295,"egid":0,"euid":0,"pid":754,"pidversion":1946,"rgid":0,"ruid":0,"uuid":"B1621139-6613-5D8D-BFE5-9B57EF557C34"},"session_id":754,"signing_id":"com.apple.screensharing.daemon","start_time":"2024-05-13T18:39:16.000Z"},"seq_n
um":0,"thread":{"thread_id":7083,"uuid":"A5306973-F91C-51B6-8538-14CC68136DB9"},"time":"2024-05-13T18:39:26.942Z","uuid":"A1EB740E-CB42-4745-97F4-F5C2EF89750A","version":7} +{"action":{"result":{"result":{"auth":0},"result_type":0}},"action_type":1,"deadline":0,"event":{"kextload":{"identifier":"com.apple.driver.AppleUSBAudio"}},"event_type":17,"glob_seq_num":8582,"host":{"hostname":"MacBookPro","ips":["192.168.1.27"],"os":"Version 14.4.1 (Build 23E224)","protectVersion":"5.4.0.1","provisioningUDID":"00006020-000C69E03633C01E","serial":"123ABC456DJ"},"mach_time":1720417150058,"metadata":{"product":"Device Telemetry Stream","schemaVersion":"1.0","vendor":"Jamf"},"process":{"audit_token":{"asid":100016,"auid":4294967295,"egid":0,"euid":0,"pid":330,"pidversion":769,"rgid":0,"ruid":0,"uuid":"D72BF411-CD8E-591C-81EE-73A18F09F32E"},"cdhash":"cd9586cd7c6599c6bc8fed4d3823dce4eb1c91fc","codesigning_flags":570522369,"executable":{"path":"/usr/libexec/kernelmanagerd","path_truncated":false,"sha1":"a28a8e1654d65cedb05a268e825563d65b1fbbc0","sha256":"2d90d5798155f919965565a72e6065d3a1de6fd0c0f2134acdd3d1bced0a6114","stat":{"st_atimespec":"2024-03-21T06:13:23.000Z","st_birthtimespec":"2024-03-21T06:13:23.000Z","st_blksize":4096,"st_blocks":3832,"st_ctimespec":"2024-03-21T06:13:23.000Z","st_dev":16777233,"st_flags":524320,"st_gen":0,"st_gid":0,"st_ino":1152921500312527400,"st_mode":33261,"st_mtimespec":"2024-03-21T06:13:23.000Z","st_nlink":1,"st_rdev":0,"st_size":4046864,"st_uid":0}},"group_id":330,"is_es_client":false,"is_platform_binary":true,"original_ppid":1,"parent_audit_token":{"asid":100016,"auid":4294967295,"egid":0,"euid":0,"pid":1,"pidversion":514,"rgid":0,"ruid":0,"uuid":"87BE8C81-EE7F-5C5B-BFCD-D59AE17723C9"},"ppid":1,"responsible_audit_token":{"asid":100016,"auid":4294967295,"egid":0,"euid":0,"pid":330,"pidversion":769,"rgid":0,"ruid":0,"uuid":"D72BF411-CD8E-591C-81EE-73A18F09F32E"},"session_id":330,"signing_id":"com.apple.kernelmanagerd","start_time":"2024-04-16T19:2
3:32.001Z"},"seq_num":0,"thread":{"thread_id":1612753,"uuid":"020F4BCF-C3A1-5C1E-B065-C6F4E3F78134"},"time":"2024-04-19T15:11:43.771Z","uuid":"ED83CFC8-27E9-4F23-862D-48448CBE8A7B","version":7} +{"action":{"result":{"result":{"auth":0},"result_type":0}},"action_type":1,"deadline":0,"event":{"profile_add":{"instigator":{"audit_token":{"asid":100001,"auid":4294967295,"egid":0,"euid":0,"pid":3804,"pidversion":10032,"rgid":0,"ruid":0,"uuid":"A28E3E65-BBFB-5EEB-9001-DF5BF72BE2B9"},"cdhash":"beef65d6aeba15d0dd7ef1a076d4bcbd386c1652","codesigning_flags":570522369,"executable":{"path":"/usr/libexec/mdmclient","path_truncated":false,"stat":{"st_atimespec":"2023-12-15T14:43:29.000Z","st_birthtimespec":"2023-12-15T14:43:29.000Z","st_blksize":4096,"st_blocks":3232,"st_ctimespec":"2023-12-15T14:43:29.000Z","st_dev":16777233,"st_flags":524320,"st_gen":0,"st_gid":0,"st_ino":1152921500312514216,"st_mode":33261,"st_mtimespec":"2023-12-15T14:43:29.000Z","st_nlink":1,"st_rdev":0,"st_size":3555280,"st_uid":0}},"group_id":3804,"is_es_client":false,"is_platform_binary":true,"original_ppid":1,"parent_audit_token":{"asid":100001,"auid":4294967295,"egid":0,"euid":0,"pid":1,"pidversion":7,"rgid":0,"ruid":0,"uuid":"30C61A05-D41A-5837-A42E-F11FD2434A00"},"ppid":1,"responsible_audit_token":{"asid":100001,"auid":4294967295,"egid":0,"euid":0,"pid":3804,"pidversion":10032,"rgid":0,"ruid":0,"uuid":"A28E3E65-BBFB-5EEB-9001-DF5BF72BE2B9"},"session_id":3804,"signing_id":"com.apple.mdmclient","start_time":"2024-04-18T18:09:16.000Z"},"is_update":false,"profile":{"display_name":"Maggie Plan - Jamf Protect Configuration","identifier":"com.jamf.protect.7b528ecd-2906-4526-8e57-1d9a7d4a70a9","install_source":1,"organization":"Jamf Protect","scope":"system","uuid":"7b528ecd-2906-4526-8e57-1d9a7d4a70a9"}}},"event_type":126,"glob_seq_num":250,"host":{"hostname":"Direct’s Virtual Machine","ips":["192.168.1.37"],"os":"Version 14.2.1 (Build 
23C71)","protectVersion":"5.4.0-Hardcoded.Telemetry.v2.19","provisioningUDID":"0000FE00-64704499391F1E47","serial":"123ABC456DJ"},"mach_time":266713644066,"metadata":{"product":"Device Telemetry Stream","schemaVersion":"1.0","vendor":"Jamf"},"process":{"audit_token":{"asid":100001,"auid":4294967295,"egid":0,"euid":0,"pid":3804,"pidversion":10032,"rgid":0,"ruid":0,"uuid":"A28E3E65-BBFB-5EEB-9001-DF5BF72BE2B9"},"cdhash":"beef65d6aeba15d0dd7ef1a076d4bcbd386c1652","codesigning_flags":570522369,"executable":{"path":"/usr/libexec/mdmclient","path_truncated":false,"sha1":"00165fc9440c7b06bc8699c9cab74cb815c0230c","sha256":"6c887e996293d840838fe89dceeb7859f252c94c1d155291724a87ea344ce7b1","stat":{"st_atimespec":"2023-12-15T14:43:29.000Z","st_birthtimespec":"2023-12-15T14:43:29.000Z","st_blksize":4096,"st_blocks":3232,"st_ctimespec":"2023-12-15T14:43:29.000Z","st_dev":16777233,"st_flags":524320,"st_gen":0,"st_gid":0,"st_ino":1152921500312514216,"st_mode":33261,"st_mtimespec":"2023-12-15T14:43:29.000Z","st_nlink":1,"st_rdev":0,"st_size":3555280,"st_uid":0}},"group_id":3804,"is_es_client":false,"is_platform_binary":true,"original_ppid":1,"parent_audit_token":{"asid":100001,"auid":4294967295,"egid":0,"euid":0,"pid":1,"pidversion":7,"rgid":0,"ruid":0,"uuid":"30C61A05-D41A-5837-A42E-F11FD2434A00"},"ppid":1,"responsible_audit_token":{"asid":100001,"auid":4294967295,"egid":0,"euid":0,"pid":3804,"pidversion":10032,"rgid":0,"ruid":0,"uuid":"A28E3E65-BBFB-5EEB-9001-DF5BF72BE2B9"},"session_id":3804,"signing_id":"com.apple.mdmclient","start_time":"2024-04-18T18:09:16.000Z"},"seq_num":0,"thread":{"thread_id":202079,"uuid":"CC3D7FCA-9EC4-5D93-AA55-28168E0EEC6D"},"time":"2024-04-18T18:09:24.453Z","uuid":"F1764069-5A47-41A3-A8A2-BBB96EEED11C","version":7} +{"action":{"result":{"result":{"auth":0},"result_type":0}},"action_type":1,"deadline":0,"event":{"settime":{}},"event_type":75,"glob_seq_num":645,"host":{"hostname":"MacBookPro","ips":["192.168.4.252"],"os":"Version 14.5 (Build 
23F79)","protectVersion":"5.5.0.6","provisioningUDID":"00006000-000C043C22A1801E","serial":"123ABC456DJ"},"mach_time":3027057347308,"metadata":{"product":"Device Telemetry Stream","schemaVersion":"1.0","vendor":"Jamf"},"process":{"audit_token":{"asid":100012,"auid":502,"egid":0,"euid":0,"pid":70350,"pidversion":857553,"rgid":0,"ruid":0,"uuid":"392478E9-0928-541C-9951-65041BD708CD"},"cdhash":"19bcee646078eb8ba59e1582baaa2e24ab46b577","codesigning_flags":570506001,"executable":{"path":"/usr/bin/sntp","path_truncated":false,"stat":{"st_atimespec":"2024-05-07T07:01:44.000Z","st_birthtimespec":"2024-05-07T07:01:44.000Z","st_blksize":4096,"st_blocks":48,"st_ctimespec":"2024-05-07T07:01:44.000Z","st_dev":16777229,"st_flags":524320,"st_gen":0,"st_gid":0,"st_ino":1152921500312526234,"st_mode":33261,"st_mtimespec":"2024-05-07T07:01:44.000Z","st_nlink":1,"st_rdev":0,"st_size":120032,"st_uid":0}},"group_id":70346,"is_es_client":false,"is_platform_binary":true,"original_ppid":70346,"parent_audit_token":{"asid":100012,"auid":502,"egid":0,"euid":0,"pid":70346,"pidversion":857545,"rgid":0,"ruid":502,"uuid":"5C5D5D79-2B3D-52BE-A494-74FA963791BC"},"ppid":70346,"responsible_audit_token":{"asid":100012,"auid":502,"egid":20,"euid":502,"pid":1479,"pidversion":725382,"rgid":20,"ruid":502,"uuid":"65D76688-092C-5D45-91EE-D8397C30BF20"},"session_id":70208,"signing_id":"com.apple.sntp","start_time":"2024-05-22T14:21:37.000Z","tty":{"path":"/dev/ttys014","path_truncated":false,"stat":{"st_atimespec":"2024-05-22T14:21:35.514Z","st_birthtimespec":"1970-01-01T00:00:00.000Z","st_blksize":65536,"st_blocks":0,"st_ctimespec":"2024-05-22T14:21:37.280Z","st_dev":-568281092,"st_flags":0,"st_gen":0,"st_gid":4,"st_ino":985,"st_mode":8592,"st_mtimespec":"2024-05-22T14:21:37.280Z","st_nlink":1,"st_rdev":268435470,"st_size":0,"st_uid":502}}},"seq_num":0,"thread":{"thread_id":5072757,"uuid":"EF22072B-5388-560F-B960-D002F84389F9"},"time":"2024-05-22T14:21:37.280Z","uuid":"69E87430-917B-4863-B394-537F52E91976",
"version":7} +{"action":{"result":{"result":{"auth":0},"result_type":0}},"action_type":1,"deadline":0,"event":{"btm_launch_item_add":{"app":{"audit_token":{"asid":125014,"auid":502,"egid":20,"euid":502,"pid":44888,"pidversion":47626957,"rgid":20,"ruid":502,"uuid":"B0BDE4C4-0787-57F5-891A-4D8AA2D33BB9"},"cdhash":"31c0815ee1b3904a826405c6fb9bc1e3ebae2b79","codesigning_flags":570503953,"executable":{"path":"/Applications/JamfCheck.app/Contents/MacOS/JamfCheck","path_truncated":false,"stat":{"st_atimespec":"2024-05-23T06:06:16.494Z","st_birthtimespec":"2024-05-16T12:02:51.000Z","st_blksize":4096,"st_blocks":6048,"st_ctimespec":"2024-05-16T13:40:19.640Z","st_dev":16777231,"st_flags":0,"st_gen":0,"st_gid":80,"st_ino":30852350,"st_mode":33261,"st_mtimespec":"2024-05-16T12:02:51.000Z","st_nlink":1,"st_rdev":0,"st_size":3094752,"st_uid":0}},"group_id":44888,"is_es_client":false,"is_platform_binary":false,"original_ppid":1,"parent_audit_token":{"asid":100015,"auid":4294967295,"egid":0,"euid":0,"pid":1,"pidversion":551,"rgid":0,"ruid":0,"uuid":"650F695A-E78B-547C-B6B9-34D752DB435F"},"ppid":1,"responsible_audit_token":{"asid":125014,"auid":502,"egid":20,"euid":502,"pid":44888,"pidversion":47626957,"rgid":20,"ruid":502,"uuid":"B0BDE4C4-0787-57F5-891A-4D8AA2D33BB9"},"session_id":1,"signing_id":"com.txhaflaire.JamfCheck","start_time":"2024-05-23T06:06:15.001Z","team_id":"CLQKFNPCCP"},"executable_path":"Contents/Resources/com.txhaflaire.JamfCheck.helper","item":{"app_url":"file:///Applications/JamfCheck.app/","item_type":4,"item_url":"Contents/Library/LaunchDaemons/com.txhaflaire.JamfCheck.helper.plist","legacy":false,"managed":false,"uid":502}}},"event_type":124,"glob_seq_num":3229,"host":{"hostname":"MacBookPro","ips":["192.168.11.251","192.168.11.232","192.168.64.1"],"os":"Version 14.4.1 (Build 23E224)","protectVersion":"5.5.0.6","provisioningUDID":"00006030-001E301C0228001C","serial":"123ABC456DJ"},"mach_time":30288357151084,"metadata":{"product":"Device Telemetry 
Stream","schemaVersion":"1.0","vendor":"Jamf"},"process":{"audit_token":{"asid":100015,"auid":4294967295,"egid":0,"euid":0,"pid":28267,"pidversion":47589294,"rgid":0,"ruid":0,"uuid":"CB0CAAE3-08B8-56CA-BDCA-BD5F44B17CE4"},"cdhash":"1c01957ea34ce597bbbb6f52245e0a3cb4917cab","codesigning_flags":570522369,"executable":{"path":"/System/Library/PrivateFrameworks/BackgroundTaskManagement.framework/Versions/A/Resources/backgroundtaskmanagementd","path_truncated":false,"stat":{"st_atimespec":"2024-03-21T06:13:23.000Z","st_birthtimespec":"2024-03-21T06:13:23.000Z","st_blksize":4096,"st_blocks":448,"st_ctimespec":"2024-03-21T06:13:23.000Z","st_dev":16777231,"st_flags":524320,"st_gen":0,"st_gid":0,"st_ino":1152921500312287141,"st_mode":33261,"st_mtimespec":"2024-03-21T06:13:23.000Z","st_nlink":1,"st_rdev":0,"st_size":611840,"st_uid":0}},"group_id":28267,"is_es_client":false,"is_platform_binary":true,"original_ppid":1,"parent_audit_token":{"asid":100015,"auid":4294967295,"egid":0,"euid":0,"pid":1,"pidversion":551,"rgid":0,"ruid":0,"uuid":"650F695A-E78B-547C-B6B9-34D752DB435F"},"ppid":1,"responsible_audit_token":{"asid":100015,"auid":4294967295,"egid":0,"euid":0,"pid":28267,"pidversion":47589294,"rgid":0,"ruid":0,"uuid":"CB0CAAE3-08B8-56CA-BDCA-BD5F44B17CE4"},"session_id":28267,"signing_id":"com.apple.backgroundtaskmanagementd","start_time":"2024-05-23T03:54:49.001Z"},"seq_num":4,"thread":{"thread_id":96260554,"uuid":"5F7AC103-400C-510A-A0F4-51339535A555"},"time":"2024-05-23T06:06:16.840Z","uuid":"073C2E43-ABA3-470D-9641-4494F202869D","version":7} +{"action":{"result":{"result":{"auth":0},"result_type":0}},"action_type":1,"deadline":0,"event":{"btm_launch_item_remove":{"item":{"app_url":"","item_type":3,"item_url":"file:///Library/LaunchAgents/inSyncAgent.plist","legacy":true,"managed":true,"uid":502}}},"event_type":125,"glob_seq_num":1068,"host":{"hostname":"MacBookPro","ips":["192.168.11.251","192.168.11.232","192.168.64.1"],"os":"Version 14.4.1 (Build 
23E224)","protectVersion":"5.5.0.6","provisioningUDID":"00006030-001E301C0228001C","serial":"123ABC456DJ"},"mach_time":30270988724172,"metadata":{"product":"Device Telemetry Stream","schemaVersion":"1.0","vendor":"Jamf"},"process":{"audit_token":{"asid":100015,"auid":4294967295,"egid":0,"euid":0,"pid":28267,"pidversion":47589294,"rgid":0,"ruid":0,"uuid":"CB0CAAE3-08B8-56CA-BDCA-BD5F44B17CE4"},"cdhash":"1c01957ea34ce597bbbb6f52245e0a3cb4917cab","codesigning_flags":570522369,"executable":{"path":"/System/Library/PrivateFrameworks/BackgroundTaskManagement.framework/Versions/A/Resources/backgroundtaskmanagementd","path_truncated":false,"stat":{"st_atimespec":"2024-03-21T06:13:23.000Z","st_birthtimespec":"2024-03-21T06:13:23.000Z","st_blksize":4096,"st_blocks":448,"st_ctimespec":"2024-03-21T06:13:23.000Z","st_dev":16777231,"st_flags":524320,"st_gen":0,"st_gid":0,"st_ino":1152921500312287141,"st_mode":33261,"st_mtimespec":"2024-03-21T06:13:23.000Z","st_nlink":1,"st_rdev":0,"st_size":611840,"st_uid":0}},"group_id":28267,"is_es_client":false,"is_platform_binary":true,"original_ppid":1,"parent_audit_token":{"asid":100015,"auid":4294967295,"egid":0,"euid":0,"pid":1,"pidversion":551,"rgid":0,"ruid":0,"uuid":"650F695A-E78B-547C-B6B9-34D752DB435F"},"ppid":1,"responsible_audit_token":{"asid":100015,"auid":4294967295,"egid":0,"euid":0,"pid":28267,"pidversion":47589294,"rgid":0,"ruid":0,"uuid":"CB0CAAE3-08B8-56CA-BDCA-BD5F44B17CE4"},"session_id":28267,"signing_id":"com.apple.backgroundtaskmanagementd","start_time":"2024-05-23T03:54:49.001Z"},"seq_num":1,"thread":{"thread_id":96231556,"uuid":"05973043-9E0A-5366-9E3D-B64947F5BF43"},"time":"2024-05-23T05:53:39.686Z","uuid":"BE5A2C6D-75D6-4ECA-BCFE-FB1B676DBE1E","version":7} +{"action":{"result":{"result":{"auth":0},"result_type":0}},"action_type":1,"deadline":0,"event":{"cs_invalidate":{}},"event_type":94,"glob_seq_num":13820,"host":{"hostname":"MacBookPro","ips":["192.168.1.27"],"os":"Version 14.4.1 (Build 
23E224)","protectVersion":"5.4.0.1","provisioningUDID":"00006020-000C69E03633C01E","serial":"123ABC456DJ"},"mach_time":1753178733092,"metadata":{"product":"Device Telemetry Stream","schemaVersion":"1.0","vendor":"Jamf"},"process":{"audit_token":{"asid":100019,"auid":502,"egid":20,"euid":502,"pid":55767,"pidversion":128858,"rgid":20,"ruid":502,"uuid":"F06AF30C-2C9B-5227-9BCD-48078F09C78C"},"cdhash":"21012241103cd6658464ef81e04cb153d67f53e5","codesigning_flags":587334146,"executable":{"path":"/Users/jappleseed/Downloads/common/sleep","path_truncated":false,"sha1":"774ad8206f412d07161d174b6519d40ef601c02a","sha256":"d4791b942dbd4dd0eee0b31e46424fe673df586e2fdd166b6fe4f303a19767b4","stat":{"st_atimespec":"2024-04-19T15:33:31.392Z","st_birthtimespec":"2024-04-19T15:32:37.060Z","st_blksize":4096,"st_blocks":72,"st_ctimespec":"2024-04-19T15:32:37.060Z","st_dev":16777233,"st_flags":0,"st_gen":0,"st_gid":20,"st_ino":30081940,"st_mode":33261,"st_mtimespec":"2024-04-19T15:32:37.060Z","st_nlink":1,"st_rdev":0,"st_size":33432,"st_uid":502}},"group_id":55767,"is_es_client":false,"is_platform_binary":false,"original_ppid":55484,"parent_audit_token":{"asid":100019,"auid":502,"egid":20,"euid":502,"pid":55484,"pidversion":128242,"rgid":20,"ruid":502,"uuid":"732B7C17-3D83-52FC-B114-08FBE9FC43FA"},"ppid":55484,"responsible_audit_token":{"asid":100019,"auid":502,"egid":20,"euid":502,"pid":712,"pidversion":1695,"rgid":20,"ruid":502,"uuid":"32648F68-FC35-5EAA-A81F-5FEAAB9AA187"},"session_id":55483,"signing_id":"sleep","start_time":"2024-04-19T15:33:31.000Z","tty":{"path":"/dev/ttys003","path_truncated":false,"stat":{"st_atimespec":"2024-04-19T15:33:14.382Z","st_birthtimespec":"1970-01-01T00:00:00.000Z","st_blksize":65536,"st_blocks":0,"st_ctimespec":"2024-04-19T15:33:31.387Z","st_dev":-874482363,"st_flags":0,"st_gen":0,"st_gid":4,"st_ino":723,"st_mode":8592,"st_mtimespec":"2024-04-19T15:33:31.387Z","st_nlink":1,"st_rdev":268435459,"st_size":0,"st_uid":502}}},"seq_num":0,"time":"2024-04-19
T15:34:28.834Z","uuid":"415148AF-9371-4C01-8D60-72DBEEEC71F2","version":7} +{"action":{"result":{"result":{"auth":0},"result_type":0}},"action_type":1,"deadline":0,"event":{"chroot":{"target":{"path":"/private/var/folders/2f/w7qslkks19ncxg48w_559zp80000gn/T","path_truncated":false,"stat":{"st_atimespec":"2024-05-03T13:41:50.517Z","st_birthtimespec":"2024-01-26T13:05:32.470Z","st_blksize":4096,"st_blocks":0,"st_ctimespec":"2024-05-06T06:40:35.185Z","st_dev":16777231,"st_flags":1048576,"st_gen":0,"st_gid":20,"st_ino":26462,"st_mode":16832,"st_mtimespec":"2024-05-06T06:40:35.185Z","st_nlink":4,"st_rdev":0,"st_size":128,"st_uid":501}}}},"event_type":57,"glob_seq_num":4183,"host":{"hostname":"MacBookPro","ips":["192.168.11.251","192.168.11.232","192.168.64.1"],"os":"Version 14.4.1 (Build 23E224)","protectVersion":"5.5.0.6","provisioningUDID":"00006030-001E301C0228001C","serial":"123ABC456DJ"},"mach_time":29994345187967,"metadata":{"product":"Device Telemetry Stream","schemaVersion":"1.0","vendor":"Jamf"},"process":{"audit_token":{"asid":100015,"auid":4294967295,"egid":0,"euid":0,"pid":14802,"pidversion":47557822,"rgid":0,"ruid":0,"uuid":"257005DD-1A0C-5F6F-8563-D790DABEF5B7"},"cdhash":"2680cbf567b9aff559d740365e00603fe93bccdf","codesigning_flags":570522369,"executable":{"path":"/usr/libexec/dirhelper","path_truncated":false,"stat":{"st_atimespec":"2024-03-21T06:13:23.000Z","st_birthtimespec":"2024-03-21T06:13:23.000Z","st_blksize":4096,"st_blocks":72,"st_ctimespec":"2024-03-21T06:13:23.000Z","st_dev":16777231,"st_flags":524320,"st_gen":0,"st_gid":0,"st_ino":1152921500312527264,"st_mode":33261,"st_mtimespec":"2024-03-21T06:13:23.000Z","st_nlink":1,"st_rdev":0,"st_size":182288,"st_uid":0}},"group_id":14795,"is_es_client":false,"is_platform_binary":true,"original_ppid":14795,"parent_audit_token":{"asid":100015,"auid":4294967295,"egid":0,"euid":0,"pid":14795,"pidversion":47557809,"rgid":0,"ruid":0,"uuid":"5BA4345F-357E-550B-9236-0BE320B979A9"},"ppid":14795,"responsible_audit
_token":{"asid":100015,"auid":4294967295,"egid":0,"euid":0,"pid":14795,"pidversion":47557809,"rgid":0,"ruid":0,"uuid":"5BA4345F-357E-550B-9236-0BE320B979A9"},"session_id":14795,"signing_id":"com.apple.dirhelper","start_time":"2024-05-23T01:35:28.000Z"},"seq_num":2,"thread":{"thread_id":95725389,"uuid":"4D26A299-1C49-5205-94DD-B3676DA161AF"},"time":"2024-05-23T01:35:29.599Z","uuid":"29204089-B6AB-44F9-97B2-A72C09A8B783","version":7} +{"action":{"result":{"result":{"auth":0},"result_type":0}},"action_type":1,"deadline":0,"event":{"mount":{"statfs":{"f_bavail":3674,"f_bfree":3674,"f_blocks":14122,"f_bsize":4096,"f_ffree":146960,"f_files":147256,"f_flags":77633049,"f_flags_ext":0,"f_fsid":[16777248,26],"f_fssubtype":0,"f_fstypename":"apfs","f_iosize":1048576,"f_mntfromname":"/dev/disk9s1","f_mntonname":"/Volumes/JamfConnect","f_owner":502,"f_type":26}}},"event_type":22,"glob_seq_num":106336,"host":{"hostname":"MacBookPro-Sjaffy (2)","ips":["192.168.11.251","192.168.64.1","192.168.11.232"],"os":"Version 14.5 (Build 23F79)","protectVersion":"6.0.1.11","provisioningUDID":"00006030-001E301C0228001C","serial":"KJQMQP4XW0"},"is_telemetry":true,"mach_time":15726279369169,"metadata":{"product":"Device Telemetry 
Stream","schemaVersion":"1.0","vendor":"Jamf"},"process":{"audit_token":{"asid":100010,"auid":4294967295,"egid":20,"euid":502,"pid":26932,"pidversion":1379581,"rgid":20,"ruid":502,"uuid":"39AE3A81-23C1-5E15-9871-295A85E0FEA1"},"cdhash":"7804bd9c2e3b5e16cf9fcfba943564485fb6f20f","codesigning_flags":570522369,"executable":{"path":"/System/Library/Filesystems/apfs.fs/Contents/Resources/mount_apfs","path_truncated":false,"stat":{"st_atimespec":"2024-05-07T07:01:44.000Z","st_birthtimespec":"2024-05-07T07:01:44.000Z","st_blksize":4096,"st_blocks":64,"st_ctimespec":"2024-05-07T07:01:44.000Z","st_dev":16777231,"st_flags":524320,"st_gen":0,"st_gid":0,"st_ino":1152921500312156599,"st_mode":33261,"st_mtimespec":"2024-05-07T07:01:44.000Z","st_nlink":1,"st_rdev":0,"st_size":139824,"st_uid":0}},"group_id":1148,"is_es_client":false,"is_platform_binary":true,"original_ppid":26930,"parent_audit_token":{"asid":100010,"auid":4294967295,"egid":20,"euid":502,"pid":26930,"pidversion":1379579,"rgid":20,"ruid":502,"uuid":"F7ED3BE5-780C-5F1B-AD74-F5F01CB3DC39"},"ppid":26930,"responsible_audit_token":{"asid":100010,"auid":4294967295,"egid":0,"euid":0,"pid":1148,"pidversion":2434,"rgid":0,"ruid":0,"uuid":"6FC75B65-1B69-5020-A07F-7541488904C3"},"session_id":1148,"signing_id":"com.apple.mount_apfs","start_time":"2024-06-11T11:35:28.000Z","team_id":null,"tty":null},"seq_num":31,"thread":{"thread_id":15379585,"uuid":"83C515F9-CD46-5ECF-AEC2-FB6840024437"},"time":"2024-06-11T11:35:28.142Z","uuid":"0CAC3D00-385F-4F44-872A-B6035375C197","version":7} +{"event":{"file_collection":{"contents":"Date/Time: 2024-04-17 18:19:13.962 -0500\nEnd time: 2024-04-17 18:21:05.619 -0500\n","file":{"path":"/Library/Logs/DiagnosticReports/spotlightknowledged_MacBook-Pro.cpu_resource.diag","size":28}}},"event_type":9002,"host":{"hostname":"MacBookPro","ips":["192.168.0.185"],"os":"Version 14.5 (Build 
23F79)","protectVersion":"6.0.0.1","provisioningUDID":"00006000-001C58882238801E","serial":"123ABC456DE"},"metadata":{"product":"Device Telemetry Stream","schemaVersion":"1.0","vendor":"Jamf"},"time":"2024-05-28T05:45:58.729Z","uuid":"06CE8D4D-6848-4562-B947-2D607580283A"} +{"event":{"bios_uefi":{"architecture":"arm64","bios":{"firmware-version":"iBoot-10151.101.3","system-firmware-version":"iBoot-10151.101.3"}}},"event_type":9004,"host":{"hostname":"MacBookPro","ips":["192.168.0.185"],"os":"Version 14.4.1 (Build 23E224)","protectVersion":"6.0.0.1","provisioningUDID":"00006000-001C58882238801E","serial":"LFQ5YXH377"},"metadata":{"product":"Device Telemetry Stream","schemaVersion":"1.0","vendor":"Jamf"},"time":"2024-05-22T16:49:22.294Z","uuid":"DDFDF887-D3F1-4F01-A8E1-0506BBCCD2BF"} +{"event":{"system_performance":{"metrics":{"hw_model":"MacBookPro18,3","tasks":[{"bytes_received":0,"bytes_received_per_s":0,"bytes_sent":0,"bytes_sent_per_s":0,"cputime_ms_per_s":202.193,"cputime_ns":1013161791,"cputime_sample_ms_per_s":202.187,"cputime_userland_ratio":0.573927,"diskio_bytesread":380928,"diskio_bytesread_per_s":76020.3,"diskio_byteswritten":0,"diskio_byteswritten_per_s":0,"energy_impact":3140.59,"energy_impact_per_s":626.755,"idle_wakeups":0,"interval_ns":5010874875,"intr_wakeups_per_s":0.199566,"name":"SourceKitService","packets_received":0,"packets_received_per_s":0,"packets_sent":0,"packets_sent_per_s":0,"pageins":0,"pageins_per_s":0,"pid":36354,"qos_background_ms_per_s":0,"qos_background_ns":0,"qos_default_ms_per_s":202.086,"qos_default_ns":1012626541,"qos_disabled_ms_per_s":0,"qos_disabled_ns":0,"qos_maintenance_ms_per_s":0,"qos_maintenance_ns":0,"qos_user_initiated_ms_per_s":0.105654,"qos_user_initiated_ns":529416,"qos_user_interactive_ms_per_s":0,"qos_user_interactive_ns":0,"qos_utility_ms_per_s":0,"qos_utility_ns":0,"started_abstime_ns":1968573181764,"timer_wakeups":[{"wakeups":1},{"wakeups":0}]},{"bytes_received":0,"bytes_received_per_s":0,"bytes_sent":0,"bytes
_sent_per_s":0,"cputime_ms_per_s":138.511,"cputime_ns":694060541,"cputime_sample_ms_per_s":138.507,"cputime_userland_ratio":0.879748,"diskio_bytesread":151552,"diskio_bytesread_per_s":30244.6,"diskio_byteswritten":3981312,"diskio_byteswritten_per_s":794534,"energy_impact":1258.85,"energy_impact_per_s":251.224,"idle_wakeups":2,"interval_ns":5010874875,"intr_wakeups_per_s":58.872,"name":"Xcode","packets_received":0,"packets_received_per_s":0,"packets_sent":0,"packets_sent_per_s":0,"pageins":3,"pageins_per_s":0.598698,"pid":36337,"qos_background_ms_per_s":0.0153998,"qos_background_ns":77166,"qos_default_ms_per_s":11.2632,"qos_default_ns":56438500,"qos_disabled_ms_per_s":0,"qos_disabled_ns":0,"qos_maintenance_ms_per_s":0,"qos_maintenance_ns":0,"qos_user_initiated_ms_per_s":11.1361,"qos_user_initiated_ns":55801625,"qos_user_interactive_ms_per_s":114.393,"qos_user_interactive_ns":573208208,"qos_utility_ms_per_s":1.7033,"qos_utility_ns":8535041,"started_abstime_ns":1968419476399,"timer_wakeups":[{"wakeups":2},{"wakeups":174}]},{"bytes_received":0,"bytes_received_per_s":0,"bytes_sent":0,"bytes_sent_per_s":0,"cputime_ms_per_s":83.7332,"cputime_ns":419576500,"cputime_sample_ms_per_s":83.7307,"cputime_userland_ratio":0.981833,"diskio_bytesread":57344,"diskio_bytesread_per_s":11443.9,"diskio_byteswritten":0,"diskio_byteswritten_per_s":0,"energy_impact":1198.09,"energy_impact_per_s":239.099,"idle_wakeups":0,"interval_ns":5010874875,"intr_wakeups_per_s":0.199566,"name":"JamfProtect","packets_received":0,"packets_received_per_s":0,"packets_sent":0,"packets_sent_per_s":0,"pageins":0,"pageins_per_s":0,"pid":58824,"qos_background_ms_per_s":0,"qos_background_ns":0,"qos_default_ms_per_s":82.6678,"qos_default_ns":414237833,"qos_disabled_ms_per_s":0,"qos_disabled_ns":0,"qos_maintenance_ms_per_s":0,"qos_maintenance_ns":0,"qos_user_initiated_ms_per_s":1.06542,"qos_user_initiated_ns":5338666,"qos_user_interactive_ms_per_s":0,"qos_user_interactive_ns":0,"qos_utility_ms_per_s":0,"qos_utility_
ns":0,"started_abstime_ns":2357421081500,"timer_wakeups":[{"wakeups":0},{"wakeups":0}]}]},"page_info":{"page":1,"total":4}}},"event_type":9001,"host":{"hostname":"MacBookPro","ips":["192.168.100.102"],"os":"Version 14.5 (Build 23F79)","protectVersion":"6.0.1.1","provisioningUDID":"00006000-001C58882238801E","serial":"123ABC456DE"},"metadata":{"product":"Device Telemetry Stream","schemaVersion":"1.0","vendor":"Jamf"},"time":"2024-06-04T09:41:38.708Z","uuid":"710782C4-489E-4003-945C-316F65C50379"}
diff --git a/packages/jamf_protect/data_stream/telemetry/_dev/test/pipeline/test-jamf-protect-telemetry-sample-logs.log-expected.json b/packages/jamf_protect/data_stream/telemetry/_dev/test/pipeline/test-jamf-protect-telemetry-sample-logs.log-expected.json
index 2b186323874..46898412d10 100644
--- a/packages/jamf_protect/data_stream/telemetry/_dev/test/pipeline/test-jamf-protect-telemetry-sample-logs.log-expected.json
+++ b/packages/jamf_protect/data_stream/telemetry/_dev/test/pipeline/test-jamf-protect-telemetry-sample-logs.log-expected.json
@@ -1,883 +1,3697 @@ { "expected": [ { - "@timestamp": "2024-02-06T16:01:34.442Z", + "device": { + "id": "123ABC456DJ", + "manufacturer": "Apple" + }, "ecs": { "version": "8.11.0" }, - "error": { - "code": "0" - }, "event": { - "action": "aue_posix_spawn", + "action": "lw_session_lock", "category": [ + "process", "authentication" ], - "code": "43190", + "code": "116", + "id": "7ADBC305-732C-4A9C-B3EF-14435A500AF4", "kind": "event", - "outcome": "success", + "provider": "Jamf Protect", + "reason": "A user has locked the screen", + "sequence": 16661, + "start": "2024-05-15T00:12:12.555Z", "type": [ - "info" + "info", + "start" ] }, "host": { - "hostname": "Mac mini", - "id": "H2WGF2U9Q6NV", + "hostname": "MacBookPro", + "id": "00006000-000C043C22A1801E", "ip": [ - "0.0.0.0" + "192.168.4.252" ], "os": { - "version": "Version 14.2.1 (Build 23C71)" + "family": "macos", + "full": "14.4.1 (Build 23E224)", + "name": "macOS", + "type": "macos", + "version": "14.4.1" } }, "jamf_protect": { "telemetry": { - "arguments": { - "child": { - "pid": 70851 - } - }, - "dataset": "audit", - "exec_args": { - "args_compiled": "/usr/bin/profiles,status,-type,enrollment" - }, - "exec_chain_parent": { - "uuid": "87F2E500-EDF1-4F12-A489-C5E05B0F523E" - }, - "exec_env": { - "env": { - "compiled": "PWD=/,PATH=/usr/bin:/bin:/usr/sbin:/sbin" - } - }, - "header": { - "event_modifier": "0", - "version": "11" - }, - "host_info": { - "host": { - "uuid": "AE2FA359-6AB0-5F54-9E4A-39EDCF015C91" - } - }, - "identity": { - "cd_hash": "a2c787fe5e26ead7c68909e45a75edced4147c68", - "signer": { - "id_truncated": "false", - "type": "0" - } - }, - "path": [ - "/usr/bin/profiles", - "/usr/bin/profiles" - ], - "return": { - "description": "success" - }, - "subject": { - "effective": { - "group": { - "id": "0", - "name": "wheel" - } - }, - "process": { - "name": "/Library/Application Support/Microsoft/EdgeUpdater/118.0.2088.86/EdgeUpdater.app/Contents/MacOS/EdgeUpdater", - "pid": 70848 - }, - "session": { - 
"id": "100016" - }, - "terminal_id": { - "port": 0, - "type": "4" - } - } + "code_directory_hash": "5dce46942a1ecfcaed58bdcafe5159393f767f74", + "es_client": false, + "event_allowed_by_esclient": true, + "graphical_authentication_username": "257", + "platform_binary": true } }, + "observer": { + "product": "Jamf Protect", + "type": "Endpoint Security", + "vendor": "Jamf", + "version": "5.5.0.6" + }, "process": { - "args": [ - "/usr/bin/profiles", - "status", - "-type", - "enrollment" - ], "code_signature": { - "signing_id": "com.microsoft.EdgeUpdater", - "team_id": "UBF8T346G9" - }, - "exit_code": 0, - "hash": { - "sha1": "9cfc802baf45b74693d146686ebe9ec59ac6367f" + "signing_id": "com.apple.loginwindow" }, - "real_group": { - "id": "0", - "name": "wheel" + "entity_id": "80301337-AD04-56F0-BCCC-BC88FD235D82", + "executable": "/System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow", + "group_leader": { + "entity_id": "80301337-AD04-56F0-BCCC-BC88FD235D82", + "pid": 388, + "real_group": { + "id": "20" + }, + "real_user": { + "id": "0" + }, + "user": { + "id": "502" + } }, - "real_user": { - "id": "4294967295" + "interactive": false, + "parent": { + "entity_id": "012139F5-CEED-5A0E-9862-451CDA9E492E", + "pid": 1, + "real_group": { + "id": "0" + }, + "real_user": { + "id": "0" + }, + "user": { + "id": "0" + } }, - "user": { - "id": "0", - "name": "root" + "pid": 388, + "start": "2024-04-30T13:17:30.000Z", + "thread": { + "id": 18306755 } }, "related": { - "hash": [ - "9cfc802baf45b74693d146686ebe9ec59ac6367f" - ], "hosts": [ - "Mac mini" + "MacBookPro" ], "ip": [ - "0.0.0.0" - ], - "user": [ - "root" + "192.168.4.252" ] }, "user": { - "id": "0", - "name": [ - "root" - ] + "effective": { + "id": [ + "502" + ] + }, + "name": "allen.golbig" } }, { - "@timestamp": "2024-02-06T16:01:34.427Z", + "device": { + "id": "123ABC456DJ", + "manufacturer": "Apple" + }, "ecs": { "version": "8.11.0" }, - "error": { - "code": "0" - }, "event": { - "action": 
"aue_posix_spawn", + "action": "lw_session_unlock", "category": [ + "process", "authentication" ], - "code": "43190", + "code": "117", + "id": "339DA1DB-C084-4064-A593-5225BFAC9907", "kind": "event", - "outcome": "success", + "provider": "Jamf Protect", + "reason": "A user has unlocked the screen from the Login Window", + "sequence": 16676, + "start": "2024-05-15T00:12:14.384Z", "type": [ - "info" + "info", + "start" ] }, "host": { - "hostname": "Mac mini", - "id": "H2WGF2U9Q6NV", + "hostname": "MacBookPro", + "id": "00006000-000C043C22A1801E", "ip": [ - "0.0.0.0" + "192.168.4.252" ], "os": { - "version": "Version 14.2.1 (Build 23C71)" + "family": "macos", + "full": "14.4.1 (Build 23E224)", + "name": "macOS", + "type": "macos", + "version": "14.4.1" } }, "jamf_protect": { "telemetry": { - "arguments": { - "child": { - "pid": 70848 - } - }, - "dataset": "audit", - "exec_args": { - "args_compiled": "EdgeUpdater,--server,--service=update,--enable-logging,--vmodule=*/components/update_client/*=2,*/chrome/updater/*=2,--system" - }, - "exec_chain_parent": { - "uuid": "EB3B7725-EB0E-4710-BCA6-F390DD9AE309" - }, - "exec_env": { - "env": { - "compiled": "PWD=/,PATH=/usr/bin:/bin:/usr/sbin:/sbin" - } - }, - "header": { - "event_modifier": "0", - "version": "11" - }, - "host_info": { - "host": { - "uuid": "AE2FA359-6AB0-5F54-9E4A-39EDCF015C91" - } - }, - "identity": { - "cd_hash": "abbed514a26c2f8c80e08a6d81d72ea8029739fe", - "signer": { - "id_truncated": "false", - "type": "0" - } - }, - "path": [ - "/Library/Application Support/Microsoft/EdgeUpdater/118.0.2088.86/EdgeUpdater.app/Contents/MacOS/EdgeUpdater", - "/Library/Application Support/Microsoft/EdgeUpdater/118.0.2088.86/EdgeUpdater.app/Contents/MacOS/EdgeUpdater" - ], - "return": { - "description": "success" - }, - "subject": { - "effective": { - "group": { - "id": "0", - "name": "wheel" - } - }, - "process": { - "name": "/Library/Application 
Support/Microsoft/EdgeUpdater/118.0.2088.86/EdgeUpdater.app/Contents/Helpers/launcher", - "pid": 70847 - }, - "session": { - "id": "100016" - }, - "terminal_id": { - "port": 0, - "type": "4" - } - } + "code_directory_hash": "5dce46942a1ecfcaed58bdcafe5159393f767f74", + "es_client": false, + "event_allowed_by_esclient": true, + "graphical_authentication_username": "257", + "platform_binary": true } }, + "observer": { + "product": "Jamf Protect", + "type": "Endpoint Security", + "vendor": "Jamf", + "version": "5.5.0.6" + }, "process": { - "args": [ - "EdgeUpdater", - "--server", - "--service=update", - "--enable-logging", - "--vmodule=*/components/update_client/*=2,*/chrome/updater/*=2", - "--system" - ], "code_signature": { - "signing_id": "com.microsoft.EdgeUpdater", - "team_id": "UBF8T346G9" - }, - "exit_code": 0, - "hash": { - "sha1": "0237c54b185a3b516bb2918132d9d05de10eaa7c" + "signing_id": "com.apple.loginwindow" }, - "real_group": { - "id": "0", - "name": "wheel" + "entity_id": "80301337-AD04-56F0-BCCC-BC88FD235D82", + "executable": "/System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow", + "group_leader": { + "entity_id": "80301337-AD04-56F0-BCCC-BC88FD235D82", + "pid": 388, + "real_group": { + "id": "20" + }, + "real_user": { + "id": "0" + }, + "user": { + "id": "502" + } }, - "real_user": { - "id": "4294967295" + "interactive": false, + "parent": { + "entity_id": "012139F5-CEED-5A0E-9862-451CDA9E492E", + "pid": 1, + "real_group": { + "id": "0" + }, + "real_user": { + "id": "0" + }, + "user": { + "id": "0" + } }, - "user": { - "id": "0", - "name": "root" + "pid": 388, + "start": "2024-04-30T13:17:30.000Z", + "thread": { + "id": 3504 } }, "related": { - "hash": [ - "0237c54b185a3b516bb2918132d9d05de10eaa7c" - ], "hosts": [ - "Mac mini" + "MacBookPro" ], "ip": [ - "0.0.0.0" - ], - "user": [ - "root" + "192.168.4.252" ] }, "user": { - "id": "0", - "name": [ - "root" - ] + "effective": { + "id": [ + "502" + ] + }, + "name": "allen.golbig" } }, 
{ - "@timestamp": "2024-02-06T16:01:33.316Z", + "device": { + "id": "123ABC456DJ", + "manufacturer": "Apple" + }, "ecs": { "version": "8.11.0" }, - "error": { - "code": "0" - }, "event": { - "action": "aue_posix_spawn", + "action": "od_enable_user", "category": [ - "authentication" + "process", + "configuration" ], - "code": "43190", + "code": "137", + "id": "85EB995E-5185-478F-854C-27E7E86A6A93", "kind": "event", - "outcome": "success", + "provider": "Jamf Protect", + "reason": "A user has been enabled using Open Directory", + "sequence": 72, + "start": "2024-04-25T13:39:21.234Z", "type": [ - "info" + "info", + "change" ] }, + "file": { + "path": "/var/db/dslocal/nodes/Default" + }, "host": { - "hostname": "Mac mini", - "id": "H2WGF2U9Q6NV", + "hostname": "MacBookPro", + "id": "00006020-000C69E03633C01E", "ip": [ - "0.0.0.0" + "192.168.1.27" ], "os": { - "version": "Version 14.2.1 (Build 23C71)" + "family": "macos", + "full": "14.4.1 (Build 23E224)", + "name": "macOS", + "type": "macos", + "version": "14.4.1" } }, "jamf_protect": { "telemetry": { - "arguments": { - "child": { - "pid": 70843 - } - }, - "dataset": "audit", - "exec_args": { - "args_compiled": "/Library/Application Support/Microsoft/EdgeUpdater/118.0.2088.86/EdgeUpdater.app/Contents/Helpers/launcher,--internal" - }, - "exec_chain_parent": { - "uuid": "93E2DBD5-9546-430E-ADA0-CA460E0A80C9" - }, - "exec_env": { - "env": { - "compiled": "XPC_SERVICE_NAME=com.microsoft.EdgeUpdater.wake.system,PATH=/usr/bin:/bin:/usr/sbin:/sbin,XPC_FLAGS=0x0", - "xpc": { - "flags": "0x0" - } - } - }, - "header": { - "event_modifier": "0", - "version": "11" - }, - "host_info": { - "host": { - "uuid": "AE2FA359-6AB0-5F54-9E4A-39EDCF015C91" - } - }, - "identity": { - "cd_hash": "a2c787fe5e26ead7c68909e45a75edced4147c68", - "signer": { - "id_truncated": "false", - "type": "0" - } - }, - "path": [ - "/Library/Application Support/Microsoft/EdgeUpdater/118.0.2088.86/EdgeUpdater.app/Contents/Helpers/launcher", - 
"/Library/Application Support/Microsoft/EdgeUpdater/118.0.2088.86/EdgeUpdater.app/Contents/Helpers/launcher" - ], - "return": { - "description": "success" - }, - "subject": { - "effective": { - "group": { - "id": "0", - "name": "wheel" - } - }, - "process": { - "name": "/Library/Application Support/Microsoft/EdgeUpdater/118.0.2088.86/EdgeUpdater.app/Contents/MacOS/EdgeUpdater", - "pid": 70840 - }, - "session": { - "id": "100016" - }, - "terminal_id": { - "port": 0, - "type": "4" - } - } + "code_directory_hash": "eb36abccc318d3bc15f253b8b47606f68d7fc9a7", + "es_client": false, + "event_allowed_by_esclient": true, + "platform_binary": true, + "tty": "/dev/ttys005" } }, + "observer": { + "product": "Jamf Protect", + "type": "Endpoint Security", + "vendor": "Jamf", + "version": "5.4.0.1" + }, "process": { - "args": [ - "/Library/Application Support/Microsoft/EdgeUpdater/118.0.2088.86/EdgeUpdater.app/Contents/Helpers/launcher", - "--internal" - ], "code_signature": { - "signing_id": "com.microsoft.EdgeUpdater", - "team_id": "UBF8T346G9" - }, - "exit_code": 0, - "hash": { - "sha1": "9cfc802baf45b74693d146686ebe9ec59ac6367f" + "signing_id": "com.apple.pwpolicy" }, - "real_group": { - "id": "0", - "name": "wheel" + "entity_id": "1E61CAFF-22DD-50B0-993E-DA33D8263C2F", + "executable": "/usr/bin/pwpolicy", + "group_leader": { + "entity_id": "9C4BFB3D-5E3B-52FC-B9D5-B32C412DBB5E", + "pid": 9451, + "real_group": { + "id": "20" + }, + "real_user": { + "id": "502" + }, + "user": { + "id": "502" + } }, - "real_user": { - "id": "4294967295" + "interactive": true, + "parent": { + "entity_id": "82DE3938-6F90-5B78-8A01-C180CFA4E1C5", + "pid": 20757, + "real_group": { + "id": "0" + }, + "real_user": { + "id": "502" + }, + "user": { + "id": "0" + } }, - "user": { - "id": "0", - "name": "root" + "pid": 20762, + "start": "2024-04-25T13:39:21.000Z", + "thread": { + "id": 3915265 } }, "related": { - "hash": [ - "9cfc802baf45b74693d146686ebe9ec59ac6367f" - ], "hosts": [ - "Mac mini" + 
"MacBookPro" ], "ip": [ - "0.0.0.0" - ], - "user": [ - "root" + "192.168.1.27" ] }, "user": { - "id": "0", - "name": [ - "root" - ] + "effective": { + "id": [ + "0" + ] + }, + "name": "user1" } }, { - "@timestamp": "2024-02-06T16:10:37.755Z", + "device": { + "id": "123ABC456DJ", + "manufacturer": "Apple" + }, "ecs": { "version": "8.11.0" }, - "error": { - "code": "0" - }, "event": { - "action": "aue_connect", + "action": "sudo", "category": [ - "authentication" + "process" ], - "code": "32", + "code": "131", + "id": "048927E3-EF0A-4E81-8411-A4610619FEEA", "kind": "event", - "outcome": "success", + "provider": "Jamf Protect", + "reason": "A sudo attempt occurred", + "sequence": 1180, + "start": "2024-04-30T20:14:22.264Z", "type": [ - "info" + "info", + "start" ] }, "host": { - "hostname": "Goomba", - "id": "H2WHM0PAQ6NV", + "hostname": "sevro", + "id": "0000FE00-F18DE97EF425BB7B", "ip": [ - "0.0.0.0" + "192.168.5.190" ], "os": { - "version": "Version 14.2.1 (Build 23C71)" + "family": "macos", + "full": "14.4.1 (Build 23E224)", + "name": "macOS", + "type": "macos", + "version": "14.4.1" } }, "jamf_protect": { "telemetry": { - "arguments": { - "fd": "4" - }, - "dataset": "audit", - "header": { - "event_modifier": "0", - "version": "11" - }, - "host_info": { - "host": { - "uuid": "667A9510-585B-526B-9B61-47BD834C8ECE" - } - }, - "identity": { - "cd_hash": "67ed44d08677ea5d2eb9c7db71be23b127bd3e99", - "signer": { - "id_truncated": "false", - "type": "1" - } - }, - "return": { - "description": "success" - }, - "subject": { - "effective": { - "group": { - "id": "260", - "name": "_applepay" - } - }, - "process": { - "name": "/usr/libexec/nfcd", - "pid": 1002 - }, - "session": { - "id": "100015" - }, - "terminal_id": { - "port": 0, - "type": "4" - } - } + "code_directory_hash": "f04dc37184cb13f5bdc645c4146a86b8e4b90f86", + "es_client": false, + "event_allowed_by_esclient": true, + "platform_binary": true } }, + "observer": { + "product": "Jamf Protect", + "type": "Endpoint 
Security", + "vendor": "Jamf", + "version": "5.4.0-Hardcoded.Telemetry.v2.19" + }, "process": { "code_signature": { - "signing_id": "com.apple.nfcd" + "signing_id": "com.apple.sudo" }, - "exit_code": 0, - "hash": { - "sha1": "137517d0be201cfbf8e9dd97765b3f38f0ae4de5" + "command_line": "/usr/local/bin/protectctl", + "entity_id": "77783CCE-A480-54D9-91D9-DF530889AF2C", + "executable": "/usr/bin/sudo", + "group_leader": { + "entity_id": "ACE8E24F-A3F2-58E5-B46A-929D707D0B1A", + "pid": 415, + "real_group": { + "id": "20" + }, + "real_user": { + "id": "501" + }, + "user": { + "id": "501" + } }, - "real_group": { - "id": "260", - "name": "_applepay" + "hash": { + "sha1": "fbf5661422c9d06eb93828f756878529d26ca4bf", + "sha256": "88b58d11983de9930f6ef9ff6518b6cd0712db6842a56f8d1cbb1f7c90569e28" }, - "real_user": { - "id": "4294967295" + "interactive": true, + "parent": { + "entity_id": "E34963DB-0286-5C1C-A5FB-95A31B9F5794", + "pid": 637, + "real_group": { + "id": "20" + }, + "real_user": { + "id": "501" + }, + "user": { + "id": "501" + } }, - "user": { - "id": "260", - "name": "_applepay" + "pid": 707, + "start": "2024-04-30T20:14:13.000Z", + "thread": { + "id": 7219 } }, "related": { "hash": [ - "137517d0be201cfbf8e9dd97765b3f38f0ae4de5" + "fbf5661422c9d06eb93828f756878529d26ca4bf", + "88b58d11983de9930f6ef9ff6518b6cd0712db6842a56f8d1cbb1f7c90569e28" ], "hosts": [ - "Goomba" + "sevro" ], "ip": [ - "0.0.0.0" - ], - "user": [ - "_applepay" + "192.168.5.190" ] }, "user": { - "id": "260", - "name": [ - "_applepay" - ] + "effective": { + "id": [ + "0" + ] + } } }, { - "@timestamp": "2024-02-06T16:10:36.473Z", + "device": { + "id": "123ABC456DJ", + "manufacturer": "Apple" + }, "ecs": { "version": "8.11.0" }, - "error": { - "code": "0" - }, "event": { - "action": "aue_connect", + "action": "exec", "category": [ - "authentication" + "process" ], - "code": "32", + "code": "9", + "id": "CDB31202-8CB4-4C72-A9C6-7F494CD5F598", "kind": "event", - "outcome": "success", + "provider": 
"Jamf Protect", + "reason": "A new process has been executed", + "sequence": 202, + "start": "2024-05-31T09:47:12.436Z", "type": [ - "info" + "info", + "start" ] }, "host": { - "hostname": "Mac mini", - "id": "H2WGF2U9Q6NV", + "hostname": "MacBookPro", + "id": "00006030-001E301C0228001C", "ip": [ - "0.0.0.0" + "192.168.11.251", + "192.168.64.1", + "192.168.11.232" ], "os": { - "version": "Version 14.2.1 (Build 23C71)" + "family": "macos", + "full": "14.5 (Build 23F79)", + "name": "macOS", + "type": "macos", + "version": "14.5" } }, "jamf_protect": { "telemetry": { - "arguments": { - "fd": "5" - }, - "dataset": "audit", - "header": { - "event_modifier": "0", - "version": "11" - }, - "host_info": { - "host": { - "uuid": "AE2FA359-6AB0-5F54-9E4A-39EDCF015C91" - } - }, - "identity": { - "cd_hash": "beef65d6aeba15d0dd7ef1a076d4bcbd386c1652", - "signer": { - "id_truncated": "false", - "type": "1" - } - }, - "return": { - "description": "success" - }, - "subject": { - "effective": { - "group": { - "id": "0", - "name": "wheel" - } - }, - "process": { - "name": "/usr/libexec/mdmclient", - "pid": 70971 - }, - "session": { - "id": "100016" - }, - "terminal_id": { - "port": 0, - "type": "4" - } - } + "code_directory_hash": "23c70bd9b41017f9878af49bc2c46f7c8a70680b", + "es_client": false, + "event_allowed_by_esclient": false, + "platform_binary": true } }, + "observer": { + "product": "Jamf Protect", + "type": "Endpoint Security", + "vendor": "Jamf", + "version": "5.5.0.6" + }, "process": { + "args": [ + "/bin/zsh", + "-c", + "/var/folders/fm/j970swbn73dfnkjgsqjxxvj40000gp/T/eicar" + ], + "args_count": 3, "code_signature": { - "signing_id": "com.apple.mdmclient" + "signing_id": "com.apple.zsh" }, - "exit_code": 0, - "hash": { - "sha1": "b71712207edc22d9b5753aac0d927a7d9ded719d" + "entity_id": "1278137C-15D6-53CE-AB0A-FC9499BC8E05", + "env_vars": [ + "USER=jappleseed", + "COMMAND_MODE=unix2003", + "__CFBundleIdentifier=com.txhaflaire.JamfCheck", + 
"PATH=/usr/bin:/bin:/usr/sbin:/sbin", + "LOGNAME=jappleseed", + "SSH_AUTH_SOCK=/private/tmp/com.apple.launchd.Ah3WvMOC65/Listeners", + "HOME=/Users/jappleseed", + "SHELL=/bin/zsh", + "TMPDIR=/var/folders/fm/j970swbn73dfnkjgsqjxxvj40000gp/T/", + "__CF_USER_TEXT_ENCODING=0x1F6:0x0:0x0", + "XPC_SERVICE_NAME=application.com.txhaflaire.JamfCheck.30852344.30852350", + "XPC_FLAGS=0x0" + ], + "executable": "/bin/zsh", + "group_leader": { + "entity_id": "A7EDC884-C034-50E7-A3AA-2E281B3E0777", + "pid": 64632, + "real_group": { + "id": "20" + }, + "real_user": { + "id": "502" + }, + "user": { + "id": "502" + } }, - "real_group": { - "id": "0", - "name": "wheel" + "interactive": false, + "parent": { + "entity_id": "A7EDC884-C034-50E7-A3AA-2E281B3E0777", + "pid": 64632, + "real_group": { + "id": "20" + }, + "real_user": { + "id": "502" + }, + "user": { + "id": "502" + } }, - "real_user": { - "id": "4294967295" + "pid": 91306, + "start": "2024-05-31T09:47:12.000Z", + "thread": { + "id": 5215860 }, - "user": { - "id": "0", - "name": "root" - } + "working_directory": "/" }, "related": { - "hash": [ - "b71712207edc22d9b5753aac0d927a7d9ded719d" - ], "hosts": [ - "Mac mini" + "MacBookPro" ], "ip": [ - "0.0.0.0" - ], - "user": [ - "root" + "192.168.11.251", + "192.168.64.1", + "192.168.11.232" ] }, "user": { - "id": "0", - "name": [ - "root" - ] + "effective": { + "id": [ + "502" + ] + } } }, { - "@timestamp": "2024-02-06T15:54:28.477Z", + "device": { + "id": "123ABC456DJ", + "manufacturer": "Apple" + }, "ecs": { "version": "8.11.0" }, - "error": { - "code": "0" - }, "event": { - "action": "aue_ssauthorize", + "action": "od_group_set", "category": [ - "authentication" + "process", + "configuration" ], - "code": "45025", + "code": "134", + "id": "3A3A35AF-B9F0-47E1-B8D8-B0AC736C82ED", "kind": "event", - "outcome": "success", + "provider": "Jamf Protect", + "reason": "A group has a member initialised or replaced using Open Directory", + "sequence": 76, + "start": 
"2024-04-23T15:59:19.205Z", "type": [ - "info" + "info", + "creation" ] }, + "file": { + "path": "/var/db/dslocal/nodes/Default" + }, + "group": { + "name": "group1" + }, "host": { - "hostname": "Mac mini", - "id": "H2WGF2U9Q6NV", + "hostname": "MacBookPro", + "id": "00006020-000C69E03633C01E", "ip": [ - "0.0.0.0" + "192.168.1.27" ], "os": { - "version": "Version 14.2.1 (Build 23C71)" + "family": "macos", + "full": "14.4.1 (Build 23E224)", + "name": "macOS", + "type": "macos", + "version": "14.4.1" } }, "jamf_protect": { "telemetry": { - "dataset": "audit", - "header": { - "event_modifier": "0", - "version": "11" - }, - "host_info": { - "host": { - "uuid": "AE2FA359-6AB0-5F54-9E4A-39EDCF015C91" - } - }, - "identity": { - "cd_hash": "fc3dce73c15ec7a1cba507101fec3a47e268fa27", - "signer": { - "id_truncated": "false", - "type": "1" - } - }, - "return": { - "description": "success" - }, - "subject": { - "effective": { - "group": { - "id": "0", - "name": "wheel" - } - }, - "process": { - "name": "/usr/libexec/mdmclient", - "pid": 69544 - }, - "session": { - "id": "100016" - }, - "terminal_id": { - "port": 959597, - "type": "4" - } - }, - "texts": [ - "com.apple.ServiceManagement.daemons.modify", - "client /usr/libexec/mdmclient", - "creator /usr/libexec/mdmclient" - ] + "code_directory_hash": "9c1f4b0463787307f3730876b3e0e8fa76b6ec5f", + "es_client": false, + "event_allowed_by_esclient": true, + "platform_binary": true, + "tty": "/dev/ttys007" } }, + "observer": { + "product": "Jamf Protect", + "type": "Endpoint Security", + "vendor": "Jamf", + "version": "5.4.0.1" + }, "process": { "code_signature": { - "signing_id": "com.apple.authd" + "signing_id": "com.apple.dscl" }, - "exit_code": 0, - "hash": { - "sha1": "b71712207edc22d9b5753aac0d927a7d9ded719d" - }, - "real_group": { - "id": "0", - "name": "wheel" + "entity_id": "DDE623EB-F2EC-59A8-A20B-6468C4C02423", + "executable": "/usr/bin/dscl", + "group_leader": { + "entity_id": "32648F68-FC35-5EAA-A81F-5FEAAB9AA187", + 
"pid": 712, + "real_group": { + "id": "20" + }, + "real_user": { + "id": "502" + }, + "user": { + "id": "502" + } }, - "real_user": { - "id": "4294967295" + "interactive": true, + "parent": { + "entity_id": "E6DCCB86-1543-5107-AFBD-56BD9A88A7E0", + "pid": 86239, + "real_group": { + "id": "0" + }, + "real_user": { + "id": "502" + }, + "user": { + "id": "0" + } }, - "user": { - "id": "0", - "name": "root" + "pid": 86240, + "start": "2024-04-23T15:59:19.000Z", + "thread": { + "id": 2930663 } }, "related": { - "hash": [ - "b71712207edc22d9b5753aac0d927a7d9ded719d" - ], "hosts": [ - "Mac mini" + "MacBookPro" ], "ip": [ - "0.0.0.0" - ], - "user": [ - "root" + "192.168.1.27" ] }, "user": { - "id": "0", + "effective": { + "id": [ + "0" + ] + }, "name": [ - "root" + "admin" ] } }, { - "@timestamp": "2024-02-06T16:08:56.272Z", + "device": { + "id": "123ABC456DJ", + "manufacturer": "Apple" + }, "ecs": { "version": "8.11.0" }, - "error": { - "code": "0" - }, "event": { - "action": "aue_session_end", + "action": "od_group_remove", "category": [ - "authentication" + "process", + "configuration" ], - "code": "44903", + "code": "133", + "id": "D4E0A162-77C7-4E60-AAC3-5DBD69030C8F", "kind": "event", - "outcome": "success", + "provider": "Jamf Protect", + "reason": "A member has been removed from a group using Open Directory", + "sequence": 556, + "start": "2024-04-23T16:00:31.869Z", "type": [ - "info" + "info", + "change" ] }, + "file": { + "path": "/var/db/dslocal/nodes/Default" + }, + "group": { + "name": "group1" + }, "host": { - "hostname": "Goomba", - "id": "H2WHM0PAQ6NV", + "hostname": "MacBookPro", + "id": "00006020-000C69E03633C01E", "ip": [ - "0.0.0.0" + "192.168.1.27" ], "os": { - "version": "Version 14.2.1 (Build 23C71)" + "family": "macos", + "full": "14.4.1 (Build 23E224)", + "name": "macOS", + "type": "macos", + "version": "14.4.1" } }, "jamf_protect": { "telemetry": { - "arguments": { - "am_failure": "0", - "am_success": "0", - "sflags": "0" + "code_directory_hash": 
"9c1f4b0463787307f3730876b3e0e8fa76b6ec5f", + "es_client": false, + "event_allowed_by_esclient": true, + "platform_binary": true, + "tty": "/dev/ttys007" + } + }, + "observer": { + "product": "Jamf Protect", + "type": "Endpoint Security", + "vendor": "Jamf", + "version": "5.4.0.1" + }, + "process": { + "code_signature": { + "signing_id": "com.apple.dscl" + }, + "entity_id": "475F424A-DA52-533E-BAD0-36C733F2C1E8", + "executable": "/usr/bin/dscl", + "group_leader": { + "entity_id": "32648F68-FC35-5EAA-A81F-5FEAAB9AA187", + "pid": 712, + "real_group": { + "id": "20" }, - "dataset": "audit", - "header": { - "event_modifier": "0", - "version": "11" + "real_user": { + "id": "502" }, - "host_info": { - "host": { - "uuid": "667A9510-585B-526B-9B61-47BD834C8ECE" - } + "user": { + "id": "502" + } + }, + "interactive": true, + "parent": { + "entity_id": "6575F576-09D5-5849-839A-281527615C08", + "pid": 86396, + "real_group": { + "id": "0" }, - "return": { - "description": "success" + "real_user": { + "id": "502" }, - "subject": { - "effective": { - "group": { - "id": "0", - "name": "wheel" - } - }, - "process": { - "pid": 0 - }, - "session": { - "id": "101188" - }, - "terminal_id": { - "port": 0, - "type": "4" - } + "user": { + "id": "0" } - } - }, - "process": { - "exit_code": 0, - "real_group": { - "id": "0", - "name": "wheel" }, - "real_user": { - "id": "4294967295" - }, - "user": { - "id": "0", - "name": "root" + "pid": 86397, + "start": "2024-04-23T16:00:31.001Z", + "thread": { + "id": 2933870 } }, "related": { "hosts": [ - "Goomba" + "MacBookPro" ], "ip": [ - "0.0.0.0" - ], - "user": [ - "root" + "192.168.1.27" ] }, "user": { - "id": "0", - "name": [ - "root" + "effective": { + "id": [ + "0" + ] + }, + "name": "admin" + } + }, + { + "device": { + "id": "123ABC456DJ", + "manufacturer": "Apple" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "od_delete_group", + "category": [ + "process", + "configuration" + ], + "code": "144", + "id": 
"394EA894-C632-4FAD-8F9F-757D90FAFEEA", + "kind": "event", + "provider": "Jamf Protect", + "reason": "A group has been deleted using Open Directory", + "sequence": 957, + "start": "2024-04-23T16:01:30.380Z", + "type": [ + "info", + "deletion" + ] + }, + "file": { + "path": "/var/db/dslocal/nodes/Default" + }, + "group": { + "name": "group1" + }, + "host": { + "hostname": "MacBookPro", + "id": "00006020-000C69E03633C01E", + "ip": [ + "192.168.1.27" + ], + "os": { + "family": "macos", + "full": "14.4.1 (Build 23E224)", + "name": "macOS", + "type": "macos", + "version": "14.4.1" + } + }, + "jamf_protect": { + "telemetry": { + "code_directory_hash": "ba99b2e3dbb05dc41e9b35d6d2c48d188c8cfece", + "es_client": false, + "event_allowed_by_esclient": true, + "platform_binary": true + } + }, + "observer": { + "product": "Jamf Protect", + "type": "Endpoint Security", + "vendor": "Jamf", + "version": "5.4.0.1" + }, + "process": { + "code_signature": { + "signing_id": "com.apple.Users-Groups-Settings.extension" + }, + "entity_id": "C9271101-B1BD-5906-83C8-4C47F3647FA8", + "executable": "/System/Library/ExtensionKit/Extensions/UsersGroups.appex/Contents/MacOS/UsersGroups", + "group_leader": { + "entity_id": "C9271101-B1BD-5906-83C8-4C47F3647FA8", + "pid": 85603, + "real_group": { + "id": "20" + }, + "real_user": { + "id": "502" + }, + "user": { + "id": "502" + } + }, + "interactive": false, + "parent": { + "entity_id": "87BE8C81-EE7F-5C5B-BFCD-D59AE17723C9", + "pid": 1, + "real_group": { + "id": "0" + }, + "real_user": { + "id": "0" + }, + "user": { + "id": "0" + } + }, + "pid": 85603, + "start": "2024-04-23T15:52:35.001Z", + "thread": { + "id": 2935684 + } + }, + "related": { + "hosts": [ + "MacBookPro" + ], + "ip": [ + "192.168.1.27" + ] + }, + "user": { + "effective": { + "id": [ + "502" + ] + } + } + }, + { + "device": { + "id": "123ABC456DJ", + "manufacturer": "Apple" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "od_modify_password", + "category": [ + 
"process", + "configuration" + ], + "code": "135", + "id": "183683D3-EF99-48F3-963A-C45D9FB4F1DB", + "kind": "event", + "provider": "Jamf Protect", + "reason": "A user password is modified via Open Directory", + "sequence": 833, + "start": "2024-04-25T20:14:43.615Z", + "type": [ + "info", + "change" + ] + }, + "host": { + "hostname": "MacBookPro", + "id": "00006020-000C69E03633C01E", + "ip": [ + "192.168.1.27" + ], + "os": { + "family": "macos", + "full": "14.4.1 (Build 23E224)", + "name": "macOS", + "type": "macos", + "version": "14.4.1" + } + }, + "jamf_protect": { + "telemetry": { + "account_type": "User", + "code_directory_hash": "ba99b2e3dbb05dc41e9b35d6d2c48d188c8cfece", + "error_message": "kODErrorCredentialsAccountDisabled", + "es_client": false, + "event_allowed_by_esclient": true, + "platform_binary": true + } + }, + "observer": { + "product": "Jamf Protect", + "type": "Endpoint Security", + "vendor": "Jamf", + "version": "5.4.0.1" + }, + "process": { + "code_signature": { + "signing_id": "com.apple.Users-Groups-Settings.extension" + }, + "entity_id": "9FBB80FD-ED13-5C40-810D-5D5E307D305E", + "executable": "/System/Library/ExtensionKit/Extensions/UsersGroups.appex/Contents/MacOS/UsersGroups", + "group_leader": { + "entity_id": "9FBB80FD-ED13-5C40-810D-5D5E307D305E", + "pid": 29722, + "real_group": { + "id": "20" + }, + "real_user": { + "id": "502" + }, + "user": { + "id": "502" + } + }, + "interactive": false, + "parent": { + "entity_id": "87BE8C81-EE7F-5C5B-BFCD-D59AE17723C9", + "pid": 1, + "real_group": { + "id": "0" + }, + "real_user": { + "id": "0" + }, + "user": { + "id": "0" + } + }, + "pid": 29722, + "start": "2024-04-25T20:13:47.000Z", + "thread": { + "id": 4275233 + } + }, + "related": { + "hosts": [ + "MacBookPro" + ], + "ip": [ + "192.168.1.27" + ] + }, + "user": { + "effective": { + "id": [ + "502" + ] + }, + "name": "user1" + } + }, + { + "device": { + "id": "123ABC456DJ", + "manufacturer": "Apple" + }, + "ecs": { + "version": "8.11.0" + }, + 
"event": { + "action": "od_attribute_value_add", + "category": [ + "process", + "configuration" + ], + "code": "138", + "id": "491E6FAF-9F73-4ADA-A71A-A220F8FBA5EB", + "kind": "event", + "provider": "Jamf Protect", + "reason": "Attribute added to a user or group using Open Directory", + "sequence": 55, + "start": "2024-04-24T20:56:08.289Z", + "type": [ + "info", + "creation" + ] + }, + "file": { + "path": "/var/db/dslocal/nodes/Default" + }, + "host": { + "hostname": "MacBookPro", + "id": "00006020-000C69E03633C01E", + "ip": [ + "192.168.1.27" + ], + "os": { + "family": "macos", + "full": "14.4.1 (Build 23E224)", + "name": "macOS", + "type": "macos", + "version": "14.4.1" + } + }, + "jamf_protect": { + "telemetry": { + "attribute_name": "dsAttrTypeStandard:AltSecurityIdentities", + "attribute_value": "Kerberos:maggie.zirnhelt@jamf.com", + "code_directory_hash": "9c1f4b0463787307f3730876b3e0e8fa76b6ec5f", + "es_client": false, + "event_allowed_by_esclient": true, + "platform_binary": true, + "tty": "/dev/ttys010" + } + }, + "observer": { + "product": "Jamf Protect", + "type": "Endpoint Security", + "vendor": "Jamf", + "version": "5.4.0.1" + }, + "process": { + "code_signature": { + "signing_id": "com.apple.dscl" + }, + "entity_id": "74D421A1-C440-5FD1-B675-3FB4E4A35985", + "executable": "/usr/bin/dscl", + "group_leader": { + "entity_id": "9C4BFB3D-5E3B-52FC-B9D5-B32C412DBB5E", + "pid": 9451, + "real_group": { + "id": "20" + }, + "real_user": { + "id": "502" + }, + "user": { + "id": "502" + } + }, + "interactive": true, + "parent": { + "entity_id": "5A35DAE8-8E1A-587E-90CA-CC66560A01CB", + "pid": 17751, + "real_group": { + "id": "0" + }, + "real_user": { + "id": "502" + }, + "user": { + "id": "0" + } + }, + "pid": 17753, + "start": "2024-04-24T20:56:08.000Z", + "thread": { + "id": 3822468 + } + }, + "related": { + "hosts": [ + "MacBookPro" + ], + "ip": [ + "192.168.1.27" + ] + }, + "user": { + "effective": { + "id": [ + "0" + ] + }, + "name": "jappleseed" + } + }, + 
{ + "device": { + "id": "123ABC456DJ", + "manufacturer": "Apple" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "od_attribute_value_remove", + "category": [ + "process", + "configuration" + ], + "code": "139", + "id": "15894BA2-D220-4AD0-B2DD-2C9CF58F294B", + "kind": "event", + "provider": "Jamf Protect", + "reason": "Attribute removed from a user or group using Open Directory", + "sequence": 1039, + "start": "2024-04-24T20:58:16.270Z", + "type": [ + "info", + "deletion" + ] + }, + "file": { + "path": "/var/db/dslocal/nodes/Default" + }, + "host": { + "hostname": "MacBookPro", + "id": "00006020-000C69E03633C01E", + "ip": [ + "192.168.1.27" + ], + "os": { + "family": "macos", + "full": "14.4.1 (Build 23E224)", + "name": "macOS", + "type": "macos", + "version": "14.4.1" + } + }, + "jamf_protect": { + "telemetry": { + "attribute_name": "dsAttrTypeStandard:AltSecurityIdentities", + "attribute_value": "Kerberos:maggie.zirnhelt@jamf.com", + "code_directory_hash": "9c1f4b0463787307f3730876b3e0e8fa76b6ec5f", + "es_client": false, + "event_allowed_by_esclient": true, + "platform_binary": true, + "tty": "/dev/ttys010" + } + }, + "observer": { + "product": "Jamf Protect", + "type": "Endpoint Security", + "vendor": "Jamf", + "version": "5.4.0.1" + }, + "process": { + "code_signature": { + "signing_id": "com.apple.dscl" + }, + "entity_id": "33FE9FCC-22C3-5E4E-A7AC-3B5656E08B3B", + "executable": "/usr/bin/dscl", + "group_leader": { + "entity_id": "9C4BFB3D-5E3B-52FC-B9D5-B32C412DBB5E", + "pid": 9451, + "real_group": { + "id": "20" + }, + "real_user": { + "id": "502" + }, + "user": { + "id": "502" + } + }, + "interactive": true, + "parent": { + "entity_id": "2EC711AB-099E-5111-93FE-C2938AAAB3EE", + "pid": 18069, + "real_group": { + "id": "0" + }, + "real_user": { + "id": "502" + }, + "user": { + "id": "0" + } + }, + "pid": 18070, + "start": "2024-04-24T20:58:16.000Z", + "thread": { + "id": 3830588 + } + }, + "related": { + "hosts": [ + "MacBookPro" + ], + 
"ip": [ + "192.168.1.27" + ] + }, + "user": { + "effective": { + "id": [ + "0" + ] + }, + "name": "jappleseed" + } + }, + { + "device": { + "id": "123ABC456DJ", + "manufacturer": "Apple" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "od_attribute_set", + "category": [ + "process", + "configuration" + ], + "code": "140", + "id": "69C67801-3701-4232-B669-E669282252CE", + "kind": "event", + "provider": "Jamf Protect", + "reason": "Attribute set on user or group using Open Directory", + "sequence": 1408, + "start": "2024-04-23T16:02:30.320Z", + "type": [ + "info", + "creation" + ] + }, + "file": { + "path": "/var/db/dslocal/nodes/Default" + }, + "host": { + "hostname": "MacBookPro", + "id": "00006020-000C69E03633C01E", + "ip": [ + "192.168.1.27" + ], + "os": { + "family": "macos", + "full": "14.4.1 (Build 23E224)", + "name": "macOS", + "type": "macos", + "version": "14.4.1" + } + }, + "jamf_protect": { + "telemetry": { + "attribute_name": "directory_path", + "code_directory_hash": "7eabd81b27487335a7513942169ab1f52a28f650", + "es_client": false, + "event_allowed_by_esclient": true, + "platform_binary": true, + "record_name": "user1’s Public Folder" + } + }, + "observer": { + "product": "Jamf Protect", + "type": "Endpoint Security", + "vendor": "Jamf", + "version": "5.4.0.1" + }, + "process": { + "code_signature": { + "signing_id": "com.apple.coreservices.SharePointManagementService" + }, + "entity_id": "55745E6D-15FA-590E-A171-966919422D9B", + "executable": "/System/Library/PrivateFrameworks/SharePointManagement.framework/XPCServices/SharePointManagementService.xpc/Contents/MacOS/SharePointManagementService", + "group_leader": { + "entity_id": "E44BFA8B-ADDB-5704-AA90-ECEDD148BE78", + "pid": 85690, + "real_group": { + "id": "0" + }, + "real_user": { + "id": "0" + }, + "user": { + "id": "0" + } + }, + "interactive": false, + "parent": { + "entity_id": "87BE8C81-EE7F-5C5B-BFCD-D59AE17723C9", + "pid": 1, + "real_group": { + "id": "0" + }, + 
"real_user": { + "id": "0" + }, + "user": { + "id": "0" + } + }, + "pid": 86670, + "start": "2024-04-23T16:02:30.000Z", + "thread": { + "id": 2937111 + } + }, + "related": { + "hosts": [ + "MacBookPro" + ], + "ip": [ + "192.168.1.27" + ] + }, + "user": { + "effective": { + "id": [ + "0" + ] + } + } + }, + { + "device": { + "id": "123ABC456DJ", + "manufacturer": "Apple" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "authentication", + "category": [ + "process", + "authentication" + ], + "code": "111", + "id": "634A53C7-D790-4B29-8914-635F6894FCA6", + "kind": "event", + "outcome": "success", + "provider": "Jamf Protect", + "reason": "A user authentication happened using touchid", + "sequence": 16291, + "start": "2024-05-15T00:09:22.719Z", + "type": [ + "info" + ] + }, + "host": { + "hostname": "MacBookPro", + "id": "00006000-000C043C22A1801E", + "ip": [ + "192.168.4.252" + ], + "os": { + "family": "macos", + "full": "14.4.1 (Build 23E224)", + "name": "macOS", + "type": "macos", + "version": "14.4.1" + } + }, + "jamf_protect": { + "telemetry": { + "authentication_method": "touchid", + "code_directory_hash": "f370aa21b69ac09c8ec8d0d98de5b260777abf77", + "es_client": false, + "event_allowed_by_esclient": true, + "platform_binary": true + } + }, + "observer": { + "product": "Jamf Protect", + "type": "Endpoint Security", + "vendor": "Jamf", + "version": "5.5.0.6" + }, + "process": { + "code_signature": { + "signing_id": "com.apple.coreauthd" + }, + "entity_id": "5F9A782E-2163-5144-99B5-DF443F9625B7", + "executable": "/System/Library/Frameworks/LocalAuthentication.framework/Support/coreauthd", + "group_leader": { + "entity_id": "5F9A782E-2163-5144-99B5-DF443F9625B7", + "pid": 53394, + "real_group": { + "id": "0" + }, + "real_user": { + "id": "0" + }, + "user": { + "id": "0" + } + }, + "interactive": false, + "parent": { + "entity_id": "012139F5-CEED-5A0E-9862-451CDA9E492E", + "pid": 1, + "real_group": { + "id": "0" + }, + "real_user": { + "id": "0" + 
}, + "user": { + "id": "0" + } + }, + "pid": 53394, + "start": "2024-04-30T20:00:17.000Z", + "thread": { + "id": 17894822 + } + }, + "related": { + "hosts": [ + "MacBookPro" + ], + "ip": [ + "192.168.4.252" + ] + }, + "user": { + "effective": { + "id": [ + "0" + ] + } + } + }, + { + "device": { + "id": "123ABC456DJ", + "manufacturer": "Apple" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "lw_session_lock", + "category": [ + "process", + "authentication" + ], + "code": "116", + "id": "7ADBC305-732C-4A9C-B3EF-14435A500AF4", + "kind": "event", + "provider": "Jamf Protect", + "reason": "A user has locked the screen", + "sequence": 16661, + "start": "2024-05-15T00:12:12.555Z", + "type": [ + "info", + "start" + ] + }, + "host": { + "hostname": "MacBookPro", + "id": "00006000-000C043C22A1801E", + "ip": [ + "192.168.4.252" + ], + "os": { + "family": "macos", + "full": "14.4.1 (Build 23E224)", + "name": "macOS", + "type": "macos", + "version": "14.4.1" + } + }, + "jamf_protect": { + "telemetry": { + "code_directory_hash": "5dce46942a1ecfcaed58bdcafe5159393f767f74", + "es_client": false, + "event_allowed_by_esclient": true, + "graphical_authentication_username": "257", + "platform_binary": true + } + }, + "observer": { + "product": "Jamf Protect", + "type": "Endpoint Security", + "vendor": "Jamf", + "version": "5.5.0.6" + }, + "process": { + "code_signature": { + "signing_id": "com.apple.loginwindow" + }, + "entity_id": "80301337-AD04-56F0-BCCC-BC88FD235D82", + "executable": "/System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow", + "group_leader": { + "entity_id": "80301337-AD04-56F0-BCCC-BC88FD235D82", + "pid": 388, + "real_group": { + "id": "20" + }, + "real_user": { + "id": "0" + }, + "user": { + "id": "502" + } + }, + "interactive": false, + "parent": { + "entity_id": "012139F5-CEED-5A0E-9862-451CDA9E492E", + "pid": 1, + "real_group": { + "id": "0" + }, + "real_user": { + "id": "0" + }, + "user": { + "id": "0" + } + }, + "pid": 
388, + "start": "2024-04-30T13:17:30.000Z", + "thread": { + "id": 18306755 + } + }, + "related": { + "hosts": [ + "MacBookPro" + ], + "ip": [ + "192.168.4.252" + ] + }, + "user": { + "effective": { + "id": [ + "502" + ] + }, + "name": "allen.golbig" + } + }, + { + "device": { + "id": "123ABC456DJ", + "manufacturer": "Apple" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "openssh_login", + "category": [ + "process", + "authentication", + "session" + ], + "code": "120", + "id": "3DBBD44F-7709-44AB-8025-44F076BDF723", + "kind": "event", + "outcome": "success", + "provider": "Jamf Protect", + "reason": "A user has logged into the system via OpenSSH", + "sequence": 1073, + "start": "2024-05-13T19:16:27.167Z", + "type": [ + "info", + "start" + ] + }, + "host": { + "hostname": "sevro", + "id": "0000FE00-F18DE97EF425BB7B", + "ip": [ + "192.168.5.190" + ], + "os": { + "family": "macos", + "full": "14.4.1 (Build 23E224)", + "name": "macOS", + "type": "macos", + "version": "14.4.1" + } + }, + "jamf_protect": { + "telemetry": { + "authentication_result_type": "Success", + "code_directory_hash": "153e203e26743ff3bc3f1e91fc6c0596ad574126", + "es_client": false, + "event_allowed_by_esclient": true, + "platform_binary": true, + "source_address_type": "IPv4" + } + }, + "observer": { + "product": "Jamf Protect", + "type": "Endpoint Security", + "vendor": "Jamf", + "version": "5.5.0.5" + }, + "process": { + "code_signature": { + "signing_id": "com.apple.sshd" + }, + "entity_id": "8218403B-D48C-5DEA-8DF0-737501B8FF8C", + "executable": "/usr/sbin/sshd", + "group_leader": { + "entity_id": "8218403B-D48C-5DEA-8DF0-737501B8FF8C", + "pid": 1178, + "real_group": { + "id": "0" + }, + "real_user": { + "id": "0" + }, + "user": { + "id": "0" + } + }, + "interactive": false, + "parent": { + "entity_id": "0547F075-3A15-5FBC-B13B-4F28B75ACD31", + "pid": 1, + "real_group": { + "id": "0" + }, + "real_user": { + "id": "0" + }, + "user": { + "id": "0" + } + }, + "pid": 1178, + 
"start": "2024-05-13T19:16:23.001Z", + "thread": { + "id": 20871 + } + }, + "related": { + "hosts": [ + "sevro" + ], + "ip": [ + "192.168.5.190" + ] + }, + "user": { + "effective": { + "id": [ + "0" + ] + }, + "name": "jappleseed" + } + }, + { + "device": { + "id": "123ABC456DJ", + "manufacturer": "Apple" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "login_logout", + "category": [ + "process", + "authentication" + ], + "code": "123", + "id": "856A87D9-7ABC-4589-A9C2-ED3E4782B34C", + "kind": "event", + "provider": "Jamf Protect", + "reason": "A user logged out from /usr/bin/login", + "sequence": 419, + "start": "2024-05-22T06:43:42.671Z", + "type": [ + "info", + "end" + ] + }, + "host": { + "hostname": "MacBookPro", + "id": "00006030-001E301C0228001C", + "ip": [ + "192.168.11.251", + "192.168.11.232" + ], + "os": { + "family": "macos", + "full": "14.4.1 (Build 23E224)", + "name": "macOS", + "type": "macos", + "version": "14.4.1" + } + }, + "jamf_protect": { + "telemetry": { + "code_directory_hash": "0e4c9421c8c505eda1f06b8f8c601b908e15f44e", + "es_client": false, + "event_allowed_by_esclient": true, + "platform_binary": true + } + }, + "observer": { + "product": "Jamf Protect", + "type": "Endpoint Security", + "vendor": "Jamf", + "version": "5.5.0.6" + }, + "process": { + "code_signature": { + "signing_id": "com.apple.login" + }, + "entity_id": "108167E6-C144-5803-A1E9-E58F66A4BBC3", + "executable": "/usr/bin/login", + "group_leader": { + "entity_id": "024ED444-A0FB-5E9C-95F3-101026839338", + "pid": 42335, + "real_group": { + "id": "20" + }, + "real_user": { + "id": "502" + }, + "user": { + "id": "502" + } + }, + "interactive": true, + "parent": { + "entity_id": "F6DF1E37-4D2F-5AAF-BC45-A4B38181C045", + "pid": 42919, + "real_group": { + "id": "20" + }, + "real_user": { + "id": "502" + }, + "user": { + "id": "502" + } + }, + "pid": 44014, + "start": "2024-05-22T06:43:27.000Z", + "thread": { + "id": 93275992 + } + }, + "related": { + "hosts": [ 
+ "MacBookPro" + ], + "ip": [ + "192.168.11.251", + "192.168.11.232" + ] + }, + "user": { + "effective": { + "id": [ + "0" + ] + }, + "id": "502", + "name": "jappleseed" + } + }, + { + "device": { + "id": "123ABC456DJ", + "manufacturer": "Apple" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "login_login", + "category": [ + "process", + "authentication" + ], + "code": "122", + "id": "870EBE27-C9C5-4DFC-9012-A1DAA42FA42A", + "kind": "event", + "outcome": "success", + "provider": "Jamf Protect", + "reason": "A user attempted to log in using /usr/bin/login", + "sequence": 381, + "start": "2024-05-22T06:43:36.346Z", + "type": [ + "info", + "start" + ] + }, + "host": { + "hostname": "MacBookPro", + "id": "00006030-001E301C0228001C", + "ip": [ + "192.168.11.251", + "192.168.11.232" + ], + "os": { + "family": "macos", + "full": "14.4.1 (Build 23E224)", + "name": "macOS", + "type": "macos", + "version": "14.4.1" + } + }, + "jamf_protect": { + "telemetry": { + "code_directory_hash": "0e4c9421c8c505eda1f06b8f8c601b908e15f44e", + "es_client": false, + "event_allowed_by_esclient": true, + "platform_binary": true + } + }, + "observer": { + "product": "Jamf Protect", + "type": "Endpoint Security", + "vendor": "Jamf", + "version": "5.5.0.6" + }, + "process": { + "code_signature": { + "signing_id": "com.apple.login" + }, + "entity_id": "108167E6-C144-5803-A1E9-E58F66A4BBC3", + "executable": "/usr/bin/login", + "group_leader": { + "entity_id": "024ED444-A0FB-5E9C-95F3-101026839338", + "pid": 42335, + "real_group": { + "id": "20" + }, + "real_user": { + "id": "502" + }, + "user": { + "id": "502" + } + }, + "interactive": true, + "parent": { + "entity_id": "F6DF1E37-4D2F-5AAF-BC45-A4B38181C045", + "pid": 42919, + "real_group": { + "id": "20" + }, + "real_user": { + "id": "502" + }, + "user": { + "id": "502" + } + }, + "pid": 44014, + "start": "2024-05-22T06:43:27.000Z", + "thread": { + "id": 93275992 + } + }, + "related": { + "hosts": [ + "MacBookPro" + ], + 
"ip": [ + "192.168.11.251", + "192.168.11.232" + ] + }, + "user": { + "effective": { + "id": [ + "0" + ] + }, + "id": "502", + "name": "jappleseed" + } + }, + { + "device": { + "id": "123ABC456DJ", + "manufacturer": "Apple" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "xp_malware_remediated", + "category": [ + "process", + "malware" + ], + "code": "113", + "id": "3EFFC29C-CB54-4885-B675-25B7E609A8A1", + "kind": "event", + "outcome": "success", + "provider": "Jamf Protect", + "reason": "Apple’s XProtect remediated malware on the system", + "sequence": 1253, + "start": "2024-04-29T16:04:18.467Z", + "type": [ + "info" + ] + }, + "host": { + "hostname": "sevro", + "id": "0000FE00-F18DE97EF425BB7B", + "ip": [ + "192.168.5.190" + ], + "os": { + "family": "macos", + "full": "14.4.1 (Build 23E224)", + "name": "macOS", + "type": "macos", + "version": "14.4.1" + } + }, + "jamf_protect": { + "telemetry": { + "code_directory_hash": "a6c077b9c8e9e8928282554cb01efd6bd05cf608", + "es_client": false, + "event_allowed_by_esclient": true, + "platform_binary": true + } + }, + "observer": { + "product": "Jamf Protect", + "type": "Endpoint Security", + "vendor": "Jamf", + "version": "5.4.0-Hardcoded.Telemetry.v2.19" + }, + "process": { + "code_signature": { + "signing_id": "com.apple.XProtectFramework.plugins.KeySteal" + }, + "entity_id": "D012B237-0F57-5704-96A7-D131C4829C87", + "executable": "/Library/Apple/System/Library/CoreServices/XProtect.app/Contents/MacOS/XProtectRemediatorKeySteal", + "group_leader": { + "entity_id": "3C3CDAAE-D66A-572C-B6FB-C1767E278136", + "pid": 643, + "real_group": { + "id": "20" + }, + "real_user": { + "id": "501" + }, + "user": { + "id": "501" + } + }, + "hash": { + "sha1": "eb9ae761d3f674eb4825ed44c0a123a2fc661cb6", + "sha256": "3f5067e550b7a5810e4d9df707dfd5d045d000bd97eb1c369569a256d88f31a5" + }, + "interactive": true, + "parent": { + "entity_id": "7768699A-095C-5177-920C-4112827C959A", + "pid": 703, + "real_group": { + "id": 
"20" + }, + "real_user": { + "id": "501" + }, + "user": { + "id": "501" + } + }, + "pid": 721, + "start": "2024-04-29T16:04:18.000Z", + "thread": { + "id": 6934 + } + }, + "related": { + "hash": [ + "eb9ae761d3f674eb4825ed44c0a123a2fc661cb6", + "3f5067e550b7a5810e4d9df707dfd5d045d000bd97eb1c369569a256d88f31a5" + ], + "hosts": [ + "sevro" + ], + "ip": [ + "192.168.5.190" + ] + }, + "rule": { + "name": "MACOS.KEYSTEAL.A.User", + "version": "131" + }, + "threat": { + "indicator": { + "file": { + "path": "/Library/Caches/com.apple.server" + }, + "type": "file" + } + }, + "user": { + "effective": { + "id": [ + "501" + ] + } + } + }, + { + "device": { + "id": "123ABC456DJ", + "manufacturer": "Apple" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "xp_malware_detected", + "category": [ + "process", + "malware" + ], + "code": "112", + "id": "08C6BA59-A4DD-49EE-B6B0-758190E52321", + "kind": "event", + "provider": "Jamf Protect", + "reason": "Apple’s XProtect detected malware on the system", + "sequence": 463, + "start": "2024-04-29T15:39:31.670Z", + "type": [ + "info" + ] + }, + "host": { + "hostname": "sevro", + "id": "0000FE00-F18DE97EF425BB7B", + "ip": [ + "192.168.5.190" + ], + "os": { + "family": "macos", + "full": "14.4.1 (Build 23E224)", + "name": "macOS", + "type": "macos", + "version": "14.4.1" + } + }, + "jamf_protect": { + "telemetry": { + "code_directory_hash": "d95f0868f7413d39865ac0aeda54959dd33a11c0", + "es_client": false, + "event_allowed_by_esclient": true, + "platform_binary": true + } + }, + "observer": { + "product": "Jamf Protect", + "type": "Endpoint Security", + "vendor": "Jamf", + "version": "5.4.0-Hardcoded.Telemetry.v2.19" + }, + "process": { + "code_signature": { + "signing_id": "com.apple.XprotectFramework.AnalysisService" + }, + "entity_id": "2A513A83-CBCE-5922-8779-327EBC8341E7", + "executable": 
"/System/Library/PrivateFrameworks/XprotectFramework.framework/Versions/A/XPCServices/XprotectService.xpc/Contents/MacOS/XprotectService", + "group_leader": { + "entity_id": "DFD18C6A-5DA9-589F-A9C6-DB6021B80416", + "pid": 1063, + "real_group": { + "id": "20" + }, + "real_user": { + "id": "501" + }, + "user": { + "id": "501" + } + }, + "hash": { + "sha1": "5552c129be45cd82d3f00da10ef596545d229a77", + "sha256": "4e51d34b4168a154df733fce18fa543743117bbf601835f26fa80e5ea2b9561e" + }, + "interactive": false, + "parent": { + "entity_id": "0547F075-3A15-5FBC-B13B-4F28B75ACD31", + "pid": 1, + "real_group": { + "id": "0" + }, + "real_user": { + "id": "0" + }, + "user": { + "id": "0" + } + }, + "pid": 1420, + "start": "2024-04-29T15:01:42.001Z", + "thread": { + "id": 32614 + } + }, + "related": { + "hash": [ + "5552c129be45cd82d3f00da10ef596545d229a77", + "4e51d34b4168a154df733fce18fa543743117bbf601835f26fa80e5ea2b9561e" + ], + "hosts": [ + "sevro" + ], + "ip": [ + "192.168.5.190" + ] + }, + "rule": { + "name": "SNOWDRIFT" + }, + "threat": { + "indicator": { + "file": { + "path": "/Users/jappleseed/Downloads/CloudMensis/WindowServer" + }, + "type": "file" + } + }, + "user": { + "effective": { + "id": [ + "501" + ] + } + } + }, + { + "device": { + "id": "123ABC456DJ", + "manufacturer": "Apple" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "su", + "category": [ + "process", + "authentication" + ], + "code": "128", + "id": "B1DE3F31-EF1C-40B0-BABB-DEE367224EF1", + "kind": "event", + "outcome": "success", + "provider": "Jamf Protect", + "reason": "A user attempts to start a new shell using a substitute user identity", + "sequence": 776, + "start": "2024-05-22T08:24:13.310Z", + "type": [ + "info", + "start" + ] + }, + "host": { + "hostname": "MacBookPro", + "id": "00006030-001E301C0228001C", + "ip": [ + "192.168.11.251", + "192.168.11.232", + "192.168.64.1", + "169.254.100.182" + ], + "os": { + "family": "macos", + "full": "14.4.1 (Build 23E224)", + "name": 
"macOS", + "type": "macos", + "version": "14.4.1" + } + }, + "jamf_protect": { + "telemetry": { + "code_directory_hash": "30bb7dae586bcb5e6f4e9c6842bed0381fc73aec", + "env_count": "37", + "es_client": false, + "event_allowed_by_esclient": true, + "from_username": "jappleseed", + "platform_binary": true, + "shell": "/bin/zsh", + "to_username": "jappleseed" + } + }, + "observer": { + "product": "Jamf Protect", + "type": "Endpoint Security", + "vendor": "Jamf", + "version": "5.5.0.6" + }, + "process": { + "args": [ + "zsh" + ], + "args_count": 1, + "code_signature": { + "signing_id": "com.apple.su" + }, + "entity_id": "D3398C01-3855-5B82-8BC8-4C4FD7B0660E", + "env_vars": [ + "COLORTERM=truecolor", + "COMMAND_MODE=unix2003", + "HOME=/Users/jappleseed", + "LC_CTYPE=UTF-8", + "LOGNAME=jappleseed", + "LaunchInstanceID=11F38ACD-A27F-40B4-848D-421BBB0A4919", + "PATH=/Library/Frameworks/Python.framework/Versions/3.10/bin:/opt/homebrew/bin:/opt/homebrew/sbin:/usr/local/bin:/System/Cryptexes/App/usr/bin:/usr/bin:/bin:/usr/sbin:/sbin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/local/bin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/bin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/appleinternal/bin:/Library/Apple/usr/bin:/Applications/VMware Fusion Tech Preview.app/Contents/Public:~/.dotnet/tools", + "SECURITYSESSIONID=1e856", + "SHELL=/bin/zsh", + "SSH_AUTH_SOCK=/private/tmp/com.apple.launchd.omLbuLOqvv/Listeners", + "SSH_SOCKET_DIR=~/.ssh", + "TERM=xterm-256color", + "TERM_PROGRAM=WarpTerminal", + "TERM_PROGRAM_VERSION=v0.2024.05.14.08.01.stable_04", + "USER=jappleseed", + "WARP_COMBINED_PROMPT_COMMAND_GRID=0", + "WARP_HONOR_PS1=1", + "WARP_IS_LOCAL_SHELL_SESSION=1", + "WARP_USE_SSH_WRAPPER=1", + "XPC_FLAGS=0x0", + "XPC_SERVICE_NAME=0", + "__CFBundleIdentifier=dev.warp.Warp-Stable", + "__CF_USER_TEXT_ENCODING=0x0:0:0", + "SHLVL=1", + "PWD=/Users/jappleseed/Documents/GitHub/Elastic/integrations/packages/jamf_protect", + 
"OLDPWD=/Users/jappleseed", + "HOMEBREW_PREFIX=/opt/homebrew", + "HOMEBREW_CELLAR=/opt/homebrew/Cellar", + "HOMEBREW_REPOSITORY=/opt/homebrew", + "MANPATH=/opt/homebrew/share/man::", + "INFOPATH=/opt/homebrew/share/info:", + "ZSH=/Users/jappleseed/.oh-my-zsh", + "PAGER=less", + "LESS=-R", + "LSCOLORS=Gxfxcxdxbxegedabagacad", + "CONDA_CHANGEPS1=false", + "_=/usr/bin/su" + ], + "executable": "/usr/bin/su", + "group_leader": { + "entity_id": "024ED444-A0FB-5E9C-95F3-101026839338", + "pid": 42335, + "real_group": { + "id": "20" + }, + "real_user": { + "id": "502" + }, + "user": { + "id": "502" + } + }, + "interactive": true, + "parent": { + "entity_id": "B3DF0942-6827-56F0-817A-ED114B670078", + "pid": 59258, + "real_group": { + "id": "20" + }, + "real_user": { + "id": "502" + }, + "user": { + "id": "0" + } + }, + "pid": 59259, + "start": "2024-05-22T08:24:13.000Z", + "thread": { + "id": 93443428 + } + }, + "related": { + "hosts": [ + "MacBookPro" + ], + "ip": [ + "192.168.11.251", + "192.168.11.232", + "192.168.64.1", + "169.254.100.182" + ] + }, + "user": { + "effective": { + "id": [ + "502" + ] + } + } + }, + { + "device": { + "id": "123ABC456DJ", + "manufacturer": "Apple" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "screensharing_attach", + "category": [ + "process", + "session" + ], + "code": "118", + "id": "A1EB740E-CB42-4745-97F4-F5C2EF89750A", + "kind": "event", + "outcome": "success", + "provider": "Jamf Protect", + "reason": "A screen sharing session has attached to a graphical session", + "sequence": 342, + "start": "2024-05-13T18:39:26.942Z", + "type": [ + "info", + "start" + ] + }, + "host": { + "hostname": "sevro", + "id": "0000FE00-F18DE97EF425BB7B", + "ip": [ + "192.168.5.190" + ], + "os": { + "family": "macos", + "full": "14.4.1 (Build 23E224)", + "name": "macOS", + "type": "macos", + "version": "14.4.1" + } + }, + "jamf_protect": { + "telemetry": { + "authentication_type": "RSA-SRP", + "code_directory_hash": 
"90c483e0b8d3ad0d30c21ba8a41f52af8cd84fe7", + "es_client": false, + "event_allowed_by_esclient": true, + "existing_session": true, + "graphical_authentication_username": "jappleseed", + "platform_binary": true, + "session_username": "jappleseed" + } + }, + "observer": { + "product": "Jamf Protect", + "type": "Endpoint Security", + "vendor": "Jamf", + "version": "5.5.0.5" + }, + "process": { + "code_signature": { + "signing_id": "com.apple.screensharing.daemon" + }, + "entity_id": "B1621139-6613-5D8D-BFE5-9B57EF557C34", + "executable": "/System/Library/CoreServices/RemoteManagement/screensharingd.bundle/Contents/MacOS/screensharingd", + "group_leader": { + "entity_id": "B1621139-6613-5D8D-BFE5-9B57EF557C34", + "pid": 754, + "real_group": { + "id": "0" + }, + "real_user": { + "id": "0" + }, + "user": { + "id": "0" + } + }, + "interactive": false, + "parent": { + "entity_id": "0547F075-3A15-5FBC-B13B-4F28B75ACD31", + "pid": 1, + "real_group": { + "id": "0" + }, + "real_user": { + "id": "0" + }, + "user": { + "id": "0" + } + }, + "pid": 754, + "start": "2024-05-13T18:39:16.000Z", + "thread": { + "id": 7083 + } + }, + "related": { + "hosts": [ + "sevro" + ], + "ip": [ + "192.168.5.190" + ] + }, + "source": { + "ip": "192.168.4.252" + }, + "user": { + "effective": { + "id": [ + "0" + ] + } + } + }, + { + "device": { + "id": "123ABC456DJ", + "manufacturer": "Apple" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "kextload", + "category": [ + "process", + "configuration" + ], + "code": "17", + "id": "ED83CFC8-27E9-4F23-862D-48448CBE8A7B", + "kind": "event", + "provider": "Jamf Protect", + "reason": "A kernel extension (kext) was loaded", + "sequence": 8582, + "start": "2024-04-19T15:11:43.771Z", + "type": [ + "info", + "change" + ] + }, + "host": { + "hostname": "MacBookPro", + "id": "00006020-000C69E03633C01E", + "ip": [ + "192.168.1.27" + ], + "os": { + "family": "macos", + "full": "14.4.1 (Build 23E224)", + "name": "macOS", + "type": "macos", + 
"version": "14.4.1" + } + }, + "jamf_protect": { + "telemetry": { + "code_directory_hash": "cd9586cd7c6599c6bc8fed4d3823dce4eb1c91fc", + "es_client": false, + "event_allowed_by_esclient": true, + "identifier": "com.apple.driver.AppleUSBAudio", + "platform_binary": true + } + }, + "observer": { + "product": "Jamf Protect", + "type": "Endpoint Security", + "vendor": "Jamf", + "version": "5.4.0.1" + }, + "process": { + "code_signature": { + "signing_id": "com.apple.kernelmanagerd" + }, + "entity_id": "D72BF411-CD8E-591C-81EE-73A18F09F32E", + "executable": "/usr/libexec/kernelmanagerd", + "group_leader": { + "entity_id": "D72BF411-CD8E-591C-81EE-73A18F09F32E", + "pid": 330, + "real_group": { + "id": "0" + }, + "real_user": { + "id": "0" + }, + "user": { + "id": "0" + } + }, + "hash": { + "sha1": "a28a8e1654d65cedb05a268e825563d65b1fbbc0", + "sha256": "2d90d5798155f919965565a72e6065d3a1de6fd0c0f2134acdd3d1bced0a6114" + }, + "interactive": false, + "parent": { + "entity_id": "87BE8C81-EE7F-5C5B-BFCD-D59AE17723C9", + "pid": 1, + "real_group": { + "id": "0" + }, + "real_user": { + "id": "0" + }, + "user": { + "id": "0" + } + }, + "pid": 330, + "start": "2024-04-16T19:23:32.001Z", + "thread": { + "id": 1612753 + } + }, + "related": { + "hash": [ + "a28a8e1654d65cedb05a268e825563d65b1fbbc0", + "2d90d5798155f919965565a72e6065d3a1de6fd0c0f2134acdd3d1bced0a6114" + ], + "hosts": [ + "MacBookPro" + ], + "ip": [ + "192.168.1.27" + ] + }, + "user": { + "effective": { + "id": [ + "0" + ] + } + } + }, + { + "device": { + "id": "123ABC456DJ", + "manufacturer": "Apple" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "profile_add", + "category": [ + "process", + "configuration" + ], + "code": "126", + "id": "F1764069-5A47-41A3-A8A2-BBB96EEED11C", + "kind": "event", + "provider": "Jamf Protect", + "reason": "A configuration profile is installed on the system", + "sequence": 250, + "start": "2024-04-18T18:09:24.453Z", + "type": [ + "info", + "creation" + ] + }, + 
"host": { + "hostname": "Direct’s Virtual Machine", + "id": "0000FE00-64704499391F1E47", + "ip": [ + "192.168.1.37" + ], + "os": { + "family": "macos", + "full": "14.2.1 (Build 23C71)", + "name": "macOS", + "type": "macos", + "version": "14.2.1" + } + }, + "jamf_protect": { + "telemetry": { + "code_directory_hash": "beef65d6aeba15d0dd7ef1a076d4bcbd386c1652", + "es_client": false, + "event_allowed_by_esclient": true, + "platform_binary": true, + "profile_display_name": "Maggie Plan - Jamf Protect Configuration", + "profile_identifier": "com.jamf.protect.7b528ecd-2906-4526-8e57-1d9a7d4a70a9", + "profile_install_source": "1", + "profile_is_updated": false, + "profile_organization": "Jamf Protect", + "profile_scope": "system", + "profile_uuid": "7b528ecd-2906-4526-8e57-1d9a7d4a70a9" + } + }, + "observer": { + "product": "Jamf Protect", + "type": "Endpoint Security", + "vendor": "Jamf", + "version": "5.4.0-Hardcoded.Telemetry.v2.19" + }, + "process": { + "code_signature": { + "signing_id": "com.apple.mdmclient" + }, + "entity_id": "A28E3E65-BBFB-5EEB-9001-DF5BF72BE2B9", + "executable": "/usr/libexec/mdmclient", + "group_leader": { + "entity_id": "A28E3E65-BBFB-5EEB-9001-DF5BF72BE2B9", + "pid": 3804, + "real_group": { + "id": "0" + }, + "real_user": { + "id": "0" + }, + "user": { + "id": "0" + } + }, + "interactive": false, + "parent": { + "entity_id": "30C61A05-D41A-5837-A42E-F11FD2434A00", + "pid": 1, + "real_group": { + "id": "0" + }, + "real_user": { + "id": "0" + }, + "user": { + "id": "0" + } + }, + "pid": 3804, + "start": "2024-04-18T18:09:16.000Z", + "thread": { + "id": 202079 + } + }, + "related": { + "hosts": [ + "Direct’s Virtual Machine" + ], + "ip": [ + "192.168.1.37" + ] + }, + "user": { + "effective": { + "id": [ + "0" + ] + } + } + }, + { + "device": { + "id": "123ABC456DJ", + "manufacturer": "Apple" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "settime", + "category": [ + "process", + "configuration" + ], + "code": "75", + "id": 
"69E87430-917B-4863-B394-537F52E91976", + "kind": "event", + "provider": "Jamf Protect", + "reason": "The system time was attempted to be set", + "sequence": 645, + "start": "2024-05-22T14:21:37.280Z", + "type": [ + "info", + "change" + ] + }, + "host": { + "hostname": "MacBookPro", + "id": "00006000-000C043C22A1801E", + "ip": [ + "192.168.4.252" + ], + "os": { + "family": "macos", + "full": "14.5 (Build 23F79)", + "name": "macOS", + "type": "macos", + "version": "14.5" + } + }, + "jamf_protect": { + "telemetry": { + "code_directory_hash": "19bcee646078eb8ba59e1582baaa2e24ab46b577", + "es_client": false, + "event_allowed_by_esclient": true, + "platform_binary": true + } + }, + "observer": { + "product": "Jamf Protect", + "type": "Endpoint Security", + "vendor": "Jamf", + "version": "5.5.0.6" + }, + "process": { + "code_signature": { + "signing_id": "com.apple.sntp" + }, + "entity_id": "392478E9-0928-541C-9951-65041BD708CD", + "executable": "/usr/bin/sntp", + "group_leader": { + "entity_id": "65D76688-092C-5D45-91EE-D8397C30BF20", + "pid": 1479, + "real_group": { + "id": "20" + }, + "real_user": { + "id": "502" + }, + "user": { + "id": "502" + } + }, + "interactive": true, + "parent": { + "entity_id": "5C5D5D79-2B3D-52BE-A494-74FA963791BC", + "pid": 70346, + "real_group": { + "id": "0" + }, + "real_user": { + "id": "502" + }, + "user": { + "id": "0" + } + }, + "pid": 70350, + "start": "2024-05-22T14:21:37.000Z", + "thread": { + "id": 5072757 + } + }, + "related": { + "hosts": [ + "MacBookPro" + ], + "ip": [ + "192.168.4.252" + ] + }, + "user": { + "effective": { + "id": [ + "0" + ] + } + } + }, + { + "device": { + "id": "123ABC456DJ", + "manufacturer": "Apple" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "btm_launch_item_add", + "category": [ + "process", + "configuration" + ], + "code": "124", + "id": "073C2E43-ABA3-470D-9641-4494F202869D", + "kind": "event", + "provider": "Jamf Protect", + "reason": "Apple’s Background Task Manager notified 
that an item has been added", + "sequence": 3229, + "start": "2024-05-23T06:06:16.840Z", + "type": [ + "info", + "change" + ] + }, + "host": { + "hostname": "MacBookPro", + "id": "00006030-001E301C0228001C", + "ip": [ + "192.168.11.251", + "192.168.11.232", + "192.168.64.1" + ], + "os": { + "family": "macos", + "full": "14.4.1 (Build 23E224)", + "name": "macOS", + "type": "macos", + "version": "14.4.1" + } + }, + "jamf_protect": { + "telemetry": { + "btm_executable_path": "Contents/Resources/com.txhaflaire.JamfCheck.helper", + "btm_item_app_url": "file:///Applications/JamfCheck.app/", + "btm_item_is_legacy": false, + "btm_item_is_managed": false, + "btm_item_type": "LaunchDaemon", + "btm_item_url": "Contents/Library/LaunchDaemons/com.txhaflaire.JamfCheck.helper.plist", + "btm_item_user_uid": "502", + "code_directory_hash": "31c0815ee1b3904a826405c6fb9bc1e3ebae2b79", + "es_client": false, + "event_allowed_by_esclient": true, + "platform_binary": false + } + }, + "observer": { + "product": "Jamf Protect", + "type": "Endpoint Security", + "vendor": "Jamf", + "version": "5.5.0.6" + }, + "process": { + "code_signature": { + "signing_id": "com.txhaflaire.JamfCheck", + "team_id": "CLQKFNPCCP" + }, + "entity_id": "B0BDE4C4-0787-57F5-891A-4D8AA2D33BB9", + "executable": "/Applications/JamfCheck.app/Contents/MacOS/JamfCheck", + "group_leader": { + "entity_id": "B0BDE4C4-0787-57F5-891A-4D8AA2D33BB9", + "pid": 44888, + "real_group": { + "id": "20" + }, + "real_user": { + "id": "502" + }, + "user": { + "id": "502" + } + }, + "interactive": false, + "parent": { + "entity_id": "650F695A-E78B-547C-B6B9-34D752DB435F", + "pid": 1, + "real_group": { + "id": "0" + }, + "real_user": { + "id": "0" + }, + "user": { + "id": "0" + } + }, + "pid": 44888, + "start": "2024-05-23T06:06:15.001Z", + "thread": { + "id": 96260554 + } + }, + "related": { + "hosts": [ + "MacBookPro" + ], + "ip": [ + "192.168.11.251", + "192.168.11.232", + "192.168.64.1" + ] + }, + "user": { + "effective": { + "id": [ 
+ "502" + ] + } + } + }, + { + "device": { + "id": "123ABC456DJ", + "manufacturer": "Apple" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "btm_launch_item_remove", + "category": [ + "process", + "configuration" + ], + "code": "125", + "id": "BE5A2C6D-75D6-4ECA-BCFE-FB1B676DBE1E", + "kind": "event", + "provider": "Jamf Protect", + "reason": "Apple’s Background Task Manager notified that an existing item has been removed", + "sequence": 1068, + "start": "2024-05-23T05:53:39.686Z", + "type": [ + "info", + "change" + ] + }, + "host": { + "hostname": "MacBookPro", + "id": "00006030-001E301C0228001C", + "ip": [ + "192.168.11.251", + "192.168.11.232", + "192.168.64.1" + ], + "os": { + "family": "macos", + "full": "14.4.1 (Build 23E224)", + "name": "macOS", + "type": "macos", + "version": "14.4.1" + } + }, + "jamf_protect": { + "telemetry": { + "btm_item_is_legacy": true, + "btm_item_is_managed": true, + "btm_item_type": "LaunchAgent", + "btm_item_url": "file:///Library/LaunchAgents/inSyncAgent.plist", + "btm_item_user_uid": "502", + "code_directory_hash": "1c01957ea34ce597bbbb6f52245e0a3cb4917cab", + "es_client": false, + "event_allowed_by_esclient": true, + "platform_binary": true + } + }, + "observer": { + "product": "Jamf Protect", + "type": "Endpoint Security", + "vendor": "Jamf", + "version": "5.5.0.6" + }, + "process": { + "code_signature": { + "signing_id": "com.apple.backgroundtaskmanagementd" + }, + "entity_id": "CB0CAAE3-08B8-56CA-BDCA-BD5F44B17CE4", + "executable": "/System/Library/PrivateFrameworks/BackgroundTaskManagement.framework/Versions/A/Resources/backgroundtaskmanagementd", + "group_leader": { + "entity_id": "CB0CAAE3-08B8-56CA-BDCA-BD5F44B17CE4", + "pid": 28267, + "real_group": { + "id": "0" + }, + "real_user": { + "id": "0" + }, + "user": { + "id": "0" + } + }, + "interactive": false, + "parent": { + "entity_id": "650F695A-E78B-547C-B6B9-34D752DB435F", + "pid": 1, + "real_group": { + "id": "0" + }, + "real_user": { + "id": "0" + 
}, + "user": { + "id": "0" + } + }, + "pid": 28267, + "start": "2024-05-23T03:54:49.001Z", + "thread": { + "id": 96231556 + } + }, + "related": { + "hosts": [ + "MacBookPro" + ], + "ip": [ + "192.168.11.251", + "192.168.11.232", + "192.168.64.1" + ] + }, + "user": { + "effective": { + "id": [ + "0" + ] + } + } + }, + { + "device": { + "id": "123ABC456DJ", + "manufacturer": "Apple" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "cs_invalidate", + "category": [ + "process" + ], + "code": "94", + "id": "415148AF-9371-4C01-8D60-72DBEEEC71F2", + "kind": "event", + "provider": "Jamf Protect", + "sequence": 13820, + "start": "2024-04-19T15:34:28.834Z", + "type": [ + "info" + ] + }, + "host": { + "hostname": "MacBookPro", + "id": "00006020-000C69E03633C01E", + "ip": [ + "192.168.1.27" + ], + "os": { + "family": "macos", + "full": "14.4.1 (Build 23E224)", + "name": "macOS", + "type": "macos", + "version": "14.4.1" + } + }, + "jamf_protect": { + "telemetry": { + "event_allowed_by_esclient": true + } + }, + "observer": { + "product": "Jamf Protect", + "type": "Endpoint Security", + "vendor": "Jamf", + "version": "5.4.0.1" + }, + "related": { + "hosts": [ + "MacBookPro" + ], + "ip": [ + "192.168.1.27" + ] + } + }, + { + "device": { + "id": "123ABC456DJ", + "manufacturer": "Apple" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "chroot", + "category": [ + "process" + ], + "code": "57", + "id": "29204089-B6AB-44F9-97B2-A72C09A8B783", + "kind": "event", + "provider": "Jamf Protect", + "reason": "Software has changed its apparent root directory in which it's actively operating out of", + "sequence": 4183, + "start": "2024-05-23T01:35:29.599Z", + "type": [ + "info", + "change" + ] + }, + "file": { + "path": "/private/var/folders/2f/w7qslkks19ncxg48w_559zp80000gn/T" + }, + "host": { + "hostname": "MacBookPro", + "id": "00006030-001E301C0228001C", + "ip": [ + "192.168.11.251", + "192.168.11.232", + "192.168.64.1" + ], + "os": { + "family": 
"macos", + "full": "14.4.1 (Build 23E224)", + "name": "macOS", + "type": "macos", + "version": "14.4.1" + } + }, + "jamf_protect": { + "telemetry": { + "code_directory_hash": "2680cbf567b9aff559d740365e00603fe93bccdf", + "es_client": false, + "event_allowed_by_esclient": true, + "platform_binary": true + } + }, + "observer": { + "product": "Jamf Protect", + "type": "Endpoint Security", + "vendor": "Jamf", + "version": "5.5.0.6" + }, + "process": { + "code_signature": { + "signing_id": "com.apple.dirhelper" + }, + "entity_id": "257005DD-1A0C-5F6F-8563-D790DABEF5B7", + "executable": "/usr/libexec/dirhelper", + "group_leader": { + "entity_id": "5BA4345F-357E-550B-9236-0BE320B979A9", + "pid": 14795, + "real_group": { + "id": "0" + }, + "real_user": { + "id": "0" + }, + "user": { + "id": "0" + } + }, + "interactive": false, + "parent": { + "entity_id": "5BA4345F-357E-550B-9236-0BE320B979A9", + "pid": 14795, + "real_group": { + "id": "0" + }, + "real_user": { + "id": "0" + }, + "user": { + "id": "0" + } + }, + "pid": 14802, + "start": "2024-05-23T01:35:28.000Z", + "thread": { + "id": 95725389 + } + }, + "related": { + "hosts": [ + "MacBookPro" + ], + "ip": [ + "192.168.11.251", + "192.168.11.232", + "192.168.64.1" + ] + }, + "user": { + "effective": { + "id": [ + "0" + ] + } + } + }, + { + "device": { + "id": "KJQMQP4XW0", + "manufacturer": "Apple" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "mount", + "category": [ + "process" + ], + "code": "22", + "id": "0CAC3D00-385F-4F44-872A-B6035375C197", + "kind": "event", + "provider": "Jamf Protect", + "reason": "A file system has been mounted", + "sequence": 106336, + "start": "2024-06-11T11:35:28.142Z", + "type": [ + "info", + "start" + ] + }, + "host": { + "hostname": "MacBookPro-Sjaffy (2)", + "id": "00006030-001E301C0228001C", + "ip": [ + "192.168.11.251", + "192.168.64.1", + "192.168.11.232" + ], + "os": { + "family": "macos", + "full": "14.5 (Build 23F79)", + "name": "macOS", + "type": "macos", + 
"version": "14.5" + } + }, + "jamf_protect": { + "telemetry": { + "code_directory_hash": "7804bd9c2e3b5e16cf9fcfba943564485fb6f20f", + "es_client": false, + "event_allowed_by_esclient": true, + "platform_binary": true + } + }, + "observer": { + "product": "Jamf Protect", + "type": "Endpoint Security", + "vendor": "Jamf", + "version": "6.0.1.11" + }, + "process": { + "code_signature": { + "signing_id": "com.apple.mount_apfs" + }, + "entity_id": "39AE3A81-23C1-5E15-9871-295A85E0FEA1", + "executable": "/System/Library/Filesystems/apfs.fs/Contents/Resources/mount_apfs", + "group_leader": { + "entity_id": "6FC75B65-1B69-5020-A07F-7541488904C3", + "pid": 1148, + "real_group": { + "id": "0" + }, + "real_user": { + "id": "0" + }, + "user": { + "id": "0" + } + }, + "interactive": false, + "parent": { + "entity_id": "F7ED3BE5-780C-5F1B-AD74-F5F01CB3DC39", + "pid": 26930, + "real_group": { + "id": "20" + }, + "real_user": { + "id": "502" + }, + "user": { + "id": "502" + } + }, + "pid": 26932, + "start": "2024-06-11T11:35:28.000Z", + "thread": { + "id": 15379585 + } + }, + "related": { + "hosts": [ + "MacBookPro-Sjaffy (2)" + ], + "ip": [ + "192.168.11.251", + "192.168.64.1", + "192.168.11.232" + ] + }, + "user": { + "effective": { + "id": [ + "502" + ] + } + }, + "volume": { + "device_name": "/dev/disk9s1", + "file_system_type": "apfs", + "mount_name": "/Volumes/JamfConnect", + "size": 4096 + } + }, + { + "device": { + "id": "123ABC456DE", + "manufacturer": "Apple" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "file_collection", + "category": [ + "process" + ], + "code": "9002", + "id": "06CE8D4D-6848-4562-B947-2D607580283A", + "kind": "event", + "provider": "Jamf Protect", + "reason": "A crash or diagnostic file is detected being created", + "start": "2024-05-28T05:45:58.729Z", + "type": [ + "info" + ] + }, + "host": { + "hostname": "MacBookPro", + "id": "00006000-001C58882238801E", + "ip": [ + "192.168.0.185" + ], + "os": { + "family": "macos", + 
"full": "14.5 (Build 23F79)", + "name": "macOS", + "type": "macos", + "version": "14.5" + } + }, + "jamf_protect": { + "telemetry": { + "log_entries": "Date/Time: 2024-04-17 18:19:13.962 -0500\nEnd time: 2024-04-17 18:21:05.619 -0500\n" + } + }, + "log": { + "file": { + "path": "/Library/Logs/DiagnosticReports/spotlightknowledged_MacBook-Pro.cpu_resource.diag" + } + }, + "observer": { + "product": "Jamf Protect", + "type": "Endpoint Security", + "vendor": "Jamf", + "version": "6.0.0.1" + }, + "related": { + "hosts": [ + "MacBookPro" + ], + "ip": [ + "192.168.0.185" + ] + } + }, + { + "device": { + "id": "LFQ5YXH377", + "manufacturer": "Apple" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "bios_uefi", + "category": [ + "process" + ], + "code": "9004", + "id": "DDFDF887-D3F1-4F01-A8E1-0506BBCCD2BF", + "kind": "event", + "provider": "Jamf Protect", + "reason": "Collection of bios data", + "start": "2024-05-22T16:49:22.294Z", + "type": [ + "info" + ] + }, + "host": { + "architecture": "arm64", + "hostname": "MacBookPro", + "id": "00006000-001C58882238801E", + "ip": [ + "192.168.0.185" + ], + "os": { + "family": "macos", + "full": "14.4.1 (Build 23E224)", + "name": "macOS", + "type": "macos", + "version": "14.4.1" + } + }, + "jamf_protect": { + "telemetry": { + "bios_firmware_version": "iBoot-10151.101.3", + "bios_system_firmware_version": "iBoot-10151.101.3" + } + }, + "observer": { + "product": "Jamf Protect", + "type": "Endpoint Security", + "vendor": "Jamf", + "version": "6.0.0.1" + }, + "related": { + "hosts": [ + "MacBookPro" + ], + "ip": [ + "192.168.0.185" + ] + } + }, + { + "device": { + "id": "123ABC456DE", + "manufacturer": "Apple" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "system_performance", + "category": [ + "process", + "host" + ], + "code": "9001", + "id": "710782C4-489E-4003-945C-316F65C50379", + "kind": "event", + "provider": "Jamf Protect", + "reason": "Collection of system system_performance data", + 
"start": "2024-06-04T09:41:38.708Z", + "type": [ + "info" + ] + }, + "host": { + "hostname": "MacBookPro", + "id": "00006000-001C58882238801E", + "ip": [ + "192.168.100.102" + ], + "os": { + "family": "macos", + "full": "14.5 (Build 23F79)", + "name": "macOS", + "type": "macos", + "version": "14.5" + } + }, + "jamf_protect": { + "telemetry": { + "system_performance": [ + { + "bytes_received": 0, + "bytes_received_per_s": 0, + "bytes_sent": 0, + "bytes_sent_per_s": 0, + "cputime_ms_per_s": 202.193, + "cputime_ns": 1013161791, + "cputime_sample_ms_per_s": 202.187, + "cputime_userland_ratio": 0.573927, + "diskio_bytesread": 380928, + "diskio_bytesread_per_s": 76020.3, + "diskio_byteswritten": 0, + "diskio_byteswritten_per_s": 0, + "energy_impact": 3140.59, + "energy_impact_per_s": 626.755, + "idle_wakeups": 0, + "interval_ns": 5010874875, + "intr_wakeups_per_s": 0.199566, + "name": "SourceKitService", + "packets_received": 0, + "packets_received_per_s": 0, + "packets_sent": 0, + "packets_sent_per_s": 0, + "pageins": 0, + "pageins_per_s": 0, + "pid": 36354, + "qos_background_ms_per_s": 0, + "qos_background_ns": 0, + "qos_default_ms_per_s": 202.086, + "qos_default_ns": 1012626541, + "qos_disabled_ms_per_s": 0, + "qos_disabled_ns": 0, + "qos_maintenance_ms_per_s": 0, + "qos_maintenance_ns": 0, + "qos_user_initiated_ms_per_s": 0.105654, + "qos_user_initiated_ns": 529416, + "qos_user_interactive_ms_per_s": 0, + "qos_user_interactive_ns": 0, + "qos_utility_ms_per_s": 0, + "qos_utility_ns": 0, + "started_abstime_ns": 1968573181764, + "timer_wakeups": [ + { + "wakeups": 1 + }, + { + "wakeups": 0 + } + ] + }, + { + "bytes_received": 0, + "bytes_received_per_s": 0, + "bytes_sent": 0, + "bytes_sent_per_s": 0, + "cputime_ms_per_s": 138.511, + "cputime_ns": 694060541, + "cputime_sample_ms_per_s": 138.507, + "cputime_userland_ratio": 0.879748, + "diskio_bytesread": 151552, + "diskio_bytesread_per_s": 30244.6, + "diskio_byteswritten": 3981312, + "diskio_byteswritten_per_s": 794534, 
+ "energy_impact": 1258.85, + "energy_impact_per_s": 251.224, + "idle_wakeups": 2, + "interval_ns": 5010874875, + "intr_wakeups_per_s": 58.872, + "name": "Xcode", + "packets_received": 0, + "packets_received_per_s": 0, + "packets_sent": 0, + "packets_sent_per_s": 0, + "pageins": 3, + "pageins_per_s": 0.598698, + "pid": 36337, + "qos_background_ms_per_s": 0.0153998, + "qos_background_ns": 77166, + "qos_default_ms_per_s": 11.2632, + "qos_default_ns": 56438500, + "qos_disabled_ms_per_s": 0, + "qos_disabled_ns": 0, + "qos_maintenance_ms_per_s": 0, + "qos_maintenance_ns": 0, + "qos_user_initiated_ms_per_s": 11.1361, + "qos_user_initiated_ns": 55801625, + "qos_user_interactive_ms_per_s": 114.393, + "qos_user_interactive_ns": 573208208, + "qos_utility_ms_per_s": 1.7033, + "qos_utility_ns": 8535041, + "started_abstime_ns": 1968419476399, + "timer_wakeups": [ + { + "wakeups": 2 + }, + { + "wakeups": 174 + } + ] + }, + { + "bytes_received": 0, + "bytes_received_per_s": 0, + "bytes_sent": 0, + "bytes_sent_per_s": 0, + "cputime_ms_per_s": 83.7332, + "cputime_ns": 419576500, + "cputime_sample_ms_per_s": 83.7307, + "cputime_userland_ratio": 0.981833, + "diskio_bytesread": 57344, + "diskio_bytesread_per_s": 11443.9, + "diskio_byteswritten": 0, + "diskio_byteswritten_per_s": 0, + "energy_impact": 1198.09, + "energy_impact_per_s": 239.099, + "idle_wakeups": 0, + "interval_ns": 5010874875, + "intr_wakeups_per_s": 0.199566, + "name": "JamfProtect", + "packets_received": 0, + "packets_received_per_s": 0, + "packets_sent": 0, + "packets_sent_per_s": 0, + "pageins": 0, + "pageins_per_s": 0, + "pid": 58824, + "qos_background_ms_per_s": 0, + "qos_background_ns": 0, + "qos_default_ms_per_s": 82.6678, + "qos_default_ns": 414237833, + "qos_disabled_ms_per_s": 0, + "qos_disabled_ns": 0, + "qos_maintenance_ms_per_s": 0, + "qos_maintenance_ns": 0, + "qos_user_initiated_ms_per_s": 1.06542, + "qos_user_initiated_ns": 5338666, + "qos_user_interactive_ms_per_s": 0, + "qos_user_interactive_ns": 0, + 
"qos_utility_ms_per_s": 0, + "qos_utility_ns": 0, + "started_abstime_ns": 2357421081500, + "timer_wakeups": [ + { + "wakeups": 0 + }, + { + "wakeups": 0 + } + ] + } + ] + } + }, + "observer": { + "product": "Jamf Protect", + "type": "Endpoint Security", + "vendor": "Jamf", + "version": "6.0.1.1" + }, + "related": { + "hosts": [ + "MacBookPro" + ], + "ip": [ + "192.168.100.102" ] } } diff --git a/packages/jamf_protect/data_stream/telemetry/agent/stream/aws-s3.yml.hbs b/packages/jamf_protect/data_stream/telemetry/agent/stream/aws-s3.yml.hbs index 41fb564abf0..4b6c9a0ff80 100644 --- a/packages/jamf_protect/data_stream/telemetry/agent/stream/aws-s3.yml.hbs +++ b/packages/jamf_protect/data_stream/telemetry/agent/stream/aws-s3.yml.hbs @@ -115,4 +115,4 @@ publisher_pipeline.disable_host: true {{#if processors}} processors: {{processors}} -{{/if}} \ No newline at end of file +{{/if}} diff --git a/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/default.yml b/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/default.yml index 12cf8ae9493..9a0bf579698 100644 --- a/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/default.yml +++ b/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/default.yml 
@@ -1,54 +1,361 @@
---
description: Pipeline for Jamf Protect Telemetry logs.
processors:
- - set:
- field: ecs.version
- value: '8.11.0'
- - rename:
- field: message
- target_field: event.original
- ignore_missing: true
- - json:
- field: event.original
- target_field: json
- ignore_failure: true
- - pipeline:
- name: '{{ IngestPipeline "pipeline_system_performance_metrics" }}'
- if: ctx.json?.header?.event_name == 'SYSTEM_PERFORMANCE_METRICS'
- - pipeline:
- name: '{{ IngestPipeline "pipeline_audit" }}'
- if: ctx.json?.header?.event_name != null && ctx.json?.header?.event_name.startsWith('AUE_')
- - pipeline:
- name: '{{ IngestPipeline "pipeline_bios_firmware_versions" }}'
- if: ctx.json?.header?.event_name == 'BIOS_FIRMWARE_VERSIONS'
- - pipeline:
- name: '{{ IngestPipeline "pipeline_event" }}'
- if: "['FILE_COLLECTION_EVENT','PLAINTEXT_LOG_COLLECTION'].contains(ctx.json?.header?.event_name)"
- - remove:
- field: event.original
- if: ctx.tags == null || !(ctx.tags.contains('preserve_original_event'))
- ignore_failure: true
- - remove:
- field: json
- ignore_missing: true
- - script:
- description: Drops null/empty values recursively.
- lang: painless
- source:
- boolean dropEmptyFields(Object object) {
- if (object == null || object == '') {
- return true;
- } else if (object instanceof Map) {
- ((Map) object).values().removeIf(value -> dropEmptyFields(value));
- return (((Map) object).size() == 0);
- } else if (object instanceof List) {
- ((List) object).removeIf(value -> dropEmptyFields(value));
- return (((List) object).length == 0);
+ - set:
+ field: ecs.version
+ value: '8.11.0'
+ - json:
+ field: message
+ target_field: jamf_protect.telemetry
+ if: ctx.message != null
+ - rename:
+ field: json
+ target_field: jamf_protect.telemetry
+ if: ctx.json != null
+
+##########################
+## ECS Observer Mapping ##
+##########################
+ - set:
+ field: observer.product
+ value: Jamf Protect
+ - set:
+ field: observer.vendor
+ value: Jamf
+ - set:
+ field: observer.type
+ value: Endpoint Security
+ - rename:
+ field: jamf_protect.telemetry.host.protectVersion
+ target_field: observer.version
+ ignore_missing: true
+
+#######################
+## ECS Event Mapping ##
+#######################
+ - set:
+ field: event.kind
+ value: event
+ - append:
+ field: event.type
+ value: info
+ - append:
+ field: event.category
+ value: process
+ - set:
+ field: event.provider
+ value: Jamf Protect
+ - date:
+ field: jamf_protect.telemetry.time
+ target_field: event.start
+ formats:
+ - date_optional_time
+ if: ctx.jamf_protect?.telemetry?.time != null
+ - rename:
+ field: jamf_protect.telemetry.uuid
+ target_field: event.id
+ ignore_missing: true
+ - rename:
+ field: jamf_protect.telemetry.glob_seq_num
+ target_field: event.sequence
+ ignore_missing: true
+ - convert:
+ field: jamf_protect.telemetry.event_type
+ target_field: event.code
+ type: string
+ ignore_missing: true
+ - script:
+ description: Populates event.action with the name of the event
+ lang: painless
+ source: >
+ if (ctx.jamf_protect.telemetry.containsKey('event')) {
+ def eventObject = ctx.jamf_protect.telemetry.event;
+ for (def key : eventObject.keySet()) {
+ if (eventObject[key] != null) {
+ if (!ctx.containsKey('event')) {
+ ctx.event = new HashMap();
+ }
+ ctx.event.action = key;
+ break;
+ }
+ }
+ }
+ ignore_failure: true
+ - script:
+ lang: painless
+ params:
+ authTypeMap:
+ '0': true
+ '1': false
+ source: |
+ if (ctx.jamf_protect?.telemetry?.action?.result?.result?.auth != null) {
+ def authValue = ctx.jamf_protect.telemetry.action.result.result.auth.toString();
+ def authTypeBoolean = params.authTypeMap.containsKey(authValue) ? params.authTypeMap[authValue] : 'Unknown';
+ ctx.jamf_protect.telemetry = ctx.jamf_protect.telemetry != null ? ctx.jamf_protect.telemetry : new HashMap();
+ ctx.jamf_protect.telemetry.event_allowed_by_esclient = authTypeBoolean;
+ }
+#######################
+## ECS Host Mapping ##
+#######################
+ - rename:
+ field: jamf_protect.telemetry.host.hostname
+ target_field: host.hostname
+ ignore_missing: true
+ - rename:
+ field: jamf_protect.telemetry.host.provisioningUDID
+ target_field: host.id
+ ignore_missing: true
+ - rename:
+ field: jamf_protect.telemetry.host.ips
+ target_field: host.ip
+ if: ctx.jamf_protect?.telemetry?.host?.ips != null && ctx.jamf_protect?.telemetry?.host?.ips != ""
+ - rename:
+ field: jamf_protect.telemetry.host.os
+ target_field: host.os.full
+ ignore_missing: true
+ - gsub:
+ field: host.os.full
+ pattern: '^Version\s*'
+ replacement: ""
+ if: ctx.host?.os?.full != null
+ - gsub:
+ field: host.os.full
+ pattern: ^([^\s]+).*
+ replacement: "$1"
+ target_field: host.os.version
+ if: ctx.host?.os?.full != null
+ - set:
+ field: host.os.family
+ value: macos
+ - set:
+ field: host.os.type
+ value: macos
+ - set:
+ field: host.os.name
+ value: macOS
+#######################
+## ECS Device Mapping ##
+#######################
+ - rename:
+ field: jamf_protect.telemetry.host.serial
+ target_field: device.id
+ ignore_missing: true
+ - set:
+ field: device.manufacturer
+ value: Apple
+########################
+# ECS Related Mapping ##
+########################
+ - append:
+ field: related.hosts
+ value: '{{{ host.hostname }}}'
+ if: ctx.host?.hostname != null
+ allow_duplicates: false
+ ignore_failure: true
+ - append:
+ field: related.user
+ value: "{{{ user.name }}}"
+ if: ctx.user?.name != null
+ allow_duplicates: false
+ - foreach:
+ field: host.ip
+ if: ctx.host?.ip instanceof List
+ processor:
+ append:
+ field: related.ip
+ value: '{{{_ingest._value}}}'
+ allow_duplicates: false
+#######################
+## ECS Pipelines ##
+#######################
+ - pipeline:
+ name: '{{ IngestPipeline "pipeline_event_exec" }}'
+ if: ctx.event.action == "exec"
+ - pipeline:
+ name: '{{ IngestPipeline "pipeline_event_kextload" }}'
+ if: ctx.event.action == "kextload"
+ - pipeline:
+ name: '{{ IngestPipeline "pipeline_event_kextunload" }}'
+ if: ctx.event.action == "kextunload"
+ - pipeline:
+ name: '{{ IngestPipeline "pipeline_event_mount" }}'
+ if: ctx.event.action == "mount"
+ - pipeline:
+ name: '{{ IngestPipeline "pipeline_event_unmount" }}'
+ if: ctx.event.action == "unmount"
+ - pipeline:
+ name: '{{ IngestPipeline "pipeline_event_chroot" }}'
+ if: ctx.event.action == "chroot"
+ - pipeline:
+ name: '{{ IngestPipeline "pipeline_event_settime" }}'
+ if: ctx.event.action == "settime"
+ - pipeline:
+ name: '{{ IngestPipeline "pipeline_event_cs_invalidated" }}'
+ if: ctx.event.action == "cs_invalidated"
+ - pipeline:
+ name: '{{ IngestPipeline "pipeline_event_remount" }}'
+ if: ctx.event.action == "remount"
+ - pipeline:
+ name: '{{ IngestPipeline "pipeline_event_xp_malware_detected" }}'
+ if: ctx.event.action == "xp_malware_detected"
+ - pipeline:
+ name: '{{ IngestPipeline "pipeline_event_xp_malware_remediated" }}'
+ if: ctx.event.action == "xp_malware_remediated"
+ - pipeline:
+ name: '{{ IngestPipeline "pipeline_event_lw_session_login" }}'
+ if: ctx.event.action == "lw_session_login"
+ - pipeline:
+ name: '{{ IngestPipeline "pipeline_event_lw_session_logout" }}'
+ if: ctx.event.action == "lw_session_logout"
+ - pipeline:
+ name: '{{ IngestPipeline "pipeline_event_lw_session_lock" }}'
+ if: ctx.event.action == "lw_session_lock"
+ - pipeline:
+ name: '{{ IngestPipeline "pipeline_event_lw_session_unlock" }}'
+ if: ctx.event.action == "lw_session_unlock"
+ - pipeline:
+ name: '{{ IngestPipeline "pipeline_event_screensharing_attach" }}'
+ if: ctx.event.action == "screensharing_attach"
+ - pipeline:
+ name: '{{ IngestPipeline "pipeline_event_screensharing_detach" }}'
+ if: ctx.event.action == "screensharing_detach"
+ - pipeline:
+ name: '{{ IngestPipeline "pipeline_event_openssh_login" }}'
+ if: ctx.event.action == "openssh_login"
+ - pipeline:
+ name: '{{ IngestPipeline "pipeline_event_openssh_logout" }}'
+ if: ctx.event.action == "openssh_logout"
+ - pipeline:
+ name: '{{ IngestPipeline "pipeline_event_login_login" }}'
+ if: ctx.event.action == "login_login"
+ - pipeline:
+ name: '{{ IngestPipeline "pipeline_event_login_logout" }}'
+ if: ctx.event.action == "login_logout"
+ - pipeline:
+ name: '{{ IngestPipeline "pipeline_event_btm_launch_item_add" }}'
+ if: ctx.event.action == "btm_launch_item_add"
+ - pipeline:
+ name: '{{ IngestPipeline "pipeline_event_btm_launch_item_remove" }}'
+ if: ctx.event.action == "btm_launch_item_remove"
+ - pipeline:
+ name: '{{ IngestPipeline "pipeline_event_profile_add" }}'
+ if: ctx.event.action == "profile_add"
+ - pipeline:
+ name: '{{ IngestPipeline "pipeline_event_profile_remove" }}'
+ if: ctx.event.action == "profile_remove"
+ - pipeline:
+ name: '{{ IngestPipeline "pipeline_event_su" }}'
+ if: ctx.event.action == "su"
+ - pipeline:
+ name: '{{ IngestPipeline "pipeline_event_authentication" }}'
+ if: ctx.event.action == "authentication"
+ - pipeline:
+ name: '{{ IngestPipeline "pipeline_event_sudo" }}'
+ if: ctx.event.action == "sudo"
+ - pipeline:
+ name: '{{ IngestPipeline "pipeline_event_od_group_add" }}'
+ if: ctx.event.action == "od_group_add"
+ - pipeline:
+ name: '{{ IngestPipeline "pipeline_event_od_group_remove" }}'
+ if: ctx.event.action == "od_group_remove"
+ - pipeline:
+ name: '{{ IngestPipeline "pipeline_event_od_group_set" }}'
+ if: ctx.event.action == "od_group_set"
+ - pipeline:
+ name: '{{ IngestPipeline "pipeline_event_od_modify_password" }}'
+ if: ctx.event.action == "od_modify_password"
+ - pipeline:
+ name: '{{ IngestPipeline "pipeline_event_od_disable_user" }}'
+ if: ctx.event.action == "od_disable_user"
+ - pipeline:
+ name: '{{ IngestPipeline "pipeline_event_od_enable_user" }}'
+ if: ctx.event.action == "od_enable_user"
+ - pipeline:
+ name: '{{ IngestPipeline "pipeline_event_od_attribute_value_add" }}'
+ if: ctx.event.action == "od_attribute_value_add"
+ - pipeline:
+ name: '{{ IngestPipeline "pipeline_event_od_attribute_value_remove" }}'
+ if: ctx.event.action == "od_attribute_value_remove"
+ - pipeline:
+ name: '{{ IngestPipeline "pipeline_event_od_attribute_set" }}'
+ if: ctx.event.action == "od_attribute_set"
+ - pipeline:
+ name: '{{ IngestPipeline "pipeline_event_od_create_user" }}'
+ if: ctx.event.action == "od_create_user"
+ - pipeline:
+ name: '{{ IngestPipeline "pipeline_event_od_create_group" }}'
+ if: ctx.event.action == "od_create_group"
+ - pipeline:
+ name: '{{ IngestPipeline "pipeline_event_od_delete_user" }}'
+ if: ctx.event.action == "od_delete_user"
+ - pipeline:
+ name: '{{ IngestPipeline "pipeline_event_od_delete_group" }}'
+ if: ctx.event.action == "od_delete_group"
+ - pipeline:
+ name: '{{ IngestPipeline "pipeline_event_log_collection" }}'
+ if: ctx.event.action == "log_collection"
+ - pipeline:
+ name: '{{ IngestPipeline "pipeline_event_file_collection" }}'
+ if: ctx.event.action == "file_collection"
+ - pipeline:
+ name: '{{ IngestPipeline "pipeline_event_system_performance" }}'
+ if: ctx.event.action == "system_performance"
+ - pipeline:
+ name: '{{ IngestPipeline "pipeline_event_bios_uefi" }}'
+ if: ctx.event.action == "bios_uefi"
+ - remove:
+ field: event.original
+ if: ctx.tags == null || !ctx.tags.contains('preserve_original_event')
+ ignore_failure: true
+
+#############
+## Cleanup ##
+#############
+ - remove:
+ field:
+ # - jamf_protect.telemetry
+ - jamf_protect.telemetry.event
+ - jamf_protect.telemetry.process
+ - jamf_protect.telemetry.action.result.result.auth
+ - jamf_protect.telemetry.action.result.result_type
+ - jamf_protect.telemetry.action_type
+ - jamf_protect.telemetry.deadline
+ - jamf_protect.telemetry.event_type
+ - jamf_protect.telemetry.is_telemetry
+ - jamf_protect.telemetry.mach_time
+ - jamf_protect.telemetry.metadata.product
+ - jamf_protect.telemetry.metadata.schemaVersion
+ - jamf_protect.telemetry.metadata.vendor
+ - jamf_protect.telemetry.seq_num
+ - jamf_protect.telemetry.thread.uuid
+ - jamf_protect.telemetry.time
+ - jamf_protect.telemetry.version
+ - message
+ ignore_missing: true
+ - script:
+ description: Drops null/empty values recursively.
+ lang: painless
+ source:
+ boolean dropEmptyFields(Object object) {
+ if (object == null || object == '') {
+ return true;
+ } else if (object instanceof Map) {
+ ((Map) object).values().removeIf(value -> dropEmptyFields(value));
+ return (((Map) object).size() == 0);
+ } else if (object instanceof List) {
+ ((List) object).removeIf(value -> dropEmptyFields(value));
+ return (((List) object).length == 0);
+ }
+ return false;
}
- return false;
- }
- dropEmptyFields(ctx);
+ dropEmptyFields(ctx);
on_failure:
- set:
+ field: event.kind
+ value: pipeline_error
+ - append:
field: error.message
- value: '{{ _ingest.on_failure_message }}'
+ value: >-
+ Processor '{{{ _ingest.on_failure_processor_type }}}'
+ {{{#_ingest.on_failure_processor_tag}}}with tag '{{{ _ingest.on_failure_processor_tag }}}'
+ {{{/_ingest.on_failure_processor_tag}}}failed with message '{{{ _ingest.on_failure_message }}}'
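Review bot: The `event.original` removal guarded by `preserve_original_event` is dead in the rewritten pipeline: no processor in the hunk populates `event.original` any more (the old `rename: message → event.original` is gone and the `json` processor now parses `message` directly), while the cleanup block removes `message` unconditionally, so tagging an event to keep the raw payload no longer keeps it unless something upstream sets the field. The smallest fix is to put `- rename: { field: message, target_field: event.original, ignore_missing: true }` back before the `json` processor and parse `event.original`, which also keeps the raw record available for re-parsing and incident review. Separately, the dispatcher condition `ctx.event.action == "cs_invalidated"` does not match the action the expected-output fixture earlier in this chunk shows for that event (`cs_invalidate`, with no `event.reason` or process fields populated), so `pipeline_event_cs_invalidated` appears never to run for it; worth confirming against the key Jamf actually emits. Finally, the auth script falls back to the string `'Unknown'` for `jamf_protect.telemetry.event_allowed_by_esclient`, a field that otherwise holds a boolean; if it is mapped as boolean the document would be rejected, so prefer leaving the field unset when the value is unrecognised.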
diff --git a/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_authentication.yml b/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_authentication.yml
new file mode 100644
index 00000000000..c5c50dded14
--- /dev/null
+++ b/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_authentication.yml
@@ -0,0 +1,478 @@ +--- +description: Pipeline for parsing specific fields related to authentication events in Jamf Protect +processors: + +########################## +## ECS Event Specific ## +########################## + - append: + field: event.category + value: authentication + - script: + description: Populates the authentication method that is used. + lang: painless + source: | + if (ctx.jamf_protect.telemetry.event.authentication.containsKey('data')) { + def eventObject = ctx.jamf_protect.telemetry.event.authentication.data; + for (def key : eventObject.keySet()) { + if (eventObject[key] != null) { + ctx.jamf_protect.telemetry.authentication_method = key; + break; + } + } + } + ignore_failure: true + - script: + lang: painless + source: > + ctx.event.reason = 'A user authentication happened using ' + ctx.jamf_protect.telemetry.authentication_method; + - script: + lang: painless + source: | + ctx.event = ctx.event != null ? ctx.event : new HashMap(); + if (ctx.jamf_protect?.telemetry?.event?.authentication?.success instanceof boolean) { + if (ctx.jamf_protect.telemetry.event.authentication.success) { + ctx.event.outcome = 'success'; + } else { + ctx.event.outcome = 'failure'; + } + } + if (ctx.event.outcome == null) { + ctx.event.outcome = 'unknown'; + } + ignore_failure: true + +########################## +## ECS Process ## +########################## + - rename: + field: jamf_protect.telemetry.event.authentication.data.od.instigator.start_time + target_field: process.start + ignore_missing: true + - rename: + field: jamf_protect.telemetry.event.authentication.data.token.instigator.start_time + target_field: process.start + ignore_missing: true + - rename: + field: jamf_protect.telemetry.event.authentication.data.touchid.instigator.start_time + target_field: process.start + ignore_missing: false + + - convert: + field: jamf_protect.telemetry.event.authentication.data.od.instigator.audit_token.egid + target_field: 
jamf_protect.telemetry.event.authentication.instigator.audit_token.egid + type: string + ignore_missing: true + ignore_failure: false + - convert: + field: jamf_protect.telemetry.event.authentication.data.token.instigator.audit_token.egid + target_field: jamf_protect.telemetry.event.authentication.instigator.audit_token.egid + type: string + ignore_missing: true + ignore_failure: false + - convert: + field: jamf_protect.telemetry.event.authentication.data.touchid.instigator.audit_token.egid + target_field: jamf_protect.telemetry.event.authentication.instigator.audit_token.egid + type: string + ignore_missing: true + ignore_failure: false + + - convert: + field: jamf_protect.telemetry.event.authentication.data.od.instigator.audit_token.euid + target_field: jamf_protect.telemetry.event.authentication.instigator.audit_token.euid + type: string + ignore_missing: true + ignore_failure: false + - convert: + field: jamf_protect.telemetry.event.authentication.data.token.instigator.audit_token.euid + target_field: jamf_protect.telemetry.event.authentication.instigator.audit_token.euid + type: string + ignore_missing: true + ignore_failure: false + - convert: + field: jamf_protect.telemetry.event.authentication.data.touchid.instigator.audit_token.euid + target_field: jamf_protect.telemetry.event.authentication.instigator.audit_token.euid + type: string + ignore_missing: true + ignore_failure: false + + - append: + field: user.effective.id + value: '{{{jamf_protect.telemetry.event.authentication.data.od.instigator.audit_token.euid}}}' + if: ctx.jamf_protect.telemetry?.event?.authentication?.data?.od?.instigator?.audit_token?.euid != null + allow_duplicates: false + ignore_failure: true + - append: + field: user.effective.id + value: '{{{jamf_protect.telemetry.event.authentication.data.token.instigator.audit_token.euid}}}' + if: ctx.jamf_protect.telemetry?.event?.authentication?.data?.token?.instigator?.audit_token?.euid != null + allow_duplicates: false + ignore_failure: true 
+ - append: + field: user.effective.id + value: '{{{jamf_protect.telemetry.event.authentication.data.touchid.instigator.audit_token.euid}}}' + if: ctx.jamf_protect.telemetry?.event?.authentication?.data?.touchid?.instigator?.audit_token?.euid != null + allow_duplicates: false + ignore_failure: true + + - rename: + field: jamf_protect.telemetry.event.authentication.data.od.instigator.is_platform_binary + target_field: jamf_protect.telemetry.platform_binary + ignore_missing: true + - rename: + field: jamf_protect.telemetry.event.authentication.data.token.instigator.is_platform_binary + target_field: jamf_protect.telemetry.platform_binary + ignore_missing: true + - rename: + field: jamf_protect.telemetry.event.authentication.data.touchid.instigator.is_platform_binary + target_field: jamf_protect.telemetry.platform_binary + ignore_missing: true + + - rename: + field: jamf_protect.telemetry.event.authentication.data.od.instigator.is_es_client + target_field: jamf_protect.telemetry.es_client + ignore_missing: true + - rename: + field: jamf_protect.telemetry.event.authentication.data.token.instigator.is_es_client + target_field: jamf_protect.telemetry.es_client + ignore_missing: true + - rename: + field: jamf_protect.telemetry.event.authentication.data.touchid.instigator.is_es_client + target_field: jamf_protect.telemetry.es_client + ignore_missing: true + + - rename: + field: jamf_protect.telemetry.event.authentication.data.od.instigator.cdhash + target_field: jamf_protect.telemetry.code_directory_hash + ignore_missing: true + - rename: + field: jamf_protect.telemetry.event.authentication.data.token.instigator.cdhash + target_field: jamf_protect.telemetry.code_directory_hash + ignore_missing: true + - rename: + field: jamf_protect.telemetry.event.authentication.data.touchid.instigator.cdhash + target_field: jamf_protect.telemetry.code_directory_hash + ignore_missing: true + + - rename: + field: 
jamf_protect.telemetry.event.authentication.data.od.instigator.executable.sha1 + target_field: process.hash.sha1 + ignore_missing: true + - rename: + field: jamf_protect.telemetry.event.authentication.data.token.instigator.executable.sha1 + target_field: process.hash.sha1 + ignore_missing: true + - rename: + field: jamf_protect.telemetry.event.authentication.data.touchid.instigator.executable.sha1 + target_field: process.hash.sha1 + ignore_missing: true + + - rename: + field: jamf_protect.telemetry.event.authentication.data.od.instigator.executable.sha256 + target_field: process.hash.sha256 + ignore_missing: true + - rename: + field: jamf_protect.telemetry.event.authentication.data.token.instigator.executable.sha256 + target_field: process.hash.sha256 + ignore_missing: true + - rename: + field: jamf_protect.telemetry.event.authentication.data.touchid.instigator.executable.sha256 + target_field: process.hash.sha256 + ignore_missing: true + + - append: + field: related.hash + value: '{{{process.hash.sha1}}}' + if: ctx.process?.hash?.sha1 != null + allow_duplicates: false + - append: + field: related.hash + value: '{{{process.hash.sha256}}}' + if: ctx.process?.hash?.sha256 != null + allow_duplicates: false + - append: + field: related.hash + value: '{{{jamf_protect.telemetry.code_directory_hash}}}' + if: ctx.jamf_protect?.code_directory_hash != null + allow_duplicates: false + + - rename: + field: jamf_protect.telemetry.event.authentication.data.od.instigator.tty.path + target_field: jamf_protect.telemetry.tty + ignore_missing: true + - rename: + field: jamf_protect.telemetry.event.authentication.data.token.instigator.tty.path + target_field: jamf_protect.telemetry.tty + ignore_missing: true + - rename: + field: jamf_protect.telemetry.event.authentication.data.touchid.instigator.tty.path + target_field: jamf_protect.telemetry.tty + ignore_missing: true + + - set: + field: process.interactive + value: true + if: 
ctx.jamf_protect.telemetry?.event?.authentication?.data?.od?.instigator?.tty != null + - set: + field: process.interactive + value: false + if: ctx.jamf_protect.telemetry?.event?.authentication?.data?.od?.instigator?.tty == null + - set: + field: process.interactive + value: true + if: ctx.jamf_protect.telemetry?.event?.authentication?.data?.token?.instigator?.tty != null + - set: + field: process.interactive + value: false + if: ctx.jamf_protect.telemetry?.event?.authentication?.data?.token?.instigator?.tty == null + - set: + field: process.interactive + value: true + if: ctx.jamf_protect.telemetry?.event?.authentication?.data?.touchid?.instigator?.tty != null + - set: + field: process.interactive + value: false + if: ctx.jamf_protect.telemetry?.event?.authentication?.data?.touchid?.instigator?.tty == null + + - convert: + field: jamf_protect.telemetry.event.authentication.data.od.instigator.audit_token.pid + target_field: process.pid + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - convert: + field: jamf_protect.telemetry.event.authentication.data.token.instigator.audit_token.pid + target_field: process.pid + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - convert: + field: jamf_protect.telemetry.event.authentication.data.touchid.instigator.audit_token.pid + target_field: process.pid + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + + - rename: + field: jamf_protect.telemetry.event.authentication.data.od.instigator.audit_token.uuid + target_field: process.entity_id + ignore_missing: true + - rename: + field: jamf_protect.telemetry.event.authentication.data.token.instigator.audit_token.uuid + target_field: process.entity_id + ignore_missing: true + - rename: + field: 
jamf_protect.telemetry.event.authentication.data.touchid.instigator.audit_token.uuid + target_field: process.entity_id + ignore_missing: true + + - rename: + field: jamf_protect.telemetry.event.authentication.data.od.instigator.executable.path + target_field: process.executable + ignore_missing: true + - rename: + field: jamf_protect.telemetry.event.authentication.data.token.instigator.executable.path + target_field: process.executable + ignore_missing: true + - rename: + field: jamf_protect.telemetry.event.authentication.data.touchid.instigator.executable.path + target_field: process.executable + ignore_missing: true + + - rename: + field: jamf_protect.telemetry.thread.thread_id + target_field: process.thread.id + ignore_missing: true + + - rename: + field: jamf_protect.telemetry.event.authentication.data.od.instigator.signing_id + target_field: process.code_signature.signing_id + ignore_missing: true + - rename: + field: jamf_protect.telemetry.event.authentication.data.token.instigator.signing_id + target_field: process.code_signature.signing_id + ignore_missing: true + - rename: + field: jamf_protect.telemetry.event.authentication.data.touchid.instigator.signing_id + target_field: process.code_signature.signing_id + ignore_missing: true + + - rename: + field: jamf_protect.telemetry.event.authentication.data.od.instigator.team_id + target_field: process.code_signature.team_id + ignore_missing: true + - rename: + field: jamf_protect.telemetry.event.authentication.data.token.instigator.team_id + target_field: process.code_signature.team_id + ignore_missing: true + - rename: + field: jamf_protect.telemetry.event.authentication.data.touchid.instigator.team_id + target_field: process.code_signature.team_id + ignore_missing: true + +########################## +## ECS Parent Process ## +########################## + - rename: + field: jamf_protect.telemetry.event.authentication.data.od.instigator.parent_audit_token.uuid + target_field: process.parent.entity_id + 
ignore_missing: true + - rename: + field: jamf_protect.telemetry.event.authentication.data.token.instigator.parent_audit_token.uuid + target_field: process.parent.entity_id + ignore_missing: true + - rename: + field: jamf_protect.telemetry.event.authentication.data.touchid.instigator.parent_audit_token.uuid + target_field: process.parent.entity_id + ignore_missing: true + + - rename: + field: jamf_protect.telemetry.event.authentication.data.od.instigator.parent_audit_token.pid + target_field: process.parent.pid + ignore_missing: true + - rename: + field: jamf_protect.telemetry.event.authentication.data.token.instigator.parent_audit_token.pid + target_field: process.parent.pid + ignore_missing: true + - rename: + field: jamf_protect.telemetry.event.authentication.data.touchid.instigator.parent_audit_token.pid + target_field: process.parent.pid + ignore_missing: true + + - convert: + field: jamf_protect.telemetry.event.authentication.data.od.instigator.parent_audit_token.euid + target_field: process.parent.user.id + type: string + ignore_missing: true + - convert: + field: jamf_protect.telemetry.event.authentication.data.token.instigator.parent_audit_token.euid + target_field: process.parent.user.id + type: string + ignore_missing: true + - convert: + field: jamf_protect.telemetry.event.authentication.data.touchid.instigator.parent_audit_token.euid + target_field: process.parent.user.id + type: string + ignore_missing: true + + - convert: + field: jamf_protect.telemetry.event.authentication.data.od.instigator.parent_audit_token.ruid + target_field: process.parent.real_user.id + type: string + ignore_missing: true + - convert: + field: jamf_protect.telemetry.event.authentication.data.token.instigator.parent_audit_token.ruid + target_field: process.parent.real_user.id + type: string + ignore_missing: true + - convert: + field: jamf_protect.telemetry.event.authentication.data.touchid.instigator.parent_audit_token.ruid + target_field: process.parent.real_user.id + type: 
string + ignore_missing: true + + - convert: + field: jamf_protect.telemetry.event.authentication.data.od.instigator.parent_audit_token.rgid + target_field: process.parent.real_group.id + type: string + ignore_missing: true + - convert: + field: jamf_protect.telemetry.event.authentication.data.token.instigator.parent_audit_token.rgid + target_field: process.parent.real_group.id + type: string + ignore_missing: true + - convert: + field: jamf_protect.telemetry.event.authentication.data.touchid.instigator.parent_audit_token.rgid + target_field: process.parent.real_group.id + type: string + ignore_missing: true + +########################## +## ECS Responsible Process ## +########################## + - rename: + field: jamf_protect.telemetry.event.authentication.data.od.instigator.responsible_audit_token.uuid + target_field: process.group_leader.entity_id + ignore_missing: true + - rename: + field: jamf_protect.telemetry.event.authentication.data.token.instigator.responsible_audit_token.uuid + target_field: process.group_leader.entity_id + ignore_missing: true + - rename: + field: jamf_protect.telemetry.event.authentication.data.touchid.instigator.responsible_audit_token.uuid + target_field: process.group_leader.entity_id + ignore_missing: true + + - rename: + field: jamf_protect.telemetry.event.authentication.data.od.instigator.responsible_audit_token.pid + target_field: process.group_leader.pid + ignore_missing: true + - rename: + field: jamf_protect.telemetry.event.authentication.data.token.instigator.responsible_audit_token.pid + target_field: process.group_leader.pid + ignore_missing: true + - rename: + field: jamf_protect.telemetry.event.authentication.data.touchid.instigator.responsible_audit_token.pid + target_field: process.group_leader.pid + ignore_missing: true + + - convert: + field: jamf_protect.telemetry.event.authentication.data.od.instigator.responsible_audit_token.euid + target_field: process.group_leader.user.id + type: string + ignore_missing: true 
+ - convert: + field: jamf_protect.telemetry.event.authentication.data.token.instigator.responsible_audit_token.euid + target_field: process.group_leader.user.id + type: string + ignore_missing: true + - convert: + field: jamf_protect.telemetry.event.authentication.data.touchid.instigator.responsible_audit_token.euid + target_field: process.group_leader.user.id + type: string + ignore_missing: true + + - convert: + field: jamf_protect.telemetry.event.authentication.data.od.instigator.responsible_audit_token.ruid + target_field: process.group_leader.real_user.id + type: string + ignore_missing: true + - convert: + field: jamf_protect.telemetry.event.authentication.data.token.instigator.responsible_audit_token.ruid + target_field: process.group_leader.real_user.id + type: string + ignore_missing: true + - convert: + field: jamf_protect.telemetry.event.authentication.data.touchid.instigator.responsible_audit_token.ruid + target_field: process.group_leader.real_user.id + type: string + ignore_missing: true + + - convert: + field: jamf_protect.telemetry.event.authentication.data.od.instigator.responsible_audit_token.rgid + target_field: process.group_leader.real_group.id + type: string + ignore_missing: true + - convert: + field: jamf_protect.telemetry.event.authentication.data.token.instigator.responsible_audit_token.rgid + target_field: process.group_leader.real_group.id + type: string + ignore_missing: true + - convert: + field: jamf_protect.telemetry.event.authentication.data.touchid.instigator.responsible_audit_token.rgid + target_field: process.group_leader.real_group.id + type: string + ignore_missing: true + + - pipeline: + name: '{{ IngestPipeline "pipeline_object_process" }}' + if: ctx.jamf_protect?.telemetry?.event?.authentication?.data?.od == null && ctx.jamf_protect?.telemetry?.event?.authentication?.data?.token == null && ctx.jamf_protect?.telemetry?.event?.authentication?.data?.touchid == null 
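Review bot: The touchid instigator `start_time` rename at the top of the ECS Process section is the only one of the three variants with `ignore_missing: false`, so every od- or token-based authentication event (which has no `touchid` key) fails the whole pipeline instead of being enriched; it should read `ignore_missing: true` like its od and token siblings. Two further issues also appear in pipeline_event_btm_launch_item_add.yml in this commit: the `related.hash` append for the code directory hash tests `ctx.jamf_protect?.code_directory_hash` although the value was just renamed to `jamf_protect.telemetry.code_directory_hash`, so the condition is never true and `if: ctx.jamf_protect?.telemetry?.code_directory_hash != null` is what is meant; and the chain of `process.interactive` set processors lets the last one win, so for an od or token event the final `touchid … tty == null` set always forces `false` whatever the real tty was. A single script that picks whichever instigator variant is present and derives `process.interactive` from its `tty` once, as below, avoids the override. The `event.reason` script also concatenates `ctx.jamf_protect.telemetry.authentication_method` unguarded, producing the literal text "null" when the preceding script found no method.
```yaml
# … unchanged: tty.path renames …
  - script:
      description: Set process.interactive once, from the tty of whichever instigator variant is present.
      lang: painless
      source: |
        def data = ctx.jamf_protect?.telemetry?.event?.authentication?.data;
        if (data == null) {
          return;
        }
        def inst = data.od?.instigator;
        if (inst == null) {
          inst = data.token?.instigator;
        }
        if (inst == null) {
          inst = data.touchid?.instigator;
        }
        if (inst == null) {
          return;
        }
        if (ctx.process == null) {
          ctx.process = new HashMap();
        }
        ctx.process.interactive = inst.tty != null;
# … unchanged: pid converts and the rest of the ECS Process section …
```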
diff --git a/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_bios_uefi.yml b/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_bios_uefi.yml new file mode 100644 index 00000000000..ee8c1828905 --- /dev/null +++ b/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_bios_uefi.yml @@ -0,0 +1,22 @@ +--- +description: Pipeline for parsing specific fields related to bios events in Jamf Protect +processors: + +########################## +## ECS Event Specific ## +########################## + - set: + field: event.reason + value: Collection of bios data + - rename: + field: jamf_protect.telemetry.event.bios_uefi.architecture + target_field: host.architecture + ignore_missing: true + - rename: + field: jamf_protect.telemetry.event.bios_uefi.bios.firmware-version + target_field: jamf_protect.telemetry.bios_firmware_version + ignore_missing: true + - rename: + field: jamf_protect.telemetry.event.bios_uefi.bios.system-firmware-version + target_field: jamf_protect.telemetry.bios_system_firmware_version + ignore_missing: true diff --git a/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_btm_launch_item_add.yml b/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_btm_launch_item_add.yml new file mode 100644 index 00000000000..2b7eaa2063e --- /dev/null +++ b/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_btm_launch_item_add.yml 
@@ -0,0 +1,356 @@ +--- +description: Pipeline for parsing specific fields related to btm add events in Jamf Protect +processors: + +########################## +## ECS Event Specific ## +########################## + - set: + field: event.reason + value: Apple’s Background Task Manager notified that an item has been added + - append: + field: event.type + value: change + - append: + field: event.category + value: configuration + - convert: + field: jamf_protect.telemetry.event.btm_launch_item_add.item.app_url + target_field: jamf_protect.telemetry.btm_item_app_url + type: string + ignore_missing: true + - convert: + field: jamf_protect.telemetry.event.btm_launch_item_add.item.item_url + target_field: jamf_protect.telemetry.btm_item_url + type: string + ignore_missing: true + - convert: + field: jamf_protect.telemetry.event.btm_launch_item_add.item.uid + target_field: jamf_protect.telemetry.btm_item_user_uid + type: string + ignore_missing: true + - convert: + field: jamf_protect.telemetry.event.btm_launch_item_add.item.legacy + target_field: jamf_protect.telemetry.btm_item_is_legacy + type: boolean + ignore_missing: true + ignore_failure: true + - convert: + field: jamf_protect.telemetry.event.btm_launch_item_add.item.managed + target_field: jamf_protect.telemetry.btm_item_is_managed + type: boolean + ignore_missing: true + ignore_failure: true + - convert: + field: jamf_protect.telemetry.event.btm_launch_item_add.executable_path + target_field: jamf_protect.telemetry.btm_executable_path + type: string + ignore_missing: true + - script: + lang: painless + params: + itemTypeMap: + '0': User_Item + '1': App + '2': LoginItem + '3': LaunchAgent + '4': LaunchDaemon + source: > + if (ctx.jamf_protect?.telemetry?.event?.btm_launch_item_add?.item?.item_type != null) { + String itemType = ctx.jamf_protect.telemetry.event.btm_launch_item_add.item.item_type.toString(); + def itemTypeString = params.itemTypeMap.containsKey(itemType) ? 
params.itemTypeMap[itemType] : 'Unknown'; + ctx.jamf_protect = ctx.jamf_protect != null ? ctx.jamf_protect : new HashMap(); + ctx.jamf_protect.telemetry.btm_item_type = itemTypeString; + } + +########################## +## ECS Process ## +########################## + - rename: + field: jamf_protect.telemetry.event.btm_launch_item_add.app.start_time + target_field: process.start + ignore_missing: true + - rename: + field: jamf_protect.telemetry.event.btm_launch_item_add.instigator.start_time + target_field: process.start + ignore_missing: true + - convert: + field: jamf_protect.telemetry.event.btm_launch_item_add.app.audit_token.egid + target_field: jamf_protect.telemetry.event.btm_launch_item_add.app.audit_token.egid + type: string + ignore_missing: true + - convert: + field: jamf_protect.telemetry.event.btm_launch_item_add.instigator.audit_token.egid + target_field: jamf_protect.telemetry.event.btm_launch_item_add.instigator.audit_token.egid + type: string + ignore_missing: true + - convert: + field: jamf_protect.telemetry.event.btm_launch_item_add.app.audit_token.euid + target_field: jamf_protect.telemetry.event.btm_launch_item_add.app.audit_token.euid + type: string + ignore_missing: true + - convert: + field: jamf_protect.telemetry.event.btm_launch_item_add.instigator.audit_token.euid + target_field: jamf_protect.telemetry.event.btm_launch_item_add.instigator.audit_token.euid + type: string + ignore_missing: true + - append: + field: user.effective.id + value: '{{{jamf_protect.telemetry.event.btm_launch_item_add.app.audit_token.euid}}}' + if: ctx.jamf_protect.telemetry?.event?.btm_launch_item_add?.app?.audit_token?.euid != null + allow_duplicates: false + ignore_failure: true + - append: + field: user.effective.id + value: '{{{jamf_protect.telemetry.event.btm_launch_item_add.instigator.audit_token.euid}}}' + if: ctx.jamf_protect.telemetry?.event?.btm_launch_item_add?.instigator?.audit_token?.euid != null + allow_duplicates: false + ignore_failure: true + - 
rename: + field: jamf_protect.telemetry.event.btm_launch_item_add.app.is_platform_binary + target_field: jamf_protect.telemetry.platform_binary + ignore_missing: true + - rename: + field: jamf_protect.telemetry.event.btm_launch_item_add.instigator.is_platform_binary + target_field: jamf_protect.telemetry.platform_binary + ignore_missing: true + - rename: + field: jamf_protect.telemetry.event.btm_launch_item_add.app.is_es_client + target_field: jamf_protect.telemetry.es_client + ignore_missing: true + - rename: + field: jamf_protect.telemetry.event.btm_launch_item_add.instigator.is_es_client + target_field: jamf_protect.telemetry.es_client + ignore_missing: true + - rename: + field: jamf_protect.telemetry.event.btm_launch_item_add.app.cdhash + target_field: jamf_protect.telemetry.code_directory_hash + ignore_missing: true + - rename: + field: jamf_protect.telemetry.event.btm_launch_item_add.instigator.cdhash + target_field: jamf_protect.telemetry.code_directory_hash + ignore_missing: true + - rename: + field: jamf_protect.telemetry.event.btm_launch_item_add.app.executable.sha1 + target_field: process.hash.sha1 + ignore_missing: true + - rename: + field: jamf_protect.telemetry.event.btm_launch_item_add.instigator.executable.sha1 + target_field: process.hash.sha1 + ignore_missing: true + - rename: + field: jamf_protect.telemetry.event.btm_launch_item_add.app.executable.sha256 + target_field: process.hash.sha256 + ignore_missing: true + - rename: + field: jamf_protect.telemetry.event.btm_launch_item_add.instigator.executable.sha256 + target_field: process.hash.sha256 + ignore_missing: true + - append: + field: related.hash + value: '{{{process.hash.sha1}}}' + if: ctx.process?.hash?.sha1 != null + allow_duplicates: false + - append: + field: related.hash + value: '{{{process.hash.sha256}}}' + if: ctx.process?.hash?.sha256 != null + allow_duplicates: false + - append: + field: related.hash + value: '{{{jamf_protect.telemetry.code_directory_hash}}}' + if: 
ctx.jamf_protect?.code_directory_hash != null + allow_duplicates: false + - rename: + field: jamf_protect.telemetry.event.btm_launch_item_add.app.tty.path + target_field: jamf_protect.telemetry.tty + ignore_missing: true + - rename: + field: jamf_protect.telemetry.event.btm_launch_item_add.instigator.tty.path + target_field: jamf_protect.telemetry.tty + ignore_missing: true + - set: + field: process.interactive + value: true + if: ctx.jamf_protect.telemetry?.event?.btm_launch_item_add?.app?.tty != null + - set: + field: process.interactive + value: true + if: ctx.jamf_protect.telemetry?.event?.btm_launch_item_add?.instigator?.tty != null + - set: + field: process.interactive + value: false + if: ctx.jamf_protect.telemetry?.event?.btm_launch_item_add?.app?.tty == null + - set: + field: process.interactive + value: false + if: ctx.jamf_protect.telemetry?.event?.btm_launch_item_add?.instigator?.tty == null + - convert: + field: jamf_protect.telemetry.event.btm_launch_item_add.app.audit_token.pid + target_field: process.pid + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - convert: + field: jamf_protect.telemetry.event.btm_launch_item_add.instigator.audit_token.pid + target_field: process.pid + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - rename: + field: jamf_protect.telemetry.event.btm_launch_item_add.app.audit_token.uuid + target_field: process.entity_id + ignore_missing: true + - rename: + field: jamf_protect.telemetry.event.btm_launch_item_add.instigator.audit_token.uuid + target_field: process.entity_id + ignore_missing: true + - rename: + field: jamf_protect.telemetry.event.btm_launch_item_add.app.executable.path + target_field: process.executable + ignore_missing: true + - rename: + field: jamf_protect.telemetry.event.btm_launch_item_add.instigator.executable.path + target_field: 
process.executable + ignore_missing: true + + - rename: + field: jamf_protect.telemetry.thread.thread_id + target_field: process.thread.id + ignore_missing: true + - rename: + field: jamf_protect.telemetry.event.btm_launch_item_add.app.signing_id + target_field: process.code_signature.signing_id + ignore_missing: true + - rename: + field: jamf_protect.telemetry.event.btm_launch_item_add.instigator.signing_id + target_field: process.code_signature.signing_id + ignore_missing: true + - rename: + field: jamf_protect.telemetry.event.btm_launch_item_add.app.team_id + target_field: process.code_signature.team_id + ignore_missing: true + - rename: + field: jamf_protect.telemetry.event.btm_launch_item_add.instigator.team_id + target_field: process.code_signature.team_id + ignore_missing: true + +########################## +## ECS Parent Process ## +########################## + + - rename: + field: jamf_protect.telemetry.event.btm_launch_item_add.app.parent_audit_token.uuid + target_field: process.parent.entity_id + ignore_missing: true + - rename: + field: jamf_protect.telemetry.event.btm_launch_item_add.instigator.parent_audit_token.uuid + target_field: process.parent.entity_id + ignore_missing: true + + - rename: + field: jamf_protect.telemetry.event.btm_launch_item_add.app.parent_audit_token.pid + target_field: process.parent.pid + ignore_missing: true + - rename: + field: jamf_protect.telemetry.event.btm_launch_item_add.instigator.parent_audit_token.pid + target_field: process.parent.pid + ignore_missing: true + + - convert: + field: jamf_protect.telemetry.event.btm_launch_item_add.app.parent_audit_token.euid + target_field: process.parent.user.id + type: string + ignore_missing: true + - convert: + field: jamf_protect.telemetry.event.btm_launch_item_add.instigator.parent_audit_token.euid + target_field: process.parent.user.id + type: string + ignore_missing: true + + - convert: + field: jamf_protect.telemetry.event.btm_launch_item_add.app.parent_audit_token.ruid + 
target_field: process.parent.real_user.id + type: string + ignore_missing: true + - convert: + field: jamf_protect.telemetry.event.btm_launch_item_add.instigator.parent_audit_token.ruid + target_field: process.parent.real_user.id + type: string + ignore_missing: true + + - convert: + field: jamf_protect.telemetry.event.btm_launch_item_add.app.parent_audit_token.rgid + target_field: process.parent.real_group.id + type: string + ignore_missing: true + - convert: + field: jamf_protect.telemetry.event.btm_launch_item_add.instigator.parent_audit_token.rgid + target_field: process.parent.real_group.id + type: string + ignore_missing: true + +########################## +## ECS Responsible Process ## +########################## + + - rename: + field: jamf_protect.telemetry.event.btm_launch_item_add.app.responsible_audit_token.uuid + target_field: process.group_leader.entity_id + ignore_missing: true + - rename: + field: jamf_protect.telemetry.event.btm_launch_item_add.instigator.responsible_audit_token.uuid + target_field: process.group_leader.entity_id + ignore_missing: true + + - rename: + field: jamf_protect.telemetry.event.btm_launch_item_add.app.responsible_audit_token.pid + target_field: process.group_leader.pid + ignore_missing: true + - rename: + field: jamf_protect.telemetry.event.btm_launch_item_add.instigator.responsible_audit_token.pid + target_field: process.group_leader.pid + ignore_missing: true + + - convert: + field: jamf_protect.telemetry.event.btm_launch_item_add.app.responsible_audit_token.euid + target_field: process.group_leader.user.id + type: string + ignore_missing: true + - convert: + field: jamf_protect.telemetry.event.btm_launch_item_add.instigator.responsible_audit_token.euid + target_field: process.group_leader.user.id + type: string + ignore_missing: true + + - convert: + field: jamf_protect.telemetry.event.btm_launch_item_add.app.responsible_audit_token.ruid + target_field: process.group_leader.real_user.id + type: string + ignore_missing: 
true + - convert: + field: jamf_protect.telemetry.event.btm_launch_item_add.instigator.responsible_audit_token.ruid + target_field: process.group_leader.real_user.id + type: string + ignore_missing: true + + - convert: + field: jamf_protect.telemetry.event.btm_launch_item_add.app.responsible_audit_token.rgid + target_field: process.group_leader.real_group.id + type: string + ignore_missing: true + - convert: + field: jamf_protect.telemetry.event.btm_launch_item_add.instigator.responsible_audit_token.rgid + target_field: process.group_leader.real_group.id + type: string + ignore_missing: true + + - pipeline: + name: '{{ IngestPipeline "pipeline_object_process" }}' + if: ctx.jamf_protect?.telemetry?.event?.btm_launch_item_add?.instigator == null && ctx.jamf_protect?.telemetry?.event?.btm_launch_item_add?.app == null diff --git a/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_btm_launch_item_remove.yml b/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_btm_launch_item_remove.yml new file mode 100644 index 00000000000..8677b9ee63a --- /dev/null +++ b/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_btm_launch_item_remove.yml 
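Review bot: The instigator-sourced processors in the ECS Process, Parent Process and Responsible Process sections rename into the same targets as the `app`-sourced ones (`process.start`, `process.hash.*`, `process.entity_id`, `process.executable`, the code-signature and parent/responsible token fields) with no condition, so an event carrying both `app` and `instigator` objects makes the second rename fail on an already-existing target and, with no `ignore_failure`, aborts the pipeline. The btm_launch_item_remove pipeline added in the same commit guards its instigator processors with `if: ctx.jamf_protect.telemetry?.event?.btm_launch_item_remove?.app == null`; the equivalent `if: ctx.jamf_protect.telemetry?.event?.btm_launch_item_add?.app == null` belongs on each instigator processor here, or the two variants should be folded into one script that picks a single source object. Whether the sensor ever emits both objects on one event is not visible from this hunk, so the guard is cheap insurance either way. In the item_type script, `ctx.jamf_protect = ctx.jamf_protect != null ? ctx.jamf_protect : new HashMap();` is dead code because the enclosing `if` already dereferenced `ctx.jamf_protect.telemetry.event…`, and if it ever did fire the next line would throw on the missing `telemetry`; the line should be dropped.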
@@ -0,0 +1,384 @@
+---
+description: Pipeline for parsing specific fields related to btm remove events in Jamf Protect
+processors:
+
+##########################
+## ECS Event Specific ##
+##########################
+ - set:
+ field: event.reason
+ value: Apple’s Background Task Manager notified that an existing item has been removed
+ - append:
+ field: event.type
+ value: change
+ - append:
+ field: event.category
+ value: configuration
+ - convert:
+ field: jamf_protect.telemetry.event.btm_launch_item_remove.item.app_url
+ target_field: jamf_protect.telemetry.btm_item_app_url
+ type: string
+ ignore_missing: true
+ - convert:
+ field: jamf_protect.telemetry.event.btm_launch_item_remove.item.item_url
+ target_field: jamf_protect.telemetry.btm_item_url
+ type: string
+ ignore_missing: true
+ - convert:
+ field: jamf_protect.telemetry.event.btm_launch_item_remove.item.uid
+ target_field: jamf_protect.telemetry.btm_item_user_uid
+ type: string
+ ignore_missing: true
+ - convert:
+ field: jamf_protect.telemetry.event.btm_launch_item_remove.item.legacy
+ target_field: jamf_protect.telemetry.btm_item_is_legacy
+ type: boolean
+ ignore_missing: true
+ ignore_failure: true
+ - convert:
+ field: jamf_protect.telemetry.event.btm_launch_item_remove.item.managed
+ target_field: jamf_protect.telemetry.btm_item_is_managed
+ type: boolean
+ ignore_missing: true
+ ignore_failure: true
+ - script:
+ lang: painless
+ params:
+ itemTypeMap:
+ '0': User_Item
+ '1': App
+ '2': LoginItem
+ '3': LaunchAgent
+ '4': LaunchDaemon
+ source: >
+ if (ctx.jamf_protect?.telemetry?.event?.btm_launch_item_remove?.item?.item_type != null) {
+ String itemType = ctx.jamf_protect.telemetry.event.btm_launch_item_remove.item.item_type.toString();
+ def itemTypeString = params.itemTypeMap.containsKey(itemType) ? params.itemTypeMap[itemType] : 'Unknown';
+ ctx.jamf_protect = ctx.jamf_protect != null ? ctx.jamf_protect : new HashMap();
+ ctx.jamf_protect.telemetry.btm_item_type = itemTypeString;
+ }
+
+##########################
+## ECS Process ##
+##########################
+ - rename:
+ field: jamf_protect.telemetry.event.btm_launch_item_remove.app.start_time
+ target_field: process.start
+ ignore_missing: true
+ - rename:
+ field: jamf_protect.telemetry.event.btm_launch_item_remove.instigator.start_time
+ if: ctx.jamf_protect.telemetry?.event?.btm_launch_item_remove?.app == null
+ target_field: process.start
+ ignore_missing: true
+ - convert:
+ field: jamf_protect.telemetry.event.btm_launch_item_remove.app.audit_token.egid
+ target_field: jamf_protect.telemetry.event.btm_launch_item_remove.app.audit_token.egid
+ type: string
+ ignore_missing: true
+ - convert:
+ field: jamf_protect.telemetry.event.btm_launch_item_remove.instigator.audit_token.egid
+ target_field: jamf_protect.telemetry.event.btm_launch_item_remove.instigator.audit_token.egid
+ if: ctx.jamf_protect.telemetry?.event?.btm_launch_item_remove?.app == null
+ type: string
+ ignore_missing: true
+ - convert:
+ field: jamf_protect.telemetry.event.btm_launch_item_remove.app.audit_token.euid
+ target_field: jamf_protect.telemetry.event.btm_launch_item_remove.app.audit_token.euid
+ type: string
+ ignore_missing: true
+ - convert:
+ field: jamf_protect.telemetry.event.btm_launch_item_remove.instigator.audit_token.euid
+ target_field: jamf_protect.telemetry.event.btm_launch_item_remove.instigator.audit_token.euid
+ if: ctx.jamf_protect.telemetry?.event?.btm_launch_item_remove?.app == null
+ type: string
+ ignore_missing: true
+ - append:
+ field: user.effective.id
+ value: '{{{jamf_protect.telemetry.event.btm_launch_item_remove.app.audit_token.euid}}}'
+ if: ctx.jamf_protect.telemetry?.event?.btm_launch_item_remove?.app?.audit_token?.euid != null
+ allow_duplicates: false
+ ignore_failure: true
+ - append:
+ field: user.effective.id
+ value: '{{{jamf_protect.telemetry.event.btm_launch_item_remove.instigator.audit_token.euid}}}'
+ if: ctx.jamf_protect.telemetry?.event?.btm_launch_item_remove?.instigator?.audit_token?.euid != null && ctx.jamf_protect.telemetry?.event?.btm_launch_item_remove?.app == null
+ allow_duplicates: false
+ ignore_failure: true
+ - rename:
+ field: jamf_protect.telemetry.event.btm_launch_item_remove.app.executable.sha1
+ target_field: process.hash.sha1
+ ignore_missing: true
+ - rename:
+ field: jamf_protect.telemetry.event.btm_launch_item_remove.instigator.executable.sha1
+ target_field: process.hash.sha1
+ if: ctx.jamf_protect.telemetry?.event?.btm_launch_item_remove?.app == null
+ ignore_missing: true
+ - rename:
+ field: jamf_protect.telemetry.event.btm_launch_item_add.app.is_platform_binary
+ target_field: jamf_protect.telemetry.platform_binary
+ ignore_missing: true
+ - rename:
+ field: jamf_protect.telemetry.event.btm_launch_item_add.instigator.is_platform_binary
+ target_field: jamf_protect.telemetry.platform_binary
+ if: ctx.jamf_protect.telemetry?.event?.btm_launch_item_remove?.app == null
+ ignore_missing: true
+ - rename:
+ field: jamf_protect.telemetry.event.btm_launch_item_add.app.is_es_client
+ target_field: jamf_protect.telemetry.es_client
+ ignore_missing: true
+ - rename:
+ field: jamf_protect.telemetry.event.btm_launch_item_add.instigator.is_es_client
+ target_field: jamf_protect.telemetry.es_client
+ if: ctx.jamf_protect.telemetry?.event?.btm_launch_item_remove?.app == null
+ ignore_missing: true
+ - rename:
+ field: jamf_protect.telemetry.event.btm_launch_item_remove.app.cdhash
+ target_field: jamf_protect.telemetry.code_directory_hash
+ ignore_missing: true
+ - rename:
+ field: jamf_protect.telemetry.event.btm_launch_item_remove.instigator.cdhash
+ target_field: jamf_protect.telemetry.code_directory_hash
+ if: ctx.jamf_protect.telemetry?.event?.btm_launch_item_remove?.app == null
+ ignore_missing: true
+ - rename:
+ field: jamf_protect.telemetry.event.btm_launch_item_remove.app.executable.sha1
+ target_field: process.hash.sha1
+ ignore_missing: true
+ - rename:
+ field: jamf_protect.telemetry.event.btm_launch_item_remove.instigator.executable.sha1
+ target_field: process.hash.sha1
+ if: ctx.jamf_protect.telemetry?.event?.btm_launch_item_remove?.app == null
+ ignore_missing: true
+ - rename:
+ field: jamf_protect.telemetry.event.btm_launch_item_remove.app.executable.sha256
+ target_field: process.hash.sha256
+ ignore_missing: true
+ - rename:
+ field: jamf_protect.telemetry.event.btm_launch_item_remove.instigator.executable.sha256
+ target_field: process.hash.sha256
+ if: ctx.jamf_protect.telemetry?.event?.btm_launch_item_remove?.app == null
+ ignore_missing: true
+ - append:
+ field: related.hash
+ value: '{{{process.hash.sha1}}}'
+ if: ctx.process?.hash?.sha1 != null
+ allow_duplicates: false
+ - append:
+ field: related.hash
+ value: '{{{process.hash.sha256}}}'
+ if: ctx.process?.hash?.sha256 != null
+ allow_duplicates: false
+ - append:
+ field: related.hash
+ value: '{{{jamf_protect.telemetry.code_directory_hash}}}'
+ if: ctx.jamf_protect?.code_directory_hash != null
+ allow_duplicates: false
+ - rename:
+ field: jamf_protect.telemetry.event.btm_launch_item_remove.app.tty.path
+ target_field: jamf_protect.telemetry.tty
+ ignore_missing: true
+ - rename:
+ field: jamf_protect.telemetry.event.btm_launch_item_remove.instigator.tty.path
+ if: ctx.jamf_protect.telemetry?.event?.btm_launch_item_remove?.app == null
+ target_field: jamf_protect.telemetry.tty
+ ignore_missing: true
+ - set:
+ field: process.interactive
+ value: true
+ if: ctx.jamf_protect.telemetry?.event?.btm_launch_item_remove?.app?.tty != null
+ - set:
+ field: process.interactive
+ value: true
+ if: ctx.jamf_protect.telemetry?.event?.btm_launch_item_remove?.instigator?.tty != null && ctx.jamf_protect.telemetry?.event?.btm_launch_item_remove?.app == null
+ - set:
+ field: process.interactive
+ value: false
+ if: ctx.jamf_protect.telemetry?.event?.btm_launch_item_remove?.app?.tty == null
+ - set:
+ field: process.interactive
+ value: false
+ if: ctx.jamf_protect.telemetry?.event?.btm_launch_item_remove?.instigator?.tty == null && ctx.jamf_protect.telemetry?.event?.btm_launch_item_remove?.app == null
+ - convert:
+ field: jamf_protect.telemetry.event.btm_launch_item_remove.app.audit_token.pid
+ target_field: process.pid
+ type: long
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - convert:
+ field: jamf_protect.telemetry.event.btm_launch_item_remove.instigator.audit_token.pid
+ target_field: process.pid
+ type: long
+ if: ctx.jamf_protect.telemetry?.event?.btm_launch_item_remove?.app == null
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - rename:
+ field: jamf_protect.telemetry.event.btm_launch_item_remove.app.audit_token.uuid
+ target_field: process.entity_id
+ ignore_missing: true
+ - rename:
+ field: jamf_protect.telemetry.event.btm_launch_item_remove.instigator.audit_token.uuid
+ target_field: process.entity_id
+ if: ctx.jamf_protect.telemetry?.event?.btm_launch_item_remove?.app == null
+ ignore_missing: true
+ - rename:
+ field: jamf_protect.telemetry.event.btm_launch_item_remove.app.executable.path
+ target_field: process.executable
+ ignore_missing: true
+ - rename:
+ field: jamf_protect.telemetry.event.btm_launch_item_remove.instigator.executable.path
+ target_field: process.executable
+ if: ctx.jamf_protect.telemetry?.event?.btm_launch_item_remove?.app == null
+ ignore_missing: true
+
+ - rename:
+ field: jamf_protect.telemetry.thread.thread_id
+ target_field: process.thread.id
+ ignore_missing: true
+ - rename:
+ field: jamf_protect.telemetry.event.btm_launch_item_remove.app.signing_id
+ target_field: process.code_signature.signing_id
+ ignore_missing: true
+ - rename:
+ field: jamf_protect.telemetry.event.btm_launch_item_remove.instigator.signing_id
+ target_field: process.code_signature.signing_id
+ if: ctx.jamf_protect.telemetry?.event?.btm_launch_item_remove?.app == null
+ ignore_missing: true
+ - rename:
+ field: jamf_protect.telemetry.event.btm_launch_item_remove.app.team_id
+ target_field: process.code_signature.team_id
+ ignore_missing: true
+ - rename:
+ field: jamf_protect.telemetry.event.btm_launch_item_remove.instigator.team_id
+ target_field: process.code_signature.team_id
+ if: ctx.jamf_protect.telemetry?.event?.btm_launch_item_remove?.app == null
+ ignore_missing: true
+
+##########################
+## ECS Parent Process ##
+##########################
+
+ - rename:
+ field: jamf_protect.telemetry.event.btm_launch_item_remove.app.parent_audit_token.uuid
+ target_field: process.parent.entity_id
+ ignore_missing: true
+ - rename:
+ field: jamf_protect.telemetry.event.btm_launch_item_remove.instigator.parent_audit_token.uuid
+ target_field: process.parent.entity_id
+ if: ctx.jamf_protect.telemetry?.event?.btm_launch_item_remove?.app == null
+ ignore_missing: true
+
+ - rename:
+ field: jamf_protect.telemetry.event.btm_launch_item_remove.app.parent_audit_token.pid
+ target_field: process.parent.pid
+ ignore_missing: true
+ - rename:
+ field: jamf_protect.telemetry.event.btm_launch_item_remove.instigator.parent_audit_token.pid
+ target_field: process.parent.pid
+ if: ctx.jamf_protect.telemetry?.event?.btm_launch_item_remove?.app == null
+ ignore_missing: true
+
+ - convert:
+ field: jamf_protect.telemetry.event.btm_launch_item_remove.app.parent_audit_token.euid
+ target_field: process.parent.user.id
+ type: string
+ ignore_missing: true
+ - convert:
+ field: jamf_protect.telemetry.event.btm_launch_item_remove.instigator.parent_audit_token.euid
+ target_field: process.parent.user.id
+ if: ctx.jamf_protect.telemetry?.event?.btm_launch_item_remove?.app == null
+ type: string
+ ignore_missing: true
+
+ - convert:
+ field: jamf_protect.telemetry.event.btm_launch_item_remove.app.parent_audit_token.ruid
+ target_field: process.parent.real_user.id
+ type: string
+ ignore_missing: true
+ - convert:
+ field: jamf_protect.telemetry.event.btm_launch_item_remove.instigator.parent_audit_token.ruid
+ target_field: process.parent.real_user.id
+ if: ctx.jamf_protect.telemetry?.event?.btm_launch_item_remove?.app == null
+ type: string
+ ignore_missing: true
+
+ - convert:
+ field: jamf_protect.telemetry.event.btm_launch_item_remove.app.parent_audit_token.rgid
+ target_field: process.parent.real_group.id
+ type: string
+ ignore_missing: true
+ - convert:
+ field: jamf_protect.telemetry.event.btm_launch_item_remove.instigator.parent_audit_token.rgid
+ target_field: process.parent.real_group.id
+ if: ctx.jamf_protect.telemetry?.event?.btm_launch_item_remove?.app == null
+ type: string
+ ignore_missing: true
+
+##########################
+## ECS Responsible Process ##
+##########################
+
+ - rename:
+ field: jamf_protect.telemetry.event.btm_launch_item_remove.app.responsible_audit_token.uuid
+ target_field: process.group_leader.entity_id
+ ignore_missing: true
+ - rename:
+ field: jamf_protect.telemetry.event.btm_launch_item_remove.instigator.responsible_audit_token.uuid
+ target_field: process.group_leader.entity_id
+ if: ctx.jamf_protect.telemetry?.event?.btm_launch_item_remove?.app == null
+ ignore_missing: true
+
+ - rename:
+ field: jamf_protect.telemetry.event.btm_launch_item_remove.app.responsible_audit_token.pid
+ target_field: process.group_leader.pid
+ ignore_missing: true
+ - rename:
+ field: jamf_protect.telemetry.event.btm_launch_item_remove.instigator.responsible_audit_token.pid
+ target_field: process.group_leader.pid
+ if: ctx.jamf_protect.telemetry?.event?.btm_launch_item_remove?.app == null
+ ignore_missing: true
+
+ - convert:
+ field: jamf_protect.telemetry.event.btm_launch_item_remove.app.responsible_audit_token.euid
+ target_field: process.group_leader.user.id
+ type: string
+ ignore_missing: true
+ - convert:
+ field: jamf_protect.telemetry.event.btm_launch_item_remove.instigator.responsible_audit_token.euid
+ target_field: process.group_leader.user.id
+ if: ctx.jamf_protect.telemetry?.event?.btm_launch_item_remove?.app == null
+ type: string
+ ignore_missing: true
+
+ - convert:
+ field: jamf_protect.telemetry.event.btm_launch_item_remove.app.responsible_audit_token.ruid
+ target_field: process.group_leader.real_user.id
+ type: string
+ ignore_missing: true
+ - convert:
+ field: jamf_protect.telemetry.event.btm_launch_item_remove.instigator.responsible_audit_token.ruid
+ target_field: process.group_leader.real_user.id
+ if: ctx.jamf_protect.telemetry?.event?.btm_launch_item_remove?.app == null
+ type: string
+ ignore_missing: true
+
+ - convert:
+ field: jamf_protect.telemetry.event.btm_launch_item_remove.app.responsible_audit_token.rgid
+ target_field: process.group_leader.real_group.id
+ type: string
+ ignore_missing: true
+ - convert:
+ field: jamf_protect.telemetry.event.btm_launch_item_remove.instigator.responsible_audit_token.rgid
+ target_field: process.group_leader.real_group.id
+ if: ctx.jamf_protect.telemetry?.event?.btm_launch_item_remove?.app == null
+ type: string
+ ignore_missing: true
+
+ - pipeline:
+ name: '{{ IngestPipeline "pipeline_object_process" }}'
+ if: ctx.jamf_protect?.telemetry?.event?.btm_launch_item_remove?.instigator == null && ctx.jamf_protect?.telemetry?.event?.btm_launch_item_remove?.app == null
diff --git a/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_chroot.yml b/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_chroot.yml
new file mode 100644
index 00000000000..ad7fbe8abe7
--- /dev/null
+++ b/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_chroot.yml
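Review bot: Four `rename` processors in the ECS Process section read `jamf_protect.telemetry.event.btm_launch_item_add.app.is_platform_binary`, `...btm_launch_item_add.instigator.is_platform_binary`, `...btm_launch_item_add.app.is_es_client` and `...btm_launch_item_add.instigator.is_es_client`, but this pipeline handles `btm_launch_item_remove` events, so with `ignore_missing: true` they silently never match and `jamf_protect.telemetry.platform_binary` / `jamf_protect.telemetry.es_client` stay empty for every remove event; the four `field:` values should name `btm_launch_item_remove`. The `process.interactive` sets are order-dependent in a way that breaks the instigator case: when `app` is absent, `ctx.jamf_protect.telemetry?.event?.btm_launch_item_remove?.app?.tty == null` is true, so the third `set` overwrites the `true` written by the second; adding `&& ctx.jamf_protect.telemetry?.event?.btm_launch_item_remove?.app != null` to that condition (or emitting the `false` sets before the `true` ones) fixes it. The third `related.hash` append checks `ctx.jamf_protect?.code_directory_hash != null` while the `cdhash` renames above store the value at `jamf_protect.telemetry.code_directory_hash`, so the code directory hash never reaches `related.hash`; the condition should be `ctx.jamf_protect?.telemetry?.code_directory_hash != null`, and the same mismatch is in the pipeline_event_exec.yml hunk below. The app/instigator `executable.sha1` renames appear twice in this hunk, so the second pair is dead and can be dropped.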
@@ -0,0 +1,22 @@
+---
+description: Pipeline for parsing specific fields related to chroot events in Jamf Protect
+processors:
+
+##########################
+## ECS Event Specific ##
+##########################
+ - set:
+ field: event.reason
+ value: Software has changed its apparent root directory in which it's actively operating out of
+ - rename:
+ field: jamf_protect.telemetry.event.chroot.target.path
+ target_field: file.path
+ ignore_missing: true
+##########################
+## ECS Process ##
+##########################
+ - append:
+ field: event.type
+ value: change
+ - pipeline:
+ name: '{{ IngestPipeline "pipeline_object_process" }}'
diff --git a/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_cs_invalidated.yml b/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_cs_invalidated.yml
new file mode 100644
index 00000000000..a515f343db6
--- /dev/null
+++ b/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_cs_invalidated.yml
@@ -0,0 +1,15 @@
+---
+description: Pipeline for parsing specific fields related to codesignature invalid events in Jamf Protect
+processors:
+
+##########################
+## ECS Event Specific ##
+##########################
+ - set:
+ field: event.reason
+ value: The system detected that a process has had its code signature marked as invalid
+##########################
+## ECS Process ##
+##########################
+ - pipeline:
+ name: '{{ IngestPipeline "pipeline_object_process" }}'
diff --git a/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_exec.yml b/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_exec.yml
new file mode 100644
index 00000000000..2d233305768
--- /dev/null
+++ b/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_exec.yml
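Review bot: In pipeline_event_chroot.yml the `event.type: change` append sits under the `## ECS Process ##` banner although it is event categorisation rather than process mapping; moving it up next to the `event.reason` set, as the kextload/kextunload pipelines do, keeps the section headers truthful. Neither this hunk nor the pipeline_event_cs_invalidated.yml hunk that shares this line sets `event.category`, and cs_invalidated sets no `event.type` either; unless `pipeline_object_process` supplies them (not visible here), these documents carry an `event.type` without a category, which ECS-based detection rules commonly filter on. A signature being marked invalid is exactly the kind of event rules key on, so an explicit `event.category: process` plus `event.type: info` (or `change`) in cs_invalidated would be worth adding.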
@@ -0,0 +1,196 @@
+---
+description: Pipeline for parsing specific fields related to exec events in Jamf Protect
+processors:
+
+##########################
+## ECS Event Specific ##
+##########################
+ - set:
+ field: event.reason
+ value: A new process has been executed
+ - append:
+ field: event.type
+ value: start
+
+##########################
+## ECS Process ##
+##########################
+ - rename:
+ field: jamf_protect.telemetry.event.exec.target.start_time
+ target_field: process.start
+ ignore_missing: true
+ - convert:
+ field: jamf_protect.telemetry.event.exec.target.audit_token.egid
+ target_field: jamf_protect.telemetry.event.exec.target.audit_token.egid
+ type: string
+ ignore_missing: true
+ - convert:
+ field: jamf_protect.telemetry.event.exec.target.audit_token.euid
+ target_field: jamf_protect.telemetry.event.exec.target.audit_token.euid
+ type: string
+ ignore_missing: true
+ - append:
+ field: user.effective.id
+ value: '{{{jamf_protect.telemetry.event.exec.target.audit_token.euid}}}'
+ if: ctx.jamf_protect.telemetry?.event?.exec?.target?.audit_token?.euid != null
+ allow_duplicates: false
+ ignore_failure: true
+ - rename:
+ field: jamf_protect.telemetry.event.exec.target.is_platform_binary
+ target_field: jamf_protect.telemetry.platform_binary
+ ignore_missing: true
+ - rename:
+ field: jamf_protect.telemetry.event.exec.target.is_es_client
+ target_field: jamf_protect.telemetry.es_client
+ ignore_missing: true
+ - rename:
+ field: jamf_protect.telemetry.event.exec.target.cdhash
+ target_field: jamf_protect.telemetry.code_directory_hash
+ ignore_missing: true
+ - rename:
+ field: jamf_protect.telemetry.event.exec.target.executable.sha1
+ target_field: process.hash.sha1
+ ignore_missing: true
+ - rename:
+ field: jamf_protect.telemetry.event.exec.target.executable.sha256
+ target_field: process.hash.sha256
+ ignore_missing: true
+ - append:
+ field: related.hash
+ value: '{{{process.hash.sha1}}}'
+ if: ctx.process?.hash?.sha1 != null
+ allow_duplicates: false
+ - append:
+ field: related.hash
+ value: '{{{process.hash.sha256}}}'
+ if: ctx.process?.hash?.sha256 != null
+ allow_duplicates: false
+ - append:
+ field: related.hash
+ value: '{{{jamf_protect.telemetry.code_directory_hash}}}'
+ if: ctx.jamf_protect?.code_directory_hash != null
+ allow_duplicates: false
+ - rename:
+ field: jamf_protect.telemetry.event.exec.target.tty.path
+ target_field: jamf_protect.telemetry.tty
+ ignore_missing: true
+ - set:
+ field: process.interactive
+ value: true
+ if: ctx.jamf_protect.telemetry?.event?.exec?.target?.tty != null
+ - set:
+ field: process.interactive
+ value: false
+ if: ctx.jamf_protect.telemetry?.event?.exec?.target?.tty == null
+ - convert:
+ field: jamf_protect.telemetry.event.exec.target.audit_token.pid
+ target_field: process.pid
+ type: long
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - rename:
+ field: jamf_protect.telemetry.event.exec.target.audit_token.uuid
+ target_field: process.entity_id
+ ignore_missing: true
+ - rename:
+ field: jamf_protect.telemetry.event.exec.target.executable.path
+ target_field: process.executable
+ ignore_missing: true
+ - rename:
+ field: jamf_protect.telemetry.thread.thread_id
+ target_field: process.thread.id
+ ignore_missing: true
+
+ - rename:
+ field: jamf_protect.telemetry.event.exec.args
+ target_field: process.args
+ ignore_missing: true
+ if: ctx.jamf_protect?.telemetry?.event?.exec?.args != null
+ - script:
+ description: Counts the indexes of the arguments
+ lang: painless
+ source: >
+ if (ctx.process.args instanceof List) {
+ ctx.process.args_count = ctx.process.args.size();
+ } else {
+ ctx.process = ctx.process != null ? ctx.process : new HashMap();
+ ctx.process.args_count = 0;
+ }
+ ignore_failure: true
+ - rename:
+ field: jamf_protect.telemetry.event.exec.env
+ target_field: process.env_vars
+ ignore_missing: true
+ if: ctx.jamf_protect?.telemetry?.event?.exec?.env != null
+ - rename:
+ field: jamf_protect.telemetry.event.exec.cwd.path
+ target_field: process.working_directory
+ ignore_missing: true
+ if: ctx.jamf_protect?.telemetry?.event?.exec?.cwd?.path != null
+ - rename:
+ field: jamf_protect.telemetry.event.exec.target.signing_id
+ target_field: process.code_signature.signing_id
+ ignore_missing: true
+ - rename:
+ field: jamf_protect.telemetry.event.exec.target.team_id
+ target_field: process.code_signature.team_id
+ ignore_missing: true
+
+##########################
+## ECS Parent Process ##
+##########################
+
+ - rename:
+ field: jamf_protect.telemetry.event.exec.target.parent_audit_token.uuid
+ target_field: process.parent.entity_id
+ ignore_missing: true
+ - rename:
+ field: jamf_protect.telemetry.event.exec.target.parent_audit_token.pid
+ target_field: process.parent.pid
+ ignore_missing: true
+ - convert:
+ field: jamf_protect.telemetry.event.exec.target.parent_audit_token.euid
+ target_field: process.parent.user.id
+ type: string
+ ignore_missing: true
+ - convert:
+ field: jamf_protect.telemetry.event.exec.target.parent_audit_token.ruid
+ target_field: process.parent.real_user.id
+ type: string
+ ignore_missing: true
+ - convert:
+ field: jamf_protect.telemetry.event.exec.target.parent_audit_token.rgid
+ target_field: process.parent.real_group.id
+ type: string
+ ignore_missing: true
+
+##########################
+## ECS Responsible Process ##
+##########################
+
+ - rename:
+ field: jamf_protect.telemetry.event.exec.target.responsible_audit_token.uuid
+ target_field: process.group_leader.entity_id
+ ignore_missing: true
+ - rename:
+ field: jamf_protect.telemetry.event.exec.target.responsible_audit_token.pid
+ target_field: process.group_leader.pid
+ ignore_missing: true
+ - convert:
+ field: jamf_protect.telemetry.event.exec.target.responsible_audit_token.euid
+ target_field: process.group_leader.user.id
+ type: string
+ ignore_missing: true
+ - convert:
+ field: jamf_protect.telemetry.event.exec.target.responsible_audit_token.ruid
+ target_field: process.group_leader.real_user.id
+ type: string
+ ignore_missing: true
+ - convert:
+ field: jamf_protect.telemetry.event.exec.target.responsible_audit_token.rgid
+ target_field: process.group_leader.real_group.id
+ type: string
+ ignore_missing: true
diff --git a/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_file_collection.yml b/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_file_collection.yml
new file mode 100644
index 00000000000..91a1bd62070
--- /dev/null
+++ b/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_file_collection.yml
@@ -0,0 +1,19 @@
+---
+description: Pipeline for Jamf Protect Telemetry crash and diagnostic events.
+processors:
+
+##########################
+## ECS Event Specific ##
+##########################
+ - set:
+ field: event.reason
+ value: A crash or diagnostic file is detected being created
+ - rename:
+ field: jamf_protect.telemetry.event.file_collection.file.path
+ target_field: log.file.path
+ ignore_missing: true
+ - convert:
+ field: jamf_protect.telemetry.event.file_collection.contents
+ target_field: jamf_protect.telemetry.log_entries
+ type: string
+ ignore_missing: true
diff --git a/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_kextload.yml b/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_kextload.yml
new file mode 100644
index 00000000000..9c8a47a9b46
--- /dev/null
+++ b/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_kextload.yml
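Review bot: The args-count script dereferences `ctx.process.args` without a null-safe accessor, so an exec event that reaches it with no `process` object throws a NullPointerException that `ignore_failure: true` then hides, and `process.args_count` is left unset instead of `0`; the `else` branch already anticipates a missing `process`, so the guard should read `if (ctx.process?.args instanceof List) {`. The `process.env_vars` rename indexes the complete environment of every executed process; environments routinely carry tokens, passwords and API keys, so anyone with read access to this data stream can read them, and the package docs or a comment above the processor should say so, e.g. `# process.env_vars holds the full process environment, which may include secrets; consider dropping or restricting it if this data stream is widely readable`. The `related.hash` condition for the code directory hash has the same field-name mismatch called out on the btm_launch_item_remove hunk above.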
@@ -0,0 +1,26 @@
+---
+description: Pipeline for parsing specific fields related to kext load events in Jamf Protect
+processors:
+
+##########################
+## ECS Event Specific ##
+##########################
+ - set:
+ field: event.reason
+ value: A kernel extension (kext) was loaded
+ - convert:
+ field: jamf_protect.telemetry.event.kextload.identifier
+ target_field: jamf_protect.telemetry.identifier
+ type: string
+ ignore_missing: true
+ - append:
+ field: event.type
+ value: change
+ - append:
+ field: event.category
+ value: configuration
+##########################
+## ECS Process ##
+##########################
+ - pipeline:
+ name: '{{ IngestPipeline "pipeline_object_process" }}'
diff --git a/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_kextunload.yml b/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_kextunload.yml
new file mode 100644
index 00000000000..40636334b31
--- /dev/null
+++ b/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_kextunload.yml
@@ -0,0 +1,26 @@
+---
+description: Pipeline for parsing specific fields related to kext unload events in Jamf Protect
+processors:
+
+##########################
+## ECS Event Specific ##
+##########################
+ - set:
+ field: event.reason
+ value: A kernel extension (kext) was unloaded
+ - convert:
+ field: jamf_protect.telemetry.event.kextunload.identifier
+ target_field: jamf_protect.telemetry.identifier
+ type: string
+ ignore_missing: true
+ - append:
+ field: event.type
+ value: change
+ - append:
+ field: event.category
+ value: configuration
+##########################
+## ECS Process ##
+##########################
+ - pipeline:
+ name: '{{ IngestPipeline "pipeline_object_process" }}'
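Review bot: Both the kextload and kextunload hunks on this line categorise a kernel-extension load/unload as `event.category: configuration` with `event.type: change`, which is the least specific choice available; ECS defines a `driver` category intended for driver and kernel-module activity, and `start` for a load and `end` for an unload would let rules distinguish the two without parsing `event.reason`. If `configuration` is kept deliberately for compatibility, a one-line comment above the append saying why would stop the next reader from "fixing" it. The kext identifier is also a natural `related.*`/`dll.name`-style pivot but is only kept under `jamf_protect.telemetry.identifier`, which is fine as long as the fields.yml entry for it is indexed as keyword (not visible here).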
diff --git a/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_log_collection.yml b/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_log_collection.yml
new file mode 100644
index 00000000000..e2ee75833f4
--- /dev/null
+++ b/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_log_collection.yml
@@ -0,0 +1,19 @@
+---
+description: Pipeline for Jamf Protect Telemetry log collection events.
+processors:
+
+##########################
+## ECS Event Specific ##
+##########################
+ - set:
+ field: event.reason
+ value: New entries have been collected from a log file
+ - rename:
+ field: jamf_protect.telemetry.event.log_collection.path
+ target_field: log.file.path
+ ignore_missing: true
+ - convert:
+ field: jamf_protect.telemetry.event.log_collection.texts
+ target_field: jamf_protect.telemetry.log_entries
+ type: string
+ ignore_missing: true
\ No newline at end of file
diff --git a/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_login_login.yml b/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_login_login.yml
new file mode 100644
index 00000000000..fac7768ec0d
--- /dev/null
+++ b/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_login_login.yml
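Review bot: pipeline_event_log_collection.yml is committed without a trailing newline (`\ No newline at end of file`), unlike every sibling pipeline in this change; adding the newline keeps future diffs on the last processor clean. The collected log text goes into `jamf_protect.telemetry.log_entries` with `type: string`, the same target the file_collection pipeline uses for whole crash/diagnostic files, so one field mixes line-oriented log entries with full file contents; if that is intended it deserves a comment, otherwise separate fields would keep the mapping and any size limits on that field easier to reason about.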
@@ -0,0 +1,44 @@
+---
+description: Pipeline for parsing specific fields related to login using /usr/bin/login events in Jamf Protect
+processors:
+
+##########################
+## ECS Event Specific ##
+##########################
+ - set:
+ field: event.reason
+ value: A user attempted to log in using /usr/bin/login
+ - append:
+ field: event.type
+ value: start
+ - append:
+ field: event.category
+ value: authentication
+ - script:
+ lang: painless
+ source: >
+ ctx.event = ctx.event != null ? ctx.event : new HashMap();
+ if (ctx.jamf_protect?.telemetry?.event?.login_login?.success instanceof boolean) {
+ if (ctx.jamf_protect.telemetry.event.login_login.success) {
+ ctx.event.outcome = 'success';
+ } else {
+ ctx.event.outcome = 'failure';
+ }
+ }
+ if (ctx.event.outcome == null) {
+ ctx.event.outcome = 'unknown';
+ }
+ - rename:
+ field: jamf_protect.telemetry.event.login_login.username
+ target_field: user.name
+ ignore_missing: true
+ - convert:
+ field: jamf_protect.telemetry.event.login_login.uid
+ target_field: user.id
+ type: string
+ ignore_missing: true
+##########################
+## ECS Process ##
+##########################
+ - pipeline:
+ name: '{{ IngestPipeline "pipeline_object_process" }}'
diff --git a/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_login_logout.yml b/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_login_logout.yml
new file mode 100644
index 00000000000..04f4a2731a4
--- /dev/null
+++ b/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_login_logout.yml
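Review bot: `user.name` is populated from `jamf_protect.telemetry.event.login_login.username` but nothing appends it to `related.user`, which is the field most ECS authentication rules and the SIEM user pivots rely on; unless `pipeline_object_process` does this (not visible here), add after the rename `- append: { field: related.user, value: '{{{user.name}}}', if: ctx.user?.name != null, allow_duplicates: false }`. The same omission applies to the login_logout, lw_session_lock, lw_session_login and lw_session_logout hunks that follow. The outcome script is sound: `event.outcome` only becomes `success`/`failure` when `success` is an actual boolean and falls back to `unknown` otherwise, which is the ECS-recommended behaviour, so a short `description:` on the script processor stating that contract would help the next maintainer.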
@@ -0,0 +1,30 @@
+---
+description: Pipeline for parsing specific fields related to logout using /usr/bin/logout events in Jamf Protect
+processors:
+
+##########################
+## ECS Event Specific ##
+##########################
+ - set:
+ field: event.reason
+ value: A user logged out from /usr/bin/login
+ - append:
+ field: event.type
+ value: end
+ - append:
+ field: event.category
+ value: authentication
+ - rename:
+ field: jamf_protect.telemetry.event.login_logout.username
+ target_field: user.name
+ ignore_missing: true
+ - convert:
+ field: jamf_protect.telemetry.event.login_logout.uid
+ target_field: user.id
+ type: string
+ ignore_missing: true
+##########################
+## ECS Process ##
+##########################
+ - pipeline:
+ name: '{{ IngestPipeline "pipeline_object_process" }}'
diff --git a/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_lw_session_lock.yml b/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_lw_session_lock.yml
new file mode 100644
index 00000000000..00ed0f8ed91
--- /dev/null
+++ b/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_lw_session_lock.yml
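Review bot: The pipeline `description` says these are "logout using /usr/bin/logout events" while `event.reason` says "A user logged out from /usr/bin/login"; the two disagree on which binary is involved, and since the login pipeline consistently refers to /usr/bin/login the description is presumably the one that is wrong. Pick one wording for both so that anyone grepping `event.reason` and the pipeline list gets the same story, e.g. `description: Pipeline for parsing specific fields related to logout from /usr/bin/login events in Jamf Protect`.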
@@ -0,0 +1,30 @@
+---
+description: Pipeline for parsing specific fields related to loginwindow lock events in Jamf Protect
+processors:
+
+##########################
+## ECS Event Specific ##
+##########################
+ - set:
+ field: event.reason
+ value: A user has locked the screen
+ - append:
+ field: event.type
+ value: start
+ - append:
+ field: event.category
+ value: authentication
+ - convert:
+ field: jamf_protect.telemetry.event.lw_session_lock.graphical_session_id
+ target_field: jamf_protect.telemetry.graphical_authentication_username
+ type: string
+ ignore_missing: true
+ - rename:
+ field: jamf_protect.telemetry.event.lw_session_lock.username
+ target_field: user.name
+ ignore_missing: true
+##########################
+## ECS Process ##
+##########################
+ - pipeline:
+ name: '{{ IngestPipeline "pipeline_object_process" }}'
diff --git a/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_lw_session_login.yml b/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_lw_session_login.yml
new file mode 100644
index 00000000000..30af818c7cf
--- /dev/null
+++ b/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_lw_session_login.yml
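Review bot: `jamf_protect.telemetry.event.lw_session_lock.graphical_session_id` is written to a field named `jamf_protect.telemetry.graphical_authentication_username`, so a numeric session identifier lands in a field whose name promises a user name; the same convert appears in the lw_session_login and lw_session_logout hunks below (and presumably lw_session_unlock, whose hunk starts outside this view). A name such as `jamf_protect.telemetry.graphical_session_id` would describe the value, and the actual user name is already mapped to `user.name` two processors later. Separately, a screen lock is tagged `event.category: authentication` with `event.type: start`, which makes every lock look like the beginning of an authentication in rules that count `authentication`/`start` events; if there is no better fit, a comment above the append explaining the choice would at least make it deliberate.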
@@ -0,0 +1,30 @@
+---
+description: Pipeline for parsing specific fields related to loginwindow login events in Jamf Protect
+processors:
+
+##########################
+## ECS Event Specific ##
+##########################
+ - set:
+ field: event.reason
+ value: A user has logged in via the Login Window
+ - append:
+ field: event.type
+ value: start
+ - append:
+ field: event.category
+ value: authentication
+ - convert:
+ field: jamf_protect.telemetry.event.lw_session_login.graphical_session_id
+ target_field: jamf_protect.telemetry.graphical_authentication_username
+ type: string
+ ignore_missing: true
+ - rename:
+ field: jamf_protect.telemetry.event.lw_session_login.username
+ target_field: user.name
+ ignore_missing: true
+##########################
+## ECS Process ##
+##########################
+ - pipeline:
+ name: '{{ IngestPipeline "pipeline_object_process" }}'
diff --git a/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_lw_session_logout.yml b/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_lw_session_logout.yml
new file mode 100644
index 00000000000..d5ee23ea5a4
--- /dev/null
+++ b/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_lw_session_logout.yml
@@ -0,0 +1,30 @@
+---
+description: Pipeline for parsing specific fields related to loginwindow logout events in Jamf Protect
+processors:
+
+##########################
+## ECS Event Specific ##
+##########################
+ - set:
+ field: event.reason
+ value: A user has logged out of an active graphical session
+ - append:
+ field: event.type
+ value: end
+ - append:
+ field: event.category
+ value: authentication
+ - convert:
+ field: jamf_protect.telemetry.event.lw_session_logout.graphical_session_id
+ target_field: jamf_protect.telemetry.graphical_authentication_username
+ type: string
+ ignore_missing: true
+ - rename:
+ field: jamf_protect.telemetry.event.lw_session_logout.username
+ target_field: user.name
+ ignore_missing: true
+##########################
+## ECS Process ##
+##########################
+ - pipeline:
+ name: '{{ IngestPipeline "pipeline_object_process" }}'
diff --git a/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_lw_session_unlock.yml b/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_lw_session_unlock.yml
new file mode 100644
index 00000000000..04ad4ef6e9b
--- /dev/null
+++ b/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_lw_session_unlock.yml
@@ -0,0 +1,30 @@
+---
+description: Pipeline for parsing specific fields related to loginwindow unloack events in Jamf Protect
+processors:
+
+##########################
+## ECS Event Specific ##
+##########################
+ - set:
+ field: event.reason
+ value: A user has unlocked the screen from the Login Window
+ - append:
+ field: event.type
+ value: start
+ - append:
+ field: event.category
+ value: authentication
+ - convert:
+ field: jamf_protect.telemetry.event.lw_session_unlock.graphical_session_id
+ target_field: jamf_protect.telemetry.graphical_authentication_username
+ type: string
+ ignore_missing: true
+ - rename:
+ field: jamf_protect.telemetry.event.lw_session_unlock.username
+ target_field: user.name
+ ignore_missing: true
+##########################
+## ECS Process ##
+##########################
+ - pipeline:
+ name: '{{ IngestPipeline "pipeline_object_process" }}'
diff --git a/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_mount.yml b/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_mount.yml
new file mode 100644
index 00000000000..588cb15628b
--- /dev/null
+++ b/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_mount.yml
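Review bot: The `description` line has a typo, `unloack`, and the description is what shows up when the pipeline is listed; it should read `description: Pipeline for parsing specific fields related to loginwindow unlock events in Jamf Protect`. Everything else in this hunk mirrors the lw_session_lock pipeline.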
@@ -0,0 +1,34 @@
+---
+description: Pipeline for parsing specific fields related to volumen mount events in Jamf Protect
+processors:
+
+##########################
+## ECS Event Specific ##
+##########################
+ - set:
+ field: event.reason
+ value: A file system has been mounted
+ - append:
+ field: event.type
+ value: start
+ - rename:
+ field: jamf_protect.telemetry.event.mount.statfs.f_mntfromname
+ target_field: volume.device_name
+ ignore_missing: true
+ - rename:
+ field: jamf_protect.telemetry.event.mount.statfs.f_mntonname
+ target_field: volume.mount_name
+ ignore_missing: true
+ - rename:
+ field: jamf_protect.telemetry.event.mount.statfs.f_fstypename
+ target_field: volume.file_system_type
+ ignore_missing: true
+ - rename:
+ field: jamf_protect.telemetry.event.mount.statfs.f_bsize
+ target_field: volume.size
+ ignore_missing: true
+##########################
+## ECS Process ##
+##########################
+ - pipeline:
+ name: '{{ IngestPipeline "pipeline_object_process" }}'
\ No newline at end of file
diff --git a/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_od_attribute_set.yml b/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_od_attribute_set.yml
new file mode 100644
index 00000000000..92c8be3975e
--- /dev/null
+++ b/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_od_attribute_set.yml
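Review bot: `statfs.f_bsize` is renamed to `volume.size`, but `f_bsize` in statfs is the file system's block size, not its capacity, so ECS `volume.size` (total size in bytes) would carry a block size such as 4096 for every mount. Unless the raw event also carries a block count to multiply by (none is visible in this hunk), keep `f_bsize` under the vendor namespace rather than mapping it to `volume.size`. The description has `volumen` for `volume`, and the file is added without a trailing newline, unlike the sibling pipelines. This pipeline also sets no `event.category` while the other new pipelines do; worth confirming that is intentional.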
@@ -0,0 +1,199 @@
+---
+description: Pipeline for parsing specific fields related to attribute set events in Jamf Protect
+processors:
+
+##########################
+## ECS Event Specific ##
+##########################
+ - set:
+ field: event.reason
+ value: Attribute set on user or group using Open Directory
+ - append:
+ field: event.type
+ value: creation
+ - append:
+ field: event.category
+ value: configuration
+ - rename:
+ field: jamf_protect.telemetry.event.od_attribute_set.group_name
+ target_field: group.name
+ ignore_missing: true
+ - rename:
+ field: jamf_protect.telemetry.event.od_attribute_set.db_path
+ target_field: file.path
+ ignore_missing: true
+ - convert:
+ field: jamf_protect.telemetry.event.od_attribute_set.record_name
+ target_field: jamf_protect.telemetry.record_name
+ type: string
+ ignore_missing: true
+ - convert:
+ field: jamf_protect.telemetry.event.od_attribute_set.attribute_name
+ target_field: jamf_protect.telemetry.attribute_name
+ type: string
+ ignore_missing: true
+ - convert:
+ field: jamf_protect.telemetry.event.od_attribute_set.attribute_value
+ target_field: jamf_protect.telemetry.attribute_value
+ type: string
+ ignore_missing: true
+##########################
+## ECS Process ##
+##########################
+ - rename:
+ field: jamf_protect.telemetry.event.od_attribute_set.instigator.start_time
+ target_field: process.start
+ ignore_missing: true
+ - convert:
+ field: jamf_protect.telemetry.event.od_attribute_set.instigator.audit_token.egid
+ target_field: jamf_protect.telemetry.event.od_attribute_set.instigator.audit_token.egid
+ type: string
+ ignore_missing: true
+ - convert:
+ field: jamf_protect.telemetry.event.od_attribute_set.instigator.audit_token.euid
+ target_field: jamf_protect.telemetry.event.od_attribute_set.instigator.audit_token.euid
+ type: string
+ ignore_missing: true
+ - append:
+ field: user.effective.id
+ value: '{{{jamf_protect.telemetry.event.od_attribute_set.instigator.audit_token.euid}}}'
+ if:
ctx.jamf_protect.telemetry?.event?.od_attribute_set?.instigator?.audit_token?.euid != null
+ allow_duplicates: false
+ ignore_failure: true
+ - rename:
+ field: jamf_protect.telemetry.event.od_attribute_set.instigator.is_platform_binary
+ target_field: jamf_protect.telemetry.platform_binary
+ ignore_missing: true
+ - rename:
+ field: jamf_protect.telemetry.event.od_attribute_set.instigator.is_es_client
+ target_field: jamf_protect.telemetry.es_client
+ ignore_missing: true
+ - rename:
+ field: jamf_protect.telemetry.event.od_attribute_set.instigator.cdhash
+ target_field: jamf_protect.telemetry.code_directory_hash
+ ignore_missing: true
+ - rename:
+ field: jamf_protect.telemetry.event.od_attribute_set.instigator.executable.sha1
+ target_field: process.hash.sha1
+ ignore_missing: true
+ - rename:
+ field: jamf_protect.telemetry.event.od_attribute_set.instigator.executable.sha256
+ target_field: process.hash.sha256
+ ignore_missing: true
+ - append:
+ field: related.hash
+ value: '{{{process.hash.sha1}}}'
+ if: ctx.process?.hash?.sha1 != null
+ allow_duplicates: false
+ - append:
+ field: related.hash
+ value: '{{{process.hash.sha256}}}'
+ if: ctx.process?.hash?.sha256 != null
+ allow_duplicates: false
+ - append:
+ field: related.hash
+ value: '{{{jamf_protect.telemetry.code_directory_hash}}}'
+ if: ctx.jamf_protect?.code_directory_hash != null
+ allow_duplicates: false
+ - rename:
+ field: jamf_protect.telemetry.event.od_attribute_set.instigator.tty.path
+ target_field: jamf_protect.telemetry.tty
+ ignore_missing: true
+ - set:
+ field: process.interactive
+ value: true
+ if: ctx.jamf_protect.telemetry?.event?.od_attribute_set?.instigator?.tty != null
+ - set:
+ field: process.interactive
+ value: false
+ if: ctx.jamf_protect.telemetry?.event?.od_attribute_set?.instigator?.tty == null
+ - convert:
+ field: jamf_protect.telemetry.event.od_attribute_set.instigator.audit_token.pid
+ target_field: process.pid
+ type: long
+ ignore_missing: true
+ on_failure:
+ -
append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - rename:
+ field: jamf_protect.telemetry.event.od_attribute_set.instigator.audit_token.uuid
+ target_field: process.entity_id
+ ignore_missing: true
+ - rename:
+ field: jamf_protect.telemetry.event.od_attribute_set.instigator.executable.path
+ target_field: process.executable
+ ignore_missing: true
+ - rename:
+ field: jamf_protect.telemetry.thread.thread_id
+ target_field: process.thread.id
+ ignore_missing: true
+ - rename:
+ field: jamf_protect.telemetry.event.od_attribute_set.db_path
+ target_field: process.working_directory
+ ignore_missing: true
+ if: ctx.jamf_protect?.telemetry?.event?.od_attribute_set?.db_path != null
+ - rename:
+ field: jamf_protect.telemetry.event.od_attribute_set.instigator.signing_id
+ target_field: process.code_signature.signing_id
+ ignore_missing: true
+ - rename:
+ field: jamf_protect.telemetry.event.od_attribute_set.instigator.team_id
+ target_field: process.code_signature.team_id
+ ignore_missing: true
+
+##########################
+## ECS Parent Process ##
+##########################
+
+ - rename:
+ field: jamf_protect.telemetry.event.od_attribute_set.instigator.parent_audit_token.uuid
+ target_field: process.parent.entity_id
+ ignore_missing: true
+ - rename:
+ field: jamf_protect.telemetry.event.od_attribute_set.instigator.parent_audit_token.pid
+ target_field: process.parent.pid
+ ignore_missing: true
+ - convert:
+ field: jamf_protect.telemetry.event.od_attribute_set.instigator.parent_audit_token.euid
+ target_field: process.parent.user.id
+ type: string
+ ignore_missing: true
+ - convert:
+ field: jamf_protect.telemetry.event.od_attribute_set.instigator.parent_audit_token.ruid
+ target_field: process.parent.real_user.id
+ type: string
+ ignore_missing: true
+ - convert:
+ field: jamf_protect.telemetry.event.od_attribute_set.instigator.parent_audit_token.rgid
+ target_field: process.parent.real_group.id
+ type: string
+ ignore_missing: true
+
+##########################
+## ECS Responsible Process ##
+##########################
+
+ - rename:
+ field: jamf_protect.telemetry.event.od_attribute_set.instigator.responsible_audit_token.uuid
+ target_field: process.group_leader.entity_id
+ ignore_missing: true
+ - rename:
+ field: jamf_protect.telemetry.event.od_attribute_set.instigator.responsible_audit_token.pid
+ target_field: process.group_leader.pid
+ ignore_missing: true
+ - convert:
+ field: jamf_protect.telemetry.event.od_attribute_set.instigator.responsible_audit_token.euid
+ target_field: process.group_leader.user.id
+ type: string
+ ignore_missing: true
+ - convert:
+ field: jamf_protect.telemetry.event.od_attribute_set.instigator.responsible_audit_token.ruid
+ target_field: process.group_leader.real_user.id
+ type: string
+ ignore_missing: true
+ - convert:
+ field: jamf_protect.telemetry.event.od_attribute_set.instigator.responsible_audit_token.rgid
+ target_field: process.group_leader.real_group.id
+ type: string
+ ignore_missing: true
diff --git a/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_od_attribute_value_add.yml b/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_od_attribute_value_add.yml
new file mode 100644
index 00000000000..688f73e97b3
--- /dev/null
+++ b/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_od_attribute_value_add.yml
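Review bot: The `related.hash` append for the code directory hash is guarded by `if: ctx.jamf_protect?.code_directory_hash != null`, while the rename just above stores the value at `jamf_protect.telemetry.code_directory_hash`, so the guard is never true and the cdhash never reaches `related.hash`; the line should read `if: ctx.jamf_protect?.telemetry?.code_directory_hash != null`. Separately, `db_path` is renamed to `file.path` in the event-specific section, and the later rename of the same source to `process.working_directory` (guarded on the source still being present) is therefore dead; an Open Directory database path is not the instigating process's working directory in any case, so that second rename should be dropped. Both issues recur in the od_attribute_value_add and od_attribute_value_remove hunks, and the related.hash guard also in od_create_group, whose hunk runs past this chunk. The `ctx.jamf_protect.telemetry?.…` conditions are also not null-safe on the first segment; `ctx.jamf_protect?.telemetry?.…` matches the form already used on the db_path guard and avoids a null-pointer failure if a document without the vendor object ever reaches this pipeline.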
@@ -0,0 +1,198 @@
+---
+description: Pipeline for parsing specific fields related to attribute value add events in Jamf Protect
+processors:
+
+##########################
+## ECS Event Specific ##
+##########################
+ - set:
+ field: event.reason
+ value: Attribute added to a user or group using Open Directory
+ - append:
+ field: event.type
+ value: creation
+ - append:
+ field: event.category
+ value: configuration
+ - rename:
+ field: jamf_protect.telemetry.event.od_attribute_value_add.group_name
+ target_field: group.name
+ ignore_missing: true
+ - rename:
+ field: jamf_protect.telemetry.event.od_attribute_value_add.record_name
+ target_field: user.name
+ ignore_missing: true
+ - rename:
+ field: jamf_protect.telemetry.event.od_attribute_value_add.db_path
+ target_field: file.path
+ ignore_missing: true
+ - convert:
+ field: jamf_protect.telemetry.event.od_attribute_value_add.attribute_name
+ target_field: jamf_protect.telemetry.attribute_name
+ type: string
+ ignore_missing: true
+ - convert:
+ field: jamf_protect.telemetry.event.od_attribute_value_add.attribute_value
+ target_field: jamf_protect.telemetry.attribute_value
+ type: string
+ ignore_missing: true
+##########################
+## ECS Process ##
+##########################
+ - rename:
+ field: jamf_protect.telemetry.event.od_attribute_value_add.instigator.start_time
+ target_field: process.start
+ ignore_missing: true
+ - convert:
+ field: jamf_protect.telemetry.event.od_attribute_value_add.instigator.audit_token.egid
+ target_field: jamf_protect.telemetry.event.od_attribute_value_add.instigator.audit_token.egid
+ type: string
+ ignore_missing: true
+ - convert:
+ field: jamf_protect.telemetry.event.od_attribute_value_add.instigator.audit_token.euid
+ target_field: jamf_protect.telemetry.event.od_attribute_value_add.instigator.audit_token.euid
+ type: string
+ ignore_missing: true
+ - append:
+ field: user.effective.id
+ value:
'{{{jamf_protect.telemetry.event.od_attribute_value_add.instigator.audit_token.euid}}}'
+ if: ctx.jamf_protect.telemetry?.event?.od_attribute_value_add?.instigator?.audit_token?.euid != null
+ allow_duplicates: false
+ ignore_failure: true
+ - rename:
+ field: jamf_protect.telemetry.event.od_attribute_value_add.instigator.is_platform_binary
+ target_field: jamf_protect.telemetry.platform_binary
+ ignore_missing: true
+ - rename:
+ field: jamf_protect.telemetry.event.od_attribute_value_add.instigator.is_es_client
+ target_field: jamf_protect.telemetry.es_client
+ ignore_missing: true
+ - rename:
+ field: jamf_protect.telemetry.event.od_attribute_value_add.instigator.cdhash
+ target_field: jamf_protect.telemetry.code_directory_hash
+ ignore_missing: true
+ - rename:
+ field: jamf_protect.telemetry.event.od_attribute_value_add.instigator.executable.sha1
+ target_field: process.hash.sha1
+ ignore_missing: true
+ - rename:
+ field: jamf_protect.telemetry.event.od_attribute_value_add.instigator.executable.sha256
+ target_field: process.hash.sha256
+ ignore_missing: true
+ - append:
+ field: related.hash
+ value: '{{{process.hash.sha1}}}'
+ if: ctx.process?.hash?.sha1 != null
+ allow_duplicates: false
+ - append:
+ field: related.hash
+ value: '{{{process.hash.sha256}}}'
+ if: ctx.process?.hash?.sha256 != null
+ allow_duplicates: false
+ - append:
+ field: related.hash
+ value: '{{{jamf_protect.telemetry.code_directory_hash}}}'
+ if: ctx.jamf_protect?.code_directory_hash != null
+ allow_duplicates: false
+ - rename:
+ field: jamf_protect.telemetry.event.od_attribute_value_add.instigator.tty.path
+ target_field: jamf_protect.telemetry.tty
+ ignore_missing: true
+ - set:
+ field: process.interactive
+ value: true
+ if: ctx.jamf_protect.telemetry?.event?.od_attribute_value_add?.instigator?.tty != null
+ - set:
+ field: process.interactive
+ value: false
+ if: ctx.jamf_protect.telemetry?.event?.od_attribute_value_add?.instigator?.tty == null
+ - convert:
+ field:
jamf_protect.telemetry.event.od_attribute_value_add.instigator.audit_token.pid
+ target_field: process.pid
+ type: long
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - rename:
+ field: jamf_protect.telemetry.event.od_attribute_value_add.instigator.audit_token.uuid
+ target_field: process.entity_id
+ ignore_missing: true
+ - rename:
+ field: jamf_protect.telemetry.event.od_attribute_value_add.instigator.executable.path
+ target_field: process.executable
+ ignore_missing: true
+ - rename:
+ field: jamf_protect.telemetry.thread.thread_id
+ target_field: process.thread.id
+ ignore_missing: true
+ - rename:
+ field: jamf_protect.telemetry.event.od_attribute_value_add.db_path
+ target_field: process.working_directory
+ ignore_missing: true
+ if: ctx.jamf_protect?.telemetry?.event?.od_attribute_value_add?.db_path != null
+ - rename:
+ field: jamf_protect.telemetry.event.od_attribute_value_add.instigator.signing_id
+ target_field: process.code_signature.signing_id
+ ignore_missing: true
+ - rename:
+ field: jamf_protect.telemetry.event.od_attribute_value_add.instigator.team_id
+ target_field: process.code_signature.team_id
+ ignore_missing: true
+
+##########################
+## ECS Parent Process ##
+##########################
+
+ - rename:
+ field: jamf_protect.telemetry.event.od_attribute_value_add.instigator.parent_audit_token.uuid
+ target_field: process.parent.entity_id
+ ignore_missing: true
+ - rename:
+ field: jamf_protect.telemetry.event.od_attribute_value_add.instigator.parent_audit_token.pid
+ target_field: process.parent.pid
+ ignore_missing: true
+ - convert:
+ field: jamf_protect.telemetry.event.od_attribute_value_add.instigator.parent_audit_token.euid
+ target_field: process.parent.user.id
+ type: string
+ ignore_missing: true
+ - convert:
+ field: jamf_protect.telemetry.event.od_attribute_value_add.instigator.parent_audit_token.ruid
+ target_field: process.parent.real_user.id
+ type:
string
+ ignore_missing: true
+ - convert:
+ field: jamf_protect.telemetry.event.od_attribute_value_add.instigator.parent_audit_token.rgid
+ target_field: process.parent.real_group.id
+ type: string
+ ignore_missing: true
+
+##########################
+## ECS Responsible Process ##
+##########################
+
+ - rename:
+ field: jamf_protect.telemetry.event.od_attribute_value_add.instigator.responsible_audit_token.uuid
+ target_field: process.group_leader.entity_id
+ ignore_missing: true
+ - rename:
+ field: jamf_protect.telemetry.event.od_attribute_value_add.instigator.responsible_audit_token.pid
+ target_field: process.group_leader.pid
+ ignore_missing: true
+ - convert:
+ field: jamf_protect.telemetry.event.od_attribute_value_add.instigator.responsible_audit_token.euid
+ target_field: process.group_leader.user.id
+ type: string
+ ignore_missing: true
+ - convert:
+ field: jamf_protect.telemetry.event.od_attribute_value_add.instigator.responsible_audit_token.ruid
+ target_field: process.group_leader.real_user.id
+ type: string
+ ignore_missing: true
+ - convert:
+ field: jamf_protect.telemetry.event.od_attribute_value_add.instigator.responsible_audit_token.rgid
+ target_field: process.group_leader.real_group.id
+ type: string
+ ignore_missing: true
diff --git a/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_od_attribute_value_remove.yml b/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_od_attribute_value_remove.yml
new file mode 100644
index 00000000000..3fe3128f00c
--- /dev/null
+++ b/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_od_attribute_value_remove.yml
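Review bot: `od_attribute_value_add.record_name` is renamed straight to `user.name`, whereas the od_attribute_set hunk keeps its `record_name` under `jamf_protect.telemetry.record_name`; the three od_attribute_* pipelines should map the record the same way so a rule can be written once for all of them. An Open Directory record can be a group as well as a user (this pipeline maps `group_name` too), so writing it unconditionally to `user.name` risks placing a group name in a user field; keeping `target_field: jamf_protect.telemetry.record_name` in all three, as od_attribute_set does, is the safer choice. The od_attribute_value_remove hunk has the same `user.name` mapping.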
@@ -0,0 +1,198 @@
+---
+description: Pipeline for parsing specific fields related to attribute value remove events in Jamf Protect
+processors:
+
+##########################
+## ECS Event Specific ##
+##########################
+ - set:
+ field: event.reason
+ value: Attribute removed from a user or group using Open Directory
+ - append:
+ field: event.type
+ value: deletion
+ - append:
+ field: event.category
+ value: configuration
+ - rename:
+ field: jamf_protect.telemetry.event.od_attribute_value_remove.group_name
+ target_field: group.name
+ ignore_missing: true
+ - rename:
+ field: jamf_protect.telemetry.event.od_attribute_value_remove.record_name
+ target_field: user.name
+ ignore_missing: true
+ - rename:
+ field: jamf_protect.telemetry.event.od_attribute_value_remove.db_path
+ target_field: file.path
+ ignore_missing: true
+ - convert:
+ field: jamf_protect.telemetry.event.od_attribute_value_remove.attribute_name
+ target_field: jamf_protect.telemetry.attribute_name
+ type: string
+ ignore_missing: true
+ - convert:
+ field: jamf_protect.telemetry.event.od_attribute_value_remove.attribute_value
+ target_field: jamf_protect.telemetry.attribute_value
+ type: string
+ ignore_missing: true
+##########################
+## ECS Process ##
+##########################
+ - rename:
+ field: jamf_protect.telemetry.event.od_attribute_value_remove.instigator.start_time
+ target_field: process.start
+ ignore_missing: true
+ - convert:
+ field: jamf_protect.telemetry.event.od_attribute_value_remove.instigator.audit_token.egid
+ target_field: jamf_protect.telemetry.event.od_attribute_value_remove.instigator.audit_token.egid
+ type: string
+ ignore_missing: true
+ - convert:
+ field: jamf_protect.telemetry.event.od_attribute_value_remove.instigator.audit_token.euid
+ target_field: jamf_protect.telemetry.event.od_attribute_value_remove.instigator.audit_token.euid
+ type: string
+ ignore_missing: true
+ - append:
+ field: user.effective.id
+ value:
'{{{jamf_protect.telemetry.event.od_attribute_value_remove.instigator.audit_token.euid}}}'
+ if: ctx.jamf_protect.telemetry?.event?.od_attribute_value_remove?.instigator?.audit_token?.euid != null
+ allow_duplicates: false
+ ignore_failure: true
+ - rename:
+ field: jamf_protect.telemetry.event.od_attribute_value_remove.instigator.is_platform_binary
+ target_field: jamf_protect.telemetry.platform_binary
+ ignore_missing: true
+ - rename:
+ field: jamf_protect.telemetry.event.od_attribute_value_remove.instigator.is_es_client
+ target_field: jamf_protect.telemetry.es_client
+ ignore_missing: true
+ - rename:
+ field: jamf_protect.telemetry.event.od_attribute_value_remove.instigator.cdhash
+ target_field: jamf_protect.telemetry.code_directory_hash
+ ignore_missing: true
+ - rename:
+ field: jamf_protect.telemetry.event.od_attribute_value_remove.instigator.executable.sha1
+ target_field: process.hash.sha1
+ ignore_missing: true
+ - rename:
+ field: jamf_protect.telemetry.event.od_attribute_value_remove.instigator.executable.sha256
+ target_field: process.hash.sha256
+ ignore_missing: true
+ - append:
+ field: related.hash
+ value: '{{{process.hash.sha1}}}'
+ if: ctx.process?.hash?.sha1 != null
+ allow_duplicates: false
+ - append:
+ field: related.hash
+ value: '{{{process.hash.sha256}}}'
+ if: ctx.process?.hash?.sha256 != null
+ allow_duplicates: false
+ - append:
+ field: related.hash
+ value: '{{{jamf_protect.telemetry.code_directory_hash}}}'
+ if: ctx.jamf_protect?.code_directory_hash != null
+ allow_duplicates: false
+ - rename:
+ field: jamf_protect.telemetry.event.od_attribute_value_remove.instigator.tty.path
+ target_field: jamf_protect.telemetry.tty
+ ignore_missing: true
+ - set:
+ field: process.interactive
+ value: true
+ if: ctx.jamf_protect.telemetry?.event?.od_attribute_value_remove?.instigator?.tty != null
+ - set:
+ field: process.interactive
+ value: false
+ if: ctx.jamf_protect.telemetry?.event?.od_attribute_value_remove?.instigator?.tty == null
+ -
convert:
+ field: jamf_protect.telemetry.event.od_attribute_value_remove.instigator.audit_token.pid
+ target_field: process.pid
+ type: long
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - rename:
+ field: jamf_protect.telemetry.event.od_attribute_value_remove.instigator.audit_token.uuid
+ target_field: process.entity_id
+ ignore_missing: true
+ - rename:
+ field: jamf_protect.telemetry.event.od_attribute_value_remove.instigator.executable.path
+ target_field: process.executable
+ ignore_missing: true
+ - rename:
+ field: jamf_protect.telemetry.thread.thread_id
+ target_field: process.thread.id
+ ignore_missing: true
+ - rename:
+ field: jamf_protect.telemetry.event.od_attribute_value_remove.db_path
+ target_field: process.working_directory
+ ignore_missing: true
+ if: ctx.jamf_protect?.telemetry?.event?.od_attribute_value_remove?.db_path != null
+ - rename:
+ field: jamf_protect.telemetry.event.od_attribute_value_remove.instigator.signing_id
+ target_field: process.code_signature.signing_id
+ ignore_missing: true
+ - rename:
+ field: jamf_protect.telemetry.event.od_attribute_value_remove.instigator.team_id
+ target_field: process.code_signature.team_id
+ ignore_missing: true
+
+##########################
+## ECS Parent Process ##
+##########################
+
+ - rename:
+ field: jamf_protect.telemetry.event.od_attribute_value_remove.instigator.parent_audit_token.uuid
+ target_field: process.parent.entity_id
+ ignore_missing: true
+ - rename:
+ field: jamf_protect.telemetry.event.od_attribute_value_remove.instigator.parent_audit_token.pid
+ target_field: process.parent.pid
+ ignore_missing: true
+ - convert:
+ field: jamf_protect.telemetry.event.od_attribute_value_remove.instigator.parent_audit_token.euid
+ target_field: process.parent.user.id
+ type: string
+ ignore_missing: true
+ - convert:
+ field: jamf_protect.telemetry.event.od_attribute_value_remove.instigator.parent_audit_token.ruid
+
target_field: process.parent.real_user.id
+ type: string
+ ignore_missing: true
+ - convert:
+ field: jamf_protect.telemetry.event.od_attribute_value_remove.instigator.parent_audit_token.rgid
+ target_field: process.parent.real_group.id
+ type: string
+ ignore_missing: true
+
+##########################
+## ECS Responsible Process ##
+##########################
+
+ - rename:
+ field: jamf_protect.telemetry.event.od_attribute_value_remove.instigator.responsible_audit_token.uuid
+ target_field: process.group_leader.entity_id
+ ignore_missing: true
+ - rename:
+ field: jamf_protect.telemetry.event.od_attribute_value_remove.instigator.responsible_audit_token.pid
+ target_field: process.group_leader.pid
+ ignore_missing: true
+ - convert:
+ field: jamf_protect.telemetry.event.od_attribute_value_remove.instigator.responsible_audit_token.euid
+ target_field: process.group_leader.user.id
+ type: string
+ ignore_missing: true
+ - convert:
+ field: jamf_protect.telemetry.event.od_attribute_value_remove.instigator.responsible_audit_token.ruid
+ target_field: process.group_leader.real_user.id
+ type: string
+ ignore_missing: true
+ - convert:
+ field: jamf_protect.telemetry.event.od_attribute_value_remove.instigator.responsible_audit_token.rgid
+ target_field: process.group_leader.real_group.id
+ type: string
+ ignore_missing: true
diff --git a/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_od_create_group.yml b/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_od_create_group.yml
new file mode 100644
index 00000000000..e74ae9ea0d5
--- /dev/null
+++ b/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_od_create_group.yml
@@ -0,0 +1,189 @@ +--- +description: Pipeline for parsing specific fields related to opendirectory group events in Jamf Protect +processors: + +########################## +## ECS Event Specific ## +########################## + - set: + field: event.reason + value: A group has been created using Open Directory + - append: + field: event.type + value: creation + - append: + field: event.category + value: configuration + - rename: + field: jamf_protect.telemetry.event.od_create_group.group_name + target_field: group.name + ignore_missing: true + - rename: + field: jamf_protect.telemetry.event.od_create_group.members.member_array + target_field: user.name + ignore_missing: true + - rename: + field: jamf_protect.telemetry.event.od_create_group.db_path + target_field: file.path + ignore_missing: true + +########################## +## ECS Process ## +########################## + - rename: + field: jamf_protect.telemetry.event.od_create_group.instigator.start_time + target_field: process.start + ignore_missing: true + - convert: + field: jamf_protect.telemetry.event.od_create_group.instigator.audit_token.egid + target_field: jamf_protect.telemetry.event.od_create_group.instigator.audit_token.egid + type: string + ignore_missing: true + - convert: + field: jamf_protect.telemetry.event.od_create_group.instigator.audit_token.euid + target_field: jamf_protect.telemetry.event.od_create_group.instigator.audit_token.euid + type: string + ignore_missing: true + - append: + field: user.effective.id + value: '{{{jamf_protect.telemetry.event.od_create_group.instigator.audit_token.euid}}}' + if: ctx.jamf_protect.telemetry?.event?.od_create_group?.instigator?.audit_token?.euid != null + allow_duplicates: false + ignore_failure: true + - rename: + field: jamf_protect.telemetry.event.od_create_group.instigator.is_platform_binary + target_field: jamf_protect.telemetry.platform_binary + ignore_missing: true + - rename: + field: 
jamf_protect.telemetry.event.od_create_group.instigator.is_es_client + target_field: jamf_protect.telemetry.es_client + ignore_missing: true + - rename: + field: jamf_protect.telemetry.event.od_create_group.instigator.cdhash + target_field: jamf_protect.telemetry.code_directory_hash + ignore_missing: true + - rename: + field: jamf_protect.telemetry.event.od_create_group.instigator.executable.sha1 + target_field: process.hash.sha1 + ignore_missing: true + - rename: + field: jamf_protect.telemetry.event.od_create_group.instigator.executable.sha256 + target_field: process.hash.sha256 + ignore_missing: true + - append: + field: related.hash + value: '{{{process.hash.sha1}}}' + if: ctx.process?.hash?.sha1 != null + allow_duplicates: false + - append: + field: related.hash + value: '{{{process.hash.sha256}}}' + if: ctx.process?.hash?.sha256 != null + allow_duplicates: false + - append: + field: related.hash + value: '{{{jamf_protect.telemetry.code_directory_hash}}}' + if: ctx.jamf_protect?.code_directory_hash != null + allow_duplicates: false + - rename: + field: jamf_protect.telemetry.event.od_create_group.instigator.tty.path + target_field: jamf_protect.telemetry.tty + ignore_missing: true + - set: + field: process.interactive + value: true + if: ctx.jamf_protect.telemetry?.event?.od_create_group?.instigator?.tty != null + - set: + field: process.interactive + value: false + if: ctx.jamf_protect.telemetry?.event?.od_create_group?.instigator?.tty == null + - convert: + field: jamf_protect.telemetry.event.od_create_group.instigator.audit_token.pid + target_field: process.pid + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - rename: + field: jamf_protect.telemetry.event.od_create_group.instigator.audit_token.uuid + target_field: process.entity_id + ignore_missing: true + - rename: + field: jamf_protect.telemetry.event.od_create_group.instigator.executable.path + target_field: 
process.executable + ignore_missing: true + - rename: + field: jamf_protect.telemetry.thread.thread_id + target_field: process.thread.id + ignore_missing: true + - rename: + field: jamf_protect.telemetry.event.od_create_group.db_path + target_field: process.working_directory + ignore_missing: true + if: ctx.jamf_protect?.telemetry?.event?.od_create_group?.db_path != null + - rename: + field: jamf_protect.telemetry.event.od_create_group.instigator.signing_id + target_field: process.code_signature.signing_id + ignore_missing: true + - rename: + field: jamf_protect.telemetry.event.od_create_group.instigator.team_id + target_field: process.code_signature.team_id + ignore_missing: true + +########################## +## ECS Parent Process ## +########################## + + - rename: + field: jamf_protect.telemetry.event.od_create_group.instigator.parent_audit_token.uuid + target_field: process.parent.entity_id + ignore_missing: true + - rename: + field: jamf_protect.telemetry.event.od_create_group.instigator.parent_audit_token.pid + target_field: process.parent.pid + ignore_missing: true + - convert: + field: jamf_protect.telemetry.event.od_create_group.instigator.parent_audit_token.euid + target_field: process.parent.user.id + type: string + ignore_missing: true + - convert: + field: jamf_protect.telemetry.event.od_create_group.instigator.parent_audit_token.ruid + target_field: process.parent.real_user.id + type: string + ignore_missing: true + - convert: + field: jamf_protect.telemetry.event.od_create_group.instigator.parent_audit_token.rgid + target_field: process.parent.real_group.id + type: string + ignore_missing: true + +########################## +## ECS Responsible Process ## +########################## + + - rename: + field: jamf_protect.telemetry.event.od_create_group.instigator.responsible_audit_token.uuid + target_field: process.group_leader.entity_id + ignore_missing: true + - rename: + field: 
jamf_protect.telemetry.event.od_create_group.instigator.responsible_audit_token.pid + target_field: process.group_leader.pid + ignore_missing: true + - convert: + field: jamf_protect.telemetry.event.od_create_group.instigator.responsible_audit_token.euid + target_field: process.group_leader.user.id + type: string + ignore_missing: true + - convert: + field: jamf_protect.telemetry.event.od_create_group.instigator.responsible_audit_token.ruid + target_field: process.group_leader.real_user.id + type: string + ignore_missing: true + - convert: + field: jamf_protect.telemetry.event.od_create_group.instigator.responsible_audit_token.rgid + target_field: process.group_leader.real_group.id + type: string + ignore_missing: true diff --git a/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_od_create_user.yml b/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_od_create_user.yml new file mode 100644 index 00000000000..589e75419a6 --- /dev/null +++ b/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_od_create_user.yml 
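Review bot: The third `related.hash` append in the ECS Process section never fires: its condition tests `ctx.jamf_protect?.code_directory_hash`, but the cdhash was renamed to `jamf_protect.telemetry.code_directory_hash` a few processors earlier (and that is the path the value template reads), so the code directory hash is silently never added to `related.hash`; the guard should be `if: ctx.jamf_protect?.telemetry?.code_directory_hash != null`. The later rename of `od_create_group.db_path` to `process.working_directory` is likewise dead, because the same field was already renamed to `file.path` in the ECS Event Specific section, so its `if` is always false; either drop that processor or, if `process.working_directory` is really wanted, populate it with a `set` using `copy_from: file.path` — though a directory-service database path is arguably not a working directory. Both issues are repeated verbatim in the od_create_user, od_delete_group, od_delete_user, od_disable_user and od_enable_user pipelines in this patch.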
@@ -0,0 +1,189 @@ +--- +description: Pipeline for parsing specific fields related to opendirectory user events in Jamf Protect +processors: + +########################## +## ECS Event Specific ## +########################## + - set: + field: event.reason + value: A user has been created using Open Directory + - append: + field: event.type + value: creation + - append: + field: event.category + value: configuration + - rename: + field: jamf_protect.telemetry.event.od_create_user.group_name + target_field: group.name + ignore_missing: true + - rename: + field: jamf_protect.telemetry.event.od_create_user.user_name + target_field: user.name + ignore_missing: true + - rename: + field: jamf_protect.telemetry.event.od_create_user.db_path + target_field: file.path + ignore_missing: true + +########################## +## ECS Process ## +########################## + - rename: + field: jamf_protect.telemetry.event.od_create_user.instigator.start_time + target_field: process.start + ignore_missing: true + - convert: + field: jamf_protect.telemetry.event.od_create_user.instigator.audit_token.egid + target_field: jamf_protect.telemetry.event.od_create_user.instigator.audit_token.egid + type: string + ignore_missing: true + - convert: + field: jamf_protect.telemetry.event.od_create_user.instigator.audit_token.euid + target_field: jamf_protect.telemetry.event.od_create_user.instigator.audit_token.euid + type: string + ignore_missing: true + - append: + field: user.effective.id + value: '{{{jamf_protect.telemetry.event.od_create_user.instigator.audit_token.euid}}}' + if: ctx.jamf_protect.telemetry?.event?.od_create_user?.instigator?.audit_token?.euid != null + allow_duplicates: false + ignore_failure: true + - rename: + field: jamf_protect.telemetry.event.od_create_user.instigator.is_platform_binary + target_field: jamf_protect.telemetry.platform_binary + ignore_missing: true + - rename: + field: jamf_protect.telemetry.event.od_create_user.instigator.is_es_client + target_field: 
jamf_protect.telemetry.es_client + ignore_missing: true + - rename: + field: jamf_protect.telemetry.event.od_create_user.instigator.cdhash + target_field: jamf_protect.telemetry.code_directory_hash + ignore_missing: true + - rename: + field: jamf_protect.telemetry.event.od_create_user.instigator.executable.sha1 + target_field: process.hash.sha1 + ignore_missing: true + - rename: + field: jamf_protect.telemetry.event.od_create_user.instigator.executable.sha256 + target_field: process.hash.sha256 + ignore_missing: true + - append: + field: related.hash + value: '{{{process.hash.sha1}}}' + if: ctx.process?.hash?.sha1 != null + allow_duplicates: false + - append: + field: related.hash + value: '{{{process.hash.sha256}}}' + if: ctx.process?.hash?.sha256 != null + allow_duplicates: false + - append: + field: related.hash + value: '{{{jamf_protect.telemetry.code_directory_hash}}}' + if: ctx.jamf_protect?.code_directory_hash != null + allow_duplicates: false + - rename: + field: jamf_protect.telemetry.event.od_create_user.instigator.tty.path + target_field: jamf_protect.telemetry.tty + ignore_missing: true + - set: + field: process.interactive + value: true + if: ctx.jamf_protect.telemetry?.event?.od_create_user?.instigator?.tty != null + - set: + field: process.interactive + value: false + if: ctx.jamf_protect.telemetry?.event?.od_create_user?.instigator?.tty == null + - convert: + field: jamf_protect.telemetry.event.od_create_user.instigator.audit_token.pid + target_field: process.pid + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - rename: + field: jamf_protect.telemetry.event.od_create_user.instigator.audit_token.uuid + target_field: process.entity_id + ignore_missing: true + - rename: + field: jamf_protect.telemetry.event.od_create_user.instigator.executable.path + target_field: process.executable + ignore_missing: true + - rename: + field: jamf_protect.telemetry.thread.thread_id + 
target_field: process.thread.id + ignore_missing: true + - rename: + field: jamf_protect.telemetry.event.od_create_user.db_path + target_field: process.working_directory + ignore_missing: true + if: ctx.jamf_protect?.telemetry?.event?.od_create_user?.db_path != null + - rename: + field: jamf_protect.telemetry.event.od_create_user.instigator.signing_id + target_field: process.code_signature.signing_id + ignore_missing: true + - rename: + field: jamf_protect.telemetry.event.od_create_user.instigator.team_id + target_field: process.code_signature.team_id + ignore_missing: true + +########################## +## ECS Parent Process ## +########################## + + - rename: + field: jamf_protect.telemetry.event.od_create_user.instigator.parent_audit_token.uuid + target_field: process.parent.entity_id + ignore_missing: true + - rename: + field: jamf_protect.telemetry.event.od_create_user.instigator.parent_audit_token.pid + target_field: process.parent.pid + ignore_missing: true + - convert: + field: jamf_protect.telemetry.event.od_create_user.instigator.parent_audit_token.euid + target_field: process.parent.user.id + type: string + ignore_missing: true + - convert: + field: jamf_protect.telemetry.event.od_create_user.instigator.parent_audit_token.ruid + target_field: process.parent.real_user.id + type: string + ignore_missing: true + - convert: + field: jamf_protect.telemetry.event.od_create_user.instigator.parent_audit_token.rgid + target_field: process.parent.real_group.id + type: string + ignore_missing: true + +########################## +## ECS Responsible Process ## +########################## + + - rename: + field: jamf_protect.telemetry.event.od_create_user.instigator.responsible_audit_token.uuid + target_field: process.group_leader.entity_id + ignore_missing: true + - rename: + field: jamf_protect.telemetry.event.od_create_user.instigator.responsible_audit_token.pid + target_field: process.group_leader.pid + ignore_missing: true + - convert: + field: 
jamf_protect.telemetry.event.od_create_user.instigator.responsible_audit_token.euid + target_field: process.group_leader.user.id + type: string + ignore_missing: true + - convert: + field: jamf_protect.telemetry.event.od_create_user.instigator.responsible_audit_token.ruid + target_field: process.group_leader.real_user.id + type: string + ignore_missing: true + - convert: + field: jamf_protect.telemetry.event.od_create_user.instigator.responsible_audit_token.rgid + target_field: process.group_leader.real_group.id + type: string + ignore_missing: true diff --git a/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_od_delete_group.yml b/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_od_delete_group.yml new file mode 100644 index 00000000000..38cb68dcb78 --- /dev/null +++ b/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_od_delete_group.yml 
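Review bot: The two `process.interactive` `set` processors test `ctx.jamf_protect.telemetry?.event?.od_create_user?.instigator?.tty != null`, but `instigator.tty.path` has just been renamed away to `jamf_protect.telemetry.tty`; whether `instigator.tty` survives as an empty object after that rename is an implementation detail of the rename processor, so the check is fragile and should test the field the pipeline owns at that point, `if: ctx.jamf_protect?.telemetry?.tty != null` (and `== null` for the false case). `user.name` and `group.name` are populated here but nothing appends them to `related.user`, which is what the existing `related.hash` appends do for hashes and what detection content pivots on; an `append` on `related.user` from `user.name`, guarded by `ctx.user?.name != null` with `allow_duplicates: false`, would close that gap. The same two points apply to the od_create_group, od_delete_group, od_delete_user, od_disable_user and od_enable_user pipelines.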
@@ -0,0 +1,189 @@ +--- +description: Pipeline for parsing specific fields related to opendirectory group delete events in Jamf Protect +processors: + +########################## +## ECS Event Specific ## +########################## + - set: + field: event.reason + value: A group has been deleted using Open Directory + - append: + field: event.type + value: deletion + - append: + field: event.category + value: configuration + - rename: + field: jamf_protect.telemetry.event.od_delete_group.group_name + target_field: group.name + ignore_missing: true + - rename: + field: jamf_protect.telemetry.event.od_delete_group.members.member_array + target_field: user.name + ignore_missing: true + - rename: + field: jamf_protect.telemetry.event.od_delete_group.db_path + target_field: file.path + ignore_missing: true + +########################## +## ECS Process ## +########################## + - rename: + field: jamf_protect.telemetry.event.od_delete_group.instigator.start_time + target_field: process.start + ignore_missing: true + - convert: + field: jamf_protect.telemetry.event.od_delete_group.instigator.audit_token.egid + target_field: jamf_protect.telemetry.event.od_delete_group.instigator.audit_token.egid + type: string + ignore_missing: true + - convert: + field: jamf_protect.telemetry.event.od_delete_group.instigator.audit_token.euid + target_field: jamf_protect.telemetry.event.od_delete_group.instigator.audit_token.euid + type: string + ignore_missing: true + - append: + field: user.effective.id + value: '{{{jamf_protect.telemetry.event.od_delete_group.instigator.audit_token.euid}}}' + if: ctx.jamf_protect.telemetry?.event?.od_delete_group?.instigator?.audit_token?.euid != null + allow_duplicates: false + ignore_failure: true + - rename: + field: jamf_protect.telemetry.event.od_delete_group.instigator.is_platform_binary + target_field: jamf_protect.telemetry.platform_binary + ignore_missing: true + - rename: + field: 
jamf_protect.telemetry.event.od_delete_group.instigator.is_es_client + target_field: jamf_protect.telemetry.es_client + ignore_missing: true + - rename: + field: jamf_protect.telemetry.event.od_delete_group.instigator.cdhash + target_field: jamf_protect.telemetry.code_directory_hash + ignore_missing: true + - rename: + field: jamf_protect.telemetry.event.od_delete_group.instigator.executable.sha1 + target_field: process.hash.sha1 + ignore_missing: true + - rename: + field: jamf_protect.telemetry.event.od_delete_group.instigator.executable.sha256 + target_field: process.hash.sha256 + ignore_missing: true + - append: + field: related.hash + value: '{{{process.hash.sha1}}}' + if: ctx.process?.hash?.sha1 != null + allow_duplicates: false + - append: + field: related.hash + value: '{{{process.hash.sha256}}}' + if: ctx.process?.hash?.sha256 != null + allow_duplicates: false + - append: + field: related.hash + value: '{{{jamf_protect.telemetry.code_directory_hash}}}' + if: ctx.jamf_protect?.code_directory_hash != null + allow_duplicates: false + - rename: + field: jamf_protect.telemetry.event.od_delete_group.instigator.tty.path + target_field: jamf_protect.telemetry.tty + ignore_missing: true + - set: + field: process.interactive + value: true + if: ctx.jamf_protect.telemetry?.event?.od_delete_group?.instigator?.tty != null + - set: + field: process.interactive + value: false + if: ctx.jamf_protect.telemetry?.event?.od_delete_group?.instigator?.tty == null + - convert: + field: jamf_protect.telemetry.event.od_delete_group.instigator.audit_token.pid + target_field: process.pid + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - rename: + field: jamf_protect.telemetry.event.od_delete_group.instigator.audit_token.uuid + target_field: process.entity_id + ignore_missing: true + - rename: + field: jamf_protect.telemetry.event.od_delete_group.instigator.executable.path + target_field: 
process.executable + ignore_missing: true + - rename: + field: jamf_protect.telemetry.thread.thread_id + target_field: process.thread.id + ignore_missing: true + - rename: + field: jamf_protect.telemetry.event.od_delete_group.db_path + target_field: process.working_directory + ignore_missing: true + if: ctx.jamf_protect?.telemetry?.event?.od_delete_group?.db_path != null + - rename: + field: jamf_protect.telemetry.event.od_delete_group.instigator.signing_id + target_field: process.code_signature.signing_id + ignore_missing: true + - rename: + field: jamf_protect.telemetry.event.od_delete_group.instigator.team_id + target_field: process.code_signature.team_id + ignore_missing: true + +########################## +## ECS Parent Process ## +########################## + + - rename: + field: jamf_protect.telemetry.event.od_delete_group.instigator.parent_audit_token.uuid + target_field: process.parent.entity_id + ignore_missing: true + - rename: + field: jamf_protect.telemetry.event.od_delete_group.instigator.parent_audit_token.pid + target_field: process.parent.pid + ignore_missing: true + - convert: + field: jamf_protect.telemetry.event.od_delete_group.instigator.parent_audit_token.euid + target_field: process.parent.user.id + type: string + ignore_missing: true + - convert: + field: jamf_protect.telemetry.event.od_delete_group.instigator.parent_audit_token.ruid + target_field: process.parent.real_user.id + type: string + ignore_missing: true + - convert: + field: jamf_protect.telemetry.event.od_delete_group.instigator.parent_audit_token.rgid + target_field: process.parent.real_group.id + type: string + ignore_missing: true + +########################## +## ECS Responsible Process ## +########################## + + - rename: + field: jamf_protect.telemetry.event.od_delete_group.instigator.responsible_audit_token.uuid + target_field: process.group_leader.entity_id + ignore_missing: true + - rename: + field: 
jamf_protect.telemetry.event.od_delete_group.instigator.responsible_audit_token.pid + target_field: process.group_leader.pid + ignore_missing: true + - convert: + field: jamf_protect.telemetry.event.od_delete_group.instigator.responsible_audit_token.euid + target_field: process.group_leader.user.id + type: string + ignore_missing: true + - convert: + field: jamf_protect.telemetry.event.od_delete_group.instigator.responsible_audit_token.ruid + target_field: process.group_leader.real_user.id + type: string + ignore_missing: true + - convert: + field: jamf_protect.telemetry.event.od_delete_group.instigator.responsible_audit_token.rgid + target_field: process.group_leader.real_group.id + type: string + ignore_missing: true diff --git a/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_od_delete_user.yml b/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_od_delete_user.yml new file mode 100644 index 00000000000..833cf93e692 --- /dev/null +++ b/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_od_delete_user.yml 
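Review bot: Several Painless conditions in this pipeline start with `ctx.jamf_protect.telemetry?.` — the `user.effective.id` append and both `process.interactive` sets — so the first segment is not null-safe while the rest is; a document reaching this sub-pipeline without a `jamf_protect` object would make those processors throw rather than skip (the `append` has `ignore_failure: true`, the two `set`s do not). The `related.hash` and `working_directory` guards in the same file already use the fully null-safe form, so the fix is to write these the same way, e.g. `if: ctx.jamf_protect?.telemetry?.event?.od_delete_group?.instigator?.audit_token?.euid != null`. Whether such documents can actually arrive here depends on the parent pipeline's routing, which is outside this hunk; the same inconsistency is present in the other od_* pipelines in this patch.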
@@ -0,0 +1,189 @@ +--- +description: Pipeline for parsing specific fields related to opendirectory user delete events in Jamf Protect +processors: + +########################## +## ECS Event Specific ## +########################## + - set: + field: event.reason + value: A user has been deleted using Open Directory + - append: + field: event.type + value: creation + - append: + field: event.category + value: configuration + - rename: + field: jamf_protect.telemetry.event.od_delete_user.group_name + target_field: group.name + ignore_missing: true + - rename: + field: jamf_protect.telemetry.event.od_delete_user.user_name + target_field: user.name + ignore_missing: true + - rename: + field: jamf_protect.telemetry.event.od_delete_user.db_path + target_field: file.path + ignore_missing: true + +########################## +## ECS Process ## +########################## + - rename: + field: jamf_protect.telemetry.event.od_delete_user.instigator.start_time + target_field: process.start + ignore_missing: true + - convert: + field: jamf_protect.telemetry.event.od_delete_user.instigator.audit_token.egid + target_field: jamf_protect.telemetry.event.od_delete_user.instigator.audit_token.egid + type: string + ignore_missing: true + - convert: + field: jamf_protect.telemetry.event.od_delete_user.instigator.audit_token.euid + target_field: jamf_protect.telemetry.event.od_delete_user.instigator.audit_token.euid + type: string + ignore_missing: true + - append: + field: user.effective.id + value: '{{{jamf_protect.telemetry.event.od_delete_user.instigator.audit_token.euid}}}' + if: ctx.jamf_protect.telemetry?.event?.od_delete_user?.instigator?.audit_token?.euid != null + allow_duplicates: false + ignore_failure: true + - rename: + field: jamf_protect.telemetry.event.od_delete_user.instigator.is_platform_binary + target_field: jamf_protect.telemetry.platform_binary + ignore_missing: true + - rename: + field: jamf_protect.telemetry.event.od_delete_user.instigator.is_es_client + 
target_field: jamf_protect.telemetry.es_client + ignore_missing: true + - rename: + field: jamf_protect.telemetry.event.od_delete_user.instigator.cdhash + target_field: jamf_protect.telemetry.code_directory_hash + ignore_missing: true + - rename: + field: jamf_protect.telemetry.event.od_delete_user.instigator.executable.sha1 + target_field: process.hash.sha1 + ignore_missing: true + - rename: + field: jamf_protect.telemetry.event.od_delete_user.instigator.executable.sha256 + target_field: process.hash.sha256 + ignore_missing: true + - append: + field: related.hash + value: '{{{process.hash.sha1}}}' + if: ctx.process?.hash?.sha1 != null + allow_duplicates: false + - append: + field: related.hash + value: '{{{process.hash.sha256}}}' + if: ctx.process?.hash?.sha256 != null + allow_duplicates: false + - append: + field: related.hash + value: '{{{jamf_protect.telemetry.code_directory_hash}}}' + if: ctx.jamf_protect?.code_directory_hash != null + allow_duplicates: false + - rename: + field: jamf_protect.telemetry.event.od_delete_user.instigator.tty.path + target_field: jamf_protect.telemetry.tty + ignore_missing: true + - set: + field: process.interactive + value: true + if: ctx.jamf_protect.telemetry?.event?.od_delete_user?.instigator?.tty != null + - set: + field: process.interactive + value: false + if: ctx.jamf_protect.telemetry?.event?.od_delete_user?.instigator?.tty == null + - convert: + field: jamf_protect.telemetry.event.od_delete_user.instigator.audit_token.pid + target_field: process.pid + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - rename: + field: jamf_protect.telemetry.event.od_delete_user.instigator.audit_token.uuid + target_field: process.entity_id + ignore_missing: true + - rename: + field: jamf_protect.telemetry.event.od_delete_user.instigator.executable.path + target_field: process.executable + ignore_missing: true + - rename: + field: 
jamf_protect.telemetry.thread.thread_id + target_field: process.thread.id + ignore_missing: true + - rename: + field: jamf_protect.telemetry.event.od_delete_user.db_path + target_field: process.working_directory + ignore_missing: true + if: ctx.jamf_protect?.telemetry?.event?.od_delete_user?.db_path != null + - rename: + field: jamf_protect.telemetry.event.od_delete_user.instigator.signing_id + target_field: process.code_signature.signing_id + ignore_missing: true + - rename: + field: jamf_protect.telemetry.event.od_delete_user.instigator.team_id + target_field: process.code_signature.team_id + ignore_missing: true + +########################## +## ECS Parent Process ## +########################## + + - rename: + field: jamf_protect.telemetry.event.od_delete_user.instigator.parent_audit_token.uuid + target_field: process.parent.entity_id + ignore_missing: true + - rename: + field: jamf_protect.telemetry.event.od_delete_user.instigator.parent_audit_token.pid + target_field: process.parent.pid + ignore_missing: true + - convert: + field: jamf_protect.telemetry.event.od_delete_user.instigator.parent_audit_token.euid + target_field: process.parent.user.id + type: string + ignore_missing: true + - convert: + field: jamf_protect.telemetry.event.od_delete_user.instigator.parent_audit_token.ruid + target_field: process.parent.real_user.id + type: string + ignore_missing: true + - convert: + field: jamf_protect.telemetry.event.od_delete_user.instigator.parent_audit_token.rgid + target_field: process.parent.real_group.id + type: string + ignore_missing: true + +########################## +## ECS Responsible Process ## +########################## + + - rename: + field: jamf_protect.telemetry.event.od_delete_user.instigator.responsible_audit_token.uuid + target_field: process.group_leader.entity_id + ignore_missing: true + - rename: + field: jamf_protect.telemetry.event.od_delete_user.instigator.responsible_audit_token.pid + target_field: process.group_leader.pid + 
ignore_missing: true + - convert: + field: jamf_protect.telemetry.event.od_delete_user.instigator.responsible_audit_token.euid + target_field: process.group_leader.user.id + type: string + ignore_missing: true + - convert: + field: jamf_protect.telemetry.event.od_delete_user.instigator.responsible_audit_token.ruid + target_field: process.group_leader.real_user.id + type: string + ignore_missing: true + - convert: + field: jamf_protect.telemetry.event.od_delete_user.instigator.responsible_audit_token.rgid + target_field: process.group_leader.real_group.id + type: string + ignore_missing: true diff --git a/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_od_disable_user.yml b/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_od_disable_user.yml new file mode 100644 index 00000000000..bfe2c18a7fc --- /dev/null +++ b/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_od_disable_user.yml 
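Review bot: `event.type` is appended as `creation` for an event whose `event.reason` is `A user has been deleted using Open Directory`; the sibling od_delete_group pipeline in this patch uses `deletion`, and any rule matching user removal on `event.type:deletion` would miss these documents. Change the append to `value: deletion`. If the telemetry data stream's pipeline test fixtures cover this event, the expected output will need the same correction; those files are not in this hunk.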
@@ -0,0 +1,189 @@ +--- +description: Pipeline for parsing specific fields related to opendirectory disable user events in Jamf Protect +processors: + +########################## +## ECS Event Specific ## +########################## + - set: + field: event.reason + value: A user has been disabled using Open Directory + - append: + field: event.type + value: change + - append: + field: event.category + value: configuration + - rename: + field: jamf_protect.telemetry.event.od_disable_user.group_name + target_field: group.name + ignore_missing: true + - rename: + field: jamf_protect.telemetry.event.od_disable_user.user_name + target_field: user.name + ignore_missing: true + - rename: + field: jamf_protect.telemetry.event.od_disable_user.db_path + target_field: file.path + ignore_missing: true + +########################## +## ECS Process ## +########################## + - rename: + field: jamf_protect.telemetry.event.od_disable_user.instigator.start_time + target_field: process.start + ignore_missing: true + - convert: + field: jamf_protect.telemetry.event.od_disable_user.instigator.audit_token.egid + target_field: jamf_protect.telemetry.event.od_disable_user.instigator.audit_token.egid + type: string + ignore_missing: true + - convert: + field: jamf_protect.telemetry.event.od_disable_user.instigator.audit_token.euid + target_field: jamf_protect.telemetry.event.od_disable_user.instigator.audit_token.euid + type: string + ignore_missing: true + - append: + field: user.effective.id + value: '{{{jamf_protect.telemetry.event.od_disable_user.instigator.audit_token.euid}}}' + if: ctx.jamf_protect.telemetry?.event?.od_disable_user?.instigator?.audit_token?.euid != null + allow_duplicates: false + ignore_failure: true + - rename: + field: jamf_protect.telemetry.event.od_disable_user.instigator.is_platform_binary + target_field: jamf_protect.telemetry.platform_binary + ignore_missing: true + - rename: + field: jamf_protect.telemetry.event.od_disable_user.instigator.is_es_client 
+ target_field: jamf_protect.telemetry.es_client + ignore_missing: true + - rename: + field: jamf_protect.telemetry.event.od_disable_user.instigator.cdhash + target_field: jamf_protect.telemetry.code_directory_hash + ignore_missing: true + - rename: + field: jamf_protect.telemetry.event.od_disable_user.instigator.executable.sha1 + target_field: process.hash.sha1 + ignore_missing: true + - rename: + field: jamf_protect.telemetry.event.od_disable_user.instigator.executable.sha256 + target_field: process.hash.sha256 + ignore_missing: true + - append: + field: related.hash + value: '{{{process.hash.sha1}}}' + if: ctx.process?.hash?.sha1 != null + allow_duplicates: false + - append: + field: related.hash + value: '{{{process.hash.sha256}}}' + if: ctx.process?.hash?.sha256 != null + allow_duplicates: false + - append: + field: related.hash + value: '{{{jamf_protect.telemetry.code_directory_hash}}}' + if: ctx.jamf_protect?.code_directory_hash != null + allow_duplicates: false + - rename: + field: jamf_protect.telemetry.event.od_disable_user.instigator.tty.path + target_field: jamf_protect.telemetry.tty + ignore_missing: true + - set: + field: process.interactive + value: true + if: ctx.jamf_protect.telemetry?.event?.od_disable_user?.instigator?.tty != null + - set: + field: process.interactive + value: false + if: ctx.jamf_protect.telemetry?.event?.od_disable_user?.instigator?.tty == null + - convert: + field: jamf_protect.telemetry.event.od_disable_user.instigator.audit_token.pid + target_field: process.pid + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - rename: + field: jamf_protect.telemetry.event.od_disable_user.instigator.audit_token.uuid + target_field: process.entity_id + ignore_missing: true + - rename: + field: jamf_protect.telemetry.event.od_disable_user.instigator.executable.path + target_field: process.executable + ignore_missing: true + - rename: + field: 
jamf_protect.telemetry.thread.thread_id + target_field: process.thread.id + ignore_missing: true + - rename: + field: jamf_protect.telemetry.event.od_disable_user.db_path + target_field: process.working_directory + ignore_missing: true + if: ctx.jamf_protect?.telemetry?.event?.od_disable_user?.db_path != null + - rename: + field: jamf_protect.telemetry.event.od_disable_user.instigator.signing_id + target_field: process.code_signature.signing_id + ignore_missing: true + - rename: + field: jamf_protect.telemetry.event.od_disable_user.instigator.team_id + target_field: process.code_signature.team_id + ignore_missing: true + +########################## +## ECS Parent Process ## +########################## + + - rename: + field: jamf_protect.telemetry.event.od_disable_user.instigator.parent_audit_token.uuid + target_field: process.parent.entity_id + ignore_missing: true + - rename: + field: jamf_protect.telemetry.event.od_disable_user.instigator.parent_audit_token.pid + target_field: process.parent.pid + ignore_missing: true + - convert: + field: jamf_protect.telemetry.event.od_disable_user.instigator.parent_audit_token.euid + target_field: process.parent.user.id + type: string + ignore_missing: true + - convert: + field: jamf_protect.telemetry.event.od_disable_user.instigator.parent_audit_token.ruid + target_field: process.parent.real_user.id + type: string + ignore_missing: true + - convert: + field: jamf_protect.telemetry.event.od_disable_user.instigator.parent_audit_token.rgid + target_field: process.parent.real_group.id + type: string + ignore_missing: true + +########################## +## ECS Responsible Process ## +########################## + + - rename: + field: jamf_protect.telemetry.event.od_disable_user.instigator.responsible_audit_token.uuid + target_field: process.group_leader.entity_id + ignore_missing: true + - rename: + field: jamf_protect.telemetry.event.od_disable_user.instigator.responsible_audit_token.pid + target_field: process.group_leader.pid + 
ignore_missing: true + - convert: + field: jamf_protect.telemetry.event.od_disable_user.instigator.responsible_audit_token.euid + target_field: process.group_leader.user.id + type: string + ignore_missing: true + - convert: + field: jamf_protect.telemetry.event.od_disable_user.instigator.responsible_audit_token.ruid + target_field: process.group_leader.real_user.id + type: string + ignore_missing: true + - convert: + field: jamf_protect.telemetry.event.od_disable_user.instigator.responsible_audit_token.rgid + target_field: process.group_leader.real_group.id + type: string + ignore_missing: true diff --git a/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_od_enable_user.yml b/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_od_enable_user.yml new file mode 100644 index 00000000000..f85b3013e8a --- /dev/null +++ b/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_od_enable_user.yml 
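Review bot: The pipeline classifies a user-account disable as `event.category: configuration`, whereas ECS reserves `iam` for user and group lifecycle events (with `event.type` values such as `user`, `group`, `change`, `creation`, `deletion`), and that is what account-management detection content keys on; consider `value: iam` for the category and appending `user` as a second `event.type` alongside `change`. This is a schema-fidelity suggestion rather than a defect, and the same choice is made in the od_create_group, od_create_user, od_delete_group, od_delete_user and od_enable_user pipelines, so it should be changed consistently or not at all.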
@@ -0,0 +1,189 @@
+---
+description: Pipeline for parsing specific fields related to opendirectory enable user events in Jamf Protect
+processors:
+
+##########################
+## ECS Event Specific ##
+##########################
+ - set:
+ field: event.reason
+ value: A user has been enabled using Open Directory
+ - append:
+ field: event.type
+ value: change
+ - append:
+ field: event.category
+ value: configuration
+ - rename:
+ field: jamf_protect.telemetry.event.od_enable_user.group_name
+ target_field: group.name
+ ignore_missing: true
+ - rename:
+ field: jamf_protect.telemetry.event.od_enable_user.user_name
+ target_field: user.name
+ ignore_missing: true
+ - rename:
+ field: jamf_protect.telemetry.event.od_enable_user.db_path
+ target_field: file.path
+ ignore_missing: true
+
+##########################
+## ECS Process ##
+##########################
+ - rename:
+ field: jamf_protect.telemetry.event.od_enable_user.instigator.start_time
+ target_field: process.start
+ ignore_missing: true
+ - convert:
+ field: jamf_protect.telemetry.event.od_enable_user.instigator.audit_token.egid
+ target_field: jamf_protect.telemetry.event.od_enable_user.instigator.audit_token.egid
+ type: string
+ ignore_missing: true
+ - convert:
+ field: jamf_protect.telemetry.event.od_enable_user.instigator.audit_token.euid
+ target_field: jamf_protect.telemetry.event.od_enable_user.instigator.audit_token.euid
+ type: string
+ ignore_missing: true
+ - append:
+ field: user.effective.id
+ value: '{{{jamf_protect.telemetry.event.od_enable_user.instigator.audit_token.euid}}}'
+ if: ctx.jamf_protect.telemetry?.event?.od_enable_user?.instigator?.audit_token?.euid != null
+ allow_duplicates: false
+ ignore_failure: true
+ - rename:
+ field: jamf_protect.telemetry.event.od_enable_user.instigator.is_platform_binary
+ target_field: jamf_protect.telemetry.platform_binary
+ ignore_missing: true
+ - rename:
+ field: jamf_protect.telemetry.event.od_enable_user.instigator.is_es_client
+ target_field: jamf_protect.telemetry.es_client
+ ignore_missing: true
+ - rename:
+ field: jamf_protect.telemetry.event.od_enable_user.instigator.cdhash
+ target_field: jamf_protect.telemetry.code_directory_hash
+ ignore_missing: true
+ - rename:
+ field: jamf_protect.telemetry.event.od_enable_user.instigator.executable.sha1
+ target_field: process.hash.sha1
+ ignore_missing: true
+ - rename:
+ field: jamf_protect.telemetry.event.od_enable_user.instigator.executable.sha256
+ target_field: process.hash.sha256
+ ignore_missing: true
+ - append:
+ field: related.hash
+ value: '{{{process.hash.sha1}}}'
+ if: ctx.process?.hash?.sha1 != null
+ allow_duplicates: false
+ - append:
+ field: related.hash
+ value: '{{{process.hash.sha256}}}'
+ if: ctx.process?.hash?.sha256 != null
+ allow_duplicates: false
+ - append:
+ field: related.hash
+ value: '{{{jamf_protect.telemetry.code_directory_hash}}}'
+ if: ctx.jamf_protect?.code_directory_hash != null
+ allow_duplicates: false
+ - rename:
+ field: jamf_protect.telemetry.event.od_enable_user.instigator.tty.path
+ target_field: jamf_protect.telemetry.tty
+ ignore_missing: true
+ - set:
+ field: process.interactive
+ value: true
+ if: ctx.jamf_protect.telemetry?.event?.od_enable_user?.instigator?.tty != null
+ - set:
+ field: process.interactive
+ value: false
+ if: ctx.jamf_protect.telemetry?.event?.od_enable_user?.instigator?.tty == null
+ - convert:
+ field: jamf_protect.telemetry.event.od_enable_user.instigator.audit_token.pid
+ target_field: process.pid
+ type: long
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - rename:
+ field: jamf_protect.telemetry.event.od_enable_user.instigator.audit_token.uuid
+ target_field: process.entity_id
+ ignore_missing: true
+ - rename:
+ field: jamf_protect.telemetry.event.od_enable_user.instigator.executable.path
+ target_field: process.executable
+ ignore_missing: true
+ - rename:
+ field: jamf_protect.telemetry.thread.thread_id
+ target_field: process.thread.id
+ ignore_missing: true
+ - rename:
+ field: jamf_protect.telemetry.event.od_enable_user.db_path
+ target_field: process.working_directory
+ ignore_missing: true
+ if: ctx.jamf_protect?.telemetry?.event?.od_enable_user?.db_path != null
+ - rename:
+ field: jamf_protect.telemetry.event.od_enable_user.instigator.signing_id
+ target_field: process.code_signature.signing_id
+ ignore_missing: true
+ - rename:
+ field: jamf_protect.telemetry.event.od_enable_user.instigator.team_id
+ target_field: process.code_signature.team_id
+ ignore_missing: true
+
+##########################
+## ECS Parent Process ##
+##########################
+
+ - rename:
+ field: jamf_protect.telemetry.event.od_enable_user.instigator.parent_audit_token.uuid
+ target_field: process.parent.entity_id
+ ignore_missing: true
+ - rename:
+ field: jamf_protect.telemetry.event.od_enable_user.instigator.parent_audit_token.pid
+ target_field: process.parent.pid
+ ignore_missing: true
+ - convert:
+ field: jamf_protect.telemetry.event.od_enable_user.instigator.parent_audit_token.euid
+ target_field: process.parent.user.id
+ type: string
+ ignore_missing: true
+ - convert:
+ field: jamf_protect.telemetry.event.od_enable_user.instigator.parent_audit_token.ruid
+ target_field: process.parent.real_user.id
+ type: string
+ ignore_missing: true
+ - convert:
+ field: jamf_protect.telemetry.event.od_enable_user.instigator.parent_audit_token.rgid
+ target_field: process.parent.real_group.id
+ type: string
+ ignore_missing: true
+
+##########################
+## ECS Responsible Process ##
+##########################
+
+ - rename:
+ field: jamf_protect.telemetry.event.od_enable_user.instigator.responsible_audit_token.uuid
+ target_field: process.group_leader.entity_id
+ ignore_missing: true
+ - rename:
+ field: jamf_protect.telemetry.event.od_enable_user.instigator.responsible_audit_token.pid
+ target_field: process.group_leader.pid
+ ignore_missing: true
+ - convert:
+ field: jamf_protect.telemetry.event.od_enable_user.instigator.responsible_audit_token.euid
+ target_field: process.group_leader.user.id
+ type: string
+ ignore_missing: true
+ - convert:
+ field: jamf_protect.telemetry.event.od_enable_user.instigator.responsible_audit_token.ruid
+ target_field: process.group_leader.real_user.id
+ type: string
+ ignore_missing: true
+ - convert:
+ field: jamf_protect.telemetry.event.od_enable_user.instigator.responsible_audit_token.rgid
+ target_field: process.group_leader.real_group.id
+ type: string
+ ignore_missing: true
diff --git a/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_od_group_add.yml b/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_od_group_add.yml
new file mode 100644
index 00000000000..74e88a886fd
--- /dev/null
+++ b/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_od_group_add.yml
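Review bot: The `related.hash` append for the code directory hash can never fire, because its condition reads `ctx.jamf_protect?.code_directory_hash` while the rename a few processors earlier stores the value at `jamf_protect.telemetry.code_directory_hash`; the guard should be `if: ctx.jamf_protect?.telemetry?.code_directory_hash != null`. As written the cdhash never reaches `related.hash`, so hash-based pivots across events silently miss it. The same condition appears in the od_group_add, od_group_remove and od_group_set hunks below. Separately, the late rename of `od_enable_user.db_path` to `process.working_directory` is dead: the field was already renamed to `file.path` in the event-specific section, so its `db_path != null` guard is always false; either drop that processor or pick a single target (an Open Directory database path is not a process working directory), and the same dead processor is present in the three sibling hunks.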
@@ -0,0 +1,189 @@
+---
+description: Pipeline for parsing specific fields related to opendirectory group added events in Jamf Protect
+processors:
+
+##########################
+## ECS Event Specific ##
+##########################
+ - set:
+ field: event.reason
+ value: A member has been added to a group using Open Directory
+ - append:
+ field: event.type
+ value: change
+ - append:
+ field: event.category
+ value: configuration
+ - rename:
+ field: jamf_protect.telemetry.event.od_group_add.group_name
+ target_field: group.name
+ ignore_missing: true
+ - rename:
+ field: jamf_protect.telemetry.event.od_group_add.member.member_value
+ target_field: user.name
+ ignore_missing: true
+ - rename:
+ field: jamf_protect.telemetry.event.od_group_add.db_path
+ target_field: file.path
+ ignore_missing: true
+
+##########################
+## ECS Process ##
+##########################
+ - rename:
+ field: jamf_protect.telemetry.event.od_group_add.instigator.start_time
+ target_field: process.start
+ ignore_missing: true
+ - convert:
+ field: jamf_protect.telemetry.event.od_group_add.instigator.audit_token.egid
+ target_field: jamf_protect.telemetry.event.od_group_add.instigator.audit_token.egid
+ type: string
+ ignore_missing: true
+ - convert:
+ field: jamf_protect.telemetry.event.od_group_add.instigator.audit_token.euid
+ target_field: jamf_protect.telemetry.event.od_group_add.instigator.audit_token.euid
+ type: string
+ ignore_missing: true
+ - append:
+ field: user.effective.id
+ value: '{{{jamf_protect.telemetry.event.od_group_add.instigator.audit_token.euid}}}'
+ if: ctx.jamf_protect.telemetry?.event?.od_group_add?.instigator?.audit_token?.euid != null
+ allow_duplicates: false
+ ignore_failure: true
+ - rename:
+ field: jamf_protect.telemetry.event.od_group_add.instigator.is_platform_binary
+ target_field: jamf_protect.telemetry.platform_binary
+ ignore_missing: true
+ - rename:
+ field: jamf_protect.telemetry.event.od_group_add.instigator.is_es_client
+ target_field: jamf_protect.telemetry.es_client
+ ignore_missing: true
+ - rename:
+ field: jamf_protect.telemetry.event.od_group_add.instigator.cdhash
+ target_field: jamf_protect.telemetry.code_directory_hash
+ ignore_missing: true
+ - rename:
+ field: jamf_protect.telemetry.event.od_group_add.instigator.executable.sha1
+ target_field: process.hash.sha1
+ ignore_missing: true
+ - rename:
+ field: jamf_protect.telemetry.event.od_group_add.instigator.executable.sha256
+ target_field: process.hash.sha256
+ ignore_missing: true
+ - append:
+ field: related.hash
+ value: '{{{process.hash.sha1}}}'
+ if: ctx.process?.hash?.sha1 != null
+ allow_duplicates: false
+ - append:
+ field: related.hash
+ value: '{{{process.hash.sha256}}}'
+ if: ctx.process?.hash?.sha256 != null
+ allow_duplicates: false
+ - append:
+ field: related.hash
+ value: '{{{jamf_protect.telemetry.code_directory_hash}}}'
+ if: ctx.jamf_protect?.code_directory_hash != null
+ allow_duplicates: false
+ - rename:
+ field: jamf_protect.telemetry.event.od_group_add.instigator.tty.path
+ target_field: jamf_protect.telemetry.tty
+ ignore_missing: true
+ - set:
+ field: process.interactive
+ value: true
+ if: ctx.jamf_protect.telemetry?.event?.od_group_add?.instigator?.tty != null
+ - set:
+ field: process.interactive
+ value: false
+ if: ctx.jamf_protect.telemetry?.event?.od_group_add?.instigator?.tty == null
+ - convert:
+ field: jamf_protect.telemetry.event.od_group_add.instigator.audit_token.pid
+ target_field: process.pid
+ type: long
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - rename:
+ field: jamf_protect.telemetry.event.od_group_add.instigator.audit_token.uuid
+ target_field: process.entity_id
+ ignore_missing: true
+ - rename:
+ field: jamf_protect.telemetry.event.od_group_add.instigator.executable.path
+ target_field: process.executable
+ ignore_missing: true
+ - rename:
+ field: jamf_protect.telemetry.thread.thread_id
+ target_field: process.thread.id
+ ignore_missing: true
+ - rename:
+ field: jamf_protect.telemetry.event.od_group_add.db_path
+ target_field: process.working_directory
+ ignore_missing: true
+ if: ctx.jamf_protect?.telemetry?.event?.od_group_add?.db_path != null
+ - rename:
+ field: jamf_protect.telemetry.event.od_group_add.instigator.signing_id
+ target_field: process.code_signature.signing_id
+ ignore_missing: true
+ - rename:
+ field: jamf_protect.telemetry.event.od_group_add.instigator.team_id
+ target_field: process.code_signature.team_id
+ ignore_missing: true
+
+##########################
+## ECS Parent Process ##
+##########################
+
+ - rename:
+ field: jamf_protect.telemetry.event.od_group_add.instigator.parent_audit_token.uuid
+ target_field: process.parent.entity_id
+ ignore_missing: true
+ - rename:
+ field: jamf_protect.telemetry.event.od_group_add.instigator.parent_audit_token.pid
+ target_field: process.parent.pid
+ ignore_missing: true
+ - convert:
+ field: jamf_protect.telemetry.event.od_group_add.instigator.parent_audit_token.euid
+ target_field: process.parent.user.id
+ type: string
+ ignore_missing: true
+ - convert:
+ field: jamf_protect.telemetry.event.od_group_add.instigator.parent_audit_token.ruid
+ target_field: process.parent.real_user.id
+ type: string
+ ignore_missing: true
+ - convert:
+ field: jamf_protect.telemetry.event.od_group_add.instigator.parent_audit_token.rgid
+ target_field: process.parent.real_group.id
+ type: string
+ ignore_missing: true
+
+##########################
+## ECS Responsible Process ##
+##########################
+
+ - rename:
+ field: jamf_protect.telemetry.event.od_group_add.instigator.responsible_audit_token.uuid
+ target_field: process.group_leader.entity_id
+ ignore_missing: true
+ - rename:
+ field: jamf_protect.telemetry.event.od_group_add.instigator.responsible_audit_token.pid
+ target_field: process.group_leader.pid
+ ignore_missing: true
+ - convert:
+ field: jamf_protect.telemetry.event.od_group_add.instigator.responsible_audit_token.euid
+ target_field: process.group_leader.user.id
+ type: string
+ ignore_missing: true
+ - convert:
+ field: jamf_protect.telemetry.event.od_group_add.instigator.responsible_audit_token.ruid
+ target_field: process.group_leader.real_user.id
+ type: string
+ ignore_missing: true
+ - convert:
+ field: jamf_protect.telemetry.event.od_group_add.instigator.responsible_audit_token.rgid
+ target_field: process.group_leader.real_group.id
+ type: string
+ ignore_missing: true
diff --git a/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_od_group_remove.yml b/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_od_group_remove.yml
new file mode 100644
index 00000000000..f40ec9b24b6
--- /dev/null
+++ b/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_od_group_remove.yml
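Review bot: `member.member_value` is renamed into `user.name`, but that value is the account being added to the group, not the account performing the change; detection rules generally read `user.name` as the actor, so the affected member belongs in `user.target.name` (the instigator's identity already goes to `user.effective.id`). The od_group_remove hunk maps `member.member_value` the same way. Also, the `if` conditions on the `user.effective.id` append and on the two `process.interactive` sets start with `ctx.jamf_protect.telemetry?.` while every other condition in this file uses `ctx.jamf_protect?.telemetry?.`; a document without the `jamf_protect` object would throw in those conditions instead of being skipped, so they should be made null-safe for consistency.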
@@ -0,0 +1,189 @@
+---
+description: Pipeline for parsing specific fields related to opendirectory group removed events in Jamf Protect
+processors:
+
+##########################
+## ECS Event Specific ##
+##########################
+ - set:
+ field: event.reason
+ value: A member has been removed from a group using Open Directory
+ - append:
+ field: event.type
+ value: change
+ - append:
+ field: event.category
+ value: configuration
+ - rename:
+ field: jamf_protect.telemetry.event.od_group_remove.group_name
+ target_field: group.name
+ ignore_missing: true
+ - rename:
+ field: jamf_protect.telemetry.event.od_group_remove.member.member_value
+ target_field: user.name
+ ignore_missing: true
+ - rename:
+ field: jamf_protect.telemetry.event.od_group_remove.db_path
+ target_field: file.path
+ ignore_missing: true
+
+##########################
+## ECS Process ##
+##########################
+ - rename:
+ field: jamf_protect.telemetry.event.od_group_remove.instigator.start_time
+ target_field: process.start
+ ignore_missing: true
+ - convert:
+ field: jamf_protect.telemetry.event.od_group_remove.instigator.audit_token.egid
+ target_field: jamf_protect.telemetry.event.od_group_remove.instigator.audit_token.egid
+ type: string
+ ignore_missing: true
+ - convert:
+ field: jamf_protect.telemetry.event.od_group_remove.instigator.audit_token.euid
+ target_field: jamf_protect.telemetry.event.od_group_remove.instigator.audit_token.euid
+ type: string
+ ignore_missing: true
+ - append:
+ field: user.effective.id
+ value: '{{{jamf_protect.telemetry.event.od_group_remove.instigator.audit_token.euid}}}'
+ if: ctx.jamf_protect.telemetry?.event?.od_group_remove?.instigator?.audit_token?.euid != null
+ allow_duplicates: false
+ ignore_failure: true
+ - rename:
+ field: jamf_protect.telemetry.event.od_group_remove.instigator.is_platform_binary
+ target_field: jamf_protect.telemetry.platform_binary
+ ignore_missing: true
+ - rename:
+ field: jamf_protect.telemetry.event.od_group_remove.instigator.is_es_client
+ target_field: jamf_protect.telemetry.es_client
+ ignore_missing: true
+ - rename:
+ field: jamf_protect.telemetry.event.od_group_remove.instigator.cdhash
+ target_field: jamf_protect.telemetry.code_directory_hash
+ ignore_missing: true
+ - rename:
+ field: jamf_protect.telemetry.event.od_group_remove.instigator.executable.sha1
+ target_field: process.hash.sha1
+ ignore_missing: true
+ - rename:
+ field: jamf_protect.telemetry.event.od_group_remove.instigator.executable.sha256
+ target_field: process.hash.sha256
+ ignore_missing: true
+ - append:
+ field: related.hash
+ value: '{{{process.hash.sha1}}}'
+ if: ctx.process?.hash?.sha1 != null
+ allow_duplicates: false
+ - append:
+ field: related.hash
+ value: '{{{process.hash.sha256}}}'
+ if: ctx.process?.hash?.sha256 != null
+ allow_duplicates: false
+ - append:
+ field: related.hash
+ value: '{{{jamf_protect.telemetry.code_directory_hash}}}'
+ if: ctx.jamf_protect?.code_directory_hash != null
+ allow_duplicates: false
+ - rename:
+ field: jamf_protect.telemetry.event.od_group_remove.instigator.tty.path
+ target_field: jamf_protect.telemetry.tty
+ ignore_missing: true
+ - set:
+ field: process.interactive
+ value: true
+ if: ctx.jamf_protect.telemetry?.event?.od_group_remove?.instigator?.tty != null
+ - set:
+ field: process.interactive
+ value: false
+ if: ctx.jamf_protect.telemetry?.event?.od_group_remove?.instigator?.tty == null
+ - convert:
+ field: jamf_protect.telemetry.event.od_group_remove.instigator.audit_token.pid
+ target_field: process.pid
+ type: long
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - rename:
+ field: jamf_protect.telemetry.event.od_group_remove.instigator.audit_token.uuid
+ target_field: process.entity_id
+ ignore_missing: true
+ - rename:
+ field: jamf_protect.telemetry.event.od_group_remove.instigator.executable.path
+ target_field: process.executable
+ ignore_missing: true
+ - rename:
+ field: jamf_protect.telemetry.thread.thread_id
+ target_field: process.thread.id
+ ignore_missing: true
+ - rename:
+ field: jamf_protect.telemetry.event.od_group_remove.db_path
+ target_field: process.working_directory
+ ignore_missing: true
+ if: ctx.jamf_protect?.telemetry?.event?.od_group_remove?.db_path != null
+ - rename:
+ field: jamf_protect.telemetry.event.od_group_remove.instigator.signing_id
+ target_field: process.code_signature.signing_id
+ ignore_missing: true
+ - rename:
+ field: jamf_protect.telemetry.event.od_group_remove.instigator.team_id
+ target_field: process.code_signature.team_id
+ ignore_missing: true
+
+##########################
+## ECS Parent Process ##
+##########################
+
+ - rename:
+ field: jamf_protect.telemetry.event.od_group_remove.instigator.parent_audit_token.uuid
+ target_field: process.parent.entity_id
+ ignore_missing: true
+ - rename:
+ field: jamf_protect.telemetry.event.od_group_remove.instigator.parent_audit_token.pid
+ target_field: process.parent.pid
+ ignore_missing: true
+ - convert:
+ field: jamf_protect.telemetry.event.od_group_remove.instigator.parent_audit_token.euid
+ target_field: process.parent.user.id
+ type: string
+ ignore_missing: true
+ - convert:
+ field: jamf_protect.telemetry.event.od_group_remove.instigator.parent_audit_token.ruid
+ target_field: process.parent.real_user.id
+ type: string
+ ignore_missing: true
+ - convert:
+ field: jamf_protect.telemetry.event.od_group_remove.instigator.parent_audit_token.rgid
+ target_field: process.parent.real_group.id
+ type: string
+ ignore_missing: true
+
+##########################
+## ECS Responsible Process ##
+##########################
+
+ - rename:
+ field: jamf_protect.telemetry.event.od_group_remove.instigator.responsible_audit_token.uuid
+ target_field: process.group_leader.entity_id
+ ignore_missing: true
+ - rename:
+ field: jamf_protect.telemetry.event.od_group_remove.instigator.responsible_audit_token.pid
+ target_field: process.group_leader.pid
+ ignore_missing: true
+ - convert:
+ field: jamf_protect.telemetry.event.od_group_remove.instigator.responsible_audit_token.euid
+ target_field: process.group_leader.user.id
+ type: string
+ ignore_missing: true
+ - convert:
+ field: jamf_protect.telemetry.event.od_group_remove.instigator.responsible_audit_token.ruid
+ target_field: process.group_leader.real_user.id
+ type: string
+ ignore_missing: true
+ - convert:
+ field: jamf_protect.telemetry.event.od_group_remove.instigator.responsible_audit_token.rgid
+ target_field: process.group_leader.real_group.id
+ type: string
+ ignore_missing: true
diff --git a/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_od_group_set.yml b/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_od_group_set.yml
new file mode 100644
index 00000000000..4e14c0f98ac
--- /dev/null
+++ b/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_od_group_set.yml
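Review bot: The two `process.interactive` processors test `instigator?.tty != null` after the preceding rename has already moved `instigator.tty.path` to `jamf_protect.telemetry.tty`, so the outcome depends on whether the emptied `tty` object survives the rename rather than on the data itself. Testing the renamed target is unambiguous: `if: ctx.jamf_protect?.telemetry?.tty != null` and `if: ctx.jamf_protect?.telemetry?.tty == null`. The same ordering is used in the od_enable_user, od_group_add and od_group_set hunks.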
@@ -0,0 +1,189 @@
+---
+description: Pipeline for parsing specific fields related to group set events in Jamf Protect
+processors:
+
+##########################
+## ECS Event Specific ##
+##########################
+ - set:
+ field: event.reason
+ value: A group has a member initialised or replaced using Open Directory
+ - append:
+ field: event.type
+ value: creation
+ - append:
+ field: event.category
+ value: configuration
+ - rename:
+ field: jamf_protect.telemetry.event.od_group_set.group_name
+ target_field: group.name
+ ignore_missing: true
+ - rename:
+ field: jamf_protect.telemetry.event.od_group_set.members.member_array
+ target_field: user.name
+ ignore_missing: true
+ - rename:
+ field: jamf_protect.telemetry.event.od_group_set.db_path
+ target_field: file.path
+ ignore_missing: true
+
+##########################
+## ECS Process ##
+##########################
+ - rename:
+ field: jamf_protect.telemetry.event.od_group_set.instigator.start_time
+ target_field: process.start
+ ignore_missing: true
+ - convert:
+ field: jamf_protect.telemetry.event.od_group_set.instigator.audit_token.egid
+ target_field: jamf_protect.telemetry.event.od_group_set.instigator.audit_token.egid
+ type: string
+ ignore_missing: true
+ - convert:
+ field: jamf_protect.telemetry.event.od_group_set.instigator.audit_token.euid
+ target_field: jamf_protect.telemetry.event.od_group_set.instigator.audit_token.euid
+ type: string
+ ignore_missing: true
+ - append:
+ field: user.effective.id
+ value: '{{{jamf_protect.telemetry.event.od_group_set.instigator.audit_token.euid}}}'
+ if: ctx.jamf_protect.telemetry?.event?.od_group_set?.instigator?.audit_token?.euid != null
+ allow_duplicates: false
+ ignore_failure: true
+ - rename:
+ field: jamf_protect.telemetry.event.od_group_set.instigator.is_platform_binary
+ target_field: jamf_protect.telemetry.platform_binary
+ ignore_missing: true
+ - rename:
+ field: jamf_protect.telemetry.event.od_group_set.instigator.is_es_client
+ target_field: jamf_protect.telemetry.es_client
+ ignore_missing: true
+ - rename:
+ field: jamf_protect.telemetry.event.od_group_set.instigator.cdhash
+ target_field: jamf_protect.telemetry.code_directory_hash
+ ignore_missing: true
+ - rename:
+ field: jamf_protect.telemetry.event.od_group_set.instigator.executable.sha1
+ target_field: process.hash.sha1
+ ignore_missing: true
+ - rename:
+ field: jamf_protect.telemetry.event.od_group_set.instigator.executable.sha256
+ target_field: process.hash.sha256
+ ignore_missing: true
+ - append:
+ field: related.hash
+ value: '{{{process.hash.sha1}}}'
+ if: ctx.process?.hash?.sha1 != null
+ allow_duplicates: false
+ - append:
+ field: related.hash
+ value: '{{{process.hash.sha256}}}'
+ if: ctx.process?.hash?.sha256 != null
+ allow_duplicates: false
+ - append:
+ field: related.hash
+ value: '{{{jamf_protect.telemetry.code_directory_hash}}}'
+ if: ctx.jamf_protect?.code_directory_hash != null
+ allow_duplicates: false
+ - rename:
+ field: jamf_protect.telemetry.event.od_group_set.instigator.tty.path
+ target_field: jamf_protect.telemetry.tty
+ ignore_missing: true
+ - set:
+ field: process.interactive
+ value: true
+ if: ctx.jamf_protect.telemetry?.event?.od_group_set?.instigator?.tty != null
+ - set:
+ field: process.interactive
+ value: false
+ if: ctx.jamf_protect.telemetry?.event?.od_group_set?.instigator?.tty == null
+ - convert:
+ field: jamf_protect.telemetry.event.od_group_set.instigator.audit_token.pid
+ target_field: process.pid
+ type: long
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - rename:
+ field: jamf_protect.telemetry.event.od_group_set.instigator.audit_token.uuid
+ target_field: process.entity_id
+ ignore_missing: true
+ - rename:
+ field: jamf_protect.telemetry.event.od_group_set.instigator.executable.path
+ target_field: process.executable
+ ignore_missing: true
+ - rename:
+ field: jamf_protect.telemetry.thread.thread_id
+ target_field: process.thread.id
+ ignore_missing: true
+ - rename:
+ field: jamf_protect.telemetry.event.od_group_set.db_path
+ target_field: process.working_directory
+ ignore_missing: true
+ if: ctx.jamf_protect?.telemetry?.event?.od_group_set?.db_path != null
+ - rename:
+ field: jamf_protect.telemetry.event.od_group_set.instigator.signing_id
+ target_field: process.code_signature.signing_id
+ ignore_missing: true
+ - rename:
+ field: jamf_protect.telemetry.event.od_group_set.instigator.team_id
+ target_field: process.code_signature.team_id
+ ignore_missing: true
+
+##########################
+## ECS Parent Process ##
+##########################
+
+ - rename:
+ field: jamf_protect.telemetry.event.od_group_set.instigator.parent_audit_token.uuid
+ target_field: process.parent.entity_id
+ ignore_missing: true
+ - rename:
+ field: jamf_protect.telemetry.event.od_group_set.instigator.parent_audit_token.pid
+ target_field: process.parent.pid
+ ignore_missing: true
+ - convert:
+ field: jamf_protect.telemetry.event.od_group_set.instigator.parent_audit_token.euid
+ target_field: process.parent.user.id
+ type: string
+ ignore_missing: true
+ - convert:
+ field: jamf_protect.telemetry.event.od_group_set.instigator.parent_audit_token.ruid
+ target_field: process.parent.real_user.id
+ type: string
+ ignore_missing: true
+ - convert:
+ field: jamf_protect.telemetry.event.od_group_set.instigator.parent_audit_token.rgid
+ target_field: process.parent.real_group.id
+ type: string
+ ignore_missing: true
+
+##########################
+## ECS Responsible Process ##
+##########################
+
+ - rename:
+ field: jamf_protect.telemetry.event.od_group_set.instigator.responsible_audit_token.uuid
+ target_field: process.group_leader.entity_id
+ ignore_missing: true
+ - rename:
+ field: jamf_protect.telemetry.event.od_group_set.instigator.responsible_audit_token.pid
+ target_field: process.group_leader.pid
+ ignore_missing: true
+ - convert:
+ field: jamf_protect.telemetry.event.od_group_set.instigator.responsible_audit_token.euid
+ target_field: process.group_leader.user.id
+ type: string
+ ignore_missing: true
+ - convert:
+ field: jamf_protect.telemetry.event.od_group_set.instigator.responsible_audit_token.ruid
+ target_field: process.group_leader.real_user.id
+ type: string
+ ignore_missing: true
+ - convert:
+ field: jamf_protect.telemetry.event.od_group_set.instigator.responsible_audit_token.rgid
+ target_field: process.group_leader.real_group.id
+ type: string
+ ignore_missing: true
diff --git a/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_od_modify_password.yml b/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_od_modify_password.yml
new file mode 100644
index 00000000000..08a55a92b7c
--- /dev/null
+++ b/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_od_modify_password.yml
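Review bot: `members.member_array` is renamed straight into `user.name`, so a single event can carry a multi-valued `user.name` listing every member of the group, which breaks rules that treat `user.name` as the one acting account; `related.user` (or `user.target.name`) is the place for the affected members, leaving `user.name` for the actor. `event.type` is set to `creation` here while the od_enable_user, od_group_add and od_group_remove hunks use `change` for the same kind of Open Directory modification; the reason text itself says the membership is "initialised or replaced", which reads as a change, so the value looks worth aligning unless `creation` was deliberate.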
@@ -0,0 +1,277 @@ +--- +description: Pipeline for parsing specific fields related to password change events in Jamf Protect +processors: + +########################## +## ECS Event Specific ## +########################## + - set: + field: event.reason + value: A user password is modified via Open Directory + - append: + field: event.type + value: change + - append: + field: event.category + value: configuration + - rename: + field: jamf_protect.telemetry.event.od_modify_password.group_name + target_field: group.name + ignore_missing: true + - rename: + field: jamf_protect.telemetry.event.od_modify_password.account_name + target_field: user.name + ignore_missing: true + - rename: + field: jamf_protect.telemetry.event.od_modify_password.db_path + target_field: file.path + ignore_missing: true + - script: + lang: painless + params: + itemTypeMap: + '0': User + '1': Computer + source: > + if (ctx.jamf_protect?.telemetry?.event?.od_modify_password?.account_type != null) { + String itemType = ctx.jamf_protect.telemetry.event.od_modify_password.account_type.toString(); + def itemTypeString = params.itemTypeMap.containsKey(itemType) ? params.itemTypeMap[itemType] : 'Unknown'; + ctx.jamf_protect = ctx.jamf_protect != null ? 
ctx.jamf_protect : new HashMap(); + ctx.jamf_protect.telemetry.account_type = itemTypeString; + } + - script: + lang: painless + params: + itemTypeMap: + '0': kODErrorSuccess + '1000': kODErrorSessionLocalOnlyDaemonInUse + '1001': kODErrorSessionNormalDaemonInUse + '1002': kODErrorSessionDaemonNotRunning + '1003': kODErrorSessionDaemonRefused + '1100': kODErrorSessionProxyCommunicationError + '1101': kODErrorSessionProxyVersionMismatch + '1102': kODErrorSessionProxyIPUnreachable + '1103': kODErrorSessionProxyUnknownHost + '2000': kODErrorNodeUnknownName + '2001': kODErrorNodeUnknownType + '2002': kODErrorNodeDisabled + '2100': kODErrorNodeConnectionFailed + '2200': kODErrorNodeUnknownHost + '3000': kODErrorQuerySynchronize + '3100': kODErrorQueryInvalidMatchType + '3101': kODErrorQueryUnsupportedMatchType + '3102': kODErrorQueryTimeout + '4000': kODErrorRecordReadOnlyNode + '4001': kODErrorRecordPermissionError + '4100': kODErrorRecordParameterError + '4101': kODErrorRecordInvalidType + '4102': kODErrorRecordAlreadyExists + '4103': kODErrorRecordTypeDisabled + '4104': kODErrorRecordNoLongerExists + '4200': kODErrorRecordAttributeUnknownType + '4201': kODErrorRecordAttributeNotFound + '4202': kODErrorRecordAttributeValueSchemaError + '4203': kODErrorRecordAttributeValueNotFound + '5000': kODErrorCredentialsInvalid + '5100': kODErrorCredentialsMethodNotSupported + '5101': kODErrorCredentialsNotAuthorized + '5102': kODErrorCredentialsParameterError + '5103': kODErrorCredentialsOperationFailed + '5200': kODErrorCredentialsServerUnreachable + '5201': kODErrorCredentialsServerNotFound + '5202': kODErrorCredentialsServerError + '5203': kODErrorCredentialsServerTimeout + '5204': kODErrorCredentialsContactPrimary + '5205': kODErrorCredentialsContactPrimary + '5206': kODErrorCredentialsServerCommunicationError + '5300': kODErrorCredentialsAccountNotFound + '5301': kODErrorCredentialsAccountDisabled + '5302': kODErrorCredentialsAccountExpired + '5303': 
kODErrorCredentialsAccountInactive + '5304': kODErrorCredentialsAccountTemporarilyLocked + '5305': kODErrorCredentialsAccountLocked + '5400': kODErrorCredentialsPasswordExpired + '5401': kODErrorCredentialsPasswordChangeRequired + '5402': kODErrorCredentialsPasswordQualityFailed + '5403': kODErrorCredentialsPasswordTooShort + '5404': kODErrorCredentialsPasswordTooLong + '5405': kODErrorCredentialsPasswordNeedsLetter + '5406': kODErrorCredentialsPasswordNeedsDigit + '5407': kODErrorCredentialsPasswordChangeTooSoon + '5408': kODErrorCredentialsPasswordUnrecoverable + '5500': kODErrorCredentialsInvalidLogonHours + '5501': kODErrorCredentialsInvalidComputer + '6000': kODErrorPolicyUnsupported + '6001': kODErrorPolicyOutOfRange + '10000': kODErrorPluginOperationNotSupported + '10001': kODErrorPluginError + '10002': kODErrorDaemonError + '10003': kODErrorPluginOperationTimeout + source: > + if (ctx.jamf_protect?.telemetry?.event?.od_modify_password?.error_code != null) { + String itemType = ctx.jamf_protect.telemetry.event.od_modify_password.error_code.toString(); + def itemTypeString = params.itemTypeMap.containsKey(itemType) ? params.itemTypeMap[itemType] : 'Unknown'; + ctx.jamf_protect = ctx.jamf_protect != null ? 
ctx.jamf_protect : new HashMap(); + ctx.jamf_protect.telemetry.error_message = itemTypeString; + } + +########################## +## ECS Process ## +########################## + - rename: + field: jamf_protect.telemetry.event.od_modify_password.instigator.start_time + target_field: process.start + ignore_missing: true + - convert: + field: jamf_protect.telemetry.event.od_modify_password.instigator.audit_token.egid + target_field: jamf_protect.telemetry.event.od_modify_password.instigator.audit_token.egid + type: string + ignore_missing: true + - convert: + field: jamf_protect.telemetry.event.od_modify_password.instigator.audit_token.euid + target_field: jamf_protect.telemetry.event.od_modify_password.instigator.audit_token.euid + type: string + ignore_missing: true + - append: + field: user.effective.id + value: '{{{jamf_protect.telemetry.event.od_modify_password.instigator.audit_token.euid}}}' + if: ctx.jamf_protect.telemetry?.event?.od_modify_password?.instigator?.audit_token?.euid != null + allow_duplicates: false + ignore_failure: true + - rename: + field: jamf_protect.telemetry.event.od_modify_password.instigator.is_platform_binary + target_field: jamf_protect.telemetry.platform_binary + ignore_missing: true + - rename: + field: jamf_protect.telemetry.event.od_modify_password.instigator.is_es_client + target_field: jamf_protect.telemetry.es_client + ignore_missing: true + - rename: + field: jamf_protect.telemetry.event.od_modify_password.instigator.cdhash + target_field: jamf_protect.telemetry.code_directory_hash + ignore_missing: true + - rename: + field: jamf_protect.telemetry.event.od_modify_password.instigator.executable.sha1 + target_field: process.hash.sha1 + ignore_missing: true + - rename: + field: jamf_protect.telemetry.event.od_modify_password.instigator.executable.sha256 + target_field: process.hash.sha256 + ignore_missing: true + - append: + field: related.hash + value: '{{{process.hash.sha1}}}' + if: ctx.process?.hash?.sha1 != null + 
allow_duplicates: false + - append: + field: related.hash + value: '{{{process.hash.sha256}}}' + if: ctx.process?.hash?.sha256 != null + allow_duplicates: false + - append: + field: related.hash + value: '{{{jamf_protect.telemetry.code_directory_hash}}}' + if: ctx.jamf_protect?.code_directory_hash != null + allow_duplicates: false + - rename: + field: jamf_protect.telemetry.event.od_modify_password.instigator.tty.path + target_field: jamf_protect.telemetry.tty + ignore_missing: true + - set: + field: process.interactive + value: true + if: ctx.jamf_protect.telemetry?.event?.od_modify_password?.instigator?.tty != null + - set: + field: process.interactive + value: false + if: ctx.jamf_protect.telemetry?.event?.od_modify_password?.instigator?.tty == null + - convert: + field: jamf_protect.telemetry.event.od_modify_password.instigator.audit_token.pid + target_field: process.pid + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - rename: + field: jamf_protect.telemetry.event.od_modify_password.instigator.audit_token.uuid + target_field: process.entity_id + ignore_missing: true + - rename: + field: jamf_protect.telemetry.event.od_modify_password.instigator.executable.path + target_field: process.executable + ignore_missing: true + - rename: + field: jamf_protect.telemetry.thread.thread_id + target_field: process.thread.id + ignore_missing: true + - rename: + field: jamf_protect.telemetry.event.od_modify_password.db_path + target_field: process.working_directory + ignore_missing: true + if: ctx.jamf_protect?.telemetry?.event?.od_modify_password?.db_path != null + - rename: + field: jamf_protect.telemetry.event.od_modify_password.instigator.signing_id + target_field: process.code_signature.signing_id + ignore_missing: true + - rename: + field: jamf_protect.telemetry.event.od_modify_password.instigator.team_id + target_field: process.code_signature.team_id + ignore_missing: true + 
+########################## +## ECS Parent Process ## +########################## + + - rename: + field: jamf_protect.telemetry.event.od_modify_password.instigator.parent_audit_token.uuid + target_field: process.parent.entity_id + ignore_missing: true + - rename: + field: jamf_protect.telemetry.event.od_modify_password.instigator.parent_audit_token.pid + target_field: process.parent.pid + ignore_missing: true + - convert: + field: jamf_protect.telemetry.event.od_modify_password.instigator.parent_audit_token.euid + target_field: process.parent.user.id + type: string + ignore_missing: true + - convert: + field: jamf_protect.telemetry.event.od_modify_password.instigator.parent_audit_token.ruid + target_field: process.parent.real_user.id + type: string + ignore_missing: true + - convert: + field: jamf_protect.telemetry.event.od_modify_password.instigator.parent_audit_token.rgid + target_field: process.parent.real_group.id + type: string + ignore_missing: true + +########################## +## ECS Responsible Process ## +########################## + + - rename: + field: jamf_protect.telemetry.event.od_modify_password.instigator.responsible_audit_token.uuid + target_field: process.group_leader.entity_id + ignore_missing: true + - rename: + field: jamf_protect.telemetry.event.od_modify_password.instigator.responsible_audit_token.pid + target_field: process.group_leader.pid + ignore_missing: true + - convert: + field: jamf_protect.telemetry.event.od_modify_password.instigator.responsible_audit_token.euid + target_field: process.group_leader.user.id + type: string + ignore_missing: true + - convert: + field: jamf_protect.telemetry.event.od_modify_password.instigator.responsible_audit_token.ruid + target_field: process.group_leader.real_user.id + type: string + ignore_missing: true + - convert: + field: jamf_protect.telemetry.event.od_modify_password.instigator.responsible_audit_token.rgid + target_field: process.group_leader.real_group.id + type: string + ignore_missing: 
true \ No newline at end of file diff --git a/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_openssh_login.yml b/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_openssh_login.yml new file mode 100644 index 00000000000..cef5b90cc5a --- /dev/null +++ b/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_openssh_login.yml 
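Review bot: The third `related.hash` append never fires: its condition tests `ctx.jamf_protect?.code_directory_hash`, but the cdhash was renamed to `jamf_protect.telemetry.code_directory_hash` a few processors earlier, so the guard should read `if: ctx.jamf_protect?.telemetry?.code_directory_hash != null`. The same mismatched guard is present in the profile_add and profile_remove pipelines in this patch. The later rename of `od_modify_password.db_path` to `process.working_directory` is dead code, because the same field was already moved to `file.path` near the top of the pipeline; keep one target and drop the other. In the error_code map, `'5204'` and `'5205'` both resolve to `kODErrorCredentialsContactPrimary`, which looks like a copy-paste slip worth checking against Apple's OpenDirectory error constants. Since code `0` is mapped to success, the same script could also set `event.outcome`, which rules on failed credential changes would rely on.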
@@ -0,0 +1,83 @@ +--- +description: Pipeline for parsing specific fields related to openssh login events in Jamf Protect +processors: + +########################## +## ECS Event Specific ## +########################## + - set: + field: event.reason + value: A user has logged into the system via OpenSSH + - append: + field: event.type + value: start + - append: + field: event.category + value: authentication + - append: + field: event.category + value: session + - script: + lang: painless + source: | + ctx.event = ctx.event != null ? ctx.event : new HashMap(); + if (ctx.jamf_protect?.telemetry?.event?.openssh_login?.success instanceof boolean) { + if (ctx.jamf_protect.telemetry.event.openssh_login.success) { + ctx.event.outcome = 'success'; + } else { + ctx.event.outcome = 'failure'; + } + } + if (ctx.event.outcome == null) { + ctx.event.outcome = 'unknown'; + } + - convert: + field: jamf_protect.telemetry.event.openssh_login.graphical_session_id + target_field: jamf_protect.telemetry.graphical_authentication_username + type: string + ignore_missing: true + - rename: + field: jamf_protect.telemetry.event.openssh_login.username + target_field: user.name + ignore_missing: true + - script: + lang: painless + params: + itemTypeMap: + '0': Unknown + '1': IPv4 + '2': IPv6 + '3': UNIX Socket + source: > + if (ctx.jamf_protect?.telemetry?.event?.openssh_login?.source_address_type != null) { + String itemType = ctx.jamf_protect.telemetry.event.openssh_login.source_address_type.toString(); + def itemTypeString = params.itemTypeMap.containsKey(itemType) ? params.itemTypeMap[itemType] : 'Unknown'; + ctx.jamf_protect = ctx.jamf_protect != null ? 
ctx.jamf_protect : new HashMap(); + ctx.jamf_protect.telemetry.source_address_type = itemTypeString; + } + - script: + lang: painless + params: + itemTypeMap: + '0': Exceeded maximum attempts + '1': Denied by root + '2': Success + '3': no reason + '4': Password + '5': kbdint + '6': public key + '7': Host based + '8': gss api + '9': invalid user + source: > + if (ctx.jamf_protect?.telemetry?.event?.openssh_login?.result_type != null) { + String itemType = ctx.jamf_protect.telemetry.event.openssh_login.result_type.toString(); + def itemTypeString = params.itemTypeMap.containsKey(itemType) ? params.itemTypeMap[itemType] : 'Unknown'; + ctx.jamf_protect = ctx.jamf_protect != null ? ctx.jamf_protect : new HashMap(); + ctx.jamf_protect.telemetry.authentication_result_type = itemTypeString; + } +########################## +## ECS Process ## +########################## + - pipeline: + name: '{{ IngestPipeline "pipeline_object_process" }}' diff --git a/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_openssh_logout.yml b/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_openssh_logout.yml new file mode 100644 index 00000000000..5bac4027b32 --- /dev/null +++ b/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_openssh_logout.yml 
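Review bot: The convert of `openssh_login.graphical_session_id` writes into `jamf_protect.telemetry.graphical_authentication_username`, so a numeric session id ends up in a field named as a username; it needs its own target (e.g. a `jamf_protect.telemetry.graphical_session_id` field, suggested name). Unlike the logout pipeline, nothing here maps the login's source address to `source.ip`; if the login event carries `source_address` as the logout event does, add the same `rename` of `jamf_protect.telemetry.event.openssh_login.source_address` to `source.ip` with `ignore_missing: true`, since an SSH login without a source address is of little use to authentication detections. The `result_type` map already distinguishes success from the failure reasons, so the `event.outcome` script could fall back to it when the `success` flag is absent rather than emitting `unknown`.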
@@ -0,0 +1,59 @@
+---
+description: Pipeline for parsing specific fields related to openssh logout events in Jamf Protect
+processors:
+
+##########################
+## ECS Event Specific ##
+##########################
+ - set:
+ field: event.reason
+ value: A user has logged out of an OpenSSH session
+ - append:
+ field: event.type
+ value: start
+ - append:
+ field: event.category
+ value: authentication
+ - append:
+ field: event.category
+ value: session
+ - convert:
+ field: jamf_protect.telemetry.event.openssh_logout.graphical_session_id
+ target_field: jamf_protect.telemetry.graphical_authentication_username
+ type: string
+ ignore_missing: true
+ - rename:
+ field: jamf_protect.telemetry.event.openssh_logout.username
+ target_field: user.name
+ ignore_missing: true
+ - convert:
+ field: jamf_protect.telemetry.event.openssh_logout.uid
+ target_field: user.id
+ type: string
+ ignore_missing: true
+
+ - rename:
+ field: jamf_protect.telemetry.event.openssh_logout.source_address
+ target_field: source.ip
+ ignore_missing: true
+ - script:
+ lang: painless
+ params:
+ itemTypeMap:
+ '0': Unknown
+ '1': IPv4
+ '2': IPv6
+ '3': UNIX Socket
+ source: >
+ if (ctx.jamf_protect?.telemetry?.event?.openssh_logout?.source_address_type != null) {
+ String itemType = ctx.jamf_protect.telemetry.event.openssh_logout.source_address_type.toString();
+ def itemTypeString = params.itemTypeMap.containsKey(itemType) ? params.itemTypeMap[itemType] : 'Unknown';
+ ctx.jamf_protect = ctx.jamf_protect != null ? ctx.jamf_protect : new HashMap();
+ ctx.jamf_protect.telemetry.source_address_type = itemTypeString;
+ }
+
+##########################
+## ECS Process ##
+##########################
+ - pipeline:
+ name: '{{ IngestPipeline "pipeline_object_process" }}'
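Review bot: `event.type` is appended as `start` for a logout event; ECS expects `end` here, and `event.category: authentication` does not describe a session teardown either, so `session` alone is the better category. As written, a rule keyed on `event.type:start and event.category:authentication` would count every SSH logout as a login. The `graphical_session_id` convert targets `jamf_protect.telemetry.graphical_authentication_username`, the same misnamed target as in the login pipeline.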
diff --git a/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_profile_add.yml b/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_profile_add.yml
new file mode 100644
index 00000000000..1a9201260f1
--- /dev/null
+++ b/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_profile_add.yml
@@ -0,0 +1,212 @@ +--- +description: Pipeline for parsing specific fields related to profile added events in Jamf Protect +processors: + +########################## +## ECS Event Specific ## +########################## + - set: + field: event.reason + value: A configuration profile is installed on the system + - append: + field: event.type + value: creation + - append: + field: event.category + value: configuration + - convert: + field: jamf_protect.telemetry.event.profile_add.profile.scope + target_field: jamf_protect.telemetry.profile_scope + type: string + ignore_missing: true + - convert: + field: jamf_protect.telemetry.event.profile_add.profile.identifier + target_field: jamf_protect.telemetry.profile_identifier + type: string + ignore_missing: true + - convert: + field: jamf_protect.telemetry.event.profile_add.profile.uuid + target_field: jamf_protect.telemetry.profile_uuid + type: string + ignore_missing: true + - convert: + field: jamf_protect.telemetry.event.profile_add.profile.display_name + target_field: jamf_protect.telemetry.profile_display_name + type: string + ignore_missing: true + - convert: + field: jamf_protect.telemetry.event.profile_add.profile.install_source + target_field: jamf_protect.telemetry.profile_install_source + type: string + ignore_missing: true + - convert: + field: jamf_protect.telemetry.event.profile_add.profile.organization + target_field: jamf_protect.telemetry.profile_organization + type: string + ignore_missing: true + - convert: + field: jamf_protect.telemetry.event.profile_add.is_update + target_field: jamf_protect.telemetry.profile_is_updated + type: boolean + ignore_missing: true + ignore_failure: true +########################## +## ECS Process ## +########################## + - rename: + field: jamf_protect.telemetry.event.profile_add.instigator.start_time + target_field: process.start + ignore_missing: true + - convert: + field: jamf_protect.telemetry.event.profile_add.instigator.audit_token.egid + target_field: 
jamf_protect.telemetry.event.profile_add.instigator.audit_token.egid + type: string + ignore_missing: true + - convert: + field: jamf_protect.telemetry.event.profile_add.instigator.audit_token.euid + target_field: jamf_protect.telemetry.event.profile_add.instigator.audit_token.euid + type: string + ignore_missing: true + - append: + field: user.effective.id + value: '{{{jamf_protect.telemetry.event.profile_add.instigator.audit_token.euid}}}' + if: ctx.jamf_protect.telemetry?.event?.profile_add?.instigator?.audit_token?.euid != null + allow_duplicates: false + ignore_failure: true + - rename: + field: jamf_protect.telemetry.event.profile_add.instigator.is_platform_binary + target_field: jamf_protect.telemetry.platform_binary + ignore_missing: true + - rename: + field: jamf_protect.telemetry.event.profile_add.instigator.is_es_client + target_field: jamf_protect.telemetry.es_client + ignore_missing: true + - rename: + field: jamf_protect.telemetry.event.profile_add.instigator.cdhash + target_field: jamf_protect.telemetry.code_directory_hash + ignore_missing: true + - rename: + field: jamf_protect.telemetry.event.profile_add.instigator.executable.sha1 + target_field: process.hash.sha1 + ignore_missing: true + - rename: + field: jamf_protect.telemetry.event.profile_add.instigator.executable.sha256 + target_field: process.hash.sha256 + ignore_missing: true + - append: + field: related.hash + value: '{{{process.hash.sha1}}}' + if: ctx.process?.hash?.sha1 != null + allow_duplicates: false + - append: + field: related.hash + value: '{{{process.hash.sha256}}}' + if: ctx.process?.hash?.sha256 != null + allow_duplicates: false + - append: + field: related.hash + value: '{{{jamf_protect.telemetry.code_directory_hash}}}' + if: ctx.jamf_protect?.code_directory_hash != null + allow_duplicates: false + - rename: + field: jamf_protect.telemetry.event.profile_add.instigator.tty.path + target_field: jamf_protect.telemetry.tty + ignore_missing: true + - set: + field: 
process.interactive + value: true + if: ctx.jamf_protect.telemetry?.event?.profile_add?.instigator?.tty != null + - set: + field: process.interactive + value: false + if: ctx.jamf_protect.telemetry?.event?.profile_add?.instigator?.tty == null + - convert: + field: jamf_protect.telemetry.event.profile_add.instigator.audit_token.pid + target_field: process.pid + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - rename: + field: jamf_protect.telemetry.event.profile_add.instigator.audit_token.uuid + target_field: process.entity_id + ignore_missing: true + - rename: + field: jamf_protect.telemetry.event.profile_add.instigator.executable.path + target_field: process.executable + ignore_missing: true + - rename: + field: jamf_protect.telemetry.thread.thread_id + target_field: process.thread.id + ignore_missing: true + - rename: + field: jamf_protect.telemetry.event.profile_add.db_path + target_field: process.working_directory + ignore_missing: true + if: ctx.jamf_protect?.telemetry?.event?.profile_add?.db_path != null + - rename: + field: jamf_protect.telemetry.event.profile_add.instigator.signing_id + target_field: process.code_signature.signing_id + ignore_missing: true + - rename: + field: jamf_protect.telemetry.event.profile_add.instigator.team_id + target_field: process.code_signature.team_id + ignore_missing: true + +########################## +## ECS Parent Process ## +########################## + + - rename: + field: jamf_protect.telemetry.event.profile_add.instigator.parent_audit_token.uuid + target_field: process.parent.entity_id + ignore_missing: true + - rename: + field: jamf_protect.telemetry.event.profile_add.instigator.parent_audit_token.pid + target_field: process.parent.pid + ignore_missing: true + - convert: + field: jamf_protect.telemetry.event.profile_add.instigator.parent_audit_token.euid + target_field: process.parent.user.id + type: string + ignore_missing: true + - 
convert: + field: jamf_protect.telemetry.event.profile_add.instigator.parent_audit_token.ruid + target_field: process.parent.real_user.id + type: string + ignore_missing: true + - convert: + field: jamf_protect.telemetry.event.profile_add.instigator.parent_audit_token.rgid + target_field: process.parent.real_group.id + type: string + ignore_missing: true + +########################## +## ECS Responsible Process ## +########################## + + - rename: + field: jamf_protect.telemetry.event.profile_add.instigator.responsible_audit_token.uuid + target_field: process.group_leader.entity_id + ignore_missing: true + - rename: + field: jamf_protect.telemetry.event.profile_add.instigator.responsible_audit_token.pid + target_field: process.group_leader.pid + ignore_missing: true + - convert: + field: jamf_protect.telemetry.event.profile_add.instigator.responsible_audit_token.euid + target_field: process.group_leader.user.id + type: string + ignore_missing: true + - convert: + field: jamf_protect.telemetry.event.profile_add.instigator.responsible_audit_token.ruid + target_field: process.group_leader.real_user.id + type: string + ignore_missing: true + - convert: + field: jamf_protect.telemetry.event.profile_add.instigator.responsible_audit_token.rgid + target_field: process.group_leader.real_group.id + type: string + ignore_missing: true diff --git a/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_profile_remove.yml b/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_profile_remove.yml new file mode 100644 index 00000000000..d1586cb266a --- /dev/null +++ b/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_profile_remove.yml 
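Review bot: The rename of `jamf_protect.telemetry.event.profile_add.db_path` to `process.working_directory` looks carried over from the Open Directory pipelines; nothing in this patch shows a profile install event carrying a database path, and even where such a field exists a directory-database path is not the instigator's working directory, so the processor should be dropped (the profile_remove pipeline has the same copy). Stylistically, the entire ECS Process / Parent Process / Responsible Process block is repeated verbatim across the instigator-based pipelines with only the event key changing; factoring it into a shared pipeline parameterized on that key, like the `pipeline_object_process` the other hunks call, would remove the drift these copies already show. The `if` guards here use `ctx.jamf_protect.telemetry?.event?...` without a null-safe access on `jamf_protect`; `ctx.jamf_protect?.telemetry?...` matches the scripts in the same file.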
@@ -0,0 +1,206 @@ +--- +description: Pipeline for parsing specific fields related to profile removed events in Jamf Protect +processors: + +########################## +## ECS Event Specific ## +########################## + - set: + field: event.reason + value: A configuration profile is removed from the system + - append: + field: event.type + value: creation + - append: + field: event.category + value: configuration + - convert: + field: jamf_protect.telemetry.event.profile_remove.profile.scope + target_field: jamf_protect.telemetry.profile_scope + type: string + ignore_missing: true + - convert: + field: jamf_protect.telemetry.event.profile_remove.profile.identifier + target_field: jamf_protect.telemetry.profile_identifier + type: string + ignore_missing: true + - convert: + field: jamf_protect.telemetry.event.profile_remove.profile.uuid + target_field: jamf_protect.telemetry.profile_uuid + type: string + ignore_missing: true + - convert: + field: jamf_protect.telemetry.event.profile_remove.profile.display_name + target_field: jamf_protect.telemetry.profile_display_name + type: string + ignore_missing: true + - convert: + field: jamf_protect.telemetry.event.profile_remove.profile.install_source + target_field: jamf_protect.telemetry.profile_install_source + type: string + ignore_missing: true + - convert: + field: jamf_protect.telemetry.event.profile_remove.profile.organization + target_field: jamf_protect.telemetry.profile_organization + type: string + ignore_missing: true +########################## +## ECS Process ## +########################## + - rename: + field: jamf_protect.telemetry.event.profile_remove.instigator.start_time + target_field: process.start + ignore_missing: true + - convert: + field: jamf_protect.telemetry.event.profile_remove.instigator.audit_token.egid + target_field: jamf_protect.telemetry.event.profile_remove.instigator.audit_token.egid + type: string + ignore_missing: true + - convert: + field: 
jamf_protect.telemetry.event.profile_remove.instigator.audit_token.euid + target_field: jamf_protect.telemetry.event.profile_remove.instigator.audit_token.euid + type: string + ignore_missing: true + - append: + field: user.effective.id + value: '{{{jamf_protect.telemetry.event.profile_remove.instigator.audit_token.euid}}}' + if: ctx.jamf_protect.telemetry?.event?.profile_remove?.instigator?.audit_token?.euid != null + allow_duplicates: false + ignore_failure: true + - rename: + field: jamf_protect.telemetry.event.profile_remove.instigator.is_platform_binary + target_field: jamf_protect.telemetry.platform_binary + ignore_missing: true + - rename: + field: jamf_protect.telemetry.event.profile_remove.instigator.is_es_client + target_field: jamf_protect.telemetry.es_client + ignore_missing: true + - rename: + field: jamf_protect.telemetry.event.profile_remove.instigator.cdhash + target_field: jamf_protect.telemetry.code_directory_hash + ignore_missing: true + - rename: + field: jamf_protect.telemetry.event.profile_remove.instigator.executable.sha1 + target_field: process.hash.sha1 + ignore_missing: true + - rename: + field: jamf_protect.telemetry.event.profile_remove.instigator.executable.sha256 + target_field: process.hash.sha256 + ignore_missing: true + - append: + field: related.hash + value: '{{{process.hash.sha1}}}' + if: ctx.process?.hash?.sha1 != null + allow_duplicates: false + - append: + field: related.hash + value: '{{{process.hash.sha256}}}' + if: ctx.process?.hash?.sha256 != null + allow_duplicates: false + - append: + field: related.hash + value: '{{{jamf_protect.telemetry.code_directory_hash}}}' + if: ctx.jamf_protect?.code_directory_hash != null + allow_duplicates: false + - rename: + field: jamf_protect.telemetry.event.profile_remove.instigator.tty.path + target_field: jamf_protect.telemetry.tty + ignore_missing: true + - set: + field: process.interactive + value: true + if: ctx.jamf_protect.telemetry?.event?.profile_remove?.instigator?.tty != null + 
- set: + field: process.interactive + value: false + if: ctx.jamf_protect.telemetry?.event?.profile_remove?.instigator?.tty == null + - convert: + field: jamf_protect.telemetry.event.profile_remove.instigator.audit_token.pid + target_field: process.pid + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - rename: + field: jamf_protect.telemetry.event.profile_remove.instigator.audit_token.uuid + target_field: process.entity_id + ignore_missing: true + - rename: + field: jamf_protect.telemetry.event.profile_remove.instigator.executable.path + target_field: process.executable + ignore_missing: true + - rename: + field: jamf_protect.telemetry.thread.thread_id + target_field: process.thread.id + ignore_missing: true + - rename: + field: jamf_protect.telemetry.event.profile_remove.db_path + target_field: process.working_directory + ignore_missing: true + if: ctx.jamf_protect?.telemetry?.event?.profile_remove?.db_path != null + - rename: + field: jamf_protect.telemetry.event.profile_remove.instigator.signing_id + target_field: process.code_signature.signing_id + ignore_missing: true + - rename: + field: jamf_protect.telemetry.event.profile_remove.instigator.team_id + target_field: process.code_signature.team_id + ignore_missing: true + +########################## +## ECS Parent Process ## +########################## + + - rename: + field: jamf_protect.telemetry.event.profile_remove.instigator.parent_audit_token.uuid + target_field: process.parent.entity_id + ignore_missing: true + - rename: + field: jamf_protect.telemetry.event.profile_remove.instigator.parent_audit_token.pid + target_field: process.parent.pid + ignore_missing: true + - convert: + field: jamf_protect.telemetry.event.profile_remove.instigator.parent_audit_token.euid + target_field: process.parent.user.id + type: string + ignore_missing: true + - convert: + field: 
jamf_protect.telemetry.event.profile_remove.instigator.parent_audit_token.ruid + target_field: process.parent.real_user.id + type: string + ignore_missing: true + - convert: + field: jamf_protect.telemetry.event.profile_remove.instigator.parent_audit_token.rgid + target_field: process.parent.real_group.id + type: string + ignore_missing: true + +########################## +## ECS Responsible Process ## +########################## + + - rename: + field: jamf_protect.telemetry.event.profile_remove.instigator.responsible_audit_token.uuid + target_field: process.group_leader.entity_id + ignore_missing: true + - rename: + field: jamf_protect.telemetry.event.profile_remove.instigator.responsible_audit_token.pid + target_field: process.group_leader.pid + ignore_missing: true + - convert: + field: jamf_protect.telemetry.event.profile_remove.instigator.responsible_audit_token.euid + target_field: process.group_leader.user.id + type: string + ignore_missing: true + - convert: + field: jamf_protect.telemetry.event.profile_remove.instigator.responsible_audit_token.ruid + target_field: process.group_leader.real_user.id + type: string + ignore_missing: true + - convert: + field: jamf_protect.telemetry.event.profile_remove.instigator.responsible_audit_token.rgid + target_field: process.group_leader.real_group.id + type: string + ignore_missing: true diff --git a/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_remount.yml b/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_remount.yml new file mode 100644 index 00000000000..26e90db7a3c --- /dev/null +++ b/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_remount.yml 
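Review bot: `event.type` is appended as `creation` for a profile removal; it should be `deletion`, otherwise a rule keyed on `event.type:deletion and event.category:configuration` never sees profile removals and one keyed on `creation` treats them as installs. The `event.reason` string correctly says the profile is removed, which makes the mismatch easy to miss in test output.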
@@ -0,0 +1,34 @@
+---
+description: Pipeline for parsing specific fields related to vollume remount events in Jamf Protect
+processors:
+
+##########################
+## ECS Event Specific ##
+##########################
+ - append:
+ field: event.type
+ value: start
+ - set:
+ field: event.reason
+ value: A file system has been remounted
+ - rename:
+ field: jamf_protect.telemetry.event.remount.statfs.f_mntfromname
+ target_field: volume.device_name
+ ignore_missing: true
+ - rename:
+ field: jamf_protect.telemetry.event.remount.statfs.f_mntonname
+ target_field: volume.mount_name
+ ignore_missing: true
+ - rename:
+ field: jamf_protect.telemetry.event.remount.statfs.f_fstypename
+ target_field: volume.file_system_type
+ ignore_missing: true
+ - rename:
+ field: jamf_protect.telemetry.event.remount.statfs.f_bsize
+ target_field: volume.size
+ ignore_missing: true
+##########################
+## ECS Process ##
+##########################
+ - pipeline:
+ name: '{{ IngestPipeline "pipeline_object_process" }}'
\ No newline at end of file
diff --git a/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_screensharing_attach.yml b/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_screensharing_attach.yml
new file mode 100644
index 00000000000..f03db5379c9
--- /dev/null
+++ b/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_screensharing_attach.yml
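Review bot: `statfs.f_bsize` is the filesystem's block size, not the volume's capacity, so renaming it to `volume.size` stores a small per-filesystem constant where consumers expect a size; either drop the mapping or keep it under a `jamf_protect.telemetry` field named for what it is. If the event also exposes `f_blocks`, the capacity would be the product of the two, which this hunk does not compute. No `event.category` is appended here while every other pipeline in the patch sets one. The description string also misspells "volume".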
@@ -0,0 +1,87 @@
+---
+description: Pipeline for parsing specific fields related to screenscharing attached events in Jamf Protect
+processors:
+
+##########################
+## ECS Event Specific ##
+##########################
+ - set:
+ field: event.reason
+ value: A screen sharing session has attached to a graphical session
+ - append:
+ field: event.type
+ value: start
+ - append:
+ field: event.category
+ value: session
+ - script:
+ lang: painless
+ source: |
+ ctx.event = ctx.event != null ? ctx.event : new HashMap();
+ if (ctx.jamf_protect?.telemetry?.event?.screensharing_attach?.success instanceof boolean) {
+ if (ctx.jamf_protect.telemetry.event.screensharing_attach.success) {
+ ctx.event.outcome = 'success';
+ } else {
+ ctx.event.outcome = 'failure';
+ }
+ }
+ if (ctx.event.outcome == null) {
+ ctx.event.outcome = 'unknown';
+ }
+ - convert:
+ field: jamf_protect.telemetry.event.screensharing_attach.existing_session
+ target_field: jamf_protect.telemetry.existing_session
+ type: boolean
+ ignore_missing: true
+ ignore_failure: true
+ - convert:
+ field: jamf_protect.telemetry.event.screensharing_attach.graphical_session_id
+ target_field: jamf_protect.telemetry.graphical_authentication_username
+ type: string
+ ignore_missing: true
+ - convert:
+ field: jamf_protect.telemetry.event.screensharing_attach.authentication_username
+ target_field: jamf_protect.telemetry.graphical_authentication_username
+ type: string
+ ignore_missing: true
+ - convert:
+ field: jamf_protect.telemetry.event.screensharing_attach.session_username
+ target_field: jamf_protect.telemetry.session_username
+ type: string
+ ignore_missing: true
+ - convert:
+ field: jamf_protect.telemetry.event.screensharing_attach.viewer_appleid
+ target_field: jamf_protect.viewer_appleid
+ type: string
+ if: ctx.jamf_protect.telemetry?.event?.screensharing_attach?.viewer_appleid != null
+ ignore_missing: true
+ ignore_failure: true
+ - convert:
+ field: jamf_protect.telemetry.event.screensharing_attach.authentication_type
+ target_field: jamf_protect.telemetry.authentication_type
+ type: string
+ ignore_missing: true
+ - convert:
+ field: jamf_protect.telemetry.event.screensharing_attach.authentication_type
+ target_field: jamf_protect.telemetry.authentication_type
+ type: string
+ ignore_missing: true
+ - rename:
+ field: jamf_protect.telemetry.event.screensharing_attach.source_address
+ target_field: source.ip
+ ignore_missing: true
+ - append:
+ field: related.user
+ value: '{{{jamf_protect.telemetry.session_username}}}'
+ if: ctx.jamf_protect?.session_username != null
+ allow_duplicates: false
+ - append:
+ field: related.user
+ value: '{{{jamf_protect.telemetry.graphical_authentication_username}}}'
+ if: ctx.jamf_protect?.graphical_authentication_username != null
+ allow_duplicates: false
+##########################
+## ECS Process ##
+##########################
+ - pipeline:
+ name: '{{ IngestPipeline "pipeline_object_process" }}'
\ No newline at end of file
diff --git a/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_screensharing_detach.yml b/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_screensharing_detach.yml
new file mode 100644
index 00000000000..2f94341c1c0
--- /dev/null
+++ b/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_screensharing_detach.yml
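Review bot: The two `related.user` appends at the end of the hunk test `ctx.jamf_protect?.session_username` and `ctx.jamf_protect?.graphical_authentication_username`, but the convert processors above wrote those values under `jamf_protect.telemetry.*`, so the conditions are never true and `related.user` stays empty on screen-sharing attach events, which is the field analysts pivot on when reviewing remote access; the conditions should read `if: ctx.jamf_protect?.telemetry?.session_username != null` and `if: ctx.jamf_protect?.telemetry?.graphical_authentication_username != null`. Separately, `graphical_session_id` is converted into `jamf_protect.telemetry.graphical_authentication_username`, which the next processor overwrites with `authentication_username`, so the session id is lost; the detach hunk uses the same target. The `authentication_type` convert block appears twice, and `viewer_appleid` lands at `jamf_protect.viewer_appleid` while every sibling field sits under `jamf_protect.telemetry`. Finally `source_address` is renamed straight into `source.ip`; if that field can carry a hostname and `source.ip` is mapped as `ip`, the rename should be guarded (or the value validated) so the whole document is not rejected at index time.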
@@ -0,0 +1,51 @@
+---
+description: Pipeline for parsing specific fields related to screensharing detached events in Jamf Protect
+processors:
+
+##########################
+## ECS Event Specific ##
+##########################
+ - set:
+ field: event.reason
+ value: A screen sharing session has detached from a graphical session
+ - append:
+ field: event.type
+ value: end
+ - append:
+ field: event.category
+ value: session
+ - script:
+ lang: painless
+ source: |
+ ctx.event = ctx.event != null ? ctx.event : new HashMap();
+ if (ctx.jamf_protect?.telemetry?.event?.screensharing_detach?.success instanceof boolean) {
+ if (ctx.jamf_protect.telemetry.event.screensharing_detach.success) {
+ ctx.event.outcome = 'success';
+ } else {
+ ctx.event.outcome = 'failure';
+ }
+ }
+ if (ctx.event.outcome == null) {
+ ctx.event.outcome = 'unknown';
+ }
+ - convert:
+ field: jamf_protect.telemetry.event.screensharing_detach.graphical_session_id
+ target_field: jamf_protect.telemetry.graphical_authentication_username
+ type: string
+ ignore_missing: true
+ - convert:
+ field: jamf_protect.telemetry.event.screensharing_detach.viewer_appleid
+ target_field: jamf_protect.viewer_appleid
+ type: string
+ if: ctx.jamf_protect.telemetry?.event?.screensharing_detach?.viewer_appleid != null
+ ignore_missing: true
+ ignore_failure: true
+ - rename:
+ field: jamf_protect.telemetry.event.screensharing_detach.source_address
+ target_field: source.ip
+ ignore_missing: true
+##########################
+## ECS Process ##
+##########################
+ - pipeline:
+ name: '{{ IngestPipeline "pipeline_object_process" }}'
diff --git a/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_settime.yml b/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_settime.yml
new file mode 100644
index 00000000000..58c5bfd3812
--- /dev/null
+++ b/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_settime.yml
@@ -0,0 +1,21 @@
+---
+description: Pipeline for parsing specific fields related to settime events in Jamf Protect
+processors:
+
+##########################
+## ECS Event Specific ##
+##########################
+ - set:
+ field: event.reason
+ value: The system time was attempted to be set
+ - append:
+ field: event.type
+ value: change
+ - append:
+ field: event.category
+ value: configuration
+##########################
+## ECS Process ##
+##########################
+ - pipeline:
+ name: '{{ IngestPipeline "pipeline_object_process" }}'
diff --git a/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_su.yml b/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_su.yml
new file mode 100644
index 00000000000..dd0b2cdeadd
--- /dev/null
+++ b/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_su.yml
@@ -0,0 +1,100 @@
+---
+description: Pipeline for parsing specific fields related to su events in Jamf Protect
+processors:
+
+##########################
+## ECS Event Specific ##
+##########################
+ - set:
+ field: event.reason
+ value: A user attempts to start a new shell using a substitute user identity
+ - append:
+ field: event.type
+ value: start
+ - append:
+ field: event.category
+ value: authentication
+ - script:
+ lang: painless
+ source: >
+ ctx.event = ctx.event != null ? ctx.event : new HashMap();
+ if (ctx.jamf_protect?.telemetry?.event?.su?.success instanceof boolean) {
+ if (ctx.jamf_protect.telemetry.event.su.success) {
+ ctx.event.outcome = 'success';
+ } else {
+ ctx.event.outcome = 'failure';
+ }
+ }
+ if (ctx.event.outcome == null) {
+ ctx.event.outcome = 'unknown';
+ }
+ - rename:
+ field: jamf_protect.telemetry.event.su.username
+ target_field: user.name
+ ignore_missing: true
+ - convert:
+ field: jamf_protect.telemetry.event.su.uid
+ target_field: user.id
+ type: string
+ ignore_missing: true
+ - rename:
+ field: jamf_protect.telemetry.event.su.argv
+ target_field: process.args
+ ignore_missing: true
+ if: ctx.jamf_protect?.telemetry?.event?.su?.argv != null
+ - script:
+ description: Counts the indexes of the arguments
+ lang: painless
+ source: >
+ if (ctx.process.args instanceof List) {
+ ctx.process.args_count = ctx.process.args.size();
+ } else {
+ ctx.process = ctx.process != null ? ctx.process : new HashMap();
+ ctx.process.args_count = 0;
+ }
+ ignore_failure: true
+ - rename:
+ field: jamf_protect.telemetry.event.su.env
+ target_field: process.env_vars
+ ignore_missing: true
+ if: ctx.jamf_protect?.telemetry?.event?.su?.env != null
+ - convert:
+ field: jamf_protect.telemetry.event.su.env_count
+ target_field: jamf_protect.telemetry.env_count
+ type: string
+ ignore_missing: true
+ - convert:
+ field: jamf_protect.telemetry.event.su.shell
+ target_field: jamf_protect.telemetry.shell
+ type: string
+ ignore_missing: true
+ - convert:
+ field: jamf_protect.telemetry.event.su.from_username
+ target_field: jamf_protect.telemetry.from_username
+ type: string
+ ignore_missing: true
+ - convert:
+ field: jamf_protect.telemetry.event.su.to_username
+ target_field: jamf_protect.telemetry.to_username
+ type: string
+ ignore_missing: true
+ - convert:
+ field: jamf_protect.telemetry.event.su.failure_message
+ target_field: jamf_protect.failure_reason
+ type: string
+ ignore_missing: true
+ - append:
+ field: related.user
+ value: '{{{jamf_protect.telemetry.to_username}}}'
+ if: ctx.jamf_protect?.to_username != null
+ allow_duplicates: false
+ - append:
+ field: related.user
+ value: '{{{jamf_protect.telemetry.from_username}}}'
+ if: ctx.jamf_protect?.from_username != null
+ allow_duplicates: false
+##########################
+## ECS Process ##
+##########################
+ - pipeline:
+ name: '{{ IngestPipeline "pipeline_object_process" }}'
\ No newline at end of file
diff --git a/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_sudo.yml b/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_sudo.yml
new file mode 100644
index 00000000000..ee936ddcfb7
--- /dev/null
+++ b/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_sudo.yml
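Review bot: The `related.user` appends check `ctx.jamf_protect?.to_username` and `ctx.jamf_protect?.from_username`, but the convert processors above stored those values at `jamf_protect.telemetry.to_username` and `jamf_protect.telemetry.from_username`, so neither append fires and an su event, a user substitution that detection rules key on, leaves `related.user` empty; the conditions should be `if: ctx.jamf_protect?.telemetry?.to_username != null` and `if: ctx.jamf_protect?.telemetry?.from_username != null`. `failure_message` goes to `jamf_protect.failure_reason` while every other custom field in this file sits under `jamf_protect.telemetry`, which looks like an oversight. The args-count script dereferences `ctx.process.args` before the null guard that only lives in its else branch, so when `process` is absent the script throws, `ignore_failure` hides it, and `process.args_count` is never set; testing `ctx.process?.args instanceof List` first avoids that. `su.env` is copied wholesale into `process.env_vars`, and a short comment on that rename noting that a process environment can carry credentials and that deployments may prefer to drop or redact it would help operators decide what they index.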
@@ -0,0 +1,32 @@
+---
+description: Pipeline for parsing specific fields related to sudo events in Jamf Protect
+processors:
+
+##########################
+## ECS Event Specific ##
+##########################
+ - set:
+ field: event.reason
+ value: A sudo attempt occurred
+ - append:
+ field: event.type
+ value: start
+ - rename:
+ field: jamf_protect.telemetry.event.sudo.command
+ target_field: process.command_line
+ ignore_missing: true
+ - convert:
+ field: jamf_protect.telemetry.event.sudo.attribute_name
+ target_field: jamf_protect.telemetry.attribute_name
+ type: string
+ ignore_missing: true
+ - convert:
+ field: jamf_protect.telemetry.event.sudo.attribute_value
+ target_field: jamf_protect.telemetry.attribute_value
+ type: string
+ ignore_missing: true
+##########################
+## ECS Process ##
+##########################
+ - pipeline:
+ name: '{{ IngestPipeline "pipeline_object_process" }}'
diff --git a/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_system_performance.yml b/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_system_performance.yml
new file mode 100644
index 00000000000..b1098160011
--- /dev/null
+++ b/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_system_performance.yml
@@ -0,0 +1,21 @@
+---
+description: Pipeline for Jamf Protect Telemetry system_performance events.
+processors:
+
+##########################
+## ECS Event Specific ##
+##########################
+ - set:
+ field: event.reason
+ value: Collection of system system_performance data
+ - append:
+ field: event.category
+ value: host
+ - rename:
+ field: jamf_protect.telemetry.event.system_performance.metrics.tasks
+ target_field: jamf_protect.telemetry.system_performance
+ ignore_missing: true
+on_failure:
+- append:
+ field: error.message
+ value: '{{ _ingest.on_failure_message }}'
diff --git a/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_unmount.yml b/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_unmount.yml
new file mode 100644
index 00000000000..1765059828f
--- /dev/null
+++ b/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_unmount.yml
@@ -0,0 +1,34 @@
+---
+description: Pipeline for parsing specific fields related to volume remount events in Jamf Protect
+processors:
+
+##########################
+## ECS Event Specific ##
+##########################
+ - set:
+ field: event.reason
+ value: A file system has been unmounted
+ - append:
+ field: event.type
+ value: end
+ - rename:
+ field: jamf_protect.telemetry.event.unmount.statfs.f_mntfromname
+ target_field: volume.device_name
+ ignore_missing: true
+ - rename:
+ field: jamf_protect.telemetry.event.unmount.statfs.f_mntonname
+ target_field: volume.mount_name
+ ignore_missing: true
+ - rename:
+ field: jamf_protect.telemetry.event.unmount.statfs.f_fstypename
+ target_field: volume.file_system_type
+ ignore_missing: true
+ - rename:
+ field: jamf_protect.telemetry.event.unmount.statfs.f_bsize
+ target_field: volume.size
+ ignore_missing: true
+##########################
+## ECS Process ##
+##########################
+ - pipeline:
+ name: '{{ IngestPipeline "pipeline_object_process" }}'
\ No newline at end of file
diff --git a/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_xp_malware_detected.yml b/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_xp_malware_detected.yml
new file mode 100644
index 00000000000..e910d23b89a
--- /dev/null
+++ b/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_xp_malware_detected.yml
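Review bot: The `description` line says `volume remount events` although this pipeline handles unmounts, as its own `event.reason` (`A file system has been unmounted`) shows; it should read `description: Pipeline for parsing specific fields related to volume unmount events in Jamf Protect`. The `f_bsize` to `volume.size` mapping raised on the remount hunk applies here unchanged.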
@@ -0,0 +1,29 @@
+---
+description: Pipeline for parsing specific fields related to xprotect malware detected events in Jamf Protect
+processors:
+
+##########################
+## ECS Event Specific ##
+##########################
+ - set:
+ field: event.reason
+ value: Apple’s XProtect detected malware on the system
+ - append:
+ field: event.category
+ value: malware
+ - rename:
+ field: jamf_protect.telemetry.event.xp_malware_detected.detected_path
+ target_field: threat.indicator.file.path
+ ignore_missing: true
+ - set:
+ field: threat.indicator.type
+ value: file
+ - rename:
+ field: jamf_protect.telemetry.event.xp_malware_detected.malware_identifier
+ target_field: rule.name
+ ignore_missing: true
+##########################
+## ECS Process ##
+##########################
+ - pipeline:
+ name: '{{ IngestPipeline "pipeline_object_process" }}'
diff --git a/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_xp_malware_remediated.yml b/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_xp_malware_remediated.yml
new file mode 100644
index 00000000000..5e8804e3c9c
--- /dev/null
+++ b/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_xp_malware_remediated.yml
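Review bot: The detected file path is placed in `threat.indicator.file.path`, but `threat.indicator.*` describes intelligence indicators rather than an artefact observed on the host; for a local XProtect detection `file.path` (plus `file.name`) would let this event join with the file events the rest of the package emits, with `rule.name` kept as it is. `event.category: malware` is also appended without an `event.type`, so unless the calling pipeline sets one the event will not satisfy the category/type pairing that detection rules query on; `info` is the ECS-allowed type for the malware category, so `- append: field: event.type value: info` would complete it. The remediated hunk for pipeline_event_xp_malware_remediated.yml shares both points.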
@@ -0,0 +1,47 @@
+---
+description: Pipeline for parsing specific fields related to xprotect malware remediated events in Jamf Protect
+processors:
+
+##########################
+## ECS Event Specific ##
+##########################
+ - set:
+ field: event.reason
+ value: Apple’s XProtect remediated malware on the system
+ - append:
+ field: event.category
+ value: malware
+ - script:
+ lang: painless
+ source: >
+ ctx.event = ctx.event != null ? ctx.event : new HashMap();
+ if (ctx.jamf_protect?.telemetry?.event?.xp_malware_remediated?.success instanceof boolean) {
+ if (ctx.jamf_protect.telemetry.event.xp_malware_remediated.success) {
+ ctx.event.outcome = 'success';
+ } else {
+ ctx.event.outcome = 'failure';
+ }
+ }
+ if (ctx.event.outcome == null) {
+ ctx.event.outcome = 'unknown';
+ }
+ - rename:
+ field: jamf_protect.telemetry.event.xp_malware_remediated.remediated_path
+ target_field: threat.indicator.file.path
+ ignore_missing: true
+ - set:
+ field: threat.indicator.type
+ value: file
+ - rename:
+ field: jamf_protect.telemetry.event.xp_malware_remediated.malware_identifier
+ target_field: rule.name
+ ignore_missing: true
+ - rename:
+ field: jamf_protect.telemetry.event.xp_malware_remediated.signature_version
+ target_field: rule.version
+ ignore_missing: true
+##########################
+## ECS Process ##
+##########################
+ - pipeline:
+ name: '{{ IngestPipeline "pipeline_object_process" }}'
diff --git a/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_instigator_object.yml b/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_instigator_object.yml
new file mode 100644
index 00000000000..8cb9345a186
--- /dev/null
+++ b/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_instigator_object.yml
@@ -0,0 +1,81 @@
+---
+description: Pipeline for Jamf instigator_object audit logs.
+processors:
+##########################
+## ECS Process ##
+##########################
+ - rename:
+ field: jamf_protect.telemetry.process.start_time
+ target_field: process.start
+ ignore_missing: true
+ - convert:
+ field: jamf_protect.telemetry.process.audit_token.egid
+ target_field: jamf_protect.telemetry.process.audit_token.egid
+ type: string
+ ignore_missing: true
+ ignore_failure: true
+ - convert:
+ field: jamf_protect.telemetry.process.audit_token.euid
+ target_field: jamf_protect.telemetry.process.audit_token.euid
+ type: string
+ ignore_missing: true
+ ignore_failure: true
+ - append:
+ field: user.effective.id
+ value: '{{{jamf_protect.telemetry.process.audit_token.euid}}}'
+ if: ctx.jamf_protect.telemetry?.process?.audit_token?.euid != null
+ allow_duplicates: false
+ ignore_failure: true
+ - rename:
+ field: jamf_protect.telemetry.process.executable.sha1
+ target_field: process.hash.sha1
+ ignore_missing: true
+ - rename:
+ field: jamf_protect.telemetry.process.executable.sha256
+ target_field: process.hash.sha256
+ ignore_missing: true
+ - rename:
+ field: jamf_protect.telemetry.custom.tty.path
+ target_field: jamf_protect.telemetry.tty
+ ignore_missing: true
+ - set:
+ field: process.interactive
+ value: true
+ if: ctx.jamf_protect.telemetry?.process?.tty != null
+ - append:
+ field: related.hash
+ value: '{{{jamf_protect.telemetry.process.executable.sha1}}}'
+ if: ctx.jamf_protect.telemetry?.process?.instigator?.executable?.sha1 != null
+ allow_duplicates: false
+ ignore_failure: true
+ - convert:
+ field: jamf_protect.telemetry.process.audit_token.pid
+ target_field: process.pid
+ type: long
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - rename:
+ field: jamf_protect.telemetry.process.audit_token.uuid
+ target_field: process.entity_id
+ ignore_missing: true
+ - rename:
+ field: jamf_protect.telemetry.process.executable.path
+ target_field: process.executable
+ ignore_missing: true
+ - rename:
+ field: jamf_protect.telemetry.thread.thread_id
+ target_field: process.thread.id
+ ignore_missing: true
+
+
+##########################
+## ECS Code Signing ##
+##########################
+
+ - rename:
+ field: jamf_protect.telemetry.process.signing_id
+ target_field: process.code_signature.signing_id
+ ignore_missing: true
diff --git a/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_object_process.yml b/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_object_process.yml
new file mode 100644
index 00000000000..7c09a0edda7
--- /dev/null
+++ b/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_object_process.yml
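Review bot: The `process.interactive` set and the `related.hash` append are both conditioned on paths that no longer exist when they run: the tty has just been renamed to `jamf_protect.telemetry.tty`, yet the `if` checks `ctx.jamf_protect.telemetry?.process?.tty`, and the sha1 has just been renamed to `process.hash.sha1`, yet the append reads `jamf_protect.telemetry.process.executable.sha1` and checks `...process?.instigator?.executable?.sha1`, so neither ever fires. Use `if: ctx.jamf_protect?.telemetry?.tty != null` for the set, and `value: '{{{process.hash.sha1}}}'` with `if: ctx.process?.hash?.sha1 != null` for the append. The sha256 that is renamed to `process.hash.sha256` a few lines earlier is not added to `related.hash` here although the object_process hunk does add it; matching that keeps hash pivots consistent across event types.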
@@ -0,0 +1,164 @@
+---
+description: Pipeline for parsing process objects in specific Jamf Protect Telemetry events. This pipeline is called in events where there is no instigator existing and therefore parsing the process object itself.
+processors:
+
+##########################
+## ECS Process ##
+##########################
+ - rename:
+ field: jamf_protect.telemetry.process.start_time
+ target_field: process.start
+ ignore_missing: true
+ - convert:
+ field: jamf_protect.telemetry.process.audit_token.egid
+ target_field: jamf_protect.telemetry.process.audit_token.egid
+ type: string
+ ignore_missing: true
+ - convert:
+ field: jamf_protect.telemetry.process.audit_token.euid
+ target_field: jamf_protect.telemetry.process.audit_token.euid
+ type: string
+ ignore_missing: true
+ - append:
+ field: user.effective.id
+ value: '{{{jamf_protect.telemetry.process.audit_token.euid}}}'
+ if: ctx.jamf_protect.telemetry?.process?.audit_token?.euid != null
+ allow_duplicates: false
+ ignore_failure: true
+ - rename:
+ field: jamf_protect.telemetry.process.is_platform_binary
+ target_field: jamf_protect.telemetry.platform_binary
+ ignore_missing: true
+ - rename:
+ field: jamf_protect.telemetry.process.is_es_client
+ target_field: jamf_protect.telemetry.es_client
+ ignore_missing: true
+ - rename:
+ field: jamf_protect.telemetry.process.cdhash
+ target_field: jamf_protect.telemetry.code_directory_hash
+ ignore_missing: true
+ - rename:
+ field: jamf_protect.telemetry.process.executable.sha1
+ target_field: process.hash.sha1
+ ignore_missing: true
+ - rename:
+ field: jamf_protect.telemetry.process.executable.sha256
+ target_field: process.hash.sha256
+ ignore_missing: true
+ - append:
+ field: related.hash
+ value: '{{{process.hash.sha1}}}'
+ if: ctx.process?.hash?.sha1 != null
+ allow_duplicates: false
+ - append:
+ field: related.hash
+ value: '{{{process.hash.sha256}}}'
+ if: ctx.process?.hash?.sha256 != null
+ allow_duplicates: false
+ - append:
+ field: related.hash
+ value: '{{{jamf_protect.telemetry.code_directory_hash}}}'
+ if: ctx.jamf_protect?.code_directory_hash != null
+ allow_duplicates: false
+ - rename:
+ field: jamf_protect.telemetry.custom.tty.path
+ target_field: jamf_protect.telemetry.tty
+ ignore_missing: true
+ - set:
+ field: process.interactive
+ value: true
+ if: ctx.jamf_protect.telemetry?.process?.tty != null
+ - set:
+ field: process.interactive
+ value: false
+ if: ctx.jamf_protect.telemetry?.process?.tty == null
+ - convert:
+ field: jamf_protect.telemetry.process.audit_token.pid
+ target_field: process.pid
+ type: long
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - rename:
+ field: jamf_protect.telemetry.process.audit_token.uuid
+ target_field: process.entity_id
+ ignore_missing: true
+ - rename:
+ field: jamf_protect.telemetry.process.executable.path
+ target_field: process.executable
+ ignore_missing: true
+ - rename:
+ field: jamf_protect.telemetry.thread.thread_id
+ target_field: process.thread.id
+ ignore_missing: true
+ - rename:
+ field: jamf_protect.telemetry.event.xp_malware_remediated.db_path
+ target_field: process.working_directory
+ ignore_missing: true
+ if: ctx.jamf_protect?.telemetry?.process?.db_path != null
+ - rename:
+ field: jamf_protect.telemetry.process.signing_id
+ target_field: process.code_signature.signing_id
+ ignore_missing: true
+ - rename:
+ field: jamf_protect.telemetry.process.team_id
+ target_field: process.code_signature.team_id
+ ignore_missing: true
+
+##########################
+## ECS Parent Process ##
+##########################
+
+ - rename:
+ field: jamf_protect.telemetry.process.parent_audit_token.uuid
+ target_field: process.parent.entity_id
+ ignore_missing: true
+ - rename:
+ field: jamf_protect.telemetry.process.parent_audit_token.pid
+ target_field: process.parent.pid
+ ignore_missing: true
+ - convert:
+ field: jamf_protect.telemetry.process.parent_audit_token.euid
+ target_field: process.parent.user.id
+ type: string
+ ignore_missing: true
+ - convert:
+ field: jamf_protect.telemetry.process.parent_audit_token.ruid
+ target_field: process.parent.real_user.id
+ type: string
+ ignore_missing: true
+ - convert:
+ field: jamf_protect.telemetry.process.parent_audit_token.rgid
+ target_field: process.parent.real_group.id
+ type: string
+ ignore_missing: true
+
+##########################
+## ECS Responsible Process ##
+##########################
+
+ - rename:
+ field: jamf_protect.telemetry.process.responsible_audit_token.uuid
+ target_field: process.group_leader.entity_id
+ ignore_missing: true
+ - rename:
+ field: jamf_protect.telemetry.process.responsible_audit_token.pid
+ target_field: process.group_leader.pid
+ ignore_missing: true
+ - convert:
+ field: jamf_protect.telemetry.process.responsible_audit_token.euid
+ target_field: process.group_leader.user.id
+ type: string
+ ignore_missing: true
+ - convert:
+ field: jamf_protect.telemetry.process.responsible_audit_token.ruid
+ target_field: process.group_leader.real_user.id
+ type: string
+ ignore_missing: true
+ - convert:
+ field: jamf_protect.telemetry.process.responsible_audit_token.rgid
+ target_field: process.group_leader.real_group.id
+ type: string
+ ignore_missing: true
diff --git a/packages/jamf_protect/data_stream/telemetry/fields/ecs.yml b/packages/jamf_protect/data_stream/telemetry/fields/ecs.yml
index bc907350357..b1a023ec96c
--- a/packages/jamf_protect/data_stream/telemetry/fields/ecs.yml
+++ b/packages/jamf_protect/data_stream/telemetry/fields/ecs.yml
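Review bot: Three conditions in this hunk test paths the preceding processors have already moved, so they are always false: the two `process.interactive` sets check `ctx.jamf_protect.telemetry?.process?.tty` after the tty was renamed to `jamf_protect.telemetry.tty`, which makes `process.interactive` unconditionally `false`, and the cdhash append checks `ctx.jamf_protect?.code_directory_hash` after the value was renamed to `jamf_protect.telemetry.code_directory_hash`. They should read `if: ctx.jamf_protect?.telemetry?.tty != null`, `if: ctx.jamf_protect?.telemetry?.tty == null` and `if: ctx.jamf_protect?.telemetry?.code_directory_hash != null`. An always-false `process.interactive` directly degrades detection rules that separate interactive shells from service-spawned processes, so this is worth a pipeline test case with a tty present. The `db_path` rename is unreachable for the same reason, since the field lives under `event.xp_malware_remediated` while its `if` looks at `telemetry.process.db_path`, and it is not obvious that an XProtect database path is the process's `process.working_directory`; that mapping deserves either a comment explaining the intent or a different target.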
@@ -1,177 +1,282 @@ -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error code describing the error. - name: error.code - type: keyword -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. +- external: ecs + name: observer.version +- external: ecs + name: device.id +- external: ecs + name: device.manufacturer +- external: ecs + name: process.env_vars +- external: ecs + name: process.interactive +- external: ecs + name: process.thread.id +- external: ecs name: event.action - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - Identification code for this event, if one exists. - Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. - name: event.code - type: keyword -- description: |- - `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. 
- This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, `@timestamp` should be used. +- external: ecs name: event.created - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. +- external: ecs + name: event.code +- external: ecs + name: event.ingested +- external: ecs name: event.kind - type: keyword -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false +- external: ecs name: event.original - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. 
- `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. - Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. - Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. +- external: ecs name: event.outcome - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: SHA1 hash. - name: file.hash.sha1 - type: keyword -- description: Full path to the file, including the file name. It should include the drive letter, when appropriate. - multi_fields: - - name: text - type: match_only_text - name: file.path - type: keyword -- description: |- - Use the `os.type` field to categorize the operating system into one of the broad commercial families. - If the OS you're dealing with is not listed as an expected value, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. 
- name: host.os.type - type: keyword -- description: |- - Array of process arguments, starting with the absolute path to the executable. - May be filtered to protect sensitive information. +- external: ecs + name: event.severity +- external: ecs + name: event.start +- external: ecs + name: event.category +- external: ecs + name: event.id +- external: ecs + name: event.timezone +- external: ecs + name: related.ip +- external: ecs + name: related.user +- external: ecs + name: user.name +- external: ecs + name: user.id +- external: ecs + name: user.effective.id +- external: ecs + name: user.domain +- external: ecs + name: user.email +- external: ecs + name: related.hosts +- external: ecs + name: related.hash +- external: ecs name: process.args - type: keyword -- description: |- - The exit code of the process, if this is a termination event. - The field should be absent if there is no exit code for the event (e.g. process start). - name: process.exit_code - type: long -- description: SHA1 hash. - name: process.hash.sha1 - type: keyword -- description: |- - Process name. - Sometimes called program name or similar. - multi_fields: - - name: text - type: match_only_text - name: process.name - type: keyword -- description: Process id. - name: process.pid - type: long -- description: Process id. +- external: ecs + name: process.working_directory +- external: ecs + name: process.args_count +- external: ecs + name: process.executable +- external: ecs name: process.parent.pid - type: long -- description: Unique identifier for the group on the system/platform. +- external: ecs + name: process.group_leader.group.id +- external: ecs name: process.real_group.id - type: keyword -- description: Name of the group. - name: process.real_group.name - type: keyword -- description: Unique identifier of the user. 
+- external: ecs + name: process.parent.real_group.id +- external: ecs + name: process.group_leader.real_group.id +- external: ecs + name: process.entity_id +- external: ecs name: process.real_user.id - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: process.real_user.name - type: keyword -- description: Unique identifier of the user. +- external: ecs + name: process.parent.real_user.id +- external: ecs + name: process.group_leader.real_user.id +- external: ecs name: process.user.id +- external: ecs + name: process.parent.user.id +- external: ecs + name: process.group_leader.user.id +- external: ecs + name: process.group_leader.pid +- external: ecs + name: process.exit_code +- external: ecs + name: process.name +- external: ecs + name: process.pid +- external: ecs + name: process.hash.md5 +- external: ecs + name: process.hash.sha1 +- external: ecs + name: process.hash.sha256 +- external: ecs + name: process.code_signature.signing_id +- external: ecs + name: process.code_signature.status +- external: ecs + name: process.code_signature.team_id +- external: ecs + name: file.hash.md5 +- external: ecs + name: file.hash.sha1 +- external: ecs + name: file.hash.sha256 +- external: ecs + name: file.name +- external: ecs + name: file.path +- external: ecs + name: file.gid +- external: ecs + name: file.inode +- external: ecs + name: file.mode +- external: ecs + name: file.size +- external: ecs + name: file.uid +- external: ecs + name: file.code_signature.signing_id +- external: ecs + name: file.code_signature.status +- external: ecs + name: file.code_signature.team_id +- external: ecs + name: destination.address +- external: ecs + name: destination.as.number +- external: ecs + name: destination.as.organization.name +- external: ecs + name: destination.domain +- external: ecs + name: destination.geo.continent_name +- external: ecs + name: destination.geo.country_iso_code +- external: ecs + name: 
destination.geo.city_name +- external: ecs + name: destination.geo.country_name +- external: ecs + name: destination.geo.location +- external: ecs + name: destination.ip +- external: ecs + name: destination.port +- external: ecs + name: network.direction +- external: ecs + name: network.transport +- external: ecs + name: source.ip +- external: ecs + name: source.port +- external: ecs + name: tags +- external: ecs + name: threat.tactic.id +- external: ecs + name: threat.tactic.reference +- external: ecs + name: threat.tactic.name +- external: ecs + name: threat.technique.id +- external: ecs + name: threat.technique.name +- external: ecs + name: threat.technique.reference +- external: ecs + name: threat.enrichments +- external: ecs + name: threat.software.platforms +- external: ecs + name: threat.indicator.file.path +- external: ecs + name: threat.indicator.type +- external: ecs + name: rule.version +- external: ecs + name: container.image.tag +- external: ecs + name: container.runtime +- external: ecs + name: ecs.version +- external: ecs + name: error.message +- external: ecs + name: event.duration +- external: ecs + name: event.end +- external: ecs + name: event.provider +- external: ecs + name: event.type +- external: ecs + name: file.extension +- external: ecs + name: file.hash.sha512 +- external: ecs + name: log.file.path +- external: ecs + name: log.logger +- external: ecs + name: message +- external: ecs + name: observer.name +- external: ecs + name: observer.product +- external: ecs + name: observer.type +- external: ecs + name: observer.vendor +- external: ecs + name: process.command_line +- external: ecs + name: process.parent.name +- external: ecs + name: process.parent.executable +- external: ecs + name: process.parent.entity_id +- external: ecs + name: process.parent.start +- external: ecs + name: process.parent.code_signature.signing_id +- external: ecs + name: process.parent.code_signature.status +- external: ecs + name: 
process.parent.code_signature.team_id +- external: ecs + name: process.group_leader.name +- external: ecs + name: process.group_leader.executable +- external: ecs + name: process.group_leader.start +- external: ecs + name: process.group_leader.entity_id +- external: ecs + name: process.start +- external: ecs + name: rule.description +- external: ecs + name: rule.name +- external: ecs + name: threat.framework +- external: ecs + name: group.id +- external: ecs + name: group.name +- name: volume.device_name type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: process.user.name - type: keyword -- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). - name: related.hash - type: keyword -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: IP address of the server (IPv4 or IPv6). - name: server.ip - type: ip -- description: Port of the server. - name: server.port - type: long -- description: All the user names or other user identifiers seen on the event. - name: related.user +- name: volume.mount_name type: keyword -- description: List of keywords used to tag each event. - name: tags +- name: volume.file_system_type type: keyword -- description: Unique identifier of the user. - name: user.effective.id +- name: volume.bus_type type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: user.effective.name +- name: volume.nt_name type: keyword -- description: User email address. 
- name: user.email +- name: volume.product_id type: keyword -- description: Unique identifier for the group on the system/platform. - name: user.group.id +- name: volume.product_name type: keyword -- description: Name of the group. - name: user.group.name +- name: volume.removable + type: boolean +- name: volume.serial_number type: keyword -- description: Unique identifier of the user. - name: user.id +- name: volume.size + type: long +- name: volume.vendor_id type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: user.name +- name: volume.vendor_name type: keyword -- external: ecs - name: process.code_signature.signing_id -- external: ecs - name: process.code_signature.status -- external: ecs - name: process.code_signature.team_id +- name: volume.writable + type: boolean diff --git a/packages/jamf_protect/data_stream/telemetry/fields/fields.yml b/packages/jamf_protect/data_stream/telemetry/fields/fields.yml index acd0afa74b7..de9d25bb582 100644 --- a/packages/jamf_protect/data_stream/telemetry/fields/fields.yml +++ b/packages/jamf_protect/data_stream/telemetry/fields/fields.yml 
@@ -1,656 +1,271 @@ - name: jamf_protect.telemetry type: group fields: - - name: arguments + - name: failure_reason + type: keyword + description: The reason that contains why the outcome of the event failed + - name: event_allowed_by_esclient + type: boolean + description: Value to indicate if the event was allowed or denied + - name: attribute_name + type: keyword + description: The name of the attribute that got set + - name: attribute_value + type: keyword + description: The value of the attribute that got set + - name: authorization_judgement_results + type: object + object_type: keyword + description: Results of the authorization judgement + - name: authorization_petition_flags + type: integer + description: Flags associated with the authorization petition + - name: authorization_petition_right_count + type: integer + description: The count of rights in the authorization petition + - name: authorization_petition_rights + type: keyword + description: Rights associated with the authorization petition + - name: bios_firmware_version + type: keyword + description: Version of the BIOS firmware + - name: bios_system_firmware_version + type: keyword + description: Version of the system firmware in BIOS + - name: btm_executable_path + type: keyword + description: Path to the executable in BTM + - name: btm_item_app_url + type: keyword + description: URL of the app in BTM item + - name: btm_item_is_legacy + type: boolean + description: Indicates if the BTM item is legacy + - name: btm_item_is_managed + type: boolean + description: Indicates if the BTM item is managed + - name: btm_item_type + type: keyword + description: Type of the BTM item + - name: btm_item_url + type: keyword + description: URL of the BTM item + - name: btm_item_user_uid + type: keyword + description: UID of the user associated with the BTM item + - name: env_count + type: integer + description: Count of environment variables + - name: from_username + type: keyword + description: Username from 
which an action originated + - name: graphical_session_id + type: keyword + description: ID of the graphical session + - name: identifier + type: keyword + description: Identifier for an entity or action + - name: profile_display_name + type: keyword + description: Display name of the profile + - name: profile_identifier + type: keyword + description: Identifier of the profile + - name: profile_install_source + type: keyword + description: Source from which the profile was installed + - name: profile_is_updated + type: boolean + description: Indicates if the profile is updated + - name: profile_organization + type: keyword + description: Organization associated with the profile + - name: profile_scope + type: keyword + description: Scope of the profile + - name: profile_uuid + type: keyword + description: UUID of the profile + - name: record_name + type: keyword + description: Name of the record + - name: shell + type: keyword + description: Shell associated with the user or process + - name: to_username + type: keyword + description: Username to which an action is directed + - name: tty + type: keyword + description: Software terminal device file that the process is associated with + - name: code_directory_hash + type: keyword + description: Code directory hash of a application bundle + - name: platform_binary + type: boolean + description: This is set to true for all binaries that are shipped with macOS + - name: es_client + type: boolean + description: Set to true if the process is an Endpoint Security client + - name: authentication_method + type: keyword + description: Method used to authenticate + - name: source_address_type + type: keyword + description: Defines the source address type + - name: authentication_result_type + type: keyword + description: Defines the source address type + - name: account_type + type: keyword + description: Defines if it's a user or group + - name: log_entries + type: object + object_type: keyword + description: Log entries 
being collected in an event + - name: authentication_type + type: keyword + description: Type of authentication used to authenticate the user + - name: existing_session + type: boolean + description: If an existing user session was attached to, this is true + - name: graphical_authentication_username + type: keyword + description: The username used for authentication + - name: session_username + type: keyword + description: Username of the loginwindow session + - name: system_performance type: group + description: An array containing system performance metrics fields: - - name: addr - type: keyword - - name: am_failure - type: keyword - - name: am_success - type: keyword - - name: authenticated - type: flattened - - name: child - type: group - fields: - - name: pid - type: long - - name: data - type: keyword - - name: detail - type: keyword - - name: domain - type: keyword - - name: fd - type: keyword - - name: flags - type: keyword - - name: flattened - type: flattened - - name: known_uid - type: keyword - - name: pid + - name: bytes_received type: long - - name: port + description: Bytes received by the task + - name: bytes_received_per_s + type: double + description: Bytes received per second by the task + - name: bytes_sent type: long - - name: priority + description: Bytes sent by the task + - name: bytes_sent_per_s + type: double + description: Bytes sent per second by the task + - name: cputime_ms_per_s + type: double + description: CPU time in milliseconds per second for the task + - name: cputime_ns type: long - - name: process - type: keyword - - name: protocol - type: keyword - - name: request - type: keyword - - name: sflags - type: keyword - - name: signal - type: keyword - - name: target - type: group - fields: - - name: port - type: long - - name: task - type: group - fields: - - name: port - type: long - - name: type - type: keyword - - name: which - type: keyword - - name: who - type: keyword - - name: attributes - type: group - fields: - - name: 
device - type: keyword - - name: file - type: group - fields: - - name: access_mode - type: keyword - - name: system - type: group - fields: - - name: id - type: keyword - - name: node - type: group - fields: - - name: id - type: keyword - - name: owner - type: group - fields: - - name: group - type: group - fields: - - name: id - type: keyword - - name: name - type: keyword - - name: dataset - type: keyword - - name: event_attributes - type: group - fields: - - name: activity_identifier - type: keyword - - name: assessments_enabled + description: CPU time in nanoseconds for the task + - name: cputime_sample_ms_per_s + type: double + description: CPU sample time in milliseconds per second for the task + - name: cputime_userland_ratio + type: double + description: Userland CPU time ratio for the task + - name: diskio_bytesread type: long - - name: attributes - type: group - fields: - - name: ctime - type: date - - name: mtime - type: date - - name: path - type: keyword - - name: quarantine - type: group - fields: - - name: agent_bundle_identifier - type: keyword - - name: agent_name - type: keyword - - name: data_url_string - type: keyword - - name: event_identifier - type: keyword - - name: origin_url_string - type: keyword - - name: timestamp - type: date - - name: requirement - type: keyword - - name: audit_event - type: group - fields: - - name: excluded_processes - type: keyword - - name: excluded_users - type: keyword - - name: audit_event_log_verbose_messages - type: keyword - - name: audit_level + description: Bytes read by disk I/O for the task + - name: diskio_bytesread_per_s + type: double + description: Bytes read per second by disk I/O for the task + - name: diskio_byteswritten type: long - - name: backtrace - type: group - fields: - - name: frames - type: group - fields: - - name: image_offset - type: long - - name: image_uuid - type: keyword - - name: build_alias_of - type: keyword - - name: build_version - type: keyword - - name: category - type: 
keyword - - name: cf_bundle_short_version_string - type: keyword - - name: cf_bundle_version - type: keyword - - name: dev_id_enabled + description: Bytes written by disk I/O for the task + - name: diskio_byteswritten_per_s + type: double + description: Bytes written per second by disk I/O for the task + - name: energy_impact + type: double + description: Energy impact of the task + - name: energy_impact_per_s + type: double + description: Energy impact per second of the task + - name: idle_wakeups type: long - - name: event - type: group - fields: - - name: message - type: keyword - - name: type - type: keyword - - name: file_event - type: group - fields: - - name: exclusion_paths - type: keyword - - name: inclusion_paths - type: keyword - - name: use_fuzzy_match - type: long - - name: file_license_info - type: group - fields: - - name: license_expiration_date - type: date - - name: license_key - type: keyword - - name: license_type - type: keyword - - name: license_version - type: keyword - - name: format_string - type: keyword - - name: job - type: group - fields: - - name: completed_time - type: date - - name: creation_time - type: date - - name: destination - type: keyword - - name: format - type: keyword - - name: id - type: keyword - - name: processing_time - type: date - - name: size - type: keyword - - name: state - type: keyword - - name: title - type: keyword - - name: user - type: keyword - - name: log - type: group - fields: - - name: file - type: group - fields: - - name: location - type: keyword - - name: max_number_backups - type: long - - name: max_size_mega_bytes - type: long - - name: ownership - type: keyword - - name: permission - type: keyword - - name: remote_endpoint_enabled - type: long - - name: remote_endpoint_type - type: keyword - - name: remote_endpoint_type_awskinesis - type: group - fields: - - name: access_key_id - type: keyword - - name: region - type: keyword - - name: secret_key - type: keyword - - name: stream_name - type: 
keyword - - name: remote_endpoint_url - type: keyword - - name: mach_timestamp - type: keyword - - name: opaque_version - type: keyword - - name: parent_activity_identifier - type: keyword - - name: path - type: keyword - - name: process - type: group - fields: - - name: id - type: long - - name: image - type: group - fields: - - name: path - type: keyword - - name: uuid - type: keyword - - name: project_name - type: keyword - - name: sender - type: group - fields: - - name: id - type: long - - name: image - type: group - fields: - - name: path - type: keyword - - name: uuid - type: keyword - - name: program_counter - type: long - - name: source - type: keyword - - name: source_version - type: keyword - - name: subsystem - type: keyword - - name: timestamp - type: date - - name: timezone_name - type: keyword - - name: thread_id - type: keyword - - name: trace_id - type: keyword - - name: unified_log_predicates - type: keyword - - name: version - type: keyword - - name: event_score - type: long - - name: exec_args - type: group - fields: - - name: args - type: flattened - - name: args_compiled - type: keyword - - name: exec_chain_child - type: group - fields: - - name: parent - type: group - fields: - - name: path - type: text - - name: uuid - type: keyword - - name: exec_chain_parent - type: group - fields: - - name: uuid - type: keyword - - name: exec_env - type: group - fields: - - name: env - type: group - fields: - - name: arch - type: keyword - - name: compiled - type: keyword - - name: malwarebytes_group - type: keyword - - name: path - type: text - - name: shell - type: keyword - - name: ssh_auth_sock - type: keyword - - name: tmpdir - type: keyword - - name: xpc - type: group - fields: - - name: flags - type: keyword - - name: service_name - type: keyword - - name: env_compiled - type: keyword - - name: exit - type: group - fields: - - name: return - type: group - fields: - - name: value - type: long - - name: status - type: keyword - - name: 
file_event_info - type: group - fields: - - name: eventid_wrapped - type: boolean - - name: history_done - type: boolean - - name: item - type: group - fields: - - name: change_owner - type: boolean - - name: cloned - type: boolean - - name: created - type: boolean - - name: extended_attribute_modified - type: boolean - - name: finder_info_modified - type: boolean - - name: inode_metadata_modified - type: boolean - - name: is_directory - type: boolean - - name: is_file - type: boolean - - name: is_hard_link - type: boolean - - name: is_last_hard_link - type: boolean - - name: is_sym_link - type: boolean - - name: removed - type: boolean - - name: renamed - type: boolean - - name: updated - type: boolean - - name: kernel_dropped - type: boolean - - name: mount - type: boolean - - name: must_scan_sub_dir - type: boolean - - name: none - type: boolean - - name: own_event - type: boolean - - name: root_changed - type: boolean - - name: unmount - type: boolean - - name: user_dropped - type: boolean - - name: hardware_event_info - type: group - fields: - - name: device - type: group - fields: - - name: class - type: keyword - - name: name - type: keyword - - name: status - type: keyword - - name: device_attributes - type: group - fields: - - name: io - type: group - fields: - - name: cf_plugin_types - type: flattened - - name: class_name_override - type: keyword - - name: power_management - type: group - fields: - - name: capability_flags - type: keyword - - name: current_power_state - type: long - - name: device_power_state - type: long - - name: driver_power_state - type: long - - name: max_power_state - type: long - - name: iserial_number - type: long - - name: removable - type: keyword - - name: usb - type: group - fields: - - name: product_name - type: keyword - - name: vendor_name - type: keyword - - name: header - type: group - fields: - - name: action - type: keyword - - name: event_modifier - type: keyword - - name: time_milliseconds_offset + description: Number 
of idle wakeups for the task + - name: interval_ns type: long - - name: version - type: keyword - - name: host_info - type: group - fields: - - name: host - type: group - fields: - - name: uuid - type: keyword - - name: identity - type: group - fields: - - name: cd_hash + description: Interval in nanoseconds + - name: intr_wakeups_per_s + type: double + description: Interrupt wakeups per second for the task + - name: name type: keyword - - name: signer - type: group - fields: - - name: id - type: keyword - - name: id_truncated - type: keyword - - name: type - type: keyword - - name: team - type: group - fields: - - name: id - type: keyword - - name: id_truncated - type: keyword - - name: path - type: keyword - - name: process - type: group - fields: - - name: effective - type: group - fields: - - name: group - type: group - fields: - - name: id - type: keyword - - name: name - type: keyword - - name: user - type: group - fields: - - name: id - type: keyword - - name: name - type: keyword - - name: group - type: group - fields: - - name: id - type: keyword - - name: name - type: keyword + description: Name of the task + - name: packets_received + type: long + description: Packets received by the task + - name: packets_received_per_s + type: double + description: Packets received per second by the task + - name: packets_sent + type: long + description: Packets sent by the task + - name: packets_sent_per_s + type: double + description: Packets sent per second by the task + - name: pageins + type: long + description: Page-ins by the task + - name: pageins_per_s + type: double + description: Page-ins per second by the task - name: pid type: long - - name: name - type: keyword - - name: session - type: group - fields: - - name: id - type: keyword - - name: terminal_id - type: group - fields: - - name: addr - type: keyword - - name: ip_address - type: ip - - name: port - type: long - - name: type - type: keyword - - name: user - type: group - fields: - - name: id - type: 
keyword - - name: name - type: keyword - - name: return - type: group - fields: - - name: description - type: keyword - - name: signal_event_info - type: group - fields: - - name: signal + description: Process ID of the task + - name: qos_background_ms_per_s + type: double + description: QoS background time in milliseconds per second for the task + - name: qos_background_ns type: long - - name: socket - type: group - fields: - - name: inet - type: group - fields: - - name: addr - type: keyword - - name: family - type: keyword - - name: id - type: keyword - - name: unix - type: group - fields: - - name: family - type: keyword - - name: path - type: text - - name: subject - type: group - fields: - - name: audit - type: group - fields: - - name: id - type: keyword - - name: user - type: group - fields: - - name: name - type: keyword - - name: effective - type: group - fields: - - name: group - type: group - fields: - - name: id - type: keyword - - name: name - type: keyword - - name: user - type: group - fields: - - name: id - type: keyword - - name: name - type: keyword - - name: process - type: group - fields: - - name: name - type: keyword - - name: pid - type: long - - name: responsible - type: group - fields: - - name: process - type: group - fields: - - name: id - type: keyword - - name: name - type: keyword - - name: session - type: group - fields: - - name: id - type: keyword - - name: terminal_id - type: group + description: QoS background time in nanoseconds for the task + - name: qos_default_ms_per_s + type: double + description: QoS default time in milliseconds per second for the task + - name: qos_default_ns + type: long + description: QoS default time in nanoseconds for the task + - name: qos_disabled_ms_per_s + type: double + description: QoS disabled time in milliseconds per second for the task + - name: qos_disabled_ns + type: long + description: QoS disabled time in nanoseconds for the task + - name: qos_maintenance_ms_per_s + type: double + 
description: QoS maintenance time in milliseconds per second for the task + - name: qos_maintenance_ns + type: long + description: QoS maintenance time in nanoseconds for the task + - name: qos_user_initiated_ms_per_s + type: double + description: QoS user-initiated time in milliseconds per second for the task + - name: qos_user_initiated_ns + type: long + description: QoS user-initiated time in nanoseconds for the task + - name: qos_user_interactive_ms_per_s + type: double + description: QoS user-interactive time in milliseconds per second for the task + - name: qos_user_interactive_ns + type: long + description: QoS user-interactive time in nanoseconds for the task + - name: qos_utility_ms_per_s + type: double + description: QoS utility time in milliseconds per second for the task + - name: qos_utility_ns + type: long + description: QoS utility time in nanoseconds for the task + - name: started_abstime_ns + type: long + description: Absolute start time in nanoseconds for the task + - name: timer_wakeups + type: nested + description: Timer wakeups for the task fields: - - name: addr - type: keyword - - name: port + - name: wakeups type: long - - name: type - type: keyword - - name: texts + description: Number of wakeups + - name: error_message type: keyword -- name: log.source.address - type: keyword - description: Source address from which the log event was read / sent from. + description: Contains the event specific error message diff --git a/packages/jamf_protect/data_stream/telemetry/manifest.yml b/packages/jamf_protect/data_stream/telemetry/manifest.yml index edb31113742..4db1c2ec960 100644 --- a/packages/jamf_protect/data_stream/telemetry/manifest.yml +++ b/packages/jamf_protect/data_stream/telemetry/manifest.yml 
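Review bot: `authentication_result_type` carries the description `Defines the source address type`, which duplicates the description of `source_address_type` directly above it and reads like a copy-paste slip; it should describe the outcome of the authentication attempt, e.g. `description: Result type of the authentication attempt`. `code_directory_hash` has a small grammar slip, `of a application bundle` should be `of an application bundle`. `system_performance` is described as `An array containing system performance metrics` but is mapped as a plain `group`, so an array of task objects will be flattened by Elasticsearch and the per-task association between `name`, `pid` and the metric values is lost at query time; if the source really is an array, consider `type: nested` (as `timer_wakeups` inside it already uses) or document that only the flattened values are searchable. The hunk also removes `log.source.address` with no replacement visible here, which is fine if the telemetry stream no longer uses the http_endpoint input, but worth confirming.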
@@ -73,7 +73,7 @@ streams: multi: false required: false show_user: true - default: protect-/telemetries/ + default: protect-/telemetriesV2/ description: Prefix to apply for the list request to the S3 bucket. - name: jamf_protect_bucket_name type: text diff --git a/packages/jamf_protect/data_stream/telemetry/sample_event.json b/packages/jamf_protect/data_stream/telemetry/sample_event.json index bfd5decf38a..ab63f16e7e9 100644 --- a/packages/jamf_protect/data_stream/telemetry/sample_event.json +++ b/packages/jamf_protect/data_stream/telemetry/sample_event.json 
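Review bot: The default changes to `protect-/telemetriesV2/`, but the `description` line below it is unchanged and gives no hint that this prefix selects the V2 telemetry format; deployments that kept the old `protect-/telemetries/` value will keep listing the old objects after upgrading, which this stream's new mappings may no longer parse. Suggest extending the description, e.g. `description: Prefix to apply for the list request to the S3 bucket. The current telemetry format is written under protect-/telemetriesV2/; the previous protect-/telemetries/ prefix belongs to the telemetry_legacy data stream.` The split between the two prefixes is inferred from the telemetry_legacy test file added later in this diff, so confirm before wording it that way.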
@@ -1,168 +1,154 @@ { - "@timestamp": "2024-02-06T16:01:34.442Z", + "@timestamp": "2024-06-12T21:17:49.148Z", "agent": { - "ephemeral_id": "a0a97e34-86ea-435f-8629-308f4c17a3b1", - "id": "c3650180-e3d1-4dad-9094-89c988e721d7", + "ephemeral_id": "693d67f8-0ad2-49d0-898d-eab743600cca", + "id": "8e815812-b6dc-4364-9622-da2462209a37", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.13.0" + "version": "8.13.2" }, "data_stream": { "dataset": "jamf_protect.telemetry", "namespace": "ep", "type": "logs" }, - "ecs": { - "version": "8.11.0" - }, "elastic_agent": { - "id": "c3650180-e3d1-4dad-9094-89c988e721d7", + "id": "8e815812-b6dc-4364-9622-da2462209a37", "snapshot": false, - "version": "8.13.0" + "version": "8.13.2" + }, + "device": { + "id": "123ABC456DJ", + "manufacturer": "Apple" }, - "error": { - "code": "0" + "ecs": { + "version": "8.11.0" }, "event": { - "action": "aue_posix_spawn", - "agent_id_status": "verified", + "action": "exec", "category": [ - "authentication" + "process" ], - "code": "43190", - "dataset": "jamf_protect.telemetry", - "ingested": "2024-05-17T00:10:39Z", + "code": "9", + "id": "CDB31202-8CB4-4C72-A9C6-7F494CD5F598", "kind": "event", - "outcome": "success", + "provider": "Jamf Protect", + "reason": "A new process has been executed", + "sequence": 202, + "start": "2024-05-31T09:47:12.436Z", "type": [ - "info" + "info", + "start" ] }, "host": { - "hostname": "Mac mini", - "id": "H2WGF2U9Q6NV", + "hostname": "MacBookPro", + "id": "00006030-001E301C0228001C", "ip": [ - "0.0.0.0" + "192.168.11.251", + "192.168.64.1", + "192.168.11.232" ], "os": { - "version": "Version 14.2.1 (Build 23C71)" + "family": "macos", + "full": "14.5 (Build 23F79)", + "name": "macOS", + "type": "macos", + "version": "14.5" } }, - "input": { - "type": "http_endpoint" - }, "jamf_protect": { "telemetry": { - "arguments": { - "child": { - "pid": 70851 - } - }, - "dataset": "audit", - "exec_args": { - "args_compiled": "/usr/bin/profiles,status,-type,enrollment" 
- }, - "exec_chain_parent": { - "uuid": "87F2E500-EDF1-4F12-A489-C5E05B0F523E" - }, - "exec_env": { - "env": { - "compiled": "PWD=/,PATH=/usr/bin:/bin:/usr/sbin:/sbin" - } - }, - "header": { - "event_modifier": "0", - "version": "11" - }, - "host_info": { - "host": { - "uuid": "AE2FA359-6AB0-5F54-9E4A-39EDCF015C91" - } - }, - "identity": { - "cd_hash": "a2c787fe5e26ead7c68909e45a75edced4147c68", - "signer": { - "id_truncated": "false", - "type": "0" - } - }, - "path": [ - "/usr/bin/profiles", - "/usr/bin/profiles" - ], - "return": { - "description": "success" - }, - "subject": { - "effective": { - "group": { - "id": "0", - "name": "wheel" - } - }, - "process": { - "name": "/Library/Application Support/Microsoft/EdgeUpdater/118.0.2088.86/EdgeUpdater.app/Contents/MacOS/EdgeUpdater", - "pid": 70848 - }, - "session": { - "id": "100016" - }, - "terminal_id": { - "port": 0, - "type": "4" - } - } + "code_directory_hash": "23c70bd9b41017f9878af49bc2c46f7c8a70680b", + "es_client": false, + "event_allowed_by_esclient": false, + "platform_binary": true } }, + "observer": { + "product": "Jamf Protect", + "type": "Endpoint Security", + "vendor": "Jamf", + "version": "5.5.0.6" + }, "process": { "args": [ - "/usr/bin/profiles", - "status", - "-type", - "enrollment" + "/bin/zsh", + "-c", + "/var/folders/fm/j970swbn73dfnkjgsqjxxvj40000gp/T/eicar" ], + "args_count": 3, "code_signature": { - "signing_id": "com.microsoft.EdgeUpdater", - "team_id": "UBF8T346G9" + "signing_id": "com.apple.zsh" }, - "exit_code": 0, - "hash": { - "sha1": "9cfc802baf45b74693d146686ebe9ec59ac6367f" + "entity_id": "1278137C-15D6-53CE-AB0A-FC9499BC8E05", + "env_vars": [ + "USER=jappleseed", + "COMMAND_MODE=unix2003", + "__CFBundleIdentifier=com.txhaflaire.JamfCheck", + "PATH=/usr/bin:/bin:/usr/sbin:/sbin", + "LOGNAME=jappleseed", + "SSH_AUTH_SOCK=/private/tmp/com.apple.launchd.Ah3WvMOC65/Listeners", + "HOME=/Users/jappleseed", + "SHELL=/bin/zsh", + "TMPDIR=/var/folders/fm/j970swbn73dfnkjgsqjxxvj40000gp/T/", + 
"__CF_USER_TEXT_ENCODING=0x1F6:0x0:0x0", + "XPC_SERVICE_NAME=application.com.txhaflaire.JamfCheck.30852344.30852350", + "XPC_FLAGS=0x0" + ], + "executable": "/bin/zsh", + "group_leader": { + "entity_id": "A7EDC884-C034-50E7-A3AA-2E281B3E0777", + "pid": 64632, + "real_group": { + "id": "20" + }, + "real_user": { + "id": "502" + }, + "user": { + "id": "502" + } }, - "real_group": { - "id": "0", - "name": "wheel" + "interactive": false, + "parent": { + "entity_id": "A7EDC884-C034-50E7-A3AA-2E281B3E0777", + "pid": 64632, + "real_group": { + "id": "20" + }, + "real_user": { + "id": "502" + }, + "user": { + "id": "502" + } }, - "real_user": { - "id": "4294967295" + "pid": 91306, + "start": "2024-05-31T09:47:12.000Z", + "thread": { + "id": 5215860 }, - "user": { - "id": "0", - "name": "root" - } + "working_directory": "/" }, "related": { "hash": [ - "9cfc802baf45b74693d146686ebe9ec59ac6367f" + "23c70bd9b41017f9878af49bc2c46f7c8a70680b" ], "hosts": [ - "Mac mini" + "MacBookPro" ], "ip": [ - "0.0.0.0" - ], - "user": [ - "root" + "192.168.11.251", + "192.168.64.1", + "192.168.11.232" ] }, - "tags": [ - "forwarded", - "jamf_protect-telemetry" - ], "user": { - "id": "0", - "name": [ - "root" - ] + "effective": { + "id": [ + "502" + ] + } } } \ No newline at end of file diff --git a/packages/jamf_protect/data_stream/telemetry_legacy/_dev/test/pipeline/test-jamf-protect-telemetry-legacy-sample-logs.log b/packages/jamf_protect/data_stream/telemetry_legacy/_dev/test/pipeline/test-jamf-protect-telemetry-legacy-sample-logs.log new file mode 100644 index 00000000000..c69289167df --- /dev/null +++ b/packages/jamf_protect/data_stream/telemetry_legacy/_dev/test/pipeline/test-jamf-protect-telemetry-legacy-sample-logs.log 
@@ -0,0 +1,7 @@ +{"arguments":{"child_PID":70851},"attributes":{"device":0,"file_access_mode":33261,"file_system_id":16777229,"node_id":632456,"owner_group_id":0,"owner_group_name":"wheel","owner_user_id":0,"owner_user_name":"root"},"exec_args":{"args":{"1":"/usr/bin/profiles","2":"status","3":"-type","4":"enrollment"},"args_compiled":"/usr/bin/profiles,status,-type,enrollment"},"exec_chain":{"thread_uuid":"EB3B7725-EB0E-4710-BCA6-F390DD9AE309"},"exec_chain_parent":{"uuid":"87F2E500-EDF1-4F12-A489-C5E05B0F523E"},"exec_env":{"env":{"PATH":"/usr/bin:/bin:/usr/sbin:/sbin","PWD":"/"},"env_compiled":"PWD=/,PATH=/usr/bin:/bin:/usr/sbin:/sbin"},"header":{"event_id":43190,"event_modifier":0,"event_name":"AUE_POSIX_SPAWN","time_milliseconds_offset":442,"time_seconds_epoch":1707235294,"version":11},"host_info":{"host_name":"Mac mini","host_uuid":"AE2FA359-6AB0-5F54-9E4A-39EDCF015C91","osversion":"Version 14.2.1 (Build 23C71)","serial_number":"H2WGF2U9Q6NV"},"identity":{"cd_hash":"a2c787fe5e26ead7c68909e45a75edced4147c68","signer_id":"com.microsoft.EdgeUpdater","signer_id_truncated":false,"signer_type":0,"team_id":"UBF8T346G9","team_id_truncated":false},"key":"FF48B7F5-C8CD-42E6-8782-5A92D1BD87CE","path":["/usr/bin/profiles","/usr/bin/profiles"],"return":{"description":"success","error":0,"return_value":0},"subject":{"audit_id":4294967295,"audit_user_name":"","effective_group_id":0,"effective_group_name":"wheel","effective_user_id":0,"effective_user_name":"root","group_id":0,"group_name":"wheel","process_hash":"9cfc802baf45b74693d146686ebe9ec59ac6367f","process_id":70848,"process_name":"/Library/Application Support/Microsoft/EdgeUpdater/118.0.2088.86/EdgeUpdater.app/Contents/MacOS/EdgeUpdater","responsible_process_id":70837,"responsible_process_name":"/Library/Application Support/Microsoft/EdgeUpdater/118.0.2088.86/EdgeUpdater.app/Contents/MacOS/EdgeUpdater","session_id":100016,"terminal_id":{"ip_address":"0.0.0.0","port":0,"type":4},"user_id":0,"user_name":"root"}} 
+{"arguments":{"child_PID":70848},"attributes":{"device":0,"file_access_mode":33261,"file_system_id":16777229,"node_id":63665431,"owner_group_id":80,"owner_group_name":"admin","owner_user_id":0,"owner_user_name":"root"},"exec_args":{"args":{"1":"EdgeUpdater","2":"--server","3":"--service=update","4":"--enable-logging","5":"--vmodule=*/components/update_client/*=2,*/chrome/updater/*=2","6":"--system"},"args_compiled":"EdgeUpdater,--server,--service=update,--enable-logging,--vmodule=*/components/update_client/*=2,*/chrome/updater/*=2,--system"},"exec_chain":{"thread_uuid":"19B9384C-9C21-4C6C-9954-355AD780910C"},"exec_chain_child":{"parent_path":"/Library/Application Support/Microsoft/EdgeUpdater/118.0.2088.86/EdgeUpdater.app/Contents/MacOS/EdgeUpdater","parent_pid":70844,"parent_uuid":"93082F2D-206D-4FA8-925B-6548C6B247C1"},"exec_chain_parent":{"uuid":"EB3B7725-EB0E-4710-BCA6-F390DD9AE309"},"exec_env":{"env":{"PATH":"/usr/bin:/bin:/usr/sbin:/sbin","PWD":"/"},"env_compiled":"PWD=/,PATH=/usr/bin:/bin:/usr/sbin:/sbin"},"header":{"event_id":43190,"event_modifier":0,"event_name":"AUE_POSIX_SPAWN","time_milliseconds_offset":427,"time_seconds_epoch":1707235294,"version":11},"host_info":{"host_name":"Mac mini","host_uuid":"AE2FA359-6AB0-5F54-9E4A-39EDCF015C91","osversion":"Version 14.2.1 (Build 23C71)","serial_number":"H2WGF2U9Q6NV"},"identity":{"cd_hash":"abbed514a26c2f8c80e08a6d81d72ea8029739fe","signer_id":"com.microsoft.EdgeUpdater","signer_id_truncated":false,"signer_type":0,"team_id":"UBF8T346G9","team_id_truncated":false},"key":"0BE676E2-FFDB-4A75-BBEA-F783E0E573E8","path":["/Library/Application Support/Microsoft/EdgeUpdater/118.0.2088.86/EdgeUpdater.app/Contents/MacOS/EdgeUpdater","/Library/Application 
Support/Microsoft/EdgeUpdater/118.0.2088.86/EdgeUpdater.app/Contents/MacOS/EdgeUpdater"],"return":{"description":"success","error":0,"return_value":0},"subject":{"audit_id":4294967295,"audit_user_name":"","effective_group_id":0,"effective_group_name":"wheel","effective_user_id":0,"effective_user_name":"root","group_id":0,"group_name":"wheel","process_hash":"0237c54b185a3b516bb2918132d9d05de10eaa7c","process_id":70847,"process_name":"/Library/Application Support/Microsoft/EdgeUpdater/118.0.2088.86/EdgeUpdater.app/Contents/Helpers/launcher","responsible_process_id":70837,"responsible_process_name":"/Library/Application Support/Microsoft/EdgeUpdater/118.0.2088.86/EdgeUpdater.app/Contents/MacOS/EdgeUpdater","session_id":100016,"terminal_id":{"ip_address":"0.0.0.0","port":0,"type":4},"user_id":0,"user_name":"root"}} +{"arguments":{"child_PID":70843},"attributes":{"device":0,"file_access_mode":35309,"file_system_id":16777229,"node_id":63665429,"owner_group_id":80,"owner_group_name":"admin","owner_user_id":0,"owner_user_name":"root"},"exec_args":{"args":{"1":"/Library/Application Support/Microsoft/EdgeUpdater/118.0.2088.86/EdgeUpdater.app/Contents/Helpers/launcher","2":"--internal"},"args_compiled":"/Library/Application Support/Microsoft/EdgeUpdater/118.0.2088.86/EdgeUpdater.app/Contents/Helpers/launcher,--internal"},"exec_chain":{"thread_uuid":"3DB0D0B9-31ED-4E4D-9366-C07B622AEBEB"},"exec_chain_parent":{"uuid":"93E2DBD5-9546-430E-ADA0-CA460E0A80C9"},"exec_env":{"env":{"PATH":"/usr/bin:/bin:/usr/sbin:/sbin","XPC_FLAGS":"0x0","XPC_SERVICE_NAME":"com.microsoft.EdgeUpdater.wake.system"},"env_compiled":"XPC_SERVICE_NAME=com.microsoft.EdgeUpdater.wake.system,PATH=/usr/bin:/bin:/usr/sbin:/sbin,XPC_FLAGS=0x0"},"header":{"event_id":43190,"event_modifier":0,"event_name":"AUE_POSIX_SPAWN","time_milliseconds_offset":316,"time_seconds_epoch":1707235293,"version":11},"host_info":{"host_name":"Mac mini","host_uuid":"AE2FA359-6AB0-5F54-9E4A-39EDCF015C91","osversion":"Version 14.2.1 
(Build 23C71)","serial_number":"H2WGF2U9Q6NV"},"identity":{"cd_hash":"a2c787fe5e26ead7c68909e45a75edced4147c68","signer_id":"com.microsoft.EdgeUpdater","signer_id_truncated":false,"signer_type":0,"team_id":"UBF8T346G9","team_id_truncated":false},"key":"18922E6D-7EDA-460B-A5DC-D9B92BA8085E","path":["/Library/Application Support/Microsoft/EdgeUpdater/118.0.2088.86/EdgeUpdater.app/Contents/Helpers/launcher","/Library/Application Support/Microsoft/EdgeUpdater/118.0.2088.86/EdgeUpdater.app/Contents/Helpers/launcher"],"return":{"description":"success","error":0,"return_value":0},"subject":{"audit_id":4294967295,"audit_user_name":"","effective_group_id":0,"effective_group_name":"wheel","effective_user_id":0,"effective_user_name":"root","group_id":0,"group_name":"wheel","process_hash":"9cfc802baf45b74693d146686ebe9ec59ac6367f","process_id":70840,"process_name":"/Library/Application Support/Microsoft/EdgeUpdater/118.0.2088.86/EdgeUpdater.app/Contents/MacOS/EdgeUpdater","responsible_process_id":70837,"responsible_process_name":"/usr/libexec/xpcproxy","session_id":100016,"terminal_id":{"ip_address":"0.0.0.0","port":0,"type":4},"user_id":0,"user_name":"root"}} +{"arguments":{"fd":4},"exec_chain":{"thread_uuid":"2AE4FC6A-7F96-4B7A-B045-D6B3FDED39FE"},"header":{"event_id":32,"event_modifier":0,"event_name":"AUE_CONNECT","time_milliseconds_offset":755,"time_seconds_epoch":1707235837,"version":11},"host_info":{"host_name":"Goomba","host_uuid":"667A9510-585B-526B-9B61-47BD834C8ECE","osversion":"Version 14.2.1 (Build 
23C71)","serial_number":"H2WHM0PAQ6NV"},"identity":{"cd_hash":"67ed44d08677ea5d2eb9c7db71be23b127bd3e99","signer_id":"com.apple.nfcd","signer_id_truncated":false,"signer_type":1,"team_id":"","team_id_truncated":false},"key":"B9C086AE-78C8-4F01-A77D-4AE422F9366D","return":{"description":"success","error":0,"return_value":0},"subject":{"audit_id":4294967295,"audit_user_name":"","effective_group_id":260,"effective_group_name":"_applepay","effective_user_id":260,"effective_user_name":"_applepay","group_id":260,"group_name":"_applepay","process_hash":"137517d0be201cfbf8e9dd97765b3f38f0ae4de5","process_id":1002,"process_name":"/usr/libexec/nfcd","responsible_process_id":1002,"responsible_process_name":"/usr/libexec/nfcd","session_id":100015,"terminal_id":{"ip_address":"0.0.0.0","port":0,"type":4},"user_id":260,"user_name":"_applepay"}} +{"arguments":{"fd":5},"exec_chain":{"thread_uuid":"39896B66-2B2C-4D33-9A75-58154E8EB508"},"header":{"event_id":32,"event_modifier":0,"event_name":"AUE_CONNECT","time_milliseconds_offset":473,"time_seconds_epoch":1707235836,"version":11},"host_info":{"host_name":"Mac mini","host_uuid":"AE2FA359-6AB0-5F54-9E4A-39EDCF015C91","osversion":"Version 14.2.1 (Build 
23C71)","serial_number":"H2WGF2U9Q6NV"},"identity":{"cd_hash":"beef65d6aeba15d0dd7ef1a076d4bcbd386c1652","signer_id":"com.apple.mdmclient","signer_id_truncated":false,"signer_type":1,"team_id":"","team_id_truncated":false},"key":"F3DBBFB9-2FF7-4A14-A57F-A18F9D9E6FD1","return":{"description":"success","error":0,"return_value":0},"subject":{"audit_id":4294967295,"audit_user_name":"","effective_group_id":0,"effective_group_name":"wheel","effective_user_id":0,"effective_user_name":"root","group_id":0,"group_name":"wheel","process_hash":"b71712207edc22d9b5753aac0d927a7d9ded719d","process_id":70971,"process_name":"/usr/libexec/mdmclient","responsible_process_id":70971,"responsible_process_name":"/usr/libexec/mdmclient","session_id":100016,"terminal_id":{"ip_address":"0.0.0.0","port":0,"type":4},"user_id":0,"user_name":"root"}} +{"exec_chain":{"thread_uuid":"340F694C-4A80-4008-8B99-AEF108250576"},"header":{"event_id":45025,"event_modifier":0,"event_name":"AUE_ssauthorize","time_milliseconds_offset":477,"time_seconds_epoch":1707234868,"version":11},"host_info":{"host_name":"Mac mini","host_uuid":"AE2FA359-6AB0-5F54-9E4A-39EDCF015C91","osversion":"Version 14.2.1 (Build 
23C71)","serial_number":"H2WGF2U9Q6NV"},"identity":{"cd_hash":"fc3dce73c15ec7a1cba507101fec3a47e268fa27","signer_id":"com.apple.authd","signer_id_truncated":false,"signer_type":1,"team_id":"","team_id_truncated":false},"key":"DF67FD17-2BE4-4811-933F-78CBA33BAD93","rateLimitingSeconds":1800,"return":{"description":"success","error":0,"return_value":0},"subject":{"audit_id":4294967295,"audit_user_name":"","effective_group_id":0,"effective_group_name":"wheel","effective_user_id":0,"effective_user_name":"root","group_id":0,"group_name":"wheel","process_hash":"b71712207edc22d9b5753aac0d927a7d9ded719d","process_id":69544,"process_name":"/usr/libexec/mdmclient","responsible_process_id":69544,"responsible_process_name":"/usr/libexec/mdmclient","session_id":100016,"terminal_id":{"ip_address":"0.0.0.0","port":959597,"type":4},"user_id":0,"user_name":"root"},"texts":["com.apple.ServiceManagement.daemons.modify","client /usr/libexec/mdmclient","creator /usr/libexec/mdmclient"]} +{"arguments":{"am_failure":0,"am_success":0,"sflags":0},"exec_chain":{"thread_uuid":"8FEACD31-E575-45F4-9A31-F81A6EDF68A8"},"header":{"event_id":44903,"event_modifier":0,"event_name":"AUE_SESSION_END","time_milliseconds_offset":272,"time_seconds_epoch":1707235736,"version":11},"host_info":{"host_name":"Goomba","host_uuid":"667A9510-585B-526B-9B61-47BD834C8ECE","osversion":"Version 14.2.1 (Build 23C71)","serial_number":"H2WHM0PAQ6NV"},"key":"79C80894-E1A4-4BC3-A974-B6EC69CB172D","return":{"description":"success","error":0,"return_value":0},"subject":{"audit_id":4294967295,"audit_user_name":"","effective_group_id":0,"effective_group_name":"wheel","effective_user_id":0,"effective_user_name":"root","group_id":0,"group_name":"wheel","process_hash":"","process_id":0,"process_name":"","responsible_process_id":0,"responsible_process_name":"","session_id":101188,"terminal_id":{"ip_address":"0.0.0.0","port":0,"type":4},"user_id":0,"user_name":"root"}} 
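Review bot: The fixture records carry what look like real hardware identifiers rather than synthetic ones — `serial_number` values `H2WGF2U9Q6NV` and `H2WHM0PAQ6NV`, two `host_uuid` values, and hostnames such as `Goomba` — and the companion expected file maps the serial straight into `host.id`. Test data committed to a public repository should use obviously constructed values (for example `serial_number: "SERIAL-TEST-0001"`, a fixed nil-style UUID), since golden files are copied around freely and these identifiers are stable across the device's lifetime. If the values are replaced, the expected JSON for this data stream needs to be regenerated so `host.id`, `jamf_protect.telemetry.host_info.host.uuid` and `related.hosts` stay consistent with it.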
diff --git a/packages/jamf_protect/data_stream/telemetry_legacy/_dev/test/pipeline/test-jamf-protect-telemetry-legacy-sample-logs.log-expected.json b/packages/jamf_protect/data_stream/telemetry_legacy/_dev/test/pipeline/test-jamf-protect-telemetry-legacy-sample-logs.log-expected.json new file mode 100644 index 00000000000..2b186323874 --- /dev/null +++ b/packages/jamf_protect/data_stream/telemetry_legacy/_dev/test/pipeline/test-jamf-protect-telemetry-legacy-sample-logs.log-expected.json 
@@ -0,0 +1,885 @@ +{ + "expected": [ + { + "@timestamp": "2024-02-06T16:01:34.442Z", + "ecs": { + "version": "8.11.0" + }, + "error": { + "code": "0" + }, + "event": { + "action": "aue_posix_spawn", + "category": [ + "authentication" + ], + "code": "43190", + "kind": "event", + "outcome": "success", + "type": [ + "info" + ] + }, + "host": { + "hostname": "Mac mini", + "id": "H2WGF2U9Q6NV", + "ip": [ + "0.0.0.0" + ], + "os": { + "version": "Version 14.2.1 (Build 23C71)" + } + }, + "jamf_protect": { + "telemetry": { + "arguments": { + "child": { + "pid": 70851 + } + }, + "dataset": "audit", + "exec_args": { + "args_compiled": "/usr/bin/profiles,status,-type,enrollment" + }, + "exec_chain_parent": { + "uuid": "87F2E500-EDF1-4F12-A489-C5E05B0F523E" + }, + "exec_env": { + "env": { + "compiled": "PWD=/,PATH=/usr/bin:/bin:/usr/sbin:/sbin" + } + }, + "header": { + "event_modifier": "0", + "version": "11" + }, + "host_info": { + "host": { + "uuid": "AE2FA359-6AB0-5F54-9E4A-39EDCF015C91" + } + }, + "identity": { + "cd_hash": "a2c787fe5e26ead7c68909e45a75edced4147c68", + "signer": { + "id_truncated": "false", + "type": "0" + } + }, + "path": [ + "/usr/bin/profiles", + "/usr/bin/profiles" + ], + "return": { + "description": "success" + }, + "subject": { + "effective": { + "group": { + "id": "0", + "name": "wheel" + } + }, + "process": { + "name": "/Library/Application Support/Microsoft/EdgeUpdater/118.0.2088.86/EdgeUpdater.app/Contents/MacOS/EdgeUpdater", + "pid": 70848 + }, + "session": { + "id": "100016" + }, + "terminal_id": { + "port": 0, + "type": "4" + } + } + } + }, + "process": { + "args": [ + "/usr/bin/profiles", + "status", + "-type", + "enrollment" + ], + "code_signature": { + "signing_id": "com.microsoft.EdgeUpdater", + "team_id": "UBF8T346G9" + }, + "exit_code": 0, + "hash": { + "sha1": "9cfc802baf45b74693d146686ebe9ec59ac6367f" + }, + "real_group": { + "id": "0", + "name": "wheel" + }, + "real_user": { + "id": "4294967295" + }, + "user": { + "id": "0", + "name": 
"root" + } + }, + "related": { + "hash": [ + "9cfc802baf45b74693d146686ebe9ec59ac6367f" + ], + "hosts": [ + "Mac mini" + ], + "ip": [ + "0.0.0.0" + ], + "user": [ + "root" + ] + }, + "user": { + "id": "0", + "name": [ + "root" + ] + } + }, + { + "@timestamp": "2024-02-06T16:01:34.427Z", + "ecs": { + "version": "8.11.0" + }, + "error": { + "code": "0" + }, + "event": { + "action": "aue_posix_spawn", + "category": [ + "authentication" + ], + "code": "43190", + "kind": "event", + "outcome": "success", + "type": [ + "info" + ] + }, + "host": { + "hostname": "Mac mini", + "id": "H2WGF2U9Q6NV", + "ip": [ + "0.0.0.0" + ], + "os": { + "version": "Version 14.2.1 (Build 23C71)" + } + }, + "jamf_protect": { + "telemetry": { + "arguments": { + "child": { + "pid": 70848 + } + }, + "dataset": "audit", + "exec_args": { + "args_compiled": "EdgeUpdater,--server,--service=update,--enable-logging,--vmodule=*/components/update_client/*=2,*/chrome/updater/*=2,--system" + }, + "exec_chain_parent": { + "uuid": "EB3B7725-EB0E-4710-BCA6-F390DD9AE309" + }, + "exec_env": { + "env": { + "compiled": "PWD=/,PATH=/usr/bin:/bin:/usr/sbin:/sbin" + } + }, + "header": { + "event_modifier": "0", + "version": "11" + }, + "host_info": { + "host": { + "uuid": "AE2FA359-6AB0-5F54-9E4A-39EDCF015C91" + } + }, + "identity": { + "cd_hash": "abbed514a26c2f8c80e08a6d81d72ea8029739fe", + "signer": { + "id_truncated": "false", + "type": "0" + } + }, + "path": [ + "/Library/Application Support/Microsoft/EdgeUpdater/118.0.2088.86/EdgeUpdater.app/Contents/MacOS/EdgeUpdater", + "/Library/Application Support/Microsoft/EdgeUpdater/118.0.2088.86/EdgeUpdater.app/Contents/MacOS/EdgeUpdater" + ], + "return": { + "description": "success" + }, + "subject": { + "effective": { + "group": { + "id": "0", + "name": "wheel" + } + }, + "process": { + "name": "/Library/Application Support/Microsoft/EdgeUpdater/118.0.2088.86/EdgeUpdater.app/Contents/Helpers/launcher", + "pid": 70847 + }, + "session": { + "id": "100016" + }, + 
"terminal_id": { + "port": 0, + "type": "4" + } + } + } + }, + "process": { + "args": [ + "EdgeUpdater", + "--server", + "--service=update", + "--enable-logging", + "--vmodule=*/components/update_client/*=2,*/chrome/updater/*=2", + "--system" + ], + "code_signature": { + "signing_id": "com.microsoft.EdgeUpdater", + "team_id": "UBF8T346G9" + }, + "exit_code": 0, + "hash": { + "sha1": "0237c54b185a3b516bb2918132d9d05de10eaa7c" + }, + "real_group": { + "id": "0", + "name": "wheel" + }, + "real_user": { + "id": "4294967295" + }, + "user": { + "id": "0", + "name": "root" + } + }, + "related": { + "hash": [ + "0237c54b185a3b516bb2918132d9d05de10eaa7c" + ], + "hosts": [ + "Mac mini" + ], + "ip": [ + "0.0.0.0" + ], + "user": [ + "root" + ] + }, + "user": { + "id": "0", + "name": [ + "root" + ] + } + }, + { + "@timestamp": "2024-02-06T16:01:33.316Z", + "ecs": { + "version": "8.11.0" + }, + "error": { + "code": "0" + }, + "event": { + "action": "aue_posix_spawn", + "category": [ + "authentication" + ], + "code": "43190", + "kind": "event", + "outcome": "success", + "type": [ + "info" + ] + }, + "host": { + "hostname": "Mac mini", + "id": "H2WGF2U9Q6NV", + "ip": [ + "0.0.0.0" + ], + "os": { + "version": "Version 14.2.1 (Build 23C71)" + } + }, + "jamf_protect": { + "telemetry": { + "arguments": { + "child": { + "pid": 70843 + } + }, + "dataset": "audit", + "exec_args": { + "args_compiled": "/Library/Application Support/Microsoft/EdgeUpdater/118.0.2088.86/EdgeUpdater.app/Contents/Helpers/launcher,--internal" + }, + "exec_chain_parent": { + "uuid": "93E2DBD5-9546-430E-ADA0-CA460E0A80C9" + }, + "exec_env": { + "env": { + "compiled": "XPC_SERVICE_NAME=com.microsoft.EdgeUpdater.wake.system,PATH=/usr/bin:/bin:/usr/sbin:/sbin,XPC_FLAGS=0x0", + "xpc": { + "flags": "0x0" + } + } + }, + "header": { + "event_modifier": "0", + "version": "11" + }, + "host_info": { + "host": { + "uuid": "AE2FA359-6AB0-5F54-9E4A-39EDCF015C91" + } + }, + "identity": { + "cd_hash": 
"a2c787fe5e26ead7c68909e45a75edced4147c68", + "signer": { + "id_truncated": "false", + "type": "0" + } + }, + "path": [ + "/Library/Application Support/Microsoft/EdgeUpdater/118.0.2088.86/EdgeUpdater.app/Contents/Helpers/launcher", + "/Library/Application Support/Microsoft/EdgeUpdater/118.0.2088.86/EdgeUpdater.app/Contents/Helpers/launcher" + ], + "return": { + "description": "success" + }, + "subject": { + "effective": { + "group": { + "id": "0", + "name": "wheel" + } + }, + "process": { + "name": "/Library/Application Support/Microsoft/EdgeUpdater/118.0.2088.86/EdgeUpdater.app/Contents/MacOS/EdgeUpdater", + "pid": 70840 + }, + "session": { + "id": "100016" + }, + "terminal_id": { + "port": 0, + "type": "4" + } + } + } + }, + "process": { + "args": [ + "/Library/Application Support/Microsoft/EdgeUpdater/118.0.2088.86/EdgeUpdater.app/Contents/Helpers/launcher", + "--internal" + ], + "code_signature": { + "signing_id": "com.microsoft.EdgeUpdater", + "team_id": "UBF8T346G9" + }, + "exit_code": 0, + "hash": { + "sha1": "9cfc802baf45b74693d146686ebe9ec59ac6367f" + }, + "real_group": { + "id": "0", + "name": "wheel" + }, + "real_user": { + "id": "4294967295" + }, + "user": { + "id": "0", + "name": "root" + } + }, + "related": { + "hash": [ + "9cfc802baf45b74693d146686ebe9ec59ac6367f" + ], + "hosts": [ + "Mac mini" + ], + "ip": [ + "0.0.0.0" + ], + "user": [ + "root" + ] + }, + "user": { + "id": "0", + "name": [ + "root" + ] + } + }, + { + "@timestamp": "2024-02-06T16:10:37.755Z", + "ecs": { + "version": "8.11.0" + }, + "error": { + "code": "0" + }, + "event": { + "action": "aue_connect", + "category": [ + "authentication" + ], + "code": "32", + "kind": "event", + "outcome": "success", + "type": [ + "info" + ] + }, + "host": { + "hostname": "Goomba", + "id": "H2WHM0PAQ6NV", + "ip": [ + "0.0.0.0" + ], + "os": { + "version": "Version 14.2.1 (Build 23C71)" + } + }, + "jamf_protect": { + "telemetry": { + "arguments": { + "fd": "4" + }, + "dataset": "audit", + "header": { + 
"event_modifier": "0", + "version": "11" + }, + "host_info": { + "host": { + "uuid": "667A9510-585B-526B-9B61-47BD834C8ECE" + } + }, + "identity": { + "cd_hash": "67ed44d08677ea5d2eb9c7db71be23b127bd3e99", + "signer": { + "id_truncated": "false", + "type": "1" + } + }, + "return": { + "description": "success" + }, + "subject": { + "effective": { + "group": { + "id": "260", + "name": "_applepay" + } + }, + "process": { + "name": "/usr/libexec/nfcd", + "pid": 1002 + }, + "session": { + "id": "100015" + }, + "terminal_id": { + "port": 0, + "type": "4" + } + } + } + }, + "process": { + "code_signature": { + "signing_id": "com.apple.nfcd" + }, + "exit_code": 0, + "hash": { + "sha1": "137517d0be201cfbf8e9dd97765b3f38f0ae4de5" + }, + "real_group": { + "id": "260", + "name": "_applepay" + }, + "real_user": { + "id": "4294967295" + }, + "user": { + "id": "260", + "name": "_applepay" + } + }, + "related": { + "hash": [ + "137517d0be201cfbf8e9dd97765b3f38f0ae4de5" + ], + "hosts": [ + "Goomba" + ], + "ip": [ + "0.0.0.0" + ], + "user": [ + "_applepay" + ] + }, + "user": { + "id": "260", + "name": [ + "_applepay" + ] + } + }, + { + "@timestamp": "2024-02-06T16:10:36.473Z", + "ecs": { + "version": "8.11.0" + }, + "error": { + "code": "0" + }, + "event": { + "action": "aue_connect", + "category": [ + "authentication" + ], + "code": "32", + "kind": "event", + "outcome": "success", + "type": [ + "info" + ] + }, + "host": { + "hostname": "Mac mini", + "id": "H2WGF2U9Q6NV", + "ip": [ + "0.0.0.0" + ], + "os": { + "version": "Version 14.2.1 (Build 23C71)" + } + }, + "jamf_protect": { + "telemetry": { + "arguments": { + "fd": "5" + }, + "dataset": "audit", + "header": { + "event_modifier": "0", + "version": "11" + }, + "host_info": { + "host": { + "uuid": "AE2FA359-6AB0-5F54-9E4A-39EDCF015C91" + } + }, + "identity": { + "cd_hash": "beef65d6aeba15d0dd7ef1a076d4bcbd386c1652", + "signer": { + "id_truncated": "false", + "type": "1" + } + }, + "return": { + "description": "success" + }, + 
"subject": { + "effective": { + "group": { + "id": "0", + "name": "wheel" + } + }, + "process": { + "name": "/usr/libexec/mdmclient", + "pid": 70971 + }, + "session": { + "id": "100016" + }, + "terminal_id": { + "port": 0, + "type": "4" + } + } + } + }, + "process": { + "code_signature": { + "signing_id": "com.apple.mdmclient" + }, + "exit_code": 0, + "hash": { + "sha1": "b71712207edc22d9b5753aac0d927a7d9ded719d" + }, + "real_group": { + "id": "0", + "name": "wheel" + }, + "real_user": { + "id": "4294967295" + }, + "user": { + "id": "0", + "name": "root" + } + }, + "related": { + "hash": [ + "b71712207edc22d9b5753aac0d927a7d9ded719d" + ], + "hosts": [ + "Mac mini" + ], + "ip": [ + "0.0.0.0" + ], + "user": [ + "root" + ] + }, + "user": { + "id": "0", + "name": [ + "root" + ] + } + }, + { + "@timestamp": "2024-02-06T15:54:28.477Z", + "ecs": { + "version": "8.11.0" + }, + "error": { + "code": "0" + }, + "event": { + "action": "aue_ssauthorize", + "category": [ + "authentication" + ], + "code": "45025", + "kind": "event", + "outcome": "success", + "type": [ + "info" + ] + }, + "host": { + "hostname": "Mac mini", + "id": "H2WGF2U9Q6NV", + "ip": [ + "0.0.0.0" + ], + "os": { + "version": "Version 14.2.1 (Build 23C71)" + } + }, + "jamf_protect": { + "telemetry": { + "dataset": "audit", + "header": { + "event_modifier": "0", + "version": "11" + }, + "host_info": { + "host": { + "uuid": "AE2FA359-6AB0-5F54-9E4A-39EDCF015C91" + } + }, + "identity": { + "cd_hash": "fc3dce73c15ec7a1cba507101fec3a47e268fa27", + "signer": { + "id_truncated": "false", + "type": "1" + } + }, + "return": { + "description": "success" + }, + "subject": { + "effective": { + "group": { + "id": "0", + "name": "wheel" + } + }, + "process": { + "name": "/usr/libexec/mdmclient", + "pid": 69544 + }, + "session": { + "id": "100016" + }, + "terminal_id": { + "port": 959597, + "type": "4" + } + }, + "texts": [ + "com.apple.ServiceManagement.daemons.modify", + "client /usr/libexec/mdmclient", + "creator 
/usr/libexec/mdmclient" + ] + } + }, + "process": { + "code_signature": { + "signing_id": "com.apple.authd" + }, + "exit_code": 0, + "hash": { + "sha1": "b71712207edc22d9b5753aac0d927a7d9ded719d" + }, + "real_group": { + "id": "0", + "name": "wheel" + }, + "real_user": { + "id": "4294967295" + }, + "user": { + "id": "0", + "name": "root" + } + }, + "related": { + "hash": [ + "b71712207edc22d9b5753aac0d927a7d9ded719d" + ], + "hosts": [ + "Mac mini" + ], + "ip": [ + "0.0.0.0" + ], + "user": [ + "root" + ] + }, + "user": { + "id": "0", + "name": [ + "root" + ] + } + }, + { + "@timestamp": "2024-02-06T16:08:56.272Z", + "ecs": { + "version": "8.11.0" + }, + "error": { + "code": "0" + }, + "event": { + "action": "aue_session_end", + "category": [ + "authentication" + ], + "code": "44903", + "kind": "event", + "outcome": "success", + "type": [ + "info" + ] + }, + "host": { + "hostname": "Goomba", + "id": "H2WHM0PAQ6NV", + "ip": [ + "0.0.0.0" + ], + "os": { + "version": "Version 14.2.1 (Build 23C71)" + } + }, + "jamf_protect": { + "telemetry": { + "arguments": { + "am_failure": "0", + "am_success": "0", + "sflags": "0" + }, + "dataset": "audit", + "header": { + "event_modifier": "0", + "version": "11" + }, + "host_info": { + "host": { + "uuid": "667A9510-585B-526B-9B61-47BD834C8ECE" + } + }, + "return": { + "description": "success" + }, + "subject": { + "effective": { + "group": { + "id": "0", + "name": "wheel" + } + }, + "process": { + "pid": 0 + }, + "session": { + "id": "101188" + }, + "terminal_id": { + "port": 0, + "type": "4" + } + } + } + }, + "process": { + "exit_code": 0, + "real_group": { + "id": "0", + "name": "wheel" + }, + "real_user": { + "id": "4294967295" + }, + "user": { + "id": "0", + "name": "root" + } + }, + "related": { + "hosts": [ + "Goomba" + ], + "ip": [ + "0.0.0.0" + ], + "user": [ + "root" + ] + }, + "user": { + "id": "0", + "name": [ + "root" + ] + } + } + ] +} \ No newline at end of file 
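Review bot: Every record in this expected output, including `aue_posix_spawn`, `aue_connect` and `aue_session_end`, is pinned to `event.category: ["authentication"]` and `event.type: ["info"]`, which does not describe a process spawn, a socket connect or a session end and means detection rules keyed on `event.category: process` / `event.type: start` (or `network`) will not see these events. The file also fixes sentinel values as ECS data: `"ip": ["0.0.0.0"]` under `host` and `related` comes from `terminal_id.ip_address` when there is no remote terminal, and `process.real_user.id: "4294967295"` is the unsigned rendering of `-1`, the BSM "no audit id" marker, not a real uid. The mapping logic appears to live in `pipeline_audit.yml`, which this commit renames rather than changes, so the fix belongs there (skip `0.0.0.0` and `4294967295`, and derive category/type from the `AUE_*` name), after which these expectations need regenerating rather than being committed as golden.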
diff --git a/packages/jamf_protect/data_stream/telemetry_legacy/_dev/test/system/test-http-endpoint-config.yml b/packages/jamf_protect/data_stream/telemetry_legacy/_dev/test/system/test-http-endpoint-config.yml new file mode 100644 index 00000000000..31891978eba --- /dev/null +++ b/packages/jamf_protect/data_stream/telemetry_legacy/_dev/test/system/test-http-endpoint-config.yml @@ -0,0 +1,8 @@ +service: jamf-protect-telemetry-legacy-http-endpoint +service_notify_signal: SIGHUP +input: http_endpoint +vars: ~ +data_stream: + vars: + listen_address: 0.0.0.0 + listen_port: 9555 diff --git a/packages/jamf_protect/data_stream/telemetry_legacy/agent/stream/aws-s3.yml.hbs b/packages/jamf_protect/data_stream/telemetry_legacy/agent/stream/aws-s3.yml.hbs new file mode 100644 index 00000000000..4b6c9a0ff80 --- /dev/null +++ b/packages/jamf_protect/data_stream/telemetry_legacy/agent/stream/aws-s3.yml.hbs 
@@ -0,0 +1,118 @@ +{{! The aws-s3 input can be configured to read from an SQS queue or an S3 bucket. }} + +{{! +When using an S3 bucket, you can specify only one of the following options: +- An AWS bucket ARN +- A non-AWS bucket name +}} + +{{#if collect_s3_logs}} +{{! shared S3 bucket polling options }} +{{#if number_of_workers }} +number_of_workers: {{ number_of_workers }} +{{/if}} + +{{#if bucket_list_prefix }} +bucket_list_prefix: {{ bucket_list_prefix }} +{{/if}} + +{{#if bucket_list_interval }} +bucket_list_interval: {{ bucket_list_interval }} +{{/if}} + +{{! AWS S3 bucket ARN options }} +{{#unless non_aws_bucket_name}} +{{#if bucket_arn }} +bucket_arn: {{ bucket_arn }} +{{/if}} +{{/unless}} + +{{! non-AWS S3 bucket ARN options }} +{{#unless bucket_arn}} +{{#if jamf_protect_bucket_name }} +non_aws_bucket_name: {{jamf_protect_bucket_name}} +{{else if global_bucket_name}} +non_aws_bucket_name: {{global_bucket_name}} +{{/if}} +{{/unless}} + +{{else}} + +{{#if queue_url_telemetry}} +queue_url: {{queue_url_telemetry}} +{{else if queue_url}} +queue_url: {{queue_url}} +{{/if}} + +{{#if visibility_timeout}} +visibility_timeout: {{visibility_timeout}} +{{/if}} + +{{#if api_timeout}} +api_timeout: {{api_timeout}} +{{/if}} + +{{#if max_number_of_messages}} +max_number_of_messages: {{max_number_of_messages}} +{{/if}} + +{{#if file_selectors}} +file_selectors: +{{file_selectors}} +{{/if}} +{{! 
end SQS queue }} + +{{/if}} + +{{#if access_key_id}} +access_key_id: {{access_key_id}} +{{/if}} +{{#if secret_access_key}} +secret_access_key: {{secret_access_key}} +{{/if}} +{{#if session_token}} +session_token: {{session_token}} +{{/if}} +{{#if shared_credential_file}} +shared_credential_file: {{shared_credential_file}} +{{/if}} +{{#if credential_profile_name}} +credential_profile_name: {{credential_profile_name}} +{{/if}} +{{#if role_arn}} +role_arn: {{role_arn}} +{{/if}} +{{#if endpoint}} +endpoint: {{endpoint}} +{{/if}} +{{#if default_region}} +default_region: {{default_region}} +{{/if}} +{{#if fips_enabled}} +fips_enabled: {{fips_enabled}} +{{/if}} +{{#if proxy_url}} +proxy_url: {{proxy_url}} +{{/if}} +tags: +{{#if collect_s3_logs}} +- collect_s3_logs +{{else}} +- collect_sqs_logs +{{/if}} +{{#if preserve_original_event}} +- preserve_original_event +{{/if}} +{{#if preserve_duplicate_custom_fields}} +- preserve_duplicate_custom_fields +{{/if}} +{{#each tags as |tag|}} +- {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +{{#if processors}} +processors: +{{processors}} +{{/if}} diff --git a/packages/jamf_protect/data_stream/telemetry_legacy/agent/stream/http_endpoint.yml.hbs b/packages/jamf_protect/data_stream/telemetry_legacy/agent/stream/http_endpoint.yml.hbs new file mode 100644 index 00000000000..b1f76c36101 --- /dev/null +++ b/packages/jamf_protect/data_stream/telemetry_legacy/agent/stream/http_endpoint.yml.hbs 
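Review bot: The comment `{{! non-AWS S3 bucket ARN options }}` mislabels the block beneath it, which renders `non_aws_bucket_name` — a bucket name, not an ARN — so it should read `{{! non-AWS S3 bucket name options }}` to match the `{{#unless bucket_arn}}` guard. `file_selectors` is only emitted inside the SQS branch (`{{else}}` of `collect_s3_logs`), so bucket-polling mode gets no object filtering; if that is intentional a one-line comment saying so would help, otherwise the block should move out of the branch. The SQS branch also falls back from `queue_url_telemetry` to a shared `queue_url`; since this stream is `telemetry_legacy`, it is worth confirming whether it should have its own variable so the two telemetry streams cannot be pointed at the same queue by accident.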
@@ -0,0 +1,35 @@ +listen_address: {{listen_address}} +listen_port: {{listen_port}} +url: {{url}} +{{#if secret_header}} +secret.header: {{secret_header}} +{{/if}} +{{#if secret_value}} +secret.value: {{secret_value}} +{{/if}} +{{#if preserve_original_event}} +preserve_original_event: true +{{/if}} +{{#if preserve_duplicate_custom_fields}} +preserve_duplicate_custom_fields: true +{{/if}} +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#if preserve_duplicate_custom_fields}} + - preserve_duplicate_custom_fields +{{/if}} +{{#each tags as |tag|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +{{#if ssl}} +ssl: {{ssl}} +{{/if}} +{{#if processors}} +processors: +{{processors}} +{{/if}} diff --git a/packages/jamf_protect/data_stream/telemetry_legacy/elasticsearch/ingest_pipeline/default.yml b/packages/jamf_protect/data_stream/telemetry_legacy/elasticsearch/ingest_pipeline/default.yml new file mode 100644 index 00000000000..12cf8ae9493 --- /dev/null +++ b/packages/jamf_protect/data_stream/telemetry_legacy/elasticsearch/ingest_pipeline/default.yml 
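Review bot: `secret.header`, `secret.value` and `ssl` are all optional here, and the system-test config for this stream binds `listen_address: 0.0.0.0`, so the rendered `http_endpoint` input can be an unauthenticated, plaintext listener on all interfaces that accepts any POST body into the pipeline. At minimum the stream's manifest and README should state that `secret_header`/`secret_value` and `ssl` are expected in production, and it is worth considering making the shared-secret pair required rather than conditional. `url: {{url}}` is rendered unconditionally; if the `url` variable has no manifest default this produces an empty value, so either guard it with `{{#if url}}` like the other options or confirm the default exists.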
@@ -0,0 +1,54 @@
+---
+description: Pipeline for Jamf Protect Telemetry logs.
+processors:
+ - set:
+ field: ecs.version
+ value: '8.11.0'
+ - rename:
+ field: message
+ target_field: event.original
+ ignore_missing: true
+ - json:
+ field: event.original
+ target_field: json
+ ignore_failure: true
+ - pipeline:
+ name: '{{ IngestPipeline "pipeline_system_performance_metrics" }}'
+ if: ctx.json?.header?.event_name == 'SYSTEM_PERFORMANCE_METRICS'
+ - pipeline:
+ name: '{{ IngestPipeline "pipeline_audit" }}'
+ if: ctx.json?.header?.event_name != null && ctx.json?.header?.event_name.startsWith('AUE_')
+ - pipeline:
+ name: '{{ IngestPipeline "pipeline_bios_firmware_versions" }}'
+ if: ctx.json?.header?.event_name == 'BIOS_FIRMWARE_VERSIONS'
+ - pipeline:
+ name: '{{ IngestPipeline "pipeline_event" }}'
+ if: "['FILE_COLLECTION_EVENT','PLAINTEXT_LOG_COLLECTION'].contains(ctx.json?.header?.event_name)"
+ - remove:
+ field: event.original
+ if: ctx.tags == null || !(ctx.tags.contains('preserve_original_event'))
+ ignore_failure: true
+ - remove:
+ field: json
+ ignore_missing: true
+ - script:
+ description: Drops null/empty values recursively.
+ lang: painless
+ source:
+ boolean dropEmptyFields(Object object) {
+ if (object == null || object == '') {
+ return true;
+ } else if (object instanceof Map) {
+ ((Map) object).values().removeIf(value -> dropEmptyFields(value));
+ return (((Map) object).size() == 0);
+ } else if (object instanceof List) {
+ ((List) object).removeIf(value -> dropEmptyFields(value));
+ return (((List) object).length == 0);
+ }
+ return false;
+ }
+ dropEmptyFields(ctx);
+on_failure:
+ - set:
+ field: error.message
+ value: '{{ _ingest.on_failure_message }}'
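Review bot: A record whose body fails to parse, or whose `header.event_name` matches none of the four dispatch branches, leaves this pipeline as a near-empty document with nothing in `error.message`: the `json` processor runs with `ignore_failure: true` and no `on_failure`, every dispatch `if` is then false, and the later `remove` of `json` (and of `event.original` unless the preserve tag is set) discards whatever was received. For a telemetry source that is silently lossy for malformed records and for any new event type, so replace `ignore_failure: true` on the `json` processor with an `on_failure` handler that records the parse error, and tag events whose `event_name` matched no branch so they can be searched for (the tag name below is illustrative). Separately, `pipeline_bios_firmware_versions` is referenced here but I do not see a file of that name among the renamed pipelines in this chunk; if it is not added elsewhere in the change, the `IngestPipeline` reference will not resolve at install time.
```yaml
  - json:
      field: event.original
      target_field: json
      on_failure:
        - append:
            field: error.message
            value: 'Processor {{{_ingest.on_failure_processor_type}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
  # … unchanged: the four pipeline dispatch processors …
  - append:
      field: tags
      value: unknown_event_type
      if: >-
        ctx.json?.header?.event_name instanceof String
        && !ctx.json.header.event_name.startsWith('AUE_')
        && !['SYSTEM_PERFORMANCE_METRICS', 'BIOS_FIRMWARE_VERSIONS', 'FILE_COLLECTION_EVENT', 'PLAINTEXT_LOG_COLLECTION'].contains(ctx.json.header.event_name)
  # … unchanged: remove of event.original / json, drop-empty script, on_failure …
```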
diff --git a/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_audit.yml b/packages/jamf_protect/data_stream/telemetry_legacy/elasticsearch/ingest_pipeline/pipeline_audit.yml similarity index 100% rename from packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_audit.yml rename to packages/jamf_protect/data_stream/telemetry_legacy/elasticsearch/ingest_pipeline/pipeline_audit.yml diff --git a/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_aue_accept.yml b/packages/jamf_protect/data_stream/telemetry_legacy/elasticsearch/ingest_pipeline/pipeline_aue_accept.yml similarity index 100% rename from packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_aue_accept.yml rename to packages/jamf_protect/data_stream/telemetry_legacy/elasticsearch/ingest_pipeline/pipeline_aue_accept.yml diff --git a/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_aue_arguments.yml b/packages/jamf_protect/data_stream/telemetry_legacy/elasticsearch/ingest_pipeline/pipeline_aue_arguments.yml similarity index 100% rename from packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_aue_arguments.yml rename to packages/jamf_protect/data_stream/telemetry_legacy/elasticsearch/ingest_pipeline/pipeline_aue_arguments.yml diff --git a/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_aue_auth.yml b/packages/jamf_protect/data_stream/telemetry_legacy/elasticsearch/ingest_pipeline/pipeline_aue_auth.yml similarity index 100% rename from packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_aue_auth.yml rename to packages/jamf_protect/data_stream/telemetry_legacy/elasticsearch/ingest_pipeline/pipeline_aue_auth.yml 
diff --git a/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_aue_bind_and_aue_connect.yml b/packages/jamf_protect/data_stream/telemetry_legacy/elasticsearch/ingest_pipeline/pipeline_aue_bind_and_aue_connect.yml similarity index 100% rename from packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_aue_bind_and_aue_connect.yml rename to packages/jamf_protect/data_stream/telemetry_legacy/elasticsearch/ingest_pipeline/pipeline_aue_bind_and_aue_connect.yml diff --git a/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_aue_chdir.yml b/packages/jamf_protect/data_stream/telemetry_legacy/elasticsearch/ingest_pipeline/pipeline_aue_chdir.yml similarity index 100% rename from packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_aue_chdir.yml rename to packages/jamf_protect/data_stream/telemetry_legacy/elasticsearch/ingest_pipeline/pipeline_aue_chdir.yml diff --git a/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_aue_chroot.yml b/packages/jamf_protect/data_stream/telemetry_legacy/elasticsearch/ingest_pipeline/pipeline_aue_chroot.yml similarity index 100% rename from packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_aue_chroot.yml rename to packages/jamf_protect/data_stream/telemetry_legacy/elasticsearch/ingest_pipeline/pipeline_aue_chroot.yml diff --git a/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_aue_execve.yml b/packages/jamf_protect/data_stream/telemetry_legacy/elasticsearch/ingest_pipeline/pipeline_aue_execve.yml similarity index 100% rename from packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_aue_execve.yml rename to packages/jamf_protect/data_stream/telemetry_legacy/elasticsearch/ingest_pipeline/pipeline_aue_execve.yml 
diff --git a/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_aue_exit.yml b/packages/jamf_protect/data_stream/telemetry_legacy/elasticsearch/ingest_pipeline/pipeline_aue_exit.yml similarity index 100% rename from packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_aue_exit.yml rename to packages/jamf_protect/data_stream/telemetry_legacy/elasticsearch/ingest_pipeline/pipeline_aue_exit.yml diff --git a/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_aue_fork.yml b/packages/jamf_protect/data_stream/telemetry_legacy/elasticsearch/ingest_pipeline/pipeline_aue_fork.yml similarity index 100% rename from packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_aue_fork.yml rename to packages/jamf_protect/data_stream/telemetry_legacy/elasticsearch/ingest_pipeline/pipeline_aue_fork.yml diff --git a/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_aue_kill.yml b/packages/jamf_protect/data_stream/telemetry_legacy/elasticsearch/ingest_pipeline/pipeline_aue_kill.yml similarity index 100% rename from packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_aue_kill.yml rename to packages/jamf_protect/data_stream/telemetry_legacy/elasticsearch/ingest_pipeline/pipeline_aue_kill.yml diff --git a/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_aue_listen.yml b/packages/jamf_protect/data_stream/telemetry_legacy/elasticsearch/ingest_pipeline/pipeline_aue_listen.yml similarity index 100% rename from packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_aue_listen.yml rename to packages/jamf_protect/data_stream/telemetry_legacy/elasticsearch/ingest_pipeline/pipeline_aue_listen.yml 
diff --git a/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_aue_logout.yml b/packages/jamf_protect/data_stream/telemetry_legacy/elasticsearch/ingest_pipeline/pipeline_aue_logout.yml similarity index 100% rename from packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_aue_logout.yml rename to packages/jamf_protect/data_stream/telemetry_legacy/elasticsearch/ingest_pipeline/pipeline_aue_logout.yml diff --git a/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_aue_mount.yml b/packages/jamf_protect/data_stream/telemetry_legacy/elasticsearch/ingest_pipeline/pipeline_aue_mount.yml similarity index 100% rename from packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_aue_mount.yml rename to packages/jamf_protect/data_stream/telemetry_legacy/elasticsearch/ingest_pipeline/pipeline_aue_mount.yml diff --git a/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_aue_pidfortask.yml b/packages/jamf_protect/data_stream/telemetry_legacy/elasticsearch/ingest_pipeline/pipeline_aue_pidfortask.yml similarity index 100% rename from packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_aue_pidfortask.yml rename to packages/jamf_protect/data_stream/telemetry_legacy/elasticsearch/ingest_pipeline/pipeline_aue_pidfortask.yml diff --git a/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_aue_posix_spawn.yml b/packages/jamf_protect/data_stream/telemetry_legacy/elasticsearch/ingest_pipeline/pipeline_aue_posix_spawn.yml similarity index 100% rename from packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_aue_posix_spawn.yml rename to packages/jamf_protect/data_stream/telemetry_legacy/elasticsearch/ingest_pipeline/pipeline_aue_posix_spawn.yml 
diff --git a/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_aue_remove_from_group_and_aue_mac_set_proc.yml b/packages/jamf_protect/data_stream/telemetry_legacy/elasticsearch/ingest_pipeline/pipeline_aue_remove_from_group_and_aue_mac_set_proc.yml similarity index 100% rename from packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_aue_remove_from_group_and_aue_mac_set_proc.yml rename to packages/jamf_protect/data_stream/telemetry_legacy/elasticsearch/ingest_pipeline/pipeline_aue_remove_from_group_and_aue_mac_set_proc.yml diff --git a/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_aue_session.yml b/packages/jamf_protect/data_stream/telemetry_legacy/elasticsearch/ingest_pipeline/pipeline_aue_session.yml similarity index 100% rename from packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_aue_session.yml rename to packages/jamf_protect/data_stream/telemetry_legacy/elasticsearch/ingest_pipeline/pipeline_aue_session.yml diff --git a/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_aue_setpriority.yml b/packages/jamf_protect/data_stream/telemetry_legacy/elasticsearch/ingest_pipeline/pipeline_aue_setpriority.yml similarity index 100% rename from packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_aue_setpriority.yml rename to packages/jamf_protect/data_stream/telemetry_legacy/elasticsearch/ingest_pipeline/pipeline_aue_setpriority.yml 
diff --git a/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_aue_socketpair.yml b/packages/jamf_protect/data_stream/telemetry_legacy/elasticsearch/ingest_pipeline/pipeline_aue_socketpair.yml similarity index 100% rename from packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_aue_socketpair.yml rename to packages/jamf_protect/data_stream/telemetry_legacy/elasticsearch/ingest_pipeline/pipeline_aue_socketpair.yml diff --git a/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_aue_ssauthint.yml b/packages/jamf_protect/data_stream/telemetry_legacy/elasticsearch/ingest_pipeline/pipeline_aue_ssauthint.yml similarity index 100% rename from packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_aue_ssauthint.yml rename to packages/jamf_protect/data_stream/telemetry_legacy/elasticsearch/ingest_pipeline/pipeline_aue_ssauthint.yml diff --git a/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_aue_taskforpid.yml b/packages/jamf_protect/data_stream/telemetry_legacy/elasticsearch/ingest_pipeline/pipeline_aue_taskforpid.yml similarity index 100% rename from packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_aue_taskforpid.yml rename to packages/jamf_protect/data_stream/telemetry_legacy/elasticsearch/ingest_pipeline/pipeline_aue_taskforpid.yml diff --git a/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_aue_tasknameforpid.yml b/packages/jamf_protect/data_stream/telemetry_legacy/elasticsearch/ingest_pipeline/pipeline_aue_tasknameforpid.yml similarity index 100% rename from packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_aue_tasknameforpid.yml rename to packages/jamf_protect/data_stream/telemetry_legacy/elasticsearch/ingest_pipeline/pipeline_aue_tasknameforpid.yml 
diff --git a/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_aue_unmount.yml b/packages/jamf_protect/data_stream/telemetry_legacy/elasticsearch/ingest_pipeline/pipeline_aue_unmount.yml similarity index 100% rename from packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_aue_unmount.yml rename to packages/jamf_protect/data_stream/telemetry_legacy/elasticsearch/ingest_pipeline/pipeline_aue_unmount.yml diff --git a/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event.yml b/packages/jamf_protect/data_stream/telemetry_legacy/elasticsearch/ingest_pipeline/pipeline_event.yml similarity index 100% rename from packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event.yml rename to packages/jamf_protect/data_stream/telemetry_legacy/elasticsearch/ingest_pipeline/pipeline_event.yml diff --git a/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_exec_chain_child_object.yml b/packages/jamf_protect/data_stream/telemetry_legacy/elasticsearch/ingest_pipeline/pipeline_exec_chain_child_object.yml similarity index 100% rename from packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_exec_chain_child_object.yml rename to packages/jamf_protect/data_stream/telemetry_legacy/elasticsearch/ingest_pipeline/pipeline_exec_chain_child_object.yml diff --git a/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_identity_object.yml b/packages/jamf_protect/data_stream/telemetry_legacy/elasticsearch/ingest_pipeline/pipeline_identity_object.yml similarity index 100% rename from packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_identity_object.yml rename to packages/jamf_protect/data_stream/telemetry_legacy/elasticsearch/ingest_pipeline/pipeline_identity_object.yml 
diff --git a/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_process_object.yml b/packages/jamf_protect/data_stream/telemetry_legacy/elasticsearch/ingest_pipeline/pipeline_process_object.yml similarity index 100% rename from packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_process_object.yml rename to packages/jamf_protect/data_stream/telemetry_legacy/elasticsearch/ingest_pipeline/pipeline_process_object.yml diff --git a/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_system_performance_metrics.yml b/packages/jamf_protect/data_stream/telemetry_legacy/elasticsearch/ingest_pipeline/pipeline_system_performance_metrics.yml similarity index 100% rename from packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_system_performance_metrics.yml rename to packages/jamf_protect/data_stream/telemetry_legacy/elasticsearch/ingest_pipeline/pipeline_system_performance_metrics.yml diff --git a/packages/jamf_protect/data_stream/telemetry_legacy/fields/agent.yml b/packages/jamf_protect/data_stream/telemetry_legacy/fields/agent.yml new file mode 100644 index 00000000000..2919f7a30c6 --- /dev/null +++ b/packages/jamf_protect/data_stream/telemetry_legacy/fields/agent.yml 
@@ -0,0 +1,183 @@
+- name: cloud
+ title: Cloud
+ group: 2
+ description: Fields related to the cloud or infrastructure the events are coming from.
+ footnote: "Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on."
+ type: group
+ fields:
+ - name: account.id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: "The cloud account or organization ID used to identify different entities in a multi-tenant environment. Examples: AWS account ID, Google Cloud ORG ID, or other unique identifier."
+ example: 666777888999
+ - name: availability_zone
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Availability zone in which this host is running.
+ example: us-east-1c
+ - name: instance.id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Instance ID of the host machine.
+ example: i-1234567890abcdef0
+ - name: instance.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Instance name of the host machine.
+ - name: machine.type
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Machine type of the host machine.
+ example: t2.medium
+ - name: provider
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
+ example: aws
+ - name: region
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Region in which this host is running.
+ example: us-east-1
+ - name: project.id
+ type: keyword
+ description: Name of the project in Google Cloud.
+ - name: image.id
+ type: keyword
+ description: Image ID for the cloud instance.
+- name: container
+ title: Container
+ group: 2
+ description: "Container fields are used for meta information about the specific container that is the source of information. These fields help correlate data based containers from any runtime."
+ type: group
+ fields:
+ - name: id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Unique container ID.
+ - name: image.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Name of the image the container was built on.
+ - name: labels
+ level: extended
+ type: object
+ object_type: keyword
+ description: Image labels.
+ - name: name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Container name.
+- name: host
+ title: Host
+ group: 2
+ description: "A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes."
+ type: group
+ fields:
+ - name: architecture
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Operating system architecture.
+ example: x86_64
+ - name: domain
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: "Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider."
+ example: CONTOSO
+ default_field: false
+ - name: hostname
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: "Hostname of the host. It normally contains what the `hostname` command returns on the host machine."
+ - name: id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: "Unique host ID. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`."
+ - name: ip
+ level: core
+ type: ip
+ description: Host IP addresses.
+ - name: mac
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Host mac addresses.
+ - name: name
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: "Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use."
+ - name: os.family
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: OS family (such as redhat, debian, freebsd, windows).
+ example: debian
+ - name: os.kernel
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system kernel version as a raw string.
+ example: 4.4.0-112-generic
+ - name: os.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: text
+ norms: false
+ default_field: false
+ description: Operating system name, without the version.
+ example: Mac OS X
+ - name: os.platform
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system platform (such centos, ubuntu, windows).
+ example: darwin
+ - name: os.version
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system version as a raw string.
+ example: 10.14.1
+ - name: type
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: "Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment."
+ - name: containerized
+ type: boolean
+ description: >-
+ If the host is a container.
+ - name: os.build
+ type: keyword
+ example: "18D109"
+ description: >-
+ OS build information.
+ - name: os.codename
+ type: keyword
+ example: "stretch"
+ description: >-
+ OS codename, if any.
+- name: input.type
+ type: keyword
+ description: Input type
+- name: log.offset
+ type: long
+ description: Log offset
diff --git a/packages/jamf_protect/data_stream/telemetry_legacy/fields/base-fields.yml b/packages/jamf_protect/data_stream/telemetry_legacy/fields/base-fields.yml
new file mode 100644
index 00000000000..1971182835c
--- /dev/null
+++ b/packages/jamf_protect/data_stream/telemetry_legacy/fields/base-fields.yml
@@ -0,0 +1,20 @@
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: event.dataset
+ type: constant_keyword
+ description: Name of the dataset.
+ value: jamf_protect.telemetry_legacy
+- name: event.module
+ type: constant_keyword
+ description: Event module.
+ value: jamf_protect
+- name: "@timestamp"
+ type: date
+ description: Event timestamp.
diff --git a/packages/jamf_protect/data_stream/telemetry_legacy/fields/ecs.yml b/packages/jamf_protect/data_stream/telemetry_legacy/fields/ecs.yml
new file mode 100644
index 00000000000..6804143d1fe
--- /dev/null
+++ b/packages/jamf_protect/data_stream/telemetry_legacy/fields/ecs.yml
@@ -0,0 +1,84 @@
+- external: ecs
+ name: ecs.version
+- external: ecs
+ name: error.code
+- external: ecs
+ name: event.action
+- external: ecs
+ name: event.category
+- external: ecs
+ name: event.code
+- external: ecs
+ name: event.created
+- external: ecs
+ name: event.kind
+- external: ecs
+ name: event.outcome
+- external: ecs
+ name: event.type
+- external: ecs
+ name: file.hash.sha1
+- external: ecs
+ name: file.path
+- external: ecs
+ name: host.os.type
+- external: ecs
+ name: process.args
+- external: ecs
+ name: process.exit_code
+- external: ecs
+ name: process.name
+- external: ecs
+ name: process.pid
+- external: ecs
+ name: process.parent.pid
+- external: ecs
+ name: process.hash.sha1
+- external: ecs
+ name: process.hash.sha256
+- external: ecs
+ name: process.real_group.id
+- external: ecs
+ name: process.real_group.name
+- external: ecs
+ name: process.real_user.id
+- external: ecs
+ name: process.real_user.name
+- external: ecs
+ name: process.user.id
+- external: ecs
+ name: process.user.name
+- external: ecs
+ name: related.hash
+- external: ecs
+ name: related.hosts
+- external: ecs
+ name: related.ip
+- external: ecs
+ name: server.ip
+- external: ecs
+ name: server.port
+- external: ecs
+ name: related.user
+- external: ecs
+ name: tags
+- external: ecs
+ name: user.effective.id
+- external: ecs
+ name: user.effective.name
+- external: ecs
+ name: user.email
+- external: ecs
+ name: user.group.id
+- external: ecs
+ name: user.group.name
+- external: ecs
+ name: user.id
+- external: ecs
+ name: user.name
+- external: ecs
+ name: process.code_signature.signing_id
+- external: ecs
+ name: process.code_signature.status
+- external: ecs
+ name: process.code_signature.team_id
diff --git a/packages/jamf_protect/data_stream/telemetry_legacy/fields/fields.yml b/packages/jamf_protect/data_stream/telemetry_legacy/fields/fields.yml
new file mode 100644
index 00000000000..acd0afa74b7
--- /dev/null
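Review bot: `error.message` is not declared in this ECS field list (only `error.code` is), yet the telemetry_legacy default pipeline added in this same change writes it from its `on_failure` handler; unless it is declared in the data stream's fields.yml, the field is left to dynamic mapping and a pipeline test that exercises the failure path will likely be rejected by the package's field validation. Add the pair `- external: ecs` / `  name: error.message` next to `error.code`. Minor style: `related.user` sits between `server.port` and `tags`, and the three `process.code_signature.*` entries are appended after `user.*`, breaking the otherwise alphabetical ordering of the list.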
+++ b/packages/jamf_protect/data_stream/telemetry_legacy/fields/fields.yml 
@@ -0,0 +1,656 @@ +- name: jamf_protect.telemetry + type: group + fields: + - name: arguments + type: group + fields: + - name: addr + type: keyword + - name: am_failure + type: keyword + - name: am_success + type: keyword + - name: authenticated + type: flattened + - name: child + type: group + fields: + - name: pid + type: long + - name: data + type: keyword + - name: detail + type: keyword + - name: domain + type: keyword + - name: fd + type: keyword + - name: flags + type: keyword + - name: flattened + type: flattened + - name: known_uid + type: keyword + - name: pid + type: long + - name: port + type: long + - name: priority + type: long + - name: process + type: keyword + - name: protocol + type: keyword + - name: request + type: keyword + - name: sflags + type: keyword + - name: signal + type: keyword + - name: target + type: group + fields: + - name: port + type: long + - name: task + type: group + fields: + - name: port + type: long + - name: type + type: keyword + - name: which + type: keyword + - name: who + type: keyword + - name: attributes + type: group + fields: + - name: device + type: keyword + - name: file + type: group + fields: + - name: access_mode + type: keyword + - name: system + type: group + fields: + - name: id + type: keyword + - name: node + type: group + fields: + - name: id + type: keyword + - name: owner + type: group + fields: + - name: group + type: group + fields: + - name: id + type: keyword + - name: name + type: keyword + - name: dataset + type: keyword + - name: event_attributes + type: group + fields: + - name: activity_identifier + type: keyword + - name: assessments_enabled + type: long + - name: attributes + type: group + fields: + - name: ctime + type: date + - name: mtime + type: date + - name: path + type: keyword + - name: quarantine + type: group + fields: + - name: agent_bundle_identifier + type: keyword + - name: agent_name + type: keyword + - name: data_url_string + type: keyword + - name: event_identifier + type: 
keyword + - name: origin_url_string + type: keyword + - name: timestamp + type: date + - name: requirement + type: keyword + - name: audit_event + type: group + fields: + - name: excluded_processes + type: keyword + - name: excluded_users + type: keyword + - name: audit_event_log_verbose_messages + type: keyword + - name: audit_level + type: long + - name: backtrace + type: group + fields: + - name: frames + type: group + fields: + - name: image_offset + type: long + - name: image_uuid + type: keyword + - name: build_alias_of + type: keyword + - name: build_version + type: keyword + - name: category + type: keyword + - name: cf_bundle_short_version_string + type: keyword + - name: cf_bundle_version + type: keyword + - name: dev_id_enabled + type: long + - name: event + type: group + fields: + - name: message + type: keyword + - name: type + type: keyword + - name: file_event + type: group + fields: + - name: exclusion_paths + type: keyword + - name: inclusion_paths + type: keyword + - name: use_fuzzy_match + type: long + - name: file_license_info + type: group + fields: + - name: license_expiration_date + type: date + - name: license_key + type: keyword + - name: license_type + type: keyword + - name: license_version + type: keyword + - name: format_string + type: keyword + - name: job + type: group + fields: + - name: completed_time + type: date + - name: creation_time + type: date + - name: destination + type: keyword + - name: format + type: keyword + - name: id + type: keyword + - name: processing_time + type: date + - name: size + type: keyword + - name: state + type: keyword + - name: title + type: keyword + - name: user + type: keyword + - name: log + type: group + fields: + - name: file + type: group + fields: + - name: location + type: keyword + - name: max_number_backups + type: long + - name: max_size_mega_bytes + type: long + - name: ownership + type: keyword + - name: permission + type: keyword + - name: remote_endpoint_enabled + type: long + - name: 
remote_endpoint_type + type: keyword + - name: remote_endpoint_type_awskinesis + type: group + fields: + - name: access_key_id + type: keyword + - name: region + type: keyword + - name: secret_key + type: keyword + - name: stream_name + type: keyword + - name: remote_endpoint_url + type: keyword + - name: mach_timestamp + type: keyword + - name: opaque_version + type: keyword + - name: parent_activity_identifier + type: keyword + - name: path + type: keyword + - name: process + type: group + fields: + - name: id + type: long + - name: image + type: group + fields: + - name: path + type: keyword + - name: uuid + type: keyword + - name: project_name + type: keyword + - name: sender + type: group + fields: + - name: id + type: long + - name: image + type: group + fields: + - name: path + type: keyword + - name: uuid + type: keyword + - name: program_counter + type: long + - name: source + type: keyword + - name: source_version + type: keyword + - name: subsystem + type: keyword + - name: timestamp + type: date + - name: timezone_name + type: keyword + - name: thread_id + type: keyword + - name: trace_id + type: keyword + - name: unified_log_predicates + type: keyword + - name: version + type: keyword + - name: event_score + type: long + - name: exec_args + type: group + fields: + - name: args + type: flattened + - name: args_compiled + type: keyword + - name: exec_chain_child + type: group + fields: + - name: parent + type: group + fields: + - name: path + type: text + - name: uuid + type: keyword + - name: exec_chain_parent + type: group + fields: + - name: uuid + type: keyword + - name: exec_env + type: group + fields: + - name: env + type: group + fields: + - name: arch + type: keyword + - name: compiled + type: keyword + - name: malwarebytes_group + type: keyword + - name: path + type: text + - name: shell + type: keyword + - name: ssh_auth_sock + type: keyword + - name: tmpdir + type: keyword + - name: xpc + type: group + fields: + - name: flags + type: keyword + 
- name: service_name + type: keyword + - name: env_compiled + type: keyword + - name: exit + type: group + fields: + - name: return + type: group + fields: + - name: value + type: long + - name: status + type: keyword + - name: file_event_info + type: group + fields: + - name: eventid_wrapped + type: boolean + - name: history_done + type: boolean + - name: item + type: group + fields: + - name: change_owner + type: boolean + - name: cloned + type: boolean + - name: created + type: boolean + - name: extended_attribute_modified + type: boolean + - name: finder_info_modified + type: boolean + - name: inode_metadata_modified + type: boolean + - name: is_directory + type: boolean + - name: is_file + type: boolean + - name: is_hard_link + type: boolean + - name: is_last_hard_link + type: boolean + - name: is_sym_link + type: boolean + - name: removed + type: boolean + - name: renamed + type: boolean + - name: updated + type: boolean + - name: kernel_dropped + type: boolean + - name: mount + type: boolean + - name: must_scan_sub_dir + type: boolean + - name: none + type: boolean + - name: own_event + type: boolean + - name: root_changed + type: boolean + - name: unmount + type: boolean + - name: user_dropped + type: boolean + - name: hardware_event_info + type: group + fields: + - name: device + type: group + fields: + - name: class + type: keyword + - name: name + type: keyword + - name: status + type: keyword + - name: device_attributes + type: group + fields: + - name: io + type: group + fields: + - name: cf_plugin_types + type: flattened + - name: class_name_override + type: keyword + - name: power_management + type: group + fields: + - name: capability_flags + type: keyword + - name: current_power_state + type: long + - name: device_power_state + type: long + - name: driver_power_state + type: long + - name: max_power_state + type: long + - name: iserial_number + type: long + - name: removable + type: keyword + - name: usb + type: group + fields: + - name: 
product_name + type: keyword + - name: vendor_name + type: keyword + - name: header + type: group + fields: + - name: action + type: keyword + - name: event_modifier + type: keyword + - name: time_milliseconds_offset + type: long + - name: version + type: keyword + - name: host_info + type: group + fields: + - name: host + type: group + fields: + - name: uuid + type: keyword + - name: identity + type: group + fields: + - name: cd_hash + type: keyword + - name: signer + type: group + fields: + - name: id + type: keyword + - name: id_truncated + type: keyword + - name: type + type: keyword + - name: team + type: group + fields: + - name: id + type: keyword + - name: id_truncated + type: keyword + - name: path + type: keyword + - name: process + type: group + fields: + - name: effective + type: group + fields: + - name: group + type: group + fields: + - name: id + type: keyword + - name: name + type: keyword + - name: user + type: group + fields: + - name: id + type: keyword + - name: name + type: keyword + - name: group + type: group + fields: + - name: id + type: keyword + - name: name + type: keyword + - name: pid + type: long + - name: name + type: keyword + - name: session + type: group + fields: + - name: id + type: keyword + - name: terminal_id + type: group + fields: + - name: addr + type: keyword + - name: ip_address + type: ip + - name: port + type: long + - name: type + type: keyword + - name: user + type: group + fields: + - name: id + type: keyword + - name: name + type: keyword + - name: return + type: group + fields: + - name: description + type: keyword + - name: signal_event_info + type: group + fields: + - name: signal + type: long + - name: socket + type: group + fields: + - name: inet + type: group + fields: + - name: addr + type: keyword + - name: family + type: keyword + - name: id + type: keyword + - name: unix + type: group + fields: + - name: family + type: keyword + - name: path + type: text + - name: subject + type: group + fields: + - name: 
audit + type: group + fields: + - name: id + type: keyword + - name: user + type: group + fields: + - name: name + type: keyword + - name: effective + type: group + fields: + - name: group + type: group + fields: + - name: id + type: keyword + - name: name + type: keyword + - name: user + type: group + fields: + - name: id + type: keyword + - name: name + type: keyword + - name: process + type: group + fields: + - name: name + type: keyword + - name: pid + type: long + - name: responsible + type: group + fields: + - name: process + type: group + fields: + - name: id + type: keyword + - name: name + type: keyword + - name: session + type: group + fields: + - name: id + type: keyword + - name: terminal_id + type: group + fields: + - name: addr + type: keyword + - name: port + type: long + - name: type + type: keyword + - name: texts + type: keyword +- name: log.source.address + type: keyword + description: Source address from which the log event was read / sent from. diff --git a/packages/jamf_protect/data_stream/telemetry_legacy/manifest.yml b/packages/jamf_protect/data_stream/telemetry_legacy/manifest.yml new file mode 100644 index 00000000000..00798f14d54 --- /dev/null +++ b/packages/jamf_protect/data_stream/telemetry_legacy/manifest.yml 
@@ -0,0 +1,166 @@
+title: Jamf Protect Telemetry (Legacy).
+type: logs
+streams:
+ - input: http_endpoint
+ template_path: http_endpoint.yml.hbs
+ title: Jamf Protect Telemetry (Legacy)
+ description: Receives Telemetry (Legacy) from Jamf Protect with Elastic Agent.
+ vars:
+ - name: listen_port
+ type: integer
+ title: Listen Port
+ description: The port number the listener binds to.
+ multi: false
+ required: true
+ show_user: true
+ default: 9550
+ - name: url
+ type: text
+ title: URL
+ description: This option specifies which URL path to accept requests on. Defaults to /.
+ multi: false
+ required: false
+ show_user: false
+ default: /
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - forwarded
+ - jamf_protect-telemetry-legacy
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`.
+ type: bool
+ multi: false
+ default: false
+ - name: preserve_duplicate_custom_fields
+ required: true
+ show_user: true
+ title: Preserve duplicate custom fields
+ description: Preserve custom fields for all ECS mappings.
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >-
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+ - input: aws-s3
+ title: Jamf Protect Telemetry (Legacy)
+ description: Collect Telemetry (Legacy) from Jamf Protect via S3 or SQS.
+ template_path: aws-s3.yml.hbs
+ vars:
+ - name: queue_url_telemetry_legacy
+ type: text
+ title: "[Telemetry][SQS] Queue URL"
+ multi: false
+ required: false
+ show_user: true
+ description: "URL of the AWS SQS queue that messages will be received from.\nThis is only required if you want to collect logs via AWS SQS.\nThis is a Telemetry data stream specific queue URL. This will override the global queue URL if provided."
+ - name: bucket_list_prefix
+ type: text
+ title: '[S3] Bucket Prefix'
+ multi: false
+ required: false
+ show_user: true
+ default: protect-/telemetries/
+ description: Prefix to apply for the list request to the S3 bucket.
+ - name: jamf_protect_bucket_name
+ type: text
+ title: "[Telemetry][S3] Bucket Name"
+ multi: false
+ required: false
+ show_user: true
+ description: "Jamf Protect is an S3-compatible, globally distributed object storage. This parameter can replace Bucket ARN with a Bucket Name for collecting logs or another 3rd party S3-compatible service. It will override the global Bucket Name if provided."
+ - name: interval
+ type: text
+ title: '[S3] Interval'
+ multi: false
+ required: false
+ show_user: true
+ default: 1m
+ description: Time interval for polling listing of the S3 bucket. Supported units for this parameter are h/m/s.
+ - name: number_of_workers
+ type: integer
+ title: '[S3] Number of Workers'
+ multi: false
+ required: false
+ show_user: true
+ default: 5
+ description: Number of workers that will process the S3 objects listed.
+ - name: visibility_timeout
+ type: text
+ title: '[SQS] Visibility Timeout'
+ multi: false
+ required: false
+ show_user: true
+ default: 300s
+ description: The duration that the received messages are hidden from subsequent retrieve requests after being retrieved by a ReceiveMessage request. The maximum is 12 hours. Valid time units are h, m, s.
+ - name: api_timeout
+ type: text
+ title: '[SQS] API Timeout'
+ multi: false
+ required: false
+ show_user: true
+ default: 120s
+ description: The maximum duration of AWS API can take. The maximum is half of the visibility timeout value. Valid time units are h, m, s.
+ - name: max_number_of_messages
+ type: integer
+ title: '[SQS] Maximum Concurrent SQS Messages'
+ required: false
+ show_user: true
+ default: 5
+ description: The maximum number of SQS messages that can be inflight at any time.
+ - name: file_selectors
+ type: yaml
+ title: '[SQS] File Selectors'
+ multi: false
+ required: false
+ show_user: false
+ default: |
+ - regex: 'protect-/telemetries/.+'
+ description: If the SQS queue will have events that correspond to files that this integration shouldn’t process, file_selectors can be used to limit the files that are downloaded. This is a list of selectors which are made up of regex and expand_event_list_from_field options. The regex should match the S3 object key in the SQS message, and the optional expand_event_list_from_field is the same as the global setting. If file_selectors is given, then any global expand_event_list_from_field value is ignored in favor of the ones specified in the file_selectors. Regexes use [RE2 syntax](https://pkg.go.dev/regexp/syntax). Files that don’t match one of the regexes will not be processed.
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - forwarded
+ - jamf_protect-telemetry-legacy
+ - jamf_protect.telemetry-legacy
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`.
+ type: bool
+ multi: false
+ default: false
+ - name: preserve_duplicate_custom_fields
+ required: true
+ show_user: true
+ title: Preserve duplicate custom fields
+ description: Preserve custom fields for all ECS mappings.
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >-
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
diff --git a/packages/jamf_protect/data_stream/telemetry_legacy/sample_event.json b/packages/jamf_protect/data_stream/telemetry_legacy/sample_event.json
new file mode 100644
index 00000000000..b283946963b
--- /dev/null
+++ b/packages/jamf_protect/data_stream/telemetry_legacy/sample_event.json
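Review bot: The http_endpoint stream exposes only `listen_port` and `url` as variables, so nothing in this manifest lets an operator require TLS or a shared secret on the listener; unless `http_endpoint.yml.hbs` (not in this diff) hard-codes them, the input's `ssl` and `secret.header`/`secret.value` options should be surfaced as vars, as other data streams in this package may already do. The two `tags` defaults also disagree: http_endpoint defaults to `forwarded, jamf_protect-telemetry-legacy` while aws-s3 adds a third `jamf_protect.telemetry-legacy` tag, which is worth aligning or documenting. The data stream `title` also carries a trailing period (`Jamf Protect Telemetry (Legacy).`) that the stream titles below do not.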
@@ -0,0 +1,168 @@
+{
+ "@timestamp": "2024-02-06T16:01:34.442Z",
+ "agent": {
+ "ephemeral_id": "9120e1ff-3b37-400b-a22a-799044a284ae",
+ "id": "8e815812-b6dc-4364-9622-da2462209a37",
+ "name": "docker-fleet-agent",
+ "type": "filebeat",
+ "version": "8.13.2"
+ },
+ "data_stream": {
+ "dataset": "jamf_protect.telemetry_legacy",
+ "namespace": "ep",
+ "type": "logs"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "elastic_agent": {
+ "id": "8e815812-b6dc-4364-9622-da2462209a37",
+ "snapshot": false,
+ "version": "8.13.2"
+ },
+ "error": {
+ "code": "0"
+ },
+ "event": {
+ "action": "aue_posix_spawn",
+ "agent_id_status": "verified",
+ "category": [
+ "authentication"
+ ],
+ "code": "43190",
+ "dataset": "jamf_protect.telemetry_legacy",
+ "ingested": "2024-06-12T21:19:53Z",
+ "kind": "event",
+ "outcome": "success",
+ "type": [
+ "info"
+ ]
+ },
+ "host": {
+ "hostname": "Mac mini",
+ "id": "H2WGF2U9Q6NV",
+ "ip": [
+ "0.0.0.0"
+ ],
+ "os": {
+ "version": "Version 14.2.1 (Build 23C71)"
+ }
+ },
+ "input": {
+ "type": "http_endpoint"
+ },
+ "jamf_protect": {
+ "telemetry": {
+ "arguments": {
+ "child": {
+ "pid": 70851
+ }
+ },
+ "dataset": "audit",
+ "exec_args": {
+ "args_compiled": "/usr/bin/profiles,status,-type,enrollment"
+ },
+ "exec_chain_parent": {
+ "uuid": "87F2E500-EDF1-4F12-A489-C5E05B0F523E"
+ },
+ "exec_env": {
+ "env": {
+ "compiled": "PWD=/,PATH=/usr/bin:/bin:/usr/sbin:/sbin"
+ }
+ },
+ "header": {
+ "event_modifier": "0",
+ "version": "11"
+ },
+ "host_info": {
+ "host": {
+ "uuid": "AE2FA359-6AB0-5F54-9E4A-39EDCF015C91"
+ }
+ },
+ "identity": {
+ "cd_hash": "a2c787fe5e26ead7c68909e45a75edced4147c68",
+ "signer": {
+ "id_truncated": "false",
+ "type": "0"
+ }
+ },
+ "path": [
+ "/usr/bin/profiles",
+ "/usr/bin/profiles"
+ ],
+ "return": {
+ "description": "success"
+ },
+ "subject": {
+ "effective": {
+ "group": {
+ "id": "0",
+ "name": "wheel"
+ }
+ },
+ "process": {
+ "name": "/Library/Application Support/Microsoft/EdgeUpdater/118.0.2088.86/EdgeUpdater.app/Contents/MacOS/EdgeUpdater",
+ "pid": 70848
+ },
+ "session": {
+ "id": "100016"
+ },
+ "terminal_id": {
+ "port": 0,
+ "type": "4"
+ }
+ }
+ }
+ },
+ "process": {
+ "args": [
+ "/usr/bin/profiles",
+ "status",
+ "-type",
+ "enrollment"
+ ],
+ "code_signature": {
+ "signing_id": "com.microsoft.EdgeUpdater",
+ "team_id": "UBF8T346G9"
+ },
+ "exit_code": 0,
+ "hash": {
+ "sha1": "9cfc802baf45b74693d146686ebe9ec59ac6367f"
+ },
+ "real_group": {
+ "id": "0",
+ "name": "wheel"
+ },
+ "real_user": {
+ "id": "4294967295"
+ },
+ "user": {
+ "id": "0",
+ "name": "root"
+ }
+ },
+ "related": {
+ "hash": [
+ "9cfc802baf45b74693d146686ebe9ec59ac6367f"
+ ],
+ "hosts": [
+ "Mac mini"
+ ],
+ "ip": [
+ "0.0.0.0"
+ ],
+ "user": [
+ "root"
+ ]
+ },
+ "tags": [
+ "forwarded",
+ "jamf_protect-telemetry-legacy"
+ ],
+ "user": {
+ "id": "0",
+ "name": [
+ "root"
+ ]
+ }
+}
\ No newline at end of file
diff --git a/packages/jamf_protect/data_stream/web_threat_events/_dev/test/pipeline/test-jamf-protect-threat-sample-logs.log-expected.json b/packages/jamf_protect/data_stream/web_threat_events/_dev/test/pipeline/test-jamf-protect-threat-sample-logs.log-expected.json
index d2a05b2c012..8f9ae35fab4 100644
--- a/packages/jamf_protect/data_stream/web_threat_events/_dev/test/pipeline/test-jamf-protect-threat-sample-logs.log-expected.json
+++ b/packages/jamf_protect/data_stream/web_threat_events/_dev/test/pipeline/test-jamf-protect-threat-sample-logs.log-expected.json
@@ -41,6 +41,7 @@
 },
 "observer": {
 "product": "Jamf Protect",
+ "type": "Endpoint Security",
 "vendor": "Jamf"
 },
 "organization": {
@@ -84,6 +85,7 @@
 },
 "observer": {
 "product": "Jamf Protect",
+ "type": "Endpoint Security",
 "vendor": "Jamf"
 },
 "organization": {
@@ -131,6 +133,7 @@
 },
 "observer": {
 "product": "Jamf Protect",
+ "type": "Endpoint Security",
 "vendor": "Jamf"
 },
 "organization": {
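Review bot: The sample event categorises an `aue_posix_spawn` exec record as `"category": ["authentication"]` with `"type": ["info"]`, so `event.category:process` detection rules will not match this stream's process executions; the non-legacy telemetry sample updated in this same commit (README hunk further down) emits `process` / `info`, `start` for the equivalent exec event. `process.real_user.id` is `"4294967295"` (presumably the unsigned rendering of an unset -1 audit uid) and `host.ip` is `["0.0.0.0"]`, both of which look like unconverted sentinels rather than real values and would pollute `related.ip` and user pivots. The ingest pipeline that produces these mappings is not in this diff, so the fix belongs there and this generated sample would follow.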
@@ -178,6 +181,7 @@ }, "observer": { "product": "Jamf Protect", + "type": "Endpoint Security", "vendor": "Jamf" }, "organization": { @@ -225,6 +229,7 @@ }, "observer": { "product": "Jamf Protect", + "type": "Endpoint Security", "vendor": "Jamf" }, "organization": { @@ -272,6 +277,7 @@ }, "observer": { "product": "Jamf Protect", + "type": "Endpoint Security", "vendor": "Jamf" }, "organization": { @@ -319,6 +325,7 @@ }, "observer": { "product": "Jamf Protect", + "type": "Endpoint Security", "vendor": "Jamf" }, "organization": { @@ -366,6 +373,7 @@ }, "observer": { "product": "Jamf Protect", + "type": "Endpoint Security", "vendor": "Jamf" }, "organization": { diff --git a/packages/jamf_protect/data_stream/web_threat_events/elasticsearch/ingest_pipeline/default.yml b/packages/jamf_protect/data_stream/web_threat_events/elasticsearch/ingest_pipeline/default.yml index cda2efaabec..1058b4adb1b 100644 --- a/packages/jamf_protect/data_stream/web_threat_events/elasticsearch/ingest_pipeline/default.yml +++ b/packages/jamf_protect/data_stream/web_threat_events/elasticsearch/ingest_pipeline/default.yml @@ -22,6 +22,9 @@ processors: - set: field: observer.vendor value: Jamf + - set: + field: observer.type + value: Endpoint Security ####################### ## ECS Event Mapping ## diff --git a/packages/jamf_protect/data_stream/web_threat_events/sample_event.json b/packages/jamf_protect/data_stream/web_threat_events/sample_event.json index a064a2f58b9..a0d0bf85179 100644 --- a/packages/jamf_protect/data_stream/web_threat_events/sample_event.json +++ b/packages/jamf_protect/data_stream/web_threat_events/sample_event.json 
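Review bot: The new `set` processor writes `observer.type` as `Endpoint Security`, a capitalised two-word value, whereas ECS describes this keyword with short lowercase example tokens (`forwarder`, `firewall`, `ids`, `sensor`); it is not an enforced enum, but a lowercase token such as `endpoint` or `sensor` would filter and aggregate consistently with other integrations. The same value is set in the web_traffic_events `default.yml` hunk below, so `value: Endpoint Security` is the line to change in both pipelines and in the expected/sample JSON that depends on it.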
@@ -1,11 +1,11 @@ { - "@timestamp": "2024-05-17T00:11:29.057Z", + "@timestamp": "2024-06-12T21:21:39.714Z", "agent": { - "ephemeral_id": "0eddc4c4-e383-459e-925e-3ba00e7abfbf", - "id": "c3650180-e3d1-4dad-9094-89c988e721d7", + "ephemeral_id": "c0c550fc-7c58-4392-9ea9-b49f7a181825", + "id": "8e815812-b6dc-4364-9622-da2462209a37", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.13.0" + "version": "8.13.2" }, "data_stream": { "dataset": "jamf_protect.web_threat_events", @@ -21,9 +21,9 @@ "version": "8.11.0" }, "elastic_agent": { - "id": "c3650180-e3d1-4dad-9094-89c988e721d7", + "id": "8e815812-b6dc-4364-9622-da2462209a37", "snapshot": false, - "version": "8.13.0" + "version": "8.13.2" }, "event": { "action": "Detected", @@ -33,7 +33,7 @@ ], "dataset": "jamf_protect.web_threat_events", "id": "013b15c9-8f62-4bf1-948a-d82367af2a10", - "ingested": "2024-05-17T00:11:39Z", + "ingested": "2024-06-12T21:21:49Z", "kind": "alert", "provider": "Jamf Protect", "reason": "Sideloaded App", @@ -63,6 +63,7 @@ }, "observer": { "product": "Jamf Protect", + "type": "Endpoint Security", "vendor": "Jamf" }, "organization": { diff --git a/packages/jamf_protect/data_stream/web_traffic_events/_dev/test/pipeline/test-jamf-protect-traffic-sample-logs.log-expected.json b/packages/jamf_protect/data_stream/web_traffic_events/_dev/test/pipeline/test-jamf-protect-traffic-sample-logs.log-expected.json index cffa5f8e5f5..7bf42b717fa 100644 --- a/packages/jamf_protect/data_stream/web_traffic_events/_dev/test/pipeline/test-jamf-protect-traffic-sample-logs.log-expected.json +++ b/packages/jamf_protect/data_stream/web_traffic_events/_dev/test/pipeline/test-jamf-protect-traffic-sample-logs.log-expected.json @@ -43,6 +43,7 @@ }, "observer": { "product": "Jamf Protect", + "type": "Endpoint Security", "vendor": "Jamf" }, "organization": { @@ -94,6 +95,7 @@ }, "observer": { "product": "Jamf Protect", + "type": "Endpoint Security", "vendor": "Jamf" }, "organization": { 
@@ -146,6 +148,7 @@ }, "observer": { "product": "Jamf Protect", + "type": "Endpoint Security", "vendor": "Jamf" }, "organization": { @@ -202,6 +205,7 @@ }, "observer": { "product": "Jamf Protect", + "type": "Endpoint Security", "vendor": "Jamf" }, "organization": { @@ -258,6 +262,7 @@ }, "observer": { "product": "Jamf Protect", + "type": "Endpoint Security", "vendor": "Jamf" }, "organization": { @@ -314,6 +319,7 @@ }, "observer": { "product": "Jamf Protect", + "type": "Endpoint Security", "vendor": "Jamf" }, "organization": { diff --git a/packages/jamf_protect/data_stream/web_traffic_events/elasticsearch/ingest_pipeline/default.yml b/packages/jamf_protect/data_stream/web_traffic_events/elasticsearch/ingest_pipeline/default.yml index 11635be341f..dc545ad450b 100644 --- a/packages/jamf_protect/data_stream/web_traffic_events/elasticsearch/ingest_pipeline/default.yml +++ b/packages/jamf_protect/data_stream/web_traffic_events/elasticsearch/ingest_pipeline/default.yml @@ -22,6 +22,9 @@ processors: - set: field: observer.vendor value: Jamf + - set: + field: observer.type + value: Endpoint Security ####################### ## ECS Event Mapping ## diff --git a/packages/jamf_protect/data_stream/web_traffic_events/sample_event.json b/packages/jamf_protect/data_stream/web_traffic_events/sample_event.json index e757e0d8659..b99bcb57ae9 100644 --- a/packages/jamf_protect/data_stream/web_traffic_events/sample_event.json +++ b/packages/jamf_protect/data_stream/web_traffic_events/sample_event.json @@ -1,11 +1,11 @@ { - "@timestamp": "2024-05-17T00:12:27.062Z", + "@timestamp": "2024-06-12T21:23:32.864Z", "agent": { - "ephemeral_id": "ffca4568-15a9-4780-bc89-e026120c233e", - "id": "c3650180-e3d1-4dad-9094-89c988e721d7", + "ephemeral_id": "82b058ea-7609-4a92-9ec4-8a9d84c83c69", + "id": "8e815812-b6dc-4364-9622-da2462209a37", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.13.0" + "version": "8.13.2" }, "data_stream": { "dataset": "jamf_protect.web_traffic_events", 
@@ -28,9 +28,9 @@ "version": "8.11.0" }, "elastic_agent": { - "id": "c3650180-e3d1-4dad-9094-89c988e721d7", + "id": "8e815812-b6dc-4364-9622-da2462209a37", "snapshot": false, - "version": "8.13.0" + "version": "8.13.2" }, "event": { "action": "DNS Lookup", @@ -40,7 +40,7 @@ "network" ], "dataset": "jamf_protect.web_traffic_events", - "ingested": "2024-05-17T00:12:37Z", + "ingested": "2024-06-12T21:23:42Z", "kind": "event", "outcome": [ "success" @@ -65,6 +65,7 @@ }, "observer": { "product": "Jamf Protect", + "type": "Endpoint Security", "vendor": "Jamf" }, "organization": { diff --git a/packages/jamf_protect/docs/README.md b/packages/jamf_protect/docs/README.md index d5bb452444e..a05b9804c29 100644 --- a/packages/jamf_protect/docs/README.md +++ b/packages/jamf_protect/docs/README.md @@ -94,13 +94,13 @@ An example event for `alerts` looks as following: ```json { - "@timestamp": "2024-05-17T00:09:29.807Z", + "@timestamp": "2024-06-12T21:15:48.751Z", "agent": { - "ephemeral_id": "dd1cb398-e758-40c0-87b6-4ce4fb3611b2", - "id": "c3650180-e3d1-4dad-9094-89c988e721d7", + "ephemeral_id": "f61f65a0-cfe1-43bc-8b7e-b2bec2ad3fe1", + "id": "8e815812-b6dc-4364-9622-da2462209a37", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.13.0" + "version": "8.13.2" }, "data_stream": { "dataset": "jamf_protect.alerts", @@ -111,9 +111,9 @@ An example event for `alerts` looks as following: "version": "8.11.0" }, "elastic_agent": { - "id": "c3650180-e3d1-4dad-9094-89c988e721d7", + "id": "8e815812-b6dc-4364-9622-da2462209a37", "snapshot": false, - "version": "8.13.0" + "version": "8.13.2" }, "event": { "action": "CustomURLHandlerCreation", @@ -124,7 +124,7 @@ An example event for `alerts` looks as following: ], "dataset": "jamf_protect.alerts", "id": "6bdb0697-6d07-47bc-a37d-6c3348a5d953", - "ingested": "2024-05-17T00:09:39Z", + "ingested": "2024-06-12T21:15:58Z", "kind": "alert", "provider": "Jamf Protect", "reason": "Application that uses custom url handler created", 
@@ -437,171 +437,157 @@ An example event for `telemetry` looks as following: ```json { - "@timestamp": "2024-02-06T16:01:34.442Z", + "@timestamp": "2024-06-12T21:17:49.148Z", "agent": { - "ephemeral_id": "a0a97e34-86ea-435f-8629-308f4c17a3b1", - "id": "c3650180-e3d1-4dad-9094-89c988e721d7", + "ephemeral_id": "693d67f8-0ad2-49d0-898d-eab743600cca", + "id": "8e815812-b6dc-4364-9622-da2462209a37", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.13.0" + "version": "8.13.2" }, "data_stream": { "dataset": "jamf_protect.telemetry", "namespace": "ep", "type": "logs" }, - "ecs": { - "version": "8.11.0" - }, "elastic_agent": { - "id": "c3650180-e3d1-4dad-9094-89c988e721d7", + "id": "8e815812-b6dc-4364-9622-da2462209a37", "snapshot": false, - "version": "8.13.0" + "version": "8.13.2" }, - "error": { - "code": "0" + "device": { + "id": "123ABC456DJ", + "manufacturer": "Apple" + }, + "ecs": { + "version": "8.11.0" }, "event": { - "action": "aue_posix_spawn", - "agent_id_status": "verified", + "action": "exec", "category": [ - "authentication" + "process" ], - "code": "43190", - "dataset": "jamf_protect.telemetry", - "ingested": "2024-05-17T00:10:39Z", + "code": "9", + "id": "CDB31202-8CB4-4C72-A9C6-7F494CD5F598", "kind": "event", - "outcome": "success", + "provider": "Jamf Protect", + "reason": "A new process has been executed", + "sequence": 202, + "start": "2024-05-31T09:47:12.436Z", "type": [ - "info" + "info", + "start" ] }, "host": { - "hostname": "Mac mini", - "id": "H2WGF2U9Q6NV", + "hostname": "MacBookPro", + "id": "00006030-001E301C0228001C", "ip": [ - "0.0.0.0" + "192.168.11.251", + "192.168.64.1", + "192.168.11.232" ], "os": { - "version": "Version 14.2.1 (Build 23C71)" + "family": "macos", + "full": "14.5 (Build 23F79)", + "name": "macOS", + "type": "macos", + "version": "14.5" } }, - "input": { - "type": "http_endpoint" - }, "jamf_protect": { "telemetry": { - "arguments": { - "child": { - "pid": 70851 - } - }, - "dataset": "audit", - "exec_args": 
{ - "args_compiled": "/usr/bin/profiles,status,-type,enrollment" - }, - "exec_chain_parent": { - "uuid": "87F2E500-EDF1-4F12-A489-C5E05B0F523E" - }, - "exec_env": { - "env": { - "compiled": "PWD=/,PATH=/usr/bin:/bin:/usr/sbin:/sbin" - } - }, - "header": { - "event_modifier": "0", - "version": "11" - }, - "host_info": { - "host": { - "uuid": "AE2FA359-6AB0-5F54-9E4A-39EDCF015C91" - } - }, - "identity": { - "cd_hash": "a2c787fe5e26ead7c68909e45a75edced4147c68", - "signer": { - "id_truncated": "false", - "type": "0" - } - }, - "path": [ - "/usr/bin/profiles", - "/usr/bin/profiles" - ], - "return": { - "description": "success" - }, - "subject": { - "effective": { - "group": { - "id": "0", - "name": "wheel" - } - }, - "process": { - "name": "/Library/Application Support/Microsoft/EdgeUpdater/118.0.2088.86/EdgeUpdater.app/Contents/MacOS/EdgeUpdater", - "pid": 70848 - }, - "session": { - "id": "100016" - }, - "terminal_id": { - "port": 0, - "type": "4" - } - } + "code_directory_hash": "23c70bd9b41017f9878af49bc2c46f7c8a70680b", + "es_client": false, + "event_allowed_by_esclient": false, + "platform_binary": true } }, + "observer": { + "product": "Jamf Protect", + "type": "Endpoint Security", + "vendor": "Jamf", + "version": "5.5.0.6" + }, "process": { "args": [ - "/usr/bin/profiles", - "status", - "-type", - "enrollment" + "/bin/zsh", + "-c", + "/var/folders/fm/j970swbn73dfnkjgsqjxxvj40000gp/T/eicar" ], + "args_count": 3, "code_signature": { - "signing_id": "com.microsoft.EdgeUpdater", - "team_id": "UBF8T346G9" + "signing_id": "com.apple.zsh" }, - "exit_code": 0, - "hash": { - "sha1": "9cfc802baf45b74693d146686ebe9ec59ac6367f" + "entity_id": "1278137C-15D6-53CE-AB0A-FC9499BC8E05", + "env_vars": [ + "USER=jappleseed", + "COMMAND_MODE=unix2003", + "__CFBundleIdentifier=com.txhaflaire.JamfCheck", + "PATH=/usr/bin:/bin:/usr/sbin:/sbin", + "LOGNAME=jappleseed", + "SSH_AUTH_SOCK=/private/tmp/com.apple.launchd.Ah3WvMOC65/Listeners", + "HOME=/Users/jappleseed", + 
"SHELL=/bin/zsh", + "TMPDIR=/var/folders/fm/j970swbn73dfnkjgsqjxxvj40000gp/T/", + "__CF_USER_TEXT_ENCODING=0x1F6:0x0:0x0", + "XPC_SERVICE_NAME=application.com.txhaflaire.JamfCheck.30852344.30852350", + "XPC_FLAGS=0x0" + ], + "executable": "/bin/zsh", + "group_leader": { + "entity_id": "A7EDC884-C034-50E7-A3AA-2E281B3E0777", + "pid": 64632, + "real_group": { + "id": "20" + }, + "real_user": { + "id": "502" + }, + "user": { + "id": "502" + } }, - "real_group": { - "id": "0", - "name": "wheel" + "interactive": false, + "parent": { + "entity_id": "A7EDC884-C034-50E7-A3AA-2E281B3E0777", + "pid": 64632, + "real_group": { + "id": "20" + }, + "real_user": { + "id": "502" + }, + "user": { + "id": "502" + } }, - "real_user": { - "id": "4294967295" + "pid": 91306, + "start": "2024-05-31T09:47:12.000Z", + "thread": { + "id": 5215860 }, - "user": { - "id": "0", - "name": "root" - } + "working_directory": "/" }, "related": { "hash": [ - "9cfc802baf45b74693d146686ebe9ec59ac6367f" + "23c70bd9b41017f9878af49bc2c46f7c8a70680b" ], "hosts": [ - "Mac mini" + "MacBookPro" ], "ip": [ - "0.0.0.0" - ], - "user": [ - "root" + "192.168.11.251", + "192.168.64.1", + "192.168.11.232" ] }, - "tags": [ - "forwarded", - "jamf_protect-telemetry" - ], "user": { - "id": "0", - "name": [ - "root" - ] + "effective": { + "id": [ + "502" + ] + } } } ``` 
@@ -622,26 +608,65 @@ An example event for `telemetry` looks as following: | cloud.region | Region in which this host is running. | keyword | | container.id | Unique container ID. | keyword | | container.image.name | Name of the image the container was built on. | keyword | +| container.image.tag | Container image tags. | keyword | | container.labels | Image labels. | object | | container.name | Container name. | keyword | +| container.runtime | Runtime managing this container. | keyword | | data_stream.dataset | Data stream dataset. | constant_keyword | | data_stream.namespace | Data stream namespace. | constant_keyword | | data_stream.type | Data stream type. | constant_keyword | +| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| destination.as.organization.name | Organization name. | keyword | +| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | +| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| destination.geo.city_name | City name. | keyword | +| destination.geo.continent_name | Name of the continent. | keyword | +| destination.geo.country_iso_code | Country ISO code. | keyword | +| destination.geo.country_name | Country name. | keyword | +| destination.geo.location | Longitude and latitude. | geo_point | +| destination.ip | IP address of the destination (IPv4 or IPv6). 
| ip | +| destination.port | Port of the destination. | long | +| device.id | The unique identifier of a device. The identifier must not change across application sessions but stay fixed for an instance of a (mobile) device. On iOS, this value must be equal to the vendor identifier (https://developer.apple.com/documentation/uikit/uidevice/1620059-identifierforvendor). On Android, this value must be equal to the Firebase Installation ID or a globally unique UUID which is persisted across sessions in your application. For GDPR and data protection law reasons this identifier should not carry information that would allow to identify a user. | keyword | +| device.manufacturer | The vendor name of the device manufacturer. | keyword | | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.code | Error code describing the error. | keyword | +| error.message | Error message. | match_only_text | | event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | | event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | | event.code | Identification code for this event, if one exists. 
Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword | | event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date | | event.dataset | Name of the dataset. | constant_keyword | +| event.duration | Duration of the event in nanoseconds. If `event.start` and `event.end` are known this value should be the difference between the end and start time. | long | +| event.end | `event.end` contains the date when the event ended or when the activity was last observed. | date | +| event.id | Unique ID to describe the event. | keyword | +| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | | event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. 
For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword | | event.module | Event module. | constant_keyword | | event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | | event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | +| event.provider | Source of the event. Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. 
Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). | keyword | +| event.severity | The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. | long | +| event.start | `event.start` contains the date when the event started or when the activity was first observed. | date | +| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword | | event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | +| file.code_signature.signing_id | The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple \*OS only. | keyword | +| file.code_signature.status | Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. 
Leave unpopulated if the validity or trust of the certificate was unchecked. | keyword | +| file.code_signature.team_id | The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple \*OS only. | keyword | +| file.extension | File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | +| file.gid | Primary group ID (GID) of the file. | keyword | +| file.hash.md5 | MD5 hash. | keyword | | file.hash.sha1 | SHA1 hash. | keyword | +| file.hash.sha256 | SHA256 hash. | keyword | +| file.hash.sha512 | SHA512 hash. | keyword | +| file.inode | Inode representing the file in the filesystem. | keyword | +| file.mode | Mode of the file in octal representation. | keyword | +| file.name | Name of the file including the extension, without the directory. | keyword | | file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword | | file.path.text | Multi-field of `file.path`. | match_only_text | +| file.size | File size in bytes. Only relevant when `file.type` is "file". | long | +| file.uid | The user ID (UID) or security identifier (SID) of the file owner. | keyword | +| group.id | Unique identifier for the group on the system/platform. | keyword | +| group.name | Name of the group. | keyword | | host.architecture | Operating system architecture. | keyword | | host.containerized | If the host is a container. | boolean | | host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | 
@@ -657,260 +682,198 @@ An example event for `telemetry` looks as following: | host.os.name | Operating system name, without the version. | keyword | | host.os.name.text | Multi-field of `host.os.name`. | text | | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. If the OS you're dealing with is not listed as an expected value, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword | | host.os.version | Operating system version as a raw string. | keyword | | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | input.type | Input type | keyword | -| jamf_protect.telemetry.arguments.addr | | keyword | -| jamf_protect.telemetry.arguments.am_failure | | keyword | -| jamf_protect.telemetry.arguments.am_success | | keyword | -| jamf_protect.telemetry.arguments.authenticated | | flattened | -| jamf_protect.telemetry.arguments.child.pid | | long | -| jamf_protect.telemetry.arguments.data | | keyword | -| jamf_protect.telemetry.arguments.detail | | keyword | -| jamf_protect.telemetry.arguments.domain | | keyword | -| jamf_protect.telemetry.arguments.fd | | keyword | -| jamf_protect.telemetry.arguments.flags | | keyword | -| jamf_protect.telemetry.arguments.flattened | | flattened | -| jamf_protect.telemetry.arguments.known_uid | | keyword | -| jamf_protect.telemetry.arguments.pid | | long | -| jamf_protect.telemetry.arguments.port | | long | -| jamf_protect.telemetry.arguments.priority | | long | -| jamf_protect.telemetry.arguments.process | | keyword | -| jamf_protect.telemetry.arguments.protocol | | keyword | -| jamf_protect.telemetry.arguments.request | | keyword | -| 
jamf_protect.telemetry.arguments.sflags | | keyword | -| jamf_protect.telemetry.arguments.signal | | keyword | -| jamf_protect.telemetry.arguments.target.port | | long | -| jamf_protect.telemetry.arguments.task.port | | long | -| jamf_protect.telemetry.arguments.type | | keyword | -| jamf_protect.telemetry.arguments.which | | keyword | -| jamf_protect.telemetry.arguments.who | | keyword | -| jamf_protect.telemetry.attributes.device | | keyword | -| jamf_protect.telemetry.attributes.file.access_mode | | keyword | -| jamf_protect.telemetry.attributes.file.system.id | | keyword | -| jamf_protect.telemetry.attributes.node.id | | keyword | -| jamf_protect.telemetry.attributes.owner.group.id | | keyword | -| jamf_protect.telemetry.attributes.owner.group.name | | keyword | -| jamf_protect.telemetry.dataset | | keyword | -| jamf_protect.telemetry.event_attributes.activity_identifier | | keyword | -| jamf_protect.telemetry.event_attributes.assessments_enabled | | long | -| jamf_protect.telemetry.event_attributes.attributes.ctime | | date | -| jamf_protect.telemetry.event_attributes.attributes.mtime | | date | -| jamf_protect.telemetry.event_attributes.attributes.path | | keyword | -| jamf_protect.telemetry.event_attributes.attributes.quarantine.agent_bundle_identifier | | keyword | -| jamf_protect.telemetry.event_attributes.attributes.quarantine.agent_name | | keyword | -| jamf_protect.telemetry.event_attributes.attributes.quarantine.data_url_string | | keyword | -| jamf_protect.telemetry.event_attributes.attributes.quarantine.event_identifier | | keyword | -| jamf_protect.telemetry.event_attributes.attributes.quarantine.origin_url_string | | keyword | -| jamf_protect.telemetry.event_attributes.attributes.quarantine.timestamp | | date | -| jamf_protect.telemetry.event_attributes.attributes.requirement | | keyword | -| jamf_protect.telemetry.event_attributes.audit_event.excluded_processes | | keyword | -| jamf_protect.telemetry.event_attributes.audit_event.excluded_users | | 
keyword | -| jamf_protect.telemetry.event_attributes.audit_event_log_verbose_messages | | keyword | -| jamf_protect.telemetry.event_attributes.audit_level | | long | -| jamf_protect.telemetry.event_attributes.backtrace.frames.image_offset | | long | -| jamf_protect.telemetry.event_attributes.backtrace.frames.image_uuid | | keyword | -| jamf_protect.telemetry.event_attributes.build_alias_of | | keyword | -| jamf_protect.telemetry.event_attributes.build_version | | keyword | -| jamf_protect.telemetry.event_attributes.category | | keyword | -| jamf_protect.telemetry.event_attributes.cf_bundle_short_version_string | | keyword | -| jamf_protect.telemetry.event_attributes.cf_bundle_version | | keyword | -| jamf_protect.telemetry.event_attributes.dev_id_enabled | | long | -| jamf_protect.telemetry.event_attributes.event.message | | keyword | -| jamf_protect.telemetry.event_attributes.event.type | | keyword | -| jamf_protect.telemetry.event_attributes.file_event.exclusion_paths | | keyword | -| jamf_protect.telemetry.event_attributes.file_event.inclusion_paths | | keyword | -| jamf_protect.telemetry.event_attributes.file_event.use_fuzzy_match | | long | -| jamf_protect.telemetry.event_attributes.file_license_info.license_expiration_date | | date | -| jamf_protect.telemetry.event_attributes.file_license_info.license_key | | keyword | -| jamf_protect.telemetry.event_attributes.file_license_info.license_type | | keyword | -| jamf_protect.telemetry.event_attributes.file_license_info.license_version | | keyword | -| jamf_protect.telemetry.event_attributes.format_string | | keyword | -| jamf_protect.telemetry.event_attributes.job.completed_time | | date | -| jamf_protect.telemetry.event_attributes.job.creation_time | | date | -| jamf_protect.telemetry.event_attributes.job.destination | | keyword | -| jamf_protect.telemetry.event_attributes.job.format | | keyword | -| jamf_protect.telemetry.event_attributes.job.id | | keyword | -| 
jamf_protect.telemetry.event_attributes.job.processing_time | | date | -| jamf_protect.telemetry.event_attributes.job.size | | keyword | -| jamf_protect.telemetry.event_attributes.job.state | | keyword | -| jamf_protect.telemetry.event_attributes.job.title | | keyword | -| jamf_protect.telemetry.event_attributes.job.user | | keyword | -| jamf_protect.telemetry.event_attributes.log.file.location | | keyword | -| jamf_protect.telemetry.event_attributes.log.file.max_number_backups | | long | -| jamf_protect.telemetry.event_attributes.log.file.max_size_mega_bytes | | long | -| jamf_protect.telemetry.event_attributes.log.file.ownership | | keyword | -| jamf_protect.telemetry.event_attributes.log.file.permission | | keyword | -| jamf_protect.telemetry.event_attributes.log.remote_endpoint_enabled | | long | -| jamf_protect.telemetry.event_attributes.log.remote_endpoint_type | | keyword | -| jamf_protect.telemetry.event_attributes.log.remote_endpoint_type_awskinesis.access_key_id | | keyword | -| jamf_protect.telemetry.event_attributes.log.remote_endpoint_type_awskinesis.region | | keyword | -| jamf_protect.telemetry.event_attributes.log.remote_endpoint_type_awskinesis.secret_key | | keyword | -| jamf_protect.telemetry.event_attributes.log.remote_endpoint_type_awskinesis.stream_name | | keyword | -| jamf_protect.telemetry.event_attributes.log.remote_endpoint_url | | keyword | -| jamf_protect.telemetry.event_attributes.mach_timestamp | | keyword | -| jamf_protect.telemetry.event_attributes.opaque_version | | keyword | -| jamf_protect.telemetry.event_attributes.parent_activity_identifier | | keyword | -| jamf_protect.telemetry.event_attributes.path | | keyword | -| jamf_protect.telemetry.event_attributes.process.id | | long | -| jamf_protect.telemetry.event_attributes.process.image.path | | keyword | -| jamf_protect.telemetry.event_attributes.process.image.uuid | | keyword | -| jamf_protect.telemetry.event_attributes.project_name | | keyword | -| 
jamf_protect.telemetry.event_attributes.sender.id | | long | -| jamf_protect.telemetry.event_attributes.sender.image.path | | keyword | -| jamf_protect.telemetry.event_attributes.sender.image.uuid | | keyword | -| jamf_protect.telemetry.event_attributes.sender.program_counter | | long | -| jamf_protect.telemetry.event_attributes.source | | keyword | -| jamf_protect.telemetry.event_attributes.source_version | | keyword | -| jamf_protect.telemetry.event_attributes.subsystem | | keyword | -| jamf_protect.telemetry.event_attributes.thread_id | | keyword | -| jamf_protect.telemetry.event_attributes.timestamp | | date | -| jamf_protect.telemetry.event_attributes.timezone_name | | keyword | -| jamf_protect.telemetry.event_attributes.trace_id | | keyword | -| jamf_protect.telemetry.event_attributes.unified_log_predicates | | keyword | -| jamf_protect.telemetry.event_attributes.version | | keyword | -| jamf_protect.telemetry.event_score | | long | -| jamf_protect.telemetry.exec_args.args | | flattened | -| jamf_protect.telemetry.exec_args.args_compiled | | keyword | -| jamf_protect.telemetry.exec_chain_child.parent.path | | text | -| jamf_protect.telemetry.exec_chain_child.parent.uuid | | keyword | -| jamf_protect.telemetry.exec_chain_parent.uuid | | keyword | -| jamf_protect.telemetry.exec_env.env.arch | | keyword | -| jamf_protect.telemetry.exec_env.env.compiled | | keyword | -| jamf_protect.telemetry.exec_env.env.malwarebytes_group | | keyword | -| jamf_protect.telemetry.exec_env.env.path | | text | -| jamf_protect.telemetry.exec_env.env.shell | | keyword | -| jamf_protect.telemetry.exec_env.env.ssh_auth_sock | | keyword | -| jamf_protect.telemetry.exec_env.env.tmpdir | | keyword | -| jamf_protect.telemetry.exec_env.env.xpc.flags | | keyword | -| jamf_protect.telemetry.exec_env.env.xpc.service_name | | keyword | -| jamf_protect.telemetry.exec_env.env_compiled | | keyword | -| jamf_protect.telemetry.exit.return.value | | long | -| jamf_protect.telemetry.exit.status | | 
keyword | -| jamf_protect.telemetry.file_event_info.eventid_wrapped | | boolean | -| jamf_protect.telemetry.file_event_info.history_done | | boolean | -| jamf_protect.telemetry.file_event_info.item.change_owner | | boolean | -| jamf_protect.telemetry.file_event_info.item.cloned | | boolean | -| jamf_protect.telemetry.file_event_info.item.created | | boolean | -| jamf_protect.telemetry.file_event_info.item.extended_attribute_modified | | boolean | -| jamf_protect.telemetry.file_event_info.item.finder_info_modified | | boolean | -| jamf_protect.telemetry.file_event_info.item.inode_metadata_modified | | boolean | -| jamf_protect.telemetry.file_event_info.item.is_directory | | boolean | -| jamf_protect.telemetry.file_event_info.item.is_file | | boolean | -| jamf_protect.telemetry.file_event_info.item.is_hard_link | | boolean | -| jamf_protect.telemetry.file_event_info.item.is_last_hard_link | | boolean | -| jamf_protect.telemetry.file_event_info.item.is_sym_link | | boolean | -| jamf_protect.telemetry.file_event_info.item.removed | | boolean | -| jamf_protect.telemetry.file_event_info.item.renamed | | boolean | -| jamf_protect.telemetry.file_event_info.item.updated | | boolean | -| jamf_protect.telemetry.file_event_info.kernel_dropped | | boolean | -| jamf_protect.telemetry.file_event_info.mount | | boolean | -| jamf_protect.telemetry.file_event_info.must_scan_sub_dir | | boolean | -| jamf_protect.telemetry.file_event_info.none | | boolean | -| jamf_protect.telemetry.file_event_info.own_event | | boolean | -| jamf_protect.telemetry.file_event_info.root_changed | | boolean | -| jamf_protect.telemetry.file_event_info.unmount | | boolean | -| jamf_protect.telemetry.file_event_info.user_dropped | | boolean | -| jamf_protect.telemetry.hardware_event_info.device.class | | keyword | -| jamf_protect.telemetry.hardware_event_info.device.name | | keyword | -| jamf_protect.telemetry.hardware_event_info.device.status | | keyword | -| 
jamf_protect.telemetry.hardware_event_info.device_attributes.io.cf_plugin_types | | flattened | -| jamf_protect.telemetry.hardware_event_info.device_attributes.io.class_name_override | | keyword | -| jamf_protect.telemetry.hardware_event_info.device_attributes.io.power_management.capability_flags | | keyword | -| jamf_protect.telemetry.hardware_event_info.device_attributes.io.power_management.current_power_state | | long | -| jamf_protect.telemetry.hardware_event_info.device_attributes.io.power_management.device_power_state | | long | -| jamf_protect.telemetry.hardware_event_info.device_attributes.io.power_management.driver_power_state | | long | -| jamf_protect.telemetry.hardware_event_info.device_attributes.io.power_management.max_power_state | | long | -| jamf_protect.telemetry.hardware_event_info.device_attributes.iserial_number | | long | -| jamf_protect.telemetry.hardware_event_info.device_attributes.removable | | keyword | -| jamf_protect.telemetry.hardware_event_info.device_attributes.usb.product_name | | keyword | -| jamf_protect.telemetry.hardware_event_info.device_attributes.usb.vendor_name | | keyword | -| jamf_protect.telemetry.header.action | | keyword | -| jamf_protect.telemetry.header.event_modifier | | keyword | -| jamf_protect.telemetry.header.time_milliseconds_offset | | long | -| jamf_protect.telemetry.header.version | | keyword | -| jamf_protect.telemetry.host_info.host.uuid | | keyword | -| jamf_protect.telemetry.identity.cd_hash | | keyword | -| jamf_protect.telemetry.identity.signer.id | | keyword | -| jamf_protect.telemetry.identity.signer.id_truncated | | keyword | -| jamf_protect.telemetry.identity.signer.type | | keyword | -| jamf_protect.telemetry.identity.team.id | | keyword | -| jamf_protect.telemetry.identity.team.id_truncated | | keyword | -| jamf_protect.telemetry.path | | keyword | -| jamf_protect.telemetry.process.effective.group.id | | keyword | -| jamf_protect.telemetry.process.effective.group.name | | keyword | -| 
jamf_protect.telemetry.process.effective.user.id | | keyword | -| jamf_protect.telemetry.process.effective.user.name | | keyword | -| jamf_protect.telemetry.process.group.id | | keyword | -| jamf_protect.telemetry.process.group.name | | keyword | -| jamf_protect.telemetry.process.name | | keyword | -| jamf_protect.telemetry.process.pid | | long | -| jamf_protect.telemetry.process.session.id | | keyword | -| jamf_protect.telemetry.process.terminal_id.addr | | keyword | -| jamf_protect.telemetry.process.terminal_id.ip_address | | ip | -| jamf_protect.telemetry.process.terminal_id.port | | long | -| jamf_protect.telemetry.process.terminal_id.type | | keyword | -| jamf_protect.telemetry.process.user.id | | keyword | -| jamf_protect.telemetry.process.user.name | | keyword | -| jamf_protect.telemetry.return.description | | keyword | -| jamf_protect.telemetry.signal_event_info.signal | | long | -| jamf_protect.telemetry.socket.inet.addr | | keyword | -| jamf_protect.telemetry.socket.inet.family | | keyword | -| jamf_protect.telemetry.socket.inet.id | | keyword | -| jamf_protect.telemetry.socket.unix.family | | keyword | -| jamf_protect.telemetry.socket.unix.path | | text | -| jamf_protect.telemetry.subject.audit.id | | keyword | -| jamf_protect.telemetry.subject.audit.user.name | | keyword | -| jamf_protect.telemetry.subject.effective.group.id | | keyword | -| jamf_protect.telemetry.subject.effective.group.name | | keyword | -| jamf_protect.telemetry.subject.effective.user.id | | keyword | -| jamf_protect.telemetry.subject.effective.user.name | | keyword | -| jamf_protect.telemetry.subject.process.name | | keyword | -| jamf_protect.telemetry.subject.process.pid | | long | -| jamf_protect.telemetry.subject.responsible.process.id | | keyword | -| jamf_protect.telemetry.subject.responsible.process.name | | keyword | -| jamf_protect.telemetry.subject.session.id | | keyword | -| jamf_protect.telemetry.subject.terminal_id.addr | | keyword | -| 
jamf_protect.telemetry.subject.terminal_id.port | | long | -| jamf_protect.telemetry.subject.terminal_id.type | | keyword | -| jamf_protect.telemetry.texts | | keyword | +| jamf_protect.telemetry.account_type | Defines if it's a user or group | keyword | +| jamf_protect.telemetry.attribute_name | The name of the attribute that got set | keyword | +| jamf_protect.telemetry.attribute_value | The value of the attribute that got set | keyword | +| jamf_protect.telemetry.authentication_method | Method used to authenticate | keyword | +| jamf_protect.telemetry.authentication_result_type | Defines the source address type | keyword | +| jamf_protect.telemetry.authentication_type | Type of authentication used to authenticate the user | keyword | +| jamf_protect.telemetry.authorization_judgement_results | Results of the authorization judgement | object | +| jamf_protect.telemetry.authorization_petition_flags | Flags associated with the authorization petition | integer | +| jamf_protect.telemetry.authorization_petition_right_count | The count of rights in the authorization petition | integer | +| jamf_protect.telemetry.authorization_petition_rights | Rights associated with the authorization petition | keyword | +| jamf_protect.telemetry.bios_firmware_version | Version of the BIOS firmware | keyword | +| jamf_protect.telemetry.bios_system_firmware_version | Version of the system firmware in BIOS | keyword | +| jamf_protect.telemetry.btm_executable_path | Path to the executable in BTM | keyword | +| jamf_protect.telemetry.btm_item_app_url | URL of the app in BTM item | keyword | +| jamf_protect.telemetry.btm_item_is_legacy | Indicates if the BTM item is legacy | boolean | +| jamf_protect.telemetry.btm_item_is_managed | Indicates if the BTM item is managed | boolean | +| jamf_protect.telemetry.btm_item_type | Type of the BTM item | keyword | +| jamf_protect.telemetry.btm_item_url | URL of the BTM item | keyword | +| jamf_protect.telemetry.btm_item_user_uid | UID of the user 
associated with the BTM item | keyword | +| jamf_protect.telemetry.code_directory_hash | Code directory hash of a application bundle | keyword | +| jamf_protect.telemetry.env_count | Count of environment variables | integer | +| jamf_protect.telemetry.error_message | Contains the event specific error message | keyword | +| jamf_protect.telemetry.es_client | Set to true if the process is an Endpoint Security client | boolean | +| jamf_protect.telemetry.event_allowed_by_esclient | Value to indicate if the event was allowed or denied | boolean | +| jamf_protect.telemetry.existing_session | If an existing user session was attached to, this is true | boolean | +| jamf_protect.telemetry.failure_reason | The reason that contains why the outcome of the event failed | keyword | +| jamf_protect.telemetry.from_username | Username from which an action originated | keyword | +| jamf_protect.telemetry.graphical_authentication_username | The username used for authentication | keyword | +| jamf_protect.telemetry.graphical_session_id | ID of the graphical session | keyword | +| jamf_protect.telemetry.identifier | Identifier for an entity or action | keyword | +| jamf_protect.telemetry.log_entries | Log entries being collected in an event | object | +| jamf_protect.telemetry.platform_binary | This is set to true for all binaries that are shipped with macOS | boolean | +| jamf_protect.telemetry.profile_display_name | Display name of the profile | keyword | +| jamf_protect.telemetry.profile_identifier | Identifier of the profile | keyword | +| jamf_protect.telemetry.profile_install_source | Source from which the profile was installed | keyword | +| jamf_protect.telemetry.profile_is_updated | Indicates if the profile is updated | boolean | +| jamf_protect.telemetry.profile_organization | Organization associated with the profile | keyword | +| jamf_protect.telemetry.profile_scope | Scope of the profile | keyword | +| jamf_protect.telemetry.profile_uuid | UUID of the profile | keyword | 
+| jamf_protect.telemetry.record_name | Name of the record | keyword | +| jamf_protect.telemetry.session_username | Username of the loginwindow session | keyword | +| jamf_protect.telemetry.shell | Shell associated with the user or process | keyword | +| jamf_protect.telemetry.source_address_type | Defines the source address type | keyword | +| jamf_protect.telemetry.system_performance.bytes_received | Bytes received by the task | long | +| jamf_protect.telemetry.system_performance.bytes_received_per_s | Bytes received per second by the task | double | +| jamf_protect.telemetry.system_performance.bytes_sent | Bytes sent by the task | long | +| jamf_protect.telemetry.system_performance.bytes_sent_per_s | Bytes sent per second by the task | double | +| jamf_protect.telemetry.system_performance.cputime_ms_per_s | CPU time in milliseconds per second for the task | double | +| jamf_protect.telemetry.system_performance.cputime_ns | CPU time in nanoseconds for the task | long | +| jamf_protect.telemetry.system_performance.cputime_sample_ms_per_s | CPU sample time in milliseconds per second for the task | double | +| jamf_protect.telemetry.system_performance.cputime_userland_ratio | Userland CPU time ratio for the task | double | +| jamf_protect.telemetry.system_performance.diskio_bytesread | Bytes read by disk I/O for the task | long | +| jamf_protect.telemetry.system_performance.diskio_bytesread_per_s | Bytes read per second by disk I/O for the task | double | +| jamf_protect.telemetry.system_performance.diskio_byteswritten | Bytes written by disk I/O for the task | long | +| jamf_protect.telemetry.system_performance.diskio_byteswritten_per_s | Bytes written per second by disk I/O for the task | double | +| jamf_protect.telemetry.system_performance.energy_impact | Energy impact of the task | double | +| jamf_protect.telemetry.system_performance.energy_impact_per_s | Energy impact per second of the task | double | +| jamf_protect.telemetry.system_performance.idle_wakeups 
| Number of idle wakeups for the task | long | +| jamf_protect.telemetry.system_performance.interval_ns | Interval in nanoseconds | long | +| jamf_protect.telemetry.system_performance.intr_wakeups_per_s | Interrupt wakeups per second for the task | double | +| jamf_protect.telemetry.system_performance.name | Name of the task | keyword | +| jamf_protect.telemetry.system_performance.packets_received | Packets received by the task | long | +| jamf_protect.telemetry.system_performance.packets_received_per_s | Packets received per second by the task | double | +| jamf_protect.telemetry.system_performance.packets_sent | Packets sent by the task | long | +| jamf_protect.telemetry.system_performance.packets_sent_per_s | Packets sent per second by the task | double | +| jamf_protect.telemetry.system_performance.pageins | Page-ins by the task | long | +| jamf_protect.telemetry.system_performance.pageins_per_s | Page-ins per second by the task | double | +| jamf_protect.telemetry.system_performance.pid | Process ID of the task | long | +| jamf_protect.telemetry.system_performance.qos_background_ms_per_s | QoS background time in milliseconds per second for the task | double | +| jamf_protect.telemetry.system_performance.qos_background_ns | QoS background time in nanoseconds for the task | long | +| jamf_protect.telemetry.system_performance.qos_default_ms_per_s | QoS default time in milliseconds per second for the task | double | +| jamf_protect.telemetry.system_performance.qos_default_ns | QoS default time in nanoseconds for the task | long | +| jamf_protect.telemetry.system_performance.qos_disabled_ms_per_s | QoS disabled time in milliseconds per second for the task | double | +| jamf_protect.telemetry.system_performance.qos_disabled_ns | QoS disabled time in nanoseconds for the task | long | +| jamf_protect.telemetry.system_performance.qos_maintenance_ms_per_s | QoS maintenance time in milliseconds per second for the task | double | +| 
jamf_protect.telemetry.system_performance.qos_maintenance_ns | QoS maintenance time in nanoseconds for the task | long | +| jamf_protect.telemetry.system_performance.qos_user_initiated_ms_per_s | QoS user-initiated time in milliseconds per second for the task | double | +| jamf_protect.telemetry.system_performance.qos_user_initiated_ns | QoS user-initiated time in nanoseconds for the task | long | +| jamf_protect.telemetry.system_performance.qos_user_interactive_ms_per_s | QoS user-interactive time in milliseconds per second for the task | double | +| jamf_protect.telemetry.system_performance.qos_user_interactive_ns | QoS user-interactive time in nanoseconds for the task | long | +| jamf_protect.telemetry.system_performance.qos_utility_ms_per_s | QoS utility time in milliseconds per second for the task | double | +| jamf_protect.telemetry.system_performance.qos_utility_ns | QoS utility time in nanoseconds for the task | long | +| jamf_protect.telemetry.system_performance.started_abstime_ns | Absolute start time in nanoseconds for the task | long | +| jamf_protect.telemetry.system_performance.timer_wakeups.wakeups | Number of wakeups | long | +| jamf_protect.telemetry.to_username | Username to which an action is directed | keyword | +| jamf_protect.telemetry.tty | Software terminal device file that the process is associated with | keyword | +| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | +| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword | | log.offset | Log offset | long | -| log.source.address | Source address from which the log event was read / sent from. 
| keyword | +| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | +| network.direction | Direction of the network traffic. When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | +| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | +| observer.name | Custom name of the observer. This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. If no custom name is needed, the field can be left empty. | keyword | +| observer.product | The product name of the observer. | keyword | +| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword | +| observer.vendor | Vendor name of the observer. | keyword | +| observer.version | Observer version. 
| keyword | | process.args | Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information. | keyword | +| process.args_count | Length of the process.args array. This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. | long | | process.code_signature.signing_id | The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple \*OS only. | keyword | | process.code_signature.status | Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. | keyword | | process.code_signature.team_id | The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple \*OS only. | keyword | +| process.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard | +| process.command_line.text | Multi-field of `process.command_line`. | match_only_text | +| process.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword | +| process.env_vars | Array of environment variable bindings. 
Captured from a snapshot of the environment at the time of execution. May be filtered to protect sensitive information. | keyword | +| process.executable | Absolute path to the process executable. | keyword | +| process.executable.text | Multi-field of `process.executable`. | match_only_text | | process.exit_code | The exit code of the process, if this is a termination event. The field should be absent if there is no exit code for the event (e.g. process start). | long | +| process.group_leader.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword | +| process.group_leader.executable | Absolute path to the process executable. | keyword | +| process.group_leader.executable.text | Multi-field of `process.group_leader.executable`. | match_only_text | +| process.group_leader.group.id | Unique identifier for the group on the system/platform. | keyword | +| process.group_leader.name | Process name. Sometimes called program name or similar. | keyword | +| process.group_leader.name.text | Multi-field of `process.group_leader.name`. | match_only_text | +| process.group_leader.pid | Process id. | long | +| process.group_leader.real_group.id | Unique identifier for the group on the system/platform. | keyword | +| process.group_leader.real_user.id | Unique identifier of the user. | keyword | +| process.group_leader.start | The time the process started. | date | +| process.group_leader.user.id | Unique identifier of the user. | keyword | +| process.hash.md5 | MD5 hash. | keyword | | process.hash.sha1 | SHA1 hash. | keyword | +| process.hash.sha256 | SHA256 hash. 
| keyword | +| process.interactive | Whether the process is connected to an interactive shell. Process interactivity is inferred from the processes file descriptors. If the character device for the controlling tty is the same as stdin and stderr for the process, the process is considered interactive. Note: A non-interactive process can belong to an interactive session and is simply one that does not have open file descriptors reading the controlling TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A backgrounded process is still considered interactive if stdin and stderr are connected to the controlling TTY. | boolean | | process.name | Process name. Sometimes called program name or similar. | keyword | | process.name.text | Multi-field of `process.name`. | match_only_text | +| process.parent.code_signature.signing_id | The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple \*OS only. | keyword | +| process.parent.code_signature.status | Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. | keyword | +| process.parent.code_signature.team_id | The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple \*OS only. | keyword | +| process.parent.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. 
| keyword | +| process.parent.executable | Absolute path to the process executable. | keyword | +| process.parent.executable.text | Multi-field of `process.parent.executable`. | match_only_text | +| process.parent.name | Process name. Sometimes called program name or similar. | keyword | +| process.parent.name.text | Multi-field of `process.parent.name`. | match_only_text | | process.parent.pid | Process id. | long | +| process.parent.real_group.id | Unique identifier for the group on the system/platform. | keyword | +| process.parent.real_user.id | Unique identifier of the user. | keyword | +| process.parent.start | The time the process started. | date | +| process.parent.user.id | Unique identifier of the user. | keyword | | process.pid | Process id. | long | | process.real_group.id | Unique identifier for the group on the system/platform. | keyword | -| process.real_group.name | Name of the group. | keyword | | process.real_user.id | Unique identifier of the user. | keyword | -| process.real_user.name | Short name or login of the user. | keyword | -| process.real_user.name.text | Multi-field of `process.real_user.name`. | match_only_text | +| process.start | The time the process started. | date | +| process.thread.id | Thread ID. | long | | process.user.id | Unique identifier of the user. | keyword | -| process.user.name | Short name or login of the user. | keyword | -| process.user.name.text | Multi-field of `process.user.name`. | match_only_text | +| process.working_directory | The working directory of the process. | keyword | +| process.working_directory.text | Multi-field of `process.working_directory`. | match_only_text | | related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | | related.hosts | All hostnames or other host identifiers seen on your event. 
Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | | related.ip | All of the IPs seen on your event. | ip | | related.user | All the user names or other user identifiers seen on the event. | keyword | -| server.ip | IP address of the server (IPv4 or IPv6). | ip | -| server.port | Port of the server. | long | +| rule.description | The description of the rule generating the event. | keyword | +| rule.name | The name of the rule or signature generating the event. | keyword | +| rule.version | The version / revision of the rule being used for analysis. | keyword | +| source.ip | IP address of the source (IPv4 or IPv6). | ip | +| source.port | Port of the source. | long | | tags | List of keywords used to tag each event. | keyword | +| threat.enrichments | A list of associated indicators objects enriching the event, and the context of that association/enrichment. | nested | +| threat.framework | Name of the threat framework used to further categorize and classify the tactic and technique of the reported threat. Framework classification can be provided by detecting systems, evaluated at ingest time, or retrospectively tagged to events. | keyword | +| threat.indicator.file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword | +| threat.indicator.file.path.text | Multi-field of `threat.indicator.file.path`. | match_only_text | +| threat.indicator.type | Type of indicator as represented by Cyber Observable in STIX 2.0. | keyword | +| threat.software.platforms | The platforms of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use MITRE ATT&CK® software platform values. | keyword | +| threat.tactic.id | The id of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. 
https://attack.mitre.org/tactics/TA0002/ ) | keyword | +| threat.tactic.name | Name of the type of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/) | keyword | +| threat.tactic.reference | The reference url of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ ) | keyword | +| threat.technique.id | The id of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) | keyword | +| threat.technique.name | The name of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) | keyword | +| threat.technique.name.text | Multi-field of `threat.technique.name`. | match_only_text | +| threat.technique.reference | The reference url of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) | keyword | +| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | | user.effective.id | Unique identifier of the user. | keyword | -| user.effective.name | Short name or login of the user. | keyword | -| user.effective.name.text | Multi-field of `user.effective.name`. | match_only_text | | user.email | User email address. | keyword | -| user.group.id | Unique identifier for the group on the system/platform. | keyword | -| user.group.name | Name of the group. | keyword | | user.id | Unique identifier of the user. | keyword | | user.name | Short name or login of the user. | keyword | | user.name.text | Multi-field of `user.name`. 
| match_only_text | +| volume.bus_type | | keyword | +| volume.device_name | | keyword | +| volume.file_system_type | | keyword | +| volume.mount_name | | keyword | +| volume.nt_name | | keyword | +| volume.product_id | | keyword | +| volume.product_name | | keyword | +| volume.removable | | boolean | +| volume.serial_number | | keyword | +| volume.size | | long | +| volume.vendor_id | | keyword | +| volume.vendor_name | | keyword | +| volume.writable | | boolean | #### threats event stream @@ -923,13 +886,13 @@ An example event for `web_threat_events` looks as following: ```json { - "@timestamp": "2024-05-17T00:11:29.057Z", + "@timestamp": "2024-06-12T21:21:39.714Z", "agent": { - "ephemeral_id": "0eddc4c4-e383-459e-925e-3ba00e7abfbf", - "id": "c3650180-e3d1-4dad-9094-89c988e721d7", + "ephemeral_id": "c0c550fc-7c58-4392-9ea9-b49f7a181825", + "id": "8e815812-b6dc-4364-9622-da2462209a37", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.13.0" + "version": "8.13.2" }, "data_stream": { "dataset": "jamf_protect.web_threat_events", @@ -945,9 +908,9 @@ An example event for `web_threat_events` looks as following: "version": "8.11.0" }, "elastic_agent": { - "id": "c3650180-e3d1-4dad-9094-89c988e721d7", + "id": "8e815812-b6dc-4364-9622-da2462209a37", "snapshot": false, - "version": "8.13.0" + "version": "8.13.2" }, "event": { "action": "Detected", @@ -957,7 +920,7 @@ An example event for `web_threat_events` looks as following: ], "dataset": "jamf_protect.web_threat_events", "id": "013b15c9-8f62-4bf1-948a-d82367af2a10", - "ingested": "2024-05-17T00:11:39Z", + "ingested": "2024-06-12T21:21:49Z", "kind": "alert", "provider": "Jamf Protect", "reason": "Sideloaded App", @@ -987,6 +950,7 @@ An example event for `web_threat_events` looks as following: }, "observer": { "product": "Jamf Protect", + "type": "Endpoint Security", "vendor": "Jamf" }, "organization": { 
@@ -1189,13 +1153,13 @@ An example event for `web_traffic_events` looks as following: ```json { - "@timestamp": "2024-05-17T00:12:27.062Z", + "@timestamp": "2024-06-12T21:23:32.864Z", "agent": { - "ephemeral_id": "ffca4568-15a9-4780-bc89-e026120c233e", - "id": "c3650180-e3d1-4dad-9094-89c988e721d7", + "ephemeral_id": "82b058ea-7609-4a92-9ec4-8a9d84c83c69", + "id": "8e815812-b6dc-4364-9622-da2462209a37", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.13.0" + "version": "8.13.2" }, "data_stream": { "dataset": "jamf_protect.web_traffic_events", @@ -1218,9 +1182,9 @@ An example event for `web_traffic_events` looks as following: "version": "8.11.0" }, "elastic_agent": { - "id": "c3650180-e3d1-4dad-9094-89c988e721d7", + "id": "8e815812-b6dc-4364-9622-da2462209a37", "snapshot": false, - "version": "8.13.0" + "version": "8.13.2" }, "event": { "action": "DNS Lookup", @@ -1230,7 +1194,7 @@ An example event for `web_traffic_events` looks as following: "network" ], "dataset": "jamf_protect.web_traffic_events", - "ingested": "2024-05-17T00:12:37Z", + "ingested": "2024-06-12T21:23:42Z", "kind": "event", "outcome": [ "success" @@ -1255,6 +1219,7 @@ An example event for `web_traffic_events` looks as following: }, "observer": { "product": "Jamf Protect", + "type": "Endpoint Security", "vendor": "Jamf" }, "organization": { @@ -1403,3 +1368,4 @@ An example event for `web_traffic_events` looks as following: | user.id | Unique identifier of the user. | keyword | | user.name | Short name or login of the user. | keyword | | user.name.text | Multi-field of `user.name`. | match_only_text | + diff --git a/packages/jamf_protect/manifest.yml b/packages/jamf_protect/manifest.yml index 84f2bcec4a0..57199646a62 100644 --- a/packages/jamf_protect/manifest.yml +++ b/packages/jamf_protect/manifest.yml 
@@ -1,7 +1,7 @@ format_version: 3.0.3 name: jamf_protect title: Jamf Protect -version: "1.0.0" +version: "2.0.0" description: Receives events from Jamf Protect with Elastic Agent. type: integration categories: From 119664bbf8fb93d8279374f34d1faf7e960777e2 Mon Sep 17 00:00:00 2001 From: Rob Bavey Date: Thu, 20 Jun 2024 10:32:11 -0400 Subject: [PATCH 031/105] [Logstash] Add pipeline info to pipeline screen (#10164) * Add pipeline info to pipelines dashboard This commit adds additional information from the `pipelines` endpoint to the `pipeline` data_stream --- packages/logstash/changelog.yml | 5 + .../pipeline/agent/stream/cel.yml.hbs | 12 +- .../data_stream/pipeline/fields/fields.yml | 17 ++ packages/logstash/docs/README.md | 4 + ...-a42d7060-45e6-11ee-957b-3720c0b0fbc5.json | 2 +- ...-bc1a8050-5ee1-11ee-8e78-bf6865bc3ffc.json | 4 +- ...-c0594170-526a-11ee-9ecc-31444cb79548.json | 264 +++++++++++++++++- packages/logstash/manifest.yml | 2 +- 8 files changed, 295 insertions(+), 15 deletions(-) diff --git a/packages/logstash/changelog.yml b/packages/logstash/changelog.yml index 2f5b9b4fd84..1dc8e96f39a 100644 --- a/packages/logstash/changelog.yml +++ b/packages/logstash/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "2.4.10" + changes: + - description: Add Pipeline information to Pipelines View page + type: enhancement + link: https://github.com/elastic/integrations/pull/10164 - version: "2.4.9" changes: - description: Add pipeline level worker utilization graphs, and remove incorrect flow metrics information diff --git a/packages/logstash/data_stream/pipeline/agent/stream/cel.yml.hbs b/packages/logstash/data_stream/pipeline/agent/stream/cel.yml.hbs index ba459e1e66c..e70d5c48c8d 100644 --- a/packages/logstash/data_stream/pipeline/agent/stream/cel.yml.hbs +++ b/packages/logstash/data_stream/pipeline/agent/stream/cel.yml.hbs 
@@ -1,6 +1,6 @@ config_version: "2" interval: {{period}} -resource.url: "{{url}}/_node/stats?graph=true&vertices=true" +resource.url: "{{url}}/_node" {{#if resource_ssl}} resource.ssl: {{resource_ssl}} @@ -21,9 +21,17 @@ redact: program: | - get(state.url).as(resp, bytes(resp.Body).decode_json().as(body, + get(state.url + "/stats?graph=true&vertices=true").as(resp, bytes(resp.Body).decode_json().as(body, body.pipelines.map(pipeline_name, pipeline_name != ".monitoring-logstash", { "name": pipeline_name, + "info": get(state.url + "/pipelines/" + pipeline_name).as(resp, + bytes(resp.Body).decode_json().as(pipes, + has(pipes.pipelines) ? + pipes.pipelines[pipeline_name] + : + [] + ) + ), "elasticsearch.cluster.id": has(body.pipelines[pipeline_name].vertices) ? body.pipelines[pipeline_name].vertices.map(vertex, has(vertex.cluster_uuid), vertex.cluster_uuid) : diff --git a/packages/logstash/data_stream/pipeline/fields/fields.yml b/packages/logstash/data_stream/pipeline/fields/fields.yml index b4dccd2453e..6cafdb86517 100644 --- a/packages/logstash/data_stream/pipeline/fields/fields.yml +++ b/packages/logstash/data_stream/pipeline/fields/fields.yml @@ -8,6 +8,23 @@ - name: elasticsearch.cluster.id type: keyword description: Elasticsearch clusters this Logstash pipeline is attached to + - name: info + description: Information about a Logstash Pipeline + type: group + fields: + - name: batch_size + type: long + description: Batch size for the running pipeline + - name: batch_delay + type: long + description: Batch delay for the running pipeline + - name: workers + type: long + description: Number of workers for the running pipeline + - name: ephemeral_id + type: keyword + dimension: true + description: Ephemeral Id for the running pipeline - name: host description: Information about the host running the pipeline type: group diff --git a/packages/logstash/docs/README.md b/packages/logstash/docs/README.md index 31ee47039dd..9bc66a4c434 100644 
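Review bot: The new per-pipeline `get(state.url + "/pipelines/" + pipeline_name)` under the `"info"` key neither checks the response status nor guards the index: a non-2xx body fails `decode_json()`, and `pipes.pipelines[pipeline_name]` raises when the key is absent (a pipeline reloaded or stopped between the stats call and this one), which aborts the whole program instead of just this pipeline's `info`. The fallback is `[]` while the success value is an object, so `info` alternates shape between documents; `{}` keeps it stable and matches the `type: group` mapping declared for it. Reusing `resp` for the inner response shadows the outer one, so a distinct name keeps the two responses apart when reading the expression. Pipeline names are interpolated into the URL path unescaped; they are operator-supplied, but a name containing `/`, `?` or `#` would still produce a different request, so either document that constraint next to the template or escape the segment. This also issues one extra request per pipeline per interval, which deserves a one-line comment above `program:` so the cost is visible to whoever tunes `interval`.
```yaml
      "info": get(state.url + "/pipelines/" + pipeline_name).as(info_resp,
        info_resp.StatusCode == 200 ?
          bytes(info_resp.Body).decode_json().as(pipes,
            has(pipes.pipelines) && pipeline_name in pipes.pipelines ?
              pipes.pipelines[pipeline_name]
            :
              {}
          )
        :
          {}
      ),
      // … unchanged: "elasticsearch.cluster.id" and the rest of the per-pipeline map …
```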
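Review bot: `batch_delay` in the new `info` group is typed `long` but its description omits the unit; Logstash's pipeline batch delay is configured in milliseconds, so `description: Batch delay in milliseconds for the running pipeline` (mirrored in the README row) saves the dashboard reader a lookup. `ephemeral_id` is added with `dimension: true`; if this data stream runs in time-series mode, every pipeline reload then starts a new series, which may be intended but is worth a short comment on the field so it is not later "fixed" away. The CEL program copies the whole `pipelines[pipeline_name]` object into `info`, yet only four keys are declared here, so confirm whether dynamic mapping is disabled for this stream or project the object down to the declared keys.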
--- a/packages/logstash/docs/README.md
+++ b/packages/logstash/docs/README.md
@@ -881,6 +881,10 @@ This is the `pipeline` dataset, which drives the Pipeline dashboard pages.
 | logstash.pipeline.elasticsearch.cluster.id | Elasticsearch clusters this Logstash pipeline is attached to | keyword | | |
 | logstash.pipeline.host.address | address hosting this instance of logstash | keyword | | |
 | logstash.pipeline.host.name | Host name of the node running logstash | keyword | | |
+| logstash.pipeline.info.batch_delay | Batch delay for the running pipeline | long | | |
+| logstash.pipeline.info.batch_size | Batch size for the running pipeline | long | | |
+| logstash.pipeline.info.ephemeral_id | Ephemeral Id for the running pipeline | keyword | | |
+| logstash.pipeline.info.workers | Number of workers for the running pipeline | long | | |
 | logstash.pipeline.name | Logstash Pipeline id/name | keyword | | |
 | logstash.pipeline.total.events.filtered | Number of events filtered by the pipeline | long | | counter |
 | logstash.pipeline.total.events.in | Number of events received by the pipeline | long | | counter |
diff --git a/packages/logstash/kibana/dashboard/logstash-a42d7060-45e6-11ee-957b-3720c0b0fbc5.json b/packages/logstash/kibana/dashboard/logstash-a42d7060-45e6-11ee-957b-3720c0b0fbc5.json
index b4eb3eb02ca..1ff8e48c105 100644
--- a/packages/logstash/kibana/dashboard/logstash-a42d7060-45e6-11ee-957b-3720c0b0fbc5.json
+++ b/packages/logstash/kibana/dashboard/logstash-a42d7060-45e6-11ee-957b-3720c0b0fbc5.json
@@ -1761,7 +1761,7 @@
 "coreMigrationVersion": "8.8.0",
 "created_at": "2024-06-05T19:53:56.470Z",
 "id": "logstash-a42d7060-45e6-11ee-957b-3720c0b0fbc5",
- "managed": false,
+ "managed": true,
 "references": [
 {
 "id": "logstash-sm-metrics",
diff --git a/packages/logstash/kibana/dashboard/logstash-bc1a8050-5ee1-11ee-8e78-bf6865bc3ffc.json b/packages/logstash/kibana/dashboard/logstash-bc1a8050-5ee1-11ee-8e78-bf6865bc3ffc.json
index 23313cd48ab..80dc8ed6bcf 100644
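Review bot: `"managed"` flips from `false` to `true` for dashboard logstash-a42d7060 in this hunk, while the logstash-c0594170 dashboard touched later in the same commit keeps `"managed": false` and the PR description only mentions the pipelines view. If the flag change is intentional it should be applied consistently across the package's dashboards and mentioned in the changelog entry; if it is an artifact of the Kibana export, revert it so the commit stays scoped to the pipeline info panel.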
--- a/packages/logstash/kibana/dashboard/logstash-bc1a8050-5ee1-11ee-8e78-bf6865bc3ffc.json +++ b/packages/logstash/kibana/dashboard/logstash-bc1a8050-5ee1-11ee-8e78-bf6865bc3ffc.json @@ -50,7 +50,7 @@ } }, "gridData": { - "h": 183, + "h": 195, "i": "1b7d4c91-b582-4639-a771-7853e72a94b6", "w": 8, "x": 0, @@ -6997,7 +6997,7 @@ "version": 1 }, "coreMigrationVersion": "8.8.0", - "created_at": "2024-06-12T18:52:56.240Z", + "created_at": "2024-06-13T20:58:43.098Z", "id": "logstash-bc1a8050-5ee1-11ee-8e78-bf6865bc3ffc", "managed": true, "references": [ diff --git a/packages/logstash/kibana/dashboard/logstash-c0594170-526a-11ee-9ecc-31444cb79548.json b/packages/logstash/kibana/dashboard/logstash-c0594170-526a-11ee-9ecc-31444cb79548.json index 719592f40c4..56695e2e393 100644 --- a/packages/logstash/kibana/dashboard/logstash-c0594170-526a-11ee-9ecc-31444cb79548.json +++ b/packages/logstash/kibana/dashboard/logstash-c0594170-526a-11ee-9ecc-31444cb79548.json @@ -50,7 +50,7 @@ } }, "gridData": { - "h": 46, + "h": 53, "i": "3edb2e9f-2807-4e65-9adc-259c15debce9", "w": 8, "x": 0, 
@@ -447,6 +447,242 @@ "title": "[Metrics Logstash] Total Events Emitted viz", "type": "lens" }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logstash-sm-metrics", + "name": "indexpattern-datasource-layer-af02f11d-c2e6-46a1-87fc-76139bbe0998", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logstash-sm-metrics", + "layers": { + "af02f11d-c2e6-46a1-87fc-76139bbe0998": { + "columnOrder": [ + "2b095037-5d7d-4cb4-a265-afb041616816", + "aebb5ff5-0a64-4ab9-9eb1-d62a05caa84b", + "e473562a-74f9-4f25-b1b3-c3af641bc4a9", + "c7ebb950-07b9-434c-b257-6d9e8fbc7feb", + "86a537af-27a7-487e-bc70-bba77171e65c", + "ad2e68ef-89fe-401f-b470-341b6f720797" + ], + "columns": { + "2b095037-5d7d-4cb4-a265-afb041616816": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Pipeline name", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "aebb5ff5-0a64-4ab9-9eb1-d62a05caa84b", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 1000 + }, + "scale": "ordinal", + "sourceField": "logstash.pipeline.name" + }, + "86a537af-27a7-487e-bc70-bba77171e65c": { + "customLabel": true, + "dataType": "string", + "filter": { + "language": "kuery", + "query": "\"logstash.pipeline.total.queues.type\": *" + }, + "isBucketed": false, + "label": "Queue Type", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ordinal", + "sourceField": "logstash.pipeline.total.queues.type" + }, + "ad2e68ef-89fe-401f-b470-341b6f720797": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "\"logstash.pipeline.total.queues.type\": \"persisted\" " + }, + "isBucketed": 
false, + "label": "Queue Size", + "operationType": "last_value", + "params": { + "format": { + "id": "bytes", + "params": { + "decimals": 2 + } + }, + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "logstash.pipeline.total.queues.current_size.bytes" + }, + "aebb5ff5-0a64-4ab9-9eb1-d62a05caa84b": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "\"logstash.pipeline.info.workers\": *" + }, + "isBucketed": false, + "label": "Workers", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "logstash.pipeline.info.workers" + }, + "c7ebb950-07b9-434c-b257-6d9e8fbc7feb": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "\"logstash.pipeline.info.batch_delay\": *" + }, + "isBucketed": false, + "label": "Batch Delay", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "logstash.pipeline.info.batch_delay" + }, + "e473562a-74f9-4f25-b1b3-c3af641bc4a9": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "\"logstash.pipeline.info.batch_size\": *" + }, + "isBucketed": false, + "label": "Batch Size", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "logstash.pipeline.info.batch_size" + } + }, + "incompleteColumns": {}, + "indexPatternId": "logstash-sm-metrics", + "sampling": 1 + } + } + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "alignment": "center", + "columnId": "2b095037-5d7d-4cb4-a265-afb041616816", + "isTransposed": false + }, + { + "alignment": "center", + "columnId": "aebb5ff5-0a64-4ab9-9eb1-d62a05caa84b", + "isMetric": true, + "isTransposed": false + }, + { + "alignment": 
"center", + "columnId": "e473562a-74f9-4f25-b1b3-c3af641bc4a9", + "isMetric": true, + "isTransposed": false + }, + { + "alignment": "center", + "columnId": "c7ebb950-07b9-434c-b257-6d9e8fbc7feb", + "isMetric": true, + "isTransposed": false + }, + { + "alignment": "center", + "columnId": "86a537af-27a7-487e-bc70-bba77171e65c", + "isMetric": true, + "isTransposed": false + }, + { + "alignment": "center", + "columnId": "ad2e68ef-89fe-401f-b470-341b6f720797", + "isMetric": true, + "isTransposed": false + } + ], + "layerId": "af02f11d-c2e6-46a1-87fc-76139bbe0998", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": { + "dynamicActions": { + "events": [ + { + "action": { + "config": { + "openInNewTab": true, + "useCurrentDateRange": true, + "useCurrentFilters": true + }, + "factoryId": "DASHBOARD_TO_DASHBOARD_DRILLDOWN", + "name": "Go to Dashboard" + }, + "eventId": "ace863df-5d1f-415c-a5d0-cecc3e9beedd", + "triggers": [ + "FILTER_TRIGGER" + ] + } + ] + } + }, + "hidePanelTitles": false + }, + "gridData": { + "h": 7, + "i": "1e868693-305b-40f1-bbbc-28d249bba95a", + "w": 40, + "x": 8, + "y": 5 + }, + "panelIndex": "1e868693-305b-40f1-bbbc-28d249bba95a", + "title": "Pipelines Info", + "type": "lens" + }, { "embeddableConfig": { "attributes": { @@ -1018,7 +1254,7 @@ "i": "7f8d9886-3037-425d-bcb4-ae92a2b0d16e", "w": 40, "x": 8, - "y": 5 + "y": 12 }, "panelIndex": "7f8d9886-3037-425d-bcb4-ae92a2b0d16e", "title": "Pipelines", @@ -1265,7 +1501,7 @@ "i": "6609ea37-a262-4072-ac19-90aabff49e12", "w": 40, "x": 8, - "y": 12 + "y": 19 }, "panelIndex": "6609ea37-a262-4072-ac19-90aabff49e12", "title": "Average Time processed per event (ms)", @@ -1437,7 +1673,7 @@ "i": "ea9af11b-6332-4b3c-bbe4-c6d8e9833985", "w": 40, "x": 8, - "y": 21 + "y": 28 }, "panelIndex": "ea9af11b-6332-4b3c-bbe4-c6d8e9833985", "title": "Worker Utilization (%)", 
@@ -1586,7 +1822,7 @@ "i": "1a42a8c2-9823-4178-90ae-f3a403b63711", "w": 20, "x": 8, - "y": 30 + "y": 37 }, "panelIndex": "1a42a8c2-9823-4178-90ae-f3a403b63711", "title": "Events received per second", @@ -1836,7 +2072,7 @@ "i": "d290b2f1-1769-41f4-9d29-41755eef8871", "w": 20, "x": 28, - "y": 30 + "y": 37 }, "panelIndex": "d290b2f1-1769-41f4-9d29-41755eef8871", "title": "Persistent Queue utilization (%)", @@ -2003,7 +2239,7 @@ "i": "09177cfd-5361-4e91-b7c3-64eeb7837ce8", "w": 20, "x": 8, - "y": 38 + "y": 45 }, "panelIndex": "09177cfd-5361-4e91-b7c3-64eeb7837ce8", "title": "Events emitted per second", @@ -2151,7 +2387,7 @@ "i": "4017b8f5-f8f2-46b9-86fe-501f46d551c3", "w": 20, "x": 28, - "y": 38 + "y": 45 }, "panelIndex": "4017b8f5-f8f2-46b9-86fe-501f46d551c3", "title": "Persistent Queue size (events)", @@ -2163,7 +2399,7 @@ "version": 1 }, "coreMigrationVersion": "8.8.0", - "created_at": "2024-06-05T20:51:12.261Z", + "created_at": "2024-06-13T18:58:36.595Z", "id": "logstash-c0594170-526a-11ee-9ecc-31444cb79548", "managed": false, "references": [ @@ -2187,6 +2423,16 @@ "name": "8199ac33-4d5b-46e0-b3cd-3683204cc65c:indexpattern-datasource-layer-69a27ae4-5987-429d-89e1-84e7fb1b8af8", "type": "index-pattern" }, + { + "id": "logstash-sm-metrics", + "name": "1e868693-305b-40f1-bbbc-28d249bba95a:indexpattern-datasource-layer-af02f11d-c2e6-46a1-87fc-76139bbe0998", + "type": "index-pattern" + }, + { + "id": "logstash-bc1a8050-5ee1-11ee-8e78-bf6865bc3ffc", + "name": "1e868693-305b-40f1-bbbc-28d249bba95a:drilldown:DASHBOARD_TO_DASHBOARD_DRILLDOWN:ace863df-5d1f-415c-a5d0-cecc3e9beedd:dashboardId", + "type": "dashboard" + }, { "id": "logstash-sm-metrics", "name": "7f8d9886-3037-425d-bcb4-ae92a2b0d16e:indexpattern-datasource-layer-af02f11d-c2e6-46a1-87fc-76139bbe0998", diff --git a/packages/logstash/manifest.yml b/packages/logstash/manifest.yml index 367f2b5af12..511ef2766c6 100644 --- a/packages/logstash/manifest.yml +++ b/packages/logstash/manifest.yml 
@@ -1,6 +1,6 @@
 name: logstash
 title: Logstash
-version: 2.4.9
+version: 2.4.10
 description: Collect logs and metrics from Logstash with Elastic Agent.
 type: integration
 icons:
From 746fb3a8766dc7c6327e3f966e0893e400b23eb4 Mon Sep 17 00:00:00 2001
From: Alphabeet <52979715+Alphayeeeet@users.noreply.github.com>
Date: Thu, 20 Jun 2024 19:22:02 +0200
Subject: [PATCH 032/105] [Apache.Access] Added response_time in microseconds as a field to apache access data_stream (#9913)

* Added response_time to apache access logs and re-generated test specs
* Added pull request url to changelog
* Changed _dev/build_docs README and rebuild
* Incremented manifest version
* Integrated new field in existing grok pattern to reduce pattern count
---
 packages/apache/_dev/build/docs/README.md | 5 +
 packages/apache/changelog.yml | 5 +
 .../_dev/test/pipeline/test-access-basic.log | 2 +
 .../test-access-basic.log-expected.json | 169 +++++++++++++-
 .../test-access-darwin.log-expected.json | 12 +-
 .../test-access-ssl-request.log-expected.json | 4 +-
 .../test-access-ubuntu.log-expected.json | 18 +-
 .../test-access-vhost.log-expected.json | 2 +-
 .../elasticsearch/ingest_pipeline/default.yml | 11 +-
 .../data_stream/access/fields/fields.yml | 4 +
 .../test-error-basic.log-expected.json | 8 +-
 .../test-error-darwin.log-expected.json | 4 +-
 .../test-error-trace.log-expected.json | 2 +-
 .../test-error-ubuntu.log-expected.json | 14 +-
 packages/apache/docs/README.md | 206 +++++++++---------
 packages/apache/manifest.yml | 2 +-
 16 files changed, 323 insertions(+), 145 deletions(-)
diff --git a/packages/apache/_dev/build/docs/README.md b/packages/apache/_dev/build/docs/README.md
index 7ab6354742d..e9b75558b2d 100644
--- a/packages/apache/_dev/build/docs/README.md
+++ b/packages/apache/_dev/build/docs/README.md
@@ -33,6 +33,11 @@ Supported format for the access logs are: >```%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" X-Forwarded-For=\"%{X-Forwarded-For}i\"``` - Example: >```127.0.0.1 user-identifier frank [10/Oct/2000:13:55:36 -0700] "GET /apache_pb.gif HTTP/1.0" 200 2326 "http://datawarehouse.us.oracle.com/datamining/contents.htm" "Mozilla/4.7 [en] (WinNT; I)" X-Forwarded-For="10.225.192.17, 10.2.2.121"``` +- Combined Log Format + X-Forwarded-For header + Response time + - Defined in apache `LogFormat` by: + >```%h %l %u %t \"%r\" %>s %b %D \"%{Referer}i\" \"%{User-Agent}i\" X-Forwarded-For=\"%{X-Forwarded-For}i\"``` + - Example: + >```127.0.0.1 user-identifier frank [10/Oct/2000:13:55:36 -0700] "GET /apache_pb.gif HTTP/1.0" 200 2326 3413 "http://datawarehouse.us.oracle.com/datamining/contents.htm" "Mozilla/4.7 [en] (WinNT; I)" X-Forwarded-For="10.225.192.17, 10.2.2.121"``` ### Error Logs diff --git a/packages/apache/changelog.yml b/packages/apache/changelog.yml index 54c8452c642..4cfeeebec6a 100644 --- a/packages/apache/changelog.yml +++ b/packages/apache/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.20.0" + changes: + - description: Add optional response-time field in access logs. + type: enhancement + link: https://github.com/elastic/integrations/pull/9913 - version: "1.19.0" changes: - description: Add global filter on data_stream.dataset to improve performance. diff --git a/packages/apache/data_stream/access/_dev/test/pipeline/test-access-basic.log b/packages/apache/data_stream/access/_dev/test/pipeline/test-access-basic.log index 04d6db9c240..c85b742c2fa 100644 --- a/packages/apache/data_stream/access/_dev/test/pipeline/test-access-basic.log +++ b/packages/apache/data_stream/access/_dev/test/pipeline/test-access-basic.log 
@@ -8,4 +8,6 @@ monitoring-server - - [29/May/2017:19:02:48 +0000] "GET /A%20Beka%20G1%20Howe/02
 89.160.20.112 - - [29/May/2017:19:02:48 +0000] "GET /A%20Beka%20G1%20Howe/029_AND_30/15%20reading%20elephants.mp4 HTTP/1.1" 200 612 "-" "Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20120716 Firefox/15.0a2" X-Forwarded-For="10.0.0.2,10.0.0.1"
 2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6 - - [29/May/2017:19:02:48 +0000] "GET /A%20Beka%20G1%20Howe/029_AND_30/15%20reading%20elephants.mp4 HTTP/1.1" 200 612 "-" "Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20120716 Firefox/15.0a2" X-Forwarded-For="10.225.192.17, 10.2.2.121"
 monitoring-server - - [17/May/2022:21:41:43 +0000] "GET / HTTP/1.1" 200 45 "-" "curl/7.79.1" X-Forwarded-For="192.168.0.2"
+2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6 - - [29/May/2017:19:02:48 +0000] "GET /A%20Beka%20G1%20Howe/029_AND_30/15%20reading%20elephants.mp4 HTTP/1.1" 200 612 3413 "-" "Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20120716 Firefox/15.0a2" X-Forwarded-For="10.225.192.17, 10.2.2.121"
+monitoring-server - - [17/May/2022:21:41:43 +0000] "GET / HTTP/1.1" 200 45 "-" "curl/7.79.1" X-Forwarded-For="192.168.0.2"
 127.0.0.1 user-identity frank [10/Oct/2000:13:55:36 -0700] "GET /apache_pb.gif HTTP/1.0" 200 2326
\ No newline at end of file
diff --git a/packages/apache/data_stream/access/_dev/test/pipeline/test-access-basic.log-expected.json b/packages/apache/data_stream/access/_dev/test/pipeline/test-access-basic.log-expected.json
index 3aaa3a337a0..4c0142833d3 100644
--- a/packages/apache/data_stream/access/_dev/test/pipeline/test-access-basic.log-expected.json
+++ b/packages/apache/data_stream/access/_dev/test/pipeline/test-access-basic.log-expected.json
@@ -17,7 +17,7 @@
 "web"
 ],
 "created": "2020-04-28T11:07:58.223Z",
- "ingested": "2024-05-08T10:22:19.872114404Z",
+ "ingested": "2024-05-17T10:26:40.255125597Z",
 "kind": "event",
 "original": "::1 - - [26/Dec/2016:16:16:29 +0200] \"GET /favicon.ico HTTP/1.1\" 404 209",
 "outcome": "failure"
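Review bot: The second added fixture line, `monitoring-server - - [17/May/2022:21:41:43 +0000] "GET / HTTP/1.1" 200 45 "-" "curl/7.79.1" X-Forwarded-For="192.168.0.2"`, is a verbatim copy of the context line directly above it, so it only produces a duplicate expected record (the expected-output hunk at -584 now carries that event twice) and exercises nothing the suite did not already cover. If the goal was to show the pattern still matching when the new optional group is absent, the existing samples already do that. A more useful sample would carry the `%D` value without the X-Forwarded-For suffix, or a `-` status line with a duration, so the new group is tested independently of the trailing optional groups.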
@@ -67,7 +67,7 @@ "web" ], "created": "2020-04-28T11:07:58.223Z", - "ingested": "2024-05-08T10:22:19.872146631Z", + "ingested": "2024-05-17T10:26:40.255139957Z", "kind": "event", "original": "192.168.33.1 - - [26/Dec/2016:16:22:13 +0000] \"GET /hello HTTP/1.1\" 404 499 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:50.0) Gecko/20100101 Firefox/50.0\"", "outcome": "failure" @@ -130,7 +130,7 @@ "web" ], "created": "2020-04-28T11:07:58.223Z", - "ingested": "2024-05-08T10:22:19.872151737Z", + "ingested": "2024-05-17T10:26:40.255143007Z", "kind": "event", "original": "::1 - - [26/Dec/2016:16:16:48 +0200] \"-\" 408 -", "outcome": "failure" @@ -168,7 +168,7 @@ "web" ], "created": "2020-04-28T11:07:58.223Z", - "ingested": "2024-05-08T10:22:19.872156019Z", + "ingested": "2024-05-17T10:26:40.255145157Z", "kind": "event", "original": "172.17.0.1 - - [29/May/2017:19:02:48 +0000] \"GET /stringpatch HTTP/1.1\" 404 612 \"-\" \"Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20120716 Firefox/15.0a2\" \"-\"", "outcome": "failure" @@ -231,7 +231,7 @@ "web" ], "created": "2020-04-28T11:07:58.223Z", - "ingested": "2024-05-08T10:22:19.872160167Z", + "ingested": "2024-05-17T10:26:40.255147097Z", "kind": "event", "original": "monitoring-server - - [29/May/2017:19:02:48 +0000] \"GET /status HTTP/1.1\" 200 612 \"-\" \"Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20120716 Firefox/15.0a2\" \"-\"", "outcome": "success" @@ -294,7 +294,7 @@ "web" ], "created": "2020-04-28T11:07:58.223Z", - "ingested": "2024-05-08T10:22:19.872164337Z", + "ingested": "2024-05-17T10:26:40.255149177Z", "kind": "event", "original": "127.0.0.1 - - [02/Feb/2019:05:38:45 +0100] \"-\" 408 152 \"-\" \"-\"", "outcome": "failure" 
@@ -345,7 +345,7 @@ "web" ], "created": "2020-04-28T11:07:58.223Z", - "ingested": "2024-05-08T10:22:19.872168538Z", + "ingested": "2024-05-17T10:26:40.255151307Z", "kind": "event", "original": "monitoring-server - - [29/May/2017:19:02:48 +0000] \"GET /A%20Beka%20G1%20Howe/029_AND_30/15%20reading%20elephants.mp4 HTTP/1.1\" 200 612 \"-\" \"Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20120716 Firefox/15.0a2\" X-Forwarded-For=\"-\"", "outcome": "success" @@ -414,7 +414,7 @@ "web" ], "created": "2020-04-28T11:07:58.223Z", - "ingested": "2024-05-08T10:22:19.872172626Z", + "ingested": "2024-05-17T10:26:40.255153547Z", "kind": "event", "original": "89.160.20.112 - - [29/May/2017:19:02:48 +0000] \"GET /A%20Beka%20G1%20Howe/029_AND_30/15%20reading%20elephants.mp4 HTTP/1.1\" 200 612 \"-\" \"Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20120716 Firefox/15.0a2\" X-Forwarded-For=\"10.0.0.2,10.0.0.1\"", "outcome": "success" @@ -504,7 +504,7 @@ "web" ], "created": "2020-04-28T11:07:58.223Z", - "ingested": "2024-05-08T10:22:19.872176723Z", + "ingested": "2024-05-17T10:26:40.255155577Z", "kind": "event", "original": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6 - - [29/May/2017:19:02:48 +0000] \"GET /A%20Beka%20G1%20Howe/029_AND_30/15%20reading%20elephants.mp4 HTTP/1.1\" 200 612 \"-\" \"Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20120716 Firefox/15.0a2\" X-Forwarded-For=\"10.225.192.17, 10.2.2.121\"", "outcome": "success" 
@@ -584,7 +584,154 @@ "web" ], "created": "2020-04-28T11:07:58.223Z", - "ingested": "2024-05-08T10:22:19.872180798Z", + "ingested": "2024-05-17T10:26:40.255157547Z", + "kind": "event", + "original": "monitoring-server - - [17/May/2022:21:41:43 +0000] \"GET / HTTP/1.1\" 200 45 \"-\" \"curl/7.79.1\" X-Forwarded-For=\"192.168.0.2\"", + "outcome": "success" + }, + "http": { + "request": { + "method": "GET", + "referrer": "-" + }, + "response": { + "body": { + "bytes": 45 + }, + "status_code": 200 + }, + "version": "1.1" + }, + "network": { + "forwarded_ip": "192.168.0.2" + }, + "source": { + "address": "monitoring-server", + "domain": "monitoring-server" + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "original": "/", + "path": "/" + }, + "user": { + "name": "-" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "curl", + "original": "curl/7.79.1", + "version": "7.79.1" + } + }, + { + "@timestamp": "2017-05-29T19:02:48.000Z", + "apache": { + "access": { + "remote_addresses": [ + "10.225.192.17", + "10.2.2.121", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" + ], + "response_time": 3413 + } + }, + "client": { + "ip": "10.225.192.17" + }, + "ecs": { + "version": "8.5.1" + }, + "event": { + "category": [ + "web" + ], + "created": "2020-04-28T11:07:58.223Z", + "ingested": "2024-05-17T10:26:40.255159597Z", + "kind": "event", + "original": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6 - - [29/May/2017:19:02:48 +0000] \"GET /A%20Beka%20G1%20Howe/029_AND_30/15%20reading%20elephants.mp4 HTTP/1.1\" 200 612 3413 \"-\" \"Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20120716 Firefox/15.0a2\" X-Forwarded-For=\"10.225.192.17, 10.2.2.121\"", + "outcome": "success" + }, + "http": { + "request": { + "method": "GET", + "referrer": "-" + }, + "response": { + "body": { + "bytes": 612 + }, + "status_code": 200 + }, + "version": "1.1" + }, + "network": { + "forwarded_ip": "10.225.192.17" + }, + "source": { + "address": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "geo": 
{ + "continent_name": "Europe", + "country_iso_code": "NO", + "country_name": "Norway", + "location": { + "lat": 62.0, + "lon": 10.0 + } + }, + "ip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "extension": "mp4", + "original": "/A%20Beka%20G1%20Howe/029_AND_30/15%20reading%20elephants.mp4", + "path": "/A Beka G1 Howe/029_AND_30/15 reading elephants.mp4" + }, + "user": { + "name": "-" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Firefox Alpha", + "original": "Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20120716 Firefox/15.0a2", + "os": { + "full": "Windows 7", + "name": "Windows", + "version": "7" + }, + "version": "15.0.a2" + } + }, + { + "@timestamp": "2022-05-17T21:41:43.000Z", + "apache": { + "access": { + "remote_addresses": [ + "192.168.0.2", + "monitoring-server" + ] + } + }, + "client": { + "ip": "192.168.0.2" + }, + "ecs": { + "version": "8.5.1" + }, + "event": { + "category": [ + "web" + ], + "created": "2020-04-28T11:07:58.223Z", + "ingested": "2024-05-17T10:26:40.255161587Z", "kind": "event", "original": "monitoring-server - - [17/May/2022:21:41:43 +0000] \"GET / HTTP/1.1\" 200 45 \"-\" \"curl/7.79.1\" X-Forwarded-For=\"192.168.0.2\"", "outcome": "success" @@ -646,7 +793,7 @@ "web" ], "created": "2020-04-28T11:07:58.223Z", - "ingested": "2024-05-08T10:22:19.872184902Z", + "ingested": "2024-05-17T10:26:40.255163497Z", "kind": "event", "original": "127.0.0.1 user-identity frank [10/Oct/2000:13:55:36 -0700] \"GET /apache_pb.gif HTTP/1.0\" 200 2326", "outcome": "success" diff --git a/packages/apache/data_stream/access/_dev/test/pipeline/test-access-darwin.log-expected.json b/packages/apache/data_stream/access/_dev/test/pipeline/test-access-darwin.log-expected.json index 84f21533f44..25c56870f7a 100644 --- a/packages/apache/data_stream/access/_dev/test/pipeline/test-access-darwin.log-expected.json 
+++ b/packages/apache/data_stream/access/_dev/test/pipeline/test-access-darwin.log-expected.json @@ -17,7 +17,7 @@ "web" ], "created": "2020-04-28T11:07:58.223Z", - "ingested": "2024-05-08T10:22:20.139680586Z", + "ingested": "2024-05-17T10:26:40.340913374Z", "kind": "event", "original": "::1 - - [26/Dec/2016:16:16:28 +0200] \"GET / HTTP/1.1\" 200 45", "outcome": "success" @@ -66,7 +66,7 @@ "web" ], "created": "2020-04-28T11:07:58.223Z", - "ingested": "2024-05-08T10:22:20.139715385Z", + "ingested": "2024-05-17T10:26:40.340932754Z", "kind": "event", "original": "::1 - - [26/Dec/2016:16:16:29 +0200] \"GET /favicon.ico HTTP/1.1\" 404 209", "outcome": "failure" @@ -116,7 +116,7 @@ "web" ], "created": "2020-04-28T11:07:58.223Z", - "ingested": "2024-05-08T10:22:20.139720504Z", + "ingested": "2024-05-17T10:26:40.340935844Z", "kind": "event", "original": "::1 - - [26/Dec/2016:16:16:48 +0200] \"-\" 408 -", "outcome": "failure" @@ -154,7 +154,7 @@ "web" ], "created": "2020-04-28T11:07:58.223Z", - "ingested": "2024-05-08T10:22:20.139724615Z", + "ingested": "2024-05-17T10:26:40.340938244Z", "kind": "event", "original": "89.160.20.156 - - [26/Dec/2016:18:23:35 +0200] \"GET / HTTP/1.1\" 200 45", "outcome": "success" @@ -221,7 +221,7 @@ "web" ], "created": "2020-04-28T11:07:58.223Z", - "ingested": "2024-05-08T10:22:20.139728696Z", + "ingested": "2024-05-17T10:26:40.340940504Z", "kind": "event", "original": "89.160.20.156 - - [26/Dec/2016:18:23:41 +0200] \"GET /notfound HTTP/1.1\" 404 206", "outcome": "failure" @@ -288,7 +288,7 @@ "web" ], "created": "2020-04-28T11:07:58.223Z", - "ingested": "2024-05-08T10:22:20.139732611Z", + "ingested": "2024-05-17T10:26:40.340942494Z", "kind": "event", "original": "89.160.20.156 - - [26/Dec/2016:18:23:45 +0200] \"GET /hmm HTTP/1.1\" 404 201", "outcome": "failure" 
diff --git a/packages/apache/data_stream/access/_dev/test/pipeline/test-access-ssl-request.log-expected.json b/packages/apache/data_stream/access/_dev/test/pipeline/test-access-ssl-request.log-expected.json index 4695dc83d46..08437e8170b 100644 --- a/packages/apache/data_stream/access/_dev/test/pipeline/test-access-ssl-request.log-expected.json +++ b/packages/apache/data_stream/access/_dev/test/pipeline/test-access-ssl-request.log-expected.json @@ -21,7 +21,7 @@ "web" ], "created": "2020-04-28T11:07:58.223Z", - "ingested": "2024-05-08T10:22:20.342081887Z", + "ingested": "2024-05-17T10:26:40.405314051Z", "kind": "event", "original": "[10/Aug/2018:09:45:56 +0200] 172.30.0.119 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 \"GET /nagiosxi/ajaxhelper.php?cmd=getxicoreajax&opts=%7B%22func%22%3A%22get_admin_tasks_html%22%2C%22args%22%3A%22%22%7D&nsp=b5c7d5d4b6f7d0cf0c92f9cbdf737f6a5c838218425e6ae21 HTTP/1.1\" 1375" }, @@ -76,7 +76,7 @@ "web" ], "created": "2020-04-28T11:07:58.223Z", - "ingested": "2024-05-08T10:22:20.342133974Z", + "ingested": "2024-05-17T10:26:40.405334691Z", "kind": "event", "original": "[16/Oct/2019:11:53:47 +0200] 89.160.20.156 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 \"GET /appl/ajaxhelper.php?cmd=getxicoreajax&opts=%7B%22func%22%3A%22get_pagetop_alert_content_html%22%2C%22args%22%3A%22%22%7D&nsp=c2700eab9797eda8a9f65a3ab17a6adbceccd60a6cca7708650a5923950d HTTP/1.1\" -" }, diff --git a/packages/apache/data_stream/access/_dev/test/pipeline/test-access-ubuntu.log-expected.json b/packages/apache/data_stream/access/_dev/test/pipeline/test-access-ubuntu.log-expected.json index 740f8a73e1e..5f2f71669a6 100644 --- a/packages/apache/data_stream/access/_dev/test/pipeline/test-access-ubuntu.log-expected.json +++ b/packages/apache/data_stream/access/_dev/test/pipeline/test-access-ubuntu.log-expected.json 
@@ -17,7 +17,7 @@ "web" ], "created": "2020-04-28T11:07:58.223Z", - "ingested": "2024-05-08T10:22:20.540597482Z", + "ingested": "2024-05-17T10:26:40.464952445Z", "kind": "event", "original": "127.0.0.1 - - [26/Dec/2016:16:18:09 +0000] \"GET / HTTP/1.1\" 200 491 \"-\" \"Wget/1.13.4 (linux-gnu)\"", "outcome": "success" @@ -78,7 +78,7 @@ "web" ], "created": "2020-04-28T11:07:58.223Z", - "ingested": "2024-05-08T10:22:20.540653442Z", + "ingested": "2024-05-17T10:26:40.464972435Z", "kind": "event", "original": "192.168.33.1 - - [26/Dec/2016:16:22:00 +0000] \"GET / HTTP/1.1\" 200 484 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.98 Safari/537.36\"", "outcome": "success" @@ -141,7 +141,7 @@ "web" ], "created": "2020-04-28T11:07:58.223Z", - "ingested": "2024-05-08T10:22:20.540661612Z", + "ingested": "2024-05-17T10:26:40.464975465Z", "kind": "event", "original": "192.168.33.1 - - [26/Dec/2016:16:22:00 +0000] \"GET /favicon.ico HTTP/1.1\" 404 504 \"http://192.168.33.72/\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.98 Safari/537.36\"", "outcome": "failure" @@ -205,7 +205,7 @@ "web" ], "created": "2020-04-28T11:07:58.223Z", - "ingested": "2024-05-08T10:22:20.540668805Z", + "ingested": "2024-05-17T10:26:40.464977815Z", "kind": "event", "original": "192.168.33.1 - - [26/Dec/2016:16:22:08 +0000] \"GET / HTTP/1.1\" 200 484 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:50.0) Gecko/20100101 Firefox/50.0\"", "outcome": "success" @@ -268,7 +268,7 @@ "web" ], "created": "2020-04-28T11:07:58.223Z", - "ingested": "2024-05-08T10:22:20.540676244Z", + "ingested": "2024-05-17T10:26:40.464979965Z", "kind": "event", "original": "192.168.33.1 - - [26/Dec/2016:16:22:08 +0000] \"GET /favicon.ico HTTP/1.1\" 404 504 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:50.0) Gecko/20100101 Firefox/50.0\"", "outcome": "failure" 
@@ -332,7 +332,7 @@ "web" ], "created": "2020-04-28T11:07:58.223Z", - "ingested": "2024-05-08T10:22:20.540682849Z", + "ingested": "2024-05-17T10:26:40.464982085Z", "kind": "event", "original": "192.168.33.1 - - [26/Dec/2016:16:22:08 +0000] \"GET /favicon.ico HTTP/1.1\" 404 504 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:50.0) Gecko/20100101 Firefox/50.0\"", "outcome": "failure" @@ -396,7 +396,7 @@ "web" ], "created": "2020-04-28T11:07:58.223Z", - "ingested": "2024-05-08T10:22:20.540689341Z", + "ingested": "2024-05-17T10:26:40.464984015Z", "kind": "event", "original": "192.168.33.1 - - [26/Dec/2016:16:22:10 +0000] \"GET /test HTTP/1.1\" 404 498 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:50.0) Gecko/20100101 Firefox/50.0\"", "outcome": "failure" @@ -459,7 +459,7 @@ "web" ], "created": "2020-04-28T11:07:58.223Z", - "ingested": "2024-05-08T10:22:20.540695675Z", + "ingested": "2024-05-17T10:26:40.464986035Z", "kind": "event", "original": "192.168.33.1 - - [26/Dec/2016:16:22:13 +0000] \"GET /hello HTTP/1.1\" 404 499 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:50.0) Gecko/20100101 Firefox/50.0\"", "outcome": "failure" @@ -522,7 +522,7 @@ "web" ], "created": "2020-04-28T11:07:58.223Z", - "ingested": "2024-05-08T10:22:20.540702271Z", + "ingested": "2024-05-17T10:26:40.464987985Z", "kind": "event", "original": "192.168.33.1 - - [26/Dec/2016:16:22:17 +0000] \"GET /crap HTTP/1.1\" 404 499 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:50.0) Gecko/20100101 Firefox/50.0\"", "outcome": "failure" diff --git a/packages/apache/data_stream/access/_dev/test/pipeline/test-access-vhost.log-expected.json b/packages/apache/data_stream/access/_dev/test/pipeline/test-access-vhost.log-expected.json index d9d2fc30098..cc1ad5b0f78 100644 --- a/packages/apache/data_stream/access/_dev/test/pipeline/test-access-vhost.log-expected.json +++ b/packages/apache/data_stream/access/_dev/test/pipeline/test-access-vhost.log-expected.json 
@@ -20,7 +20,7 @@ "web" ], "created": "2020-04-28T11:07:58.223Z", - "ingested": "2024-05-08T10:22:20.825711762Z", + "ingested": "2024-05-17T10:26:40.532640672Z", "kind": "event", "original": "vhost1.domaine.fr 192.168.33.2 - - [26/Dec/2016:16:22:14 +0000] \"GET /hello HTTP/1.1\" 404 499 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:50.0) Gecko/20100101 Firefox/50.0\"", "outcome": "failure" diff --git a/packages/apache/data_stream/access/elasticsearch/ingest_pipeline/default.yml b/packages/apache/data_stream/access/elasticsearch/ingest_pipeline/default.yml index f17ab164f58..36f7021c4bb 100644 --- a/packages/apache/data_stream/access/elasticsearch/ingest_pipeline/default.yml +++ b/packages/apache/data_stream/access/elasticsearch/ingest_pipeline/default.yml @@ -25,7 +25,7 @@ processors: patterns: - '(%{IPORHOST:destination.domain} )?%{IPORHOST:source.address} %{DATA:apache.access.identity} %{DATA:user.name} \[%{HTTPDATE:apache.access.time}\] "(?:%{WORD:http.request.method} %{DATA:_tmp.url_orig} HTTP/%{NUMBER:http.version}|-)?" - %{NUMBER:http.response.status_code:long} (?:%{NUMBER:http.response.body.bytes:long}|-)( + %{NUMBER:http.response.status_code:long} (?:%{NUMBER:http.response.body.bytes:long}|-)( %{NUMBER:apache.access.response_time})?( "%{DATA:http.request.referrer}")?( "%{DATA:user_agent.original}")?( X-Forwarded-For="%{ADDRESS_LIST:apache.access.remote_addresses}")?' - '%{IPORHOST:source.address} - %{DATA:user.name} \[%{HTTPDATE:apache.access.time}\] "-" %{NUMBER:http.response.status_code:long} -' 
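Review bot: The new capture `%{NUMBER:apache.access.response_time}` is the only untyped numeric capture in this pattern; the neighbouring `http.response.status_code:long` and `http.response.body.bytes:long` cast inline, and the commit instead adds a nine-line `convert` processor in the hunk at -197 to do the cast afterwards. Writing it as `( %{NUMBER:apache.access.response_time:long})?` keeps one style within the pattern and makes that processor unnecessary. The two may behave differently when the value is not an integer (the convert path appends to `error.message` and keeps the event), so whichever is kept deserves a one-line comment above the pattern saying that this is deliberate. The removed line as shown here ends at `(`, which looks like an extraction artifact; I am assuming the trailing referrer, user-agent and X-Forwarded-For groups are unchanged. Since `%D` is microseconds, also consider deriving ECS `event.duration` (nanoseconds) from this field so detection rules can rely on the standard field rather than a package-specific one.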
@@ -197,6 +197,15 @@ processors:
 }
 }
 handleMap(ctx);
+  - convert:
+      field: apache.access.response_time
+      tag: 'convert_response_time_to_long'
+      type: long
+      ignore_missing: true
+      on_failure:
+        - append:
+            field: error.message
+            value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag fail-{{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
 - remove:
 field: event.original
 if: "ctx.tags == null || !(ctx.tags.contains('preserve_original_event'))"
diff --git a/packages/apache/data_stream/access/fields/fields.yml b/packages/apache/data_stream/access/fields/fields.yml
index aed9cb815b7..b8fc128ad76 100644
--- a/packages/apache/data_stream/access/fields/fields.yml
+++ b/packages/apache/data_stream/access/fields/fields.yml
@@ -18,3 +18,7 @@
 type: keyword
 description: |
 The client's identity, as specified in RFC 1413, determined by the identd on the client's machine.
+  - name: response_time
+    type: long
+    description: Time to serve the request in microseconds.
+    unit: micros
\ No newline at end of file
diff --git a/packages/apache/data_stream/error/_dev/test/pipeline/test-error-basic.log-expected.json b/packages/apache/data_stream/error/_dev/test/pipeline/test-error-basic.log-expected.json
index 78f929ed4e1..e720bf1c7bc 100644
--- a/packages/apache/data_stream/error/_dev/test/pipeline/test-error-basic.log-expected.json
+++ b/packages/apache/data_stream/error/_dev/test/pipeline/test-error-basic.log-expected.json
@@ -12,7 +12,7 @@
 "category": [
 "web"
 ],
- "ingested": "2024-05-08T10:22:22.163414352Z",
+ "ingested": "2024-05-17T10:26:40.734063422Z",
 "kind": "event",
 "original": "[Mon Dec 26 16:22:08 2016] [error] [client 192.168.33.1] File does not exist: /var/www/favicon.ico",
 "timezone": "GMT+2",
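Review bot: The new `response_time` entry in fields.yml is written without a trailing newline (`\ No newline at end of file`) and its description does not say which Apache log directive produces the value, which matters because `%T` (seconds) and `%D` (microseconds) look identical in a log line. Suggest `description: Time taken to serve the request in microseconds, as logged by the Apache %D directive.` together with a final newline so the next field added here does not touch this line again. The `%D` attribution comes from the README hunk in this same commit, which documents the supported LogFormat.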
@@ -49,7 +49,7 @@ "category": [ "web" ], - "ingested": "2024-05-08T10:22:22.163449749Z", + "ingested": "2024-05-17T10:26:40.734078302Z", "kind": "event", "original": "[Mon Dec 26 16:15:55.103786 2016] [core:notice] [pid 11379] AH00094: Command line: '/usr/local/Cellar/httpd24/2.4.23_2/bin/httpd'", "timezone": "GMT+2", @@ -82,7 +82,7 @@ "category": [ "web" ], - "ingested": "2024-05-08T10:22:22.163454309Z", + "ingested": "2024-05-17T10:26:40.734081212Z", "kind": "event", "original": "[Fri Sep 09 10:42:29.902022 2011] [core:error] [pid 35708:tid 4328636416] [client 89.160.20.156] File does not exist: /usr/local/apache2/htdocs/favicon.ico", "timezone": "GMT+2", @@ -143,7 +143,7 @@ "category": [ "web" ], - "ingested": "2024-05-08T10:22:22.163458029Z", + "ingested": "2024-05-17T10:26:40.734083342Z", "kind": "event", "original": "[Thu Jun 27 06:58:09.169510 2019] [include:warn] [pid 15934] [client 89.160.20.156:12345] AH01374: mod_include: Options +Includes (or IncludesNoExec) wasn't set, INCLUDES filter removed: /test.html", "timezone": "GMT+2", diff --git a/packages/apache/data_stream/error/_dev/test/pipeline/test-error-darwin.log-expected.json b/packages/apache/data_stream/error/_dev/test/pipeline/test-error-darwin.log-expected.json index 1b57e168a46..29b6d02b541 100644 --- a/packages/apache/data_stream/error/_dev/test/pipeline/test-error-darwin.log-expected.json +++ b/packages/apache/data_stream/error/_dev/test/pipeline/test-error-darwin.log-expected.json @@ -14,7 +14,7 @@ "category": [ "web" ], - "ingested": "2024-05-08T10:22:22.455312537Z", + "ingested": "2024-05-17T10:26:40.792377134Z", "kind": "event", "original": "[Mon Dec 26 16:15:55.103522 2016] [mpm_prefork:notice] [pid 11379] AH00163: Apache/2.4.23 (Unix) configured -- resuming normal operations", "timezone": "GMT+2", 
@@ -47,7 +47,7 @@ "category": [ "web" ], - "ingested": "2024-05-08T10:22:22.455349060Z", + "ingested": "2024-05-17T10:26:40.792402724Z", "kind": "event", "original": "[Mon Dec 26 16:15:55.103786 2016] [core:notice] [pid 11379] AH00094: Command line: '/usr/local/Cellar/httpd24/2.4.23_2/bin/httpd'", "timezone": "GMT+2", diff --git a/packages/apache/data_stream/error/_dev/test/pipeline/test-error-trace.log-expected.json b/packages/apache/data_stream/error/_dev/test/pipeline/test-error-trace.log-expected.json index 99769b855f2..0471df7011e 100644 --- a/packages/apache/data_stream/error/_dev/test/pipeline/test-error-trace.log-expected.json +++ b/packages/apache/data_stream/error/_dev/test/pipeline/test-error-trace.log-expected.json @@ -14,7 +14,7 @@ "category": [ "web" ], - "ingested": "2024-05-08T10:22:22.795167257Z", + "ingested": "2024-05-17T10:26:40.848780172Z", "kind": "event", "original": "[Wed Oct 20 19:20:59.121211 2021] [rewrite:trace3] [pid 121591:tid 140413273032448] mod_rewrite.c(470): [client 10.121.192.8:38350] 10.121.192.8 - - [dev.elastic.co/sid#55a374e851c8][rid#7fb438083ac0/initial] applying pattern '^/import/?(.*)$' to uri '/'", "timezone": "GMT+2", diff --git a/packages/apache/data_stream/error/_dev/test/pipeline/test-error-ubuntu.log-expected.json b/packages/apache/data_stream/error/_dev/test/pipeline/test-error-ubuntu.log-expected.json index 05c1ad1db8a..765e98e901b 100644 --- a/packages/apache/data_stream/error/_dev/test/pipeline/test-error-ubuntu.log-expected.json +++ b/packages/apache/data_stream/error/_dev/test/pipeline/test-error-ubuntu.log-expected.json @@ -12,7 +12,7 @@ "category": [ "web" ], - "ingested": "2024-05-08T10:22:23.044840419Z", + "ingested": "2024-05-17T10:26:40.905684775Z", "kind": "event", "original": "[Mon Dec 26 16:17:53 2016] [notice] Apache/2.2.22 (Ubuntu) configured -- resuming normal operations", "timezone": "GMT+2", 
@@ -40,7 +40,7 @@ "category": [ "web" ], - "ingested": "2024-05-08T10:22:23.044890203Z", + "ingested": "2024-05-17T10:26:40.905706715Z", "kind": "event", "original": "[Mon Dec 26 16:22:00 2016] [error] [client 192.168.33.1] File does not exist: /var/www/favicon.ico, referer: http://192.168.33.72/", "timezone": "GMT+2", @@ -80,7 +80,7 @@ "category": [ "web" ], - "ingested": "2024-05-08T10:22:23.044898761Z", + "ingested": "2024-05-17T10:26:40.905709575Z", "kind": "event", "original": "[Mon Dec 26 16:22:08 2016] [error] [client 192.168.33.1] File does not exist: /var/www/favicon.ico", "timezone": "GMT+2", @@ -115,7 +115,7 @@ "category": [ "web" ], - "ingested": "2024-05-08T10:22:23.044906086Z", + "ingested": "2024-05-17T10:26:40.905711945Z", "kind": "event", "original": "[Mon Dec 26 16:22:08 2016] [error] [client 192.168.33.1] File does not exist: /var/www/favicon.ico", "timezone": "GMT+2", @@ -150,7 +150,7 @@ "category": [ "web" ], - "ingested": "2024-05-08T10:22:23.044913004Z", + "ingested": "2024-05-17T10:26:40.905714025Z", "kind": "event", "original": "[Mon Dec 26 16:22:10 2016] [error] [client 192.168.33.1] File does not exist: /var/www/test", "timezone": "GMT+2", @@ -185,7 +185,7 @@ "category": [ "web" ], - "ingested": "2024-05-08T10:22:23.044919962Z", + "ingested": "2024-05-17T10:26:40.905716155Z", "kind": "event", "original": "[Mon Dec 26 16:22:13 2016] [error] [client 192.168.33.1] File does not exist: /var/www/hello", "timezone": "GMT+2", @@ -220,7 +220,7 @@ "category": [ "web" ], - "ingested": "2024-05-08T10:22:23.044927917Z", + "ingested": "2024-05-17T10:26:40.905718125Z", "kind": "event", "original": "[Mon Dec 26 16:22:17 2016] [error] [client 192.168.33.1] File does not exist: /var/www/crap", "timezone": "GMT+2", diff --git a/packages/apache/docs/README.md b/packages/apache/docs/README.md index 039244c8214..491c2eb6692 100644 --- a/packages/apache/docs/README.md +++ b/packages/apache/docs/README.md 
@@ -16,106 +16,107 @@ Access logs collects the Apache access logs. **Exported fields** -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| apache.access.identity | The client's identity, as specified in RFC 1413, determined by the identd on the client's machine. | keyword | -| apache.access.remote_addresses | An array of remote addresses. It is a list because it is common to include, besides the client IP address, IP addresses from headers like `X-Forwarded-For`. | keyword | -| apache.access.ssl.cipher | SSL cipher name. - name: nginx.access | keyword | -| apache.access.ssl.protocol | SSL protocol version. | keyword | -| client.ip | IP address of the client (IPv4 or IPv6). | ip | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. 
| constant_keyword | -| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.message | Error message. | match_only_text | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. 
`event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword | -| file.path.text | Multi-field of `file.path`. | match_only_text | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. 
For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword | -| http.request.referrer | Referrer for this HTTP request. | keyword | -| http.response.body.bytes | Size in bytes of the response body. | long | -| http.response.status_code | HTTP response status code. | long | -| http.version | HTTP version. 
| keyword | -| input.type | Input type | keyword | -| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | -| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | -| log.offset | Log offset | long | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | -| process.pid | Process id. | long | -| process.thread.id | Thread ID. | long | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. 
The value may derive from the original event or be added from enrichment. | keyword | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| tags | List of keywords used to tag each event. | keyword | -| tls.cipher | String indicating the cipher used during the current connection. | keyword | -| tls.version | Numeric part of the version parsed from the original string. | keyword | -| tls.version_protocol | Normalized lowercase protocol name parsed from original string. | keyword | -| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | -| url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | -| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. 
This field is meant to represent the URL as it was observed, complete or not. | wildcard | -| url.original.text | Multi-field of `url.original`. | match_only_text | -| url.path | Path of the request, such as "/search". | wildcard | -| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword | -| user.name | Short name or login of the user. | keyword | -| user.name.text | Multi-field of `user.name`. | match_only_text | -| user_agent.device.name | Name of the device. | keyword | -| user_agent.name | Name of the user agent. | keyword | -| user_agent.original | Unparsed user_agent string. | keyword | -| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text | -| user_agent.os.full | Operating system name, including the version or code name. | keyword | -| user_agent.os.full.text | Multi-field of `user_agent.os.full`. | match_only_text | -| user_agent.os.name | Operating system name, without the version. | keyword | -| user_agent.os.name.text | Multi-field of `user_agent.os.name`. | match_only_text | -| user_agent.os.version | Operating system version as a raw string. | keyword | -| user_agent.version | Version of the user agent. | keyword | +| Field | Description | Type | Unit | +|---|---|---|---| +| @timestamp | Event timestamp. | date | | +| apache.access.identity | The client's identity, as specified in RFC 1413, determined by the identd on the client's machine. | keyword | | +| apache.access.remote_addresses | An array of remote addresses. It is a list because it is common to include, besides the client IP address, IP addresses from headers like `X-Forwarded-For`. 
| keyword | | +| apache.access.response_time | Time to serve the request in microseconds. | long | micros | +| apache.access.ssl.cipher | SSL cipher name. - name: nginx.access | keyword | | +| apache.access.ssl.protocol | SSL protocol version. | keyword | | +| client.ip | IP address of the client (IPv4 or IPv6). | ip | | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | | +| cloud.image.id | Image ID for the cloud instance. | keyword | | +| cloud.instance.id | Instance ID of the host machine. | keyword | | +| cloud.instance.name | Instance name of the host machine. | keyword | | +| cloud.machine.type | Machine type of the host machine. | keyword | | +| cloud.project.id | Name of the project in Google Cloud. | keyword | | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | | +| cloud.region | Region in which this host is running. | keyword | | +| container.id | Unique container id. | keyword | | +| container.image.name | Name of the image the container was built on. | keyword | | +| container.labels | Image labels. | object | | +| container.name | Container name. | keyword | | +| data_stream.dataset | Data stream dataset. | constant_keyword | | +| data_stream.namespace | Data stream namespace. | constant_keyword | | +| data_stream.type | Data stream type. | constant_keyword | | +| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | | +| error.message | Error message. | match_only_text | | +| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | | +| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | | +| event.dataset | Event dataset | constant_keyword | | +| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. 
They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | | +| event.module | Event module | constant_keyword | | +| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | | +| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword | | +| file.path.text | Multi-field of `file.path`. | match_only_text | | +| host.architecture | Operating system architecture. | keyword | | +| host.containerized | If the host is a container. | boolean | | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. 
Example: The current usage of `beat.name`. | keyword | | +| host.ip | Host ip addresses. | ip | | +| host.mac | Host mac addresses. | keyword | | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | +| host.os.build | OS build information. | keyword | | +| host.os.codename | OS codename, if any. | keyword | | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | | +| host.os.name | Operating system name, without the version. | keyword | | +| host.os.name.text | Multi-field of `host.os.name`. | text | | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | | +| host.os.version | Operating system version as a raw string. | keyword | | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | +| http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword | | +| http.request.referrer | Referrer for this HTTP request. | keyword | | +| http.response.body.bytes | Size in bytes of the response body. | long | | +| http.response.status_code | HTTP response status code. | long | | +| http.version | HTTP version. | keyword | | +| input.type | Input type | keyword | | +| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | | +| log.level | Original log level of the log event. 
If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | | +| log.offset | Log offset | long | | +| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | | +| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | | +| process.pid | Process id. | long | | +| process.thread.id | Thread ID. | long | | +| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | | +| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | | +| source.as.organization.name | Organization name. | keyword | | +| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | | +| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | | +| source.geo.city_name | City name. | keyword | | +| source.geo.continent_name | Name of the continent. | keyword | | +| source.geo.country_iso_code | Country ISO code. | keyword | | +| source.geo.country_name | Country name. 
| keyword | | +| source.geo.location | Longitude and latitude. | geo_point | | +| source.geo.region_iso_code | Region ISO code. | keyword | | +| source.geo.region_name | Region name. | keyword | | +| source.ip | IP address of the source (IPv4 or IPv6). | ip | | +| tags | List of keywords used to tag each event. | keyword | | +| tls.cipher | String indicating the cipher used during the current connection. | keyword | | +| tls.version | Numeric part of the version parsed from the original string. | keyword | | +| tls.version_protocol | Normalized lowercase protocol name parsed from original string. | keyword | | +| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | | +| url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | | +| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | | +| url.original.text | Multi-field of `url.original`. | match_only_text | | +| url.path | Path of the request, such as "/search". | wildcard | | +| url.query | The query field describes the query string of the request, such as "q=elasticsearch". 
The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword | | +| user.name | Short name or login of the user. | keyword | | +| user.name.text | Multi-field of `user.name`. | match_only_text | | +| user_agent.device.name | Name of the device. | keyword | | +| user_agent.name | Name of the user agent. | keyword | | +| user_agent.original | Unparsed user_agent string. | keyword | | +| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text | | +| user_agent.os.full | Operating system name, including the version or code name. | keyword | | +| user_agent.os.full.text | Multi-field of `user_agent.os.full`. | match_only_text | | +| user_agent.os.name | Operating system name, without the version. | keyword | | +| user_agent.os.name.text | Multi-field of `user_agent.os.name`. | match_only_text | | +| user_agent.os.version | Operating system version as a raw string. | keyword | | +| user_agent.version | Version of the user agent. | keyword | | Supported format for the access logs are: 
@@ -135,6 +136,11 @@ Supported format for the access logs are: >```%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" X-Forwarded-For=\"%{X-Forwarded-For}i\"``` - Example: >```127.0.0.1 user-identifier frank [10/Oct/2000:13:55:36 -0700] "GET /apache_pb.gif HTTP/1.0" 200 2326 "http://datawarehouse.us.oracle.com/datamining/contents.htm" "Mozilla/4.7 [en] (WinNT; I)" X-Forwarded-For="10.225.192.17, 10.2.2.121"``` +- Combined Log Format + X-Forwarded-For header + Response time + - Defined in apache `LogFormat` by: + >```%h %l %u %t \"%r\" %>s %b %D \"%{Referer}i\" \"%{User-Agent}i\" X-Forwarded-For=\"%{X-Forwarded-For}i\"``` + - Example: + >```127.0.0.1 user-identifier frank [10/Oct/2000:13:55:36 -0700] "GET /apache_pb.gif HTTP/1.0" 200 2326 3413 "http://datawarehouse.us.oracle.com/datamining/contents.htm" "Mozilla/4.7 [en] (WinNT; I)" X-Forwarded-For="10.225.192.17, 10.2.2.121"``` ### Error Logs
diff --git a/packages/apache/manifest.yml b/packages/apache/manifest.yml
index 9a0dc7522b1..0dea6f5b3cf 100644
--- a/packages/apache/manifest.yml
+++ b/packages/apache/manifest.yml
@@ -1,7 +1,7 @@
 format_version: 3.1.4
 name: apache
 title: Apache HTTP Server
-version: "1.19.0"
+version: "1.20.0"
 source:
 license: Elastic-2.0
 description: Collect logs and metrics from Apache servers with Elastic Agent.
From 3d91b6107453e35039f8d137b8d8502de63d8d47 Mon Sep 17 00:00:00 2001
From: Alex K <8418476+fearful-symmetry@users.noreply.github.com>
Date: Thu, 20 Jun 2024 11:55:09 -0700
Subject: [PATCH 033/105] Fix formatting of filesystem ignore types (#10180)
---
 packages/system/changelog.yml | 5 +++++
 .../data_stream/filesystem/agent/stream/stream.yml.hbs | 5 ++++-
 packages/system/manifest.yml | 2 +-
 3 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/packages/system/changelog.yml b/packages/system/changelog.yml
index 18ca0f27c5d..151e1de7228 100644
--- a/packages/system/changelog.yml
+++ b/packages/system/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.58.2"
+  changes:
+    - description: Fix filesystem ignore_types
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/10180
 - version: "1.58.1"
   changes:
     - description: Fix metrics overview dashboard.
diff --git a/packages/system/data_stream/filesystem/agent/stream/stream.yml.hbs b/packages/system/data_stream/filesystem/agent/stream/stream.yml.hbs
index 13a98485e9b..e26f1534438 100644
--- a/packages/system/data_stream/filesystem/agent/stream/stream.yml.hbs
+++ b/packages/system/data_stream/filesystem/agent/stream/stream.yml.hbs
@@ -2,7 +2,10 @@ metricsets: ["filesystem"]
 period: {{period}}
 processors: {{processors}}
 {{#if filesystem.ignore_types}}
-filesystem.ignore_types: {{filesystem.ignore_types}}
+filesystem.ignore_types:
+{{#each filesystem.ignore_types as |type i|}}
+- {{type}}
+{{/each}}
 {{/if}}
 {{#if system.hostfs}}
 system.hostfs: {{system.hostfs}}
diff --git a/packages/system/manifest.yml b/packages/system/manifest.yml
index 16403ddc7a2..4222f71910e 100644
--- a/packages/system/manifest.yml
+++ b/packages/system/manifest.yml
@@ -1,7 +1,7 @@
 format_version: 3.0.2
 name: system
 title: System
-version: 1.58.1
+version: 1.58.2
 description: Collect system logs and metrics from your servers with Elastic Agent.
 type: integration
 categories:
From ba948537e687b2a2501cee10f97dd33a0c77094f Mon Sep 17 00:00:00 2001
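Review bot: Each list entry in the stream.yml.hbs hunk is emitted as a bare YAML scalar, `- {{type}}`, so an `ignore_types` value carrying YAML-significant characters (a `:` followed by a space, a leading `#`, `[` or `*`) would alter the structure or type of the rendered stream config instead of arriving as a plain string. Quoting the item, `- "{{type}}"`, pins each entry to a string (a value containing a double quote would still need escaping); if the variable's manifest definition already constrains the accepted values, that lives outside this hunk and a one-line comment above the loop saying so would be enough. The index bound by `as |type i|` is not used in the loop body, so `{{#each filesystem.ignore_types as |type|}}` reads cleaner unless the repository's templates bind it by convention. The enclosing `{{#if filesystem.ignore_types}}` block is fully inside the hunk, but the template continues past it.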
From: Dan Kortschak Date: Sat, 22 Jun 2024 06:36:08 +0930 Subject: [PATCH 034/105] all: migrate ssi packages to ecs@mappings (#10135) Migration performed using ecs-update. go run github.com/andrewkroh/go-examples/ecs-update@014b35dfe4c9832b51e7c909a39a48257d6a005d \ -ecs-version=8.11.0 \ -ecs-git-ref=v8.11.0 \ -fields-yml-drop-ecs \ -kibana-version=^8.13.0 \ -drop-import-mappings \ -pr=10135 \ -owner=elastic/security-service-integrations \ packages/* * [1password] - Updated fields definitions * [akamai] - Updated fields definitions * [amazon_security_lake] - removed ecs import_mappings * [atlassian_bitbucket] - Updated fields definitions * [atlassian_confluence] - Updated fields definitions * [atlassian_jira] - Updated fields definitions * [auth0] - Updated fields definitions * [aws_bedrock] - Updated fields definitions * [azure_blob_storage] - removed ecs import_mappings * [azure_frontdoor] - Updated fields definitions * [azure_network_watcher_nsg] - removed ecs import_mappings * [azure_network_watcher_vnet] - removed ecs import_mappings * [barracuda] - Updated fields definitions * [barracuda_cloudgen_firewall] - Updated fields definitions * [bbot] - removed ecs import_mappings * [bitdefender] - Updated fields definitions * [bitwarden] - removed ecs import_mappings * [box_events] - Updated fields definitions * [carbon_black_cloud] - Updated fields definitions * [carbonblack_edr] - Updated fields definitions * [cel] - Updated fields definitions * [cisa_kevs] - Updated fields definitions * [cisco_duo] - Updated fields definitions * [cisco_meraki] - Updated fields definitions * [cisco_secure_endpoint] - Updated fields definitions * [cisco_umbrella] - Updated fields definitions * [cloudflare] - Updated fields definitions * [cloudflare_logpush] - Updated fields definitions * [cribl] - change to ECS version git@v8.11.0 * [crowdstrike] - removed ecs import_mappings * [cyberarkpas] - Updated fields definitions * [cyberark_pta] - Updated fields definitions * [cybereason] - 
removed ecs import_mappings * [cylance] - Updated fields definitions * [darktrace] - Updated fields definitions * [entityanalytics_ad] - removed ecs import_mappings * [entityanalytics_okta] - removed ecs import_mappings * [eset_protect] - Updated fields definitions * [f5_bigip] - Updated fields definitions * [fireeye] - Updated fields definitions * [forcepoint_web] - Updated fields definitions * [forgerock] - Updated fields definitions * [gcp_pubsub] - Updated fields definitions * [github] - Updated fields definitions * [gitlab] - Updated fields definitions * [google_cloud_storage] - removed ecs import_mappings * [google_scc] - removed ecs import_mappings * [google_workspace] - removed ecs import_mappings * [http_endpoint] - Updated fields definitions * [httpjson] - Updated fields definitions * [imperva_cloud_waf] - Updated fields definitions * [infoblox_bloxone_ddi] - Updated fields definitions * [infoblox_nios] - Updated fields definitions * [jamf_compliance_reporter] - Updated fields definitions * [jamf_protect] - Updated fields definitions * [jumpcloud] - Updated fields definitions * [keycloak] - Updated fields definitions * [lastpass] - Updated fields definitions * [lumos] - Updated fields definitions * [lyve_cloud] - Updated fields definitions * [m365_defender] - removed ecs import_mappings * [mattermost] - Updated fields definitions * [menlo] - Updated fields definitions * [microsoft_defender_cloud] - removed ecs import_mappings * [microsoft_defender_endpoint] - Updated fields definitions * [microsoft_exchange_online_message_trace] - Updated fields definitions * [mimecast] - Updated fields definitions * [netskope] - Updated fields definitions * [o365] - Updated fields definitions * [okta] - Updated fields definitions * [opencanary] - Updated fields definitions * [panw_cortex_xdr] - Updated fields definitions * [ping_one] - Updated fields definitions * [pps] - Updated fields definitions * [prisma_cloud] - removed ecs import_mappings * [proofpoint_tap] - 
Updated fields definitions * [pulse_connect_secure] - Updated fields definitions * [qualys_vmdr] - removed ecs import_mappings * [rapid7_insightvm] - removed ecs import_mappings * [santa] - Updated fields definitions * [sentinel_one] - Updated fields definitions * [sentinel_one_cloud_funnel] - Updated fields definitions * [slack] - Updated fields definitions * [snyk] - Updated fields definitions * [sophos_central] - removed ecs import_mappings * [symantec_edr_cloud] - removed ecs import_mappings * [symantec_endpoint] - Updated fields definitions * [symantec_endpoint_security] - removed ecs import_mappings * [tanium] - removed ecs import_mappings * [tenable_io] - Updated fields definitions * [tenable_sc] - Updated fields definitions * [thycotic_ss] - Updated fields definitions * [ti_abusech] - Updated fields definitions * [ti_anomali] - Updated fields definitions * [ti_cif3] - Updated fields definitions * [ti_crowdstrike] - Updated fields definitions * [ti_cybersixgill] - Updated fields definitions * [ti_eclecticiq] - change to ECS version git@v8.11.0 * [ti_eset] - Updated fields definitions * [ti_maltiverse] - Updated fields definitions * [ti_mandiant_advantage] - change to ECS version git@v8.11.0 * [ti_misp] - Updated fields definitions * [tines] - Updated fields definitions * [ti_opencti] - removed ecs import_mappings * [ti_otx] - Updated fields definitions * [ti_rapid7_threat_command] - Updated fields definitions * [ti_recordedfuture] - Updated fields definitions * [ti_threatconnect] - removed ecs import_mappings * [ti_threatq] - Updated fields definitions * [ti_util] - change to kibana constraint to ^8.13.0 * [trellix_edr_cloud] - removed ecs import_mappings * [trellix_epo_cloud] - removed ecs import_mappings * [trendmicro] - removed ecs import_mappings * [trend_micro_vision_one] - Updated fields definitions * [vectra_detect] - removed ecs import_mappings * [wiz] - removed ecs import_mappings * [zerofox] - Updated fields definitions * [zeronetworks] - Updated 
fields definitions * [zoom] - Updated fields definitions * [zscaler_zia] - removed ecs import_mappings * [zscaler_zpa] - removed ecs import_mappings --- packages/1password/changelog.yml | 5 + .../data_stream/audit_events/fields/ecs.yml | 44 - .../data_stream/item_usages/fields/ecs.yml | 48 - .../signin_attempts/fields/ecs.yml | 50 - packages/1password/docs/README.md | 79 - packages/1password/manifest.yml | 4 +- packages/akamai/changelog.yml | 5 + .../akamai/data_stream/siem/fields/agent.yml | 93 +- .../akamai/data_stream/siem/fields/beats.yml | 3 - .../akamai/data_stream/siem/fields/ecs.yml | 126 - packages/akamai/docs/README.md | 81 - packages/akamai/manifest.yml | 4 +- .../amazon_security_lake/_dev/build/build.yml | 1 - packages/amazon_security_lake/changelog.yml | 5 + .../application_activity/fields/beats.yml | 6 - .../data_stream/discovery/fields/beats.yml | 6 - .../data_stream/event/fields/beats.yml | 3 - .../data_stream/findings/fields/beats.yml | 6 - .../data_stream/iam/fields/beats.yml | 6 - .../network_activity/fields/beats.yml | 6 - .../system_activity/fields/beats.yml | 6 - packages/amazon_security_lake/docs/README.md | 1 - packages/amazon_security_lake/manifest.yml | 4 +- packages/atlassian_bitbucket/changelog.yml | 5 + .../data_stream/audit/fields/agent.yml | 167 +- .../data_stream/audit/fields/ecs.yml | 70 - packages/atlassian_bitbucket/docs/README.md | 68 - packages/atlassian_bitbucket/manifest.yml | 4 +- packages/atlassian_confluence/changelog.yml | 5 + .../data_stream/audit/fields/agent.yml | 167 +- .../data_stream/audit/fields/ecs.yml | 84 - packages/atlassian_confluence/docs/README.md | 75 - packages/atlassian_confluence/manifest.yml | 4 +- packages/atlassian_jira/changelog.yml | 5 + .../data_stream/audit/fields/agent.yml | 167 +- .../data_stream/audit/fields/ecs.yml | 84 - packages/atlassian_jira/docs/README.md | 75 - packages/atlassian_jira/manifest.yml | 4 +- packages/auth0/changelog.yml | 5 + .../auth0/data_stream/logs/fields/ecs.yml | 128 - 
packages/auth0/docs/README.md | 76 - packages/auth0/manifest.yml | 4 +- packages/aws_bedrock/changelog.yml | 5 + .../data_stream/invocation/fields/agent.yml | 53 - .../data_stream/invocation/fields/ecs.yml | 10 - .../data_stream/invocation/fields/input.yml | 2 - packages/aws_bedrock/docs/README.md | 32 - packages/aws_bedrock/manifest.yml | 4 +- .../azure_blob_storage/_dev/build/build.yml | 1 - packages/azure_blob_storage/changelog.yml | 5 + packages/azure_blob_storage/fields/agent.yml | 3 - packages/azure_blob_storage/fields/beats.yml | 3 - packages/azure_blob_storage/manifest.yml | 7 +- packages/azure_blob_storage/sample_event.json | 2 +- packages/azure_frontdoor/changelog.yml | 5 + .../data_stream/access/fields/agent.yml | 50 - .../data_stream/access/fields/base-fields.yml | 3 - .../data_stream/access/fields/ecs.yml | 114 - .../data_stream/waf/fields/agent.yml | 50 - .../data_stream/waf/fields/base-fields.yml | 3 - .../data_stream/waf/fields/ecs.yml | 90 - packages/azure_frontdoor/docs/README.md | 169 -- packages/azure_frontdoor/manifest.yml | 4 +- .../_dev/build/build.yml | 1 - .../azure_network_watcher_nsg/changelog.yml | 5 + .../data_stream/log/fields/beats.yml | 3 - .../azure_network_watcher_nsg/docs/README.md | 1 - .../azure_network_watcher_nsg/manifest.yml | 4 +- .../_dev/build/build.yml | 1 - .../azure_network_watcher_vnet/changelog.yml | 5 + .../data_stream/log/fields/beats.yml | 3 - .../azure_network_watcher_vnet/docs/README.md | 1 - .../azure_network_watcher_vnet/manifest.yml | 4 +- packages/barracuda/changelog.yml | 5 + .../barracuda/data_stream/waf/fields/ecs.yml | 275 -- packages/barracuda/docs/README.md | 150 - packages/barracuda/manifest.yml | 4 +- .../barracuda_cloudgen_firewall/changelog.yml | 5 + .../data_stream/log/fields/ecs.yml | 194 -- .../docs/README.md | 106 - .../barracuda_cloudgen_firewall/manifest.yml | 4 +- packages/bbot/_dev/build/build.yml | 1 - packages/bbot/changelog.yml | 5 + .../test-bbot-ndjson.log-expected.json | 20 +- 
.../elasticsearch/ingest_pipeline/default.yml | 2 +- .../data_stream/asm_intel/fields/beats.yml | 3 - .../bbot/data_stream/asm_intel/fields/ecs.yml | 16 - .../data_stream/asm_intel/fields/fields.yml | 9 +- .../data_stream/asm_intel/sample_event.json | 2 +- packages/bbot/docs/README.md | 12 +- ...-8abcb381-42b3-4d99-a177-c103255eedd9.json | 2528 ++++++++--------- ...-45ce1599-99e3-4c4e-9c1a-07254be0e274.json | 216 +- packages/bbot/manifest.yml | 4 +- packages/bitdefender/changelog.yml | 5 + .../push_configuration/fields/ecs.yml | 4 - .../push_notifications/fields/ecs.yml | 202 -- .../push_statistics/fields/ecs.yml | 4 - packages/bitdefender/docs/README.md | 123 - packages/bitdefender/manifest.yml | 4 +- packages/bitwarden/_dev/build/build.yml | 1 - packages/bitwarden/changelog.yml | 5 + .../data_stream/collection/fields/beats.yml | 3 - .../data_stream/event/fields/beats.yml | 3 - .../data_stream/group/fields/beats.yml | 3 - .../data_stream/member/fields/beats.yml | 3 - .../data_stream/policy/fields/beats.yml | 3 - packages/bitwarden/docs/README.md | 5 - packages/bitwarden/manifest.yml | 4 +- packages/box_events/changelog.yml | 5 + .../data_stream/events/fields/agent.yml | 57 - .../data_stream/events/fields/ecs.yml | 140 - packages/box_events/docs/README.md | 102 - packages/box_events/manifest.yml | 4 +- packages/carbon_black_cloud/changelog.yml | 5 + .../data_stream/alert/fields/agent.yml | 134 +- .../data_stream/alert/fields/ecs.yml | 36 - .../data_stream/alert_v7/fields/agent.yml | 134 +- .../data_stream/alert_v7/fields/ecs.yml | 58 - .../fields/agent.yml | 134 +- .../fields/ecs.yml | 14 - .../data_stream/audit/fields/agent.yml | 134 +- .../data_stream/audit/fields/ecs.yml | 24 - .../endpoint_event/fields/agent.yml | 134 +- .../data_stream/endpoint_event/fields/ecs.yml | 80 - .../watchlist_hit/fields/agent.yml | 134 +- .../data_stream/watchlist_hit/fields/ecs.yml | 46 - packages/carbon_black_cloud/docs/README.md | 276 -- packages/carbon_black_cloud/manifest.yml | 
4 +- packages/carbonblack_edr/changelog.yml | 5 + .../data_stream/log/fields/agent.yml | 75 +- .../data_stream/log/fields/beats.yml | 3 - .../data_stream/log/fields/ecs.yml | 112 - packages/carbonblack_edr/docs/README.md | 74 - packages/carbonblack_edr/manifest.yml | 4 +- packages/cel/changelog.yml | 5 + packages/cel/fields/input.yml | 9 - packages/cel/manifest.yml | 8 +- packages/cel/sample_event.json | 2 +- packages/cisa_kevs/changelog.yml | 7 +- .../data_stream/vulnerability/fields/ecs.yml | 24 - packages/cisa_kevs/docs/README.md | 13 - packages/cisa_kevs/manifest.yml | 4 +- packages/cisco_duo/changelog.yml | 5 + .../data_stream/admin/fields/agent.yml | 147 - .../data_stream/admin/fields/ecs.yml | 40 - .../data_stream/auth/fields/agent.yml | 147 - .../cisco_duo/data_stream/auth/fields/ecs.yml | 72 - .../offline_enrollment/fields/agent.yml | 147 - .../offline_enrollment/fields/ecs.yml | 14 - .../pipeline/test-summary.log-expected.json | 4 +- .../data_stream/summary/fields/agent.yml | 147 - .../data_stream/summary/fields/ecs.yml | 8 - .../data_stream/telephony/fields/agent.yml | 147 - .../data_stream/telephony/fields/ecs.yml | 10 - packages/cisco_duo/docs/README.md | 211 -- packages/cisco_duo/manifest.yml | 4 +- packages/cisco_meraki/changelog.yml | 5 + .../test/system/test-meraki-https-config.yml | 2 +- .../data_stream/events/fields/agent.yml | 139 +- .../data_stream/events/fields/base-fields.yml | 4 - .../data_stream/events/fields/ecs.yml | 246 -- .../log/_dev/test/system/test-udp-config.yml | 10 +- .../data_stream/log/fields/agent.yml | 139 +- .../data_stream/log/fields/base-fields.yml | 4 - .../data_stream/log/fields/ecs.yml | 296 -- packages/cisco_meraki/docs/README.md | 341 --- packages/cisco_meraki/manifest.yml | 4 +- packages/cisco_secure_endpoint/changelog.yml | 5 + .../data_stream/event/fields/agent.yml | 162 +- .../data_stream/event/fields/base-fields.yml | 4 - .../data_stream/event/fields/ecs.yml | 118 - packages/cisco_secure_endpoint/docs/README.md | 
92 - packages/cisco_secure_endpoint/manifest.yml | 4 +- packages/cisco_umbrella/changelog.yml | 5 + .../data_stream/log/fields/agent.yml | 139 +- .../data_stream/log/fields/base-fields.yml | 4 - .../data_stream/log/fields/ecs.yml | 216 -- packages/cisco_umbrella/docs/README.md | 139 - packages/cisco_umbrella/manifest.yml | 4 +- packages/cloudflare/changelog.yml | 5 + .../data_stream/audit/fields/agent.yml | 50 - .../data_stream/audit/fields/beats.yml | 3 - .../data_stream/audit/fields/ecs.yml | 50 - .../data_stream/logpull/fields/agent.yml | 93 +- .../data_stream/logpull/fields/beats.yml | 3 - .../data_stream/logpull/fields/ecs.yml | 222 -- packages/cloudflare/docs/README.md | 190 -- packages/cloudflare/manifest.yml | 4 +- packages/cloudflare_logpush/changelog.yml | 5 + .../access_request/fields/agent.yml | 147 - .../data_stream/access_request/fields/ecs.yml | 56 - .../data_stream/audit/fields/agent.yml | 147 - .../data_stream/audit/fields/ecs.yml | 32 - .../data_stream/casb/fields/agent.yml | 147 - .../data_stream/casb/fields/ecs.yml | 42 - .../device_posture/fields/agent.yml | 147 - .../data_stream/device_posture/fields/ecs.yml | 32 - .../data_stream/dns/fields/agent.yml | 147 - .../data_stream/dns/fields/ecs.yml | 22 - .../data_stream/dns_firewall/fields/agent.yml | 147 - .../data_stream/dns_firewall/fields/ecs.yml | 52 - .../firewall_event/fields/agent.yml | 147 - .../data_stream/firewall_event/fields/ecs.yml | 58 - .../data_stream/gateway_dns/fields/agent.yml | 147 - .../data_stream/gateway_dns/fields/ecs.yml | 111 - .../data_stream/gateway_http/fields/agent.yml | 147 - .../data_stream/gateway_http/fields/ecs.yml | 124 - .../gateway_network/fields/agent.yml | 147 - .../gateway_network/fields/ecs.yml | 94 - .../data_stream/http_request/fields/agent.yml | 147 - .../data_stream/http_request/fields/ecs.yml | 64 - .../data_stream/magic_ids/fields/agent.yml | 147 - .../data_stream/magic_ids/fields/ecs.yml | 82 - .../data_stream/nel_report/fields/agent.yml | 147 - 
.../data_stream/nel_report/fields/ecs.yml | 16 - .../network_analytics/fields/agent.yml | 147 - .../network_analytics/fields/ecs.yml | 40 - .../network_session/fields/agent.yml | 147 - .../network_session/fields/ecs.yml | 106 - .../sinkhole_http/fields/agent.yml | 147 - .../data_stream/sinkhole_http/fields/ecs.yml | 130 - .../spectrum_event/fields/agent.yml | 147 - .../data_stream/spectrum_event/fields/ecs.yml | 50 - .../workers_trace/fields/agent.yml | 147 - .../data_stream/workers_trace/fields/ecs.yml | 48 - packages/cloudflare_logpush/docs/README.md | 1082 ------- packages/cloudflare_logpush/manifest.yml | 4 +- packages/cribl/_dev/build/build.yml | 3 +- packages/cribl/changelog.yml | 5 + .../elasticsearch/ingest_pipeline/default.yml | 2 +- .../cribl/data_stream/logs/fields/ecs.yml | 4 - packages/cribl/manifest.yml | 2 +- packages/crowdstrike/_dev/build/build.yml | 1 - packages/crowdstrike/changelog.yml | 5 + .../data_stream/alert/fields/beats.yml | 3 - .../data_stream/falcon/fields/agent.yml | 159 +- .../data_stream/falcon/fields/beats.yml | 2 - .../data_stream/falcon/fields/ecs.yml | 166 -- .../data_stream/fdr/fields/ecs.yml | 242 -- .../data_stream/host/fields/beats.yml | 3 - packages/crowdstrike/docs/README.md | 254 -- packages/crowdstrike/manifest.yml | 4 +- packages/cyberark_pta/changelog.yml | 5 + .../data_stream/events/fields/ecs.yml | 38 - packages/cyberark_pta/docs/README.md | 21 - packages/cyberark_pta/manifest.yml | 4 +- packages/cyberarkpas/changelog.yml | 5 + ...lear-users-history-start.log-expected.json | 2 +- ...-clear-users-history-end.log-expected.json | 2 +- ...tor-dr-replication-start.log-expected.json | 2 +- ...nitor-dr-replication-end.log-expected.json | 2 +- ...7-monitor-fw-rules-start.log-expected.json | 2 +- ...358-monitor-fw-rules-end.log-expected.json | 2 +- ...ault-certificate-is-sha1.log-expected.json | 2 +- ...st-59-clear-safe-history.log-expected.json | 2 +- .../test-88-set-password.log-expected.json | 2 +- 
.../test-legacysyslog.log-expected.json | 2 +- .../_dev/test/system/test-logfile-config.yml | 2 +- .../_dev/test/system/test-tcp-config.yml | 2 +- .../_dev/test/system/test-tls-config.yml | 2 +- .../_dev/test/system/test-udp-config.yml | 10 +- .../data_stream/audit/fields/beats.yml | 3 - .../data_stream/audit/fields/ecs.yml | 114 - packages/cyberarkpas/docs/README.md | 66 - packages/cyberarkpas/manifest.yml | 4 +- packages/cybereason/_dev/build/build.yml | 1 - packages/cybereason/changelog.yml | 5 + .../logon_session/fields/beats.yml | 3 - .../malop_connection/fields/beats.yml | 3 - .../malop_process/fields/beats.yml | 3 - .../data_stream/malware/fields/beats.yml | 3 - .../data_stream/poll_malop/fields/beats.yml | 3 - .../suspicions_process/fields/beats.yml | 3 - packages/cybereason/docs/README.md | 6 - packages/cybereason/manifest.yml | 4 +- packages/cylance/changelog.yml | 5 + .../protect/fields/base-fields.yml | 14 - .../data_stream/protect/fields/ecs.yml | 216 -- packages/cylance/docs/README.md | 122 - packages/cylance/manifest.yml | 4 +- packages/darktrace/changelog.yml | 5 + .../ai_analyst_alert/fields/agent.yml | 128 - .../ai_analyst_alert/fields/ecs.yml | 64 - .../model_breach_alert/fields/agent.yml | 128 - .../model_breach_alert/fields/ecs.yml | 74 - .../system_status_alert/fields/agent.yml | 138 - .../system_status_alert/fields/ecs.yml | 48 - packages/darktrace/docs/README.md | 162 -- packages/darktrace/manifest.yml | 4 +- .../entityanalytics_ad/_dev/build/build.yml | 1 - packages/entityanalytics_ad/changelog.yml | 5 + .../user/_dev/test/pipeline/test-user.json | 11 +- .../data_stream/user/fields/beats.yml | 3 - .../data_stream/user/fields/fields.yml | 1 - packages/entityanalytics_ad/docs/README.md | 1 - packages/entityanalytics_ad/manifest.yml | 2 +- .../entityanalytics_okta/_dev/build/build.yml | 1 - packages/entityanalytics_okta/changelog.yml | 5 + .../data_stream/user/fields/beats.yml | 3 - packages/entityanalytics_okta/docs/README.md | 1 - 
packages/entityanalytics_okta/manifest.yml | 4 +- packages/eset_protect/changelog.yml | 5 + .../data_stream/detection/fields/beats.yml | 3 - .../data_stream/device_task/fields/beats.yml | 3 - .../data_stream/event/fields/beats.yml | 3 - packages/eset_protect/docs/README.md | 3 - packages/eset_protect/manifest.yml | 2 +- packages/f5_bigip/changelog.yml | 5 + .../f5_bigip/data_stream/log/fields/agent.yml | 147 - .../f5_bigip/data_stream/log/fields/ecs.yml | 114 - packages/f5_bigip/docs/README.md | 89 - packages/f5_bigip/manifest.yml | 4 +- packages/fireeye/changelog.yml | 5 + .../fireeye/data_stream/nx/fields/agent.yml | 143 - .../fireeye/data_stream/nx/fields/ecs.yml | 156 - packages/fireeye/docs/README.md | 110 - packages/fireeye/manifest.yml | 4 +- packages/forcepoint_web/changelog.yml | 5 + .../data_stream/logs/fields/ecs.yml | 220 -- packages/forcepoint_web/docs/README.md | 117 - packages/forcepoint_web/manifest.yml | 4 +- packages/forgerock/changelog.yml | 5 + .../am_access/fields/base-fields.yml | 6 - .../data_stream/am_access/fields/ecs.yml | 38 - .../am_activity/fields/base-fields.yml | 6 - .../data_stream/am_activity/fields/ecs.yml | 20 - .../am_authentication/fields/base-fields.yml | 6 - .../am_authentication/fields/ecs.yml | 16 - .../am_config/fields/base-fields.yml | 6 - .../data_stream/am_config/fields/ecs.yml | 18 - .../am_core/fields/base-fields.yml | 6 - .../data_stream/am_core/fields/ecs.yml | 18 - .../idm_access/fields/base-fields.yml | 6 - .../data_stream/idm_access/fields/ecs.yml | 20 - .../idm_activity/fields/base-fields.yml | 6 - .../data_stream/idm_activity/fields/ecs.yml | 14 - .../idm_authentication/fields/base-fields.yml | 6 - .../idm_authentication/fields/ecs.yml | 12 - .../idm_config/fields/base-fields.yml | 6 - .../data_stream/idm_config/fields/ecs.yml | 14 - .../idm_core/fields/base-fields.yml | 6 - .../data_stream/idm_core/fields/ecs.yml | 6 - .../idm_sync/fields/base-fields.yml | 6 - .../data_stream/idm_sync/fields/ecs.yml | 14 - 
packages/forgerock/docs/README.md | 120 - packages/forgerock/manifest.yml | 4 +- packages/gcp_pubsub/changelog.yml | 5 + packages/gcp_pubsub/fields/agent.yml | 167 +- packages/gcp_pubsub/fields/ecs.yml | 10 - packages/gcp_pubsub/manifest.yml | 5 +- packages/gcp_pubsub/sample_event.json | 2 +- packages/github/changelog.yml | 5 + .../github/data_stream/audit/fields/agent.yml | 93 +- .../github/data_stream/audit/fields/ecs.yml | 54 - .../code_scanning/fields/agent.yml | 93 +- .../data_stream/code_scanning/fields/ecs.yml | 20 - .../data_stream/dependabot/fields/agent.yml | 93 +- .../data_stream/dependabot/fields/ecs.yml | 36 - .../data_stream/issues/fields/agent.yml | 93 +- .../github/data_stream/issues/fields/ecs.yml | 22 - .../secret_scanning/fields/agent.yml | 93 +- .../secret_scanning/fields/ecs.yml | 10 - packages/github/docs/README.md | 148 - packages/github/manifest.yml | 4 +- packages/gitlab/changelog.yml | 5 + .../gitlab/data_stream/api/fields/agent.yml | 11 - .../data_stream/production/fields/agent.yml | 11 - packages/gitlab/docs/README.md | 2 - packages/gitlab/manifest.yml | 2 +- .../google_cloud_storage/_dev/build/build.yml | 1 - packages/google_cloud_storage/changelog.yml | 5 + .../google_cloud_storage/fields/agent.yml | 3 - .../google_cloud_storage/fields/beats.yml | 3 - packages/google_cloud_storage/manifest.yml | 6 +- .../google_cloud_storage/sample_event.json | 2 +- packages/google_scc/_dev/build/build.yml | 1 - packages/google_scc/changelog.yml | 5 + .../data_stream/asset/fields/beats.yml | 3 - .../data_stream/audit/fields/beats.yml | 3 - .../data_stream/finding/fields/beats.yml | 3 - .../data_stream/source/fields/beats.yml | 3 - packages/google_scc/docs/README.md | 4 - packages/google_scc/manifest.yml | 4 +- .../google_workspace/_dev/build/build.yml | 1 - packages/google_workspace/changelog.yml | 5 + .../access_transparency/fields/beats.yml | 3 - .../data_stream/admin/fields/beats.yml | 3 - .../data_stream/alert/fields/beats.yml | 3 - 
.../context_aware_access/fields/beats.yml | 3 - .../data_stream/device/fields/beats.yml | 3 - .../data_stream/drive/fields/beats.yml | 3 - .../data_stream/gcp/fields/beats.yml | 3 - .../group_enterprise/fields/beats.yml | 3 - .../data_stream/groups/fields/beats.yml | 3 - .../data_stream/login/fields/beats.yml | 3 - .../data_stream/rules/fields/beats.yml | 3 - .../data_stream/saml/fields/beats.yml | 3 - .../data_stream/token/fields/beats.yml | 3 - .../user_accounts/fields/beats.yml | 3 - packages/google_workspace/docs/README.md | 14 - packages/google_workspace/manifest.yml | 4 +- packages/http_endpoint/changelog.yml | 5 + packages/http_endpoint/fields/agent.yml | 3 - packages/http_endpoint/fields/beats.yml | 3 - packages/http_endpoint/fields/ecs.yml | 12 - packages/http_endpoint/manifest.yml | 2 +- packages/http_endpoint/sample_event.json | 2 +- packages/httpjson/changelog.yml | 5 + .../data_stream/generic/fields/beats.yml | 3 - .../data_stream/generic/fields/ecs.yml | 6 - packages/httpjson/manifest.yml | 4 +- packages/imperva_cloud_waf/changelog.yml | 5 + .../_dev/test/pipeline/test-common-config.yml | 1 - .../data_stream/event/fields/beats.yml | 3 - packages/imperva_cloud_waf/docs/README.md | 1 - packages/imperva_cloud_waf/manifest.yml | 2 +- packages/infoblox_bloxone_ddi/changelog.yml | 5 + .../data_stream/dhcp_lease/fields/agent.yml | 137 - .../data_stream/dhcp_lease/fields/ecs.yml | 30 - .../data_stream/dns_config/fields/agent.yml | 147 - .../data_stream/dns_config/fields/ecs.yml | 22 - .../data_stream/dns_data/fields/agent.yml | 147 - .../data_stream/dns_data/fields/ecs.yml | 37 - packages/infoblox_bloxone_ddi/docs/README.md | 120 - packages/infoblox_bloxone_ddi/manifest.yml | 4 +- packages/infoblox_nios/changelog.yml | 5 + .../data_stream/log/fields/agent.yml | 143 - .../data_stream/log/fields/ecs.yml | 90 - packages/infoblox_nios/docs/README.md | 72 - packages/infoblox_nios/manifest.yml | 4 +- .../jamf_compliance_reporter/changelog.yml | 5 + 
.../data_stream/log/fields/agent.yml | 147 - .../data_stream/log/fields/ecs.yml | 78 - .../jamf_compliance_reporter/docs/README.md | 71 - .../jamf_compliance_reporter/manifest.yml | 4 +- packages/jamf_protect/changelog.yml | 5 + .../data_stream/alerts/fields/agent.yml | 147 - .../data_stream/alerts/fields/ecs.yml | 232 -- .../data_stream/telemetry/fields/agent.yml | 147 - .../data_stream/telemetry/fields/ecs.yml | 256 -- .../telemetry_legacy/fields/agent.yml | 147 - .../telemetry_legacy/fields/ecs.yml | 84 - .../web_threat_events/fields/agent.yml | 147 - .../web_threat_events/fields/ecs.yml | 214 -- .../web_traffic_events/fields/agent.yml | 147 - .../web_traffic_events/fields/ecs.yml | 166 -- packages/jamf_protect/docs/README.md | 573 ---- packages/jamf_protect/manifest.yml | 4 +- packages/jumpcloud/changelog.yml | 5 + .../data_stream/events/fields/ecs.yml | 122 - packages/jumpcloud/docs/README.md | 68 - packages/jumpcloud/manifest.yml | 4 +- packages/keycloak/changelog.yml | 5 + .../keycloak/data_stream/log/fields/agent.yml | 167 +- .../keycloak/data_stream/log/fields/beats.yml | 3 - .../keycloak/data_stream/log/fields/ecs.yml | 86 - .../keycloak/data_stream/log/manifest.yml | 2 +- packages/keycloak/docs/README.md | 73 - packages/keycloak/manifest.yml | 4 +- packages/lastpass/changelog.yml | 5 + .../detailed_shared_folder/fields/agent.yml | 147 - .../detailed_shared_folder/fields/ecs.yml | 16 - .../data_stream/event_report/fields/agent.yml | 147 - .../data_stream/event_report/fields/ecs.yml | 34 - .../data_stream/user/fields/agent.yml | 147 - .../lastpass/data_stream/user/fields/ecs.yml | 24 - packages/lastpass/docs/README.md | 116 - packages/lastpass/manifest.yml | 4 +- packages/lumos/changelog.yml | 5 + .../data_stream/activity_logs/fields/ecs.yml | 4 - .../activity_logs/fields/fields.yml | 12 - packages/lumos/docs/README.md | 6 - packages/lumos/manifest.yml | 4 +- packages/lyve_cloud/changelog.yml | 5 + .../data_stream/audit/fields/agent.yml | 167 +- 
.../data_stream/audit/fields/ecs.yml | 76 - packages/lyve_cloud/docs/README.md | 70 - packages/lyve_cloud/manifest.yml | 4 +- packages/m365_defender/_dev/build/build.yml | 1 - packages/m365_defender/changelog.yml | 5 + .../data_stream/alert/fields/beats.yml | 3 - .../pipeline/test-device.log-expected.json | 2 + .../data_stream/event/fields/agent.yml | 147 - .../data_stream/event/fields/ecs.yml | 306 -- .../data_stream/incident/fields/agent.yml | 147 - .../data_stream/incident/fields/ecs.yml | 104 - .../data_stream/log/fields/agent.yml | 167 +- .../data_stream/log/fields/ecs.yml | 90 - packages/m365_defender/docs/README.md | 356 --- packages/m365_defender/manifest.yml | 4 +- packages/mattermost/changelog.yml | 5 + .../data_stream/audit/fields/agent.yml | 167 +- .../data_stream/audit/fields/beats.yml | 3 - .../data_stream/audit/fields/ecs.yml | 74 - packages/mattermost/docs/README.md | 71 - packages/mattermost/manifest.yml | 4 +- packages/menlo/changelog.yml | 5 + .../menlo/data_stream/dlp/fields/agent.yml | 138 - packages/menlo/data_stream/dlp/fields/ecs.yml | 54 - .../menlo/data_stream/web/fields/agent.yml | 138 - packages/menlo/data_stream/web/fields/ecs.yml | 104 - packages/menlo/docs/README.md | 134 - packages/menlo/manifest.yml | 2 +- .../_dev/build/build.yml | 1 - .../microsoft_defender_cloud/changelog.yml | 5 + .../data_stream/event/fields/beats.yml | 3 - .../microsoft_defender_cloud/docs/README.md | 1 - .../microsoft_defender_cloud/manifest.yml | 4 +- .../microsoft_defender_endpoint/changelog.yml | 5 + .../data_stream/log/fields/agent.yml | 167 +- .../data_stream/log/fields/ecs.yml | 92 - .../docs/README.md | 76 - .../microsoft_defender_endpoint/manifest.yml | 4 +- .../changelog.yml | 5 + .../data_stream/log/fields/ecs.yml | 114 - .../docs/README.md | 61 - .../manifest.yml | 4 +- packages/mimecast/changelog.yml | 5 + .../archive_search_logs/fields/agent.yml | 151 - .../archive_search_logs/fields/ecs.yml | 22 - .../data_stream/audit_events/fields/agent.yml | 
167 +- .../data_stream/audit_events/fields/ecs.yml | 58 - .../data_stream/dlp_logs/fields/agent.yml | 167 +- .../data_stream/dlp_logs/fields/ecs.yml | 22 - .../data_stream/siem_logs/fields/agent.yml | 167 +- .../data_stream/siem_logs/fields/ecs.yml | 82 - .../fields/agent.yml | 167 +- .../fields/ecs.yml | 30 - .../fields/agent.yml | 167 +- .../threat_intel_malware_grid/fields/ecs.yml | 30 - .../data_stream/ttp_ap_logs/fields/agent.yml | 167 +- .../data_stream/ttp_ap_logs/fields/ecs.yml | 32 - .../data_stream/ttp_ip_logs/fields/agent.yml | 167 +- .../data_stream/ttp_ip_logs/fields/ecs.yml | 28 - .../data_stream/ttp_url_logs/fields/agent.yml | 167 +- .../data_stream/ttp_url_logs/fields/ecs.yml | 32 - packages/mimecast/docs/README.md | 414 --- packages/mimecast/manifest.yml | 4 +- packages/netskope/changelog.yml | 5 + .../_dev/test/pipeline/test-common-config.yml | 1 - .../data_stream/alerts/fields/agent.yml | 127 - .../data_stream/alerts/fields/ecs.yml | 106 - .../_dev/test/pipeline/test-common-config.yml | 1 - .../data_stream/events/fields/agent.yml | 140 - .../data_stream/events/fields/ecs.yml | 128 - packages/netskope/docs/README.md | 178 -- packages/netskope/manifest.yml | 4 +- packages/o365/changelog.yml | 5 + .../o365/data_stream/audit/fields/agent.yml | 152 +- .../o365/data_stream/audit/fields/beats.yml | 3 - .../o365/data_stream/audit/fields/ecs.yml | 156 - packages/o365/docs/README.md | 116 - packages/o365/manifest.yml | 4 +- packages/okta/changelog.yml | 5 + .../okta/data_stream/system/fields/agent.yml | 164 +- .../okta/data_stream/system/fields/beats.yml | 3 - .../okta/data_stream/system/fields/ecs.yml | 144 - packages/okta/docs/README.md | 113 - packages/okta/manifest.yml | 2 +- packages/opencanary/changelog.yml | 5 + .../pipeline/test-events.log-expected.json | 2 +- .../data_stream/events/fields/agent.yml | 167 +- .../data_stream/events/fields/ecs.yml | 327 --- packages/opencanary/docs/README.md | 203 -- packages/opencanary/manifest.yml | 4 +- 
packages/panw_cortex_xdr/changelog.yml | 5 + .../data_stream/alerts/fields/agent.yml | 139 +- .../data_stream/alerts/fields/beats.yml | 3 - .../data_stream/alerts/fields/ecs.yml | 156 - .../data_stream/incidents/fields/agent.yml | 139 +- .../data_stream/incidents/fields/beats.yml | 3 - .../data_stream/incidents/fields/ecs.yml | 32 - packages/panw_cortex_xdr/docs/README.md | 162 -- packages/panw_cortex_xdr/manifest.yml | 4 +- packages/ping_one/changelog.yml | 5 + .../data_stream/audit/fields/agent.yml | 147 - .../ping_one/data_stream/audit/fields/ecs.yml | 38 - packages/ping_one/docs/README.md | 48 - packages/ping_one/manifest.yml | 4 +- packages/pps/changelog.yml | 5 + packages/pps/data_stream/log/fields/ecs.yml | 20 - packages/pps/docs/README.md | 11 - packages/pps/manifest.yml | 4 +- packages/prisma_cloud/_dev/build/build.yml | 1 - packages/prisma_cloud/changelog.yml | 5 + .../data_stream/alert/fields/beats.yml | 3 - .../data_stream/audit/fields/beats.yml | 3 - .../data_stream/host/fields/beats.yml | 3 - .../data_stream/host_profile/fields/beats.yml | 3 - .../incident_audit/fields/beats.yml | 3 - packages/prisma_cloud/docs/README.md | 5 - packages/prisma_cloud/manifest.yml | 4 +- packages/proofpoint_tap/changelog.yml | 5 + .../clicks_blocked/fields/agent.yml | 147 - .../data_stream/clicks_blocked/fields/ecs.yml | 84 - .../data_stream/clicks_blocked/manifest.yml | 10 +- .../clicks_permitted/fields/agent.yml | 147 - .../clicks_permitted/fields/ecs.yml | 84 - .../data_stream/clicks_permitted/manifest.yml | 9 +- .../message_blocked/fields/agent.yml | 147 - .../message_blocked/fields/ecs.yml | 72 - .../data_stream/message_blocked/manifest.yml | 10 +- .../message_delivered/fields/agent.yml | 147 - .../message_delivered/fields/ecs.yml | 72 - .../message_delivered/manifest.yml | 10 +- packages/proofpoint_tap/docs/README.md | 276 -- packages/proofpoint_tap/manifest.yml | 4 +- packages/pulse_connect_secure/changelog.yml | 5 + .../data_stream/log/fields/agent.yml | 147 - 
.../data_stream/log/fields/ecs.yml | 90 - packages/pulse_connect_secure/docs/README.md | 77 - packages/pulse_connect_secure/manifest.yml | 4 +- packages/qualys_vmdr/_dev/build/build.yml | 1 - packages/qualys_vmdr/changelog.yml | 5 + .../asset_host_detection/fields/beats.yml | 3 - .../knowledge_base/fields/beats.yml | 3 - .../data_stream/user_activity/fields/ecs.yml | 32 - packages/qualys_vmdr/docs/README.md | 20 - packages/qualys_vmdr/manifest.yml | 4 +- .../rapid7_insightvm/_dev/build/build.yml | 1 - packages/rapid7_insightvm/changelog.yml | 5 + .../data_stream/asset/fields/beats.yml | 3 - .../vulnerability/fields/beats.yml | 3 - packages/rapid7_insightvm/docs/README.md | 2 - packages/rapid7_insightvm/manifest.yml | 4 +- packages/santa/changelog.yml | 5 + .../santa/data_stream/log/fields/agent.yml | 167 +- packages/santa/data_stream/log/fields/ecs.yml | 46 - packages/santa/docs/README.md | 54 - packages/santa/manifest.yml | 4 +- .../_dev/deploy/docker/files/config.yml | 4 +- packages/sentinel_one/changelog.yml | 5 + .../data_stream/activity/fields/agent.yml | 147 - .../data_stream/activity/fields/ecs.yml | 60 - .../data_stream/agent/fields/agent.yml | 147 - .../data_stream/agent/fields/ecs.yml | 44 - .../data_stream/alert/fields/agent.yml | 147 - .../data_stream/alert/fields/ecs.yml | 116 - .../data_stream/group/fields/agent.yml | 147 - .../data_stream/group/fields/ecs.yml | 24 - .../data_stream/threat/fields/agent.yml | 147 - .../data_stream/threat/fields/ecs.yml | 72 - packages/sentinel_one/docs/README.md | 305 -- packages/sentinel_one/manifest.yml | 4 +- .../sentinel_one_cloud_funnel/changelog.yml | 5 + .../data_stream/event/fields/beats.yml | 3 - .../sentinel_one_cloud_funnel/docs/README.md | 1 - .../sentinel_one_cloud_funnel/manifest.yml | 2 +- packages/slack/changelog.yml | 5 + .../slack/data_stream/audit/fields/agent.yml | 50 - .../slack/data_stream/audit/fields/beats.yml | 3 - .../slack/data_stream/audit/fields/ecs.yml | 72 - packages/slack/docs/README.md 
| 68 - packages/slack/manifest.yml | 4 +- .../snyk/_dev/deploy/docker/files/config.yml | 2 - packages/snyk/changelog.yml | 5 + .../snyk/data_stream/audit/fields/agent.yml | 93 +- .../snyk/data_stream/audit/fields/beats.yml | 3 - .../snyk/data_stream/audit/fields/ecs.yml | 14 - .../_dev/test/pipeline/test-snyk-audit.json | 124 +- .../test-snyk-audit.json-expected.json | 40 +- .../elasticsearch/ingest_pipeline/default.yml | 2 +- .../data_stream/audit_logs/fields/agent.yml | 93 +- .../data_stream/audit_logs/fields/beats.yml | 3 - .../data_stream/audit_logs/fields/ecs.yml | 28 - .../data_stream/audit_logs/sample_event.json | 2 +- .../snyk/data_stream/issues/fields/agent.yml | 93 +- .../snyk/data_stream/issues/fields/beats.yml | 3 - .../snyk/data_stream/issues/fields/ecs.yml | 34 - .../vulnerabilities/fields/agent.yml | 93 +- .../vulnerabilities/fields/beats.yml | 3 - .../vulnerabilities/fields/ecs.yml | 32 - packages/snyk/docs/README.md | 117 +- packages/snyk/manifest.yml | 4 +- packages/sophos_central/_dev/build/build.yml | 1 - packages/sophos_central/changelog.yml | 5 + .../data_stream/alert/fields/beats.yml | 3 - .../data_stream/event/fields/beats.yml | 3 - packages/sophos_central/docs/README.md | 2 - packages/sophos_central/manifest.yml | 4 +- .../symantec_edr_cloud/_dev/build/build.yml | 1 - packages/symantec_edr_cloud/changelog.yml | 5 + .../data_stream/incident/fields/beats.yml | 3 - packages/symantec_edr_cloud/docs/README.md | 1 - packages/symantec_edr_cloud/manifest.yml | 4 +- packages/symantec_endpoint/changelog.yml | 5 + .../pipeline/test-rfc3164.log-expected.json | 2 +- .../data_stream/log/fields/agent.yml | 164 +- .../data_stream/log/fields/ecs.yml | 158 -- packages/symantec_endpoint/docs/README.md | 113 - packages/symantec_endpoint/manifest.yml | 4 +- .../_dev/build/build.yml | 1 - .../symantec_endpoint_security/changelog.yml | 5 + .../data_stream/event/fields/beats.yml | 3 - .../symantec_endpoint_security/docs/README.md | 1 - 
.../symantec_endpoint_security/manifest.yml | 4 +- packages/tanium/_dev/build/build.yml | 1 - packages/tanium/changelog.yml | 5 + .../action_history/fields/beats.yml | 3 - .../client_status/fields/beats.yml | 3 - .../data_stream/discover/fields/beats.yml | 3 - .../endpoint_config/fields/beats.yml | 3 - .../data_stream/reporting/fields/beats.yml | 3 - .../threat_response/fields/beats.yml | 3 - packages/tanium/docs/README.md | 6 - packages/tanium/manifest.yml | 4 +- packages/tenable_io/changelog.yml | 5 + .../data_stream/asset/fields/agent.yml | 167 +- .../data_stream/asset/fields/ecs.yml | 20 - .../asset/fields/overridden-ecs.yml | 4 - .../data_stream/plugin/fields/agent.yml | 167 +- .../data_stream/plugin/fields/ecs.yml | 22 - .../plugin/fields/overridden-ecs.yml | 4 - .../data_stream/scan/fields/agent.yml | 167 +- .../data_stream/scan/fields/ecs.yml | 18 - .../scan/fields/overridden-ecs.yml | 4 - .../vulnerability/fields/agent.yml | 167 +- .../data_stream/vulnerability/fields/ecs.yml | 40 - .../vulnerability/fields/overridden-ecs.yml | 4 - packages/tenable_io/docs/README.md | 158 -- packages/tenable_io/manifest.yml | 4 +- packages/tenable_sc/changelog.yml | 5 + .../data_stream/asset/fields/agent.yml | 147 - .../data_stream/asset/fields/ecs.yml | 16 - .../data_stream/plugin/fields/agent.yml | 147 - .../data_stream/plugin/fields/ecs.yml | 14 - .../vulnerability/fields/agent.yml | 147 - .../data_stream/vulnerability/fields/ecs.yml | 42 - packages/tenable_sc/docs/README.md | 115 - packages/tenable_sc/manifest.yml | 4 +- packages/thycotic_ss/changelog.yml | 5 + .../data_stream/logs/fields/ecs.yml | 88 - packages/thycotic_ss/docs/README.md | 47 - packages/thycotic_ss/manifest.yml | 4 +- packages/ti_abusech/changelog.yml | 5 + .../data_stream/malware/fields/agent.yml | 167 +- .../data_stream/malware/fields/beats.yml | 3 - .../data_stream/malware/fields/ecs.yml | 47 - .../malwarebazaar/fields/agent.yml | 167 +- .../malwarebazaar/fields/beats.yml | 3 - 
.../data_stream/malwarebazaar/fields/ecs.yml | 78 - .../data_stream/threatfox/fields/agent.yml | 167 +- .../data_stream/threatfox/fields/beats.yml | 3 - .../data_stream/threatfox/fields/ecs.yml | 88 - .../test-abusechurl-dump.log-expected.json | 8 +- .../data_stream/url/fields/agent.yml | 167 +- .../data_stream/url/fields/beats.yml | 3 - .../ti_abusech/data_stream/url/fields/ecs.yml | 54 - packages/ti_abusech/docs/README.md | 243 -- .../transform/latest_malware/fields/ecs.yml | 2 +- .../latest_malwarebazaar/fields/ecs.yml | 2 +- .../transform/latest_url/fields/ecs.yml | 2 +- packages/ti_abusech/manifest.yml | 4 +- packages/ti_anomali/changelog.yml | 5 + .../data_stream/threatstream/fields/agent.yml | 167 +- .../data_stream/threatstream/fields/beats.yml | 3 - .../data_stream/threatstream/fields/ecs.yml | 72 - packages/ti_anomali/docs/README.md | 66 - packages/ti_anomali/manifest.yml | 4 +- packages/ti_cif3/changelog.yml | 5 + .../ti_cif3/data_stream/feed/fields/beats.yml | 3 - .../ti_cif3/data_stream/feed/fields/ecs.yml | 102 - packages/ti_cif3/docs/README.md | 55 - packages/ti_cif3/manifest.yml | 4 +- packages/ti_crowdstrike/changelog.yml | 5 + .../_dev/test/pipeline/test-common-config.yml | 1 - .../data_stream/intel/fields/beats.yml | 3 - .../data_stream/ioc/fields/beats.yml | 3 - packages/ti_crowdstrike/docs/README.md | 2 - .../transform/latest_intel/fields/ecs.yml | 2 +- .../transform/latest_ioc/fields/ecs.yml | 2 +- packages/ti_crowdstrike/manifest.yml | 2 +- packages/ti_cybersixgill/changelog.yml | 5 + .../data_stream/threat/fields/agent.yml | 167 +- .../data_stream/threat/fields/ecs.yml | 69 - packages/ti_cybersixgill/docs/README.md | 61 - .../transform/latest_ioc/fields/ecs.yml | 2 +- packages/ti_cybersixgill/manifest.yml | 4 +- packages/ti_eclecticiq/_dev/build/build.yml | 2 +- packages/ti_eclecticiq/changelog.yml | 5 + ...est-outgoing-feed-event.json-expected.json | 54 +- .../elasticsearch/ingest_pipeline/default.yml | 2 +- 
.../data_stream/threat/fields/ecs.yml | 96 - .../data_stream/threat/sample_event.json | 4 +- packages/ti_eclecticiq/docs/README.md | 58 +- .../transform/latest_ioc/fields/ecs.yml | 2 +- packages/ti_eclecticiq/manifest.yml | 4 +- packages/ti_eset/changelog.yml | 5 + .../ti_eset/data_stream/apt/fields/agent.yml | 167 +- .../ti_eset/data_stream/apt/fields/ecs.yml | 92 - .../data_stream/botnet/fields/agent.yml | 167 +- .../ti_eset/data_stream/botnet/fields/ecs.yml | 42 - .../ti_eset/data_stream/cc/fields/agent.yml | 167 +- .../ti_eset/data_stream/cc/fields/ecs.yml | 36 - .../data_stream/domains/fields/agent.yml | 167 +- .../data_stream/domains/fields/ecs.yml | 38 - .../data_stream/files/fields/agent.yml | 167 +- .../ti_eset/data_stream/files/fields/ecs.yml | 42 - .../ti_eset/data_stream/ip/fields/agent.yml | 167 +- .../ti_eset/data_stream/ip/fields/ecs.yml | 40 - .../ti_eset/data_stream/url/fields/agent.yml | 167 +- .../ti_eset/data_stream/url/fields/ecs.yml | 36 - packages/ti_eset/docs/README.md | 352 --- packages/ti_eset/manifest.yml | 4 +- packages/ti_maltiverse/changelog.yml | 5 + .../data_stream/indicator/fields/ecs.yml | 88 - packages/ti_maltiverse/docs/README.md | 47 - packages/ti_maltiverse/manifest.yml | 4 +- .../_dev/build/build.yml | 2 +- packages/ti_mandiant_advantage/changelog.yml | 5 + .../threat_intelligence/fields/ecs.yml | 161 -- .../threat_intelligence/sample_event.json | 4 +- packages/ti_mandiant_advantage/docs/README.md | 87 +- packages/ti_mandiant_advantage/manifest.yml | 4 +- packages/ti_misp/changelog.yml | 5 + .../data_stream/threat/fields/agent.yml | 167 +- .../data_stream/threat/fields/beats.yml | 3 - .../ti_misp/data_stream/threat/fields/ecs.yml | 76 - .../threat_attributes/fields/agent.yml | 167 +- .../threat_attributes/fields/beats.yml | 3 - .../threat_attributes/fields/ecs.yml | 80 - packages/ti_misp/docs/README.md | 136 - packages/ti_misp/manifest.yml | 4 +- packages/ti_opencti/_dev/build/build.yml | 1 - packages/ti_opencti/changelog.yml 
| 5 + .../data_stream/indicator/fields/ecs.yml | 166 -- packages/ti_opencti/docs/README.md | 84 - packages/ti_opencti/manifest.yml | 4 +- packages/ti_otx/changelog.yml | 5 + .../pulses_subscribed/fields/agent.yml | 50 - .../pulses_subscribed/fields/beats.yml | 3 - .../pulses_subscribed/fields/ecs.yml | 58 - .../data_stream/threat/fields/agent.yml | 167 +- .../data_stream/threat/fields/beats.yml | 3 - .../ti_otx/data_stream/threat/fields/ecs.yml | 58 - packages/ti_otx/docs/README.md | 116 - packages/ti_otx/manifest.yml | 4 +- .../ti_rapid7_threat_command/changelog.yml | 5 + .../data_stream/alert/fields/agent.yml | 147 - .../data_stream/alert/fields/ecs.yml | 20 - .../data_stream/ioc/fields/agent.yml | 147 - .../data_stream/ioc/fields/ecs.yml | 103 - .../vulnerability/fields/agent.yml | 147 - .../data_stream/vulnerability/fields/ecs.yml | 32 - .../vulnerability/fields/overridden-ecs.yml | 4 - .../ti_rapid7_threat_command/docs/README.md | 158 -- .../ti_rapid7_threat_command/manifest.yml | 4 +- packages/ti_recordedfuture/changelog.yml | 5 + .../data_stream/threat/fields/agent.yml | 167 +- .../data_stream/threat/fields/beats.yml | 3 - .../data_stream/threat/fields/ecs.yml | 76 - packages/ti_recordedfuture/docs/README.md | 68 - packages/ti_recordedfuture/manifest.yml | 4 +- .../ti_threatconnect/_dev/build/build.yml | 1 - packages/ti_threatconnect/changelog.yml | 5 + .../data_stream/indicator/fields/beats.yml | 3 - packages/ti_threatconnect/docs/README.md | 1 - packages/ti_threatconnect/manifest.yml | 4 +- packages/ti_threatq/changelog.yml | 5 + .../data_stream/threat/fields/agent.yml | 167 +- .../data_stream/threat/fields/beats.yml | 3 - .../data_stream/threat/fields/ecs.yml | 66 - packages/ti_threatq/docs/README.md | 62 - .../transform/latest_ioc/fields/ecs.yml | 1 - packages/ti_threatq/manifest.yml | 4 +- packages/ti_util/changelog.yml | 5 + packages/ti_util/manifest.yml | 4 +- packages/ti_util/validation.yml | 6 +- packages/tines/changelog.yml | 5 + 
.../data_stream/audit_logs/fields/ecs.yml | 110 - .../data_stream/time_saved/fields/ecs.yml | 110 - packages/tines/docs/README.md | 124 - packages/tines/manifest.yml | 4 +- .../trellix_edr_cloud/_dev/build/build.yml | 1 - packages/trellix_edr_cloud/changelog.yml | 5 + .../data_stream/event/fields/beats.yml | 3 - packages/trellix_edr_cloud/docs/README.md | 1 - packages/trellix_edr_cloud/manifest.yml | 4 +- .../trellix_epo_cloud/_dev/build/build.yml | 1 - packages/trellix_epo_cloud/changelog.yml | 5 + .../data_stream/device/fields/beats.yml | 3 - .../data_stream/event/fields/beats.yml | 3 - .../data_stream/group/fields/beats.yml | 3 - packages/trellix_epo_cloud/docs/README.md | 3 - packages/trellix_epo_cloud/manifest.yml | 4 +- packages/trend_micro_vision_one/changelog.yml | 5 + .../data_stream/alert/fields/agent.yml | 167 +- .../data_stream/alert/fields/ecs.yml | 34 - .../data_stream/audit/fields/agent.yml | 167 +- .../data_stream/audit/fields/ecs.yml | 20 - .../data_stream/detection/fields/agent.yml | 167 +- .../data_stream/detection/fields/ecs.yml | 90 - .../trend_micro_vision_one/docs/README.md | 159 -- packages/trend_micro_vision_one/manifest.yml | 4 +- packages/trendmicro/_dev/build/build.yml | 1 - packages/trendmicro/changelog.yml | 5 + .../deep_security/fields/beats.yml | 3 - packages/trendmicro/docs/README.md | 1 - packages/trendmicro/manifest.yml | 4 +- packages/vectra_detect/_dev/build/build.yml | 1 - packages/vectra_detect/changelog.yml | 5 + .../_dev/test/pipeline/test-common-config.yml | 2 +- .../log/_dev/test/system/test-tcp-config.yml | 2 +- .../log/_dev/test/system/test-tls-config.yml | 2 +- .../log/_dev/test/system/test-udp-config.yml | 2 +- .../data_stream/log/fields/beats.yml | 3 - packages/vectra_detect/docs/README.md | 1 - packages/vectra_detect/manifest.yml | 4 +- packages/wiz/_dev/build/build.yml | 1 - packages/wiz/changelog.yml | 5 + .../wiz/data_stream/audit/fields/beats.yml | 3 - .../pipeline/test-issue.log-expected.json | 4 +- 
.../wiz/data_stream/issue/fields/beats.yml | 3 - .../test-vulnerability.log-expected.json | 6 +- .../vulnerability/fields/beats.yml | 3 - packages/wiz/docs/README.md | 3 - packages/wiz/manifest.yml | 4 +- packages/zerofox/changelog.yml | 5 + .../data_stream/alerts/fields/agent.yml | 167 +- .../data_stream/alerts/fields/base-fields.yml | 5 - .../zerofox/data_stream/alerts/fields/ecs.yml | 32 - packages/zerofox/docs/README.md | 44 - packages/zerofox/manifest.yml | 4 +- packages/zeronetworks/changelog.yml | 5 + .../data_stream/audit/fields/agent.yml | 50 - .../data_stream/audit/fields/ecs.yml | 24 - .../data_stream/audit/fields/fields.yml | 15 +- packages/zeronetworks/manifest.yml | 5 +- packages/zoom/changelog.yml | 5 + .../zoom/data_stream/webhook/fields/agent.yml | 167 +- .../zoom/data_stream/webhook/fields/ecs.yml | 78 - packages/zoom/docs/README.md | 72 - packages/zoom/manifest.yml | 4 +- packages/zscaler_zia/_dev/build/build.yml | 1 - packages/zscaler_zia/changelog.yml | 5 + .../data_stream/alerts/fields/beats.yml | 3 - .../data_stream/dns/fields/beats.yml | 3 - .../data_stream/firewall/fields/beats.yml | 3 - .../data_stream/tunnel/fields/beats.yml | 3 - .../data_stream/web/fields/beats.yml | 3 - packages/zscaler_zia/docs/README.md | 5 - packages/zscaler_zia/manifest.yml | 4 +- packages/zscaler_zpa/_dev/build/build.yml | 1 - packages/zscaler_zpa/changelog.yml | 5 + .../app_connector_status/fields/beats.yml | 3 - .../data_stream/audit/fields/beats.yml | 3 - .../browser_access/fields/beats.yml | 3 - .../user_activity/fields/beats.yml | 3 - .../data_stream/user_status/fields/beats.yml | 3 - packages/zscaler_zpa/docs/README.md | 5 - packages/zscaler_zpa/manifest.yml | 4 +- 951 files changed, 2512 insertions(+), 48735 deletions(-) delete mode 100644 packages/1password/data_stream/audit_events/fields/ecs.yml delete mode 100644 packages/1password/data_stream/item_usages/fields/ecs.yml delete mode 100644 packages/1password/data_stream/signin_attempts/fields/ecs.yml 
delete mode 100644 packages/akamai/data_stream/siem/fields/ecs.yml delete mode 100644 packages/atlassian_bitbucket/data_stream/audit/fields/ecs.yml delete mode 100644 packages/atlassian_confluence/data_stream/audit/fields/ecs.yml delete mode 100644 packages/atlassian_jira/data_stream/audit/fields/ecs.yml delete mode 100644 packages/auth0/data_stream/logs/fields/ecs.yml delete mode 100644 packages/aws_bedrock/data_stream/invocation/fields/ecs.yml delete mode 100644 packages/azure_frontdoor/data_stream/access/fields/ecs.yml delete mode 100644 packages/azure_frontdoor/data_stream/waf/fields/ecs.yml delete mode 100644 packages/barracuda/data_stream/waf/fields/ecs.yml delete mode 100644 packages/bbot/data_stream/asm_intel/fields/ecs.yml delete mode 100644 packages/box_events/data_stream/events/fields/ecs.yml delete mode 100644 packages/carbon_black_cloud/data_stream/alert/fields/ecs.yml delete mode 100644 packages/carbon_black_cloud/data_stream/alert_v7/fields/ecs.yml delete mode 100644 packages/carbon_black_cloud/data_stream/asset_vulnerability_summary/fields/ecs.yml delete mode 100644 packages/carbon_black_cloud/data_stream/audit/fields/ecs.yml delete mode 100644 packages/carbon_black_cloud/data_stream/endpoint_event/fields/ecs.yml delete mode 100644 packages/carbon_black_cloud/data_stream/watchlist_hit/fields/ecs.yml delete mode 100644 packages/carbonblack_edr/data_stream/log/fields/ecs.yml delete mode 100644 packages/cisa_kevs/data_stream/vulnerability/fields/ecs.yml delete mode 100644 packages/cisco_duo/data_stream/admin/fields/ecs.yml delete mode 100644 packages/cisco_duo/data_stream/auth/fields/ecs.yml delete mode 100644 packages/cisco_duo/data_stream/offline_enrollment/fields/ecs.yml delete mode 100644 packages/cisco_duo/data_stream/summary/fields/ecs.yml delete mode 100644 packages/cisco_duo/data_stream/telephony/fields/ecs.yml delete mode 100644 packages/cisco_secure_endpoint/data_stream/event/fields/ecs.yml delete mode 100644 
packages/cloudflare/data_stream/audit/fields/ecs.yml delete mode 100644 packages/cloudflare/data_stream/logpull/fields/ecs.yml delete mode 100644 packages/cloudflare_logpush/data_stream/access_request/fields/ecs.yml delete mode 100644 packages/cloudflare_logpush/data_stream/audit/fields/ecs.yml delete mode 100644 packages/cloudflare_logpush/data_stream/casb/fields/ecs.yml delete mode 100644 packages/cloudflare_logpush/data_stream/device_posture/fields/ecs.yml delete mode 100644 packages/cloudflare_logpush/data_stream/dns/fields/ecs.yml delete mode 100644 packages/cloudflare_logpush/data_stream/dns_firewall/fields/ecs.yml delete mode 100644 packages/cloudflare_logpush/data_stream/firewall_event/fields/ecs.yml delete mode 100644 packages/cloudflare_logpush/data_stream/gateway_dns/fields/ecs.yml delete mode 100644 packages/cloudflare_logpush/data_stream/gateway_http/fields/ecs.yml delete mode 100644 packages/cloudflare_logpush/data_stream/gateway_network/fields/ecs.yml delete mode 100644 packages/cloudflare_logpush/data_stream/http_request/fields/ecs.yml delete mode 100644 packages/cloudflare_logpush/data_stream/magic_ids/fields/ecs.yml delete mode 100644 packages/cloudflare_logpush/data_stream/nel_report/fields/ecs.yml delete mode 100644 packages/cloudflare_logpush/data_stream/network_analytics/fields/ecs.yml delete mode 100644 packages/cloudflare_logpush/data_stream/network_session/fields/ecs.yml delete mode 100644 packages/cloudflare_logpush/data_stream/sinkhole_http/fields/ecs.yml delete mode 100644 packages/cloudflare_logpush/data_stream/spectrum_event/fields/ecs.yml delete mode 100644 packages/cloudflare_logpush/data_stream/workers_trace/fields/ecs.yml delete mode 100644 packages/cribl/data_stream/logs/fields/ecs.yml delete mode 100644 packages/crowdstrike/data_stream/falcon/fields/ecs.yml delete mode 100644 packages/crowdstrike/data_stream/fdr/fields/ecs.yml delete mode 100644 packages/cyberark_pta/data_stream/events/fields/ecs.yml delete mode 100644 
packages/cyberarkpas/data_stream/audit/fields/ecs.yml delete mode 100644 packages/darktrace/data_stream/ai_analyst_alert/fields/ecs.yml delete mode 100644 packages/darktrace/data_stream/model_breach_alert/fields/ecs.yml delete mode 100644 packages/darktrace/data_stream/system_status_alert/fields/ecs.yml delete mode 100644 packages/f5_bigip/data_stream/log/fields/ecs.yml delete mode 100644 packages/fireeye/data_stream/nx/fields/ecs.yml delete mode 100644 packages/forgerock/data_stream/am_access/fields/ecs.yml delete mode 100644 packages/forgerock/data_stream/am_activity/fields/ecs.yml delete mode 100644 packages/forgerock/data_stream/am_authentication/fields/ecs.yml delete mode 100644 packages/forgerock/data_stream/am_config/fields/ecs.yml delete mode 100644 packages/forgerock/data_stream/am_core/fields/ecs.yml delete mode 100644 packages/forgerock/data_stream/idm_access/fields/ecs.yml delete mode 100644 packages/forgerock/data_stream/idm_activity/fields/ecs.yml delete mode 100644 packages/forgerock/data_stream/idm_authentication/fields/ecs.yml delete mode 100644 packages/forgerock/data_stream/idm_config/fields/ecs.yml delete mode 100644 packages/forgerock/data_stream/idm_core/fields/ecs.yml delete mode 100644 packages/forgerock/data_stream/idm_sync/fields/ecs.yml delete mode 100644 packages/gcp_pubsub/fields/ecs.yml delete mode 100644 packages/github/data_stream/audit/fields/ecs.yml delete mode 100644 packages/github/data_stream/code_scanning/fields/ecs.yml delete mode 100644 packages/github/data_stream/dependabot/fields/ecs.yml delete mode 100644 packages/github/data_stream/issues/fields/ecs.yml delete mode 100644 packages/github/data_stream/secret_scanning/fields/ecs.yml delete mode 100644 packages/http_endpoint/fields/ecs.yml delete mode 100644 packages/httpjson/data_stream/generic/fields/ecs.yml delete mode 100644 packages/infoblox_bloxone_ddi/data_stream/dhcp_lease/fields/ecs.yml delete mode 100644 
packages/infoblox_bloxone_ddi/data_stream/dns_config/fields/ecs.yml delete mode 100644 packages/infoblox_bloxone_ddi/data_stream/dns_data/fields/ecs.yml delete mode 100644 packages/infoblox_nios/data_stream/log/fields/ecs.yml delete mode 100644 packages/jamf_compliance_reporter/data_stream/log/fields/ecs.yml delete mode 100644 packages/jamf_protect/data_stream/telemetry_legacy/fields/ecs.yml delete mode 100644 packages/jamf_protect/data_stream/web_traffic_events/fields/ecs.yml delete mode 100644 packages/jumpcloud/data_stream/events/fields/ecs.yml delete mode 100644 packages/lastpass/data_stream/detailed_shared_folder/fields/ecs.yml delete mode 100644 packages/lastpass/data_stream/event_report/fields/ecs.yml delete mode 100644 packages/lastpass/data_stream/user/fields/ecs.yml delete mode 100644 packages/lumos/data_stream/activity_logs/fields/ecs.yml delete mode 100644 packages/m365_defender/data_stream/incident/fields/ecs.yml delete mode 100644 packages/m365_defender/data_stream/log/fields/ecs.yml delete mode 100644 packages/mattermost/data_stream/audit/fields/ecs.yml delete mode 100644 packages/menlo/data_stream/dlp/fields/ecs.yml delete mode 100644 packages/menlo/data_stream/web/fields/ecs.yml delete mode 100644 packages/microsoft_defender_endpoint/data_stream/log/fields/ecs.yml delete mode 100644 packages/microsoft_exchange_online_message_trace/data_stream/log/fields/ecs.yml delete mode 100644 packages/mimecast/data_stream/archive_search_logs/fields/ecs.yml delete mode 100644 packages/mimecast/data_stream/audit_events/fields/ecs.yml delete mode 100644 packages/mimecast/data_stream/dlp_logs/fields/ecs.yml delete mode 100644 packages/mimecast/data_stream/siem_logs/fields/ecs.yml delete mode 100644 packages/mimecast/data_stream/threat_intel_malware_customer/fields/ecs.yml delete mode 100644 packages/mimecast/data_stream/threat_intel_malware_grid/fields/ecs.yml delete mode 100644 packages/mimecast/data_stream/ttp_ap_logs/fields/ecs.yml delete mode 100644 
packages/mimecast/data_stream/ttp_ip_logs/fields/ecs.yml delete mode 100644 packages/mimecast/data_stream/ttp_url_logs/fields/ecs.yml delete mode 100644 packages/netskope/data_stream/alerts/fields/ecs.yml delete mode 100644 packages/netskope/data_stream/events/fields/ecs.yml delete mode 100644 packages/o365/data_stream/audit/fields/ecs.yml delete mode 100644 packages/okta/data_stream/system/fields/ecs.yml delete mode 100644 packages/opencanary/data_stream/events/fields/ecs.yml delete mode 100644 packages/panw_cortex_xdr/data_stream/alerts/fields/ecs.yml delete mode 100644 packages/panw_cortex_xdr/data_stream/incidents/fields/ecs.yml delete mode 100644 packages/ping_one/data_stream/audit/fields/ecs.yml delete mode 100644 packages/pps/data_stream/log/fields/ecs.yml delete mode 100644 packages/proofpoint_tap/data_stream/clicks_blocked/fields/ecs.yml delete mode 100644 packages/proofpoint_tap/data_stream/clicks_permitted/fields/ecs.yml delete mode 100644 packages/proofpoint_tap/data_stream/message_blocked/fields/ecs.yml delete mode 100644 packages/proofpoint_tap/data_stream/message_delivered/fields/ecs.yml delete mode 100644 packages/qualys_vmdr/data_stream/user_activity/fields/ecs.yml delete mode 100644 packages/santa/data_stream/log/fields/ecs.yml delete mode 100644 packages/sentinel_one/data_stream/activity/fields/ecs.yml delete mode 100644 packages/sentinel_one/data_stream/agent/fields/ecs.yml delete mode 100644 packages/sentinel_one/data_stream/alert/fields/ecs.yml delete mode 100644 packages/sentinel_one/data_stream/group/fields/ecs.yml delete mode 100644 packages/sentinel_one/data_stream/threat/fields/ecs.yml delete mode 100644 packages/slack/data_stream/audit/fields/ecs.yml delete mode 100644 packages/snyk/data_stream/audit/fields/ecs.yml delete mode 100644 packages/snyk/data_stream/audit_logs/fields/ecs.yml delete mode 100644 packages/snyk/data_stream/issues/fields/ecs.yml delete mode 100644 packages/snyk/data_stream/vulnerabilities/fields/ecs.yml delete mode 
100644 packages/symantec_endpoint/data_stream/log/fields/ecs.yml delete mode 100644 packages/tenable_io/data_stream/asset/fields/ecs.yml delete mode 100644 packages/tenable_io/data_stream/asset/fields/overridden-ecs.yml delete mode 100644 packages/tenable_io/data_stream/plugin/fields/ecs.yml delete mode 100644 packages/tenable_io/data_stream/plugin/fields/overridden-ecs.yml delete mode 100644 packages/tenable_io/data_stream/scan/fields/ecs.yml delete mode 100644 packages/tenable_io/data_stream/scan/fields/overridden-ecs.yml delete mode 100644 packages/tenable_io/data_stream/vulnerability/fields/ecs.yml delete mode 100644 packages/tenable_io/data_stream/vulnerability/fields/overridden-ecs.yml delete mode 100644 packages/tenable_sc/data_stream/asset/fields/ecs.yml delete mode 100644 packages/tenable_sc/data_stream/plugin/fields/ecs.yml delete mode 100644 packages/tenable_sc/data_stream/vulnerability/fields/ecs.yml delete mode 100644 packages/ti_abusech/data_stream/malware/fields/ecs.yml delete mode 100644 packages/ti_abusech/data_stream/malwarebazaar/fields/ecs.yml delete mode 100644 packages/ti_abusech/data_stream/threatfox/fields/ecs.yml delete mode 100644 packages/ti_abusech/data_stream/url/fields/ecs.yml delete mode 100644 packages/ti_anomali/data_stream/threatstream/fields/ecs.yml delete mode 100644 packages/ti_cybersixgill/data_stream/threat/fields/ecs.yml delete mode 100644 packages/ti_eclecticiq/data_stream/threat/fields/ecs.yml delete mode 100644 packages/ti_eset/data_stream/apt/fields/ecs.yml delete mode 100644 packages/ti_eset/data_stream/botnet/fields/ecs.yml delete mode 100644 packages/ti_eset/data_stream/cc/fields/ecs.yml delete mode 100644 packages/ti_eset/data_stream/domains/fields/ecs.yml delete mode 100644 packages/ti_eset/data_stream/files/fields/ecs.yml delete mode 100644 packages/ti_eset/data_stream/ip/fields/ecs.yml delete mode 100644 packages/ti_eset/data_stream/url/fields/ecs.yml delete mode 100644 
packages/ti_maltiverse/data_stream/indicator/fields/ecs.yml
delete mode 100644 packages/ti_misp/data_stream/threat/fields/ecs.yml
delete mode 100644 packages/ti_otx/data_stream/pulses_subscribed/fields/agent.yml
delete mode 100644 packages/ti_rapid7_threat_command/data_stream/alert/fields/ecs.yml
delete mode 100644 packages/ti_rapid7_threat_command/data_stream/ioc/fields/ecs.yml
delete mode 100644 packages/ti_rapid7_threat_command/data_stream/vulnerability/fields/ecs.yml
delete mode 100644 packages/ti_rapid7_threat_command/data_stream/vulnerability/fields/overridden-ecs.yml
delete mode 100644 packages/ti_recordedfuture/data_stream/threat/fields/ecs.yml
delete mode 100644 packages/ti_threatq/data_stream/threat/fields/ecs.yml
delete mode 100644 packages/trend_micro_vision_one/data_stream/alert/fields/ecs.yml
delete mode 100644 packages/trend_micro_vision_one/data_stream/audit/fields/ecs.yml
delete mode 100644 packages/trend_micro_vision_one/data_stream/detection/fields/ecs.yml
delete mode 100644 packages/zerofox/data_stream/alerts/fields/ecs.yml
delete mode 100644 packages/zeronetworks/data_stream/audit/fields/ecs.yml
delete mode 100644 packages/zoom/data_stream/webhook/fields/ecs.yml
diff --git a/packages/1password/changelog.yml b/packages/1password/changelog.yml
index 243cef9384e..376d8c5444d 100644
--- a/packages/1password/changelog.yml
+++ b/packages/1password/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.29.0"
+ changes:
+ - description: Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/10135
 - version: "1.28.0"
 changes:
 - description: Improve handling of empty responses.
diff --git a/packages/1password/data_stream/audit_events/fields/ecs.yml b/packages/1password/data_stream/audit_events/fields/ecs.yml
deleted file mode 100644
index c8cee87db6b..00000000000
--- a/packages/1password/data_stream/audit_events/fields/ecs.yml
+++ /dev/null
@@ -1,44 +0,0 @@
-- external: ecs
- name: ecs.version
-- external: ecs
- name: related.user
-- external: ecs
- name: related.ip
-- external: ecs
- name: event.kind
-- external: ecs
- name: event.category
-- external: ecs
- name: event.type
-- external: ecs
- name: event.created
-- external: ecs
- name: event.action
-- external: ecs
- name: user.id
-- external: ecs
- name: user.name
-- external: ecs
- name: user.email
-- external: ecs
- name: source.as.number
-- external: ecs
- name: source.as.organization.name
-- external: ecs
- name: source.geo.city_name
-- external: ecs
- name: source.geo.continent_name
-- external: ecs
- name: source.geo.country_iso_code
-- external: ecs
- name: source.geo.country_name
-- external: ecs
- name: source.geo.location
-- external: ecs
- name: source.geo.region_iso_code
-- external: ecs
- name: source.geo.region_name
-- external: ecs
- name: source.ip
-- external: ecs
- name: tags
diff --git a/packages/1password/data_stream/item_usages/fields/ecs.yml b/packages/1password/data_stream/item_usages/fields/ecs.yml
deleted file mode 100644
index 72692451bb2..00000000000
--- a/packages/1password/data_stream/item_usages/fields/ecs.yml
+++ /dev/null
@@ -1,48 +0,0 @@
-- external: ecs
- name: ecs.version
-- external: ecs
- name: related.user
-- external: ecs
- name: related.ip
-- external: ecs
- name: event.kind
-- external: ecs
- name: event.category
-- external: ecs
- name: event.type
-- external: ecs
- name: event.created
-- external: ecs
- name: event.action
-- external: ecs
- name: user.id
-- external: ecs
- name: user.full_name
-- external: ecs
- name: user.email
-- external: ecs
- name: host.os.name
-- external: ecs
- name: host.os.version
-- external: ecs
- name: source.as.number
-- external: ecs
- name: source.as.organization.name
-- external: ecs
- name: source.geo.city_name
-- external: ecs
- name: source.geo.continent_name
-- external: ecs
- name: source.geo.country_iso_code
-- external: ecs
- name: source.geo.country_name
-- external: ecs
- name: source.geo.location
-- external: ecs
- name: source.geo.region_iso_code
-- external: ecs
- name: source.geo.region_name
-- external: ecs
- name: source.ip
-- external: ecs
- name: tags
diff --git a/packages/1password/data_stream/signin_attempts/fields/ecs.yml b/packages/1password/data_stream/signin_attempts/fields/ecs.yml
deleted file mode 100644
index 4f2aa0facb7..00000000000
--- a/packages/1password/data_stream/signin_attempts/fields/ecs.yml
+++ /dev/null
@@ -1,50 +0,0 @@
-- external: ecs
- name: ecs.version
-- external: ecs
- name: related.user
-- external: ecs
- name: related.ip
-- external: ecs
- name: event.kind
-- external: ecs
- name: event.category
-- external: ecs
- name: event.type
-- external: ecs
- name: event.action
-- external: ecs
- name: event.outcome
-- external: ecs
- name: event.created
-- external: ecs
- name: user.id
-- external: ecs
- name: user.full_name
-- external: ecs
- name: user.email
-- external: ecs
- name: host.os.name
-- external: ecs
- name: host.os.version
-- external: ecs
- name: source.as.number
-- external: ecs
- name: source.as.organization.name
-- external: ecs
- name: source.geo.city_name
-- external: ecs
- name: source.geo.continent_name
-- external: ecs
- name: source.geo.country_iso_code
-- external: ecs
- name: source.geo.country_name
-- external: ecs
- name: source.geo.location
-- external: ecs
- name: source.geo.region_iso_code
-- external: ecs
- name: source.geo.region_name
-- external: ecs
- name: source.ip
-- external: ecs
- name: tags
diff --git a/packages/1password/docs/README.md b/packages/1password/docs/README.md
index 70eb4954f86..70b7836aaa7 100644
--- a/packages/1password/docs/README.md
+++ b/packages/1password/docs/README.md
@@ -31,18 +31,8 @@ Use the 1Password Events API to retrieve information about sign-in attempts. Eve | data_stream.dataset | Data stream dataset. | constant_keyword | | data_stream.namespace | Data stream namespace. | constant_keyword | | data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. 
| date | | event.dataset | Event dataset | constant_keyword | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword | | event.module | Event module | constant_keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. 
This will allow proper categorization of some events that fall in multiple event types. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | match_only_text | -| host.os.version | Operating system version as a raw string. | keyword | | input.type | Input type | keyword | | onepassword.client.app_name | The name of the 1Password app that attempted to sign in to the account | keyword | | onepassword.client.app_version | The version number of the 1Password app | keyword | 
@@ -53,24 +43,6 @@ Use the 1Password Events API to retrieve information about sign-in attempts. Eve | onepassword.session_uuid | The UUID of the session that created the event | keyword | | onepassword.type | Details about the sign-in attempt | keyword | | onepassword.uuid | The UUID of the event | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| tags | List of keywords used to tag each event. | keyword | -| user.email | User email address. | keyword | -| user.full_name | User's full name, if available. | keyword | -| user.full_name.text | Multi-field of `user.full_name`. | match_only_text | -| user.id | Unique identifier of the user. | keyword | An example event for `signin_attempts` looks as following: 
@@ -174,17 +146,8 @@ This uses the 1Password Events API to retrieve information about items in shared | data_stream.dataset | Data stream dataset. | constant_keyword | | data_stream.namespace | Data stream namespace. | constant_keyword | | data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. 
| date | | event.dataset | Event dataset | constant_keyword | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword | | event.module | Event module | constant_keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | match_only_text | -| host.os.version | Operating system version as a raw string. | keyword | | input.type | Input type | keyword | | onepassword.client.app_name | The name of the 1Password app the item was accessed from | keyword | | onepassword.client.app_version | The version number of the 1Password app | keyword | 
@@ -194,24 +157,6 @@ This uses the 1Password Events API to retrieve information about items in shared | onepassword.used_version | The version of the item that was accessed | integer | | onepassword.uuid | The UUID of the event | keyword | | onepassword.vault_uuid | The UUID of the vault the item is in | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| tags | List of keywords used to tag each event. | keyword | -| user.email | User email address. | keyword | -| user.full_name | User's full name, if available. | keyword | -| user.full_name.text | Multi-field of `user.full_name`. | match_only_text | -| user.id | Unique identifier of the user. | keyword | An example event for `item_usages` looks as following: 
@@ -315,14 +260,8 @@ This uses the 1Password Events API to retrieve information about audit events. E | data_stream.dataset | Data stream dataset. | constant_keyword | | data_stream.namespace | Data stream namespace. | constant_keyword | | data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. 
| date | | event.dataset | Event dataset | constant_keyword | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword | | event.module | Event module | constant_keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | | input.type | Input type | keyword | | onepassword.actor_details.email | The email of the actor. | keyword | | onepassword.actor_details.name | The name of the actor. | keyword | 
@@ -343,24 +282,6 @@ This uses the 1Password Events API to retrieve information about audit events. E | onepassword.session.login_time | The login time of the session used to create the event. | date | | onepassword.session.uuid | The session uuid of the session used to create the event. | keyword | | onepassword.uuid | The UUID of the event. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| tags | List of keywords used to tag each event. | keyword | -| user.email | User email address. | keyword | -| user.id | Unique identifier of the user. | keyword | -| user.name | Short name or login of the user. | keyword | -| user.name.text | Multi-field of `user.name`. | match_only_text | An example event for `audit_events` looks as following: diff --git a/packages/1password/manifest.yml b/packages/1password/manifest.yml index d5727968f2f..252412719fa 100644 --- a/packages/1password/manifest.yml +++ b/packages/1password/manifest.yml 
@@ -1,7 +1,7 @@
 format_version: "3.0.2"
 name: 1password
 title: "1Password"
-version: "1.28.0"
+version: "1.29.0"
 description: Collect logs from 1Password with Elastic Agent.
 type: integration
 categories:
@@ -9,7 +9,7 @@ categories:
 - credential_management
 conditions:
 kibana:
-version: ^8.12.0
+version: "^8.13.0"
 screenshots:
 - src: /img/1password-signinattempts-screenshot.png
 title: Sign-in attempts
diff --git a/packages/akamai/changelog.yml b/packages/akamai/changelog.yml
index 639790bd9f0..abd2a2b028a 100644
--- a/packages/akamai/changelog.yml
+++ b/packages/akamai/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "2.24.0"
+ changes:
+ - description: Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/10135
 - version: "2.23.2"
 changes:
 - description: Handle HTTP headers without values.
diff --git a/packages/akamai/data_stream/siem/fields/agent.yml b/packages/akamai/data_stream/siem/fields/agent.yml
index 4d9a6f7b362..bc42d0a853b 100644
--- a/packages/akamai/data_stream/siem/fields/agent.yml
+++ b/packages/akamai/data_stream/siem/fields/agent.yml
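Review bot: The kibana constraint bump in the second manifest hunk (`+    version: "^8.13.0"`) is what makes the ecs.yml deletions in this commit safe, yet nothing in the manifest records that dependency, so a later relaxation of the constraint would silently leave typed ECS fields such as `source.ip`, `source.geo.location` and `event.created` to dynamic mapping on older stacks. According to the changelog entries in the neighbouring hunks, the explicit definitions were dropped because the ecs@mappings component template now supplies them, which is exactly the kind of rationale that belongs next to the constraint rather than only in the changelog. I would add, above the `kibana:` line, `# ^8.13.0 is the floor: ECS field definitions were removed in favour of the ecs@mappings component template`.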
@@ -1,100 +1,9 @@ - name: host title: Host group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' type: group fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. 
The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - name: containerized type: boolean description: > diff --git a/packages/akamai/data_stream/siem/fields/beats.yml b/packages/akamai/data_stream/siem/fields/beats.yml index cb44bb29442..96190255552 100644 --- a/packages/akamai/data_stream/siem/fields/beats.yml +++ b/packages/akamai/data_stream/siem/fields/beats.yml @@ -7,6 +7,3 @@ - name: log.offset type: long description: Offset of the entry in the log file. -- name: log.file.path - type: keyword - description: Path to the log file. diff --git a/packages/akamai/data_stream/siem/fields/ecs.yml b/packages/akamai/data_stream/siem/fields/ecs.yml deleted file mode 100644 index dafaa93238b..00000000000 --- a/packages/akamai/data_stream/siem/fields/ecs.yml +++ /dev/null 
@@ -1,126 +0,0 @@
-- name: client.as.number
- external: ecs
-- name: client.as.organization.name
- external: ecs
-- name: client.domain
- external: ecs
-- name: client.geo.city_name
- external: ecs
-- name: client.geo.country_name
- external: ecs
-- name: client.geo.country_iso_code
- external: ecs
-- name: client.geo.continent_name
- external: ecs
-- name: client.geo.region_iso_code
- external: ecs
-- name: client.geo.location
- external: ecs
-- name: client.geo.region_name
- external: ecs
-- name: client.ip
- external: ecs
-- name: client.address
- external: ecs
-- name: client.bytes
- external: ecs
-- name: client.port
- external: ecs
-- name: ecs.version
- external: ecs
-- name: error.message
- external: ecs
-- name: event.action
- external: ecs
-- name: event.category
- external: ecs
-- name: event.ingested
- external: ecs
-- name: event.created
- external: ecs
-- name: event.start
- external: ecs
-- name: event.kind
- external: ecs
-- name: event.original
- external: ecs
-- name: event.outcome
- external: ecs
-- name: event.type
- external: ecs
-- name: related.ip
- external: ecs
-- name: source.address
- external: ecs
-- name: source.as.number
- external: ecs
-- name: source.as.organization.name
- external: ecs
-- name: source.bytes
- external: ecs
-- name: source.domain
- external: ecs
-- name: source.geo.city_name
- external: ecs
-- name: source.geo.continent_name
- external: ecs
-- name: source.geo.country_iso_code
- external: ecs
-- name: source.geo.country_name
- external: ecs
-- name: source.geo.location
- external: ecs
-- name: source.geo.name
- external: ecs
-- name: source.geo.region_iso_code
- external: ecs
-- name: source.geo.region_name
- external: ecs
-- name: source.ip
- external: ecs
-- name: source.port
- external: ecs
-- name: tags
- external: ecs
-- name: url.domain
- external: ecs
-- name: url.password
- external: ecs
-- name: url.port
- external: ecs
-- name: url.username
- external: ecs
-- name: url.path
- external: ecs
-- name: url.query
- external: ecs
-- name: url.extension
- external: ecs
-- name: url.scheme
- external: ecs
-- name: url.full
- external: ecs
-- name: tls.cipher
- external: ecs
-- name: tls.version
- external: ecs
-- name: tls.version_protocol
- external: ecs
-- name: network.protocol
- external: ecs
-- name: network.transport
- external: ecs
-- name: http.response.status_code
- external: ecs
-- name: http.response.bytes
- external: ecs
-- name: http.request.method
- external: ecs
-- name: http.request.id
- external: ecs
-- name: http.version
- external: ecs
-- name: observer.type
- external: ecs
-- name: observer.vendor
- external: ecs
diff --git a/packages/akamai/docs/README.md b/packages/akamai/docs/README.md
index 43074ae0ed7..dfcb3bd3c73 100644
--- a/packages/akamai/docs/README.md
+++ b/packages/akamai/docs/README.md
@@ -57,98 +57,17 @@ See [Akamai API get started](https://techdocs.akamai.com/siem-integration/refere | akamai.siem.user_risk.status | Status code indicating any errors that might have occurred when calculating the risk score. | long | | akamai.siem.user_risk.trust | Indicators that were trusted. For example, the value ugp indicates that the user’s country or area is trusted. | flattened | | akamai.siem.user_risk.uuid | Unique identifier of the user whose risk data is being provided. | keyword | -| client.address | Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| client.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| client.as.organization.name | Organization name. | keyword | -| client.as.organization.name.text | Multi-field of `client.as.organization.name`. | match_only_text | -| client.bytes | Bytes sent from the client to the server. | long | -| client.domain | The domain name of the client system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| client.geo.city_name | City name. | keyword | -| client.geo.continent_name | Name of the continent. | keyword | -| client.geo.country_iso_code | Country ISO code. | keyword | -| client.geo.country_name | Country name. | keyword | -| client.geo.location | Longitude and latitude. | geo_point | -| client.geo.region_iso_code | Region ISO code. | keyword | -| client.geo.region_name | Region name. | keyword | -| client.ip | IP address of the client (IPv4 or IPv6). | ip | -| client.port | Port of the client. 
| long | | data_stream.dataset | Data stream dataset name. | constant_keyword | | data_stream.namespace | Data stream namespace. | constant_keyword | | data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.message | Error message. | match_only_text | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. 
| date | | event.dataset | Event dataset | constant_keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword | | event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. 
Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| event.start | `event.start` contains the date when the event started or when the activity was first observed. | date | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| host.architecture | Operating system architecture. | keyword | | host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. 
| keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | host.os.build | OS build information. | keyword | | host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| http.request.id | A unique identifier for each HTTP request to correlate logs between clients and servers in transactions. The id may be contained in a non-standard HTTP header, such as `X-Request-ID` or `X-Correlation-ID`. | keyword | -| http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword | -| http.response.bytes | Total size in bytes of the response (body and headers). | long | -| http.response.status_code | HTTP response status code. | long | -| http.version | HTTP version. | keyword | | input.type | Type of Filebeat input. | keyword | -| log.file.path | Path to the log file. | keyword | | log.flags | Flags for the log file. | keyword | | log.offset | Offset of the entry in the log file. | long | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. 
The field value must be normalized to lowercase for querying. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword | -| observer.vendor | Vendor name of the observer. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.name | User-defined description of a location, at the level of granularity they care about. 
Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| tags | List of keywords used to tag each event. | keyword | -| tls.cipher | String indicating the cipher used during the current connection. | keyword | -| tls.version | Numeric part of the version parsed from the original string. | keyword | -| tls.version_protocol | Normalized lowercase protocol name parsed from original string. | keyword | -| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | -| url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | -| url.full | If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. | wildcard | -| url.full.text | Multi-field of `url.full`. | match_only_text | -| url.password | Password of the request. | keyword | -| url.path | Path of the request, such as "/search". | wildcard | -| url.port | Port of the request, such as 443. 
| long |
-| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword |
-| url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword |
-| url.username | Username of the request. | keyword |
An example event for `siem` looks as following:
diff --git a/packages/akamai/manifest.yml b/packages/akamai/manifest.yml
index 7e332f7b83b..370e396285f 100644
--- a/packages/akamai/manifest.yml
+++ b/packages/akamai/manifest.yml
@@ -1,13 +1,13 @@
name: akamai
title: Akamai
-version: "2.23.2"
+version: "2.24.0"
description: Collect logs from Akamai with Elastic Agent.
type: integration
format_version: "3.0.2"
categories: [security, cdn_security]
conditions:
kibana:
- version: "^8.12.0"
+ version: "^8.13.0"
icons:
- src: /img/akamai_logo.svg
title: Akamai
diff --git a/packages/amazon_security_lake/_dev/build/build.yml b/packages/amazon_security_lake/_dev/build/build.yml
index 71f48ba2a9c..2bfcfc223b0 100644
--- a/packages/amazon_security_lake/_dev/build/build.yml
+++ b/packages/amazon_security_lake/_dev/build/build.yml
@@ -1,4 +1,3 @@
dependencies:
ecs:
reference: "git@v8.11.0"
- import_mappings: true
diff --git a/packages/amazon_security_lake/changelog.yml b/packages/amazon_security_lake/changelog.yml
index 882ad77c701..dc0c175a2dd 100644
--- a/packages/amazon_security_lake/changelog.yml
+++ b/packages/amazon_security_lake/changelog.yml
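Review bot: Nothing in build.yml records why `import_mappings: true` is dropped, and after this hunk the package's ECS-named fields are typed only by the stack's `ecs@mappings` component template (the changelog hunk on the same line names it as the reason), so any field the pipelines emit under an ECS name that no longer has its own definition in `fields/*.yml` gets whatever those dynamic templates assign or, if none matches, the index's default dynamic mapping. For the keyword-typed `tags` and `log.file.path` definitions removed in the beats.yml hunks that follow this is harmless, but ip, geo_point, date and numeric fields are what detection rules and range queries depend on, so it is worth confirming that the package's mapping and system tests were run against an 8.13 stack, which I cannot tell from the diff. The manifest bump to `^8.13.0` states the requirement but build.yml itself does not; a one-line comment next to `reference: "git@v8.11.0"`, `# ECS field mappings come from the stack's ecs@mappings component template (8.13+); do not re-add import_mappings`, would keep that dependency visible to the next editor.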
@@ -1,4 +1,9 @@
# newer versions go on top
+- version: "1.3.0"
+ changes:
+ - description: Removed import_mappings. Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/10135
- version: "1.2.1"
changes:
- description: Removed SQS support since we don't support sqs based parquet decoding at the input level.
diff --git a/packages/amazon_security_lake/data_stream/application_activity/fields/beats.yml b/packages/amazon_security_lake/data_stream/application_activity/fields/beats.yml
index 2d2699c8fe1..e2a02e078e8 100644
--- a/packages/amazon_security_lake/data_stream/application_activity/fields/beats.yml
+++ b/packages/amazon_security_lake/data_stream/application_activity/fields/beats.yml
@@ -7,12 +7,6 @@
- description: Offset of the entry in the log file.
name: log.offset
type: long
-- description: Path to the log file.
- name: log.file.path
- type: keyword
- description: Log message optimized for viewing in a log viewer.
name: event.message
type: text
-- name: tags
- type: keyword
- description: User defined tags.
diff --git a/packages/amazon_security_lake/data_stream/discovery/fields/beats.yml b/packages/amazon_security_lake/data_stream/discovery/fields/beats.yml
index 2d2699c8fe1..e2a02e078e8 100644
--- a/packages/amazon_security_lake/data_stream/discovery/fields/beats.yml
+++ b/packages/amazon_security_lake/data_stream/discovery/fields/beats.yml
@@ -7,12 +7,6 @@
- description: Offset of the entry in the log file.
name: log.offset
type: long
-- description: Path to the log file.
- name: log.file.path
- type: keyword
- description: Log message optimized for viewing in a log viewer.
name: event.message
type: text
-- name: tags
- type: keyword
- description: User defined tags.
diff --git a/packages/amazon_security_lake/data_stream/event/fields/beats.yml b/packages/amazon_security_lake/data_stream/event/fields/beats.yml
index b3701b581cf..4084f1dc7f5 100644
--- a/packages/amazon_security_lake/data_stream/event/fields/beats.yml
+++ b/packages/amazon_security_lake/data_stream/event/fields/beats.yml
@@ -4,6 +4,3 @@
- name: log.offset
type: long
description: Log offset.
-- name: tags
- type: keyword
- description: User defined tags.
diff --git a/packages/amazon_security_lake/data_stream/findings/fields/beats.yml b/packages/amazon_security_lake/data_stream/findings/fields/beats.yml
index 2d2699c8fe1..e2a02e078e8 100644
--- a/packages/amazon_security_lake/data_stream/findings/fields/beats.yml
+++ b/packages/amazon_security_lake/data_stream/findings/fields/beats.yml
@@ -7,12 +7,6 @@
- description: Offset of the entry in the log file.
name: log.offset
type: long
-- description: Path to the log file.
- name: log.file.path
- type: keyword
- description: Log message optimized for viewing in a log viewer.
name: event.message
type: text
-- name: tags
- type: keyword
- description: User defined tags.
diff --git a/packages/amazon_security_lake/data_stream/iam/fields/beats.yml b/packages/amazon_security_lake/data_stream/iam/fields/beats.yml
index 2d2699c8fe1..e2a02e078e8 100644
--- a/packages/amazon_security_lake/data_stream/iam/fields/beats.yml
+++ b/packages/amazon_security_lake/data_stream/iam/fields/beats.yml
@@ -7,12 +7,6 @@
- description: Offset of the entry in the log file.
name: log.offset
type: long
-- description: Path to the log file.
- name: log.file.path
- type: keyword
- description: Log message optimized for viewing in a log viewer.
name: event.message
type: text
-- name: tags
- type: keyword
- description: User defined tags.
diff --git a/packages/amazon_security_lake/data_stream/network_activity/fields/beats.yml b/packages/amazon_security_lake/data_stream/network_activity/fields/beats.yml
index 2d2699c8fe1..e2a02e078e8 100644
--- a/packages/amazon_security_lake/data_stream/network_activity/fields/beats.yml
+++ b/packages/amazon_security_lake/data_stream/network_activity/fields/beats.yml
@@ -7,12 +7,6 @@
- description: Offset of the entry in the log file.
name: log.offset
type: long
-- description: Path to the log file.
- name: log.file.path
- type: keyword
- description: Log message optimized for viewing in a log viewer.
name: event.message
type: text
-- name: tags
- type: keyword
- description: User defined tags.
diff --git a/packages/amazon_security_lake/data_stream/system_activity/fields/beats.yml b/packages/amazon_security_lake/data_stream/system_activity/fields/beats.yml
index 2d2699c8fe1..e2a02e078e8 100644
--- a/packages/amazon_security_lake/data_stream/system_activity/fields/beats.yml
+++ b/packages/amazon_security_lake/data_stream/system_activity/fields/beats.yml
@@ -7,12 +7,6 @@
- description: Offset of the entry in the log file.
name: log.offset
type: long
-- description: Path to the log file.
- name: log.file.path
- type: keyword
- description: Log message optimized for viewing in a log viewer.
name: event.message
type: text
-- name: tags
- type: keyword
- description: User defined tags.
diff --git a/packages/amazon_security_lake/docs/README.md b/packages/amazon_security_lake/docs/README.md
index a89851deb77..11926e7b611 100644
--- a/packages/amazon_security_lake/docs/README.md
+++ b/packages/amazon_security_lake/docs/README.md
@@ -1960,4 +1960,3 @@ This is the `Event` dataset.
| process.user.full_name | | keyword |
| process.user.group.id | | keyword |
| process.user.group.name | | keyword |
-| tags | User defined tags. | keyword |
diff --git a/packages/amazon_security_lake/manifest.yml b/packages/amazon_security_lake/manifest.yml
index 59714638667..e5c91e5a5e2 100644
--- a/packages/amazon_security_lake/manifest.yml
+++ b/packages/amazon_security_lake/manifest.yml
@@ -1,13 +1,13 @@
format_version: "3.0.3"
name: amazon_security_lake
title: Amazon Security Lake
-version: "1.2.1"
+version: "1.3.0"
description: Collect logs from Amazon Security Lake with Elastic Agent.
type: integration
categories: ["aws", "security"]
conditions:
kibana:
- version: ^8.12.0
+ version: "^8.13.0"
elastic:
subscription: basic
screenshots:
diff --git a/packages/atlassian_bitbucket/changelog.yml b/packages/atlassian_bitbucket/changelog.yml
index 2a6caed7174..82b7365c2af 100644
--- a/packages/atlassian_bitbucket/changelog.yml
+++ b/packages/atlassian_bitbucket/changelog.yml
@@ -1,4 +1,9 @@
# newer versions go on top
+- version: "2.1.0"
+ changes:
+ - description: Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/10135
- version: "2.0.0"
changes:
- description: Make `event.type` field conform to ECS field definition.
diff --git a/packages/atlassian_bitbucket/data_stream/audit/fields/agent.yml b/packages/atlassian_bitbucket/data_stream/audit/fields/agent.yml
index e313ec82874..48f513b61aa 100644
--- a/packages/atlassian_bitbucket/data_stream/audit/fields/agent.yml
+++ b/packages/atlassian_bitbucket/data_stream/audit/fields/agent.yml
@@ -5,180 +5,15 @@ footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' type: group fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - name: image.id type: keyword description: Image ID for the cloud instance. -- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. 
- - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. - name: host title: Host group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' type: group fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. 
- - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - name: containerized type: boolean description: > diff --git a/packages/atlassian_bitbucket/data_stream/audit/fields/ecs.yml b/packages/atlassian_bitbucket/data_stream/audit/fields/ecs.yml deleted file mode 100644 index 97d95f430af..00000000000 
--- a/packages/atlassian_bitbucket/data_stream/audit/fields/ecs.yml
+++ /dev/null
@@ -1,70 +0,0 @@
-- external: ecs
- name: ecs.version
-- external: ecs
- name: error.message
-- external: ecs
- name: event.created
-- external: ecs
- name: tags
-- external: ecs
- name: user.id
-- external: ecs
- name: user.name
-- external: ecs
- name: user.full_name
-- external: ecs
- name: user.target.full_name
-- external: ecs
- name: user.target.name
-- external: ecs
- name: user.target.group.name
-- external: ecs
- name: user.target.group.id
-- external: ecs
- name: user.target.id
-- external: ecs
- name: user.changes.name
-- external: ecs
- name: user.changes.full_name
-- external: ecs
- name: group.name
-- external: ecs
- name: group.id
-- name: source.address
- external: ecs
-- name: source.as.number
- external: ecs
-- name: source.as.organization.name
- external: ecs
-- name: source.bytes
- external: ecs
-- name: source.domain
- external: ecs
-- name: source.geo.city_name
- external: ecs
-- name: source.geo.continent_name
- external: ecs
-- name: source.geo.country_iso_code
- external: ecs
-- name: source.geo.country_name
- external: ecs
-- name: source.geo.location
- external: ecs
-- name: source.geo.name
- external: ecs
-- name: source.geo.region_iso_code
- external: ecs
-- name: source.geo.region_name
- external: ecs
-- name: source.ip
- external: ecs
-- name: log.file.path
- external: ecs
-- name: service.address
- external: ecs
-- name: related.ip
- external: ecs
-- name: related.user
- external: ecs
-- name: related.hosts
- external: ecs
diff --git a/packages/atlassian_bitbucket/docs/README.md b/packages/atlassian_bitbucket/docs/README.md
index e036ed6aa85..de88df20eb9 100644
--- a/packages/atlassian_bitbucket/docs/README.md
+++ b/packages/atlassian_bitbucket/docs/README.md
@@ -25,85 +25,17 @@ The Bitbucket integration collects audit logs from the audit log files or the au | bitbucket.audit.type.category | Category | keyword | | bitbucket.audit.type.categoryI18nKey | categoryI18nKey | keyword | | bitbucket.audit.type.level | Audit Level | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | | cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | | data_stream.dataset | Data stream dataset. | constant_keyword | | data_stream.namespace | Data stream namespace. | constant_keyword | | data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.message | Error message. 
| match_only_text | -| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date | | event.dataset | Event dataset | constant_keyword | | event.module | Event module | constant_keyword | -| group.id | Unique identifier for the group on the system/platform. | keyword | -| group.name | Name of the group. | keyword | -| host.architecture | Operating system architecture. | keyword | | host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | host.os.build | OS build information. | keyword | | host.os.codename | OS codename, if any. 
| keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | input.type | Input type | keyword | -| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | | log.offset | Log offset | long | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| service.address | Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). | keyword | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. 
| long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| tags | List of keywords used to tag each event. | keyword | -| user.changes.full_name | User's full name, if available. | keyword | -| user.changes.full_name.text | Multi-field of `user.changes.full_name`. | match_only_text | -| user.changes.name | Short name or login of the user. | keyword | -| user.changes.name.text | Multi-field of `user.changes.name`. | match_only_text | -| user.full_name | User's full name, if available. | keyword | -| user.full_name.text | Multi-field of `user.full_name`. | match_only_text | -| user.id | Unique identifier of the user. | keyword | -| user.name | Short name or login of the user. | keyword | -| user.name.text | Multi-field of `user.name`. 
| match_only_text | -| user.target.full_name | User's full name, if available. | keyword | -| user.target.full_name.text | Multi-field of `user.target.full_name`. | match_only_text | -| user.target.group.id | Unique identifier for the group on the system/platform. | keyword | -| user.target.group.name | Name of the group. | keyword | -| user.target.id | Unique identifier of the user. | keyword | -| user.target.name | Short name or login of the user. | keyword | -| user.target.name.text | Multi-field of `user.target.name`. | match_only_text | An example event for `audit` looks as following: diff --git a/packages/atlassian_bitbucket/manifest.yml b/packages/atlassian_bitbucket/manifest.yml index f181d4e8baf..77dccc738aa 100644 --- a/packages/atlassian_bitbucket/manifest.yml +++ b/packages/atlassian_bitbucket/manifest.yml @@ -1,7 +1,7 @@ format_version: "3.0.2" name: atlassian_bitbucket title: Atlassian Bitbucket -version: "2.0.0" +version: "2.1.0" description: Collect logs from Atlassian Bitbucket with Elastic Agent. type: integration categories: @@ -9,7 +9,7 @@ categories: - productivity_security conditions: kibana: - version: "^8.12.0" + version: "^8.13.0" icons: - src: /img/bitbucket-logo.svg title: Bitbucket Logo diff --git a/packages/atlassian_confluence/changelog.yml b/packages/atlassian_confluence/changelog.yml index 6c2f78ca1d3..f4cd9a92a9b 100644 --- a/packages/atlassian_confluence/changelog.yml +++ b/packages/atlassian_confluence/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.25.0" + changes: + - description: Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template. + type: enhancement + link: https://github.com/elastic/integrations/pull/10135 - version: "1.24.0" changes: - description: Set sensitive values as secret. 
diff --git a/packages/atlassian_confluence/data_stream/audit/fields/agent.yml b/packages/atlassian_confluence/data_stream/audit/fields/agent.yml index e313ec82874..48f513b61aa 100644 --- a/packages/atlassian_confluence/data_stream/audit/fields/agent.yml +++ b/packages/atlassian_confluence/data_stream/audit/fields/agent.yml 
@@ -5,180 +5,15 @@ footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' type: group fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - name: image.id type: keyword description: Image ID for the cloud instance. -- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. 
- - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. - name: host title: Host group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' type: group fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. 
- - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - name: containerized type: boolean description: > diff --git a/packages/atlassian_confluence/data_stream/audit/fields/ecs.yml b/packages/atlassian_confluence/data_stream/audit/fields/ecs.yml deleted file mode 100644 index 49469eb61eb..00000000000 
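Review bot: After this hunk nothing in agent.yml records where the removed `cloud.*`, `container.*` and `host.*` mappings now come from, including the typed ones such as `host.ip` (`type: ip`) and `host.mac`; per the changelog entry in this patch they are expected from the `ecs@mappings` component template, which is presumably why the Kibana constraint moves to `^8.13.0`. A reader of this file alone cannot tell that, and on a stack where that template is absent or shadowed by a custom component template these fields would likely be dynamically mapped as keyword, which silently breaks CIDR queries and any detection rule filtering on `host.ip`. I would add a short header comment above the retained `image.id` entry, e.g. `# Most ECS cloud.*/container.*/host.* fields are intentionally not declared here; they are mapped by the ecs@mappings component template (requires Kibana ^8.13.0, see manifest.yml).` The trailing `containerized` entry is cut off at the end of the hunk (`description: >` continues outside it).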
--- a/packages/atlassian_confluence/data_stream/audit/fields/ecs.yml +++ /dev/null @@ -1,84 +0,0 @@ -- external: ecs - name: ecs.version -- external: ecs - name: error.message -- external: ecs - name: event.action -- external: ecs - name: event.category -- external: ecs - name: event.created -- external: ecs - name: event.kind -- external: ecs - name: event.original -- external: ecs - name: event.type -- external: ecs - name: group.id -- external: ecs - name: group.name -- external: ecs - name: log.file.path -- external: ecs - name: related.hosts -- external: ecs - name: related.ip -- external: ecs - name: related.user -- external: ecs - name: service.address -- external: ecs - name: source.address -- external: ecs - name: source.as.number -- external: ecs - name: source.as.organization.name -- external: ecs - name: source.bytes -- external: ecs - name: source.domain -- external: ecs - name: source.geo.city_name -- external: ecs - name: source.geo.continent_name -- external: ecs - name: source.geo.country_iso_code -- external: ecs - name: source.geo.country_name -- external: ecs - name: source.geo.location -- external: ecs - name: source.geo.name -- external: ecs - name: source.geo.region_iso_code -- external: ecs - name: source.geo.region_name -- external: ecs - name: source.ip -- external: ecs - name: tags -- external: ecs - name: user.changes.email -- external: ecs - name: user.changes.full_name -- external: ecs - name: user.changes.name -- external: ecs - name: user.full_name -- external: ecs - name: user.id -- external: ecs - name: user.name -- external: ecs - name: user.target.email -- external: ecs - name: user.target.full_name -- external: ecs - name: user.target.group.id -- external: ecs - name: user.target.group.name -- external: ecs - name: user.target.id -- external: ecs - name: user.target.name diff --git a/packages/atlassian_confluence/docs/README.md b/packages/atlassian_confluence/docs/README.md index 06e7f9e9bce..cbc3e6425f0 100644 
--- a/packages/atlassian_confluence/docs/README.md +++ b/packages/atlassian_confluence/docs/README.md @@ -19,15 +19,7 @@ The Confluence integration collects audit logs from the audit log files or the a | Field | Description | Type | |---|---|---| | @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | | cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | | confluence.audit.affected_objects | Affected Objects | flattened | | confluence.audit.changed_values | Changed Values | flattened | | confluence.audit.external_collaborator | Whether the user is an external collaborator user | boolean | 
@@ -39,83 +31,16 @@ The Confluence integration collects audit logs from the audit log files or the a | confluence.audit.type.category | Category | keyword | | confluence.audit.type.categoryI18nKey | categoryI18nKey | keyword | | confluence.audit.type.level | Audit Level | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | | data_stream.dataset | Data stream dataset. | constant_keyword | | data_stream.namespace | Data stream namespace. | constant_keyword | | data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.message | Error message. | match_only_text | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. 
This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date | | event.dataset | Event dataset | constant_keyword | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword | | event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. 
This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| group.id | Unique identifier for the group on the system/platform. | keyword | -| group.name | Name of the group. | keyword | -| host.architecture | Operating system architecture. | keyword | | host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | host.os.build | OS build information. | keyword | | host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. 
| keyword | | input.type | Input type | keyword | -| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | | log.offset | Log offset | long | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| service.address | Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). | keyword | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. 
| keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| tags | List of keywords used to tag each event. | keyword | -| user.changes.email | User email address. | keyword | -| user.changes.full_name | User's full name, if available. | keyword | -| user.changes.full_name.text | Multi-field of `user.changes.full_name`. | match_only_text | -| user.changes.name | Short name or login of the user. | keyword | -| user.changes.name.text | Multi-field of `user.changes.name`. | match_only_text | -| user.full_name | User's full name, if available. | keyword | -| user.full_name.text | Multi-field of `user.full_name`. | match_only_text | -| user.id | Unique identifier of the user. | keyword | -| user.name | Short name or login of the user. | keyword | -| user.name.text | Multi-field of `user.name`. | match_only_text | -| user.target.email | User email address. | keyword | -| user.target.full_name | User's full name, if available. | keyword | -| user.target.full_name.text | Multi-field of `user.target.full_name`. | match_only_text | -| user.target.group.id | Unique identifier for the group on the system/platform. | keyword | -| user.target.group.name | Name of the group. | keyword | -| user.target.id | Unique identifier of the user. | keyword | -| user.target.name | Short name or login of the user. | keyword | -| user.target.name.text | Multi-field of `user.target.name`. | match_only_text | An example event for `audit` looks as following: 
diff --git a/packages/atlassian_confluence/manifest.yml b/packages/atlassian_confluence/manifest.yml index 2a69a95862d..1db4b34d02c 100644 --- a/packages/atlassian_confluence/manifest.yml +++ b/packages/atlassian_confluence/manifest.yml @@ -1,7 +1,7 @@ format_version: "3.0.2" name: atlassian_confluence title: Atlassian Confluence -version: "1.24.0" +version: "1.25.0" description: Collect logs from Atlassian Confluence with Elastic Agent. type: integration categories: @@ -9,7 +9,7 @@ categories: - productivity_security conditions: kibana: - version: "^8.12.0" + version: "^8.13.0" icons: - src: /img/confluence-logo.svg title: Confluence Logo diff --git a/packages/atlassian_jira/changelog.yml b/packages/atlassian_jira/changelog.yml index 4deb00a2021..e45e96a061b 100644 --- a/packages/atlassian_jira/changelog.yml +++ b/packages/atlassian_jira/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.26.0" + changes: + - description: Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template. + type: enhancement + link: https://github.com/elastic/integrations/pull/10135 - version: "1.25.0" changes: - description: Improve handling of empty responses. diff --git a/packages/atlassian_jira/data_stream/audit/fields/agent.yml b/packages/atlassian_jira/data_stream/audit/fields/agent.yml index e313ec82874..48f513b61aa 100644 --- a/packages/atlassian_jira/data_stream/audit/fields/agent.yml +++ b/packages/atlassian_jira/data_stream/audit/fields/agent.yml 
@@ -5,180 +5,15 @@
 footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
 type: group
 fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
-
- Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
 - name: image.id
 type: keyword
 description: Image ID for the cloud instance.
-- name: container
- title: Container
- group: 2
- description: 'Container fields are used for meta information about the specific container that is the source of information.
-
- These fields help correlate data based containers from any runtime.'
- type: group
- fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container id.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
 - name: host
 title: Host
 group: 2
- description: 'A host is defined as a general computing instance.
-
- ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
+ description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
 type: group
 fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'Name of the domain of which the host is a member.
-
- For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
- example: CONTOSO
- default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host.
-
- It normally contains what the `hostname` command returns on the host machine.'
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Unique host id.
-
- As hostname is not always unique, use values that are meaningful in your environment.
-
- Example: The current usage of `beat.name`.'
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host.
-
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Type of host.
-
- For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
 - name: containerized
 type: boolean
 description: >
diff --git a/packages/atlassian_jira/data_stream/audit/fields/ecs.yml b/packages/atlassian_jira/data_stream/audit/fields/ecs.yml
deleted file mode 100644
index 467fad1fd0b..00000000000
--- a/packages/atlassian_jira/data_stream/audit/fields/ecs.yml
+++ /dev/null
@@ -1,84 +0,0 @@
-- external: ecs
- name: ecs.version
-- external: ecs
- name: error.message
-- external: ecs
- name: event.action
-- external: ecs
- name: event.category
-- external: ecs
- name: event.created
-- external: ecs
- name: event.id
-- external: ecs
- name: event.kind
-- external: ecs
- name: event.original
-- external: ecs
- name: event.outcome
-- external: ecs
- name: event.type
-- external: ecs
- name: group.name
-- external: ecs
- name: log.file.path
-- external: ecs
- name: related.hosts
-- external: ecs
- name: related.ip
-- external: ecs
- name: related.user
-- external: ecs
- name: service.address
-- external: ecs
- name: source.address
-- external: ecs
- name: source.as.number
-- external: ecs
- name: source.as.organization.name
-- external: ecs
- name: source.bytes
-- external: ecs
- name: source.domain
-- external: ecs
- name: source.geo.city_name
-- external: ecs
- name: source.geo.continent_name
-- external: ecs
- name: source.geo.country_iso_code
-- external: ecs
- name: source.geo.country_name
-- external: ecs
- name: source.geo.location
-- external: ecs
- name: source.geo.name
-- external: ecs
- name: source.geo.region_iso_code
-- external: ecs
- name: source.geo.region_name
-- external: ecs
- name: source.ip
-- external: ecs
- name: tags
-- external: ecs
- name: user.changes.email
-- external: ecs
- name: user.changes.full_name
-- external: ecs
- name: user.changes.name
-- external: ecs
- name: user.full_name
-- external: ecs
- name: user.id
-- external: ecs
- name: user.name
-- external: ecs
- name: user.target.email
-- external: ecs
- name: user.target.full_name
-- external: ecs
- name: user.target.group.name
-- external: ecs
- name: user.target.id
-- external: ecs
- name: user.target.name
diff --git a/packages/atlassian_jira/docs/README.md b/packages/atlassian_jira/docs/README.md
index 14c04d88b18..aa3fb18d168 100644
--- a/packages/atlassian_jira/docs/README.md
+++ b/packages/atlassian_jira/docs/README.md
@@ -19,52 +19,15 @@ The Jira integration collects audit logs from the audit log files or the audit A
 | Field | Description | Type |
 |---|---|---|
 | @timestamp | Event timestamp. | date |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
 | cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
 | data_stream.dataset | Data stream dataset. | constant_keyword |
 | data_stream.namespace | Data stream namespace. | constant_keyword |
 | data_stream.type | Data stream type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| error.message | Error message. | match_only_text |
-| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date |
 | event.dataset | Event dataset | constant_keyword |
-| event.id | Unique ID to describe the event. | keyword |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword |
 | event.module | Event module | constant_keyword |
-| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
-| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| group.name | Name of the group. | keyword |
-| host.architecture | Operating system architecture. | keyword |
 | host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
 | host.os.build | OS build information. | keyword |
 | host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
 | input.type | Input type | keyword |
 | jira.audit.affected_objects | Affected Objects | flattened |
 | jira.audit.changed_values | Changed Values | flattened |
@@ -76,45 +39,7 @@ The Jira integration collects audit logs from the audit log files or the audit A
 | jira.audit.type.category | Category | keyword |
 | jira.audit.type.categoryI18nKey | categoryI18nKey | keyword |
 | jira.audit.type.level | Audit Level | keyword |
-| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword |
 | log.offset | Log offset | long |
-| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| related.user | All the user names or other user identifiers seen on the event. | keyword |
-| service.address | Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). | keyword |
-| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| source.as.organization.name | Organization name. | keyword |
-| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text |
-| source.bytes | Bytes sent from the source to the destination. | long |
-| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
-| source.geo.city_name | City name. | keyword |
-| source.geo.continent_name | Name of the continent. | keyword |
-| source.geo.country_iso_code | Country ISO code. | keyword |
-| source.geo.country_name | Country name. | keyword |
-| source.geo.location | Longitude and latitude. | geo_point |
-| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
-| source.geo.region_iso_code | Region ISO code. | keyword |
-| source.geo.region_name | Region name. | keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| tags | List of keywords used to tag each event. | keyword |
-| user.changes.email | User email address. | keyword |
-| user.changes.full_name | User's full name, if available. | keyword |
-| user.changes.full_name.text | Multi-field of `user.changes.full_name`. | match_only_text |
-| user.changes.name | Short name or login of the user. | keyword |
-| user.changes.name.text | Multi-field of `user.changes.name`. | match_only_text |
-| user.full_name | User's full name, if available. | keyword |
-| user.full_name.text | Multi-field of `user.full_name`. | match_only_text |
-| user.id | Unique identifier of the user. | keyword |
-| user.name | Short name or login of the user. | keyword |
-| user.name.text | Multi-field of `user.name`. | match_only_text |
-| user.target.email | User email address. | keyword |
-| user.target.full_name | User's full name, if available. | keyword |
-| user.target.full_name.text | Multi-field of `user.target.full_name`. | match_only_text |
-| user.target.group.name | Name of the group. | keyword |
-| user.target.id | Unique identifier of the user. | keyword |
-| user.target.name | Short name or login of the user. | keyword |
-| user.target.name.text | Multi-field of `user.target.name`. | match_only_text |
 An example event for `audit` looks as following:
diff --git a/packages/atlassian_jira/manifest.yml b/packages/atlassian_jira/manifest.yml
index 9f9dc5bc0f1..5c8f9322dca 100644
--- a/packages/atlassian_jira/manifest.yml
+++ b/packages/atlassian_jira/manifest.yml
@@ -1,7 +1,7 @@
 format_version: "3.0.2"
 name: atlassian_jira
 title: Atlassian Jira
-version: "1.25.0"
+version: "1.26.0"
 description: Collect logs from Atlassian Jira with Elastic Agent.
 type: integration
 categories:
@@ -9,7 +9,7 @@ categories:
 - productivity_security
 conditions:
 kibana:
- version: "^8.12.0"
+ version: "^8.13.0"
 icons:
 - src: /img/jira-software-logo.svg
 title: Jira Software Logo
diff --git a/packages/auth0/changelog.yml b/packages/auth0/changelog.yml
index a0a8fa2997c..108a9137866 100644
--- a/packages/auth0/changelog.yml
+++ b/packages/auth0/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.16.0"
+ changes:
+ - description: Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/10135
 - version: "1.15.0"
 changes:
 - description: Set sensitive values as secret.
diff --git a/packages/auth0/data_stream/logs/fields/ecs.yml b/packages/auth0/data_stream/logs/fields/ecs.yml
deleted file mode 100644
index 0dbcc9a5ffa..00000000000
--- a/packages/auth0/data_stream/logs/fields/ecs.yml
+++ /dev/null
@@ -1,128 +0,0 @@
-- external: ecs
- name: destination.user.domain
-- external: ecs
- name: destination.user.id
-- external: ecs
- name: destination.user.name
-- external: ecs
- name: ecs.version
-- external: ecs
- name: event.action
-- external: ecs
- name: event.category
-- external: ecs
- name: event.code
-- external: ecs
- name: event.created
-- external: ecs
- name: event.ingested
-- external: ecs
- name: event.kind
-- external: ecs
- name: event.outcome
-- external: ecs
- name: event.original
-- external: ecs
- name: event.provider
-- external: ecs
- name: event.sequence
-- external: ecs
- name: event.type
-- external: ecs
- name: event.id
-- external: ecs
- name: file.directory
-- external: ecs
- name: file.extension
-- external: ecs
- name: file.name
-- external: ecs
- name: file.path
-- external: ecs
- name: host.name
-- external: ecs
- name: log.level
-- external: ecs
- name: process.args
-- external: ecs
- name: process.args_count
-- external: ecs
- name: process.command_line
-- external: ecs
- name: process.entity_id
-- external: ecs
- name: process.executable
-- external: ecs
- name: process.name
-- external: ecs
- name: process.pid
-- external: ecs
- name: process.title
-- external: ecs
- name: related.hash
-- external: ecs
- name: related.hosts
-- external: ecs
- name: related.ip
-- external: ecs
- name: related.user
-- external: ecs
- name: source.user.domain
-- external: ecs
- name: source.user.id
-- external: ecs
- name: source.user.name
-- external: ecs
- name: user.domain
-- external: ecs
- name: user.id
-- external: ecs
- name: user.name
-- external: ecs
- name: source.ip
-- external: ecs
- name: network.type
-- external: ecs
- name: source.as.number
-- external: ecs
- name: source.as.organization.name
-- external: ecs
- name: source.geo.city_name
-- external: ecs
- name: source.geo.continent_name
-- external: ecs
- name: source.geo.country_iso_code
-- external: ecs
- name: source.geo.country_name
-- external: ecs
- name: source.geo.location
-- external: ecs
- name: source.geo.name
-- external: ecs
- name: source.geo.region_iso_code
-- external: ecs
- name: source.geo.region_name
-- external: ecs
- name: user_agent.name
-- external: ecs
- name: user_agent.device.name
-- external: ecs
- name: user_agent.original
-- external: ecs
- name: user_agent.version
-- external: ecs
- name: user_agent.os.family
-- external: ecs
- name: user_agent.os.full
-- external: ecs
- name: user_agent.os.kernel
-- external: ecs
- name: user_agent.os.name
-- external: ecs
- name: user_agent.os.platform
-- external: ecs
- name: user_agent.os.type
-- external: ecs
- name: user_agent.os.version
-- external: ecs
- name: tags
diff --git a/packages/auth0/docs/README.md b/packages/auth0/docs/README.md
index 0d25dae75f8..c6cd7a81b1a 100644
--- a/packages/auth0/docs/README.md
+++ b/packages/auth0/docs/README.md
@@ -87,85 +87,9 @@ The Auth0 logs dataset provides events from Auth0 log stream. All Auth0 log even
 | data_stream.dataset | Data stream dataset. | constant_keyword |
 | data_stream.namespace | Data stream namespace. | constant_keyword |
 | data_stream.type | Data stream type. | constant_keyword |
-| destination.user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
-| destination.user.id | Unique identifier of the user. | keyword |
-| destination.user.name | Short name or login of the user. | keyword |
-| destination.user.name.text | Multi-field of `destination.user.name`. | match_only_text |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword |
-| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date |
 | event.dataset | Event timestamp. | constant_keyword |
-| event.id | Unique ID to describe the event. | keyword |
-| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword |
 | event.module | Event timestamp. | constant_keyword |
-| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
-| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword |
-| event.provider | Source of the event. Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). | keyword |
-| event.sequence | Sequence number of the event. The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision. | long |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| file.directory | Directory where the file is located. It should include the drive letter, when appropriate. | keyword |
-| file.extension | File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword |
-| file.name | Name of the file including the extension, without the directory. | keyword |
-| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword |
-| file.path.text | Multi-field of `file.path`. | match_only_text |
-| host.name | Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name (FQDN), or a name specified by the user. The recommended value is the lowercase FQDN of the host. | keyword |
 | input.type | Input type. | keyword |
-| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword |
-| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword |
-| process.args | Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information. | keyword |
-| process.args_count | Length of the process.args array. This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. | long |
-| process.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard |
-| process.command_line.text | Multi-field of `process.command_line`. | match_only_text |
-| process.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword |
-| process.executable | Absolute path to the process executable. | keyword |
-| process.executable.text | Multi-field of `process.executable`. | match_only_text |
-| process.name | Process name. Sometimes called program name or similar. | keyword |
-| process.name.text | Multi-field of `process.name`. | match_only_text |
-| process.pid | Process id. | long |
-| process.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword |
-| process.title.text | Multi-field of `process.title`. | match_only_text |
-| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword |
-| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| related.user | All the user names or other user identifiers seen on the event. | keyword |
-| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| source.as.organization.name | Organization name. | keyword |
-| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text |
-| source.geo.city_name | City name. | keyword |
-| source.geo.continent_name | Name of the continent. | keyword |
-| source.geo.country_iso_code | Country ISO code. | keyword |
-| source.geo.country_name | Country name. | keyword |
-| source.geo.location | Longitude and latitude. | geo_point |
-| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
-| source.geo.region_iso_code | Region ISO code. | keyword |
-| source.geo.region_name | Region name. | keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
-| source.user.id | Unique identifier of the user. | keyword |
-| source.user.name | Short name or login of the user. | keyword |
-| source.user.name.text | Multi-field of `source.user.name`. | match_only_text |
-| tags | List of keywords used to tag each event. | keyword |
-| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
-| user.id | Unique identifier of the user. | keyword |
-| user.name | Short name or login of the user. | keyword |
-| user.name.text | Multi-field of `user.name`. | match_only_text |
-| user_agent.device.name | Name of the device. | keyword |
-| user_agent.name | Name of the user agent. | keyword |
-| user_agent.original | Unparsed user_agent string. | keyword |
-| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text |
-| user_agent.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| user_agent.os.full | Operating system name, including the version or code name. | keyword |
-| user_agent.os.full.text | Multi-field of `user_agent.os.full`. | match_only_text |
-| user_agent.os.kernel | Operating system kernel version as a raw string. | keyword |
-| user_agent.os.name | Operating system name, without the version. | keyword |
-| user_agent.os.name.text | Multi-field of `user_agent.os.name`. | match_only_text |
-| user_agent.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| user_agent.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. If the OS you're dealing with is not listed as an expected value, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword |
-| user_agent.os.version | Operating system version as a raw string. | keyword |
-| user_agent.version | Version of the user agent. | keyword |
 An example event for `logs` looks as following:
diff --git a/packages/auth0/manifest.yml b/packages/auth0/manifest.yml
index 3c28fe3fd23..f1108d1a8d2 100644
--- a/packages/auth0/manifest.yml
+++ b/packages/auth0/manifest.yml
@@ -1,7 +1,7 @@
 format_version: "3.0.2"
 name: auth0
 title: "Auth0"
-version: "1.15.0"
+version: "1.16.0"
 description: Collect logs from Auth0 with Elastic Agent.
 type: integration
 categories:
@@ -9,7 +9,7 @@ categories:
 - iam
 conditions:
 kibana:
- version: ^8.12.0
+ version: "^8.13.0"
 screenshots:
 - src: /img/auth0-screenshot.png
 title: Auth0 Dashboard
diff --git a/packages/aws_bedrock/changelog.yml b/packages/aws_bedrock/changelog.yml index dc35ffa9c52..7d90ba0347f 100644 --- a/packages/aws_bedrock/changelog.yml +++ b/packages/aws_bedrock/changelog.yml @@ -1,3 +1,8 @@ +- version: "0.2.0" + changes: + - description: Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template. + type: enhancement + link: https://github.com/elastic/integrations/pull/10135 - version: "0.1.3" changes: - description: Fix name canonicalization routines. diff --git a/packages/aws_bedrock/data_stream/invocation/fields/agent.yml b/packages/aws_bedrock/data_stream/invocation/fields/agent.yml index 1efbd1f3b9a..4481cca42e2 100644 --- a/packages/aws_bedrock/data_stream/invocation/fields/agent.yml +++ b/packages/aws_bedrock/data_stream/invocation/fields/agent.yml 
@@ -1,65 +1,12 @@ - name: cloud type: group fields: - - name: account.id - external: ecs - - name: availability_zone - external: ecs - - name: instance.id - external: ecs - - name: instance.name - external: ecs - - name: machine.type - external: ecs - - name: provider - external: ecs - - name: region - external: ecs - - name: project.id - external: ecs - name: image.id type: keyword description: Image ID for the cloud instance. -- name: container - type: group - fields: - - name: id - external: ecs - - name: image.name - external: ecs - - name: labels - external: ecs - - name: name - external: ecs - name: host type: group fields: - - name: architecture - external: ecs - - name: domain - external: ecs - - name: hostname - external: ecs - - name: id - external: ecs - - name: ip - external: ecs - - name: mac - external: ecs - - name: name - external: ecs - - name: os.family - external: ecs - - name: os.kernel - external: ecs - - name: os.name - external: ecs - - name: os.platform - external: ecs - - name: os.version - external: ecs - - name: type - external: ecs - name: containerized type: boolean description: > diff --git a/packages/aws_bedrock/data_stream/invocation/fields/ecs.yml b/packages/aws_bedrock/data_stream/invocation/fields/ecs.yml deleted file mode 100644 index aabaf0c27ab..00000000000 --- a/packages/aws_bedrock/data_stream/invocation/fields/ecs.yml +++ /dev/null @@ -1,10 +0,0 @@ -- external: ecs - name: ecs.version -- external: ecs - name: message -- name: event.original - external: ecs -- name: tags - external: ecs -- name: user.id - external: ecs diff --git a/packages/aws_bedrock/data_stream/invocation/fields/input.yml b/packages/aws_bedrock/data_stream/invocation/fields/input.yml index 9710d7290f6..e7adaa1f668 100644 --- a/packages/aws_bedrock/data_stream/invocation/fields/input.yml +++ b/packages/aws_bedrock/data_stream/invocation/fields/input.yml 
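Review bot: The deleted ecs.yml drops the `event.original` declaration, which via `external: ecs` gave the field its non-indexed, no-doc-values keyword mapping (the README row removed later in this patch still describes it as not searchable and only retrievable from `_source`). After this hunk the mapping comes entirely from the stack's ecs@mappings component template, which is presumably why the Kibana constraint moves to ^8.13.0; it is worth confirming that the template keeps `event.original` non-indexed, because otherwise any raw invocation payloads copied into that field become ordinary indexed keywords, subject to ignore_above truncation and a noticeably larger index footprint. If the template's behaviour differs, keeping a local definition such as `- name: event.original`, `type: keyword`, `index: false` (with `doc_values: false`) in this data stream is the cheap way to pin it.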
@@ -20,8 +20,6 @@ - name: object.key type: keyword description: Name of the S3 object that this log retrieved from. -- name: log.file.path - external: ecs - name: log.offset type: long description: Log offset diff --git a/packages/aws_bedrock/docs/README.md b/packages/aws_bedrock/docs/README.md index 87f610cc231..97f7abfc060 100644 --- a/packages/aws_bedrock/docs/README.md +++ b/packages/aws_bedrock/docs/README.md 
@@ -130,26 +130,12 @@ list log events from the specified log group. | aws_bedrock.invocation.schema_type | | keyword | | aws_bedrock.invocation.schema_version | | keyword | | aws_bedrock.invocation.task_type | | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | | cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host, resource, or service is located. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | | data_stream.dataset | The field can contain anything that makes sense to signify the source of the data. Examples include `nginx.access`, `prometheus`, `endpoint` etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. `event.dataset` should have the same value as `data_stream.dataset`. Beyond the Elasticsearch data stream naming criteria noted above, the `dataset` value has additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword | | data_stream.namespace | A user defined namespace. 
Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with `default`. If no value is used, it falls back to `default`. Beyond the Elasticsearch index naming criteria noted above, `namespace` value has the additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword | | data_stream.type | An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | | event.dataset | Event dataset | constant_keyword | | event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | | gen_ai.analysis.action_recommended | Recommended actions based on the analysis. | keyword | | gen_ai.analysis.findings | Detailed findings from security tools. | nested | | gen_ai.analysis.function | Name of the security or analysis function used. | keyword | 
@@ -214,27 +200,9 @@ list log events from the specified log group. | gen_ai.usage.prompt_tokens | Number of tokens in the user's request. | integer | | gen_ai.user.id | Unique identifier for the user. | keyword | | gen_ai.user.rn | Unique resource name for the user. | keyword | -| host.architecture | Operating system architecture. | keyword | | host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | -| host.name | Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name (FQDN), or a name specified by the user. The recommended value is the lowercase FQDN of the host. | keyword | | host.os.build | OS build information. | keyword | | host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | match_only_text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). 
| keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | input.type | Type of Filebeat input. | keyword | -| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | | log.offset | Log offset | long | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| tags | List of keywords used to tag each event. | keyword | -| user.id | Unique identifier of the user. | keyword | diff --git a/packages/aws_bedrock/manifest.yml b/packages/aws_bedrock/manifest.yml index 3e1d3f54825..d6a160bfcb9 100644 --- a/packages/aws_bedrock/manifest.yml +++ b/packages/aws_bedrock/manifest.yml @@ -3,12 +3,12 @@ name: aws_bedrock title: AWS Bedrock description: Collect AWS Bedrock model invocation logs with Elastic Agent. type: integration -version: "0.1.3" +version: "0.2.0" categories: - aws conditions: kibana: - version: ^8.12.0 + version: "^8.13.0" elastic: subscription: basic policy_templates: diff --git a/packages/azure_blob_storage/_dev/build/build.yml b/packages/azure_blob_storage/_dev/build/build.yml index 71f48ba2a9c..2bfcfc223b0 100644 --- a/packages/azure_blob_storage/_dev/build/build.yml +++ b/packages/azure_blob_storage/_dev/build/build.yml @@ -1,4 +1,3 @@ dependencies: ecs: reference: "git@v8.11.0" - import_mappings: true 
diff --git a/packages/azure_blob_storage/changelog.yml b/packages/azure_blob_storage/changelog.yml index e0938fa7a04..fd1807dc970 100644 --- a/packages/azure_blob_storage/changelog.yml +++ b/packages/azure_blob_storage/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "2.1.0" + changes: + - description: ECS version updated to 8.11.0. Removed import_mappings. Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template. + type: enhancement + link: https://github.com/elastic/integrations/pull/10135 - version: "2.0.0" changes: - description: Converted Azure Blob Storage to input package type. diff --git a/packages/azure_blob_storage/fields/agent.yml b/packages/azure_blob_storage/fields/agent.yml index 230f7bc911d..9638d2992eb 100644 --- a/packages/azure_blob_storage/fields/agent.yml +++ b/packages/azure_blob_storage/fields/agent.yml @@ -5,9 +5,6 @@ footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' type: group fields: - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - name: image.id type: keyword description: Image ID for the cloud instance. diff --git a/packages/azure_blob_storage/fields/beats.yml b/packages/azure_blob_storage/fields/beats.yml index 8c03b061f7c..6d9a7862671 100644 --- a/packages/azure_blob_storage/fields/beats.yml +++ b/packages/azure_blob_storage/fields/beats.yml @@ -1,9 +1,6 @@ - name: input.type description: Type of Filebeat input. type: keyword -- name: tags - type: keyword - description: User defined tags - name: log.offset type: long description: Log offset 
diff --git a/packages/azure_blob_storage/manifest.yml b/packages/azure_blob_storage/manifest.yml index 56f183ea3db..dfba13faa95 100644 --- a/packages/azure_blob_storage/manifest.yml +++ b/packages/azure_blob_storage/manifest.yml @@ -3,10 +3,10 @@ name: azure_blob_storage title: Custom Azure Blob Storage Input description: Collect log data from configured Azure Blob Storage Container with Elastic Agent. type: input -version: "2.0.0" +version: "2.1.0" conditions: kibana: - version: "^8.12.0" + version: "^8.13.0" categories: - custom - cloud @@ -92,7 +92,6 @@ policy_templates: title: Containers description: > This attribute contains the details about a specific container like, name, number_of_workers, poll, poll_interval etc. The attribute 'name' is specific to a container as it describes the container name, while the fields number_of_workers, poll, poll_interval can exist both at the container level and at the global level. If you have already defined the attributes globally, then you can only specify the container name in this yaml config. If you want to override any specific attribute for a container, then, you can define it here. Any attribute defined in the yaml will override the global definitions. Please see the relevant [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-azure-blob-storage.html#attrib-containers) for further information. - required: true show_user: true default: | @@ -114,7 +113,6 @@ policy_templates: # - regex: "event/" description: > If the container will have events that correspond to files that this integration shouldn’t process, file_selectors can be used to limit the files that are downloaded. This is a list of selectors which is made up of regex patters. The regex should match the container filepath. Regexes use [RE2 syntax](https://pkg.go.dev/regexp/syntax). Files that don’t match one of the regexes will not be processed. - - name: timestamp_epoch type: integer title: Timestamp Epoch 
@@ -129,7 +127,6 @@ policy_templates: show_user: false description: > If the file-set using this input expects to receive multiple messages bundled under a specific field or an array of objects then the config option for 'expand_event_list_from_field' can be specified. This setting will be able to split the messages under the group value into separate events. This can be specified at the global level or at the container level. For more info please refer to the [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-azure-blob-storage.html#attrib-expand_event_list_from_field). - - name: preserve_original_event required: true show_user: true diff --git a/packages/azure_blob_storage/sample_event.json b/packages/azure_blob_storage/sample_event.json index f69f9e1774f..29ba5dedc8b 100644 --- a/packages/azure_blob_storage/sample_event.json +++ b/packages/azure_blob_storage/sample_event.json @@ -27,7 +27,7 @@ "type": "logs" }, "ecs": { - "version": "8.0.0" + "version": "8.11.0" }, "elastic_agent": { "id": "08985f2a-c29f-4867-90dc-787df2a6e4ce", diff --git a/packages/azure_frontdoor/changelog.yml b/packages/azure_frontdoor/changelog.yml index 95c4f7a0305..8ac051e2d31 100644 --- a/packages/azure_frontdoor/changelog.yml +++ b/packages/azure_frontdoor/changelog.yml @@ -1,3 +1,8 @@ +- version: "1.8.0" + changes: + - description: Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template. + type: enhancement + link: https://github.com/elastic/integrations/pull/10135 - version: "1.7.0" changes: - description: Set sensitive values as secret. diff --git a/packages/azure_frontdoor/data_stream/access/fields/agent.yml b/packages/azure_frontdoor/data_stream/access/fields/agent.yml index bca66ea4ae0..4b15225a4d4 100644 --- a/packages/azure_frontdoor/data_stream/access/fields/agent.yml +++ b/packages/azure_frontdoor/data_stream/access/fields/agent.yml 
@@ -1,56 +1,6 @@ -- name: cloud.account.id - external: ecs -- name: cloud.availability_zone - external: ecs -- name: cloud.instance.id - external: ecs -- name: cloud.instance.name - external: ecs -- name: cloud.machine.type - external: ecs -- name: cloud.provider - external: ecs -- name: cloud.region - external: ecs -- name: cloud.project.id - external: ecs - name: cloud.image.id type: keyword description: Image ID for the cloud instance. -- name: container.id - external: ecs -- name: container.image.name - external: ecs -- name: container.labels - external: ecs -- name: container.name - external: ecs -- name: host.architecture - external: ecs -- name: host.domain - external: ecs -- name: host.hostname - external: ecs -- name: host.id - external: ecs -- name: host.ip - external: ecs -- name: host.mac - external: ecs -- name: host.name - external: ecs -- name: host.os.family - external: ecs -- name: host.os.kernel - external: ecs -- name: host.os.name - external: ecs -- name: host.os.platform - external: ecs -- name: host.os.version - external: ecs -- name: host.type - external: ecs - name: host.containerized type: boolean description: If the host is a container. diff --git a/packages/azure_frontdoor/data_stream/access/fields/base-fields.yml b/packages/azure_frontdoor/data_stream/access/fields/base-fields.yml index f245714ba9e..208aa91eeb8 100644 --- a/packages/azure_frontdoor/data_stream/access/fields/base-fields.yml +++ b/packages/azure_frontdoor/data_stream/access/fields/base-fields.yml @@ -16,6 +16,3 @@ - name: log.offset type: long description: Log offset. -- name: log.file.path - type: keyword - description: Log file path. diff --git a/packages/azure_frontdoor/data_stream/access/fields/ecs.yml b/packages/azure_frontdoor/data_stream/access/fields/ecs.yml deleted file mode 100644 index f2d91664dec..00000000000 --- a/packages/azure_frontdoor/data_stream/access/fields/ecs.yml +++ /dev/null 
@@ -1,114 +0,0 @@ -- name: client.ip - external: ecs -- name: client.address - external: ecs -- name: client.port - external: ecs -- name: destination.address - external: ecs -- name: destination.as.number - external: ecs -- name: destination.as.organization.name - external: ecs -- name: destination.ip - external: ecs -- name: destination.port - external: ecs -- name: ecs.version - external: ecs -- name: message - external: ecs -- name: event.action - external: ecs -- name: event.category - external: ecs -- name: event.created - external: ecs -- name: event.id - external: ecs -- name: event.ingested - external: ecs -- name: event.kind - external: ecs -- name: event.type - external: ecs -- name: file.mime_type - external: ecs -- name: file.size - external: ecs -- name: network.community_id - external: ecs -- name: network.protocol - external: ecs -- name: related.ip - external: ecs -- name: related.user - external: ecs -- name: source.address - external: ecs -- name: source.as.number - external: ecs -- name: source.as.organization.name - external: ecs -- name: log.level - external: ecs -- name: source.geo.city_name - external: ecs -- name: source.geo.continent_name - external: ecs -- name: source.geo.country_iso_code - external: ecs -- name: source.geo.country_name - external: ecs -- name: source.geo.location - external: ecs -- name: source.geo.name - external: ecs -- name: source.geo.region_iso_code - external: ecs -- name: source.geo.region_name - external: ecs -- name: source.ip - external: ecs -- name: source.port - external: ecs -- name: user.full_name - external: ecs -- name: user.domain - external: ecs -- name: user.id - external: ecs -- name: user.name - external: ecs -- name: tags - external: ecs -- name: url.original - external: ecs -- name: http.request.bytes - external: ecs -- name: http.request.method - external: ecs -- name: http.response.bytes - external: ecs -- name: http.response.status_code - external: ecs -- name: http.version - external: ecs -- 
name: tls.version - external: ecs -- name: tls.version_protocol - external: ecs -- name: user_agent.original - external: ecs -- name: user_agent.device.name - external: ecs -- name: user_agent.name - external: ecs -- name: user_agent.os.full - external: ecs -- name: user_agent.os.name - external: ecs -- name: user_agent.os.version - external: ecs -- name: user_agent.version - external: ecs diff --git a/packages/azure_frontdoor/data_stream/waf/fields/agent.yml b/packages/azure_frontdoor/data_stream/waf/fields/agent.yml index bca66ea4ae0..4b15225a4d4 100644 --- a/packages/azure_frontdoor/data_stream/waf/fields/agent.yml +++ b/packages/azure_frontdoor/data_stream/waf/fields/agent.yml @@ -1,56 +1,6 @@ -- name: cloud.account.id - external: ecs -- name: cloud.availability_zone - external: ecs -- name: cloud.instance.id - external: ecs -- name: cloud.instance.name - external: ecs -- name: cloud.machine.type - external: ecs -- name: cloud.provider - external: ecs -- name: cloud.region - external: ecs -- name: cloud.project.id - external: ecs - name: cloud.image.id type: keyword description: Image ID for the cloud instance. -- name: container.id - external: ecs -- name: container.image.name - external: ecs -- name: container.labels - external: ecs -- name: container.name - external: ecs -- name: host.architecture - external: ecs -- name: host.domain - external: ecs -- name: host.hostname - external: ecs -- name: host.id - external: ecs -- name: host.ip - external: ecs -- name: host.mac - external: ecs -- name: host.name - external: ecs -- name: host.os.family - external: ecs -- name: host.os.kernel - external: ecs -- name: host.os.name - external: ecs -- name: host.os.platform - external: ecs -- name: host.os.version - external: ecs -- name: host.type - external: ecs - name: host.containerized type: boolean description: If the host is a container. 
diff --git a/packages/azure_frontdoor/data_stream/waf/fields/base-fields.yml b/packages/azure_frontdoor/data_stream/waf/fields/base-fields.yml index f245714ba9e..208aa91eeb8 100644 --- a/packages/azure_frontdoor/data_stream/waf/fields/base-fields.yml +++ b/packages/azure_frontdoor/data_stream/waf/fields/base-fields.yml @@ -16,6 +16,3 @@ - name: log.offset type: long description: Log offset. -- name: log.file.path - type: keyword - description: Log file path. diff --git a/packages/azure_frontdoor/data_stream/waf/fields/ecs.yml b/packages/azure_frontdoor/data_stream/waf/fields/ecs.yml deleted file mode 100644 index 7e9667634cb..00000000000 --- a/packages/azure_frontdoor/data_stream/waf/fields/ecs.yml +++ /dev/null 
@@ -1,90 +0,0 @@ -- name: client.ip - external: ecs -- name: client.address - external: ecs -- name: client.port - external: ecs -- name: destination.address - external: ecs -- name: destination.as.number - external: ecs -- name: destination.as.organization.name - external: ecs -- name: destination.ip - external: ecs -- name: destination.port - external: ecs -- name: ecs.version - external: ecs -- name: message - external: ecs -- name: event.action - external: ecs -- name: event.category - external: ecs -- name: event.created - external: ecs -- name: event.id - external: ecs -- name: event.ingested - external: ecs -- name: event.kind - external: ecs -- name: event.type - external: ecs -- name: file.mime_type - external: ecs -- name: file.size - external: ecs -- name: network.community_id - external: ecs -- name: network.protocol - external: ecs -- name: related.ip - external: ecs -- name: related.user - external: ecs -- name: source.address - external: ecs -- name: source.as.number - external: ecs -- name: source.as.organization.name - external: ecs -- name: log.level - external: ecs -- name: source.geo.city_name - external: ecs -- name: source.geo.continent_name - external: ecs -- name: source.geo.country_iso_code - external: ecs -- name: source.geo.country_name - external: ecs -- name: source.geo.location - external: ecs -- name: source.geo.name - external: ecs -- name: source.geo.region_iso_code - external: ecs -- name: source.geo.region_name - external: ecs -- name: source.ip - external: ecs -- name: source.port - external: ecs -- name: user.full_name - external: ecs -- name: user.domain - external: ecs -- name: user.id - external: ecs -- name: user.name - external: ecs -- name: tags - external: ecs -- name: url.original - external: ecs -- name: url.domain - external: ecs -- name: rule.name - external: ecs diff --git a/packages/azure_frontdoor/docs/README.md b/packages/azure_frontdoor/docs/README.md index 09930e849bf..45b6d1c7253 100644 
--- a/packages/azure_frontdoor/docs/README.md
+++ b/packages/azure_frontdoor/docs/README.md
@@ -73,107 +73,15 @@ Users can also use this in case of a Hybrid Cloud model, where one may define th
 | azure.frontdoor.operation_name | Azure operation name. | keyword |
 | azure.frontdoor.resource_id | Azure Resource ID. | keyword |
 | azure.frontdoor.tracking_reference | The unique reference string that identifies a request served by AFD, also sent as X-Azure-Ref header to the client. Required for searching details in the access logs for a specific request. | keyword |
-| client.address | Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| client.ip | IP address of the client (IPv4 or IPv6). | ip |
-| client.port | Port of the client. | long |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword |
 | cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host, resource, or service is located. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. 
| object |
-| container.name | Container name. | keyword |
 | data_stream.dataset | Data stream dataset. | constant_keyword |
 | data_stream.namespace | Data stream namespace. | constant_keyword |
 | data_stream.type | Data stream type. | constant_keyword |
-| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| destination.as.organization.name | Organization name. | keyword |
-| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text |
-| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
-| destination.port | Port of the destination. | long |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. 
This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date |
-| event.id | Unique ID to describe the event. | keyword |
-| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. 
`event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| file.mime_type | MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used. | keyword |
-| file.size | File size in bytes. Only relevant when `file.type` is "file". | long |
-| host.architecture | Operating system architecture. | keyword |
 | host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
-| host.name | Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name (FQDN), or a name specified by the user. The recommended value is the lowercase FQDN of the host. | keyword |
 | host.os.build | OS build information. 
| keyword |
 | host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | match_only_text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| http.request.bytes | Total size in bytes of the request (body and headers). | long |
-| http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword |
-| http.response.bytes | Total size in bytes of the response (body and headers). | long |
-| http.response.status_code | HTTP response status code. | long |
-| http.version | HTTP version. | keyword |
 | input.type | Input type. | keyword |
-| log.file.path | Log file path. | keyword |
-| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword |
 | log.offset | Log offset. | long |
-| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. 
If multiple messages exist, they can be combined into one message. | match_only_text |
-| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword |
-| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| related.user | All the user names or other user identifiers seen on the event. | keyword |
-| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| source.as.organization.name | Organization name. | keyword |
-| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text |
-| source.geo.city_name | City name. | keyword |
-| source.geo.continent_name | Name of the continent. | keyword |
-| source.geo.country_iso_code | Country ISO code. | keyword |
-| source.geo.country_name | Country name. | keyword |
-| source.geo.location | Longitude and latitude. | geo_point |
-| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
-| source.geo.region_iso_code | Region ISO code. | keyword |
-| source.geo.region_name | Region name. 
| keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.port | Port of the source. | long |
-| tags | List of keywords used to tag each event. | keyword |
-| tls.version | Numeric part of the version parsed from the original string. | keyword |
-| tls.version_protocol | Normalized lowercase protocol name parsed from original string. | keyword |
-| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard |
-| url.original.text | Multi-field of `url.original`. | match_only_text |
-| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
-| user.full_name | User's full name, if available. | keyword |
-| user.full_name.text | Multi-field of `user.full_name`. | match_only_text |
-| user.id | Unique identifier of the user. | keyword |
-| user.name | Short name or login of the user. | keyword |
-| user.name.text | Multi-field of `user.name`. | match_only_text |
-| user_agent.device.name | Name of the device. | keyword |
-| user_agent.name | Name of the user agent. | keyword |
-| user_agent.original | Unparsed user_agent string. | keyword |
-| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text |
-| user_agent.os.full | Operating system name, including the version or code name. | keyword |
-| user_agent.os.full.text | Multi-field of `user_agent.os.full`. | match_only_text |
-| user_agent.os.name | Operating system name, without the version. | keyword |
-| user_agent.os.name.text | Multi-field of `user_agent.os.name`. | match_only_text |
-| user_agent.os.version | Operating system version as a raw string. | keyword |
-| user_agent.version | Version of the user agent. | keyword |
 ## WAF Logs 
@@ -192,90 +100,13 @@ Users can also use this in case of a Hybrid Cloud model, where one may define th
 | azure.frontdoor.waf.policy | WAF policy name. | keyword |
 | azure.frontdoor.waf.policy_mode | WAF policy mode. | keyword |
 | azure.frontdoor.waf.time | The date and time when the AFD edge delivered requested contents to client (in UTC). | keyword |
-| client.address | Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| client.ip | IP address of the client (IPv4 or IPv6). | ip |
-| client.port | Port of the client. | long |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword |
 | cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host, resource, or service is located. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
 | data_stream.dataset | Data stream dataset. 
| constant_keyword |
 | data_stream.namespace | Data stream namespace. | constant_keyword |
 | data_stream.type | Data stream type. | constant_keyword |
-| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| destination.as.organization.name | Organization name. | keyword |
-| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text |
-| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
-| destination.port | Port of the destination. | long |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. 
| keyword |
-| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date |
-| event.id | Unique ID to describe the event. | keyword |
-| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. 
`event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| file.mime_type | MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used. | keyword |
-| file.size | File size in bytes. Only relevant when `file.type` is "file". | long |
-| host.architecture | Operating system architecture. | keyword |
 | host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
-| host.name | Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name (FQDN), or a name specified by the user. The recommended value is the lowercase FQDN of the host. | keyword |
 | host.os.build | OS build information. 
| keyword |
 | host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | match_only_text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
 | input.type | Input type. | keyword |
-| log.file.path | Log file path. | keyword |
-| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword |
 | log.offset | Log offset. | long |
-| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text |
-| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword |
-| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. 
| keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| related.user | All the user names or other user identifiers seen on the event. | keyword |
-| rule.name | The name of the rule or signature generating the event. | keyword |
-| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| source.as.organization.name | Organization name. | keyword |
-| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text |
-| source.geo.city_name | City name. | keyword |
-| source.geo.continent_name | Name of the continent. | keyword |
-| source.geo.country_iso_code | Country ISO code. | keyword |
-| source.geo.country_name | Country name. | keyword |
-| source.geo.location | Longitude and latitude. | geo_point |
-| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
-| source.geo.region_iso_code | Region ISO code. | keyword |
-| source.geo.region_name | Region name. | keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.port | Port of the source. | long |
-| tags | List of keywords used to tag each event. | keyword |
-| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. 
If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword |
-| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard |
-| url.original.text | Multi-field of `url.original`. | match_only_text |
-| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
-| user.full_name | User's full name, if available. | keyword |
-| user.full_name.text | Multi-field of `user.full_name`. | match_only_text |
-| user.id | Unique identifier of the user. | keyword |
-| user.name | Short name or login of the user. | keyword |
-| user.name.text | Multi-field of `user.name`. | match_only_text |
diff --git a/packages/azure_frontdoor/manifest.yml b/packages/azure_frontdoor/manifest.yml
index 34427459aaa..2bf8e6c01d9 100644
--- a/packages/azure_frontdoor/manifest.yml
+++ b/packages/azure_frontdoor/manifest.yml
@@ -1,7 +1,7 @@
 format_version: "3.0.2"
 name: azure_frontdoor
 title: "Azure Frontdoor"
-version: "1.7.0"
+version: "1.8.0"
 description: "This Elastic integration collects logs from Azure Frontdoor."
 type: integration
 categories:
@@ -11,7 +11,7 @@ categories:
 - web
 conditions:
 kibana:
- version: "^8.12.0"
+ version: "^8.13.0"
 screenshots:
 - src: /img/azure-frontdoor-overview.png
 title: Azure Frontdoor Overview
diff --git a/packages/azure_network_watcher_nsg/_dev/build/build.yml b/packages/azure_network_watcher_nsg/_dev/build/build.yml
index 71f48ba2a9c..2bfcfc223b0 100644
--- a/packages/azure_network_watcher_nsg/_dev/build/build.yml
+++ b/packages/azure_network_watcher_nsg/_dev/build/build.yml
@@ -1,4 +1,3 @@
 dependencies:
 ecs:
 reference: "git@v8.11.0"
- import_mappings: true
diff --git a/packages/azure_network_watcher_nsg/changelog.yml b/packages/azure_network_watcher_nsg/changelog.yml
index 1cc58ec7ce6..8fd6ed043a0 100644
--- a/packages/azure_network_watcher_nsg/changelog.yml
+++ b/packages/azure_network_watcher_nsg/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "0.2.0"
+ changes:
+ - description: Removed import_mappings. Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/10135
 - version: 0.1.0
 changes:
 - description: Initial release.
diff --git a/packages/azure_network_watcher_nsg/data_stream/log/fields/beats.yml b/packages/azure_network_watcher_nsg/data_stream/log/fields/beats.yml
index 80cbae91cae..cc9fcebf29b 100644
--- a/packages/azure_network_watcher_nsg/data_stream/log/fields/beats.yml
+++ b/packages/azure_network_watcher_nsg/data_stream/log/fields/beats.yml
@@ -4,6 +4,3 @@
 - name: log.offset
 type: long
 description: Log offset.
-- name: tags
- type: keyword
- description: User defined tags.
diff --git a/packages/azure_network_watcher_nsg/docs/README.md b/packages/azure_network_watcher_nsg/docs/README.md
index a6733bff235..6a39e15b95d 100644
--- a/packages/azure_network_watcher_nsg/docs/README.md
+++ b/packages/azure_network_watcher_nsg/docs/README.md
@@ -438,5 +438,4 @@ An example event for `log` looks as following:
 | event.module | Event module. | constant_keyword |
 | input.type | Type of Filebeat input. | keyword |
 | log.offset | Log offset. | long |
-| tags | User defined tags. | keyword |
diff --git a/packages/azure_network_watcher_nsg/manifest.yml b/packages/azure_network_watcher_nsg/manifest.yml
index 1a820562ea3..304c80719b0 100644
--- a/packages/azure_network_watcher_nsg/manifest.yml
+++ b/packages/azure_network_watcher_nsg/manifest.yml
@@ -1,7 +1,7 @@
 format_version: 3.1.2
 name: azure_network_watcher_nsg
 title: Azure Network Watcher NSG
-version: 0.1.0
+version: "0.2.0"
 description: Collect logs from Azure Network Watcher NSG with Elastic Agent.
 type: integration
 categories:
@@ -9,7 +9,7 @@ categories:
 - security
 conditions:
 kibana:
- version: ^8.12.0
+ version: "^8.13.0"
 elastic:
 subscription: basic
 screenshots:
diff --git a/packages/azure_network_watcher_vnet/_dev/build/build.yml b/packages/azure_network_watcher_vnet/_dev/build/build.yml
index 71f48ba2a9c..2bfcfc223b0 100644
--- a/packages/azure_network_watcher_vnet/_dev/build/build.yml
+++ b/packages/azure_network_watcher_vnet/_dev/build/build.yml
@@ -1,4 +1,3 @@
 dependencies:
 ecs:
 reference: "git@v8.11.0"
- import_mappings: true
diff --git a/packages/azure_network_watcher_vnet/changelog.yml b/packages/azure_network_watcher_vnet/changelog.yml
index 409cd975795..585b475a4c0 100644
--- a/packages/azure_network_watcher_vnet/changelog.yml
+++ b/packages/azure_network_watcher_vnet/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "0.2.0"
+ changes:
+ - description: Removed import_mappings. Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/10135
 - version: 0.1.0
 changes:
 - description: Initial release.
diff --git a/packages/azure_network_watcher_vnet/data_stream/log/fields/beats.yml b/packages/azure_network_watcher_vnet/data_stream/log/fields/beats.yml
index 80cbae91cae..cc9fcebf29b 100644
--- a/packages/azure_network_watcher_vnet/data_stream/log/fields/beats.yml
+++ b/packages/azure_network_watcher_vnet/data_stream/log/fields/beats.yml
@@ -4,6 +4,3 @@
 - name: log.offset
 type: long
 description: Log offset.
-- name: tags
- type: keyword
- description: User defined tags.
diff --git a/packages/azure_network_watcher_vnet/docs/README.md b/packages/azure_network_watcher_vnet/docs/README.md
index 69013cdbc26..7b6af8bc33f 100644
--- a/packages/azure_network_watcher_vnet/docs/README.md
+++ b/packages/azure_network_watcher_vnet/docs/README.md
@@ -804,5 +804,4 @@ An example event for `log` looks as following:
 | event.module | Event module. | constant_keyword |
 | input.type | Type of Filebeat input. | keyword |
 | log.offset | Log offset. | long |
-| tags | User defined tags. | keyword |
diff --git a/packages/azure_network_watcher_vnet/manifest.yml b/packages/azure_network_watcher_vnet/manifest.yml
index d48d99ff2d8..9f673edf658 100644
--- a/packages/azure_network_watcher_vnet/manifest.yml
+++ b/packages/azure_network_watcher_vnet/manifest.yml
@@ -1,7 +1,7 @@
 format_version: 3.1.2
 name: azure_network_watcher_vnet
 title: Azure Network Watcher VNet
-version: 0.1.0
+version: "0.2.0"
 description: Collect logs from Azure Network Watcher VNet with Elastic Agent.
 type: integration
 categories:
@@ -9,7 +9,7 @@ categories:
 - security
 conditions:
 kibana:
- version: ^8.12.0
+ version: "^8.13.0"
 elastic:
 subscription: basic
 screenshots:
diff --git a/packages/barracuda/changelog.yml b/packages/barracuda/changelog.yml
index d4c288c8f0b..3a2b280f0d1 100644
--- a/packages/barracuda/changelog.yml
+++ b/packages/barracuda/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.14.0"
+ changes:
+ - description: Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/10135
 - version: "1.13.0"
 changes:
 - description: Make `host.ip` field conform to ECS field definition.
diff --git a/packages/barracuda/data_stream/waf/fields/ecs.yml b/packages/barracuda/data_stream/waf/fields/ecs.yml
deleted file mode 100644
index d88833d12a5..00000000000
--- a/packages/barracuda/data_stream/waf/fields/ecs.yml
+++ /dev/null
@@ -1,275 +0,0 @@
-- external: ecs
-  name: client.as.number
-- external: ecs
-  name: client.as.organization.name
-- external: ecs
-  name: client.geo.city_name
-- external: ecs
-  name: client.geo.continent_name
-- external: ecs
-  name: client.geo.country_iso_code
-- external: ecs
-  name: client.geo.country_name
-- external: ecs
-  name: client.geo.location
-- external: ecs
-  name: client.geo.region_iso_code
-- external: ecs
-  name: client.geo.region_name
-- external: ecs
-  name: client.user.name
-- external: ecs
-  name: destination.ip
-- external: ecs
-  name: destination.port
-- external: ecs
-  name: destination.geo.city_name
-- external: ecs
-  name: destination.geo.continent_name
-- external: ecs
-  name: destination.geo.country_iso_code
-- external: ecs
-  name: destination.geo.country_name
-- external: ecs
-  name: destination.geo.location
-- external: ecs
-  name: destination.geo.region_iso_code
-- external: ecs
-  name: destination.geo.region_name
-- external: ecs
-  name: ecs.version
-- external: ecs
-  name: error.message
-- external: ecs
-  name: event.category
-- external: ecs
-  name: event.code
-- external: ecs
-  name: event.created
-- external: ecs
-  name: event.duration
-- external: ecs
-  name: event.end
-- external: ecs
-  name: event.ingested
-- external: ecs
-  name: event.kind
-- external: ecs
-  name: event.provider
-- external: ecs
-  name: event.severity
-- external: ecs
-  name: event.start
-- external: ecs
-  name: event.timezone
-- external: ecs
-  name: event.type
-- external: ecs
-  name: file.path
-- external: ecs
-  name: labels
-- external: ecs
-  name: http.request.id
-- external: ecs
-  name: http.request.referrer
-- external: ecs
-  name: http.request.method
-- external: ecs
-  name: http.request.bytes
-- external: ecs
-  name: http.response.bytes
-- external: ecs
-  name: http.response.status_code
-- external: ecs
-  name: http.version
-- external: ecs
-  name: log.file.path
-- external: ecs
-  name: log.level
-- external: ecs
-  name: message
-- external: ecs
-  name: network.bytes
-- external: ecs
-  name: network.community_id
-- external: ecs
-  name: network.direction
-- external: ecs
-  name: network.forwarded_ip
-- external: ecs
-  name: network.iana_number
-- external: ecs
-  name: network.inner
-  type: group
-- external: ecs
-  name: network.inner.vlan.id
-- external: ecs
-  name: network.inner.vlan.name
-- external: ecs
-  name: network.protocol
-- external: ecs
-  name: network.transport
-- external: ecs
-  name: network.type
-- external: ecs
-  name: observer.egress.interface.name
-- external: ecs
-  name: observer.egress.zone
-- external: ecs
-  name: observer.hostname
-- external: ecs
-  name: observer.ingress.interface.name
-- external: ecs
-  name: observer.ingress.zone
-- external: ecs
-  name: observer.ip
-- external: ecs
-  name: observer.name
-- external: ecs
-  name: observer.product
-- external: ecs
-  name: observer.type
-- external: ecs
-  name: observer.vendor
-- external: ecs
-  name: observer.version
-- external: ecs
-  name: process.name
-- external: ecs
-  name: process.pid
-- external: ecs
-  name: related.hosts
-- external: ecs
-  name: related.ip
-- external: ecs
-  name: related.user
-- external: ecs
-  name: rule.category
-- external: ecs
-  name: rule.description
-- external: ecs
-  name: rule.name
-- external: ecs
-  name: source.address
-- external: ecs
-  name: source.as.number
-- external: ecs
-  name: source.as.organization.name
-- external: ecs
-  name: source.bytes
-- external: ecs
-  name: source.domain
-- external: ecs
-  name: source.geo.city_name
-- external: ecs
-  name: source.geo.continent_name
-- external: ecs
-  name: source.geo.country_iso_code
-- external: ecs
-  name: source.geo.country_name
-- external: ecs
-  name: source.geo.location
-- external: ecs
-  name: source.geo.region_iso_code
-- external: ecs
-  name: source.geo.region_name
-- external: ecs
-  name: source.ip
-- external: ecs
-  name: source.nat.ip
-- external: ecs
-  name: source.nat.port
-- external: ecs
-  name: source.port
-- external: ecs
-  name: source.user.domain
-- external: ecs
-  name: source.user.name
-- external: ecs
-  name: source.user.id
-- external: ecs
-  name: source.user.group.name
-- external: ecs
-  name: tags
-- external: ecs
-  name: url.domain
-- external: ecs
-  name: url.extension
-- external: ecs
-  name: url.fragment
-- external: ecs
-  name: url.full
-- external: ecs
-  name: url.original
-- external: ecs
-  name: url.password
-- external: ecs
-  name: url.path
-- external: ecs
-  name: url.port
-- external: ecs
-  name: url.query
-- external: ecs
-  name: url.registered_domain
-- external: ecs
-  name: url.scheme
-- external: ecs
-  name: url.subdomain
-- external: ecs
-  name: url.top_level_domain
-- external: ecs
-  name: user.id
-- external: ecs
-  name: url.username
-- external: ecs
-  name: user.email
-- external: ecs
-  name: user.name
-- external: ecs
-  name: user_agent.device.name
-- external: ecs
-  name: user_agent.name
-- external: ecs
-  name: user_agent.original
-- external: ecs
-  name: user_agent.os.full
-- external: ecs
-  name: user_agent.os.name
-- external: ecs
-  name: user_agent.os.version
-- external: ecs
-  name: user_agent.version
-- external: ecs
-  name: server.domain
-- external: ecs
-  name: server.address
-- external: ecs
-  name: server.port
-- external: ecs
-  name: server.ip
-- external: ecs
-  name: server.user.name
-- external: ecs
-  name: server.geo.city_name
-- external: ecs
-  name: server.geo.continent_name
-- external: ecs
-  name: server.geo.country_iso_code
-- external: ecs
-  name: server.geo.country_name
-- external: ecs
-  name: server.geo.location
-- external: ecs
-  name: server.geo.region_iso_code
-- external: ecs
-  name: server.geo.region_name
-- external: ecs
-  name: client.domain
-- external: ecs
-  name: client.address
-- external: ecs
-  name: client.port
-- external: ecs
-  name: client.ip
-- external: ecs
-  name: client.user.id
diff --git a/packages/barracuda/docs/README.md b/packages/barracuda/docs/README.md
index e9cc7d27498..087b6616139 100644
--- a/packages/barracuda/docs/README.md
+++ b/packages/barracuda/docs/README.md
@@ -133,160 +133,10 @@ An example event for `waf` looks as following:
 | barracuda.waf.unit_name | Specifies the name of the unit. | keyword |
 | barracuda.waf.user_id | The identifier of the user. | keyword |
 | barracuda.waf.wf_matched | Specifies whether the request is valid. Values:INVALID, VALID. | keyword |
-| client.address | Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| client.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| client.as.organization.name | Organization name. | keyword |
-| client.as.organization.name.text | Multi-field of `client.as.organization.name`. | match_only_text |
-| client.domain | The domain name of the client system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
-| client.geo.city_name | City name. | keyword |
-| client.geo.continent_name | Name of the continent. | keyword |
-| client.geo.country_iso_code | Country ISO code. | keyword |
-| client.geo.country_name | Country name. | keyword |
-| client.geo.location | Longitude and latitude. | geo_point |
-| client.geo.region_iso_code | Region ISO code. | keyword |
-| client.geo.region_name | Region name. | keyword |
-| client.ip | IP address of the client (IPv4 or IPv6). | ip |
-| client.port | Port of the client. | long |
-| client.user.id | Unique identifier of the user. | keyword |
-| client.user.name | Short name or login of the user. | keyword |
-| client.user.name.text | Multi-field of `client.user.name`. | match_only_text |
 | data_stream.dataset | Data stream dataset. | constant_keyword |
 | data_stream.namespace | Data stream namespace. | constant_keyword |
 | data_stream.type | Data stream type. | constant_keyword |
-| destination.geo.city_name | City name. | keyword |
-| destination.geo.continent_name | Name of the continent. | keyword |
-| destination.geo.country_iso_code | Country ISO code. | keyword |
-| destination.geo.country_name | Country name. | keyword |
-| destination.geo.location | Longitude and latitude. | geo_point |
-| destination.geo.region_iso_code | Region ISO code. | keyword |
-| destination.geo.region_name | Region name. | keyword |
-| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
-| destination.port | Port of the destination. | long |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| error.message | Error message. | match_only_text |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword |
-| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date |
-| event.duration | Duration of the event in nanoseconds. If `event.start` and `event.end` are known this value should be the difference between the end and start time. | long |
-| event.end | `event.end` contains the date when the event ended or when the activity was last observed. | date |
-| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword |
-| event.provider | Source of the event. Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). | keyword |
-| event.severity | The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. | long |
-| event.start | `event.start` contains the date when the event started or when the activity was first observed. | date |
-| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword |
-| file.path.text | Multi-field of `file.path`. | match_only_text |
-| http.request.bytes | Total size in bytes of the request (body and headers). | long |
-| http.request.id | A unique identifier for each HTTP request to correlate logs between clients and servers in transactions. The id may be contained in a non-standard HTTP header, such as `X-Request-ID` or `X-Correlation-ID`. | keyword |
-| http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword |
-| http.request.referrer | Referrer for this HTTP request. | keyword |
-| http.response.bytes | Total size in bytes of the response (body and headers). | long |
-| http.response.status_code | HTTP response status code. | long |
-| http.version | HTTP version. | keyword |
 | input.type | Input type | keyword |
-| labels | Custom key/value pairs. Can be used to add meta information to events. Should not contain nested objects. All values are stored as keyword. Example: `docker` and `k8s` labels. | object |
-| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword |
-| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword |
 | log.offset | Log offset | long |
 | log.source.address | Source address from which the log event was read / sent from. | keyword |
-| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text |
-| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long |
-| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword |
-| network.direction | Direction of the network traffic. When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword |
-| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip |
-| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword |
-| network.inner | Network.inner fields are added in addition to network.vlan fields to describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed fields include vlan.id and vlan.name. Inner vlan fields are typically used when sending traffic with multiple 802.1q encapsulations to a network sensor (e.g. Zeek, Wireshark.) | group |
-| network.inner.vlan.id | VLAN ID as reported by the observer. | keyword |
-| network.inner.vlan.name | Optional VLAN name as reported by the observer. | keyword |
-| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword |
-| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
-| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword |
-| observer.egress.interface.name | Interface name as reported by the system. | keyword |
-| observer.egress.zone | Network zone of outbound traffic as reported by the observer to categorize the destination area of egress traffic, e.g. Internal, External, DMZ, HR, Legal, etc. | keyword |
-| observer.hostname | Hostname of the observer. | keyword |
-| observer.ingress.interface.name | Interface name as reported by the system. | keyword |
-| observer.ingress.zone | Network zone of incoming traffic as reported by the observer to categorize the source area of ingress traffic. e.g. internal, External, DMZ, HR, Legal, etc. | keyword |
-| observer.ip | IP addresses of the observer. | ip |
-| observer.name | Custom name of the observer. This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. If no custom name is needed, the field can be left empty. | keyword |
-| observer.product | The product name of the observer. | keyword |
-| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword |
-| observer.vendor | Vendor name of the observer. | keyword |
-| observer.version | Observer version. | keyword |
-| process.name | Process name. Sometimes called program name or similar. | keyword |
-| process.name.text | Multi-field of `process.name`. | match_only_text |
-| process.pid | Process id. | long |
-| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| related.user | All the user names or other user identifiers seen on the event. | keyword |
-| rule.category | A categorization value keyword used by the entity using the rule for detection of this event. | keyword |
-| rule.description | The description of the rule generating the event. | keyword |
-| rule.name | The name of the rule or signature generating the event. | keyword |
-| server.address | Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| server.domain | The domain name of the server system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
-| server.geo.city_name | City name. | keyword |
-| server.geo.continent_name | Name of the continent. | keyword |
-| server.geo.country_iso_code | Country ISO code. | keyword |
-| server.geo.country_name | Country name. | keyword |
-| server.geo.location | Longitude and latitude. | geo_point |
-| server.geo.region_iso_code | Region ISO code. | keyword |
-| server.geo.region_name | Region name. | keyword |
-| server.ip | IP address of the server (IPv4 or IPv6). | ip |
-| server.port | Port of the server. | long |
-| server.user.name | Short name or login of the user. | keyword |
-| server.user.name.text | Multi-field of `server.user.name`. | match_only_text |
-| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| source.as.organization.name | Organization name. | keyword |
-| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text |
-| source.bytes | Bytes sent from the source to the destination. | long |
-| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
-| source.geo.city_name | City name. | keyword |
-| source.geo.continent_name | Name of the continent. | keyword |
-| source.geo.country_iso_code | Country ISO code. | keyword |
-| source.geo.country_name | Country name. | keyword |
-| source.geo.location | Longitude and latitude. | geo_point |
-| source.geo.region_iso_code | Region ISO code. | keyword |
-| source.geo.region_name | Region name. | keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip |
-| source.nat.port | Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers. | long |
-| source.port | Port of the source. | long |
-| source.user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
-| source.user.group.name | Name of the group. | keyword |
-| source.user.id | Unique identifier of the user. | keyword |
-| source.user.name | Short name or login of the user. | keyword |
-| source.user.name.text | Multi-field of `source.user.name`. | match_only_text |
-| tags | List of keywords used to tag each event. | keyword |
-| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword |
-| url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword |
-| url.fragment | Portion of the url after the `#`, such as "top". The `#` is not part of the fragment. | keyword |
-| url.full | If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. | wildcard |
-| url.full.text | Multi-field of `url.full`. | match_only_text |
-| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard |
-| url.original.text | Multi-field of `url.original`. | match_only_text |
-| url.password | Password of the request. | keyword |
-| url.path | Path of the request, such as "/search". | wildcard |
-| url.port | Port of the request, such as 443. | long |
-| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword |
-| url.registered_domain | The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
-| url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword |
-| url.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword |
-| url.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
-| url.username | Username of the request. | keyword |
-| user.email | User email address. | keyword |
-| user.id | Unique identifier of the user. | keyword |
-| user.name | Short name or login of the user. | keyword |
-| user.name.text | Multi-field of `user.name`. | match_only_text |
-| user_agent.device.name | Name of the device. | keyword |
-| user_agent.name | Name of the user agent. | keyword |
-| user_agent.original | Unparsed user_agent string. | keyword |
-| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text |
-| user_agent.os.full | Operating system name, including the version or code name. | keyword |
-| user_agent.os.full.text | Multi-field of `user_agent.os.full`. | match_only_text |
-| user_agent.os.name | Operating system name, without the version. | keyword |
-| user_agent.os.name.text | Multi-field of `user_agent.os.name`. | match_only_text |
-| user_agent.os.version | Operating system version as a raw string. | keyword |
-| user_agent.version | Version of the user agent. | keyword |
diff --git a/packages/barracuda/manifest.yml b/packages/barracuda/manifest.yml
index 4542a70db12..01c018f574c 100644
--- a/packages/barracuda/manifest.yml
+++ b/packages/barracuda/manifest.yml
@@ -1,7 +1,7 @@
 format_version: "3.0.3"
 name: barracuda
 title: "Barracuda Web Application Firewall"
-version: "1.13.0"
+version: "1.14.0"
 description: "Collect logs from Barracuda Web Application Firewall with Elastic Agent."
 type: integration
 source:
@@ -12,7 +12,7 @@ categories:
   - web_application_firewall
 conditions:
   kibana:
-    version: ^8.4.0
+    version: "^8.13.0"
   elastic:
     subscription: basic
 screenshots:
diff --git a/packages/barracuda_cloudgen_firewall/changelog.yml b/packages/barracuda_cloudgen_firewall/changelog.yml
index 8ea2464cbc3..45406c8cbcb 100644
--- a/packages/barracuda_cloudgen_firewall/changelog.yml
+++ b/packages/barracuda_cloudgen_firewall/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.12.0"
+  changes:
+    - description: Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/10135
 - version: "1.11.0"
   changes:
     - description: Update manifest format version to v3.0.3.
diff --git a/packages/barracuda_cloudgen_firewall/data_stream/log/fields/ecs.yml b/packages/barracuda_cloudgen_firewall/data_stream/log/fields/ecs.yml
index bf39f98bbf8..adb0dc85322 100644
--- a/packages/barracuda_cloudgen_firewall/data_stream/log/fields/ecs.yml
+++ b/packages/barracuda_cloudgen_firewall/data_stream/log/fields/ecs.yml
@@ -1,196 +1,2 @@ - external: ecs name: '@timestamp' -- external: ecs - name: destination.address -- external: ecs - name: destination.as.number -- external: ecs - name: destination.as.organization.name -- external: ecs - name: destination.bytes -- external: ecs - name: destination.domain -- external: ecs - name: destination.geo.city_name -- external: ecs - name: destination.geo.continent_name -- external: ecs - name: destination.geo.country_iso_code -- external: ecs - name: destination.geo.country_name -- external: ecs - name: destination.geo.location -- external: ecs - name: destination.geo.name -- external: ecs - name: destination.geo.region_iso_code -- external: ecs - name: destination.geo.region_name -- external: ecs - name: destination.ip -- external: ecs - name: destination.mac -- external: ecs - name: destination.nat.ip -- external: ecs - name: destination.packets -- external: ecs - name: destination.port -- external: ecs - name: ecs.version -- external: ecs - name: error.message -- external: ecs - name: event.action -- external: ecs - name: event.code -- external: ecs - name: event.ingested -- external: ecs - name: event.original -- external: ecs - name: event.outcome -- external: ecs - name: event.timezone -- external: ecs - name: http.request.body.bytes -- external: ecs - name: http.request.bytes -- external: ecs - name: http.request.method -- external: ecs - name: http.request.mime_type -- external: ecs - name: http.request.referrer -- external: ecs - name: http.response.body.bytes -- external: ecs - name: http.response.bytes -- external: ecs - name: http.response.status_code -- external: ecs - name: http.version -- external: ecs - name: labels -- external: ecs - name: log.level -- external: ecs - name: message -- external: ecs - name: network.community_id -- external: ecs - name: network.iana_number -- external: ecs - name: network.transport -- external: ecs - name: network.type -- external: ecs - name: observer.egress.interface.name -- external: ecs - 
name: observer.hostname -- external: ecs - name: observer.ingress.interface.name -- external: ecs - name: observer.product -- external: ecs - name: observer.serial_number -- external: ecs - name: observer.type -- external: ecs - name: observer.vendor -- external: ecs - name: observer.version -- external: ecs - name: related.hosts -- external: ecs - name: related.ip -- external: ecs - name: related.user -- external: ecs - name: rule.category -- external: ecs - name: rule.description -- external: ecs - name: rule.name -- external: ecs - name: rule.ruleset -- external: ecs - name: source.address -- external: ecs - name: source.as.number -- external: ecs - name: source.as.organization.name -- external: ecs - name: source.bytes -- external: ecs - name: source.domain -- external: ecs - name: source.geo.city_name -- external: ecs - name: source.geo.continent_name -- external: ecs - name: source.geo.country_iso_code -- external: ecs - name: source.geo.country_name -- external: ecs - name: source.geo.location -- external: ecs - name: source.geo.name -- external: ecs - name: source.geo.region_iso_code -- external: ecs - name: source.geo.region_name -- external: ecs - name: source.ip -- external: ecs - name: source.mac -- external: ecs - name: source.nat.ip -- external: ecs - name: source.packets -- external: ecs - name: source.port -- external: ecs - name: tags -- external: ecs - name: url.domain -- external: ecs - name: url.extension -- external: ecs - name: url.full -- external: ecs - name: url.original -- external: ecs - name: url.password -- external: ecs - name: url.path -- external: ecs - name: url.port -- external: ecs - name: url.query -- external: ecs - name: url.scheme -- external: ecs - name: url.username -- external: ecs - name: user.domain -- external: ecs - name: user.full_name -- external: ecs - name: user.id -- external: ecs - name: user.name -- external: ecs - name: user_agent.device.name -- external: ecs - name: user_agent.name -- external: ecs - name: 
user_agent.original -- external: ecs - name: user_agent.os.full -- external: ecs - name: user_agent.os.name -- external: ecs - name: user_agent.os.version -- external: ecs - name: user_agent.version diff --git a/packages/barracuda_cloudgen_firewall/docs/README.md b/packages/barracuda_cloudgen_firewall/docs/README.md index dd1860554b2..359fad18c1d 100644 --- a/packages/barracuda_cloudgen_firewall/docs/README.md +++ b/packages/barracuda_cloudgen_firewall/docs/README.md 
@@ -160,114 +160,8 @@ An example event for `log` looks as following: | data_stream.dataset | Data stream dataset. | constant_keyword | | data_stream.namespace | Data stream namespace. | constant_keyword | | data_stream.type | Data stream type. | constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| destination.as.organization.name | Organization name. | keyword | -| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | -| destination.bytes | Bytes sent from the destination to the source. | long | -| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| destination.geo.city_name | City name. | keyword | -| destination.geo.continent_name | Name of the continent. | keyword | -| destination.geo.country_iso_code | Country ISO code. | keyword | -| destination.geo.country_name | Country name. | keyword | -| destination.geo.location | Longitude and latitude. | geo_point | -| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| destination.geo.region_iso_code | Region ISO code. | keyword | -| destination.geo.region_name | Region name. 
| keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.mac | MAC address of the destination. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | -| destination.nat.ip | Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip | -| destination.packets | Packets sent from the destination to the source. | long | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.message | Error message. | match_only_text | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword | | event.dataset | Event dataset | constant_keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. 
In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | | event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword | -| http.request.body.bytes | Size in bytes of the request body. 
| long | -| http.request.bytes | Total size in bytes of the request (body and headers). | long | -| http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword | -| http.request.mime_type | Mime type of the body of the request. This value must only be populated based on the content of the request body, not on the `Content-Type` header. Comparing the mime type of a request with the request's Content-Type header can be helpful in detecting threats or misconfigured clients. | keyword | -| http.request.referrer | Referrer for this HTTP request. | keyword | -| http.response.body.bytes | Size in bytes of the response body. | long | -| http.response.bytes | Total size in bytes of the response (body and headers). | long | -| http.response.status_code | HTTP response status code. | long | -| http.version | HTTP version. | keyword | | input.type | Type of Filebeat input. | keyword | -| labels | Custom key/value pairs. Can be used to add meta information to events. Should not contain nested objects. All values are stored as keyword. Example: `docker` and `k8s` labels. | object | | labels.origin_address | Remote address where the log originated. | keyword | | labels.origin_client_subject | Distinguished name of subject of the x.509 certificate presented by the origin client when mutual TLS is enabled. | keyword | -| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. 
For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | -| observer.egress.interface.name | Interface name as reported by the system. | keyword | -| observer.hostname | Hostname of the observer. | keyword | -| observer.ingress.interface.name | Interface name as reported by the system. | keyword | -| observer.product | The product name of the observer. | keyword | -| observer.serial_number | Observer serial number. | keyword | -| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword | -| observer.vendor | Vendor name of the observer. | keyword | -| observer.version | Observer version. | keyword | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. 
| keyword | -| related.ip | All of the IPs seen on your event. | ip | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| rule.category | A categorization value keyword used by the entity using the rule for detection of this event. | keyword | -| rule.description | The description of the rule generating the event. | keyword | -| rule.name | The name of the rule or signature generating the event. | keyword | -| rule.ruleset | Name of the ruleset, policy, group, or parent category in which the rule used to generate this event is a member. | keyword | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.name | User-defined description of a location, at the level of granularity they care about. 
Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.mac | MAC address of the source. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | -| source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip | -| source.packets | Packets sent from the source to the destination. | long | -| source.port | Port of the source. | long | -| tags | List of keywords used to tag each event. | keyword | -| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | -| url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | -| url.full | If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. 
| wildcard | -| url.full.text | Multi-field of `url.full`. | match_only_text | -| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | -| url.original.text | Multi-field of `url.original`. | match_only_text | -| url.password | Password of the request. | keyword | -| url.path | Path of the request, such as "/search". | wildcard | -| url.port | Port of the request, such as 443. | long | -| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword | -| url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword | -| url.username | Username of the request. | keyword | -| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | -| user.full_name | User's full name, if available. | keyword | -| user.full_name.text | Multi-field of `user.full_name`. | match_only_text | -| user.id | Unique identifier of the user. | keyword | -| user.name | Short name or login of the user. | keyword | -| user.name.text | Multi-field of `user.name`. | match_only_text | -| user_agent.device.name | Name of the device. | keyword | -| user_agent.name | Name of the user agent. | keyword | -| user_agent.original | Unparsed user_agent string. | keyword | -| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text | -| user_agent.os.full | Operating system name, including the version or code name. 
| keyword | -| user_agent.os.full.text | Multi-field of `user_agent.os.full`. | match_only_text | -| user_agent.os.name | Operating system name, without the version. | keyword | -| user_agent.os.name.text | Multi-field of `user_agent.os.name`. | match_only_text | -| user_agent.os.version | Operating system version as a raw string. | keyword | -| user_agent.version | Version of the user agent. | keyword | diff --git a/packages/barracuda_cloudgen_firewall/manifest.yml b/packages/barracuda_cloudgen_firewall/manifest.yml index 9821b00bf6c..4dfe48e12c5 100644 --- a/packages/barracuda_cloudgen_firewall/manifest.yml +++ b/packages/barracuda_cloudgen_firewall/manifest.yml @@ -1,13 +1,13 @@ format_version: "3.0.3" name: barracuda_cloudgen_firewall title: Barracuda CloudGen Firewall Logs -version: "1.11.0" +version: "1.12.0" description: Collect logs from Barracuda CloudGen Firewall devices with Elastic Agent. categories: ["network", "security", "firewall_security"] type: integration conditions: kibana: - version: "^8.5.0" + version: "^8.13.0" policy_templates: - name: barracuda_cloudgen_firewall title: Barracuda CloudGen Firewall Logs diff --git a/packages/bbot/_dev/build/build.yml b/packages/bbot/_dev/build/build.yml index 1f4fa988f6e..e2b012548e0 100644 --- a/packages/bbot/_dev/build/build.yml +++ b/packages/bbot/_dev/build/build.yml @@ -1,4 +1,3 @@ dependencies: ecs: reference: git@v8.11.0 - import_mappings: true diff --git a/packages/bbot/changelog.yml b/packages/bbot/changelog.yml index bdb726760d2..dfb40ebde34 100644 --- a/packages/bbot/changelog.yml +++ b/packages/bbot/changelog.yml 
@@ -1,4 +1,9 @@ # newer versions go on top +- version: "0.2.0" + changes: + - description: ECS version updated to 8.11.0. Removed import_mappings. Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template. + type: enhancement + link: https://github.com/elastic/integrations/pull/10135 - version: "0.1.0" changes: - description: Initial release of the bbot package diff --git a/packages/bbot/data_stream/asm_intel/_dev/test/pipeline/test-bbot-ndjson.log-expected.json b/packages/bbot/data_stream/asm_intel/_dev/test/pipeline/test-bbot-ndjson.log-expected.json index f97a322a430..935393ad03e 100644 --- a/packages/bbot/data_stream/asm_intel/_dev/test/pipeline/test-bbot-ndjson.log-expected.json +++ b/packages/bbot/data_stream/asm_intel/_dev/test/pipeline/test-bbot-ndjson.log-expected.json @@ -25,7 +25,7 @@ "type": "DNS_NAME" }, "ecs": { - "version": "8.12.0" + "version": "8.11.0" }, "event": { "kind": "asset" @@ -67,7 +67,7 @@ "type": "ORG_STUB" }, "ecs": { - "version": "8.12.0" + "version": "8.11.0" }, "event": { "kind": "asset" @@ -100,7 +100,7 @@ "type": "PROTOCOL" }, "ecs": { - "version": "8.12.0" + "version": "8.11.0" }, "event": { "kind": "asset" @@ -142,7 +142,7 @@ "type": "DNS_NAME" }, "ecs": { - "version": "8.12.0" + "version": "8.11.0" }, "event": { "kind": "asset" @@ -188,7 +188,7 @@ "type": "TECHNOLOGY" }, "ecs": { - "version": "8.12.0" + "version": "8.11.0" }, "event": { "kind": "asset" @@ -235,7 +235,7 @@ "type": "FINDING" }, "ecs": { - "version": "8.12.0" + "version": "8.11.0" }, "event": { "kind": "asset" @@ -276,7 +276,7 @@ "type": "PROTOCOL" }, "ecs": { - "version": "8.12.0" + "version": "8.11.0" }, "event": { "kind": "asset" @@ -322,7 +322,7 @@ "type": "ASN" }, "ecs": { - "version": "8.12.0" + "version": "8.11.0" }, "event": { "kind": "asset" 
@@ -355,7 +355,7 @@ "web_spider_distance": 0 }, "ecs": { - "version": "8.12.0" + "version": "8.11.0" }, "event": { "kind": "asset" @@ -408,7 +408,7 @@ "type": "WAF" }, "ecs": { - "version": "8.12.0" + "version": "8.11.0" }, "event": { "kind": "asset" diff --git a/packages/bbot/data_stream/asm_intel/elasticsearch/ingest_pipeline/default.yml b/packages/bbot/data_stream/asm_intel/elasticsearch/ingest_pipeline/default.yml index a047fcb7674..4971e4b7a93 100644 --- a/packages/bbot/data_stream/asm_intel/elasticsearch/ingest_pipeline/default.yml +++ b/packages/bbot/data_stream/asm_intel/elasticsearch/ingest_pipeline/default.yml @@ -7,7 +7,7 @@ processors: #################### - set: field: ecs.version - value: 8.12.0 + value: 8.11.0 - set: field: event.kind value: asset diff --git a/packages/bbot/data_stream/asm_intel/fields/beats.yml b/packages/bbot/data_stream/asm_intel/fields/beats.yml index 3415608ae37..cc9fcebf29b 100644 --- a/packages/bbot/data_stream/asm_intel/fields/beats.yml +++ b/packages/bbot/data_stream/asm_intel/fields/beats.yml @@ -1,9 +1,6 @@ - name: input.type description: Type of Filebeat input. type: keyword -- name: tags - type: keyword - description: User defined tags. - name: log.offset type: long description: Log offset. diff --git a/packages/bbot/data_stream/asm_intel/fields/ecs.yml b/packages/bbot/data_stream/asm_intel/fields/ecs.yml deleted file mode 100644 index 5f506ad1f66..00000000000 --- a/packages/bbot/data_stream/asm_intel/fields/ecs.yml +++ /dev/null @@ -1,16 +0,0 @@ -- external: ecs - name: ecs.version -- external: ecs - name: event.kind -- external: ecs - name: message -- external: ecs - name: event.original -- external: ecs - name: host.ip -- external: ecs - name: url.port -- external: ecs - name: vulnerability.severity -- external: ecs - name: url.full diff --git a/packages/bbot/data_stream/asm_intel/fields/fields.yml b/packages/bbot/data_stream/asm_intel/fields/fields.yml index 3e0a5ae571d..e16a006d1b1 100644 
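Review bot: The `ecs.version` literal in this `set` processor (`value: 8.11.0`) is a second copy of the ECS version already pinned in `_dev/build/build.yml` (`reference: git@v8.11.0`, shown as unchanged context in the build.yml hunk), and the two had drifted to 8.12.0 vs 8.11.0 before this commit, which is why ten expected-output fixtures and `sample_event.json` change alongside it. A why-comment on the processor would make the coupling explicit for the next bump: `# Keep in sync with dependencies.ecs.reference in _dev/build/build.yml`. Quoting the scalar as `value: "8.11.0"` would also protect against a future two-component value such as `8.12` being read as a YAML float rather than a string.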
--- a/packages/bbot/data_stream/asm_intel/fields/fields.yml +++ b/packages/bbot/data_stream/asm_intel/fields/fields.yml @@ -133,16 +133,12 @@ - name: source type: keyword - - name: tags type: keyword - - name: timestamp type: date - - name: type type: keyword - - name: web_spider_distance type: integer description: > @@ -163,12 +159,12 @@ description: > Description of the asn. - - name: data.asn.name + - name: data.asn.name type: keyword description: > Name discovered for the asn. - - name: data.asn.subnet + - name: data.asn.subnet type: keyword description: > Subnet discovered for the asn. @@ -242,3 +238,4 @@ type: keyword description: > URL of the data finding. + diff --git a/packages/bbot/data_stream/asm_intel/sample_event.json b/packages/bbot/data_stream/asm_intel/sample_event.json index f1a0bd9fb3b..76fece33b85 100644 --- a/packages/bbot/data_stream/asm_intel/sample_event.json +++ b/packages/bbot/data_stream/asm_intel/sample_event.json @@ -29,7 +29,7 @@ "type": "logs" }, "ecs": { - "version": "8.12.0" + "version": "8.11.0" }, "elastic_agent": { "id": "bcb4b946-41b8-4916-9308-849b3bf23f46", diff --git a/packages/bbot/docs/README.md b/packages/bbot/docs/README.md index 850520ca77b..5c6001af9c4 100644 --- a/packages/bbot/docs/README.md +++ b/packages/bbot/docs/README.md @@ -66,7 +66,7 @@ An example event for `asm_intel` looks as following: "type": "logs" }, "ecs": { - "version": "8.12.0" + "version": "8.11.0" }, "elastic_agent": { "id": "bcb4b946-41b8-4916-9308-849b3bf23f46", 
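Review bot: In the `@@ -163,12 +159,12 @@` hunk the rewritten `- name: data.asn.name` and `- name: data.asn.subnet` lines differ from the removed ones only in whitespace, and in YAML the indentation of a sequence item is structural, so this may move the two entries to a different nesting level relative to the neighbouring `data.asn.*` fields rather than being a cosmetic fix. The collapsed rendering here does not preserve the exact column, so I cannot tell which way it went; confirm the intended placement by inspecting the built field list (e.g. with `elastic-package check`) before merging. If the realignment was deliberate, a short mention in the commit message would help reviewers of whitespace-only diffs.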
@@ -167,16 +167,6 @@ An example event for `asm_intel` looks as following:
| data_stream.dataset | Data stream dataset. | constant_keyword |
| data_stream.namespace | Data stream namespace. | constant_keyword |
| data_stream.type | Data stream type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword |
-| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
-| host.ip | Host ip addresses. | ip |
| input.type | Type of Filebeat input. | keyword |
| log.offset | Log offset. | long |
-| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. 
If multiple messages exist, they can be combined into one message. | match_only_text |
-| tags | User defined tags. | keyword |
-| url.full | If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. | wildcard |
-| url.full.text | Multi-field of `url.full`. | match_only_text |
-| url.port | Port of the request, such as 443. | long |
-| vulnerability.severity | The severity of the vulnerability can help with metrics and internal prioritization regarding remediation. For example (https://nvd.nist.gov/vuln-metrics/cvss) | keyword |
diff --git a/packages/bbot/kibana/dashboard/bbot-8abcb381-42b3-4d99-a177-c103255eedd9.json b/packages/bbot/kibana/dashboard/bbot-8abcb381-42b3-4d99-a177-c103255eedd9.json
index 4b368794744..40c32b82e5e 100644
--- a/packages/bbot/kibana/dashboard/bbot-8abcb381-42b3-4d99-a177-c103255eedd9.json
+++ b/packages/bbot/kibana/dashboard/bbot-8abcb381-42b3-4d99-a177-c103255eedd9.json
@@ -1,1265 +1,1265 @@ -{ - "attributes": { - "controlGroupInput": { - "chainingSystem": "HIERARCHICAL", - "controlStyle": "oneLine", - "ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}", - "panelsJSON": "{\"7b900e62-ba4a-468b-a99f-aa5bf4a3a526\":{\"type\":\"optionsListControl\",\"order\":0,\"grow\":true,\"width\":\"medium\",\"explicitInput\":{\"id\":\"7b900e62-ba4a-468b-a99f-aa5bf4a3a526\",\"fieldName\":\"bbot.scan\",\"title\":\"Scan ID:\",\"grow\":true,\"width\":\"medium\",\"selectedOptions\":[],\"enhancements\":{}}}}" - }, - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [], - "query": { - "language": "kuery", - "query": "" - } - } - }, - "optionsJSON": { - "hidePanelTitles": false, - "syncColors": false, - "syncCursor": true, - "syncTooltips": false, - "useMargins": true - }, - "panelsJSON": [ - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-layer-b041b892-4b58-48f3-9f5e-52e0e604cfb0", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "2604eb17-0109-4f38-993e-ed797031d791", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "layers": { - "b041b892-4b58-48f3-9f5e-52e0e604cfb0": { - "columnOrder": [ - "b77c2eee-54f7-4fa0-9aa6-936d9064ff4f", - "436a5f51-90a1-4193-b109-25b90ab29fb0" - ], - "columns": { - "436a5f51-90a1-4193-b109-25b90ab29fb0": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Records", - "operationType": "count", - "params": { - "emptyAsNull": true - }, - "scale": "ratio", - "sourceField": "___records___" - }, - "b77c2eee-54f7-4fa0-9aa6-936d9064ff4f": { - "customLabel": true, - "dataType": "date", - "isBucketed": true, - "label": "Date of scan", - "operationType": "date_histogram", - "params": { - "dropPartials": false, - "includeEmptyRows": true, - 
"interval": "1w" - }, - "scale": "interval", - "sourceField": "@timestamp" - } - }, - "incompleteColumns": {} - } - } - }, - "indexpattern": { - "layers": {} - }, - "textBased": { - "layers": {} - } - }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "2604eb17-0109-4f38-993e-ed797031d791", - "key": "event.dataset", - "negate": false, - "params": { - "query": "bbot.asm_intel" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "bbot.asm_intel" - } - } - } - ], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "axisTitlesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "fittingFunction": "None", - "gridlinesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "labelsOrientation": { - "x": 0, - "yLeft": 0, - "yRight": 0 - }, - "layers": [ - { - "accessors": [ - "436a5f51-90a1-4193-b109-25b90ab29fb0" - ], - "layerId": "b041b892-4b58-48f3-9f5e-52e0e604cfb0", - "layerType": "data", - "seriesType": "bar", - "xAccessor": "b77c2eee-54f7-4fa0-9aa6-936d9064ff4f", - "yConfig": [ - { - "color": "#e7664c", - "forAccessor": "436a5f51-90a1-4193-b109-25b90ab29fb0" - } - ] - } - ], - "legend": { - "isVisible": true, - "position": "right", - "showSingleSeries": false - }, - "preferredSeriesType": "bar", - "tickLabelsVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "valueLabels": "show" - } - }, - "title": "", - "type": "lens", - "visualizationType": "lnsXY" - }, - "enhancements": {}, - "hidePanelTitles": false, - "timeRange": { - "from": "now-2y", - "to": "now" - } - }, - "gridData": { - "h": 6, - "i": "ff18251e-b13b-42f6-8a10-6a6e61e2e74a", - "w": 48, - "x": 0, - "y": 0 - }, - "panelIndex": "ff18251e-b13b-42f6-8a10-6a6e61e2e74a", - "title": "Scans over time", - "type": "lens" - }, - { - "embeddableConfig": { - "attributes": { - "description": "This 
is a count of all url.domains found. There is some overlap between this field and the host.name field.", - "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-layer-34706177-15e3-422e-942e-450494312e3f", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "d7a416f6-fbb4-4477-8760-363e18f9554c", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "layers": { - "34706177-15e3-422e-942e-450494312e3f": { - "columnOrder": [ - "8847f861-0519-4914-b269-405389c0df68" - ], - "columns": { - "8847f861-0519-4914-b269-405389c0df68": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Unique Records of Domain", - "operationType": "unique_count", - "params": { - "emptyAsNull": true - }, - "scale": "ratio", - "sourceField": "url.domain" - } - }, - "incompleteColumns": {} - } - } - }, - "indexpattern": { - "layers": {} - }, - "textBased": { - "layers": {} - } - }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "d7a416f6-fbb4-4477-8760-363e18f9554c", - "key": "event.dataset", - "negate": false, - "params": { - "query": "bbot.asm_intel" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "bbot.asm_intel" - } - } - } - ], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "color": "#E7664C", - "layerId": "34706177-15e3-422e-942e-450494312e3f", - "layerType": "data", - "metricAccessor": "8847f861-0519-4914-b269-405389c0df68" - } - }, - "title": "", - "type": "lens", - "visualizationType": "lnsMetric" - }, - "description": "This is a count of all url.domains found. 
There is some overlap between this field and the host.name field.", - "enhancements": {}, - "hidePanelTitles": false - }, - "gridData": { - "h": 5, - "i": "e2b473cb-83a3-43b9-9845-01a865ebba81", - "w": 15, - "x": 0, - "y": 6 - }, - "panelIndex": "e2b473cb-83a3-43b9-9845-01a865ebba81", - "title": "Unique Domains Found ", - "type": "lens" - }, - { - "embeddableConfig": { - "attributes": { - "description": "This is a count of all related.hosts found. This field contains IPv4, IPv6 and Domain Names. ", - "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-layer-34706177-15e3-422e-942e-450494312e3f", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "ceb45dbd-8837-4fae-884c-5eef1f068cd9", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "layers": { - "34706177-15e3-422e-942e-450494312e3f": { - "columnOrder": [ - "8847f861-0519-4914-b269-405389c0df68" - ], - "columns": { - "8847f861-0519-4914-b269-405389c0df68": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Records Found for Related Hosts", - "operationType": "count", - "params": { - "emptyAsNull": true - }, - "scale": "ratio", - "sourceField": "related.hosts" - } - }, - "incompleteColumns": {} - } - } - }, - "indexpattern": { - "layers": {} - }, - "textBased": { - "layers": {} - } - }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "ceb45dbd-8837-4fae-884c-5eef1f068cd9", - "key": "event.dataset", - "negate": false, - "params": { - "query": "bbot.asm_intel" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "bbot.asm_intel" - } - } - } - ], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "color": "#E7664C", - "layerId": "34706177-15e3-422e-942e-450494312e3f", - "layerType": "data", - "metricAccessor": 
"8847f861-0519-4914-b269-405389c0df68" - } - }, - "title": "", - "type": "lens", - "visualizationType": "lnsMetric" - }, - "description": "This is a count of all related.hosts found. This field contains IPv4, IPv6 and Domain Names. ", - "enhancements": {}, - "hidePanelTitles": false - }, - "gridData": { - "h": 5, - "i": "8d154799-5342-4d9f-931a-8ac541b10235", - "w": 15, - "x": 15, - "y": 6 - }, - "panelIndex": "8d154799-5342-4d9f-931a-8ac541b10235", - "title": "Related Hosts Found - Count of Records", - "type": "lens" - }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-layer-9236266e-4c6d-4cb0-8d5c-49493bf23532", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "52db8b89-498c-4aa2-ba42-d65b2025598f", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "layers": { - "9236266e-4c6d-4cb0-8d5c-49493bf23532": { - "columnOrder": [ - "0896481f-8b3d-45f6-bb23-665ece65f846", - "8be8fd12-8e1b-45d8-93e5-3903ae887fc8" - ], - "columns": { - "0896481f-8b3d-45f6-bb23-665ece65f846": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Module", - "operationType": "terms", - "params": { - "exclude": [], - "excludeIsRegex": false, - "include": [], - "includeIsRegex": false, - "missingBucket": false, - "orderBy": { - "columnId": "8be8fd12-8e1b-45d8-93e5-3903ae887fc8", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": false, - "parentFormat": { - "id": "terms" - }, - "size": 5 - }, - "scale": "ordinal", - "sourceField": "bbot.module" - }, - "8be8fd12-8e1b-45d8-93e5-3903ae887fc8": { - "dataType": "number", - "isBucketed": false, - "label": "Count of records", - "operationType": "count", - "params": { - "emptyAsNull": true - }, - "scale": "ratio", - "sourceField": "___records___" - } - }, - "incompleteColumns": {}, - "sampling": 1 - } - } - }, - "indexpattern": { - "layers": {} - }, - 
"textBased": { - "layers": {} - } - }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "52db8b89-498c-4aa2-ba42-d65b2025598f", - "key": "event.dataset", - "negate": false, - "params": { - "query": "bbot.asm_intel" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "bbot.asm_intel" - } - } - } - ], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "axisTitlesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "fittingFunction": "None", - "gridlinesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "labelsOrientation": { - "x": 0, - "yLeft": 0, - "yRight": 0 - }, - "layers": [ - { - "accessors": [ - "8be8fd12-8e1b-45d8-93e5-3903ae887fc8" - ], - "layerId": "9236266e-4c6d-4cb0-8d5c-49493bf23532", - "layerType": "data", - "position": "top", - "seriesType": "bar_horizontal", - "showGridlines": false, - "xAccessor": "0896481f-8b3d-45f6-bb23-665ece65f846", - "yConfig": [ - { - "color": "#e7664c", - "forAccessor": "8be8fd12-8e1b-45d8-93e5-3903ae887fc8" - } - ] - } - ], - "legend": { - "isVisible": true, - "position": "right" - }, - "preferredSeriesType": "bar_horizontal", - "tickLabelsVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "valueLabels": "hide" - } - }, - "title": "", - "type": "lens", - "visualizationType": "lnsXY" - }, - "enhancements": {}, - "hidePanelTitles": false - }, - "gridData": { - "h": 21, - "i": "fd6001b7-89f1-4008-b56e-9fee8d3111b1", - "w": 18, - "x": 30, - "y": 6 - }, - "panelIndex": "fd6001b7-89f1-4008-b56e-9fee8d3111b1", - "title": "Popular Module Findings", - "type": "lens" - }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-layer-934f50cd-f1e9-47ea-be3a-3ceff354f1ad", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": 
"1877a3bb-aa1f-420e-ad3b-b82ad23d1f0a", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "layers": { - "934f50cd-f1e9-47ea-be3a-3ceff354f1ad": { - "columnOrder": [ - "eebfb3a7-f1b5-4ca3-97e0-95eb896f8621", - "f4935493-86bc-4383-b231-651c7b375e59" - ], - "columns": { - "eebfb3a7-f1b5-4ca3-97e0-95eb896f8621": { - "dataType": "string", - "isBucketed": true, - "label": "Top 5 values of url.domain", - "operationType": "terms", - "params": { - "exclude": [], - "excludeIsRegex": false, - "include": [], - "includeIsRegex": false, - "missingBucket": false, - "orderBy": { - "columnId": "f4935493-86bc-4383-b231-651c7b375e59", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": false, - "parentFormat": { - "id": "terms" - }, - "secondaryFields": [], - "size": 5 - }, - "scale": "ordinal", - "sourceField": "url.domain" - }, - "f4935493-86bc-4383-b231-651c7b375e59": { - "dataType": "number", - "isBucketed": false, - "label": "Count of records", - "operationType": "count", - "params": { - "emptyAsNull": true - }, - "scale": "ratio", - "sourceField": "___records___" - } - }, - "incompleteColumns": {}, - "sampling": 1 - } - } - }, - "indexpattern": { - "layers": {} - }, - "textBased": { - "layers": {} - } - }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "1877a3bb-aa1f-420e-ad3b-b82ad23d1f0a", - "key": "event.dataset", - "negate": false, - "params": { - "query": "bbot.asm_intel" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "bbot.asm_intel" - } - } - } - ], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "layers": [ - { - "categoryDisplay": "default", - "emptySizeRatio": 0.54, - "layerId": "934f50cd-f1e9-47ea-be3a-3ceff354f1ad", - "layerType": "data", - "legendDisplay": "default", - "metrics": [ - "f4935493-86bc-4383-b231-651c7b375e59" 
- ], - "nestedLegend": false, - "numberDisplay": "percent", - "primaryGroups": [ - "eebfb3a7-f1b5-4ca3-97e0-95eb896f8621" - ] - } - ], - "palette": { - "name": "negative", - "type": "palette" - }, - "shape": "donut" - } - }, - "title": "", - "type": "lens", - "visualizationType": "lnsPie" - }, - "enhancements": {}, - "hidePanelTitles": false - }, - "gridData": { - "h": 16, - "i": "ec50cd13-16ea-463b-8677-d6fc126fcaf8", - "w": 15, - "x": 0, - "y": 11 - }, - "panelIndex": "ec50cd13-16ea-463b-8677-d6fc126fcaf8", - "title": "Top 5 Domain Records", - "type": "lens" - }, - { - "embeddableConfig": { - "attributes": { - "description": "", - "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-layer-934f50cd-f1e9-47ea-be3a-3ceff354f1ad", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "e6909ac9-f732-4420-a24d-69ffc4fe319c", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "layers": { - "934f50cd-f1e9-47ea-be3a-3ceff354f1ad": { - "columnOrder": [ - "eebfb3a7-f1b5-4ca3-97e0-95eb896f8621", - "f4935493-86bc-4383-b231-651c7b375e59" - ], - "columns": { - "eebfb3a7-f1b5-4ca3-97e0-95eb896f8621": { - "dataType": "string", - "isBucketed": true, - "label": "Top 5 values of related.hosts", - "operationType": "terms", - "params": { - "exclude": [], - "excludeIsRegex": false, - "include": [], - "includeIsRegex": false, - "missingBucket": false, - "orderBy": { - "columnId": "f4935493-86bc-4383-b231-651c7b375e59", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": false, - "parentFormat": { - "id": "terms" - }, - "size": 5 - }, - "scale": "ordinal", - "sourceField": "related.hosts" - }, - "f4935493-86bc-4383-b231-651c7b375e59": { - "dataType": "number", - "isBucketed": false, - "label": "Count of records", - "operationType": "count", - "params": { - "emptyAsNull": true - }, - "scale": "ratio", - "sourceField": "___records___" - } - }, - "incompleteColumns": {}, - 
"sampling": 1 - } - } - }, - "indexpattern": { - "layers": {} - }, - "textBased": { - "layers": {} - } - }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "e6909ac9-f732-4420-a24d-69ffc4fe319c", - "key": "event.dataset", - "negate": false, - "params": { - "query": "bbot.asm_intel" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "bbot.asm_intel" - } - } - } - ], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "layers": [ - { - "categoryDisplay": "default", - "emptySizeRatio": 0.54, - "layerId": "934f50cd-f1e9-47ea-be3a-3ceff354f1ad", - "layerType": "data", - "legendDisplay": "default", - "metrics": [ - "f4935493-86bc-4383-b231-651c7b375e59" - ], - "nestedLegend": false, - "numberDisplay": "percent", - "primaryGroups": [ - "eebfb3a7-f1b5-4ca3-97e0-95eb896f8621" - ] - } - ], - "palette": { - "name": "negative", - "type": "palette" - }, - "shape": "donut" - } - }, - "title": "", - "type": "lens", - "visualizationType": "lnsPie" - }, - "description": "", - "enhancements": {}, - "hidePanelTitles": false - }, - "gridData": { - "h": 16, - "i": "b7513787-adcc-4e88-8211-42e9c559f09c", - "w": 15, - "x": 15, - "y": 11 - }, - "panelIndex": "b7513787-adcc-4e88-8211-42e9c559f09c", - "title": "Top 5 Related Hosts Found", - "type": "lens" - }, - { - "embeddableConfig": { - "enhancements": {} - }, - "gridData": { - "h": 21, - "i": "81963b3c-596f-4008-80de-286537f0c45d", - "w": 30, - "x": 0, - "y": 27 - }, - "panelIndex": "81963b3c-596f-4008-80de-286537f0c45d", - "panelRefName": "panel_81963b3c-596f-4008-80de-286537f0c45d", - "type": "search" - }, - { - "embeddableConfig": { - "attributes": { - "description": "", - "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-layer-34706177-15e3-422e-942e-450494312e3f", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": 
"f6dc81d5-5b2a-40b4-b17a-2b8034ac3bb0", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "layers": { - "34706177-15e3-422e-942e-450494312e3f": { - "columnOrder": [ - "8847f861-0519-4914-b269-405389c0df68" - ], - "columns": { - "8847f861-0519-4914-b269-405389c0df68": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "vulnerability.severity : * " - }, - "isBucketed": false, - "label": "Hosts found with Vulnerabilities", - "operationType": "unique_count", - "params": { - "emptyAsNull": true - }, - "scale": "ratio", - "sourceField": "url.domain" - } - }, - "incompleteColumns": {} - } - } - }, - "indexpattern": { - "layers": {} - }, - "textBased": { - "layers": {} - } - }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "f6dc81d5-5b2a-40b4-b17a-2b8034ac3bb0", - "key": "event.dataset", - "negate": false, - "params": { - "query": "bbot.asm_intel" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "bbot.asm_intel" - } - } - } - ], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "color": "#ffffff", - "layerId": "34706177-15e3-422e-942e-450494312e3f", - "layerType": "data", - "metricAccessor": "8847f861-0519-4914-b269-405389c0df68" - } - }, - "title": "", - "type": "lens", - "visualizationType": "lnsMetric" - }, - "description": "", - "enhancements": {}, - "hidePanelTitles": false - }, - "gridData": { - "h": 6, - "i": "17ab65a3-eb4a-47df-8e8c-91c8ca504c67", - "w": 18, - "x": 30, - "y": 27 - }, - "panelIndex": "17ab65a3-eb4a-47df-8e8c-91c8ca504c67", - "title": "Vulnerable Hosts", - "type": "lens" - }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-layer-34706177-15e3-422e-942e-450494312e3f", - "type": "index-pattern" - }, - { - "id": 
"logs-*", - "name": "34e57322-6c1b-479e-95aa-318340186b2f", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "layers": { - "34706177-15e3-422e-942e-450494312e3f": { - "columnOrder": [ - "2170eae6-6ab4-4fce-ac60-fbbd4301da66", - "b6a09dd7-f423-43e6-8068-db01ebfa9855" - ], - "columns": { - "2170eae6-6ab4-4fce-ac60-fbbd4301da66": { - "dataType": "string", - "isBucketed": true, - "label": "Top 5 values of vulnerability.severity", - "operationType": "terms", - "params": { - "exclude": [], - "excludeIsRegex": false, - "include": [], - "includeIsRegex": false, - "missingBucket": false, - "orderAgg": { - "dataType": "number", - "isBucketed": false, - "label": "Count of records", - "operationType": "count", - "params": { - "emptyAsNull": true - }, - "scale": "ratio", - "sourceField": "___records___" - }, - "orderBy": { - "type": "custom" - }, - "orderDirection": "desc", - "otherBucket": true, - "parentFormat": { - "id": "terms" - }, - "size": 5 - }, - "scale": "ordinal", - "sourceField": "vulnerability.severity" - }, - "b6a09dd7-f423-43e6-8068-db01ebfa9855": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Severity Percentage", - "operationType": "count", - "params": { - "emptyAsNull": true - }, - "scale": "ratio", - "sourceField": "vulnerability.severity" - } - }, - "incompleteColumns": {} - } - } - }, - "indexpattern": { - "layers": {} - }, - "textBased": { - "layers": {} - } - }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "34e57322-6c1b-479e-95aa-318340186b2f", - "key": "event.dataset", - "negate": false, - "params": { - "query": "bbot.asm_intel" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "bbot.asm_intel" - } - } - } - ], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "axisTitlesVisibilitySettings": 
{ - "x": true, - "yLeft": true, - "yRight": true - }, - "fittingFunction": "None", - "gridlinesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "labelsOrientation": { - "x": 0, - "yLeft": 0, - "yRight": 0 - }, - "layers": [ - { - "accessors": [ - "b6a09dd7-f423-43e6-8068-db01ebfa9855" - ], - "layerId": "34706177-15e3-422e-942e-450494312e3f", - "layerType": "data", - "palette": { - "name": "negative", - "type": "palette" - }, - "seriesType": "bar_percentage_stacked", - "splitAccessor": "2170eae6-6ab4-4fce-ac60-fbbd4301da66" - } - ], - "legend": { - "isVisible": true, - "position": "right" - }, - "preferredSeriesType": "bar_percentage_stacked", - "tickLabelsVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "valueLabels": "show" - } - }, - "title": "", - "type": "lens", - "visualizationType": "lnsXY" - }, - "enhancements": {}, - "hidePanelTitles": false - }, - "gridData": { - "h": 15, - "i": "a45187ab-0e94-44ba-b3bd-12f7a06c623e", - "w": 18, - "x": 30, - "y": 33 - }, - "panelIndex": "a45187ab-0e94-44ba-b3bd-12f7a06c623e", - "title": "Vulnerability Severity", - "type": "lens" - } - ], - "timeRestore": false, - "title": "BBOT Dashboard", - "version": 1 - }, - "coreMigrationVersion": "8.8.0", - "created_at": "2024-03-21T19:29:20.744Z", - "id": "bbot-8abcb381-42b3-4d99-a177-c103255eedd9", - "managed": false, - "references": [ - { - "id": "logs-*", - "name": "ff18251e-b13b-42f6-8a10-6a6e61e2e74a:indexpattern-datasource-layer-b041b892-4b58-48f3-9f5e-52e0e604cfb0", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "ff18251e-b13b-42f6-8a10-6a6e61e2e74a:2604eb17-0109-4f38-993e-ed797031d791", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "e2b473cb-83a3-43b9-9845-01a865ebba81:indexpattern-datasource-layer-34706177-15e3-422e-942e-450494312e3f", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "e2b473cb-83a3-43b9-9845-01a865ebba81:d7a416f6-fbb4-4477-8760-363e18f9554c", - "type": 
"index-pattern" - }, - { - "id": "logs-*", - "name": "8d154799-5342-4d9f-931a-8ac541b10235:indexpattern-datasource-layer-34706177-15e3-422e-942e-450494312e3f", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "8d154799-5342-4d9f-931a-8ac541b10235:ceb45dbd-8837-4fae-884c-5eef1f068cd9", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "fd6001b7-89f1-4008-b56e-9fee8d3111b1:indexpattern-datasource-layer-9236266e-4c6d-4cb0-8d5c-49493bf23532", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "fd6001b7-89f1-4008-b56e-9fee8d3111b1:52db8b89-498c-4aa2-ba42-d65b2025598f", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "ec50cd13-16ea-463b-8677-d6fc126fcaf8:indexpattern-datasource-layer-934f50cd-f1e9-47ea-be3a-3ceff354f1ad", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "ec50cd13-16ea-463b-8677-d6fc126fcaf8:1877a3bb-aa1f-420e-ad3b-b82ad23d1f0a", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "b7513787-adcc-4e88-8211-42e9c559f09c:indexpattern-datasource-layer-934f50cd-f1e9-47ea-be3a-3ceff354f1ad", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "b7513787-adcc-4e88-8211-42e9c559f09c:e6909ac9-f732-4420-a24d-69ffc4fe319c", - "type": "index-pattern" - }, - { - "id": "bbot-45ce1599-99e3-4c4e-9c1a-07254be0e274", - "name": "81963b3c-596f-4008-80de-286537f0c45d:panel_81963b3c-596f-4008-80de-286537f0c45d", - "type": "search" - }, - { - "id": "logs-*", - "name": "17ab65a3-eb4a-47df-8e8c-91c8ca504c67:indexpattern-datasource-layer-34706177-15e3-422e-942e-450494312e3f", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "17ab65a3-eb4a-47df-8e8c-91c8ca504c67:f6dc81d5-5b2a-40b4-b17a-2b8034ac3bb0", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "a45187ab-0e94-44ba-b3bd-12f7a06c623e:indexpattern-datasource-layer-34706177-15e3-422e-942e-450494312e3f", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": 
"a45187ab-0e94-44ba-b3bd-12f7a06c623e:34e57322-6c1b-479e-95aa-318340186b2f", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "controlGroup_7b900e62-ba4a-468b-a99f-aa5bf4a3a526:optionsListDataView", - "type": "index-pattern" - } - ], - "type": "dashboard", - "typeMigrationVersion": "8.9.0" +{ + "attributes": { + "controlGroupInput": { + "chainingSystem": "HIERARCHICAL", + "controlStyle": "oneLine", + "ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}", + "panelsJSON": "{\"7b900e62-ba4a-468b-a99f-aa5bf4a3a526\":{\"type\":\"optionsListControl\",\"order\":0,\"grow\":true,\"width\":\"medium\",\"explicitInput\":{\"id\":\"7b900e62-ba4a-468b-a99f-aa5bf4a3a526\",\"fieldName\":\"bbot.scan\",\"title\":\"Scan ID:\",\"grow\":true,\"width\":\"medium\",\"selectedOptions\":[],\"enhancements\":{}}}}" + }, + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-b041b892-4b58-48f3-9f5e-52e0e604cfb0", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "2604eb17-0109-4f38-993e-ed797031d791", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "b041b892-4b58-48f3-9f5e-52e0e604cfb0": { + "columnOrder": [ + "b77c2eee-54f7-4fa0-9aa6-936d9064ff4f", + "436a5f51-90a1-4193-b109-25b90ab29fb0" + ], + "columns": { + "436a5f51-90a1-4193-b109-25b90ab29fb0": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Records", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + 
"sourceField": "___records___" + }, + "b77c2eee-54f7-4fa0-9aa6-936d9064ff4f": { + "customLabel": true, + "dataType": "date", + "isBucketed": true, + "label": "Date of scan", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": true, + "interval": "1w" + }, + "scale": "interval", + "sourceField": "@timestamp" + } + }, + "incompleteColumns": {} + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "2604eb17-0109-4f38-993e-ed797031d791", + "key": "event.dataset", + "negate": false, + "params": { + "query": "bbot.asm_intel" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "bbot.asm_intel" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "436a5f51-90a1-4193-b109-25b90ab29fb0" + ], + "layerId": "b041b892-4b58-48f3-9f5e-52e0e604cfb0", + "layerType": "data", + "seriesType": "bar", + "xAccessor": "b77c2eee-54f7-4fa0-9aa6-936d9064ff4f", + "yConfig": [ + { + "color": "#e7664c", + "forAccessor": "436a5f51-90a1-4193-b109-25b90ab29fb0" + } + ] + } + ], + "legend": { + "isVisible": true, + "position": "right", + "showSingleSeries": false + }, + "preferredSeriesType": "bar", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "show" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false, + "timeRange": { + "from": "now-2y", + "to": "now" + } + }, + 
"gridData": { + "h": 6, + "i": "ff18251e-b13b-42f6-8a10-6a6e61e2e74a", + "w": 48, + "x": 0, + "y": 0 + }, + "panelIndex": "ff18251e-b13b-42f6-8a10-6a6e61e2e74a", + "title": "Scans over time", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "description": "This is a count of all url.domains found. There is some overlap between this field and the host.name field.", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-34706177-15e3-422e-942e-450494312e3f", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "d7a416f6-fbb4-4477-8760-363e18f9554c", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "34706177-15e3-422e-942e-450494312e3f": { + "columnOrder": [ + "8847f861-0519-4914-b269-405389c0df68" + ], + "columns": { + "8847f861-0519-4914-b269-405389c0df68": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Unique Records of Domain", + "operationType": "unique_count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "url.domain" + } + }, + "incompleteColumns": {} + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "d7a416f6-fbb4-4477-8760-363e18f9554c", + "key": "event.dataset", + "negate": false, + "params": { + "query": "bbot.asm_intel" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "bbot.asm_intel" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "color": "#E7664C", + "layerId": "34706177-15e3-422e-942e-450494312e3f", + "layerType": "data", + "metricAccessor": "8847f861-0519-4914-b269-405389c0df68" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "description": "This 
is a count of all url.domains found. There is some overlap between this field and the host.name field.", + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 5, + "i": "e2b473cb-83a3-43b9-9845-01a865ebba81", + "w": 15, + "x": 0, + "y": 6 + }, + "panelIndex": "e2b473cb-83a3-43b9-9845-01a865ebba81", + "title": "Unique Domains Found ", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "description": "This is a count of all related.hosts found. This field contains IPv4, IPv6 and Domain Names. ", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-34706177-15e3-422e-942e-450494312e3f", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "ceb45dbd-8837-4fae-884c-5eef1f068cd9", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "34706177-15e3-422e-942e-450494312e3f": { + "columnOrder": [ + "8847f861-0519-4914-b269-405389c0df68" + ], + "columns": { + "8847f861-0519-4914-b269-405389c0df68": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Records Found for Related Hosts", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "related.hosts" + } + }, + "incompleteColumns": {} + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "ceb45dbd-8837-4fae-884c-5eef1f068cd9", + "key": "event.dataset", + "negate": false, + "params": { + "query": "bbot.asm_intel" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "bbot.asm_intel" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "color": "#E7664C", + "layerId": "34706177-15e3-422e-942e-450494312e3f", + "layerType": "data", + 
"metricAccessor": "8847f861-0519-4914-b269-405389c0df68" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "description": "This is a count of all related.hosts found. This field contains IPv4, IPv6 and Domain Names. ", + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 5, + "i": "8d154799-5342-4d9f-931a-8ac541b10235", + "w": 15, + "x": 15, + "y": 6 + }, + "panelIndex": "8d154799-5342-4d9f-931a-8ac541b10235", + "title": "Related Hosts Found - Count of Records", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-9236266e-4c6d-4cb0-8d5c-49493bf23532", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "52db8b89-498c-4aa2-ba42-d65b2025598f", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "9236266e-4c6d-4cb0-8d5c-49493bf23532": { + "columnOrder": [ + "0896481f-8b3d-45f6-bb23-665ece65f846", + "8be8fd12-8e1b-45d8-93e5-3903ae887fc8" + ], + "columns": { + "0896481f-8b3d-45f6-bb23-665ece65f846": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Module", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "8be8fd12-8e1b-45d8-93e5-3903ae887fc8", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "bbot.module" + }, + "8be8fd12-8e1b-45d8-93e5-3903ae887fc8": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + 
"layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "52db8b89-498c-4aa2-ba42-d65b2025598f", + "key": "event.dataset", + "negate": false, + "params": { + "query": "bbot.asm_intel" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "bbot.asm_intel" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "8be8fd12-8e1b-45d8-93e5-3903ae887fc8" + ], + "layerId": "9236266e-4c6d-4cb0-8d5c-49493bf23532", + "layerType": "data", + "position": "top", + "seriesType": "bar_horizontal", + "showGridlines": false, + "xAccessor": "0896481f-8b3d-45f6-bb23-665ece65f846", + "yConfig": [ + { + "color": "#e7664c", + "forAccessor": "8be8fd12-8e1b-45d8-93e5-3903ae887fc8" + } + ] + } + ], + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "bar_horizontal", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 21, + "i": "fd6001b7-89f1-4008-b56e-9fee8d3111b1", + "w": 18, + "x": 30, + "y": 6 + }, + "panelIndex": "fd6001b7-89f1-4008-b56e-9fee8d3111b1", + "title": "Popular Module Findings", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-934f50cd-f1e9-47ea-be3a-3ceff354f1ad", + "type": "index-pattern" + }, + { + "id": "logs-*", 
+ "name": "1877a3bb-aa1f-420e-ad3b-b82ad23d1f0a", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "934f50cd-f1e9-47ea-be3a-3ceff354f1ad": { + "columnOrder": [ + "eebfb3a7-f1b5-4ca3-97e0-95eb896f8621", + "f4935493-86bc-4383-b231-651c7b375e59" + ], + "columns": { + "eebfb3a7-f1b5-4ca3-97e0-95eb896f8621": { + "dataType": "string", + "isBucketed": true, + "label": "Top 5 values of url.domain", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "f4935493-86bc-4383-b231-651c7b375e59", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "secondaryFields": [], + "size": 5 + }, + "scale": "ordinal", + "sourceField": "url.domain" + }, + "f4935493-86bc-4383-b231-651c7b375e59": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "1877a3bb-aa1f-420e-ad3b-b82ad23d1f0a", + "key": "event.dataset", + "negate": false, + "params": { + "query": "bbot.asm_intel" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "bbot.asm_intel" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "emptySizeRatio": 0.54, + "layerId": "934f50cd-f1e9-47ea-be3a-3ceff354f1ad", + "layerType": "data", + "legendDisplay": "default", + "metrics": [ + 
"f4935493-86bc-4383-b231-651c7b375e59" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "eebfb3a7-f1b5-4ca3-97e0-95eb896f8621" + ] + } + ], + "palette": { + "name": "negative", + "type": "palette" + }, + "shape": "donut" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 16, + "i": "ec50cd13-16ea-463b-8677-d6fc126fcaf8", + "w": 15, + "x": 0, + "y": 11 + }, + "panelIndex": "ec50cd13-16ea-463b-8677-d6fc126fcaf8", + "title": "Top 5 Domain Records", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-934f50cd-f1e9-47ea-be3a-3ceff354f1ad", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "e6909ac9-f732-4420-a24d-69ffc4fe319c", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "934f50cd-f1e9-47ea-be3a-3ceff354f1ad": { + "columnOrder": [ + "eebfb3a7-f1b5-4ca3-97e0-95eb896f8621", + "f4935493-86bc-4383-b231-651c7b375e59" + ], + "columns": { + "eebfb3a7-f1b5-4ca3-97e0-95eb896f8621": { + "dataType": "string", + "isBucketed": true, + "label": "Top 5 values of related.hosts", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "f4935493-86bc-4383-b231-651c7b375e59", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "related.hosts" + }, + "f4935493-86bc-4383-b231-651c7b375e59": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, 
+ "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "e6909ac9-f732-4420-a24d-69ffc4fe319c", + "key": "event.dataset", + "negate": false, + "params": { + "query": "bbot.asm_intel" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "bbot.asm_intel" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "emptySizeRatio": 0.54, + "layerId": "934f50cd-f1e9-47ea-be3a-3ceff354f1ad", + "layerType": "data", + "legendDisplay": "default", + "metrics": [ + "f4935493-86bc-4383-b231-651c7b375e59" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "eebfb3a7-f1b5-4ca3-97e0-95eb896f8621" + ] + } + ], + "palette": { + "name": "negative", + "type": "palette" + }, + "shape": "donut" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "description": "", + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 16, + "i": "b7513787-adcc-4e88-8211-42e9c559f09c", + "w": 15, + "x": 15, + "y": 11 + }, + "panelIndex": "b7513787-adcc-4e88-8211-42e9c559f09c", + "title": "Top 5 Related Hosts Found", + "type": "lens" + }, + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 21, + "i": "81963b3c-596f-4008-80de-286537f0c45d", + "w": 30, + "x": 0, + "y": 27 + }, + "panelIndex": "81963b3c-596f-4008-80de-286537f0c45d", + "panelRefName": "panel_81963b3c-596f-4008-80de-286537f0c45d", + "type": "search" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-34706177-15e3-422e-942e-450494312e3f", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": 
"f6dc81d5-5b2a-40b4-b17a-2b8034ac3bb0", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "34706177-15e3-422e-942e-450494312e3f": { + "columnOrder": [ + "8847f861-0519-4914-b269-405389c0df68" + ], + "columns": { + "8847f861-0519-4914-b269-405389c0df68": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "vulnerability.severity : * " + }, + "isBucketed": false, + "label": "Hosts found with Vulnerabilities", + "operationType": "unique_count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "url.domain" + } + }, + "incompleteColumns": {} + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "f6dc81d5-5b2a-40b4-b17a-2b8034ac3bb0", + "key": "event.dataset", + "negate": false, + "params": { + "query": "bbot.asm_intel" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "bbot.asm_intel" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "color": "#ffffff", + "layerId": "34706177-15e3-422e-942e-450494312e3f", + "layerType": "data", + "metricAccessor": "8847f861-0519-4914-b269-405389c0df68" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "description": "", + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 6, + "i": "17ab65a3-eb4a-47df-8e8c-91c8ca504c67", + "w": 18, + "x": 30, + "y": 27 + }, + "panelIndex": "17ab65a3-eb4a-47df-8e8c-91c8ca504c67", + "title": "Vulnerable Hosts", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-34706177-15e3-422e-942e-450494312e3f", + "type": "index-pattern" + }, + { + "id": 
"logs-*", + "name": "34e57322-6c1b-479e-95aa-318340186b2f", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "34706177-15e3-422e-942e-450494312e3f": { + "columnOrder": [ + "2170eae6-6ab4-4fce-ac60-fbbd4301da66", + "b6a09dd7-f423-43e6-8068-db01ebfa9855" + ], + "columns": { + "2170eae6-6ab4-4fce-ac60-fbbd4301da66": { + "dataType": "string", + "isBucketed": true, + "label": "Top 5 values of vulnerability.severity", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderAgg": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "orderBy": { + "type": "custom" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "vulnerability.severity" + }, + "b6a09dd7-f423-43e6-8068-db01ebfa9855": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Severity Percentage", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "vulnerability.severity" + } + }, + "incompleteColumns": {} + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "34e57322-6c1b-479e-95aa-318340186b2f", + "key": "event.dataset", + "negate": false, + "params": { + "query": "bbot.asm_intel" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "bbot.asm_intel" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": 
{ + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "b6a09dd7-f423-43e6-8068-db01ebfa9855" + ], + "layerId": "34706177-15e3-422e-942e-450494312e3f", + "layerType": "data", + "palette": { + "name": "negative", + "type": "palette" + }, + "seriesType": "bar_percentage_stacked", + "splitAccessor": "2170eae6-6ab4-4fce-ac60-fbbd4301da66" + } + ], + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "bar_percentage_stacked", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "show" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "a45187ab-0e94-44ba-b3bd-12f7a06c623e", + "w": 18, + "x": 30, + "y": 33 + }, + "panelIndex": "a45187ab-0e94-44ba-b3bd-12f7a06c623e", + "title": "Vulnerability Severity", + "type": "lens" + } + ], + "timeRestore": false, + "title": "BBOT Dashboard", + "version": 1 + }, + "coreMigrationVersion": "8.8.0", + "created_at": "2024-03-21T19:29:20.744Z", + "id": "bbot-8abcb381-42b3-4d99-a177-c103255eedd9", + "managed": false, + "references": [ + { + "id": "logs-*", + "name": "ff18251e-b13b-42f6-8a10-6a6e61e2e74a:indexpattern-datasource-layer-b041b892-4b58-48f3-9f5e-52e0e604cfb0", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "ff18251e-b13b-42f6-8a10-6a6e61e2e74a:2604eb17-0109-4f38-993e-ed797031d791", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "e2b473cb-83a3-43b9-9845-01a865ebba81:indexpattern-datasource-layer-34706177-15e3-422e-942e-450494312e3f", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "e2b473cb-83a3-43b9-9845-01a865ebba81:d7a416f6-fbb4-4477-8760-363e18f9554c", + "type": 
"index-pattern" + }, + { + "id": "logs-*", + "name": "8d154799-5342-4d9f-931a-8ac541b10235:indexpattern-datasource-layer-34706177-15e3-422e-942e-450494312e3f", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "8d154799-5342-4d9f-931a-8ac541b10235:ceb45dbd-8837-4fae-884c-5eef1f068cd9", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "fd6001b7-89f1-4008-b56e-9fee8d3111b1:indexpattern-datasource-layer-9236266e-4c6d-4cb0-8d5c-49493bf23532", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "fd6001b7-89f1-4008-b56e-9fee8d3111b1:52db8b89-498c-4aa2-ba42-d65b2025598f", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "ec50cd13-16ea-463b-8677-d6fc126fcaf8:indexpattern-datasource-layer-934f50cd-f1e9-47ea-be3a-3ceff354f1ad", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "ec50cd13-16ea-463b-8677-d6fc126fcaf8:1877a3bb-aa1f-420e-ad3b-b82ad23d1f0a", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "b7513787-adcc-4e88-8211-42e9c559f09c:indexpattern-datasource-layer-934f50cd-f1e9-47ea-be3a-3ceff354f1ad", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "b7513787-adcc-4e88-8211-42e9c559f09c:e6909ac9-f732-4420-a24d-69ffc4fe319c", + "type": "index-pattern" + }, + { + "id": "bbot-45ce1599-99e3-4c4e-9c1a-07254be0e274", + "name": "81963b3c-596f-4008-80de-286537f0c45d:panel_81963b3c-596f-4008-80de-286537f0c45d", + "type": "search" + }, + { + "id": "logs-*", + "name": "17ab65a3-eb4a-47df-8e8c-91c8ca504c67:indexpattern-datasource-layer-34706177-15e3-422e-942e-450494312e3f", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "17ab65a3-eb4a-47df-8e8c-91c8ca504c67:f6dc81d5-5b2a-40b4-b17a-2b8034ac3bb0", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "a45187ab-0e94-44ba-b3bd-12f7a06c623e:indexpattern-datasource-layer-34706177-15e3-422e-942e-450494312e3f", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": 
"a45187ab-0e94-44ba-b3bd-12f7a06c623e:34e57322-6c1b-479e-95aa-318340186b2f", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "controlGroup_7b900e62-ba4a-468b-a99f-aa5bf4a3a526:optionsListDataView", + "type": "index-pattern" + } + ], + "type": "dashboard", + "typeMigrationVersion": "8.9.0" } \ No newline at end of file diff --git a/packages/bbot/kibana/search/bbot-45ce1599-99e3-4c4e-9c1a-07254be0e274.json b/packages/bbot/kibana/search/bbot-45ce1599-99e3-4c4e-9c1a-07254be0e274.json index 1298c05cb0a..81d2e0a0aa9 100644 --- a/packages/bbot/kibana/search/bbot-45ce1599-99e3-4c4e-9c1a-07254be0e274.json +++ b/packages/bbot/kibana/search/bbot-45ce1599-99e3-4c4e-9c1a-07254be0e274.json 
@@ -1,109 +1,109 @@ -{ - "attributes": { - "columns": [ - "url.domain", - "url.full", - "host.name", - "related.hosts", - "bbot.tags", - "bbot.module" - ], - "description": "This is used with the official BBOT dashboard.", - "grid": { - "columns": { - "@timestamp": { - "width": 303 - }, - "bbot.data.ASN.asn": { - "width": 268 - }, - "bbot.module": { - "width": 135 - }, - "bbot.tags": { - "width": 177 - }, - "host.ip": { - "width": 352 - }, - "host.name": { - "width": 201 - }, - "related.hosts": { - "width": 175 - }, - "url.domain": { - "width": 235 - }, - "url.full": { - "width": 350 - }, - "url.port": { - "width": 147 - } - } - }, - "hideChart": false, - "isTextBasedQuery": false, - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "event.dataset", - "negate": false, - "params": { - "query": "bbot.asm_intel" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "bbot.asm_intel" - } - } - } - ], - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", - "query": { - "language": "kuery", - "query": "" - } - } - }, - "rowsPerPage": 50, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "timeRestore": false, - "title": "[BBOT] Detailed Findings", - "usesAdHocDataView": false - }, - "coreMigrationVersion": "8.8.0", - "created_at": "2024-03-21T19:17:35.011Z", - "id": "bbot-45ce1599-99e3-4c4e-9c1a-07254be0e274", - "managed": false, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search", - "typeMigrationVersion": "8.0.0" +{ + "attributes": { + "columns": [ + "url.domain", + "url.full", + "host.name", + "related.hosts", + 
"bbot.tags", + "bbot.module" + ], + "description": "This is used with the official BBOT dashboard.", + "grid": { + "columns": { + "@timestamp": { + "width": 303 + }, + "bbot.data.ASN.asn": { + "width": 268 + }, + "bbot.module": { + "width": 135 + }, + "bbot.tags": { + "width": 177 + }, + "host.ip": { + "width": 352 + }, + "host.name": { + "width": 201 + }, + "related.hosts": { + "width": 175 + }, + "url.domain": { + "width": 235 + }, + "url.full": { + "width": 350 + }, + "url.port": { + "width": 147 + } + } + }, + "hideChart": false, + "isTextBasedQuery": false, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.dataset", + "negate": false, + "params": { + "query": "bbot.asm_intel" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "bbot.asm_intel" + } + } + } + ], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "" + } + } + }, + "rowsPerPage": 50, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "timeRestore": false, + "title": "[BBOT] Detailed Findings", + "usesAdHocDataView": false + }, + "coreMigrationVersion": "8.8.0", + "created_at": "2024-03-21T19:17:35.011Z", + "id": "bbot-45ce1599-99e3-4c4e-9c1a-07254be0e274", + "managed": false, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "search", + "typeMigrationVersion": "8.0.0" } \ No newline at end of file diff --git a/packages/bbot/manifest.yml b/packages/bbot/manifest.yml index 6553f20da81..d66d347eb92 100644 --- a/packages/bbot/manifest.yml +++ b/packages/bbot/manifest.yml 
@@ -1,14 +1,14 @@ format_version: 3.1.2 name: bbot title: "BBOT (Bighuge BLS OSINT Tool)" -version: 0.1.0 +version: "0.2.0" description: "BBOT is a recursive internet scanner inspired by Spiderfoot, but designed to be faster, more reliable, and friendlier to pentesters, bug bounty hunters, and developers. " type: integration categories: - security conditions: kibana: - version: "^8.12.1" + version: "^8.13.0" elastic: subscription: "basic" screenshots: diff --git a/packages/bitdefender/changelog.yml b/packages/bitdefender/changelog.yml index 28fcd34360e..1211e0779e8 100644 --- a/packages/bitdefender/changelog.yml +++ b/packages/bitdefender/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.14.0" + changes: + - description: Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template. + type: enhancement + link: https://github.com/elastic/integrations/pull/10135 - version: "1.13.0" changes: - description: Update doc with input limitation collecting jsonRPC format. diff --git a/packages/bitdefender/data_stream/push_configuration/fields/ecs.yml b/packages/bitdefender/data_stream/push_configuration/fields/ecs.yml index e84a56b4f0e..c2fbf7e6e5a 100644 --- a/packages/bitdefender/data_stream/push_configuration/fields/ecs.yml +++ b/packages/bitdefender/data_stream/push_configuration/fields/ecs.yml @@ -6,7 +6,3 @@ name: data_stream.namespace - external: ecs name: '@timestamp' -- external: ecs - name: tags -- external: ecs - name: ecs.version diff --git a/packages/bitdefender/data_stream/push_notifications/fields/ecs.yml b/packages/bitdefender/data_stream/push_notifications/fields/ecs.yml index 944bfecf443..b7e148e95ed 100644 --- a/packages/bitdefender/data_stream/push_notifications/fields/ecs.yml +++ b/packages/bitdefender/data_stream/push_notifications/fields/ecs.yml 
@@ -6,205 +6,3 @@ name: data_stream.dataset - external: ecs name: data_stream.namespace -- external: ecs - name: destination.ip -- external: ecs - name: destination.port -- external: ecs - name: destination.user.domain -- external: ecs - name: destination.user.id -- external: ecs - name: destination.user.name -- external: ecs - name: destination.as.number -- external: ecs - name: destination.as.organization.name -- external: ecs - name: destination.geo.continent_name -- external: ecs - name: destination.geo.country_iso_code -- external: ecs - name: destination.geo.country_name -- external: ecs - name: destination.geo.location -- external: ecs - name: destination.geo.city_name -- external: ecs - name: destination.geo.region_iso_code -- external: ecs - name: destination.geo.region_name -- external: ecs - name: destination.nat.ip -- external: ecs - name: ecs.version -- external: ecs - name: email.sender.address -- external: ecs - name: email.subject -- external: ecs - name: email.to.address -- external: ecs - name: event.action -- external: ecs - name: event.category -- external: ecs - name: event.code -- external: ecs - name: event.created -- external: ecs - name: event.ingested -- external: ecs - name: event.kind -- external: ecs - name: event.outcome -- external: ecs - name: event.original -- external: ecs - name: event.provider -- external: ecs - name: event.sequence -- external: ecs - name: event.type -- external: ecs - name: event.id -- external: ecs - name: file.directory -- external: ecs - name: file.extension -- external: ecs - name: file.name -- external: ecs - name: file.path -- external: ecs - name: file.hash.md5 -- external: ecs - name: file.hash.sha256 -- external: ecs - name: file.size -- external: ecs - name: host.name -- external: ecs - name: log.level -- external: ecs - name: message -- external: ecs - name: network.type -- external: ecs - name: organization.id -- external: ecs - name: organization.name -- external: ecs - name: process.args -- 
external: ecs - name: process.args_count -- external: ecs - name: process.command_line -- external: ecs - name: process.entity_id -- external: ecs - name: process.executable -- external: ecs - name: process.name -- external: ecs - name: process.parent.executable -- external: ecs - name: process.parent.pid -- external: ecs - name: process.pid -- external: ecs - name: process.title -- external: ecs - name: related.hash -- external: ecs - name: related.hosts -- external: ecs - name: related.ip -- external: ecs - name: related.user -- external: ecs - name: source.user.domain -- external: ecs - name: source.user.id -- external: ecs - name: source.user.name -- external: ecs - name: source.ip -- external: ecs - name: source.as.number -- external: ecs - name: source.as.organization.name -- external: ecs - name: source.geo.city_name -- external: ecs - name: source.geo.continent_name -- external: ecs - name: source.geo.country_iso_code -- external: ecs - name: source.geo.country_name -- external: ecs - name: source.geo.location -- external: ecs - name: source.geo.name -- external: ecs - name: source.geo.region_iso_code -- external: ecs - name: source.geo.region_name -- external: ecs - name: tags -- external: ecs - name: user_agent.os.version -- external: ecs - name: threat.technique.id -- external: ecs - name: threat.technique.name -- external: ecs - name: threat.software.name -- external: ecs - name: user.domain -- external: ecs - name: user.id -- external: ecs - name: user.name -- external: ecs - name: user_agent.name -- external: ecs - name: user_agent.device.name -- external: ecs - name: user_agent.original -- external: ecs - name: user_agent.version -- external: ecs - name: user_agent.os.family -- external: ecs - name: user_agent.os.full -- external: ecs - name: user_agent.os.kernel -- external: ecs - name: user_agent.os.name -- external: ecs - name: user_agent.os.platform -- external: ecs - name: user_agent.os.type -- external: ecs - name: url.original -- external: ecs 
- name: url.domain -- external: ecs - name: url.extension -- external: ecs - name: url.path -- external: ecs - name: url.port -- external: ecs - name: url.registered_domain -- external: ecs - name: url.scheme -- external: ecs - name: url.subdomain -- external: ecs - name: url.top_level_domain -- external: ecs - name: url.query -- external: ecs - name: vulnerability.id diff --git a/packages/bitdefender/data_stream/push_statistics/fields/ecs.yml b/packages/bitdefender/data_stream/push_statistics/fields/ecs.yml index e84a56b4f0e..c2fbf7e6e5a 100644 --- a/packages/bitdefender/data_stream/push_statistics/fields/ecs.yml +++ b/packages/bitdefender/data_stream/push_statistics/fields/ecs.yml @@ -6,7 +6,3 @@ name: data_stream.namespace - external: ecs name: '@timestamp' -- external: ecs - name: tags -- external: ecs - name: ecs.version diff --git a/packages/bitdefender/docs/README.md b/packages/bitdefender/docs/README.md index c58cd32eff4..563c4f02c5b 100644 --- a/packages/bitdefender/docs/README.md +++ b/packages/bitdefender/docs/README.md 
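Review bot: Removing every explicit ECS declaration from push_notifications/fields/ecs.yml (process.command_line, file.hash.*, event.category/event.type, user.*, url.*, destination.geo.location, …) makes the mapping of each security-relevant field depend entirely on the ecs@mappings component template being installed on the target cluster; on a cluster without it the first document would be dynamically mapped (strings as text with a keyword multi-field, `destination.geo.location` presumably as a plain object rather than geo_point), and any detection rule or dashboard keyed on the ECS types would stop matching silently rather than erroring. The changelog entry states the Kibana constraint was raised to ^8.13.0, but the bitdefender manifest.yml change is not in this view, so I cannot confirm the package actually enforces the stack version that guarantees the template. Consider leaving a guard in CI, e.g. a system/pipeline test that asserts the resolved type of a few load-bearing fields (`destination.geo.location: geo_point`, `event.category: keyword`, `destination.port: long`), so a regression in the component template shows up at build time instead of as missed alerts.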
@@ -306,17 +306,6 @@ All BitDefender GravityZone log events are available in the `bitdefender_gravity | data_stream.dataset | The field can contain anything that makes sense to signify the source of the data. Examples include `nginx.access`, `prometheus`, `endpoint` etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. `event.dataset` should have the same value as `data_stream.dataset`. Beyond the Elasticsearch data stream naming criteria noted above, the `dataset` value has additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword | | data_stream.namespace | A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with `default`. If no value is used, it falls back to `default`. Beyond the Elasticsearch index naming criteria noted above, `namespace` value has the additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword | | data_stream.type | An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. | constant_keyword | -| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| destination.as.organization.name | Organization name. | keyword | -| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | -| destination.geo.city_name | City name. | keyword | -| destination.geo.continent_name | Name of the continent. | keyword | -| destination.geo.country_iso_code | Country ISO code. | keyword | -| destination.geo.country_name | Country name. 
| keyword | -| destination.geo.location | Longitude and latitude. | geo_point | -| destination.geo.region_iso_code | Region ISO code. | keyword | -| destination.geo.region_name | Region name. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | | destination.nat.as.number | | long | | destination.nat.as.organization.name | | keyword | | destination.nat.geo.city_name | | keyword | 
@@ -326,115 +315,7 @@ All BitDefender GravityZone log events are available in the `bitdefender_gravity | destination.nat.geo.location | | geo_point | | destination.nat.geo.region_iso_code | | keyword | | destination.nat.geo.region_name | | keyword | -| destination.nat.ip | Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip | -| destination.port | Port of the destination. | long | -| destination.user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | -| destination.user.id | Unique identifier of the user. | keyword | -| destination.user.name | Short name or login of the user. | keyword | -| destination.user.name.text | Multi-field of `destination.user.name`. | match_only_text | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| email.sender.address | Per RFC 5322, specifies the address responsible for the actual transmission of the message. | keyword | -| email.subject | A brief summary of the topic of the message. | keyword | -| email.subject.text | Multi-field of `email.subject`. | match_only_text | -| email.to.address | The email address of recipient | keyword | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. 
For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword | -| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date | -| event.id | Unique ID to describe the event. | keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. 
For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| event.provider | Source of the event. Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. 
Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). | keyword | -| event.sequence | Sequence number of the event. The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision. | long | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| file.directory | Directory where the file is located. It should include the drive letter, when appropriate. | keyword | -| file.extension | File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | -| file.hash.md5 | MD5 hash. | keyword | -| file.hash.sha256 | SHA256 hash. | keyword | -| file.name | Name of the file including the extension, without the directory. | keyword | -| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword | -| file.path.text | Multi-field of `file.path`. | match_only_text | -| file.size | File size in bytes. Only relevant when `file.type` is "file". | long | -| host.name | Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name (FQDN), or a name specified by the user. The recommended value is the lowercase FQDN of the host. | keyword | | input.type | | keyword | -| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. 
If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | -| organization.id | Unique identifier for the organization. | keyword | -| organization.name | Organization name. | keyword | -| organization.name.text | Multi-field of `organization.name`. | match_only_text | -| process.args | Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information. | keyword | -| process.args_count | Length of the process.args array. This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. | long | -| process.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard | -| process.command_line.text | Multi-field of `process.command_line`. | match_only_text | -| process.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. 
Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword | -| process.executable | Absolute path to the process executable. | keyword | -| process.executable.text | Multi-field of `process.executable`. | match_only_text | -| process.name | Process name. Sometimes called program name or similar. | keyword | -| process.name.text | Multi-field of `process.name`. | match_only_text | -| process.parent.executable | Absolute path to the process executable. | keyword | -| process.parent.executable.text | Multi-field of `process.parent.executable`. | match_only_text | -| process.parent.pid | Process id. | long | -| process.pid | Process id. | long | -| process.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword | -| process.title.text | Multi-field of `process.title`. | match_only_text | -| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.geo.city_name | City name. 
| keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | -| source.user.id | Unique identifier of the user. | keyword | -| source.user.name | Short name or login of the user. | keyword | -| source.user.name.text | Multi-field of `source.user.name`. | match_only_text | -| tags | List of keywords used to tag each event. | keyword | -| threat.software.name | The name of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software name. | keyword | -| threat.technique.id | The id of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) | keyword | -| threat.technique.name | The name of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) | keyword | -| threat.technique.name.text | Multi-field of `threat.technique.name`. | match_only_text | -| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. 
If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | -| url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | -| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | -| url.original.text | Multi-field of `url.original`. | match_only_text | -| url.path | Path of the request, such as "/search". | wildcard | -| url.port | Port of the request, such as 443. | long | -| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword | -| url.registered_domain | The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. 
| keyword | -| url.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | -| url.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | -| user.id | Unique identifier of the user. | keyword | -| user.name | Short name or login of the user. | keyword | -| user.name.text | Multi-field of `user.name`. | match_only_text | -| user_agent.device.name | Name of the device. | keyword | -| user_agent.name | Name of the user agent. | keyword | -| user_agent.original | Unparsed user_agent string. | keyword | -| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text | -| user_agent.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| user_agent.os.full | Operating system name, including the version or code name. | keyword | -| user_agent.os.full.text | Multi-field of `user_agent.os.full`. | match_only_text | -| user_agent.os.kernel | Operating system kernel version as a raw string. 
| keyword | -| user_agent.os.name | Operating system name, without the version. | keyword | -| user_agent.os.name.text | Multi-field of `user_agent.os.name`. | match_only_text | -| user_agent.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| user_agent.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. If the OS you're dealing with is not listed as an expected value, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword | -| user_agent.os.version | Operating system version as a raw string. | keyword | -| user_agent.version | Version of the user agent. | keyword | -| vulnerability.id | The identification (ID) is the number portion of a vulnerability entry. It includes a unique identification number for the vulnerability. For example (https://cve.mitre.org/about/faqs.html#what_is_cve_id)[Common Vulnerabilities and Exposure CVE ID] | keyword | An example event for `push_notifications` looks as following: 
@@ -556,9 +437,7 @@ All BitDefender GravityZone push notification configuration states are available
 | data_stream.dataset | The field can contain anything that makes sense to signify the source of the data. Examples include `nginx.access`, `prometheus`, `endpoint` etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. `event.dataset` should have the same value as `data_stream.dataset`. Beyond the Elasticsearch data stream naming criteria noted above, the `dataset` value has additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword |
 | data_stream.namespace | A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with `default`. If no value is used, it falls back to `default`. Beyond the Elasticsearch index naming criteria noted above, `namespace` value has the additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword |
 | data_stream.type | An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
 | input.type | | keyword |
-| tags | List of keywords used to tag each event. | keyword |
 An example event for `push_configuration` looks as following:
@@ -676,9 +555,7 @@ All BitDefender GravityZone push notification statistics are available in the `b
 | data_stream.dataset | The field can contain anything that makes sense to signify the source of the data. Examples include `nginx.access`, `prometheus`, `endpoint` etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. `event.dataset` should have the same value as `data_stream.dataset`. Beyond the Elasticsearch data stream naming criteria noted above, the `dataset` value has additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword |
 | data_stream.namespace | A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with `default`. If no value is used, it falls back to `default`. Beyond the Elasticsearch index naming criteria noted above, `namespace` value has the additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword |
 | data_stream.type | An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
 | input.type | | keyword |
-| tags | List of keywords used to tag each event. | keyword |
 An example event for `push_statistics` looks as following:
diff --git a/packages/bitdefender/manifest.yml b/packages/bitdefender/manifest.yml
index 7436557c080..e60834c450f 100644
--- a/packages/bitdefender/manifest.yml
+++ b/packages/bitdefender/manifest.yml
@@ -1,7 +1,7 @@
 format_version: "3.0.2"
 name: bitdefender
 title: "BitDefender"
-version: "1.13.0"
+version: "1.14.0"
 source:
 license: "Elastic-2.0"
 description: "Ingest BitDefender GravityZone logs and data"
@@ -10,7 +10,7 @@ categories:
 - security
 conditions:
 kibana:
- version: "^8.12.0"
+ version: "^8.13.0"
 elastic:
 subscription: "basic"
 screenshots:
diff --git a/packages/bitwarden/_dev/build/build.yml b/packages/bitwarden/_dev/build/build.yml
index 71f48ba2a9c..2bfcfc223b0 100644
--- a/packages/bitwarden/_dev/build/build.yml
+++ b/packages/bitwarden/_dev/build/build.yml
@@ -1,4 +1,3 @@
 dependencies:
 ecs:
 reference: "git@v8.11.0"
- import_mappings: true
diff --git a/packages/bitwarden/changelog.yml b/packages/bitwarden/changelog.yml
index 498ef88c757..5aeeeef8af1 100644
--- a/packages/bitwarden/changelog.yml
+++ b/packages/bitwarden/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.13.0"
+ changes:
+ - description: Removed import_mappings. Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/10135
 - version: "1.12.0"
 changes:
 - description: Improve handling of empty responses.
diff --git a/packages/bitwarden/data_stream/collection/fields/beats.yml b/packages/bitwarden/data_stream/collection/fields/beats.yml
index 3415608ae37..cc9fcebf29b 100644
--- a/packages/bitwarden/data_stream/collection/fields/beats.yml
+++ b/packages/bitwarden/data_stream/collection/fields/beats.yml
@@ -1,9 +1,6 @@
 - name: input.type
 description: Type of Filebeat input.
 type: keyword
-- name: tags
- type: keyword
- description: User defined tags.
 - name: log.offset
 type: long
 description: Log offset.
diff --git a/packages/bitwarden/data_stream/event/fields/beats.yml b/packages/bitwarden/data_stream/event/fields/beats.yml
index 3415608ae37..cc9fcebf29b 100644
--- a/packages/bitwarden/data_stream/event/fields/beats.yml
+++ b/packages/bitwarden/data_stream/event/fields/beats.yml
@@ -1,9 +1,6 @@
 - name: input.type
 description: Type of Filebeat input.
 type: keyword
-- name: tags
- type: keyword
- description: User defined tags.
 - name: log.offset
 type: long
 description: Log offset.
diff --git a/packages/bitwarden/data_stream/group/fields/beats.yml b/packages/bitwarden/data_stream/group/fields/beats.yml
index 3415608ae37..cc9fcebf29b 100644
--- a/packages/bitwarden/data_stream/group/fields/beats.yml
+++ b/packages/bitwarden/data_stream/group/fields/beats.yml
@@ -1,9 +1,6 @@
 - name: input.type
 description: Type of Filebeat input.
 type: keyword
-- name: tags
- type: keyword
- description: User defined tags.
 - name: log.offset
 type: long
 description: Log offset.
diff --git a/packages/bitwarden/data_stream/member/fields/beats.yml b/packages/bitwarden/data_stream/member/fields/beats.yml
index 3415608ae37..cc9fcebf29b 100644
--- a/packages/bitwarden/data_stream/member/fields/beats.yml
+++ b/packages/bitwarden/data_stream/member/fields/beats.yml
@@ -1,9 +1,6 @@
 - name: input.type
 description: Type of Filebeat input.
 type: keyword
-- name: tags
- type: keyword
- description: User defined tags.
 - name: log.offset
 type: long
 description: Log offset.
diff --git a/packages/bitwarden/data_stream/policy/fields/beats.yml b/packages/bitwarden/data_stream/policy/fields/beats.yml
index 3415608ae37..cc9fcebf29b 100644
--- a/packages/bitwarden/data_stream/policy/fields/beats.yml
+++ b/packages/bitwarden/data_stream/policy/fields/beats.yml
@@ -1,9 +1,6 @@
 - name: input.type
 description: Type of Filebeat input.
 type: keyword
-- name: tags
- type: keyword
- description: User defined tags.
 - name: log.offset
 type: long
 description: Log offset.
diff --git a/packages/bitwarden/docs/README.md b/packages/bitwarden/docs/README.md
index b9b0a66254d..3b5fa2d748b 100644
--- a/packages/bitwarden/docs/README.md
+++ b/packages/bitwarden/docs/README.md
@@ -122,7 +122,6 @@ An example event for `collection` looks as following:
 | event.module | Event module. | constant_keyword |
 | input.type | Type of Filebeat input. | keyword |
 | log.offset | Log offset. | long |
-| tags | User defined tags. | keyword |
 ### Event
@@ -266,7 +265,6 @@ An example event for `event` looks as following:
 | event.module | Event module. | constant_keyword |
 | input.type | Type of Filebeat input. | keyword |
 | log.offset | Log offset. | long |
-| tags | User defined tags. | keyword |
 ### Group
@@ -367,7 +365,6 @@ An example event for `group` looks as following:
 | event.module | Event module. | constant_keyword |
 | input.type | Type of Filebeat input. | keyword |
 | log.offset | Log offset. | long |
-| tags | User defined tags. | keyword |
 ### Member
@@ -493,7 +490,6 @@ An example event for `member` looks as following:
 | event.module | Event module. | constant_keyword |
 | input.type | Type of Filebeat input. | keyword |
 | log.offset | Log offset. | long |
-| tags | User defined tags. | keyword |
 ### Policy
@@ -615,4 +611,3 @@ An example event for `policy` looks as following:
 | event.module | Event module. | constant_keyword |
 | input.type | Type of Filebeat input. | keyword |
 | log.offset | Log offset. | long |
-| tags | User defined tags. | keyword |
diff --git a/packages/bitwarden/manifest.yml b/packages/bitwarden/manifest.yml
index e709799da03..c5b43233a39 100644
--- a/packages/bitwarden/manifest.yml
+++ b/packages/bitwarden/manifest.yml
@@ -1,7 +1,7 @@
 format_version: "3.0.2"
 name: bitwarden
 title: Bitwarden
-version: "1.12.0"
+version: "1.13.0"
 source:
 license: Elastic-2.0
 description: Collect logs from Bitwarden with Elastic Agent.
@@ -11,7 +11,7 @@ categories:
 - credential_management
 conditions:
 kibana:
- version: "^8.12.0"
+ version: "^8.13.0"
 elastic:
 subscription: "basic"
 screenshots:
diff --git a/packages/box_events/changelog.yml b/packages/box_events/changelog.yml
index 381b0b953ad..f5b2ae08ebe 100644
--- a/packages/box_events/changelog.yml
+++ b/packages/box_events/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "2.9.0"
+ changes:
+ - description: Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/10135
 - version: "2.8.0"
 changes:
 - description: Use `event_id` field for document fingerprinting.
diff --git a/packages/box_events/data_stream/events/fields/agent.yml b/packages/box_events/data_stream/events/fields/agent.yml
index 6048dca3d44..8e1c9f999da 100644
--- a/packages/box_events/data_stream/events/fields/agent.yml
+++ b/packages/box_events/data_stream/events/fields/agent.yml
@@ -1,65 +1,12 @@
 - name: cloud
 type: group
 fields:
- - name: account.id
- external: ecs
- - name: availability_zone
- external: ecs
- - name: instance.id
- external: ecs
- - name: instance.name
- external: ecs
- - name: machine.type
- external: ecs
- - name: provider
- external: ecs
- - name: region
- external: ecs
- - name: project.id
- external: ecs
 - name: image.id
 type: keyword
 description: Image ID for the cloud instance.
-- name: container
- type: group
- fields:
- - name: id
- external: ecs
- - name: image.name
- external: ecs
- - name: labels
- external: ecs
- - name: name
- external: ecs
 - name: host
 type: group
 fields:
- - name: architecture
- external: ecs
- - name: domain
- external: ecs
- - name: hostname
- external: ecs
- - name: id
- external: ecs
- - name: ip
- external: ecs
- - name: mac
- external: ecs
- - name: name
- external: ecs
- - name: os.family
- external: ecs
- - name: os.kernel
- external: ecs
- - name: os.name
- external: ecs
- - name: os.platform
- external: ecs
- - name: os.version
- external: ecs
- - name: type
- external: ecs
 - name: containerized
 type: boolean
 description: 
>
@@ -82,10 +29,6 @@ description: >
 Percent CPU used. This value is normalized by the number of CPU cores and it ranges from 0 to 1.
- - name: disk.read.bytes
- external: ecs
- - name: disk.write.bytes
- external: ecs
 - name: network.in.bytes
 type: long
 description: >
diff --git a/packages/box_events/data_stream/events/fields/ecs.yml b/packages/box_events/data_stream/events/fields/ecs.yml
deleted file mode 100644
index f0aaa28f258..00000000000
--- a/packages/box_events/data_stream/events/fields/ecs.yml
+++ /dev/null
@@ -1,140 +0,0 @@
-- external: ecs
- name: ecs.version
-- external: ecs
- name: error.message
-- external: ecs
- name: client.ip
-- external: ecs
- name: client.user.id
-- external: ecs
- name: client.user.full_name
-- external: ecs
- name: client.user.email
-- external: ecs
- name: event.action
-- external: ecs
- name: event.category
-- external: ecs
- name: event.created
-- external: ecs
- name: event.id
-- external: ecs
- name: event.kind
-- external: ecs
- name: event.risk_score
-- external: ecs
- name: event.sequence
-- external: ecs
- name: event.type
-- external: ecs
- name: file.type
-- external: ecs
- name: file.directory
-- external: ecs
- name: file.name
-- external: ecs
- name: file.created
-- external: ecs
- name: file.ctime
-- external: ecs
- name: file.mtime
-- external: ecs
- name: file.size
-- external: ecs
- name: file.hash.sha1
-- external: ecs
- name: message
-- external: ecs
- name: related.hash
-- external: ecs
- name: related.hosts
-- external: ecs
- name: related.ip
-- external: ecs
- name: related.user
-- external: ecs
- name: rule.category
-- external: ecs
- name: rule.id
-- external: ecs
- name: rule.uuid
-- external: ecs
- name: rule.name
-- external: ecs
- name: tags
-- external: ecs
- name: threat.indicator.as.number
-- external: ecs
- name: threat.indicator.as.organization.name
-- external: ecs
- name: threat.indicator.confidence
-- external: ecs
- name: threat.indicator.description
-- external: ecs
- name: threat.enrichments
-- external: ecs
- name: threat.enrichments.indicator.as.number
-- external: ecs
- name: threat.enrichments.indicator.as.organization.name
-- external: ecs
- name: threat.enrichments.indicator.description
-- external: ecs
- name: threat.enrichments.indicator.first_seen
-- external: ecs
- name: threat.enrichments.indicator.geo.city_name
-- external: ecs
- name: threat.enrichments.indicator.geo.continent_name
-- external: ecs
- name: threat.enrichments.indicator.geo.country_iso_code
-- external: ecs
- name: threat.enrichments.indicator.geo.country_name
-- external: ecs
- name: threat.enrichments.indicator.geo.location
-- external: ecs
- name: threat.enrichments.indicator.geo.region_iso_code
-- external: ecs
- name: threat.enrichments.indicator.geo.region_name
-- external: ecs
- name: threat.enrichments.indicator.ip
-- external: ecs
- name: threat.enrichments.indicator.last_seen
-- external: ecs
- name: threat.enrichments.indicator.provider
-- external: ecs
- name: threat.enrichments.indicator.reference
-- external: ecs
- name: threat.enrichments.indicator.type
-- external: ecs
- name: threat.indicator.first_seen
-- external: ecs
- name: threat.indicator.geo.city_name
-- external: ecs
- name: threat.indicator.geo.continent_name
-- external: ecs
- name: threat.indicator.geo.country_iso_code
-- external: ecs
- name: threat.indicator.geo.country_name
-- name: threat.indicator.geo.location
- external: ecs
-- external: ecs
- name: threat.indicator.geo.region_iso_code
-- external: ecs
- name: threat.indicator.geo.region_name
-- external: ecs
- name: threat.indicator.ip
-- external: ecs
- name: threat.indicator.last_seen
-- external: ecs
- name: threat.indicator.provider
-- external: ecs
- name: threat.indicator.reference
-- external: ecs
- name: threat.indicator.sightings
-- external: ecs
- name: threat.indicator.type
-- external: ecs
- name: user.effective.id
-- external: ecs
- name: user.effective.name
-- external: ecs
- name: user.effective.email
diff --git a/packages/box_events/docs/README.md b/packages/box_events/docs/README.md
index 320dcfb9268..b24efb95035 100644
--- a/packages/box_events/docs/README.md
+++ b/packages/box_events/docs/README.md
@@ -252,124 +252,22 @@ Preserves a raw copy of the original event, added to the field `event.original`.
 | box.source.synced | Legacy property for compatibility with Box Desktop | boolean |
 | box.source.timezone | Timezone | boolean |
 | box.source.trashed_at | The time at which this file was put in the trash | boolean |
-| client.ip | IP address of the client (IPv4 or IPv6). | ip |
-| client.user.email | User email address. | keyword |
-| client.user.full_name | User's full name, if available. | keyword |
-| client.user.full_name.text | Multi-field of `client.user.full_name`. | match_only_text |
-| client.user.id | Unique identifier of the user. | keyword |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword |
 | cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host, resource, or service is located. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
 | data_stream.dataset | The field can contain anything that makes sense to signify the source of the data. Examples include `nginx.access`, `prometheus`, `endpoint` etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. `event.dataset` should have the same value as `data_stream.dataset`. Beyond the Elasticsearch data stream naming criteria noted above, the `dataset` value has additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword |
 | data_stream.namespace | A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with `default`. If no value is used, it falls back to `default`. Beyond the Elasticsearch index naming criteria noted above, `namespace` value has the additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword |
 | data_stream.type | An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| error.message | Error message. | match_only_text |
-| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date |
 | event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | constant_keyword |
-| event.id | Unique ID to describe the event. | keyword |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword |
 | event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. | constant_keyword |
-| event.risk_score | Risk score or priority of the event (e.g. security solutions). Use your system's original value here. | float |
-| event.sequence | Sequence number of the event. The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision. | long |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| file.created | File creation time. Note that not all filesystems store the creation time. | date |
-| file.ctime | Last time the file attributes or metadata changed. Note that changes to the file content will update `mtime`. This implies `ctime` will be adjusted at the same time, since `mtime` is an attribute of the file. | date |
-| file.directory | Directory where the file is located. It should include the drive letter, when appropriate. | keyword |
-| file.hash.sha1 | SHA1 hash. | keyword |
-| file.mtime | Last time the file content was modified. | date |
-| file.name | Name of the file including the extension, without the directory. | keyword |
-| file.size | File size in bytes. Only relevant when `file.type` is "file". | long |
-| file.type | File type (file, dir, or symlink). | keyword |
-| host.architecture | Operating system architecture. | keyword |
 | host.containerized | If the host is a container. | boolean |
 | host.cpu.pct | Percent CPU used. This value is normalized by the number of CPU cores and it ranges from 0 to 1. | scaled_float |
-| host.disk.read.bytes | The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection. | long |
-| host.disk.write.bytes | The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection. | long |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
-| host.name | Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name (FQDN), or a name specified by the user. The recommended value is the lowercase FQDN of the host. | keyword |
 | host.network.in.bytes | The number of bytes received on all network interfaces by the host in a given period of time. | long |
 | host.network.in.packets | The number of packets received on all network interfaces by the host in a given period of time. | long |
 | host.network.out.bytes | The number of bytes sent out on all network interfaces by the host in a given period of time. | long |
 | host.network.out.packets | The number of packets sent out on all network interfaces by the host in a given period of time. | long |
 | host.os.build | OS build information. | keyword |
 | host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | match_only_text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
 | input.type | Type of Filebeat input. | keyword |
-| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text |
 | related.description | Array of `description` derived from `threat[.enrichments].indicator.description` | keyword |
-| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword |
-| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
 | related.indicator_type | Array of `indicator_type` derived from `threat[.enrichments].indicator.type` | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
 | related.location | Array of `location` derived from `related.ip` | geo_point |
-| related.user | All the user names or other user identifiers seen on the event. | keyword |
-| rule.category | A categorization value keyword used by the entity using the rule for detection of this event. | keyword |
-| rule.id | A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. | keyword |
-| rule.name | The name of the rule or signature generating the event. | keyword |
-| rule.uuid | A rule ID that is unique within the scope of a set or group of agents, observers, or other entities using the rule for detection of this event. | keyword |
-| tags | List of keywords used to tag each event. | keyword |
-| threat.enrichments | A list of associated indicators objects enriching the event, and the context of that association/enrichment. | nested |
-| threat.enrichments.indicator.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| threat.enrichments.indicator.as.organization.name | Organization name. | keyword |
-| threat.enrichments.indicator.as.organization.name.text | Multi-field of `threat.enrichments.indicator.as.organization.name`. | match_only_text |
-| threat.enrichments.indicator.description | Describes the type of action conducted by the threat. | keyword |
-| threat.enrichments.indicator.first_seen | The date and time when intelligence source first reported sighting this indicator. | date |
-| threat.enrichments.indicator.geo.city_name | City name. | keyword |
-| threat.enrichments.indicator.geo.continent_name | Name of the continent. | keyword |
-| threat.enrichments.indicator.geo.country_iso_code | Country ISO code. | keyword |
-| threat.enrichments.indicator.geo.country_name | Country name. | keyword |
-| threat.enrichments.indicator.geo.location | Longitude and latitude. | geo_point |
-| threat.enrichments.indicator.geo.region_iso_code | Region ISO code. | keyword |
-| threat.enrichments.indicator.geo.region_name | Region name. | keyword |
-| threat.enrichments.indicator.ip | Identifies a threat indicator as an IP address (irrespective of direction). | ip |
-| threat.enrichments.indicator.last_seen | The date and time when intelligence source last reported sighting this indicator. | date |
-| threat.enrichments.indicator.provider | The name of the indicator's provider. | keyword |
-| threat.enrichments.indicator.reference | Reference URL linking to additional information about this indicator. | keyword |
-| threat.enrichments.indicator.type | Type of indicator as represented by Cyber Observable in STIX 2.0. | keyword |
-| threat.indicator.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| threat.indicator.as.organization.name | Organization name. | keyword |
-| threat.indicator.as.organization.name.text | Multi-field of `threat.indicator.as.organization.name`. | match_only_text |
-| threat.indicator.confidence | Identifies the vendor-neutral confidence rating using the None/Low/Medium/High scale defined in Appendix A of the STIX 2.1 framework. Vendor-specific confidence scales may be added as custom fields. | keyword |
-| threat.indicator.description | Describes the type of action conducted by the threat. | keyword |
-| threat.indicator.first_seen | The date and time when intelligence source first reported sighting this indicator. | date |
-| threat.indicator.geo.city_name | City name. | keyword |
-| threat.indicator.geo.continent_name | Name of the continent. | keyword |
-| threat.indicator.geo.country_iso_code | Country ISO code. | keyword |
-| threat.indicator.geo.country_name | Country name. | keyword |
-| threat.indicator.geo.location | Longitude and latitude. | geo_point |
-| threat.indicator.geo.region_iso_code | Region ISO code. | keyword |
-| threat.indicator.geo.region_name | Region name. | keyword |
-| threat.indicator.ip | Identifies a threat indicator as an IP address (irrespective of direction). | ip |
-| threat.indicator.last_seen | The date and time when intelligence source last reported sighting this indicator. | date |
-| threat.indicator.provider | The name of the indicator's provider. | keyword |
-| threat.indicator.reference | Reference URL linking to additional information about this indicator. | keyword |
-| threat.indicator.sightings | Number of times this indicator was observed conducting threat activity. | long |
-| threat.indicator.type | Type of indicator as represented by Cyber Observable in STIX 2.0. | keyword |
-| user.effective.email | User email address. | keyword |
-| user.effective.id | Unique identifier of the user. | keyword |
-| user.effective.name | Short name or login of the user. | keyword |
-| user.effective.name.text | Multi-field of `user.effective.name`. | match_only_text |
diff --git a/packages/box_events/manifest.yml b/packages/box_events/manifest.yml
index f6f41d49534..b582b23eba2 100644
--- a/packages/box_events/manifest.yml
+++ b/packages/box_events/manifest.yml
@@ -1,7 +1,7 @@
 format_version: "3.0.3"
 name: box_events
 title: Box Events
-version: "2.8.0"
+version: "2.9.0"
 description: "Collect logs from Box with Elastic Agent"
 type: integration
 categories:
@@ -9,7 +9,7 @@ categories:
 - productivity_security
 conditions:
 kibana:
- version: "^8.12.0"
+ version: "^8.13.0"
 screenshots:
 - src: /img/box_screenshot.png
 title: "[Logs Box Events Integration] Events Dashboard"
diff --git a/packages/carbon_black_cloud/changelog.yml b/packages/carbon_black_cloud/changelog.yml
index 107d90505d5..acede149602 100644
--- a/packages/carbon_black_cloud/changelog.yml
+++ b/packages/carbon_black_cloud/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "2.2.0"
+ changes:
+ - description: Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/10135
 - version: "2.1.0"
 changes:
 - description: Improve handling of empty responses.
diff --git a/packages/carbon_black_cloud/data_stream/alert/fields/agent.yml b/packages/carbon_black_cloud/data_stream/alert/fields/agent.yml
index bf2dfff6756..48f513b61aa 100644
--- a/packages/carbon_black_cloud/data_stream/alert/fields/agent.yml
+++ b/packages/carbon_black_cloud/data_stream/alert/fields/agent.yml
@@ -5,147 +5,15 @@
 footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
 type: group
 fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
-
- Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
 - name: image.id
 type: keyword
 description: Image ID for the cloud instance.
-- name: container
- title: Container
- group: 2
- description: 'Container fields are used for meta information about the specific container that is the source of information.
-
- These fields help correlate data based containers from any runtime.'
- type: group
- fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container id.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
 - name: host
 title: Host
 group: 2
- description: 'A host is defined as a general computing instance.
-
- ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
+ description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
 type: group
 fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'Name of the domain of which the host is a member.
-
- For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
- example: CONTOSO
- default_field: false
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Type of host.
-
- For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
 - name: containerized
 type: boolean
 description: >
diff --git a/packages/carbon_black_cloud/data_stream/alert/fields/ecs.yml b/packages/carbon_black_cloud/data_stream/alert/fields/ecs.yml
deleted file mode 100644
index 1a0c0a5368f..00000000000
--- a/packages/carbon_black_cloud/data_stream/alert/fields/ecs.yml
+++ /dev/null
@@ -1,36 +0,0 @@
-- external: ecs
- name: ecs.version
-- external: ecs
- name: event.created
-- external: ecs
- name: event.end
-- external: ecs
- name: event.id
-- external: ecs
- name: event.kind
-- external: ecs
- name: event.original
-- external: ecs
- name: event.reason
-- external: ecs
- name: event.severity
-- external: ecs
- name: event.start
-- external: ecs
- name: process.entity_id
-- external: ecs
- name: process.executable
-- external: ecs
- name: process.name
-- external: ecs
- name: related.hash
-- external: ecs
- name: related.hosts
-- external: ecs
- name: related.user
-- external: ecs
- name: tags
-- external: ecs
- name: user.domain
-- external: ecs
- name: user.name
diff --git a/packages/carbon_black_cloud/data_stream/alert_v7/fields/agent.yml b/packages/carbon_black_cloud/data_stream/alert_v7/fields/agent.yml
index bf2dfff6756..48f513b61aa 100644
--- a/packages/carbon_black_cloud/data_stream/alert_v7/fields/agent.yml
+++ b/packages/carbon_black_cloud/data_stream/alert_v7/fields/agent.yml
@@ -5,147 +5,15 @@
 footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
 type: group
 fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
-
- Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
 - name: image.id
 type: keyword
 description: Image ID for the cloud instance.
-- name: container
- title: Container
- group: 2
- description: 'Container fields are used for meta information about the specific container that is the source of information.
-
- These fields help correlate data based containers from any runtime.'
- type: group
- fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container id.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
 - name: host
 title: Host
 group: 2
- description: 'A host is defined as a general computing instance.
-
- ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
+ description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
 type: group
 fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'Name of the domain of which the host is a member.
-
- For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
- example: CONTOSO
- default_field: false
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Type of host.
-
- For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
 - name: containerized
 type: boolean
 description: >
diff --git a/packages/carbon_black_cloud/data_stream/alert_v7/fields/ecs.yml b/packages/carbon_black_cloud/data_stream/alert_v7/fields/ecs.yml
deleted file mode 100644
index 397d0af5c9e..00000000000
--- a/packages/carbon_black_cloud/data_stream/alert_v7/fields/ecs.yml
+++ /dev/null
@@ -1,58 +0,0 @@
-- external: ecs
- name: ecs.version
-- external: ecs
- name: event.created
-- external: ecs
- name: event.end
-- external: ecs
- name: event.id
-- external: ecs
- name: event.kind
-- external: ecs
- name: event.original
-- external: ecs
- name: event.reason
-- external: ecs
- name: event.severity
-- external: ecs
- name: event.start
-- external: ecs
- name: process.entity_id
-- external: ecs
- name: process.executable
-- external: ecs
- name: process.name
-- external: ecs
- name: process.command_line
-- external: ecs
- name: process.pid
-- external: ecs
- name: process.hash.sha256
-- external: ecs
- name: process.hash.md5
-- external: ecs
- name: process.parent.entity_id
-- external: ecs
- name: process.parent.executable
-- external: ecs
- name: process.parent.name
-- external: ecs
- name: process.parent.command_line
-- external: ecs
- name: process.parent.pid
-- external: ecs
- name: process.parent.hash.sha256
-- external: ecs
- name: process.parent.hash.md5
-- external: ecs
- name: related.hash
-- external: ecs
- name: related.hosts
-- external: ecs
- name: related.user
-- external: ecs
- name: tags
-- external: ecs
- name: user.domain
-- external: ecs
- name: user.name
diff --git a/packages/carbon_black_cloud/data_stream/asset_vulnerability_summary/fields/agent.yml b/packages/carbon_black_cloud/data_stream/asset_vulnerability_summary/fields/agent.yml
index bf2dfff6756..48f513b61aa 100644
--- a/packages/carbon_black_cloud/data_stream/asset_vulnerability_summary/fields/agent.yml
+++ b/packages/carbon_black_cloud/data_stream/asset_vulnerability_summary/fields/agent.yml
@@ -5,147 +5,15 @@ footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' type: group fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - name: image.id type: keyword description: Image ID for the cloud instance. -- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. 
- - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. - name: host title: Host group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' type: group fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). 
- example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - name: containerized type: boolean description: > diff --git a/packages/carbon_black_cloud/data_stream/asset_vulnerability_summary/fields/ecs.yml b/packages/carbon_black_cloud/data_stream/asset_vulnerability_summary/fields/ecs.yml deleted file mode 100644 index e40d2676a61..00000000000 --- a/packages/carbon_black_cloud/data_stream/asset_vulnerability_summary/fields/ecs.yml +++ /dev/null @@ -1,14 +0,0 @@ -- external: ecs - name: ecs.version -- external: ecs - name: event.created -- external: ecs - name: event.original -- external: ecs - name: related.hosts -- external: ecs - name: tags -- external: ecs - name: vulnerability.score.base -- external: ecs - name: vulnerability.severity diff --git a/packages/carbon_black_cloud/data_stream/audit/fields/agent.yml b/packages/carbon_black_cloud/data_stream/audit/fields/agent.yml index bf2dfff6756..48f513b61aa 100644 --- a/packages/carbon_black_cloud/data_stream/audit/fields/agent.yml +++ b/packages/carbon_black_cloud/data_stream/audit/fields/agent.yml 
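Review bot: The explicit `keyword` definitions removed in this hunk (`host.os.name`, `host.os.family`, `host.os.platform`, `host.domain`, `host.mac`, `host.type`, and the whole `cloud.*` and `container.*` groups) leave only `cloud.image.id` and `host.containerized` declared, so the types of the dropped fields now depend entirely on the stack installing ECS dynamic templates alongside this package's index template. If the package's stack constraint does not guarantee that, these values fall back to Elasticsearch's default dynamic mapping (`text` with a 256-char `.keyword` sub-field), and term queries, aggregations and KQL detection rules that were written against `keyword` fields change behaviour with no ingest error to flag it. Presumably the `format_version` or `kibana.version` bump that makes this safe lives elsewhere in the patch; confirm it, and consider a one-line note above the `host` group such as `# host.os.*, host.domain, host.mac, cloud.* and container.* are mapped by the stack's ECS dynamic templates; keep the kibana.version constraint in manifest.yml in step with that.` The `cloud` group this hunk edits opens before the hunk starts.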
@@ -5,147 +5,15 @@ footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' type: group fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - name: image.id type: keyword description: Image ID for the cloud instance. -- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. 
- - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. - name: host title: Host group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' type: group fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). 
- example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - name: containerized type: boolean description: > diff --git a/packages/carbon_black_cloud/data_stream/audit/fields/ecs.yml b/packages/carbon_black_cloud/data_stream/audit/fields/ecs.yml deleted file mode 100644 index 3edf889adfa..00000000000 --- a/packages/carbon_black_cloud/data_stream/audit/fields/ecs.yml +++ /dev/null @@ -1,24 +0,0 @@ -- external: ecs - name: client.ip -- external: ecs - name: client.user.id -- external: ecs - name: ecs.version -- external: ecs - name: event.created -- external: ecs - name: event.id -- external: ecs - name: event.original -- external: ecs - name: event.outcome -- external: ecs - name: event.reason -- external: ecs - name: organization.name -- external: ecs - name: related.ip -- external: ecs - name: tags -- external: ecs - name: url.original diff --git a/packages/carbon_black_cloud/data_stream/endpoint_event/fields/agent.yml b/packages/carbon_black_cloud/data_stream/endpoint_event/fields/agent.yml index bf2dfff6756..48f513b61aa 100644 --- a/packages/carbon_black_cloud/data_stream/endpoint_event/fields/agent.yml 
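Review bot: For the `audit` stream the removed definitions on this line include `client.ip` and `related.ip` (ECS type `ip`) and `url.original` (ECS `wildcard`), and nothing in the surviving `agent.yml` hunk re-declares them, so their mapping now comes only from ECS dynamic templates. If those templates are not applied on a given stack, an IP string is dynamically mapped as `text`/`keyword` and a CIDR filter such as `client.ip: 10.0.0.0/8` silently matches nothing rather than failing. Worth adding a mapping assertion to the stream's system test (for example checking that `client.ip` resolves to type `ip` in the installed index template) so a regression shows up in CI instead of in an analyst's empty search. The `cloud` group this hunk edits begins before the hunk.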
+++ b/packages/carbon_black_cloud/data_stream/endpoint_event/fields/agent.yml 
@@ -5,147 +5,15 @@ footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' type: group fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - name: image.id type: keyword description: Image ID for the cloud instance. -- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. 
- - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. - name: host title: Host group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' type: group fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). 
- example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - name: containerized type: boolean description: > diff --git a/packages/carbon_black_cloud/data_stream/endpoint_event/fields/ecs.yml b/packages/carbon_black_cloud/data_stream/endpoint_event/fields/ecs.yml deleted file mode 100644 index fa3c12ea3f5..00000000000 --- a/packages/carbon_black_cloud/data_stream/endpoint_event/fields/ecs.yml +++ /dev/null 
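Review bot: The `endpoint_event` definitions deleted on this line cover the fields detection rules lean on most, `process.command_line` / `process.parent.command_line` (ECS `wildcard`), `registry.path` and `file.path` (`keyword`, `ignore_above: 1024`) and `event.original` (ECS: not indexed, no doc_values), and the `agent.yml` hunk keeps no replacement for them. Under default dynamic mapping a command line longer than 256 characters loses its `.keyword` value, so exact-match and wildcard rules on long command lines miss silently, and `event.original` is fully indexed as `text`, which roughly doubles storage for the raw payload. This is only a problem if ECS dynamic templates are not guaranteed by the package's stack constraint, which I cannot see from this hunk; if they are, a comment above the remaining `host` group stating that dependency, e.g. `# process.*, registry.path, file.path and event.original rely on the stack's ECS dynamic templates (wildcard / not-indexed); do not re-declare them here`, would stop the next contributor from re-adding ad-hoc `keyword` mappings. The enclosing `cloud` group starts before the hunk.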
@@ -1,80 +0,0 @@ -- external: ecs - name: client.ip -- external: ecs - name: client.port -- external: ecs - name: destination.ip -- external: ecs - name: destination.port -- external: ecs - name: dll.hash.md5 -- external: ecs - name: dll.hash.sha256 -- external: ecs - name: dll.path -- external: ecs - name: ecs.version -- external: ecs - name: event.action -- external: ecs - name: event.created -- external: ecs - name: event.id -- external: ecs - name: event.original -- external: ecs - name: event.reason -- external: ecs - name: file.hash.md5 -- external: ecs - name: file.hash.sha256 -- external: ecs - name: file.path -- external: ecs - name: network.direction -- external: ecs - name: network.transport -- external: ecs - name: process.command_line -- external: ecs - name: process.entity_id -- external: ecs - name: process.executable -- external: ecs - name: process.hash.md5 -- external: ecs - name: process.hash.sha256 -- external: ecs - name: process.parent.command_line -- external: ecs - name: process.parent.entity_id -- external: ecs - name: process.parent.executable -- external: ecs - name: process.parent.hash.md5 -- external: ecs - name: process.parent.hash.sha256 -- external: ecs - name: process.parent.pid -- external: ecs - name: process.pid -- external: ecs - name: registry.path -- external: ecs - name: related.hash -- external: ecs - name: related.hosts -- external: ecs - name: related.ip -- external: ecs - name: related.user -- external: ecs - name: source.address -- external: ecs - name: source.ip -- external: ecs - name: source.port -- external: ecs - name: tags -- external: ecs - name: user.domain diff --git a/packages/carbon_black_cloud/data_stream/watchlist_hit/fields/agent.yml b/packages/carbon_black_cloud/data_stream/watchlist_hit/fields/agent.yml index bf2dfff6756..48f513b61aa 100644 --- a/packages/carbon_black_cloud/data_stream/watchlist_hit/fields/agent.yml +++ b/packages/carbon_black_cloud/data_stream/watchlist_hit/fields/agent.yml 
@@ -5,147 +5,15 @@ footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' type: group fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - name: image.id type: keyword description: Image ID for the cloud instance. -- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. 
- - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. - name: host title: Host group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' type: group fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). 
- example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - name: containerized type: boolean description: > diff --git a/packages/carbon_black_cloud/data_stream/watchlist_hit/fields/ecs.yml b/packages/carbon_black_cloud/data_stream/watchlist_hit/fields/ecs.yml deleted file mode 100644 index 484cce18ef3..00000000000 --- a/packages/carbon_black_cloud/data_stream/watchlist_hit/fields/ecs.yml +++ /dev/null 
@@ -1,46 +0,0 @@ -- external: ecs - name: ecs.version -- external: ecs - name: event.created -- external: ecs - name: event.kind -- external: ecs - name: event.original -- external: ecs - name: event.severity -- external: ecs - name: process.command_line -- external: ecs - name: process.entity_id -- external: ecs - name: process.executable -- external: ecs - name: process.hash.md5 -- external: ecs - name: process.hash.sha256 -- external: ecs - name: process.parent.command_line -- external: ecs - name: process.parent.entity_id -- external: ecs - name: process.parent.executable -- external: ecs - name: process.parent.hash.md5 -- external: ecs - name: process.parent.hash.sha256 -- external: ecs - name: process.parent.pid -- external: ecs - name: process.pid -- external: ecs - name: related.hash -- external: ecs - name: related.hosts -- external: ecs - name: related.ip -- external: ecs - name: related.user -- external: ecs - name: tags -- external: ecs - name: user.domain diff --git a/packages/carbon_black_cloud/docs/README.md b/packages/carbon_black_cloud/docs/README.md index f7f0a558d3b..409c00a0729 100644 --- a/packages/carbon_black_cloud/docs/README.md +++ b/packages/carbon_black_cloud/docs/README.md 
@@ -159,52 +159,17 @@ An example event for `audit` looks as following: | @timestamp | Event timestamp. | date | | carbon_black_cloud.audit.flagged | true if action is failed otherwise false. | boolean | | carbon_black_cloud.audit.verbose | true if verbose audit log otherwise false. | boolean | -| client.ip | IP address of the client (IPv4 or IPv6). | ip | -| client.user.id | Unique identifier of the user. | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | | cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | | data_stream.dataset | Data stream dataset. | constant_keyword | | data_stream.namespace | Data stream namespace. | constant_keyword | | data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. 
| keyword | -| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date | | event.dataset | Event dataset. | constant_keyword | -| event.id | Unique ID to describe the event. | keyword | | event.module | Event module. | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. 
For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| event.reason | Reason why this event happened, according to the source. This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). | keyword | -| host.architecture | Operating system architecture. | keyword | | host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.mac | Host mac addresses. | keyword | | host.os.build | OS build information. | keyword | | host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | input.type | Input type | keyword | | log.offset | Log offset | long | -| organization.name | Organization name. | keyword | -| organization.name.text | Multi-field of `organization.name`. | match_only_text | -| related.ip | All of the IPs seen on your event. 
| ip | -| tags | List of keywords used to tag each event. | keyword | -| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | -| url.original.text | Multi-field of `url.original`. | match_only_text | ### Alert 
@@ -380,59 +345,17 @@ An example event for `alert` looks as following:
 | carbon_black_cloud.alert.workflow.last_update_time | The last update time of workflow. | date |
 | carbon_black_cloud.alert.workflow.remediation | N/A. | keyword |
 | carbon_black_cloud.alert.workflow.state | The state of workflow. | keyword |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
 | cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
 | data_stream.dataset | Data stream dataset. | constant_keyword |
 | data_stream.namespace | Data stream namespace. | constant_keyword |
 | data_stream.type | Data stream type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline.
This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date |
 | event.dataset | Event dataset. | constant_keyword |
-| event.end | `event.end` contains the date when the event ended or when the activity was last observed. | date |
-| event.id | Unique ID to describe the event. | keyword |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword |
 | event.module | Event module. | constant_keyword |
-| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
-| event.reason | Reason why this event happened, according to the source. This describes the why of a particular action or outcome captured in the event.
Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). | keyword |
-| event.severity | The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. | long |
-| event.start | `event.start` contains the date when the event started or when the activity was first observed. | date |
-| host.architecture | Operating system architecture. | keyword |
 | host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.mac | Host mac addresses. | keyword |
 | host.os.build | OS build information. | keyword |
 | host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`.
If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
 | input.type | Input type | keyword |
 | log.offset | Log offset | long |
-| process.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword |
-| process.executable | Absolute path to the process executable. | keyword |
-| process.executable.text | Multi-field of `process.executable`. | match_only_text |
-| process.name | Process name. Sometimes called program name or similar. | keyword |
-| process.name.text | Multi-field of `process.name`. | match_only_text |
-| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword |
-| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
-| related.user | All the user names or other user identifiers seen on the event. | keyword |
-| tags | List of keywords used to tag each event. | keyword |
-| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
-| user.name | Short name or login of the user. | keyword |
-| user.name.text | Multi-field of `user.name`. | match_only_text |
 ### Alert
@@ -783,74 +706,17 @@ An example event for `alert_v7` looks as following:
 | carbon_black_cloud.alert.workflow.changed_by_type | The type of user who changed the workflow. | keyword |
 | carbon_black_cloud.alert.workflow.closure_reason | Reason for which the workflow was closed. | keyword |
 | carbon_black_cloud.alert.workflow.status | The status of the workflow. | keyword |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
 | cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
 | data_stream.dataset | Data stream dataset. | constant_keyword |
 | data_stream.namespace | Data stream namespace. | constant_keyword |
 | data_stream.type | Data stream type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
| keyword |
-| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date |
 | event.dataset | Event dataset. | constant_keyword |
-| event.end | `event.end` contains the date when the event ended or when the activity was last observed. | date |
-| event.id | Unique ID to describe the event. | keyword |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword |
 | event.module | Event module. | constant_keyword |
-| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`.
| keyword |
-| event.reason | Reason why this event happened, according to the source. This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). | keyword |
-| event.severity | The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. | long |
-| event.start | `event.start` contains the date when the event started or when the activity was first observed. | date |
-| host.architecture | Operating system architecture. | keyword |
 | host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.mac | Host mac addresses. | keyword |
 | host.os.build | OS build information. | keyword |
 | host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`.
| text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
 | input.type | Input type | keyword |
 | log.offset | Log offset | long |
-| process.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard |
-| process.command_line.text | Multi-field of `process.command_line`. | match_only_text |
-| process.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword |
-| process.executable | Absolute path to the process executable. | keyword |
-| process.executable.text | Multi-field of `process.executable`. | match_only_text |
-| process.hash.md5 | MD5 hash. | keyword |
-| process.hash.sha256 | SHA256 hash. | keyword |
-| process.name | Process name. Sometimes called program name or similar. | keyword |
-| process.name.text | Multi-field of `process.name`. | match_only_text |
-| process.parent.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard |
-| process.parent.command_line.text | Multi-field of `process.parent.command_line`. | match_only_text |
-| process.parent.entity_id | Unique identifier for the process.
The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword |
-| process.parent.executable | Absolute path to the process executable. | keyword |
-| process.parent.executable.text | Multi-field of `process.parent.executable`. | match_only_text |
-| process.parent.hash.md5 | MD5 hash. | keyword |
-| process.parent.hash.sha256 | SHA256 hash. | keyword |
-| process.parent.name | Process name. Sometimes called program name or similar. | keyword |
-| process.parent.name.text | Multi-field of `process.parent.name`. | match_only_text |
-| process.parent.pid | Process id. | long |
-| process.pid | Process id. | long |
-| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword |
-| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
-| related.user | All the user names or other user identifiers seen on the event. | keyword |
-| tags | List of keywords used to tag each event. | keyword |
-| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
-| user.name | Short name or login of the user. | keyword |
-| user.name.text | Multi-field of `user.name`. | match_only_text |
 ### Endpoint Event
@@ -1022,83 +888,17 @@ An example event for `endpoint_event` looks as following:
 | carbon_black_cloud.endpoint_event.sensor_action | The sensor action taken on event. | keyword |
 | carbon_black_cloud.endpoint_event.target_cmdline | Process command line associated with the target process. | keyword |
 | carbon_black_cloud.endpoint_event.type | The event type. | keyword |
-| client.ip | IP address of the client (IPv4 or IPv6). | ip |
-| client.port | Port of the client. | long |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
 | cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
 | data_stream.dataset | Data stream dataset. | constant_keyword |
 | data_stream.namespace | Data stream namespace. | constant_keyword |
 | data_stream.type | Data stream type. | constant_keyword |
-| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
-| destination.port | Port of the destination. | long |
-| dll.hash.md5 | MD5 hash. | keyword |
-| dll.hash.sha256 | SHA256 hash. | keyword |
-| dll.path | Full file path of the library.
| keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
-| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date |
 | event.dataset | Event dataset. | constant_keyword |
-| event.id | Unique ID to describe the event. | keyword |
 | event.module | Event module. | constant_keyword |
-| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
-| event.reason | Reason why this event happened, according to the source. This describes the why of a particular action or outcome captured in the event.
Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). | keyword |
-| file.hash.md5 | MD5 hash. | keyword |
-| file.hash.sha256 | SHA256 hash. | keyword |
-| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword |
-| file.path.text | Multi-field of `file.path`. | match_only_text |
-| host.architecture | Operating system architecture. | keyword |
 | host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.mac | Host mac addresses. | keyword |
 | host.os.build | OS build information. | keyword |
 | host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
 | input.type | Input type | keyword |
 | log.offset | Log offset | long |
-| network.direction | Direction of the network traffic. When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress".
When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword |
-| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
-| process.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard |
-| process.command_line.text | Multi-field of `process.command_line`. | match_only_text |
-| process.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword |
-| process.executable | Absolute path to the process executable. | keyword |
-| process.executable.text | Multi-field of `process.executable`. | match_only_text |
-| process.hash.md5 | MD5 hash. | keyword |
-| process.hash.sha256 | SHA256 hash. | keyword |
-| process.parent.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information.
| wildcard |
-| process.parent.command_line.text | Multi-field of `process.parent.command_line`. | match_only_text |
-| process.parent.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword |
-| process.parent.executable | Absolute path to the process executable. | keyword |
-| process.parent.executable.text | Multi-field of `process.parent.executable`. | match_only_text |
-| process.parent.hash.md5 | MD5 hash. | keyword |
-| process.parent.hash.sha256 | SHA256 hash. | keyword |
-| process.parent.pid | Process id. | long |
-| process.pid | Process id. | long |
-| registry.path | Full path, including hive, key and value | keyword |
-| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword |
-| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| related.user | All the user names or other user identifiers seen on the event. | keyword |
-| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.port | Port of the source.
| long |
-| tags | List of keywords used to tag each event. | keyword |
-| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
 ### Watchlist Hit
@@ -1268,65 +1068,17 @@ An example event for `watchlist_hit` looks as following:
 | carbon_black_cloud.watchlist_hit.type | The watchlist hit type. | keyword |
 | carbon_black_cloud.watchlist_hit.watchlists.id | The ID of the watchlists. | keyword |
 | carbon_black_cloud.watchlist_hit.watchlists.name | The name of the watchlists. | keyword |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
 | cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
 | data_stream.dataset | Data stream dataset. | constant_keyword |
 | data_stream.namespace | Data stream namespace. | constant_keyword |
 | data_stream.type | Data stream type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
| keyword |
-| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date |
 | event.dataset | Event dataset. | constant_keyword |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword |
 | event.module | Event module. | constant_keyword |
-| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
-| event.severity | The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases.
It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. | long |
-| host.architecture | Operating system architecture. | keyword |
 | host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.mac | Host mac addresses. | keyword |
 | host.os.build | OS build information. | keyword |
 | host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
 | input.type | Input type | keyword |
 | log.offset | Log offset | long |
-| process.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard |
-| process.command_line.text | Multi-field of `process.command_line`. | match_only_text |
-| process.entity_id | Unique identifier for the process.
The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword |
-| process.executable | Absolute path to the process executable. | keyword |
-| process.executable.text | Multi-field of `process.executable`. | match_only_text |
-| process.hash.md5 | MD5 hash. | keyword |
-| process.hash.sha256 | SHA256 hash. | keyword |
-| process.parent.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard |
-| process.parent.command_line.text | Multi-field of `process.parent.command_line`. | match_only_text |
-| process.parent.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword |
-| process.parent.executable | Absolute path to the process executable. | keyword |
-| process.parent.executable.text | Multi-field of `process.parent.executable`. | match_only_text |
-| process.parent.hash.md5 | MD5 hash. | keyword |
-| process.parent.hash.sha256 | SHA256 hash. | keyword |
-| process.parent.pid | Process id. | long |
-| process.pid | Process id. | long |
-| related.hash | All the hashes seen on your event.
Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword |
-| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| related.user | All the user names or other user identifiers seen on the event. | keyword |
-| tags | List of keywords used to tag each event. | keyword |
-| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
 ### Asset Vulnerability Summary
@@ -1427,42 +1179,14 @@ An example event for `asset_vulnerability_summary` looks as following:
| carbon_black_cloud.asset_vulnerability_summary.vm.id | The identifier is for the Virtual Machine ID. | keyword |
| carbon_black_cloud.asset_vulnerability_summary.vm.name | The identifier is for the Virtual Machine name. | keyword |
| carbon_black_cloud.asset_vulnerability_summary.vuln_count | The identifier is for the Number of vulnerabilities at this level. | integer |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
| data_stream.dataset | Data stream dataset. | constant_keyword |
| data_stream.namespace | Data stream namespace. | constant_keyword |
| data_stream.type | Data stream type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date |
| event.dataset | Event dataset. | constant_keyword |
| event.module | Event module. | constant_keyword |
-| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
-| host.architecture | Operating system architecture. | keyword |
| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.mac | Host mac addresses. | keyword |
| host.os.build | OS build information. | keyword |
| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows).
| keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
| input.type | Input type | keyword |
| log.offset | Log offset | long |
-| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
-| tags | List of keywords used to tag each event. | keyword |
-| vulnerability.score.base | Scores can range from 0.0 to 10.0, with 10.0 being the most severe. Base scores cover an assessment for exploitability metrics (attack vector, complexity, privileges, and user interaction), impact metrics (confidentiality, integrity, and availability), and scope. For example (https://www.first.org/cvss/specification-document) | float |
-| vulnerability.severity | The severity of the vulnerability can help with metrics and internal prioritization regarding remediation. For example (https://nvd.nist.gov/vuln-metrics/cvss) | keyword |
diff --git a/packages/carbon_black_cloud/manifest.yml b/packages/carbon_black_cloud/manifest.yml
index 6a039df6fe1..315c0c9647e 100644
--- a/packages/carbon_black_cloud/manifest.yml
+++ b/packages/carbon_black_cloud/manifest.yml
@@ -1,7 +1,7 @@
format_version: "3.0.2"
name: carbon_black_cloud
title: VMware Carbon Black Cloud
-version: "2.1.0"
+version: "2.2.0"
description: Collect logs from VMWare Carbon Black Cloud with Elastic Agent.
type: integration
categories:
@@ -9,7 +9,7 @@ categories:
- edr_xdr
conditions:
kibana:
- version: ^8.12.0
+ version: "^8.13.0"
screenshots:
- src: /img/carbon_black_cloud-screenshot.png
title: Carbon Black Cloud alert dashboard screenshot
diff --git a/packages/carbonblack_edr/changelog.yml b/packages/carbonblack_edr/changelog.yml
index 776174ec3a9..5fb93221fd3 100644
--- a/packages/carbonblack_edr/changelog.yml
+++ b/packages/carbonblack_edr/changelog.yml
@@ -1,4 +1,9 @@
# newer versions go on top
+- version: "1.18.0"
+ changes:
+ - description: Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/10135
- version: "1.17.0"
changes:
- description: Update manifest format version to v3.0.3.
diff --git a/packages/carbonblack_edr/data_stream/log/fields/agent.yml b/packages/carbonblack_edr/data_stream/log/fields/agent.yml
index 8d787b7c8dc..bc42d0a853b 100644
--- a/packages/carbonblack_edr/data_stream/log/fields/agent.yml
+++ b/packages/carbonblack_edr/data_stream/log/fields/agent.yml
@@ -1,82 +1,9 @@
- name: host
title: Host
group: 2
- description: 'A host is defined as a general computing instance.
-
- ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
+ description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
type: group
fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'Name of the domain of which the host is a member.
-
- For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
- example: CONTOSO
- default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host.
-
- It normally contains what the `hostname` command returns on the host machine.'
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Unique host id.
-
- As hostname is not always unique, use values that are meaningful in your environment.
-
- Example: The current usage of `beat.name`.'
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Type of host.
-
- For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
- name: containerized
type: boolean
description: >
diff --git a/packages/carbonblack_edr/data_stream/log/fields/beats.yml b/packages/carbonblack_edr/data_stream/log/fields/beats.yml
index 9275638f93a..582ff946c0d 100644
--- a/packages/carbonblack_edr/data_stream/log/fields/beats.yml
+++ b/packages/carbonblack_edr/data_stream/log/fields/beats.yml
@@ -7,9 +7,6 @@
- name: log.offset
type: long
description: Offset of the entry in the log file.
-- name: log.file.path
- type: keyword
- description: Path to the log file.
- name: log.source.address
type: keyword
description: Source address from which the log event was read / sent from.
diff --git a/packages/carbonblack_edr/data_stream/log/fields/ecs.yml b/packages/carbonblack_edr/data_stream/log/fields/ecs.yml
deleted file mode 100644
index e490e93cb9f..00000000000
--- a/packages/carbonblack_edr/data_stream/log/fields/ecs.yml
+++ /dev/null
@@ -1,112 +0,0 @@
-- name: ecs.version
- external: ecs
-- name: error.message
- external: ecs
-- name: event.action
- external: ecs
-- name: event.category
- external: ecs
-- name: event.created
- external: ecs
-- name: event.duration
- external: ecs
-- name: event.end
- external: ecs
-- name: event.id
- external: ecs
-- name: event.ingested
- external: ecs
-- name: event.kind
- external: ecs
-- name: event.original
- external: ecs
-- name: event.outcome
- external: ecs
-- name: event.start
- external: ecs
-- name: event.type
- external: ecs
-- name: file.attributes
- external: ecs
-- name: file.code_signature.exists
- external: ecs
-- name: file.code_signature.status
- external: ecs
-- name: file.code_signature.subject_name
- external: ecs
-- name: file.hash.md5
- external: ecs
-- name: file.path
- external: ecs
-- name: file.pe.architecture
- external: ecs
-- name: file.size
- external: ecs
-- name: host.name
- external: ecs
-- name: host.os.name
- external: ecs
-- name: host.os.type
- external: ecs
-- name: network.direction
- external: ecs
-- name: network.transport
- external: ecs
-- name: network.iana_number
- external: ecs
-- name: observer.name
- external: ecs
-- name: observer.product
- external: ecs
-- name: observer.type
- external: ecs
-- name: observer.vendor
- external: ecs
-- name: observer.version
- external: ecs
-- name: process.command_line
- external: ecs
-- name: process.entity_id
- external: ecs
-- name: process.executable
- external: ecs
-- name: process.hash.md5
- external: ecs
-- name: process.name
- external: ecs
-- name: process.parent.entity_id
- external: ecs
-- name: process.parent.hash.md5
- external: ecs
-- name: process.parent.name
- external: ecs
-- name: process.parent.pid
- external: ecs
-- name: process.pid
- external: ecs
-- name: process.start
- external: ecs
-- name: registry.path
- external: ecs
-- name: related.hash
- external: ecs
-- name: rule.id
- external: ecs
-- name: rule.name
- external: ecs
-- name: tags
- external:
ecs
-- name: threat.indicator.type
- external: ecs
-- name: threat.indicator.url.domain
- external: ecs
-- name: threat.indicator.ip
- external: ecs
-- name: threat.indicator.file.hash.md5
- external: ecs
-- name: threat.indicator.port
- external: ecs
-- name: tls.client.ja3
- external: ecs
-- name: tls.server.ja3s
- external: ecs
diff --git a/packages/carbonblack_edr/docs/README.md b/packages/carbonblack_edr/docs/README.md
index 91830774746..da604b58305 100644
--- a/packages/carbonblack_edr/docs/README.md
+++ b/packages/carbonblack_edr/docs/README.md
@@ -264,88 +264,14 @@ An example event for `log` looks as following:
| data_stream.dataset | Data stream dataset name. | constant_keyword |
| data_stream.namespace | Data stream namespace. | constant_keyword |
| data_stream.type | Data stream type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| error.message | Error message. | match_only_text |
-| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source.
In case the two timestamps are identical, `@timestamp` should be used. | date |
| event.dataset | Event dataset | constant_keyword |
-| event.duration | Duration of the event in nanoseconds. If `event.start` and `event.end` are known this value should be the difference between the end and start time. | long |
-| event.end | `event.end` contains the date when the event ended or when the activity was last observed. | date |
-| event.id | Unique ID to describe the event. | keyword |
-| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword |
| event.module | Event module | constant_keyword |
-| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`.
If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
-| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword |
-| event.start | `event.start` contains the date when the event started or when the activity was first observed. | date |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| file.attributes | Array of file attributes. Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. | keyword |
-| file.code_signature.exists | Boolean to capture if a signature is present.
| boolean |
-| file.code_signature.status | Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. | keyword |
-| file.code_signature.subject_name | Subject name of the code signer | keyword |
-| file.hash.md5 | MD5 hash. | keyword |
-| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword |
-| file.path.text | Multi-field of `file.path`. | match_only_text |
-| file.pe.architecture | CPU architecture target for the file. | keyword |
-| file.size | File size in bytes. Only relevant when `file.type` is "file". | long |
-| host.architecture | Operating system architecture. | keyword |
| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name (FQDN), or a name specified by the user. The recommended value is the lowercase FQDN of the host. | keyword |
| host.os.build | OS build information. | keyword |
| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows).
| keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | match_only_text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. If the OS you're dealing with is not listed as an expected value, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
| input.type | Type of Filebeat input. | keyword |
-| log.file.path | Path to the log file. | keyword |
| log.flags | Flags for the log file. | keyword |
| log.offset | Offset of the entry in the log file. | long |
| log.source.address | Source address from which the log event was read / sent from. | keyword |
-| network.direction | Direction of the network traffic. When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers.
| keyword |
-| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword |
-| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
-| observer.name | Custom name of the observer. This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. If no custom name is needed, the field can be left empty. | keyword |
-| observer.product | The product name of the observer. | keyword |
-| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword |
-| observer.vendor | Vendor name of the observer. | keyword |
-| observer.version | Observer version. | keyword |
-| process.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard |
-| process.command_line.text | Multi-field of `process.command_line`. | match_only_text |
-| process.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword |
-| process.executable | Absolute path to the process executable.
| keyword |
-| process.executable.text | Multi-field of `process.executable`. | match_only_text |
-| process.hash.md5 | MD5 hash. | keyword |
-| process.name | Process name. Sometimes called program name or similar. | keyword |
-| process.name.text | Multi-field of `process.name`. | match_only_text |
-| process.parent.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword |
-| process.parent.hash.md5 | MD5 hash. | keyword |
-| process.parent.name | Process name. Sometimes called program name or similar. | keyword |
-| process.parent.name.text | Multi-field of `process.parent.name`. | match_only_text |
-| process.parent.pid | Process id. | long |
-| process.pid | Process id. | long |
-| process.start | The time the process started. | date |
-| registry.path | Full path, including hive, key and value | keyword |
-| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword |
-| rule.id | A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. | keyword |
-| rule.name | The name of the rule or signature generating the event. | keyword |
-| tags | List of keywords used to tag each event. | keyword |
-| threat.indicator.file.hash.md5 | MD5 hash. | keyword |
-| threat.indicator.ip | Identifies a threat indicator as an IP address (irrespective of direction).
| ip |
-| threat.indicator.port | Identifies a threat indicator as a port number (irrespective of direction). | long |
-| threat.indicator.type | Type of indicator as represented by Cyber Observable in STIX 2.0. | keyword |
-| threat.indicator.url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword |
-| tls.client.ja3 | A hash that identifies clients based on how they perform an SSL/TLS handshake. | keyword |
-| tls.server.ja3s | A hash that identifies servers based on how they perform an SSL/TLS handshake. | keyword |
diff --git a/packages/carbonblack_edr/manifest.yml b/packages/carbonblack_edr/manifest.yml
index 97243c9291e..840d63ed13d 100644
--- a/packages/carbonblack_edr/manifest.yml
+++ b/packages/carbonblack_edr/manifest.yml
@@ -1,13 +1,13 @@
name: carbonblack_edr
title: VMware Carbon Black EDR
-version: "1.17.0"
+version: "1.18.0"
description: Collect logs from VMware Carbon Black EDR with Elastic Agent.
type: integration
format_version: "3.0.3"
categories: [security, edr_xdr]
conditions:
kibana:
- version: ^7.14.0 || ^8.0.0
+ version: "^8.13.0"
policy_templates:
- name: log
title: Carbon Black EDR logs
diff --git a/packages/cel/changelog.yml b/packages/cel/changelog.yml
index 6e834e8c630..8126f0be8ea 100644
--- a/packages/cel/changelog.yml
+++ b/packages/cel/changelog.yml
@@ -1,3 +1,8 @@
+- version: "1.12.0"
+ changes:
+ - description: ECS version updated to 8.11.0. Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/10135
- version: "1.11.0"
changes:
- description: Enable use of Digest Authentication.
diff --git a/packages/cel/fields/input.yml b/packages/cel/fields/input.yml
index 0830dd1e248..3f2775fe36b 100644
--- a/packages/cel/fields/input.yml
+++ b/packages/cel/fields/input.yml
@@ -1,9 +1,5 @@
- name: "@timestamp"
external: ecs
-- name: ecs.version
- external: ecs
-- name: message
- external: ecs
- name: input.name
type: constant_keyword
- name: input.type
@@ -21,8 +17,3 @@
external: ecs
type: constant_keyword
value: cel
-- name: event.dataset
- external: ecs
- type: constant_keyword
-- name: tags
- external: ecs
diff --git a/packages/cel/manifest.yml b/packages/cel/manifest.yml
index 21734a919f7..db203af2bfe 100644
--- a/packages/cel/manifest.yml
+++ b/packages/cel/manifest.yml
@@ -3,12 +3,12 @@ name: cel
title: Custom API using Common Expression Language
description: Collect custom events from an API with Elastic agent
type: input
-version: "1.11.0"
+version: "1.12.0"
categories:
- custom
conditions:
kibana:
- version: "^8.12.0"
+ version: "^8.13.0"
elastic:
subscription: "basic"
policy_templates:
@@ -118,7 +118,7 @@ policy_templates:
secret: true
- name: digest_no_reuse
type: bool
- title: Digest No Challenge Reuse
+ title: Digest No Challenge Reuse
show_user: true
required: false
description: Selecting no challenge reuse prevents the transport from reusing digest challenges
@@ -337,7 +337,6 @@ policy_templates:
show_user: false
description: >
Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
-
- name: tags
type: text
title: Tags
@@ -353,7 +352,6 @@ policy_templates:
show_user: false
description: >
The request tracer logs HTTP requests and responses to the agent's local file-system for debugging configurations. Enabling this request tracing compromises security and should only be used for debugging. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-cel.html#_resource_tracer_filename) for details.
-
owner:
github: elastic/security-service-integrations
type: elastic
diff --git a/packages/cel/sample_event.json b/packages/cel/sample_event.json
index 8e26cb7756f..396bb0d6899 100644
--- a/packages/cel/sample_event.json
+++ b/packages/cel/sample_event.json
@@ -13,7 +13,7 @@
"type": "logs"
},
"ecs": {
- "version": "8.0.0"
+ "version": "8.11.0"
},
"elastic_agent": {
"id": "8c8782fa-cd5b-4ae8-94a0-ee8e3ea9a8df",
diff --git a/packages/cisa_kevs/changelog.yml b/packages/cisa_kevs/changelog.yml
index 8ed89383aff..30952d1b239 100644
--- a/packages/cisa_kevs/changelog.yml
+++ b/packages/cisa_kevs/changelog.yml
@@ -1,4 +1,9 @@
# newer versions go on top
+- version: "1.2.0"
+ changes:
+ - description: Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/10135
- version: "1.1.0"
changes:
- description: Improve handling of empty responses.
@@ -6,7 +11,7 @@
link: https://github.com/elastic/integrations/pull/9974
- version: "1.0.1"
changes:
- - description: Update logo to align w/ Elastic Integrations page, fix description wording
+ - description: Update logo to align w/ Elastic Integrations page, fix description wording
type: bugfix
link: https://github.com/elastic/integrations/pull/9631
- version: "1.0.0"
diff --git a/packages/cisa_kevs/data_stream/vulnerability/fields/ecs.yml b/packages/cisa_kevs/data_stream/vulnerability/fields/ecs.yml
deleted file mode 100644
index c8f59ebea1b..00000000000
--- a/packages/cisa_kevs/data_stream/vulnerability/fields/ecs.yml
+++ /dev/null
@@ -1,24 +0,0 @@
-- external: ecs
- name: ecs.version
-- external: ecs
- name: message
-- external: ecs
- name: error.message
-- external: ecs
- name: tags
-- external: ecs
- name: event.ingested
-- external: ecs
- name: event.kind
-- external: ecs
- name: event.category
-- external: ecs
- name: event.type
-- external: ecs
- name: event.created
-- external: ecs
- name: event.original
-- external: ecs
- name: vulnerability.id
-- external: ecs
- name: vulnerability.description
diff --git a/packages/cisa_kevs/docs/README.md b/packages/cisa_kevs/docs/README.md
index 662f82be7aa..ab11a409701 100644
--- a/packages/cisa_kevs/docs/README.md
+++ b/packages/cisa_kevs/docs/README.md
@@ -125,17 +125,4 @@ An example event for `vulnerability` looks as following: | data_stream.dataset | Data stream dataset. | constant_keyword | | data_stream.namespace | Data stream namespace. | constant_keyword | | data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.message | Error message. | match_only_text | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. 
It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | | input.type | Type of Filebeat input. | keyword | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. 
For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| tags | List of keywords used to tag each event. | keyword | -| vulnerability.description | The description of the vulnerability that provides additional context of the vulnerability. For example (https://cve.mitre.org/about/faqs.html#cve_entry_descriptions_created[Common Vulnerabilities and Exposure CVE description]) | keyword | -| vulnerability.description.text | Multi-field of `vulnerability.description`. | match_only_text | -| vulnerability.id | The identification (ID) is the number portion of a vulnerability entry. It includes a unique identification number for the vulnerability. For example (https://cve.mitre.org/about/faqs.html#what_is_cve_id)[Common Vulnerabilities and Exposure CVE ID] | keyword | diff --git a/packages/cisa_kevs/manifest.yml b/packages/cisa_kevs/manifest.yml index 9d39055e51f..02798ef3db9 100644 --- a/packages/cisa_kevs/manifest.yml +++ b/packages/cisa_kevs/manifest.yml @@ -1,14 +1,14 @@ format_version: 3.0.3 name: cisa_kevs title: "CISA Known Exploited Vulnerabilities" -version: 1.1.0 +version: "1.2.0" description: "This package allows the ingest of known exploited vulnerabilities according to the Cybersecurity and Infrastructure Security Agency of the United States of America. This information could be used to enrich or track exisiting vulnerabilities that are known to be exploited in the wild." type: integration categories: - security conditions: kibana: - version: "^8.11.4" + version: "^8.13.0" elastic: subscription: "basic" screenshots: diff --git a/packages/cisco_duo/changelog.yml b/packages/cisco_duo/changelog.yml index ff303fb2492..f78aa3184a8 100644 --- a/packages/cisco_duo/changelog.yml +++ b/packages/cisco_duo/changelog.yml 
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.24.0"
+ changes:
+ - description: Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/10135
 - version: "1.23.0"
 changes:
 - description: Improve error handling.
diff --git a/packages/cisco_duo/data_stream/admin/fields/agent.yml b/packages/cisco_duo/data_stream/admin/fields/agent.yml
index 215021047d4..f833857d0fe 100644
--- a/packages/cisco_duo/data_stream/admin/fields/agent.yml
+++ b/packages/cisco_duo/data_stream/admin/fields/agent.yml
@@ -5,162 +5,15 @@
 footnote: "Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on."
 type: group
 fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: "The cloud account or organization id used to identify different entities in a multi-tenant environment.\nExamples: AWS account id, Google Cloud ORG Id, or other unique identifier."
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
 - name: image.id
 type: keyword
 description: Image ID for the cloud instance.
-- name: container
- title: Container
- group: 2
- description: "Container fields are used for meta information about the specific container that is the source of information.\nThese fields help correlate data based containers from any runtime."
- type: group
- fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container id.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
 - name: host
 title: Host
 group: 2
 description: "A host is defined as a general computing instance.\nECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes."
 type: group
 fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: "Name of the domain of which the host is a member.\nFor example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider."
- example: CONTOSO
- default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: "Hostname of the host.\nIt normally contains what the `hostname` command returns on the host machine."
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`."
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: "Name of the host.\nIt can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use."
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: "Type of host.\nFor Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment."
 - name: containerized
 type: boolean
 description: >-
diff --git a/packages/cisco_duo/data_stream/admin/fields/ecs.yml b/packages/cisco_duo/data_stream/admin/fields/ecs.yml
deleted file mode 100644
index ee7c0848dbb..00000000000
--- a/packages/cisco_duo/data_stream/admin/fields/ecs.yml
+++ /dev/null
@@ -1,40 +0,0 @@
-- external: ecs
- name: ecs.version
-- external: ecs
- name: event.agent_id_status
-- external: ecs
- name: event.action
-- external: ecs
- name: event.category
-- external: ecs
- name: event.created
-- external: ecs
- name: event.kind
-- external: ecs
- name: event.original
-- external: ecs
- name: event.outcome
-- external: ecs
- name: event.reason
-- external: ecs
- name: event.type
-- external: ecs
- name: message
-- external: ecs
- name: related.user
-- external: ecs
- name: source.as.number
-- external: ecs
- name: source.as.organization.name
-- external: ecs
- name: tags
-- external: ecs
- name: user.changes.email
-- external: ecs
- name: user.changes.name
-- external: ecs
- name: user.email
-- external: ecs
- name: user.name
-- external: ecs
- name: user.target.name
diff --git a/packages/cisco_duo/data_stream/auth/fields/agent.yml b/packages/cisco_duo/data_stream/auth/fields/agent.yml
index 215021047d4..f833857d0fe 100644
--- a/packages/cisco_duo/data_stream/auth/fields/agent.yml
+++ b/packages/cisco_duo/data_stream/auth/fields/agent.yml
@@ -5,162 +5,15 @@
 footnote: "Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on."
 type: group
 fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: "The cloud account or organization id used to identify different entities in a multi-tenant environment.\nExamples: AWS account id, Google Cloud ORG Id, or other unique identifier."
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
 - name: image.id
 type: keyword
 description: Image ID for the cloud instance.
-- name: container
- title: Container
- group: 2
- description: "Container fields are used for meta information about the specific container that is the source of information.\nThese fields help correlate data based containers from any runtime."
- type: group
- fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container id.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
 - name: host
 title: Host
 group: 2
 description: "A host is defined as a general computing instance.\nECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes."
 type: group
 fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: "Name of the domain of which the host is a member.\nFor example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider."
- example: CONTOSO
- default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: "Hostname of the host.\nIt normally contains what the `hostname` command returns on the host machine."
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`."
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: "Name of the host.\nIt can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use."
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: "Type of host.\nFor Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment."
 - name: containerized
 type: boolean
 description: >-
diff --git a/packages/cisco_duo/data_stream/auth/fields/ecs.yml b/packages/cisco_duo/data_stream/auth/fields/ecs.yml
deleted file mode 100644
index 1915d7b7ccc..00000000000
--- a/packages/cisco_duo/data_stream/auth/fields/ecs.yml
+++ /dev/null
@@ -1,72 +0,0 @@
-- external: ecs
- name: ecs.version
-- external: ecs
- name: event.agent_id_status
-- external: ecs
- name: event.category
-- external: ecs
- name: event.created
-- external: ecs
- name: event.kind
-- external: ecs
- name: event.original
-- external: ecs
- name: event.outcome
-- external: ecs
- name: event.reason
-- external: ecs
- name: event.type
-- external: ecs
- name: related.hosts
-- external: ecs
- name: related.ip
-- external: ecs
- name: related.user
-- external: ecs
- name: source.ip
-- external: ecs
- name: source.port
-- external: ecs
- name: source.address
-- external: ecs
- name: source.user.email
-- external: ecs
- name: source.user.id
-- external: ecs
- name: source.user.name
-- external: ecs
- name: source.user.group.name
-- external: ecs
- name: source.as.number
-- external: ecs
- name: source.as.organization.name
-- external: ecs
- name: source.geo.city_name
-- external: ecs
- name: source.geo.continent_name
-- external: ecs
- name: source.geo.country_iso_code
-- external: ecs
- name: source.geo.country_name
-- external: ecs
- name: source.geo.location
-- external: ecs
- name: source.geo.region_iso_code
-- external: ecs
- name: source.geo.region_name
-- external: ecs
- name: tags
-- external: ecs
- name: user.email
-- external: ecs
- name: user.id
-- external: ecs
- name: user.name
-- external: ecs
- name: user_agent.name
-- external: ecs
- name: user_agent.os.name
-- external: ecs
- name: user_agent.os.version
-- external: ecs
- name: user_agent.version
diff --git a/packages/cisco_duo/data_stream/offline_enrollment/fields/agent.yml b/packages/cisco_duo/data_stream/offline_enrollment/fields/agent.yml
index 215021047d4..f833857d0fe 100644
--- a/packages/cisco_duo/data_stream/offline_enrollment/fields/agent.yml
+++ b/packages/cisco_duo/data_stream/offline_enrollment/fields/agent.yml
@@ -5,162 +5,15 @@
 footnote: "Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on."
 type: group
 fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: "The cloud account or organization id used to identify different entities in a multi-tenant environment.\nExamples: AWS account id, Google Cloud ORG Id, or other unique identifier."
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
 - name: image.id
 type: keyword
 description: Image ID for the cloud instance.
-- name: container
- title: Container
- group: 2
- description: "Container fields are used for meta information about the specific container that is the source of information.\nThese fields help correlate data based containers from any runtime."
- type: group
- fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container id.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
 - name: host
 title: Host
 group: 2
 description: "A host is defined as a general computing instance.\nECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes."
 type: group
 fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: "Name of the domain of which the host is a member.\nFor example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider."
- example: CONTOSO
- default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: "Hostname of the host.\nIt normally contains what the `hostname` command returns on the host machine."
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`."
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: "Name of the host.\nIt can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use."
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: "Type of host.\nFor Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment."
 - name: containerized
 type: boolean
 description: >-
diff --git a/packages/cisco_duo/data_stream/offline_enrollment/fields/ecs.yml b/packages/cisco_duo/data_stream/offline_enrollment/fields/ecs.yml
deleted file mode 100644
index 8082727b549..00000000000
--- a/packages/cisco_duo/data_stream/offline_enrollment/fields/ecs.yml
+++ /dev/null
@@ -1,14 +0,0 @@
-- external: ecs
- name: ecs.version
-- external: ecs
- name: event.created
-- external: ecs
- name: event.original
-- external: ecs
- name: related.hosts
-- external: ecs
- name: related.user
-- external: ecs
- name: tags
-- external: ecs
- name: user.name
diff --git a/packages/cisco_duo/data_stream/summary/_dev/test/pipeline/test-summary.log-expected.json b/packages/cisco_duo/data_stream/summary/_dev/test/pipeline/test-summary.log-expected.json
index 20dd9e8fae5..5e8c15d22ea 100644
--- a/packages/cisco_duo/data_stream/summary/_dev/test/pipeline/test-summary.log-expected.json
+++ b/packages/cisco_duo/data_stream/summary/_dev/test/pipeline/test-summary.log-expected.json
@@ -1,7 +1,7 @@
 {
 "expected": [
 {
- "@timestamp": "2024-05-12T22:53:11.467044414Z",
+ "@timestamp": "2024-06-20T03:53:31.527976915Z",
 "cisco_duo": {
 "summary": {
 "admin_count": 6,
@@ -21,7 +21,7 @@
 ]
 },
 {
- "@timestamp": "2024-05-12T22:53:11.467103248Z",
+ "@timestamp": "2024-06-20T03:53:31.527986750Z",
 "cisco_duo": {
 "summary": {
 "admin_count": 3,
diff --git a/packages/cisco_duo/data_stream/summary/fields/agent.yml b/packages/cisco_duo/data_stream/summary/fields/agent.yml
index 215021047d4..f833857d0fe 100644
--- a/packages/cisco_duo/data_stream/summary/fields/agent.yml
+++ b/packages/cisco_duo/data_stream/summary/fields/agent.yml
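Review bot: Both `@timestamp` values in the summary expected fixture move from 2024-05-12 to 2024-06-20 with no accompanying change to the summary pipeline in this commit, which indicates the field is populated from the wall clock at test time; the fixture will therefore churn on every regeneration and the comparison cannot catch a genuine change to that field. If `@timestamp` is indeed set from the ingest clock for this data stream, mark it dynamic in the summary pipeline test config rather than committing the new values, e.g. `dynamic_fields:` followed by `"@timestamp": "^[0-9]{4}-[0-9]{2}-[0-9]{2}T[0-9:.]+Z$"`, so only the format is asserted and the fixture stays stable. The test config file for this data stream is not visible in this chunk, so please confirm whether such an entry already exists before adding one.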
@@ -5,162 +5,15 @@
 footnote: "Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on."
 type: group
 fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: "The cloud account or organization id used to identify different entities in a multi-tenant environment.\nExamples: AWS account id, Google Cloud ORG Id, or other unique identifier."
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
 - name: image.id
 type: keyword
 description: Image ID for the cloud instance.
-- name: container
- title: Container
- group: 2
- description: "Container fields are used for meta information about the specific container that is the source of information.\nThese fields help correlate data based containers from any runtime."
- type: group
- fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container id.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
 - name: host
 title: Host
 group: 2
 description: "A host is defined as a general computing instance.\nECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes."
 type: group
 fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: "Name of the domain of which the host is a member.\nFor example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider."
- example: CONTOSO
- default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: "Hostname of the host.\nIt normally contains what the `hostname` command returns on the host machine."
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`."
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: "Name of the host.\nIt can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use."
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: "Type of host.\nFor Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment."
 - name: containerized
 type: boolean
 description: >-
diff --git a/packages/cisco_duo/data_stream/summary/fields/ecs.yml b/packages/cisco_duo/data_stream/summary/fields/ecs.yml
deleted file mode 100644
index b334910e040..00000000000
--- a/packages/cisco_duo/data_stream/summary/fields/ecs.yml
+++ /dev/null
@@ -1,8 +0,0 @@
-- external: ecs
- name: ecs.version
-- external: ecs
- name: event.created
-- external: ecs
- name: event.original
-- external: ecs
- name: tags
diff --git a/packages/cisco_duo/data_stream/telephony/fields/agent.yml b/packages/cisco_duo/data_stream/telephony/fields/agent.yml
index 215021047d4..f833857d0fe 100644
--- a/packages/cisco_duo/data_stream/telephony/fields/agent.yml
+++ b/packages/cisco_duo/data_stream/telephony/fields/agent.yml
@@ -5,162 +5,15 @@ footnote: "Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on." type: group fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: "The cloud account or organization id used to identify different entities in a multi-tenant environment.\nExamples: AWS account id, Google Cloud ORG Id, or other unique identifier." - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - name: image.id type: keyword description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: "Container fields are used for meta information about the specific container that is the source of information.\nThese fields help correlate data based containers from any runtime." - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. - name: host title: Host group: 2 description: "A host is defined as a general computing instance.\nECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes." type: group fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: "Name of the domain of which the host is a member.\nFor example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider." - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: "Hostname of the host.\nIt normally contains what the `hostname` command returns on the host machine." - - name: id - level: core - type: keyword - ignore_above: 1024 - description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`." 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: "Name of the host.\nIt can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use." - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: "Type of host.\nFor Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment." - name: containerized type: boolean description: >- diff --git a/packages/cisco_duo/data_stream/telephony/fields/ecs.yml b/packages/cisco_duo/data_stream/telephony/fields/ecs.yml deleted file mode 100644 index a24c00497b5..00000000000 --- a/packages/cisco_duo/data_stream/telephony/fields/ecs.yml +++ /dev/null 
@@ -1,10 +0,0 @@
-- external: ecs
- name: ecs.version
-- external: ecs
- name: event.created
-- external: ecs
- name: event.kind
-- external: ecs
- name: event.original
-- external: ecs
- name: tags
diff --git a/packages/cisco_duo/docs/README.md b/packages/cisco_duo/docs/README.md
index fac374627c3..de8bc065feb 100644
--- a/packages/cisco_duo/docs/README.md
+++ b/packages/cisco_duo/docs/README.md
@@ -102,67 +102,17 @@ An example event for `admin` looks as following: | cisco_duo.admin.action_performed_on | The object that was acted on. | keyword | | cisco_duo.admin.flattened | ES flattened datatype for objects where the subfields aren't known in advance. | flattened | | cisco_duo.admin.user.name | The full name of the administrator who performed the action in the Duo Admin Panel. | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | | cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | | data_stream.dataset | Data stream dataset. | constant_keyword | | data_stream.namespace | Data stream namespace. | constant_keyword | | data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. 
| keyword | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.agent_id_status | Agents are normally responsible for populating the `agent.id` field value. If the system receiving events is capable of validating the value based on authentication information for the client then this field can be used to reflect the outcome of that validation. For example if the agent's connection is authenticated with mTLS and the client cert contains the ID of the agent to which the cert was issued then the `agent.id` value in events can be checked against the certificate. If the values match then `event.agent_id_status: verified` is added to the event, otherwise one of the other allowed values should be used. If no validation is performed then the field should be omitted. The allowed values are: `verified` - The `agent.id` field value matches expected value obtained from auth metadata. `mismatch` - The `agent.id` field value does not match the expected value obtained from auth metadata. `missing` - There was no `agent.id` field in the event to validate. `auth_metadata_missing` - There was no auth metadata or it was missing information about the agent ID. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. 
| keyword | -| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date | | event.dataset | Event dataset | constant_keyword | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword | | event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. 
`event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| event.reason | Reason why this event happened, according to the source. This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). | keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| host.architecture | Operating system architecture. | keyword | | host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. 
For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | host.os.build | OS build information. | keyword | | host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | input.type | Input type | keyword | | log.offset | Log offset | long | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| related.user | All the user names or other user identifiers seen on the event. 
| keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| tags | List of keywords used to tag each event. | keyword | -| user.changes.email | User email address. | keyword | -| user.changes.name | Short name or login of the user. | keyword | -| user.changes.name.text | Multi-field of `user.changes.name`. | match_only_text | -| user.email | User email address. | keyword | -| user.name | Short name or login of the user. | keyword | -| user.name.text | Multi-field of `user.name`. | match_only_text | -| user.target.name | Short name or login of the user. | keyword | -| user.target.name.text | Multi-field of `user.target.name`. | match_only_text | ### Authentication 
@@ -360,83 +310,17 @@ An example event for `auth` looks as following: | cisco_duo.auth.result | The result of the authentication attempt. | keyword | | cisco_duo.auth.trusted_endpoint_status | Status of Trusted Endpoint. | keyword | | cisco_duo.auth.txid | The transaction ID of the event. | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | | cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | | data_stream.dataset | Data stream dataset. | constant_keyword | | data_stream.namespace | Data stream namespace. | constant_keyword | | data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.agent_id_status | Agents are normally responsible for populating the `agent.id` field value. 
If the system receiving events is capable of validating the value based on authentication information for the client then this field can be used to reflect the outcome of that validation. For example if the agent's connection is authenticated with mTLS and the client cert contains the ID of the agent to which the cert was issued then the `agent.id` value in events can be checked against the certificate. If the values match then `event.agent_id_status: verified` is added to the event, otherwise one of the other allowed values should be used. If no validation is performed then the field should be omitted. The allowed values are: `verified` - The `agent.id` field value matches expected value obtained from auth metadata. `mismatch` - The `agent.id` field value does not match the expected value obtained from auth metadata. `missing` - There was no `agent.id` field in the event to validate. `auth_metadata_missing` - There was no auth metadata or it was missing information about the agent ID. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. 
This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date | | event.dataset | Event dataset | constant_keyword | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword | | event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. 
Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| event.reason | Reason why this event happened, according to the source. This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). | keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| host.architecture | Operating system architecture. | keyword | | host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. 
Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | host.os.build | OS build information. | keyword | | host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | input.type | Input type | keyword | | log.offset | Log offset | long | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. 
| long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| source.user.email | User email address. | keyword | -| source.user.group.name | Name of the group. | keyword | -| source.user.id | Unique identifier of the user. | keyword | -| source.user.name | Short name or login of the user. | keyword | -| source.user.name.text | Multi-field of `source.user.name`. | match_only_text | -| tags | List of keywords used to tag each event. | keyword | -| user.email | User email address. | keyword | -| user.id | Unique identifier of the user. | keyword | -| user.name | Short name or login of the user. | keyword | -| user.name.text | Multi-field of `user.name`. | match_only_text | -| user_agent.name | Name of the user agent. | keyword | -| user_agent.os.name | Operating system name, without the version. | keyword | -| user_agent.os.name.text | Multi-field of `user_agent.os.name`. | match_only_text | -| user_agent.os.version | Operating system version as a raw string. | keyword | -| user_agent.version | Version of the user agent. | keyword | ### Offline Enrollment 
@@ -523,51 +407,17 @@ An example event for `offline_enrollment` looks as following: | cisco_duo.offline_enrollment.description.user_agent | The Duo Windows Logon application version information and the Windows OS version and platform information. | keyword | | cisco_duo.offline_enrollment.object | The Duo Windows Logon integration's name. | keyword | | cisco_duo.offline_enrollment.user.name | The Duo username | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | | cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | | data_stream.dataset | Data stream dataset. | constant_keyword | | data_stream.namespace | Data stream namespace. | constant_keyword | | data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. 
| keyword | -| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date | | event.dataset | Event dataset | constant_keyword | | event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| host.architecture | Operating system architecture. | keyword | | host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. 
It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | host.os.build | OS build information. | keyword | | host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | input.type | Input type | keyword | | log.offset | Log offset | long | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| tags | List of keywords used to tag each event. | keyword | -| user.name | Short name or login of the user. | keyword | -| user.name.text | Multi-field of `user.name`. | match_only_text | ### Summary 
@@ -635,47 +485,17 @@ An example event for `summary` looks as following: | cisco_duo.summary.integration_count | Current number of integrations in the account. | integer | | cisco_duo.summary.telephony_credits_remaining | Current total number of telephony credits available in the account. This is the sum of all types of telephony credits. | integer | | cisco_duo.summary.user_count | Current number of users in the account. | integer | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | | cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | | data_stream.dataset | Data stream dataset. | constant_keyword | | data_stream.namespace | Data stream namespace. | constant_keyword | | data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. 
| keyword | -| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date | | event.dataset | Event dataset | constant_keyword | | event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| host.architecture | Operating system architecture. | keyword | | host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. 
It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | host.os.build | OS build information. | keyword | | host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | input.type | Input type | keyword | | log.offset | Log offset | long | -| tags | List of keywords used to tag each event. | keyword | ### Telephony 
@@ -744,45 +564,14 @@ An example event for `telephony` looks as following: | cisco_duo.telephony.event_type | How this telephony event was initiated. | keyword | | cisco_duo.telephony.phone_number | The phone number that initiated this event. | keyword | | cisco_duo.telephony.type | This type of telephony Event. | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | | cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | | data_stream.dataset | Data stream dataset. | constant_keyword | | data_stream.namespace | Data stream namespace. | constant_keyword | | data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. 
| keyword | -| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date | | event.dataset | Event dataset | constant_keyword | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword | | event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| host.architecture | Operating system architecture. | keyword | | host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. 
For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | host.os.build | OS build information. | keyword | | host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | input.type | Input type | keyword | | log.offset | Log offset | long | -| tags | List of keywords used to tag each event. | keyword | diff --git a/packages/cisco_duo/manifest.yml b/packages/cisco_duo/manifest.yml index d2f98281134..8d5f297db56 100644 --- a/packages/cisco_duo/manifest.yml +++ b/packages/cisco_duo/manifest.yml 
@@ -1,7 +1,7 @@ format_version: "3.0.2" name: cisco_duo title: Cisco Duo -version: "1.23.0" +version: "1.24.0" description: Collect logs from Cisco Duo with Elastic Agent. type: integration categories: @@ -9,7 +9,7 @@ categories: - iam conditions: kibana: - version: ^8.12.0 + version: "^8.13.0" screenshots: - src: /img/cisco_duo-screenshot.png title: Cisco Duo authentication log dashboard diff --git a/packages/cisco_meraki/changelog.yml b/packages/cisco_meraki/changelog.yml index 49a815c257b..b25e86da52e 100644 --- a/packages/cisco_meraki/changelog.yml +++ b/packages/cisco_meraki/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.23.0" + changes: + - description: Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template. + type: enhancement + link: https://github.com/elastic/integrations/pull/10135 - version: "1.22.0" changes: - description: Retain message for all events. diff --git a/packages/cisco_meraki/data_stream/events/_dev/test/system/test-meraki-https-config.yml b/packages/cisco_meraki/data_stream/events/_dev/test/system/test-meraki-https-config.yml index 062f0400af8..af321ff7ea2 100644 --- a/packages/cisco_meraki/data_stream/events/_dev/test/system/test-meraki-https-config.yml +++ b/packages/cisco_meraki/data_stream/events/_dev/test/system/test-meraki-https-config.yml @@ -61,4 +61,4 @@ data_stream: -----END PRIVATE KEY----- verification_mode: none assert: - hit_count: 2 \ No newline at end of file + hit_count: 2 diff --git a/packages/cisco_meraki/data_stream/events/fields/agent.yml b/packages/cisco_meraki/data_stream/events/fields/agent.yml index 4c4f4b2d93a..b1694c35c8a 100644 --- a/packages/cisco_meraki/data_stream/events/fields/agent.yml +++ b/packages/cisco_meraki/data_stream/events/fields/agent.yml 
@@ -5,152 +5,15 @@ footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' type: group fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - name: image.id type: keyword description: Image ID for the cloud instance. -- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. 
- - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. - name: host title: Host group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' type: group fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). 
- example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - name: containerized type: boolean description: > diff --git a/packages/cisco_meraki/data_stream/events/fields/base-fields.yml b/packages/cisco_meraki/data_stream/events/fields/base-fields.yml index fcbdca9da69..71da0e30206 100644 --- a/packages/cisco_meraki/data_stream/events/fields/base-fields.yml +++ b/packages/cisco_meraki/data_stream/events/fields/base-fields.yml @@ -15,7 +15,3 @@ type: constant_keyword description: Event dataset value: cisco_meraki.events -- name: container.id - description: Unique container id. - ignore_above: 1024 - type: keyword diff --git a/packages/cisco_meraki/data_stream/events/fields/ecs.yml b/packages/cisco_meraki/data_stream/events/fields/ecs.yml index 4a063f496f5..adb0dc85322 100644 --- a/packages/cisco_meraki/data_stream/events/fields/ecs.yml +++ b/packages/cisco_meraki/data_stream/events/fields/ecs.yml 
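Review bot: Dropping the cloud.*, container.* and host.* definitions from this agent.yml (and the identical hunk in packages/cisco_meraki/data_stream/log/fields/agent.yml, plus the near-total removals in both ecs.yml files) is only safe once the ecs@mappings component template is guaranteed to supply those mappings, which for this package means the kibana constraint in packages/cisco_meraki/manifest.yml must be raised to ^8.13.0; the changelog entry claims that, but the manifest hunk is not in this part of the patch, so please confirm it is included and uses the quoted form seen in the cisco_duo manifest, `version: "^8.13.0"`. Without the constraint, a stack below 8.13 would presumably fall back to dynamic mapping for fields such as host.id, host.os.name and cloud.provider, giving them a text type with a .keyword sub-field rather than keyword, which silently breaks existing dashboards and detection rules that filter or aggregate on them. The reflow of the host group description from a two-paragraph quoted scalar to a single line changes rendered documentation only and could be left untouched to keep this mapping-focused diff smaller. The retained `cloud.image.id` and `host.containerized` definitions are non-ECS and correctly stay local.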
@@ -1,248 +1,2 @@ - external: ecs name: '@timestamp' -- external: ecs - name: client.ip -- external: ecs - name: client.mac -- external: ecs - name: client.domain -- external: ecs - name: client.registered_domain -- external: ecs - name: client.subdomain -- external: ecs - name: client.top_level_domain -- external: ecs - name: destination.address -- external: ecs - name: destination.as.number -- external: ecs - name: destination.as.organization.name -- external: ecs - name: destination.bytes -- external: ecs - name: destination.domain -- external: ecs - name: destination.ip -- external: ecs - name: destination.mac -- external: ecs - name: destination.nat.ip -- external: ecs - name: destination.nat.port -- external: ecs - name: destination.port -- external: ecs - name: destination.registered_domain -- external: ecs - name: destination.subdomain -- external: ecs - name: destination.top_level_domain -- external: ecs - name: dns.answers.name -- external: ecs - name: dns.answers.type -- external: ecs - name: dns.question.registered_domain -- external: ecs - name: dns.question.subdomain -- external: ecs - name: dns.question.top_level_domain -- external: ecs - name: dns.question.type -- external: ecs - name: ecs.version -- external: ecs - name: error.message -- external: ecs - name: event.action -- external: ecs - name: event.code -- external: ecs - name: event.ingested -- external: ecs - name: event.original -- external: ecs - name: event.outcome -- external: ecs - name: event.timezone -- external: ecs - name: event.type -- external: ecs - name: event.category -- external: ecs - name: file.attributes -- external: ecs - name: file.directory -- external: ecs - name: file.extension -- external: ecs - name: file.name -- external: ecs - name: file.path -- external: ecs - name: file.size -- external: ecs - name: file.type -- external: ecs - name: group.id -- external: ecs - name: group.name -- external: ecs - name: host.hostname -- external: ecs - name: host.ip -- external: 
ecs - name: host.mac -- external: ecs - name: host.name -- external: ecs - name: http.request.method -- external: ecs - name: http.request.referrer -- external: ecs - name: log.level -- external: ecs - name: log.syslog.facility.code -- external: ecs - name: log.syslog.priority -- external: ecs - name: log.syslog.severity.code -- external: ecs - name: log.file.path -- external: ecs - name: tags -- external: ecs - name: message -- external: ecs - name: network.application -- external: ecs - name: network.bytes -- external: ecs - name: network.direction -- external: ecs - name: network.forwarded_ip -- external: ecs - name: network.packets -- external: ecs - name: network.protocol -- external: ecs - name: observer.egress.interface.name -- external: ecs - name: observer.ingress.interface.name -- external: ecs - name: observer.product -- external: ecs - name: observer.type -- external: ecs - name: observer.vendor -- external: ecs - name: observer.version -- external: ecs - name: observer.mac -- external: ecs - name: observer.name -- external: ecs - name: observer.serial_number -- external: ecs - name: process.name -- external: ecs - name: process.parent.name -- external: ecs - name: process.parent.title -- external: ecs - name: process.pid -- external: ecs - name: process.parent.pid -- external: ecs - name: process.title -- external: ecs - name: related.hosts -- external: ecs - name: related.ip -- external: ecs - name: related.user -- external: ecs - name: rule.name -- external: ecs - name: server.mac -- external: ecs - name: server.domain -- external: ecs - name: server.registered_domain -- external: ecs - name: server.subdomain -- external: ecs - name: server.top_level_domain -- external: ecs - name: service.name -- external: ecs - name: source.address -- external: ecs - name: source.as.number -- external: ecs - name: source.as.organization.name -- external: ecs - name: source.bytes -- external: ecs - name: source.domain -- external: ecs - name: source.ip -- external: 
ecs - name: source.mac -- external: ecs - name: source.nat.ip -- external: ecs - name: source.nat.port -- external: ecs - name: source.port -- external: ecs - name: source.registered_domain -- external: ecs - name: source.subdomain -- external: ecs - name: source.top_level_domain -- external: ecs - name: url.domain -- external: ecs - name: url.original -- external: ecs - name: url.path -- external: ecs - name: url.query -- external: ecs - name: url.registered_domain -- external: ecs - name: url.top_level_domain -- external: ecs - name: user.domain -- external: ecs - name: user.full_name -- external: ecs - name: user.id -- external: ecs - name: user.name -- external: ecs - name: user_agent.original -- external: ecs - name: observer.hostname -- external: ecs - name: network.vlan.id -- external: ecs - name: threat.software.type -- external: ecs - name: threat.indicator.last_seen -- external: ecs - name: threat.indicator.description -- external: ecs - name: threat.indicator.reference -- external: ecs - name: threat.indicator.file.name -- external: ecs - name: threat.indicator.file.hash.sha256 -- external: ecs - name: organization.id -- external: ecs - name: organization.name -- external: ecs - name: network.name diff --git a/packages/cisco_meraki/data_stream/log/_dev/test/system/test-udp-config.yml b/packages/cisco_meraki/data_stream/log/_dev/test/system/test-udp-config.yml index e7918a6aa12..10b4cafe498 100644 --- a/packages/cisco_meraki/data_stream/log/_dev/test/system/test-udp-config.yml +++ b/packages/cisco_meraki/data_stream/log/_dev/test/system/test-udp-config.yml 
@@ -6,8 +6,8 @@ data_stream: listen_address: 0.0.0.0 listen_port: 8685 preserve_original_event: true -# Do not assert hit count for this input. Locally, the constraint is -# satisfied, but on CI, apparently the UDP input drops too many (>0) -# messages. -# assert: -# hit_count: 204 \ No newline at end of file + # Do not assert hit count for this input. Locally, the constraint is + # satisfied, but on CI, apparently the UDP input drops too many (>0) + # messages. + # assert: + # hit_count: 204 diff --git a/packages/cisco_meraki/data_stream/log/fields/agent.yml b/packages/cisco_meraki/data_stream/log/fields/agent.yml index 4c4f4b2d93a..b1694c35c8a 100644 --- a/packages/cisco_meraki/data_stream/log/fields/agent.yml +++ b/packages/cisco_meraki/data_stream/log/fields/agent.yml 
@@ -5,152 +5,15 @@ footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' type: group fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - name: image.id type: keyword description: Image ID for the cloud instance. -- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. 
- - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. - name: host title: Host group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' type: group fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). 
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Type of host.
-
- For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
 - name: containerized
 type: boolean
 description: >
diff --git a/packages/cisco_meraki/data_stream/log/fields/base-fields.yml b/packages/cisco_meraki/data_stream/log/fields/base-fields.yml
index 79eddd5d6c2..57cd7d544ae 100644
--- a/packages/cisco_meraki/data_stream/log/fields/base-fields.yml
+++ b/packages/cisco_meraki/data_stream/log/fields/base-fields.yml
@@ -15,7 +15,3 @@
 type: constant_keyword
 description: Event dataset
 value: cisco_meraki.log
-- name: container.id
- description: Unique container id.
- ignore_above: 1024
- type: keyword
diff --git a/packages/cisco_meraki/data_stream/log/fields/ecs.yml b/packages/cisco_meraki/data_stream/log/fields/ecs.yml
index c44c63e7226..adb0dc85322 100644
--- a/packages/cisco_meraki/data_stream/log/fields/ecs.yml
+++ b/packages/cisco_meraki/data_stream/log/fields/ecs.yml
@@ -1,298 +1,2 @@
 - external: ecs
 name: '@timestamp'
-- external: ecs
- name: client.as.number
-- external: ecs
- name: client.as.organization.name
-- external: ecs
- name: client.ip
-- external: ecs
- name: client.mac
-- external: ecs
- name: client.domain
-- external: ecs
- name: client.registered_domain
-- external: ecs
- name: client.subdomain
-- external: ecs
- name: client.top_level_domain
-- external: ecs
- name: destination.address
-- external: ecs
- name: destination.as.number
-- external: ecs
- name: destination.as.organization.name
-- external: ecs
- name: destination.bytes
-- external: ecs
- name: destination.domain
-- external: ecs
- name: destination.geo.city_name
-- external: ecs
- name: destination.geo.country_name
-- external: ecs
- name: destination.geo.location
-- external: ecs
- name: destination.ip
-- external: ecs
- name: destination.mac
-- external: ecs
- name: destination.nat.ip
-- external: ecs
- name: destination.nat.port
-- external: ecs
- name: destination.port
-- external: ecs
- name: destination.registered_domain
-- external: ecs
- name: destination.subdomain
-- external: ecs
- name: destination.top_level_domain
-- external: ecs
- name: dns.answers.name
-- external: ecs
- name: dns.answers.type
-- external: ecs
- name: dns.question.registered_domain
-- external: ecs
- name: dns.question.subdomain
-- external: ecs
- name: dns.question.top_level_domain
-- external: ecs
- name: dns.question.type
-- external: ecs
- name: ecs.version
-- external: ecs
- name: error.message
-- external: ecs
- name: event.action
-- external: ecs
- name: event.code
-- external: ecs
- name: event.ingested
-- external: ecs
- name: event.original
-- external: ecs
- name: event.outcome
-- external: ecs
- name: event.timezone
-- external: ecs
- name: event.category
-- external: ecs
- name: event.type
-- external: ecs
- name: file.attributes
-- external: ecs
- name: file.directory
-- external: ecs
- name: file.extension
-- external: ecs
- name: file.hash.sha256
-- external: ecs
- name: file.name
-- external: ecs
- name: file.path
-- external: ecs
- name: file.size
-- external: ecs
- name: file.type
-- external: ecs
- name: group.id
-- external: ecs
- name: group.name
-- external: ecs
- name: host.hostname
-- external: ecs
- name: host.ip
-- external: ecs
- name: host.mac
-- external: ecs
- name: host.name
-- external: ecs
- name: http.request.method
-- external: ecs
- name: http.request.referrer
-- external: ecs
- name: log.level
-- external: ecs
- name: log.syslog.facility.code
-- external: ecs
- name: log.syslog.priority
-- external: ecs
- name: log.syslog.severity.code
-- external: ecs
- name: log.file.path
-- external: ecs
- name: tags
-- external: ecs
- name: message
-- external: ecs
- name: network.application
-- external: ecs
- name: network.bytes
-- external: ecs
- name: network.direction
-- external: ecs
- name: network.forwarded_ip
-- external: ecs
- name: network.name
-- external: ecs
- name: network.packets
-- external: ecs
- name: network.protocol
-- external: ecs
- name: observer.egress.interface.name
-- external: ecs
- name: observer.ingress.interface.name
-- external: ecs
- name: observer.ingress.vlan.id
-- external: ecs
- name: observer.product
-- external: ecs
- name: observer.type
-- external: ecs
- name: observer.vendor
-- external: ecs
- name: observer.version
-- external: ecs
- name: observer.mac
-- external: ecs
- name: process.name
-- external: ecs
- name: process.parent.name
-- external: ecs
- name: process.parent.title
-- external: ecs
- name: process.pid
-- external: ecs
- name: process.parent.pid
-- external: ecs
- name: process.title
-- external: ecs
- name: related.hosts
-- external: ecs
- name: related.ip
-- external: ecs
- name: related.user
-- external: ecs
- name: rule.name
-- external: ecs
- name: server.mac
-- external: ecs
- name: server.ip
-- external: ecs
- name: server.domain
-- external: ecs
- name: server.registered_domain
-- external: ecs
- name: server.subdomain
-- external: ecs
- name: server.top_level_domain
-- external: ecs
- name: service.name
-- external: ecs
- name: source.address
-- external: ecs
- name: source.as.number
-- external: ecs
- name: source.as.organization.name
-- external: ecs
- name: source.bytes
-- external: ecs
- name: source.domain
-- external: ecs
- name: source.geo.city_name
-- external: ecs
- name: source.geo.country_name
-- external: ecs
- name: source.geo.location
-- external: ecs
- name: source.ip
-- external: ecs
- name: source.mac
-- external: ecs
- name: source.nat.ip
-- external: ecs
- name: source.nat.port
-- external: ecs
- name: source.port
-- external: ecs
- name: source.registered_domain
-- external: ecs
- name: source.subdomain
-- external: ecs
- name: source.top_level_domain
-- external: ecs
- name: url.extension
-- external: ecs
- name: url.domain
-- external: ecs
- name: url.original
-- external: ecs
- name: url.path
-- external: ecs
- name: url.query
-- external: ecs
- name: url.registered_domain
-- external: ecs
- name: url.scheme
-- external: ecs
- name: url.subdomain
-- external: ecs
- name: url.top_level_domain
-- external: ecs
- name: user.domain
-- external: ecs
- name: user.full_name
-- external: ecs
- name: user.id
-- external: ecs
- name: user.name
-- external: ecs
- name: user_agent.original
-- external: ecs
- name: user_agent.device.name
-- external: ecs
- name: user_agent.name
-- external: ecs
- name: user_agent.version
-- external: ecs
- name: user_agent.os.name
-- external: ecs
- name: user_agent.os.version
-- external: ecs
- name: user_agent.os.full
-- external: ecs
- name: observer.hostname
-- external: ecs
- name: destination.geo.continent_name
-- external: ecs
- name: destination.geo.country_iso_code
-- external: ecs
- name: destination.geo.region_iso_code
-- external: ecs
- name: destination.geo.region_name
-- external: ecs
- name: source.geo.continent_name
-- external: ecs
- name: source.geo.country_iso_code
-- external: ecs
- name: source.geo.region_iso_code
-- external: ecs
- name: source.geo.region_name
-- external: ecs
- name: network.vlan.id
-- external: ecs
- name: client.geo.city_name
-- external: ecs
- name: client.geo.continent_name
-- external: ecs
- name: client.geo.country_iso_code
-- external: ecs
- name: client.geo.country_name
-- external: ecs
- name: client.geo.location
-- external: ecs
- name: client.geo.region_iso_code
-- external: ecs
- name: client.geo.region_name
diff --git a/packages/cisco_meraki/docs/README.md b/packages/cisco_meraki/docs/README.md
index 7c09dbd5e47..22457755d29 100644
--- a/packages/cisco_meraki/docs/README.md
+++ b/packages/cisco_meraki/docs/README.md
@@ -115,202 +115,18 @@ The `cisco_meraki.log` dataset provides events from the configured syslog server | cisco_meraki.vap | | keyword | | cisco_meraki.wpa_auth | | flattened | | cisco_meraki.wpa_deauth | | flattened | -| client.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| client.as.organization.name | Organization name. | keyword | -| client.as.organization.name.text | Multi-field of `client.as.organization.name`. | match_only_text | -| client.domain | The domain name of the client system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| client.geo.city_name | City name. | keyword | -| client.geo.continent_name | Name of the continent. | keyword | -| client.geo.country_iso_code | Country ISO code. | keyword | -| client.geo.country_name | Country name. | keyword | -| client.geo.location | Longitude and latitude. | geo_point | -| client.geo.region_iso_code | Region ISO code. | keyword | -| client.geo.region_name | Region name. | keyword | -| client.ip | IP address of the client (IPv4 or IPv6). | ip | -| client.mac | MAC address of the client. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | -| client.registered_domain | The highest registered client domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". 
| keyword | -| client.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | -| client.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | | cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. 
| keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | | data_stream.dataset | Data stream dataset. | constant_keyword | | data_stream.namespace | Data stream namespace. | constant_keyword | | data_stream.type | Data stream type. | constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| destination.as.organization.name | Organization name. | keyword | -| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | -| destination.bytes | Bytes sent from the destination to the source. | long | -| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| destination.geo.city_name | City name. | keyword | -| destination.geo.continent_name | Name of the continent. | keyword | -| destination.geo.country_iso_code | Country ISO code. | keyword | -| destination.geo.country_name | Country name. | keyword | -| destination.geo.location | Longitude and latitude. | geo_point | -| destination.geo.region_iso_code | Region ISO code. | keyword | -| destination.geo.region_name | Region name. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.mac | MAC address of the destination. 
The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | -| destination.nat.ip | Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip | -| destination.nat.port | Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers. | long | -| destination.port | Port of the destination. | long | -| destination.registered_domain | The highest registered destination domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| destination.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | -| destination.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). 
Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| dns.answers.name | The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. | keyword | -| dns.answers.type | The type of data contained in this resource record. | keyword | -| dns.question.registered_domain | The highest registered domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| dns.question.subdomain | The subdomain is all of the labels under the registered_domain. If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | -| dns.question.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| dns.question.type | The type of record being queried. | keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.message | Error message. 
| match_only_text | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword | | event.dataset | Event dataset | constant_keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | | event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. 
If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| file.attributes | Array of file attributes. Attributes names will vary by platform. 
Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. | keyword | -| file.directory | Directory where the file is located. It should include the drive letter, when appropriate. | keyword | -| file.extension | File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | -| file.hash.sha256 | SHA256 hash. | keyword | -| file.name | Name of the file including the extension, without the directory. | keyword | -| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword | -| file.path.text | Multi-field of `file.path`. | match_only_text | -| file.size | File size in bytes. Only relevant when `file.type` is "file". | long | -| file.type | File type (file, dir, or symlink). | keyword | -| group.id | Unique identifier for the group on the system/platform. | keyword | -| group.name | Name of the group. | keyword | -| host.architecture | Operating system architecture. | keyword | | host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host MAC addresses. 
The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | -| host.name | Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name (FQDN), or a name specified by the user. The recommended value is the lowercase FQDN of the host. | keyword | | host.os.build | OS build information. | keyword | | host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword | -| http.request.referrer | Referrer for this HTTP request. | keyword | | input.type | Input type. | keyword | -| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | -| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. 
If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | | log.offset | Offset of the entry in the log file. | long | | log.source.address | Source address from which the log event was read / sent from. | keyword | -| log.syslog.facility.code | The Syslog numeric facility of the log event, if available. According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. | long | -| log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 \* facility + severity. This number is therefore expected to contain a value between 0 and 191. | long | -| log.syslog.severity.code | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. | long | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| network.application | When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. The field value must be normalized to lowercase for querying. | keyword | -| network.bytes | Total bytes transferred in both directions. 
If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | -| network.direction | Direction of the network traffic. When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | -| network.name | Name given by operators to sections of their network. | keyword | -| network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| network.vlan.id | VLAN ID as reported by the observer. | keyword | -| observer.egress.interface.name | Interface name as reported by the system. | keyword | -| observer.hostname | Hostname of the observer. | keyword | -| observer.ingress.interface.name | Interface name as reported by the system. | keyword | -| observer.ingress.vlan.id | VLAN ID as reported by the observer. | keyword | -| observer.mac | MAC addresses of the observer. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. 
Successive octets are separated by a hyphen. | keyword | -| observer.product | The product name of the observer. | keyword | -| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword | -| observer.vendor | Vendor name of the observer. | keyword | -| observer.version | Observer version. | keyword | -| process.name | Process name. Sometimes called program name or similar. | keyword | -| process.name.text | Multi-field of `process.name`. | match_only_text | -| process.parent.name | Process name. Sometimes called program name or similar. | keyword | -| process.parent.name.text | Multi-field of `process.parent.name`. | match_only_text | -| process.parent.pid | Process id. | long | -| process.parent.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword | -| process.parent.title.text | Multi-field of `process.parent.title`. | match_only_text | -| process.pid | Process id. | long | -| process.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword | -| process.title.text | Multi-field of `process.title`. | match_only_text | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| rule.name | The name of the rule or signature generating the event. | keyword | -| server.domain | The domain name of the server system. 
This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
-| server.ip | IP address of the server (IPv4 or IPv6). | ip |
-| server.mac | MAC address of the server. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
-| server.registered_domain | The highest registered server domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
-| server.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword |
-| server.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
-| service.name | Name of the service data is collected from. The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. | keyword |
-| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| source.as.organization.name | Organization name. | keyword |
-| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text |
-| source.bytes | Bytes sent from the source to the destination. | long |
-| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
-| source.geo.city_name | City name. | keyword |
-| source.geo.continent_name | Name of the continent. | keyword |
-| source.geo.country_iso_code | Country ISO code. | keyword |
-| source.geo.country_name | Country name. | keyword |
-| source.geo.location | Longitude and latitude. | geo_point |
-| source.geo.region_iso_code | Region ISO code. | keyword |
-| source.geo.region_name | Region name. | keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.mac | MAC address of the source. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
-| source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip |
-| source.nat.port | Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers. | long |
-| source.port | Port of the source. | long |
-| source.registered_domain | The highest registered source domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
-| source.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword |
-| source.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
-| tags | List of keywords used to tag each event. | keyword |
-| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword |
-| url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword |
-| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard |
-| url.original.text | Multi-field of `url.original`. | match_only_text |
-| url.path | Path of the request, such as "/search". | wildcard |
-| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword |
-| url.registered_domain | The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
-| url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword |
-| url.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword |
-| url.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
-| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
-| user.full_name | User's full name, if available. | keyword |
-| user.full_name.text | Multi-field of `user.full_name`. | match_only_text |
-| user.id | Unique identifier of the user. | keyword |
-| user.name | Short name or login of the user. | keyword |
-| user.name.text | Multi-field of `user.name`. | match_only_text |
-| user_agent.device.name | Name of the device. | keyword |
-| user_agent.name | Name of the user agent. | keyword |
-| user_agent.original | Unparsed user_agent string. | keyword |
-| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text |
-| user_agent.os.full | Operating system name, including the version or code name. | keyword |
-| user_agent.os.full.text | Multi-field of `user_agent.os.full`. | match_only_text |
-| user_agent.os.name | Operating system name, without the version. | keyword |
-| user_agent.os.name.text | Multi-field of `user_agent.os.name`. | match_only_text |
-| user_agent.os.version | Operating system version as a raw string. | keyword |
-| user_agent.version | Version of the user agent. | keyword |
 An example event for `log` looks as following:
@@ -435,175 +251,18 @@ An example event for `log` looks as following: | cisco_meraki.event.sentAt | Timestamp of the sent message (UTC) | date | | cisco_meraki.event.sharedSecret | User defined secret to be validated by the webhook receiver (optional) | keyword | | cisco_meraki.event.version | Current version of webhook format | keyword | -| client.domain | The domain name of the client system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| client.ip | IP address of the client (IPv4 or IPv6). | ip | -| client.mac | MAC address of the client. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | -| client.registered_domain | The highest registered client domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| client.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. 
| keyword | -| client.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | | cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | | data_stream.dataset | Data stream dataset. | constant_keyword | | data_stream.namespace | Data stream namespace. | constant_keyword | | data_stream.type | Data stream type. | constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. 
| keyword | -| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| destination.as.organization.name | Organization name. | keyword | -| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | -| destination.bytes | Bytes sent from the destination to the source. | long | -| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.mac | MAC address of the destination. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | -| destination.nat.ip | Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip | -| destination.nat.port | Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers. | long | -| destination.port | Port of the destination. | long | -| destination.registered_domain | The highest registered destination domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". 
| keyword | -| destination.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | -| destination.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| dns.answers.name | The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. | keyword | -| dns.answers.type | The type of data contained in this resource record. | keyword | -| dns.question.registered_domain | The highest registered domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| dns.question.subdomain | The subdomain is all of the labels under the registered_domain. 
If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | -| dns.question.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| dns.question.type | The type of record being queried. | keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.message | Error message. | match_only_text | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. 
An example of this is the Windows Event ID. | keyword | | event.dataset | Event dataset | constant_keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | | event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. 
| keyword | -| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| file.attributes | Array of file attributes. Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. | keyword | -| file.directory | Directory where the file is located. It should include the drive letter, when appropriate. | keyword | -| file.extension | File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | -| file.name | Name of the file including the extension, without the directory. | keyword | -| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword | -| file.path.text | Multi-field of `file.path`. | match_only_text | -| file.size | File size in bytes. Only relevant when `file.type` is "file". | long | -| file.type | File type (file, dir, or symlink). | keyword | -| group.id | Unique identifier for the group on the system/platform. | keyword | -| group.name | Name of the group. 
| keyword | -| host.architecture | Operating system architecture. | keyword | | host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | -| host.name | Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name (FQDN), or a name specified by the user. The recommended value is the lowercase FQDN of the host. | keyword | | host.os.build | OS build information. | keyword | | host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. 
If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword | -| http.request.referrer | Referrer for this HTTP request. | keyword | | input.type | Input type. | keyword | -| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | -| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | | log.offset | Offset of the entry in the log file. | long | | log.source.address | Source address from which the log event was read / sent from. | keyword | -| log.syslog.facility.code | The Syslog numeric facility of the log event, if available. According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. | long | -| log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 \* facility + severity. This number is therefore expected to contain a value between 0 and 191. | long | -| log.syslog.severity.code | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. 
| long | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| network.application | When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. The field value must be normalized to lowercase for querying. | keyword | -| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | -| network.direction | Direction of the network traffic. When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | -| network.name | Name given by operators to sections of their network. | keyword | -| network.packets | Total packets transferred in both directions. 
If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| network.vlan.id | VLAN ID as reported by the observer. | keyword | -| observer.egress.interface.name | Interface name as reported by the system. | keyword | -| observer.hostname | Hostname of the observer. | keyword | -| observer.ingress.interface.name | Interface name as reported by the system. | keyword | -| observer.mac | MAC addresses of the observer. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | -| observer.name | Custom name of the observer. This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. If no custom name is needed, the field can be left empty. | keyword | -| observer.product | The product name of the observer. | keyword | -| observer.serial_number | Observer serial number. | keyword | -| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword | -| observer.vendor | Vendor name of the observer. | keyword | -| observer.version | Observer version. | keyword | -| organization.id | Unique identifier for the organization. | keyword | -| organization.name | Organization name. | keyword | -| organization.name.text | Multi-field of `organization.name`. | match_only_text | -| process.name | Process name. Sometimes called program name or similar. | keyword | -| process.name.text | Multi-field of `process.name`. 
| match_only_text | -| process.parent.name | Process name. Sometimes called program name or similar. | keyword | -| process.parent.name.text | Multi-field of `process.parent.name`. | match_only_text | -| process.parent.pid | Process id. | long | -| process.parent.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword | -| process.parent.title.text | Multi-field of `process.parent.title`. | match_only_text | -| process.pid | Process id. | long | -| process.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword | -| process.title.text | Multi-field of `process.title`. | match_only_text | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| rule.name | The name of the rule or signature generating the event. | keyword | -| server.domain | The domain name of the server system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| server.mac | MAC address of the server. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | -| server.registered_domain | The highest registered server domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". 
This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| server.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | -| server.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| service.name | Name of the service data is collected from. The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. | keyword | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. 
| keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.mac | MAC address of the source. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | -| source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip | -| source.nat.port | Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers. | long | -| source.port | Port of the source. | long | -| source.registered_domain | The highest registered source domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| source.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. 
In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword |
-| source.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
-| tags | List of keywords used to tag each event. | keyword |
-| threat.indicator.description | Describes the type of action conducted by the threat. | keyword |
-| threat.indicator.file.hash.sha256 | SHA256 hash. | keyword |
-| threat.indicator.file.name | Name of the file including the extension, without the directory. | keyword |
-| threat.indicator.last_seen | The date and time when intelligence source last reported sighting this indicator. | date |
-| threat.indicator.reference | Reference URL linking to additional information about this indicator. | keyword |
-| threat.software.type | The type of software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software type. | keyword |
-| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field.
| keyword |
-| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard |
-| url.original.text | Multi-field of `url.original`. | match_only_text |
-| url.path | Path of the request, such as "/search". | wildcard |
-| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword |
-| url.registered_domain | The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
-| url.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
-| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
-| user.full_name | User's full name, if available. | keyword |
-| user.full_name.text | Multi-field of `user.full_name`. | match_only_text |
-| user.id | Unique identifier of the user.
| keyword |
-| user.name | Short name or login of the user. | keyword |
-| user.name.text | Multi-field of `user.name`. | match_only_text |
-| user_agent.original | Unparsed user_agent string. | keyword |
-| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text |
 An example event for `events` looks as following:
diff --git a/packages/cisco_meraki/manifest.yml b/packages/cisco_meraki/manifest.yml
index 49c669263b4..a90408378f1 100644
--- a/packages/cisco_meraki/manifest.yml
+++ b/packages/cisco_meraki/manifest.yml
@@ -1,7 +1,7 @@
 format_version: "3.0.2"
 name: cisco_meraki
 title: Cisco Meraki
-version: "1.22.0"
+version: "1.23.0"
 description: Collect logs from Cisco Meraki with Elastic Agent.
 type: integration
 categories:
@@ -9,7 +9,7 @@ categories:
 - security
 conditions:
 kibana:
- version: ^8.12.0
+ version: "^8.13.0"
 screenshots:
 - src: /img/cisco-meraki-dashboard-1.png
 title: Cisco Meraki Dashboard
diff --git a/packages/cisco_secure_endpoint/changelog.yml b/packages/cisco_secure_endpoint/changelog.yml
index 417fbf5c7cf..82640b62fd2 100644
--- a/packages/cisco_secure_endpoint/changelog.yml
+++ b/packages/cisco_secure_endpoint/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "2.26.0"
+ changes:
+ - description: Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/10135
 - version: "2.25.0"
 changes:
 - description: Set sensitive values as secret.
diff --git a/packages/cisco_secure_endpoint/data_stream/event/fields/agent.yml b/packages/cisco_secure_endpoint/data_stream/event/fields/agent.yml
index 9dfc8d1aebc..2bc58530bac 100644
--- a/packages/cisco_secure_endpoint/data_stream/event/fields/agent.yml
+++ b/packages/cisco_secure_endpoint/data_stream/event/fields/agent.yml
@@ -5,175 +5,15 @@
 footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
 type: group
 fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
-
- Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
 - name: image.id
 type: keyword
 description: Image ID for the cloud instance.
-- name: container
- title: Container
- group: 2
- description: 'Container fields are used for meta information about the specific container that is the source of information.
-
- These fields help correlate data based containers from any runtime.'
- type: group
- fields:
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
 - name: host
 title: Host
 group: 2
- description: 'A host is defined as a general computing instance.
-
- ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
+ description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
 type: group
 fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'Name of the domain of which the host is a member.
-
- For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
- example: CONTOSO
- default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host.
-
- It normally contains what the `hostname` command returns on the host machine.'
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Unique host id.
-
- As hostname is not always unique, use values that are meaningful in your environment.
-
- Example: The current usage of `beat.name`.'
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host.
-
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Type of host.
-
- For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
 - name: containerized
 type: boolean
 description: >
diff --git a/packages/cisco_secure_endpoint/data_stream/event/fields/base-fields.yml b/packages/cisco_secure_endpoint/data_stream/event/fields/base-fields.yml
index 351ac771303..7e2ae7c8427 100644
--- a/packages/cisco_secure_endpoint/data_stream/event/fields/base-fields.yml
+++ b/packages/cisco_secure_endpoint/data_stream/event/fields/base-fields.yml
@@ -18,10 +18,6 @@
 type: constant_keyword
 description: Event dataset
 value: cisco_secure_endpoint.event
-- name: container.id
- description: Unique container id.
- ignore_above: 1024
- type: keyword
 - name: input.type
 description: Type of Filebeat input.
 type: keyword
diff --git a/packages/cisco_secure_endpoint/data_stream/event/fields/ecs.yml b/packages/cisco_secure_endpoint/data_stream/event/fields/ecs.yml
deleted file mode 100644
index c8c2722750d..00000000000
--- a/packages/cisco_secure_endpoint/data_stream/event/fields/ecs.yml
+++ /dev/null
@@ -1,118 +0,0 @@
-- external: ecs
- name: ecs.version
-- external: ecs
- name: error.code
-- external: ecs
- name: error.message
-- external: ecs
- name: event.action
-- external: ecs
- name: event.created
-- external: ecs
- name: event.code
-- external: ecs
- name: event.ingested
-- name: event.kind
- external: ecs
-- external: ecs
- name: event.original
-- external: ecs
- name: event.outcome
-- external: ecs
- name: event.severity
-- name: event.start
- external: ecs
-- external: ecs
- name: event.category
-- external: ecs
- name: event.id
-- external: ecs
- name: event.timezone
-- external: ecs
- name: group.id
-- name: related.ip
- external: ecs
-- name: related.user
- external: ecs
-- external: ecs
- name: user.name
-- external: ecs
- name: user.domain
-- external: ecs
- name: user.email
-- name: related.hosts
- external: ecs
-- name: related.hash
- external: ecs
-- name: process.args
- external: ecs
-- name: process.args_count
- external: ecs
-- name: process.command_line
- external: ecs
-- name: process.executable
- external: ecs
-- name: process.name
- external: ecs
-- name: process.pid
- external: ecs
-- name: process.hash.md5
- external: ecs
-- name: process.hash.sha1
- external: ecs
-- name: process.hash.sha256
- external: ecs
-- name: file.hash.md5
- external: ecs
-- name: file.hash.sha1
- external: ecs
-- name: file.hash.sha256
- external: ecs
-- name: file.name
- external: ecs
-- name: file.path
- external: ecs
-- external: ecs
- name: destination.address
-- external: ecs
- name: destination.as.number
-- external: ecs
- name: destination.as.organization.name
-- external: ecs
- name: destination.domain
-- external: ecs
- name: destination.geo.continent_name
-- external: ecs
- name: destination.geo.country_iso_code
-- external: ecs
- name: destination.geo.city_name
-- external: ecs
- name: destination.geo.country_name
-- external: ecs
- name: destination.geo.location
-- external: ecs
- name: destination.ip
-- external: ecs
- name: destination.port
-
external: ecs
- name: network.direction
-- external: ecs
- name: network.transport
-- external: ecs
- name: source.ip
-- external: ecs
- name: source.port
-- external: ecs
- name: tags
-- external: ecs
- name: threat.tactic.id
-- external: ecs
- name: threat.tactic.reference
-- external: ecs
- name: threat.tactic.name
-- external: ecs
- name: threat.technique.id
-- external: ecs
- name: threat.technique.name
-- external: ecs
- name: threat.technique.reference
diff --git a/packages/cisco_secure_endpoint/docs/README.md b/packages/cisco_secure_endpoint/docs/README.md
index 63309531812..cd5420b08a2 100644
--- a/packages/cisco_secure_endpoint/docs/README.md
+++ b/packages/cisco_secure_endpoint/docs/README.md
@@ -186,106 +186,14 @@ An example event for `event` looks as following:
 | cisco.secure_endpoint.threat_hunting.techniques | List of all MITRE techniques related to the incident found. | flattened |
 | cisco.secure_endpoint.timestamp_nanoseconds | The timestamp in Epoch nanoseconds. | date |
 | cisco.secure_endpoint.vulnerabilities | An array of related vulnerabilities to the malicious event. | flattened |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
 | cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
 | data_stream.dataset | Data stream dataset. | constant_keyword |
 | data_stream.namespace | Data stream namespace. | constant_keyword |
 | data_stream.type | Data stream type. | constant_keyword |
-| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
| keyword |
-| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| destination.as.organization.name | Organization name. | keyword |
-| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text |
-| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
-| destination.geo.city_name | City name. | keyword |
-| destination.geo.continent_name | Name of the continent. | keyword |
-| destination.geo.country_iso_code | Country ISO code. | keyword |
-| destination.geo.country_name | Country name. | keyword |
-| destination.geo.location | Longitude and latitude. | geo_point |
-| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
-| destination.port | Port of the destination. | long |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| error.code | Error code describing the error. | keyword |
-| error.message | Error message. | match_only_text |
-| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories.
For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword |
-| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date |
 | event.dataset | Event dataset | constant_keyword |
-| event.id | Unique ID to describe the event. | keyword |
-| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy.
`event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword |
 | event.module | Event module | constant_keyword |
-| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
-| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword |
-| event.severity | The numeric severity of the event according to your event source.
What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. | long |
-| event.start | `event.start` contains the date when the event started or when the activity was first observed. | date |
-| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword |
-| file.hash.md5 | MD5 hash. | keyword |
-| file.hash.sha1 | SHA1 hash. | keyword |
-| file.hash.sha256 | SHA256 hash. | keyword |
-| file.name | Name of the file including the extension, without the directory. | keyword |
-| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword |
-| file.path.text | Multi-field of `file.path`. | match_only_text |
-| group.id | Unique identifier for the group on the system/platform. | keyword |
-| host.architecture | Operating system architecture. | keyword |
 | host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id.
As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
 | host.os.build | OS build information. | keyword |
 | host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
 | input.type | Type of Filebeat input. | keyword |
-| network.direction | Direction of the network traffic. When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers.
| keyword |
-| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
-| process.args | Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information. | keyword |
-| process.args_count | Length of the process.args array. This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. | long |
-| process.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard |
-| process.command_line.text | Multi-field of `process.command_line`. | match_only_text |
-| process.executable | Absolute path to the process executable. | keyword |
-| process.executable.text | Multi-field of `process.executable`. | match_only_text |
-| process.hash.md5 | MD5 hash. | keyword |
-| process.hash.sha1 | SHA1 hash. | keyword |
-| process.hash.sha256 | SHA256 hash. | keyword |
-| process.name | Process name. Sometimes called program name or similar. | keyword |
-| process.name.text | Multi-field of `process.name`. | match_only_text |
-| process.pid | Process id. | long |
-| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword |
-| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| related.user | All the user names or other user identifiers seen on the event.
| keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.port | Port of the source. | long |
-| tags | List of keywords used to tag each event. | keyword |
-| threat.tactic.id | The id of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ ) | keyword |
-| threat.tactic.name | Name of the type of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/) | keyword |
-| threat.tactic.reference | The reference url of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ ) | keyword |
-| threat.technique.id | The id of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) | keyword |
-| threat.technique.name | The name of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) | keyword |
-| threat.technique.name.text | Multi-field of `threat.technique.name`. | match_only_text |
-| threat.technique.reference | The reference url of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) | keyword |
-| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
-| user.email | User email address. | keyword |
-| user.name | Short name or login of the user. | keyword |
-| user.name.text | Multi-field of `user.name`. | match_only_text |
diff --git a/packages/cisco_secure_endpoint/manifest.yml b/packages/cisco_secure_endpoint/manifest.yml
index 01c4358f0cc..210f5d59c51 100644
--- a/packages/cisco_secure_endpoint/manifest.yml
+++ b/packages/cisco_secure_endpoint/manifest.yml
@@ -1,7 +1,7 @@
 format_version: "3.0.2"
 name: cisco_secure_endpoint
 title: Cisco Secure Endpoint
-version: "2.25.0"
+version: "2.26.0"
 description: Collect logs from Cisco Secure Endpoint (AMP) with Elastic Agent.
 type: integration
 categories:
@@ -9,7 +9,7 @@ categories:
 - edr_xdr
 conditions:
 kibana:
- version: "^8.12.0"
+ version: "^8.13.0"
 icons:
 - src: /img/cisco.svg
 title: cisco
diff --git a/packages/cisco_umbrella/changelog.yml b/packages/cisco_umbrella/changelog.yml
index 330dc3bb1d1..2a1c95e0a65 100644
--- a/packages/cisco_umbrella/changelog.yml
+++ b/packages/cisco_umbrella/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.25.0"
+ changes:
+ - description: Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/10135
 - version: "1.24.1"
 changes:
 - description: Fix sample event.
diff --git a/packages/cisco_umbrella/data_stream/log/fields/agent.yml b/packages/cisco_umbrella/data_stream/log/fields/agent.yml
index 4d783629033..5e2d593b99e 100644
--- a/packages/cisco_umbrella/data_stream/log/fields/agent.yml
+++ b/packages/cisco_umbrella/data_stream/log/fields/agent.yml
@@ -5,152 +5,15 @@ footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' type: group fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - name: image.id type: keyword description: Image ID for the cloud instance. -- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. 
- - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. - name: host title: Host group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' type: group fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). 
- example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - name: containerized type: boolean description: > diff --git a/packages/cisco_umbrella/data_stream/log/fields/base-fields.yml b/packages/cisco_umbrella/data_stream/log/fields/base-fields.yml index f3954559722..a15d8394c19 100644 --- a/packages/cisco_umbrella/data_stream/log/fields/base-fields.yml +++ b/packages/cisco_umbrella/data_stream/log/fields/base-fields.yml @@ -15,10 +15,6 @@ type: constant_keyword description: Event dataset value: cisco_umbrella.log -- name: container.id - description: Unique container id. - ignore_above: 1024 - type: keyword - name: input.type description: Type of Filebeat input. type: keyword diff --git a/packages/cisco_umbrella/data_stream/log/fields/ecs.yml b/packages/cisco_umbrella/data_stream/log/fields/ecs.yml index c2418fff333..44a60c5bd96 100644 --- a/packages/cisco_umbrella/data_stream/log/fields/ecs.yml +++ b/packages/cisco_umbrella/data_stream/log/fields/ecs.yml 
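Review bot: Nothing left in `agent.yml` records why the `cloud` and `host` groups now declare only `image.id` and `containerized`, so a later maintainer may re-add `host.ip`, `host.os.name` or `source.geo.location` as plain keywords, and an operator who overrides the data stream's index template may not realize the `ip`, `geo_point` and `.text` multi-field mappings for every other `host.*`/`cloud.*` field now come solely from the `ecs@mappings` component template (which the `^8.13.0` Kibana constraint bump elsewhere in this change appears to rely on). A one-line header comment would make that contract explicit, e.g. `# ECS fields are deliberately not declared here: they are mapped by the ecs@mappings component template (Kibana ^8.13.0). Only non-ECS fields belong in this file.` The `host` group description rewrap to a single line is cosmetic and fine. The final `containerized` entry ends on a folded `description: >` whose text continues past the hunk, so its body is not fully visible here.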
@@ -1,218 +1,2 @@ - external: ecs name: "@timestamp" -- external: ecs - name: client.domain -- external: ecs - name: client.registered_domain -- external: ecs - name: client.subdomain -- external: ecs - name: client.top_level_domain -- external: ecs - name: destination.address -- external: ecs - name: destination.as.number -- external: ecs - name: destination.as.organization.name -- external: ecs - name: destination.bytes -- external: ecs - name: destination.domain -- external: ecs - name: destination.geo.city_name -- external: ecs - name: destination.geo.country_name -- external: ecs - name: destination.geo.continent_name -- external: ecs - name: destination.geo.region_iso_code -- external: ecs - name: destination.geo.region_name -- external: ecs - name: destination.geo.country_iso_code -- external: ecs - name: destination.geo.location -- external: ecs - name: destination.ip -- external: ecs - name: destination.mac -- external: ecs - name: destination.nat.ip -- external: ecs - name: destination.nat.port -- external: ecs - name: destination.port -- external: ecs - name: dns.response_code -- external: ecs - name: dns.question.type -- external: ecs - name: dns.type -- external: ecs - name: dns.question.name -- external: ecs - name: dns.question.registered_domain -- external: ecs - name: dns.question.subdomain -- external: ecs - name: dns.question.top_level_domain -- external: ecs - name: ecs.version -- external: ecs - name: error.message -- external: ecs - name: event.action -- external: ecs - name: event.code -- external: ecs - name: event.ingested -- external: ecs - name: event.original -- external: ecs - name: event.outcome -- external: ecs - name: event.timezone -- external: ecs - name: file.name -- external: ecs - name: file.mime_type -- external: ecs - name: file.size -- external: ecs - name: file.hash.sha256 -- external: ecs - name: host.hostname -- external: ecs - name: host.ip -- external: ecs - name: host.mac -- external: ecs - name: host.name -- external: 
ecs - name: http.request.method -- external: ecs - name: http.request.mime_type -- external: ecs - name: http.request.referrer -- external: ecs - name: http.request.bytes -- external: ecs - name: http.response.status_code -- external: ecs - name: http.response.body.bytes -- external: ecs - name: http.response.bytes -- external: ecs - name: message -- external: ecs - name: network.application -- external: ecs - name: network.transport -- external: ecs - name: network.direction -- external: ecs - name: network.community_id -- external: ecs - name: network.name -- external: ecs - name: network.protocol -- external: ecs - name: observer.product -- external: ecs - name: observer.type -- external: ecs - name: observer.vendor -- external: ecs - name: related.hosts -- external: ecs - name: related.ip -- external: ecs - name: related.user -- external: ecs - name: related.hash -- external: ecs - name: source.address -- external: ecs - name: source.as.number -- external: ecs - name: source.as.organization.name -- external: ecs - name: source.bytes -- external: ecs - name: source.domain -- external: ecs - name: source.geo.city_name -- external: ecs - name: source.geo.country_name -- external: ecs - name: source.geo.continent_name -- external: ecs - name: source.geo.country_iso_code -- external: ecs - name: source.geo.location -- external: ecs - name: source.geo.region_iso_code -- external: ecs - name: source.geo.region_name -- external: ecs - name: source.ip -- external: ecs - name: source.mac -- external: ecs - name: source.nat.ip -- external: ecs - name: source.nat.port -- external: ecs - name: source.port -- external: ecs - name: source.registered_domain -- external: ecs - name: source.subdomain -- external: ecs - name: source.top_level_domain -- external: ecs - name: tags -- external: ecs - name: url.domain -- external: ecs - name: url.original -- external: ecs - name: url.path -- external: ecs - name: url.query -- external: ecs - name: url.extension -- external: ecs - 
name: url.scheme -- external: ecs - name: url.full -- external: ecs - name: user.domain -- external: ecs - name: user.full_name -- external: ecs - name: user.id -- external: ecs - name: user.name -- external: ecs - name: user.email -- external: ecs - name: user_agent.device.name -- external: ecs - name: user_agent.name -- external: ecs - name: user_agent.os.full -- external: ecs - name: user_agent.os.name -- external: ecs - name: user_agent.os.version -- external: ecs - name: user_agent.version -- external: ecs - name: user_agent.original -- external: ecs - name: rule.id -- external: ecs - name: rule.name -- external: ecs - name: log.file.path diff --git a/packages/cisco_umbrella/docs/README.md b/packages/cisco_umbrella/docs/README.md index 11f5de9a4a4..dfeebcdf629 100644 --- a/packages/cisco_umbrella/docs/README.md +++ b/packages/cisco_umbrella/docs/README.md 
@@ -177,153 +177,14 @@ An example event for `log` looks as following: | cisco.umbrella.sid | Used to uniquely identify signatures. | keyword | | cisco.umbrella.signature_list_id | Unique ID assigned to a Default or Custom Signature List. | keyword | | cisco.umbrella.warn_status | The warn page state associated with the request. | keyword | -| client.domain | The domain name of the client system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| client.registered_domain | The highest registered client domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| client.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | -| client.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". 
| keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | | cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | | data_stream.dataset | Data stream dataset. | constant_keyword | | data_stream.namespace | Data stream namespace. | constant_keyword | | data_stream.type | Data stream type. | constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| destination.as.organization.name | Organization name. | keyword | -| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | -| destination.bytes | Bytes sent from the destination to the source. 
| long | -| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| destination.geo.city_name | City name. | keyword | -| destination.geo.continent_name | Name of the continent. | keyword | -| destination.geo.country_iso_code | Country ISO code. | keyword | -| destination.geo.country_name | Country name. | keyword | -| destination.geo.location | Longitude and latitude. | geo_point | -| destination.geo.region_iso_code | Region ISO code. | keyword | -| destination.geo.region_name | Region name. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.mac | MAC address of the destination. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | -| destination.nat.ip | Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip | -| destination.nat.port | Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers. | long | -| destination.port | Port of the destination. | long | -| dns.question.name | The name being queried. If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. | keyword | -| dns.question.registered_domain | The highest registered domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". 
This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| dns.question.subdomain | The subdomain is all of the labels under the registered_domain. If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | -| dns.question.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| dns.question.type | The type of record being queried. | keyword | -| dns.response_code | The DNS response code. | keyword | -| dns.type | The type of DNS event captured, query or answer. If your source of DNS events only gives you DNS queries, you should only create dns events of type `dns.type:query`. If your source of DNS events gives you answers as well, you should create one event per query (optionally as soon as the query is seen). And a second event containing all query details as well as an array of answers. | keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.message | Error message. | match_only_text | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. 
Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword | | event.dataset | Event dataset | constant_keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | | event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. 
Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword | -| file.hash.sha256 | SHA256 hash. | keyword | -| file.mime_type | MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used. | keyword | -| file.name | Name of the file including the extension, without the directory. | keyword | -| file.size | File size in bytes. Only relevant when `file.type` is "file". | long | -| host.architecture | Operating system architecture. | keyword | | host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. 
| keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | -| host.name | Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name (FQDN), or a name specified by the user. The recommended value is the lowercase FQDN of the host. | keyword | | host.os.build | OS build information. | keyword | | host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| http.request.bytes | Total size in bytes of the request (body and headers). | long | -| http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword | -| http.request.mime_type | Mime type of the body of the request. This value must only be populated based on the content of the request body, not on the `Content-Type` header. Comparing the mime type of a request with the request's Content-Type header can be helpful in detecting threats or misconfigured clients. 
| keyword | -| http.request.referrer | Referrer for this HTTP request. | keyword | -| http.response.body.bytes | Size in bytes of the response body. | long | -| http.response.bytes | Total size in bytes of the response (body and headers). | long | -| http.response.status_code | HTTP response status code. | long | | input.type | Type of Filebeat input. | keyword | -| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | | log.offset | | long | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| network.application | When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. The field value must be normalized to lowercase for querying. | keyword | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.direction | Direction of the network traffic. When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". 
When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.name | Name given by operators to sections of their network. | keyword | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| observer.product | The product name of the observer. | keyword | -| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword | -| observer.vendor | Vendor name of the observer. | keyword | -| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| related.user | All the user names or other user identifiers seen on the event. 
| keyword | -| rule.id | A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. | keyword | -| rule.name | The name of the rule or signature generating the event. | keyword | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.mac | MAC address of the source. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. 
| keyword | -| source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip | -| source.nat.port | Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers. | long | -| source.port | Port of the source. | long | -| source.registered_domain | The highest registered source domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| source.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | -| source.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| tags | List of keywords used to tag each event. | keyword | -| url.domain | Domain of the url, such as "www.elastic.co". 
In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | -| url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | -| url.full | If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. | wildcard | -| url.full.text | Multi-field of `url.full`. | match_only_text | -| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | -| url.original.text | Multi-field of `url.original`. | match_only_text | -| url.path | Path of the request, such as "/search". | wildcard | -| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword | -| url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword | -| user.domain | Name of the directory the user is a member of. 
For example, an LDAP or Active Directory domain name. | keyword | -| user.email | User email address. | keyword | -| user.full_name | User's full name, if available. | keyword | -| user.full_name.text | Multi-field of `user.full_name`. | match_only_text | -| user.id | Unique identifier of the user. | keyword | -| user.name | Short name or login of the user. | keyword | -| user.name.text | Multi-field of `user.name`. | match_only_text | -| user_agent.device.name | Name of the device. | keyword | -| user_agent.name | Name of the user agent. | keyword | -| user_agent.original | Unparsed user_agent string. | keyword | -| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text | -| user_agent.os.full | Operating system name, including the version or code name. | keyword | -| user_agent.os.full.text | Multi-field of `user_agent.os.full`. | match_only_text | -| user_agent.os.name | Operating system name, without the version. | keyword | -| user_agent.os.name.text | Multi-field of `user_agent.os.name`. | match_only_text | -| user_agent.os.version | Operating system version as a raw string. | keyword | -| user_agent.version | Version of the user agent. | keyword | diff --git a/packages/cisco_umbrella/manifest.yml b/packages/cisco_umbrella/manifest.yml index d58aa633c5c..6edf48486d1 100644 --- a/packages/cisco_umbrella/manifest.yml +++ b/packages/cisco_umbrella/manifest.yml @@ -1,7 +1,7 @@ format_version: "3.0.2" name: cisco_umbrella title: Cisco Umbrella -version: "1.24.1" +version: "1.25.0" description: Collect logs from Cisco Umbrella with Elastic Agent. type: integration categories: @@ -10,7 +10,7 @@ categories: - dns_security conditions: kibana: - version: "^8.12.0" + version: "^8.13.0" icons: - src: /img/cisco.svg title: cisco diff --git a/packages/cloudflare/changelog.yml b/packages/cloudflare/changelog.yml index 90778ddaba4..09cc681fc01 100644 --- a/packages/cloudflare/changelog.yml +++ b/packages/cloudflare/changelog.yml 
@@ -1,4 +1,9 @@ # newer versions go on top +- version: "2.27.0" + changes: + - description: Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template. + type: enhancement + link: https://github.com/elastic/integrations/pull/10135 - version: "2.26.0" changes: - description: Improve handling of empty responses.
diff --git a/packages/cloudflare/data_stream/audit/fields/agent.yml b/packages/cloudflare/data_stream/audit/fields/agent.yml
index bca66ea4ae0..4b15225a4d4 100644
--- a/packages/cloudflare/data_stream/audit/fields/agent.yml
+++ b/packages/cloudflare/data_stream/audit/fields/agent.yml
@@ -1,56 +1,6 @@ -- name: cloud.account.id - external: ecs -- name: cloud.availability_zone - external: ecs -- name: cloud.instance.id - external: ecs -- name: cloud.instance.name - external: ecs -- name: cloud.machine.type - external: ecs -- name: cloud.provider - external: ecs -- name: cloud.region - external: ecs -- name: cloud.project.id - external: ecs - name: cloud.image.id type: keyword description: Image ID for the cloud instance. -- name: container.id - external: ecs -- name: container.image.name - external: ecs -- name: container.labels - external: ecs -- name: container.name - external: ecs -- name: host.architecture - external: ecs -- name: host.domain - external: ecs -- name: host.hostname - external: ecs -- name: host.id - external: ecs -- name: host.ip - external: ecs -- name: host.mac - external: ecs -- name: host.name - external: ecs -- name: host.os.family - external: ecs -- name: host.os.kernel - external: ecs -- name: host.os.name - external: ecs -- name: host.os.platform - external: ecs -- name: host.os.version - external: ecs -- name: host.type - external: ecs - name: host.containerized type: boolean description: If the host is a container.
diff --git a/packages/cloudflare/data_stream/audit/fields/beats.yml b/packages/cloudflare/data_stream/audit/fields/beats.yml
index cb44bb29442..96190255552 100644
--- a/packages/cloudflare/data_stream/audit/fields/beats.yml
+++ b/packages/cloudflare/data_stream/audit/fields/beats.yml
@@ -7,6 +7,3 @@ - name: log.offset type: long description: Offset of the entry in the log file. -- name: log.file.path - type: keyword - description: Path to the log file.
diff --git a/packages/cloudflare/data_stream/audit/fields/ecs.yml b/packages/cloudflare/data_stream/audit/fields/ecs.yml
deleted file mode 100644
index 2753c4e415e..00000000000
--- a/packages/cloudflare/data_stream/audit/fields/ecs.yml
+++ /dev/null
@@ -1,50 +0,0 @@ -- name: ecs.version - external: ecs -- name: error.message - external: ecs -- name: event.action - external: ecs -- name: event.id - external: ecs -- name: event.ingested - external: ecs -- name: event.created - external: ecs -- name: event.original - external: ecs -- name: event.outcome - external: ecs -- name: related.ip - external: ecs -- name: related.user - external: ecs -- name: source.address - external: ecs -- name: source.as.number - external: ecs -- name: source.as.organization.name - external: ecs -- name: source.geo.city_name - external: ecs -- name: source.geo.continent_name - external: ecs -- name: source.geo.country_iso_code - external: ecs -- name: source.geo.country_name - external: ecs -- name: source.geo.location - external: ecs -- name: source.geo.name - external: ecs -- name: source.geo.region_iso_code - external: ecs -- name: source.geo.region_name - external: ecs -- name: source.ip - external: ecs -- name: tags - external: ecs -- name: user.email - external: ecs -- name: user.id - external: ecs
diff --git a/packages/cloudflare/data_stream/logpull/fields/agent.yml b/packages/cloudflare/data_stream/logpull/fields/agent.yml
index 4d9a6f7b362..bc42d0a853b 100644
--- a/packages/cloudflare/data_stream/logpull/fields/agent.yml
+++ b/packages/cloudflare/data_stream/logpull/fields/agent.yml 
@@ -1,100 +1,9 @@ - name: host title: Host group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' type: group fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. 
The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - name: containerized type: boolean description: >
diff --git a/packages/cloudflare/data_stream/logpull/fields/beats.yml b/packages/cloudflare/data_stream/logpull/fields/beats.yml
index cb44bb29442..96190255552 100644
--- a/packages/cloudflare/data_stream/logpull/fields/beats.yml
+++ b/packages/cloudflare/data_stream/logpull/fields/beats.yml
@@ -7,6 +7,3 @@ - name: log.offset type: long description: Offset of the entry in the log file. -- name: log.file.path - type: keyword - description: Path to the log file.
diff --git a/packages/cloudflare/data_stream/logpull/fields/ecs.yml b/packages/cloudflare/data_stream/logpull/fields/ecs.yml
deleted file mode 100644
index 84dce957ea0..00000000000
--- a/packages/cloudflare/data_stream/logpull/fields/ecs.yml
+++ /dev/null
@@ -1,222 +0,0 @@ -- name: client.as.number - external: ecs -- name: client.as.organization.name - external: ecs -- name: client.domain - external: ecs -- name: client.geo.city_name - external: ecs -- name: client.geo.country_name - external: ecs -- name: client.geo.country_iso_code - external: ecs -- name: client.geo.continent_name - external: ecs -- name: client.geo.region_iso_code - external: ecs -- name: client.geo.location - external: ecs -- name: client.geo.region_name - external: ecs -- name: client.ip - external: ecs -- name: client.address - external: ecs -- name: client.bytes - external: ecs -- name: client.port - external: ecs -- name: destination.bytes - external: ecs -- name: destination.as.number - external: ecs -- name: destination.as.organization.name - external: ecs -- name: destination.geo.city_name - external: ecs -- name: destination.geo.continent_name - external: ecs -- name: destination.geo.country_iso_code - external: ecs -- name: destination.geo.country_name - external: ecs -- name: destination.geo.location - external: ecs -- name: destination.geo.name - external: ecs -- name: destination.geo.region_iso_code - external: ecs -- name: destination.geo.region_name - external: ecs -- name: destination.ip - external: ecs -- name: destination.address - external: ecs -- name: ecs.version - external: ecs -- name: error.message - external: ecs -- name: event.action - external: ecs -- name: event.category - external: ecs -- name: event.id - external: ecs -- name: event.ingested - external: ecs -- name: event.created - external: ecs -- name: event.start - external: ecs -- name: event.end - external: ecs -- name: event.kind - external: ecs -- name: event.duration - external: ecs -- name: event.original - external: ecs -- name: event.outcome - external: ecs -- name: event.type - external: ecs -- name: message - external: ecs -- name: related.ip - external: ecs -- name: related.user - external: ecs -- name: source.address - external: ecs -- name: 
source.as.number - external: ecs -- name: source.as.organization.name - external: ecs -- name: source.bytes - external: ecs -- name: source.domain - external: ecs -- name: source.geo.city_name - external: ecs -- name: source.geo.continent_name - external: ecs -- name: source.geo.country_iso_code - external: ecs -- name: source.geo.country_name - external: ecs -- name: source.geo.location - external: ecs -- name: source.geo.name - external: ecs -- name: source.geo.region_iso_code - external: ecs -- name: source.geo.region_name - external: ecs -- name: source.ip - external: ecs -- name: source.port - external: ecs -- name: source.user.id - external: ecs -- name: source.user.full_name - external: ecs -- name: user_agent.device.name - external: ecs -- name: user_agent.name - external: ecs -- name: user_agent.original - external: ecs -- name: user_agent.os.name - external: ecs -- name: user_agent.os.version - external: ecs -- name: user_agent.os.full - external: ecs -- name: user_agent.version - external: ecs -- name: tags - external: ecs -- name: user.domain - external: ecs -- name: user.email - external: ecs -- name: user.id - external: ecs -- name: user.name - external: ecs -- name: user.full_name - external: ecs -- name: url.domain - external: ecs -- name: url.original - external: ecs -- name: url.password - external: ecs -- name: url.port - external: ecs -- name: url.username - external: ecs -- name: url.path - external: ecs -- name: url.query - external: ecs -- name: url.extension - external: ecs -- name: url.scheme - external: ecs -- name: url.full - external: ecs -- name: tls.cipher - external: ecs -- name: tls.version - external: ecs -- name: tls.version_protocol - external: ecs -- name: network.bytes - external: ecs -- name: network.protocol - external: ecs -- name: network.transport - external: ecs -- name: http.response.status_code - external: ecs -- name: http.request.body.bytes - external: ecs -- name: http.response.body.bytes - external: ecs -- name: 
http.request.method - external: ecs -- name: http.request.referrer - external: ecs -- name: http.version - external: ecs -- name: http.request.bytes - external: ecs -- name: http.response.bytes - external: ecs -- name: observer.type - external: ecs -- name: observer.vendor - external: ecs -- name: observer.geo.city_name - external: ecs -- name: observer.geo.continent_name - external: ecs -- name: observer.geo.country_iso_code - external: ecs -- name: observer.geo.country_name - external: ecs -- name: observer.geo.region_iso_code - external: ecs -- name: observer.geo.location - external: ecs -- name: observer.geo.region_name - external: ecs -- name: observer.ip - external: ecs -- name: server.address - external: ecs -- name: server.bytes - external: ecs -- name: server.ip - external: ecs
diff --git a/packages/cloudflare/docs/README.md b/packages/cloudflare/docs/README.md
index 49f81e22fa2..f30e25c925a 100644
--- a/packages/cloudflare/docs/README.md
+++ b/packages/cloudflare/docs/README.md
@@ -66,15 +66,7 @@ Audit logs summarize the history of changes made within your Cloudflare account.
 | Field | Description | Type |
 |---|---|---|
 | @timestamp | Event timestamp. | date |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword |
 | cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host, resource, or service is located. | keyword |
 | cloudflare.audit.actor.type | The type of actor, whether a User, Cloudflare Admin, or an Automated System. Valid values: user, admin, Cloudflare. | keyword |
 | cloudflare.audit.metadata | An object which can lend more context to the action being logged. This is a flexible value and varies between different actions. | flattened |
 | cloudflare.audit.new_value | The new value of the resource that was modified | flattened |
@@ -82,62 +74,17 @@ Audit logs summarize the history of changes made within your Cloudflare account.
 | cloudflare.audit.owner.id | User identifier tag | keyword |
 | cloudflare.audit.resource.id | An identifier for the resource that was affected by the action | keyword |
 | cloudflare.audit.resource.type | A short string that describes the resource that was affected by the action | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
 | data_stream.dataset | Data stream dataset name. | constant_keyword |
 | data_stream.namespace | Data stream namespace. | constant_keyword |
 | data_stream.type | Data stream type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| error.message | Error message. | match_only_text |
-| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
-| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source.
In case the two timestamps are identical, `@timestamp` should be used. | date |
 | event.dataset | Event dataset | constant_keyword |
-| event.id | Unique ID to describe the event. | keyword |
-| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
 | event.module | Event module | constant_keyword |
-| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
-| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome.
For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword |
-| host.architecture | Operating system architecture. | keyword |
 | host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
-| host.name | Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name (FQDN), or a name specified by the user. The recommended value is the lowercase FQDN of the host. | keyword |
 | host.os.build | OS build information. | keyword |
 | host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | match_only_text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string.
| keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
 | input.type | Type of Filebeat input. | keyword |
-| log.file.path | Path to the log file. | keyword |
 | log.flags | Flags for the log file. | keyword |
 | log.offset | Offset of the entry in the log file. | long |
-| related.ip | All of the IPs seen on your event. | ip |
-| related.user | All the user names or other user identifiers seen on the event. | keyword |
-| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| source.as.organization.name | Organization name. | keyword |
-| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text |
-| source.geo.city_name | City name. | keyword |
-| source.geo.continent_name | Name of the continent. | keyword |
-| source.geo.country_iso_code | Country ISO code. | keyword |
-| source.geo.country_name | Country name. | keyword |
-| source.geo.location | Longitude and latitude. | geo_point |
-| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
-| source.geo.region_iso_code | Region ISO code. | keyword |
-| source.geo.region_name | Region name. | keyword |
-| source.ip | IP address of the source (IPv4 or IPv6).
| ip |
-| tags | List of keywords used to tag each event. | keyword |
-| user.email | User email address. | keyword |
-| user.id | Unique identifier of the user. | keyword |
 An example event for `audit` looks as following:
@@ -239,21 +186,6 @@ These logs contain data related to the connecting client, the request path throu
 | Field | Description | Type |
 |---|---|---|
 | @timestamp | Event timestamp. | date |
-| client.address | Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| client.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| client.as.organization.name | Organization name. | keyword |
-| client.as.organization.name.text | Multi-field of `client.as.organization.name`. | match_only_text |
-| client.bytes | Bytes sent from the client to the server. | long |
-| client.domain | The domain name of the client system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
-| client.geo.city_name | City name. | keyword |
-| client.geo.continent_name | Name of the continent. | keyword |
-| client.geo.country_iso_code | Country ISO code. | keyword |
-| client.geo.country_name | Country name. | keyword |
-| client.geo.location | Longitude and latitude. | geo_point |
-| client.geo.region_iso_code | Region ISO code. | keyword |
-| client.geo.region_name | Region name. | keyword |
-| client.ip | IP address of the client (IPv4 or IPv6). | ip |
-| client.port | Port of the client. | long |
 | cloudflare.bot.score.src | Detection engine responsible for generating the Bot Score. Possible values are Not Computed, Heuristics, Machine Learning, Behavioral Analysis, Verified Bot, JS Fingerprinting, Cloudflare Service. | text |
 | cloudflare.bot.score.value | Cloudflare Bot Score. Scores below 30 are commonly associated with automated traffic.
| long |
 | cloudflare.cache.bytes | Number of bytes returned by the cache | long |
@@ -302,136 +234,14 @@ These logs contain data related to the connecting client, the request path throu
 | data_stream.dataset | Data stream dataset name. | constant_keyword |
 | data_stream.namespace | Data stream namespace. | constant_keyword |
 | data_stream.type | Data stream type. | constant_keyword |
-| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| destination.as.organization.name | Organization name. | keyword |
-| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text |
-| destination.bytes | Bytes sent from the destination to the source. | long |
-| destination.geo.city_name | City name. | keyword |
-| destination.geo.continent_name | Name of the continent. | keyword |
-| destination.geo.country_iso_code | Country ISO code. | keyword |
-| destination.geo.country_name | Country name. | keyword |
-| destination.geo.location | Longitude and latitude. | geo_point |
-| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
-| destination.geo.region_iso_code | Region ISO code. | keyword |
-| destination.geo.region_name | Region name. | keyword |
-| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| error.message | Error message. | match_only_text |
-| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date |
 | event.dataset | Event dataset | constant_keyword |
-| event.duration | Duration of the event in nanoseconds. If `event.start` and `event.end` are known this value should be the difference between the end and start time. | long |
-| event.end | `event.end` contains the date when the event ended or when the activity was last observed.
| date |
-| event.id | Unique ID to describe the event. | keyword |
-| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword |
 | event.module | Event module | constant_keyword |
-| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
-| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event.
Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword |
-| event.start | `event.start` contains the date when the event started or when the activity was first observed. | date |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| host.architecture | Operating system architecture. | keyword |
 | host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses.
| keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | host.os.build | OS build information. | keyword | | host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| http.request.body.bytes | Size in bytes of the request body. | long | -| http.request.bytes | Total size in bytes of the request (body and headers). | long | -| http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword | -| http.request.referrer | Referrer for this HTTP request. | keyword | -| http.response.body.bytes | Size in bytes of the response body. | long | -| http.response.bytes | Total size in bytes of the response (body and headers). | long | -| http.response.status_code | HTTP response status code. | long | -| http.version | HTTP version. | keyword | | input.type | Type of Filebeat input. | keyword | -| log.file.path | Path to the log file. | keyword | | log.flags | Flags for the log file. | keyword | | log.offset | Offset of the entry in the log file. 
| long | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| observer.geo.city_name | City name. | keyword | -| observer.geo.continent_name | Name of the continent. | keyword | -| observer.geo.country_iso_code | Country ISO code. | keyword | -| observer.geo.country_name | Country name. | keyword | -| observer.geo.location | Longitude and latitude. | geo_point | -| observer.geo.region_iso_code | Region ISO code. | keyword | -| observer.geo.region_name | Region name. | keyword | -| observer.ip | IP addresses of the observer. | ip | -| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword | -| observer.vendor | Vendor name of the observer. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| server.address | Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. 
You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| server.bytes | Bytes sent from the server to the client. | long | -| server.ip | IP address of the server (IPv4 or IPv6). | ip | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). 
| ip | -| source.port | Port of the source. | long | -| source.user.full_name | User's full name, if available. | keyword | -| source.user.full_name.text | Multi-field of `source.user.full_name`. | match_only_text | -| source.user.id | Unique identifier of the user. | keyword | -| tags | List of keywords used to tag each event. | keyword | -| tls.cipher | String indicating the cipher used during the current connection. | keyword | -| tls.version | Numeric part of the version parsed from the original string. | keyword | -| tls.version_protocol | Normalized lowercase protocol name parsed from original string. | keyword | -| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | -| url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | -| url.full | If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. | wildcard | -| url.full.text | Multi-field of `url.full`. | match_only_text | -| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. 
| wildcard | -| url.original.text | Multi-field of `url.original`. | match_only_text | -| url.password | Password of the request. | keyword | -| url.path | Path of the request, such as "/search". | wildcard | -| url.port | Port of the request, such as 443. | long | -| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword | -| url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword | -| url.username | Username of the request. | keyword | -| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | -| user.email | User email address. | keyword | -| user.full_name | User's full name, if available. | keyword | -| user.full_name.text | Multi-field of `user.full_name`. | match_only_text | -| user.id | Unique identifier of the user. | keyword | -| user.name | Short name or login of the user. | keyword | -| user.name.text | Multi-field of `user.name`. | match_only_text | -| user_agent.device.name | Name of the device. | keyword | -| user_agent.name | Name of the user agent. | keyword | -| user_agent.original | Unparsed user_agent string. | keyword | -| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text | -| user_agent.os.full | Operating system name, including the version or code name. | keyword | -| user_agent.os.full.text | Multi-field of `user_agent.os.full`. | match_only_text | -| user_agent.os.name | Operating system name, without the version. | keyword | -| user_agent.os.name.text | Multi-field of `user_agent.os.name`. | match_only_text | -| user_agent.os.version | Operating system version as a raw string. 
| keyword | -| user_agent.version | Version of the user agent. | keyword | An example event for `logpull` looks as following: diff --git a/packages/cloudflare/manifest.yml b/packages/cloudflare/manifest.yml index 8152742eb73..71981c303fd 100644 --- a/packages/cloudflare/manifest.yml +++ b/packages/cloudflare/manifest.yml @@ -1,13 +1,13 @@ name: cloudflare title: Cloudflare -version: "2.26.0" +version: "2.27.0" description: Collect logs from Cloudflare with Elastic Agent. type: integration format_version: "3.0.2" categories: [security, network, cdn_security] conditions: kibana: - version: ^8.12.0 + version: "^8.13.0" icons: - src: /img/cf-logo-v.svg title: Cloudflare diff --git a/packages/cloudflare_logpush/changelog.yml b/packages/cloudflare_logpush/changelog.yml index 241a54bb14b..4b9deb70e05 100644 --- a/packages/cloudflare_logpush/changelog.yml +++ b/packages/cloudflare_logpush/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.21.0" + changes: + - description: Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template. + type: enhancement + link: https://github.com/elastic/integrations/pull/10135 - version: "1.20.0" changes: - description: Improve documentation on how to ingest data from Cloudflare R2. diff --git a/packages/cloudflare_logpush/data_stream/access_request/fields/agent.yml b/packages/cloudflare_logpush/data_stream/access_request/fields/agent.yml index 73e076a93b1..894e6f12be2 100644 --- a/packages/cloudflare_logpush/data_stream/access_request/fields/agent.yml +++ b/packages/cloudflare_logpush/data_stream/access_request/fields/agent.yml 
@@ -5,162 +5,15 @@ footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' type: group fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization ID used to identify different entities in a multi-tenant environment. Examples: AWS account ID, Google Cloud ORG ID, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - name: image.id type: keyword description: Image ID for the cloud instance. -- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. 
These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container ID. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. - name: host title: Host group: 2 description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' type: group fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host ID. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host IP addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. 
- - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - name: containerized type: boolean description: > diff --git a/packages/cloudflare_logpush/data_stream/access_request/fields/ecs.yml b/packages/cloudflare_logpush/data_stream/access_request/fields/ecs.yml deleted file mode 100644 index e05613a828b..00000000000 --- a/packages/cloudflare_logpush/data_stream/access_request/fields/ecs.yml +++ /dev/null 
@@ -1,56 +0,0 @@ -- external: ecs - name: ecs.version -- external: ecs - name: event.category -- external: ecs - name: event.created -- external: ecs - name: event.kind -- external: ecs - name: event.original -- external: ecs - name: event.type -- external: ecs - name: event.action -- external: ecs - name: event.id -- external: ecs - name: url.domain -- external: ecs - name: client.as.number -- external: ecs - name: client.as.organization.name -- external: ecs - name: client.geo.city_name -- external: ecs - name: client.geo.continent_code -- external: ecs - name: client.geo.continent_name -- external: ecs - name: client.geo.country_iso_code -- external: ecs - name: client.geo.country_name -- external: ecs - name: client.geo.location -- external: ecs - name: client.geo.name -- external: ecs - name: client.geo.postal_code -- external: ecs - name: client.geo.region_iso_code -- external: ecs - name: client.geo.region_name -- external: ecs - name: client.geo.timezone -- external: ecs - name: client.ip -- external: ecs - name: related.ip -- external: ecs - name: related.user -- external: ecs - name: user.id -- external: ecs - name: user.email -- external: ecs - name: tags diff --git a/packages/cloudflare_logpush/data_stream/audit/fields/agent.yml b/packages/cloudflare_logpush/data_stream/audit/fields/agent.yml index 73e076a93b1..894e6f12be2 100644 --- a/packages/cloudflare_logpush/data_stream/audit/fields/agent.yml +++ b/packages/cloudflare_logpush/data_stream/audit/fields/agent.yml 
@@ -5,162 +5,15 @@ footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' type: group fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization ID used to identify different entities in a multi-tenant environment. Examples: AWS account ID, Google Cloud ORG ID, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - name: image.id type: keyword description: Image ID for the cloud instance. -- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. 
These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container ID. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. - name: host title: Host group: 2 description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' type: group fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host ID. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host IP addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. 
- - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - name: containerized type: boolean description: > diff --git a/packages/cloudflare_logpush/data_stream/audit/fields/ecs.yml b/packages/cloudflare_logpush/data_stream/audit/fields/ecs.yml deleted file mode 100644 index 625cce48d2d..00000000000 --- a/packages/cloudflare_logpush/data_stream/audit/fields/ecs.yml +++ /dev/null 
@@ -1,32 +0,0 @@ -- external: ecs - name: ecs.version -- external: ecs - name: event.action -- external: ecs - name: event.category -- external: ecs - name: event.created -- external: ecs - name: event.id -- external: ecs - name: event.kind -- external: ecs - name: event.original -- external: ecs - name: event.outcome -- external: ecs - name: event.provider -- external: ecs - name: event.type -- external: ecs - name: related.ip -- external: ecs - name: related.user -- external: ecs - name: source.ip -- external: ecs - name: tags -- external: ecs - name: user.email -- external: ecs - name: user.id diff --git a/packages/cloudflare_logpush/data_stream/casb/fields/agent.yml b/packages/cloudflare_logpush/data_stream/casb/fields/agent.yml index 73e076a93b1..894e6f12be2 100644 --- a/packages/cloudflare_logpush/data_stream/casb/fields/agent.yml +++ b/packages/cloudflare_logpush/data_stream/casb/fields/agent.yml 
@@ -5,162 +5,15 @@ footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' type: group fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization ID used to identify different entities in a multi-tenant environment. Examples: AWS account ID, Google Cloud ORG ID, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - name: image.id type: keyword description: Image ID for the cloud instance. -- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. 
These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container ID. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. - name: host title: Host group: 2 description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' type: group fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host ID. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host IP addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. 
- - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - name: containerized type: boolean description: > diff --git a/packages/cloudflare_logpush/data_stream/casb/fields/ecs.yml b/packages/cloudflare_logpush/data_stream/casb/fields/ecs.yml deleted file mode 100644 index af68abf1471..00000000000 --- a/packages/cloudflare_logpush/data_stream/casb/fields/ecs.yml +++ /dev/null 
@@ -1,42 +0,0 @@ -- external: ecs - name: ecs.version -- external: ecs - name: event.created -- external: ecs - name: event.kind -- external: ecs - name: event.original -- external: ecs - name: event.id -- external: ecs - name: event.severity -- external: ecs - name: url.domain -- external: ecs - name: url.extension -- external: ecs - name: url.fragment -- external: ecs - name: url.full -- external: ecs - name: url.original -- external: ecs - name: url.password -- external: ecs - name: url.path -- external: ecs - name: url.port -- external: ecs - name: url.query -- external: ecs - name: url.registered_domain -- external: ecs - name: url.scheme -- external: ecs - name: url.subdomain -- external: ecs - name: url.top_level_domain -- external: ecs - name: url.username -- external: ecs - name: tags diff --git a/packages/cloudflare_logpush/data_stream/device_posture/fields/agent.yml b/packages/cloudflare_logpush/data_stream/device_posture/fields/agent.yml index 73e076a93b1..894e6f12be2 100644 --- a/packages/cloudflare_logpush/data_stream/device_posture/fields/agent.yml +++ b/packages/cloudflare_logpush/data_stream/device_posture/fields/agent.yml 
@@ -5,162 +5,15 @@
footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
type: group
fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'The cloud account or organization ID used to identify different entities in a multi-tenant environment. Examples: AWS account ID, Google Cloud ORG ID, or other unique identifier.'
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
- name: image.id
type: keyword
description: Image ID for the cloud instance.
-- name: container
- title: Container
- group: 2
- description: 'Container fields are used for meta information about the specific container that is the source of information.
These fields help correlate data based containers from any runtime.'
- type: group
- fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container ID.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
- name: host
title: Host
group: 2
description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
type: group
fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'Name of the domain of which the host is a member. For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
- example: CONTOSO
- default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host. It normally contains what the `hostname` command returns on the host machine.'
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Unique host ID. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`.'
- - name: ip
- level: core
- type: ip
- description: Host IP addresses.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
- name: containerized
type: boolean
description: >
diff --git a/packages/cloudflare_logpush/data_stream/device_posture/fields/ecs.yml b/packages/cloudflare_logpush/data_stream/device_posture/fields/ecs.yml
deleted file mode 100644
index 6d6d972a96e..00000000000
--- a/packages/cloudflare_logpush/data_stream/device_posture/fields/ecs.yml
+++ /dev/null
@@ -1,32 +0,0 @@
-- external: ecs
- name: ecs.version
-- external: ecs
- name: event.category
-- external: ecs
- name: event.created
-- external: ecs
- name: event.kind
-- external: ecs
- name: event.original
-- external: ecs
- name: event.type
-- external: ecs
- name: event.outcome
-- external: ecs
- name: user_agent.version
-- external: ecs
- name: rule.id
-- external: ecs
- name: rule.name
-- external: ecs
- name: rule.category
-- external: ecs
- name: related.hosts
-- external: ecs
- name: related.user
-- external: ecs
- name: user.id
-- external: ecs
- name: user.email
-- external: ecs
- name: tags
diff --git a/packages/cloudflare_logpush/data_stream/dns/fields/agent.yml b/packages/cloudflare_logpush/data_stream/dns/fields/agent.yml
index 73e076a93b1..894e6f12be2 100644
--- a/packages/cloudflare_logpush/data_stream/dns/fields/agent.yml
+++ b/packages/cloudflare_logpush/data_stream/dns/fields/agent.yml
@@ -5,162 +5,15 @@
footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
type: group
fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'The cloud account or organization ID used to identify different entities in a multi-tenant environment. Examples: AWS account ID, Google Cloud ORG ID, or other unique identifier.'
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
- name: image.id
type: keyword
description: Image ID for the cloud instance.
-- name: container
- title: Container
- group: 2
- description: 'Container fields are used for meta information about the specific container that is the source of information.
These fields help correlate data based containers from any runtime.'
- type: group
- fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container ID.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
- name: host
title: Host
group: 2
description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
type: group
fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'Name of the domain of which the host is a member. For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
- example: CONTOSO
- default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host. It normally contains what the `hostname` command returns on the host machine.'
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Unique host ID. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`.'
- - name: ip
- level: core
- type: ip
- description: Host IP addresses.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
- name: containerized
type: boolean
description: >
diff --git a/packages/cloudflare_logpush/data_stream/dns/fields/ecs.yml b/packages/cloudflare_logpush/data_stream/dns/fields/ecs.yml
deleted file mode 100644
index b1b0128da07..00000000000
--- a/packages/cloudflare_logpush/data_stream/dns/fields/ecs.yml
+++ /dev/null
@@ -1,22 +0,0 @@
-- external: ecs
- name: dns.question.name
-- external: ecs
- name: ecs.version
-- external: ecs
- name: event.category
-- external: ecs
- name: event.created
-- external: ecs
- name: event.kind
-- external: ecs
- name: event.original
-- external: ecs
- name: event.type
-- external: ecs
- name: related.hosts
-- external: ecs
- name: related.ip
-- external: ecs
- name: source.ip
-- external: ecs
- name: tags
diff --git a/packages/cloudflare_logpush/data_stream/dns_firewall/fields/agent.yml b/packages/cloudflare_logpush/data_stream/dns_firewall/fields/agent.yml
index 73e076a93b1..894e6f12be2 100644
--- a/packages/cloudflare_logpush/data_stream/dns_firewall/fields/agent.yml
+++ b/packages/cloudflare_logpush/data_stream/dns_firewall/fields/agent.yml
@@ -5,162 +5,15 @@
footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
type: group
fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'The cloud account or organization ID used to identify different entities in a multi-tenant environment. Examples: AWS account ID, Google Cloud ORG ID, or other unique identifier.'
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
- name: image.id
type: keyword
description: Image ID for the cloud instance.
-- name: container
- title: Container
- group: 2
- description: 'Container fields are used for meta information about the specific container that is the source of information.
These fields help correlate data based containers from any runtime.'
- type: group
- fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container ID.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
- name: host
title: Host
group: 2
description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
type: group
fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'Name of the domain of which the host is a member. For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
- example: CONTOSO
- default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host. It normally contains what the `hostname` command returns on the host machine.'
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Unique host ID. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`.'
- - name: ip
- level: core
- type: ip
- description: Host IP addresses.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
- name: containerized
type: boolean
description: >
diff --git a/packages/cloudflare_logpush/data_stream/dns_firewall/fields/ecs.yml b/packages/cloudflare_logpush/data_stream/dns_firewall/fields/ecs.yml
deleted file mode 100644
index 39240e89966..00000000000
--- a/packages/cloudflare_logpush/data_stream/dns_firewall/fields/ecs.yml
+++ /dev/null
@@ -1,52 +0,0 @@
-- external: ecs
- name: ecs.version
-- external: ecs
- name: event.category
-- external: ecs
- name: event.created
-- external: ecs
- name: event.kind
-- external: ecs
- name: event.original
-- external: ecs
- name: event.type
-- external: ecs
- name: event.timezone
-- external: ecs
- name: dns.question.name
-- external: ecs
- name: dns.response_code
-- external: ecs
- name: network.transport
-- external: ecs
- name: related.ip
-- external: ecs
- name: source.ip
-- external: ecs
- name: source.as.number
-- external: ecs
- name: source.as.organization.name
-- external: ecs
- name: source.geo.city_name
-- external: ecs
- name: source.geo.continent_code
-- external: ecs
- name: source.geo.continent_name
-- external: ecs
- name: source.geo.country_iso_code
-- external: ecs
- name: source.geo.country_name
-- external: ecs
- name: source.geo.location
-- external: ecs
- name: source.geo.name
-- external: ecs
- name: source.geo.postal_code
-- external: ecs
- name: source.geo.region_iso_code
-- external: ecs
- name: source.geo.region_name
-- external: ecs
- name: source.geo.timezone
-- external: ecs
- name: tags
diff --git a/packages/cloudflare_logpush/data_stream/firewall_event/fields/agent.yml b/packages/cloudflare_logpush/data_stream/firewall_event/fields/agent.yml
index 73e076a93b1..894e6f12be2 100644
--- a/packages/cloudflare_logpush/data_stream/firewall_event/fields/agent.yml
+++ b/packages/cloudflare_logpush/data_stream/firewall_event/fields/agent.yml
@@ -5,162 +5,15 @@
footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
type: group
fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'The cloud account or organization ID used to identify different entities in a multi-tenant environment. Examples: AWS account ID, Google Cloud ORG ID, or other unique identifier.'
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
- name: image.id
type: keyword
description: Image ID for the cloud instance.
-- name: container
- title: Container
- group: 2
- description: 'Container fields are used for meta information about the specific container that is the source of information.
These fields help correlate data based containers from any runtime.'
- type: group
- fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container ID.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
- name: host
title: Host
group: 2
description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
type: group
fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'Name of the domain of which the host is a member. For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
- example: CONTOSO
- default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host. It normally contains what the `hostname` command returns on the host machine.'
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Unique host ID. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`.'
- - name: ip
- level: core
- type: ip
- description: Host IP addresses.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
- name: containerized
type: boolean
description: >
diff --git a/packages/cloudflare_logpush/data_stream/firewall_event/fields/ecs.yml b/packages/cloudflare_logpush/data_stream/firewall_event/fields/ecs.yml
deleted file mode 100644
index 18569146ce2..00000000000
--- a/packages/cloudflare_logpush/data_stream/firewall_event/fields/ecs.yml
+++ /dev/null
@@ -1,58 +0,0 @@
-- external: ecs
- name: ecs.version
-- external: ecs
- name: event.action
-- external: ecs
- name: event.category
-- external: ecs
- name: event.created
-- external: ecs
- name: event.kind
-- external: ecs
- name: event.original
-- external: ecs
- name: event.type
-- external: ecs
- name: http.request.method
-- external: ecs
- name: http.response.status_code
-- external: ecs
- name: http.version
-- external: ecs
- name: network.protocol
-- external: ecs
- name: related.hosts
-- external: ecs
- name: related.ip
-- external: ecs
- name: rule.id
-- external: ecs
- name: source.as.number
-- external: ecs
- name: source.geo.country_iso_code
-- external: ecs
- name: source.ip
-- external: ecs
- name: tags
-- external: ecs
- name: url.domain
-- external: ecs
- name: url.path
-- external: ecs
- name: url.query
-- external: ecs
- name: url.scheme
-- external: ecs
- name: user_agent.device.name
-- external: ecs
- name: user_agent.name
-- external: ecs
- name: user_agent.original
-- external: ecs
- name: user_agent.os.full
-- external: ecs
- name: user_agent.os.name
-- external: ecs
- name: user_agent.os.version
-- external: ecs
- name: user_agent.version
diff --git a/packages/cloudflare_logpush/data_stream/gateway_dns/fields/agent.yml b/packages/cloudflare_logpush/data_stream/gateway_dns/fields/agent.yml
index 73e076a93b1..894e6f12be2 100644
--- a/packages/cloudflare_logpush/data_stream/gateway_dns/fields/agent.yml
+++ b/packages/cloudflare_logpush/data_stream/gateway_dns/fields/agent.yml
@@ -5,162 +5,15 @@
footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
type: group
fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'The cloud account or organization ID used to identify different entities in a multi-tenant environment. Examples: AWS account ID, Google Cloud ORG ID, or other unique identifier.'
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
- name: image.id
type: keyword
description: Image ID for the cloud instance.
-- name: container
- title: Container
- group: 2
- description: 'Container fields are used for meta information about the specific container that is the source of information.
These fields help correlate data based containers from any runtime.'
- type: group
- fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container ID.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
- name: host
title: Host
group: 2
description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
type: group
fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'Name of the domain of which the host is a member. For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
- example: CONTOSO
- default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host. It normally contains what the `hostname` command returns on the host machine.'
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Unique host ID. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`.'
- - name: ip
- level: core
- type: ip
- description: Host IP addresses.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
- name: containerized
type: boolean
description: >
diff --git a/packages/cloudflare_logpush/data_stream/gateway_dns/fields/ecs.yml b/packages/cloudflare_logpush/data_stream/gateway_dns/fields/ecs.yml
deleted file mode 100644
index 5338b74884f..00000000000
--- a/packages/cloudflare_logpush/data_stream/gateway_dns/fields/ecs.yml
+++ /dev/null
@@ -1,111 +0,0 @@
-- external: ecs
- name: ecs.version
-- external: ecs
- name: event.category
-- external: ecs
- name: event.created
-- external: ecs
- name: event.kind
-- external: ecs
- name: event.original
-- external: ecs
- name: event.type
-- external: ecs
- name: event.outcome
-- external: ecs
- name: event.timezone
-- external: ecs
- name: destination.ip
-- external: ecs
- name: destination.port
-- external: ecs
- name: destination.as.number
-- external: ecs
- name: destination.as.organization.name
-- external: ecs
- name: destination.geo.city_name
-- external: ecs
- name: destination.geo.continent_code
-- external: ecs
- name: destination.geo.continent_name
-- external: ecs
- name: destination.geo.country_iso_code
-- external: ecs
- name: destination.geo.country_name
-- external: ecs
- name: destination.geo.location
-- external: ecs
- name: destination.geo.name
-- external: ecs
- name: destination.geo.postal_code
-- external: ecs
- name: destination.geo.region_iso_code
-- external: ecs
- name: destination.geo.region_name
-- external: ecs
- name: destination.geo.timezone
-- external: ecs
- name: dns.response_code
-- external: ecs
- name: dns.resolved_ip
-- external: ecs
- name: dns.question.name
-- external: ecs
- name: dns.question.type
-- external: ecs
- name: dns.answers
- type: group
-- external: ecs
- name: dns.answers.class
-- external: ecs
- name: dns.answers.data
-- external: ecs
- name: dns.answers.name
-- external: ecs
- name: dns.answers.ttl
-- external: ecs
- name: dns.answers.type
-- external: ecs
- name: related.ip
-- external: ecs
- name: related.hosts
-- external: ecs
- name: related.user
-- external: ecs
- name: source.ip
-- external: ecs
- name: source.port
-- external: ecs
- name: source.as.number
-- external: ecs
- name: source.as.organization.name
-- external: ecs
- name: source.geo.city_name
-- external: ecs
- name: source.geo.continent_code
-- external: ecs
- name: source.geo.continent_name
-- external: ecs
- name:
source.geo.country_iso_code
-- external: ecs
- name: source.geo.country_name
-- external: ecs
- name: source.geo.location
-- external: ecs
- name: source.geo.name
-- external: ecs
- name: source.geo.postal_code
-- external: ecs
- name: source.geo.region_iso_code
-- external: ecs
- name: source.geo.region_name
-- external: ecs
- name: source.geo.timezone
-- external: ecs
- name: user.id
-- external: ecs
- name: user.email
-- external: ecs
- name: network.protocol
-- external: ecs
- name: tags
diff --git a/packages/cloudflare_logpush/data_stream/gateway_http/fields/agent.yml b/packages/cloudflare_logpush/data_stream/gateway_http/fields/agent.yml
index 73e076a93b1..894e6f12be2 100644
--- a/packages/cloudflare_logpush/data_stream/gateway_http/fields/agent.yml
+++ b/packages/cloudflare_logpush/data_stream/gateway_http/fields/agent.yml
@@ -5,162 +5,15 @@
 footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
 type: group
 fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'The cloud account or organization ID used to identify different entities in a multi-tenant environment. Examples: AWS account ID, Google Cloud ORG ID, or other unique identifier.'
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
 - name: image.id
 type: keyword
 description: Image ID for the cloud instance.
-- name: container
- title: Container
- group: 2
- description: 'Container fields are used for meta information about the specific container that is the source of information.
These fields help correlate data based containers from any runtime.'
- type: group
- fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container ID.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
 - name: host
 title: Host
 group: 2
 description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
 type: group
 fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'Name of the domain of which the host is a member. For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
- example: CONTOSO
- default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host. It normally contains what the `hostname` command returns on the host machine.'
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Unique host ID. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`.'
- - name: ip
- level: core
- type: ip
- description: Host IP addresses.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
 - name: containerized
 type: boolean
 description: >
diff --git a/packages/cloudflare_logpush/data_stream/gateway_http/fields/ecs.yml b/packages/cloudflare_logpush/data_stream/gateway_http/fields/ecs.yml
deleted file mode 100644
index e8fefa5175b..00000000000
--- a/packages/cloudflare_logpush/data_stream/gateway_http/fields/ecs.yml
+++ /dev/null
@@ -1,124 +0,0 @@
-- external: ecs
- name: ecs.version
-- external: ecs
- name: event.category
-- external: ecs
- name: event.created
-- external: ecs
- name: event.kind
-- external: ecs
- name: event.original
-- external: ecs
- name: event.type
-- external: ecs
- name: event.action
-- external: ecs
- name: destination.ip
-- external: ecs
- name: destination.port
-- external: ecs
- name: destination.as.number
-- external: ecs
- name: destination.as.organization.name
-- external: ecs
- name: destination.geo.city_name
-- external: ecs
- name: destination.geo.continent_code
-- external: ecs
- name: destination.geo.continent_name
-- external: ecs
- name: destination.geo.country_iso_code
-- external: ecs
- name: destination.geo.country_name
-- external: ecs
- name: destination.geo.location
-- external: ecs
- name: destination.geo.name
-- external: ecs
- name: destination.geo.postal_code
-- external: ecs
- name: destination.geo.region_iso_code
-- external: ecs
- name: destination.geo.region_name
-- external: ecs
- name: destination.geo.timezone
-- external: ecs
- name: http.request.method
-- external: ecs
- name: http.response.status_code
-- external: ecs
- name: http.version
-- external: ecs
- name: http.request.referrer
-- external: ecs
- name: source.ip
-- external: ecs
- name: source.port
-- external: ecs
- name: source.as.number
-- external: ecs
- name: source.as.organization.name
-- external: ecs
- name: source.geo.city_name
-- external: ecs
- name: source.geo.continent_code
-- external: ecs
- name: source.geo.continent_name
-- external: ecs
- name: source.geo.country_iso_code
-- external: ecs
- name: source.geo.country_name
-- external: ecs
- name: source.geo.location
-- external: ecs
- name: source.geo.name
-- external: ecs
- name: source.geo.postal_code
-- external: ecs
- name: source.geo.region_iso_code
-- external: ecs
- name: source.geo.region_name
-- external: ecs
- name: source.geo.timezone
-- external: ecs
- name: url.domain
-- external: ecs
- name:
url.extension
-- external: ecs
- name: url.fragment
-- external: ecs
- name: url.full
-- external: ecs
- name: url.original
-- external: ecs
- name: url.password
-- external: ecs
- name: url.path
-- external: ecs
- name: url.port
-- external: ecs
- name: url.query
-- external: ecs
- name: url.registered_domain
-- external: ecs
- name: url.scheme
-- external: ecs
- name: url.subdomain
-- external: ecs
- name: url.top_level_domain
-- external: ecs
- name: url.username
-- external: ecs
- name: user_agent.original
-- external: ecs
- name: user.id
-- external: ecs
- name: user.email
-- external: ecs
- name: related.ip
-- external: ecs
- name: related.hosts
-- external: ecs
- name: related.user
-- external: ecs
- name: tags
diff --git a/packages/cloudflare_logpush/data_stream/gateway_network/fields/agent.yml b/packages/cloudflare_logpush/data_stream/gateway_network/fields/agent.yml
index 73e076a93b1..894e6f12be2 100644
--- a/packages/cloudflare_logpush/data_stream/gateway_network/fields/agent.yml
+++ b/packages/cloudflare_logpush/data_stream/gateway_network/fields/agent.yml
@@ -5,162 +5,15 @@
 footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
 type: group
 fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'The cloud account or organization ID used to identify different entities in a multi-tenant environment. Examples: AWS account ID, Google Cloud ORG ID, or other unique identifier.'
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
 - name: image.id
 type: keyword
 description: Image ID for the cloud instance.
-- name: container
- title: Container
- group: 2
- description: 'Container fields are used for meta information about the specific container that is the source of information.
These fields help correlate data based containers from any runtime.'
- type: group
- fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container ID.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
 - name: host
 title: Host
 group: 2
 description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
 type: group
 fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'Name of the domain of which the host is a member. For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
- example: CONTOSO
- default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host. It normally contains what the `hostname` command returns on the host machine.'
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Unique host ID. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`.'
- - name: ip
- level: core
- type: ip
- description: Host IP addresses.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
 - name: containerized
 type: boolean
 description: >
diff --git a/packages/cloudflare_logpush/data_stream/gateway_network/fields/ecs.yml b/packages/cloudflare_logpush/data_stream/gateway_network/fields/ecs.yml
deleted file mode 100644
index 552aa9e4cdf..00000000000
--- a/packages/cloudflare_logpush/data_stream/gateway_network/fields/ecs.yml
+++ /dev/null
@@ -1,94 +0,0 @@
-- external: ecs
- name: ecs.version
-- external: ecs
- name: event.category
-- external: ecs
- name: event.created
-- external: ecs
- name: event.kind
-- external: ecs
- name: event.original
-- external: ecs
- name: event.type
-- external: ecs
- name: event.action
-- external: ecs
- name: event.id
-- external: ecs
- name: destination.ip
-- external: ecs
- name: destination.port
-- external: ecs
- name: destination.as.number
-- external: ecs
- name: destination.as.organization.name
-- external: ecs
- name: destination.geo.city_name
-- external: ecs
- name: destination.geo.continent_code
-- external: ecs
- name: destination.geo.continent_name
-- external: ecs
- name: destination.geo.country_iso_code
-- external: ecs
- name: destination.geo.country_name
-- external: ecs
- name: destination.geo.location
-- external: ecs
- name: destination.geo.name
-- external: ecs
- name: destination.geo.postal_code
-- external: ecs
- name: destination.geo.region_iso_code
-- external: ecs
- name: destination.geo.region_name
-- external: ecs
- name: destination.geo.timezone
-- external: ecs
- name: tls.client.server_name
-- external: ecs
- name: destination.domain
-- external: ecs
- name: source.ip
-- external: ecs
- name: source.port
-- external: ecs
- name: source.as.number
-- external: ecs
- name: source.as.organization.name
-- external: ecs
- name: source.geo.city_name
-- external: ecs
- name: source.geo.continent_code
-- external: ecs
- name: source.geo.continent_name
-- external: ecs
- name: source.geo.country_iso_code
-- external: ecs
- name: source.geo.country_name
-- external: ecs
- name: source.geo.location
-- external: ecs
- name: source.geo.name
-- external: ecs
- name: source.geo.postal_code
-- external: ecs
- name: source.geo.region_iso_code
-- external: ecs
- name: source.geo.region_name
-- external: ecs
- name: source.geo.timezone
-- external: ecs
- name: network.transport
-- external: ecs
- name: user.id
-- external: ecs
- name: user.email
--
external: ecs
- name: related.ip
-- external: ecs
- name: related.hosts
-- external: ecs
- name: related.user
-- external: ecs
- name: tags
diff --git a/packages/cloudflare_logpush/data_stream/http_request/fields/agent.yml b/packages/cloudflare_logpush/data_stream/http_request/fields/agent.yml
index 73e076a93b1..894e6f12be2 100644
--- a/packages/cloudflare_logpush/data_stream/http_request/fields/agent.yml
+++ b/packages/cloudflare_logpush/data_stream/http_request/fields/agent.yml
@@ -5,162 +5,15 @@
 footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
 type: group
 fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'The cloud account or organization ID used to identify different entities in a multi-tenant environment. Examples: AWS account ID, Google Cloud ORG ID, or other unique identifier.'
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
 - name: image.id
 type: keyword
 description: Image ID for the cloud instance.
-- name: container
- title: Container
- group: 2
- description: 'Container fields are used for meta information about the specific container that is the source of information.
These fields help correlate data based containers from any runtime.'
- type: group
- fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container ID.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
 - name: host
 title: Host
 group: 2
 description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
 type: group
 fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'Name of the domain of which the host is a member. For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
- example: CONTOSO
- default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host. It normally contains what the `hostname` command returns on the host machine.'
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Unique host ID. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`.'
- - name: ip
- level: core
- type: ip
- description: Host IP addresses.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
 - name: containerized
 type: boolean
 description: >
diff --git a/packages/cloudflare_logpush/data_stream/http_request/fields/ecs.yml b/packages/cloudflare_logpush/data_stream/http_request/fields/ecs.yml
deleted file mode 100644
index 1fc14e69fa0..00000000000
--- a/packages/cloudflare_logpush/data_stream/http_request/fields/ecs.yml
+++ /dev/null
@@ -1,64 +0,0 @@
-- external: ecs
- name: destination.ip
-- external: ecs
- name: ecs.version
-- external: ecs
- name: event.category
-- external: ecs
- name: event.created
-- external: ecs
- name: event.kind
-- external: ecs
- name: event.original
-- external: ecs
- name: event.type
-- external: ecs
- name: http.request.method
-- external: ecs
- name: http.response.mime_type
-- external: ecs
- name: http.response.status_code
-- external: ecs
- name: http.version
-- external: ecs
- name: network.protocol
-- external: ecs
- name: related.hash
-- external: ecs
- name: related.ip
-- external: ecs
- name: source.as.number
-- external: ecs
- name: source.geo.country_iso_code
-- external: ecs
- name: source.ip
-- external: ecs
- name: tags
-- external: ecs
- name: tls.version
-- external: ecs
- name: tls.version_protocol
-- external: ecs
- name: url.domain
-- external: ecs
- name: url.original
-- external: ecs
- name: url.path
-- external: ecs
- name: url.query
-- external: ecs
- name: url.scheme
-- external: ecs
- name: user_agent.device.name
-- external: ecs
- name: user_agent.name
-- external: ecs
- name: user_agent.original
-- external: ecs
- name: user_agent.os.full
-- external: ecs
- name: user_agent.os.name
-- external: ecs
- name: user_agent.os.version
-- external: ecs
- name: user_agent.version
diff --git a/packages/cloudflare_logpush/data_stream/magic_ids/fields/agent.yml b/packages/cloudflare_logpush/data_stream/magic_ids/fields/agent.yml
index 73e076a93b1..894e6f12be2 100644
--- a/packages/cloudflare_logpush/data_stream/magic_ids/fields/agent.yml
+++ b/packages/cloudflare_logpush/data_stream/magic_ids/fields/agent.yml
@@ -5,162 +5,15 @@
 footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
 type: group
 fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'The cloud account or organization ID used to identify different entities in a multi-tenant environment. Examples: AWS account ID, Google Cloud ORG ID, or other unique identifier.'
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
 - name: image.id
 type: keyword
 description: Image ID for the cloud instance.
-- name: container
- title: Container
- group: 2
- description: 'Container fields are used for meta information about the specific container that is the source of information.
These fields help correlate data based containers from any runtime.'
- type: group
- fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container ID.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
 - name: host
 title: Host
 group: 2
 description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
 type: group
 fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'Name of the domain of which the host is a member. For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
- example: CONTOSO
- default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host. It normally contains what the `hostname` command returns on the host machine.'
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Unique host ID. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`.'
- - name: ip
- level: core
- type: ip
- description: Host IP addresses.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
 - name: containerized
 type: boolean
 description: >
diff --git a/packages/cloudflare_logpush/data_stream/magic_ids/fields/ecs.yml b/packages/cloudflare_logpush/data_stream/magic_ids/fields/ecs.yml
deleted file mode 100644
index e262f4f6bc3..00000000000
--- a/packages/cloudflare_logpush/data_stream/magic_ids/fields/ecs.yml
+++ /dev/null
@@ -1,82 +0,0 @@
-- external: ecs
- name: ecs.version
-- external: ecs
- name: event.category
-- external: ecs
- name: event.created
-- external: ecs
- name: event.kind
-- external: ecs
- name: event.original
-- external: ecs
- name: event.type
-- external: ecs
- name: event.action
-- external: ecs
- name: event.timezone
-- external: ecs
- name: destination.ip
-- external: ecs
- name: destination.port
-- external: ecs
- name: destination.as.number
-- external: ecs
- name: destination.as.organization.name
-- external: ecs
- name: destination.geo.city_name
-- external: ecs
- name: destination.geo.continent_code
-- external: ecs
- name: destination.geo.continent_name
-- external: ecs
- name: destination.geo.country_iso_code
-- external: ecs
- name: destination.geo.country_name
-- external: ecs
- name: destination.geo.location
-- external: ecs
- name: destination.geo.name
-- external: ecs
- name: destination.geo.postal_code
-- external: ecs
- name: destination.geo.region_iso_code
-- external: ecs
- name: destination.geo.region_name
-- external: ecs
- name: destination.geo.timezone
-- external: ecs
- name: related.ip
-- external: ecs
- name: source.ip
-- external: ecs
- name: source.port
-- external: ecs
- name: source.as.number
-- external: ecs
- name: source.as.organization.name
-- external: ecs
- name: source.geo.city_name
-- external: ecs
- name: source.geo.continent_code
-- external: ecs
- name: source.geo.continent_name
-- external: ecs
- name: source.geo.country_iso_code
-- external: ecs
- name: source.geo.country_name
-- external: ecs
- name: source.geo.location
-- external: ecs
- name: source.geo.name
-- external: ecs
- name: source.geo.postal_code
-- external: ecs
- name: source.geo.region_iso_code
-- external: ecs
- name: source.geo.region_name
-- external: ecs
- name: source.geo.timezone
-- external: ecs
- name: network.transport
-- external: ecs
- name: tags
diff --git a/packages/cloudflare_logpush/data_stream/nel_report/fields/agent.yml b/packages/cloudflare_logpush/data_stream/nel_report/fields/agent.yml
index 73e076a93b1..894e6f12be2 100644
--- a/packages/cloudflare_logpush/data_stream/nel_report/fields/agent.yml
+++ b/packages/cloudflare_logpush/data_stream/nel_report/fields/agent.yml
@@ -5,162 +5,15 @@
footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
type: group
fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'The cloud account or organization ID used to identify different entities in a multi-tenant environment. Examples: AWS account ID, Google Cloud ORG ID, or other unique identifier.'
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
- name: image.id
type: keyword
description: Image ID for the cloud instance.
-- name: container
- title: Container
- group: 2
- description: 'Container fields are used for meta information about the specific container that is the source of information.
These fields help correlate data based containers from any runtime.'
- type: group
- fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container ID.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
- name: host
title: Host
group: 2
description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
type: group
fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'Name of the domain of which the host is a member. For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
- example: CONTOSO
- default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host. It normally contains what the `hostname` command returns on the host machine.'
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Unique host ID. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`.'
- - name: ip
- level: core
- type: ip
- description: Host IP addresses.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
- name: containerized
type: boolean
description: >
diff --git a/packages/cloudflare_logpush/data_stream/nel_report/fields/ecs.yml b/packages/cloudflare_logpush/data_stream/nel_report/fields/ecs.yml
deleted file mode 100644
index a0c9092f429..00000000000
--- a/packages/cloudflare_logpush/data_stream/nel_report/fields/ecs.yml
+++ /dev/null
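Review bot: Removing `host.ip` (type `ip`), `host.mac`, `cloud.*` and `container.*` from this agent.yml while the same commit deletes the data stream's ecs.yml leaves the package with no explicit mapping for those fields, so they are presumably expected to come from the stack-provided `ecs@mappings` component template; that only holds if manifest.yml pins `kibana.version` to a release that ships that template, and no such change is visible here. On an older stack the fields would be dynamically mapped (host.ip as keyword/text rather than ip), which silently breaks CIDR and range queries in detection rules against this data stream. The lines that survive, `cloud.image.id` and `host.containerized`, are the non-ECS additions, and a comment above the remaining `fields:` such as `# cloud.*, container.* and host.* ECS fields are mapped by the stack's ecs@mappings template; only non-ECS additions are declared here.` would record that intent for the next maintainer. This hunk is byte-identical (index 73e076a93b1..894e6f12be2) for every data stream's agent.yml in the commit, so the same concern applies to each of them.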
@@ -1,16 +0,0 @@
-- external: ecs
- name: ecs.version
-- external: ecs
- name: event.category
-- external: ecs
- name: event.created
-- external: ecs
- name: event.kind
-- external: ecs
- name: event.original
-- external: ecs
- name: event.type
-- external: ecs
- name: error.type
-- external: ecs
- name: tags
diff --git a/packages/cloudflare_logpush/data_stream/network_analytics/fields/agent.yml b/packages/cloudflare_logpush/data_stream/network_analytics/fields/agent.yml
index 73e076a93b1..894e6f12be2 100644
--- a/packages/cloudflare_logpush/data_stream/network_analytics/fields/agent.yml
+++ b/packages/cloudflare_logpush/data_stream/network_analytics/fields/agent.yml
@@ -5,162 +5,15 @@
footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
type: group
fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'The cloud account or organization ID used to identify different entities in a multi-tenant environment. Examples: AWS account ID, Google Cloud ORG ID, or other unique identifier.'
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
- name: image.id
type: keyword
description: Image ID for the cloud instance.
-- name: container
- title: Container
- group: 2
- description: 'Container fields are used for meta information about the specific container that is the source of information.
These fields help correlate data based containers from any runtime.'
- type: group
- fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container ID.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
- name: host
title: Host
group: 2
description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
type: group
fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'Name of the domain of which the host is a member. For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
- example: CONTOSO
- default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host. It normally contains what the `hostname` command returns on the host machine.'
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Unique host ID. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`.'
- - name: ip
- level: core
- type: ip
- description: Host IP addresses.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
- name: containerized
type: boolean
description: >
diff --git a/packages/cloudflare_logpush/data_stream/network_analytics/fields/ecs.yml b/packages/cloudflare_logpush/data_stream/network_analytics/fields/ecs.yml
deleted file mode 100644
index eb6b3e0ad5c..00000000000
--- a/packages/cloudflare_logpush/data_stream/network_analytics/fields/ecs.yml
+++ /dev/null
@@ -1,40 +0,0 @@
-- external: ecs
- name: destination.as.number
-- external: ecs
- name: destination.ip
-- external: ecs
- name: destination.port
-- external: ecs
- name: ecs.version
-- external: ecs
- name: event.category
-- external: ecs
- name: event.created
-- external: ecs
- name: event.kind
-- external: ecs
- name: event.original
-- external: ecs
- name: event.outcome
-- external: ecs
- name: event.type
-- external: ecs
- name: network.community_id
-- external: ecs
- name: network.direction
-- external: ecs
- name: network.transport
-- external: ecs
- name: related.hash
-- external: ecs
- name: related.ip
-- external: ecs
- name: rule.id
-- external: ecs
- name: source.as.number
-- external: ecs
- name: source.ip
-- external: ecs
- name: source.port
-- external: ecs
- name: tags
diff --git a/packages/cloudflare_logpush/data_stream/network_session/fields/agent.yml b/packages/cloudflare_logpush/data_stream/network_session/fields/agent.yml
index 73e076a93b1..894e6f12be2 100644
--- a/packages/cloudflare_logpush/data_stream/network_session/fields/agent.yml
+++ b/packages/cloudflare_logpush/data_stream/network_session/fields/agent.yml
@@ -5,162 +5,15 @@
footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
type: group
fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'The cloud account or organization ID used to identify different entities in a multi-tenant environment. Examples: AWS account ID, Google Cloud ORG ID, or other unique identifier.'
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
- name: image.id
type: keyword
description: Image ID for the cloud instance.
-- name: container
- title: Container
- group: 2
- description: 'Container fields are used for meta information about the specific container that is the source of information.
These fields help correlate data based containers from any runtime.'
- type: group
- fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container ID.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
- name: host
title: Host
group: 2
description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
type: group
fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'Name of the domain of which the host is a member. For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
- example: CONTOSO
- default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host. It normally contains what the `hostname` command returns on the host machine.'
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Unique host ID. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`.'
- - name: ip
- level: core
- type: ip
- description: Host IP addresses.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
- name: containerized
type: boolean
description: >
diff --git a/packages/cloudflare_logpush/data_stream/network_session/fields/ecs.yml b/packages/cloudflare_logpush/data_stream/network_session/fields/ecs.yml
deleted file mode 100644
index 85bba103ac0..00000000000
--- a/packages/cloudflare_logpush/data_stream/network_session/fields/ecs.yml
+++ /dev/null
@@ -1,106 +0,0 @@
-- external: ecs
- name: ecs.version
-- external: ecs
- name: event.category
-- external: ecs
- name: event.created
-- external: ecs
- name: event.kind
-- external: ecs
- name: event.original
-- external: ecs
- name: event.type
-- external: ecs
- name: event.action
-- external: ecs
- name: event.id
-- external: ecs
- name: event.start
-- external: ecs
- name: event.end
-- external: ecs
- name: device.id
-- external: ecs
- name: device.model.identifier
-- external: ecs
- name: destination.ip
-- external: ecs
- name: destination.port
-- external: ecs
- name: destination.bytes
-- external: ecs
- name: destination.as.number
-- external: ecs
- name: destination.as.organization.name
-- external: ecs
- name: destination.geo.city_name
-- external: ecs
- name: destination.geo.continent_code
-- external: ecs
- name: destination.geo.continent_name
-- external: ecs
- name: destination.geo.country_iso_code
-- external: ecs
- name: destination.geo.country_name
-- external: ecs
- name: destination.geo.location
-- external: ecs
- name: destination.geo.name
-- external: ecs
- name: destination.geo.postal_code
-- external: ecs
- name: destination.geo.region_iso_code
-- external: ecs
- name: destination.geo.region_name
-- external: ecs
- name: destination.geo.timezone
-- external: ecs
- name: tls.server.issuer
-- external: ecs
- name: network.transport
-- external: ecs
- name: source.ip
-- external: ecs
- name: source.port
-- external: ecs
- name: source.as.number
-- external: ecs
- name: source.as.organization.name
-- external: ecs
- name: source.geo.city_name
-- external: ecs
- name: source.geo.continent_code
-- external: ecs
- name: source.geo.continent_name
-- external: ecs
- name: source.geo.country_iso_code
-- external: ecs
- name: source.geo.country_name
-- external: ecs
- name: source.geo.location
-- external: ecs
- name: source.geo.name
-- external: ecs
- name: source.geo.postal_code
-- external: ecs
- name: source.geo.region_iso_code
-- external: ecs
- 
name: source.geo.region_name
-- external: ecs
- name: source.geo.timezone
-- external: ecs
- name: source.bytes
-- external: ecs
- name: user.id
-- external: ecs
- name: user.email
-- external: ecs
- name: network.vlan.id
-- external: ecs
- name: related.ip
-- external: ecs
- name: related.hosts
-- external: ecs
- name: related.user
-- external: ecs
- name: tags
diff --git a/packages/cloudflare_logpush/data_stream/sinkhole_http/fields/agent.yml b/packages/cloudflare_logpush/data_stream/sinkhole_http/fields/agent.yml
index 73e076a93b1..894e6f12be2 100644
--- a/packages/cloudflare_logpush/data_stream/sinkhole_http/fields/agent.yml
+++ b/packages/cloudflare_logpush/data_stream/sinkhole_http/fields/agent.yml
@@ -5,162 +5,15 @@
footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
type: group
fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'The cloud account or organization ID used to identify different entities in a multi-tenant environment. Examples: AWS account ID, Google Cloud ORG ID, or other unique identifier.'
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
- name: image.id
type: keyword
description: Image ID for the cloud instance.
-- name: container
- title: Container
- group: 2
- description: 'Container fields are used for meta information about the specific container that is the source of information.
These fields help correlate data based containers from any runtime.'
- type: group
- fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container ID.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
- name: host
title: Host
group: 2
description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
type: group
fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'Name of the domain of which the host is a member. For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
- example: CONTOSO
- default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host. It normally contains what the `hostname` command returns on the host machine.'
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Unique host ID. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`.'
- - name: ip
- level: core
- type: ip
- description: Host IP addresses.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
- name: containerized
type: boolean
description: >
diff --git a/packages/cloudflare_logpush/data_stream/sinkhole_http/fields/ecs.yml b/packages/cloudflare_logpush/data_stream/sinkhole_http/fields/ecs.yml
deleted file mode 100644
index 438064b2091..00000000000
--- a/packages/cloudflare_logpush/data_stream/sinkhole_http/fields/ecs.yml
+++ /dev/null
@@ -1,130 +0,0 @@
-- external: ecs
- name: ecs.version
-- external: ecs
- name: event.category
-- external: ecs
- name: event.created
-- external: ecs
- name: event.kind
-- external: ecs
- name: event.original
-- external: ecs
- name: event.type
-- external: ecs
- name: event.timezone
-- external: ecs
- name: destination.ip
-- external: ecs
- name: destination.as.number
-- external: ecs
- name: destination.as.organization.name
-- external: ecs
- name: destination.geo.city_name
-- external: ecs
- name: destination.geo.continent_code
-- external: ecs
- name: destination.geo.continent_name
-- external: ecs
- name: destination.geo.country_iso_code
-- external: ecs
- name: destination.geo.country_name
-- external: ecs
- name: destination.geo.location
-- external: ecs
- name: destination.geo.name
-- external: ecs
- name: destination.geo.postal_code
-- external: ecs
- name: destination.geo.region_iso_code
-- external: ecs
- name: destination.geo.region_name
-- external: ecs
- name: destination.geo.timezone
-- external: ecs
- name: http.request.body.content
-- external: ecs
- name: http.request.body.bytes
-- external: ecs
- name: http.request.method
-- external: ecs
- name: http.request.referrer
-- external: ecs
- name: related.ip
-- external: ecs
- name: related.hosts
-- external: ecs
- name: related.user
-- external: ecs
- name: source.ip
-- external: ecs
- name: source.as.number
-- external: ecs
- name: source.as.organization.name
-- external: ecs
- name: source.geo.city_name
-- external: ecs
- name: source.geo.continent_code
-- external: ecs
- name: source.geo.continent_name
-- external: ecs
- name: source.geo.country_iso_code
-- external: ecs
- name: source.geo.country_name
-- external: ecs
- name: source.geo.location
-- external: ecs
- name: source.geo.name
-- external: ecs
- name: source.geo.postal_code
-- external: ecs
- name: source.geo.region_iso_code
-- external: ecs
- name: source.geo.region_name
-- external: ecs
- name: source.geo.timezone
-- external: ecs
- 
name: url.domain
-- external: ecs
- name: url.extension
-- external: ecs
- name: url.fragment
-- external: ecs
- name: url.full
-- external: ecs
- name: url.original
-- external: ecs
- name: url.password
-- external: ecs
- name: url.path
-- external: ecs
- name: url.port
-- external: ecs
- name: url.query
-- external: ecs
- name: url.registered_domain
-- external: ecs
- name: url.scheme
-- external: ecs
- name: url.subdomain
-- external: ecs
- name: url.top_level_domain
-- external: ecs
- name: url.username
-- external: ecs
- name: user.name
-- external: ecs
- name: user_agent.device.name
-- external: ecs
- name: user_agent.name
-- external: ecs
- name: user_agent.original
-- external: ecs
- name: user_agent.os.full
-- external: ecs
- name: user_agent.os.name
-- external: ecs
- name: user_agent.os.version
-- external: ecs
- name: user_agent.version
-- external: ecs
- name: tags
diff --git a/packages/cloudflare_logpush/data_stream/spectrum_event/fields/agent.yml b/packages/cloudflare_logpush/data_stream/spectrum_event/fields/agent.yml
index 73e076a93b1..894e6f12be2 100644
--- a/packages/cloudflare_logpush/data_stream/spectrum_event/fields/agent.yml
+++ b/packages/cloudflare_logpush/data_stream/spectrum_event/fields/agent.yml
@@ -5,162 +5,15 @@
 footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
 type: group
 fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'The cloud account or organization ID used to identify different entities in a multi-tenant environment. Examples: AWS account ID, Google Cloud ORG ID, or other unique identifier.'
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
 - name: image.id
 type: keyword
 description: Image ID for the cloud instance.
-- name: container
- title: Container
- group: 2
- description: 'Container fields are used for meta information about the specific container that is the source of information. These fields help correlate data based containers from any runtime.'
- type: group
- fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container ID.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
 - name: host
 title: Host
 group: 2
 description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
 type: group
 fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'Name of the domain of which the host is a member. For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
- example: CONTOSO
- default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host. It normally contains what the `hostname` command returns on the host machine.'
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Unique host ID. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`.'
- - name: ip
- level: core
- type: ip
- description: Host IP addresses.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
 - name: containerized
 type: boolean
 description: >
diff --git a/packages/cloudflare_logpush/data_stream/spectrum_event/fields/ecs.yml b/packages/cloudflare_logpush/data_stream/spectrum_event/fields/ecs.yml
deleted file mode 100644
index fea89d47ec6..00000000000
--- a/packages/cloudflare_logpush/data_stream/spectrum_event/fields/ecs.yml
+++ /dev/null
@@ -1,50 +0,0 @@
-- external: ecs
- name: destination.bytes
-- external: ecs
- name: destination.ip
-- external: ecs
- name: destination.port
-- external: ecs
- name: ecs.version
-- external: ecs
- name: event.action
-- external: ecs
- name: event.category
-- external: ecs
- name: event.created
-- external: ecs
- name: event.end
-- external: ecs
- name: event.id
-- external: ecs
- name: event.kind
-- external: ecs
- name: event.original
-- external: ecs
- name: event.start
-- external: ecs
- name: event.type
-- external: ecs
- name: http.response.status_code
-- external: ecs
- name: network.community_id
-- external: ecs
- name: network.transport
-- external: ecs
- name: related.ip
-- external: ecs
- name: source.as.number
-- external: ecs
- name: source.bytes
-- external: ecs
- name: source.geo.country_iso_code
-- external: ecs
- name: source.ip
-- external: ecs
- name: source.port
-- external: ecs
- name: tags
-- external: ecs
- name: tls.version
-- external: ecs
- name: tls.version_protocol
diff --git a/packages/cloudflare_logpush/data_stream/workers_trace/fields/agent.yml b/packages/cloudflare_logpush/data_stream/workers_trace/fields/agent.yml
index 73e076a93b1..894e6f12be2 100644
--- a/packages/cloudflare_logpush/data_stream/workers_trace/fields/agent.yml
+++ b/packages/cloudflare_logpush/data_stream/workers_trace/fields/agent.yml
@@ -5,162 +5,15 @@
 footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
 type: group
 fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'The cloud account or organization ID used to identify different entities in a multi-tenant environment. Examples: AWS account ID, Google Cloud ORG ID, or other unique identifier.'
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
 - name: image.id
 type: keyword
 description: Image ID for the cloud instance.
-- name: container
- title: Container
- group: 2
- description: 'Container fields are used for meta information about the specific container that is the source of information. These fields help correlate data based containers from any runtime.'
- type: group
- fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container ID.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
 - name: host
 title: Host
 group: 2
 description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
 type: group
 fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'Name of the domain of which the host is a member. For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
- example: CONTOSO
- default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host. It normally contains what the `hostname` command returns on the host machine.'
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Unique host ID. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`.'
- - name: ip
- level: core
- type: ip
- description: Host IP addresses.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
 - name: containerized
 type: boolean
 description: >
diff --git a/packages/cloudflare_logpush/data_stream/workers_trace/fields/ecs.yml b/packages/cloudflare_logpush/data_stream/workers_trace/fields/ecs.yml
deleted file mode 100644
index 8993427eec6..00000000000
--- a/packages/cloudflare_logpush/data_stream/workers_trace/fields/ecs.yml
+++ /dev/null
@@ -1,48 +0,0 @@
-- external: ecs
- name: ecs.version
-- external: ecs
- name: event.action
-- external: ecs
- name: event.category
-- external: ecs
- name: event.id
-- external: ecs
- name: event.kind
-- external: ecs
- name: event.original
-- external: ecs
- name: event.type
-- external: ecs
- name: http.request.method
-- external: ecs
- name: http.response.status_code
-- external: ecs
- name: tags
-- external: ecs
- name: url.domain
-- external: ecs
- name: url.extension
-- external: ecs
- name: url.fragment
-- external: ecs
- name: url.full
-- external: ecs
- name: url.original
-- external: ecs
- name: url.password
-- external: ecs
- name: url.path
-- external: ecs
- name: url.port
-- external: ecs
- name: url.query
-- external: ecs
- name: url.registered_domain
-- external: ecs
- name: url.scheme
-- external: ecs
- name: url.subdomain
-- external: ecs
- name: url.top_level_domain
-- external: ecs
- name: url.username
diff --git a/packages/cloudflare_logpush/docs/README.md b/packages/cloudflare_logpush/docs/README.md
index eb7f4c7b41e..5acdba78f8b 100644
--- a/packages/cloudflare_logpush/docs/README.md
+++ b/packages/cloudflare_logpush/docs/README.md
@@ -297,30 +297,7 @@ An example event for `access_request` looks as following:
 | Field | Description | Type |
 |---|---|---|
 | @timestamp | Event timestamp. | date |
-| client.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| client.as.organization.name | Organization name. | keyword |
-| client.as.organization.name.text | Multi-field of `client.as.organization.name`. | match_only_text |
-| client.geo.city_name | City name. | keyword |
-| client.geo.continent_code | Two-letter code representing continent's name. | keyword |
-| client.geo.continent_name | Name of the continent. | keyword |
-| client.geo.country_iso_code | Country ISO code. | keyword |
-| client.geo.country_name | Country name. | keyword |
-| client.geo.location | Longitude and latitude. | geo_point |
-| client.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
-| client.geo.postal_code | Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. | keyword |
-| client.geo.region_iso_code | Region ISO code. | keyword |
-| client.geo.region_name | Region name. | keyword |
-| client.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword |
-| client.ip | IP address of the client (IPv4 or IPv6). | ip |
-| cloud.account.id | The cloud account or organization ID used to identify different entities in a multi-tenant environment. Examples: AWS account ID, Google Cloud ORG ID, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
 | cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
 | cloudflare_logpush.access_request.action | What type of record is this. login | logout. | keyword |
 | cloudflare_logpush.access_request.allowed | If request was allowed or denied. | boolean |
 | cloudflare_logpush.access_request.app.domain | The domain of the Application that Access is protecting. | keyword |
@@ -336,49 +313,17 @@ An example event for `access_request` looks as following:
 | cloudflare_logpush.access_request.timestamp | The date and time the corresponding access request was made. | date |
 | cloudflare_logpush.access_request.user.email | Email of the user who logged in. | keyword |
 | cloudflare_logpush.access_request.user.id | The uid of the user who logged in. | keyword |
-| container.id | Unique container ID. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
 | data_stream.dataset | Data stream dataset. | constant_keyword |
 | data_stream.namespace | Data stream namespace. | constant_keyword |
 | data_stream.type | Data stream type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date |
 | event.dataset | Event dataset. | constant_keyword |
-| event.id | Unique ID to describe the event. | keyword |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword |
 | event.module | Event module. | constant_keyword |
-| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| host.architecture | Operating system architecture. | keyword |
 | host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host ID. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host IP addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
 | host.os.build | OS build information. | keyword |
 | host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
 | input.type | Input type | keyword |
 | log.offset | Log offset | long |
 | log.source.address | Source address from which the log event was read / sent from. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| related.user | All the user names or other user identifiers seen on the event. | keyword |
-| tags | List of keywords used to tag each event. | keyword |
-| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword |
-| user.email | User email address. | keyword |
-| user.id | Unique identifier of the user. | keyword |
 ### audit
@@ -499,15 +444,7 @@ An example event for `audit` looks as following:
 | Field | Description | Type |
 |---|---|---|
 | @timestamp | Event timestamp. | date |
-| cloud.account.id | The cloud account or organization ID used to identify different entities in a multi-tenant environment. Examples: AWS account ID, Google Cloud ORG ID, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
 | cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
 | cloudflare_logpush.audit.action.result | Whether the action was successful. | keyword |
 | cloudflare_logpush.audit.action.type | Type of action taken. | keyword |
 | cloudflare_logpush.audit.actor.email | Email of the actor. | keyword |
@@ -523,51 +460,17 @@ An example event for `audit` looks as following:
 | cloudflare_logpush.audit.resource.id | Unique identifier of the resource within Cloudflare system. | keyword |
 | cloudflare_logpush.audit.resource.type | The type of resource that was changed. | keyword |
 | cloudflare_logpush.audit.timestamp | When the change happened. | date |
-| container.id | Unique container ID. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
 | data_stream.dataset | Data stream dataset. | constant_keyword |
 | data_stream.namespace | Data stream namespace. | constant_keyword |
 | data_stream.type | Data stream type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date |
 | event.dataset | Event dataset. | constant_keyword |
-| event.id | Unique ID to describe the event. | keyword |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword |
 | event.module | Event module. | constant_keyword |
-| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
-| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword |
-| event.provider | Source of the event. Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). | keyword |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| host.architecture | Operating system architecture. | keyword |
 | host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host ID. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host IP addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
 | host.os.build | OS build information. | keyword |
 | host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
 | input.type | Input type | keyword |
 | log.offset | Log offset | long |
 | log.source.address | Source address from which the log event was read / sent from. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| related.user | All the user names or other user identifiers seen on the event. | keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| tags | List of keywords used to tag each event. | keyword |
-| user.email | User email address. | keyword |
-| user.id | Unique identifier of the user. | keyword |
 ### casb
@@ -712,15 +615,7 @@ An example event for `casb` looks as following: | Field | Description | Type | |---|---|---| | @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization ID used to identify different entities in a multi-tenant environment. Examples: AWS account ID, Google Cloud ORG ID, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | | cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | | cloudflare_logpush.casb.asset.id | Unique identifier for an asset of this type. Format will vary by policy vendor. | keyword | | cloudflare_logpush.casb.asset.metadata | Metadata associated with the asset. Structure will vary by policy vendor. | flattened | | cloudflare_logpush.casb.asset.name | Asset display name. | keyword | 
@@ -733,58 +628,17 @@ An example event for `casb` looks as following: | cloudflare_logpush.casb.integration.name | Human-readable name of the integration. | keyword | | cloudflare_logpush.casb.integration.policy_vendor | Human-readable vendor name of the integration´s policy. | keyword | | cloudflare_logpush.casb.timestamp | Date and time the finding was first identified. | date | -| container.id | Unique container ID. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | | data_stream.dataset | Data stream dataset. | constant_keyword | | data_stream.namespace | Data stream namespace. | constant_keyword | | data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date | | event.dataset | Event dataset. | constant_keyword | -| event.id | Unique ID to describe the event. | keyword | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. 
`event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword | | event.module | Event module. | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.severity | The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. | long | -| host.architecture | Operating system architecture. | keyword | | host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. 
It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host ID. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host IP addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | host.os.build | OS build information. | keyword | | host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | input.type | Input type | keyword | | log.offset | Log offset | long | | log.source.address | Source address from which the log event was read / sent from. | keyword | -| tags | List of keywords used to tag each event. | keyword | -| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. 
| keyword | -| url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | -| url.fragment | Portion of the url after the `#`, such as "top". The `#` is not part of the fragment. | keyword | -| url.full | If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. | wildcard | -| url.full.text | Multi-field of `url.full`. | match_only_text | -| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | -| url.original.text | Multi-field of `url.original`. | match_only_text | -| url.password | Password of the request. | keyword | -| url.path | Path of the request, such as "/search". | wildcard | -| url.port | Port of the request, such as 443. | long | -| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword | -| url.registered_domain | The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). 
Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword | -| url.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | -| url.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| url.username | Username of the request. | keyword | ### device_posture 
@@ -921,15 +775,7 @@ An example event for `device_posture` looks as following: | Field | Description | Type | |---|---|---| | @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization ID used to identify different entities in a multi-tenant environment. Examples: AWS account ID, Google Cloud ORG ID, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | | cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | | cloudflare_logpush.device_posture.eval.expected | JSON object of what the posture check expects from the Zero Trust client. | flattened | | cloudflare_logpush.device_posture.eval.received | JSON object of what the Zero Trust client actually uploads. | flattened | | cloudflare_logpush.device_posture.eval.result | Whether this posture upload passes the associated posture check, given the requirements posture check at the time of the timestamp. | boolean | 
@@ -947,51 +793,17 @@ An example event for `device_posture` looks as following: | cloudflare_logpush.device_posture.user.email | The email used to register the device with the Zero Trust client. | keyword | | cloudflare_logpush.device_posture.user.id | The uid of the user who registered the device. | keyword | | cloudflare_logpush.device_posture.version | The Zero Trust client version at the time of upload. | keyword | -| container.id | Unique container ID. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | | data_stream.dataset | Data stream dataset. | constant_keyword | | data_stream.namespace | Data stream namespace. | constant_keyword | | data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. 
The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date | | event.dataset | Event dataset. | constant_keyword | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword | | event.module | Event module. | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. 
Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| host.architecture | Operating system architecture. | keyword | | host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host ID. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host IP addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | host.os.build | OS build information. | keyword | | host.os.codename | OS codename, if any. 
| keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | input.type | Input type | keyword | | log.offset | Log offset | long | | log.source.address | Source address from which the log event was read / sent from. | keyword | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| rule.category | A categorization value keyword used by the entity using the rule for detection of this event. | keyword | -| rule.id | A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. | keyword | -| rule.name | The name of the rule or signature generating the event. | keyword | -| tags | List of keywords used to tag each event. | keyword | -| user.email | User email address. | keyword | -| user.id | Unique identifier of the user. | keyword | -| user_agent.version | Version of the user agent. | keyword | ### dns 
@@ -1093,15 +905,7 @@ An example event for `dns` looks as following: | Field | Description | Type | |---|---|---| | @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization ID used to identify different entities in a multi-tenant environment. Examples: AWS account ID, Google Cloud ORG ID, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | | cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | | cloudflare_logpush.dns.colo.code | IATA airport code of data center that received the request. | keyword | | cloudflare_logpush.dns.edns.subnet | EDNS Client Subnet (IPv4 or IPv6). | ip | | cloudflare_logpush.dns.edns.subnet_length | EDNS Client Subnet length. | long | 
@@ -1111,46 +915,17 @@ An example event for `dns` looks as following: | cloudflare_logpush.dns.response.code | Integer value of response code. | long | | cloudflare_logpush.dns.source.ip | IP address of the client (IPv4 or IPv6). | ip | | cloudflare_logpush.dns.timestamp | Timestamp at which the query occurred. | date | -| container.id | Unique container ID. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | | data_stream.dataset | Data stream dataset. | constant_keyword | | data_stream.namespace | Data stream namespace. | constant_keyword | | data_stream.type | Data stream type. | constant_keyword | -| dns.question.name | The name being queried. If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. | keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. 
| keyword | -| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date | | event.dataset | Event dataset. | constant_keyword | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword | | event.module | Event module. | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. 
`event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| host.architecture | Operating system architecture. | keyword |
 | host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host ID. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host IP addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
 | host.os.build | OS build information. | keyword |
 | host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
 | input.type | Input type | keyword |
 | log.offset | Log offset | long |
 | log.source.address | Source address from which the log event was read / sent from. | keyword |
-| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| tags | List of keywords used to tag each event. | keyword |
 ### dns_firewall
@@ -1280,15 +1055,7 @@ An example event for `dns_firewall` looks as following:
 | Field | Description | Type |
 |---|---|---|
 | @timestamp | Event timestamp. | date |
-| cloud.account.id | The cloud account or organization ID used to identify different entities in a multi-tenant environment. Examples: AWS account ID, Google Cloud ORG ID, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
 | cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
 | cloudflare_logpush.dns_firewall.cluster_id | The ID of the cluster which handled this request. | keyword |
 | cloudflare_logpush.dns_firewall.colo.code | IATA airport code of data center that received the request. | keyword |
 | cloudflare_logpush.dns_firewall.edns.subnet | EDNS Client Subnet (IPv4 or IPv6). | ip |
@@ -1307,62 +1074,17 @@ An example event for `dns_firewall` looks as following:
 | cloudflare_logpush.dns_firewall.upstream.ip | IP of the upstream nameserver (IPv4 or IPv6). | ip |
 | cloudflare_logpush.dns_firewall.upstream.response_code | Response code from the upstream nameserver. | keyword |
 | cloudflare_logpush.dns_firewall.upstream.response_time_ms | Upstream response time in milliseconds. | long |
-| container.id | Unique container ID. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
 | data_stream.dataset | Data stream dataset. | constant_keyword |
 | data_stream.namespace | Data stream namespace. | constant_keyword |
 | data_stream.type | Data stream type. | constant_keyword |
-| dns.question.name | The name being queried. If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. | keyword |
-| dns.response_code | The DNS response code. | keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date |
 | event.dataset | Event dataset. | constant_keyword |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword |
 | event.module | Event module. | constant_keyword |
-| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
-| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| host.architecture | Operating system architecture. | keyword |
 | host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host ID. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host IP addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
 | host.os.build | OS build information. | keyword |
 | host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
 | input.type | Input type | keyword |
 | log.offset | Log offset | long |
 | log.source.address | Source address from which the log event was read / sent from. | keyword |
-| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| source.as.organization.name | Organization name. | keyword |
-| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text |
-| source.geo.city_name | City name. | keyword |
-| source.geo.continent_code | Two-letter code representing continent's name. | keyword |
-| source.geo.continent_name | Name of the continent. | keyword |
-| source.geo.country_iso_code | Country ISO code. | keyword |
-| source.geo.country_name | Country name. | keyword |
-| source.geo.location | Longitude and latitude. | geo_point |
-| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
-| source.geo.postal_code | Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. | keyword |
-| source.geo.region_iso_code | Region ISO code. | keyword |
-| source.geo.region_name | Region name. | keyword |
-| source.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| tags | List of keywords used to tag each event. | keyword |
 ### firewall_event
@@ -1541,15 +1263,7 @@ An example event for `firewall_event` looks as following:
 | Field | Description | Type |
 |---|---|---|
 | @timestamp | Event timestamp. | date |
-| cloud.account.id | The cloud account or organization ID used to identify different entities in a multi-tenant environment. Examples: AWS account ID, Google Cloud ORG ID, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
 | cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
 | cloudflare_logpush.firewall_event.action | The code of the first-class action the Cloudflare Firewall took on this request. | keyword |
 | cloudflare_logpush.firewall_event.client.asn.description | The ASN of the visitor as string. | keyword |
 | cloudflare_logpush.firewall_event.client.asn.value | The ASN number of the visitor. | long |
@@ -1578,67 +1292,17 @@ An example event for `firewall_event` looks as following:
 | cloudflare_logpush.firewall_event.rule.id | The Cloudflare security product-specific RuleID triggered by this request. | keyword |
 | cloudflare_logpush.firewall_event.source | The Cloudflare security product triggered by this request. | keyword |
 | cloudflare_logpush.firewall_event.timestamp | The date and time the event occurred at the edge. | date |
-| container.id | Unique container ID. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
 | data_stream.dataset | Data stream dataset. | constant_keyword |
 | data_stream.namespace | Data stream namespace. | constant_keyword |
 | data_stream.type | Data stream type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date |
 | event.dataset | Event dataset. | constant_keyword |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword |
 | event.module | Event module. | constant_keyword |
-| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| host.architecture | Operating system architecture. | keyword |
 | host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host ID. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host IP addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
 | host.os.build | OS build information. | keyword |
 | host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword |
-| http.response.status_code | HTTP response status code. | long |
-| http.version | HTTP version. | keyword |
 | input.type | Input type | keyword |
 | log.offset | Log offset | long |
 | log.source.address | Source address from which the log event was read / sent from. | keyword |
-| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword |
-| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| rule.id | A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. | keyword |
-| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| source.geo.country_iso_code | Country ISO code. | keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| tags | List of keywords used to tag each event. | keyword |
-| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword |
-| url.path | Path of the request, such as "/search". | wildcard |
-| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword |
-| url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword |
-| user_agent.device.name | Name of the device. | keyword |
-| user_agent.name | Name of the user agent. | keyword |
-| user_agent.original | Unparsed user_agent string. | keyword |
-| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text |
-| user_agent.os.full | Operating system name, including the version or code name. | keyword |
-| user_agent.os.full.text | Multi-field of `user_agent.os.full`. | match_only_text |
-| user_agent.os.name | Operating system name, without the version. | keyword |
-| user_agent.os.name.text | Multi-field of `user_agent.os.name`. | match_only_text |
-| user_agent.os.version | Operating system version as a raw string. | keyword |
-| user_agent.version | Version of the user agent. | keyword |
 ### gateway_dns
@@ -1881,15 +1545,7 @@ An example event for `gateway_dns` looks as following:
 | Field | Description | Type |
 |---|---|---|
 | @timestamp | Event timestamp. | date |
-| cloud.account.id | The cloud account or organization ID used to identify different entities in a multi-tenant environment. Examples: AWS account ID, Google Cloud ORG ID, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
 | cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
 | cloudflare_logpush.gateway_dns.answers | The response data objects. | flattened |
 | cloudflare_logpush.gateway_dns.application_id | ID of the application the domain belongs to. | long |
 | cloudflare_logpush.gateway_dns.colo.code | The name of the colo that received the DNS query . | keyword |
@@ -1922,92 +1578,17 @@ An example event for `gateway_dns` looks as following:
 | cloudflare_logpush.gateway_dns.timezone_inferred_method | Method used to pick the time zone for the schedule. | keyword |
 | cloudflare_logpush.gateway_dns.user.email | Email used to authenticate the client. | keyword |
 | cloudflare_logpush.gateway_dns.user.id | User identity where the HTTP request originated from. | keyword |
-| container.id | Unique container ID. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
 | data_stream.dataset | Data stream dataset. | constant_keyword |
 | data_stream.namespace | Data stream namespace. | constant_keyword |
 | data_stream.type | Data stream type. | constant_keyword |
-| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| destination.as.organization.name | Organization name. | keyword |
-| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text |
-| destination.geo.city_name | City name. | keyword |
-| destination.geo.continent_code | Two-letter code representing continent's name. | keyword |
-| destination.geo.continent_name | Name of the continent. | keyword |
-| destination.geo.country_iso_code | Country ISO code. | keyword |
-| destination.geo.country_name | Country name. | keyword |
-| destination.geo.location | Longitude and latitude. | geo_point |
-| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
-| destination.geo.postal_code | Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. | keyword |
-| destination.geo.region_iso_code | Region ISO code. | keyword |
-| destination.geo.region_name | Region name. | keyword |
-| destination.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword |
-| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
-| destination.port | Port of the destination. | long |
-| dns.answers | An array containing an object for each answer section returned by the server. The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines. Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields. | group |
-| dns.answers.class | The class of DNS data contained in this resource record. | keyword |
-| dns.answers.data | The data describing the resource. The meaning of this data depends on the type and class of the resource record. | keyword |
-| dns.answers.name | The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. | keyword |
-| dns.answers.ttl | The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. | long |
-| dns.answers.type | The type of data contained in this resource record. | keyword |
-| dns.question.name | The name being queried. If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. | keyword |
-| dns.question.type | The type of record being queried. | keyword |
-| dns.resolved_ip | Array containing all IPs seen in `answers.data`. The `answers` array can be difficult to use, because of the variety of data formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for. | ip |
-| dns.response_code | The DNS response code. | keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date |
 | event.dataset | Event dataset. | constant_keyword |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword |
 | event.module | Event module. | constant_keyword |
-| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
-| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword |
-| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| host.architecture | Operating system architecture. | keyword |
 | host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host ID. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host IP addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
 | host.os.build | OS build information. | keyword |
 | host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
 | input.type | Input type | keyword |
 | log.offset | Log offset | long |
 | log.source.address | Source address from which the log event was read / sent from. | keyword |
-| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword |
-| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| related.user | All the user names or other user identifiers seen on the event. | keyword |
-| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| source.as.organization.name | Organization name. | keyword |
-| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text |
-| source.geo.city_name | City name. | keyword |
-| source.geo.continent_code | Two-letter code representing continent's name. | keyword |
-| source.geo.continent_name | Name of the continent. | keyword |
-| source.geo.country_iso_code | Country ISO code. | keyword |
-| source.geo.country_name | Country name. | keyword |
-| source.geo.location | Longitude and latitude. | geo_point |
-| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
-| source.geo.postal_code | Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. | keyword |
-| source.geo.region_iso_code | Region ISO code. | keyword |
-| source.geo.region_name | Region name. | keyword |
-| source.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.port | Port of the source. | long |
-| tags | List of keywords used to tag each event. | keyword |
-| user.email | User email address. | keyword |
-| user.id | Unique identifier of the user. | keyword |
 ### gateway_http
@@ -2221,15 +1802,7 @@ An example event for `gateway_http` looks as following:
 | Field | Description | Type |
 |---|---|---|
 | @timestamp | Event timestamp. | date |
-| cloud.account.id | The cloud account or organization ID used to identify different entities in a multi-tenant environment. Examples: AWS account ID, Google Cloud ORG ID, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
 | cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
 | cloudflare_logpush.gateway_http.account_id | Cloudflare account tag. | keyword |
 | cloudflare_logpush.gateway_http.action | Action performed by gateway on the HTTP request. | keyword |
 | cloudflare_logpush.gateway_http.blocked_file.hash | Hash of the file blocked in the response, if any. | keyword |
@@ -2262,102 +1835,17 @@ An example event for `gateway_http` looks as following:
 | cloudflare_logpush.gateway_http.user.email | Email used to authenticate the client. | keyword |
 | cloudflare_logpush.gateway_http.user.id | User identity where the HTTP request originated from. | keyword |
 | cloudflare_logpush.gateway_http.user_agent | Contents of the user agent header in the HTTP request. | keyword |
-| container.id | Unique container ID. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
 | data_stream.dataset | Data stream dataset. | constant_keyword |
 | data_stream.namespace | Data stream namespace. | constant_keyword |
 | data_stream.type | Data stream type. | constant_keyword |
-| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| destination.as.organization.name | Organization name. | keyword |
-| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text |
-| destination.geo.city_name | City name. | keyword |
-| destination.geo.continent_code | Two-letter code representing continent's name. | keyword |
-| destination.geo.continent_name | Name of the continent. | keyword |
-| destination.geo.country_iso_code | Country ISO code. | keyword |
-| destination.geo.country_name | Country name. | keyword |
-| destination.geo.location | Longitude and latitude. | geo_point |
-| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
-| destination.geo.postal_code | Postal code associated with the location. 
Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. | keyword | -| destination.geo.region_iso_code | Region ISO code. | keyword | -| destination.geo.region_name | Region name. | keyword | -| destination.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. 
The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date | | event.dataset | Event dataset. | constant_keyword | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword | | event.module | Event module. | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| host.architecture | Operating system architecture. 
| keyword | | host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host ID. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host IP addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | host.os.build | OS build information. | keyword | | host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword | -| http.request.referrer | Referrer for this HTTP request. 
| keyword | -| http.response.status_code | HTTP response status code. | long | -| http.version | HTTP version. | keyword | | input.type | Input type | keyword | | log.offset | Log offset | long | | log.source.address | Source address from which the log event was read / sent from. | keyword | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_code | Two-letter code representing continent's name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| source.geo.postal_code | Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. | keyword | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. 
| keyword | -| source.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| tags | List of keywords used to tag each event. | keyword | -| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | -| url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | -| url.fragment | Portion of the url after the `#`, such as "top". The `#` is not part of the fragment. | keyword | -| url.full | If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. | wildcard | -| url.full.text | Multi-field of `url.full`. | match_only_text | -| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | -| url.original.text | Multi-field of `url.original`. | match_only_text | -| url.password | Password of the request. | keyword | -| url.path | Path of the request, such as "/search". | wildcard | -| url.port | Port of the request, such as 443. 
| long | -| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword | -| url.registered_domain | The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword | -| url.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | -| url.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| url.username | Username of the request. | keyword | -| user.email | User email address. | keyword | -| user.id | Unique identifier of the user. 
| keyword | -| user_agent.original | Unparsed user_agent string. | keyword | -| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text | ### gateway_network @@ -2530,15 +2018,7 @@ An example event for `gateway_network` looks as following: | Field | Description | Type | |---|---|---| | @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization ID used to identify different entities in a multi-tenant environment. Examples: AWS account ID, Google Cloud ORG ID, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | | cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | | cloudflare_logpush.gateway_network.account_id | Cloudflare account tag. | keyword | | cloudflare_logpush.gateway_network.action | Action performed by gateway on the session. | keyword | | cloudflare_logpush.gateway_network.destination.ip | Destination IP of the network session. | ip | 
@@ -2558,84 +2038,17 @@ An example event for `gateway_network` looks as following: | cloudflare_logpush.gateway_network.transport | Transport protocol used for this session. | keyword | | cloudflare_logpush.gateway_network.user.email | Email associated with the user identity where the network sesion originated from. | keyword | | cloudflare_logpush.gateway_network.user.id | User identity where the network session originated from. | keyword | -| container.id | Unique container ID. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | | data_stream.dataset | Data stream dataset. | constant_keyword | | data_stream.namespace | Data stream namespace. | constant_keyword | | data_stream.type | Data stream type. | constant_keyword | -| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| destination.as.organization.name | Organization name. | keyword | -| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | -| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| destination.geo.city_name | City name. | keyword | -| destination.geo.continent_code | Two-letter code representing continent's name. | keyword | -| destination.geo.continent_name | Name of the continent. | keyword | -| destination.geo.country_iso_code | Country ISO code. | keyword | -| destination.geo.country_name | Country name. | keyword | -| destination.geo.location | Longitude and latitude. | geo_point | -| destination.geo.name | User-defined description of a location, at the level of granularity they care about. 
Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| destination.geo.postal_code | Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. | keyword | -| destination.geo.region_iso_code | Region ISO code. | keyword | -| destination.geo.region_name | Region name. | keyword | -| destination.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. 
This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date | | event.dataset | Event dataset. | constant_keyword | -| event.id | Unique ID to describe the event. | keyword | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword | | event.module | Event module. | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. 
`event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| host.architecture | Operating system architecture. | keyword | | host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host ID. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host IP addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | host.os.build | OS build information. | keyword | | host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. 
If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | input.type | Input type | keyword | | log.offset | Log offset | long | | log.source.address | Source address from which the log event was read / sent from. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_code | Two-letter code representing continent's name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| source.geo.postal_code | Postal code associated with the location. 
Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. | keyword | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| tags | List of keywords used to tag each event. | keyword | -| tls.client.server_name | Also called an SNI, this tells the server which hostname to which the client is attempting to connect to. When this value is available, it should get copied to `destination.domain`. | keyword | -| user.email | User email address. | keyword | -| user.id | Unique identifier of the user. | keyword | ### http_request 
@@ -2935,15 +2348,7 @@ An example event for `http_request` looks as following: | Field | Description | Type | |---|---|---| | @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization ID used to identify different entities in a multi-tenant environment. Examples: AWS account ID, Google Cloud ORG ID, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | | cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | | cloudflare_logpush.http_request.bot.detection_ids | List of IDs that correlate to the Bot Management Heuristic detections made on a request. Available in Logpush v2 only. | long | | cloudflare_logpush.http_request.bot.score.src | Detection engine responsible for generating the Bot Score. Possible values are Not Computed, Heuristics, Machine Learning, Behavioral Analysis, Verified Bot, JS Fingerprinting, Cloudflare Service. | text | | cloudflare_logpush.http_request.bot.score.value | Cloudflare Bot Score. Scores below 30 are commonly associated with automated traffic. | long | 
@@ -3034,71 +2439,17 @@ An example event for `http_request` looks as following:
 | cloudflare_logpush.http_request.worker.wall_time_us | Real-time in microseconds elapsed between start and end of worker invocation. | long |
 | cloudflare_logpush.http_request.zone.id | Internal zone ID. | long |
 | cloudflare_logpush.http_request.zone.name | The human-readable name of the zone. | keyword |
-| container.id | Unique container ID. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
 | data_stream.dataset | Data stream dataset. | constant_keyword |
 | data_stream.namespace | Data stream namespace. | constant_keyword |
 | data_stream.type | Data stream type. | constant_keyword |
-| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different.
The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date |
 | event.dataset | Event dataset. | constant_keyword |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword |
 | event.module | Event module. | constant_keyword |
-| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| host.architecture | Operating system architecture.
| keyword |
 | host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host ID. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host IP addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
 | host.os.build | OS build information. | keyword |
 | host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword |
-| http.response.mime_type | Mime type of the body of the response.
This value must only be populated based on the content of the response body, not on the `Content-Type` header. Comparing the mime type of a response with the response's Content-Type header can be helpful in detecting misconfigured servers. | keyword |
-| http.response.status_code | HTTP response status code. | long |
-| http.version | HTTP version. | keyword |
 | input.type | Input type | keyword |
 | log.offset | Log offset | long |
 | log.source.address | Source address from which the log event was read / sent from. | keyword |
-| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword |
-| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| source.geo.country_iso_code | Country ISO code. | keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| tags | List of keywords used to tag each event. | keyword |
-| tls.version | Numeric part of the version parsed from the original string. | keyword |
-| tls.version_protocol | Normalized lowercase protocol name parsed from original string. | keyword |
-| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field.
| keyword |
-| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard |
-| url.original.text | Multi-field of `url.original`. | match_only_text |
-| url.path | Path of the request, such as "/search". | wildcard |
-| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword |
-| url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword |
-| user_agent.device.name | Name of the device. | keyword |
-| user_agent.name | Name of the user agent. | keyword |
-| user_agent.original | Unparsed user_agent string. | keyword |
-| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text |
-| user_agent.os.full | Operating system name, including the version or code name. | keyword |
-| user_agent.os.full.text | Multi-field of `user_agent.os.full`. | match_only_text |
-| user_agent.os.name | Operating system name, without the version. | keyword |
-| user_agent.os.name.text | Multi-field of `user_agent.os.name`. | match_only_text |
-| user_agent.os.version | Operating system version as a raw string. | keyword |
-| user_agent.version | Version of the user agent. | keyword |
 ### magic_ids
@@ -3237,15 +2588,7 @@ An example event for `magic_ids` looks as following:
 | Field | Description | Type |
 |---|---|---|
 | @timestamp | Event timestamp. | date |
-| cloud.account.id | The cloud account or organization ID used to identify different entities in a multi-tenant environment. Examples: AWS account ID, Google Cloud ORG ID, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
 | cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
 | cloudflare_logpush.magic_ids.action | What action was taken on the packet. Possible values are pass | block. | keyword |
 | cloudflare_logpush.magic_ids.colo.city | The city where the detection occurred. | keyword |
 | cloudflare_logpush.magic_ids.colo.code | The IATA airport code corresponding to where the detection occurred. | keyword |
@@ -3258,78 +2601,17 @@ An example event for `magic_ids` looks as following:
 | cloudflare_logpush.magic_ids.source.port | The source port of the packet which triggered the detection. It is set to 0 if the protocol field is set to any. | long |
 | cloudflare_logpush.magic_ids.timestamp | A timestamp of when the detection occurred. | date |
 | cloudflare_logpush.magic_ids.transport | The layer 4 protocol of the packet which triggered the detection. Possible values are tcp | udp | any. Variant any means a detection occurred at a lower layer (such as IP). | keyword |
-| container.id | Unique container ID. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
 | data_stream.dataset | Data stream dataset. | constant_keyword |
 | data_stream.namespace | Data stream namespace. | constant_keyword |
 | data_stream.type | Data stream type. | constant_keyword |
-| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| destination.as.organization.name | Organization name. | keyword |
-| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text |
-| destination.geo.city_name | City name. | keyword |
-| destination.geo.continent_code | Two-letter code representing continent's name. | keyword |
-| destination.geo.continent_name | Name of the continent. | keyword |
-| destination.geo.country_iso_code | Country ISO code. | keyword |
-| destination.geo.country_name | Country name. | keyword |
-| destination.geo.location | Longitude and latitude. | geo_point |
-| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names.
Not typically used in automated geolocation. | keyword |
-| destination.geo.postal_code | Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. | keyword |
-| destination.geo.region_iso_code | Region ISO code. | keyword |
-| destination.geo.region_name | Region name. | keyword |
-| destination.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword |
-| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
-| destination.port | Port of the destination. | long |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different.
The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date |
 | event.dataset | Event dataset. | constant_keyword |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword |
 | event.module | Event module. | constant_keyword |
-| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
-| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy.
`event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| host.architecture | Operating system architecture. | keyword |
 | host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host ID. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host IP addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
 | host.os.build | OS build information. | keyword |
 | host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`.
If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
 | input.type | Input type | keyword |
 | log.offset | Log offset | long |
 | log.source.address | Source address from which the log event was read / sent from. | keyword |
-| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| source.as.organization.name | Organization name. | keyword |
-| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text |
-| source.geo.city_name | City name. | keyword |
-| source.geo.continent_code | Two-letter code representing continent's name. | keyword |
-| source.geo.continent_name | Name of the continent. | keyword |
-| source.geo.country_iso_code | Country ISO code. | keyword |
-| source.geo.country_name | Country name. | keyword |
-| source.geo.location | Longitude and latitude. | geo_point |
-| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
-| source.geo.postal_code | Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. | keyword |
-| source.geo.region_iso_code | Region ISO code. | keyword |
-| source.geo.region_name | Region name. | keyword |
-| source.geo.timezone | The time zone of the location, such as IANA time zone name.
| keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.port | Port of the source. | long |
-| tags | List of keywords used to tag each event. | keyword |
 ### nel_report
@@ -3420,15 +2702,7 @@ An example event for `nel_report` looks as following:
 | Field | Description | Type |
 |---|---|---|
 | @timestamp | Event timestamp. | date |
-| cloud.account.id | The cloud account or organization ID used to identify different entities in a multi-tenant environment. Examples: AWS account ID, Google Cloud ORG ID, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
 | cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
 | cloudflare_logpush.nel_report.client.ip.asn.description | Client ASN description. | keyword |
 | cloudflare_logpush.nel_report.client.ip.asn.value | Client ASN. | long |
 | cloudflare_logpush.nel_report.client.ip.country | Client country. | keyword |
@@ -3436,43 +2710,17 @@ An example event for `nel_report` looks as following:
 | cloudflare_logpush.nel_report.last_known_good.colo.code | IATA airport code of colo client connected to. | keyword |
 | cloudflare_logpush.nel_report.phase | The phase of connection the error occurred in. | keyword |
 | cloudflare_logpush.nel_report.timestamp | Timestamp for error report. | date |
-| container.id | Unique container ID. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
 | data_stream.dataset | Data stream dataset. | constant_keyword |
 | data_stream.namespace | Data stream namespace. | constant_keyword |
 | data_stream.type | Data stream type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| error.type | The type of the error, for example the class name of the exception. | keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event.
In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date |
 | event.dataset | Event dataset. | constant_keyword |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword |
 | event.module | Event module. | constant_keyword |
-| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types.
| keyword |
-| host.architecture | Operating system architecture. | keyword |
 | host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host ID. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host IP addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
 | host.os.build | OS build information. | keyword |
 | host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
 | input.type | Input type | keyword |
 | log.offset | Log offset | long |
 | log.source.address | Source address from which the log event was read / sent from. | keyword |
-| tags | List of keywords used to tag each event.
| keyword |
 ### network_analytics
@@ -3725,15 +2973,7 @@ An example event for `network_analytics` looks as following:
 | Field | Description | Type |
 |---|---|---|
 | @timestamp | Event timestamp. | date |
-| cloud.account.id | The cloud account or organization ID used to identify different entities in a multi-tenant environment. Examples: AWS account ID, Google Cloud ORG ID, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
 | cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
 | cloudflare_logpush.network_analytics.attack.campaign.id | Unique identifier of the attack campaign that this packet was a part of, if any. | keyword |
 | cloudflare_logpush.network_analytics.attack.id | Unique identifier of the mitigation that matched the packet, if any. | keyword |
 | cloudflare_logpush.network_analytics.colo.country | The country of colo that received the packet (ISO 3166-1 alpha-2). | keyword |
@@ -3815,55 +3055,17 @@ An example event for `network_analytics` looks as following: | cloudflare_logpush.network_analytics.udp.checksum | Value of the Checksum header field in the UDP packet. | long | | cloudflare_logpush.network_analytics.udp.payload_length | Value of the Payload Length header field in the UDP packet. | long | | cloudflare_logpush.network_analytics.verdict | The action that Cloudflare systems think should be taken on the packet (pass | drop). | keyword | -| container.id | Unique container ID. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | | data_stream.dataset | Data stream dataset. | constant_keyword | | data_stream.namespace | Data stream namespace. | constant_keyword | | data_stream.type | Data stream type. | constant_keyword | -| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. 
| keyword | -| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date | | event.dataset | Event dataset. | constant_keyword | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword | | event.module | Event module. | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. 
`event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| host.architecture | Operating system architecture. | keyword | | host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host ID. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host IP addresses. | ip | -| host.mac | Host mac addresses. 
| keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | host.os.build | OS build information. | keyword | | host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | input.type | Input type | keyword | | log.offset | Log offset | long | | log.source.address | Source address from which the log event was read / sent from. | keyword | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.direction | Direction of the network traffic. When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. 
Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| rule.id | A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| tags | List of keywords used to tag each event. | keyword | ### network_session 
@@ -4082,15 +3284,7 @@ An example event for `network_session` looks as following: | Field | Description | Type | |---|---|---| | @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization ID used to identify different entities in a multi-tenant environment. Examples: AWS account ID, Google Cloud ORG ID, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | | cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | | cloudflare_logpush.network_session.account_id | Cloudflare account ID. | keyword | | cloudflare_logpush.network_session.destination.bytes | The number of bytes sent from the origin to the client during the network session. | long | | cloudflare_logpush.network_session.destination.ip | The IP of the destination (origin) for the network session. | ip | 
@@ -4129,90 +3323,17 @@ An example event for `network_session` looks as following: | cloudflare_logpush.network_session.user.email | Email address associated with the user identity which initiated the network session. | keyword | | cloudflare_logpush.network_session.user.id | User identity where the network session originated from. | keyword | | cloudflare_logpush.network_session.vlan.id | Identifier of the virtual network configured for the client. | keyword | -| container.id | Unique container ID. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | | data_stream.dataset | Data stream dataset. | constant_keyword | | data_stream.namespace | Data stream namespace. | constant_keyword | | data_stream.type | Data stream type. | constant_keyword | -| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| destination.as.organization.name | Organization name. | keyword | -| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | -| destination.bytes | Bytes sent from the destination to the source. | long | -| destination.geo.city_name | City name. | keyword | -| destination.geo.continent_code | Two-letter code representing continent's name. | keyword | -| destination.geo.continent_name | Name of the continent. | keyword | -| destination.geo.country_iso_code | Country ISO code. | keyword | -| destination.geo.country_name | Country name. | keyword | -| destination.geo.location | Longitude and latitude. | geo_point | -| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. 
Not typically used in automated geolocation. | keyword | -| destination.geo.postal_code | Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. | keyword | -| destination.geo.region_iso_code | Region ISO code. | keyword | -| destination.geo.region_name | Region name. | keyword | -| destination.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| device.id | The unique identifier of a device. The identifier must not change across application sessions but stay fixed for an instance of a (mobile) device. On iOS, this value must be equal to the vendor identifier (https://developer.apple.com/documentation/uikit/uidevice/1620059-identifierforvendor). On Android, this value must be equal to the Firebase Installation ID or a globally unique UUID which is persisted across sessions in your application. For GDPR and data protection law reasons this identifier should not carry information that would allow to identify a user. | keyword | -| device.model.identifier | The machine readable identifier of the device model. | keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. 
| keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date | | event.dataset | Event dataset. | constant_keyword | -| event.end | `event.end` contains the date when the event ended or when the activity was last observed. | date | -| event.id | Unique ID to describe the event. | keyword | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. 
| keyword | | event.module | Event module. | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.start | `event.start` contains the date when the event started or when the activity was first observed. | date | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| host.architecture | Operating system architecture. | keyword | | host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host ID. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host IP addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. 
The sender decides which value to use. | keyword | | host.os.build | OS build information. | keyword | | host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | input.type | Input type | keyword | | log.offset | Log offset | long | | log.source.address | Source address from which the log event was read / sent from. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| network.vlan.id | VLAN ID as reported by the observer. | keyword | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. 
| match_only_text | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_code | Two-letter code representing continent's name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| source.geo.postal_code | Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. | keyword | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| tags | List of keywords used to tag each event. | keyword | -| tls.server.issuer | Subject of the issuer of the x.509 certificate presented by the server. | keyword | -| user.email | User email address. | keyword | -| user.id | Unique identifier of the user. | keyword | ### sinkhole_http 
@@ -4391,15 +3512,7 @@ An example event for `sinkhole_http` looks as following: | Field | Description | Type | |---|---|---| | @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization ID used to identify different entities in a multi-tenant environment. Examples: AWS account ID, Google Cloud ORG ID, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | | cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | | cloudflare_logpush.sinkhole_http.account_id | The Account ID. | keyword | | cloudflare_logpush.sinkhole_http.destination.ip | The destination IP address of the request. | ip | | cloudflare_logpush.sinkhole_http.host.name | The host the request was sent to. | keyword | 
@@ -4417,109 +3530,17 @@ An example event for `sinkhole_http` looks as following: | cloudflare_logpush.sinkhole_http.timestamp | The date and time the sinkhole HTTP request was logged. | date | | cloudflare_logpush.sinkhole_http.user.name | The request username. | keyword | | cloudflare_logpush.sinkhole_http.user_agent | The request user agent. | keyword | -| container.id | Unique container ID. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | | data_stream.dataset | Data stream dataset. | constant_keyword | | data_stream.namespace | Data stream namespace. | constant_keyword | | data_stream.type | Data stream type. | constant_keyword | -| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| destination.as.organization.name | Organization name. | keyword | -| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | -| destination.geo.city_name | City name. | keyword | -| destination.geo.continent_code | Two-letter code representing continent's name. | keyword | -| destination.geo.continent_name | Name of the continent. | keyword | -| destination.geo.country_iso_code | Country ISO code. | keyword | -| destination.geo.country_name | Country name. | keyword | -| destination.geo.location | Longitude and latitude. | geo_point | -| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| destination.geo.postal_code | Postal code associated with the location. 
Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. | keyword | -| destination.geo.region_iso_code | Region ISO code. | keyword | -| destination.geo.region_name | Region name. | keyword | -| destination.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date | | event.dataset | Event dataset. 
| constant_keyword | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword | | event.module | Event module. | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| host.architecture | Operating system architecture. 
| keyword | | host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host ID. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host IP addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | host.os.build | OS build information. | keyword | | host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| http.request.body.bytes | Size in bytes of the request body. | long | -| http.request.body.content | The full HTTP request body. | wildcard | -| http.request.body.content.text | Multi-field of `http.request.body.content`. | match_only_text | -| http.request.method | HTTP request method. 
The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword | -| http.request.referrer | Referrer for this HTTP request. | keyword | | input.type | Input type | keyword | | log.offset | Log offset | long | | log.source.address | Source address from which the log event was read / sent from. | keyword | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_code | Two-letter code representing continent's name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| source.geo.postal_code | Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. | keyword | -| source.geo.region_iso_code | Region ISO code. 
| keyword | -| source.geo.region_name | Region name. | keyword | -| source.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| tags | List of keywords used to tag each event. | keyword | -| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | -| url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | -| url.fragment | Portion of the url after the `#`, such as "top". The `#` is not part of the fragment. | keyword | -| url.full | If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. | wildcard | -| url.full.text | Multi-field of `url.full`. | match_only_text | -| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | -| url.original.text | Multi-field of `url.original`. | match_only_text | -| url.password | Password of the request. | keyword | -| url.path | Path of the request, such as "/search". | wildcard | -| url.port | Port of the request, such as 443. 
| long | -| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword | -| url.registered_domain | The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword | -| url.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | -| url.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| url.username | Username of the request. | keyword | -| user.name | Short name or login of the user. 
| keyword | -| user.name.text | Multi-field of `user.name`. | match_only_text | -| user_agent.device.name | Name of the device. | keyword | -| user_agent.name | Name of the user agent. | keyword | -| user_agent.original | Unparsed user_agent string. | keyword | -| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text | -| user_agent.os.full | Operating system name, including the version or code name. | keyword | -| user_agent.os.full.text | Multi-field of `user_agent.os.full`. | match_only_text | -| user_agent.os.name | Operating system name, without the version. | keyword | -| user_agent.os.name.text | Multi-field of `user_agent.os.name`. | match_only_text | -| user_agent.os.version | Operating system version as a raw string. | keyword | -| user_agent.version | Version of the user agent. | keyword | ### spectrum_event 
@@ -4670,15 +3691,7 @@ An example event for `spectrum_event` looks as following: | Field | Description | Type | |---|---|---| | @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization ID used to identify different entities in a multi-tenant environment. Examples: AWS account ID, Google Cloud ORG ID, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | | cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | | cloudflare_logpush.spectrum_event.action | Event Action. | keyword | | cloudflare_logpush.spectrum_event.application | The unique public ID of the application on which the event occurred. | keyword | | cloudflare_logpush.spectrum_event.client.asn | Client AS number. | long | 
@@ -4710,60 +3723,17 @@ An example event for `spectrum_event` looks as following: | cloudflare_logpush.spectrum_event.proxy.protocol | Which form of proxy protocol is applied to the given connection. | keyword | | cloudflare_logpush.spectrum_event.status | A code indicating reason for connection closure. | long | | cloudflare_logpush.spectrum_event.timestamp | Timestamp at which the event took place. | date | -| container.id | Unique container ID. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | | data_stream.dataset | Data stream dataset. | constant_keyword | | data_stream.namespace | Data stream namespace. | constant_keyword | | data_stream.type | Data stream type. | constant_keyword | -| destination.bytes | Bytes sent from the destination to the source. | long | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. 
This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date | | event.dataset | Event dataset. | constant_keyword | -| event.end | `event.end` contains the date when the event ended or when the activity was last observed. | date | -| event.id | Unique ID to describe the event. | keyword | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword | | event.module | Event module. | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. 
If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.start | `event.start` contains the date when the event started or when the activity was first observed. | date | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| host.architecture | Operating system architecture. | keyword | | host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host ID. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host IP addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | host.os.build | OS build information. | keyword | | host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. 
| keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| http.response.status_code | HTTP response status code. | long | | input.type | Input type | keyword | | log.offset | Log offset | long | | log.source.address | Source address from which the log event was read / sent from. | keyword | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| tags | List of keywords used to tag each event. | keyword | -| tls.version | Numeric part of the version parsed from the original string. | keyword | -| tls.version_protocol | Normalized lowercase protocol name parsed from original string. | keyword | ### workers_trace 
@@ -4887,15 +3857,7 @@ An example event for `workers_trace` looks as following: | Field | Description | Type | |---|---|---| | @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization ID used to identify different entities in a multi-tenant environment. Examples: AWS account ID, Google Cloud ORG ID, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | | cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | | cloudflare_logpush.workers_trace.dispatch_namespace | The Cloudflare Worker dispatch namespace. | keyword | | cloudflare_logpush.workers_trace.event | Details about the source event. | flattened | | cloudflare_logpush.workers_trace.exceptions | List of uncaught exceptions during the invocation. | flattened | 
@@ -4905,59 +3867,15 @@ An example event for `workers_trace` looks as following: | cloudflare_logpush.workers_trace.script.tags | A list of user-defined tags used to categorize the Worker. | keyword | | cloudflare_logpush.workers_trace.timestamp | The timestamp of when the event was received. | date | | cloudflare_logpush.workers_trace.type | The event type that triggered the invocation. | keyword | -| container.id | Unique container ID. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | | data_stream.dataset | Data stream dataset. | constant_keyword | | data_stream.namespace | Data stream namespace. | constant_keyword | | data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | | event.dataset | Event dataset. | constant_keyword | -| event.id | Unique ID to describe the event. 
| keyword | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword | | event.module | Event module. | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| host.architecture | Operating system architecture. | keyword | | host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. 
It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host ID. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host IP addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | host.os.build | OS build information. | keyword | | host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword | -| http.response.status_code | HTTP response status code. | long | | input.type | Input type | keyword | | log.offset | Log offset | long | | log.source.address | Source address from which the log event was read / sent from. | keyword | -| tags | List of keywords used to tag each event. | keyword | -| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. 
In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | -| url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | -| url.fragment | Portion of the url after the `#`, such as "top". The `#` is not part of the fragment. | keyword | -| url.full | If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. | wildcard | -| url.full.text | Multi-field of `url.full`. | match_only_text | -| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | -| url.original.text | Multi-field of `url.original`. | match_only_text | -| url.password | Password of the request. | keyword | -| url.path | Path of the request, such as "/search". | wildcard | -| url.port | Port of the request, such as 443. | long | -| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. 
| keyword | -| url.registered_domain | The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword | -| url.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | -| url.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| url.username | Username of the request. | keyword | diff --git a/packages/cloudflare_logpush/manifest.yml b/packages/cloudflare_logpush/manifest.yml index 23767102f73..5297d180aeb 100644 --- a/packages/cloudflare_logpush/manifest.yml +++ b/packages/cloudflare_logpush/manifest.yml 
@@ -1,7 +1,7 @@
format_version: "3.0.2"
name: cloudflare_logpush
title: Cloudflare Logpush
-version: "1.20.0"
+version: "1.21.0"
description: Collect and parse logs from Cloudflare API with Elastic Agent.
type: integration
categories:
@@ -10,7 +10,7 @@ categories:
- cdn_security
conditions:
kibana:
- version: ^8.12.0
+ version: "^8.13.0"
screenshots:
- src: /img/cloudflare_logpush-overview1.png
title: Cloudflare Logpush - Zero Trust Overview
diff --git a/packages/cribl/_dev/build/build.yml b/packages/cribl/_dev/build/build.yml
index bc1ffa5e1eb..2bfcfc223b0 100644
--- a/packages/cribl/_dev/build/build.yml
+++ b/packages/cribl/_dev/build/build.yml
@@ -1,4 +1,3 @@
dependencies:
ecs:
- reference: git@8.11
- import_mappings: true
+ reference: "git@v8.11.0"
diff --git a/packages/cribl/changelog.yml b/packages/cribl/changelog.yml
index cb5384708cb..1881e0e85d7 100644
--- a/packages/cribl/changelog.yml
+++ b/packages/cribl/changelog.yml
@@ -1,4 +1,9 @@
# newer versions go on top
+- version: "0.4.0"
+ changes:
+ - description: ECS version updated to 8.11.0. Removed import_mappings. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/10135
- version: "0.3.0"
changes:
- description: Update manifest format version to v3.0.3.
diff --git a/packages/cribl/data_stream/logs/elasticsearch/ingest_pipeline/default.yml b/packages/cribl/data_stream/logs/elasticsearch/ingest_pipeline/default.yml
index c1b465abebf..e1378d7d99f 100644
--- a/packages/cribl/data_stream/logs/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/cribl/data_stream/logs/elasticsearch/ingest_pipeline/default.yml
@@ -3,7 +3,7 @@ description: Pipeline for rerouting log streams from Cribl.
processors:
- set:
field: ecs.version
- value: 8.13.0
+ value: 8.11.0
- append:
field: tags
value:
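Review bot: Dropping `import_mappings: true` from packages/cribl/_dev/build/build.yml (together with the deleted fields/ecs.yml) leaves the `ecs.version` and `tags` mappings to the stack's ecs@mappings component template, but no visible cribl hunk raises the package's Kibana constraint to match. The same commit records that dependency for crowdstrike (`Update the kibana constraint to ^8.13.0`) and applies it to cloudflare_logpush (`version: "^8.13.0"`), while the cribl 0.4.0 changelog entry and the visible cribl manifest hunk (lines 1–7) mention only the version and ECS reference; `conditions.kibana.version` lies outside this view, so this may already be handled. If it is not, `tags` and `ecs.version` would be mapped dynamically on older stacks, which silently changes field types that detections and dashboards rely on; add `version: "^8.13.0"` under `conditions.kibana` in packages/cribl/manifest.yml and note it in the changelog entry.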
diff --git a/packages/cribl/data_stream/logs/fields/ecs.yml b/packages/cribl/data_stream/logs/fields/ecs.yml
deleted file mode 100644
index 74989720ba2..00000000000
--- a/packages/cribl/data_stream/logs/fields/ecs.yml
+++ /dev/null
@@ -1,4 +0,0 @@
-- external: ecs
- name: ecs.version
-- external: ecs
- name: tags
diff --git a/packages/cribl/manifest.yml b/packages/cribl/manifest.yml
index 66cb85b6031..b2b280b1242 100644
--- a/packages/cribl/manifest.yml
+++ b/packages/cribl/manifest.yml
@@ -1,7 +1,7 @@
format_version: 3.0.3
name: cribl
title: "Cribl"
-version: 0.3.0
+version: "0.4.0"
description: Stream logs from Cribl into Elastic.
type: integration
categories:
diff --git a/packages/crowdstrike/_dev/build/build.yml b/packages/crowdstrike/_dev/build/build.yml
index 71f48ba2a9c..2bfcfc223b0 100644
--- a/packages/crowdstrike/_dev/build/build.yml
+++ b/packages/crowdstrike/_dev/build/build.yml
@@ -1,4 +1,3 @@
dependencies:
ecs:
reference: "git@v8.11.0"
- import_mappings: true
diff --git a/packages/crowdstrike/changelog.yml b/packages/crowdstrike/changelog.yml
index 496c6041ef3..1332187ceda 100644
--- a/packages/crowdstrike/changelog.yml
+++ b/packages/crowdstrike/changelog.yml
@@ -1,4 +1,9 @@
# newer versions go on top
+- version: "1.37.0"
+ changes:
+ - description: Removed import_mappings. Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/10135
- version: "1.36.0"
changes:
- description: Add `device.id` field.
diff --git a/packages/crowdstrike/data_stream/alert/fields/beats.yml b/packages/crowdstrike/data_stream/alert/fields/beats.yml
index b3701b581cf..4084f1dc7f5 100644
--- a/packages/crowdstrike/data_stream/alert/fields/beats.yml
+++ b/packages/crowdstrike/data_stream/alert/fields/beats.yml
@@ -4,6 +4,3 @@
- name: log.offset
type: long
description: Log offset.
-- name: tags
- type: keyword
- description: User defined tags.
diff --git a/packages/crowdstrike/data_stream/falcon/fields/agent.yml b/packages/crowdstrike/data_stream/falcon/fields/agent.yml
index 388ddad84cd..2bc58530bac 100644
--- a/packages/crowdstrike/data_stream/falcon/fields/agent.yml
+++ b/packages/crowdstrike/data_stream/falcon/fields/agent.yml
@@ -5,172 +5,15 @@ footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' type: group fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - name: image.id type: keyword description: Image ID for the cloud instance. -- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. 
- - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - external: ecs - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. - name: host title: Host group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' type: group fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. 
- - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - external: ecs - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - name: containerized type: boolean description: > diff --git a/packages/crowdstrike/data_stream/falcon/fields/beats.yml b/packages/crowdstrike/data_stream/falcon/fields/beats.yml index b13d5cc96f4..96190255552 100644 --- a/packages/crowdstrike/data_stream/falcon/fields/beats.yml +++ b/packages/crowdstrike/data_stream/falcon/fields/beats.yml @@ -7,5 +7,3 @@ - name: log.offset type: long description: Offset of the entry in the log file. -- name: log.file.path - external: ecs 
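Review bot: After this hunk the `cloud` and `host` groups declare only their non-ECS members (`image.id`, `containerized`, plus `os.build`/`os.codename` per the README hunk further down), so typed ECS fields that were removed here — `host.ip` with `type: ip`, `host.os.name` with its `text` multi-field, the `cloud.*` keywords — now depend entirely on the `ecs@mappings` component template being present; on a stack without it they would be dynamically mapped as text/keyword and CIDR or range queries on `host.ip` would stop matching without any error. The changelog entry in the first hunk says the Kibana constraint is raised to ^8.13.0, but the `packages/crowdstrike/manifest.yml` change itself is not in this chunk, so please confirm that constraint bump lands in the same commit as these deletions. Since the trimmed `host` group now reads as if the package simply lacks `host.ip`/`host.name`, a one-line header comment would spare the next maintainer from re-adding them: `# Only non-ECS host/cloud fields are declared here; ECS fields are mapped by the ecs@mappings component template.` The `containerized` entry's folded `description: >` continues past the end of the hunk.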
diff --git a/packages/crowdstrike/data_stream/falcon/fields/ecs.yml b/packages/crowdstrike/data_stream/falcon/fields/ecs.yml deleted file mode 100644 index bb9fb2639b4..00000000000 --- a/packages/crowdstrike/data_stream/falcon/fields/ecs.yml +++ /dev/null 
@@ -1,166 +0,0 @@ -- name: message - external: ecs -- name: ecs.version - external: ecs -- name: event.code - external: ecs -- name: event.kind - external: ecs -- name: event.category - external: ecs -- name: event.type - external: ecs -- name: event.action - external: ecs -- name: event.original - external: ecs -- name: event.ingested - external: ecs -- name: event.created - external: ecs -- name: event.outcome - external: ecs -- name: event.url - external: ecs -- name: event.severity - external: ecs -- name: event.start - external: ecs -- name: event.end - external: ecs -- name: user.id - external: ecs -- name: user.name - external: ecs -- name: user.domain - external: ecs -- name: user.email - external: ecs -- name: threat.technique.name - external: ecs -- name: threat.technique.id - external: ecs -- name: threat.tactic.name - external: ecs -- name: threat.tactic.id - external: ecs -- name: threat.framework - external: ecs -- name: process.pid - external: ecs -- name: process.start - external: ecs -- name: process.end - external: ecs -- name: process.name - external: ecs -- name: process.command_line - external: ecs -- name: process.args - external: ecs -- name: process.executable - external: ecs -- name: process.parent.executable - external: ecs -- name: process.parent.pid - external: ecs -- name: process.parent.command_line - external: ecs -- name: process.parent.args - external: ecs -- name: device.id - external: ecs -- name: agent.name - external: ecs -- name: agent.id - external: ecs -- name: agent.type - external: ecs -- name: agent.version - external: ecs -- name: source.ip - external: ecs -- name: source.port - external: ecs -- name: destination.ip - external: ecs -- name: destination.port - external: ecs -- name: file.hash.sha1 - external: ecs -- name: file.hash.sha256 - external: ecs -- name: file.hash.md5 - external: ecs -- name: file.path - external: ecs -- name: rule.author - external: ecs -- name: rule.id - external: ecs -- name: rule.uuid - 
external: ecs -- name: rule.name - external: ecs -- name: rule.description - external: ecs -- name: error.message - external: ecs -- name: rule.ruleset - external: ecs -- name: rule.category - external: ecs -- name: network.direction - external: ecs -- name: network.type - external: ecs -- name: related.ip - external: ecs -- name: related.user - external: ecs -- name: related.hosts - external: ecs -- name: related.hash - external: ecs -- name: tags - external: ecs -- name: observer.vendor - external: ecs -- name: observer.product - external: ecs -- name: source.as.number - external: ecs -- name: source.as.organization.name - external: ecs -- name: source.geo.city_name - external: ecs -- name: source.geo.continent_name - external: ecs -- name: source.geo.country_iso_code - external: ecs -- name: source.geo.country_name - external: ecs -- name: source.geo.location - external: ecs -- name: source.geo.region_iso_code - external: ecs -- name: source.geo.region_name - external: ecs -- name: destination.as.number - external: ecs -- name: destination.as.organization.name - external: ecs -- name: destination.geo.city_name - external: ecs -- name: destination.geo.continent_name - external: ecs -- name: destination.geo.country_iso_code - external: ecs -- name: destination.geo.country_name - external: ecs -- name: destination.geo.location - external: ecs -- name: destination.geo.region_iso_code - external: ecs -- name: destination.geo.region_name - external: ecs diff --git a/packages/crowdstrike/data_stream/fdr/fields/ecs.yml b/packages/crowdstrike/data_stream/fdr/fields/ecs.yml deleted file mode 100644 index a59ddff9346..00000000000 --- a/packages/crowdstrike/data_stream/fdr/fields/ecs.yml +++ /dev/null 
@@ -1,242 +0,0 @@ -- external: ecs - name: destination.address -- external: ecs - name: destination.as.number -- external: ecs - name: destination.as.organization.name -- external: ecs - name: destination.geo.city_name -- external: ecs - name: destination.geo.continent_name -- external: ecs - name: destination.geo.country_iso_code -- external: ecs - name: destination.geo.country_name -- external: ecs - name: destination.geo.location -- external: ecs - name: destination.geo.region_iso_code -- external: ecs - name: destination.geo.region_name -- external: ecs - name: destination.ip -- external: ecs - name: destination.port -- external: ecs - name: device.id -- external: ecs - name: dns.question.name -- external: ecs - name: dns.question.registered_domain -- external: ecs - name: dns.question.subdomain -- external: ecs - name: dns.question.top_level_domain -- external: ecs - name: dns.question.type -- external: ecs - name: dns.type -- external: ecs - name: ecs.version -- external: ecs - name: event.action -- external: ecs - name: event.category -- external: ecs - name: event.created -- external: ecs - name: event.id -- external: ecs - name: event.kind -- external: ecs - name: event.original -- external: ecs - name: event.outcome -- external: ecs - name: event.timezone -- external: ecs - name: event.type -- external: ecs - name: file.device -- external: ecs - name: file.directory -- external: ecs - name: file.drive_letter -- external: ecs - name: file.extension -- external: ecs - name: file.hash.sha256 -- external: ecs - name: file.inode -- external: ecs - name: file.name -- external: ecs - name: file.path -- external: ecs - name: file.size -- external: ecs - name: file.type -- external: ecs - name: host.geo.city_name -- external: ecs - name: host.geo.continent_name -- external: ecs - name: host.geo.country_name -- external: ecs - name: host.geo.timezone -- external: ecs - name: host.domain -- external: ecs - name: host.hostname -- external: ecs - name: host.ip -- 
external: ecs - name: host.name -- external: ecs - name: log.file.path -- external: ecs - name: network.community_id -- external: ecs - name: network.direction -- external: ecs - name: network.iana_number -- external: ecs - name: network.transport -- external: ecs - name: observer.geo.city_name -- external: ecs - name: observer.geo.continent_name -- external: ecs - name: observer.geo.country_iso_code -- external: ecs - name: observer.geo.country_name -- external: ecs - name: observer.geo.location -- external: ecs - name: observer.geo.region_iso_code -- external: ecs - name: observer.geo.region_name -- external: ecs - name: observer.ip -- external: ecs - name: observer.serial_number -- external: ecs - name: observer.type -- external: ecs - name: observer.vendor -- external: ecs - name: observer.version -- external: ecs - name: host.os.type -- external: ecs - name: host.os.version -- external: ecs - name: process.args -- external: ecs - name: process.args_count -- external: ecs - name: process.command_line -- external: ecs - name: process.end -- external: ecs - name: process.entity_id -- external: ecs - name: process.executable -- external: ecs - name: process.name -- external: ecs - name: process.exit_code -- external: ecs - name: process.hash.md5 -- external: ecs - name: process.hash.sha256 -- external: ecs - name: process.parent.entity_id -- external: ecs - name: process.parent.name -- external: ecs - name: process.pgid -- external: ecs - name: process.pid -- external: ecs - name: process.start -- external: ecs - name: process.thread.id -- external: ecs - name: process.title -- external: ecs - name: process.uptime -- external: ecs - name: related.hash -- external: ecs - name: related.hosts -- external: ecs - name: related.ip -- external: ecs - name: related.user -- external: ecs - name: server.address -- external: ecs - name: server.domain -- external: ecs - name: server.registered_domain -- external: ecs - name: server.subdomain -- external: ecs - name: 
server.top_level_domain -- external: ecs - name: source.address -- external: ecs - name: source.as.number -- external: ecs - name: source.as.organization.name -- external: ecs - name: source.geo.city_name -- external: ecs - name: source.geo.continent_name -- external: ecs - name: source.geo.country_iso_code -- external: ecs - name: source.geo.country_name -- external: ecs - name: source.geo.location -- external: ecs - name: source.geo.region_iso_code -- external: ecs - name: source.geo.region_name -- external: ecs - name: source.ip -- external: ecs - name: source.mac -- external: ecs - name: source.port -- external: ecs - name: tags -- external: ecs - name: url.domain -- external: ecs - name: url.extension -- external: ecs - name: url.original -- external: ecs - name: url.path -- external: ecs - name: url.registered_domain -- external: ecs - name: url.scheme -- external: ecs - name: url.subdomain -- external: ecs - name: url.top_level_domain -- external: ecs - name: user.domain -- external: ecs - name: user.email -- external: ecs - name: user.full_name -- external: ecs - name: user.group.id -- external: ecs - name: user.id -- external: ecs - name: user.name diff --git a/packages/crowdstrike/data_stream/host/fields/beats.yml b/packages/crowdstrike/data_stream/host/fields/beats.yml index b3701b581cf..4084f1dc7f5 100644 --- a/packages/crowdstrike/data_stream/host/fields/beats.yml +++ b/packages/crowdstrike/data_stream/host/fields/beats.yml @@ -4,6 +4,3 @@ - name: log.offset type: long description: Log offset. -- name: tags - type: keyword - description: User defined tags. diff --git a/packages/crowdstrike/docs/README.md b/packages/crowdstrike/docs/README.md index d3817dd18a7..fbb790c0e2a 100644 --- a/packages/crowdstrike/docs/README.md +++ b/packages/crowdstrike/docs/README.md 
@@ -549,7 +549,6 @@ An example event for `alert` looks as following: | event.module | Event module. | constant_keyword | | input.type | Type of filebeat input. | keyword | | log.offset | Log offset. | long | -| tags | User defined tags. | keyword | ### Falcon 
@@ -584,23 +583,7 @@ Current supported event types are: | Field | Description | Type | |---|---|---| | @timestamp | Event timestamp. | date | -| agent.id | Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id. | keyword | -| agent.name | Custom name of the agent. This is a name that can be given to an agent. This can be helpful if for example two Filebeat instances are running on the same host but a human readable separation is needed on which Filebeat instance data is coming from. | keyword | -| agent.type | Type of the agent. The agent type always stays the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine. | keyword | -| agent.version | Version of the agent. | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | | cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. 
| keyword | | crowdstrike.event.AccountCreationTimeStamp | The timestamp of when the source account was created in Active Directory. | date | | crowdstrike.event.AccountId | | keyword | | crowdstrike.event.ActivityId | ID of the activity that triggered the detection. | keyword | 
@@ -818,118 +801,14 @@ Current supported event types are: | data_stream.dataset | Data stream dataset name. | constant_keyword | | data_stream.namespace | Data stream namespace. | constant_keyword | | data_stream.type | Data stream type. | constant_keyword | -| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| destination.as.organization.name | Organization name. | keyword | -| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | -| destination.geo.city_name | City name. | keyword | -| destination.geo.continent_name | Name of the continent. | keyword | -| destination.geo.country_iso_code | Country ISO code. | keyword | -| destination.geo.country_name | Country name. | keyword | -| destination.geo.location | Longitude and latitude. | geo_point | -| destination.geo.region_iso_code | Region ISO code. | keyword | -| destination.geo.region_name | Region name. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| device.id | The unique identifier of a device. The identifier must not change across application sessions but stay fixed for an instance of a (mobile) device. On iOS, this value must be equal to the vendor identifier (https://developer.apple.com/documentation/uikit/uidevice/1620059-identifierforvendor). On Android, this value must be equal to the Firebase Installation ID or a globally unique UUID which is persisted across sessions in your application. For GDPR and data protection law reasons this identifier should not carry information that would allow to identify a user. | keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.message | Error message. | match_only_text | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword | -| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. 
| date | | event.dataset | Event dataset | constant_keyword | -| event.end | `event.end` contains the date when the event ended or when the activity was last observed. | date | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword | | event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. 
Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| event.severity | The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. | long | -| event.start | `event.start` contains the date when the event started or when the activity was first observed. | date | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| event.url | URL linking to an external system to continue investigation of this event. 
This URL links to another system where in-depth investigation of the specific occurrence of this event can take place. Alert events, indicated by `event.kind:alert`, are a common use case for this field. | keyword | -| file.hash.md5 | MD5 hash. | keyword | -| file.hash.sha1 | SHA1 hash. | keyword | -| file.hash.sha256 | SHA256 hash. | keyword | -| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword | -| file.path.text | Multi-field of `file.path`. | match_only_text | -| host.architecture | Operating system architecture. | keyword | | host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name (FQDN), or a name specified by the user. The recommended value is the lowercase FQDN of the host. | keyword | | host.os.build | OS build information. | keyword | | host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. 
| text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | input.type | Type of Filebeat input. | keyword | -| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | | log.flags | Flags for the log file. | keyword | | log.offset | Offset of the entry in the log file. | long | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| network.direction | Direction of the network traffic. When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.type | In the OSI Model this would be the Network Layer. 
ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | -| observer.product | The product name of the observer. | keyword | -| observer.vendor | Vendor name of the observer. | keyword | -| process.args | Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information. | keyword | -| process.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard | -| process.command_line.text | Multi-field of `process.command_line`. | match_only_text | -| process.end | The time the process ended. | date | -| process.executable | Absolute path to the process executable. | keyword | -| process.executable.text | Multi-field of `process.executable`. | match_only_text | -| process.name | Process name. Sometimes called program name or similar. | keyword | -| process.name.text | Multi-field of `process.name`. | match_only_text | -| process.parent.args | Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information. | keyword | -| process.parent.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard | -| process.parent.command_line.text | Multi-field of `process.parent.command_line`. | match_only_text | -| process.parent.executable | Absolute path to the process executable. | keyword | -| process.parent.executable.text | Multi-field of `process.parent.executable`. | match_only_text | -| process.parent.pid | Process id. | long | -| process.pid | Process id. | long | -| process.start | The time the process started. | date | -| related.hash | All the hashes seen on your event. 
Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| rule.author | Name, organization, or pseudonym of the author or authors who created the rule used to generate this event. | keyword | -| rule.category | A categorization value keyword used by the entity using the rule for detection of this event. | keyword | -| rule.description | The description of the rule generating the event. | keyword | -| rule.id | A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. | keyword | -| rule.name | The name of the rule or signature generating the event. | keyword | -| rule.ruleset | Name of the ruleset, policy, group, or parent category in which the rule used to generate this event is a member. | keyword | -| rule.uuid | A rule ID that is unique within the scope of a set or group of agents, observers, or other entities using the rule for detection of this event. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. 
| keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| tags | List of keywords used to tag each event. | keyword | -| threat.framework | Name of the threat framework used to further categorize and classify the tactic and technique of the reported threat. Framework classification can be provided by detecting systems, evaluated at ingest time, or retrospectively tagged to events. | keyword | -| threat.tactic.id | The id of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ ) | keyword | -| threat.tactic.name | Name of the type of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/) | keyword | -| threat.technique.id | The id of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) | keyword | -| threat.technique.name | The name of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) | keyword | -| threat.technique.name.text | Multi-field of `threat.technique.name`. | match_only_text | -| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | -| user.email | User email address. | keyword | -| user.id | Unique identifier of the user. | keyword | -| user.name | Short name or login of the user. | keyword | -| user.name.text | Multi-field of `user.name`. | match_only_text | An example event for `falcon` looks as following: 
@@ -1560,143 +1439,11 @@ and/or `session_token`.
 | data_stream.dataset | Data stream dataset. | constant_keyword |
 | data_stream.namespace | Data stream namespace. | constant_keyword |
 | data_stream.type | Data stream type. | constant_keyword |
-| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| destination.as.organization.name | Organization name. | keyword |
-| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text |
-| destination.geo.city_name | City name. | keyword |
-| destination.geo.continent_name | Name of the continent. | keyword |
-| destination.geo.country_iso_code | Country ISO code. | keyword |
-| destination.geo.country_name | Country name. | keyword |
-| destination.geo.location | Longitude and latitude. | geo_point |
-| destination.geo.region_iso_code | Region ISO code. | keyword |
-| destination.geo.region_name | Region name. | keyword |
-| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
-| destination.port | Port of the destination. | long |
-| device.id | The unique identifier of a device. The identifier must not change across application sessions but stay fixed for an instance of a (mobile) device. On iOS, this value must be equal to the vendor identifier (https://developer.apple.com/documentation/uikit/uidevice/1620059-identifierforvendor). On Android, this value must be equal to the Firebase Installation ID or a globally unique UUID which is persisted across sessions in your application. For GDPR and data protection law reasons this identifier should not carry information that would allow to identify a user. | keyword |
-| dns.question.name | The name being queried. If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. | keyword |
-| dns.question.registered_domain | The highest registered domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
-| dns.question.subdomain | The subdomain is all of the labels under the registered_domain. If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword |
-| dns.question.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
-| dns.question.type | The type of record being queried. | keyword |
-| dns.type | The type of DNS event captured, query or answer. If your source of DNS events only gives you DNS queries, you should only create dns events of type `dns.type:query`. If your source of DNS events gives you answers as well, you should create one event per query (optionally as soon as the query is seen). And a second event containing all query details as well as an array of answers. | keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date |
 | event.dataset | Event dataset | constant_keyword |
-| event.id | Unique ID to describe the event. | keyword |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword |
 | event.module | Event module | constant_keyword |
-| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
-| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword |
-| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| file.device | Device that is the source of the file. | keyword |
-| file.directory | Directory where the file is located. It should include the drive letter, when appropriate. | keyword |
-| file.drive_letter | Drive letter where the file is located. This field is only relevant on Windows. The value should be uppercase, and not include the colon. | keyword |
-| file.extension | File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword |
-| file.hash.sha256 | SHA256 hash. | keyword |
-| file.inode | Inode representing the file in the filesystem. | keyword |
-| file.name | Name of the file including the extension, without the directory. | keyword |
-| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword |
-| file.path.text | Multi-field of `file.path`. | match_only_text |
-| file.size | File size in bytes. Only relevant when `file.type` is "file". | long |
-| file.type | File type (file, dir, or symlink). | keyword |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.geo.city_name | City name. | keyword |
-| host.geo.continent_name | Name of the continent. | keyword |
-| host.geo.country_name | Country name. | keyword |
-| host.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.name | Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name (FQDN), or a name specified by the user. The recommended value is the lowercase FQDN of the host. | keyword |
-| host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. If the OS you're dealing with is not listed as an expected value, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
 | input.type | | keyword |
-| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword |
 | log.offset | | long |
-| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword |
-| network.direction | Direction of the network traffic. When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword |
-| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword |
-| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
 | observer.address | | keyword |
-| observer.geo.city_name | City name. | keyword |
-| observer.geo.continent_name | Name of the continent. | keyword |
-| observer.geo.country_iso_code | Country ISO code. | keyword |
-| observer.geo.country_name | Country name. | keyword |
-| observer.geo.location | Longitude and latitude. | geo_point |
-| observer.geo.region_iso_code | Region ISO code. | keyword |
-| observer.geo.region_name | Region name. | keyword |
-| observer.ip | IP addresses of the observer. | ip |
-| observer.serial_number | Observer serial number. | keyword |
-| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword |
-| observer.vendor | Vendor name of the observer. | keyword |
-| observer.version | Observer version. | keyword |
-| process.args | Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information. | keyword |
-| process.args_count | Length of the process.args array. This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. | long |
-| process.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard |
-| process.command_line.text | Multi-field of `process.command_line`. | match_only_text |
-| process.end | The time the process ended. | date |
-| process.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword |
-| process.executable | Absolute path to the process executable. | keyword |
-| process.executable.text | Multi-field of `process.executable`. | match_only_text |
-| process.exit_code | The exit code of the process, if this is a termination event. The field should be absent if there is no exit code for the event (e.g. process start). | long |
-| process.hash.md5 | MD5 hash. | keyword |
-| process.hash.sha256 | SHA256 hash. | keyword |
-| process.name | Process name. Sometimes called program name or similar. | keyword |
-| process.name.text | Multi-field of `process.name`. | match_only_text |
-| process.parent.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword |
-| process.parent.name | Process name. Sometimes called program name or similar. | keyword |
-| process.parent.name.text | Multi-field of `process.parent.name`. | match_only_text |
-| process.pgid | Deprecated for removal in next major version release. This field is superseded by `process.group_leader.pid`. Identifier of the group of processes the process belongs to. | long |
-| process.pid | Process id. | long |
-| process.start | The time the process started. | date |
-| process.thread.id | Thread ID. | long |
-| process.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword |
-| process.title.text | Multi-field of `process.title`. | match_only_text |
-| process.uptime | Seconds the process has been up. | long |
-| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword |
-| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| related.user | All the user names or other user identifiers seen on the event. | keyword |
-| server.address | Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| server.domain | The domain name of the server system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
-| server.registered_domain | The highest registered server domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
-| server.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword |
-| server.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
-| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| source.as.organization.name | Organization name. | keyword |
-| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text |
-| source.geo.city_name | City name. | keyword |
-| source.geo.continent_name | Name of the continent. | keyword |
-| source.geo.country_iso_code | Country ISO code. | keyword |
-| source.geo.country_name | Country name. | keyword |
-| source.geo.location | Longitude and latitude. | geo_point |
-| source.geo.region_iso_code | Region ISO code. | keyword |
-| source.geo.region_name | Region name. | keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.mac | MAC address of the source. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
-| source.port | Port of the source. | long |
-| tags | List of keywords used to tag each event. | keyword |
-| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword |
-| url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword |
-| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard |
-| url.original.text | Multi-field of `url.original`. | match_only_text |
-| url.path | Path of the request, such as "/search". | wildcard |
-| url.registered_domain | The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
-| url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword |
-| url.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword |
-| url.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
-| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
-| user.email | User email address. | keyword |
-| user.full_name | User's full name, if available. | keyword |
-| user.full_name.text | Multi-field of `user.full_name`. | match_only_text |
-| user.group.id | Unique identifier for the group on the system/platform. | keyword |
-| user.id | Unique identifier of the user. | keyword |
-| user.name | Short name or login of the user. | keyword |
-| user.name.text | Multi-field of `user.name`. | match_only_text |
 
 An example event for `fdr` looks as following:
 
@@ -2246,5 +1993,4 @@ An example event for `host` looks as following:
 | event.module | Event module. | constant_keyword |
 | input.type | Type of filebeat input. | keyword |
 | log.offset | Log offset. | long |
-| tags | User defined tags. | keyword |
 
diff --git a/packages/crowdstrike/manifest.yml b/packages/crowdstrike/manifest.yml
index 1a056eeec20..d3c9bf33f15 100644
--- a/packages/crowdstrike/manifest.yml
+++ b/packages/crowdstrike/manifest.yml
@@ -1,13 +1,13 @@
 name: crowdstrike
 title: CrowdStrike
-version: "1.36.0"
+version: "1.37.0"
 description: Collect logs from Crowdstrike with Elastic Agent.
 type: integration
 format_version: "3.0.3"
 categories: [security, edr_xdr]
 conditions:
 kibana:
- version: "^8.12.0"
+ version: "^8.13.0"
 icons:
 - src: /img/logo-integrations-crowdstrike.svg
 title: CrowdStrike
diff --git a/packages/cyberark_pta/changelog.yml b/packages/cyberark_pta/changelog.yml
index 8e4720b2b39..518877773d5 100644
--- a/packages/cyberark_pta/changelog.yml
+++ b/packages/cyberark_pta/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.10.0"
+ changes:
+ - description: Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/10135
 - version: "1.9.0"
 changes:
 - description: Update manifest format version to v3.0.3.
diff --git a/packages/cyberark_pta/data_stream/events/fields/ecs.yml b/packages/cyberark_pta/data_stream/events/fields/ecs.yml
deleted file mode 100644
index a3391d494bb..00000000000
--- a/packages/cyberark_pta/data_stream/events/fields/ecs.yml
+++ /dev/null
@@ -1,38 +0,0 @@
-- external: ecs
- name: ecs.version
-- external: ecs
- name: observer.vendor
-- external: ecs
- name: observer.product
-- external: ecs
- name: observer.version
-- external: ecs
- name: event.reason
-- external: ecs
- name: event.severity
-- external: ecs
- name: source.user.name
-- external: ecs
- name: source.domain
-- external: ecs
- name: source.ip
-- external: ecs
- name: destination.user.name
-- external: ecs
- name: destination.domain
-- external: ecs
- name: destination.ip
-- external: ecs
- name: event.id
-- external: ecs
- name: event.created
-- external: ecs
- name: event.reference
-- external: ecs
- name: event.url
-- external: ecs
- name: event.action
-- external: ecs
- name: message
-- external: ecs
- name: tags
diff --git a/packages/cyberark_pta/docs/README.md b/packages/cyberark_pta/docs/README.md
index 0c6e2eeb634..42dc6f88fd9 100644
--- a/packages/cyberark_pta/docs/README.md
+++ b/packages/cyberark_pta/docs/README.md
@@ -280,30 +280,9 @@ An example event for pta looks as following:
 | data_stream.dataset | Data stream dataset. | constant_keyword |
 | data_stream.namespace | Data stream namespace. | constant_keyword |
 | data_stream.type | Data stream type. | constant_keyword |
-| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
-| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
 | destination.service.name | | keyword |
-| destination.user.name | Short name or login of the user. | keyword |
-| destination.user.name.text | Multi-field of `destination.user.name`. | match_only_text |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
-| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date |
 | event.dataset | Event dataset | constant_keyword |
-| event.id | Unique ID to describe the event. | keyword |
 | event.module | Event module | constant_keyword |
-| event.reason | Reason why this event happened, according to the source. This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). | keyword |
-| event.reference | Reference URL linking to additional information about this event. This URL links to a static definition of this event. Alert events, indicated by `event.kind:alert`, are a common use case for this field. | keyword |
-| event.severity | The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. | long |
-| event.url | URL linking to an external system to continue investigation of this event. This URL links to another system where in-depth investigation of the specific occurrence of this event can take place. Alert events, indicated by `event.kind:alert`, are a common use case for this field. | keyword |
 | input.type | Input type | keyword |
 | log.source.address | Source address from which the log event was read / sent from. | keyword |
-| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text |
-| observer.product | The product name of the observer. | keyword |
-| observer.vendor | Vendor name of the observer. | keyword |
-| observer.version | Observer version. | keyword |
-| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
 | source.service.name | | keyword |
-| source.user.name | Short name or login of the user. | keyword |
-| source.user.name.text | Multi-field of `source.user.name`. | match_only_text |
-| tags | List of keywords used to tag each event. | keyword |
diff --git a/packages/cyberark_pta/manifest.yml b/packages/cyberark_pta/manifest.yml
index de0895d9166..4174cdcb71f 100644
--- a/packages/cyberark_pta/manifest.yml
+++ b/packages/cyberark_pta/manifest.yml
@@ -1,13 +1,13 @@
 name: cyberark_pta
 title: Cyberark Privileged Threat Analytics
-version: "1.9.0"
+version: "1.10.0"
 description: Collect security logs from Cyberark PTA integration.
 type: integration
 format_version: "3.0.3"
 categories: ["security", "iam"]
 conditions:
 kibana:
- version: ^7.17.0 || ^8.0.0
+ version: "^8.13.0"
 screenshots:
 - src: /img/cyberarkpta-overview.png
 title: cyberark pta overview
diff --git a/packages/cyberarkpas/changelog.yml b/packages/cyberarkpas/changelog.yml
index f4784d57d0a..d148fa64198 100644
--- a/packages/cyberarkpas/changelog.yml
+++ b/packages/cyberarkpas/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "2.21.0"
+  changes:
+    - description: Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/10135
 - version: "2.20.0"
   changes:
     - description: Update manifest format version to v3.0.3.
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-288-auto-clear-users-history-start.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-288-auto-clear-users-history-start.log-expected.json
index 66013d49724..68cf6d1a251 100644
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-288-auto-clear-users-history-start.log-expected.json
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-288-auto-clear-users-history-start.log-expected.json
@@ -53,7 +53,7 @@
 ]
 },
 {
- "@timestamp": "2023-03-08T03:00:20.000Z",
+ "@timestamp": "2024-03-08T03:00:20.000Z",
 "cyberarkpas": {
 "audit": {
 "action": "Auto Clear Users History start",
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-289-auto-clear-users-history-end.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-289-auto-clear-users-history-end.log-expected.json
index fa3a88098d6..97dbbb8feb5 100644
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-289-auto-clear-users-history-end.log-expected.json
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-289-auto-clear-users-history-end.log-expected.json
@@ -53,7 +53,7 @@
 ]
 },
 {
- "@timestamp": "2023-03-08T03:00:20.000Z",
+ "@timestamp": "2024-03-08T03:00:20.000Z",
 "cyberarkpas": {
 "audit": {
 "action": "Auto Clear Users History end",
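Review bot: The expected `@timestamp` year moves from 2023 to 2024 in this test-288 fixture and likewise in the test-289, test-310, test-311, test-357, test-358, test-479, test-59, test-88 and test-legacysyslog expected files, while no pipeline or pipeline-test-config change in this diff explains the new value. If the year is being filled in from the time the test ran (the syslog samples carry no year of their own), these expectations will drift again at the next year boundary and the pipeline tests will fail for reasons unrelated to the package. Pinning the year in the pipeline test configuration, or listing `@timestamp` under `dynamic_fields` there so the year is not compared literally, would make the fixtures stable. If instead the year is now derived deterministically, a sentence in the 2.21.0 changelog entry saying so would spare the next reviewer the same question.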
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-310-monitor-dr-replication-start.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-310-monitor-dr-replication-start.log-expected.json
index 929f7b3bb21..8f39a4f9406 100644
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-310-monitor-dr-replication-start.log-expected.json
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-310-monitor-dr-replication-start.log-expected.json
@@ -53,7 +53,7 @@
 ]
 },
 {
- "@timestamp": "2023-03-08T02:48:07.000Z",
+ "@timestamp": "2024-03-08T02:48:07.000Z",
 "cyberarkpas": {
 "audit": {
 "action": "Monitor DR Replication start",
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-311-monitor-dr-replication-end.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-311-monitor-dr-replication-end.log-expected.json
index 551d75ef5a4..2054f987ba1 100644
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-311-monitor-dr-replication-end.log-expected.json
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-311-monitor-dr-replication-end.log-expected.json
@@ -53,7 +53,7 @@
 ]
 },
 {
- "@timestamp": "2023-03-08T02:48:07.000Z",
+ "@timestamp": "2024-03-08T02:48:07.000Z",
 "cyberarkpas": {
 "audit": {
 "action": "Monitor DR Replication end",
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-357-monitor-fw-rules-start.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-357-monitor-fw-rules-start.log-expected.json
index 6e0f7244c3b..f92147eab77 100644
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-357-monitor-fw-rules-start.log-expected.json
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-357-monitor-fw-rules-start.log-expected.json
@@ -53,7 +53,7 @@
 ]
 },
 {
- "@timestamp": "2023-03-08T02:32:56.000Z",
+ "@timestamp": "2024-03-08T02:32:56.000Z",
 "cyberarkpas": {
 "audit": {
 "action": "Monitor FW rules start",
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-358-monitor-fw-rules-end.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-358-monitor-fw-rules-end.log-expected.json
index b3f6a64238e..c5a4930cdf7 100644
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-358-monitor-fw-rules-end.log-expected.json
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-358-monitor-fw-rules-end.log-expected.json
@@ -53,7 +53,7 @@
 ]
 },
 {
- "@timestamp": "2023-03-08T02:32:56.000Z",
+ "@timestamp": "2024-03-08T02:32:56.000Z",
 "cyberarkpas": {
 "audit": {
 "action": "Monitor FW Rules end",
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-479-security-warning-the-signature-hash-algorithm-of-the-vault-certificate-is-sha1.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-479-security-warning-the-signature-hash-algorithm-of-the-vault-certificate-is-sha1.log-expected.json
index 4784e54a33e..8c01881e357 100644
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-479-security-warning-the-signature-hash-algorithm-of-the-vault-certificate-is-sha1.log-expected.json
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-479-security-warning-the-signature-hash-algorithm-of-the-vault-certificate-is-sha1.log-expected.json
@@ -56,7 +56,7 @@
 ]
 },
 {
- "@timestamp": "2023-03-08T07:46:54.000Z",
+ "@timestamp": "2024-03-08T07:46:54.000Z",
 "cyberarkpas": {
 "audit": {
 "action": "Security warning - The Signature Hash Algorithm of the Vault certificate is SHA1.",
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-59-clear-safe-history.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-59-clear-safe-history.log-expected.json
index 6b6c29a2ff6..c33362d5251 100644
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-59-clear-safe-history.log-expected.json
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-59-clear-safe-history.log-expected.json
@@ -54,7 +54,7 @@
 ]
 },
 {
- "@timestamp": "2023-03-08T03:10:31.000Z",
+ "@timestamp": "2024-03-08T03:10:31.000Z",
 "cyberarkpas": {
 "audit": {
 "action": "Clear Safe History",
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-88-set-password.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-88-set-password.log-expected.json
index 47b88e33a6c..76eab1296f7 100644
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-88-set-password.log-expected.json
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-88-set-password.log-expected.json
@@ -105,7 +105,7 @@
 ]
 },
 {
- "@timestamp": "2023-03-08T02:54:46.000Z",
+ "@timestamp": "2024-03-08T02:54:46.000Z",
 "cyberarkpas": {
 "audit": {
 "action": "Set Password",
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-legacysyslog.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-legacysyslog.log-expected.json
index 10e2241b37b..f66bbb6fde7 100644
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-legacysyslog.log-expected.json
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-legacysyslog.log-expected.json
@@ -1,7 +1,7 @@
 {
 "expected": [
 {
- "@timestamp": "2023-03-08T03:41:01.000Z",
+ "@timestamp": "2024-03-08T03:41:01.000Z",
 "cyberarkpas": {
 "audit": {
 "action": "Retrieve File",
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/system/test-logfile-config.yml b/packages/cyberarkpas/data_stream/audit/_dev/test/system/test-logfile-config.yml
index 8d1df5b6a92..fdb4b0add1d 100644
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/system/test-logfile-config.yml
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/system/test-logfile-config.yml
@@ -8,4 +8,4 @@ numeric_keyword_fields:
 - process.pid
 - log.syslog.priority
 assert:
- hit_count: 343
\ No newline at end of file
+ hit_count: 343
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/system/test-tcp-config.yml b/packages/cyberarkpas/data_stream/audit/_dev/test/system/test-tcp-config.yml
index 69ffe017bc4..7faaf7210d7 100644
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/system/test-tcp-config.yml
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/system/test-tcp-config.yml
@@ -6,4 +6,4 @@ data_stream:
 syslog_host: 0.0.0.0
 syslog_port: 9999
 assert:
- hit_count: 343
\ No newline at end of file
+ hit_count: 343
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/system/test-tls-config.yml b/packages/cyberarkpas/data_stream/audit/_dev/test/system/test-tls-config.yml
index 8009c1a76dc..3c5a82dc060 100644
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/system/test-tls-config.yml
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/system/test-tls-config.yml
@@ -57,4 +57,4 @@ data_stream:
 rcZR4kw7O4cWsLR4NHJBosUVoaeoCizBB6xLREqISxIZuHKuEcYsRA==
 -----END RSA PRIVATE KEY-----
 assert:
- hit_count: 343
\ No newline at end of file
+ hit_count: 343
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/system/test-udp-config.yml b/packages/cyberarkpas/data_stream/audit/_dev/test/system/test-udp-config.yml
index fbf6e26e702..c3bcbe0e9ea 100644
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/system/test-udp-config.yml
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/system/test-udp-config.yml
@@ -5,8 +5,8 @@ data_stream:
 vars:
 syslog_host: 0.0.0.0
 syslog_port: 9999
-# Do not assert hit count for this input. Locally, the constraint is
-# satisfied, but on CI, apparently the UDP input drops too many (>0)
-# messages.
-# assert:
-# hit_count: 343
\ No newline at end of file
+ # Do not assert hit count for this input. Locally, the constraint is
+ # satisfied, but on CI, apparently the UDP input drops too many (>0)
+ # messages.
+ # assert:
+ # hit_count: 343
diff --git a/packages/cyberarkpas/data_stream/audit/fields/beats.yml b/packages/cyberarkpas/data_stream/audit/fields/beats.yml
index 9275638f93a..582ff946c0d 100644
--- a/packages/cyberarkpas/data_stream/audit/fields/beats.yml
+++ b/packages/cyberarkpas/data_stream/audit/fields/beats.yml
@@ -7,9 +7,6 @@
 - name: log.offset
   type: long
   description: Offset of the entry in the log file.
-- name: log.file.path
-  type: keyword
-  description: Path to the log file.
 - name: log.source.address
   type: keyword
   description: Source address from which the log event was read / sent from.
diff --git a/packages/cyberarkpas/data_stream/audit/fields/ecs.yml b/packages/cyberarkpas/data_stream/audit/fields/ecs.yml
deleted file mode 100644
index 868b5ad3266..00000000000
--- a/packages/cyberarkpas/data_stream/audit/fields/ecs.yml
+++ /dev/null
@@ -1,114 +0,0 @@
-- external: ecs
-  name: destination.address
-- external: ecs
-  name: destination.as.number
-- external: ecs
-  name: destination.as.organization.name
-- external: ecs
-  name: destination.domain
-- external: ecs
-  name: destination.geo.city_name
-- external: ecs
-  name: destination.geo.continent_name
-- external: ecs
-  name: destination.geo.country_iso_code
-- external: ecs
-  name: destination.geo.country_name
-- external: ecs
-  name: destination.geo.location
-- external: ecs
-  name: destination.geo.region_iso_code
-- external: ecs
-  name: destination.geo.region_name
-- external: ecs
-  name: destination.ip
-- external: ecs
-  name: destination.user.name
-- external: ecs
-  name: ecs.version
-- external: ecs
-  name: error.message
-- external: ecs
-  name: event.action
-- external: ecs
-  name: event.category
-- external: ecs
-  name: event.code
-- external: ecs
-  name: event.duration
-- external: ecs
-  name: event.ingested
-- external: ecs
-  name: event.kind
-- external: ecs
-  name: event.original
-- external: ecs
-  name: event.outcome
-- external: ecs
-  name: event.reason
-- external: ecs
-  name: event.severity
-- external: ecs
-  name: event.timezone
-- external: ecs
-  name: event.type
-- external: ecs
-  name: file.path
-- external: ecs
-  name: host.name
-- external: ecs
-  name: log.syslog.priority
-- external: ecs
-  name: network.application
-- external: ecs
-  name: network.direction
-- external: ecs
-  name: observer.hostname
-- external: ecs
-  name: observer.product
-- external: ecs
-  name: observer.type
-- external: ecs
-  name: observer.vendor
-- external: ecs
-  name: observer.version
-- external: ecs
-  name: process.name
-- external: ecs
-  name: process.pid
-- external: ecs
-  name: related.ip
-- external: ecs
-  name: related.user
-- external: ecs
-  name: service.type
-- external: ecs
-  name: source.address
-- external: ecs
-  name: source.as.number
-- external: ecs
-  name: source.as.organization.name
-- external: ecs
-  name: source.geo.city_name
-- external: ecs
-  name: source.geo.continent_name
-- external: ecs
-  name: source.geo.country_iso_code
-- external: ecs
-  name: source.geo.country_name
-- external: ecs
-  name: source.geo.location
-- external: ecs
-  name: source.geo.region_iso_code
-- external: ecs
-  name: source.geo.region_name
-- external: ecs
-  name: source.ip
-- external: ecs
-  name: source.user.name
-- external: ecs
-  name: tags
-- external: ecs
-  name: user.name
-- external: ecs
-  name: user.target.name
diff --git a/packages/cyberarkpas/docs/README.md b/packages/cyberarkpas/docs/README.md
index 34eed0b9b66..becacb212e6 100644
--- a/packages/cyberarkpas/docs/README.md
+++ b/packages/cyberarkpas/docs/README.md
@@ -207,76 +207,10 @@ An example event for `audit` looks as following:
 | data_stream.dataset | Data stream dataset. | constant_keyword |
 | data_stream.namespace | Data stream namespace. | constant_keyword |
 | data_stream.type | Data stream type. | constant_keyword |
-| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| destination.as.organization.name | Organization name. | keyword |
-| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text |
-| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
-| destination.geo.city_name | City name. | keyword |
-| destination.geo.continent_name | Name of the continent. | keyword |
-| destination.geo.country_iso_code | Country ISO code. | keyword |
-| destination.geo.country_name | Country name. | keyword |
-| destination.geo.location | Longitude and latitude. | geo_point |
-| destination.geo.region_iso_code | Region ISO code. | keyword |
-| destination.geo.region_name | Region name. | keyword |
-| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
-| destination.user.name | Short name or login of the user. | keyword |
-| destination.user.name.text | Multi-field of `destination.user.name`. | match_only_text |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| error.message | Error message. | match_only_text |
-| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword |
 | event.dataset | Event dataset | constant_keyword |
-| event.duration | Duration of the event in nanoseconds. If `event.start` and `event.end` are known this value should be the difference between the end and start time. | long |
-| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword |
 | event.module | Name of the module this data is coming from. | constant_keyword |
-| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
-| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword |
-| event.reason | Reason why this event happened, according to the source. This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). | keyword |
-| event.severity | The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. | long |
-| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword |
-| file.path.text | Multi-field of `file.path`. | match_only_text |
-| host.name | Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name (FQDN), or a name specified by the user. The recommended value is the lowercase FQDN of the host. | keyword |
 | input.type | Type of Filebeat input. | keyword |
-| log.file.path | Path to the log file. | keyword |
 | log.flags | Flags for the log file. | keyword |
 | log.offset | Offset of the entry in the log file. | long |
 | log.source.address | Source address from which the log event was read / sent from. | keyword |
-| log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 \* facility + severity. This number is therefore expected to contain a value between 0 and 191. | long |
-| network.application | When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. The field value must be normalized to lowercase for querying. | keyword |
-| network.direction | Direction of the network traffic. When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword |
-| observer.hostname | Hostname of the observer. | keyword |
-| observer.product | The product name of the observer. | keyword |
-| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword |
-| observer.vendor | Vendor name of the observer. | keyword |
-| observer.version | Observer version. | keyword |
-| process.name | Process name. Sometimes called program name or similar. | keyword |
-| process.name.text | Multi-field of `process.name`. | match_only_text |
-| process.pid | Process id. | long |
-| related.ip | All of the IPs seen on your event. | ip |
-| related.user | All the user names or other user identifiers seen on the event. | keyword |
-| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword |
-| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| source.as.organization.name | Organization name. | keyword |
-| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text |
-| source.geo.city_name | City name. | keyword |
-| source.geo.continent_name | Name of the continent. | keyword |
-| source.geo.country_iso_code | Country ISO code. | keyword |
-| source.geo.country_name | Country name. | keyword |
-| source.geo.location | Longitude and latitude. | geo_point |
-| source.geo.region_iso_code | Region ISO code. | keyword |
-| source.geo.region_name | Region name. | keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.user.name | Short name or login of the user. | keyword |
-| source.user.name.text | Multi-field of `source.user.name`. | match_only_text |
-| tags | List of keywords used to tag each event. | keyword |
-| user.name | Short name or login of the user. | keyword |
-| user.name.text | Multi-field of `user.name`. | match_only_text |
-| user.target.name | Short name or login of the user. | keyword |
-| user.target.name.text | Multi-field of `user.target.name`. | match_only_text |
diff --git a/packages/cyberarkpas/manifest.yml b/packages/cyberarkpas/manifest.yml
index 248acd14c07..4fa3cbeeb2d 100644
--- a/packages/cyberarkpas/manifest.yml
+++ b/packages/cyberarkpas/manifest.yml
@@ -1,13 +1,13 @@
 name: cyberarkpas
 title: CyberArk Privileged Access Security
-version: "2.20.0"
+version: "2.21.0"
 description: Collect logs from CyberArk Privileged Access Security with Elastic Agent.
 type: integration
 format_version: "3.0.3"
 categories: ["security", "iam"]
 conditions:
   kibana:
-    version: ^8.7.1
+    version: "^8.13.0"
 screenshots:
   - src: /img/filebeat-cyberarkpas-overview.png
     title: filebeat cyberarkpas overview
diff --git a/packages/cybereason/_dev/build/build.yml b/packages/cybereason/_dev/build/build.yml
index 1f4fa988f6e..e2b012548e0 100644
--- a/packages/cybereason/_dev/build/build.yml
+++ b/packages/cybereason/_dev/build/build.yml
@@ -1,4 +1,3 @@
 dependencies:
   ecs:
     reference: git@v8.11.0
-    import_mappings: true
diff --git a/packages/cybereason/changelog.yml b/packages/cybereason/changelog.yml
index ee44ece1fd3..dee7eaca8df 100644
--- a/packages/cybereason/changelog.yml
+++ b/packages/cybereason/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "0.2.0"
+  changes:
+    - description: Removed import_mappings. Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/10135
 - version: "0.1.0"
   changes:
     - description: Initial release.
diff --git a/packages/cybereason/data_stream/logon_session/fields/beats.yml b/packages/cybereason/data_stream/logon_session/fields/beats.yml
index b3701b581cf..4084f1dc7f5 100644
--- a/packages/cybereason/data_stream/logon_session/fields/beats.yml
+++ b/packages/cybereason/data_stream/logon_session/fields/beats.yml
@@ -4,6 +4,3 @@
 - name: log.offset
   type: long
   description: Log offset.
-- name: tags
-  type: keyword
-  description: User defined tags.
diff --git a/packages/cybereason/data_stream/malop_connection/fields/beats.yml b/packages/cybereason/data_stream/malop_connection/fields/beats.yml
index b3701b581cf..4084f1dc7f5 100644
--- a/packages/cybereason/data_stream/malop_connection/fields/beats.yml
+++ b/packages/cybereason/data_stream/malop_connection/fields/beats.yml
@@ -4,6 +4,3 @@
 - name: log.offset
   type: long
   description: Log offset.
-- name: tags
-  type: keyword
-  description: User defined tags.
diff --git a/packages/cybereason/data_stream/malop_process/fields/beats.yml b/packages/cybereason/data_stream/malop_process/fields/beats.yml
index b3701b581cf..4084f1dc7f5 100644
--- a/packages/cybereason/data_stream/malop_process/fields/beats.yml
+++ b/packages/cybereason/data_stream/malop_process/fields/beats.yml
@@ -4,6 +4,3 @@
 - name: log.offset
   type: long
   description: Log offset.
-- name: tags
-  type: keyword
-  description: User defined tags.
diff --git a/packages/cybereason/data_stream/malware/fields/beats.yml b/packages/cybereason/data_stream/malware/fields/beats.yml index b3701b581cf..4084f1dc7f5 100644 --- a/packages/cybereason/data_stream/malware/fields/beats.yml +++ b/packages/cybereason/data_stream/malware/fields/beats.yml @@ -4,6 +4,3 @@ - name: log.offset type: long description: Log offset. -- name: tags - type: keyword - description: User defined tags. diff --git a/packages/cybereason/data_stream/poll_malop/fields/beats.yml b/packages/cybereason/data_stream/poll_malop/fields/beats.yml index b3701b581cf..4084f1dc7f5 100644 --- a/packages/cybereason/data_stream/poll_malop/fields/beats.yml +++ b/packages/cybereason/data_stream/poll_malop/fields/beats.yml @@ -4,6 +4,3 @@ - name: log.offset type: long description: Log offset. -- name: tags - type: keyword - description: User defined tags. diff --git a/packages/cybereason/data_stream/suspicions_process/fields/beats.yml b/packages/cybereason/data_stream/suspicions_process/fields/beats.yml index b3701b581cf..4084f1dc7f5 100644 --- a/packages/cybereason/data_stream/suspicions_process/fields/beats.yml +++ b/packages/cybereason/data_stream/suspicions_process/fields/beats.yml @@ -4,6 +4,3 @@ - name: log.offset type: long description: Log offset. -- name: tags - type: keyword - description: User defined tags. diff --git a/packages/cybereason/docs/README.md b/packages/cybereason/docs/README.md index 2b2aa6b7093..c4beb659713 100644 --- a/packages/cybereason/docs/README.md +++ b/packages/cybereason/docs/README.md @@ -336,7 +336,6 @@ An example event for `logon_session` looks as following: | event.module | Event module. | constant_keyword | | input.type | Type of filebeat input. | keyword | | log.offset | Log offset. | long | -| tags | User defined tags. | keyword | ### Malop Connection 
@@ -708,7 +707,6 @@ An example event for `malop_connection` looks as following:
 | event.module | Event module. | constant_keyword |
 | input.type | Type of filebeat input. | keyword |
 | log.offset | Log offset. | long |
-| tags | User defined tags. | keyword |
 ### Malop Process
@@ -2193,7 +2191,6 @@ An example event for `malop_process` looks as following:
 | event.module | Event module. | constant_keyword |
 | input.type | Type of filebeat input. | keyword |
 | log.offset | Log offset. | long |
-| tags | User defined tags. | keyword |
 ### Malware
@@ -2319,7 +2316,6 @@ An example event for `malware` looks as following:
 | event.module | Event module. | constant_keyword |
 | input.type | Type of filebeat input. | keyword |
 | log.offset | Log offset. | long |
-| tags | User defined tags. | keyword |
 ### Poll Malop
@@ -2565,7 +2561,6 @@ An example event for `poll_malop` looks as following:
 | event.module | Event module. | constant_keyword |
 | input.type | Type of filebeat input. | keyword |
 | log.offset | Log offset. | long |
-| tags | User defined tags. | keyword |
 ### Suspicions Process
@@ -3019,4 +3014,3 @@ An example event for `suspicions_process` looks as following:
 | event.module | Event module. | constant_keyword |
 | input.type | Type of filebeat input. | keyword |
 | log.offset | Log offset. | long |
-| tags | User defined tags. | keyword |
diff --git a/packages/cybereason/manifest.yml b/packages/cybereason/manifest.yml
index 2122606f268..e3bbf2bbe94 100644
--- a/packages/cybereason/manifest.yml
+++ b/packages/cybereason/manifest.yml
@@ -1,14 +1,14 @@
 format_version: 3.0.3
 name: cybereason
 title: Cybereason
-version: 0.1.0
+version: "0.2.0"
 description: Collect logs from Cybereason with Elastic Agent.
 type: integration
 categories:
 - security
 conditions:
 kibana:
- version: "^8.12.0"
+ version: "^8.13.0"
 elastic:
 subscription: basic
 screenshots:
diff --git a/packages/cylance/changelog.yml b/packages/cylance/changelog.yml
index 61347300f85..7d7fb9be13e 100644
--- a/packages/cylance/changelog.yml
+++ b/packages/cylance/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "0.20.0"
+ changes:
+ - description: Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/10135
 - version: "0.19.3"
 changes:
 - description: Fix `kibana.version` syntax in manifest.
diff --git a/packages/cylance/data_stream/protect/fields/base-fields.yml b/packages/cylance/data_stream/protect/fields/base-fields.yml
index 0e6d6970311..665aacc3d98 100644
--- a/packages/cylance/data_stream/protect/fields/base-fields.yml
+++ b/packages/cylance/data_stream/protect/fields/base-fields.yml
@@ -15,18 +15,9 @@
 type: constant_keyword
 description: Event dataset
 value: cylance.protect
-- name: container.id
- description: Unique container id.
- ignore_above: 1024
- type: keyword
 - name: input.type
 description: Type of Filebeat input.
 type: keyword
-- name: log.file.path
- description: Full path to the log file this event came from.
- example: /var/log/fun-times.log
- ignore_above: 1024
- type: keyword
 - name: log.source.address
 description: Source address from which the log event was read / sent from.
 type: keyword
@@ -36,8 +27,3 @@
 - name: log.offset
 description: Offset of the entry in the log file.
 type: long
-- name: tags
- description: List of keywords used to tag each event.
- example: '["production", "env2"]'
- ignore_above: 1024
- type: keyword
diff --git a/packages/cylance/data_stream/protect/fields/ecs.yml b/packages/cylance/data_stream/protect/fields/ecs.yml
index 5d22b129aef..6ce5c3d0b78 100644
--- a/packages/cylance/data_stream/protect/fields/ecs.yml
+++ b/packages/cylance/data_stream/protect/fields/ecs.yml
@@ -1,87 +1,5 @@
 - external: ecs
 name: '@timestamp'
-- external: ecs
- name: client.domain
-- external: ecs
- name: client.registered_domain
-- external: ecs
- name: client.subdomain
-- external: ecs
- name: client.top_level_domain
-- external: ecs
- name: destination.address
-- external: ecs
- name: destination.as.number
-- external: ecs
- name: destination.as.organization.name
-- external: ecs
- name: destination.bytes
-- external: ecs
- name: destination.domain
-- external: ecs
- name: destination.geo.city_name
-- external: ecs
- name: destination.geo.country_name
-- external: ecs
- name: destination.geo.location
-- external: ecs
- name: destination.ip
-- external: ecs
- name: destination.mac
-- external: ecs
- name: destination.nat.ip
-- external: ecs
- name: destination.nat.port
-- external: ecs
- name: destination.port
-- external: ecs
- name: destination.registered_domain
-- external: ecs
- name: destination.subdomain
-- external: ecs
- name: destination.top_level_domain
-- external: ecs
- name: dns.answers.name
-- external: ecs
- name: dns.answers.type
-- external: ecs
- name: dns.question.registered_domain
-- external: ecs
- name: dns.question.subdomain
-- external: ecs
- name: dns.question.top_level_domain
-- external: ecs
- name: dns.question.type
-- external: ecs
- name: ecs.version
-- external: ecs
- name: error.message
-- external: ecs
- name: event.action
-- external: ecs
- name: event.code
-- external: ecs
- name: event.ingested
-- external: ecs
- name: event.original
-- external: ecs
- name: event.outcome
-- external: ecs
- name: event.timezone
-- external: ecs
- name: file.attributes
-- external: ecs
- name: file.directory
-- external: ecs
- name: file.extension
-- external: ecs
- name: file.name
-- external: ecs
- name: file.path
-- external: ecs
- name: file.size
-- external: ecs
- name: file.type
 - external: ecs
 name: geo.city_name
 - external: ecs
@@ -90,137 +8,3 @@
 name: geo.name
 - external: ecs
 name: geo.region_name
-- external: ecs
- name: group.id
-- external: ecs
- name: group.name
-- external: ecs
- name: host.hostname
-- external: ecs
- name: host.ip
-- external: ecs
- name: host.mac
-- external: ecs
- name: host.name
-- external: ecs
- name: http.request.method
-- external: ecs
- name: http.request.referrer
-- external: ecs
- name: log.level
-- external: ecs
- name: log.syslog.facility.code
-- external: ecs
- name: log.syslog.priority
-- external: ecs
- name: log.syslog.severity.code
-- external: ecs
- name: message
-- external: ecs
- name: network.application
-- external: ecs
- name: network.bytes
-- external: ecs
- name: network.direction
-- external: ecs
- name: network.forwarded_ip
-- external: ecs
- name: network.packets
-- external: ecs
- name: network.protocol
-- external: ecs
- name: observer.egress.interface.name
-- external: ecs
- name: observer.ingress.interface.name
-- external: ecs
- name: observer.product
-- external: ecs
- name: observer.type
-- external: ecs
- name: observer.vendor
-- external: ecs
- name: observer.version
-- external: ecs
- name: process.name
-- external: ecs
- name: process.parent.name
-- external: ecs
- name: process.parent.title
-- external: ecs
- name: process.pid
-- external: ecs
- name: process.parent.pid
-- external: ecs
- name: process.title
-- external: ecs
- name: related.hosts
-- external: ecs
- name: related.ip
-- external: ecs
- name: related.user
-- external: ecs
- name: rule.name
-- external: ecs
- name: server.domain
-- external: ecs
- name: server.registered_domain
-- external: ecs
- name: server.subdomain
-- external: ecs
- name: server.top_level_domain
-- external: ecs
- name: service.name
-- external: ecs
- name: source.address
-- external: ecs
- name: source.as.number
-- external: ecs
- name: source.as.organization.name
-- external: ecs
- name: source.bytes
-- external: ecs
- name: source.domain
-- external: ecs
- name: source.geo.city_name
-- external: ecs
- name: source.geo.country_name
-- external: ecs
- name: source.geo.location
-- external: ecs
- name: source.ip
-- external: ecs
- name: source.mac
-- external: ecs
- name: source.nat.ip
-- external: ecs
- name: source.nat.port
-- external: ecs
- name: source.port
-- external: ecs
- name: source.registered_domain
-- external: ecs
- name: source.subdomain
-- external: ecs
- name: source.top_level_domain
-- external: ecs
- name: url.domain
-- external: ecs
- name: url.original
-- external: ecs
- name: url.path
-- external: ecs
- name: url.query
-- external: ecs
- name: url.registered_domain
-- external: ecs
- name: url.top_level_domain
-- external: ecs
- name: user.domain
-- external: ecs
- name: user.full_name
-- external: ecs
- name: user.id
-- external: ecs
- name: user.name
-- external: ecs
- name: user_agent.original
diff --git a/packages/cylance/docs/README.md b/packages/cylance/docs/README.md
index 494b8fd9007..08325a6516b 100644
--- a/packages/cylance/docs/README.md
+++ b/packages/cylance/docs/README.md
@@ -13,104 +13,21 @@ The `protect` dataset collects CylanceProtect logs. | Field | Description | Type | |---|---|---| | @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | -| client.domain | The domain name of the client system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| client.registered_domain | The highest registered client domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| client.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | -| client.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). 
Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| container.id | Unique container id. | keyword | | data_stream.dataset | Data stream dataset. | constant_keyword | | data_stream.namespace | Data stream namespace. | constant_keyword | | data_stream.type | Data stream type. | constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| destination.as.organization.name | Organization name. | keyword | -| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | -| destination.bytes | Bytes sent from the destination to the source. | long | -| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| destination.geo.city_name | City name. | keyword | -| destination.geo.country_name | Country name. | keyword | -| destination.geo.location | Longitude and latitude. | geo_point | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.mac | MAC address of the destination. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | -| destination.nat.ip | Translated ip of destination based NAT sessions (e.g. 
internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip | -| destination.nat.port | Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers. | long | -| destination.port | Port of the destination. | long | -| destination.registered_domain | The highest registered destination domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| destination.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | -| destination.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| dns.answers.name | The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. 
| keyword | -| dns.answers.type | The type of data contained in this resource record. | keyword | | dns.question.domain | Server domain. | keyword | -| dns.question.registered_domain | The highest registered domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| dns.question.subdomain | The subdomain is all of the labels under the registered_domain. If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | -| dns.question.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| dns.question.type | The type of record being queried. | keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.message | Error message. | match_only_text | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.code | Identification code for this event, if one exists. 
Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword | | event.dataset | Event dataset | constant_keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | | event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. 
For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword | -| file.attributes | Array of file attributes. Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. | keyword | -| file.directory | Directory where the file is located. It should include the drive letter, when appropriate. | keyword | -| file.extension | File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | -| file.name | Name of the file including the extension, without the directory. | keyword | -| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword | -| file.path.text | Multi-field of `file.path`. | match_only_text | -| file.size | File size in bytes. Only relevant when `file.type` is "file". | long | -| file.type | File type (file, dir, or symlink). | keyword | | geo.city_name | City name. | keyword | | geo.country_name | Country name. | keyword | | geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | | geo.region_name | Region name. 
| keyword | -| group.id | Unique identifier for the group on the system/platform. | keyword | -| group.name | Name of the group. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | -| host.name | Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name (FQDN), or a name specified by the user. The recommended value is the lowercase FQDN of the host. | keyword | -| http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword | -| http.request.referrer | Referrer for this HTTP request. | keyword | | input.type | Type of Filebeat input. | keyword | -| log.file.path | Full path to the log file this event came from. | keyword | | log.flags | Flags for the log file. | keyword | -| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | | log.offset | Offset of the entry in the log file. | long | | log.source.address | Source address from which the log event was read / sent from. | keyword | -| log.syslog.facility.code | The Syslog numeric facility of the log event, if available. According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. 
| long | -| log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 \* facility + severity. This number is therefore expected to contain a value between 0 and 191. | long | -| log.syslog.severity.code | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. | long | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| network.application | When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. The field value must be normalized to lowercase for querying. | keyword | -| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | -| network.direction | Direction of the network traffic. When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". 
Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | | network.interface.name | | keyword | -| network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| observer.egress.interface.name | Interface name as reported by the system. | keyword | -| observer.ingress.interface.name | Interface name as reported by the system. | keyword | -| observer.product | The product name of the observer. | keyword | -| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword | -| observer.vendor | Vendor name of the observer. | keyword | -| observer.version | Observer version. | keyword | -| process.name | Process name. Sometimes called program name or similar. | keyword | -| process.name.text | Multi-field of `process.name`. | match_only_text | -| process.parent.name | Process name. Sometimes called program name or similar. | keyword | -| process.parent.name.text | Multi-field of `process.parent.name`. | match_only_text | -| process.parent.pid | Process id. | long | -| process.parent.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. 
| keyword | -| process.parent.title.text | Multi-field of `process.parent.title`. | match_only_text | -| process.pid | Process id. | long | -| process.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword | -| process.title.text | Multi-field of `process.title`. | match_only_text | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| related.user | All the user names or other user identifiers seen on the event. | keyword | | rsa.counters.dclass_c1 | This is a generic counter key that should be used with the label dclass.c1.str only | long | | rsa.counters.dclass_c1_str | This is a generic counter string key that should be used with the label dclass.c1 only | keyword | | rsa.counters.dclass_c2 | This is a generic counter key that should be used with the label dclass.c2.str only | long | 
@@ -783,42 +700,3 @@ The `protect` dataset collects CylanceProtect logs.
 | rsa.wireless.wlan_channel | This is used to capture the channel names | long |
 | rsa.wireless.wlan_name | This key captures either WLAN number/name | keyword |
 | rsa.wireless.wlan_ssid | This key is used to capture the ssid of a Wireless Session | keyword |
-| rule.name | The name of the rule or signature generating the event. | keyword |
-| server.domain | The domain name of the server system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
-| server.registered_domain | The highest registered server domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
-| server.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword |
-| server.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org).
Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
-| service.name | Name of the service data is collected from. The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. | keyword |
-| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| source.as.organization.name | Organization name. | keyword |
-| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text |
-| source.bytes | Bytes sent from the source to the destination. | long |
-| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
-| source.geo.city_name | City name. | keyword |
-| source.geo.country_name | Country name. | keyword |
-| source.geo.location | Longitude and latitude. | geo_point |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.mac | MAC address of the source. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.
| keyword |
-| source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip |
-| source.nat.port | Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers. | long |
-| source.port | Port of the source. | long |
-| source.registered_domain | The highest registered source domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
-| source.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword |
-| source.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
-| tags | List of keywords used to tag each event. | keyword |
-| url.domain | Domain of the url, such as "www.elastic.co".
In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword |
-| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard |
-| url.original.text | Multi-field of `url.original`. | match_only_text |
-| url.path | Path of the request, such as "/search". | wildcard |
-| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword |
-| url.registered_domain | The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
-| url.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
-| user.domain | Name of the directory the user is a member of.
For example, an LDAP or Active Directory domain name. | keyword |
-| user.full_name | User's full name, if available. | keyword |
-| user.full_name.text | Multi-field of `user.full_name`. | match_only_text |
-| user.id | Unique identifier of the user. | keyword |
-| user.name | Short name or login of the user. | keyword |
-| user.name.text | Multi-field of `user.name`. | match_only_text |
-| user_agent.original | Unparsed user_agent string. | keyword |
-| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text |
diff --git a/packages/cylance/manifest.yml b/packages/cylance/manifest.yml
index bf31368efe1..fd17850c1ef 100644
--- a/packages/cylance/manifest.yml
+++ b/packages/cylance/manifest.yml
@@ -1,13 +1,13 @@
 format_version: 2.7.0
 name: cylance
 title: CylanceProtect Logs
-version: "0.19.3"
+version: "0.20.0"
 description: Collect logs from CylanceProtect devices with Elastic Agent.
 categories: ["security", "edr_xdr"]
 type: integration
 conditions:
 kibana:
- version: "^7.14.1 || ^8.0.0"
+ version: "^8.13.0"
 policy_templates:
 - name: protect
 title: CylanceProtect
diff --git a/packages/darktrace/changelog.yml b/packages/darktrace/changelog.yml
index c8bc1e4924d..8d28b1412b4 100644
--- a/packages/darktrace/changelog.yml
+++ b/packages/darktrace/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.18.0"
+ changes:
+ - description: Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/10135
 - version: "1.17.0"
 changes:
 - description: Make `host.mac` field conform to ECS field definition.
diff --git a/packages/darktrace/data_stream/ai_analyst_alert/fields/agent.yml b/packages/darktrace/data_stream/ai_analyst_alert/fields/agent.yml
index 47d5be58da9..d3d659d48f2 100644
--- a/packages/darktrace/data_stream/ai_analyst_alert/fields/agent.yml
+++ b/packages/darktrace/data_stream/ai_analyst_alert/fields/agent.yml 
@@ -5,143 +5,15 @@
 footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
 type: group
 fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
 - name: image.id
 type: keyword
 description: Image ID for the cloud instance.
-- name: container
- title: Container
- group: 2
- description: 'Container fields are used for meta information about the specific container that is the source of information.
These fields help correlate data based containers from any runtime.'
- type: group
- fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container id.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
 - name: host
 title: Host
 group: 2
 description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
 type: group
 fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'Name of the domain of which the host is a member. For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
- example: CONTOSO
- default_field: false
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
 - name: containerized
 type: boolean
 description: >-
diff --git a/packages/darktrace/data_stream/ai_analyst_alert/fields/ecs.yml b/packages/darktrace/data_stream/ai_analyst_alert/fields/ecs.yml
deleted file mode 100644
index 4fcab038289..00000000000
--- a/packages/darktrace/data_stream/ai_analyst_alert/fields/ecs.yml
+++ /dev/null
@@ -1,64 +0,0 @@
-- external: ecs
- name: ecs.version
-- external: ecs
- name: event.category
-- external: ecs
- name: event.created
-- external: ecs
- name: event.end
-- external: ecs
- name: event.id
-- external: ecs
- name: event.kind
-- external: ecs
- name: event.original
-- external: ecs
- name: event.reason
-- external: ecs
- name: event.risk_score
-- external: ecs
- name: event.risk_score_norm
-- external: ecs
- name: event.start
-- external: ecs
- name: event.type
-- external: ecs
- name: event.url
-- external: ecs
- name: host.hostname
-- external: ecs
- name: host.id
-- external: ecs
- name: host.ip
-- external: ecs
- name: host.name
-- external: ecs
- name: log.syslog.appname
-- external: ecs
- name: log.syslog.facility.code
-- external: ecs
- name: log.syslog.facility.name
-- external: ecs
- name: log.syslog.hostname
-- external: ecs
- name: log.syslog.priority
-- external: ecs
- name: log.syslog.severity.code
-- external: ecs
- name: log.syslog.severity.name
-- external: ecs
- name: log.syslog.version
-- external: ecs
- name: message
-- external: ecs
- name: related.hosts
-- external: ecs
- name: related.ip
-- external: ecs
- name: rule.name
-- external: ecs
- name: tags
-- external: ecs
- name: threat.enrichments.matched.id
-- external: ecs
- name: threat.group.id
diff --git a/packages/darktrace/data_stream/model_breach_alert/fields/agent.yml b/packages/darktrace/data_stream/model_breach_alert/fields/agent.yml
index 2ad539b9eb2..89c81d2ed1c 100644
--- a/packages/darktrace/data_stream/model_breach_alert/fields/agent.yml
+++ b/packages/darktrace/data_stream/model_breach_alert/fields/agent.yml
@@ -5,143 +5,15 @@
 footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
 type: group
 fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
 - name: image.id
 type: keyword
 description: Image ID for the cloud instance.
-- name: container
- title: Container
- group: 2
- description: 'Container fields are used for meta information about the specific container that is the source of information.
These fields help correlate data based containers from any runtime.'
- type: group
- fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container id.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
 - name: host
 title: Host
 group: 2
 description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
 type: group
 fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'Name of the domain of which the host is a member. For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
- example: CONTOSO
- default_field: false
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
 - name: containerized
 type: boolean
 description: >-
diff --git a/packages/darktrace/data_stream/model_breach_alert/fields/ecs.yml b/packages/darktrace/data_stream/model_breach_alert/fields/ecs.yml
deleted file mode 100644
index 2b34237b623..00000000000
--- a/packages/darktrace/data_stream/model_breach_alert/fields/ecs.yml
+++ /dev/null
@@ -1,74 +0,0 @@
-- external: ecs
- name: ecs.version
-- external: ecs
- name: event.action
-- external: ecs
- name: event.category
-- external: ecs
- name: event.created
-- external: ecs
- name: event.kind
-- external: ecs
- name: event.original
-- external: ecs
- name: event.risk_score
-- external: ecs
- name: event.risk_score_norm
-- external: ecs
- name: event.severity
-- external: ecs
- name: event.start
-- external: ecs
- name: event.type
-- external: ecs
- name: event.url
-- external: ecs
- name: host.hostname
-- external: ecs
- name: host.id
-- external: ecs
- name: host.ip
-- external: ecs
- name: host.type
-- external: ecs
- name: log.syslog.appname
-- external: ecs
- name: log.syslog.facility.code
-- external: ecs
- name: log.syslog.facility.name
-- external: ecs
- name: log.syslog.hostname
-- external: ecs
- name: log.syslog.priority
-- external: ecs
- name: log.syslog.severity.code
-- external: ecs
- name: log.syslog.severity.name
-- external: ecs
- name: log.syslog.version
-- external: ecs
- name: related.hosts
-- external: ecs
- name: related.ip
-- external: ecs
- name: related.user
-- external: ecs
- name: rule.author
-- external: ecs
- name: rule.category
-- external: ecs
- name: rule.description
-- external: ecs
- name: rule.name
-- external: ecs
- name: rule.ruleset
-- external: ecs
- name: rule.uuid
-- external: ecs
- name: rule.version
-- external: ecs
- name: tags
-- external: ecs
- name: threat.technique.id
-- external: ecs
- name: threat.technique.name
diff --git a/packages/darktrace/data_stream/system_status_alert/fields/agent.yml b/packages/darktrace/data_stream/system_status_alert/fields/agent.yml
index feb71b5a75f..d3d659d48f2 100644
--- a/packages/darktrace/data_stream/system_status_alert/fields/agent.yml
+++ b/packages/darktrace/data_stream/system_status_alert/fields/agent.yml
@@ -5,153 +5,15 @@
 footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
 type: group
 fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
 - name: image.id
 type: keyword
 description: Image ID for the cloud instance.
-- name: container
- title: Container
- group: 2
- description: 'Container fields are used for meta information about the specific container that is the source of information.
These fields help correlate data based containers from any runtime.'
- type: group
- fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container id.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
 - name: host
 title: Host
 group: 2
 description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
 type: group
 fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'Name of the domain of which the host is a member. For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
- example: CONTOSO
- default_field: false
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`.'
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
 - name: containerized
 type: boolean
 description: >-
diff --git a/packages/darktrace/data_stream/system_status_alert/fields/ecs.yml b/packages/darktrace/data_stream/system_status_alert/fields/ecs.yml
deleted file mode 100644
index f2acb655a91..00000000000
--- a/packages/darktrace/data_stream/system_status_alert/fields/ecs.yml
+++ /dev/null
@@ -1,48 +0,0 @@
-- external: ecs
- name: ecs.version
-- external: ecs
- name: event.category
-- external: ecs
- name: event.created
-- external: ecs
- name: event.id
-- external: ecs
- name: event.kind
-- external: ecs
- name: event.original
-- external: ecs
- name: event.reason
-- external: ecs
- name: event.risk_score
-- external: ecs
- name: event.risk_score_norm
-- external: ecs
- name: event.type
-- external: ecs
- name: event.url
-- external: ecs
- name: host.hostname
-- external: ecs
- name: host.ip
-- external: ecs
- name: log.syslog.appname
-- external: ecs
- name: log.syslog.facility.code
-- external: ecs
- name: log.syslog.facility.name
-- external: ecs
- name: log.syslog.hostname
-- external: ecs
- name: log.syslog.priority
-- external: ecs
- name: log.syslog.severity.code
-- external: ecs
- name: log.syslog.severity.name
-- external: ecs
- name: log.syslog.version
-- external: ecs
- name: related.hosts
-- external: ecs
- name: related.ip
-- external: ecs
- name: tags
diff --git a/packages/darktrace/docs/README.md b/packages/darktrace/docs/README.md
index d53a8e5530f..2ea9d7a4ba7 100644
--- a/packages/darktrace/docs/README.md
+++ b/packages/darktrace/docs/README.md
@@ -357,19 +357,7 @@ An example event for `ai_analyst_alert` looks as following:
 | Field | Description | Type |
 |---|---|---|
 | @timestamp | Event timestamp. | date |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
 | cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
 | darktrace.ai_analyst_alert.activity_id | An identifier for the specific activity detected by AI Analyst. If groupByActivity=true , this field should be used to group events together into an incident. | keyword |
 | darktrace.ai_analyst_alert.aia_score | The score of the event as classified by AI Analyst - out of 100. | double |
 | darktrace.ai_analyst_alert.attack_phases | Of the six attack phases, which phases are applicable to the activity. | long |
@@ -418,56 +406,14 @@ An example event for `ai_analyst_alert` looks as following: | data_stream.dataset | Data stream dataset. | constant_keyword | | data_stream.namespace | Data stream namespace. | constant_keyword | | data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date | | event.dataset | Event dataset. | constant_keyword | -| event.end | `event.end` contains the date when the event ended or when the activity was last observed. | date | -| event.id | Unique ID to describe the event. 
| keyword | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword | | event.module | Event module. | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.reason | Reason why this event happened, according to the source. This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). | keyword | -| event.risk_score | Risk score or priority of the event (e.g. security solutions). Use your system's original value here. | float | -| event.risk_score_norm | Normalized risk score or priority of the event, on a scale of 0 to 100. This is mainly useful if you use more than one system that assigns risk scores, and you want to see a normalized value across all systems. 
| float | -| event.start | `event.start` contains the date when the event started or when the activity was first observed. | date | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| event.url | URL linking to an external system to continue investigation of this event. This URL links to another system where in-depth investigation of the specific occurrence of this event can take place. Alert events, indicated by `event.kind:alert`, are a common use case for this field. | keyword | -| host.architecture | Operating system architecture. | keyword | | host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name (FQDN), or a name specified by the user. The recommended value is the lowercase FQDN of the host. | keyword | | host.os.build | OS build information. | keyword | | host.os.codename | OS codename, if any. 
| keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | input.type | Input type | keyword | | log.offset | Log offset | long | | log.source.address | Source address from which the log event was read / sent from. | keyword | -| log.syslog.appname | The device or application that originated the Syslog message, if available. | keyword | -| log.syslog.facility.code | The Syslog numeric facility of the log event, if available. According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. | long | -| log.syslog.facility.name | The Syslog text-based facility of the log event, if available. | keyword | -| log.syslog.hostname | The hostname, FQDN, or IP of the machine that originally sent the Syslog message. This is sourced from the hostname field of the syslog header. Depending on the environment, this value may be different from the host that handled the event, especially if the host handling the events is acting as a collector. | keyword | -| log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 \* facility + severity. This number is therefore expected to contain a value between 0 and 191. | long | -| log.syslog.severity.code | The Syslog numeric severity of the log event, if available. 
If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. | long | -| log.syslog.severity.name | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different severity value (e.g. firewall, IDS), your source's text severity should go to `log.level`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `log.level`. | keyword | -| log.syslog.version | The version of the Syslog protocol specification. Only applicable for RFC 5424 messages. | keyword | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| rule.name | The name of the rule or signature generating the event. | keyword | -| tags | List of keywords used to tag each event. | keyword | -| threat.enrichments.matched.id | Identifies the _id of the indicator document enriching the event. | keyword | -| threat.group.id | The id of the group for a set of related intrusion activity that are tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® group id. | keyword | ### model_breach_alert 
@@ -1072,19 +1018,7 @@ An example event for `model_breach_alert` looks as following: | Field | Description | Type | |---|---|---| | @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | | cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | | darktrace.model_breach_alert.aianalyst_data.related | | long | | darktrace.model_breach_alert.aianalyst_data.summariser | | keyword | | darktrace.model_breach_alert.aianalyst_data.uuid | | keyword | 
@@ -1214,62 +1148,14 @@ An example event for `model_breach_alert` looks as following: | data_stream.dataset | Data stream dataset. | constant_keyword | | data_stream.namespace | Data stream namespace. | constant_keyword | | data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. 
| date | | event.dataset | Event dataset. | constant_keyword | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword | | event.module | Event module. | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.risk_score | Risk score or priority of the event (e.g. security solutions). Use your system's original value here. | float | -| event.risk_score_norm | Normalized risk score or priority of the event, on a scale of 0 to 100. This is mainly useful if you use more than one system that assigns risk scores, and you want to see a normalized value across all systems. | float | -| event.severity | The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). 
If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. | long | -| event.start | `event.start` contains the date when the event started or when the activity was first observed. | date | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| event.url | URL linking to an external system to continue investigation of this event. This URL links to another system where in-depth investigation of the specific occurrence of this event can take place. Alert events, indicated by `event.kind:alert`, are a common use case for this field. | keyword | -| host.architecture | Operating system architecture. | keyword | | host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. 
| keyword | | host.os.build | OS build information. | keyword | | host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | input.type | Input type | keyword | | log.offset | Log offset | long | | log.source.address | Source address from which the log event was read / sent from. | keyword | -| log.syslog.appname | The device or application that originated the Syslog message, if available. | keyword | -| log.syslog.facility.code | The Syslog numeric facility of the log event, if available. According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. | long | -| log.syslog.facility.name | The Syslog text-based facility of the log event, if available. | keyword | -| log.syslog.hostname | The hostname, FQDN, or IP of the machine that originally sent the Syslog message. This is sourced from the hostname field of the syslog header. Depending on the environment, this value may be different from the host that handled the event, especially if the host handling the events is acting as a collector. | keyword | -| log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 \* facility + severity. This number is therefore expected to contain a value between 0 and 191. 
| long | -| log.syslog.severity.code | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. | long | -| log.syslog.severity.name | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different severity value (e.g. firewall, IDS), your source's text severity should go to `log.level`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `log.level`. | keyword | -| log.syslog.version | The version of the Syslog protocol specification. Only applicable for RFC 5424 messages. | keyword | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| rule.author | Name, organization, or pseudonym of the author or authors who created the rule used to generate this event. | keyword | -| rule.category | A categorization value keyword used by the entity using the rule for detection of this event. | keyword | -| rule.description | The description of the rule generating the event. | keyword | -| rule.name | The name of the rule or signature generating the event. | keyword | -| rule.ruleset | Name of the ruleset, policy, group, or parent category in which the rule used to generate this event is a member. | keyword | -| rule.uuid | A rule ID that is unique within the scope of a set or group of agents, observers, or other entities using the rule for detection of this event. 
| keyword | -| rule.version | The version / revision of the rule being used for analysis. | keyword | -| tags | List of keywords used to tag each event. | keyword | -| threat.technique.id | The id of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) | keyword | -| threat.technique.name | The name of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) | keyword | -| threat.technique.name.text | Multi-field of `threat.technique.name`. | match_only_text | ### system_status_alert 
@@ -1383,19 +1269,7 @@ An example event for `system_status_alert` looks as following: | Field | Description | Type | |---|---|---| | @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | | cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | | darktrace.system_status_alert.acknowledge_timeout | When acknowledgement of the alert expires. As alerts are sent externally on creation before acknowledgement is possible, this will be null in almost all cases. | keyword | | darktrace.system_status_alert.alert_name | A human readable name of the alert type. | keyword | | darktrace.system_status_alert.child_id | For probes (physical or virtual), the unique ID associated with the probe. | long | 
@@ -1423,47 +1297,11 @@ An example event for `system_status_alert` looks as following: | data_stream.dataset | Data stream dataset. | constant_keyword | | data_stream.namespace | Data stream namespace. | constant_keyword | | data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date | | event.dataset | Event dataset. | constant_keyword | -| event.id | Unique ID to describe the event. | keyword | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. 
`event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword | | event.module | Event module. | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.reason | Reason why this event happened, according to the source. This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). | keyword | -| event.risk_score | Risk score or priority of the event (e.g. security solutions). Use your system's original value here. | float | -| event.risk_score_norm | Normalized risk score or priority of the event, on a scale of 0 to 100. This is mainly useful if you use more than one system that assigns risk scores, and you want to see a normalized value across all systems. | float | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. 
`event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| event.url | URL linking to an external system to continue investigation of this event. This URL links to another system where in-depth investigation of the specific occurrence of this event can take place. Alert events, indicated by `event.kind:alert`, are a common use case for this field. | keyword | -| host.architecture | Operating system architecture. | keyword | | host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | host.os.build | OS build information. | keyword | | host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. 
| text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | input.type | Input type | keyword | | log.offset | Log offset | long | | log.source.address | Source address from which the log event was read / sent from. | keyword | -| log.syslog.appname | The device or application that originated the Syslog message, if available. | keyword | -| log.syslog.facility.code | The Syslog numeric facility of the log event, if available. According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. | long | -| log.syslog.facility.name | The Syslog text-based facility of the log event, if available. | keyword | -| log.syslog.hostname | The hostname, FQDN, or IP of the machine that originally sent the Syslog message. This is sourced from the hostname field of the syslog header. Depending on the environment, this value may be different from the host that handled the event, especially if the host handling the events is acting as a collector. | keyword | -| log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 \* facility + severity. This number is therefore expected to contain a value between 0 and 191. | long | -| log.syslog.severity.code | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. 
| long | -| log.syslog.severity.name | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different severity value (e.g. firewall, IDS), your source's text severity should go to `log.level`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `log.level`. | keyword | -| log.syslog.version | The version of the Syslog protocol specification. Only applicable for RFC 5424 messages. | keyword | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| tags | List of keywords used to tag each event. | keyword | diff --git a/packages/darktrace/manifest.yml b/packages/darktrace/manifest.yml index 750fa88fd76..0d916f6bbd0 100644 --- a/packages/darktrace/manifest.yml +++ b/packages/darktrace/manifest.yml @@ -1,7 +1,7 @@ format_version: "3.0.3" name: darktrace title: Darktrace -version: "1.17.0" +version: "1.18.0" description: Collect logs from Darktrace with Elastic Agent. type: integration categories: @@ -9,7 +9,7 @@ categories: - network_security conditions: kibana: - version: ^8.12.0 + version: "^8.13.0" screenshots: - src: /img/darktrace-screenshot.png title: Darktrace Model Breach Alert Dashboard Screenshot diff --git a/packages/entityanalytics_ad/_dev/build/build.yml b/packages/entityanalytics_ad/_dev/build/build.yml index 71f48ba2a9c..2bfcfc223b0 100644 --- a/packages/entityanalytics_ad/_dev/build/build.yml +++ b/packages/entityanalytics_ad/_dev/build/build.yml @@ -1,4 +1,3 @@ dependencies: ecs: reference: "git@v8.11.0" - import_mappings: true diff --git a/packages/entityanalytics_ad/changelog.yml b/packages/entityanalytics_ad/changelog.yml index e67c14252eb..cd042752c93 100644 --- a/packages/entityanalytics_ad/changelog.yml +++ b/packages/entityanalytics_ad/changelog.yml 
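Review bot: Dropping `import_mappings: true` makes the package depend on the stack's `ecs@mappings` component template for every ECS field it no longer declares itself, so the package's `conditions.kibana.version` needs to be raised to a stack that ships that template, as the darktrace manifest hunk in this same patch does with `version: "^8.13.0"`. The entityanalytics_ad manifest hunk visible here only bumps the package version and does not show the `conditions` block, so confirm that constraint is updated as well; the entityanalytics_okta build.yml hunk makes the identical change and needs the same check. Any field that is neither declared in the package's `fields.yml` nor covered by `ecs@mappings` would otherwise fall back to dynamic mapping, which can change its type (keyword vs. text, for example) and break detection rules that query it.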
@@ -1,4 +1,9 @@ # newer versions go on top +- version: "0.1.0" + changes: + - description: Removed import_mappings. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template. + type: enhancement + link: https://github.com/elastic/integrations/pull/10135 - version: "0.0.1" changes: - description: Initial Release. diff --git a/packages/entityanalytics_ad/data_stream/user/_dev/test/pipeline/test-user.json b/packages/entityanalytics_ad/data_stream/user/_dev/test/pipeline/test-user.json index 3e17d54c42d..63fc5ab8c4e 100644 --- a/packages/entityanalytics_ad/data_stream/user/_dev/test/pipeline/test-user.json +++ b/packages/entityanalytics_ad/data_stream/user/_dev/test/pipeline/test-user.json @@ -354,6 +354,15 @@ "id": "CN=krbtgt,CN=Users,DC=testserver,DC=local" } }, - {"@timestamp":"2024-03-27T21:30:18.980Z","event":{"action":"completed","end":"2024-03-27T21:30:18.980Z"},"labels":{"identity_source":"entity-analytics-entityanalytics_ad.user-8c3c1f67-428d-4a95-a6de-69a2b8f952c3"}} + { + "@timestamp": "2024-03-27T21:30:18.980Z", + "event": { + "action": "completed", + "end": "2024-03-27T21:30:18.980Z" + }, + "labels": { + "identity_source": "entity-analytics-entityanalytics_ad.user-8c3c1f67-428d-4a95-a6de-69a2b8f952c3" + } + } ] } \ No newline at end of file diff --git a/packages/entityanalytics_ad/data_stream/user/fields/beats.yml b/packages/entityanalytics_ad/data_stream/user/fields/beats.yml index a43f4ff852c..3382e376e77 100644 --- a/packages/entityanalytics_ad/data_stream/user/fields/beats.yml +++ b/packages/entityanalytics_ad/data_stream/user/fields/beats.yml @@ -1,6 +1,3 @@ - name: input.type type: keyword description: Type of filebeat input. -- name: tags - type: keyword - description: User defined tags. diff --git a/packages/entityanalytics_ad/data_stream/user/fields/fields.yml b/packages/entityanalytics_ad/data_stream/user/fields/fields.yml index 75a4a0ed1e5..e14a3001d73 100644 
--- a/packages/entityanalytics_ad/data_stream/user/fields/fields.yml +++ b/packages/entityanalytics_ad/data_stream/user/fields/fields.yml @@ -119,6 +119,5 @@ type: date - name: when_created type: date - - name: when_changed type: date diff --git a/packages/entityanalytics_ad/docs/README.md b/packages/entityanalytics_ad/docs/README.md index e221b8e3bbe..faf38f3f360 100644 --- a/packages/entityanalytics_ad/docs/README.md +++ b/packages/entityanalytics_ad/docs/README.md @@ -202,7 +202,6 @@ An example event for `user` looks as following: | event.module | Event module. | constant_keyword | | input.type | Type of filebeat input. | keyword | | labels.identity_source | | keyword | -| tags | User defined tags. | keyword | | user.account.activated_date | | date | | user.account.change_date | | date | | user.account.create_date | | date | diff --git a/packages/entityanalytics_ad/manifest.yml b/packages/entityanalytics_ad/manifest.yml index 9e4f5f16520..5a0972bcd09 100644 --- a/packages/entityanalytics_ad/manifest.yml +++ b/packages/entityanalytics_ad/manifest.yml @@ -1,7 +1,7 @@ format_version: "3.0.2" name: entityanalytics_ad title: Active Directory Entity Analytics -version: "0.0.1" +version: "0.1.0" description: "Collect User Identities from Active Directory Entity with Elastic Agent." type: integration categories: diff --git a/packages/entityanalytics_okta/_dev/build/build.yml b/packages/entityanalytics_okta/_dev/build/build.yml index 71f48ba2a9c..2bfcfc223b0 100644 --- a/packages/entityanalytics_okta/_dev/build/build.yml +++ b/packages/entityanalytics_okta/_dev/build/build.yml @@ -1,4 +1,3 @@ dependencies: ecs: reference: "git@v8.11.0" - import_mappings: true diff --git a/packages/entityanalytics_okta/changelog.yml b/packages/entityanalytics_okta/changelog.yml index ccb00e5a8b7..52ea7b91fd2 100644 --- a/packages/entityanalytics_okta/changelog.yml +++ b/packages/entityanalytics_okta/changelog.yml 
@@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.2.0" + changes: + - description: Removed import_mappings. Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template. + type: enhancement + link: https://github.com/elastic/integrations/pull/10135 - version: "1.1.0" changes: - description: Set sensitive values as secret. diff --git a/packages/entityanalytics_okta/data_stream/user/fields/beats.yml b/packages/entityanalytics_okta/data_stream/user/fields/beats.yml index b3701b581cf..4084f1dc7f5 100644 --- a/packages/entityanalytics_okta/data_stream/user/fields/beats.yml +++ b/packages/entityanalytics_okta/data_stream/user/fields/beats.yml @@ -4,6 +4,3 @@ - name: log.offset type: long description: Log offset. -- name: tags - type: keyword - description: User defined tags. diff --git a/packages/entityanalytics_okta/docs/README.md b/packages/entityanalytics_okta/docs/README.md index c9769b2ba00..9a35f2095dc 100644 --- a/packages/entityanalytics_okta/docs/README.md +++ b/packages/entityanalytics_okta/docs/README.md @@ -324,7 +324,6 @@ An example event for `user` looks as following: | input.type | Type of filebeat input. | keyword | | labels.identity_source | | keyword | | log.offset | Log offset. | long | -| tags | User defined tags. | keyword | | user.account.activated_date | | date | | user.account.change_date | | date | | user.account.create_date | | date | diff --git a/packages/entityanalytics_okta/manifest.yml b/packages/entityanalytics_okta/manifest.yml index d6f3b28bd8c..e7650a2016d 100644 --- a/packages/entityanalytics_okta/manifest.yml +++ b/packages/entityanalytics_okta/manifest.yml 
@@ -1,14 +1,14 @@ format_version: "3.0.2" name: entityanalytics_okta title: Okta Entity Analytics -version: "1.1.0" +version: "1.2.0" description: "Collect User Identities from Okta with Elastic Agent." type: integration categories: - security conditions: kibana: - version: "^8.12.0" + version: "^8.13.0" elastic: subscription: "basic" screenshots: diff --git a/packages/eset_protect/changelog.yml b/packages/eset_protect/changelog.yml index 28c1af82616..792ad666df9 100644 --- a/packages/eset_protect/changelog.yml +++ b/packages/eset_protect/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.1.0" + changes: + - description: Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template. + type: enhancement + link: https://github.com/elastic/integrations/pull/10135 - version: "1.0.0" changes: - description: Release package as GA. diff --git a/packages/eset_protect/data_stream/detection/fields/beats.yml b/packages/eset_protect/data_stream/detection/fields/beats.yml index 2d5ae254634..d5fd38748ba 100644 --- a/packages/eset_protect/data_stream/detection/fields/beats.yml +++ b/packages/eset_protect/data_stream/detection/fields/beats.yml @@ -4,6 +4,3 @@ - name: log.offset type: long description: Log offset. -- name: tags - type: keyword - description: User defined tags. diff --git a/packages/eset_protect/data_stream/device_task/fields/beats.yml b/packages/eset_protect/data_stream/device_task/fields/beats.yml index 2d5ae254634..d5fd38748ba 100644 --- a/packages/eset_protect/data_stream/device_task/fields/beats.yml +++ b/packages/eset_protect/data_stream/device_task/fields/beats.yml @@ -4,6 +4,3 @@ - name: log.offset type: long description: Log offset. -- name: tags - type: keyword - description: User defined tags. diff --git a/packages/eset_protect/data_stream/event/fields/beats.yml b/packages/eset_protect/data_stream/event/fields/beats.yml index 2d5ae254634..d5fd38748ba 100644 
--- a/packages/eset_protect/data_stream/event/fields/beats.yml +++ b/packages/eset_protect/data_stream/event/fields/beats.yml @@ -4,6 +4,3 @@ - name: log.offset type: long description: Log offset. -- name: tags - type: keyword - description: User defined tags. diff --git a/packages/eset_protect/docs/README.md b/packages/eset_protect/docs/README.md index 9f9d7424bdc..2746af7ce61 100644 --- a/packages/eset_protect/docs/README.md +++ b/packages/eset_protect/docs/README.md @@ -252,7 +252,6 @@ An example event for `detection` looks as following: | event.module | Event module. | constant_keyword | | input.type | Type of Filebeat input. | keyword | | log.offset | Log offset. | long | -| tags | User defined tags. | keyword | ### Device Task @@ -386,7 +385,6 @@ An example event for `device_task` looks as following: | event.module | Event module. | constant_keyword | | input.type | Type of Filebeat input. | keyword | | log.offset | Log offset. | long | -| tags | User defined tags. | keyword | ### Event @@ -626,5 +624,4 @@ An example event for `event` looks as following: | input.type | Type of Filebeat input. | keyword | | log.offset | Log offset. | long | | log.source.address | Source address from which the log event was read / sent from. | keyword | -| tags | User defined tags. | keyword | diff --git a/packages/eset_protect/manifest.yml b/packages/eset_protect/manifest.yml index 2d45a0dc4e6..b8d9f67c55f 100644 --- a/packages/eset_protect/manifest.yml +++ b/packages/eset_protect/manifest.yml @@ -1,7 +1,7 @@ format_version: 3.0.3 name: eset_protect title: ESET PROTECT -version: 1.0.0 +version: "1.1.0" description: Collect logs from ESET PROTECT with Elastic Agent. type: integration categories: diff --git a/packages/f5_bigip/changelog.yml b/packages/f5_bigip/changelog.yml index b3e2e596495..e88c271b733 100644 --- a/packages/f5_bigip/changelog.yml +++ b/packages/f5_bigip/changelog.yml 
@@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.17.0" + changes: + - description: Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template. + type: enhancement + link: https://github.com/elastic/integrations/pull/10135 - version: "1.16.0" changes: - description: Clarify the supported events in README. diff --git a/packages/f5_bigip/data_stream/log/fields/agent.yml b/packages/f5_bigip/data_stream/log/fields/agent.yml index 1740ca457d3..b29a069dffd 100644 --- a/packages/f5_bigip/data_stream/log/fields/agent.yml +++ b/packages/f5_bigip/data_stream/log/fields/agent.yml 
@@ -5,162 +5,15 @@ footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' type: group fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - name: image.id type: keyword description: Image ID for the cloud instance. -- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. 
These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. - name: host title: Host group: 2 description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' type: group fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. 
- - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - name: containerized type: boolean description: >- diff --git a/packages/f5_bigip/data_stream/log/fields/ecs.yml b/packages/f5_bigip/data_stream/log/fields/ecs.yml deleted file mode 100644 index a51a91ad790..00000000000 --- a/packages/f5_bigip/data_stream/log/fields/ecs.yml +++ /dev/null 
@@ -1,114 +0,0 @@ -- external: ecs - name: client.ip -- external: ecs - name: destination.domain -- external: ecs - name: destination.ip -- external: ecs - name: destination.port -- external: ecs - name: dns.question.name -- external: ecs - name: dns.question.type -- external: ecs - name: ecs.version -- external: ecs - name: event.action -- external: ecs - name: event.category -- external: ecs - name: event.created -- external: ecs - name: event.kind -- external: ecs - name: event.severity -- external: ecs - name: event.original -- external: ecs - name: event.type -- external: ecs - name: host.geo.country_iso_code -- external: ecs - name: host.geo.continent_name -- external: ecs - name: host.geo.country_name -- external: ecs - name: http.request.method -- external: ecs - name: http.request.referrer -- external: ecs - name: http.response.status_code -- external: ecs - name: http.version -- external: ecs - name: log.file.path -- external: ecs - name: log.level -- external: ecs - name: log.syslog.severity.code -- external: ecs - name: network.application -- external: ecs - name: network.bytes -- external: ecs - name: network.direction -- external: ecs - name: network.protocol -- external: ecs - name: network.transport -- external: ecs - name: related.hosts -- external: ecs - name: related.ip -- external: ecs - name: related.user -- external: ecs - name: server.ip -- external: ecs - name: source.domain -- external: ecs - name: source.ip -- external: ecs - name: source.port -- external: ecs - name: source.user.group.name -- external: ecs - name: source.user.name -- external: ecs - name: tags -- external: ecs - name: url.domain -- external: ecs - name: url.extension -- external: ecs - name: url.fragment -- external: ecs - name: url.original -- external: ecs - name: url.password -- external: ecs - name: url.path -- external: ecs - name: url.port -- external: ecs - name: url.query -- external: ecs - name: url.scheme -- external: ecs - name: url.username -- external: ecs - 
name: user_agent.device.name -- external: ecs - name: user_agent.name -- external: ecs - name: user_agent.original -- external: ecs - name: user_agent.os.full -- external: ecs - name: user_agent.os.name -- external: ecs - name: user_agent.os.version -- external: ecs - name: user_agent.version -- external: ecs - name: user.name diff --git a/packages/f5_bigip/docs/README.md b/packages/f5_bigip/docs/README.md index f9719439fa4..ba4110018b8 100644 --- a/packages/f5_bigip/docs/README.md +++ b/packages/f5_bigip/docs/README.md 
@@ -360,38 +360,12 @@ An example event for `log` looks as following: | Field | Description | Type | |---|---|---| | @timestamp | Event timestamp. | date | -| client.ip | IP address of the client (IPv4 or IPv6). | ip | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | | cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | | data_stream.dataset | Data stream dataset. | constant_keyword | | data_stream.namespace | Data stream namespace. | constant_keyword | | data_stream.type | Data stream type. | constant_keyword | -| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| dns.question.name | The name being queried. 
If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. | keyword | -| dns.question.type | The type of record being queried. | keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. 
In case the two timestamps are identical, `@timestamp` should be used. | date | | event.dataset | Event dataset. | constant_keyword | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword | | event.module | Event module. | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.severity | The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. | long | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. 
`event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | | f5_bigip.log.abandoned_conns | | long | | f5_bigip.log.accept_fails | | long | | f5_bigip.log.accepts | | long | 
@@ -683,78 +657,15 @@ An example event for `log` looks as following: | f5_bigip.log.websocket.message_type | | keyword | | f5_bigip.log.wl_events | | long | | f5_bigip.log.x_forwarded_for_header_value | | ip | -| host.architecture | Operating system architecture. | keyword | | host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.geo.continent_name | Name of the continent. | keyword | -| host.geo.country_iso_code | Country ISO code. | keyword | -| host.geo.country_name | Country name. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | host.os.build | OS build information. | keyword | | host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. 
For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword | -| http.request.referrer | Referrer for this HTTP request. | keyword | -| http.response.status_code | HTTP response status code. | long | -| http.version | HTTP version. | keyword | | input.type | Input type | keyword | | log.file.device_id | ID of the device containing the filesystem where the file resides. | keyword | | log.file.fingerprint | The sha256 fingerprint identity of the file when fingerprinting is enabled. | keyword | | log.file.idxhi | The high-order part of a unique identifier that is associated with a file. (Windows-only) | keyword | | log.file.idxlo | The low-order part of a unique identifier that is associated with a file. (Windows-only) | keyword | | log.file.inode | Inode number of the log file. | keyword | -| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | | log.file.vol | The serial number of the volume that contains a file. (Windows-only) | keyword | -| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | | log.offset | Log offset | long | -| log.syslog.severity.code | The Syslog numeric severity of the log event, if available. 
If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. | long | -| network.application | When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. The field value must be normalized to lowercase for querying. | keyword | -| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | -| network.direction | Direction of the network traffic. When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) 
The field value must be normalized to lowercase for querying. | keyword | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| server.ip | IP address of the server (IPv4 or IPv6). | ip | -| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| source.user.group.name | Name of the group. | keyword | -| source.user.name | Short name or login of the user. | keyword | -| source.user.name.text | Multi-field of `source.user.name`. | match_only_text | -| tags | List of keywords used to tag each event. | keyword | -| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | -| url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | -| url.fragment | Portion of the url after the `#`, such as "top". The `#` is not part of the fragment. 
| keyword | -| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | -| url.original.text | Multi-field of `url.original`. | match_only_text | -| url.password | Password of the request. | keyword | -| url.path | Path of the request, such as "/search". | wildcard | -| url.port | Port of the request, such as 443. | long | -| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword | -| url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword | -| url.username | Username of the request. | keyword | -| user.name | Short name or login of the user. | keyword | -| user.name.text | Multi-field of `user.name`. | match_only_text | -| user_agent.device.name | Name of the device. | keyword | -| user_agent.name | Name of the user agent. | keyword | -| user_agent.original | Unparsed user_agent string. | keyword | -| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text | -| user_agent.os.full | Operating system name, including the version or code name. | keyword | -| user_agent.os.full.text | Multi-field of `user_agent.os.full`. | match_only_text | -| user_agent.os.name | Operating system name, without the version. | keyword | -| user_agent.os.name.text | Multi-field of `user_agent.os.name`. | match_only_text | -| user_agent.os.version | Operating system version as a raw string. | keyword | -| user_agent.version | Version of the user agent. | keyword | 
diff --git a/packages/f5_bigip/manifest.yml b/packages/f5_bigip/manifest.yml index c98266e7225..e4626bfb335 100644 --- a/packages/f5_bigip/manifest.yml +++ b/packages/f5_bigip/manifest.yml @@ -1,14 +1,14 @@ format_version: "3.0.2" name: f5_bigip title: F5 BIG-IP -version: "1.16.0" +version: "1.17.0" description: Collect logs from F5 BIG-IP with Elastic Agent. type: integration categories: - security conditions: kibana: - version: ^8.12.0 + version: "^8.13.0" elastic: subscription: basic screenshots: diff --git a/packages/fireeye/changelog.yml b/packages/fireeye/changelog.yml index ed0e6d63b36..682e74ca1dd 100644 --- a/packages/fireeye/changelog.yml +++ b/packages/fireeye/changelog.yml @@ -1,3 +1,8 @@ +- version: "1.23.0" + changes: + - description: Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template. + type: enhancement + link: https://github.com/elastic/integrations/pull/10135 - version: "1.22.0" changes: - description: Update manifest format version to v3.0.3. diff --git a/packages/fireeye/data_stream/nx/fields/agent.yml b/packages/fireeye/data_stream/nx/fields/agent.yml index 368be734273..ae4fc1ddd0c 100644 --- a/packages/fireeye/data_stream/nx/fields/agent.yml +++ b/packages/fireeye/data_stream/nx/fields/agent.yml 
@@ -5,158 +5,15 @@ footnote: "Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on." type: group fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: "The cloud account or organization id used to identify different entities in a multi-tenant environment.\nExamples: AWS account id, Google Cloud ORG Id, or other unique identifier." - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - name: image.id type: keyword description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: "Container fields are used for meta information about the specific container that is the source of information.\nThese fields help correlate data based containers from any runtime." - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. - name: host title: Host group: 2 description: "A host is defined as a general computing instance.\nECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes." type: group fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: "Name of the domain of which the host is a member.\nFor example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider." - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: "Hostname of the host.\nIt normally contains what the `hostname` command returns on the host machine." - - name: id - level: core - type: keyword - ignore_above: 1024 - description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`." 
- - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: "Name of the host.\nIt can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use." - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: "Type of host.\nFor Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment." - name: containerized type: boolean description: > diff --git a/packages/fireeye/data_stream/nx/fields/ecs.yml b/packages/fireeye/data_stream/nx/fields/ecs.yml deleted file mode 100644 index fa8df0acf96..00000000000 --- a/packages/fireeye/data_stream/nx/fields/ecs.yml +++ /dev/null 
@@ -1,156 +0,0 @@
-- external: ecs
- name: destination.domain
-- external: ecs
- name: destination.ip
-- external: ecs
- name: destination.port
-- external: ecs
- name: destination.bytes
-- external: ecs
- name: destination.packets
-- external: ecs
- name: ecs.version
-- external: ecs
- name: host.ip
-- external: ecs
- name: http.request.method
-- external: ecs
- name: http.request.referrer
-- external: ecs
- name: http.response.body.bytes
-- external: ecs
- name: http.response.status_code
-- external: ecs
- name: http.version
-- external: ecs
- name: http.request.mime_type
-- external: ecs
- name: http.response.bytes
-- external: ecs
- name: log.file.path
-- external: ecs
- name: related.ip
-- external: ecs
- name: related.hash
-- external: ecs
- name: source.bytes
-- external: ecs
- name: source.packets
-- external: ecs
- name: source.address
-- external: ecs
- name: source.port
-- external: ecs
- name: source.as.number
-- external: ecs
- name: source.as.organization.name
-- external: ecs
- name: source.geo.city_name
-- external: ecs
- name: source.geo.continent_name
-- external: ecs
- name: source.geo.country_iso_code
-- external: ecs
- name: source.geo.country_name
-- external: ecs
- name: source.geo.location
-- external: ecs
- name: source.geo.region_iso_code
-- external: ecs
- name: source.geo.region_name
-- external: ecs
- name: source.ip
-- external: ecs
- name: destination.address
-- external: ecs
- name: destination.as.number
-- external: ecs
- name: destination.as.organization.name
-- external: ecs
- name: destination.geo.city_name
-- external: ecs
- name: destination.geo.continent_name
-- external: ecs
- name: destination.geo.country_iso_code
-- external: ecs
- name: destination.geo.country_name
-- external: ecs
- name: destination.geo.location
-- external: ecs
- name: destination.geo.region_iso_code
-- external: ecs
- name: destination.geo.region_name
-- external: ecs
- name: tags
-- external: ecs
- name: url.domain
-- external: ecs
- name: url.extension
-- external: ecs
- name: url.fragment
-- external: ecs
- name: url.original
-- external: ecs
- name: url.path
-- external: ecs
- name: url.scheme
-- external: ecs
- name: user.name
-- external: ecs
- name: user_agent.device.name
-- external: ecs
- name: user_agent.name
-- external: ecs
- name: user_agent.original
-- external: ecs
- name: user_agent.os.full
-- external: ecs
- name: user_agent.os.name
-- external: ecs
- name: user_agent.os.version
-- external: ecs
- name: user_agent.version
-- external: ecs
- name: network.transport
-- external: ecs
- name: network.protocol
-- external: ecs
- name: network.community_id
-- external: ecs
- name: network.iana_number
-- external: ecs
- name: event.type
-- external: ecs
- name: observer.ingress.interface.name
-- external: ecs
- name: dns.response_code
-- external: ecs
- name: dns.question.name
-- external: ecs
- name: dns.question.type
-- external: ecs
- name: dns.answers.ttl
-- external: ecs
- name: dns.type
-- external: ecs
- name: dns.id
-- external: ecs
- name: tls.client.issuer
-- external: ecs
- name: tls.client.ja3
-- external: ecs
- name: tls.client.not_before
-- external: ecs
- name: tls.client.not_after
-- external: ecs
- name: tls.client.server_name
-- external: ecs
- name: tls.client.subject
-- external: ecs
- name: tls.server.ja3s
-- external: ecs
- name: tls.version
-- external: ecs
- name: observer.product
-- external: ecs
- name: observer.vendor
diff --git a/packages/fireeye/docs/README.md b/packages/fireeye/docs/README.md
index efea6222503..bd7c2de556d 100644
--- a/packages/fireeye/docs/README.md
+++ b/packages/fireeye/docs/README.md
@@ -17,48 +17,12 @@ The `nx` integration ingests network security logs from FireEye NX through TCP/U
| Field | Description | Type |
|---|---|---|
| @timestamp | Event timestamp. | date |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
| data_stream.dataset | Data stream dataset. | constant_keyword |
| data_stream.namespace | Data stream namespace. | constant_keyword |
| data_stream.type | Data stream type. | constant_keyword |
-| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| destination.as.organization.name | Organization name. | keyword |
-| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text |
-| destination.bytes | Bytes sent from the destination to the source. | long |
-| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
-| destination.geo.city_name | City name. | keyword |
-| destination.geo.continent_name | Name of the continent. | keyword |
-| destination.geo.country_iso_code | Country ISO code. | keyword |
-| destination.geo.country_name | Country name. | keyword |
-| destination.geo.location | Longitude and latitude. | geo_point |
-| destination.geo.region_iso_code | Region ISO code. | keyword |
-| destination.geo.region_name | Region name. | keyword |
-| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
-| destination.packets | Packets sent from the destination to the source. | long |
-| destination.port | Port of the destination. | long |
-| dns.answers.ttl | The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. | long |
-| dns.id | The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. | keyword |
-| dns.question.name | The name being queried. If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. | keyword |
-| dns.question.type | The type of record being queried. | keyword |
-| dns.response_code | The DNS response code. | keyword |
-| dns.type | The type of DNS event captured, query or answer. If your source of DNS events only gives you DNS queries, you should only create dns events of type `dns.type:query`. If your source of DNS events gives you answers as well, you should create one event per query (optionally as soon as the query is seen). And a second event containing all query details as well as an array of answers. | keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
| event.dataset | Event dataset | constant_keyword |
| event.module | Event module | constant_keyword |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
| fireeye.nx.fileinfo.filename | File name. | keyword |
| fireeye.nx.fileinfo.magic | Fileinfo magic. | keyword |
| fireeye.nx.fileinfo.md5 | File hash. | keyword |
@@ -79,94 +43,20 @@ The `nx` integration ingests network security logs from FireEye NX through TCP/U
| fireeye.nx.tcp.tcp_flags | TCP flags. | keyword |
| fireeye.nx.tcp.tcp_flags_tc | TCP flags. | keyword |
| fireeye.nx.tcp.tcp_flags_ts | TCP flags. | keyword |
-| host.architecture | Operating system architecture. | keyword |
| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
| host.os.build | OS build information. | keyword |
| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword |
-| http.request.mime_type | Mime type of the body of the request. This value must only be populated based on the content of the request body, not on the `Content-Type` header. Comparing the mime type of a request with the request's Content-Type header can be helpful in detecting threats or misconfigured clients. | keyword |
-| http.request.referrer | Referrer for this HTTP request. | keyword |
-| http.response.body.bytes | Size in bytes of the response body. | long |
-| http.response.bytes | Total size in bytes of the response (body and headers). | long |
-| http.response.status_code | HTTP response status code. | long |
-| http.version | HTTP version. | keyword |
| input.type | Input type | keyword |
-| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword |
| log.offset | Log offset | long |
| log.source.address | Logs Source Raw address. | keyword |
-| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword |
-| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword |
-| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword |
-| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
-| observer.ingress.interface.name | Interface name as reported by the system. | keyword |
-| observer.product | The product name of the observer. | keyword |
-| observer.vendor | Vendor name of the observer. | keyword |
-| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| source.as.organization.name | Organization name. | keyword |
-| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text |
-| source.bytes | Bytes sent from the source to the destination. | long |
-| source.geo.city_name | City name. | keyword |
-| source.geo.continent_name | Name of the continent. | keyword |
-| source.geo.country_iso_code | Country ISO code. | keyword |
-| source.geo.country_name | Country name. | keyword |
-| source.geo.location | Longitude and latitude. | geo_point |
-| source.geo.region_iso_code | Region ISO code. | keyword |
-| source.geo.region_name | Region name. | keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.packets | Packets sent from the source to the destination. | long |
-| source.port | Port of the source. | long |
-| tags | List of keywords used to tag each event. | keyword |
| tls.client.ciphersuites | TLS cipher suites by client. | long |
| tls.client.fingerprint | TLS fingerprint. | keyword |
-| tls.client.issuer | Distinguished name of subject of the issuer of the x.509 certificate presented by the client. | keyword |
-| tls.client.ja3 | A hash that identifies clients based on how they perform an SSL/TLS handshake. | keyword |
| tls.client.ja3_string | A hash that identifies clients based on how they perform an SSL/TLS handshake. | keyword |
-| tls.client.not_after | Date/Time indicating when client certificate is no longer considered valid. | date |
-| tls.client.not_before | Date/Time indicating when client certificate is first considered valid. | date |
-| tls.client.server_name | Also called an SNI, this tells the server which hostname to which the client is attempting to connect to. When this value is available, it should get copied to `destination.domain`. | keyword |
-| tls.client.subject | Distinguished name of subject of the x.509 certificate presented by the client. | keyword |
| tls.client.tls_exts | TLS extensions set by client. | long |
| tls.public_keylength | TLS public key length. | long |
| tls.server.ciphersuite | TLS cipher suites by server. | long |
-| tls.server.ja3s | A hash that identifies servers based on how they perform an SSL/TLS handshake. | keyword |
| tls.server.ja3s_string | A hash that identifies servers based on how they perform an SSL/TLS handshake. | keyword |
| tls.server.tls_exts | TLS extensions set by server. | long |
-| tls.version | Numeric part of the version parsed from the original string. | keyword |
-| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword |
-| url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword |
-| url.fragment | Portion of the url after the `#`, such as "top". The `#` is not part of the fragment. | keyword |
-| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard |
-| url.original.text | Multi-field of `url.original`. | match_only_text |
-| url.path | Path of the request, such as "/search". | wildcard |
-| url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword |
-| user.name | Short name or login of the user. | keyword |
-| user.name.text | Multi-field of `user.name`. | match_only_text |
-| user_agent.device.name | Name of the device. | keyword |
-| user_agent.name | Name of the user agent. | keyword |
-| user_agent.original | Unparsed user_agent string. | keyword |
-| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text |
-| user_agent.os.full | Operating system name, including the version or code name. | keyword |
-| user_agent.os.full.text | Multi-field of `user_agent.os.full`. | match_only_text |
-| user_agent.os.name | Operating system name, without the version. | keyword |
-| user_agent.os.name.text | Multi-field of `user_agent.os.name`. | match_only_text |
-| user_agent.os.version | Operating system version as a raw string. | keyword |
-| user_agent.version | Version of the user agent. | keyword |
An example event for `nx` looks as following:
diff --git a/packages/fireeye/manifest.yml b/packages/fireeye/manifest.yml
index 3c2e746df22..fbb822585d5 100644
--- a/packages/fireeye/manifest.yml
+++ b/packages/fireeye/manifest.yml
@@ -1,7 +1,7 @@
format_version: "3.0.3"
name: fireeye
title: "FireEye Network Security"
-version: "1.22.0"
+version: "1.23.0"
description: Collect logs from FireEye NX with Elastic Agent.
type: integration
categories:
@@ -9,7 +9,7 @@ categories:
- security
conditions:
kibana:
- version: "^7.16.0 || ^8.0.0"
+ version: "^8.13.0"
icons:
- src: /img/FireEye-logo.svg
title: Fireeye logo
diff --git a/packages/forcepoint_web/changelog.yml b/packages/forcepoint_web/changelog.yml
index 77378378654..0c9f100fca8 100644
--- a/packages/forcepoint_web/changelog.yml
+++ b/packages/forcepoint_web/changelog.yml
@@ -1,4 +1,9 @@
# newer versions go on top
+- version: "1.9.0"
+ changes:
+ - description: Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/10135
- version: "1.8.0"
changes:
- description: Upgrade to package spec 3.0.3.
diff --git a/packages/forcepoint_web/data_stream/logs/fields/ecs.yml b/packages/forcepoint_web/data_stream/logs/fields/ecs.yml
index e5dedbb37b7..adb0dc85322 100644
--- a/packages/forcepoint_web/data_stream/logs/fields/ecs.yml
+++ b/packages/forcepoint_web/data_stream/logs/fields/ecs.yml
@@ -1,222 +1,2 @@
- external: ecs
name: '@timestamp'
-- external: ecs
- name: container.id
-- external: ecs
- name: destination.address
-- external: ecs
- name: destination.as.number
-- external: ecs
- name: destination.as.organization.name
-- external: ecs
- name: destination.bytes
-- external: ecs
- name: destination.domain
-- external: ecs
- name: destination.geo.city_name
-- external: ecs
- name: destination.geo.continent_name
-- external: ecs
- name: destination.geo.country_iso_code
-- external: ecs
- name: destination.geo.country_name
-- external: ecs
- name: destination.geo.location
-- external: ecs
- name: destination.geo.name
-- external: ecs
- name: destination.geo.region_iso_code
-- external: ecs
- name: destination.geo.region_name
-- external: ecs
- name: destination.ip
-- external: ecs
- name: destination.nat.ip
-- external: ecs
- name: destination.nat.port
-- external: ecs
- name: destination.packets
-- external: ecs
- name: destination.port
-- external: ecs
- name: destination.user.email
-- external: ecs
- name: destination.user.name
-- external: ecs
- name: ecs.version
-- external: ecs
- name: error.code
-- external: ecs
- name: error.message
-- external: ecs
- name: event.category
-- external: ecs
- name: event.code
-- external: ecs
- name: event.dataset
-- external: ecs
- name: event.duration
-- external: ecs
- name: event.ingested
-- external: ecs
- name: event.kind
-- external: ecs
- name: event.module
-- external: ecs
- name: event.outcome
-- external: ecs
- name: event.reference
-- external: ecs
- name: event.start
-- external: ecs
- name: event.timezone
-- external: ecs
- name: event.type
-- external: ecs
- name: file.extension
-- external: ecs
- name: file.name
-- external: ecs
- name: file.size
-- external: ecs
- name: http.request.method
-- external: ecs
- name: http.response.status_code
-- external: ecs
- name: log.level
-- external: ecs
- name: message
-- external: ecs
- name: network.application
-- external: ecs
- name: network.bytes
-- external: ecs
- name: network.direction
-- external: ecs
- name: network.iana_number
-- external: ecs
- name: network.transport
-- external: ecs
- name: network.packets
-- external: ecs
- name: network.protocol
-- external: ecs
- name: observer.egress.interface.name
-- external: ecs
- name: observer.ingress.interface.name
-- external: ecs
- name: observer.name
-- external: ecs
- name: observer.product
-- external: ecs
- name: observer.serial_number
-- external: ecs
- name: observer.type
-- external: ecs
- name: observer.vendor
-- external: ecs
- name: related.hash
-- external: ecs
- name: related.hosts
-- external: ecs
- name: related.ip
-- external: ecs
- name: related.user
-- external: ecs
- name: rule.category
-- external: ecs
- name: rule.description
-- external: ecs
- name: rule.id
-- external: ecs
- name: rule.name
-- external: ecs
- name: rule.ruleset
-- external: ecs
- name: rule.uuid
-- external: ecs
- name: source.address
-- external: ecs
- name: source.as.number
-- external: ecs
- name: source.as.organization.name
-- external: ecs
- name: source.bytes
-- external: ecs
- name: source.geo.city_name
-- external: ecs
- name: source.geo.continent_name
-- external: ecs
- name: source.geo.country_iso_code
-- external: ecs
- name: source.geo.country_name
-- external: ecs
- name: source.geo.location
-- external: ecs
- name: source.geo.name
-- external: ecs
- name: source.geo.region_iso_code
-- external: ecs
- name: source.geo.region_name
-- external: ecs
- name: source.ip
-- external: ecs
- name: source.mac
-- external: ecs
- name: source.nat.ip
-- external: ecs
- name: source.nat.port
-- external: ecs
- name: source.packets
-- external: ecs
- name: source.port
-- external: ecs
- name: source.user.email
-- external: ecs
- name: source.user.group.name
-- external: ecs
- name: source.user.name
-- external: ecs
- name: tags
-- external: ecs
- name: tls.client.issuer
-- external: ecs
- name: tls.client.server_name
-- external: ecs
- name: tls.client.x509.issuer.common_name
-- external: ecs
- name: tls.server.issuer
-- external: ecs
- name: tls.server.x509.issuer.common_name
-- external: ecs
- name: tls.server.x509.subject.common_name
-- external: ecs
- name: url.domain
-- external: ecs
- name: url.path
-- external: ecs
- name: url.original
-- external: ecs
- name: url.port
-- external: ecs
- name: url.registered_domain
-- external: ecs
- name: url.scheme
-- external: ecs
- name: url.subdomain
-- external: ecs
- name: url.top_level_domain
-- external: ecs
- name: user.id
-- external: ecs
- name: user.name
-- external: ecs
- name: user_agent.original
-- external: ecs
- name: user_agent.device.name
-- external: ecs
- name: user_agent.name
-- external: ecs
- name: user_agent.version
-- external: ecs
- name: vulnerability.category
diff --git a/packages/forcepoint_web/docs/README.md b/packages/forcepoint_web/docs/README.md
index eef17c16676..a7b7906261b 100644
--- a/packages/forcepoint_web/docs/README.md
+++ b/packages/forcepoint_web/docs/README.md
@@ -207,50 +207,9 @@ The following fields may be used by the package: | Field | Description | Type | |---|---|---| | @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | -| container.id | Unique container id. | keyword | | data_stream.dataset | The field can contain anything that makes sense to signify the source of the data. Examples include `nginx.access`, `prometheus`, `endpoint` etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. `event.dataset` should have the same value as `data_stream.dataset`. Beyond the Elasticsearch data stream naming criteria noted above, the `dataset` value has additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword | | data_stream.namespace | A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with `default`. If no value is used, it falls back to `default`. Beyond the Elasticsearch index naming criteria noted above, `namespace` value has the additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword | | data_stream.type | An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. | constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. 
You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| destination.as.organization.name | Organization name. | keyword | -| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | -| destination.bytes | Bytes sent from the destination to the source. | long | -| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| destination.geo.city_name | City name. | keyword | -| destination.geo.continent_name | Name of the continent. | keyword | -| destination.geo.country_iso_code | Country ISO code. | keyword | -| destination.geo.country_name | Country name. | keyword | -| destination.geo.location | Longitude and latitude. | geo_point | -| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| destination.geo.region_iso_code | Region ISO code. | keyword | -| destination.geo.region_name | Region name. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.nat.ip | Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip | -| destination.nat.port | Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers. 
| long | -| destination.packets | Packets sent from the destination to the source. | long | -| destination.port | Port of the destination. | long | -| destination.user.email | User email address. | keyword | -| destination.user.name | Short name or login of the user. | keyword | -| destination.user.name.text | Multi-field of `destination.user.name`. | match_only_text | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.code | Error code describing the error. | keyword | -| error.message | Error message. | match_only_text | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword | -| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword | -| event.duration | Duration of the event in nanoseconds. 
If `event.start` and `event.end` are known this value should be the difference between the end and start time. | long | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword | -| event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. 
Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| event.reference | Reference URL linking to additional information about this event. This URL links to a static definition of this event. Alert events, indicated by `event.kind:alert`, are a common use case for this field. | keyword | -| event.start | `event.start` contains the date when the event started or when the activity was first observed. | date | -| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| file.extension | File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | -| file.name | Name of the file including the extension, without the directory. | keyword | -| file.size | File size in bytes. Only relevant when `file.type` is "file". 
| long | | forcepoint_web.action | | keyword | | forcepoint_web.category | | keyword | | forcepoint_web.connection_ip | | keyword | 
@@ -266,81 +225,5 @@ The following fields may be used by the package: | forcepoint_web.user | | keyword | | forcepoint_web.user_agent_string | | keyword | | forcepoint_web.workstation | | keyword | -| http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword | -| http.response.status_code | HTTP response status code. | long | | input.type | | keyword | -| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| network.application | When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. The field value must be normalized to lowercase for querying. | keyword | -| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | -| network.direction | Direction of the network traffic. When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". 
When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword | -| network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| observer.egress.interface.name | Interface name as reported by the system. | keyword | -| observer.ingress.interface.name | Interface name as reported by the system. | keyword | -| observer.name | Custom name of the observer. This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. If no custom name is needed, the field can be left empty. | keyword | -| observer.product | The product name of the observer. | keyword | -| observer.serial_number | Observer serial number. 
| keyword | -| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword | -| observer.vendor | Vendor name of the observer. | keyword | -| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| rule.category | A categorization value keyword used by the entity using the rule for detection of this event. | keyword | -| rule.description | The description of the rule generating the event. | keyword | -| rule.id | A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. | keyword | -| rule.name | The name of the rule or signature generating the event. | keyword | -| rule.ruleset | Name of the ruleset, policy, group, or parent category in which the rule used to generate this event is a member. | keyword | -| rule.uuid | A rule ID that is unique within the scope of a set or group of agents, observers, or other entities using the rule for detection of this event. | keyword | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. 
The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.mac | MAC address of the source. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | -| source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip | -| source.nat.port | Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers. | long | -| source.packets | Packets sent from the source to the destination. | long | -| source.port | Port of the source. | long | -| source.user.email | User email address. | keyword | -| source.user.group.name | Name of the group. 
| keyword | -| source.user.name | Short name or login of the user. | keyword | -| source.user.name.text | Multi-field of `source.user.name`. | match_only_text | -| tags | List of keywords used to tag each event. | keyword | -| tls.client.issuer | Distinguished name of subject of the issuer of the x.509 certificate presented by the client. | keyword | -| tls.client.server_name | Also called an SNI, this tells the server which hostname to which the client is attempting to connect to. When this value is available, it should get copied to `destination.domain`. | keyword | -| tls.client.x509.issuer.common_name | List of common name (CN) of issuing certificate authority. | keyword | -| tls.server.issuer | Subject of the issuer of the x.509 certificate presented by the server. | keyword | -| tls.server.x509.issuer.common_name | List of common name (CN) of issuing certificate authority. | keyword | -| tls.server.x509.subject.common_name | List of common names (CN) of subject. | keyword | -| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | -| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | -| url.original.text | Multi-field of `url.original`. | match_only_text | -| url.path | Path of the request, such as "/search". | wildcard | -| url.port | Port of the request, such as 443. | long | -| url.registered_domain | The highest registered url domain, stripped of the subdomain. 
For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword | -| url.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | -| url.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| user.id | Unique identifier of the user. | keyword | -| user.name | Short name or login of the user. | keyword | -| user.name.text | Multi-field of `user.name`. | match_only_text | -| user_agent.device.name | Name of the device. | keyword | -| user_agent.name | Name of the user agent. | keyword | -| user_agent.original | Unparsed user_agent string. | keyword | -| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text | -| user_agent.version | Version of the user agent. 
| keyword | -| vulnerability.category | The type of system or architecture that the vulnerability affects. These may be platform-specific (for example, Debian or SUSE) or general (for example, Database or Firewall). For example (https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm[Qualys vulnerability categories]) This field must be an array. | keyword | diff --git a/packages/forcepoint_web/manifest.yml b/packages/forcepoint_web/manifest.yml index a1a653ccaf5..3af8f057913 100644 --- a/packages/forcepoint_web/manifest.yml +++ b/packages/forcepoint_web/manifest.yml @@ -1,7 +1,7 @@ format_version: "3.0.3" name: forcepoint_web title: "Forcepoint Web Security" -version: "1.8.0" +version: "1.9.0" source: license: "Elastic-2.0" description: "Forcepoint Web Security" @@ -11,7 +11,7 @@ categories: - security conditions: kibana: - version: "^8.5.1" + version: "^8.13.0" elastic: subscription: "basic" screenshots: diff --git a/packages/forgerock/changelog.yml b/packages/forgerock/changelog.yml index 1758e86058a..9e04fb0aa75 100644 --- a/packages/forgerock/changelog.yml +++ b/packages/forgerock/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.18.0" + changes: + - description: Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template. + type: enhancement + link: https://github.com/elastic/integrations/pull/10135 - version: "1.17.1" changes: - description: Fix sample event. diff --git a/packages/forgerock/data_stream/am_access/fields/base-fields.yml b/packages/forgerock/data_stream/am_access/fields/base-fields.yml index 5c15b940850..0f62ee563d1 100644 --- a/packages/forgerock/data_stream/am_access/fields/base-fields.yml +++ b/packages/forgerock/data_stream/am_access/fields/base-fields.yml 
@@ -4,12 +4,6 @@ external: ecs - name: data_stream.namespace external: ecs -- name: event.module - external: ecs - value: forgerock -- name: event.dataset - external: ecs - value: forgerock.audit - name: '@timestamp' external: ecs - name: input.type diff --git a/packages/forgerock/data_stream/am_access/fields/ecs.yml b/packages/forgerock/data_stream/am_access/fields/ecs.yml deleted file mode 100644 index 1d8c46e6ed1..00000000000 --- a/packages/forgerock/data_stream/am_access/fields/ecs.yml +++ /dev/null @@ -1,38 +0,0 @@ -- external: ecs - name: ecs.version -- external: ecs - name: event.id -- external: ecs - name: transaction.id -- external: ecs - name: user.id -- external: ecs - name: client.ip -- external: ecs - name: client.port -- external: ecs - name: client.domain -- external: ecs - name: source.ip -- external: ecs - name: source.port -- external: ecs - name: event.action -- external: ecs - name: http.request.method -- external: ecs - name: event.outcome -- external: ecs - name: http.response.status_code -- external: ecs - name: http.response.body.content -- external: ecs - name: event.duration -- external: ecs - name: server.ip -- external: ecs - name: service.name -- external: ecs - name: observer.vendor -- external: ecs - name: tags diff --git a/packages/forgerock/data_stream/am_activity/fields/base-fields.yml b/packages/forgerock/data_stream/am_activity/fields/base-fields.yml index 5c15b940850..0f62ee563d1 100644 --- a/packages/forgerock/data_stream/am_activity/fields/base-fields.yml +++ b/packages/forgerock/data_stream/am_activity/fields/base-fields.yml @@ -4,12 +4,6 @@ external: ecs - name: data_stream.namespace external: ecs -- name: event.module - external: ecs - value: forgerock -- name: event.dataset - external: ecs - value: forgerock.audit - name: '@timestamp' external: ecs - name: input.type 
diff --git a/packages/forgerock/data_stream/am_activity/fields/ecs.yml b/packages/forgerock/data_stream/am_activity/fields/ecs.yml deleted file mode 100644 index 1e7792dc5b2..00000000000 --- a/packages/forgerock/data_stream/am_activity/fields/ecs.yml +++ /dev/null @@ -1,20 +0,0 @@ -- external: ecs - name: ecs.version -- external: ecs - name: event.id -- external: ecs - name: transaction.id -- external: ecs - name: user.id -- external: ecs - name: tags -- external: ecs - name: observer.vendor -- external: ecs - name: event.action -- external: ecs - name: event.duration -- external: ecs - name: service.name -- external: ecs - name: user.effective.id diff --git a/packages/forgerock/data_stream/am_authentication/fields/base-fields.yml b/packages/forgerock/data_stream/am_authentication/fields/base-fields.yml index 5c15b940850..0f62ee563d1 100644 --- a/packages/forgerock/data_stream/am_authentication/fields/base-fields.yml +++ b/packages/forgerock/data_stream/am_authentication/fields/base-fields.yml @@ -4,12 +4,6 @@ external: ecs - name: data_stream.namespace external: ecs -- name: event.module - external: ecs - value: forgerock -- name: event.dataset - external: ecs - value: forgerock.audit - name: '@timestamp' external: ecs - name: input.type diff --git a/packages/forgerock/data_stream/am_authentication/fields/ecs.yml b/packages/forgerock/data_stream/am_authentication/fields/ecs.yml deleted file mode 100644 index 5c532e03dff..00000000000 --- a/packages/forgerock/data_stream/am_authentication/fields/ecs.yml +++ /dev/null @@ -1,16 +0,0 @@ -- external: ecs - name: ecs.version -- external: ecs - name: event.id -- external: ecs - name: transaction.id -- external: ecs - name: user.id -- external: ecs - name: event.outcome -- external: ecs - name: observer.vendor -- external: ecs - name: tags -- external: ecs - name: service.name 
diff --git a/packages/forgerock/data_stream/am_config/fields/base-fields.yml b/packages/forgerock/data_stream/am_config/fields/base-fields.yml index 5c15b940850..0f62ee563d1 100644 --- a/packages/forgerock/data_stream/am_config/fields/base-fields.yml +++ b/packages/forgerock/data_stream/am_config/fields/base-fields.yml @@ -4,12 +4,6 @@ external: ecs - name: data_stream.namespace external: ecs -- name: event.module - external: ecs - value: forgerock -- name: event.dataset - external: ecs - value: forgerock.audit - name: '@timestamp' external: ecs - name: input.type diff --git a/packages/forgerock/data_stream/am_config/fields/ecs.yml b/packages/forgerock/data_stream/am_config/fields/ecs.yml deleted file mode 100644 index 656f6403ffe..00000000000 --- a/packages/forgerock/data_stream/am_config/fields/ecs.yml +++ /dev/null @@ -1,18 +0,0 @@ -- external: ecs - name: ecs.version -- external: ecs - name: event.id -- external: ecs - name: transaction.id -- external: ecs - name: user.effective.id -- external: ecs - name: event.action -- external: ecs - name: event.category -- external: ecs - name: observer.vendor -- external: ecs - name: tags -- external: ecs - name: user.id diff --git a/packages/forgerock/data_stream/am_core/fields/base-fields.yml b/packages/forgerock/data_stream/am_core/fields/base-fields.yml index 5c15b940850..0f62ee563d1 100644 --- a/packages/forgerock/data_stream/am_core/fields/base-fields.yml +++ b/packages/forgerock/data_stream/am_core/fields/base-fields.yml @@ -4,12 +4,6 @@ external: ecs - name: data_stream.namespace external: ecs -- name: event.module - external: ecs - value: forgerock -- name: event.dataset - external: ecs - value: forgerock.audit - name: '@timestamp' external: ecs - name: input.type diff --git a/packages/forgerock/data_stream/am_core/fields/ecs.yml b/packages/forgerock/data_stream/am_core/fields/ecs.yml deleted file mode 100644 index 878f80a1ed3..00000000000 --- a/packages/forgerock/data_stream/am_core/fields/ecs.yml +++ /dev/null 
@@ -1,18 +0,0 @@ -- external: ecs - name: ecs.version -- external: ecs - name: transaction.id -- external: ecs - name: event.reason -- external: ecs - name: log.level -- external: ecs - name: log.logger -- external: ecs - name: process.name -- external: ecs - name: observer.vendor -- external: ecs - name: error.stack_trace -- external: ecs - name: tags diff --git a/packages/forgerock/data_stream/idm_access/fields/base-fields.yml b/packages/forgerock/data_stream/idm_access/fields/base-fields.yml index 5c15b940850..0f62ee563d1 100644 --- a/packages/forgerock/data_stream/idm_access/fields/base-fields.yml +++ b/packages/forgerock/data_stream/idm_access/fields/base-fields.yml @@ -4,12 +4,6 @@ external: ecs - name: data_stream.namespace external: ecs -- name: event.module - external: ecs - value: forgerock -- name: event.dataset - external: ecs - value: forgerock.audit - name: '@timestamp' external: ecs - name: input.type diff --git a/packages/forgerock/data_stream/idm_access/fields/ecs.yml b/packages/forgerock/data_stream/idm_access/fields/ecs.yml deleted file mode 100644 index ee115549390..00000000000 --- a/packages/forgerock/data_stream/idm_access/fields/ecs.yml +++ /dev/null @@ -1,20 +0,0 @@ -- external: ecs - name: ecs.version -- external: ecs - name: client.ip -- external: ecs - name: client.port -- external: ecs - name: transaction.id -- external: ecs - name: user.id -- external: ecs - name: server.ip -- external: ecs - name: http.request.method -- external: ecs - name: http.response.status_code -- external: ecs - name: observer.vendor -- external: ecs - name: tags diff --git a/packages/forgerock/data_stream/idm_activity/fields/base-fields.yml b/packages/forgerock/data_stream/idm_activity/fields/base-fields.yml index 5c15b940850..0f62ee563d1 100644 --- a/packages/forgerock/data_stream/idm_activity/fields/base-fields.yml +++ b/packages/forgerock/data_stream/idm_activity/fields/base-fields.yml 
@@ -4,12 +4,6 @@
   external: ecs
 - name: data_stream.namespace
   external: ecs
-- name: event.module
-  external: ecs
-  value: forgerock
-- name: event.dataset
-  external: ecs
-  value: forgerock.audit
 - name: '@timestamp'
   external: ecs
 - name: input.type
diff --git a/packages/forgerock/data_stream/idm_activity/fields/ecs.yml b/packages/forgerock/data_stream/idm_activity/fields/ecs.yml
deleted file mode 100644
index db971e84e88..00000000000
--- a/packages/forgerock/data_stream/idm_activity/fields/ecs.yml
+++ /dev/null
@@ -1,14 +0,0 @@
-- external: ecs
-  name: ecs.version
-- external: ecs
-  name: event.id
-- external: ecs
-  name: transaction.id
-- external: ecs
-  name: observer.vendor
-- external: ecs
-  name: tags
-- external: ecs
-  name: user.effective.id
-- external: ecs
-  name: user.id
diff --git a/packages/forgerock/data_stream/idm_authentication/fields/base-fields.yml b/packages/forgerock/data_stream/idm_authentication/fields/base-fields.yml
index 5c15b940850..0f62ee563d1 100644
--- a/packages/forgerock/data_stream/idm_authentication/fields/base-fields.yml
+++ b/packages/forgerock/data_stream/idm_authentication/fields/base-fields.yml
@@ -4,12 +4,6 @@
   external: ecs
 - name: data_stream.namespace
   external: ecs
-- name: event.module
-  external: ecs
-  value: forgerock
-- name: event.dataset
-  external: ecs
-  value: forgerock.audit
 - name: '@timestamp'
   external: ecs
 - name: input.type
diff --git a/packages/forgerock/data_stream/idm_authentication/fields/ecs.yml b/packages/forgerock/data_stream/idm_authentication/fields/ecs.yml
deleted file mode 100644
index 01b02b19d6e..00000000000
--- a/packages/forgerock/data_stream/idm_authentication/fields/ecs.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- external: ecs
-  name: ecs.version
-- external: ecs
-  name: event.id
-- external: ecs
-  name: transaction.id
-- external: ecs
-  name: observer.vendor
-- external: ecs
-  name: tags
-- external: ecs
-  name: user.id
diff --git a/packages/forgerock/data_stream/idm_config/fields/base-fields.yml b/packages/forgerock/data_stream/idm_config/fields/base-fields.yml
index 5c15b940850..0f62ee563d1 100644
--- a/packages/forgerock/data_stream/idm_config/fields/base-fields.yml
+++ b/packages/forgerock/data_stream/idm_config/fields/base-fields.yml
@@ -4,12 +4,6 @@
   external: ecs
 - name: data_stream.namespace
   external: ecs
-- name: event.module
-  external: ecs
-  value: forgerock
-- name: event.dataset
-  external: ecs
-  value: forgerock.audit
 - name: '@timestamp'
   external: ecs
 - name: input.type
diff --git a/packages/forgerock/data_stream/idm_config/fields/ecs.yml b/packages/forgerock/data_stream/idm_config/fields/ecs.yml
deleted file mode 100644
index 34a5570d138..00000000000
--- a/packages/forgerock/data_stream/idm_config/fields/ecs.yml
+++ /dev/null
@@ -1,14 +0,0 @@
-- external: ecs
-  name: ecs.version
-- external: ecs
-  name: event.id
-- external: ecs
-  name: transaction.id
-- external: ecs
-  name: user.id
-- external: ecs
-  name: user.effective.id
-- external: ecs
-  name: observer.vendor
-- external: ecs
-  name: tags
diff --git a/packages/forgerock/data_stream/idm_core/fields/base-fields.yml b/packages/forgerock/data_stream/idm_core/fields/base-fields.yml
index 5c15b940850..0f62ee563d1 100644
--- a/packages/forgerock/data_stream/idm_core/fields/base-fields.yml
+++ b/packages/forgerock/data_stream/idm_core/fields/base-fields.yml
@@ -4,12 +4,6 @@
   external: ecs
 - name: data_stream.namespace
   external: ecs
-- name: event.module
-  external: ecs
-  value: forgerock
-- name: event.dataset
-  external: ecs
-  value: forgerock.audit
 - name: '@timestamp'
   external: ecs
 - name: input.type
diff --git a/packages/forgerock/data_stream/idm_core/fields/ecs.yml b/packages/forgerock/data_stream/idm_core/fields/ecs.yml
deleted file mode 100644
index 3adc3e10518..00000000000
--- a/packages/forgerock/data_stream/idm_core/fields/ecs.yml
+++ /dev/null
@@ -1,6 +0,0 @@
-- external: ecs
-  name: ecs.version
-- external: ecs
-  name: observer.vendor
-- external: ecs
-  name: tags
diff --git a/packages/forgerock/data_stream/idm_sync/fields/base-fields.yml b/packages/forgerock/data_stream/idm_sync/fields/base-fields.yml
index 5c15b940850..0f62ee563d1 100644
--- a/packages/forgerock/data_stream/idm_sync/fields/base-fields.yml
+++ b/packages/forgerock/data_stream/idm_sync/fields/base-fields.yml
@@ -4,12 +4,6 @@
   external: ecs
 - name: data_stream.namespace
   external: ecs
-- name: event.module
-  external: ecs
-  value: forgerock
-- name: event.dataset
-  external: ecs
-  value: forgerock.audit
 - name: '@timestamp'
   external: ecs
 - name: input.type
diff --git a/packages/forgerock/data_stream/idm_sync/fields/ecs.yml b/packages/forgerock/data_stream/idm_sync/fields/ecs.yml
deleted file mode 100644
index e5a6d114b6d..00000000000
--- a/packages/forgerock/data_stream/idm_sync/fields/ecs.yml
+++ /dev/null
@@ -1,14 +0,0 @@
-- external: ecs
-  name: ecs.version
-- external: ecs
-  name: event.id
-- external: ecs
-  name: transaction.id
-- external: ecs
-  name: user.id
-- external: ecs
-  name: event.outcome
-- external: ecs
-  name: observer.vendor
-- external: ecs
-  name: tags
diff --git a/packages/forgerock/docs/README.md b/packages/forgerock/docs/README.md
index a38ec8d2116..a55cbb1593c 100644
--- a/packages/forgerock/docs/README.md
+++ b/packages/forgerock/docs/README.md
@@ -87,19 +87,9 @@ An example event for `am_access` looks as following: | Field | Description | Type | |---|---|---| | @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | -| client.domain | The domain name of the client system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| client.ip | IP address of the client (IPv4 or IPv6). | ip | -| client.port | Port of the client. | long | | data_stream.dataset | The field can contain anything that makes sense to signify the source of the data. Examples include `nginx.access`, `prometheus`, `endpoint` etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. `event.dataset` should have the same value as `data_stream.dataset`. Beyond the Elasticsearch data stream naming criteria noted above, the `dataset` value has additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword | | data_stream.namespace | A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with `default`. If no value is used, it falls back to `default`. Beyond the Elasticsearch index naming criteria noted above, `namespace` value has the additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword | | data_stream.type | An overarching type for the data stream. Currently allowed values are "logs" and "metrics". 
We expect to also add "traces" and "synthetics" in the near future. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword | -| event.duration | Duration of the event in nanoseconds. If `event.start` and `event.end` are known this value should be the difference between the end and start time. | long | -| event.id | Unique ID to describe the event. | keyword | -| event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. 
Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | | forgerock.eventName | The name of the audit event. | keyword | | forgerock.http.request.headers.\* | The headers of the HTTP request. | object | | forgerock.http.request.headers.accept | The accept parameter for the request. | keyword | 
@@ -138,19 +128,7 @@ An example event for `am_access` looks as following: | forgerock.topic | The topic of the event. | keyword | | forgerock.trackingIds | Specifies a unique random string generated as an alias for each AM session ID and OAuth 2.0 token. | keyword | | http.request.Path | The path of the HTTP request. | keyword | -| http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword | -| http.response.body.content | The full HTTP response body. | wildcard | -| http.response.body.content.text | Multi-field of `http.response.body.content`. | match_only_text | -| http.response.status_code | HTTP response status code. | long | | input.type | Input type | keyword | -| observer.vendor | Vendor name of the observer. | keyword | -| server.ip | IP address of the server (IPv4 or IPv6). | ip | -| service.name | Name of the service data is collected from. The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| tags | List of keywords used to tag each event. | keyword | -| transaction.id | Unique identifier of the transaction within the scope of its trace. A transaction is the highest level of work measured within a service, such as a request to a server. | keyword | -| user.id | Unique identifier of the user. | keyword | ### AM_Activity events 
@@ -235,12 +213,6 @@ An example event for `am_activity` looks as following: | data_stream.dataset | The field can contain anything that makes sense to signify the source of the data. Examples include `nginx.access`, `prometheus`, `endpoint` etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. `event.dataset` should have the same value as `data_stream.dataset`. Beyond the Elasticsearch data stream naming criteria noted above, the `dataset` value has additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword | | data_stream.namespace | A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with `default`. If no value is used, it falls back to `default`. Beyond the Elasticsearch index naming criteria noted above, `namespace` value has the additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword | | data_stream.type | An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.dataset | Name of the dataset. 
If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword | -| event.duration | Duration of the event in nanoseconds. If `event.start` and `event.end` are known this value should be the difference between the end and start time. | long | -| event.id | Unique ID to describe the event. | keyword | -| event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. | keyword | | forgerock.after.\* | Specifies the JSON representation of the object after the activity. | object | | forgerock.before.\* | Specifies the JSON representation of the object prior to the activity. | object | | forgerock.changedFields | Specifies the fields that were changed. | keyword | 
@@ -252,12 +224,6 @@ An example event for `am_activity` looks as following: | forgerock.topic | The topic of the event. | keyword | | forgerock.trackingIds | Specifies a unique random string generated as an alias for each AM session ID and OAuth 2.0 token. | keyword | | input.type | Input type | keyword | -| observer.vendor | Vendor name of the observer. | keyword | -| service.name | Name of the service data is collected from. The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. | keyword | -| tags | List of keywords used to tag each event. | keyword | -| transaction.id | Unique identifier of the transaction within the scope of its trace. A transaction is the highest level of work measured within a service, such as a request to a server. | keyword | -| user.effective.id | Unique identifier of the user. | keyword | -| user.id | Unique identifier of the user. | keyword | ### AM_Authentication events 
@@ -356,11 +322,6 @@ An example event for `am_authentication` looks as following: | data_stream.dataset | The field can contain anything that makes sense to signify the source of the data. Examples include `nginx.access`, `prometheus`, `endpoint` etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. `event.dataset` should have the same value as `data_stream.dataset`. Beyond the Elasticsearch data stream naming criteria noted above, the `dataset` value has additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword | | data_stream.namespace | A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with `default`. If no value is used, it falls back to `default`. Beyond the Elasticsearch index naming criteria noted above, `namespace` value has the additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword | | data_stream.type | An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. 
| keyword | -| event.id | Unique ID to describe the event. | keyword | -| event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | | forgerock.entries | The JSON representation of the details of an authentication module, chain, tree, or node. | flattened | | forgerock.eventName | The name of the audit event. | keyword | | forgerock.level | The log level. | keyword | 
@@ -370,11 +331,6 @@ An example event for `am_authentication` looks as following: | forgerock.topic | The topic of the event. | keyword | | forgerock.trackingIds | Specifies a unique random string generated as an alias for each AM session ID and OAuth 2.0 token. | keyword | | input.type | Input type | keyword | -| observer.vendor | Vendor name of the observer. | keyword | -| service.name | Name of the service data is collected from. The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. | keyword | -| tags | List of keywords used to tag each event. | keyword | -| transaction.id | Unique identifier of the transaction within the scope of its trace. A transaction is the highest level of work measured within a service, such as a request to a server. | keyword | -| user.id | Unique identifier of the user. | keyword | ### AM_Config events 
@@ -459,12 +415,6 @@ An example event for `am_config` looks as following: | data_stream.dataset | The field can contain anything that makes sense to signify the source of the data. Examples include `nginx.access`, `prometheus`, `endpoint` etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. `event.dataset` should have the same value as `data_stream.dataset`. Beyond the Elasticsearch data stream naming criteria noted above, the `dataset` value has additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword | | data_stream.namespace | A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with `default`. If no value is used, it falls back to `default`. Beyond the Elasticsearch index naming criteria noted above, `namespace` value has the additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword | | data_stream.type | An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. 
| keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword | -| event.id | Unique ID to describe the event. | keyword | -| event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. | keyword | | forgerock.changedFields | Specifies the fields that were changed. | keyword | | forgerock.eventName | The name of the audit event. | keyword | | forgerock.level | The log level. | keyword | 
@@ -475,11 +425,6 @@ An example event for `am_config` looks as following: | forgerock.topic | The topic of the event. | keyword | | forgerock.trackingIds | Specifies a unique random string generated as an alias for each AM session ID and OAuth 2.0 token. | keyword | | input.type | Input type | keyword | -| observer.vendor | Vendor name of the observer. | keyword | -| tags | List of keywords used to tag each event. | keyword | -| transaction.id | Unique identifier of the transaction within the scope of its trace. A transaction is the highest level of work measured within a service, such as a request to a server. | keyword | -| user.effective.id | Unique identifier of the user. | keyword | -| user.id | Unique identifier of the user. | keyword | ### AM_Core events 
@@ -550,21 +495,8 @@ An example event for `am_core` looks as following: | data_stream.dataset | The field can contain anything that makes sense to signify the source of the data. Examples include `nginx.access`, `prometheus`, `endpoint` etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. `event.dataset` should have the same value as `data_stream.dataset`. Beyond the Elasticsearch data stream naming criteria noted above, the `dataset` value has additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword | | data_stream.namespace | A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with `default`. If no value is used, it falls back to `default`. Beyond the Elasticsearch index naming criteria noted above, `namespace` value has the additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword | | data_stream.type | An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.stack_trace | The stack trace of this error in plain text. | wildcard | -| error.stack_trace.text | Multi-field of `error.stack_trace`. | match_only_text | -| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. 
access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword | -| event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. | keyword | -| event.reason | Reason why this event happened, according to the source. This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). | keyword | | forgerock.context | The context of the debug event. | keyword | | input.type | Input type | keyword | -| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | -| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword | -| observer.vendor | Vendor name of the observer. | keyword | -| process.name | Process name. Sometimes called program name or similar. | keyword | -| process.name.text | Multi-field of `process.name`. | match_only_text | -| tags | List of keywords used to tag each event. | keyword | -| transaction.id | Unique identifier of the transaction within the scope of its trace. A transaction is the highest level of work measured within a service, such as a request to a server. 
| keyword | ### IDM_access events 
@@ -677,14 +609,9 @@ An example event for `idm_access` looks as following: | Field | Description | Type | |---|---|---| | @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | -| client.ip | IP address of the client (IPv4 or IPv6). | ip | -| client.port | Port of the client. | long | | data_stream.dataset | The field can contain anything that makes sense to signify the source of the data. Examples include `nginx.access`, `prometheus`, `endpoint` etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. `event.dataset` should have the same value as `data_stream.dataset`. Beyond the Elasticsearch data stream naming criteria noted above, the `dataset` value has additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword | | data_stream.namespace | A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with `default`. If no value is used, it falls back to `default`. Beyond the Elasticsearch index naming criteria noted above, `namespace` value has the additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword | | data_stream.type | An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword | -| event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. | keyword | | forgerock.eventName | The name of the audit event. | keyword | | forgerock.http.request.headers.host | The host header of the HTTP request. | keyword | | forgerock.http.request.secure | A flag describing whether or not the HTTP request was secure. | boolean | 
@@ -698,14 +625,7 @@ An example event for `idm_access` looks as following: | forgerock.source | The source of the event. | keyword | | forgerock.topic | The topic of the event. | keyword | | http.request.Path | The path of the HTTP request. | keyword | -| http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword | -| http.response.status_code | HTTP response status code. | long | | input.type | Input type | keyword | -| observer.vendor | Vendor name of the observer. | keyword | -| server.ip | IP address of the server (IPv4 or IPv6). | ip | -| tags | List of keywords used to tag each event. | keyword | -| transaction.id | Unique identifier of the transaction within the scope of its trace. A transaction is the highest level of work measured within a service, such as a request to a server. | keyword | -| user.id | Unique identifier of the user. | keyword | ### IDM_activity events 
@@ -787,10 +707,6 @@ An example event for `idm_activity` looks as following: | data_stream.dataset | The field can contain anything that makes sense to signify the source of the data. Examples include `nginx.access`, `prometheus`, `endpoint` etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. `event.dataset` should have the same value as `data_stream.dataset`. Beyond the Elasticsearch data stream naming criteria noted above, the `dataset` value has additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword | | data_stream.namespace | A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with `default`. If no value is used, it falls back to `default`. Beyond the Elasticsearch index naming criteria noted above, `namespace` value has the additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword | | data_stream.type | An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. 
| keyword | -| event.id | Unique ID to describe the event. | keyword | -| event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. | keyword | | forgerock.eventName | The name of the audit event. | keyword | | forgerock.level | The log level. | keyword | | forgerock.message | Human readable text about the action. | keyword | @@ -801,11 +717,6 @@ An example event for `idm_activity` looks as following: | forgerock.source | The source of the event. | keyword | | forgerock.topic | The topic of the event. | keyword | | input.type | Input type | keyword | -| observer.vendor | Vendor name of the observer. | keyword | -| tags | List of keywords used to tag each event. | keyword | -| transaction.id | Unique identifier of the transaction within the scope of its trace. A transaction is the highest level of work measured within a service, such as a request to a server. | keyword | -| user.effective.id | Unique identifier of the user. | keyword | -| user.id | Unique identifier of the user. | keyword | ### IDM_authentication events 
@@ -900,10 +811,6 @@ An example event for `idm_authentication` looks as following: | data_stream.dataset | The field can contain anything that makes sense to signify the source of the data. Examples include `nginx.access`, `prometheus`, `endpoint` etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. `event.dataset` should have the same value as `data_stream.dataset`. Beyond the Elasticsearch data stream naming criteria noted above, the `dataset` value has additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword | | data_stream.namespace | A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with `default`. If no value is used, it falls back to `default`. Beyond the Elasticsearch index naming criteria noted above, `namespace` value has the additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword | | data_stream.type | An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. 
| keyword | -| event.id | Unique ID to describe the event. | keyword | -| event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. | keyword | | forgerock.entries | The JSON representation of the details of an authentication module, chain, tree, or node. | flattened | | forgerock.eventName | The name of the audit event. | keyword | | forgerock.level | The log level. | keyword | @@ -913,10 +820,6 @@ An example event for `idm_authentication` looks as following: | forgerock.topic | The topic of the event. | keyword | | forgerock.trackingIds | Specifies a unique random string generated as an alias for each AM session ID and OAuth 2.0 token. | keyword | | input.type | Input type | keyword | -| observer.vendor | Vendor name of the observer. | keyword | -| tags | List of keywords used to tag each event. | keyword | -| transaction.id | Unique identifier of the transaction within the scope of its trace. A transaction is the highest level of work measured within a service, such as a request to a server. | keyword | -| user.id | Unique identifier of the user. | keyword | ### IDM_config events 
@@ -999,10 +902,6 @@ An example event for `idm_config` looks as following: | data_stream.dataset | The field can contain anything that makes sense to signify the source of the data. Examples include `nginx.access`, `prometheus`, `endpoint` etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. `event.dataset` should have the same value as `data_stream.dataset`. Beyond the Elasticsearch data stream naming criteria noted above, the `dataset` value has additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword | | data_stream.namespace | A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with `default`. If no value is used, it falls back to `default`. Beyond the Elasticsearch index naming criteria noted above, `namespace` value has the additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword | | data_stream.type | An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. 
| keyword | -| event.id | Unique ID to describe the event. | keyword | -| event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. | keyword | | forgerock.changedFields | Specifies the fields that were changed. | keyword | | forgerock.eventName | The name of the audit event. | keyword | | forgerock.level | The log level. | keyword | @@ -1010,11 +909,6 @@ An example event for `idm_config` looks as following: | forgerock.source | The source of the event. | keyword | | forgerock.topic | The topic of the event. | keyword | | input.type | Input type | keyword | -| observer.vendor | Vendor name of the observer. | keyword | -| tags | List of keywords used to tag each event. | keyword | -| transaction.id | Unique identifier of the transaction within the scope of its trace. A transaction is the highest level of work measured within a service, such as a request to a server. | keyword | -| user.effective.id | Unique identifier of the user. | keyword | -| user.id | Unique identifier of the user. | keyword | ### IDM_core events 
@@ -1075,12 +969,7 @@ An example event for `idm_core` looks as following: | data_stream.dataset | The field can contain anything that makes sense to signify the source of the data. Examples include `nginx.access`, `prometheus`, `endpoint` etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. `event.dataset` should have the same value as `data_stream.dataset`. Beyond the Elasticsearch data stream naming criteria noted above, the `dataset` value has additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword | | data_stream.namespace | A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with `default`. If no value is used, it falls back to `default`. Beyond the Elasticsearch index naming criteria noted above, `namespace` value has the additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword | | data_stream.type | An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. 
| keyword | -| event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. | keyword | | input.type | Input type | keyword | -| observer.vendor | Vendor name of the observer. | keyword | -| tags | List of keywords used to tag each event. | keyword | ### IDM_sync events 
@@ -1159,11 +1048,6 @@ An example event for `idm_sync` looks as following: | data_stream.dataset | The field can contain anything that makes sense to signify the source of the data. Examples include `nginx.access`, `prometheus`, `endpoint` etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. `event.dataset` should have the same value as `data_stream.dataset`. Beyond the Elasticsearch data stream naming criteria noted above, the `dataset` value has additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword | | data_stream.namespace | A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with `default`. If no value is used, it falls back to `default`. Beyond the Elasticsearch index naming criteria noted above, `namespace` value has the additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword | | data_stream.type | An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. 
| keyword | -| event.id | Unique ID to describe the event. | keyword | -| event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | | forgerock.action | The synchronization action, depicted as a Common REST action. | keyword | | forgerock.eventName | The name of the audit event. | keyword | | forgerock.level | The log level. | keyword | 
@@ -1175,7 +1059,3 @@ An example event for `idm_sync` looks as following: | forgerock.targetObjectId | Object ID on the target system | keyword | | forgerock.topic | The topic of the event. | keyword | | input.type | Input type | keyword | -| observer.vendor | Vendor name of the observer. | keyword | -| tags | List of keywords used to tag each event. | keyword | -| transaction.id | Unique identifier of the transaction within the scope of its trace. A transaction is the highest level of work measured within a service, such as a request to a server. | keyword | -| user.id | Unique identifier of the user. | keyword | diff --git a/packages/forgerock/manifest.yml b/packages/forgerock/manifest.yml index b5e583b2db4..a551fd0f365 100644 --- a/packages/forgerock/manifest.yml +++ b/packages/forgerock/manifest.yml @@ -1,13 +1,13 @@ name: forgerock title: "ForgeRock" -version: "1.17.1" +version: "1.18.0" description: Collect audit logs from ForgeRock with Elastic Agent. type: integration format_version: "3.0.2" categories: ["security"] conditions: kibana: - version: ^8.12.0 + version: "^8.13.0" screenshots: - src: /img/forgerock-dashboard.png title: ForgeRock Dashboard diff --git a/packages/gcp_pubsub/changelog.yml b/packages/gcp_pubsub/changelog.yml index 85e3d5a29c9..17b81567ff2 100644 --- a/packages/gcp_pubsub/changelog.yml +++ b/packages/gcp_pubsub/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "2.1.0" + changes: + - description: ECS version updated to 8.11.0. Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template. + type: enhancement + link: https://github.com/elastic/integrations/pull/10135 - version: "2.0.0" changes: - description: Converted Google Pub/Sub to input package type. diff --git a/packages/gcp_pubsub/fields/agent.yml b/packages/gcp_pubsub/fields/agent.yml index e313ec82874..48f513b61aa 100644 --- a/packages/gcp_pubsub/fields/agent.yml 
+++ b/packages/gcp_pubsub/fields/agent.yml 
@@ -5,180 +5,15 @@ footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' type: group fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - name: image.id type: keyword description: Image ID for the cloud instance. -- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. 
- - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. - name: host title: Host group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' type: group fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. 
- - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - name: containerized type: boolean description: > diff --git a/packages/gcp_pubsub/fields/ecs.yml b/packages/gcp_pubsub/fields/ecs.yml deleted file mode 100644 index c565c4a26fe..00000000000 --- a/packages/gcp_pubsub/fields/ecs.yml +++ /dev/null 
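Review bot: The explicit `host.os.name` definition removed in this hunk carried a `text` multi-field (`multi_fields: - name: text`), so after this change `host.os.name.text` exists only if the `ecs@mappings` dynamic templates shipped with 8.13 recreate it; nothing in the diff establishes that, and a saved search or detection rule targeting the `.text` field would silently stop matching rather than fail, so please confirm it against the component template. The non-ECS entries `cloud.image.id` and `host.containerized` are rightly left in place. Above the `host` group I would add `# Only non-ECS host fields are declared here; ECS host.* mappings come from the ecs@mappings component template (Kibana ^8.13.0).` so the deleted definitions are not re-added later.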
@@ -1,10 +0,0 @@ -- name: ecs.version - external: ecs -- name: log.level - external: ecs -- name: message - external: ecs -- name: event.original - external: ecs -- name: tags - external: ecs diff --git a/packages/gcp_pubsub/manifest.yml b/packages/gcp_pubsub/manifest.yml index bd457097361..a16e8457b73 100644 --- a/packages/gcp_pubsub/manifest.yml +++ b/packages/gcp_pubsub/manifest.yml @@ -3,7 +3,7 @@ title: Custom Google Pub/Sub Logs format_version: "3.0.2" description: Collect Logs from Google Pub/Sub topics type: input -version: "2.0.0" +version: "2.1.0" icons: - src: /img/logo_gcp.svg title: logo gcp @@ -15,7 +15,7 @@ categories: - custom conditions: kibana: - version: ^8.12.0 + version: "^8.13.0" policy_templates: - name: gcp title: Custom Google Pub/Sub Logs @@ -109,7 +109,6 @@ policy_templates: show_user: false description: > Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - - name: alternative_host type: text title: Alternative host diff --git a/packages/gcp_pubsub/sample_event.json b/packages/gcp_pubsub/sample_event.json index 7360eda8ff4..671bd5cf771 100644 --- a/packages/gcp_pubsub/sample_event.json +++ b/packages/gcp_pubsub/sample_event.json @@ -13,7 +13,7 @@ "type": "logs" }, "ecs": { - "version": "8.0.0" + "version": "8.11.0" }, "elastic_agent": { "id": "94455c8e-3b6c-40c3-96b7-9163c5f086a0", diff --git a/packages/github/changelog.yml b/packages/github/changelog.yml index cedc2bfec30..473548be21e 100644 --- a/packages/github/changelog.yml +++ b/packages/github/changelog.yml 
@@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.29.0" + changes: + - description: Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template. + type: enhancement + link: https://github.com/elastic/integrations/pull/10135 - version: "1.28.0" changes: - description: Set sensitive values as secret and fix incorrect mappings. diff --git a/packages/github/data_stream/audit/fields/agent.yml b/packages/github/data_stream/audit/fields/agent.yml index 4d9a6f7b362..bc42d0a853b 100644 --- a/packages/github/data_stream/audit/fields/agent.yml +++ b/packages/github/data_stream/audit/fields/agent.yml 
@@ -1,100 +1,9 @@ - name: host title: Host group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' type: group fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. 
The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - name: containerized type: boolean description: > diff --git a/packages/github/data_stream/audit/fields/ecs.yml b/packages/github/data_stream/audit/fields/ecs.yml deleted file mode 100644 index 4c860994252..00000000000 --- a/packages/github/data_stream/audit/fields/ecs.yml +++ /dev/null 
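Review bot: This hunk leaves the `host` group with only `containerized`, so every ECS `host.*` field that was defined here, including `host.ip` with `type: ip`, now depends on the `ecs@mappings` component template being attached to the data stream, which the changelog at the top of this section ties to a Kibana constraint of `^8.13.0`; `packages/github/manifest.yml` is not in this view, so please confirm the `conditions.kibana.version` bump is part of the same change. Without that constraint an older stack installs the package with no explicit mapping for these fields and `host.ip` would fall to the default dynamic string mapping instead of `ip`, which breaks CIDR queries in detection rules. A short header comment, `# ECS host.* fields are provided by the ecs@mappings component template (requires Kibana ^8.13.0); only non-ECS fields belong here.`, would make the dependency explicit to the next maintainer.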
@@ -1,54 +0,0 @@ -- name: client.geo.country_iso_code - external: ecs -- name: ecs.version - external: ecs -- name: error.message - external: ecs -- name: event.action - external: ecs -- name: event.category - external: ecs -- name: event.created - external: ecs -- name: event.id - external: ecs -- name: event.ingested - external: ecs -- name: event.kind - external: ecs -- name: event.original - external: ecs -- name: event.outcome - external: ecs -- name: event.type - external: ecs -- name: message - external: ecs -- name: related.user - external: ecs -- name: user.name - external: ecs -- name: group.name - external: ecs -- name: related.ip - external: ecs -- name: user.target.group.name - external: ecs -- name: user.target.name - external: ecs -- name: user_agent.device.name - external: ecs -- name: user_agent.name - external: ecs -- name: user_agent.original - external: ecs -- name: user_agent.os.full - external: ecs -- name: user_agent.os.name - external: ecs -- name: user_agent.os.version - external: ecs -- name: user_agent.version - external: ecs -- name: tags - external: ecs diff --git a/packages/github/data_stream/code_scanning/fields/agent.yml b/packages/github/data_stream/code_scanning/fields/agent.yml index 4d9a6f7b362..bc42d0a853b 100644 --- a/packages/github/data_stream/code_scanning/fields/agent.yml +++ b/packages/github/data_stream/code_scanning/fields/agent.yml 
@@ -1,100 +1,9 @@ - name: host title: Host group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' type: group fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. 
The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - name: containerized type: boolean description: > diff --git a/packages/github/data_stream/code_scanning/fields/ecs.yml b/packages/github/data_stream/code_scanning/fields/ecs.yml deleted file mode 100644 index b900cad0bca..00000000000 --- a/packages/github/data_stream/code_scanning/fields/ecs.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: ecs.version - external: ecs -- name: error.message - external: ecs -- name: event.category - external: ecs -- name: event.created - external: ecs -- name: event.kind - external: ecs -- name: rule.id - external: ecs -- name: rule.description - external: ecs -- name: rule.name - external: ecs -- name: tags - external: ecs -- name: message - external: ecs 
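Review bot: The `host` group in this hunk is reduced to `containerized`, dropping the explicit `host.ip` (`type: ip`), `host.mac`, `host.id`, `host.name`, `host.domain` and `host.os.*` definitions; the dependabot, issues and secret_scanning `agent.yml` hunks below make the same removal. If these fields are now expected to come from the stack's ECS dynamic templates (`ecs@mappings`), that only holds when the package's `manifest.yml` pins a Kibana constraint that guarantees those templates — that change is not visible in this chunk, so please confirm it is part of the same PR. Otherwise `host.ip` is dynamically mapped from the first document (typically as `keyword`), and CIDR-based queries and detection rules on it silently stop matching with no ingest error to flag the regression. Making the dependency explicit in the changelog entry, e.g. `description: Remove explicit ECS host.* field definitions in favour of ecs@mappings; requires the stack version constrained in manifest.yml`, would let operators see why the mapping source changed.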
diff --git a/packages/github/data_stream/dependabot/fields/agent.yml b/packages/github/data_stream/dependabot/fields/agent.yml
index 4d9a6f7b362..bc42d0a853b 100644
--- a/packages/github/data_stream/dependabot/fields/agent.yml
+++ b/packages/github/data_stream/dependabot/fields/agent.yml
@@ -1,100 +1,9 @@ - name: host title: Host group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' type: group fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. 
The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - name: containerized type: boolean description: > diff --git a/packages/github/data_stream/dependabot/fields/ecs.yml b/packages/github/data_stream/dependabot/fields/ecs.yml deleted file mode 100644 index 627371d1ed3..00000000000 --- a/packages/github/data_stream/dependabot/fields/ecs.yml +++ /dev/null 
@@ -1,36 +0,0 @@ -- name: ecs.version - external: ecs -- name: error.message - external: ecs -- name: event.category - external: ecs -- name: event.created - external: ecs -- name: event.start - external: ecs -- name: event.end - external: ecs -- name: event.duration - external: ecs -- name: event.kind - external: ecs -- name: vulnerability.classification - external: ecs -- name: vulnerability.description - external: ecs -- name: vulnerability.enumeration - external: ecs -- name: vulnerability.id - external: ecs -- name: vulnerability.reference - external: ecs -- name: vulnerability.scanner.vendor - external: ecs -- name: vulnerability.score.base - external: ecs -- name: vulnerability.score.version - external: ecs -- name: vulnerability.severity - external: ecs -- name: tags - external: ecs diff --git a/packages/github/data_stream/issues/fields/agent.yml b/packages/github/data_stream/issues/fields/agent.yml index 4d9a6f7b362..bc42d0a853b 100644 --- a/packages/github/data_stream/issues/fields/agent.yml +++ b/packages/github/data_stream/issues/fields/agent.yml 
@@ -1,100 +1,9 @@ - name: host title: Host group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' type: group fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. 
The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - name: containerized type: boolean description: > diff --git a/packages/github/data_stream/issues/fields/ecs.yml b/packages/github/data_stream/issues/fields/ecs.yml deleted file mode 100644 index f9f05af6577..00000000000 --- a/packages/github/data_stream/issues/fields/ecs.yml +++ /dev/null @@ -1,22 +0,0 @@ -- name: ecs.version - external: ecs -- name: error.message - external: ecs -- name: event.category - external: ecs -- name: event.created - external: ecs -- name: event.kind - external: ecs -- name: user.name - external: ecs -- name: user.id - external: ecs -- name: user.roles - external: ecs -- name: related.user - external: ecs -- name: tags - external: ecs -- name: message - external: ecs 
diff --git a/packages/github/data_stream/secret_scanning/fields/agent.yml b/packages/github/data_stream/secret_scanning/fields/agent.yml
index 4d9a6f7b362..bc42d0a853b 100644
--- a/packages/github/data_stream/secret_scanning/fields/agent.yml
+++ b/packages/github/data_stream/secret_scanning/fields/agent.yml
@@ -1,100 +1,9 @@ - name: host title: Host group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' type: group fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. 
The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - name: containerized type: boolean description: > diff --git a/packages/github/data_stream/secret_scanning/fields/ecs.yml b/packages/github/data_stream/secret_scanning/fields/ecs.yml deleted file mode 100644 index f25bf7ec020..00000000000 --- a/packages/github/data_stream/secret_scanning/fields/ecs.yml +++ /dev/null @@ -1,10 +0,0 @@ -- name: ecs.version - external: ecs -- name: error.message - external: ecs -- name: event.category - external: ecs -- name: event.created - external: ecs -- name: tags - external: ecs diff --git a/packages/github/docs/README.md b/packages/github/docs/README.md index 0ca08ce09bb..99c357a34f8 100644 --- a/packages/github/docs/README.md +++ b/packages/github/docs/README.md 
@@ -20,23 +20,11 @@ To use this integration, the following prerequisites must be met: | Field | Description | Type | |---|---|---| | @timestamp | Event timestamp. | date | -| client.geo.country_iso_code | Country ISO code. | keyword | | data_stream.dataset | Data stream dataset name. | constant_keyword | | data_stream.namespace | Data stream namespace. | constant_keyword | | data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.message | Error message. | match_only_text | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. 
The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date | | event.dataset | Event dataset | constant_keyword | -| event.id | Unique ID to describe the event. | keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword | | event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. 
| keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | | github.actor_ip | The IP address of the entity performing the action. | ip | | github.category | GitHub action category. | keyword | | github.hashed_token | SHA-256 hash of the token used for authentication. | keyword | 
@@ -51,44 +39,10 @@ To use this integration, the following prerequisites must be met: | github.repository_selection | Whether all repositories have been selected or there's a selection involved. | keyword | | github.team | GitHub team name. | keyword | | github.user_agent | The user agent of the entity performing the action. | keyword | -| group.name | Name of the group. | keyword | -| host.architecture | Operating system architecture. | keyword | | host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | host.os.build | OS build information. | keyword | | host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. 
For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | input.type | Type of Filebeat input. | keyword | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| related.ip | All of the IPs seen on your event. | ip | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| tags | List of keywords used to tag each event. | keyword | -| user.name | Short name or login of the user. | keyword | -| user.name.text | Multi-field of `user.name`. | match_only_text | -| user.target.group.name | Name of the group. | keyword | -| user.target.name | Short name or login of the user. | keyword | -| user.target.name.text | Multi-field of `user.target.name`. | match_only_text | -| user_agent.device.name | Name of the device. | keyword | -| user_agent.name | Name of the user agent. | keyword | -| user_agent.original | Unparsed user_agent string. | keyword | -| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text | -| user_agent.os.full | Operating system name, including the version or code name. | keyword | -| user_agent.os.full.text | Multi-field of `user_agent.os.full`. | match_only_text | -| user_agent.os.name | Operating system name, without the version. | keyword | -| user_agent.os.name.text | Multi-field of `user_agent.os.name`. | match_only_text | -| user_agent.os.version | Operating system version as a raw string. | keyword | -| user_agent.version | Version of the user agent. | keyword | An example event for `audit` looks as following: 
@@ -173,12 +127,7 @@ Or use a personal access token with the `security_events` scope for private repo | data_stream.dataset | Data stream dataset name. | constant_keyword | | | | data_stream.namespace | Data stream namespace. | constant_keyword | | | | data_stream.type | Data stream type. | constant_keyword | | | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | | | -| error.message | Error message. | match_only_text | | | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | | | -| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date | | | | event.dataset | Event dataset | constant_keyword | | | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. 
`event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword | | | | event.module | Event module | constant_keyword | | | | github.code_scanning.created_at | The time that the alert was created in ISO 8601 format: `YYYY-MM-DDTHH:MM:SSZ` | date | | | | github.code_scanning.dismissed_at | The time that the alert was dismissed in ISO 8601 format: `YYYY-MM-DDTHH:MM:SSZ`. | date | | | 
@@ -236,29 +185,10 @@ Or use a personal access token with the `security_events` scope for private repo | github.repository.url | The URL to get more information about the repository from the GitHub API. | keyword | | | | github.severity | The security severity of the alert | keyword | | | | github.state | State of a code scanning alert | keyword | | | -| host.architecture | Operating system architecture. | keyword | | | | host.containerized | If the host is a container. | boolean | | | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | | | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | | | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | | | -| host.ip | Host ip addresses. | ip | | | -| host.mac | Host mac addresses. | keyword | | | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | | | host.os.build | OS build information. | keyword | | | | host.os.codename | OS codename, if any. | keyword | | | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | | | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | | | -| host.os.name | Operating system name, without the version. | keyword | | | -| host.os.name.text | Multi-field of `host.os.name`. | text | | | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | | | -| host.os.version | Operating system version as a raw string. | keyword | | | -| host.type | Type of host. 
For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | | | input.type | Type of Filebeat input. | keyword | | | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | | | -| rule.description | The description of the rule generating the event. | keyword | | | -| rule.id | A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. | keyword | | | -| rule.name | The name of the rule or signature generating the event. | keyword | | | -| tags | List of keywords used to tag each event. | keyword | | | An example event for `code_scanning` looks as following: 
@@ -372,10 +302,6 @@ Or you must be an administrator for the repository or for the organization that | data_stream.dataset | Data stream dataset name. | constant_keyword | | | | data_stream.namespace | Data stream namespace. | constant_keyword | | | | data_stream.type | Data stream type. | constant_keyword | | | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | | | -| error.message | Error message. | match_only_text | | | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | | | -| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date | | | | event.dataset | Event dataset | constant_keyword | | | | event.module | Event module | constant_keyword | | | | github.repository.html_url | The URL to view the repository on GitHub.com. 
| keyword | | | 
@@ -417,25 +343,10 @@ Or you must be an administrator for the repository or for the organization that | github.secret_scanning.url | The REST API URL of the alert resource | keyword | | | | github.severity | The severity of the secret scanning alert | keyword | | | | github.state | State of a code scanning alert | keyword | | | -| host.architecture | Operating system architecture. | keyword | | | | host.containerized | If the host is a container. | boolean | | | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | | | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | | | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | | | -| host.ip | Host ip addresses. | ip | | | -| host.mac | Host mac addresses. | keyword | | | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | | | host.os.build | OS build information. | keyword | | | | host.os.codename | OS codename, if any. | keyword | | | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | | | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | | | -| host.os.name | Operating system name, without the version. | keyword | | | -| host.os.name.text | Multi-field of `host.os.name`. | text | | | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | | | -| host.os.version | Operating system version as a raw string. | keyword | | | -| host.type | Type of host. 
For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | | | input.type | Type of Filebeat input. | keyword | | | -| tags | List of keywords used to tag each event. | keyword | | | An example event for `secret_scanning` looks as following: 
@@ -532,16 +443,8 @@ To use this integration, you must be an administrator for the repository or for | data_stream.dataset | Data stream dataset name. | constant_keyword | | data_stream.namespace | Data stream namespace. | constant_keyword | | data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.message | Error message. | match_only_text | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date | | event.dataset | Event dataset | constant_keyword | -| event.duration | Duration of the event in nanoseconds. 
If `event.start` and `event.end` are known this value should be the difference between the end and start time. | long | -| event.end | `event.end` contains the date when the event ended or when the activity was last observed. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword | | event.module | Event module | constant_keyword | -| event.start | `event.start` contains the date when the event started or when the activity was first observed. | date | | github.dependabot.created_at | When was the alert created | date | | github.dependabot.dependabot_update.error.body | The body of the error. | text | | github.dependabot.dependabot_update.error.error_type | The error code. | keyword | 
@@ -594,35 +497,10 @@ To use this integration, you must be an administrator for the repository or for | github.repository.url | The HTTP URL for this repository. | keyword | | github.severity | The severity of the advisory. | keyword | | github.state | Identifies the state of the alert. | keyword | -| host.architecture | Operating system architecture. | keyword | | host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | host.os.build | OS build information. | keyword | | host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. 
If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | input.type | Type of Filebeat input. | keyword | -| tags | List of keywords used to tag each event. | keyword | -| vulnerability.classification | The classification of the vulnerability scoring system. For example (https://www.first.org/cvss/) | keyword | -| vulnerability.description | The description of the vulnerability that provides additional context of the vulnerability. For example (https://cve.mitre.org/about/faqs.html#cve_entry_descriptions_created[Common Vulnerabilities and Exposure CVE description]) | keyword | -| vulnerability.description.text | Multi-field of `vulnerability.description`. | match_only_text | -| vulnerability.enumeration | The type of identifier used for this vulnerability. For example (https://cve.mitre.org/about/) | keyword | -| vulnerability.id | The identification (ID) is the number portion of a vulnerability entry. It includes a unique identification number for the vulnerability. For example (https://cve.mitre.org/about/faqs.html#what_is_cve_id)[Common Vulnerabilities and Exposure CVE ID] | keyword | -| vulnerability.reference | A resource that provides additional information, context, and mitigations for the identified vulnerability. | keyword | -| vulnerability.scanner.vendor | The name of the vulnerability scanner vendor. | keyword | -| vulnerability.score.base | Scores can range from 0.0 to 10.0, with 10.0 being the most severe. Base scores cover an assessment for exploitability metrics (attack vector, complexity, privileges, and user interaction), impact metrics (confidentiality, integrity, and availability), and scope. 
For example (https://www.first.org/cvss/specification-document) | float | -| vulnerability.score.version | The National Vulnerability Database (NVD) provides qualitative severity rankings of "Low", "Medium", and "High" for CVSS v2.0 base score ranges in addition to the severity ratings for CVSS v3.0 as they are defined in the CVSS v3.0 specification. CVSS is owned and managed by FIRST.Org, Inc. (FIRST), a US-based non-profit organization, whose mission is to help computer security incident response teams across the world. For example (https://nvd.nist.gov/vuln-metrics/cvss) | keyword | -| vulnerability.severity | The severity of the vulnerability can help with metrics and internal prioritization regarding remediation. For example (https://nvd.nist.gov/vuln-metrics/cvss) | keyword | An example event for `dependabot` looks as following: 
@@ -778,12 +656,7 @@ To use this integration, users must use Github Apps or Personal Access Token wit | data_stream.dataset | Data stream dataset name. | constant_keyword | | | | data_stream.namespace | Data stream namespace. | constant_keyword | | | | data_stream.type | Data stream type. | constant_keyword | | | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | | | -| error.message | Error message. | match_only_text | | | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | | | -| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date | | | | event.dataset | Event dataset | constant_keyword | | | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. 
`event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword | | | | event.module | Event module | constant_keyword | | | | github.issues.active_lock_reason | | keyword | | | | github.issues.assignee.email | | keyword | | | 
@@ -848,31 +721,10 @@ To use this integration, users must use Github Apps or Personal Access Token wit | github.repository.owner.login | | keyword | | | | github.repository.url | The URL to get more information about the repository from the GitHub API. | keyword | | | | github.state | State of github issue | keyword | | | -| host.architecture | Operating system architecture. | keyword | | | | host.containerized | If the host is a container. | boolean | | | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | | | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | | | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | | | -| host.ip | Host ip addresses. | ip | | | -| host.mac | Host mac addresses. | keyword | | | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | | | host.os.build | OS build information. | keyword | | | | host.os.codename | OS codename, if any. | keyword | | | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | | | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | | | -| host.os.name | Operating system name, without the version. | keyword | | | -| host.os.name.text | Multi-field of `host.os.name`. | text | | | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | | | -| host.os.version | Operating system version as a raw string. | keyword | | | -| host.type | Type of host. 
For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | | | input.type | Type of Filebeat input. | keyword | | | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | | | -| related.user | All the user names or other user identifiers seen on the event. | keyword | | | -| tags | List of keywords used to tag each event. | keyword | | | -| user.id | Unique identifier of the user. | keyword | | | -| user.name | Short name or login of the user. | keyword | | | -| user.name.text | Multi-field of `user.name`. | match_only_text | | | -| user.roles | Array of user roles at the time of the event. | keyword | | | An example event for `issues` looks as following: diff --git a/packages/github/manifest.yml b/packages/github/manifest.yml index e3b8ab54974..e0ae59529b7 100644 --- a/packages/github/manifest.yml +++ b/packages/github/manifest.yml @@ -1,13 +1,13 @@ name: github title: GitHub -version: "1.28.0" +version: "1.29.0" description: Collect logs from GitHub with Elastic Agent. type: integration format_version: "3.0.2" categories: [security, "productivity_security"] conditions: kibana: - version: "^8.12.0" + version: "^8.13.0" icons: - src: /img/github.svg title: GitHub diff --git a/packages/gitlab/changelog.yml b/packages/gitlab/changelog.yml index 42e79b8cbd7..dee57e4dbf5 100644 --- a/packages/gitlab/changelog.yml +++ b/packages/gitlab/changelog.yml 
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "0.2.0"
+ changes:
+ - description: Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/10135
 - version: 0.1.0
 changes:
 - description: Initial Version
diff --git a/packages/gitlab/data_stream/api/fields/agent.yml b/packages/gitlab/data_stream/api/fields/agent.yml
index 27f215b1cd6..df92bfa51a9 100644
--- a/packages/gitlab/data_stream/api/fields/agent.yml
+++ b/packages/gitlab/data_stream/api/fields/agent.yml
@@ -8,17 +8,6 @@
 - name: image.id
 type: keyword
 description: Image ID for the cloud instance.
-- name: container
- title: Container
- group: 2
- description: 'Container fields are used for meta information about the specific container that is the source of information. These fields help correlate data based containers from any runtime.'
- type: group
- fields:
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
 - name: host
 title: Host
 group: 2
diff --git a/packages/gitlab/data_stream/production/fields/agent.yml b/packages/gitlab/data_stream/production/fields/agent.yml
index 27f215b1cd6..df92bfa51a9 100644
--- a/packages/gitlab/data_stream/production/fields/agent.yml
+++ b/packages/gitlab/data_stream/production/fields/agent.yml
@@ -8,17 +8,6 @@
 - name: image.id
 type: keyword
 description: Image ID for the cloud instance.
-- name: container
- title: Container
- group: 2
- description: 'Container fields are used for meta information about the specific container that is the source of information. These fields help correlate data based containers from any runtime.'
- type: group
- fields:
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
 - name: host
 title: Host
 group: 2
diff --git a/packages/gitlab/docs/README.md b/packages/gitlab/docs/README.md
index 19016f94ca4..e5dd1b129bf 100644
--- a/packages/gitlab/docs/README.md
+++ b/packages/gitlab/docs/README.md
@@ -28,7 +28,6 @@ Collect logs for HTTP requests made to the GitLab API. Check out the [GitLab API
 |---|---|---|
 | @timestamp | Event timestamp. | date |
 | cloud.image.id | Image ID for the cloud instance. | keyword |
-| container.labels | Image labels. | object |
 | data_stream.dataset | Data stream dataset name. | constant_keyword |
 | data_stream.namespace | Data stream namespace. | constant_keyword |
 | data_stream.type | Data stream type. | constant_keyword |
@@ -297,7 +296,6 @@ Collect logs for Rails controller requests received from GitLab. Check out the [
 |---|---|---|
 | @timestamp | Event timestamp. | date |
 | cloud.image.id | Image ID for the cloud instance. | keyword |
-| container.labels | Image labels. | object |
 | data_stream.dataset | Data stream dataset name. | constant_keyword |
 | data_stream.namespace | Data stream namespace. | constant_keyword |
 | data_stream.type | Data stream type. | constant_keyword |
diff --git a/packages/gitlab/manifest.yml b/packages/gitlab/manifest.yml
index 2a5d8c3dda5..7010196d1b2 100644
--- a/packages/gitlab/manifest.yml
+++ b/packages/gitlab/manifest.yml
@@ -1,7 +1,7 @@
 format_version: 3.1.3
 name: gitlab
 title: GitLab
-version: 0.1.0
+version: "0.2.0"
 description: Collect logs from GitLab with Elastic Agent.
 type: integration
 categories:
diff --git a/packages/google_cloud_storage/_dev/build/build.yml b/packages/google_cloud_storage/_dev/build/build.yml
index 71f48ba2a9c..2bfcfc223b0 100644
--- a/packages/google_cloud_storage/_dev/build/build.yml
+++ b/packages/google_cloud_storage/_dev/build/build.yml
@@ -1,4 +1,3 @@
 dependencies:
 ecs:
 reference: "git@v8.11.0"
- import_mappings: true
diff --git a/packages/google_cloud_storage/changelog.yml b/packages/google_cloud_storage/changelog.yml
index c4ab4a18052..70cea1a2a95 100644
--- a/packages/google_cloud_storage/changelog.yml
+++ b/packages/google_cloud_storage/changelog.yml
@@ -1,3 +1,8 @@
+- version: "2.1.0"
+ changes:
+ - description: ECS version updated to 8.11.0. Removed import_mappings. Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/10135
 - version: "2.0.0"
 changes:
 - description: Convert Google Cloud Storage to input package type.
diff --git a/packages/google_cloud_storage/fields/agent.yml b/packages/google_cloud_storage/fields/agent.yml
index 230f7bc911d..9638d2992eb 100644
--- a/packages/google_cloud_storage/fields/agent.yml
+++ b/packages/google_cloud_storage/fields/agent.yml
@@ -5,9 +5,6 @@
 footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
 type: group
 fields:
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
 - name: image.id
 type: keyword
 description: Image ID for the cloud instance.
diff --git a/packages/google_cloud_storage/fields/beats.yml b/packages/google_cloud_storage/fields/beats.yml
index 8c03b061f7c..6d9a7862671 100644
--- a/packages/google_cloud_storage/fields/beats.yml
+++ b/packages/google_cloud_storage/fields/beats.yml
@@ -1,9 +1,6 @@
 - name: input.type
 description: Type of Filebeat input.
 type: keyword
-- name: tags
- type: keyword
- description: User defined tags
 - name: log.offset
 type: long
 description: Log offset
diff --git a/packages/google_cloud_storage/manifest.yml b/packages/google_cloud_storage/manifest.yml
index 6cd68fa3d28..ea3b4d4ae83 100644
--- a/packages/google_cloud_storage/manifest.yml
+++ b/packages/google_cloud_storage/manifest.yml
@@ -3,10 +3,10 @@ name: google_cloud_storage title: Custom GCS (Google Cloud Storage) Input description: Collect JSON data from configured GCS Bucket with Elastic Agent. type: input -version: 2.0.0 +version: "2.1.0" conditions: kibana: - version: "^8.12.0" + version: "^8.13.0" categories: - custom - cloud @@ -105,7 +105,6 @@ policy_templates: title: Buckets description: > This attribute contains the details about a specific bucket like, name, number_of_workers, poll, poll_interval and bucket_timeout. The attribute 'name' is specific to a bucket as it describes the bucket name, while the fields number_of_workers, poll, poll_interval and bucket_timeout can exist both at the bucket level and at the global level. If you have already defined the attributes globally, then you can only specify the name in this yaml config. If you want to override any specific attribute for a specific bucket, then, you can define it here. Any attribute defined in the yaml will override the global definitions. Please see the relevant [Documentation](https://www.elastic.co/guide/en/beats/filebeat/8.5/filebeat-input-gcs.html#attrib-buckets) for further information. - required: true show_user: true default: | @@ -131,7 +130,6 @@ policy_templates: # - regex: "event/" description: > If the GCS bucket will have events that correspond to files that this integration shouldn’t process, file_selectors can be used to limit the files that are downloaded. This is a list of selectors which is made up of regex patters. The regex should match the GCS bucket filepath. Regexes use [RE2 syntax](https://pkg.go.dev/regexp/syntax). Files that don’t match one of the regexes will not be processed. - - name: timestamp_epoch type: integer title: Timestamp Epoch diff --git a/packages/google_cloud_storage/sample_event.json b/packages/google_cloud_storage/sample_event.json index fec33721806..37ef5bb15b6 100644 --- a/packages/google_cloud_storage/sample_event.json +++ b/packages/google_cloud_storage/sample_event.json 
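Review bot: The `@@ -105,7 +105,6 @@` hunk drops `required: true` from the `buckets` variable, and nothing in the 2.1.0 changelog entry (which lists only ECS-mapping and Kibana-constraint changes) records that, so the behaviour change is undocumented. The variable keeps its `default:` block, so the removal may well be intentional, but a policy that omits `buckets` would presumably now pass package validation where it previously did not. Either restore the line or add a changelog entry such as `- description: Make the buckets variable optional.` so the change is visible to users upgrading.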
@@ -13,7 +13,7 @@
 "type": "logs"
 },
 "ecs": {
- "version": "8.0.0"
+ "version": "8.11.0"
 },
 "elastic_agent": {
 "id": "80442ebe-168f-468b-82af-30451478d848",
diff --git a/packages/google_scc/_dev/build/build.yml b/packages/google_scc/_dev/build/build.yml
index 71f48ba2a9c..2bfcfc223b0 100644
--- a/packages/google_scc/_dev/build/build.yml
+++ b/packages/google_scc/_dev/build/build.yml
@@ -1,4 +1,3 @@
 dependencies:
 ecs:
 reference: "git@v8.11.0"
- import_mappings: true
diff --git a/packages/google_scc/changelog.yml b/packages/google_scc/changelog.yml
index 7efebc089a1..60b60614bf2 100644
--- a/packages/google_scc/changelog.yml
+++ b/packages/google_scc/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.4.0"
+ changes:
+ - description: Removed import_mappings. Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/10135
 - version: "1.3.0"
 changes:
 - description: Improve handling of empty responses.
diff --git a/packages/google_scc/data_stream/asset/fields/beats.yml b/packages/google_scc/data_stream/asset/fields/beats.yml
index 2d5ae254634..d5fd38748ba 100644
--- a/packages/google_scc/data_stream/asset/fields/beats.yml
+++ b/packages/google_scc/data_stream/asset/fields/beats.yml
@@ -4,6 +4,3 @@
 - name: log.offset
 type: long
 description: Log offset.
-- name: tags
- type: keyword
- description: User defined tags.
diff --git a/packages/google_scc/data_stream/audit/fields/beats.yml b/packages/google_scc/data_stream/audit/fields/beats.yml
index 2d5ae254634..d5fd38748ba 100644
--- a/packages/google_scc/data_stream/audit/fields/beats.yml
+++ b/packages/google_scc/data_stream/audit/fields/beats.yml
@@ -4,6 +4,3 @@
 - name: log.offset
 type: long
 description: Log offset.
-- name: tags
- type: keyword
- description: User defined tags.
diff --git a/packages/google_scc/data_stream/finding/fields/beats.yml b/packages/google_scc/data_stream/finding/fields/beats.yml
index 2d5ae254634..d5fd38748ba 100644
--- a/packages/google_scc/data_stream/finding/fields/beats.yml
+++ b/packages/google_scc/data_stream/finding/fields/beats.yml
@@ -4,6 +4,3 @@
 - name: log.offset
 type: long
 description: Log offset.
-- name: tags
- type: keyword
- description: User defined tags.
diff --git a/packages/google_scc/data_stream/source/fields/beats.yml b/packages/google_scc/data_stream/source/fields/beats.yml
index 2d5ae254634..d5fd38748ba 100644
--- a/packages/google_scc/data_stream/source/fields/beats.yml
+++ b/packages/google_scc/data_stream/source/fields/beats.yml
@@ -4,6 +4,3 @@
 - name: log.offset
 type: long
 description: Log offset.
-- name: tags
- type: keyword
- description: User defined tags.
diff --git a/packages/google_scc/docs/README.md b/packages/google_scc/docs/README.md
index 44d9b3b8c08..16af6a4f8bd 100644
--- a/packages/google_scc/docs/README.md
+++ b/packages/google_scc/docs/README.md
@@ -495,7 +495,6 @@ An example event for `asset` looks as following:
 | google_scc.asset.window.start_time | | date |
 | input.type | Type of Filebeat input. | keyword |
 | log.offset | Log offset. | long |
-| tags | User defined tags. | keyword |
 ### Finding
@@ -782,7 +781,6 @@ An example event for `finding` looks as following:
 | google_scc.finding.vulnerability.cve.upstream_fix_available | Whether upstream fix is available for the CVE. | boolean |
 | input.type | Type of Filebeat input. | keyword |
 | log.offset | Log offset. | long |
-| tags | User defined tags. | keyword |
 ### Source
@@ -867,7 +865,6 @@ An example event for `source` looks as following:
 | google_scc.source.name | The relative resource name of this source. See: https://cloud.google.com/apis/design/resource_names#relative_resource_name Example: "organizations/\{organization_id\}/sources/\{source_id\}". | keyword |
 | input.type | Type of Filebeat input. | keyword |
 | log.offset | Log offset. | long |
-| tags | User defined tags. | keyword |
 ### Audit
@@ -1086,4 +1083,3 @@ An example event for `audit` looks as following:
 | google_scc.audit.trace_sampled | The sampling decision of the trace associated with the log entry. | boolean |
 | input.type | Type of Filebeat input. | keyword |
 | log.offset | Log offset. | long |
-| tags | User defined tags. | keyword |
diff --git a/packages/google_scc/manifest.yml b/packages/google_scc/manifest.yml
index 43f88d620e7..2f4783c5ffd 100644
--- a/packages/google_scc/manifest.yml
+++ b/packages/google_scc/manifest.yml
@@ -1,7 +1,7 @@
 format_version: "3.0.3"
 name: google_scc
 title: Google Security Command Center
-version: "1.3.0"
+version: "1.4.0"
 description: Collect logs from Google Security Command Center with Elastic Agent.
 type: integration
 categories:
@@ -10,7 +10,7 @@ categories:
 - cloudsecurity_cdr
 conditions:
 kibana:
- version: ^8.12.0
+ version: "^8.13.0"
 elastic:
 subscription: basic
 screenshots:
diff --git a/packages/google_workspace/_dev/build/build.yml b/packages/google_workspace/_dev/build/build.yml
index 71f48ba2a9c..2bfcfc223b0 100644
--- a/packages/google_workspace/_dev/build/build.yml
+++ b/packages/google_workspace/_dev/build/build.yml
@@ -1,4 +1,3 @@
 dependencies:
 ecs:
 reference: "git@v8.11.0"
- import_mappings: true
diff --git a/packages/google_workspace/changelog.yml b/packages/google_workspace/changelog.yml
index ace3e23ac05..5ad201bf890 100644
--- a/packages/google_workspace/changelog.yml
+++ b/packages/google_workspace/changelog.yml
@@ -1,4 +1,9 @@ # newer versions go on top +- version: "2.23.0" + changes: + - description: Removed import_mappings. Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template. + type: enhancement + link: https://github.com/elastic/integrations/pull/10135 - version: "2.22.0" changes: - description: Improve handling of empty responses. diff --git a/packages/google_workspace/data_stream/access_transparency/fields/beats.yml b/packages/google_workspace/data_stream/access_transparency/fields/beats.yml index 2d5ae254634..d5fd38748ba 100644 --- a/packages/google_workspace/data_stream/access_transparency/fields/beats.yml +++ b/packages/google_workspace/data_stream/access_transparency/fields/beats.yml @@ -4,6 +4,3 @@ - name: log.offset type: long description: Log offset. -- name: tags - type: keyword - description: User defined tags. diff --git a/packages/google_workspace/data_stream/admin/fields/beats.yml b/packages/google_workspace/data_stream/admin/fields/beats.yml index 2d5ae254634..d5fd38748ba 100644 --- a/packages/google_workspace/data_stream/admin/fields/beats.yml +++ b/packages/google_workspace/data_stream/admin/fields/beats.yml @@ -4,6 +4,3 @@ - name: log.offset type: long description: Log offset. -- name: tags - type: keyword - description: User defined tags. diff --git a/packages/google_workspace/data_stream/alert/fields/beats.yml b/packages/google_workspace/data_stream/alert/fields/beats.yml index 2d5ae254634..d5fd38748ba 100644 --- a/packages/google_workspace/data_stream/alert/fields/beats.yml +++ b/packages/google_workspace/data_stream/alert/fields/beats.yml @@ -4,6 +4,3 @@ - name: log.offset type: long description: Log offset. -- name: tags - type: keyword - description: User defined tags. 
diff --git a/packages/google_workspace/data_stream/context_aware_access/fields/beats.yml b/packages/google_workspace/data_stream/context_aware_access/fields/beats.yml index 2d5ae254634..d5fd38748ba 100644 --- a/packages/google_workspace/data_stream/context_aware_access/fields/beats.yml +++ b/packages/google_workspace/data_stream/context_aware_access/fields/beats.yml @@ -4,6 +4,3 @@ - name: log.offset type: long description: Log offset. -- name: tags - type: keyword - description: User defined tags. diff --git a/packages/google_workspace/data_stream/device/fields/beats.yml b/packages/google_workspace/data_stream/device/fields/beats.yml index 2d5ae254634..d5fd38748ba 100644 --- a/packages/google_workspace/data_stream/device/fields/beats.yml +++ b/packages/google_workspace/data_stream/device/fields/beats.yml @@ -4,6 +4,3 @@ - name: log.offset type: long description: Log offset. -- name: tags - type: keyword - description: User defined tags. diff --git a/packages/google_workspace/data_stream/drive/fields/beats.yml b/packages/google_workspace/data_stream/drive/fields/beats.yml index 2d5ae254634..d5fd38748ba 100644 --- a/packages/google_workspace/data_stream/drive/fields/beats.yml +++ b/packages/google_workspace/data_stream/drive/fields/beats.yml @@ -4,6 +4,3 @@ - name: log.offset type: long description: Log offset. -- name: tags - type: keyword - description: User defined tags. diff --git a/packages/google_workspace/data_stream/gcp/fields/beats.yml b/packages/google_workspace/data_stream/gcp/fields/beats.yml index 2d5ae254634..d5fd38748ba 100644 --- a/packages/google_workspace/data_stream/gcp/fields/beats.yml +++ b/packages/google_workspace/data_stream/gcp/fields/beats.yml @@ -4,6 +4,3 @@ - name: log.offset type: long description: Log offset. -- name: tags - type: keyword - description: User defined tags. 
diff --git a/packages/google_workspace/data_stream/group_enterprise/fields/beats.yml b/packages/google_workspace/data_stream/group_enterprise/fields/beats.yml index 2d5ae254634..d5fd38748ba 100644 --- a/packages/google_workspace/data_stream/group_enterprise/fields/beats.yml +++ b/packages/google_workspace/data_stream/group_enterprise/fields/beats.yml @@ -4,6 +4,3 @@ - name: log.offset type: long description: Log offset. -- name: tags - type: keyword - description: User defined tags. diff --git a/packages/google_workspace/data_stream/groups/fields/beats.yml b/packages/google_workspace/data_stream/groups/fields/beats.yml index 2d5ae254634..d5fd38748ba 100644 --- a/packages/google_workspace/data_stream/groups/fields/beats.yml +++ b/packages/google_workspace/data_stream/groups/fields/beats.yml @@ -4,6 +4,3 @@ - name: log.offset type: long description: Log offset. -- name: tags - type: keyword - description: User defined tags. diff --git a/packages/google_workspace/data_stream/login/fields/beats.yml b/packages/google_workspace/data_stream/login/fields/beats.yml index 2d5ae254634..d5fd38748ba 100644 --- a/packages/google_workspace/data_stream/login/fields/beats.yml +++ b/packages/google_workspace/data_stream/login/fields/beats.yml @@ -4,6 +4,3 @@ - name: log.offset type: long description: Log offset. -- name: tags - type: keyword - description: User defined tags. diff --git a/packages/google_workspace/data_stream/rules/fields/beats.yml b/packages/google_workspace/data_stream/rules/fields/beats.yml index 2d5ae254634..d5fd38748ba 100644 --- a/packages/google_workspace/data_stream/rules/fields/beats.yml +++ b/packages/google_workspace/data_stream/rules/fields/beats.yml @@ -4,6 +4,3 @@ - name: log.offset type: long description: Log offset. -- name: tags - type: keyword - description: User defined tags. diff --git a/packages/google_workspace/data_stream/saml/fields/beats.yml b/packages/google_workspace/data_stream/saml/fields/beats.yml index 2d5ae254634..d5fd38748ba 100644 
--- a/packages/google_workspace/data_stream/saml/fields/beats.yml +++ b/packages/google_workspace/data_stream/saml/fields/beats.yml @@ -4,6 +4,3 @@ - name: log.offset type: long description: Log offset. -- name: tags - type: keyword - description: User defined tags. diff --git a/packages/google_workspace/data_stream/token/fields/beats.yml b/packages/google_workspace/data_stream/token/fields/beats.yml index 2d5ae254634..d5fd38748ba 100644 --- a/packages/google_workspace/data_stream/token/fields/beats.yml +++ b/packages/google_workspace/data_stream/token/fields/beats.yml @@ -4,6 +4,3 @@ - name: log.offset type: long description: Log offset. -- name: tags - type: keyword - description: User defined tags. diff --git a/packages/google_workspace/data_stream/user_accounts/fields/beats.yml b/packages/google_workspace/data_stream/user_accounts/fields/beats.yml index 2d5ae254634..d5fd38748ba 100644 --- a/packages/google_workspace/data_stream/user_accounts/fields/beats.yml +++ b/packages/google_workspace/data_stream/user_accounts/fields/beats.yml @@ -4,6 +4,3 @@ - name: log.offset type: long description: Log offset. -- name: tags - type: keyword - description: User defined tags. diff --git a/packages/google_workspace/docs/README.md b/packages/google_workspace/docs/README.md index 11d81229b57..8bcbbd23640 100644 --- a/packages/google_workspace/docs/README.md +++ b/packages/google_workspace/docs/README.md @@ -275,7 +275,6 @@ An example event for `saml` looks as following: | google_workspace.saml.status_code | SAML status code. | keyword | | input.type | Type of Filebeat input. | keyword | | log.offset | Log offset. | long | -| tags | User defined tags. | keyword | ### User Accounts 
@@ -399,7 +398,6 @@ An example event for `user_accounts` looks as following: | google_workspace.user_accounts.email_forwarding_destination_address | Out of domain email the actor has forwarded to. | keyword | | input.type | Type of Filebeat input. | keyword | | log.offset | Log offset. | long | -| tags | User defined tags. | keyword | ### Login Accounts @@ -538,7 +536,6 @@ An example event for `login` looks as following: | google_workspace.organization.domain | The domain that is affected by the report's event. | keyword | | input.type | Type of Filebeat input. | keyword | | log.offset | Log offset. | long | -| tags | User defined tags. | keyword | ### Rules @@ -745,7 +742,6 @@ An example event for `rules` looks as following: | google_workspace.rules.update_time_usec | Update time (microseconds since epoch) indicating the version of rule which is used. | date | | input.type | Type of Filebeat input. | keyword | | log.offset | Log offset. | long | -| tags | User defined tags. | keyword | ### Admin @@ -977,7 +973,6 @@ An example event for `admin` looks as following: | google_workspace.organization.domain | The domain that is affected by the report's event. | keyword | | input.type | Type of Filebeat input. | keyword | | log.offset | Log offset. | long | -| tags | User defined tags. | keyword | ### Drive @@ -1145,7 +1140,6 @@ An example event for `drive` looks as following: | google_workspace.organization.domain | The domain that is affected by the report's event. | keyword | | input.type | Type of Filebeat input. | keyword | | log.offset | Log offset. | long | -| tags | User defined tags. | keyword | ### Groups @@ -1300,7 +1294,6 @@ An example event for `groups` looks as following: | google_workspace.organization.domain | The domain that is affected by the report's event. | keyword | | input.type | Type of Filebeat input. | keyword | | log.offset | Log offset. | long | -| tags | User defined tags. | keyword | ### Alert 
@@ -1617,7 +1610,6 @@ An example event for `alert` looks as following: | input.type | Type of Filebeat input. | keyword | | log.offset | Log offset. | long | | log.source.address | Source address from which the log event was read / sent from. | keyword | -| tags | User defined tags. | keyword | ### Device @@ -1877,7 +1869,6 @@ An example event for `device` looks as following: | google_workspace.organization.domain | The domain that is affected by the report's event. | keyword | | input.type | Type of Filebeat input. | keyword | | log.offset | Log offset. | long | -| tags | User defined tags. | keyword | ### Group Enterprise @@ -2056,7 +2047,6 @@ An example event for `group_enterprise` looks as following: | google_workspace.organization.domain | The domain that is affected by the report's event. | keyword | | input.type | Type of Filebeat input. | keyword | | log.offset | Log offset. | long | -| tags | User defined tags. | keyword | ### Token @@ -2264,7 +2254,6 @@ An example event for `token` looks as following: | google_workspace.token.scope.value | Scopes under which access was granted / revoked. | keyword | | input.type | Type of Filebeat input. | keyword | | log.offset | Log offset. | long | -| tags | User defined tags. | keyword | ### Access Transparency @@ -2435,7 +2424,6 @@ An example event for `access_transparency` looks as following: | google_workspace.organization.domain | The domain that is affected by the report's event. | keyword | | input.type | Type of Filebeat input. | keyword | | log.offset | Log offset. | long | -| tags | User defined tags. | keyword | ### Context Aware Access @@ -2595,7 +2583,6 @@ An example event for `context_aware_access` looks as following: | google_workspace.organization.domain | The domain that is affected by the report's event. | keyword | | input.type | Type of Filebeat input. | keyword | | log.offset | Log offset. | long | -| tags | User defined tags. | keyword | ### GCP 
@@ -2741,5 +2728,4 @@ An example event for `gcp` looks as following: | google_workspace.organization.domain | The domain that is affected by the report's event. | keyword | | input.type | Type of Filebeat input. | keyword | | log.offset | Log offset. | long | -| tags | User defined tags. | keyword | diff --git a/packages/google_workspace/manifest.yml b/packages/google_workspace/manifest.yml index df1eafee766..2f4eef163c6 100644 --- a/packages/google_workspace/manifest.yml +++ b/packages/google_workspace/manifest.yml @@ -1,6 +1,6 @@ name: google_workspace title: Google Workspace -version: "2.22.0" +version: "2.23.0" source: license: Elastic-2.0 description: Collect logs from Google Workspace with Elastic Agent. @@ -11,7 +11,7 @@ categories: - productivity_security conditions: kibana: - version: ^8.12.0 + version: "^8.13.0" elastic: subscription: basic screenshots: diff --git a/packages/http_endpoint/changelog.yml b/packages/http_endpoint/changelog.yml index 942917443fe..9a2a2593ea9 100644 --- a/packages/http_endpoint/changelog.yml +++ b/packages/http_endpoint/changelog.yml @@ -1,3 +1,8 @@ +- version: "2.2.0" + changes: + - description: ECS version updated to 8.11.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template. + type: enhancement + link: https://github.com/elastic/integrations/pull/10135 - version: "2.1.0" changes: - description: Provide request tracing support. diff --git a/packages/http_endpoint/fields/agent.yml b/packages/http_endpoint/fields/agent.yml index 230f7bc911d..9638d2992eb 100644 --- a/packages/http_endpoint/fields/agent.yml +++ b/packages/http_endpoint/fields/agent.yml 
@@ -5,9 +5,6 @@ footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' type: group fields: - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - name: image.id type: keyword description: Image ID for the cloud instance. diff --git a/packages/http_endpoint/fields/beats.yml b/packages/http_endpoint/fields/beats.yml index ede69588554..22565288a1d 100644 --- a/packages/http_endpoint/fields/beats.yml +++ b/packages/http_endpoint/fields/beats.yml @@ -1,6 +1,3 @@ - name: input.type description: Type of Filebeat input. type: keyword -- name: tags - type: keyword - description: User defined tags diff --git a/packages/http_endpoint/fields/ecs.yml b/packages/http_endpoint/fields/ecs.yml deleted file mode 100644 index 21845b26f5a..00000000000 --- a/packages/http_endpoint/fields/ecs.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: ecs.version - external: ecs -- name: event.code - external: ecs -- name: event.created - external: ecs -- name: log.level - external: ecs -- name: message - external: ecs -- name: event.original - external: ecs diff --git a/packages/http_endpoint/manifest.yml b/packages/http_endpoint/manifest.yml index 3801af9426b..d79ff30a9fd 100644 --- a/packages/http_endpoint/manifest.yml +++ b/packages/http_endpoint/manifest.yml @@ -3,7 +3,7 @@ name: http_endpoint title: Custom HTTP Endpoint Logs description: Collect JSON data from listening HTTP port with Elastic Agent. type: input -version: "2.1.0" +version: "2.2.0" conditions: kibana: version: "^8.14.0" diff --git a/packages/http_endpoint/sample_event.json b/packages/http_endpoint/sample_event.json index a5e5c3ebf27..14494c99749 100644 --- a/packages/http_endpoint/sample_event.json 
+++ b/packages/http_endpoint/sample_event.json @@ -13,7 +13,7 @@ "type": "logs" }, "ecs": { - "version": "8.0.0" + "version": "8.11.0" }, "elastic_agent": { "id": "11a5b254-bd1f-402d-9d5c-593cbebda407", diff --git a/packages/httpjson/changelog.yml b/packages/httpjson/changelog.yml index fb16a20021b..0ec7bd5e568 100644 --- a/packages/httpjson/changelog.yml +++ b/packages/httpjson/changelog.yml @@ -1,3 +1,8 @@ +- version: "1.21.0" + changes: + - description: Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template. + type: enhancement + link: https://github.com/elastic/integrations/pull/10135 - version: "1.20.0" changes: - description: Set sensitive values as secret. diff --git a/packages/httpjson/data_stream/generic/fields/beats.yml b/packages/httpjson/data_stream/generic/fields/beats.yml index ede69588554..22565288a1d 100644 --- a/packages/httpjson/data_stream/generic/fields/beats.yml +++ b/packages/httpjson/data_stream/generic/fields/beats.yml @@ -1,6 +1,3 @@ - name: input.type description: Type of Filebeat input. type: keyword -- name: tags - type: keyword - description: User defined tags diff --git a/packages/httpjson/data_stream/generic/fields/ecs.yml b/packages/httpjson/data_stream/generic/fields/ecs.yml deleted file mode 100644 index 1c3645d5f4e..00000000000 --- a/packages/httpjson/data_stream/generic/fields/ecs.yml +++ /dev/null @@ -1,6 +0,0 @@ -- name: ecs.version - external: ecs -- name: event.created - external: ecs -- name: message - external: ecs diff --git a/packages/httpjson/manifest.yml b/packages/httpjson/manifest.yml index a58c6214b82..38c5ce4f2d9 100644 --- a/packages/httpjson/manifest.yml +++ b/packages/httpjson/manifest.yml 
@@ -3,10 +3,10 @@ name: httpjson title: Custom API description: Collect custom events from an API endpoint with Elastic agent type: integration -version: "1.20.0" +version: "1.21.0" conditions: kibana: - version: "^8.12.0" + version: "^8.13.0" categories: - custom policy_templates: diff --git a/packages/imperva_cloud_waf/changelog.yml b/packages/imperva_cloud_waf/changelog.yml index 247b1d90ee3..5e79d16a91c 100644 --- a/packages/imperva_cloud_waf/changelog.yml +++ b/packages/imperva_cloud_waf/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.1.0" + changes: + - description: Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template. + type: enhancement + link: https://github.com/elastic/integrations/pull/10135 - version: "1.0.0" changes: - description: Release package as GA. diff --git a/packages/imperva_cloud_waf/data_stream/event/_dev/test/pipeline/test-common-config.yml b/packages/imperva_cloud_waf/data_stream/event/_dev/test/pipeline/test-common-config.yml index 36106b22efb..1f0a54d166d 100644 --- a/packages/imperva_cloud_waf/data_stream/event/_dev/test/pipeline/test-common-config.yml +++ b/packages/imperva_cloud_waf/data_stream/event/_dev/test/pipeline/test-common-config.yml @@ -2,7 +2,6 @@ fields: tags: - preserve_original_event - preserve_duplicate_custom_fields - dynamic_fields: # This can be removed after ES 8.14 is the minimum version. # Relates: https://github.com/elastic/elasticsearch/pull/105689 diff --git a/packages/imperva_cloud_waf/data_stream/event/fields/beats.yml b/packages/imperva_cloud_waf/data_stream/event/fields/beats.yml index 083dcfe307e..fff1b3f1b6b 100644 --- a/packages/imperva_cloud_waf/data_stream/event/fields/beats.yml +++ b/packages/imperva_cloud_waf/data_stream/event/fields/beats.yml @@ -4,9 +4,6 @@ - name: log.offset type: long description: Log offset. -- name: tags - type: keyword - description: User defined tags. - name: aws.s3 type: group fields: 
diff --git a/packages/imperva_cloud_waf/docs/README.md b/packages/imperva_cloud_waf/docs/README.md index 7804458cb4b..ff9072a365b 100644 --- a/packages/imperva_cloud_waf/docs/README.md +++ b/packages/imperva_cloud_waf/docs/README.md @@ -356,5 +356,4 @@ An example event for `event` looks as following: | input.type | Type of filebeat input. | keyword | | log.offset | Log offset. | long | | source.service.name | | keyword | -| tags | User defined tags. | keyword | diff --git a/packages/imperva_cloud_waf/manifest.yml b/packages/imperva_cloud_waf/manifest.yml index 234b126935e..b63e836fcac 100644 --- a/packages/imperva_cloud_waf/manifest.yml +++ b/packages/imperva_cloud_waf/manifest.yml @@ -1,7 +1,7 @@ format_version: 3.0.3 name: imperva_cloud_waf title: Imperva Cloud WAF -version: 1.0.0 +version: "1.1.0" description: Collect logs from Imperva Cloud WAF with Elastic Agent. type: integration categories: diff --git a/packages/infoblox_bloxone_ddi/changelog.yml b/packages/infoblox_bloxone_ddi/changelog.yml index d501255c179..33bf888e70f 100644 --- a/packages/infoblox_bloxone_ddi/changelog.yml +++ b/packages/infoblox_bloxone_ddi/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.18.0" + changes: + - description: Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template. + type: enhancement + link: https://github.com/elastic/integrations/pull/10135 - version: "1.17.0" changes: - description: Improve handling of empty responses. diff --git a/packages/infoblox_bloxone_ddi/data_stream/dhcp_lease/fields/agent.yml b/packages/infoblox_bloxone_ddi/data_stream/dhcp_lease/fields/agent.yml index 13b5e5c01c0..894e6f12be2 100644 --- a/packages/infoblox_bloxone_ddi/data_stream/dhcp_lease/fields/agent.yml +++ b/packages/infoblox_bloxone_ddi/data_stream/dhcp_lease/fields/agent.yml 
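Review bot: imperva_cloud_waf's manifest.yml hunk only bumps `version` to `"1.1.0"` while the `tags` definition is removed from its beats.yml; unlike google_scc, google_workspace and httpjson in this patch there is no kibana constraint change, and the imperva changelog entry does not mention one. If the existing constraint (outside this hunk) is already `^8.13.0` or higher this is fine; otherwise `tags` would rely on the `ecs@mappings` component template on stacks that may not ship it. Worth confirming the current constraint before merging, or adding the bump together with the matching changelog wording the other packages use, `Update the kibana constraint to ^8.13.0.`.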
@@ -5,152 +5,15 @@ footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' type: group fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - name: image.id type: keyword description: Image ID for the cloud instance. -- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. 
These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. - name: host title: Host group: 2 description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' type: group fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). 
- example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - name: containerized type: boolean description: > diff --git a/packages/infoblox_bloxone_ddi/data_stream/dhcp_lease/fields/ecs.yml b/packages/infoblox_bloxone_ddi/data_stream/dhcp_lease/fields/ecs.yml deleted file mode 100644 index 9e89db6b837..00000000000 --- a/packages/infoblox_bloxone_ddi/data_stream/dhcp_lease/fields/ecs.yml +++ /dev/null @@ -1,30 +0,0 @@ -- external: ecs - name: client.user.id -- external: ecs - name: ecs.version -- external: ecs - name: event.category -- external: ecs - name: event.created -- external: ecs - name: event.end -- external: ecs - name: event.kind -- external: ecs - name: event.original -- external: ecs - name: event.start -- external: ecs - name: event.type -- external: ecs - name: host.hostname -- external: ecs - name: host.name -- external: ecs - name: network.type -- external: ecs - name: related.hosts -- external: ecs - name: related.ip -- external: ecs - name: tags 
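Review bot: Dropping the typed `cloud.*`, `container.*` and `host.*` definitions from dhcp_lease's agent.yml, together with the `external: ecs` list in its deleted ecs.yml, hands the mapping of these fields to the `ecs@mappings` component template, whose dynamic templates select a type from the indexed value; the removed `cloud.account.id` entry carried a numeric example (`666777888999`) and `host.ip`/`related.ip` were explicitly `ip`, so whether the pipeline emits strings or numbers now decides the resulting field type. It would be worth confirming that the pipeline tests still validate these fields' types (or that the expected-output files were regenerated against a stack providing ecs@mappings), since a keyword-vs-ip regression on `related.ip` or `host.ip` would otherwise only surface when a detection rule's CIDR query stops matching. The same applies to the dns_config and dns_data agent.yml/ecs.yml hunks that follow; the dns_data hunk runs past the end of this view.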
diff --git a/packages/infoblox_bloxone_ddi/data_stream/dns_config/fields/agent.yml b/packages/infoblox_bloxone_ddi/data_stream/dns_config/fields/agent.yml index 6e1bac042bc..894e6f12be2 100644 --- a/packages/infoblox_bloxone_ddi/data_stream/dns_config/fields/agent.yml +++ b/packages/infoblox_bloxone_ddi/data_stream/dns_config/fields/agent.yml 
@@ -5,162 +5,15 @@ footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' type: group fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - name: image.id type: keyword description: Image ID for the cloud instance. -- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. 
These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. - name: host title: Host group: 2 description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' type: group fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. 
- - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - name: containerized type: boolean description: > diff --git a/packages/infoblox_bloxone_ddi/data_stream/dns_config/fields/ecs.yml b/packages/infoblox_bloxone_ddi/data_stream/dns_config/fields/ecs.yml deleted file mode 100644 index 3d366d56904..00000000000 --- a/packages/infoblox_bloxone_ddi/data_stream/dns_config/fields/ecs.yml +++ /dev/null 
@@ -1,22 +0,0 @@
-- external: ecs
- name: dns.answers.ttl
-- external: ecs
- name: ecs.version
-- external: ecs
- name: event.category
-- external: ecs
- name: event.created
-- external: ecs
- name: event.id
-- external: ecs
- name: event.kind
-- external: ecs
- name: event.original
-- external: ecs
- name: event.type
-- external: ecs
- name: related.hash
-- external: ecs
- name: related.ip
-- external: ecs
- name: tags
diff --git a/packages/infoblox_bloxone_ddi/data_stream/dns_data/fields/agent.yml b/packages/infoblox_bloxone_ddi/data_stream/dns_data/fields/agent.yml
index 6e1bac042bc..894e6f12be2 100644
--- a/packages/infoblox_bloxone_ddi/data_stream/dns_data/fields/agent.yml
+++ b/packages/infoblox_bloxone_ddi/data_stream/dns_data/fields/agent.yml
@@ -5,162 +5,15 @@ footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' type: group fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - name: image.id type: keyword description: Image ID for the cloud instance. -- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. 
These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. - name: host title: Host group: 2 description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' type: group fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. 
- - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - name: containerized type: boolean description: > diff --git a/packages/infoblox_bloxone_ddi/data_stream/dns_data/fields/ecs.yml b/packages/infoblox_bloxone_ddi/data_stream/dns_data/fields/ecs.yml deleted file mode 100644 index 4ef70f75af8..00000000000 --- a/packages/infoblox_bloxone_ddi/data_stream/dns_data/fields/ecs.yml +++ /dev/null 
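Review bot: On the new side the `cloud` and `host` groups keep only `image.id` and `containerized`, but each group's `description` still reads as the ECS group definition (`ECS host.* fields should be populated with details about the host…`), which invites the next maintainer to re-add the ECS siblings here. The removed `cloud.*`, `container.*` and `host.*` definitions (including `host.ip` typed `ip`, which detection rules rely on for CIDR matching) are presumably now expected from the `ecs@mappings` component template — the infoblox_nios changelog entry later in this diff says so and the bloxone `manifest.yml` constraint bump to `^8.13.0` appears to guard it — yet nothing in this file records that dependency. I would add above the surviving `fields:` entries a comment such as `# Only non-ECS fields are declared here; cloud.*, container.* and host.* ECS fields come from the ecs@mappings component template (hence the ^8.13.0 kibana constraint in manifest.yml).` The same applies to the other `agent.yml` hunks in this commit (dns_config earlier in the diff and infoblox_nios/log after it); the folded `containerized` description at the end of this hunk continues outside it.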
@@ -1,37 +0,0 @@
-- external: ecs
- name: dns.answers
- type: group
-- external: ecs
- name: dns.answers.data
-- external: ecs
- name: dns.answers.ttl
-- external: ecs
- name: dns.answers.type
-- external: ecs
- name: dns.question.name
-- external: ecs
- name: dns.question.registered_domain
-- external: ecs
- name: dns.question.subdomain
-- external: ecs
- name: dns.question.type
-- external: ecs
- name: ecs.version
-- external: ecs
- name: event.category
-- external: ecs
- name: event.created
-- external: ecs
- name: event.id
-- external: ecs
- name: event.kind
-- external: ecs
- name: event.original
-- external: ecs
- name: event.type
-- external: ecs
- name: related.hosts
-- external: ecs
- name: related.ip
-- external: ecs
- name: tags
diff --git a/packages/infoblox_bloxone_ddi/docs/README.md b/packages/infoblox_bloxone_ddi/docs/README.md
index 982b96a446b..6120e87b5e4 100644
--- a/packages/infoblox_bloxone_ddi/docs/README.md
+++ b/packages/infoblox_bloxone_ddi/docs/README.md
@@ -156,50 +156,15 @@ An example event for `dhcp_lease` looks as following: | Field | Description | Type | |---|---|---| | @timestamp | Event timestamp. | date | -| client.user.id | Unique identifier of the user. | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | | cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | | data_stream.dataset | Data stream dataset. | constant_keyword | | data_stream.namespace | Data stream namespace. | constant_keyword | | data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. 
For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date | | event.dataset | Event dataset. | constant_keyword | -| event.end | `event.end` contains the date when the event ended or when the activity was last observed. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword | | event.module | Event module. | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. 
This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.start | `event.start` contains the date when the event started or when the activity was first observed. | date | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| host.architecture | Operating system architecture. | keyword | | host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name (FQDN), or a name specified by the user. The recommended value is the lowercase FQDN of the host. | keyword | | host.os.build | OS build information. | keyword | | host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). 
| keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | infoblox_bloxone_ddi.dhcp_lease.address | The IP address of the DHCP lease in the format "a.b.c.d". This address will be marked as leased in IPAM while the lease exists. | ip | | infoblox_bloxone_ddi.dhcp_lease.client_id | The client ID of the DHCP lease. It might be empty. | keyword | | infoblox_bloxone_ddi.dhcp_lease.ends | The time when the DHCP lease will expire. | date | @@ -220,10 +185,6 @@ An example event for `dhcp_lease` looks as following: | infoblox_bloxone_ddi.dhcp_lease.type | Lease type. | keyword | | input.type | Input type | keyword | | log.offset | Log offset | long | -| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| tags | List of keywords used to tag each event. | keyword | ### dns_config 
@@ -913,49 +874,15 @@ An example event for `dns_config` looks as following: | Field | Description | Type | |---|---|---| | @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | | cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | | data_stream.dataset | Data stream dataset. | constant_keyword | | data_stream.namespace | Data stream namespace. | constant_keyword | | data_stream.type | Data stream type. | constant_keyword | -| dns.answers.ttl | The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. 
| keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date | | event.dataset | Event dataset. | constant_keyword | -| event.id | Unique ID to describe the event. | keyword | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword | | event.module | Event module. | constant_keyword | -| event.original | Raw text message of entire event. 
Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| host.architecture | Operating system architecture. | keyword | | host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | host.os.build | OS build information. | keyword | | host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). 
| keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | infoblox_bloxone_ddi.dns_config.add_edns.option_in.outgoing_query | add_edns_option_in_outgoing_query adds client IP, MAC address and view name into outgoing recursive query. | boolean | | infoblox_bloxone_ddi.dns_config.comment | Optional. Comment for view. | keyword | | infoblox_bloxone_ddi.dns_config.created_at | The timestamp when the object has been created. | date | @@ -1250,9 +1177,6 @@ An example event for `dns_config` looks as following: | infoblox_bloxone_ddi.dns_config.zone_authority.use_default_mname | Optional. Use default value for master name server. Defaults to true. | boolean | | input.type | Input type | keyword | | log.offset | Log offset | long | -| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| tags | List of keywords used to tag each event. | keyword | ### dns_data 
@@ -1417,56 +1341,15 @@ An example event for `dns_data` looks as following: | Field | Description | Type | |---|---|---| | @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | | cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | | data_stream.dataset | Data stream dataset. | constant_keyword | | data_stream.namespace | Data stream namespace. | constant_keyword | | data_stream.type | Data stream type. | constant_keyword | -| dns.answers | An array containing an object for each answer section returned by the server. The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines. Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields. | group | -| dns.answers.data | The data describing the resource. 
The meaning of this data depends on the type and class of the resource record. | keyword | -| dns.answers.ttl | The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. | long | -| dns.answers.type | The type of data contained in this resource record. | keyword | -| dns.question.name | The name being queried. If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. | keyword | -| dns.question.registered_domain | The highest registered domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| dns.question.subdomain | The subdomain is all of the labels under the registered_domain. If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | -| dns.question.type | The type of record being queried. | keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. 
For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date | | event.dataset | Event dataset. | constant_keyword | -| event.id | Unique ID to describe the event. | keyword | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword | | event.module | Event module. | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. 
It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| host.architecture | Operating system architecture. | keyword | | host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | host.os.build | OS build information. | keyword | | host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. 
| text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | infoblox_bloxone_ddi.dns_data.absolute.name.spec | The DNS protocol textual representation of absolute_name_spec. | keyword | | infoblox_bloxone_ddi.dns_data.absolute.zone.name | The DNS protocol textual representation of the absolute domain name of the zone where this record belongs. | keyword | | infoblox_bloxone_ddi.dns_data.absolute_name.spec | Synthetic field, used to determine zone and/or name_in_zone field for records. | keyword | @@ -1524,7 +1407,4 @@ An example event for `dns_data` looks as following: | infoblox_bloxone_ddi.dns_data.zone | The resource identifier. | keyword | | input.type | Input type | keyword | | log.offset | Log offset | long | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| tags | List of keywords used to tag each event. | keyword | diff --git a/packages/infoblox_bloxone_ddi/manifest.yml b/packages/infoblox_bloxone_ddi/manifest.yml index bd292e6a4d2..a22e0b99ce5 100644 --- a/packages/infoblox_bloxone_ddi/manifest.yml +++ b/packages/infoblox_bloxone_ddi/manifest.yml @@ -1,7 +1,7 @@ format_version: "3.0.2" name: infoblox_bloxone_ddi title: Infoblox BloxOne DDI -version: "1.17.0" +version: "1.18.0" description: Collect logs from Infoblox BloxOne DDI with Elastic Agent. type: integration categories: 
@@ -10,7 +10,7 @@ categories:
 - dns_security
 conditions:
 kibana:
- version: ^8.12.0
+ version: "^8.13.0"
 screenshots:
 - src: /img/infoblox-bloxone-ddi-screenshot.png
 title: Infoblox BloxOne DDI dashboard screenshot
diff --git a/packages/infoblox_nios/changelog.yml b/packages/infoblox_nios/changelog.yml
index 4e18ab2716a..0f6c058b106 100644
--- a/packages/infoblox_nios/changelog.yml
+++ b/packages/infoblox_nios/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.23.0"
+ changes:
+ - description: Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/10135
 - version: "1.22.0"
 changes:
 - description: Handle REFUSED log messages.
diff --git a/packages/infoblox_nios/data_stream/log/fields/agent.yml b/packages/infoblox_nios/data_stream/log/fields/agent.yml
index 152150fe41a..5b567f262ee 100644
--- a/packages/infoblox_nios/data_stream/log/fields/agent.yml
+++ b/packages/infoblox_nios/data_stream/log/fields/agent.yml
@@ -5,158 +5,15 @@
 footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
 type: group
 fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
 - name: image.id
 type: keyword
 description: Image ID for the cloud instance.
-- name: container
- title: Container
- group: 2
- description: 'Container fields are used for meta information about the specific container that is the source of information. These fields help correlate data based containers from any runtime.'
- type: group
- fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container id.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
 - name: host
 title: Host
 group: 2
 description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
 type: group
 fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'Name of the domain of which the host is a member. For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
- example: CONTOSO
- default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host. It normally contains what the `hostname` command returns on the host machine.'
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`.'
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
 - name: containerized
 type: boolean
 description: >-
diff --git a/packages/infoblox_nios/data_stream/log/fields/ecs.yml b/packages/infoblox_nios/data_stream/log/fields/ecs.yml
deleted file mode 100644
index dcd80b6b0e6..00000000000
--- a/packages/infoblox_nios/data_stream/log/fields/ecs.yml
+++ /dev/null
@@ -1,90 +0,0 @@
-- external: ecs
- name: client.geo.city_name
-- external: ecs
- name: client.geo.country_name
-- external: ecs
- name: client.geo.country_iso_code
-- external: ecs
- name: client.geo.continent_name
-- external: ecs
- name: client.geo.region_iso_code
-- external: ecs
- name: client.geo.location
-- external: ecs
- name: client.geo.region_name
-- external: ecs
- name: client.as.number
-- external: ecs
- name: client.as.organization.name
-- external: ecs
- name: client.ip
-- external: ecs
- name: client.mac
-- external: ecs
- name: client.port
-- external: ecs
- name: dns.answers.class
-- external: ecs
- name: dns.answers.data
-- external: ecs
- name: dns.answers.name
-- external: ecs
- name: dns.answers.ttl
-- external: ecs
- name: dns.answers.type
-- external: ecs
- name: dns.header_flags
-- external: ecs
- name: dns.question.class
-- external: ecs
- name: dns.question.name
-- external: ecs
- name: dns.question.registered_domain
-- external: ecs
- name: dns.question.subdomain
-- external: ecs
- name: dns.question.top_level_domain
-- external: ecs
- name: dns.question.type
-- external: ecs
- name: dns.response_code
-- external: ecs
- name: ecs.version
-- external: ecs
- name: event.category
-- external: ecs
- name: event.created
-- external: ecs
- name: event.original
-- external: ecs
- name: event.outcome
-- external: ecs
- name: event.type
-- external: ecs
- name: host.ip
-- external: ecs
- name: observer.ingress.interface.name
-- external: ecs
- name: log.file.path
-- external: ecs
- name: log.syslog.priority
-- external: ecs
- name: message
-- external: ecs
- name: network.transport
-- external: ecs
- name: process.pid
-- external: ecs
- name: related.hosts
-- external: ecs
- name: related.ip
-- external: ecs
- name: related.user
-- external: ecs
- name: server.ip
-- external: ecs
- name: server.port
-- external: ecs
- name: tags
-- external: ecs
- name: user.name
diff --git a/packages/infoblox_nios/docs/README.md b/packages/infoblox_nios/docs/README.md
index 1294714ddbd..151f359eeef 100644
--- a/packages/infoblox_nios/docs/README.md
+++ b/packages/infoblox_nios/docs/README.md
@@ -238,71 +238,13 @@ An example event for `log` looks as following:
 | Field | Description | Type |
 |---|---|---|
 | @timestamp | Event timestamp. | date |
-| client.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| client.as.organization.name | Organization name. | keyword |
-| client.as.organization.name.text | Multi-field of `client.as.organization.name`. | match_only_text |
-| client.geo.city_name | City name. | keyword |
-| client.geo.continent_name | Name of the continent. | keyword |
-| client.geo.country_iso_code | Country ISO code. | keyword |
-| client.geo.country_name | Country name. | keyword |
-| client.geo.location | Longitude and latitude. | geo_point |
-| client.geo.region_iso_code | Region ISO code. | keyword |
-| client.geo.region_name | Region name. | keyword |
-| client.ip | IP address of the client (IPv4 or IPv6). | ip |
-| client.mac | MAC address of the client. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
-| client.port | Port of the client. | long |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
 | cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
 | data_stream.dataset | Data stream dataset. | constant_keyword |
 | data_stream.namespace | Data stream namespace. | constant_keyword |
 | data_stream.type | Data stream type. | constant_keyword |
-| dns.answers.class | The class of DNS data contained in this resource record. | keyword |
-| dns.answers.data | The data describing the resource. The meaning of this data depends on the type and class of the resource record. | keyword |
-| dns.answers.name | The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. | keyword |
-| dns.answers.ttl | The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. | long |
-| dns.answers.type | The type of data contained in this resource record. | keyword |
-| dns.header_flags | Array of 2 letter DNS header flags. | keyword |
-| dns.question.class | The class of records being queried. | keyword |
-| dns.question.name | The name being queried. If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. | keyword |
-| dns.question.registered_domain | The highest registered domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
-| dns.question.subdomain | The subdomain is all of the labels under the registered_domain. If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword |
-| dns.question.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
-| dns.question.type | The type of record being queried. | keyword |
-| dns.response_code | The DNS response code. | keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date |
-| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
-| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| host.architecture | Operating system architecture. | keyword |
 | host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
 | host.os.build | OS build information. | keyword |
 | host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
 | infoblox_nios.log.audit.apparently_via | | keyword |
 | infoblox_nios.log.audit.auth | | keyword |
 | infoblox_nios.log.audit.error | | text |
@@ -359,20 +301,6 @@ An example event for `log` looks as following:
 | infoblox_nios.log.type | | keyword |
 | infoblox_nios.log.view | | keyword |
 | input.type | Input type | keyword |
-| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword |
 | log.offset | Log offset | long |
 | log.source.address | Log source address | keyword |
-| log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 \* facility + severity. This number is therefore expected to contain a value between 0 and 191. | long |
-| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text |
-| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
-| observer.ingress.interface.name | Interface name as reported by the system. | keyword |
-| process.pid | Process id. | long |
-| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| related.user | All the user names or other user identifiers seen on the event. | keyword |
-| server.ip | IP address of the server (IPv4 or IPv6). | ip |
-| server.port | Port of the server. | long |
-| tags | List of keywords used to tag each event. | keyword |
-| user.name | Short name or login of the user. | keyword |
-| user.name.text | Multi-field of `user.name`. | match_only_text |
diff --git a/packages/infoblox_nios/manifest.yml b/packages/infoblox_nios/manifest.yml
index dff733e7f50..0fe93053f71 100644
--- a/packages/infoblox_nios/manifest.yml
+++ b/packages/infoblox_nios/manifest.yml
@@ -1,7 +1,7 @@
 format_version: "3.0.3"
 name: infoblox_nios
 title: Infoblox NIOS
-version: "1.22.0"
+version: "1.23.0"
 description: Collect logs from Infoblox NIOS with Elastic Agent.
 type: integration
 categories:
@@ -10,7 +10,7 @@ categories:
 - dns_security
 conditions:
 kibana:
- version: ^8.7.1
+ version: "^8.13.0"
 screenshots:
 - src: /img/infoblox-nios-screenshot.png
 title: Infoblox NIOS dashboard screenshot
diff --git a/packages/jamf_compliance_reporter/changelog.yml b/packages/jamf_compliance_reporter/changelog.yml
index d79e16252a3..7c1f82e2750 100644
--- a/packages/jamf_compliance_reporter/changelog.yml
+++ b/packages/jamf_compliance_reporter/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.13.0"
+ changes:
+ - description: Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/10135
 - version: "1.12.0"
 changes:
 - description: Update manifest format version to v3.0.3.
diff --git a/packages/jamf_compliance_reporter/data_stream/log/fields/agent.yml b/packages/jamf_compliance_reporter/data_stream/log/fields/agent.yml
index 2919f7a30c6..35ae17d33b3 100644
--- a/packages/jamf_compliance_reporter/data_stream/log/fields/agent.yml
+++ b/packages/jamf_compliance_reporter/data_stream/log/fields/agent.yml
@@ -5,162 +5,15 @@
 footnote: "Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on."
 type: group
 fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: "The cloud account or organization ID used to identify different entities in a multi-tenant environment. Examples: AWS account ID, Google Cloud ORG ID, or other unique identifier."
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
 - name: image.id
 type: keyword
 description: Image ID for the cloud instance.
-- name: container
- title: Container
- group: 2
- description: "Container fields are used for meta information about the specific container that is the source of information. These fields help correlate data based containers from any runtime."
- type: group
- fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container ID.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
 - name: host
 title: Host
 group: 2
 description: "A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes."
 type: group
 fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: "Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider."
- example: CONTOSO
- default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: "Hostname of the host. It normally contains what the `hostname` command returns on the host machine."
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: "Unique host ID. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`."
- - name: ip
- level: core
- type: ip
- description: Host IP addresses.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: "Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use."
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: "Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment."
 - name: containerized
 type: boolean
 description: >-
diff --git a/packages/jamf_compliance_reporter/data_stream/log/fields/ecs.yml b/packages/jamf_compliance_reporter/data_stream/log/fields/ecs.yml
deleted file mode 100644
index c09ccff0735..00000000000
--- a/packages/jamf_compliance_reporter/data_stream/log/fields/ecs.yml
+++ /dev/null
@@ -1,78 +0,0 @@
-- external: ecs
- name: ecs.version
-- external: ecs
- name: error.code
-- external: ecs
- name: event.action
-- external: ecs
- name: event.category
-- external: ecs
- name: event.code
-- external: ecs
- name: event.created
-- external: ecs
- name: event.kind
-- external: ecs
- name: event.original
-- external: ecs
- name: event.outcome
-- external: ecs
- name: event.type
-- external: ecs
- name: file.hash.sha1
-- external: ecs
- name: file.path
-- external: ecs
- name: host.os.type
-- external: ecs
- name: process.args
-- external: ecs
- name: process.exit_code
-- external: ecs
- name: process.hash.sha1
-- external: ecs
- name: process.name
-- external: ecs
- name: process.pid
-- external: ecs
- name: process.parent.pid
-- external: ecs
- name: process.real_group.id
-- external: ecs
- name: process.real_group.name
-- external: ecs
- name: process.real_user.id
-- external: ecs
- name: process.real_user.name
-- external: ecs
- name: process.user.id
-- external: ecs
- name: process.user.name
-- external: ecs
- name: related.hash
-- external: ecs
- name: related.hosts
-- external: ecs
- name: related.ip
-- external: ecs
- name: server.ip
-- external: ecs
- name: server.port
-- external: ecs
- name: related.user
-- external: ecs
- name: tags
-- external: ecs
- name: user.effective.id
-- external: ecs
- name: user.effective.name
-- external: ecs
- name: user.email
-- external: ecs
- name: user.group.id
-- external: ecs
- name: user.group.name
-- external: ecs
- name: user.id
-- external: ecs
- name: user.name
diff --git a/packages/jamf_compliance_reporter/docs/README.md b/packages/jamf_compliance_reporter/docs/README.md
index 69e513aa4e4..c9fbd9727a5 100644
--- a/packages/jamf_compliance_reporter/docs/README.md
+++ b/packages/jamf_compliance_reporter/docs/README.md
@@ -201,55 +201,15 @@ An example event for `log` looks as following:
 | Field | Description | Type |
 |---|---|---|
 | @timestamp | Event timestamp. | date |
-| cloud.account.id | The cloud account or organization ID used to identify different entities in a multi-tenant environment. Examples: AWS account ID, Google Cloud ORG ID, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
 | cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container ID. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
 | data_stream.dataset | Data stream dataset. | constant_keyword |
 | data_stream.namespace | Data stream namespace. | constant_keyword |
 | data_stream.type | Data stream type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| error.code | Error code describing the error. | keyword |
-| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword |
-| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date |
 | event.dataset | Name of the dataset. | constant_keyword |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword |
 | event.module | Event module. | constant_keyword |
-| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
-| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| file.hash.sha1 | SHA1 hash. | keyword |
-| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword |
-| file.path.text | Multi-field of `file.path`. | match_only_text |
-| host.architecture | Operating system architecture. | keyword |
 | host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host ID. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host IP addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
 | host.os.build | OS build information. | keyword |
 | host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. If the OS you're dealing with is not listed as an expected value, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
 | input.type | Input type | keyword |
 | jamf_compliance_reporter.log.app_metric_info.cpu_percentage | | double |
 | jamf_compliance_reporter.log.app_metric_info.cpu_time_seconds | | double |
@@ -490,35 +450,4 @@ An example event for `log` looks as following:
 | jamf_compliance_reporter.log.texts | | keyword |
 | log.offset | Log offset | long |
 | log.source.address | Source address from which the log event was read / sent from. | keyword |
-| process.args | Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information. | keyword |
-| process.exit_code | The exit code of the process, if this is a termination event. The field should be absent if there is no exit code for the event (e.g. process start). | long |
-| process.hash.sha1 | SHA1 hash. | keyword |
-| process.name | Process name. Sometimes called program name or similar. | keyword |
-| process.name.text | Multi-field of `process.name`. | match_only_text |
-| process.parent.pid | Process id. | long |
-| process.pid | Process id. | long |
-| process.real_group.id | Unique identifier for the group on the system/platform. | keyword |
-| process.real_group.name | Name of the group. | keyword |
-| process.real_user.id | Unique identifier of the user. | keyword |
-| process.real_user.name | Short name or login of the user. | keyword |
-| process.real_user.name.text | Multi-field of `process.real_user.name`. | match_only_text |
-| process.user.id | Unique identifier of the user. | keyword |
-| process.user.name | Short name or login of the user. | keyword |
-| process.user.name.text | Multi-field of `process.user.name`. | match_only_text |
-| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword |
-| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| related.user | All the user names or other user identifiers seen on the event. | keyword |
-| server.ip | IP address of the server (IPv4 or IPv6). | ip |
-| server.port | Port of the server. | long |
-| tags | List of keywords used to tag each event. | keyword |
-| user.effective.id | Unique identifier of the user. | keyword |
-| user.effective.name | Short name or login of the user. | keyword |
-| user.effective.name.text | Multi-field of `user.effective.name`. | match_only_text |
-| user.email | User email address. | keyword |
-| user.group.id | Unique identifier for the group on the system/platform. | keyword |
-| user.group.name | Name of the group. | keyword |
-| user.id | Unique identifier of the user. | keyword |
-| user.name | Short name or login of the user. | keyword |
-| user.name.text | Multi-field of `user.name`. | match_only_text |
diff --git a/packages/jamf_compliance_reporter/manifest.yml b/packages/jamf_compliance_reporter/manifest.yml
index 88305aaa722..5a56b3ebb28 100644
--- a/packages/jamf_compliance_reporter/manifest.yml
+++ b/packages/jamf_compliance_reporter/manifest.yml
@@ -1,14 +1,14 @@
 format_version: "3.0.3"
 name: jamf_compliance_reporter
 title: Jamf Compliance Reporter
-version: "1.12.0"
+version: "1.13.0"
 description: Collect logs from Jamf Compliance Reporter with Elastic Agent.
 type: integration
 categories:
 - security
 conditions:
 kibana:
- version: ^8.7.1
+ version: "^8.13.0"
 screenshots:
 - src: /img/jamf-compliance-reporter-screenshot.png
 title: Jamf Compliance Reporter Screenshot
diff --git a/packages/jamf_protect/changelog.yml b/packages/jamf_protect/changelog.yml
index 9d89330ef53..7b0f0049284 100644
--- a/packages/jamf_protect/changelog.yml
+++ b/packages/jamf_protect/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "2.1.0"
+ changes:
+ - description: Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/10135
 - version: "2.0.0"
 changes:
 - description: Adding support for new Telemetry stream.
diff --git a/packages/jamf_protect/data_stream/alerts/fields/agent.yml b/packages/jamf_protect/data_stream/alerts/fields/agent.yml
index 2919f7a30c6..35ae17d33b3 100644
--- a/packages/jamf_protect/data_stream/alerts/fields/agent.yml
+++ b/packages/jamf_protect/data_stream/alerts/fields/agent.yml
@@ -5,162 +5,15 @@
 footnote: "Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on."
 type: group
 fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: "The cloud account or organization ID used to identify different entities in a multi-tenant environment. Examples: AWS account ID, Google Cloud ORG ID, or other unique identifier."
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
 - name: image.id
 type: keyword
 description: Image ID for the cloud instance.
-- name: container
- title: Container
- group: 2
- description: "Container fields are used for meta information about the specific container that is the source of information. These fields help correlate data based containers from any runtime."
- type: group
- fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container ID.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
 - name: host
 title: Host
 group: 2
 description: "A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes."
 type: group
 fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: "Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider."
- example: CONTOSO
- default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: "Hostname of the host. It normally contains what the `hostname` command returns on the host machine."
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: "Unique host ID. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`."
- - name: ip
- level: core
- type: ip
- description: Host IP addresses.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: "Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use."
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: "Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment."
 - name: containerized
 type: boolean
 description: >-
diff --git a/packages/jamf_protect/data_stream/alerts/fields/ecs.yml b/packages/jamf_protect/data_stream/alerts/fields/ecs.yml
index ed4a6adbfaf..9de37950ad1 100644
--- a/packages/jamf_protect/data_stream/alerts/fields/ecs.yml
+++ b/packages/jamf_protect/data_stream/alerts/fields/ecs.yml
@@ -1,235 +1,3 @@
-- external: ecs
- name: container.image.tag
-- external: ecs
- name: container.runtime
-- external: ecs
- name: destination.address
-- external: ecs
- name: destination.as.number
-- external: ecs
- name: destination.as.organization.name
-- external: ecs
- name: destination.domain
-- external: ecs
- name: destination.geo.city_name
-- external: ecs
- name: destination.geo.continent_name
-- external: ecs
- name: destination.geo.country_iso_code
-- external: ecs
- name: destination.geo.country_name
-- external: ecs
- name: destination.geo.location
-- external: ecs
- name: destination.ip
-- external: ecs
- name: destination.port
-- external: ecs
- name: ecs.version
-- external: ecs
- name: error.message
-- external: ecs
- name: event.action
-- external: ecs
- name: event.category
-- external: ecs
- name: event.code
-- external: ecs
- name: event.created
-- external: ecs
- name: event.duration
-- external: ecs
- name: event.end
-- external: ecs
- name: event.id
-- external: ecs
- name: event.ingested
-- external: ecs
- name: event.kind
-- external: ecs
- name: event.original
-- external: ecs
- name: event.outcome
-- external: ecs
- name: event.provider
-- external: ecs
- name: event.severity
-- external: ecs
- name: event.start
-- external: ecs
- name: event.timezone
-- external: ecs
- name: event.type
-- external: ecs
- name: file.code_signature.signing_id
-- external: ecs
- name: file.code_signature.status
-- external: ecs
- name: file.code_signature.team_id
-- external: ecs
- name: file.extension
-- external: ecs
- name: file.gid
-- external: ecs
- name: file.hash.md5
-- external: ecs
- name: file.hash.sha1
-- external: ecs
- name: file.hash.sha256
-- external: ecs
- name: file.hash.sha512
-- external: ecs
- name: file.inode
-- external: ecs
- name: file.mode
-- external: ecs
- name: file.name
-- external: ecs
- name: file.path
-- external: ecs
- name: file.size
-- external: ecs
- name: file.uid
-- external: ecs
- name: group.id
-- external: ecs
- name: group.name
-- external: ecs
- name: log.file.path
-- external: ecs
- name: log.logger
-- external: ecs
- name: message
-- external: ecs
- name: network.direction
-- external: ecs
- name: network.transport
-- external: ecs
- name: observer.name
-- external: ecs
- name: observer.product
-- external: ecs
- name: observer.type
-- external: ecs
- name: observer.vendor
-- external: ecs
- name: process.args
-- external: ecs
- name: process.args_count
-- external: ecs
- name: process.code_signature.signing_id
-- external: ecs
- name: process.code_signature.status
-- external: ecs
- name: process.code_signature.team_id
-- external: ecs
- name: process.command_line
-- external: ecs
- name: process.entity_id
-- external: ecs
- name: process.executable
-- external: ecs
- name: process.exit_code
-- external: ecs
- name: process.group_leader.executable
-- external: ecs
- name: process.group_leader.group.id
-- external: ecs
- name: process.group_leader.name
-- external: ecs
- name: process.group_leader.pid
-- external: ecs
- name: process.group_leader.real_group.id
-- external: ecs
- name: process.group_leader.real_user.id
-- external: ecs
- name: process.group_leader.start
-- external: ecs
- name: process.group_leader.user.id
-- external: ecs
- name: process.hash.md5
-- external: ecs
- name: process.hash.sha1
-- external: ecs
- name: process.hash.sha256
-- external: ecs
- name: process.name
-- external: ecs
- name: process.parent.code_signature.signing_id
-- external: ecs
- name: process.parent.code_signature.status
-- external: ecs
- name: process.parent.code_signature.team_id
-- external: ecs
- name: process.parent.entity_id
-- external: ecs
- name: process.parent.executable
-- external: ecs
- name: process.parent.name
-- external: ecs
- name: process.parent.pid
-- external: ecs
- name: process.parent.real_group.id
-- external: ecs
- name: process.parent.real_user.id
-- external: ecs
- name: process.parent.start
-- external: ecs
- name: process.parent.user.id
-- external: ecs
- name: process.pid
-- external: ecs
- name: process.real_group.id
-- external: ecs
- name: process.real_user.id
-- external: ecs
- name: process.start
-- external: ecs
- name: process.user.id
-- external: ecs
- name: related.hash
-- external: ecs
- name: related.hosts
-- external: ecs
- name: related.ip
-- external: ecs
- name: related.user
-- external: ecs
- name: rule.description
-- external: ecs
- name: rule.name
-- external: ecs
- name: source.ip
-- external: ecs
- name: source.port
-- external: ecs
- name: tags
-- external: ecs
- name: threat.enrichments
-- external: ecs
- name: threat.framework
-- external: ecs
- name: threat.software.platforms
-- external: ecs
- name: threat.tactic.id
-- external: ecs
- name: threat.tactic.name
-- external: ecs
- name: threat.tactic.reference
-- external: ecs
- name: threat.technique.id
-- external: ecs
- name: threat.technique.name
-- external: ecs
- name: threat.technique.reference
-- external: ecs
- name: user.domain
-- external: ecs
- name: user.email
-- external: ecs
- name: user.id
-- external: ecs
- name: user.name
 - name: volume.file_system_type
 type: keyword
 - name: volume.bus_type
diff --git a/packages/jamf_protect/data_stream/telemetry/fields/agent.yml b/packages/jamf_protect/data_stream/telemetry/fields/agent.yml
index 2919f7a30c6..35ae17d33b3 100644
--- a/packages/jamf_protect/data_stream/telemetry/fields/agent.yml
+++ b/packages/jamf_protect/data_stream/telemetry/fields/agent.yml
@@ -5,162 +5,15 @@
 footnote: "Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on."
 type: group
 fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: "The cloud account or organization ID used to identify different entities in a multi-tenant environment. Examples: AWS account ID, Google Cloud ORG ID, or other unique identifier."
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
 - name: image.id
 type: keyword
 description: Image ID for the cloud instance.
-- name: container
- title: Container
- group: 2
- description: "Container fields are used for meta information about the specific container that is the source of information. These fields help correlate data based containers from any runtime."
- type: group
- fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container ID.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
 - name: host
 title: Host
 group: 2
 description: "A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes."
 type: group
 fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: "Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider."
- example: CONTOSO
- default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: "Hostname of the host. It normally contains what the `hostname` command returns on the host machine."
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: "Unique host ID. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`."
- - name: ip
- level: core
- type: ip
- description: Host IP addresses.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: "Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use."
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: "Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment."
 - name: containerized
 type: boolean
 description: >-
diff --git a/packages/jamf_protect/data_stream/telemetry/fields/ecs.yml b/packages/jamf_protect/data_stream/telemetry/fields/ecs.yml
index b1a023ec96c..d1fb054c432 100644
--- a/packages/jamf_protect/data_stream/telemetry/fields/ecs.yml
+++ b/packages/jamf_protect/data_stream/telemetry/fields/ecs.yml
@@ -1,259 +1,3 @@ -- external: ecs - name: observer.version -- external: ecs - name: device.id -- external: ecs - name: device.manufacturer -- external: ecs - name: process.env_vars -- external: ecs - name: process.interactive -- external: ecs - name: process.thread.id -- external: ecs - name: event.action -- external: ecs - name: event.created -- external: ecs - name: event.code -- external: ecs - name: event.ingested -- external: ecs - name: event.kind -- external: ecs - name: event.original -- external: ecs - name: event.outcome -- external: ecs - name: event.severity -- external: ecs - name: event.start -- external: ecs - name: event.category -- external: ecs - name: event.id -- external: ecs - name: event.timezone -- external: ecs - name: related.ip -- external: ecs - name: related.user -- external: ecs - name: user.name -- external: ecs - name: user.id -- external: ecs - name: user.effective.id -- external: ecs - name: user.domain -- external: ecs - name: user.email -- external: ecs - name: related.hosts -- external: ecs - name: related.hash -- external: ecs - name: process.args -- external: ecs - name: process.working_directory -- external: ecs - name: process.args_count -- external: ecs - name: process.executable -- external: ecs - name: process.parent.pid -- external: ecs - name: process.group_leader.group.id -- external: ecs - name: process.real_group.id -- external: ecs - name: process.parent.real_group.id -- external: ecs - name: process.group_leader.real_group.id -- external: ecs - name: process.entity_id -- external: ecs - name: process.real_user.id -- external: ecs - name: process.parent.real_user.id -- external: ecs - name: process.group_leader.real_user.id -- external: ecs - name: process.user.id -- external: ecs - name: process.parent.user.id -- external: ecs - name: process.group_leader.user.id -- external: ecs - name: process.group_leader.pid -- external: ecs - name: process.exit_code -- external: ecs - name: process.name -- external: ecs - 
name: process.pid -- external: ecs - name: process.hash.md5 -- external: ecs - name: process.hash.sha1 -- external: ecs - name: process.hash.sha256 -- external: ecs - name: process.code_signature.signing_id -- external: ecs - name: process.code_signature.status -- external: ecs - name: process.code_signature.team_id -- external: ecs - name: file.hash.md5 -- external: ecs - name: file.hash.sha1 -- external: ecs - name: file.hash.sha256 -- external: ecs - name: file.name -- external: ecs - name: file.path -- external: ecs - name: file.gid -- external: ecs - name: file.inode -- external: ecs - name: file.mode -- external: ecs - name: file.size -- external: ecs - name: file.uid -- external: ecs - name: file.code_signature.signing_id -- external: ecs - name: file.code_signature.status -- external: ecs - name: file.code_signature.team_id -- external: ecs - name: destination.address -- external: ecs - name: destination.as.number -- external: ecs - name: destination.as.organization.name -- external: ecs - name: destination.domain -- external: ecs - name: destination.geo.continent_name -- external: ecs - name: destination.geo.country_iso_code -- external: ecs - name: destination.geo.city_name -- external: ecs - name: destination.geo.country_name -- external: ecs - name: destination.geo.location -- external: ecs - name: destination.ip -- external: ecs - name: destination.port -- external: ecs - name: network.direction -- external: ecs - name: network.transport -- external: ecs - name: source.ip -- external: ecs - name: source.port -- external: ecs - name: tags -- external: ecs - name: threat.tactic.id -- external: ecs - name: threat.tactic.reference -- external: ecs - name: threat.tactic.name -- external: ecs - name: threat.technique.id -- external: ecs - name: threat.technique.name -- external: ecs - name: threat.technique.reference -- external: ecs - name: threat.enrichments -- external: ecs - name: threat.software.platforms -- external: ecs - name: 
threat.indicator.file.path -- external: ecs - name: threat.indicator.type -- external: ecs - name: rule.version -- external: ecs - name: container.image.tag -- external: ecs - name: container.runtime -- external: ecs - name: ecs.version -- external: ecs - name: error.message -- external: ecs - name: event.duration -- external: ecs - name: event.end -- external: ecs - name: event.provider -- external: ecs - name: event.type -- external: ecs - name: file.extension -- external: ecs - name: file.hash.sha512 -- external: ecs - name: log.file.path -- external: ecs - name: log.logger -- external: ecs - name: message -- external: ecs - name: observer.name -- external: ecs - name: observer.product -- external: ecs - name: observer.type -- external: ecs - name: observer.vendor -- external: ecs - name: process.command_line -- external: ecs - name: process.parent.name -- external: ecs - name: process.parent.executable -- external: ecs - name: process.parent.entity_id -- external: ecs - name: process.parent.start -- external: ecs - name: process.parent.code_signature.signing_id -- external: ecs - name: process.parent.code_signature.status -- external: ecs - name: process.parent.code_signature.team_id -- external: ecs - name: process.group_leader.name -- external: ecs - name: process.group_leader.executable -- external: ecs - name: process.group_leader.start -- external: ecs - name: process.group_leader.entity_id -- external: ecs - name: process.start -- external: ecs - name: rule.description -- external: ecs - name: rule.name -- external: ecs - name: threat.framework -- external: ecs - name: group.id -- external: ecs - name: group.name - name: volume.device_name type: keyword - name: volume.mount_name diff --git a/packages/jamf_protect/data_stream/telemetry_legacy/fields/agent.yml b/packages/jamf_protect/data_stream/telemetry_legacy/fields/agent.yml index 2919f7a30c6..35ae17d33b3 100644 --- a/packages/jamf_protect/data_stream/telemetry_legacy/fields/agent.yml 
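Review bot: With every `external: ecs` declaration dropped from this hunk, the index-time types of fields such as `destination.ip`, `destination.geo.location`, `process.hash.sha256` and `event.ingested` now depend entirely on whatever injects ECS mappings at package install time (presumably the `ecs@mappings` component template), and nothing in this chunk pins that; the package manifest and its stack version constraint are outside this view. If that constraint is not raised to a release that attaches `ecs@mappings` to integration index templates, these fields fall back to dynamic mapping, and ip-range, geo and date queries in detection rules silently stop matching or fail at query time. The same concern applies to the web_threat_events `fields/ecs.yml` hunks, the deleted telemetry_legacy and web_traffic_events `fields/ecs.yml` files, and the cloud/container/host removals in the four `agent.yml` hunks. A system or pipeline test that asserts the resolved mapping type of `destination.ip` and `destination.geo.location` would make this regression visible before install.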
+++ b/packages/jamf_protect/data_stream/telemetry_legacy/fields/agent.yml 
@@ -5,162 +5,15 @@
 footnote: "Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on."
 type: group
 fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: "The cloud account or organization ID used to identify different entities in a multi-tenant environment. Examples: AWS account ID, Google Cloud ORG ID, or other unique identifier."
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
 - name: image.id
 type: keyword
 description: Image ID for the cloud instance.
-- name: container
- title: Container
- group: 2
- description: "Container fields are used for meta information about the specific container that is the source of information.
These fields help correlate data based containers from any runtime."
- type: group
- fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container ID.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
 - name: host
 title: Host
 group: 2
 description: "A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes."
 type: group
 fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: "Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider."
- example: CONTOSO
- default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: "Hostname of the host. It normally contains what the `hostname` command returns on the host machine."
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: "Unique host ID. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`."
- - name: ip
- level: core
- type: ip
- description: Host IP addresses.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: "Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use."
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: "Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment."
 - name: containerized
 type: boolean
 description: >-
diff --git a/packages/jamf_protect/data_stream/telemetry_legacy/fields/ecs.yml b/packages/jamf_protect/data_stream/telemetry_legacy/fields/ecs.yml
deleted file mode 100644
index 6804143d1fe..00000000000
--- a/packages/jamf_protect/data_stream/telemetry_legacy/fields/ecs.yml
+++ /dev/null
@@ -1,84 +0,0 @@
-- external: ecs
- name: ecs.version
-- external: ecs
- name: error.code
-- external: ecs
- name: event.action
-- external: ecs
- name: event.category
-- external: ecs
- name: event.code
-- external: ecs
- name: event.created
-- external: ecs
- name: event.kind
-- external: ecs
- name: event.outcome
-- external: ecs
- name: event.type
-- external: ecs
- name: file.hash.sha1
-- external: ecs
- name: file.path
-- external: ecs
- name: host.os.type
-- external: ecs
- name: process.args
-- external: ecs
- name: process.exit_code
-- external: ecs
- name: process.name
-- external: ecs
- name: process.pid
-- external: ecs
- name: process.parent.pid
-- external: ecs
- name: process.hash.sha1
-- external: ecs
- name: process.hash.sha256
-- external: ecs
- name: process.real_group.id
-- external: ecs
- name: process.real_group.name
-- external: ecs
- name: process.real_user.id
-- external: ecs
- name: process.real_user.name
-- external: ecs
- name: process.user.id
-- external: ecs
- name: process.user.name
-- external: ecs
- name: related.hash
-- external: ecs
- name: related.hosts
-- external: ecs
- name: related.ip
-- external: ecs
- name: server.ip
-- external: ecs
- name: server.port
-- external: ecs
- name: related.user
-- external: ecs
- name: tags
-- external: ecs
- name: user.effective.id
-- external: ecs
- name: user.effective.name
-- external: ecs
- name: user.email
-- external: ecs
- name: user.group.id
-- external: ecs
- name: user.group.name
-- external: ecs
- name: user.id
-- external: ecs
- name: user.name
-- external: ecs
- name: process.code_signature.signing_id
-- external: ecs
- name: process.code_signature.status
-- external: ecs
- name: process.code_signature.team_id
diff --git a/packages/jamf_protect/data_stream/web_threat_events/fields/agent.yml b/packages/jamf_protect/data_stream/web_threat_events/fields/agent.yml
index 2919f7a30c6..35ae17d33b3 100644
--- a/packages/jamf_protect/data_stream/web_threat_events/fields/agent.yml
+++ b/packages/jamf_protect/data_stream/web_threat_events/fields/agent.yml 
@@ -5,162 +5,15 @@
 footnote: "Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on."
 type: group
 fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: "The cloud account or organization ID used to identify different entities in a multi-tenant environment. Examples: AWS account ID, Google Cloud ORG ID, or other unique identifier."
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
 - name: image.id
 type: keyword
 description: Image ID for the cloud instance.
-- name: container
- title: Container
- group: 2
- description: "Container fields are used for meta information about the specific container that is the source of information.
These fields help correlate data based containers from any runtime."
- type: group
- fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container ID.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
 - name: host
 title: Host
 group: 2
 description: "A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes."
 type: group
 fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: "Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider."
- example: CONTOSO
- default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: "Hostname of the host. It normally contains what the `hostname` command returns on the host machine."
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: "Unique host ID. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`."
- - name: ip
- level: core
- type: ip
- description: Host IP addresses.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: "Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use."
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: "Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment."
 - name: containerized
 type: boolean
 description: >-
diff --git a/packages/jamf_protect/data_stream/web_threat_events/fields/ecs.yml b/packages/jamf_protect/data_stream/web_threat_events/fields/ecs.yml
index 3e6112bc0e0..9de37950ad1 100644
--- a/packages/jamf_protect/data_stream/web_threat_events/fields/ecs.yml
+++ b/packages/jamf_protect/data_stream/web_threat_events/fields/ecs.yml
@@ -1,215 +1,3 @@ -- external: ecs - name: container.image.tag -- external: ecs - name: container.runtime -- external: ecs - name: destination.address -- external: ecs - name: destination.as.number -- external: ecs - name: destination.as.organization.name -- external: ecs - name: destination.domain -- external: ecs - name: destination.geo.city_name -- external: ecs - name: destination.geo.continent_name -- external: ecs - name: destination.geo.country_iso_code -- external: ecs - name: destination.geo.country_name -- external: ecs - name: destination.geo.location -- external: ecs - name: destination.ip -- external: ecs - name: destination.port -- external: ecs - name: ecs.version -- external: ecs - name: error.message -- external: ecs - name: event.action -- external: ecs - name: event.category -- external: ecs - name: event.code -- external: ecs - name: event.created -- external: ecs - name: event.duration -- external: ecs - name: event.end -- external: ecs - name: event.id -- external: ecs - name: event.ingested -- external: ecs - name: event.kind -- external: ecs - name: event.original -- external: ecs - name: event.outcome -- external: ecs - name: event.provider -- external: ecs - name: event.severity -- external: ecs - name: event.start -- external: ecs - name: event.timezone -- external: ecs - name: event.type -- external: ecs - name: file.code_signature.signing_id -- external: ecs - name: file.code_signature.status -- external: ecs - name: file.code_signature.team_id -- external: ecs - name: file.extension -- external: ecs - name: file.gid -- external: ecs - name: file.hash.md5 -- external: ecs - name: file.hash.sha1 -- external: ecs - name: file.hash.sha256 -- external: ecs - name: file.hash.sha512 -- external: ecs - name: file.inode -- external: ecs - name: file.mode -- external: ecs - name: file.name -- external: ecs - name: file.path -- external: ecs - name: file.size -- external: ecs - name: file.uid -- external: ecs - name: group.id -- external: ecs - 
name: group.name -- external: ecs - name: host.geo.country_iso_code -- external: ecs - name: log.file.path -- external: ecs - name: log.logger -- external: ecs - name: message -- external: ecs - name: network.direction -- external: ecs - name: network.transport -- external: ecs - name: observer.name -- external: ecs - name: observer.product -- external: ecs - name: observer.type -- external: ecs - name: observer.vendor -- external: ecs - name: process.args -- external: ecs - name: process.args_count -- external: ecs - name: process.code_signature.signing_id -- external: ecs - name: process.code_signature.status -- external: ecs - name: process.code_signature.team_id -- external: ecs - name: process.command_line -- external: ecs - name: process.executable -- external: ecs - name: process.exit_code -- external: ecs - name: process.group_leader.pid -- external: ecs - name: process.hash.md5 -- external: ecs - name: process.hash.sha1 -- external: ecs - name: process.hash.sha256 -- external: ecs - name: process.name -- external: ecs - name: process.parent.pid -- external: ecs - name: process.parent.start -- external: ecs - name: process.pid -- external: ecs - name: process.real_group.id -- external: ecs - name: process.real_user.id -- external: ecs - name: process.start -- external: ecs - name: process.tty.char_device.major -- external: ecs - name: process.tty.char_device.minor -- external: ecs - name: process.tty.columns -- external: ecs - name: process.tty.rows -- external: ecs - name: process.user.id -- external: ecs - name: related.hash -- external: ecs - name: related.hosts -- external: ecs - name: related.ip -- external: ecs - name: related.user -- external: ecs - name: rule.description -- external: ecs - name: rule.id -- external: ecs - name: rule.name -- external: ecs - name: source.domain -- external: ecs - name: source.ip -- external: ecs - name: source.port -- external: ecs - name: tags -- external: ecs - name: threat.enrichments -- external: ecs - name: 
threat.framework -- external: ecs - name: threat.software.platforms -- external: ecs - name: threat.tactic.id -- external: ecs - name: threat.tactic.name -- external: ecs - name: threat.tactic.reference -- external: ecs - name: threat.technique.id -- external: ecs - name: threat.technique.name -- external: ecs - name: threat.technique.reference -- external: ecs - name: user.domain -- external: ecs - name: user.email -- external: ecs - name: user.id -- external: ecs - name: user.name - name: volume.file_system_type type: keyword - name: volume.bus_type @@ -232,5 +20,3 @@ type: keyword - name: volume.writable type: boolean -- name: organization.id - type: keyword diff --git a/packages/jamf_protect/data_stream/web_traffic_events/fields/agent.yml b/packages/jamf_protect/data_stream/web_traffic_events/fields/agent.yml index 2919f7a30c6..35ae17d33b3 100644 --- a/packages/jamf_protect/data_stream/web_traffic_events/fields/agent.yml +++ b/packages/jamf_protect/data_stream/web_traffic_events/fields/agent.yml 
@@ -5,162 +5,15 @@
 footnote: "Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on."
 type: group
 fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: "The cloud account or organization ID used to identify different entities in a multi-tenant environment. Examples: AWS account ID, Google Cloud ORG ID, or other unique identifier."
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
 - name: image.id
 type: keyword
 description: Image ID for the cloud instance.
-- name: container
- title: Container
- group: 2
- description: "Container fields are used for meta information about the specific container that is the source of information.
These fields help correlate data based containers from any runtime."
- type: group
- fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container ID.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
 - name: host
 title: Host
 group: 2
 description: "A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes."
 type: group
 fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: "Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider."
- example: CONTOSO
- default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: "Hostname of the host. It normally contains what the `hostname` command returns on the host machine."
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: "Unique host ID. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`."
- - name: ip
- level: core
- type: ip
- description: Host IP addresses.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: "Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use."
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: "Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment."
 - name: containerized
 type: boolean
 description: >-
diff --git a/packages/jamf_protect/data_stream/web_traffic_events/fields/ecs.yml b/packages/jamf_protect/data_stream/web_traffic_events/fields/ecs.yml
deleted file mode 100644
index 1ff3858a73a..00000000000
--- a/packages/jamf_protect/data_stream/web_traffic_events/fields/ecs.yml
+++ /dev/null
@@ -1,166 +0,0 @@
-- external: ecs
- name: destination.address
-- external: ecs
- name: destination.as.number
-- external: ecs
- name: destination.as.organization.name
-- external: ecs
- name: destination.domain
-- external: ecs
- name: destination.geo.city_name
-- external: ecs
- name: destination.geo.continent_name
-- external: ecs
- name: destination.geo.country_iso_code
-- external: ecs
- name: destination.geo.country_name
-- external: ecs
- name: destination.geo.location
-- external: ecs
- name: destination.ip
-- external: ecs
- name: destination.port
-- external: ecs
- name: dns.answers.ttl
-- external: ecs
- name: dns.answers.type
-- external: ecs
- name: dns.question.name
-- external: ecs
- name: dns.question.registered_domain
-- external: ecs
- name: dns.question.top_level_domain
-- external: ecs
- name: dns.response_code
-- external: ecs
- name: ecs.version
-- external: ecs
- name: error.message
-- external: ecs
- name: event.action
-- external: ecs
- name: event.category
-- external: ecs
- name: event.code
-- external: ecs
- name: event.created
-- external: ecs
- name: event.duration
-- external: ecs
- name: event.end
-- external: ecs
- name: event.id
-- external: ecs
- name: event.ingested
-- external: ecs
- name: event.kind
-- external: ecs
- name: event.original
-- external: ecs
- name: event.outcome
-- external: ecs
- name: event.provider
-- external: ecs
- name: event.severity
-- external: ecs
- name: event.start
-- external: ecs
- name: event.timezone
-- external: ecs
- name: event.type
-- external: ecs
- name: file.code_signature.signing_id
-- external: ecs
- name: file.code_signature.status
-- external: ecs
- name: file.code_signature.team_id
-- external: ecs
- name: file.extension
-- external: ecs
- name: file.gid
-- external: ecs
- name: file.hash.md5
-- external: ecs
- name: file.hash.sha1
-- external: ecs
- name: file.hash.sha256
-- external: ecs
- name: file.hash.sha512
-- external: ecs
- name: file.inode
-- external: ecs
- name: file.mode
-- external: ecs
- name: file.name
-- external: ecs
- name: file.path
-- external: ecs
- name: file.size
-- external: ecs
- name: file.uid
-- external: ecs
- name: group.id
-- external: ecs
- name: group.name
-- external: ecs
- name: host.geo.country_iso_code
-- external: ecs
- name: log.file.path
-- external: ecs
- name: log.logger
-- external: ecs
- name: message
-- external: ecs
- name: network.direction
-- external: ecs
- name: network.transport
-- external: ecs
- name: observer.name
-- external: ecs
- name: observer.product
-- external: ecs
- name: observer.type
-- external: ecs
- name: observer.vendor
-- external: ecs
- name: process.command_line
-- external: ecs
- name: process.parent.pid
-- external: ecs
- name: process.parent.start
-- external: ecs
- name: process.pid
-- external: ecs
- name: process.start
-- external: ecs
- name: related.hash
-- external: ecs
- name: related.hosts
-- external: ecs
- name: related.ip
-- external: ecs
- name: related.user
-- external: ecs
- name: rule.description
-- external: ecs
- name: rule.id
-- external: ecs
- name: rule.name
-- external: ecs
- name: source.domain
-- external: ecs
- name: source.ip
-- external: ecs
- name: source.port
-- external: ecs
- name: tags
-- external: ecs
- name: user.domain
-- external: ecs
- name: user.email
-- external: ecs
- name: user.id
-- external: ecs
- name: user.name
-- name: organization.id
- type: keyword
diff --git a/packages/jamf_protect/docs/README.md b/packages/jamf_protect/docs/README.md
index a05b9804c29..f30f702bdd0 100644
--- a/packages/jamf_protect/docs/README.md
+++ b/packages/jamf_protect/docs/README.md
@@ -249,171 +249,18 @@ An example event for `alerts` looks as following:
| Field | Description | Type |
|---|---|---|
| @timestamp | Event timestamp. | date |
-| cloud.account.id | The cloud account or organization ID used to identify different entities in a multi-tenant environment. Examples: AWS account ID, Google Cloud ORG ID, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container ID. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.image.tag | Container image tags. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| container.runtime | Runtime managing this container. | keyword |
| data_stream.dataset | Data stream dataset. | constant_keyword |
| data_stream.namespace | Data stream namespace. | constant_keyword |
| data_stream.type | Data stream type. | constant_keyword |
-| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| destination.as.number | Unique number allocated to the autonomous system.
The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| destination.as.organization.name | Organization name. | keyword |
-| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text |
-| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
-| destination.geo.city_name | City name. | keyword |
-| destination.geo.continent_name | Name of the continent. | keyword |
-| destination.geo.country_iso_code | Country ISO code. | keyword |
-| destination.geo.country_name | Country name. | keyword |
-| destination.geo.location | Longitude and latitude. | geo_point |
-| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
-| destination.port | Port of the destination. | long |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| error.message | Error message. | match_only_text |
-| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array.
This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword |
-| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date |
| event.dataset | Name of the dataset. | constant_keyword |
-| event.duration | Duration of the event in nanoseconds. If `event.start` and `event.end` are known this value should be the difference between the end and start time. | long |
-| event.end | `event.end` contains the date when the event ended or when the activity was last observed. | date |
-| event.id | Unique ID to describe the event. | keyword |
-| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy.
`event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword |
| event.module | Event module. | constant_keyword |
-| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
-| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword |
-| event.provider | Source of the event.
Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). | keyword |
-| event.severity | The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. | long |
-| event.start | `event.start` contains the date when the event started or when the activity was first observed. | date |
-| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| file.code_signature.signing_id | The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple \*OS only.
| keyword |
-| file.code_signature.status | Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. | keyword |
-| file.code_signature.team_id | The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple \*OS only. | keyword |
-| file.extension | File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword |
-| file.gid | Primary group ID (GID) of the file. | keyword |
-| file.hash.md5 | MD5 hash. | keyword |
-| file.hash.sha1 | SHA1 hash. | keyword |
-| file.hash.sha256 | SHA256 hash. | keyword |
-| file.hash.sha512 | SHA512 hash. | keyword |
-| file.inode | Inode representing the file in the filesystem. | keyword |
-| file.mode | Mode of the file in octal representation. | keyword |
-| file.name | Name of the file including the extension, without the directory. | keyword |
-| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword |
-| file.path.text | Multi-field of `file.path`. | match_only_text |
-| file.size | File size in bytes. Only relevant when `file.type` is "file". | long |
-| file.uid | The user ID (UID) or security identifier (SID) of the file owner. | keyword |
-| group.id | Unique identifier for the group on the system/platform. | keyword |
-| group.name | Name of the group. | keyword |
-| host.architecture | Operating system architecture. | keyword |
| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name.
For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host ID. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host IP addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
| host.os.build | OS build information. | keyword |
| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
| input.type | Input type | keyword |
| jamf_protect.alerts.timestamp_nanoseconds | The timestamp in Epoch nanoseconds. | date |
-| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword |
-| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name.
| keyword |
| log.offset | Log offset | long |
-| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text |
-| network.direction | Direction of the network traffic. When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword |
-| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
-| observer.name | Custom name of the observer. This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. If no custom name is needed, the field can be left empty. | keyword |
-| observer.product | The product name of the observer. | keyword |
-| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword |
-| observer.vendor | Vendor name of the observer.
| keyword |
-| process.args | Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information. | keyword |
-| process.args_count | Length of the process.args array. This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. | long |
-| process.code_signature.signing_id | The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple \*OS only. | keyword |
-| process.code_signature.status | Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. | keyword |
-| process.code_signature.team_id | The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple \*OS only. | keyword |
-| process.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard |
-| process.command_line.text | Multi-field of `process.command_line`. | match_only_text |
-| process.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword |
-| process.executable | Absolute path to the process executable.
| keyword |
-| process.executable.text | Multi-field of `process.executable`. | match_only_text |
-| process.exit_code | The exit code of the process, if this is a termination event. The field should be absent if there is no exit code for the event (e.g. process start). | long |
-| process.group_leader.executable | Absolute path to the process executable. | keyword |
-| process.group_leader.executable.text | Multi-field of `process.group_leader.executable`. | match_only_text |
-| process.group_leader.group.id | Unique identifier for the group on the system/platform. | keyword |
-| process.group_leader.name | Process name. Sometimes called program name or similar. | keyword |
-| process.group_leader.name.text | Multi-field of `process.group_leader.name`. | match_only_text |
-| process.group_leader.pid | Process id. | long |
-| process.group_leader.real_group.id | Unique identifier for the group on the system/platform. | keyword |
-| process.group_leader.real_user.id | Unique identifier of the user. | keyword |
-| process.group_leader.start | The time the process started. | date |
-| process.group_leader.user.id | Unique identifier of the user. | keyword |
-| process.hash.md5 | MD5 hash. | keyword |
-| process.hash.sha1 | SHA1 hash. | keyword |
-| process.hash.sha256 | SHA256 hash. | keyword |
-| process.name | Process name. Sometimes called program name or similar. | keyword |
-| process.name.text | Multi-field of `process.name`. | match_only_text |
-| process.parent.code_signature.signing_id | The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple \*OS only. | keyword |
-| process.parent.code_signature.status | Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.
| keyword |
-| process.parent.code_signature.team_id | The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple \*OS only. | keyword |
-| process.parent.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword |
-| process.parent.executable | Absolute path to the process executable. | keyword |
-| process.parent.executable.text | Multi-field of `process.parent.executable`. | match_only_text |
-| process.parent.name | Process name. Sometimes called program name or similar. | keyword |
-| process.parent.name.text | Multi-field of `process.parent.name`. | match_only_text |
-| process.parent.pid | Process id. | long |
-| process.parent.real_group.id | Unique identifier for the group on the system/platform. | keyword |
-| process.parent.real_user.id | Unique identifier of the user. | keyword |
-| process.parent.start | The time the process started. | date |
-| process.parent.user.id | Unique identifier of the user. | keyword |
-| process.pid | Process id. | long |
-| process.real_group.id | Unique identifier for the group on the system/platform. | keyword |
-| process.real_user.id | Unique identifier of the user. | keyword |
-| process.start | The time the process started. | date |
-| process.user.id | Unique identifier of the user. | keyword |
-| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search).
| keyword |
-| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| related.user | All the user names or other user identifiers seen on the event. | keyword |
-| rule.description | The description of the rule generating the event. | keyword |
-| rule.name | The name of the rule or signature generating the event. | keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.port | Port of the source. | long |
-| tags | List of keywords used to tag each event. | keyword |
-| threat.enrichments | A list of associated indicators objects enriching the event, and the context of that association/enrichment. | nested |
-| threat.framework | Name of the threat framework used to further categorize and classify the tactic and technique of the reported threat. Framework classification can be provided by detecting systems, evaluated at ingest time, or retrospectively tagged to events. | keyword |
-| threat.software.platforms | The platforms of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use MITRE ATT&CK® software platform values. | keyword |
-| threat.tactic.id | The id of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ ) | keyword |
-| threat.tactic.name | Name of the type of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/) | keyword |
-| threat.tactic.reference | The reference url of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ ) | keyword |
-| threat.technique.id | The id of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex.
https://attack.mitre.org/techniques/T1059/) | keyword |
-| threat.technique.name | The name of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) | keyword |
-| threat.technique.name.text | Multi-field of `threat.technique.name`. | match_only_text |
-| threat.technique.reference | The reference url of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) | keyword |
-| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
-| user.email | User email address. | keyword |
-| user.id | Unique identifier of the user. | keyword |
-| user.name | Short name or login of the user. | keyword |
-| user.name.text | Multi-field of `user.name`. | match_only_text |
| volume.bus_type | | keyword |
| volume.file_system_type | | keyword |
| volume.nt_name | | keyword |
@@ -597,93 +444,15 @@ An example event for `telemetry` looks as following: | Field | Description | Type | |---|---|---| | @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization ID used to identify different entities in a multi-tenant environment. Examples: AWS account ID, Google Cloud ORG ID, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | | cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container ID. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.image.tag | Container image tags. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| container.runtime | Runtime managing this container. | keyword | | data_stream.dataset | Data stream dataset. | constant_keyword | | data_stream.namespace | Data stream namespace. | constant_keyword | | data_stream.type | Data stream type. | constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.as.number | Unique number allocated to the autonomous system. 
The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| destination.as.organization.name | Organization name. | keyword | -| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | -| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| destination.geo.city_name | City name. | keyword | -| destination.geo.continent_name | Name of the continent. | keyword | -| destination.geo.country_iso_code | Country ISO code. | keyword | -| destination.geo.country_name | Country name. | keyword | -| destination.geo.location | Longitude and latitude. | geo_point | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| device.id | The unique identifier of a device. The identifier must not change across application sessions but stay fixed for an instance of a (mobile) device. On iOS, this value must be equal to the vendor identifier (https://developer.apple.com/documentation/uikit/uidevice/1620059-identifierforvendor). On Android, this value must be equal to the Firebase Installation ID or a globally unique UUID which is persisted across sessions in your application. For GDPR and data protection law reasons this identifier should not carry information that would allow to identify a user. | keyword | -| device.manufacturer | The vendor name of the device manufacturer. | keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.message | Error message. 
| match_only_text | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword | -| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date | | event.dataset | Name of the dataset. | constant_keyword | -| event.duration | Duration of the event in nanoseconds. If `event.start` and `event.end` are known this value should be the difference between the end and start time. 
| long | -| event.end | `event.end` contains the date when the event ended or when the activity was last observed. | date | -| event.id | Unique ID to describe the event. | keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword | | event.module | Event module. | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. 
Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| event.provider | Source of the event. Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). | keyword | -| event.severity | The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. | long | -| event.start | `event.start` contains the date when the event started or when the activity was first observed. | date | -| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). 
| keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| file.code_signature.signing_id | The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple \*OS only. | keyword | -| file.code_signature.status | Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. | keyword | -| file.code_signature.team_id | The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple \*OS only. | keyword | -| file.extension | File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | -| file.gid | Primary group ID (GID) of the file. | keyword | -| file.hash.md5 | MD5 hash. | keyword | -| file.hash.sha1 | SHA1 hash. | keyword | -| file.hash.sha256 | SHA256 hash. | keyword | -| file.hash.sha512 | SHA512 hash. | keyword | -| file.inode | Inode representing the file in the filesystem. | keyword | -| file.mode | Mode of the file in octal representation. | keyword | -| file.name | Name of the file including the extension, without the directory. | keyword | -| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword | -| file.path.text | Multi-field of `file.path`. 
| match_only_text | -| file.size | File size in bytes. Only relevant when `file.type` is "file". | long | -| file.uid | The user ID (UID) or security identifier (SID) of the file owner. | keyword | -| group.id | Unique identifier for the group on the system/platform. | keyword | -| group.name | Name of the group. | keyword | -| host.architecture | Operating system architecture. | keyword | | host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host ID. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host IP addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | host.os.build | OS build information. | keyword | | host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. 
If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | input.type | Input type | keyword | | jamf_protect.telemetry.account_type | Defines if it's a user or group | keyword | | jamf_protect.telemetry.attribute_name | The name of the attribute that got set | keyword | 
@@ -771,96 +540,7 @@ An example event for `telemetry` looks as following: | jamf_protect.telemetry.system_performance.timer_wakeups.wakeups | Number of wakeups | long | | jamf_protect.telemetry.to_username | Username to which an action is directed | keyword | | jamf_protect.telemetry.tty | Software terminal device file that the process is associated with | keyword | -| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | -| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword | | log.offset | Log offset | long | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| network.direction | Direction of the network traffic. When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. 
| keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| observer.name | Custom name of the observer. This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. If no custom name is needed, the field can be left empty. | keyword | -| observer.product | The product name of the observer. | keyword | -| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword | -| observer.vendor | Vendor name of the observer. | keyword | -| observer.version | Observer version. | keyword | -| process.args | Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information. | keyword | -| process.args_count | Length of the process.args array. This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. | long | -| process.code_signature.signing_id | The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple \*OS only. | keyword | -| process.code_signature.status | Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. | keyword | -| process.code_signature.team_id | The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple \*OS only. 
| keyword | -| process.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard | -| process.command_line.text | Multi-field of `process.command_line`. | match_only_text | -| process.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword | -| process.env_vars | Array of environment variable bindings. Captured from a snapshot of the environment at the time of execution. May be filtered to protect sensitive information. | keyword | -| process.executable | Absolute path to the process executable. | keyword | -| process.executable.text | Multi-field of `process.executable`. | match_only_text | -| process.exit_code | The exit code of the process, if this is a termination event. The field should be absent if there is no exit code for the event (e.g. process start). | long | -| process.group_leader.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword | -| process.group_leader.executable | Absolute path to the process executable. | keyword | -| process.group_leader.executable.text | Multi-field of `process.group_leader.executable`. 
| match_only_text | -| process.group_leader.group.id | Unique identifier for the group on the system/platform. | keyword | -| process.group_leader.name | Process name. Sometimes called program name or similar. | keyword | -| process.group_leader.name.text | Multi-field of `process.group_leader.name`. | match_only_text | -| process.group_leader.pid | Process id. | long | -| process.group_leader.real_group.id | Unique identifier for the group on the system/platform. | keyword | -| process.group_leader.real_user.id | Unique identifier of the user. | keyword | -| process.group_leader.start | The time the process started. | date | -| process.group_leader.user.id | Unique identifier of the user. | keyword | -| process.hash.md5 | MD5 hash. | keyword | -| process.hash.sha1 | SHA1 hash. | keyword | -| process.hash.sha256 | SHA256 hash. | keyword | -| process.interactive | Whether the process is connected to an interactive shell. Process interactivity is inferred from the processes file descriptors. If the character device for the controlling tty is the same as stdin and stderr for the process, the process is considered interactive. Note: A non-interactive process can belong to an interactive session and is simply one that does not have open file descriptors reading the controlling TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A backgrounded process is still considered interactive if stdin and stderr are connected to the controlling TTY. | boolean | -| process.name | Process name. Sometimes called program name or similar. | keyword | -| process.name.text | Multi-field of `process.name`. | match_only_text | -| process.parent.code_signature.signing_id | The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple \*OS only. | keyword | -| process.parent.code_signature.status | Additional information about the certificate status. 
This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. | keyword | -| process.parent.code_signature.team_id | The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple \*OS only. | keyword | -| process.parent.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword | -| process.parent.executable | Absolute path to the process executable. | keyword | -| process.parent.executable.text | Multi-field of `process.parent.executable`. | match_only_text | -| process.parent.name | Process name. Sometimes called program name or similar. | keyword | -| process.parent.name.text | Multi-field of `process.parent.name`. | match_only_text | -| process.parent.pid | Process id. | long | -| process.parent.real_group.id | Unique identifier for the group on the system/platform. | keyword | -| process.parent.real_user.id | Unique identifier of the user. | keyword | -| process.parent.start | The time the process started. | date | -| process.parent.user.id | Unique identifier of the user. | keyword | -| process.pid | Process id. | long | -| process.real_group.id | Unique identifier for the group on the system/platform. | keyword | -| process.real_user.id | Unique identifier of the user. | keyword | -| process.start | The time the process started. | date | -| process.thread.id | Thread ID. | long | -| process.user.id | Unique identifier of the user. 
| keyword | -| process.working_directory | The working directory of the process. | keyword | -| process.working_directory.text | Multi-field of `process.working_directory`. | match_only_text | -| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| rule.description | The description of the rule generating the event. | keyword | -| rule.name | The name of the rule or signature generating the event. | keyword | -| rule.version | The version / revision of the rule being used for analysis. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| tags | List of keywords used to tag each event. | keyword | -| threat.enrichments | A list of associated indicators objects enriching the event, and the context of that association/enrichment. | nested | -| threat.framework | Name of the threat framework used to further categorize and classify the tactic and technique of the reported threat. Framework classification can be provided by detecting systems, evaluated at ingest time, or retrospectively tagged to events. | keyword | -| threat.indicator.file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword | -| threat.indicator.file.path.text | Multi-field of `threat.indicator.file.path`. | match_only_text | -| threat.indicator.type | Type of indicator as represented by Cyber Observable in STIX 2.0. 
| keyword | -| threat.software.platforms | The platforms of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use MITRE ATT&CK® software platform values. | keyword | -| threat.tactic.id | The id of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ ) | keyword | -| threat.tactic.name | Name of the type of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/) | keyword | -| threat.tactic.reference | The reference url of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ ) | keyword | -| threat.technique.id | The id of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) | keyword | -| threat.technique.name | The name of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) | keyword | -| threat.technique.name.text | Multi-field of `threat.technique.name`. | match_only_text | -| threat.technique.reference | The reference url of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) | keyword | -| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | -| user.effective.id | Unique identifier of the user. | keyword | -| user.email | User email address. | keyword | -| user.id | Unique identifier of the user. | keyword | -| user.name | Short name or login of the user. | keyword | -| user.name.text | Multi-field of `user.name`. | match_only_text | | volume.bus_type | | keyword | | volume.device_name | | keyword | | volume.file_system_type | | keyword | 
@@ -979,157 +659,17 @@ An example event for `web_threat_events` looks as following: | Field | Description | Type | |---|---|---| | @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization ID used to identify different entities in a multi-tenant environment. Examples: AWS account ID, Google Cloud ORG ID, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | | cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container ID. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.image.tag | Container image tags. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| container.runtime | Runtime managing this container. | keyword | | data_stream.dataset | Data stream dataset. | constant_keyword | | data_stream.namespace | Data stream namespace. | constant_keyword | | data_stream.type | Data stream type. | constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.as.number | Unique number allocated to the autonomous system. 
The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| destination.as.organization.name | Organization name. | keyword | -| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | -| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| destination.geo.city_name | City name. | keyword | -| destination.geo.continent_name | Name of the continent. | keyword | -| destination.geo.country_iso_code | Country ISO code. | keyword | -| destination.geo.country_name | Country name. | keyword | -| destination.geo.location | Longitude and latitude. | geo_point | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.message | Error message. | match_only_text | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. 
This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword | -| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date | | event.dataset | Name of the dataset. | constant_keyword | -| event.duration | Duration of the event in nanoseconds. If `event.start` and `event.end` are known this value should be the difference between the end and start time. | long | -| event.end | `event.end` contains the date when the event ended or when the activity was last observed. | date | -| event.id | Unique ID to describe the event. | keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. 
`event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword | | event.module | Event module. | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| event.provider | Source of the event. 
Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). | keyword | -| event.severity | The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. | long | -| event.start | `event.start` contains the date when the event started or when the activity was first observed. | date | -| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| file.code_signature.signing_id | The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple \*OS only. 
| keyword | -| file.code_signature.status | Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. | keyword | -| file.code_signature.team_id | The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple \*OS only. | keyword | -| file.extension | File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | -| file.gid | Primary group ID (GID) of the file. | keyword | -| file.hash.md5 | MD5 hash. | keyword | -| file.hash.sha1 | SHA1 hash. | keyword | -| file.hash.sha256 | SHA256 hash. | keyword | -| file.hash.sha512 | SHA512 hash. | keyword | -| file.inode | Inode representing the file in the filesystem. | keyword | -| file.mode | Mode of the file in octal representation. | keyword | -| file.name | Name of the file including the extension, without the directory. | keyword | -| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword | -| file.path.text | Multi-field of `file.path`. | match_only_text | -| file.size | File size in bytes. Only relevant when `file.type` is "file". | long | -| file.uid | The user ID (UID) or security identifier (SID) of the file owner. | keyword | -| group.id | Unique identifier for the group on the system/platform. | keyword | -| group.name | Name of the group. | keyword | -| host.architecture | Operating system architecture. | keyword | | host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. 
For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.geo.country_iso_code | Country ISO code. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host ID. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host IP addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | host.os.build | OS build information. | keyword | | host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | input.type | Input type | keyword | -| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | -| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. 
| keyword | | log.offset | Log offset | long | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| network.direction | Direction of the network traffic. When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| observer.name | Custom name of the observer. This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. If no custom name is needed, the field can be left empty. | keyword | -| observer.product | The product name of the observer. | keyword | -| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword | -| observer.vendor | Vendor name of the observer. 
| keyword | -| organization.id | | keyword | -| process.args | Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information. | keyword | -| process.args_count | Length of the process.args array. This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. | long | -| process.code_signature.signing_id | The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple \*OS only. | keyword | -| process.code_signature.status | Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. | keyword | -| process.code_signature.team_id | The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple \*OS only. | keyword | -| process.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard | -| process.command_line.text | Multi-field of `process.command_line`. | match_only_text | -| process.executable | Absolute path to the process executable. | keyword | -| process.executable.text | Multi-field of `process.executable`. | match_only_text | -| process.exit_code | The exit code of the process, if this is a termination event. The field should be absent if there is no exit code for the event (e.g. process start). | long | -| process.group_leader.pid | Process id. | long | -| process.hash.md5 | MD5 hash. | keyword | -| process.hash.sha1 | SHA1 hash. | keyword | -| process.hash.sha256 | SHA256 hash. 
| keyword | -| process.name | Process name. Sometimes called program name or similar. | keyword | -| process.name.text | Multi-field of `process.name`. | match_only_text | -| process.parent.pid | Process id. | long | -| process.parent.start | The time the process started. | date | -| process.pid | Process id. | long | -| process.real_group.id | Unique identifier for the group on the system/platform. | keyword | -| process.real_user.id | Unique identifier of the user. | keyword | -| process.start | The time the process started. | date | -| process.tty.char_device.major | The major number identifies the driver associated with the device. The character device's major and minor numbers can be algorithmically combined to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". For more details, please refer to the Linux kernel documentation. | long | -| process.tty.char_device.minor | The minor number is used only by the driver specified by the major number; other parts of the kernel don’t use it, and merely pass it along to the driver. It is common for a driver to control several devices; the minor number provides a way for the driver to differentiate among them. | long | -| process.tty.columns | The number of character columns per line. e.g terminal width Terminal sizes can change, so this value reflects the maximum value for a given IO event. i.e. where event.action = 'text_output' | long | -| process.tty.rows | The number of character rows in the terminal. e.g terminal height Terminal sizes can change, so this value reflects the maximum value for a given IO event. i.e. where event.action = 'text_output' | long | -| process.user.id | Unique identifier of the user. | keyword | -| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). 
| keyword | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| rule.description | The description of the rule generating the event. | keyword | -| rule.id | A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. | keyword | -| rule.name | The name of the rule or signature generating the event. | keyword | -| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| tags | List of keywords used to tag each event. | keyword | -| threat.enrichments | A list of associated indicators objects enriching the event, and the context of that association/enrichment. | nested | -| threat.framework | Name of the threat framework used to further categorize and classify the tactic and technique of the reported threat. Framework classification can be provided by detecting systems, evaluated at ingest time, or retrospectively tagged to events. | keyword | -| threat.software.platforms | The platforms of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use MITRE ATT&CK® software platform values. | keyword | -| threat.tactic.id | The id of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ ) | keyword | -| threat.tactic.name | Name of the type of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. 
https://attack.mitre.org/tactics/TA0002/) | keyword | -| threat.tactic.reference | The reference url of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ ) | keyword | -| threat.technique.id | The id of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) | keyword | -| threat.technique.name | The name of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) | keyword | -| threat.technique.name.text | Multi-field of `threat.technique.name`. | match_only_text | -| threat.technique.reference | The reference url of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) | keyword | -| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | -| user.email | User email address. | keyword | -| user.id | Unique identifier of the user. | keyword | -| user.name | Short name or login of the user. | keyword | -| user.name.text | Multi-field of `user.name`. | match_only_text | | volume.bus_type | | keyword | | volume.file_system_type | | keyword | | volume.nt_name | | keyword | 
@@ -1244,128 +784,15 @@ An example event for `web_traffic_events` looks as following: | Field | Description | Type | |---|---|---| | @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization ID used to identify different entities in a multi-tenant environment. Examples: AWS account ID, Google Cloud ORG ID, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | | cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container ID. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | | data_stream.dataset | Data stream dataset. | constant_keyword | | data_stream.namespace | Data stream namespace. | constant_keyword | | data_stream.type | Data stream type. | constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| destination.as.organization.name | Organization name. 
| keyword | -| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | -| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| destination.geo.city_name | City name. | keyword | -| destination.geo.continent_name | Name of the continent. | keyword | -| destination.geo.country_iso_code | Country ISO code. | keyword | -| destination.geo.country_name | Country name. | keyword | -| destination.geo.location | Longitude and latitude. | geo_point | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| dns.answers.ttl | The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. | long | -| dns.answers.type | The type of data contained in this resource record. | keyword | -| dns.question.name | The name being queried. If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. | keyword | -| dns.question.registered_domain | The highest registered domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| dns.question.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. 
For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| dns.response_code | The DNS response code. | keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.message | Error message. | match_only_text | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword | -| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. 
In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date | | event.dataset | Name of the dataset. | constant_keyword | -| event.duration | Duration of the event in nanoseconds. If `event.start` and `event.end` are known this value should be the difference between the end and start time. | long | -| event.end | `event.end` contains the date when the event ended or when the activity was last observed. | date | -| event.id | Unique ID to describe the event. | keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword | | event.module | Event module. | constant_keyword | -| event.original | Raw text message of entire event. 
Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| event.provider | Source of the event. Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). | keyword | -| event.severity | The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. 
`event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. | long | -| event.start | `event.start` contains the date when the event started or when the activity was first observed. | date | -| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| file.code_signature.signing_id | The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple \*OS only. | keyword | -| file.code_signature.status | Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. | keyword | -| file.code_signature.team_id | The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple \*OS only. | keyword | -| file.extension | File extension, excluding the leading dot. 
Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | -| file.gid | Primary group ID (GID) of the file. | keyword | -| file.hash.md5 | MD5 hash. | keyword | -| file.hash.sha1 | SHA1 hash. | keyword | -| file.hash.sha256 | SHA256 hash. | keyword | -| file.hash.sha512 | SHA512 hash. | keyword | -| file.inode | Inode representing the file in the filesystem. | keyword | -| file.mode | Mode of the file in octal representation. | keyword | -| file.name | Name of the file including the extension, without the directory. | keyword | -| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword | -| file.path.text | Multi-field of `file.path`. | match_only_text | -| file.size | File size in bytes. Only relevant when `file.type` is "file". | long | -| file.uid | The user ID (UID) or security identifier (SID) of the file owner. | keyword | -| group.id | Unique identifier for the group on the system/platform. | keyword | -| group.name | Name of the group. | keyword | -| host.architecture | Operating system architecture. | keyword | | host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.geo.country_iso_code | Country ISO code. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host ID. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host IP addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. 
It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | host.os.build | OS build information. | keyword | | host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | input.type | Input type | keyword | -| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | -| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword | | log.offset | Log offset | long | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| network.direction | Direction of the network traffic. When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". 
When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| observer.name | Custom name of the observer. This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. If no custom name is needed, the field can be left empty. | keyword | -| observer.product | The product name of the observer. | keyword | -| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword | -| observer.vendor | Vendor name of the observer. | keyword | -| organization.id | | keyword | -| process.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard | -| process.command_line.text | Multi-field of `process.command_line`. | match_only_text | -| process.parent.pid | Process id. | long | -| process.parent.start | The time the process started. | date | -| process.pid | Process id. | long | -| process.start | The time the process started. | date | -| related.hash | All the hashes seen on your event. 
Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword |
-| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| related.user | All the user names or other user identifiers seen on the event. | keyword |
-| rule.description | The description of the rule generating the event. | keyword |
-| rule.id | A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. | keyword |
-| rule.name | The name of the rule or signature generating the event. | keyword |
-| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.port | Port of the source. | long |
-| tags | List of keywords used to tag each event. | keyword |
-| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
-| user.email | User email address. | keyword |
-| user.id | Unique identifier of the user. | keyword |
-| user.name | Short name or login of the user. | keyword |
-| user.name.text | Multi-field of `user.name`. | match_only_text |
diff --git a/packages/jamf_protect/manifest.yml b/packages/jamf_protect/manifest.yml
index 57199646a62..9c7ad3b9eff 100644
--- a/packages/jamf_protect/manifest.yml
+++ b/packages/jamf_protect/manifest.yml
@@ -1,14 +1,14 @@
format_version: 3.0.3
name: jamf_protect
title: Jamf Protect
-version: "2.0.0"
+version: "2.1.0"
description: Receives events from Jamf Protect with Elastic Agent.
type: integration
categories:
- security
conditions:
kibana:
- version: ^8.12.0
+ version: "^8.13.0"
screenshots:
- src: /img/jamfprotect_kibana.png
title: Jamf Protect Kibana
diff --git a/packages/jumpcloud/changelog.yml b/packages/jumpcloud/changelog.yml
index b203d88a642..9e0f151bbb5 100644
--- a/packages/jumpcloud/changelog.yml
+++ b/packages/jumpcloud/changelog.yml
@@ -1,4 +1,9 @@
# newer versions go on top
+- version: "1.11.0"
+ changes:
+ - description: Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/10135
- version: "1.10.0"
changes:
- description: Set sensitive values as secret.
diff --git a/packages/jumpcloud/data_stream/events/fields/ecs.yml b/packages/jumpcloud/data_stream/events/fields/ecs.yml
deleted file mode 100644
index bf1133de808..00000000000
--- a/packages/jumpcloud/data_stream/events/fields/ecs.yml
+++ /dev/null
@@ -1,122 +0,0 @@
-- external: ecs
- name: client.ip
-- external: ecs
- name: client.as.number
-- external: ecs
- name: client.as.organization.name
-- external: ecs
- name: client.bytes
-- external: ecs
- name: client.domain
-- external: ecs
- name: client.geo.city_name
-- external: ecs
- name: client.geo.continent_name
-- external: ecs
- name: client.geo.country_iso_code
-- external: ecs
- name: client.geo.country_name
-- external: ecs
- name: client.geo.location
-- external: ecs
- name: client.geo.region_iso_code
-- external: ecs
- name: client.geo.region_name
-- external: ecs
- name: ecs.version
-- external: ecs
- name: event.ingested
-- external: ecs
- name: event.original
-- external: ecs
- name: message
-- external: ecs
- name: process.name
-- external: ecs
- name: related.hash
-- external: ecs
- name: related.hosts
-- external: ecs
- name: related.ip
-- external: ecs
- name: related.user
-- external: ecs
- name: rule.category
-- external: ecs
- name: rule.id
-- external: ecs
- name: rule.uuid
-- external: ecs
- name: source.as.number
-- external: ecs
- name: source.as.organization.name
-- external: ecs
- name: source.bytes
-- external: ecs
- name: source.domain
-- external: ecs
- name: source.geo.city_name
-- external: ecs
- name: source.geo.continent_name
-- external: ecs
- name: source.geo.country_iso_code
-- external: ecs
- name: source.geo.country_name
-- external: ecs
- name: source.geo.location
-- external: ecs
- name: source.geo.region_iso_code
-- external: ecs
- name: source.geo.region_name
-- external: ecs
- name: source.ip
-- external: ecs
- name: source.mac
-- external: ecs
- name: source.nat.ip
-- external: ecs
- name: source.nat.port
-- external: ecs
- name: source.port
-- external: ecs
- name: source.user.email
-- external: ecs
- name: source.user.id
-- external: ecs
- name: source.user.name
-- external: ecs
- name: tags
-- external: ecs
- name: user.id
-- external: ecs
- name: user.name
-- external: ecs
- name: user.email
-- external: ecs
-
name: user_agent.device.name
-- external: ecs
- name: user_agent.name
-- external: ecs
- name: user_agent.os.full
-- external: ecs
- name: user_agent.os.name
-- external: ecs
- name: user_agent.os.version
-- external: ecs
- name: user_agent.version
-- name: event.action
- external: ecs
-- name: event.category
- external: ecs
-- name: event.code
- external: ecs
-- name: event.duration
- external: ecs
-- name: event.id
- external: ecs
-- name: event.kind
- external: ecs
-- name: event.risk_score
- external: ecs
-- name: event.severity
- external: ecs
diff --git a/packages/jumpcloud/docs/README.md b/packages/jumpcloud/docs/README.md
index a133de54f2e..53c3179cf18 100644
--- a/packages/jumpcloud/docs/README.md
+++ b/packages/jumpcloud/docs/README.md
@@ -48,33 +48,9 @@ All JumpCloud Directory Insights events are available in the `jumpcloud.events` | Field | Description | Type | |---|---|---| | @timestamp | Event timestamp. | date | -| client.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| client.as.organization.name | Organization name. | keyword | -| client.as.organization.name.text | Multi-field of `client.as.organization.name`. | match_only_text | -| client.bytes | Bytes sent from the client to the server. | long | -| client.domain | The domain name of the client system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| client.geo.city_name | City name. | keyword | -| client.geo.continent_name | Name of the continent. | keyword | -| client.geo.country_iso_code | Country ISO code. | keyword | -| client.geo.country_name | Country name. | keyword | -| client.geo.location | Longitude and latitude. | geo_point | -| client.geo.region_iso_code | Region ISO code. | keyword | -| client.geo.region_name | Region name. | keyword | -| client.ip | IP address of the client (IPv4 or IPv6). | ip | | data_stream.dataset | Data stream dataset. | constant_keyword | | data_stream.namespace | Data stream namespace. | constant_keyword | | data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. 
The value is normally defined by the implementer. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword | -| event.duration | Duration of the event in nanoseconds. If `event.start` and `event.end` are known this value should be the difference between the end and start time. | long | -| event.id | Unique ID to describe the event. | keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. 
They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.risk_score | Risk score or priority of the event (e.g. security solutions). Use your system's original value here. | float | -| event.severity | The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. | long | | input.type | | keyword | | jumpcloud.event.application.display_label | | keyword | | jumpcloud.event.application.id | | keyword | 
@@ -181,50 +157,6 @@ All JumpCloud Directory Insights events are available in the `jumpcloud.events` | jumpcloud.event.useragent.version | | keyword | | jumpcloud.event.username | | keyword | | jumpcloud.event.version | | keyword | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| process.name | Process name. Sometimes called program name or similar. | keyword | -| process.name.text | Multi-field of `process.name`. | match_only_text | -| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| rule.category | A categorization value keyword used by the entity using the rule for detection of this event. | keyword | -| rule.id | A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. | keyword | -| rule.uuid | A rule ID that is unique within the scope of a set or group of agents, observers, or other entities using the rule for detection of this event. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. 
| keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.mac | MAC address of the source. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | -| source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip | -| source.nat.port | Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers. | long | -| source.port | Port of the source. | long | -| source.user.email | User email address. | keyword | -| source.user.id | Unique identifier of the user. | keyword | -| source.user.name | Short name or login of the user. | keyword | -| source.user.name.text | Multi-field of `source.user.name`. | match_only_text | -| tags | List of keywords used to tag each event. | keyword | -| user.email | User email address. 
| keyword | -| user.id | Unique identifier of the user. | keyword | -| user.name | Short name or login of the user. | keyword | -| user.name.text | Multi-field of `user.name`. | match_only_text | -| user_agent.device.name | Name of the device. | keyword | -| user_agent.name | Name of the user agent. | keyword | -| user_agent.os.full | Operating system name, including the version or code name. | keyword | -| user_agent.os.full.text | Multi-field of `user_agent.os.full`. | match_only_text | -| user_agent.os.name | Operating system name, without the version. | keyword | -| user_agent.os.name.text | Multi-field of `user_agent.os.name`. | match_only_text | -| user_agent.os.version | Operating system version as a raw string. | keyword | -| user_agent.version | Version of the user agent. | keyword | An example event for `events` looks as following: diff --git a/packages/jumpcloud/manifest.yml b/packages/jumpcloud/manifest.yml index 59820bdfa92..81ffd8fd3c6 100644 --- a/packages/jumpcloud/manifest.yml +++ b/packages/jumpcloud/manifest.yml @@ -1,7 +1,7 @@ format_version: "3.0.2" name: jumpcloud title: "JumpCloud" -version: "1.10.0" +version: "1.11.0" description: "Collect logs from JumpCloud Directory as a Service" type: integration categories: @@ -9,7 +9,7 @@ categories: - security conditions: kibana: - version: "^8.12.0" + version: "^8.13.0" elastic: subscription: "basic" screenshots: diff --git a/packages/keycloak/changelog.yml b/packages/keycloak/changelog.yml index 73d4d82daa8..b2def31fcf5 100644 --- a/packages/keycloak/changelog.yml +++ b/packages/keycloak/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.22.0" + changes: + - description: Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template. + type: enhancement + link: https://github.com/elastic/integrations/pull/10135 - version: "1.21.0" changes: - description: Update manifest format version to v3.0.3. 
diff --git a/packages/keycloak/data_stream/log/fields/agent.yml b/packages/keycloak/data_stream/log/fields/agent.yml
index da4e652c53b..2bc58530bac 100644
--- a/packages/keycloak/data_stream/log/fields/agent.yml
+++ b/packages/keycloak/data_stream/log/fields/agent.yml
@@ -5,180 +5,15 @@ footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' type: group fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - name: image.id type: keyword description: Image ID for the cloud instance. -- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. 
- - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. - name: host title: Host group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' type: group fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. 
- - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - name: containerized type: boolean description: > diff --git a/packages/keycloak/data_stream/log/fields/beats.yml b/packages/keycloak/data_stream/log/fields/beats.yml index 4e189f20187..b2c7e0a2961 100644 --- a/packages/keycloak/data_stream/log/fields/beats.yml 
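Review bot: The removed `container` group included `container.labels`, declared as `type: object` with `object_type: keyword` (dynamic keyword subfields), and nothing replaces it; unlike the scalar `host.*` and `cloud.*` entries deleted around it, whether `container.labels.*` still maps as keyword now depends on the ecs@mappings dynamic templates, which this diff cannot show. That is worth confirming with a mapping check before release rather than assuming parity with the scalar fields. The retained `cloud.image.id` and `host.containerized` look right to keep, presumably because they are not ECS fields, and the `host` description change is wording only. Indentation of the YAML is lost on this page, so I am reading the structure from the key names.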
+++ b/packages/keycloak/data_stream/log/fields/beats.yml
@@ -7,9 +7,6 @@
- name: log.offset
type: long
description: Offset of the entry in the log file.
-- name: log.file.path
- type: keyword
- description: Path to the log file.
- name: log.file
type: group
fields:
diff --git a/packages/keycloak/data_stream/log/fields/ecs.yml b/packages/keycloak/data_stream/log/fields/ecs.yml
index 6d3428b27d2..7a327dae36b 100644
--- a/packages/keycloak/data_stream/log/fields/ecs.yml
+++ b/packages/keycloak/data_stream/log/fields/ecs.yml
@@ -1,87 +1 @@
-- name: ecs.version
- external: ecs
-- name: error.message
- external: ecs
-- name: event.action
- external: ecs
-- name: event.category
- external: ecs
-- name: event.id
- external: ecs
-- name: event.ingested
- external: ecs
-- name: event.created
- external: ecs
-- name: event.kind
- external: ecs
-- name: event.original
- external: ecs
-- name: event.type
- external: ecs
-- name: message
- external: ecs
-- name: related.ip
- external: ecs
-- name: related.user
- external: ecs
-- name: related.hosts
- external: ecs
-- name: source.address
- external: ecs
-- name: source.as.number
- external: ecs
-- name: source.as.organization.name
- external: ecs
-- name: source.bytes
- external: ecs
-- name: source.domain
- external: ecs
-- name: source.geo.city_name
- external: ecs
-- name: source.geo.continent_name
- external: ecs
-- name: source.geo.country_iso_code
- external: ecs
-- name: source.geo.country_name
- external: ecs
-- name: source.geo.location
- external: ecs
-- name: source.geo.name
- external: ecs
-- name: source.geo.region_iso_code
- external: ecs
-- name: source.geo.region_name
- external: ecs
-- name: source.ip
- external: ecs
-- name: source.port
- external: ecs
-- name: tags
- external: ecs
-- name: user.id
- external: ecs
-- name: user.name
- external: ecs
-- name: log.level
- external: ecs
-- name: log.logger
- external: ecs
-- name: process.thread.name
- external: ecs
-- name: group.id
- external: ecs
-- name: user.target.id
- external: ecs
-- name: url.domain
- external: ecs
-- name: url.extension
- external: ecs
-- name: url.fragment
- external: ecs
-- name: url.original
- external: ecs
-- name: url.path
- external: ecs
-- name: url.port
- external: ecs
- name: url.scheme
diff --git a/packages/keycloak/data_stream/log/manifest.yml b/packages/keycloak/data_stream/log/manifest.yml
index 9741ae8fb5c..30de5132a78 100644
--- a/packages/keycloak/data_stream/log/manifest.yml
+++ b/packages/keycloak/data_stream/log/manifest.yml
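Review bot: The new side of this file is the single line `- name: url.scheme` — the hunk header's `+1` says exactly one line survives, and the `external: ecs` lines that paired with every other entry are all removed — so the surviving entry has neither `external: ecs` nor a `type`, which is not a complete field definition. url.scheme is an ECS field just like the url.port entry deleted immediately before it, so the consistent fix is to drop it as well and delete the file (as this series does for jumpcloud's ecs.yml), or, if it must stay, complete it as `- name: url.scheme` / `  external: ecs`. If the trailing `external: ecs` was only lost in rendering, disregard; the header line count is what makes me doubt that.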
@@ -52,6 +52,7 @@ streams:
 show_user: false
 description: >
 Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
 - name: parsers
 type: yaml
 title: Parsers
@@ -65,7 +66,6 @@ streams:
 pattern: '^\d{4}-\w{2}-\d{2}'
 negate: true
 match: after
- template_path: "filestream.yml.hbs"
 title: Keycloak logs
 description: Collect Keycloak logs via log files
diff --git a/packages/keycloak/docs/README.md b/packages/keycloak/docs/README.md
index 31df48cd0e0..226db3908c1 100644
--- a/packages/keycloak/docs/README.md
+++ b/packages/keycloak/docs/README.md
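Review bot: Dropping `template_path: "filestream.yml.hbs"` in the second hunk makes the stream fall back to the default template name, `stream.yml.hbs`, so the package only builds if the file under `agent/stream/` was renamed to match; that rename would sort before this file in the diff and is outside this view, so please confirm it is part of the change rather than an accidental removal. The one added line in the first hunk appears to be blank given the hunk counts, which is harmless but worth dropping to keep the manifest tidy.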
@@ -31,52 +31,15 @@ Note: | Field | Description | Type | |---|---|---| | @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | | cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | | data_stream.dataset | Data stream dataset name. | constant_keyword | | data_stream.namespace | Data stream namespace. | constant_keyword | | data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.message | Error message. | match_only_text | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. 
| keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date | | event.dataset | Event dataset | constant_keyword | -| event.id | Unique ID to describe the event. | keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. 
For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword | | event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| group.id | Unique identifier for the group on the system/platform. | keyword | -| host.architecture | Operating system architecture. | keyword | | host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. 
Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | host.os.build | OS build information. | keyword | | host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | input.type | Type of Filebeat input. | keyword | | keycloak.admin.operation | Keycloak admin operation; Add, Update, Delete | keyword | | keycloak.admin.resource.path | Path to affected resource | keyword | 
@@ -96,46 +59,10 @@ Note: | log.file.idxhi | The high-order part of a unique identifier that is associated with a file. (Windows-only) | keyword | | log.file.idxlo | The low-order part of a unique identifier that is associated with a file. (Windows-only) | keyword | | log.file.inode | Inode number of the log file. | keyword | -| log.file.path | Path to the log file. | keyword | | log.file.vol | The serial number of the volume that contains a file. (Windows-only) | keyword | | log.flags | Flags for the log file. | keyword | -| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | -| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword | | log.offset | Offset of the entry in the log file. | long | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| process.thread.name | Thread name. | keyword | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. 
You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| tags | List of keywords used to tag each event. | keyword | -| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. 
If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | -| url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | -| url.fragment | Portion of the url after the `#`, such as "top". The `#` is not part of the fragment. | keyword | -| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | -| url.original.text | Multi-field of `url.original`. | match_only_text | -| url.path | Path of the request, such as "/search". | wildcard | -| url.port | Port of the request, such as 443. | long | | url.scheme | | | -| user.id | Unique identifier of the user. | keyword | -| user.name | Short name or login of the user. | keyword | -| user.name.text | Multi-field of `user.name`. | match_only_text | -| user.target.id | Unique identifier of the user. | keyword | An example event for `log` looks as following: diff --git a/packages/keycloak/manifest.yml b/packages/keycloak/manifest.yml index 4970508ce32..f6452c0efe0 100644 --- a/packages/keycloak/manifest.yml +++ b/packages/keycloak/manifest.yml 
@@ -1,13 +1,13 @@
 name: keycloak
 title: Keycloak
-version: "1.21.0"
+version: "1.22.0"
 description: Collect logs from Keycloak with Elastic Agent.
 type: integration
 format_version: "3.0.3"
 categories: [security, iam]
 conditions:
 kibana:
- version: "^7.16.0 || ^8.0.0"
+ version: "^8.13.0"
 icons:
 - src: /img/keycloak-logo.svg
 title: Keycloak
diff --git a/packages/lastpass/changelog.yml b/packages/lastpass/changelog.yml
index bded279947c..6966b838cf4 100644
--- a/packages/lastpass/changelog.yml
+++ b/packages/lastpass/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.17.0"
+ changes:
+ - description: Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/10135
 - version: "1.16.0"
 changes:
 - description: Add pagesize and pageindex to request.
diff --git a/packages/lastpass/data_stream/detailed_shared_folder/fields/agent.yml b/packages/lastpass/data_stream/detailed_shared_folder/fields/agent.yml
index 73e076a93b1..894e6f12be2 100644
--- a/packages/lastpass/data_stream/detailed_shared_folder/fields/agent.yml
+++ b/packages/lastpass/data_stream/detailed_shared_folder/fields/agent.yml
@@ -5,162 +5,15 @@ footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' type: group fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization ID used to identify different entities in a multi-tenant environment. Examples: AWS account ID, Google Cloud ORG ID, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - name: image.id type: keyword description: Image ID for the cloud instance. -- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. 
These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container ID. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. - name: host title: Host group: 2 description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' type: group fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host ID. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host IP addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. 
- - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - name: containerized type: boolean description: > diff --git a/packages/lastpass/data_stream/detailed_shared_folder/fields/ecs.yml b/packages/lastpass/data_stream/detailed_shared_folder/fields/ecs.yml deleted file mode 100644 index 16255512a07..00000000000 --- a/packages/lastpass/data_stream/detailed_shared_folder/fields/ecs.yml +++ /dev/null 
@@ -1,16 +0,0 @@
-- external: ecs
- name: ecs.version
-- external: ecs
- name: event.created
-- external: ecs
- name: event.kind
-- external: ecs
- name: event.original
-- external: ecs
- name: event.type
-- external: ecs
- name: related.user
-- external: ecs
- name: tags
-- external: ecs
- name: user.email
diff --git a/packages/lastpass/data_stream/event_report/fields/agent.yml b/packages/lastpass/data_stream/event_report/fields/agent.yml
index 6e1bac042bc..894e6f12be2 100644
--- a/packages/lastpass/data_stream/event_report/fields/agent.yml
+++ b/packages/lastpass/data_stream/event_report/fields/agent.yml
@@ -5,162 +5,15 @@ footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' type: group fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - name: image.id type: keyword description: Image ID for the cloud instance. -- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. 
These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. - name: host title: Host group: 2 description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' type: group fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. 
- - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - name: containerized type: boolean description: > diff --git a/packages/lastpass/data_stream/event_report/fields/ecs.yml b/packages/lastpass/data_stream/event_report/fields/ecs.yml deleted file mode 100644 index 52216f81053..00000000000 --- a/packages/lastpass/data_stream/event_report/fields/ecs.yml +++ /dev/null 
@@ -1,34 +0,0 @@
-- external: ecs
- name: ecs.version
-- external: ecs
- name: event.action
-- external: ecs
- name: event.category
-- external: ecs
- name: event.created
-- external: ecs
- name: event.kind
-- external: ecs
- name: event.original
-- external: ecs
- name: event.type
-- external: ecs
- name: related.ip
-- external: ecs
- name: related.user
-- external: ecs
- name: source.geo.continent_name
-- external: ecs
- name: source.geo.country_iso_code
-- external: ecs
- name: source.geo.country_name
-- external: ecs
- name: source.geo.location
-- external: ecs
- name: source.ip
-- external: ecs
- name: tags
-- external: ecs
- name: user.email
-- external: ecs
- name: user.group.name
diff --git a/packages/lastpass/data_stream/user/fields/agent.yml b/packages/lastpass/data_stream/user/fields/agent.yml
index 6e1bac042bc..894e6f12be2 100644
--- a/packages/lastpass/data_stream/user/fields/agent.yml
+++ b/packages/lastpass/data_stream/user/fields/agent.yml
@@ -5,162 +5,15 @@ footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' type: group fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - name: image.id type: keyword description: Image ID for the cloud instance. -- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. 
These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. - name: host title: Host group: 2 description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' type: group fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. 
- - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - name: containerized type: boolean description: > diff --git a/packages/lastpass/data_stream/user/fields/ecs.yml b/packages/lastpass/data_stream/user/fields/ecs.yml deleted file mode 100644 index 97efa126a91..00000000000 --- a/packages/lastpass/data_stream/user/fields/ecs.yml +++ /dev/null 
@@ -1,24 +0,0 @@ -- external: ecs - name: ecs.version -- external: ecs - name: event.category -- external: ecs - name: event.created -- external: ecs - name: event.kind -- external: ecs - name: event.original -- external: ecs - name: event.type -- external: ecs - name: related.user -- external: ecs - name: tags -- external: ecs - name: user.email -- external: ecs - name: user.full_name -- external: ecs - name: user.group.name -- external: ecs - name: user.id diff --git a/packages/lastpass/docs/README.md b/packages/lastpass/docs/README.md index ee51c087e60..ab3dc0415cf 100644 --- a/packages/lastpass/docs/README.md +++ b/packages/lastpass/docs/README.md 
@@ -128,46 +128,15 @@ An example event for `detailed_shared_folder` looks as following: | Field | Description | Type | |---|---|---| | @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization ID used to identify different entities in a multi-tenant environment. Examples: AWS account ID, Google Cloud ORG ID, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | | cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container ID. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | | data_stream.dataset | Data stream dataset. | constant_keyword | | data_stream.namespace | Data stream namespace. | constant_keyword | | data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. 
In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date | | event.dataset | Event dataset. | constant_keyword | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword | | event.module | Event module. | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. 
| keyword | -| host.architecture | Operating system architecture. | keyword | | host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host ID. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host IP addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | host.os.build | OS build information. | keyword | | host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | input.type | Input type | keyword | | lastpass.detailed_shared_folder.deleted | | boolean | | lastpass.detailed_shared_folder.name | | keyword | 
@@ -180,9 +149,6 @@ An example event for `detailed_shared_folder` looks as following: | lastpass.detailed_shared_folder.user.site | | keyword | | lastpass.detailed_shared_folder.user.super_admin | | boolean | | log.offset | Log offset | long | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| tags | List of keywords used to tag each event. | keyword | -| user.email | User email address. | keyword | ### event_report 
@@ -275,48 +241,15 @@ An example event for `event_report` looks as following: | Field | Description | Type | |---|---|---| | @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | | cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | | data_stream.dataset | Data stream dataset. | constant_keyword | | data_stream.namespace | Data stream namespace. | constant_keyword | | data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. 
| keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date | | event.dataset | Event dataset. | constant_keyword | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword | | event.module | Event module. | constant_keyword | -| event.original | Raw text message of entire event. 
Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| host.architecture | Operating system architecture. | keyword | | host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | host.os.build | OS build information. | keyword | | host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). 
| keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | input.type | Input type | keyword | | lastpass.event_report.action | | keyword | | lastpass.event_report.data.added_site | | keyword | @@ -338,16 +271,6 @@ An example event for `event_report` looks as following: | lastpass.event_report.time | | date | | lastpass.event_report.user_name | | keyword | | log.offset | Log offset | long | -| related.ip | All of the IPs seen on your event. | ip | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| tags | List of keywords used to tag each event. | keyword | -| user.email | User email address. | keyword | -| user.group.name | Name of the group. | keyword | ### user 
@@ -456,47 +379,15 @@ An example event for `user` looks as following: | Field | Description | Type | |---|---|---| | @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | | cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | | data_stream.dataset | Data stream dataset. | constant_keyword | | data_stream.namespace | Data stream namespace. | constant_keyword | | data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. 
For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date | | event.dataset | Event dataset. | constant_keyword | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword | | event.module | Event module. | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. 
If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| host.architecture | Operating system architecture. | keyword | | host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | host.os.build | OS build information. | keyword | | host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. 
| text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | input.type | Input type | keyword | | lastpass.user.application | | long | | lastpass.user.attachment | | long | @@ -518,11 +409,4 @@ An example event for `user` looks as following: | lastpass.user.total_score | | double | | lastpass.user.user_name | | keyword | | log.offset | Log offset | long | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| tags | List of keywords used to tag each event. | keyword | -| user.email | User email address. | keyword | -| user.full_name | User's full name, if available. | keyword | -| user.full_name.text | Multi-field of `user.full_name`. | match_only_text | -| user.group.name | Name of the group. | keyword | -| user.id | Unique identifier of the user. | keyword | diff --git a/packages/lastpass/manifest.yml b/packages/lastpass/manifest.yml index 15f7d40d175..f9a9de1d5d4 100644 --- a/packages/lastpass/manifest.yml +++ b/packages/lastpass/manifest.yml @@ -1,7 +1,7 @@ format_version: "3.0.2" name: lastpass title: LastPass -version: "1.16.0" +version: "1.17.0" description: Collect logs from LastPass with Elastic Agent. type: integration categories: @@ -9,7 +9,7 @@ categories: - credential_management conditions: kibana: - version: ^8.12.0 + version: "^8.13.0" elastic: subscription: basic screenshots: diff --git a/packages/lumos/changelog.yml b/packages/lumos/changelog.yml index 98bad0e736a..b88153ed648 100644 --- a/packages/lumos/changelog.yml +++ b/packages/lumos/changelog.yml 
@@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.3.0" + changes: + - description: Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template. + type: enhancement + link: https://github.com/elastic/integrations/pull/10135 - version: "1.2.1" changes: - description: Fix sample event. diff --git a/packages/lumos/data_stream/activity_logs/fields/ecs.yml b/packages/lumos/data_stream/activity_logs/fields/ecs.yml deleted file mode 100644 index 553d3da3148..00000000000 --- a/packages/lumos/data_stream/activity_logs/fields/ecs.yml +++ /dev/null @@ -1,4 +0,0 @@ -- external: ecs - name: ecs.version -- external: ecs - name: message diff --git a/packages/lumos/data_stream/activity_logs/fields/fields.yml b/packages/lumos/data_stream/activity_logs/fields/fields.yml index 763d709168a..3b850446fd1 100644 --- a/packages/lumos/data_stream/activity_logs/fields/fields.yml +++ b/packages/lumos/data_stream/activity_logs/fields/fields.yml @@ -1,18 +1,6 @@ - name: input.type type: keyword description: Input type -- name: event.id - type: keyword - description: The event hash -- name: event.created - type: date - description: The time the event began -- name: event.action - type: keyword - description: The activity that occurred -- name: event.outcome - type: keyword - description: The outcome of the event, whether it succeeded or failed - name: lumos.activity_logs.actor.actor_type type: keyword description: The type of actor diff --git a/packages/lumos/docs/README.md b/packages/lumos/docs/README.md index 1becdd681e4..47db95c2def 100644 --- a/packages/lumos/docs/README.md +++ b/packages/lumos/docs/README.md 
@@ -34,12 +34,7 @@ Activity Logs summarize the history of changes and events occurring within Lumos | data_stream.dataset | Data stream dataset. | constant_keyword | | data_stream.namespace | Data stream namespace. | constant_keyword | | data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.action | The activity that occurred | keyword | -| event.created | The time the event began | date | -| event.id | The event hash | keyword | | event.module | Event module | constant_keyword | -| event.outcome | The outcome of the event, whether it succeeded or failed | keyword | | input.type | Input type | keyword | | lumos.activity_logs.actor.actor_type | The type of actor | keyword | | lumos.activity_logs.actor.email | The email of the actor | keyword | @@ -49,7 +44,6 @@ Activity Logs summarize the history of changes and events occurring within Lumos | lumos.activity_logs.event_type_user_friendly | The user friendly type of the event | keyword | | lumos.activity_logs.targets.name | | keyword | | lumos.activity_logs.targets.target_type | | keyword | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | An example event for `activity` looks as following: diff --git a/packages/lumos/manifest.yml b/packages/lumos/manifest.yml index 8d03976ac00..3984bed287c 100644 --- a/packages/lumos/manifest.yml +++ b/packages/lumos/manifest.yml 
@@ -1,14 +1,14 @@ format_version: 3.1.2 name: lumos title: "Lumos" -version: 1.2.1 +version: "1.3.0" description: "An integration with Lumos to ship your Activity logs to your Elastic instance." type: integration categories: - security conditions: kibana: - version: "^8.12.1" + version: "^8.13.0" elastic: subscription: "basic" screenshots: diff --git a/packages/lyve_cloud/changelog.yml b/packages/lyve_cloud/changelog.yml index 272e7d0bfb4..ee84f4bdf41 100644 --- a/packages/lyve_cloud/changelog.yml +++ b/packages/lyve_cloud/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.14.0" + changes: + - description: Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template. + type: enhancement + link: https://github.com/elastic/integrations/pull/10135 - version: "1.13.0" changes: - description: Set sensitive values as secret. diff --git a/packages/lyve_cloud/data_stream/audit/fields/agent.yml b/packages/lyve_cloud/data_stream/audit/fields/agent.yml index da4e652c53b..2bc58530bac 100644 --- a/packages/lyve_cloud/data_stream/audit/fields/agent.yml +++ b/packages/lyve_cloud/data_stream/audit/fields/agent.yml 
@@ -5,180 +5,15 @@ footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' type: group fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - name: image.id type: keyword description: Image ID for the cloud instance. -- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. 
- - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. - name: host title: Host group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' type: group fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. 
- - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - name: containerized type: boolean description: > diff --git a/packages/lyve_cloud/data_stream/audit/fields/ecs.yml b/packages/lyve_cloud/data_stream/audit/fields/ecs.yml index 7136e8e2fda..2699ba80122 100644 --- a/packages/lyve_cloud/data_stream/audit/fields/ecs.yml 
+++ b/packages/lyve_cloud/data_stream/audit/fields/ecs.yml @@ -1,86 +1,10 @@ - external: ecs name: "@timestamp" -- external: ecs - name: ecs.version -- external: ecs - name: tags -- external: ecs - name: user.name -- external: ecs - name: user.email -- external: ecs - name: user.id -- external: ecs - name: user_agent.device.name -- external: ecs - name: user_agent.name -- external: ecs - name: user_agent.original -- external: ecs - name: user_agent.os.full -- external: ecs - name: user_agent.os.name -- external: ecs - name: user_agent.os.version -- external: ecs - name: http.response.status_code -- external: ecs - name: http.request.body.bytes -- external: ecs - name: http.response.body.bytes -- external: ecs - name: http.response.mime_type -- external: ecs - name: log.file.path -- external: ecs - name: user_agent.version -- external: ecs - name: related.user -- external: ecs - name: related.ip -- external: ecs - name: related.hosts -- external: ecs - name: client.ip -- external: ecs - name: client.geo.continent_name -- external: ecs - name: client.geo.city_name -- external: ecs - name: client.geo.country_iso_code -- external: ecs - name: client.geo.country_name - external: ecs name: client.geo.location.lat - external: ecs name: client.geo.location.lon -- external: ecs - name: client.geo.region_iso_code -- external: ecs - name: client.geo.region_name -- external: ecs - name: client.as.number -- external: ecs - name: client.as.organization.name -- external: ecs - name: source.as.number -- external: ecs - name: source.as.organization.name -- external: ecs - name: source.ip -- external: ecs - name: source.geo.continent_name -- external: ecs - name: source.geo.city_name -- external: ecs - name: source.geo.country_iso_code -- external: ecs - name: source.geo.country_name - external: ecs name: source.geo.location.lat - external: ecs name: source.geo.location.lon -- external: ecs - name: source.geo.region_iso_code -- external: ecs - name: source.geo.region_name 
diff --git a/packages/lyve_cloud/docs/README.md b/packages/lyve_cloud/docs/README.md index 3ea91d5e412..20994962bbf 100644 --- a/packages/lyve_cloud/docs/README.md +++ b/packages/lyve_cloud/docs/README.md 
@@ -29,60 +29,18 @@ when creating new dashboard or in other Analytics search fields inside the filte | Field | Description | Type | |---|---|---| | @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | -| client.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| client.as.organization.name | Organization name. | keyword | -| client.as.organization.name.text | Multi-field of `client.as.organization.name`. | match_only_text | -| client.geo.city_name | City name. | keyword | -| client.geo.continent_name | Name of the continent. | keyword | -| client.geo.country_iso_code | Country ISO code. | keyword | -| client.geo.country_name | Country name. | keyword | | client.geo.location.lat | Longitude and latitude. | geo_point | | client.geo.location.lon | Longitude and latitude. | geo_point | -| client.geo.region_iso_code | Region ISO code. | keyword | -| client.geo.region_name | Region name. | keyword | -| client.ip | IP address of the client (IPv4 or IPv6). | ip | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | | cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. 
| keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | | data_stream.dataset | Data stream dataset. | constant_keyword | | data_stream.namespace | Data stream namespace. | constant_keyword | | data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | | event.dataset | Event dataset | constant_keyword | | event.module | Event module | constant_keyword | -| host.architecture | Operating system architecture. | keyword | | host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. 
It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | host.os.build | OS build information. | keyword | | host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| http.request.body.bytes | Size in bytes of the request body. | long | -| http.response.body.bytes | Size in bytes of the response body. | long | -| http.response.mime_type | Mime type of the body of the response. This value must only be populated based on the content of the response body, not on the `Content-Type` header. Comparing the mime type of a response with the response's Content-Type header can be helpful in detecting misconfigured servers. | keyword | -| http.response.status_code | HTTP response status code. | long | | input.type | Type of Filebeat input. | keyword | -| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | | lyve_cloud.audit.auditEntry.api.bucket | Bucket for which the opearion was taken upon. | keyword | | lyve_cloud.audit.auditEntry.api.name | Represents name of the operation. 
| keyword | | lyve_cloud.audit.auditEntry.api.object | Objects name | keyword | 
@@ -101,36 +59,8 @@ when creating new dashboard or in other Analytics search fields inside the filte | lyve_cloud.audit.auditEntry.responseHeader.object_lock_retain_until_date | Object retention duration | date | | lyve_cloud.audit.auditEntry.responseHeader.x-amz-version-id | The version of the object. When versioning is enabled. | keyword | | lyve_cloud.audit.auditEntry.version | Represents the current version of Audit Log structure. | keyword | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | | source.geo.location.lat | Longitude and latitude. | geo_point | | source.geo.location.lon | Longitude and latitude. | geo_point | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| tags | List of keywords used to tag each event. | keyword | -| user.email | User email address. | keyword | -| user.id | Unique identifier of the user. | keyword | -| user.name | Short name or login of the user. | keyword | -| user.name.text | Multi-field of `user.name`. | match_only_text | -| user_agent.device.name | Name of the device. 
| keyword |
-| user_agent.name | Name of the user agent. | keyword |
-| user_agent.original | Unparsed user_agent string. | keyword |
-| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text |
-| user_agent.os.full | Operating system name, including the version or code name. | keyword |
-| user_agent.os.full.text | Multi-field of `user_agent.os.full`. | match_only_text |
-| user_agent.os.name | Operating system name, without the version. | keyword |
-| user_agent.os.name.text | Multi-field of `user_agent.os.name`. | match_only_text |
-| user_agent.os.version | Operating system version as a raw string. | keyword |
-| user_agent.version | Version of the user agent. | keyword |
An example event for `audit` looks as following:
diff --git a/packages/lyve_cloud/manifest.yml b/packages/lyve_cloud/manifest.yml
index 1796b2f6000..422be489dc9 100644
--- a/packages/lyve_cloud/manifest.yml
+++ b/packages/lyve_cloud/manifest.yml
@@ -1,14 +1,14 @@
format_version: "3.0.2"
name: lyve_cloud
title: Lyve Cloud
-version: "1.13.0"
+version: "1.14.0"
description: Collect S3 API audit log from Lyve Cloud with Elastic Agent.
type: integration
categories:
- security
conditions:
kibana:
- version: "^8.12.0"
+ version: "^8.13.0"
icons:
- src: /img/LyveCloud-Logo.svg
title: Seagate-Lyve-Cloud
diff --git a/packages/m365_defender/_dev/build/build.yml b/packages/m365_defender/_dev/build/build.yml
index 71f48ba2a9c..2bfcfc223b0 100644
--- a/packages/m365_defender/_dev/build/build.yml
+++ b/packages/m365_defender/_dev/build/build.yml
@@ -1,4 +1,3 @@
dependencies:
ecs:
reference: "git@v8.11.0"
- import_mappings: true
diff --git a/packages/m365_defender/changelog.yml b/packages/m365_defender/changelog.yml
index 3529064c4fa..496046b12fc 100644
--- a/packages/m365_defender/changelog.yml
+++ b/packages/m365_defender/changelog.yml
@@ -1,4 +1,9 @@
# newer versions go on top
+- version: "2.13.0"
+ changes:
+ - description: Removed import_mappings. Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/10135
- version: "2.12.0"
changes:
- description: Make `host.ip` and `host.mac` fields conform to ECS field definition.
diff --git a/packages/m365_defender/data_stream/alert/fields/beats.yml b/packages/m365_defender/data_stream/alert/fields/beats.yml
index b3701b581cf..4084f1dc7f5 100644
--- a/packages/m365_defender/data_stream/alert/fields/beats.yml
+++ b/packages/m365_defender/data_stream/alert/fields/beats.yml
@@ -4,6 +4,3 @@
- name: log.offset
type: long
description: Log offset.
-- name: tags
- type: keyword
- description: User defined tags.
diff --git a/packages/m365_defender/data_stream/event/_dev/test/pipeline/test-device.log-expected.json b/packages/m365_defender/data_stream/event/_dev/test/pipeline/test-device.log-expected.json
index b113b2a5bae..85afb6f8534 100644
--- a/packages/m365_defender/data_stream/event/_dev/test/pipeline/test-device.log-expected.json
+++ b/packages/m365_defender/data_stream/event/_dev/test/pipeline/test-device.log-expected.json
@@ -2020,6 +2020,7 @@
"preserve_duplicate_custom_fields"
],
"url": {
+ "extension": "tld",
"original": "subdomain.domain.tld",
"path": "subdomain.domain.tld"
},
@@ -2718,6 +2719,7 @@
"preserve_duplicate_custom_fields"
],
"url": {
+ "extension": "com",
"original": "url.com",
"path": "url.com"
},
diff --git a/packages/m365_defender/data_stream/event/fields/agent.yml b/packages/m365_defender/data_stream/event/fields/agent.yml
index 6e1bac042bc..894e6f12be2 100644
--- a/packages/m365_defender/data_stream/event/fields/agent.yml
+++ b/packages/m365_defender/data_stream/event/fields/agent.yml
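Review bot: The two new `"extension"` lines in the test-device.log-expected.json hunks lock in `url.extension` values (`"tld"`, `"com"`) that are just the last label of a bare hostname, because in both events `url.original` and `url.path` are the identical scheme-less string (`subdomain.domain.tld`, `url.com`); accepting the fixture makes that parser artifact the documented contract of the device data stream. This presumably comes from the processor that populates `url.*` in the device pipeline (not in this diff) treating a value with no scheme or `/` as a path and taking the text after the final dot as an extension. Detection rules that key on `url.extension` (script or archive download rules, for example) would then fire on ordinary domain events whose TLD happens to be `zip`, `mov` or similar, so the fix belongs in the pipeline rather than in the expected output: for instance a `remove` processor on `url.extension` guarded by `if: ctx.url?.original != null && ctx.url.original == ctx.url?.path && !ctx.url.original.contains('/')`, followed by regenerating this fixture so the `extension` keys disappear again.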
@@ -5,162 +5,15 @@ footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' type: group fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - name: image.id type: keyword description: Image ID for the cloud instance. -- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. 
These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. - name: host title: Host group: 2 description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' type: group fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. 
- - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - name: containerized type: boolean description: > diff --git a/packages/m365_defender/data_stream/event/fields/ecs.yml b/packages/m365_defender/data_stream/event/fields/ecs.yml index 9b0fe006804..c4589bf1b4b 100644 --- a/packages/m365_defender/data_stream/event/fields/ecs.yml +++ b/packages/m365_defender/data_stream/event/fields/ecs.yml 
@@ -1,308 +1,2 @@ -- external: ecs - name: ecs.version -- external: ecs - name: tags -- external: ecs - name: message -- external: ecs - name: destination.address -- external: ecs - name: destination.domain -- external: ecs - name: destination.ip -- external: ecs - name: destination.geo.city_name -- external: ecs - name: destination.geo.continent_name -- external: ecs - name: destination.geo.country_iso_code -- external: ecs - name: destination.geo.country_name -- external: ecs - name: destination.geo.location -- external: ecs - name: destination.geo.region_iso_code -- external: ecs - name: destination.geo.region_name -- external: ecs - name: destination.port -- external: ecs - name: dns.header_flags -- external: ecs - name: dns.question.class -- external: ecs - name: dns.question.name -- external: ecs - name: dns.question.type -- external: ecs - name: dns.response_code -- external: ecs - name: email.direction -- external: ecs - name: email.from.address -- external: ecs - name: email.local_id -- external: ecs - name: email.message_id -- external: ecs - name: email.subject -- external: ecs - name: email.to.address -- external: ecs - name: event.action -- external: ecs - name: event.outcome -- external: ecs - name: event.created -- external: ecs - name: event.id -- external: ecs - name: event.original -- external: ecs - name: event.provider -- external: ecs - name: event.reference -- external: ecs - name: event.severity -- external: ecs - name: event.category -- external: ecs - name: event.type -- external: ecs - name: event.kind -- external: ecs - name: file.directory -- external: ecs - name: file.path -- external: ecs - name: file.extension -- external: ecs - name: file.hash.md5 -- external: ecs - name: file.hash.sha1 -- external: ecs - name: file.hash.sha256 -- external: ecs - name: file.name -- external: ecs - name: file.size -- external: ecs - name: file.x509.not_after -- external: ecs - name: file.x509.serial_number -- external: ecs - name: 
file.x509.issuer.common_name -- external: ecs - name: file.code_signature.subject_name -- external: ecs - name: file.code_signature.exists -- external: ecs - name: file.code_signature.trusted -- external: ecs - name: dll.path -- external: ecs - name: dll.name -- external: ecs - name: dll.hash.md5 -- external: ecs - name: dll.hash.sha1 -- external: ecs - name: dll.hash.sha256 -- external: ecs - name: network.direction -- external: ecs - name: network.protocol -- external: ecs - name: observer.type -- external: ecs - name: observer.version -- external: ecs - name: process.command_line -- external: ecs - name: process.start -- external: ecs - name: process.args -- external: ecs - name: process.args_count -- external: ecs - name: process.hash.md5 -- external: ecs - name: process.hash.sha1 -- external: ecs - name: process.hash.sha256 -- external: ecs - name: process.pid -- external: ecs - name: process.executable -- external: ecs - name: process.name -- external: ecs - name: process.pe.company -- external: ecs - name: process.pe.description -- external: ecs - name: process.pe.original_file_name -- external: ecs - name: process.pe.product -- external: ecs - name: process.pe.file_version -- external: ecs - name: process.code_signature.status -- external: ecs - name: process.parent.pid -- external: ecs - name: process.parent.start -- external: ecs - name: process.parent.command_line -- external: ecs - name: process.parent.args -- external: ecs - name: process.parent.args_count -- external: ecs - name: process.parent.hash.md5 -- external: ecs - name: process.parent.hash.sha1 -- external: ecs - name: process.parent.hash.sha256 -- external: ecs - name: process.parent.executable -- external: ecs - name: process.parent.name -- external: ecs - name: process.parent.pe.company -- external: ecs - name: process.parent.pe.description -- external: ecs - name: process.parent.pe.original_file_name -- external: ecs - name: process.parent.pe.product -- external: ecs - name: 
process.parent.pe.file_version -- external: ecs - name: process.parent.code_signature.status -- external: ecs - name: process.parent.code_signature.exists -- external: ecs - name: process.parent.code_signature.trusted -- external: ecs - name: process.parent.group_leader.pid -- external: ecs - name: process.parent.group_leader.start -# Missing in ECS flatfile - name: process.parent.group_leader.name type: keyword -- name: dns.answers - type: object - object_type: keyword -- external: ecs - name: registry.key -- external: ecs - name: registry.value -- external: ecs - name: registry.hive -- external: ecs - name: registry.path -- external: ecs - name: registry.data.strings -- external: ecs - name: registry.data.type -- external: ecs - name: related.hash -- external: ecs - name: related.hosts -- external: ecs - name: related.ip -- external: ecs - name: related.user -- external: ecs - name: host.os.full -- external: ecs - name: user.domain -- external: ecs - name: user.id -- external: ecs - name: user.name -- external: ecs - name: source.geo.city_name -- external: ecs - name: source.geo.continent_name -- external: ecs - name: source.geo.country_iso_code -- external: ecs - name: source.geo.country_name -- external: ecs - name: source.geo.location -- external: ecs - name: source.geo.region_iso_code -- external: ecs - name: source.geo.region_name -- external: ecs - name: source.ip -- external: ecs - name: source.port -- external: ecs - name: source.domain -- external: ecs - name: source.user.domain -- external: ecs - name: source.user.id -- external: ecs - name: source.user.name -- external: ecs - name: threat.indicator.file.directory -- external: ecs - name: threat.indicator.file.hash.sha1 -- external: ecs - name: threat.indicator.file.hash.sha256 -- external: ecs - name: threat.indicator.file.name -- external: ecs - name: threat.indicator.file.size -- external: ecs - name: threat.indicator.registry.key -- external: ecs - name: threat.indicator.registry.data.strings -- 
external: ecs - name: threat.indicator.registry.value -- external: ecs - name: threat.indicator.type -- external: ecs - name: threat.group.name -- external: ecs - name: threat.technique.subtechnique.id -- external: ecs - name: threat.technique.subtechnique.name -- external: ecs - name: url.domain -- external: ecs - name: url.extension -- external: ecs - name: url.fragment -- external: ecs - name: url.original -- external: ecs - name: url.password -- external: ecs - name: url.path -- external: ecs - name: url.port -- external: ecs - name: url.query -- external: ecs - name: url.scheme -- external: ecs - name: url.username -- external: ecs - name: user_agent.device.name -- external: ecs - name: user_agent.name -- external: ecs - name: user_agent.original -- external: ecs - name: user_agent.os.full -- external: ecs - name: user_agent.os.name -- external: ecs - name: user_agent.os.version -- external: ecs - name: user_agent.version diff --git a/packages/m365_defender/data_stream/incident/fields/agent.yml b/packages/m365_defender/data_stream/incident/fields/agent.yml index 6e1bac042bc..894e6f12be2 100644 --- a/packages/m365_defender/data_stream/incident/fields/agent.yml +++ b/packages/m365_defender/data_stream/incident/fields/agent.yml 
@@ -5,162 +5,15 @@ footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' type: group fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - name: image.id type: keyword description: Image ID for the cloud instance. -- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. 
These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. - name: host title: Host group: 2 description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' type: group fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. 
- - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - name: containerized type: boolean description: > diff --git a/packages/m365_defender/data_stream/incident/fields/ecs.yml b/packages/m365_defender/data_stream/incident/fields/ecs.yml deleted file mode 100644 index 1652e216e7e..00000000000 --- a/packages/m365_defender/data_stream/incident/fields/ecs.yml +++ /dev/null 
@@ -1,104 +0,0 @@ -- external: ecs - name: ecs.version -- external: ecs - name: email.delivery_timestamp -- external: ecs - name: email.direction -- external: ecs - name: email.from.address -- external: ecs - name: email.subject -- external: ecs - name: email.to.address -- external: ecs - name: event.action -- external: ecs - name: event.category -- external: ecs - name: event.created -- external: ecs - name: event.id -- external: ecs - name: event.kind -- external: ecs - name: event.original -- external: ecs - name: event.provider -- external: ecs - name: event.severity -- external: ecs - name: event.type -- external: ecs - name: event.url -- external: ecs - name: file.hash.sha1 -- external: ecs - name: file.hash.sha256 -- external: ecs - name: file.name -- external: ecs - name: file.path -- external: ecs - name: file.size -- external: ecs - name: group.id -- external: ecs - name: group.name -- external: ecs - name: message -- external: ecs - name: process.command_line -- external: ecs - name: process.hash.sha1 -- external: ecs - name: process.hash.sha256 -- external: ecs - name: process.parent.hash.sha1 -- external: ecs - name: process.parent.hash.sha256 -- external: ecs - name: process.parent.pid -- external: ecs - name: process.parent.start -- external: ecs - name: process.pid -- external: ecs - name: process.start -- external: ecs - name: process.user.id -- external: ecs - name: process.user.name -- external: ecs - name: registry.data.type -- external: ecs - name: registry.hive -- external: ecs - name: registry.key -- external: ecs - name: registry.value -- external: ecs - name: related.hash -- external: ecs - name: related.hosts -- external: ecs - name: related.ip -- external: ecs - name: related.user -- external: ecs - name: source.ip -- external: ecs - name: source.user.name -- external: ecs - name: tags -- external: ecs - name: threat.group.name -- external: ecs - name: threat.tactic.name -- external: ecs - name: threat.technique.subtechnique.id -- 
external: ecs - name: user.domain -- external: ecs - name: user.id -- external: ecs - name: user.name diff --git a/packages/m365_defender/data_stream/log/fields/agent.yml b/packages/m365_defender/data_stream/log/fields/agent.yml index e313ec82874..48f513b61aa 100644 --- a/packages/m365_defender/data_stream/log/fields/agent.yml +++ b/packages/m365_defender/data_stream/log/fields/agent.yml 
@@ -5,180 +5,15 @@ footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' type: group fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - name: image.id type: keyword description: Image ID for the cloud instance. -- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. 
- - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. - name: host title: Host group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' type: group fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. 
- - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - name: containerized type: boolean description: > diff --git a/packages/m365_defender/data_stream/log/fields/ecs.yml b/packages/m365_defender/data_stream/log/fields/ecs.yml deleted file mode 100644 index 103c84ac3c7..00000000000 
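Review bot: Removing the explicit `host.ip` (`type: ip`), `host.mac` and `host.name` definitions from the `host` group in this hunk (the `-` run after `fields:`) leaves the mapping of those fields to whatever dynamic templates reach the `log` data stream; if this package's manifest is not set up to pull in the `ecs@mappings` component template, `host.ip` would be dynamically mapped as a string rather than `ip`, and IP-range queries and the detection rules this series is meant to support would silently stop matching. The manifest is not in this chunk, so treat this as a point to confirm rather than a defect; a pipeline or system test that asserts the indexed type of `host.ip` would pin it. The same removal appears in the preceding hunk for the other data stream's `agent.yml`, whose start is outside this view, and the same check applies there.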
--- a/packages/m365_defender/data_stream/log/fields/ecs.yml +++ /dev/null @@ -1,90 +0,0 @@ -- external: ecs - name: event.kind -- external: ecs - name: event.timezone -- external: ecs - name: event.action -- external: ecs - name: event.provider -- external: ecs - name: event.created -- external: ecs - name: event.category -- external: ecs - name: event.type -- external: ecs - name: error.message -- external: ecs - name: event.id -- external: ecs - name: event.start -- external: ecs - name: event.end -- external: ecs - name: event.severity -- external: ecs - name: threat.framework -- external: ecs - name: threat.technique.name -- external: ecs - name: rule.description -- external: ecs - name: file.name -- external: ecs - name: file.hash.sha256 -- external: ecs - name: file.hash.sha1 -- external: ecs - name: file.path -- external: ecs - name: process.pid -- external: ecs - name: process.command_line -- external: ecs - name: process.start -- external: ecs - name: process.parent.pid -- external: ecs - name: process.parent.start -- external: ecs - name: observer.product -- external: ecs - name: observer.vendor -- external: ecs - name: observer.name -- external: ecs - name: url.domain -- external: ecs - name: url.full -- external: ecs - name: url.extension -- external: ecs - name: url.original -- external: ecs - name: url.path -- external: ecs - name: url.port -- external: ecs - name: url.scheme -- external: ecs - name: url.query -- external: ecs - name: user.name -- external: ecs - name: user.domain -- external: ecs - name: user.id -- external: ecs - name: related.ip -- external: ecs - name: related.user -- external: ecs - name: related.hash -- external: ecs - name: related.hosts -- external: ecs - name: tags -- external: ecs - name: ecs.version -- external: ecs - name: message diff --git a/packages/m365_defender/docs/README.md b/packages/m365_defender/docs/README.md index 6aa34122da6..fcd0d8db391 100644 --- a/packages/m365_defender/docs/README.md 
+++ b/packages/m365_defender/docs/README.md @@ -553,7 +553,6 @@ An example event for `alert` looks as following: | m365_defender.alert.web_url.query | | keyword | | m365_defender.alert.web_url.scheme | | keyword | | m365_defender.alert.web_url.username | | keyword | -| tags | User defined tags. | keyword | ### event 
@@ -573,100 +572,16 @@ This is the `event` dataset. | Target.process.executable.text | Multi-field of `Target.process.executable`. | text | | Target.process.name | Process name. Sometimes called program name or similar. | keyword | | Target.process.name.text | Multi-field of `Target.process.name`. | text | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | | cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | | data_stream.dataset | Data stream dataset. | constant_keyword | | data_stream.namespace | Data stream namespace. | constant_keyword | | data_stream.type | Data stream type. | constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.domain | The domain name of the destination system. 
This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| destination.geo.city_name | City name. | keyword | -| destination.geo.continent_name | Name of the continent. | keyword | -| destination.geo.country_iso_code | Country ISO code. | keyword | -| destination.geo.country_name | Country name. | keyword | -| destination.geo.location | Longitude and latitude. | geo_point | -| destination.geo.region_iso_code | Region ISO code. | keyword | -| destination.geo.region_name | Region name. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | | dll.Ext.size | Size of the dll executable. | long | -| dll.hash.md5 | MD5 hash. | keyword | -| dll.hash.sha1 | SHA1 hash. | keyword | -| dll.hash.sha256 | SHA256 hash. | keyword | -| dll.name | Name of the library. This generally maps to the name of the file on disk. | keyword | -| dll.path | Full file path of the library. | keyword | -| dns.answers | | object | -| dns.header_flags | Array of 2 letter DNS header flags. | keyword | -| dns.question.class | The class of records being queried. | keyword | -| dns.question.name | The name being queried. If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. | keyword | -| dns.question.type | The type of record being queried. | keyword | -| dns.response_code | The DNS response code. | keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| email.direction | The direction of the message based on the sending and receiving domains. | keyword | -| email.from.address | The email address of the sender, typically from the RFC 5322 `From:` header field. | keyword | -| email.local_id | Unique identifier given to the email by the source that created the event. Identifier is not persistent across hops. | keyword | -| email.message_id | Identifier from the RFC 5322 `Message-ID:` email header that refers to a particular email message. | wildcard | -| email.subject | A brief summary of the topic of the message. | keyword | -| email.subject.text | Multi-field of `email.subject`. | match_only_text | -| email.to.address | The email address of recipient | keyword | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. 
The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date | | event.dataset | Event dataset. | constant_keyword | -| event.id | Unique ID to describe the event. | keyword | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword | | event.module | Event module. | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. 
Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| event.provider | Source of the event. Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). | keyword | -| event.reference | Reference URL linking to additional information about this event. This URL links to a static definition of this event. Alert events, indicated by `event.kind:alert`, are a common use case for this field. | keyword | -| event.severity | The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. | long | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. 
This will allow proper categorization of some events that fall in multiple event types. | keyword | -| file.code_signature.exists | Boolean to capture if a signature is present. | boolean | -| file.code_signature.subject_name | Subject name of the code signer | keyword | -| file.code_signature.trusted | Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. | boolean | -| file.directory | Directory where the file is located. It should include the drive letter, when appropriate. | keyword | -| file.extension | File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | -| file.hash.md5 | MD5 hash. | keyword | -| file.hash.sha1 | SHA1 hash. | keyword | -| file.hash.sha256 | SHA256 hash. | keyword | -| file.name | Name of the file including the extension, without the directory. | keyword | -| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword | -| file.path.text | Multi-field of `file.path`. | match_only_text | -| file.size | File size in bytes. Only relevant when `file.type` is "file". | long | -| file.x509.issuer.common_name | List of common name (CN) of issuing certificate authority. | keyword | -| file.x509.not_after | Time at which the certificate is no longer considered valid. | date | -| file.x509.serial_number | Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. | keyword | -| host.architecture | Operating system architecture. | keyword | | host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. 
For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | host.os.build | OS build information. | keyword | | host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.full | Operating system name, including the version or code name. | keyword | -| host.os.full.text | Multi-field of `host.os.full`. | match_only_text | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | input.type | Input type | keyword | | log.offset | Log offset | long | | m365_defender.event.aad_device_id | Unique identifier for the device in Azure AD. | keyword | 
@@ -928,124 +843,14 @@ This is the `event` dataset. | m365_defender.event.user_level_policy | End-user mailbox policy that triggered the action taken on the email. | keyword | | m365_defender.event.vendor | Name of the product vendor or manufacturer, only available if device discovery finds enough information about this attribute. | keyword | | m365_defender.event.workload | The application from which the user clicked on the link, with the values being Email, Office and Teams. | keyword | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| network.direction | Direction of the network traffic. When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. 
| keyword | -| observer.version | Observer version. | keyword | | process.Ext.api.name | | keyword | | process.Ext.api.parameters.address | The target memory address. | long | | process.Ext.api.parameters.desired_access_numeric | This parameter indicates the numeric value of the `DesiredAccess` field passed to `OpenProcess` or `OpenThread`. | long | | process.Ext.api.parameters.protection | The memory protection for the region of pages. Corresponds to `MEMORY_BASIC_INFORMATION.Protect`. | keyword | | process.Ext.api.parameters.size | The size of parameter values passed to the API call. | long | | process.Ext.token.integrity_level_name | Integrity level that determine the levels of protection or access for a principal used by Mandatory Integrity Control (MIC). | keyword | -| process.args | Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information. | keyword | -| process.args_count | Length of the process.args array. This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. | long | -| process.code_signature.status | Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. | keyword | -| process.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard | -| process.command_line.text | Multi-field of `process.command_line`. | match_only_text | -| process.executable | Absolute path to the process executable. | keyword | -| process.executable.text | Multi-field of `process.executable`. | match_only_text | -| process.hash.md5 | MD5 hash. 
| keyword | -| process.hash.sha1 | SHA1 hash. | keyword | -| process.hash.sha256 | SHA256 hash. | keyword | -| process.name | Process name. Sometimes called program name or similar. | keyword | -| process.name.text | Multi-field of `process.name`. | match_only_text | -| process.parent.args | Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information. | keyword | -| process.parent.args_count | Length of the process.args array. This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. | long | -| process.parent.code_signature.exists | Boolean to capture if a signature is present. | boolean | -| process.parent.code_signature.status | Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. | keyword | -| process.parent.code_signature.trusted | Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. | boolean | -| process.parent.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard | -| process.parent.command_line.text | Multi-field of `process.parent.command_line`. | match_only_text | -| process.parent.executable | Absolute path to the process executable. | keyword | -| process.parent.executable.text | Multi-field of `process.parent.executable`. | match_only_text | | process.parent.group_leader.name | | keyword | -| process.parent.group_leader.pid | Process id. 
| long | -| process.parent.group_leader.start | The time the process started. | date | -| process.parent.hash.md5 | MD5 hash. | keyword | -| process.parent.hash.sha1 | SHA1 hash. | keyword | -| process.parent.hash.sha256 | SHA256 hash. | keyword | -| process.parent.name | Process name. Sometimes called program name or similar. | keyword | -| process.parent.name.text | Multi-field of `process.parent.name`. | match_only_text | -| process.parent.pe.company | Internal company name of the file, provided at compile-time. | keyword | -| process.parent.pe.description | Internal description of the file, provided at compile-time. | keyword | -| process.parent.pe.file_version | Internal version of the file, provided at compile-time. | keyword | -| process.parent.pe.original_file_name | Internal name of the file, provided at compile-time. | keyword | -| process.parent.pe.product | Internal product name of the file, provided at compile-time. | keyword | -| process.parent.pid | Process id. | long | -| process.parent.start | The time the process started. | date | -| process.pe.company | Internal company name of the file, provided at compile-time. | keyword | -| process.pe.description | Internal description of the file, provided at compile-time. | keyword | -| process.pe.file_version | Internal version of the file, provided at compile-time. | keyword | -| process.pe.original_file_name | Internal name of the file, provided at compile-time. | keyword | -| process.pe.product | Internal product name of the file, provided at compile-time. | keyword | -| process.pid | Process id. | long | -| process.start | The time the process started. | date | -| registry.data.strings | Content when writing string types. Populated as an array when writing string data to the registry. For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. For sequences of string with REG_MULTI_SZ, this array will be variable length. 
For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g `"1"`). | wildcard | -| registry.data.type | Standard registry type for encoding contents | keyword | -| registry.hive | Abbreviated name for the hive. | keyword | -| registry.key | Hive-relative path of keys. | keyword | -| registry.path | Full path, including hive, key and value | keyword | -| registry.value | Name of the value written. | keyword | -| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| source.user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | -| source.user.id | Unique identifier of the user. 
| keyword | -| source.user.name | Short name or login of the user. | keyword | -| source.user.name.text | Multi-field of `source.user.name`. | match_only_text | -| tags | List of keywords used to tag each event. | keyword | -| threat.group.name | The name of the group for a set of related intrusion activity that are tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® group name. | keyword | -| threat.indicator.file.directory | Directory where the file is located. It should include the drive letter, when appropriate. | keyword | -| threat.indicator.file.hash.sha1 | SHA1 hash. | keyword | -| threat.indicator.file.hash.sha256 | SHA256 hash. | keyword | -| threat.indicator.file.name | Name of the file including the extension, without the directory. | keyword | -| threat.indicator.file.size | File size in bytes. Only relevant when `file.type` is "file". | long | -| threat.indicator.registry.data.strings | Content when writing string types. Populated as an array when writing string data to the registry. For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. For sequences of string with REG_MULTI_SZ, this array will be variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g `"1"`). | wildcard | -| threat.indicator.registry.key | Hive-relative path of keys. | keyword | -| threat.indicator.registry.value | Name of the value written. | keyword | -| threat.indicator.type | Type of indicator as represented by Cyber Observable in STIX 2.0. | keyword | -| threat.technique.subtechnique.id | The full id of subtechnique used by this threat. You can use a MITRE ATT&CK® subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/) | keyword | -| threat.technique.subtechnique.name | The name of subtechnique used by this threat. You can use a MITRE ATT&CK® subtechnique, for example. (ex. 
https://attack.mitre.org/techniques/T1059/001/) | keyword | -| threat.technique.subtechnique.name.text | Multi-field of `threat.technique.subtechnique.name`. | match_only_text | -| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | -| url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | -| url.fragment | Portion of the url after the `#`, such as "top". The `#` is not part of the fragment. | keyword | -| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | -| url.original.text | Multi-field of `url.original`. | match_only_text | -| url.password | Password of the request. | keyword | -| url.path | Path of the request, such as "/search". | wildcard | -| url.port | Port of the request, such as 443. | long | -| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. 
| keyword | -| url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword | | url.user_info | | keyword | -| url.username | Username of the request. | keyword | -| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | -| user.id | Unique identifier of the user. | keyword | -| user.name | Short name or login of the user. | keyword | -| user.name.text | Multi-field of `user.name`. | match_only_text | -| user_agent.device.name | Name of the device. | keyword | -| user_agent.name | Name of the user agent. | keyword | -| user_agent.original | Unparsed user_agent string. | keyword | -| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text | -| user_agent.os.full | Operating system name, including the version or code name. | keyword | -| user_agent.os.full.text | Multi-field of `user_agent.os.full`. | match_only_text | -| user_agent.os.name | Operating system name, without the version. | keyword | -| user_agent.os.name.text | Multi-field of `user_agent.os.name`. | match_only_text | -| user_agent.os.version | Operating system version as a raw string. | keyword | -| user_agent.version | Version of the user agent. | keyword | ### incident 
@@ -1394,66 +1199,15 @@ An example event for `incident` looks as following: | Field | Description | Type | |---|---|---| | @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | | cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | | data_stream.dataset | Data stream dataset. | constant_keyword | | data_stream.namespace | Data stream namespace. | constant_keyword | | data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| email.delivery_timestamp | The date and time when the email message was received by the service or client. | date | -| email.direction | The direction of the message based on the sending and receiving domains. 
| keyword | -| email.from.address | The email address of the sender, typically from the RFC 5322 `From:` header field. | keyword | -| email.subject | A brief summary of the topic of the message. | keyword | -| email.subject.text | Multi-field of `email.subject`. | match_only_text | -| email.to.address | The email address of recipient | keyword | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date | | event.dataset | Event dataset. | constant_keyword | -| event.id | Unique ID to describe the event. | keyword | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. 
`event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword | | event.module | Event module. | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.provider | Source of the event. Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). | keyword | -| event.severity | The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. 
| long | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| event.url | URL linking to an external system to continue investigation of this event. This URL links to another system where in-depth investigation of the specific occurrence of this event can take place. Alert events, indicated by `event.kind:alert`, are a common use case for this field. | keyword | -| file.hash.sha1 | SHA1 hash. | keyword | -| file.hash.sha256 | SHA256 hash. | keyword | -| file.name | Name of the file including the extension, without the directory. | keyword | -| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword | -| file.path.text | Multi-field of `file.path`. | match_only_text | -| file.size | File size in bytes. Only relevant when `file.type` is "file". | long | -| group.id | Unique identifier for the group on the system/platform. | keyword | -| group.name | Name of the group. | keyword | -| host.architecture | Operating system architecture. | keyword | | host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. 
Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | host.os.build | OS build information. | keyword | | host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | input.type | Input type | keyword | | log.offset | Log offset | long | | m365_defender.incident.alert.actor_display_name | The adversary or activity group that is associated with this alert. | keyword | 
@@ -1643,39 +1397,6 @@ An example event for `incident` looks as following: | m365_defender.incident.web_url.query | | keyword | | m365_defender.incident.web_url.scheme | | keyword | | m365_defender.incident.web_url.username | | keyword | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| process.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard | -| process.command_line.text | Multi-field of `process.command_line`. | match_only_text | -| process.hash.sha1 | SHA1 hash. | keyword | -| process.hash.sha256 | SHA256 hash. | keyword | -| process.parent.hash.sha1 | SHA1 hash. | keyword | -| process.parent.hash.sha256 | SHA256 hash. | keyword | -| process.parent.pid | Process id. | long | -| process.parent.start | The time the process started. | date | -| process.pid | Process id. | long | -| process.start | The time the process started. | date | -| process.user.id | Unique identifier of the user. | keyword | -| process.user.name | Short name or login of the user. | keyword | -| process.user.name.text | Multi-field of `process.user.name`. | match_only_text | -| registry.data.type | Standard registry type for encoding contents | keyword | -| registry.hive | Abbreviated name for the hive. | keyword | -| registry.key | Hive-relative path of keys. | keyword | -| registry.value | Name of the value written. | keyword | -| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). 
| keyword | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.user.name | Short name or login of the user. | keyword | -| source.user.name.text | Multi-field of `source.user.name`. | match_only_text | -| tags | List of keywords used to tag each event. | keyword | -| threat.group.name | The name of the group for a set of related intrusion activity that are tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® group name. | keyword | -| threat.tactic.name | Name of the type of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/) | keyword | -| threat.technique.subtechnique.id | The full id of subtechnique used by this threat. You can use a MITRE ATT&CK® subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/) | keyword | -| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | -| user.id | Unique identifier of the user. | keyword | -| user.name | Short name or login of the user. | keyword | -| user.name.text | Multi-field of `user.name`. | match_only_text | ### log 
@@ -1803,59 +1524,15 @@ An example event for `log` looks as following: | Field | Description | Type | |---|---|---| | @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | | cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | | data_stream.dataset | Data stream dataset. | constant_keyword | | data_stream.namespace | Data stream namespace. | constant_keyword | | data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.message | Error message. | match_only_text | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. 
The value is normally defined by the implementer. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date | | event.dataset | Event dataset | constant_keyword | -| event.end | `event.end` contains the date when the event ended or when the activity was last observed. | date | -| event.id | Unique ID to describe the event. | keyword | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. 
They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword | | event.module | Event module | constant_keyword | -| event.provider | Source of the event. Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). | keyword | -| event.severity | The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. | long | -| event.start | `event.start` contains the date when the event started or when the activity was first observed. | date | -| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. 
This will allow proper categorization of some events that fall in multiple event types. | keyword | -| file.hash.sha1 | SHA1 hash. | keyword | -| file.hash.sha256 | SHA256 hash. | keyword | -| file.name | Name of the file including the extension, without the directory. | keyword | -| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword | -| file.path.text | Multi-field of `file.path`. | match_only_text | -| host.architecture | Operating system architecture. | keyword | | host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | host.os.build | OS build information. | keyword | | host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). 
| keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | input.type | Input type | keyword | | log.offset | Log offset | long | | m365_defender.alerts.actorName | The activity group, if any, the associated with this alert. | keyword | 
@@ -1908,37 +1585,4 @@ An example event for `log` looks as following: | m365_defender.redirectIncidentId | Only populated in case an incident is being grouped together with another incident, as part of the incident processing logic. | keyword | | m365_defender.status | Specifies the current status of the alert. Possible values are: 'Unknown', 'New', 'InProgress' and 'Resolved'. | keyword | | m365_defender.tags | Array of custom tags associated with an incident, for example to flag a group of incidents with a common characteristic. | keyword | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| observer.name | Custom name of the observer. This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. If no custom name is needed, the field can be left empty. | keyword | -| observer.product | The product name of the observer. | keyword | -| observer.vendor | Vendor name of the observer. | keyword | -| process.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard | -| process.command_line.text | Multi-field of `process.command_line`. | match_only_text | -| process.parent.pid | Process id. | long | -| process.parent.start | The time the process started. | date | -| process.pid | Process id. | long | -| process.start | The time the process started. | date | -| related.hash | All the hashes seen on your event. 
Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| rule.description | The description of the rule generating the event. | keyword | -| tags | List of keywords used to tag each event. | keyword | -| threat.framework | Name of the threat framework used to further categorize and classify the tactic and technique of the reported threat. Framework classification can be provided by detecting systems, evaluated at ingest time, or retrospectively tagged to events. | keyword | -| threat.technique.name | The name of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) | keyword | -| threat.technique.name.text | Multi-field of `threat.technique.name`. | match_only_text | -| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | -| url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". 
Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword |
-| url.full | If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. | wildcard |
-| url.full.text | Multi-field of `url.full`. | match_only_text |
-| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard |
-| url.original.text | Multi-field of `url.original`. | match_only_text |
-| url.path | Path of the request, such as "/search". | wildcard |
-| url.port | Port of the request, such as 443. | long |
-| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword |
-| url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword |
-| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
-| user.id | Unique identifier of the user. | keyword |
-| user.name | Short name or login of the user. | keyword |
-| user.name.text | Multi-field of `user.name`. | match_only_text |
diff --git a/packages/m365_defender/manifest.yml b/packages/m365_defender/manifest.yml
index d96266b8594..34ac3273997 100644
--- a/packages/m365_defender/manifest.yml
+++ b/packages/m365_defender/manifest.yml
@@ -1,7 +1,7 @@
 format_version: "3.0.2"
 name: m365_defender
 title: Microsoft M365 Defender
-version: "2.12.0"
+version: "2.13.0"
 description: Collect logs from Microsoft M365 Defender with Elastic Agent.
 categories:
 - "security"
@@ -11,7 +11,7 @@ conditions:
 elastic:
 subscription: basic
 kibana:
- version: ^8.12.0
+ version: "^8.13.0"
 policy_templates:
 - name: m365_defender
 title: M365 Defender Logs
diff --git a/packages/mattermost/changelog.yml b/packages/mattermost/changelog.yml
index 9907ceedc28..8c39390a0fb 100644
--- a/packages/mattermost/changelog.yml
+++ b/packages/mattermost/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "2.1.0"
+ changes:
+ - description: Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/10135
 - version: "2.0.1"
 changes:
 - description: Fix sample event.
diff --git a/packages/mattermost/data_stream/audit/fields/agent.yml b/packages/mattermost/data_stream/audit/fields/agent.yml
index da4e652c53b..2bc58530bac 100644
--- a/packages/mattermost/data_stream/audit/fields/agent.yml
+++ b/packages/mattermost/data_stream/audit/fields/agent.yml
@@ -5,180 +5,15 @@ footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' type: group fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - name: image.id type: keyword description: Image ID for the cloud instance. -- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. 
- - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. - name: host title: Host group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' type: group fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. 
- - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - name: containerized type: boolean description: > diff --git a/packages/mattermost/data_stream/audit/fields/beats.yml b/packages/mattermost/data_stream/audit/fields/beats.yml index cb44bb29442..96190255552 100644 
--- a/packages/mattermost/data_stream/audit/fields/beats.yml +++ b/packages/mattermost/data_stream/audit/fields/beats.yml @@ -7,6 +7,3 @@ - name: log.offset type: long description: Offset of the entry in the log file. -- name: log.file.path - type: keyword - description: Path to the log file. diff --git a/packages/mattermost/data_stream/audit/fields/ecs.yml b/packages/mattermost/data_stream/audit/fields/ecs.yml deleted file mode 100644 index 4ef73c50eee..00000000000 --- a/packages/mattermost/data_stream/audit/fields/ecs.yml +++ /dev/null 
@@ -1,74 +0,0 @@ -- name: user_agent.device.name - external: ecs -- name: user_agent.name - external: ecs -- name: user_agent.original - external: ecs -- name: user_agent.os.name - external: ecs -- name: user_agent.os.version - external: ecs -- name: user_agent.os.full - external: ecs -- name: user_agent.version - external: ecs -- name: url.path - external: ecs -- name: url.original - external: ecs -- name: source.address - external: ecs -- name: source.as.number - external: ecs -- name: source.as.organization.name - external: ecs -- name: source.bytes - external: ecs -- name: source.geo.city_name - external: ecs -- name: source.geo.continent_name - external: ecs -- name: source.geo.country_iso_code - external: ecs -- name: source.geo.country_name - external: ecs -- name: source.geo.location - external: ecs -- name: source.geo.name - external: ecs -- name: source.geo.region_iso_code - external: ecs -- name: source.geo.region_name - external: ecs -- name: source.ip - external: ecs -- name: tags - external: ecs -- name: ecs.version - external: ecs -- name: error.code - external: ecs -- name: group.id - external: ecs -- name: group.name - external: ecs -- name: http.response.status_code - external: ecs -- name: user.id - external: ecs -- name: user.target.id - external: ecs -- name: user.target.name - external: ecs -- name: user.target.roles - external: ecs -- name: user.target.group.id - external: ecs -- name: user.target.group.name - external: ecs -- name: user.changes.name - external: ecs -- name: related.user - external: ecs -- name: related.ip - external: ecs diff --git a/packages/mattermost/docs/README.md b/packages/mattermost/docs/README.md index 3f6ad1ba484..c0c2d19fc21 100644 --- a/packages/mattermost/docs/README.md +++ b/packages/mattermost/docs/README.md 
@@ -15,48 +15,16 @@ All access to the Mattermost REST API or CLI is audited. | Field | Description | Type | |---|---|---| | @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | | cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | | data_stream.dataset | Data stream dataset name. | constant_keyword | | data_stream.namespace | Data stream namespace. | constant_keyword | | data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.code | Error code describing the error. | keyword | | event.dataset | Event dataset | constant_keyword | | event.module | Event module | constant_keyword | -| group.id | Unique identifier for the group on the system/platform. 
| keyword | -| group.name | Name of the group. | keyword | -| host.architecture | Operating system architecture. | keyword | | host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | host.os.build | OS build information. | keyword | | host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| http.response.status_code | HTTP response status code. | long | | input.type | Type of Filebeat input. | keyword | -| log.file.path | Path to the log file. 
| keyword | | log.flags | Flags for the log file. | keyword | | log.offset | Offset of the entry in the log file. | long | | mattermost.audit.api_path | REST API endpoint | keyword | 
@@ -79,45 +47,6 @@ All access to the Mattermost REST API or CLI is audited. | mattermost.audit.team.id | ID of affected team | keyword | | mattermost.audit.team.name | Name of affected team | keyword | | mattermost.audit.team.type | Type of affected team | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| tags | List of keywords used to tag each event. 
| keyword | -| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | -| url.original.text | Multi-field of `url.original`. | match_only_text | -| url.path | Path of the request, such as "/search". | wildcard | -| user.changes.name | Short name or login of the user. | keyword | -| user.changes.name.text | Multi-field of `user.changes.name`. | match_only_text | -| user.id | Unique identifier of the user. | keyword | -| user.target.group.id | Unique identifier for the group on the system/platform. | keyword | -| user.target.group.name | Name of the group. | keyword | -| user.target.id | Unique identifier of the user. | keyword | -| user.target.name | Short name or login of the user. | keyword | -| user.target.name.text | Multi-field of `user.target.name`. | match_only_text | -| user.target.roles | Array of user roles at the time of the event. | keyword | -| user_agent.device.name | Name of the device. | keyword | -| user_agent.name | Name of the user agent. | keyword | -| user_agent.original | Unparsed user_agent string. | keyword | -| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text | -| user_agent.os.full | Operating system name, including the version or code name. | keyword | -| user_agent.os.full.text | Multi-field of `user_agent.os.full`. | match_only_text | -| user_agent.os.name | Operating system name, without the version. | keyword | -| user_agent.os.name.text | Multi-field of `user_agent.os.name`. | match_only_text | -| user_agent.os.version | Operating system version as a raw string. | keyword | -| user_agent.version | Version of the user agent. | keyword | An example event for `audit` looks as following: 
diff --git a/packages/mattermost/manifest.yml b/packages/mattermost/manifest.yml index dca2dafcc41..d556d7c21c2 100644 --- a/packages/mattermost/manifest.yml +++ b/packages/mattermost/manifest.yml @@ -1,7 +1,7 @@ format_version: "3.0.3" name: mattermost title: "Mattermost" -version: "2.0.1" +version: "2.1.0" description: Collect logs from Mattermost with Elastic Agent. type: integration categories: @@ -9,7 +9,7 @@ categories: - productivity_security conditions: kibana: - version: "^7.16.0 || ^8.0.0" + version: "^8.13.0" icons: - src: /img/mattermost-logo.svg title: Mattermost logo diff --git a/packages/menlo/changelog.yml b/packages/menlo/changelog.yml index 62c94d03acb..423c79404a2 100644 --- a/packages/menlo/changelog.yml +++ b/packages/menlo/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.1.0" + changes: + - description: Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template. + type: enhancement + link: https://github.com/elastic/integrations/pull/10135 - version: "1.0.0" changes: - description: Release package as GA. diff --git a/packages/menlo/data_stream/dlp/fields/agent.yml b/packages/menlo/data_stream/dlp/fields/agent.yml index 98d2f9f38d5..894e6f12be2 100644 --- a/packages/menlo/data_stream/dlp/fields/agent.yml +++ b/packages/menlo/data_stream/dlp/fields/agent.yml 
@@ -5,153 +5,15 @@ footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' type: group fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - name: image.id type: keyword description: Image ID for the cloud instance. -- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. 
These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. - name: host title: Host group: 2 description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' type: group fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`.' - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' 
- - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - name: containerized type: boolean description: > diff --git a/packages/menlo/data_stream/dlp/fields/ecs.yml b/packages/menlo/data_stream/dlp/fields/ecs.yml deleted file mode 100644 index bc427b45597..00000000000 --- a/packages/menlo/data_stream/dlp/fields/ecs.yml +++ /dev/null 
@@ -1,54 +0,0 @@ -- external: ecs - name: ecs.version -- external: ecs - name: event.category -- external: ecs - name: event.created -- external: ecs - name: event.kind -- external: ecs - name: event.action -- external: ecs - name: event.id -- external: ecs - name: event.original -- external: ecs - name: event.outcome -- external: ecs - name: event.severity -- external: ecs - name: file.hash.sha256 -- external: ecs - name: file.name -- external: ecs - name: http.request.method -- external: ecs - name: observer.product -- external: ecs - name: observer.vendor -- external: ecs - name: observer.version -- external: ecs - name: related.user -- external: ecs - name: related.hash -- external: ecs - name: rule.id -- external: ecs - name: rule.name -- external: ecs - name: tags -- external: ecs - name: url.domain -- external: ecs - name: url.original -- external: ecs - name: url.path -- external: ecs - name: url.registered_domain -- external: ecs - name: url.scheme -- external: ecs - name: url.top_level_domain -- external: ecs - name: user.name diff --git a/packages/menlo/data_stream/web/fields/agent.yml b/packages/menlo/data_stream/web/fields/agent.yml index 98d2f9f38d5..894e6f12be2 100644 --- a/packages/menlo/data_stream/web/fields/agent.yml +++ b/packages/menlo/data_stream/web/fields/agent.yml 
@@ -5,153 +5,15 @@ footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' type: group fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - name: image.id type: keyword description: Image ID for the cloud instance. -- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. 
These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. - name: host title: Host group: 2 description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' type: group fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`.' - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' 
- - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - name: containerized type: boolean description: > diff --git a/packages/menlo/data_stream/web/fields/ecs.yml b/packages/menlo/data_stream/web/fields/ecs.yml deleted file mode 100644 index 675463fef80..00000000000 --- a/packages/menlo/data_stream/web/fields/ecs.yml +++ /dev/null 
@@ -1,104 +0,0 @@ -- external: ecs - name: ecs.version -- external: ecs - name: event.category -- external: ecs - name: event.created -- external: ecs - name: event.type -- external: ecs - name: destination.domain -- external: ecs - name: error.message -- external: ecs - name: event.id -- external: ecs - name: event.kind -- external: ecs - name: event.original -- external: ecs - name: event.outcome -- external: ecs - name: event.reason -- external: ecs - name: event.severity -- external: ecs - name: dns.answers.data -- external: ecs - name: destination.geo.country_iso_code -- external: ecs - name: destination.ip -- external: ecs - name: client.geo.country_iso_code -- external: ecs - name: client.ip -- external: ecs - name: network.protocol -- external: ecs - name: observer.geo.country_iso_code -- external: ecs - name: observer.ip -- external: ecs - name: observer.product -- external: ecs - name: observer.vendor -- external: ecs - name: observer.version -- external: ecs - name: related.ip -- external: ecs - name: related.user -- external: ecs - name: related.hash -- external: ecs - name: file.name -- external: ecs - name: http.request.method -- external: ecs - name: http.request.mime_type -- external: ecs - name: http.request.referrer -- external: ecs - name: http.response.status_code -- external: ecs - name: message -- external: ecs - name: source.geo.country_iso_code -- external: ecs - name: source.ip -- external: ecs - name: server.geo.country_iso_code -- external: ecs - name: server.ip -- external: ecs - name: tags -- external: ecs - name: url.domain -- external: ecs - name: url.registered_domain -- external: ecs - name: url.top_level_domain -- external: ecs - name: url.original -- external: ecs - name: url.path -- external: ecs - name: url.scheme -- external: ecs - name: url.subdomain -- external: ecs - name: user.name -- external: ecs - name: user_agent.device.name -- external: ecs - name: user_agent.name -- external: ecs - name: user_agent.original -- 
external: ecs - name: user_agent.os.full -- external: ecs - name: user_agent.os.name -- external: ecs - name: user_agent.os.version -- external: ecs - name: user_agent.version diff --git a/packages/menlo/docs/README.md b/packages/menlo/docs/README.md index e9189d2250d..870e68000e5 100644 --- a/packages/menlo/docs/README.md +++ b/packages/menlo/docs/README.md 
@@ -192,61 +192,15 @@ An example event for `web` looks as following:
 | Field | Description | Type |
 |---|---|---|
 | @timestamp | Event timestamp. | date |
-| client.geo.country_iso_code | Country ISO code. | keyword |
-| client.ip | IP address of the client (IPv4 or IPv6). | ip |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
 | cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
 | data_stream.dataset | Data stream dataset. | constant_keyword |
 | data_stream.namespace | Data stream namespace. | constant_keyword |
 | data_stream.type | Data stream type. | constant_keyword |
-| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
-| destination.geo.country_iso_code | Country ISO code. | keyword |
-| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
-| dns.answers.data | The data describing the resource. The meaning of this data depends on the type and class of the resource record. | keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| error.message | Error message. | match_only_text |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date |
 | event.dataset | Event dataset. | constant_keyword |
-| event.id | Unique ID to describe the event. | keyword |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword |
 | event.module | Event module. | constant_keyword |
-| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
-| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword |
-| event.reason | Reason why this event happened, according to the source. This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). | keyword |
-| event.severity | The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. | long |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| file.name | Name of the file including the extension, without the directory. | keyword |
-| host.architecture | Operating system architecture. | keyword |
 | host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
 | host.os.build | OS build information. | keyword |
 | host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword |
-| http.request.mime_type | Mime type of the body of the request. This value must only be populated based on the content of the request body, not on the `Content-Type` header. Comparing the mime type of a request with the request's Content-Type header can be helpful in detecting threats or misconfigured clients. | keyword |
-| http.request.referrer | Referrer for this HTTP request. | keyword |
-| http.response.status_code | HTTP response status code. | long |
 | input.type | Input type | keyword |
 | log.offset | Log offset | long |
 | menlo.web.cached | Indicates whether the resource was obtained from the isolated browser’s cache (True) or by downloading from the origin server (False) | boolean |
@@ -274,41 +228,6 @@ An example event for `web` looks as following:
 | menlo.web.ua_type | The type of user agent | keyword |
 | menlo.web.virus_details | Virus detail | keyword |
 | menlo.web.xff_ip | X-Forwarded-For HTTP header field originating client IP address | keyword |
-| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text |
-| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword |
-| observer.geo.country_iso_code | Country ISO code. | keyword |
-| observer.ip | IP addresses of the observer. | ip |
-| observer.product | The product name of the observer. | keyword |
-| observer.vendor | Vendor name of the observer. | keyword |
-| observer.version | Observer version. | keyword |
-| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| related.user | All the user names or other user identifiers seen on the event. | keyword |
-| server.geo.country_iso_code | Country ISO code. | keyword |
-| server.ip | IP address of the server (IPv4 or IPv6). | ip |
-| source.geo.country_iso_code | Country ISO code. | keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| tags | List of keywords used to tag each event. | keyword |
-| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword |
-| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard |
-| url.original.text | Multi-field of `url.original`. | match_only_text |
-| url.path | Path of the request, such as "/search". | wildcard |
-| url.registered_domain | The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
-| url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword |
-| url.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword |
-| url.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
-| user.name | Short name or login of the user. | keyword |
-| user.name.text | Multi-field of `user.name`. | match_only_text |
-| user_agent.device.name | Name of the device. | keyword |
-| user_agent.name | Name of the user agent. | keyword |
-| user_agent.original | Unparsed user_agent string. | keyword |
-| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text |
-| user_agent.os.full | Operating system name, including the version or code name. | keyword |
-| user_agent.os.full.text | Multi-field of `user_agent.os.full`. | match_only_text |
-| user_agent.os.name | Operating system name, without the version. | keyword |
-| user_agent.os.name.text | Multi-field of `user_agent.os.name`. | match_only_text |
-| user_agent.os.version | Operating system version as a raw string. | keyword |
-| user_agent.version | Version of the user agent. | keyword |
 ### DLP
@@ -425,51 +344,15 @@ An example event for `dlp` looks as following:
 | Field | Description | Type |
 |---|---|---|
 | @timestamp | Event timestamp. | date |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
 | cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
 | data_stream.dataset | Data stream dataset. | constant_keyword |
 | data_stream.namespace | Data stream namespace. | constant_keyword |
 | data_stream.type | Data stream type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date |
 | event.dataset | Event dataset. | constant_keyword |
-| event.id | Unique ID to describe the event. | keyword |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword |
 | event.module | Event module. | constant_keyword |
-| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
-| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword |
-| event.severity | The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. | long |
-| file.hash.sha256 | SHA256 hash. | keyword |
-| file.name | Name of the file including the extension, without the directory. | keyword |
-| host.architecture | Operating system architecture. | keyword |
 | host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
 | host.os.build | OS build information. | keyword |
 | host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword |
 | input.type | Input type | keyword |
 | log.offset | Log offset | long |
 | menlo.dlp.alerted | Whether or not an email alert was sent to a DLP Auditor profile | boolean |
@@ -480,21 +363,4 @@ An example event for `dlp` looks as following:
 | menlo.dlp.status | Result from the DLP engine | keyword |
 | menlo.dlp.stream_name | Internal name used for the file (usually working_file) or text stream (uid) | keyword |
 | menlo.dlp.user_input | Whether or not this event was generated as a result of user form input | boolean |
-| observer.product | The product name of the observer. | keyword |
-| observer.vendor | Vendor name of the observer. | keyword |
-| observer.version | Observer version. | keyword |
-| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword |
-| related.user | All the user names or other user identifiers seen on the event. | keyword |
-| rule.id | A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. | keyword |
-| rule.name | The name of the rule or signature generating the event. | keyword |
-| tags | List of keywords used to tag each event. | keyword |
-| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword |
-| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard |
-| url.original.text | Multi-field of `url.original`. | match_only_text |
-| url.path | Path of the request, such as "/search". 
| wildcard | -| url.registered_domain | The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword | -| url.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| user.name | Short name or login of the user. | keyword | -| user.name.text | Multi-field of `user.name`. | match_only_text | diff --git a/packages/menlo/manifest.yml b/packages/menlo/manifest.yml index 3bfc6efca3d..e93da73be5a 100644 --- a/packages/menlo/manifest.yml +++ b/packages/menlo/manifest.yml @@ -1,7 +1,7 @@ format_version: "3.0.2" name: menlo title: "Menlo Security" -version: 1.0.0 +version: "1.1.0" source: license: "Elastic-2.0" description: "Collect logs from Menlo Security products with Elastic Agent" diff --git a/packages/microsoft_defender_cloud/_dev/build/build.yml b/packages/microsoft_defender_cloud/_dev/build/build.yml index 71f48ba2a9c..2bfcfc223b0 100644 --- a/packages/microsoft_defender_cloud/_dev/build/build.yml +++ b/packages/microsoft_defender_cloud/_dev/build/build.yml @@ -1,4 +1,3 @@ dependencies: ecs: reference: "git@v8.11.0" - import_mappings: true diff --git a/packages/microsoft_defender_cloud/changelog.yml b/packages/microsoft_defender_cloud/changelog.yml index e38d7b2042b..0c541b0cec0 100644 
--- a/packages/microsoft_defender_cloud/changelog.yml +++ b/packages/microsoft_defender_cloud/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.2.0" + changes: + - description: Removed import_mappings. Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template. + type: enhancement + link: https://github.com/elastic/integrations/pull/10135 - version: "1.1.2" changes: - description: Fix name canonicalization routines. diff --git a/packages/microsoft_defender_cloud/data_stream/event/fields/beats.yml b/packages/microsoft_defender_cloud/data_stream/event/fields/beats.yml index 2d5ae254634..d5fd38748ba 100644 --- a/packages/microsoft_defender_cloud/data_stream/event/fields/beats.yml +++ b/packages/microsoft_defender_cloud/data_stream/event/fields/beats.yml @@ -4,6 +4,3 @@ - name: log.offset type: long description: Log offset. -- name: tags - type: keyword - description: User defined tags. diff --git a/packages/microsoft_defender_cloud/docs/README.md b/packages/microsoft_defender_cloud/docs/README.md index 28c460ada13..af4046f448a 100644 --- a/packages/microsoft_defender_cloud/docs/README.md +++ b/packages/microsoft_defender_cloud/docs/README.md @@ -294,5 +294,4 @@ This is the `Event` dataset. | microsoft_defender_cloud.event.workspace.id | | keyword | | microsoft_defender_cloud.event.workspace.resource_group | | keyword | | microsoft_defender_cloud.event.workspace.subscription_id | | keyword | -| tags | User defined tags. | keyword | diff --git a/packages/microsoft_defender_cloud/manifest.yml b/packages/microsoft_defender_cloud/manifest.yml index 0e3033531da..4eee3715cce 100644 --- a/packages/microsoft_defender_cloud/manifest.yml +++ b/packages/microsoft_defender_cloud/manifest.yml 
@@ -1,7 +1,7 @@ format_version: "3.0.2" name: microsoft_defender_cloud title: Microsoft Defender for Cloud -version: "1.1.2" +version: "1.2.0" description: Collect logs from Microsoft Defender for Cloud with Elastic Agent. type: integration categories: @@ -9,7 +9,7 @@ categories: - cloudsecurity_cdr conditions: kibana: - version: ^8.12.0 + version: "^8.13.0" elastic: subscription: basic screenshots: diff --git a/packages/microsoft_defender_endpoint/changelog.yml b/packages/microsoft_defender_endpoint/changelog.yml index f8314cd2924..f8335597db2 100644 --- a/packages/microsoft_defender_endpoint/changelog.yml +++ b/packages/microsoft_defender_endpoint/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "2.25.0" + changes: + - description: Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template. + type: enhancement + link: https://github.com/elastic/integrations/pull/10135 - version: "2.24.2" changes: - description: Fix bug handling message field when events are received from Logstash with `ecs_compatibility` turned on. diff --git a/packages/microsoft_defender_endpoint/data_stream/log/fields/agent.yml b/packages/microsoft_defender_endpoint/data_stream/log/fields/agent.yml index e313ec82874..48f513b61aa 100644 --- a/packages/microsoft_defender_endpoint/data_stream/log/fields/agent.yml +++ b/packages/microsoft_defender_endpoint/data_stream/log/fields/agent.yml 
@@ -5,180 +5,15 @@
 footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
 type: group
 fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
-
- Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
 - name: image.id
 type: keyword
 description: Image ID for the cloud instance.
-- name: container
- title: Container
- group: 2
- description: 'Container fields are used for meta information about the specific container that is the source of information.
-
- These fields help correlate data based containers from any runtime.'
- type: group
- fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container id.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
 - name: host
 title: Host
 group: 2
- description: 'A host is defined as a general computing instance.
-
- ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
+ description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
 type: group
 fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'Name of the domain of which the host is a member.
-
- For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
- example: CONTOSO
- default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host.
-
- It normally contains what the `hostname` command returns on the host machine.'
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Unique host id.
-
- As hostname is not always unique, use values that are meaningful in your environment.
-
- Example: The current usage of `beat.name`.'
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host.
-
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Type of host.
-
- For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
 - name: containerized
 type: boolean
 description: >
diff --git a/packages/microsoft_defender_endpoint/data_stream/log/fields/ecs.yml b/packages/microsoft_defender_endpoint/data_stream/log/fields/ecs.yml
deleted file mode 100644
index 6f8b6071989..00000000000
--- a/packages/microsoft_defender_endpoint/data_stream/log/fields/ecs.yml
+++ /dev/null
@@ -1,92 +0,0 @@
-- external: ecs
- name: container.image.tag
-- external: ecs
- name: container.runtime
-- external: ecs
- name: ecs.version
-- external: ecs
- name: error.message
-- external: ecs
- name: event.action
-- external: ecs
- name: event.category
-- external: ecs
- name: event.created
-- external: ecs
- name: event.duration
-- external: ecs
- name: event.end
-- external: ecs
- name: event.id
-- external: ecs
- name: event.ingested
-- external: ecs
- name: event.kind
-- external: ecs
- name: event.provider
-- external: ecs
- name: event.severity
-- external: ecs
- name: event.start
-- external: ecs
- name: event.type
-- external: ecs
- name: file.extension
-- external: ecs
- name: file.hash.md5
-- external: ecs
- name: file.hash.sha1
-- external: ecs
- name: file.hash.sha256
-- external: ecs
- name: file.hash.sha512
-- external: ecs
- name: file.name
-- external: ecs
- name: file.path
-- external: ecs
- name: log.file.path
-- external: ecs
- name: log.logger
-- external: ecs
- name: message
-- external: ecs
- name: observer.name
-- external: ecs
- name: observer.product
-- external: ecs
- name: observer.type
-- external: ecs
- name: observer.vendor
-- external: ecs
- name: process.command_line
-- external: ecs
- name: process.parent.pid
-- external: ecs
- name: process.parent.start
-- external: ecs
- name: process.pid
-- external: ecs
- name: process.start
-- external: ecs
- name: related.hash
-- external: ecs
- name: related.hosts
-- external: ecs
- name: related.ip
-- external: ecs
- name: related.user
-- external: ecs
- name: rule.description
-- external: ecs
- name: tags
-- external: ecs
- name: threat.framework
-- external: ecs
- name: threat.technique.name
-- external: ecs
- name: user.domain
-- external: ecs
- name: user.id
-- external: ecs
- name: user.name
diff --git a/packages/microsoft_defender_endpoint/docs/README.md b/packages/microsoft_defender_endpoint/docs/README.md
index 2ea1439dd51..6143851476b 100644
--- a/packages/microsoft_defender_endpoint/docs/README.md
+++ b/packages/microsoft_defender_endpoint/docs/README.md
@@ -164,70 +164,17 @@ An example event for `log` looks as following:
 | Field | Description | Type |
 |---|---|---|
 | @timestamp | Event timestamp. | date |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
 | cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.image.tag | Container image tags. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| container.runtime | Runtime managing this container. | keyword |
 | data_stream.dataset | Data stream dataset. | constant_keyword |
 | data_stream.namespace | Data stream namespace. | constant_keyword |
 | data_stream.type | Data stream type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| error.message | Error message. | match_only_text |
-| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date |
 | event.dataset | Event dataset | constant_keyword |
-| event.duration | Duration of the event in nanoseconds. If `event.start` and `event.end` are known this value should be the difference between the end and start time. | long |
-| event.end | `event.end` contains the date when the event ended or when the activity was last observed. | date |
-| event.id | Unique ID to describe the event. | keyword |
-| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword |
 | event.module | Event module | constant_keyword |
-| event.provider | Source of the event. Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). | keyword |
-| event.severity | The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. | long |
-| event.start | `event.start` contains the date when the event started or when the activity was first observed. | date |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| file.extension | File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword |
-| file.hash.md5 | MD5 hash. | keyword |
-| file.hash.sha1 | SHA1 hash. | keyword |
-| file.hash.sha256 | SHA256 hash. | keyword |
-| file.hash.sha512 | SHA512 hash. | keyword |
-| file.name | Name of the file including the extension, without the directory. | keyword |
-| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword |
-| file.path.text | Multi-field of `file.path`. | match_only_text |
-| host.architecture | Operating system architecture. | keyword |
 | host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
 | host.os.build | OS build information. | keyword |
 | host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
 | input.type | Input type | keyword |
-| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword |
-| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword |
 | log.offset | Log offset | long |
-| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text |
 | microsoft.defender_endpoint.assignedTo | Owner of the alert. | keyword |
 | microsoft.defender_endpoint.classification | Specification of the alert. Possible values are: 'Unknown', 'FalsePositive', 'TruePositive'. | keyword |
 | microsoft.defender_endpoint.determination | Specifies the determination of the alert. Possible values are: 'NotAvailable', 'Apt', 'Malware', 'SecurityPersonnel', 'SecurityTesting', 'UnwantedSoftware', 'Other'. | keyword |
@@ -245,27 +192,4 @@ An example event for `log` looks as following:
 | microsoft.defender_endpoint.resolvedTime | The date and time in which the status of the alert was changed to 'Resolved'. | date |
 | microsoft.defender_endpoint.status | Specifies the current status of the alert. Possible values are: 'Unknown', 'New', 'InProgress' and 'Resolved'. | keyword |
 | microsoft.defender_endpoint.threatFamilyName | Threat family. | keyword |
-| observer.name | Custom name of the observer. This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. If no custom name is needed, the field can be left empty. | keyword |
-| observer.product | The product name of the observer. | keyword |
-| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword |
-| observer.vendor | Vendor name of the observer. | keyword |
-| process.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard |
-| process.command_line.text | Multi-field of `process.command_line`. | match_only_text |
-| process.parent.pid | Process id. | long |
-| process.parent.start | The time the process started. | date |
-| process.pid | Process id. | long |
-| process.start | The time the process started. | date |
-| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword |
-| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| related.user | All the user names or other user identifiers seen on the event. | keyword |
-| rule.description | The description of the rule generating the event. | keyword |
-| tags | List of keywords used to tag each event. | keyword |
-| threat.framework | Name of the threat framework used to further categorize and classify the tactic and technique of the reported threat. Framework classification can be provided by detecting systems, evaluated at ingest time, or retrospectively tagged to events. | keyword |
-| threat.technique.name | The name of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) | keyword |
-| threat.technique.name.text | Multi-field of `threat.technique.name`. | match_only_text |
-| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
-| user.id | Unique identifier of the user. | keyword |
-| user.name | Short name or login of the user. | keyword |
-| user.name.text | Multi-field of `user.name`. | match_only_text |
diff --git a/packages/microsoft_defender_endpoint/manifest.yml b/packages/microsoft_defender_endpoint/manifest.yml
index bc33e45e7d0..121db9fcedb 100644
--- a/packages/microsoft_defender_endpoint/manifest.yml
+++ b/packages/microsoft_defender_endpoint/manifest.yml
@@ -1,7 +1,7 @@
 format_version: "3.0.2"
 name: microsoft_defender_endpoint
 title: Microsoft Defender for Endpoint
-version: "2.24.2"
+version: "2.25.0"
 description: Collect logs from Microsoft Defender for Endpoint with Elastic Agent.
 categories:
 - "security"
@@ -9,7 +9,7 @@ categories:
 type: integration
 conditions:
 kibana:
- version: ^8.12.0
+ version: "^8.13.0"
 policy_templates:
 - name: microsoft_defender_endpoint
 title: Microsoft Defender for Endpoint
diff --git a/packages/microsoft_exchange_online_message_trace/changelog.yml b/packages/microsoft_exchange_online_message_trace/changelog.yml
index 0732d7b3822..35ffe803471 100644
--- a/packages/microsoft_exchange_online_message_trace/changelog.yml
+++ b/packages/microsoft_exchange_online_message_trace/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.22.0"
+ changes:
+ - description: Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/10135
 - version: "1.21.2"
 changes:
 - description: Fix template to not fail without local domains.
diff --git a/packages/microsoft_exchange_online_message_trace/data_stream/log/fields/ecs.yml b/packages/microsoft_exchange_online_message_trace/data_stream/log/fields/ecs.yml
deleted file mode 100644
index f7117c7dfb2..00000000000
--- a/packages/microsoft_exchange_online_message_trace/data_stream/log/fields/ecs.yml
+++ /dev/null
@@ -1,114 +0,0 @@
-- external: ecs
- name: email.attachments.file.size
-- external: ecs
- name: email.delivery_timestamp
-- external: ecs
- name: email.from.address
-- external: ecs
- name: email.local_id
-- external: ecs
- name: email.message_id
-- external: ecs
- name: email.subject
-- external: ecs
- name: email.to.address
-- external: ecs
- name: ecs.version
-- external: ecs
- name: tags
-- external: ecs
- name: destination.as.organization.name
-- external: ecs
- name: destination.as.number
-- external: ecs
- name: destination.geo.city_name
-- external: ecs
- name: destination.geo.continent_name
-- external: ecs
- name: destination.geo.country_iso_code
-- external: ecs
- name: destination.geo.country_name
-- description: Longitude and latitude.
- level: core
- name: destination.geo.location
- type: geo_point
-- external: ecs
- name: destination.geo.region_iso_code
-- external: ecs
- name: destination.geo.region_name
-- external: ecs
- name: destination.ip
-- external: ecs
- name: email.direction
-- external: ecs
- name: log.file.path
-- external: ecs
- name: source.as.organization.name
-- external: ecs
- name: source.as.number
-- external: ecs
- name: source.geo.city_name
-- external: ecs
- name: source.geo.continent_name
-- external: ecs
- name: source.geo.country_iso_code
-- external: ecs
- name: source.geo.country_name
-- description: Longitude and latitude.
- level: core
- name: source.geo.location
- type: geo_point
-- external: ecs
- name: source.geo.region_iso_code
-- external: ecs
- name: source.geo.region_name
-- external: ecs
- name: source.ip
-- external: ecs
- name: event.created
-- external: ecs
- name: event.start
-- external: ecs
- name: event.end
-- external: ecs
- name: destination.domain
-- external: ecs
- name: destination.registered_domain
-- external: ecs
- name: destination.top_level_domain
-- external: ecs
- name: destination.subdomain
-- external: ecs
- name: source.domain
-- external: ecs
- name: source.registered_domain
-- external: ecs
- name: source.top_level_domain
-- external: ecs
- name: source.subdomain
-- external: ecs
- name: user.name
-- external: ecs
- name: user.domain
-- external: ecs
- name: source.user.domain
-- external: ecs
- name: source.user.email
-- external: ecs
- name: source.user.id
-- external: ecs
- name: source.user.name
-- external: ecs
- name: user.email
-- external: ecs
- name: user.id
-- external: ecs
- name: destination.user.email
-- external: ecs
- name: destination.user.name
-- external: ecs
- name: destination.user.domain
-- external: ecs
- name: destination.user.id
-- external: ecs
- name: related.user
diff --git a/packages/microsoft_exchange_online_message_trace/docs/README.md b/packages/microsoft_exchange_online_message_trace/docs/README.md
index 4e2a675dde2..54da485d4e5 100644
--- a/packages/microsoft_exchange_online_message_trace/docs/README.md
+++ b/packages/microsoft_exchange_online_message_trace/docs/README.md
@@ -269,42 +269,8 @@ An example event for `log` looks as following:
 | data_stream.dataset | The field can contain anything that makes sense to signify the source of the data. Examples include `nginx.access`, `prometheus`, `endpoint` etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. `event.dataset` should have the same value as `data_stream.dataset`. Beyond the Elasticsearch data stream naming criteria noted above, the `dataset` value has additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword |
 | data_stream.namespace | A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with `default`. If no value is used, it falls back to `default`. Beyond the Elasticsearch index naming criteria noted above, `namespace` value has the additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword |
 | data_stream.type | An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. | constant_keyword |
-| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| destination.as.organization.name | Organization name. | keyword |
-| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text |
-| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
-| destination.geo.city_name | City name. | keyword |
-| destination.geo.continent_name | Name of the continent. | keyword |
-| destination.geo.country_iso_code | Country ISO code. | keyword |
-| destination.geo.country_name | Country name. | keyword |
-| destination.geo.location | Longitude and latitude. | geo_point |
-| destination.geo.region_iso_code | Region ISO code. | keyword |
-| destination.geo.region_name | Region name. | keyword |
-| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
-| destination.registered_domain | The highest registered destination domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
-| destination.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword |
-| destination.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
-| destination.user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
-| destination.user.email | User email address. | keyword |
-| destination.user.id | Unique identifier of the user. | keyword |
-| destination.user.name | Short name or login of the user. | keyword |
-| destination.user.name.text | Multi-field of `destination.user.name`. | match_only_text |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| email.attachments.file.size | Attachment file size in bytes. | long |
-| email.delivery_timestamp | The date and time when the email message was received by the service or client. | date |
-| email.direction | The direction of the message based on the sending and receiving domains. | keyword |
-| email.from.address | The email address of the sender, typically from the RFC 5322 `From:` header field. | keyword |
-| email.local_id | Unique identifier given to the email by the source that created the event. Identifier is not persistent across hops. | keyword |
-| email.message_id | Identifier from the RFC 5322 `Message-ID:` email header that refers to a particular email message. | wildcard |
-| email.subject | A brief summary of the topic of the message. | keyword |
-| email.subject.text | Multi-field of `email.subject`. | match_only_text |
-| email.to.address | The email address of recipient | keyword |
-| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date |
 | event.dataset | Event dataset | constant_keyword |
-| event.end | `event.end` contains the date when the event ended or when the activity was last observed. | date |
-| event.start | `event.start` contains the date when the event started or when the activity was first observed. | date |
 | input.type | | keyword |
-| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword |
 | log.offset | | long |
 | microsoft.online_message_trace.EndDate | This field is used to limit the report period. Use this field in a $filter query option to set the end date and time of the reporting period. If you supply EndDate in the $filter option, you must also supply StartDate. In this report, this field corresponds to the date and time of the last processing step recorded for the message. | date_nanos |
 | microsoft.online_message_trace.FromIP | The IPv4 or IPv6 address that transmitted the message to the Office 365 email system. | keyword |
@@ -320,30 +286,3 @@ An example event for `log` looks as following: | microsoft.online_message_trace.Status | The status of the message in the Office 365 email system. This corresponds to the Detail field of the last processing step recorded for the message.\\ | keyword | | microsoft.online_message_trace.Subject | The subject line of the message, if one was present for the message.\\ | keyword | | microsoft.online_message_trace.ToIP | The IPv4 or IPv6 address that the Office 365 email system sent the message to.\\ | keyword | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.registered_domain | The highest registered source domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). 
Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| source.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | -| source.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| source.user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | -| source.user.email | User email address. | keyword | -| source.user.id | Unique identifier of the user. | keyword | -| source.user.name | Short name or login of the user. | keyword | -| source.user.name.text | Multi-field of `source.user.name`. | match_only_text | -| tags | List of keywords used to tag each event. | keyword | -| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | -| user.email | User email address. | keyword | -| user.id | Unique identifier of the user. | keyword | -| user.name | Short name or login of the user. | keyword | -| user.name.text | Multi-field of `user.name`. | match_only_text | 
diff --git a/packages/microsoft_exchange_online_message_trace/manifest.yml b/packages/microsoft_exchange_online_message_trace/manifest.yml
index bda6c474bdc..27d503bd52b 100644
--- a/packages/microsoft_exchange_online_message_trace/manifest.yml
+++ b/packages/microsoft_exchange_online_message_trace/manifest.yml
@@ -1,7 +1,7 @@
 format_version: "3.0.2"
 name: microsoft_exchange_online_message_trace
 title: "Microsoft Exchange Online Message Trace"
-version: "1.21.2"
+version: "1.22.0"
 description: "Microsoft Exchange Online Message Trace Integration"
 type: integration
 categories:
@@ -9,7 +9,7 @@ categories:
 - email_security
 conditions:
 kibana:
- version: "^8.12.0"
+ version: "^8.13.0"
 elastic:
 subscription: "basic"
 icons:
diff --git a/packages/mimecast/changelog.yml b/packages/mimecast/changelog.yml
index fe27f64a68e..fa323cd6ace 100644
--- a/packages/mimecast/changelog.yml
+++ b/packages/mimecast/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.26.0"
+ changes:
+ - description: Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/10135
 - version: "1.25.0"
 changes:
 - description: Improve handling of empty responses.
diff --git a/packages/mimecast/data_stream/archive_search_logs/fields/agent.yml b/packages/mimecast/data_stream/archive_search_logs/fields/agent.yml
index c46a152ef14..894e6f12be2 100644
--- a/packages/mimecast/data_stream/archive_search_logs/fields/agent.yml
+++ b/packages/mimecast/data_stream/archive_search_logs/fields/agent.yml
@@ -5,166 +5,15 @@ footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' type: group fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - name: image.id type: keyword description: Image ID for the cloud instance. -- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. 
These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. - name: host title: Host group: 2 description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' type: group fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. 
- - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - name: containerized type: boolean description: > diff --git a/packages/mimecast/data_stream/archive_search_logs/fields/ecs.yml b/packages/mimecast/data_stream/archive_search_logs/fields/ecs.yml deleted file mode 100644 index 571dd97bf81..00000000000 --- a/packages/mimecast/data_stream/archive_search_logs/fields/ecs.yml +++ /dev/null 
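Review bot: After this hunk agent.yml keeps only `cloud.image.id` and `host.containerized`, but nothing in the file explains why those two survive while every other cloud.*, container.* and host.* definition is dropped, so the next maintainer cannot tell from agent.yml alone that the ECS mappings are now expected to come from the stack's `ecs@mappings` component template (only the changelog hunk in this patch says so, and the mimecast manifest bump to ^8.13.0 is not in this chunk). Suggest a comment at the top of the `cloud` group, whose header lies just above the hunk start: `# Only non-ECS fields are declared here; ECS cloud.*, container.* and host.* mappings are supplied by the ecs@mappings component template (requires Kibana ^8.13.0).` Since the dropped fields are now mapped dynamically rather than declared, a field that never appears in ingested documents presumably gets no mapping at all, which is a change from the previous explicit declarations; worth confirming that dashboards or rules referencing fields such as `host.os.name.text` still resolve on this data stream. The enclosing `cloud` group definition starts outside the hunk.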
@@ -1,22 +0,0 @@ -- external: ecs - name: ecs.version -- external: ecs - name: event.action -- external: ecs - name: event.created -- external: ecs - name: event.id -- external: ecs - name: event.original -- external: ecs - name: event.reason -- external: ecs - name: related.user -- external: ecs - name: tags -- external: ecs - name: user.domain -- external: ecs - name: user.email -- external: ecs - name: user.name diff --git a/packages/mimecast/data_stream/audit_events/fields/agent.yml b/packages/mimecast/data_stream/audit_events/fields/agent.yml index e313ec82874..48f513b61aa 100644 --- a/packages/mimecast/data_stream/audit_events/fields/agent.yml +++ b/packages/mimecast/data_stream/audit_events/fields/agent.yml 
@@ -5,180 +5,15 @@ footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' type: group fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - name: image.id type: keyword description: Image ID for the cloud instance. -- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. 
- - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. - name: host title: Host group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' type: group fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. 
- - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - name: containerized type: boolean description: > diff --git a/packages/mimecast/data_stream/audit_events/fields/ecs.yml b/packages/mimecast/data_stream/audit_events/fields/ecs.yml deleted file mode 100644 index 9105b62ec94..00000000000 
--- a/packages/mimecast/data_stream/audit_events/fields/ecs.yml +++ /dev/null @@ -1,58 +0,0 @@ -- external: ecs - name: client.as.number -- external: ecs - name: client.as.organization.name -- external: ecs - name: client.geo.city_name -- external: ecs - name: client.geo.continent_name -- external: ecs - name: client.geo.country_iso_code -- external: ecs - name: client.geo.country_name -- external: ecs - name: client.geo.location -- external: ecs - name: client.geo.region_iso_code -- external: ecs - name: client.geo.region_name -- external: ecs - name: client.ip -- external: ecs - name: ecs.version -- external: ecs - name: email.from.address -- external: ecs - name: email.origination_timestamp -- external: ecs - name: email.subject -- external: ecs - name: email.to.address -- external: ecs - name: event.action -- external: ecs - name: event.created -- external: ecs - name: event.id -- external: ecs - name: event.original -- external: ecs - name: event.reason -- external: ecs - name: file.extension -- external: ecs - name: file.name -- external: ecs - name: file.size -- external: ecs - name: related.ip -- external: ecs - name: related.user -- external: ecs - name: tags -- external: ecs - name: user.domain -- external: ecs - name: user.email -- external: ecs - name: user.name diff --git a/packages/mimecast/data_stream/dlp_logs/fields/agent.yml b/packages/mimecast/data_stream/dlp_logs/fields/agent.yml index e313ec82874..48f513b61aa 100644 --- a/packages/mimecast/data_stream/dlp_logs/fields/agent.yml +++ b/packages/mimecast/data_stream/dlp_logs/fields/agent.yml 
@@ -5,180 +5,15 @@ footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' type: group fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - name: image.id type: keyword description: Image ID for the cloud instance. -- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. 
- - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. - name: host title: Host group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' type: group fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. 
- - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - name: containerized type: boolean description: > diff --git a/packages/mimecast/data_stream/dlp_logs/fields/ecs.yml b/packages/mimecast/data_stream/dlp_logs/fields/ecs.yml deleted file mode 100644 index ef925714f24..00000000000 
--- a/packages/mimecast/data_stream/dlp_logs/fields/ecs.yml +++ /dev/null @@ -1,22 +0,0 @@ -- external: ecs - name: ecs.version -- external: ecs - name: email.direction -- external: ecs - name: email.from.address -- external: ecs - name: email.message_id -- external: ecs - name: email.subject -- external: ecs - name: email.to.address -- external: ecs - name: event.action -- external: ecs - name: event.created -- external: ecs - name: event.original -- external: ecs - name: rule.name -- external: ecs - name: tags diff --git a/packages/mimecast/data_stream/siem_logs/fields/agent.yml b/packages/mimecast/data_stream/siem_logs/fields/agent.yml index e313ec82874..48f513b61aa 100644 --- a/packages/mimecast/data_stream/siem_logs/fields/agent.yml +++ b/packages/mimecast/data_stream/siem_logs/fields/agent.yml 
@@ -5,180 +5,15 @@ footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' type: group fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - name: image.id type: keyword description: Image ID for the cloud instance. -- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. 
- - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. - name: host title: Host group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' type: group fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. 
- - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - name: containerized type: boolean description: > diff --git a/packages/mimecast/data_stream/siem_logs/fields/ecs.yml b/packages/mimecast/data_stream/siem_logs/fields/ecs.yml deleted file mode 100644 index 863be6474cd..00000000000 
--- a/packages/mimecast/data_stream/siem_logs/fields/ecs.yml +++ /dev/null @@ -1,82 +0,0 @@ -- external: ecs - name: ecs.version -- external: ecs - name: email.attachments.file.extension -- external: ecs - name: email.attachments.file.hash.md5 -- external: ecs - name: email.attachments.file.hash.sha1 -- external: ecs - name: email.attachments.file.hash.sha256 -- external: ecs - name: email.attachments.file.mime_type -- external: ecs - name: email.attachments.file.name -- external: ecs - name: email.attachments.file.size -- external: ecs - name: email.direction -- external: ecs - name: email.from.address -- external: ecs - name: email.local_id -- external: ecs - name: email.message_id -- external: ecs - name: email.subject -- external: ecs - name: email.to.address -- external: ecs - name: error.code -- external: ecs - name: error.message -- external: ecs - name: error.type -- external: ecs - name: event.action -- external: ecs - name: event.created -- external: ecs - name: event.id -- external: ecs - name: event.original -- external: ecs - name: event.outcome -- external: ecs - name: event.reason -- external: ecs - name: rule.name -- external: ecs - name: source.as.number -- external: ecs - name: source.as.organization.name -- external: ecs - name: source.domain -- external: ecs - name: source.geo.city_name -- external: ecs - name: source.geo.continent_name -- external: ecs - name: source.geo.country_iso_code -- external: ecs - name: source.geo.country_name -- external: ecs - name: source.geo.location -- external: ecs - name: source.geo.region_iso_code -- external: ecs - name: source.geo.region_name -- external: ecs - name: source.ip -- external: ecs - name: tags -- external: ecs - name: tls.cipher -- external: ecs - name: tls.established -- external: ecs - name: tls.version -- external: ecs - name: url.full -- external: ecs - name: user.email 
diff --git a/packages/mimecast/data_stream/threat_intel_malware_customer/fields/agent.yml b/packages/mimecast/data_stream/threat_intel_malware_customer/fields/agent.yml index e313ec82874..48f513b61aa 100644 --- a/packages/mimecast/data_stream/threat_intel_malware_customer/fields/agent.yml +++ b/packages/mimecast/data_stream/threat_intel_malware_customer/fields/agent.yml 
@@ -5,180 +5,15 @@ footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' type: group fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - name: image.id type: keyword description: Image ID for the cloud instance. -- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. 
- - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. - name: host title: Host group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' type: group fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. 
- - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - name: containerized type: boolean description: 
>
diff --git a/packages/mimecast/data_stream/threat_intel_malware_customer/fields/ecs.yml b/packages/mimecast/data_stream/threat_intel_malware_customer/fields/ecs.yml
deleted file mode 100644
index 3c764373326..00000000000
--- a/packages/mimecast/data_stream/threat_intel_malware_customer/fields/ecs.yml
+++ /dev/null
@@ -1,30 +0,0 @@
-- external: ecs
- name: ecs.version
-- external: ecs
- name: event.category
-- external: ecs
- name: event.created
-- external: ecs
- name: event.kind
-- external: ecs
- name: event.original
-- external: ecs
- name: event.type
-- external: ecs
- name: message
-- external: ecs
- name: related.hash
-- external: ecs
- name: tags
-- external: ecs
- name: threat.indicator.file.hash.md5
-- external: ecs
- name: threat.indicator.file.hash.sha1
-- external: ecs
- name: threat.indicator.file.hash.sha256
-- external: ecs
- name: threat.indicator.first_seen
-- external: ecs
- name: threat.indicator.modified_at
-- external: ecs
- name: threat.indicator.type
diff --git a/packages/mimecast/data_stream/threat_intel_malware_grid/fields/agent.yml b/packages/mimecast/data_stream/threat_intel_malware_grid/fields/agent.yml
index e313ec82874..48f513b61aa 100644
--- a/packages/mimecast/data_stream/threat_intel_malware_grid/fields/agent.yml
+++ b/packages/mimecast/data_stream/threat_intel_malware_grid/fields/agent.yml
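Review bot: The removed `host.ip` (type `ip`), `host.mac`, `cloud.*` and `container.*` definitions in this hunk leave those fields with no package-side mapping, so their types now depend on whatever ECS mappings the stack supplies; the same applies to the agent.yml hunks for threat_intel_malware_grid, ttp_ap_logs, ttp_ip_logs and ttp_url_logs, and to the deleted ecs.yml files, which drop typed declarations such as `source.ip`, `source.geo.location` and `tls.established`. If the package's minimum stack constraint (the manifest is not in this diff) does not guarantee the stack-side ECS dynamic templates, these fields fall back to dynamic mapping as `keyword` or `object`, and detection rules that run CIDR or geo queries against them stop matching without any ingest error. Presumably this relies on the `ecs@mappings` component template; confirm the version constraint covers it and add a field-type check in the package tests so a regression is caught rather than silently degrading detections.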
@@ -5,180 +5,15 @@ footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' type: group fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - name: image.id type: keyword description: Image ID for the cloud instance. -- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. 
- - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. - name: host title: Host group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' type: group fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. 
- - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - name: containerized type: boolean description: > diff --git a/packages/mimecast/data_stream/threat_intel_malware_grid/fields/ecs.yml b/packages/mimecast/data_stream/threat_intel_malware_grid/fields/ecs.yml deleted file mode 100644 index 3c764373326..00000000000 
--- a/packages/mimecast/data_stream/threat_intel_malware_grid/fields/ecs.yml
+++ /dev/null
@@ -1,30 +0,0 @@
-- external: ecs
- name: ecs.version
-- external: ecs
- name: event.category
-- external: ecs
- name: event.created
-- external: ecs
- name: event.kind
-- external: ecs
- name: event.original
-- external: ecs
- name: event.type
-- external: ecs
- name: message
-- external: ecs
- name: related.hash
-- external: ecs
- name: tags
-- external: ecs
- name: threat.indicator.file.hash.md5
-- external: ecs
- name: threat.indicator.file.hash.sha1
-- external: ecs
- name: threat.indicator.file.hash.sha256
-- external: ecs
- name: threat.indicator.first_seen
-- external: ecs
- name: threat.indicator.modified_at
-- external: ecs
- name: threat.indicator.type
diff --git a/packages/mimecast/data_stream/ttp_ap_logs/fields/agent.yml b/packages/mimecast/data_stream/ttp_ap_logs/fields/agent.yml
index e313ec82874..48f513b61aa 100644
--- a/packages/mimecast/data_stream/ttp_ap_logs/fields/agent.yml
+++ b/packages/mimecast/data_stream/ttp_ap_logs/fields/agent.yml
@@ -5,180 +5,15 @@ footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' type: group fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - name: image.id type: keyword description: Image ID for the cloud instance. -- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. 
- - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. - name: host title: Host group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' type: group fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. 
- - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - name: containerized type: boolean description: > diff --git a/packages/mimecast/data_stream/ttp_ap_logs/fields/ecs.yml b/packages/mimecast/data_stream/ttp_ap_logs/fields/ecs.yml deleted file mode 100644 index d942cd864e0..00000000000 
--- a/packages/mimecast/data_stream/ttp_ap_logs/fields/ecs.yml
+++ /dev/null
@@ -1,32 +0,0 @@
-- external: ecs
- name: ecs.version
-- external: ecs
- name: email.attachments.file.extension
-- external: ecs
- name: email.attachments.file.hash.sha256
-- external: ecs
- name: email.attachments.file.mime_type
-- external: ecs
- name: email.attachments.file.name
-- external: ecs
- name: email.direction
-- external: ecs
- name: email.from.address
-- external: ecs
- name: email.message_id
-- external: ecs
- name: email.subject
-- external: ecs
- name: email.to.address
-- external: ecs
- name: event.action
-- external: ecs
- name: event.created
-- external: ecs
- name: event.original
-- external: ecs
- name: related.hash
-- external: ecs
- name: rule.name
-- external: ecs
- name: tags
diff --git a/packages/mimecast/data_stream/ttp_ip_logs/fields/agent.yml b/packages/mimecast/data_stream/ttp_ip_logs/fields/agent.yml
index e313ec82874..48f513b61aa 100644
--- a/packages/mimecast/data_stream/ttp_ip_logs/fields/agent.yml
+++ b/packages/mimecast/data_stream/ttp_ip_logs/fields/agent.yml
@@ -5,180 +5,15 @@ footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' type: group fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - name: image.id type: keyword description: Image ID for the cloud instance. -- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. 
- - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. - name: host title: Host group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' type: group fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. 
- - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - name: containerized type: boolean description: > diff --git a/packages/mimecast/data_stream/ttp_ip_logs/fields/ecs.yml b/packages/mimecast/data_stream/ttp_ip_logs/fields/ecs.yml deleted file mode 100644 index ae101f9d829..00000000000 
--- a/packages/mimecast/data_stream/ttp_ip_logs/fields/ecs.yml
+++ /dev/null
@@ -1,28 +0,0 @@
-- external: ecs
- name: ecs.version
-- external: ecs
- name: email.from.address
-- external: ecs
- name: email.message_id
-- external: ecs
- name: email.subject
-- external: ecs
- name: email.to.address
-- external: ecs
- name: event.action
-- external: ecs
- name: event.created
-- external: ecs
- name: event.id
-- external: ecs
- name: event.original
-- external: ecs
- name: related.ip
-- external: ecs
- name: rule.name
-- external: ecs
- name: source.domain
-- external: ecs
- name: source.ip
-- external: ecs
- name: tags
diff --git a/packages/mimecast/data_stream/ttp_url_logs/fields/agent.yml b/packages/mimecast/data_stream/ttp_url_logs/fields/agent.yml
index e313ec82874..48f513b61aa 100644
--- a/packages/mimecast/data_stream/ttp_url_logs/fields/agent.yml
+++ b/packages/mimecast/data_stream/ttp_url_logs/fields/agent.yml
@@ -5,180 +5,15 @@ footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' type: group fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - name: image.id type: keyword description: Image ID for the cloud instance. -- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. 
- - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. - name: host title: Host group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' type: group fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. 
- - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - name: containerized type: boolean description: > diff --git a/packages/mimecast/data_stream/ttp_url_logs/fields/ecs.yml b/packages/mimecast/data_stream/ttp_url_logs/fields/ecs.yml deleted file mode 100644 index faf406570c5..00000000000 
--- a/packages/mimecast/data_stream/ttp_url_logs/fields/ecs.yml
+++ /dev/null
@@ -1,32 +0,0 @@
-- external: ecs
- name: ecs.version
-- external: ecs
- name: email.direction
-- external: ecs
- name: email.from.address
-- external: ecs
- name: email.message_id
-- external: ecs
- name: email.subject
-- external: ecs
- name: email.to.address
-- external: ecs
- name: event.action
-- external: ecs
- name: event.created
-- external: ecs
- name: event.original
-- external: ecs
- name: related.ip
-- external: ecs
- name: related.user
-- external: ecs
- name: rule.name
-- external: ecs
- name: source.ip
-- external: ecs
- name: tags
-- external: ecs
- name: url.original
-- external: ecs
- name: user.email
diff --git a/packages/mimecast/docs/README.md b/packages/mimecast/docs/README.md
index 00dcd52b0c5..e3d61881156 100644
--- a/packages/mimecast/docs/README.md
+++ b/packages/mimecast/docs/README.md
@@ -94,47 +94,15 @@ An example event for `archive_search` looks as following:
 | Field | Description | Type |
 |---|---|---|
 | @timestamp | Event timestamp. | date |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
 | cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
 | data_stream.dataset | Data stream dataset. | constant_keyword |
 | data_stream.namespace | Data stream namespace. | constant_keyword |
 | data_stream.type | Data stream type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
-| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date |
 | event.dataset | Event dataset | constant_keyword |
-| event.id | Unique ID to describe the event. | keyword |
 | event.module | Event module | constant_keyword |
-| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
-| event.reason | Reason why this event happened, according to the source. This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). | keyword |
-| host.architecture | Operating system architecture. | keyword |
 | host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
 | host.os.build | OS build information. | keyword |
 | host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
 | input.type | Input type | keyword |
 | log.offset | Log offset | long |
 | mimecast.email.address | The email address of the user who performed the search. | keyword |
@@ -143,12 +111,6 @@ An example event for `archive_search` looks as following:
 | mimecast.search_details.reason | The search reason entered when the search was executed if any. | keyword |
 | mimecast.search_details.source | The search source context | keyword |
 | mimecast.search_details.text | The text used in the search. | keyword |
-| related.user | All the user names or other user identifiers seen on the event. | keyword |
-| tags | List of keywords used to tag each event. | keyword |
-| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
-| user.email | User email address. | keyword |
-| user.name | Short name or login of the user. | keyword |
-| user.name.text | Multi-field of `user.name`. | match_only_text |
 ### Audit Events
@@ -223,66 +185,15 @@ An example event for `audit_events` looks as following:
 | Field | Description | Type |
 |---|---|---|
 | @timestamp | Event timestamp. | date |
-| client.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| client.as.organization.name | Organization name. | keyword |
-| client.as.organization.name.text | Multi-field of `client.as.organization.name`. | match_only_text |
-| client.geo.city_name | City name. | keyword |
-| client.geo.continent_name | Name of the continent. | keyword |
-| client.geo.country_iso_code | Country ISO code. | keyword |
-| client.geo.country_name | Country name. | keyword |
-| client.geo.location | Longitude and latitude. | geo_point |
-| client.geo.region_iso_code | Region ISO code. | keyword |
-| client.geo.region_name | Region name. | keyword |
-| client.ip | IP address of the client (IPv4 or IPv6). | ip |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
 | cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
 | data_stream.dataset | Data stream dataset. | constant_keyword |
 | data_stream.namespace | Data stream namespace. | constant_keyword |
 | data_stream.type | Data stream type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| email.from.address | The email address of the sender, typically from the RFC 5322 `From:` header field. | keyword |
-| email.origination_timestamp | The date and time the email message was composed. Many email clients will fill in this value automatically when the message is sent by a user. | date |
-| email.subject | A brief summary of the topic of the message. | keyword |
-| email.subject.text | Multi-field of `email.subject`. | match_only_text |
-| email.to.address | The email address of recipient | keyword |
-| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
-| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date |
 | event.dataset | Event dataset | constant_keyword |
-| event.id | Unique ID to describe the event. | keyword |
 | event.module | Event module | constant_keyword |
-| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
-| event.reason | Reason why this event happened, according to the source. This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). | keyword |
-| file.extension | File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword |
-| file.name | Name of the file including the extension, without the directory. | keyword |
-| file.size | File size in bytes. Only relevant when `file.type` is "file". | long |
-| host.architecture | Operating system architecture. | keyword |
 | host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
 | host.os.build | OS build information. | keyword |
 | host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
 | input.type | Input type | keyword |
 | log.offset | Log offset | long |
 | mimecast.2FA | Info about two-factor authentication. | keyword |
@@ -294,13 +205,6 @@ An example event for `audit_events` looks as following:
 | mimecast.method | Method which triggers audit events. | keyword |
 | mimecast.remote | Info about remote IP trying to access the API. | keyword |
 | mimecast.remote_ip | Remote IP. | ip |
-| related.ip | All of the IPs seen on your event. | ip |
-| related.user | All the user names or other user identifiers seen on the event. | keyword |
-| tags | List of keywords used to tag each event. | keyword |
-| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
-| user.email | User email address. | keyword |
-| user.name | Short name or login of the user. | keyword |
-| user.name.text | Multi-field of `user.name`. | match_only_text |
 ### DLP Logs
@@ -377,55 +281,17 @@ An example event for `dlp` looks as following:
 | Field | Description | Type |
 |---|---|---|
 | @timestamp | Event timestamp. | date |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
 | cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
 | data_stream.dataset | Data stream dataset. | constant_keyword |
 | data_stream.namespace | Data stream namespace. | constant_keyword |
 | data_stream.type | Data stream type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| email.direction | The direction of the message based on the sending and receiving domains. | keyword |
-| email.from.address | The email address of the sender, typically from the RFC 5322 `From:` header field. | keyword |
-| email.message_id | Identifier from the RFC 5322 `Message-ID:` email header that refers to a particular email message. | wildcard |
-| email.subject | A brief summary of the topic of the message. | keyword |
-| email.subject.text | Multi-field of `email.subject`. | match_only_text |
-| email.to.address | The email address of recipient | keyword |
-| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
-| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date |
 | event.dataset | Event dataset | constant_keyword |
 | event.module | Event module | constant_keyword |
-| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
-| host.architecture | Operating system architecture. | keyword |
 | host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
 | host.os.build | OS build information. | keyword |
 | host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
 | input.type | Input type | keyword |
 | log.offset | Log offset | long |
-| rule.name | The name of the rule or signature generating the event. | keyword |
-| tags | List of keywords used to tag each event. | keyword |
 ### SIEM Logs
@@ -504,65 +370,15 @@ An example event for `siem` looks as following:
 | Field | Description | Type |
 |---|---|---|
 | @timestamp | Event timestamp. | date |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
 | cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
 | data_stream.dataset | Data stream dataset. | constant_keyword |
 | data_stream.namespace | Data stream namespace. | constant_keyword |
 | data_stream.type | Data stream type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| email.attachments.file.extension | Attachment file extension, excluding the leading dot. | keyword |
-| email.attachments.file.hash.md5 | MD5 hash. | keyword |
-| email.attachments.file.hash.sha1 | SHA1 hash. | keyword |
-| email.attachments.file.hash.sha256 | SHA256 hash. | keyword |
-| email.attachments.file.mime_type | The MIME media type of the attachment. This value will typically be extracted from the `Content-Type` MIME header field. | keyword |
-| email.attachments.file.name | Name of the attachment file including the file extension. | keyword |
-| email.attachments.file.size | Attachment file size in bytes. | long |
-| email.direction | The direction of the message based on the sending and receiving domains. | keyword |
-| email.from.address | The email address of the sender, typically from the RFC 5322 `From:` header field. | keyword |
-| email.local_id | Unique identifier given to the email by the source that created the event. Identifier is not persistent across hops. | keyword |
-| email.message_id | Identifier from the RFC 5322 `Message-ID:` email header that refers to a particular email message. | wildcard |
-| email.subject | A brief summary of the topic of the message. | keyword |
-| email.subject.text | Multi-field of `email.subject`. | match_only_text |
-| email.to.address | The email address of recipient | keyword |
-| error.code | Error code describing the error. | keyword |
-| error.message | Error message. | match_only_text |
-| error.type | The type of the error, for example the class name of the exception. | keyword |
-| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
-| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date |
 | event.dataset | Event dataset | constant_keyword |
-| event.id | Unique ID to describe the event. | keyword |
 | event.module | Event module | constant_keyword |
-| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
-| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword |
-| event.reason | Reason why this event happened, according to the source. This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). | keyword |
-| host.architecture | Operating system architecture. | keyword |
 | host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
 | host.os.build | OS build information. | keyword |
 | host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
 | input.type | Input type | keyword |
 | log.offset | Log offset | long |
 | mimecast.AttCnt | The number of attachments on the email. | long |
@@ -609,26 +425,6 @@ An example event for `siem` looks as following:
 | mimecast.log_type | String to get type of SIEM log. | keyword |
 | mimecast.msgid | The internet message id of the email. | keyword |
 | mimecast.urlCategory | The category of the URL that was clicked. | keyword |
-| rule.name | The name of the rule or signature generating the event. | keyword |
-| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| source.as.organization.name | Organization name. | keyword |
-| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text |
-| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
-| source.geo.city_name | City name. | keyword |
-| source.geo.continent_name | Name of the continent. | keyword |
-| source.geo.country_iso_code | Country ISO code. | keyword |
-| source.geo.country_name | Country name. | keyword |
-| source.geo.location | Longitude and latitude. | geo_point |
-| source.geo.region_iso_code | Region ISO code. | keyword |
-| source.geo.region_name | Region name. | keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| tags | List of keywords used to tag each event. | keyword |
-| tls.cipher | String indicating the cipher used during the current connection. | keyword |
-| tls.established | Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. | boolean |
-| tls.version | Numeric part of the version parsed from the original string. | keyword |
-| url.full | If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. | wildcard |
-| url.full.text | Multi-field of `url.full`. | match_only_text |
-| user.email | User email address. | keyword |
 ### Threat Intel Feed Malware: Customer
@@ -719,50 +515,17 @@ An example event for `threat_intel_malware_customer` looks as following:
 | Field | Description | Type |
 |---|---|---|
 | @timestamp | Event timestamp. | date |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
 | cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
 | data_stream.dataset | Data stream dataset. | constant_keyword |
 | data_stream.namespace | Data stream namespace. | constant_keyword |
 | data_stream.type | Data stream type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories.
For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date |
 | event.dataset | Event dataset | constant_keyword |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword |
 | event.module | Event module | constant_keyword |
-| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`.
If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| host.architecture | Operating system architecture. | keyword |
 | host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
 | host.os.build | OS build information. | keyword |
 | host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`.
| text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
 | input.type | Input type | keyword |
 | log.offset | Log offset | long |
-| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text |
 | mimecast.created | When the indicator was last created. | date |
 | mimecast.hashtype | The hash type. | keyword |
 | mimecast.id | The ID of the indicator. | keyword |
@@ -777,14 +540,6 @@ An example event for `threat_intel_malware_customer` looks as following:
 | mimecast.type | The indicator type, can for example be "domain, email, FileHash-SHA256". | keyword |
 | mimecast.valid_from | The valid from date. | date |
 | mimecast.value | The value of the indicator. | keyword |
-| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword |
-| tags | List of keywords used to tag each event. | keyword |
-| threat.indicator.file.hash.md5 | MD5 hash. | keyword |
-| threat.indicator.file.hash.sha1 | SHA1 hash. | keyword |
-| threat.indicator.file.hash.sha256 | SHA256 hash. | keyword |
-| threat.indicator.first_seen | The date and time when intelligence source first reported sighting this indicator. | date |
-| threat.indicator.modified_at | The date and time when intelligence source last modified information for this indicator. | date |
-| threat.indicator.type | Type of indicator as represented by Cyber Observable in STIX 2.0. | keyword |
 ### Threat Intel Feed Malware: Grid
@@ -875,50 +630,17 @@ An example event for `threat_intel_malware_grid` looks as following:
 | Field | Description | Type |
 |---|---|---|
 | @timestamp | Event timestamp. | date |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
 | cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
 | data_stream.dataset | Data stream dataset. | constant_keyword |
 | data_stream.namespace | Data stream namespace. | constant_keyword |
 | data_stream.type | Data stream type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories.
For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date |
 | event.dataset | Event dataset | constant_keyword |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword |
 | event.module | Event module | constant_keyword |
-| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`.
If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| host.architecture | Operating system architecture. | keyword |
 | host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
 | host.os.build | OS build information. | keyword |
 | host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`.
| text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
 | input.type | Input type | keyword |
 | log.offset | Log offset | long |
-| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text |
 | mimecast.created | When the indicator was last created. | date |
 | mimecast.hashtype | The hash type. | keyword |
 | mimecast.id | The ID of the indicator. | keyword |
@@ -933,14 +655,6 @@ An example event for `threat_intel_malware_grid` looks as following:
 | mimecast.type | The indicator type, can for example be "domain, email, FileHash-SHA256". | keyword |
 | mimecast.valid_from | The valid from date. | date |
 | mimecast.value | The value of the indicator. | keyword |
-| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword |
-| tags | List of keywords used to tag each event. | keyword |
-| threat.indicator.file.hash.md5 | MD5 hash. | keyword |
-| threat.indicator.file.hash.sha1 | SHA1 hash. | keyword |
-| threat.indicator.file.hash.sha256 | SHA256 hash. | keyword |
-| threat.indicator.first_seen | The date and time when intelligence source first reported sighting this indicator. | date |
-| threat.indicator.modified_at | The date and time when intelligence source last modified information for this indicator. | date |
-| threat.indicator.type | Type of indicator as represented by Cyber Observable in STIX 2.0. | keyword |
 ### TTP Attachment Logs
@@ -1039,55 +753,15 @@ An example event for `ttp_ap` looks as following:
 | Field | Description | Type |
 |---|---|---|
 | @timestamp | Event timestamp. | date |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
 | cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
 | data_stream.dataset | Data stream dataset. | constant_keyword |
 | data_stream.namespace | Data stream namespace. | constant_keyword |
 | data_stream.type | Data stream type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| email.attachments.file.extension | Attachment file extension, excluding the leading dot. | keyword |
-| email.attachments.file.hash.sha256 | SHA256 hash. | keyword |
-| email.attachments.file.mime_type | The MIME media type of the attachment.
This value will typically be extracted from the `Content-Type` MIME header field. | keyword |
-| email.attachments.file.name | Name of the attachment file including the file extension. | keyword |
-| email.direction | The direction of the message based on the sending and receiving domains. | keyword |
-| email.from.address | The email address of the sender, typically from the RFC 5322 `From:` header field. | keyword |
-| email.message_id | Identifier from the RFC 5322 `Message-ID:` email header that refers to a particular email message. | wildcard |
-| email.subject | A brief summary of the topic of the message. | keyword |
-| email.subject.text | Multi-field of `email.subject`. | match_only_text |
-| email.to.address | The email address of recipient | keyword |
-| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
-| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date |
 | event.dataset | Event dataset | constant_keyword |
 | event.module | Event module | constant_keyword |
-| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex.
This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
-| host.architecture | Operating system architecture. | keyword |
 | host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
 | host.os.build | OS build information. | keyword |
 | host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.
| keyword |
 | input.type | Input type | keyword |
 | log.offset | Log offset | long |
 | mimecast.actionTriggered | The action triggered for the attachment. | keyword |
@@ -1102,9 +776,6 @@ An example event for `ttp_ap` looks as following:
 | mimecast.route | The route of the original email containing the attachment, either - inbound, outbound, internal, or external. | keyword |
 | mimecast.senderAddress | The sender of the attachment. | keyword |
 | mimecast.subject | The subject of the email. | keyword |
-| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword |
-| rule.name | The name of the rule or signature generating the event. | keyword |
-| tags | List of keywords used to tag each event. | keyword |
 ### TTP Impersonation Logs
@@ -1205,51 +876,15 @@ An example event for `ttp_ip` looks as following:
 | Field | Description | Type |
 |---|---|---|
 | @timestamp | Event timestamp. | date |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
 | cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
 | data_stream.dataset | Data stream dataset. | constant_keyword |
 | data_stream.namespace | Data stream namespace. | constant_keyword |
 | data_stream.type | Data stream type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| email.from.address | The email address of the sender, typically from the RFC 5322 `From:` header field. | keyword |
-| email.message_id | Identifier from the RFC 5322 `Message-ID:` email header that refers to a particular email message.
| wildcard |
-| email.subject | A brief summary of the topic of the message. | keyword |
-| email.subject.text | Multi-field of `email.subject`. | match_only_text |
-| email.to.address | The email address of recipient | keyword |
-| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
-| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date |
 | event.dataset | Event dataset | constant_keyword |
-| event.id | Unique ID to describe the event. | keyword |
 | event.module | Event module | constant_keyword |
-| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
-| host.architecture | Operating system architecture. | keyword |
 | host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member.
For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
 | host.os.build | OS build information. | keyword |
 | host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
 | input.type | Input type | keyword |
 | log.offset | Log offset | long |
 | mimecast.action | The action triggered by the email. | keyword |
@@ -1268,11 +903,6 @@ An example event for `ttp_ip` looks as following:
 | mimecast.subject | The subject of the email. | keyword |
 | mimecast.taggedExternal | Whether the message was tagged as coming from an external address. | boolean |
 | mimecast.taggedMalicious | Whether the message was tagged as malicious. | boolean |
-| related.ip | All of the IPs seen on your event. | ip |
-| rule.name | The name of the rule or signature generating the event. | keyword |
-| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| tags | List of keywords used to tag each event. | keyword |
 ### TTP URL Logs
@@ -1386,51 +1016,15 @@ An example event for `ttp_url` looks as following:
 | Field | Description | Type |
 |---|---|---|
 | @timestamp | Event timestamp. | date |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
 | cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
 | data_stream.dataset | Data stream dataset. | constant_keyword |
 | data_stream.namespace | Data stream namespace. | constant_keyword |
 | data_stream.type | Data stream type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| email.direction | The direction of the message based on the sending and receiving domains. | keyword |
-| email.from.address | The email address of the sender, typically from the RFC 5322 `From:` header field.
| keyword |
-| email.message_id | Identifier from the RFC 5322 `Message-ID:` email header that refers to a particular email message. | wildcard |
-| email.subject | A brief summary of the topic of the message. | keyword |
-| email.subject.text | Multi-field of `email.subject`. | match_only_text |
-| email.to.address | The email address of recipient | keyword |
-| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
-| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date |
 | event.dataset | Event dataset | constant_keyword |
 | event.module | Event module | constant_keyword |
-| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
-| host.architecture | Operating system architecture. | keyword |
 | host.containerized | If the host is a container.
| boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
 | host.os.build | OS build information. | keyword |
 | host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
 | input.type | Input type | keyword |
 | log.offset | Log offset | long |
 | mimecast.action | The action that was taken for the click. | keyword |
@@ -1450,12 +1044,4 @@ An example event for `ttp_url` looks as following: | mimecast.userAwarenessAction | The action taken by the user if user awareness was applied. | keyword | | mimecast.userEmailAddress | The email address of the user who clicked the link. | keyword | | mimecast.userOverride | The action requested by the user. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| rule.name | The name of the rule or signature generating the event. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| tags | List of keywords used to tag each event. | keyword | -| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | -| url.original.text | Multi-field of `url.original`. | match_only_text | -| user.email | User email address. | keyword | diff --git a/packages/mimecast/manifest.yml b/packages/mimecast/manifest.yml index 477de3c60a4..a2b3ade0cf7 100644 --- a/packages/mimecast/manifest.yml +++ b/packages/mimecast/manifest.yml @@ -1,13 +1,13 @@ format_version: "3.0.2" name: mimecast title: "Mimecast" -version: "1.25.0" +version: "1.26.0" description: Collect logs from Mimecast with Elastic Agent. type: integration categories: ["security", "email_security"] conditions: kibana: - version: "^8.12.0" + version: "^8.13.0" screenshots: - src: /img/mimecast.png title: Sample screenshot diff --git a/packages/netskope/changelog.yml b/packages/netskope/changelog.yml index 47a75faeb2c..b5c411fbc38 100644 --- a/packages/netskope/changelog.yml +++ b/packages/netskope/changelog.yml 
@@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.19.0" + changes: + - description: Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template. + type: enhancement + link: https://github.com/elastic/integrations/pull/10135 - version: "1.18.0" changes: - description: Added support for custom TCP options. diff --git a/packages/netskope/data_stream/alerts/_dev/test/pipeline/test-common-config.yml b/packages/netskope/data_stream/alerts/_dev/test/pipeline/test-common-config.yml index 268aa7f67e6..ed9ac911387 100644 --- a/packages/netskope/data_stream/alerts/_dev/test/pipeline/test-common-config.yml +++ b/packages/netskope/data_stream/alerts/_dev/test/pipeline/test-common-config.yml @@ -1,7 +1,6 @@ fields: tags: - preserve_original_event - dynamic_fields: # This can be removed after ES 8.14 is the minimum version. # Relates: https://github.com/elastic/elasticsearch/pull/105689 diff --git a/packages/netskope/data_stream/alerts/fields/agent.yml b/packages/netskope/data_stream/alerts/fields/agent.yml index ee375d8ef36..894e6f12be2 100644 --- a/packages/netskope/data_stream/alerts/fields/agent.yml +++ b/packages/netskope/data_stream/alerts/fields/agent.yml 
@@ -5,142 +5,15 @@ footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' type: group fields: - - name: account.id - external: ecs - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - external: ecs - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - name: image.id type: keyword description: Image ID for the cloud instance. -- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. 
- - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. - name: host title: Host group: 2 description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' type: group fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - external: ecs - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). 
- example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - external: ecs - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - name: containerized type: boolean description: > diff --git a/packages/netskope/data_stream/alerts/fields/ecs.yml b/packages/netskope/data_stream/alerts/fields/ecs.yml deleted file mode 100644 index 354597532a7..00000000000 --- a/packages/netskope/data_stream/alerts/fields/ecs.yml +++ /dev/null 
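Review bot: Removing the `host.ip` (`type: ip`), `host.mac`, `host.domain` and the rest of the `host.*`/`cloud.*`/`container.*` declarations makes the alerts data stream's mapping of these fields depend entirely on the `ecs@mappings` component template being present, and nothing in this file records that assumption. If the template is not applied (or a cluster predates the new `^8.13.0` constraint), the fields fall back to dynamic mapping and `host.ip` is indexed as `keyword`, which silently breaks CIDR and IP-range queries in detection rules with no ingest error. The sibling test config still carries the `dynamic_fields` workaround marked as removable only once ES 8.14 is the minimum, which suggests 8.13 behaviour still needs care here. I would add a short comment at the top of the retained `host` group, `# ECS host.*/cloud.*/container.* fields are mapped by the ecs@mappings component template (ES >= 8.13); only non-ECS fields are declared here.`, and confirm the package's field/system tests still assert `host.ip` resolves to type `ip`.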
@@ -1,106 +0,0 @@ -- external: ecs - name: client.bytes -- external: ecs - name: client.port -- external: ecs - name: cloud.account.name -- external: ecs - name: cloud.service.name -- external: ecs - name: destination.address -- external: ecs - name: destination.domain -- external: ecs - name: destination.geo.city_name -- external: ecs - name: destination.geo.continent_name -- external: ecs - name: destination.geo.country_iso_code -- external: ecs - name: destination.geo.country_name -- external: ecs - name: destination.geo.location -- external: ecs - name: destination.geo.postal_code -- external: ecs - name: destination.geo.region_iso_code -- external: ecs - name: destination.geo.region_name -- external: ecs - name: destination.geo.timezone -- external: ecs - name: destination.ip -- external: ecs - name: destination.port -- external: ecs - name: event.id -- external: ecs - name: ecs.version -- external: ecs - name: file.hash.md5 -- external: ecs - name: file.mime_type -- external: ecs - name: file.name -- external: ecs - name: file.path -- external: ecs - name: file.size -- external: ecs - name: http.request.referrer -- external: ecs - name: network.protocol -- external: ecs - name: related.hosts -- external: ecs - name: related.ip -- external: ecs - name: source.address -- external: ecs - name: source.geo.city_name -- external: ecs - name: source.geo.continent_name -- external: ecs - name: source.geo.country_iso_code -- external: ecs - name: source.geo.country_name -- external: ecs - name: source.geo.location -- external: ecs - name: source.geo.postal_code -- external: ecs - name: source.geo.region_iso_code -- external: ecs - name: source.geo.region_name -- external: ecs - name: source.geo.timezone -- external: ecs - name: source.ip -- external: ecs - name: source.port -- external: ecs - name: tags -- external: ecs - name: threat.indicator.file.hash.md5 -- external: ecs - name: threat.indicator.file.hash.sha1 -- external: ecs - name: 
threat.indicator.file.hash.sha256 -- external: ecs - name: user.email -- external: ecs - name: user.group.name -- external: ecs - name: user.name -- external: ecs - name: user.roles -- external: ecs - name: user_agent.name -- external: ecs - name: user_agent.original -- external: ecs - name: user_agent.os.name -- external: ecs - name: user_agent.os.version -- external: ecs - name: user_agent.version diff --git a/packages/netskope/data_stream/events/_dev/test/pipeline/test-common-config.yml b/packages/netskope/data_stream/events/_dev/test/pipeline/test-common-config.yml index 7175bb1a704..f88bd98f400 100644 --- a/packages/netskope/data_stream/events/_dev/test/pipeline/test-common-config.yml +++ b/packages/netskope/data_stream/events/_dev/test/pipeline/test-common-config.yml @@ -1,7 +1,6 @@ fields: tags: - preserve_original_event - dynamic_fields: # This can be removed after ES 8.14 is the minimum version. # Relates: https://github.com/elastic/elasticsearch/pull/105689 diff --git a/packages/netskope/data_stream/events/fields/agent.yml b/packages/netskope/data_stream/events/fields/agent.yml index f1d064df00a..894e6f12be2 100644 --- a/packages/netskope/data_stream/events/fields/agent.yml +++ b/packages/netskope/data_stream/events/fields/agent.yml 
@@ -5,155 +5,15 @@ footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' type: group fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - external: ecs - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - name: image.id type: keyword description: Image ID for the cloud instance. -- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. These fields help correlate data based containers from any runtime.' 
- type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. - name: host title: Host group: 2 description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' type: group fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - external: ecs - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' 
- - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - name: containerized type: boolean description: > diff --git a/packages/netskope/data_stream/events/fields/ecs.yml b/packages/netskope/data_stream/events/fields/ecs.yml deleted file mode 100644 index ec27c72f9be..00000000000 --- a/packages/netskope/data_stream/events/fields/ecs.yml +++ /dev/null 
@@ -1,128 +0,0 @@ -- external: ecs - name: client.bytes -- external: ecs - name: client.nat.ip -- external: ecs - name: client.packets -- external: ecs - name: cloud.account.name -- external: ecs - name: cloud.service.name -- external: ecs - name: destination.address -- external: ecs - name: destination.domain -- external: ecs - name: destination.geo.city_name -- external: ecs - name: destination.geo.continent_name -- external: ecs - name: destination.geo.country_iso_code -- external: ecs - name: destination.geo.country_name -- external: ecs - name: destination.geo.location -- external: ecs - name: destination.geo.name -- external: ecs - name: destination.geo.postal_code -- external: ecs - name: destination.geo.region_iso_code -- external: ecs - name: destination.geo.region_name -- external: ecs - name: destination.geo.timezone -- external: ecs - name: destination.ip -- external: ecs - name: destination.port -- external: ecs - name: ecs.version -- external: ecs - name: event.action -- external: ecs - name: event.category -- external: ecs - name: event.id -- external: ecs - name: event.kind -- external: ecs - name: event.type -- external: ecs - name: file.hash.md5 -- external: ecs - name: file.mime_type -- external: ecs - name: file.name -- external: ecs - name: file.path -- external: ecs - name: file.size -- external: ecs - name: network.protocol -- external: ecs - name: related.hosts -- external: ecs - name: related.ip -- external: ecs - name: rule.id -- external: ecs - name: rule.name -- external: ecs - name: server.bytes -- external: ecs - name: server.packets -- external: ecs - name: source.address -- external: ecs - name: source.geo.city_name -- external: ecs - name: source.geo.continent_name -- external: ecs - name: source.geo.country_iso_code -- external: ecs - name: source.geo.country_name -- external: ecs - name: source.geo.location -- external: ecs - name: source.geo.postal_code -- external: ecs - name: source.geo.region_iso_code -- external: ecs - name: 
source.geo.region_name -- external: ecs - name: source.geo.timezone -- external: ecs - name: source.ip -- external: ecs - name: source.port -- external: ecs - name: tags -- external: ecs - name: threat.indicator.file.hash.md5 -- external: ecs - name: threat.indicator.file.hash.sha1 -- external: ecs - name: threat.indicator.file.hash.sha256 -- external: ecs - name: user.email -- external: ecs - name: user.group.name -- external: ecs - name: user.name -- external: ecs - name: user.roles -- external: ecs - name: user_agent.device.name -- external: ecs - name: user_agent.name -- external: ecs - name: user_agent.original -- external: ecs - name: user_agent.os.full -- external: ecs - name: user_agent.os.name -- external: ecs - name: user_agent.os.version -- external: ecs - name: user_agent.version diff --git a/packages/netskope/docs/README.md b/packages/netskope/docs/README.md index 58eba436dfa..dfcb3b29978 100644 --- a/packages/netskope/docs/README.md +++ b/packages/netskope/docs/README.md 
@@ -56,67 +56,15 @@ Default port: _9021_ | Field | Description | Type | |---|---|---| | @timestamp | Event timestamp. | date | -| client.bytes | Bytes sent from the client to the server. | long | -| client.port | Port of the client. | long | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | | cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host, resource, or service is located. | keyword | -| cloud.service.name | The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. Examples: app engine, app service, cloud run, fargate, lambda. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | | data_stream.dataset | Data stream dataset. | constant_keyword | | data_stream.namespace | Data stream namespace. | constant_keyword | | data_stream.type | Data stream type. 
| constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| destination.geo.city_name | City name. | keyword | -| destination.geo.continent_name | Name of the continent. | keyword | -| destination.geo.country_iso_code | Country ISO code. | keyword | -| destination.geo.country_name | Country name. | keyword | -| destination.geo.location | Longitude and latitude. | geo_point | -| destination.geo.postal_code | Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. | keyword | -| destination.geo.region_iso_code | Region ISO code. | keyword | -| destination.geo.region_name | Region name. | keyword | -| destination.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | | event.dataset | Event dataset | constant_keyword | -| event.id | Unique ID to describe the event. | keyword | | event.module | Event module | constant_keyword | -| file.hash.md5 | MD5 hash. 
| keyword | -| file.mime_type | MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used. | keyword | -| file.name | Name of the file including the extension, without the directory. | keyword | -| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword | -| file.path.text | Multi-field of `file.path`. | match_only_text | -| file.size | File size in bytes. Only relevant when `file.type` is "file". | long | -| host.architecture | Operating system architecture. | keyword | | host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | host.os.build | OS build information. | keyword | | host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. 
| keyword | -| host.os.name.text | Multi-field of `host.os.name`. | match_only_text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| http.request.referrer | Referrer for this HTTP request. | keyword | | input.type | Input type | keyword | | log.offset | Log offset | long | | log.source.address | Source address from which the log event was read / sent from. | keyword | 
@@ -544,37 +492,6 @@ Default port: _9021_ | netskope.alerts.workspace.id | Workspace ID in case of Slack for Enterprise. | keyword | | netskope.alerts.workspace.name | Workspace name in case of Slack for Enterprise. | keyword | | netskope.alerts.zip.password | Zip the malicious file and put pwd to it and send it back to caller. | keyword | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.postal_code | Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. | keyword | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| tags | List of keywords used to tag each event. | keyword | -| threat.indicator.file.hash.md5 | MD5 hash. 
| keyword | -| threat.indicator.file.hash.sha1 | SHA1 hash. | keyword | -| threat.indicator.file.hash.sha256 | SHA256 hash. | keyword | -| user.email | User email address. | keyword | -| user.group.name | Name of the group. | keyword | -| user.name | Short name or login of the user. | keyword | -| user.name.text | Multi-field of `user.name`. | match_only_text | -| user.roles | Array of user roles at the time of the event. | keyword | -| user_agent.name | Name of the user agent. | keyword | -| user_agent.original | Unparsed user_agent string. | keyword | -| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text | -| user_agent.os.name | Operating system name, without the version. | keyword | -| user_agent.os.name.text | Multi-field of `user_agent.os.name`. | match_only_text | -| user_agent.os.version | Operating system version as a raw string. | keyword | -| user_agent.version | Version of the user agent. | keyword | An example event for `alerts` looks as following: 
@@ -769,72 +686,15 @@ An example event for `alerts` looks as following: | Field | Description | Type | |---|---|---| | @timestamp | Event timestamp. | date | -| client.bytes | Bytes sent from the client to the server. | long | -| client.nat.ip | Translated IP of source based NAT sessions (e.g. internal client to internet). Typically connections traversing load balancers, firewalls, or routers. | ip | -| client.packets | Packets sent from the client to the server. | long | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | | cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host, resource, or service is located. | keyword | -| cloud.service.name | The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. Examples: app engine, app service, cloud run, fargate, lambda. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. 
| object | -| container.name | Container name. | keyword | | data_stream.dataset | Data stream dataset. | constant_keyword | | data_stream.namespace | Data stream namespace. | constant_keyword | | data_stream.type | Data stream type. | constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| destination.geo.city_name | City name. | keyword | -| destination.geo.continent_name | Name of the continent. | keyword | -| destination.geo.country_iso_code | Country ISO code. | keyword | -| destination.geo.country_name | Country name. | keyword | -| destination.geo.location | Longitude and latitude. | geo_point | -| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| destination.geo.postal_code | Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. | keyword | -| destination.geo.region_iso_code | Region ISO code. | keyword | -| destination.geo.region_name | Region name. | keyword | -| destination.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. 
| long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | | event.dataset | Event dataset | constant_keyword | -| event.id | Unique ID to describe the event. | keyword | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword | | event.module | Event module | constant_keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. 
`event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| file.hash.md5 | MD5 hash. | keyword | -| file.mime_type | MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used. | keyword | -| file.name | Name of the file including the extension, without the directory. | keyword | -| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword | -| file.path.text | Multi-field of `file.path`. | match_only_text | -| file.size | File size in bytes. Only relevant when `file.type` is "file". | long | -| host.architecture | Operating system architecture. | keyword | | host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. 
| keyword | | host.os.build | OS build information. | keyword | | host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | input.type | Input type | keyword | | log.offset | Log offset | long | | log.source.address | Source address from which the log event was read / sent from. | keyword | 
@@ -1134,44 +994,6 @@ An example event for `alerts` looks as following: | netskope.events.workspace.id | Workspace ID in case of Slack for Enterprise. | keyword | | netskope.events.workspace.name | Workspace name in case of Slack for Enterprise. | keyword | | netskope.events.zip_password | Zip the malacious file and put pwd to it and send it back to caller. | keyword | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| rule.id | A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. | keyword | -| rule.name | The name of the rule or signature generating the event. | keyword | -| server.bytes | Bytes sent from the server to the client. | long | -| server.packets | Packets sent from the server to the client. | long | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.postal_code | Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. 
| keyword | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| tags | List of keywords used to tag each event. | keyword | -| threat.indicator.file.hash.md5 | MD5 hash. | keyword | -| threat.indicator.file.hash.sha1 | SHA1 hash. | keyword | -| threat.indicator.file.hash.sha256 | SHA256 hash. | keyword | -| user.email | User email address. | keyword | -| user.group.name | Name of the group. | keyword | -| user.name | Short name or login of the user. | keyword | -| user.name.text | Multi-field of `user.name`. | match_only_text | -| user.roles | Array of user roles at the time of the event. | keyword | -| user_agent.device.name | Name of the device. | keyword | -| user_agent.name | Name of the user agent. | keyword | -| user_agent.original | Unparsed user_agent string. | keyword | -| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text | -| user_agent.os.full | Operating system name, including the version or code name. | keyword | -| user_agent.os.full.text | Multi-field of `user_agent.os.full`. | match_only_text | -| user_agent.os.name | Operating system name, without the version. | keyword | -| user_agent.os.name.text | Multi-field of `user_agent.os.name`. | match_only_text | -| user_agent.os.version | Operating system version as a raw string. | keyword | -| user_agent.version | Version of the user agent. | keyword | An example event for `events` looks as following: diff --git a/packages/netskope/manifest.yml b/packages/netskope/manifest.yml index 1a11db082cb..284b4c7e8a8 100644 --- a/packages/netskope/manifest.yml +++ b/packages/netskope/manifest.yml 
@@ -1,7 +1,7 @@
 format_version: "3.0.3"
 name: netskope
 title: "Netskope"
-version: "1.18.0"
+version: "1.19.0"
 description: Collect logs from Netskope with Elastic Agent.
 type: integration
 categories:
@@ -9,7 +9,7 @@ categories:
 - network
 conditions:
 kibana:
- version: ^8.7.0
+ version: "^8.13.0"
 screenshots:
 - src: /img/netskope-alerts-screenshot.png
 title: Netskope Alert logs screenshot
diff --git a/packages/o365/changelog.yml b/packages/o365/changelog.yml
index 9977d04563b..f3e4dfe3485 100644
--- a/packages/o365/changelog.yml
+++ b/packages/o365/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "2.4.0"
+ changes:
+ - description: Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/10135
 - version: "2.3.3"
 changes:
 - description: Improve handling of o365.audit.AdditionalInfo.
diff --git a/packages/o365/data_stream/audit/fields/agent.yml b/packages/o365/data_stream/audit/fields/agent.yml
index 92d4ec0730c..2bc58530bac 100644
--- a/packages/o365/data_stream/audit/fields/agent.yml
+++ b/packages/o365/data_stream/audit/fields/agent.yml
@@ -5,165 +5,15 @@ footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' type: group fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - name: image.id type: keyword description: Image ID for the cloud instance. -- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. 
- - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - external: ecs - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. - name: host title: Host group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' type: group fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - external: ecs - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. 
- - name: name - external: ecs - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - name: containerized type: boolean description: > diff --git a/packages/o365/data_stream/audit/fields/beats.yml b/packages/o365/data_stream/audit/fields/beats.yml index cb44bb29442..96190255552 100644 --- a/packages/o365/data_stream/audit/fields/beats.yml +++ b/packages/o365/data_stream/audit/fields/beats.yml @@ -7,6 +7,3 @@ - name: log.offset type: long description: Offset of the entry in the log file. -- name: log.file.path - type: keyword - description: Path to the log file. diff --git a/packages/o365/data_stream/audit/fields/ecs.yml b/packages/o365/data_stream/audit/fields/ecs.yml deleted file mode 100644 index 91fa0a69b67..00000000000 --- a/packages/o365/data_stream/audit/fields/ecs.yml +++ /dev/null 
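Review bot: Removing the explicit `host.os.name` definition (with its `multi_fields: text` of type `text`) from agent.yml changes the mapping of `host.os.name.text` to whatever `ecs@mappings` assigns, which is likely `match_only_text`; that is a mapping-type change for the multi-field and deserves a mention in the changelog entry earlier in this diff. The other removals (cloud.*, container.*, host.*) are all ECS-owned fields, so they are only covered on stacks that ship the component template; the o365 manifest constraint bump the changelog describes is not in this chunk, so please confirm it landed in the same commit. The retained non-ECS fields (`cloud.image.id`, `host.containerized`, `host.os.build`, `host.os.codename`) look correct to keep.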
@@ -1,156 +0,0 @@
-- external: ecs
- name: client.address
-- external: ecs
- name: client.domain
-- external: ecs
- name: client.ip
-- external: ecs
- name: client.port
-- external: ecs
- name: destination.ip
-- external: ecs
- name: destination.user.email
-- external: ecs
- name: destination.user.id
-- external: ecs
- name: ecs.version
-- external: ecs
- name: error.message
-- external: ecs
- name: event.action
-- external: ecs
- name: event.category
-- external: ecs
- name: event.code
-- external: ecs
- name: event.id
-- external: ecs
- name: event.ingested
-- external: ecs
- name: event.kind
-- external: ecs
- name: event.outcome
-- external: ecs
- name: event.provider
-- external: ecs
- name: event.severity
-- external: ecs
- name: event.type
-- external: ecs
- name: file.directory
-- external: ecs
- name: file.extension
-- external: ecs
- name: file.inode
-- external: ecs
- name: file.mtime
-- external: ecs
- name: file.name
-- external: ecs
- name: file.owner
-- external: ecs
- name: group.name
-- external: ecs
- name: message
-- external: ecs
- name: network.type
-- external: ecs
- name: organization.id
-- external: ecs
- name: organization.name
-- external: ecs
- name: process.name
-- external: ecs
- name: related.ip
-- external: ecs
- name: related.user
-- external: ecs
- name: rule.category
-- external: ecs
- name: rule.description
-- external: ecs
- name: rule.id
-- external: ecs
- name: rule.name
-- external: ecs
- name: rule.reference
-- external: ecs
- name: rule.ruleset
-- external: ecs
- name: server.address
-- external: ecs
- name: server.domain
-- external: ecs
- name: server.ip
-- external: ecs
- name: source.as.number
-- external: ecs
- name: source.as.organization.name
-- external: ecs
- name: source.geo.city_name
-- external: ecs
- name: source.geo.continent_name
-- external: ecs
- name: source.geo.country_iso_code
-- external: ecs
- name: source.geo.country_name
-- external: ecs
- name: source.geo.location
-- external: ecs
- name: source.geo.name
-- external: ecs
- name: source.geo.region_iso_code
-- external: ecs
- name: source.geo.region_name
-- external: ecs
- name: source.ip
-- external: ecs
- name: source.port
-- external: ecs
- name: source.user.email
-- external: ecs
- name: tags
-- external: ecs
- name: threat.technique.id
-- external: ecs
- name: url.original
-- external: ecs
- name: user.domain
-- external: ecs
- name: user.email
-- external: ecs
- name: user.full_name
-- external: ecs
- name: user.id
-- external: ecs
- name: user.name
-- external: ecs
- name: user.target.domain
-- external: ecs
- name: user.target.email
-- external: ecs
- name: user.target.full_name
-- external: ecs
- name: user.target.group.domain
-- external: ecs
- name: user.target.group.id
-- external: ecs
- name: user.target.group.name
-- external: ecs
- name: user.target.id
-- external: ecs
- name: user.target.name
-- external: ecs
- name: user_agent.device.name
-- external: ecs
- name: user_agent.name
-- external: ecs
- name: user_agent.original
-- external: ecs
- name: user_agent.os.full
-- external: ecs
- name: user_agent.os.name
-- external: ecs
- name: user_agent.os.version
-- external: ecs
- name: user_agent.version
diff --git a/packages/o365/docs/README.md b/packages/o365/docs/README.md
index af1bc05c8c8..0024af294a7 100644
--- a/packages/o365/docs/README.md
+++ b/packages/o365/docs/README.md
@@ -178,73 +178,18 @@ An example event for `audit` looks as following: | Field | Description | Type | |---|---|---| | @timestamp | Event timestamp. | date | -| client.address | Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| client.domain | The domain name of the client system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| client.ip | IP address of the client (IPv4 or IPv6). | ip | -| client.port | Port of the client. | long | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | | cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | | data_stream.dataset | Data stream dataset name. | constant_keyword | | data_stream.namespace | Data stream namespace. 
| constant_keyword | | data_stream.type | Data stream type. | constant_keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.user.email | User email address. | keyword | -| destination.user.id | Unique identifier of the user. | keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.message | Error message. | match_only_text | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword | | event.dataset | Event dataset | constant_keyword | -| event.id | Unique ID to describe the event. | keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. 
It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword | | event.module | Event module | constant_keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| event.provider | Source of the event. Event transports such as Syslog or the Windows Event Log typically mention the source of an event. 
It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). | keyword | -| event.severity | The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. | long | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| file.directory | Directory where the file is located. It should include the drive letter, when appropriate. | keyword | -| file.extension | File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | -| file.inode | Inode representing the file in the filesystem. | keyword | -| file.mtime | Last time the file content was modified. | date | -| file.name | Name of the file including the extension, without the directory. | keyword | -| file.owner | File owner's username. | keyword | -| group.name | Name of the group. | keyword | -| host.architecture | Operating system architecture. | keyword | | host.containerized | If the host is a container. 
| boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name (FQDN), or a name specified by the user. The recommended value is the lowercase FQDN of the host. | keyword | | host.os.build | OS build information. | keyword | | host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | input.type | Type of Filebeat input. | keyword | -| log.file.path | Path to the log file. | keyword | | log.flags | Flags for the log file. | keyword | | log.offset | Offset of the entry in the log file. | long | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. 
For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | | o365.audit.Activity | | keyword | | o365.audit.Actor.ID | | keyword | | o365.audit.Actor.Type | | keyword | 
@@ -415,65 +360,4 @@ An example event for `audit` looks as following: | o365.audit.WorkspaceId | | keyword | | o365.audit.WorkspaceName | | keyword | | o365.audit.YammerNetworkId | | keyword | -| organization.id | Unique identifier for the organization. | keyword | -| organization.name | Organization name. | keyword | -| organization.name.text | Multi-field of `organization.name`. | match_only_text | -| process.name | Process name. Sometimes called program name or similar. | keyword | -| process.name.text | Multi-field of `process.name`. | match_only_text | -| related.ip | All of the IPs seen on your event. | ip | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| rule.category | A categorization value keyword used by the entity using the rule for detection of this event. | keyword | -| rule.description | The description of the rule generating the event. | keyword | -| rule.id | A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. | keyword | -| rule.name | The name of the rule or signature generating the event. | keyword | -| rule.reference | Reference URL to additional information about the rule used to generate this event. The URL can point to the vendor's documentation about the rule. If that's not available, it can also be a link to a more general page describing this type of alert. | keyword | -| rule.ruleset | Name of the ruleset, policy, group, or parent category in which the rule used to generate this event is a member. | keyword | -| server.address | Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| server.domain | The domain name of the server system. 
This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| server.ip | IP address of the server (IPv4 or IPv6). | ip | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| source.user.email | User email address. | keyword | -| tags | List of keywords used to tag each event. | keyword | -| threat.technique.id | The id of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) | keyword | -| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. 
| wildcard | -| url.original.text | Multi-field of `url.original`. | match_only_text | -| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | -| user.email | User email address. | keyword | -| user.full_name | User's full name, if available. | keyword | -| user.full_name.text | Multi-field of `user.full_name`. | match_only_text | -| user.id | Unique identifier of the user. | keyword | -| user.name | Short name or login of the user. | keyword | -| user.name.text | Multi-field of `user.name`. | match_only_text | -| user.target.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | -| user.target.email | User email address. | keyword | -| user.target.full_name | User's full name, if available. | keyword | -| user.target.full_name.text | Multi-field of `user.target.full_name`. | match_only_text | -| user.target.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | -| user.target.group.id | Unique identifier for the group on the system/platform. | keyword | -| user.target.group.name | Name of the group. | keyword | -| user.target.id | Unique identifier of the user. | keyword | -| user.target.name | Short name or login of the user. | keyword | -| user.target.name.text | Multi-field of `user.target.name`. | match_only_text | -| user_agent.device.name | Name of the device. | keyword | -| user_agent.name | Name of the user agent. | keyword | -| user_agent.original | Unparsed user_agent string. | keyword | -| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text | -| user_agent.os.full | Operating system name, including the version or code name. | keyword | -| user_agent.os.full.text | Multi-field of `user_agent.os.full`. | match_only_text | -| user_agent.os.name | Operating system name, without the version. 
| keyword |
-| user_agent.os.name.text | Multi-field of `user_agent.os.name`. | match_only_text |
-| user_agent.os.version | Operating system version as a raw string. | keyword |
-| user_agent.version | Version of the user agent. | keyword |
diff --git a/packages/o365/manifest.yml b/packages/o365/manifest.yml
index fe7d562be53..0d3d815c6f2 100644
--- a/packages/o365/manifest.yml
+++ b/packages/o365/manifest.yml
@@ -1,13 +1,13 @@
 name: o365
 title: Microsoft 365
-version: "2.3.3"
+version: "2.4.0"
 description: Collect logs from Microsoft 365 with Elastic Agent.
 type: integration
 format_version: "3.0.2"
 categories: [security, productivity_security]
 conditions:
 kibana:
- version: ^8.12.0
+ version: "^8.13.0"
 icons:
 - src: /img/logo-integrations-microsoft-365.svg
 title: Microsoft Office 365
diff --git a/packages/okta/changelog.yml b/packages/okta/changelog.yml
index c8f7f9a2f13..7fc0e0c447a 100644
--- a/packages/okta/changelog.yml
+++ b/packages/okta/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "2.11.0"
+ changes:
+ - description: Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/10135
 - version: "2.10.0"
 changes:
 - description: Support OIN service application authentication.
diff --git a/packages/okta/data_stream/system/fields/agent.yml b/packages/okta/data_stream/system/fields/agent.yml
index 2f0666cc38f..2bc58530bac 100644
--- a/packages/okta/data_stream/system/fields/agent.yml
+++ b/packages/okta/data_stream/system/fields/agent.yml
@@ -5,177 +5,15 @@ footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' type: group fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - name: image.id type: keyword description: Image ID for the cloud instance. -- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. 
- - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - external: ecs - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. - name: host title: Host group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' type: group fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. 
- - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - name: containerized type: boolean description: > diff --git a/packages/okta/data_stream/system/fields/beats.yml b/packages/okta/data_stream/system/fields/beats.yml index cb44bb29442..96190255552 100644 --- a/packages/okta/data_stream/system/fields/beats.yml +++ b/packages/okta/data_stream/system/fields/beats.yml 
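Review bot: Dropping the ECS `cloud.*`, `container.*` and `host.*` definitions from this `agent.yml` hunk leaves the mapping of those fields (for example `host.ip` as `ip`, `host.mac` as `keyword`) entirely to the `ecs@mappings` component template, so the package is only correct on a stack whose template covers them; the okta changelog entry in this commit, unlike the opencanary one, does not mention raising the kibana constraint, and the visible `packages/okta/manifest.yml` hunk changes only `version`. Please confirm `conditions.kibana.version` in `packages/okta/manifest.yml` is `"^8.13.0"`, as this commit sets for o365, because on an older stack these fields would presumably fall back to dynamic mapping and silently break saved queries and detection rules that expect typed values. The entries kept here (`image.id`, `containerized`, and the `host.os.build`/`host.os.codename` rows still listed in the okta README hunk) are not ECS fields, so retaining them looks right. The reflow of the `host` group's `description` onto a single line is unrelated to the ECS clean-up and could be left out to keep the hunk focused.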
@@ -7,6 +7,3 @@
 - name: log.offset
 type: long
 description: Offset of the entry in the log file.
-- name: log.file.path
- type: keyword
- description: Path to the log file.
diff --git a/packages/okta/data_stream/system/fields/ecs.yml b/packages/okta/data_stream/system/fields/ecs.yml
deleted file mode 100644
index 688246885b3..00000000000
--- a/packages/okta/data_stream/system/fields/ecs.yml
+++ /dev/null
@@ -1,144 +0,0 @@ -- external: ecs - name: client.as.number -- external: ecs - name: client.as.organization.name -- external: ecs - name: client.domain -- external: ecs - name: client.geo.city_name -- external: ecs - name: client.geo.country_name -- external: ecs - name: client.geo.location -- external: ecs - name: client.geo.region_name -- external: ecs - name: client.ip -- external: ecs - name: client.user.full_name -- external: ecs - name: client.user.id -- external: ecs - name: client.user.name -- external: ecs - name: destination.as.number -- external: ecs - name: destination.as.organization.name -- external: ecs - name: destination.geo.city_name -- external: ecs - name: destination.geo.continent_name -- external: ecs - name: destination.geo.country_iso_code -- external: ecs - name: destination.geo.country_name -- external: ecs - name: destination.geo.location -- external: ecs - name: destination.geo.name -- external: ecs - name: destination.geo.region_iso_code -- external: ecs - name: destination.geo.region_name -- external: ecs - name: destination.ip -- external: ecs - name: ecs.version -- external: ecs - name: error.message -- external: ecs - name: event.action -- external: ecs - name: event.category -- external: ecs - name: event.created -- external: ecs - name: event.id -- external: ecs - name: event.ingested -- external: ecs - name: event.kind -- external: ecs - name: event.original -- external: ecs - name: event.outcome -- external: ecs - name: event.type -- external: ecs - name: message -- external: ecs - name: related.ip -- external: ecs - name: related.user -- external: ecs - name: source.as.number -- external: ecs - name: source.as.organization.name -- external: ecs - name: source.domain -- external: ecs - name: source.geo.city_name -- external: ecs - name: source.geo.continent_name -- external: ecs - name: source.geo.country_iso_code -- external: ecs - name: source.geo.country_name -- external: ecs - name: source.geo.location -- external: ecs - 
name: source.geo.name -- external: ecs - name: source.geo.region_iso_code -- external: ecs - name: source.geo.region_name -- external: ecs - name: source.ip -- external: ecs - name: source.user.full_name -- external: ecs - name: source.user.id -- external: ecs - name: source.user.name -- external: ecs - name: tags -- external: ecs - name: user.domain -- external: ecs - name: user.email -- external: ecs - name: user.full_name -- external: ecs - name: user.id -- external: ecs - name: user.name -- external: ecs - name: user.target.domain -- external: ecs - name: user.target.email -- external: ecs - name: user.target.full_name -- external: ecs - name: user.target.group.domain -- external: ecs - name: user.target.group.id -- external: ecs - name: user.target.group.name -- external: ecs - name: user.target.id -- external: ecs - name: user.target.name -- external: ecs - name: user_agent.device.name -- external: ecs - name: user_agent.name -- external: ecs - name: user_agent.original -- external: ecs - name: user_agent.os.full -- external: ecs - name: user_agent.os.name -- external: ecs - name: user_agent.os.version -- external: ecs - name: user_agent.version diff --git a/packages/okta/docs/README.md b/packages/okta/docs/README.md index 2e5303f958d..4920e98dbbc 100644 --- a/packages/okta/docs/README.md +++ b/packages/okta/docs/README.md 
@@ -224,83 +224,18 @@ An example event for `system` looks as following: | Field | Description | Type | |---|---|---| | @timestamp | Event timestamp. | date | -| client.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| client.as.organization.name | Organization name. | keyword | -| client.as.organization.name.text | Multi-field of `client.as.organization.name`. | match_only_text | -| client.domain | The domain name of the client system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| client.geo.city_name | City name. | keyword | -| client.geo.country_name | Country name. | keyword | -| client.geo.location | Longitude and latitude. | geo_point | -| client.geo.region_name | Region name. | keyword | -| client.ip | IP address of the client (IPv4 or IPv6). | ip | -| client.user.full_name | User's full name, if available. | keyword | -| client.user.full_name.text | Multi-field of `client.user.full_name`. | match_only_text | -| client.user.id | Unique identifier of the user. | keyword | -| client.user.name | Short name or login of the user. | keyword | -| client.user.name.text | Multi-field of `client.user.name`. | match_only_text | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | | cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. 
| keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | | data_stream.dataset | Data stream dataset name. | constant_keyword | | data_stream.namespace | Data stream namespace. | constant_keyword | | data_stream.type | Data stream type. | constant_keyword | -| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| destination.as.organization.name | Organization name. | keyword | -| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | -| destination.geo.city_name | City name. | keyword | -| destination.geo.continent_name | Name of the continent. | keyword | -| destination.geo.country_iso_code | Country ISO code. | keyword | -| destination.geo.country_name | Country name. | keyword | -| destination.geo.location | Longitude and latitude. | geo_point | -| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| destination.geo.region_iso_code | Region ISO code. | keyword | -| destination.geo.region_name | Region name. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.message | Error message. | match_only_text | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date | | event.dataset | Event dataset | constant_keyword | -| event.id | Unique ID to describe the event. | keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. 
It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword | | event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. 
Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| host.architecture | Operating system architecture. | keyword | | host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | host.os.build | OS build information. | keyword | | host.os.codename | OS codename, if any. 
| keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | input.type | Type of Filebeat input. | keyword | -| log.file.path | Path to the log file. | keyword | | log.flags | Flags for the log file. | keyword | | log.offset | Offset of the entry in the log file. | long | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | | okta.actor.alternate_id | Alternate identifier of the actor. | keyword | | okta.actor.display_name | Display name of the actor. | keyword | | okta.actor.id | Identifier of the actor. | keyword | 
@@ -358,51 +293,3 @@ An example event for `system` looks as following: | okta.transaction.type | The type of transaction. Must be one of "WEB", "JOB". | keyword | | okta.uuid | The unique identifier of the Okta LogEvent. | keyword | | okta.version | The version of the LogEvent. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.user.full_name | User's full name, if available. | keyword | -| source.user.full_name.text | Multi-field of `source.user.full_name`. | match_only_text | -| source.user.id | Unique identifier of the user. 
| keyword | -| source.user.name | Short name or login of the user. | keyword | -| source.user.name.text | Multi-field of `source.user.name`. | match_only_text | -| tags | List of keywords used to tag each event. | keyword | -| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | -| user.email | User email address. | keyword | -| user.full_name | User's full name, if available. | keyword | -| user.full_name.text | Multi-field of `user.full_name`. | match_only_text | -| user.id | Unique identifier of the user. | keyword | -| user.name | Short name or login of the user. | keyword | -| user.name.text | Multi-field of `user.name`. | match_only_text | -| user.target.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | -| user.target.email | User email address. | keyword | -| user.target.full_name | User's full name, if available. | keyword | -| user.target.full_name.text | Multi-field of `user.target.full_name`. | match_only_text | -| user.target.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | -| user.target.group.id | Unique identifier for the group on the system/platform. | keyword | -| user.target.group.name | Name of the group. | keyword | -| user.target.id | Unique identifier of the user. | keyword | -| user.target.name | Short name or login of the user. | keyword | -| user.target.name.text | Multi-field of `user.target.name`. | match_only_text | -| user_agent.device.name | Name of the device. | keyword | -| user_agent.name | Name of the user agent. | keyword | -| user_agent.original | Unparsed user_agent string. | keyword | -| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text | -| user_agent.os.full | Operating system name, including the version or code name. 
| keyword |
-| user_agent.os.full.text | Multi-field of `user_agent.os.full`. | match_only_text |
-| user_agent.os.name | Operating system name, without the version. | keyword |
-| user_agent.os.name.text | Multi-field of `user_agent.os.name`. | match_only_text |
-| user_agent.os.version | Operating system version as a raw string. | keyword |
-| user_agent.version | Version of the user agent. | keyword |
diff --git a/packages/okta/manifest.yml b/packages/okta/manifest.yml
index 62f68c3a9f9..8c21b151717 100644
--- a/packages/okta/manifest.yml
+++ b/packages/okta/manifest.yml
@@ -1,6 +1,6 @@
 name: okta
 title: Okta
-version: "2.10.0"
+version: "2.11.0"
 description: Collect and parse event logs from Okta API with Elastic Agent.
 type: integration
 format_version: "3.0.2"
diff --git a/packages/opencanary/changelog.yml b/packages/opencanary/changelog.yml
index 6bbdef39abc..e780a4d12d5 100644
--- a/packages/opencanary/changelog.yml
+++ b/packages/opencanary/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "0.1.0"
+ changes:
+ - description: Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/10135
 - version: "0.0.1"
 changes:
 - description: Initial draft of the package
diff --git a/packages/opencanary/data_stream/events/_dev/test/pipeline/test-events.log-expected.json b/packages/opencanary/data_stream/events/_dev/test/pipeline/test-events.log-expected.json
index 49aacae58ac..7a0057553e9 100644
--- a/packages/opencanary/data_stream/events/_dev/test/pipeline/test-events.log-expected.json
+++ b/packages/opencanary/data_stream/events/_dev/test/pipeline/test-events.log-expected.json
@@ -502,7 +502,7 @@
 "id": "opencanary-1"
 },
 "redis": {
- "command": "\u0000\u000c\u0000\u0000\u0010\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000"
+ "command": "\u0000\f\u0000\u0000\u0010\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000"
 }
 },
 "related": {
diff --git a/packages/opencanary/data_stream/events/fields/agent.yml b/packages/opencanary/data_stream/events/fields/agent.yml
index 060a12cbb09..8f9dc95f3a3 100644
--- a/packages/opencanary/data_stream/events/fields/agent.yml
+++ b/packages/opencanary/data_stream/events/fields/agent.yml
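Review bot: The only change in this hunk is the escape form of the form-feed byte inside `redis.command`, `\u000c` → `\f`; both are valid RFC 8259 escapes for U+000C, so the expected document is value-identical and the rewrite looks like a serializer artifact from regenerating the fixture rather than a pipeline behaviour change. If the pipeline test harness compares this file byte-for-byte instead of by parsed value, churn of this kind will recur whenever the generator's escaping changes, so it is worth confirming which comparison is used. The enclosing JSON object starts and ends outside the hunk.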
@@ -5,180 +5,15 @@
 footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
 type: group
 fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
-
- Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
 - name: image.id
 type: keyword
 description: Image ID for the cloud instance.
-- name: container
- title: Container
- group: 2
- description: 'Container fields are used for meta information about the specific container that is the source of information.
-
- These fields help correlate data based containers from any runtime.'
- type: group
- fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container id.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
 - name: host
 title: Host
 group: 2
- description: 'A host is defined as a general computing instance.
-
- ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
+ description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
 type: group
 fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'Name of the domain of which the host is a member.
-
- For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
- example: CONTOSO
- default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host.
-
- It normally contains what the `hostname` command returns on the host machine.'
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Unique host id.
-
- As hostname is not always unique, use values that are meaningful in your environment.
-
- Example: The current usage of `beat.name`.'
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host.
-
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Type of host.
-
- For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
 - name: containerized
 type: boolean
 description: >
diff --git a/packages/opencanary/data_stream/events/fields/ecs.yml b/packages/opencanary/data_stream/events/fields/ecs.yml
deleted file mode 100644
index 96cfa7d0df8..00000000000
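Review bot: The removed `cloud.*`, `container.*` and `host.*` definitions are only redundant if the `ecs@mappings` component template is actually applied to this data stream, which depends on the Kibana constraint in the package manifest; the changelog entry in this commit says the constraint was raised to ^8.13.0, but that manifest change is not in this hunk, so it should be confirmed before the mappings for these fields are left to dynamic templates. Of the removed definitions, `host.os.name` carried an explicit `text` multi-field (`multi_fields: - name: text`), and whether the dynamic ECS mapping reproduces `host.os.name.text` should be checked, since saved searches or dashboards querying that multi-field would otherwise break. The retained `cloud.image.id` and `host.containerized` entries now have no `level`/`ignore_above` attributes unlike their removed siblings, presumably because they are not ECS fields; a one-line comment above each, such as `# non-ECS field, kept explicitly`, would explain why they survive the cleanup.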
--- a/packages/opencanary/data_stream/events/fields/ecs.yml
+++ /dev/null
@@ -1,327 +0,0 @@
-- external: ecs
- name: client.domain
-- external: ecs
- name: client.address
-- external: ecs
- name: client.port
-- external: ecs
- name: client.ip
-- external: ecs
- name: client.user.name
-- external: ecs
- name: destination.address
-- external: ecs
- name: destination.as.number
-- external: ecs
- name: destination.as.organization.name
-- external: ecs
- name: destination.bytes
-- external: ecs
- name: destination.domain
-- external: ecs
- name: destination.geo.city_name
-- external: ecs
- name: destination.geo.continent_code
-- external: ecs
- name: destination.geo.continent_name
-- external: ecs
- name: destination.geo.country_iso_code
-- external: ecs
- name: destination.geo.country_name
-- external: ecs
- name: destination.geo.location
-- external: ecs
- name: destination.geo.postal_code
-- external: ecs
- name: destination.geo.region_iso_code
-- external: ecs
- name: destination.geo.region_name
-- external: ecs
- name: destination.geo.timezone
-- external: ecs
- name: destination.ip
-- external: ecs
- name: destination.mac
-- external: ecs
- name: destination.nat.ip
-- external: ecs
- name: destination.nat.port
-- external: ecs
- name: destination.packets
-- external: ecs
- name: destination.port
-- external: ecs
- name: destination.user.name
-- external: ecs
- name: dns.question.name
-- external: ecs
- name: dns.question.registered_domain
-- external: ecs
- name: dns.question.subdomain
-- external: ecs
- name: dns.question.top_level_domain
-- external: ecs
- name: dns.question.type
-- external: ecs
- name: dns.response_code
-- external: ecs
- name: ecs.version
-- external: ecs
- name: error.message
-- external: ecs
- name: event.action
-- external: ecs
- name: event.category
-- external: ecs
- name: event.code
-- external: ecs
- name: event.created
-- external: ecs
- name: event.duration
-- external: ecs
- name: event.end
-- external: ecs
- name: event.id
-- external: ecs
- name: event.ingested
-- external: ecs
- name: event.kind
-- external: ecs
- name: event.original
-- external: ecs
- name: event.outcome
-- external: ecs
- name: event.provider
-- external: ecs
- name: event.reason
-- external: ecs
- name: event.severity
-- external: ecs
- name: event.start
-- external: ecs
- name: event.timezone
-- external: ecs
- name: event.type
-- external: ecs
- name: file.hash.sha256
-- external: ecs
- name: file.name
-- external: ecs
- name: file.path
-- external: ecs
- name: file.size
-- external: ecs
- name: http.request.method
-- external: ecs
- name: http.request.bytes
-- external: ecs
- name: http.request.referrer
-- external: ecs
- name: http.response.bytes
-- external: ecs
- name: http.response.status_code
-- external: ecs
- name: labels
-- external: ecs
- name: log.file.path
-- external: ecs
- name: log.level
-- external: ecs
- name: log.logger
-- external: ecs
- name: log.syslog.priority
-- external: ecs
- name: log.syslog.facility.code
-- external: ecs
- name: log.syslog.facility.name
-- external: ecs
- name: log.syslog.hostname
-- external: ecs
- name: log.syslog.severity.code
-- external: ecs
- name: log.syslog.severity.name
-- external: ecs
- name: message
-- external: ecs
- name: network.application
-- external: ecs
- name: network.bytes
-- external: ecs
- name: network.community_id
-- external: ecs
- name: network.direction
-- external: ecs
- name: network.iana_number
-- external: ecs
- name: network.inner
- type: group
-- external: ecs
- name: network.inner.vlan.id
-- external: ecs
- name: network.inner.vlan.name
-- external: ecs
- name: network.protocol
-- external: ecs
- name: network.transport
-- external: ecs
- name: network.type
-- external: ecs
- name: observer.egress.interface.alias
-- external: ecs
- name: observer.egress.interface.id
-- external: ecs
- name: observer.egress.interface.name
-- external: ecs
- name: observer.egress.zone
-- external: ecs
- name: observer.hostname
-- external: ecs
- name: observer.ingress.interface.alias
-- external: ecs
- name: observer.ingress.interface.id
-- external: ecs
- name: observer.ingress.interface.name
-- external: ecs
- name: observer.ingress.zone
-- external: ecs
- name: observer.ip
-- external: ecs
- name: observer.name
-- external: ecs
- name: observer.product
-- external: ecs
- name: observer.type
-- external: ecs
- name: observer.vendor
-- external: ecs
- name: observer.version
-- external: ecs
- name: process.name
-- external: ecs
- name: process.pid
-- external: ecs
- name: related.hash
-- external: ecs
- name: related.hosts
-- external: ecs
- name: related.ip
-- external: ecs
- name: related.user
-- external: ecs
- name: rule.category
-- external: ecs
- name: rule.id
-- external: ecs
- name: rule.name
-- external: ecs
- name: rule.ruleset
-- external: ecs
- name: server.domain
-- external: ecs
- name: server.address
-- external: ecs
- name: server.port
-- external: ecs
- name: server.ip
-- external: ecs
- name: server.user.name
-- external: ecs
- name: service.id
-- external: ecs
- name: source.address
-- external: ecs
- name: source.as.number
-- external: ecs
- name: source.as.organization.name
-- external: ecs
- name: source.bytes
-- external: ecs
- name: source.domain
-- external: ecs
- name: source.geo.city_name
-- external: ecs
- name: source.geo.continent_code
-- external: ecs
- name: source.geo.continent_name
-- external: ecs
- name: source.geo.country_iso_code
-- external: ecs
- name: source.geo.country_name
-- external: ecs
- name: source.geo.location
-- external: ecs
- name: source.geo.postal_code
-- external: ecs
- name: source.geo.region_iso_code
-- external: ecs
- name: source.geo.region_name
-- external: ecs
- name: source.geo.timezone
-- external: ecs
- name: source.ip
-- external: ecs
- name: source.mac
-- external: ecs
- name: source.nat.ip
-- external: ecs
- name: source.nat.port
-- external: ecs
- name: source.packets
-- external: ecs
- name: source.port
-- external: ecs
- name: source.user.name
-- external: ecs
- name: source.user.group.name
-- external: ecs
- name: tags
-- external: ecs
- name: url.domain
-- external: ecs
- name: url.extension
-- external: ecs
- name: url.fragment
-- external: ecs
- name: url.full
-- external: ecs
- name: url.original
-- external: ecs
- name: url.password
-- external: ecs
- name: url.path
-- external: ecs
- name: url.port
-- external: ecs
- name: url.query
-- external: ecs
- name: url.registered_domain
-- external: ecs
- name: url.scheme
-- external: ecs
- name: url.subdomain
-- external: ecs
- name: url.top_level_domain
-- external: ecs
- name: url.username
-- external: ecs
- name: user.domain
-- external: ecs
- name: user.email
-- external: ecs
- name: user.id
-- external: ecs
- name: user.name
-- external: ecs
- name: user_agent.device.name
-- external: ecs
- name: user_agent.name
-- external: ecs
- name: user_agent.original
-- external: ecs
- name: user_agent.os.full
-- external: ecs
- name: user_agent.os.name
-- external: ecs
- name: user_agent.os.version
-- external: ecs
- name: user_agent.version
diff --git a/packages/opencanary/docs/README.md b/packages/opencanary/docs/README.md
index a4f8f58ebe2..1a09eb7957b 100755
--- a/packages/opencanary/docs/README.md
+++ b/packages/opencanary/docs/README.md
@@ -89,145 +89,17 @@ An example event for `events` looks as following:
 | Field | Description | Type |
 |---|---|---|
 | @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date |
-| client.address | Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| client.domain | The domain name of the client system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
-| client.ip | IP address of the client (IPv4 or IPv6). | ip |
-| client.port | Port of the client. | long |
-| client.user.name | Short name or login of the user. | keyword |
-| client.user.name.text | Multi-field of `client.user.name`. | match_only_text |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
 | cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
 | data_stream.dataset | Data stream dataset. | constant_keyword |
 | data_stream.namespace | Data stream namespace. | constant_keyword |
 | data_stream.type | Data stream type. | constant_keyword |
-| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| destination.as.organization.name | Organization name. | keyword |
-| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text |
-| destination.bytes | Bytes sent from the destination to the source. | long |
-| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
-| destination.geo.city_name | City name. | keyword |
-| destination.geo.continent_code | Two-letter code representing continent's name. | keyword |
-| destination.geo.continent_name | Name of the continent. | keyword |
-| destination.geo.country_iso_code | Country ISO code. | keyword |
-| destination.geo.country_name | Country name. | keyword |
-| destination.geo.location | Longitude and latitude. | geo_point |
-| destination.geo.postal_code | Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. | keyword |
-| destination.geo.region_iso_code | Region ISO code. | keyword |
-| destination.geo.region_name | Region name. | keyword |
-| destination.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword |
-| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
-| destination.mac | MAC address of the destination. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
-| destination.nat.ip | Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip |
-| destination.nat.port | Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers. | long |
-| destination.packets | Packets sent from the destination to the source. | long |
-| destination.port | Port of the destination. | long |
-| destination.user.name | Short name or login of the user. | keyword |
-| destination.user.name.text | Multi-field of `destination.user.name`. | match_only_text |
-| dns.question.name | The name being queried. If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. | keyword |
-| dns.question.registered_domain | The highest registered domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
-| dns.question.subdomain | The subdomain is all of the labels under the registered_domain. If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword |
-| dns.question.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
-| dns.question.type | The type of record being queried. | keyword |
-| dns.response_code | The DNS response code. | keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| error.message | Error message. | match_only_text |
-| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword |
-| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date |
 | event.dataset | Event dataset | constant_keyword |
-| event.duration | Duration of the event in nanoseconds. If `event.start` and `event.end` are known this value should be the difference between the end and start time. | long |
-| event.end | `event.end` contains the date when the event ended or when the activity was last observed. | date |
-| event.id | Unique ID to describe the event. | keyword |
-| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword |
 | event.module | Event module | constant_keyword |
-| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
-| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword |
-| event.provider | Source of the event. Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). | keyword |
-| event.reason | Reason why this event happened, according to the source. This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). | keyword |
-| event.severity | The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. | long |
-| event.start | `event.start` contains the date when the event started or when the activity was first observed. | date |
-| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| file.hash.sha256 | SHA256 hash. | keyword |
-| file.name | Name of the file including the extension, without the directory. | keyword |
-| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword |
-| file.path.text | Multi-field of `file.path`. | match_only_text |
-| file.size | File size in bytes. Only relevant when `file.type` is "file". | long |
-| host.architecture | Operating system architecture. | keyword |
 | host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
 | host.os.build | OS build information. | keyword |
 | host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| http.request.bytes | Total size in bytes of the request (body and headers). | long |
-| http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword |
-| http.request.referrer | Referrer for this HTTP request. | keyword |
-| http.response.bytes | Total size in bytes of the response (body and headers). | long |
-| http.response.status_code | HTTP response status code. | long |
 | input.type | Input type. | keyword |
-| labels | Custom key/value pairs. Can be used to add meta information to events. Should not contain nested objects. All values are stored as keyword. Example: `docker` and `k8s` labels. | object |
-| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword |
-| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword |
-| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword |
 | log.offset | Offset of the entry in the log file. | long |
-| log.syslog.facility.code | The Syslog numeric facility of the log event, if available. According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. | long |
-| log.syslog.facility.name | The Syslog text-based facility of the log event, if available. | keyword |
-| log.syslog.hostname | The hostname, FQDN, or IP of the machine that originally sent the Syslog message. This is sourced from the hostname field of the syslog header. Depending on the environment, this value may be different from the host that handled the event, especially if the host handling the events is acting as a collector. | keyword |
-| log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 \* facility + severity. This number is therefore expected to contain a value between 0 and 191. | long |
-| log.syslog.severity.code | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. | long |
-| log.syslog.severity.name | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different severity value (e.g. firewall, IDS), your source's text severity should go to `log.level`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `log.level`. | keyword |
-| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text |
-| network.application | When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. The field value must be normalized to lowercase for querying. | keyword |
-| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long |
-| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword |
-| network.direction | Direction of the network traffic. When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword |
-| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword |
-| network.inner | Network.inner fields are added in addition to network.vlan fields to describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed fields include vlan.id and vlan.name. Inner vlan fields are typically used when sending traffic with multiple 802.1q encapsulations to a network sensor (e.g. Zeek, Wireshark.) | group |
-| network.inner.vlan.id | VLAN ID as reported by the observer. | keyword |
-| network.inner.vlan.name | Optional VLAN name as reported by the observer. | keyword |
-| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword |
-| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
-| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword |
-| observer.egress.interface.alias | Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming. | keyword |
-| observer.egress.interface.id | Interface ID as reported by an observer (typically SNMP interface ID). | keyword |
-| observer.egress.interface.name | Interface name as reported by the system. | keyword |
-| observer.egress.zone | Network zone of outbound traffic as reported by the observer to categorize the destination area of egress traffic, e.g. Internal, External, DMZ, HR, Legal, etc. 
| keyword | -| observer.hostname | Hostname of the observer. | keyword | -| observer.ingress.interface.alias | Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming. | keyword | -| observer.ingress.interface.id | Interface ID as reported by an observer (typically SNMP interface ID). | keyword | -| observer.ingress.interface.name | Interface name as reported by the system. | keyword | -| observer.ingress.zone | Network zone of incoming traffic as reported by the observer to categorize the source area of ingress traffic. e.g. internal, External, DMZ, HR, Legal, etc. | keyword | -| observer.ip | IP addresses of the observer. | ip | -| observer.name | Custom name of the observer. This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. If no custom name is needed, the field can be left empty. | keyword | -| observer.product | The product name of the observer. | keyword | -| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword | -| observer.vendor | Vendor name of the observer. | keyword | -| observer.version | Observer version. | keyword | | opencanary.logdata.cwr | | keyword | | opencanary.logdata.df | | keyword | | opencanary.logdata.ece | | keyword | 
@@ -261,79 +133,4 @@ An example event for `events` looks as following: | opencanary.tcp_banner.data | | keyword | | opencanary.tcp_banner.function | | keyword | | opencanary.tcp_banner.secret_string | | keyword | -| process.name | Process name. Sometimes called program name or similar. | keyword | -| process.name.text | Multi-field of `process.name`. | match_only_text | -| process.pid | Process id. | long | -| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| rule.category | A categorization value keyword used by the entity using the rule for detection of this event. | keyword | -| rule.id | A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. | keyword | -| rule.name | The name of the rule or signature generating the event. | keyword | -| rule.ruleset | Name of the ruleset, policy, group, or parent category in which the rule used to generate this event is a member. | keyword | -| server.address | Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| server.domain | The domain name of the server system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. 
| keyword | -| server.ip | IP address of the server (IPv4 or IPv6). | ip | -| server.port | Port of the server. | long | -| server.user.name | Short name or login of the user. | keyword | -| server.user.name.text | Multi-field of `server.user.name`. | match_only_text | -| service.id | Unique identifier of the running service. If the service is comprised of many nodes, the `service.id` should be the same for all nodes. This id should uniquely identify the service. This makes it possible to correlate logs and metrics for one specific service, no matter which particular node emitted the event. Note that if you need to see the events from one specific host of the service, you should filter on that `host.name` or `host.id` instead. | keyword | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_code | Two-letter code representing continent's name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. 
| keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.postal_code | Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. | keyword | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.mac | MAC address of the source. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | -| source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip | -| source.nat.port | Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers. | long | -| source.packets | Packets sent from the source to the destination. | long | -| source.port | Port of the source. | long | -| source.user.group.name | Name of the group. | keyword | -| source.user.name | Short name or login of the user. | keyword | -| source.user.name.text | Multi-field of `source.user.name`. | match_only_text | -| tags | List of keywords used to tag each event. | keyword | -| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. 
| keyword | -| url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | -| url.fragment | Portion of the url after the `#`, such as "top". The `#` is not part of the fragment. | keyword | -| url.full | If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. | wildcard | -| url.full.text | Multi-field of `url.full`. | match_only_text | -| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | -| url.original.text | Multi-field of `url.original`. | match_only_text | -| url.password | Password of the request. | keyword | -| url.path | Path of the request, such as "/search". | wildcard | -| url.port | Port of the request, such as 443. | long | -| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword | -| url.registered_domain | The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). 
Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword | -| url.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | -| url.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| url.username | Username of the request. | keyword | -| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | -| user.email | User email address. | keyword | -| user.id | Unique identifier of the user. | keyword | -| user.name | Short name or login of the user. | keyword | -| user.name.text | Multi-field of `user.name`. | match_only_text | -| user_agent.device.name | Name of the device. | keyword | -| user_agent.name | Name of the user agent. | keyword | -| user_agent.original | Unparsed user_agent string. | keyword | -| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text | -| user_agent.os.full | Operating system name, including the version or code name. 
| keyword | -| user_agent.os.full.text | Multi-field of `user_agent.os.full`. | match_only_text | -| user_agent.os.name | Operating system name, without the version. | keyword | -| user_agent.os.name.text | Multi-field of `user_agent.os.name`. | match_only_text | -| user_agent.os.version | Operating system version as a raw string. | keyword | -| user_agent.version | Version of the user agent. | keyword | diff --git a/packages/opencanary/manifest.yml b/packages/opencanary/manifest.yml index 61dc41b1314..44bc0d76079 100644 --- a/packages/opencanary/manifest.yml +++ b/packages/opencanary/manifest.yml @@ -1,14 +1,14 @@ format_version: 3.1.3 name: opencanary title: "OpenCanary" -version: 0.0.1 +version: "0.1.0" description: "This integration collects and parses logs from OpenCanary honeypots." type: integration categories: - security conditions: kibana: - version: "^8.12.2" + version: "^8.13.0" elastic: subscription: "basic" icons: diff --git a/packages/panw_cortex_xdr/changelog.yml b/packages/panw_cortex_xdr/changelog.yml index f23d21d76be..cd54a12094c 100644 --- a/packages/panw_cortex_xdr/changelog.yml +++ b/packages/panw_cortex_xdr/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.27.0" + changes: + - description: Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template. + type: enhancement + link: https://github.com/elastic/integrations/pull/10135 - version: "1.26.0" changes: - description: Improve handling of empty responses. diff --git a/packages/panw_cortex_xdr/data_stream/alerts/fields/agent.yml b/packages/panw_cortex_xdr/data_stream/alerts/fields/agent.yml index fed14316c18..2bc58530bac 100644 --- a/packages/panw_cortex_xdr/data_stream/alerts/fields/agent.yml +++ b/packages/panw_cortex_xdr/data_stream/alerts/fields/agent.yml 
@@ -5,152 +5,15 @@ footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' type: group fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - name: image.id type: keyword description: Image ID for the cloud instance. -- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. 
- - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. - name: host title: Host group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' type: group fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - external: ecs - - name: hostname - external: ecs - - name: id - external: ecs - - name: ip - external: ecs - - name: mac - external: ecs - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). 
- example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - external: ecs - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - name: containerized type: boolean description: > diff --git a/packages/panw_cortex_xdr/data_stream/alerts/fields/beats.yml b/packages/panw_cortex_xdr/data_stream/alerts/fields/beats.yml index cb44bb29442..96190255552 100644 --- a/packages/panw_cortex_xdr/data_stream/alerts/fields/beats.yml +++ b/packages/panw_cortex_xdr/data_stream/alerts/fields/beats.yml @@ -7,6 +7,3 @@ - name: log.offset type: long description: Offset of the entry in the log file. -- name: log.file.path - type: keyword - description: Path to the log file. diff --git a/packages/panw_cortex_xdr/data_stream/alerts/fields/ecs.yml b/packages/panw_cortex_xdr/data_stream/alerts/fields/ecs.yml deleted file mode 100644 index 961c6312569..00000000000 --- a/packages/panw_cortex_xdr/data_stream/alerts/fields/ecs.yml +++ /dev/null 
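Review bot: Dropping the explicit `host.os.name` definition also drops its `text` multi-field (the removed `multi_fields: - name: text` block), so any saved search, dashboard or detection rule that queries `host.os.name.text` in the alerts data stream now depends on the `ecs@mappings` component template supplying that multi-field rather than on this package. I would confirm that against the 8.13 ECS dynamic templates before merging, or keep a minimal `- name: host.os.name` / `external: ecs` entry so the mapping stays under the package's control. The same caveat applies to `ignore_above: 1024`, which every removed keyword definition set explicitly and which is now whatever the dynamic template applies. The rewrite of the kept `host` group description is cosmetic and fine; the hunk is complete within view, and the incidents `agent.yml` hunk below makes the identical change.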
@@ -1,156 +0,0 @@ -- name: ecs.version - external: ecs -- name: message - external: ecs -- name: tags - external: ecs -- name: email.from.address - external: ecs -- name: email.to.address - external: ecs -- name: email.subject - external: ecs -- name: event.kind - external: ecs -- name: event.original - external: ecs -- name: event.type - external: ecs -- name: event.category - external: ecs -- name: event.ingested - external: ecs -- name: event.created - external: ecs -- name: event.severity - external: ecs -- name: event.action - external: ecs -- name: event.reason - external: ecs -- name: dns.question.name - external: ecs -- name: destination.ip - external: ecs -- name: destination.port - external: ecs -- name: destination.as.number - external: ecs -- name: destination.as.organization.name - external: ecs -- name: destination.geo.continent_name - external: ecs -- name: destination.geo.city_name - external: ecs -- name: destination.geo.country_iso_code - external: ecs -- name: destination.geo.country_name - external: ecs -- name: destination.geo.region_iso_code - external: ecs -- name: destination.geo.region_name - external: ecs -- name: destination.geo.location - external: ecs -- name: source.ip - external: ecs -- name: source.port - external: ecs -- name: source.as.number - external: ecs -- name: source.as.organization.name - external: ecs -- name: source.geo.continent_name - external: ecs -- name: source.geo.country_iso_code - external: ecs -- name: source.geo.country_name - external: ecs -- name: source.geo.location - external: ecs -- name: process.hash.sha256 - external: ecs -- name: process.command_line - external: ecs -- name: process.name - external: ecs -- name: process.code_signature.subject_name - external: ecs -- name: process.code_signature.status - external: ecs -- name: process.entity_id - external: ecs -- name: process.pid - external: ecs -- name: process.executable - external: ecs -- name: process.hash.md5 - external: ecs -- name: 
process.thread.id - external: ecs -- name: process.parent.name - external: ecs -- name: process.parent.executable - external: ecs -- name: process.parent.hash.md5 - external: ecs -- name: process.parent.hash.sha256 - external: ecs -- name: process.parent.entity_id - external: ecs -- name: process.parent.code_signature.subject_name - external: ecs -- name: process.parent.code_signature.status - external: ecs -- name: process.parent.command_line - external: ecs -- name: process.parent.uptime - external: ecs -- name: file.path - external: ecs -- name: file.name - external: ecs -- name: file.hash.md5 - external: ecs -- name: file.hash.sha256 - external: ecs -- name: user.name - external: ecs -- name: user.domain - external: ecs -- name: user.id - external: ecs -- name: user.email - external: ecs -- name: rule.name - external: ecs -- name: rule.id - external: ecs -- name: observer.ingress.interface.name - external: ecs -- name: observer.egress.interface.name - external: ecs -- name: observer.serial_number - external: ecs -- name: registry.key - external: ecs -- name: registry.value - external: ecs -- name: registry.path - external: ecs -- name: registry.data.strings - external: ecs -- name: related.hash - external: ecs -- name: related.user - external: ecs -- name: threat.framework - external: ecs -- name: threat.technique.id - external: ecs -- name: threat.technique.name - external: ecs -- name: threat.tactic.id - external: ecs -- name: threat.tactic.name - external: ecs diff --git a/packages/panw_cortex_xdr/data_stream/incidents/fields/agent.yml b/packages/panw_cortex_xdr/data_stream/incidents/fields/agent.yml index fed14316c18..2bc58530bac 100644 --- a/packages/panw_cortex_xdr/data_stream/incidents/fields/agent.yml +++ b/packages/panw_cortex_xdr/data_stream/incidents/fields/agent.yml 
@@ -5,152 +5,15 @@ footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' type: group fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - name: image.id type: keyword description: Image ID for the cloud instance. -- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. 
- - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. - name: host title: Host group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' type: group fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - external: ecs - - name: hostname - external: ecs - - name: id - external: ecs - - name: ip - external: ecs - - name: mac - external: ecs - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). 
- example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - external: ecs - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - name: containerized type: boolean description: > diff --git a/packages/panw_cortex_xdr/data_stream/incidents/fields/beats.yml b/packages/panw_cortex_xdr/data_stream/incidents/fields/beats.yml index cb44bb29442..96190255552 100644 --- a/packages/panw_cortex_xdr/data_stream/incidents/fields/beats.yml +++ b/packages/panw_cortex_xdr/data_stream/incidents/fields/beats.yml @@ -7,6 +7,3 @@ - name: log.offset type: long description: Offset of the entry in the log file. -- name: log.file.path - type: keyword - description: Path to the log file. diff --git a/packages/panw_cortex_xdr/data_stream/incidents/fields/ecs.yml b/packages/panw_cortex_xdr/data_stream/incidents/fields/ecs.yml deleted file mode 100644 index c629e96c1a3..00000000000 --- a/packages/panw_cortex_xdr/data_stream/incidents/fields/ecs.yml +++ /dev/null 
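Review bot: After this hunk the incidents `agent.yml` declares only `cloud.image.id` and `host.containerized`, both non-ECS, so correct mapping of every other `cloud.*`/`host.*` field now rests entirely on the `ecs@mappings` component template being present on the cluster. The changelog entry in this patch says the Kibana constraint was raised to `^8.13.0` for that reason, but the `panw_cortex_xdr/manifest.yml` hunk is not in view, so I cannot confirm the bump actually landed alongside this removal; if it did not, clusters on older stacks would index these fields with default dynamic mappings. I would also keep the two remaining non-ECS definitions explicit about their limits, e.g. `- name: image.id` / `type: keyword` / `ignore_above: 1024`, since the removed siblings all carried `ignore_above` and this one never did. The hunk is complete within view.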
@@ -1,32 +0,0 @@
-- name: ecs.version
- external: ecs
-- name: message
- external: ecs
-- name: tags
- external: ecs
-- name: user.name
- external: ecs
-- name: user.domain
- external: ecs
-- name: user.id
- external: ecs
-- name: user.email
- external: ecs
-- name: rule.name
- external: ecs
-- name: rule.id
- external: ecs
-- name: related.hosts
- external: ecs
-- name: related.user
- external: ecs
-- name: threat.framework
- external: ecs
-- name: threat.technique.id
- external: ecs
-- name: threat.technique.name
- external: ecs
-- name: threat.tactic.id
- external: ecs
-- name: threat.tactic.name
- external: ecs
diff --git a/packages/panw_cortex_xdr/docs/README.md b/packages/panw_cortex_xdr/docs/README.md
index fbdef3471a2..00387009af8 100644
--- a/packages/panw_cortex_xdr/docs/README.md
+++ b/packages/panw_cortex_xdr/docs/README.md
@@ -133,81 +133,18 @@ An example event for `alerts` looks as following:
| Field | Description | Type |
|---|---|---|
| @timestamp | Event timestamp. | date |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
| data_stream.dataset | Data stream dataset name. | constant_keyword |
| data_stream.namespace | Data stream namespace. | constant_keyword |
| data_stream.type | Data stream type. | constant_keyword |
-| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| destination.as.organization.name | Organization name. | keyword |
-| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text |
-| destination.geo.city_name | City name. | keyword |
-| destination.geo.continent_name | Name of the continent. | keyword |
-| destination.geo.country_iso_code | Country ISO code.
| keyword |
-| destination.geo.country_name | Country name. | keyword |
-| destination.geo.location | Longitude and latitude. | geo_point |
-| destination.geo.region_iso_code | Region ISO code. | keyword |
-| destination.geo.region_name | Region name. | keyword |
-| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
-| destination.port | Port of the destination. | long |
-| dns.question.name | The name being queried. If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. | keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| email.from.address | The email address of the sender, typically from the RFC 5322 `From:` header field. | keyword |
-| email.subject | A brief summary of the topic of the message. | keyword |
-| email.subject.text | Multi-field of `email.subject`. | match_only_text |
-| email.to.address | The email address of recipient | keyword |
-| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity.
This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date |
| event.dataset | Event dataset | constant_keyword |
-| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not.
| keyword |
| event.module | Event module | constant_keyword |
-| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
-| event.reason | Reason why this event happened, according to the source. This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). | keyword |
-| event.severity | The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. | long |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| file.hash.md5 | MD5 hash.
| keyword |
-| file.hash.sha256 | SHA256 hash. | keyword |
-| file.name | Name of the file including the extension, without the directory. | keyword |
-| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword |
-| file.path.text | Multi-field of `file.path`. | match_only_text |
-| host.architecture | Operating system architecture. | keyword |
| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
| host.os.build | OS build information. | keyword |
| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`.
| text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
| input.type | Type of Filebeat input. | keyword |
-| log.file.path | Path to the log file. | keyword |
| log.flags | Flags for the log file. | keyword |
| log.offset | Offset of the entry in the log file. | long |
-| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text |
-| observer.egress.interface.name | Interface name as reported by the system. | keyword |
-| observer.ingress.interface.name | Interface name as reported by the system. | keyword |
-| observer.serial_number | Observer serial number. | keyword |
| panw_cortex.xdr.action_pretty | Pretty description of the action type. | keyword |
| panw_cortex.xdr.agent_data_collection_status | Collection status of the agent. | boolean |
| panw_cortex.xdr.agent_ip_addresses_v6 | Agent ipv6 address | ip |
@@ -293,60 +230,6 @@ An example event for `alerts` looks as following:
| panw_cortex.xdr.resolution_status | | keyword |
| panw_cortex.xdr.source | | keyword |
| panw_cortex.xdr.starred | If alert type is prioritized (starred). | boolean |
-| process.code_signature.status | Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. | keyword |
-| process.code_signature.subject_name | Subject name of the code signer | keyword |
-| process.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard |
-| process.command_line.text | Multi-field of `process.command_line`. | match_only_text |
-| process.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword |
-| process.executable | Absolute path to the process executable. | keyword |
-| process.executable.text | Multi-field of `process.executable`. | match_only_text |
-| process.hash.md5 | MD5 hash. | keyword |
-| process.hash.sha256 | SHA256 hash. | keyword |
-| process.name | Process name. Sometimes called program name or similar. | keyword |
-| process.name.text | Multi-field of `process.name`. | match_only_text |
-| process.parent.code_signature.status | Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status.
Leave unpopulated if the validity or trust of the certificate was unchecked. | keyword |
-| process.parent.code_signature.subject_name | Subject name of the code signer | keyword |
-| process.parent.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard |
-| process.parent.command_line.text | Multi-field of `process.parent.command_line`. | match_only_text |
-| process.parent.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword |
-| process.parent.executable | Absolute path to the process executable. | keyword |
-| process.parent.executable.text | Multi-field of `process.parent.executable`. | match_only_text |
-| process.parent.hash.md5 | MD5 hash. | keyword |
-| process.parent.hash.sha256 | SHA256 hash. | keyword |
-| process.parent.name | Process name. Sometimes called program name or similar. | keyword |
-| process.parent.name.text | Multi-field of `process.parent.name`. | match_only_text |
-| process.parent.uptime | Seconds the process has been up. | long |
-| process.pid | Process id. | long |
-| process.thread.id | Thread ID. | long |
-| registry.data.strings | Content when writing string types. Populated as an array when writing string data to the registry. For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. For sequences of string with REG_MULTI_SZ, this array will be variable length.
For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g `"1"`). | wildcard |
-| registry.key | Hive-relative path of keys. | keyword |
-| registry.path | Full path, including hive, key and value | keyword |
-| registry.value | Name of the value written. | keyword |
-| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword |
-| related.user | All the user names or other user identifiers seen on the event. | keyword |
-| rule.id | A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. | keyword |
-| rule.name | The name of the rule or signature generating the event. | keyword |
-| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| source.as.organization.name | Organization name. | keyword |
-| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text |
-| source.geo.continent_name | Name of the continent. | keyword |
-| source.geo.country_iso_code | Country ISO code. | keyword |
-| source.geo.country_name | Country name. | keyword |
-| source.geo.location | Longitude and latitude. | geo_point |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.port | Port of the source. | long |
-| tags | List of keywords used to tag each event. | keyword |
-| threat.framework | Name of the threat framework used to further categorize and classify the tactic and technique of the reported threat. Framework classification can be provided by detecting systems, evaluated at ingest time, or retrospectively tagged to events. | keyword |
-| threat.tactic.id | The id of tactic used by this threat.
You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ ) | keyword |
-| threat.tactic.name | Name of the type of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/) | keyword |
-| threat.technique.id | The id of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) | keyword |
-| threat.technique.name | The name of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) | keyword |
-| threat.technique.name.text | Multi-field of `threat.technique.name`. | match_only_text |
-| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
-| user.email | User email address. | keyword |
-| user.id | Unique identifier of the user. | keyword |
-| user.name | Short name or login of the user. | keyword |
-| user.name.text | Multi-field of `user.name`. | match_only_text |
### Incidents
@@ -487,47 +370,18 @@ An example event for `incidents` looks as following:
| Field | Description | Type |
|---|---|---|
| @timestamp | Event timestamp. | date |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
| data_stream.dataset | Data stream dataset name. | constant_keyword |
| data_stream.namespace | Data stream namespace. | constant_keyword |
| data_stream.type | Data stream type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
| event.dataset | Event dataset | constant_keyword |
| event.module | Event module | constant_keyword |
-| host.architecture | Operating system architecture. | keyword |
| host.containerized | If the host is a container.
| boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
| host.os.build | OS build information. | keyword |
| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
| input.type | Type of Filebeat input. | keyword |
-| log.file.path | Path to the log file.
| keyword |
| log.flags | Flags for the log file. | keyword |
| log.offset | Offset of the entry in the log file. | long |
-| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text |
| panw_cortex.xdr.aggregated_score | Aggregated incident score. | long |
| panw_cortex.xdr.alert_categories | Categories for alerts contained in the incident. | keyword |
| panw_cortex.xdr.alert_count | Count of alerts. | long |
@@ -563,21 +417,5 @@ An example event for `incidents` looks as following:
| panw_cortex.xdr.users | Usernames related to the incident. | keyword |
| panw_cortex.xdr.wildfire_hits | Count of Wildfire hits. | long |
| panw_cortex.xdr.xdr_url | URL to Cortex XDR incident. | keyword |
-| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
-| related.user | All the user names or other user identifiers seen on the event. | keyword |
-| rule.id | A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. | keyword |
-| rule.name | The name of the rule or signature generating the event. | keyword |
-| tags | List of keywords used to tag each event. | keyword |
-| threat.framework | Name of the threat framework used to further categorize and classify the tactic and technique of the reported threat. Framework classification can be provided by detecting systems, evaluated at ingest time, or retrospectively tagged to events. | keyword |
-| threat.tactic.id | The id of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ ) | keyword |
-| threat.tactic.name | Name of the type of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/) | keyword |
-| threat.technique.id | The id of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) | keyword |
-| threat.technique.name | The name of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) | keyword |
-| threat.technique.name.text | Multi-field of `threat.technique.name`. | match_only_text |
-| user.domain | Name of the directory the user is a member of.
For example, an LDAP or Active Directory domain name. | keyword |
-| user.email | User email address. | keyword |
-| user.id | Unique identifier of the user. | keyword |
-| user.name | Short name or login of the user. | keyword |
-| user.name.text | Multi-field of `user.name`. | match_only_text |
diff --git a/packages/panw_cortex_xdr/manifest.yml b/packages/panw_cortex_xdr/manifest.yml
index e8d73203476..ef3d253b448 100644
--- a/packages/panw_cortex_xdr/manifest.yml
+++ b/packages/panw_cortex_xdr/manifest.yml
@@ -1,13 +1,13 @@
name: panw_cortex_xdr
title: Palo Alto Cortex XDR
-version: "1.26.0"
+version: "1.27.0"
description: Collect logs from Palo Alto Cortex XDR with Elastic Agent.
type: integration
format_version: "3.0.2"
categories: [security, edr_xdr]
conditions:
kibana:
- version: ^8.12.0
+ version: "^8.13.0"
icons:
- src: /img/icon-cortex.svg
title: Palo Alto
diff --git a/packages/ping_one/changelog.yml b/packages/ping_one/changelog.yml
index c8c6807d147..8c26ebe7d79 100644
--- a/packages/ping_one/changelog.yml
+++ b/packages/ping_one/changelog.yml
@@ -1,4 +1,9 @@
# newer versions go on top
+- version: "1.16.0"
+ changes:
+ - description: Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/10135
- version: "1.15.0"
changes:
- description: Improve handling of empty responses.
diff --git a/packages/ping_one/data_stream/audit/fields/agent.yml b/packages/ping_one/data_stream/audit/fields/agent.yml
index bb99e5f0b19..d3d659d48f2 100644
--- a/packages/ping_one/data_stream/audit/fields/agent.yml
+++ b/packages/ping_one/data_stream/audit/fields/agent.yml
@@ -5,162 +5,15 @@
footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
type: group
fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'The cloud account or organization ID used to identify different entities in a multi-tenant environment. Examples: AWS account ID, Google Cloud ORG ID, or other unique identifier.'
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
- name: image.id
type: keyword
description: Image ID for the cloud instance.
-- name: container
- title: Container
- group: 2
- description: 'Container fields are used for meta information about the specific container that is the source of information.
These fields help correlate data based containers from any runtime.'
- type: group
- fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container ID.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
- name: host
title: Host
group: 2
description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
type: group
fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'Name of the domain of which the host is a member. For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
- example: CONTOSO
- default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host. It normally contains what the `hostname` command returns on the host machine.'
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Unique host ID. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`.'
- - name: ip
- level: core
- type: ip
- description: Host IP addresses.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
- name: containerized
type: boolean
description: >-
diff --git a/packages/ping_one/data_stream/audit/fields/ecs.yml b/packages/ping_one/data_stream/audit/fields/ecs.yml
deleted file mode 100644
index 3f6d623b9f4..00000000000
--- a/packages/ping_one/data_stream/audit/fields/ecs.yml
+++ /dev/null
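Review bot: After this hunk `host.ip` (previously an explicit `type: ip`) and the `host.os.name` `text` multi-field are no longer defined anywhere in this package, so their mapping now rests entirely on the stack-provided `ecs@mappings` component template that the changelog entry names. The ping_one changelog line in this commit says the kibana constraint is raised to ^8.13.0, but the ping_one manifest hunk is not in this part of the diff, so that bump should be confirmed together with this removal. The definitions kept under the `cloud` and `host` groups (`image.id`, `containerized`) are package-specific and correctly stay; a one-line comment at the top of each group, e.g. `# ECS cloud.*/host.* fields are mapped by the ecs@mappings component template; only package-specific fields are defined below.`, would keep a later contributor from re-adding ECS fields here.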
@@ -1,38 +0,0 @@ -- external: ecs - name: client.user.id -- external: ecs - name: client.user.name -- external: ecs - name: ecs.version -- external: ecs - name: event.action -- external: ecs - name: event.category -- external: ecs - name: event.created -- external: ecs - name: event.id -- external: ecs - name: event.kind -- external: ecs - name: event.original -- external: ecs - name: event.outcome -- external: ecs - name: event.type -- external: ecs - name: related.user -- external: ecs - name: tags -- external: ecs - name: url.domain -- external: ecs - name: url.original -- external: ecs - name: url.path -- external: ecs - name: url.scheme -- external: ecs - name: user.id -- external: ecs - name: user.name diff --git a/packages/ping_one/docs/README.md b/packages/ping_one/docs/README.md index 72d95c0e7e1..3fac7610e65 100644 --- a/packages/ping_one/docs/README.md +++ b/packages/ping_one/docs/README.md 
@@ -246,53 +246,15 @@ An example event for `audit` looks as following: | Field | Description | Type | |---|---|---| | @timestamp | Event timestamp. | date | -| client.user.id | Unique identifier of the user. | keyword | -| client.user.name | Short name or login of the user. | keyword | -| client.user.name.text | Multi-field of `client.user.name`. | match_only_text | -| cloud.account.id | The cloud account or organization ID used to identify different entities in a multi-tenant environment. Examples: AWS account ID, Google Cloud ORG ID, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | | cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container ID. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | | data_stream.dataset | Data stream dataset. | constant_keyword | | data_stream.namespace | Data stream namespace. | constant_keyword | | data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.action | The action captured by the event. 
This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date | | event.dataset | Event dataset. | constant_keyword | -| event.id | Unique ID to describe the event. | keyword | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. 
They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword | | event.module | Event module. | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. 
This will allow proper categorization of some events that fall in multiple event types. | keyword | -| host.architecture | Operating system architecture. | keyword | | host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host ID. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host IP addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | host.os.build | OS build information. | keyword | | host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. 
| keyword | | input.type | Input type | keyword | | log.offset | Log offset | long | | ping_one.audit.action.description | A string that specifies the description of the action performed. | text | @@ -323,14 +285,4 @@ An example event for `audit` looks as following: | ping_one.audit.result.id | A string that specifies the ID for the result of the operation. | keyword | | ping_one.audit.result.status | A string that specifies the result of the operation. Options are succeeded or failed. | keyword | | ping_one.audit.tags | A string identifying the activity as the action of an administrator on other administrators. | keyword | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| tags | List of keywords used to tag each event. | keyword | -| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | -| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | -| url.original.text | Multi-field of `url.original`. | match_only_text | -| url.path | Path of the request, such as "/search". | wildcard | -| url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword | -| user.id | Unique identifier of the user. | keyword | -| user.name | Short name or login of the user. | keyword | -| user.name.text | Multi-field of `user.name`. | match_only_text | 
diff --git a/packages/ping_one/manifest.yml b/packages/ping_one/manifest.yml index b13ce0ba25f..be84b0c68a0 100644 --- a/packages/ping_one/manifest.yml +++ b/packages/ping_one/manifest.yml @@ -1,7 +1,7 @@ format_version: "3.0.2" name: ping_one title: PingOne -version: "1.15.0" +version: "1.16.0" description: Collect logs from PingOne with Elastic-Agent. type: integration categories: @@ -9,7 +9,7 @@ categories: - iam conditions: kibana: - version: ^8.12.0 + version: "^8.13.0" screenshots: - src: /img/ping-one-dashboard.png title: PingOne Audit Dashboard Screenshot diff --git a/packages/pps/changelog.yml b/packages/pps/changelog.yml index 375181b767a..ac711a3b209 100644 --- a/packages/pps/changelog.yml +++ b/packages/pps/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "0.1.0" + changes: + - description: Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template. + type: enhancement + link: https://github.com/elastic/integrations/pull/10135 - version: "0.0.1" changes: - description: Initial Integration for Pleasant Password Server in Elastic diff --git a/packages/pps/data_stream/log/fields/ecs.yml b/packages/pps/data_stream/log/fields/ecs.yml deleted file mode 100644 index e8b886726b1..00000000000 --- a/packages/pps/data_stream/log/fields/ecs.yml +++ /dev/null @@ -1,20 +0,0 @@ -- external: ecs - name: user.name -- external: ecs - name: user.domain -- external: ecs - name: user.email -- external: ecs - name: client.ip -- external: ecs - name: ecs.version -- external: ecs - name: log.syslog.priority -- external: ecs - name: message -- external: ecs - name: event.outcome -- external: ecs - name: log.file.path -- external: ecs - name: tags diff --git a/packages/pps/docs/README.md b/packages/pps/docs/README.md index 0276d532ab7..6528e7fe72b 100644 --- a/packages/pps/docs/README.md +++ b/packages/pps/docs/README.md 
@@ -109,21 +109,10 @@ An example event for `log` looks as following: | Field | Description | Type | |---|---|---| | @timestamp | Event timestamp. | date | -| client.ip | IP address of the client (IPv4 or IPv6). | ip | | data_stream.dataset | Data stream dataset. | constant_keyword | | data_stream.namespace | Data stream namespace. | constant_keyword | | data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | | input.type | Input type | keyword | -| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. 
| keyword | | log.offset | Log offset | long | | log.source.address | Log source address | keyword | -| log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 \* facility + severity. This number is therefore expected to contain a value between 0 and 191. | long | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| tags | List of keywords used to tag each event. | keyword | -| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | -| user.email | User email address. | keyword | -| user.name | Short name or login of the user. | keyword | -| user.name.text | Multi-field of `user.name`. | match_only_text | diff --git a/packages/pps/manifest.yml b/packages/pps/manifest.yml index 9b9c66d40e4..a92dd9882ef 100644 --- a/packages/pps/manifest.yml +++ b/packages/pps/manifest.yml @@ -1,7 +1,7 @@ format_version: 3.0.3 name: pps title: "Pleasant Password Server" -version: 0.0.1 +version: "0.1.0" source: license: "Apache-2.0" description: "Integration for Pleasant Password Server Syslog Messages" @@ -12,7 +12,7 @@ categories: - security conditions: kibana: - version: "^8.0.0" + version: "^8.13.0" elastic: subscription: "basic" icons: diff --git a/packages/prisma_cloud/_dev/build/build.yml b/packages/prisma_cloud/_dev/build/build.yml index 71f48ba2a9c..2bfcfc223b0 100644 --- a/packages/prisma_cloud/_dev/build/build.yml +++ b/packages/prisma_cloud/_dev/build/build.yml @@ -1,4 +1,3 @@ dependencies: ecs: reference: "git@v8.11.0" - import_mappings: true 
diff --git a/packages/prisma_cloud/changelog.yml b/packages/prisma_cloud/changelog.yml index 20167de590b..6d4b62adcb5 100644 --- a/packages/prisma_cloud/changelog.yml +++ b/packages/prisma_cloud/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.3.0" + changes: + - description: Removed import_mappings. Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template. + type: enhancement + link: https://github.com/elastic/integrations/pull/10135 - version: "1.2.0" changes: - description: Update manifest format version to v3.0.3. diff --git a/packages/prisma_cloud/data_stream/alert/fields/beats.yml b/packages/prisma_cloud/data_stream/alert/fields/beats.yml index b3701b581cf..4084f1dc7f5 100644 --- a/packages/prisma_cloud/data_stream/alert/fields/beats.yml +++ b/packages/prisma_cloud/data_stream/alert/fields/beats.yml @@ -4,6 +4,3 @@ - name: log.offset type: long description: Log offset. -- name: tags - type: keyword - description: User defined tags. diff --git a/packages/prisma_cloud/data_stream/audit/fields/beats.yml b/packages/prisma_cloud/data_stream/audit/fields/beats.yml index b3701b581cf..4084f1dc7f5 100644 --- a/packages/prisma_cloud/data_stream/audit/fields/beats.yml +++ b/packages/prisma_cloud/data_stream/audit/fields/beats.yml @@ -4,6 +4,3 @@ - name: log.offset type: long description: Log offset. -- name: tags - type: keyword - description: User defined tags. diff --git a/packages/prisma_cloud/data_stream/host/fields/beats.yml b/packages/prisma_cloud/data_stream/host/fields/beats.yml index b3701b581cf..4084f1dc7f5 100644 --- a/packages/prisma_cloud/data_stream/host/fields/beats.yml +++ b/packages/prisma_cloud/data_stream/host/fields/beats.yml @@ -4,6 +4,3 @@ - name: log.offset type: long description: Log offset. -- name: tags - type: keyword - description: User defined tags. 
diff --git a/packages/prisma_cloud/data_stream/host_profile/fields/beats.yml b/packages/prisma_cloud/data_stream/host_profile/fields/beats.yml index b3701b581cf..4084f1dc7f5 100644 --- a/packages/prisma_cloud/data_stream/host_profile/fields/beats.yml +++ b/packages/prisma_cloud/data_stream/host_profile/fields/beats.yml @@ -4,6 +4,3 @@ - name: log.offset type: long description: Log offset. -- name: tags - type: keyword - description: User defined tags. diff --git a/packages/prisma_cloud/data_stream/incident_audit/fields/beats.yml b/packages/prisma_cloud/data_stream/incident_audit/fields/beats.yml index b3701b581cf..4084f1dc7f5 100644 --- a/packages/prisma_cloud/data_stream/incident_audit/fields/beats.yml +++ b/packages/prisma_cloud/data_stream/incident_audit/fields/beats.yml @@ -4,6 +4,3 @@ - name: log.offset type: long description: Log offset. -- name: tags - type: keyword - description: User defined tags. diff --git a/packages/prisma_cloud/docs/README.md b/packages/prisma_cloud/docs/README.md index 55ff2c3ac7a..0da49e2d461 100644 --- a/packages/prisma_cloud/docs/README.md +++ b/packages/prisma_cloud/docs/README.md @@ -480,7 +480,6 @@ An example event for `alert` looks as following: | prisma_cloud.alert.status | | keyword | | prisma_cloud.alert.time | Timestamp when alert was last reopened for resource update, or the same as firstSeen if there are no status changes. | date | | prisma_cloud.alert.triggered_by | | keyword | -| tags | User defined tags. | keyword | ### Audit @@ -596,7 +595,6 @@ An example event for `audit` looks as following: | prisma_cloud.audit.result | | keyword | | prisma_cloud.audit.timestamp | Timestamp. | date | | prisma_cloud.audit.user | User. | keyword | -| tags | User defined tags. | keyword | ### Host 
@@ -1575,7 +1573,6 @@ An example event for `host` looks as following: | prisma_cloud.host.wild_fire_usage.bytes | Bytes is the total number of bytes uploaded to the WildFire API. | long | | prisma_cloud.host.wild_fire_usage.queries | Queries is the number of queries to the WildFire API. | long | | prisma_cloud.host.wild_fire_usage.uploads | Uploads is the number of uploads to the WildFire API. | long | -| tags | User defined tags. | keyword | ### Host Profile @@ -1724,7 +1721,6 @@ An example event for `host_profile` looks as following: | prisma_cloud.host_profile.ssh_events.time | Time is the time in which the process was added. If the process was modified, Time is the modification time. | date | | prisma_cloud.host_profile.ssh_events.user | User represents the username that started the process. | keyword | | prisma_cloud.host_profile.time | Time is the last time when this profile was modified. | date | -| tags | User defined tags. | keyword | ### Incident Audit @@ -2071,4 +2067,3 @@ An example event for `incident_audit` looks as following: | prisma_cloud.incident_audit.type | Possible values: [host,container,function,appEmbedded,fargate]. | keyword | | prisma_cloud.incident_audit.vm_id | Azure unique VM ID on which the incident was found. | keyword | | prisma_cloud.incident_audit.windows | Windows indicates if defender OS type is Windows. | boolean | -| tags | User defined tags. | keyword | diff --git a/packages/prisma_cloud/manifest.yml b/packages/prisma_cloud/manifest.yml index 24862149bf3..3258649c944 100644 --- a/packages/prisma_cloud/manifest.yml +++ b/packages/prisma_cloud/manifest.yml @@ -1,7 +1,7 @@ format_version: 3.0.3 name: prisma_cloud title: "Palo Alto Prisma Cloud" -version: "1.2.0" +version: "1.3.0" description: "Collect logs from Prisma Cloud with Elastic Agent." type: integration categories: @@ -9,7 +9,7 @@ categories: - cloudsecurity_cdr conditions: kibana: - version: "^8.12.0" + version: "^8.13.0" elastic: subscription: "basic" screenshots: 
diff --git a/packages/proofpoint_tap/changelog.yml b/packages/proofpoint_tap/changelog.yml index 5f1113b2452..edcb4a22309 100644 --- a/packages/proofpoint_tap/changelog.yml +++ b/packages/proofpoint_tap/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.22.0" + changes: + - description: Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template. + type: enhancement + link: https://github.com/elastic/integrations/pull/10135 - version: "1.21.0" changes: - description: Improve query interval documentation to avoid request throttling. diff --git a/packages/proofpoint_tap/data_stream/clicks_blocked/fields/agent.yml b/packages/proofpoint_tap/data_stream/clicks_blocked/fields/agent.yml index d2c2658271b..79b11221868 100644 --- a/packages/proofpoint_tap/data_stream/clicks_blocked/fields/agent.yml +++ b/packages/proofpoint_tap/data_stream/clicks_blocked/fields/agent.yml 
@@ -5,162 +5,15 @@ footnote: "Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on." type: group fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: "The cloud account or organization ID used to identify different entities in a multi-tenant environment. Examples: AWS account ID, Google Cloud ORG ID, or other unique identifier." - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - name: image.id type: keyword description: Image ID for the cloud instance. -- name: container - title: Container - group: 2 - description: "Container fields are used for meta information about the specific container that is the source of information. 
These fields help correlate data based containers from any runtime." - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container ID. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. - name: host title: Host group: 2 description: "A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes." type: group fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: "Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider." - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: "Hostname of the host. It normally contains what the `hostname` command returns on the host machine." - - name: id - level: core - type: keyword - ignore_above: 1024 - description: "Unique host ID. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`." - - name: ip - level: core - type: ip - description: Host IP addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. 
- - name: name - level: core - type: keyword - ignore_above: 1024 - description: "Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use." - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: "Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment." - name: containerized type: boolean description: > diff --git a/packages/proofpoint_tap/data_stream/clicks_blocked/fields/ecs.yml b/packages/proofpoint_tap/data_stream/clicks_blocked/fields/ecs.yml deleted file mode 100644 index c49113c9429..00000000000 --- a/packages/proofpoint_tap/data_stream/clicks_blocked/fields/ecs.yml +++ /dev/null 
@@ -1,84 +0,0 @@ -- external: ecs - name: destination.as.number -- external: ecs - name: destination.as.organization.name -- external: ecs - name: destination.geo.city_name -- external: ecs - name: destination.geo.continent_name -- external: ecs - name: destination.geo.country_iso_code -- external: ecs - name: destination.geo.country_name -- external: ecs - name: destination.geo.location -- external: ecs - name: destination.geo.region_iso_code -- external: ecs - name: destination.geo.region_name -- external: ecs - name: destination.ip -- external: ecs - name: ecs.version -- external: ecs - name: email.from.address -- external: ecs - name: email.message_id -- external: ecs - name: email.to.address -- external: ecs - name: error.message -- external: ecs - name: event.category -- external: ecs - name: event.created -- external: ecs - name: event.id -- external: ecs - name: event.kind -- external: ecs - name: event.original -- external: ecs - name: event.type -- external: ecs - name: related.ip -- external: ecs - name: source.ip -- external: ecs - name: tags -- external: ecs - name: url.domain -- external: ecs - name: url.extension -- external: ecs - name: url.fragment -- external: ecs - name: url.full -- external: ecs - name: url.original -- external: ecs - name: url.password -- external: ecs - name: url.path -- external: ecs - name: url.port -- external: ecs - name: url.query -- external: ecs - name: url.scheme -- external: ecs - name: url.username -- external: ecs - name: user_agent.device.name -- external: ecs - name: user_agent.name -- external: ecs - name: user_agent.original -- external: ecs - name: user_agent.os.full -- external: ecs - name: user_agent.os.name -- external: ecs - name: user_agent.os.version -- external: ecs - name: user_agent.version diff --git a/packages/proofpoint_tap/data_stream/clicks_blocked/manifest.yml b/packages/proofpoint_tap/data_stream/clicks_blocked/manifest.yml index a09dba7e836..d360e435824 100644 
--- a/packages/proofpoint_tap/data_stream/clicks_blocked/manifest.yml +++ b/packages/proofpoint_tap/data_stream/clicks_blocked/manifest.yml @@ -10,12 +10,7 @@ streams: type: text title: Interval description: >- - Interval to fetch data from Proofpoint TAP API. The Proofpoint API applies a rolling 24 hour request limit - to users of the API. The clicks blocked, messages delivered and messages blocked endpoints allow a pooled - 1800 requests over a 24 hour period. After that requests will be throttled. See details - [here](https://help.proofpoint.com/Threat_Insight_Dashboard/API_Documentation/SIEM_API#Throttle_Limits). - To avoid throttling, assuming all data streams are being ingested, the interval should be at least 2m30s. - NOTE: Supported units for this parameter are h/m/s. + Interval to fetch data from Proofpoint TAP API. The Proofpoint API applies a rolling 24 hour request limit to users of the API. The clicks blocked, messages delivered and messages blocked endpoints allow a pooled 1800 requests over a 24 hour period. After that requests will be throttled. See details [here](https://help.proofpoint.com/Threat_Insight_Dashboard/API_Documentation/SIEM_API#Throttle_Limits). To avoid throttling, assuming all data streams are being ingested, the interval should be at least 2m30s. NOTE: Supported units for this parameter are h/m/s. multi: false required: true show_user: true @@ -24,8 +19,7 @@ streams: type: text title: Initial Interval description: >- - How far back to pull the tap data from the Proofpoint TAP API (The initial interval should be a maximum of 7 days). - NOTE: Supported units for this parameter are h/m/s. + How far back to pull the tap data from the Proofpoint TAP API (The initial interval should be a maximum of 7 days). NOTE: Supported units for this parameter are h/m/s. default: 24h multi: false required: true 
diff --git a/packages/proofpoint_tap/data_stream/clicks_permitted/fields/agent.yml b/packages/proofpoint_tap/data_stream/clicks_permitted/fields/agent.yml index d2c2658271b..79b11221868 100644 --- a/packages/proofpoint_tap/data_stream/clicks_permitted/fields/agent.yml +++ b/packages/proofpoint_tap/data_stream/clicks_permitted/fields/agent.yml 
@@ -5,162 +5,15 @@ footnote: "Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on." type: group fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: "The cloud account or organization ID used to identify different entities in a multi-tenant environment. Examples: AWS account ID, Google Cloud ORG ID, or other unique identifier." - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - name: image.id type: keyword description: Image ID for the cloud instance. -- name: container - title: Container - group: 2 - description: "Container fields are used for meta information about the specific container that is the source of information. 
These fields help correlate data based containers from any runtime." - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container ID. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. - name: host title: Host group: 2 description: "A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes." type: group fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: "Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider." - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: "Hostname of the host. It normally contains what the `hostname` command returns on the host machine." - - name: id - level: core - type: keyword - ignore_above: 1024 - description: "Unique host ID. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`." - - name: ip - level: core - type: ip - description: Host IP addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. 
- - name: name - level: core - type: keyword - ignore_above: 1024 - description: "Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use." - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: "Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment." - name: containerized type: boolean description: > diff --git a/packages/proofpoint_tap/data_stream/clicks_permitted/fields/ecs.yml b/packages/proofpoint_tap/data_stream/clicks_permitted/fields/ecs.yml deleted file mode 100644 index c49113c9429..00000000000 --- a/packages/proofpoint_tap/data_stream/clicks_permitted/fields/ecs.yml +++ /dev/null 
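Review bot: Removing the explicit `host.ip` (`type: ip`), `host.mac`, `host.os.*`, `cloud.*` and `container.*` definitions here, together with the deletion of `fields/ecs.yml` in the next hunk, leaves every ECS field of this data stream to the stack-provided `ecs@mappings` dynamic templates; if the package's `kibana.version` constraint in the top-level manifest.yml (not in this chunk) was not raised to a stack that ships those templates, `host.ip` is dynamically mapped as a keyword and CIDR-based detection rules against it silently stop matching. I cannot see the package manifest here, so please confirm the constraint was bumped in the same change. The identical removal is made in the message_blocked and message_delivered `fields/agent.yml` hunks, so this applies to all three. It would also help to record why `cloud.image.id` and `host.containerized` remain, e.g. `# Non-ECS fields kept locally; ECS fields are mapped by ecs@mappings.` above `- name: image.id`; the cloud group header this hunk belongs to starts before line 5 and is outside the hunk.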
@@ -1,84 +0,0 @@
-- external: ecs
- name: destination.as.number
-- external: ecs
- name: destination.as.organization.name
-- external: ecs
- name: destination.geo.city_name
-- external: ecs
- name: destination.geo.continent_name
-- external: ecs
- name: destination.geo.country_iso_code
-- external: ecs
- name: destination.geo.country_name
-- external: ecs
- name: destination.geo.location
-- external: ecs
- name: destination.geo.region_iso_code
-- external: ecs
- name: destination.geo.region_name
-- external: ecs
- name: destination.ip
-- external: ecs
- name: ecs.version
-- external: ecs
- name: email.from.address
-- external: ecs
- name: email.message_id
-- external: ecs
- name: email.to.address
-- external: ecs
- name: error.message
-- external: ecs
- name: event.category
-- external: ecs
- name: event.created
-- external: ecs
- name: event.id
-- external: ecs
- name: event.kind
-- external: ecs
- name: event.original
-- external: ecs
- name: event.type
-- external: ecs
- name: related.ip
-- external: ecs
- name: source.ip
-- external: ecs
- name: tags
-- external: ecs
- name: url.domain
-- external: ecs
- name: url.extension
-- external: ecs
- name: url.fragment
-- external: ecs
- name: url.full
-- external: ecs
- name: url.original
-- external: ecs
- name: url.password
-- external: ecs
- name: url.path
-- external: ecs
- name: url.port
-- external: ecs
- name: url.query
-- external: ecs
- name: url.scheme
-- external: ecs
- name: url.username
-- external: ecs
- name: user_agent.device.name
-- external: ecs
- name: user_agent.name
-- external: ecs
- name: user_agent.original
-- external: ecs
- name: user_agent.os.full
-- external: ecs
- name: user_agent.os.name
-- external: ecs
- name: user_agent.os.version
-- external: ecs
- name: user_agent.version
diff --git a/packages/proofpoint_tap/data_stream/clicks_permitted/manifest.yml b/packages/proofpoint_tap/data_stream/clicks_permitted/manifest.yml
index 4a37cfbf061..45c7d73839c 100644
--- a/packages/proofpoint_tap/data_stream/clicks_permitted/manifest.yml
+++ b/packages/proofpoint_tap/data_stream/clicks_permitted/manifest.yml
@@ -10,11 +10,7 @@ streams:
 type: text
 title: Interval
 description: >-
- Interval to fetch data from Proofpoint TAP API. The Proofpoint API applies a rolling 24 hour request limit
- to users of the API. The clicks permitted endpoint allows 1800 requests over a 24 hour period. After that
- requests will be throttled. See details [here](https://help.proofpoint.com/Threat_Insight_Dashboard/API_Documentation/SIEM_API#Throttle_Limits).
- To avoid throttling, the interval should be at least 1m.
- NOTE: Supported units for this parameter are h/m/s.
+ Interval to fetch data from Proofpoint TAP API. The Proofpoint API applies a rolling 24 hour request limit to users of the API. The clicks permitted endpoint allows 1800 requests over a 24 hour period. After that requests will be throttled. See details [here](https://help.proofpoint.com/Threat_Insight_Dashboard/API_Documentation/SIEM_API#Throttle_Limits). To avoid throttling, the interval should be at least 1m. NOTE: Supported units for this parameter are h/m/s.
 multi: false
 required: true
 show_user: true
@@ -23,8 +19,7 @@ streams:
 type: text
 title: Initial Interval
 description: >-
- How far back to pull the tap data from the Proofpoint TAP API (The initial interval should be a maximum of 7 days).
- NOTE: Supported units for this parameter are h/m/s.
+ How far back to pull the tap data from the Proofpoint TAP API (The initial interval should be a maximum of 7 days). NOTE: Supported units for this parameter are h/m/s.
 default: 24h
 multi: false
 required: true
diff --git a/packages/proofpoint_tap/data_stream/message_blocked/fields/agent.yml b/packages/proofpoint_tap/data_stream/message_blocked/fields/agent.yml
index d2c2658271b..79b11221868 100644
--- a/packages/proofpoint_tap/data_stream/message_blocked/fields/agent.yml
+++ b/packages/proofpoint_tap/data_stream/message_blocked/fields/agent.yml 
@@ -5,162 +5,15 @@ footnote: "Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on." type: group fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: "The cloud account or organization ID used to identify different entities in a multi-tenant environment. Examples: AWS account ID, Google Cloud ORG ID, or other unique identifier." - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - name: image.id type: keyword description: Image ID for the cloud instance. -- name: container - title: Container - group: 2 - description: "Container fields are used for meta information about the specific container that is the source of information. 
These fields help correlate data based containers from any runtime." - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container ID. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. - name: host title: Host group: 2 description: "A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes." type: group fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: "Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider." - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: "Hostname of the host. It normally contains what the `hostname` command returns on the host machine." - - name: id - level: core - type: keyword - ignore_above: 1024 - description: "Unique host ID. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`." - - name: ip - level: core - type: ip - description: Host IP addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. 
- - name: name - level: core - type: keyword - ignore_above: 1024 - description: "Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use." - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: "Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment." - name: containerized type: boolean description: > diff --git a/packages/proofpoint_tap/data_stream/message_blocked/fields/ecs.yml b/packages/proofpoint_tap/data_stream/message_blocked/fields/ecs.yml deleted file mode 100644 index 0bdb1f5ebba..00000000000 --- a/packages/proofpoint_tap/data_stream/message_blocked/fields/ecs.yml +++ /dev/null 
@@ -1,72 +0,0 @@
-- external: ecs
- name: ecs.version
-- external: ecs
- name: email.attachments
-- external: ecs
- name: email.attachments.file.hash.md5
-- external: ecs
- name: email.attachments.file.hash.sha256
-- external: ecs
- name: email.attachments.file.mime_type
-- external: ecs
- name: email.attachments.file.name
-- external: ecs
- name: email.cc.address
-- external: ecs
- name: email.content_type
-- external: ecs
- name: email.delivery_timestamp
-- external: ecs
- name: email.from.address
-- external: ecs
- name: email.message_id
-- external: ecs
- name: email.reply_to.address
-- external: ecs
- name: email.sender.address
-- external: ecs
- name: email.subject
-- external: ecs
- name: email.to.address
-- external: ecs
- name: email.x_mailer
-- external: ecs
- name: error.message
-- external: ecs
- name: event.category
-- external: ecs
- name: event.created
-- external: ecs
- name: event.id
-- external: ecs
- name: event.kind
-- external: ecs
- name: event.original
-- external: ecs
- name: event.type
-- external: ecs
- name: related.hash
-- external: ecs
- name: related.ip
-- external: ecs
- name: source.as.number
-- external: ecs
- name: source.as.organization.name
-- external: ecs
- name: source.geo.city_name
-- external: ecs
- name: source.geo.continent_name
-- external: ecs
- name: source.geo.country_iso_code
-- external: ecs
- name: source.geo.country_name
-- external: ecs
- name: source.geo.location
-- external: ecs
- name: source.geo.region_iso_code
-- external: ecs
- name: source.geo.region_name
-- external: ecs
- name: source.ip
-- external: ecs
- name: tags
diff --git a/packages/proofpoint_tap/data_stream/message_blocked/manifest.yml b/packages/proofpoint_tap/data_stream/message_blocked/manifest.yml
index 2df8d3a058e..9fe316cfb4b 100644
--- a/packages/proofpoint_tap/data_stream/message_blocked/manifest.yml
+++ b/packages/proofpoint_tap/data_stream/message_blocked/manifest.yml
@@ -10,12 +10,7 @@ streams:
 type: text
 title: Interval
 description: >-
- Interval to fetch data from Proofpoint TAP API. The Proofpoint API applies a rolling 24 hour request limit
- to users of the API. The clicks blocked, messages delivered and messages blocked endpoints allow a pooled
- 1800 requests over a 24 hour period. After that requests will be throttled. See details
- [here](https://help.proofpoint.com/Threat_Insight_Dashboard/API_Documentation/SIEM_API#Throttle_Limits).
- To avoid throttling, assuming all data streams are being ingested, the interval should be at least 2m30s.
- NOTE: Supported units for this parameter are h/m/s.
+ Interval to fetch data from Proofpoint TAP API. The Proofpoint API applies a rolling 24 hour request limit to users of the API. The clicks blocked, messages delivered and messages blocked endpoints allow a pooled 1800 requests over a 24 hour period. After that requests will be throttled. See details [here](https://help.proofpoint.com/Threat_Insight_Dashboard/API_Documentation/SIEM_API#Throttle_Limits). To avoid throttling, assuming all data streams are being ingested, the interval should be at least 2m30s. NOTE: Supported units for this parameter are h/m/s.
 multi: false
 required: true
 show_user: true
@@ -24,8 +19,7 @@ streams:
 type: text
 title: Initial Interval
 description: >-
- How far back to pull the tap data from the Proofpoint TAP API (The initial interval should be a maximum of 7 days).
- NOTE: Supported units for this parameter are h/m/s.
+ How far back to pull the tap data from the Proofpoint TAP API (The initial interval should be a maximum of 7 days). NOTE: Supported units for this parameter are h/m/s.
 default: 24h
 multi: false
 required: true
diff --git a/packages/proofpoint_tap/data_stream/message_delivered/fields/agent.yml b/packages/proofpoint_tap/data_stream/message_delivered/fields/agent.yml
index d2c2658271b..79b11221868 100644
--- a/packages/proofpoint_tap/data_stream/message_delivered/fields/agent.yml
+++ b/packages/proofpoint_tap/data_stream/message_delivered/fields/agent.yml 
@@ -5,162 +5,15 @@ footnote: "Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on." type: group fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: "The cloud account or organization ID used to identify different entities in a multi-tenant environment. Examples: AWS account ID, Google Cloud ORG ID, or other unique identifier." - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - name: image.id type: keyword description: Image ID for the cloud instance. -- name: container - title: Container - group: 2 - description: "Container fields are used for meta information about the specific container that is the source of information. 
These fields help correlate data based containers from any runtime." - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container ID. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. - name: host title: Host group: 2 description: "A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes." type: group fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: "Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider." - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: "Hostname of the host. It normally contains what the `hostname` command returns on the host machine." - - name: id - level: core - type: keyword - ignore_above: 1024 - description: "Unique host ID. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`." - - name: ip - level: core - type: ip - description: Host IP addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. 
- - name: name - level: core - type: keyword - ignore_above: 1024 - description: "Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use." - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: "Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment." - name: containerized type: boolean description: > diff --git a/packages/proofpoint_tap/data_stream/message_delivered/fields/ecs.yml b/packages/proofpoint_tap/data_stream/message_delivered/fields/ecs.yml deleted file mode 100644 index 0bdb1f5ebba..00000000000 --- a/packages/proofpoint_tap/data_stream/message_delivered/fields/ecs.yml +++ /dev/null 
@@ -1,72 +0,0 @@
-- external: ecs
- name: ecs.version
-- external: ecs
- name: email.attachments
-- external: ecs
- name: email.attachments.file.hash.md5
-- external: ecs
- name: email.attachments.file.hash.sha256
-- external: ecs
- name: email.attachments.file.mime_type
-- external: ecs
- name: email.attachments.file.name
-- external: ecs
- name: email.cc.address
-- external: ecs
- name: email.content_type
-- external: ecs
- name: email.delivery_timestamp
-- external: ecs
- name: email.from.address
-- external: ecs
- name: email.message_id
-- external: ecs
- name: email.reply_to.address
-- external: ecs
- name: email.sender.address
-- external: ecs
- name: email.subject
-- external: ecs
- name: email.to.address
-- external: ecs
- name: email.x_mailer
-- external: ecs
- name: error.message
-- external: ecs
- name: event.category
-- external: ecs
- name: event.created
-- external: ecs
- name: event.id
-- external: ecs
- name: event.kind
-- external: ecs
- name: event.original
-- external: ecs
- name: event.type
-- external: ecs
- name: related.hash
-- external: ecs
- name: related.ip
-- external: ecs
- name: source.as.number
-- external: ecs
- name: source.as.organization.name
-- external: ecs
- name: source.geo.city_name
-- external: ecs
- name: source.geo.continent_name
-- external: ecs
- name: source.geo.country_iso_code
-- external: ecs
- name: source.geo.country_name
-- external: ecs
- name: source.geo.location
-- external: ecs
- name: source.geo.region_iso_code
-- external: ecs
- name: source.geo.region_name
-- external: ecs
- name: source.ip
-- external: ecs
- name: tags
diff --git a/packages/proofpoint_tap/data_stream/message_delivered/manifest.yml b/packages/proofpoint_tap/data_stream/message_delivered/manifest.yml
index 8b1b8f774c5..db1a833a496 100644
--- a/packages/proofpoint_tap/data_stream/message_delivered/manifest.yml
+++ b/packages/proofpoint_tap/data_stream/message_delivered/manifest.yml
@@ -10,12 +10,7 @@ streams:
 type: text
 title: Interval
 description: >-
- Interval to fetch data from Proofpoint TAP API. The Proofpoint API applies a rolling 24 hour request limit
- to users of the API. The clicks blocked, messages delivered and messages blocked endpoints allow a pooled
- 1800 requests over a 24 hour period. After that requests will be throttled. See details
- [here](https://help.proofpoint.com/Threat_Insight_Dashboard/API_Documentation/SIEM_API#Throttle_Limits).
- To avoid throttling, assuming all data streams are being ingested, the interval should be at least 2m30s.
- NOTE: Supported units for this parameter are h/m/s.
+ Interval to fetch data from Proofpoint TAP API. The Proofpoint API applies a rolling 24 hour request limit to users of the API. The clicks blocked, messages delivered and messages blocked endpoints allow a pooled 1800 requests over a 24 hour period. After that requests will be throttled. See details [here](https://help.proofpoint.com/Threat_Insight_Dashboard/API_Documentation/SIEM_API#Throttle_Limits). To avoid throttling, assuming all data streams are being ingested, the interval should be at least 2m30s. NOTE: Supported units for this parameter are h/m/s.
 multi: false
 required: true
 show_user: true
@@ -24,8 +19,7 @@ streams:
 type: text
 title: Initial Interval
 description: >-
- How far back to pull the tap data from the Proofpoint TAP API (The initial interval should be a maximum of 7 days).
- NOTE: Supported units for this parameter are h/m/s.
+ How far back to pull the tap data from the Proofpoint TAP API (The initial interval should be a maximum of 7 days). NOTE: Supported units for this parameter are h/m/s.
 default: 24h
 multi: false
 required: true
diff --git a/packages/proofpoint_tap/docs/README.md b/packages/proofpoint_tap/docs/README.md
index 735b37b0220..be3b32f0ad4 100644
--- a/packages/proofpoint_tap/docs/README.md
+++ b/packages/proofpoint_tap/docs/README.md
@@ -161,63 +161,15 @@ An example event for `clicks_blocked` looks as following: | Field | Description | Type | |---|---|---| | @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization ID used to identify different entities in a multi-tenant environment. Examples: AWS account ID, Google Cloud ORG ID, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | | cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container ID. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | | data_stream.dataset | Data stream dataset. | constant_keyword | | data_stream.namespace | Data stream namespace. | constant_keyword | | data_stream.type | Data stream type. | constant_keyword | -| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| destination.as.organization.name | Organization name. | keyword | -| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | -| destination.geo.city_name | City name. | keyword | -| destination.geo.continent_name | Name of the continent. | keyword | -| destination.geo.country_iso_code | Country ISO code. 
| keyword | -| destination.geo.country_name | Country name. | keyword | -| destination.geo.location | Longitude and latitude. | geo_point | -| destination.geo.region_iso_code | Region ISO code. | keyword | -| destination.geo.region_name | Region name. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| email.from.address | The email address of the sender, typically from the RFC 5322 `From:` header field. | keyword | -| email.message_id | Identifier from the RFC 5322 `Message-ID:` email header that refers to a particular email message. | wildcard | -| email.to.address | The email address of recipient | keyword | -| error.message | Error message. | match_only_text | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. 
This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date | | event.dataset | Event dataset. | constant_keyword | -| event.id | Unique ID to describe the event. | keyword | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword | | event.module | Event module. | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| host.architecture | Operating system architecture. | keyword | | host.containerized | If the host is a container. 
| boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host ID. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host IP addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | host.os.build | OS build information. | keyword | | host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | input.type | Input type | keyword | | log.offset | Log offset | long | | proofpoint_tap.clicks_blocked.campaign_id | An identifier for the campaign of which the threat is a member, if available at the time of the query. Threats can be linked to campaigns even after these events are retrieved. | keyword | 
@@ -229,32 +181,6 @@ An example event for `clicks_blocked` looks as following: | proofpoint_tap.clicks_blocked.threat.time | Proofpoint identified the URL as a threat at this time. | date | | proofpoint_tap.clicks_blocked.threat.url | A link to the entry on the TAP Dashboard for the particular threat. | keyword | | proofpoint_tap.guid | The ID of the message within PPS. It can be used to identify the message in PPS and is guaranteed to be unique. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| tags | List of keywords used to tag each event. | keyword | -| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | -| url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | -| url.fragment | Portion of the url after the `#`, such as "top". The `#` is not part of the fragment. | keyword | -| url.full | If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. | wildcard | -| url.full.text | Multi-field of `url.full`. | match_only_text | -| url.original | Unmodified original url as seen in the event source. 
Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | -| url.original.text | Multi-field of `url.original`. | match_only_text | -| url.password | Password of the request. | keyword | -| url.path | Path of the request, such as "/search". | wildcard | -| url.port | Port of the request, such as 443. | long | -| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword | -| url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword | -| url.username | Username of the request. | keyword | -| user_agent.device.name | Name of the device. | keyword | -| user_agent.name | Name of the user agent. | keyword | -| user_agent.original | Unparsed user_agent string. | keyword | -| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text | -| user_agent.os.full | Operating system name, including the version or code name. | keyword | -| user_agent.os.full.text | Multi-field of `user_agent.os.full`. | match_only_text | -| user_agent.os.name | Operating system name, without the version. | keyword | -| user_agent.os.name.text | Multi-field of `user_agent.os.name`. | match_only_text | -| user_agent.os.version | Operating system version as a raw string. | keyword | -| user_agent.version | Version of the user agent. | keyword | ### Clicks Permitted 
@@ -399,63 +325,15 @@ An example event for `clicks_permitted` looks as following: | Field | Description | Type | |---|---|---| | @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization ID used to identify different entities in a multi-tenant environment. Examples: AWS account ID, Google Cloud ORG ID, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | | cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container ID. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | | data_stream.dataset | Data stream dataset. | constant_keyword | | data_stream.namespace | Data stream namespace. | constant_keyword | | data_stream.type | Data stream type. | constant_keyword | -| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| destination.as.organization.name | Organization name. | keyword | -| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | -| destination.geo.city_name | City name. | keyword | -| destination.geo.continent_name | Name of the continent. | keyword | -| destination.geo.country_iso_code | Country ISO code. 
| keyword | -| destination.geo.country_name | Country name. | keyword | -| destination.geo.location | Longitude and latitude. | geo_point | -| destination.geo.region_iso_code | Region ISO code. | keyword | -| destination.geo.region_name | Region name. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| email.from.address | The email address of the sender, typically from the RFC 5322 `From:` header field. | keyword | -| email.message_id | Identifier from the RFC 5322 `Message-ID:` email header that refers to a particular email message. | wildcard | -| email.to.address | The email address of recipient | keyword | -| error.message | Error message. | match_only_text | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. 
This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date | | event.dataset | Event dataset. | constant_keyword | -| event.id | Unique ID to describe the event. | keyword | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword | | event.module | Event module. | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| host.architecture | Operating system architecture. | keyword | | host.containerized | If the host is a container. 
| boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host ID. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host IP addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | host.os.build | OS build information. | keyword | | host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | input.type | Input type | keyword | | log.offset | Log offset | long | | proofpoint_tap.clicks_permitted.campaign_id | An identifier for the campaign of which the threat is a member, if available at the time of the query. Threats can be linked to campaigns even after these events are retrieved. | keyword | 
@@ -467,32 +345,6 @@ An example event for `clicks_permitted` looks as following: | proofpoint_tap.clicks_permitted.threat.time | Proofpoint identified the URL as a threat at this time. | date | | proofpoint_tap.clicks_permitted.threat.url | A link to the entry on the TAP Dashboard for the particular threat. | keyword | | proofpoint_tap.guid | The ID of the message within PPS. It can be used to identify the message in PPS and is guaranteed to be unique. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| tags | List of keywords used to tag each event. | keyword | -| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | -| url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | -| url.fragment | Portion of the url after the `#`, such as "top". The `#` is not part of the fragment. | keyword | -| url.full | If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. | wildcard | -| url.full.text | Multi-field of `url.full`. | match_only_text | -| url.original | Unmodified original url as seen in the event source. 
Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | -| url.original.text | Multi-field of `url.original`. | match_only_text | -| url.password | Password of the request. | keyword | -| url.path | Path of the request, such as "/search". | wildcard | -| url.port | Port of the request, such as 443. | long | -| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword | -| url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword | -| url.username | Username of the request. | keyword | -| user_agent.device.name | Name of the device. | keyword | -| user_agent.name | Name of the user agent. | keyword | -| user_agent.original | Unparsed user_agent string. | keyword | -| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text | -| user_agent.os.full | Operating system name, including the version or code name. | keyword | -| user_agent.os.full.text | Multi-field of `user_agent.os.full`. | match_only_text | -| user_agent.os.name | Operating system name, without the version. | keyword | -| user_agent.os.name.text | Multi-field of `user_agent.os.name`. | match_only_text | -| user_agent.os.version | Operating system version as a raw string. | keyword | -| user_agent.version | Version of the user agent. | keyword | ### Message Blocked 
@@ -703,65 +555,15 @@ An example event for `message_blocked` looks as following: | Field | Description | Type | |---|---|---| | @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization ID used to identify different entities in a multi-tenant environment. Examples: AWS account ID, Google Cloud ORG ID, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | | cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container ID. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | | data_stream.dataset | Data stream dataset. | constant_keyword | | data_stream.namespace | Data stream namespace. | constant_keyword | | data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| email.attachments | A list of objects describing the attachment files sent along with an email message. | nested | -| email.attachments.file.hash.md5 | MD5 hash. | keyword | -| email.attachments.file.hash.sha256 | SHA256 hash. 
| keyword | -| email.attachments.file.mime_type | The MIME media type of the attachment. This value will typically be extracted from the `Content-Type` MIME header field. | keyword | -| email.attachments.file.name | Name of the attachment file including the file extension. | keyword | -| email.cc.address | The email address of CC recipient | keyword | -| email.content_type | Information about how the message is to be displayed. Typically a MIME type. | keyword | -| email.delivery_timestamp | The date and time when the email message was received by the service or client. | date | -| email.from.address | The email address of the sender, typically from the RFC 5322 `From:` header field. | keyword | -| email.message_id | Identifier from the RFC 5322 `Message-ID:` email header that refers to a particular email message. | wildcard | -| email.reply_to.address | The address that replies should be delivered to based on the value in the RFC 5322 `Reply-To:` header. | keyword | -| email.sender.address | Per RFC 5322, specifies the address responsible for the actual transmission of the message. | keyword | -| email.subject | A brief summary of the topic of the message. | keyword | -| email.subject.text | Multi-field of `email.subject`. | match_only_text | -| email.to.address | The email address of recipient | keyword | -| email.x_mailer | The name of the application that was used to draft and send the original email message. | keyword | -| error.message | Error message. | match_only_text | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. 
| keyword | -| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date | | event.dataset | Event dataset. | constant_keyword | -| event.id | Unique ID to describe the event. | keyword | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword | | event.module | Event module. | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. 
`event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| host.architecture | Operating system architecture. | keyword | | host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host ID. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host IP addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | host.os.build | OS build information. | keyword | | host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. 
If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | input.type | Input type | keyword | | log.offset | Log offset | long | | proofpoint_tap.guid | The ID of the message within PPS. It can be used to identify the message in PPS and is guaranteed to be unique. | keyword | 
@@ -794,20 +596,6 @@ An example event for `message_blocked` looks as following: | proofpoint_tap.message_blocked.threat_info_map.threat.type | Whether the threat was an attachment, URL, or message type. | keyword | | proofpoint_tap.message_blocked.threat_info_map.threat.url | A link to the entry about the threat on the TAP Dashboard. | keyword | | proofpoint_tap.message_blocked.to_addresses | A list of email addresses contained within the To: header, excluding friendly names. | keyword | -| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| tags | List of keywords used to tag each event. | keyword | ### Message Delivered 
@@ -944,65 +732,15 @@ An example event for `message_delivered` looks as following: | Field | Description | Type | |---|---|---| | @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization ID used to identify different entities in a multi-tenant environment. Examples: AWS account ID, Google Cloud ORG ID, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | | cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container ID. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | | data_stream.dataset | Data stream dataset. | constant_keyword | | data_stream.namespace | Data stream namespace. | constant_keyword | | data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| email.attachments | A list of objects describing the attachment files sent along with an email message. | nested | -| email.attachments.file.hash.md5 | MD5 hash. | keyword | -| email.attachments.file.hash.sha256 | SHA256 hash. 
| keyword | -| email.attachments.file.mime_type | The MIME media type of the attachment. This value will typically be extracted from the `Content-Type` MIME header field. | keyword | -| email.attachments.file.name | Name of the attachment file including the file extension. | keyword | -| email.cc.address | The email address of CC recipient | keyword | -| email.content_type | Information about how the message is to be displayed. Typically a MIME type. | keyword | -| email.delivery_timestamp | The date and time when the email message was received by the service or client. | date | -| email.from.address | The email address of the sender, typically from the RFC 5322 `From:` header field. | keyword | -| email.message_id | Identifier from the RFC 5322 `Message-ID:` email header that refers to a particular email message. | wildcard | -| email.reply_to.address | The address that replies should be delivered to based on the value in the RFC 5322 `Reply-To:` header. | keyword | -| email.sender.address | Per RFC 5322, specifies the address responsible for the actual transmission of the message. | keyword | -| email.subject | A brief summary of the topic of the message. | keyword | -| email.subject.text | Multi-field of `email.subject`. | match_only_text | -| email.to.address | The email address of recipient | keyword | -| email.x_mailer | The name of the application that was used to draft and send the original email message. | keyword | -| error.message | Error message. | match_only_text | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. 
| keyword | -| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date | | event.dataset | Event dataset. | constant_keyword | -| event.id | Unique ID to describe the event. | keyword | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword | | event.module | Event module. | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. 
`event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| host.architecture | Operating system architecture. | keyword | | host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host ID. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host IP addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | host.os.build | OS build information. | keyword | | host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. 
If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | input.type | Input type | keyword | | log.offset | Log offset | long | | proofpoint_tap.guid | The ID of the message within PPS. It can be used to identify the message in PPS and is guaranteed to be unique. | keyword | @@ -1033,18 +771,4 @@ An example event for `message_delivered` looks as following: | proofpoint_tap.message_delivered.threat_info_map.threat.type | Whether the threat was an attachment, URL, or message type. | keyword | | proofpoint_tap.message_delivered.threat_info_map.threat.url | A link to the entry about the threat on the TAP Dashboard. | keyword | | proofpoint_tap.message_delivered.to_addresses | A list of email addresses contained within the To: header, excluding friendly names. | keyword | -| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| tags | List of keywords used to tag each event. | keyword | 
diff --git a/packages/proofpoint_tap/manifest.yml b/packages/proofpoint_tap/manifest.yml index 34fbd30c7f3..47aa28ca034 100644 --- a/packages/proofpoint_tap/manifest.yml +++ b/packages/proofpoint_tap/manifest.yml @@ -1,7 +1,7 @@ format_version: "3.0.3" name: proofpoint_tap title: Proofpoint TAP -version: "1.21.0" +version: "1.22.0" description: Collect logs from Proofpoint TAP with Elastic Agent. type: integration categories: @@ -9,7 +9,7 @@ categories: - email_security conditions: kibana: - version: ^8.12.0 + version: "^8.13.0" screenshots: - src: /img/proofpoint_tap-screenshot.png title: Proofpoint TAP blocked clicks dashboard screenshot diff --git a/packages/pulse_connect_secure/changelog.yml b/packages/pulse_connect_secure/changelog.yml index 4f4f8b74c68..2b88be558c4 100644 --- a/packages/pulse_connect_secure/changelog.yml +++ b/packages/pulse_connect_secure/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "2.1.0" + changes: + - description: Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template. + type: enhancement + link: https://github.com/elastic/integrations/pull/10135 - version: "2.0.1" changes: - description: Fix sample event. diff --git a/packages/pulse_connect_secure/data_stream/log/fields/agent.yml b/packages/pulse_connect_secure/data_stream/log/fields/agent.yml index 79a7a39864b..31300ef7751 100644 --- a/packages/pulse_connect_secure/data_stream/log/fields/agent.yml +++ b/packages/pulse_connect_secure/data_stream/log/fields/agent.yml 
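Review bot: The raised `kibana.version: "^8.13.0"` constraint is what guarantees that every ECS field dropped from this package's field definitions is still mapped by the `ecs@mappings` component template, yet the README hunks above show `email.attachments` (type `nested`) among the removed fields, and I do not believe `ecs@mappings` carries a nested dynamic template. If it does not, `email.attachments` will be dynamically mapped as a plain `object`, flattening each attachment's `file.name`/`file.hash.*` pair so that a query can match the hash of one attachment against the name of another — which matters for attachment-based detections. Please confirm against the 8.13 template and, if nested is not covered, keep an explicit `- external: ecs` / `  name: email.attachments` entry in the data stream's `ecs.yml`. The fields file that dropped it is outside this chunk, so this is inferred from the README tables.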
@@ -5,162 +5,15 @@ footnote: "Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on." type: group fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: "The cloud account or organization id used to identify different entities in a multi-tenant environment.\nExamples: AWS account id, Google Cloud ORG Id, or other unique identifier." - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - name: image.id type: keyword description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: "Container fields are used for meta information about the specific container that is the source of information.\nThese fields help correlate data based containers from any runtime." - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. - name: host title: Host group: 2 description: "A host is defined as a general computing instance.\nECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes." type: group fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: "Name of the domain of which the host is a member.\nFor example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider." - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: "Hostname of the host.\nIt normally contains what the `hostname` command returns on the host machine." - - name: id - level: core - type: keyword - ignore_above: 1024 - description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`." 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: "Name of the host.\nIt can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use." - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: "Type of host.\nFor Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment." - name: containerized type: boolean description: > diff --git a/packages/pulse_connect_secure/data_stream/log/fields/ecs.yml b/packages/pulse_connect_secure/data_stream/log/fields/ecs.yml index 6a4f52e7d57..adb0dc85322 100644 --- a/packages/pulse_connect_secure/data_stream/log/fields/ecs.yml +++ b/packages/pulse_connect_secure/data_stream/log/fields/ecs.yml 
@@ -1,92 +1,2 @@ - external: ecs name: '@timestamp' -- external: ecs - name: ecs.version -- external: ecs - name: event.created -- external: ecs - name: event.outcome -- external: ecs - name: client.address -- external: ecs - name: client.as.number -- external: ecs - name: client.as.organization.name -- external: ecs - name: client.geo.region_iso_code -- external: ecs - name: client.geo.region_name -- external: ecs - name: client.geo.city_name -- external: ecs - name: client.geo.continent_name -- external: ecs - name: client.geo.country_iso_code -- external: ecs - name: client.geo.country_name -- external: ecs - name: client.geo.location -- external: ecs - name: source.as.number -- external: ecs - name: source.as.organization.name -- external: ecs - name: source.geo.continent_name -- external: ecs - name: source.geo.country_iso_code -- external: ecs - name: source.geo.region_iso_code -- external: ecs - name: source.geo.region_name -- external: ecs - name: source.geo.city_name -- external: ecs - name: source.geo.country_name -- external: ecs - name: client.ip -- external: ecs - name: client.nat.ip -- external: ecs - name: log.syslog.priority -- external: ecs - name: message -- external: ecs - name: network.type -- external: ecs - name: observer.hostname -- external: ecs - name: observer.ip -- external: ecs - name: observer.name -- external: ecs - name: observer.product -- external: ecs - name: observer.type -- external: ecs - name: observer.vendor -- external: ecs - name: tags -- external: ecs - name: user.name -- external: ecs - name: user.domain -- external: ecs - name: user_agent.device.name -- external: ecs - name: user_agent.name -- external: ecs - name: user_agent.original -- external: ecs - name: user_agent.os.full -- external: ecs - name: user_agent.os.name -- external: ecs - name: user_agent.os.version -- external: ecs - name: source.address -- external: ecs - name: source.geo.location -- external: ecs - name: source.ip -- external: ecs - name: 
source.nat.ip diff --git a/packages/pulse_connect_secure/docs/README.md b/packages/pulse_connect_secure/docs/README.md index b8d0e95d560..215016527e8 100644 --- a/packages/pulse_connect_secure/docs/README.md +++ b/packages/pulse_connect_secure/docs/README.md 
@@ -142,98 +142,21 @@ An example event for `log` looks as following: | Field | Description | Type | |---|---|---| | @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | -| client.address | Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| client.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| client.as.organization.name | Organization name. | keyword | -| client.as.organization.name.text | Multi-field of `client.as.organization.name`. | match_only_text | -| client.geo.city_name | City name. | keyword | -| client.geo.continent_name | Name of the continent. | keyword | -| client.geo.country_iso_code | Country ISO code. | keyword | -| client.geo.country_name | Country name. | keyword | -| client.geo.location | Longitude and latitude. | geo_point | -| client.geo.region_iso_code | Region ISO code. | keyword | -| client.geo.region_name | Region name. | keyword | -| client.ip | IP address of the client (IPv4 or IPv6). | ip | -| client.nat.ip | Translated IP of source based NAT sessions (e.g. internal client to internet). Typically connections traversing load balancers, firewalls, or routers. | ip | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. 
| keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | | cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | | data_stream.dataset | Data stream dataset. | constant_keyword | | data_stream.namespace | Data stream namespace. | constant_keyword | | data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. 
| date | | event.dataset | Event dataset | constant_keyword | | event.module | Event module | constant_keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| host.architecture | Operating system architecture. | keyword | | host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. 
| keyword | | host.os.build | OS build information. | keyword | | host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | input.type | Input type | keyword | | log.flags | Flags for the log file. | keyword | | log.offset | Log offset | long | | log.source.address | Source address from which the log event was read / sent from. | keyword | -| log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 \* facility + severity. This number is therefore expected to contain a value between 0 and 191. | long | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | -| observer.hostname | Hostname of the observer. | keyword | -| observer.ip | IP addresses of the observer. | ip | -| observer.name | Custom name of the observer. This is a name that can be given to an observer. 
This can be helpful for example if multiple firewalls of the same model are used in an organization. If no custom name is needed, the field can be left empty. | keyword | -| observer.product | The product name of the observer. | keyword | -| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword | -| observer.vendor | Vendor name of the observer. | keyword | | pulse_secure.realm | test | keyword | | pulse_secure.role | test | keyword | | pulse_secure.session.id | test | keyword | | pulse_secure.session.id_short | | keyword | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. 
| ip | -| tags | List of keywords used to tag each event. | keyword | -| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | -| user.name | Short name or login of the user. | keyword | -| user.name.text | Multi-field of `user.name`. | match_only_text | -| user_agent.device.name | Name of the device. | keyword | -| user_agent.name | Name of the user agent. | keyword | -| user_agent.original | Unparsed user_agent string. | keyword | -| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text | -| user_agent.os.full | Operating system name, including the version or code name. | keyword | -| user_agent.os.full.text | Multi-field of `user_agent.os.full`. | match_only_text | -| user_agent.os.name | Operating system name, without the version. | keyword | -| user_agent.os.name.text | Multi-field of `user_agent.os.name`. | match_only_text | -| user_agent.os.version | Operating system version as a raw string. | keyword | diff --git a/packages/pulse_connect_secure/manifest.yml b/packages/pulse_connect_secure/manifest.yml index b862911c584..199dcd74163 100644 --- a/packages/pulse_connect_secure/manifest.yml +++ b/packages/pulse_connect_secure/manifest.yml @@ -1,6 +1,6 @@ name: pulse_connect_secure title: Pulse Connect Secure -version: 2.0.1 +version: "2.1.0" description: Collect logs from Pulse Connect Secure with Elastic Agent. type: integration icons: @@ -12,7 +12,7 @@ format_version: "3.0.3" categories: [vpn_security, security] conditions: kibana: - version: "^7.16.0 || ^8.0.0" + version: "^8.13.0" policy_templates: - name: pulse_connect_secure title: Pulse Connect Secure logs diff --git a/packages/qualys_vmdr/_dev/build/build.yml b/packages/qualys_vmdr/_dev/build/build.yml index 71f48ba2a9c..2bfcfc223b0 100644 --- a/packages/qualys_vmdr/_dev/build/build.yml +++ b/packages/qualys_vmdr/_dev/build/build.yml 
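Review bot: Dropping the explicit `type: long` / `type: ip` definitions (e.g. `log.syslog.priority`, `client.nat.ip`, `source.ip` in the `ecs.yml` hunk above) changes how string values are handled: an explicit mapping coerces `"13"` to a long, whereas `ecs@mappings` types a field from the indexed JSON value and only promotes `*.ip`-named fields to `ip`, so a pipeline that leaves `log.syslog.priority` as a string would now produce a `keyword` field and silently break numeric range queries used by detections. Worth confirming the ingest pipeline converts that field to an integer before relying on `^8.13.0` alone; the pipeline is not in this chunk. Separately, the jump from `^7.16.0 || ^8.0.0` to `^8.13.0` is recorded only as an `enhancement` in the changelog — if the repository treats a minimum-stack bump as breaking for users on 7.x or 8.0–8.12, the entry type should say so.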
@@ -1,4 +1,3 @@ dependencies: ecs: reference: "git@v8.11.0" - import_mappings: true diff --git a/packages/qualys_vmdr/changelog.yml b/packages/qualys_vmdr/changelog.yml index 83ce50d1c20..83749736bb3 100644 --- a/packages/qualys_vmdr/changelog.yml +++ b/packages/qualys_vmdr/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "3.3.0" + changes: + - description: Removed import_mappings. Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template. + type: enhancement + link: https://github.com/elastic/integrations/pull/10135 - version: "3.2.2" changes: - description: Fix date format to match user activity API behaviour. diff --git a/packages/qualys_vmdr/data_stream/asset_host_detection/fields/beats.yml b/packages/qualys_vmdr/data_stream/asset_host_detection/fields/beats.yml index b3701b581cf..4084f1dc7f5 100644 --- a/packages/qualys_vmdr/data_stream/asset_host_detection/fields/beats.yml +++ b/packages/qualys_vmdr/data_stream/asset_host_detection/fields/beats.yml @@ -4,6 +4,3 @@ - name: log.offset type: long description: Log offset. -- name: tags - type: keyword - description: User defined tags. diff --git a/packages/qualys_vmdr/data_stream/knowledge_base/fields/beats.yml b/packages/qualys_vmdr/data_stream/knowledge_base/fields/beats.yml index b3701b581cf..4084f1dc7f5 100644 --- a/packages/qualys_vmdr/data_stream/knowledge_base/fields/beats.yml +++ b/packages/qualys_vmdr/data_stream/knowledge_base/fields/beats.yml @@ -4,6 +4,3 @@ - name: log.offset type: long description: Log offset. -- name: tags - type: keyword - description: User defined tags. diff --git a/packages/qualys_vmdr/data_stream/user_activity/fields/ecs.yml b/packages/qualys_vmdr/data_stream/user_activity/fields/ecs.yml deleted file mode 100644 index d033a9239be..00000000000 --- a/packages/qualys_vmdr/data_stream/user_activity/fields/ecs.yml +++ /dev/null 
@@ -1,32 +0,0 @@
-- name: event.action
- external: ecs
-- name: event.provider
- external: ecs
-- name: message
- external: ecs
-- name: related.ip
- external: ecs
-- name: related.user
- external: ecs
-- name: source.as.number
- external: ecs
-- name: source.as.organization.name
- external: ecs
-- name: source.geo.city_name
- external: ecs
-- name: source.geo.continent_name
- external: ecs
-- name: source.geo.country_iso_code
- external: ecs
-- name: source.geo.country_name
- external: ecs
-- name: source.geo.region_iso_code
- external: ecs
-- name: source.geo.region_name
- external: ecs
-- name: source.ip
- external: ecs
-- name: user.name
- external: ecs
-- name: user.roles
- external: ecs
diff --git a/packages/qualys_vmdr/docs/README.md b/packages/qualys_vmdr/docs/README.md
index 1884863a077..31c469d2d95 100644
--- a/packages/qualys_vmdr/docs/README.md
+++ b/packages/qualys_vmdr/docs/README.md
@@ -315,7 +315,6 @@ An example event for `asset_host_detection` looks as following:
 | qualys_vmdr.asset_host_detection.vulnerability.times.reopened | | long |
 | qualys_vmdr.asset_host_detection.vulnerability.type | | keyword |
 | qualys_vmdr.asset_host_detection.vulnerability.unique_vuln_id | | keyword |
-| tags | User defined tags. | keyword |

 ### Knowledge Base

@@ -506,7 +505,6 @@ An example event for `knowledge_base` looks as following:
 | qualys_vmdr.knowledge_base.vendor_reference_list.id | | keyword |
 | qualys_vmdr.knowledge_base.vendor_reference_list.url | | keyword |
 | qualys_vmdr.knowledge_base.vuln_type | | keyword |
-| tags | User defined tags. | keyword |

 ### User Activity

@@ -604,12 +602,9 @@ An example event for `user_activity` looks as following:
 | data_stream.dataset | The field can contain anything that makes sense to signify the source of the data. Examples include `nginx.access`, `prometheus`, `endpoint` etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. `event.dataset` should have the same value as `data_stream.dataset`. Beyond the Elasticsearch data stream naming criteria noted above, the `dataset` value has additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword |
 | data_stream.namespace | A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with `default`. If no value is used, it falls back to `default`. Beyond the Elasticsearch index naming criteria noted above, `namespace` value has the additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword |
 | data_stream.type | An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. | constant_keyword |
-| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
 | event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | constant_keyword |
 | event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. | constant_keyword |
-| event.provider | Source of the event. Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). | keyword |
 | input.type | Type of filebeat input. | keyword |
-| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text |
 | qualys_vmdr.user_activity.Action | | keyword |
 | qualys_vmdr.user_activity.Date | | date |
 | qualys_vmdr.user_activity.Details | | keyword |
@@ -617,18 +612,3 @@ An example event for `user_activity` looks as following:
 | qualys_vmdr.user_activity.User_IP | | keyword |
 | qualys_vmdr.user_activity.User_Name | | keyword |
 | qualys_vmdr.user_activity.User_Role | | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| related.user | All the user names or other user identifiers seen on the event. | keyword |
-| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| source.as.organization.name | Organization name. | keyword |
-| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text |
-| source.geo.city_name | City name. | keyword |
-| source.geo.continent_name | Name of the continent. | keyword |
-| source.geo.country_iso_code | Country ISO code. | keyword |
-| source.geo.country_name | Country name. | keyword |
-| source.geo.region_iso_code | Region ISO code. | keyword |
-| source.geo.region_name | Region name. | keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| user.name | Short name or login of the user. | keyword |
-| user.name.text | Multi-field of `user.name`. | match_only_text |
-| user.roles | Array of user roles at the time of the event. | keyword |
diff --git a/packages/qualys_vmdr/manifest.yml b/packages/qualys_vmdr/manifest.yml
index dedbd6beecd..80f6b908706 100644
--- a/packages/qualys_vmdr/manifest.yml
+++ b/packages/qualys_vmdr/manifest.yml
@@ -1,7 +1,7 @@
 format_version: "3.0.2"
 name: qualys_vmdr
 title: Qualys VMDR
-version: "3.2.2"
+version: "3.3.0"
 description: Collect data from Qualys VMDR platform with Elastic Agent.
 type: integration
 categories:
@@ -9,7 +9,7 @@ categories:
 - vulnerability_management
 conditions:
 kibana:
- version: ^8.12.0
+ version: "^8.13.0"
 elastic:
 subscription: basic
 screenshots:
diff --git a/packages/rapid7_insightvm/_dev/build/build.yml b/packages/rapid7_insightvm/_dev/build/build.yml
index 71f48ba2a9c..2bfcfc223b0 100644
--- a/packages/rapid7_insightvm/_dev/build/build.yml
+++ b/packages/rapid7_insightvm/_dev/build/build.yml
@@ -1,4 +1,3 @@
 dependencies:
 ecs:
 reference: "git@v8.11.0"
- import_mappings: true
diff --git a/packages/rapid7_insightvm/changelog.yml b/packages/rapid7_insightvm/changelog.yml
index 2359aad9e50..3d0595bf035 100644
--- a/packages/rapid7_insightvm/changelog.yml
+++ b/packages/rapid7_insightvm/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.12.0"
+ changes:
+ - description: Removed import_mappings. Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/10135
 - version: "1.11.0"
 changes:
 - description: Improve handling of empty responses.
diff --git a/packages/rapid7_insightvm/data_stream/asset/fields/beats.yml b/packages/rapid7_insightvm/data_stream/asset/fields/beats.yml
index 2d5ae254634..d5fd38748ba 100644
--- a/packages/rapid7_insightvm/data_stream/asset/fields/beats.yml
+++ b/packages/rapid7_insightvm/data_stream/asset/fields/beats.yml
@@ -4,6 +4,3 @@
 - name: log.offset
 type: long
 description: Log offset.
-- name: tags
- type: keyword
- description: User defined tags.
diff --git a/packages/rapid7_insightvm/data_stream/vulnerability/fields/beats.yml b/packages/rapid7_insightvm/data_stream/vulnerability/fields/beats.yml
index 2d5ae254634..d5fd38748ba 100644
--- a/packages/rapid7_insightvm/data_stream/vulnerability/fields/beats.yml
+++ b/packages/rapid7_insightvm/data_stream/vulnerability/fields/beats.yml
@@ -4,6 +4,3 @@
 - name: log.offset
 type: long
 description: Log offset.
-- name: tags
- type: keyword
- description: User defined tags.
diff --git a/packages/rapid7_insightvm/docs/README.md b/packages/rapid7_insightvm/docs/README.md
index 148c69a30a9..445de560009 100644
--- a/packages/rapid7_insightvm/docs/README.md
+++ b/packages/rapid7_insightvm/docs/README.md
@@ -226,7 +226,6 @@ An example event for `asset` looks as following:
 | rapid7.insightvm.asset.type | Enum: "hypervisor" "mobile" "guest" "physical" "unknown" The type of asset. | keyword |
 | rapid7.insightvm.asset.unique_identifiers.id | The unique identifier. | keyword |
 | rapid7.insightvm.asset.unique_identifiers.source | The source of the unique identifier. | keyword |
-| tags | User defined tags. | keyword |

 ### vulnerability

@@ -481,4 +480,3 @@ An example event for `vulnerability` looks as following:
 | rapid7.insightvm.vulnerability.severity | Enum: "critical" "low" "severe" "informational" "none" "moderate" The severity of the vulnerability. | keyword |
 | rapid7.insightvm.vulnerability.severity_score | The severity score of the vulnerability, on a scale of 0-10. | long |
 | rapid7.insightvm.vulnerability.title | The title (summary) of the vulnerability. | keyword |
-| tags | User defined tags. | keyword |
diff --git a/packages/rapid7_insightvm/manifest.yml b/packages/rapid7_insightvm/manifest.yml
index 1ee759938d8..7a9a58b0160 100644
--- a/packages/rapid7_insightvm/manifest.yml
+++ b/packages/rapid7_insightvm/manifest.yml
@@ -1,7 +1,7 @@
 format_version: "3.0.2"
 name: rapid7_insightvm
 title: Rapid7 InsightVM
-version: "1.11.0"
+version: "1.12.0"
 source:
 license: "Elastic-2.0"
 description: Collect logs from Rapid7 InsightVM with Elastic Agent.
@@ -11,7 +11,7 @@ categories:
 - vulnerability_management
 conditions:
 kibana:
- version: ^8.12.0
+ version: "^8.13.0"
 elastic:
 subscription: "basic"
 screenshots:
diff --git a/packages/santa/changelog.yml b/packages/santa/changelog.yml
index f70e6126a03..b852bd1b8b8 100644
--- a/packages/santa/changelog.yml
+++ b/packages/santa/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "3.18.0"
+ changes:
+ - description: Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/10135
 - version: "3.17.0"
 changes:
 - description: Update manifest format version to v3.0.3.
diff --git a/packages/santa/data_stream/log/fields/agent.yml b/packages/santa/data_stream/log/fields/agent.yml
index e313ec82874..48f513b61aa 100644
--- a/packages/santa/data_stream/log/fields/agent.yml
+++ b/packages/santa/data_stream/log/fields/agent.yml
@@ -5,180 +5,15 @@ footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' type: group fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - name: image.id type: keyword description: Image ID for the cloud instance. -- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. 
- - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. - name: host title: Host group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' type: group fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. 
- - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - name: containerized type: boolean description: > diff --git a/packages/santa/data_stream/log/fields/ecs.yml b/packages/santa/data_stream/log/fields/ecs.yml deleted file mode 100644 index ca4a4858ec6..00000000000 
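Review bot: The `host.os.name.text` multi-field changes type silently when its explicit definition (`multi_fields: - name: text`, `type: text`, `norms: false`) is removed from this hunk: the santa README hunk further down this page records that multi-field as `text`, while every other ECS `.text` multi-field documented on this page (`user.name.text`, `process.name.text`, `source.as.organization.name.text`) is `match_only_text`. If ecs@mappings now supplies `host.os.name.text`, it presumably becomes `match_only_text`, which is not scored, so any saved search or rule relying on relevance on that field behaves differently; one sentence in the santa changelog entry (`Note: host.os.name.text changes from text to match_only_text.`) or a mapping assertion in the pipeline test would make that explicit. The same reliance on the component template applies to the deleted `fields/ecs.yml` of this data stream (`process.hash.sha256`, `related.hash`, `process.entity_id` and the rest), where any field not matched by an ecs@mappings dynamic template would fall back to default dynamic mapping instead of `keyword`, so confirming those mappings in the pipeline test is worth doing before relying on them in detections.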
--- a/packages/santa/data_stream/log/fields/ecs.yml
+++ /dev/null
@@ -1,46 +0,0 @@
-- external: ecs
- name: ecs.version
-- external: ecs
- name: event.ingested
-- external: ecs
- name: agent.id
-- external: ecs
- name: file.path
-- external: ecs
- name: file.target_path
-- external: ecs
- name: file.x509.issuer.common_name
-- external: ecs
- name: group.id
-- external: ecs
- name: group.name
-- external: ecs
- name: log.file.path
-- external: ecs
- name: log.level
-- external: ecs
- name: process.args
-- external: ecs
- name: process.executable
-- external: ecs
- name: process.hash.sha256
-- external: ecs
- name: process.pid
-- external: ecs
- name: process.entity_id
-- external: ecs
- name: process.parent.pid
-- external: ecs
- name: process.name
-- external: ecs
- name: process.start
-- external: ecs
- name: related.hash
-- external: ecs
- name: related.user
-- external: ecs
- name: tags
-- external: ecs
- name: user.id
-- external: ecs
- name: user.name
diff --git a/packages/santa/docs/README.md b/packages/santa/docs/README.md
index 57b4d5155e8..a9acbc3336c 100644
--- a/packages/santa/docs/README.md
+++ b/packages/santa/docs/README.md
@@ -127,67 +127,17 @@ An example event for `log` looks as following: | Field | Description | Type | |---|---|---| | @timestamp | Event timestamp. | date | -| agent.id | Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id. | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | | cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | | data_stream.dataset | Data stream dataset. | constant_keyword | | data_stream.namespace | Data stream namespace. | constant_keyword | | data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | | event.dataset | Event dataset | constant_keyword | -| event.ingested | Timestamp when an event arrived in the central data store. 
This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | | event.module | Event module | constant_keyword | -| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword | -| file.path.text | Multi-field of `file.path`. | match_only_text | -| file.target_path | Target path for symlinks. | keyword | -| file.target_path.text | Multi-field of `file.target_path`. | match_only_text | -| file.x509.issuer.common_name | List of common name (CN) of issuing certificate authority. | keyword | -| group.id | Unique identifier for the group on the system/platform. | keyword | -| group.name | Name of the group. | keyword | -| host.architecture | Operating system architecture. | keyword | | host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | host.os.build | OS build information. 
| keyword | | host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | input.type | Input type | keyword | -| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | -| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | | log.offset | Log offset | long | -| process.args | Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information. | keyword | -| process.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. 
| keyword | -| process.executable | Absolute path to the process executable. | keyword | -| process.executable.text | Multi-field of `process.executable`. | match_only_text | -| process.hash.sha256 | SHA256 hash. | keyword | -| process.name | Process name. Sometimes called program name or similar. | keyword | -| process.name.text | Multi-field of `process.name`. | match_only_text | -| process.parent.pid | Process id. | long | -| process.pid | Process id. | long | -| process.start | The time the process started. | date | -| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | -| related.user | All the user names or other user identifiers seen on the event. | keyword | | santa.action | Action | keyword | | santa.certificate.common_name | Common name from code signing certificate. | keyword | | santa.certificate.sha256 | SHA256 hash of code signing certificate. | keyword | @@ -204,8 +154,4 @@ An example event for `log` looks as following: | santa.mode | Operating mode of Santa. | keyword | | santa.pidversion | macOS process identity version. | long | | santa.reason | Reason for the decision. | keyword | -| tags | List of keywords used to tag each event. | keyword | -| user.id | Unique identifier of the user. | keyword | -| user.name | Short name or login of the user. | keyword | -| user.name.text | Multi-field of `user.name`. | match_only_text | diff --git a/packages/santa/manifest.yml b/packages/santa/manifest.yml index 242cda09914..077c576812b 100644 --- a/packages/santa/manifest.yml +++ b/packages/santa/manifest.yml @@ -1,6 +1,6 @@ name: santa title: Google Santa -version: "3.17.0" +version: "3.18.0" description: Collect logs from Google Santa with Elastic Agent. type: integration icons: 
@@ -12,7 +12,7 @@ categories:
 - security
 conditions:
 kibana:
- version: ^8.7.1
+ version: "^8.13.0"
 screenshots:
 - src: /img/kibana-santa-log-overview.png
 title: kibana santa log overview
diff --git a/packages/sentinel_one/_dev/deploy/docker/files/config.yml b/packages/sentinel_one/_dev/deploy/docker/files/config.yml
index 9412d2423e7..f9abf588bbb 100644
--- a/packages/sentinel_one/_dev/deploy/docker/files/config.yml
+++ b/packages/sentinel_one/_dev/deploy/docker/files/config.yml
@@ -27,5 +27,5 @@ rules: methods: ["GET"] responses: - status_code: 200 - body: | - {"data":[{"agentDetectionInfo":{"accountId":"1234567890123456789","accountName":"Default","agentDetectionState":null,"agentDomain":"WORKGROUP","agentIpV4":"10.0.0.1","agentIpV6":"2a02:cf40::","agentLastLoggedInUpn":null,"agentLastLoggedInUserMail":null,"agentLastLoggedInUserName":"","agentMitigationMode":"protect","agentOsName":"linux","agentOsRevision":"1234","agentRegisteredAt":"2022-04-06T08:26:45.515278Z","agentUuid":"fwfbxxxxxxxxxxqcfjfnxxxxxxxxx","agentVersion":"21.x.x","cloudProviders":{},"externalIp":"81.2.69.143","groupId":"1234567890123456789","groupName":"Default Group","siteId":"1234567890123456789","siteName":"Default site"},"agentRealtimeInfo":{"accountId":"1234567890123456789","accountName":"Default","activeThreats":7,"agentComputerName":"test-LINUX","agentDecommissionedAt":null,"agentDomain":"WORKGROUP","agentId":"1234567890123456789","agentInfected":true,"agentIsActive":true,"agentIsDecommissioned":false,"agentMachineType":"server","agentMitigationMode":"detect","agentNetworkStatus":"connected","agentOsName":"linux","agentOsRevision":"1234","agentOsType":"linux","agentUuid":"fwfbxxxxxxxxxxqcfjfnxxxxxxxxx","agentVersion":"21.x.x.1234","groupId":"1234567890123456789","groupName":"Default Group","networkInterfaces":[{"id":"1234567890123456789","inet":["10.0.0.1"],"inet6":["2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6"],"name":"Ethernet","physical":"DE:AD:00:00:BE:EF"}],"operationalState":"na","rebootRequired":false,"scanAbortedAt":null,"scanFinishedAt":"2022-04-06T09:18:21.090855Z","scanStartedAt":"2022-04-06T08:26:52.838047Z","scanStatus":"finished","siteId":"1234567890123456789","siteName":"Default 
site","storageName":null,"storageType":null,"userActionsNeeded":[]},"containerInfo":{"id":null,"image":null,"labels":null,"name":null},"id":"1234567890123456789","indicators":[],"kubernetesInfo":{"cluster":null,"controllerKind":null,"controllerLabels":null,"controllerName":null,"namespace":null,"namespaceLabels":null,"node":null,"pod":null,"podLabels":null},"mitigationStatus":[{"action":"unquarantine","actionsCounters":{"failed":0,"notFound":0,"pendingReboot":0,"success":1,"total":1},"agentSupportsReport":true,"groupNotFound":false,"lastUpdate":"2022-04-06T08:54:17.198002Z","latestReport":"/threats/mitigation-report","mitigationEndedAt":"2022-04-06T08:54:17.101000Z","mitigationStartedAt":"2022-04-06T08:54:17.101000Z","status":"success"},{"action":"kill","actionsCounters":null,"agentSupportsReport":true,"groupNotFound":false,"lastUpdate":"2022-04-06T08:45:55.303355Z","latestReport":null,"mitigationEndedAt":"2022-04-06T08:45:55.297364Z","mitigationStartedAt":"2022-04-06T08:45:55.297363Z","status":"success"}],"threatInfo":{"analystVerdict":"undefined","analystVerdictDescription":"Undefined","automaticallyResolved":false,"browserType":null,"certificateId":"","classification":"Trojan","classificationSource":"Cloud","cloudFilesHashVerdict":"black","collectionId":"1234567890123456789","confidenceLevel":"malicious","createdAt":"2022-04-06T08:45:54.519988Z","detectionEngines":[{"key":"sentinelone_cloud","title":"SentinelOne Cloud"}],"detectionType":"static","engines":["SentinelOne Cloud"],"externalTicketExists":false,"externalTicketId":null,"failedActions":false,"fileExtension":"EXE","fileExtensionType":"Executable","filePath":"default.exe","fileSize":1234,"fileVerificationType":"NotSigned","identifiedAt":"2022-04-06T08:45:53.968000Z","incidentStatus":"unresolved","incidentStatusDescription":"Unresolved","initiatedBy":"agent_policy","initiatedByDescription":"Agent 
Policy","initiatingUserId":null,"initiatingUsername":null,"isFileless":false,"isValidCertificate":false,"maliciousProcessArguments":null,"md5":null,"mitigatedPreemptively":false,"mitigationStatus":"not_mitigated","mitigationStatusDescription":"Not mitigated","originatorProcess":"default.exe","pendingActions":false,"processUser":"test user","publisherName":"","reachedEventsLimit":false,"rebootRequired":false,"sha1":"aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d","sha256":null,"storyline":"D0XXXXXXXXXXAF4D","threatId":"1234567890123456789","threatName":"default.exe","updatedAt":"2022-04-06T08:54:17.194122Z"},"whiteningOptions":["hash"]},{"agentDetectionInfo":{"accountId":"1234567890123456789","accountName":"Default","agentDetectionState":null,"agentDomain":"WORKGROUP","agentIpV4":"10.0.0.1","agentIpV6":"2a02:cf40::","agentLastLoggedInUpn":null,"agentLastLoggedInUserMail":null,"agentLastLoggedInUserName":"","agentMitigationMode":"detect","agentOsName":"linux","agentOsRevision":"1234","agentRegisteredAt":"2022-04-06T08:26:45.515278Z","agentUuid":"fwfbxxxxxxxxxxqcfjfnxxxxxxxxx","agentVersion":"21.x.x","cloudProviders":{},"externalIp":"81.2.69.143","groupId":"1234567890123456789","groupName":"Default Group","siteId":"1234567890123456789","siteName":"Default site"},"agentRealtimeInfo":{"accountId":"1234567890123456789","accountName":"Default","activeThreats":7,"agentComputerName":"test-LINUX","agentDecommissionedAt":null,"agentDomain":"WORKGROUP","agentId":"1234567890123456789","agentInfected":true,"agentIsActive":true,"agentIsDecommissioned":false,"agentMachineType":"server","agentMitigationMode":"detect","agentNetworkStatus":"connected","agentOsName":"linux","agentOsRevision":"1234","agentOsType":"linux","agentUuid":"fwfbxxxxxxxxxxqcfjfnxxxxxxxxx","agentVersion":"21.x.x.1234","groupId":"1234567890123456789","groupName":"Default 
Group","networkInterfaces":[{"id":"1234567890123456789","inet":["10.0.0.1"],"inet6":["2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6"],"name":"Ethernet","physical":"DE:AD:00:00:BE:EF"}],"operationalState":"na","rebootRequired":false,"scanAbortedAt":null,"scanFinishedAt":"2022-04-06T09:18:21.090855Z","scanStartedAt":"2022-04-06T08:26:52.838047Z","scanStatus":"finished","siteId":"1234567890123456789","siteName":"Default site","storageName":null,"storageType":null,"userActionsNeeded":[]},"containerInfo":{"id":null,"image":null,"labels":null,"name":null},"id":"1234567890123456789","indicators":[{"category":"General","description":"Detected by the Static Engine","ids":[43],"tactics":[]},{"category":"Exploitation","description":"Document behaves abnormally","ids":[62],"tactics":[{"name":"Execution","source":"DEFAULT","techniques":[{"link":"https://example.com/","name":"T1234"},{"link":"https://example.com/","name":"T1234"},{"link":"https://example.com/","name":"T1234"}]},{"name":"Initial Access","source":"DEFAULT","techniques":[{"link":"https://example.com/","name":"T1234"}]}]},{"category":"Evasion","description":"Indirect command was executed","ids":[427],"tactics":[{"name":"Defense Evasion","source":"DEFAULT","techniques":[{"link":"https://example.com/","name":"T1234"},{"link":"https://example.com/","name":"T1234"}]}]},{"category":"Evasion","description":"Office program ran macro","ids":[434],"tactics":[{"name":"Execution","source":"DEFAULT","techniques":[{"link":"https://example.com","name":"T1234"}]},{"name":"Initial Access","source":"DEFAULT","techniques":[{"link":"https://example.com","name":"T1234"}]},{"name":"Execution","source":"DEFAULT","techniques":[{"link":"https://example.com","name":"T1234"}]}]},{"category":"Evasion","description":"Process wrote to a hidden file section","ids":[169],"tactics":[{"name":"Defense Evasion","source":"DEFAULT","techniques":[{"link":"https://example.com","name":"T1234"}]}]},{"category":"Evasion","description":"Suspicious registry key was 
created","ids":[171],"tactics":[{"name":"Defense Evasion","source":"DEFAULT","techniques":[{"link":"https://example.com","name":"T1234"}]}]}],"kubernetesInfo":{"cluster":null,"controllerKind":null,"controllerLabels":null,"controllerName":null,"namespace":null,"namespaceLabels":null,"node":null,"pod":null,"podLabels":null},"mitigationStatus":[],"threatInfo":{"analystVerdict":"undefined","analystVerdictDescription":"Undefined","automaticallyResolved":false,"browserType":null,"certificateId":"","classification":"Malware","classificationSource":"Static","cloudFilesHashVerdict":"black","collectionId":"1234567890123456789","confidenceLevel":"malicious","createdAt":"2022-04-06T08:57:34.744922Z","detectionEngines":[{"key":"pre_execution","title":"On-Write Static AI"},{"key":"data_files","title":"Documents, Scripts"}],"detectionType":"dynamic","engines":["Documents, Scripts","On-Write ABC"],"externalTicketExists":false,"externalTicketId":null,"failedActions":false,"fileExtension":"TXT","fileExtensionType":"Document","filePath":"test/path/user","fileSize":238592,"fileVerificationType":"NotSigned","identifiedAt":"2022-04-06T08:57:34.444000Z","incidentStatus":"unresolved","incidentStatusDescription":"Unresolved","initiatedBy":"agent_policy","initiatedByDescription":"Agent Policy","initiatingUserId":null,"initiatingUsername":null,"isFileless":false,"isValidCertificate":false,"maliciousProcessArguments":"test/path/user","md5":null,"mitigatedPreemptively":false,"mitigationStatus":"not_mitigated","mitigationStatusDescription":"Not mitigated","originatorProcess":"default.EXE","pendingActions":false,"processUser":"test_user","publisherName":"","reachedEventsLimit":false,"rebootRequired":false,"sha1":"aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d","sha256":null,"storyline":"7XXXXXXXXXDD5A41","threatId":"123456789","threatName":"Threats","updatedAt":"2022-04-06T08:57:37.672873Z"},"whiteningOptions":["hash","path","file_type"]}],"pagination":{"nextCursor":null,"totalItems":2}} \ No newline 
at end of file + body: |- + {"data":[{"agentDetectionInfo":{"accountId":"1234567890123456789","accountName":"Default","agentDetectionState":null,"agentDomain":"WORKGROUP","agentIpV4":"10.0.0.1","agentIpV6":"2a02:cf40::","agentLastLoggedInUpn":null,"agentLastLoggedInUserMail":null,"agentLastLoggedInUserName":"","agentMitigationMode":"protect","agentOsName":"linux","agentOsRevision":"1234","agentRegisteredAt":"2022-04-06T08:26:45.515278Z","agentUuid":"fwfbxxxxxxxxxxqcfjfnxxxxxxxxx","agentVersion":"21.x.x","cloudProviders":{},"externalIp":"81.2.69.143","groupId":"1234567890123456789","groupName":"Default Group","siteId":"1234567890123456789","siteName":"Default site"},"agentRealtimeInfo":{"accountId":"1234567890123456789","accountName":"Default","activeThreats":7,"agentComputerName":"test-LINUX","agentDecommissionedAt":null,"agentDomain":"WORKGROUP","agentId":"1234567890123456789","agentInfected":true,"agentIsActive":true,"agentIsDecommissioned":false,"agentMachineType":"server","agentMitigationMode":"detect","agentNetworkStatus":"connected","agentOsName":"linux","agentOsRevision":"1234","agentOsType":"linux","agentUuid":"fwfbxxxxxxxxxxqcfjfnxxxxxxxxx","agentVersion":"21.x.x.1234","groupId":"1234567890123456789","groupName":"Default Group","networkInterfaces":[{"id":"1234567890123456789","inet":["10.0.0.1"],"inet6":["2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6"],"name":"Ethernet","physical":"DE:AD:00:00:BE:EF"}],"operationalState":"na","rebootRequired":false,"scanAbortedAt":null,"scanFinishedAt":"2022-04-06T09:18:21.090855Z","scanStartedAt":"2022-04-06T08:26:52.838047Z","scanStatus":"finished","siteId":"1234567890123456789","siteName":"Default 
site","storageName":null,"storageType":null,"userActionsNeeded":[]},"containerInfo":{"id":null,"image":null,"labels":null,"name":null},"id":"1234567890123456789","indicators":[],"kubernetesInfo":{"cluster":null,"controllerKind":null,"controllerLabels":null,"controllerName":null,"namespace":null,"namespaceLabels":null,"node":null,"pod":null,"podLabels":null},"mitigationStatus":[{"action":"unquarantine","actionsCounters":{"failed":0,"notFound":0,"pendingReboot":0,"success":1,"total":1},"agentSupportsReport":true,"groupNotFound":false,"lastUpdate":"2022-04-06T08:54:17.198002Z","latestReport":"/threats/mitigation-report","mitigationEndedAt":"2022-04-06T08:54:17.101000Z","mitigationStartedAt":"2022-04-06T08:54:17.101000Z","status":"success"},{"action":"kill","actionsCounters":null,"agentSupportsReport":true,"groupNotFound":false,"lastUpdate":"2022-04-06T08:45:55.303355Z","latestReport":null,"mitigationEndedAt":"2022-04-06T08:45:55.297364Z","mitigationStartedAt":"2022-04-06T08:45:55.297363Z","status":"success"}],"threatInfo":{"analystVerdict":"undefined","analystVerdictDescription":"Undefined","automaticallyResolved":false,"browserType":null,"certificateId":"","classification":"Trojan","classificationSource":"Cloud","cloudFilesHashVerdict":"black","collectionId":"1234567890123456789","confidenceLevel":"malicious","createdAt":"2022-04-06T08:45:54.519988Z","detectionEngines":[{"key":"sentinelone_cloud","title":"SentinelOne Cloud"}],"detectionType":"static","engines":["SentinelOne Cloud"],"externalTicketExists":false,"externalTicketId":null,"failedActions":false,"fileExtension":"EXE","fileExtensionType":"Executable","filePath":"default.exe","fileSize":1234,"fileVerificationType":"NotSigned","identifiedAt":"2022-04-06T08:45:53.968000Z","incidentStatus":"unresolved","incidentStatusDescription":"Unresolved","initiatedBy":"agent_policy","initiatedByDescription":"Agent 
Policy","initiatingUserId":null,"initiatingUsername":null,"isFileless":false,"isValidCertificate":false,"maliciousProcessArguments":null,"md5":null,"mitigatedPreemptively":false,"mitigationStatus":"not_mitigated","mitigationStatusDescription":"Not mitigated","originatorProcess":"default.exe","pendingActions":false,"processUser":"test user","publisherName":"","reachedEventsLimit":false,"rebootRequired":false,"sha1":"aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d","sha256":null,"storyline":"D0XXXXXXXXXXAF4D","threatId":"1234567890123456789","threatName":"default.exe","updatedAt":"2022-04-06T08:54:17.194122Z"},"whiteningOptions":["hash"]},{"agentDetectionInfo":{"accountId":"1234567890123456789","accountName":"Default","agentDetectionState":null,"agentDomain":"WORKGROUP","agentIpV4":"10.0.0.1","agentIpV6":"2a02:cf40::","agentLastLoggedInUpn":null,"agentLastLoggedInUserMail":null,"agentLastLoggedInUserName":"","agentMitigationMode":"detect","agentOsName":"linux","agentOsRevision":"1234","agentRegisteredAt":"2022-04-06T08:26:45.515278Z","agentUuid":"fwfbxxxxxxxxxxqcfjfnxxxxxxxxx","agentVersion":"21.x.x","cloudProviders":{},"externalIp":"81.2.69.143","groupId":"1234567890123456789","groupName":"Default Group","siteId":"1234567890123456789","siteName":"Default site"},"agentRealtimeInfo":{"accountId":"1234567890123456789","accountName":"Default","activeThreats":7,"agentComputerName":"test-LINUX","agentDecommissionedAt":null,"agentDomain":"WORKGROUP","agentId":"1234567890123456789","agentInfected":true,"agentIsActive":true,"agentIsDecommissioned":false,"agentMachineType":"server","agentMitigationMode":"detect","agentNetworkStatus":"connected","agentOsName":"linux","agentOsRevision":"1234","agentOsType":"linux","agentUuid":"fwfbxxxxxxxxxxqcfjfnxxxxxxxxx","agentVersion":"21.x.x.1234","groupId":"1234567890123456789","groupName":"Default 
Group","networkInterfaces":[{"id":"1234567890123456789","inet":["10.0.0.1"],"inet6":["2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6"],"name":"Ethernet","physical":"DE:AD:00:00:BE:EF"}],"operationalState":"na","rebootRequired":false,"scanAbortedAt":null,"scanFinishedAt":"2022-04-06T09:18:21.090855Z","scanStartedAt":"2022-04-06T08:26:52.838047Z","scanStatus":"finished","siteId":"1234567890123456789","siteName":"Default site","storageName":null,"storageType":null,"userActionsNeeded":[]},"containerInfo":{"id":null,"image":null,"labels":null,"name":null},"id":"1234567890123456789","indicators":[{"category":"General","description":"Detected by the Static Engine","ids":[43],"tactics":[]},{"category":"Exploitation","description":"Document behaves abnormally","ids":[62],"tactics":[{"name":"Execution","source":"DEFAULT","techniques":[{"link":"https://example.com/","name":"T1234"},{"link":"https://example.com/","name":"T1234"},{"link":"https://example.com/","name":"T1234"}]},{"name":"Initial Access","source":"DEFAULT","techniques":[{"link":"https://example.com/","name":"T1234"}]}]},{"category":"Evasion","description":"Indirect command was executed","ids":[427],"tactics":[{"name":"Defense Evasion","source":"DEFAULT","techniques":[{"link":"https://example.com/","name":"T1234"},{"link":"https://example.com/","name":"T1234"}]}]},{"category":"Evasion","description":"Office program ran macro","ids":[434],"tactics":[{"name":"Execution","source":"DEFAULT","techniques":[{"link":"https://example.com","name":"T1234"}]},{"name":"Initial Access","source":"DEFAULT","techniques":[{"link":"https://example.com","name":"T1234"}]},{"name":"Execution","source":"DEFAULT","techniques":[{"link":"https://example.com","name":"T1234"}]}]},{"category":"Evasion","description":"Process wrote to a hidden file section","ids":[169],"tactics":[{"name":"Defense Evasion","source":"DEFAULT","techniques":[{"link":"https://example.com","name":"T1234"}]}]},{"category":"Evasion","description":"Suspicious registry key was 
created","ids":[171],"tactics":[{"name":"Defense Evasion","source":"DEFAULT","techniques":[{"link":"https://example.com","name":"T1234"}]}]}],"kubernetesInfo":{"cluster":null,"controllerKind":null,"controllerLabels":null,"controllerName":null,"namespace":null,"namespaceLabels":null,"node":null,"pod":null,"podLabels":null},"mitigationStatus":[],"threatInfo":{"analystVerdict":"undefined","analystVerdictDescription":"Undefined","automaticallyResolved":false,"browserType":null,"certificateId":"","classification":"Malware","classificationSource":"Static","cloudFilesHashVerdict":"black","collectionId":"1234567890123456789","confidenceLevel":"malicious","createdAt":"2022-04-06T08:57:34.744922Z","detectionEngines":[{"key":"pre_execution","title":"On-Write Static AI"},{"key":"data_files","title":"Documents, Scripts"}],"detectionType":"dynamic","engines":["Documents, Scripts","On-Write ABC"],"externalTicketExists":false,"externalTicketId":null,"failedActions":false,"fileExtension":"TXT","fileExtensionType":"Document","filePath":"test/path/user","fileSize":238592,"fileVerificationType":"NotSigned","identifiedAt":"2022-04-06T08:57:34.444000Z","incidentStatus":"unresolved","incidentStatusDescription":"Unresolved","initiatedBy":"agent_policy","initiatedByDescription":"Agent Policy","initiatingUserId":null,"initiatingUsername":null,"isFileless":false,"isValidCertificate":false,"maliciousProcessArguments":"test/path/user","md5":null,"mitigatedPreemptively":false,"mitigationStatus":"not_mitigated","mitigationStatusDescription":"Not mitigated","originatorProcess":"default.EXE","pendingActions":false,"processUser":"test_user","publisherName":"","reachedEventsLimit":false,"rebootRequired":false,"sha1":"aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d","sha256":null,"storyline":"7XXXXXXXXXDD5A41","threatId":"123456789","threatName":"Threats","updatedAt":"2022-04-06T08:57:37.672873Z"},"whiteningOptions":["hash","path","file_type"]}],"pagination":{"nextCursor":null,"totalItems":2}} 
diff --git a/packages/sentinel_one/changelog.yml b/packages/sentinel_one/changelog.yml 
index 86a49d43fef..cfd4f04a431 100644 
--- a/packages/sentinel_one/changelog.yml 
+++ b/packages/sentinel_one/changelog.yml 
@@ -1,4 +1,9 @@
 # newer versions go on top 
+- version: "1.24.0" 
+ changes: 
+ - description: Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template. 
+ type: enhancement 
+ link: https://github.com/elastic/integrations/pull/10135
 - version: "1.23.3"
 changes:
 - description: Fix sample event MAC address. 
diff --git a/packages/sentinel_one/data_stream/activity/fields/agent.yml b/packages/sentinel_one/data_stream/activity/fields/agent.yml 
index 6e1bac042bc..894e6f12be2 100644 
--- a/packages/sentinel_one/data_stream/activity/fields/agent.yml 
+++ b/packages/sentinel_one/data_stream/activity/fields/agent.yml 
@@ -5,162 +5,15 @@
 footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
 type: group
 fields: 
- - name: account.id 
- level: extended 
- type: keyword 
- ignore_above: 1024 
- description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' 
- example: 666777888999 
- - name: availability_zone 
- level: extended 
- type: keyword 
- ignore_above: 1024 
- description: Availability zone in which this host is running. 
- example: us-east-1c 
- - name: instance.id 
- level: extended 
- type: keyword 
- ignore_above: 1024 
- description: Instance ID of the host machine. 
- example: i-1234567890abcdef0 
- - name: instance.name 
- level: extended 
- type: keyword 
- ignore_above: 1024 
- description: Instance name of the host machine. 
- - name: machine.type 
- level: extended 
- type: keyword 
- ignore_above: 1024 
- description: Machine type of the host machine. 
- example: t2.medium 
- - name: provider 
- level: extended 
- type: keyword 
- ignore_above: 1024 
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. 
- example: aws 
- - name: region 
- level: extended 
- type: keyword 
- ignore_above: 1024 
- description: Region in which this host is running. 
- example: us-east-1 
- - name: project.id 
- type: keyword 
- description: Name of the project in Google Cloud.
 - name: image.id
 type: keyword
 description: Image ID for the cloud instance. 
-- name: container 
- title: Container 
- group: 2 
- description: 'Container fields are used for meta information about the specific container that is the source of information. 
These fields help correlate data based containers from any runtime.' 
- type: group 
- fields: 
- - name: id 
- level: core 
- type: keyword 
- ignore_above: 1024 
- description: Unique container id. 
- - name: image.name 
- level: extended 
- type: keyword 
- ignore_above: 1024 
- description: Name of the image the container was built on. 
- - name: labels 
- level: extended 
- type: object 
- object_type: keyword 
- description: Image labels. 
- - name: name 
- level: extended 
- type: keyword 
- ignore_above: 1024 
- description: Container name.
 - name: host
 title: Host
 group: 2
 description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
 type: group
 fields: 
- - name: architecture 
- level: core 
- type: keyword 
- ignore_above: 1024 
- description: Operating system architecture. 
- example: x86_64 
- - name: domain 
- level: extended 
- type: keyword 
- ignore_above: 1024 
- description: 'Name of the domain of which the host is a member. For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' 
- example: CONTOSO 
- default_field: false 
- - name: hostname 
- level: core 
- type: keyword 
- ignore_above: 1024 
- description: 'Hostname of the host. It normally contains what the `hostname` command returns on the host machine.' 
- - name: id 
- level: core 
- type: keyword 
- ignore_above: 1024 
- description: 'Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`.' 
- - name: ip 
- level: core 
- type: ip 
- description: Host ip addresses. 
- - name: mac 
- level: core 
- type: keyword 
- ignore_above: 1024 
- description: Host mac addresses. 
- - name: name 
- level: core 
- type: keyword 
- ignore_above: 1024 
- description: 'Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' 
- - name: os.family 
- level: extended 
- type: keyword 
- ignore_above: 1024 
- description: OS family (such as redhat, debian, freebsd, windows). 
- example: debian 
- - name: os.kernel 
- level: extended 
- type: keyword 
- ignore_above: 1024 
- description: Operating system kernel version as a raw string. 
- example: 4.4.0-112-generic 
- - name: os.name 
- level: extended 
- type: keyword 
- ignore_above: 1024 
- multi_fields: 
- - name: text 
- type: text 
- norms: false 
- default_field: false 
- description: Operating system name, without the version. 
- example: Mac OS X 
- - name: os.platform 
- level: extended 
- type: keyword 
- ignore_above: 1024 
- description: Operating system platform (such centos, ubuntu, windows). 
- example: darwin 
- - name: os.version 
- level: extended 
- type: keyword 
- ignore_above: 1024 
- description: Operating system version as a raw string. 
- example: 10.14.1 
- - name: type 
- level: core 
- type: keyword 
- ignore_above: 1024 
- description: 'Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
 - name: containerized
 type: boolean
 description: > 
diff --git a/packages/sentinel_one/data_stream/activity/fields/ecs.yml b/packages/sentinel_one/data_stream/activity/fields/ecs.yml 
deleted file mode 100644 
index bf0722a2f69..00000000000 
--- a/packages/sentinel_one/data_stream/activity/fields/ecs.yml 
+++ /dev/null 
@@ -1,60 +0,0 @@ 
-- external: ecs 
- name: ecs.version 
-- external: ecs 
- name: event.category 
-- external: ecs 
- name: event.created 
-- external: ecs 
- name: event.kind 
-- external: ecs 
- name: event.original 
-- external: ecs 
- name: event.type 
-- external: ecs 
- name: file.hash.sha1 
-- external: ecs 
- name: file.name 
-- external: ecs 
- name: file.path 
-- external: ecs 
- name: host.geo.city_name 
-- external: ecs 
- name: host.geo.continent_name 
-- external: ecs 
- name: host.geo.country_iso_code 
-- external: ecs 
- name: host.geo.country_name 
-- external: ecs 
- name: host.geo.location 
-- external: ecs 
- name: host.geo.region_iso_code 
-- external: ecs 
- name: host.geo.region_name 
-- external: ecs 
- name: message 
-- external: ecs 
- name: observer.version 
-- external: ecs 
- name: observer.os.family 
-- external: ecs 
- name: process.hash.sha1 
-- external: ecs 
- name: related.hash 
-- external: ecs 
- name: related.hosts 
-- external: ecs 
- name: related.ip 
-- external: ecs 
- name: related.user 
-- external: ecs 
- name: tags 
-- external: ecs 
- name: user.email 
-- external: ecs 
- name: user.full_name 
-- external: ecs 
- name: user.group.id 
-- external: ecs 
- name: user.group.name 
-- external: ecs 
- name: user.id 
diff --git a/packages/sentinel_one/data_stream/agent/fields/agent.yml b/packages/sentinel_one/data_stream/agent/fields/agent.yml 
index 6e1bac042bc..894e6f12be2 100644 
--- a/packages/sentinel_one/data_stream/agent/fields/agent.yml 
+++ b/packages/sentinel_one/data_stream/agent/fields/agent.yml 
@@ -5,162 +5,15 @@
 footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
 type: group
 fields: 
- - name: account.id 
- level: extended 
- type: keyword 
- ignore_above: 1024 
- description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' 
- example: 666777888999 
- - name: availability_zone 
- level: extended 
- type: keyword 
- ignore_above: 1024 
- description: Availability zone in which this host is running. 
- example: us-east-1c 
- - name: instance.id 
- level: extended 
- type: keyword 
- ignore_above: 1024 
- description: Instance ID of the host machine. 
- example: i-1234567890abcdef0 
- - name: instance.name 
- level: extended 
- type: keyword 
- ignore_above: 1024 
- description: Instance name of the host machine. 
- - name: machine.type 
- level: extended 
- type: keyword 
- ignore_above: 1024 
- description: Machine type of the host machine. 
- example: t2.medium 
- - name: provider 
- level: extended 
- type: keyword 
- ignore_above: 1024 
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. 
- example: aws 
- - name: region 
- level: extended 
- type: keyword 
- ignore_above: 1024 
- description: Region in which this host is running. 
- example: us-east-1 
- - name: project.id 
- type: keyword 
- description: Name of the project in Google Cloud.
 - name: image.id
 type: keyword
 description: Image ID for the cloud instance. 
-- name: container 
- title: Container 
- group: 2 
- description: 'Container fields are used for meta information about the specific container that is the source of information. 
These fields help correlate data based containers from any runtime.' 
- type: group 
- fields: 
- - name: id 
- level: core 
- type: keyword 
- ignore_above: 1024 
- description: Unique container id. 
- - name: image.name 
- level: extended 
- type: keyword 
- ignore_above: 1024 
- description: Name of the image the container was built on. 
- - name: labels 
- level: extended 
- type: object 
- object_type: keyword 
- description: Image labels. 
- - name: name 
- level: extended 
- type: keyword 
- ignore_above: 1024 
- description: Container name.
 - name: host
 title: Host
 group: 2
 description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
 type: group
 fields: 
- - name: architecture 
- level: core 
- type: keyword 
- ignore_above: 1024 
- description: Operating system architecture. 
- example: x86_64 
- - name: domain 
- level: extended 
- type: keyword 
- ignore_above: 1024 
- description: 'Name of the domain of which the host is a member. For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' 
- example: CONTOSO 
- default_field: false 
- - name: hostname 
- level: core 
- type: keyword 
- ignore_above: 1024 
- description: 'Hostname of the host. It normally contains what the `hostname` command returns on the host machine.' 
- - name: id 
- level: core 
- type: keyword 
- ignore_above: 1024 
- description: 'Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`.' 
- - name: ip 
- level: core 
- type: ip 
- description: Host ip addresses. 
- - name: mac 
- level: core 
- type: keyword 
- ignore_above: 1024 
- description: Host mac addresses. 
- - name: name 
- level: core 
- type: keyword 
- ignore_above: 1024 
- description: 'Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' 
- - name: os.family 
- level: extended 
- type: keyword 
- ignore_above: 1024 
- description: OS family (such as redhat, debian, freebsd, windows). 
- example: debian 
- - name: os.kernel 
- level: extended 
- type: keyword 
- ignore_above: 1024 
- description: Operating system kernel version as a raw string. 
- example: 4.4.0-112-generic 
- - name: os.name 
- level: extended 
- type: keyword 
- ignore_above: 1024 
- multi_fields: 
- - name: text 
- type: text 
- norms: false 
- default_field: false 
- description: Operating system name, without the version. 
- example: Mac OS X 
- - name: os.platform 
- level: extended 
- type: keyword 
- ignore_above: 1024 
- description: Operating system platform (such centos, ubuntu, windows). 
- example: darwin 
- - name: os.version 
- level: extended 
- type: keyword 
- ignore_above: 1024 
- description: Operating system version as a raw string. 
- example: 10.14.1 
- - name: type 
- level: core 
- type: keyword 
- ignore_above: 1024 
- description: 'Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
 - name: containerized
 type: boolean
 description: > 
diff --git a/packages/sentinel_one/data_stream/agent/fields/ecs.yml b/packages/sentinel_one/data_stream/agent/fields/ecs.yml 
deleted file mode 100644 
index eea36baf80e..00000000000 
--- a/packages/sentinel_one/data_stream/agent/fields/ecs.yml 
+++ /dev/null 
@@ -1,44 +0,0 @@ 
-- external: ecs 
- name: ecs.version 
-- external: ecs 
- name: event.category 
-- external: ecs 
- name: event.created 
-- external: ecs 
- name: event.kind 
-- external: ecs 
- name: event.original 
-- external: ecs 
- name: event.type 
-- external: ecs 
- name: group.id 
-- external: ecs 
- name: group.name 
-- external: ecs 
- name: host.geo.city_name 
-- external: ecs 
- name: host.geo.continent_name 
-- external: ecs 
- name: host.geo.country_iso_code 
-- external: ecs 
- name: host.geo.country_name 
-- external: ecs 
- name: host.geo.location 
-- external: ecs 
- name: host.geo.region_iso_code 
-- external: ecs 
- name: host.geo.region_name 
-- external: ecs 
- name: host.os.type 
-- external: ecs 
- name: observer.version 
-- external: ecs 
- name: related.ip 
-- external: ecs 
- name: related.hosts 
-- external: ecs 
- name: related.user 
-- external: ecs 
- name: tags 
-- external: ecs 
- name: user.name 
diff --git a/packages/sentinel_one/data_stream/alert/fields/agent.yml b/packages/sentinel_one/data_stream/alert/fields/agent.yml 
index 6e1bac042bc..894e6f12be2 100644 
--- a/packages/sentinel_one/data_stream/alert/fields/agent.yml 
+++ b/packages/sentinel_one/data_stream/alert/fields/agent.yml 
@@ -5,162 +5,15 @@
 footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
 type: group
 fields: 
- - name: account.id 
- level: extended 
- type: keyword 
- ignore_above: 1024 
- description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' 
- example: 666777888999 
- - name: availability_zone 
- level: extended 
- type: keyword 
- ignore_above: 1024 
- description: Availability zone in which this host is running. 
- example: us-east-1c 
- - name: instance.id 
- level: extended 
- type: keyword 
- ignore_above: 1024 
- description: Instance ID of the host machine. 
- example: i-1234567890abcdef0 
- - name: instance.name 
- level: extended 
- type: keyword 
- ignore_above: 1024 
- description: Instance name of the host machine. 
- - name: machine.type 
- level: extended 
- type: keyword 
- ignore_above: 1024 
- description: Machine type of the host machine. 
- example: t2.medium 
- - name: provider 
- level: extended 
- type: keyword 
- ignore_above: 1024 
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. 
- example: aws 
- - name: region 
- level: extended 
- type: keyword 
- ignore_above: 1024 
- description: Region in which this host is running. 
- example: us-east-1 
- - name: project.id 
- type: keyword 
- description: Name of the project in Google Cloud.
 - name: image.id
 type: keyword
 description: Image ID for the cloud instance. 
-- name: container 
- title: Container 
- group: 2 
- description: 'Container fields are used for meta information about the specific container that is the source of information. 
These fields help correlate data based containers from any runtime.' 
- type: group 
- fields: 
- - name: id 
- level: core 
- type: keyword 
- ignore_above: 1024 
- description: Unique container id. 
- - name: image.name 
- level: extended 
- type: keyword 
- ignore_above: 1024 
- description: Name of the image the container was built on. 
- - name: labels 
- level: extended 
- type: object 
- object_type: keyword 
- description: Image labels. 
- - name: name 
- level: extended 
- type: keyword 
- ignore_above: 1024 
- description: Container name.
 - name: host
 title: Host
 group: 2
 description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
 type: group
 fields: 
- - name: architecture 
- level: core 
- type: keyword 
- ignore_above: 1024 
- description: Operating system architecture. 
- example: x86_64 
- - name: domain 
- level: extended 
- type: keyword 
- ignore_above: 1024 
- description: 'Name of the domain of which the host is a member. For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' 
- example: CONTOSO 
- default_field: false 
- - name: hostname 
- level: core 
- type: keyword 
- ignore_above: 1024 
- description: 'Hostname of the host. It normally contains what the `hostname` command returns on the host machine.' 
- - name: id 
- level: core 
- type: keyword 
- ignore_above: 1024 
- description: 'Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`.' 
- - name: ip 
- level: core 
- type: ip 
- description: Host ip addresses. 
- - name: mac 
- level: core 
- type: keyword 
- ignore_above: 1024 
- description: Host mac addresses. 
- - name: name 
- level: core 
- type: keyword 
- ignore_above: 1024 
- description: 'Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' 
- - name: os.family 
- level: extended 
- type: keyword 
- ignore_above: 1024 
- description: OS family (such as redhat, debian, freebsd, windows). 
- example: debian 
- - name: os.kernel 
- level: extended 
- type: keyword 
- ignore_above: 1024 
- description: Operating system kernel version as a raw string. 
- example: 4.4.0-112-generic 
- - name: os.name 
- level: extended 
- type: keyword 
- ignore_above: 1024 
- multi_fields: 
- - name: text 
- type: text 
- norms: false 
- default_field: false 
- description: Operating system name, without the version. 
- example: Mac OS X 
- - name: os.platform 
- level: extended 
- type: keyword 
- ignore_above: 1024 
- description: Operating system platform (such centos, ubuntu, windows). 
- example: darwin 
- - name: os.version 
- level: extended 
- type: keyword 
- ignore_above: 1024 
- description: Operating system version as a raw string. 
- example: 10.14.1 
- - name: type 
- level: core 
- type: keyword 
- ignore_above: 1024 
- description: 'Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
 - name: containerized
 type: boolean
 description: > 
diff --git a/packages/sentinel_one/data_stream/alert/fields/ecs.yml b/packages/sentinel_one/data_stream/alert/fields/ecs.yml 
deleted file mode 100644 
index 65edf4c29e3..00000000000 
--- a/packages/sentinel_one/data_stream/alert/fields/ecs.yml 
+++ /dev/null 
@@ -1,116 +0,0 @@ -- external: ecs - name: destination.ip -- external: ecs - name: destination.port -- external: ecs - name: dll.hash.sha1 -- external: ecs - name: dll.path -- external: ecs - name: dns.question.name -- external: ecs - name: ecs.version -- external: ecs - name: event.category -- external: ecs - name: event.created -- external: ecs - name: event.id -- external: ecs - name: event.kind -- external: ecs - name: event.original -- external: ecs - name: event.type -- external: ecs - name: file.created -- external: ecs - name: file.mtime -- external: ecs - name: network.direction -- external: ecs - name: observer.serial_number -- external: ecs - name: observer.version -- external: ecs - name: orchestrator.cluster.name -- external: ecs - name: orchestrator.namespace -- external: ecs - name: observer.os.name -- external: ecs - name: process.code_signature.signing_id -- external: ecs - name: process.command_line -- external: ecs - name: process.entity_id -- external: ecs - name: process.executable -- external: ecs - name: process.hash.md5 -- external: ecs - name: process.hash.sha1 -- external: ecs - name: process.hash.sha256 -- external: ecs - name: process.name -- external: ecs - name: process.parent.code_signature.signing_id -- external: ecs - name: process.parent.command_line -- external: ecs - name: process.parent.entity_id -- external: ecs - name: process.parent.executable -- external: ecs - name: process.parent.hash.md5 -- external: ecs - name: process.parent.hash.sha1 -- external: ecs - name: process.parent.hash.sha256 -- external: ecs - name: process.parent.name -- external: ecs - name: process.parent.pid -- external: ecs - name: process.parent.start -- external: ecs - name: process.parent.user.name -- external: ecs - name: process.pid -- external: ecs - name: process.start -- external: ecs - name: process.user.name -- external: ecs - name: registry.key -- external: ecs - name: registry.path -- external: ecs - name: registry.value -- external: ecs - 
name: related.hash -- external: ecs - name: related.hosts -- external: ecs - name: related.ip -- external: ecs - name: related.user -- external: ecs - name: rule.category -- external: ecs - name: rule.description -- external: ecs - name: rule.id -- external: ecs - name: rule.name -- external: ecs - name: source.ip -- external: ecs - name: source.port -- external: ecs - name: tags -- external: ecs - name: user.domain -- external: ecs - name: user.name diff --git a/packages/sentinel_one/data_stream/group/fields/agent.yml b/packages/sentinel_one/data_stream/group/fields/agent.yml index 6e1bac042bc..894e6f12be2 100644 --- a/packages/sentinel_one/data_stream/group/fields/agent.yml +++ b/packages/sentinel_one/data_stream/group/fields/agent.yml 
@@ -5,162 +5,15 @@ footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' type: group fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - name: image.id type: keyword description: Image ID for the cloud instance. -- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. 
These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. - name: host title: Host group: 2 description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' type: group fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. 
- - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - name: containerized type: boolean description: > diff --git a/packages/sentinel_one/data_stream/group/fields/ecs.yml b/packages/sentinel_one/data_stream/group/fields/ecs.yml deleted file mode 100644 index 938c61044f1..00000000000 --- a/packages/sentinel_one/data_stream/group/fields/ecs.yml +++ /dev/null 
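Review bot: Removing the explicit `type: ip` and `type: geo_point` definitions (the deleted `host.ip`, `host.geo.*` and the rest of the `host.*`/`cloud.*` block between `fields:` and the retained `- name: containerized`) means the group data stream now relies on the stack's `ecs@mappings` component template to assign those types; on a stack without that template, dynamic mapping would index `host.ip` as `keyword`/`text`, and CIDR or IP-range queries in detection rules would silently stop matching. The sentinel_one `manifest.yml` is not in this chunk, so I cannot confirm that its `kibana.version` constraint was raised to a release that ships `ecs@mappings`; please verify that, or keep `- external: ecs` entries for the `ip` and `geo_point` fields in this file. The entries kept as context (`cloud.image.id`, `host.containerized`) are non-ECS and correctly remain explicit. The same consideration applies to the identical hunk in `threat/fields/agent.yml` further down.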
@@ -1,24 +0,0 @@ -- external: ecs - name: ecs.version -- external: ecs - name: event.category -- external: ecs - name: event.created -- external: ecs - name: event.kind -- external: ecs - name: event.original -- external: ecs - name: event.type -- external: ecs - name: group.id -- external: ecs - name: group.name -- external: ecs - name: related.user -- external: ecs - name: tags -- external: ecs - name: user.full_name -- external: ecs - name: user.id diff --git a/packages/sentinel_one/data_stream/threat/fields/agent.yml b/packages/sentinel_one/data_stream/threat/fields/agent.yml index 6e1bac042bc..894e6f12be2 100644 --- a/packages/sentinel_one/data_stream/threat/fields/agent.yml +++ b/packages/sentinel_one/data_stream/threat/fields/agent.yml 
@@ -5,162 +5,15 @@ footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' type: group fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - name: image.id type: keyword description: Image ID for the cloud instance. -- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. 
These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. - name: host title: Host group: 2 description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' type: group fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. 
- - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - name: containerized type: boolean description: > diff --git a/packages/sentinel_one/data_stream/threat/fields/ecs.yml b/packages/sentinel_one/data_stream/threat/fields/ecs.yml deleted file mode 100644 index 97b9f837d5f..00000000000 --- a/packages/sentinel_one/data_stream/threat/fields/ecs.yml +++ /dev/null 
@@ -1,72 +0,0 @@ -- external: ecs - name: ecs.version -- external: ecs - name: event.id -- external: ecs - name: event.category -- external: ecs - name: event.created -- external: ecs - name: event.kind -- external: ecs - name: event.original -- external: ecs - name: event.type -- external: ecs - name: host.geo.city_name -- external: ecs - name: host.geo.continent_name -- external: ecs - name: host.geo.country_iso_code -- external: ecs - name: host.geo.country_name -- external: ecs - name: host.geo.location -- external: ecs - name: host.geo.region_iso_code -- external: ecs - name: host.geo.region_name -- external: ecs - name: host.os.type -- external: ecs - name: message -- external: ecs - name: observer.version -- external: ecs - name: process.name -- external: ecs - name: related.hash -- external: ecs - name: related.hosts -- external: ecs - name: related.ip -- external: ecs - name: related.user -- external: ecs - name: tags -- external: ecs - name: threat.framework -- external: ecs - name: threat.indicator.file.extension -- external: ecs - name: threat.indicator.file.hash.md5 -- external: ecs - name: threat.indicator.file.hash.sha1 -- external: ecs - name: threat.indicator.file.hash.sha256 -- external: ecs - name: threat.indicator.file.path -- external: ecs - name: threat.indicator.file.size -- external: ecs - name: threat.tactic.id -- external: ecs - name: threat.tactic.name -- external: ecs - name: threat.technique.id -- external: ecs - name: threat.technique.reference -- external: ecs - name: user.email -- external: ecs - name: user.name diff --git a/packages/sentinel_one/docs/README.md b/packages/sentinel_one/docs/README.md index f79898ca8cf..b62df0cb6ab 100644 --- a/packages/sentinel_one/docs/README.md +++ b/packages/sentinel_one/docs/README.md 
@@ -119,69 +119,18 @@ An example event for `activity` looks as following: | Field | Description | Type | |---|---|---| | @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | | cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | | data_stream.dataset | Data stream dataset. | constant_keyword | | data_stream.namespace | Data stream namespace. | constant_keyword | | data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. 
For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date | | event.dataset | Event dataset. | constant_keyword | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword | | event.module | Event module. | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. 
If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| file.hash.sha1 | SHA1 hash. | keyword | -| file.name | Name of the file including the extension, without the directory. | keyword | -| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword | -| file.path.text | Multi-field of `file.path`. | match_only_text | -| host.architecture | Operating system architecture. | keyword | | host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.geo.city_name | City name. | keyword | -| host.geo.continent_name | Name of the continent. | keyword | -| host.geo.country_iso_code | Country ISO code. | keyword | -| host.geo.country_name | Country name. | keyword | -| host.geo.location | Longitude and latitude. | geo_point | -| host.geo.region_iso_code | Region ISO code. | keyword | -| host.geo.region_name | Region name. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. 
| keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | host.os.build | OS build information. | keyword | | host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | input.type | Input type | keyword | | log.offset | Log offset | long | | log.source.address | Source address from which the log event was read / sent from. | keyword | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| observer.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| observer.version | Observer version. | keyword | -| process.hash.sha1 | SHA1 hash. | keyword | -| related.hash | All the hashes seen on your event. 
Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| related.user | All the user names or other user identifiers seen on the event. | keyword | | sentinel_one.activity.account.id | Related account ID (if applicable). | keyword | | sentinel_one.activity.account.name | Related account name (if applicable). | keyword | | sentinel_one.activity.agent.id | Related agent (if applicable). | keyword | @@ -232,13 +181,6 @@ An example event for `activity` looks as following: | sentinel_one.activity.threat.id | Related threat ID (if applicable). | keyword | | sentinel_one.activity.type | Activity type. | long | | sentinel_one.activity.updated_at | Activity last updated time (UTC). | date | -| tags | List of keywords used to tag each event. | keyword | -| user.email | User email address. | keyword | -| user.full_name | User's full name, if available. | keyword | -| user.full_name.text | Multi-field of `user.full_name`. | match_only_text | -| user.group.id | Unique identifier for the group on the system/platform. | keyword | -| user.group.name | Name of the group. | keyword | -| user.id | Unique identifier of the user. | keyword | ### agent 
@@ -453,63 +395,17 @@ An example event for `agent` looks as following: | Field | Description | Type | |---|---|---| | @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | | cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | | data_stream.dataset | Data stream dataset. | constant_keyword | | data_stream.namespace | Data stream namespace. | constant_keyword | | data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. 
For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date | | event.dataset | Event dataset. | constant_keyword | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword | | event.module | Event module. | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. 
If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| group.id | Unique identifier for the group on the system/platform. | keyword | -| group.name | Name of the group. | keyword | -| host.architecture | Operating system architecture. | keyword | | host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.geo.city_name | City name. | keyword | -| host.geo.continent_name | Name of the continent. | keyword | -| host.geo.country_iso_code | Country ISO code. | keyword | -| host.geo.country_name | Country name. | keyword | -| host.geo.location | Longitude and latitude. | geo_point | -| host.geo.region_iso_code | Region ISO code. | keyword | -| host.geo.region_name | Region name. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. 
It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | host.os.build | OS build information. | keyword | | host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. If the OS you're dealing with is not listed as an expected value, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | input.type | Input type | keyword | | log.offset | Log offset | long | -| observer.version | Observer version. | keyword | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| related.user | All the user names or other user identifiers seen on the event. | keyword | | sentinel_one.agent.account.id | A reference to the containing account. | keyword | | sentinel_one.agent.account.name | Name of the containing account. | keyword | | sentinel_one.agent.active_directory.computer.member_of | Computer member of. | keyword | 
@@ -593,9 +489,6 @@ An example event for `agent` looks as following:
 | sentinel_one.agent.total_memory | Memory size (MB). | long |
 | sentinel_one.agent.user_action_needed | A list of pending user actions. | keyword |
 | sentinel_one.agent.uuid | Agent's universally unique identifier. | keyword |
-| tags | List of keywords used to tag each event. | keyword |
-| user.name | Short name or login of the user. | keyword |
-| user.name.text | Multi-field of `user.name`. | match_only_text |
 ### alert
@@ -886,106 +779,18 @@ An example event for `alert` looks as following:
 | Field | Description | Type |
 |---|---|---|
 | @timestamp | Event timestamp. | date |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
 | cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
 | data_stream.dataset | Data stream dataset. | constant_keyword |
 | data_stream.namespace | Data stream namespace. | constant_keyword |
 | data_stream.type | Data stream type. | constant_keyword |
-| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
-| destination.port | Port of the destination. | long |
-| dll.hash.sha1 | SHA1 hash. | keyword |
-| dll.path | Full file path of the library. | keyword |
-| dns.question.name | The name being queried. If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively.
| keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date |
 | event.dataset | Event dataset. | constant_keyword |
-| event.id | Unique ID to describe the event. | keyword |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled.
They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword |
 | event.module | Event module. | constant_keyword |
-| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| file.created | File creation time. Note that not all filesystems store the creation time. | date |
-| file.mtime | Last time the file content was modified. | date |
-| host.architecture | Operating system architecture. | keyword |
 | host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses.
| ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
 | host.os.build | OS build information. | keyword |
 | host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
 | input.type | Input type | keyword |
 | log.offset | Log offset | long |
 | log.source.address | Source address from which the log event was read / sent from. | keyword |
-| network.direction | Direction of the network traffic. When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers.
| keyword |
-| observer.os.name | Operating system name, without the version. | keyword |
-| observer.os.name.text | Multi-field of `observer.os.name`. | match_only_text |
-| observer.serial_number | Observer serial number. | keyword |
-| observer.version | Observer version. | keyword |
-| orchestrator.cluster.name | Name of the cluster. | keyword |
-| orchestrator.namespace | Namespace in which the action is taking place. | keyword |
-| process.code_signature.signing_id | The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple \*OS only. | keyword |
-| process.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard |
-| process.command_line.text | Multi-field of `process.command_line`. | match_only_text |
-| process.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword |
-| process.executable | Absolute path to the process executable. | keyword |
-| process.executable.text | Multi-field of `process.executable`. | match_only_text |
-| process.hash.md5 | MD5 hash. | keyword |
-| process.hash.sha1 | SHA1 hash. | keyword |
-| process.hash.sha256 | SHA256 hash. | keyword |
-| process.name | Process name. Sometimes called program name or similar. | keyword |
-| process.name.text | Multi-field of `process.name`. | match_only_text |
-| process.parent.code_signature.signing_id | The identifier used to sign the process.
This is used to identify the application manufactured by a software vendor. The field is relevant to Apple \*OS only. | keyword |
-| process.parent.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard |
-| process.parent.command_line.text | Multi-field of `process.parent.command_line`. | match_only_text |
-| process.parent.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword |
-| process.parent.executable | Absolute path to the process executable. | keyword |
-| process.parent.executable.text | Multi-field of `process.parent.executable`. | match_only_text |
-| process.parent.hash.md5 | MD5 hash. | keyword |
-| process.parent.hash.sha1 | SHA1 hash. | keyword |
-| process.parent.hash.sha256 | SHA256 hash. | keyword |
-| process.parent.name | Process name. Sometimes called program name or similar. | keyword |
-| process.parent.name.text | Multi-field of `process.parent.name`. | match_only_text |
-| process.parent.pid | Process id. | long |
-| process.parent.start | The time the process started. | date |
-| process.parent.user.name | Short name or login of the user. | keyword |
-| process.parent.user.name.text | Multi-field of `process.parent.user.name`. | match_only_text |
-| process.pid | Process id. | long |
-| process.start | The time the process started. | date |
-| process.user.name | Short name or login of the user. | keyword |
-| process.user.name.text | Multi-field of `process.user.name`.
| match_only_text |
-| registry.key | Hive-relative path of keys. | keyword |
-| registry.path | Full path, including hive, key and value | keyword |
-| registry.value | Name of the value written. | keyword |
-| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword |
-| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| related.user | All the user names or other user identifiers seen on the event. | keyword |
-| rule.category | A categorization value keyword used by the entity using the rule for detection of this event. | keyword |
-| rule.description | The description of the rule generating the event. | keyword |
-| rule.id | A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. | keyword |
-| rule.name | The name of the rule or signature generating the event. | keyword |
 | sentinel_one.alert.agent.site_id | Site id. | keyword |
 | sentinel_one.alert.analyst_verdict | Analyst verdict. | keyword |
 | sentinel_one.alert.container.info.labels | Container info labels. | keyword |
@@ -1041,12 +846,6 @@ An example event for `alert` looks as following:
 | sentinel_one.alert.target.process.proc.storyline_id | Target Process StoryLine ID. | keyword |
 | sentinel_one.alert.target.process.proc.uid | Target Process Unique ID. | keyword |
 | sentinel_one.alert.target.process.start_time | Target Process Start Time. | date |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.port | Port of the source. | long |
-| tags | List of keywords used to tag each event. | keyword |
-| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
-| user.name | Short name or login of the user. | keyword |
-| user.name.text | Multi-field of `user.name`. | match_only_text |
 ### group
@@ -1138,53 +937,18 @@ An example event for `group` looks as following:
 | Field | Description | Type |
 |---|---|---|
 | @timestamp | Event timestamp. | date |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
 | cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
 | data_stream.dataset | Data stream dataset. | constant_keyword |
 | data_stream.namespace | Data stream namespace. | constant_keyword |
 | data_stream.type | Data stream type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories.
For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date |
 | event.dataset | Event dataset. | constant_keyword |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword |
 | event.module | Event module. | constant_keyword |
-| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`.
If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| group.id | Unique identifier for the group on the system/platform. | keyword |
-| group.name | Name of the group. | keyword |
-| host.architecture | Operating system architecture. | keyword |
 | host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
 | host.os.build | OS build information. | keyword |
 | host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version.
| keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
 | input.type | Input type | keyword |
 | log.offset | Log offset | long |
 | log.source.address | Source address from which the log event was read / sent from. | keyword |
-| related.user | All the user names or other user identifiers seen on the event. | keyword |
 | sentinel_one.group.agent.count | | long |
 | sentinel_one.group.created_at | | date |
 | sentinel_one.group.creator.id | | keyword |
@@ -1196,10 +960,6 @@ An example event for `group` looks as following:
 | sentinel_one.group.registration_token | | keyword |
 | sentinel_one.group.site.id | | keyword |
 | sentinel_one.group.type | | keyword |
-| tags | List of keywords used to tag each event. | keyword |
-| user.full_name | User's full name, if available. | keyword |
-| user.full_name.text | Multi-field of `user.full_name`. | match_only_text |
-| user.id | Unique identifier of the user. | keyword |
 ### threat
@@ -1490,66 +1250,17 @@ An example event for `threat` looks as following:
 | Field | Description | Type |
 |---|---|---|
 | @timestamp | Event timestamp. | date |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
 | cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
 | data_stream.dataset | Data stream dataset. | constant_keyword |
 | data_stream.namespace | Data stream namespace. | constant_keyword |
 | data_stream.type | Data stream type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories.
For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date |
 | event.dataset | Event dataset. | constant_keyword |
-| event.id | Unique ID to describe the event. | keyword |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword |
 | event.module | Event module. | constant_keyword |
-| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled.
It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| host.architecture | Operating system architecture. | keyword |
 | host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.geo.city_name | City name. | keyword |
-| host.geo.continent_name | Name of the continent. | keyword |
-| host.geo.country_iso_code | Country ISO code. | keyword |
-| host.geo.country_name | Country name. | keyword |
-| host.geo.location | Longitude and latitude. | geo_point |
-| host.geo.region_iso_code | Region ISO code. | keyword |
-| host.geo.region_name | Region name. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.
| keyword |
 | host.os.build | OS build information. | keyword |
 | host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. If the OS you're dealing with is not listed as an expected value, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
 | input.type | Input type | keyword |
 | log.offset | Log offset | long |
-| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text |
-| observer.version | Observer version. | keyword |
-| process.name | Process name. Sometimes called program name or similar. | keyword |
-| process.name.text | Multi-field of `process.name`. | match_only_text |
-| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search).
| keyword |
-| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| related.user | All the user names or other user identifiers seen on the event. | keyword |
 | sentinel_one.threat.agent.account.id | Account id. | keyword |
 | sentinel_one.threat.agent.account.name | Account name. | keyword |
 | sentinel_one.threat.agent.active_threats | Active threats. | long |
@@ -1668,19 +1379,3 @@ An example event for `threat` looks as following:
| sentinel_one.threat.storyline | Storyline identifier from agent. | keyword |
| sentinel_one.threat.threat_id | Threat id. | keyword |
| sentinel_one.threat.whitening_option | Whitening options. | keyword |
-| tags | List of keywords used to tag each event. | keyword |
-| threat.framework | Name of the threat framework used to further categorize and classify the tactic and technique of the reported threat. Framework classification can be provided by detecting systems, evaluated at ingest time, or retrospectively tagged to events. | keyword |
-| threat.indicator.file.extension | File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword |
-| threat.indicator.file.hash.md5 | MD5 hash. | keyword |
-| threat.indicator.file.hash.sha1 | SHA1 hash. | keyword |
-| threat.indicator.file.hash.sha256 | SHA256 hash. | keyword |
-| threat.indicator.file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword |
-| threat.indicator.file.path.text | Multi-field of `threat.indicator.file.path`. | match_only_text |
-| threat.indicator.file.size | File size in bytes. Only relevant when `file.type` is "file". | long |
-| threat.tactic.id | The id of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ ) | keyword |
-| threat.tactic.name | Name of the type of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/) | keyword |
-| threat.technique.id | The id of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) | keyword |
-| threat.technique.reference | The reference url of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) | keyword |
-| user.email | User email address. | keyword |
-| user.name | Short name or login of the user. | keyword |
-| user.name.text | Multi-field of `user.name`. | match_only_text |
diff --git a/packages/sentinel_one/manifest.yml b/packages/sentinel_one/manifest.yml
index 07a356cddb0..103a8cb2d8c 100644
--- a/packages/sentinel_one/manifest.yml
+++ b/packages/sentinel_one/manifest.yml
@@ -1,7 +1,7 @@
format_version: "3.0.2"
name: sentinel_one
title: SentinelOne
-version: "1.23.3"
+version: "1.24.0"
description: Collect logs from SentinelOne with Elastic Agent.
type: integration
categories:
@@ -9,7 +9,7 @@ categories:
- edr_xdr
conditions:
kibana:
- version: ^8.12.0
+ version: "^8.13.0"
screenshots:
- src: /img/sentinel-one-screenshot.png
title: SentinelOne Threat Dashboard Screenshot
diff --git a/packages/sentinel_one_cloud_funnel/changelog.yml b/packages/sentinel_one_cloud_funnel/changelog.yml
index 8155861042b..ac5ef5e71c2 100644
--- a/packages/sentinel_one_cloud_funnel/changelog.yml
+++ b/packages/sentinel_one_cloud_funnel/changelog.yml
@@ -1,4 +1,9 @@
# newer versions go on top
+- version: "1.2.0"
+ changes:
+ - description: Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/10135
- version: "1.1.0"
changes:
- description: Improve `dns fields` to process `dns.answers.type` and `dns.questions.type`.
diff --git a/packages/sentinel_one_cloud_funnel/data_stream/event/fields/beats.yml b/packages/sentinel_one_cloud_funnel/data_stream/event/fields/beats.yml
index 0657078efcf..b9a19f1aa20 100644
--- a/packages/sentinel_one_cloud_funnel/data_stream/event/fields/beats.yml
+++ b/packages/sentinel_one_cloud_funnel/data_stream/event/fields/beats.yml
@@ -4,9 +4,6 @@
- name: log.offset
type: long
description: Log offset.
-- name: tags
- type: keyword
- description: User defined tags.
- name: aws.s3
type: group
fields:
diff --git a/packages/sentinel_one_cloud_funnel/docs/README.md b/packages/sentinel_one_cloud_funnel/docs/README.md
index addd1fe62b9..74ed92a1074 100644
--- a/packages/sentinel_one_cloud_funnel/docs/README.md
+++ b/packages/sentinel_one_cloud_funnel/docs/README.md
@@ -887,6 +887,5 @@ An example event for `event` looks as following:
| sentinel_one_cloud_funnel.event.url.action | URL action of process. | keyword |
| sentinel_one_cloud_funnel.event.url.address | Complete URL. | keyword |
| sentinel_one_cloud_funnel.event.url.source | | keyword |
-| tags | User defined tags. | keyword |
diff --git a/packages/sentinel_one_cloud_funnel/manifest.yml b/packages/sentinel_one_cloud_funnel/manifest.yml
index 149576b63dd..256d4fa2631 100644
--- a/packages/sentinel_one_cloud_funnel/manifest.yml
+++ b/packages/sentinel_one_cloud_funnel/manifest.yml
@@ -1,7 +1,7 @@
format_version: "3.0.2"
name: sentinel_one_cloud_funnel
title: SentinelOne Cloud Funnel
-version: "1.1.0"
+version: "1.2.0"
description: Collect logs from SentinelOne Cloud Funnel with Elastic Agent.
type: integration
categories: ["security", "edr_xdr"]
diff --git a/packages/slack/changelog.yml b/packages/slack/changelog.yml
index 5638392b362..b8a54edc9bb 100644
--- a/packages/slack/changelog.yml
+++ b/packages/slack/changelog.yml
@@ -1,4 +1,9 @@
# newer versions go on top
+- version: "1.21.0"
+ changes:
+ - description: Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/10135
- version: "1.20.0"
changes:
- description: Improve handling of empty responses.
diff --git a/packages/slack/data_stream/audit/fields/agent.yml b/packages/slack/data_stream/audit/fields/agent.yml
index bca66ea4ae0..4b15225a4d4 100644
--- a/packages/slack/data_stream/audit/fields/agent.yml
+++ b/packages/slack/data_stream/audit/fields/agent.yml
@@ -1,56 +1,6 @@
-- name: cloud.account.id
- external: ecs
-- name: cloud.availability_zone
- external: ecs
-- name: cloud.instance.id
- external: ecs
-- name: cloud.instance.name
- external: ecs
-- name: cloud.machine.type
- external: ecs
-- name: cloud.provider
- external: ecs
-- name: cloud.region
- external: ecs
-- name: cloud.project.id
- external: ecs
- name: cloud.image.id
type: keyword
description: Image ID for the cloud instance.
-- name: container.id
- external: ecs
-- name: container.image.name
- external: ecs
-- name: container.labels
- external: ecs
-- name: container.name
- external: ecs
-- name: host.architecture
- external: ecs
-- name: host.domain
- external: ecs
-- name: host.hostname
- external: ecs
-- name: host.id
- external: ecs
-- name: host.ip
- external: ecs
-- name: host.mac
- external: ecs
-- name: host.name
- external: ecs
-- name: host.os.family
- external: ecs
-- name: host.os.kernel
- external: ecs
-- name: host.os.name
- external: ecs
-- name: host.os.platform
- external: ecs
-- name: host.os.version
- external: ecs
-- name: host.type
- external: ecs
- name: host.containerized
type: boolean
description: If the host is a container.
diff --git a/packages/slack/data_stream/audit/fields/beats.yml b/packages/slack/data_stream/audit/fields/beats.yml
index cb44bb29442..96190255552 100644
--- a/packages/slack/data_stream/audit/fields/beats.yml
+++ b/packages/slack/data_stream/audit/fields/beats.yml
@@ -7,6 +7,3 @@
- name: log.offset
type: long
description: Offset of the entry in the log file.
-- name: log.file.path
- type: keyword
- description: Path to the log file.
diff --git a/packages/slack/data_stream/audit/fields/ecs.yml b/packages/slack/data_stream/audit/fields/ecs.yml
deleted file mode 100644
index f7210a05058..00000000000
--- a/packages/slack/data_stream/audit/fields/ecs.yml
+++ /dev/null
@@ -1,72 +0,0 @@
-- name: ecs.version
- external: ecs
-- name: error.message
- external: ecs
-- name: event.action
- external: ecs
-- name: event.id
- external: ecs
-- name: event.type
- external: ecs
-- name: event.category
- external: ecs
-- name: event.kind
- external: ecs
-- name: event.ingested
- external: ecs
-- name: event.original
- external: ecs
-- name: file.hash.md5
- external: ecs
-- name: related.ip
- external: ecs
-- name: related.user
- external: ecs
-- name: source.address
- external: ecs
-- name: source.as.number
- external: ecs
-- name: source.as.organization.name
- external: ecs
-- name: source.geo.city_name
- external: ecs
-- name: source.geo.continent_name
- external: ecs
-- name: source.geo.country_iso_code
- external: ecs
-- name: source.geo.country_name
- external: ecs
-- name: source.geo.location
- external: ecs
-- name: source.geo.name
- external: ecs
-- name: source.geo.region_iso_code
- external: ecs
-- name: source.geo.region_name
- external: ecs
-- name: source.ip
- external: ecs
-- name: related.hash
- external: ecs
-- name: tags
- external: ecs
-- name: user.email
- external: ecs
-- name: user.id
- external: ecs
-- name: user.full_name
- external: ecs
-- external: ecs
- name: user_agent.device.name
-- external: ecs
- name: user_agent.name
-- external: ecs
- name: user_agent.original
-- external: ecs
- name: user_agent.os.full
-- external: ecs
- name: user_agent.os.name
-- external: ecs
- name: user_agent.os.version
-- external: ecs
- name: user_agent.version
diff --git a/packages/slack/docs/README.md b/packages/slack/docs/README.md
index d781a6250fd..04cc62894d4 100644
--- a/packages/slack/docs/README.md
+++ b/packages/slack/docs/README.md
@@ -40,58 +40,18 @@ Audit logs summarize the history of changes made within the Slack Enterprise.
| Field | Description | Type |
|---|---|---|
| @timestamp | Event timestamp. | date |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword |
| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host, resource, or service is located. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
| data_stream.dataset | Data stream dataset name. | constant_keyword |
| data_stream.namespace | Data stream namespace. | constant_keyword |
| data_stream.type | Data stream type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| error.message | Error message. | match_only_text |
-| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
| event.dataset | Event dataset | constant_keyword |
-| event.id | Unique ID to describe the event. | keyword |
-| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword |
| event.module | Event module | constant_keyword |
-| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| file.hash.md5 | MD5 hash. | keyword |
-| host.architecture | Operating system architecture. | keyword |
| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
-| host.name | Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name (FQDN), or a name specified by the user. The recommended value is the lowercase FQDN of the host. | keyword |
| host.os.build | OS build information. | keyword |
| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | match_only_text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
| input.type | Type of Filebeat input. | keyword |
-| log.file.path | Path to the log file. | keyword |
| log.flags | Flags for the log file. | keyword |
| log.offset | Offset of the entry in the log file. | long |
-| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| related.user | All the user names or other user identifiers seen on the event. | keyword |
| slack.audit.context.domain | The domain of the Workspace or Enterprise | keyword |
| slack.audit.context.id | The ID of the workspace or enterprise | keyword |
| slack.audit.context.name | The name of the workspace or enterprise | keyword |
@@ -123,34 +83,6 @@ Audit logs summarize the history of changes made within the Slack Enterprise.
| slack.audit.entity.timestamp | The timestamp of the entity when entity_type is message | keyword |
| slack.audit.entity.title | Title of the entity when entity_type is file | keyword |
| slack.audit.entity.type | The type of the entity when entity_type is role | keyword |
-| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| source.as.organization.name | Organization name. | keyword |
-| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text |
-| source.geo.city_name | City name. | keyword |
-| source.geo.continent_name | Name of the continent. | keyword |
-| source.geo.country_iso_code | Country ISO code. | keyword |
-| source.geo.country_name | Country name. | keyword |
-| source.geo.location | Longitude and latitude. | geo_point |
-| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
-| source.geo.region_iso_code | Region ISO code. | keyword |
-| source.geo.region_name | Region name. | keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| tags | List of keywords used to tag each event. | keyword |
-| user.email | User email address. | keyword |
-| user.full_name | User's full name, if available. | keyword |
-| user.full_name.text | Multi-field of `user.full_name`. | match_only_text |
-| user.id | Unique identifier of the user. | keyword |
-| user_agent.device.name | Name of the device. | keyword |
-| user_agent.name | Name of the user agent. | keyword |
-| user_agent.original | Unparsed user_agent string. | keyword |
-| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text |
-| user_agent.os.full | Operating system name, including the version or code name. | keyword |
-| user_agent.os.full.text | Multi-field of `user_agent.os.full`. | match_only_text |
-| user_agent.os.name | Operating system name, without the version. | keyword |
-| user_agent.os.name.text | Multi-field of `user_agent.os.name`. | match_only_text |
-| user_agent.os.version | Operating system version as a raw string. | keyword |
-| user_agent.version | Version of the user agent. | keyword |
An example event for `audit` looks as following:
diff --git a/packages/slack/manifest.yml b/packages/slack/manifest.yml
index 493c3b8c4fb..42fc10f6db4 100644
--- a/packages/slack/manifest.yml
+++ b/packages/slack/manifest.yml
@@ -1,7 +1,7 @@
format_version: "3.0.2"
name: slack
title: "Slack Logs"
-version: "1.20.0"
+version: "1.21.0"
description: "Slack Logs Integration"
type: integration
categories:
@@ -9,7 +9,7 @@ categories:
- security
conditions:
kibana:
- version: "^8.12.0"
+ version: "^8.13.0"
icons:
- src: /img/slack.svg
title: Slack logo
diff --git a/packages/snyk/_dev/deploy/docker/files/config.yml b/packages/snyk/_dev/deploy/docker/files/config.yml
index 9d5cfc86cd0..d3ac62e9a10 100644
--- a/packages/snyk/_dev/deploy/docker/files/config.yml
+++ b/packages/snyk/_dev/deploy/docker/files/config.yml
@@ -73,7 +73,6 @@ rules: {"issue":{"url":"https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGOYAMLYAML-564236","id":"SNYK-GOLANG-GITHUBCOMGOYAMLYAML-564236","title":"Denial of Service (DoS)","type":"vuln","package":"github.com/go-yaml/yaml","version":"2.1.0","severity":"medium","originalSeverity":null,"uniqueSeveritiesList":["medium"],"language":"golang","packageManager":"golang","semver":{"vulnerable":["<2.2.8"],"hashesRange":["53403b58ad1b561927d19068c655246f2db79d48"],"vulnerableHashes":["dd8f49ae7840d1fc6810d53ee7b05356da92f81f","d4766d1dff71f8a135a57e1fcff946c8c1a140ab","2aba0a492be00f1eb4d95483b08930ebe4968b64","3b0eedc5a476efc2b2e025eff55b2fd08fa32abd","2f2fd02e5a54a7d4f5e5d3494b170b0cb9275c92","7ad95dd0798a40da1ccdff6dff35fd177b5edf40","f7716cbe52baa25d2e9b0d0da546fcf909fc16b4","1ff37a7d30b085dc643dee7adb18759e3511661a","eca94c41d994ae2215d455ce578ae6e2dc6ee516","b0c168ac0cf9493da1f9bb76c34b26ffef940b4a","77373ee937410eceadc4dc64b1100d897ed593d0","025607cd2e381e6e08a56ffec46ac79e23ca2d88","7d17c9173a3d25ebba15cedb25b5205bdfb1eac8","ca3d523f32f3b33fb3265bfeb8e11003a8670e3d","85db785e81ed62ffae7a145404fc0f022335378c","a72a87d92dad7563e31c2c007e8d67f93d67f221","1be3d31502d6eabc0dd7ce5b0daab022e14a5538","90376f16b6d74c4e2fff21dd24397bec3dc62dd5","bb263360b83253468e534d974aabeddd6c22f887","d466437aa4adc35830964cffc5b5f262c63ddcb4","d6c23fbaf16f72995b58492627e65801cfb9a8dd","e4d366fc3c7938e2958e662b4258c7a89e1f0e3e","60a2abf4e00318875a661c29b36df7a68e484bf4","f4d271a8a289b41fa88b802c430fefde4e018bba","10c59a7d91867c206737dcd482fe68906a1484ca","d0b6f3facf302fb1bf969a12bad68ce720b3c025","4d6bb54d8acc91e147763cea066cff0b89437e90","1244d3ce02e3e1c16820ada0bae506b6c479f106","49fdd64ad429d146bacf7106dd73078e889be2e8","8e626dec39b5836cef636d885e33479debcf0cb1","4914593b9558e85597f08346c798aea8f6fb899f","031c922227a592b2b562a1833438308381f9a8bf","b51f82a2e3cbedab685908bd64d61d0a1b781754","c75e52ecee48db6de9aa73d00a360d43abf3e7ac","857a0b2759f87f47aaebad6dd319cf4f887eb6dc","5887bc
194be84805c8283e9d9a66102bf9571fca","a528d0ef484d32e416d7b9c4a249d1fa7111be6e","5b18502a28c65dfd209ea5aebb405fb6fc07f7e1","5d6f7e02b7cdad63b06ab3877915532cd30073b4","9c272e25743608d6d3287141522eb4506b2dac45","125a562d7bf105e062ed2adfb2d37e6f11c209bd","87e4a22b684220ccca96de3f2e651b2380a55f9e","d56ec34a3ded0bb58c82198664664ccb81eec91b","b754a4fe6ad8db932e083a2d85ae2199b3516bef","04092268b2c5e87e6373229049c827b833af4edb","f59f5e67022f3c186e20af01b1993b86ac74f0dc","52d5976e4791cf8c96a9de7569098e3752677412","770b8dae4cf00919e5eafffbd8d58186294b61b5","71e7ede9d48a2e096f6d5d0516c763513a471bd1","b01920c75e30179201b01633db246038b0226ce9","ef0aede23c8c624e127a9a59183ee8915e48a3c9","1632dd8118ce1efece66b7f53bb167956d5d8b4e","05299e459464264cd87a230b62d1aca93725c51b","d00346f943c9d2c43424c8a3840f5ca58817750d","49c95bdc21843256fb6c4e0d370a05f24a0bf213","088598405c86d37e951287d094d691e221654a00","c11897f0ba79d8a35d8a124ff0d76e13d9dccb9b","711419034010345c604724ef87ec3db91ffe0936","3e6d767784b037b90a14701b6c9f0643f05db963","a83829b6f1293c91addabc89d0571c246397bbf4","ee2f4956ea46791a74a31142105f03c0d5f9492b","7b079234548be56f14c6e342d4660aa8d54865b7","b7fbda9990042cd5456fdf187480c25fdd776f92","a6dc653f939ab0e6a554873806c41add1140d90c","687eda924018599a7c4518013c369f0bfb7eb0e1","fa9662d290d59b79f2ef7e1f72c885560efe512d","e47eca576e8f3a433de0ba77f1923e7c7f959667","e90bcf783f7abddaa0ee0994a09e536498744e49","fdc1ab46101a842d9e914408bd481f6647d5f9c1","f0766b44ca7999dc9af38a050ddf6db79d05bf3b","cdd36ee8d333aa740c1c0bceae0da74969b2c60b","7701d177ce02b7bd38c4ebd2ba4a7783080505ae","2c1be0d7f7ff8305cf666e89152e9753c8b39004","97203c6e4fc7347bfef3bd6d4913e90bd46c7ecb","7c97801ccf41d5273de9e22c8b2af6860c7703a2","7002636de42c9ef59a2921bb4f78744cabe8bfe3","0725b7707fdeeb6894c403d0f5a2a20e1dc7454d","1dd72ac3928693b9db2533639dfc2a5f831697eb","73a1567027eea2fab2b057a193036f844736f7da","7539b1dee2c790ab2d1aa5e254ef877f5552ff97","920b7d819b42f26f4796e4a43f518090a7a6331f","1f64d6156d11335c3f22d9330b0a
d14fc1e789ce","1b9791953ba4027efaeb728c7355e542a203be5e","1ed59511881fdb008c1e618e9f219ce0704e658e","c325d146e464fb9567e780ddfa2dad3a99323075","0ee36981cbf495d5eb6aeb540a3afc25c61d1a96","c4a9fb418357aceb801272d73efd518f183700fa","a347d2466e459933f4fb25f8026d995977436ccf","f221b8435cfb71e54062f6c6e99e9ade30b124d5","5206f6dd03423b3a5462a2a4286a4efae8abe347","a1c4bcb6c278a41992e2f4f0f29a44b4146daa5c","4ca689e686c2caf4dda3a62936c097d6dfb56877","119a11e4378a0410c69c42d82f51331a6da7a97c","c7da9dcff86f24fcfdc15e1f9fa39dfc19784616","f29dde21846f6357ee4421013b59eefd65c069b0","5515099aacaeb9ff3ab7492f0803327bb19fc512","1c9241b56a03383c77e1c33d86ea6ca4a927153e","86f5ed62f8a0ee96bd888d2efdfd6d4fb100a4eb","1f2a25ba9402c70a7806e84531ef763943739072","1418a9bc452f9cf4efa70307cafcb10743e64a56","65b1927d8262617ca3d25f296fdde1e8c48f813d","2bf60357b89cbc6044dde700cf63bab94a615bf7","c6314f5b627e2a1c1846d89cd775de6b2808d37e","50e1b1b1332ea40fff2a9b13bfbccbbecd526f00","50f7813e6b19e58334360ab011dfbaece5b1501f","a311394a2a9276454d3f92d26838c3ae3d99cdf3","79f5ef7c40ae7a4ee6bcd26d324bf50491b431e5","731788bc8b082f8c81c63ca0abd5950c7a68a2f1","6491ec31f7b0d27492e3046c86de94838dcb523c","41168bb7ed2fc849bc36727a2b902bd8f447bfc2","bc27649cd5454055cf20fdb9ef556c214d3f9aa0","d6b53382672776035ad8ef0404681f8a4a16bb95","8eba062837dc10754db7cbafcbedbfbc985ca172","837b0877fcd6b2c8ba83d126917267695ff16ad8","72c33f6840f49f9ed7d1faef7562b3266640fdf4","26b882523374125854702734c30b0ce6a1a18d7b","e90048704a8adb0b81b2e15ebafd1a35fa110903","4fc5987536ef307a24ca299aee7ae301cde3d221","4341420a144323d3f148ece677a20da6e077cfd2","5c8bfe59213b6e9a5eb50debebc396e99a9fa174","200c098a06472243b50aeda4510220a90c4e7dbe","de3643d77b438c6f0f69f350c437639a300b5e73","9a4310b1caff4cca3780580195a916ca060d08f7","91eb945ac02153399ac9f69e34751f1a176254c3","4cdd993908b57c3b87bef0695e5ca989151ad55f","7ddc4634ce2d8ca5c03846918ae1df6aa40ee464","ec232d2920a84930b077414b60b5985e076ae228","2c8612dfee1362e7e482c66c5feb892a94d53255","d670f94
05373e636a5a2765eea47fac0c9bc91a4","e9bfed595636e952566e5cb857c22b918f2530a2","c1cd2254a6dd314c9d73c338c12688c9325d85c6","df747160af0ebfcc572951e4168d4b1bc91a47f5","a65e08b08285cef29253c50ffd92469bf6e26a29","e6da37e746419537560c1e95e429f42b33f6d0e3","eea198a9c5cc6e02bfcd130a932051088a9f0950","6675ed2a9028caf87bb5915503c08a595e57b77d","562080bfe963d41a6870a4c500918f6361a0b61f","8171f560dedcb162dd3d2c925015679e84bac269","c78cd3ebd83777ac093137fbb55c33a9d3f65819","e4ac4c457c23b390e7fd75ddf746c5a69aa8cfd5","93d787c44dc828e1c67fa275cb66eb86bb2929f8","7cdd87a79f79db641dae55776224443026d28928","406cad6bb47dd7d9a123d005fb8ff766f6463051","523c7d9470684b02d902e8d986cd9eea66884755","9ca8abd6882a6e741166e6ec946a73f3a64df65a","885e19c0dda1f4e4e22837474879f8f3d36fb449","e8976af76e3d35c48f8b2c9540cca3e92995fbc6","addb3a024ff5763c8facbe4767fe530d602cfedc","c7f6f9c6e6c14027a46eb91241427dba67604f39","0a6d1b02c16e372ceea8f17f3b1833b918954bf1","835086a6b6aa65939515e30b5d6c2eba43d7c075","7b8fd2dbef04521fdd8d670ef4c77be691845aa2","3eb2270747cdd89e3f095cb24e8dd4ccf2a098f6","1d653a737648051ca638423377052c2f5c10c050","14d1c4659ec7b9ee26f5d705f3c2bb56cb6cbee4","c544d0342172409bd9c8f7c45d9fb21971c8aee9","6941443daa441371720e9ef8f3554c3958cfb071","f8db564a0a4a5f6d04f66522493597f18e5ab4ae","7c634f6a68c1076d3cfdc56930db26e86f7876d7","f7e23311052d3dda728ce15788fb3727898afa17","8691640bc70f3d96128a809341d850b550a3abb9","b9b22c434500d7639936fbed673fc0ef23ce88f6","d6385b38675d8d03521c9290f4f3d7bff08664c0","4c78c975fe7c825c6d1466c42be594d1d6f3aba6","54c736c86c9bcc793fb4bd6f203604cd738dc0e9","722ff6b958a31d4ca3405db35a72648a6077a6bb","2afc2e57e051513a3f5f67e74857696a8558d67b","283fbcdd1e64975730a38609f8802ef983a43cb9","ab5d55c35f3919fe06e9daedce5a32f4aab23777","e2fbf5b72a6a12abd15be9b37656a0a136fc32f8","399c3345e0f76f583d830cd7da27518bbb00c91a","b6679148d27038e59d7818facc4d100e677a64ae","43a0256bb22b0c2e1803ac6e28f55e5989a60523","f5f5cc19d1f681884684426c96adadef47a3b55c","787afde64d7b36591050440c4a14c
2288b373de6","7b8349ac747c6a24702b762d2c4fd9266cf4f1d6","0e4404da71227dcc02fb1deee803d93e86d08f72","a95acef3719e5e9f7614cc90a119dee4699291eb","3ba0e99ffa727bd7eb782b7a5d1aafcb989b0899","5edc3ded41385ca1b9a80339d2a070e4d0a17cb6","2c9db3558be789ef3896b03ed3f354b822c304b9","a833012353d046b1f12c82db87d01c86570b24d7","77b516425597da3c093a666c11608112e91604de","1ade51a028efa6990b524e0b01237dbd9123957d","9e27074feeaed4b0ae4e5e71187eff80c0f0bf35","cd515839285fe1a31b92193360172d59f818c9b8","9f33a69b86c3c76c52e41d12d83e233065bfcca9","36babc3691687601732d9e2571b698be4116469a","51d6538a90f86fe93ac480b35f37b2be17fef232","31c299268d302dd0aa9a0dcf765a3d58971ac83f","3e92d6a11b92fa4612d66712704844bdc0c48aed","9211cbc02789a32acf5e90c23a42f040ac3ec3f8","0cb32393ebcfc65467398e5daadfb63b2184caea","0f9a5c380d77a8b2888a78c3d3a14db15949b1fa","82377a97b299347cd15cc1be13e1c8d04e33efbb","fe9486c37432968838e1798b2317dc1aa10b586b","77b384eced7745af978888311ea3c67e57c7ed96","fc7f19eff1782a0beae3065097c776183e7d01d0","dbd6d0229d1f1e1c3055cd82efb81f60a27d1103","25c4ec802a7d637f88d584ab26798e94ad14c13b","5e76f7cf8cb1fc353b84b96c72a36c4984cbd005","a5844a8f8f489bad96ab6da62cfa21ee1f5d9e6b","41c132e8ac051886e4eb06e7c3d58ced63d58057","4f03e946c120a8f146f43bee6f392f9bb5d0a677","287cf08546ab5e7e37d55a84f7ed3fd1db036de5","1092c5d94f266e0f94e485a24f7010da877eeba0","910de082618d0d8ccac6443a6e7a72cc8bcd5227","feb4ca79644e8e7e39c06095246ee54b1282c118","3c68098bffba683534584be69216dac3a2b2305a","3323b7713e656f16fbd0eec27c60370b6237f4e3","f3293401ceedf2a32a1c22cb062b274dba6be798","43607cc2a1772b23faf366c24b8e33541187b64d","add015b1c64e144664b73d5eacfeb6aeace2e45c","3e69410288aeb97d31353af8e063b798d40feb3f","39e59aa7e15898a87148f0f4891a085c83b9b0fc","a3f3340b5840cee44f372bddb5880fcbc419b46a","05d405925260878bd750ea7d96c746c2d726b349","65622dcbf4c25328cd440d1b322c6530abe83337","8ca81d591dc2242f9c4b7a907533f0b7f93802b5","3d8cfc3754fba03b8f1a0d44ea4e6e870cf86c57","eb3733d160e74a9c7e442f435eb3bea458e1d19f","d0fefed9
b627fbe0c1597ac29ed5f48ff2eb9064","dcd83b31fd165d8cc8677fce58f889dca3e06f35","7f97868eec74b32b0982dd158a51a446d1da7eb5","925f818e2c358746b3a14bf3e5614db14208037f","c95af922eae69f190717a0b7148960af8c55a072","0516c53462e633a479f3826e1d3557033413eeb8","53087c11c10b453af4f2eb47471434eae75526f9","5420a8b6744d3b0345ab293f6fcba19c978f1183","fb03f24d58ac0c7a3d85edc1b91dfcfea4329883","08434a82b8376f585898a97654ce18065d14cb97","a5b47d31c556af34a302ce5d659e6fea44d90de0","838f4ea96166350b9185bf3d2cbf786d34127ca2","f2d2788ce5b1741745c0d1a853e856b5b77376b2","284796d39ddb313ec0ae04898de280d41fe32479","970885f01c8bc1fecb7ab1c8ce8e7609bda45530","4f3d34e492b8930c50204a216d960e7da0dc5f63","9f389a1f0b1d442eba00213e7aa09ccd878d18b0","1b2e8c1531abbfe7dcd3de8ff4483326af275bc8","14227de293ca979cf205cd88769fe71ed96a97e2","e72f93569ef83aca933836c2fb9185faeeced236","3b4ad1db5b2a649883ff3782f5f9f6fb52be71af","a0ae8d516398f3724bb3db614ab47f0e4f643f2e","f7a330473f18ddc052fce1f71a2b2d1231860f71","81205292aba40f8868069e2f18d90043d3e724a6","059398de19c863a04c55315526d6c226de540aa1","e6ec13e5a80029d7ebcbc2c90d16ce5ff1fa6c84","8173ecbc8953a159ae0fa2fad94adf3553b0bf8e","b7dfe2d918fda477aa5b42519294b5ada3c991fa","b6b591a3c0ec0452719f4d4555a3e084fd9f12fb","ba29208cca8f239f2cea685183f79df8e4defc29","422f540d2e1f1b41b6184903cd1eb69c777df1bb","914e67f109a574665d15c0d179cdc796abefb176","1bf6a7ce154075e61134f8a68dd50902c3027a10","2628b30e544c309ac3d0c8cd7e78a785400cd41f","0846a25da24891a7b3c725bc190493b5f7525db8","4cadac2bc790baeffa0a7fa19689223966a64c24","b3031338ac8e006cbd668f67c36c24d2c5e64b6d","cd8b52f8269e0feb286dfeef29f8fe4d5b397e0b","205b70273c7999d96b32db43ab54337690817184","62e345dcf33dd13810ceba10407c30a7db6a0958","53feefa2559fb8dfa8d81baad31be332c97d6c77","e720624475f3807e3dc6477e7af6feb09da0b848","bd61a856f807e525beaee41959452c88c83d46cf","f90ceb4f409096b60e2e9076b38b304b8246e5fa","3c0d4d4f56c36fcfd2da00ff26c40046512b4208","1f1f61830e4c9f1eff03047c9d1d11e576853bc4","f96735bc0fa70a12e9f41277b2d909
e0c477ee30","e334f8522ac9fe2b381c329b3159a328eeb14f76","18e5f12b39cb93b31a249fb7115b9bbf6162aeeb","b3472531944cd769419f297322dc285a0fc0d6cc","3e542fbf7c84c0bf22f51ad07899cf80f8658caa","00efe9c47819ca58089c4bd5d1d8463248e23228","670d4cfef0544295bc27a114dbac37980d83185a","8ed39f36d6f36299d2ce5f9b35a05d048500f777","bb4e33bf68bf89cad44d386192cbed201f35b241","bef53efd0c76e49e6de55ead051f886bea7e9420","9eade332f0ceebc6b7c9e24893574cad4c51722b"]},"isIgnored":false,"publicationTime":"2020-04-02T11:29:49.000Z","disclosureTime":"2020-03-26T11:30:05.000Z","isUpgradable":false,"isPatchable":false,"isPinnable":false,"identifiers":{"CVE":["CVE-2019-11254"],"CWE":["CWE-1050"]},"credit":["Unknown"],"CVSSv3":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","cvssScore":"6.5","patches":[],"isPatched":false,"exploitMaturity":"no-known-exploit","reachability":"No Info","priorityScore":325,"jiraIssueUrl":null},"isFixed":false,"introducedDate":"2020-04-29","projects":[{"url":"https://snyk.io/org/orgname/project/projectid","id":"projectid","name":"username/reponame","source":"github","packageManager":"npm","targetFile":"package.json"},{"url":"https://snyk.io/org/orgname/project/projectid","id":"projectid","name":"someotheruser/someotherreponame","source":"github","packageManager":"npm","targetFile":"folder1/package.json"},{"url":"https://snyk.io/org/orgname/project/projectid","id":"projectid","name":"projectname","source":"cli","packageManager":"npm","targetFile":"package.json"}]} ] } - - path: /rest/orgs/0de7b2d6-c1da-46aa-887e-1886f96770d4/audit_logs/search methods: ["GET"] request_headers: @@ -276,7 +275,6 @@ rules: } } `}} - - path: /rest/orgs/0de7b2d6-c1da-46aa-887e-1886f96770d4/issues methods: ["GET"] request_headers: diff --git a/packages/snyk/changelog.yml b/packages/snyk/changelog.yml index 4eae76aa3d8..fdbc1797dcf 100644 --- a/packages/snyk/changelog.yml +++ b/packages/snyk/changelog.yml 
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.23.0"
+ changes:
+ - description: ECS version updated to 8.11.0. Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/10135
 - version: "1.22.1"
 changes:
 - description: Fix handling of event filter parameter in audit_logs data stream.
diff --git a/packages/snyk/data_stream/audit/fields/agent.yml b/packages/snyk/data_stream/audit/fields/agent.yml
index 4d9a6f7b362..bc42d0a853b 100644
--- a/packages/snyk/data_stream/audit/fields/agent.yml
+++ b/packages/snyk/data_stream/audit/fields/agent.yml
@@ -1,100 +1,9 @@ - name: host title: Host group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' type: group fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. 
The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - name: containerized type: boolean description: > diff --git a/packages/snyk/data_stream/audit/fields/beats.yml b/packages/snyk/data_stream/audit/fields/beats.yml index cb44bb29442..96190255552 100644 --- a/packages/snyk/data_stream/audit/fields/beats.yml +++ b/packages/snyk/data_stream/audit/fields/beats.yml @@ -7,6 +7,3 @@ - name: log.offset type: long description: Offset of the entry in the log file. -- name: log.file.path - type: keyword - description: Path to the log file. diff --git a/packages/snyk/data_stream/audit/fields/ecs.yml b/packages/snyk/data_stream/audit/fields/ecs.yml deleted file mode 100644 index f243288cc96..00000000000 --- a/packages/snyk/data_stream/audit/fields/ecs.yml +++ /dev/null 
@@ -1,14 +0,0 @@
-- name: event.created
- external: ecs
-- name: event.original
- external: ecs
-- name: tags
- external: ecs
-- name: message
- external: ecs
-- name: ecs.version
- external: ecs
-- name: user.group.id
- external: ecs
-- name: user.id
- external: ecs
diff --git a/packages/snyk/data_stream/audit_logs/_dev/test/pipeline/test-snyk-audit.json b/packages/snyk/data_stream/audit_logs/_dev/test/pipeline/test-snyk-audit.json
index 2718a62df19..3c735093d02 100644
--- a/packages/snyk/data_stream/audit_logs/_dev/test/pipeline/test-snyk-audit.json
+++ b/packages/snyk/data_stream/audit_logs/_dev/test/pipeline/test-snyk-audit.json
@@ -1,64 +1,64 @@ { - "events": [ - { - "message": "{\"content\":{\"after\":{\"name\":\"elastic-integration\"},\"before\":{\"name\":\"admin.user\"}},\"created\":\"2024-04-15T19:47:21.565Z\",\"event\":\"org.edit\",\"org_id\":\"86054e75-398a-4a1a-9dd8-72d026d8c237\",\"user_id\":\"b4b324c4-a55c-4cd6-82b8-f96e3b3b8d85\"}" - }, - { - "message": "{\"content\":{\"email\":\"other.user@company.com\",\"role\":\"0afa84b4-9d99-4c2b-94c2-65da22270836\"},\"created\":\"2024-04-15T19:49:01.920Z\",\"event\":\"org.user.invite\",\"org_id\":\"86054e75-398a-4a1a-9dd8-72d026d8c237\",\"user_id\":\"b4b324c4-a55c-4cd6-82b8-f96e3b3b8d85\"}" - }, - { - "message": "{\"content\":{\"openInvitePublicId\":\"5cc83241-4d28-401e-80e7-3a421cee2c03\",\"url\":\"https://app.snyk.io/invite/link/accept?invite=5cc83241-4d28-401e-80e7-3a421cee2c03\\u0026utm_source=link_invite\\u0026utm_medium=referral\\u0026utm_campaign=product-link-invite\\u0026from=link_invite\"},\"created\":\"2024-04-16T09:46:29.448Z\",\"event\":\"org.user.invite_link.create\",\"org_id\":\"86054e75-398a-4a1a-9dd8-72d026d8c237\",\"user_id\":\"b4b324c4-a55c-4cd6-82b8-f96e3b3b8d85\"}" - }, - { - "message": "{\"content\":{\"role\":\"ADMIN\",\"rolePublicId\":\"0afa84b4-9d99-4c2b-94c2-65da22270836\",\"userPublicId\":\"14b442f2-02f8-47d4-ba51-1749d3771e2c\"},\"created\":\"2024-04-16T21:54:33.257Z\",\"event\":\"org.user.add\",\"org_id\":\"86054e75-398a-4a1a-9dd8-72d026d8c237\",\"user_id\":\"14b442f2-02f8-47d4-ba51-1749d3771e2c\"}" - }, - { - "message": "{\"content\":{\"email\":\"other.user-alias@company.com\",\"invitingUserId\":1881478,\"rolePublicId\":\"0afa84b4-9d99-4c2b-94c2-65da22270836\"},\"created\":\"2024-04-16T21:54:33.257Z\",\"event\":\"org.user.invite_link.accept\",\"org_id\":\"86054e75-398a-4a1a-9dd8-72d026d8c237\",\"user_id\":\"14b442f2-02f8-47d4-ba51-1749d3771e2c\"}" - }, - { - "message": 
"{\"content\":{\"origin\":\"cli\"},\"created\":\"2024-04-17T01:08:08.228Z\",\"event\":\"org.project.test\",\"org_id\":\"86054e75-398a-4a1a-9dd8-72d026d8c237\",\"user_id\":\"14b442f2-02f8-47d4-ba51-1749d3771e2c\"}" - }, - { - "message": "{\"content\":{\"after\":{\"autoDepUpgradeEnabled\":true,\"autoRemediationPrs\":{\"backlogPrStrategy\":\"vuln\",\"container\":{\"enabled\":true},\"freshPrsEnabled\":true,\"usePatchRemediation\":true},\"pullRequestTestEnabled\":true,\"reachableVulns\":{}},\"before\":{\"autoDepUpgradeEnabled\":true,\"autoRemediationPrs\":{\"backlogPrStrategy\":\"vuln\",\"container\":{},\"freshPrsEnabled\":true,\"usePatchRemediation\":true},\"pullRequestTestEnabled\":true,\"reachableVulns\":{}},\"flow\":\"on-boarding\",\"sourceType\":\"github\"},\"created\":\"2024-04-17T01:24:49.748Z\",\"event\":\"org.integration.settings.edit\",\"org_id\":\"86054e75-398a-4a1a-9dd8-72d026d8c237\",\"user_id\":\"14b442f2-02f8-47d4-ba51-1749d3771e2c\"}" - }, - { - "message": "{\"content\":{\"after\":{\"sastSettings\":{\"sastEnabled\":true}},\"before\":{\"sastSettings\":{}},\"interface\":\"ui\"},\"created\":\"2024-04-17T01:24:49.837Z\",\"event\":\"org.sast_settings.edit\",\"org_id\":\"86054e75-398a-4a1a-9dd8-72d026d8c237\",\"user_id\":\"14b442f2-02f8-47d4-ba51-1749d3771e2c\"}" - }, - { - "message": "{\"content\":{\"targetId\":\"693b1550-43b1-4108-a55a-37e5cabe7355\"},\"created\":\"2024-04-17T01:26:10.024Z\",\"event\":\"org.target.create\",\"org_id\":\"86054e75-398a-4a1a-9dd8-72d026d8c237\",\"user_id\":\"14b442f2-02f8-47d4-ba51-1749d3771e2c\"}" - }, - { - "message": "{\"content\":{\"action\":\"Cloned repo: https://github.com/elastic/mito.git commit hash: 5e8963319b4a55b32f6d9db0a19f0ddd70ae8c5d\",\"requestId\":\"dc3cad34-9ece-49d6-b38e-28d8439f29e1\"},\"created\":\"2024-04-17T01:26:13.000Z\",\"event\":\"org.project.files.create\",\"org_id\":\"86054e75-398a-4a1a-9dd8-72d026d8c237\"}" - }, - { - "message": "{\"content\":{\"AboveSizeLimit\":{},\"action\":\"Modify files - 
exclude\",\"excluded\":{},\"notSupported\":{\"\":1,\".cel\":1,\".json\":1,\".md\":1,\".mod\":1,\".sum\":1,\".txt\":70,\".yml\":1},\"requestId\":\"dc3cad34-9ece-49d6-b38e-28d8439f29e1\"},\"created\":\"2024-04-17T01:26:13.000Z\",\"event\":\"org.project.files.edit\",\"org_id\":\"86054e75-398a-4a1a-9dd8-72d026d8c237\"}" - }, - { - "message": "{\"content\":{\"action\":\"Retrieve files\",\"requestId\":\"dc3cad34-9ece-49d6-b38e-28d8439f29e1\"},\"created\":\"2024-04-17T01:26:13.000Z\",\"event\":\"org.project.files.access\",\"org_id\":\"86054e75-398a-4a1a-9dd8-72d026d8c237\"}" - }, - { - "message": "{\"content\":{\"action\":\"Returned from analysis\"},\"created\":\"2024-04-17T01:26:19.025Z\",\"event\":\"org.project.issue.create\",\"org_id\":\"86054e75-398a-4a1a-9dd8-72d026d8c237\"}" - }, - { - "message": "{\"content\":{\"issues\":7},\"created\":\"2024-04-17T01:26:19.192Z\",\"event\":\"org.project.issue.edit\",\"org_id\":\"86054e75-398a-4a1a-9dd8-72d026d8c237\",\"project_id\":\"f6f87c14-594e-4335-b873-d3473054834d\",\"user_id\":\"14b442f2-02f8-47d4-ba51-1749d3771e2c\"}" - }, - { - "message": "{\"content\":{\"snapshotId\":\"7c4c1751-2f5e-4d79-96e4-5a200aa6d802\"},\"created\":\"2024-04-17T01:26:19.268Z\",\"event\":\"org.project.edit\",\"org_id\":\"86054e75-398a-4a1a-9dd8-72d026d8c237\",\"project_id\":\"f6f87c14-594e-4335-b873-d3473054834d\",\"user_id\":\"14b442f2-02f8-47d4-ba51-1749d3771e2c\"}" - }, - { - "message": "{\"content\":{\"AboveSizeLimit\":{\".js\":1},\"action\":\"Modify files - 
exclude\",\"excluded\":{\"\":1,\".yml\":1},\"notSupported\":{\"\":163,\".0\":10,\".00\":1,\".04\":1,\".1\":1,\".1-faulty\":1,\".14\":2,\".17\":1,\".18-Debian\":1,\".2\":1,\".20\":1,\".23-CentOS6\":1,\".asciidoc\":1214,\".bash\":1,\".bat\":14,\".cert\":1,\".cfg\":1,\".cnf\":1,\".conf\":17,\".crt\":12,\".csr\":4,\".csv\":5,\".current\":2,\".dat\":88,\".debug\":1,\".disabled\":141,\".dll\":1,\".dockerignore\":2,\".editorconfig\":2,\".env\":1,\".evtx\":115,\".exe\":1,\".expected\":54,\".fbs\":1,\".gitattributes\":1,\".gitignore\":30,\".go-version\":1,\".gob\":1,\".groovy\":8,\".gz\":4,\".hcl\":2,\".ini\":2,\".j2\":14,\".jewel\":1,\".jks\":2,\".journal\":1,\".jpg\":10,\".json\":3500,\".key\":16,\".log\":590,\".md\":116,\".mk\":2,\".mmdb\":3,\".mod\":1,\".nautilus\":1,\".ndjson\":4,\".orig\":1,\".pcap\":118,\".pem\":8,\".pic\":6,\".placeholder\":3,\".plain\":51,\".png\":208,\".properties\":2,\".ps1\":1,\".pylintrc\":1,\".rl\":15,\".sh\":62,\".spec\":1,\".sql\":1,\".srl\":2,\".sum\":2,\".svg\":8,\".template\":2,\".tf\":21,\".thrift\":3,\".tmpl\":117,\".toml\":1,\".tpl\":1,\".txt\":32,\".xsl\":1,\".yaml\":34,\".yml\":1844,\".zip\":3},\"requestId\":\"dc3cad34-9ece-49d6-b38e-28d8439f29e1\"},\"created\":\"2024-04-17T01:26:21.000Z\",\"event\":\"org.project.files.edit\",\"org_id\":\"86054e75-398a-4a1a-9dd8-72d026d8c237\"}" - }, - { - "message": "{\"content\":{\"origin\":\"github\",\"target\":{\"branch\":\"dev\",\"id\":477916110,\"name\":\"mito\",\"owner\":\"elastic\"},\"targetFile\":\"go.mod\",\"type\":\"gomodules\"},\"created\":\"2024-04-17T01:26:29.493Z\",\"event\":\"org.project.monitor\",\"org_id\":\"86054e75-398a-4a1a-9dd8-72d026d8c237\",\"project_id\":\"ad562805-e976-4eed-85b6-740c7664d607\",\"user_id\":\"14b442f2-02f8-47d4-ba51-1749d3771e2c\"}" - }, - { - "message": 
"{\"content\":{\"sourceOrgId\":\"86054e75-398a-4a1a-9dd8-72d026d8c237\"},\"created\":\"2024-04-17T01:26:49.288Z\",\"event\":\"org.project.add\",\"org_id\":\"86054e75-398a-4a1a-9dd8-72d026d8c237\",\"project_id\":\"2d92916c-792a-46b0-aa23-c94d7481478b\",\"user_id\":\"14b442f2-02f8-47d4-ba51-1749d3771e2c\"}" - }, - { - "message": "{\"content\":{\"issues\":7},\"created\":\"2024-04-17T01:35:51.787Z\",\"event\":\"org.project.issue.access\",\"org_id\":\"86054e75-398a-4a1a-9dd8-72d026d8c237\",\"project_id\":\"f6f87c14-594e-4335-b873-d3473054834d\",\"user_id\":\"14b442f2-02f8-47d4-ba51-1749d3771e2c\"}" - }, - { - "message": "{\"content\":{},\"created\":\"2024-04-17T01:35:52.948Z\",\"event\":\"org.project.file.access\",\"org_id\":\"86054e75-398a-4a1a-9dd8-72d026d8c237\",\"project_id\":\"f6f87c14-594e-4335-b873-d3473054834d\",\"user_id\":\"14b442f2-02f8-47d4-ba51-1749d3771e2c\"}" - } - ] + "events": [ + { + "message": "{\"content\":{\"after\":{\"name\":\"elastic-integration\"},\"before\":{\"name\":\"admin.user\"}},\"created\":\"2024-04-15T19:47:21.565Z\",\"event\":\"org.edit\",\"org_id\":\"86054e75-398a-4a1a-9dd8-72d026d8c237\",\"user_id\":\"b4b324c4-a55c-4cd6-82b8-f96e3b3b8d85\"}" + }, + { + "message": "{\"content\":{\"email\":\"other.user@company.com\",\"role\":\"0afa84b4-9d99-4c2b-94c2-65da22270836\"},\"created\":\"2024-04-15T19:49:01.920Z\",\"event\":\"org.user.invite\",\"org_id\":\"86054e75-398a-4a1a-9dd8-72d026d8c237\",\"user_id\":\"b4b324c4-a55c-4cd6-82b8-f96e3b3b8d85\"}" + }, + { + "message": "{\"content\":{\"openInvitePublicId\":\"5cc83241-4d28-401e-80e7-3a421cee2c03\",\"url\":\"https://app.snyk.io/invite/link/accept?invite=5cc83241-4d28-401e-80e7-3a421cee2c03\\u0026utm_source=link_invite\\u0026utm_medium=referral\\u0026utm_campaign=product-link-invite\\u0026from=link_invite\"},\"created\":\"2024-04-16T09:46:29.448Z\",\"event\":\"org.user.invite_link.create\",\"org_id\":\"86054e75-398a-4a1a-9dd8-72d026d8c237\",\"user_id\":\"b4b324c4-a55c-4cd6-82b8-f96e3b3b8d85\"}" + 
}, + { + "message": "{\"content\":{\"role\":\"ADMIN\",\"rolePublicId\":\"0afa84b4-9d99-4c2b-94c2-65da22270836\",\"userPublicId\":\"14b442f2-02f8-47d4-ba51-1749d3771e2c\"},\"created\":\"2024-04-16T21:54:33.257Z\",\"event\":\"org.user.add\",\"org_id\":\"86054e75-398a-4a1a-9dd8-72d026d8c237\",\"user_id\":\"14b442f2-02f8-47d4-ba51-1749d3771e2c\"}" + }, + { + "message": "{\"content\":{\"email\":\"other.user-alias@company.com\",\"invitingUserId\":1881478,\"rolePublicId\":\"0afa84b4-9d99-4c2b-94c2-65da22270836\"},\"created\":\"2024-04-16T21:54:33.257Z\",\"event\":\"org.user.invite_link.accept\",\"org_id\":\"86054e75-398a-4a1a-9dd8-72d026d8c237\",\"user_id\":\"14b442f2-02f8-47d4-ba51-1749d3771e2c\"}" + }, + { + "message": "{\"content\":{\"origin\":\"cli\"},\"created\":\"2024-04-17T01:08:08.228Z\",\"event\":\"org.project.test\",\"org_id\":\"86054e75-398a-4a1a-9dd8-72d026d8c237\",\"user_id\":\"14b442f2-02f8-47d4-ba51-1749d3771e2c\"}" + }, + { + "message": "{\"content\":{\"after\":{\"autoDepUpgradeEnabled\":true,\"autoRemediationPrs\":{\"backlogPrStrategy\":\"vuln\",\"container\":{\"enabled\":true},\"freshPrsEnabled\":true,\"usePatchRemediation\":true},\"pullRequestTestEnabled\":true,\"reachableVulns\":{}},\"before\":{\"autoDepUpgradeEnabled\":true,\"autoRemediationPrs\":{\"backlogPrStrategy\":\"vuln\",\"container\":{},\"freshPrsEnabled\":true,\"usePatchRemediation\":true},\"pullRequestTestEnabled\":true,\"reachableVulns\":{}},\"flow\":\"on-boarding\",\"sourceType\":\"github\"},\"created\":\"2024-04-17T01:24:49.748Z\",\"event\":\"org.integration.settings.edit\",\"org_id\":\"86054e75-398a-4a1a-9dd8-72d026d8c237\",\"user_id\":\"14b442f2-02f8-47d4-ba51-1749d3771e2c\"}" + }, + { + "message": 
"{\"content\":{\"after\":{\"sastSettings\":{\"sastEnabled\":true}},\"before\":{\"sastSettings\":{}},\"interface\":\"ui\"},\"created\":\"2024-04-17T01:24:49.837Z\",\"event\":\"org.sast_settings.edit\",\"org_id\":\"86054e75-398a-4a1a-9dd8-72d026d8c237\",\"user_id\":\"14b442f2-02f8-47d4-ba51-1749d3771e2c\"}" + }, + { + "message": "{\"content\":{\"targetId\":\"693b1550-43b1-4108-a55a-37e5cabe7355\"},\"created\":\"2024-04-17T01:26:10.024Z\",\"event\":\"org.target.create\",\"org_id\":\"86054e75-398a-4a1a-9dd8-72d026d8c237\",\"user_id\":\"14b442f2-02f8-47d4-ba51-1749d3771e2c\"}" + }, + { + "message": "{\"content\":{\"action\":\"Cloned repo: https://github.com/elastic/mito.git commit hash: 5e8963319b4a55b32f6d9db0a19f0ddd70ae8c5d\",\"requestId\":\"dc3cad34-9ece-49d6-b38e-28d8439f29e1\"},\"created\":\"2024-04-17T01:26:13.000Z\",\"event\":\"org.project.files.create\",\"org_id\":\"86054e75-398a-4a1a-9dd8-72d026d8c237\"}" + }, + { + "message": "{\"content\":{\"AboveSizeLimit\":{},\"action\":\"Modify files - exclude\",\"excluded\":{},\"notSupported\":{\"\":1,\".cel\":1,\".json\":1,\".md\":1,\".mod\":1,\".sum\":1,\".txt\":70,\".yml\":1},\"requestId\":\"dc3cad34-9ece-49d6-b38e-28d8439f29e1\"},\"created\":\"2024-04-17T01:26:13.000Z\",\"event\":\"org.project.files.edit\",\"org_id\":\"86054e75-398a-4a1a-9dd8-72d026d8c237\"}" + }, + { + "message": "{\"content\":{\"action\":\"Retrieve files\",\"requestId\":\"dc3cad34-9ece-49d6-b38e-28d8439f29e1\"},\"created\":\"2024-04-17T01:26:13.000Z\",\"event\":\"org.project.files.access\",\"org_id\":\"86054e75-398a-4a1a-9dd8-72d026d8c237\"}" + }, + { + "message": "{\"content\":{\"action\":\"Returned from analysis\"},\"created\":\"2024-04-17T01:26:19.025Z\",\"event\":\"org.project.issue.create\",\"org_id\":\"86054e75-398a-4a1a-9dd8-72d026d8c237\"}" + }, + { + "message": 
"{\"content\":{\"issues\":7},\"created\":\"2024-04-17T01:26:19.192Z\",\"event\":\"org.project.issue.edit\",\"org_id\":\"86054e75-398a-4a1a-9dd8-72d026d8c237\",\"project_id\":\"f6f87c14-594e-4335-b873-d3473054834d\",\"user_id\":\"14b442f2-02f8-47d4-ba51-1749d3771e2c\"}" + }, + { + "message": "{\"content\":{\"snapshotId\":\"7c4c1751-2f5e-4d79-96e4-5a200aa6d802\"},\"created\":\"2024-04-17T01:26:19.268Z\",\"event\":\"org.project.edit\",\"org_id\":\"86054e75-398a-4a1a-9dd8-72d026d8c237\",\"project_id\":\"f6f87c14-594e-4335-b873-d3473054834d\",\"user_id\":\"14b442f2-02f8-47d4-ba51-1749d3771e2c\"}" + }, + { + "message": "{\"content\":{\"AboveSizeLimit\":{\".js\":1},\"action\":\"Modify files - exclude\",\"excluded\":{\"\":1,\".yml\":1},\"notSupported\":{\"\":163,\".0\":10,\".00\":1,\".04\":1,\".1\":1,\".1-faulty\":1,\".14\":2,\".17\":1,\".18-Debian\":1,\".2\":1,\".20\":1,\".23-CentOS6\":1,\".asciidoc\":1214,\".bash\":1,\".bat\":14,\".cert\":1,\".cfg\":1,\".cnf\":1,\".conf\":17,\".crt\":12,\".csr\":4,\".csv\":5,\".current\":2,\".dat\":88,\".debug\":1,\".disabled\":141,\".dll\":1,\".dockerignore\":2,\".editorconfig\":2,\".env\":1,\".evtx\":115,\".exe\":1,\".expected\":54,\".fbs\":1,\".gitattributes\":1,\".gitignore\":30,\".go-version\":1,\".gob\":1,\".groovy\":8,\".gz\":4,\".hcl\":2,\".ini\":2,\".j2\":14,\".jewel\":1,\".jks\":2,\".journal\":1,\".jpg\":10,\".json\":3500,\".key\":16,\".log\":590,\".md\":116,\".mk\":2,\".mmdb\":3,\".mod\":1,\".nautilus\":1,\".ndjson\":4,\".orig\":1,\".pcap\":118,\".pem\":8,\".pic\":6,\".placeholder\":3,\".plain\":51,\".png\":208,\".properties\":2,\".ps1\":1,\".pylintrc\":1,\".rl\":15,\".sh\":62,\".spec\":1,\".sql\":1,\".srl\":2,\".sum\":2,\".svg\":8,\".template\":2,\".tf\":21,\".thrift\":3,\".tmpl\":117,\".toml\":1,\".tpl\":1,\".txt\":32,\".xsl\":1,\".yaml\":34,\".yml\":1844,\".zip\":3},\"requestId\":\"dc3cad34-9ece-49d6-b38e-28d8439f29e1\"},\"created\":\"2024-04-17T01:26:21.000Z\",\"event\":\"org.project.files.edit\",\"org_id\":\"86054e75-398a-
4a1a-9dd8-72d026d8c237\"}"
+ },
+ {
+ "message": "{\"content\":{\"origin\":\"github\",\"target\":{\"branch\":\"dev\",\"id\":477916110,\"name\":\"mito\",\"owner\":\"elastic\"},\"targetFile\":\"go.mod\",\"type\":\"gomodules\"},\"created\":\"2024-04-17T01:26:29.493Z\",\"event\":\"org.project.monitor\",\"org_id\":\"86054e75-398a-4a1a-9dd8-72d026d8c237\",\"project_id\":\"ad562805-e976-4eed-85b6-740c7664d607\",\"user_id\":\"14b442f2-02f8-47d4-ba51-1749d3771e2c\"}"
+ },
+ {
+ "message": "{\"content\":{\"sourceOrgId\":\"86054e75-398a-4a1a-9dd8-72d026d8c237\"},\"created\":\"2024-04-17T01:26:49.288Z\",\"event\":\"org.project.add\",\"org_id\":\"86054e75-398a-4a1a-9dd8-72d026d8c237\",\"project_id\":\"2d92916c-792a-46b0-aa23-c94d7481478b\",\"user_id\":\"14b442f2-02f8-47d4-ba51-1749d3771e2c\"}"
+ },
+ {
+ "message": "{\"content\":{\"issues\":7},\"created\":\"2024-04-17T01:35:51.787Z\",\"event\":\"org.project.issue.access\",\"org_id\":\"86054e75-398a-4a1a-9dd8-72d026d8c237\",\"project_id\":\"f6f87c14-594e-4335-b873-d3473054834d\",\"user_id\":\"14b442f2-02f8-47d4-ba51-1749d3771e2c\"}"
+ },
+ {
+ "message": "{\"content\":{},\"created\":\"2024-04-17T01:35:52.948Z\",\"event\":\"org.project.file.access\",\"org_id\":\"86054e75-398a-4a1a-9dd8-72d026d8c237\",\"project_id\":\"f6f87c14-594e-4335-b873-d3473054834d\",\"user_id\":\"14b442f2-02f8-47d4-ba51-1749d3771e2c\"}"
+ }
+ ]
 }
diff --git a/packages/snyk/data_stream/audit_logs/_dev/test/pipeline/test-snyk-audit.json-expected.json b/packages/snyk/data_stream/audit_logs/_dev/test/pipeline/test-snyk-audit.json-expected.json
index 1208451483b..b2236700d75 100644
--- a/packages/snyk/data_stream/audit_logs/_dev/test/pipeline/test-snyk-audit.json-expected.json
+++ b/packages/snyk/data_stream/audit_logs/_dev/test/pipeline/test-snyk-audit.json-expected.json
@@ -3,7 +3,7 @@
 {
 "@timestamp": "2024-04-15T19:47:21.565Z",
 "ecs": {
- "version": "8.12.0"
+ "version": "8.11.0"
 },
 "event": {
 "action": "org.edit",
@@ -44,7 +44,7 @@
 {
 "@timestamp": "2024-04-15T19:49:01.920Z",
 "ecs": {
- "version": "8.12.0"
+ "version": "8.11.0"
 },
 "event": {
 "action": "org.user.invite",
@@ -85,7 +85,7 @@
 {
 "@timestamp": "2024-04-16T09:46:29.448Z",
 "ecs": {
- "version": "8.12.0"
+ "version": "8.11.0"
 },
 "event": {
 "action": "org.user.invite_link.create",
@@ -133,7 +133,7 @@
 {
 "@timestamp": "2024-04-16T21:54:33.257Z",
 "ecs": {
- "version": "8.12.0"
+ "version": "8.11.0"
 },
 "event": {
 "action": "org.user.add",
@@ -175,7 +175,7 @@
 {
 "@timestamp": "2024-04-16T21:54:33.257Z",
 "ecs": {
- "version": "8.12.0"
+ "version": "8.11.0"
 },
 "event": {
 "action": "org.user.invite_link.accept",
@@ -217,7 +217,7 @@
 {
 "@timestamp": "2024-04-17T01:08:08.228Z",
 "ecs": {
- "version": "8.12.0"
+ "version": "8.11.0"
 },
 "event": {
 "action": "org.project.test",
@@ -253,7 +253,7 @@
 {
 "@timestamp": "2024-04-17T01:24:49.748Z",
 "ecs": {
- "version": "8.12.0"
+ "version": "8.11.0"
 },
 "event": {
 "action": "org.integration.settings.edit",
@@ -314,7 +314,7 @@
 {
 "@timestamp": "2024-04-17T01:24:49.837Z",
 "ecs": {
- "version": "8.12.0"
+ "version": "8.11.0"
 },
 "event": {
 "action": "org.sast_settings.edit",
@@ -355,7 +355,7 @@
 {
 "@timestamp": "2024-04-17T01:26:10.024Z",
 "ecs": {
- "version": "8.12.0"
+ "version": "8.11.0"
 },
 "event": {
 "action": "org.target.create",
@@ -391,7 +391,7 @@
 {
 "@timestamp": "2024-04-17T01:26:13.000Z",
 "ecs": {
- "version": "8.12.0"
+ "version": "8.11.0"
 },
 "event": {
 "action": "org.project.files.create",
@@ -422,7 +422,7 @@
 {
 "@timestamp": "2024-04-17T01:26:13.000Z",
 "ecs": {
- "version": "8.12.0"
+ "version": "8.11.0"
 },
 "event": {
 "action": "org.project.files.edit",
@@ -463,7 +463,7 @@
 {
 "@timestamp": "2024-04-17T01:26:13.000Z",
 "ecs": {
- "version": "8.12.0"
+ "version": "8.11.0"
 },
 "event": {
 "action": "org.project.files.access",
@@ -494,7 +494,7 @@
 {
 "@timestamp": "2024-04-17T01:26:19.025Z",
 "ecs": {
- "version": "8.12.0"
+ "version": "8.11.0"
 },
 "event": {
 "action": "org.project.issue.create",
@@ -521,7 +521,7 @@
 {
 "@timestamp": "2024-04-17T01:26:19.192Z",
 "ecs": {
- "version": "8.12.0"
+ "version": "8.11.0"
 },
 "event": {
 "action": "org.project.issue.edit",
@@ -558,7 +558,7 @@
 {
 "@timestamp": "2024-04-17T01:26:19.268Z",
 "ecs": {
- "version": "8.12.0"
+ "version": "8.11.0"
 },
 "event": {
 "action": "org.project.edit",
@@ -595,7 +595,7 @@
 {
 "@timestamp": "2024-04-17T01:26:21.000Z",
 "ecs": {
- "version": "8.12.0"
+ "version": "8.11.0"
 },
 "event": {
 "action": "org.project.files.edit",
@@ -719,7 +719,7 @@
 {
 "@timestamp": "2024-04-17T01:26:29.493Z",
 "ecs": {
- "version": "8.12.0"
+ "version": "8.11.0"
 },
 "event": {
 "action": "org.project.monitor",
@@ -764,7 +764,7 @@
 {
 "@timestamp": "2024-04-17T01:26:49.288Z",
 "ecs": {
- "version": "8.12.0"
+ "version": "8.11.0"
 },
 "event": {
 "action": "org.project.add",
@@ -801,7 +801,7 @@
 {
 "@timestamp": "2024-04-17T01:35:51.787Z",
 "ecs": {
- "version": "8.12.0"
+ "version": "8.11.0"
 },
 "event": {
 "action": "org.project.issue.access",
@@ -838,7 +838,7 @@
 {
 "@timestamp": "2024-04-17T01:35:52.948Z",
 "ecs": {
- "version": "8.12.0"
+ "version": "8.11.0"
 },
 "event": {
 "action": "org.project.file.access",
diff --git a/packages/snyk/data_stream/audit_logs/elasticsearch/ingest_pipeline/default.yml b/packages/snyk/data_stream/audit_logs/elasticsearch/ingest_pipeline/default.yml
index cb57c43fd31..9923057381e 100644
--- a/packages/snyk/data_stream/audit_logs/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/snyk/data_stream/audit_logs/elasticsearch/ingest_pipeline/default.yml
@@ -3,7 +3,7 @@ description: Pipeline for Snyk Audit logs
 processors:
 - set:
 field: ecs.version
- value: 8.12.0
+ value: 8.11.0
 - rename:
 field: message
 target_field: event.original
diff --git a/packages/snyk/data_stream/audit_logs/fields/agent.yml b/packages/snyk/data_stream/audit_logs/fields/agent.yml
index 4d9a6f7b362..bc42d0a853b 100644
--- a/packages/snyk/data_stream/audit_logs/fields/agent.yml
+++ b/packages/snyk/data_stream/audit_logs/fields/agent.yml
@@ -1,100 +1,9 @@ - name: host title: Host group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' type: group fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. 
The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - name: containerized type: boolean description: > diff --git a/packages/snyk/data_stream/audit_logs/fields/beats.yml b/packages/snyk/data_stream/audit_logs/fields/beats.yml index cb44bb29442..96190255552 100644 --- a/packages/snyk/data_stream/audit_logs/fields/beats.yml +++ b/packages/snyk/data_stream/audit_logs/fields/beats.yml @@ -7,6 +7,3 @@ - name: log.offset type: long description: Offset of the entry in the log file. -- name: log.file.path - type: keyword - description: Path to the log file. diff --git a/packages/snyk/data_stream/audit_logs/fields/ecs.yml b/packages/snyk/data_stream/audit_logs/fields/ecs.yml deleted file mode 100644 index 4e829eae856..00000000000 --- a/packages/snyk/data_stream/audit_logs/fields/ecs.yml +++ /dev/null 
@@ -1,28 +0,0 @@
-- name: event.created
- external: ecs
-- name: event.original
- external: ecs
-- name: tags
- external: ecs
-- name: message
- external: ecs
-- name: ecs.version
- external: ecs
-- name: organization.id
- external: ecs
-- name: user.group.id
- external: ecs
-- name: user.id
- external: ecs
-- name: related.user
- external: ecs
-- name: url.domain
- external: ecs
-- name: url.original
- external: ecs
-- name: url.path
- external: ecs
-- name: url.query
- external: ecs
-- name: url.scheme
- external: ecs
diff --git a/packages/snyk/data_stream/audit_logs/sample_event.json b/packages/snyk/data_stream/audit_logs/sample_event.json
index 841ca837f73..50d4cec4937 100644
--- a/packages/snyk/data_stream/audit_logs/sample_event.json
+++ b/packages/snyk/data_stream/audit_logs/sample_event.json
@@ -13,7 +13,7 @@
 "type": "logs"
 },
 "ecs": {
- "version": "8.12.0"
+ "version": "8.11.0"
 },
 "elastic_agent": {
 "id": "24936262-0cda-4934-aea3-82bed4844c98",
diff --git a/packages/snyk/data_stream/issues/fields/agent.yml b/packages/snyk/data_stream/issues/fields/agent.yml
index 4d9a6f7b362..bc42d0a853b 100644
--- a/packages/snyk/data_stream/issues/fields/agent.yml
+++ b/packages/snyk/data_stream/issues/fields/agent.yml
@@ -1,100 +1,9 @@ - name: host title: Host group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' type: group fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. 
The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - name: containerized type: boolean description: > diff --git a/packages/snyk/data_stream/issues/fields/beats.yml b/packages/snyk/data_stream/issues/fields/beats.yml index cb44bb29442..96190255552 100644 --- a/packages/snyk/data_stream/issues/fields/beats.yml +++ b/packages/snyk/data_stream/issues/fields/beats.yml @@ -7,6 +7,3 @@ - name: log.offset type: long description: Offset of the entry in the log file. -- name: log.file.path - type: keyword - description: Path to the log file. diff --git a/packages/snyk/data_stream/issues/fields/ecs.yml b/packages/snyk/data_stream/issues/fields/ecs.yml deleted file mode 100644 index 74148055477..00000000000 --- a/packages/snyk/data_stream/issues/fields/ecs.yml +++ /dev/null 
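Review bot: The index type of the removed host fields — notably `host.ip` as `ip` and `host.mac`/`host.name` as `keyword` — is no longer declared anywhere in this package after this hunk, which leaves `containerized` as the only host field in the remaining context; the same removal appears in the `vulnerabilities/fields/agent.yml` hunk below and, judging by the hunk tail at the top of this page, in the `audit_logs` counterpart. The `kibana.version: "^8.13.0"` bump in `manifest.yml` later on this page is presumably what guarantees a stack-side ECS mapping for those names, but nothing in the field file itself records that dependency. A comment above `fields:` such as `# Only non-ECS host fields are declared here; ECS host.* fields are mapped by the stack (see the Kibana constraint in manifest.yml).` would keep a later edit from re-adding them with a different type. It is also worth confirming in the package's pipeline or system tests that `host.ip` still lands as type `ip`, since a keyword fallback would silently break CIDR and range filters in detection rules without producing any ingest error.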
@@ -1,34 +0,0 @@
-- name: event.created
- external: ecs
-- name: event.original
- external: ecs
-- name: tags
- external: ecs
-- name: message
- external: ecs
-- name: ecs.version
- external: ecs
-- name: user.group.id
- external: ecs
-- name: user.id
- external: ecs
-- name: organization.id
- external: ecs
-- name: vulnerability.category
- external: ecs
-- name: vulnerability.classification
- external: ecs
-- name: vulnerability.enumeration
- external: ecs
-- name: vulnerability.id
- external: ecs
-- name: vulnerability.reference
- external: ecs
-- name: vulnerability.scanner.vendor
- external: ecs
-- name: vulnerability.score.base
- external: ecs
-- name: vulnerability.score.version
- external: ecs
-- name: vulnerability.severity
- external: ecs
diff --git a/packages/snyk/data_stream/vulnerabilities/fields/agent.yml b/packages/snyk/data_stream/vulnerabilities/fields/agent.yml
index 4d9a6f7b362..bc42d0a853b 100644
--- a/packages/snyk/data_stream/vulnerabilities/fields/agent.yml
+++ b/packages/snyk/data_stream/vulnerabilities/fields/agent.yml
@@ -1,100 +1,9 @@ - name: host title: Host group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' type: group fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. 
The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - name: containerized type: boolean description: > diff --git a/packages/snyk/data_stream/vulnerabilities/fields/beats.yml b/packages/snyk/data_stream/vulnerabilities/fields/beats.yml index cb44bb29442..96190255552 100644 --- a/packages/snyk/data_stream/vulnerabilities/fields/beats.yml +++ b/packages/snyk/data_stream/vulnerabilities/fields/beats.yml @@ -7,6 +7,3 @@ - name: log.offset type: long description: Offset of the entry in the log file. -- name: log.file.path - type: keyword - description: Path to the log file. diff --git a/packages/snyk/data_stream/vulnerabilities/fields/ecs.yml b/packages/snyk/data_stream/vulnerabilities/fields/ecs.yml deleted file mode 100644 index 0e1e5e77d09..00000000000 --- a/packages/snyk/data_stream/vulnerabilities/fields/ecs.yml +++ /dev/null 
@@ -1,32 +0,0 @@
-- name: event.created
- external: ecs
-- name: event.original
- external: ecs
-- name: tags
- external: ecs
-- name: message
- external: ecs
-- name: ecs.version
- external: ecs
-- name: user.group.id
- external: ecs
-- name: user.id
- external: ecs
-- name: vulnerability.category
- external: ecs
-- name: vulnerability.classification
- external: ecs
-- name: vulnerability.enumeration
- external: ecs
-- name: vulnerability.id
- external: ecs
-- name: vulnerability.reference
- external: ecs
-- name: vulnerability.scanner.vendor
- external: ecs
-- name: vulnerability.score.base
- external: ecs
-- name: vulnerability.score.version
- external: ecs
-- name: vulnerability.severity
- external: ecs
diff --git a/packages/snyk/docs/README.md b/packages/snyk/docs/README.md
index 47259f69798..a9e01311792 100644
--- a/packages/snyk/docs/README.md
+++ b/packages/snyk/docs/README.md
@@ -44,7 +44,7 @@ An example event for `audit` looks as following:
 "type": "logs"
 },
 "ecs": {
- "version": "8.12.0"
+ "version": "8.11.0"
 },
 "elastic_agent": {
 "id": "24936262-0cda-4934-aea3-82bed4844c98",
@@ -92,50 +92,20 @@ An example event for `audit` looks as following: | data_stream.dataset | Data stream dataset name. | constant_keyword | | data_stream.namespace | Data stream namespace. | constant_keyword | | data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date | | event.dataset | Event dataset | constant_keyword | | event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| host.architecture | Operating system architecture. | keyword | | host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. 
For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | host.os.build | OS build information. | keyword | | host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | input.type | Type of Filebeat input. | keyword | -| log.file.path | Path to the log file. | keyword | | log.flags | Flags for the log file. | keyword | | log.offset | Offset of the entry in the log file. | long | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. 
For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| organization.id | Unique identifier for the organization. | keyword | -| related.user | All the user names or other user identifiers seen on the event. | keyword | | snyk.audit_logs.content | Overview of the content that was changed, both old and new values. | flattened | | snyk.audit_logs.org_id | ID of the related Organization related to the event. | keyword | | snyk.audit_logs.project_id | ID of the project related to the event. | keyword | | snyk.audit_logs.user_id | ID of the user related to the event. | keyword | | snyk.projects | Array with all related projects objects. | flattened | | snyk.related.projects | Array of all the related project ID's. | keyword | -| tags | List of keywords used to tag each event. | keyword | -| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | -| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | -| url.original.text | Multi-field of `url.original`. | match_only_text | -| url.path | Path of the request, such as "/search". | wildcard | -| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. 
If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword | -| url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword | -| user.group.id | Unique identifier for the group on the system/platform. | keyword | -| user.id | Unique identifier of the user. | keyword | ## Issues 
@@ -308,34 +278,14 @@ An example event for `issues` looks as following: | data_stream.dataset | Data stream dataset name. | constant_keyword | | data_stream.namespace | Data stream namespace. | constant_keyword | | data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date | | event.dataset | Event dataset | constant_keyword | | event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| host.architecture | Operating system architecture. | keyword | | host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. 
For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | host.os.build | OS build information. | keyword | | host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | input.type | Type of Filebeat input. | keyword | -| log.file.path | Path to the log file. | keyword | | log.flags | Flags for the log file. | keyword | | log.offset | Offset of the entry in the log file. | long | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. 
For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| organization.id | Unique identifier for the organization. | keyword | | snyk.issues.attributes.classes.id | | keyword | | snyk.issues.attributes.classes.source | | keyword | | snyk.issues.attributes.classes.type | | keyword | 
@@ -377,18 +327,6 @@ An example event for `issues` looks as following: | snyk.issues.relationships.scan_item.links.related | | keyword | | snyk.projects | Array with all related projects objects. | flattened | | snyk.related.projects | Array of all the related project ID's. | keyword | -| tags | List of keywords used to tag each event. | keyword | -| user.group.id | Unique identifier for the group on the system/platform. | keyword | -| user.id | Unique identifier of the user. | keyword | -| vulnerability.category | The type of system or architecture that the vulnerability affects. These may be platform-specific (for example, Debian or SUSE) or general (for example, Database or Firewall). For example (https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm[Qualys vulnerability categories]) This field must be an array. | keyword | -| vulnerability.classification | The classification of the vulnerability scoring system. For example (https://www.first.org/cvss/) | keyword | -| vulnerability.enumeration | The type of identifier used for this vulnerability. For example (https://cve.mitre.org/about/) | keyword | -| vulnerability.id | The identification (ID) is the number portion of a vulnerability entry. It includes a unique identification number for the vulnerability. For example (https://cve.mitre.org/about/faqs.html#what_is_cve_id)[Common Vulnerabilities and Exposure CVE ID] | keyword | -| vulnerability.reference | A resource that provides additional information, context, and mitigations for the identified vulnerability. | keyword | -| vulnerability.scanner.vendor | The name of the vulnerability scanner vendor. | keyword | -| vulnerability.score.base | Scores can range from 0.0 to 10.0, with 10.0 being the most severe. Base scores cover an assessment for exploitability metrics (attack vector, complexity, privileges, and user interaction), impact metrics (confidentiality, integrity, and availability), and scope. 
For example (https://www.first.org/cvss/specification-document) | float | -| vulnerability.score.version | The National Vulnerability Database (NVD) provides qualitative severity rankings of "Low", "Medium", and "High" for CVSS v2.0 base score ranges in addition to the severity ratings for CVSS v3.0 as they are defined in the CVSS v3.0 specification. CVSS is owned and managed by FIRST.Org, Inc. (FIRST), a US-based non-profit organization, whose mission is to help computer security incident response teams across the world. For example (https://nvd.nist.gov/vuln-metrics/cvss) | keyword | -| vulnerability.severity | The severity of the vulnerability can help with metrics and internal prioritization regarding remediation. For example (https://nvd.nist.gov/vuln-metrics/cvss) | keyword | ## Audit (Legacy) 
@@ -460,41 +398,19 @@ An example event for `audit` looks as following: | data_stream.dataset | Data stream dataset name. | constant_keyword | | data_stream.namespace | Data stream namespace. | constant_keyword | | data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date | | event.dataset | Event dataset | constant_keyword | | event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| host.architecture | Operating system architecture. | keyword | | host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. 
For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | host.os.build | OS build information. | keyword | | host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | input.type | Type of Filebeat input. | keyword | -| log.file.path | Path to the log file. | keyword | | log.flags | Flags for the log file. | keyword | | log.offset | Offset of the entry in the log file. | long | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. 
For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | | snyk.audit.content | Overview of the content that was changed, both old and new values. | flattened | | snyk.audit.org_id | ID of the related Organization related to the event. | keyword | | snyk.audit.project_id | ID of the project related to the event. | keyword | | snyk.projects | Array with all related projects objects. | flattened | | snyk.related.projects | Array of all the related project ID's. | keyword | -| tags | List of keywords used to tag each event. | keyword | -| user.group.id | Unique identifier for the group on the system/platform. | keyword | -| user.id | Unique identifier of the user. | keyword | ## Vulnerabilities (Legacy) 
@@ -653,33 +569,14 @@ An example event for `vulnerabilities` looks as following: | data_stream.dataset | Data stream dataset name. | constant_keyword | | data_stream.namespace | Data stream namespace. | constant_keyword | | data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date | | event.dataset | Event dataset | constant_keyword | | event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| host.architecture | Operating system architecture. | keyword | | host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. 
For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | host.os.build | OS build information. | keyword | | host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | input.type | Type of Filebeat input. | keyword | -| log.file.path | Path to the log file. | keyword | | log.flags | Flags for the log file. | keyword | | log.offset | Offset of the entry in the log file. | long | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. 
For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | | snyk.projects | Array with all related projects objects. | flattened | | snyk.related.projects | Array of all the related project ID's. | keyword | | snyk.vulnerabilities.credit | Reference to the person that original found the vulnerability. | keyword | 
@@ -710,17 +607,5 @@ An example event for `vulnerabilities` looks as following: | snyk.vulnerabilities.type | The issue type. Can be either "license" or "vulnerability". | keyword | | snyk.vulnerabilities.unique_severities_list | A list of related unique severities. | keyword | | snyk.vulnerabilities.version | The package version this issue is applicable to. | keyword | -| tags | List of keywords used to tag each event. | keyword | -| user.group.id | Unique identifier for the group on the system/platform. | keyword | -| user.id | Unique identifier of the user. | keyword | -| vulnerability.category | The type of system or architecture that the vulnerability affects. These may be platform-specific (for example, Debian or SUSE) or general (for example, Database or Firewall). For example (https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm[Qualys vulnerability categories]) This field must be an array. | keyword | -| vulnerability.classification | The classification of the vulnerability scoring system. For example (https://www.first.org/cvss/) | keyword | -| vulnerability.enumeration | The type of identifier used for this vulnerability. For example (https://cve.mitre.org/about/) | keyword | -| vulnerability.id | The identification (ID) is the number portion of a vulnerability entry. It includes a unique identification number for the vulnerability. For example (https://cve.mitre.org/about/faqs.html#what_is_cve_id)[Common Vulnerabilities and Exposure CVE ID] | keyword | -| vulnerability.reference | A resource that provides additional information, context, and mitigations for the identified vulnerability. | keyword | -| vulnerability.scanner.vendor | The name of the vulnerability scanner vendor. | keyword | -| vulnerability.score.base | Scores can range from 0.0 to 10.0, with 10.0 being the most severe. 
Base scores cover an assessment for exploitability metrics (attack vector, complexity, privileges, and user interaction), impact metrics (confidentiality, integrity, and availability), and scope. For example (https://www.first.org/cvss/specification-document) | float | -| vulnerability.score.version | The National Vulnerability Database (NVD) provides qualitative severity rankings of "Low", "Medium", and "High" for CVSS v2.0 base score ranges in addition to the severity ratings for CVSS v3.0 as they are defined in the CVSS v3.0 specification. CVSS is owned and managed by FIRST.Org, Inc. (FIRST), a US-based non-profit organization, whose mission is to help computer security incident response teams across the world. For example (https://nvd.nist.gov/vuln-metrics/cvss) | keyword | -| vulnerability.severity | The severity of the vulnerability can help with metrics and internal prioritization regarding remediation. For example (https://nvd.nist.gov/vuln-metrics/cvss) | keyword | diff --git a/packages/snyk/manifest.yml b/packages/snyk/manifest.yml index 1105a9de36e..3ae3b795265 100644 --- a/packages/snyk/manifest.yml +++ b/packages/snyk/manifest.yml @@ -1,7 +1,7 @@ format_version: "3.0.2" name: snyk title: "Snyk" -version: "1.22.1" +version: "1.23.0" description: Collect logs from Snyk with Elastic Agent. type: integration categories: @@ -9,7 +9,7 @@ categories: - cloudsecurity_cdr conditions: kibana: - version: "^8.12.0" + version: "^8.13.0" icons: - src: /img/snyk-logo.svg title: Snyk logo diff --git a/packages/sophos_central/_dev/build/build.yml b/packages/sophos_central/_dev/build/build.yml index 71f48ba2a9c..2bfcfc223b0 100644 --- a/packages/sophos_central/_dev/build/build.yml +++ b/packages/sophos_central/_dev/build/build.yml @@ -1,4 +1,3 @@ dependencies: ecs: reference: "git@v8.11.0" - import_mappings: true diff --git a/packages/sophos_central/changelog.yml b/packages/sophos_central/changelog.yml index 61e07f75170..be4a3c60012 100644 
--- a/packages/sophos_central/changelog.yml +++ b/packages/sophos_central/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.15.0" + changes: + - description: Removed import_mappings. Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template. + type: enhancement + link: https://github.com/elastic/integrations/pull/10135 - version: "1.14.0" changes: - description: Set sensitive values as secret and fix incorrect mapping. diff --git a/packages/sophos_central/data_stream/alert/fields/beats.yml b/packages/sophos_central/data_stream/alert/fields/beats.yml index 80cbae91cae..cc9fcebf29b 100644 --- a/packages/sophos_central/data_stream/alert/fields/beats.yml +++ b/packages/sophos_central/data_stream/alert/fields/beats.yml @@ -4,6 +4,3 @@ - name: log.offset type: long description: Log offset. -- name: tags - type: keyword - description: User defined tags. diff --git a/packages/sophos_central/data_stream/event/fields/beats.yml b/packages/sophos_central/data_stream/event/fields/beats.yml index 80cbae91cae..cc9fcebf29b 100644 --- a/packages/sophos_central/data_stream/event/fields/beats.yml +++ b/packages/sophos_central/data_stream/event/fields/beats.yml @@ -4,6 +4,3 @@ - name: log.offset type: long description: Log offset. -- name: tags - type: keyword - description: User defined tags. diff --git a/packages/sophos_central/docs/README.md b/packages/sophos_central/docs/README.md index 7df48147f80..6e5d2c47554 100644 --- a/packages/sophos_central/docs/README.md +++ b/packages/sophos_central/docs/README.md @@ -353,7 +353,6 @@ An example event for `alert` looks as following: | sophos_central.alert.threat.value | Name of the threat (as identified by threat_id). | keyword | | sophos_central.alert.type | Event type. | keyword | | sophos_central.alert.when | The date at which the alert was created. | date | -| tags | User defined tags. | keyword | ### Events 
@@ -570,4 +569,3 @@ An example event for `event` looks as following: | sophos_central.event.type | The type of this record. | keyword | | sophos_central.event.user_id | The identifier of the user for which record is created. | keyword | | sophos_central.event.when | The date at which the event was created. | date | -| tags | User defined tags. | keyword | diff --git a/packages/sophos_central/manifest.yml b/packages/sophos_central/manifest.yml index 2b47e94fc0c..aef6d3a8b9e 100644 --- a/packages/sophos_central/manifest.yml +++ b/packages/sophos_central/manifest.yml @@ -1,14 +1,14 @@ format_version: "3.0.2" name: sophos_central title: Sophos Central -version: "1.14.0" +version: "1.15.0" description: This Elastic integration collects logs from Sophos Central with Elastic Agent. type: integration categories: - security conditions: kibana: - version: ^8.12.0 + version: "^8.13.0" elastic: subscription: "basic" screenshots: diff --git a/packages/symantec_edr_cloud/_dev/build/build.yml b/packages/symantec_edr_cloud/_dev/build/build.yml index 71f48ba2a9c..2bfcfc223b0 100644 --- a/packages/symantec_edr_cloud/_dev/build/build.yml +++ b/packages/symantec_edr_cloud/_dev/build/build.yml @@ -1,4 +1,3 @@ dependencies: ecs: reference: "git@v8.11.0" - import_mappings: true diff --git a/packages/symantec_edr_cloud/changelog.yml b/packages/symantec_edr_cloud/changelog.yml index ad4bffb350a..50f76ab8f41 100644 --- a/packages/symantec_edr_cloud/changelog.yml +++ b/packages/symantec_edr_cloud/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.2.0" + changes: + - description: Removed import_mappings. Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template. + type: enhancement + link: https://github.com/elastic/integrations/pull/10135 - version: "1.1.0" changes: - description: Set sensitive values as secret. 
diff --git a/packages/symantec_edr_cloud/data_stream/incident/fields/beats.yml b/packages/symantec_edr_cloud/data_stream/incident/fields/beats.yml index 80cbae91cae..cc9fcebf29b 100644 --- a/packages/symantec_edr_cloud/data_stream/incident/fields/beats.yml +++ b/packages/symantec_edr_cloud/data_stream/incident/fields/beats.yml @@ -4,6 +4,3 @@ - name: log.offset type: long description: Log offset. -- name: tags - type: keyword - description: User defined tags. diff --git a/packages/symantec_edr_cloud/docs/README.md b/packages/symantec_edr_cloud/docs/README.md index e3c2ca386f0..8126cac0e25 100644 --- a/packages/symantec_edr_cloud/docs/README.md +++ b/packages/symantec_edr_cloud/docs/README.md @@ -225,5 +225,4 @@ An example event for `incident` looks as following: | symantec_edr_cloud.incident.type | Event type. | keyword | | symantec_edr_cloud.incident.type_id | | keyword | | symantec_edr_cloud.incident.version | API version in the form major.minor. | keyword | -| tags | User defined tags. | keyword | diff --git a/packages/symantec_edr_cloud/manifest.yml b/packages/symantec_edr_cloud/manifest.yml index 7c72366669f..3582b346960 100644 --- a/packages/symantec_edr_cloud/manifest.yml +++ b/packages/symantec_edr_cloud/manifest.yml @@ -1,7 +1,7 @@ format_version: 3.0.2 name: symantec_edr_cloud title: Symantec EDR Cloud -version: "1.1.0" +version: "1.2.0" source: license: Elastic-2.0 description: Collect logs from Symantec EDR Cloud with Elastic Agent. @@ -10,7 +10,7 @@ categories: - security conditions: kibana: - version: ^8.12.0 + version: "^8.13.0" elastic: subscription: basic screenshots: diff --git a/packages/symantec_endpoint/changelog.yml b/packages/symantec_endpoint/changelog.yml index 459db0dc3f5..d75e408aff7 100644 --- a/packages/symantec_endpoint/changelog.yml +++ b/packages/symantec_endpoint/changelog.yml 
@@ -1,4 +1,9 @@ # newer versions go on top +- version: "2.16.0" + changes: + - description: Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template. + type: enhancement + link: https://github.com/elastic/integrations/pull/10135 - version: "2.15.0" changes: - description: Update manifest format version to v3.0.3. diff --git a/packages/symantec_endpoint/data_stream/log/_dev/test/pipeline/test-rfc3164.log-expected.json b/packages/symantec_endpoint/data_stream/log/_dev/test/pipeline/test-rfc3164.log-expected.json index 989812ecdcc..2ce19f8f144 100644 --- a/packages/symantec_endpoint/data_stream/log/_dev/test/pipeline/test-rfc3164.log-expected.json +++ b/packages/symantec_endpoint/data_stream/log/_dev/test/pipeline/test-rfc3164.log-expected.json @@ -1,7 +1,7 @@ { "expected": [ { - "@timestamp": "2023-10-04T10:51:33.000Z", + "@timestamp": "2024-10-04T10:51:33.000Z", "destination": { "address": "216.160.83.61", "as": { diff --git a/packages/symantec_endpoint/data_stream/log/fields/agent.yml b/packages/symantec_endpoint/data_stream/log/fields/agent.yml index 49dbf0d0e94..32012c4eba4 100644 --- a/packages/symantec_endpoint/data_stream/log/fields/agent.yml +++ b/packages/symantec_endpoint/data_stream/log/fields/agent.yml 
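Review bot: The only change to this expected fixture is the year of `@timestamp` moving from `2023-10-04T10:51:33.000Z` to `2024-10-04T10:51:33.000Z`, with no change to the input log or the pipeline visible in this patch, which suggests the RFC 3164 timestamp (which carries no year) is being completed from the clock at test time; if so, this file will go stale again at the next year boundary and the bump only hides a time-dependent test. It would be better to make the comparison year-agnostic than to edit the literal, e.g. by declaring the field as dynamic in the matching `test-rfc3164.log-config.yml` (`dynamic_fields: {"@timestamp": "^\\d{4}-10-04T10:51:33\\.000Z$"}`), or by having the test fixture carry an explicit year so the inferred value is deterministic. Either way a one-line comment in the commit or changelog saying why the year changed would help the next person who sees this diff, since a silently shifting year in parsed syslog timestamps is also the kind of behaviour an analyst building a timeline from these events needs to be aware of.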
@@ -5,177 +5,15 @@ footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' type: group fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - name: image.id type: keyword description: Image ID for the cloud instance. -- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. 
- - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - external: ecs - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. - name: host title: Host group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' type: group fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. 
- - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - name: containerized type: boolean description: > diff --git a/packages/symantec_endpoint/data_stream/log/fields/ecs.yml b/packages/symantec_endpoint/data_stream/log/fields/ecs.yml deleted file mode 100644 index 20a9d61362b..00000000000 --- a/packages/symantec_endpoint/data_stream/log/fields/ecs.yml +++ /dev/null 
@@ -1,158 +0,0 @@ -- name: destination.address - external: ecs -- name: destination.as.number - external: ecs -- name: destination.as.organization.name - external: ecs -- name: destination.domain - external: ecs -- name: destination.geo.city_name - external: ecs -- name: destination.geo.continent_name - external: ecs -- name: destination.geo.country_iso_code - external: ecs -- name: destination.geo.country_name - external: ecs -- name: destination.geo.location - external: ecs -- name: destination.geo.name - external: ecs -- name: destination.geo.region_iso_code - external: ecs -- name: destination.geo.region_name - external: ecs -- name: destination.ip - external: ecs -- name: destination.mac - external: ecs -- name: destination.packets - external: ecs -- name: destination.port - external: ecs -- name: ecs.version - external: ecs -- name: error.message - external: ecs -- name: event.category - external: ecs -- name: event.ingested - external: ecs -- name: event.kind - external: ecs -- name: event.start - external: ecs -- name: event.type - external: ecs -- name: file.hash.sha1 - external: ecs -- name: file.name - external: ecs -- name: file.path - external: ecs -- name: file.pe.company - external: ecs -- name: file.pe.file_version - external: ecs -- name: file.pe.product - external: ecs -- name: file.size - external: ecs -- name: file.x509.issuer.common_name - external: ecs -- name: file.x509.not_before - external: ecs -- name: file.x509.serial_number - external: ecs -- name: log.file.path - external: ecs -- name: log.level - external: ecs -- name: log.syslog.appname - external: ecs -- name: log.syslog.hostname - external: ecs -- name: log.syslog.priority - external: ecs -- name: log.syslog.procid - external: ecs -- name: log.syslog.structured_data - external: ecs -- name: log.syslog.version - external: ecs -- name: message - external: ecs -- name: network.community_id - external: ecs -- name: network.direction - external: ecs -- name: network.transport - external: 
ecs -- name: network.type - external: ecs -- name: process.executable - external: ecs -- name: process.hash.md5 - external: ecs -- name: process.hash.sha256 - external: ecs -- name: process.name - external: ecs -- name: process.pid - external: ecs -- name: related.hash - external: ecs -- name: related.ip - external: ecs -- name: related.user - external: ecs -- name: rule.id - external: ecs -- name: rule.name - external: ecs -- name: source.address - external: ecs -- name: source.as.number - external: ecs -- name: source.as.organization.name - external: ecs -- name: source.domain - external: ecs -- name: source.geo.city_name - external: ecs -- name: source.geo.continent_name - external: ecs -- name: source.geo.country_iso_code - external: ecs -- name: source.geo.country_name - external: ecs -- name: source.geo.location - external: ecs -- name: source.geo.name - external: ecs -- name: source.geo.region_iso_code - external: ecs -- name: source.geo.region_name - external: ecs -- name: source.ip - external: ecs -- name: source.mac - external: ecs -- name: source.port - external: ecs -- name: tags - external: ecs -- name: url.domain - external: ecs -- name: url.original - external: ecs -- name: url.path - external: ecs -- name: url.scheme - external: ecs -- name: user.domain - external: ecs -- name: user.name - external: ecs -- name: user_agent.original - external: ecs diff --git a/packages/symantec_endpoint/docs/README.md b/packages/symantec_endpoint/docs/README.md index b06a6b186a8..a52191ad0c8 100644 --- a/packages/symantec_endpoint/docs/README.md +++ b/packages/symantec_endpoint/docs/README.md 
@@ -120,125 +120,23 @@ See vendor documentation: [External Logging settings and log event severity leve | Field | Description | Type | |---|---|---| | @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | | cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | | data_stream.dataset | Data stream dataset. | constant_keyword | | data_stream.namespace | Data stream namespace. | constant_keyword | | data_stream.type | Data stream type. | constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| destination.as.organization.name | Organization name. 
| keyword | -| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | -| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| destination.geo.city_name | City name. | keyword | -| destination.geo.continent_name | Name of the continent. | keyword | -| destination.geo.country_iso_code | Country ISO code. | keyword | -| destination.geo.country_name | Country name. | keyword | -| destination.geo.location | Longitude and latitude. | geo_point | -| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| destination.geo.region_iso_code | Region ISO code. | keyword | -| destination.geo.region_name | Region name. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.mac | MAC address of the destination. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | -| destination.packets | Packets sent from the destination to the source. | long | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.message | Error message. 
| match_only_text | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | | event.dataset | Name of the dataset. | constant_keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword | | event.module | Name of the module this data is coming from. | constant_keyword | -| event.start | `event.start` contains the date when the event started or when the activity was first observed. | date | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. 
`event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| file.hash.sha1 | SHA1 hash. | keyword | -| file.name | Name of the file including the extension, without the directory. | keyword | -| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword | -| file.path.text | Multi-field of `file.path`. | match_only_text | -| file.pe.company | Internal company name of the file, provided at compile-time. | keyword | -| file.pe.file_version | Internal version of the file, provided at compile-time. | keyword | -| file.pe.product | Internal product name of the file, provided at compile-time. | keyword | -| file.size | File size in bytes. Only relevant when `file.type` is "file". | long | -| file.x509.issuer.common_name | List of common name (CN) of issuing certificate authority. | keyword | -| file.x509.not_before | Time at which the certificate is first considered valid. | date | -| file.x509.serial_number | Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. | keyword | -| host.architecture | Operating system architecture. | keyword | | host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. 
As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | host.os.build | OS build information. | keyword | | host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | input.type | Input type. | keyword | -| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | -| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | | log.offset | Offset of the entry in the log file. | long | | log.source.address | Source address from which the log event was read / sent from. 
| keyword | -| log.syslog.appname | The device or application that originated the Syslog message, if available. | keyword | -| log.syslog.hostname | The hostname, FQDN, or IP of the machine that originally sent the Syslog message. This is sourced from the hostname field of the syslog header. Depending on the environment, this value may be different from the host that handled the event, especially if the host handling the events is acting as a collector. | keyword | -| log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 \* facility + severity. This number is therefore expected to contain a value between 0 and 191. | long | | log.syslog.process.name | Deprecated. Use the ECS log.syslog.appname field. | alias | | log.syslog.process.pid | Deprecated. Use the ECS log.syslog.procid field. | long | -| log.syslog.procid | The process name or ID that originated the Syslog message, if available. | keyword | -| log.syslog.structured_data | Structured data expressed in RFC 5424 messages, if available. These are key-value pairs formed from the structured data portion of the syslog message, as defined in RFC 5424 Section 6.3. | flattened | -| log.syslog.version | The version of the Syslog protocol specification. Only applicable for RFC 5424 messages. | keyword | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.direction | Direction of the network traffic. 
When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword |
-| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
-| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword |
 | observer.product | The product name of the observer. | constant_keyword |
 | observer.type | The type of the observer the data is coming from. | constant_keyword |
 | observer.vendor | Vendor name of the observer. | constant_keyword |
-| process.executable | Absolute path to the process executable. | keyword |
-| process.executable.text | Multi-field of `process.executable`. | match_only_text |
-| process.hash.md5 | MD5 hash. | keyword |
-| process.hash.sha256 | SHA256 hash. | keyword |
-| process.name | Process name. Sometimes called program name or similar. | keyword |
-| process.name.text | Multi-field of `process.name`. | match_only_text |
-| process.pid | Process id. | long |
-| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search).
| keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| related.user | All the user names or other user identifiers seen on the event. | keyword |
-| rule.id | A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. | keyword |
-| rule.name | The name of the rule or signature generating the event. | keyword |
-| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| source.as.organization.name | Organization name. | keyword |
-| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text |
-| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
-| source.geo.city_name | City name. | keyword |
-| source.geo.continent_name | Name of the continent. | keyword |
-| source.geo.country_iso_code | Country ISO code. | keyword |
-| source.geo.country_name | Country name. | keyword |
-| source.geo.location | Longitude and latitude. | geo_point |
-| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
-| source.geo.region_iso_code | Region ISO code. | keyword |
-| source.geo.region_name | Region name.
| keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.mac | MAC address of the source. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
-| source.port | Port of the source. | long |
 | symantec_endpoint.log.action | The action taken on the traffic, e.g. "Blocked". | keyword |
 | symantec_endpoint.log.actual_action | Actual action from risk logs and proactive detection (SONAR) logs. | keyword |
 | symantec_endpoint.log.admin | Name of the SEPM admin. | keyword |
@@ -338,17 +236,6 @@ See vendor documentation: [External Logging settings and log event severity leve
 | symantec_endpoint.log.user2 | User when scan ended. | keyword |
 | symantec_endpoint.log.user_name | | keyword |
 | symantec_endpoint.log.web_domain | The web domain. | keyword |
-| tags | List of keywords used to tag each event. | keyword |
-| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword |
-| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard |
-| url.original.text | Multi-field of `url.original`. | match_only_text |
-| url.path | Path of the request, such as "/search". | wildcard |
-| url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword |
-| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
-| user.name | Short name or login of the user. | keyword |
-| user.name.text | Multi-field of `user.name`. | match_only_text |
-| user_agent.original | Unparsed user_agent string. | keyword |
-| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text |
 An example event for `log` looks as following:
diff --git a/packages/symantec_endpoint/manifest.yml b/packages/symantec_endpoint/manifest.yml
index 0955664c4c3..b802cb2c24c 100644
--- a/packages/symantec_endpoint/manifest.yml
+++ b/packages/symantec_endpoint/manifest.yml
@@ -1,13 +1,13 @@
 name: symantec_endpoint
 title: Symantec Endpoint Protection
-version: "2.15.0"
+version: "2.16.0"
 description: Collect logs from Symantec Endpoint Protection with Elastic Agent.
 type: integration
 format_version: "3.0.3"
 categories: ["security", "edr_xdr"]
 conditions:
 kibana:
- version: "^7.16.0 || ^8.0.0"
+ version: "^8.13.0"
 icons:
 - src: /img/logo.svg
 title: Symantec
diff --git a/packages/symantec_endpoint_security/_dev/build/build.yml b/packages/symantec_endpoint_security/_dev/build/build.yml
index 71f48ba2a9c..2bfcfc223b0 100644
--- a/packages/symantec_endpoint_security/_dev/build/build.yml
+++ b/packages/symantec_endpoint_security/_dev/build/build.yml
@@ -1,4 +1,3 @@
 dependencies:
 ecs:
 reference: "git@v8.11.0"
- import_mappings: true
diff --git a/packages/symantec_endpoint_security/changelog.yml b/packages/symantec_endpoint_security/changelog.yml
index 5d42a97fba0..de78a93cc4a 100644
--- a/packages/symantec_endpoint_security/changelog.yml
+++ b/packages/symantec_endpoint_security/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "0.2.0"
+ changes:
+ - description: Removed import_mappings. Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/10135
 - version: "0.1.0"
 changes:
 - description: Initial release.
diff --git a/packages/symantec_endpoint_security/data_stream/event/fields/beats.yml b/packages/symantec_endpoint_security/data_stream/event/fields/beats.yml
index 083dcfe307e..fff1b3f1b6b 100644
--- a/packages/symantec_endpoint_security/data_stream/event/fields/beats.yml
+++ b/packages/symantec_endpoint_security/data_stream/event/fields/beats.yml
@@ -4,9 +4,6 @@
 - name: log.offset
 type: long
 description: Log offset.
-- name: tags
- type: keyword
- description: User defined tags.
 - name: aws.s3
 type: group
 fields:
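Review bot: The kibana constraint in symantec_endpoint's manifest.yml goes from `^7.16.0 || ^8.0.0` to `^8.13.0`, which makes the package uninstallable and un-upgradable on every 7.x and pre-8.13 stack, yet the corresponding changelog entries in this commit (symantec_endpoint_security's is in this hunk, tanium's and tenable_io's follow) record the change as `type: enhancement`. The bump is forced by the removal of `import_mappings: true` from build.yml, since the ECS fields dropped from the packages' field definitions are only supplied by the `ecs@mappings` component template on 8.13 and later; if the project's changelog conventions treat a narrowed stack-version constraint as breaking, these entries should be labelled accordingly so operators on older stacks are not left on a silently frozen package version. The same manifest-plus-build.yml pattern repeats for symantec_endpoint_security and tanium in the following hunks; this note covers all of them.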
diff --git a/packages/symantec_endpoint_security/docs/README.md b/packages/symantec_endpoint_security/docs/README.md
index 0500b26fac5..112168e98c7 100644
--- a/packages/symantec_endpoint_security/docs/README.md
+++ b/packages/symantec_endpoint_security/docs/README.md
@@ -3398,5 +3398,4 @@ An example event for `event` looks as following:
 | ses.verdict_id | The outcome of the Scan. | keyword |
 | ses.verdict_value | The outcome value of the Scan. | keyword |
 | ses.version | The event type version, in the form major.minor. | keyword |
-| tags | User defined tags. | keyword |
diff --git a/packages/symantec_endpoint_security/manifest.yml b/packages/symantec_endpoint_security/manifest.yml
index 1f4e26c5bbe..01a9d075934 100644
--- a/packages/symantec_endpoint_security/manifest.yml
+++ b/packages/symantec_endpoint_security/manifest.yml
@@ -1,7 +1,7 @@
 format_version: 3.0.3
 name: symantec_endpoint_security
 title: Symantec Endpoint Security
-version: 0.1.0
+version: "0.2.0"
 description: Collect logs from Symantec Endpoint Security with Elastic Agent.
 type: integration
 categories:
@@ -9,7 +9,7 @@ categories:
 - edr_xdr
 conditions:
 kibana:
- version: ^8.12.0
+ version: "^8.13.0"
 elastic:
 subscription: "basic"
 screenshots:
diff --git a/packages/tanium/_dev/build/build.yml b/packages/tanium/_dev/build/build.yml
index 71f48ba2a9c..2bfcfc223b0 100644
--- a/packages/tanium/_dev/build/build.yml
+++ b/packages/tanium/_dev/build/build.yml
@@ -1,4 +1,3 @@
 dependencies:
 ecs:
 reference: "git@v8.11.0"
- import_mappings: true
diff --git a/packages/tanium/changelog.yml b/packages/tanium/changelog.yml
index f515613a613..254d69cb362 100644
--- a/packages/tanium/changelog.yml
+++ b/packages/tanium/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.10.0"
+ changes:
+ - description: Removed import_mappings. Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/10135
 - version: "1.9.1"
 changes:
 - description: Resolved ignore_malformed issues with fields.
diff --git a/packages/tanium/data_stream/action_history/fields/beats.yml b/packages/tanium/data_stream/action_history/fields/beats.yml
index 1214b97a0c7..28e147d9c90 100644
--- a/packages/tanium/data_stream/action_history/fields/beats.yml
+++ b/packages/tanium/data_stream/action_history/fields/beats.yml
@@ -4,6 +4,3 @@
 - name: log.offset
 type: long
 description: Log offset.
-- name: tags
- type: keyword
- description: User defined tags.
diff --git a/packages/tanium/data_stream/client_status/fields/beats.yml b/packages/tanium/data_stream/client_status/fields/beats.yml
index 1214b97a0c7..28e147d9c90 100644
--- a/packages/tanium/data_stream/client_status/fields/beats.yml
+++ b/packages/tanium/data_stream/client_status/fields/beats.yml
@@ -4,6 +4,3 @@
 - name: log.offset
 type: long
 description: Log offset.
-- name: tags
- type: keyword
- description: User defined tags.
diff --git a/packages/tanium/data_stream/discover/fields/beats.yml b/packages/tanium/data_stream/discover/fields/beats.yml
index 1214b97a0c7..28e147d9c90 100644
--- a/packages/tanium/data_stream/discover/fields/beats.yml
+++ b/packages/tanium/data_stream/discover/fields/beats.yml
@@ -4,6 +4,3 @@
 - name: log.offset
 type: long
 description: Log offset.
-- name: tags
- type: keyword
- description: User defined tags.
diff --git a/packages/tanium/data_stream/endpoint_config/fields/beats.yml b/packages/tanium/data_stream/endpoint_config/fields/beats.yml
index 1214b97a0c7..28e147d9c90 100644
--- a/packages/tanium/data_stream/endpoint_config/fields/beats.yml
+++ b/packages/tanium/data_stream/endpoint_config/fields/beats.yml
@@ -4,6 +4,3 @@
 - name: log.offset
 type: long
 description: Log offset.
-- name: tags
- type: keyword
- description: User defined tags.
diff --git a/packages/tanium/data_stream/reporting/fields/beats.yml b/packages/tanium/data_stream/reporting/fields/beats.yml
index 1214b97a0c7..28e147d9c90 100644
--- a/packages/tanium/data_stream/reporting/fields/beats.yml
+++ b/packages/tanium/data_stream/reporting/fields/beats.yml
@@ -4,6 +4,3 @@
 - name: log.offset
 type: long
 description: Log offset.
-- name: tags
- type: keyword
- description: User defined tags.
diff --git a/packages/tanium/data_stream/threat_response/fields/beats.yml b/packages/tanium/data_stream/threat_response/fields/beats.yml
index 1214b97a0c7..28e147d9c90 100644
--- a/packages/tanium/data_stream/threat_response/fields/beats.yml
+++ b/packages/tanium/data_stream/threat_response/fields/beats.yml
@@ -4,6 +4,3 @@
 - name: log.offset
 type: long
 description: Log offset.
-- name: tags
- type: keyword
- description: User defined tags.
diff --git a/packages/tanium/docs/README.md b/packages/tanium/docs/README.md
index a07beb31254..ae30bdf8645 100644
--- a/packages/tanium/docs/README.md
+++ b/packages/tanium/docs/README.md
@@ -165,7 +165,6 @@ An example event for `action_history` looks as following:
 | input.type | Type of filebeat input. | keyword |
 | log.offset | Log offset. | long |
 | log.source.address | Source address from which the log event was read / sent from. | keyword |
-| tags | User defined tags. | keyword |
 | tanium.action_history.action.id | Action Id. | long |
 | tanium.action_history.action.name | Action Name. | keyword |
 | tanium.action_history.approver | Approver of the action. | keyword |
@@ -270,7 +269,6 @@ An example event for `client_status` looks as following:
 | input.type | Type of filebeat input. | keyword |
 | log.offset | Log offset. | long |
 | log.source.address | Source address from which the log event was read / sent from. | keyword |
-| tags | User defined tags. | keyword |
 | tanium.client_status.client_network_location | Network location of client. | ip |
 | tanium.client_status.computer_id | Computer ID of client. | keyword |
 | tanium.client_status.full_version | Full version of client. | version |
@@ -374,7 +372,6 @@ An example event for `discover` looks as following:
 | input.type | Type of filebeat input. | keyword |
 | log.offset | Log offset. | long |
 | log.source.address | Source address from which the log event was read / sent from. | keyword |
-| tags | User defined tags. | keyword |
 | tanium.discover.arp | Address Resolution Protocol. | double |
 | tanium.discover.aws_api | Aws Api version. | double |
 | tanium.discover.centralized_nmap | Centralized Nmap. | double |
@@ -509,7 +506,6 @@ An example event for `endpoint_config` looks as following:
 | input.type | Type of filebeat input. | keyword |
 | log.offset | Log offset. | long |
 | log.source.address | Source address from which the log event was read / sent from. | keyword |
-| tags | User defined tags. | keyword |
 | tanium.endpoint_config.action | Name of event's action. | keyword |
 | tanium.endpoint_config.item.data_category | Data category of the config item. | keyword |
 | tanium.endpoint_config.item.domain | Domain of the config item. | keyword |
@@ -631,7 +627,6 @@ An example event for `reporting` looks as following:
 | input.type | Type of filebeat input. | keyword |
 | log.offset | Log offset. | long |
 | log.source.address | Source address from which the log event was read / sent from. | keyword |
-| tags | User defined tags. | keyword |
 | tanium.reporting.computer_name | Name of the computer. | keyword |
 | tanium.reporting.count | Count of report on the computer system. | long |
 | tanium.reporting.is_virtual | Boolean flag mentions if computer is virtualise or not. | keyword |
@@ -976,7 +971,6 @@ An example event for `threat_response` looks as following:
 | input.type | Type of filebeat input. | keyword |
 | log.offset | Log offset. | long |
 | log.source.address | Source address from which the log event was read / sent from. | keyword |
-| tags | User defined tags. | keyword |
 | tanium.threat_response.action | Action for the threat response. | keyword |
 | tanium.threat_response.computer.ip | Computer ip of the threat response. | ip |
 | tanium.threat_response.computer.name | Computer name of the threat response. | keyword |
diff --git a/packages/tanium/manifest.yml b/packages/tanium/manifest.yml
index 4ef85147d95..466f341455c 100644
--- a/packages/tanium/manifest.yml
+++ b/packages/tanium/manifest.yml
@@ -1,14 +1,14 @@
 format_version: "3.0.3"
 name: tanium
 title: Tanium
-version: "1.9.1"
+version: "1.10.0"
 description: This Elastic integration collects logs from Tanium with Elastic Agent.
 type: integration
 categories:
 - security
 conditions:
 kibana:
- version: ^8.12.0
+ version: "^8.13.0"
 elastic:
 subscription: "basic"
 screenshots:
diff --git a/packages/tenable_io/changelog.yml b/packages/tenable_io/changelog.yml
index 7fc7bc2157f..162283dac22 100644
--- a/packages/tenable_io/changelog.yml
+++ b/packages/tenable_io/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "3.1.0"
+ changes:
+ - description: Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/10135
 - version: "3.0.1"
 changes:
 - description: Resolved ignore_malformed issues with fields.
diff --git a/packages/tenable_io/data_stream/asset/fields/agent.yml b/packages/tenable_io/data_stream/asset/fields/agent.yml
index e313ec82874..48f513b61aa 100644
--- a/packages/tenable_io/data_stream/asset/fields/agent.yml
+++ b/packages/tenable_io/data_stream/asset/fields/agent.yml
@@ -5,180 +5,15 @@ footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' type: group fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - name: image.id type: keyword description: Image ID for the cloud instance. -- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. 
- - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. - name: host title: Host group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' type: group fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. 
- - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - name: containerized type: boolean description: > diff --git a/packages/tenable_io/data_stream/asset/fields/ecs.yml b/packages/tenable_io/data_stream/asset/fields/ecs.yml deleted file mode 100644 index 99ea44f80e6..00000000000 
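Review bot: Removing the `container` group from asset/fields/agent.yml also drops the explicit `labels` definition that was `type: object` with `object_type: keyword`, which forced every `container.labels.*` value to be indexed as keyword; once the field is left to the `ecs@mappings` component template, a label that arrives as a number or boolean may be mapped by its JSON type instead, so any detection rule or saved search that filters on a label as a string should be checked against a sample document before release. The reflow of the `host` group `description` from a two-paragraph quoted scalar onto one line is unrelated to the redundancy clean-up and changes the rendered text (the blank line becomes a space); if that is deliberate it would be worth a word in the changelog entry, otherwise leaving the original scalar keeps this hunk to the field removals it is about. The same two observations apply verbatim to the identical hunk in plugin/fields/agent.yml below; the scan/fields/agent.yml hunk begins at the end of the view and is not covered here.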
--- a/packages/tenable_io/data_stream/asset/fields/ecs.yml +++ /dev/null @@ -1,20 +0,0 @@ -- external: ecs - name: ecs.version -- external: ecs - name: event.category -- external: ecs - name: event.created -- external: ecs - name: event.kind -- external: ecs - name: event.type -- external: ecs - name: message -- external: ecs - name: network.name -- external: ecs - name: related.hosts -- external: ecs - name: related.ip -- external: ecs - name: tags diff --git a/packages/tenable_io/data_stream/asset/fields/overridden-ecs.yml b/packages/tenable_io/data_stream/asset/fields/overridden-ecs.yml deleted file mode 100644 index 230ed31e27c..00000000000 --- a/packages/tenable_io/data_stream/asset/fields/overridden-ecs.yml +++ /dev/null @@ -1,4 +0,0 @@ -- name: event.original - type: keyword - ignore_above: 8191 - description: Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. diff --git a/packages/tenable_io/data_stream/plugin/fields/agent.yml b/packages/tenable_io/data_stream/plugin/fields/agent.yml index e313ec82874..48f513b61aa 100644 --- a/packages/tenable_io/data_stream/plugin/fields/agent.yml +++ b/packages/tenable_io/data_stream/plugin/fields/agent.yml 
@@ -5,180 +5,15 @@ footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' type: group fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - name: image.id type: keyword description: Image ID for the cloud instance. -- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. 
- - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. - name: host title: Host group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' type: group fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. 
- - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - name: containerized type: boolean description: > diff --git a/packages/tenable_io/data_stream/plugin/fields/ecs.yml b/packages/tenable_io/data_stream/plugin/fields/ecs.yml deleted file mode 100644 index f13d7301aa8..00000000000 
--- a/packages/tenable_io/data_stream/plugin/fields/ecs.yml +++ /dev/null @@ -1,22 +0,0 @@ -- external: ecs - name: ecs.version -- external: ecs - name: event.created -- external: ecs - name: event.kind -- external: ecs - name: event.type -- external: ecs - name: message -- external: ecs - name: tags -- external: ecs - name: vulnerability.id -- external: ecs - name: vulnerability.reference -- external: ecs - name: vulnerability.scanner.vendor -- external: ecs - name: vulnerability.score.base -- external: ecs - name: vulnerability.score.temporal diff --git a/packages/tenable_io/data_stream/plugin/fields/overridden-ecs.yml b/packages/tenable_io/data_stream/plugin/fields/overridden-ecs.yml deleted file mode 100644 index 230ed31e27c..00000000000 --- a/packages/tenable_io/data_stream/plugin/fields/overridden-ecs.yml +++ /dev/null @@ -1,4 +0,0 @@ -- name: event.original - type: keyword - ignore_above: 8191 - description: Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. diff --git a/packages/tenable_io/data_stream/scan/fields/agent.yml b/packages/tenable_io/data_stream/scan/fields/agent.yml index e313ec82874..48f513b61aa 100644 --- a/packages/tenable_io/data_stream/scan/fields/agent.yml +++ b/packages/tenable_io/data_stream/scan/fields/agent.yml 
@@ -5,180 +5,15 @@ footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' type: group fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - name: image.id type: keyword description: Image ID for the cloud instance. -- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. 
- - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. - name: host title: Host group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' type: group fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. 
- - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - name: containerized type: boolean description: > diff --git a/packages/tenable_io/data_stream/scan/fields/ecs.yml b/packages/tenable_io/data_stream/scan/fields/ecs.yml deleted file mode 100644 index a9578688660..00000000000 
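Review bot: Dropping the typed `host.ip` (`type: ip`), `host.mac` and `container.labels` (`object_type: keyword`) definitions leaves the scan data stream with no explicit mapping for those fields in this file, so their type now depends on an ECS mapping being supplied elsewhere — presumably the stack-provided `ecs@mappings` component template, since the package's own `ecs.yml` is deleted in the same commit. On a deployment whose index template does not carry that component template (older stack, or a manually managed template), dynamic mapping would index `host.ip` as keyword/text and any detection rule or dashboard that filters it by CIDR would silently match nothing. The manifest is not in this chunk, so I cannot confirm the `kibana.version` constraint was raised to guarantee the template; a comment at the top of the remaining field list such as `# Standard ECS fields (cloud.*, container.*, host.*) are expected from the ECS component template; only non-ECS custom fields are declared here` would at least make the dependency explicit to the next maintainer. The enclosing `cloud` group definition starts before this hunk.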
--- a/packages/tenable_io/data_stream/scan/fields/ecs.yml +++ /dev/null @@ -1,18 +0,0 @@ -- external: ecs - name: ecs.version -- external: ecs - name: event.category -- external: ecs - name: event.created -- external: ecs - name: event.kind -- external: ecs - name: event.type -- external: ecs - name: message -- external: ecs - name: related.hosts -- external: ecs - name: related.ip -- external: ecs - name: tags diff --git a/packages/tenable_io/data_stream/scan/fields/overridden-ecs.yml b/packages/tenable_io/data_stream/scan/fields/overridden-ecs.yml deleted file mode 100644 index 230ed31e27c..00000000000 --- a/packages/tenable_io/data_stream/scan/fields/overridden-ecs.yml +++ /dev/null @@ -1,4 +0,0 @@ -- name: event.original - type: keyword - ignore_above: 8191 - description: Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. diff --git a/packages/tenable_io/data_stream/vulnerability/fields/agent.yml b/packages/tenable_io/data_stream/vulnerability/fields/agent.yml index e313ec82874..48f513b61aa 100644 --- a/packages/tenable_io/data_stream/vulnerability/fields/agent.yml +++ b/packages/tenable_io/data_stream/vulnerability/fields/agent.yml 
@@ -5,180 +5,15 @@ footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' type: group fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - name: image.id type: keyword description: Image ID for the cloud instance. -- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. 
- - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. - name: host title: Host group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' type: group fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. 
- - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - name: containerized type: boolean description: > diff --git a/packages/tenable_io/data_stream/vulnerability/fields/ecs.yml b/packages/tenable_io/data_stream/vulnerability/fields/ecs.yml deleted file mode 100644 index 0468da3e2dc..00000000000 
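Review bot: The `host.ip` field loses its `type: ip` declaration here (together with `host.mac`, `host.domain` with its `default_field: false`, and `container.labels` as a keyword object), and nothing in this hunk replaces it, so the vulnerability data stream's mapping for these fields now rests on an ECS mapping being applied outside the package — presumably the stack's ECS component template, given that the sibling `ecs.yml` (which also declared `related.ip`) is deleted in this commit. If that template is absent, `host.ip` and `related.ip` fall back to dynamic keyword/text mapping and CIDR-based queries in detection rules fail silently rather than erroring. I would add a short comment above the surviving `cloud.image.id` / `host.containerized` entries, e.g. `# Only non-ECS custom fields are declared here; ECS fields are mapped by the stack's ECS template`, and make sure the package tests assert the `ip` type for `host.ip` so a regression in the stack constraint is caught. The `cloud` group header precedes this hunk.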
--- a/packages/tenable_io/data_stream/vulnerability/fields/ecs.yml +++ /dev/null @@ -1,40 +0,0 @@ -- external: ecs - name: ecs.version -- external: ecs - name: event.category -- external: ecs - name: event.created -- external: ecs - name: event.kind -- external: ecs - name: event.type -- external: ecs - name: message -- external: ecs - name: related.hosts -- external: ecs - name: related.ip -- external: ecs - name: tags -- external: ecs - name: vulnerability.category -- external: ecs - name: vulnerability.classification -- external: ecs - name: vulnerability.enumeration -- external: ecs - name: vulnerability.id -- external: ecs - name: vulnerability.reference -- external: ecs - name: vulnerability.report_id -- external: ecs - name: vulnerability.scanner.vendor -- external: ecs - name: vulnerability.score.base -- external: ecs - name: vulnerability.score.version -- external: ecs - name: vulnerability.score.temporal -- external: ecs - name: vulnerability.severity diff --git a/packages/tenable_io/data_stream/vulnerability/fields/overridden-ecs.yml b/packages/tenable_io/data_stream/vulnerability/fields/overridden-ecs.yml deleted file mode 100644 index 230ed31e27c..00000000000 --- a/packages/tenable_io/data_stream/vulnerability/fields/overridden-ecs.yml +++ /dev/null @@ -1,4 +0,0 @@ -- name: event.original - type: keyword - ignore_above: 8191 - description: Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. diff --git a/packages/tenable_io/docs/README.md b/packages/tenable_io/docs/README.md index f9435a89039..b2984146ee7 100644 --- a/packages/tenable_io/docs/README.md +++ b/packages/tenable_io/docs/README.md 
@@ -257,54 +257,17 @@ An example event for `asset` looks as following: | Field | Description | Type | |---|---|---| | @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | | cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | | data_stream.dataset | Data stream dataset. | constant_keyword | | data_stream.namespace | Data stream namespace. | constant_keyword | | data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. 
For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date | | event.dataset | Event dataset | constant_keyword | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword | | event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. 
If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| host.architecture | Operating system architecture. | keyword | | host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | host.os.build | OS build information. | keyword | | host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. 
| text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | input.type | Input type | keyword | | log.offset | Log offset | long | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| network.name | Name given by operators to sections of their network. | keyword | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| tags | List of keywords used to tag each event. | keyword | | tenable_io.asset.acr_score | The Asset Criticality Rating (ACR) for the asset. With Lumin, Tenable assigns an ACR to each asset on your network to represent the asset's relative risk as an integer from 1 to 10. | long | | tenable_io.asset.agent_names | The names of any Nessus agents that scanned and identified the asset. | keyword | | tenable_io.asset.agent_uuid | The unique identifier of the Nessus agent that identified the asset. | keyword | 
@@ -559,50 +522,17 @@ An example event for `plugin` looks as following: | Field | Description | Type | |---|---|---| | @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | | cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | | data_stream.dataset | Data stream dataset. | constant_keyword | | data_stream.namespace | Data stream namespace. | constant_keyword | | data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. 
In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date | | event.dataset | Event dataset | constant_keyword | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword | | event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. 
| keyword | -| host.architecture | Operating system architecture. | keyword | | host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | host.os.build | OS build information. | keyword | | host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | input.type | Input type | keyword | | log.offset | Log offset | long | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. 
For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| tags | List of keywords used to tag each event. | keyword | | tenable_io.plugin.attributes.always_run | | boolean | | tenable_io.plugin.attributes.bid | | long | | tenable_io.plugin.attributes.compliance | | boolean | @@ -678,11 +608,6 @@ An example event for `plugin` looks as following: | tenable_io.plugin.attributes.xrefs.type | | keyword | | tenable_io.plugin.id | The ID of the plugin. | keyword | | tenable_io.plugin.name | The name of the plugin. | keyword | -| vulnerability.id | The identification (ID) is the number portion of a vulnerability entry. It includes a unique identification number for the vulnerability. For example (https://cve.mitre.org/about/faqs.html#what_is_cve_id)[Common Vulnerabilities and Exposure CVE ID] | keyword | -| vulnerability.reference | A resource that provides additional information, context, and mitigations for the identified vulnerability. | keyword | -| vulnerability.scanner.vendor | The name of the vulnerability scanner vendor. | keyword | -| vulnerability.score.base | Scores can range from 0.0 to 10.0, with 10.0 being the most severe. Base scores cover an assessment for exploitability metrics (attack vector, complexity, privileges, and user interaction), impact metrics (confidentiality, integrity, and availability), and scope. For example (https://www.first.org/cvss/specification-document) | float | -| vulnerability.score.temporal | Scores can range from 0.0 to 10.0, with 10.0 being the most severe. Temporal scores cover an assessment for code maturity, remediation level, and confidence. For example (https://www.first.org/cvss/specification-document) | float | ### vulnerability 
@@ -900,53 +825,17 @@ An example event for `vulnerability` looks as following: | Field | Description | Type | |---|---|---| | @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | | cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | | data_stream.dataset | Data stream dataset. | constant_keyword | | data_stream.namespace | Data stream namespace. | constant_keyword | | data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. 
For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date | | event.dataset | Event dataset | constant_keyword | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword | | event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. 
If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| host.architecture | Operating system architecture. | keyword | | host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | host.os.build | OS build information. | keyword | | host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. 
| text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | input.type | Input type | keyword | | log.offset | Log offset | long | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| tags | List of keywords used to tag each event. | keyword | | tenable_io.vulnerability.asset.agent_uuid | The UUID of the agent that performed the scan where the vulnerability was found. | keyword | | tenable_io.vulnerability.asset.bios_uuid | The BIOS UUID of the asset where the vulnerability was found. | keyword | | tenable_io.vulnerability.asset.device_type | The type of asset where the vulnerability was found. | keyword | 
@@ -1076,18 +965,7 @@ An example event for `vulnerability` looks as following: | tenable_io.vulnerability.severity.modification_type | The type of modification a user made to the vulnerability's severity. Possible values include:none, recasted and accepted. | keyword | | tenable_io.vulnerability.severity.value | The severity of the vulnerability as defined using the Common Vulnerability Scoring System (CVSS) base score. Possible values include info, low, medium, high and critical. | keyword | | tenable_io.vulnerability.state | The state of the vulnerability as determined by the Tenable Vulnerability Management state service. Possible values include: open, reopen and fixed. | keyword | -| vulnerability.category | The type of system or architecture that the vulnerability affects. These may be platform-specific (for example, Debian or SUSE) or general (for example, Database or Firewall). For example (https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm[Qualys vulnerability categories]) This field must be an array. | keyword | -| vulnerability.classification | The classification of the vulnerability scoring system. For example (https://www.first.org/cvss/) | keyword | | vulnerability.description | The description of the vulnerability. | text | -| vulnerability.enumeration | The type of identifier used for this vulnerability. For example (https://cve.mitre.org/about/) | keyword | -| vulnerability.id | The identification (ID) is the number portion of a vulnerability entry. It includes a unique identification number for the vulnerability. For example (https://cve.mitre.org/about/faqs.html#what_is_cve_id)[Common Vulnerabilities and Exposure CVE ID] | keyword | -| vulnerability.reference | A resource that provides additional information, context, and mitigations for the identified vulnerability. | keyword | -| vulnerability.report_id | The report or scan identification number. 
| keyword | -| vulnerability.scanner.vendor | The name of the vulnerability scanner vendor. | keyword | -| vulnerability.score.base | Scores can range from 0.0 to 10.0, with 10.0 being the most severe. Base scores cover an assessment for exploitability metrics (attack vector, complexity, privileges, and user interaction), impact metrics (confidentiality, integrity, and availability), and scope. For example (https://www.first.org/cvss/specification-document) | float | -| vulnerability.score.temporal | Scores can range from 0.0 to 10.0, with 10.0 being the most severe. Temporal scores cover an assessment for code maturity, remediation level, and confidence. For example (https://www.first.org/cvss/specification-document) | float | -| vulnerability.score.version | The National Vulnerability Database (NVD) provides qualitative severity rankings of "Low", "Medium", and "High" for CVSS v2.0 base score ranges in addition to the severity ratings for CVSS v3.0 as they are defined in the CVSS v3.0 specification. CVSS is owned and managed by FIRST.Org, Inc. (FIRST), a US-based non-profit organization, whose mission is to help computer security incident response teams across the world. For example (https://nvd.nist.gov/vuln-metrics/cvss) | keyword | -| vulnerability.severity | The severity of the vulnerability can help with metrics and internal prioritization regarding remediation. For example (https://nvd.nist.gov/vuln-metrics/cvss) | keyword | ### scan 
@@ -1186,53 +1064,17 @@ An example event for `scan` looks as following: | Field | Description | Type | |---|---|---| | @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | | cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | | data_stream.dataset | Data stream dataset. | constant_keyword | | data_stream.namespace | Data stream namespace. | constant_keyword | | data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. 
For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date | | event.dataset | Event dataset | constant_keyword | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword | | event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. 
If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| host.architecture | Operating system architecture. | keyword | | host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | host.os.build | OS build information. | keyword | | host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. 
| text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | input.type | Input type | keyword | | log.offset | Log offset | long | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| tags | List of keywords used to tag each event. | keyword | | tenable_io.scan.control | If true, the scan has a schedule and can be launched. | boolean | | tenable_io.scan.creation_date | For newly-created scans, the date on which the scan configuration was originally created. For scans that have been launched at least once, this attribute does not represent the date on which the scan configuration was originally created. Instead, it represents the date on which the scan was first launched, in Unix time format. | date | | tenable_io.scan.enabled | Indicates whether the scan schedule is active (true) or inactive (false). | boolean | diff --git a/packages/tenable_io/manifest.yml b/packages/tenable_io/manifest.yml index 0b113f79e0e..ba3dcad5cbe 100644 --- a/packages/tenable_io/manifest.yml +++ b/packages/tenable_io/manifest.yml 
@@ -1,14 +1,14 @@
 format_version: "3.0.2"
 name: tenable_io
 title: Tenable Vulnerability Management
-version: "3.0.1"
+version: "3.1.0"
 description: Collect logs from Tenable Vulnerability Management with Elastic Agent.
 type: integration
 categories:
   - security
 conditions:
   kibana:
-    version: ^8.12.0
+    version: "^8.13.0"
 screenshots:
   - src: /img/tenable_io-screenshot.png
     title: Tenable Vulnerability Management dashboard screenshot
diff --git a/packages/tenable_sc/changelog.yml b/packages/tenable_sc/changelog.yml
index 0732cac4400..1f60cdb129c 100644
--- a/packages/tenable_sc/changelog.yml
+++ b/packages/tenable_sc/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.23.0"
+  changes:
+    - description: Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/10135
 - version: "1.22.0"
   changes:
     - description: Improve handling of empty responses.
diff --git a/packages/tenable_sc/data_stream/asset/fields/agent.yml b/packages/tenable_sc/data_stream/asset/fields/agent.yml
index 215021047d4..f833857d0fe 100644
--- a/packages/tenable_sc/data_stream/asset/fields/agent.yml
+++ b/packages/tenable_sc/data_stream/asset/fields/agent.yml
@@ -5,162 +5,15 @@ footnote: "Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on." type: group fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: "The cloud account or organization id used to identify different entities in a multi-tenant environment.\nExamples: AWS account id, Google Cloud ORG Id, or other unique identifier." - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - name: image.id type: keyword description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: "Container fields are used for meta information about the specific container that is the source of information.\nThese fields help correlate data based containers from any runtime." - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. - name: host title: Host group: 2 description: "A host is defined as a general computing instance.\nECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes." type: group fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: "Name of the domain of which the host is a member.\nFor example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider." - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: "Hostname of the host.\nIt normally contains what the `hostname` command returns on the host machine." - - name: id - level: core - type: keyword - ignore_above: 1024 - description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`." 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: "Name of the host.\nIt can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use." - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: "Type of host.\nFor Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment." - name: containerized type: boolean description: >- diff --git a/packages/tenable_sc/data_stream/asset/fields/ecs.yml b/packages/tenable_sc/data_stream/asset/fields/ecs.yml deleted file mode 100644 index 94317a5fa34..00000000000 --- a/packages/tenable_sc/data_stream/asset/fields/ecs.yml +++ /dev/null 
@@ -1,16 +0,0 @@
-- external: ecs
-  name: ecs.version
-- external: ecs
-  name: event.category
-- external: ecs
-  name: event.created
-- external: ecs
-  name: event.kind
-- external: ecs
-  name: event.type
-- external: ecs
-  name: related.ip
-- external: ecs
-  name: related.hosts
-- external: ecs
-  name: tags
diff --git a/packages/tenable_sc/data_stream/plugin/fields/agent.yml b/packages/tenable_sc/data_stream/plugin/fields/agent.yml
index 215021047d4..f833857d0fe 100644
--- a/packages/tenable_sc/data_stream/plugin/fields/agent.yml
+++ b/packages/tenable_sc/data_stream/plugin/fields/agent.yml
@@ -5,162 +5,15 @@ footnote: "Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on." type: group fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: "The cloud account or organization id used to identify different entities in a multi-tenant environment.\nExamples: AWS account id, Google Cloud ORG Id, or other unique identifier." - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - name: image.id type: keyword description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: "Container fields are used for meta information about the specific container that is the source of information.\nThese fields help correlate data based containers from any runtime." - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. - name: host title: Host group: 2 description: "A host is defined as a general computing instance.\nECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes." type: group fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: "Name of the domain of which the host is a member.\nFor example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider." - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: "Hostname of the host.\nIt normally contains what the `hostname` command returns on the host machine." - - name: id - level: core - type: keyword - ignore_above: 1024 - description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`." 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: "Name of the host.\nIt can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use." - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: "Type of host.\nFor Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment." - name: containerized type: boolean description: >- diff --git a/packages/tenable_sc/data_stream/plugin/fields/ecs.yml b/packages/tenable_sc/data_stream/plugin/fields/ecs.yml deleted file mode 100644 index 4aadb92e274..00000000000 --- a/packages/tenable_sc/data_stream/plugin/fields/ecs.yml +++ /dev/null 
@@ -1,14 +0,0 @@
-- external: ecs
-  name: ecs.version
-- external: ecs
-  name: event.created
-- external: ecs
-  name: event.kind
-- external: ecs
-  name: event.type
-- external: ecs
-  name: network.transport
-- external: ecs
-  name: related.hash
-- external: ecs
-  name: tags
diff --git a/packages/tenable_sc/data_stream/vulnerability/fields/agent.yml b/packages/tenable_sc/data_stream/vulnerability/fields/agent.yml
index 215021047d4..f833857d0fe 100644
--- a/packages/tenable_sc/data_stream/vulnerability/fields/agent.yml
+++ b/packages/tenable_sc/data_stream/vulnerability/fields/agent.yml
@@ -5,162 +5,15 @@ footnote: "Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on." type: group fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: "The cloud account or organization id used to identify different entities in a multi-tenant environment.\nExamples: AWS account id, Google Cloud ORG Id, or other unique identifier." - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - name: image.id type: keyword description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: "Container fields are used for meta information about the specific container that is the source of information.\nThese fields help correlate data based containers from any runtime." - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. - name: host title: Host group: 2 description: "A host is defined as a general computing instance.\nECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes." type: group fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: "Name of the domain of which the host is a member.\nFor example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider." - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: "Hostname of the host.\nIt normally contains what the `hostname` command returns on the host machine." - - name: id - level: core - type: keyword - ignore_above: 1024 - description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`." 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: "Name of the host.\nIt can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use." - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: "Type of host.\nFor Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment." - name: containerized type: boolean description: >- diff --git a/packages/tenable_sc/data_stream/vulnerability/fields/ecs.yml b/packages/tenable_sc/data_stream/vulnerability/fields/ecs.yml deleted file mode 100644 index 1388fea1271..00000000000 --- a/packages/tenable_sc/data_stream/vulnerability/fields/ecs.yml +++ /dev/null 
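Review bot: With the explicit `host.ip` (type `ip`), `host.mac`, `host.os.*` and `cloud.*` definitions deleted in this hunk, correct typing of those fields in the vulnerability data stream now depends entirely on the stack-supplied `ecs@mappings` component template, and nothing left in `agent.yml` records that — a reader sees only `cloud.image.id`, `host.containerized`, `host.os.build` and `host.os.codename` and may conclude the ECS host/cloud fields are simply unmapped. The Kibana constraint bump to `"^8.13.0"` in `manifest.yml` further down is presumably what guarantees that template is present, matching the rationale the `thycotic_ss` changelog entry gives for the same kind of change. I would add a comment at the top of the retained `cloud` and `host` field lists, e.g. `# ECS fields (host.ip, host.mac, host.os.*, cloud.provider, ...) are intentionally not declared here; they are mapped by the stack's ecs@mappings component template (hence the ^8.13.0 Kibana constraint). Only non-ECS extensions are listed below.` Without it, a future contributor who re-adds one of these fields with a different type (say `host.ip` as `keyword`) would silently break IP-range and CIDR queries that detection rules run against this index. The `cloud` group's `name`/`title` lines precede this hunk and are not visible here.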
@@ -1,42 +0,0 @@
-- external: ecs
- name: ecs.version
-- external: ecs
- name: event.category
-- external: ecs
- name: event.created
-- external: ecs
- name: event.kind
-- external: ecs
- name: event.type
-- external: ecs
- name: network.transport
-- external: ecs
- name: related.hosts
-- external: ecs
- name: related.ip
-- external: ecs
- name: tags
-- external: ecs
- name: vulnerability.category
-- external: ecs
- name: vulnerability.classification
-- external: ecs
- name: vulnerability.description
-- external: ecs
- name: vulnerability.enumeration
-- external: ecs
- name: vulnerability.id
-- external: ecs
- name: vulnerability.severity
-- external: ecs
- name: vulnerability.reference
-- external: ecs
- name: vulnerability.report_id
-- external: ecs
- name: vulnerability.scanner.vendor
-- external: ecs
- name: vulnerability.score.base
-- external: ecs
- name: vulnerability.score.temporal
-- external: ecs
- name: vulnerability.score.version
diff --git a/packages/tenable_sc/docs/README.md b/packages/tenable_sc/docs/README.md
index 9a13e717bf4..f7732f9c08c 100644
--- a/packages/tenable_sc/docs/README.md
+++ b/packages/tenable_sc/docs/README.md
@@ -143,51 +143,17 @@ An example event for `asset` looks as following: | Field | Description | Type | |---|---|---| | @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | | cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | | data_stream.dataset | Data stream dataset. | constant_keyword | | data_stream.namespace | Data stream namespace. | constant_keyword | | data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. 
For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date | | event.dataset | Event dataset. | constant_keyword | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword | | event.module | Event module. | constant_keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. 
This will allow proper categorization of some events that fall in multiple event types. | keyword | -| host.architecture | Operating system architecture. | keyword | | host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | host.os.build | OS build information. | keyword | | host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | input.type | Input type | keyword | | log.offset | Log offset | long | -| related.hosts | All hostnames or other host identifiers seen on your event. 
Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| tags | List of keywords used to tag each event. | keyword | | tenable_sc.asset.bios.guid | GUID of bios. | keyword | | tenable_sc.asset.custom_hash | Hash representing the values of the field names mentioned in uniqueness field in order to uniquely identify an asset. | keyword | | tenable_sc.asset.dns.name | DNS name of the asset. | keyword | 
@@ -388,50 +354,17 @@ An example event for `plugin` looks as following: | Field | Description | Type | |---|---|---| | @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | | cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | | data_stream.dataset | Data stream dataset. | constant_keyword | | data_stream.namespace | Data stream namespace. | constant_keyword | | data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. 
In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date | | event.dataset | Event dataset. | constant_keyword | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword | | event.module | Event module. | constant_keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| host.architecture | Operating system architecture. | keyword | | host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. 
It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | host.os.build | OS build information. | keyword | | host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | input.type | Input type | keyword | | log.offset | Log offset | long | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | -| tags | List of keywords used to tag each event. 
| keyword | | tenable_sc.plugin.base_score | The CVSSv2 base score (intrinsic and fundamental characteristics of a vulnerability that are constant over time and user environments). | double | | tenable_sc.plugin.check_type | The type of the compliance check that detected the vulnerability. | keyword | | tenable_sc.plugin.copyright | The copyright information related to the plugin. | keyword | 
@@ -715,52 +648,17 @@ An example event for `vulnerability` looks as following: | Field | Description | Type | |---|---|---| | @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | | cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | | data_stream.dataset | Data stream dataset. | constant_keyword | | data_stream.namespace | Data stream namespace. | constant_keyword | | data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. 
For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date | | event.dataset | Event dataset. | constant_keyword | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword | | event.module | Event module. | constant_keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. 
This will allow proper categorization of some events that fall in multiple event types. | keyword | -| host.architecture | Operating system architecture. | keyword | | host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | host.os.build | OS build information. | keyword | | host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. 
| keyword | | input.type | Input type | keyword | | log.offset | Log offset | long | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| tags | List of keywords used to tag each event. | keyword | | tenable_sc.vulnerability.accept_risk | N/A. | keyword | | tenable_sc.vulnerability.age | The time in days between the first and last time the vulnerability was seen. | long | | tenable_sc.vulnerability.base_score | Intrinsic and fundamental characteristics of a vulnerability that are constant over time and user environments. | keyword | 
@@ -819,16 +717,3 @@ An example event for `vulnerability` looks as following: | tenable_sc.vulnerability.vpr.score | The Vulnerability Priority Rating (VPR) score for the vulnerability. | double | | tenable_sc.vulnerability.vuln_pub_date | The date on which the vulnerability was published. | date | | tenable_sc.vulnerability.xref | References to third-party information about the vulnerability, exploit, or update associated with the plugin. | keyword | -| vulnerability.category | The type of system or architecture that the vulnerability affects. These may be platform-specific (for example, Debian or SUSE) or general (for example, Database or Firewall). For example (https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm[Qualys vulnerability categories]) This field must be an array. | keyword | -| vulnerability.classification | The classification of the vulnerability scoring system. For example (https://www.first.org/cvss/) | keyword | -| vulnerability.description | The description of the vulnerability that provides additional context of the vulnerability. For example (https://cve.mitre.org/about/faqs.html#cve_entry_descriptions_created[Common Vulnerabilities and Exposure CVE description]) | keyword | -| vulnerability.description.text | Multi-field of `vulnerability.description`. | match_only_text | -| vulnerability.enumeration | The type of identifier used for this vulnerability. For example (https://cve.mitre.org/about/) | keyword | -| vulnerability.id | The identification (ID) is the number portion of a vulnerability entry. It includes a unique identification number for the vulnerability. For example (https://cve.mitre.org/about/faqs.html#what_is_cve_id)[Common Vulnerabilities and Exposure CVE ID] | keyword | -| vulnerability.reference | A resource that provides additional information, context, and mitigations for the identified vulnerability. | keyword | -| vulnerability.report_id | The report or scan identification number. 
| keyword | -| vulnerability.scanner.vendor | The name of the vulnerability scanner vendor. | keyword | -| vulnerability.score.base | Scores can range from 0.0 to 10.0, with 10.0 being the most severe. Base scores cover an assessment for exploitability metrics (attack vector, complexity, privileges, and user interaction), impact metrics (confidentiality, integrity, and availability), and scope. For example (https://www.first.org/cvss/specification-document) | float | -| vulnerability.score.temporal | Scores can range from 0.0 to 10.0, with 10.0 being the most severe. Temporal scores cover an assessment for code maturity, remediation level, and confidence. For example (https://www.first.org/cvss/specification-document) | float | -| vulnerability.score.version | The National Vulnerability Database (NVD) provides qualitative severity rankings of "Low", "Medium", and "High" for CVSS v2.0 base score ranges in addition to the severity ratings for CVSS v3.0 as they are defined in the CVSS v3.0 specification. CVSS is owned and managed by FIRST.Org, Inc. (FIRST), a US-based non-profit organization, whose mission is to help computer security incident response teams across the world. For example (https://nvd.nist.gov/vuln-metrics/cvss) | keyword | -| vulnerability.severity | The severity of the vulnerability can help with metrics and internal prioritization regarding remediation. For example (https://nvd.nist.gov/vuln-metrics/cvss) | keyword | diff --git a/packages/tenable_sc/manifest.yml b/packages/tenable_sc/manifest.yml index a5c963af178..0c0fb8891b8 100644 --- a/packages/tenable_sc/manifest.yml +++ b/packages/tenable_sc/manifest.yml 
@@ -2,7 +2,7 @@ format_version: "3.0.2" name: tenable_sc title: Tenable.sc # The version must be updated in the input configuration templates as well, in order to set the correct User-Agent header. Until elastic/kibana#121310 is implemented we will have to manually sync these. -version: "1.22.0" +version: "1.23.0" description: | Collect logs from Tenable.sc with Elastic Agent. type: integration @@ -10,7 +10,7 @@ categories: - security conditions: kibana: - version: ^8.12.0 + version: "^8.13.0" screenshots: - src: /img/tenable_sc-screenshot.png title: Tenable.sc vulnerability dashboard screenshot diff --git a/packages/thycotic_ss/changelog.yml b/packages/thycotic_ss/changelog.yml index 62c79def1ad..ee6e591369a 100644 --- a/packages/thycotic_ss/changelog.yml +++ b/packages/thycotic_ss/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.8.0" + changes: + - description: Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template. + type: enhancement + link: https://github.com/elastic/integrations/pull/10135 - version: "1.7.0" changes: - description: Update manifest format version to v3.0.3. diff --git a/packages/thycotic_ss/data_stream/logs/fields/ecs.yml b/packages/thycotic_ss/data_stream/logs/fields/ecs.yml index 38d7ca618aa..adb0dc85322 100644 --- a/packages/thycotic_ss/data_stream/logs/fields/ecs.yml +++ b/packages/thycotic_ss/data_stream/logs/fields/ecs.yml 
@@ -1,90 +1,2 @@ - external: ecs name: '@timestamp' -- external: ecs - name: ecs.version -- external: ecs - name: error.message -- external: ecs - name: event.action -- external: ecs - name: event.code -- external: ecs - name: event.ingested -- external: ecs - name: event.original -- external: ecs - name: event.outcome -- external: ecs - name: event.timezone -- external: ecs - name: event.type -- external: ecs - name: event.category -- external: ecs - name: event.kind -- external: ecs - name: group.id -- external: ecs - name: group.name -- external: ecs - name: host.hostname -- external: ecs - name: host.ip -- external: ecs - name: host.mac -- external: ecs - name: host.name -- external: ecs - name: log.level -- external: ecs - name: log.syslog.facility.code -- external: ecs - name: log.syslog.priority -- external: ecs - name: log.syslog.severity.code -- external: ecs - name: message -- external: ecs - name: observer.product -- external: ecs - name: observer.type -- external: ecs - name: observer.vendor -- external: ecs - name: observer.version -- external: ecs - name: observer.hostname -- external: ecs - name: observer.ip -- external: ecs - name: related.hosts -- external: ecs - name: related.ip -- external: ecs - name: related.user -- external: ecs - name: source.address -- external: ecs - name: source.as.number -- external: ecs - name: source.as.organization.name -- external: ecs - name: source.geo.city_name -- external: ecs - name: source.geo.country_name -- external: ecs - name: source.geo.location -- external: ecs - name: source.ip -- external: ecs - name: source.mac -- external: ecs - name: tags -- external: ecs - name: user.domain -- external: ecs - name: user.full_name -- external: ecs - name: user.id -- external: ecs - name: user.name diff --git a/packages/thycotic_ss/docs/README.md b/packages/thycotic_ss/docs/README.md index 57ad649f44a..3ae9890cde4 100644 --- a/packages/thycotic_ss/docs/README.md +++ b/packages/thycotic_ss/docs/README.md 
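Review bot: Dropping the `event.original` declaration from this file makes its non-indexed, no-doc_values mapping — the property the deleted README row further down describes ("not indexed and doc_values are disabled ... can be retrieved from `_source`") — depend solely on the stack's `ecs@mappings` component template rather than on anything this package declares. For a Secret Server audit feed the raw syslog line in `event.original` may carry account names and secret metadata, so whether it becomes searchable is a data-exposure question and not just a storage one; I would verify on an 8.13 cluster that the data stream's `_mapping` still shows `event.original` with `index: false`, and state that expectation in the `1.8.0` changelog entry. If the intent is to pin it regardless of the stack template, keeping `- external: ecs` / `  name: event.original` next to the retained `@timestamp` entry does that at no cost. The lone `@timestamp` entry is presumably kept only so the fields file is not empty; a one-line `# kept so the file is non-empty; all other ECS fields come from ecs@mappings` comment would spare the next reader the same guess.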
@@ -190,48 +190,7 @@ The following fields may be used by the package: | data_stream.dataset | Data stream dataset. | constant_keyword | | data_stream.namespace | Data stream namespace. | constant_keyword | | data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.message | Error message. | match_only_text | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. 
In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. 
For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| group.id | Unique identifier for the group on the system/platform. | keyword | -| group.name | Name of the group. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | -| host.name | Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name (FQDN), or a name specified by the user. The recommended value is the lowercase FQDN of the host. | keyword | | input.type | | keyword | -| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. 
If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | -| log.syslog.facility.code | The Syslog numeric facility of the log event, if available. According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. | long | -| log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 \* facility + severity. This number is therefore expected to contain a value between 0 and 191. | long | -| log.syslog.severity.code | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. | long | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| observer.hostname | Hostname of the observer. | keyword | -| observer.ip | IP addresses of the observer. | ip | -| observer.product | The product name of the observer. | keyword | -| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword | -| observer.vendor | Vendor name of the observer. | keyword | -| observer.version | Observer version. | keyword | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. 
| keyword | -| related.ip | All of the IPs seen on your event. | ip | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.geo.city_name | City name. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.mac | MAC address of the source. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | -| tags | List of keywords used to tag each event. | keyword | | thycotic_ss.event.folder.folder | | keyword | | thycotic_ss.event.folder.id | | keyword | | thycotic_ss.event.folder.name | | keyword | 
@@ -253,10 +212,4 @@ The following fields may be used by the package:
| thycotic_ss.event.user.full_name | | keyword |
| thycotic_ss.event.user.id | | keyword |
| thycotic_ss.event.user.name | | keyword |
-| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
-| user.full_name | User's full name, if available. | keyword |
-| user.full_name.text | Multi-field of `user.full_name`. | match_only_text |
-| user.id | Unique identifier of the user. | keyword |
-| user.name | Short name or login of the user. | keyword |
-| user.name.text | Multi-field of `user.name`. | match_only_text |
diff --git a/packages/thycotic_ss/manifest.yml b/packages/thycotic_ss/manifest.yml
index e28026f8f65..f786874bda6 100644
--- a/packages/thycotic_ss/manifest.yml
+++ b/packages/thycotic_ss/manifest.yml
@@ -1,7 +1,7 @@
format_version: "3.0.3"
name: thycotic_ss
title: "Thycotic Secret Server"
-version: "1.7.0"
+version: "1.8.0"
source:
license: "Elastic-2.0"
description: "Thycotic Secret Server logs"
@@ -10,7 +10,7 @@ categories:
- security
conditions:
kibana:
- version: "^8.5.0"
+ version: "^8.13.0"
elastic:
subscription: "basic"
screenshots:
diff --git a/packages/ti_abusech/changelog.yml b/packages/ti_abusech/changelog.yml
index ba3fd5c699a..eaf3227c855 100644
--- a/packages/ti_abusech/changelog.yml
+++ b/packages/ti_abusech/changelog.yml
@@ -1,4 +1,9 @@
# newer versions go on top
+- version: "2.2.0"
+ changes:
+ - description: Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/10135
- version: "2.1.0"
changes:
- description: Improve error handling and reporting in malwarebazaar data stream.
diff --git a/packages/ti_abusech/data_stream/malware/fields/agent.yml b/packages/ti_abusech/data_stream/malware/fields/agent.yml
index da4e652c53b..2bc58530bac 100644
--- a/packages/ti_abusech/data_stream/malware/fields/agent.yml
+++ b/packages/ti_abusech/data_stream/malware/fields/agent.yml
@@ -5,180 +5,15 @@ footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' type: group fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - name: image.id type: keyword description: Image ID for the cloud instance. -- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. 
- - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. - name: host title: Host group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' type: group fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. 
- - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - name: containerized type: boolean description: > diff --git a/packages/ti_abusech/data_stream/malware/fields/beats.yml b/packages/ti_abusech/data_stream/malware/fields/beats.yml index cb44bb29442..96190255552 100644 
--- a/packages/ti_abusech/data_stream/malware/fields/beats.yml
+++ b/packages/ti_abusech/data_stream/malware/fields/beats.yml
@@ -7,6 +7,3 @@
- name: log.offset
type: long
description: Offset of the entry in the log file.
-- name: log.file.path
- type: keyword
- description: Path to the log file.
diff --git a/packages/ti_abusech/data_stream/malware/fields/ecs.yml b/packages/ti_abusech/data_stream/malware/fields/ecs.yml
deleted file mode 100644
index bb08d74e4bb..00000000000
--- a/packages/ti_abusech/data_stream/malware/fields/ecs.yml
+++ /dev/null
@@ -1,47 +0,0 @@
-- external: ecs
- name: ecs.version
-- external: ecs
- name: message
-- external: ecs
- name: error.message
-- external: ecs
- name: tags
-- external: ecs
- name: related.hash
-- external: ecs
- name: event.created
-- external: ecs
- name: event.ingested
-- external: ecs
- name: event.kind
-- external: ecs
- name: event.category
-- external: ecs
- name: event.type
-- external: ecs
- name: event.original
-- external: ecs
- name: threat.indicator.type
-- external: ecs
- name: threat.indicator.first_seen
-- external: ecs
- name: threat.indicator.file.size
-- external: ecs
- name: threat.indicator.file.type
-- external: ecs
- name: threat.indicator.file.hash.md5
-- external: ecs
- name: threat.indicator.file.hash.sha256
-- external: ecs
- name: threat.indicator.file.pe.imphash
-- external: ecs
- name: threat.indicator.file.hash.ssdeep
-- name: threat.indicator.file.hash.tlsh
- type: keyword
- description: "The file's import tlsh, if available."
-- name: threat.indicator.provider
- external: ecs
-- name: threat.indicator.name
- external: ecs
-- name: labels
- external: ecs
diff --git a/packages/ti_abusech/data_stream/malwarebazaar/fields/agent.yml b/packages/ti_abusech/data_stream/malwarebazaar/fields/agent.yml
index da4e652c53b..2bc58530bac 100644
--- a/packages/ti_abusech/data_stream/malwarebazaar/fields/agent.yml
+++ b/packages/ti_abusech/data_stream/malwarebazaar/fields/agent.yml
@@ -5,180 +5,15 @@ footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' type: group fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - name: image.id type: keyword description: Image ID for the cloud instance. -- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. 
- - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. - name: host title: Host group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' type: group fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. 
- - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - name: containerized type: boolean description: > diff --git a/packages/ti_abusech/data_stream/malwarebazaar/fields/beats.yml b/packages/ti_abusech/data_stream/malwarebazaar/fields/beats.yml index cb44bb29442..96190255552 100644 
--- a/packages/ti_abusech/data_stream/malwarebazaar/fields/beats.yml
+++ b/packages/ti_abusech/data_stream/malwarebazaar/fields/beats.yml
@@ -7,6 +7,3 @@
- name: log.offset
type: long
description: Offset of the entry in the log file.
-- name: log.file.path
- type: keyword
- description: Path to the log file.
diff --git a/packages/ti_abusech/data_stream/malwarebazaar/fields/ecs.yml b/packages/ti_abusech/data_stream/malwarebazaar/fields/ecs.yml
deleted file mode 100644
index cc05f196864..00000000000
--- a/packages/ti_abusech/data_stream/malwarebazaar/fields/ecs.yml
+++ /dev/null
@@ -1,78 +0,0 @@
-- external: ecs
- name: ecs.version
-- external: ecs
- name: message
-- external: ecs
- name: error.message
-- external: ecs
- name: tags
-- external: ecs
- name: related.hash
-- external: ecs
- name: event.ingested
-- external: ecs
- name: event.kind
-- external: ecs
- name: event.category
-- external: ecs
- name: event.type
-- external: ecs
- name: event.original
-- external: ecs
- name: threat.indicator.type
-- external: ecs
- name: event.created
-- external: ecs
- name: threat.indicator.first_seen
-- external: ecs
- name: threat.indicator.last_seen
-- external: ecs
- name: threat.indicator.file.size
-- external: ecs
- name: threat.indicator.file.type
-- external: ecs
- name: threat.indicator.file.name
-- external: ecs
- name: threat.indicator.file.extension
-- external: ecs
- name: threat.indicator.file.hash.sha1
-- external: ecs
- name: threat.indicator.file.mime_type
-- external: ecs
- name: threat.software.alias
-- external: ecs
- name: threat.indicator.file.hash.md5
-- external: ecs
- name: threat.indicator.file.hash.sha256
-- external: ecs
- name: threat.indicator.file.hash.ssdeep
-- name: threat.indicator.file.hash.sha384
- type: keyword
- description: "The file's sha384 hash, if available."
-- name: threat.indicator.file.hash.tlsh
- type: keyword
- description: "The file's import tlsh, if available."
-- external: ecs
- name: threat.indicator.file.pe.imphash
-- external: ecs
- name: threat.indicator.file.elf.telfhash
-- name: threat.indicator.file.x509.subject.common_name
- external: ecs
-- name: threat.indicator.file.x509.issuer.common_name
- external: ecs
-- name: threat.indicator.file.x509.public_key_algorithm
- external: ecs
-- name: threat.indicator.file.x509.not_before
- external: ecs
-- name: threat.indicator.file.x509.not_after
- external: ecs
-- name: threat.indicator.file.x509.serial_number
- external: ecs
-- name: threat.indicator.provider
- external: ecs
-- name: threat.indicator.geo.country_iso_code
- external: ecs
-- name: threat.indicator.name
- external: ecs
-- name: labels
- external: ecs
diff --git a/packages/ti_abusech/data_stream/threatfox/fields/agent.yml b/packages/ti_abusech/data_stream/threatfox/fields/agent.yml
index da4e652c53b..2bc58530bac 100644
--- a/packages/ti_abusech/data_stream/threatfox/fields/agent.yml
+++ b/packages/ti_abusech/data_stream/threatfox/fields/agent.yml
@@ -5,180 +5,15 @@ footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' type: group fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - name: image.id type: keyword description: Image ID for the cloud instance. -- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. 
- - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. - name: host title: Host group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' type: group fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. 
- - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - name: containerized type: boolean description: > diff --git a/packages/ti_abusech/data_stream/threatfox/fields/beats.yml b/packages/ti_abusech/data_stream/threatfox/fields/beats.yml index cb44bb29442..96190255552 100644 
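Review bot: After this hunk the `ip`-typed `host.ip`, plus `host.mac`, `host.os.*`, `cloud.*` and `container.*`, are no longer declared anywhere in this data stream's agent.yml, so their mapping has to come from the stack's built-in ECS dynamic templates (presumably `ecs@mappings`), and nothing in the hunk pins that dependency. If the package's `conditions.kibana.version` in manifest.yml (not in this chunk) is not raised to a release that ships those templates, `host.ip` falls back to a dynamic keyword mapping and any CIDR/range query in a detection rule against threatfox events silently stops matching. Worth confirming the version constraint is bumped in the same change, and leaving a pointer next to the surviving `host` group so the next maintainer does not re-add fields by hand, e.g. `# Remaining ECS host.*/cloud.*/container.* fields are mapped by the stack's ecs@mappings component template.`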
--- a/packages/ti_abusech/data_stream/threatfox/fields/beats.yml +++ b/packages/ti_abusech/data_stream/threatfox/fields/beats.yml @@ -7,6 +7,3 @@ - name: log.offset type: long description: Offset of the entry in the log file. -- name: log.file.path - type: keyword - description: Path to the log file. diff --git a/packages/ti_abusech/data_stream/threatfox/fields/ecs.yml b/packages/ti_abusech/data_stream/threatfox/fields/ecs.yml deleted file mode 100644 index e994b9dc5aa..00000000000 --- a/packages/ti_abusech/data_stream/threatfox/fields/ecs.yml +++ /dev/null 
@@ -1,88 +0,0 @@ -- external: ecs - name: ecs.version -- external: ecs - name: message -- external: ecs - name: error.message -- external: ecs - name: tags -- external: ecs - name: related.hash -- external: ecs - name: event.ingested -- external: ecs - name: event.kind -- external: ecs - name: event.category -- external: ecs - name: event.type -- external: ecs - name: event.original -- external: ecs - name: threat.indicator.type -- external: ecs - name: event.created -- external: ecs - name: threat.indicator.first_seen -- external: ecs - name: threat.indicator.last_seen -- external: ecs - name: threat.indicator.file.size -- external: ecs - name: threat.indicator.file.type -- external: ecs - name: threat.indicator.file.name -- external: ecs - name: threat.indicator.file.extension -- external: ecs - name: threat.indicator.file.hash.sha1 -- external: ecs - name: threat.indicator.file.mime_type -- external: ecs - name: threat.software.alias -- external: ecs - name: threat.indicator.file.hash.md5 -- external: ecs - name: threat.indicator.file.hash.sha256 -- external: ecs - name: threat.indicator.file.hash.ssdeep -- external: ecs - name: threat.indicator.file.hash.sha384 -- external: ecs - name: threat.indicator.file.hash.tlsh -- external: ecs - name: threat.indicator.file.pe.imphash -- external: ecs - name: threat.indicator.file.elf.telfhash -- external: ecs - name: threat.indicator.provider -- external: ecs - name: threat.indicator.port -- external: ecs - name: threat.indicator.ip -- external: ecs - name: threat.indicator.confidence -- external: ecs - name: threat.indicator.description -- external: ecs - name: threat.indicator.reference -- external: ecs - name: threat.indicator.url.domain -- external: ecs - name: threat.indicator.url.extension -- external: ecs - name: threat.indicator.url.original -- external: ecs - name: threat.indicator.url.path -- external: ecs - name: threat.indicator.url.port -- external: ecs - name: threat.indicator.url.scheme -- external: ecs - 
name: threat.software.name -- external: ecs - name: threat.software.reference -- external: ecs - name: threat.indicator.name -- external: ecs - name: labels diff --git a/packages/ti_abusech/data_stream/url/_dev/test/pipeline/test-abusechurl-dump.log-expected.json b/packages/ti_abusech/data_stream/url/_dev/test/pipeline/test-abusechurl-dump.log-expected.json index 33a3cc03f15..e043fd8a27a 100644 --- a/packages/ti_abusech/data_stream/url/_dev/test/pipeline/test-abusechurl-dump.log-expected.json +++ b/packages/ti_abusech/data_stream/url/_dev/test/pipeline/test-abusechurl-dump.log-expected.json @@ -3,7 +3,7 @@ { "abusech": { "url": { - "deleted_at": "2024-04-17T16:09:49.442Z", + "deleted_at": "2024-06-20T04:56:13.743Z", "id": "2786904", "threat": "malware_download", "url_status": "online" @@ -16,7 +16,7 @@ "category": [ "threat" ], - "ingested": "2024-04-17T15:11:19.442760096Z", + "ingested": "2024-06-20T03:57:43.743250436Z", "kind": "enrichment", "original": "{\"id\":\"2786904\",\"dateadded\":\"2024-03-19 11:34:09 UTC\",\"url\":\"http://115.55.244.160:41619/Mozi.m\",\"url_status\":\"online\",\"last_online\":\"2024-03-19 11:34:09 UTC\",\"threat\":\"malware_download\",\"tags\":[\"elf\",\"Mozi\"],\"urlhaus_link\":\"https://urlhaus.abuse.ch/url/2786904/\",\"reporter\":\"lrz_urlhaus\"}", "type": [ @@ -54,7 +54,7 @@ { "abusech": { "url": { - "deleted_at": "2024-04-17T16:09:49.442Z", + "deleted_at": "2024-06-20T04:56:13.743Z", "id": "2786903", "threat": "malware_download", "url_status": "online" 
@@ -67,7 +67,7 @@ "category": [ "threat" ], - "ingested": "2024-04-17T15:11:19.442771804Z", + "ingested": "2024-06-20T03:57:43.743264045Z", "kind": "enrichment", "original": "{\"id\":\"2786903\",\"dateadded\":\"2024-03-19 11:33:08 UTC\",\"url\":\"http://27.206.236.188:59429/i\",\"url_status\":\"online\",\"last_online\":\"2024-03-19 11:33:08 UTC\",\"threat\":\"malware_download\",\"tags\":[\"32-bit\",\"elf\",\"mips\",\"Mozi\"],\"urlhaus_link\":\"https://urlhaus.abuse.ch/url/2786903/\",\"reporter\":\"geenensp\"}", "type": [ diff --git a/packages/ti_abusech/data_stream/url/fields/agent.yml b/packages/ti_abusech/data_stream/url/fields/agent.yml index da4e652c53b..2bc58530bac 100644 --- a/packages/ti_abusech/data_stream/url/fields/agent.yml +++ b/packages/ti_abusech/data_stream/url/fields/agent.yml 
@@ -5,180 +5,15 @@ footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' type: group fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - name: image.id type: keyword description: Image ID for the cloud instance. -- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. 
- - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. - name: host title: Host group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' type: group fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. 
- - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - name: containerized type: boolean description: > diff --git a/packages/ti_abusech/data_stream/url/fields/beats.yml b/packages/ti_abusech/data_stream/url/fields/beats.yml index cb44bb29442..96190255552 100644 --- a/packages/ti_abusech/data_stream/url/fields/beats.yml 
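Review bot: The url data stream's agent.yml now keeps only `cloud.image.id` and `host.containerized`; the deleted `host.ip` (type `ip`) and `host.os.*`/`cloud.*` declarations are left to be supplied by the stack, which the hunk does not verify. This is only safe if the package manifest (outside this chunk) requires a stack version whose ECS component templates map those names by pattern; otherwise `host.ip` is dynamically mapped as keyword and the CTI dashboards and IP-based rules built on this feed degrade without an ingest error. Suggest adding a one-line note above the trimmed `cloud` group, `# ECS cloud.*/host.* fields not listed here are mapped by the stack's ecs@mappings template (requires the kibana.version constraint in manifest.yml).`, so the reliance is explicit in the file.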
+++ b/packages/ti_abusech/data_stream/url/fields/beats.yml @@ -7,6 +7,3 @@ - name: log.offset type: long description: Offset of the entry in the log file. -- name: log.file.path - type: keyword - description: Path to the log file. diff --git a/packages/ti_abusech/data_stream/url/fields/ecs.yml b/packages/ti_abusech/data_stream/url/fields/ecs.yml deleted file mode 100644 index a79e7924260..00000000000 --- a/packages/ti_abusech/data_stream/url/fields/ecs.yml +++ /dev/null @@ -1,54 +0,0 @@ -- external: ecs - name: ecs.version -- external: ecs - name: message -- external: ecs - name: error.message -- external: ecs - name: tags -- external: ecs - name: event.ingested -- external: ecs - name: event.kind -- external: ecs - name: event.category -- external: ecs - name: event.type -- external: ecs - name: event.created -- external: ecs - name: event.original -- external: ecs - name: threat.indicator.type -- external: ecs - name: threat.indicator.reference -- external: ecs - name: threat.indicator.first_seen -- external: ecs - name: threat.indicator.last_seen -- external: ecs - name: threat.indicator.url.domain -- external: ecs - name: threat.indicator.url.full -- external: ecs - name: threat.indicator.url.fragment -- external: ecs - name: threat.indicator.url.extension -- external: ecs - name: threat.indicator.url.original -- external: ecs - name: threat.indicator.url.path -- external: ecs - name: threat.indicator.url.port -- external: ecs - name: threat.indicator.url.scheme -- external: ecs - name: threat.indicator.url.query -- external: ecs - name: threat.indicator.ip -- external: ecs - name: threat.indicator.provider -- external: ecs - name: threat.indicator.name -- external: ecs - name: labels diff --git a/packages/ti_abusech/docs/README.md b/packages/ti_abusech/docs/README.md index 3f76752f36e..dffed3b7c6d 100644 --- a/packages/ti_abusech/docs/README.md +++ b/packages/ti_abusech/docs/README.md 
@@ -43,78 +43,22 @@ The AbuseCH URL data_stream retrieves full list of active threat intelligence in | abusech.url.threat | The threat corresponding to this malware URL. | keyword | | abusech.url.url_status | The current status of the URL. Possible values are: online, offline and unknown. | keyword | | abusech.url.urlhaus_reference | Link to URLhaus entry. | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | | cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | | data_stream.dataset | Data stream dataset name. | constant_keyword | | data_stream.namespace | Data stream namespace. | constant_keyword | | data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.message | Error message. 
| match_only_text | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date | | event.dataset | Event dataset | constant_keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. 
The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword | | event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| host.architecture | Operating system architecture. | keyword | | host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. 
It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | host.os.build | OS build information. | keyword | | host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | input.type | Type of Filebeat input. | keyword | -| labels | Custom key/value pairs. Can be used to add meta information to events. Should not contain nested objects. All values are stored as keyword. Example: `docker` and `k8s` labels. | object | | labels.interval | User-configured value for `Interval` setting. This is used in calculation of indicator expiration time. | keyword | | labels.is_ioc_transform_source | Field indicating if its the transform source for supporting IOC expiration. This field is dropped from destination indices to facilitate easier filtering of indicators. | constant_keyword | -| log.file.path | Path to the log file. | keyword | | log.flags | Flags for the log file. | keyword | | log.offset | Offset of the entry in the log file. | long | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. 
If multiple messages exist, they can be combined into one message. | match_only_text | -| tags | List of keywords used to tag each event. | keyword | | threat.feed.dashboard_id | Dashboard ID used for Kibana CTI UI | constant_keyword | | threat.feed.name | Display friendly feed name | constant_keyword | -| threat.indicator.first_seen | The date and time when intelligence source first reported sighting this indicator. | date | -| threat.indicator.ip | Identifies a threat indicator as an IP address (irrespective of direction). | ip | -| threat.indicator.last_seen | The date and time when intelligence source last reported sighting this indicator. | date | -| threat.indicator.name | The display name indicator in an UI friendly format URL, IP address, email address, registry key, port number, hash value, or other relevant name can serve as the display name. | keyword | -| threat.indicator.provider | The name of the indicator's provider. | keyword | -| threat.indicator.reference | Reference URL linking to additional information about this indicator. | keyword | -| threat.indicator.type | Type of indicator as represented by Cyber Observable in STIX 2.0. | keyword | -| threat.indicator.url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | -| threat.indicator.url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". 
Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | -| threat.indicator.url.fragment | Portion of the url after the `#`, such as "top". The `#` is not part of the fragment. | keyword | -| threat.indicator.url.full | If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. | wildcard | -| threat.indicator.url.full.text | Multi-field of `threat.indicator.url.full`. | match_only_text | -| threat.indicator.url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | -| threat.indicator.url.original.text | Multi-field of `threat.indicator.url.original`. | match_only_text | -| threat.indicator.url.path | Path of the request, such as "/search". | wildcard | -| threat.indicator.url.port | Port of the request, such as 443. | long | -| threat.indicator.url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword | -| threat.indicator.url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword | ### Malware 
@@ -132,71 +76,21 @@ The AbuseCH malware data_stream retrieves threat intelligence indicators from th | abusech.malware.virustotal.link | Link to the Virustotal report. | keyword | | abusech.malware.virustotal.percent | AV detection in percent. | float | | abusech.malware.virustotal.result | AV detection ratio. | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | | cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | | data_stream.dataset | Data stream dataset name. | constant_keyword | | data_stream.namespace | Data stream namespace. | constant_keyword | | data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.message | Error message. 
| match_only_text | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date | | event.dataset | Event dataset | constant_keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. 
The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword | | event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| host.architecture | Operating system architecture. | keyword | | host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. 
It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | host.os.build | OS build information. | keyword | | host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | input.type | Type of Filebeat input. | keyword | -| labels | Custom key/value pairs. Can be used to add meta information to events. Should not contain nested objects. All values are stored as keyword. Example: `docker` and `k8s` labels. | object | | labels.is_ioc_transform_source | Field indicating if its the transform source for supporting IOC expiration. This field is dropped from destination indices to facilitate easier filtering of indicators. | constant_keyword | -| log.file.path | Path to the log file. | keyword | | log.flags | Flags for the log file. | keyword | | log.offset | Offset of the entry in the log file. | long | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| related.hash | All the hashes seen on your event. 
Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | -| tags | List of keywords used to tag each event. | keyword | | threat.feed.dashboard_id | Dashboard ID used for Kibana CTI UI | constant_keyword | | threat.feed.name | Display friendly feed name | constant_keyword | -| threat.indicator.file.hash.md5 | MD5 hash. | keyword | -| threat.indicator.file.hash.sha256 | SHA256 hash. | keyword | -| threat.indicator.file.hash.ssdeep | SSDEEP hash. | keyword | -| threat.indicator.file.hash.tlsh | The file's import tlsh, if available. | keyword | -| threat.indicator.file.pe.imphash | A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. | keyword | -| threat.indicator.file.size | File size in bytes. Only relevant when `file.type` is "file". | long | -| threat.indicator.file.type | File type (file, dir, or symlink). | keyword | -| threat.indicator.first_seen | The date and time when intelligence source first reported sighting this indicator. | date | -| threat.indicator.name | The display name indicator in an UI friendly format URL, IP address, email address, registry key, port number, hash value, or other relevant name can serve as the display name. | keyword | -| threat.indicator.provider | The name of the indicator's provider. | keyword | -| threat.indicator.type | Type of indicator as represented by Cyber Observable in STIX 2.0. | keyword | ### MalwareBazaar 
@@ -226,86 +120,21 @@ The AbuseCH malwarebazaar data_stream retrieves threat intelligence indicators f | abusech.malwarebazaar.intelligence.mail.IT | Malware seen in IT spam traffic. | keyword | | abusech.malwarebazaar.intelligence.uploads | Number of uploads from MalwareBazaar. | long | | abusech.malwarebazaar.ioc_expiration_duration | The configured expiration duration. | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | | cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | | data_stream.dataset | Data stream dataset name. | constant_keyword | | data_stream.namespace | Data stream namespace. | constant_keyword | | data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.message | Error message. 
| match_only_text | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date | | event.dataset | Event dataset | constant_keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. 
The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword | | event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| host.architecture | Operating system architecture. | keyword | | host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. 
It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | host.os.build | OS build information. | keyword | | host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | input.type | Type of Filebeat input. | keyword | -| labels | Custom key/value pairs. Can be used to add meta information to events. Should not contain nested objects. All values are stored as keyword. Example: `docker` and `k8s` labels. | object | | labels.is_ioc_transform_source | Field indicating if its the transform source for supporting IOC expiration. This field is dropped from destination indices to facilitate easier filtering of indicators. | constant_keyword | -| log.file.path | Path to the log file. | keyword | | log.flags | Flags for the log file. | keyword | | log.offset | Offset of the entry in the log file. | long | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| related.hash | All the hashes seen on your event. 
Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | -| tags | List of keywords used to tag each event. | keyword | | threat.feed.dashboard_id | Dashboard ID used for Kibana CTI UI | constant_keyword | | threat.feed.name | Display friendly feed name | constant_keyword | -| threat.indicator.file.elf.telfhash | telfhash symbol hash for ELF file. | keyword | -| threat.indicator.file.extension | File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | -| threat.indicator.file.hash.md5 | MD5 hash. | keyword | -| threat.indicator.file.hash.sha1 | SHA1 hash. | keyword | -| threat.indicator.file.hash.sha256 | SHA256 hash. | keyword | -| threat.indicator.file.hash.sha384 | The file's sha384 hash, if available. | keyword | -| threat.indicator.file.hash.ssdeep | SSDEEP hash. | keyword | -| threat.indicator.file.hash.tlsh | The file's import tlsh, if available. | keyword | -| threat.indicator.file.mime_type | MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used. | keyword | -| threat.indicator.file.name | Name of the file including the extension, without the directory. | keyword | -| threat.indicator.file.pe.imphash | A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. | keyword | -| threat.indicator.file.size | File size in bytes. 
Only relevant when `file.type` is "file". | long | -| threat.indicator.file.type | File type (file, dir, or symlink). | keyword | -| threat.indicator.file.x509.issuer.common_name | List of common name (CN) of issuing certificate authority. | keyword | -| threat.indicator.file.x509.not_after | Time at which the certificate is no longer considered valid. | date | -| threat.indicator.file.x509.not_before | Time at which the certificate is first considered valid. | date | -| threat.indicator.file.x509.public_key_algorithm | Algorithm used to generate the public key. | keyword | -| threat.indicator.file.x509.serial_number | Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. | keyword | -| threat.indicator.file.x509.subject.common_name | List of common names (CN) of subject. | keyword | -| threat.indicator.first_seen | The date and time when intelligence source first reported sighting this indicator. | date | -| threat.indicator.geo.country_iso_code | Country ISO code. | keyword | -| threat.indicator.last_seen | The date and time when intelligence source last reported sighting this indicator. | date | -| threat.indicator.name | The display name indicator in an UI friendly format URL, IP address, email address, registry key, port number, hash value, or other relevant name can serve as the display name. | keyword | -| threat.indicator.provider | The name of the indicator's provider. | keyword | -| threat.indicator.type | Type of indicator as represented by Cyber Observable in STIX 2.0. | keyword | -| threat.software.alias | The alias(es) of the software for a set of related intrusion activity that are tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® associated software description. | keyword | ### Threat Fox 
@@ -324,90 +153,18 @@ The AbuseCH threatfox data_stream retrieves threat intelligence indicators from | abusech.threatfox.tags | A list of tags associated with the queried malware sample. | keyword | | abusech.threatfox.threat_type | The type of threat. | keyword | | abusech.threatfox.threat_type_desc | The threat descsription. | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | | cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | | data_stream.dataset | Data stream dataset name. | constant_keyword | | data_stream.namespace | Data stream namespace. | constant_keyword | | data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.message | Error message. 
| match_only_text | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date | | event.dataset | Event dataset | constant_keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. 
The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword | | event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| host.architecture | Operating system architecture. | keyword | | host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. 
It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | host.os.build | OS build information. | keyword | | host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | input.type | Type of Filebeat input. | keyword | -| labels | Custom key/value pairs. Can be used to add meta information to events. Should not contain nested objects. All values are stored as keyword. Example: `docker` and `k8s` labels. | object | | labels.is_ioc_transform_source | Field indicating if its the transform source for supporting IOC expiration. This field is dropped from destination indices to facilitate easier filtering of indicators. | constant_keyword | -| log.file.path | Path to the log file. | keyword | | log.flags | Flags for the log file. | keyword | | log.offset | Offset of the entry in the log file. | long | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| related.hash | All the hashes seen on your event. 
Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword |
-| tags | List of keywords used to tag each event. | keyword |
 | threat.feed.dashboard_id | Dashboard ID used for Kibana CTI UI | constant_keyword |
 | threat.feed.name | Display friendly feed name | constant_keyword |
-| threat.indicator.confidence | Identifies the vendor-neutral confidence rating using the None/Low/Medium/High scale defined in Appendix A of the STIX 2.1 framework. Vendor-specific confidence scales may be added as custom fields. | keyword |
-| threat.indicator.description | Describes the type of action conducted by the threat. | keyword |
-| threat.indicator.file.elf.telfhash | telfhash symbol hash for ELF file. | keyword |
-| threat.indicator.file.extension | File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword |
-| threat.indicator.file.hash.md5 | MD5 hash. | keyword |
-| threat.indicator.file.hash.sha1 | SHA1 hash. | keyword |
-| threat.indicator.file.hash.sha256 | SHA256 hash. | keyword |
-| threat.indicator.file.hash.sha384 | SHA384 hash. | keyword |
-| threat.indicator.file.hash.ssdeep | SSDEEP hash. | keyword |
-| threat.indicator.file.hash.tlsh | TLSH hash. | keyword |
-| threat.indicator.file.mime_type | MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used. | keyword |
-| threat.indicator.file.name | Name of the file including the extension, without the directory. | keyword |
-| threat.indicator.file.pe.imphash | A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. | keyword |
-| threat.indicator.file.size | File size in bytes. Only relevant when `file.type` is "file". | long |
-| threat.indicator.file.type | File type (file, dir, or symlink). | keyword |
-| threat.indicator.first_seen | The date and time when intelligence source first reported sighting this indicator. | date |
-| threat.indicator.ip | Identifies a threat indicator as an IP address (irrespective of direction). | ip |
-| threat.indicator.last_seen | The date and time when intelligence source last reported sighting this indicator. | date |
-| threat.indicator.name | The display name indicator in an UI friendly format URL, IP address, email address, registry key, port number, hash value, or other relevant name can serve as the display name. | keyword |
-| threat.indicator.port | Identifies a threat indicator as a port number (irrespective of direction). | long |
-| threat.indicator.provider | The name of the indicator's provider. | keyword |
-| threat.indicator.reference | Reference URL linking to additional information about this indicator. | keyword |
-| threat.indicator.type | Type of indicator as represented by Cyber Observable in STIX 2.0. | keyword |
-| threat.indicator.url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword |
-| threat.indicator.url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword |
-| threat.indicator.url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard |
-| threat.indicator.url.original.text | Multi-field of `threat.indicator.url.original`. | match_only_text |
-| threat.indicator.url.path | Path of the request, such as "/search". | wildcard |
-| threat.indicator.url.port | Port of the request, such as 443. | long |
-| threat.indicator.url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword |
-| threat.software.alias | The alias(es) of the software for a set of related intrusion activity that are tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® associated software description. | keyword |
-| threat.software.name | The name of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software name. | keyword |
-| threat.software.reference | The reference URL of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software reference URL. | keyword |
diff --git a/packages/ti_abusech/elasticsearch/transform/latest_malware/fields/ecs.yml b/packages/ti_abusech/elasticsearch/transform/latest_malware/fields/ecs.yml index f2d8810b7f8..341ded8e127 100644 --- a/packages/ti_abusech/elasticsearch/transform/latest_malware/fields/ecs.yml +++ b/packages/ti_abusech/elasticsearch/transform/latest_malware/fields/ecs.yml @@ -62,4 +62,4 @@ - name: threat.feed.dashboard_id type: constant_keyword description: Dashboard ID used for Kibana CTI UI - value: ti_abusech-c0d8d1f0-3b20-11ec-ae50-2fdf1e96c6a6 \ No newline at end of file + value: ti_abusech-c0d8d1f0-3b20-11ec-ae50-2fdf1e96c6a6 diff --git a/packages/ti_abusech/elasticsearch/transform/latest_malwarebazaar/fields/ecs.yml b/packages/ti_abusech/elasticsearch/transform/latest_malwarebazaar/fields/ecs.yml index b20161a264d..b8e179e3488 100644 --- a/packages/ti_abusech/elasticsearch/transform/latest_malwarebazaar/fields/ecs.yml +++ b/packages/ti_abusech/elasticsearch/transform/latest_malwarebazaar/fields/ecs.yml @@ -93,4 +93,4 @@ - name: threat.feed.dashboard_id type: constant_keyword description: Dashboard ID used for Kibana CTI UI - value: ti_abusech-c0d8d1f0-3b20-11ec-ae50-2fdf1e96c6a6 \ No newline at end of file + value: ti_abusech-c0d8d1f0-3b20-11ec-ae50-2fdf1e96c6a6 diff --git a/packages/ti_abusech/elasticsearch/transform/latest_url/fields/ecs.yml b/packages/ti_abusech/elasticsearch/transform/latest_url/fields/ecs.yml index d2e06310dbd..53b57d765b4 100644 --- a/packages/ti_abusech/elasticsearch/transform/latest_url/fields/ecs.yml +++ b/packages/ti_abusech/elasticsearch/transform/latest_url/fields/ecs.yml @@ -69,4 +69,4 @@ - name: threat.feed.dashboard_id type: constant_keyword description: Dashboard ID used for Kibana CTI UI - value: ti_abusech-c0d8d1f0-3b20-11ec-ae50-2fdf1e96c6a6 \ No newline at end of file + value: ti_abusech-c0d8d1f0-3b20-11ec-ae50-2fdf1e96c6a6 
diff --git a/packages/ti_abusech/manifest.yml b/packages/ti_abusech/manifest.yml index d4570c22f39..361d540c292 100644 --- a/packages/ti_abusech/manifest.yml +++ b/packages/ti_abusech/manifest.yml @@ -1,13 +1,13 @@ name: ti_abusech title: AbuseCH -version: "2.1.0" +version: "2.2.0" description: Ingest threat intelligence indicators from URL Haus, Malware Bazaar, and Threat Fox feeds with Elastic Agent. type: integration format_version: "3.0.3" categories: ["security", "threat_intel"] conditions: kibana: - version: ^8.12.0 + version: "^8.13.0" icons: - src: /img/abusech2.svg title: AbuseCH diff --git a/packages/ti_anomali/changelog.yml b/packages/ti_anomali/changelog.yml index e9dec6c8ef0..fe2cd13c3ae 100644 --- a/packages/ti_anomali/changelog.yml +++ b/packages/ti_anomali/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.22.0" + changes: + - description: Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template. + type: enhancement + link: https://github.com/elastic/integrations/pull/10135 - version: "1.21.0" changes: - description: Add destination index alias and fix docs. diff --git a/packages/ti_anomali/data_stream/threatstream/fields/agent.yml b/packages/ti_anomali/data_stream/threatstream/fields/agent.yml index da4e652c53b..2bc58530bac 100644 --- a/packages/ti_anomali/data_stream/threatstream/fields/agent.yml +++ b/packages/ti_anomali/data_stream/threatstream/fields/agent.yml 
@@ -5,180 +5,15 @@ footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' type: group fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - name: image.id type: keyword description: Image ID for the cloud instance. -- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. 
- - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. - name: host title: Host group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' type: group fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. 
- - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - name: containerized type: boolean description: > diff --git a/packages/ti_anomali/data_stream/threatstream/fields/beats.yml b/packages/ti_anomali/data_stream/threatstream/fields/beats.yml index cb44bb29442..96190255552 100644 
--- a/packages/ti_anomali/data_stream/threatstream/fields/beats.yml +++ b/packages/ti_anomali/data_stream/threatstream/fields/beats.yml @@ -7,6 +7,3 @@ - name: log.offset type: long description: Offset of the entry in the log file. -- name: log.file.path - type: keyword - description: Path to the log file. diff --git a/packages/ti_anomali/data_stream/threatstream/fields/ecs.yml b/packages/ti_anomali/data_stream/threatstream/fields/ecs.yml deleted file mode 100644 index dc643b95903..00000000000 --- a/packages/ti_anomali/data_stream/threatstream/fields/ecs.yml +++ /dev/null 
@@ -1,72 +0,0 @@ -- external: ecs - name: ecs.version -- external: ecs - name: message -- external: ecs - name: tags -- external: ecs - name: error.message -- external: ecs - name: event.severity -- external: ecs - name: event.category -- external: ecs - name: event.ingested -- external: ecs - name: event.kind -- external: ecs - name: event.type -- external: ecs - name: event.created -- external: ecs - name: event.original -- external: ecs - name: threat.indicator.first_seen -- external: ecs - name: threat.indicator.last_seen -- external: ecs - name: threat.indicator.type -- external: ecs - name: threat.indicator.ip -- external: ecs - name: threat.indicator.url.domain -- external: ecs - name: threat.indicator.url.full -- external: ecs - name: threat.indicator.url.extension -- external: ecs - name: threat.indicator.url.original -- external: ecs - name: threat.indicator.url.path -- external: ecs - name: threat.indicator.url.port -- external: ecs - name: threat.indicator.url.scheme -- external: ecs - name: threat.indicator.url.query -- external: ecs - name: threat.indicator.file.hash.md5 -- external: ecs - name: threat.indicator.file.hash.sha1 -- external: ecs - name: threat.indicator.file.hash.sha256 -- external: ecs - name: threat.indicator.file.hash.sha512 -- external: ecs - name: threat.indicator.email.address -- external: ecs - name: threat.indicator.provider -- external: ecs - name: threat.indicator.marking.tlp -- external: ecs - name: threat.indicator.confidence -- external: ecs - name: threat.indicator.as.number -- external: ecs - name: threat.indicator.as.organization.name -- external: ecs - name: threat.indicator.geo.location -- external: ecs - name: threat.indicator.geo.country_iso_code -- external: ecs - name: labels diff --git a/packages/ti_anomali/docs/README.md b/packages/ti_anomali/docs/README.md index c80c2e3c4ab..2c496c354c8 100644 --- a/packages/ti_anomali/docs/README.md +++ b/packages/ti_anomali/docs/README.md 
@@ -163,85 +163,19 @@ An example event for `threatstream` looks as following:
 | anomali.threatstream.update_id | Update ID. | keyword |
 | anomali.threatstream.url | URL for the indicator. | keyword |
 | anomali.threatstream.value_type | Data type of the indicator. Possible values: ip, domain, url, email, md5. | keyword |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
 | cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
 | data_stream.dataset | Data stream dataset name. | constant_keyword |
 | data_stream.namespace | Data stream namespace. | constant_keyword |
 | data_stream.type | Data stream type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| error.message | Error message. | match_only_text |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date |
 | event.dataset | Event dataset | constant_keyword |
-| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword |
 | event.module | Event module | constant_keyword |
-| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
-| event.severity | The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. | long |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| host.architecture | Operating system architecture. | keyword |
 | host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
 | host.os.build | OS build information. | keyword |
 | host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
 | input.type | Type of Filebeat input. | keyword |
-| labels | Custom key/value pairs. Can be used to add meta information to events. Should not contain nested objects. All values are stored as keyword. Example: `docker` and `k8s` labels. | object |
 | labels.is_ioc_transform_source | Field indicating if its the transform source for supporting IOC expiration. This field is dropped from destination indices to facilitate easier filtering of indicators. | constant_keyword |
-| log.file.path | Path to the log file. | keyword |
 | log.flags | Flags for the log file. | keyword |
 | log.offset | Offset of the entry in the log file. | long |
-| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text |
-| tags | List of keywords used to tag each event. | keyword |
 | threat.feed.dashboard_id | Dashboard ID used for Kibana CTI UI | constant_keyword |
 | threat.feed.name | Display friendly feed name | constant_keyword |
-| threat.indicator.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| threat.indicator.as.organization.name | Organization name. | keyword |
-| threat.indicator.as.organization.name.text | Multi-field of `threat.indicator.as.organization.name`. | match_only_text |
-| threat.indicator.confidence | Identifies the vendor-neutral confidence rating using the None/Low/Medium/High scale defined in Appendix A of the STIX 2.1 framework. Vendor-specific confidence scales may be added as custom fields. | keyword |
-| threat.indicator.email.address | Identifies a threat indicator as an email address (irrespective of direction). | keyword |
-| threat.indicator.file.hash.md5 | MD5 hash. | keyword |
-| threat.indicator.file.hash.sha1 | SHA1 hash. | keyword |
-| threat.indicator.file.hash.sha256 | SHA256 hash. | keyword |
-| threat.indicator.file.hash.sha512 | SHA512 hash. | keyword |
-| threat.indicator.first_seen | The date and time when intelligence source first reported sighting this indicator. | date |
-| threat.indicator.geo.country_iso_code | Country ISO code. | keyword |
-| threat.indicator.geo.location | Longitude and latitude. | geo_point |
-| threat.indicator.ip | Identifies a threat indicator as an IP address (irrespective of direction). | ip |
-| threat.indicator.last_seen | The date and time when intelligence source last reported sighting this indicator. | date |
-| threat.indicator.marking.tlp | Traffic Light Protocol sharing markings. | keyword |
-| threat.indicator.provider | The name of the indicator's provider. | keyword |
-| threat.indicator.type | Type of indicator as represented by Cyber Observable in STIX 2.0. | keyword |
-| threat.indicator.url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword |
-| threat.indicator.url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword |
-| threat.indicator.url.full | If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. | wildcard |
-| threat.indicator.url.full.text | Multi-field of `threat.indicator.url.full`. | match_only_text |
-| threat.indicator.url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard |
-| threat.indicator.url.original.text | Multi-field of `threat.indicator.url.original`. | match_only_text |
-| threat.indicator.url.path | Path of the request, such as "/search". | wildcard |
-| threat.indicator.url.port | Port of the request, such as 443. | long |
-| threat.indicator.url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword |
-| threat.indicator.url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword |
diff --git a/packages/ti_anomali/manifest.yml b/packages/ti_anomali/manifest.yml
index f47b6d4b908..0a24809b304 100644
--- a/packages/ti_anomali/manifest.yml
+++ b/packages/ti_anomali/manifest.yml
@@ -1,13 +1,13 @@
 name: ti_anomali
 title: Anomali
-version: "1.21.0"
+version: "1.22.0"
 description: Ingest threat intelligence indicators from Anomali with Elastic Agent.
 type: integration
 format_version: 3.0.2
 categories: ["security", "threat_intel"]
 conditions:
 kibana:
- version: ^8.12.0
+ version: "^8.13.0"
 icons:
 - src: /img/anomali.svg
 title: Anomali
diff --git a/packages/ti_cif3/changelog.yml b/packages/ti_cif3/changelog.yml
index 5d3177b7437..2fac90c48a9 100644
--- a/packages/ti_cif3/changelog.yml
+++ b/packages/ti_cif3/changelog.yml
@@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.14.0" + changes: + - description: Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template. + type: enhancement + link: https://github.com/elastic/integrations/pull/10135 - version: "1.13.1" changes: - description: Adjust field mappings for transform destination index. diff --git a/packages/ti_cif3/data_stream/feed/fields/beats.yml b/packages/ti_cif3/data_stream/feed/fields/beats.yml index cb44bb29442..96190255552 100644 --- a/packages/ti_cif3/data_stream/feed/fields/beats.yml +++ b/packages/ti_cif3/data_stream/feed/fields/beats.yml @@ -7,6 +7,3 @@ - name: log.offset type: long description: Offset of the entry in the log file. -- name: log.file.path - type: keyword - description: Path to the log file. diff --git a/packages/ti_cif3/data_stream/feed/fields/ecs.yml b/packages/ti_cif3/data_stream/feed/fields/ecs.yml index 18abb0a68db..5e8cd8465f7 100644 --- a/packages/ti_cif3/data_stream/feed/fields/ecs.yml +++ b/packages/ti_cif3/data_stream/feed/fields/ecs.yml 
@@ -1,106 +1,4 @@ -- external: ecs - name: ecs.version -- external: ecs - name: message -- external: ecs - name: error.message -- external: ecs - name: tags -- external: ecs - name: related.hash -- external: ecs - name: related.ip -- external: ecs - name: related.hosts -- external: ecs - name: event.created -- external: ecs - name: event.ingested -- external: ecs - name: event.kind -- external: ecs - name: event.category -- external: ecs - name: event.provider -- external: ecs - name: event.type -- external: ecs - name: event.original -- external: ecs - name: network.protocol -- external: ecs - name: network.transport -- external: ecs - name: threat.indicator.type -- external: ecs - name: threat.indicator.first_seen -- external: ecs - name: threat.indicator.last_seen -- external: ecs - name: threat.indicator.modified_at -- external: ecs - name: threat.indicator.reference -- external: ecs - name: threat.indicator.description -- external: ecs - name: threat.indicator.sightings -- external: ecs - name: threat.indicator.file.type -- external: ecs - name: threat.indicator.file.hash.md5 -- external: ecs - name: threat.indicator.file.hash.sha1 -- external: ecs - name: threat.indicator.file.hash.sha256 -- external: ecs - name: threat.indicator.file.hash.sha512 -- external: ecs - name: threat.indicator.file.pe.imphash -- external: ecs - name: threat.indicator.file.hash.ssdeep - name: threat.indicator.tls.client.ja3 level: extended type: keyword description: An md5 hash that identifies clients based on their TLS handshake. 
-- external: ecs - name: threat.indicator.email.address -- external: ecs - name: threat.indicator.ip -- external: ecs - name: threat.indicator.url.domain -- external: ecs - name: threat.indicator.url.full -- external: ecs - name: threat.indicator.url.extension -- external: ecs - name: threat.indicator.url.original -- external: ecs - name: threat.indicator.url.path -- external: ecs - name: threat.indicator.url.port -- external: ecs - name: threat.indicator.url.scheme -- external: ecs - name: threat.indicator.url.query -- external: ecs - name: threat.indicator.provider -- external: ecs - name: threat.indicator.as.number -- external: ecs - name: threat.indicator.as.organization.name -- external: ecs - name: threat.indicator.marking.tlp -- external: ecs - name: threat.indicator.confidence -- external: ecs - name: threat.indicator.geo.location -- external: ecs - name: threat.indicator.geo.country_iso_code -- external: ecs - name: threat.indicator.geo.region_name -- external: ecs - name: threat.indicator.geo.timezone -- external: ecs - name: threat.indicator.name -- external: ecs - name: labels diff --git a/packages/ti_cif3/docs/README.md b/packages/ti_cif3/docs/README.md index 666dae4a399..6dee6248430 100644 --- a/packages/ti_cif3/docs/README.md +++ b/packages/ti_cif3/docs/README.md 
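Review bot: Removing the explicit `external: ecs` definitions for the non-keyword indicator fields in this hunk (`threat.indicator.first_seen`, `last_seen`, `modified_at`, `sightings`, `as.number`, `geo.location`, `url.full`, `url.original`) leaves their mapping to the `ecs@mappings` dynamic templates plus whatever JSON type the feed pipeline emits, so a value that still arrives as a string would presumably land as `keyword` instead of `date`, `long`, `geo_point` or `wildcard`, silently breaking range queries and any dashboards keyed on those types. The retained `threat.indicator.tls.client.ja3` entry shows the pattern for fields that need to stay explicit; the same concern applies to the `ti_anomali` `threatstream/fields/ecs.yml` deletion earlier in this patch. I would add a pipeline-test expectation (or a system test on an `^8.13.0` stack, the constraint this patch introduces in the manifests) that checks the resulting field types for the sample event, and keep an explicit definition for any field the dynamic templates do not cover, e.g. `- name: threat.indicator.sightings` with `type: long`.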
@@ -72,69 +72,14 @@ CIFv3 `confidence` field values (0..10) are converted to ECS confidence (None, L | data_stream.dataset | Data stream dataset. | constant_keyword | | data_stream.namespace | Data stream namespace. | constant_keyword | | data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.message | Error message. | match_only_text | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date | | event.dataset | Event dataset | constant_keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. 
It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword | | event.module | Name of the module this data is coming from. | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.provider | Source of the event. Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). | keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. 
`event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | | input.type | Type of Filebeat input. | keyword | -| labels | Custom key/value pairs. Can be used to add meta information to events. Should not contain nested objects. All values are stored as keyword. Example: `docker` and `k8s` labels. | object | | labels.is_ioc_transform_source | Field indicating if its the transform source for supporting IOC expiration. This field is dropped from destination indices to facilitate easier filtering of indicators. | constant_keyword | -| log.file.path | Path to the log file. | keyword | | log.flags | Flags for the log file. | keyword | | log.offset | Offset of the entry in the log file. | long | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). 
| keyword | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| tags | List of keywords used to tag each event. | keyword | | threat.feed.name | Display friendly feed name | constant_keyword | -| threat.indicator.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| threat.indicator.as.organization.name | Organization name. | keyword | -| threat.indicator.as.organization.name.text | Multi-field of `threat.indicator.as.organization.name`. | match_only_text | -| threat.indicator.confidence | Identifies the vendor-neutral confidence rating using the None/Low/Medium/High scale defined in Appendix A of the STIX 2.1 framework. Vendor-specific confidence scales may be added as custom fields. | keyword | -| threat.indicator.description | Describes the type of action conducted by the threat. | keyword | -| threat.indicator.email.address | Identifies a threat indicator as an email address (irrespective of direction). | keyword | -| threat.indicator.file.hash.md5 | MD5 hash. | keyword | -| threat.indicator.file.hash.sha1 | SHA1 hash. | keyword | -| threat.indicator.file.hash.sha256 | SHA256 hash. | keyword | -| threat.indicator.file.hash.sha512 | SHA512 hash. | keyword | -| threat.indicator.file.hash.ssdeep | SSDEEP hash. | keyword | -| threat.indicator.file.pe.imphash | A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. | keyword | -| threat.indicator.file.type | File type (file, dir, or symlink). 
| keyword | -| threat.indicator.first_seen | The date and time when intelligence source first reported sighting this indicator. | date | -| threat.indicator.geo.country_iso_code | Country ISO code. | keyword | -| threat.indicator.geo.location | Longitude and latitude. | geo_point | -| threat.indicator.geo.region_name | Region name. | keyword | -| threat.indicator.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword | -| threat.indicator.ip | Identifies a threat indicator as an IP address (irrespective of direction). | ip | -| threat.indicator.last_seen | The date and time when intelligence source last reported sighting this indicator. | date | -| threat.indicator.marking.tlp | Traffic Light Protocol sharing markings. | keyword | -| threat.indicator.modified_at | The date and time when intelligence source last modified information for this indicator. | date | -| threat.indicator.name | The display name indicator in an UI friendly format URL, IP address, email address, registry key, port number, hash value, or other relevant name can serve as the display name. | keyword | -| threat.indicator.provider | The name of the indicator's provider. | keyword | -| threat.indicator.reference | Reference URL linking to additional information about this indicator. | keyword | -| threat.indicator.sightings | Number of times this indicator was observed conducting threat activity. | long | | threat.indicator.tls.client.ja3 | An md5 hash that identifies clients based on their TLS handshake. | keyword | -| threat.indicator.type | Type of indicator as represented by Cyber Observable in STIX 2.0. | keyword | -| threat.indicator.url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. 
If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | -| threat.indicator.url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | -| threat.indicator.url.full | If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. | wildcard | -| threat.indicator.url.full.text | Multi-field of `threat.indicator.url.full`. | match_only_text | -| threat.indicator.url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | -| threat.indicator.url.original.text | Multi-field of `threat.indicator.url.original`. | match_only_text | -| threat.indicator.url.path | Path of the request, such as "/search". | wildcard | -| threat.indicator.url.port | Port of the request, such as 443. | long | -| threat.indicator.url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword | -| threat.indicator.url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. 
| keyword | An example event for `feed` looks as following:
diff --git a/packages/ti_cif3/manifest.yml b/packages/ti_cif3/manifest.yml
index 3580b2b3cc2..d5a258a9f2d 100644
--- a/packages/ti_cif3/manifest.yml
+++ b/packages/ti_cif3/manifest.yml
@@ -1,7 +1,7 @@
 format_version: "3.0.2"
 name: ti_cif3
 title: "Collective Intelligence Framework v3"
-version: "1.13.1"
+version: "1.14.0"
 description: "Ingest threat indicators from a Collective Intelligence Framework v3 instance with Elastic Agent."
 type: integration
 categories:
@@ -9,7 +9,7 @@ categories:
 - threat_intel
 conditions:
 kibana:
- version: "^8.12.0"
+ version: "^8.13.0"
 icons:
 - src: /img/csg_logo_big.svg
 title: csirtgadgets logo
diff --git a/packages/ti_crowdstrike/changelog.yml b/packages/ti_crowdstrike/changelog.yml
index 641e659e0f5..5d6ee86fef8 100644
--- a/packages/ti_crowdstrike/changelog.yml
+++ b/packages/ti_crowdstrike/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.1.0"
+ changes:
+ - description: Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/10135
 - version: "1.0.1"
 changes:
 - description: Adjust field mappings for transform destination index.
diff --git a/packages/ti_crowdstrike/data_stream/intel/_dev/test/pipeline/test-common-config.yml b/packages/ti_crowdstrike/data_stream/intel/_dev/test/pipeline/test-common-config.yml
index 36106b22efb..1f0a54d166d 100644
--- a/packages/ti_crowdstrike/data_stream/intel/_dev/test/pipeline/test-common-config.yml
+++ b/packages/ti_crowdstrike/data_stream/intel/_dev/test/pipeline/test-common-config.yml
@@ -2,7 +2,6 @@ fields:
 tags:
 - preserve_original_event
 - preserve_duplicate_custom_fields
- dynamic_fields:
 # This can be removed after ES 8.14 is the minimum version.
 # Relates: https://github.com/elastic/elasticsearch/pull/105689
diff --git a/packages/ti_crowdstrike/data_stream/intel/fields/beats.yml b/packages/ti_crowdstrike/data_stream/intel/fields/beats.yml
index b3701b581cf..4084f1dc7f5 100644
--- a/packages/ti_crowdstrike/data_stream/intel/fields/beats.yml
+++ b/packages/ti_crowdstrike/data_stream/intel/fields/beats.yml
@@ -4,6 +4,3 @@
 - name: log.offset
 type: long
 description: Log offset.
-- name: tags
- type: keyword
- description: User defined tags.
diff --git a/packages/ti_crowdstrike/data_stream/ioc/fields/beats.yml b/packages/ti_crowdstrike/data_stream/ioc/fields/beats.yml
index b3701b581cf..4084f1dc7f5 100644
--- a/packages/ti_crowdstrike/data_stream/ioc/fields/beats.yml
+++ b/packages/ti_crowdstrike/data_stream/ioc/fields/beats.yml
@@ -4,6 +4,3 @@
 - name: log.offset
 type: long
 description: Log offset.
-- name: tags
- type: keyword
- description: User defined tags.
diff --git a/packages/ti_crowdstrike/docs/README.md b/packages/ti_crowdstrike/docs/README.md
index 3852df59040..638365f0f04 100644
--- a/packages/ti_crowdstrike/docs/README.md
+++ b/packages/ti_crowdstrike/docs/README.md
@@ -266,7 +266,6 @@ An example event for `intel` looks as following:
 | input.type | Type of filebeat input. | keyword |
 | labels.is_ioc_transform_source | Field indicating if its the transform source for supporting IOC expiration. This field is dropped from destination indices to facilitate easier filtering of indicators. | constant_keyword |
 | log.offset | Log offset. | long |
-| tags | User defined tags. | keyword |
 | threat.feed.name | Display friendly feed name. | constant_keyword |
 | ti_crowdstrike.intel._marker | A special marker associated with the Intel Indicator. | keyword |
 | ti_crowdstrike.intel.actors | Information related to actors associated with the Intel Indicator. | keyword |
@@ -425,7 +424,6 @@ An example event for `ioc` looks as following:
 | input.type | Type of filebeat input. | keyword |
 | labels.is_ioc_transform_source | Field indicating if its the transform source for supporting IOC expiration. This field is dropped from destination indices to facilitate easier filtering of indicators. | constant_keyword |
 | log.offset | Log offset. | long |
-| tags | User defined tags. | keyword |
 | threat.feed.name | Display friendly feed name. | constant_keyword |
 | ti_crowdstrike.ioc.action | Describes the action taken when the IOC is detected. | keyword |
 | ti_crowdstrike.ioc.applied_globally | Indicates whether the IOC is applied globally. | boolean |
diff --git a/packages/ti_crowdstrike/elasticsearch/transform/latest_intel/fields/ecs.yml b/packages/ti_crowdstrike/elasticsearch/transform/latest_intel/fields/ecs.yml
index 630d61d9b7f..5ff0db55f80 100644
--- a/packages/ti_crowdstrike/elasticsearch/transform/latest_intel/fields/ecs.yml
+++ b/packages/ti_crowdstrike/elasticsearch/transform/latest_intel/fields/ecs.yml
@@ -51,4 +51,4 @@
 - name: threat.feed.name
 type: constant_keyword
 description: Display friendly feed name.
- value: CrowdStrike Intel
\ No newline at end of file
+ value: CrowdStrike Intel
diff --git a/packages/ti_crowdstrike/elasticsearch/transform/latest_ioc/fields/ecs.yml b/packages/ti_crowdstrike/elasticsearch/transform/latest_ioc/fields/ecs.yml
index 93108af9ebb..60de423993f 100644
--- a/packages/ti_crowdstrike/elasticsearch/transform/latest_ioc/fields/ecs.yml
+++ b/packages/ti_crowdstrike/elasticsearch/transform/latest_ioc/fields/ecs.yml
@@ -55,4 +55,4 @@
 - name: threat.feed.name
 type: constant_keyword
 description: Display friendly feed name.
- value: CrowdStrike IOC
\ No newline at end of file
+ value: CrowdStrike IOC
diff --git a/packages/ti_crowdstrike/manifest.yml b/packages/ti_crowdstrike/manifest.yml
index 4e17c778467..fbda4e8a894 100644
--- a/packages/ti_crowdstrike/manifest.yml
+++ b/packages/ti_crowdstrike/manifest.yml
@@ -1,7 +1,7 @@
 format_version: 3.0.3
 name: ti_crowdstrike
 title: CrowdStrike Falcon Intelligence
-version: 1.0.1
+version: "1.1.0"
 description: Collect logs from CrowdStrike Falcon Intelligence with Elastic Agent.
 type: integration
 categories:
diff --git a/packages/ti_cybersixgill/changelog.yml b/packages/ti_cybersixgill/changelog.yml
index 5ed502d8ca7..2947ecc9b5a 100644
--- a/packages/ti_cybersixgill/changelog.yml
+++ b/packages/ti_cybersixgill/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.30.0"
+ changes:
+ - description: Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/10135
 - version: "1.29.1"
 changes:
 - description: Fix sample event.
diff --git a/packages/ti_cybersixgill/data_stream/threat/fields/agent.yml b/packages/ti_cybersixgill/data_stream/threat/fields/agent.yml
index 845b84ed9c0..4bdd88d3cd7 100644
--- a/packages/ti_cybersixgill/data_stream/threat/fields/agent.yml
+++ b/packages/ti_cybersixgill/data_stream/threat/fields/agent.yml
@@ -5,180 +5,15 @@ footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' type: group fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - name: image.id type: keyword description: Image ID for the cloud instance. -- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. 
- - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. - name: host title: Host group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' type: group fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. 
- - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - name: containerized type: boolean description: > diff --git a/packages/ti_cybersixgill/data_stream/threat/fields/ecs.yml b/packages/ti_cybersixgill/data_stream/threat/fields/ecs.yml deleted file mode 100644 index 022139ab678..00000000000 
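Review bot: The removed `host.os.name` entry in the `host` group of this hunk declared a `text` multi-field, so `host.os.name.text` only continues to exist if the ecs@mappings component template generates that subfield; I cannot confirm from this patch that it does. If it is not generated, a saved search or rule that references the subfield will match nothing rather than fail, which is easy to miss in testing. The surviving `host` group gives no hint of where its ECS fields now come from, so I would add a comment above its `fields:` key such as `# ECS cloud.* and host.* fields are supplied by the ecs@mappings component template (Kibana ^8.13.0 per the changelog); only non-ECS fields are listed here.`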
--- a/packages/ti_cybersixgill/data_stream/threat/fields/ecs.yml +++ /dev/null @@ -1,69 +0,0 @@ -- external: ecs - name: ecs.version -- external: ecs - name: message -- external: ecs - name: error.message -- external: ecs - name: event.category -- external: ecs - name: event.ingested -- external: ecs - name: event.kind -- external: ecs - name: event.original -- external: ecs - name: event.severity -- external: ecs - name: event.created -- external: ecs - name: tags -- external: ecs - name: threat.indicator.file.hash.md5 -- external: ecs - name: threat.indicator.file.hash.sha1 -- external: ecs - name: threat.indicator.file.hash.sha256 -- external: ecs - name: threat.indicator.url.full -- external: ecs - name: threat.indicator.url.domain -- external: ecs - name: threat.indicator.url.extension -- external: ecs - name: threat.indicator.url.original -- external: ecs - name: threat.indicator.url.path -- external: ecs - name: threat.indicator.url.scheme -- external: ecs - name: threat.indicator.url.fragment -- external: ecs - name: threat.indicator.ip -- external: ecs - name: threat.indicator.type -- external: ecs - name: threat.indicator.description -- external: ecs - name: threat.indicator.provider -- external: ecs - name: threat.indicator.reference -- external: ecs - name: threat.indicator.confidence -- external: ecs - name: threat.indicator.first_seen -- external: ecs - name: threat.indicator.last_seen -- external: ecs - name: threat.tactic.name -- external: ecs - name: threat.tactic.id -- external: ecs - name: threat.tactic.reference -# Manually define this as a workaround for failing tests and validation -- name: threat.indicator.name - level: extended - type: keyword - description: The display name indicator in an UI friendly format -- external: ecs - name: labels diff --git a/packages/ti_cybersixgill/docs/README.md b/packages/ti_cybersixgill/docs/README.md index 726fbde7b26..ef1b83205a0 100644 --- a/packages/ti_cybersixgill/docs/README.md 
+++ b/packages/ti_cybersixgill/docs/README.md
@@ -19,19 +19,7 @@ To facilitate IOC expiration, source datastream-backed indices `.ds-logs-ti_cybe
 | Field | Description | Type |
 |---|---|---|
 | @timestamp | Event timestamp. | date |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
 | cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
 | cybersixgill.actor | The related actor for the indicator. | keyword |
 | cybersixgill.deleted_at | The timestamp when indicator is (or will be) expired. | date |
 | cybersixgill.expiration_duration | The configured expiration duration. | keyword |
@@ -47,64 +35,15 @@ To facilitate IOC expiration, source datastream-backed indices `.ds-logs-ti_cybe | dataset.name | Dataset name. | constant_keyword | | dataset.namespace | Dataset namespace. | constant_keyword | | dataset.type | Dataset type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.message | Error message. | match_only_text | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date | | event.dataset | Event dataset | constant_keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. 
It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword | | event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.severity | The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. 
| long | -| host.architecture | Operating system architecture. | keyword | | host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | host.os.build | OS build information. | keyword | | host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | input.type | Input type. | keyword | -| labels | Custom key/value pairs. Can be used to add meta information to events. Should not contain nested objects. All values are stored as keyword. Example: `docker` and `k8s` labels. 
| object | | labels.is_ioc_transform_source | Field indicating if its the transform source for supporting IOC expiration. This field is dropped from destination indices to facilitate easier filtering of indicators. | constant_keyword | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| tags | List of keywords used to tag each event. | keyword | | threat.feed.dashboard_id | Dashboard ID used for Kibana CTI UI | constant_keyword | | threat.feed.name | Display friendly feed name | constant_keyword | -| threat.indicator.confidence | Identifies the vendor-neutral confidence rating using the None/Low/Medium/High scale defined in Appendix A of the STIX 2.1 framework. Vendor-specific confidence scales may be added as custom fields. | keyword | -| threat.indicator.description | Describes the type of action conducted by the threat. | keyword | -| threat.indicator.file.hash.md5 | MD5 hash. | keyword | -| threat.indicator.file.hash.sha1 | SHA1 hash. | keyword | -| threat.indicator.file.hash.sha256 | SHA256 hash. | keyword | -| threat.indicator.first_seen | The date and time when intelligence source first reported sighting this indicator. | date | -| threat.indicator.ip | Identifies a threat indicator as an IP address (irrespective of direction). | ip | -| threat.indicator.last_seen | The date and time when intelligence source last reported sighting this indicator. | date | -| threat.indicator.name | The display name indicator in an UI friendly format | keyword | -| threat.indicator.provider | The name of the indicator's provider. | keyword | -| threat.indicator.reference | Reference URL linking to additional information about this indicator. 
| keyword | -| threat.indicator.type | Type of indicator as represented by Cyber Observable in STIX 2.0. | keyword | -| threat.indicator.url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | -| threat.indicator.url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | -| threat.indicator.url.fragment | Portion of the url after the `#`, such as "top". The `#` is not part of the fragment. | keyword | -| threat.indicator.url.full | If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. | wildcard | -| threat.indicator.url.full.text | Multi-field of `threat.indicator.url.full`. | match_only_text | -| threat.indicator.url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | -| threat.indicator.url.original.text | Multi-field of `threat.indicator.url.original`. | match_only_text | -| threat.indicator.url.path | Path of the request, such as "/search". | wildcard | -| threat.indicator.url.scheme | Scheme of the request, such as "https". 
Note: The `:` is not part of the scheme. | keyword | -| threat.tactic.id | The id of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ ) | keyword | -| threat.tactic.name | Name of the type of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/) | keyword | -| threat.tactic.reference | The reference url of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ ) | keyword | An example event for `threat` looks as following: diff --git a/packages/ti_cybersixgill/elasticsearch/transform/latest_ioc/fields/ecs.yml b/packages/ti_cybersixgill/elasticsearch/transform/latest_ioc/fields/ecs.yml index 9d58dae5eae..f38a6d7c1cb 100644 --- a/packages/ti_cybersixgill/elasticsearch/transform/latest_ioc/fields/ecs.yml +++ b/packages/ti_cybersixgill/elasticsearch/transform/latest_ioc/fields/ecs.yml @@ -82,4 +82,4 @@ - name: threat.feed.dashboard_id type: constant_keyword description: Dashboard ID used for Kibana CTI UI - value: ti_cybersixgill-c75353f0-5be8-11ec-9302-152fd766c738 \ No newline at end of file + value: ti_cybersixgill-c75353f0-5be8-11ec-9302-152fd766c738 diff --git a/packages/ti_cybersixgill/manifest.yml b/packages/ti_cybersixgill/manifest.yml index d22b1497ace..14458999d3c 100644 --- a/packages/ti_cybersixgill/manifest.yml +++ b/packages/ti_cybersixgill/manifest.yml @@ -1,13 +1,13 @@ name: ti_cybersixgill title: Cybersixgill -version: "1.29.1" +version: "1.30.0" description: Ingest threat intelligence indicators from Cybersixgill with Elastic Agent. type: integration format_version: "3.0.2" categories: ["security", "threat_intel"] conditions: kibana: - version: ^8.12.0 + version: "^8.13.0" policy_templates: - name: cybersixgill title: Cybersixgill Threat Intel 
diff --git a/packages/ti_eclecticiq/_dev/build/build.yml b/packages/ti_eclecticiq/_dev/build/build.yml index 49e8fdaa97d..2bfcfc223b0 100644 --- a/packages/ti_eclecticiq/_dev/build/build.yml +++ b/packages/ti_eclecticiq/_dev/build/build.yml @@ -1,3 +1,3 @@ dependencies: ecs: - reference: git@v8.10.0 + reference: "git@v8.11.0" diff --git a/packages/ti_eclecticiq/changelog.yml b/packages/ti_eclecticiq/changelog.yml index 66a87c88368..0539ee50b5b 100644 --- a/packages/ti_eclecticiq/changelog.yml +++ b/packages/ti_eclecticiq/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.1.0" + changes: + - description: ECS version updated to 8.11.0. Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template. + type: enhancement + link: https://github.com/elastic/integrations/pull/10135 - version: "1.0.1" changes: - description: Adjust field mappings for transform destination index. diff --git a/packages/ti_eclecticiq/data_stream/threat/_dev/test/pipeline/test-outgoing-feed-event.json-expected.json b/packages/ti_eclecticiq/data_stream/threat/_dev/test/pipeline/test-outgoing-feed-event.json-expected.json index cf21503aca1..8b39b3bc8e9 100644 --- a/packages/ti_eclecticiq/data_stream/threat/_dev/test/pipeline/test-outgoing-feed-event.json-expected.json +++ b/packages/ti_eclecticiq/data_stream/threat/_dev/test/pipeline/test-outgoing-feed-event.json-expected.json @@ -9,7 +9,7 @@ } }, "ecs": { - "version": "8.10.0" + "version": "8.11.0" }, "event": { "category": [ @@ -38,7 +38,7 @@ } }, "ecs": { - "version": "8.10.0" + "version": "8.11.0" }, "event": { "category": [ @@ -78,7 +78,7 @@ } }, "ecs": { - "version": "8.10.0" + "version": "8.11.0" }, "event": { "category": [ @@ -127,7 +127,7 @@ } }, "ecs": { - "version": "8.10.0" + "version": "8.11.0" }, "event": { "category": [ @@ -178,7 +178,7 @@ } }, "ecs": { - "version": "8.10.0" + "version": "8.11.0" }, "event": { "category": [ 
@@ -229,7 +229,7 @@ } }, "ecs": { - "version": "8.10.0" + "version": "8.11.0" }, "event": { "category": [ @@ -277,7 +277,7 @@ } }, "ecs": { - "version": "8.10.0" + "version": "8.11.0" }, "event": { "category": [ @@ -329,7 +329,7 @@ } }, "ecs": { - "version": "8.10.0" + "version": "8.11.0" }, "event": { "category": [ @@ -377,7 +377,7 @@ } }, "ecs": { - "version": "8.10.0" + "version": "8.11.0" }, "event": { "category": [ @@ -427,7 +427,7 @@ } }, "ecs": { - "version": "8.10.0" + "version": "8.11.0" }, "event": { "category": [ @@ -471,7 +471,7 @@ } }, "ecs": { - "version": "8.10.0" + "version": "8.11.0" }, "event": { "category": [ @@ -503,7 +503,7 @@ } }, "ecs": { - "version": "8.10.0" + "version": "8.11.0" }, "event": { "category": [ @@ -546,7 +546,7 @@ } }, "ecs": { - "version": "8.10.0" + "version": "8.11.0" }, "event": { "category": [ @@ -592,7 +592,7 @@ } }, "ecs": { - "version": "8.10.0" + "version": "8.11.0" }, "event": { "category": [ @@ -635,7 +635,7 @@ } }, "ecs": { - "version": "8.10.0" + "version": "8.11.0" }, "event": { "category": [ @@ -678,7 +678,7 @@ } }, "ecs": { - "version": "8.10.0" + "version": "8.11.0" }, "event": { "category": [ @@ -718,7 +718,7 @@ } }, "ecs": { - "version": "8.10.0" + "version": "8.11.0" }, "event": { "category": [ @@ -761,7 +761,7 @@ } }, "ecs": { - "version": "8.10.0" + "version": "8.11.0" }, "event": { "category": [ @@ -804,7 +804,7 @@ } }, "ecs": { - "version": "8.10.0" + "version": "8.11.0" }, "event": { "category": [ @@ -847,7 +847,7 @@ } }, "ecs": { - "version": "8.10.0" + "version": "8.11.0" }, "event": { "category": [ @@ -890,7 +890,7 @@ } }, "ecs": { - "version": "8.10.0" + "version": "8.11.0" }, "event": { "category": [ @@ -937,7 +937,7 @@ } }, "ecs": { - "version": "8.10.0" + "version": "8.11.0" }, "event": { "category": [ @@ -985,7 +985,7 @@ } }, "ecs": { - "version": "8.10.0" + "version": "8.11.0" }, "event": { "category": [ 
@@ -1023,7 +1023,7 @@ } }, "ecs": { - "version": "8.10.0" + "version": "8.11.0" }, "event": { "category": [ @@ -1056,7 +1056,7 @@ } }, "ecs": { - "version": "8.10.0" + "version": "8.11.0" }, "event": { "category": [ @@ -1089,7 +1089,7 @@ } }, "ecs": { - "version": "8.10.0" + "version": "8.11.0" }, "email": { "subject": "Test email subject" @@ -1122,7 +1122,7 @@ } }, "ecs": { - "version": "8.10.0" + "version": "8.11.0" }, "event": { "category": [ diff --git a/packages/ti_eclecticiq/data_stream/threat/elasticsearch/ingest_pipeline/default.yml b/packages/ti_eclecticiq/data_stream/threat/elasticsearch/ingest_pipeline/default.yml index 0fd46ba1c30..6f820915d43 100644 --- a/packages/ti_eclecticiq/data_stream/threat/elasticsearch/ingest_pipeline/default.yml +++ b/packages/ti_eclecticiq/data_stream/threat/elasticsearch/ingest_pipeline/default.yml @@ -4,7 +4,7 @@ processors: # hard coded fields - set: field: ecs.version - value: 8.10.0 + value: 8.11.0 - set: field: event.kind value: enrichment diff --git a/packages/ti_eclecticiq/data_stream/threat/fields/ecs.yml b/packages/ti_eclecticiq/data_stream/threat/fields/ecs.yml deleted file mode 100644 index e76a9ef82ea..00000000000 --- a/packages/ti_eclecticiq/data_stream/threat/fields/ecs.yml +++ /dev/null 
@@ -1,96 +0,0 @@ -- external: ecs - name: ecs.version -- external: ecs - name: message -- external: ecs - name: tags -- external: ecs - name: event.url -- external: ecs - name: event.created -- external: ecs - name: event.original -- external: ecs - name: event.start -- external: ecs - name: event.end -- external: ecs - name: event.provider -- external: ecs - name: event.category -- external: ecs - name: event.kind -- external: ecs - name: event.type -- external: ecs - name: threat.indicator.first_seen -- external: ecs - name: threat.indicator.confidence -- external: ecs - name: threat.indicator.marking.tlp -- name: threat.indicator.name - level: extended - type: keyword - description: The display name indicator in an UI friendly format -- external: ecs - name: threat.indicator.type -- external: ecs - name: threat.indicator.as.number -- external: ecs - name: vulnerability.id -- external: ecs - name: threat.indicator.url.domain -- external: ecs - name: threat.indicator.email.address -- external: ecs - name: email.subject -- external: ecs - name: threat.indicator.file.path -- external: ecs - name: threat.indicator.file.size -- external: ecs - name: threat.indicator.file.hash.md5 -- external: ecs - name: threat.indicator.file.hash.sha1 -- external: ecs - name: threat.indicator.file.hash.sha256 -- external: ecs - name: threat.indicator.file.hash.sha384 -- external: ecs - name: threat.indicator.file.hash.sha512 -- external: ecs - name: threat.indicator.file.hash.ssdeep -- external: ecs - name: host.hostname -- external: ecs - name: threat.indicator.ip -- external: ecs - name: threat.software.name -- external: ecs - name: threat.software.type -- external: ecs - name: organization.name -- external: ecs - name: threat.indicator.url.port -- external: ecs - name: process.command_line -- external: ecs - name: process.name -- external: ecs - name: threat.indicator.url.full -- external: ecs - name: user_agent.original -- external: ecs - name: threat.indicator.registry.value -- 
external: ecs - name: rule.name -- external: ecs - name: threat.indicator.x509.serial_number -- external: ecs - name: server.mac -- external: ecs - name: related.hash -- external: ecs - name: related.hosts -- external: ecs - name: related.ip diff --git a/packages/ti_eclecticiq/data_stream/threat/sample_event.json b/packages/ti_eclecticiq/data_stream/threat/sample_event.json index 5615bf1147d..0f530dde506 100644 --- a/packages/ti_eclecticiq/data_stream/threat/sample_event.json +++ b/packages/ti_eclecticiq/data_stream/threat/sample_event.json @@ -6,14 +6,14 @@ } }, "ecs": { - "version": "8.10.0" + "version": "8.11.0" }, "event": { "category": [ "threat" ], - "dataset": "ti_eclecticiq.threat", "created": "2023-06-08T12:00:30.187Z", + "dataset": "ti_eclecticiq.threat", "id": "XugasX/Bvu/150lNyQjzIGR0zZ8=", "kind": "enrichment", "original": "{\"calculated.relevancy\": \"0.68\", \"calculated.source_reliability\": \"A\", \"calculated.tlp\": \"GREEN\", \"diff\": \"add\", \"entity.id\": \"5e814485-012d-423d-b769-026bfed0f451\", \"entity.title\": \"Example\", \"entity.type\": \"malware\", \"meta.classification\": \"\", \"meta.confidence\": \"\", \"meta.entity_url\": \"https://test.com/entity/5e814485-012d-423d-b769-026bfed0f451\", \"meta.estimated_observed_time\": \"2019-07-09T17:42:44.777000+00:00\", \"meta.estimated_threat_end_time\": \"\", \"meta.estimated_threat_start_time\": \"2022-05-11T14:00:00.188000+00:00\", \"meta.ingest_time\": \"2023-06-08T12:00:30.187097+00:00\", \"meta.relevancy\": \"0.68\", \"meta.source_reliability\": \"A\", \"meta.tags\": \"tag1;tag2\", \"meta.taxonomy\": \"\", \"meta.terms_of_use\": \"\", \"meta.tlp\": \"GREEN\", \"source.ids\": \"47ec245c-9e7b-467e-a016-77a22ff12dd5\", \"source.names\": \"Test Source\", \"timestamp\": \"2023-06-20 18:06:10.126780+00:00\", \"type\": \"domain\", \"value\": \"example.com\", \"value_url\": \"https://test.com/main/extracts/domain/test\"}", 
diff --git a/packages/ti_eclecticiq/docs/README.md b/packages/ti_eclecticiq/docs/README.md index c4a3c23fc84..e49747ffd0e 100644 --- a/packages/ti_eclecticiq/docs/README.md +++ b/packages/ti_eclecticiq/docs/README.md @@ -186,14 +186,14 @@ An example event for `threat` looks as following: } }, "ecs": { - "version": "8.10.0" + "version": "8.11.0" }, "event": { "category": [ "threat" ], - "dataset": "ti_eclecticiq.threat", "created": "2023-06-08T12:00:30.187Z", + "dataset": "ti_eclecticiq.threat", "id": "XugasX/Bvu/150lNyQjzIGR0zZ8=", "kind": "enrichment", "original": "{\"calculated.relevancy\": \"0.68\", \"calculated.source_reliability\": \"A\", \"calculated.tlp\": \"GREEN\", \"diff\": \"add\", \"entity.id\": \"5e814485-012d-423d-b769-026bfed0f451\", \"entity.title\": \"Example\", \"entity.type\": \"malware\", \"meta.classification\": \"\", \"meta.confidence\": \"\", \"meta.entity_url\": \"https://test.com/entity/5e814485-012d-423d-b769-026bfed0f451\", \"meta.estimated_observed_time\": \"2019-07-09T17:42:44.777000+00:00\", \"meta.estimated_threat_end_time\": \"\", \"meta.estimated_threat_start_time\": \"2022-05-11T14:00:00.188000+00:00\", \"meta.ingest_time\": \"2023-06-08T12:00:30.187097+00:00\", \"meta.relevancy\": \"0.68\", \"meta.source_reliability\": \"A\", \"meta.tags\": \"tag1;tag2\", \"meta.taxonomy\": \"\", \"meta.terms_of_use\": \"\", \"meta.tlp\": \"GREEN\", \"source.ids\": \"47ec245c-9e7b-467e-a016-77a22ff12dd5\", \"source.names\": \"Test Source\", \"timestamp\": \"2023-06-20 18:06:10.126780+00:00\", \"type\": \"domain\", \"value\": \"example.com\", \"value_url\": \"https://test.com/main/extracts/domain/test\"}", 
@@ -236,63 +236,9 @@ An example event for `threat` looks as following: | data_stream.type | Data stream type. | constant_keyword | | eclecticiq.threat.deleted_at | Date when observable was removed from dataset | date | | eclecticiq.threat.observable_id | The ID of the observable, based on kind and value. | keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| email.subject | A brief summary of the topic of the message. | keyword | -| email.subject.text | Multi-field of `email.subject`. | match_only_text | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. 
| date | | event.dataset | Event dataset | constant_keyword | -| event.end | `event.end` contains the date when the event ended or when the activity was last observed. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword | | event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.provider | Source of the event. Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). | keyword | -| event.start | `event.start` contains the date when the event started or when the activity was first observed. | date | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. 
`event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| event.url | URL linking to an external system to continue investigation of this event. This URL links to another system where in-depth investigation of the specific occurrence of this event can take place. Alert events, indicated by `event.kind:alert`, are a common use case for this field. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | | input.type | Input type | keyword | | labels.is_ioc_transform_source | Field indicating if its the transform source for supporting IOC expiration. This field is dropped from destination indices to facilitate easier filtering of indicators. | constant_keyword | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| organization.name | Organization name. | keyword | -| organization.name.text | Multi-field of `organization.name`. | match_only_text | -| process.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard | -| process.command_line.text | Multi-field of `process.command_line`. | match_only_text | -| process.name | Process name. Sometimes called program name or similar. | keyword | -| process.name.text | Multi-field of `process.name`. 
| match_only_text | -| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| rule.name | The name of the rule or signature generating the event. | keyword | -| server.mac | MAC address of the server. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | -| tags | List of keywords used to tag each event. | keyword | | threat.feed.name | Display friendly feed name | constant_keyword | -| threat.indicator.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| threat.indicator.confidence | Identifies the vendor-neutral confidence rating using the None/Low/Medium/High scale defined in Appendix A of the STIX 2.1 framework. Vendor-specific confidence scales may be added as custom fields. | keyword | -| threat.indicator.email.address | Identifies a threat indicator as an email address (irrespective of direction). | keyword | -| threat.indicator.file.hash.md5 | MD5 hash. | keyword | -| threat.indicator.file.hash.sha1 | SHA1 hash. | keyword | -| threat.indicator.file.hash.sha256 | SHA256 hash. | keyword | -| threat.indicator.file.hash.sha384 | SHA384 hash. | keyword | -| threat.indicator.file.hash.sha512 | SHA512 hash. | keyword | -| threat.indicator.file.hash.ssdeep | SSDEEP hash. | keyword | -| threat.indicator.file.path | Full path to the file, including the file name. 
It should include the drive letter, when appropriate. | keyword | -| threat.indicator.file.path.text | Multi-field of `threat.indicator.file.path`. | match_only_text | -| threat.indicator.file.size | File size in bytes. Only relevant when `file.type` is "file". | long | -| threat.indicator.first_seen | The date and time when intelligence source first reported sighting this indicator. | date | -| threat.indicator.ip | Identifies a threat indicator as an IP address (irrespective of direction). | ip | -| threat.indicator.marking.tlp | Traffic Light Protocol sharing markings. | keyword | -| threat.indicator.name | The display name indicator in an UI friendly format | keyword | -| threat.indicator.registry.value | Name of the value written. | keyword | -| threat.indicator.type | Type of indicator as represented by Cyber Observable in STIX 2.0. | keyword | -| threat.indicator.url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | -| threat.indicator.url.full | If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. | wildcard | -| threat.indicator.url.full.text | Multi-field of `threat.indicator.url.full`. | match_only_text | -| threat.indicator.url.port | Port of the request, such as 443. | long | -| threat.indicator.x509.serial_number | Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. | keyword | -| threat.software.name | The name of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. 
While not required, you can use a MITRE ATT&CK® software name. | keyword | -| threat.software.type | The type of software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software type. | keyword | -| user_agent.original | Unparsed user_agent string. | keyword | -| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text | -| vulnerability.id | The identification (ID) is the number portion of a vulnerability entry. It includes a unique identification number for the vulnerability. For example (https://cve.mitre.org/about/faqs.html#what_is_cve_id)[Common Vulnerabilities and Exposure CVE ID] | keyword | diff --git a/packages/ti_eclecticiq/elasticsearch/transform/latest_ioc/fields/ecs.yml b/packages/ti_eclecticiq/elasticsearch/transform/latest_ioc/fields/ecs.yml index 755244bdb14..62a39367662 100644 --- a/packages/ti_eclecticiq/elasticsearch/transform/latest_ioc/fields/ecs.yml +++ b/packages/ti_eclecticiq/elasticsearch/transform/latest_ioc/fields/ecs.yml @@ -107,4 +107,4 @@ - name: threat.feed.name type: constant_keyword description: Display friendly feed name - value: EclecticIQ \ No newline at end of file + value: EclecticIQ diff --git a/packages/ti_eclecticiq/manifest.yml b/packages/ti_eclecticiq/manifest.yml index 6ede1f0d9e9..0c1933fa3b2 100644 --- a/packages/ti_eclecticiq/manifest.yml +++ b/packages/ti_eclecticiq/manifest.yml @@ -1,7 +1,7 @@ format_version: 3.0.3 name: ti_eclecticiq title: EclecticIQ -version: 1.0.1 +version: "1.1.0" description: Ingest threat intelligence from EclecticIQ with Elastic Agent type: integration categories: @@ -9,7 +9,7 @@ categories: - threat_intel conditions: kibana: - version: ^8.12.0 + version: "^8.13.0" elastic: subscription: basic icons: diff --git a/packages/ti_eset/changelog.yml b/packages/ti_eset/changelog.yml index 3bced928f0a..d7b6ea60178 100644 --- a/packages/ti_eset/changelog.yml +++ b/packages/ti_eset/changelog.yml 
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.2.0"
+ changes:
+ - description: Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/10135
 - version: "1.1.1"
 changes:
 - description: Adjust field mappings for transform destination index.
diff --git a/packages/ti_eset/data_stream/apt/fields/agent.yml b/packages/ti_eset/data_stream/apt/fields/agent.yml
index 845b84ed9c0..4bdd88d3cd7 100644
--- a/packages/ti_eset/data_stream/apt/fields/agent.yml
+++ b/packages/ti_eset/data_stream/apt/fields/agent.yml
@@ -5,180 +5,15 @@ footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' type: group fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - name: image.id type: keyword description: Image ID for the cloud instance. -- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. 
- - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. - name: host title: Host group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' type: group fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. 
- - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - name: containerized type: boolean description: > diff --git a/packages/ti_eset/data_stream/apt/fields/ecs.yml b/packages/ti_eset/data_stream/apt/fields/ecs.yml deleted file mode 100644 index 5162c5f7184..00000000000 
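Review bot: The cloud group in this hunk keeps `image.id` and the host group keeps `containerized` while every sibling field definition is removed, and nothing in the file records why those two survive; whoever audits the mapping later has to rediscover that they are presumably not ECS fields and so are not supplied by the ecs@mappings component template the changelog cites. I would put a one-line comment above each kept entry, e.g. `# Not an ECS field, so not provided by ecs@mappings; keep the explicit definition.`, after confirming that is indeed the reason. The same deletion is repeated verbatim in the botnet, cc and domains agent.yml hunks and in files/agent.yml, whose hunk runs past the end of this chunk, so the comment belongs in each copy.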
--- a/packages/ti_eset/data_stream/apt/fields/ecs.yml
+++ /dev/null
@@ -1,92 +0,0 @@
-- external: ecs
- name: ecs.version
-- external: ecs
- name: message
-- external: ecs
- name: error.message
-- external: ecs
- name: event.category
-- external: ecs
- name: event.ingested
-- external: ecs
- name: event.kind
-- external: ecs
- name: event.original
-- external: ecs
- name: event.created
-- external: ecs
- name: tags
-- external: ecs
- name: threat.indicator.name
-- external: ecs
- name: threat.indicator.confidence
-- external: ecs
- name: threat.indicator.url.original
-- external: ecs
- name: threat.indicator.type
-- external: ecs
- name: threat.indicator.description
-- external: ecs
- name: threat.indicator.modified_at
-- external: ecs
- name: threat.indicator.last_seen
-- external: ecs
- name: threat.feed.name
-- external: ecs
- name: threat.indicator.email.address
-- external: ecs
- name: threat.indicator.file.hash.md5
-- external: ecs
- name: threat.indicator.file.hash.sha1
-- external: ecs
- name: threat.indicator.file.hash.sha256
-- external: ecs
- name: threat.indicator.file.name
-- external: ecs
- name: threat.indicator.provider
-- external: ecs
- name: threat.indicator.url.domain
-- external: ecs
- name: threat.indicator.url.path
-- external: ecs
- name: threat.indicator.url.port
-- external: ecs
- name: threat.indicator.url.scheme
-- external: ecs
- name: threat.indicator.x509.issuer.common_name
-- external: ecs
- name: threat.indicator.x509.issuer.country
-- external: ecs
- name: threat.indicator.x509.issuer.distinguished_name
-- external: ecs
- name: threat.indicator.x509.issuer.locality
-- external: ecs
- name: threat.indicator.x509.issuer.organization
-- external: ecs
- name: threat.indicator.x509.issuer.state_or_province
-- external: ecs
- name: threat.indicator.x509.issuer.organizational_unit
-- external: ecs
- name: threat.indicator.x509.not_after
-- external: ecs
- name: threat.indicator.x509.not_before
-- external: ecs
- name: threat.indicator.x509.serial_number
-- external: ecs
- name: 
threat.indicator.x509.signature_algorithm
-- external: ecs
- name: threat.indicator.x509.subject.common_name
-- external: ecs
- name: threat.indicator.x509.subject.country
-- external: ecs
- name: threat.indicator.x509.subject.distinguished_name
-- external: ecs
- name: threat.indicator.x509.subject.locality
-- external: ecs
- name: threat.indicator.x509.subject.organization
-- external: ecs
- name: threat.indicator.x509.subject.state_or_province
-- external: ecs
- name: threat.indicator.x509.subject.organizational_unit
-- external: ecs
- name: threat.indicator.x509.version_number
diff --git a/packages/ti_eset/data_stream/botnet/fields/agent.yml b/packages/ti_eset/data_stream/botnet/fields/agent.yml
index 845b84ed9c0..4bdd88d3cd7 100644
--- a/packages/ti_eset/data_stream/botnet/fields/agent.yml
+++ b/packages/ti_eset/data_stream/botnet/fields/agent.yml
@@ -5,180 +5,15 @@ footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' type: group fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - name: image.id type: keyword description: Image ID for the cloud instance. -- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. 
- - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. - name: host title: Host group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' type: group fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. 
- - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - name: containerized type: boolean description: > diff --git a/packages/ti_eset/data_stream/botnet/fields/ecs.yml b/packages/ti_eset/data_stream/botnet/fields/ecs.yml deleted file mode 100644 index 43534883f1c..00000000000 
--- a/packages/ti_eset/data_stream/botnet/fields/ecs.yml
+++ /dev/null
@@ -1,42 +0,0 @@
-- external: ecs
- name: ecs.version
-- external: ecs
- name: message
-- external: ecs
- name: error.message
-- external: ecs
- name: event.category
-- external: ecs
- name: event.ingested
-- external: ecs
- name: event.kind
-- external: ecs
- name: event.original
-- external: ecs
- name: event.created
-- external: ecs
- name: tags
-- external: ecs
- name: threat.indicator.name
-- external: ecs
- name: threat.indicator.confidence
-- external: ecs
- name: threat.indicator.provider
-- external: ecs
- name: threat.indicator.url.original
-- external: ecs
- name: threat.indicator.file.hash.md5
-- external: ecs
- name: threat.indicator.file.hash.sha1
-- external: ecs
- name: threat.indicator.file.hash.sha256
-- external: ecs
- name: threat.indicator.type
-- external: ecs
- name: threat.indicator.description
-- external: ecs
- name: threat.indicator.modified_at
-- external: ecs
- name: threat.indicator.last_seen
-- external: ecs
- name: threat.feed.name
diff --git a/packages/ti_eset/data_stream/cc/fields/agent.yml b/packages/ti_eset/data_stream/cc/fields/agent.yml
index 845b84ed9c0..4bdd88d3cd7 100644
--- a/packages/ti_eset/data_stream/cc/fields/agent.yml
+++ b/packages/ti_eset/data_stream/cc/fields/agent.yml
@@ -5,180 +5,15 @@ footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' type: group fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - name: image.id type: keyword description: Image ID for the cloud instance. -- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. 
- - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. - name: host title: Host group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' type: group fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. 
- - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - name: containerized type: boolean description: > diff --git a/packages/ti_eset/data_stream/cc/fields/ecs.yml b/packages/ti_eset/data_stream/cc/fields/ecs.yml deleted file mode 100644 index d3f9633c4c9..00000000000 
--- a/packages/ti_eset/data_stream/cc/fields/ecs.yml
+++ /dev/null
@@ -1,36 +0,0 @@
-- external: ecs
- name: ecs.version
-- external: ecs
- name: message
-- external: ecs
- name: error.message
-- external: ecs
- name: event.category
-- external: ecs
- name: event.ingested
-- external: ecs
- name: event.kind
-- external: ecs
- name: event.original
-- external: ecs
- name: event.created
-- external: ecs
- name: tags
-- external: ecs
- name: threat.indicator.name
-- external: ecs
- name: threat.indicator.confidence
-- external: ecs
- name: threat.indicator.provider
-- external: ecs
- name: threat.indicator.url.original
-- external: ecs
- name: threat.indicator.type
-- external: ecs
- name: threat.indicator.description
-- external: ecs
- name: threat.indicator.modified_at
-- external: ecs
- name: threat.indicator.last_seen
-- external: ecs
- name: threat.feed.name
diff --git a/packages/ti_eset/data_stream/domains/fields/agent.yml b/packages/ti_eset/data_stream/domains/fields/agent.yml
index 845b84ed9c0..4bdd88d3cd7 100644
--- a/packages/ti_eset/data_stream/domains/fields/agent.yml
+++ b/packages/ti_eset/data_stream/domains/fields/agent.yml
@@ -5,180 +5,15 @@ footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' type: group fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - name: image.id type: keyword description: Image ID for the cloud instance. -- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. 
- - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. - name: host title: Host group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' type: group fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. 
- - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - name: containerized type: boolean description: > diff --git a/packages/ti_eset/data_stream/domains/fields/ecs.yml b/packages/ti_eset/data_stream/domains/fields/ecs.yml deleted file mode 100644 index f127a34e100..00000000000 
--- a/packages/ti_eset/data_stream/domains/fields/ecs.yml
+++ /dev/null
@@ -1,38 +0,0 @@
-- external: ecs
- name: ecs.version
-- external: ecs
- name: message
-- external: ecs
- name: error.message
-- external: ecs
- name: event.category
-- external: ecs
- name: event.ingested
-- external: ecs
- name: event.kind
-- external: ecs
- name: event.original
-- external: ecs
- name: event.created
-- external: ecs
- name: tags
-- external: ecs
- name: threat.indicator.name
-- external: ecs
- name: threat.indicator.confidence
-- external: ecs
- name: threat.indicator.provider
-- external: ecs
- name: threat.indicator.url.original
-- external: ecs
- name: threat.indicator.url.domain
-- external: ecs
- name: threat.indicator.type
-- external: ecs
- name: threat.indicator.description
-- external: ecs
- name: threat.indicator.modified_at
-- external: ecs
- name: threat.indicator.last_seen
-- external: ecs
- name: threat.feed.name
diff --git a/packages/ti_eset/data_stream/files/fields/agent.yml b/packages/ti_eset/data_stream/files/fields/agent.yml
index 845b84ed9c0..4bdd88d3cd7 100644
--- a/packages/ti_eset/data_stream/files/fields/agent.yml
+++ b/packages/ti_eset/data_stream/files/fields/agent.yml
@@ -5,180 +5,15 @@
 footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
 type: group
 fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
-
- Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
 - name: image.id
 type: keyword
 description: Image ID for the cloud instance.
-- name: container
- title: Container
- group: 2
- description: 'Container fields are used for meta information about the specific container that is the source of information.
-
- These fields help correlate data based containers from any runtime.'
- type: group
- fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container id.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
 - name: host
 title: Host
 group: 2
- description: 'A host is defined as a general computing instance.
-
- ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
+ description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
 type: group
 fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'Name of the domain of which the host is a member.
-
- For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
- example: CONTOSO
- default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host.
-
- It normally contains what the `hostname` command returns on the host machine.'
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Unique host id.
-
- As hostname is not always unique, use values that are meaningful in your environment.
-
- Example: The current usage of `beat.name`.'
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host.
-
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Type of host.
-
- For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
 - name: containerized
 type: boolean
 description: >
diff --git a/packages/ti_eset/data_stream/files/fields/ecs.yml b/packages/ti_eset/data_stream/files/fields/ecs.yml
deleted file mode 100644
index 43534883f1c..00000000000
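Review bot: Dropping the explicit `host.ip` (type `ip`), `host.mac`, `host.os.*` and `cloud.*` definitions from the `cloud` and `host` groups leaves those ECS fields with no mapping in this package, so their types now depend on the stack supplying ECS dynamic templates (`ecs@mappings`); on a stack without them `host.ip` would be dynamically mapped as a string and CIDR/range queries on it would stop working. The package manifest is not in this chunk, so please confirm its `conditions.kibana.version` constraint is raised to a stack version that ships `ecs@mappings` — the old-side context of the README hunk still reads "The minimum **Kibana version** required is **8.12.0**". The identical removal appears in `data_stream/ip/fields/agent.yml` and `data_stream/url/fields/agent.yml`, and the deleted per-data-stream `ecs.yml` files drop `threat.indicator.ip` and `threat.indicator.port` the same way. The `+ description:` line for the `host` group only rewraps the existing text onto one line, which is cosmetic. The enclosing YAML document continues before and after this hunk.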
--- a/packages/ti_eset/data_stream/files/fields/ecs.yml
+++ /dev/null
@@ -1,42 +0,0 @@
-- external: ecs
- name: ecs.version
-- external: ecs
- name: message
-- external: ecs
- name: error.message
-- external: ecs
- name: event.category
-- external: ecs
- name: event.ingested
-- external: ecs
- name: event.kind
-- external: ecs
- name: event.original
-- external: ecs
- name: event.created
-- external: ecs
- name: tags
-- external: ecs
- name: threat.indicator.name
-- external: ecs
- name: threat.indicator.confidence
-- external: ecs
- name: threat.indicator.provider
-- external: ecs
- name: threat.indicator.url.original
-- external: ecs
- name: threat.indicator.file.hash.md5
-- external: ecs
- name: threat.indicator.file.hash.sha1
-- external: ecs
- name: threat.indicator.file.hash.sha256
-- external: ecs
- name: threat.indicator.type
-- external: ecs
- name: threat.indicator.description
-- external: ecs
- name: threat.indicator.modified_at
-- external: ecs
- name: threat.indicator.last_seen
-- external: ecs
- name: threat.feed.name
diff --git a/packages/ti_eset/data_stream/ip/fields/agent.yml b/packages/ti_eset/data_stream/ip/fields/agent.yml
index 845b84ed9c0..4bdd88d3cd7 100644
--- a/packages/ti_eset/data_stream/ip/fields/agent.yml
+++ b/packages/ti_eset/data_stream/ip/fields/agent.yml
@@ -5,180 +5,15 @@
 footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
 type: group
 fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
-
- Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
 - name: image.id
 type: keyword
 description: Image ID for the cloud instance.
-- name: container
- title: Container
- group: 2
- description: 'Container fields are used for meta information about the specific container that is the source of information.
-
- These fields help correlate data based containers from any runtime.'
- type: group
- fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container id.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
 - name: host
 title: Host
 group: 2
- description: 'A host is defined as a general computing instance.
-
- ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
+ description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
 type: group
 fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'Name of the domain of which the host is a member.
-
- For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
- example: CONTOSO
- default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host.
-
- It normally contains what the `hostname` command returns on the host machine.'
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Unique host id.
-
- As hostname is not always unique, use values that are meaningful in your environment.
-
- Example: The current usage of `beat.name`.'
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host.
-
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Type of host.
-
- For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
 - name: containerized
 type: boolean
 description: >
diff --git a/packages/ti_eset/data_stream/ip/fields/ecs.yml b/packages/ti_eset/data_stream/ip/fields/ecs.yml
deleted file mode 100644
index 532e63297da..00000000000
--- a/packages/ti_eset/data_stream/ip/fields/ecs.yml
+++ /dev/null
@@ -1,40 +0,0 @@
-- external: ecs
- name: ecs.version
-- external: ecs
- name: message
-- external: ecs
- name: error.message
-- external: ecs
- name: event.category
-- external: ecs
- name: event.ingested
-- external: ecs
- name: event.kind
-- external: ecs
- name: event.original
-- external: ecs
- name: event.created
-- external: ecs
- name: tags
-- external: ecs
- name: threat.indicator.name
-- external: ecs
- name: threat.indicator.confidence
-- external: ecs
- name: threat.indicator.provider
-- external: ecs
- name: threat.indicator.url.original
-- external: ecs
- name: threat.indicator.type
-- external: ecs
- name: threat.indicator.description
-- external: ecs
- name: threat.indicator.modified_at
-- external: ecs
- name: threat.indicator.last_seen
-- external: ecs
- name: threat.feed.name
-- external: ecs
- name: threat.indicator.ip
-- external: ecs
- name: threat.indicator.port
diff --git a/packages/ti_eset/data_stream/url/fields/agent.yml b/packages/ti_eset/data_stream/url/fields/agent.yml
index 845b84ed9c0..4bdd88d3cd7 100644
--- a/packages/ti_eset/data_stream/url/fields/agent.yml
+++ b/packages/ti_eset/data_stream/url/fields/agent.yml
@@ -5,180 +5,15 @@
 footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
 type: group
 fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
-
- Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
 - name: image.id
 type: keyword
 description: Image ID for the cloud instance.
-- name: container
- title: Container
- group: 2
- description: 'Container fields are used for meta information about the specific container that is the source of information.
-
- These fields help correlate data based containers from any runtime.'
- type: group
- fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container id.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
 - name: host
 title: Host
 group: 2
- description: 'A host is defined as a general computing instance.
-
- ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
+ description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
 type: group
 fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'Name of the domain of which the host is a member.
-
- For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
- example: CONTOSO
- default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host.
-
- It normally contains what the `hostname` command returns on the host machine.'
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Unique host id.
-
- As hostname is not always unique, use values that are meaningful in your environment.
-
- Example: The current usage of `beat.name`.'
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host.
-
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Type of host.
-
- For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
 - name: containerized
 type: boolean
 description: >
diff --git a/packages/ti_eset/data_stream/url/fields/ecs.yml b/packages/ti_eset/data_stream/url/fields/ecs.yml
deleted file mode 100644
index d3f9633c4c9..00000000000
--- a/packages/ti_eset/data_stream/url/fields/ecs.yml
+++ /dev/null
@@ -1,36 +0,0 @@
-- external: ecs
- name: ecs.version
-- external: ecs
- name: message
-- external: ecs
- name: error.message
-- external: ecs
- name: event.category
-- external: ecs
- name: event.ingested
-- external: ecs
- name: event.kind
-- external: ecs
- name: event.original
-- external: ecs
- name: event.created
-- external: ecs
- name: tags
-- external: ecs
- name: threat.indicator.name
-- external: ecs
- name: threat.indicator.confidence
-- external: ecs
- name: threat.indicator.provider
-- external: ecs
- name: threat.indicator.url.original
-- external: ecs
- name: threat.indicator.type
-- external: ecs
- name: threat.indicator.description
-- external: ecs
- name: threat.indicator.modified_at
-- external: ecs
- name: threat.indicator.last_seen
-- external: ecs
- name: threat.feed.name
diff --git a/packages/ti_eset/docs/README.md b/packages/ti_eset/docs/README.md
index c24edb7da7f..58315ad5f23 100644
--- a/packages/ti_eset/docs/README.md
+++ b/packages/ti_eset/docs/README.md
@@ -97,68 +97,20 @@ The minimum **Kibana version** required is **8.12.0**. | Field | Description | Type | |---|---|---| | @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | | cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | | data_stream.dataset | Data stream dataset. | constant_keyword | | data_stream.namespace | Data stream namespace. | constant_keyword | | data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.message | Error message. | match_only_text | | eset.id | The UID of the event object. | keyword | | eset.labels | Threat labels. | keyword | | eset.valid_until | Event expiration date. 
| date | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date | | event.dataset | Event dataset | constant_keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. 
The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword | | event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| host.architecture | Operating system architecture. | keyword | | host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | host.os.build | OS build information. | keyword | | host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. 
| keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | input.type | Input type. | keyword | | labels.is_ioc_transform_source | Field indicating if its the transform source for supporting IOC expiration. This field is dropped from destination indices to facilitate easier filtering of indicators. | constant_keyword | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| tags | List of keywords used to tag each event. | keyword | -| threat.feed.name | The name of the threat feed in UI friendly format. | keyword | -| threat.indicator.confidence | Identifies the vendor-neutral confidence rating using the None/Low/Medium/High scale defined in Appendix A of the STIX 2.1 framework. Vendor-specific confidence scales may be added as custom fields. | keyword | -| threat.indicator.description | Describes the type of action conducted by the threat. | keyword | -| threat.indicator.file.hash.md5 | MD5 hash. | keyword | -| threat.indicator.file.hash.sha1 | SHA1 hash. | keyword | -| threat.indicator.file.hash.sha256 | SHA256 hash. | keyword | -| threat.indicator.last_seen | The date and time when intelligence source last reported sighting this indicator. 
| date | -| threat.indicator.modified_at | The date and time when intelligence source last modified information for this indicator. | date | -| threat.indicator.name | The display name indicator in an UI friendly format URL, IP address, email address, registry key, port number, hash value, or other relevant name can serve as the display name. | keyword | -| threat.indicator.provider | The name of the indicator's provider. | keyword | -| threat.indicator.type | Type of indicator as represented by Cyber Observable in STIX 2.0. | keyword | -| threat.indicator.url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | -| threat.indicator.url.original.text | Multi-field of `threat.indicator.url.original`. | match_only_text | An example event for `botnet` looks as following: 
@@ -246,65 +198,20 @@ An example event for `botnet` looks as following: | Field | Description | Type | |---|---|---| | @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | | cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | | data_stream.dataset | Data stream dataset. | constant_keyword | | data_stream.namespace | Data stream namespace. | constant_keyword | | data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.message | Error message. | match_only_text | | eset.id | The UID of the event object. | keyword | | eset.labels | Threat labels. | keyword | | eset.valid_until | Event expiration date. 
| date | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date | | event.dataset | Event dataset | constant_keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. 
The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword | | event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| host.architecture | Operating system architecture. | keyword | | host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | host.os.build | OS build information. | keyword | | host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. 
| keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | input.type | Input type. | keyword | | labels.is_ioc_transform_source | Field indicating if its the transform source for supporting IOC expiration. This field is dropped from destination indices to facilitate easier filtering of indicators. | constant_keyword | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| tags | List of keywords used to tag each event. | keyword | -| threat.feed.name | The name of the threat feed in UI friendly format. | keyword | -| threat.indicator.confidence | Identifies the vendor-neutral confidence rating using the None/Low/Medium/High scale defined in Appendix A of the STIX 2.1 framework. Vendor-specific confidence scales may be added as custom fields. | keyword | -| threat.indicator.description | Describes the type of action conducted by the threat. | keyword | -| threat.indicator.last_seen | The date and time when intelligence source last reported sighting this indicator. | date | -| threat.indicator.modified_at | The date and time when intelligence source last modified information for this indicator. 
| date | -| threat.indicator.name | The display name indicator in an UI friendly format URL, IP address, email address, registry key, port number, hash value, or other relevant name can serve as the display name. | keyword | -| threat.indicator.provider | The name of the indicator's provider. | keyword | -| threat.indicator.type | Type of indicator as represented by Cyber Observable in STIX 2.0. | keyword | -| threat.indicator.url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | -| threat.indicator.url.original.text | Multi-field of `threat.indicator.url.original`. | match_only_text | An example event for `cc` looks as following: 
@@ -388,66 +295,20 @@ An example event for `cc` looks as following: | Field | Description | Type | |---|---|---| | @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | | cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | | data_stream.dataset | Data stream dataset. | constant_keyword | | data_stream.namespace | Data stream namespace. | constant_keyword | | data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.message | Error message. | match_only_text | | eset.id | The UID of the event object. | keyword | | eset.labels | Threat labels. | keyword | | eset.valid_until | Event expiration date. 
| date | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date | | event.dataset | Event dataset | constant_keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. 
The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword | | event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| host.architecture | Operating system architecture. | keyword | | host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | host.os.build | OS build information. | keyword | | host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. 
| keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | input.type | Input type. | keyword | | labels.is_ioc_transform_source | Field indicating if its the transform source for supporting IOC expiration. This field is dropped from destination indices to facilitate easier filtering of indicators. | constant_keyword | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| tags | List of keywords used to tag each event. | keyword | -| threat.feed.name | The name of the threat feed in UI friendly format. | keyword | -| threat.indicator.confidence | Identifies the vendor-neutral confidence rating using the None/Low/Medium/High scale defined in Appendix A of the STIX 2.1 framework. Vendor-specific confidence scales may be added as custom fields. | keyword | -| threat.indicator.description | Describes the type of action conducted by the threat. | keyword | -| threat.indicator.last_seen | The date and time when intelligence source last reported sighting this indicator. | date | -| threat.indicator.modified_at | The date and time when intelligence source last modified information for this indicator. 
| date | -| threat.indicator.name | The display name indicator in an UI friendly format URL, IP address, email address, registry key, port number, hash value, or other relevant name can serve as the display name. | keyword | -| threat.indicator.provider | The name of the indicator's provider. | keyword | -| threat.indicator.type | Type of indicator as represented by Cyber Observable in STIX 2.0. | keyword | -| threat.indicator.url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | -| threat.indicator.url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | -| threat.indicator.url.original.text | Multi-field of `threat.indicator.url.original`. | match_only_text | An example event for `domains` looks as following: 
@@ -532,68 +393,20 @@ An example event for `domains` looks as following: | Field | Description | Type | |---|---|---| | @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | | cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | | data_stream.dataset | Data stream dataset. | constant_keyword | | data_stream.namespace | Data stream namespace. | constant_keyword | | data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.message | Error message. | match_only_text | | eset.id | The UID of the event object. | keyword | | eset.labels | Threat labels. | keyword | | eset.valid_until | Event expiration date. 
| date | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date | | event.dataset | Event dataset | constant_keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. 
The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword | | event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| host.architecture | Operating system architecture. | keyword | | host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | host.os.build | OS build information. | keyword | | host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. 
| keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | input.type | Input type. | keyword | | labels.is_ioc_transform_source | Field indicating if its the transform source for supporting IOC expiration. This field is dropped from destination indices to facilitate easier filtering of indicators. | constant_keyword | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| tags | List of keywords used to tag each event. | keyword | -| threat.feed.name | The name of the threat feed in UI friendly format. | keyword | -| threat.indicator.confidence | Identifies the vendor-neutral confidence rating using the None/Low/Medium/High scale defined in Appendix A of the STIX 2.1 framework. Vendor-specific confidence scales may be added as custom fields. | keyword | -| threat.indicator.description | Describes the type of action conducted by the threat. | keyword | -| threat.indicator.file.hash.md5 | MD5 hash. | keyword | -| threat.indicator.file.hash.sha1 | SHA1 hash. | keyword | -| threat.indicator.file.hash.sha256 | SHA256 hash. | keyword | -| threat.indicator.last_seen | The date and time when intelligence source last reported sighting this indicator. 
| date | -| threat.indicator.modified_at | The date and time when intelligence source last modified information for this indicator. | date | -| threat.indicator.name | The display name indicator in an UI friendly format URL, IP address, email address, registry key, port number, hash value, or other relevant name can serve as the display name. | keyword | -| threat.indicator.provider | The name of the indicator's provider. | keyword | -| threat.indicator.type | Type of indicator as represented by Cyber Observable in STIX 2.0. | keyword | -| threat.indicator.url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | -| threat.indicator.url.original.text | Multi-field of `threat.indicator.url.original`. | match_only_text | An example event for `files` looks as following: 
@@ -681,67 +494,20 @@ An example event for `files` looks as following: | Field | Description | Type | |---|---|---| | @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | | cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | | data_stream.dataset | Data stream dataset. | constant_keyword | | data_stream.namespace | Data stream namespace. | constant_keyword | | data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.message | Error message. | match_only_text | | eset.id | The UID of the event object. | keyword | | eset.labels | Threat labels. | keyword | | eset.valid_until | Event expiration date. 
| date | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date | | event.dataset | Event dataset | constant_keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. 
The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword | | event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| host.architecture | Operating system architecture. | keyword | | host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | host.os.build | OS build information. | keyword | | host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. 
| keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | input.type | Input type. | keyword | | labels.is_ioc_transform_source | Field indicating if its the transform source for supporting IOC expiration. This field is dropped from destination indices to facilitate easier filtering of indicators. | constant_keyword | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| tags | List of keywords used to tag each event. | keyword | -| threat.feed.name | The name of the threat feed in UI friendly format. | keyword | -| threat.indicator.confidence | Identifies the vendor-neutral confidence rating using the None/Low/Medium/High scale defined in Appendix A of the STIX 2.1 framework. Vendor-specific confidence scales may be added as custom fields. | keyword | -| threat.indicator.description | Describes the type of action conducted by the threat. | keyword | -| threat.indicator.ip | Identifies a threat indicator as an IP address (irrespective of direction). | ip | -| threat.indicator.last_seen | The date and time when intelligence source last reported sighting this indicator. | date | -| threat.indicator.modified_at | The date and time when intelligence source last modified information for this indicator. 
| date | -| threat.indicator.name | The display name indicator in an UI friendly format URL, IP address, email address, registry key, port number, hash value, or other relevant name can serve as the display name. | keyword | -| threat.indicator.port | Identifies a threat indicator as a port number (irrespective of direction). | long | -| threat.indicator.provider | The name of the indicator's provider. | keyword | -| threat.indicator.type | Type of indicator as represented by Cyber Observable in STIX 2.0. | keyword | -| threat.indicator.url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | -| threat.indicator.url.original.text | Multi-field of `threat.indicator.url.original`. | match_only_text | An example event for `ip` looks as following: 
@@ -823,96 +589,23 @@ An example event for `ip` looks as following:
| Field | Description | Type |
|---|---|---|
| @timestamp | Event timestamp. | date |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
| data_stream.dataset | Data stream dataset. | constant_keyword |
| data_stream.namespace | Data stream namespace. | constant_keyword |
| data_stream.type | Data stream type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| error.message | Error message. | match_only_text |
| eset.category | Event category as defined by MISP. | keyword |
| eset.id | The UID of the event object. | keyword |
| eset.meta_category | Event sub-category as defined by MISP. | keyword |
| eset.name | Human readable name describing the event. | keyword |
| eset.type | Type of the event. | keyword |
| eset.valid_until | Event expiration date. | date |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date |
| event.dataset | Event dataset | constant_keyword |
-| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword |
| event.module | Event module | constant_keyword |
-| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
-| host.architecture | Operating system architecture. | keyword |
| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
| host.os.build | OS build information. | keyword |
| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
| input.type | Input type. | keyword |
| labels.is_ioc_transform_source | Field indicating if its the transform source for supporting IOC expiration. This field is dropped from destination indices to facilitate easier filtering of indicators. | constant_keyword |
-| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text |
-| tags | List of keywords used to tag each event. | keyword |
-| threat.feed.name | The name of the threat feed in UI friendly format. | keyword |
-| threat.indicator.confidence | Identifies the vendor-neutral confidence rating using the None/Low/Medium/High scale defined in Appendix A of the STIX 2.1 framework. Vendor-specific confidence scales may be added as custom fields. | keyword |
-| threat.indicator.description | Describes the type of action conducted by the threat. | keyword |
-| threat.indicator.email.address | Identifies a threat indicator as an email address (irrespective of direction). | keyword |
-| threat.indicator.file.hash.md5 | MD5 hash. | keyword |
-| threat.indicator.file.hash.sha1 | SHA1 hash. | keyword |
-| threat.indicator.file.hash.sha256 | SHA256 hash. | keyword |
-| threat.indicator.file.name | Name of the file including the extension, without the directory. | keyword |
-| threat.indicator.last_seen | The date and time when intelligence source last reported sighting this indicator. | date |
-| threat.indicator.modified_at | The date and time when intelligence source last modified information for this indicator. | date |
-| threat.indicator.name | The display name indicator in an UI friendly format URL, IP address, email address, registry key, port number, hash value, or other relevant name can serve as the display name. | keyword |
-| threat.indicator.provider | The name of the indicator's provider. | keyword |
-| threat.indicator.type | Type of indicator as represented by Cyber Observable in STIX 2.0. | keyword |
-| threat.indicator.url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword |
-| threat.indicator.url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard |
-| threat.indicator.url.original.text | Multi-field of `threat.indicator.url.original`. | match_only_text |
-| threat.indicator.url.path | Path of the request, such as "/search". | wildcard |
-| threat.indicator.url.port | Port of the request, such as 443. | long |
-| threat.indicator.url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword |
-| threat.indicator.x509.issuer.common_name | List of common name (CN) of issuing certificate authority. | keyword |
-| threat.indicator.x509.issuer.country | List of country \(C) codes | keyword |
-| threat.indicator.x509.issuer.distinguished_name | Distinguished name (DN) of issuing certificate authority. | keyword |
-| threat.indicator.x509.issuer.locality | List of locality names (L) | keyword |
-| threat.indicator.x509.issuer.organization | List of organizations (O) of issuing certificate authority. | keyword |
-| threat.indicator.x509.issuer.organizational_unit | List of organizational units (OU) of issuing certificate authority. | keyword |
-| threat.indicator.x509.issuer.state_or_province | List of state or province names (ST, S, or P) | keyword |
-| threat.indicator.x509.not_after | Time at which the certificate is no longer considered valid. | date |
-| threat.indicator.x509.not_before | Time at which the certificate is first considered valid. | date |
-| threat.indicator.x509.serial_number | Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. | keyword |
-| threat.indicator.x509.signature_algorithm | Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. | keyword |
-| threat.indicator.x509.subject.common_name | List of common names (CN) of subject. | keyword |
-| threat.indicator.x509.subject.country | List of country \(C) code | keyword |
-| threat.indicator.x509.subject.distinguished_name | Distinguished name (DN) of the certificate subject entity. | keyword |
-| threat.indicator.x509.subject.locality | List of locality names (L) | keyword |
-| threat.indicator.x509.subject.organization | List of organizations (O) of subject. | keyword |
-| threat.indicator.x509.subject.organizational_unit | List of organizational units (OU) of subject. | keyword |
-| threat.indicator.x509.subject.state_or_province | List of state or province names (ST, S, or P) | keyword |
-| threat.indicator.x509.version_number | Version of x509 format. | keyword |
An example event for `apt` looks as following:
@@ -998,65 +691,20 @@ An example event for `apt` looks as following:
| Field | Description | Type |
|---|---|---|
| @timestamp | Event timestamp. | date |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
| data_stream.dataset | Data stream dataset. | constant_keyword |
| data_stream.namespace | Data stream namespace. | constant_keyword |
| data_stream.type | Data stream type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| error.message | Error message. | match_only_text |
| eset.id | The UID of the event object. | keyword |
| eset.labels | Threat labels. | keyword |
| eset.valid_until | Event expiration date. | date |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date |
| event.dataset | Event dataset | constant_keyword |
-| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword |
| event.module | Event module | constant_keyword |
-| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
-| host.architecture | Operating system architecture. | keyword |
| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
| host.os.build | OS build information. | keyword |
| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
| input.type | Input type. | keyword |
| labels.is_ioc_transform_source | Field indicating if its the transform source for supporting IOC expiration. This field is dropped from destination indices to facilitate easier filtering of indicators. | constant_keyword |
-| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text |
-| tags | List of keywords used to tag each event. | keyword |
-| threat.feed.name | The name of the threat feed in UI friendly format. | keyword |
-| threat.indicator.confidence | Identifies the vendor-neutral confidence rating using the None/Low/Medium/High scale defined in Appendix A of the STIX 2.1 framework. Vendor-specific confidence scales may be added as custom fields. | keyword |
-| threat.indicator.description | Describes the type of action conducted by the threat. | keyword |
-| threat.indicator.last_seen | The date and time when intelligence source last reported sighting this indicator. | date |
-| threat.indicator.modified_at | The date and time when intelligence source last modified information for this indicator. | date |
-| threat.indicator.name | The display name indicator in an UI friendly format URL, IP address, email address, registry key, port number, hash value, or other relevant name can serve as the display name. | keyword |
-| threat.indicator.provider | The name of the indicator's provider. | keyword |
-| threat.indicator.type | Type of indicator as represented by Cyber Observable in STIX 2.0. | keyword |
-| threat.indicator.url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard |
-| threat.indicator.url.original.text | Multi-field of `threat.indicator.url.original`. | match_only_text |
An example event for `url` looks as following:
diff --git a/packages/ti_eset/manifest.yml b/packages/ti_eset/manifest.yml
index 251198e8869..5d49543d3a5 100644
--- a/packages/ti_eset/manifest.yml
+++ b/packages/ti_eset/manifest.yml
@@ -1,7 +1,7 @@
format_version: 3.0.3
name: ti_eset
title: "ESET Threat Intelligence"
-version: 1.1.1
+version: "1.2.0"
description: "Ingest threat intelligence indicators from ESET Threat Intelligence with Elastic Agent."
type: integration
categories:
@@ -9,7 +9,7 @@ categories:
- threat_intel
conditions:
kibana:
- version: "^8.12.0"
+ version: "^8.13.0"
elastic:
subscription: "basic"
screenshots:
diff --git a/packages/ti_maltiverse/changelog.yml b/packages/ti_maltiverse/changelog.yml
index 859efb5d827..0f30d18f9ef 100644
--- a/packages/ti_maltiverse/changelog.yml
+++ b/packages/ti_maltiverse/changelog.yml
@@ -1,3 +1,8 @@
+- version: "1.2.0"
+ changes:
+ - description: Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/10135
- version: "1.1.1"
changes:
- description: Add missing fields for detection rules.
diff --git a/packages/ti_maltiverse/data_stream/indicator/fields/ecs.yml b/packages/ti_maltiverse/data_stream/indicator/fields/ecs.yml
deleted file mode 100644
index 92f7f496949..00000000000
--- a/packages/ti_maltiverse/data_stream/indicator/fields/ecs.yml
+++ /dev/null
@@ -1,88 +0,0 @@
-- external: ecs
- name: ecs.version
-- external: ecs
- name: message
-- external: ecs
- name: tags
-- external: ecs
- name: error.message
-- external: ecs
- name: event.severity
-- external: ecs
- name: event.category
-- external: ecs
- name: event.id
-- external: ecs
- name: event.ingested
-- external: ecs
- name: event.kind
-- external: ecs
- name: event.type
-- external: ecs
- name: event.created
-- external: ecs
- name: event.original
-- external: ecs
- name: threat.indicator.description
-- external: ecs
- name: threat.feed.reference
-- external: ecs
- name: threat.indicator.first_seen
-- external: ecs
- name: threat.indicator.last_seen
-- external: ecs
- name: threat.indicator.type
-- external: ecs
- name: threat.indicator.ip
-- external: ecs
- name: threat.indicator.url.domain
-- external: ecs
- name: threat.indicator.url.full
-- external: ecs
- name: threat.indicator.url.extension
-- external: ecs
- name: threat.indicator.url.original
-- external: ecs
- name: threat.indicator.url.path
-- external: ecs
- name: threat.indicator.url.port
-- external: ecs
- name: threat.indicator.url.scheme
-- external: ecs
- name: threat.indicator.url.query
-- external: ecs
- name: threat.indicator.url.registered_domain
-- external: ecs
- name: threat.indicator.url.top_level_domain
-- external: ecs
- name: threat.indicator.file.hash.md5
-- external: ecs
- name: threat.indicator.file.hash.sha1
-- external: ecs
- name: threat.indicator.file.hash.sha256
-- external: ecs
- name: threat.indicator.file.hash.sha512
-- external: ecs
- name: threat.indicator.email.address
-- external: ecs
- name: threat.indicator.provider
-- external: ecs
- name: threat.indicator.marking.tlp
-- external: ecs
- name: threat.indicator.confidence
-- external: ecs
- name: threat.indicator.as.number
-- external: ecs
- name: threat.indicator.as.organization.name
-- external: ecs
- name: threat.indicator.geo.location
-- external: ecs
- name: threat.indicator.geo.city_name
-- external: ecs
- name: threat.indicator.geo.country_iso_code
-- external: ecs
- name: threat.indicator.sightings
-- external: ecs
- name: threat.indicator.reference
-- external: ecs
- name: labels
diff --git a/packages/ti_maltiverse/docs/README.md b/packages/ti_maltiverse/docs/README.md
index 78bd973b5a3..b78c32f1c83 100644
--- a/packages/ti_maltiverse/docs/README.md
+++ b/packages/ti_maltiverse/docs/README.md
@@ -27,20 +27,9 @@ Both, the data_stream and the _latest index have applied expiration through ILM
| data_stream.dataset | Data stream dataset. | constant_keyword |
| data_stream.namespace | Data stream namespace. | constant_keyword |
| data_stream.type | Data stream type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| error.message | Error message. | match_only_text |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date |
| event.dataset | Event dataset | constant_keyword |
-| event.id | Unique ID to describe the event. | keyword |
-| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword |
| event.module | Event module | constant_keyword |
-| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
-| event.severity | The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. | long |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
| input.type | Input type. | keyword |
-| labels | Custom key/value pairs. Can be used to add meta information to events. Should not contain nested objects. All values are stored as keyword. Example: `docker` and `k8s` labels. | object |
| labels.is_ioc_transform_source | Field indicating if its the transform source for supporting IOC expiration. This field is dropped from destination indices to facilitate easier filtering of indicators. | constant_keyword |
| maltiverse.address | registered address | keyword |
| maltiverse.address.address | Multi-field of `maltiverse.address`. | match_only_text |
@@ -100,42 +89,6 @@ Both, the data_stream and the _latest index have applied expiration through ILM | maltiverse.tag | Tags of the threat | keyword | | maltiverse.type | Type of the threat | keyword | | maltiverse.urlchecksum | | keyword | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| tags | List of keywords used to tag each event. | keyword | -| threat.feed.reference | Reference information for the threat feed in a UI friendly format. | keyword | -| threat.indicator.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| threat.indicator.as.organization.name | Organization name. | keyword | -| threat.indicator.as.organization.name.text | Multi-field of `threat.indicator.as.organization.name`. | match_only_text | -| threat.indicator.confidence | Identifies the vendor-neutral confidence rating using the None/Low/Medium/High scale defined in Appendix A of the STIX 2.1 framework. Vendor-specific confidence scales may be added as custom fields. | keyword | -| threat.indicator.description | Describes the type of action conducted by the threat. | keyword | -| threat.indicator.email.address | Identifies a threat indicator as an email address (irrespective of direction). | keyword | -| threat.indicator.file.hash.md5 | MD5 hash. | keyword | -| threat.indicator.file.hash.sha1 | SHA1 hash. | keyword | -| threat.indicator.file.hash.sha256 | SHA256 hash. | keyword | -| threat.indicator.file.hash.sha512 | SHA512 hash. | keyword | -| threat.indicator.first_seen | The date and time when intelligence source first reported sighting this indicator. 
| date | -| threat.indicator.geo.city_name | City name. | keyword | -| threat.indicator.geo.country_iso_code | Country ISO code. | keyword | -| threat.indicator.geo.location | Longitude and latitude. | geo_point | -| threat.indicator.ip | Identifies a threat indicator as an IP address (irrespective of direction). | ip | -| threat.indicator.last_seen | The date and time when intelligence source last reported sighting this indicator. | date | -| threat.indicator.marking.tlp | Traffic Light Protocol sharing markings. | keyword | -| threat.indicator.provider | The name of the indicator's provider. | keyword | -| threat.indicator.reference | Reference URL linking to additional information about this indicator. | keyword | -| threat.indicator.sightings | Number of times this indicator was observed conducting threat activity. | long | -| threat.indicator.type | Type of indicator as represented by Cyber Observable in STIX 2.0. | keyword | -| threat.indicator.url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | -| threat.indicator.url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | -| threat.indicator.url.full | If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. 
| wildcard | -| threat.indicator.url.full.text | Multi-field of `threat.indicator.url.full`. | match_only_text | -| threat.indicator.url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | -| threat.indicator.url.original.text | Multi-field of `threat.indicator.url.original`. | match_only_text | -| threat.indicator.url.path | Path of the request, such as "/search". | wildcard | -| threat.indicator.url.port | Port of the request, such as 443. | long | -| threat.indicator.url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword | -| threat.indicator.url.registered_domain | The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| threat.indicator.url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword | -| threat.indicator.url.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). 
Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | An example event for `indicator` looks as following: diff --git a/packages/ti_maltiverse/manifest.yml b/packages/ti_maltiverse/manifest.yml index 08c6e9d5a37..f9fe5f2ba49 100644 --- a/packages/ti_maltiverse/manifest.yml +++ b/packages/ti_maltiverse/manifest.yml @@ -1,13 +1,13 @@ name: ti_maltiverse title: Maltiverse -version: "1.1.1" +version: "1.2.0" description: Ingest threat intelligence indicators from Maltiverse feeds with Elastic Agent type: integration format_version: 3.0.2 categories: ["security", "threat_intel"] conditions: kibana: - version: ^8.12.0 + version: "^8.13.0" icons: - src: /img/logo-maltiverse.svg title: Maltiverse diff --git a/packages/ti_mandiant_advantage/_dev/build/build.yml b/packages/ti_mandiant_advantage/_dev/build/build.yml index b33ec9554e4..2bfcfc223b0 100644 --- a/packages/ti_mandiant_advantage/_dev/build/build.yml +++ b/packages/ti_mandiant_advantage/_dev/build/build.yml @@ -1,3 +1,3 @@ dependencies: ecs: - reference: git@8.11 + reference: "git@v8.11.0" diff --git a/packages/ti_mandiant_advantage/changelog.yml b/packages/ti_mandiant_advantage/changelog.yml index c357cb02190..fc6f6a0b178 100644 --- a/packages/ti_mandiant_advantage/changelog.yml +++ b/packages/ti_mandiant_advantage/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.3.0" + changes: + - description: ECS version updated to 8.11.0. Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template. + type: enhancement + link: https://github.com/elastic/integrations/pull/10135 - version: "1.2.0" changes: - description: Improve handling of empty responses. 
diff --git a/packages/ti_mandiant_advantage/data_stream/threat_intelligence/fields/ecs.yml b/packages/ti_mandiant_advantage/data_stream/threat_intelligence/fields/ecs.yml
index b99f4c3fe77..3c8e64b475d 100644
--- a/packages/ti_mandiant_advantage/data_stream/threat_intelligence/fields/ecs.yml
+++ b/packages/ti_mandiant_advantage/data_stream/threat_intelligence/fields/ecs.yml
@@ -1,164 +1,3 @@
 - external: ecs
 name: cloud.account.id
 dimension: true
-- external: ecs
- name: cloud.account.name
-- external: ecs
- name: cloud.availability_zone
-- external: ecs
- name: cloud.instance.id
-- external: ecs
- name: cloud.machine.type
-- external: ecs
- name: cloud.provider
-- external: ecs
- name: cloud.region
-- external: ecs
- name: container.id
-- external: ecs
- name: container.image.name
-- external: ecs
- name: container.labels
-- external: ecs
- name: container.name
-- external: ecs
- name: ecs.version
-- external: ecs
- name: error.message
-- external: ecs
- name: event.category
-- external: ecs
- name: event.created
-- external: ecs
- name: event.kind
-- external: ecs
- name: event.module
-- external: ecs
- name: event.original
-- external: ecs
- name: event.risk_score
-- external: ecs
- name: event.type
-- external: ecs
- name: related.hash
-- external: ecs
- name: related.ip
-- external: ecs
- name: tags
-- external: ecs
- name: threat.indicator.as.number
-- external: ecs
- name: threat.indicator.as.organization.name
-- external: ecs
- name: threat.indicator.confidence
-- external: ecs
- name: threat.indicator.description
-- external: ecs
- name: threat.indicator.email.address
-- external: ecs
- name: threat.indicator.file.hash.md5
-- external: ecs
- name: threat.indicator.file.hash.sha1
-- external: ecs
- name: threat.indicator.file.hash.sha256
-- external: ecs
- name: threat.indicator.file.hash.sha384
-- external: ecs
- name: threat.indicator.file.hash.sha512
-- external: ecs
- name: threat.indicator.first_seen
-- external: ecs
- name: threat.indicator.geo.city_name
-- external: ecs
- name: threat.indicator.geo.continent_name
-- external: ecs
- name: threat.indicator.geo.country_iso_code
-- external: ecs
- name: threat.indicator.geo.country_name
-- external: ecs
- name: threat.indicator.geo.location
-- external: ecs
- name: threat.indicator.geo.region_iso_code
-- external: ecs
- name: threat.indicator.geo.region_name
-- external: ecs
- name: threat.indicator.ip
-- external: ecs
- name: threat.indicator.last_seen
-- external: ecs
- name: threat.indicator.modified_at
-- external: ecs
- name: threat.indicator.provider
-- external: ecs
- name: threat.indicator.type
-- external: ecs
- name: threat.indicator.url.domain
-- external: ecs
- name: threat.indicator.url.extension
-- external: ecs
- name: threat.indicator.url.fragment
-- external: ecs
- name: threat.indicator.url.full
- ignore_above: 4096
-- external: ecs
- name: threat.indicator.url.original
- ignore_above: 4096
-- external: ecs
- name: threat.indicator.url.password
-- external: ecs
- name: threat.indicator.url.path
-- external: ecs
- name: threat.indicator.url.port
-- external: ecs
- name: threat.indicator.url.query
- ignore_above: 4096
-- external: ecs
- name: threat.indicator.url.registered_domain
-- external: ecs
- name: threat.indicator.url.scheme
-- external: ecs
- name: threat.indicator.url.subdomain
-- external: ecs
- name: threat.indicator.url.top_level_domain
-- external: ecs
- name: threat.indicator.url.username
-- external: ecs
- name: threat.group.id
-- external: ecs
- name: threat.group.name
-- external: ecs
- name: threat.software.type
-- external: ecs
- name: threat.software.name
-- external: ecs
- name: threat.feed.name
-- external: ecs
- name: threat.indicator.marking.tlp
-- external: ecs
- name: threat.indicator.marking.tlp_version
-- external: ecs
- name: host.architecture
-- external: ecs
- name: host.domain
-- external: ecs
- name: host.hostname
-- external: ecs
- name: host.id
-- external: ecs
- name: host.ip
-- external: ecs
- name: host.mac
-- external: ecs
- name: host.name
-- external: ecs
- name: host.os.family
-- external: ecs
- name: host.os.kernel
-- external: ecs
- name: host.os.name
-- external: ecs
- name: host.os.platform
-- external: ecs
- name: host.os.version
-- external: ecs
- name: host.type
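Review bot: The removed entries for `threat.indicator.url.full`, `threat.indicator.url.original` and `threat.indicator.url.query` each carried an explicit `ignore_above: 4096`, and nothing in this hunk preserves that limit once the fields are mapped only by the ecs@mappings component template. If the template applies a smaller ignore_above to any of these (not determinable from this diff), URL indicators longer than that limit are ingested without error but left out of the index, so they never match in indicator-match rules — a silent coverage gap rather than a visible failure. Please verify the template's mapping for the three fields and, if it is stricter, keep the three `ignore_above: 4096` overrides in this file instead of deleting them. `threat.indicator.file.hash.sha384` deserves the same check, since it is only covered if the template's hash pattern includes it.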
diff --git a/packages/ti_mandiant_advantage/data_stream/threat_intelligence/sample_event.json b/packages/ti_mandiant_advantage/data_stream/threat_intelligence/sample_event.json
index 92a0a1a0a7d..6f5268c698e 100644
--- a/packages/ti_mandiant_advantage/data_stream/threat_intelligence/sample_event.json
+++ b/packages/ti_mandiant_advantage/data_stream/threat_intelligence/sample_event.json
@@ -1,7 +1,7 @@
 {
 "@timestamp": "2023-05-05T15:45:59.710Z",
 "ecs": {
- "version": "8.7.0"
+ "version": "8.11.0"
 },
 "event": {
 "category": [
@@ -9,7 +9,7 @@
 ],
 "kind": "enrichment",
 "module": "ti_mandiant_advantage_threat_intelligence",
- "risk_score": 50.0,
+ "risk_score": 50,
 "type": [
 "indicator"
 ]
diff --git a/packages/ti_mandiant_advantage/docs/README.md b/packages/ti_mandiant_advantage/docs/README.md
index 3e1267d9baf..9cc42076a82 100644
--- a/packages/ti_mandiant_advantage/docs/README.md
+++ b/packages/ti_mandiant_advantage/docs/README.md
@@ -59,7 +59,7 @@ An example event for `threat_intelligence` looks as following:
 {
 "@timestamp": "2023-05-05T15:45:59.710Z",
 "ecs": {
- "version": "8.7.0"
+ "version": "8.11.0"
 },
 "event": {
 "category": [
@@ -67,7 +67,7 @@ An example event for `threat_intelligence` looks as following:
 ],
 "kind": "enrichment",
 "module": "ti_mandiant_advantage_threat_intelligence",
- "risk_score": 50.0,
+ "risk_score": 50,
 "type": [
 "indicator"
 ]
@@ -168,46 +168,13 @@ An example event for `threat_intelligence` looks as following: |---|---|---| | @timestamp | Event timestamp. | date | | cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | -| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | | cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host, resource, or service is located. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | | data_stream.dataset | Data stream dataset. | constant_keyword | | data_stream.namespace | Data stream namespace. | constant_keyword | | data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.message | Error message. | match_only_text | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. 
`event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date | | event.dataset | Event dataset | constant_keyword | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword | -| event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. | keyword | -| event.original | Raw text message of entire event. 
Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.risk_score | Risk score or priority of the event (e.g. security solutions). Use your system's original value here. | float | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | -| host.name | Name of the host. 
It can contain what hostname returns on Unix systems, the fully qualified domain name (FQDN), or a name specified by the user. The recommended value is the lowercase FQDN of the host. | keyword | | host.os.build | OS build information. | keyword | | host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | match_only_text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | input.type | Input type | keyword | | log.offset | Log offset | long | | mandiant.threat_intelligence.ioc.associated_hashes | List of associated hashes and their types. | object | 
@@ -222,54 +189,4 @@ An example event for `threat_intelligence` looks as following: | mandiant.threat_intelligence.ioc.sources | List of the indicator sources. | object | | mandiant.threat_intelligence.ioc.type | IOC type. | keyword | | mandiant.threat_intelligence.ioc.value | IOC value. | keyword | -| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| tags | List of keywords used to tag each event. | keyword | -| threat.feed.name | The name of the threat feed in UI friendly format. | keyword | -| threat.group.id | The id of the group for a set of related intrusion activity that are tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® group id. | keyword | -| threat.group.name | The name of the group for a set of related intrusion activity that are tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® group name. | keyword | -| threat.indicator.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| threat.indicator.as.organization.name | Organization name. | keyword | -| threat.indicator.as.organization.name.text | Multi-field of `threat.indicator.as.organization.name`. | match_only_text | -| threat.indicator.confidence | Identifies the vendor-neutral confidence rating using the None/Low/Medium/High scale defined in Appendix A of the STIX 2.1 framework. Vendor-specific confidence scales may be added as custom fields. | keyword | -| threat.indicator.description | Describes the type of action conducted by the threat. 
| keyword | -| threat.indicator.email.address | Identifies a threat indicator as an email address (irrespective of direction). | keyword | -| threat.indicator.file.hash.md5 | MD5 hash. | keyword | -| threat.indicator.file.hash.sha1 | SHA1 hash. | keyword | -| threat.indicator.file.hash.sha256 | SHA256 hash. | keyword | -| threat.indicator.file.hash.sha384 | SHA384 hash. | keyword | -| threat.indicator.file.hash.sha512 | SHA512 hash. | keyword | -| threat.indicator.first_seen | The date and time when intelligence source first reported sighting this indicator. | date | -| threat.indicator.geo.city_name | City name. | keyword | -| threat.indicator.geo.continent_name | Name of the continent. | keyword | -| threat.indicator.geo.country_iso_code | Country ISO code. | keyword | -| threat.indicator.geo.country_name | Country name. | keyword | -| threat.indicator.geo.location | Longitude and latitude. | geo_point | -| threat.indicator.geo.region_iso_code | Region ISO code. | keyword | -| threat.indicator.geo.region_name | Region name. | keyword | -| threat.indicator.ip | Identifies a threat indicator as an IP address (irrespective of direction). | ip | -| threat.indicator.last_seen | The date and time when intelligence source last reported sighting this indicator. | date | -| threat.indicator.marking.tlp | Traffic Light Protocol sharing markings. | keyword | -| threat.indicator.marking.tlp_version | Traffic Light Protocol version. | keyword | -| threat.indicator.modified_at | The date and time when intelligence source last modified information for this indicator. | date | -| threat.indicator.provider | The name of the indicator's provider. | keyword | -| threat.indicator.type | Type of indicator as represented by Cyber Observable in STIX 2.0. | keyword | -| threat.indicator.url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. 
If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | -| threat.indicator.url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | -| threat.indicator.url.fragment | Portion of the url after the `#`, such as "top". The `#` is not part of the fragment. | keyword | -| threat.indicator.url.full | If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. | wildcard | -| threat.indicator.url.full.text | Multi-field of `threat.indicator.url.full`. | match_only_text | -| threat.indicator.url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | -| threat.indicator.url.original.text | Multi-field of `threat.indicator.url.original`. | match_only_text | -| threat.indicator.url.password | Password of the request. | keyword | -| threat.indicator.url.path | Path of the request, such as "/search". | wildcard | -| threat.indicator.url.port | Port of the request, such as 443. | long | -| threat.indicator.url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. 
The `exists` query can be used to differentiate between the two cases. | keyword | -| threat.indicator.url.registered_domain | The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| threat.indicator.url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword | -| threat.indicator.url.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | -| threat.indicator.url.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| threat.indicator.url.username | Username of the request. | keyword | -| threat.software.name | The name of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software name. 
| keyword | -| threat.software.type | The type of software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software type. | keyword | diff --git a/packages/ti_mandiant_advantage/manifest.yml b/packages/ti_mandiant_advantage/manifest.yml index 1f6d30be0d8..c3414188796 100644 --- a/packages/ti_mandiant_advantage/manifest.yml +++ b/packages/ti_mandiant_advantage/manifest.yml @@ -1,7 +1,7 @@ format_version: 3.0.2 name: ti_mandiant_advantage title: "Mandiant Advantage" -version: 1.2.0 +version: "1.3.0" source: license: "Elastic-2.0" description: "Collect Threat Intelligence from products within the Mandiant Advantage platform." @@ -11,7 +11,7 @@ categories: - security conditions: kibana: - version: "^8.12.0" + version: "^8.13.0" elastic: subscription: basic screenshots: diff --git a/packages/ti_misp/changelog.yml b/packages/ti_misp/changelog.yml index 85377169535..9d2f13560cd 100644 --- a/packages/ti_misp/changelog.yml +++ b/packages/ti_misp/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.35.0" + changes: + - description: Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template. + type: enhancement + link: https://github.com/elastic/integrations/pull/10135 - version: "1.34.0" changes: - description: Allow user configuration of event limit in threat data stream. diff --git a/packages/ti_misp/data_stream/threat/fields/agent.yml b/packages/ti_misp/data_stream/threat/fields/agent.yml index da4e652c53b..2bc58530bac 100644 --- a/packages/ti_misp/data_stream/threat/fields/agent.yml +++ b/packages/ti_misp/data_stream/threat/fields/agent.yml 
@@ -5,180 +5,15 @@ footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' type: group fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - name: image.id type: keyword description: Image ID for the cloud instance. -- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. 
- - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. - name: host title: Host group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' type: group fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. 
- - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - name: containerized type: boolean description: > diff --git a/packages/ti_misp/data_stream/threat/fields/beats.yml b/packages/ti_misp/data_stream/threat/fields/beats.yml index cb44bb29442..96190255552 100644 --- a/packages/ti_misp/data_stream/threat/fields/beats.yml 
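Review bot: Removing the `host.os.name` block here also removes its `multi_fields` text sub-field, so `host.os.name.text` (which this commit's README hunk drops from the field table as well) now depends entirely on the ecs@mappings component template that the changelog entry names. The same holds for every `host.*`, `cloud.*` and `container.*` mapping deleted in this hunk: only the non-ECS `cloud.image.id` and `host.containerized` survive, and nothing in the package asserts that the template on the target stack (^8.13.0 per the changelog) yields the expected types, so a pipeline or system test checking e.g. that `host.ip` is mapped as `ip` would pin that dependency. The threat_attributes agent.yml hunk is the same change on an identical blob (both show `index da4e652c53b..2bc58530bac`) and has the same gap. A short comment at the top of each file, such as `# Only non-ECS agent fields are declared here; ECS host.*/cloud.*/container.* mappings come from ecs@mappings (stack 8.13+)`, would explain to the next maintainer why those two fields were kept.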
+++ b/packages/ti_misp/data_stream/threat/fields/beats.yml
@@ -7,6 +7,3 @@
 - name: log.offset
 type: long
 description: Offset of the entry in the log file.
-- name: log.file.path
- type: keyword
- description: Path to the log file.
diff --git a/packages/ti_misp/data_stream/threat/fields/ecs.yml b/packages/ti_misp/data_stream/threat/fields/ecs.yml
deleted file mode 100644
index 31cdaf0274f..00000000000
--- a/packages/ti_misp/data_stream/threat/fields/ecs.yml
+++ /dev/null
@@ -1,76 +0,0 @@
-- external: ecs
- name: ecs.version
-- external: ecs
- name: message
-- external: ecs
- name: tags
-- external: ecs
- name: error.message
-- external: ecs
- name: event.category
-- external: ecs
- name: event.ingested
-- external: ecs
- name: event.created
-- external: ecs
- name: event.kind
-- external: ecs
- name: event.type
-- external: ecs
- name: event.original
-- external: ecs
- name: user.email
-- external: ecs
- name: user.roles
-- external: ecs
- name: threat.indicator.first_seen
-- external: ecs
- name: threat.indicator.last_seen
-- external: ecs
- name: threat.indicator.scanner_stats
-- external: ecs
- name: threat.indicator.type
-- external: ecs
- name: threat.indicator.ip
-- external: ecs
- name: threat.indicator.url.domain
-- external: ecs
- name: threat.indicator.url.full
-- external: ecs
- name: threat.indicator.url.extension
-- external: ecs
- name: threat.indicator.url.original
-- external: ecs
- name: threat.indicator.url.path
-- external: ecs
- name: threat.indicator.url.port
-- external: ecs
- name: threat.indicator.url.scheme
-- external: ecs
- name: threat.indicator.url.query
-- external: ecs
- name: threat.indicator.email.address
-- external: ecs
- name: threat.indicator.provider
-- external: ecs
- name: threat.indicator.as.number
-- external: ecs
- name: threat.indicator.file.hash.md5
-- external: ecs
- name: threat.indicator.file.hash.sha1
-- external: ecs
- name: threat.indicator.file.hash.sha256
-- external: ecs
- name: threat.indicator.marking.tlp
-- external: ecs
- name: threat.indicator.port
-- external: ecs
- name: threat.indicator.registry.key
-- external: ecs
- name: threat.indicator.registry.value
-- external: ecs
- name: threat.indicator.file.size
-- external: ecs
- name: threat.indicator.file.type
-- external: ecs
- name: threat.indicator.file.name
diff --git a/packages/ti_misp/data_stream/threat_attributes/fields/agent.yml b/packages/ti_misp/data_stream/threat_attributes/fields/agent.yml
index da4e652c53b..2bc58530bac 100644
--- a/packages/ti_misp/data_stream/threat_attributes/fields/agent.yml
+++ b/packages/ti_misp/data_stream/threat_attributes/fields/agent.yml
@@ -5,180 +5,15 @@ footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' type: group fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - name: image.id type: keyword description: Image ID for the cloud instance. -- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. 
- - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. - name: host title: Host group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' type: group fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. 
- - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - name: containerized type: boolean description: > diff --git a/packages/ti_misp/data_stream/threat_attributes/fields/beats.yml b/packages/ti_misp/data_stream/threat_attributes/fields/beats.yml index cb44bb29442..96190255552 100644 
--- a/packages/ti_misp/data_stream/threat_attributes/fields/beats.yml
+++ b/packages/ti_misp/data_stream/threat_attributes/fields/beats.yml
@@ -7,6 +7,3 @@
 - name: log.offset
 type: long
 description: Offset of the entry in the log file.
-- name: log.file.path
- type: keyword
- description: Path to the log file.
diff --git a/packages/ti_misp/data_stream/threat_attributes/fields/ecs.yml b/packages/ti_misp/data_stream/threat_attributes/fields/ecs.yml
index a9f7e59c644..258b3f57396 100644
--- a/packages/ti_misp/data_stream/threat_attributes/fields/ecs.yml
+++ b/packages/ti_misp/data_stream/threat_attributes/fields/ecs.yml
@@ -1,82 +1,2 @@
-- external: ecs
- name: ecs.version
-- external: ecs
- name: message
-- external: ecs
- name: tags
-- external: ecs
- name: error.message
-- external: ecs
- name: event.category
-- external: ecs
- name: event.ingested
-- external: ecs
- name: event.created
-- external: ecs
- name: event.kind
-- external: ecs
- name: event.type
-- external: ecs
- name: event.original
-- external: ecs
- name: user.email
-- external: ecs
- name: user.roles
-- external: ecs
- name: threat.indicator.first_seen
-- external: ecs
- name: threat.indicator.last_seen
-- external: ecs
- name: threat.indicator.scanner_stats
-- external: ecs
- name: threat.indicator.type
-- external: ecs
- name: threat.indicator.ip
-- external: ecs
- name: threat.indicator.url.domain
-- external: ecs
- name: threat.indicator.url.full
-- external: ecs
- name: threat.indicator.url.extension
-- external: ecs
- name: threat.indicator.url.original
-- external: ecs
- name: threat.indicator.url.path
-- external: ecs
- name: threat.indicator.url.port
-- external: ecs
- name: threat.indicator.url.scheme
-- external: ecs
- name: threat.indicator.url.query
-- external: ecs
- name: threat.indicator.email.address
-- external: ecs
- name: threat.indicator.provider
-- external: ecs
- name: threat.indicator.as.number
-- external: ecs
- name: threat.indicator.file.hash.md5
-- external: ecs
- name: threat.indicator.file.hash.sha1
-- external: ecs
- name: threat.indicator.file.hash.sha256
-- external: ecs
- name: threat.indicator.marking.tlp
-- external: ecs
- name: threat.indicator.port
-- external: ecs
- name: threat.indicator.registry.key
-- external: ecs
- name: threat.indicator.registry.value
-- external: ecs
- name: threat.indicator.file.size
-- external: ecs
- name: threat.indicator.file.type
-- external: ecs
- name: threat.indicator.file.name
-- external: ecs
- name: organization.id
-- external: ecs
- name: labels
 - name: threat.indicator.email.subject
 type: keyword
diff --git a/packages/ti_misp/docs/README.md b/packages/ti_misp/docs/README.md
index 497af09798c..182de98481b 100644
--- a/packages/ti_misp/docs/README.md
+++ b/packages/ti_misp/docs/README.md
@@ -16,54 +16,18 @@ The filters themselves are based on the [MISP API documentation](https://www.cir
 | Field | Description | Type |
 |---|---|---|
 | @timestamp | Event timestamp. | date |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
 | cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
 | data_stream.dataset | Data stream dataset name. | constant_keyword |
 | data_stream.namespace | Data stream namespace. | constant_keyword |
 | data_stream.type | Data stream type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| error.message | Error message. | match_only_text |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories.
For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date |
 | event.dataset | Event dataset | constant_keyword |
-| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled.
They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword |
 | event.module | Event module | constant_keyword |
-| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| host.architecture | Operating system architecture. | keyword |
 | host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host.
It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
 | host.os.build | OS build information. | keyword |
 | host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
 | input.type | Type of Filebeat input. | keyword |
-| log.file.path | Path to the log file. | keyword |
 | log.flags | Flags for the log file. | keyword |
 | log.offset | Offset of the entry in the log file. | long |
-| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text |
 | misp.attribute.category | The category of the attribute related to the event object. For example "Network Activity". | keyword |
 | misp.attribute.comment | Comments made to the attribute itself. | keyword |
 | misp.attribute.deleted | If the attribute has been removed from the event object. | boolean |
@@ -137,39 +101,8 @@ The filters themselves are based on the [MISP API documentation](https://www.cir
 | misp.orgc.local | If the Organization Community was local or synced from a remote source. | boolean |
 | misp.orgc.name | The Organization Community name in which the event object was reported from. | keyword |
 | misp.orgc.uuid | The Organization Community UUID in which the event object was reported from. | keyword |
-| tags | List of keywords used to tag each event. | keyword |
 | threat.feed.dashboard_id | Dashboard ID used for Kibana CTI UI | constant_keyword |
 | threat.feed.name | Display friendly feed name. | constant_keyword |
-| threat.indicator.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| threat.indicator.email.address | Identifies a threat indicator as an email address (irrespective of direction). | keyword |
-| threat.indicator.file.hash.md5 | MD5 hash. | keyword |
-| threat.indicator.file.hash.sha1 | SHA1 hash. | keyword |
-| threat.indicator.file.hash.sha256 | SHA256 hash. | keyword |
-| threat.indicator.file.name | Name of the file including the extension, without the directory. | keyword |
-| threat.indicator.file.size | File size in bytes. Only relevant when `file.type` is "file". | long |
-| threat.indicator.file.type | File type (file, dir, or symlink). | keyword |
-| threat.indicator.first_seen | The date and time when intelligence source first reported sighting this indicator. | date |
-| threat.indicator.ip | Identifies a threat indicator as an IP address (irrespective of direction). | ip |
-| threat.indicator.last_seen | The date and time when intelligence source last reported sighting this indicator. | date |
-| threat.indicator.marking.tlp | Traffic Light Protocol sharing markings. | keyword |
-| threat.indicator.port | Identifies a threat indicator as a port number (irrespective of direction).
| long |
-| threat.indicator.provider | The name of the indicator's provider. | keyword |
-| threat.indicator.registry.key | Hive-relative path of keys. | keyword |
-| threat.indicator.registry.value | Name of the value written. | keyword |
-| threat.indicator.scanner_stats | Count of AV/EDR vendors that successfully detected malicious file or URL. | long |
-| threat.indicator.type | Type of indicator as represented by Cyber Observable in STIX 2.0. | keyword |
-| threat.indicator.url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword |
-| threat.indicator.url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword |
-| threat.indicator.url.full | If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. | wildcard |
-| threat.indicator.url.full.text | Multi-field of `threat.indicator.url.full`. | match_only_text |
-| threat.indicator.url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not.
| wildcard |
-| threat.indicator.url.original.text | Multi-field of `threat.indicator.url.original`. | match_only_text |
-| threat.indicator.url.path | Path of the request, such as "/search". | wildcard |
-| threat.indicator.url.port | Port of the request, such as 443. | long |
-| threat.indicator.url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword |
-| threat.indicator.url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword |
-| user.email | User email address. | keyword |
-| user.roles | Array of user roles at the time of the event. | keyword |
 An example event for `threat` looks as following:
@@ -303,56 +236,19 @@ To facilitate IOC expiration, source datastream-backed indices `.ds-logs-ti_misp
| Field | Description | Type |
|---|---|---|
| @timestamp | Event timestamp. | date |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
| data_stream.dataset | Data stream dataset name. | constant_keyword |
| data_stream.namespace | Data stream namespace. | constant_keyword |
| data_stream.type | Data stream type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| error.message | Error message. | match_only_text |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories.
For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date |
| event.dataset | Event dataset | constant_keyword |
-| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled.
They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword |
| event.module | Event module | constant_keyword |
-| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| host.architecture | Operating system architecture. | keyword |
| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host.
It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
| host.os.build | OS build information. | keyword |
| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
| input.type | Type of Filebeat input. | keyword |
-| labels | Custom key/value pairs. Can be used to add meta information to events. Should not contain nested objects. All values are stored as keyword. Example: `docker` and `k8s` labels. | object |
| labels.is_ioc_transform_source | Field indicating if the document is a source for the transform. This field is not added to destination indices to facilitate easier filtering of indicators for indicator match rules. | constant_keyword |
-| log.file.path | Path to the log file. | keyword |
| log.flags | Flags for the log file. | keyword |
| log.offset | Offset of the entry in the log file. | long |
-| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message.
| match_only_text |
| misp.attribute.category | The category of the attribute. For example "Network Activity". | keyword |
| misp.attribute.comment | Comments made to the attribute itself. | keyword |
| misp.attribute.data | The data of the attribute | keyword |
@@ -406,40 +302,8 @@ To facilitate IOC expiration, source datastream-backed indices `.ds-logs-ti_misp
| misp.object.template_version | The version of attribute object's template. | keyword |
| misp.object.timestamp | The timestamp when the object was created. | date |
| misp.object.uuid | The UUID of the object in which the attribute is attached. | keyword |
-| organization.id | Unique identifier for the organization. | keyword |
-| tags | List of keywords used to tag each event. | keyword |
| threat.feed.dashboard_id | Dashboard ID used for Kibana CTI UI | constant_keyword |
| threat.feed.name | Display friendly feed name | constant_keyword |
-| threat.indicator.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| threat.indicator.email.address | Identifies a threat indicator as an email address (irrespective of direction). | keyword |
| threat.indicator.email.subject | | keyword |
-| threat.indicator.file.hash.md5 | MD5 hash. | keyword |
-| threat.indicator.file.hash.sha1 | SHA1 hash. | keyword |
-| threat.indicator.file.hash.sha256 | SHA256 hash. | keyword |
-| threat.indicator.file.name | Name of the file including the extension, without the directory. | keyword |
-| threat.indicator.file.size | File size in bytes. Only relevant when `file.type` is "file". | long |
-| threat.indicator.file.type | File type (file, dir, or symlink). | keyword |
-| threat.indicator.first_seen | The date and time when intelligence source first reported sighting this indicator. | date |
-| threat.indicator.ip | Identifies a threat indicator as an IP address (irrespective of direction). | ip |
-| threat.indicator.last_seen | The date and time when intelligence source last reported sighting this indicator. | date |
-| threat.indicator.marking.tlp | Traffic Light Protocol sharing markings.
| keyword |
-| threat.indicator.port | Identifies a threat indicator as a port number (irrespective of direction). | long |
-| threat.indicator.provider | The name of the indicator's provider. | keyword |
-| threat.indicator.registry.key | Hive-relative path of keys. | keyword |
-| threat.indicator.registry.value | Name of the value written. | keyword |
-| threat.indicator.scanner_stats | Count of AV/EDR vendors that successfully detected malicious file or URL. | long |
-| threat.indicator.type | Type of indicator as represented by Cyber Observable in STIX 2.0. | keyword |
-| threat.indicator.url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword |
-| threat.indicator.url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword |
-| threat.indicator.url.full | If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. | wildcard |
-| threat.indicator.url.full.text | Multi-field of `threat.indicator.url.full`. | match_only_text |
-| threat.indicator.url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path.
This field is meant to represent the URL as it was observed, complete or not. | wildcard |
-| threat.indicator.url.original.text | Multi-field of `threat.indicator.url.original`. | match_only_text |
-| threat.indicator.url.path | Path of the request, such as "/search". | wildcard |
-| threat.indicator.url.port | Port of the request, such as 443. | long |
-| threat.indicator.url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword |
-| threat.indicator.url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword |
-| user.email | User email address. | keyword |
-| user.roles | Array of user roles at the time of the event. | keyword |
diff --git a/packages/ti_misp/manifest.yml b/packages/ti_misp/manifest.yml
index 5abf8aec31c..112529722fd 100644
--- a/packages/ti_misp/manifest.yml
+++ b/packages/ti_misp/manifest.yml
@@ -1,13 +1,13 @@
name: ti_misp
title: MISP
-version: "1.34.0"
+version: "1.35.0"
description: Ingest threat intelligence indicators from MISP platform with Elastic Agent.
type: integration
format_version: "3.0.2"
categories: ["security", "threat_intel"]
conditions:
kibana:
- version: ^8.12.0
+ version: "^8.13.0"
icons:
- src: /img/misp.svg
title: MISP
diff --git a/packages/ti_opencti/_dev/build/build.yml b/packages/ti_opencti/_dev/build/build.yml
index 71f48ba2a9c..2bfcfc223b0 100644
--- a/packages/ti_opencti/_dev/build/build.yml
+++ b/packages/ti_opencti/_dev/build/build.yml
@@ -1,4 +1,3 @@
dependencies:
ecs:
reference: "git@v8.11.0"
- import_mappings: true
diff --git a/packages/ti_opencti/changelog.yml b/packages/ti_opencti/changelog.yml
index ba759a88b85..124b1855d9e 100644
--- a/packages/ti_opencti/changelog.yml
+++ b/packages/ti_opencti/changelog.yml
@@ -1,4 +1,9 @@
# newer versions go on top
+- version: "2.3.0"
+ changes:
+ - description: Removed import_mappings. Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/10135
- version: "2.2.0"
changes:
- description: Extend `threat.indicator.type` definition to allow ECS conformance.
diff --git a/packages/ti_opencti/data_stream/indicator/fields/ecs.yml b/packages/ti_opencti/data_stream/indicator/fields/ecs.yml
index b7f2d2f1a58..f6d9a652390 100644
--- a/packages/ti_opencti/data_stream/indicator/fields/ecs.yml
+++ b/packages/ti_opencti/data_stream/indicator/fields/ecs.yml
@@ -1,8 +1,4 @@
# Manually define these as a workaround for failing expected values validation
-- name: threat.indicator.name
- level: extended
- type: keyword
- description: The display name indicator in an UI friendly format
- name: threat.indicator.type
level: extended
type: keyword
@@ -39,174 +35,12 @@
- x509-certificate
- unknown
- port
-# Additional file hash algorithms
- name: threat.indicator.file.hash.sha3_256
type: keyword
description: SHA3-256 hash.
- name: threat.indicator.file.hash.sha3_512
type: keyword
description: SHA3-512 hash.
-# External ECS defintions, required by the transform
-- external: ecs
- name: ecs.version
-- external: ecs
- name: event.agent_id_status
-- external: ecs
- name: event.category
-- external: ecs
- name: event.created
-- external: ecs
- name: event.dataset
-- external: ecs
- name: event.id
-- external: ecs
- name: event.ingested
-- external: ecs
- name: event.kind
-- external: ecs
- name: event.original
-- external: ecs
- name: event.type
-- external: ecs
- name: related.hash
-- external: ecs
- name: related.hosts
-- external: ecs
- name: related.ip
-- external: ecs
- name: related.user
-- external: ecs
- name: tags
-- external: ecs
- name: threat.feed.dashboard_id
-- external: ecs
- name: threat.feed.description
-- external: ecs
- name: threat.feed.name
-- external: ecs
- name: threat.feed.reference
-- external: ecs
- name: threat.indicator.as.number
-- external: ecs
- name: threat.indicator.as.organization.name
-- external: ecs
- name: threat.indicator.confidence
-- external: ecs
- name: threat.indicator.description
-- external: ecs
- name: threat.indicator.email.address
-- external: ecs
- name: threat.indicator.file.accessed
-- external: ecs
- name: threat.indicator.file.created
-- external: ecs
- name: threat.indicator.file.directory
-- external: ecs
- name: threat.indicator.file.drive_letter
-- external: ecs
- name: threat.indicator.file.extension
-- external: ecs
- name: threat.indicator.file.hash.md5
-- external: ecs
- name: threat.indicator.file.hash.sha1
-- external: ecs
- name: threat.indicator.file.hash.sha256
-- external: ecs
- name: threat.indicator.file.hash.sha384
-- external: ecs
- name: threat.indicator.file.hash.sha512
-- external: ecs
- name: threat.indicator.file.hash.ssdeep
-- external: 
ecs
- name: threat.indicator.file.hash.tlsh
-- external: ecs
- name: threat.indicator.file.mime_type
-- external: ecs
- name: threat.indicator.file.mtime
-- external: ecs
- name: threat.indicator.file.name
-- external: ecs
- name: threat.indicator.file.path
-- external: ecs
- name: threat.indicator.file.size
-- external: ecs
- name: threat.indicator.file.type
-- external: ecs
- name: threat.indicator.ip
-- external: ecs
- name: threat.indicator.marking.tlp
-- external: ecs
- name: threat.indicator.modified_at
-- external: ecs
- name: threat.indicator.port
-- external: ecs
- name: threat.indicator.provider
-- external: ecs
- name: threat.indicator.reference
-- external: ecs
- name: threat.indicator.registry.data.bytes
-- external: ecs
- name: threat.indicator.registry.data.strings
-- external: ecs
- name: threat.indicator.registry.data.type
-- external: ecs
- name: threat.indicator.registry.hive
-- external: ecs
- name: threat.indicator.registry.key
-- external: ecs
- name: threat.indicator.registry.path
-- external: ecs
- name: threat.indicator.registry.value
-- external: ecs
- name: threat.indicator.url.domain
-- external: ecs
- name: threat.indicator.url.extension
-- external: ecs
- name: threat.indicator.url.fragment
-- external: ecs
- name: threat.indicator.url.full
-- external: ecs
- name: threat.indicator.url.original
-- external: ecs
- name: threat.indicator.url.password
-- external: ecs
- name: threat.indicator.url.path
-- external: ecs
- name: threat.indicator.url.port
-- external: ecs
- name: threat.indicator.url.query
-- external: ecs
- name: threat.indicator.url.registered_domain
-- external: ecs
- name: threat.indicator.url.scheme
-- external: ecs
- name: threat.indicator.url.subdomain
-- external: ecs
- name: threat.indicator.url.top_level_domain
-- external: ecs
- name: threat.indicator.url.username
-- external: ecs
- name: threat.indicator.x509.alternative_names
-- external: ecs
- name: threat.indicator.x509.issuer.common_name
-- external: ecs
- 
name: threat.indicator.x509.not_after
-- external: ecs
- name: threat.indicator.x509.not_before
-- external: ecs
- name: threat.indicator.x509.public_key_algorithm
-- external: ecs
- name: threat.indicator.x509.public_key_exponent
-- external: ecs
- name: threat.indicator.x509.serial_number
-- external: ecs
- name: threat.indicator.x509.signature_algorithm
-- external: ecs
- name: threat.indicator.x509.subject.common_name
-- external: ecs
- name: threat.indicator.x509.version_number
-# Below fields to be moved into base-fields.yml after kibana.version changed to >= 8.14
-# Related to fix: https://github.com/elastic/kibana/pull/177608
- name: event.module
type: constant_keyword
description: Event module
diff --git a/packages/ti_opencti/docs/README.md b/packages/ti_opencti/docs/README.md
index ede58b254d7..c8884ecc123 100644
--- a/packages/ti_opencti/docs/README.md
+++ b/packages/ti_opencti/docs/README.md
@@ -193,17 +193,7 @@ The documentation for ECS fields can be found at:
| data_stream.dataset | Data stream dataset. | constant_keyword |
| data_stream.namespace | Data stream namespace. | constant_keyword |
| data_stream.type | Data stream type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.agent_id_status | Agents are normally responsible for populating the `agent.id` field value. If the system receiving events is capable of validating the value based on authentication information for the client then this field can be used to reflect the outcome of that validation. For example if the agent's connection is authenticated with mTLS and the client cert contains the ID of the agent to which the cert was issued then the `agent.id` value in events can be checked against the certificate. If the values match then `event.agent_id_status: verified` is added to the event, otherwise one of the other allowed values should be used. If no validation is performed then the field should be omitted. The allowed values are: `verified` - The `agent.id` field value matches expected value obtained from auth metadata. `mismatch` - The `agent.id` field value does not match the expected value obtained from auth metadata. `missing` - There was no `agent.id` field in the event to validate. `auth_metadata_missing` - There was no auth metadata or it was missing information about the agent ID. | keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity.
This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date |
-| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword |
-| event.id | Unique ID to describe the event. | keyword |
-| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event.
For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword |
| event.module | Event module | constant_keyword |
-| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
| input.type | Input type. | keyword |
| labels.is_ioc_transform_source | Field indicating if the document is a source for the transform. This field is not added to destination indices to facilitate easier filtering of indicators for indicator match rules. | constant_keyword |
| opencti.indicator.creator_identity_class | The type of the creator of this indicator (e.g. "organization"). | keyword |
@@ -521,81 +511,7 @@ The documentation for ECS fields can be found at:
| opencti.observable.x509_certificate.validity_not_before | The date on which the certificate validity period begins. | date |
| opencti.observable.x509_certificate.value | The main value for the observable. | keyword |
| opencti.observable.x509_certificate.version | The version of the encoded certificate. | keyword |
-| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword |
-| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| related.user | All the user names or other user identifiers seen on the event. | keyword |
-| tags | List of keywords used to tag each event. | keyword |
-| threat.feed.dashboard_id | The saved object ID of the dashboard belonging to the threat feed for displaying dashboard links to threat feeds in Kibana. | keyword |
-| threat.feed.description | Description of the threat feed in a UI friendly format. | keyword |
-| threat.feed.name | The name of the threat feed in UI friendly format. | keyword |
-| threat.feed.reference | Reference information for the threat feed in a UI friendly format. | keyword |
-| threat.indicator.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| threat.indicator.as.organization.name | Organization name. | keyword |
-| threat.indicator.as.organization.name.text | Multi-field of `threat.indicator.as.organization.name`.
| match_only_text |
-| threat.indicator.confidence | Identifies the vendor-neutral confidence rating using the None/Low/Medium/High scale defined in Appendix A of the STIX 2.1 framework. Vendor-specific confidence scales may be added as custom fields. | keyword |
-| threat.indicator.description | Describes the type of action conducted by the threat. | keyword |
-| threat.indicator.email.address | Identifies a threat indicator as an email address (irrespective of direction). | keyword |
-| threat.indicator.file.accessed | Last time the file was accessed. Note that not all filesystems keep track of access time. | date |
-| threat.indicator.file.created | File creation time. Note that not all filesystems store the creation time. | date |
-| threat.indicator.file.directory | Directory where the file is located. It should include the drive letter, when appropriate. | keyword |
-| threat.indicator.file.drive_letter | Drive letter where the file is located. This field is only relevant on Windows. The value should be uppercase, and not include the colon. | keyword |
-| threat.indicator.file.extension | File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword |
-| threat.indicator.file.hash.md5 | MD5 hash. | keyword |
-| threat.indicator.file.hash.sha1 | SHA1 hash. | keyword |
-| threat.indicator.file.hash.sha256 | SHA256 hash. | keyword |
-| threat.indicator.file.hash.sha384 | SHA384 hash. | keyword |
| threat.indicator.file.hash.sha3_256 | SHA3-256 hash. | keyword |
| threat.indicator.file.hash.sha3_512 | SHA3-512 hash. | keyword |
-| threat.indicator.file.hash.sha512 | SHA512 hash. | keyword |
-| threat.indicator.file.hash.ssdeep | SSDEEP hash. | keyword |
-| threat.indicator.file.hash.tlsh | TLSH hash.
| keyword |
-| threat.indicator.file.mime_type | MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used. | keyword |
-| threat.indicator.file.mtime | Last time the file content was modified. | date |
-| threat.indicator.file.name | Name of the file including the extension, without the directory. | keyword |
-| threat.indicator.file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword |
-| threat.indicator.file.path.text | Multi-field of `threat.indicator.file.path`. | match_only_text |
-| threat.indicator.file.size | File size in bytes. Only relevant when `file.type` is "file". | long |
-| threat.indicator.file.type | File type (file, dir, or symlink). | keyword |
-| threat.indicator.ip | Identifies a threat indicator as an IP address (irrespective of direction). | ip |
-| threat.indicator.marking.tlp | Traffic Light Protocol sharing markings. | keyword |
-| threat.indicator.modified_at | The date and time when intelligence source last modified information for this indicator. | date |
-| threat.indicator.name | The display name indicator in an UI friendly format | keyword |
-| threat.indicator.port | Identifies a threat indicator as a port number (irrespective of direction). | long |
-| threat.indicator.provider | The name of the indicator's provider. | keyword |
-| threat.indicator.reference | Reference URL linking to additional information about this indicator. | keyword |
-| threat.indicator.registry.data.bytes | Original bytes written with base64 encoding. For Windows registry operations, such as SetValueEx and RegQueryValueEx, this corresponds to the data pointed by `lp_data`. This is optional but provides better recoverability and should be populated for REG_BINARY encoded values.
| keyword |
-| threat.indicator.registry.data.strings | Content when writing string types. Populated as an array when writing string data to the registry. For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. For sequences of string with REG_MULTI_SZ, this array will be variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g `"1"`). | wildcard |
-| threat.indicator.registry.data.type | Standard registry type for encoding contents | keyword |
-| threat.indicator.registry.hive | Abbreviated name for the hive. | keyword |
-| threat.indicator.registry.key | Hive-relative path of keys. | keyword |
-| threat.indicator.registry.path | Full path, including hive, key and value | keyword |
-| threat.indicator.registry.value | Name of the value written. | keyword |
| threat.indicator.type | Type of indicator as represented by Cyber Observable in STIX 2.1 or OpenCTI | keyword |
-| threat.indicator.url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword |
-| threat.indicator.url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword |
-| threat.indicator.url.fragment | Portion of the url after the `#`, such as "top". The `#` is not part of the fragment.
| keyword | -| threat.indicator.url.full | If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. | wildcard | -| threat.indicator.url.full.text | Multi-field of `threat.indicator.url.full`. | match_only_text | -| threat.indicator.url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | -| threat.indicator.url.original.text | Multi-field of `threat.indicator.url.original`. | match_only_text | -| threat.indicator.url.password | Password of the request. | keyword | -| threat.indicator.url.path | Path of the request, such as "/search". | wildcard | -| threat.indicator.url.port | Port of the request, such as 443. | long | -| threat.indicator.url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword | -| threat.indicator.url.registered_domain | The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| threat.indicator.url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. 
| keyword | -| threat.indicator.url.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | -| threat.indicator.url.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| threat.indicator.url.username | Username of the request. | keyword | -| threat.indicator.x509.alternative_names | List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. | keyword | -| threat.indicator.x509.issuer.common_name | List of common name (CN) of issuing certificate authority. | keyword | -| threat.indicator.x509.not_after | Time at which the certificate is no longer considered valid. | date | -| threat.indicator.x509.not_before | Time at which the certificate is first considered valid. | date | -| threat.indicator.x509.public_key_algorithm | Algorithm used to generate the public key. | keyword | -| threat.indicator.x509.public_key_exponent | Exponent used to derive the public key. This is algorithm specific. 
| long | -| threat.indicator.x509.serial_number | Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. | keyword | -| threat.indicator.x509.signature_algorithm | Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. | keyword | -| threat.indicator.x509.subject.common_name | List of common names (CN) of subject. | keyword | -| threat.indicator.x509.version_number | Version of x509 format. | keyword | diff --git a/packages/ti_opencti/manifest.yml b/packages/ti_opencti/manifest.yml index cd743ee76bf..58d590fa9fd 100644 --- a/packages/ti_opencti/manifest.yml +++ b/packages/ti_opencti/manifest.yml @@ -1,7 +1,7 @@ format_version: "3.0.2" name: ti_opencti title: OpenCTI -version: "2.2.0" +version: "2.3.0" description: "Ingest threat intelligence indicators from OpenCTI with Elastic Agent." type: integration source: @@ -11,7 +11,7 @@ categories: - threat_intel conditions: kibana: - version: "^8.12.0" + version: "^8.13.0" screenshots: - src: /img/screenshot1.png title: "Dashboard: OpenCTI Overview" diff --git a/packages/ti_otx/changelog.yml b/packages/ti_otx/changelog.yml index f9f9c620b70..1355341f819 100644 --- a/packages/ti_otx/changelog.yml +++ b/packages/ti_otx/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.25.0" + changes: + - description: Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template. + type: enhancement + link: https://github.com/elastic/integrations/pull/10135 - version: "1.24.1" changes: - description: Fix type-mapping inconsistency for `otx.id` field. 
diff --git a/packages/ti_otx/data_stream/pulses_subscribed/fields/agent.yml b/packages/ti_otx/data_stream/pulses_subscribed/fields/agent.yml deleted file mode 100644 index 8cf2742f52d..00000000000 --- a/packages/ti_otx/data_stream/pulses_subscribed/fields/agent.yml +++ /dev/null @@ -1,50 +0,0 @@ -- name: cloud.account.id - external: ecs -- name: cloud.availability_zone - external: ecs -- name: cloud.instance.id - external: ecs -- name: cloud.instance.name - external: ecs -- name: cloud.machine.type - external: ecs -- name: cloud.provider - external: ecs -- name: cloud.region - external: ecs -- name: cloud.project.id - external: ecs -- name: container.id - external: ecs -- name: container.image.name - external: ecs -- name: container.labels - external: ecs -- name: container.name - external: ecs -- name: host.architecture - external: ecs -- name: host.domain - external: ecs -- name: host.hostname - external: ecs -- name: host.id - external: ecs -- name: host.ip - external: ecs -- name: host.mac - external: ecs -- name: host.name - external: ecs -- name: host.os.family - external: ecs -- name: host.os.kernel - external: ecs -- name: host.os.name - external: ecs -- name: host.os.platform - external: ecs -- name: host.os.version - external: ecs -- name: host.type - external: ecs diff --git a/packages/ti_otx/data_stream/pulses_subscribed/fields/beats.yml b/packages/ti_otx/data_stream/pulses_subscribed/fields/beats.yml index cb44bb29442..96190255552 100644 --- a/packages/ti_otx/data_stream/pulses_subscribed/fields/beats.yml +++ b/packages/ti_otx/data_stream/pulses_subscribed/fields/beats.yml @@ -7,6 +7,3 @@ - name: log.offset type: long description: Offset of the entry in the log file. -- name: log.file.path - type: keyword - description: Path to the log file. diff --git a/packages/ti_otx/data_stream/pulses_subscribed/fields/ecs.yml b/packages/ti_otx/data_stream/pulses_subscribed/fields/ecs.yml index 97db980d239..34fc117cd80 100644 
--- a/packages/ti_otx/data_stream/pulses_subscribed/fields/ecs.yml +++ b/packages/ti_otx/data_stream/pulses_subscribed/fields/ecs.yml @@ -1,61 +1,3 @@ -- external: ecs - name: ecs.version -- external: ecs - name: message -- external: ecs - name: error.message -- external: ecs - name: tags -- external: ecs - name: related.hash -- external: ecs - name: event.ingested -- external: ecs - name: event.kind -- external: ecs - name: event.created -- external: ecs - name: event.category -- external: ecs - name: event.type -- external: ecs - name: event.original -- external: ecs - name: threat.indicator.type -- external: ecs - name: threat.indicator.email.address -- external: ecs - name: threat.indicator.ip -- external: ecs - name: threat.indicator.url.domain -- external: ecs - name: threat.indicator.url.full -- external: ecs - name: threat.indicator.url.extension -- external: ecs - name: threat.indicator.url.original -- external: ecs - name: threat.indicator.url.path -- external: ecs - name: threat.indicator.url.port -- external: ecs - name: threat.indicator.url.scheme -- external: ecs - name: threat.indicator.url.query -- external: ecs - name: threat.indicator.file.type -- external: ecs - name: threat.indicator.file.hash.md5 -- external: ecs - name: threat.indicator.file.hash.sha1 -- external: ecs - name: threat.indicator.file.hash.sha256 -- external: ecs - name: threat.indicator.file.pe.imphash - name: threat.indicator.file.hash.pehash type: keyword description: "The file's pehash, if available." -- external: ecs - name: threat.indicator.provider -- external: ecs - name: labels diff --git a/packages/ti_otx/data_stream/threat/fields/agent.yml b/packages/ti_otx/data_stream/threat/fields/agent.yml index da4e652c53b..2bc58530bac 100644 --- a/packages/ti_otx/data_stream/threat/fields/agent.yml +++ b/packages/ti_otx/data_stream/threat/fields/agent.yml 
@@ -5,180 +5,15 @@ footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' type: group fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - name: image.id type: keyword description: Image ID for the cloud instance. -- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. 
- - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. - name: host title: Host group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' type: group fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. 
- - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - name: containerized type: boolean description: > diff --git a/packages/ti_otx/data_stream/threat/fields/beats.yml b/packages/ti_otx/data_stream/threat/fields/beats.yml index cb44bb29442..96190255552 100644 --- a/packages/ti_otx/data_stream/threat/fields/beats.yml 
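Review bot: Deleting the explicit `type: ip` definition of `host.ip` (together with the other ECS declarations in this hunk) makes its mapping depend entirely on the `ecs@mappings` component template, which only exists on stack 8.13 and later; on an older stack the field would be dynamically mapped as a string and IP-based detection queries against it would silently match nothing. The ti_otx changelog hunk says the Kibana constraint was raised to ^8.13.0, but that `manifest.yml` hunk is not in this part of the patch, so please confirm it ships in the same commit; the same dependency applies to the removals in `pulses_subscribed/fields/agent.yml` and in both `fields/ecs.yml` files (`threat.indicator.ip`, `related.ip`). Since `cloud.image.id` and `host.containerized` are kept as the only remaining definitions, presumably because the template does not provide them, a one-line comment above each retained group would keep the next maintainer from re-adding ECS fields here: `# ECS fields are mapped by the ecs@mappings component template (stack 8.13+); declare only non-ECS fields in this file.` The `cloud` group header precedes the hunk (it opens at the `footnote:` context line) and the `containerized` description continues past its last line.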
+++ b/packages/ti_otx/data_stream/threat/fields/beats.yml @@ -7,6 +7,3 @@ - name: log.offset type: long description: Offset of the entry in the log file. -- name: log.file.path - type: keyword - description: Path to the log file. diff --git a/packages/ti_otx/data_stream/threat/fields/ecs.yml b/packages/ti_otx/data_stream/threat/fields/ecs.yml index df4f0c7661d..34fc117cd80 100644 --- a/packages/ti_otx/data_stream/threat/fields/ecs.yml +++ b/packages/ti_otx/data_stream/threat/fields/ecs.yml @@ -1,61 +1,3 @@ -- external: ecs - name: ecs.version -- external: ecs - name: message -- external: ecs - name: error.message -- external: ecs - name: tags -- external: ecs - name: related.hash -- external: ecs - name: related.ip -- external: ecs - name: event.ingested -- external: ecs - name: event.kind -- external: ecs - name: event.created -- external: ecs - name: event.category -- external: ecs - name: event.type -- external: ecs - name: event.original -- external: ecs - name: threat.indicator.type -- external: ecs - name: threat.indicator.email.address -- external: ecs - name: threat.indicator.ip -- external: ecs - name: threat.indicator.url.domain -- external: ecs - name: threat.indicator.url.full -- external: ecs - name: threat.indicator.url.extension -- external: ecs - name: threat.indicator.url.original -- external: ecs - name: threat.indicator.url.path -- external: ecs - name: threat.indicator.url.port -- external: ecs - name: threat.indicator.url.scheme -- external: ecs - name: threat.indicator.url.query -- external: ecs - name: threat.indicator.file.type -- external: ecs - name: threat.indicator.file.hash.md5 -- external: ecs - name: threat.indicator.file.hash.sha1 -- external: ecs - name: threat.indicator.file.hash.sha256 -- external: ecs - name: threat.indicator.file.pe.imphash - name: threat.indicator.file.hash.pehash type: keyword description: "The file's pehash, if available." -- external: ecs - name: threat.indicator.provider 
diff --git a/packages/ti_otx/docs/README.md b/packages/ti_otx/docs/README.md index d4989dc3553..31ce471790a 100644 --- a/packages/ti_otx/docs/README.md +++ b/packages/ti_otx/docs/README.md 
@@ -17,85 +17,27 @@ Retrieves all the related indicators over time, related to your pulse subscripti | Field | Description | Type | |---|---|---| | @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | | cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | | data_stream.dataset | Data stream dataset name. | constant_keyword | | data_stream.namespace | Data stream namespace. | constant_keyword | | data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.message | Error message. | match_only_text | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. 
For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date | | event.dataset | Event dataset | constant_keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. 
They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword | | event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| host.architecture | Operating system architecture. | keyword | | host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. 
It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | host.os.build | OS build information. | keyword | | host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | input.type | Type of Filebeat input. | keyword | -| log.file.path | Path to the log file. | keyword | | log.flags | Flags for the log file. | keyword | | log.offset | Offset of the entry in the log file. | long | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | | otx.content | Extra text or descriptive content related to the indicator. | keyword | | otx.description | A description of the indicator. | keyword | | otx.id | The ID of the indicator. | keyword | | otx.indicator | The value of the indicator, for example if the type is domain, this would be the value. | keyword | | otx.title | Title describing the indicator. | keyword | | otx.type | The indicator type, can for example be "domain, email, FileHash-SHA256". 
| keyword | -| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| tags | List of keywords used to tag each event. | keyword | | threat.feed.dashboard_id | Dashboard ID used for Kibana CTI UI | constant_keyword | | threat.feed.name | Display friendly feed name | constant_keyword | -| threat.indicator.email.address | Identifies a threat indicator as an email address (irrespective of direction). | keyword | -| threat.indicator.file.hash.md5 | MD5 hash. | keyword | | threat.indicator.file.hash.pehash | The file's pehash, if available. | keyword | -| threat.indicator.file.hash.sha1 | SHA1 hash. | keyword | -| threat.indicator.file.hash.sha256 | SHA256 hash. | keyword | -| threat.indicator.file.pe.imphash | A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. | keyword | -| threat.indicator.file.type | File type (file, dir, or symlink). | keyword | -| threat.indicator.ip | Identifies a threat indicator as an IP address (irrespective of direction). | ip | -| threat.indicator.provider | The name of the indicator's provider. | keyword | -| threat.indicator.type | Type of indicator as represented by Cyber Observable in STIX 2.0. | keyword | -| threat.indicator.url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. 
If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | -| threat.indicator.url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | -| threat.indicator.url.full | If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. | wildcard | -| threat.indicator.url.full.text | Multi-field of `threat.indicator.url.full`. | match_only_text | -| threat.indicator.url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | -| threat.indicator.url.original.text | Multi-field of `threat.indicator.url.original`. | match_only_text | -| threat.indicator.url.path | Path of the request, such as "/search". | wildcard | -| threat.indicator.url.port | Port of the request, such as 443. | long | -| threat.indicator.url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword | -| threat.indicator.url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. 
| keyword | An example event for `threat` looks as following: 
@@ -181,52 +123,15 @@ The following subscriptions are included by this API: | Field | Description | Type | |---|---|---| | @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host, resource, or service is located. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | | data_stream.dataset | Data stream dataset name. | constant_keyword | | data_stream.namespace | Data stream namespace. | constant_keyword | | data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.message | Error message. | match_only_text | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. 
For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date | | event.dataset | Event dataset | constant_keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. 
They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword | | event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. 
Successive octets are separated by a hyphen. | keyword | -| host.name | Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name (FQDN), or a name specified by the user. The recommended value is the lowercase FQDN of the host. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | match_only_text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | input.type | Type of Filebeat input. | keyword | -| labels | Custom key/value pairs. Can be used to add meta information to events. Should not contain nested objects. All values are stored as keyword. Example: `docker` and `k8s` labels. | object | | labels.is_ioc_transform_source | Field indicating if its the transform source for supporting IOC expiration. This field is dropped from destination indices to facilitate easier filtering of indicators. | constant_keyword | -| log.file.path | Path to the log file. | keyword | | log.flags | Flags for the log file. | keyword | | log.offset | Offset of the entry in the log file. | long | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. 
| match_only_text | | otx.content | | keyword | | otx.count | | integer | | otx.created | | date | 
@@ -258,30 +163,9 @@ The following subscriptions are included by this API: | otx.t2 | | double | | otx.t3 | | double | | otx.title | | keyword | -| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | -| tags | List of keywords used to tag each event. | keyword | | threat.feed.dashboard_id | Dashboard ID used for Kibana CTI UI | constant_keyword | | threat.feed.name | Display friendly feed name | constant_keyword | -| threat.indicator.email.address | Identifies a threat indicator as an email address (irrespective of direction). | keyword | -| threat.indicator.file.hash.md5 | MD5 hash. | keyword | | threat.indicator.file.hash.pehash | The file's pehash, if available. | keyword | -| threat.indicator.file.hash.sha1 | SHA1 hash. | keyword | -| threat.indicator.file.hash.sha256 | SHA256 hash. | keyword | -| threat.indicator.file.pe.imphash | A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. | keyword | -| threat.indicator.file.type | File type (file, dir, or symlink). | keyword | -| threat.indicator.ip | Identifies a threat indicator as an IP address (irrespective of direction). | ip | -| threat.indicator.provider | The name of the indicator's provider. | keyword | -| threat.indicator.type | Type of indicator as represented by Cyber Observable in STIX 2.0. | keyword | -| threat.indicator.url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. 
If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | -| threat.indicator.url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | -| threat.indicator.url.full | If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. | wildcard | -| threat.indicator.url.full.text | Multi-field of `threat.indicator.url.full`. | match_only_text | -| threat.indicator.url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | -| threat.indicator.url.original.text | Multi-field of `threat.indicator.url.original`. | match_only_text | -| threat.indicator.url.path | Path of the request, such as "/search". | wildcard | -| threat.indicator.url.port | Port of the request, such as 443. | long | -| threat.indicator.url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword | -| threat.indicator.url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. 
| keyword | An example event for `pulses_subscribed` looks as following: diff --git a/packages/ti_otx/manifest.yml b/packages/ti_otx/manifest.yml index 1364cc0a303..29fca1f2893 100644 --- a/packages/ti_otx/manifest.yml +++ b/packages/ti_otx/manifest.yml @@ -1,13 +1,13 @@ name: ti_otx title: AlienVault OTX -version: "1.24.1" +version: "1.25.0" description: Ingest threat intelligence indicators from AlienVault Open Threat Exchange (OTX) with Elastic Agent. type: integration format_version: "3.0.2" categories: ["security", "threat_intel"] conditions: kibana: - version: ^8.12.0 + version: "^8.13.0" icons: - src: /img/otx.svg title: Alienvault OTX diff --git a/packages/ti_rapid7_threat_command/changelog.yml b/packages/ti_rapid7_threat_command/changelog.yml index 96ab632f5e6..b1620a43bf1 100644 --- a/packages/ti_rapid7_threat_command/changelog.yml +++ b/packages/ti_rapid7_threat_command/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.17.0" + changes: + - description: Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template. + type: enhancement + link: https://github.com/elastic/integrations/pull/10135 - version: "1.16.0" changes: - description: Improve handling of empty responses. diff --git a/packages/ti_rapid7_threat_command/data_stream/alert/fields/agent.yml b/packages/ti_rapid7_threat_command/data_stream/alert/fields/agent.yml index 1d37c906754..c51a2a4a1f8 100644 --- a/packages/ti_rapid7_threat_command/data_stream/alert/fields/agent.yml +++ b/packages/ti_rapid7_threat_command/data_stream/alert/fields/agent.yml 
@@ -5,162 +5,15 @@ footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' type: group fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization ID used to identify different entities in a multi-tenant environment. Examples: AWS account ID, Google Cloud ORG ID, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - name: image.id type: keyword description: Image ID for the cloud instance. -- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. 
These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container ID. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. - name: host title: Host group: 2 description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' type: group fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host ID. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host IP addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. 
- - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - name: containerized type: boolean description: If the host is a container. diff --git a/packages/ti_rapid7_threat_command/data_stream/alert/fields/ecs.yml b/packages/ti_rapid7_threat_command/data_stream/alert/fields/ecs.yml deleted file mode 100644 index 96396a61731..00000000000 --- a/packages/ti_rapid7_threat_command/data_stream/alert/fields/ecs.yml +++ /dev/null 
@@ -1,20 +0,0 @@ -- external: ecs - name: ecs.version -- external: ecs - name: error.message -- external: ecs - name: event.created -- external: ecs - name: event.dataset -- external: ecs - name: event.id -- external: ecs - name: event.kind -- external: ecs - name: event.module -- external: ecs - name: event.original -- external: ecs - name: event.reference -- external: ecs - name: tags diff --git a/packages/ti_rapid7_threat_command/data_stream/ioc/fields/agent.yml b/packages/ti_rapid7_threat_command/data_stream/ioc/fields/agent.yml index 1d37c906754..c51a2a4a1f8 100644 --- a/packages/ti_rapid7_threat_command/data_stream/ioc/fields/agent.yml +++ b/packages/ti_rapid7_threat_command/data_stream/ioc/fields/agent.yml 
@@ -5,162 +5,15 @@ footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' type: group fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization ID used to identify different entities in a multi-tenant environment. Examples: AWS account ID, Google Cloud ORG ID, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - name: image.id type: keyword description: Image ID for the cloud instance. -- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. 
These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container ID. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. - name: host title: Host group: 2 description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' type: group fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host ID. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host IP addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. 
- - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - name: containerized type: boolean description: If the host is a container. diff --git a/packages/ti_rapid7_threat_command/data_stream/ioc/fields/ecs.yml b/packages/ti_rapid7_threat_command/data_stream/ioc/fields/ecs.yml deleted file mode 100644 index efc88cc833d..00000000000 --- a/packages/ti_rapid7_threat_command/data_stream/ioc/fields/ecs.yml +++ /dev/null 
@@ -1,103 +0,0 @@ -- external: ecs - name: ecs.version -- external: ecs - name: error.message -- external: ecs - name: event.category -- external: ecs - name: event.created -- external: ecs - name: event.dataset -- external: ecs - name: event.kind -- external: ecs - name: event.module -- external: ecs - name: event.original -- external: ecs - name: event.risk_score -- external: ecs - name: event.type -- external: ecs - name: related.hash -- external: ecs - name: related.ip -- external: ecs - name: tags -- external: ecs - name: threat.indicator.as.number -- external: ecs - name: threat.indicator.as.organization.name -- external: ecs - name: threat.indicator.confidence -- external: ecs - name: threat.indicator.description -- external: ecs - name: threat.indicator.email.address -- external: ecs - name: threat.indicator.file.hash.md5 -- external: ecs - name: threat.indicator.file.hash.sha1 -- external: ecs - name: threat.indicator.file.hash.sha256 -- external: ecs - name: threat.indicator.file.hash.sha384 -- external: ecs - name: threat.indicator.file.hash.sha512 -- external: ecs - name: threat.indicator.first_seen -- external: ecs - name: threat.indicator.geo.city_name -- external: ecs - name: threat.indicator.geo.continent_name -- external: ecs - name: threat.indicator.geo.country_iso_code -- external: ecs - name: threat.indicator.geo.country_name -- external: ecs - name: threat.indicator.geo.location -- external: ecs - name: threat.indicator.geo.region_iso_code -- external: ecs - name: threat.indicator.geo.region_name -- external: ecs - name: threat.indicator.ip -- external: ecs - name: threat.indicator.last_seen -- external: ecs - name: threat.indicator.modified_at -- external: ecs - name: threat.indicator.provider -- external: ecs - name: threat.indicator.type -- external: ecs - name: threat.indicator.url.domain -- external: ecs - name: threat.indicator.url.extension -- external: ecs - name: threat.indicator.url.fragment -- external: ecs - name: 
threat.indicator.url.full - ignore_above: 4096 -- external: ecs - name: threat.indicator.url.original - ignore_above: 4096 -- external: ecs - name: threat.indicator.url.password -- external: ecs - name: threat.indicator.url.path -- external: ecs - name: threat.indicator.url.port -- external: ecs - name: threat.indicator.url.query - ignore_above: 4096 -- external: ecs - name: threat.indicator.url.registered_domain -- external: ecs - name: threat.indicator.url.scheme -- external: ecs - name: threat.indicator.url.subdomain -- external: ecs - name: threat.indicator.url.top_level_domain -- external: ecs - name: threat.indicator.url.username diff --git a/packages/ti_rapid7_threat_command/data_stream/vulnerability/fields/agent.yml b/packages/ti_rapid7_threat_command/data_stream/vulnerability/fields/agent.yml index 1d37c906754..c51a2a4a1f8 100644 --- a/packages/ti_rapid7_threat_command/data_stream/vulnerability/fields/agent.yml +++ b/packages/ti_rapid7_threat_command/data_stream/vulnerability/fields/agent.yml 
@@ -5,162 +5,15 @@ footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' type: group fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization ID used to identify different entities in a multi-tenant environment. Examples: AWS account ID, Google Cloud ORG ID, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - name: image.id type: keyword description: Image ID for the cloud instance. -- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. 
These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container ID. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. - name: host title: Host group: 2 description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' type: group fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host ID. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host IP addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. 
- - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - name: containerized type: boolean description: If the host is a container. diff --git a/packages/ti_rapid7_threat_command/data_stream/vulnerability/fields/ecs.yml b/packages/ti_rapid7_threat_command/data_stream/vulnerability/fields/ecs.yml deleted file mode 100644 index e49c52a3ade..00000000000 --- a/packages/ti_rapid7_threat_command/data_stream/vulnerability/fields/ecs.yml +++ /dev/null 
@@ -1,32 +0,0 @@
-- external: ecs
- name: ecs.version
-- external: ecs
- name: error.message
-- external: ecs
- name: event.category
-- external: ecs
- name: event.created
-- external: ecs
- name: event.dataset
-- external: ecs
- name: event.kind
-- external: ecs
- name: event.module
-- external: ecs
- name: event.type
-- external: ecs
- name: vulnerability.classification
-- external: ecs
- name: vulnerability.enumeration
-- external: ecs
- name: vulnerability.id
-- external: ecs
- name: vulnerability.reference
-- external: ecs
- name: vulnerability.scanner.vendor
-- external: ecs
- name: vulnerability.score.base
-- external: ecs
- name: vulnerability.severity
-- external: ecs
- name: tags
diff --git a/packages/ti_rapid7_threat_command/data_stream/vulnerability/fields/overridden-ecs.yml b/packages/ti_rapid7_threat_command/data_stream/vulnerability/fields/overridden-ecs.yml
deleted file mode 100644
index 230ed31e27c..00000000000
--- a/packages/ti_rapid7_threat_command/data_stream/vulnerability/fields/overridden-ecs.yml
+++ /dev/null
@@ -1,4 +0,0 @@
-- name: event.original
- type: keyword
- ignore_above: 8191
- description: Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`.
diff --git a/packages/ti_rapid7_threat_command/docs/README.md b/packages/ti_rapid7_threat_command/docs/README.md
index fb137e15eeb..576bccbef67 100644
--- a/packages/ti_rapid7_threat_command/docs/README.md
+++ b/packages/ti_rapid7_threat_command/docs/README.md
@@ -334,49 +334,13 @@ An example event for `ioc` looks as following: | Field | Description | Type | |---|---|---| | @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization ID used to identify different entities in a multi-tenant environment. Examples: AWS account ID, Google Cloud ORG ID, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | | cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container ID. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | | data_stream.dataset | Data stream dataset. | constant_keyword | | data_stream.namespace | Data stream namespace. | constant_keyword | | data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.message | Error message. | match_only_text | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. 
For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date | -| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword | -| event.module | Name of the module this data is coming from. 
If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. | keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.risk_score | Risk score or priority of the event (e.g. security solutions). Use your system's original value here. | float | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| host.architecture | Operating system architecture. | keyword | | host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host ID. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host IP addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. 
It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | host.os.build | OS build information. | keyword | | host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | input.type | Input type | keyword | | log.offset | Log offset | long | | rapid7.tc.ioc.first_seen | IOC first seen date in Unix Millisecond Timestamp. | date | 
@@ -397,49 +361,6 @@ An example event for `ioc` looks as following: | rapid7.tc.ioc.type | IOC type. | keyword | | rapid7.tc.ioc.value | IOC value. | keyword | | rapid7.tc.ioc.whitelisted | An indicator which states if the IOC was checked and found as whitelisted or not. | keyword | -| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| tags | List of keywords used to tag each event. | keyword | -| threat.indicator.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| threat.indicator.as.organization.name | Organization name. | keyword | -| threat.indicator.as.organization.name.text | Multi-field of `threat.indicator.as.organization.name`. | match_only_text | -| threat.indicator.confidence | Identifies the vendor-neutral confidence rating using the None/Low/Medium/High scale defined in Appendix A of the STIX 2.1 framework. Vendor-specific confidence scales may be added as custom fields. | keyword | -| threat.indicator.description | Describes the type of action conducted by the threat. | keyword | -| threat.indicator.email.address | Identifies a threat indicator as an email address (irrespective of direction). | keyword | -| threat.indicator.file.hash.md5 | MD5 hash. | keyword | -| threat.indicator.file.hash.sha1 | SHA1 hash. | keyword | -| threat.indicator.file.hash.sha256 | SHA256 hash. | keyword | -| threat.indicator.file.hash.sha384 | SHA384 hash. | keyword | -| threat.indicator.file.hash.sha512 | SHA512 hash. | keyword | -| threat.indicator.first_seen | The date and time when intelligence source first reported sighting this indicator. | date | -| threat.indicator.geo.city_name | City name. 
| keyword | -| threat.indicator.geo.continent_name | Name of the continent. | keyword | -| threat.indicator.geo.country_iso_code | Country ISO code. | keyword | -| threat.indicator.geo.country_name | Country name. | keyword | -| threat.indicator.geo.location | Longitude and latitude. | geo_point | -| threat.indicator.geo.region_iso_code | Region ISO code. | keyword | -| threat.indicator.geo.region_name | Region name. | keyword | -| threat.indicator.ip | Identifies a threat indicator as an IP address (irrespective of direction). | ip | -| threat.indicator.last_seen | The date and time when intelligence source last reported sighting this indicator. | date | -| threat.indicator.modified_at | The date and time when intelligence source last modified information for this indicator. | date | -| threat.indicator.provider | The name of the indicator's provider. | keyword | -| threat.indicator.type | Type of indicator as represented by Cyber Observable in STIX 2.0. | keyword | -| threat.indicator.url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | -| threat.indicator.url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | -| threat.indicator.url.fragment | Portion of the url after the `#`, such as "top". The `#` is not part of the fragment. 
| keyword | -| threat.indicator.url.full | If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. | wildcard | -| threat.indicator.url.full.text | Multi-field of `threat.indicator.url.full`. | match_only_text | -| threat.indicator.url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | -| threat.indicator.url.original.text | Multi-field of `threat.indicator.url.original`. | match_only_text | -| threat.indicator.url.password | Password of the request. | keyword | -| threat.indicator.url.path | Path of the request, such as "/search". | wildcard | -| threat.indicator.url.port | Port of the request, such as 443. | long | -| threat.indicator.url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword | -| threat.indicator.url.registered_domain | The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| threat.indicator.url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. 
| keyword | -| threat.indicator.url.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | -| threat.indicator.url.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| threat.indicator.url.username | Username of the request. | keyword | ### Alert 
@@ -548,48 +469,13 @@ An example event for `alert` looks as following: | Field | Description | Type | |---|---|---| | @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization ID used to identify different entities in a multi-tenant environment. Examples: AWS account ID, Google Cloud ORG ID, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | | cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container ID. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | | data_stream.dataset | Data stream dataset. | constant_keyword | | data_stream.namespace | Data stream namespace. | constant_keyword | | data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.message | Error message. | match_only_text | -| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. 
This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date | -| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword | -| event.id | Unique ID to describe the event. | keyword | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword | -| event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. | keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. 
This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.reference | Reference URL linking to additional information about this event. This URL links to a static definition of this event. Alert events, indicated by `event.kind:alert`, are a common use case for this field. | keyword | -| host.architecture | Operating system architecture. | keyword | | host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host ID. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host IP addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | host.os.build | OS build information. | keyword | | host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). 
| keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | input.type | Input type | keyword | | log.offset | Log offset | long | | rapid7.tc.alert.assets.type | Type of an asset. | keyword | @@ -618,7 +504,6 @@ An example event for `alert` looks as following: | rapid7.tc.alert.related_threat_ids | List of related threat IDs. | keyword | | rapid7.tc.alert.takedown_status | Alert remediation status. | keyword | | rapid7.tc.alert.update_date | Last update date of an alert in Unix Millisecond Timestamp. | date | -| tags | List of keywords used to tag each event. | keyword | ### Vulnerability 
@@ -760,48 +645,13 @@ An example event for `vulnerability` looks as following: | Field | Description | Type | |---|---|---| | @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization ID used to identify different entities in a multi-tenant environment. Examples: AWS account ID, Google Cloud ORG ID, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | | cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container ID. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | | data_stream.dataset | Data stream dataset. | constant_keyword | | data_stream.namespace | Data stream namespace. | constant_keyword | | data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.message | Error message. | match_only_text | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. 
For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date | -| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword | -| event.module | Name of the module this data is coming from. 
If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. | keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| host.architecture | Operating system architecture. | keyword | | host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host ID. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host IP addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. 
The sender decides which value to use. | keyword | | host.os.build | OS build information. | keyword | | host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | input.type | Input type | keyword | | log.offset | Log offset | long | | rapid7.tc.vulnerability.cpe.range.version.end.excluding | The CPE version end range. | version | 
@@ -833,12 +683,4 @@ An example event for `vulnerability` looks as following:
| rapid7.tc.vulnerability.related.threat_actors | List of related threat actors. | keyword |
| rapid7.tc.vulnerability.severity | CVE severity. Allowed values: 'Critical', 'High', 'Medium', 'Low'. | keyword |
| rapid7.tc.vulnerability.update_date | CVE's update date in ISO 8601 format. | date |
-| tags | List of keywords used to tag each event. | keyword |
-| vulnerability.classification | The classification of the vulnerability scoring system. For example (https://www.first.org/cvss/) | keyword |
-| vulnerability.enumeration | The type of identifier used for this vulnerability. For example (https://cve.mitre.org/about/) | keyword |
-| vulnerability.id | The identification (ID) is the number portion of a vulnerability entry. It includes a unique identification number for the vulnerability. For example (https://cve.mitre.org/about/faqs.html#what_is_cve_id)[Common Vulnerabilities and Exposure CVE ID] | keyword |
-| vulnerability.reference | A resource that provides additional information, context, and mitigations for the identified vulnerability. | keyword |
-| vulnerability.scanner.vendor | The name of the vulnerability scanner vendor. | keyword |
-| vulnerability.score.base | Scores can range from 0.0 to 10.0, with 10.0 being the most severe. Base scores cover an assessment for exploitability metrics (attack vector, complexity, privileges, and user interaction), impact metrics (confidentiality, integrity, and availability), and scope. For example (https://www.first.org/cvss/specification-document) | float |
-| vulnerability.severity | The severity of the vulnerability can help with metrics and internal prioritization regarding remediation. For example (https://nvd.nist.gov/vuln-metrics/cvss) | keyword |
diff --git a/packages/ti_rapid7_threat_command/manifest.yml b/packages/ti_rapid7_threat_command/manifest.yml
index ed9246e1879..677c7b3dd73 100644
--- a/packages/ti_rapid7_threat_command/manifest.yml
+++ b/packages/ti_rapid7_threat_command/manifest.yml
@@ -2,13 +2,13 @@ format_version: 3.0.2
name: ti_rapid7_threat_command
title: Rapid7 Threat Command
# The version must be updated manually in the transform.yml files and transform APIs mentioned in README.
-version: "1.16.0"
+version: "1.17.0"
description: Collect threat intelligence from Threat Command API with Elastic Agent.
type: integration
categories: ["security", "threat_intel"]
conditions:
kibana:
- version: ^8.12.0
+ version: "^8.13.0"
elastic:
capabilities:
- security
diff --git a/packages/ti_recordedfuture/changelog.yml b/packages/ti_recordedfuture/changelog.yml
index 3b9e405597d..0758329930c 100644
--- a/packages/ti_recordedfuture/changelog.yml
+++ b/packages/ti_recordedfuture/changelog.yml
@@ -1,4 +1,9 @@
# newer versions go on top
+- version: "1.26.0"
+ changes:
+ - description: Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/10135
- version: "1.25.1"
changes:
- description: Adjust field mappings for transform destination index.
diff --git a/packages/ti_recordedfuture/data_stream/threat/fields/agent.yml b/packages/ti_recordedfuture/data_stream/threat/fields/agent.yml
index da4e652c53b..2bc58530bac 100644
--- a/packages/ti_recordedfuture/data_stream/threat/fields/agent.yml
+++ b/packages/ti_recordedfuture/data_stream/threat/fields/agent.yml
@@ -5,180 +5,15 @@
   footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
   type: group
   fields:
-    - name: account.id
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
-
-        Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
-      example: 666777888999
-    - name: availability_zone
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Availability zone in which this host is running.
-      example: us-east-1c
-    - name: instance.id
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Instance ID of the host machine.
-      example: i-1234567890abcdef0
-    - name: instance.name
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Instance name of the host machine.
-    - name: machine.type
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Machine type of the host machine.
-      example: t2.medium
-    - name: provider
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
-      example: aws
-    - name: region
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Region in which this host is running.
-      example: us-east-1
-    - name: project.id
-      type: keyword
-      description: Name of the project in Google Cloud.
     - name: image.id
       type: keyword
       description: Image ID for the cloud instance.
-- name: container
-  title: Container
-  group: 2
-  description: 'Container fields are used for meta information about the specific container that is the source of information.
-
-    These fields help correlate data based containers from any runtime.'
-  type: group
-  fields:
-    - name: id
-      level: core
-      type: keyword
-      ignore_above: 1024
-      description: Unique container id.
-    - name: image.name
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Name of the image the container was built on.
-    - name: labels
-      level: extended
-      type: object
-      object_type: keyword
-      description: Image labels.
-    - name: name
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Container name.
 - name: host
   title: Host
   group: 2
-  description: 'A host is defined as a general computing instance.
-
-    ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
+  description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
   type: group
   fields:
-    - name: architecture
-      level: core
-      type: keyword
-      ignore_above: 1024
-      description: Operating system architecture.
-      example: x86_64
-    - name: domain
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: 'Name of the domain of which the host is a member.
-
-        For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
-      example: CONTOSO
-      default_field: false
-    - name: hostname
-      level: core
-      type: keyword
-      ignore_above: 1024
-      description: 'Hostname of the host.
-
-        It normally contains what the `hostname` command returns on the host machine.'
-    - name: id
-      level: core
-      type: keyword
-      ignore_above: 1024
-      description: 'Unique host id.
-
-        As hostname is not always unique, use values that are meaningful in your environment.
-
-        Example: The current usage of `beat.name`.'
-    - name: ip
-      level: core
-      type: ip
-      description: Host ip addresses.
-    - name: mac
-      level: core
-      type: keyword
-      ignore_above: 1024
-      description: Host mac addresses.
-    - name: name
-      level: core
-      type: keyword
-      ignore_above: 1024
-      description: 'Name of the host.
-
-        It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
-    - name: os.family
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: OS family (such as redhat, debian, freebsd, windows).
-      example: debian
-    - name: os.kernel
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Operating system kernel version as a raw string.
-      example: 4.4.0-112-generic
-    - name: os.name
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      multi_fields:
-        - name: text
-          type: text
-          norms: false
-          default_field: false
-      description: Operating system name, without the version.
-      example: Mac OS X
-    - name: os.platform
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Operating system platform (such centos, ubuntu, windows).
-      example: darwin
-    - name: os.version
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Operating system version as a raw string.
-      example: 10.14.1
-    - name: type
-      level: core
-      type: keyword
-      ignore_above: 1024
-      description: 'Type of host.
-
-        For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
     - name: containerized
       type: boolean
       description: >
diff --git a/packages/ti_recordedfuture/data_stream/threat/fields/beats.yml b/packages/ti_recordedfuture/data_stream/threat/fields/beats.yml
index cb44bb29442..96190255552 100644
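Review bot: After this hunk the `cloud` and `host` groups keep only `image.id` and `containerized`, and nothing in the file records why the ECS siblings are gone — the dependency on the stack-provided ecs@mappings component template lives only in the manifest's `^8.13.0` constraint and the changelog, so a later edit could re-add the fields or relax the constraint without noticing the link. A one-line comment above each surviving group would make it explicit, e.g. `# ECS cloud.* / host.* fields are mapped by the ecs@mappings component template (kibana ^8.13.0); only non-ECS fields are declared here.` Since that template presumably maps these fields dynamically on first sight rather than up front, it is worth confirming that any detection rule or IOC-expiration transform filtering on `host.*` behaves as expected before such documents arrive. The identical ti_threatq agent.yml hunk further down has the same gap.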
--- a/packages/ti_recordedfuture/data_stream/threat/fields/beats.yml
+++ b/packages/ti_recordedfuture/data_stream/threat/fields/beats.yml
@@ -7,6 +7,3 @@
 - name: log.offset
   type: long
   description: Offset of the entry in the log file.
-- name: log.file.path
-  type: keyword
-  description: Path to the log file.
diff --git a/packages/ti_recordedfuture/data_stream/threat/fields/ecs.yml b/packages/ti_recordedfuture/data_stream/threat/fields/ecs.yml
deleted file mode 100644
index 96d2e39052c..00000000000
--- a/packages/ti_recordedfuture/data_stream/threat/fields/ecs.yml
+++ /dev/null
@@ -1,76 +0,0 @@
-- external: ecs
-  name: ecs.version
-- external: ecs
-  name: message
-- external: ecs
-  name: tags
-- external: ecs
-  name: error.message
-- external: ecs
-  name: event.severity
-- external: ecs
-  name: event.category
-- external: ecs
-  name: event.ingested
-- external: ecs
-  name: event.created
-- external: ecs
-  name: event.kind
-- external: ecs
-  name: event.type
-- external: ecs
-  name: event.original
-- external: ecs
-  name: threat.indicator.first_seen
-- external: ecs
-  name: threat.indicator.last_seen
-- external: ecs
-  name: threat.indicator.type
-- external: ecs
-  name: threat.indicator.ip
-- external: ecs
-  name: threat.indicator.url.domain
-- external: ecs
-  name: threat.indicator.url.full
-- external: ecs
-  name: threat.indicator.url.extension
-- external: ecs
-  name: threat.indicator.url.original
-- external: ecs
-  name: threat.indicator.url.path
-- external: ecs
-  name: threat.indicator.url.port
-- external: ecs
-  name: threat.indicator.url.scheme
-- external: ecs
-  name: threat.indicator.url.query
-- external: ecs
-  name: threat.indicator.file.hash.md5
-- external: ecs
-  name: threat.indicator.file.hash.sha1
-- external: ecs
-  name: threat.indicator.file.hash.sha256
-- external: ecs
-  name: threat.indicator.file.hash.sha512
-- external: ecs
-  name: threat.indicator.email.address
-- external: ecs
-  name: threat.indicator.provider
-- external: ecs
-  name: threat.indicator.marking.tlp
-- external: ecs
-  name: threat.indicator.confidence
-- external: ecs
-  name: threat.indicator.as.number
-- external: ecs
-  name: threat.indicator.as.organization.name
-- external: ecs
-  name: threat.indicator.geo.location
-- external: ecs
-  name: threat.indicator.geo.country_iso_code
-- external: ecs
-  name: threat.indicator.scanner_stats
-- external: ecs
-  name: threat.indicator.sightings
-- external: ecs
-  name: labels
diff --git a/packages/ti_recordedfuture/docs/README.md b/packages/ti_recordedfuture/docs/README.md
index 99864f15a25..d2b9b5769bb 100644
--- a/packages/ti_recordedfuture/docs/README.md
+++ b/packages/ti_recordedfuture/docs/README.md
@@ -135,57 +135,19 @@ An example event for `threat` looks as following:
 | Field | Description | Type |
 |---|---|---|
 | @timestamp | Event timestamp. | date |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
 | cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
 | data_stream.dataset | Data stream dataset name. | constant_keyword |
 | data_stream.namespace | Data stream namespace. | constant_keyword |
 | data_stream.type | Data stream type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| error.message | Error message. | match_only_text |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date |
 | event.dataset | Event dataset | constant_keyword |
-| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword |
 | event.module | Event module | constant_keyword |
-| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
-| event.severity | The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. | long |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| host.architecture | Operating system architecture. | keyword |
 | host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
 | host.os.build | OS build information. | keyword |
 | host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
 | input.type | Type of Filebeat input. | keyword |
-| labels | Custom key/value pairs. Can be used to add meta information to events. Should not contain nested objects. All values are stored as keyword. Example: `docker` and `k8s` labels. | object |
 | labels.is_ioc_transform_source | Field indicating if its the transform source for supporting IOC expiration. This field is dropped from destination indices to facilitate easier filtering of indicators. | constant_keyword |
-| log.file.path | Path to the log file. | keyword |
 | log.flags | Flags for the log file. | keyword |
 | log.offset | Offset of the entry in the log file. | long |
-| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text |
 | recordedfuture.evidence_details.criticality | | double |
 | recordedfuture.evidence_details.criticality_label | | keyword |
 | recordedfuture.evidence_details.evidence_string | | keyword |
@@ -199,35 +161,5 @@ An example event for `threat` looks as following:
 | recordedfuture.list | User-configured risklist. | keyword |
 | recordedfuture.name | Indicator value. | keyword |
 | recordedfuture.risk_string | Details of risk rules observed. | keyword |
-| tags | List of keywords used to tag each event. | keyword |
 | threat.feed.name | Display friendly feed name | constant_keyword |
-| threat.indicator.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| threat.indicator.as.organization.name | Organization name. | keyword |
-| threat.indicator.as.organization.name.text | Multi-field of `threat.indicator.as.organization.name`. | match_only_text |
-| threat.indicator.confidence | Identifies the vendor-neutral confidence rating using the None/Low/Medium/High scale defined in Appendix A of the STIX 2.1 framework. Vendor-specific confidence scales may be added as custom fields. | keyword |
-| threat.indicator.email.address | Identifies a threat indicator as an email address (irrespective of direction). | keyword |
-| threat.indicator.file.hash.md5 | MD5 hash. | keyword |
-| threat.indicator.file.hash.sha1 | SHA1 hash. | keyword |
-| threat.indicator.file.hash.sha256 | SHA256 hash. | keyword |
-| threat.indicator.file.hash.sha512 | SHA512 hash. | keyword |
-| threat.indicator.first_seen | The date and time when intelligence source first reported sighting this indicator. | date |
-| threat.indicator.geo.country_iso_code | Country ISO code. | keyword |
-| threat.indicator.geo.location | Longitude and latitude. | geo_point |
-| threat.indicator.ip | Identifies a threat indicator as an IP address (irrespective of direction). | ip |
-| threat.indicator.last_seen | The date and time when intelligence source last reported sighting this indicator. | date |
-| threat.indicator.marking.tlp | Traffic Light Protocol sharing markings. | keyword |
-| threat.indicator.provider | The name of the indicator's provider. | keyword |
-| threat.indicator.scanner_stats | Count of AV/EDR vendors that successfully detected malicious file or URL. | long |
-| threat.indicator.sightings | Number of times this indicator was observed conducting threat activity. | long |
-| threat.indicator.type | Type of indicator as represented by Cyber Observable in STIX 2.0. | keyword |
-| threat.indicator.url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword |
-| threat.indicator.url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword |
-| threat.indicator.url.full | If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. | wildcard |
-| threat.indicator.url.full.text | Multi-field of `threat.indicator.url.full`. | match_only_text |
-| threat.indicator.url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard |
-| threat.indicator.url.original.text | Multi-field of `threat.indicator.url.original`. | match_only_text |
-| threat.indicator.url.path | Path of the request, such as "/search". | wildcard |
-| threat.indicator.url.port | Port of the request, such as 443. | long |
-| threat.indicator.url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword |
-| threat.indicator.url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword |
diff --git a/packages/ti_recordedfuture/manifest.yml b/packages/ti_recordedfuture/manifest.yml
index 5b825c8e21b..1224f15c145 100644
--- a/packages/ti_recordedfuture/manifest.yml
+++ b/packages/ti_recordedfuture/manifest.yml
@@ -1,13 +1,13 @@
 name: ti_recordedfuture
 title: Recorded Future
-version: "1.25.1"
+version: "1.26.0"
 description: Ingest threat intelligence indicators from Recorded Future risk lists with Elastic Agent.
 type: integration
 format_version: 3.0.2
 categories: ["security", "threat_intel"]
 conditions:
   kibana:
-    version: ^8.12.0
+    version: "^8.13.0"
 screenshots:
   - src: /img/rf-overview.png
     title: "Dashboard: RecordedFuture Overview"
diff --git a/packages/ti_threatconnect/_dev/build/build.yml b/packages/ti_threatconnect/_dev/build/build.yml
index 71f48ba2a9c..2bfcfc223b0 100644
--- a/packages/ti_threatconnect/_dev/build/build.yml
+++ b/packages/ti_threatconnect/_dev/build/build.yml
@@ -1,4 +1,3 @@
 dependencies:
   ecs:
     reference: "git@v8.11.0"
-    import_mappings: true
diff --git a/packages/ti_threatconnect/changelog.yml b/packages/ti_threatconnect/changelog.yml
index 2ef77c2217b..928f5aaaac6 100644
--- a/packages/ti_threatconnect/changelog.yml
+++ b/packages/ti_threatconnect/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.1.0"
+  changes:
+    - description: Removed import_mappings. Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/10135
 - version: "1.0.1"
   changes:
     - description: Adjust field mappings for transform destination index.
diff --git a/packages/ti_threatconnect/data_stream/indicator/fields/beats.yml b/packages/ti_threatconnect/data_stream/indicator/fields/beats.yml
index b3701b581cf..4084f1dc7f5 100644
--- a/packages/ti_threatconnect/data_stream/indicator/fields/beats.yml
+++ b/packages/ti_threatconnect/data_stream/indicator/fields/beats.yml
@@ -4,6 +4,3 @@
 - name: log.offset
   type: long
   description: Log offset.
-- name: tags
-  type: keyword
-  description: User defined tags.
diff --git a/packages/ti_threatconnect/docs/README.md b/packages/ti_threatconnect/docs/README.md
index 7ea338c3054..427b014914d 100644
--- a/packages/ti_threatconnect/docs/README.md
+++ b/packages/ti_threatconnect/docs/README.md
@@ -349,7 +349,6 @@ An example event for `indicator` looks as following:
 | input.type | Type of filebeat input. | keyword |
 | labels.is_ioc_transform_source | Field indicating if its the transform source for supporting IOC expiration. This field is dropped from destination indices to facilitate easier filtering of indicators. | constant_keyword |
 | log.offset | Log offset. | long |
-| tags | User defined tags. | keyword |
 | threat.feed.name | Display friendly feed name. | constant_keyword |
 | threat_connect.indicator.active.locked | Indicates whether the active status is locked. | boolean |
 | threat_connect.indicator.active.value | Indicates whether the indicator is active. | boolean |
diff --git a/packages/ti_threatconnect/manifest.yml b/packages/ti_threatconnect/manifest.yml
index c75b0d27c93..3afb0a38772 100644
--- a/packages/ti_threatconnect/manifest.yml
+++ b/packages/ti_threatconnect/manifest.yml
@@ -2,7 +2,7 @@ format_version: 3.0.3
 name: ti_threatconnect
 title: ThreatConnect
-version: 1.0.1
+version: "1.1.0"
 description: Collects Indicators from ThreatConnect using the Elastic Agent and saves them as logs inside Elastic
 type: integration
 categories:
@@ -10,7 +10,7 @@ categories:
   - threat_intel
 conditions:
   kibana:
-    version: ^8.12.0
+    version: "^8.13.0"
   elastic:
     subscription: basic
 screenshots:
diff --git a/packages/ti_threatq/changelog.yml b/packages/ti_threatq/changelog.yml
index c0800ba0e11..c2553083e48 100644
--- a/packages/ti_threatq/changelog.yml
+++ b/packages/ti_threatq/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.28.0"
+  changes:
+    - description: Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/10135
 - version: "1.27.1"
   changes:
     - description: Adjust field mappings for transform destination index.
diff --git a/packages/ti_threatq/data_stream/threat/fields/agent.yml b/packages/ti_threatq/data_stream/threat/fields/agent.yml
index da4e652c53b..2bc58530bac 100644
--- a/packages/ti_threatq/data_stream/threat/fields/agent.yml
+++ b/packages/ti_threatq/data_stream/threat/fields/agent.yml
@@ -5,180 +5,15 @@
   footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
   type: group
   fields:
-    - name: account.id
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
-
-        Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
-      example: 666777888999
-    - name: availability_zone
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Availability zone in which this host is running.
-      example: us-east-1c
-    - name: instance.id
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Instance ID of the host machine.
-      example: i-1234567890abcdef0
-    - name: instance.name
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Instance name of the host machine.
-    - name: machine.type
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Machine type of the host machine.
-      example: t2.medium
-    - name: provider
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
-      example: aws
-    - name: region
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Region in which this host is running.
-      example: us-east-1
-    - name: project.id
-      type: keyword
-      description: Name of the project in Google Cloud.
     - name: image.id
       type: keyword
       description: Image ID for the cloud instance.
-- name: container
-  title: Container
-  group: 2
-  description: 'Container fields are used for meta information about the specific container that is the source of information.
-
-    These fields help correlate data based containers from any runtime.'
-  type: group
-  fields:
-    - name: id
-      level: core
-      type: keyword
-      ignore_above: 1024
-      description: Unique container id.
-    - name: image.name
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Name of the image the container was built on.
-    - name: labels
-      level: extended
-      type: object
-      object_type: keyword
-      description: Image labels.
-    - name: name
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Container name.
 - name: host
   title: Host
   group: 2
-  description: 'A host is defined as a general computing instance.
-
-    ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
+  description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
   type: group
   fields:
-    - name: architecture
-      level: core
-      type: keyword
-      ignore_above: 1024
-      description: Operating system architecture.
-      example: x86_64
-    - name: domain
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: 'Name of the domain of which the host is a member.
-
-        For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
-      example: CONTOSO
-      default_field: false
-    - name: hostname
-      level: core
-      type: keyword
-      ignore_above: 1024
-      description: 'Hostname of the host.
-
-        It normally contains what the `hostname` command returns on the host machine.'
-    - name: id
-      level: core
-      type: keyword
-      ignore_above: 1024
-      description: 'Unique host id.
-
-        As hostname is not always unique, use values that are meaningful in your environment.
-
-        Example: The current usage of `beat.name`.'
-    - name: ip
-      level: core
-      type: ip
-      description: Host ip addresses.
-    - name: mac
-      level: core
-      type: keyword
-      ignore_above: 1024
-      description: Host mac addresses.
-    - name: name
-      level: core
-      type: keyword
-      ignore_above: 1024
-      description: 'Name of the host.
-
-        It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
-    - name: os.family
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: OS family (such as redhat, debian, freebsd, windows).
-      example: debian
-    - name: os.kernel
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Operating system kernel version as a raw string.
-      example: 4.4.0-112-generic
-    - name: os.name
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      multi_fields:
-        - name: text
-          type: text
-          norms: false
-          default_field: false
-      description: Operating system name, without the version.
-      example: Mac OS X
-    - name: os.platform
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Operating system platform (such centos, ubuntu, windows).
-      example: darwin
-    - name: os.version
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Operating system version as a raw string.
-      example: 10.14.1
-    - name: type
-      level: core
-      type: keyword
-      ignore_above: 1024
-      description: 'Type of host.
-
-        For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
     - name: containerized
       type: boolean
       description: >
diff --git a/packages/ti_threatq/data_stream/threat/fields/beats.yml b/packages/ti_threatq/data_stream/threat/fields/beats.yml
index cb44bb29442..96190255552 100644
--- a/packages/ti_threatq/data_stream/threat/fields/beats.yml
+++ b/packages/ti_threatq/data_stream/threat/fields/beats.yml
@@ -7,6 +7,3 @@
 - name: log.offset
   type: long
   description: Offset of the entry in the log file.
-- name: log.file.path
-  type: keyword
-  description: Path to the log file.
diff --git a/packages/ti_threatq/data_stream/threat/fields/ecs.yml b/packages/ti_threatq/data_stream/threat/fields/ecs.yml
deleted file mode 100644
index 0c0abea1398..00000000000
--- a/packages/ti_threatq/data_stream/threat/fields/ecs.yml
+++ /dev/null
@@ -1,66 +0,0 @@
-- external: ecs
- name: ecs.version
-- external: ecs
- name: message
-- external: ecs
- name: tags
-- external: ecs
- name: error.message
-- external: ecs
- name: event.category
-- external: ecs
- name: event.ingested
-- external: ecs
- name: event.kind
-- external: ecs
- name: event.type
-- external: ecs
- name: event.created
-- external: ecs
- name: event.original
-- name: threat.feed.name
- type: keyword
-- external: ecs
- name: threat.indicator.first_seen
-- external: ecs
- name: threat.indicator.last_seen
-- external: ecs
- name: threat.indicator.type
-- external: ecs
- name: threat.indicator.description
-- external: ecs
- name: threat.indicator.confidence
-- external: ecs
- name: threat.indicator.ip
-- external: ecs
- name: threat.indicator.url.domain
-- external: ecs
- name: threat.indicator.url.full
-- external: ecs
- name: threat.indicator.url.extension
-- external: ecs
- name: threat.indicator.url.original
-- external: ecs
- name: threat.indicator.url.path
-- external: ecs
- name: threat.indicator.url.port
-- external: ecs
- name: threat.indicator.url.scheme
-- external: ecs
- name: threat.indicator.url.query
-- external: ecs
- name: threat.indicator.email.address
-- external: ecs
- name: threat.indicator.provider
-- external: ecs
- name: threat.indicator.file.hash.md5
-- external: ecs
- name: threat.indicator.file.hash.sha1
-- external: ecs
- name: threat.indicator.file.hash.sha256
-- external: ecs
- name: threat.indicator.file.hash.sha512
-- external: ecs
- name: threat.indicator.marking.tlp
-- external: ecs
- name: labels
diff --git a/packages/ti_threatq/docs/README.md b/packages/ti_threatq/docs/README.md
index 5579da67a88..f619f9c4e67 100644
--- a/packages/ti_threatq/docs/README.md
+++ b/packages/ti_threatq/docs/README.md
@@ -31,82 +31,20 @@ To facilitate IOC expiration, source datastream-backed indices `.ds-logs-ti_thre
| Field | Description | Type |
|---|---|---|
| @timestamp | Event timestamp. | date |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
| data_stream.dataset | Data stream dataset name. | constant_keyword |
| data_stream.namespace | Data stream namespace. | constant_keyword |
| data_stream.type | Data stream type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| error.message | Error message. | match_only_text |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date |
| event.dataset | Event dataset | constant_keyword |
-| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword |
| event.module | Event module | constant_keyword |
-| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| host.architecture | Operating system architecture. | keyword |
| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
| host.os.build | OS build information. | keyword |
| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
| input.type | Type of Filebeat input. | keyword |
-| labels | Custom key/value pairs. Can be used to add meta information to events. Should not contain nested objects. All values are stored as keyword. Example: `docker` and `k8s` labels. | object |
| labels.is_ioc_transform_source | Field indicating if its the transform source for supporting IOC expiration. This field is dropped from destination indices to facilitate easier filtering of indicators. | constant_keyword |
-| log.file.path | Path to the log file. | keyword |
| log.flags | Flags for the log file. | keyword |
| log.offset | Offset of the entry in the log file. | long |
-| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text |
-| tags | List of keywords used to tag each event. | keyword |
| threat.feed.dashboard_id | Dashboard ID used for Kibana CTI UI | constant_keyword |
-| threat.feed.name | | keyword |
-| threat.indicator.confidence | Identifies the vendor-neutral confidence rating using the None/Low/Medium/High scale defined in Appendix A of the STIX 2.1 framework. Vendor-specific confidence scales may be added as custom fields. | keyword |
-| threat.indicator.description | Describes the type of action conducted by the threat. | keyword |
-| threat.indicator.email.address | Identifies a threat indicator as an email address (irrespective of direction). | keyword |
-| threat.indicator.file.hash.md5 | MD5 hash. | keyword |
-| threat.indicator.file.hash.sha1 | SHA1 hash. | keyword |
-| threat.indicator.file.hash.sha256 | SHA256 hash. | keyword |
-| threat.indicator.file.hash.sha512 | SHA512 hash. | keyword |
-| threat.indicator.first_seen | The date and time when intelligence source first reported sighting this indicator. | date |
-| threat.indicator.ip | Identifies a threat indicator as an IP address (irrespective of direction). | ip |
-| threat.indicator.last_seen | The date and time when intelligence source last reported sighting this indicator. | date |
-| threat.indicator.marking.tlp | Traffic Light Protocol sharing markings. | keyword |
-| threat.indicator.provider | The name of the indicator's provider. | keyword |
-| threat.indicator.type | Type of indicator as represented by Cyber Observable in STIX 2.0. | keyword |
-| threat.indicator.url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword |
-| threat.indicator.url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword |
-| threat.indicator.url.full | If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. | wildcard |
-| threat.indicator.url.full.text | Multi-field of `threat.indicator.url.full`. | match_only_text |
-| threat.indicator.url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard |
-| threat.indicator.url.original.text | Multi-field of `threat.indicator.url.original`. | match_only_text |
-| threat.indicator.url.path | Path of the request, such as "/search". | wildcard |
-| threat.indicator.url.port | Port of the request, such as 443. | long |
-| threat.indicator.url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword |
-| threat.indicator.url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword |
| threatq.adversaries | Adversaries that are linked to the object | keyword |
| threatq.attributes | These provide additional context about an object | flattened |
| threatq.created_at | Object creation time | date |
diff --git a/packages/ti_threatq/elasticsearch/transform/latest_ioc/fields/ecs.yml b/packages/ti_threatq/elasticsearch/transform/latest_ioc/fields/ecs.yml
index fe7f103c293..0dabd5a6594 100644
--- a/packages/ti_threatq/elasticsearch/transform/latest_ioc/fields/ecs.yml
+++ b/packages/ti_threatq/elasticsearch/transform/latest_ioc/fields/ecs.yml
@@ -76,4 +76,3 @@
type: constant_keyword
description: Event dataset
value: ti_threatq.threat
-
diff --git a/packages/ti_threatq/manifest.yml b/packages/ti_threatq/manifest.yml
index 5d3e765d28b..f6ce83ca7a1 100644
--- a/packages/ti_threatq/manifest.yml
+++ b/packages/ti_threatq/manifest.yml
@@ -1,13 +1,13 @@
name: ti_threatq
title: ThreatQuotient
-version: "1.27.1"
+version: "1.28.0"
description: Ingest threat intelligence indicators from ThreatQuotient with Elastic Agent.
type: integration
format_version: "3.0.2"
categories: ["security", "threat_intel"]
conditions:
kibana:
- version: ^8.12.0
+ version: "^8.13.0"
icons:
- src: /img/threatq.svg
title: ThreatQuotient
diff --git a/packages/ti_util/changelog.yml b/packages/ti_util/changelog.yml
index 57eee3b7de4..008ca8a3909 100644
--- a/packages/ti_util/changelog.yml
+++ b/packages/ti_util/changelog.yml
@@ -1,4 +1,9 @@
# newer versions go on top
+- version: "1.6.0"
+ changes:
+ - description: Update the kibana constraint to ^8.13.0.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/10135
- version: "1.5.0"
changes:
- description: Update manifest format version to v3.0.3.
diff --git a/packages/ti_util/manifest.yml b/packages/ti_util/manifest.yml
index b6c9189f2d9..d9bb481ce44 100644
--- a/packages/ti_util/manifest.yml
+++ b/packages/ti_util/manifest.yml
@@ -1,13 +1,13 @@
name: ti_util
title: "Threat Intelligence Utilities"
-version: "1.5.0"
+version: "1.6.0"
description: Prebuilt Threat Intelligence dashboard for Elastic Security
categories:
- security
- threat_intel
conditions:
kibana:
- version: ^8.5.0
+ version: "^8.13.0"
format_version: "3.0.3"
type: integration
screenshots:
diff --git a/packages/ti_util/validation.yml b/packages/ti_util/validation.yml
index 83ce7bbe929..9dcaa3b03ff 100644
--- a/packages/ti_util/validation.yml
+++ b/packages/ti_util/validation.yml
@@ -1,5 +1,5 @@
errors:
exclude_checks:
- - SVR00002 # Mandatory filters in dashboards.
- - SVR00004 # References in dashboards.
- - SVR00005 # Kibana version for saved tags.
+ - SVR00002 # Mandatory filters in dashboards.
+ - SVR00004 # References in dashboards.
+ - SVR00005 # Kibana version for saved tags.
diff --git a/packages/tines/changelog.yml b/packages/tines/changelog.yml
index 65628977b24..aad7971250e 100644
--- a/packages/tines/changelog.yml
+++ b/packages/tines/changelog.yml
@@ -1,4 +1,9 @@
# newer versions go on top
+- version: "1.12.0"
+ changes:
+ - description: Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/10135
- version: "1.11.0"
changes:
- description: Update manifest format version to v3.0.3.
diff --git a/packages/tines/data_stream/audit_logs/fields/ecs.yml b/packages/tines/data_stream/audit_logs/fields/ecs.yml
index 170800e18db..b7e148e95ed 100644
--- a/packages/tines/data_stream/audit_logs/fields/ecs.yml
+++ b/packages/tines/data_stream/audit_logs/fields/ecs.yml
@@ -6,113 +6,3 @@
name: data_stream.dataset
- external: ecs
name: data_stream.namespace
-- external: ecs
- name: message
-- external: ecs
- name: 'tags'
-- external: ecs
- name: ecs.version
-- external: ecs
- name: event.action
-- external: ecs
- name: event.category
-- external: ecs
- name: event.code
-- external: ecs
- name: event.created
-- external: ecs
- name: event.ingested
-- external: ecs
- name: event.kind
-- external: ecs
- name: event.outcome
-- external: ecs
- name: event.original
-- external: ecs
- name: event.provider
-- external: ecs
- name: event.sequence
-- external: ecs
- name: event.type
-- external: ecs
- name: event.id
-- external: ecs
- name: related.hosts
-- external: ecs
- name: related.ip
-- external: ecs
- name: related.user
-- external: ecs
- name: source.user.domain
-- external: ecs
- name: source.user.id
-- external: ecs
- name: source.user.name
-- external: ecs
- name: user.domain
-- external: ecs
- name: user.id
-- external: ecs
- name: user.name
-- external: ecs
- name: user.email
-- external: ecs
- name: source.ip
-- external: ecs
- name: source.as.number
-- external: ecs
- name: source.as.organization.name
-- external: ecs
- name: source.geo.city_name
-- external: ecs
- name: source.geo.continent_name
-- external: ecs
- name: source.geo.country_iso_code
-- external: ecs
- name: source.geo.country_name
-- external: ecs
- name: source.geo.location
-- external: ecs
- name: source.geo.name
-- external: ecs
- name: source.geo.region_iso_code
-- external: ecs
- name: source.geo.region_name
-- external: ecs
- name: user_agent.name
-- external: ecs
- name: user_agent.device.name
-- external: ecs
- name: user_agent.original
-- external: ecs
- name: user_agent.version
-- external: ecs
- name: user_agent.os.family
-- external: ecs
- name: user_agent.os.full
-- external: ecs
- name: user_agent.os.kernel
-- external: ecs
- name: user_agent.os.name
-- external: ecs
- name: user_agent.os.platform
-- external: ecs
- name: user_agent.os.type
-- external: ecs
- name: user_agent.os.version
-- external: ecs
- name: url.original
-- external: ecs
- name: url.domain
-- external: ecs
- name: url.extension
-- external: ecs
- name: url.path
-- external: ecs
- name: url.port
-- external: ecs
- name: url.registered_domain
-- external: ecs
- name: url.scheme
-- external: ecs
- name: url.top_level_domain
diff --git a/packages/tines/data_stream/time_saved/fields/ecs.yml b/packages/tines/data_stream/time_saved/fields/ecs.yml
index 170800e18db..b7e148e95ed 100644
--- a/packages/tines/data_stream/time_saved/fields/ecs.yml
+++ b/packages/tines/data_stream/time_saved/fields/ecs.yml
@@ -6,113 +6,3 @@
name: data_stream.dataset
- external: ecs
name: data_stream.namespace
-- external: ecs
- name: message
-- external: ecs
- name: 'tags'
-- external: ecs
- name: ecs.version
-- external: ecs
- name: event.action
-- external: ecs
- name: event.category
-- external: ecs
- name: event.code
-- external: ecs
- name: event.created
-- external: ecs
- name: event.ingested
-- external: ecs
- name: event.kind
-- external: ecs
- name: event.outcome
-- external: ecs
- name: event.original
-- external: ecs
- name: event.provider
-- external: ecs
- name: event.sequence
-- external: ecs
- name: event.type
-- external: ecs
- name: event.id
-- external: ecs
- name: related.hosts
-- external: ecs
- name: related.ip
-- external: ecs
- name: related.user
-- external: ecs
- name: source.user.domain
-- external: ecs
- name: source.user.id
-- external: ecs
- name: source.user.name
-- external: ecs
- name: user.domain
-- external: ecs
- name: user.id
-- external: ecs
- name: user.name
-- external: ecs
- name: user.email
-- external: ecs
- name: source.ip
-- external: ecs
- name: source.as.number
-- external: ecs
- name: source.as.organization.name
-- external: ecs
- name: source.geo.city_name
-- external: ecs
- name: source.geo.continent_name
-- external: ecs
- name: source.geo.country_iso_code
-- external: ecs
- name: source.geo.country_name
-- external: ecs
- name: source.geo.location
-- external: ecs
- name: source.geo.name
-- external: ecs
- name: source.geo.region_iso_code
-- external: ecs
- name: source.geo.region_name
-- external: ecs
- name: user_agent.name
-- external: ecs
- name: user_agent.device.name
-- external: ecs
- name: user_agent.original
-- external: ecs
- name: user_agent.version
-- external: ecs
- name: user_agent.os.family
-- external: ecs
- name: user_agent.os.full
-- external: ecs
- name: user_agent.os.kernel
-- external: ecs
- name: user_agent.os.name
-- external: ecs
- name: user_agent.os.platform
-- external: ecs
- name: user_agent.os.type
-- external: ecs
- name: user_agent.os.version
-- external: ecs
- name: url.original
-- external: ecs
- name: url.domain
-- external: ecs
- name: url.extension
-- external: ecs
- name: url.path
-- external: ecs
- name: url.port
-- external: ecs
- name: url.registered_domain
-- external: ecs
- name: url.scheme
-- external: ecs
- name: url.top_level_domain
diff --git a/packages/tines/docs/README.md b/packages/tines/docs/README.md
index 7a0c08aca50..7242b575738 100644
--- a/packages/tines/docs/README.md
+++ b/packages/tines/docs/README.md
@@ -70,41 +70,7 @@ All fields ingested to this data stream are stored under `tines.audit_log` as ea
| data_stream.dataset | The field can contain anything that makes sense to signify the source of the data. Examples include `nginx.access`, `prometheus`, `endpoint` etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. `event.dataset` should have the same value as `data_stream.dataset`. Beyond the Elasticsearch data stream naming criteria noted above, the `dataset` value has additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword |
| data_stream.namespace | A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with `default`. If no value is used, it falls back to `default`. Beyond the Elasticsearch index naming criteria noted above, `namespace` value has the additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword |
| data_stream.type | An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword |
-| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date |
-| event.id | Unique ID to describe the event. | keyword |
-| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword |
-| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
-| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword |
-| event.provider | Source of the event. Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). | keyword |
-| event.sequence | Sequence number of the event. The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision. | long |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
| input.type | | keyword |
-| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text |
-| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| related.user | All the user names or other user identifiers seen on the event. | keyword |
-| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| source.as.organization.name | Organization name. | keyword |
-| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text |
-| source.geo.city_name | City name. | keyword |
-| source.geo.continent_name | Name of the continent. | keyword |
-| source.geo.country_iso_code | Country ISO code. | keyword |
-| source.geo.country_name | Country name. | keyword |
-| source.geo.location | Longitude and latitude. | geo_point |
-| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
-| source.geo.region_iso_code | Region ISO code. | keyword |
-| source.geo.region_name | Region name. | keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
-| source.user.id | Unique identifier of the user. | keyword |
-| source.user.name | Short name or login of the user. | keyword |
-| source.user.name.text | Multi-field of `source.user.name`. | match_only_text |
-| tags | List of keywords used to tag each event. | keyword |
| tines.audit_log.created_at | The date and time that the audit log event occurred | date |
| tines.audit_log.id | A unique ID for the audit log event | long |
| tines.audit_log.inputs.actionIds | | long |
@@ -172,34 +138,6 @@ All fields ingested to this data stream are stored under `tines.audit_log` as ea | tines.audit_log.user_id | The ID of the user who triggered the operation | long | | tines.audit_log.user_name | The name of the user who triggered the operation | keyword | | tines.tenant_url | The tenant URL associated that provided the event | keyword | -| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | -| url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | -| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | -| url.original.text | Multi-field of `url.original`. | match_only_text | -| url.path | Path of the request, such as "/search". | wildcard | -| url.port | Port of the request, such as 443. | long | -| url.registered_domain | The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). 
Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword | -| url.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | -| user.email | User email address. | keyword | -| user.id | Unique identifier of the user. | keyword | -| user.name | Short name or login of the user. | keyword | -| user.name.text | Multi-field of `user.name`. | match_only_text | -| user_agent.device.name | Name of the device. | keyword | -| user_agent.name | Name of the user agent. | keyword | -| user_agent.original | Unparsed user_agent string. | keyword | -| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text | -| user_agent.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| user_agent.os.full | Operating system name, including the version or code name. | keyword | -| user_agent.os.full.text | Multi-field of `user_agent.os.full`. | match_only_text | -| user_agent.os.kernel | Operating system kernel version as a raw string. | keyword | -| user_agent.os.name | Operating system name, without the version. | keyword | -| user_agent.os.name.text | Multi-field of `user_agent.os.name`. | match_only_text | -| user_agent.os.platform | Operating system platform (such centos, ubuntu, windows). 
| keyword | -| user_agent.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. If the OS you're dealing with is not listed as an expected value, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword | -| user_agent.os.version | Operating system version as a raw string. | keyword | -| user_agent.version | Version of the user agent. | keyword | An example event for `audit` looks as following: 
@@ -345,74 +283,12 @@ All fields ingested to this data stream are stored under `tines.time_saved` as e | data_stream.dataset | The field can contain anything that makes sense to signify the source of the data. Examples include `nginx.access`, `prometheus`, `endpoint` etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. `event.dataset` should have the same value as `data_stream.dataset`. Beyond the Elasticsearch data stream naming criteria noted above, the `dataset` value has additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword | | data_stream.namespace | A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with `default`. If no value is used, it falls back to `default`. Beyond the Elasticsearch index naming criteria noted above, `namespace` value has the additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword | | data_stream.type | An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. 
| keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword | -| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date | -| event.id | Unique ID to describe the event. | keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. 
| date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. 
| keyword | -| event.provider | Source of the event. Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). | keyword | -| event.sequence | Sequence number of the event. The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision. | long | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | | input.type | | keyword | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. 
| match_only_text | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | -| source.user.id | Unique identifier of the user. | keyword | -| source.user.name | Short name or login of the user. | keyword | -| source.user.name.text | Multi-field of `source.user.name`. | match_only_text | -| tags | List of keywords used to tag each event. | keyword | | tines.tenant_url | The tenant URL associated that provided the event | keyword | | tines.time_saved.date | The date and time for the time saved period | date | | tines.time_saved.story_id | Story ID for time saved | long | | tines.time_saved.team_id | Team ID for time saved | long | | tines.time_saved.value | Time saved in seconds | long | -| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. 
| keyword | -| url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | -| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | -| url.original.text | Multi-field of `url.original`. | match_only_text | -| url.path | Path of the request, such as "/search". | wildcard | -| url.port | Port of the request, such as 443. | long | -| url.registered_domain | The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword | -| url.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. 
| keyword | -| user.email | User email address. | keyword | -| user.id | Unique identifier of the user. | keyword | -| user.name | Short name or login of the user. | keyword | -| user.name.text | Multi-field of `user.name`. | match_only_text | -| user_agent.device.name | Name of the device. | keyword | -| user_agent.name | Name of the user agent. | keyword | -| user_agent.original | Unparsed user_agent string. | keyword | -| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text | -| user_agent.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| user_agent.os.full | Operating system name, including the version or code name. | keyword | -| user_agent.os.full.text | Multi-field of `user_agent.os.full`. | match_only_text | -| user_agent.os.kernel | Operating system kernel version as a raw string. | keyword | -| user_agent.os.name | Operating system name, without the version. | keyword | -| user_agent.os.name.text | Multi-field of `user_agent.os.name`. | match_only_text | -| user_agent.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| user_agent.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. If the OS you're dealing with is not listed as an expected value, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword | -| user_agent.os.version | Operating system version as a raw string. | keyword | -| user_agent.version | Version of the user agent. | keyword | An example event for `time_saved` looks as following: diff --git a/packages/tines/manifest.yml b/packages/tines/manifest.yml index f16eef73735..e78276a97d3 100644 --- a/packages/tines/manifest.yml +++ b/packages/tines/manifest.yml 
@@ -1,7 +1,7 @@
format_version: "3.0.3"
name: tines
title: "Tines"
-version: "1.11.0"
+version: "1.12.0"
description: "Tines Logs & Time Saved Reports"
type: integration
categories:
@@ -9,7 +9,7 @@ categories:
- security
conditions:
kibana:
- version: "^8.12.0"
+ version: "^8.13.0"
elastic:
subscription: "basic"
screenshots:
diff --git a/packages/trellix_edr_cloud/_dev/build/build.yml b/packages/trellix_edr_cloud/_dev/build/build.yml
index 71f48ba2a9c..2bfcfc223b0 100644
--- a/packages/trellix_edr_cloud/_dev/build/build.yml
+++ b/packages/trellix_edr_cloud/_dev/build/build.yml
@@ -1,4 +1,3 @@
dependencies:
ecs:
reference: "git@v8.11.0"
- import_mappings: true
diff --git a/packages/trellix_edr_cloud/changelog.yml b/packages/trellix_edr_cloud/changelog.yml
index b883c99f3ba..702a173c19e 100644
--- a/packages/trellix_edr_cloud/changelog.yml
+++ b/packages/trellix_edr_cloud/changelog.yml
@@ -1,4 +1,9 @@
# newer versions go on top
+- version: "1.2.0"
+ changes:
+ - description: Removed import_mappings. Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/10135
- version: "1.1.0"
changes:
- description: Set sensitive values as secret.
diff --git a/packages/trellix_edr_cloud/data_stream/event/fields/beats.yml b/packages/trellix_edr_cloud/data_stream/event/fields/beats.yml
index 083dcfe307e..fff1b3f1b6b 100644
--- a/packages/trellix_edr_cloud/data_stream/event/fields/beats.yml
+++ b/packages/trellix_edr_cloud/data_stream/event/fields/beats.yml
@@ -4,9 +4,6 @@
- name: log.offset
type: long
description: Log offset.
-- name: tags
- type: keyword
- description: User defined tags.
- name: aws.s3
type: group
fields:
diff --git a/packages/trellix_edr_cloud/docs/README.md b/packages/trellix_edr_cloud/docs/README.md
index 44219233bae..bf450733c1d 100644
--- a/packages/trellix_edr_cloud/docs/README.md
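Review bot: Dropping the explicit `tags` keyword definition from beats.yml (here, and again in the three trellix_epo_cloud beats.yml hunks further down) makes that field's mapping depend on the stack's ecs@mappings component template, which the changelog entry ties to the ^8.13.0 kibana constraint. The removed definition was `type: keyword`; if a package built this way were ever installed where that template is absent, `tags` would presumably fall back to dynamic mapping, and saved searches or detection rules that filter on exact `tags` values could stop matching. It would help to make the dependency visible in beats.yml with a comment such as `# tags is mapped by the ecs@mappings component template (stack >= 8.13); do not re-add here.` The same reasoning applies to the `import_mappings: true` removals in the two build.yml hunks.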
+++ b/packages/trellix_edr_cloud/docs/README.md
@@ -357,7 +357,6 @@ An example event for `event` looks as following:
| event.module | Event module. | constant_keyword |
| input.type | Type of filebeat input. | keyword |
| log.offset | Log offset. | long |
-| tags | User defined tags. | keyword |
| trellix_edr_cloud.event.access_type | | keyword |
| trellix_edr_cloud.event.action | | keyword |
| trellix_edr_cloud.event.arguments | | keyword |
diff --git a/packages/trellix_edr_cloud/manifest.yml b/packages/trellix_edr_cloud/manifest.yml
index 181b095988d..9b6e613d678 100644
--- a/packages/trellix_edr_cloud/manifest.yml
+++ b/packages/trellix_edr_cloud/manifest.yml
@@ -1,7 +1,7 @@
format_version: "3.0.2"
name: trellix_edr_cloud
title: Trellix EDR Cloud
-version: "1.1.0"
+version: "1.2.0"
description: Collect logs from Trellix EDR Cloud with Elastic Agent.
type: integration
categories:
@@ -9,7 +9,7 @@ categories:
- security
conditions:
kibana:
- version: ^8.12.0
+ version: "^8.13.0"
elastic:
subscription: basic
screenshots:
diff --git a/packages/trellix_epo_cloud/_dev/build/build.yml b/packages/trellix_epo_cloud/_dev/build/build.yml
index 71f48ba2a9c..2bfcfc223b0 100644
--- a/packages/trellix_epo_cloud/_dev/build/build.yml
+++ b/packages/trellix_epo_cloud/_dev/build/build.yml
@@ -1,4 +1,3 @@
dependencies:
ecs:
reference: "git@v8.11.0"
- import_mappings: true
diff --git a/packages/trellix_epo_cloud/changelog.yml b/packages/trellix_epo_cloud/changelog.yml
index c5ab2775d1c..e7276684d5f 100644
--- a/packages/trellix_epo_cloud/changelog.yml
+++ b/packages/trellix_epo_cloud/changelog.yml
@@ -1,4 +1,9 @@
# newer versions go on top
+- version: "1.11.0"
+ changes:
+ - description: Removed import_mappings. Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/10135
- version: "1.10.0"
changes:
- description: Set sensitive values as secret.
diff --git a/packages/trellix_epo_cloud/data_stream/device/fields/beats.yml b/packages/trellix_epo_cloud/data_stream/device/fields/beats.yml
index 80cbae91cae..cc9fcebf29b 100644
--- a/packages/trellix_epo_cloud/data_stream/device/fields/beats.yml
+++ b/packages/trellix_epo_cloud/data_stream/device/fields/beats.yml
@@ -4,6 +4,3 @@
- name: log.offset
type: long
description: Log offset.
-- name: tags
- type: keyword
- description: User defined tags.
diff --git a/packages/trellix_epo_cloud/data_stream/event/fields/beats.yml b/packages/trellix_epo_cloud/data_stream/event/fields/beats.yml
index 80cbae91cae..cc9fcebf29b 100644
--- a/packages/trellix_epo_cloud/data_stream/event/fields/beats.yml
+++ b/packages/trellix_epo_cloud/data_stream/event/fields/beats.yml
@@ -4,6 +4,3 @@
- name: log.offset
type: long
description: Log offset.
-- name: tags
- type: keyword
- description: User defined tags.
diff --git a/packages/trellix_epo_cloud/data_stream/group/fields/beats.yml b/packages/trellix_epo_cloud/data_stream/group/fields/beats.yml
index 80cbae91cae..cc9fcebf29b 100644
--- a/packages/trellix_epo_cloud/data_stream/group/fields/beats.yml
+++ b/packages/trellix_epo_cloud/data_stream/group/fields/beats.yml
@@ -4,6 +4,3 @@
- name: log.offset
type: long
description: Log offset.
-- name: tags
- type: keyword
- description: User defined tags.
diff --git a/packages/trellix_epo_cloud/docs/README.md b/packages/trellix_epo_cloud/docs/README.md
index 4ee6ec0b623..979c7b9e98b 100644
--- a/packages/trellix_epo_cloud/docs/README.md
+++ b/packages/trellix_epo_cloud/docs/README.md
@@ -215,7 +215,6 @@ An example event for `device` looks as following:
| event.module | Event module. | constant_keyword |
| input.type | Type of Filebeat input. | keyword |
| log.offset | Log offset. | long |
-| tags | User defined tags. | keyword |
| trellix_epo_cloud.device.attributes.agent.guid | | keyword |
| trellix_epo_cloud.device.attributes.agent.platform | | keyword |
| trellix_epo_cloud.device.attributes.agent.state | | boolean |
@@ -438,7 +437,6 @@ An example event for `event` looks as following:
| event.module | Event module. | constant_keyword |
| input.type | Type of Filebeat input. | keyword |
| log.offset | Log offset. | long |
-| tags | User defined tags. | keyword |
| trellix_epo_cloud.event.attributes.agent.guid | | keyword |
| trellix_epo_cloud.event.attributes.analyzer.dat_version | | keyword |
| trellix_epo_cloud.event.attributes.analyzer.detection_method | | keyword |
@@ -597,7 +595,6 @@ An example event for `group` looks as following:
| event.module | Event module. | constant_keyword |
| input.type | Type of Filebeat input. | keyword |
| log.offset | Log offset. | long |
-| tags | User defined tags. | keyword |
| trellix_epo_cloud.group.attributes.group_type.id | | keyword |
| trellix_epo_cloud.group.attributes.l1_parent.id | | keyword |
| trellix_epo_cloud.group.attributes.l2_parent.id | | keyword |
diff --git a/packages/trellix_epo_cloud/manifest.yml b/packages/trellix_epo_cloud/manifest.yml
index 0124cb44a98..301b76ad472 100644
--- a/packages/trellix_epo_cloud/manifest.yml
+++ b/packages/trellix_epo_cloud/manifest.yml
@@ -1,7 +1,7 @@
format_version: "3.0.2"
name: trellix_epo_cloud
title: Trellix ePO Cloud
-version: "1.10.0"
+version: "1.11.0"
source:
license: Elastic-2.0
description: Collect logs from Trellix ePO Cloud with Elastic Agent.
@@ -10,7 +10,7 @@ categories:
- security
conditions:
kibana:
- version: ^8.12.0
+ version: "^8.13.0"
elastic:
subscription: basic
screenshots:
diff --git a/packages/trend_micro_vision_one/changelog.yml b/packages/trend_micro_vision_one/changelog.yml
index 4e9c309252f..977c7255282 100644
--- a/packages/trend_micro_vision_one/changelog.yml
+++ b/packages/trend_micro_vision_one/changelog.yml
@@ -1,4 +1,9 @@
# newer versions go on top
+- version: "1.20.0"
+ changes:
+ - description: Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/10135
- version: "1.19.1"
changes:
- description: Fix sample event.
diff --git a/packages/trend_micro_vision_one/data_stream/alert/fields/agent.yml b/packages/trend_micro_vision_one/data_stream/alert/fields/agent.yml
index e313ec82874..48f513b61aa 100644
--- a/packages/trend_micro_vision_one/data_stream/alert/fields/agent.yml
+++ b/packages/trend_micro_vision_one/data_stream/alert/fields/agent.yml
@@ -5,180 +5,15 @@ footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' type: group fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - name: image.id type: keyword description: Image ID for the cloud instance. -- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. 
- - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. - name: host title: Host group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' type: group fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. 
- - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - name: containerized type: boolean description: > diff --git a/packages/trend_micro_vision_one/data_stream/alert/fields/ecs.yml b/packages/trend_micro_vision_one/data_stream/alert/fields/ecs.yml deleted file mode 100644 index f4275f1ecc4..00000000000 
--- a/packages/trend_micro_vision_one/data_stream/alert/fields/ecs.yml +++ /dev/null @@ -1,34 +0,0 @@ -- external: ecs - name: ecs.version -- external: ecs - name: event.category -- external: ecs - name: event.created -- external: ecs - name: event.id -- external: ecs - name: event.kind -- external: ecs - name: event.original -- external: ecs - name: event.severity -- external: ecs - name: event.type -- external: ecs - name: log.level -- external: ecs - name: related.ip -- external: ecs - name: tags -- external: ecs - name: url.domain -- external: ecs - name: url.extension -- external: ecs - name: url.fragment -- external: ecs - name: url.original -- external: ecs - name: url.path -- external: ecs - name: url.scheme diff --git a/packages/trend_micro_vision_one/data_stream/audit/fields/agent.yml b/packages/trend_micro_vision_one/data_stream/audit/fields/agent.yml index e313ec82874..48f513b61aa 100644 --- a/packages/trend_micro_vision_one/data_stream/audit/fields/agent.yml +++ b/packages/trend_micro_vision_one/data_stream/audit/fields/agent.yml 
@@ -5,180 +5,15 @@ footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' type: group fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - name: image.id type: keyword description: Image ID for the cloud instance. -- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. 
- - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. - name: host title: Host group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' type: group fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. 
- - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - name: containerized type: boolean description: > diff --git a/packages/trend_micro_vision_one/data_stream/audit/fields/ecs.yml b/packages/trend_micro_vision_one/data_stream/audit/fields/ecs.yml deleted file mode 100644 index 951fd69cf1c..00000000000 
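Review bot: The removed `host.*`, `cloud.*` and `container.*` definitions (including `host.ip` with `type: ip`) leave this data stream without an explicit mapping for fields its pipeline still populates, and the accompanying deletion of `fields/ecs.yml` drops the `external: ecs` declarations for `event.*`, `related.ip` and `tags` as well. Unless the package now obtains ECS mappings another way (for example the stack-provided `ecs@mappings` component template, which depends on the package format/stack version and is not visible in this hunk), these values would be mapped dynamically, and detection rules that rely on `host.ip`/`related.ip` being `ip`-typed or on `event.category`/`event.kind` being keyword could silently stop matching. Worth confirming the manifest declares that dependency, or keeping a minimal `ecs.yml` for the fields the pipelines emit. The same concern applies to the identical hunk in `detection/fields/agent.yml` that follows.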
--- a/packages/trend_micro_vision_one/data_stream/audit/fields/ecs.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- external: ecs
- name: ecs.version
-- external: ecs
- name: event.category
-- external: ecs
- name: event.created
-- external: ecs
- name: event.kind
-- external: ecs
- name: event.original
-- external: ecs
- name: event.type
-- external: ecs
- name: related.user
-- external: ecs
- name: source.user.name
-- external: ecs
- name: source.user.roles
-- external: ecs
- name: tags
diff --git a/packages/trend_micro_vision_one/data_stream/detection/fields/agent.yml b/packages/trend_micro_vision_one/data_stream/detection/fields/agent.yml
index e313ec82874..48f513b61aa 100644
--- a/packages/trend_micro_vision_one/data_stream/detection/fields/agent.yml
+++ b/packages/trend_micro_vision_one/data_stream/detection/fields/agent.yml
@@ -5,180 +5,15 @@ footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' type: group fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - name: image.id type: keyword description: Image ID for the cloud instance. -- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. 
- - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. - name: host title: Host group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' type: group fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. 
- - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - name: containerized type: boolean description: > diff --git a/packages/trend_micro_vision_one/data_stream/detection/fields/ecs.yml b/packages/trend_micro_vision_one/data_stream/detection/fields/ecs.yml deleted file mode 100644 index f39d1f85028..00000000000 
--- a/packages/trend_micro_vision_one/data_stream/detection/fields/ecs.yml
+++ /dev/null
@@ -1,90 +0,0 @@
-- external: ecs
- name: client.ip
-- external: ecs
- name: destination.domain
-- external: ecs
- name: destination.ip
-- external: ecs
- name: destination.port
-- external: ecs
- name: ecs.version
-- external: ecs
- name: event.category
-- external: ecs
- name: event.created
-- external: ecs
- name: event.kind
-- external: ecs
- name: event.original
-- external: ecs
- name: event.severity
-- external: ecs
- name: event.type
-- external: ecs
- name: file.hash.md5
-- external: ecs
- name: file.hash.sha1
-- external: ecs
- name: file.hash.sha256
-- external: ecs
- name: file.name
-- external: ecs
- name: file.path
-- external: ecs
- name: file.size
-- external: ecs
- name: file.type
-- external: ecs
- name: http.request.referrer
-- external: ecs
- name: network.direction
-- external: ecs
- name: network.protocol
-- external: ecs
- name: observer.hostname
-- external: ecs
- name: observer.mac
-- external: ecs
- name: process.command_line
-- external: ecs
- name: process.name
-- external: ecs
- name: process.pid
-- external: ecs
- name: related.hash
-- external: ecs
- name: related.hosts
-- external: ecs
- name: related.ip
-- external: ecs
- name: source.ip
-- external: ecs
- name: source.port
-- external: ecs
- name: tags
-- external: ecs
- name: threat.tactic.id
-- external: ecs
- name: url.domain
-- external: ecs
- name: url.original
-- external: ecs
- name: url.path
-- external: ecs
- name: url.scheme
-- external: ecs
- name: user.domain
-- external: ecs
- name: user_agent.device.name
-- external: ecs
- name: user_agent.name
-- external: ecs
- name: user_agent.original
-- external: ecs
- name: user_agent.os.full
-- external: ecs
- name: user_agent.os.name
-- external: ecs
- name: user_agent.os.version
-- external: ecs
- name: user_agent.version
diff --git a/packages/trend_micro_vision_one/docs/README.md b/packages/trend_micro_vision_one/docs/README.md
index 444208b8605..65381dc22d2 100644
--- a/packages/trend_micro_vision_one/docs/README.md
+++ b/packages/trend_micro_vision_one/docs/README.md
@@ -186,54 +186,17 @@ An example event for `alert` looks as following:
| Field | Description | Type |
|---|---|---|
| @timestamp | Event timestamp. | date |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
| data_stream.dataset | Data stream dataset. | constant_keyword |
| data_stream.namespace | Data stream namespace. | constant_keyword |
| data_stream.type | Data stream type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories.
For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date |
| event.dataset | Event dataset. | constant_keyword |
-| event.id | Unique ID to describe the event. | keyword |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword |
| event.module | Event module. | constant_keyword |
-| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled.
It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
-| event.severity | The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. | long |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| host.architecture | Operating system architecture. | keyword |
| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses.
| keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
| host.os.build | OS build information. | keyword |
| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
| input.type | Input type | keyword |
-| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword |
| log.offset | Log offset | long |
-| related.ip | All of the IPs seen on your event. | ip |
-| tags | List of keywords used to tag each event. | keyword |
| trend_micro_vision_one.alert.alert_provider | Alert provider. | keyword |
| trend_micro_vision_one.alert.campaign | An object-ref to a campaign object. | keyword |
| trend_micro_vision_one.alert.created_by | Created by. | keyword |
@@ -292,13 +255,6 @@ An example event for `alert` looks as following:
| trend_micro_vision_one.alert.severity | Workbench alert severity. | keyword |
| trend_micro_vision_one.alert.total_indicator_count | Total indicator pattern count. | long |
| trend_micro_vision_one.alert.workbench_link | Workbench URL. | keyword |
-| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword |
-| url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword |
-| url.fragment | Portion of the url after the `#`, such as "top". The `#` is not part of the fragment. | keyword |
-| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard |
-| url.original.text | Multi-field of `url.original`. | match_only_text |
-| url.path | Path of the request, such as "/search". | wildcard |
-| url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword |
### audit
@@ -391,54 +347,17 @@ An example event for `audit` looks as following:
| Field | Description | Type |
|---|---|---|
| @timestamp | Event timestamp. | date |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
| data_stream.dataset | Data stream dataset. | constant_keyword |
| data_stream.namespace | Data stream namespace. | constant_keyword |
| data_stream.type | Data stream type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories.
For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date |
| event.dataset | Event dataset. | constant_keyword |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword |
| event.module | Event module. | constant_keyword |
-| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`.
If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| host.architecture | Operating system architecture. | keyword |
| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
| host.os.build | OS build information. | keyword |
| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`.
| text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
| input.type | Input type | keyword |
| log.offset | Log offset | long |
-| related.user | All the user names or other user identifiers seen on the event. | keyword |
-| source.user.name | Short name or login of the user. | keyword |
-| source.user.name.text | Multi-field of `source.user.name`. | match_only_text |
-| source.user.roles | Array of user roles at the time of the event. | keyword |
-| tags | List of keywords used to tag each event. | keyword |
| trend_micro_vision_one.audit.access_type | Source of the activity. | keyword |
| trend_micro_vision_one.audit.activity | The activity that was performed. | keyword |
| trend_micro_vision_one.audit.category | Category. | keyword |
@@ -773,79 +692,17 @@ An example event for `detection` looks as following:
| Field | Description | Type |
|---|---|---|
| @timestamp | Event timestamp. | date |
-| client.ip | IP address of the client (IPv4 or IPv6). | ip |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
| data_stream.dataset | Data stream dataset. | constant_keyword |
| data_stream.namespace | Data stream namespace. | constant_keyword |
| data_stream.type | Data stream type. | constant_keyword |
-| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
-| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
-| destination.port | Port of the destination. | long |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date |
| event.dataset | Event dataset. | constant_keyword |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not.
| keyword |
| event.module | Event module. | constant_keyword |
-| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
-| event.severity | The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. | long |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| file.hash.md5 | MD5 hash. | keyword |
-| file.hash.sha1 | SHA1 hash. | keyword |
-| file.hash.sha256 | SHA256 hash. | keyword |
-| file.name | Name of the file including the extension, without the directory. | keyword |
-| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword |
-| file.path.text | Multi-field of `file.path`. | match_only_text |
-| file.size | File size in bytes.
Only relevant when `file.type` is "file". | long |
-| file.type | File type (file, dir, or symlink). | keyword |
-| host.architecture | Operating system architecture. | keyword |
| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
| host.os.build | OS build information. | keyword |
| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| http.request.referrer | Referrer for this HTTP request.
| keyword |
| input.type | Input type | keyword |
| log.offset | Log offset | long |
-| network.direction | Direction of the network traffic. When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword |
-| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword |
-| observer.hostname | Hostname of the observer. | keyword |
-| observer.mac | MAC addresses of the observer. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
-| process.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard |
-| process.command_line.text | Multi-field of `process.command_line`. | match_only_text |
-| process.name | Process name. Sometimes called program name or similar. | keyword |
-| process.name.text | Multi-field of `process.name`. | match_only_text |
-| process.pid | Process id. | long |
-| related.hash | All the hashes seen on your event.
Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword |
-| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.port | Port of the source. | long |
-| tags | List of keywords used to tag each event. | keyword |
-| threat.tactic.id | The id of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ ) | keyword |
| trend_micro_vision_one.detection.action | Action by detect product. | keyword |
| trend_micro_vision_one.detection.action_result | Action result by detect product. | keyword |
| trend_micro_vision_one.detection.aggregated_count | Aggregated count. | long |
@@ -957,20 +814,4 @@ An example event for `detection` looks as following:
| trend_micro_vision_one.detection.url_cat | URL cat. | keyword |
| trend_micro_vision_one.detection.user.domain | User domain. | keyword |
| trend_micro_vision_one.detection.uuid | Log unique id. | keyword |
-| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword |
-| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard |
-| url.original.text | Multi-field of `url.original`. | match_only_text |
-| url.path | Path of the request, such as "/search". | wildcard |
-| url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword |
-| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
-| user_agent.device.name | Name of the device. | keyword |
-| user_agent.name | Name of the user agent. | keyword |
-| user_agent.original | Unparsed user_agent string. | keyword |
-| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text |
-| user_agent.os.full | Operating system name, including the version or code name. | keyword |
-| user_agent.os.full.text | Multi-field of `user_agent.os.full`. | match_only_text |
-| user_agent.os.name | Operating system name, without the version. | keyword |
-| user_agent.os.name.text | Multi-field of `user_agent.os.name`.
| match_only_text |
-| user_agent.os.version | Operating system version as a raw string. | keyword |
-| user_agent.version | Version of the user agent. | keyword |
diff --git a/packages/trend_micro_vision_one/manifest.yml b/packages/trend_micro_vision_one/manifest.yml
index 563662497cf..05ce42731c2 100644
--- a/packages/trend_micro_vision_one/manifest.yml
+++ b/packages/trend_micro_vision_one/manifest.yml
@@ -1,7 +1,7 @@
format_version: "3.0.3"
name: trend_micro_vision_one
title: Trend Micro Vision One
-version: "1.19.1"
+version: "1.20.0"
description: Collect logs from Trend Micro Vision One with Elastic Agent.
type: integration
categories:
@@ -9,7 +9,7 @@ categories:
- edr_xdr
conditions:
kibana:
- version: ^8.12.0
+ version: "^8.13.0"
screenshots:
- src: /img/trend-micro-vision-one-alert-dashboard-screenshot.png
title: Trend Micro Vision One Dashboard Screenshot
diff --git a/packages/trendmicro/_dev/build/build.yml b/packages/trendmicro/_dev/build/build.yml
index 71f48ba2a9c..2bfcfc223b0 100644
--- a/packages/trendmicro/_dev/build/build.yml
+++ b/packages/trendmicro/_dev/build/build.yml
@@ -1,4 +1,3 @@
dependencies:
ecs:
reference: "git@v8.11.0"
- import_mappings: true
diff --git a/packages/trendmicro/changelog.yml b/packages/trendmicro/changelog.yml
index 5dad01043b1..4d1cac06c91 100644
--- a/packages/trendmicro/changelog.yml
+++ b/packages/trendmicro/changelog.yml
@@ -1,4 +1,9 @@
# newer versions go on top
+- version: "2.3.0"
+ changes:
+ - description: Removed import_mappings. Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/10135
- version: "2.2.0"
changes:
- description: Add ECS categorizations for anti-malware events.
diff --git a/packages/trendmicro/data_stream/deep_security/fields/beats.yml b/packages/trendmicro/data_stream/deep_security/fields/beats.yml
index 9eff736e678..9daf23f1f79 100644
--- a/packages/trendmicro/data_stream/deep_security/fields/beats.yml
+++ b/packages/trendmicro/data_stream/deep_security/fields/beats.yml
@@ -25,6 +25,3 @@
- name: vol
type: keyword
description: The serial number of the volume that contains a file. (Windows-only)
-- name: tags
- type: keyword
- description: User defined tags.
diff --git a/packages/trendmicro/docs/README.md b/packages/trendmicro/docs/README.md
index f3744df5c9a..f9b2ba2d8f5 100644
--- a/packages/trendmicro/docs/README.md
+++ b/packages/trendmicro/docs/README.md
@@ -163,7 +163,6 @@ An example event for `deep_security` looks as following:
| log.offset | Log offset. | long |
| log.source.address | Source address from which the log event was read / sent from. | keyword |
| source.process.name | Source process name. | keyword |
-| tags | User defined tags. | keyword |
| trendmicro.deep_security.action | The action detected by the integrity rule. | keyword |
| trendmicro.deep_security.aggregation_type | An integer that indicates how the event is aggregated:. | keyword |
| trendmicro.deep_security.base_event_count | Base event count. | long |
diff --git a/packages/trendmicro/manifest.yml b/packages/trendmicro/manifest.yml
index 7ee4aef99cc..d191d1c2cb1 100644
--- a/packages/trendmicro/manifest.yml
+++ b/packages/trendmicro/manifest.yml
@@ -1,7 +1,7 @@
format_version: "3.0.0"
name: trendmicro
title: Trend Micro Deep Security
-version: "2.2.0"
+version: "2.3.0"
description: Collect logs from Trend Micro Deep Security with Elastic Agent.
type: integration
categories:
@@ -10,7 +10,7 @@ categories:
- security
conditions:
kibana:
- version: "^8.11.0"
+ version: "^8.13.0"
elastic:
subscription: basic
screenshots:
diff --git a/packages/vectra_detect/_dev/build/build.yml b/packages/vectra_detect/_dev/build/build.yml
index 71f48ba2a9c..2bfcfc223b0 100644
--- a/packages/vectra_detect/_dev/build/build.yml
+++ b/packages/vectra_detect/_dev/build/build.yml
@@ -1,4 +1,3 @@
dependencies:
ecs:
reference: "git@v8.11.0"
- import_mappings: true
diff --git a/packages/vectra_detect/changelog.yml b/packages/vectra_detect/changelog.yml
index c048b595383..cb6c1760da2 100644
--- a/packages/vectra_detect/changelog.yml
+++ b/packages/vectra_detect/changelog.yml
@@ -1,4 +1,9 @@
# newer versions go on top
+- version: "1.9.0"
+ changes:
+ - description: Removed import_mappings. Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/10135
- version: "1.8.0"
changes:
- description: Update manifest format version to v3.0.3.
diff --git a/packages/vectra_detect/data_stream/log/_dev/test/pipeline/test-common-config.yml b/packages/vectra_detect/data_stream/log/_dev/test/pipeline/test-common-config.yml
index d8ab55a55b3..7695fd785a3 100644
--- a/packages/vectra_detect/data_stream/log/_dev/test/pipeline/test-common-config.yml
+++ b/packages/vectra_detect/data_stream/log/_dev/test/pipeline/test-common-config.yml
@@ -11,4 +11,4 @@ fields:
- preserve_duplicate_custom_fields
numeric_keyword_fields:
- vectra_detect.log.host.groups.id
- - vectra_detect.log.host.groups.triage_filters.id
\ No newline at end of file
+ - vectra_detect.log.host.groups.triage_filters.id
diff --git a/packages/vectra_detect/data_stream/log/_dev/test/system/test-tcp-config.yml b/packages/vectra_detect/data_stream/log/_dev/test/system/test-tcp-config.yml
index ab9d670a404..c88ba2ed662 100644
--- a/packages/vectra_detect/data_stream/log/_dev/test/system/test-tcp-config.yml
+++ b/packages/vectra_detect/data_stream/log/_dev/test/system/test-tcp-config.yml
@@ -9,4 +9,4 @@ data_stream:
preserve_duplicate_custom_fields: true
numeric_keyword_fields:
- vectra_detect.log.host.groups.id
- - vectra_detect.log.host.groups.triage_filters.id
\ No newline at end of file
+ - vectra_detect.log.host.groups.triage_filters.id
diff --git a/packages/vectra_detect/data_stream/log/_dev/test/system/test-tls-config.yml b/packages/vectra_detect/data_stream/log/_dev/test/system/test-tls-config.yml
index c104905f041..75abd5d905c 100644
--- a/packages/vectra_detect/data_stream/log/_dev/test/system/test-tls-config.yml
+++ b/packages/vectra_detect/data_stream/log/_dev/test/system/test-tls-config.yml
@@ -61,4 +61,4 @@ data_stream:
preserve_duplicate_custom_fields: true
numeric_keyword_fields:
- vectra_detect.log.host.groups.id
- - vectra_detect.log.host.groups.triage_filters.id
\ No newline at end of file
+ - vectra_detect.log.host.groups.triage_filters.id
diff --git a/packages/vectra_detect/data_stream/log/_dev/test/system/test-udp-config.yml b/packages/vectra_detect/data_stream/log/_dev/test/system/test-udp-config.yml
index 769f35216e9..a52ed7dc9f3 100644
--- a/packages/vectra_detect/data_stream/log/_dev/test/system/test-udp-config.yml
+++ b/packages/vectra_detect/data_stream/log/_dev/test/system/test-udp-config.yml
@@ -9,4 +9,4 @@ data_stream:
preserve_duplicate_custom_fields: true
numeric_keyword_fields:
- vectra_detect.log.host.groups.id
- - vectra_detect.log.host.groups.triage_filters.id
\ No newline at end of file
+ - vectra_detect.log.host.groups.triage_filters.id
diff --git a/packages/vectra_detect/data_stream/log/fields/beats.yml b/packages/vectra_detect/data_stream/log/fields/beats.yml
index 2d5ae254634..d5fd38748ba 100644
--- a/packages/vectra_detect/data_stream/log/fields/beats.yml
+++ b/packages/vectra_detect/data_stream/log/fields/beats.yml
@@ -4,6 +4,3 @@
- name: log.offset
type: long
description: Log offset.
-- name: tags
- type: keyword
- description: User defined tags.
diff --git a/packages/vectra_detect/docs/README.md b/packages/vectra_detect/docs/README.md
index 99975b4ff10..a763f59e963 100644
--- a/packages/vectra_detect/docs/README.md
+++ b/packages/vectra_detect/docs/README.md
@@ -196,7 +196,6 @@ An example event for `log` looks as following:
| input.type | Type of Filebeat input. | keyword |
| log.offset | Log offset. | long |
| log.source.address | Source address from which the log event was read / sent from. | keyword |
-| tags | User defined tags. | keyword |
| vectra_detect.log.account.access_history.id | | keyword |
| vectra_detect.log.account.access_history.last_seen | | date |
| vectra_detect.log.account.access_history.privilege_category | | keyword |
diff --git a/packages/vectra_detect/manifest.yml b/packages/vectra_detect/manifest.yml
index 22cc96ebfea..8750bb58355 100644
--- a/packages/vectra_detect/manifest.yml
+++ b/packages/vectra_detect/manifest.yml
@@ -1,7 +1,7 @@
format_version: "3.0.3"
name: vectra_detect
title: Vectra Detect
-version: "1.8.0"
+version: "1.9.0"
source:
license: Elastic-2.0
description: Collect logs from Vectra Detect with Elastic Agent.
@@ -9,7 +9,7 @@ type: integration
categories: ["security", "network_security"]
conditions:
kibana:
- version: ^8.3.0
+ version: "^8.13.0"
elastic:
subscription: basic
screenshots:
diff --git a/packages/wiz/_dev/build/build.yml b/packages/wiz/_dev/build/build.yml
index 71f48ba2a9c..2bfcfc223b0 100644
--- a/packages/wiz/_dev/build/build.yml
+++ b/packages/wiz/_dev/build/build.yml
@@ -1,4 +1,3 @@
dependencies:
ecs:
reference: "git@v8.11.0"
- import_mappings: true
diff --git a/packages/wiz/changelog.yml b/packages/wiz/changelog.yml
index e2e3eb5625d..8f0947f72ab 100644
--- a/packages/wiz/changelog.yml
+++ b/packages/wiz/changelog.yml
@@ -1,4 +1,9 @@
# newer versions go on top
+- version: "1.2.0"
+ changes:
+ - description: Removed import_mappings. Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/10135
- version: "1.1.1"
changes:
- description: Add cloudsecurity_cdr sub category label
diff --git a/packages/wiz/data_stream/audit/fields/beats.yml b/packages/wiz/data_stream/audit/fields/beats.yml
index b3701b581cf..4084f1dc7f5 100644
--- a/packages/wiz/data_stream/audit/fields/beats.yml
+++ b/packages/wiz/data_stream/audit/fields/beats.yml
@@ -4,6 +4,3 @@
- name: log.offset
type: long
description: Log offset.
-- name: tags
- type: keyword
- description: User defined tags.
diff --git a/packages/wiz/data_stream/issue/_dev/test/pipeline/test-issue.log-expected.json b/packages/wiz/data_stream/issue/_dev/test/pipeline/test-issue.log-expected.json
index 03e8eaaf207..b7c650d39c9 100644
--- a/packages/wiz/data_stream/issue/_dev/test/pipeline/test-issue.log-expected.json
+++ b/packages/wiz/data_stream/issue/_dev/test/pipeline/test-issue.log-expected.json
@@ -16,7 +16,7 @@ "created": "2023-08-23T07:56:09.903Z", "id": "fff9cffd-64a7-412c-9535-cf837f4b0b40", "kind": "event", - "original": "{\"createdAt\": \"2023-08-23T07:56:09.903743Z\",\"dueAt\": \"2023-08-30T21:00:00Z\",\"entitySnapshot\": {\"cloudPlatform\": \"Kubernetes\",\"cloudProviderURL\": \"https://portal.az.com/#@sectest.on.com/resource//subscriptions/\",\"externalId\": \"k8s/clusterrole/aaa8e7ca2bf9bc85a75d5bbdd8ffd08d69f8852782a6341c3c3519sad45/system:aggregate-to-edit/12\",\"id\": \"e507d472-b7da-5f05-9b25-72a271336b14\",\"name\": \"system:aggregate-to-edit\",\"nativeType\": \"ClusterRole\",\"providerId\": \"k8s/clusterrole/aaa8e7ca2bf9bc85a75d5bbdd8ffd08d69f8852782a6341c3c3519bac0f24ae9/system:aggregate-to-edit/12\",\"region\": \"us-01\",\"resourceGroupExternalId\": \"/subscriptions/cfd132be-3bc7-4f86-8efd-ed53ae498fec/resourcegroups/test-selfmanaged-eastus\",\"status\": \"Active\",\"subscriptionExternalId\": \"998231069301\",\"subscriptionName\": \"demo-integrations\",\"subscriptionTags\": {},\"tags\": {\"kubernetes.io/bootstrapping\": \"rbac-defaults\",\"rbac.authorization.k8s.io/aggregate-to-edit\": \"true\"},\"type\": \"ACCESS_ROLE\"},\"id\": \"fff9cffd-64a7-412c-9535-cf837f4b0b40\",\"notes\": [{\"createdAt\": \"2023-08-23T07:56:09.903743Z\",\"serviceAccount\": {\"name\": \"rev-ke\"},\"text\": \"updated\",\"updatedAt\": \"2023-08-09T23:10:22.588721Z\",\"user\":{\"name\":\"admin\",\"email\":\"admin@example.com\"}},{\"createdAt\": \"2023-08-09T23:08:49.918941Z\",\"serviceAccount\": {\"name\": \"rev-ke2\"},\"text\": \"updated\",\"updatedAt\": \"2023-08-09T23:10:22.591487Z\",\"user\":{\"name\":\"root\",\"email\":\"root@example.com\"}}],\"projects\": [{\"businessUnit\": \"\",\"id\": \"83b76efe-a7b6-5762-8a53-8e8f59e68bd8\",\"name\": \"Project 2\",\"riskProfile\": {\"businessImpact\": \"MBI\"},\"slug\": \"project-2\"},{\"businessUnit\": \"Dev\",\"id\": \"af52828c-4eb1-5c4e-847c-ebc3a5ead531\",\"name\": \"project 4\",\"riskProfile\": {\"businessImpact\": 
\"MBI\"},\"slug\": \"project-4\"},{\"businessUnit\": \"Dev\",\"id\": \"d6ac50bb-aec0-52fc-80ab-bacd7b02f178\",\"name\": \"Project1\",\"riskProfile\": {\"businessImpact\": \"MBI\"},\"slug\": \"project1\"}],\"resolvedAt\": \"2023-08-09T23:10:22.588721Z\",\"serviceTickets\": [{\"externalId\": \"638361121bbfdd10f6c1cbf3604bcb7e\",\"name\": \"SIR0010002\",\"url\": \"https://ven05658.testing.com/nav_to.do?uri=%2Fsn_si_incident.do%3Fsys_id%3D6385248sdsae421\"}],\"severity\": \"INFORMATIONAL\",\"sourceRule\": {\"__typename\": \"Control\",\"controlDescription\": \"These EKS principals assume roles that provide bind, escalate and impersonate permissions. \\n\\nThe `bind` permission allows users to create bindings to roles with rights they do not already have. The `escalate` permission allows users effectively escalate their privileges. The `impersonate` permission allows users to impersonate and gain the rights of other users in the cluster. Running containers with these permissions has the potential to effectively allow privilege escalation to the cluster-admin level.\",\"id\": \"wc-id-1335\",\"name\": \"EKS principals assume roles that provide bind, escalate and impersonate permissions\",\"resolutionRecommendation\": \"To follow the principle of least privilege and minimize the risk of unauthorized access and data breaches, it is recommended not to grant `bind`, `escalate` or `impersonate` permissions.\",\"securitySubCategories\": [{\"category\": {\"framework\": {\"name\": \"CIS EKS 1.2.0\"},\"name\": \"4.1 RBAC and Service Accounts\"},\"title\": \"4.1.8 Limit use of the Bind, Impersonate and Escalate permissions in the Kubernetes cluster - Level 1 (Manual)\"},{\"category\": {\"framework\": {\"name\": \"Wiz for Risk Assessment\"},\"name\": \"Identity Management\"},\"title\": \"Privileged principal\"},{\"category\": {\"framework\": {\"name\": \"Wiz\"},\"name\": \"9 Container Security\"},\"title\": \"Container Security\"},{\"category\": {\"framework\": {\"name\": \"Wiz for 
Risk Assessment\"},\"name\": \"Container \u0026 Kubernetes Security\"},\"title\": \"Cluster misconfiguration\"}]},\"status\": \"IN_PROGRESS\",\"statusChangedAt\": \"2023-07-31T06:26:08.708199Z\",\"updatedAt\": \"2023-08-14T06:06:18.331647Z\"}", + "original": "{\"createdAt\": \"2023-08-23T07:56:09.903743Z\",\"dueAt\": \"2023-08-30T21:00:00Z\",\"entitySnapshot\": {\"cloudPlatform\": \"Kubernetes\",\"cloudProviderURL\": \"https://portal.az.com/#@sectest.on.com/resource//subscriptions/\",\"externalId\": \"k8s/clusterrole/aaa8e7ca2bf9bc85a75d5bbdd8ffd08d69f8852782a6341c3c3519sad45/system:aggregate-to-edit/12\",\"id\": \"e507d472-b7da-5f05-9b25-72a271336b14\",\"name\": \"system:aggregate-to-edit\",\"nativeType\": \"ClusterRole\",\"providerId\": \"k8s/clusterrole/aaa8e7ca2bf9bc85a75d5bbdd8ffd08d69f8852782a6341c3c3519bac0f24ae9/system:aggregate-to-edit/12\",\"region\": \"us-01\",\"resourceGroupExternalId\": \"/subscriptions/cfd132be-3bc7-4f86-8efd-ed53ae498fec/resourcegroups/test-selfmanaged-eastus\",\"status\": \"Active\",\"subscriptionExternalId\": \"998231069301\",\"subscriptionName\": \"demo-integrations\",\"subscriptionTags\": {},\"tags\": {\"kubernetes.io/bootstrapping\": \"rbac-defaults\",\"rbac.authorization.k8s.io/aggregate-to-edit\": \"true\"},\"type\": \"ACCESS_ROLE\"},\"id\": \"fff9cffd-64a7-412c-9535-cf837f4b0b40\",\"notes\": [{\"createdAt\": \"2023-08-23T07:56:09.903743Z\",\"serviceAccount\": {\"name\": \"rev-ke\"},\"text\": \"updated\",\"updatedAt\": \"2023-08-09T23:10:22.588721Z\",\"user\":{\"name\":\"admin\",\"email\":\"admin@example.com\"}},{\"createdAt\": \"2023-08-09T23:08:49.918941Z\",\"serviceAccount\": {\"name\": \"rev-ke2\"},\"text\": \"updated\",\"updatedAt\": \"2023-08-09T23:10:22.591487Z\",\"user\":{\"name\":\"root\",\"email\":\"root@example.com\"}}],\"projects\": [{\"businessUnit\": \"\",\"id\": \"83b76efe-a7b6-5762-8a53-8e8f59e68bd8\",\"name\": \"Project 2\",\"riskProfile\": {\"businessImpact\": \"MBI\"},\"slug\": 
\"project-2\"},{\"businessUnit\": \"Dev\",\"id\": \"af52828c-4eb1-5c4e-847c-ebc3a5ead531\",\"name\": \"project 4\",\"riskProfile\": {\"businessImpact\": \"MBI\"},\"slug\": \"project-4\"},{\"businessUnit\": \"Dev\",\"id\": \"d6ac50bb-aec0-52fc-80ab-bacd7b02f178\",\"name\": \"Project1\",\"riskProfile\": {\"businessImpact\": \"MBI\"},\"slug\": \"project1\"}],\"resolvedAt\": \"2023-08-09T23:10:22.588721Z\",\"serviceTickets\": [{\"externalId\": \"638361121bbfdd10f6c1cbf3604bcb7e\",\"name\": \"SIR0010002\",\"url\": \"https://ven05658.testing.com/nav_to.do?uri=%2Fsn_si_incident.do%3Fsys_id%3D6385248sdsae421\"}],\"severity\": \"INFORMATIONAL\",\"sourceRule\": {\"__typename\": \"Control\",\"controlDescription\": \"These EKS principals assume roles that provide bind, escalate and impersonate permissions. \\n\\nThe `bind` permission allows users to create bindings to roles with rights they do not already have. The `escalate` permission allows users effectively escalate their privileges. The `impersonate` permission allows users to impersonate and gain the rights of other users in the cluster. 
Running containers with these permissions has the potential to effectively allow privilege escalation to the cluster-admin level.\",\"id\": \"wc-id-1335\",\"name\": \"EKS principals assume roles that provide bind, escalate and impersonate permissions\",\"resolutionRecommendation\": \"To follow the principle of least privilege and minimize the risk of unauthorized access and data breaches, it is recommended not to grant `bind`, `escalate` or `impersonate` permissions.\",\"securitySubCategories\": [{\"category\": {\"framework\": {\"name\": \"CIS EKS 1.2.0\"},\"name\": \"4.1 RBAC and Service Accounts\"},\"title\": \"4.1.8 Limit use of the Bind, Impersonate and Escalate permissions in the Kubernetes cluster - Level 1 (Manual)\"},{\"category\": {\"framework\": {\"name\": \"Wiz for Risk Assessment\"},\"name\": \"Identity Management\"},\"title\": \"Privileged principal\"},{\"category\": {\"framework\": {\"name\": \"Wiz\"},\"name\": \"9 Container Security\"},\"title\": \"Container Security\"},{\"category\": {\"framework\": {\"name\": \"Wiz for Risk Assessment\"},\"name\": \"Container & Kubernetes Security\"},\"title\": \"Cluster misconfiguration\"}]},\"status\": \"IN_PROGRESS\",\"statusChangedAt\": \"2023-07-31T06:26:08.708199Z\",\"updatedAt\": \"2023-08-14T06:06:18.331647Z\"}",
"type": [
"info"
]
@@ -171,7 +171,7 @@
"framework": {
"name": "Wiz for Risk Assessment"
},
- "name": "Container \u0026 Kubernetes Security"
+ "name": "Container & Kubernetes Security"
},
"title": "Cluster misconfiguration"
}
diff --git a/packages/wiz/data_stream/issue/fields/beats.yml b/packages/wiz/data_stream/issue/fields/beats.yml
index b3701b581cf..4084f1dc7f5 100644
--- a/packages/wiz/data_stream/issue/fields/beats.yml
+++ b/packages/wiz/data_stream/issue/fields/beats.yml
@@ -4,6 +4,3 @@
- name: log.offset
type: long
description: Log offset.
-- name: tags
- type: keyword
- description: User defined tags.
diff --git a/packages/wiz/data_stream/vulnerability/_dev/test/pipeline/test-vulnerability.log-expected.json b/packages/wiz/data_stream/vulnerability/_dev/test/pipeline/test-vulnerability.log-expected.json index df5e3717adc..573daea31d4 100644 --- a/packages/wiz/data_stream/vulnerability/_dev/test/pipeline/test-vulnerability.log-expected.json +++ b/packages/wiz/data_stream/vulnerability/_dev/test/pipeline/test-vulnerability.log-expected.json 
@@ -17,7 +17,7 @@ "vulnerability" ], "kind": "alert", - "original": "{\"id\":\"5e95ff50-5490-514e-87f7-11e56f3230ff\",\"portalUrl\":\"https://app.wiz.io/explorer/vulnerability-findings#~(entity~(~'xxx-xxx*2cSECURITY_TOOL_FINDING))\",\"name\":\"CVE-2020-3333\",\"CVEDescription\":\"In LibTIFF, there is a memory malloc failure in tif_pixarlog.c. A crafted TIFF document can lead to an abort, resulting in a remote denial of service attack.\",\"CVSSSeverity\":\"MEDIUM\",\"score\":5.5,\"exploitabilityScore\":1.8,\"impactScore\":3.6,\"dataSourceName\":\"data Source\",\"hasExploit\":false,\"hasCisaKevExploit\":false,\"status\":\"OPEN\",\"vendorSeverity\":\"MEDIUM\",\"firstDetectedAt\":\"2022-05-01T11:36:10.063767Z\",\"lastDetectedAt\":\"2023-08-16T18:40:57Z\",\"resolvedAt\":\"2023-08-16T18:40:57Z\",\"description\":\"Thepackage`libtiff`version`4.0.3-35.amzn2`wasdetectedin`YUMpackagemanager`onamachinerunning`Amazon2(Karoo)`isvulnerableto`CVE-2020-35522`,whichexistsinversions`\u003c4.0.3-35.amzn2.0.1`.\\n\\nThevulnerabilitywasfoundinthe[OfficialAmazonLinuxSecurityAdvisories](https://alas.aws.amazon.com/AL2/ALAS-2022-1780.html)withvendorseverity:`Medium`([NVD](https://nvd.nist.gov/vuln/detail/CVE-2020-35522)severity:`Medium`).\\n\\nThevulnerabilitycanberemediatedbyupdatingthepackagetoversion`4.0.3-35.amzn2.0.1`orhigher,using`yumupdatelibtiff`.\",\"remediation\":\"yumupdatelibtiff\",\"detailedName\":\"libtiff\",\"version\":\"4.0.3-35.amzn2\",\"fixedVersion\":\"4.0.3-35.amzn2.0.1\",\"detectionMethod\":\"PACKAGE\",\"link\":\"https://alas.aws.amazon.com/AL2/ALAS-2022-1780.html\",\"locationPath\":\"package/library/file\",\"resolutionReason\":\"resolutionReason\",\"epssSeverity\":\"LOW\",\"epssPercentile\":46.2,\"epssProbability\":0.1,\"validatedInRuntime\":true,\"layerMetadata\":{\"id\":\"5e95ff50-5490-514e-87f7-11e56f3230ff\",\"details\":\"xxxx\",\"isBaseLayer\":true},\"projects\":[{\"id\":\"83b76efe-a7b6-5762-8a53-8e8f59e68bd8\",\"name\":\"Project2\",\"slug\":\"project-2\",\"busine
ssUnit\":\"\",\"riskProfile\":{\"businessImpact\":\"MBI\"}},{\"id\":\"af52828c-4eb1-5c4e-847c-ebc3a5ead531\",\"name\":\"project4\",\"slug\":\"project-4\",\"businessUnit\":\"Dev\",\"riskProfile\":{\"businessImpact\":\"MBI\"}},{\"id\":\"d6ac50bb-aec0-52fc-80ab-bacd7b02f178\",\"name\":\"Project1\",\"slug\":\"project1\",\"businessUnit\":\"Dev\",\"riskProfile\":{\"businessImpact\":\"MBI\"}}],\"ignoreRules\":{\"enabled\":true,\"expiredAt\":\"2023-08-16T18:40:57Z\",\"id\":\"aj3jqtvnaf\",\"name\":\"abc\"},\"vulnerableAsset\":{\"id\":\"c828de0d-4c42-5b1c-946b-2edee094d0b3\",\"type\":\"VIRTUAL_MACHINE\",\"name\":\"test-4\",\"region\":\"us-east-1\",\"providerUniqueId\":\"arn:aws:ec2:us-east-1:998231069301:instance/i-0a0f7e1451da5f4a3\",\"cloudProviderURL\":\"https://us-east-1.console.aws.amazon.com/ec2/v2/home?region=us-east-1#InstanceDetails:instanceId=i-0a0f7e1451da5f4a3\",\"cloudPlatform\":\"AWS\",\"status\":\"Active\",\"subscriptionName\":\"wiz-integrations\",\"subscriptionExternalId\":\"998231069301\",\"subscriptionId\":\"94e76baa-85fd-5928-b829-1669a2ca9660\",\"tags\":{\"Name\":\"test-4\"},\"hasLimitedInternetExposure\":true,\"hasWideInternetExposure\":true,\"isAccessibleFromVPN\":false,\"isAccessibleFromOtherVnets\":false,\"isAccessibleFromOtherSubscriptions\":false,\"operatingSystem\":\"Linux\",\"ipAddresses\":[\"89.160.20.112\",\"89.160.20.128\"]}}", + "original": "{\"id\":\"5e95ff50-5490-514e-87f7-11e56f3230ff\",\"portalUrl\":\"https://app.wiz.io/explorer/vulnerability-findings#~(entity~(~'xxx-xxx*2cSECURITY_TOOL_FINDING))\",\"name\":\"CVE-2020-3333\",\"CVEDescription\":\"In LibTIFF, there is a memory malloc failure in tif_pixarlog.c. 
A crafted TIFF document can lead to an abort, resulting in a remote denial of service attack.\",\"CVSSSeverity\":\"MEDIUM\",\"score\":5.5,\"exploitabilityScore\":1.8,\"impactScore\":3.6,\"dataSourceName\":\"data Source\",\"hasExploit\":false,\"hasCisaKevExploit\":false,\"status\":\"OPEN\",\"vendorSeverity\":\"MEDIUM\",\"firstDetectedAt\":\"2022-05-01T11:36:10.063767Z\",\"lastDetectedAt\":\"2023-08-16T18:40:57Z\",\"resolvedAt\":\"2023-08-16T18:40:57Z\",\"description\":\"Thepackage`libtiff`version`4.0.3-35.amzn2`wasdetectedin`YUMpackagemanager`onamachinerunning`Amazon2(Karoo)`isvulnerableto`CVE-2020-35522`,whichexistsinversions`<4.0.3-35.amzn2.0.1`.\\n\\nThevulnerabilitywasfoundinthe[OfficialAmazonLinuxSecurityAdvisories](https://alas.aws.amazon.com/AL2/ALAS-2022-1780.html)withvendorseverity:`Medium`([NVD](https://nvd.nist.gov/vuln/detail/CVE-2020-35522)severity:`Medium`).\\n\\nThevulnerabilitycanberemediatedbyupdatingthepackagetoversion`4.0.3-35.amzn2.0.1`orhigher,using`yumupdatelibtiff`.\",\"remediation\":\"yumupdatelibtiff\",\"detailedName\":\"libtiff\",\"version\":\"4.0.3-35.amzn2\",\"fixedVersion\":\"4.0.3-35.amzn2.0.1\",\"detectionMethod\":\"PACKAGE\",\"link\":\"https://alas.aws.amazon.com/AL2/ALAS-2022-1780.html\",\"locationPath\":\"package/library/file\",\"resolutionReason\":\"resolutionReason\",\"epssSeverity\":\"LOW\",\"epssPercentile\":46.2,\"epssProbability\":0.1,\"validatedInRuntime\":true,\"layerMetadata\":{\"id\":\"5e95ff50-5490-514e-87f7-11e56f3230ff\",\"details\":\"xxxx\",\"isBaseLayer\":true},\"projects\":[{\"id\":\"83b76efe-a7b6-5762-8a53-8e8f59e68bd8\",\"name\":\"Project2\",\"slug\":\"project-2\",\"businessUnit\":\"\",\"riskProfile\":{\"businessImpact\":\"MBI\"}},{\"id\":\"af52828c-4eb1-5c4e-847c-ebc3a5ead531\",\"name\":\"project4\",\"slug\":\"project-4\",\"businessUnit\":\"Dev\",\"riskProfile\":{\"businessImpact\":\"MBI\"}},{\"id\":\"d6ac50bb-aec0-52fc-80ab-bacd7b02f178\",\"name\":\"Project1\",\"slug\":\"project1\",\"businessUnit\":\"Dev\",\"riskP
rofile\":{\"businessImpact\":\"MBI\"}}],\"ignoreRules\":{\"enabled\":true,\"expiredAt\":\"2023-08-16T18:40:57Z\",\"id\":\"aj3jqtvnaf\",\"name\":\"abc\"},\"vulnerableAsset\":{\"id\":\"c828de0d-4c42-5b1c-946b-2edee094d0b3\",\"type\":\"VIRTUAL_MACHINE\",\"name\":\"test-4\",\"region\":\"us-east-1\",\"providerUniqueId\":\"arn:aws:ec2:us-east-1:998231069301:instance/i-0a0f7e1451da5f4a3\",\"cloudProviderURL\":\"https://us-east-1.console.aws.amazon.com/ec2/v2/home?region=us-east-1#InstanceDetails:instanceId=i-0a0f7e1451da5f4a3\",\"cloudPlatform\":\"AWS\",\"status\":\"Active\",\"subscriptionName\":\"wiz-integrations\",\"subscriptionExternalId\":\"998231069301\",\"subscriptionId\":\"94e76baa-85fd-5928-b829-1669a2ca9660\",\"tags\":{\"Name\":\"test-4\"},\"hasLimitedInternetExposure\":true,\"hasWideInternetExposure\":true,\"isAccessibleFromVPN\":false,\"isAccessibleFromOtherVnets\":false,\"isAccessibleFromOtherSubscriptions\":false,\"operatingSystem\":\"Linux\",\"ipAddresses\":[\"89.160.20.112\",\"89.160.20.128\"]}}", "type": [ "info" ] 
@@ -27,7 +27,7 @@ "family": "Linux" } }, - "message": "Thepackage`libtiff`version`4.0.3-35.amzn2`wasdetectedin`YUMpackagemanager`onamachinerunning`Amazon2(Karoo)`isvulnerableto`CVE-2020-35522`,whichexistsinversions`\u003c4.0.3-35.amzn2.0.1`.\n\nThevulnerabilitywasfoundinthe[OfficialAmazonLinuxSecurityAdvisories](https://alas.aws.amazon.com/AL2/ALAS-2022-1780.html)withvendorseverity:`Medium`([NVD](https://nvd.nist.gov/vuln/detail/CVE-2020-35522)severity:`Medium`).\n\nThevulnerabilitycanberemediatedbyupdatingthepackagetoversion`4.0.3-35.amzn2.0.1`orhigher,using`yumupdatelibtiff`.", + "message": "Thepackage`libtiff`version`4.0.3-35.amzn2`wasdetectedin`YUMpackagemanager`onamachinerunning`Amazon2(Karoo)`isvulnerableto`CVE-2020-35522`,whichexistsinversions`<4.0.3-35.amzn2.0.1`.\n\nThevulnerabilitywasfoundinthe[OfficialAmazonLinuxSecurityAdvisories](https://alas.aws.amazon.com/AL2/ALAS-2022-1780.html)withvendorseverity:`Medium`([NVD](https://nvd.nist.gov/vuln/detail/CVE-2020-35522)severity:`Medium`).\n\nThevulnerabilitycanberemediatedbyupdatingthepackagetoversion`4.0.3-35.amzn2.0.1`orhigher,using`yumupdatelibtiff`.", "related": { "ip": [ "89.160.20.112", 
@@ -49,7 +49,7 @@ "cve_description": "In LibTIFF, there is a memory malloc failure in tif_pixarlog.c. A crafted TIFF document can lead to an abort, resulting in a remote denial of service attack.", "cvss_severity": "MEDIUM", "data_source_name": "data Source", - "description": "Thepackage`libtiff`version`4.0.3-35.amzn2`wasdetectedin`YUMpackagemanager`onamachinerunning`Amazon2(Karoo)`isvulnerableto`CVE-2020-35522`,whichexistsinversions`\u003c4.0.3-35.amzn2.0.1`.\n\nThevulnerabilitywasfoundinthe[OfficialAmazonLinuxSecurityAdvisories](https://alas.aws.amazon.com/AL2/ALAS-2022-1780.html)withvendorseverity:`Medium`([NVD](https://nvd.nist.gov/vuln/detail/CVE-2020-35522)severity:`Medium`).\n\nThevulnerabilitycanberemediatedbyupdatingthepackagetoversion`4.0.3-35.amzn2.0.1`orhigher,using`yumupdatelibtiff`.", + "description": "Thepackage`libtiff`version`4.0.3-35.amzn2`wasdetectedin`YUMpackagemanager`onamachinerunning`Amazon2(Karoo)`isvulnerableto`CVE-2020-35522`,whichexistsinversions`<4.0.3-35.amzn2.0.1`.\n\nThevulnerabilitywasfoundinthe[OfficialAmazonLinuxSecurityAdvisories](https://alas.aws.amazon.com/AL2/ALAS-2022-1780.html)withvendorseverity:`Medium`([NVD](https://nvd.nist.gov/vuln/detail/CVE-2020-35522)severity:`Medium`).\n\nThevulnerabilitycanberemediatedbyupdatingthepackagetoversion`4.0.3-35.amzn2.0.1`orhigher,using`yumupdatelibtiff`.", "detailed_name": "libtiff", "detection_method": "PACKAGE", "epss": { diff --git a/packages/wiz/data_stream/vulnerability/fields/beats.yml b/packages/wiz/data_stream/vulnerability/fields/beats.yml index b3701b581cf..4084f1dc7f5 100644 --- a/packages/wiz/data_stream/vulnerability/fields/beats.yml +++ b/packages/wiz/data_stream/vulnerability/fields/beats.yml @@ -4,6 +4,3 @@ - name: log.offset type: long description: Log offset. -- name: tags - type: keyword - description: User defined tags. diff --git a/packages/wiz/docs/README.md b/packages/wiz/docs/README.md index 939f816e4f5..7b62a146861 100644 --- a/packages/wiz/docs/README.md 
+++ b/packages/wiz/docs/README.md @@ -190,7 +190,6 @@ An example event for `audit` looks as following: | event.module | Event module. | constant_keyword | | input.type | Type of filebeat input. | keyword | | log.offset | Log offset. | long | -| tags | User defined tags. | keyword | | wiz.audit.action | | keyword | | wiz.audit.action_parameters.client_id | | keyword | | wiz.audit.action_parameters.groups | | flattened | @@ -430,7 +429,6 @@ An example event for `issue` looks as following: | event.module | Event module. | constant_keyword | | input.type | Type of filebeat input. | keyword | | log.offset | Log offset. | long | -| tags | User defined tags. | keyword | | wiz.issue.created_at | | date | | wiz.issue.due_at | | date | | wiz.issue.entity_snapshot.cloud.platform | | keyword | @@ -677,7 +675,6 @@ An example event for `vulnerability` looks as following: | event.module | Event module. | constant_keyword | | input.type | Type of filebeat input. | keyword | | log.offset | Log offset. | long | -| tags | User defined tags. | keyword | | wiz.vulnerability.cve_description | | keyword | | wiz.vulnerability.cvss_severity | | keyword | | wiz.vulnerability.data_source_name | | keyword | diff --git a/packages/wiz/manifest.yml b/packages/wiz/manifest.yml index b57f47aef86..717fe566e53 100644 --- a/packages/wiz/manifest.yml +++ b/packages/wiz/manifest.yml @@ -1,7 +1,7 @@ format_version: 3.0.2 name: wiz title: Wiz -version: "1.1.1" +version: "1.2.0" description: Collect logs from Wiz with Elastic Agent. type: integration categories: @@ -9,7 +9,7 @@ categories: - cloudsecurity_cdr conditions: kibana: - version: "^8.12.0" + version: "^8.13.0" elastic: subscription: "basic" screenshots: diff --git a/packages/zerofox/changelog.yml b/packages/zerofox/changelog.yml index 61053e7f158..fe6a1f33ac9 100644 --- a/packages/zerofox/changelog.yml +++ b/packages/zerofox/changelog.yml 
@@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.25.0" + changes: + - description: Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template. + type: enhancement + link: https://github.com/elastic/integrations/pull/10135 - version: "1.24.0" changes: - description: Improve handling of empty responses. diff --git a/packages/zerofox/data_stream/alerts/fields/agent.yml b/packages/zerofox/data_stream/alerts/fields/agent.yml index da4e652c53b..2bc58530bac 100644 --- a/packages/zerofox/data_stream/alerts/fields/agent.yml +++ b/packages/zerofox/data_stream/alerts/fields/agent.yml 
@@ -5,180 +5,15 @@ footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' type: group fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - name: image.id type: keyword description: Image ID for the cloud instance. -- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. 
- - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. - name: host title: Host group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' type: group fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. 
- - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - name: containerized type: boolean description: > diff --git a/packages/zerofox/data_stream/alerts/fields/base-fields.yml b/packages/zerofox/data_stream/alerts/fields/base-fields.yml index 0e4b6bde4fd..9d1a033605b 100644 
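Review bot: After this hunk the `cloud` and `host` groups survive with only their non-ECS members (`cloud.image.id`, `host.containerized`, `host.os.build`, `host.os.codename`), and nothing in the file records why typed ECS siblings such as `host.ip` (`type: ip`) or `container.labels` (`object_type: keyword`) were dropped, so a later maintainer could re-add them or assume they are now unmapped. Per the changelog entry in this same change, their mappings now come from the `ecs@mappings` component template, which is presumably why the zerofox manifest's Kibana constraint moves to `^8.13.0`; that dependency belongs next to the remaining definitions rather than only in the changelog. I would add at the top of the file `# ECS fields (cloud.*, container.*, host.*) are mapped by the ecs@mappings component template (Kibana ^8.13.0); only non-ECS custom fields are declared here.` The collapsed single-line `host` group description is fine, but it is a cosmetic change unrelated to the mapping cleanup and could be left out to keep the hunk focused.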
--- a/packages/zerofox/data_stream/alerts/fields/base-fields.yml +++ b/packages/zerofox/data_stream/alerts/fields/base-fields.yml @@ -27,8 +27,3 @@ type: constant_keyword description: Event dataset value: zerofox.alerts -- name: tags - description: List of keywords used to tag each event. - example: '["production", "env2"]' - ignore_above: 1024 - type: keyword diff --git a/packages/zerofox/data_stream/alerts/fields/ecs.yml b/packages/zerofox/data_stream/alerts/fields/ecs.yml deleted file mode 100644 index ebc4e721e65..00000000000 --- a/packages/zerofox/data_stream/alerts/fields/ecs.yml +++ /dev/null @@ -1,32 +0,0 @@ -- name: ecs.version - external: ecs -- name: event.ingested - external: ecs -- name: event.original - external: ecs -- name: event.created - external: ecs -- name: event.id - external: ecs -- name: event.kind - external: ecs -- name: event.severity - external: ecs -- name: event.url - external: ecs -- name: rule.id - external: ecs -- name: rule.name - external: ecs -- name: rule.ruleset - external: ecs -- name: rule.category - external: ecs -- name: user.name - external: ecs -- name: user.roles - external: ecs -- name: network.name - external: ecs -- name: error.message - external: ecs diff --git a/packages/zerofox/docs/README.md b/packages/zerofox/docs/README.md index 0c15bdf9bbc..c4aeddee448 100644 --- a/packages/zerofox/docs/README.md +++ b/packages/zerofox/docs/README.md 
@@ -15,63 +15,19 @@ Contains alert data received from the ZeroFox Cloud Platform | Field | Description | Type | |---|---|---| | @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | | cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | | data_stream.dataset | Data stream dataset name. | constant_keyword | | data_stream.namespace | Data stream namespace. | constant_keyword | | data_stream.type | Data stream type. | constant_keyword | | dataset.name | Dataset name. | constant_keyword | | dataset.namespace | Dataset namespace. | constant_keyword | | dataset.type | Dataset type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.message | Error message. 
| match_only_text | -| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date | | event.dataset | Event dataset | constant_keyword | -| event.id | Unique ID to describe the event. | keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword | | event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. 
Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.severity | The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. | long | -| event.url | URL linking to an external system to continue investigation of this event. This URL links to another system where in-depth investigation of the specific occurrence of this event can take place. Alert events, indicated by `event.kind:alert`, are a common use case for this field. | keyword | -| host.architecture | Operating system architecture. | keyword | | host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. 
| ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | host.os.build | OS build information. | keyword | | host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | input.type | Type of Filebeat input. | keyword | -| network.name | Name given by operators to sections of their network. | keyword | -| rule.category | A categorization value keyword used by the entity using the rule for detection of this event. | keyword | -| rule.id | A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. | keyword | -| rule.name | The name of the rule or signature generating the event. | keyword | -| rule.ruleset | Name of the ruleset, policy, group, or parent category in which the rule used to generate this event is a member. | keyword | -| tags | List of keywords used to tag each event. | keyword | -| user.name | Short name or login of the user. | keyword | -| user.name.text | Multi-field of `user.name`. | match_only_text | -| user.roles | Array of user roles at the time of the event. 
| keyword | | zerofox.content_actions | | keyword | | zerofox.darkweb_term | | keyword | | zerofox.entity.entity_group.id | The entity group identifier. | integer | diff --git a/packages/zerofox/manifest.yml b/packages/zerofox/manifest.yml index d2e0226cb14..38a25dfe60e 100644 --- a/packages/zerofox/manifest.yml +++ b/packages/zerofox/manifest.yml @@ -1,6 +1,6 @@ name: zerofox title: ZeroFox -version: "1.24.0" +version: "1.25.0" description: Collect logs from ZeroFox with Elastic Agent. type: integration format_version: "3.0.2" @@ -13,7 +13,7 @@ categories: - security conditions: kibana: - version: ^8.12.0 + version: "^8.13.0" policy_templates: - name: zerofox title: ZeroFox Alerts diff --git a/packages/zeronetworks/changelog.yml b/packages/zeronetworks/changelog.yml index c06b415bbd2..419ba71bd7c 100644 --- a/packages/zeronetworks/changelog.yml +++ b/packages/zeronetworks/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.15.0" + changes: + - description: Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template. + type: enhancement + link: https://github.com/elastic/integrations/pull/10135 - version: "1.14.0" changes: - description: Improve handling of empty responses. diff --git a/packages/zeronetworks/data_stream/audit/fields/agent.yml b/packages/zeronetworks/data_stream/audit/fields/agent.yml index b82e8558096..dbab79aaff6 100644 --- a/packages/zeronetworks/data_stream/audit/fields/agent.yml +++ b/packages/zeronetworks/data_stream/audit/fields/agent.yml 
@@ -1,59 +1,9 @@ -- name: cloud.account.id - external: ecs -- name: cloud.availability_zone - external: ecs -- name: cloud.instance.id - external: ecs -- name: cloud.instance.name - external: ecs -- name: cloud.machine.type - external: ecs -- name: cloud.project.id - external: ecs -- name: cloud.provider - external: ecs -- name: cloud.region - external: ecs -- name: container.id - external: ecs -- name: container.image.name - external: ecs -- name: container.labels - external: ecs -- name: container.name - external: ecs -- name: host.architecture - external: ecs - name: host.containerized type: boolean description: If the host is a container. -- name: host.domain - external: ecs -- name: host.hostname - external: ecs -- name: host.id - external: ecs -- name: host.ip - external: ecs -- name: host.mac - external: ecs -- name: host.name - external: ecs - name: host.os.build type: keyword description: OS build information. - name: host.os.codename type: keyword description: OS codename, if any. -- name: host.os.family - external: ecs -- name: host.os.kernel - external: ecs -- name: host.os.name - external: ecs -- name: host.os.platform - external: ecs -- name: host.os.version - external: ecs -- name: host.type - external: ecs diff --git a/packages/zeronetworks/data_stream/audit/fields/ecs.yml b/packages/zeronetworks/data_stream/audit/fields/ecs.yml deleted file mode 100644 index c245db21d10..00000000000 --- a/packages/zeronetworks/data_stream/audit/fields/ecs.yml +++ /dev/null @@ -1,24 +0,0 @@ -- name: ecs.version - external: ecs -- name: error.message - external: ecs -- name: event.code - external: ecs -- name: event.type - external: ecs -- name: event.category - external: ecs -- name: event.kind - external: ecs -- name: event.ingested - external: ecs -- name: event.original - external: ecs -- name: tags - external: ecs -- name: user.id - external: ecs -- name: user.full_name - external: ecs -- name: related.user - external: ecs 
diff --git a/packages/zeronetworks/data_stream/audit/fields/fields.yml b/packages/zeronetworks/data_stream/audit/fields/fields.yml index 1c3d1fda7ad..bea91ea35cc 100644 --- a/packages/zeronetworks/data_stream/audit/fields/fields.yml +++ b/packages/zeronetworks/data_stream/audit/fields/fields.yml @@ -92,7 +92,7 @@ type: integer description: > The current inactive reason. - + - name: clientId type: keyword description: > @@ -107,12 +107,12 @@ type: date description: > When the token expires. - + - name: externalIP type: ip description: > The external IP of the user. - + - name: idp type: integer description: > @@ -137,14 +137,13 @@ type: keyword description: > The name of the token - + - name: newAsset type: group description: > Fields for the asset of the audit. fields: - - name: id type: keyword description: > @@ -195,17 +194,17 @@ type: keyword description: > The type of token that was created. - + - name: uacId type: keyword description: > The UAC id. - + - name: uacName type: keyword description: > The UAC name. - + - name: user type: keyword description: > diff --git a/packages/zeronetworks/manifest.yml b/packages/zeronetworks/manifest.yml index 28e953765e0..e975ebe0f5f 100644 --- a/packages/zeronetworks/manifest.yml +++ b/packages/zeronetworks/manifest.yml @@ -1,7 +1,7 @@ format_version: "3.0.2" name: zeronetworks title: "Zero Networks" -version: "1.14.0" +version: "1.15.0" source: license: "Elastic-2.0" description: "Zero Networks Logs integration" @@ -10,7 +10,7 @@ categories: - security conditions: kibana: - version: "^8.12.0" + version: "^8.13.0" elastic: subscription: "basic" screenshots: @@ -75,4 +75,3 @@ policy_templates: owner: github: elastic/security-service-integrations type: partner - diff --git a/packages/zoom/changelog.yml b/packages/zoom/changelog.yml index 6556912fd5a..53da81bec39 100644 --- a/packages/zoom/changelog.yml +++ b/packages/zoom/changelog.yml 
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.20.0"
+ changes:
+ - description: Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/10135
 - version: "1.19.0"
 changes:
 - description: Set sensitive values as secret.
diff --git a/packages/zoom/data_stream/webhook/fields/agent.yml b/packages/zoom/data_stream/webhook/fields/agent.yml
index 845b84ed9c0..4bdd88d3cd7 100644
--- a/packages/zoom/data_stream/webhook/fields/agent.yml
+++ b/packages/zoom/data_stream/webhook/fields/agent.yml
@@ -5,180 +5,15 @@ footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' type: group fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - name: image.id type: keyword description: Image ID for the cloud instance. -- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. 
- - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. - name: host title: Host group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' type: group fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. 
- - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - name: containerized type: boolean description: > diff --git a/packages/zoom/data_stream/webhook/fields/ecs.yml b/packages/zoom/data_stream/webhook/fields/ecs.yml deleted file mode 100644 index b88c073dd9e..00000000000 
--- a/packages/zoom/data_stream/webhook/fields/ecs.yml
+++ /dev/null
@@ -1,78 +0,0 @@
-- external: ecs
- name: destination.user.id
-- external: ecs
- name: ecs.version
-- external: ecs
- name: error.message
-- external: ecs
- name: event.action
-- external: ecs
- name: event.category
-- external: ecs
- name: event.id
-- external: ecs
- name: event.ingested
-- external: ecs
- name: event.kind
-- external: ecs
- name: event.original
-- external: ecs
- name: event.outcome
-- external: ecs
- name: event.type
-- external: ecs
- name: message
-- external: ecs
- name: observer.product
-- external: ecs
- name: observer.vendor
-- external: ecs
- name: related.user
-- external: ecs
- name: source.user.id
-- external: ecs
- name: tags
-- external: ecs
- name: url.full
-- external: ecs
- name: user.changes.domain
-- external: ecs
- name: user.changes.email
-- external: ecs
- name: user.changes.full_name
-- external: ecs
- name: user.changes.group.domain
-- external: ecs
- name: user.changes.group.id
-- external: ecs
- name: user.changes.group.name
-- external: ecs
- name: user.changes.id
-- external: ecs
- name: user.changes.name
-- external: ecs
- name: user.domain
-- external: ecs
- name: user.email
-- external: ecs
- name: user.full_name
-- external: ecs
- name: user.id
-- external: ecs
- name: user.name
-- external: ecs
- name: user.target.domain
-- external: ecs
- name: user.target.email
-- external: ecs
- name: user.target.full_name
-- external: ecs
- name: user.target.group.domain
-- external: ecs
- name: user.target.group.id
-- external: ecs
- name: user.target.group.name
-- external: ecs
- name: user.target.id
-- external: ecs
- name: user.target.name
diff --git a/packages/zoom/docs/README.md b/packages/zoom/docs/README.md
index e19ef860ff7..73f2e418068 100644
--- a/packages/zoom/docs/README.md
+++ b/packages/zoom/docs/README.md
@@ -20,91 +20,19 @@ This integration is compatible with the Zoom Platform API as of September 2020. | Field | Description | Type | |---|---|---| | @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | | cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | | data_stream.dataset | Data stream dataset name. | constant_keyword | | data_stream.namespace | Data stream namespace. | constant_keyword | | data_stream.type | Data stream type. | constant_keyword | | dataset.name | Dataset name. | constant_keyword | | dataset.namespace | Dataset namespace. | constant_keyword | | dataset.type | Dataset type. | constant_keyword | -| destination.user.id | Unique identifier of the user. | keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. 
| keyword | -| error.message | Error message. | match_only_text | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | | event.dataset | Event dataset | constant_keyword | -| event.id | Unique ID to describe the event. | keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. 
| keyword | | event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| host.architecture | Operating system architecture. | keyword | | host.containerized | If the host is a container. 
| boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | host.os.build | OS build information. | keyword | | host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | input.type | Input type. | keyword | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. 
| match_only_text | -| observer.product | The product name of the observer. | keyword | -| observer.vendor | Vendor name of the observer. | keyword | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| source.user.id | Unique identifier of the user. | keyword | -| tags | List of keywords used to tag each event. | keyword | -| url.full | If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. | wildcard | -| url.full.text | Multi-field of `url.full`. | match_only_text | -| user.changes.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | -| user.changes.email | User email address. | keyword | -| user.changes.full_name | User's full name, if available. | keyword | -| user.changes.full_name.text | Multi-field of `user.changes.full_name`. | match_only_text | -| user.changes.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | -| user.changes.group.id | Unique identifier for the group on the system/platform. | keyword | -| user.changes.group.name | Name of the group. | keyword | -| user.changes.id | Unique identifier of the user. | keyword | -| user.changes.name | Short name or login of the user. | keyword | -| user.changes.name.text | Multi-field of `user.changes.name`. | match_only_text | -| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | -| user.email | User email address. | keyword | -| user.full_name | User's full name, if available. | keyword | -| user.full_name.text | Multi-field of `user.full_name`. | match_only_text | -| user.id | Unique identifier of the user. | keyword | -| user.name | Short name or login of the user. | keyword | -| user.name.text | Multi-field of `user.name`. 
| match_only_text | -| user.target.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | -| user.target.email | User email address. | keyword | -| user.target.full_name | User's full name, if available. | keyword | -| user.target.full_name.text | Multi-field of `user.target.full_name`. | match_only_text | -| user.target.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | -| user.target.group.id | Unique identifier for the group on the system/platform. | keyword | -| user.target.group.name | Name of the group. | keyword | -| user.target.id | Unique identifier of the user. | keyword | -| user.target.name | Short name or login of the user. | keyword | -| user.target.name.text | Multi-field of `user.target.name`. | match_only_text | | zoom.account.account_alias | When an account alias is updated, this is the new value set | keyword | | zoom.account.account_name | When an account name is updated, this is the new value set | keyword | | zoom.account.account_support_email | When an account support_email is updated, this is the new value set | keyword | diff --git a/packages/zoom/manifest.yml b/packages/zoom/manifest.yml index 3517285db66..4907a006738 100644 --- a/packages/zoom/manifest.yml +++ b/packages/zoom/manifest.yml @@ -1,13 +1,13 @@ name: zoom title: Zoom -version: "1.19.0" +version: "1.20.0" description: Collect logs from Zoom with Elastic Agent. type: integration format_version: "3.0.2" categories: ["security", "productivity_security"] conditions: kibana: - version: ^8.12.0 + version: "^8.13.0" policy_templates: - name: zoom title: Zoom logs diff --git a/packages/zscaler_zia/_dev/build/build.yml b/packages/zscaler_zia/_dev/build/build.yml index 71f48ba2a9c..2bfcfc223b0 100644 --- a/packages/zscaler_zia/_dev/build/build.yml +++ b/packages/zscaler_zia/_dev/build/build.yml 
@@ -1,4 +1,3 @@
 dependencies:
 ecs:
 reference: "git@v8.11.0"
- import_mappings: true
diff --git a/packages/zscaler_zia/changelog.yml b/packages/zscaler_zia/changelog.yml
index bacb447dfb9..0f0fa0e7329 100644
--- a/packages/zscaler_zia/changelog.yml
+++ b/packages/zscaler_zia/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "2.20.0"
+ changes:
+ - description: Removed import_mappings. Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/10135
 - version: "2.19.2"
 changes:
 - description: Include cintip field to web log template.
diff --git a/packages/zscaler_zia/data_stream/alerts/fields/beats.yml b/packages/zscaler_zia/data_stream/alerts/fields/beats.yml
index 2d5ae254634..d5fd38748ba 100644
--- a/packages/zscaler_zia/data_stream/alerts/fields/beats.yml
+++ b/packages/zscaler_zia/data_stream/alerts/fields/beats.yml
@@ -4,6 +4,3 @@
 - name: log.offset
 type: long
 description: Log offset.
-- name: tags
- type: keyword
- description: User defined tags.
diff --git a/packages/zscaler_zia/data_stream/dns/fields/beats.yml b/packages/zscaler_zia/data_stream/dns/fields/beats.yml
index 2d5ae254634..d5fd38748ba 100644
--- a/packages/zscaler_zia/data_stream/dns/fields/beats.yml
+++ b/packages/zscaler_zia/data_stream/dns/fields/beats.yml
@@ -4,6 +4,3 @@
 - name: log.offset
 type: long
 description: Log offset.
-- name: tags
- type: keyword
- description: User defined tags.
diff --git a/packages/zscaler_zia/data_stream/firewall/fields/beats.yml b/packages/zscaler_zia/data_stream/firewall/fields/beats.yml
index 2d5ae254634..d5fd38748ba 100644
--- a/packages/zscaler_zia/data_stream/firewall/fields/beats.yml
+++ b/packages/zscaler_zia/data_stream/firewall/fields/beats.yml
@@ -4,6 +4,3 @@
 - name: log.offset
 type: long
 description: Log offset.
-- name: tags
- type: keyword
- description: User defined tags.
diff --git a/packages/zscaler_zia/data_stream/tunnel/fields/beats.yml b/packages/zscaler_zia/data_stream/tunnel/fields/beats.yml
index 2d5ae254634..d5fd38748ba 100644
--- a/packages/zscaler_zia/data_stream/tunnel/fields/beats.yml
+++ b/packages/zscaler_zia/data_stream/tunnel/fields/beats.yml
@@ -4,6 +4,3 @@
 - name: log.offset
 type: long
 description: Log offset.
-- name: tags
- type: keyword
- description: User defined tags.
diff --git a/packages/zscaler_zia/data_stream/web/fields/beats.yml b/packages/zscaler_zia/data_stream/web/fields/beats.yml
index 2d5ae254634..d5fd38748ba 100644
--- a/packages/zscaler_zia/data_stream/web/fields/beats.yml
+++ b/packages/zscaler_zia/data_stream/web/fields/beats.yml
@@ -4,6 +4,3 @@
 - name: log.offset
 type: long
 description: Log offset.
-- name: tags
- type: keyword
- description: User defined tags.
diff --git a/packages/zscaler_zia/docs/README.md b/packages/zscaler_zia/docs/README.md
index 9e186317888..536d1a50718 100644
--- a/packages/zscaler_zia/docs/README.md
+++ b/packages/zscaler_zia/docs/README.md
@@ -250,7 +250,6 @@ An example event for `alerts` looks as following:
 | input.type | Type of Filebeat input. | keyword |
 | log.offset | Log offset. | long |
 | log.source.address | Source address from which the log event was read / sent from. | keyword |
-| tags | User defined tags. | keyword |
 | zscaler_zia.alerts.connection_lost_minutes | Amount of time after loosing connection to a server in Minutes. | double |
 | zscaler_zia.alerts.log_feed_name | Name of the NSS log feed. | keyword |
@@ -383,7 +382,6 @@ An example event for `dns` looks as following:
 | input.type | Type of Filebeat input. | keyword |
 | log.offset | Log offset. | long |
 | log.source.address | Source address from which the log event was read / sent from. | keyword |
-| tags | User defined tags. | keyword |
 | zscaler_zia.dns.department | Department of the user. | keyword |
 | zscaler_zia.dns.dom.category | URL Category of the FQDN in the DNS request. | keyword |
 | zscaler_zia.dns.duration.milliseconds | Duration of the DNS request in milliseconds. | long |
@@ -538,7 +536,6 @@ An example event for `firewall` looks as following:
 | input.type | Type of Filebeat input. | keyword |
 | log.offset | Log offset. | long |
 | log.source.address | Source address from which the log event was read / sent from. | keyword |
-| tags | User defined tags. | keyword |
 | zscaler_zia.firewall.aggregate | | keyword |
 | zscaler_zia.firewall.client.destination.ip | Client destination IP address. For aggregated sessions, this is the client destination IP address of the last session in the aggregate. | ip |
 | zscaler_zia.firewall.client.destination.port | Client destination port. For aggregated sessions, this is the client destination port of the last session in the aggregate. | long |
@@ -666,7 +663,6 @@ An example event for `tunnel` looks as following:
 | input.type | Type of Filebeat input. | keyword |
 | log.offset | Log offset. | long |
 | log.source.address | Source address from which the log event was read / sent from. | keyword |
-| tags | User defined tags. | keyword |
 | zscaler_zia.tunnel.action.type | Type of the record. Possible values [ WL_TUNNEL_IPSECPHASE1, WL_TUNNEL_IPSECPHASE2, WL_TUNNEL_EVENT, WL_TUNNEL_SAMPLES ]. | keyword |
 | zscaler_zia.tunnel.authentication.algorithm | Authentication algorithm. | keyword |
 | zscaler_zia.tunnel.authentication.type | Authentication type. | keyword |
@@ -868,7 +864,6 @@ An example event for `web` looks as following:
 | input.type | Type of Filebeat input. | keyword |
 | log.offset | Log offset. | long |
 | log.source.address | Source address from which the log event was read / sent from. | keyword |
-| tags | User defined tags. | keyword |
 | zscaler_zia.web.app.class | The web application class of the application that was accessed. Equivalent to module. | keyword |
 | zscaler_zia.web.app.name | Cloud application name. | keyword |
 | zscaler_zia.web.bandwidth_throttle | Indicates whether the transaction was throttled due to a configured bandwidth policy. | keyword |
diff --git a/packages/zscaler_zia/manifest.yml b/packages/zscaler_zia/manifest.yml
index 5b04bd492d5..12750b3c899 100644
--- a/packages/zscaler_zia/manifest.yml
+++ b/packages/zscaler_zia/manifest.yml
@@ -1,7 +1,7 @@
 format_version: "3.0.2"
 name: zscaler_zia
 title: Zscaler Internet Access
-version: "2.19.2"
+version: "2.20.0"
 description: Collect logs from Zscaler Internet Access (ZIA) with Elastic Agent.
 type: integration
 categories:
@@ -11,7 +11,7 @@ source:
 license: "Elastic-2.0"
 conditions:
 kibana:
- version: ^8.12.0
+ version: "^8.13.0"
 elastic:
 subscription: "basic"
 screenshots:
diff --git a/packages/zscaler_zpa/_dev/build/build.yml b/packages/zscaler_zpa/_dev/build/build.yml
index 71f48ba2a9c..2bfcfc223b0 100644
--- a/packages/zscaler_zpa/_dev/build/build.yml
+++ b/packages/zscaler_zpa/_dev/build/build.yml
@@ -1,4 +1,3 @@
 dependencies:
 ecs:
 reference: "git@v8.11.0"
- import_mappings: true
diff --git a/packages/zscaler_zpa/changelog.yml b/packages/zscaler_zpa/changelog.yml
index f982a44377d..800c14ccf37 100644
--- a/packages/zscaler_zpa/changelog.yml
+++ b/packages/zscaler_zpa/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.18.0"
+ changes:
+ - description: Removed import_mappings. Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/10135
 - version: "1.17.0"
 changes:
 - description: Update manifest format version to v3.0.3.
diff --git a/packages/zscaler_zpa/data_stream/app_connector_status/fields/beats.yml b/packages/zscaler_zpa/data_stream/app_connector_status/fields/beats.yml
index 1214b97a0c7..28e147d9c90 100644
--- a/packages/zscaler_zpa/data_stream/app_connector_status/fields/beats.yml
+++ b/packages/zscaler_zpa/data_stream/app_connector_status/fields/beats.yml
@@ -4,6 +4,3 @@
 - name: log.offset
 type: long
 description: Log offset.
-- name: tags
- type: keyword
- description: User defined tags.
diff --git a/packages/zscaler_zpa/data_stream/audit/fields/beats.yml b/packages/zscaler_zpa/data_stream/audit/fields/beats.yml
index 1214b97a0c7..28e147d9c90 100644
--- a/packages/zscaler_zpa/data_stream/audit/fields/beats.yml
+++ b/packages/zscaler_zpa/data_stream/audit/fields/beats.yml
@@ -4,6 +4,3 @@
 - name: log.offset
 type: long
 description: Log offset.
-- name: tags
- type: keyword
- description: User defined tags.
diff --git a/packages/zscaler_zpa/data_stream/browser_access/fields/beats.yml b/packages/zscaler_zpa/data_stream/browser_access/fields/beats.yml
index 1214b97a0c7..28e147d9c90 100644
--- a/packages/zscaler_zpa/data_stream/browser_access/fields/beats.yml
+++ b/packages/zscaler_zpa/data_stream/browser_access/fields/beats.yml
@@ -4,6 +4,3 @@
 - name: log.offset
 type: long
 description: Log offset.
-- name: tags
- type: keyword
- description: User defined tags.
diff --git a/packages/zscaler_zpa/data_stream/user_activity/fields/beats.yml b/packages/zscaler_zpa/data_stream/user_activity/fields/beats.yml
index 1214b97a0c7..28e147d9c90 100644
--- a/packages/zscaler_zpa/data_stream/user_activity/fields/beats.yml
+++ b/packages/zscaler_zpa/data_stream/user_activity/fields/beats.yml
@@ -4,6 +4,3 @@
 - name: log.offset
 type: long
 description: Log offset.
-- name: tags
- type: keyword
- description: User defined tags.
diff --git a/packages/zscaler_zpa/data_stream/user_status/fields/beats.yml b/packages/zscaler_zpa/data_stream/user_status/fields/beats.yml
index 1214b97a0c7..28e147d9c90 100644
--- a/packages/zscaler_zpa/data_stream/user_status/fields/beats.yml
+++ b/packages/zscaler_zpa/data_stream/user_status/fields/beats.yml
@@ -4,6 +4,3 @@
 - name: log.offset
 type: long
 description: Log offset.
-- name: tags
- type: keyword
- description: User defined tags.
diff --git a/packages/zscaler_zpa/docs/README.md b/packages/zscaler_zpa/docs/README.md
index 23ebe780066..52befe3842a 100644
--- a/packages/zscaler_zpa/docs/README.md
+++ b/packages/zscaler_zpa/docs/README.md
@@ -128,7 +128,6 @@ Sample Response:
 | input.type | Type of filebeat input. | keyword |
 | log.offset | Log offset. | long |
 | log.source.address | Source address from which the log event was read / sent from. | keyword |
-| tags | User defined tags. | keyword |
 | zscaler_zpa.app_connector_status.connector.group | The App Connector group name. | keyword |
 | zscaler_zpa.app_connector_status.connector.name | The App Connector name. | keyword |
 | zscaler_zpa.app_connector_status.connector_start_time | Time in seconds at which App Connector was started. | date |
@@ -318,7 +317,6 @@ An example event for `app_connector_status` looks as following:
 | input.type | Type of filebeat input. | keyword |
 | log.offset | Log offset. | long |
 | log.source.address | Source address from which the log event was read / sent from. | keyword |
-| tags | User defined tags. | keyword |
 | zscaler_zpa.audit.client_audit_update | The flag to represent if the event is a client Audit log. | long |
 | zscaler_zpa.audit.object.id | The ID associated with the object name. | keyword |
 | zscaler_zpa.audit.object.name | The name of the object. This corresponds to the Resource Name in the Audit Log page. | keyword |
@@ -445,7 +443,6 @@ An example event for `audit` looks as following:
 | input.type | Type of filebeat input. | keyword |
 | log.offset | Log offset. | long |
 | log.source.address | Source address from which the log event was read / sent from. | keyword |
-| tags | User defined tags. | keyword |
 | zscaler_zpa.browser_access.client_private_ip | The private IP address of the user's device. | ip |
 | zscaler_zpa.browser_access.connection.id | The application connection ID. | keyword |
 | zscaler_zpa.browser_access.connection.status | The status of the connection. | keyword |
@@ -656,7 +653,6 @@ An example event for `browser_access` looks as following:
 | input.type | Type of filebeat input. | keyword |
 | log.offset | Log offset. | long |
 | log.source.address | Source address from which the log event was read / sent from. | keyword |
-| tags | User defined tags. | keyword |
 | zscaler_zpa.user_activity.app_group | The application group name. | keyword |
 | zscaler_zpa.user_activity.app_learn_time | Time in microseconds taken for App Connectors to learn about the requested application and report the learned information to the central authority. | long |
 | zscaler_zpa.user_activity.application | The application name. | keyword |
@@ -894,7 +890,6 @@ An example event for `user_activity` looks as following:
 | input.type | Type of filebeat input. | keyword |
 | log.offset | Log offset. | long |
 | log.source.address | Source address from which the log event was read / sent from. | keyword |
-| tags | User defined tags. | keyword |
 | zscaler_zpa.user_status.client.type | The client type for the request (i.e., Zscaler Client Connector, ZPA LSS, or Web Browser). | keyword |
 | zscaler_zpa.user_status.fqdn.registered | The status of the hostname for the client-to-client connection. The expected values for this field are true or false. | boolean |
 | zscaler_zpa.user_status.fqdn.registered_error | The status of the registered hostname. | keyword |
diff --git a/packages/zscaler_zpa/manifest.yml b/packages/zscaler_zpa/manifest.yml
index e8334d439a1..31528c092c7 100644
--- a/packages/zscaler_zpa/manifest.yml
+++ b/packages/zscaler_zpa/manifest.yml
@@ -1,7 +1,7 @@
 format_version: "3.0.3"
 name: zscaler_zpa
 title: Zscaler Private Access
-version: "1.17.0"
+version: "1.18.0"
 source:
   license: Elastic-2.0
 description: Collect logs from Zscaler Private Access (ZPA) with Elastic Agent.
@@ -12,7 +12,7 @@ categories:
   - vpn_security
 conditions:
   kibana:
-    version: ^8.7.1
+    version: "^8.13.0"
   elastic:
     subscription: basic
 screenshots:
From 2feb483593f2d5e2edda77599b078b3fa1adba12 Mon Sep 17 00:00:00 2001
From: milan-elastic <118723373+milan-elastic@users.noreply.github.com> Date: Sun, 23 Jun 2024 22:47:10 +0530 Subject: [PATCH 035/105] Add global level data_stream.dataset dashboard filter (#10075) * add global filter on data_stream.dataset to improve performance * add global filter on data_stream.dataset to improve performance * remove validation.yml * Azure functions add global filter for dashboards to improve performance * MongoDB Atlas add global filter on data_stream.dataset to improve performance * update changelog.yml with PR link --- packages/azure_functions/changelog.yml | 5 + ...-5b40c9c0-33d4-11ee-8d85-2d7adebebd1b.json | 4786 +++++++++-------- packages/azure_functions/manifest.yml | 2 +- packages/hashicorp_vault/changelog.yml | 5 + ...-1f321db0-f4b8-11eb-a89a-7378b1713db5.json | 427 +- ...-64b51280-f4ad-11eb-a89a-7378b1713db5.json | 556 +- ...-80603d50-f4b9-11eb-a89a-7378b1713db5.json | 70 - packages/hashicorp_vault/manifest.yml | 2 +- packages/hashicorp_vault/validation.yml | 5 - packages/kafka/changelog.yml | 5 + ...-943caca0-87ee-11e7-ad9c-db80de0bf8d3.json | 257 +- ...-ea488d90-8e63-11e8-8fa2-3d5f811fbd0f.json | 93 +- .../kibana/search/kafka-all-kafka-logs.json | 86 - .../kibana/search/kafka-stacktraces.json | 45 - packages/kafka/manifest.yml | 2 +- packages/microsoft_sqlserver/changelog.yml | 5 + ...-18d66970-1fb4-11e9-8a4d-eb34d2834f6b.json | 39 +- ...-361588b0-389b-11ec-9973-85eff9a74fdb.json | 542 +- ...-62b48570-fdf7-11ec-882e-ddefea6aeea3.json | 116 +- ...-a2ead240-18bb-11e9-9836-f37dedd3b411.json | 153 +- packages/microsoft_sqlserver/manifest.yml | 2 +- packages/microsoft_sqlserver/validation.yml | 4 - packages/mongodb/changelog.yml | 5 + .../dashboard/mongodb-Metrics-MongoDB.json | 226 +- ...-abcf35b0-0a82-11e8-bffe-ff7d4f68cf94.json | 263 +- packages/mongodb/manifest.yml | 2 +- packages/mongodb/validation.yml | 4 - packages/mongodb_atlas/changelog.yml | 5 + ...-88554c14-2b94-424f-8a3e-b6f65722fd51.json | 235 +- 
...-b6ceb5eb-c380-42c1-a3ca-8fcd0bc3dc50.json | 158 +- packages/mongodb_atlas/manifest.yml | 2 +- packages/php_fpm/changelog.yml | 5 + ...-30d6d490-60c6-11ed-a227-676557292b43.json | 140 +- ...-6853a270-5a92-11ed-8d56-a14fd29a60cb.json | 253 +- packages/php_fpm/manifest.yml | 2 +- packages/postgresql/changelog.yml | 5 + ...-158be870-87f4-11e7-ad9c-db80de0bf8d3.json | 218 +- ...-4288b790-b79f-11e9-a579-f5c0a5d81340.json | 102 +- ...-e4c5f230-87f3-11e7-ad9c-db80de0bf8d3.json | 258 +- .../postgresql-PostgreSQL All Logs.json | 71 - ...postgresql-PostgreSQL Query Durations.json | 45 - .../postgresql-Slow PostgreSQL Queries.json | 45 - packages/postgresql/manifest.yml | 2 +- packages/postgresql/validation.yml | 5 - packages/rabbitmq/changelog.yml | 5 + .../rabbitmq-AV4YobKIge1VCbKU_qVo.json | 157 +- packages/rabbitmq/manifest.yml | 2 +- packages/rabbitmq/validation.yml | 3 - packages/redis/changelog.yml | 5 + ...-28969190-0511-11e9-9c60-d582a238e2c5.json | 149 +- ...-7fea2930-478e-11e7-b1f0-cb29bac6bf8b.json | 194 +- .../dashboard/redis-AV4YjZ5pux-M-tCAunxK.json | 310 +- packages/redis/manifest.yml | 5 +- packages/redis/validation.yml | 4 - packages/vsphere/changelog.yml | 5 + .../vsphere/data_stream/log/fields/ecs.yml | 2 +- .../vsphere/data_stream/log/fields/fields.yml | 6 +- ...-6ef55590-0337-11ed-80a3-e31802c6cc3f.json | 289 +- ...-a2d04970-0336-11ed-80a3-e31802c6cc3f.json | 352 +- packages/vsphere/manifest.yml | 2 +- packages/vsphere/validation.yml | 3 - .../changelog.yml | 5 + ...-381af9f0-bae2-11ec-b244-51e5cddeab04.json | 1904 +++---- ...-5d9b0860-b582-11ec-89b4-c91c947c1fb3.json | 1400 ++--- ...-b8da46b0-b595-11ec-888d-b1230de080fd.json | 945 ++-- ...-db548380-c06d-11ec-8552-f3dc1a6b95f9.json | 1140 ++-- .../websphere_application_server/manifest.yml | 2 +- .../validation.yml | 4 - 68 files changed, 7186 insertions(+), 8965 deletions(-) delete mode 100644 packages/hashicorp_vault/kibana/search/hashicorp_vault-80603d50-f4b9-11eb-a89a-7378b1713db5.json delete mode 
100644 packages/hashicorp_vault/validation.yml
delete mode 100644 packages/kafka/kibana/search/kafka-all-kafka-logs.json
delete mode 100644 packages/kafka/kibana/search/kafka-stacktraces.json
delete mode 100644 packages/microsoft_sqlserver/validation.yml
delete mode 100644 packages/mongodb/validation.yml
delete mode 100644 packages/postgresql/kibana/search/postgresql-PostgreSQL All Logs.json
delete mode 100644 packages/postgresql/kibana/search/postgresql-PostgreSQL Query Durations.json
delete mode 100644 packages/postgresql/kibana/search/postgresql-Slow PostgreSQL Queries.json
delete mode 100644 packages/postgresql/validation.yml
delete mode 100644 packages/rabbitmq/validation.yml
delete mode 100644 packages/redis/validation.yml
delete mode 100644 packages/vsphere/validation.yml
delete mode 100644 packages/websphere_application_server/validation.yml
diff --git a/packages/azure_functions/changelog.yml b/packages/azure_functions/changelog.yml
index 20ba87c66cc..84cc0e6f31e 100644
--- a/packages/azure_functions/changelog.yml
+++ b/packages/azure_functions/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: 0.5.0
+  changes:
+    - description: Add global filter for dashboards to improve performance.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/10075
 - version: 0.4.2
   changes:
     - description: Replace Azure AD with Microsoft Entra ID.
diff --git a/packages/azure_functions/kibana/dashboard/azure_functions-5b40c9c0-33d4-11ee-8d85-2d7adebebd1b.json b/packages/azure_functions/kibana/dashboard/azure_functions-5b40c9c0-33d4-11ee-8d85-2d7adebebd1b.json
index c32950ad070..9a11a237901 100644
--- a/packages/azure_functions/kibana/dashboard/azure_functions-5b40c9c0-33d4-11ee-8d85-2d7adebebd1b.json
+++ b/packages/azure_functions/kibana/dashboard/azure_functions-5b40c9c0-33d4-11ee-8d85-2d7adebebd1b.json
@@ -1,2461 +1,2467 @@ { - "id": "azure_functions-5b40c9c0-33d4-11ee-8d85-2d7adebebd1b", - "type": "dashboard", - "namespaces": [ - "default" - ], - "migrationVersion": { - "dashboard": "8.7.0" - }, - "coreMigrationVersion": "8.8.0", - "typeMigrationVersion": "8.7.0", - "updated_at": "2023-11-07T16:40:02.986Z", - "created_at": "2023-11-07T16:40:02.986Z", - "version": "WzkyLDFd", - "attributes": { - "controlGroupInput": { - "chainingSystem": "HIERARCHICAL", - "controlStyle": "oneLine", - "ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}", - "panelsJSON": "{\"ff8243f3-9c96-4cb0-b703-0af0107bc8f7\":{\"type\":\"optionsListControl\",\"order\":0,\"grow\":false,\"width\":\"medium\",\"explicitInput\":{\"id\":\"ff8243f3-9c96-4cb0-b703-0af0107bc8f7\",\"fieldName\":\"azure.resource.name\",\"title\":\"Filter by Function App\",\"enhancements\":{},\"selectedOptions\":[]}},\"bebd2bf5-eb88-4157-b86b-e6fd9e322b13\":{\"type\":\"optionsListControl\",\"order\":1,\"grow\":false,\"width\":\"medium\",\"explicitInput\":{\"id\":\"bebd2bf5-eb88-4157-b86b-e6fd9e322b13\",\"fieldName\":\"azure.resource.group\",\"title\":\"Filter by resource group\",\"enhancements\":{}}}}" - }, - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [], - "query": { - "language": "kuery", - "query": "" - } - } - }, - "optionsJSON": { - "hidePanelTitles": false, - "syncColors": false, - "syncCursor": true, - "syncTooltips": false, - "useMargins": true - }, - "panelsJSON": [ - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-f6c3c469-2e64-4120-b144-997fb70575e2", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "layers": { - "f6c3c469-2e64-4120-b144-997fb70575e2": { - "columnOrder": [ - "b0f015a9-aab1-4b26-b28f-65ce55f354de" - ], - "columns": { - 
"b0f015a9-aab1-4b26-b28f-65ce55f354de": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Active Function Apps", - "operationType": "unique_count", - "params": { - "emptyAsNull": true - }, - "scale": "ratio", - "sourceField": "azure.resource.name" - } - }, - "incompleteColumns": {} - } - } - }, - "textBased": { - "layers": {} - } - }, - "filters": [], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "layerId": "f6c3c469-2e64-4120-b144-997fb70575e2", - "layerType": "data", - "metricAccessor": "b0f015a9-aab1-4b26-b28f-65ce55f354de", - "showBar": false - } - }, - "title": "", - "type": "lens", - "visualizationType": "lnsMetric" - }, - "enhancements": {}, - "hidePanelTitles": true - }, - "gridData": { - "h": 6, - "i": "58a522e8-acf6-4ad1-a5cc-a699ce9c26c0", - "w": 10, - "x": 0, - "y": 0 + "attributes": { + "controlGroupInput": { + "chainingSystem": "HIERARCHICAL", + "controlStyle": "oneLine", + "ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}", + "panelsJSON": "{\"ff8243f3-9c96-4cb0-b703-0af0107bc8f7\":{\"type\":\"optionsListControl\",\"order\":0,\"grow\":false,\"width\":\"medium\",\"explicitInput\":{\"id\":\"ff8243f3-9c96-4cb0-b703-0af0107bc8f7\",\"fieldName\":\"azure.resource.name\",\"title\":\"Filter by Function App\",\"enhancements\":{},\"selectedOptions\":[]}},\"bebd2bf5-eb88-4157-b86b-e6fd9e322b13\":{\"type\":\"optionsListControl\",\"order\":1,\"grow\":false,\"width\":\"medium\",\"explicitInput\":{\"id\":\"bebd2bf5-eb88-4157-b86b-e6fd9e322b13\",\"fieldName\":\"azure.resource.group\",\"title\":\"Filter by resource group\",\"enhancements\":{}}}}" }, - "panelIndex": "58a522e8-acf6-4ad1-a5cc-a699ce9c26c0", - "title": "Number of Active Function Apps", - "type": "lens", - "version": "8.7.1" - }, - { - "embeddableConfig": { - "attributes": { - "description": "Health Check Status indicates if there 
are any unhealthy instances and if they need replacing. A value of 100 means all instances of the App reported a healthy status. ", - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-113434b9-c581-4b79-9344-13864154c598", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "60014cf3-d9b4-46e8-ae69-999d31086fbc", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "layers": { - "113434b9-c581-4b79-9344-13864154c598": { - "columnOrder": [ - "68c19ae2-0676-4b4a-90e7-c60d2ca556ac", - "8952901b-a1b3-4bb5-9605-c68a31cef340", - "6439d7ec-458f-4daf-a97a-101e6f025660" - ], - "columns": { - "6439d7ec-458f-4daf-a97a-101e6f025660": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "azure.functions.health_check_status.avg: *" - }, - "isBucketed": false, - "label": "ExecutionCount", - "operationType": "sum", - "params": { - "emptyAsNull": true - }, - "scale": "ratio", - "sourceField": "azure.functions.function_execution_count.total" + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" }, - "68c19ae2-0676-4b4a-90e7-c60d2ca556ac": { - "dataType": "string", - "isBucketed": true, - "label": "Top 10 values of azure.resource.name", - "operationType": "terms", - "params": { - "exclude": [], - "excludeIsRegex": false, - "include": [], - "includeIsRegex": false, - "missingBucket": false, - "orderBy": { - "columnId": "6439d7ec-458f-4daf-a97a-101e6f025660", - "type": "column" + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "azure.function" }, - "orderDirection": "desc", - "otherBucket": true, - "parentFormat": { - "id": "terms" - }, - "size": 10 - }, - "scale": "ordinal", 
- "sourceField": "azure.resource.name" + "type": "phrase" }, - "8952901b-a1b3-4bb5-9605-c68a31cef340": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "dropPartials": false, - "includeEmptyRows": true, - "interval": "auto" - }, - "scale": "interval", - "sourceField": "@timestamp" - } - }, - "incompleteColumns": {}, - "sampling": 1 - } - } - }, - "textBased": { - "layers": {} - } - }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": "azure.functions.health_check_status.avg: *", - "disabled": false, - "index": "60014cf3-d9b4-46e8-ae69-999d31086fbc", - "key": "query", - "negate": false, - "type": "custom", - "value": "{\"bool\":{\"filter\":[{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"exists\":{\"field\":\"azure.functions.health_check_status.avg\"}}]}}],\"must\":[],\"must_not\":[],\"should\":[]}}" - }, - "query": { - "bool": { - "filter": [ - { - "bool": { - "minimum_should_match": 1, - "should": [ - { - "exists": { - "field": "azure.functions.health_check_status.avg" - } - } - ] - } + "query": { + "match_phrase": { + "data_stream.dataset": "azure.function" + } } - ], - "must": [], - "must_not": [], - "should": [] } - } - } - ], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "axisTitlesVisibilitySettings": { - "x": false, - "yLeft": false, - "yRight": true - }, - "fittingFunction": "None", - "gridlinesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "labelsOrientation": { - "x": 0, - "yLeft": 0, - "yRight": 0 - }, - "layers": [ - { - "accessors": [ - "6439d7ec-458f-4daf-a97a-101e6f025660" - ], - "layerId": "113434b9-c581-4b79-9344-13864154c598", - "layerType": "data", - "seriesType": "line", - "splitAccessor": "68c19ae2-0676-4b4a-90e7-c60d2ca556ac", - "xAccessor": "8952901b-a1b3-4bb5-9605-c68a31cef340" - } ], - "legend": { - "isVisible": true, - "position": "bottom" 
- }, - "preferredSeriesType": "line", - "tickLabelsVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "valueLabels": "hide" - } - }, - "title": "", - "type": "lens", - "visualizationType": "lnsXY" - }, - "description": "Captures the number of execution of the function app. ", - "enhancements": {}, - "hidePanelTitles": false + "query": { + "language": "kuery", + "query": "" + } + } }, - "gridData": { - "h": 15, - "i": "b9d5606f-9607-4c90-a75f-c2857b266bfa", - "w": 15, - "x": 10, - "y": 0 + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false, + "useMargins": true }, - "panelIndex": "b9d5606f-9607-4c90-a75f-c2857b266bfa", - "title": "Function Execution Count by Function Apps", - "type": "lens", - "version": "8.7.1" - }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-8e323fe9-19c2-405d-bbf6-ba61dc9a190f", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "layers": { - "8e323fe9-19c2-405d-bbf6-ba61dc9a190f": { - "columnOrder": [ - "c4d0be17-9d74-468d-8e55-a064664300d1", - "2cbcc3e5-5848-4a88-910b-7c845618ae2e", - "b37bb938-9515-453c-a5ff-f384a7351317", - "b37bb938-9515-453c-a5ff-f384a7351317X1", - "b37bb938-9515-453c-a5ff-f384a7351317X0", - "b37bb938-9515-453c-a5ff-f384a7351317X2" - ], - "columns": { - "2cbcc3e5-5848-4a88-910b-7c845618ae2e": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Total number of invocations", - "operationType": "sum", - "params": { - "emptyAsNull": true - }, - "scale": "ratio", - "sourceField": "azure.functions.requests.total" - }, - "b37bb938-9515-453c-a5ff-f384a7351317": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Success Percentage", - "operationType": "formula", - "params": { - "format": { - "id": "percent", - "params": { - 
"decimals": 2 - } + "panelsJSON": [ + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-f6c3c469-2e64-4120-b144-997fb70575e2", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "f6c3c469-2e64-4120-b144-997fb70575e2": { + "columnOrder": [ + "b0f015a9-aab1-4b26-b28f-65ce55f354de" + ], + "columns": { + "b0f015a9-aab1-4b26-b28f-65ce55f354de": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Active Function Apps", + "operationType": "unique_count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "azure.resource.name" + } + }, + "incompleteColumns": {} + } + } + }, + "textBased": { + "layers": {} + } }, - "formula": "sum(azure.functions.http2xx.total) / sum(azure.functions.requests.total) ", - "isFormulaBroken": false - }, - "references": [ - "b37bb938-9515-453c-a5ff-f384a7351317X2" - ], - "scale": "ratio" - }, - "b37bb938-9515-453c-a5ff-f384a7351317X0": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Part of Success Percentage", - "operationType": "sum", - "params": { - "emptyAsNull": false - }, - "scale": "ratio", - "sourceField": "azure.functions.http2xx.total" - }, - "b37bb938-9515-453c-a5ff-f384a7351317X1": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Part of Success Percentage", - "operationType": "sum", - "params": { - "emptyAsNull": false - }, - "scale": "ratio", - "sourceField": "azure.functions.requests.total" - }, - "b37bb938-9515-453c-a5ff-f384a7351317X2": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Part of Success Percentage", - "operationType": "math", - "params": { - "tinymathAst": { - "args": [ - "b37bb938-9515-453c-a5ff-f384a7351317X0", - "b37bb938-9515-453c-a5ff-f384a7351317X1" - ], - "location": { - "max": 73, - "min": 0 
- }, - "name": "divide", - "text": "sum(azure.functions.http2xx.total) / sum(azure.functions.requests.total) ", - "type": "function" + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layerId": "f6c3c469-2e64-4120-b144-997fb70575e2", + "layerType": "data", + "metricAccessor": "b0f015a9-aab1-4b26-b28f-65ce55f354de", + "showBar": false } - }, - "references": [ - "b37bb938-9515-453c-a5ff-f384a7351317X0", - "b37bb938-9515-453c-a5ff-f384a7351317X1" - ], - "scale": "ratio" }, - "c4d0be17-9d74-468d-8e55-a064664300d1": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Top 10 Function Apps", - "operationType": "terms", - "params": { - "exclude": [], - "excludeIsRegex": false, - "include": [], - "includeIsRegex": false, - "missingBucket": false, - "orderBy": { - "columnId": "2cbcc3e5-5848-4a88-910b-7c845618ae2e", - "type": "column" + "title": "", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": {}, + "hidePanelTitles": true + }, + "gridData": { + "h": 6, + "i": "58a522e8-acf6-4ad1-a5cc-a699ce9c26c0", + "w": 10, + "x": 0, + "y": 0 + }, + "panelIndex": "58a522e8-acf6-4ad1-a5cc-a699ce9c26c0", + "title": "Number of Active Function Apps", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "description": "Health Check Status indicates if there are any unhealthy instances and if they need replacing. A value of 100 means all instances of the App reported a healthy status. 
", + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-113434b9-c581-4b79-9344-13864154c598", + "type": "index-pattern" }, - "orderDirection": "desc", - "otherBucket": true, - "parentFormat": { - "id": "terms" + { + "id": "metrics-*", + "name": "60014cf3-d9b4-46e8-ae69-999d31086fbc", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "113434b9-c581-4b79-9344-13864154c598": { + "columnOrder": [ + "68c19ae2-0676-4b4a-90e7-c60d2ca556ac", + "8952901b-a1b3-4bb5-9605-c68a31cef340", + "6439d7ec-458f-4daf-a97a-101e6f025660" + ], + "columns": { + "6439d7ec-458f-4daf-a97a-101e6f025660": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "azure.functions.health_check_status.avg: *" + }, + "isBucketed": false, + "label": "ExecutionCount", + "operationType": "sum", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "azure.functions.function_execution_count.total" + }, + "68c19ae2-0676-4b4a-90e7-c60d2ca556ac": { + "dataType": "string", + "isBucketed": true, + "label": "Top 10 values of azure.resource.name", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "6439d7ec-458f-4daf-a97a-101e6f025660", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "azure.resource.name" + }, + "8952901b-a1b3-4bb5-9605-c68a31cef340": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "textBased": { + 
"layers": {} + } }, - "size": 10 - }, - "scale": "ordinal", - "sourceField": "azure.resource.name" - } - }, - "incompleteColumns": {}, - "sampling": 1 - } - } - }, - "textBased": { - "layers": {} - } - }, - "filters": [], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "columns": [ - { - "columnId": "c4d0be17-9d74-468d-8e55-a064664300d1", - "isTransposed": false - }, - { - "alignment": "left", - "colorMode": "cell", - "columnId": "2cbcc3e5-5848-4a88-910b-7c845618ae2e", - "isTransposed": false, - "palette": { - "name": "positive", - "params": { - "stops": [ - { - "color": "#d6e9e4", - "stop": 20 - }, - { - "color": "#aed3ca", - "stop": 40 - }, - { - "color": "#85bdb1", - "stop": 60 - }, - { - "color": "#5aa898", - "stop": 80 - }, - { - "color": "#209280", - "stop": 100 - } - ] - }, - "type": "palette" + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": "azure.functions.health_check_status.avg: *", + "disabled": false, + "index": "60014cf3-d9b4-46e8-ae69-999d31086fbc", + "key": "query", + "negate": false, + "type": "custom", + "value": "{\"bool\":{\"filter\":[{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"exists\":{\"field\":\"azure.functions.health_check_status.avg\"}}]}}],\"must\":[],\"must_not\":[],\"should\":[]}}" + }, + "query": { + "bool": { + "filter": [ + { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "exists": { + "field": "azure.functions.health_check_status.avg" + } + } + ] + } + } + ], + "must": [], + "must_not": [], + "should": [] + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": false, + "yLeft": false, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + 
"accessors": [ + "6439d7ec-458f-4daf-a97a-101e6f025660" + ], + "layerId": "113434b9-c581-4b79-9344-13864154c598", + "layerType": "data", + "seriesType": "line", + "splitAccessor": "68c19ae2-0676-4b4a-90e7-c60d2ca556ac", + "xAccessor": "8952901b-a1b3-4bb5-9605-c68a31cef340" + } + ], + "legend": { + "isVisible": true, + "position": "bottom" + }, + "preferredSeriesType": "line", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" }, - "summaryRow": "none" - }, - { - "alignment": "left", - "columnId": "b37bb938-9515-453c-a5ff-f384a7351317", - "isTransposed": false - } - ], - "layerId": "8e323fe9-19c2-405d-bbf6-ba61dc9a190f", - "layerType": "data" - } + "description": "Captures the number of execution of the function app. ", + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "b9d5606f-9607-4c90-a75f-c2857b266bfa", + "w": 15, + "x": 10, + "y": 0 + }, + "panelIndex": "b9d5606f-9607-4c90-a75f-c2857b266bfa", + "title": "Function Execution Count by Function Apps", + "type": "lens" }, - "title": "", - "type": "lens", - "visualizationType": "lnsDatatable" - }, - "description": "Shows the number of successful invocations as a percentage of the total invocations per function app. 
", - "enhancements": {}, - "hidePanelTitles": false - }, - "gridData": { - "h": 15, - "i": "44c459b4-623b-4534-ba78-8904669ae9cb", - "w": 23, - "x": 25, - "y": 0 - }, - "panelIndex": "44c459b4-623b-4534-ba78-8904669ae9cb", - "title": "Success Rate", - "type": "lens", - "version": "8.7.1" - }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-b0c25d59-67fb-4970-8b15-1da58db41925", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "layers": { - "b0c25d59-67fb-4970-8b15-1da58db41925": { - "columnOrder": [ - "87ec7063-bff9-4d15-87e7-8f1da7b3f12b", - "bf6104e4-667c-4384-b819-842c52698256" - ], - "columns": { - "87ec7063-bff9-4d15-87e7-8f1da7b3f12b": { - "dataType": "string", - "isBucketed": true, - "label": "Top 10 values of azure.resource.name", - "operationType": "terms", - "params": { - "accuracyMode": false, - "exclude": [], - "excludeIsRegex": false, - "include": [], - "includeIsRegex": false, - "missingBucket": false, - "orderBy": { - "columnId": "bf6104e4-667c-4384-b819-842c52698256", - "type": "column" + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-8e323fe9-19c2-405d-bbf6-ba61dc9a190f", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "8e323fe9-19c2-405d-bbf6-ba61dc9a190f": { + "columnOrder": [ + "c4d0be17-9d74-468d-8e55-a064664300d1", + "2cbcc3e5-5848-4a88-910b-7c845618ae2e", + "b37bb938-9515-453c-a5ff-f384a7351317", + "b37bb938-9515-453c-a5ff-f384a7351317X1", + "b37bb938-9515-453c-a5ff-f384a7351317X0", + "b37bb938-9515-453c-a5ff-f384a7351317X2" + ], + "columns": { + "2cbcc3e5-5848-4a88-910b-7c845618ae2e": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Total number of invocations", + "operationType": "sum", + "params": { + 
"emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "azure.functions.requests.total" + }, + "b37bb938-9515-453c-a5ff-f384a7351317": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Success Percentage", + "operationType": "formula", + "params": { + "format": { + "id": "percent", + "params": { + "decimals": 2 + } + }, + "formula": "sum(azure.functions.http2xx.total) / sum(azure.functions.requests.total) ", + "isFormulaBroken": false + }, + "references": [ + "b37bb938-9515-453c-a5ff-f384a7351317X2" + ], + "scale": "ratio" + }, + "b37bb938-9515-453c-a5ff-f384a7351317X0": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Part of Success Percentage", + "operationType": "sum", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "azure.functions.http2xx.total" + }, + "b37bb938-9515-453c-a5ff-f384a7351317X1": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Part of Success Percentage", + "operationType": "sum", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "azure.functions.requests.total" + }, + "b37bb938-9515-453c-a5ff-f384a7351317X2": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Part of Success Percentage", + "operationType": "math", + "params": { + "tinymathAst": { + "args": [ + "b37bb938-9515-453c-a5ff-f384a7351317X0", + "b37bb938-9515-453c-a5ff-f384a7351317X1" + ], + "location": { + "max": 73, + "min": 0 + }, + "name": "divide", + "text": "sum(azure.functions.http2xx.total) / sum(azure.functions.requests.total) ", + "type": "function" + } + }, + "references": [ + "b37bb938-9515-453c-a5ff-f384a7351317X0", + "b37bb938-9515-453c-a5ff-f384a7351317X1" + ], + "scale": "ratio" + }, + "c4d0be17-9d74-468d-8e55-a064664300d1": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Top 10 Function Apps", + "operationType": "terms", + "params": 
{ + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "2cbcc3e5-5848-4a88-910b-7c845618ae2e", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "azure.resource.name" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "textBased": { + "layers": {} + } }, - "orderDirection": "desc", - "otherBucket": true, - "parentFormat": { - "id": "terms" + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" }, - "size": 10 - }, - "scale": "ordinal", - "sourceField": "azure.resource.name" - }, - "bf6104e4-667c-4384-b819-842c52698256": { - "customLabel": false, - "dataType": "number", - "isBucketed": false, - "label": "Sum of azure.functions.requests.total", - "operationType": "sum", - "params": { - "emptyAsNull": true, - "format": { - "id": "number", - "params": { - "decimals": 0 - } + "visualization": { + "columns": [ + { + "columnId": "c4d0be17-9d74-468d-8e55-a064664300d1", + "isTransposed": false + }, + { + "alignment": "left", + "colorMode": "cell", + "columnId": "2cbcc3e5-5848-4a88-910b-7c845618ae2e", + "isTransposed": false, + "palette": { + "name": "positive", + "params": { + "stops": [ + { + "color": "#d6e9e4", + "stop": 20 + }, + { + "color": "#aed3ca", + "stop": 40 + }, + { + "color": "#85bdb1", + "stop": 60 + }, + { + "color": "#5aa898", + "stop": 80 + }, + { + "color": "#209280", + "stop": 100 + } + ] + }, + "type": "palette" + }, + "summaryRow": "none" + }, + { + "alignment": "left", + "columnId": "b37bb938-9515-453c-a5ff-f384a7351317", + "isTransposed": false + } + ], + "layerId": "8e323fe9-19c2-405d-bbf6-ba61dc9a190f", + "layerType": "data" } - }, - "scale": "ratio", - "sourceField": "azure.functions.requests.total" - } - }, - "incompleteColumns": {} - } - } - }, - "textBased": { - "layers": {} - } - 
}, - "filters": [], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "layers": [ - { - "categoryDisplay": "default", - "layerId": "b0c25d59-67fb-4970-8b15-1da58db41925", - "layerType": "data", - "legendDisplay": "default", - "legendPosition": "right", - "metrics": [ - "bf6104e4-667c-4384-b819-842c52698256" - ], - "nestedLegend": false, - "numberDisplay": "percent", - "primaryGroups": [ - "87ec7063-bff9-4d15-87e7-8f1da7b3f12b" - ] - } - ], - "shape": "donut" - } - }, - "title": "", - "type": "lens", - "visualizationType": "lnsPie" - }, - "enhancements": {}, - "hidePanelTitles": false - }, - "gridData": { - "h": 9, - "i": "9196bdde-1f73-46f5-97f6-09db15a28b61", - "w": 10, - "x": 0, - "y": 6 - }, - "panelIndex": "9196bdde-1f73-46f5-97f6-09db15a28b61", - "title": "Total Number of Invocations across Function Apps", - "type": "lens", - "version": "8.7.1" - }, - { - "embeddableConfig": { - "attributes": { - "description": "Number of Function invocations that resulted in a HTTP 2xx response code", - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-4689dc73-dc78-4c03-b975-62264d68c33b", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "layers": { - "4689dc73-dc78-4c03-b975-62264d68c33b": { - "columnOrder": [ - "cb555077-660a-4e41-8974-9ad2d8e3b235", - "a3e51351-a9f0-414d-857e-d908e3919b15", - "a074efc1-3210-40c8-af5b-ba97da2de1ac" - ], - "columns": { - "a074efc1-3210-40c8-af5b-ba97da2de1ac": { - "dataType": "number", - "isBucketed": false, - "label": "Sum of azure.functions.http2xx.total", - "operationType": "sum", - "params": { - "emptyAsNull": true - }, - "scale": "ratio", - "sourceField": "azure.functions.http2xx.total" }, - "a3e51351-a9f0-414d-857e-d908e3919b15": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "dropPartials": false, - 
"includeEmptyRows": true, - "interval": "auto" - }, - "scale": "interval", - "sourceField": "@timestamp" - }, - "cb555077-660a-4e41-8974-9ad2d8e3b235": { - "dataType": "string", - "isBucketed": true, - "label": "Top 10 values of azure.resource.name", - "operationType": "terms", - "params": { - "exclude": [], - "excludeIsRegex": false, - "include": [], - "includeIsRegex": false, - "missingBucket": false, - "orderBy": { - "columnId": "a074efc1-3210-40c8-af5b-ba97da2de1ac", - "type": "column" + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "description": "Shows the number of successful invocations as a percentage of the total invocations per function app. ", + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "44c459b4-623b-4534-ba78-8904669ae9cb", + "w": 23, + "x": 25, + "y": 0 + }, + "panelIndex": "44c459b4-623b-4534-ba78-8904669ae9cb", + "title": "Success Rate", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-b0c25d59-67fb-4970-8b15-1da58db41925", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "b0c25d59-67fb-4970-8b15-1da58db41925": { + "columnOrder": [ + "87ec7063-bff9-4d15-87e7-8f1da7b3f12b", + "bf6104e4-667c-4384-b819-842c52698256" + ], + "columns": { + "87ec7063-bff9-4d15-87e7-8f1da7b3f12b": { + "dataType": "string", + "isBucketed": true, + "label": "Top 10 values of azure.resource.name", + "operationType": "terms", + "params": { + "accuracyMode": false, + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "bf6104e4-667c-4384-b819-842c52698256", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": 
"azure.resource.name" + }, + "bf6104e4-667c-4384-b819-842c52698256": { + "customLabel": false, + "dataType": "number", + "isBucketed": false, + "label": "Sum of azure.functions.requests.total", + "operationType": "sum", + "params": { + "emptyAsNull": true, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "azure.functions.requests.total" + } + }, + "incompleteColumns": {} + } + } + }, + "textBased": { + "layers": {} + } }, - "orderDirection": "desc", - "otherBucket": true, - "parentFormat": { - "id": "terms" + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" }, - "size": 10 - }, - "scale": "ordinal", - "sourceField": "azure.resource.name" - } - }, - "incompleteColumns": {}, - "sampling": 1 - } - } - }, - "textBased": { - "layers": {} - } - }, - "filters": [], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "axisTitlesVisibilitySettings": { - "x": false, - "yLeft": false, - "yRight": true - }, - "fittingFunction": "None", - "gridlinesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "labelsOrientation": { - "x": 0, - "yLeft": 0, - "yRight": 0 - }, - "layers": [ - { - "accessors": [ - "a074efc1-3210-40c8-af5b-ba97da2de1ac" - ], - "layerId": "4689dc73-dc78-4c03-b975-62264d68c33b", - "layerType": "data", - "position": "top", - "seriesType": "bar", - "showGridlines": false, - "splitAccessor": "cb555077-660a-4e41-8974-9ad2d8e3b235", - "xAccessor": "a3e51351-a9f0-414d-857e-d908e3919b15" - } - ], - "legend": { - "isVisible": true, - "position": "bottom" - }, - "preferredSeriesType": "bar", - "tickLabelsVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "valueLabels": "hide" - } - }, - "title": "", - "type": "lens", - "visualizationType": "lnsXY" - }, - "enhancements": {}, - "hidePanelTitles": false - }, - "gridData": { - "h": 14, - "i": 
"5430e8a9-47ae-4c82-96b7-b0287026409f", - "w": 16, - "x": 0, - "y": 15 - }, - "panelIndex": "5430e8a9-47ae-4c82-96b7-b0287026409f", - "title": "HTTP 2xx Responses", - "type": "lens", - "version": "8.7.1" - }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-54edca01-9fb6-444a-8d98-ddb0ff36f9be", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "layers": { - "54edca01-9fb6-444a-8d98-ddb0ff36f9be": { - "columnOrder": [ - "6eddce7c-5301-479c-ab7b-8c574999c145", - "38a86941-b5ec-4a83-9684-0f70bb14a361", - "94937bdd-d5bb-469e-83b9-89e34f3a4614" - ], - "columns": { - "38a86941-b5ec-4a83-9684-0f70bb14a361": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "dropPartials": false, - "includeEmptyRows": true, - "interval": "auto" - }, - "scale": "interval", - "sourceField": "@timestamp" + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "layerId": "b0c25d59-67fb-4970-8b15-1da58db41925", + "layerType": "data", + "legendDisplay": "default", + "legendPosition": "right", + "metrics": [ + "bf6104e4-667c-4384-b819-842c52698256" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "87ec7063-bff9-4d15-87e7-8f1da7b3f12b" + ] + } + ], + "shape": "donut" + } }, - "6eddce7c-5301-479c-ab7b-8c574999c145": { - "dataType": "string", - "isBucketed": true, - "label": "Top 10 values of azure.resource.name", - "operationType": "terms", - "params": { - "exclude": [], - "excludeIsRegex": false, - "include": [], - "includeIsRegex": false, - "missingBucket": false, - "orderBy": { - "columnId": "94937bdd-d5bb-469e-83b9-89e34f3a4614", - "type": "column" + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 9, + "i": 
"9196bdde-1f73-46f5-97f6-09db15a28b61", + "w": 10, + "x": 0, + "y": 6 + }, + "panelIndex": "9196bdde-1f73-46f5-97f6-09db15a28b61", + "title": "Total Number of Invocations across Function Apps", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "description": "Number of Function invocations that resulted in a HTTP 2xx response code", + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-4689dc73-dc78-4c03-b975-62264d68c33b", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "4689dc73-dc78-4c03-b975-62264d68c33b": { + "columnOrder": [ + "cb555077-660a-4e41-8974-9ad2d8e3b235", + "a3e51351-a9f0-414d-857e-d908e3919b15", + "a074efc1-3210-40c8-af5b-ba97da2de1ac" + ], + "columns": { + "a074efc1-3210-40c8-af5b-ba97da2de1ac": { + "dataType": "number", + "isBucketed": false, + "label": "Sum of azure.functions.http2xx.total", + "operationType": "sum", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "azure.functions.http2xx.total" + }, + "a3e51351-a9f0-414d-857e-d908e3919b15": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "cb555077-660a-4e41-8974-9ad2d8e3b235": { + "dataType": "string", + "isBucketed": true, + "label": "Top 10 values of azure.resource.name", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "a074efc1-3210-40c8-af5b-ba97da2de1ac", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "azure.resource.name" + } + }, + "incompleteColumns": {}, + 
"sampling": 1 + } + } + }, + "textBased": { + "layers": {} + } }, - "orderDirection": "desc", - "otherBucket": true, - "parentFormat": { - "id": "terms" + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" }, - "size": 10 - }, - "scale": "ordinal", - "sourceField": "azure.resource.name" + "visualization": { + "axisTitlesVisibilitySettings": { + "x": false, + "yLeft": false, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "a074efc1-3210-40c8-af5b-ba97da2de1ac" + ], + "layerId": "4689dc73-dc78-4c03-b975-62264d68c33b", + "layerType": "data", + "position": "top", + "seriesType": "bar", + "showGridlines": false, + "splitAccessor": "cb555077-660a-4e41-8974-9ad2d8e3b235", + "xAccessor": "a3e51351-a9f0-414d-857e-d908e3919b15" + } + ], + "legend": { + "isVisible": true, + "position": "bottom" + }, + "preferredSeriesType": "bar", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide" + } }, - "94937bdd-d5bb-469e-83b9-89e34f3a4614": { - "customLabel": false, - "dataType": "number", - "isBucketed": false, - "label": "Sum of azure.functions.http4xx.total", - "operationType": "sum", - "params": { - "emptyAsNull": true - }, - "scale": "ratio", - "sourceField": "azure.functions.http4xx.total" - } - }, - "incompleteColumns": {}, - "sampling": 1 - } - } - }, - "textBased": { - "layers": {} - } - }, - "filters": [], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "axisTitlesVisibilitySettings": { - "x": false, - "yLeft": false, - "yRight": true - }, - "fittingFunction": "None", - "gridlinesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "labelsOrientation": { - "x": 0, - "yLeft": 0, - "yRight": 0 - }, - 
"layers": [ - { - "accessors": [ - "94937bdd-d5bb-469e-83b9-89e34f3a4614" - ], - "layerId": "54edca01-9fb6-444a-8d98-ddb0ff36f9be", - "layerType": "data", - "position": "top", - "seriesType": "bar", - "showGridlines": false, - "splitAccessor": "6eddce7c-5301-479c-ab7b-8c574999c145", - "xAccessor": "38a86941-b5ec-4a83-9684-0f70bb14a361" - } - ], - "legend": { - "isVisible": true, - "position": "bottom" - }, - "preferredSeriesType": "bar", - "tickLabelsVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "valueLabels": "hide" - } + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 14, + "i": "5430e8a9-47ae-4c82-96b7-b0287026409f", + "w": 16, + "x": 0, + "y": 15 + }, + "panelIndex": "5430e8a9-47ae-4c82-96b7-b0287026409f", + "title": "HTTP 2xx Responses", + "type": "lens" }, - "title": "", - "type": "lens", - "visualizationType": "lnsXY" - }, - "description": "Number of Function invocations that resulted in a HTTP 2xx response code", - "enhancements": {}, - "hidePanelTitles": false - }, - "gridData": { - "h": 14, - "i": "7a4bc820-cc0e-40fb-9aee-83ccf7615fa2", - "w": 16, - "x": 16, - "y": 15 - }, - "panelIndex": "7a4bc820-cc0e-40fb-9aee-83ccf7615fa2", - "title": "HTTP 4xx Responses", - "type": "lens", - "version": "8.7.1" - }, - { - "embeddableConfig": { - "attributes": { - "description": "Number of server errors or exceptions. 
", - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-419ba4b9-c54a-4e44-b7dc-475a2b04e4a8", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "layers": { - "419ba4b9-c54a-4e44-b7dc-475a2b04e4a8": { - "columnOrder": [ - "ed0b46b6-3210-492d-b67b-027e0b427588", - "f4765a92-4ba2-4936-afa3-7e8648c99a8d", - "8d98f3f5-27bb-4ad2-82ec-277d763ab9cc" - ], - "columns": { - "8d98f3f5-27bb-4ad2-82ec-277d763ab9cc": { - "dataType": "number", - "isBucketed": false, - "label": "Sum of azure.functions.http5xx.total", - "operationType": "sum", - "params": { - "emptyAsNull": true - }, - "scale": "ratio", - "sourceField": "azure.functions.http5xx.total" - }, - "ed0b46b6-3210-492d-b67b-027e0b427588": { - "dataType": "string", - "isBucketed": true, - "label": "Top 10 values of azure.resource.name", - "operationType": "terms", - "params": { - "exclude": [], - "excludeIsRegex": false, - "include": [], - "includeIsRegex": false, - "missingBucket": false, - "orderBy": { - "columnId": "8d98f3f5-27bb-4ad2-82ec-277d763ab9cc", - "type": "column" + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-54edca01-9fb6-444a-8d98-ddb0ff36f9be", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "54edca01-9fb6-444a-8d98-ddb0ff36f9be": { + "columnOrder": [ + "6eddce7c-5301-479c-ab7b-8c574999c145", + "38a86941-b5ec-4a83-9684-0f70bb14a361", + "94937bdd-d5bb-469e-83b9-89e34f3a4614" + ], + "columns": { + "38a86941-b5ec-4a83-9684-0f70bb14a361": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "6eddce7c-5301-479c-ab7b-8c574999c145": { + "dataType": 
"string", + "isBucketed": true, + "label": "Top 10 values of azure.resource.name", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "94937bdd-d5bb-469e-83b9-89e34f3a4614", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "azure.resource.name" + }, + "94937bdd-d5bb-469e-83b9-89e34f3a4614": { + "customLabel": false, + "dataType": "number", + "isBucketed": false, + "label": "Sum of azure.functions.http4xx.total", + "operationType": "sum", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "azure.functions.http4xx.total" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "textBased": { + "layers": {} + } }, - "orderDirection": "desc", - "otherBucket": true, - "parentFormat": { - "id": "terms" + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" }, - "size": 10 - }, - "scale": "ordinal", - "sourceField": "azure.resource.name" + "visualization": { + "axisTitlesVisibilitySettings": { + "x": false, + "yLeft": false, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "94937bdd-d5bb-469e-83b9-89e34f3a4614" + ], + "layerId": "54edca01-9fb6-444a-8d98-ddb0ff36f9be", + "layerType": "data", + "position": "top", + "seriesType": "bar", + "showGridlines": false, + "splitAccessor": "6eddce7c-5301-479c-ab7b-8c574999c145", + "xAccessor": "38a86941-b5ec-4a83-9684-0f70bb14a361" + } + ], + "legend": { + "isVisible": true, + "position": "bottom" + }, + "preferredSeriesType": "bar", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true 
+ }, + "valueLabels": "hide" + } }, - "f4765a92-4ba2-4936-afa3-7e8648c99a8d": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "dropPartials": false, - "includeEmptyRows": true, - "interval": "auto" - }, - "scale": "interval", - "sourceField": "@timestamp" - } - }, - "incompleteColumns": {}, - "sampling": 1 - } - } - }, - "textBased": { - "layers": {} - } - }, - "filters": [], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "axisTitlesVisibilitySettings": { - "x": false, - "yLeft": false, - "yRight": true - }, - "fittingFunction": "None", - "gridlinesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "labelsOrientation": { - "x": 0, - "yLeft": 0, - "yRight": 0 - }, - "layers": [ - { - "accessors": [ - "8d98f3f5-27bb-4ad2-82ec-277d763ab9cc" - ], - "layerId": "419ba4b9-c54a-4e44-b7dc-475a2b04e4a8", - "layerType": "data", - "seriesType": "bar", - "splitAccessor": "ed0b46b6-3210-492d-b67b-027e0b427588", - "xAccessor": "f4765a92-4ba2-4936-afa3-7e8648c99a8d" - } - ], - "legend": { - "isVisible": true, - "position": "bottom" - }, - "preferredSeriesType": "bar", - "tickLabelsVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "valueLabels": "hide" - } + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "description": "Number of Function invocations that resulted in a HTTP 2xx response code", + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 14, + "i": "7a4bc820-cc0e-40fb-9aee-83ccf7615fa2", + "w": 16, + "x": 16, + "y": 15 + }, + "panelIndex": "7a4bc820-cc0e-40fb-9aee-83ccf7615fa2", + "title": "HTTP 4xx Responses", + "type": "lens" }, - "title": "", - "type": "lens", - "visualizationType": "lnsXY" - }, - "enhancements": {}, - "hidePanelTitles": false - }, - "gridData": { - "h": 14, - "i": "266a1bc1-c35b-4959-96c1-5d799a98754c", - "w": 16, - "x": 
32, - "y": 15 - }, - "panelIndex": "266a1bc1-c35b-4959-96c1-5d799a98754c", - "title": "HTTP 5xx Error Responses", - "type": "lens", - "version": "8.7.1" - }, - { - "embeddableConfig": { - "attributes": { - "description": "The time taken for the app to serve requests.", - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-8d0f0cfa-b115-4100-ba7e-1cadee108055", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "layers": { - "8d0f0cfa-b115-4100-ba7e-1cadee108055": { - "columnOrder": [ - "ae3ff95a-e30f-4e6d-a3c0-d589a984b82f", - "234483e9-2403-442e-bb76-d6315e2517af", - "bde63578-63d7-43ab-ad04-0b810b2f4033" - ], - "columns": { - "234483e9-2403-442e-bb76-d6315e2517af": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "dropPartials": false, - "includeEmptyRows": true, - "interval": "auto" - }, - "scale": "interval", - "sourceField": "@timestamp" - }, - "ae3ff95a-e30f-4e6d-a3c0-d589a984b82f": { - "dataType": "string", - "isBucketed": true, - "label": "Top 10 values of azure.resource.name", - "operationType": "terms", - "params": { - "exclude": [], - "excludeIsRegex": false, - "include": [], - "includeIsRegex": false, - "missingBucket": false, - "orderBy": { - "columnId": "bde63578-63d7-43ab-ad04-0b810b2f4033", - "type": "column" + { + "embeddableConfig": { + "attributes": { + "description": "Number of server errors or exceptions. 
", + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-419ba4b9-c54a-4e44-b7dc-475a2b04e4a8", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "419ba4b9-c54a-4e44-b7dc-475a2b04e4a8": { + "columnOrder": [ + "ed0b46b6-3210-492d-b67b-027e0b427588", + "f4765a92-4ba2-4936-afa3-7e8648c99a8d", + "8d98f3f5-27bb-4ad2-82ec-277d763ab9cc" + ], + "columns": { + "8d98f3f5-27bb-4ad2-82ec-277d763ab9cc": { + "dataType": "number", + "isBucketed": false, + "label": "Sum of azure.functions.http5xx.total", + "operationType": "sum", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "azure.functions.http5xx.total" + }, + "ed0b46b6-3210-492d-b67b-027e0b427588": { + "dataType": "string", + "isBucketed": true, + "label": "Top 10 values of azure.resource.name", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "8d98f3f5-27bb-4ad2-82ec-277d763ab9cc", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "azure.resource.name" + }, + "f4765a92-4ba2-4936-afa3-7e8648c99a8d": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "textBased": { + "layers": {} + } }, - "orderDirection": "desc", - "otherBucket": true, - "parentFormat": { - "id": "terms" + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" }, - "size": 10 - }, - "scale": "ordinal", - "sourceField": "azure.resource.name" + "visualization": { + 
"axisTitlesVisibilitySettings": { + "x": false, + "yLeft": false, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "8d98f3f5-27bb-4ad2-82ec-277d763ab9cc" + ], + "layerId": "419ba4b9-c54a-4e44-b7dc-475a2b04e4a8", + "layerType": "data", + "seriesType": "bar", + "splitAccessor": "ed0b46b6-3210-492d-b67b-027e0b427588", + "xAccessor": "f4765a92-4ba2-4936-afa3-7e8648c99a8d" + } + ], + "legend": { + "isVisible": true, + "position": "bottom" + }, + "preferredSeriesType": "bar", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide" + } }, - "bde63578-63d7-43ab-ad04-0b810b2f4033": { - "dataType": "number", - "isBucketed": false, - "label": "Average of azure.functions.http_response_time.avg", - "operationType": "average", - "params": { - "emptyAsNull": true - }, - "scale": "ratio", - "sourceField": "azure.functions.http_response_time.avg" - } - }, - "incompleteColumns": {}, - "sampling": 1 - } - } - }, - "textBased": { - "layers": {} - } - }, - "filters": [], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "axisTitlesVisibilitySettings": { - "x": false, - "yLeft": false, - "yRight": true - }, - "fittingFunction": "None", - "gridlinesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "labelsOrientation": { - "x": 0, - "yLeft": 0, - "yRight": 0 - }, - "layers": [ - { - "accessors": [ - "bde63578-63d7-43ab-ad04-0b810b2f4033" - ], - "layerId": "8d0f0cfa-b115-4100-ba7e-1cadee108055", - "layerType": "data", - "position": "top", - "seriesType": "line", - "showGridlines": false, - "splitAccessor": "ae3ff95a-e30f-4e6d-a3c0-d589a984b82f", - "xAccessor": "234483e9-2403-442e-bb76-d6315e2517af" - } - ], - "legend": { - "isVisible": true, - "position": 
"bottom" - }, - "preferredSeriesType": "line", - "tickLabelsVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "valueLabels": "hide" - } + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 14, + "i": "266a1bc1-c35b-4959-96c1-5d799a98754c", + "w": 16, + "x": 32, + "y": 15 + }, + "panelIndex": "266a1bc1-c35b-4959-96c1-5d799a98754c", + "title": "HTTP 5xx Error Responses", + "type": "lens" }, - "title": "", - "type": "lens", - "visualizationType": "lnsXY" - }, - "description": "The time taken for the app to serve requests.", - "enhancements": {}, - "hidePanelTitles": false - }, - "gridData": { - "h": 15, - "i": "5ef0d281-2eff-415a-ac37-d778985db835", - "w": 24, - "x": 0, - "y": 29 - }, - "panelIndex": "5ef0d281-2eff-415a-ac37-d778985db835", - "title": "Averave Response Time(in seconds)", - "type": "lens", - "version": "8.7.1" - }, - { - "embeddableConfig": { - "attributes": { - "description": "The current amount of memory used by the app. 
", - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-750303c4-2d5f-4b67-8018-cba6ccc3e3f8", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "layers": { - "750303c4-2d5f-4b67-8018-cba6ccc3e3f8": { - "columnOrder": [ - "6a78eb36-cec6-41f4-bda8-c88c3fdabe7f", - "03e43362-ec04-4c0a-8cdf-0bd29107feee", - "1d2a33f9-47f5-4483-bd25-bf258b7fe434" - ], - "columns": { - "03e43362-ec04-4c0a-8cdf-0bd29107feee": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "dropPartials": false, - "includeEmptyRows": true, - "interval": "auto" - }, - "scale": "interval", - "sourceField": "@timestamp" - }, - "1d2a33f9-47f5-4483-bd25-bf258b7fe434": { - "dataType": "number", - "isBucketed": false, - "label": "Average of azure.functions.average_memory_working_set.avg", - "operationType": "average", - "params": { - "emptyAsNull": true, - "format": { - "id": "bytes", - "params": { - "decimals": 0 - } + { + "embeddableConfig": { + "attributes": { + "description": "The time taken for the app to serve requests.", + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-8d0f0cfa-b115-4100-ba7e-1cadee108055", + "type": "index-pattern" } - }, - "scale": "ratio", - "sourceField": "azure.functions.average_memory_working_set.avg" - }, - "6a78eb36-cec6-41f4-bda8-c88c3fdabe7f": { - "dataType": "string", - "isBucketed": true, - "label": "Top 10 values of azure.resource.name", - "operationType": "terms", - "params": { - "exclude": [], - "excludeIsRegex": false, - "include": [], - "includeIsRegex": false, - "missingBucket": false, - "orderBy": { - "columnId": "1d2a33f9-47f5-4483-bd25-bf258b7fe434", - "type": "column" + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "8d0f0cfa-b115-4100-ba7e-1cadee108055": { + "columnOrder": [ + 
"ae3ff95a-e30f-4e6d-a3c0-d589a984b82f", + "234483e9-2403-442e-bb76-d6315e2517af", + "bde63578-63d7-43ab-ad04-0b810b2f4033" + ], + "columns": { + "234483e9-2403-442e-bb76-d6315e2517af": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "ae3ff95a-e30f-4e6d-a3c0-d589a984b82f": { + "dataType": "string", + "isBucketed": true, + "label": "Top 10 values of azure.resource.name", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "bde63578-63d7-43ab-ad04-0b810b2f4033", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "azure.resource.name" + }, + "bde63578-63d7-43ab-ad04-0b810b2f4033": { + "dataType": "number", + "isBucketed": false, + "label": "Average of azure.functions.http_response_time.avg", + "operationType": "average", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "azure.functions.http_response_time.avg" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "textBased": { + "layers": {} + } }, - "orderDirection": "desc", - "otherBucket": true, - "parentFormat": { - "id": "terms" + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" }, - "size": 10 - }, - "scale": "ordinal", - "sourceField": "azure.resource.name" - } - }, - "incompleteColumns": {}, - "sampling": 1 - } - } - }, - "textBased": { - "layers": {} - } - }, - "filters": [], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "axisTitlesVisibilitySettings": { - "x": false, - "yLeft": false, - "yRight": true - }, 
- "fittingFunction": "None", - "gridlinesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "labelsOrientation": { - "x": 0, - "yLeft": 0, - "yRight": 0 - }, - "layers": [ - { - "accessors": [ - "1d2a33f9-47f5-4483-bd25-bf258b7fe434" - ], - "layerId": "750303c4-2d5f-4b67-8018-cba6ccc3e3f8", - "layerType": "data", - "position": "top", - "seriesType": "area", - "showGridlines": false, - "splitAccessor": "6a78eb36-cec6-41f4-bda8-c88c3fdabe7f", - "xAccessor": "03e43362-ec04-4c0a-8cdf-0bd29107feee" - } - ], - "legend": { - "isVisible": true, - "position": "bottom" - }, - "preferredSeriesType": "area", - "tickLabelsVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "valueLabels": "hide" - } - }, - "title": "", - "type": "lens", - "visualizationType": "lnsXY" - }, - "description": "The current amount of memory used by the app. ", - "enhancements": {}, - "hidePanelTitles": false - }, - "gridData": { - "h": 15, - "i": "4f589bdd-7bbf-4b5e-88f7-68272155780d", - "w": 24, - "x": 24, - "y": 29 - }, - "panelIndex": "4f589bdd-7bbf-4b5e-88f7-68272155780d", - "title": "Memory Working Set by Function Apps", - "type": "lens", - "version": "8.7.1" - }, - { - "embeddableConfig": { - "description": "The amount of incoming bandwidth consumed by the app. 
", - "enhancements": {}, - "hidePanelTitles": false, - "attributes": { - "description": "", - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "layers": { - "5e26da41-85b9-4f3d-b666-9b027f19f4c0": { - "columnOrder": [ - "e3e826ac-4145-4caa-97c7-0074740c3bde", - "4d55692b-10e3-4d58-8bc0-2973e9d8bd58", - "f807ce10-f26f-4f0a-a838-2baea3bb5ac2" - ], - "columns": { - "4d55692b-10e3-4d58-8bc0-2973e9d8bd58": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "dropPartials": false, - "includeEmptyRows": true, - "interval": "auto" - }, - "scale": "interval", - "sourceField": "@timestamp" + "visualization": { + "axisTitlesVisibilitySettings": { + "x": false, + "yLeft": false, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "bde63578-63d7-43ab-ad04-0b810b2f4033" + ], + "layerId": "8d0f0cfa-b115-4100-ba7e-1cadee108055", + "layerType": "data", + "position": "top", + "seriesType": "line", + "showGridlines": false, + "splitAccessor": "ae3ff95a-e30f-4e6d-a3c0-d589a984b82f", + "xAccessor": "234483e9-2403-442e-bb76-d6315e2517af" + } + ], + "legend": { + "isVisible": true, + "position": "bottom" + }, + "preferredSeriesType": "line", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide" + } }, - "e3e826ac-4145-4caa-97c7-0074740c3bde": { - "dataType": "string", - "isBucketed": true, - "label": "Top 10 values of azure.resource.name", - "operationType": "terms", - "params": { - "exclude": [], - "excludeIsRegex": false, - "include": [], - "includeIsRegex": false, - "missingBucket": false, - "orderBy": { - "columnId": "f807ce10-f26f-4f0a-a838-2baea3bb5ac2", - "type": "column" + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + 
}, + "description": "The time taken for the app to serve requests.", + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "5ef0d281-2eff-415a-ac37-d778985db835", + "w": 24, + "x": 0, + "y": 29 + }, + "panelIndex": "5ef0d281-2eff-415a-ac37-d778985db835", + "title": "Averave Response Time(in seconds)", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "description": "The current amount of memory used by the app. ", + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-750303c4-2d5f-4b67-8018-cba6ccc3e3f8", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "750303c4-2d5f-4b67-8018-cba6ccc3e3f8": { + "columnOrder": [ + "6a78eb36-cec6-41f4-bda8-c88c3fdabe7f", + "03e43362-ec04-4c0a-8cdf-0bd29107feee", + "1d2a33f9-47f5-4483-bd25-bf258b7fe434" + ], + "columns": { + "03e43362-ec04-4c0a-8cdf-0bd29107feee": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "1d2a33f9-47f5-4483-bd25-bf258b7fe434": { + "dataType": "number", + "isBucketed": false, + "label": "Average of azure.functions.average_memory_working_set.avg", + "operationType": "average", + "params": { + "emptyAsNull": true, + "format": { + "id": "bytes", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "azure.functions.average_memory_working_set.avg" + }, + "6a78eb36-cec6-41f4-bda8-c88c3fdabe7f": { + "dataType": "string", + "isBucketed": true, + "label": "Top 10 values of azure.resource.name", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "1d2a33f9-47f5-4483-bd25-bf258b7fe434", + 
"type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "azure.resource.name" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "textBased": { + "layers": {} + } }, - "orderDirection": "desc", - "otherBucket": true, - "parentFormat": { - "id": "terms" + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" }, - "size": 10 - }, - "scale": "ordinal", - "sourceField": "azure.resource.name" - }, - "f807ce10-f26f-4f0a-a838-2baea3bb5ac2": { - "customLabel": false, - "dataType": "number", - "isBucketed": false, - "label": "Sum of azure.functions.bytes_received.total", - "operationType": "sum", - "params": { - "emptyAsNull": true, - "format": { - "id": "bytes", - "params": { - "decimals": 0 - } + "visualization": { + "axisTitlesVisibilitySettings": { + "x": false, + "yLeft": false, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "1d2a33f9-47f5-4483-bd25-bf258b7fe434" + ], + "layerId": "750303c4-2d5f-4b67-8018-cba6ccc3e3f8", + "layerType": "data", + "position": "top", + "seriesType": "area", + "showGridlines": false, + "splitAccessor": "6a78eb36-cec6-41f4-bda8-c88c3fdabe7f", + "xAccessor": "03e43362-ec04-4c0a-8cdf-0bd29107feee" + } + ], + "legend": { + "isVisible": true, + "position": "bottom" + }, + "preferredSeriesType": "area", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide" } - }, - "scale": "ratio", - "sourceField": "azure.functions.bytes_received.total" - } - }, - "incompleteColumns": {}, - "sampling": 1 - } - } - }, - "textBased": { - "layers": {} - } - }, - "filters": [], - "internalReferences": [], - "query": { - "language": "kuery", - 
"query": "data_stream.dataset : \"azure.function\" " - }, - "visualization": { - "axisTitlesVisibilitySettings": { - "x": false, - "yLeft": false, - "yRight": true - }, - "fittingFunction": "None", - "gridlinesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "labelsOrientation": { - "x": 0, - "yLeft": 0, - "yRight": 0 - }, - "layers": [ - { - "accessors": [ - "f807ce10-f26f-4f0a-a838-2baea3bb5ac2" - ], - "layerId": "5e26da41-85b9-4f3d-b666-9b027f19f4c0", - "layerType": "data", - "seriesType": "line", - "splitAccessor": "e3e826ac-4145-4caa-97c7-0074740c3bde", - "xAccessor": "4d55692b-10e3-4d58-8bc0-2973e9d8bd58" - } - ], - "legend": { - "isVisible": true, - "position": "bottom" - }, - "preferredSeriesType": "line", - "tickLabelsVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "valueLabels": "hide" - } - }, - "title": "Bytes Received", - "visualizationType": "lnsXY", - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-5e26da41-85b9-4f3d-b666-9b027f19f4c0", - "type": "index-pattern" - } - ] - } - }, - "gridData": { - "h": 15, - "i": "96b12503-3f63-4f80-9419-f8d25b7356fc", - "w": 24, - "x": 0, - "y": 44 - }, - "panelIndex": "96b12503-3f63-4f80-9419-f8d25b7356fc", - "title": "Top 10 Function Apps by Bytes Received ", - "type": "lens", - "version": "8.6.0" - }, - { - "embeddableConfig": { - "attributes": { - "description": "The amount of outgoing bandwidth sent by the app. 
", - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-fa95f5df-3ddf-44ed-88b8-793641935e0a", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "layers": { - "fa95f5df-3ddf-44ed-88b8-793641935e0a": { - "columnOrder": [ - "a3174d15-f56d-4533-b4e8-2006a55c51d4", - "4a76dd12-cd30-4e95-8b20-015379b31cf4", - "6d32a3d7-e8d2-4061-9d93-eeca1d25d957" - ], - "columns": { - "4a76dd12-cd30-4e95-8b20-015379b31cf4": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "dropPartials": false, - "includeEmptyRows": true, - "interval": "auto" - }, - "scale": "interval", - "sourceField": "@timestamp" }, - "6d32a3d7-e8d2-4061-9d93-eeca1d25d957": { - "dataType": "number", - "isBucketed": false, - "label": "Sum of azure.functions.bytes_sent.total", - "operationType": "sum", - "params": { - "emptyAsNull": true, - "format": { - "id": "bytes", - "params": { - "decimals": 0 - } + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "description": "The current amount of memory used by the app. 
", + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "4f589bdd-7bbf-4b5e-88f7-68272155780d", + "w": 24, + "x": 24, + "y": 29 + }, + "panelIndex": "4f589bdd-7bbf-4b5e-88f7-68272155780d", + "title": "Memory Working Set by Function Apps", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-5e26da41-85b9-4f3d-b666-9b027f19f4c0", + "type": "index-pattern" } - }, - "scale": "ratio", - "sourceField": "azure.functions.bytes_sent.total" - }, - "a3174d15-f56d-4533-b4e8-2006a55c51d4": { - "dataType": "string", - "isBucketed": true, - "label": "Top 10 values of azure.resource.name", - "operationType": "terms", - "params": { - "exclude": [], - "excludeIsRegex": false, - "include": [], - "includeIsRegex": false, - "missingBucket": false, - "orderBy": { - "columnId": "6d32a3d7-e8d2-4061-9d93-eeca1d25d957", - "type": "column" + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "5e26da41-85b9-4f3d-b666-9b027f19f4c0": { + "columnOrder": [ + "e3e826ac-4145-4caa-97c7-0074740c3bde", + "4d55692b-10e3-4d58-8bc0-2973e9d8bd58", + "f807ce10-f26f-4f0a-a838-2baea3bb5ac2" + ], + "columns": { + "4d55692b-10e3-4d58-8bc0-2973e9d8bd58": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "e3e826ac-4145-4caa-97c7-0074740c3bde": { + "dataType": "string", + "isBucketed": true, + "label": "Top 10 values of azure.resource.name", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "f807ce10-f26f-4f0a-a838-2baea3bb5ac2", + "type": "column" + }, + "orderDirection": 
"desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "azure.resource.name" + }, + "f807ce10-f26f-4f0a-a838-2baea3bb5ac2": { + "customLabel": false, + "dataType": "number", + "isBucketed": false, + "label": "Sum of azure.functions.bytes_received.total", + "operationType": "sum", + "params": { + "emptyAsNull": true, + "format": { + "id": "bytes", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "azure.functions.bytes_received.total" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "textBased": { + "layers": {} + } }, - "orderDirection": "desc", - "otherBucket": true, - "parentFormat": { - "id": "terms" + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" }, - "size": 10 - }, - "scale": "ordinal", - "sourceField": "azure.resource.name" - } - }, - "incompleteColumns": {}, - "sampling": 1 - } - } - }, - "textBased": { - "layers": {} - } - }, - "filters": [], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "axisTitlesVisibilitySettings": { - "x": false, - "yLeft": false, - "yRight": true - }, - "fittingFunction": "None", - "gridlinesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "labelsOrientation": { - "x": 0, - "yLeft": 0, - "yRight": 0 - }, - "layers": [ - { - "accessors": [ - "6d32a3d7-e8d2-4061-9d93-eeca1d25d957" - ], - "layerId": "fa95f5df-3ddf-44ed-88b8-793641935e0a", - "layerType": "data", - "position": "top", - "seriesType": "line", - "showGridlines": false, - "splitAccessor": "a3174d15-f56d-4533-b4e8-2006a55c51d4", - "xAccessor": "4a76dd12-cd30-4e95-8b20-015379b31cf4" - } - ], - "legend": { - "isVisible": true, - "position": "bottom" - }, - "preferredSeriesType": "line", - "tickLabelsVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "valueLabels": "hide" - } - }, - "title": "", - 
"type": "lens", - "visualizationType": "lnsXY" - }, - "description": "The amount of outgoing bandwidth sent by the app. ", - "enhancements": {}, - "hidePanelTitles": false - }, - "gridData": { - "h": 15, - "i": "578f6fe3-6edb-4678-b13c-1e9510f1942b", - "w": 24, - "x": 24, - "y": 44 - }, - "panelIndex": "578f6fe3-6edb-4678-b13c-1e9510f1942b", - "title": "Top 10 Function Apps by Bytes Sent ", - "type": "lens", - "version": "8.7.1" - }, - { - "embeddableConfig": { - "attributes": { - "description": "The rate at which the app process is reading bytes from I/O operation", - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-cc027ebf-f1dc-44ef-8907-7b7a407a7fe0", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "layers": { - "cc027ebf-f1dc-44ef-8907-7b7a407a7fe0": { - "columnOrder": [ - "d3c92de9-3de0-4478-a4a6-432e2c42c0ab", - "10d4106f-6c96-4dc2-8866-3f1fe7e81898", - "755983df-cc70-41bc-88d7-56ae24060492" - ], - "columns": { - "10d4106f-6c96-4dc2-8866-3f1fe7e81898": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "dropPartials": false, - "includeEmptyRows": true, - "interval": "auto" - }, - "scale": "interval", - "sourceField": "@timestamp" - }, - "755983df-cc70-41bc-88d7-56ae24060492": { - "dataType": "number", - "isBucketed": false, - "label": "Sum of azure.functions.io_read_bytes_per_second.total", - "operationType": "sum", - "params": { - "emptyAsNull": true, - "format": { - "id": "bytes", - "params": { - "decimals": 0 - } + "visualization": { + "axisTitlesVisibilitySettings": { + "x": false, + "yLeft": false, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "f807ce10-f26f-4f0a-a838-2baea3bb5ac2" + ], + 
"layerId": "5e26da41-85b9-4f3d-b666-9b027f19f4c0", + "layerType": "data", + "seriesType": "line", + "splitAccessor": "e3e826ac-4145-4caa-97c7-0074740c3bde", + "xAccessor": "4d55692b-10e3-4d58-8bc0-2973e9d8bd58" + } + ], + "legend": { + "isVisible": true, + "position": "bottom" + }, + "preferredSeriesType": "line", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide" } - }, - "scale": "ratio", - "sourceField": "azure.functions.io_read_bytes_per_second.total" }, - "d3c92de9-3de0-4478-a4a6-432e2c42c0ab": { - "dataType": "string", - "isBucketed": true, - "label": "Top 10 values of azure.resource.name", - "operationType": "terms", - "params": { - "exclude": [], - "excludeIsRegex": false, - "include": [], - "includeIsRegex": false, - "missingBucket": false, - "orderBy": { - "columnId": "755983df-cc70-41bc-88d7-56ae24060492", - "type": "column" + "title": "Bytes Received", + "type": "lens", + "visualizationType": "lnsXY" + }, + "description": "The amount of incoming bandwidth consumed by the app. ", + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "96b12503-3f63-4f80-9419-f8d25b7356fc", + "w": 24, + "x": 0, + "y": 44 + }, + "panelIndex": "96b12503-3f63-4f80-9419-f8d25b7356fc", + "title": "Top 10 Function Apps by Bytes Received ", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "description": "The amount of outgoing bandwidth sent by the app. 
", + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-fa95f5df-3ddf-44ed-88b8-793641935e0a", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "fa95f5df-3ddf-44ed-88b8-793641935e0a": { + "columnOrder": [ + "a3174d15-f56d-4533-b4e8-2006a55c51d4", + "4a76dd12-cd30-4e95-8b20-015379b31cf4", + "6d32a3d7-e8d2-4061-9d93-eeca1d25d957" + ], + "columns": { + "4a76dd12-cd30-4e95-8b20-015379b31cf4": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "6d32a3d7-e8d2-4061-9d93-eeca1d25d957": { + "dataType": "number", + "isBucketed": false, + "label": "Sum of azure.functions.bytes_sent.total", + "operationType": "sum", + "params": { + "emptyAsNull": true, + "format": { + "id": "bytes", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "azure.functions.bytes_sent.total" + }, + "a3174d15-f56d-4533-b4e8-2006a55c51d4": { + "dataType": "string", + "isBucketed": true, + "label": "Top 10 values of azure.resource.name", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "6d32a3d7-e8d2-4061-9d93-eeca1d25d957", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "azure.resource.name" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "textBased": { + "layers": {} + } }, - "orderDirection": "desc", - "otherBucket": true, - "parentFormat": { - "id": "terms" + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" }, - "size": 10 - }, - "scale": 
"ordinal", - "sourceField": "azure.resource.name" - } - }, - "incompleteColumns": {}, - "sampling": 1 - } - } - }, - "textBased": { - "layers": {} - } - }, - "filters": [], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "axisTitlesVisibilitySettings": { - "x": false, - "yLeft": false, - "yRight": true - }, - "fittingFunction": "None", - "gridlinesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "labelsOrientation": { - "x": 0, - "yLeft": 0, - "yRight": 0 - }, - "layers": [ - { - "accessors": [ - "755983df-cc70-41bc-88d7-56ae24060492" - ], - "layerId": "cc027ebf-f1dc-44ef-8907-7b7a407a7fe0", - "layerType": "data", - "position": "top", - "seriesType": "bar", - "showGridlines": false, - "splitAccessor": "d3c92de9-3de0-4478-a4a6-432e2c42c0ab", - "xAccessor": "10d4106f-6c96-4dc2-8866-3f1fe7e81898" - } - ], - "legend": { - "isVisible": true, - "position": "bottom" - }, - "preferredSeriesType": "bar", - "tickLabelsVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "valueLabels": "hide" - } - }, - "title": "", - "type": "lens", - "visualizationType": "lnsXY" - }, - "description": "The rate at which the app process is reading bytes from I/O operation", - "enhancements": {}, - "hidePanelTitles": false - }, - "gridData": { - "h": 15, - "i": "f7c59600-cc99-4d51-b8f8-20976818476a", - "w": 24, - "x": 0, - "y": 59 - }, - "panelIndex": "f7c59600-cc99-4d51-b8f8-20976818476a", - "title": "IO Read Bytes Per Second", - "type": "lens", - "version": "8.7.1" - }, - { - "embeddableConfig": { - "attributes": { - "description": "The rate at which the app process is writing bytes to I/O operations.", - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-0efd9b40-6f73-459b-8a6d-22bb9ea9f8f5", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "layers": { - 
"0efd9b40-6f73-459b-8a6d-22bb9ea9f8f5": { - "columnOrder": [ - "bf621d88-b10b-4d8b-86fc-33034ed0fdc9", - "e2344323-fc84-49dc-9a63-ff7cc0ac618a", - "017dace0-c878-45e7-8d98-bfba5bdade86" - ], - "columns": { - "017dace0-c878-45e7-8d98-bfba5bdade86": { - "dataType": "number", - "isBucketed": false, - "label": "Sum of azure.functions.io_write_bytes_per_second.total", - "operationType": "sum", - "params": { - "emptyAsNull": true, - "format": { - "id": "bytes", - "params": { - "decimals": 0 - } + "visualization": { + "axisTitlesVisibilitySettings": { + "x": false, + "yLeft": false, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "6d32a3d7-e8d2-4061-9d93-eeca1d25d957" + ], + "layerId": "fa95f5df-3ddf-44ed-88b8-793641935e0a", + "layerType": "data", + "position": "top", + "seriesType": "line", + "showGridlines": false, + "splitAccessor": "a3174d15-f56d-4533-b4e8-2006a55c51d4", + "xAccessor": "4a76dd12-cd30-4e95-8b20-015379b31cf4" + } + ], + "legend": { + "isVisible": true, + "position": "bottom" + }, + "preferredSeriesType": "line", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide" } - }, - "scale": "ratio", - "sourceField": "azure.functions.io_write_bytes_per_second.total" }, - "bf621d88-b10b-4d8b-86fc-33034ed0fdc9": { - "dataType": "string", - "isBucketed": true, - "label": "Top 10 values of azure.resource.name", - "operationType": "terms", - "params": { - "exclude": [], - "excludeIsRegex": false, - "include": [], - "includeIsRegex": false, - "missingBucket": false, - "orderBy": { - "columnId": "017dace0-c878-45e7-8d98-bfba5bdade86", - "type": "column" + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "description": "The amount of outgoing bandwidth sent by the app. 
", + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "578f6fe3-6edb-4678-b13c-1e9510f1942b", + "w": 24, + "x": 24, + "y": 44 + }, + "panelIndex": "578f6fe3-6edb-4678-b13c-1e9510f1942b", + "title": "Top 10 Function Apps by Bytes Sent ", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "description": "The rate at which the app process is reading bytes from I/O operation", + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-cc027ebf-f1dc-44ef-8907-7b7a407a7fe0", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "cc027ebf-f1dc-44ef-8907-7b7a407a7fe0": { + "columnOrder": [ + "d3c92de9-3de0-4478-a4a6-432e2c42c0ab", + "10d4106f-6c96-4dc2-8866-3f1fe7e81898", + "755983df-cc70-41bc-88d7-56ae24060492" + ], + "columns": { + "10d4106f-6c96-4dc2-8866-3f1fe7e81898": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "755983df-cc70-41bc-88d7-56ae24060492": { + "dataType": "number", + "isBucketed": false, + "label": "Sum of azure.functions.io_read_bytes_per_second.total", + "operationType": "sum", + "params": { + "emptyAsNull": true, + "format": { + "id": "bytes", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "azure.functions.io_read_bytes_per_second.total" + }, + "d3c92de9-3de0-4478-a4a6-432e2c42c0ab": { + "dataType": "string", + "isBucketed": true, + "label": "Top 10 values of azure.resource.name", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "755983df-cc70-41bc-88d7-56ae24060492", + "type": "column" + }, + "orderDirection": "desc", + 
"otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "azure.resource.name" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "textBased": { + "layers": {} + } }, - "orderDirection": "desc", - "otherBucket": true, - "parentFormat": { - "id": "terms" + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" }, - "size": 10 - }, - "scale": "ordinal", - "sourceField": "azure.resource.name" + "visualization": { + "axisTitlesVisibilitySettings": { + "x": false, + "yLeft": false, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "755983df-cc70-41bc-88d7-56ae24060492" + ], + "layerId": "cc027ebf-f1dc-44ef-8907-7b7a407a7fe0", + "layerType": "data", + "position": "top", + "seriesType": "bar", + "showGridlines": false, + "splitAccessor": "d3c92de9-3de0-4478-a4a6-432e2c42c0ab", + "xAccessor": "10d4106f-6c96-4dc2-8866-3f1fe7e81898" + } + ], + "legend": { + "isVisible": true, + "position": "bottom" + }, + "preferredSeriesType": "bar", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide" + } }, - "e2344323-fc84-49dc-9a63-ff7cc0ac618a": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "dropPartials": false, - "includeEmptyRows": true, - "interval": "auto" - }, - "scale": "interval", - "sourceField": "@timestamp" - } - }, - "incompleteColumns": {}, - "sampling": 1 - } - } - }, - "textBased": { - "layers": {} - } - }, - "filters": [], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "axisTitlesVisibilitySettings": { - "x": false, - "yLeft": false, - "yRight": true - }, - 
"fittingFunction": "None", - "gridlinesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "labelsOrientation": { - "x": 0, - "yLeft": 0, - "yRight": 0 - }, - "layers": [ - { - "accessors": [ - "017dace0-c878-45e7-8d98-bfba5bdade86" - ], - "layerId": "0efd9b40-6f73-459b-8a6d-22bb9ea9f8f5", - "layerType": "data", - "position": "top", - "seriesType": "bar_stacked", - "showGridlines": false, - "splitAccessor": "bf621d88-b10b-4d8b-86fc-33034ed0fdc9", - "xAccessor": "e2344323-fc84-49dc-9a63-ff7cc0ac618a" - } - ], - "legend": { - "isVisible": true, - "position": "bottom" - }, - "preferredSeriesType": "bar_stacked", - "tickLabelsVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "valueLabels": "hide" - } + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "description": "The rate at which the app process is reading bytes from I/O operation", + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "f7c59600-cc99-4d51-b8f8-20976818476a", + "w": 24, + "x": 0, + "y": 59 + }, + "panelIndex": "f7c59600-cc99-4d51-b8f8-20976818476a", + "title": "IO Read Bytes Per Second", + "type": "lens" }, - "title": "", - "type": "lens", - "visualizationType": "lnsXY" - }, - "description": "The rate at which the app process is writing bytes to I/O operations.", - "enhancements": {}, - "hidePanelTitles": false - }, - "gridData": { - "h": 15, - "i": "ba3dfc7e-d929-4dac-ba7e-d979652ec83a", - "w": 24, - "x": 24, - "y": 59 - }, - "panelIndex": "ba3dfc7e-d929-4dac-ba7e-d979652ec83a", - "title": "IO Write Bytes Per Second", - "type": "lens", - "version": "8.7.1" - }, - { - "embeddableConfig": { - "attributes": { - "description": "The rate at which the app process is issuing read I/O operations.", - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-e16f3e88-0dc5-490a-b45d-86b3dbd359a3", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - 
"datasourceStates": { - "formBased": { - "layers": { - "e16f3e88-0dc5-490a-b45d-86b3dbd359a3": { - "columnOrder": [ - "c5f39387-452a-4a77-8c48-831ecf41d972", - "d59f84c1-e509-4b82-bb73-8b30500124ec", - "32a41b5b-b737-4fd0-8b22-4a009d9c5555" - ], - "columns": { - "32a41b5b-b737-4fd0-8b22-4a009d9c5555": { - "dataType": "number", - "isBucketed": false, - "label": "Sum of azure.functions.io_read_operations_per_second.total", - "operationType": "sum", - "params": { - "emptyAsNull": true, - "format": { - "id": "bytes", - "params": { - "decimals": 0, - "suffix": "/s" - } + { + "embeddableConfig": { + "attributes": { + "description": "The rate at which the app process is writing bytes to I/O operations.", + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-0efd9b40-6f73-459b-8a6d-22bb9ea9f8f5", + "type": "index-pattern" } - }, - "scale": "ratio", - "sourceField": "azure.functions.io_read_operations_per_second.total" - }, - "c5f39387-452a-4a77-8c48-831ecf41d972": { - "dataType": "string", - "isBucketed": true, - "label": "Top 10 values of azure.resource.name", - "operationType": "terms", - "params": { - "exclude": [], - "excludeIsRegex": false, - "include": [], - "includeIsRegex": false, - "missingBucket": false, - "orderBy": { - "columnId": "32a41b5b-b737-4fd0-8b22-4a009d9c5555", - "type": "column" + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "0efd9b40-6f73-459b-8a6d-22bb9ea9f8f5": { + "columnOrder": [ + "bf621d88-b10b-4d8b-86fc-33034ed0fdc9", + "e2344323-fc84-49dc-9a63-ff7cc0ac618a", + "017dace0-c878-45e7-8d98-bfba5bdade86" + ], + "columns": { + "017dace0-c878-45e7-8d98-bfba5bdade86": { + "dataType": "number", + "isBucketed": false, + "label": "Sum of azure.functions.io_write_bytes_per_second.total", + "operationType": "sum", + "params": { + "emptyAsNull": true, + "format": { + "id": "bytes", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": 
"azure.functions.io_write_bytes_per_second.total" + }, + "bf621d88-b10b-4d8b-86fc-33034ed0fdc9": { + "dataType": "string", + "isBucketed": true, + "label": "Top 10 values of azure.resource.name", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "017dace0-c878-45e7-8d98-bfba5bdade86", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "azure.resource.name" + }, + "e2344323-fc84-49dc-9a63-ff7cc0ac618a": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "textBased": { + "layers": {} + } }, - "orderDirection": "desc", - "otherBucket": true, - "parentFormat": { - "id": "terms" + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" }, - "size": 10 - }, - "scale": "ordinal", - "sourceField": "azure.resource.name" + "visualization": { + "axisTitlesVisibilitySettings": { + "x": false, + "yLeft": false, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "017dace0-c878-45e7-8d98-bfba5bdade86" + ], + "layerId": "0efd9b40-6f73-459b-8a6d-22bb9ea9f8f5", + "layerType": "data", + "position": "top", + "seriesType": "bar_stacked", + "showGridlines": false, + "splitAccessor": "bf621d88-b10b-4d8b-86fc-33034ed0fdc9", + "xAccessor": "e2344323-fc84-49dc-9a63-ff7cc0ac618a" + } + ], + "legend": { + "isVisible": true, + "position": "bottom" + }, 
+ "preferredSeriesType": "bar_stacked", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide" + } }, - "d59f84c1-e509-4b82-bb73-8b30500124ec": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "dropPartials": false, - "includeEmptyRows": true, - "interval": "auto" - }, - "scale": "interval", - "sourceField": "@timestamp" - } - }, - "incompleteColumns": {}, - "sampling": 1 - } - } - }, - "textBased": { - "layers": {} - } - }, - "filters": [], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "axisTitlesVisibilitySettings": { - "x": false, - "yLeft": false, - "yRight": true - }, - "fittingFunction": "None", - "gridlinesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "labelsOrientation": { - "x": 0, - "yLeft": 0, - "yRight": 0 - }, - "layers": [ - { - "accessors": [ - "32a41b5b-b737-4fd0-8b22-4a009d9c5555" - ], - "layerId": "e16f3e88-0dc5-490a-b45d-86b3dbd359a3", - "layerType": "data", - "position": "top", - "seriesType": "line", - "showGridlines": false, - "splitAccessor": "c5f39387-452a-4a77-8c48-831ecf41d972", - "xAccessor": "d59f84c1-e509-4b82-bb73-8b30500124ec" - } - ], - "legend": { - "isVisible": true, - "position": "bottom" - }, - "preferredSeriesType": "line", - "showCurrentTimeMarker": false, - "tickLabelsVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "valueLabels": "hide" - } + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "description": "The rate at which the app process is writing bytes to I/O operations.", + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "ba3dfc7e-d929-4dac-ba7e-d979652ec83a", + "w": 24, + "x": 24, + "y": 59 + }, + "panelIndex": "ba3dfc7e-d929-4dac-ba7e-d979652ec83a", + "title": "IO Write Bytes Per Second", + "type": "lens" }, - 
"title": "", - "type": "lens", - "visualizationType": "lnsXY" - }, - "description": "The rate at which the app process is issuing read I/O operations.", - "enhancements": {}, - "hidePanelTitles": false - }, - "gridData": { - "h": 15, - "i": "dc27d0ce-7296-4640-8bcd-d23a8f4830ab", - "w": 24, - "x": 0, - "y": 74 - }, - "panelIndex": "dc27d0ce-7296-4640-8bcd-d23a8f4830ab", - "title": "IO Read Operations Per Second", - "type": "lens", - "version": "8.7.1" - }, - { - "embeddableConfig": { - "attributes": { - "description": "The rate at which the app process is issuing wite I/O operations.", - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-effd480b-5d45-4c7e-9883-114e91117829", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "layers": { - "effd480b-5d45-4c7e-9883-114e91117829": { - "columnOrder": [ - "62dfa6f9-8995-4b01-8038-0a32c921ce4e", - "fb0c0a99-931d-407b-90e1-a7695f4e877a", - "4ff3447e-d940-4369-8cec-7f6ef83dd20f" - ], - "columns": { - "4ff3447e-d940-4369-8cec-7f6ef83dd20f": { - "customLabel": false, - "dataType": "number", - "isBucketed": false, - "label": "Sum of azure.functions.io_write_operations_per_second.total", - "operationType": "sum", - "params": { - "emptyAsNull": true, - "format": { - "id": "bytes", - "params": { - "decimals": 0, - "suffix": "/s" - } + { + "embeddableConfig": { + "attributes": { + "description": "The rate at which the app process is issuing read I/O operations.", + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-e16f3e88-0dc5-490a-b45d-86b3dbd359a3", + "type": "index-pattern" } - }, - "scale": "ratio", - "sourceField": "azure.functions.io_write_operations_per_second.total" - }, - "62dfa6f9-8995-4b01-8038-0a32c921ce4e": { - "dataType": "string", - "isBucketed": true, - "label": "Top 10 values of azure.resource.name", - "operationType": "terms", - "params": { - "exclude": [], - "excludeIsRegex": false, - 
"include": [], - "includeIsRegex": false, - "missingBucket": false, - "orderBy": { - "columnId": "4ff3447e-d940-4369-8cec-7f6ef83dd20f", - "type": "column" + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "e16f3e88-0dc5-490a-b45d-86b3dbd359a3": { + "columnOrder": [ + "c5f39387-452a-4a77-8c48-831ecf41d972", + "d59f84c1-e509-4b82-bb73-8b30500124ec", + "32a41b5b-b737-4fd0-8b22-4a009d9c5555" + ], + "columns": { + "32a41b5b-b737-4fd0-8b22-4a009d9c5555": { + "dataType": "number", + "isBucketed": false, + "label": "Sum of azure.functions.io_read_operations_per_second.total", + "operationType": "sum", + "params": { + "emptyAsNull": true, + "format": { + "id": "bytes", + "params": { + "decimals": 0, + "suffix": "/s" + } + } + }, + "scale": "ratio", + "sourceField": "azure.functions.io_read_operations_per_second.total" + }, + "c5f39387-452a-4a77-8c48-831ecf41d972": { + "dataType": "string", + "isBucketed": true, + "label": "Top 10 values of azure.resource.name", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "32a41b5b-b737-4fd0-8b22-4a009d9c5555", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "azure.resource.name" + }, + "d59f84c1-e509-4b82-bb73-8b30500124ec": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "textBased": { + "layers": {} + } }, - "orderDirection": "desc", - "otherBucket": true, - "parentFormat": { - "id": "terms" + "filters": [], + "internalReferences": [], + "query": { + 
"language": "kuery", + "query": "" }, - "size": 10 - }, - "scale": "ordinal", - "sourceField": "azure.resource.name" + "visualization": { + "axisTitlesVisibilitySettings": { + "x": false, + "yLeft": false, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "32a41b5b-b737-4fd0-8b22-4a009d9c5555" + ], + "layerId": "e16f3e88-0dc5-490a-b45d-86b3dbd359a3", + "layerType": "data", + "position": "top", + "seriesType": "line", + "showGridlines": false, + "splitAccessor": "c5f39387-452a-4a77-8c48-831ecf41d972", + "xAccessor": "d59f84c1-e509-4b82-bb73-8b30500124ec" + } + ], + "legend": { + "isVisible": true, + "position": "bottom" + }, + "preferredSeriesType": "line", + "showCurrentTimeMarker": false, + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide" + } }, - "fb0c0a99-931d-407b-90e1-a7695f4e877a": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "dropPartials": false, - "includeEmptyRows": true, - "interval": "auto" - }, - "scale": "interval", - "sourceField": "@timestamp" - } - }, - "incompleteColumns": {}, - "sampling": 1 - } - } - }, - "textBased": { - "layers": {} - } - }, - "filters": [], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "axisTitlesVisibilitySettings": { - "x": false, - "yLeft": false, - "yRight": true - }, - "fittingFunction": "None", - "gridlinesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "labelsOrientation": { - "x": 0, - "yLeft": 0, - "yRight": 0 - }, - "layers": [ - { - "accessors": [ - "4ff3447e-d940-4369-8cec-7f6ef83dd20f" - ], - "layerId": "effd480b-5d45-4c7e-9883-114e91117829", - "layerType": "data", - "position": "top", - 
"seriesType": "line", - "showGridlines": false, - "splitAccessor": "62dfa6f9-8995-4b01-8038-0a32c921ce4e", - "xAccessor": "fb0c0a99-931d-407b-90e1-a7695f4e877a" - } - ], - "legend": { - "isVisible": true, - "position": "bottom" - }, - "preferredSeriesType": "line", - "tickLabelsVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "valueLabels": "hide" - } + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "description": "The rate at which the app process is issuing read I/O operations.", + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "dc27d0ce-7296-4640-8bcd-d23a8f4830ab", + "w": 24, + "x": 0, + "y": 74 + }, + "panelIndex": "dc27d0ce-7296-4640-8bcd-d23a8f4830ab", + "title": "IO Read Operations Per Second", + "type": "lens" }, - "title": "", - "type": "lens", - "visualizationType": "lnsXY" - }, - "description": "The rate at which the app process is issuing wite I/O operations.", - "enhancements": {}, - "hidePanelTitles": false + { + "embeddableConfig": { + "attributes": { + "description": "The rate at which the app process is issuing wite I/O operations.", + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-effd480b-5d45-4c7e-9883-114e91117829", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "effd480b-5d45-4c7e-9883-114e91117829": { + "columnOrder": [ + "62dfa6f9-8995-4b01-8038-0a32c921ce4e", + "fb0c0a99-931d-407b-90e1-a7695f4e877a", + "4ff3447e-d940-4369-8cec-7f6ef83dd20f" + ], + "columns": { + "4ff3447e-d940-4369-8cec-7f6ef83dd20f": { + "customLabel": false, + "dataType": "number", + "isBucketed": false, + "label": "Sum of azure.functions.io_write_operations_per_second.total", + "operationType": "sum", + "params": { + "emptyAsNull": true, + "format": { + "id": "bytes", + "params": { + "decimals": 0, + "suffix": "/s" + } + } + }, + "scale": "ratio", + "sourceField": 
"azure.functions.io_write_operations_per_second.total" + }, + "62dfa6f9-8995-4b01-8038-0a32c921ce4e": { + "dataType": "string", + "isBucketed": true, + "label": "Top 10 values of azure.resource.name", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "4ff3447e-d940-4369-8cec-7f6ef83dd20f", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "azure.resource.name" + }, + "fb0c0a99-931d-407b-90e1-a7695f4e877a": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": false, + "yLeft": false, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "4ff3447e-d940-4369-8cec-7f6ef83dd20f" + ], + "layerId": "effd480b-5d45-4c7e-9883-114e91117829", + "layerType": "data", + "position": "top", + "seriesType": "line", + "showGridlines": false, + "splitAccessor": "62dfa6f9-8995-4b01-8038-0a32c921ce4e", + "xAccessor": "fb0c0a99-931d-407b-90e1-a7695f4e877a" + } + ], + "legend": { + "isVisible": true, + "position": "bottom" + }, + "preferredSeriesType": "line", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide" + } + }, + 
"title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "description": "The rate at which the app process is issuing wite I/O operations.", + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "f907a3c8-a7aa-4cb8-8708-e316bb3cdeb6", + "w": 24, + "x": 24, + "y": 74 + }, + "panelIndex": "f907a3c8-a7aa-4cb8-8708-e316bb3cdeb6", + "title": "IO Write Operations Per Second", + "type": "lens" + } + ], + "timeRestore": false, + "title": "[Azure Functions] Overview", + "version": 1 + }, + "coreMigrationVersion": "8.8.0", + "created_at": "2024-04-18T12:11:00.652Z", + "id": "azure_functions-5b40c9c0-33d4-11ee-8d85-2d7adebebd1b", + "managed": false, + "references": [ + { + "id": "metrics-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "58a522e8-acf6-4ad1-a5cc-a699ce9c26c0:indexpattern-datasource-layer-f6c3c469-2e64-4120-b144-997fb70575e2", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "b9d5606f-9607-4c90-a75f-c2857b266bfa:indexpattern-datasource-layer-113434b9-c581-4b79-9344-13864154c598", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "b9d5606f-9607-4c90-a75f-c2857b266bfa:60014cf3-d9b4-46e8-ae69-999d31086fbc", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "44c459b4-623b-4534-ba78-8904669ae9cb:indexpattern-datasource-layer-8e323fe9-19c2-405d-bbf6-ba61dc9a190f", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "9196bdde-1f73-46f5-97f6-09db15a28b61:indexpattern-datasource-layer-b0c25d59-67fb-4970-8b15-1da58db41925", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "5430e8a9-47ae-4c82-96b7-b0287026409f:indexpattern-datasource-layer-4689dc73-dc78-4c03-b975-62264d68c33b", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "7a4bc820-cc0e-40fb-9aee-83ccf7615fa2:indexpattern-datasource-layer-54edca01-9fb6-444a-8d98-ddb0ff36f9be", + "type": 
"index-pattern" + }, + { + "id": "metrics-*", + "name": "266a1bc1-c35b-4959-96c1-5d799a98754c:indexpattern-datasource-layer-419ba4b9-c54a-4e44-b7dc-475a2b04e4a8", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "5ef0d281-2eff-415a-ac37-d778985db835:indexpattern-datasource-layer-8d0f0cfa-b115-4100-ba7e-1cadee108055", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "4f589bdd-7bbf-4b5e-88f7-68272155780d:indexpattern-datasource-layer-750303c4-2d5f-4b67-8018-cba6ccc3e3f8", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "96b12503-3f63-4f80-9419-f8d25b7356fc:indexpattern-datasource-layer-5e26da41-85b9-4f3d-b666-9b027f19f4c0", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "578f6fe3-6edb-4678-b13c-1e9510f1942b:indexpattern-datasource-layer-fa95f5df-3ddf-44ed-88b8-793641935e0a", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "f7c59600-cc99-4d51-b8f8-20976818476a:indexpattern-datasource-layer-cc027ebf-f1dc-44ef-8907-7b7a407a7fe0", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "ba3dfc7e-d929-4dac-ba7e-d979652ec83a:indexpattern-datasource-layer-0efd9b40-6f73-459b-8a6d-22bb9ea9f8f5", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "dc27d0ce-7296-4640-8bcd-d23a8f4830ab:indexpattern-datasource-layer-e16f3e88-0dc5-490a-b45d-86b3dbd359a3", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "f907a3c8-a7aa-4cb8-8708-e316bb3cdeb6:indexpattern-datasource-layer-effd480b-5d45-4c7e-9883-114e91117829", + "type": "index-pattern" }, - "gridData": { - "h": 15, - "i": "f907a3c8-a7aa-4cb8-8708-e316bb3cdeb6", - "w": 24, - "x": 24, - "y": 74 + { + "id": "metrics-*", + "name": "controlGroup_ff8243f3-9c96-4cb0-b703-0af0107bc8f7:optionsListDataView", + "type": "index-pattern" }, - "panelIndex": "f907a3c8-a7aa-4cb8-8708-e316bb3cdeb6", - "title": "IO Write Operations Per Second", - "type": "lens", - "version": "8.7.1" - } + { + "id": "metrics-*", + "name": 
"controlGroup_bebd2bf5-eb88-4157-b86b-e6fd9e322b13:optionsListDataView", + "type": "index-pattern" + } ], - "timeRestore": false, - "title": "[Azure Functions] Overview", - "version": 1 - }, - "references": [ - { - "id": "metrics-*", - "name": "58a522e8-acf6-4ad1-a5cc-a699ce9c26c0:indexpattern-datasource-layer-f6c3c469-2e64-4120-b144-997fb70575e2", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "b9d5606f-9607-4c90-a75f-c2857b266bfa:indexpattern-datasource-layer-113434b9-c581-4b79-9344-13864154c598", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "b9d5606f-9607-4c90-a75f-c2857b266bfa:60014cf3-d9b4-46e8-ae69-999d31086fbc", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "44c459b4-623b-4534-ba78-8904669ae9cb:indexpattern-datasource-layer-8e323fe9-19c2-405d-bbf6-ba61dc9a190f", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "9196bdde-1f73-46f5-97f6-09db15a28b61:indexpattern-datasource-layer-b0c25d59-67fb-4970-8b15-1da58db41925", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "5430e8a9-47ae-4c82-96b7-b0287026409f:indexpattern-datasource-layer-4689dc73-dc78-4c03-b975-62264d68c33b", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "7a4bc820-cc0e-40fb-9aee-83ccf7615fa2:indexpattern-datasource-layer-54edca01-9fb6-444a-8d98-ddb0ff36f9be", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "266a1bc1-c35b-4959-96c1-5d799a98754c:indexpattern-datasource-layer-419ba4b9-c54a-4e44-b7dc-475a2b04e4a8", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "5ef0d281-2eff-415a-ac37-d778985db835:indexpattern-datasource-layer-8d0f0cfa-b115-4100-ba7e-1cadee108055", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "4f589bdd-7bbf-4b5e-88f7-68272155780d:indexpattern-datasource-layer-750303c4-2d5f-4b67-8018-cba6ccc3e3f8", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": 
"578f6fe3-6edb-4678-b13c-1e9510f1942b:indexpattern-datasource-layer-fa95f5df-3ddf-44ed-88b8-793641935e0a", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "f7c59600-cc99-4d51-b8f8-20976818476a:indexpattern-datasource-layer-cc027ebf-f1dc-44ef-8907-7b7a407a7fe0", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "ba3dfc7e-d929-4dac-ba7e-d979652ec83a:indexpattern-datasource-layer-0efd9b40-6f73-459b-8a6d-22bb9ea9f8f5", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "dc27d0ce-7296-4640-8bcd-d23a8f4830ab:indexpattern-datasource-layer-e16f3e88-0dc5-490a-b45d-86b3dbd359a3", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "f907a3c8-a7aa-4cb8-8708-e316bb3cdeb6:indexpattern-datasource-layer-effd480b-5d45-4c7e-9883-114e91117829", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "controlGroup_ff8243f3-9c96-4cb0-b703-0af0107bc8f7:optionsListDataView", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "controlGroup_bebd2bf5-eb88-4157-b86b-e6fd9e322b13:optionsListDataView", - "type": "index-pattern" - }, - { - "type": "index-pattern", - "name": "96b12503-3f63-4f80-9419-f8d25b7356fc:indexpattern-datasource-layer-5e26da41-85b9-4f3d-b666-9b027f19f4c0", - "id": "metrics-*" - } - ], - "managed": false + "type": "dashboard", + "typeMigrationVersion": "8.9.0" } \ No newline at end of file diff --git a/packages/azure_functions/manifest.yml b/packages/azure_functions/manifest.yml index 6d036c85dc8..a9a4caeefcd 100644 --- a/packages/azure_functions/manifest.yml +++ b/packages/azure_functions/manifest.yml @@ -1,7 +1,7 @@ format_version: "3.0.2" name: azure_functions title: "Azure Functions" -version: "0.4.2" +version: "0.5.0" source: license: "Elastic-2.0" description: "Get metrics and logs from Azure Functions" diff --git a/packages/hashicorp_vault/changelog.yml b/packages/hashicorp_vault/changelog.yml index a1e774c44a2..4d4494d3b0d 100644 --- a/packages/hashicorp_vault/changelog.yml 
+++ b/packages/hashicorp_vault/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.25.0" + changes: + - description: Add global filter on data_stream.dataset to improve performance. + type: enhancement + link: https://github.com/elastic/integrations/pull/10075 - version: "1.24.0" changes: - description: Update package-spec to 3.0.3. diff --git a/packages/hashicorp_vault/kibana/dashboard/hashicorp_vault-1f321db0-f4b8-11eb-a89a-7378b1713db5.json b/packages/hashicorp_vault/kibana/dashboard/hashicorp_vault-1f321db0-f4b8-11eb-a89a-7378b1713db5.json index 19e96c0ba00..85b83537e81 100644 --- a/packages/hashicorp_vault/kibana/dashboard/hashicorp_vault-1f321db0-f4b8-11eb-a89a-7378b1713db5.json +++ b/packages/hashicorp_vault/kibana/dashboard/hashicorp_vault-1f321db0-f4b8-11eb-a89a-7378b1713db5.json @@ -1,10 +1,32 @@ { "attributes": { "description": "Hashicorp Vault operational logs.", - "hits": 0, "kibanaSavedObjectMeta": { "searchSourceJSON": { - "filter": [], + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "hashicorp_vault.log" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "hashicorp_vault.log" + } + } + } + ], "query": { "language": "kuery", "query": "" @@ -14,6 +36,8 @@ "optionsJSON": { "hidePanelTitles": false, "syncColors": false, + "syncCursor": true, + "syncTooltips": false, "useMargins": true }, "panelsJSON": [ 
@@ -21,25 +45,16 @@ "embeddableConfig": { "attributes": { "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, { "id": "logs-*", "name": "indexpattern-datasource-layer-27ad0671-d838-464d-9949-250e95bf8ebf", "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "filter-index-pattern-0", - "type": "index-pattern" } ], "state": { + "adHocDataViews": {}, "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "27ad0671-d838-464d-9949-250e95bf8ebf": { "columnOrder": [ @@ -54,7 +69,7 @@ "label": "Count of records", "operationType": "count", "scale": "ratio", - "sourceField": "Records" + "sourceField": "___records___" }, "fd82c7ab-1504-4210-a3bd-bdee3f875c72": { "dataType": "date", @@ -62,6 +77,7 @@ "label": "@timestamp", "operationType": "date_histogram", "params": { + "includeEmptyRows": true, "interval": "auto" }, "scale": "interval", @@ -91,29 +107,8 @@ } } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "filter-index-pattern-0", - "key": "data_stream.dataset", - "negate": false, - "params": { - "query": "hashicorp_vault.log" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "data_stream.dataset": "hashicorp_vault.log" - } - } - } - ], + "filters": [], + "internalReferences": [], "query": { "language": "kuery", "query": "" @@ -141,6 +136,7 @@ "834ca219-ed3e-4a48-b865-ac6e9d562b36" ], "layerId": "27ad0671-d838-464d-9949-250e95bf8ebf", + "layerType": "data", "palette": { "name": "default", "type": "palette" @@ -154,6 +150,7 @@ ], "legend": { "isVisible": true, + "legendSize": "auto", "position": "right" }, "preferredSeriesType": "bar_stacked", 
@@ -187,32 +184,22 @@ }, "panelIndex": "1ac68c0e-3c5a-49d6-81d3-5f4700cc709f", "title": "Log Volume by Agent", - "type": "lens", - "version": "7.15.0-SNAPSHOT" + "type": "lens" }, { "embeddableConfig": { "attributes": { "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, { "id": "logs-*", "name": "indexpattern-datasource-layer-47ee6385-76b6-4b42-b35d-583cd8208fb4", "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "filter-index-pattern-0", - "type": "index-pattern" } ], "state": { + "adHocDataViews": {}, "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "47ee6385-76b6-4b42-b35d-583cd8208fb4": { "columnOrder": [ @@ -226,7 +213,7 @@ "label": "Logs", "operationType": "count", "scale": "ratio", - "sourceField": "Records" + "sourceField": "___records___" } }, "incompleteColumns": {} @@ -234,41 +221,24 @@ } } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "filter-index-pattern-0", - "key": "data_stream.dataset", - "negate": false, - "params": { - "query": "hashicorp_vault.log" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "data_stream.dataset": "hashicorp_vault.log" - } - } - } - ], + "filters": [], + "internalReferences": [], "query": { "language": "kuery", "query": "" }, "visualization": { "accessor": "f9cb4f81-44c1-4b1b-9a1e-b4087e7c562f", - "layerId": "47ee6385-76b6-4b42-b35d-583cd8208fb4" + "layerId": "47ee6385-76b6-4b42-b35d-583cd8208fb4", + "layerType": "data", + "size": "xl", + "textAlign": "center", + "titlePosition": "bottom" } }, "title": "", "type": "lens", - "visualizationType": "lnsMetric" + "visualizationType": "lnsLegacyMetric" }, "enhancements": {} }, 
@@ -280,18 +250,12 @@ "y": 0 }, "panelIndex": "c875e4a1-139b-4197-b9cb-fffb0fa5ab72", - "type": "lens", - "version": "7.15.0-SNAPSHOT" + "type": "lens" }, { "embeddableConfig": { "attributes": { "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, { "id": "logs-*", "name": "indexpattern-datasource-layer-47ee6385-76b6-4b42-b35d-583cd8208fb4", @@ -299,18 +263,14 @@ }, { "id": "logs-*", - "name": "filter-index-pattern-0", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "filter-index-pattern-1", + "name": "790f312a-9594-41aa-b6a7-1c822da2114e", "type": "index-pattern" } ], "state": { + "adHocDataViews": {}, "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "47ee6385-76b6-4b42-b35d-583cd8208fb4": { "columnOrder": [ @@ -324,7 +284,7 @@ "label": "Errors", "operationType": "count", "scale": "ratio", - "sourceField": "Records" + "sourceField": "___records___" } }, "incompleteColumns": {} @@ -340,28 +300,7 @@ "meta": { "alias": null, "disabled": false, - "indexRefName": "filter-index-pattern-0", - "key": "data_stream.dataset", - "negate": false, - "params": { - "query": "hashicorp_vault.log" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "data_stream.dataset": "hashicorp_vault.log" - } - } - }, - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "filter-index-pattern-1", + "index": "790f312a-9594-41aa-b6a7-1c822da2114e", "key": "log.level", "negate": false, "params": { 
@@ -376,18 +315,23 @@ } } ], + "internalReferences": [], "query": { "language": "kuery", "query": "" }, "visualization": { "accessor": "f9cb4f81-44c1-4b1b-9a1e-b4087e7c562f", - "layerId": "47ee6385-76b6-4b42-b35d-583cd8208fb4" + "layerId": "47ee6385-76b6-4b42-b35d-583cd8208fb4", + "layerType": "data", + "size": "xl", + "textAlign": "center", + "titlePosition": "bottom" } }, "title": "", "type": "lens", - "visualizationType": "lnsMetric" + "visualizationType": "lnsLegacyMetric" }, "enhancements": {} }, @@ -399,18 +343,12 @@ "y": 0 }, "panelIndex": "fa55332a-4ac9-4c7f-b8f1-a4031542120d", - "type": "lens", - "version": "7.15.0-SNAPSHOT" + "type": "lens" }, { "embeddableConfig": { "attributes": { "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, { "id": "logs-*", "name": "indexpattern-datasource-layer-47ee6385-76b6-4b42-b35d-583cd8208fb4", @@ -418,18 +356,14 @@ }, { "id": "logs-*", - "name": "filter-index-pattern-0", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "filter-index-pattern-1", + "name": "a78d053d-68f2-4f2c-8164-c627e4a0cf84", "type": "index-pattern" } ], "state": { + "adHocDataViews": {}, "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "47ee6385-76b6-4b42-b35d-583cd8208fb4": { "columnOrder": [ @@ -459,28 +393,7 @@ "meta": { "alias": null, "disabled": false, - "indexRefName": "filter-index-pattern-0", - "key": "data_stream.dataset", - "negate": false, - "params": { - "query": "hashicorp_vault.log" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "data_stream.dataset": "hashicorp_vault.log" - } - } - }, - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "filter-index-pattern-1", + "index": "a78d053d-68f2-4f2c-8164-c627e4a0cf84", "key": "log.level", "negate": false, "params": { 
@@ -495,18 +408,23 @@ } } ], + "internalReferences": [], "query": { "language": "kuery", "query": "" }, "visualization": { "accessor": "85994c44-017f-4c95-9bec-f54add925f28", - "layerId": "47ee6385-76b6-4b42-b35d-583cd8208fb4" + "layerId": "47ee6385-76b6-4b42-b35d-583cd8208fb4", + "layerType": "data", + "size": "xl", + "textAlign": "center", + "titlePosition": "bottom" } }, "title": "", "type": "lens", - "visualizationType": "lnsMetric" + "visualizationType": "lnsLegacyMetric" }, "enhancements": {} }, 
@@ -518,48 +436,66 @@ "y": 0 }, "panelIndex": "759e3b76-90f0-453a-932c-5aee1c56ad73", - "type": "lens", - "version": "7.15.0-SNAPSHOT" + "type": "lens" }, { "embeddableConfig": { + "attributes": { + "columns": [ + "agent.name", + "log.level", + "message", + "hashicorp_vault.log" + ], + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"hashicorp_vault.log\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"hashicorp_vault.log\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "sort": [ + [ + "@timestamp", + "desc" + ] + ] + }, "enhancements": {} }, "gridData": { "h": 21, - "i": "12f4a1f5-9ea6-423c-9c5a-7ab88558f5a6", + "i": "699f7654-8949-409e-9993-24b0f4e54545", "w": 24, "x": 24, "y": 6 }, - "panelIndex": "12f4a1f5-9ea6-423c-9c5a-7ab88558f5a6", - "panelRefName": "panel_12f4a1f5-9ea6-423c-9c5a-7ab88558f5a6", - "type": "search", - "version": "7.15.0-SNAPSHOT" + "panelIndex": "699f7654-8949-409e-9993-24b0f4e54545", + "title": "[Hashicorp Vault] Operational Logs", + "type": "search" }, { "embeddableConfig": { "attributes": { "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, { "id": "logs-*", "name": "indexpattern-datasource-layer-27ad0671-d838-464d-9949-250e95bf8ebf", "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "filter-index-pattern-0", - "type": "index-pattern" } ], 
"state": { + "adHocDataViews": {}, "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "27ad0671-d838-464d-9949-250e95bf8ebf": { "columnOrder": [ @@ -592,7 +528,7 @@ "label": "Count of records", "operationType": "count", "scale": "ratio", - "sourceField": "Records" + "sourceField": "___records___" }, "fd82c7ab-1504-4210-a3bd-bdee3f875c72": { "dataType": "date", @@ -600,6 +536,7 @@ "label": "@timestamp", "operationType": "date_histogram", "params": { + "includeEmptyRows": true, "interval": "auto" }, "scale": "interval", @@ -611,29 +548,8 @@ } } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "filter-index-pattern-0", - "key": "data_stream.dataset", - "negate": false, - "params": { - "query": "hashicorp_vault.log" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "data_stream.dataset": "hashicorp_vault.log" - } - } - } - ], + "filters": [], + "internalReferences": [], "query": { "language": "kuery", "query": "" @@ -661,6 +577,7 @@ "834ca219-ed3e-4a48-b865-ac6e9d562b36" ], "layerId": "27ad0671-d838-464d-9949-250e95bf8ebf", + "layerType": "data", "position": "top", "seriesType": "bar_stacked", "showGridlines": false, @@ -670,6 +587,7 @@ ], "legend": { "isVisible": true, + "legendSize": "auto", "position": "right" }, "preferredSeriesType": "bar_stacked", 
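Review bot: The reference to the saved search `hashicorp_vault-80603d50-f4b9-11eb-a89a-7378b1713db5` (old panel `12f4a1f5-…`) disappears from this dashboard now that the log table is embedded by value, but nothing in the visible diff shows the matching `kibana/search/` object being removed; if it still ships with the package it becomes an orphaned asset that is installed but never referenced. Please confirm the saved-search file is deleted elsewhere in this PR, or note in the changelog why it is kept. Separately, the embedded `searchSourceJSON` still carries its own `data_stream.dataset: hashicorp_vault.log` phrase filter, which is now redundant with the dashboard-level filter this commit introduces; dropping it from the by-value search would keep the "one global filter" intent consistent across panels. The `panelsJSON` array and the enclosing `attributes` object start and end outside this hunk.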
@@ -703,32 +621,22 @@ }, "panelIndex": "58781719-8e14-400f-963a-8652bcf90d28", "title": "Log Volume by Level", - "type": "lens", - "version": "7.15.0-SNAPSHOT" + "type": "lens" }, { "embeddableConfig": { "attributes": { "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, { "id": "logs-*", "name": "indexpattern-datasource-layer-27ad0671-d838-464d-9949-250e95bf8ebf", "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "filter-index-pattern-0", - "type": "index-pattern" } ], "state": { + "adHocDataViews": {}, "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "27ad0671-d838-464d-9949-250e95bf8ebf": { "columnOrder": [ @@ -761,7 +669,7 @@ "label": "Count of records", "operationType": "count", "scale": "ratio", - "sourceField": "Records" + "sourceField": "___records___" }, "fd82c7ab-1504-4210-a3bd-bdee3f875c72": { "dataType": "date", @@ -769,6 +677,7 @@ "label": "@timestamp", "operationType": "date_histogram", "params": { + "includeEmptyRows": true, "interval": "auto" }, "scale": "interval", @@ -780,29 +689,8 @@ } } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "filter-index-pattern-0", - "key": "data_stream.dataset", - "negate": false, - "params": { - "query": "hashicorp_vault.log" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "data_stream.dataset": "hashicorp_vault.log" - } - } - } - ], + "filters": [], + "internalReferences": [], "query": { "language": "kuery", "query": "" @@ -830,6 +718,7 @@ "834ca219-ed3e-4a48-b865-ac6e9d562b36" ], "layerId": "27ad0671-d838-464d-9949-250e95bf8ebf", + "layerType": "data", "position": "top", "seriesType": "bar_stacked", "showGridlines": false, @@ -839,6 +728,7 @@ ], "legend": { "isVisible": true, + "legendSize": "auto", "position": "right" }, "preferredSeriesType": "bar_stacked", 
@@ -872,23 +762,21 @@ }, "panelIndex": "f9db514e-50b6-44bc-b142-252f6b11ba02", "title": "Log Volume by Logger", - "type": "lens", - "version": "7.15.0-SNAPSHOT" + "type": "lens" } ], "timeRestore": false, "title": "[Hashicorp Vault] Operational Logs", "version": 1 }, - "coreMigrationVersion": "7.15.0", + "coreMigrationVersion": "8.8.0", + "created_at": "2024-04-15T06:22:35.792Z", "id": "hashicorp_vault-1f321db0-f4b8-11eb-a89a-7378b1713db5", - "migrationVersion": { - "dashboard": "7.14.0" - }, + "managed": false, "references": [ { "id": "logs-*", - "name": "1ac68c0e-3c5a-49d6-81d3-5f4700cc709f:indexpattern-datasource-current-indexpattern", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern" }, { @@ -896,31 +784,11 @@ "name": "1ac68c0e-3c5a-49d6-81d3-5f4700cc709f:indexpattern-datasource-layer-27ad0671-d838-464d-9949-250e95bf8ebf", "type": "index-pattern" }, - { - "id": "logs-*", - "name": "1ac68c0e-3c5a-49d6-81d3-5f4700cc709f:filter-index-pattern-0", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "c875e4a1-139b-4197-b9cb-fffb0fa5ab72:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, { "id": "logs-*", "name": "c875e4a1-139b-4197-b9cb-fffb0fa5ab72:indexpattern-datasource-layer-47ee6385-76b6-4b42-b35d-583cd8208fb4", "type": "index-pattern" }, - { - "id": "logs-*", - "name": "c875e4a1-139b-4197-b9cb-fffb0fa5ab72:filter-index-pattern-0", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "fa55332a-4ac9-4c7f-b8f1-a4031542120d:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, { "id": "logs-*", "name": "fa55332a-4ac9-4c7f-b8f1-a4031542120d:indexpattern-datasource-layer-47ee6385-76b6-4b42-b35d-583cd8208fb4", 
@@ -928,17 +796,7 @@ }, { "id": "logs-*", - "name": "fa55332a-4ac9-4c7f-b8f1-a4031542120d:filter-index-pattern-0", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "fa55332a-4ac9-4c7f-b8f1-a4031542120d:filter-index-pattern-1", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "759e3b76-90f0-453a-932c-5aee1c56ad73:indexpattern-datasource-current-indexpattern", + "name": "fa55332a-4ac9-4c7f-b8f1-a4031542120d:790f312a-9594-41aa-b6a7-1c822da2114e", "type": "index-pattern" }, { @@ -948,22 +806,17 @@ }, { "id": "logs-*", - "name": "759e3b76-90f0-453a-932c-5aee1c56ad73:filter-index-pattern-0", + "name": "759e3b76-90f0-453a-932c-5aee1c56ad73:a78d053d-68f2-4f2c-8164-c627e4a0cf84", "type": "index-pattern" }, { "id": "logs-*", - "name": "759e3b76-90f0-453a-932c-5aee1c56ad73:filter-index-pattern-1", + "name": "699f7654-8949-409e-9993-24b0f4e54545:kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern" }, - { - "id": "hashicorp_vault-80603d50-f4b9-11eb-a89a-7378b1713db5", - "name": "12f4a1f5-9ea6-423c-9c5a-7ab88558f5a6:panel_12f4a1f5-9ea6-423c-9c5a-7ab88558f5a6", - "type": "search" - }, { "id": "logs-*", - "name": "58781719-8e14-400f-963a-8652bcf90d28:indexpattern-datasource-current-indexpattern", + "name": "699f7654-8949-409e-9993-24b0f4e54545:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern" }, { 
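Review bot: Dropping the `search` reference `hashicorp_vault-80603d50-f4b9-11eb-a89a-7378b1713db5` (the `12f4a1f5-…:panel_12f4a1f5-…` entry in the `@@ -948,22 +806,17 @@` hunk) goes together with the deletion of that saved search later in this diff, and that is a user-visible removal rather than a filter change: any custom dashboard that embeds the Operational Logs search by id will show a missing-reference error after the package upgrade. The two new `699f7654-…:kibanaSavedObjectMeta.searchSourceJSON.index` / `….filter[0].meta.index` references suggest the search was converted to a by-value panel, but the panel itself is outside this chunk so I cannot confirm it. The hashicorp_vault changelog is also outside the chunk; its entry for this version should name the deleted saved search next to the "global filter" wording so that the removal is discoverable. The `references` array this hunk edits continues past the end of the hunk.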
@@ -971,26 +824,12 @@ "name": "58781719-8e14-400f-963a-8652bcf90d28:indexpattern-datasource-layer-27ad0671-d838-464d-9949-250e95bf8ebf", "type": "index-pattern" }, - { - "id": "logs-*", - "name": "58781719-8e14-400f-963a-8652bcf90d28:filter-index-pattern-0", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "f9db514e-50b6-44bc-b142-252f6b11ba02:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, { "id": "logs-*", "name": "f9db514e-50b6-44bc-b142-252f6b11ba02:indexpattern-datasource-layer-27ad0671-d838-464d-9949-250e95bf8ebf", "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "f9db514e-50b6-44bc-b142-252f6b11ba02:filter-index-pattern-0", - "type": "index-pattern" } ], - "type": "dashboard" + "type": "dashboard", + "typeMigrationVersion": "8.9.0" } \ No newline at end of file diff --git a/packages/hashicorp_vault/kibana/dashboard/hashicorp_vault-64b51280-f4ad-11eb-a89a-7378b1713db5.json b/packages/hashicorp_vault/kibana/dashboard/hashicorp_vault-64b51280-f4ad-11eb-a89a-7378b1713db5.json index 077c90fbf32..98becc4dba1 100644 --- a/packages/hashicorp_vault/kibana/dashboard/hashicorp_vault-64b51280-f4ad-11eb-a89a-7378b1713db5.json +++ b/packages/hashicorp_vault/kibana/dashboard/hashicorp_vault-64b51280-f4ad-11eb-a89a-7378b1713db5.json @@ -1,10 +1,32 @@ { "attributes": { "description": "Hashicorp Vault audit logs overview.", - "hits": 0, "kibanaSavedObjectMeta": { "searchSourceJSON": { - "filter": [], + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "hashicorp_vault.audit" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "hashicorp_vault.audit" + } + } + } + ], "query": { "language": "kuery", "query": "" 
@@ -14,6 +36,8 @@ "optionsJSON": { "hidePanelTitles": false, "syncColors": false, + "syncCursor": true, + "syncTooltips": false, "useMargins": true }, "panelsJSON": [ @@ -21,11 +45,6 @@ "embeddableConfig": { "attributes": { "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, { "id": "logs-*", "name": "indexpattern-datasource-layer-2fd4f863-dc26-44d1-9b43-7f4fc3ed14c0", @@ -33,18 +52,14 @@ }, { "id": "logs-*", - "name": "filter-index-pattern-0", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "filter-index-pattern-1", + "name": "ad2e922f-96e8-40d3-9500-e655908bd26e", "type": "index-pattern" } ], "state": { + "adHocDataViews": {}, "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "2fd4f863-dc26-44d1-9b43-7f4fc3ed14c0": { "columnOrder": [ @@ -58,7 +73,7 @@ "label": "Requests", "operationType": "count", "scale": "ratio", - "sourceField": "Records" + "sourceField": "___records___" } }, "incompleteColumns": {} @@ -74,28 +89,7 @@ "meta": { "alias": null, "disabled": false, - "indexRefName": "filter-index-pattern-0", - "key": "data_stream.dataset", - "negate": false, - "params": { - "query": "hashicorp_vault.audit" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "data_stream.dataset": "hashicorp_vault.audit" - } - } - }, - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "filter-index-pattern-1", + "index": "ad2e922f-96e8-40d3-9500-e655908bd26e", "key": "hashicorp_vault.audit.type", "negate": false, "params": { 
@@ -110,18 +104,23 @@ } } ], + "internalReferences": [], "query": { "language": "kuery", "query": "" }, "visualization": { "accessor": "c48424bb-1a3b-47e2-8e0b-aa98eac0cdad", - "layerId": "2fd4f863-dc26-44d1-9b43-7f4fc3ed14c0" + "layerId": "2fd4f863-dc26-44d1-9b43-7f4fc3ed14c0", + "layerType": "data", + "size": "xl", + "textAlign": "center", + "titlePosition": "bottom" } }, "title": "", "type": "lens", - "visualizationType": "lnsMetric" + "visualizationType": "lnsLegacyMetric" }, "enhancements": {} }, @@ -133,18 +132,12 @@ "y": 0 }, "panelIndex": "83f33557-0d9d-4e73-bb7e-227b39132484", - "type": "lens", - "version": "7.15.0-SNAPSHOT" + "type": "lens" }, { "embeddableConfig": { "attributes": { "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, { "id": "logs-*", "name": "indexpattern-datasource-layer-b847cacb-e41b-429c-8f53-8cdf53bea465", @@ -152,23 +145,19 @@ }, { "id": "logs-*", - "name": "filter-index-pattern-0", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "filter-index-pattern-1", + "name": "d17f7019-fc4d-4514-8183-38dc211c1362", "type": "index-pattern" }, { "id": "logs-*", - "name": "filter-index-pattern-2", + "name": "1a87a732-5f09-4ac9-ad30-ca08f3cc7958", "type": "index-pattern" } ], "state": { + "adHocDataViews": {}, "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "b847cacb-e41b-429c-8f53-8cdf53bea465": { "columnOrder": [ @@ -182,7 +171,7 @@ "label": "Requests with root token policy", "operationType": "count", "scale": "ratio", - "sourceField": "Records" + "sourceField": "___records___" } }, "incompleteColumns": {} 
@@ -198,28 +187,7 @@ "meta": { "alias": null, "disabled": false, - "indexRefName": "filter-index-pattern-0", - "key": "data_stream.dataset", - "negate": false, - "params": { - "query": "hashicorp_vault.audit" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "data_stream.dataset": "hashicorp_vault.audit" - } - } - }, - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "filter-index-pattern-1", + "index": "d17f7019-fc4d-4514-8183-38dc211c1362", "key": "hashicorp_vault.audit.auth.policies", "negate": false, "params": { @@ -240,7 +208,7 @@ "meta": { "alias": null, "disabled": false, - "indexRefName": "filter-index-pattern-2", + "index": "1a87a732-5f09-4ac9-ad30-ca08f3cc7958", "key": "hashicorp_vault.audit.type", "negate": false, "params": { @@ -255,18 +223,23 @@ } } ], + "internalReferences": [], "query": { "language": "kuery", "query": "" }, "visualization": { "accessor": "6a4f3808-ff70-42b5-8357-752540a94412", - "layerId": "b847cacb-e41b-429c-8f53-8cdf53bea465" + "layerId": "b847cacb-e41b-429c-8f53-8cdf53bea465", + "layerType": "data", + "size": "xl", + "textAlign": "center", + "titlePosition": "bottom" } }, "title": "", "type": "lens", - "visualizationType": "lnsMetric" + "visualizationType": "lnsLegacyMetric" }, "enhancements": {} }, @@ -278,18 +251,12 @@ "y": 0 }, "panelIndex": "0232f3be-806f-40d8-ae0b-40aa512e6541", - "type": "lens", - "version": "7.15.0-SNAPSHOT" + "type": "lens" }, { "embeddableConfig": { "attributes": { "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, { "id": "logs-*", "name": "indexpattern-datasource-layer-2fd4f863-dc26-44d1-9b43-7f4fc3ed14c0", 
@@ -297,23 +264,19 @@ }, { "id": "logs-*", - "name": "filter-index-pattern-0", + "name": "8f50cfee-73e2-48a5-8e3d-a4eb5205a259", "type": "index-pattern" }, { "id": "logs-*", - "name": "filter-index-pattern-1", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "filter-index-pattern-2", + "name": "a5d47787-03bd-47e7-a57f-37397713e2f9", "type": "index-pattern" } ], "state": { + "adHocDataViews": {}, "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "2fd4f863-dc26-44d1-9b43-7f4fc3ed14c0": { "columnOrder": [ @@ -327,7 +290,7 @@ "label": "Denied Requests", "operationType": "count", "scale": "ratio", - "sourceField": "Records" + "sourceField": "___records___" } }, "incompleteColumns": {} @@ -343,28 +306,7 @@ "meta": { "alias": null, "disabled": false, - "indexRefName": "filter-index-pattern-0", - "key": "data_stream.dataset", - "negate": false, - "params": { - "query": "hashicorp_vault.audit" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "data_stream.dataset": "hashicorp_vault.audit" - } - } - }, - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "filter-index-pattern-1", + "index": "8f50cfee-73e2-48a5-8e3d-a4eb5205a259", "key": "hashicorp_vault.audit.type", "negate": false, "params": { @@ -385,7 +327,7 @@ "meta": { "alias": null, "disabled": false, - "indexRefName": "filter-index-pattern-2", + "index": "a5d47787-03bd-47e7-a57f-37397713e2f9", "key": "event.type", "negate": false, "params": { 
@@ -400,18 +342,23 @@ } } ], + "internalReferences": [], "query": { "language": "kuery", "query": "" }, "visualization": { "accessor": "c48424bb-1a3b-47e2-8e0b-aa98eac0cdad", - "layerId": "2fd4f863-dc26-44d1-9b43-7f4fc3ed14c0" + "layerId": "2fd4f863-dc26-44d1-9b43-7f4fc3ed14c0", + "layerType": "data", + "size": "xl", + "textAlign": "center", + "titlePosition": "bottom" } }, "title": "", "type": "lens", - "visualizationType": "lnsMetric" + "visualizationType": "lnsLegacyMetric" }, "enhancements": {} }, @@ -423,32 +370,22 @@ "y": 0 }, "panelIndex": "23805a5e-7dde-403d-bc28-3314fd3db7d4", - "type": "lens", - "version": "7.15.0-SNAPSHOT" + "type": "lens" }, { "embeddableConfig": { "attributes": { "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, { "id": "logs-*", "name": "indexpattern-datasource-layer-489fa819-f474-4d04-a6be-fe36193109b0", "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "filter-index-pattern-0", - "type": "index-pattern" } ], "state": { + "adHocDataViews": {}, "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "489fa819-f474-4d04-a6be-fe36193109b0": { "columnOrder": [ @@ -481,7 +418,7 @@ "label": "Count of records", "operationType": "count", "scale": "ratio", - "sourceField": "Records" + "sourceField": "___records___" } }, "incompleteColumns": {} @@ -489,29 +426,8 @@ } } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "filter-index-pattern-0", - "key": "data_stream.dataset", - "negate": false, - "params": { - "query": "hashicorp_vault.audit" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "data_stream.dataset": "hashicorp_vault.audit" - } - } - } - ], + "filters": [], + "internalReferences": [], "query": { "language": "kuery", "query": "" 
@@ -520,14 +436,18 @@ "layers": [ { "categoryDisplay": "default", - "groups": [ - "300deebb-15ad-44be-98b7-1dbe04d6b19d" - ], "layerId": "489fa819-f474-4d04-a6be-fe36193109b0", + "layerType": "data", "legendDisplay": "show", - "metric": "4463bb63-735c-4f2e-99d8-c0e71a836b13", + "legendSize": "auto", + "metrics": [ + "4463bb63-735c-4f2e-99d8-c0e71a836b13" + ], "nestedLegend": false, - "numberDisplay": "percent" + "numberDisplay": "percent", + "primaryGroups": [ + "300deebb-15ad-44be-98b7-1dbe04d6b19d" + ] } ], "shape": "donut" @@ -549,32 +469,22 @@ }, "panelIndex": "9087a437-92b3-4cb4-a750-ae68b0858e09", "title": "Mount Type", - "type": "lens", - "version": "7.15.0-SNAPSHOT" + "type": "lens" }, { "embeddableConfig": { "attributes": { "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, { "id": "logs-*", "name": "indexpattern-datasource-layer-2c264c26-91e6-4a34-aea3-01d6f88ed30b", "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "filter-index-pattern-0", - "type": "index-pattern" } ], "state": { + "adHocDataViews": {}, "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "2c264c26-91e6-4a34-aea3-01d6f88ed30b": { "columnOrder": [ @@ -588,7 +498,7 @@ "label": "Count of records", "operationType": "count", "scale": "ratio", - "sourceField": "Records" + "sourceField": "___records___" }, "d5f83108-804a-43e1-860a-aa4a81914a1c": { "dataType": "string", @@ -614,29 +524,8 @@ } } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "filter-index-pattern-0", - "key": "data_stream.dataset", - "negate": false, - "params": { - "query": "hashicorp_vault.audit" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "data_stream.dataset": "hashicorp_vault.audit" - } - } - } - ], + "filters": [], + "internalReferences": [], "query": { "language": "kuery", "query": "" 
@@ -645,14 +534,18 @@ "layers": [ { "categoryDisplay": "default", - "groups": [ - "d5f83108-804a-43e1-860a-aa4a81914a1c" - ], "layerId": "2c264c26-91e6-4a34-aea3-01d6f88ed30b", + "layerType": "data", "legendDisplay": "default", - "metric": "c3d83176-87df-4196-a0a4-c52050c7b024", + "legendSize": "auto", + "metrics": [ + "c3d83176-87df-4196-a0a4-c52050c7b024" + ], "nestedLegend": false, - "numberDisplay": "percent" + "numberDisplay": "percent", + "primaryGroups": [ + "d5f83108-804a-43e1-860a-aa4a81914a1c" + ] } ], "palette": { @@ -678,32 +571,22 @@ }, "panelIndex": "4db8db34-66f4-4f1c-ba4b-53cafe0c21a3", "title": "Auth Token Policies", - "type": "lens", - "version": "7.15.0-SNAPSHOT" + "type": "lens" }, { "embeddableConfig": { "attributes": { "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, { "id": "logs-*", "name": "indexpattern-datasource-layer-791d2c5a-3c3a-4225-8221-6e03777579de", "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "filter-index-pattern-0", - "type": "index-pattern" } ], "state": { + "adHocDataViews": {}, "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "791d2c5a-3c3a-4225-8221-6e03777579de": { "columnOrder": [ @@ -737,6 +620,7 @@ "label": "@timestamp", "operationType": "date_histogram", "params": { + "includeEmptyRows": true, "interval": "auto" }, "scale": "interval", @@ -749,7 +633,7 @@ "label": "Total Events", "operationType": "count", "scale": "ratio", - "sourceField": "Records" + "sourceField": "___records___" } }, "incompleteColumns": {} 
@@ -757,29 +641,8 @@ } } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "filter-index-pattern-0", - "key": "data_stream.dataset", - "negate": false, - "params": { - "query": "hashicorp_vault.audit" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "data_stream.dataset": "hashicorp_vault.audit" - } - } - } - ], + "filters": [], + "internalReferences": [], "query": { "language": "kuery", "query": "" @@ -791,6 +654,7 @@ "ae60a0fa-37fb-42ca-8f3d-bc2b02daf701" ], "layerId": "791d2c5a-3c3a-4225-8221-6e03777579de", + "layerType": "data", "palette": { "name": "status", "type": "palette" @@ -804,6 +668,7 @@ ], "legend": { "isVisible": true, + "legendSize": "auto", "position": "right" }, "preferredSeriesType": "bar_stacked", @@ -833,32 +698,22 @@ }, "panelIndex": "62d57354-4600-4729-a898-1b0e5eee57af", "title": "Event Outcome", - "type": "lens", - "version": "7.15.0-SNAPSHOT" + "type": "lens" }, { "embeddableConfig": { "attributes": { "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, { "id": "logs-*", "name": "indexpattern-datasource-layer-874c0b4f-299a-4ae6-a04d-c06072907352", "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "filter-index-pattern-0", - "type": "index-pattern" } ], "state": { + "adHocDataViews": {}, "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "874c0b4f-299a-4ae6-a04d-c06072907352": { "columnOrder": [ @@ -891,7 +746,7 @@ "label": "Count of records", "operationType": "count", "scale": "ratio", - "sourceField": "Records" + "sourceField": "___records___" } }, "incompleteColumns": {} 
@@ -899,29 +754,8 @@ } } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "filter-index-pattern-0", - "key": "data_stream.dataset", - "negate": false, - "params": { - "query": "hashicorp_vault.audit" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "data_stream.dataset": "hashicorp_vault.audit" - } - } - } - ], + "filters": [], + "internalReferences": [], "query": { "language": "kuery", "query": "" @@ -949,6 +783,7 @@ "d4a9db3d-1864-4a8e-b255-34f3516babd2" ], "layerId": "874c0b4f-299a-4ae6-a04d-c06072907352", + "layerType": "data", "position": "top", "seriesType": "bar_horizontal", "showGridlines": false, @@ -957,6 +792,7 @@ ], "legend": { "isVisible": true, + "legendSize": "auto", "position": "right" }, "preferredSeriesType": "bar_horizontal", @@ -990,32 +826,22 @@ }, "panelIndex": "a088f6c5-449d-4515-9665-b7a96aaa5cc5", "title": "Operation Type", - "type": "lens", - "version": "7.15.0-SNAPSHOT" + "type": "lens" }, { "embeddableConfig": { "attributes": { "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, { "id": "logs-*", "name": "indexpattern-datasource-layer-7ac3e29e-e4e0-4e19-bac4-22565cfe0bcb", "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "filter-index-pattern-0", - "type": "index-pattern" } ], "state": { + "adHocDataViews": {}, "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "7ac3e29e-e4e0-4e19-bac4-22565cfe0bcb": { "columnOrder": [ @@ -1047,7 +873,7 @@ "label": "Count of records", "operationType": "count", "scale": "ratio", - "sourceField": "Records" + "sourceField": "___records___" } }, "incompleteColumns": {} 
@@ -1055,29 +881,8 @@ } } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "filter-index-pattern-0", - "key": "data_stream.dataset", - "negate": false, - "params": { - "query": "hashicorp_vault.audit" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "data_stream.dataset": "hashicorp_vault.audit" - } - } - } - ], + "filters": [], + "internalReferences": [], "query": { "language": "kuery", "query": "" @@ -1086,14 +891,18 @@ "layers": [ { "categoryDisplay": "default", - "groups": [ - "602d11b6-cd45-45ba-b1fa-6430016e4eda" - ], "layerId": "7ac3e29e-e4e0-4e19-bac4-22565cfe0bcb", + "layerType": "data", "legendDisplay": "show", - "metric": "8f9e210a-1ce1-4b3d-8f87-2a80fe3e034b", + "legendSize": "auto", + "metrics": [ + "8f9e210a-1ce1-4b3d-8f87-2a80fe3e034b" + ], "nestedLegend": false, - "numberDisplay": "percent" + "numberDisplay": "percent", + "primaryGroups": [ + "602d11b6-cd45-45ba-b1fa-6430016e4eda" + ] } ], "shape": "donut" 
@@ -1115,14 +924,13 @@ }, "panelIndex": "1c552cd9-e6c2-4b0a-87a8-7bdc13f7ce61", "title": "Event Type", - "type": "lens", - "version": "7.15.0-SNAPSHOT" + "type": "lens" }, { "embeddableConfig": { "attributes": { "description": "", - "layerListJSON": "[{\"sourceDescriptor\":{\"type\":\"EMS_TMS\",\"isAutoSelect\":true},\"id\":\"d6bce6c1-3b22-4697-ab6d-3073b7064328\",\"label\":null,\"minZoom\":0,\"maxZoom\":24,\"alpha\":1,\"visible\":true,\"style\":{\"type\":\"TILE\"},\"includeInFitToBounds\":true,\"type\":\"VECTOR_TILE\"},{\"sourceDescriptor\":{\"indexPatternId\":\"logs-*\",\"geoField\":\"source.geo.location\",\"filterByMapBounds\":true,\"scalingType\":\"CLUSTERS\",\"id\":\"4d111e7b-044b-44c0-a962-7dc284f4f0f2\",\"type\":\"ES_SEARCH\",\"applyGlobalQuery\":true,\"applyGlobalTime\":true,\"tooltipProperties\":[],\"sortField\":\"\",\"sortOrder\":\"desc\",\"topHitsSplitField\":\"\",\"topHitsSize\":1},\"id\":\"58c4d1f7-a53b-4b96-be01-93fc8e8232cc\",\"label\":\"Source Location\",\"minZoom\":0,\"maxZoom\":24,\"alpha\":0.75,\"visible\":true,\"style\":{\"type\":\"VECTOR\",\"properties\":{\"icon\":{\"type\":\"STATIC\",\"options\":{\"value\":\"marker\"}},\"fillColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#54B399\"}},\"lineColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#41937c\"}},\"lineWidth\":{\"type\":\"STATIC\",\"options\":{\"size\":1}},\"iconSize\":{\"type\":\"STATIC\",\"options\":{\"size\":6}},\"iconOrientation\":{\"type\":\"STATIC\",\"options\":{\"orientation\":0}},\"labelText\":{\"type\":\"STATIC\",\"options\":{\"value\":\"\"}},\"labelColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#000000\"}},\"labelSize\":{\"type\":\"STATIC\",\"options\":{\"size\":14}},\"labelBorderColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#FFFFFF\"}},\"symbolizeAs\":{\"options\":{\"value\":\"circle\"}},\"labelBorderSize\":{\"options\":{\"size\":\"SMALL\"}}},\"isTimeAware\":true},\"includeInFitToBounds\":true,\"type\":\"BLENDED_VECTOR\",\"joins\":[],\"query\":{\"query\":
\"data_stream.dataset:\\\"hashicorp_vault.audit\\\" \",\"language\":\"kuery\"}}]", + "layerListJSON": "[{\"sourceDescriptor\":{\"type\":\"EMS_TMS\",\"isAutoSelect\":true,\"lightModeDefault\":\"road_map\"},\"id\":\"d6bce6c1-3b22-4697-ab6d-3073b7064328\",\"label\":null,\"minZoom\":0,\"maxZoom\":24,\"alpha\":1,\"visible\":true,\"style\":{\"type\":\"TILE\"},\"includeInFitToBounds\":true,\"type\":\"EMS_VECTOR_TILE\"},{\"sourceDescriptor\":{\"geoField\":\"source.geo.location\",\"filterByMapBounds\":true,\"scalingType\":\"CLUSTERS\",\"id\":\"4d111e7b-044b-44c0-a962-7dc284f4f0f2\",\"type\":\"ES_SEARCH\",\"applyGlobalQuery\":true,\"applyGlobalTime\":true,\"tooltipProperties\":[],\"sortField\":\"\",\"sortOrder\":\"desc\",\"topHitsSplitField\":\"\",\"topHitsSize\":1,\"indexPatternRefName\":\"layer_1_source_index_pattern\"},\"id\":\"58c4d1f7-a53b-4b96-be01-93fc8e8232cc\",\"label\":\"Source Location\",\"minZoom\":0,\"maxZoom\":24,\"alpha\":0.75,\"visible\":true,\"style\":{\"type\":\"VECTOR\",\"properties\":{\"icon\":{\"type\":\"STATIC\",\"options\":{\"value\":\"marker\"}},\"fillColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#54B399\"}},\"lineColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#41937c\"}},\"lineWidth\":{\"type\":\"STATIC\",\"options\":{\"size\":1}},\"iconSize\":{\"type\":\"STATIC\",\"options\":{\"size\":6}},\"iconOrientation\":{\"type\":\"STATIC\",\"options\":{\"orientation\":0}},\"labelText\":{\"type\":\"STATIC\",\"options\":{\"value\":\"\"}},\"labelColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#000000\"}},\"labelSize\":{\"type\":\"STATIC\",\"options\":{\"size\":14}},\"labelBorderColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#FFFFFF\"}},\"symbolizeAs\":{\"options\":{\"value\":\"circle\"}},\"labelBorderSize\":{\"options\":{\"size\":\"SMALL\"}}},\"isTimeAware\":true},\"includeInFitToBounds\":true,\"type\":\"BLENDED_VECTOR\",\"joins\":[],\"query\":{\"query\":\"data_stream.dataset:\\\"hashicorp_vault.audit\\\" \",\"language\":\"kuery\"}}]", 
"mapStateJSON": "{\"zoom\":1.53,\"center\":{\"lon\":0,\"lat\":19.94277},\"timeFilters\":{\"from\":\"now-30d/d\",\"to\":\"now\"},\"refreshConfig\":{\"isPaused\":true,\"interval\":0},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"settings\":{\"autoFitToDataBounds\":false,\"backgroundColor\":\"#ffffff\",\"disableInteractive\":false,\"disableTooltipControl\":false,\"hideToolbarOverlay\":false,\"hideLayerControl\":false,\"hideViewControl\":false,\"initialLocation\":\"LAST_SAVED_LOCATION\",\"fixedLocation\":{\"lat\":0,\"lon\":0,\"zoom\":2},\"browserLocation\":{\"zoom\":2},\"maxZoom\":24,\"minZoom\":0,\"showScaleControl\":false,\"showSpatialFilters\":true,\"showTimesliderToggleButton\":true,\"spatialFiltersAlpa\":0.3,\"spatialFiltersFillColor\":\"#DA8B45\",\"spatialFiltersLineColor\":\"#DA8B45\"}}", "title": "", "uiStateJSON": "{\"isLayerTOCOpen\":true,\"openTOCDetails\":[]}" @@ -1153,23 +961,21 @@ }, "panelIndex": "761dd3e0-7eb2-4738-a475-1007d78b900f", "title": "Source Locations", - "type": "map", - "version": "7.15.0-SNAPSHOT" + "type": "map" } ], "timeRestore": false, "title": "[Hashicorp Vault] Audit Logs", "version": 1 }, - "coreMigrationVersion": "7.15.0", + "coreMigrationVersion": "8.8.0", + "created_at": "2024-04-15T06:25:07.396Z", "id": "hashicorp_vault-64b51280-f4ad-11eb-a89a-7378b1713db5", - "migrationVersion": { - "dashboard": "7.14.0" - }, + "managed": false, "references": [ { "id": "logs-*", - "name": "83f33557-0d9d-4e73-bb7e-227b39132484:indexpattern-datasource-current-indexpattern", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern" }, { 
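Review bot: The rewritten `layerListJSON` in the `@@ -1115,14 +924,13 @@` hunk keeps the map layer's own query `data_stream.dataset:\"hashicorp_vault.audit\"` while the same constraint is now applied dashboard-wide by the `kibanaSavedObjectMeta.searchSourceJSON.filter[0]` entry added at the top of this file, and the layer already has `applyGlobalQuery:true`, so the dashboard filter reaches it. Every Lens panel in this file had its per-panel dataset filter removed, which leaves the map as the one panel still carrying a duplicate that can drift from the global filter on a later edit. Replacing the fragment with `\"query\":{\"query\":\"\",\"language\":\"kuery\"}` keeps the dataset scoping in a single place; the layer is embedded as a JSON string, so the change is confined to that one escaped fragment.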
@@ -1179,17 +985,7 @@ }, { "id": "logs-*", - "name": "83f33557-0d9d-4e73-bb7e-227b39132484:filter-index-pattern-0", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "83f33557-0d9d-4e73-bb7e-227b39132484:filter-index-pattern-1", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "0232f3be-806f-40d8-ae0b-40aa512e6541:indexpattern-datasource-current-indexpattern", + "name": "83f33557-0d9d-4e73-bb7e-227b39132484:ad2e922f-96e8-40d3-9500-e655908bd26e", "type": "index-pattern" }, { @@ -1199,22 +995,12 @@ }, { "id": "logs-*", - "name": "0232f3be-806f-40d8-ae0b-40aa512e6541:filter-index-pattern-0", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "0232f3be-806f-40d8-ae0b-40aa512e6541:filter-index-pattern-1", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "0232f3be-806f-40d8-ae0b-40aa512e6541:filter-index-pattern-2", + "name": "0232f3be-806f-40d8-ae0b-40aa512e6541:d17f7019-fc4d-4514-8183-38dc211c1362", "type": "index-pattern" }, { "id": "logs-*", - "name": "23805a5e-7dde-403d-bc28-3314fd3db7d4:indexpattern-datasource-current-indexpattern", + "name": "0232f3be-806f-40d8-ae0b-40aa512e6541:1a87a732-5f09-4ac9-ad30-ca08f3cc7958", "type": "index-pattern" }, { @@ -1224,22 +1010,12 @@ }, { "id": "logs-*", - "name": "23805a5e-7dde-403d-bc28-3314fd3db7d4:filter-index-pattern-0", + "name": "23805a5e-7dde-403d-bc28-3314fd3db7d4:8f50cfee-73e2-48a5-8e3d-a4eb5205a259", "type": "index-pattern" }, { "id": "logs-*", - "name": "23805a5e-7dde-403d-bc28-3314fd3db7d4:filter-index-pattern-1", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "23805a5e-7dde-403d-bc28-3314fd3db7d4:filter-index-pattern-2", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "9087a437-92b3-4cb4-a750-ae68b0858e09:indexpattern-datasource-current-indexpattern", + "name": "23805a5e-7dde-403d-bc28-3314fd3db7d4:a5d47787-03bd-47e7-a57f-37397713e2f9", "type": "index-pattern" }, { 
@@ -1247,76 +1023,32 @@ "name": "9087a437-92b3-4cb4-a750-ae68b0858e09:indexpattern-datasource-layer-489fa819-f474-4d04-a6be-fe36193109b0", "type": "index-pattern" }, - { - "id": "logs-*", - "name": "9087a437-92b3-4cb4-a750-ae68b0858e09:filter-index-pattern-0", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "4db8db34-66f4-4f1c-ba4b-53cafe0c21a3:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, { "id": "logs-*", "name": "4db8db34-66f4-4f1c-ba4b-53cafe0c21a3:indexpattern-datasource-layer-2c264c26-91e6-4a34-aea3-01d6f88ed30b", "type": "index-pattern" }, - { - "id": "logs-*", - "name": "4db8db34-66f4-4f1c-ba4b-53cafe0c21a3:filter-index-pattern-0", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "62d57354-4600-4729-a898-1b0e5eee57af:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, { "id": "logs-*", "name": "62d57354-4600-4729-a898-1b0e5eee57af:indexpattern-datasource-layer-791d2c5a-3c3a-4225-8221-6e03777579de", "type": "index-pattern" }, - { - "id": "logs-*", - "name": "62d57354-4600-4729-a898-1b0e5eee57af:filter-index-pattern-0", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "a088f6c5-449d-4515-9665-b7a96aaa5cc5:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, { "id": "logs-*", "name": "a088f6c5-449d-4515-9665-b7a96aaa5cc5:indexpattern-datasource-layer-874c0b4f-299a-4ae6-a04d-c06072907352", "type": "index-pattern" }, - { - "id": "logs-*", - "name": "a088f6c5-449d-4515-9665-b7a96aaa5cc5:filter-index-pattern-0", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "1c552cd9-e6c2-4b0a-87a8-7bdc13f7ce61:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, { "id": "logs-*", "name": "1c552cd9-e6c2-4b0a-87a8-7bdc13f7ce61:indexpattern-datasource-layer-7ac3e29e-e4e0-4e19-bac4-22565cfe0bcb", "type": "index-pattern" }, - { - "id": "logs-*", - "name": "1c552cd9-e6c2-4b0a-87a8-7bdc13f7ce61:filter-index-pattern-0", - 
"type": "index-pattern" - }, { "id": "logs-*", "name": "761dd3e0-7eb2-4738-a475-1007d78b900f:layer_1_source_index_pattern", "type": "index-pattern" } ], - "type": "dashboard" + "type": "dashboard", + "typeMigrationVersion": "8.9.0" } \ No newline at end of file diff --git a/packages/hashicorp_vault/kibana/search/hashicorp_vault-80603d50-f4b9-11eb-a89a-7378b1713db5.json b/packages/hashicorp_vault/kibana/search/hashicorp_vault-80603d50-f4b9-11eb-a89a-7378b1713db5.json deleted file mode 100644 index 29ac4f6816b..00000000000 --- a/packages/hashicorp_vault/kibana/search/hashicorp_vault-80603d50-f4b9-11eb-a89a-7378b1713db5.json +++ /dev/null @@ -1,70 +0,0 @@ -{ - "attributes": { - "columns": [ - "agent.name", - "log.level", - "message", - "hashicorp_vault.log" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "data_stream.dataset", - "negate": false, - "params": { - "query": "hashicorp_vault.log" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "data_stream.dataset": "hashicorp_vault.log" - } - } - } - ], - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", - "query": { - "language": "kuery", - "query": "" - } - } - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Hashicorp Vault] Operational Logs", - "version": 1 - }, - "coreMigrationVersion": "7.15.0", - "id": "hashicorp_vault-80603d50-f4b9-11eb-a89a-7378b1713db5", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file 
diff --git a/packages/hashicorp_vault/manifest.yml b/packages/hashicorp_vault/manifest.yml
index d9d88ae6cb4..847f539c069 100644
--- a/packages/hashicorp_vault/manifest.yml
+++ b/packages/hashicorp_vault/manifest.yml
@@ -1,7 +1,7 @@
 format_version: "3.0.3"
 name: hashicorp_vault
 title: Hashicorp Vault
-version: "1.24.0"
+version: "1.25.0"
 description: Collect logs and metrics from Hashicorp Vault with Elastic Agent.
 type: integration
 categories:
diff --git a/packages/hashicorp_vault/validation.yml b/packages/hashicorp_vault/validation.yml
deleted file mode 100644
index 9dcaa3b03ff..00000000000
--- a/packages/hashicorp_vault/validation.yml
+++ /dev/null
@@ -1,5 +0,0 @@
-errors:
-  exclude_checks:
-    - SVR00002 # Mandatory filters in dashboards.
-    - SVR00004 # References in dashboards.
-    - SVR00005 # Kibana version for saved tags.
diff --git a/packages/kafka/changelog.yml b/packages/kafka/changelog.yml
index 14b41a8e6c3..854349e1d45 100644
--- a/packages/kafka/changelog.yml
+++ b/packages/kafka/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.14.0"
+  changes:
+    - description: Add global filter on data_stream.dataset to improve performance.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/10075
 - version: "1.13.0"
   changes:
     - description: Enable secrets for sensitive fields. For more details, refer https://www.elastic.co/guide/en/fleet/current/agent-policy.html#agent-policy-secret-values
diff --git a/packages/kafka/kibana/dashboard/kafka-943caca0-87ee-11e7-ad9c-db80de0bf8d3.json b/packages/kafka/kibana/dashboard/kafka-943caca0-87ee-11e7-ad9c-db80de0bf8d3.json
index 633a6aa6aca..56988cb9777 100644
--- a/packages/kafka/kibana/dashboard/kafka-943caca0-87ee-11e7-ad9c-db80de0bf8d3.json
+++ b/packages/kafka/kibana/dashboard/kafka-943caca0-87ee-11e7-ad9c-db80de0bf8d3.json
@@ -3,7 +3,30 @@ "description": "Logs Kafka integration dashboard", "kibanaSavedObjectMeta": { "searchSourceJSON": { - "filter": [], + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "kafka.log" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "kafka.log" + } + } + } + ], "query": { "language": "kuery", "query": "" @@ -192,58 +215,7 @@ }, "panelIndex": "1", "title": "Number of stracktraces by class [Logs Kafka]", - "type": "lens", - "version": "8.7.0" - }, - { - "embeddableConfig": { - "columns": [ - "kafka.log.class", - "kafka.log.trace.class", - "kafka.log.trace.full" - ], - "enhancements": {}, - "sort": [ - "@timestamp", - "desc" - ] - }, - "gridData": { - "h": 12, - "i": "2", - "w": 24, - "x": 24, - "y": 0 - }, - "panelIndex": "2", - "panelRefName": "panel_2", - "type": "search", - "version": "8.7.0" - }, - { - "embeddableConfig": { - "columns": [ - "log.level", - "kafka.log.component", - "message" - ], - "enhancements": {}, - "sort": [ - "@timestamp", - "desc" - ] - }, - "gridData": { - "h": 20, - "i": "3", - "w": 48, - "x": 0, - "y": 20 - }, - "panelIndex": "3", - "panelRefName": "panel_3", - "type": "search", - "version": "8.7.0" + "type": "lens" }, { "embeddableConfig": { @@ -253,11 +225,6 @@ "id": "logs-*", "name": "indexpattern-datasource-layer-9f47bfb1-37f3-43f2-bee8-765df082d9e2", "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "0d3f3d8b-6a25-4de7-9fc3-2640ac541625", - "type": "index-pattern" } ], "state": { 
@@ -333,31 +300,7 @@ "layers": {} } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "0d3f3d8b-6a25-4de7-9fc3-2640ac541625", - "key": "data_stream.dataset", - "negate": false, - "params": { - "query": "kafka.log" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "data_stream.dataset": { - "query": "kafka.log" - } - } - } - } - ], + "filters": [], "internalReferences": [], "query": { "language": "kuery", 
@@ -447,46 +390,162 @@ }, "panelIndex": "4", "title": "Log levels over time [Logs Kafka]", - "type": "lens", - "version": "8.7.0" + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "columns": [ + "kafka.log.class", + "kafka.log.trace.class", + "kafka.log.trace.full" + ], + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"kafka.log.trace.class:*\"},\"version\":true}" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "sort": [ + [ + "@timestamp", + "desc" + ] + ] + }, + "columns": [ + "kafka.log.class", + "kafka.log.trace.class", + "kafka.log.trace.full" + ], + "enhancements": {}, + "sort": [ + "@timestamp", + "desc" + ] + }, + "gridData": { + "h": 12, + "i": "bf5f8731-180f-4b73-8c32-67610e4cb6c5", + "w": 24, + "x": 24, + "y": 0 + }, + "panelIndex": "bf5f8731-180f-4b73-8c32-67610e4cb6c5", + "title": "Stacktraces [Logs Kafka]", + "type": "search" + }, + { + "embeddableConfig": { + "attributes": { + "columns": [ + "log.level", + "kafka.log.component", + "message" + ], + "grid": { + "columns": { + "kafka.log.component": { + "width": 195 + }, + "log.level": { + "width": 109 + } + } + }, + "hideChart": false, + "isTextBasedQuery": false, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"kafka.log\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"kafka.log\"}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" + }, + "references": [ + { + 
"id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "timeRestore": false, + "usesAdHocDataView": false + }, + "columns": [ + "log.level", + "kafka.log.component", + "message" + ], + "enhancements": {}, + "sort": [ + "@timestamp", + "desc" + ] + }, + "gridData": { + "h": 20, + "i": "8a7f140b-ae2b-4b8f-95a3-3a8dfc74d8b1", + "w": 48, + "x": 0, + "y": 20 + }, + "panelIndex": "8a7f140b-ae2b-4b8f-95a3-3a8dfc74d8b1", + "title": "All logs [Logs Kafka]", + "type": "search" } ], "timeRestore": false, "title": "[Logs Kafka] Overview", "version": 1 }, - "coreMigrationVersion": "8.7.0", - "created_at": "2023-07-26T07:00:13.043Z", + "coreMigrationVersion": "8.8.0", + "created_at": "2024-04-22T06:53:10.744Z", "id": "kafka-943caca0-87ee-11e7-ad9c-db80de0bf8d3", - "migrationVersion": { - "dashboard": "8.7.0" - }, + "managed": false, "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, { "id": "logs-*", "name": "1:indexpattern-datasource-layer-d74d8027-0eee-45ec-941d-5e9e0b4e4ee9", "type": "index-pattern" }, { - "id": "kafka-stacktraces", - "name": "2:panel_2", - "type": "search" + "id": "logs-*", + "name": "4:indexpattern-datasource-layer-9f47bfb1-37f3-43f2-bee8-765df082d9e2", + "type": "index-pattern" }, { - "id": "kafka-all-kafka-logs", - "name": "3:panel_3", - "type": "search" + "id": "logs-*", + "name": "bf5f8731-180f-4b73-8c32-67610e4cb6c5:kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" }, { "id": "logs-*", - "name": "4:indexpattern-datasource-layer-9f47bfb1-37f3-43f2-bee8-765df082d9e2", + "name": "8a7f140b-ae2b-4b8f-95a3-3a8dfc74d8b1:kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern" }, { "id": "logs-*", - "name": 
"4:0d3f3d8b-6a25-4de7-9fc3-2640ac541625", + "name": "8a7f140b-ae2b-4b8f-95a3-3a8dfc74d8b1:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern" } ], - "type": "dashboard" + "type": "dashboard", + "typeMigrationVersion": "8.9.0" } \ No newline at end of file diff --git a/packages/kafka/kibana/dashboard/kafka-ea488d90-8e63-11e8-8fa2-3d5f811fbd0f.json b/packages/kafka/kibana/dashboard/kafka-ea488d90-8e63-11e8-8fa2-3d5f811fbd0f.json index daa33307a32..0f78feb23a7 100644 --- a/packages/kafka/kibana/dashboard/kafka-ea488d90-8e63-11e8-8fa2-3d5f811fbd0f.json +++ b/packages/kafka/kibana/dashboard/kafka-ea488d90-8e63-11e8-8fa2-3d5f811fbd0f.json @@ -9,7 +9,49 @@ "description": "Kafka analysis of topics and consumer groups", "kibanaSavedObjectMeta": { "searchSourceJSON": { - "filter": [], + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "data_stream.dataset", + "negate": false, + "params": [ + "kafka.broker", + "kafka.consumergroup", + "kafka.partition" + ], + "type": "phrases" + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "data_stream.dataset": "kafka.broker" + } + }, + { + "match_phrase": { + "data_stream.dataset": "kafka.consumergroup" + } + }, + { + "match_phrase": { + "data_stream.dataset": "kafka.partition" + } + } + ] + } + } + } + ], "query": { "language": "kuery", "query": "" @@ -332,8 +374,7 @@ }, "panelIndex": "1", "title": "Kafka Topic \u0026 Consumer Offsets", - "type": "lens", - "version": "8.7.0" + "type": "lens" }, { "embeddableConfig": { @@ -536,8 +577,7 @@ }, "panelIndex": "6", "title": "Consumer Group Lag by Topic", - "type": "lens", - "version": "8.7.0" + "type": "lens" }, { "embeddableConfig": { 
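Review bot: The inlined "All logs [Logs Kafka]" search panel still carries its own `data_stream.dataset` / `kafka.log` phrase filter inside its `searchSourceJSON` string, even though the lens panels in this dashboard had their per-panel dataset filters dropped in favour of the dashboard-level filter added in `@@ -3,7 +3,30 @@`. The duplicate is harmless today (both select the same dataset) but it is the only panel-level copy left and will drift if the global filter is ever changed; clearing it to `\"filter\":[]`, as the inlined "Stacktraces [Logs Kafka]" panel already has, keeps one source of truth. The same pattern appears in the embedded error-log search panel of microsoft_sqlserver-62b48570-fdf7-11ec-882e-ddefea6aeea3.json (`@@ -55,13 +67,6 @@`), which also gains a dashboard-level `microsoft_sqlserver.log` filter in this commit. As these files are Kibana exports, the adjustment should be made in Kibana and re-exported rather than hand-edited.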
@@ -806,8 +846,7 @@ }, "panelIndex": "12", "title": "Consumer Partition Reassignments", - "type": "lens", - "version": "8.7.0" + "type": "lens" }, { "embeddableConfig": { @@ -908,8 +947,7 @@ }, "panelIndex": "13", "title": "Consumer Metrics", - "type": "lens", - "version": "8.7.0" + "type": "lens" }, { "embeddableConfig": { @@ -1083,8 +1121,7 @@ }, "panelIndex": "14", "title": "Kafka Consumer Group Clients", - "type": "lens", - "version": "8.7.0" + "type": "lens" }, { "embeddableConfig": { @@ -1210,8 +1247,7 @@ }, "panelIndex": "ad4575fb-5b4f-4c42-8c50-c2b60b2c72f7", "title": "Kafka Metrics", - "type": "lens", - "version": "8.7.0" + "type": "lens" }, { "embeddableConfig": { @@ -1337,8 +1373,7 @@ }, "panelIndex": "02a0cadd-8e80-4380-b9a1-0d41cfef29d6", "title": "Kafka Metrics", - "type": "lens", - "version": "8.7.0" + "type": "lens" }, { "embeddableConfig": { @@ -1464,8 +1499,7 @@ }, "panelIndex": "b7ca8c63-46bc-46f4-bf44-b211814b5a8b", "title": "Kafka Metrics", - "type": "lens", - "version": "8.7.0" + "type": "lens" }, { "embeddableConfig": { @@ -1591,8 +1625,7 @@ }, "panelIndex": "3bf5acc4-bca8-4dae-bf9d-7b7f5de0ef2f", "title": "Kafka Metrics", - "type": "lens", - "version": "8.7.0" + "type": "lens" }, { "embeddableConfig": { @@ -1762,8 +1795,7 @@ }, "panelIndex": "6d18f7a0-9156-476a-9b3d-9c2924bc00f1", "title": "Kafka Brokers", - "type": "lens", - "version": "8.7.0" + "type": "lens" }, { "embeddableConfig": { 
@@ -2006,21 +2038,23 @@ }, "panelIndex": "6e580e38-ab32-407c-8d49-7373decc50f1", "title": "Kafka Topic Details", - "type": "lens", - "version": "8.7.0" + "type": "lens" } ], "timeRestore": false, "title": "[Metrics Kafka] Overview", "version": 1 }, - "coreMigrationVersion": "8.7.0", - "created_at": "2023-07-26T06:41:25.463Z", + "coreMigrationVersion": "8.8.0", + "created_at": "2024-04-22T07:06:37.901Z", "id": "kafka-ea488d90-8e63-11e8-8fa2-3d5f811fbd0f", - "migrationVersion": { - "dashboard": "8.7.0" - }, + "managed": false, "references": [ + { + "id": "metrics-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, { "id": "metrics-*", "name": "13:indexpattern-datasource-layer-830f7c05-123b-4860-b1c0-35c43878b6b5", @@ -2117,5 +2151,6 @@ "type": "index-pattern" } ], - "type": "dashboard" + "type": "dashboard", + "typeMigrationVersion": "8.9.0" } \ No newline at end of file diff --git a/packages/kafka/kibana/search/kafka-all-kafka-logs.json b/packages/kafka/kibana/search/kafka-all-kafka-logs.json deleted file mode 100644 index 797ba0e9e17..00000000000 --- a/packages/kafka/kibana/search/kafka-all-kafka-logs.json +++ /dev/null 
@@ -1,86 +0,0 @@ -{ - "attributes": { - "columns": [ - "log.level", - "kafka.log.component", - "message" - ], - "description": "", - "grid": { - "columns": { - "kafka.log.component": { - "width": 195 - }, - "log.level": { - "width": 109 - } - } - }, - "hideChart": false, - "hits": 0, - "isTextBasedQuery": false, - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "data_stream.dataset", - "negate": false, - "params": { - "query": "kafka.log" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "data_stream.dataset": "kafka.log" - } - } - } - ], - "highlightAll": true, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", - "query": { - "language": "kuery", - "query": "" - }, - "version": true - } - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "timeRestore": false, - "title": "All logs [Logs Kafka]", - "usesAdHocDataView": false, - "version": 1 - }, - "coreMigrationVersion": "8.7.0", - "created_at": "2023-07-26T06:39:08.427Z", - "id": "kafka-all-kafka-logs", - "migrationVersion": { - "search": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/kafka/kibana/search/kafka-stacktraces.json b/packages/kafka/kibana/search/kafka-stacktraces.json deleted file mode 100644 index ea0c75a8add..00000000000 --- a/packages/kafka/kibana/search/kafka-stacktraces.json +++ /dev/null 
@@ -1,45 +0,0 @@ -{ - "attributes": { - "columns": [ - "kafka.log.class", - "kafka.log.trace.class", - "kafka.log.trace.full" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [], - "highlightAll": true, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", - "query": { - "language": "kuery", - "query": "kafka.log.trace.class:*" - }, - "version": true - } - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "Stacktraces [Logs Kafka]", - "version": 1 - }, - "coreMigrationVersion": "8.7.0", - "created_at": "2023-07-26T06:39:08.427Z", - "id": "kafka-stacktraces", - "migrationVersion": { - "search": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/kafka/manifest.yml b/packages/kafka/manifest.yml index 48c9b000d17..5b2b080fe73 100644 --- a/packages/kafka/manifest.yml +++ b/packages/kafka/manifest.yml @@ -1,7 +1,7 @@ format_version: "3.0.2" name: kafka title: Kafka -version: "1.13.0" +version: "1.14.0" description: Collect logs and metrics from Kafka servers with Elastic Agent. type: integration categories: diff --git a/packages/microsoft_sqlserver/changelog.yml b/packages/microsoft_sqlserver/changelog.yml index daea9ec59e3..edab82dbd52 100644 --- a/packages/microsoft_sqlserver/changelog.yml +++ b/packages/microsoft_sqlserver/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "2.6.0" + changes: + - description: Add global filter on data_stream.dataset to improve performance. + type: enhancement + link: https://github.com/elastic/integrations/pull/10075 - version: 2.5.1 changes: - description: Update documentation for `transaction_logs` metric collection limits. 
diff --git a/packages/microsoft_sqlserver/kibana/dashboard/microsoft_sqlserver-18d66970-1fb4-11e9-8a4d-eb34d2834f6b.json b/packages/microsoft_sqlserver/kibana/dashboard/microsoft_sqlserver-18d66970-1fb4-11e9-8a4d-eb34d2834f6b.json index b0df96ee7de..b1f82de144d 100644 --- a/packages/microsoft_sqlserver/kibana/dashboard/microsoft_sqlserver-18d66970-1fb4-11e9-8a4d-eb34d2834f6b.json +++ b/packages/microsoft_sqlserver/kibana/dashboard/microsoft_sqlserver-18d66970-1fb4-11e9-8a4d-eb34d2834f6b.json @@ -1,15 +1,4 @@ { - "id": "microsoft_sqlserver-18d66970-1fb4-11e9-8a4d-eb34d2834f6b", - "type": "dashboard", - "namespaces": [ - "default" - ], - "migrationVersion": { - "dashboard": "8.9.0" - }, - "updated_at": "2024-01-22T13:21:22.589Z", - "created_at": "2024-01-22T13:21:22.589Z", - "version": "WzEwMSwxXQ==", "attributes": { "controlGroupInput": { "chainingSystem": "HIERARCHICAL", @@ -227,8 +216,7 @@ }, "panelIndex": "033d2eb9-9d99-4c61-9d87-5410f2fa6607", "title": "Total Log Space Usage [Metrics Microsoft SqlServer]", - "type": "lens", - "version": "8.10.2" + "type": "lens" }, { "embeddableConfig": { @@ -404,8 +392,7 @@ }, "panelIndex": "ecca4f7b-5846-4659-a8a3-844276779869", "title": "Percentage of Used Space [Metrics Microsoft SqlServer]", - "type": "lens", - "version": "8.10.2" + "type": "lens" }, { "embeddableConfig": { @@ -580,8 +567,7 @@ }, "panelIndex": "41b881a5-df21-4ef0-90c6-9906a0107f5e", "title": "Used Space [Metrics Microsoft SqlServer]", - "type": "lens", - "version": "8.10.2" + "type": "lens" }, { "embeddableConfig": { @@ -756,8 +742,7 @@ }, "panelIndex": "d065062d-1b53-4cd1-80db-462b58e97632", "title": "Log Space Since Last Backup [Metrics Microsoft SqlServer]", - "type": "lens", - "version": "8.10.2" + "type": "lens" }, { "embeddableConfig": { @@ -932,8 +917,7 @@ }, "panelIndex": "ed535f03-9d86-4021-9d47-c315a012aceb", "title": "Recovery Size [Metrics Microsoft SqlServer]", - "type": "lens", - "version": "8.10.2" + "type": "lens" }, { "embeddableConfig": { 
@@ -1108,8 +1092,7 @@ }, "panelIndex": "1c270f8b-8e64-410d-a5e4-a4cc45c4fa2c", "title": "Log Size Since Last Checkpoint [Metrics Microsoft SqlServer]", - "type": "lens", - "version": "8.10.2" + "type": "lens" }, { "embeddableConfig": { @@ -1280,14 +1263,17 @@ }, "panelIndex": "af6dc077-868f-460c-bc8a-11019b087898", "title": "Active Log Size [Metrics Microsoft SqlServer]", - "type": "lens", - "version": "8.10.2" + "type": "lens" } ], "timeRestore": false, "title": "[Metrics Microsoft SQL Server] Transaction log", "version": 1 }, + "coreMigrationVersion": "8.8.0", + "created_at": "2024-04-19T08:58:59.786Z", + "id": "microsoft_sqlserver-18d66970-1fb4-11e9-8a4d-eb34d2834f6b", + "managed": false, "references": [ { "id": "metrics-*", @@ -1340,7 +1326,6 @@ "type": "index-pattern" } ], - "managed": false, - "coreMigrationVersion": "8.8.0", + "type": "dashboard", "typeMigrationVersion": "8.9.0" } \ No newline at end of file diff --git a/packages/microsoft_sqlserver/kibana/dashboard/microsoft_sqlserver-361588b0-389b-11ec-9973-85eff9a74fdb.json b/packages/microsoft_sqlserver/kibana/dashboard/microsoft_sqlserver-361588b0-389b-11ec-9973-85eff9a74fdb.json index 96f4d45fdc9..2f0c1d5aa49 100644 --- a/packages/microsoft_sqlserver/kibana/dashboard/microsoft_sqlserver-361588b0-389b-11ec-9973-85eff9a74fdb.json +++ b/packages/microsoft_sqlserver/kibana/dashboard/microsoft_sqlserver-361588b0-389b-11ec-9973-85eff9a74fdb.json @@ -1,18 +1,6 @@ { - "id": "microsoft_sqlserver-361588b0-389b-11ec-9973-85eff9a74fdb", - "type": "dashboard", - "namespaces": [ - "default" - ], - "migrationVersion": { - "dashboard": "8.9.0" - }, - "updated_at": "2024-01-22T13:21:22.589Z", - "created_at": "2024-01-22T13:21:22.589Z", - "version": "WzEwMiwxXQ==", "attributes": { "description": "Microsoft SQL Server Audit Events", - "hits": 0, "kibanaSavedObjectMeta": { "searchSourceJSON": { "filter": [ 
@@ -47,40 +35,23 @@ "optionsJSON": { "hidePanelTitles": false, "syncColors": false, + "syncCursor": true, + "syncTooltips": false, "useMargins": true }, "panelsJSON": [ { - "version": "8.9.0", - "type": "lens", - "gridData": { - "h": 13, - "i": "842e1cfc-7341-462d-8949-eef99e130666", - "w": 18, - "x": 0, - "y": 0 - }, - "panelIndex": "842e1cfc-7341-462d-8949-eef99e130666", "embeddableConfig": { "attributes": { "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, { "id": "logs-*", "name": "indexpattern-datasource-layer-b51d3b6d-d5e8-4631-b11c-81dcb81734a8", "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "filter-index-pattern-0", - "type": "index-pattern" } ], "state": { + "adHocDataViews": {}, "datasourceStates": { "formBased": { "layers": { @@ -122,28 +93,8 @@ } } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "key": "data_stream.dataset", - "negate": false, - "params": { - "query": "microsoft_sqlserver.audit" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "data_stream.dataset": "microsoft_sqlserver.audit" - } - } - } - ], + "filters": [], + "internalReferences": [], "query": { "language": "kuery", "query": "" @@ -156,13 +107,13 @@ "layerType": "data", "legendDisplay": "default", "legendSize": "auto", + "metrics": [ + "a6937f39-2999-4be2-8371-619b5bf2fb67" + ], "nestedLegend": false, "numberDisplay": "percent", "primaryGroups": [ "70000b7b-124a-439e-8ef2-6a8dad15c166" - ], - "metrics": [ - "a6937f39-2999-4be2-8371-619b5bf2fb67" ] } ], 
@@ -178,42 +129,31 @@ "timeRange": { "from": "now-2d", "to": "now" - }, - "type": "lens" + } }, - "title": "Microsoft SQL Server Event Types" - }, - { - "version": "8.9.0", - "type": "lens", "gridData": { "h": 13, - "i": "d2bbfd00-6448-4207-9aef-b5bfcb8f978b", - "w": 17, - "x": 18, + "i": "842e1cfc-7341-462d-8949-eef99e130666", + "w": 18, + "x": 0, "y": 0 }, - "panelIndex": "d2bbfd00-6448-4207-9aef-b5bfcb8f978b", + "panelIndex": "842e1cfc-7341-462d-8949-eef99e130666", + "title": "Microsoft SQL Server Event Types", + "type": "lens" + }, + { "embeddableConfig": { "attributes": { "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, { "id": "logs-*", "name": "indexpattern-datasource-layer-7af1e8e7-5f23-4195-b8e1-94f90b0a840a", "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "filter-index-pattern-0", - "type": "index-pattern" } ], "state": { + "adHocDataViews": {}, "datasourceStates": { "formBased": { "layers": { @@ -251,28 +191,8 @@ } } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "key": "data_stream.dataset", - "negate": false, - "params": { - "query": "microsoft_sqlserver.audit" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "data_stream.dataset": "microsoft_sqlserver.audit" - } - } - } - ], + "filters": [], + "internalReferences": [], "query": { "language": "kuery", "query": "" 
@@ -331,42 +251,31 @@ "visualizationType": "lnsXY" }, "enhancements": {}, - "hidePanelTitles": false, - "type": "lens" + "hidePanelTitles": false }, - "title": "Rate of events" - }, - { - "version": "8.9.0", - "type": "lens", "gridData": { "h": 13, - "i": "e0dde78f-31ea-478a-b2d2-7bde0fd3eedb", - "w": 13, - "x": 35, + "i": "d2bbfd00-6448-4207-9aef-b5bfcb8f978b", + "w": 17, + "x": 18, "y": 0 }, - "panelIndex": "e0dde78f-31ea-478a-b2d2-7bde0fd3eedb", + "panelIndex": "d2bbfd00-6448-4207-9aef-b5bfcb8f978b", + "title": "Rate of events", + "type": "lens" + }, + { "embeddableConfig": { "attributes": { "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, { "id": "logs-*", "name": "indexpattern-datasource-layer-7af1e8e7-5f23-4195-b8e1-94f90b0a840a", "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "filter-index-pattern-0", - "type": "index-pattern" } ], "state": { + "adHocDataViews": {}, "datasourceStates": { "formBased": { "layers": { @@ -416,28 +325,8 @@ } } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "key": "data_stream.dataset", - "negate": false, - "params": { - "query": "microsoft_sqlserver.audit" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "data_stream.dataset": "microsoft_sqlserver.audit" - } - } - } - ], + "filters": [], + "internalReferences": [], "query": { "language": "kuery", "query": "" 
@@ -496,52 +385,31 @@ "visualizationType": "lnsXY" }, "enhancements": {}, - "hidePanelTitles": false, - "type": "lens" + "hidePanelTitles": false }, - "title": "Rate of Failed Logins" - }, - { - "version": "8.9.0", - "type": "lens", "gridData": { - "h": 9, - "i": "9df96bf5-959d-470c-afaa-f85cd3921d41", + "h": 13, + "i": "e0dde78f-31ea-478a-b2d2-7bde0fd3eedb", "w": 13, - "x": 0, - "y": 13 + "x": 35, + "y": 0 }, - "panelIndex": "9df96bf5-959d-470c-afaa-f85cd3921d41", + "panelIndex": "e0dde78f-31ea-478a-b2d2-7bde0fd3eedb", + "title": "Rate of Failed Logins", + "type": "lens" + }, + { "embeddableConfig": { "attributes": { "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, { "id": "logs-*", "name": "indexpattern-datasource-layer-43db16e8-42fc-4bf0-b02a-67ed2d5e9ebd", "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "filter-index-pattern-0", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "filter-index-pattern-1", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "filter-index-pattern-2", - "type": "index-pattern" } ], "state": { + "adHocDataViews": {}, "datasourceStates": { "formBased": { "layers": { @@ -587,26 +455,6 @@ } }, "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "key": "data_stream.dataset", - "negate": false, - "params": { - "query": "microsoft_sqlserver.audit" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "data_stream.dataset": "microsoft_sqlserver.audit" - } - } - }, { "$state": { "store": "appState" @@ -692,6 +540,7 @@ } } ], + "internalReferences": [], "query": { "language": "kuery", "query": "" 
@@ -748,52 +597,31 @@ "visualizationType": "lnsXY" }, "enhancements": {}, - "hidePanelTitles": false, - "type": "lens" + "hidePanelTitles": false }, - "title": "Database Principal Changes" - }, - { - "version": "8.9.0", - "type": "lens", "gridData": { "h": 9, - "i": "c95238d4-553e-424f-9880-7377837f0ba2", + "i": "9df96bf5-959d-470c-afaa-f85cd3921d41", "w": 13, - "x": 13, + "x": 0, "y": 13 }, - "panelIndex": "c95238d4-553e-424f-9880-7377837f0ba2", + "panelIndex": "9df96bf5-959d-470c-afaa-f85cd3921d41", + "title": "Database Principal Changes", + "type": "lens" + }, + { "embeddableConfig": { "attributes": { "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, { "id": "logs-*", "name": "indexpattern-datasource-layer-43db16e8-42fc-4bf0-b02a-67ed2d5e9ebd", "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "filter-index-pattern-0", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "filter-index-pattern-1", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "filter-index-pattern-2", - "type": "index-pattern" } ], "state": { + "adHocDataViews": {}, "datasourceStates": { "formBased": { "layers": { @@ -832,26 +660,6 @@ } }, "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "key": "data_stream.dataset", - "negate": false, - "params": { - "query": "microsoft_sqlserver.audit" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "data_stream.dataset": "microsoft_sqlserver.audit" - } - } - }, { "$state": { "store": "appState" @@ -925,6 +733,7 @@ } } ], + "internalReferences": [], "query": { "language": "kuery", "query": "" 
@@ -983,52 +792,31 @@ "visualizationType": "lnsXY" }, "enhancements": {}, - "hidePanelTitles": false, - "type": "lens" + "hidePanelTitles": false }, - "title": "Role Member Changes" - }, - { - "version": "8.9.0", - "type": "lens", "gridData": { "h": 9, - "i": "c48ea73e-2a8d-41bf-831c-275c516ee481", + "i": "c95238d4-553e-424f-9880-7377837f0ba2", "w": 13, - "x": 26, + "x": 13, "y": 13 }, - "panelIndex": "c48ea73e-2a8d-41bf-831c-275c516ee481", + "panelIndex": "c95238d4-553e-424f-9880-7377837f0ba2", + "title": "Role Member Changes", + "type": "lens" + }, + { "embeddableConfig": { "attributes": { "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, { "id": "logs-*", "name": "indexpattern-datasource-layer-43db16e8-42fc-4bf0-b02a-67ed2d5e9ebd", "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "filter-index-pattern-0", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "filter-index-pattern-1", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "filter-index-pattern-2", - "type": "index-pattern" } ], "state": { + "adHocDataViews": {}, "datasourceStates": { "formBased": { "layers": { @@ -1088,26 +876,6 @@ } }, "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "key": "data_stream.dataset", - "negate": false, - "params": { - "query": "microsoft_sqlserver.audit" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "data_stream.dataset": "microsoft_sqlserver.audit" - } - } - }, { "$state": { "store": "appState" @@ -1187,6 +955,7 @@ } } ], + "internalReferences": [], "query": { "language": "kuery", "query": "" 
@@ -1250,47 +1019,31 @@ "visualizationType": "lnsXY" }, "enhancements": {}, - "hidePanelTitles": false, - "type": "lens" + "hidePanelTitles": false }, - "title": "Audit Changes" - }, - { - "version": "8.9.0", - "type": "lens", "gridData": { "h": 9, - "i": "c68c4401-b3a5-486a-8e66-da4bad6b035d", - "w": 9, - "x": 39, + "i": "c48ea73e-2a8d-41bf-831c-275c516ee481", + "w": 13, + "x": 26, "y": 13 }, - "panelIndex": "c68c4401-b3a5-486a-8e66-da4bad6b035d", + "panelIndex": "c48ea73e-2a8d-41bf-831c-275c516ee481", + "title": "Audit Changes", + "type": "lens" + }, + { "embeddableConfig": { "attributes": { "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, { "id": "logs-*", "name": "indexpattern-datasource-layer-03553b27-f941-4b4b-bcb6-8e1943c154f3", "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "filter-index-pattern-0", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "filter-index-pattern-1", - "type": "index-pattern" } ], "state": { + "adHocDataViews": {}, "datasourceStates": { "formBased": { "layers": { @@ -1315,26 +1068,6 @@ } }, "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "key": "data_stream.dataset", - "negate": false, - "params": { - "query": "microsoft_sqlserver.audit" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "data_stream.dataset": "microsoft_sqlserver.audit" - } - } - }, { "$state": { "store": "appState" @@ -1356,6 +1089,7 @@ } } ], + "internalReferences": [], "query": { "language": "kuery", "query": "" 
@@ -1374,164 +1108,70 @@ "visualizationType": "lnsLegacyMetric" }, "enhancements": {}, - "hidePanelTitles": false, - "type": "lens" + "hidePanelTitles": false }, - "title": "Number of Failed Logins" + "gridData": { + "h": 9, + "i": "c68c4401-b3a5-486a-8e66-da4bad6b035d", + "w": 9, + "x": 39, + "y": 13 + }, + "panelIndex": "c68c4401-b3a5-486a-8e66-da4bad6b035d", + "title": "Number of Failed Logins", + "type": "lens" } ], "timeRestore": false, "title": "[Logs Microsoft SQL Server Audit Events] Overview", "version": 1 }, + "coreMigrationVersion": "8.8.0", + "created_at": "2024-05-13T12:13:02.139Z", + "id": "microsoft_sqlserver-361588b0-389b-11ec-9973-85eff9a74fdb", + "managed": false, "references": [ { "id": "logs-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern" }, - { - "id": "logs-*", - "name": "842e1cfc-7341-462d-8949-eef99e130666:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, { "id": "logs-*", "name": "842e1cfc-7341-462d-8949-eef99e130666:indexpattern-datasource-layer-b51d3b6d-d5e8-4631-b11c-81dcb81734a8", "type": "index-pattern" }, - { - "id": "logs-*", - "name": "842e1cfc-7341-462d-8949-eef99e130666:filter-index-pattern-0", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "d2bbfd00-6448-4207-9aef-b5bfcb8f978b:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, { "id": "logs-*", "name": "d2bbfd00-6448-4207-9aef-b5bfcb8f978b:indexpattern-datasource-layer-7af1e8e7-5f23-4195-b8e1-94f90b0a840a", "type": "index-pattern" }, - { - "id": "logs-*", - "name": "d2bbfd00-6448-4207-9aef-b5bfcb8f978b:filter-index-pattern-0", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "e0dde78f-31ea-478a-b2d2-7bde0fd3eedb:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, { "id": "logs-*", "name": "e0dde78f-31ea-478a-b2d2-7bde0fd3eedb:indexpattern-datasource-layer-7af1e8e7-5f23-4195-b8e1-94f90b0a840a", "type": "index-pattern" }, 
- { - "id": "logs-*", - "name": "e0dde78f-31ea-478a-b2d2-7bde0fd3eedb:filter-index-pattern-0", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "9df96bf5-959d-470c-afaa-f85cd3921d41:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, { "id": "logs-*", "name": "9df96bf5-959d-470c-afaa-f85cd3921d41:indexpattern-datasource-layer-43db16e8-42fc-4bf0-b02a-67ed2d5e9ebd", "type": "index-pattern" }, - { - "id": "logs-*", - "name": "9df96bf5-959d-470c-afaa-f85cd3921d41:filter-index-pattern-0", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "9df96bf5-959d-470c-afaa-f85cd3921d41:filter-index-pattern-1", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "9df96bf5-959d-470c-afaa-f85cd3921d41:filter-index-pattern-2", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "c95238d4-553e-424f-9880-7377837f0ba2:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, { "id": "logs-*", "name": "c95238d4-553e-424f-9880-7377837f0ba2:indexpattern-datasource-layer-43db16e8-42fc-4bf0-b02a-67ed2d5e9ebd", "type": "index-pattern" }, - { - "id": "logs-*", - "name": "c95238d4-553e-424f-9880-7377837f0ba2:filter-index-pattern-0", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "c95238d4-553e-424f-9880-7377837f0ba2:filter-index-pattern-1", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "c95238d4-553e-424f-9880-7377837f0ba2:filter-index-pattern-2", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "c48ea73e-2a8d-41bf-831c-275c516ee481:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, { "id": "logs-*", "name": "c48ea73e-2a8d-41bf-831c-275c516ee481:indexpattern-datasource-layer-43db16e8-42fc-4bf0-b02a-67ed2d5e9ebd", "type": "index-pattern" }, - { - "id": "logs-*", - "name": "c48ea73e-2a8d-41bf-831c-275c516ee481:filter-index-pattern-0", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": 
"c48ea73e-2a8d-41bf-831c-275c516ee481:filter-index-pattern-1", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "c48ea73e-2a8d-41bf-831c-275c516ee481:filter-index-pattern-2", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "c68c4401-b3a5-486a-8e66-da4bad6b035d:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, { "id": "logs-*", "name": "c68c4401-b3a5-486a-8e66-da4bad6b035d:indexpattern-datasource-layer-03553b27-f941-4b4b-bcb6-8e1943c154f3", "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "c68c4401-b3a5-486a-8e66-da4bad6b035d:filter-index-pattern-0", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "c68c4401-b3a5-486a-8e66-da4bad6b035d:filter-index-pattern-1", - "type": "index-pattern" } ], - "managed": false, - "coreMigrationVersion": "8.8.0", + "type": "dashboard", "typeMigrationVersion": "8.9.0" } \ No newline at end of file diff --git a/packages/microsoft_sqlserver/kibana/dashboard/microsoft_sqlserver-62b48570-fdf7-11ec-882e-ddefea6aeea3.json b/packages/microsoft_sqlserver/kibana/dashboard/microsoft_sqlserver-62b48570-fdf7-11ec-882e-ddefea6aeea3.json index 5b31b58c912..d58798e85a0 100644 --- a/packages/microsoft_sqlserver/kibana/dashboard/microsoft_sqlserver-62b48570-fdf7-11ec-882e-ddefea6aeea3.json +++ b/packages/microsoft_sqlserver/kibana/dashboard/microsoft_sqlserver-62b48570-fdf7-11ec-882e-ddefea6aeea3.json 
@@ -1,36 +1,48 @@ { - "id": "microsoft_sqlserver-62b48570-fdf7-11ec-882e-ddefea6aeea3", - "type": "dashboard", - "namespaces": [ - "default" - ], - "migrationVersion": { - "dashboard": "8.9.0" - }, - "updated_at": "2024-01-22T13:21:22.589Z", - "created_at": "2024-01-22T13:21:22.589Z", - "version": "WzEwMywxXQ==", "attributes": { "description": "Error Logs of Microsoft SQL server overview", - "hits": 0, "kibanaSavedObjectMeta": { "searchSourceJSON": { - "filter": [], - "highlightAll": true, + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "microsoft_sqlserver.log" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "microsoft_sqlserver.log" + } + } + } + ], "query": { "language": "kuery", "query": "" - }, - "version": true + } } }, "optionsJSON": { - "darkTheme": false + "hidePanelTitles": false, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false, + "useMargins": true }, "panelsJSON": [ { "embeddableConfig": { - "enhancements": {}, "attributes": { "columns": [ "microsoft_sqlserver.log.origin", 
@@ -55,13 +67,6 @@ "kibanaSavedObjectMeta": { "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"microsoft_sqlserver.log\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"microsoft_sqlserver.log\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "Microsoft SQL server Error Log", "references": [ { "id": "logs-*", @@ -73,8 +78,16 @@ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern" } - ] - } + ], + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "Microsoft SQL server Error Log" + }, + "enhancements": {} }, "gridData": { "h": 25, @@ -84,20 +97,9 @@ "y": 12 }, "panelIndex": "acfd02ea-6f4d-4582-8a3e-8a43d3461128", - "type": "search", - "version": "8.0.0" + "type": "search" }, { - "version": "8.9.0", - "type": "lens", - "gridData": { - "h": 12, - "i": "e59207ef-b7f3-4af0-bfa0-b69e1eb4007f", - "w": 48, - "x": 0, - "y": 0 - }, - "panelIndex": "e59207ef-b7f3-4af0-bfa0-b69e1eb4007f", "embeddableConfig": { "attributes": { "references": [ 
@@ -220,34 +222,50 @@ "type": "lens", "visualizationType": "lnsXY" }, - "enhancements": {}, - "type": "lens" + "enhancements": {} + }, + "gridData": { + "h": 12, + "i": "e59207ef-b7f3-4af0-bfa0-b69e1eb4007f", + "w": 48, + "x": 0, + "y": 0 }, - "title": "Microsoft SQL server Error Log origin" + "panelIndex": "e59207ef-b7f3-4af0-bfa0-b69e1eb4007f", + "title": "Microsoft SQL server Error Log origin", + "type": "lens" } ], "timeRestore": false, "title": "[Logs Microsoft SQL Server] Error Log Overview", "version": 1 }, + "coreMigrationVersion": "8.8.0", + "created_at": "2024-04-19T08:58:41.370Z", + "id": "microsoft_sqlserver-62b48570-fdf7-11ec-882e-ddefea6aeea3", + "managed": false, "references": [ { "id": "logs-*", - "name": "e59207ef-b7f3-4af0-bfa0-b69e1eb4007f:indexpattern-datasource-layer-056140ff-8a51-44be-9c14-76e4418d0587", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern" }, { - "type": "index-pattern", + "id": "logs-*", "name": "acfd02ea-6f4d-4582-8a3e-8a43d3461128:kibanaSavedObjectMeta.searchSourceJSON.index", - "id": "logs-*" + "type": "index-pattern" }, { - "type": "index-pattern", + "id": "logs-*", "name": "acfd02ea-6f4d-4582-8a3e-8a43d3461128:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "id": "logs-*" + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "e59207ef-b7f3-4af0-bfa0-b69e1eb4007f:indexpattern-datasource-layer-056140ff-8a51-44be-9c14-76e4418d0587", + "type": "index-pattern" } ], - "managed": false, - "coreMigrationVersion": "8.8.0", + "type": "dashboard", "typeMigrationVersion": "8.9.0" } \ No newline at end of file diff --git a/packages/microsoft_sqlserver/kibana/dashboard/microsoft_sqlserver-a2ead240-18bb-11e9-9836-f37dedd3b411.json b/packages/microsoft_sqlserver/kibana/dashboard/microsoft_sqlserver-a2ead240-18bb-11e9-9836-f37dedd3b411.json index 348df575b01..5b9b3d9e7ab 100644 
--- a/packages/microsoft_sqlserver/kibana/dashboard/microsoft_sqlserver-a2ead240-18bb-11e9-9836-f37dedd3b411.json +++ b/packages/microsoft_sqlserver/kibana/dashboard/microsoft_sqlserver-a2ead240-18bb-11e9-9836-f37dedd3b411.json @@ -1,21 +1,32 @@ { - "id": "microsoft_sqlserver-a2ead240-18bb-11e9-9836-f37dedd3b411", - "type": "dashboard", - "namespaces": [ - "default" - ], - "migrationVersion": { - "dashboard": "8.9.0" - }, - "updated_at": "2024-01-22T13:21:22.589Z", - "created_at": "2024-01-22T13:21:22.589Z", - "version": "WzEwNCwxXQ==", "attributes": { "description": "A dashboard with key metrics about a Microsoft SQL Server instance performance", - "hits": 0, "kibanaSavedObjectMeta": { "searchSourceJSON": { - "filter": [], + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "microsoft_sqlserver.performance" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "microsoft_sqlserver.performance" + } + } + } + ], "query": { "language": "kuery", "query": "" @@ -23,22 +34,14 @@ } }, "optionsJSON": { - "darkTheme": false, "hidePanelTitles": false, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false, "useMargins": true }, "panelsJSON": [ { - "version": "8.9.0", - "type": "lens", - "gridData": { - "h": 15, - "i": "733a1dbb-abdd-45d9-a908-026db7545a29", - "w": 24, - "x": 0, - "y": 0 - }, - "panelIndex": "733a1dbb-abdd-45d9-a908-026db7545a29", "embeddableConfig": { "attributes": { "references": [ 
@@ -141,22 +144,20 @@ "visualizationType": "lnsXY" }, "enhancements": {}, - "hidePanelTitles": false, - "type": "lens" + "hidePanelTitles": false }, - "title": "User Connections [Metrics Microsoft SqlServer]" - }, - { - "version": "8.9.0", - "type": "lens", "gridData": { "h": 15, - "i": "eeb38cf1-3e35-4a16-b910-21ef1aca2142", + "i": "733a1dbb-abdd-45d9-a908-026db7545a29", "w": 24, - "x": 24, + "x": 0, "y": 0 }, - "panelIndex": "eeb38cf1-3e35-4a16-b910-21ef1aca2142", + "panelIndex": "733a1dbb-abdd-45d9-a908-026db7545a29", + "title": "User Connections [Metrics Microsoft SqlServer]", + "type": "lens" + }, + { "embeddableConfig": { "attributes": { "references": [ @@ -257,22 +258,20 @@ "visualizationType": "lnsXY" }, "enhancements": {}, - "hidePanelTitles": false, - "type": "lens" + "hidePanelTitles": false }, - "title": "Batch Requests/sec [Microsoft SQL Server]" - }, - { - "version": "8.9.0", - "type": "lens", "gridData": { "h": 15, - "i": "9537c5f9-fdeb-4101-a50c-419834b6bdc3", + "i": "eeb38cf1-3e35-4a16-b910-21ef1aca2142", "w": 24, - "x": 0, - "y": 15 + "x": 24, + "y": 0 }, - "panelIndex": "9537c5f9-fdeb-4101-a50c-419834b6bdc3", + "panelIndex": "eeb38cf1-3e35-4a16-b910-21ef1aca2142", + "title": "Batch Requests/sec [Microsoft SQL Server]", + "type": "lens" + }, + { "embeddableConfig": { "attributes": { "references": [ @@ -375,22 +374,20 @@ "visualizationType": "lnsXY" }, "enhancements": {}, - "hidePanelTitles": false, - "type": "lens" + "hidePanelTitles": false }, - "title": "Lock Waits/sec [Microsoft SQL Server]" - }, - { - "version": "8.9.0", - "type": "lens", "gridData": { "h": 15, - "i": "3ceec42f-23d1-4ca2-8d59-c14ad798850f", + "i": "9537c5f9-fdeb-4101-a50c-419834b6bdc3", "w": 24, - "x": 24, + "x": 0, "y": 15 }, - "panelIndex": "3ceec42f-23d1-4ca2-8d59-c14ad798850f", + "panelIndex": "9537c5f9-fdeb-4101-a50c-419834b6bdc3", + "title": "Lock Waits/sec [Microsoft SQL Server]", + "type": "lens" + }, + { "embeddableConfig": { "attributes": { "references": [ 
@@ -493,22 +490,20 @@ "visualizationType": "lnsXY" }, "enhancements": {}, - "hidePanelTitles": false, - "type": "lens" + "hidePanelTitles": false }, - "title": "Buffer Cache Hit Ratio [Microsoft SQL Server]" - }, - { - "version": "8.9.0", - "type": "lens", "gridData": { "h": 15, - "i": "1b64a2ab-638e-483a-826d-c2a8563b7fcf", + "i": "3ceec42f-23d1-4ca2-8d59-c14ad798850f", "w": 24, - "x": 0, - "y": 30 + "x": 24, + "y": 15 }, - "panelIndex": "1b64a2ab-638e-483a-826d-c2a8563b7fcf", + "panelIndex": "3ceec42f-23d1-4ca2-8d59-c14ad798850f", + "title": "Buffer Cache Hit Ratio [Microsoft SQL Server]", + "type": "lens" + }, + { "embeddableConfig": { "attributes": { "references": [ @@ -611,17 +606,34 @@ "visualizationType": "lnsXY" }, "enhancements": {}, - "hidePanelTitles": false, - "type": "lens" + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "1b64a2ab-638e-483a-826d-c2a8563b7fcf", + "w": 24, + "x": 0, + "y": 30 }, - "title": "Transactions [Microsoft SQL Server]" + "panelIndex": "1b64a2ab-638e-483a-826d-c2a8563b7fcf", + "title": "Transactions [Microsoft SQL Server]", + "type": "lens" } ], "timeRestore": false, "title": "[Metrics Microsoft SQL Server] Performance", "version": 1 }, + "coreMigrationVersion": "8.8.0", + "created_at": "2024-04-19T09:16:04.927Z", + "id": "microsoft_sqlserver-a2ead240-18bb-11e9-9836-f37dedd3b411", + "managed": false, "references": [ + { + "id": "metrics-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, { "id": "metrics-*", "name": "733a1dbb-abdd-45d9-a908-026db7545a29:indexpattern-datasource-layer-c298fa42-a98b-441a-8fc4-7e829887f213", @@ -648,7 +660,6 @@ "type": "index-pattern" } ], - "managed": false, - "coreMigrationVersion": "8.8.0", + "type": "dashboard", "typeMigrationVersion": "8.9.0" } \ No newline at end of file diff --git a/packages/microsoft_sqlserver/manifest.yml b/packages/microsoft_sqlserver/manifest.yml index ed18ca5b54f..a3e99dd5780 100644 
--- a/packages/microsoft_sqlserver/manifest.yml +++ b/packages/microsoft_sqlserver/manifest.yml @@ -1,7 +1,7 @@ format_version: "3.0.2" name: microsoft_sqlserver title: "Microsoft SQL Server" -version: "2.5.1" +version: "2.6.0" description: Collect events from Microsoft SQL Server with Elastic Agent type: integration categories: diff --git a/packages/microsoft_sqlserver/validation.yml b/packages/microsoft_sqlserver/validation.yml deleted file mode 100644 index efdb1de132d..00000000000 --- a/packages/microsoft_sqlserver/validation.yml +++ /dev/null @@ -1,4 +0,0 @@ -errors: - exclude_checks: - - SVR00004 - - SVR00002 diff --git a/packages/mongodb/changelog.yml b/packages/mongodb/changelog.yml index cf136ab1599..5005968018f 100644 --- a/packages/mongodb/changelog.yml +++ b/packages/mongodb/changelog.yml @@ -1,3 +1,8 @@ +- version: "1.14.0" + changes: + - description: Add global filter on data_stream.dataset to improve performance. + type: enhancement + link: https://github.com/elastic/integrations/pull/10075 - version: 1.13.3 changes: - description: Update README with support of LDAP authentication. diff --git a/packages/mongodb/kibana/dashboard/mongodb-Metrics-MongoDB.json b/packages/mongodb/kibana/dashboard/mongodb-Metrics-MongoDB.json index 016424954ad..38ba842421f 100644 --- a/packages/mongodb/kibana/dashboard/mongodb-Metrics-MongoDB.json +++ b/packages/mongodb/kibana/dashboard/mongodb-Metrics-MongoDB.json 
@@ -1,31 +1,50 @@ { "attributes": { "description": "Overview of MongoDB server status", - "hits": 0, "kibanaSavedObjectMeta": { "searchSourceJSON": { - "filter": [], - "highlightAll": true, + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "mongodb.status" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "mongodb.status" + } + } + } + ], "query": { "language": "kuery", "query": "" - }, - "version": true + } } }, "optionsJSON": { - "darkTheme": false + "hidePanelTitles": false, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false, + "useMargins": true }, "panelsJSON": [ { "embeddableConfig": { "attributes": { "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, { "id": "metrics-*", "name": "indexpattern-datasource-layer-45c42eb1-8f78-4db0-96e4-1811e8492a82", @@ -33,8 +52,9 @@ } ], "state": { + "adHocDataViews": {}, "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "45c42eb1-8f78-4db0-96e4-1811e8492a82": { "columnOrder": [ @@ -110,9 +130,10 @@ } }, "filters": [], + "internalReferences": [], "query": { "language": "kuery", - "query": "(data_stream.dataset:mongodb.collstats OR data_stream.dataset:mongodb.dbstats OR data_stream.dataset:mongodb.metrics OR data_stream.dataset:mongodb.replstatus OR data_stream.dataset:mongodb.status)" + "query": "" }, "visualization": { "columns": [ @@ -146,7 +167,9 @@ "paging": { "enabled": true, "size": 10 - } + }, + "rowHeight": "single", + "rowHeightLines": 1 } }, "title": "", 
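Review bot: The new global filter narrows every panel to `data_stream.dataset: mongodb.status`, whereas the per-panel KQL it replaces in the `@@ -110` hunk (and the matching hunks through the "Memory stats" panel on the following lines) also admitted `mongodb.collstats`, `mongodb.dbstats`, `mongodb.metrics` and `mongodb.replstatus`. Any layer whose field exists only in one of those datasets will now render empty, so please confirm each panel on this dashboard reads `mongodb.status` fields; if not, the global filter should be a `phrases` filter listing the datasets actually used. The full column definitions are not visible here, so this is inferred from the removed query strings.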
@@ -164,18 +187,12 @@ }, "panelIndex": "bc6d5996-59f3-4afa-a07a-9b195f98526b", "title": "Hosts", - "type": "lens", - "version": "8.1.0" + "type": "lens" }, { "embeddableConfig": { "attributes": { "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, { "id": "metrics-*", "name": "indexpattern-datasource-layer-629fcc28-f3f6-4e83-916c-2819fc27932f", @@ -183,8 +200,9 @@ } ], "state": { + "adHocDataViews": {}, "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "629fcc28-f3f6-4e83-916c-2819fc27932f": { "columnOrder": [ @@ -244,25 +262,29 @@ } }, "filters": [], + "internalReferences": [], "query": { "language": "kuery", - "query": "(data_stream.dataset:mongodb.collstats OR data_stream.dataset:mongodb.dbstats OR data_stream.dataset:mongodb.metrics OR data_stream.dataset:mongodb.replstatus OR data_stream.dataset:mongodb.status)" + "query": "" }, "visualization": { "layers": [ { "categoryDisplay": "default", - "groups": [ - "89a1e248-457e-4c1f-8d2e-1a06d123b98b", - "7c1cd580-5b6c-4936-8bb8-b28afc94acb2" - ], "layerId": "629fcc28-f3f6-4e83-916c-2819fc27932f", "layerType": "data", "legendDisplay": "default", "legendPosition": "bottom", - "metric": "6b3897b4-0ed3-4d0b-ae9d-112beb917f2a", + "legendSize": "auto", + "metrics": [ + "6b3897b4-0ed3-4d0b-ae9d-112beb917f2a" + ], "nestedLegend": false, - "numberDisplay": "percent" + "numberDisplay": "percent", + "primaryGroups": [ + "89a1e248-457e-4c1f-8d2e-1a06d123b98b", + "7c1cd580-5b6c-4936-8bb8-b28afc94acb2" + ] } ], "palette": { 
@@ -287,18 +309,12 @@ }, "panelIndex": "aa0a1ce4-dab6-4b9d-a917-51ea8eabb3aa", "title": "Engine \u0026 Version", - "type": "lens", - "version": "8.1.0" + "type": "lens" }, { "embeddableConfig": { "attributes": { "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, { "id": "metrics-*", "name": "indexpattern-datasource-layer-4ac4c2b2-57a7-4452-9c9e-ded3004eb832", @@ -306,8 +322,9 @@ } ], "state": { + "adHocDataViews": {}, "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "4ac4c2b2-57a7-4452-9c9e-ded3004eb832": { "columnOrder": [ @@ -340,6 +357,7 @@ "label": "@timestamp", "operationType": "date_histogram", "params": { + "includeEmptyRows": true, "interval": "auto" }, "scale": "interval", @@ -352,9 +370,10 @@ } }, "filters": [], + "internalReferences": [], "query": { "language": "kuery", - "query": "(data_stream.dataset:mongodb.collstats OR data_stream.dataset:mongodb.dbstats OR data_stream.dataset:mongodb.metrics OR data_stream.dataset:mongodb.replstatus OR data_stream.dataset:mongodb.status)" + "query": "" }, "visualization": { "gridlinesVisibilitySettings": { @@ -390,6 +409,7 @@ ], "legend": { "isVisible": true, + "legendSize": "auto", "position": "bottom", "showSingleSeries": true }, @@ -420,18 +440,12 @@ }, "panelIndex": "38e509ef-aead-4347-8f62-79d1b27328e8", "title": "Concurrent transactions Write", - "type": "lens", - "version": "8.1.0" + "type": "lens" }, { "embeddableConfig": { "attributes": { "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, { "id": "metrics-*", "name": "indexpattern-datasource-layer-4ac4c2b2-57a7-4452-9c9e-ded3004eb832", @@ -439,8 +453,9 @@ } ], "state": { + "adHocDataViews": {}, "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "4ac4c2b2-57a7-4452-9c9e-ded3004eb832": { "columnOrder": [ 
@@ -495,6 +510,7 @@ "label": "@timestamp", "operationType": "date_histogram", "params": { + "includeEmptyRows": true, "interval": "auto" }, "scale": "interval", @@ -525,9 +541,10 @@ } }, "filters": [], + "internalReferences": [], "query": { "language": "kuery", - "query": "(data_stream.dataset:mongodb.collstats OR data_stream.dataset:mongodb.dbstats OR data_stream.dataset:mongodb.metrics OR data_stream.dataset:mongodb.replstatus OR data_stream.dataset:mongodb.status)" + "query": "" }, "visualization": { "gridlinesVisibilitySettings": { @@ -587,6 +604,7 @@ ], "legend": { "isVisible": true, + "legendSize": "auto", "position": "bottom", "showSingleSeries": true }, @@ -617,18 +635,12 @@ }, "panelIndex": "8d83ef8a-9338-4a39-8f56-1007e767f237", "title": "Operation counters", - "type": "lens", - "version": "8.1.0" + "type": "lens" }, { "embeddableConfig": { "attributes": { "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, { "id": "metrics-*", "name": "indexpattern-datasource-layer-4ac4c2b2-57a7-4452-9c9e-ded3004eb832", @@ -636,8 +648,9 @@ } ], "state": { + "adHocDataViews": {}, "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "4ac4c2b2-57a7-4452-9c9e-ded3004eb832": { "columnOrder": [ @@ -670,6 +683,7 @@ "label": "@timestamp", "operationType": "date_histogram", "params": { + "includeEmptyRows": true, "interval": "auto" }, "scale": "interval", @@ -682,9 +696,10 @@ } }, "filters": [], + "internalReferences": [], "query": { "language": "kuery", - "query": "(data_stream.dataset:mongodb.collstats OR data_stream.dataset:mongodb.dbstats OR data_stream.dataset:mongodb.metrics OR data_stream.dataset:mongodb.replstatus OR data_stream.dataset:mongodb.status)" + "query": "" }, "visualization": { "gridlinesVisibilitySettings": { @@ -720,6 +735,7 @@ ], "legend": { "isVisible": true, + "legendSize": "auto", "position": "bottom", "showSingleSeries": true }, 
@@ -750,18 +766,12 @@ }, "panelIndex": "01cd0dd5-fe82-474c-a71d-1d383a578ac3", "title": "Concurrent transactions Read", - "type": "lens", - "version": "8.1.0" + "type": "lens" }, { "embeddableConfig": { "attributes": { "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, { "id": "metrics-*", "name": "indexpattern-datasource-layer-4ac4c2b2-57a7-4452-9c9e-ded3004eb832", @@ -769,8 +779,9 @@ } ], "state": { + "adHocDataViews": {}, "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "4ac4c2b2-57a7-4452-9c9e-ded3004eb832": { "columnOrder": [ @@ -804,6 +815,7 @@ "label": "@timestamp", "operationType": "date_histogram", "params": { + "includeEmptyRows": true, "interval": "auto" }, "scale": "interval", @@ -825,9 +837,10 @@ } }, "filters": [], + "internalReferences": [], "query": { "language": "kuery", - "query": "(data_stream.dataset:mongodb.collstats OR data_stream.dataset:mongodb.dbstats OR data_stream.dataset:mongodb.metrics OR data_stream.dataset:mongodb.replstatus OR data_stream.dataset:mongodb.status)" + "query": "" }, "visualization": { "gridlinesVisibilitySettings": { @@ -869,6 +882,7 @@ ], "legend": { "isVisible": true, + "legendSize": "auto", "position": "bottom", "showSingleSeries": true }, @@ -899,18 +913,12 @@ }, "panelIndex": "bac2a243-da26-47e5-a25e-0190bbf6b2e5", "title": "WiredTiger Cache", - "type": "lens", - "version": "8.1.0" + "type": "lens" }, { "embeddableConfig": { "attributes": { "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, { "id": "metrics-*", "name": "indexpattern-datasource-layer-4ac4c2b2-57a7-4452-9c9e-ded3004eb832", @@ -918,8 +926,9 @@ } ], "state": { + "adHocDataViews": {}, "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "4ac4c2b2-57a7-4452-9c9e-ded3004eb832": { "columnOrder": [ 
@@ -964,6 +973,7 @@ "label": "@timestamp", "operationType": "date_histogram", "params": { + "includeEmptyRows": true, "interval": "auto" }, "scale": "interval", @@ -994,9 +1004,10 @@ } }, "filters": [], + "internalReferences": [], "query": { "language": "kuery", - "query": "(data_stream.dataset:mongodb.collstats OR data_stream.dataset:mongodb.dbstats OR data_stream.dataset:mongodb.metrics OR data_stream.dataset:mongodb.replstatus OR data_stream.dataset:mongodb.status)" + "query": "" }, "visualization": { "gridlinesVisibilitySettings": { @@ -1050,6 +1061,7 @@ ], "legend": { "isVisible": true, + "legendSize": "auto", "position": "bottom", "showSingleSeries": true }, @@ -1080,18 +1092,12 @@ }, "panelIndex": "f010c091-9148-441c-9104-d991418b0584", "title": "Asserts", - "type": "lens", - "version": "8.1.0" + "type": "lens" }, { "embeddableConfig": { "attributes": { "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, { "id": "metrics-*", "name": "indexpattern-datasource-layer-4ac4c2b2-57a7-4452-9c9e-ded3004eb832", @@ -1099,8 +1105,9 @@ } ], "state": { + "adHocDataViews": {}, "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "4ac4c2b2-57a7-4452-9c9e-ded3004eb832": { "columnOrder": [ @@ -1135,6 +1142,7 @@ "label": "@timestamp", "operationType": "date_histogram", "params": { + "includeEmptyRows": true, "interval": "auto" }, "scale": "interval", @@ -1165,9 +1173,10 @@ } }, "filters": [], + "internalReferences": [], "query": { "language": "kuery", - "query": "(data_stream.dataset:mongodb.collstats OR data_stream.dataset:mongodb.dbstats OR data_stream.dataset:mongodb.metrics OR data_stream.dataset:mongodb.replstatus OR data_stream.dataset:mongodb.status)" + "query": "" }, "visualization": { "gridlinesVisibilitySettings": { @@ -1215,6 +1224,7 @@ ], "legend": { "isVisible": true, + "legendSize": "auto", "position": "bottom", "showSingleSeries": true }, 
@@ -1245,23 +1255,21 @@ }, "panelIndex": "4de5684e-c5c9-45be-b15a-0251215994c2", "title": "Memory stats", - "type": "lens", - "version": "8.1.0" + "type": "lens" } ], "timeRestore": false, "title": "[Metrics MongoDB] Overview", "version": 1 }, - "coreMigrationVersion": "8.1.0", + "coreMigrationVersion": "8.8.0", + "created_at": "2024-05-13T09:03:41.189Z", "id": "mongodb-Metrics-MongoDB", - "migrationVersion": { - "dashboard": "8.1.0" - }, + "managed": false, "references": [ { "id": "metrics-*", - "name": "bc6d5996-59f3-4afa-a07a-9b195f98526b:indexpattern-datasource-current-indexpattern", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern" }, { 
@@ -1269,76 +1277,42 @@ "name": "bc6d5996-59f3-4afa-a07a-9b195f98526b:indexpattern-datasource-layer-45c42eb1-8f78-4db0-96e4-1811e8492a82", "type": "index-pattern" }, - { - "id": "metrics-*", - "name": "aa0a1ce4-dab6-4b9d-a917-51ea8eabb3aa:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, { "id": "metrics-*", "name": "aa0a1ce4-dab6-4b9d-a917-51ea8eabb3aa:indexpattern-datasource-layer-629fcc28-f3f6-4e83-916c-2819fc27932f", "type": "index-pattern" }, - { - "id": "metrics-*", - "name": "38e509ef-aead-4347-8f62-79d1b27328e8:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, { "id": "metrics-*", "name": "38e509ef-aead-4347-8f62-79d1b27328e8:indexpattern-datasource-layer-4ac4c2b2-57a7-4452-9c9e-ded3004eb832", "type": "index-pattern" }, - { - "id": "metrics-*", - "name": "8d83ef8a-9338-4a39-8f56-1007e767f237:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, { "id": "metrics-*", "name": "8d83ef8a-9338-4a39-8f56-1007e767f237:indexpattern-datasource-layer-4ac4c2b2-57a7-4452-9c9e-ded3004eb832", "type": "index-pattern" }, - { - "id": "metrics-*", - "name": "01cd0dd5-fe82-474c-a71d-1d383a578ac3:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, { "id": "metrics-*", "name": "01cd0dd5-fe82-474c-a71d-1d383a578ac3:indexpattern-datasource-layer-4ac4c2b2-57a7-4452-9c9e-ded3004eb832", "type": "index-pattern" }, - { - "id": "metrics-*", - "name": "bac2a243-da26-47e5-a25e-0190bbf6b2e5:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, { "id": "metrics-*", "name": "bac2a243-da26-47e5-a25e-0190bbf6b2e5:indexpattern-datasource-layer-4ac4c2b2-57a7-4452-9c9e-ded3004eb832", "type": "index-pattern" }, - { - "id": "metrics-*", - "name": "f010c091-9148-441c-9104-d991418b0584:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, { "id": "metrics-*", "name": 
"f010c091-9148-441c-9104-d991418b0584:indexpattern-datasource-layer-4ac4c2b2-57a7-4452-9c9e-ded3004eb832", "type": "index-pattern" }, - { - "id": "metrics-*", - "name": "4de5684e-c5c9-45be-b15a-0251215994c2:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, { "id": "metrics-*", "name": "4de5684e-c5c9-45be-b15a-0251215994c2:indexpattern-datasource-layer-4ac4c2b2-57a7-4452-9c9e-ded3004eb832", "type": "index-pattern" } ], - "type": "dashboard" + "type": "dashboard", + "typeMigrationVersion": "8.9.0" } \ No newline at end of file diff --git a/packages/mongodb/kibana/dashboard/mongodb-abcf35b0-0a82-11e8-bffe-ff7d4f68cf94.json b/packages/mongodb/kibana/dashboard/mongodb-abcf35b0-0a82-11e8-bffe-ff7d4f68cf94.json index 38cd21cc82a..c5b3eedb61b 100644 --- a/packages/mongodb/kibana/dashboard/mongodb-abcf35b0-0a82-11e8-bffe-ff7d4f68cf94.json +++ b/packages/mongodb/kibana/dashboard/mongodb-abcf35b0-0a82-11e8-bffe-ff7d4f68cf94.json 
@@ -1,83 +1,50 @@ { "attributes": { "description": "Logs MongoDB integration overview", - "hits": 0, "kibanaSavedObjectMeta": { "searchSourceJSON": { - "filter": [], - "highlightAll": true, + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "mongodb.log" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "mongodb.log" + } + } + } + ], "query": { "language": "kuery", "query": "" - }, - "version": true + } } }, "optionsJSON": { - "darkTheme": false + "hidePanelTitles": false, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false, + "useMargins": true }, "panelsJSON": [ - { - "embeddableConfig": { - "columns": [ - "log.level", - "mongodb.log.component", - "mongodb.log.context", - "message" - ], - "enhancements": {}, - "sort": [ - "@timestamp", - "desc" - ] - }, - "gridData": { - "h": 12, - "i": "2", - "w": 32, - "x": 16, - "y": 0 - }, - "panelIndex": "2", - "panelRefName": "panel_2", - "type": "search", - "version": "8.1.0" - }, - { - "embeddableConfig": { - "columns": [ - "log.level", - "mongodb.log.component", - "mongodb.log.context", - "message" - ], - "enhancements": {}, - "sort": [ - "@timestamp", - "asc" - ] - }, - "gridData": { - "h": 24, - "i": "3", - "w": 48, - "x": 0, - "y": 12 - }, - "panelIndex": "3", - "panelRefName": "panel_3", - "type": "search", - "version": "8.1.0" - }, { "embeddableConfig": { "attributes": { "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, { "id": "logs-*", "name": "indexpattern-datasource-layer-1b24032e-d5d1-486a-9722-73ee57f1af16", 
@@ -85,8 +52,9 @@ } ], "state": { + "adHocDataViews": {}, "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "1b24032e-d5d1-486a-9722-73ee57f1af16": { "columnOrder": [ @@ -129,23 +97,27 @@ } }, "filters": [], + "internalReferences": [], "query": { "language": "kuery", - "query": "data_stream.dataset : \"mongodb.log\"" + "query": "" }, "visualization": { "layers": [ { "categoryDisplay": "default", - "groups": [ - "a9b00096-3941-408c-86f1-d7f7aeaea864" - ], "layerId": "1b24032e-d5d1-486a-9722-73ee57f1af16", "layerType": "data", "legendDisplay": "show", - "metric": "d9fa1057-5a6f-4b9e-a169-c1f15e4a2e1a", + "legendSize": "auto", + "metrics": [ + "d9fa1057-5a6f-4b9e-a169-c1f15e4a2e1a" + ], "nestedLegend": false, - "numberDisplay": "percent" + "numberDisplay": "percent", + "primaryGroups": [ + "a9b00096-3941-408c-86f1-d7f7aeaea864" + ] } ], "palette": { 
@@ -170,40 +142,161 @@ }, "panelIndex": "c04eb490-6120-49a7-a289-4c330689eb64", "title": "Logs Severity", - "type": "lens", - "version": "8.1.0" + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "columns": [ + "log.level", + "mongodb.log.component", + "mongodb.log.context", + "message" + ], + "grid": {}, + "hideChart": false, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset: \\\"mongodb.log\\\" and (log.level: E or log.level: F or log.level: W)\"},\"version\":true}" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "fleet-managed-default", + "name": "tag-ref-fleet-managed-default", + "type": "tag" + }, + { + "id": "fleet-pkg-mongodb-default", + "name": "tag-ref-fleet-pkg-mongodb-default", + "type": "tag" + } + ], + "sort": [ + [ + "@timestamp", + "desc" + ] + ] + }, + "columns": [ + "log.level", + "mongodb.log.component", + "mongodb.log.context", + "message" + ], + "enhancements": {}, + "sort": [ + "@timestamp", + "desc" + ] + }, + "gridData": { + "h": 12, + "i": "90c008d4-38c2-43ec-aa93-3c9a83a1b375", + "w": 32, + "x": 16, + "y": 0 + }, + "panelIndex": "90c008d4-38c2-43ec-aa93-3c9a83a1b375", + "title": "Error logs", + "type": "search" + }, + { + "embeddableConfig": { + "attributes": { + "columns": [ + "log.level", + "mongodb.log.component", + "mongodb.log.context", + "message" + ], + "grid": {}, + "hideChart": false, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:mongodb.log\"},\"version\":true}" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": 
"index-pattern" + }, + { + "id": "fleet-managed-default", + "name": "tag-ref-fleet-managed-default", + "type": "tag" + }, + { + "id": "fleet-pkg-mongodb-default", + "name": "tag-ref-fleet-pkg-mongodb-default", + "type": "tag" + } + ], + "sort": [ + [ + "@timestamp", + "asc" + ] + ] + }, + "columns": [ + "log.level", + "mongodb.log.component", + "mongodb.log.context", + "message" + ], + "enhancements": {}, + "sort": [ + "@timestamp", + "asc" + ] + }, + "gridData": { + "h": 24, + "i": "11c27bd6-8e81-4f3b-b868-2e2fd4c20076", + "w": 48, + "x": 0, + "y": 12 + }, + "panelIndex": "11c27bd6-8e81-4f3b-b868-2e2fd4c20076", + "title": "Logs MongoDB", + "type": "search" } ], "timeRestore": false, "title": "[Logs MongoDB] Overview", "version": 1 }, - "coreMigrationVersion": "8.1.0", + "coreMigrationVersion": "8.8.0", + "created_at": "2024-04-19T10:15:07.688Z", "id": "mongodb-abcf35b0-0a82-11e8-bffe-ff7d4f68cf94", - "migrationVersion": { - "dashboard": "8.1.0" - }, + "managed": false, "references": [ { - "id": "mongodb-e49fe000-0a7e-11e8-bffe-ff7d4f68cf94", - "name": "2:panel_2", - "type": "search" + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" }, { - "id": "mongodb-bfc96a60-0a80-11e8-bffe-ff7d4f68cf94", - "name": "3:panel_3", - "type": "search" + "id": "logs-*", + "name": "c04eb490-6120-49a7-a289-4c330689eb64:indexpattern-datasource-layer-1b24032e-d5d1-486a-9722-73ee57f1af16", + "type": "index-pattern" }, { "id": "logs-*", - "name": "c04eb490-6120-49a7-a289-4c330689eb64:indexpattern-datasource-current-indexpattern", + "name": "90c008d4-38c2-43ec-aa93-3c9a83a1b375:kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern" }, { "id": "logs-*", - "name": "c04eb490-6120-49a7-a289-4c330689eb64:indexpattern-datasource-layer-1b24032e-d5d1-486a-9722-73ee57f1af16", + "name": "11c27bd6-8e81-4f3b-b868-2e2fd4c20076:kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern" } ], - "type": 
"dashboard" + "type": "dashboard", + "typeMigrationVersion": "8.9.0" } \ No newline at end of file diff --git a/packages/mongodb/manifest.yml b/packages/mongodb/manifest.yml index eb00ab42757..d968aaa5fe8 100644 --- a/packages/mongodb/manifest.yml +++ b/packages/mongodb/manifest.yml @@ -1,6 +1,6 @@ name: mongodb title: MongoDB -version: "1.13.3" +version: "1.14.0" description: Collect logs and metrics from MongoDB instances with Elastic Agent. type: integration categories: diff --git a/packages/mongodb/validation.yml b/packages/mongodb/validation.yml deleted file mode 100644 index efdb1de132d..00000000000 --- a/packages/mongodb/validation.yml +++ /dev/null @@ -1,4 +0,0 @@ -errors: - exclude_checks: - - SVR00004 - - SVR00002 diff --git a/packages/mongodb_atlas/changelog.yml b/packages/mongodb_atlas/changelog.yml index edaa63040ea..963f72b2f03 100644 --- a/packages/mongodb_atlas/changelog.yml +++ b/packages/mongodb_atlas/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "0.0.6" + changes: + - description: Add global filter on data_stream.dataset to improve performance. + type: enhancement + link: https://github.com/elastic/integrations/pull/10075 - version: "0.0.5" changes: - description: MongoDB Atlas integration package with "organization" data stream. diff --git a/packages/mongodb_atlas/kibana/dashboard/mongodb_atlas-88554c14-2b94-424f-8a3e-b6f65722fd51.json b/packages/mongodb_atlas/kibana/dashboard/mongodb_atlas-88554c14-2b94-424f-8a3e-b6f65722fd51.json index a16e66af73d..74ed36bf594 100644 --- a/packages/mongodb_atlas/kibana/dashboard/mongodb_atlas-88554c14-2b94-424f-8a3e-b6f65722fd51.json +++ b/packages/mongodb_atlas/kibana/dashboard/mongodb_atlas-88554c14-2b94-424f-8a3e-b6f65722fd51.json @@ -61,7 +61,6 @@ "adHocDataViews": {}, "datasourceStates": { "formBased": { - "currentIndexPatternId": "logs-*", "layers": { "e6b79055-c39d-4d4a-bb19-bc3690eaebad": { "columnOrder": [ 
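Review bot: The two saved-search panels converted to by-value embeddables keep `tag` references (`fleet-managed-default`, `fleet-pkg-mongodb-default`) inside `embeddableConfig.attributes.references`; tags are attached to saved objects, and an inline panel has no saved object for them to apply to, so I would drop the two `tag` entries from each panel rather than have the import resolve references it cannot use — please confirm against what Kibana exports for a by-value search. The `panelRefName` references to `mongodb-e49fe000-0a7e-11e8-bffe-ff7d4f68cf94` and `mongodb-bfc96a60-0a80-11e8-bffe-ff7d4f68cf94` are gone from the dashboard's `references`, so if those saved-search files are still shipped in the package they are now unreferenced and should be removed in the same change. The "Error logs" panel's KQL `data_stream.dataset: "mongodb.log" and (log.level: E or log.level: F or log.level: W)` repeats the new global filter; harmless, but it can be reduced to the severity clause.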
@@ -124,7 +123,6 @@ }, "ignoreGlobalFilters": false, "incompleteColumns": {}, - "indexPatternId": "logs-*", "sampling": 1 } } @@ -136,30 +134,7 @@ "layers": {} } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "field": "data_stream.dataset", - "index": "27f966a9-6db9-4f8e-a26f-ece17d0f59b4", - "key": "data_stream.dataset", - "negate": false, - "params": { - "query": "mongodb_atlas.mongod_audit" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "data_stream.dataset": "mongodb_atlas.mongod_audit" - } - } - } - ], + "filters": [], "internalReferences": [], "query": { "language": "kuery", @@ -227,7 +202,6 @@ "adHocDataViews": {}, "datasourceStates": { "formBased": { - "currentIndexPatternId": "logs-*", "layers": { "6a395f87-9046-43eb-9868-fcb5fef2d588": { "columnOrder": [ @@ -249,7 +223,6 @@ }, "ignoreGlobalFilters": false, "incompleteColumns": {}, - "indexPatternId": "logs-*", "sampling": 1 } } @@ -262,28 +235,6 @@ } }, "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "field": "data_stream.dataset", - "index": "970ff4e8-40d3-4202-88fe-e30cb734fcf2", - "key": "data_stream.dataset", - "negate": false, - "params": { - "query": "mongodb_atlas.mongod_audit" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "data_stream.dataset": "mongodb_atlas.mongod_audit" - } - } - }, { "$state": { "store": "appState" @@ -350,7 +301,6 @@ "adHocDataViews": {}, "datasourceStates": { "formBased": { - "currentIndexPatternId": "logs-*", "layers": { "b854c8f5-b3d4-4671-a815-22ce69800910": { "columnOrder": [ @@ -414,7 +364,6 @@ }, "ignoreGlobalFilters": false, "incompleteColumns": {}, - "indexPatternId": "logs-*", "sampling": 1 } } 
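Review bot: The `"filters": []` rewrites in `@@ -136,30 +134,7 @@` and `@@ -426,30 +375,7 @@` remove every panel-level `data_stream.dataset: mongodb_atlas.mongod_audit` filter, but nothing in this file's diff shows the dashboard-level replacement; since the first hunk starts at line 61, any `kibanaSavedObjectMeta.searchSourceJSON.filter` entry must already sit in the unchanged header and should be confirmed to pin `mongodb_atlas.mongod_audit`, otherwise each Lens panel now queries all of `logs-*`. The substitution is also only equivalent where every affected panel keeps `"ignoreGlobalFilters": false`; that key is visible as context in `@@ -124,7 +123,6 @@`, `@@ -249,7 +223,6 @@` and `@@ -414,7 +364,6 @@` here, but not for every panel touched in the later hunks, so it is worth checking on the remaining layers. The same observation applies to the rest of this file, to the `mongod_database` dashboard `mongodb_atlas-b6ceb5eb-…` (first hunk at line 58), and to both php_fpm dashboards (first hunks at line 55), whose removed filters were keyed on `event.dataset` rather than `data_stream.dataset`, so the new global filter only stands in for them if both fields carry the same dataset value for `php_fpm.process` and `php_fpm.pool`.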
@@ -426,30 +375,7 @@ "layers": {} } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "field": "data_stream.dataset", - "index": "638338d2-7c80-4da4-a43c-2bb67be66bbd", - "key": "data_stream.dataset", - "negate": false, - "params": { - "query": "mongodb_atlas.mongod_audit" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "data_stream.dataset": "mongodb_atlas.mongod_audit" - } - } - } - ], + "filters": [], "internalReferences": [], "query": { "language": "kuery", @@ -512,12 +438,7 @@ }, { "id": "logs-*", - "name": "ea764634-d952-4afc-b0d0-6b2593e631d8", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "9d965676-699b-4da6-9773-12c586fe1451", + "name": "e5be244c-432f-47c5-9406-9756e88a8999", "type": "index-pattern" } ], @@ -563,29 +484,7 @@ "meta": { "alias": null, "disabled": false, - "field": "data_stream.dataset", - "index": "ea764634-d952-4afc-b0d0-6b2593e631d8", - "key": "data_stream.dataset", - "negate": false, - "params": { - "query": "mongodb_atlas.mongod_audit" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "data_stream.dataset": "mongodb_atlas.mongod_audit" - } - } - }, - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "9d965676-699b-4da6-9773-12c586fe1451", + "index": "e5be244c-432f-47c5-9406-9756e88a8999", "negate": false, "params": [ { @@ -674,12 +573,7 @@ }, { "id": "logs-*", - "name": "d26fabf1-07c9-440f-8ed7-36510678e8f2", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "c1d1916b-8c57-4c7e-82c0-a169b86bc58a", + "name": "cd133b74-efe8-42ef-89a6-f69e5da3f9f5", "type": "index-pattern" } ], 
@@ -727,29 +621,7 @@ "meta": { "alias": null, "disabled": false, - "field": "data_stream.dataset", - "index": "d26fabf1-07c9-440f-8ed7-36510678e8f2", - "key": "data_stream.dataset", - "negate": false, - "params": { - "query": "mongodb_atlas.mongod_audit" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "data_stream.dataset": "mongodb_atlas.mongod_audit" - } - } - }, - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "c1d1916b-8c57-4c7e-82c0-a169b86bc58a", + "index": "cd133b74-efe8-42ef-89a6-f69e5da3f9f5", "negate": false, "params": [ { @@ -840,7 +712,6 @@ "adHocDataViews": {}, "datasourceStates": { "formBased": { - "currentIndexPatternId": "logs-*", "layers": { "2738d1cf-d706-488d-87f1-4a312f1b0aec": { "columnOrder": [ @@ -889,7 +760,6 @@ }, "ignoreGlobalFilters": false, "incompleteColumns": {}, - "indexPatternId": "logs-*", "sampling": 1 } } @@ -901,30 +771,7 @@ "layers": {} } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "field": "data_stream.dataset", - "index": "85a41d10-1b4d-4711-8048-1100e601ea6b", - "key": "data_stream.dataset", - "negate": false, - "params": { - "query": "mongodb_atlas.mongod_audit" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "data_stream.dataset": "mongodb_atlas.mongod_audit" - } - } - } - ], + "filters": [], "internalReferences": [], "query": { "language": "kuery", @@ -983,7 +830,6 @@ "adHocDataViews": {}, "datasourceStates": { "formBased": { - "currentIndexPatternId": "logs-*", "layers": { "c7b75e0b-22bc-4f3a-800b-8c8046a809b0": { "columnOrder": [ @@ -1060,7 +906,6 @@ }, "ignoreGlobalFilters": false, "incompleteColumns": {}, - "indexPatternId": "logs-*", "sampling": 1 } } 
@@ -1072,30 +917,7 @@ "layers": {} } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "field": "data_stream.dataset", - "index": "8e5b3099-5943-441f-9a3c-6ec2573af079", - "key": "data_stream.dataset", - "negate": false, - "params": { - "query": "mongodb_atlas.mongod_audit" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "data_stream.dataset": "mongodb_atlas.mongod_audit" - } - } - } - ], + "filters": [], "internalReferences": [], "query": { "language": "kuery", @@ -1303,30 +1125,7 @@ "layers": {} } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "field": "data_stream.dataset", - "index": "b7eedcd9-3437-4fb3-9cd1-e68236cacee1", - "key": "data_stream.dataset", - "negate": false, - "params": { - "query": "mongodb_atlas.mongod_audit" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "data_stream.dataset": "mongodb_atlas.mongod_audit" - } - } - } - ], + "filters": [], "internalReferences": [], "query": { "language": "kuery", @@ -1410,7 +1209,7 @@ "version": 1 }, "coreMigrationVersion": "8.8.0", - "created_at": "2024-03-13T10:52:35.457Z", + "created_at": "2024-06-07T12:46:06.387Z", "id": "mongodb_atlas-88554c14-2b94-424f-8a3e-b6f65722fd51", "managed": false, "references": [ @@ -1441,12 +1240,7 @@ }, { "id": "logs-*", - "name": "c9c47a9b-0732-4bd9-b7d9-9900f5651b8c:ea764634-d952-4afc-b0d0-6b2593e631d8", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "c9c47a9b-0732-4bd9-b7d9-9900f5651b8c:9d965676-699b-4da6-9773-12c586fe1451", + "name": "c9c47a9b-0732-4bd9-b7d9-9900f5651b8c:e5be244c-432f-47c5-9406-9756e88a8999", "type": "index-pattern" }, { 
@@ -1456,12 +1250,7 @@ }, { "id": "logs-*", - "name": "e7947ccd-02d3-4787-9d37-a93f2eefe560:d26fabf1-07c9-440f-8ed7-36510678e8f2", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "e7947ccd-02d3-4787-9d37-a93f2eefe560:c1d1916b-8c57-4c7e-82c0-a169b86bc58a", + "name": "e7947ccd-02d3-4787-9d37-a93f2eefe560:cd133b74-efe8-42ef-89a6-f69e5da3f9f5", "type": "index-pattern" }, { diff --git a/packages/mongodb_atlas/kibana/dashboard/mongodb_atlas-b6ceb5eb-c380-42c1-a3ca-8fcd0bc3dc50.json b/packages/mongodb_atlas/kibana/dashboard/mongodb_atlas-b6ceb5eb-c380-42c1-a3ca-8fcd0bc3dc50.json index 55568a8e0b3..fa4faba5914 100644 --- a/packages/mongodb_atlas/kibana/dashboard/mongodb_atlas-b6ceb5eb-c380-42c1-a3ca-8fcd0bc3dc50.json +++ b/packages/mongodb_atlas/kibana/dashboard/mongodb_atlas-b6ceb5eb-c380-42c1-a3ca-8fcd0bc3dc50.json @@ -58,12 +58,7 @@ }, { "id": "logs-*", - "name": "eb47556c-d770-4cc4-adba-5bc26a9c99e9", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "fe22ce24-cb25-4bfc-b216-f24615c19601", + "name": "02b95cc9-ef22-415a-9b34-8378c5738765", "type": "index-pattern" } ], @@ -144,28 +139,6 @@ } }, "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "field": "data_stream.dataset", - "index": "eb47556c-d770-4cc4-adba-5bc26a9c99e9", - "key": "data_stream.dataset", - "negate": false, - "params": { - "query": "mongodb_atlas.mongod_database" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "data_stream.dataset": "mongodb_atlas.mongod_database" - } - } - }, { "$state": { "store": "appState" @@ -174,7 +147,7 @@ "alias": null, "disabled": false, "field": "log.level", - "index": "fe22ce24-cb25-4bfc-b216-f24615c19601", + "index": "02b95cc9-ef22-415a-9b34-8378c5738765", "key": "log.level", "negate": true, "params": { 
@@ -255,7 +228,6 @@ "adHocDataViews": {}, "datasourceStates": { "formBased": { - "currentIndexPatternId": "logs-*", "layers": { "de3eac83-7fe6-437f-a2a6-e68ac19cb300": { "columnOrder": [ @@ -302,7 +274,6 @@ } }, "incompleteColumns": {}, - "indexPatternId": "logs-*", "sampling": 1 } } @@ -315,28 +286,6 @@ } }, "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "field": "data_stream.dataset", - "index": "dbcbe9e4-d0eb-400e-a756-1e331bc5fe82", - "key": "data_stream.dataset", - "negate": false, - "params": { - "query": "mongodb_atlas.mongod_database" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "data_stream.dataset": "mongodb_atlas.mongod_database" - } - } - }, { "$state": { "store": "appState" @@ -413,11 +362,6 @@ "id": "logs-*", "name": "indexpattern-datasource-layer-27ceb5f7-3fd0-4bb5-bcb8-02c056e4e0a5", "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "6ec257bf-90cf-4ab5-a72c-c26208d0ebcd", - "type": "index-pattern" } ], "state": { @@ -482,30 +426,7 @@ "layers": {} } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "field": "data_stream.dataset", - "index": "6ec257bf-90cf-4ab5-a72c-c26208d0ebcd", - "key": "data_stream.dataset", - "negate": false, - "params": { - "query": "mongodb_atlas.mongod_database" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "data_stream.dataset": "mongodb_atlas.mongod_database" - } - } - } - ], + "filters": [], "internalReferences": [], "query": { "language": "kuery", @@ -563,7 +484,6 @@ "adHocDataViews": {}, "datasourceStates": { "formBased": { - "currentIndexPatternId": "logs-*", "layers": { "96d79b7e-3e2c-4d1f-9068-e0343ed98ec8": { "columnOrder": [ @@ -611,7 +531,6 @@ } }, "incompleteColumns": {}, - "indexPatternId": "logs-*", "sampling": 1 } } 
@@ -624,28 +543,6 @@ } }, "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "field": "data_stream.dataset", - "index": "7f33123a-e17f-4b57-9f57-72b0687a47b5", - "key": "data_stream.dataset", - "negate": false, - "params": { - "query": "mongodb_atlas.mongod_database" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "data_stream.dataset": "mongodb_atlas.mongod_database" - } - } - }, { "$state": { "store": "appState" @@ -720,11 +617,6 @@ "id": "logs-*", "name": "indexpattern-datasource-layer-5d61c1b6-6caa-44f6-bdfe-56af89106f60", "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "ee5bc37c-3b8f-446f-84d7-83f75074598c", - "type": "index-pattern" } ], "state": { @@ -803,30 +695,7 @@ "layers": {} } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "field": "data_stream.dataset", - "index": "ee5bc37c-3b8f-446f-84d7-83f75074598c", - "key": "data_stream.dataset", - "negate": false, - "params": { - "query": "mongodb_atlas.mongod_database" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "data_stream.dataset": "mongodb_atlas.mongod_database" - } - } - } - ], + "filters": [], "internalReferences": [], "query": { "language": "kuery", @@ -886,7 +755,7 @@ "version": 1 }, "coreMigrationVersion": "8.8.0", - "created_at": "2024-04-16T13:16:31.306Z", + "created_at": "2024-06-07T12:47:34.760Z", "id": "mongodb_atlas-b6ceb5eb-c380-42c1-a3ca-8fcd0bc3dc50", "managed": false, "references": [ @@ -902,12 +771,7 @@ }, { "id": "logs-*", - "name": "556840e3-fd50-40ee-8dac-81fb08a9e2f4:eb47556c-d770-4cc4-adba-5bc26a9c99e9", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "556840e3-fd50-40ee-8dac-81fb08a9e2f4:fe22ce24-cb25-4bfc-b216-f24615c19601", + "name": "556840e3-fd50-40ee-8dac-81fb08a9e2f4:02b95cc9-ef22-415a-9b34-8378c5738765", "type": "index-pattern" }, { 
@@ -920,11 +784,6 @@
       "name": "fdb9a1a3-a892-49cf-87ef-ed2311b88040:indexpattern-datasource-layer-27ceb5f7-3fd0-4bb5-bcb8-02c056e4e0a5",
       "type": "index-pattern"
     },
-    {
-      "id": "logs-*",
-      "name": "fdb9a1a3-a892-49cf-87ef-ed2311b88040:6ec257bf-90cf-4ab5-a72c-c26208d0ebcd",
-      "type": "index-pattern"
-    },
     {
       "id": "logs-*",
       "name": "3dc2c4c6-e34a-41ce-860d-7e0700e6deec:indexpattern-datasource-layer-96d79b7e-3e2c-4d1f-9068-e0343ed98ec8",
@@ -935,11 +794,6 @@
       "name": "6d436f31-838a-497b-9b83-bfd3cf66f23c:indexpattern-datasource-layer-5d61c1b6-6caa-44f6-bdfe-56af89106f60",
       "type": "index-pattern"
     },
-    {
-      "id": "logs-*",
-      "name": "6d436f31-838a-497b-9b83-bfd3cf66f23c:ee5bc37c-3b8f-446f-84d7-83f75074598c",
-      "type": "index-pattern"
-    },
     {
       "id": "logs-*",
       "name": "controlGroup_b1c83e14-fc43-4648-8f9c-1a0e87595360:optionsListDataView",
diff --git a/packages/mongodb_atlas/manifest.yml b/packages/mongodb_atlas/manifest.yml
index c8f6aa036ba..bf0a653ee14 100644
--- a/packages/mongodb_atlas/manifest.yml
+++ b/packages/mongodb_atlas/manifest.yml
@@ -1,7 +1,7 @@
 format_version: 3.0.3
 name: mongodb_atlas
 title: "MongoDB Atlas"
-version: 0.0.5
+version: 0.0.6
 source:
   license: "Elastic-2.0"
 description: This Elastic integration collects logs and metrics from MongoDB Atlas instance.
diff --git a/packages/php_fpm/changelog.yml b/packages/php_fpm/changelog.yml
index 51ac1e44a79..3c0abfec3a0 100644
--- a/packages/php_fpm/changelog.yml
+++ b/packages/php_fpm/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.3.0"
+  changes:
+    - description: Add global filter on data_stream.dataset to improve performance.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/10075
 - version: "1.2.1"
   changes:
     - description: Update README to follow documentation guidelines.
diff --git a/packages/php_fpm/kibana/dashboard/php_fpm-30d6d490-60c6-11ed-a227-676557292b43.json b/packages/php_fpm/kibana/dashboard/php_fpm-30d6d490-60c6-11ed-a227-676557292b43.json index 731a5d4a7f7..c82b13ff4b1 100644 --- a/packages/php_fpm/kibana/dashboard/php_fpm-30d6d490-60c6-11ed-a227-676557292b43.json +++ b/packages/php_fpm/kibana/dashboard/php_fpm-30d6d490-60c6-11ed-a227-676557292b43.json @@ -55,11 +55,6 @@ "id": "logs-*", "name": "indexpattern-datasource-layer-d9643729-e12e-4e3d-ba08-d48da266bbce", "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "b661bcca-b850-4cf2-bb56-3696825b0a62", - "type": "index-pattern" } ], "state": { @@ -136,29 +131,7 @@ } } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "b661bcca-b850-4cf2-bb56-3696825b0a62", - "key": "event.dataset", - "negate": false, - "params": { - "query": "php_fpm.process" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "php_fpm.process" - } - } - } - ], + "filters": [], "internalReferences": [], "query": { "language": "kuery", @@ -236,11 +209,6 @@ "id": "logs-*", "name": "indexpattern-datasource-layer-d9643729-e12e-4e3d-ba08-d48da266bbce", "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "a441ec79-5e7f-433b-89a0-6bcb9690488c", - "type": "index-pattern" } ], "state": { @@ -298,29 +266,7 @@ } } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "a441ec79-5e7f-433b-89a0-6bcb9690488c", - "key": "event.dataset", - "negate": false, - "params": { - "query": "php_fpm.process" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "php_fpm.process" - } - } - } - ], + "filters": [], "internalReferences": [], "query": { "language": "kuery", 
@@ -399,11 +345,6 @@ "id": "logs-*", "name": "indexpattern-datasource-layer-fbe2058d-ab9e-4a5b-9e37-9ef507abbe6b", "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "f683a750-2ee2-4078-aedd-b5d741d26b53", - "type": "index-pattern" } ], "state": { @@ -558,29 +499,7 @@ } } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "f683a750-2ee2-4078-aedd-b5d741d26b53", - "key": "event.dataset", - "negate": false, - "params": { - "query": "php_fpm.process" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "php_fpm.process" - } - } - } - ], + "filters": [], "internalReferences": [], "query": { "language": "kuery", @@ -663,14 +582,10 @@ "id": "logs-*", "name": "indexpattern-datasource-layer-a858b1f6-90ea-4557-9984-6c3b6e72304c", "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "d17167fb-efef-400b-8cc3-a6975c370492", - "type": "index-pattern" } ], "state": { + "adHocDataViews": {}, "datasourceStates": { "formBased": { "layers": { @@ -745,29 +660,8 @@ } } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "d17167fb-efef-400b-8cc3-a6975c370492", - "key": "event.dataset", - "negate": false, - "params": { - "query": "php_fpm.process" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "php_fpm.process" - } - } - } - ], + "filters": [], + "internalReferences": [], "query": { "language": "kuery", "query": "" @@ -881,7 +775,7 @@ "version": 1 }, "coreMigrationVersion": "8.7.1", - "created_at": "2023-07-31T10:19:14.386Z", + "created_at": "2024-04-23T13:31:10.032Z", "id": "php_fpm-30d6d490-60c6-11ed-a227-676557292b43", "migrationVersion": { "dashboard": "8.7.0" 
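Review bot: The export format of this dashboard is now inconsistent with the others in the same change: `@@ -881,7 +775,7 @@` bumps `created_at` to `2024-04-23T13:31:10.032Z` yet keeps `"coreMigrationVersion": "8.7.1"` and the legacy `"migrationVersion": {"dashboard": "8.7.0"}` block, while the mongodb and postgresql dashboards in this patch are re-exported with `"coreMigrationVersion": "8.8.0"`, `"managed": false` and `"typeMigrationVersion": "8.9.0"`. If the file was hand-edited rather than re-exported, leaving `created_at` untouched would be the honest choice; if it was re-exported, it looks like a different Kibana version was used and the other dashboards' format is the one to align with. The same applies to `php_fpm-6853a270-…` at `@@ -968,7 +790,7 @@`. A smaller style point: `@@ -663,14 +582,10 @@` adds `"adHocDataViews": {}` and `"internalReferences": []` to one panel only, whereas the earlier panels in `@@ -136,29 +131,7 @@` and `@@ -298,29 +266,7 @@` are left without `adHocDataViews`.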
@@ -897,31 +791,16 @@ "name": "1ed5459a-d03e-4a4b-872d-faff58d014de:indexpattern-datasource-layer-d9643729-e12e-4e3d-ba08-d48da266bbce", "type": "index-pattern" }, - { - "id": "logs-*", - "name": "1ed5459a-d03e-4a4b-872d-faff58d014de:b661bcca-b850-4cf2-bb56-3696825b0a62", - "type": "index-pattern" - }, { "id": "logs-*", "name": "c733e783-e914-4a17-85a8-cda612ef83e6:indexpattern-datasource-layer-d9643729-e12e-4e3d-ba08-d48da266bbce", "type": "index-pattern" }, - { - "id": "logs-*", - "name": "c733e783-e914-4a17-85a8-cda612ef83e6:a441ec79-5e7f-433b-89a0-6bcb9690488c", - "type": "index-pattern" - }, { "id": "logs-*", "name": "5c4d2a38-4913-43b6-a54a-a56cb1f9bb3d:indexpattern-datasource-layer-fbe2058d-ab9e-4a5b-9e37-9ef507abbe6b", "type": "index-pattern" }, - { - "id": "logs-*", - "name": "5c4d2a38-4913-43b6-a54a-a56cb1f9bb3d:f683a750-2ee2-4078-aedd-b5d741d26b53", - "type": "index-pattern" - }, { "id": "logs-*", "name": "b4772749-232c-49a2-b12e-d9b559e51b33:indexpattern-datasource-layer-1be79645-d0a1-479e-8374-cfe5f5957bcf", @@ -932,11 +811,6 @@ "name": "b4772749-232c-49a2-b12e-d9b559e51b33:indexpattern-datasource-layer-a858b1f6-90ea-4557-9984-6c3b6e72304c", "type": "index-pattern" }, - { - "id": "logs-*", - "name": "b4772749-232c-49a2-b12e-d9b559e51b33:d17167fb-efef-400b-8cc3-a6975c370492", - "type": "index-pattern" - }, { "id": "logs-*", "name": "controlGroup_bfd5cccd-6939-4445-8b50-c0773cf84b47:optionsListDataView", diff --git a/packages/php_fpm/kibana/dashboard/php_fpm-6853a270-5a92-11ed-8d56-a14fd29a60cb.json b/packages/php_fpm/kibana/dashboard/php_fpm-6853a270-5a92-11ed-8d56-a14fd29a60cb.json index f1f87d1ccb8..1481650b814 100755 --- a/packages/php_fpm/kibana/dashboard/php_fpm-6853a270-5a92-11ed-8d56-a14fd29a60cb.json +++ b/packages/php_fpm/kibana/dashboard/php_fpm-6853a270-5a92-11ed-8d56-a14fd29a60cb.json 
@@ -55,14 +55,10 @@ "id": "logs-*", "name": "indexpattern-datasource-layer-756303a8-9ea6-4075-b840-8c185f9f9591", "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "f6446d7d-d95d-45b4-b5d4-2bb3a808d295", - "type": "index-pattern" } ], "state": { + "adHocDataViews": {}, "datasourceStates": { "formBased": { "layers": { @@ -93,29 +89,8 @@ } } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "f6446d7d-d95d-45b4-b5d4-2bb3a808d295", - "key": "event.dataset", - "negate": false, - "params": { - "query": "php_fpm.pool" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "php_fpm.pool" - } - } - } - ], + "filters": [], + "internalReferences": [], "query": { "language": "kuery", "query": "" @@ -155,11 +130,6 @@ "id": "logs-*", "name": "indexpattern-datasource-layer-e774e25a-81ea-4ac1-a8c6-599a04351bf6", "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "f3142243-0fca-4613-a39f-c4cfeb0aa545", - "type": "index-pattern" } ], "state": { @@ -225,29 +195,7 @@ } } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "f3142243-0fca-4613-a39f-c4cfeb0aa545", - "key": "event.dataset", - "negate": false, - "params": { - "query": "php_fpm.pool" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "php_fpm.pool" - } - } - } - ], + "filters": [], "internalReferences": [], "query": { "language": "kuery", @@ -332,14 +280,10 @@ "id": "logs-*", "name": "indexpattern-datasource-layer-fe87988d-4f25-4383-9c4c-4c761c5deb59", "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "a630a7db-f13d-4ab1-bba6-f4b56f08fa06", - "type": "index-pattern" } ], "state": { + "adHocDataViews": {}, "datasourceStates": { "formBased": { "layers": { 
@@ -370,29 +314,8 @@ } } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "a630a7db-f13d-4ab1-bba6-f4b56f08fa06", - "key": "event.dataset", - "negate": false, - "params": { - "query": "php_fpm.pool" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "php_fpm.pool" - } - } - } - ], + "filters": [], + "internalReferences": [], "query": { "language": "kuery", "query": "" @@ -432,14 +355,10 @@ "id": "logs-*", "name": "indexpattern-datasource-layer-0a69272c-85a3-4b5e-84fe-29dfadbe7c65", "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "b3c62acd-3121-4505-bc63-9688217d682a", - "type": "index-pattern" } ], "state": { + "adHocDataViews": {}, "datasourceStates": { "formBased": { "layers": { @@ -484,29 +403,8 @@ } } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "b3c62acd-3121-4505-bc63-9688217d682a", - "key": "event.dataset", - "negate": false, - "params": { - "query": "php_fpm.pool" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "php_fpm.pool" - } - } - } - ], + "filters": [], + "internalReferences": [], "query": { "language": "kuery", "query": "" @@ -561,14 +459,10 @@ "id": "logs-*", "name": "indexpattern-datasource-layer-d8f066c1-27ff-4f57-9b69-391adcf87dff", "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "e6f08aa9-d38a-49f2-84a8-17a3ae909dab", - "type": "index-pattern" } ], "state": { + "adHocDataViews": {}, "datasourceStates": { "formBased": { "layers": { 
@@ -599,29 +493,8 @@ } } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "e6f08aa9-d38a-49f2-84a8-17a3ae909dab", - "key": "event.dataset", - "negate": false, - "params": { - "query": "php_fpm.pool" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "php_fpm.pool" - } - } - } - ], + "filters": [], + "internalReferences": [], "query": { "language": "kuery", "query": "" @@ -664,16 +537,12 @@ }, { "id": "logs-*", - "name": "ce4eb805-3966-405b-a07a-a5e26b8907ad", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "b1f6fe7f-5725-4945-972a-edbb68eadcca", + "name": "214b6f60-fcfa-4f03-b715-4478fd340089", "type": "index-pattern" } ], "state": { + "adHocDataViews": {}, "datasourceStates": { "formBased": { "layers": { @@ -742,28 +611,7 @@ "meta": { "alias": null, "disabled": false, - "index": "ce4eb805-3966-405b-a07a-a5e26b8907ad", - "key": "event.dataset", - "negate": false, - "params": { - "query": "php_fpm.pool" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "php_fpm.pool" - } - } - }, - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "b1f6fe7f-5725-4945-972a-edbb68eadcca", + "index": "214b6f60-fcfa-4f03-b715-4478fd340089", "key": "php_fpm.pool.connections.listen_queue.max_size", "negate": true, "params": { @@ -778,6 +626,7 @@ } } ], + "internalReferences": [], "query": { "language": "kuery", "query": "" @@ -820,11 +669,6 @@ "id": "logs-*", "name": "indexpattern-datasource-layer-85579a79-a389-4c79-87cb-4eecc709a0b5", "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "db327be1-4db2-4ca8-b3e1-18af61987bb4", - "type": "index-pattern" } ], "state": { 
@@ -873,29 +717,7 @@ } } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "db327be1-4db2-4ca8-b3e1-18af61987bb4", - "key": "event.dataset", - "negate": false, - "params": { - "query": "php_fpm.pool" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "php_fpm.pool" - } - } - } - ], + "filters": [], "internalReferences": [], "query": { "language": "kuery", @@ -968,7 +790,7 @@ "version": 1 }, "coreMigrationVersion": "8.7.1", - "created_at": "2023-07-31T10:19:31.197Z", + "created_at": "2024-04-23T13:32:51.601Z", "id": "php_fpm-6853a270-5a92-11ed-8d56-a14fd29a60cb", "migrationVersion": { "dashboard": "8.7.0" 
@@ -984,51 +806,26 @@ "name": "75192bad-0b67-4e3f-91d9-dde39f1e03a0:indexpattern-datasource-layer-756303a8-9ea6-4075-b840-8c185f9f9591", "type": "index-pattern" }, - { - "id": "logs-*", - "name": "75192bad-0b67-4e3f-91d9-dde39f1e03a0:f6446d7d-d95d-45b4-b5d4-2bb3a808d295", - "type": "index-pattern" - }, { "id": "logs-*", "name": "6ff5113c-e8b3-46e4-9934-84b83fb7d5b1:indexpattern-datasource-layer-e774e25a-81ea-4ac1-a8c6-599a04351bf6", "type": "index-pattern" }, - { - "id": "logs-*", - "name": "6ff5113c-e8b3-46e4-9934-84b83fb7d5b1:f3142243-0fca-4613-a39f-c4cfeb0aa545", - "type": "index-pattern" - }, { "id": "logs-*", "name": "68fff557-6358-4076-a81c-5468de202555:indexpattern-datasource-layer-fe87988d-4f25-4383-9c4c-4c761c5deb59", "type": "index-pattern" }, - { - "id": "logs-*", - "name": "68fff557-6358-4076-a81c-5468de202555:a630a7db-f13d-4ab1-bba6-f4b56f08fa06", - "type": "index-pattern" - }, { "id": "logs-*", "name": "eeabe160-e717-4614-8401-facdd31976cb:indexpattern-datasource-layer-0a69272c-85a3-4b5e-84fe-29dfadbe7c65", "type": "index-pattern" }, - { - "id": "logs-*", - "name": "eeabe160-e717-4614-8401-facdd31976cb:b3c62acd-3121-4505-bc63-9688217d682a", - "type": "index-pattern" - }, { "id": "logs-*", "name": "e7a0d428-1f42-41ee-b0cc-2444ce257fa9:indexpattern-datasource-layer-d8f066c1-27ff-4f57-9b69-391adcf87dff", "type": "index-pattern" }, - { - "id": "logs-*", - "name": "e7a0d428-1f42-41ee-b0cc-2444ce257fa9:e6f08aa9-d38a-49f2-84a8-17a3ae909dab", - "type": "index-pattern" - }, { "id": "logs-*", "name": "be4cc9f4-ba51-4e06-8be1-7493453de497:indexpattern-datasource-layer-366cbf5b-aad5-4b9c-bf7c-8b74c8e7f568", 
@@ -1036,12 +833,7 @@
     },
     {
       "id": "logs-*",
-      "name": "be4cc9f4-ba51-4e06-8be1-7493453de497:ce4eb805-3966-405b-a07a-a5e26b8907ad",
-      "type": "index-pattern"
-    },
-    {
-      "id": "logs-*",
-      "name": "be4cc9f4-ba51-4e06-8be1-7493453de497:b1f6fe7f-5725-4945-972a-edbb68eadcca",
+      "name": "be4cc9f4-ba51-4e06-8be1-7493453de497:214b6f60-fcfa-4f03-b715-4478fd340089",
       "type": "index-pattern"
     },
     {
@@ -1049,11 +841,6 @@
       "name": "75f8fe5c-c9ce-420e-a84d-6feb283addff:indexpattern-datasource-layer-85579a79-a389-4c79-87cb-4eecc709a0b5",
       "type": "index-pattern"
     },
-    {
-      "id": "logs-*",
-      "name": "75f8fe5c-c9ce-420e-a84d-6feb283addff:db327be1-4db2-4ca8-b3e1-18af61987bb4",
-      "type": "index-pattern"
-    },
     {
       "id": "logs-*",
       "name": "controlGroup_79c32b59-977a-4270-8f9b-4238a9e8846c:optionsListDataView",
diff --git a/packages/php_fpm/manifest.yml b/packages/php_fpm/manifest.yml
index d21e6eb5fe0..d9981946b7f 100644
--- a/packages/php_fpm/manifest.yml
+++ b/packages/php_fpm/manifest.yml
@@ -1,7 +1,7 @@
 format_version: "3.0.0"
 name: php_fpm
 title: PHP-FPM
-version: "1.2.1"
+version: "1.3.0"
 description: This Elastic integration collects metrics from PHP-FPM.
 type: integration
 categories:
diff --git a/packages/postgresql/changelog.yml b/packages/postgresql/changelog.yml
index 34f4c276d0c..af7200468cb 100644
--- a/packages/postgresql/changelog.yml
+++ b/packages/postgresql/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.21.0"
+  changes:
+    - description: Add global filter on data_stream.dataset to improve performance.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/10075
 - version: "1.20.0"
   changes:
     - description: Add alias field for database oid fields.
diff --git a/packages/postgresql/kibana/dashboard/postgresql-158be870-87f4-11e7-ad9c-db80de0bf8d3.json b/packages/postgresql/kibana/dashboard/postgresql-158be870-87f4-11e7-ad9c-db80de0bf8d3.json
index d5d2301f669..f0ce0dbe6c7 100644
--- a/packages/postgresql/kibana/dashboard/postgresql-158be870-87f4-11e7-ad9c-db80de0bf8d3.json +++ b/packages/postgresql/kibana/dashboard/postgresql-158be870-87f4-11e7-ad9c-db80de0bf8d3.json @@ -1,51 +1,46 @@ { "attributes": { "description": "Overview dashboard for the Logs PostgreSQL integration", - "hits": 0, "kibanaSavedObjectMeta": { "searchSourceJSON": { - "filter": [], - "highlightAll": true, + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "postgresql.log" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "postgresql.log" + } + } + } + ], "query": { "language": "kuery", "query": "" - }, - "version": true + } } }, "optionsJSON": { - "darkTheme": false + "hidePanelTitles": false, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false, + "useMargins": true }, "panelsJSON": [ - { - "embeddableConfig": { - "columns": [ - "user.name", - "postgresql.log.database", - "log.level", - "message", - "postgresql.log.query" - ], - "enhancements": {}, - "sort": [ - [ - "@timestamp", - "desc" - ] - ] - }, - "gridData": { - "h": 24, - "i": "2", - "w": 48, - "x": 0, - "y": 12 - }, - "panelIndex": "2", - "panelRefName": "panel_2", - "type": "search", - "version": "8.4.0" - }, { "embeddableConfig": { "attributes": { @@ -54,16 +49,12 @@ "id": "logs-*", "name": "indexpattern-datasource-layer-56d00c13-083c-43bd-92bc-f2c9db3aba73", "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "b4df6588-4061-424b-bfbd-b3016d9b28c0", - "type": "index-pattern" } ], "state": { + "adHocDataViews": {}, "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "56d00c13-083c-43bd-92bc-f2c9db3aba73": { "columnOrder": [ 
@@ -111,27 +102,8 @@ } } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "b4df6588-4061-424b-bfbd-b3016d9b28c0", - "key": "query", - "negate": false, - "type": "custom", - "value": "{\"prefix\":{\"data_stream.dataset\":\"postgresql.\"}}" - }, - "query": { - "prefix": { - "data_stream.dataset": "postgresql." - } - } - } - ], + "filters": [], + "internalReferences": [], "query": { "language": "kuery", "query": "" @@ -171,8 +143,7 @@ }, "panelIndex": "c034e8f8-acea-4868-8dfa-32ca601b79f0", "title": "Log Level Count [Logs PostgreSQL]", - "type": "lens", - "version": "8.4.0" + "type": "lens" }, { "embeddableConfig": { @@ -182,16 +153,12 @@ "id": "logs-*", "name": "indexpattern-datasource-layer-0a0ddf56-9927-432f-9a0e-fc8fde7fc337", "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "4d3aa5d3-a8eb-43c6-9596-8b667c478512", - "type": "index-pattern" } ], "state": { + "adHocDataViews": {}, "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "0a0ddf56-9927-432f-9a0e-fc8fde7fc337": { "columnOrder": [ @@ -253,27 +220,8 @@ } } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "4d3aa5d3-a8eb-43c6-9596-8b667c478512", - "key": "query", - "negate": false, - "type": "custom", - "value": "{\"prefix\":{\"data_stream.dataset\":\"postgresql.\"}}" - }, - "query": { - "prefix": { - "data_stream.dataset": "postgresql." - } - } - } - ], + "filters": [], + "internalReferences": [], "query": { "language": "kuery", "query": "" 
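Review bot: The data scope of the two Lens panels changes here, not only their performance: the filters removed in `@@ -111,27 +102,8 @@` and `@@ -253,27 +220,8 @@` were custom `prefix` queries on `data_stream.dataset` = `postgresql.`, matching every `postgresql.*` stream, whereas the dashboard-level filter added in `@@ -1,51 +1,46 @@` is an exact `phrase` on `postgresql.log`. For a logs dashboard the tighter match is presumably the intent, but "Log Level Count" and "Logs by level over time" will now silently exclude any other postgresql dataset they previously counted, and the changelog entry only mentions performance; a short note such as `Panels are now scoped to postgresql.log only` would make the behaviour change visible to package users. One trade-off worth documenting in the dashboard description: the new filter is a dashboard app-state pill (`"$state": {"store": "appState"}`, `"disabled": false`), so as far as I can tell a viewer can disable or negate it from the UI, after which every panel queries the whole `logs-*` pattern, while the old per-panel filters were not exposed that way. On the plus side, the removed filters carried the query double-encoded as a JSON string in `"value"`, which the new phrase filter avoids.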
@@ -328,24 +276,85 @@ }, "panelIndex": "5f78fd57-0821-4c47-a189-0ae518301385", "title": "Logs by level over time [Logs PostgreSQL]", - "type": "lens", - "version": "8.4.0" + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "columns": [ + "user.name", + "postgresql.log.database", + "log.level", + "message", + "postgresql.log.query" + ], + "grid": {}, + "hideChart": false, + "isTextBasedQuery": false, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"highlightAll\":true,\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"version\":true,\"filter\":[{\"meta\":{\"disabled\":false,\"negate\":false,\"alias\":null,\"key\":\"data_stream.dataset\",\"field\":\"data_stream.dataset\",\"params\":{\"query\":\"postgresql.log\"},\"type\":\"phrase\",\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"postgresql.log\"}},\"$state\":{\"store\":\"appState\"}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "timeRestore": false, + "usesAdHocDataView": false + }, + "columns": [ + "user.name", + "postgresql.log.database", + "log.level", + "message", + "postgresql.log.query" + ], + "enhancements": {}, + "sort": [ + [ + "@timestamp", + "desc" + ] + ] + }, + "gridData": { + "h": 24, + "i": "6c7adb3d-43c8-4e58-b73b-6aa6112f2ae7", + "w": 48, + "x": 0, + "y": 12 + }, + "panelIndex": "6c7adb3d-43c8-4e58-b73b-6aa6112f2ae7", + "title": "All Logs [Logs PostgreSQL]", + "type": "search" } ], "timeRestore": false, "title": "[Logs PostgreSQL] Overview", "version": 1 }, - "coreMigrationVersion": "8.4.0", + "coreMigrationVersion": "8.8.0", + "created_at": 
"2024-04-18T11:46:22.672Z", "id": "postgresql-158be870-87f4-11e7-ad9c-db80de0bf8d3", - "migrationVersion": { - "dashboard": "8.4.0" - }, + "managed": false, "references": [ { - "id": "postgresql-PostgreSQL All Logs", - "name": "2:panel_2", - "type": "search" + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" }, { "id": "logs-*", @@ -354,19 +363,20 @@ }, { "id": "logs-*", - "name": "c034e8f8-acea-4868-8dfa-32ca601b79f0:b4df6588-4061-424b-bfbd-b3016d9b28c0", + "name": "5f78fd57-0821-4c47-a189-0ae518301385:indexpattern-datasource-layer-0a0ddf56-9927-432f-9a0e-fc8fde7fc337", "type": "index-pattern" }, { "id": "logs-*", - "name": "5f78fd57-0821-4c47-a189-0ae518301385:indexpattern-datasource-layer-0a0ddf56-9927-432f-9a0e-fc8fde7fc337", + "name": "6c7adb3d-43c8-4e58-b73b-6aa6112f2ae7:kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern" }, { "id": "logs-*", - "name": "5f78fd57-0821-4c47-a189-0ae518301385:4d3aa5d3-a8eb-43c6-9596-8b667c478512", + "name": "6c7adb3d-43c8-4e58-b73b-6aa6112f2ae7:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern" } ], - "type": "dashboard" + "type": "dashboard", + "typeMigrationVersion": "8.9.0" } \ No newline at end of file diff --git a/packages/postgresql/kibana/dashboard/postgresql-4288b790-b79f-11e9-a579-f5c0a5d81340.json b/packages/postgresql/kibana/dashboard/postgresql-4288b790-b79f-11e9-a579-f5c0a5d81340.json index 80d702c2131..d57340c9cd3 100644 --- a/packages/postgresql/kibana/dashboard/postgresql-4288b790-b79f-11e9-a579-f5c0a5d81340.json +++ b/packages/postgresql/kibana/dashboard/postgresql-4288b790-b79f-11e9-a579-f5c0a5d81340.json 
@@ -7,10 +7,45 @@ "panelsJSON": "{\"d2a5e399-93b3-4ced-a336-e999ad221e6f\":{\"order\":0,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"postgresql.database.name\",\"title\":\"database\",\"id\":\"d2a5e399-93b3-4ced-a336-e999ad221e6f\",\"enhancements\":{},\"singleSelect\":true}}}" }, "description": "This PostgreSQL dashboard shows the most important database related metrics.\n\n", - "hits": 0, "kibanaSavedObjectMeta": { "searchSourceJSON": { - "filter": [], + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "data_stream.dataset", + "negate": false, + "params": [ + "postgresql.statement", + "postgresql.database" + ], + "type": "phrases" + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "data_stream.dataset": "postgresql.statement" + } + }, + { + "match_phrase": { + "data_stream.dataset": "postgresql.database" + } + } + ] + } + } + } + ], "query": { "language": "kuery", "query": "" @@ -19,6 +54,9 @@ }, "optionsJSON": { "hidePanelTitles": false, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false, "useMargins": true }, "panelsJSON": [ @@ -39,7 +77,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "93edde3a-a2da-40f4-a5c0-a34a92abaf5b": { "columnOrder": [ @@ -332,8 +370,7 @@ }, "panelIndex": "1d27d4d7-848f-47f4-ad14-eb9f405a211e", "title": "Rows Fetched/Returned", - "type": "lens", - "version": "8.4.0" + "type": "lens" }, { "embeddableConfig": { @@ -352,7 +389,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "71df4bff-eebd-4bf0-b4a2-a2485040428a": { "columnOrder": [ 
@@ -640,8 +677,7 @@ }, "panelIndex": "e1803fba-44aa-4862-a9e0-d9450e6886e5", "title": "Database Transactions", - "type": "lens", - "version": "8.4.0" + "type": "lens" }, { "embeddableConfig": { @@ -655,7 +691,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "c9dcb8d5-0efe-4aed-b51c-83d911c9d795": { "columnOrder": [ @@ -852,8 +888,7 @@ }, "panelIndex": "5e7c5e3f-c2da-47b6-a79e-a67948349c91", "title": "Query Latency", - "type": "lens", - "version": "8.4.0" + "type": "lens" }, { "embeddableConfig": { @@ -867,7 +902,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "8cdf46c4-bf70-45f9-89eb-e2a562d34461": { "columnOrder": [ @@ -981,8 +1016,7 @@ }, "panelIndex": "f4b4ccb4-a4e6-4e75-a417-b311b2af855f", "title": "Top Queries", - "type": "lens", - "version": "8.4.0" + "type": "lens" }, { "embeddableConfig": { @@ -1001,7 +1035,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "1e79b213-1c4a-4d91-876c-3fd75b87bfa5": { "columnOrder": [ @@ -1303,8 +1337,7 @@ }, "panelIndex": "56209792-d332-4dfd-8dcd-0e3fb9814058", "title": "Fileblock IO", - "type": "lens", - "version": "8.4.0" + "type": "lens" }, { "embeddableConfig": { @@ -1328,7 +1361,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "2e76f238-e6d7-4213-a3a0-010a68d93b46": { "columnOrder": [ @@ -1757,8 +1790,7 @@ }, "panelIndex": "dd707783-a6fd-4b66-b21e-bffe0f19dba5", "title": "Rows Inserted/Deleted/Updated", - "type": "lens", - "version": "8.4.0" + "type": "lens" }, { "embeddableConfig": { @@ -1777,7 +1809,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "89644068-c063-4787-8de1-717c81a738b1": { "columnOrder": [ @@ -2065,8 +2097,7 @@ }, "panelIndex": "bc78b0ad-f561-4edf-b4ac-a578ffdc015b", "title": "Conflict/Deadlock Rates", - "type": "lens", - "version": "8.4.0" + "type": "lens" }, { "embeddableConfig": { 
@@ -2085,7 +2116,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "49ad78cb-a264-46fc-a7c3-5f189a936ca9": { "columnOrder": [ @@ -2319,8 +2350,7 @@ }, "panelIndex": "8642c711-b86e-4dc8-95b9-69a1b446dc69", "title": "Local block cache stats", - "type": "lens", - "version": "8.4.0" + "type": "lens" }, { "embeddableConfig": { @@ -2339,7 +2369,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "4a939433-049b-4744-8995-a8c51ee9bb4f": { "columnOrder": [ @@ -2627,20 +2657,23 @@ }, "panelIndex": "f6a4fdcb-a12d-412a-afca-a77bba5290ba", "title": "Shared block cache stats", - "type": "lens", - "version": "8.4.0" + "type": "lens" } ], "timeRestore": false, "title": "[Metrics PostgreSQL] Database Overview", "version": 1 }, - "coreMigrationVersion": "8.4.0", + "coreMigrationVersion": "8.8.0", + "created_at": "2024-04-18T11:52:41.568Z", "id": "postgresql-4288b790-b79f-11e9-a579-f5c0a5d81340", - "migrationVersion": { - "dashboard": "8.4.0" - }, + "managed": false, "references": [ + { + "id": "metrics-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, { "id": "metrics-*", "name": "1d27d4d7-848f-47f4-ad14-eb9f405a211e:indexpattern-datasource-layer-a27d1308-8e06-485d-97da-5e1f6a41c589", @@ -2732,5 +2765,6 @@ "type": "index-pattern" } ], - "type": "dashboard" + "type": "dashboard", + "typeMigrationVersion": "8.9.0" } \ No newline at end of file diff --git a/packages/postgresql/kibana/dashboard/postgresql-e4c5f230-87f3-11e7-ad9c-db80de0bf8d3.json b/packages/postgresql/kibana/dashboard/postgresql-e4c5f230-87f3-11e7-ad9c-db80de0bf8d3.json index 8eeac064f5d..7b89730d166 100644 --- a/packages/postgresql/kibana/dashboard/postgresql-e4c5f230-87f3-11e7-ad9c-db80de0bf8d3.json +++ b/packages/postgresql/kibana/dashboard/postgresql-e4c5f230-87f3-11e7-ad9c-db80de0bf8d3.json 
@@ -1,78 +1,46 @@ { "attributes": { "description": "Dashboard for analyzing the query durations of the Logs PostgreSQL integration", - "hits": 0, "kibanaSavedObjectMeta": { "searchSourceJSON": { - "filter": [], - "highlightAll": true, + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "postgresql.log" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "postgresql.log" + } + } + } + ], "query": { "language": "kuery", "query": "postgresql.log.query:*" - }, - "version": true + } } }, "optionsJSON": { - "darkTheme": false + "hidePanelTitles": false, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false, + "useMargins": true }, "panelsJSON": [ - { - "embeddableConfig": { - "columns": [ - "user.name", - "postgresql.log.database", - "event.duration", - "postgresql.log.query" - ], - "enhancements": {}, - "sort": [ - [ - "@timestamp", - "desc" - ] - ] - }, - "gridData": { - "h": 12, - "i": "2", - "w": 24, - "x": 24, - "y": 0 - }, - "panelIndex": "2", - "panelRefName": "panel_2", - "type": "search", - "version": "8.4.0" - }, - { - "embeddableConfig": { - "columns": [ - "user.name", - "postgresql.log.database", - "event.duration", - "postgresql.log.query" - ], - "enhancements": {}, - "sort": [ - [ - "@timestamp", - "desc" - ] - ] - }, - "gridData": { - "h": 20, - "i": "3", - "w": 48, - "x": 0, - "y": 12 - }, - "panelIndex": "3", - "panelRefName": "panel_3", - "type": "search", - "version": "8.4.0" - }, { "embeddableConfig": { "attributes": { @@ -85,7 +53,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "8bd997c5-e539-4bf3-a16f-4dd771d2447c": { "columnOrder": [ 
@@ -199,35 +167,171 @@ }, "panelIndex": "16408b1a-8238-46ca-aa8e-67656147812b", "title": "Query count and cumulated duration [Logs PostgreSQL]", - "type": "lens", - "version": "8.4.0" + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "columns": [ + "user.name", + "postgresql.log.database", + "event.duration", + "postgresql.log.query" + ], + "grid": {}, + "hideChart": false, + "isTextBasedQuery": false, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"event.duration\u003e30000000\"},\"version\":true,\"filter\":[{\"meta\":{\"disabled\":false,\"negate\":false,\"alias\":null,\"key\":\"data_stream.dataset\",\"field\":\"data_stream.dataset\",\"params\":{\"query\":\"postgresql.log\"},\"type\":\"phrase\",\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"postgresql.log\"}},\"$state\":{\"store\":\"appState\"}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "timeRestore": false, + "usesAdHocDataView": false + }, + "columns": [ + "user.name", + "postgresql.log.database", + "event.duration", + "postgresql.log.query" + ], + "enhancements": {}, + "sort": [ + [ + "@timestamp", + "desc" + ] + ] + }, + "gridData": { + "h": 12, + "i": "85caafb8-2fff-47a4-8c74-d062aaa8b89a", + "w": 24, + "x": 24, + "y": 0 + }, + "panelIndex": "85caafb8-2fff-47a4-8c74-d062aaa8b89a", + "title": "Slow Queries [Logs PostgreSQL]", + "type": "search" + }, + { + "embeddableConfig": { + "attributes": { + "columns": [ + "user.name", + "postgresql.log.database", + "event.duration", + 
"postgresql.log.query" + ], + "grid": {}, + "hideChart": false, + "isTextBasedQuery": false, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"event.duration:*\"},\"version\":true,\"filter\":[{\"meta\":{\"disabled\":false,\"negate\":false,\"alias\":null,\"key\":\"data_stream.dataset\",\"field\":\"data_stream.dataset\",\"params\":{\"query\":\"postgresql.log\"},\"type\":\"phrase\",\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"postgresql.log\"}},\"$state\":{\"store\":\"appState\"}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "timeRestore": false, + "usesAdHocDataView": false + }, + "columns": [ + "user.name", + "postgresql.log.database", + "event.duration", + "postgresql.log.query" + ], + "enhancements": {}, + "sort": [ + [ + "@timestamp", + "desc" + ] + ] + }, + "gridData": { + "h": 20, + "i": "9878feba-034c-4cc0-8a7b-5425ebd69c87", + "w": 48, + "x": 0, + "y": 12 + }, + "panelIndex": "9878feba-034c-4cc0-8a7b-5425ebd69c87", + "title": "Query Durations [Logs PostgreSQL]", + "type": "search" } ], "timeRestore": false, "title": "[Logs PostgreSQL] Query Duration Overview", "version": 1 }, - "coreMigrationVersion": "8.4.0", + "coreMigrationVersion": "8.8.0", + "created_at": "2024-04-18T11:58:47.110Z", "id": "postgresql-e4c5f230-87f3-11e7-ad9c-db80de0bf8d3", - "migrationVersion": { - "dashboard": "8.4.0" - }, + "managed": false, "references": [ { - "id": "postgresql-Slow PostgreSQL Queries", - "name": "2:panel_2", - "type": "search" + "id": "logs-*", + "name": 
"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" }, { - "id": "postgresql-PostgreSQL Query Durations", - "name": "3:panel_3", - "type": "search" + "id": "logs-*", + "name": "16408b1a-8238-46ca-aa8e-67656147812b:indexpattern-datasource-layer-8bd997c5-e539-4bf3-a16f-4dd771d2447c", + "type": "index-pattern" }, { "id": "logs-*", - "name": "16408b1a-8238-46ca-aa8e-67656147812b:indexpattern-datasource-layer-8bd997c5-e539-4bf3-a16f-4dd771d2447c", + "name": "85caafb8-2fff-47a4-8c74-d062aaa8b89a:kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "85caafb8-2fff-47a4-8c74-d062aaa8b89a:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "9878feba-034c-4cc0-8a7b-5425ebd69c87:kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "9878feba-034c-4cc0-8a7b-5425ebd69c87:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern" } ], - "type": "dashboard" + "type": "dashboard", + "typeMigrationVersion": "8.9.0" } \ No newline at end of file diff --git a/packages/postgresql/kibana/search/postgresql-PostgreSQL All Logs.json b/packages/postgresql/kibana/search/postgresql-PostgreSQL All Logs.json deleted file mode 100644 index 2aba04f7fb2..00000000000 --- a/packages/postgresql/kibana/search/postgresql-PostgreSQL All Logs.json +++ /dev/null 
@@ -1,71 +0,0 @@ -{ - "attributes": { - "columns": [ - "user.name", - "postgresql.log.database", - "log.level", - "message", - "postgresql.log.query" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "query", - "negate": false, - "type": "custom", - "value": "{\"prefix\":{\"data_stream.dataset\":\"postgresql.\"}}" - }, - "query": { - "prefix": { - "data_stream.dataset": "postgresql." - } - } - } - ], - "highlightAll": true, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", - "query": { - "language": "kuery", - "query": "" - }, - "version": true - } - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "All Logs [Logs PostgreSQL]", - "version": 1 - }, - "coreMigrationVersion": "8.4.0", - "id": "postgresql-PostgreSQL All Logs", - "migrationVersion": { - "search": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/postgresql/kibana/search/postgresql-PostgreSQL Query Durations.json b/packages/postgresql/kibana/search/postgresql-PostgreSQL Query Durations.json deleted file mode 100644 index 5187dbcd1e1..00000000000 --- a/packages/postgresql/kibana/search/postgresql-PostgreSQL Query Durations.json +++ /dev/null 
@@ -1,45 +0,0 @@ -{ - "attributes": { - "columns": [ - "user.name", - "postgresql.log.database", - "event.duration", - "postgresql.log.query" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [], - "highlightAll": true, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", - "query": { - "language": "kuery", - "query": "event.duration:*" - }, - "version": true - } - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "Query Durations [Logs PostgreSQL]", - "version": 1 - }, - "coreMigrationVersion": "8.4.0", - "id": "postgresql-PostgreSQL Query Durations", - "migrationVersion": { - "search": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/postgresql/kibana/search/postgresql-Slow PostgreSQL Queries.json b/packages/postgresql/kibana/search/postgresql-Slow PostgreSQL Queries.json deleted file mode 100644 index 8e323571ab8..00000000000 --- a/packages/postgresql/kibana/search/postgresql-Slow PostgreSQL Queries.json +++ /dev/null 
@@ -1,45 +0,0 @@ -{ - "attributes": { - "columns": [ - "user.name", - "postgresql.log.database", - "event.duration", - "postgresql.log.query" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [], - "highlightAll": true, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", - "query": { - "language": "kuery", - "query": "event.duration\u003e30000000" - }, - "version": true - } - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "Slow Queries [Logs PostgreSQL]", - "version": 1 - }, - "coreMigrationVersion": "8.4.0", - "id": "postgresql-Slow PostgreSQL Queries", - "migrationVersion": { - "search": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/postgresql/manifest.yml b/packages/postgresql/manifest.yml index 3187cddd683..b1da2fd738a 100644 --- a/packages/postgresql/manifest.yml +++ b/packages/postgresql/manifest.yml @@ -1,7 +1,7 @@ format_version: "3.0.2" name: postgresql title: PostgreSQL -version: "1.20.0" +version: "1.21.0" description: Collect logs and metrics from PostgreSQL servers with Elastic Agent. type: integration categories: diff --git a/packages/postgresql/validation.yml b/packages/postgresql/validation.yml deleted file mode 100644 index b30742aaa63..00000000000 --- a/packages/postgresql/validation.yml +++ /dev/null @@ -1,5 +0,0 @@ -errors: - exclude_checks: - - SVR00001 - - SVR00002 - - SVR00004 diff --git a/packages/rabbitmq/changelog.yml b/packages/rabbitmq/changelog.yml index 691a1388cd4..08f56fccb39 100644 --- a/packages/rabbitmq/changelog.yml +++ b/packages/rabbitmq/changelog.yml 
@@ -1,3 +1,8 @@
+- version: "1.14.0"
+ changes:
+ - description: Add global filter on data_stream.dataset to improve performance.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/10075
 - version: 1.13.0
 changes:
 - description: Enable secrets for sensitive fields. For more details, refer https://www.elastic.co/guide/en/fleet/current/agent-policy.html#agent-policy-secret-values
diff --git a/packages/rabbitmq/kibana/dashboard/rabbitmq-AV4YobKIge1VCbKU_qVo.json b/packages/rabbitmq/kibana/dashboard/rabbitmq-AV4YobKIge1VCbKU_qVo.json
index 24df30dfc9b..6ec64444c6e 100644
--- a/packages/rabbitmq/kibana/dashboard/rabbitmq-AV4YobKIge1VCbKU_qVo.json
+++ b/packages/rabbitmq/kibana/dashboard/rabbitmq-AV4YobKIge1VCbKU_qVo.json
@@ -1,31 +1,75 @@ { "attributes": { "description": "Overview of RabbitMQ status", - "hits": 0, "kibanaSavedObjectMeta": { "searchSourceJSON": { - "filter": [], - "highlightAll": true, + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "data_stream.dataset", + "negate": false, + "params": [ + "rabbitmq.connection", + "rabbitmq.exchange", + "rabbitmq.node", + "rabbitmq.queue" + ], + "type": "phrases" + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "data_stream.dataset": "rabbitmq.connection" + } + }, + { + "match_phrase": { + "data_stream.dataset": "rabbitmq.exchange" + } + }, + { + "match_phrase": { + "data_stream.dataset": "rabbitmq.node" + } + }, + { + "match_phrase": { + "data_stream.dataset": "rabbitmq.queue" + } + } + ] + } + } + } + ], "query": { "language": "kuery", "query": "" - }, - "version": true + } } }, "optionsJSON": { - "darkTheme": false + "hidePanelTitles": false, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false, + "useMargins": true }, "panelsJSON": [ { "embeddableConfig": { "attributes": { "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, { "id": "metrics-*", "name": "indexpattern-datasource-layer-b8d5be18-c592-43d3-8334-a190b4c492de", @@ -33,8 +77,9 @@ } ], "state": { + "adHocDataViews": {}, "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "b8d5be18-c592-43d3-8334-a190b4c492de": { "columnOrder": [ @@ -77,6 +122,7 @@ "label": "@timestamp", "operationType": "date_histogram", "params": { + "includeEmptyRows": true, "interval": "30s" }, "scale": "interval", 
@@ -89,9 +135,10 @@ } }, "filters": [], + "internalReferences": [], "query": { "language": "kuery", - "query": "(data_stream.dataset:rabbitmq.connection OR data_stream.dataset:rabbitmq.exchange OR data_stream.dataset:rabbitmq.node OR data_stream.dataset:rabbitmq.queue)" + "query": "" }, "visualization": { "fittingFunction": "Linear", @@ -122,6 +169,7 @@ ], "legend": { "isVisible": true, + "legendSize": "auto", "position": "top", "showSingleSeries": true }, @@ -151,18 +199,12 @@ }, "panelIndex": "b13d9cb9-a871-4c03-be12-167816b62bc3", "title": "Memory Usage [Metrics RabbitMQ]", - "type": "lens", - "version": "8.0.0" + "type": "lens" }, { "embeddableConfig": { "attributes": { "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, { "id": "metrics-*", "name": "indexpattern-datasource-layer-d3eb48e3-617c-4ed1-b74c-71152d8605e0", @@ -170,8 +212,9 @@ } ], "state": { + "adHocDataViews": {}, "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "d3eb48e3-617c-4ed1-b74c-71152d8605e0": { "columnOrder": [ @@ -194,19 +237,23 @@ } }, "filters": [], + "internalReferences": [], "query": { "language": "kuery", - "query": "(data_stream.dataset:rabbitmq.connection OR data_stream.dataset:rabbitmq.exchange OR data_stream.dataset:rabbitmq.node OR data_stream.dataset:rabbitmq.queue)" + "query": "" }, "visualization": { "accessor": "dfd7c051-aea6-4e36-81eb-8750d4829c78", "layerId": "d3eb48e3-617c-4ed1-b74c-71152d8605e0", - "layerType": "data" + "layerType": "data", + "size": "xl", + "textAlign": "center", + "titlePosition": "bottom" } }, "title": "", "type": "lens", - "visualizationType": "lnsMetric" + "visualizationType": "lnsLegacyMetric" }, "enhancements": {} }, 
@@ -219,18 +266,12 @@ }, "panelIndex": "57f3b2bb-89e3-4b8b-8c60-b83f8141fe4b", "title": "Number of Nodes [Metrics RabbitMQ]", - "type": "lens", - "version": "8.0.0" + "type": "lens" }, { "embeddableConfig": { "attributes": { "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, { "id": "metrics-*", "name": "indexpattern-datasource-layer-a81422c0-c892-48b0-957f-cf0846da93cc", @@ -238,8 +279,9 @@ } ], "state": { + "adHocDataViews": {}, "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "a81422c0-c892-48b0-957f-cf0846da93cc": { "columnOrder": [ @@ -254,6 +296,7 @@ "label": "@timestamp", "operationType": "date_histogram", "params": { + "includeEmptyRows": true, "interval": "30s" }, "scale": "interval", @@ -294,9 +337,10 @@ } }, "filters": [], + "internalReferences": [], "query": { "language": "kuery", - "query": "(data_stream.dataset:rabbitmq.connection OR data_stream.dataset:rabbitmq.exchange OR data_stream.dataset:rabbitmq.node OR data_stream.dataset:rabbitmq.queue)" + "query": "" }, "visualization": { "fittingFunction": "Linear", @@ -327,6 +371,7 @@ ], "legend": { "isVisible": true, + "legendSize": "auto", "position": "top", "showSingleSeries": true }, @@ -356,18 +401,12 @@ }, "panelIndex": "878c5f3b-dbd2-4b42-9d83-235a436765e3", "title": "Erlang Process Usage [Metrics RabbitMQ]", - "type": "lens", - "version": "8.0.0" + "type": "lens" }, { "embeddableConfig": { "attributes": { "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, { "id": "metrics-*", "name": "indexpattern-datasource-layer-37fa6aec-3586-4997-afcc-4252c61e20a4", @@ -375,8 +414,9 @@ } ], "state": { + "adHocDataViews": {}, "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "37fa6aec-3586-4997-afcc-4252c61e20a4": { "columnOrder": [ 
@@ -410,6 +450,7 @@ "label": "@timestamp", "operationType": "date_histogram", "params": { + "includeEmptyRows": true, "interval": "30s" }, "scale": "interval", @@ -431,9 +472,10 @@ } }, "filters": [], + "internalReferences": [], "query": { "language": "kuery", - "query": "(data_stream.dataset:rabbitmq.connection OR data_stream.dataset:rabbitmq.exchange OR data_stream.dataset:rabbitmq.node OR data_stream.dataset:rabbitmq.queue)" + "query": "" }, "visualization": { "fittingFunction": "Linear", @@ -476,6 +518,7 @@ ], "legend": { "isVisible": true, + "legendSize": "auto", "position": "top", "showSingleSeries": true }, @@ -506,23 +549,21 @@ }, "panelIndex": "429e86d2-512c-4893-8f77-ee7768daa0b0", "title": "Queue Index Operations [Metrics RabbitMQ]", - "type": "lens", - "version": "8.0.0" + "type": "lens" } ], "timeRestore": false, "title": "[Metrics RabbitMQ] Overview", "version": 1 }, - "coreMigrationVersion": "8.0.0", + "coreMigrationVersion": "8.8.0", + "created_at": "2024-04-19T05:22:06.967Z", "id": "rabbitmq-AV4YobKIge1VCbKU_qVo", - "migrationVersion": { - "dashboard": "8.0.0" - }, + "managed": false, "references": [ { "id": "metrics-*", - "name": "b13d9cb9-a871-4c03-be12-167816b62bc3:indexpattern-datasource-current-indexpattern", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern" }, { 
@@ -530,36 +571,22 @@ "name": "b13d9cb9-a871-4c03-be12-167816b62bc3:indexpattern-datasource-layer-b8d5be18-c592-43d3-8334-a190b4c492de", "type": "index-pattern" }, - { - "id": "metrics-*", - "name": "57f3b2bb-89e3-4b8b-8c60-b83f8141fe4b:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, { "id": "metrics-*", "name": "57f3b2bb-89e3-4b8b-8c60-b83f8141fe4b:indexpattern-datasource-layer-d3eb48e3-617c-4ed1-b74c-71152d8605e0", "type": "index-pattern" }, - { - "id": "metrics-*", - "name": "878c5f3b-dbd2-4b42-9d83-235a436765e3:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, { "id": "metrics-*", "name": "878c5f3b-dbd2-4b42-9d83-235a436765e3:indexpattern-datasource-layer-a81422c0-c892-48b0-957f-cf0846da93cc", "type": "index-pattern" }, - { - "id": "metrics-*", - "name": "429e86d2-512c-4893-8f77-ee7768daa0b0:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, { "id": "metrics-*", "name": "429e86d2-512c-4893-8f77-ee7768daa0b0:indexpattern-datasource-layer-37fa6aec-3586-4997-afcc-4252c61e20a4", "type": "index-pattern" } ], - "type": "dashboard" + "type": "dashboard", + "typeMigrationVersion": "8.9.0" } \ No newline at end of file diff --git a/packages/rabbitmq/manifest.yml b/packages/rabbitmq/manifest.yml index cdce65aa859..31b63eca77e 100644 --- a/packages/rabbitmq/manifest.yml +++ b/packages/rabbitmq/manifest.yml @@ -1,7 +1,7 @@ format_version: "3.0.2" name: rabbitmq title: RabbitMQ Logs and Metrics -version: "1.13.0" +version: "1.14.0" description: Collect and parse logs from RabbitMQ servers with Elastic Agent. type: integration categories: diff --git a/packages/rabbitmq/validation.yml b/packages/rabbitmq/validation.yml deleted file mode 100644 index bcc8f74ac3a..00000000000 --- a/packages/rabbitmq/validation.yml +++ /dev/null @@ -1,3 +0,0 @@ -errors: - exclude_checks: - - SVR00002 diff --git a/packages/redis/changelog.yml b/packages/redis/changelog.yml index 023c4884b41..6a7d135a5c1 100644 
--- a/packages/redis/changelog.yml +++ b/packages/redis/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.16.0" + changes: + - description: Add global filter on data_stream.dataset to improve performance. + type: enhancement + link: https://github.com/elastic/integrations/pull/10075 - version: "1.15.0" changes: - description: Add AUTH (username) and SSL/TLS support. diff --git a/packages/redis/kibana/dashboard/redis-28969190-0511-11e9-9c60-d582a238e2c5.json b/packages/redis/kibana/dashboard/redis-28969190-0511-11e9-9c60-d582a238e2c5.json index 22ce123c4c9..5f4de5f162f 100644 --- a/packages/redis/kibana/dashboard/redis-28969190-0511-11e9-9c60-d582a238e2c5.json +++ b/packages/redis/kibana/dashboard/redis-28969190-0511-11e9-9c60-d582a238e2c5.json @@ -1,24 +1,12 @@ { - "id": "redis-28969190-0511-11e9-9c60-d582a238e2c5", - "type": "dashboard", - "namespaces": [ - "default" - ], - "migrationVersion": { - "dashboard": "8.9.0" - }, - "updated_at": "2024-01-22T13:24:55.598Z", - "created_at": "2024-01-22T13:24:55.598Z", - "version": "WzEwNywxXQ==", "attributes": { "controlGroupInput": { - "controlStyle": "oneLine", "chainingSystem": "HIERARCHICAL", + "controlStyle": "oneLine", "ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}", "panelsJSON": "{\"88495d21-6261-4c60-8de6-e9aa688b2085\":{\"order\":0,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"title\":\"Keyspace\",\"fieldName\":\"redis.keyspace.id\",\"id\":\"88495d21-6261-4c60-8de6-e9aa688b2085\",\"selectedOptions\":[\"db0\",\"db1\"],\"enhancements\":{}}}}" }, "description": "Redis keys metrics", - "hits": 0, "kibanaSavedObjectMeta": { "searchSourceJSON": { "filter": [ 
@@ -55,6 +43,41 @@ ] } } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "key": "data_stream.dataset", + "negate": false, + "params": [ + "redis.key", + "redis.keyspace" + ], + "type": "phrases" + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "data_stream.dataset": "redis.key" + } + }, + { + "match_phrase": { + "data_stream.dataset": "redis.keyspace" + } + } + ] + } + } } ], "query": { @@ -64,22 +87,14 @@ } }, "optionsJSON": { - "darkTheme": false, "hidePanelTitles": false, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false, "useMargins": true }, "panelsJSON": [ { - "version": "8.9.0", - "type": "lens", - "gridData": { - "h": 15, - "i": "79fa7446-f3ce-466c-a4b5-bd4fde483e5d", - "w": 12, - "x": 0, - "y": 0 - }, - "panelIndex": "79fa7446-f3ce-466c-a4b5-bd4fde483e5d", "embeddableConfig": { "attributes": { "references": [ @@ -211,22 +226,20 @@ "visualizationType": "lnsXY" }, "enhancements": {}, - "hidePanelTitles": false, - "type": "lens" + "hidePanelTitles": false }, - "title": "Keys by type" - }, - { - "version": "8.9.0", - "type": "lens", "gridData": { "h": 15, - "i": "3199303d-19cf-430f-ab40-ac73f0ec9ea2", - "w": 36, - "x": 12, + "i": "79fa7446-f3ce-466c-a4b5-bd4fde483e5d", + "w": 12, + "x": 0, "y": 0 }, - "panelIndex": "3199303d-19cf-430f-ab40-ac73f0ec9ea2", + "panelIndex": "79fa7446-f3ce-466c-a4b5-bd4fde483e5d", + "title": "Keys by type", + "type": "lens" + }, + { "embeddableConfig": { "attributes": { "references": [ 
@@ -391,22 +404,20 @@ "visualizationType": "lnsXY" }, "enhancements": {}, - "hidePanelTitles": false, - "type": "lens" + "hidePanelTitles": false }, - "title": "Lists length" - }, - { - "version": "8.9.0", - "type": "lens", "gridData": { "h": 15, - "i": "161bf113-0b65-4f2c-ad1c-64f06c8b2344", - "w": 24, - "x": 0, - "y": 15 + "i": "3199303d-19cf-430f-ab40-ac73f0ec9ea2", + "w": 36, + "x": 12, + "y": 0 }, - "panelIndex": "161bf113-0b65-4f2c-ad1c-64f06c8b2344", + "panelIndex": "3199303d-19cf-430f-ab40-ac73f0ec9ea2", + "title": "Lists length", + "type": "lens" + }, + { "embeddableConfig": { "attributes": { "references": [ @@ -558,22 +569,20 @@ "visualizationType": "lnsXY" }, "enhancements": {}, - "hidePanelTitles": false, - "type": "lens" + "hidePanelTitles": false }, - "title": "Average size of string keys" - }, - { - "version": "8.9.0", - "type": "lens", "gridData": { "h": 15, - "i": "375cffab-4569-45e7-8848-c4464789a543", + "i": "161bf113-0b65-4f2c-ad1c-64f06c8b2344", "w": 24, - "x": 24, + "x": 0, "y": 15 }, - "panelIndex": "375cffab-4569-45e7-8848-c4464789a543", + "panelIndex": "161bf113-0b65-4f2c-ad1c-64f06c8b2344", + "title": "Average size of string keys", + "type": "lens" + }, + { "embeddableConfig": { "attributes": { "references": [ 
@@ -740,22 +749,39 @@ "visualizationType": "lnsXY" }, "enhancements": {}, - "hidePanelTitles": false, - "type": "lens" + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "375cffab-4569-45e7-8848-c4464789a543", + "w": 24, + "x": 24, + "y": 15 }, - "title": "Average keys TTL" + "panelIndex": "375cffab-4569-45e7-8848-c4464789a543", + "title": "Average keys TTL", + "type": "lens" } ], "timeRestore": false, "title": "[Metrics Redis] Keys", "version": 1 }, + "coreMigrationVersion": "8.8.0", + "created_at": "2024-04-19T07:16:18.086Z", + "id": "redis-28969190-0511-11e9-9c60-d582a238e2c5", + "managed": false, "references": [ { "id": "metrics-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern" }, + { + "id": "metrics-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + }, { "id": "metrics-*", "name": "79fa7446-f3ce-466c-a4b5-bd4fde483e5d:indexpattern-datasource-layer-9d7816a6-2ec8-4b54-aecf-ae00937afd79", @@ -797,7 +823,6 @@ "type": "index-pattern" } ], - "managed": false, - "coreMigrationVersion": "8.8.0", + "type": "dashboard", "typeMigrationVersion": "8.9.0" } \ No newline at end of file diff --git a/packages/redis/kibana/dashboard/redis-7fea2930-478e-11e7-b1f0-cb29bac6bf8b.json b/packages/redis/kibana/dashboard/redis-7fea2930-478e-11e7-b1f0-cb29bac6bf8b.json index 07717123064..1176db19b7c 100644 --- a/packages/redis/kibana/dashboard/redis-7fea2930-478e-11e7-b1f0-cb29bac6bf8b.json +++ b/packages/redis/kibana/dashboard/redis-7fea2930-478e-11e7-b1f0-cb29bac6bf8b.json 
@@ -1,20 +1,45 @@ { - "id": "redis-7fea2930-478e-11e7-b1f0-cb29bac6bf8b", - "type": "dashboard", - "namespaces": [ - "default" - ], - "migrationVersion": { - "dashboard": "8.9.0" - }, - "updated_at": "2024-01-22T13:24:55.598Z", - "created_at": "2024-01-22T13:24:55.598Z", - "version": "WzEwOCwxXQ==", "attributes": { "description": "Overview dashboard for the FIlebeat Redis integration", "kibanaSavedObjectMeta": { "searchSourceJSON": { - "filter": [], + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "data_stream.dataset", + "negate": false, + "params": [ + "redis.log", + "redis.slowlog" + ], + "type": "phrases" + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "data_stream.dataset": "redis.log" + } + }, + { + "match_phrase": { + "data_stream.dataset": "redis.slowlog" + } + } + ] + } + } + } + ], "query": { "language": "kuery", "query": "" @@ -31,19 +56,6 @@ "panelsJSON": [ { "embeddableConfig": { - "columns": [ - "host.name", - "log.level", - "redis.log.role", - "message" - ], - "enhancements": {}, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], "attributes": { "columns": [ "host.name", 
@@ -56,14 +68,6 @@ "kibanaSavedObjectMeta": { "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"redis.log\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"redis.log\"}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "Logs [Logs Redis]", - "version": 1, "references": [ { "id": "logs-*", @@ -80,8 +84,29 @@ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", "type": "index-pattern" } + ], + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "Logs [Logs Redis]", + "version": 1 + }, + "columns": [ + "host.name", + "log.level", + "redis.log.role", + "message" + ], + "enhancements": {}, + "sort": [ + [ + "@timestamp", + "desc" ] - } + ] }, "gridData": { "h": 16, @@ -91,19 +116,10 @@ "y": 30 }, "panelIndex": "4", - "type": "search", - "version": "7.9.3" + "type": "search" }, { "embeddableConfig": { - "columns": [ - "host.name", - "message", - "redis.slowlog.duration.us", - "redis.slowlog.key" - ], - "enhancements": {}, - "sort": [], "attributes": { "columns": [ "host.name", @@ -116,6 +132,13 @@ "kibanaSavedObjectMeta": { "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:redis.slowlog\"},\"version\":true}" }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], "sort": [ [ "@timestamp", 
@@ -123,15 +146,16 @@ ] ], "title": "Slow logs [Logs Redis]", - "version": 1, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ] - } + "version": 1 + }, + "columns": [ + "host.name", + "message", + "redis.slowlog.duration.us", + "redis.slowlog.key" + ], + "enhancements": {}, + "sort": [] }, "gridData": { "h": 16, @@ -141,8 +165,7 @@ "y": 0 }, "panelIndex": "6", - "type": "search", - "version": "7.9.3" + "type": "search" }, { "embeddableConfig": { @@ -215,7 +238,7 @@ "internalReferences": [], "query": { "language": "kuery", - "query": "data_stream.dataset:redis.slowlog" + "query": "" }, "visualization": { "axisTitlesVisibilitySettings": { @@ -286,8 +309,7 @@ }, "panelIndex": "048af531-a2d5-4a14-b7d2-6156dce83cbc", "title": "Top slowest commands [Logs Redis]", - "type": "lens", - "version": "8.10.2" + "type": "lens" }, { "embeddableConfig": { @@ -300,6 +322,7 @@ } ], "state": { + "adHocDataViews": {}, "datasourceStates": { "formBased": { "layers": { @@ -364,9 +387,10 @@ } }, "filters": [], + "internalReferences": [], "query": { "language": "kuery", - "query": "data_stream.dataset:redis.log" + "query": "" }, "visualization": { "layers": [ @@ -409,8 +433,7 @@ }, "panelIndex": "62b73fa0-e562-4af6-9d4e-9158eba31a8b", "title": "Log levels and roles breakdown [Logs Redis]", - "type": "lens", - "version": "8.10.2" + "type": "lens" }, { "embeddableConfig": { @@ -423,6 +446,7 @@ } ], "state": { + "adHocDataViews": {}, "datasourceStates": { "formBased": { "layers": { @@ -480,9 +504,10 @@ } }, "filters": [], + "internalReferences": [], "query": { "language": "kuery", - "query": "data_stream.dataset:redis.log" + "query": "" }, "visualization": { "gridlinesVisibilitySettings": { 
@@ -546,52 +571,59 @@ }, "panelIndex": "5150d808-cfa0-4a30-ab6f-e9517fa2ceec", "title": "Logs over time [Logs Redis]", - "type": "lens", - "version": "8.10.2" + "type": "lens" } ], "timeRestore": false, "title": "[Logs Redis] Overview", "version": 1 }, + "coreMigrationVersion": "8.8.0", + "created_at": "2024-04-19T07:25:32.795Z", + "id": "redis-7fea2930-478e-11e7-b1f0-cb29bac6bf8b", + "managed": false, "references": [ { "id": "logs-*", - "name": "048af531-a2d5-4a14-b7d2-6156dce83cbc:indexpattern-datasource-layer-c0de1034-34c9-4f6a-b525-e39bd578cd2f", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern" }, { "id": "logs-*", - "name": "62b73fa0-e562-4af6-9d4e-9158eba31a8b:indexpattern-datasource-layer-257bce71-5aee-4178-a2be-194e662bfb13", + "name": "4:kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern" }, { "id": "logs-*", - "name": "5150d808-cfa0-4a30-ab6f-e9517fa2ceec:indexpattern-datasource-layer-ebb70b66-e024-4a14-b179-d15c72b605bf", + "name": "4:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern" }, { - "type": "index-pattern", - "name": "4:kibanaSavedObjectMeta.searchSourceJSON.index", - "id": "logs-*" + "id": "logs-*", + "name": "4:kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" }, { - "type": "index-pattern", - "name": "4:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "id": "logs-*" + "id": "logs-*", + "name": "6:kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" }, { - "type": "index-pattern", - "name": "4:kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "id": "logs-*" + "id": "logs-*", + "name": "048af531-a2d5-4a14-b7d2-6156dce83cbc:indexpattern-datasource-layer-c0de1034-34c9-4f6a-b525-e39bd578cd2f", + "type": "index-pattern" }, { - "type": "index-pattern", - "name": "6:kibanaSavedObjectMeta.searchSourceJSON.index", - "id": "logs-*" + "id": "logs-*", + "name": 
"62b73fa0-e562-4af6-9d4e-9158eba31a8b:indexpattern-datasource-layer-257bce71-5aee-4178-a2be-194e662bfb13", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "5150d808-cfa0-4a30-ab6f-e9517fa2ceec:indexpattern-datasource-layer-ebb70b66-e024-4a14-b179-d15c72b605bf", + "type": "index-pattern" } ], - "managed": false, - "coreMigrationVersion": "8.8.0", + "type": "dashboard", "typeMigrationVersion": "8.9.0" } \ No newline at end of file diff --git a/packages/redis/kibana/dashboard/redis-AV4YjZ5pux-M-tCAunxK.json b/packages/redis/kibana/dashboard/redis-AV4YjZ5pux-M-tCAunxK.json index 4d2ff1f06b5..919edbae1c7 100644 --- a/packages/redis/kibana/dashboard/redis-AV4YjZ5pux-M-tCAunxK.json +++ b/packages/redis/kibana/dashboard/redis-AV4YjZ5pux-M-tCAunxK.json 
@@ -1,52 +1,69 @@ { - "id": "redis-AV4YjZ5pux-M-tCAunxK", - "type": "dashboard", - "namespaces": [ - "default" - ], - "migrationVersion": { - "dashboard": "8.9.0" - }, - "updated_at": "2024-01-22T13:24:55.598Z", - "created_at": "2024-01-22T13:24:55.598Z", - "version": "WzEwOSwxXQ==", "attributes": { "description": "Overview of Redis server metrics", - "hits": 0, "kibanaSavedObjectMeta": { "searchSourceJSON": { - "filter": [], - "highlightAll": true, + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "data_stream.dataset", + "negate": false, + "params": [ + "redis.info", + "redis.key", + "redis.keyspace" + ], + "type": "phrases" + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "data_stream.dataset": "redis.info" + } + }, + { + "match_phrase": { + "data_stream.dataset": "redis.key" + } + }, + { + "match_phrase": { + "data_stream.dataset": "redis.keyspace" + } + } + ] + } + } + } + ], "query": { "language": "kuery", "query": "" - }, - "version": true + } } }, "optionsJSON": { - "darkTheme": false + "hidePanelTitles": false, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false, + "useMargins": true }, "panelsJSON": [ { - "version": "8.9.0", - "type": "lens", - "gridData": { - "h": 14, - "i": "9587ad36-13de-4de0-8586-16065d55d029", - "w": 12, - "x": 0, - "y": 0 - }, - "panelIndex": "9587ad36-13de-4de0-8586-16065d55d029", "embeddableConfig": { "attributes": { "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, { "id": "metrics-*", "name": "indexpattern-datasource-layer-42f14593-5da1-4fb7-adbc-aeb5e9a4e2cc", @@ -54,6 +71,7 @@ } ], "state": { + "adHocDataViews": {}, "datasourceStates": { "formBased": { "layers": { 
@@ -78,9 +96,10 @@ } }, "filters": [], + "internalReferences": [], "query": { "language": "kuery", - "query": "(data_stream.dataset:redis.info OR data_stream.dataset:redis.key OR data_stream.dataset:redis.keyspace)" + "query": "" }, "visualization": { "accessor": "659dc838-53d8-4d49-9133-e789047508c5", @@ -95,30 +114,23 @@ "type": "lens", "visualizationType": "lnsLegacyMetric" }, - "enhancements": {}, - "type": "lens" + "enhancements": {} }, - "title": "Clients [Metrics Redis]" - }, - { - "version": "8.9.0", - "type": "lens", "gridData": { "h": 14, - "i": "452a1f6f-4931-4391-88bf-dfd23334b77b", - "w": 20, - "x": 12, + "i": "9587ad36-13de-4de0-8586-16065d55d029", + "w": 12, + "x": 0, "y": 0 }, - "panelIndex": "452a1f6f-4931-4391-88bf-dfd23334b77b", + "panelIndex": "9587ad36-13de-4de0-8586-16065d55d029", + "title": "Clients [Metrics Redis]", + "type": "lens" + }, + { "embeddableConfig": { "attributes": { "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, { "id": "metrics-*", "name": "indexpattern-datasource-layer-663fc5eb-ba63-4cb6-b9af-d996c9496392", @@ -126,6 +138,7 @@ } ], "state": { + "adHocDataViews": {}, "datasourceStates": { "formBased": { "layers": { @@ -173,9 +186,10 @@ } }, "filters": [], + "internalReferences": [], "query": { "language": "kuery", - "query": "(data_stream.dataset:redis.info OR data_stream.dataset:redis.key OR data_stream.dataset:redis.keyspace)" + "query": "" }, "visualization": { "gridlinesVisibilitySettings": { 
@@ -230,22 +244,20 @@ "type": "lens", "visualizationType": "lnsXY" }, - "enhancements": {}, - "type": "lens" + "enhancements": {} }, - "title": "Connected clients [Metrics Redis]" - }, - { - "version": "8.9.0", - "type": "lens", "gridData": { "h": 14, - "i": "6ceb010f-3be5-402d-a4cf-42f52a01d0db", - "w": 16, - "x": 32, + "i": "452a1f6f-4931-4391-88bf-dfd23334b77b", + "w": 20, + "x": 12, "y": 0 }, - "panelIndex": "6ceb010f-3be5-402d-a4cf-42f52a01d0db", + "panelIndex": "452a1f6f-4931-4391-88bf-dfd23334b77b", + "title": "Connected clients [Metrics Redis]", + "type": "lens" + }, + { "embeddableConfig": { "attributes": { "references": [ @@ -256,6 +268,7 @@ } ], "state": { + "adHocDataViews": {}, "datasourceStates": { "formBased": { "layers": { @@ -313,9 +326,10 @@ } }, "filters": [], + "internalReferences": [], "query": { "language": "kuery", - "query": "(data_stream.dataset:redis.info OR data_stream.dataset:redis.key OR data_stream.dataset:redis.keyspace)" + "query": "" }, "visualization": { "emphasizeFitting": false, @@ -366,22 +380,20 @@ "type": "lens", "visualizationType": "lnsXY" }, - "enhancements": {}, - "type": "lens" + "enhancements": {} }, - "title": "Keyspaces [Metrics Redis]" - }, - { - "version": "8.9.0", - "type": "lens", "gridData": { - "h": 8, - "i": "e38aacc7-f856-4306-86d2-3746d0143d6a", - "w": 48, - "x": 0, - "y": 14 + "h": 14, + "i": "6ceb010f-3be5-402d-a4cf-42f52a01d0db", + "w": 16, + "x": 32, + "y": 0 }, - "panelIndex": "e38aacc7-f856-4306-86d2-3746d0143d6a", + "panelIndex": "6ceb010f-3be5-402d-a4cf-42f52a01d0db", + "title": "Keyspaces [Metrics Redis]", + "type": "lens" + }, + { "embeddableConfig": { "attributes": { "references": [ @@ -392,6 +404,7 @@ } ], "state": { + "adHocDataViews": {}, "datasourceStates": { "formBased": { "layers": { 
@@ -494,9 +507,10 @@ } }, "filters": [], + "internalReferences": [], "query": { "language": "kuery", - "query": "(data_stream.dataset:redis.info OR data_stream.dataset:redis.key OR data_stream.dataset:redis.keyspace)" + "query": "" }, "visualization": { "columns": [ @@ -542,30 +556,23 @@ "type": "lens", "visualizationType": "lnsDatatable" }, - "enhancements": {}, - "type": "lens" + "enhancements": {} }, - "title": "Hosts [Metrics Redis]" - }, - { - "version": "8.9.0", - "type": "lens", "gridData": { "h": 8, - "i": "e59f5a8f-6f47-471c-bf7c-96d6eab6baf3", - "w": 16, + "i": "e38aacc7-f856-4306-86d2-3746d0143d6a", + "w": 48, "x": 0, - "y": 22 + "y": 14 }, - "panelIndex": "e59f5a8f-6f47-471c-bf7c-96d6eab6baf3", + "panelIndex": "e38aacc7-f856-4306-86d2-3746d0143d6a", + "title": "Hosts [Metrics Redis]", + "type": "lens" + }, + { "embeddableConfig": { "attributes": { "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, { "id": "metrics-*", "name": "indexpattern-datasource-layer-495b0b3d-5f1c-49b0-ac9b-788f6f4d2b06", @@ -573,6 +580,7 @@ } ], "state": { + "adHocDataViews": {}, "datasourceStates": { "formBased": { "layers": { @@ -617,9 +625,10 @@ } }, "filters": [], + "internalReferences": [], "query": { "language": "kuery", - "query": "(data_stream.dataset:redis.info OR data_stream.dataset:redis.key OR data_stream.dataset:redis.keyspace)" + "query": "" }, "visualization": { "layers": [ @@ -629,13 +638,13 @@ "layerType": "data", "legendDisplay": "show", "legendSize": "auto", + "metrics": [ + "3996a38e-2cff-4888-b0cc-234ec8debdf8" + ], "nestedLegend": false, "numberDisplay": "percent", "primaryGroups": [ "d32bf426-f3bf-43f9-a1f6-825c2ac9cd5a" - ], - "metrics": [ - "3996a38e-2cff-4888-b0cc-234ec8debdf8" ] } ], 
@@ -650,30 +659,23 @@ "type": "lens", "visualizationType": "lnsPie" }, - "enhancements": {}, - "type": "lens" + "enhancements": {} }, - "title": "Server Versions [Metrics Redis]" - }, - { - "version": "8.9.0", - "type": "lens", "gridData": { "h": 8, - "i": "989efbbc-7d45-466c-8bb3-9322a6fa6a46", + "i": "e59f5a8f-6f47-471c-bf7c-96d6eab6baf3", "w": 16, - "x": 16, + "x": 0, "y": 22 }, - "panelIndex": "989efbbc-7d45-466c-8bb3-9322a6fa6a46", + "panelIndex": "e59f5a8f-6f47-471c-bf7c-96d6eab6baf3", + "title": "Server Versions [Metrics Redis]", + "type": "lens" + }, + { "embeddableConfig": { "attributes": { "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, { "id": "metrics-*", "name": "indexpattern-datasource-layer-88f523d4-adf4-423a-9a09-a6ae74f410ff", @@ -681,6 +683,7 @@ } ], "state": { + "adHocDataViews": {}, "datasourceStates": { "formBased": { "layers": { @@ -725,9 +728,10 @@ } }, "filters": [], + "internalReferences": [], "query": { "language": "kuery", - "query": "(data_stream.dataset:redis.info OR data_stream.dataset:redis.key OR data_stream.dataset:redis.keyspace)" + "query": "" }, "visualization": { "layers": [ @@ -737,13 +741,13 @@ "layerType": "data", "legendDisplay": "show", "legendSize": "auto", + "metrics": [ + "3f54a1a9-ff71-44a3-80f5-f16d7db12c58" + ], "nestedLegend": false, "numberDisplay": "percent", "primaryGroups": [ "a60e9838-ac8c-440d-b42f-07cc81d2694c" - ], - "metrics": [ - "3f54a1a9-ff71-44a3-80f5-f16d7db12c58" ] } ], 
@@ -758,30 +762,23 @@ "type": "lens", "visualizationType": "lnsPie" }, - "enhancements": {}, - "type": "lens" + "enhancements": {} }, - "title": "Server mode [Metrics Redis]" - }, - { - "version": "8.9.0", - "type": "lens", "gridData": { "h": 8, - "i": "eed90cad-e313-4af5-b26b-965cfc02ea24", + "i": "989efbbc-7d45-466c-8bb3-9322a6fa6a46", "w": 16, - "x": 32, + "x": 16, "y": 22 }, - "panelIndex": "eed90cad-e313-4af5-b26b-965cfc02ea24", + "panelIndex": "989efbbc-7d45-466c-8bb3-9322a6fa6a46", + "title": "Server mode [Metrics Redis]", + "type": "lens" + }, + { "embeddableConfig": { "attributes": { "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, { "id": "metrics-*", "name": "indexpattern-datasource-layer-7dd18b64-cbba-40ed-b1e3-56aa0f27f3f3", @@ -789,6 +786,7 @@ } ], "state": { + "adHocDataViews": {}, "datasourceStates": { "formBased": { "layers": { @@ -833,9 +831,10 @@ } }, "filters": [], + "internalReferences": [], "query": { "language": "kuery", - "query": "(data_stream.dataset:redis.info OR data_stream.dataset:redis.key OR data_stream.dataset:redis.keyspace)" + "query": "" }, "visualization": { "layers": [ @@ -845,13 +844,13 @@ "layerType": "data", "legendDisplay": "show", "legendSize": "auto", + "metrics": [ + "a2c1d752-9b78-45b8-ae86-f71e48c5fee1" + ], "nestedLegend": false, "numberDisplay": "percent", "primaryGroups": [ "cfccf32e-014a-43c4-b8f5-7bcc29ce6e46" - ], - "metrics": [ - "a2c1d752-9b78-45b8-ae86-f71e48c5fee1" ] } ], 
@@ -866,20 +865,32 @@ "type": "lens", "visualizationType": "lnsPie" }, - "enhancements": {}, - "type": "lens" + "enhancements": {} }, - "title": "Multiplexing API [Metrics Redis]" + "gridData": { + "h": 8, + "i": "eed90cad-e313-4af5-b26b-965cfc02ea24", + "w": 16, + "x": 32, + "y": 22 + }, + "panelIndex": "eed90cad-e313-4af5-b26b-965cfc02ea24", + "title": "Multiplexing API [Metrics Redis]", + "type": "lens" } ], "timeRestore": false, "title": "[Metrics Redis] Overview", "version": 1 }, + "coreMigrationVersion": "8.8.0", + "created_at": "2024-04-19T07:20:04.193Z", + "id": "redis-AV4YjZ5pux-M-tCAunxK", + "managed": false, "references": [ { "id": "metrics-*", - "name": "9587ad36-13de-4de0-8586-16065d55d029:indexpattern-datasource-current-indexpattern", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern" }, { @@ -887,11 +898,6 @@ "name": "9587ad36-13de-4de0-8586-16065d55d029:indexpattern-datasource-layer-42f14593-5da1-4fb7-adbc-aeb5e9a4e2cc", "type": "index-pattern" }, - { - "id": "metrics-*", - "name": "452a1f6f-4931-4391-88bf-dfd23334b77b:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, { "id": "metrics-*", "name": "452a1f6f-4931-4391-88bf-dfd23334b77b:indexpattern-datasource-layer-663fc5eb-ba63-4cb6-b9af-d996c9496392", 
@@ -907,38 +913,22 @@ "name": "e38aacc7-f856-4306-86d2-3746d0143d6a:indexpattern-datasource-layer-0af489b3-738e-40c0-9ae4-43dd70bf9fed", "type": "index-pattern" }, - { - "id": "metrics-*", - "name": "e59f5a8f-6f47-471c-bf7c-96d6eab6baf3:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, { "id": "metrics-*", "name": "e59f5a8f-6f47-471c-bf7c-96d6eab6baf3:indexpattern-datasource-layer-495b0b3d-5f1c-49b0-ac9b-788f6f4d2b06", "type": "index-pattern" }, - { - "id": "metrics-*", - "name": "989efbbc-7d45-466c-8bb3-9322a6fa6a46:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, { "id": "metrics-*", "name": "989efbbc-7d45-466c-8bb3-9322a6fa6a46:indexpattern-datasource-layer-88f523d4-adf4-423a-9a09-a6ae74f410ff", "type": "index-pattern" }, - { - "id": "metrics-*", - "name": "eed90cad-e313-4af5-b26b-965cfc02ea24:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, { "id": "metrics-*", "name": "eed90cad-e313-4af5-b26b-965cfc02ea24:indexpattern-datasource-layer-7dd18b64-cbba-40ed-b1e3-56aa0f27f3f3", "type": "index-pattern" } ], - "managed": false, - "coreMigrationVersion": "8.8.0", + "type": "dashboard", "typeMigrationVersion": "8.9.0" } \ No newline at end of file diff --git a/packages/redis/manifest.yml b/packages/redis/manifest.yml index 5946f0fb989..c714f04a15f 100644 --- a/packages/redis/manifest.yml +++ b/packages/redis/manifest.yml @@ -1,7 +1,7 @@ format_version: "3.0.2" name: redis title: Redis -version: "1.15.0" +version: "1.16.0" description: Collect logs and metrics from Redis servers with Elastic Agent. type: integration categories: 
@@ -117,8 +117,7 @@ policy_templates:
 # xw23l/k8RoD1wRWaDVbgpjwSzt+kl+vJE/ip2w3h69eEZ9wbo6scRO5lCO2JM4Pr
 # 7RhLQyWn2u00L7/9Omw=
 # -----END CERTIFICATE-----
- description: |
- This section allows for the configuration of SSL settings to enable secure communication between the client and server. Both common and specific SSL options can be customized to ensure a secure and reliable connection. Example: [certificate_authorities](https://www.elastic.co/guide/en/beats/metricbeat/current/configuration-ssl.html#client-certificate-authorities), [supported-protocols](https://www.elastic.co/guide/en/beats/metricbeat/current/configuration-ssl.html#supported-protocols), [verification-mode](https://www.elastic.co/guide/en/beats/metricbeat/current/configuration-ssl.html#client-verification-mode), [key](https://www.elastic.co/guide/en/beats/metricbeat/current/configuration-ssl.html#client-key), [certificate](https://www.elastic.co/guide/en/beats/metricbeat/current/configuration-ssl.html#client-certificate), etc.
+ description: i.e. certificate_authorities, supported_protocols, verification_mode etc.
 multi: false
 required: false
 show_user: false
diff --git a/packages/redis/validation.yml b/packages/redis/validation.yml
deleted file mode 100644
index 99999428b3f..00000000000
--- a/packages/redis/validation.yml
+++ /dev/null
@@ -1,4 +0,0 @@
-errors:
- exclude_checks:
- - SVR00002
- - SVR00004
diff --git a/packages/vsphere/changelog.yml b/packages/vsphere/changelog.yml
index f2215beb46b..ca8ab38cd2c 100644
--- a/packages/vsphere/changelog.yml
+++ b/packages/vsphere/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.12.0"
+ changes:
+ - description: Add global filter on data_stream.dataset to improve performance.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/10075
 - version: "1.11.1"
 changes:
 - description: Add more specific details to vSphere logs configuration documentation.
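Review bot: The new `description` line drops the explanation and the per-option links to the Beats SSL documentation that the removed block carried, so a user configuring this section no longer has a pointer to what `verification_mode` or `certificate_authorities` accept, and `i.e.` is the wrong connective for an open-ended example list. A shorter line that keeps the reference would serve better, e.g. `description: SSL settings for the connection to the server, e.g. certificate_authorities, supported_protocols, verification_mode; see https://www.elastic.co/guide/en/beats/metricbeat/current/configuration-ssl.html` (the page the removed text linked to). This edit is also not recorded in the redis changelog entry in this commit, which only mentions the global data_stream.dataset filter; either note it there or leave the description as it was. The enclosing variable definition starts before this hunk.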
diff --git a/packages/vsphere/data_stream/log/fields/ecs.yml b/packages/vsphere/data_stream/log/fields/ecs.yml
index 79d93c6938e..33c6f6ae04e 100644
--- a/packages/vsphere/data_stream/log/fields/ecs.yml
+++ b/packages/vsphere/data_stream/log/fields/ecs.yml
@@ -92,4 +92,4 @@
 - name: user_agent.device.name
 external: ecs
 - name: user_agent.name
- external: ecs
\ No newline at end of file
+ external: ecs
diff --git a/packages/vsphere/data_stream/log/fields/fields.yml b/packages/vsphere/data_stream/log/fields/fields.yml
index f48136cdd87..a8fe6f25e46 100644
--- a/packages/vsphere/data_stream/log/fields/fields.yml
+++ b/packages/vsphere/data_stream/log/fields/fields.yml
@@ -9,10 +9,10 @@
 - name: api
 type: group
 fields:
- - name: invocations
- type: long
+ - name: invocations
+ type: long
 - name: file
 type: group
 fields:
 - name: path
- type: keyword
\ No newline at end of file
+ type: keyword
diff --git a/packages/vsphere/kibana/dashboard/vsphere-6ef55590-0337-11ed-80a3-e31802c6cc3f.json b/packages/vsphere/kibana/dashboard/vsphere-6ef55590-0337-11ed-80a3-e31802c6cc3f.json
index 00a50bc9a34..0c952cd22af 100644
--- a/packages/vsphere/kibana/dashboard/vsphere-6ef55590-0337-11ed-80a3-e31802c6cc3f.json
+++ b/packages/vsphere/kibana/dashboard/vsphere-6ef55590-0337-11ed-80a3-e31802c6cc3f.json
@@ -1,10 +1,32 @@
 {
 "attributes": {
 "description": "Overview of the VSphere virtualmachine metrics",
- "hits": 0,
 "kibanaSavedObjectMeta": {
 "searchSourceJSON": {
- "filter": [],
+ "filter": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "data_stream.dataset",
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "key": "data_stream.dataset",
+ "negate": false,
+ "params": {
+ "query": "vsphere.virtualmachine"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "data_stream.dataset": "vsphere.virtualmachine"
+ }
+ }
+ }
+ ],
 "query": {
 "language": "kuery",
 "query": ""
@@ -13,6 +35,9 @@ }, "optionsJSON": { "hidePanelTitles": false, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false, "useMargins": true }, "panelsJSON": [ @@ -24,11 +49,6 @@ "id": "metrics-*", "name": "indexpattern-datasource-layer-305a27a6-8ded-4a35-90ec-bdbea153be95", "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "9602e830-5783-4a74-98d4-b37e4ede99b6", - "type": "index-pattern" } ], "state": { @@ -177,39 +197,7 @@ } } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "9602e830-5783-4a74-98d4-b37e4ede99b6", - "key": "event.module", - "negate": false, - "params": [ - "vsphere" - ], - "type": "phrases", - "value": [ - "vsphere" - ] - }, - "query": { - "bool": { - "minimum_should_match": 1, - "should": [ - { - "match_phrase": { - "event.module": "vsphere" - } - } - ] - } - } - } - ], + "filters": [], "internalReferences": [], "query": { "language": "kuery", @@ -254,8 +242,7 @@ "visualizationType": "lnsDatatable" }, "enhancements": {}, - "hidePanelTitles": false, - "type": "lens" + "hidePanelTitles": false }, "gridData": { "h": 18, @@ -266,8 +253,7 @@ }, "panelIndex": "e41bc62d-3548-41e5-b1ce-be2ed9f9a23e", "title": "CPU/RAM/Network per VM [Metrics VSphere]", - "type": "lens", - "version": "8.7.0" + "type": "lens" }, { "embeddableConfig": { @@ -277,11 +263,6 @@ "id": "metrics-*", "name": "indexpattern-datasource-layer-f9113556-7eee-43d0-a1b9-9c6162f953ca", "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "32dde00e-6d4f-4954-b071-0723b03cf202", - "type": "index-pattern" } ], "state": { 
@@ -335,39 +316,7 @@ } } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "32dde00e-6d4f-4954-b071-0723b03cf202", - "key": "event.module", - "negate": false, - "params": [ - "vsphere" - ], - "type": "phrases", - "value": [ - "vsphere" - ] - }, - "query": { - "bool": { - "minimum_should_match": 1, - "should": [ - { - "match_phrase": { - "event.module": "vsphere" - } - } - ] - } - } - } - ], + "filters": [], "internalReferences": [], "query": { "language": "kuery", @@ -403,8 +352,7 @@ "visualizationType": "lnsPie" }, "enhancements": {}, - "hidePanelTitles": false, - "type": "lens" + "hidePanelTitles": false }, "gridData": { "h": 18, @@ -415,8 +363,7 @@ }, "panelIndex": "52c37c4c-f2e4-4041-995b-c607cd6cd6b5", "title": "OS Distribution [Metrics VSphere]", - "type": "lens", - "version": "8.7.0" + "type": "lens" }, { "embeddableConfig": { @@ -426,11 +373,6 @@ "id": "metrics-*", "name": "indexpattern-datasource-layer-89b3d010-342a-42fc-b780-ab57aef074dc", "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "8d541c67-8415-472a-a1bd-ca28b1181ea9", - "type": "index-pattern" } ], "state": { @@ -484,39 +426,7 @@ } } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "8d541c67-8415-472a-a1bd-ca28b1181ea9", - "key": "event.module", - "negate": false, - "params": [ - "vsphere" - ], - "type": "phrases", - "value": [ - "vsphere" - ] - }, - "query": { - "bool": { - "minimum_should_match": 1, - "should": [ - { - "match_phrase": { - "event.module": "vsphere" - } - } - ] - } - } - } - ], + "filters": [], "internalReferences": [], "query": { "language": "kuery", @@ -552,8 +462,7 @@ "visualizationType": "lnsPie" }, "enhancements": {}, - "hidePanelTitles": false, - "type": "lens" + "hidePanelTitles": false }, "gridData": { "h": 19, 
@@ -564,8 +473,7 @@ }, "panelIndex": "471fb85f-0ccf-4f57-9e2a-0d779bee0c74", "title": "Networks from virtualmachine [Metrics VSphere]", - "type": "lens", - "version": "8.7.0" + "type": "lens" }, { "embeddableConfig": { @@ -575,11 +483,6 @@ "id": "metrics-*", "name": "indexpattern-datasource-layer-31b0ed59-b1e1-45d5-b129-c0ee83a3ca24", "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "302b0a28-826e-41e8-bbc4-8a1bc84b1061", - "type": "index-pattern" } ], "state": { @@ -633,39 +536,7 @@ } } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "302b0a28-826e-41e8-bbc4-8a1bc84b1061", - "key": "event.module", - "negate": false, - "params": [ - "vsphere" - ], - "type": "phrases", - "value": [ - "vsphere" - ] - }, - "query": { - "bool": { - "minimum_should_match": 1, - "should": [ - { - "match_phrase": { - "event.module": "vsphere" - } - } - ] - } - } - } - ], + "filters": [], "internalReferences": [], "query": { "language": "kuery", @@ -701,8 +572,7 @@ "visualizationType": "lnsPie" }, "enhancements": {}, - "hidePanelTitles": false, - "type": "lens" + "hidePanelTitles": false }, "gridData": { "h": 19, @@ -713,8 +583,7 @@ }, "panelIndex": "0818d44b-3bae-44a9-af56-4cf28e6ed595", "title": "VMs per ESXI host [Metrics VSphere]", - "type": "lens", - "version": "8.7.0" + "type": "lens" }, { "embeddableConfig": { @@ -724,11 +593,6 @@ "id": "metrics-*", "name": "indexpattern-datasource-layer-945e68fb-9759-4b91-b86f-0bc284d64655", "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "87cce5d9-dd78-4624-8506-66af035b9221", - "type": "index-pattern" } ], "state": { 
@@ -805,39 +669,7 @@ } } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "87cce5d9-dd78-4624-8506-66af035b9221", - "key": "event.module", - "negate": false, - "params": [ - "vsphere" - ], - "type": "phrases", - "value": [ - "vsphere" - ] - }, - "query": { - "bool": { - "minimum_should_match": 1, - "should": [ - { - "match_phrase": { - "event.module": "vsphere" - } - } - ] - } - } - } - ], + "filters": [], "internalReferences": [], "query": { "language": "kuery", @@ -922,8 +754,7 @@ "visualizationType": "lnsHeatmap" }, "enhancements": {}, - "hidePanelTitles": false, - "type": "lens" + "hidePanelTitles": false }, "gridData": { "h": 35, @@ -934,29 +765,26 @@ }, "panelIndex": "312a7680-8b30-42dc-a426-65f55f348bdd", "title": "VM placements on ESXi Hosts[Metrics VSphere]", - "type": "lens", - "version": "8.7.0" + "type": "lens" } ], "timeRestore": false, "title": "[Metrics VSphere] VMs overview", "version": 1 }, - "coreMigrationVersion": "8.7.0", - "created_at": "2023-04-07T06:26:07.518Z", + "coreMigrationVersion": "8.8.0", + "created_at": "2024-05-15T06:47:35.029Z", "id": "vsphere-6ef55590-0337-11ed-80a3-e31802c6cc3f", - "migrationVersion": { - "dashboard": "8.7.0" - }, + "managed": false, "references": [ { "id": "metrics-*", - "name": "e41bc62d-3548-41e5-b1ce-be2ed9f9a23e:indexpattern-datasource-layer-305a27a6-8ded-4a35-90ec-bdbea153be95", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern" }, { "id": "metrics-*", - "name": "e41bc62d-3548-41e5-b1ce-be2ed9f9a23e:9602e830-5783-4a74-98d4-b37e4ede99b6", + "name": "e41bc62d-3548-41e5-b1ce-be2ed9f9a23e:indexpattern-datasource-layer-305a27a6-8ded-4a35-90ec-bdbea153be95", "type": "index-pattern" }, { 
@@ -964,41 +792,22 @@ "name": "52c37c4c-f2e4-4041-995b-c607cd6cd6b5:indexpattern-datasource-layer-f9113556-7eee-43d0-a1b9-9c6162f953ca", "type": "index-pattern" }, - { - "id": "metrics-*", - "name": "52c37c4c-f2e4-4041-995b-c607cd6cd6b5:32dde00e-6d4f-4954-b071-0723b03cf202", - "type": "index-pattern" - }, { "id": "metrics-*", "name": "471fb85f-0ccf-4f57-9e2a-0d779bee0c74:indexpattern-datasource-layer-89b3d010-342a-42fc-b780-ab57aef074dc", "type": "index-pattern" }, - { - "id": "metrics-*", - "name": "471fb85f-0ccf-4f57-9e2a-0d779bee0c74:8d541c67-8415-472a-a1bd-ca28b1181ea9", - "type": "index-pattern" - }, { "id": "metrics-*", "name": "0818d44b-3bae-44a9-af56-4cf28e6ed595:indexpattern-datasource-layer-31b0ed59-b1e1-45d5-b129-c0ee83a3ca24", "type": "index-pattern" }, - { - "id": "metrics-*", - "name": "0818d44b-3bae-44a9-af56-4cf28e6ed595:302b0a28-826e-41e8-bbc4-8a1bc84b1061", - "type": "index-pattern" - }, { "id": "metrics-*", "name": "312a7680-8b30-42dc-a426-65f55f348bdd:indexpattern-datasource-layer-945e68fb-9759-4b91-b86f-0bc284d64655", "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "312a7680-8b30-42dc-a426-65f55f348bdd:87cce5d9-dd78-4624-8506-66af035b9221", - "type": "index-pattern" } ], - "type": "dashboard" + "type": "dashboard", + "typeMigrationVersion": "8.9.0" } \ No newline at end of file diff --git a/packages/vsphere/kibana/dashboard/vsphere-a2d04970-0336-11ed-80a3-e31802c6cc3f.json b/packages/vsphere/kibana/dashboard/vsphere-a2d04970-0336-11ed-80a3-e31802c6cc3f.json index 27043d9b96d..46a655423da 100644 --- a/packages/vsphere/kibana/dashboard/vsphere-a2d04970-0336-11ed-80a3-e31802c6cc3f.json +++ b/packages/vsphere/kibana/dashboard/vsphere-a2d04970-0336-11ed-80a3-e31802c6cc3f.json 
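Review bot: The rewritten tail of this dashboard still carries `\ No newline at end of file` even though the hunk edits the closing lines to add `"typeMigrationVersion": "8.9.0"`; the hosts dashboard's tail hunk `@@ -1608,61 +1409,32 @@` has the same shape. Ending the file with a newline keeps every later change to the last property from also touching the closing `}` line in diffs, and is what `jq .` and Prettier emit by default. If these files come straight out of the Kibana saved-object export, the fix belongs in that export step rather than a manual edit, but the result should be the same either way.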
@@ -3,7 +3,43 @@ "description": "Overview of VSphere host and cluster metrics", "kibanaSavedObjectMeta": { "searchSourceJSON": { - "filter": [], + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "data_stream.dataset", + "negate": false, + "params": [ + "vsphere.datastore", + "vsphere.host" + ], + "type": "phrases" + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "data_stream.dataset": "vsphere.datastore" + } + }, + { + "match_phrase": { + "data_stream.dataset": "vsphere.host" + } + } + ] + } + } + } + ], "query": { "language": "kuery", "query": "" @@ -31,11 +67,6 @@ "id": "metrics-*", "name": "indexpattern-datasource-layer-c75685de-e613-4f57-9a3c-e7969788d076", "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "e9e14b4a-ce0c-4f87-8269-ac415e9edf7a", - "type": "index-pattern" } ], "state": { @@ -114,39 +145,7 @@ } } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "e9e14b4a-ce0c-4f87-8269-ac415e9edf7a", - "key": "event.module", - "negate": false, - "params": [ - "vsphere" - ], - "type": "phrases", - "value": [ - "vsphere" - ] - }, - "query": { - "bool": { - "minimum_should_match": 1, - "should": [ - { - "match_phrase": { - "event.module": "vsphere" - } - } - ] - } - } - } - ], + "filters": [], "internalReferences": [], "query": { "language": "kuery", @@ -241,8 +240,7 @@ }, "panelIndex": "79151728-9595-42fa-b243-bd23b4e6d1f2", "title": "Free vs Used CPU on Cluster stacked [Metrics VSphere]", - "type": "lens", - "version": "8.7.0" + "type": "lens" }, { "embeddableConfig": { 
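Review bot: The new global filter in the `@@ -3,7 +3,43 @@` hunk limits the whole dashboard to `data_stream.dataset` in `vsphere.datastore` and `vsphere.host`, which is narrower than the per-panel `event.module: vsphere` filters it replaces in the later hunks, and a panel whose Lens layer reads from any other vsphere dataset would now render empty rather than fail loudly. The description still says "host and cluster metrics", so it is worth confirming that the cluster panels (`Free vs Used CPU on Cluster stacked`, `Cluster Memory free vs used stacked`) are computed from `vsphere.host` documents before merging. The filter also resolves its index through `"indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index"`, which only works because a later hunk in this file inserts that entry as the first element of `references`; the two edits must stay in sync if the references list is ever reordered.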
@@ -252,11 +250,6 @@ "id": "metrics-*", "name": "indexpattern-datasource-layer-5f4dfc6b-7d19-4d5a-afcc-cbef3e2ea135", "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "e43f0d5c-a33c-4e5c-8ed8-2c40a7e6d7f8", - "type": "index-pattern" } ], "state": { @@ -314,39 +307,7 @@ } } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "e43f0d5c-a33c-4e5c-8ed8-2c40a7e6d7f8", - "key": "event.module", - "negate": false, - "params": [ - "vsphere" - ], - "type": "phrases", - "value": [ - "vsphere" - ] - }, - "query": { - "bool": { - "minimum_should_match": 1, - "should": [ - { - "match_phrase": { - "event.module": "vsphere" - } - } - ] - } - } - } - ], + "filters": [], "internalReferences": [], "query": { "language": "kuery", @@ -430,8 +391,7 @@ }, "panelIndex": "5116b94e-31bb-45c7-9d44-6788c4cd186c", "title": "Cluster Memory free vs used stacked [Metrics VSphere]", - "type": "lens", - "version": "8.7.0" + "type": "lens" }, { "embeddableConfig": { @@ -441,11 +401,6 @@ "id": "metrics-*", "name": "indexpattern-datasource-layer-5f4dfc6b-7d19-4d5a-afcc-cbef3e2ea135", "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "64edb2cf-ebb0-4d7f-9df2-7ceeebee5926", - "type": "index-pattern" } ], "state": { @@ -503,39 +458,7 @@ } } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "64edb2cf-ebb0-4d7f-9df2-7ceeebee5926", - "key": "event.module", - "negate": false, - "params": [ - "vsphere" - ], - "type": "phrases", - "value": [ - "vsphere" - ] - }, - "query": { - "bool": { - "minimum_should_match": 1, - "should": [ - { - "match_phrase": { - "event.module": "vsphere" - } - } - ] - } - } - } - ], + "filters": [], "internalReferences": [], "query": { "language": "kuery", 
@@ -618,8 +541,7 @@ }, "panelIndex": "acf88c63-16d1-4977-81d3-329c5ba5323b", "title": "Free vs Used Datastore [Metrics VSphere]", - "type": "lens", - "version": "8.7.0" + "type": "lens" }, { "embeddableConfig": { @@ -629,11 +551,6 @@ "id": "metrics-*", "name": "indexpattern-datasource-layer-5d349ee5-8107-420a-99af-1006c84e1612", "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "743a7676-8f6a-4589-9947-5caa4145781a", - "type": "index-pattern" } ], "state": { @@ -687,39 +604,7 @@ } } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "743a7676-8f6a-4589-9947-5caa4145781a", - "key": "event.module", - "negate": false, - "params": [ - "vsphere" - ], - "type": "phrases", - "value": [ - "vsphere" - ] - }, - "query": { - "bool": { - "minimum_should_match": 1, - "should": [ - { - "match_phrase": { - "event.module": "vsphere" - } - } - ] - } - } - } - ], + "filters": [], "internalReferences": [], "query": { "language": "kuery", @@ -766,8 +651,7 @@ }, "panelIndex": "bb0cc3a4-a83c-4c3c-8ba8-f9ec06ab47c3", "title": "Datastore Types [Metrics VSphere]", - "type": "lens", - "version": "8.7.0" + "type": "lens" }, { "embeddableConfig": { @@ -777,11 +661,6 @@ "id": "metrics-*", "name": "indexpattern-datasource-layer-f63e57b4-f975-47bb-93f8-22a36a171f6b", "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "c8f7b81a-884f-40df-917f-712a774c79de", - "type": "index-pattern" } ], "state": { @@ -852,6 +731,7 @@ "format": { "id": "percent", "params": { + "compact": true, "decimals": 2 } }, 
@@ -928,29 +808,7 @@ } } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "c8f7b81a-884f-40df-917f-712a774c79de", - "key": "event.module", - "negate": false, - "params": { - "query": "vsphere" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.module": "vsphere" - } - } - } - ], + "filters": [], "internalReferences": [], "query": { "language": "kuery", @@ -1034,8 +892,7 @@ }, "panelIndex": "6f276888-f190-46d0-afe8-d71451264e04", "title": "Host top RAM util [Metrics VSphere]", - "type": "lens", - "version": "8.7.0" + "type": "lens" }, { "embeddableConfig": { @@ -1045,11 +902,6 @@ "id": "metrics-*", "name": "indexpattern-datasource-layer-f63e57b4-f975-47bb-93f8-22a36a171f6b", "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "f5c6fcc1-f04f-49a7-94d9-a2efd0afc5fc", - "type": "index-pattern" } ], "state": { @@ -1120,6 +972,7 @@ "format": { "id": "percent", "params": { + "compact": true, "decimals": 2 } }, @@ -1196,29 +1049,7 @@ } } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "f5c6fcc1-f04f-49a7-94d9-a2efd0afc5fc", - "key": "event.module", - "negate": false, - "params": { - "query": "vsphere" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.module": "vsphere" - } - } - } - ], + "filters": [], "internalReferences": [], "query": { "language": "kuery", @@ -1302,8 +1133,7 @@ }, "panelIndex": "eab189e0-4663-4b79-a835-b12720a9034a", "title": "Host top CPU util [Metrics VSphere]", - "type": "lens", - "version": "8.7.0" + "type": "lens" }, { "embeddableConfig": { @@ -1313,11 +1143,6 @@ "id": "metrics-*", "name": "indexpattern-datasource-layer-f63e57b4-f975-47bb-93f8-22a36a171f6b", "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "269b2f47-2c8b-4628-9da3-b6b9d8dbd9d7", - "type": "index-pattern" } ], "state": { 
@@ -1390,6 +1215,7 @@ "format": { "id": "percent", "params": { + "compact": true, "decimals": 2 } }, @@ -1466,29 +1292,7 @@ } } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "269b2f47-2c8b-4628-9da3-b6b9d8dbd9d7", - "key": "event.module", - "negate": false, - "params": { - "query": "vsphere" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.module": "vsphere" - } - } - } - ], + "filters": [], "internalReferences": [], "query": { "language": "kuery", @@ -1573,34 +1377,31 @@ }, "panelIndex": "8ac5e519-ad42-4c16-aa02-ef4d53bc58ab", "title": "Top Datastore Used [Metrics VSphere]", - "type": "lens", - "version": "8.7.0" + "type": "lens" } ], "timeRestore": false, "title": "[Metrics VSphere] Hosts Overview", "version": 1 }, - "coreMigrationVersion": "8.7.0", - "created_at": "2023-04-05T10:14:27.339Z", + "coreMigrationVersion": "8.8.0", + "created_at": "2024-05-15T06:52:41.568Z", "id": "vsphere-a2d04970-0336-11ed-80a3-e31802c6cc3f", - "migrationVersion": { - "dashboard": "8.7.0" - }, + "managed": false, "references": [ { "id": "metrics-*", - "name": "79151728-9595-42fa-b243-bd23b4e6d1f2:indexpattern-datasource-layer-c6244a5d-3a08-4a3a-8b19-ece0f0eaa4ee", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern" }, { "id": "metrics-*", - "name": "79151728-9595-42fa-b243-bd23b4e6d1f2:indexpattern-datasource-layer-c75685de-e613-4f57-9a3c-e7969788d076", + "name": "79151728-9595-42fa-b243-bd23b4e6d1f2:indexpattern-datasource-layer-c6244a5d-3a08-4a3a-8b19-ece0f0eaa4ee", "type": "index-pattern" }, { "id": "metrics-*", - "name": "79151728-9595-42fa-b243-bd23b4e6d1f2:e9e14b4a-ce0c-4f87-8269-ac415e9edf7a", + "name": "79151728-9595-42fa-b243-bd23b4e6d1f2:indexpattern-datasource-layer-c75685de-e613-4f57-9a3c-e7969788d076", "type": "index-pattern" }, { 
@@ -1608,61 +1409,32 @@ "name": "5116b94e-31bb-45c7-9d44-6788c4cd186c:indexpattern-datasource-layer-5f4dfc6b-7d19-4d5a-afcc-cbef3e2ea135", "type": "index-pattern" }, - { - "id": "metrics-*", - "name": "5116b94e-31bb-45c7-9d44-6788c4cd186c:e43f0d5c-a33c-4e5c-8ed8-2c40a7e6d7f8", - "type": "index-pattern" - }, { "id": "metrics-*", "name": "acf88c63-16d1-4977-81d3-329c5ba5323b:indexpattern-datasource-layer-5f4dfc6b-7d19-4d5a-afcc-cbef3e2ea135", "type": "index-pattern" }, - { - "id": "metrics-*", - "name": "acf88c63-16d1-4977-81d3-329c5ba5323b:64edb2cf-ebb0-4d7f-9df2-7ceeebee5926", - "type": "index-pattern" - }, { "id": "metrics-*", "name": "bb0cc3a4-a83c-4c3c-8ba8-f9ec06ab47c3:indexpattern-datasource-layer-5d349ee5-8107-420a-99af-1006c84e1612", "type": "index-pattern" }, - { - "id": "metrics-*", - "name": "bb0cc3a4-a83c-4c3c-8ba8-f9ec06ab47c3:743a7676-8f6a-4589-9947-5caa4145781a", - "type": "index-pattern" - }, { "id": "metrics-*", "name": "6f276888-f190-46d0-afe8-d71451264e04:indexpattern-datasource-layer-f63e57b4-f975-47bb-93f8-22a36a171f6b", "type": "index-pattern" }, - { - "id": "metrics-*", - "name": "6f276888-f190-46d0-afe8-d71451264e04:c8f7b81a-884f-40df-917f-712a774c79de", - "type": "index-pattern" - }, { "id": "metrics-*", "name": "eab189e0-4663-4b79-a835-b12720a9034a:indexpattern-datasource-layer-f63e57b4-f975-47bb-93f8-22a36a171f6b", "type": "index-pattern" }, - { - "id": "metrics-*", - "name": "eab189e0-4663-4b79-a835-b12720a9034a:f5c6fcc1-f04f-49a7-94d9-a2efd0afc5fc", - "type": "index-pattern" - }, { "id": "metrics-*", "name": "8ac5e519-ad42-4c16-aa02-ef4d53bc58ab:indexpattern-datasource-layer-f63e57b4-f975-47bb-93f8-22a36a171f6b", "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "8ac5e519-ad42-4c16-aa02-ef4d53bc58ab:269b2f47-2c8b-4628-9da3-b6b9d8dbd9d7", - "type": "index-pattern" } ], - "type": "dashboard" + "type": "dashboard", + "typeMigrationVersion": "8.9.0" } \ No newline at end of file 
diff --git a/packages/vsphere/manifest.yml b/packages/vsphere/manifest.yml index c9bcf9b849f..cfc018ef2cd 100644 --- a/packages/vsphere/manifest.yml +++ b/packages/vsphere/manifest.yml @@ -1,7 +1,7 @@ title: VMware vSphere format_version: "3.0.2" name: vsphere -version: "1.11.1" +version: "1.12.0" description: This Elastic integration collects metrics and logs from vSphere/vCenter servers type: integration categories: diff --git a/packages/vsphere/validation.yml b/packages/vsphere/validation.yml deleted file mode 100644 index bcc8f74ac3a..00000000000 --- a/packages/vsphere/validation.yml +++ /dev/null @@ -1,3 +0,0 @@ -errors: - exclude_checks: - - SVR00002 diff --git a/packages/websphere_application_server/changelog.yml b/packages/websphere_application_server/changelog.yml index 26131b7df3d..d7c6fd979cb 100644 --- a/packages/websphere_application_server/changelog.yml +++ b/packages/websphere_application_server/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.4.0" + changes: + - description: Add global filter on data_stream.dataset to improve performance. + type: enhancement + link: https://github.com/elastic/integrations/pull/10075 - version: 1.3.0 changes: - description: Enable secrets for sensitive fields. For more details, refer https://www.elastic.co/guide/en/fleet/current/agent-policy.html#agent-policy-secret-values diff --git a/packages/websphere_application_server/kibana/dashboard/websphere_application_server-381af9f0-bae2-11ec-b244-51e5cddeab04.json b/packages/websphere_application_server/kibana/dashboard/websphere_application_server-381af9f0-bae2-11ec-b244-51e5cddeab04.json index 2d7534710b3..0b2d4e43075 100644 --- a/packages/websphere_application_server/kibana/dashboard/websphere_application_server-381af9f0-bae2-11ec-b244-51e5cddeab04.json +++ b/packages/websphere_application_server/kibana/dashboard/websphere_application_server-381af9f0-bae2-11ec-b244-51e5cddeab04.json 
@@ -1,993 +1,995 @@ { - "id": "websphere_application_server-381af9f0-bae2-11ec-b244-51e5cddeab04", - "type": "dashboard", - "namespaces": [ - "default" - ], - "updated_at": "2023-11-07T17:50:18.506Z", - "version": "WzQyMSwxXQ==", - "attributes": { - "controlGroupInput": { - "chainingSystem": "HIERARCHICAL", - "controlStyle": "oneLine", - "ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}", - "panelsJSON": "{\"1823c9ec-6346-4b88-9295-a75f2f74730d\":{\"order\":0,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"title\":\"ThreadPool Name\",\"fieldName\":\"websphere_application_server.threadpool.name\",\"id\":\"1823c9ec-6346-4b88-9295-a75f2f74730d\",\"enhancements\":{}}}}" - }, - "description": "ThreadPool dashboard for WebSphere Application Server Metrics.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [], - "query": { - "language": "kuery", - "query": "" - } - } - }, - "optionsJSON": { - "hidePanelTitles": false, - "syncColors": false, - "useMargins": true - }, - "panelsJSON": [ - { - "embeddableConfig": { - "enhancements": {}, - "attributes": { - "description": "", - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "5b4f04cc-fca5-4e2e-b12e-a08d6a89d693": { - "columnOrder": [ - "7a5b1405-0e12-4508-82c5-9ffa9ba35996", - "c4075f33-09c9-4c38-af7e-190f5b70398e", - "816bda95-3cd2-410e-b17c-8ba494196cf4" - ], - "columns": { - "7a5b1405-0e12-4508-82c5-9ffa9ba35996": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "includeEmptyRows": true, - "interval": "auto" - }, - "scale": "interval", - "sourceField": "@timestamp" - }, - "816bda95-3cd2-410e-b17c-8ba494196cf4": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "websphere_application_server.threadpool.threads.stopped.declared: *" - 
}, - "isBucketed": false, - "label": "Declared Stopped Threads", - "operationType": "last_value", - "params": { - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "websphere_application_server.threadpool.threads.stopped.declared" + "attributes": { + "controlGroupInput": { + "chainingSystem": "HIERARCHICAL", + "controlStyle": "oneLine", + "ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}", + "panelsJSON": "{\"1823c9ec-6346-4b88-9295-a75f2f74730d\":{\"order\":0,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"title\":\"ThreadPool Name\",\"fieldName\":\"websphere_application_server.threadpool.name\",\"id\":\"1823c9ec-6346-4b88-9295-a75f2f74730d\",\"enhancements\":{}}}}" + }, + "description": "ThreadPool dashboard for WebSphere Application Server Metrics.", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" }, - "c4075f33-09c9-4c38-af7e-190f5b70398e": { - "dataType": "string", - "isBucketed": true, - "label": "Top values of websphere_application_server.threadpool.name", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "columnId": "816bda95-3cd2-410e-b17c-8ba494196cf4", - "type": "column" + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "websphere_application_server.threadpool" }, - "orderDirection": "desc", - "otherBucket": false, - "parentFormat": { - "id": "terms" - }, - "size": 3 - }, - "scale": "ordinal", - "sourceField": "websphere_application_server.threadpool.name" + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "websphere_application_server.threadpool" + } } - }, - "incompleteColumns": {} } - } - } - }, - 
"filters": [], - "query": { - "language": "kuery", - "query": "websphere_application_server.threadpool.threads.stopped.declared : * " - }, - "visualization": { - "axisTitlesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "fittingFunction": "None", - "gridlinesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "labelsOrientation": { - "x": 0, - "yLeft": 0, - "yRight": 0 - }, - "layers": [ - { - "accessors": [ - "816bda95-3cd2-410e-b17c-8ba494196cf4" - ], - "layerId": "5b4f04cc-fca5-4e2e-b12e-a08d6a89d693", - "layerType": "data", - "position": "top", - "seriesType": "line", - "showGridlines": false, - "splitAccessor": "c4075f33-09c9-4c38-af7e-190f5b70398e", - "xAccessor": "7a5b1405-0e12-4508-82c5-9ffa9ba35996" - } ], - "legend": { - "isVisible": true, - "legendSize": "auto", - "position": "right" - }, - "preferredSeriesType": "line", - "tickLabelsVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "valueLabels": "hide", - "yLeftExtent": { - "mode": "full" - }, - "yRightExtent": { - "mode": "full" + "query": { + "language": "kuery", + "query": "" } - } - }, - "title": "Declared Stopped Threads [Metrics WebSphere Application Server]", - "visualizationType": "lnsXY", - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-5b4f04cc-fca5-4e2e-b12e-a08d6a89d693", - "type": "index-pattern" - } - ] - } + } }, - "gridData": { - "h": 10, - "i": "b007e627-23d4-4328-b064-3877c40ca3c3", - "w": 23, - "x": 0, - "y": 0 + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false, + "useMargins": true }, - "panelIndex": "b007e627-23d4-4328-b064-3877c40ca3c3", - "type": "lens", - "version": "8.3.0" - }, - { - "embeddableConfig": { - "enhancements": {}, - "attributes": { - "description": "", - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "407fa94b-9ce9-4ac2-9ca6-1c43dea9bbd0": { - "columnOrder": [ - 
"2f965609-8b37-4e4d-9e83-20ef0901e869", - "6bd7c586-e630-4880-adb8-d82a050bda0c", - "83043110-a317-4821-8372-79219d3eae1e" - ], - "columns": { - "2f965609-8b37-4e4d-9e83-20ef0901e869": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Server Address", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "columnId": "83043110-a317-4821-8372-79219d3eae1e", - "type": "column" + "panelsJSON": [ + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-5b4f04cc-fca5-4e2e-b12e-a08d6a89d693", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "formBased": { + "layers": { + "5b4f04cc-fca5-4e2e-b12e-a08d6a89d693": { + "columnOrder": [ + "7a5b1405-0e12-4508-82c5-9ffa9ba35996", + "c4075f33-09c9-4c38-af7e-190f5b70398e", + "816bda95-3cd2-410e-b17c-8ba494196cf4" + ], + "columns": { + "7a5b1405-0e12-4508-82c5-9ffa9ba35996": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "816bda95-3cd2-410e-b17c-8ba494196cf4": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "websphere_application_server.threadpool.threads.stopped.declared: *" + }, + "isBucketed": false, + "label": "Declared Stopped Threads", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "websphere_application_server.threadpool.threads.stopped.declared" + }, + "c4075f33-09c9-4c38-af7e-190f5b70398e": { + "dataType": "string", + "isBucketed": true, + "label": "Top values of websphere_application_server.threadpool.name", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": 
"816bda95-3cd2-410e-b17c-8ba494196cf4", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 3 + }, + "scale": "ordinal", + "sourceField": "websphere_application_server.threadpool.name" + } + }, + "incompleteColumns": {} + } + } + } }, - "orderDirection": "desc", - "otherBucket": false, - "parentFormat": { - "id": "terms" + "filters": [], + "query": { + "language": "kuery", + "query": "websphere_application_server.threadpool.threads.stopped.declared : * " }, - "size": 5 - }, - "scale": "ordinal", - "sourceField": "server.address" + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "816bda95-3cd2-410e-b17c-8ba494196cf4" + ], + "layerId": "5b4f04cc-fca5-4e2e-b12e-a08d6a89d693", + "layerType": "data", + "position": "top", + "seriesType": "line", + "showGridlines": false, + "splitAccessor": "c4075f33-09c9-4c38-af7e-190f5b70398e", + "xAccessor": "7a5b1405-0e12-4508-82c5-9ffa9ba35996" + } + ], + "legend": { + "isVisible": true, + "legendSize": "auto", + "position": "right" + }, + "preferredSeriesType": "line", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide", + "yLeftExtent": { + "mode": "full" + }, + "yRightExtent": { + "mode": "full" + } + } }, - "6bd7c586-e630-4880-adb8-d82a050bda0c": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "ThreadPool Name", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "columnId": "83043110-a317-4821-8372-79219d3eae1e", - "type": "column" + "title": "Declared Stopped Threads [Metrics WebSphere Application Server]", + "visualizationType": "lnsXY" + }, + 
"enhancements": {} + }, + "gridData": { + "h": 10, + "i": "b007e627-23d4-4328-b064-3877c40ca3c3", + "w": 23, + "x": 0, + "y": 0 + }, + "panelIndex": "b007e627-23d4-4328-b064-3877c40ca3c3", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-407fa94b-9ce9-4ac2-9ca6-1c43dea9bbd0", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "formBased": { + "layers": { + "407fa94b-9ce9-4ac2-9ca6-1c43dea9bbd0": { + "columnOrder": [ + "2f965609-8b37-4e4d-9e83-20ef0901e869", + "6bd7c586-e630-4880-adb8-d82a050bda0c", + "83043110-a317-4821-8372-79219d3eae1e" + ], + "columns": { + "2f965609-8b37-4e4d-9e83-20ef0901e869": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Server Address", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "83043110-a317-4821-8372-79219d3eae1e", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "server.address" + }, + "6bd7c586-e630-4880-adb8-d82a050bda0c": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "ThreadPool Name", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "83043110-a317-4821-8372-79219d3eae1e", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 3 + }, + "scale": "ordinal", + "sourceField": "websphere_application_server.threadpool.name" + }, + "83043110-a317-4821-8372-79219d3eae1e": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "websphere_application_server.threadpool.threads.total: *" + }, + "isBucketed": false, + "label": "Total Threads", + "operationType": "last_value", + "params": { + 
"sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "websphere_application_server.threadpool.threads.total" + } + }, + "incompleteColumns": {} + } + } + } }, - "orderDirection": "desc", - "otherBucket": false, - "parentFormat": { - "id": "terms" + "filters": [], + "query": { + "language": "kuery", + "query": "websphere_application_server.threadpool.threads.total : * " }, - "size": 3 - }, - "scale": "ordinal", - "sourceField": "websphere_application_server.threadpool.name" + "visualization": { + "columns": [ + { + "columnId": "2f965609-8b37-4e4d-9e83-20ef0901e869", + "isTransposed": false + }, + { + "columnId": "6bd7c586-e630-4880-adb8-d82a050bda0c", + "isTransposed": false + }, + { + "columnId": "83043110-a317-4821-8372-79219d3eae1e", + "isTransposed": false + } + ], + "layerId": "407fa94b-9ce9-4ac2-9ca6-1c43dea9bbd0", + "layerType": "data", + "rowHeight": "single", + "rowHeightLines": 1, + "sorting": { + "columnId": "83043110-a317-4821-8372-79219d3eae1e", + "direction": "desc" + } + } }, - "83043110-a317-4821-8372-79219d3eae1e": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "websphere_application_server.threadpool.threads.total: *" - }, - "isBucketed": false, - "label": "Total Threads", - "operationType": "last_value", - "params": { - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "websphere_application_server.threadpool.threads.total" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "websphere_application_server.threadpool.threads.total : * " - }, - "visualization": { - "columns": [ - { - "columnId": "2f965609-8b37-4e4d-9e83-20ef0901e869", - "isTransposed": false - }, - { - "columnId": "6bd7c586-e630-4880-adb8-d82a050bda0c", - "isTransposed": false - }, - { - "columnId": "83043110-a317-4821-8372-79219d3eae1e", - "isTransposed": false - } - ], - "layerId": "407fa94b-9ce9-4ac2-9ca6-1c43dea9bbd0", - "layerType": 
"data", - "rowHeight": "single", - "rowHeightLines": 1, - "sorting": { - "columnId": "83043110-a317-4821-8372-79219d3eae1e", - "direction": "desc" - } - } + "title": "Total Threads in Thread Pool [Metrics WebSphere Application Server]", + "visualizationType": "lnsDatatable" + }, + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "d7e182d4-6f2b-4e48-9985-4bfd9d792d0c", + "w": 25, + "x": 23, + "y": 0 + }, + "panelIndex": "d7e182d4-6f2b-4e48-9985-4bfd9d792d0c", + "type": "lens" }, - "title": "Total Threads in Thread Pool [Metrics WebSphere Application Server]", - "visualizationType": "lnsDatatable", - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-407fa94b-9ce9-4ac2-9ca6-1c43dea9bbd0", - "type": "index-pattern" - } - ] - } - }, - "gridData": { - "h": 15, - "i": "d7e182d4-6f2b-4e48-9985-4bfd9d792d0c", - "w": 25, - "x": 23, - "y": 0 - }, - "panelIndex": "d7e182d4-6f2b-4e48-9985-4bfd9d792d0c", - "type": "lens", - "version": "8.3.0" - }, - { - "embeddableConfig": { - "enhancements": {}, - "attributes": { - "description": "", - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "8d78bbff-634f-4aff-9c25-d3f211b564eb": { - "columnOrder": [ - "665bf1e7-c3ab-45f6-acf3-05ed8ac3001d", - "55c60233-3c4c-4db2-b414-dc40ada3b503", - "1b4e544c-2c46-4a4c-bff2-5f16ff6d9270" - ], - "columns": { - "1b4e544c-2c46-4a4c-bff2-5f16ff6d9270": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "websphere_application_server.threadpool.threads.total: *" - }, - "isBucketed": false, - "label": "Total Threads", - "operationType": "last_value", - "params": { - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "websphere_application_server.threadpool.threads.total" - }, - "55c60233-3c4c-4db2-b414-dc40ada3b503": { - "dataType": "string", - "isBucketed": true, - "label": "Top values of websphere_application_server.threadpool.name", - "operationType": "terms", - "params": { - 
"missingBucket": false, - "orderBy": { - "columnId": "1b4e544c-2c46-4a4c-bff2-5f16ff6d9270", - "type": "column" + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-8d78bbff-634f-4aff-9c25-d3f211b564eb", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "formBased": { + "layers": { + "8d78bbff-634f-4aff-9c25-d3f211b564eb": { + "columnOrder": [ + "665bf1e7-c3ab-45f6-acf3-05ed8ac3001d", + "55c60233-3c4c-4db2-b414-dc40ada3b503", + "1b4e544c-2c46-4a4c-bff2-5f16ff6d9270" + ], + "columns": { + "1b4e544c-2c46-4a4c-bff2-5f16ff6d9270": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "websphere_application_server.threadpool.threads.total: *" + }, + "isBucketed": false, + "label": "Total Threads", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "websphere_application_server.threadpool.threads.total" + }, + "55c60233-3c4c-4db2-b414-dc40ada3b503": { + "dataType": "string", + "isBucketed": true, + "label": "Top values of websphere_application_server.threadpool.name", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "1b4e544c-2c46-4a4c-bff2-5f16ff6d9270", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 3 + }, + "scale": "ordinal", + "sourceField": "websphere_application_server.threadpool.name" + }, + "665bf1e7-c3ab-45f6-acf3-05ed8ac3001d": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + } + }, + "incompleteColumns": {} + } + } + } }, - "orderDirection": "desc", - "otherBucket": false, - "parentFormat": { - "id": "terms" + "filters": [], + 
"query": { + "language": "kuery", + "query": "websphere_application_server.threadpool.threads.total : * " }, - "size": 3 - }, - "scale": "ordinal", - "sourceField": "websphere_application_server.threadpool.name" + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "1b4e544c-2c46-4a4c-bff2-5f16ff6d9270" + ], + "layerId": "8d78bbff-634f-4aff-9c25-d3f211b564eb", + "layerType": "data", + "position": "top", + "seriesType": "line", + "showGridlines": false, + "splitAccessor": "55c60233-3c4c-4db2-b414-dc40ada3b503", + "xAccessor": "665bf1e7-c3ab-45f6-acf3-05ed8ac3001d" + } + ], + "legend": { + "isVisible": true, + "legendSize": "auto", + "position": "right" + }, + "preferredSeriesType": "line", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide", + "yLeftExtent": { + "mode": "full" + }, + "yRightExtent": { + "mode": "full" + } + } }, - "665bf1e7-c3ab-45f6-acf3-05ed8ac3001d": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "includeEmptyRows": true, - "interval": "auto" - }, - "scale": "interval", - "sourceField": "@timestamp" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "websphere_application_server.threadpool.threads.total : * " - }, - "visualization": { - "axisTitlesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "fittingFunction": "None", - "gridlinesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "labelsOrientation": { - "x": 0, - "yLeft": 0, - "yRight": 0 - }, - "layers": [ - { - "accessors": [ - "1b4e544c-2c46-4a4c-bff2-5f16ff6d9270" - 
], - "layerId": "8d78bbff-634f-4aff-9c25-d3f211b564eb", - "layerType": "data", - "position": "top", - "seriesType": "line", - "showGridlines": false, - "splitAccessor": "55c60233-3c4c-4db2-b414-dc40ada3b503", - "xAccessor": "665bf1e7-c3ab-45f6-acf3-05ed8ac3001d" - } - ], - "legend": { - "isVisible": true, - "legendSize": "auto", - "position": "right" + "title": "Total Threads[Metrics WebSphere Application Server]", + "visualizationType": "lnsXY" + }, + "enhancements": {} }, - "preferredSeriesType": "line", - "tickLabelsVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true + "gridData": { + "h": 12, + "i": "f087d207-2453-4b0e-a31f-43ee8d5528c4", + "w": 23, + "x": 0, + "y": 10 }, - "valueLabels": "hide", - "yLeftExtent": { - "mode": "full" - }, - "yRightExtent": { - "mode": "full" - } - } + "panelIndex": "f087d207-2453-4b0e-a31f-43ee8d5528c4", + "type": "lens" }, - "title": "Total Threads[Metrics WebSphere Application Server]", - "visualizationType": "lnsXY", - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-8d78bbff-634f-4aff-9c25-d3f211b564eb", - "type": "index-pattern" - } - ] - } - }, - "gridData": { - "h": 12, - "i": "f087d207-2453-4b0e-a31f-43ee8d5528c4", - "w": 23, - "x": 0, - "y": 10 - }, - "panelIndex": "f087d207-2453-4b0e-a31f-43ee8d5528c4", - "type": "lens", - "version": "8.3.0" - }, - { - "embeddableConfig": { - "enhancements": {}, - "attributes": { - "description": "", - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "1decd051-dbf6-4a80-aa20-85278fedc2d4": { - "columnOrder": [ - "33936c70-d53c-4ccd-ba8d-f833c3b9dc3e", - "cce82f91-3637-4406-8633-bcd5bfe8a984", - "2b1baf93-2b7f-430d-9048-f11cb2bfb65e" - ], - "columns": { - "2b1baf93-2b7f-430d-9048-f11cb2bfb65e": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "websphere_application_server.threadpool.threads.active: *" - }, - "isBucketed": false, - "label": "Active Threads", - 
"operationType": "last_value", - "params": { - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "websphere_application_server.threadpool.threads.active" - }, - "33936c70-d53c-4ccd-ba8d-f833c3b9dc3e": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "includeEmptyRows": true, - "interval": "auto" - }, - "scale": "interval", - "sourceField": "@timestamp" - }, - "cce82f91-3637-4406-8633-bcd5bfe8a984": { - "dataType": "string", - "isBucketed": true, - "label": "Top values of websphere_application_server.threadpool.name", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "columnId": "2b1baf93-2b7f-430d-9048-f11cb2bfb65e", - "type": "column" + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-1decd051-dbf6-4a80-aa20-85278fedc2d4", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "formBased": { + "layers": { + "1decd051-dbf6-4a80-aa20-85278fedc2d4": { + "columnOrder": [ + "33936c70-d53c-4ccd-ba8d-f833c3b9dc3e", + "cce82f91-3637-4406-8633-bcd5bfe8a984", + "2b1baf93-2b7f-430d-9048-f11cb2bfb65e" + ], + "columns": { + "2b1baf93-2b7f-430d-9048-f11cb2bfb65e": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "websphere_application_server.threadpool.threads.active: *" + }, + "isBucketed": false, + "label": "Active Threads", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "websphere_application_server.threadpool.threads.active" + }, + "33936c70-d53c-4ccd-ba8d-f833c3b9dc3e": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + 
"cce82f91-3637-4406-8633-bcd5bfe8a984": { + "dataType": "string", + "isBucketed": true, + "label": "Top values of websphere_application_server.threadpool.name", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "2b1baf93-2b7f-430d-9048-f11cb2bfb65e", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 3 + }, + "scale": "ordinal", + "sourceField": "websphere_application_server.threadpool.name" + } + }, + "incompleteColumns": {} + } + } + } }, - "orderDirection": "desc", - "otherBucket": false, - "parentFormat": { - "id": "terms" + "filters": [], + "query": { + "language": "kuery", + "query": "websphere_application_server.threadpool.threads.active : * " }, - "size": 3 - }, - "scale": "ordinal", - "sourceField": "websphere_application_server.threadpool.name" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "websphere_application_server.threadpool.threads.active : * " - }, - "visualization": { - "axisTitlesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "fittingFunction": "None", - "gridlinesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "labelsOrientation": { - "x": 0, - "yLeft": 0, - "yRight": 0 - }, - "layers": [ - { - "accessors": [ - "2b1baf93-2b7f-430d-9048-f11cb2bfb65e" - ], - "layerId": "1decd051-dbf6-4a80-aa20-85278fedc2d4", - "layerType": "data", - "position": "top", - "seriesType": "line", - "showGridlines": false, - "splitAccessor": "cce82f91-3637-4406-8633-bcd5bfe8a984", - "xAccessor": "33936c70-d53c-4ccd-ba8d-f833c3b9dc3e" - } - ], - "legend": { - "isVisible": true, - "legendSize": "auto", - "position": "right" - }, - "preferredSeriesType": "line", - "tickLabelsVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": 
true, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "2b1baf93-2b7f-430d-9048-f11cb2bfb65e" + ], + "layerId": "1decd051-dbf6-4a80-aa20-85278fedc2d4", + "layerType": "data", + "position": "top", + "seriesType": "line", + "showGridlines": false, + "splitAccessor": "cce82f91-3637-4406-8633-bcd5bfe8a984", + "xAccessor": "33936c70-d53c-4ccd-ba8d-f833c3b9dc3e" + } + ], + "legend": { + "isVisible": true, + "legendSize": "auto", + "position": "right" + }, + "preferredSeriesType": "line", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide", + "yLeftExtent": { + "mode": "full" + }, + "yRightExtent": { + "mode": "full" + } + } + }, + "title": "Active Threads [Metrics WebSphere Application Server]", + "visualizationType": "lnsXY" + }, + "enhancements": {} }, - "valueLabels": "hide", - "yLeftExtent": { - "mode": "full" + "gridData": { + "h": 12, + "i": "9a2671f2-1ebb-4cdf-ad80-6aae92c17bb0", + "w": 25, + "x": 23, + "y": 15 }, - "yRightExtent": { - "mode": "full" - } - } + "panelIndex": "9a2671f2-1ebb-4cdf-ad80-6aae92c17bb0", + "type": "lens" }, - "title": "Active Threads [Metrics WebSphere Application Server]", - "visualizationType": "lnsXY", - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-1decd051-dbf6-4a80-aa20-85278fedc2d4", - "type": "index-pattern" - } - ] - } - }, - "gridData": { - "h": 12, - "i": "9a2671f2-1ebb-4cdf-ad80-6aae92c17bb0", - "w": 25, - "x": 23, - "y": 15 - }, - "panelIndex": "9a2671f2-1ebb-4cdf-ad80-6aae92c17bb0", - "type": "lens", - "version": "8.3.0" - }, - { - "embeddableConfig": { - "attributes": { - "description": "", - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "5c2223d3-b3ba-45a2-848f-2a5e4ab9264c": { - "columnOrder": [ - 
"ea4d6628-e862-4e42-a8f3-59572a45894e", - "c4d4248d-67c1-454c-bea0-cfc45f7d43f9", - "4c4a2a46-6244-4e6b-8926-c1c60b6b9df4", - "b093e53a-a7e7-4b74-af63-b3da68cf3989" - ], - "columns": { - "4c4a2a46-6244-4e6b-8926-c1c60b6b9df4": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "websphere_application_server.threadpool.total.created: *" - }, - "isBucketed": false, - "label": "Threads Created", - "operationType": "last_value", - "params": { - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "websphere_application_server.threadpool.total.created" - }, - "b093e53a-a7e7-4b74-af63-b3da68cf3989": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "websphere_application_server.threadpool.total.destroyed: *" - }, - "isBucketed": false, - "label": "Threads Destroyed", - "operationType": "last_value", - "params": { - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "websphere_application_server.threadpool.total.destroyed" - }, - "c4d4248d-67c1-454c-bea0-cfc45f7d43f9": { - "dataType": "string", - "isBucketed": true, - "label": "Top values of websphere_application_server.threadpool.name", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "columnId": "4c4a2a46-6244-4e6b-8926-c1c60b6b9df4", - "type": "column" + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-5c2223d3-b3ba-45a2-848f-2a5e4ab9264c", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "formBased": { + "layers": { + "5c2223d3-b3ba-45a2-848f-2a5e4ab9264c": { + "columnOrder": [ + "ea4d6628-e862-4e42-a8f3-59572a45894e", + "c4d4248d-67c1-454c-bea0-cfc45f7d43f9", + "4c4a2a46-6244-4e6b-8926-c1c60b6b9df4", + "b093e53a-a7e7-4b74-af63-b3da68cf3989" + ], + "columns": { + "4c4a2a46-6244-4e6b-8926-c1c60b6b9df4": { + "customLabel": true, + 
"dataType": "number", + "filter": { + "language": "kuery", + "query": "websphere_application_server.threadpool.total.created: *" + }, + "isBucketed": false, + "label": "Threads Created", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "websphere_application_server.threadpool.total.created" + }, + "b093e53a-a7e7-4b74-af63-b3da68cf3989": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "websphere_application_server.threadpool.total.destroyed: *" + }, + "isBucketed": false, + "label": "Threads Destroyed", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "websphere_application_server.threadpool.total.destroyed" + }, + "c4d4248d-67c1-454c-bea0-cfc45f7d43f9": { + "dataType": "string", + "isBucketed": true, + "label": "Top values of websphere_application_server.threadpool.name", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "4c4a2a46-6244-4e6b-8926-c1c60b6b9df4", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 3 + }, + "scale": "ordinal", + "sourceField": "websphere_application_server.threadpool.name" + }, + "ea4d6628-e862-4e42-a8f3-59572a45894e": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + } + }, + "incompleteColumns": {} + } + } + } }, - "orderDirection": "desc", - "otherBucket": false, - "parentFormat": { - "id": "terms" + "filters": [], + "query": { + "language": "kuery", + "query": "websphere_application_server.threadpool.total.created : * or websphere_application_server.threadpool.total.destroyed : * " }, - "size": 3 - }, - "scale": "ordinal", - "sourceField": 
"websphere_application_server.threadpool.name" + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "4c4a2a46-6244-4e6b-8926-c1c60b6b9df4", + "b093e53a-a7e7-4b74-af63-b3da68cf3989" + ], + "layerId": "5c2223d3-b3ba-45a2-848f-2a5e4ab9264c", + "layerType": "data", + "position": "top", + "seriesType": "area", + "showGridlines": false, + "splitAccessor": "c4d4248d-67c1-454c-bea0-cfc45f7d43f9", + "xAccessor": "ea4d6628-e862-4e42-a8f3-59572a45894e" + } + ], + "legend": { + "isVisible": true, + "legendSize": "auto", + "position": "right" + }, + "preferredSeriesType": "area", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide", + "yLeftExtent": { + "mode": "full" + }, + "yRightExtent": { + "mode": "full" + }, + "yTitle": "Thread Count" + } }, - "ea4d6628-e862-4e42-a8f3-59572a45894e": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "includeEmptyRows": true, - "interval": "auto" - }, - "scale": "interval", - "sourceField": "@timestamp" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "websphere_application_server.threadpool.total.created : * or websphere_application_server.threadpool.total.destroyed : * " - }, - "visualization": { - "axisTitlesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true + "title": "Number of Threads Created and Destroyed [Metrics WebSphere Application Server]", + "visualizationType": "lnsXY" + }, + "enhancements": {} }, - "fittingFunction": "None", - "gridlinesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true + "gridData": { + "h": 17, + "i": 
"30eb3e90-77bb-49f4-bb1f-0f06835a2d99", + "w": 23, + "x": 0, + "y": 22 }, - "labelsOrientation": { - "x": 0, - "yLeft": 0, - "yRight": 0 - }, - "layers": [ - { - "accessors": [ - "4c4a2a46-6244-4e6b-8926-c1c60b6b9df4", - "b093e53a-a7e7-4b74-af63-b3da68cf3989" - ], - "layerId": "5c2223d3-b3ba-45a2-848f-2a5e4ab9264c", - "layerType": "data", - "position": "top", - "seriesType": "area", - "showGridlines": false, - "splitAccessor": "c4d4248d-67c1-454c-bea0-cfc45f7d43f9", - "xAccessor": "ea4d6628-e862-4e42-a8f3-59572a45894e" - } - ], - "legend": { - "isVisible": true, - "legendSize": "auto", - "position": "right" - }, - "preferredSeriesType": "area", - "tickLabelsVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "valueLabels": "hide", - "yLeftExtent": { - "mode": "full" - }, - "yRightExtent": { - "mode": "full" - }, - "yTitle": "Thread Count" - } + "panelIndex": "30eb3e90-77bb-49f4-bb1f-0f06835a2d99", + "type": "lens" }, - "title": "Number of Threads Created and Destroyed [Metrics WebSphere Application Server]", - "visualizationType": "lnsXY", - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-5c2223d3-b3ba-45a2-848f-2a5e4ab9264c", - "type": "index-pattern" - } - ] - }, - "enhancements": {} - }, - "gridData": { - "h": 17, - "i": "30eb3e90-77bb-49f4-bb1f-0f06835a2d99", - "w": 23, - "x": 0, - "y": 22 - }, - "panelIndex": "30eb3e90-77bb-49f4-bb1f-0f06835a2d99", - "type": "lens", - "version": "8.3.0" - }, - { - "embeddableConfig": { - "enhancements": {}, - "attributes": { - "description": "", - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "c135b7c4-fd05-4a15-84d3-a959e24b077b": { - "columnOrder": [ - "a9009677-9999-4611-8f21-9a19fe50cda2", - "00acd61f-00ee-4c2b-a46d-6e6ee9b09ecd", - "91f4b685-d7b8-469f-b496-143f0f130cfe" - ], - "columns": { - "00acd61f-00ee-4c2b-a46d-6e6ee9b09ecd": { - "dataType": "string", - "isBucketed": true, - "label": "Top values of 
websphere_application_server.threadpool.name", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "columnId": "91f4b685-d7b8-469f-b496-143f0f130cfe", - "type": "column" + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-c135b7c4-fd05-4a15-84d3-a959e24b077b", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "formBased": { + "layers": { + "c135b7c4-fd05-4a15-84d3-a959e24b077b": { + "columnOrder": [ + "a9009677-9999-4611-8f21-9a19fe50cda2", + "00acd61f-00ee-4c2b-a46d-6e6ee9b09ecd", + "91f4b685-d7b8-469f-b496-143f0f130cfe" + ], + "columns": { + "00acd61f-00ee-4c2b-a46d-6e6ee9b09ecd": { + "dataType": "string", + "isBucketed": true, + "label": "Top values of websphere_application_server.threadpool.name", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "91f4b685-d7b8-469f-b496-143f0f130cfe", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 3 + }, + "scale": "ordinal", + "sourceField": "websphere_application_server.threadpool.name" + }, + "91f4b685-d7b8-469f-b496-143f0f130cfe": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "websphere_application_server.threadpool.threads.cleared: *" + }, + "isBucketed": false, + "label": "Cleared Threads", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "websphere_application_server.threadpool.threads.cleared" + }, + "a9009677-9999-4611-8f21-9a19fe50cda2": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + } + }, + "incompleteColumns": {} + } + } + } }, - 
"orderDirection": "desc", - "otherBucket": false, - "parentFormat": { - "id": "terms" + "filters": [], + "query": { + "language": "kuery", + "query": "websphere_application_server.threadpool.threads.cleared : * " }, - "size": 3 - }, - "scale": "ordinal", - "sourceField": "websphere_application_server.threadpool.name" - }, - "91f4b685-d7b8-469f-b496-143f0f130cfe": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "websphere_application_server.threadpool.threads.cleared: *" - }, - "isBucketed": false, - "label": "Cleared Threads", - "operationType": "last_value", - "params": { - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "websphere_application_server.threadpool.threads.cleared" + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "91f4b685-d7b8-469f-b496-143f0f130cfe" + ], + "layerId": "c135b7c4-fd05-4a15-84d3-a959e24b077b", + "layerType": "data", + "position": "top", + "seriesType": "line", + "showGridlines": false, + "splitAccessor": "00acd61f-00ee-4c2b-a46d-6e6ee9b09ecd", + "xAccessor": "a9009677-9999-4611-8f21-9a19fe50cda2" + } + ], + "legend": { + "isVisible": true, + "legendSize": "auto", + "position": "right" + }, + "preferredSeriesType": "line", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide", + "yLeftExtent": { + "mode": "full" + }, + "yRightExtent": { + "mode": "full" + } + } }, - "a9009677-9999-4611-8f21-9a19fe50cda2": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "includeEmptyRows": true, - "interval": "auto" - }, - "scale": "interval", - "sourceField": "@timestamp" - } - 
}, - "incompleteColumns": {} - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "websphere_application_server.threadpool.threads.cleared : * " - }, - "visualization": { - "axisTitlesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true + "title": "Number of Cleared Threads [Metrics WebSphere Application Server]", + "visualizationType": "lnsXY" + }, + "enhancements": {} }, - "fittingFunction": "None", - "gridlinesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true + "gridData": { + "h": 12, + "i": "52f44709-7bc3-4886-8a11-75e785a3816f", + "w": 25, + "x": 23, + "y": 27 }, - "labelsOrientation": { - "x": 0, - "yLeft": 0, - "yRight": 0 - }, - "layers": [ - { - "accessors": [ - "91f4b685-d7b8-469f-b496-143f0f130cfe" - ], - "layerId": "c135b7c4-fd05-4a15-84d3-a959e24b077b", - "layerType": "data", - "position": "top", - "seriesType": "line", - "showGridlines": false, - "splitAccessor": "00acd61f-00ee-4c2b-a46d-6e6ee9b09ecd", - "xAccessor": "a9009677-9999-4611-8f21-9a19fe50cda2" - } - ], - "legend": { - "isVisible": true, - "legendSize": "auto", - "position": "right" - }, - "preferredSeriesType": "line", - "tickLabelsVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "valueLabels": "hide", - "yLeftExtent": { - "mode": "full" - }, - "yRightExtent": { - "mode": "full" - } - } - }, - "title": "Number of Cleared Threads [Metrics WebSphere Application Server]", - "visualizationType": "lnsXY", - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-c135b7c4-fd05-4a15-84d3-a959e24b077b", - "type": "index-pattern" - } - ] - } + "panelIndex": "52f44709-7bc3-4886-8a11-75e785a3816f", + "type": "lens" + } + ], + "timeRestore": false, + "title": "[Metrics WebSphere Application Server] ThreadPool", + "version": 1 + }, + "coreMigrationVersion": "8.8.0", + "created_at": "2024-04-22T09:43:18.490Z", + "id": "websphere_application_server-381af9f0-bae2-11ec-b244-51e5cddeab04", 
+ "managed": false, + "references": [ + { + "id": "metrics-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "b007e627-23d4-4328-b064-3877c40ca3c3:indexpattern-datasource-layer-5b4f04cc-fca5-4e2e-b12e-a08d6a89d693", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "d7e182d4-6f2b-4e48-9985-4bfd9d792d0c:indexpattern-datasource-layer-407fa94b-9ce9-4ac2-9ca6-1c43dea9bbd0", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "f087d207-2453-4b0e-a31f-43ee8d5528c4:indexpattern-datasource-layer-8d78bbff-634f-4aff-9c25-d3f211b564eb", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "9a2671f2-1ebb-4cdf-ad80-6aae92c17bb0:indexpattern-datasource-layer-1decd051-dbf6-4a80-aa20-85278fedc2d4", + "type": "index-pattern" }, - "gridData": { - "h": 12, - "i": "52f44709-7bc3-4886-8a11-75e785a3816f", - "w": 25, - "x": 23, - "y": 27 + { + "id": "metrics-*", + "name": "30eb3e90-77bb-49f4-bb1f-0f06835a2d99:indexpattern-datasource-layer-5c2223d3-b3ba-45a2-848f-2a5e4ab9264c", + "type": "index-pattern" }, - "panelIndex": "52f44709-7bc3-4886-8a11-75e785a3816f", - "type": "lens", - "version": "8.3.0" - } + { + "id": "metrics-*", + "name": "52f44709-7bc3-4886-8a11-75e785a3816f:indexpattern-datasource-layer-c135b7c4-fd05-4a15-84d3-a959e24b077b", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "controlGroup_1823c9ec-6346-4b88-9295-a75f2f74730d:optionsListDataView", + "type": "index-pattern" + } ], - "refreshInterval": { - "pause": true, - "value": 0 - }, - "timeFrom": "now-15m", - "timeRestore": true, - "timeTo": "now", - "title": "[Metrics WebSphere Application Server] ThreadPool", - "version": 1 - }, - "references": [ - { - "id": "metrics-*", - "name": "30eb3e90-77bb-49f4-bb1f-0f06835a2d99:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": 
"30eb3e90-77bb-49f4-bb1f-0f06835a2d99:indexpattern-datasource-layer-5c2223d3-b3ba-45a2-848f-2a5e4ab9264c", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "controlGroup_1823c9ec-6346-4b88-9295-a75f2f74730d:optionsListDataView", - "type": "index-pattern" - }, - { - "type": "index-pattern", - "name": "b007e627-23d4-4328-b064-3877c40ca3c3:indexpattern-datasource-layer-5b4f04cc-fca5-4e2e-b12e-a08d6a89d693", - "id": "metrics-*" - }, - { - "type": "index-pattern", - "name": "d7e182d4-6f2b-4e48-9985-4bfd9d792d0c:indexpattern-datasource-layer-407fa94b-9ce9-4ac2-9ca6-1c43dea9bbd0", - "id": "metrics-*" - }, - { - "type": "index-pattern", - "name": "f087d207-2453-4b0e-a31f-43ee8d5528c4:indexpattern-datasource-layer-8d78bbff-634f-4aff-9c25-d3f211b564eb", - "id": "metrics-*" - }, - { - "type": "index-pattern", - "name": "9a2671f2-1ebb-4cdf-ad80-6aae92c17bb0:indexpattern-datasource-layer-1decd051-dbf6-4a80-aa20-85278fedc2d4", - "id": "metrics-*" - }, - { - "type": "index-pattern", - "name": "30eb3e90-77bb-49f4-bb1f-0f06835a2d99:indexpattern-datasource-layer-5c2223d3-b3ba-45a2-848f-2a5e4ab9264c", - "id": "metrics-*" - }, - { - "type": "index-pattern", - "name": "52f44709-7bc3-4886-8a11-75e785a3816f:indexpattern-datasource-layer-c135b7c4-fd05-4a15-84d3-a959e24b077b", - "id": "metrics-*" - } - ], - "migrationVersion": { - "dashboard": "8.3.0" - }, - "coreMigrationVersion": "8.3.0" + "type": "dashboard", + "typeMigrationVersion": "8.9.0" } \ No newline at end of file diff --git a/packages/websphere_application_server/kibana/dashboard/websphere_application_server-5d9b0860-b582-11ec-89b4-c91c947c1fb3.json b/packages/websphere_application_server/kibana/dashboard/websphere_application_server-5d9b0860-b582-11ec-89b4-c91c947c1fb3.json index 95d2271a6f5..8f3f1d7c4ce 100644 --- a/packages/websphere_application_server/kibana/dashboard/websphere_application_server-5d9b0860-b582-11ec-89b4-c91c947c1fb3.json 
+++ b/packages/websphere_application_server/kibana/dashboard/websphere_application_server-5d9b0860-b582-11ec-89b4-c91c947c1fb3.json 
@@ -1,724 +1,738 @@ { - "id": "websphere_application_server-5d9b0860-b582-11ec-89b4-c91c947c1fb3", - "type": "dashboard", - "namespaces": [ - "default" - ], - "updated_at": "2023-11-07T17:50:18.506Z", - "version": "WzQyMiwxXQ==", - "attributes": { - "controlGroupInput": { - "chainingSystem": "HIERARCHICAL", - "controlStyle": "oneLine", - "ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}", - "panelsJSON": "{\"9fb4cabe-4f7e-49e8-8afe-43acde518929\":{\"order\":0,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"websphere_application_server.jdbc.data_source\",\"title\":\"Data Source\",\"id\":\"9fb4cabe-4f7e-49e8-8afe-43acde518929\",\"enhancements\":{}}}}" - }, - "description": "JDBC dashboard for WebSphere Application Server Metrics.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [], - "query": { - "language": "kuery", - "query": "" - } - } - }, - "optionsJSON": { - "hidePanelTitles": false, - "syncColors": false, - "useMargins": true - }, - "panelsJSON": [ - { - "embeddableConfig": { - "enhancements": {}, - "attributes": { - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "5cb0751e-cee8-41d7-a221-1c89264c3c7e": { - "columnOrder": [ - "acf862f8-f0e1-482c-a70d-1599b559ba14", - "005f5de3-8a9a-4e48-8f85-293f2a8b283a", - "9915f27a-f0d1-4aa3-ac79-eff63ea4b7a9" - ], - "columns": { - "005f5de3-8a9a-4e48-8f85-293f2a8b283a": { - "dataType": "string", - "isBucketed": true, - "label": "Top values of websphere_application_server.jdbc.data_source", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "columnId": "9915f27a-f0d1-4aa3-ac79-eff63ea4b7a9", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": false, - "parentFormat": { - "id": "terms" - }, - "size": 3 - }, - "scale": "ordinal", - "sourceField": 
"websphere_application_server.jdbc.data_source" + "attributes": { + "controlGroupInput": { + "chainingSystem": "HIERARCHICAL", + "controlStyle": "oneLine", + "ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}", + "panelsJSON": "{\"9fb4cabe-4f7e-49e8-8afe-43acde518929\":{\"order\":0,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"websphere_application_server.jdbc.data_source\",\"title\":\"Data Source\",\"id\":\"9fb4cabe-4f7e-49e8-8afe-43acde518929\",\"enhancements\":{}}}}" + }, + "description": "JDBC dashboard for WebSphere Application Server Metrics.", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" }, - "9915f27a-f0d1-4aa3-ac79-eff63ea4b7a9": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "websphere_application_server.jdbc.connection.total.operations_calls: *" - }, - "isBucketed": false, - "label": "Total operations calls", - "operationType": "last_value", - "params": { - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "websphere_application_server.jdbc.connection.total.operations_calls" + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "websphere_application_server.jdbc" + }, + "type": "phrase" }, - "acf862f8-f0e1-482c-a70d-1599b559ba14": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "includeEmptyRows": true, - "interval": "auto" - }, - "scale": "interval", - "sourceField": "@timestamp" + "query": { + "match_phrase": { + "data_stream.dataset": "websphere_application_server.jdbc" + } } - }, - "incompleteColumns": {} } - } - } - }, - 
"filters": [], - "query": { - "language": "kuery", - "query": "websphere_application_server.jdbc.connection.total.operations_calls > 0" - }, - "visualization": { - "axisTitlesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "fittingFunction": "None", - "gridlinesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "labelsOrientation": { - "x": 0, - "yLeft": 0, - "yRight": 0 - }, - "layers": [ - { - "accessors": [ - "9915f27a-f0d1-4aa3-ac79-eff63ea4b7a9" - ], - "layerId": "5cb0751e-cee8-41d7-a221-1c89264c3c7e", - "layerType": "data", - "position": "top", - "seriesType": "line", - "showGridlines": false, - "splitAccessor": "005f5de3-8a9a-4e48-8f85-293f2a8b283a", - "xAccessor": "acf862f8-f0e1-482c-a70d-1599b559ba14" - } ], - "legend": { - "isVisible": true, - "legendSize": "auto", - "position": "right" - }, - "preferredSeriesType": "line", - "tickLabelsVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "valueLabels": "hide", - "yLeftExtent": { - "mode": "full" - }, - "yRightExtent": { - "mode": "full" + "query": { + "language": "kuery", + "query": "" } - } - }, - "title": "Number of Operation Calls [Metrics WebSphere Application Server]", - "visualizationType": "lnsXY", - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-5cb0751e-cee8-41d7-a221-1c89264c3c7e", - "type": "index-pattern" - } - ] - } + } }, - "gridData": { - "h": 12, - "i": "afecf39d-0a9d-4d47-9ad4-c85a8e0efc99", - "w": 22, - "x": 0, - "y": 0 + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false, + "useMargins": true }, - "panelIndex": "afecf39d-0a9d-4d47-9ad4-c85a8e0efc99", - "type": "lens", - "version": "8.3.0" - }, - { - "embeddableConfig": { - "enhancements": {}, - "attributes": { - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "6a787cb2-6500-4f46-bcc0-56ba379b2ec1": { - "columnOrder": [ - 
"6e346b5c-b6b3-4e66-ad29-3621b6165b6c", - "9c631c61-9a76-4650-90fe-b481257c028e", - "25cdb2ff-2d42-4703-9419-2375ef16c439", - "00acb34f-ae34-439a-9cb7-45a09bb69e15", - "03351030-51ad-4c19-9e9e-9a550b2e23e4", - "e7bed513-0fe1-460d-affc-4186777ff41a" - ], - "columns": { - "00acb34f-ae34-439a-9cb7-45a09bb69e15": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "websphere_application_server.jdbc.connection.closed: *" - }, - "isBucketed": false, - "label": "Closed Connections", - "operationType": "last_value", - "params": { - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "websphere_application_server.jdbc.connection.closed" - }, - "03351030-51ad-4c19-9e9e-9a550b2e23e4": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "websphere_application_server.jdbc.connection.allocated: *" - }, - "isBucketed": false, - "label": "Allocated Connections", - "operationType": "last_value", - "params": { - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "websphere_application_server.jdbc.connection.allocated" - }, - "25cdb2ff-2d42-4703-9419-2375ef16c439": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "websphere_application_server.jdbc.connection.created: *" - }, - "isBucketed": false, - "label": "Created Connections", - "operationType": "last_value", - "params": { - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "websphere_application_server.jdbc.connection.created" - }, - "6e346b5c-b6b3-4e66-ad29-3621b6165b6c": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "includeEmptyRows": true, - "interval": "auto" - }, - "scale": "interval", - "sourceField": "@timestamp" - }, - "9c631c61-9a76-4650-90fe-b481257c028e": { - "dataType": "string", - "isBucketed": true, - "label": "Top values of 
websphere_application_server.jdbc.data_source", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "columnId": "03351030-51ad-4c19-9e9e-9a550b2e23e4", - "type": "column" + "panelsJSON": [ + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-5cb0751e-cee8-41d7-a221-1c89264c3c7e", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "formBased": { + "layers": { + "5cb0751e-cee8-41d7-a221-1c89264c3c7e": { + "columnOrder": [ + "acf862f8-f0e1-482c-a70d-1599b559ba14", + "005f5de3-8a9a-4e48-8f85-293f2a8b283a", + "9915f27a-f0d1-4aa3-ac79-eff63ea4b7a9" + ], + "columns": { + "005f5de3-8a9a-4e48-8f85-293f2a8b283a": { + "dataType": "string", + "isBucketed": true, + "label": "Top values of websphere_application_server.jdbc.data_source", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "9915f27a-f0d1-4aa3-ac79-eff63ea4b7a9", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 3 + }, + "scale": "ordinal", + "sourceField": "websphere_application_server.jdbc.data_source" + }, + "9915f27a-f0d1-4aa3-ac79-eff63ea4b7a9": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "websphere_application_server.jdbc.connection.total.operations_calls: *" + }, + "isBucketed": false, + "label": "Total operations calls", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "websphere_application_server.jdbc.connection.total.operations_calls" + }, + "acf862f8-f0e1-482c-a70d-1599b559ba14": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + } + }, + 
"incompleteColumns": {} + } + } + } }, - "orderDirection": "desc", - "otherBucket": false, - "parentFormat": { - "id": "terms" + "filters": [], + "query": { + "language": "kuery", + "query": "websphere_application_server.jdbc.connection.total.operations_calls \u003e 0" }, - "size": 3 - }, - "scale": "ordinal", - "sourceField": "websphere_application_server.jdbc.data_source" + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "9915f27a-f0d1-4aa3-ac79-eff63ea4b7a9" + ], + "layerId": "5cb0751e-cee8-41d7-a221-1c89264c3c7e", + "layerType": "data", + "position": "top", + "seriesType": "line", + "showGridlines": false, + "splitAccessor": "005f5de3-8a9a-4e48-8f85-293f2a8b283a", + "xAccessor": "acf862f8-f0e1-482c-a70d-1599b559ba14" + } + ], + "legend": { + "isVisible": true, + "legendSize": "auto", + "position": "right" + }, + "preferredSeriesType": "line", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide", + "yLeftExtent": { + "mode": "full" + }, + "yRightExtent": { + "mode": "full" + } + } }, - "e7bed513-0fe1-460d-affc-4186777ff41a": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "websphere_application_server.jdbc.connection.returned: *" - }, - "isBucketed": false, - "label": "Returned Connections", - "operationType": "last_value", - "params": { - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "websphere_application_server.jdbc.connection.returned" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "websphere_application_server.jdbc.connection.created > 0 or 
websphere_application_server.jdbc.connection.closed > 0 or websphere_application_server.jdbc.connection.allocated > 0 or websphere_application_server.jdbc.connection.returned > 0" - }, - "visualization": { - "axisTitlesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "fittingFunction": "None", - "gridlinesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true + "title": "Number of Operation Calls [Metrics WebSphere Application Server]", + "visualizationType": "lnsXY" + }, + "enhancements": {} }, - "labelsOrientation": { - "x": 0, - "yLeft": 0, - "yRight": 0 - }, - "layers": [ - { - "accessors": [ - "25cdb2ff-2d42-4703-9419-2375ef16c439", - "00acb34f-ae34-439a-9cb7-45a09bb69e15", - "03351030-51ad-4c19-9e9e-9a550b2e23e4", - "e7bed513-0fe1-460d-affc-4186777ff41a" - ], - "layerId": "6a787cb2-6500-4f46-bcc0-56ba379b2ec1", - "layerType": "data", - "position": "top", - "seriesType": "area", - "showGridlines": false, - "splitAccessor": "9c631c61-9a76-4650-90fe-b481257c028e", - "xAccessor": "6e346b5c-b6b3-4e66-ad29-3621b6165b6c" - } - ], - "legend": { - "isVisible": true, - "legendSize": "auto", - "position": "right" + "gridData": { + "h": 12, + "i": "afecf39d-0a9d-4d47-9ad4-c85a8e0efc99", + "w": 22, + "x": 0, + "y": 0 }, - "preferredSeriesType": "area", - "tickLabelsVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "valueLabels": "hide", - "yLeftExtent": { - "mode": "full" - }, - "yRightExtent": { - "mode": "full" - }, - "yTitle": "Count" - } + "panelIndex": "afecf39d-0a9d-4d47-9ad4-c85a8e0efc99", + "type": "lens" }, - "title": "Number of Created, Closed, Allocated and Returned Connections [Metrics WebSphere Application Server]", - "visualizationType": "lnsXY", - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-6a787cb2-6500-4f46-bcc0-56ba379b2ec1", - "type": "index-pattern" - } - ] - } - }, - "gridData": { - "h": 17, - "i": "51bf1823-c26b-44d8-8776-b6b3635b5d75", - "w": 
26, - "x": 22, - "y": 0 - }, - "panelIndex": "51bf1823-c26b-44d8-8776-b6b3635b5d75", - "type": "lens", - "version": "8.3.0" - }, - { - "embeddableConfig": { - "enhancements": {}, - "hidePanelTitles": false, - "attributes": { - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "093d1982-684a-40db-bed9-9426559b90ee": { - "columnOrder": [ - "5df21f55-a6e2-439c-a15d-3d1d63f30b67", - "aaf7723c-6ca8-4015-864d-8263d7488d72", - "a2c8801f-9e82-4502-a4db-8290bf4b4b7e" - ], - "columns": { - "5df21f55-a6e2-439c-a15d-3d1d63f30b67": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "includeEmptyRows": true, - "interval": "auto" - }, - "scale": "interval", - "sourceField": "@timestamp" - }, - "a2c8801f-9e82-4502-a4db-8290bf4b4b7e": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "websphere_application_server.jdbc.connection.free: *" - }, - "isBucketed": false, - "label": "Free Connections", - "operationType": "last_value", - "params": { - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "websphere_application_server.jdbc.connection.free" - }, - "aaf7723c-6ca8-4015-864d-8263d7488d72": { - "dataType": "string", - "isBucketed": true, - "label": "Top values of websphere_application_server.jdbc.data_source", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "columnId": "a2c8801f-9e82-4502-a4db-8290bf4b4b7e", - "type": "column" + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-6a787cb2-6500-4f46-bcc0-56ba379b2ec1", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "formBased": { + "layers": { + "6a787cb2-6500-4f46-bcc0-56ba379b2ec1": { + "columnOrder": [ + "6e346b5c-b6b3-4e66-ad29-3621b6165b6c", + "9c631c61-9a76-4650-90fe-b481257c028e", + "25cdb2ff-2d42-4703-9419-2375ef16c439", + 
"00acb34f-ae34-439a-9cb7-45a09bb69e15", + "03351030-51ad-4c19-9e9e-9a550b2e23e4", + "e7bed513-0fe1-460d-affc-4186777ff41a" + ], + "columns": { + "00acb34f-ae34-439a-9cb7-45a09bb69e15": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "websphere_application_server.jdbc.connection.closed: *" + }, + "isBucketed": false, + "label": "Closed Connections", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "websphere_application_server.jdbc.connection.closed" + }, + "03351030-51ad-4c19-9e9e-9a550b2e23e4": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "websphere_application_server.jdbc.connection.allocated: *" + }, + "isBucketed": false, + "label": "Allocated Connections", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "websphere_application_server.jdbc.connection.allocated" + }, + "25cdb2ff-2d42-4703-9419-2375ef16c439": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "websphere_application_server.jdbc.connection.created: *" + }, + "isBucketed": false, + "label": "Created Connections", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "websphere_application_server.jdbc.connection.created" + }, + "6e346b5c-b6b3-4e66-ad29-3621b6165b6c": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "9c631c61-9a76-4650-90fe-b481257c028e": { + "dataType": "string", + "isBucketed": true, + "label": "Top values of websphere_application_server.jdbc.data_source", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": 
"03351030-51ad-4c19-9e9e-9a550b2e23e4", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 3 + }, + "scale": "ordinal", + "sourceField": "websphere_application_server.jdbc.data_source" + }, + "e7bed513-0fe1-460d-affc-4186777ff41a": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "websphere_application_server.jdbc.connection.returned: *" + }, + "isBucketed": false, + "label": "Returned Connections", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "websphere_application_server.jdbc.connection.returned" + } + }, + "incompleteColumns": {} + } + } + } }, - "orderDirection": "desc", - "otherBucket": false, - "parentFormat": { - "id": "terms" + "filters": [], + "query": { + "language": "kuery", + "query": "websphere_application_server.jdbc.connection.created \u003e 0 or websphere_application_server.jdbc.connection.closed \u003e 0 or websphere_application_server.jdbc.connection.allocated \u003e 0 or websphere_application_server.jdbc.connection.returned \u003e 0" }, - "size": 3 - }, - "scale": "ordinal", - "sourceField": "websphere_application_server.jdbc.data_source" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "axisTitlesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "fittingFunction": "None", - "gridlinesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "labelsOrientation": { - "x": 0, - "yLeft": 0, - "yRight": 0 - }, - "layers": [ - { - "accessors": [ - "a2c8801f-9e82-4502-a4db-8290bf4b4b7e" - ], - "layerId": "093d1982-684a-40db-bed9-9426559b90ee", - "layerType": "data", - "position": "top", - "seriesType": "line", - "showGridlines": false, - "splitAccessor": "aaf7723c-6ca8-4015-864d-8263d7488d72", - "xAccessor": 
"5df21f55-a6e2-439c-a15d-3d1d63f30b67" - } - ], - "legend": { - "isVisible": true, - "legendSize": "auto", - "position": "right" - }, - "preferredSeriesType": "line", - "tickLabelsVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "25cdb2ff-2d42-4703-9419-2375ef16c439", + "00acb34f-ae34-439a-9cb7-45a09bb69e15", + "03351030-51ad-4c19-9e9e-9a550b2e23e4", + "e7bed513-0fe1-460d-affc-4186777ff41a" + ], + "layerId": "6a787cb2-6500-4f46-bcc0-56ba379b2ec1", + "layerType": "data", + "position": "top", + "seriesType": "area", + "showGridlines": false, + "splitAccessor": "9c631c61-9a76-4650-90fe-b481257c028e", + "xAccessor": "6e346b5c-b6b3-4e66-ad29-3621b6165b6c" + } + ], + "legend": { + "isVisible": true, + "legendSize": "auto", + "position": "right" + }, + "preferredSeriesType": "area", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide", + "yLeftExtent": { + "mode": "full" + }, + "yRightExtent": { + "mode": "full" + }, + "yTitle": "Count" + } + }, + "title": "Number of Created, Closed, Allocated and Returned Connections [Metrics WebSphere Application Server]", + "visualizationType": "lnsXY" + }, + "enhancements": {} }, - "valueLabels": "hide", - "yLeftExtent": { - "mode": "full" + "gridData": { + "h": 17, + "i": "51bf1823-c26b-44d8-8776-b6b3635b5d75", + "w": 26, + "x": 22, + "y": 0 }, - "yRightExtent": { - "mode": "full" - } - } + "panelIndex": "51bf1823-c26b-44d8-8776-b6b3635b5d75", + "type": "lens" }, - "title": "Number of Free Connections [Metrics WebSphere Application Server]", - "visualizationType": "lnsXY", - "references": [ - { - "id": "metrics-*", - "name": 
"indexpattern-datasource-layer-093d1982-684a-40db-bed9-9426559b90ee", - "type": "index-pattern" - } - ] - } - }, - "gridData": { - "h": 17, - "i": "133482d2-129b-42c8-b785-576e02815b22", - "w": 22, - "x": 0, - "y": 12 - }, - "panelIndex": "133482d2-129b-42c8-b785-576e02815b22", - "title": "Number of Free Connections [Metrics WebSphere Application Server]", - "type": "lens", - "version": "8.3.0" - }, - { - "embeddableConfig": { - "enhancements": {}, - "attributes": { - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "f73c674c-32f9-437c-9556-c02eef1a0871": { - "columnOrder": [ - "c4abbc8f-c0f8-43de-aae9-ceeff9026807", - "880644a5-cf8e-4cd1-a607-0982600b03fa", - "fe52b8cf-86bc-4b20-a7c0-d3398ccdc4ea" - ], - "columns": { - "880644a5-cf8e-4cd1-a607-0982600b03fa": { - "dataType": "string", - "isBucketed": true, - "label": "Top values of websphere_application_server.jdbc.data_source", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "columnId": "fe52b8cf-86bc-4b20-a7c0-d3398ccdc4ea", - "type": "column" + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-093d1982-684a-40db-bed9-9426559b90ee", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "formBased": { + "layers": { + "093d1982-684a-40db-bed9-9426559b90ee": { + "columnOrder": [ + "5df21f55-a6e2-439c-a15d-3d1d63f30b67", + "aaf7723c-6ca8-4015-864d-8263d7488d72", + "a2c8801f-9e82-4502-a4db-8290bf4b4b7e" + ], + "columns": { + "5df21f55-a6e2-439c-a15d-3d1d63f30b67": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "a2c8801f-9e82-4502-a4db-8290bf4b4b7e": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": 
"websphere_application_server.jdbc.connection.free: *" + }, + "isBucketed": false, + "label": "Free Connections", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "websphere_application_server.jdbc.connection.free" + }, + "aaf7723c-6ca8-4015-864d-8263d7488d72": { + "dataType": "string", + "isBucketed": true, + "label": "Top values of websphere_application_server.jdbc.data_source", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "a2c8801f-9e82-4502-a4db-8290bf4b4b7e", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 3 + }, + "scale": "ordinal", + "sourceField": "websphere_application_server.jdbc.data_source" + } + }, + "incompleteColumns": {} + } + } + } }, - "orderDirection": "desc", - "otherBucket": false, - "parentFormat": { - "id": "terms" + "filters": [], + "query": { + "language": "kuery", + "query": "" }, - "size": 3 - }, - "scale": "ordinal", - "sourceField": "websphere_application_server.jdbc.data_source" + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "a2c8801f-9e82-4502-a4db-8290bf4b4b7e" + ], + "layerId": "093d1982-684a-40db-bed9-9426559b90ee", + "layerType": "data", + "position": "top", + "seriesType": "line", + "showGridlines": false, + "splitAccessor": "aaf7723c-6ca8-4015-864d-8263d7488d72", + "xAccessor": "5df21f55-a6e2-439c-a15d-3d1d63f30b67" + } + ], + "legend": { + "isVisible": true, + "legendSize": "auto", + "position": "right" + }, + "preferredSeriesType": "line", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide", + 
"yLeftExtent": { + "mode": "full" + }, + "yRightExtent": { + "mode": "full" + } + } }, - "c4abbc8f-c0f8-43de-aae9-ceeff9026807": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "includeEmptyRows": true, - "interval": "auto" - }, - "scale": "interval", - "sourceField": "@timestamp" - }, - "fe52b8cf-86bc-4b20-a7c0-d3398ccdc4ea": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "websphere_application_server.jdbc.connection.total.in_use: *" - }, - "isBucketed": false, - "label": "Total Connections In Use", - "operationType": "last_value", - "params": { - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "websphere_application_server.jdbc.connection.total.in_use" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "websphere_application_server.jdbc.connection.total.in_use >0" - }, - "visualization": { - "axisTitlesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "fittingFunction": "None", - "gridlinesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "labelsOrientation": { - "x": 0, - "yLeft": 0, - "yRight": 0 + "title": "Number of Free Connections [Metrics WebSphere Application Server]", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false }, - "layers": [ - { - "accessors": [ - "fe52b8cf-86bc-4b20-a7c0-d3398ccdc4ea" - ], - "layerId": "f73c674c-32f9-437c-9556-c02eef1a0871", - "layerType": "data", - "position": "top", - "seriesType": "line", - "showGridlines": false, - "splitAccessor": "880644a5-cf8e-4cd1-a607-0982600b03fa", - "xAccessor": "c4abbc8f-c0f8-43de-aae9-ceeff9026807" - } - ], - "legend": { - "isVisible": true, - "legendSize": "auto", - "position": "right" + "gridData": { + "h": 17, + "i": "133482d2-129b-42c8-b785-576e02815b22", + "w": 22, + "x": 0, + "y": 12 }, - 
"preferredSeriesType": "line", - "tickLabelsVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true + "panelIndex": "133482d2-129b-42c8-b785-576e02815b22", + "title": "Number of Free Connections [Metrics WebSphere Application Server]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-f73c674c-32f9-437c-9556-c02eef1a0871", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "formBased": { + "layers": { + "f73c674c-32f9-437c-9556-c02eef1a0871": { + "columnOrder": [ + "c4abbc8f-c0f8-43de-aae9-ceeff9026807", + "880644a5-cf8e-4cd1-a607-0982600b03fa", + "fe52b8cf-86bc-4b20-a7c0-d3398ccdc4ea" + ], + "columns": { + "880644a5-cf8e-4cd1-a607-0982600b03fa": { + "dataType": "string", + "isBucketed": true, + "label": "Top values of websphere_application_server.jdbc.data_source", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "fe52b8cf-86bc-4b20-a7c0-d3398ccdc4ea", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 3 + }, + "scale": "ordinal", + "sourceField": "websphere_application_server.jdbc.data_source" + }, + "c4abbc8f-c0f8-43de-aae9-ceeff9026807": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "fe52b8cf-86bc-4b20-a7c0-d3398ccdc4ea": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "websphere_application_server.jdbc.connection.total.in_use: *" + }, + "isBucketed": false, + "label": "Total Connections In Use", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": 
"websphere_application_server.jdbc.connection.total.in_use" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "websphere_application_server.jdbc.connection.total.in_use \u003e0" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "fe52b8cf-86bc-4b20-a7c0-d3398ccdc4ea" + ], + "layerId": "f73c674c-32f9-437c-9556-c02eef1a0871", + "layerType": "data", + "position": "top", + "seriesType": "line", + "showGridlines": false, + "splitAccessor": "880644a5-cf8e-4cd1-a607-0982600b03fa", + "xAccessor": "c4abbc8f-c0f8-43de-aae9-ceeff9026807" + } + ], + "legend": { + "isVisible": true, + "legendSize": "auto", + "position": "right" + }, + "preferredSeriesType": "line", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide", + "yLeftExtent": { + "mode": "full" + }, + "yRightExtent": { + "mode": "full" + } + } + }, + "title": "Total Connections In Use [Metrics WebSphere Application Server]", + "visualizationType": "lnsXY" + }, + "enhancements": {} }, - "valueLabels": "hide", - "yLeftExtent": { - "mode": "full" + "gridData": { + "h": 12, + "i": "bd9b0066-03c7-4477-a479-f47350a28d14", + "w": 26, + "x": 22, + "y": 17 }, - "yRightExtent": { - "mode": "full" - } - } - }, - "title": "Total Connections In Use [Metrics WebSphere Application Server]", - "visualizationType": "lnsXY", - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-f73c674c-32f9-437c-9556-c02eef1a0871", - "type": "index-pattern" - } - ] - } + "panelIndex": "bd9b0066-03c7-4477-a479-f47350a28d14", + "type": "lens" + } + ], + "timeRestore": false, + "title": "[Metrics WebSphere Application 
Server] JDBC", + "version": 1 + }, + "coreMigrationVersion": "8.8.0", + "created_at": "2024-04-22T09:44:51.087Z", + "id": "websphere_application_server-5d9b0860-b582-11ec-89b4-c91c947c1fb3", + "managed": false, + "references": [ + { + "id": "metrics-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "afecf39d-0a9d-4d47-9ad4-c85a8e0efc99:indexpattern-datasource-layer-5cb0751e-cee8-41d7-a221-1c89264c3c7e", + "type": "index-pattern" }, - "gridData": { - "h": 12, - "i": "bd9b0066-03c7-4477-a479-f47350a28d14", - "w": 26, - "x": 22, - "y": 17 + { + "id": "metrics-*", + "name": "51bf1823-c26b-44d8-8776-b6b3635b5d75:indexpattern-datasource-layer-6a787cb2-6500-4f46-bcc0-56ba379b2ec1", + "type": "index-pattern" }, - "panelIndex": "bd9b0066-03c7-4477-a479-f47350a28d14", - "type": "lens", - "version": "8.3.0" - } + { + "id": "metrics-*", + "name": "133482d2-129b-42c8-b785-576e02815b22:indexpattern-datasource-layer-093d1982-684a-40db-bed9-9426559b90ee", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "bd9b0066-03c7-4477-a479-f47350a28d14:indexpattern-datasource-layer-f73c674c-32f9-437c-9556-c02eef1a0871", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "controlGroup_9fb4cabe-4f7e-49e8-8afe-43acde518929:optionsListDataView", + "type": "index-pattern" + } ], - "refreshInterval": { - "pause": true, - "value": 0 - }, - "timeFrom": "now-15m", - "timeRestore": true, - "timeTo": "now", - "title": "[Metrics WebSphere Application Server] JDBC", - "version": 1 - }, - "references": [ - { - "id": "metrics-*", - "name": "controlGroup_9fb4cabe-4f7e-49e8-8afe-43acde518929:optionsListDataView", - "type": "index-pattern" - }, - { - "type": "index-pattern", - "name": "afecf39d-0a9d-4d47-9ad4-c85a8e0efc99:indexpattern-datasource-layer-5cb0751e-cee8-41d7-a221-1c89264c3c7e", - "id": "metrics-*" - }, - { - "type": "index-pattern", - "name": 
"51bf1823-c26b-44d8-8776-b6b3635b5d75:indexpattern-datasource-layer-6a787cb2-6500-4f46-bcc0-56ba379b2ec1", - "id": "metrics-*" - }, - { - "type": "index-pattern", - "name": "133482d2-129b-42c8-b785-576e02815b22:indexpattern-datasource-layer-093d1982-684a-40db-bed9-9426559b90ee", - "id": "metrics-*" - }, - { - "type": "index-pattern", - "name": "bd9b0066-03c7-4477-a479-f47350a28d14:indexpattern-datasource-layer-f73c674c-32f9-437c-9556-c02eef1a0871", - "id": "metrics-*" - } - ], - "migrationVersion": { - "dashboard": "8.3.0" - }, - "coreMigrationVersion": "8.3.0" + "type": "dashboard", + "typeMigrationVersion": "8.9.0" } \ No newline at end of file diff --git a/packages/websphere_application_server/kibana/dashboard/websphere_application_server-b8da46b0-b595-11ec-888d-b1230de080fd.json b/packages/websphere_application_server/kibana/dashboard/websphere_application_server-b8da46b0-b595-11ec-888d-b1230de080fd.json index 31ff3e95a82..78050654881 100644 --- a/packages/websphere_application_server/kibana/dashboard/websphere_application_server-b8da46b0-b595-11ec-888d-b1230de080fd.json +++ b/packages/websphere_application_server/kibana/dashboard/websphere_application_server-b8da46b0-b595-11ec-888d-b1230de080fd.json 
@@ -1,485 +1,506 @@ { - "id": "websphere_application_server-b8da46b0-b595-11ec-888d-b1230de080fd", - "type": "dashboard", - "namespaces": [ - "default" - ], - "updated_at": "2023-11-07T17:50:18.506Z", - "version": "WzQyMywxXQ==", - "attributes": { - "description": "Servlet dashboard for WebSphere Application Server Metrics.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [], - "query": { - "language": "kuery", - "query": "" - } - } - }, - "optionsJSON": { - "hidePanelTitles": false, - "syncColors": false, - "useMargins": true - }, - "panelsJSON": [ - { - "embeddableConfig": { - "enhancements": {}, - "attributes": { - "description": "", - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "39707dfa-c5ec-473f-8d7f-43c96a9beaef": { - "columnOrder": [ - "17f33a89-5e4f-4b62-a12e-ea9870e908ac" - ], - "columns": { - "17f33a89-5e4f-4b62-a12e-ea9870e908ac": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Errors", - "operationType": "last_value", - "params": { - "showArrayValues": true, - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "websphere_application_server.servlet.errors" + "attributes": { + "description": "Servlet dashboard for WebSphere Application Server Metrics.", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "websphere_application_server.servlet" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "websphere_application_server.servlet" + } } - }, - "incompleteColumns": {} } - } + ], + "query": { + "language": "kuery", + "query": "" } - }, - "filters": [], - "query": { - "language": "kuery", - "query": 
"websphere_application_server.servlet.errors : * " - }, - "visualization": { - "accessor": "17f33a89-5e4f-4b62-a12e-ea9870e908ac", - "layerId": "39707dfa-c5ec-473f-8d7f-43c96a9beaef", - "layerType": "data", - "size": "xl", - "textAlign": "center", - "titlePosition": "bottom" - } - }, - "title": "Number of Errors [Metrics WebSphere Application Server]", - "visualizationType": "lnsMetric", - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-39707dfa-c5ec-473f-8d7f-43c96a9beaef", - "type": "index-pattern" - } - ] - } + } }, - "gridData": { - "h": 13, - "i": "310de529-9ca0-46bd-b1cc-223c1a51cb38", - "w": 11, - "x": 0, - "y": 0 + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false, + "useMargins": true }, - "panelIndex": "310de529-9ca0-46bd-b1cc-223c1a51cb38", - "type": "lens", - "version": "8.3.0" - }, - { - "embeddableConfig": { - "enhancements": {}, - "attributes": { - "description": "", - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "6bff5182-8367-4e11-8b9a-69bfe903149c": { - "columnOrder": [ - "e5379b96-4137-4122-ae12-4043ff5f1d83", - "1b761837-dde2-418e-b754-b51432eaf95a", - "146c0baa-3fa2-4ae9-aa73-a4d7669d55c1", - "302ef164-d49c-4a57-9a96-888917e2c880", - "302ef164-d49c-4a57-9a96-888917e2c880X0" - ], - "columns": { - "146c0baa-3fa2-4ae9-aa73-a4d7669d55c1": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "websphere_application_server.servlet.requests.processed: *" - }, - "isBucketed": false, - "label": "Requests Processed", - "operationType": "last_value", - "params": { - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "websphere_application_server.servlet.requests.processed" - }, - "1b761837-dde2-418e-b754-b51432eaf95a": { - "dataType": "string", - "isBucketed": 
true, - "label": "Top values of App name", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "columnId": "146c0baa-3fa2-4ae9-aa73-a4d7669d55c1", - "type": "column" + "panelsJSON": [ + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" }, - "orderDirection": "desc", - "otherBucket": false, - "parentFormat": { - "id": "terms" + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-39707dfa-c5ec-473f-8d7f-43c96a9beaef", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "formBased": { + "layers": { + "39707dfa-c5ec-473f-8d7f-43c96a9beaef": { + "columnOrder": [ + "17f33a89-5e4f-4b62-a12e-ea9870e908ac" + ], + "columns": { + "17f33a89-5e4f-4b62-a12e-ea9870e908ac": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Errors", + "operationType": "last_value", + "params": { + "showArrayValues": true, + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "websphere_application_server.servlet.errors" + } + }, + "incompleteColumns": {} + } + } + } }, - "size": 3 - }, - "scale": "ordinal", - "sourceField": "websphere_application_server.servlet.app_name" - }, - "302ef164-d49c-4a57-9a96-888917e2c880": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Responses Processed", - "operationType": "formula", - "params": { - "formula": "last_value(websphere_application_server.servlet.responses.processed)", - "isFormulaBroken": false - }, - "references": [ - "302ef164-d49c-4a57-9a96-888917e2c880X0" - ], - "scale": "ratio" - }, - "302ef164-d49c-4a57-9a96-888917e2c880X0": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "websphere_application_server.servlet.responses.processed: *" - }, - "isBucketed": false, - "label": "Part of Responses Processed", - 
"operationType": "last_value", - "params": { - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "websphere_application_server.servlet.responses.processed" + "filters": [], + "query": { + "language": "kuery", + "query": "websphere_application_server.servlet.errors : * " + }, + "visualization": { + "accessor": "17f33a89-5e4f-4b62-a12e-ea9870e908ac", + "layerId": "39707dfa-c5ec-473f-8d7f-43c96a9beaef", + "layerType": "data", + "size": "xl", + "textAlign": "center", + "titlePosition": "bottom" + } }, - "e5379b96-4137-4122-ae12-4043ff5f1d83": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "includeEmptyRows": true, - "interval": "auto" - }, - "scale": "interval", - "sourceField": "@timestamp" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "websphere_application_server.servlet.requests.processed > 0 or websphere_application_server.servlet.responses.processed > 0" - }, - "visualization": { - "axisTitlesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "fittingFunction": "None", - "gridlinesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true + "title": "Number of Errors [Metrics WebSphere Application Server]", + "visualizationType": "lnsLegacyMetric" + }, + "enhancements": {} }, - "labelsOrientation": { - "x": 0, - "yLeft": 0, - "yRight": 0 + "gridData": { + "h": 13, + "i": "310de529-9ca0-46bd-b1cc-223c1a51cb38", + "w": 11, + "x": 0, + "y": 0 }, - "layers": [ - { - "accessors": [ - "146c0baa-3fa2-4ae9-aa73-a4d7669d55c1", - "302ef164-d49c-4a57-9a96-888917e2c880" - ], - "layerId": "6bff5182-8367-4e11-8b9a-69bfe903149c", - "layerType": "data", - "position": "top", - "seriesType": "area", - "showGridlines": false, - "splitAccessor": "1b761837-dde2-418e-b754-b51432eaf95a", - "xAccessor": "e5379b96-4137-4122-ae12-4043ff5f1d83" - } - ], - "legend": { - "isVisible": true, - 
"legendSize": "auto", - "position": "right" - }, - "preferredSeriesType": "area", - "tickLabelsVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "valueLabels": "hide", - "valuesInLegend": false, - "yLeftExtent": { - "mode": "full" - }, - "yRightExtent": { - "mode": "full" - }, - "yTitle": "Count" - } + "panelIndex": "310de529-9ca0-46bd-b1cc-223c1a51cb38", + "type": "lens" }, - "title": "Number of Processed Requests and Responses [Metrics WebSphere Application Server]", - "visualizationType": "lnsXY", - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-6bff5182-8367-4e11-8b9a-69bfe903149c", - "type": "index-pattern" - } - ] - } - }, - "gridData": { - "h": 13, - "i": "acdff898-96e0-4331-bd7c-47acfa3db816", - "w": 18, - "x": 11, - "y": 0 - }, - "panelIndex": "acdff898-96e0-4331-bd7c-47acfa3db816", - "type": "lens", - "version": "8.3.0" - }, - { - "embeddableConfig": { - "enhancements": {}, - "attributes": { - "description": "", - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "96a84b63-1fad-48c6-b0de-179dcbfcd741": { - "columnOrder": [ - "2760f523-a7b0-4dd9-adff-5743a44190f4", - "72a036b6-01af-4812-9bcf-f43429e39eb7", - "990fce2d-1026-4d37-85ed-088d392b41f9", - "d2e271e9-cc11-46df-aae0-121042e38bfa" - ], - "columns": { - "2760f523-a7b0-4dd9-adff-5743a44190f4": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "includeEmptyRows": true, - "interval": "auto" - }, - "scale": "interval", - "sourceField": "@timestamp" - }, - "72a036b6-01af-4812-9bcf-f43429e39eb7": { - "dataType": "string", - "isBucketed": true, - "label": "Top values of websphere_application_server.servlet.app_name", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "columnId": "990fce2d-1026-4d37-85ed-088d392b41f9", - "type": "column" + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ 
+ { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-6bff5182-8367-4e11-8b9a-69bfe903149c", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "formBased": { + "layers": { + "6bff5182-8367-4e11-8b9a-69bfe903149c": { + "columnOrder": [ + "e5379b96-4137-4122-ae12-4043ff5f1d83", + "1b761837-dde2-418e-b754-b51432eaf95a", + "146c0baa-3fa2-4ae9-aa73-a4d7669d55c1", + "302ef164-d49c-4a57-9a96-888917e2c880", + "302ef164-d49c-4a57-9a96-888917e2c880X0" + ], + "columns": { + "146c0baa-3fa2-4ae9-aa73-a4d7669d55c1": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "websphere_application_server.servlet.requests.processed: *" + }, + "isBucketed": false, + "label": "Requests Processed", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "websphere_application_server.servlet.requests.processed" + }, + "1b761837-dde2-418e-b754-b51432eaf95a": { + "dataType": "string", + "isBucketed": true, + "label": "Top values of App name", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "146c0baa-3fa2-4ae9-aa73-a4d7669d55c1", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 3 + }, + "scale": "ordinal", + "sourceField": "websphere_application_server.servlet.app_name" + }, + "302ef164-d49c-4a57-9a96-888917e2c880": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Responses Processed", + "operationType": "formula", + "params": { + "formula": "last_value(websphere_application_server.servlet.responses.processed)", + "isFormulaBroken": false + }, + "references": [ + "302ef164-d49c-4a57-9a96-888917e2c880X0" + ], + "scale": "ratio" + }, + "302ef164-d49c-4a57-9a96-888917e2c880X0": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": 
"websphere_application_server.servlet.responses.processed: *" + }, + "isBucketed": false, + "label": "Part of Responses Processed", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "websphere_application_server.servlet.responses.processed" + }, + "e5379b96-4137-4122-ae12-4043ff5f1d83": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + } + }, + "incompleteColumns": {} + } + } + } }, - "orderDirection": "desc", - "otherBucket": false, - "parentFormat": { - "id": "terms" + "filters": [], + "query": { + "language": "kuery", + "query": "websphere_application_server.servlet.requests.processed \u003e 0 or websphere_application_server.servlet.responses.processed \u003e 0" }, - "size": 3 - }, - "scale": "ordinal", - "sourceField": "websphere_application_server.servlet.app_name" - }, - "990fce2d-1026-4d37-85ed-088d392b41f9": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "websphere_application_server.servlet.loaded: *" - }, - "isBucketed": false, - "label": "Loaded Servlets", - "operationType": "last_value", - "params": { - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "websphere_application_server.servlet.loaded" + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "146c0baa-3fa2-4ae9-aa73-a4d7669d55c1", + "302ef164-d49c-4a57-9a96-888917e2c880" + ], + "layerId": "6bff5182-8367-4e11-8b9a-69bfe903149c", + "layerType": "data", + "position": "top", + "seriesType": "area", + "showGridlines": 
false, + "splitAccessor": "1b761837-dde2-418e-b754-b51432eaf95a", + "xAccessor": "e5379b96-4137-4122-ae12-4043ff5f1d83" + } + ], + "legend": { + "isVisible": true, + "legendSize": "auto", + "position": "right" + }, + "preferredSeriesType": "area", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide", + "valuesInLegend": false, + "yLeftExtent": { + "mode": "full" + }, + "yRightExtent": { + "mode": "full" + }, + "yTitle": "Count" + } }, - "d2e271e9-cc11-46df-aae0-121042e38bfa": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "websphere_application_server.servlet.reloaded: *" - }, - "isBucketed": false, - "label": "Reloaded Servlets", - "operationType": "last_value", - "params": { - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "websphere_application_server.servlet.reloaded" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "websphere_application_server.servlet.loaded > 0 or websphere_application_server.servlet.reloaded > 0" - }, - "visualization": { - "axisTitlesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true + "title": "Number of Processed Requests and Responses [Metrics WebSphere Application Server]", + "visualizationType": "lnsXY" + }, + "enhancements": {} }, - "fittingFunction": "None", - "gridlinesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true + "gridData": { + "h": 13, + "i": "acdff898-96e0-4331-bd7c-47acfa3db816", + "w": 18, + "x": 11, + "y": 0 }, - "labelsOrientation": { - "x": 0, - "yLeft": 0, - "yRight": 0 - }, - "layers": [ - { - "accessors": [ - "990fce2d-1026-4d37-85ed-088d392b41f9", - "d2e271e9-cc11-46df-aae0-121042e38bfa" - ], - "layerId": "96a84b63-1fad-48c6-b0de-179dcbfcd741", - "layerType": "data", - "position": "top", - "seriesType": "area", - "showGridlines": false, - "splitAccessor": 
"72a036b6-01af-4812-9bcf-f43429e39eb7", - "xAccessor": "2760f523-a7b0-4dd9-adff-5743a44190f4" - } - ], - "legend": { - "isVisible": true, - "legendSize": "auto", - "position": "right" - }, - "preferredSeriesType": "area", - "tickLabelsVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "valueLabels": "hide", - "yLeftExtent": { - "mode": "full" + "panelIndex": "acdff898-96e0-4331-bd7c-47acfa3db816", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-96a84b63-1fad-48c6-b0de-179dcbfcd741", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "formBased": { + "layers": { + "96a84b63-1fad-48c6-b0de-179dcbfcd741": { + "columnOrder": [ + "2760f523-a7b0-4dd9-adff-5743a44190f4", + "72a036b6-01af-4812-9bcf-f43429e39eb7", + "990fce2d-1026-4d37-85ed-088d392b41f9", + "d2e271e9-cc11-46df-aae0-121042e38bfa" + ], + "columns": { + "2760f523-a7b0-4dd9-adff-5743a44190f4": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "72a036b6-01af-4812-9bcf-f43429e39eb7": { + "dataType": "string", + "isBucketed": true, + "label": "Top values of websphere_application_server.servlet.app_name", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "990fce2d-1026-4d37-85ed-088d392b41f9", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 3 + }, + "scale": "ordinal", + "sourceField": "websphere_application_server.servlet.app_name" + }, + "990fce2d-1026-4d37-85ed-088d392b41f9": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "websphere_application_server.servlet.loaded: *" + }, + 
"isBucketed": false, + "label": "Loaded Servlets", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "websphere_application_server.servlet.loaded" + }, + "d2e271e9-cc11-46df-aae0-121042e38bfa": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "websphere_application_server.servlet.reloaded: *" + }, + "isBucketed": false, + "label": "Reloaded Servlets", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "websphere_application_server.servlet.reloaded" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "websphere_application_server.servlet.loaded \u003e 0 or websphere_application_server.servlet.reloaded \u003e 0" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "990fce2d-1026-4d37-85ed-088d392b41f9", + "d2e271e9-cc11-46df-aae0-121042e38bfa" + ], + "layerId": "96a84b63-1fad-48c6-b0de-179dcbfcd741", + "layerType": "data", + "position": "top", + "seriesType": "area", + "showGridlines": false, + "splitAccessor": "72a036b6-01af-4812-9bcf-f43429e39eb7", + "xAccessor": "2760f523-a7b0-4dd9-adff-5743a44190f4" + } + ], + "legend": { + "isVisible": true, + "legendSize": "auto", + "position": "right" + }, + "preferredSeriesType": "area", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide", + "yLeftExtent": { + "mode": "full" + }, + "yRightExtent": { + "mode": "full" + }, + "yTitle": "Count" + } + }, + "title": "Number of Loaded and Reloaded Servlets [Metrics WebSphere Application Server]", + 
"visualizationType": "lnsXY" + }, + "enhancements": {} }, - "yRightExtent": { - "mode": "full" + "gridData": { + "h": 13, + "i": "f9b8fb75-0cf4-4be3-8258-a51a7b349fd8", + "w": 19, + "x": 29, + "y": 0 }, - "yTitle": "Count" - } - }, - "title": "Number of Loaded and Reloaded Servlets [Metrics WebSphere Application Server]", - "visualizationType": "lnsXY", - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-96a84b63-1fad-48c6-b0de-179dcbfcd741", - "type": "index-pattern" - } - ] - } + "panelIndex": "f9b8fb75-0cf4-4be3-8258-a51a7b349fd8", + "type": "lens" + } + ], + "timeRestore": false, + "title": "[Metrics WebSphere Application Server] Servlet", + "version": 1 + }, + "coreMigrationVersion": "8.8.0", + "created_at": "2024-04-22T09:45:42.505Z", + "id": "websphere_application_server-b8da46b0-b595-11ec-888d-b1230de080fd", + "managed": false, + "references": [ + { + "id": "metrics-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "310de529-9ca0-46bd-b1cc-223c1a51cb38:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" }, - "gridData": { - "h": 13, - "i": "f9b8fb75-0cf4-4be3-8258-a51a7b349fd8", - "w": 19, - "x": 29, - "y": 0 + { + "id": "metrics-*", + "name": "310de529-9ca0-46bd-b1cc-223c1a51cb38:indexpattern-datasource-layer-39707dfa-c5ec-473f-8d7f-43c96a9beaef", + "type": "index-pattern" }, - "panelIndex": "f9b8fb75-0cf4-4be3-8258-a51a7b349fd8", - "type": "lens", - "version": "8.3.0" - } + { + "id": "metrics-*", + "name": "acdff898-96e0-4331-bd7c-47acfa3db816:indexpattern-datasource-layer-6bff5182-8367-4e11-8b9a-69bfe903149c", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "f9b8fb75-0cf4-4be3-8258-a51a7b349fd8:indexpattern-datasource-layer-96a84b63-1fad-48c6-b0de-179dcbfcd741", + "type": "index-pattern" + } ], - "timeRestore": false, - "title": "[Metrics WebSphere Application Server] Servlet", - "version": 1 
- }, - "references": [ - { - "type": "index-pattern", - "name": "310de529-9ca0-46bd-b1cc-223c1a51cb38:indexpattern-datasource-current-indexpattern", - "id": "metrics-*" - }, - { - "type": "index-pattern", - "name": "310de529-9ca0-46bd-b1cc-223c1a51cb38:indexpattern-datasource-layer-39707dfa-c5ec-473f-8d7f-43c96a9beaef", - "id": "metrics-*" - }, - { - "type": "index-pattern", - "name": "acdff898-96e0-4331-bd7c-47acfa3db816:indexpattern-datasource-layer-6bff5182-8367-4e11-8b9a-69bfe903149c", - "id": "metrics-*" - }, - { - "type": "index-pattern", - "name": "f9b8fb75-0cf4-4be3-8258-a51a7b349fd8:indexpattern-datasource-layer-96a84b63-1fad-48c6-b0de-179dcbfcd741", - "id": "metrics-*" - } - ], - "migrationVersion": { - "dashboard": "8.3.0" - }, - "coreMigrationVersion": "8.3.0" + "type": "dashboard", + "typeMigrationVersion": "8.9.0" } \ No newline at end of file diff --git a/packages/websphere_application_server/kibana/dashboard/websphere_application_server-db548380-c06d-11ec-8552-f3dc1a6b95f9.json b/packages/websphere_application_server/kibana/dashboard/websphere_application_server-db548380-c06d-11ec-8552-f3dc1a6b95f9.json index 10fbe37e736..7f09e223fb9 100644 --- a/packages/websphere_application_server/kibana/dashboard/websphere_application_server-db548380-c06d-11ec-8552-f3dc1a6b95f9.json +++ b/packages/websphere_application_server/kibana/dashboard/websphere_application_server-db548380-c06d-11ec-8552-f3dc1a6b95f9.json 
@@ -1,583 +1,603 @@ { - "id": "websphere_application_server-db548380-c06d-11ec-8552-f3dc1a6b95f9", - "type": "dashboard", - "namespaces": [ - "default" - ], - "updated_at": "2023-11-07T17:50:18.506Z", - "version": "WzQyNCwxXQ==", - "attributes": { - "controlGroupInput": { - "chainingSystem": "HIERARCHICAL", - "controlStyle": "oneLine", - "ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}", - "panelsJSON": "{\"fa304aea-2c1b-4393-aef2-06114a566f7c\":{\"order\":0,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"title\":\"Appname\",\"fieldName\":\"websphere_application_server.session_manager.app_name\",\"id\":\"fa304aea-2c1b-4393-aef2-06114a566f7c\",\"enhancements\":{}}}}" - }, - "description": "Session Manager dashboard for WebSphere Application Server Metrics.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [], - "query": { - "language": "kuery", - "query": "" - } - } - }, - "optionsJSON": { - "hidePanelTitles": false, - "syncColors": false, - "useMargins": true - }, - "panelsJSON": [ - { - "embeddableConfig": { - "enhancements": {}, - "hidePanelTitles": false, - "attributes": { - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "0eac0fd6-b8fc-4080-a3e6-3915b79b0fed": { - "columnOrder": [ - "2be98fc5-9e15-4e81-8ba1-f4cbc6f2c06a" - ], - "columns": { - "2be98fc5-9e15-4e81-8ba1-f4cbc6f2c06a": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Invalidated sessions by Timeouts", - "operationType": "last_value", - "params": { - "format": { - "id": "number", - "params": { - "decimals": 0 - } - }, - "showArrayValues": true, - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "websphere_application_server.session_manager.sessions.invalidated.by_timeouts" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [ - { - "$state": { - "store": 
"appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "4a163dcc-72d4-4fa7-a5e0-32e5fc5284ec", - "key": "websphere_application_server.session_manager.sessions.invalidated.by_timeouts", - "negate": false, - "type": "exists", - "value": "exists" - }, - "query": { - "exists": { - "field": "websphere_application_server.session_manager.sessions.invalidated.by_timeouts" - } - } - } - ], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "accessor": "2be98fc5-9e15-4e81-8ba1-f4cbc6f2c06a", - "layerId": "0eac0fd6-b8fc-4080-a3e6-3915b79b0fed", - "layerType": "data", - "size": "xl", - "textAlign": "center", - "titlePosition": "bottom" - } - }, - "title": "Invalidated sessions by Timeouts [Metrics WebSphere Application Server]", - "visualizationType": "lnsMetric", - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-0eac0fd6-b8fc-4080-a3e6-3915b79b0fed", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "4a163dcc-72d4-4fa7-a5e0-32e5fc5284ec", - "type": "index-pattern" - } - ] - } - }, - "gridData": { - "h": 17, - "i": "19872277-f696-4e82-a0d0-3a84dbc246e6", - "w": 14, - "x": 0, - "y": 0 + "attributes": { + "controlGroupInput": { + "chainingSystem": "HIERARCHICAL", + "controlStyle": "oneLine", + "ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}", + "panelsJSON": "{\"fa304aea-2c1b-4393-aef2-06114a566f7c\":{\"order\":0,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"title\":\"Appname\",\"fieldName\":\"websphere_application_server.session_manager.app_name\",\"id\":\"fa304aea-2c1b-4393-aef2-06114a566f7c\",\"enhancements\":{}}}}" }, - "panelIndex": "19872277-f696-4e82-a0d0-3a84dbc246e6", - "type": "lens", - "version": "8.3.0" - }, - { - "embeddableConfig": { 
- "enhancements": {}, - "hidePanelTitles": false, - "attributes": { - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "0ebc90f5-04f1-45fe-bd63-d4c13a7dd62c": { - "columnOrder": [ - "b0fcb1bb-3640-4710-bb39-4e7ac9985961" - ], - "columns": { - "b0fcb1bb-3640-4710-bb39-4e7ac9985961": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Active Sessions", - "operationType": "last_value", - "params": { - "showArrayValues": true, - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "websphere_application_server.session_manager.sessions.active" + "description": "Session Manager dashboard for WebSphere Application Server Metrics.", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "websphere_application_server.session_manager" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "websphere_application_server.session_manager" + } } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "bb425378-17d3-46b5-aab3-d274bdd9f097", - "key": "websphere_application_server.session_manager.sessions.active", - "negate": false, - "type": "exists", - "value": "exists" - }, - "query": { - "exists": { - "field": "websphere_application_server.session_manager.sessions.active" } - } + ], + "query": { + "language": "kuery", + "query": "" } - ], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "accessor": "b0fcb1bb-3640-4710-bb39-4e7ac9985961", - "layerId": "0ebc90f5-04f1-45fe-bd63-d4c13a7dd62c", - "layerType": "data", - "size": "xl", - "textAlign": 
"center", - "titlePosition": "bottom" - } - }, - "title": "Active sessions [Metrics WebSphere Application Server]", - "visualizationType": "lnsMetric", - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-0ebc90f5-04f1-45fe-bd63-d4c13a7dd62c", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "bb425378-17d3-46b5-aab3-d274bdd9f097", - "type": "index-pattern" - } - ] - } + } }, - "gridData": { - "h": 8, - "i": "db58d5f2-b5da-43f9-9a53-3dfe2151b7ad", - "w": 9, - "x": 14, - "y": 0 + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false, + "useMargins": true }, - "panelIndex": "db58d5f2-b5da-43f9-9a53-3dfe2151b7ad", - "type": "lens", - "version": "8.3.0" - }, - { - "embeddableConfig": { - "enhancements": {}, - "hidePanelTitles": false, - "attributes": { - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "79027b05-459f-4773-823b-238f4e0b907a": { - "columnOrder": [ - "407e0b68-66ae-43db-a9e3-86e632694e6b", - "53ba3e6e-9050-4ad0-a043-2bd5a3d792ee", - "a6370094-15b2-4777-ac22-fe0612a6d34f", - "1dc49faf-ed90-489c-94cc-b145a28cba19" - ], - "columns": { - "1dc49faf-ed90-489c-94cc-b145a28cba19": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Persistent Stores Data Read", - "operationType": "last_value", - "params": { - "showArrayValues": false, - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "websphere_application_server.session_manager.persistent_stores.data_read" - }, - "407e0b68-66ae-43db-a9e3-86e632694e6b": { - "customLabel": true, - "dataType": "date", - "isBucketed": true, - "label": "Timestamp", - "operationType": "date_histogram", - "params": { - "dropPartials": false, - "includeEmptyRows": true, - "interval": "auto" - }, - "scale": "interval", - "sourceField": "@timestamp" 
- }, - "53ba3e6e-9050-4ad0-a043-2bd5a3d792ee": { - "dataType": "string", - "isBucketed": true, - "label": "Top values of websphere_application_server.session_manager.app_name", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "columnId": "1dc49faf-ed90-489c-94cc-b145a28cba19", - "type": "column" + "panelsJSON": [ + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" }, - "orderDirection": "desc", - "otherBucket": false, - "parentFormat": { - "id": "terms" + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-0eac0fd6-b8fc-4080-a3e6-3915b79b0fed", + "type": "index-pattern" }, - "size": 3 - }, - "scale": "ordinal", - "sourceField": "websphere_application_server.session_manager.app_name" - }, - "a6370094-15b2-4777-ac22-fe0612a6d34f": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Persistent Stores Data Written", - "operationType": "last_value", - "params": { - "format": { - "id": "number", - "params": { - "decimals": 0 - } + { + "id": "metrics-*", + "name": "4a163dcc-72d4-4fa7-a5e0-32e5fc5284ec", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "formBased": { + "layers": { + "0eac0fd6-b8fc-4080-a3e6-3915b79b0fed": { + "columnOrder": [ + "2be98fc5-9e15-4e81-8ba1-f4cbc6f2c06a" + ], + "columns": { + "2be98fc5-9e15-4e81-8ba1-f4cbc6f2c06a": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Invalidated sessions by Timeouts", + "operationType": "last_value", + "params": { + "format": { + "id": "number", + "params": { + "decimals": 0 + } + }, + "showArrayValues": true, + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "websphere_application_server.session_manager.sessions.invalidated.by_timeouts" + } + }, + "incompleteColumns": {} + } + } + } }, - "showArrayValues": true, - "sortField": 
"@timestamp" - }, - "scale": "ratio", - "sourceField": "websphere_application_server.session_manager.persistent_stores.data_written" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "axisTitlesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "fittingFunction": "None", - "gridlinesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "4a163dcc-72d4-4fa7-a5e0-32e5fc5284ec", + "key": "websphere_application_server.session_manager.sessions.invalidated.by_timeouts", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "websphere_application_server.session_manager.sessions.invalidated.by_timeouts" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "accessor": "2be98fc5-9e15-4e81-8ba1-f4cbc6f2c06a", + "layerId": "0eac0fd6-b8fc-4080-a3e6-3915b79b0fed", + "layerType": "data", + "size": "xl", + "textAlign": "center", + "titlePosition": "bottom" + } + }, + "title": "Invalidated sessions by Timeouts [Metrics WebSphere Application Server]", + "visualizationType": "lnsLegacyMetric" + }, + "enhancements": {}, + "hidePanelTitles": false }, - "labelsOrientation": { - "x": 0, - "yLeft": 0, - "yRight": 0 + "gridData": { + "h": 17, + "i": "19872277-f696-4e82-a0d0-3a84dbc246e6", + "w": 14, + "x": 0, + "y": 0 }, - "layers": [ - { - "accessors": [ - "a6370094-15b2-4777-ac22-fe0612a6d34f", - "1dc49faf-ed90-489c-94cc-b145a28cba19" - ], - "layerId": "79027b05-459f-4773-823b-238f4e0b907a", - "layerType": "data", - "position": "top", - "seriesType": "bar_stacked", - "showGridlines": false, - "splitAccessor": "53ba3e6e-9050-4ad0-a043-2bd5a3d792ee", - "xAccessor": "407e0b68-66ae-43db-a9e3-86e632694e6b", - "yConfig": [ - { - "color": "#087dea", - 
"forAccessor": "a6370094-15b2-4777-ac22-fe0612a6d34f" - }, - { - "color": "#60c06d", - "forAccessor": "1dc49faf-ed90-489c-94cc-b145a28cba19" - } - ] - } - ], - "legend": { - "isVisible": true, - "legendSize": "auto", - "position": "right" + "panelIndex": "19872277-f696-4e82-a0d0-3a84dbc246e6", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-0ebc90f5-04f1-45fe-bd63-d4c13a7dd62c", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "bb425378-17d3-46b5-aab3-d274bdd9f097", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "formBased": { + "layers": { + "0ebc90f5-04f1-45fe-bd63-d4c13a7dd62c": { + "columnOrder": [ + "b0fcb1bb-3640-4710-bb39-4e7ac9985961" + ], + "columns": { + "b0fcb1bb-3640-4710-bb39-4e7ac9985961": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Active Sessions", + "operationType": "last_value", + "params": { + "showArrayValues": true, + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "websphere_application_server.session_manager.sessions.active" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "bb425378-17d3-46b5-aab3-d274bdd9f097", + "key": "websphere_application_server.session_manager.sessions.active", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "websphere_application_server.session_manager.sessions.active" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "accessor": "b0fcb1bb-3640-4710-bb39-4e7ac9985961", + "layerId": "0ebc90f5-04f1-45fe-bd63-d4c13a7dd62c", + "layerType": "data", + "size": "xl", + "textAlign": "center", 
+ "titlePosition": "bottom" + } + }, + "title": "Active sessions [Metrics WebSphere Application Server]", + "visualizationType": "lnsLegacyMetric" + }, + "enhancements": {}, + "hidePanelTitles": false }, - "preferredSeriesType": "bar_stacked", - "tickLabelsVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true + "gridData": { + "h": 8, + "i": "db58d5f2-b5da-43f9-9a53-3dfe2151b7ad", + "w": 9, + "x": 14, + "y": 0 }, - "valueLabels": "hide", - "yLeftExtent": { - "mode": "full" + "panelIndex": "db58d5f2-b5da-43f9-9a53-3dfe2151b7ad", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-79027b05-459f-4773-823b-238f4e0b907a", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "formBased": { + "layers": { + "79027b05-459f-4773-823b-238f4e0b907a": { + "columnOrder": [ + "407e0b68-66ae-43db-a9e3-86e632694e6b", + "53ba3e6e-9050-4ad0-a043-2bd5a3d792ee", + "a6370094-15b2-4777-ac22-fe0612a6d34f", + "1dc49faf-ed90-489c-94cc-b145a28cba19" + ], + "columns": { + "1dc49faf-ed90-489c-94cc-b145a28cba19": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Persistent Stores Data Read", + "operationType": "last_value", + "params": { + "showArrayValues": false, + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "websphere_application_server.session_manager.persistent_stores.data_read" + }, + "407e0b68-66ae-43db-a9e3-86e632694e6b": { + "customLabel": true, + "dataType": "date", + "isBucketed": true, + "label": "Timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "53ba3e6e-9050-4ad0-a043-2bd5a3d792ee": { + "dataType": "string", + "isBucketed": true, + "label": "Top values of websphere_application_server.session_manager.app_name", + "operationType": "terms", + 
"params": { + "missingBucket": false, + "orderBy": { + "columnId": "1dc49faf-ed90-489c-94cc-b145a28cba19", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 3 + }, + "scale": "ordinal", + "sourceField": "websphere_application_server.session_manager.app_name" + }, + "a6370094-15b2-4777-ac22-fe0612a6d34f": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Persistent Stores Data Written", + "operationType": "last_value", + "params": { + "format": { + "id": "number", + "params": { + "decimals": 0 + } + }, + "showArrayValues": true, + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "websphere_application_server.session_manager.persistent_stores.data_written" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "a6370094-15b2-4777-ac22-fe0612a6d34f", + "1dc49faf-ed90-489c-94cc-b145a28cba19" + ], + "layerId": "79027b05-459f-4773-823b-238f4e0b907a", + "layerType": "data", + "position": "top", + "seriesType": "bar_stacked", + "showGridlines": false, + "splitAccessor": "53ba3e6e-9050-4ad0-a043-2bd5a3d792ee", + "xAccessor": "407e0b68-66ae-43db-a9e3-86e632694e6b", + "yConfig": [ + { + "color": "#087dea", + "forAccessor": "a6370094-15b2-4777-ac22-fe0612a6d34f" + }, + { + "color": "#60c06d", + "forAccessor": "1dc49faf-ed90-489c-94cc-b145a28cba19" + } + ] + } + ], + "legend": { + "isVisible": true, + "legendSize": "auto", + "position": "right" + }, + "preferredSeriesType": "bar_stacked", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + 
"yRight": true + }, + "valueLabels": "hide", + "yLeftExtent": { + "mode": "full" + }, + "yRightExtent": { + "mode": "full" + }, + "yTitle": "Count" + } + }, + "title": "Persistent Store Data Read and Written [Metrics WebSphere Application Server]", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false }, - "yRightExtent": { - "mode": "full" + "gridData": { + "h": 17, + "i": "83e5353e-78da-4523-8a4a-d370afc2eefa", + "w": 25, + "x": 23, + "y": 0 }, - "yTitle": "Count" - } + "panelIndex": "83e5353e-78da-4523-8a4a-d370afc2eefa", + "type": "lens" }, - "title": "Persistent Store Data Read and Written [Metrics WebSphere Application Server]", - "visualizationType": "lnsXY", - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-79027b05-459f-4773-823b-238f4e0b907a", - "type": "index-pattern" - } - ] - } + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-0ebc90f5-04f1-45fe-bd63-d4c13a7dd62c", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "10b45b12-77b4-4241-a864-55c5b313cd40", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "formBased": { + "layers": { + "0ebc90f5-04f1-45fe-bd63-d4c13a7dd62c": { + "columnOrder": [ + "b0fcb1bb-3640-4710-bb39-4e7ac9985961" + ], + "columns": { + "b0fcb1bb-3640-4710-bb39-4e7ac9985961": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Created Sessions", + "operationType": "last_value", + "params": { + "showArrayValues": true, + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "websphere_application_server.session_manager.sessions.created" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + 
"index": "10b45b12-77b4-4241-a864-55c5b313cd40", + "key": "websphere_application_server.session_manager.sessions.created", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "websphere_application_server.session_manager.sessions.created" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "accessor": "b0fcb1bb-3640-4710-bb39-4e7ac9985961", + "layerId": "0ebc90f5-04f1-45fe-bd63-d4c13a7dd62c", + "layerType": "data", + "size": "xl", + "textAlign": "center", + "titlePosition": "bottom" + } + }, + "title": "Created sessions [Metrics WebSphere Application Server]", + "visualizationType": "lnsLegacyMetric" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 9, + "i": "396f488f-0d3c-44c2-bd13-312d9db09222", + "w": 9, + "x": 14, + "y": 8 + }, + "panelIndex": "396f488f-0d3c-44c2-bd13-312d9db09222", + "title": "Created sessions [Metrics WebSphere Application Server]", + "type": "lens" + } + ], + "timeRestore": false, + "title": "[Metrics WebSphere Application Server] Session Manager", + "version": 1 + }, + "coreMigrationVersion": "8.8.0", + "created_at": "2024-04-22T09:46:46.117Z", + "id": "websphere_application_server-db548380-c06d-11ec-8552-f3dc1a6b95f9", + "managed": false, + "references": [ + { + "id": "metrics-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" }, - "gridData": { - "h": 17, - "i": "83e5353e-78da-4523-8a4a-d370afc2eefa", - "w": 25, - "x": 23, - "y": 0 + { + "id": "metrics-*", + "name": "19872277-f696-4e82-a0d0-3a84dbc246e6:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" }, - "panelIndex": "83e5353e-78da-4523-8a4a-d370afc2eefa", - "type": "lens", - "version": "8.3.0" - }, - { - "embeddableConfig": { - "enhancements": {}, - "hidePanelTitles": false, - "attributes": { - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - 
"0ebc90f5-04f1-45fe-bd63-d4c13a7dd62c": { - "columnOrder": [ - "b0fcb1bb-3640-4710-bb39-4e7ac9985961" - ], - "columns": { - "b0fcb1bb-3640-4710-bb39-4e7ac9985961": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Created Sessions", - "operationType": "last_value", - "params": { - "showArrayValues": true, - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "websphere_application_server.session_manager.sessions.created" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "10b45b12-77b4-4241-a864-55c5b313cd40", - "key": "websphere_application_server.session_manager.sessions.created", - "negate": false, - "type": "exists", - "value": "exists" - }, - "query": { - "exists": { - "field": "websphere_application_server.session_manager.sessions.created" - } - } - } - ], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "accessor": "b0fcb1bb-3640-4710-bb39-4e7ac9985961", - "layerId": "0ebc90f5-04f1-45fe-bd63-d4c13a7dd62c", - "layerType": "data", - "size": "xl", - "textAlign": "center", - "titlePosition": "bottom" - } - }, - "title": "Created sessions [Metrics WebSphere Application Server]", - "visualizationType": "lnsMetric", - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-0ebc90f5-04f1-45fe-bd63-d4c13a7dd62c", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "10b45b12-77b4-4241-a864-55c5b313cd40", - "type": "index-pattern" - } - ] - } + { + "id": "metrics-*", + "name": "19872277-f696-4e82-a0d0-3a84dbc246e6:indexpattern-datasource-layer-0eac0fd6-b8fc-4080-a3e6-3915b79b0fed", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": 
"19872277-f696-4e82-a0d0-3a84dbc246e6:4a163dcc-72d4-4fa7-a5e0-32e5fc5284ec", + "type": "index-pattern" }, - "gridData": { - "h": 9, - "i": "396f488f-0d3c-44c2-bd13-312d9db09222", - "w": 9, - "x": 14, - "y": 8 + { + "id": "metrics-*", + "name": "db58d5f2-b5da-43f9-9a53-3dfe2151b7ad:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" }, - "panelIndex": "396f488f-0d3c-44c2-bd13-312d9db09222", - "title": "Created sessions [Metrics WebSphere Application Server]", - "type": "lens", - "version": "8.3.0" - } + { + "id": "metrics-*", + "name": "db58d5f2-b5da-43f9-9a53-3dfe2151b7ad:indexpattern-datasource-layer-0ebc90f5-04f1-45fe-bd63-d4c13a7dd62c", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "db58d5f2-b5da-43f9-9a53-3dfe2151b7ad:bb425378-17d3-46b5-aab3-d274bdd9f097", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "83e5353e-78da-4523-8a4a-d370afc2eefa:indexpattern-datasource-layer-79027b05-459f-4773-823b-238f4e0b907a", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "396f488f-0d3c-44c2-bd13-312d9db09222:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "396f488f-0d3c-44c2-bd13-312d9db09222:indexpattern-datasource-layer-0ebc90f5-04f1-45fe-bd63-d4c13a7dd62c", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "396f488f-0d3c-44c2-bd13-312d9db09222:10b45b12-77b4-4241-a864-55c5b313cd40", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "controlGroup_fa304aea-2c1b-4393-aef2-06114a566f7c:optionsListDataView", + "type": "index-pattern" + } ], - "timeRestore": false, - "title": "[Metrics WebSphere Application Server] Session Manager", - "version": 1 - }, - "references": [ - { - "id": "metrics-*", - "name": "controlGroup_fa304aea-2c1b-4393-aef2-06114a566f7c:optionsListDataView", - "type": "index-pattern" - }, - { - "type": "index-pattern", - "name": 
"19872277-f696-4e82-a0d0-3a84dbc246e6:indexpattern-datasource-current-indexpattern", - "id": "metrics-*" - }, - { - "type": "index-pattern", - "name": "19872277-f696-4e82-a0d0-3a84dbc246e6:indexpattern-datasource-layer-0eac0fd6-b8fc-4080-a3e6-3915b79b0fed", - "id": "metrics-*" - }, - { - "type": "index-pattern", - "name": "19872277-f696-4e82-a0d0-3a84dbc246e6:4a163dcc-72d4-4fa7-a5e0-32e5fc5284ec", - "id": "metrics-*" - }, - { - "type": "index-pattern", - "name": "db58d5f2-b5da-43f9-9a53-3dfe2151b7ad:indexpattern-datasource-current-indexpattern", - "id": "metrics-*" - }, - { - "type": "index-pattern", - "name": "db58d5f2-b5da-43f9-9a53-3dfe2151b7ad:indexpattern-datasource-layer-0ebc90f5-04f1-45fe-bd63-d4c13a7dd62c", - "id": "metrics-*" - }, - { - "type": "index-pattern", - "name": "db58d5f2-b5da-43f9-9a53-3dfe2151b7ad:bb425378-17d3-46b5-aab3-d274bdd9f097", - "id": "metrics-*" - }, - { - "type": "index-pattern", - "name": "83e5353e-78da-4523-8a4a-d370afc2eefa:indexpattern-datasource-layer-79027b05-459f-4773-823b-238f4e0b907a", - "id": "metrics-*" - }, - { - "type": "index-pattern", - "name": "396f488f-0d3c-44c2-bd13-312d9db09222:indexpattern-datasource-current-indexpattern", - "id": "metrics-*" - }, - { - "type": "index-pattern", - "name": "396f488f-0d3c-44c2-bd13-312d9db09222:indexpattern-datasource-layer-0ebc90f5-04f1-45fe-bd63-d4c13a7dd62c", - "id": "metrics-*" - }, - { - "type": "index-pattern", - "name": "396f488f-0d3c-44c2-bd13-312d9db09222:10b45b12-77b4-4241-a864-55c5b313cd40", - "id": "metrics-*" - } - ], - "migrationVersion": { - "dashboard": "8.3.0" - }, - "coreMigrationVersion": "8.3.0" + "type": "dashboard", + "typeMigrationVersion": "8.9.0" } \ No newline at end of file diff --git a/packages/websphere_application_server/manifest.yml b/packages/websphere_application_server/manifest.yml index cd1cc3ec1c4..535e1638d3b 100644 --- a/packages/websphere_application_server/manifest.yml +++ b/packages/websphere_application_server/manifest.yml 
@@ -1,7 +1,7 @@
 format_version: "3.0.2"
 name: websphere_application_server
 title: WebSphere Application Server
-version: "1.3.0"
+version: "1.4.0"
 description: Collects metrics from IBM WebSphere Application Server with Elastic Agent.
 type: integration
 categories:
diff --git a/packages/websphere_application_server/validation.yml b/packages/websphere_application_server/validation.yml
deleted file mode 100644
index efdb1de132d..00000000000
--- a/packages/websphere_application_server/validation.yml
+++ /dev/null
@@ -1,4 +0,0 @@
-errors:
- exclude_checks:
- - SVR00004
- - SVR00002
From ddea2d0936319bd79c48a30e030b37c43658c0d6 Mon Sep 17 00:00:00 2001 From: Rickyanto Ang Date: Sun, 23 Jun 2024 12:33:14 -0700 Subject: [PATCH 036/105] [Cloud Security] Update type text to password when isSecret is True (#10208) * updated manifest changing text to password where isSecret is true * change link --- packages/cloud_security_posture/changelog.yml | 5 +++++ .../data_stream/findings/manifest.yml | 10 +++++----- packages/cloud_security_posture/manifest.yml | 2 +- 3 files changed, 11 insertions(+), 6 deletions(-)
diff --git a/packages/cloud_security_posture/changelog.yml b/packages/cloud_security_posture/changelog.yml
index 0a160728768..b457543e45d 100644
--- a/packages/cloud_security_posture/changelog.yml
+++ b/packages/cloud_security_posture/changelog.yml
@@ -9,6 +9,11 @@
 # 1.4.x - 8.9.x
 # 1.3.x - 8.8.x
 # 1.2.x - 8.7.x
+- version: "1.10.0-preview02"
+ changes:
+ - description: Change field type to password where isSecret is true
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/10208
 - version: "1.10.0-preview01"
 changes:
 - description: Add cloud formation template url to create direct access keys credentials
diff --git a/packages/cloud_security_posture/data_stream/findings/manifest.yml b/packages/cloud_security_posture/data_stream/findings/manifest.yml
index 112d21ce544..227d0bdecc8 100644
--- a/packages/cloud_security_posture/data_stream/findings/manifest.yml
+++ b/packages/cloud_security_posture/data_stream/findings/manifest.yml
@@ -26,7 +26,7 @@ streams:
 required: false
 show_user: true
 - name: secret_access_key
- type: text
+ type: password
 title: Secret Access Key
 multi: false
 required: false
@@ -76,7 +76,7 @@ streams:
 required: false
 show_user: true
 - name: secret_access_key
- type: text
+ type: password
 title: Secret Access Key
 multi: false
 required: false
@@ -193,7 +193,7 @@ streams:
 required: false
 show_user: true
 - name: azure.credentials.client_secret
- type: text
+ type: password
 title: Client Secret
 multi: false
 required: false
@@ -206,7 +206,7 @@ streams:
 required: false
 show_user: true
 - name: azure.credentials.client_password
- type: text
+ type: password
 title: Client Password
 multi: false
 required: false
@@ -219,7 +219,7 @@ streams:
 required: false
 show_user: true
 - name: azure.credentials.client_certificate_password
- type: text
+ type: password
 title: Client Certificate Password
 multi: false
 required: false
diff --git a/packages/cloud_security_posture/manifest.yml b/packages/cloud_security_posture/manifest.yml
index 4faff7a43af..95de2122a7d 100644
--- a/packages/cloud_security_posture/manifest.yml
+++ b/packages/cloud_security_posture/manifest.yml
@@ -1,7 +1,7 @@
 format_version: 3.0.0
 name: cloud_security_posture
 title: "Security Posture Management"
-version: "1.10.0-preview01"
+version: "1.10.0-preview02"
 source:
 license: "Elastic-2.0"
 description: "Identify & remediate configuration risks in your Cloud infrastructure"
From 73f75b56c3a2053c368983c85c5c8091b1a3f3d4 Mon Sep 17 00:00:00 2001
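Review bot: Each of the five hunks here (`-26`, `-76`, `-193`, `-206`, `-219`) switches `type: text` to `type: password`, but none of their three-line context windows reaches the `secret` attribute the commit title pairs the change with, so the pairing cannot be confirmed from the diff alone. `type: password` only masks the input in the Fleet form; keeping the value out of the rendered policy and of API responses depends on the variable's `secret` flag, which is presumably set a few lines below each hunk and should be checked on all five. Because the commit touches exactly five variables, a pass over the full manifest for any other variable that carries `secret: true` while still typed `text` would keep the UI treatment consistent across the AWS, Azure and any other credential sections. The enclosing `streams:` entries start and end outside these hunks.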
From: Chris Berkhout Date: Mon, 24 Jun 2024 17:34:04 +1000 Subject: [PATCH 037/105] [ti_opencti] Ignore missing createdBy, improve reg hive name handling (#10203) - Avoid failing the pipeline if the createdBy field is null or absent. - Avoid failing if a Windows registry key name doesn't have a path separator in it. - Match and normalize specific Windows registry hive names rather than assuming the first part of a path is a hive. The `opencti.observable.windows_registry_key.attribute_key` value is unchanged, but the ECS field `threat.indicator.registry.hive` is now set to the abbreviated name, as expected. --- packages/ti_opencti/changelog.yml | 5 ++ .../test-ipv4-addr-createdby-is-null.json | 47 ++++++++++++ ...-addr-createdby-is-null.json-expected.json | 73 ++++++++++++++++++ .../test-windows-registry-key-no-hive.json | 61 +++++++++++++++ ...ws-registry-key-no-hive.json-expected.json | 76 +++++++++++++++++++ .../elasticsearch/ingest_pipeline/default.yml | 2 + .../ecs_from_windows_registry_key.yml | 21 ++++- packages/ti_opencti/manifest.yml | 2 +- 8 files changed, 284 insertions(+), 3 deletions(-) create mode 100644 packages/ti_opencti/data_stream/indicator/_dev/test/pipeline/test-ipv4-addr-createdby-is-null.json create mode 100644 packages/ti_opencti/data_stream/indicator/_dev/test/pipeline/test-ipv4-addr-createdby-is-null.json-expected.json create mode 100644 packages/ti_opencti/data_stream/indicator/_dev/test/pipeline/test-windows-registry-key-no-hive.json create mode 100644 packages/ti_opencti/data_stream/indicator/_dev/test/pipeline/test-windows-registry-key-no-hive.json-expected.json diff --git a/packages/ti_opencti/changelog.yml b/packages/ti_opencti/changelog.yml index 124b1855d9e..ef67ccc3bd4 100644 --- a/packages/ti_opencti/changelog.yml +++ b/packages/ti_opencti/changelog.yml 
@@ -1,4 +1,9 @@ # newer versions go on top +- version: "2.3.1" + changes: + - description: Ignore missing createdBy, improve registry hive name handling. + type: bugfix + link: https://github.com/elastic/integrations/pull/10203 - version: "2.3.0" changes: - description: Removed import_mappings. Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template. diff --git a/packages/ti_opencti/data_stream/indicator/_dev/test/pipeline/test-ipv4-addr-createdby-is-null.json b/packages/ti_opencti/data_stream/indicator/_dev/test/pipeline/test-ipv4-addr-createdby-is-null.json new file mode 100644 index 00000000000..ee449555da9 --- /dev/null +++ b/packages/ti_opencti/data_stream/indicator/_dev/test/pipeline/test-ipv4-addr-createdby-is-null.json @@ -0,0 +1,47 @@ +{ + "events": [ + { + "confidence": 15, + "created": "2022-06-21T07:08:58.222Z", + "createdBy": null, + "description": "Simple indicator of observable {216.160.83.57}", + "externalReferences": { + "edges": [] + }, + "id": "a1f3e8b3-d1c0-4fca-929b-81d3570a4c3c", + "is_inferred": false, + "killChainPhases": [], + "lang": "en", + "modified": "2022-07-21T08:13:19.927Z", + "name": "216.160.83.57", + "objectLabel": [], + "objectMarking": [], + "observables": { + "edges": [ + { + "node": { + "entity_type": "IPv4-Addr", + "id": "25ee0d9d-d68e-49e9-bf5e-ec530baa8604", + "observable_value": "216.160.83.57", + "standard_id": "ipv4-addr--b4c90ba2-9df9-50ca-870c-093d6883fb88", + "value": "216.160.83.57" + } + } + ], + "pageInfo": { + "globalCount": 1 + } + }, + "pattern": "[ipv4-addr:value = '216.160.83.57']", + "pattern_type": "stix", + "pattern_version": null, + "revoked": true, + "standard_id": "indicator--8e4329db-e015-541d-8397-3b3816d7473a", + "valid_from": "2022-06-21T08:11:01.786Z", + "valid_until": "2022-07-21T08:11:01.785Z", + "x_opencti_detection": false, + "x_opencti_main_observable_type": "IPv4-Addr", + "x_opencti_score": 50 + } + ] +} 
diff --git a/packages/ti_opencti/data_stream/indicator/_dev/test/pipeline/test-ipv4-addr-createdby-is-null.json-expected.json b/packages/ti_opencti/data_stream/indicator/_dev/test/pipeline/test-ipv4-addr-createdby-is-null.json-expected.json new file mode 100644 index 00000000000..abf76156f30 --- /dev/null +++ b/packages/ti_opencti/data_stream/indicator/_dev/test/pipeline/test-ipv4-addr-createdby-is-null.json-expected.json 
@@ -0,0 +1,73 @@ +{ + "expected": [ + { + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "threat" + ], + "created": "2022-06-21T07:08:58.222Z", + "id": "a1f3e8b3-d1c0-4fca-929b-81d3570a4c3c", + "kind": "enrichment", + "type": [ + "indicator" + ] + }, + "opencti": { + "indicator": { + "detection": false, + "invalid_or_revoked_from": "2022-07-21T08:11:01.785Z", + "is_inferred": false, + "lang": "en", + "observables_count": 1, + "pattern": "[ipv4-addr:value = '216.160.83.57']", + "pattern_type": "stix", + "revoked": true, + "score": 50, + "standard_id": "indicator--8e4329db-e015-541d-8397-3b3816d7473a", + "valid_from": "2022-06-21T08:11:01.786Z", + "valid_until": "2022-07-21T08:11:01.785Z" + }, + "observable": { + "ipv4_addr": { + "entity_type": "IPv4-Addr", + "id": "25ee0d9d-d68e-49e9-bf5e-ec530baa8604", + "standard_id": "ipv4-addr--b4c90ba2-9df9-50ca-870c-093d6883fb88", + "value": "216.160.83.57" + } + } + }, + "related": { + "ip": [ + "216.160.83.57" + ] + }, + "tags": [ + "forwarded", + "opencti-indicator", + "ecs-indicator-detail" + ], + "threat": { + "feed": { + "dashboard_id": "ti_opencti-83b2bef0-591c-11ee-ba5f-49a63bb985cd", + "description": "Indicator data from OpenCTI", + "name": "OpenCTI", + "reference": "https://docs.opencti.io/latest/usage/overview/" + }, + "indicator": { + "confidence": "Low", + "description": "Simple indicator of observable {216.160.83.57}", + "ip": [ + "216.160.83.57" + ], + "modified_at": "2022-07-21T08:13:19.927Z", + "name": "216.160.83.57", + "reference": "https://demo.opencti.io/dashboard/observations/indicators/a1f3e8b3-d1c0-4fca-929b-81d3570a4c3c", + "type": "ipv4-addr" + } + } + } + ] +} \ No newline at end of file diff --git a/packages/ti_opencti/data_stream/indicator/_dev/test/pipeline/test-windows-registry-key-no-hive.json b/packages/ti_opencti/data_stream/indicator/_dev/test/pipeline/test-windows-registry-key-no-hive.json new file mode 100644 index 00000000000..139516a56db --- /dev/null 
+++ b/packages/ti_opencti/data_stream/indicator/_dev/test/pipeline/test-windows-registry-key-no-hive.json @@ -0,0 +1,61 @@ +{ + "events": [ + { + "id": "e300e111-f6c6-4305-9069-fcb2f5fb2938", + "standard_id": "indicator--6cec4cfd-299f-5cd2-ad1a-9259d44331e5", + "is_inferred": false, + "revoked": true, + "confidence": 15, + "lang": "en", + "created": "2016-10-25T14:13:17.000Z", + "modified": "2023-01-17T06:30:13.710Z", + "pattern_type": "stix", + "pattern_version": "2.1", + "pattern": "[windows-registry-key:key = '{59031A47-3F72-44A7-80C5-5595FE6B30EE}']", + "name": "{59031A47-3F72-44A7-80C5-5595FE6B30EE}", + "description": "Sedreco", + "valid_from": "2016-10-25T14:13:17.000Z", + "valid_until": "2017-10-25T14:13:17.000Z", + "x_opencti_score": 40, + "x_opencti_detection": false, + "x_opencti_main_observable_type": "Windows-Registry-Key", + "createdBy": { + "identity_class": "organization", + "name": "CIRCL" + }, + "objectMarking": [ + { + "definition_type": "TLP", + "definition": "TLP:CLEAR" + } + ], + "objectLabel": [ + { + "value": "technical-report" + } + ], + "killChainPhases": [], + "externalReferences": { + "edges": [] + }, + "observables": { + "edges": [ + { + "node": { + "id": "12befd29-7fba-46c2-8b17-733878fe8d74", + "standard_id": "windows-registry-key--e4bb86e8-5280-5059-924a-6e8431fc2b78", + "entity_type": "Windows-Registry-Key", + "observable_value": "{59031A47-3F72-44A7-80C5-5595FE6B30EE}", + "attribute_key": "{59031A47-3F72-44A7-80C5-5595FE6B30EE}", + "modified_time": null, + "number_of_subkeys": null + } + } + ], + "pageInfo": { + "globalCount": 1 + } + } + } + ] +} diff --git a/packages/ti_opencti/data_stream/indicator/_dev/test/pipeline/test-windows-registry-key-no-hive.json-expected.json b/packages/ti_opencti/data_stream/indicator/_dev/test/pipeline/test-windows-registry-key-no-hive.json-expected.json new file mode 100644 index 00000000000..eb339c9e9ea --- /dev/null 
+++ b/packages/ti_opencti/data_stream/indicator/_dev/test/pipeline/test-windows-registry-key-no-hive.json-expected.json 
@@ -0,0 +1,76 @@ +{ + "expected": [ + { + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "threat" + ], + "created": "2016-10-25T14:13:17.000Z", + "id": "e300e111-f6c6-4305-9069-fcb2f5fb2938", + "kind": "enrichment", + "type": [ + "indicator" + ] + }, + "opencti": { + "indicator": { + "creator_identity_class": "organization", + "detection": false, + "invalid_or_revoked_from": "2017-10-25T14:13:17.000Z", + "is_inferred": false, + "lang": "en", + "observables_count": 1, + "pattern": "[windows-registry-key:key = '{59031A47-3F72-44A7-80C5-5595FE6B30EE}']", + "pattern_type": "stix", + "pattern_version": "2.1", + "revoked": true, + "score": 40, + "standard_id": "indicator--6cec4cfd-299f-5cd2-ad1a-9259d44331e5", + "valid_from": "2016-10-25T14:13:17.000Z", + "valid_until": "2017-10-25T14:13:17.000Z" + }, + "observable": { + "windows_registry_key": { + "attribute_key": "{59031A47-3F72-44A7-80C5-5595FE6B30EE}", + "entity_type": "Windows-Registry-Key", + "id": "12befd29-7fba-46c2-8b17-733878fe8d74", + "standard_id": "windows-registry-key--e4bb86e8-5280-5059-924a-6e8431fc2b78", + "value": "{59031A47-3F72-44A7-80C5-5595FE6B30EE}" + } + } + }, + "tags": [ + "forwarded", + "opencti-indicator", + "technical-report", + "ecs-indicator-detail" + ], + "threat": { + "feed": { + "dashboard_id": "ti_opencti-83b2bef0-591c-11ee-ba5f-49a63bb985cd", + "description": "Indicator data from OpenCTI", + "name": "OpenCTI", + "reference": "https://docs.opencti.io/latest/usage/overview/" + }, + "indicator": { + "confidence": "Low", + "description": "Sedreco", + "marking": { + "tlp": "CLEAR" + }, + "modified_at": "2023-01-17T06:30:13.710Z", + "name": "{59031A47-3F72-44A7-80C5-5595FE6B30EE}", + "provider": "CIRCL", + "reference": "https://demo.opencti.io/dashboard/observations/indicators/e300e111-f6c6-4305-9069-fcb2f5fb2938", + "registry": { + "key": "{59031A47-3F72-44A7-80C5-5595FE6B30EE}" + }, + "type": "windows-registry-key" + } + } + } + ] +} \ No newline at end of file 
diff --git a/packages/ti_opencti/data_stream/indicator/elasticsearch/ingest_pipeline/default.yml b/packages/ti_opencti/data_stream/indicator/elasticsearch/ingest_pipeline/default.yml
index a406a1f3049..4fe6da87a91 100644
--- a/packages/ti_opencti/data_stream/indicator/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/ti_opencti/data_stream/indicator/elasticsearch/ingest_pipeline/default.yml
@@ -156,9 +156,11 @@ processors:
 - rename:
 field: createdBy.name
 target_field: threat.indicator.provider
+ ignore_missing: true
 - rename:
 field: createdBy.identity_class
 target_field: opencti.indicator.creator_identity_class
+ ignore_missing: true
 - remove:
 field: createdBy
 ignore_missing: true
diff --git a/packages/ti_opencti/data_stream/indicator/elasticsearch/ingest_pipeline/ecs_from_windows_registry_key.yml b/packages/ti_opencti/data_stream/indicator/elasticsearch/ingest_pipeline/ecs_from_windows_registry_key.yml
index edcdf818e87..337fb6e462e 100644
--- a/packages/ti_opencti/data_stream/indicator/elasticsearch/ingest_pipeline/ecs_from_windows_registry_key.yml
+++ b/packages/ti_opencti/data_stream/indicator/elasticsearch/ingest_pipeline/ecs_from_windows_registry_key.yml
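Review bot: The two `ignore_missing: true` additions cover the `createdBy: null` fixture this PR adds, but the commit message also claims the absent-`createdBy` case and no fixture exercises it; a second fixture with the key omitted, or a comment on the null fixture saying it stands in for both, would make that claim checkable. As I read the rename processor, a null value and a missing field are both covered by `ignore_missing`, so the pipeline itself is likely fine either way. Since `threat.indicator.provider` can now legitimately be absent, a comment on the first rename such as `# createdBy can be null or absent in OpenCTI exports; provider is then left unset` would tell the next reader the gap is expected rather than a parse failure. The `processors:` list this sits in starts and ends outside the hunk.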
@@ -2,9 +2,26 @@ description: Build ECS fields from an OpenCTI windows registry key observable
 processors:
- - dissect:
+ - grok:
 field: _ingest._value.attribute_key
- pattern: "%{_tmp_registry.hive}\\%{_tmp_registry.key}"
+ patterns:
+ - '^(%{HIVE_NAMES:_tmp_registry.hive}\\)?%{GREEDYDATA:_tmp_registry.key}$'
+ pattern_definitions:
+ HIVE_NAMES: "(?i:HKEY_CLASSES_ROOT|HKCR|HKEY_CURRENT_USER|HKCU|HKEY_LOCAL_MACHINE|HKLM|HKEY_USERS|HKU|HKEY_CURRENT_CONFIG|HKCC)"
+
+ - script:
+ description: Normalize hive names (ECS uses abbreviated names)
+ lang: painless
+ params:
+ HKEY_CLASSES_ROOT: HKCR
+ HKEY_CURRENT_USER: HKCU
+ HKEY_LOCAL_MACHINE: HKLM
+ HKEY_USERS: HKU
+ HKEY_CURRENT_CONFIG: HKCC
+ source: |
+ def name = ctx._tmp_registry.hive.toUpperCase();
+ ctx._tmp_registry.hive = params.getOrDefault(name, name);
+ if: ctx._tmp_registry?.hive != null
 # append object
 - append:
diff --git a/packages/ti_opencti/manifest.yml b/packages/ti_opencti/manifest.yml
index 58d590fa9fd..01bcb8a3604 100644
--- a/packages/ti_opencti/manifest.yml
+++ b/packages/ti_opencti/manifest.yml
@@ -1,7 +1,7 @@
 format_version: "3.0.2"
 name: ti_opencti
 title: OpenCTI
-version: "2.3.0"
+version: "2.3.1"
 description: "Ingest threat intelligence indicators from OpenCTI with Elastic Agent."
 type: integration
 source:
From 8be6041db024b306f8ff93f628363bfcb4d6279c Mon Sep 17 00:00:00 2001
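Review bot: The new grok processor carries no `ignore_missing: true`, so a Windows-Registry-Key observable whose `attribute_key` is null or absent fails the whole document, whereas the painless step right below it does guard with `if: ctx._tmp_registry?.hive != null`; the dissect it replaces failed the same way, so this is not a regression, but if OpenCTI can emit such an observable the grok should get `ignore_missing: true` together with a fixture for that case. The grok step also lacks the `description:` its sibling script has; suggest `description: Split the registry key into an optional hive prefix and the remaining key path (keys without a hive are kept whole)` so the purpose of the optional group in the pattern is visible. Note too that a value consisting of only a hive name with no trailing backslash is captured by GREEDYDATA as the key rather than the hive, which is probably acceptable but deserves a one-line comment if intended. The `- append:` processor the hunk ends on continues outside it.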
From: Chris Berkhout Date: Mon, 24 Jun 2024 18:12:27 +1000 Subject: [PATCH 038/105] Remove references to Kibana versions from READMEs (#10182) The source of truth for Kibana version constraints is the manifest file. Hard-coded references in READMEs easily become out of date, so it's better to not have them. --- packages/azure_network_watcher_nsg/_dev/build/docs/README.md | 2 -- packages/azure_network_watcher_nsg/changelog.yml | 5 +++++ packages/azure_network_watcher_nsg/docs/README.md | 2 -- packages/azure_network_watcher_nsg/manifest.yml | 2 +- .../azure_network_watcher_vnet/_dev/build/docs/README.md | 2 -- packages/azure_network_watcher_vnet/changelog.yml | 5 +++++ packages/azure_network_watcher_vnet/docs/README.md | 2 -- packages/azure_network_watcher_vnet/manifest.yml | 2 +- packages/eset_protect/_dev/build/docs/README.md | 1 - packages/eset_protect/changelog.yml | 5 +++++ packages/eset_protect/docs/README.md | 1 - packages/eset_protect/manifest.yml | 2 +- packages/imperva_cloud_waf/_dev/build/docs/README.md | 2 -- packages/imperva_cloud_waf/changelog.yml | 5 +++++ packages/imperva_cloud_waf/docs/README.md | 2 -- packages/imperva_cloud_waf/manifest.yml | 2 +- packages/sentinel_one_cloud_funnel/_dev/build/docs/README.md | 2 -- packages/sentinel_one_cloud_funnel/changelog.yml | 5 +++++ packages/sentinel_one_cloud_funnel/docs/README.md | 2 -- packages/sentinel_one_cloud_funnel/manifest.yml | 2 +- packages/symantec_edr_cloud/_dev/build/docs/README.md | 1 - packages/symantec_edr_cloud/changelog.yml | 5 +++++ packages/symantec_edr_cloud/docs/README.md | 1 - packages/symantec_edr_cloud/manifest.yml | 2 +- packages/ti_crowdstrike/_dev/build/docs/README.md | 1 - packages/ti_crowdstrike/changelog.yml | 5 +++++ packages/ti_crowdstrike/docs/README.md | 1 - packages/ti_crowdstrike/manifest.yml | 2 +- packages/ti_eset/_dev/build/docs/README.md | 2 -- packages/ti_eset/changelog.yml | 5 +++++ packages/ti_eset/docs/README.md | 2 -- packages/ti_eset/manifest.yml | 2 +- 32 files 
changed, 48 insertions(+), 34 deletions(-) diff --git a/packages/azure_network_watcher_nsg/_dev/build/docs/README.md b/packages/azure_network_watcher_nsg/_dev/build/docs/README.md index fd628dd4de1..23f1c7eeb77 100644 --- a/packages/azure_network_watcher_nsg/_dev/build/docs/README.md +++ b/packages/azure_network_watcher_nsg/_dev/build/docs/README.md @@ -30,8 +30,6 @@ You can run Elastic Agent inside a container, either with Fleet Server or standa There are some minimum requirements for running Elastic Agent and for more information, refer to the link [here](https://www.elastic.co/guide/en/fleet/current/elastic-agent-installation.html#_minimum_requirements). -The minimum **Kibana version** required is **8.12.0**. - ## Setup ### To collect data from Azure Network Watcher NSG follow the below steps: diff --git a/packages/azure_network_watcher_nsg/changelog.yml b/packages/azure_network_watcher_nsg/changelog.yml index 8fd6ed043a0..f719d19265c 100644 --- a/packages/azure_network_watcher_nsg/changelog.yml +++ b/packages/azure_network_watcher_nsg/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "0.2.1" + changes: + - description: Remove reference to a Kibana version from the README. + type: bugfix + link: https://github.com/elastic/integrations/pull/10182 - version: "0.2.0" changes: - description: Removed import_mappings. Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template. diff --git a/packages/azure_network_watcher_nsg/docs/README.md b/packages/azure_network_watcher_nsg/docs/README.md index 6a39e15b95d..cfba9df00c8 100644 --- a/packages/azure_network_watcher_nsg/docs/README.md +++ b/packages/azure_network_watcher_nsg/docs/README.md 
@@ -30,8 +30,6 @@ You can run Elastic Agent inside a container, either with Fleet Server or standa There are some minimum requirements for running Elastic Agent and for more information, refer to the link [here](https://www.elastic.co/guide/en/fleet/current/elastic-agent-installation.html#_minimum_requirements). -The minimum **Kibana version** required is **8.12.0**. - ## Setup ### To collect data from Azure Network Watcher NSG follow the below steps: diff --git a/packages/azure_network_watcher_nsg/manifest.yml b/packages/azure_network_watcher_nsg/manifest.yml index 304c80719b0..4b334037ca7 100644 --- a/packages/azure_network_watcher_nsg/manifest.yml +++ b/packages/azure_network_watcher_nsg/manifest.yml @@ -1,7 +1,7 @@ format_version: 3.1.2 name: azure_network_watcher_nsg title: Azure Network Watcher NSG -version: "0.2.0" +version: "0.2.1" description: Collect logs from Azure Network Watcher NSG with Elastic Agent. type: integration categories: diff --git a/packages/azure_network_watcher_vnet/_dev/build/docs/README.md b/packages/azure_network_watcher_vnet/_dev/build/docs/README.md index f52d1f918a1..daa8ca05edf 100644 --- a/packages/azure_network_watcher_vnet/_dev/build/docs/README.md +++ b/packages/azure_network_watcher_vnet/_dev/build/docs/README.md @@ -30,8 +30,6 @@ You can run Elastic Agent inside a container, either with Fleet Server or standa There are some minimum requirements for running Elastic Agent and for more information, refer to the link [here](https://www.elastic.co/guide/en/fleet/current/elastic-agent-installation.html#_minimum_requirements). -The minimum **Kibana version** required is **8.12.0**. - ## Setup ### To collect data from Azure Network Watcher VNet follow the below steps: diff --git a/packages/azure_network_watcher_vnet/changelog.yml b/packages/azure_network_watcher_vnet/changelog.yml index 585b475a4c0..c21df52f804 100644 --- a/packages/azure_network_watcher_vnet/changelog.yml +++ b/packages/azure_network_watcher_vnet/changelog.yml 
@@ -1,4 +1,9 @@ # newer versions go on top +- version: "0.2.1" + changes: + - description: Remove reference to a Kibana version from the README. + type: bugfix + link: https://github.com/elastic/integrations/pull/10182 - version: "0.2.0" changes: - description: Removed import_mappings. Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template. diff --git a/packages/azure_network_watcher_vnet/docs/README.md b/packages/azure_network_watcher_vnet/docs/README.md index 7b6af8bc33f..bf840e36349 100644 --- a/packages/azure_network_watcher_vnet/docs/README.md +++ b/packages/azure_network_watcher_vnet/docs/README.md @@ -30,8 +30,6 @@ You can run Elastic Agent inside a container, either with Fleet Server or standa There are some minimum requirements for running Elastic Agent and for more information, refer to the link [here](https://www.elastic.co/guide/en/fleet/current/elastic-agent-installation.html#_minimum_requirements). -The minimum **Kibana version** required is **8.12.0**. - ## Setup ### To collect data from Azure Network Watcher VNet follow the below steps: diff --git a/packages/azure_network_watcher_vnet/manifest.yml b/packages/azure_network_watcher_vnet/manifest.yml index 9f673edf658..396ad00a73e 100644 --- a/packages/azure_network_watcher_vnet/manifest.yml +++ b/packages/azure_network_watcher_vnet/manifest.yml @@ -1,7 +1,7 @@ format_version: 3.1.2 name: azure_network_watcher_vnet title: Azure Network Watcher VNet -version: "0.2.0" +version: "0.2.1" description: Collect logs from Azure Network Watcher VNet with Elastic Agent. type: integration categories: diff --git a/packages/eset_protect/_dev/build/docs/README.md b/packages/eset_protect/_dev/build/docs/README.md index 9a1d98e1762..ec52d89a11c 100644 --- a/packages/eset_protect/_dev/build/docs/README.md +++ b/packages/eset_protect/_dev/build/docs/README.md 
@@ -34,7 +34,6 @@ You can run Elastic Agent inside a container, either with Fleet Server or standa There are some minimum requirements for running Elastic Agent and for more information, refer to the link [here](https://www.elastic.co/guide/en/fleet/current/elastic-agent-installation.html). -The minimum **Kibana version** required is **8.12.0**. This module has been tested against the **ESET PROTECT (version: 5.0.9.1)**. ## Setup diff --git a/packages/eset_protect/changelog.yml b/packages/eset_protect/changelog.yml index 792ad666df9..e76531a56e1 100644 --- a/packages/eset_protect/changelog.yml +++ b/packages/eset_protect/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.1.1" + changes: + - description: Remove reference to a Kibana version from the README. + type: bugfix + link: https://github.com/elastic/integrations/pull/10182 - version: "1.1.0" changes: - description: Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template. diff --git a/packages/eset_protect/docs/README.md b/packages/eset_protect/docs/README.md index 2746af7ce61..8b19005369b 100644 --- a/packages/eset_protect/docs/README.md +++ b/packages/eset_protect/docs/README.md @@ -34,7 +34,6 @@ You can run Elastic Agent inside a container, either with Fleet Server or standa There are some minimum requirements for running Elastic Agent and for more information, refer to the link [here](https://www.elastic.co/guide/en/fleet/current/elastic-agent-installation.html). -The minimum **Kibana version** required is **8.12.0**. This module has been tested against the **ESET PROTECT (version: 5.0.9.1)**. ## Setup diff --git a/packages/eset_protect/manifest.yml b/packages/eset_protect/manifest.yml index b8d9f67c55f..3ed74fe2ae3 100644 --- a/packages/eset_protect/manifest.yml +++ b/packages/eset_protect/manifest.yml 
@@ -1,7 +1,7 @@ format_version: 3.0.3 name: eset_protect title: ESET PROTECT -version: "1.1.0" +version: "1.1.1" description: Collect logs from ESET PROTECT with Elastic Agent. type: integration categories: diff --git a/packages/imperva_cloud_waf/_dev/build/docs/README.md b/packages/imperva_cloud_waf/_dev/build/docs/README.md index 26708cb53d0..aaf29d7d62b 100644 --- a/packages/imperva_cloud_waf/_dev/build/docs/README.md +++ b/packages/imperva_cloud_waf/_dev/build/docs/README.md @@ -30,8 +30,6 @@ You can run Elastic Agent inside a container, either with Fleet Server or standa There are some minimum requirements for running Elastic Agent and for more information, refer to the link [here](https://www.elastic.co/guide/en/fleet/current/elastic-agent-installation.html). -The minimum **Kibana version** required is **8.10.1**. - ## Setup ### Steps to setup Amazon S3 Connection(Push Mode): diff --git a/packages/imperva_cloud_waf/changelog.yml b/packages/imperva_cloud_waf/changelog.yml index 5e79d16a91c..70eca994361 100644 --- a/packages/imperva_cloud_waf/changelog.yml +++ b/packages/imperva_cloud_waf/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.1.1" + changes: + - description: Remove reference to a Kibana version from the README. + type: bugfix + link: https://github.com/elastic/integrations/pull/10182 - version: "1.1.0" changes: - description: Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template. diff --git a/packages/imperva_cloud_waf/docs/README.md b/packages/imperva_cloud_waf/docs/README.md index ff9072a365b..83580a21a11 100644 --- a/packages/imperva_cloud_waf/docs/README.md +++ b/packages/imperva_cloud_waf/docs/README.md 
@@ -30,8 +30,6 @@ You can run Elastic Agent inside a container, either with Fleet Server or standa There are some minimum requirements for running Elastic Agent and for more information, refer to the link [here](https://www.elastic.co/guide/en/fleet/current/elastic-agent-installation.html). -The minimum **Kibana version** required is **8.10.1**. - ## Setup ### Steps to setup Amazon S3 Connection(Push Mode): diff --git a/packages/imperva_cloud_waf/manifest.yml b/packages/imperva_cloud_waf/manifest.yml index b63e836fcac..1988b7b8bbb 100644 --- a/packages/imperva_cloud_waf/manifest.yml +++ b/packages/imperva_cloud_waf/manifest.yml @@ -1,7 +1,7 @@ format_version: 3.0.3 name: imperva_cloud_waf title: Imperva Cloud WAF -version: "1.1.0" +version: "1.1.1" description: Collect logs from Imperva Cloud WAF with Elastic Agent. type: integration categories: diff --git a/packages/sentinel_one_cloud_funnel/_dev/build/docs/README.md b/packages/sentinel_one_cloud_funnel/_dev/build/docs/README.md index 225a2d63282..f1efe624ac9 100644 --- a/packages/sentinel_one_cloud_funnel/_dev/build/docs/README.md +++ b/packages/sentinel_one_cloud_funnel/_dev/build/docs/README.md @@ -57,8 +57,6 @@ You can run Elastic Agent inside a container, either with Fleet Server or standa There are some minimum requirements for running Elastic Agent and for more information, refer to the link [here](https://www.elastic.co/guide/en/fleet/current/elastic-agent-installation.html). -The minimum **kibana.version** required is **8.11.0**. - ## Setup ### To collect data from an AWS S3 bucket, follow the below steps: diff --git a/packages/sentinel_one_cloud_funnel/changelog.yml b/packages/sentinel_one_cloud_funnel/changelog.yml index ac5ef5e71c2..948578a3996 100644 --- a/packages/sentinel_one_cloud_funnel/changelog.yml +++ b/packages/sentinel_one_cloud_funnel/changelog.yml 
@@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.2.1" + changes: + - description: Remove reference to a Kibana version from the README. + type: bugfix + link: https://github.com/elastic/integrations/pull/10182 - version: "1.2.0" changes: - description: Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template. diff --git a/packages/sentinel_one_cloud_funnel/docs/README.md b/packages/sentinel_one_cloud_funnel/docs/README.md index 74ed92a1074..086fa0b3cde 100644 --- a/packages/sentinel_one_cloud_funnel/docs/README.md +++ b/packages/sentinel_one_cloud_funnel/docs/README.md @@ -57,8 +57,6 @@ You can run Elastic Agent inside a container, either with Fleet Server or standa There are some minimum requirements for running Elastic Agent and for more information, refer to the link [here](https://www.elastic.co/guide/en/fleet/current/elastic-agent-installation.html). -The minimum **kibana.version** required is **8.11.0**. - ## Setup ### To collect data from an AWS S3 bucket, follow the below steps: diff --git a/packages/sentinel_one_cloud_funnel/manifest.yml b/packages/sentinel_one_cloud_funnel/manifest.yml index 256d4fa2631..94ffb922169 100644 --- a/packages/sentinel_one_cloud_funnel/manifest.yml +++ b/packages/sentinel_one_cloud_funnel/manifest.yml @@ -1,7 +1,7 @@ format_version: "3.0.2" name: sentinel_one_cloud_funnel title: SentinelOne Cloud Funnel -version: "1.2.0" +version: "1.2.1" description: Collect logs from SentinelOne Cloud Funnel with Elastic Agent. type: integration categories: ["security", "edr_xdr"] diff --git a/packages/symantec_edr_cloud/_dev/build/docs/README.md b/packages/symantec_edr_cloud/_dev/build/docs/README.md index 082c61effce..718dc24c709 100644 --- a/packages/symantec_edr_cloud/_dev/build/docs/README.md +++ b/packages/symantec_edr_cloud/_dev/build/docs/README.md 
@@ -30,7 +30,6 @@ You can run Elastic Agent inside a container, either with Fleet Server or standa There are some minimum requirements for running Elastic Agent and for more information, refer to the link [here](https://www.elastic.co/guide/en/fleet/current/elastic-agent-installation.html). -The minimum **Kibana version** required is **8.10.1**. This module has been tested against the **Symantec EDR Cloud API Version v1**. ## Setup diff --git a/packages/symantec_edr_cloud/changelog.yml b/packages/symantec_edr_cloud/changelog.yml index 50f76ab8f41..6f5ff795e95 100644 --- a/packages/symantec_edr_cloud/changelog.yml +++ b/packages/symantec_edr_cloud/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.2.1" + changes: + - description: Remove reference to a Kibana version from the README. + type: bugfix + link: https://github.com/elastic/integrations/pull/10182 - version: "1.2.0" changes: - description: Removed import_mappings. Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template. diff --git a/packages/symantec_edr_cloud/docs/README.md b/packages/symantec_edr_cloud/docs/README.md index 8126cac0e25..a8dbe6878e5 100644 --- a/packages/symantec_edr_cloud/docs/README.md +++ b/packages/symantec_edr_cloud/docs/README.md @@ -30,7 +30,6 @@ You can run Elastic Agent inside a container, either with Fleet Server or standa There are some minimum requirements for running Elastic Agent and for more information, refer to the link [here](https://www.elastic.co/guide/en/fleet/current/elastic-agent-installation.html). -The minimum **Kibana version** required is **8.10.1**. This module has been tested against the **Symantec EDR Cloud API Version v1**. ## Setup diff --git a/packages/symantec_edr_cloud/manifest.yml b/packages/symantec_edr_cloud/manifest.yml index 3582b346960..af8dc7e1a94 100644 --- a/packages/symantec_edr_cloud/manifest.yml 
+++ b/packages/symantec_edr_cloud/manifest.yml @@ -1,7 +1,7 @@ format_version: 3.0.2 name: symantec_edr_cloud title: Symantec EDR Cloud -version: "1.2.0" +version: "1.2.1" source: license: Elastic-2.0 description: Collect logs from Symantec EDR Cloud with Elastic Agent. diff --git a/packages/ti_crowdstrike/_dev/build/docs/README.md b/packages/ti_crowdstrike/_dev/build/docs/README.md index dee7d0b94a0..a173ce7188f 100644 --- a/packages/ti_crowdstrike/_dev/build/docs/README.md +++ b/packages/ti_crowdstrike/_dev/build/docs/README.md @@ -35,7 +35,6 @@ You can run Elastic Agent inside a container, either with Fleet Server or standa There are some minimum requirements for running Elastic Agent and for more information, refer to the link [here](https://www.elastic.co/guide/en/fleet/current/elastic-agent-installation.html). -The minimum **kibana.version** required is **8.11.0**. This module has been tested against the **CrowdStrike Falcon Intelligence API Version v1**. ## Setup diff --git a/packages/ti_crowdstrike/changelog.yml b/packages/ti_crowdstrike/changelog.yml index 5d6ee86fef8..4d124645919 100644 --- a/packages/ti_crowdstrike/changelog.yml +++ b/packages/ti_crowdstrike/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.1.1" + changes: + - description: Remove reference to a Kibana version from the README. + type: bugfix + link: https://github.com/elastic/integrations/pull/10182 - version: "1.1.0" changes: - description: Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template. diff --git a/packages/ti_crowdstrike/docs/README.md b/packages/ti_crowdstrike/docs/README.md index 638365f0f04..cb47ece75ef 100644 --- a/packages/ti_crowdstrike/docs/README.md +++ b/packages/ti_crowdstrike/docs/README.md 
@@ -35,7 +35,6 @@ You can run Elastic Agent inside a container, either with Fleet Server or standa There are some minimum requirements for running Elastic Agent and for more information, refer to the link [here](https://www.elastic.co/guide/en/fleet/current/elastic-agent-installation.html). -The minimum **kibana.version** required is **8.11.0**. This module has been tested against the **CrowdStrike Falcon Intelligence API Version v1**. ## Setup diff --git a/packages/ti_crowdstrike/manifest.yml b/packages/ti_crowdstrike/manifest.yml index fbda4e8a894..639c2168d15 100644 --- a/packages/ti_crowdstrike/manifest.yml +++ b/packages/ti_crowdstrike/manifest.yml @@ -1,7 +1,7 @@ format_version: 3.0.3 name: ti_crowdstrike title: CrowdStrike Falcon Intelligence -version: "1.1.0" +version: "1.1.1" description: Collect logs from CrowdStrike Falcon Intelligence with Elastic Agent. type: integration categories: diff --git a/packages/ti_eset/_dev/build/docs/README.md b/packages/ti_eset/_dev/build/docs/README.md index a9841015836..dd51fabe41c 100644 --- a/packages/ti_eset/_dev/build/docs/README.md +++ b/packages/ti_eset/_dev/build/docs/README.md @@ -74,8 +74,6 @@ and we provide deployment manifests for running on Kubernetes. There are some minimum requirements for running Elastic Agent and for more information, refer to the link [here](https://www.elastic.co/guide/en/fleet/current/elastic-agent-installation.html). -The minimum **Kibana version** required is **8.12.0**. - ## Setup ### Enabling the integration in Elastic: diff --git a/packages/ti_eset/changelog.yml b/packages/ti_eset/changelog.yml index d7b6ea60178..a8a539f1f0e 100644 --- a/packages/ti_eset/changelog.yml +++ b/packages/ti_eset/changelog.yml 
@@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.2.1" + changes: + - description: Remove reference to a Kibana version from the README. + type: bugfix + link: https://github.com/elastic/integrations/pull/10182 - version: "1.2.0" changes: - description: Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template. diff --git a/packages/ti_eset/docs/README.md b/packages/ti_eset/docs/README.md index 58315ad5f23..84f68aef70f 100644 --- a/packages/ti_eset/docs/README.md +++ b/packages/ti_eset/docs/README.md @@ -74,8 +74,6 @@ and we provide deployment manifests for running on Kubernetes. There are some minimum requirements for running Elastic Agent and for more information, refer to the link [here](https://www.elastic.co/guide/en/fleet/current/elastic-agent-installation.html). -The minimum **Kibana version** required is **8.12.0**. - ## Setup ### Enabling the integration in Elastic: diff --git a/packages/ti_eset/manifest.yml b/packages/ti_eset/manifest.yml index 5d49543d3a5..1b79fa1d80b 100644 --- a/packages/ti_eset/manifest.yml +++ b/packages/ti_eset/manifest.yml @@ -1,7 +1,7 @@ format_version: 3.0.3 name: ti_eset title: "ESET Threat Intelligence" -version: "1.2.0" +version: "1.2.1" description: "Ingest threat intelligence indicators from ESET Threat Intelligence with Elastic Agent." type: integration categories: From 3b36c289678551dc7b65c801b00c5fbf87034ef0 Mon Sep 17 00:00:00 2001 
From: Krishna Chaitanya Reddy Burri
Date: Mon, 24 Jun 2024 20:59:03 +0530
Subject: [PATCH 039/105] m365_defender: Improve ECS Mappings for Detection Rules (#10179)

A followup of PR https://github.com/elastic/integrations/pull/9860 to enhance ECS mappings for detection rules.

---
 packages/m365_defender/changelog.yml | 5 +
 .../event/_dev/test/pipeline/test-device.log | 2 +
 .../pipeline/test-device.log-expected.json | 396 ++++++++++++++++--
 .../ingest_pipeline/pipeline_device.yml | 123 +++++-
 packages/m365_defender/manifest.yml | 2 +-
 5 files changed, 483 insertions(+), 45 deletions(-)

diff --git a/packages/m365_defender/changelog.yml b/packages/m365_defender/changelog.yml
index 496046b12fc..134b6f1b748 100644
--- a/packages/m365_defender/changelog.yml
+++ b/packages/m365_defender/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "2.14.0"
+ changes:
+ - description: Improve ECS mappings
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/10179
 - version: "2.13.0"
 changes:
 - description: Removed import_mappings. Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template.
diff --git a/packages/m365_defender/data_stream/event/_dev/test/pipeline/test-device.log b/packages/m365_defender/data_stream/event/_dev/test/pipeline/test-device.log
index 5bbb4e3a632..1ad897c7779 100644
--- a/packages/m365_defender/data_stream/event/_dev/test/pipeline/test-device.log
+++ b/packages/m365_defender/data_stream/event/_dev/test/pipeline/test-device.log
@@ -12,6 +12,8 @@ {"Tenant":"DefaultTenant","category":"AdvancedHunting-DeviceProcessEvents","operationName":"Publish","properties":{"AccountDomain":"testmachine6","AccountName":"administrator1","AccountObjectId":null,"AccountSid":"S-1-5-21-1874808502-2282282112-3464708742-500","AccountUpn":null,"ActionType":"ProcessCreated","AdditionalFields":"[]","AppGuardContainerId":null,"DeviceId":"999b6fd7c532534ba50b3232fa992c38a273d4fb","DeviceName":"testmachine6","FileName":"smartscreen.exe","FileSize":2387456,"FolderPath":"C:\\Windows\\System32\\smartscreen.exe","InitiatingProcessAccountDomain":"nt authority","InitiatingProcessAccountName":"system","InitiatingProcessAccountObjectId":null,"InitiatingProcessAccountSid":"S-1-5-18","InitiatingProcessAccountUpn":null,"InitiatingProcessCommandLine":"svchost.exe -k DcomLaunch -p","InitiatingProcessCreationTime":"2022-11-09T17:39:34.1193719Z","InitiatingProcessFileName":"svchost.exe","InitiatingProcessFileSize":55320,"InitiatingProcessFolderPath":"c:\\windows\\system32\\svchost.exe","NetworkAdapterName":"en01","InitiatingProcessId":996,"InitiatingProcessIntegrityLevel":"System","InitiatingProcessLogonId":999,"InitiatingProcessMD5":"b7f884c1b74a263f746ee12a5f7c9f6a","InitiatingProcessParentCreationTime":"2022-11-09T17:39:33.8279942Z","InitiatingProcessParentFileName":"services.exe","InitiatingProcessParentId":852,"InitiatingProcessSHA1":"1bc5066ddf693fc034d6514618854e26a84fd0d1","InitiatingProcessSHA256":"add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88","InitiatingProcessSignatureStatus":"Valid","InitiatingProcessSignerType":"OsVendor","InitiatingProcessTokenElevation":"TokenElevationTypeDefault","InitiatingProcessVersionInfoCompanyName":"Microsoft Corporation","InitiatingProcessVersionInfoFileDescription":"Host Process for Windows Services","InitiatingProcessVersionInfoInternalFileName":"svchost.exe","InitiatingProcessVersionInfoOriginalFileName":"svchost.exe","InitiatingProcessVersionInfoProductName":"Microsoft® 
Windows® Operating System","InitiatingProcessVersionInfoProductVersion":"10.0.19041.1806","LogonId":1443318,"MD5":"b9d697df9e883f0d99720b0430448cb1","MachineGroup":"UnassignedGroup","ProcessCommandLine":"smartscreen.exe -Embedding","ProcessCreationTime":"2022-11-09T17:59:52.0344972Z","ProcessId":6412,"ProcessIntegrityLevel":"High","ProcessTokenElevation":"TokenElevationTypeDefault","ProcessVersionInfoCompanyName":"Microsoft Corporation","ProcessVersionInfoFileDescription":"Windows Defender SmartScreen","ProcessVersionInfoInternalFileName":"smartscreen.exe","ProcessVersionInfoOriginalFileName":"smartscreen.exe","ProcessVersionInfoProductName":"Microsoft® Windows® Operating System","ProcessVersionInfoProductVersion":"10.0.19041.2251","ReportId":4824,"SHA1":"9dec87de894f5228033f87cf874441502bfa4f97","SHA256":"8011a5f4ac65d85cbe593bdad886449e3807d950b234e77c675a0f7ca3b7c781","Timestamp":"2022-11-09T17:59:52.6265786Z"},"tenantId":"12345af3-bc0e-4f36-b08e-27759e912345","time":"2022-11-09T18:03:21.9948950Z"} {"Tenant":"DefaultTenant","category":"AdvancedHunting-DeviceRegistryEvents","operationName":"Publish","properties":{"ActionType":"RegistryValueSet","AppGuardContainerId":null,"DeviceId":"999b6fd7c532534ba50b3232fa992c38a273d4fb","DeviceName":"testmachine6","InitiatingProcessAccountDomain":"nt authority","InitiatingProcessAccountName":"system","InitiatingProcessAccountObjectId":null,"InitiatingProcessAccountSid":"S-1-5-18","InitiatingProcessAccountUpn":null,"InitiatingProcessCommandLine":"powershell.exe -ExecutionPolicy AllSigned -NoProfile 
-NonInteractive","InitiatingProcessCreationTime":"2022-11-09T19:17:20.4156553Z","InitiatingProcessFileName":"powershell.exe","InitiatingProcessFileSize":452608,"InitiatingProcessFolderPath":"c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe","InitiatingProcessId":5900,"InitiatingProcessIntegrityLevel":"System","InitiatingProcessMD5":"04029e121a0cfa5991749937dd22a1d9","InitiatingProcessParentCreationTime":"2022-11-09T19:16:54.9433819Z","InitiatingProcessParentFileName":"SenseIR.exe","InitiatingProcessParentId":5668,"InitiatingProcessSHA1":"f43d9bb316e30ae1a3494ac5b0624f6bea1bf054","InitiatingProcessSHA256":"9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f","InitiatingProcessTokenElevation":"TokenElevationTypeDefault","InitiatingProcessVersionInfoCompanyName":"Microsoft Corporation","InitiatingProcessVersionInfoFileDescription":"Windows PowerShell","InitiatingProcessVersionInfoInternalFileName":"POWERSHELL","InitiatingProcessVersionInfoOriginalFileName":"PowerShell.EXE","InitiatingProcessVersionInfoProductName":"Microsoft® Windows® Operating System","InitiatingProcessVersionInfoProductVersion":"10.0.19041.546","MachineGroup":"UnassignedGroup","PreviousRegistryKey":null,"PreviousRegistryValueData":null,"PreviousRegistryValueName":"Blob","RegistryKey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\Windows Live ID Token Issuer\\Certificates\\B68D8F953E551914324E557E6164D68B9926650C","RegistryValueData":null,"RegistryValueName":"Blob","RegistryValueType":"Binary","ReportId":6571,"Timestamp":"2022-11-09T19:17:43.5752234Z"},"tenantId":"12345af3-bc0e-4f36-b08e-27759e912345","time":"2022-11-09T19:23:21.8925266Z"} {"Tenant":"DefaultTenant","category":"AdvancedHunting-DeviceRegistryEvents","operationName":"Publish","properties":{"ActionType":"RegistryValueSet","AppGuardContainerId":"","DeviceId":"2af9e3da2eb7bd1b6c1fccb55ab5cd4cdec1e583","DeviceName":"desktop-device3","InitiatingProcessAccountDomain":"nt 
authority","InitiatingProcessAccountName":"system","InitiatingProcessAccountObjectId":null,"InitiatingProcessAccountSid":"S-1-5-18","InitiatingProcessAccountUpn":null,"InitiatingProcessCommandLine":"\"MsSense.exe\"","InitiatingProcessCreationTime":"2024-05-06T11:55:32.2214858Z","InitiatingProcessFileName":"mssense.exe","InitiatingProcessFileSize":522184,"InitiatingProcessFolderPath":"c:\\program files\\windows defender advanced threat protection\\mssense.exe","InitiatingProcessId":4688,"InitiatingProcessIntegrityLevel":"System","InitiatingProcessMD5":"71fc679ef0665dde1cbb72c95cecf894","InitiatingProcessParentCreationTime":"2024-05-06T11:48:52.81722Z","InitiatingProcessParentFileName":"services.exe","InitiatingProcessParentId":688,"InitiatingProcessSHA1":"d608e39caae86429f9f45b7f9a1f0417222cf641","InitiatingProcessSHA256":"1b32190da2ba5be59c35fa659cc063d1dd98a9f87d0b0a716f99fbc1c8433022","InitiatingProcessTokenElevation":"TokenElevationTypeDefault","InitiatingProcessVersionInfoCompanyName":"Microsoft Corporation","InitiatingProcessVersionInfoFileDescription":"Windows Defender Advanced Threat Protection Service Executable","InitiatingProcessVersionInfoInternalFileName":"MsSense.exe","InitiatingProcessVersionInfoOriginalFileName":"MsSense.exe","InitiatingProcessVersionInfoProductName":"Microsoft® Windows® Operating System","InitiatingProcessVersionInfoProductVersion":"10.8737.26020.1018","MachineGroup":null,"PreviousRegistryKey":"","PreviousRegistryValueData":null,"PreviousRegistryValueName":"782655b2-0575-4aa2-82b8-7fd560afeff6","RegistryKey":"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\WMI\\Security","RegistryValueData":null,"RegistryValueName":"782655b2-0575-4aa2-82b8-7fd560afeff6","RegistryValueType":"Binary","ReportId":21669,"Timestamp":"2024-05-08T15:23:15.8225851Z"},"tenantId":"12345af3-bc0e-4f36-b08e-27759e912345","time":"2024-05-08T15:27:56.0452290Z"} 
+{"Tenant":"DefaultTenant","_TimeReceivedBySvc":"2024-06-19T01:07:05.1053450Z","category":"AdvancedHunting-DeviceRegistryEvents","operationName":"Publish","properties":{"ActionType":"RegistryKeyDeleted","AppGuardContainerId":"","DeviceId":"2af9e3da2eb7bd1b6c1fccb55ab5cd4cdec1e583","DeviceName":"desktop-user","InitiatingProcessAccountDomain":"nt authority","InitiatingProcessAccountName":"system","InitiatingProcessAccountObjectId":null,"InitiatingProcessAccountSid":"S-1-5-18","InitiatingProcessAccountUpn":null,"InitiatingProcessCommandLine":"svchost.exe -k netsvcs -p -s wlidsvc","InitiatingProcessCreationTime":"2024-06-19T01:06:24.8543864Z","InitiatingProcessFileName":"svchost.exe","InitiatingProcessFileSize":57528,"InitiatingProcessFolderPath":"c:\\windows\\system32\\svchost.exe","InitiatingProcessId":3176,"InitiatingProcessIntegrityLevel":"System","InitiatingProcessMD5":"7469cc568ad6821fd9d925542730a7d8","InitiatingProcessParentCreationTime":"2024-06-18T16:30:41.690549Z","InitiatingProcessParentFileName":"services.exe","InitiatingProcessParentId":728,"InitiatingProcessRemoteSessionDeviceName":null,"InitiatingProcessRemoteSessionIP":null,"InitiatingProcessSHA1":"e4e3f6bbad17b41a42687b3d75ade4a10b0870ec","InitiatingProcessSHA256":"6fc3bf1fdfd76860be782554f8d25bd32f108db934d70f4253f1e5f23522e503","InitiatingProcessSessionId":0,"InitiatingProcessTokenElevation":"TokenElevationTypeDefault","InitiatingProcessVersionInfoCompanyName":"Microsoft Corporation","InitiatingProcessVersionInfoFileDescription":"Host Process for Windows Services","InitiatingProcessVersionInfoInternalFileName":"svchost.exe","InitiatingProcessVersionInfoOriginalFileName":"svchost.exe","InitiatingProcessVersionInfoProductName":"Microsoft® Windows® Operating System","InitiatingProcessVersionInfoProductVersion":"10.0.19041.4355","IsInitiatingProcessRemoteSession":false,"MachineGroup":null,"PreviousRegistryKey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\Windows Live ID Token 
Issuer\\Certificates\\B68D8F953E551914324E557E6164D68B9926649C","PreviousRegistryValueData":null,"PreviousRegistryValueName":null,"RegistryKey":"","RegistryValueData":null,"RegistryValueName":null,"RegistryValueType":"None","ReportId":7857,"Timestamp":"2024-06-19T01:06:24.9112589Z"},"tenantId":"12345af3-bc0e-4f36-b08e-27759e912345","time":"2024-06-19T01:09:19.9778014Z"}
+{"Tenant":"DefaultTenant","_TimeReceivedBySvc":"2024-06-19T07:33:10.2684381Z","category":"AdvancedHunting-DeviceRegistryEvents","operationName":"Publish","properties":{"ActionType":"RegistryValueSet","AppGuardContainerId":"","DeviceId":"2af9e3da2eb7bd1b6c1fccb55ab5cd4cdec1e583","DeviceName":"desktop-user","InitiatingProcessAccountDomain":"nt authority","InitiatingProcessAccountName":"system","InitiatingProcessAccountObjectId":null,"InitiatingProcessAccountSid":"S-1-5-18","InitiatingProcessAccountUpn":null,"InitiatingProcessCommandLine":"\"MsSense.exe\"","InitiatingProcessCreationTime":"2024-06-18T16:30:43.2552366Z","InitiatingProcessFileName":"mssense.exe","InitiatingProcessFileSize":522200,"InitiatingProcessFolderPath":"c:\\program files\\windows defender advanced threat protection\\mssense.exe","InitiatingProcessId":3144,"InitiatingProcessIntegrityLevel":"System","InitiatingProcessMD5":"c311a5744bc0f42b2dbea2c68d1cbd06","InitiatingProcessParentCreationTime":"2024-06-18T16:30:41.690549Z","InitiatingProcessParentFileName":"services.exe","InitiatingProcessParentId":728,"InitiatingProcessRemoteSessionDeviceName":null,"InitiatingProcessRemoteSessionIP":null,"InitiatingProcessSHA1":"9e30598eded8386d8050f409ebd86b1fa5ec474e","InitiatingProcessSHA256":"6ea1404c4e81bc30f75d6a202c32485ca1e331b41bf3fd019bfffcc7425707b6","InitiatingProcessSessionId":0,"InitiatingProcessTokenElevation":"TokenElevationTypeDefault","InitiatingProcessVersionInfoCompanyName":"Microsoft Corporation","InitiatingProcessVersionInfoFileDescription":"Windows Defender Advanced Threat Protection Service 
Executable","InitiatingProcessVersionInfoInternalFileName":"MsSense.exe","InitiatingProcessVersionInfoOriginalFileName":"MsSense.exe","InitiatingProcessVersionInfoProductName":"Microsoft® Windows® Operating System","InitiatingProcessVersionInfoProductVersion":"10.8750.27558.1004","IsInitiatingProcessRemoteSession":false,"MachineGroup":null,"PreviousRegistryKey":"","PreviousRegistryValueData":"133632450540305655","PreviousRegistryValueName":"CrashHeartbeat","RegistryKey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows Advanced Threat Protection","RegistryValueData":"133632558540099193","RegistryValueName":"CrashHeartbeat","RegistryValueType":"Qword","ReportId":9370,"Timestamp":"2024-06-19T07:30:54.2606584Z"},"tenantId":"12345af3-bc0e-4f36-b08e-27759e912345","time":"2024-06-19T07:35:47.9510563Z"} {"Tenant":"DefaultTenant","category":"AdvancedHunting-DeviceNetworkEvents","operationName":"Publish","properties":{"Timestamp": "2023-07-19T12:17:42.7782364Z","DeviceId": "22bb10ffe3104214b20fc7de339a2b053e915e5c","DeviceName": "janeslaptop1.corporatedomain","ActionType": "ConnectionFailed","RemoteIP": "175.16.199.0","RemotePort": 80,"RemoteUrl": "subdomain.domain.tld","LocalIP": "89.160.20.112","LocalPort": 50258,"Protocol": "Tcp","LocalIPType": "Private","RemoteIPType": "Public","InitiatingProcessSHA1": "3e44b0d0319d24fa51b472de23062b10c0c32ec3","InitiatingProcessSHA256": "fe0ddd41ed02f1faa59526c53178c8366d9c90a777619eaaf7b7e5656f3ea4cb","InitiatingProcessMD5": "df9b3bee634a5578481a8c7cf4f614a3","InitiatingProcessFileName": "msedgewebview2.exe","InitiatingProcessFileSize": 3657056,"InitiatingProcessVersionInfoCompanyName": "Microsoft Corporation","InitiatingProcessVersionInfoProductName": "Microsoft Edge WebView2","InitiatingProcessVersionInfoProductVersion": "114.0.1823.79","InitiatingProcessVersionInfoInternalFileName": "msedgewebview2_exe","InitiatingProcessVersionInfoOriginalFileName": "msedgewebview2.exe","InitiatingProcessVersionInfoFileDescription": "Microsoft 
Edge WebView2","InitiatingProcessId": 17916,"InitiatingProcessCommandLine": "\"msedgewebview2.exe\" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --noerrdialogs --user-data-dir=\"C:\\Users\\username\\AppData\\Local\\Citrix\\SelfService\\CitrixWebControlCache\\EBWebView\" --webview-exe-name=SelfService.exe --webview-exe-version=22.3.1.22 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --mojo-platform-channel-handle=3456 --field-trial-handle=1824,i --enable-features=msSingleSignOnOSForPrimaryAccountIsShared --disable-features=MojoIpcz /prefetch:3 /pfhostedapp:1234","InitiatingProcessCreationTime": "2023-08-09T18:43:00.0810399Z","InitiatingProcessFolderPath": "c:\\program files (x86)\\microsoft\\edgewebview\\application\\114.0.1823.79\\msedgewebview2.exe","InitiatingProcessParentFileName": "msedgewebview2.exe","InitiatingProcessParentId": 17808,"InitiatingProcessParentCreationTime": "2023-08-09T18:42:58.8197327Z","InitiatingProcessAccountDomain": "corporatedomain","InitiatingProcessAccountName": "username","InitiatingProcessAccountSid": "S-1-5-21-57989841-2025429265-839522115-329672","InitiatingProcessAccountUpn": "email@domain","InitiatingProcessAccountObjectId": "3600a12b-9d66-4dc3-9e2a-956c3623d0e4","InitiatingProcessIntegrityLevel": "Medium","InitiatingProcessTokenElevation": "TokenElevationTypeDefault","ReportId": 110313,"AppGuardContainerId":null,"AdditionalFields":null},"tenantId":"12345af3-bc0e-4f36-b08e-27759e912345","time":"2023-07-19T18:03:21.9948950Z"} {"Tenant":"DefaultTenant","category":"AdvancedHunting-DeviceNetworkEvents","operationName":"Publish","properties":{"Timestamp": "2023-07-19T12:16:10.7489034Z","DeviceId": "22bb10ffe3104214b20fc7de339a2b053e915e5c","DeviceName": "janeslaptop1.corporatedomain","ActionType": "DnsConnectionInspected","RemoteIP": "175.16.199.0","RemotePort": 53,"RemoteUrl":null,"LocalIP": "89.160.20.112","LocalPort": 54125,"Protocol": 
"Udp","LocalIPType":null,"RemoteIPType":null,"InitiatingProcessSHA1":null,"InitiatingProcessSHA256":null,"InitiatingProcessMD5":null,"InitiatingProcessFileName":null,"InitiatingProcessFileSize":null,"InitiatingProcessVersionInfoCompanyName":null,"InitiatingProcessVersionInfoProductName":null,"InitiatingProcessVersionInfoProductVersion":null,"InitiatingProcessVersionInfoInternalFileName":null,"InitiatingProcessVersionInfoOriginalFileName":null,"InitiatingProcessVersionInfoFileDescription":null,"InitiatingProcessId": 0,"InitiatingProcessCommandLine":null,"InitiatingProcessCreationTime":null,"InitiatingProcessFolderPath":null,"InitiatingProcessParentFileName":null,"InitiatingProcessParentId": 0,"InitiatingProcessParentCreationTime":null,"InitiatingProcessAccountDomain":null,"InitiatingProcessAccountName":null,"InitiatingProcessAccountSid":null,"InitiatingProcessAccountUpn":null,"InitiatingProcessAccountObjectId":null,"InitiatingProcessIntegrityLevel":null,"InitiatingProcessTokenElevation": "None","ReportId": 19542,"AppGuardContainerId":null,"AdditionalFields": { "direction": "Out", "trans_id": "18296", "rtt": "0.05926012992858887", "query": "janeslaptop1.corporatedomain", "qclass": "1", "qclass_name": "C_INTERNET", "qtype": "1", "qtype_name": "A", "rcode": "0", "uid": "CpeJkh3698EpWwy4Z9", "rcode_name": "NOERROR", "AA": "true", "TC": "false", "RD": "true", "RA": "true", "answers": "[\"89.160.20.112\"]", "TTLs": "[1200.0]", "rejected": "false", "ts": "133370937691236740"}},"tenantId":"12345af3-bc0e-4f36-b08e-27759e912345","time":"2023-07-19T18:03:22.9948950Z"} {"Tenant":"DefaultTenant","category":"AdvancedHunting-DeviceNetworkEvents","operationName":"Publish","properties":{"Timestamp": "2023-07-19T12:16:28.6231143Z","DeviceId": "22bb10ffe3104214b20fc7de339a2b053e915e5c","DeviceName": "janeslaptop1.corporatedomain","ActionType": "NtlmAuthenticationInspected","RemoteIP": "175.16.199.0","RemotePort": 135,"RemoteUrl":null,"LocalIP": "89.160.20.112","LocalPort": 
55514,"Protocol": "Tcp","LocalIPType":null,"RemoteIPType":null,"InitiatingProcessSHA1":null,"InitiatingProcessSHA256":null,"InitiatingProcessMD5":null,"InitiatingProcessFileName":null,"InitiatingProcessFileSize":null,"InitiatingProcessVersionInfoCompanyName":null,"InitiatingProcessVersionInfoProductName":null,"InitiatingProcessVersionInfoProductVersion":null,"InitiatingProcessVersionInfoInternalFileName":null,"InitiatingProcessVersionInfoOriginalFileName":null,"InitiatingProcessVersionInfoFileDescription":null,"InitiatingProcessId": 0,"InitiatingProcessCommandLine":null,"InitiatingProcessCreationTime":null,"InitiatingProcessFolderPath":null,"InitiatingProcessParentFileName":null,"InitiatingProcessParentId": 0,"InitiatingProcessParentCreationTime":null,"InitiatingProcessAccountDomain":null,"InitiatingProcessAccountName":null,"InitiatingProcessAccountSid":null,"InitiatingProcessAccountUpn":null,"InitiatingProcessAccountObjectId":null,"InitiatingProcessIntegrityLevel":null,"InitiatingProcessTokenElevation": "None","ReportId": 33108,"AppGuardContainerId":null,"AdditionalFields": { "direction": "In", "server_nb_computer_name": "hostname", "server_nb_domain_name": "corporatedomain", "server_dns_computer_name": "janeslaptop1.corporatedomain", "server_dns_domain_name": "corporatedomain", "server_tree_name": "corporatedomain", "uid": "Cd6CKC1yC7AvYHXnq", "server_version": "10.0 22621 15", "ts": "133370931234950000"}},"tenantId":"12345af3-bc0e-4f36-b08e-27759e912345","time":"2023-07-19T18:03:23.9948950Z"} diff --git a/packages/m365_defender/data_stream/event/_dev/test/pipeline/test-device.log-expected.json b/packages/m365_defender/data_stream/event/_dev/test/pipeline/test-device.log-expected.json index 85afb6f8534..046570315a0 100644 --- a/packages/m365_defender/data_stream/event/_dev/test/pipeline/test-device.log-expected.json +++ b/packages/m365_defender/data_stream/event/_dev/test/pipeline/test-device.log-expected.json 
@@ -239,7 +239,10 @@
 },
 "host": {
 "id": "de6509d550e605faf3bbeac0905ab9590fe12345",
- "name": "testmachine5"
+ "name": "testmachine5",
+ "os": {
+ "type": "windows"
+ }
 },
 "m365_defender": {
 "event": {
@@ -402,7 +405,10 @@
 },
 "host": {
 "id": "de6509d550e605faf3bbeac0905ab9590fe12345",
- "name": "testmachine5"
+ "name": "testmachine5",
+ "os": {
+ "type": "windows"
+ }
 },
 "m365_defender": {
 "event": {
@@ -546,7 +552,10 @@
 },
 "host": {
 "id": "2af9e3da2eb7bd1b6c1fccb55ab5cd4cdec1e583",
- "name": "desktop-device"
+ "name": "desktop-device",
+ "os": {
+ "type": "windows"
+ }
 },
 "m365_defender": {
 "event": {
@@ -699,7 +708,10 @@
 },
 "host": {
 "id": "2af9e3da2eb7bd1b6c1fccb55ab5cd4cdec1e583",
- "name": "desktop-device2"
+ "name": "desktop-device2",
+ "os": {
+ "type": "windows"
+ }
 },
 "m365_defender": {
 "event": {
@@ -1374,7 +1386,7 @@
 "version": "8.11.0"
 },
 "event": {
- "action": "processcreated",
+ "action": "start",
 "category": [
 "process"
 ],
@@ -1386,7 +1398,10 @@
 },
 "host": {
 "id": "999b6fd7c532534ba50b3232fa992c38a273d4fb",
- "name": "testmachine6"
+ "name": "testmachine6",
+ "os": {
+ "type": "windows"
+ }
 },
 "m365_defender": {
 "event": {
@@ -1581,7 +1596,10 @@
 },
 "host": {
 "id": "999b6fd7c532534ba50b3232fa992c38a273d4fb",
- "name": "testmachine6"
+ "name": "testmachine6",
+ "os": {
+ "type": "windows"
+ }
 },
 "m365_defender": {
 "event": {
@@ -1624,7 +1642,7 @@
 "registry_value_name": "Blob"
 },
 "registry": {
- "key": "SOFTWARE\\Microsoft\\SystemCertificates\\Windows Live ID Token Issuer\\Certificates\\B68D8F953E551914324E557E6164D68B9926650C",
+ "key": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\Windows Live ID Token Issuer\\Certificates\\B68D8F953E551914324E557E6164D68B9926650C",
 "value_name": "Blob",
 "value_type": "Binary"
 },
@@ -1673,8 +1691,9 @@
 "data": {
 "type": "Binary"
 },
+ "hive": "HKLM",
 "key": "SOFTWARE\\Microsoft\\SystemCertificates\\Windows Live ID Token Issuer\\Certificates\\B68D8F953E551914324E557E6164D68B9926650C",
- "path": "SOFTWARE\\Microsoft\\SystemCertificates\\Windows Live ID Token Issuer\\Certificates\\B68D8F953E551914324E557E6164D68B9926650C\\Blob",
+ "path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Windows Live ID Token Issuer\\Certificates\\B68D8F953E551914324E557E6164D68B9926650C\\Blob",
 "value": "Blob"
 },
 "related": {
@@ -1720,7 +1739,10 @@
 },
 "host": {
 "id": "2af9e3da2eb7bd1b6c1fccb55ab5cd4cdec1e583",
- "name": "desktop-device3"
+ "name": "desktop-device3",
+ "os": {
+ "type": "windows"
+ }
 },
 "m365_defender": {
 "event": {
@@ -1762,7 +1784,7 @@
 "registry_value_name": "782655b2-0575-4aa2-82b8-7fd560afeff6"
 },
 "registry": {
- "key": "SYSTEM\\ControlSet001\\Control\\WMI\\Security",
+ "key": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\WMI\\Security",
 "value_name": "782655b2-0575-4aa2-82b8-7fd560afeff6",
 "value_type": "Binary"
 },
@@ -1807,8 +1829,9 @@
 "data": {
 "type": "Binary"
 },
+ "hive": "HKLM",
 "key": "SYSTEM\\ControlSet001\\Control\\WMI\\Security",
- "path": "SYSTEM\\ControlSet001\\Control\\WMI\\Security\\782655b2-0575-4aa2-82b8-7fd560afeff6",
+ "path": "HKLM\\SYSTEM\\ControlSet001\\Control\\WMI\\Security\\782655b2-0575-4aa2-82b8-7fd560afeff6",
 "value": "782655b2-0575-4aa2-82b8-7fd560afeff6"
 },
 "related": {
@@ -1836,6 +1859,289 @@
 "name": "system"
 }
 },
+ {
+ "@timestamp": "2024-06-19T01:06:24.911Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "action": "registrykeydeleted",
+ "category": [
+ "registry"
+ ],
+ "kind": "event",
+ "original": "{\"Tenant\":\"DefaultTenant\",\"_TimeReceivedBySvc\":\"2024-06-19T01:07:05.1053450Z\",\"category\":\"AdvancedHunting-DeviceRegistryEvents\",\"operationName\":\"Publish\",\"properties\":{\"ActionType\":\"RegistryKeyDeleted\",\"AppGuardContainerId\":\"\",\"DeviceId\":\"2af9e3da2eb7bd1b6c1fccb55ab5cd4cdec1e583\",\"DeviceName\":\"desktop-user\",\"InitiatingProcessAccountDomain\":\"nt authority\",\"InitiatingProcessAccountName\":\"system\",\"InitiatingProcessAccountObjectId\":null,\"InitiatingProcessAccountSid\":\"S-1-5-18\",\"InitiatingProcessAccountUpn\":null,\"InitiatingProcessCommandLine\":\"svchost.exe -k netsvcs -p -s wlidsvc\",\"InitiatingProcessCreationTime\":\"2024-06-19T01:06:24.8543864Z\",\"InitiatingProcessFileName\":\"svchost.exe\",\"InitiatingProcessFileSize\":57528,\"InitiatingProcessFolderPath\":\"c:\\\\windows\\\\system32\\\\svchost.exe\",\"InitiatingProcessId\":3176,\"InitiatingProcessIntegrityLevel\":\"System\",\"InitiatingProcessMD5\":\"7469cc568ad6821fd9d925542730a7d8\",\"InitiatingProcessParentCreationTime\":\"2024-06-18T16:30:41.690549Z\",\"InitiatingProcessParentFileName\":\"services.exe\",\"InitiatingProcessParentId\":728,\"InitiatingProcessRemoteSessionDeviceName\":null,\"InitiatingProcessRemoteSessionIP\":null,\"InitiatingProcessSHA1\":\"e4e3f6bbad17b41a42687b3d75ade4a10b0870ec\",\"InitiatingProcessSHA256\":\"6fc3bf1fdfd76860be782554f8d25bd32f108db934d70f4253f1e5f23522e503\",\"InitiatingProcessSessionId\":0,\"InitiatingProcessTokenElevation\":\"TokenElevationTypeDefault\",\"InitiatingProcessVersionInfoCompanyName\":\"Microsoft Corporation\",\"InitiatingProcessVersionInfoFileDescription\":\"Host Process for Windows 
Services\",\"InitiatingProcessVersionInfoInternalFileName\":\"svchost.exe\",\"InitiatingProcessVersionInfoOriginalFileName\":\"svchost.exe\",\"InitiatingProcessVersionInfoProductName\":\"Microsoft® Windows® Operating System\",\"InitiatingProcessVersionInfoProductVersion\":\"10.0.19041.4355\",\"IsInitiatingProcessRemoteSession\":false,\"MachineGroup\":null,\"PreviousRegistryKey\":\"HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\SystemCertificates\\\\Windows Live ID Token Issuer\\\\Certificates\\\\B68D8F953E551914324E557E6164D68B9926649C\",\"PreviousRegistryValueData\":null,\"PreviousRegistryValueName\":null,\"RegistryKey\":\"\",\"RegistryValueData\":null,\"RegistryValueName\":null,\"RegistryValueType\":\"None\",\"ReportId\":7857,\"Timestamp\":\"2024-06-19T01:06:24.9112589Z\"},\"tenantId\":\"12345af3-bc0e-4f36-b08e-27759e912345\",\"time\":\"2024-06-19T01:09:19.9778014Z\"}", + "type": [ + "deletion" + ] + }, + "host": { + "id": "2af9e3da2eb7bd1b6c1fccb55ab5cd4cdec1e583", + "name": "desktop-user", + "os": { + "type": "windows" + } + }, + "m365_defender": { + "event": { + "action": { + "type": "RegistryKeyDeleted" + }, + "category": "AdvancedHunting-DeviceRegistryEvents", + "device": { + "id": "2af9e3da2eb7bd1b6c1fccb55ab5cd4cdec1e583", + "name": "desktop-user" + }, + "initiating_process": { + "account_domain": "nt authority", + "account_name": "system", + "account_sid": "S-1-5-18", + "command_line": "svchost.exe -k netsvcs -p -s wlidsvc", + "creation_time": "2024-06-19T01:06:24.854Z", + "file_name": "svchost.exe", + "file_size": 57528, + "folder_path": "c:\\windows\\system32\\svchost.exe", + "id": 3176, + "integrity_level": "System", + "md5": "7469cc568ad6821fd9d925542730a7d8", + "parent_creation_time": "2024-06-18T16:30:41.690Z", + "parent_file_name": "services.exe", + "parent_id": 728, + "sha1": "e4e3f6bbad17b41a42687b3d75ade4a10b0870ec", + "sha256": "6fc3bf1fdfd76860be782554f8d25bd32f108db934d70f4253f1e5f23522e503", + "token_elevation": "TokenElevationTypeDefault", 
+ "version_info_company_name": "Microsoft Corporation", + "version_info_file_description": "Host Process for Windows Services", + "version_info_internal_file_name": "svchost.exe", + "version_info_original_file_name": "svchost.exe", + "version_info_product_name": "Microsoft® Windows® Operating System", + "version_info_product_version": "10.0.19041.4355" + }, + "operation_name": "Publish", + "previous": { + "registry_key": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\Windows Live ID Token Issuer\\Certificates\\B68D8F953E551914324E557E6164D68B9926649C" + }, + "registry": { + "value_type": "None" + }, + "report_id": "7857", + "tenant": { + "id": "12345af3-bc0e-4f36-b08e-27759e912345", + "name": "DefaultTenant" + }, + "time": "2024-06-19T01:09:19.977Z", + "timestamp": "2024-06-19T01:06:24.911Z" + } + }, + "process": { + "args": [ + "svchost.exe", + "-k", + "netsvcs", + "-p", + "-s", + "wlidsvc" + ], + "args_count": 6, + "command_line": "svchost.exe -k netsvcs -p -s wlidsvc", + "executable": "c:\\windows\\system32\\svchost.exe", + "hash": { + "md5": "7469cc568ad6821fd9d925542730a7d8", + "sha1": "e4e3f6bbad17b41a42687b3d75ade4a10b0870ec", + "sha256": "6fc3bf1fdfd76860be782554f8d25bd32f108db934d70f4253f1e5f23522e503" + }, + "name": "svchost.exe", + "parent": { + "name": "services.exe", + "pid": 728, + "start": "2024-06-18T16:30:41.690Z" + }, + "pe": { + "company": "Microsoft Corporation", + "description": "Host Process for Windows Services", + "file_version": "10.0.19041.4355", + "original_file_name": "svchost.exe", + "product": "Microsoft® Windows® Operating System" + }, + "pid": 3176, + "start": "2024-06-19T01:06:24.854Z" + }, + "registry": { + "data": { + "type": "None" + }, + "hive": "HKLM", + "key": "SOFTWARE\\Microsoft\\SystemCertificates\\Windows Live ID Token Issuer\\Certificates\\B68D8F953E551914324E557E6164D68B9926649C" + }, + "related": { + "hash": [ + "7469cc568ad6821fd9d925542730a7d8", + "e4e3f6bbad17b41a42687b3d75ade4a10b0870ec", + 
"6fc3bf1fdfd76860be782554f8d25bd32f108db934d70f4253f1e5f23522e503" + ], + "hosts": [ + "2af9e3da2eb7bd1b6c1fccb55ab5cd4cdec1e583", + "desktop-user", + "nt authority" + ], + "user": [ + "system" + ] + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "user": { + "domain": "nt authority", + "id": "S-1-5-18", + "name": "system" + } + }, + { + "@timestamp": "2024-06-19T07:30:54.260Z", + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "modification", + "category": [ + "registry" + ], + "kind": "event", + "original": "{\"Tenant\":\"DefaultTenant\",\"_TimeReceivedBySvc\":\"2024-06-19T07:33:10.2684381Z\",\"category\":\"AdvancedHunting-DeviceRegistryEvents\",\"operationName\":\"Publish\",\"properties\":{\"ActionType\":\"RegistryValueSet\",\"AppGuardContainerId\":\"\",\"DeviceId\":\"2af9e3da2eb7bd1b6c1fccb55ab5cd4cdec1e583\",\"DeviceName\":\"desktop-user\",\"InitiatingProcessAccountDomain\":\"nt authority\",\"InitiatingProcessAccountName\":\"system\",\"InitiatingProcessAccountObjectId\":null,\"InitiatingProcessAccountSid\":\"S-1-5-18\",\"InitiatingProcessAccountUpn\":null,\"InitiatingProcessCommandLine\":\"\\\"MsSense.exe\\\"\",\"InitiatingProcessCreationTime\":\"2024-06-18T16:30:43.2552366Z\",\"InitiatingProcessFileName\":\"mssense.exe\",\"InitiatingProcessFileSize\":522200,\"InitiatingProcessFolderPath\":\"c:\\\\program files\\\\windows defender advanced threat 
protection\\\\mssense.exe\",\"InitiatingProcessId\":3144,\"InitiatingProcessIntegrityLevel\":\"System\",\"InitiatingProcessMD5\":\"c311a5744bc0f42b2dbea2c68d1cbd06\",\"InitiatingProcessParentCreationTime\":\"2024-06-18T16:30:41.690549Z\",\"InitiatingProcessParentFileName\":\"services.exe\",\"InitiatingProcessParentId\":728,\"InitiatingProcessRemoteSessionDeviceName\":null,\"InitiatingProcessRemoteSessionIP\":null,\"InitiatingProcessSHA1\":\"9e30598eded8386d8050f409ebd86b1fa5ec474e\",\"InitiatingProcessSHA256\":\"6ea1404c4e81bc30f75d6a202c32485ca1e331b41bf3fd019bfffcc7425707b6\",\"InitiatingProcessSessionId\":0,\"InitiatingProcessTokenElevation\":\"TokenElevationTypeDefault\",\"InitiatingProcessVersionInfoCompanyName\":\"Microsoft Corporation\",\"InitiatingProcessVersionInfoFileDescription\":\"Windows Defender Advanced Threat Protection Service Executable\",\"InitiatingProcessVersionInfoInternalFileName\":\"MsSense.exe\",\"InitiatingProcessVersionInfoOriginalFileName\":\"MsSense.exe\",\"InitiatingProcessVersionInfoProductName\":\"Microsoft® Windows® Operating System\",\"InitiatingProcessVersionInfoProductVersion\":\"10.8750.27558.1004\",\"IsInitiatingProcessRemoteSession\":false,\"MachineGroup\":null,\"PreviousRegistryKey\":\"\",\"PreviousRegistryValueData\":\"133632450540305655\",\"PreviousRegistryValueName\":\"CrashHeartbeat\",\"RegistryKey\":\"HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows Advanced Threat Protection\",\"RegistryValueData\":\"133632558540099193\",\"RegistryValueName\":\"CrashHeartbeat\",\"RegistryValueType\":\"Qword\",\"ReportId\":9370,\"Timestamp\":\"2024-06-19T07:30:54.2606584Z\"},\"tenantId\":\"12345af3-bc0e-4f36-b08e-27759e912345\",\"time\":\"2024-06-19T07:35:47.9510563Z\"}", + "type": [ + "change" + ] + }, + "host": { + "id": "2af9e3da2eb7bd1b6c1fccb55ab5cd4cdec1e583", + "name": "desktop-user", + "os": { + "type": "windows" + } + }, + "m365_defender": { + "event": { + "action": { + "type": "RegistryValueSet" + }, + "category": 
"AdvancedHunting-DeviceRegistryEvents", + "device": { + "id": "2af9e3da2eb7bd1b6c1fccb55ab5cd4cdec1e583", + "name": "desktop-user" + }, + "initiating_process": { + "account_domain": "nt authority", + "account_name": "system", + "account_sid": "S-1-5-18", + "command_line": "\"MsSense.exe\"", + "creation_time": "2024-06-18T16:30:43.255Z", + "file_name": "mssense.exe", + "file_size": 522200, + "folder_path": "c:\\program files\\windows defender advanced threat protection\\mssense.exe", + "id": 3144, + "integrity_level": "System", + "md5": "c311a5744bc0f42b2dbea2c68d1cbd06", + "parent_creation_time": "2024-06-18T16:30:41.690Z", + "parent_file_name": "services.exe", + "parent_id": 728, + "sha1": "9e30598eded8386d8050f409ebd86b1fa5ec474e", + "sha256": "6ea1404c4e81bc30f75d6a202c32485ca1e331b41bf3fd019bfffcc7425707b6", + "token_elevation": "TokenElevationTypeDefault", + "version_info_company_name": "Microsoft Corporation", + "version_info_file_description": "Windows Defender Advanced Threat Protection Service Executable", + "version_info_internal_file_name": "MsSense.exe", + "version_info_original_file_name": "MsSense.exe", + "version_info_product_name": "Microsoft® Windows® Operating System", + "version_info_product_version": "10.8750.27558.1004" + }, + "operation_name": "Publish", + "previous": { + "registry_value_data": "133632450540305655", + "registry_value_name": "CrashHeartbeat" + }, + "registry": { + "key": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows Advanced Threat Protection", + "value_data": "133632558540099193", + "value_name": "CrashHeartbeat", + "value_type": "Qword" + }, + "report_id": "9370", + "tenant": { + "id": "12345af3-bc0e-4f36-b08e-27759e912345", + "name": "DefaultTenant" + }, + "time": "2024-06-19T07:35:47.951Z", + "timestamp": "2024-06-19T07:30:54.260Z" + } + }, + "process": { + "args": [ + "MsSense.exe" + ], + "args_count": 1, + "command_line": "\"MsSense.exe\"", + "executable": "c:\\program files\\windows defender advanced threat 
protection\\mssense.exe", + "hash": { + "md5": "c311a5744bc0f42b2dbea2c68d1cbd06", + "sha1": "9e30598eded8386d8050f409ebd86b1fa5ec474e", + "sha256": "6ea1404c4e81bc30f75d6a202c32485ca1e331b41bf3fd019bfffcc7425707b6" + }, + "name": "mssense.exe", + "parent": { + "name": "services.exe", + "pid": 728, + "start": "2024-06-18T16:30:41.690Z" + }, + "pe": { + "company": "Microsoft Corporation", + "description": "Windows Defender Advanced Threat Protection Service Executable", + "file_version": "10.8750.27558.1004", + "original_file_name": "MsSense.exe", + "product": "Microsoft® Windows® Operating System" + }, + "pid": 3144, + "start": "2024-06-18T16:30:43.255Z" + }, + "registry": { + "data": { + "strings": [ + "133632558540099193", + "133632450540305655" + ], + "type": "Qword" + }, + "hive": "HKLM", + "key": "SOFTWARE\\Microsoft\\Windows Advanced Threat Protection", + "path": "HKLM\\SOFTWARE\\Microsoft\\Windows Advanced Threat Protection\\CrashHeartbeat", + "value": "CrashHeartbeat" + }, + "related": { + "hash": [ + "c311a5744bc0f42b2dbea2c68d1cbd06", + "9e30598eded8386d8050f409ebd86b1fa5ec474e", + "6ea1404c4e81bc30f75d6a202c32485ca1e331b41bf3fd019bfffcc7425707b6" + ], + "hosts": [ + "2af9e3da2eb7bd1b6c1fccb55ab5cd4cdec1e583", + "desktop-user", + "nt authority" + ], + "user": [ + "system" + ] + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "user": { + "domain": "nt authority", + "id": "S-1-5-18", + "name": "system" + } + }, { "@timestamp": "2023-07-19T12:17:42.778Z", "destination": { @@ -1871,7 +2177,10 @@ }, "host": { "id": "22bb10ffe3104214b20fc7de339a2b053e915e5c", - "name": "janeslaptop1.corporatedomain" + "name": "janeslaptop1.corporatedomain", + "os": { + "type": "windows" + } }, "m365_defender": { "event": { 
@@ -2586,7 +2895,10 @@
 },
 "host": {
 "id": "22bb10ffe3104214b20fc7de339a2b053e915e5c",
- "name": "janeslaptop1.corporatedomain"
+ "name": "janeslaptop1.corporatedomain",
+ "os": {
+ "type": "windows"
+ }
 },
 "m365_defender": {
 "event": {
@@ -2890,7 +3202,10 @@
 },
 "host": {
 "id": "22bb10ffe3104214b20fc7de339a2b053e915e5c",
- "name": "janeslaptop1.corporatedomain"
+ "name": "janeslaptop1.corporatedomain",
+ "os": {
+ "type": "windows"
+ }
 },
 "m365_defender": {
 "event": {
@@ -3184,7 +3499,10 @@
 },
 "host": {
 "id": "22bb10ffe3104214b20fc7de339a2b053e915e5c",
- "name": "janeslaptop1.corporatedomain"
+ "name": "janeslaptop1.corporatedomain",
+ "os": {
+ "type": "windows"
+ }
 },
 "m365_defender": {
 "event": {
@@ -3933,7 +4251,7 @@
 "version": "8.11.0"
 },
 "event": {
- "action": "processcreated",
+ "action": "start",
 "category": [
 "process"
 ],
@@ -3945,7 +4263,10 @@
 },
 "host": {
 "id": "22bb10ffe3104214b20fc7de339a2b053e915e5c",
- "name": "janeslaptop1.corporatedomain"
+ "name": "janeslaptop1.corporatedomain",
+ "os": {
+ "type": "windows"
+ }
 },
 "m365_defender": {
 "event": {
@@ -4293,7 +4614,10 @@
 },
 "host": {
 "id": "2af9e3da2eb7bd1b6c1fccb55ab5cd4cdec1e583",
- "name": "desktop-device210"
+ "name": "desktop-device210",
+ "os": {
+ "type": "windows"
+ }
 },
 "m365_defender": {
 "event": {
@@ -4440,7 +4764,10 @@
 },
 "host": {
 "id": "2af9e3da2eb7bd1b6c1fccb55ab5cd4cdec1e583",
- "name": "desktop-name"
+ "name": "desktop-name",
+ "os": {
+ "type": "windows"
+ }
 },
 "m365_defender": {
 "event": {
@@ -4542,7 +4869,12 @@
 "tags": [
 "preserve_original_event",
 "preserve_duplicate_custom_fields"
- ]
+ ],
+ "user": {
+ "domain": "desktop-name",
+ "id": "S-1-5-21-2850353385-2443355826-2041408518-1001",
+ "name": "jonh"
+ }
 },
 {
 "@timestamp": "2024-05-06T19:51:06.481Z",
@@ -4562,7 +4894,10 @@
 },
 "host": {
 "id": "2af9e3da2eb7bd1b6c1fccb55ab5cd4cdec1e583",
- "name": "desktop-name"
+ "name": "desktop-name",
+ "os": {
+ "type": "windows"
+ }
 },
 "m365_defender": {
 "event": {
@@ -4659,7 +4994,12 @@
 "tags": [
 "preserve_original_event",
 "preserve_duplicate_custom_fields"
- ]
+ ],
+ "user": {
+ "domain": "desktop-name",
+ "id": "S-1-5-21-2850353385-2443355826-2041408518-1001",
+ "name": "jonh"
+ }
 },
 {
 "@timestamp": "2024-05-02T15:53:56.358Z",
@@ -4686,7 +5026,10 @@
 },
 "host": {
 "id": "2cde6cee4dd3a5932ee140f871f6095966e74ff9",
- "name": "desktop-d45trp5"
+ "name": "desktop-d45trp5",
+ "os": {
+ "type": "windows"
+ }
 },
 "m365_defender": {
 "event": {
@@ -4846,7 +5189,10 @@
 },
 "host": {
 "id": "2af9e3da2eb7bd1b6c1fccb55ab5cd4cdec1e583",
- "name": "desktop-name"
+ "name": "desktop-name",
+ "os": {
+ "type": "windows"
+ }
 },
 "m365_defender": {
 "event": {
diff --git a/packages/m365_defender/data_stream/event/elasticsearch/ingest_pipeline/pipeline_device.yml b/packages/m365_defender/data_stream/event/elasticsearch/ingest_pipeline/pipeline_device.yml
index c66b737837d..71db9368b75 100644
--- a/packages/m365_defender/data_stream/event/elasticsearch/ingest_pipeline/pipeline_device.yml
+++ b/packages/m365_defender/data_stream/event/elasticsearch/ingest_pipeline/pipeline_device.yml
@@ -530,14 +530,6 @@ processors:
 target_field: m365_defender.event.registry.key
 tag: rename_json_properties_RegistryKey
 ignore_missing: true
- - script:
- description: Remove HKEY_CURRENT_USER\ and HKEY_LOCAL_MACHINE\ from registry key
- lang: painless
- if: ctx.m365_defender?.event?.registry?.key != null
- source: |
- String key = ctx.m365_defender.event.registry.key;
- def regex = /HKEY_CURRENT_USER\\|HKEY_LOCAL_MACHINE\\/;
- ctx.m365_defender.event.registry.key = regex.matcher(key).replaceAll('');
 - rename:
 field: json.properties.RegistryValueName
 target_field: m365_defender.event.registry.value_name
@@ -1950,6 +1942,48 @@ processors:
 field: host.os.type
 value: macos
 if: ctx.m365_defender?.event?.os?.platform != null && ctx.m365_defender.event.os.platform.toLowerCase().contains('macos')
+ # host.os.type can also be derived for Windows based on event.category
+ - set:
+ field: host.os.type
+ value: windows
+ if: >-
+ ctx.event?.category != null && (
+ ctx.event.category.contains('api') ||
+ ctx.event.category.contains('registry') ||
+ ctx.event.category.contains('library') ||
+ ctx.event.category.contains('driver')
+ )
+ - set:
+ field: host.os.type
+ value: windows
+ if: >-
+ ctx.event?.category != null && ctx.event.category.contains('file') && (
+ ctx.m365_defender?.event?.initiating_process?.account_sid != null ||
+ ctx.m365_defender?.event?.request?.account_sid != null
+ )
+ - set:
+ field: host.os.type
+ value: windows
+ if: >-
+ ctx.event?.category != null && ctx.event.category.contains('process') && (
+ ctx.m365_defender?.event?.initiating_process?.account_sid != null
+ )
+ - set:
+ field: host.os.type
+ value: windows
+ if: >-
+ ctx.event?.category != null && ctx.event.category.contains('authentication') && (
+ ctx.m365_defender?.event?.initiating_process?.account_sid != null ||
+ ctx.m365_defender?.event?.account?.sid != null
+ )
+ - set:
+ field: host.os.type
+ value: windows
+ if: >-
+ ctx.event?.category != null && ctx.event.category.contains('network') && (
+ ctx.m365_defender?.event?.initiating_process?.account_sid != null
+ )
+
 - set:
 field: host.os.full
 copy_from: m365_defender.event.os.platform
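Review bot: The five new `set` processors for `host.os.type: windows` can overwrite a value the preceding `macos` set already derived from `m365_defender.event.os.platform`, since none of them checks that `host.os.type` is still unset; whether a single event can satisfy both conditions depends on the category mapping earlier in the pipeline, which is outside this hunk. Adding `override: false` to each of these `set` processors (or `ctx.host?.os?.type == null` to each `if`) keeps the platform-derived value authoritative, which matters because detection rules filter on `host.os.type`. The SID-presence heuristic for file/process/authentication/network events also rests on an assumption worth stating next to the existing comment, e.g. `# assumes non-Windows MDE sensors leave InitiatingProcessAccountSid empty — confirm against Linux/macOS samples`.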
@@ -1998,22 +2032,61 @@ processors: allow_duplicates: false # Registry Mapping - - set: - field: registry.key - copy_from: m365_defender.event.registry.key - tag: set_registry_key - ignore_empty_value: true + # registry hive abbreviation taken from current or previous registry key + - grok: + field: m365_defender.event.registry.key + description: Extract and remove HIVE_NAMES from registry key + tag: grok_registry_key + if: ctx.m365_defender?.event?.registry?.key != null && ctx.m365_defender.event.registry.key != '' + patterns: + - '^(%{HIVE_NAMES:_tmp.registry.hive}\\)?%{GREEDYDATA:registry.key}$' + pattern_definitions: + HIVE_NAMES: "(?i:HKEY_CLASSES_ROOT|HKCR|HKEY_CURRENT_USER|HKCU|HKEY_LOCAL_MACHINE|HKLM|HKEY_USERS|HKU|HKEY_CURRENT_CONFIG|HKCC)" + - grok: + field: m365_defender.event.previous.registry_key + description: Extract and remove HIVE_NAMES from previous registry key + tag: grok_registry_previous_key + if: ctx.registry?.key == null && ctx.m365_defender?.event?.previous?.registry_key != null && ctx.m365_defender.event.previous.registry_key != '' + patterns: + - '^(%{HIVE_NAMES:_tmp.registry.hive}\\)?%{GREEDYDATA:registry.key}$' + pattern_definitions: + HIVE_NAMES: "(?i:HKEY_CLASSES_ROOT|HKCR|HKEY_CURRENT_USER|HKCU|HKEY_LOCAL_MACHINE|HKLM|HKEY_USERS|HKU|HKEY_CURRENT_CONFIG|HKCC)" + - script: + description: Normalize hive names (ECS uses abbreviated names) derived from https://learn.microsoft.com/en-us/troubleshoot/windows-server/performance/windows-registry-advanced-users + tag: set_registry_hive + lang: painless + if: ctx._tmp?.registry?.hive != null + params: + HKEY_CLASSES_ROOT: HKCR + HKEY_CURRENT_USER: HKCU + HKEY_LOCAL_MACHINE: HKLM + HKEY_USERS: HKU + HKEY_CURRENT_CONFIG: HKCC + source: | + def name = ctx._tmp.registry.hive.toUpperCase(); + if (ctx.registry == null) { + ctx.registry = new HashMap(); + } + ctx.registry.hive = params.getOrDefault(name, name); - set: field: registry.value copy_from: m365_defender.event.registry.value_name tag: 
set_registry_value ignore_empty_value: true + - set: + field: registry.value + description: Derived from previous value during registry changes. + copy_from: m365_defender.event.previous.registry_value_name + if: ctx.registry?.value == null + tag: set_registry_value_prev + ignore_empty_value: true - set: field: registry.path + description: registry.hive + registry.key + registry.value value: >- - {{{registry.key}}}\{{{registry.value}}} + {{{#registry.hive}}}{{{registry.hive}}}{{{/registry.hive}}}\{{{registry.key}}}\{{{registry.value}}} tag: set_registry_path - if: ctx.registry?.key != null && ctx.registry.value != null + if: ctx.registry?.key != null && ctx.registry.key != '' && ctx.registry.value != null ignore_empty_value: true - append: field: registry.data.strings @@ -2021,6 +2094,13 @@ processors: tag: append_registry_data_strings allow_duplicates: false if: ctx.m365_defender?.event?.registry?.value_data != null + - append: + field: registry.data.strings + description: Derived from previous value during registry changes. + value: '{{{m365_defender.event.previous.registry_value_data}}}' + tag: append_registry_data_strings_prev + allow_duplicates: false + if: ctx.m365_defender?.event?.previous?.registry_value_data != null - set: field: registry.data.type copy_from: m365_defender.event.registry.value_type 
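Review bot: In the new `registry.path` template the backslash after the hive section sits outside `{{{#registry.hive}}}…{{{/registry.hive}}}`, so a key whose hive was not recognised by `grok_registry_key` produces a path with a stray leading separator (`\Software\...\Value`); move the separator inside the section: `{{{#registry.hive}}}{{{registry.hive}}}\{{{/registry.hive}}}{{{registry.key}}}\{{{registry.value}}}`. The hive groks write the scratch field `_tmp.registry.hive`, and no `remove` for `_tmp` is visible in this hunk, so confirm one exists later in the pipeline or the scratch value lands in the indexed document. A one-line comment above `set_registry_hive` saying that the groks have already stripped the hive from `registry.key` and the script only canonicalises long hive names to their abbreviations would help a reader of the `registry.path` line below.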
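Review bot: `append_registry_data_strings_prev` has no guard on the current value, so for a registry value-change event `registry.data.strings` ends up holding both the newly written data and the previous data in one array, and a rule that matches a given string in `registry.data.strings` will also fire when that value is being replaced rather than set. Mirror the fallback already used for `set_registry_value_prev` by extending the condition with `&& ctx.m365_defender?.event?.registry?.value_data == null` (equivalently `ctx.registry?.data?.strings == null`), and make the description say so: `description: Previous value data, used only when the event carries no current value data.`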
@@ -2159,7 +2239,7 @@ processors: copy_from: m365_defender.event.initiating_process.account_name tag: set_user_name_initiating_process_account_name ignore_empty_value: true - if: ctx.event?.category != null && (ctx.event.category.contains('library') || ctx.event.category.contains('registry') || ctx.event.category.contains('network') || ctx.event.category.contains('driver')) && ctx.user?.name == null + if: ctx.event?.category != null && (ctx.event.category.contains('library') || ctx.event.category.contains('registry') || ctx.event.category.contains('network') || ctx.event.category.contains('driver') || ctx.event.category.contains('api')) && ctx.user?.name == null - set: field: user.domain copy_from: m365_defender.event.account.domain @@ -2170,7 +2250,7 @@ processors: copy_from: m365_defender.event.initiating_process.account_domain tag: set_user_domain_initiating_process_account_domain ignore_empty_value: true - if: ctx.event?.category != null && (ctx.event.category.contains('library') || ctx.event.category.contains('registry') || ctx.event.category.contains('network') || ctx.event.category.contains('driver')) && ctx.user?.domain == null + if: ctx.event?.category != null && (ctx.event.category.contains('library') || ctx.event.category.contains('registry') || ctx.event.category.contains('network') || ctx.event.category.contains('driver') || ctx.event.category.contains('api')) && ctx.user?.domain == null - set: field: user.id copy_from: m365_defender.event.account.sid 
@@ -2181,7 +2261,7 @@ processors: copy_from: m365_defender.event.initiating_process.account_sid tag: set_user_id_initiating_process_account_sid ignore_empty_value: true - if: ctx.event?.category != null && (ctx.event.category.contains('library') || ctx.event.category.contains('file') || ctx.event.category.contains('registry') || ctx.event.category.contains('network') || ctx.event.category.contains('driver')) && ctx.user?.id == null + if: ctx.event?.category != null && (ctx.event.category.contains('library') || ctx.event.category.contains('file') || ctx.event.category.contains('registry') || ctx.event.category.contains('network') || ctx.event.category.contains('driver') || ctx.event.category.contains('api')) && ctx.user?.id == null - set: field: user.id copy_from: m365_defender.event.request.account_sid @@ -2264,7 +2344,7 @@ processors: if: ctx.event?.category != null && ctx.event.category.contains('network') && ctx.m365_defender?.event?.network_direction == null # Event Outcome/Actions mapping - # Special handling when event.category is 'file' or 'registry' or 'driver' for better compatibility and detection rules. + # Special handling when event.category is 'file' or 'registry' or 'driver' or 'process' for better compatibility and detection rules. - set: field: event.action value: deletion @@ -2300,6 +2380,11 @@ processors: value: load tag: set_event_action_load if: ctx.event?.category != null && ctx.event.category.contains('driver') + - set: + field: event.action + value: start + tag: set_event_action_start + if: ctx.event?.category != null && ctx.event.category.contains('process') && ctx.m365_defender?.event?.action?.type != null && ctx.m365_defender.event.action.type.toLowerCase() == 'processcreated' # For all other categories, copy the value from m365_defender.event.action.type - set: field: event.action diff --git a/packages/m365_defender/manifest.yml b/packages/m365_defender/manifest.yml index 34ac3273997..557198103cd 100644 
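Review bot: `set_event_action_start` pins `event.action` to `start` for `ProcessCreated`, but the comment right after it says the generic fallback copies `m365_defender.event.action.type` for all other categories; that fallback processor lies outside the hunk, so confirm it is gated on `ctx.event?.action == null`, otherwise it overwrites `start` with `ProcessCreated` on the same event. The condition's null checks plus `toLowerCase()` can be reduced to `'processcreated'.equalsIgnoreCase(ctx.m365_defender?.event?.action?.type)`, which is false on null. Since the header comment in the previous hunk now lists 'process' among the specially handled categories, the processor's own `description` is the place to state that `start` is chosen so detection rules keyed on `event.action` behave the same as for other process sources.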
--- a/packages/m365_defender/manifest.yml +++ b/packages/m365_defender/manifest.yml @@ -1,7 +1,7 @@ format_version: "3.0.2" name: m365_defender title: Microsoft M365 Defender -version: "2.13.0" +version: "2.14.0" description: Collect logs from Microsoft M365 Defender with Elastic Agent. categories: - "security" From 3d4271c3ae37b5194b4715a5fd6fea7db7a5e8f8 Mon Sep 17 00:00:00 2001 From: Taylor Swanson <90622908+taylor-swanson@users.noreply.github.com> Date: Mon, 24 Jun 2024 16:00:48 -0500 Subject: [PATCH 040/105] [cisco_asa] Extract user agent from 722055 logs to correct field (#10229) - Ensure that the user agent is extracted to user_agent.original for 722055 logs - Add sample logs - Add user_agent.original to ECS fields --- packages/cisco_asa/changelog.yml | 5 + .../pipeline/test-additional-messages.log | 2 + ...test-additional-messages.log-expected.json | 136 ++++++++++++++++++ .../elasticsearch/ingest_pipeline/default.yml | 4 +- .../cisco_asa/data_stream/log/fields/ecs.yml | 2 + packages/cisco_asa/docs/README.md | 2 + packages/cisco_asa/manifest.yml | 2 +- 7 files changed, 150 insertions(+), 3 deletions(-) diff --git a/packages/cisco_asa/changelog.yml b/packages/cisco_asa/changelog.yml index 6845bf773cf..a3f283f1294 100644 --- a/packages/cisco_asa/changelog.yml +++ b/packages/cisco_asa/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "2.35.1" + changes: + - description: Extract user agent from 722055 logs to correct field. + type: bugfix + link: https://github.com/elastic/integrations/pull/10229 - version: "2.35.0" changes: - description: Add additional log types. diff --git a/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-additional-messages.log b/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-additional-messages.log index a140c5dcbd3..f50594962bb 100644 --- a/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-additional-messages.log 
+++ b/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-additional-messages.log @@ -150,3 +150,5 @@ May 5 19:02:25 dev01: %ASA-6-716039: Group User IP <17 <140>Oct 03 2023 16:40:40 myAsaHostname : %ASA-6-716058: Group GROUP_1 User USER_1 IP 10.20.0.1 AnyConnect session lost connection. Waiting to resume. <140>Oct 03 2023 16:40:40 myAsaHostname : %ASA-6-716059: Group User IP <10.20.0.1> AnyConnect session resumed. Connection from 172.16.0.1. <140>Oct 03 2023 16:40:40 myAsaHostname : %ASA-6-716059: Group GROUP_1 User USER_1 IP 10.20.0.1 AnyConnect session resumed. Connection from 172.16.0.1. +<140>Oct 03 2023 16:40:40 myAsaHostname : %ASA-6-722055: Group User IP <10.20.0.1> Client Type: user-agent +<140>Oct 03 2023 16:40:40 myAsaHostname : %ASA-6-722055: Group GROUP_1 User USER_1 IP 10.20.0.1 Client Type: user-agent diff --git a/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-additional-messages.log-expected.json b/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-additional-messages.log-expected.json index 88df8474d62..5d3f36f0658 100644 --- a/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-additional-messages.log-expected.json +++ b/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-additional-messages.log-expected.json 
@@ -10615,6 +10615,142 @@ "tags": [ "preserve_original_event" ] + }, + { + "@timestamp": "2023-10-03T16:40:40.000Z", + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "network" + ], + "code": "722055", + "kind": "event", + "original": "<140>Oct 03 2023 16:40:40 myAsaHostname : %ASA-6-722055: Group User IP <10.20.0.1> Client Type: user-agent", + "severity": 6, + "timezone": "UTC", + "type": [ + "connection", + "info" + ] + }, + "host": { + "hostname": "myAsaHostname" + }, + "log": { + "level": "informational", + "syslog": { + "facility": { + "code": 17 + }, + "priority": 140, + "severity": { + "code": 4 + } + } + }, + "observer": { + "hostname": "myAsaHostname", + "product": "asa", + "type": "firewall", + "vendor": "Cisco" + }, + "related": { + "hosts": [ + "myAsaHostname" + ], + "ip": [ + "10.20.0.1" + ], + "user": [ + "USER 1" + ] + }, + "source": { + "address": "10.20.0.1", + "ip": "10.20.0.1", + "user": { + "group": { + "name": "GROUP 1" + }, + "name": "USER 1" + } + }, + "tags": [ + "preserve_original_event" + ], + "user_agent": { + "original": "user-agent" + } + }, + { + "@timestamp": "2023-10-03T16:40:40.000Z", + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "network" + ], + "code": "722055", + "kind": "event", + "original": "<140>Oct 03 2023 16:40:40 myAsaHostname : %ASA-6-722055: Group GROUP_1 User USER_1 IP 10.20.0.1 Client Type: user-agent", + "severity": 6, + "timezone": "UTC", + "type": [ + "connection", + "info" + ] + }, + "host": { + "hostname": "myAsaHostname" + }, + "log": { + "level": "informational", + "syslog": { + "facility": { + "code": 17 + }, + "priority": 140, + "severity": { + "code": 4 + } + } + }, + "observer": { + "hostname": "myAsaHostname", + "product": "asa", + "type": "firewall", + "vendor": "Cisco" + }, + "related": { + "hosts": [ + "myAsaHostname" + ], + "ip": [ + "10.20.0.1" + ], + "user": [ + "USER_1" + ] + }, + "source": { + "address": "10.20.0.1", + "ip": "10.20.0.1", + "user": { + 
"group": { + "name": "GROUP_1" + }, + "name": "USER_1" + } + }, + "tags": [ + "preserve_original_event" + ], + "user_agent": { + "original": "user-agent" + } } ] } \ No newline at end of file diff --git a/packages/cisco_asa/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/cisco_asa/data_stream/log/elasticsearch/ingest_pipeline/default.yml index 362bd29fed5..9cb15ddafec 100644 --- a/packages/cisco_asa/data_stream/log/elasticsearch/ingest_pipeline/default.yml +++ b/packages/cisco_asa/data_stream/log/elasticsearch/ingest_pipeline/default.yml @@ -973,8 +973,8 @@ processors: field: "message" description: "722055" patterns: - - '^Group <%{NOTBRACKET:source.user.group.name}> User <%{NOTBRACKET:source.user.name}> IP <%{NOTBRACKET:source.address}> Client Type: %{GREEDYDATA:user_agent}$' - - '^Group %{NOTSPACE:source.user.group.name} User %{NOTSPACE:source.user.name} IP %{NOTSPACE:source.address} Client Type: %{GREEDYDATA:user_agent}$' + - '^Group <%{NOTBRACKET:source.user.group.name}> User <%{NOTBRACKET:source.user.name}> IP <%{NOTBRACKET:source.address}> Client Type: %{GREEDYDATA:user_agent.original}$' + - '^Group %{NOTSPACE:source.user.group.name} User %{NOTSPACE:source.user.name} IP %{NOTSPACE:source.address} Client Type: %{GREEDYDATA:user_agent.original}$' pattern_definitions: NOTBRACKET: "[^<>]+" - grok: diff --git a/packages/cisco_asa/data_stream/log/fields/ecs.yml b/packages/cisco_asa/data_stream/log/fields/ecs.yml index 687880f7bf3..6082d23f267 100644 --- a/packages/cisco_asa/data_stream/log/fields/ecs.yml +++ b/packages/cisco_asa/data_stream/log/fields/ecs.yml @@ -250,6 +250,8 @@ name: url.top_level_domain - external: ecs name: url.username +- external: ecs + name: user_agent.original - external: ecs name: user.email - external: ecs diff --git a/packages/cisco_asa/docs/README.md b/packages/cisco_asa/docs/README.md index 2aa8eb708e2..f038208502b 100644 --- a/packages/cisco_asa/docs/README.md +++ b/packages/cisco_asa/docs/README.md 
@@ -373,3 +373,5 @@ An example event for `log` looks as following: | user.email | User email address. | keyword | | user.name | Short name or login of the user. | keyword | | user.name.text | Multi-field of `user.name`. | match_only_text | +| user_agent.original | Unparsed user_agent string. | keyword | +| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text | diff --git a/packages/cisco_asa/manifest.yml b/packages/cisco_asa/manifest.yml index 26050dda1ab..07a6d577322 100644 --- a/packages/cisco_asa/manifest.yml +++ b/packages/cisco_asa/manifest.yml @@ -1,7 +1,7 @@ format_version: "3.0.3" name: cisco_asa title: Cisco ASA -version: "2.35.0" +version: "2.35.1" description: Collect logs from Cisco ASA with Elastic Agent. type: integration categories: From 50397dd07530dbd12daf0c0c1418492ed085d108 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Simon=20K=C3=B6tting?= <145989254+SimonKoetting@users.noreply.github.com> Date: Tue, 25 Jun 2024 08:41:14 +0200 Subject: [PATCH 041/105] zscaler_zia: prevent failure with non-encoded urls (#10226) --- packages/zscaler_zia/changelog.yml | 5 +++++ .../web/elasticsearch/ingest_pipeline/default.yml | 2 ++ packages/zscaler_zia/manifest.yml | 2 +- 3 files changed, 8 insertions(+), 1 deletion(-) diff --git a/packages/zscaler_zia/changelog.yml b/packages/zscaler_zia/changelog.yml index 0f0fa0e7329..a516aab796e 100644 --- a/packages/zscaler_zia/changelog.yml +++ b/packages/zscaler_zia/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "2.20.1" + changes: + - description: Prevent failure on not encoded URLs. + type: bugfix + link: https://github.com/elastic/integrations/pull/10226 - version: "2.20.0" changes: - description: Removed import_mappings. Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template. 
diff --git a/packages/zscaler_zia/data_stream/web/elasticsearch/ingest_pipeline/default.yml b/packages/zscaler_zia/data_stream/web/elasticsearch/ingest_pipeline/default.yml index 1614baadd69..c1547d26d55 100644 --- a/packages/zscaler_zia/data_stream/web/elasticsearch/ingest_pipeline/default.yml +++ b/packages/zscaler_zia/data_stream/web/elasticsearch/ingest_pipeline/default.yml @@ -204,10 +204,12 @@ processors: - urldecode: field: url.original ignore_missing: true + ignore_failure: true if: ctx.url?.original != null && ctx.url.original != '' - urldecode: field: json.eua ignore_missing: true + ignore_failure: true if: ctx.json?.eua != null && ctx.json.eua != '' - user_agent: field: json.eua diff --git a/packages/zscaler_zia/manifest.yml b/packages/zscaler_zia/manifest.yml index 12750b3c899..c82dd405dfa 100644 --- a/packages/zscaler_zia/manifest.yml +++ b/packages/zscaler_zia/manifest.yml @@ -1,7 +1,7 @@ format_version: "3.0.2" name: zscaler_zia title: Zscaler Internet Access -version: "2.20.0" +version: "2.20.1" description: Collect logs from Zscaler Internet Access (ZIA) with Elastic Agent. type: integration categories: From 5dbebf921d188ae87949f5ea9ea081784879696b Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 25 Jun 2024 09:54:54 +0200 Subject: [PATCH 042/105] Bump github.com/hashicorp/go-retryablehttp from 0.7.5 to 0.7.7 (#10230) Bumps [github.com/hashicorp/go-retryablehttp](https://github.com/hashicorp/go-retryablehttp) from 0.7.5 to 0.7.7. - [Changelog](https://github.com/hashicorp/go-retryablehttp/blob/main/CHANGELOG.md) - [Commits](https://github.com/hashicorp/go-retryablehttp/compare/v0.7.5...v0.7.7) --- updated-dependencies: - dependency-name: github.com/hashicorp/go-retryablehttp dependency-type: indirect ... 
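Review bot: `ignore_failure: true` on the two `urldecode` processors makes a malformed percent-escape indistinguishable from a successful decode: `url.original` and `json.eua` silently keep their raw form and nothing in the document records that decoding was skipped. Prefer a per-processor `on_failure` that leaves a marker, e.g. an `append` to `tags` of `urldecode_failure`, or to `error.message` of `{{{ _ingest.on_failure_message }}}`, so analysts and rules can tell decoded from undecoded values. The `user_agent` processor that follows consumes `json.eua` and is outside the hunk, so check how it behaves on a string that was left undecoded.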
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 9 ++++----- 2 files changed, 5 insertions(+), 6 deletions(-) diff --git a/go.mod b/go.mod index 40ca16ada41..7661ef478d8 100644 --- a/go.mod +++ b/go.mod @@ -95,7 +95,7 @@ require ( github.com/hashicorp/errwrap v1.1.0 // indirect github.com/hashicorp/go-cleanhttp v0.5.2 // indirect github.com/hashicorp/go-multierror v1.1.1 // indirect - github.com/hashicorp/go-retryablehttp v0.7.5 // indirect + github.com/hashicorp/go-retryablehttp v0.7.7 // indirect github.com/huandu/xstrings v1.4.0 // indirect github.com/imdario/mergo v0.3.16 // indirect github.com/inconshreveable/mousetrap v1.1.0 // indirect diff --git a/go.sum b/go.sum index 0984de47496..721f901aca4 100644 --- a/go.sum +++ b/go.sum 
@@ -241,13 +241,12 @@ github.com/hashicorp/errwrap v1.1.0 h1:OxrOeh75EUXMY8TBjag2fzXGZ40LB6IKw45YeGUDY github.com/hashicorp/errwrap v1.1.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= github.com/hashicorp/go-cleanhttp v0.5.2 h1:035FKYIWjmULyFRBKPs8TBQoi0x6d9G4xc9neXJWAZQ= github.com/hashicorp/go-cleanhttp v0.5.2/go.mod h1:kO/YDlP8L1346E6Sodw+PrpBSV4/SoxCXGY6BqNFT48= -github.com/hashicorp/go-hclog v0.9.2/go.mod h1:5CU+agLiy3J7N7QjHK5d05KxGsuXiQLrjA0H7acj2lQ= -github.com/hashicorp/go-hclog v1.5.0 h1:bI2ocEMgcVlz55Oj1xZNBsVi900c7II+fWDyV9o+13c= -github.com/hashicorp/go-hclog v1.5.0/go.mod h1:W4Qnvbt70Wk/zYJryRzDRU/4r0kIg0PVHBcfoyhpF5M= +github.com/hashicorp/go-hclog v1.6.3 h1:Qr2kF+eVWjTiYmU7Y31tYlP1h0q/X3Nl3tPGdaB11/k= +github.com/hashicorp/go-hclog v1.6.3/go.mod h1:W4Qnvbt70Wk/zYJryRzDRU/4r0kIg0PVHBcfoyhpF5M= github.com/hashicorp/go-multierror v1.1.1 h1:H5DkEtf6CXdFp0N0Em5UCwQpXMWke8IA0+lD48awMYo= github.com/hashicorp/go-multierror v1.1.1/go.mod h1:iw975J/qwKPdAO1clOe2L8331t/9/fmwbPZ6JB6eMoM= -github.com/hashicorp/go-retryablehttp v0.7.5 h1:bJj+Pj19UZMIweq/iie+1u5YCdGrnxCT9yvm0e+Nd5M= -github.com/hashicorp/go-retryablehttp v0.7.5/go.mod h1:Jy/gPYAdjqffZ/yFGCFV2doI5wjtH1ewM9u8iYVjtX8= +github.com/hashicorp/go-retryablehttp v0.7.7 h1:C8hUCYzor8PIfXHa4UrZkU4VvK8o9ISHxT2Q8+VepXU= +github.com/hashicorp/go-retryablehttp v0.7.7/go.mod h1:pkQpWZeYWskR+D1tR2O5OcBFOxfA7DoAO6xtkuQnHTk= github.com/hinshun/vt10x v0.0.0-20220119200601-820417d04eec h1:qv2VnGeEQHchGaZ/u7lxST/RaJw+cv273q79D81Xbog= github.com/hinshun/vt10x v0.0.0-20220119200601-820417d04eec/go.mod h1:Q48J4R4DvxnHolD5P8pOtXigYlRuPLGl6moFx3ulM68= github.com/huandu/xstrings v1.3.3/go.mod h1:y5/lhBue+AyNmUVz9RLU9xbLR0o4KIIExikq4ovT0aE= From cb08534927ae8d7cca5fb607214629675184b087 Mon Sep 17 00:00:00 2001 
From: Krishna Chaitanya Reddy Burri Date: Tue, 25 Jun 2024 13:25:42 +0530 Subject: [PATCH 043/105] ti_eclecticiq: Add CEL resource.tracer limit (#10232) Add CEL resource.tracer limit. We have seen cases where the response size exceeds the default `resource.tracer.maxsize` 1 MB and responses are dropped. Add `resource.tracer.maxsize` and `resource.tracer.maxbackups` to capture large responses and avoid loss of visibility. --- packages/ti_eclecticiq/changelog.yml | 5 +++++ .../data_stream/threat/agent/stream/input.yml.hbs | 2 ++ packages/ti_eclecticiq/manifest.yml | 2 +- 3 files changed, 8 insertions(+), 1 deletion(-) diff --git a/packages/ti_eclecticiq/changelog.yml b/packages/ti_eclecticiq/changelog.yml index 0539ee50b5b..cf0d1667eb9 100644 --- a/packages/ti_eclecticiq/changelog.yml +++ b/packages/ti_eclecticiq/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.2.0" + changes: + - description: Increase CEL resource.tracer.maxsize to prevent loss of trace responses. + type: enhancement + link: https://github.com/elastic/integrations/pull/10232 - version: "1.1.0" changes: - description: ECS version updated to 8.11.0. Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template. diff --git a/packages/ti_eclecticiq/data_stream/threat/agent/stream/input.yml.hbs b/packages/ti_eclecticiq/data_stream/threat/agent/stream/input.yml.hbs index eae68f56f97..58391a73fcb 100644 --- a/packages/ti_eclecticiq/data_stream/threat/agent/stream/input.yml.hbs +++ b/packages/ti_eclecticiq/data_stream/threat/agent/stream/input.yml.hbs @@ -5,6 +5,8 @@ resource.url: {{url}} {{#if enable_request_tracer}} resource.tracer.filename: "../../logs/cel/http-request-trace-*.ndjson" +resource.tracer.maxbackups: 5 +resource.tracer.maxsize: 5 {{/if}} {{#if ssl}} resource.ssl: {{ssl}} 
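Review bot: `resource.tracer.maxsize: 5` and `resource.tracer.maxbackups: 5` carry no unit or rationale in the template; add `{{!-- tracer rotation: maxsize is in MB; 5 backups keep up to ~25 MB of request/response traces --}}` above them so the next reader knows what the numbers mean and what they cost. Because the tracer records full HTTP exchanges, raising retention from the 1 MB default to up to 25 MB of trace files keeps more API responses and request headers on the agent host; that is worth a sentence in the package documentation next to the `enable_request_tracer` option. The same consideration applies to the o365 `cel.yml.hbs` change further down, which raises `maxbackups` to 10 (up to 50 MB of traces).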
diff --git a/packages/ti_eclecticiq/manifest.yml b/packages/ti_eclecticiq/manifest.yml index 0c1933fa3b2..25b5407d454 100644 --- a/packages/ti_eclecticiq/manifest.yml +++ b/packages/ti_eclecticiq/manifest.yml @@ -1,7 +1,7 @@ format_version: 3.0.3 name: ti_eclecticiq title: EclecticIQ -version: "1.1.0" +version: "1.2.0" description: Ingest threat intelligence from EclecticIQ with Elastic Agent type: integration categories: From c42512807190a0bcf270ad8e88dd2d210210adb5 Mon Sep 17 00:00:00 2001 From: Krishna Chaitanya Reddy Burri Date: Tue, 25 Jun 2024 13:26:14 +0530 Subject: [PATCH 044/105] o365: Increase CEL tracer log count (#10233) Increase request tracer log count to 10. For large tenants, when CEL program makes a series of requests, we have seen cases where the tracer logs wouldn't capture a full list of responses even during a single interval because of limitation on number of tracer logs. This leads to lack of visibility if certain requests return non-200 response, leading to data loss. Increasing the tracer logs count to 10 from 5. --- packages/o365/changelog.yml | 5 +++++ packages/o365/data_stream/audit/agent/stream/cel.yml.hbs | 2 +- packages/o365/manifest.yml | 2 +- 3 files changed, 7 insertions(+), 2 deletions(-) diff --git a/packages/o365/changelog.yml b/packages/o365/changelog.yml index f3e4dfe3485..e2b63923fe6 100644 --- a/packages/o365/changelog.yml +++ b/packages/o365/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "2.5.0" + changes: + - description: Increase request tracer log count to ten. + type: enhancement + link: https://github.com/elastic/integrations/pull/10233 - version: "2.4.0" changes: - description: Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template. diff --git a/packages/o365/data_stream/audit/agent/stream/cel.yml.hbs b/packages/o365/data_stream/audit/agent/stream/cel.yml.hbs index 1c9e47a9dbe..b312ebd519e 100644 
--- a/packages/o365/data_stream/audit/agent/stream/cel.yml.hbs +++ b/packages/o365/data_stream/audit/agent/stream/cel.yml.hbs @@ -53,7 +53,7 @@ resource.rate_limit.burst: {{resource_rate_limit_burst}} {{#if enable_request_tracer}} resource.tracer.filename: "../../logs/cel/http-request-trace-*.ndjson" -resource.tracer.maxbackups: 5 +resource.tracer.maxbackups: 10 resource.tracer.maxsize: 5 {{/if}} diff --git a/packages/o365/manifest.yml b/packages/o365/manifest.yml index 0d3d815c6f2..6e451bc00a6 100644 --- a/packages/o365/manifest.yml +++ b/packages/o365/manifest.yml @@ -1,6 +1,6 @@ name: o365 title: Microsoft 365 -version: "2.4.0" +version: "2.5.0" description: Collect logs from Microsoft 365 with Elastic Agent. type: integration format_version: "3.0.2" From d302d9dc9ac2f528e6131de4a9b3638757af2605 Mon Sep 17 00:00:00 2001 From: Nic Date: Tue, 25 Jun 2024 03:15:12 -0500 Subject: [PATCH 045/105] [windows] Preserve original event when toggled on (#10197) * Fix preserve original event. * Make fix work and add for all other Windows data streams * Update PR number --- packages/windows/changelog.yml | 5 +++++ .../applocker_exe_and_dll/agent/stream/winlog.yml.hbs | 8 ++++++++ .../agent/stream/winlog.yml.hbs | 8 ++++++++ .../agent/stream/winlog.yml.hbs | 8 ++++++++ .../agent/stream/winlog.yml.hbs | 8 ++++++++ .../data_stream/forwarded/agent/stream/winlog.yml.hbs | 10 +++++++++- .../data_stream/powershell/agent/stream/winlog.yml.hbs | 10 +++++++++- .../powershell_operational/agent/stream/winlog.yml.hbs | 10 +++++++++- .../sysmon_operational/agent/stream/winlog.yml.hbs | 10 +++++++++- packages/windows/manifest.yml | 2 +- 10 files changed, 74 insertions(+), 5 deletions(-) diff --git a/packages/windows/changelog.yml b/packages/windows/changelog.yml index 15f92db0e99..85c10ed517a 100644 --- a/packages/windows/changelog.yml +++ b/packages/windows/changelog.yml 
@@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.45.1" + changes: + - description: Add missing preserve_original_event tag when toggled on for AppLocker, Powershell, Forwarded, and Sysmon. + type: bugfix + link: https://github.com/elastic/integrations/pull/10197 - version: "1.45.0" changes: - description: Add powershell.file.script_block_hash and powershell.file.script_block_signature fields. diff --git a/packages/windows/data_stream/applocker_exe_and_dll/agent/stream/winlog.yml.hbs b/packages/windows/data_stream/applocker_exe_and_dll/agent/stream/winlog.yml.hbs index 9a17afec936..31a89bfbce9 100644 --- a/packages/windows/data_stream/applocker_exe_and_dll/agent/stream/winlog.yml.hbs +++ b/packages/windows/data_stream/applocker_exe_and_dll/agent/stream/winlog.yml.hbs @@ -14,6 +14,14 @@ tags: {{#each tags as |tag|}} - {{tag}} {{/each}} +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{else}} +{{#if preserve_original_event}} +tags: + - preserve_original_event +{{/if}} {{/if}} {{#if preserve_original_event}} include_xml: true diff --git a/packages/windows/data_stream/applocker_msi_and_script/agent/stream/winlog.yml.hbs b/packages/windows/data_stream/applocker_msi_and_script/agent/stream/winlog.yml.hbs index f228697bc26..9a88a2d1d18 100644 --- a/packages/windows/data_stream/applocker_msi_and_script/agent/stream/winlog.yml.hbs +++ b/packages/windows/data_stream/applocker_msi_and_script/agent/stream/winlog.yml.hbs @@ -14,6 +14,14 @@ tags: {{#each tags as |tag|}} - {{tag}} {{/each}} +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{else}} +{{#if preserve_original_event}} +tags: + - preserve_original_event +{{/if}} {{/if}} {{#if preserve_original_event}} include_xml: true diff --git a/packages/windows/data_stream/applocker_packaged_app_deployment/agent/stream/winlog.yml.hbs b/packages/windows/data_stream/applocker_packaged_app_deployment/agent/stream/winlog.yml.hbs index 48e1042f06c..6e33c9d4673 100644 
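Review bot: The new `{{else}}` branch emits a second `tags:` key in the template source, which reads as a duplicate until one notices it sits in the other arm of `{{#if tags.length}}`; a handlebars comment such as `{{!-- preserve_original_event must add its tag whether or not the user configured any tags --}}` above the first `{{#if preserve_original_event}}` would make the intent clear. The identical block is pasted into applocker_msi_and_script, applocker_packaged_app_deployment, applocker_packaged_app_execution, forwarded, powershell, powershell_operational and sysmon_operational in this commit, so the comment, and any future correction, has to be applied in all eight templates.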
--- a/packages/windows/data_stream/applocker_packaged_app_deployment/agent/stream/winlog.yml.hbs +++ b/packages/windows/data_stream/applocker_packaged_app_deployment/agent/stream/winlog.yml.hbs @@ -14,6 +14,14 @@ tags: {{#each tags as |tag|}} - {{tag}} {{/each}} +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{else}} +{{#if preserve_original_event}} +tags: + - preserve_original_event +{{/if}} {{/if}} {{#if preserve_original_event}} include_xml: true diff --git a/packages/windows/data_stream/applocker_packaged_app_execution/agent/stream/winlog.yml.hbs b/packages/windows/data_stream/applocker_packaged_app_execution/agent/stream/winlog.yml.hbs index ff81f22a6c0..a14840d4d7c 100644 --- a/packages/windows/data_stream/applocker_packaged_app_execution/agent/stream/winlog.yml.hbs +++ b/packages/windows/data_stream/applocker_packaged_app_execution/agent/stream/winlog.yml.hbs @@ -14,6 +14,14 @@ tags: {{#each tags as |tag|}} - {{tag}} {{/each}} +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{else}} +{{#if preserve_original_event}} +tags: + - preserve_original_event +{{/if}} {{/if}} {{#if preserve_original_event}} include_xml: true diff --git a/packages/windows/data_stream/forwarded/agent/stream/winlog.yml.hbs b/packages/windows/data_stream/forwarded/agent/stream/winlog.yml.hbs index 89b422f0d48..f3708f9de89 100644 --- a/packages/windows/data_stream/forwarded/agent/stream/winlog.yml.hbs +++ b/packages/windows/data_stream/forwarded/agent/stream/winlog.yml.hbs @@ -11,9 +11,17 @@ language: {{language}} {{/if}} {{#if tags.length}} tags: -{{#each tags as |tag i|}} +{{#each tags as |tag|}} - {{tag}} {{/each}} +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{else}} +{{#if preserve_original_event}} +tags: + - preserve_original_event +{{/if}} {{/if}} {{#if preserve_original_event}} include_xml: true 
diff --git a/packages/windows/data_stream/powershell/agent/stream/winlog.yml.hbs b/packages/windows/data_stream/powershell/agent/stream/winlog.yml.hbs index ff24e2b09f8..ff14f89bdde 100644 --- a/packages/windows/data_stream/powershell/agent/stream/winlog.yml.hbs +++ b/packages/windows/data_stream/powershell/agent/stream/winlog.yml.hbs @@ -11,9 +11,17 @@ language: {{language}} {{/if}} {{#if tags.length}} tags: -{{#each tags as |tag i|}} +{{#each tags as |tag|}} - {{tag}} {{/each}} +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{else}} +{{#if preserve_original_event}} +tags: + - preserve_original_event +{{/if}} {{/if}} {{#if preserve_original_event}} include_xml: true diff --git a/packages/windows/data_stream/powershell_operational/agent/stream/winlog.yml.hbs b/packages/windows/data_stream/powershell_operational/agent/stream/winlog.yml.hbs index bf3f5372e23..39823fbf542 100644 --- a/packages/windows/data_stream/powershell_operational/agent/stream/winlog.yml.hbs +++ b/packages/windows/data_stream/powershell_operational/agent/stream/winlog.yml.hbs @@ -11,9 +11,17 @@ language: {{language}} {{/if}} {{#if tags.length}} tags: -{{#each tags as |tag i|}} +{{#each tags as |tag|}} - {{tag}} {{/each}} +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{else}} +{{#if preserve_original_event}} +tags: + - preserve_original_event +{{/if}} {{/if}} {{#if preserve_original_event}} include_xml: true diff --git a/packages/windows/data_stream/sysmon_operational/agent/stream/winlog.yml.hbs b/packages/windows/data_stream/sysmon_operational/agent/stream/winlog.yml.hbs index 54e04d5a428..e15ed072204 100644 --- a/packages/windows/data_stream/sysmon_operational/agent/stream/winlog.yml.hbs +++ b/packages/windows/data_stream/sysmon_operational/agent/stream/winlog.yml.hbs 
@@ -11,9 +11,17 @@ language: {{language}} {{/if}} {{#if tags.length}} tags: -{{#each tags as |tag i|}} +{{#each tags as |tag|}} - {{tag}} {{/each}} +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{else}} +{{#if preserve_original_event}} +tags: + - preserve_original_event +{{/if}} {{/if}} {{#if preserve_original_event}} include_xml: true diff --git a/packages/windows/manifest.yml b/packages/windows/manifest.yml index a902c901b9d..a5f7ba95e8f 100644 --- a/packages/windows/manifest.yml +++ b/packages/windows/manifest.yml @@ -1,6 +1,6 @@ name: windows title: Windows -version: 1.45.0 +version: 1.45.1 description: Collect logs and metrics from Windows OS and services with Elastic Agent. type: integration categories: From fbd39468c706d5d631acf8d532ce7fdbdb57cda6 Mon Sep 17 00:00:00 2001 From: Nic Date: Tue, 25 Jun 2024 04:02:02 -0500 Subject: [PATCH 046/105] [winlog] Preserve original event when toggled on (#10198) * Fix preserve original event. * Make fix work and add for all other Windows data streams * Update PR number * Fix preserve event for winlog * Revert "Make fix work and add for all other Windows data streams" This reverts commit 751aaa9ba88f68d75e4d3839fe1fc65c830d7ff2. * Revert "Update PR number" This reverts commit 3b4a68af74d9e08050080e58736fe074d4b0f2bc. * Revert "Fix preserve original event." This reverts commit d9e44b8e6719e81dbe80c1493838605bed672f0a. --- packages/winlog/agent/input/winlog.yml.hbs | 16 ++++++++++++---- packages/winlog/changelog.yml | 7 ++++++- packages/winlog/manifest.yml | 2 +- 3 files changed, 19 insertions(+), 6 deletions(-) diff --git a/packages/winlog/agent/input/winlog.yml.hbs b/packages/winlog/agent/input/winlog.yml.hbs index d513725eb47..c542a8355c3 100644 --- a/packages/winlog/agent/input/winlog.yml.hbs +++ b/packages/winlog/agent/input/winlog.yml.hbs 
@@ -2,9 +2,6 @@ condition: ${host.platform} == 'windows'
 data_stream:
 dataset: {{data_stream.dataset}}
 name: {{channel}}
-{{#if preserve_original_event}}
-include_xml: true
-{{/if}}
 {{#if providers}}
 provider:
 {{#each providers as |p|}}
@@ -22,9 +19,20 @@ language: {{language}}
 {{/if}}
 {{#if tags.length}}
 tags:
-{{#each tags as |tag i|}}
+{{#each tags as |tag|}}
 - {{tag}}
 {{/each}}
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{else}}
+{{#if preserve_original_event}}
+tags:
+ - preserve_original_event
+{{/if}}
+{{/if}}
+{{#if preserve_original_event}}
+include_xml: true
 {{/if}}
 {{#if pipeline}}
 pipeline: {{pipeline}}
diff --git a/packages/winlog/changelog.yml b/packages/winlog/changelog.yml
index f22a9629d67..766059fcb08 100644
--- a/packages/winlog/changelog.yml
+++ b/packages/winlog/changelog.yml
@@ -1,10 +1,15 @@
 # newer versions go on top
+- version: "2.1.2"
+ changes:
+ - description: Add missing preserve_original_event tag when toggled on for Winlog
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/99999
 - version: "2.1.1"
 changes:
 - description: Changed owners
 type: enhancement
 link: https://github.com/elastic/integrations/pull/8943
-- version: 2.1.0
+- version: "2.1.0"
 changes:
 - description: ECS version updated to 8.11.0.
 type: enhancement
diff --git a/packages/winlog/manifest.yml b/packages/winlog/manifest.yml
index 3a5276dd35a..64eb5c2aefc 100644
--- a/packages/winlog/manifest.yml
+++ b/packages/winlog/manifest.yml
@@ -3,7 +3,7 @@ name: winlog
 title: Custom Windows Event Logs
 description: Collect and parse logs from any Windows event log channel with Elastic Agent.
 type: input
-version: "2.1.1"
+version: "2.1.2"
 conditions:
 kibana:
 version: '^8.10.1'
From 0a5f9cda5ffd64e78535fdf0b7c9e43037733e86 Mon Sep 17 00:00:00 2001
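Review bot: The changelog entry added for 2.1.2 links to `https://github.com/elastic/integrations/pull/99999`, which reads as a placeholder rather than the pull request number given in the subject line; package changelog links are surfaced to users, so the line should become `link: https://github.com/elastic/integrations/pull/10198` before this ships. The commit body records that an "Update PR number" commit was reverted, which is presumably how the placeholder survived. The quoting change on the `2.1.0` entry is harmless but unrelated to the subject of the commit.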
From: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com> Date: Tue, 25 Jun 2024 09:03:48 -0400 Subject: [PATCH 047/105] [Security Rules] Update security rules package to v8.14.4-beta.1 (#10239) --- .../security_detection_engine/changelog.yml | 5 + ...9cab4-dbbd-4a3f-9e8e-1287c7c11ae5_106.json | 67 ++++++ ...c41e478-5263-4c69-8f9e-7dfd2c22da64_7.json | 142 ++++++++++++ ...c5dd5-838b-446e-b1ac-c995c7f8108a_105.json | 80 +++++++ ...1d055-5c66-4adf-9c59-fc0fa58336a5_105.json | 78 +++++++ ...1d055-5c66-4adf-9c71-fc0fa58338c7_104.json | 72 ++++++ ...1d055-5c66-4adf-9d60-fc0fa58337b6_105.json | 73 ++++++ ...1d055-5c66-4adf-9d82-fc0fa58449c8_104.json | 59 +++++ ...1d055-5c66-4adf-9e93-fc0fa69550c9_104.json | 66 ++++++ ...68559-b274-4948-ad0b-f8415bb31126_104.json | 43 ++++ ...92657ba-ab0e-4901-89a2-911d611eee98_2.json | 166 ++++++++++++++ ...e8096-e2b0-4bd8-80c9-34a820813fff_209.json | 43 ++++ ...fc667-9ff1-4b33-9f40-fefca8537eb0_104.json | 77 +++++++ ...ec04b-d902-4f89-8aff-92cd9043c16f_104.json | 69 ++++++ ...3f18264-2d6d-11ef-9413-f661ea17fbce_1.json | 75 +++++++ ...6e1bc-867a-11ee-b13e-f661ea17fbcd_101.json | 60 +++++ ...86980-1fb1-4dff-b311-3be941549c8d_104.json | 43 ++++ ...a657da0-1df2-11ef-a327-f661ea17fbcc_1.json | 97 ++++++++ ...e32e6-6104-46d9-a06e-da0f8b5795a0_104.json | 47 ++++ ...0272b-9724-4bc6-a3ca-f1532b81e5c2_104.json | 66 ++++++ ...a342e-03fb-42d0-8656-0367eb2dead5_105.json | 95 ++++++++ ...804f5-b289-43d6-a881-9387cf594f75_105.json | 73 ++++++ ...834ca-f861-414c-8602-150d5505b777_102.json | 74 +++++++ ...fbdc5-db15-485e-bc24-f5707f820c4b_104.json | 45 ++++ ...7bfa0a9-37c0-44d6-b724-54bf16787492_1.json | 109 +++++++++ ...56272-1998-4b8c-be14-e287035c4d10_105.json | 62 ++++++ ...83105-4681-46c3-9890-0c66d05e776b_104.json | 62 ++++++ ...d676480-9655-4507-adc6-4eec311efff8_1.json | 98 ++++++++ ...fc812-7996-4795-8869-9c4ea595fe88_105.json | 74 +++++++ ...96015ef-718e-40ff-ac4a-cc2ba88dbeeb_1.json | 87 ++++++++ 
...48b96-c922-4adb-b51c-b767f1ea5b76_109.json | 74 +++++++ ...0d56f-5c0e-4ac6-aece-bee96645b172_106.json | 89 ++++++++ ...b0119-0560-43ba-860a-7235dd8cee8d_105.json | 68 ++++++ ...edc4c-c54c-49c6-97a1-651223819448_104.json | 68 ++++++ ...3d8d9-b476-451d-a9e0-7a5addd70670_209.json | 43 ++++ ...b70d3-e2c3-455e-af1b-2626a5a1a276_209.json | 43 ++++ ...94326d2-56c0-4342-b553-4abfaf421b5b_1.json | 88 ++++++++ ...02f01-969f-4167-8d77-07827ac4cee0_104.json | 68 ++++++ ...02f01-969f-4167-8f55-07827ac3acc9_104.json | 68 ++++++ ...02f01-969f-4167-8f66-07827ac3bdd9_104.json | 61 +++++ ...75852-b0f5-4b8b-89c3-a226efae5726_207.json | 113 ++++++++++ ...4e734c0-2cda-11ef-84e1-f661ea17fbce_1.json | 75 +++++++ ...5b99adc-2cda-11ef-84e1-f661ea17fbce_1.json | 75 +++++++ ...cf974-6587-4f65-9252-d866a3fdfd9c_105.json | 68 ++++++ ...02377-d226-4e12-b54c-1906b5aec4f6_104.json | 69 ++++++ ...61809f3-fb5b-465c-8bff-23a8a068ac60_7.json | 127 +++++++++++ ...ab184d3-72b3-4639-b242-6597c99d8bca_8.json | 209 ++++++++++++++++++ ...e61a8-c560-4dbd-acca-1e1438bff36b_104.json | 69 ++++++ ...06eae-d5ec-4b14-b4fd-e8ba8086f0e1_209.json | 43 ++++ ...0bfb8-26b7-4e5e-924e-218144a3fa71_104.json | 43 ++++ ...7b919-665f-4aac-b9e8-68369bf2340c_104.json | 66 ++++++ ...66b7e2b-d50a-49b9-a6fc-3a383baedc6b_1.json | 142 ++++++++++++ ...42eb2-583c-439f-b04d-1fdd7c1417cc_104.json | 48 ++++ ...c4d8c-f014-40ef-88b6-79a1d67cd499_104.json | 62 ++++++ ...b5533-ca2a-41f6-a8b0-ee98abe0f573_105.json | 44 ++++ ...6a419-9b3f-4f57-8ff8-ac4cd2d5f530_104.json | 69 ++++++ ...f3a06-1e0a-48ec-b96a-faf2309fae46_104.json | 62 ++++++ ...73fa0-9d43-465e-b8bf-50230da6718b_104.json | 66 ++++++ ...5c059-c19a-4a96-8ae3-41496ef3bcf9_104.json | 66 ++++++ ...93e61db-82d6-4095-99aa-714988118064_1.json | 129 +++++++++++ ...28dee-c999-400f-b640-50a081cc0fd1_209.json | 43 ++++ ...97323-72a8-46a9-a08e-3f5b04a4a97a_104.json | 69 ++++++ ...aed74-c816-40d3-a810-48d6fbd8b2fd_105.json | 96 ++++++++ ...77d63-9679-4ce3-be25-3ba8b795e5fa_104.json | 43 
++++ ...3e22c8b-ea47-45d1-b502-b57b6de950b3_7.json | 137 ++++++++++++ ...90f47-6bd5-4a49-bd49-a2f886476fb9_105.json | 62 ++++++ .../security_detection_engine/manifest.yml | 2 +- 67 files changed, 4973 insertions(+), 1 deletion(-) create mode 100644 packages/security_detection_engine/kibana/security_rule/0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5_106.json create mode 100644 packages/security_detection_engine/kibana/security_rule/0c41e478-5263-4c69-8f9e-7dfd2c22da64_7.json create mode 100644 packages/security_detection_engine/kibana/security_rule/138c5dd5-838b-446e-b1ac-c995c7f8108a_105.json create mode 100644 packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9c59-fc0fa58336a5_105.json create mode 100644 packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9c71-fc0fa58338c7_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9d60-fc0fa58337b6_105.json create mode 100644 packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9d82-fc0fa58449c8_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9e93-fc0fa69550c9_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/17e68559-b274-4948-ad0b-f8415bb31126_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/192657ba-ab0e-4901-89a2-911d611eee98_2.json create mode 100644 packages/security_detection_engine/kibana/security_rule/19de8096-e2b0-4bd8-80c9-34a820813fff_209.json create mode 100644 packages/security_detection_engine/kibana/security_rule/1e9fc667-9ff1-4b33-9f40-fefca8537eb0_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/1faec04b-d902-4f89-8aff-92cd9043c16f_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/23f18264-2d6d-11ef-9413-f661ea17fbce_1.json create mode 100644 
packages/security_detection_engine/kibana/security_rule/2e56e1bc-867a-11ee-b13e-f661ea17fbcd_101.json create mode 100644 packages/security_detection_engine/kibana/security_rule/35f86980-1fb1-4dff-b311-3be941549c8d_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/3a657da0-1df2-11ef-a327-f661ea17fbcc_1.json create mode 100644 packages/security_detection_engine/kibana/security_rule/3c7e32e6-6104-46d9-a06e-da0f8b5795a0_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/4330272b-9724-4bc6-a3ca-f1532b81e5c2_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/445a342e-03fb-42d0-8656-0367eb2dead5_105.json create mode 100644 packages/security_detection_engine/kibana/security_rule/46f804f5-b289-43d6-a881-9387cf594f75_105.json create mode 100644 packages/security_detection_engine/kibana/security_rule/493834ca-f861-414c-8602-150d5505b777_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/52afbdc5-db15-485e-bc24-f5707f820c4b_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/57bfa0a9-37c0-44d6-b724-54bf16787492_1.json create mode 100644 packages/security_detection_engine/kibana/security_rule/59756272-1998-4b8c-be14-e287035c4d10_105.json create mode 100644 packages/security_detection_engine/kibana/security_rule/5c983105-4681-46c3-9890-0c66d05e776b_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/5d676480-9655-4507-adc6-4eec311efff8_1.json create mode 100644 packages/security_detection_engine/kibana/security_rule/647fc812-7996-4795-8869-9c4ea595fe88_105.json create mode 100644 packages/security_detection_engine/kibana/security_rule/696015ef-718e-40ff-ac4a-cc2ba88dbeeb_1.json create mode 100644 packages/security_detection_engine/kibana/security_rule/6d448b96-c922-4adb-b51c-b767f1ea5b76_109.json create mode 100644 
packages/security_detection_engine/kibana/security_rule/6e40d56f-5c0e-4ac6-aece-bee96645b172_106.json create mode 100644 packages/security_detection_engine/kibana/security_rule/745b0119-0560-43ba-860a-7235dd8cee8d_105.json create mode 100644 packages/security_detection_engine/kibana/security_rule/746edc4c-c54c-49c6-97a1-651223819448_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/78d3d8d9-b476-451d-a9e0-7a5addd70670_209.json create mode 100644 packages/security_detection_engine/kibana/security_rule/809b70d3-e2c3-455e-af1b-2626a5a1a276_209.json create mode 100644 packages/security_detection_engine/kibana/security_rule/894326d2-56c0-4342-b553-4abfaf421b5b_1.json create mode 100644 packages/security_detection_engine/kibana/security_rule/91f02f01-969f-4167-8d77-07827ac4cee0_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/91f02f01-969f-4167-8f55-07827ac3acc9_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/91f02f01-969f-4167-8f66-07827ac3bdd9_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/93075852-b0f5-4b8b-89c3-a226efae5726_207.json create mode 100644 packages/security_detection_engine/kibana/security_rule/94e734c0-2cda-11ef-84e1-f661ea17fbce_1.json create mode 100644 packages/security_detection_engine/kibana/security_rule/95b99adc-2cda-11ef-84e1-f661ea17fbce_1.json create mode 100644 packages/security_detection_engine/kibana/security_rule/99dcf974-6587-4f65-9252-d866a3fdfd9c_105.json create mode 100644 packages/security_detection_engine/kibana/security_rule/9d302377-d226-4e12-b54c-1906b5aec4f6_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/a61809f3-fb5b-465c-8bff-23a8a068ac60_7.json create mode 100644 packages/security_detection_engine/kibana/security_rule/aab184d3-72b3-4639-b242-6597c99d8bca_8.json create mode 100644 
packages/security_detection_engine/kibana/security_rule/abae61a8-c560-4dbd-acca-1e1438bff36b_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1_209.json create mode 100644 packages/security_detection_engine/kibana/security_rule/b240bfb8-26b7-4e5e-924e-218144a3fa71_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/b347b919-665f-4aac-b9e8-68369bf2340c_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/b66b7e2b-d50a-49b9-a6fc-3a383baedc6b_1.json create mode 100644 packages/security_detection_engine/kibana/security_rule/ba342eb2-583c-439f-b04d-1fdd7c1417cc_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/c28c4d8c-f014-40ef-88b6-79a1d67cd499_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/c7db5533-ca2a-41f6-a8b0-ee98abe0f573_105.json create mode 100644 packages/security_detection_engine/kibana/security_rule/cd66a419-9b3f-4f57-8ff8-ac4cd2d5f530_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/d4af3a06-1e0a-48ec-b96a-faf2309fae46_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/d4b73fa0-9d43-465e-b8bf-50230da6718b_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/d7d5c059-c19a-4a96-8ae3-41496ef3bcf9_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/d93e61db-82d6-4095-99aa-714988118064_1.json create mode 100644 packages/security_detection_engine/kibana/security_rule/dca28dee-c999-400f-b640-50a081cc0fd1_209.json create mode 100644 packages/security_detection_engine/kibana/security_rule/df197323-72a8-46a9-a08e-3f5b04a4a97a_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/e26aed74-c816-40d3-a810-48d6fbd8b2fd_105.json create mode 100644 
packages/security_detection_engine/kibana/security_rule/eaa77d63-9679-4ce3-be25-3ba8b795e5fa_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/f3e22c8b-ea47-45d1-b502-b57b6de950b3_7.json create mode 100644 packages/security_detection_engine/kibana/security_rule/f9590f47-6bd5-4a49-bd49-a2f886476fb9_105.json diff --git a/packages/security_detection_engine/changelog.yml b/packages/security_detection_engine/changelog.yml index 930b4af4558..9d6ec7e5784 100644 --- a/packages/security_detection_engine/changelog.yml +++ b/packages/security_detection_engine/changelog.yml @@ -1,5 +1,10 @@ # newer versions go on top # NOTE: please use pre-release versions (e.g. -beta.0) until a package is ready for production +- version: 8.14.4-beta.1 + changes: + - description: Release security rules update + type: enhancement + link: https://github.com/elastic/integrations/pull/10239 - version: 8.14.3 changes: - description: Release security rules update diff --git a/packages/security_detection_engine/kibana/security_rule/0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5_106.json b/packages/security_detection_engine/kibana/security_rule/0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5_106.json new file mode 100644 index 00000000000..a585b9fbcc4 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5_106.json 
@@ -0,0 +1,67 @@ +{ + "attributes": { + "anomaly_threshold": 50, + "author": [ + "Elastic" + ], + "description": "Identifies unusual parent-child process relationships that can indicate malware execution or persistence mechanisms. Malicious scripts often call on other applications and processes as part of their exploit payload. For example, when a malicious Office document runs scripts as part of an exploit payload, Excel or Word may start a script interpreter process, which, in turn, runs a script that downloads and executes malware. Another common scenario is Outlook running an unusual process when malware is downloaded in an email. Monitoring and identifying anomalous process relationships is a method of detecting new and emerging malware that is not yet recognized by anti-virus scanners.", + "false_positives": [ + "Users running scripts in the course of technical support operations of software upgrades could trigger this alert. A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert." + ], + "from": "now-45m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": [ + "v3_windows_anomalous_process_creation" + ], + "name": "Anomalous Windows Process Creation", + "note": "## Triage and analysis\n\n### Investigating Anomalous Windows Process Creation\n\nSearching for abnormal Windows processes is a good methodology to find potentially malicious activity within a network. 
Understanding what is commonly run within an environment and developing baselines for legitimate activity can help uncover potential malware and suspicious behaviors.\n\nThis rule uses a machine learning job to detect an anomalous Windows process with an unusual parent-child relationship, which could indicate malware execution or persistence activities on the host machine.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious.\n - Investigate the process metadata \u2014 such as the digital signature, directory, etc. \u2014 to obtain more context that can indicate whether the executable is associated with an expected software vendor or package.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Consider the user as identified by the `user.name` field. 
Is this program part of an expected workflow for the user who ran this program on this host?\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Validate if the activity has a consistent cadence (for example, if it runs monthly or quarterly), as it could be part of a monthly or quarterly business process.\n- Examine the arguments and working directory of the process. These may provide indications as to the source of the program or the nature of the tasks it is performing.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - 
!{osquery{\"label\":\"Retrieve Service Unisgned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Related Rules\n\n- Unusual Process For a Windows Host - 6d448b96-c922-4adb-b51c-b767f1ea5b76\n- Unusual Windows Path Activity - 445a342e-03fb-42d0-8656-0367eb2dead5\n- Unusual Windows Process Calling the Metadata Service - abae61a8-c560-4dbd-acca-1e1438bff36b\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- 
Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "risk_score": 21, + "rule_id": "0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5", + "setup": "## Setup\n\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:\n- Elastic Defend\n- Windows\n\n### Anomaly Detection Setup\n\nOnce the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \"Definition\" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration to your system:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Windows Integration Setup\nThe Windows integration allows you to monitor the Windows OS, services, applications, and more.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"windows\" to your system:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cWindows\u201d and select the integration to see more details about it.\n- Click \u201cAdd Windows\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cwindows\u201d to an existing or a new agent policy, and deploy the agent on your system from which windows log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/windows).\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Persistence", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1543", + "name": "Create or Modify System Process", + "reference": 
"https://attack.mitre.org/techniques/T1543/" + } + ] + } + ], + "type": "machine_learning", + "version": 106 + }, + "id": "0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0c41e478-5263-4c69-8f9e-7dfd2c22da64_7.json b/packages/security_detection_engine/kibana/security_rule/0c41e478-5263-4c69-8f9e-7dfd2c22da64_7.json new file mode 100644 index 00000000000..c7acf5e1e74 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/0c41e478-5263-4c69-8f9e-7dfd2c22da64_7.json 
@@ -0,0 +1,142 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule is triggered when an IP address indicator from the Threat Intel Filebeat module or integrations has a match against a network event.", + "from": "now-65m", + "index": [ + "auditbeat-*", + "endgame-*", + "filebeat-*", + "logs-*", + "packetbeat-*", + "winlogbeat-*" + ], + "interval": "1h", + "language": "kuery", + "license": "Elastic License v2", + "name": "Threat Intel IP Address Indicator Match", + "note": "## Triage and Analysis\n\n### Investigating Threat Intel IP Address Indicator Match\n\nThreat Intel indicator match rules allow matching from a local observation, such as an endpoint event that records a file hash with an entry of a file hash stored within the Threat Intel integrations index.\n\nMatches are based on threat intelligence data that's been ingested during the last 30 days. Some integrations don't place expiration dates on their threat indicators, so we strongly recommend validating ingested threat indicators and reviewing match results. When reviewing match results, check associated activity to determine whether the event requires additional investigation.\n\nThis rule is triggered when an IP address indicator from the Threat Intel Filebeat module or a threat intelligence integration matches against a network event.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Gain context about the field that matched the local observation so you can understand the nature of the connection. 
This information can be found in the `threat.indicator.matched.field` field.\n- Investigate the IP address, which can be found in the `threat.indicator.matched.atomic` field:\n - Check the reputation of the IP address in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n - Execute a reverse DNS lookup to retrieve hostnames associated with the given IP address.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Identify the process responsible for the connection, and investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Retrieve the involved process executable and examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, 
display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n- Using the data collected through the analysis, scope users targeted and other machines infected in the environment.\n\n### False Positive Analysis\n\n- When a match is found, it's important to consider the indicator's initial release date. Threat intelligence is useful for augmenting existing security processes but can quickly become outdated. In other words, some threat intelligence only represents a specific set of activity observed at a specific time. For example, an IP address may have hosted malware observed in a Dridex campaign months ago, but it's possible that IP has been remediated and no longer represents any threat.\n- False positives might occur after large and publicly written campaigns if curious employees interact with attacker infrastructure.\n- Some feeds may include internal or known benign addresses by mistake (e.g., 8.8.8.8, google.com, 127.0.0.1, etc.). 
Make sure you understand how blocking a specific domain or address might impact the organization or normal system functioning.\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "source.ip:* or destination.ip:*\n", + "references": [ + "https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-threatintel.html", + "https://www.elastic.co/guide/en/security/master/es-threat-intel-integrations.html", + "https://www.elastic.co/security/tip" + ], + "required_fields": [ + { + "ecs": true, + "name": "destination.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "source.ip", + "type": "ip" + } + ], + "risk_score": 99, + "rule_id": "0c41e478-5263-4c69-8f9e-7dfd2c22da64", + "setup": "## Setup\n\nThis rule needs threat intelligence indicators to work.\nThreat intelligence indicators can be collected using an [Elastic Agent 
integration](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#agent-ti-integration),\nthe [Threat Intel module](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#ti-mod-integration),\nor a [custom integration](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#custom-ti-integration).\n\nMore information can be found [here](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html).\n", + "severity": "critical", + "tags": [ + "OS: Windows", + "Data Source: Elastic Endgame", + "Rule Type: Threat Match" + ], + "threat_filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "disabled": false, + "key": "event.category", + "negate": false, + "params": { + "query": "threat" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.category": "threat" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "disabled": false, + "key": "event.kind", + "negate": false, + "params": { + "query": "enrichment" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.kind": "enrichment" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "disabled": false, + "key": "event.type", + "negate": false, + "params": { + "query": "indicator" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.type": "indicator" + } + } + } + ], + "threat_index": [ + "filebeat-*", + "logs-ti_*" + ], + "threat_indicator_path": "threat.indicator", + "threat_language": "kuery", + "threat_mapping": [ + { + "entries": [ + { + "field": "source.ip", + "type": "mapping", + "value": "threat.indicator.ip" + } + ] + }, + { + "entries": [ + { + "field": "destination.ip", + "type": "mapping", + "value": "threat.indicator.ip" + } + ] + } + ], + "threat_query": "@timestamp >= \"now-30d/d\" and event.module:(threatintel or ti_*) and threat.indicator.ip:* and not labels.is_ioc_transform_source:\"true\"", + 
"timeline_id": "495ad7a7-316e-4544-8a0f-9c098daee76e", + "timeline_title": "Generic Threat Match Timeline", + "timestamp_override": "event.ingested", + "type": "threat_match", + "version": 7 + }, + "id": "0c41e478-5263-4c69-8f9e-7dfd2c22da64_7", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/138c5dd5-838b-446e-b1ac-c995c7f8108a_105.json b/packages/security_detection_engine/kibana/security_rule/138c5dd5-838b-446e-b1ac-c995c7f8108a_105.json new file mode 100644 index 00000000000..35276222da4 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/138c5dd5-838b-446e-b1ac-c995c7f8108a_105.json 
@@ -0,0 +1,80 @@ +{ + "attributes": { + "anomaly_threshold": 75, + "author": [ + "Elastic" + ], + "description": "A machine learning job found an unusual user name in the authentication logs. An unusual user name is one way of detecting credentialed access by means of a new or dormant user account. An inactive user account (because the user has left the organization) that becomes active may be due to credentialed access using a compromised account password. Threat actors will sometimes also create new users as a means of persisting in a compromised web application.", + "false_positives": [ + "User accounts that are rarely active, such as a site reliability engineer (SRE) or developer logging into a production server for troubleshooting, may trigger this alert. Under some conditions, a newly created user account may briefly trigger this alert while the model is learning." + ], + "from": "now-30m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": "auth_rare_user", + "name": "Rare User Logon", + "note": "## Triage and analysis\n\n### Investigating Rare User Logon\n\nThis rule uses a machine learning job to detect an unusual user name in authentication logs, which could detect new accounts created for persistence.\n\n#### Possible investigation steps\n\n- Check if the user was newly created and if the company policies were followed.\n - Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the involved users during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n\n### False positive analysis\n\n- Accounts that are used for specific purposes \u2014 and therefore not normally active \u2014 may trigger the alert.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Investigate 
credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" + ], + "related_integrations": [ + { + "package": "auditd_manager", + "version": "^1.0.0" + }, + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "system", + "version": "^1.6.4" + } + ], + "risk_score": 21, + "rule_id": "138c5dd5-838b-446e-b1ac-c995c7f8108a", + "setup": "## Setup\n\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:\n- Elastic Defend\n- Auditd Manager\n- System\n\n### Anomaly Detection Setup\n\nOnce the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \"Definition\" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration to your system:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditd Manager Integration Setup\nThe Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.\nAuditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"auditd_manager\" to your system:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cAuditd Manager\u201d and select the integration to see more details about it.\n- Click \u201cAdd Auditd Manager\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cauditd manager\u201d to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).\n\n#### Rule Specific Setup Note\nAuditd Manager subscribes to the kernel and 
receives events as they occur without any additional configuration.\nHowever, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n- For this detection rule no additional audit rules are required.\n\n### System Integration Setup\nThe System integration allows you to collect system logs and metrics from your servers with Elastic Agent.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"system\" to your system:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cSystem\u201d and select the integration to see more details about it.\n- Click \u201cAdd System\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201csystem\u201d to an existing or a new agent policy, and deploy the agent on your system from which system log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/system).\n", + "severity": "low", + "tags": [ + "Use Case: Identity and Access Audit", + "Use Case: Threat Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Initial Access", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/", + "subtechnique": [ + { + "id": "T1078.002", + "name": "Domain Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/002/" + }, + { + "id": 
"T1078.003", + "name": "Local Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/003/" + } + ] + } + ] + } + ], + "type": "machine_learning", + "version": 105 + }, + "id": "138c5dd5-838b-446e-b1ac-c995c7f8108a_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9c59-fc0fa58336a5_105.json b/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9c59-fc0fa58336a5_105.json new file mode 100644 index 00000000000..e02c6a7becb --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9c59-fc0fa58336a5_105.json 
@@ -0,0 +1,78 @@ +{ + "attributes": { + "anomaly_threshold": 50, + "author": [ + "Elastic" + ], + "description": "A machine learning job detected activity for a username that is not normally active, which can indicate unauthorized changes, activity by unauthorized users, lateral movement, or compromised credentials. In many organizations, new usernames are not often created apart from specific types of system activities, such as creating new accounts for new employees. These user accounts quickly become active and routine. Events from rarely used usernames can point to suspicious activity. Additionally, automated Linux fleets tend to see activity from rarely used usernames only when personnel log in to make authorized or unauthorized changes, or threat actors have acquired credentials and log in for malicious purposes. Unusual usernames can also indicate pivoting, where compromised credentials are used to try and move laterally from one host to another.", + "false_positives": [ + "Uncommon user activity can be due to an administrator or help desk technician logging onto a workstation or server in order to perform manual troubleshooting or reconfiguration." + ], + "from": "now-45m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": [ + "v3_windows_anomalous_user_name" + ], + "name": "Unusual Windows Username", + "note": "## Triage and analysis\n\n### Investigating an Unusual Windows User\nDetection alerts from this rule indicate activity for a Windows user name that is rare and unusual. Here are some possible avenues of investigation:\n- Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host? Could this be related to occasional troubleshooting or support activity?\n- Examine the history of user activity. If this user only manifested recently, it might be a service account for a new software package. 
If it has a consistent cadence (for example if it runs monthly or quarterly), it might be part of a monthly or quarterly business process.\n- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks that the user is performing.\n- Consider the same for the parent process. If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious.", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "risk_score": 21, + "rule_id": "1781d055-5c66-4adf-9c59-fc0fa58336a5", + "setup": "## Setup\n\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:\n- Elastic Defend\n- Windows\n\n### Anomaly Detection Setup\n\nOnce the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \"Definition\" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration to your system:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Windows Integration Setup\nThe Windows integration allows you to monitor the Windows OS, services, applications, and more.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"windows\" to your system:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cWindows\u201d and select the integration to see more details about it.\n- Click \u201cAdd Windows\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cwindows\u201d to an existing or a new agent policy, and deploy the agent on your system from which windows log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/windows).\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Initial Access" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/", + 
"subtechnique": [ + { + "id": "T1078.002", + "name": "Domain Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/002/" + }, + { + "id": "T1078.003", + "name": "Local Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/003/" + } + ] + } + ] + } + ], + "type": "machine_learning", + "version": 105 + }, + "id": "1781d055-5c66-4adf-9c59-fc0fa58336a5_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9c71-fc0fa58338c7_104.json b/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9c71-fc0fa58338c7_104.json new file mode 100644 index 00000000000..096b020c7c6 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9c71-fc0fa58338c7_104.json 
@@ -0,0 +1,72 @@ +{ + "attributes": { + "anomaly_threshold": 50, + "author": [ + "Elastic" + ], + "description": "A machine learning job detected an unusual Windows service, This can indicate execution of unauthorized services, malware, or persistence mechanisms. In corporate Windows environments, hosts do not generally run many rare or unique services. This job helps detect malware and persistence mechanisms that have been installed and run as a service.", + "false_positives": [ + "A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert." + ], + "from": "now-45m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": [ + "v3_windows_anomalous_service" + ], + "name": "Unusual Windows Service", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "risk_score": 21, + "rule_id": "1781d055-5c66-4adf-9c71-fc0fa58338c7", + "setup": "## Setup\n\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:\n- Elastic Defend\n- Windows\n\n### Anomaly Detection Setup\n\nOnce the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \"Definition\" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration to your system:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Windows Integration Setup\nThe Windows integration allows you to monitor the Windows OS, services, applications, and more.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"windows\" to your system:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cWindows\u201d and select the integration to see more details about it.\n- Click \u201cAdd Windows\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cwindows\u201d to an existing or a new agent policy, and deploy the agent on your system from which windows log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/windows).\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1543", + "name": "Create or Modify System Process", + "reference": 
"https://attack.mitre.org/techniques/T1543/", + "subtechnique": [ + { + "id": "T1543.003", + "name": "Windows Service", + "reference": "https://attack.mitre.org/techniques/T1543/003/" + } + ] + } + ] + } + ], + "type": "machine_learning", + "version": 104 + }, + "id": "1781d055-5c66-4adf-9c71-fc0fa58338c7_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9d60-fc0fa58337b6_105.json b/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9d60-fc0fa58337b6_105.json new file mode 100644 index 00000000000..8a365d49c80 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9d60-fc0fa58337b6_105.json 
@@ -0,0 +1,73 @@ +{ + "attributes": { + "anomaly_threshold": 50, + "author": [ + "Elastic" + ], + "description": "A machine learning job detected a PowerShell script with unusual data characteristics, such as obfuscation, that may be a characteristic of malicious PowerShell script text blocks.", + "false_positives": [ + "Certain kinds of security testing may trigger this alert. PowerShell scripts that use high levels of obfuscation or have unusual script block payloads may trigger this alert." + ], + "from": "now-45m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": [ + "v3_windows_anomalous_script" + ], + "name": "Suspicious Powershell Script", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", + "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "risk_score": 21, + "rule_id": "1781d055-5c66-4adf-9d60-fc0fa58337b6", + "setup": "## Setup\n\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:\n- Elastic Defend\n- Windows\n\n### Anomaly Detection Setup\n\nOnce the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \"Definition\" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration to your system:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Windows Integration Setup\nThe Windows integration allows you to monitor the Windows OS, services, applications, and more.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"windows\" to your system:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cWindows\u201d and select the integration to see more details about it.\n- Click \u201cAdd Windows\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cwindows\u201d to an existing or a new agent policy, and deploy the agent on your system from which windows log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/windows).\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Execution" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": 
"https://attack.mitre.org/techniques/T1059/",
+ "subtechnique": [
+ {
+ "id": "T1059.001",
+ "name": "PowerShell",
+ "reference": "https://attack.mitre.org/techniques/T1059/001/"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "type": "machine_learning",
+ "version": 105
+ },
+ "id": "1781d055-5c66-4adf-9d60-fc0fa58337b6_105",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9d82-fc0fa58449c8_104.json b/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9d82-fc0fa58449c8_104.json
new file mode 100644
index 00000000000..1d5fbd713f1
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9d82-fc0fa58449c8_104.json
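Review bot: `machine_learning_job_id` is written as a one-element array here, `["v3_windows_anomalous_script"]`, while the 17e68559 rule later in this patch uses a bare string, `"machine_learning_job_id": "packetbeat_rare_server_domain"`. Both shapes may be accepted by the rule schema, but a key whose type differs between documents of the same package is a classic source of consumer bugs, so one form should be used for every ML rule. The `tags` carry both `Rule Type: ML` and `Rule Type: Machine Learning`, which reads like a rename in progress; if one is being retired, a changelog line saying which one would help downstream filters.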
@@ -0,0 +1,59 @@ +{ + "attributes": { + "anomaly_threshold": 50, + "author": [ + "Elastic" + ], + "description": "A machine learning job detected an unusual user context switch, using the runas command or similar techniques, which can indicate account takeover or privilege escalation using compromised accounts. Privilege elevation using tools like runas are more commonly used by domain and network administrators than by regular Windows users.", + "false_positives": [ + "Uncommon user privilege elevation activity can be due to an administrator, help desk technician, or a user performing manual troubleshooting or reconfiguration." + ], + "from": "now-45m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": [ + "v3_windows_rare_user_runas_event" + ], + "name": "Unusual Windows User Privilege Elevation Activity", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "risk_score": 21, + "rule_id": "1781d055-5c66-4adf-9d82-fc0fa58449c8", + "setup": "## Setup\n\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:\n- Elastic Defend\n- Windows\n\n### Anomaly Detection Setup\n\nOnce the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \"Definition\" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration to your system:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Windows Integration Setup\nThe Windows integration allows you to monitor the Windows OS, services, applications, and more.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"windows\" to your system:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cWindows\u201d and select the integration to see more details about it.\n- Click \u201cAdd Windows\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cwindows\u201d to an existing or a new agent policy, and deploy the agent on your system from which windows log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/windows).\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Privilege Escalation" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [] + } + ], + "type": "machine_learning", + "version": 104 + }, + "id": 
"1781d055-5c66-4adf-9d82-fc0fa58449c8_104",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9e93-fc0fa69550c9_104.json b/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9e93-fc0fa69550c9_104.json
new file mode 100644
index 00000000000..48d5d54d8dc
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9e93-fc0fa69550c9_104.json
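Review bot: The `threat` entry maps tactic TA0004 with `"technique": []`, so the rule carries no ATT&CK technique even though its description ties the behaviour to `runas`-style context switching. A tactic-only mapping is a legitimate choice, but it should be deliberate; if no technique fits, a sentence in `description` saying so avoids readers treating the empty array as an omission. This rule also has no `note` (investigation guide), while the RDP and AWS ML rules in the same patch do; a short triage section naming the user and host fields an analyst should pivot on would make its low-severity alerts actionable.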
@@ -0,0 +1,66 @@ +{ + "attributes": { + "anomaly_threshold": 50, + "author": [ + "Elastic" + ], + "description": "A machine learning job detected an unusual remote desktop protocol (RDP) username, which can indicate account takeover or credentialed persistence using compromised accounts. RDP attacks, such as BlueKeep, also tend to use unusual usernames.", + "false_positives": [ + "Uncommon username activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration." + ], + "from": "now-45m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": [ + "v3_windows_rare_user_type10_remote_login" + ], + "name": "Unusual Windows Remote User", + "note": "## Triage and analysis\n\n### Investigating an Unusual Windows User\nDetection alerts from this rule indicate activity for a rare and unusual Windows RDP (remote desktop) user. Here are some possible avenues of investigation:\n- Consider the user as identified by the username field. Is the user part of a group who normally logs into Windows hosts using RDP (remote desktop protocol)? Is this logon activity part of an expected workflow for the user?\n- Consider the source of the login. 
If the source is remote, could this be related to occasional troubleshooting or support activity by a vendor or an employee working remotely?", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "risk_score": 21, + "rule_id": "1781d055-5c66-4adf-9e93-fc0fa69550c9", + "setup": "## Setup\n\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:\n- Elastic Defend\n- Windows\n\n### Anomaly Detection Setup\n\nOnce the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \"Definition\" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration to your system:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Windows Integration Setup\nThe Windows integration allows you to monitor the Windows OS, services, applications, and more.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"windows\" to your system:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cWindows\u201d and select the integration to see more details about it.\n- Click \u201cAdd Windows\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cwindows\u201d to an existing or a new agent policy, and deploy the agent on your system from which windows log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/windows).\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Initial Access" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/" + } 
+ ]
+ }
+ ],
+ "type": "machine_learning",
+ "version": 104
+ },
+ "id": "1781d055-5c66-4adf-9e93-fc0fa69550c9_104",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/17e68559-b274-4948-ad0b-f8415bb31126_104.json b/packages/security_detection_engine/kibana/security_rule/17e68559-b274-4948-ad0b-f8415bb31126_104.json
new file mode 100644
index 00000000000..61fa6ac6256
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/17e68559-b274-4948-ad0b-f8415bb31126_104.json
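Review bot: The `note` heading reads `### Investigating an Unusual Windows User` while the rule is named `Unusual Windows Remote User`; the heading should match the rule name so the guide is found when analysts search on it. The guide stops after two bullets and, unlike the AWS error-code rule's `note` later in this patch, has no `### False positive analysis` section; at minimum a line recommending that the logon source be checked against known jump hosts or VPN ranges, and that the session be reviewed for follow-on activity, would give the alert a next step. The `note` string also ends without a trailing `\n`, unlike `setup`, which is harmless but inconsistent with the other text fields.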
@@ -0,0 +1,43 @@ +{ + "attributes": { + "anomaly_threshold": 50, + "author": [ + "Elastic" + ], + "description": "A machine learning job detected an unusual network destination domain name. This can be due to initial access, persistence, command-and-control, or exfiltration activity. For example, when a user clicks on a link in a phishing email or opens a malicious document, a request may be sent to download and run a payload from an uncommon web server name. When malware is already running, it may send requests to an uncommon DNS domain the malware uses for command-and-control communication.", + "false_positives": [ + "Web activity that occurs rarely in small quantities can trigger this alert. Possible examples are browsing technical support or vendor URLs that are used very sparsely. A user who visits a new and unique web destination may trigger this alert when the activity is sparse. Web applications that generate URLs unique to a transaction may trigger this when they are used sparsely. Web domains can be excluded in cases such as these." + ], + "from": "now-45m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": "packetbeat_rare_server_domain", + "name": "Unusual Network Destination Domain Name", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" + ], + "related_integrations": [ + { + "package": "auditd_manager", + "version": "^1.0.0" + }, + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "risk_score": 21, + "rule_id": "17e68559-b274-4948-ad0b-f8415bb31126", + "setup": "## Setup\n\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:\n- Elastic Defend\n- Auditd Manager\n\n### Anomaly Detection Setup\n\nOnce the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \"Definition\" panel of the detection rule. 
If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration to your system:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditd Manager Integration Setup\nThe Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.\nAuditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"auditd_manager\" to your system:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cAuditd Manager\u201d and select the integration to see more details about it.\n- Click \u201cAdd Auditd Manager\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cauditd manager\u201d to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).\n\n#### Rule Specific Setup Note\nAuditd Manager subscribes to the kernel and 
receives events as they occur without any additional configuration.\nHowever, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n- For this detection rule no additional audit rules are required.\n",
+ "severity": "low",
+ "tags": [
+ "Use Case: Threat Detection",
+ "Rule Type: ML",
+ "Rule Type: Machine Learning"
+ ],
+ "type": "machine_learning",
+ "version": 104
+ },
+ "id": "17e68559-b274-4948-ad0b-f8415bb31126_104",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/192657ba-ab0e-4901-89a2-911d611eee98_2.json b/packages/security_detection_engine/kibana/security_rule/192657ba-ab0e-4901-89a2-911d611eee98_2.json
new file mode 100644
index 00000000000..f49a7251f26
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/192657ba-ab0e-4901-89a2-911d611eee98_2.json
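Review bot: The `tags` list has no `Domain:` or `OS:` entry, whereas every other rule in this patch carries `Domain: Endpoint` plus an `OS:` tag; if the rule is platform-agnostic that is fine, but a `Domain:` tag is still needed for the dashboards and filters that key on it. `related_integrations` names `auditd_manager` and `endpoint`, yet the job id `packetbeat_rare_server_domain` and the description both concern network destination domains, and the `Rule Specific Setup Note` says no audit rules are required — it is not clear from the text which destination-domain events Auditd Manager would feed to the job, so that pairing deserves confirmation or a sentence explaining it. `machine_learning_job_id` is a bare string here but an array in the Windows ML rules above; one shape should be used throughout.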
@@ -0,0 +1,166 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule leverages the File Integrity Monitoring (FIM) integration to detect file modifications of files that are commonly used for persistence on Linux systems. The rule detects modifications to files that are commonly used for cron jobs, systemd services, message-of-the-day (MOTD), SSH configurations, shell configurations, runtime control, init daemon, passwd/sudoers/shadow files, Systemd udevd, and XDG/KDE autostart entries. To leverage this rule, the paths specified in the query need to be added to the FIM policy in the Elastic Security app.", + "from": "now-9m", + "index": [ + "logs-fim.event-*", + "auditbeat-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Persistence via File Modification", + "query": "file where host.os.type == \"linux\" and event.dataset == \"fim.event\" and event.action == \"updated\" and\nfile.path : (\n // cron, anacron & at\n \"/etc/cron.d/*\", \"/etc/cron.daily/*\", \"/etc/cron.hourly/*\", \"/etc/cron.monthly/*\",\n \"/etc/cron.weekly/*\", \"/etc/crontab\", \"/var/spool/cron/crontabs/*\", \"/etc/cron.allow\",\n \"/etc/cron.deny\", \"/var/spool/anacron/*\", \"/var/spool/cron/atjobs/*\",\n\n // systemd services & timers\n \"/etc/systemd/system/*\", \"/usr/local/lib/systemd/system/*\", \"/lib/systemd/system/*\",\n \"/usr/lib/systemd/system/*\", \"/home/*/.config/systemd/user/*\", \"/home/*/.local/share/systemd/user/*\",\n \"/root/.config/systemd/user/*\", \"/root/.local/share/systemd/user/*\",\n\n // LD_PRELOAD\n \"/etc/ld.so.preload\", \"/etc/ld.so.conf.d/*\", \"/etc/ld.so.conf\",\n\n // message-of-the-day (MOTD)\n \"/etc/update-motd.d/*\",\n\n // SSH\n \"/home/*/.ssh/*\", \"/root/.ssh/*\", \"/etc/ssh/*\",\n\n // system-wide shell configurations\n \"/etc/profile\", \"/etc/profile.d/*\", \"/etc/bash.bashrc\", \"/etc/zsh/*\", \"/etc/csh.cshrc\",\n \"/etc/csh.login\", \"/etc/fish/config.fish\", 
\"/etc/ksh.kshrc\",\n\n // root and user shell configurations\n \"/home/*/.profile\", \"/home/*/.bashrc\", \"/home/*/.bash_login\", \"/home/*/.bash_logout\",\n \"/root/.profile\", \"/root/.bashrc\", \"/root/.bash_login\", \"/root/.bash_logout\",\n \"/home/*/.zprofile\", \"/home/*/.zshrc\", \"/root/.zprofile\", \"/root/.zshrc\",\n \"/home/*/.cshrc\", \"/home/*/.login\", \"/home/*/.logout\", \"/root/.cshrc\", \"/root/.login\", \"/root/.logout\",\n \"/home/*/.config/fish/config.fish\", \"/root/.config/fish/config.fish\",\n \"/home/*/.kshrc\", \"/root/.kshrc\",\n\n // runtime control\n \"/etc/rc.common\", \"/etc/rc.local\",\n\n // init daemon\n \"/etc/init.d/*\",\n\n // passwd/sudoers/shadow\n \"/etc/passwd\", \"/etc/shadow\", \"/etc/sudoers\", \"/etc/sudoers.d/*\",\n\n // Systemd udevd\n \"/lib/udev/*\", \"/etc/udev/rules.d/*\", \"/usr/lib/udev/rules.d/*\", \"/run/udev/rules.d/*\",\n\n // XDG/KDE autostart entries\n \"/home/*/.config/autostart/*\", \"/root/.config/autostart/*\", \"/etc/xdg/autostart/*\", \"/usr/share/autostart/*\",\n \"/home/*/.kde/Autostart/*\", \"/root/.kde/Autostart/*\",\n \"/home/*/.kde4/Autostart/*\", \"/root/.kde4/Autostart/*\",\n \"/home/*/.kde/share/autostart/*\", \"/root/.kde/share/autostart/*\",\n \"/home/*/.kde4/share/autostart/*\", \"/root/.kde4/share/autostart/*\",\n \"/home/*/.local/share/autostart/*\", \"/root/.local/share/autostart/*\",\n \"/home/*/.config/autostart-scripts/*\", \"/root/.config/autostart-scripts/*\"\n) and not (\n file.path : (\n \"/var/spool/cron/crontabs/tmp.*\", \"/run/udev/rules.d/*rules.*\", \"/home/*/.ssh/known_hosts.*\", \"/root/.ssh/known_hosts.*\"\n ) or\n file.extension in (\"dpkg-new\", \"dpkg-remove\", \"SEQ\")\n)\n", + "related_integrations": [ + { + "package": "fim", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", 
+ "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "192657ba-ab0e-4901-89a2-911d611eee98", + "setup": "## Setup\n\nThis rule requires data coming in from the Elastic File Integrity Monitoring (FIM) integration.\n\n### Elastic FIM Integration Setup\nTo configure the Elastic FIM integration, follow these steps:\n\n1. Install and configure the Elastic Agent on your Linux system. You can refer to the [Elastic Agent documentation](https://www.elastic.co/guide/en/fleet/current/elastic-agent-installation.html) for detailed instructions.\n2. Once the Elastic Agent is installed, navigate to the Elastic Security app in Kibana.\n3. In the Kibana home page, click on \"Integrations\" in the left sidebar.\n4. Search for \"File Integrity Monitoring\" in the search bar and select the integration.\n5. Provide a name and optional description for the integration.\n6. Select the appropriate agent policy for your Linux system or create a new one.\n7. Configure the FIM policy by specifying the paths that you want to monitor for file modifications. You can use the same paths mentioned in the `query` field of the rule. Note that FIM does not accept wildcards in the paths, so you need to specify the exact paths you want to monitor.\n8. 
Save the configuration and the Elastic Agent will start monitoring the specified paths for file modifications.\n\nFor more details on configuring the Elastic FIM integration, you can refer to the [Elastic FIM documentation](https://docs.elastic.co/integrations/fim).\n",
+ "severity": "low",
+ "tags": [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Tactic: Privilege Escalation",
+ "Data Source: File Integrity Monitoring"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0003",
+ "name": "Persistence",
+ "reference": "https://attack.mitre.org/tactics/TA0003/"
+ },
+ "technique": [
+ {
+ "id": "T1037",
+ "name": "Boot or Logon Initialization Scripts",
+ "reference": "https://attack.mitre.org/techniques/T1037/",
+ "subtechnique": [
+ {
+ "id": "T1037.004",
+ "name": "RC Scripts",
+ "reference": "https://attack.mitre.org/techniques/T1037/004/"
+ }
+ ]
+ },
+ {
+ "id": "T1543",
+ "name": "Create or Modify System Process",
+ "reference": "https://attack.mitre.org/techniques/T1543/",
+ "subtechnique": [
+ {
+ "id": "T1543.002",
+ "name": "Systemd Service",
+ "reference": "https://attack.mitre.org/techniques/T1543/002/"
+ }
+ ]
+ },
+ {
+ "id": "T1556",
+ "name": "Modify Authentication Process",
+ "reference": "https://attack.mitre.org/techniques/T1556/"
+ },
+ {
+ "id": "T1574",
+ "name": "Hijack Execution Flow",
+ "reference": "https://attack.mitre.org/techniques/T1574/",
+ "subtechnique": [
+ {
+ "id": "T1574.006",
+ "name": "Dynamic Linker Hijacking",
+ "reference": "https://attack.mitre.org/techniques/T1574/006/"
+ }
+ ]
+ },
+ {
+ "id": "T1136",
+ "name": "Create Account",
+ "reference": "https://attack.mitre.org/techniques/T1136/",
+ "subtechnique": [
+ {
+ "id": "T1136.001",
+ "name": "Local Account",
+ "reference": "https://attack.mitre.org/techniques/T1136/001/"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0004",
+ "name": "Privilege Escalation",
+ 
"reference": "https://attack.mitre.org/tactics/TA0004/"
+ },
+ "technique": [
+ {
+ "id": "T1053",
+ "name": "Scheduled Task/Job",
+ "reference": "https://attack.mitre.org/techniques/T1053/",
+ "subtechnique": [
+ {
+ "id": "T1053.003",
+ "name": "Cron",
+ "reference": "https://attack.mitre.org/techniques/T1053/003/"
+ }
+ ]
+ },
+ {
+ "id": "T1548",
+ "name": "Abuse Elevation Control Mechanism",
+ "reference": "https://attack.mitre.org/techniques/T1548/",
+ "subtechnique": [
+ {
+ "id": "T1548.003",
+ "name": "Sudo and Sudo Caching",
+ "reference": "https://attack.mitre.org/techniques/T1548/003/"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "eql",
+ "version": 2
+ },
+ "id": "192657ba-ab0e-4901-89a2-911d611eee98_2",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/19de8096-e2b0-4bd8-80c9-34a820813fff_209.json b/packages/security_detection_engine/kibana/security_rule/19de8096-e2b0-4bd8-80c9-34a820813fff_209.json
new file mode 100644
index 00000000000..53e386f6a1b
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/19de8096-e2b0-4bd8-80c9-34a820813fff_209.json
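Review bot: The `query` matches only `event.action == "updated"`, so a persistence artifact that arrives as a brand-new file under one of the monitored directories (a new unit under `/etc/systemd/system/`, a new `/etc/cron.d/` entry, a new `/etc/sudoers.d/` fragment) will not fire if the FIM integration reports it under a creation action rather than an update; confirm the action values the integration emits and, if a separate creation value exists, widen the condition along the lines of `event.action in ("updated", "created")` (exact value to be confirmed) or point to the sibling rule that covers creation. Separately, `index` includes `auditbeat-*` while the query pins `event.dataset == "fim.event"`; if Auditbeat's file-integrity events carry a different dataset name the second pattern never contributes hits, so it should either be dropped or the dataset check broadened. The `setup` text rightly warns that FIM policy paths do not accept wildcards, but the query is written entirely in wildcard paths, so adopters must expand them by hand; listing the concrete directories to add to the policy, rather than referring them back to the `query`, would close that gap.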
@@ -0,0 +1,43 @@ +{ + "attributes": { + "anomaly_threshold": 50, + "author": [ + "Elastic" + ], + "description": "A machine learning job detected an unusual error in a CloudTrail message. These can be byproducts of attempted or successful persistence, privilege escalation, defense evasion, discovery, lateral movement, or collection.", + "false_positives": [ + "Rare and unusual errors may indicate an impending service failure state. Rare and unusual user error activity can also be due to manual troubleshooting or reconfiguration attempts by insufficiently privileged users, bugs in cloud automation scripts or workflows, or changes to IAM privileges." + ], + "from": "now-2h", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": "rare_error_code", + "name": "Rare AWS Error Code", + "note": "## Triage and analysis\n\n### Investigating Rare AWS Error Code\n\nCloudTrail logging provides visibility on actions taken within an AWS environment. By monitoring these events and understanding what is considered normal behavior within an organization, you can spot suspicious or malicious activity when deviations occur.\n\nThis rule uses a machine learning job to detect an unusual error in a CloudTrail message. This can be byproducts of attempted or successful persistence, privilege escalation, defense evasion, discovery, lateral movement, or collection.\n\nDetection alerts from this rule indicate a rare and unusual error code that was associated with the response to an AWS API command or method call.\n\n#### Possible investigation steps\n\n- Examine the history of the error. If the error only manifested recently, it might be related to recent changes in an automation module or script. 
You can find the error in the `aws.cloudtrail.error_code field` field.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, or network administrator activity.\n- Examine the request parameters. These may indicate the source of the program or the nature of the task being performed when the error occurred.\n - Check whether the error is related to unsuccessful attempts to enumerate or access objects, data, or secrets.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the calling user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- Consider the time of day. If the user is a human (not a program or script), did the activity take place during a normal time of day?\n- Contact the account owner and confirm whether they are aware of this activity if suspicious.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- Examine the history of the command. If the command only manifested recently, it might be part of a new automation module or script. If it has a consistent cadence (for example, it appears in small numbers on a weekly or monthly cadence), it might be part of a housekeeping or maintenance process. 
You can find the command in the `event.action field` field.\n- The adoption of new services or the addition of new functionality to scripts may generate false positives.\n\n### Related Rules\n\n- Unusual City For an AWS Command - 809b70d3-e2c3-455e-af1b-2626a5a1a276\n- Unusual Country For an AWS Command - dca28dee-c999-400f-b640-50a081cc0fd1\n- Unusual AWS Command for a User - ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1\n- Spike in AWS Error Messages - 78d3d8d9-b476-451d-a9e0-7a5addd70670\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" + ], + "related_integrations": [ + { + "package": "aws", + "version": "^2.0.0" + } + ], + "risk_score": 21, + "rule_id": "19de8096-e2b0-4bd8-80c9-34a820813fff", + "setup": "## Setup\n\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from AWS.\n\n### Anomaly Detection Setup\n\nOnce the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \"Definition\" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. 
For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\n\n### AWS Integration Setup\nThe AWS integration allows you to collect logs and metrics from Amazon Web Services (AWS) with Elastic Agent.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"aws\" to your system:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cAWS\u201d and select the integration to see more details about it.\n- Click \u201cAdd AWS\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201caws\u201d to an existing or a new agent policy, and deploy the agent on your system from which aws log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://www.elastic.co/docs/current/integrations/aws).\n",
+ "severity": "low",
+ "tags": [
+ "Domain: Cloud",
+ "Data Source: AWS",
+ "Data Source: Amazon Web Services",
+ "Rule Type: ML",
+ "Rule Type: Machine Learning",
+ "Resources: Investigation Guide"
+ ],
+ "type": "machine_learning",
+ "version": 209
+ },
+ "id": "19de8096-e2b0-4bd8-80c9-34a820813fff_209",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/1e9fc667-9ff1-4b33-9f40-fefca8537eb0_104.json b/packages/security_detection_engine/kibana/security_rule/1e9fc667-9ff1-4b33-9f40-fefca8537eb0_104.json
new file mode 100644
index 00000000000..fc388ca8351
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/1e9fc667-9ff1-4b33-9f40-fefca8537eb0_104.json
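Review bot: Two investigation steps in `note` put the word "field" inside the code span and then repeat it — they read "`aws.cloudtrail.error_code field` field" and "`event.action field` field" — which suggests a field named that way; the intended wording is "`aws.cloudtrail.error_code` field" and "`event.action` field". Separately, `machine_learning_job_id` is a bare string here (`"rare_error_code"`) while the other ML rules added in this series wrap it in an array (`["v3_linux_rare_sudo_user"]`); both shapes appear to be accepted by Kibana, but using one shape across the package keeps the rule files uniform to lint and diff.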
@@ -0,0 +1,77 @@ +{ + "attributes": { + "anomaly_threshold": 75, + "author": [ + "Elastic" + ], + "description": "Looks for sudo activity from an unusual user context. An unusual sudo user could be due to troubleshooting activity or it could be a sign of credentialed access via compromised accounts.", + "false_positives": [ + "Uncommon sudo activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration." + ], + "from": "now-45m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": [ + "v3_linux_rare_sudo_user" + ], + "name": "Unusual Sudo Activity", + "related_integrations": [ + { + "package": "auditd_manager", + "version": "^1.0.0" + }, + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "risk_score": 21, + "rule_id": "1e9fc667-9ff1-4b33-9f40-fefca8537eb0", + "setup": "## Setup\n\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:\n- Elastic Defend\n- Auditd Manager\n\n### Anomaly Detection Setup\n\nOnce the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \"Definition\" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration to your system:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditd Manager Integration Setup\nThe Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.\nAuditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"auditd_manager\" to your system:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cAuditd Manager\u201d and select the integration to see more details about it.\n- Click \u201cAdd Auditd Manager\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cauditd manager\u201d to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).\n\n#### Rule Specific Setup Note\nAuditd Manager subscribes to the kernel and 
receives events as they occur without any additional configuration.\nHowever, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n- For this detection rule no additional audit rules are required.\n",
+ "severity": "low",
+ "tags": [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Rule Type: ML",
+ "Rule Type: Machine Learning",
+ "Tactic: Privilege Escalation"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0005",
+ "name": "Defense Evasion",
+ "reference": "https://attack.mitre.org/tactics/TA0005/"
+ },
+ "technique": [
+ {
+ "id": "T1548",
+ "name": "Abuse Elevation Control Mechanism",
+ "reference": "https://attack.mitre.org/techniques/T1548/"
+ }
+ ]
+ },
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0004",
+ "name": "Privilege Escalation",
+ "reference": "https://attack.mitre.org/tactics/TA0004/"
+ },
+ "technique": [
+ {
+ "id": "T1548",
+ "name": "Abuse Elevation Control Mechanism",
+ "reference": "https://attack.mitre.org/techniques/T1548/"
+ }
+ ]
+ }
+ ],
+ "type": "machine_learning",
+ "version": 104
+ },
+ "id": "1e9fc667-9ff1-4b33-9f40-fefca8537eb0_104",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/1faec04b-d902-4f89-8aff-92cd9043c16f_104.json b/packages/security_detection_engine/kibana/security_rule/1faec04b-d902-4f89-8aff-92cd9043c16f_104.json
new file mode 100644
index 00000000000..ac8c438999e
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/1faec04b-d902-4f89-8aff-92cd9043c16f_104.json
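Review bot: `tags` lists only "Tactic: Privilege Escalation", but the `threat` array maps this rule to both TA0005 Defense Evasion and TA0004 Privilege Escalation, so tag-based filtering in Kibana will not surface it under Defense Evasion; add `"Tactic: Defense Evasion"` to `tags` or drop the TA0005 entry so the two agree. This rule and the metadata-service rule in the next hunk (1faec04b-d902-4f89-8aff-92cd9043c16f_104) also ship without a `note` investigation guide, whereas the CloudTrail ML rule above carries one together with the "Resources: Investigation Guide" tag; a short triage section naming the fields an analyst should pivot on (the user and host of the flagged sudo or metadata-service event, and the job's anomaly score) would make these alerts actionable. If omitting the guide for these ML rules is deliberate, that is worth stating in the package README so the gap is not read as an oversight.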
@@ -0,0 +1,69 @@ +{ + "attributes": { + "anomaly_threshold": 75, + "author": [ + "Elastic" + ], + "description": "Looks for anomalous access to the cloud platform metadata service by an unusual user. The metadata service may be targeted in order to harvest credentials or user data scripts containing secrets.", + "false_positives": [ + "A newly installed program, or one that runs under a new or rarely used user context, could trigger this detection rule. Manual interrogation of the metadata service during debugging or troubleshooting could trigger this rule." + ], + "from": "now-45m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": [ + "v3_linux_rare_metadata_user" + ], + "name": "Unusual Linux User Calling the Metadata Service", + "related_integrations": [ + { + "package": "auditd_manager", + "version": "^1.0.0" + }, + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "risk_score": 21, + "rule_id": "1faec04b-d902-4f89-8aff-92cd9043c16f", + "setup": "## Setup\n\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:\n- Elastic Defend\n- Auditd Manager\n\n### Anomaly Detection Setup\n\nOnce the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \"Definition\" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration to your system:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditd Manager Integration Setup\nThe Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.\nAuditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"auditd_manager\" to your system:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cAuditd Manager\u201d and select the integration to see more details about it.\n- Click \u201cAdd Auditd Manager\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cauditd manager\u201d to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).\n\n#### Rule Specific Setup Note\nAuditd Manager subscribes to the kernel and 
receives events as they occur without any additional configuration.\nHowever, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n- For this detection rule no additional audit rules are required.\n",
+ "severity": "low",
+ "tags": [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Rule Type: ML",
+ "Rule Type: Machine Learning",
+ "Tactic: Credential Access"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0006",
+ "name": "Credential Access",
+ "reference": "https://attack.mitre.org/tactics/TA0006/"
+ },
+ "technique": [
+ {
+ "id": "T1552",
+ "name": "Unsecured Credentials",
+ "reference": "https://attack.mitre.org/techniques/T1552/",
+ "subtechnique": [
+ {
+ "id": "T1552.005",
+ "name": "Cloud Instance Metadata API",
+ "reference": "https://attack.mitre.org/techniques/T1552/005/"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "type": "machine_learning",
+ "version": 104
+ },
+ "id": "1faec04b-d902-4f89-8aff-92cd9043c16f_104",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/23f18264-2d6d-11ef-9413-f661ea17fbce_1.json b/packages/security_detection_engine/kibana/security_rule/23f18264-2d6d-11ef-9413-f661ea17fbce_1.json
new file mode 100644
index 00000000000..d958fbc5fa5
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/23f18264-2d6d-11ef-9413-f661ea17fbce_1.json
@@ -0,0 +1,75 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects when an Okta client address has a certain threshold of Okta user authentication events with multiple device token hashes generated for single user authentication. Adversaries may attempt to launch a credential stuffing or password spraying attack from the same device by using a list of known usernames and passwords to gain unauthorized access to user accounts.", + "false_positives": [ + "Users may share an endpoint related to work or personal use in which separate Okta accounts are used.", + "Shared systems such as Kiosks and conference room computers may be used by multiple users." + ], + "from": "now-9m", + "language": "esql", + "license": "Elastic License v2", + "name": "High Number of Okta Device Token Cookies Generated for Authentication", + "note": "## Triage and analysis\n\n### Investigating High Number of Okta Device Token Cookies Generated for Authentication\n\nThis rule detects when a certain threshold of Okta user authentication events are reported for multiple users from the same client address. Adversaries may attempt to launch a credential stuffing attack from the same device by using a list of known usernames and passwords to gain unauthorized access to user accounts. 
Note that Okta does not log unrecognized usernames supplied during authentication attempts, so this rule may not detect all credential stuffing attempts or may indicate a targeted attack.\n\n#### Possible investigation steps:\n- Since this is an ES|QL rule, the `okta.actor.alternate_id` and `okta.client.ip` values can be used to pivot into the raw authentication events related to this activity.\n- Identify the users involved in this action by examining the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, and `okta.actor.display_name` fields.\n- Determine the device client used for these actions by analyzing `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.zone`, `okta.client.device`, and `okta.client.id` fields.\n- Review the `okta.security_context.is_proxy` field to determine if the device is a proxy.\n - If the device is a proxy, this may indicate that a user is using a proxy to access multiple accounts for password spraying.\n- With the list of `okta.actor.alternate_id` values, review `event.outcome` results to determine if the authentication was successful.\n - If the authentication was successful for any user, pivoting to `event.action` values for those users may provide additional context.\n- With Okta end users identified, review the `okta.debug_context.debug_data.dt_hash` field.\n - Historical analysis should indicate if this device token hash is commonly associated with the user.\n- Review the `okta.event_type` field to determine the type of authentication event that occurred.\n - If the event type is `user.authentication.sso`, the user may have legitimately started a session via a proxy for security or privacy reasons.\n - If the event type is `user.authentication.password`, the user may be using a proxy to access multiple accounts for password spraying.\n - If the event type is `user.session.start`, the source may have attempted to establish a session via the Okta authentication API.\n- Examine the 
`okta.outcome.result` field to determine if the authentication was successful.\n- Review the past activities of the actor(s) involved in this action by checking their previous actions.\n- Evaluate the actions that happened just before and after this event in the `okta.event_type` field to help understand the full context of the activity.\n - This may help determine the authentication and authorization actions that occurred between the user, Okta and application.\n\n### False positive analysis:\n- A user may have legitimately started a session via a proxy for security or privacy reasons.\n- Users may share an endpoint related to work or personal use in which separate Okta accounts are used.\n - Architecturally, this shared endpoint may leverage a proxy for security or privacy reasons.\n - Shared systems such as Kiosks and conference room computers may be used by multiple users.\n - Shared working spaces may have a single endpoint that is used by multiple users.\n\n### Response and remediation:\n- Review the profile of the users involved in this action to determine if proxy usage may be expected.\n- If the user is legitimate and the authentication behavior is not suspicious based on device analysis, no action is required.\n- If the user is legitimate but the authentication behavior is suspicious, consider resetting passwords for the users involves and enabling multi-factor authentication (MFA).\n - If MFA is already enabled, consider resetting MFA for the users.\n- If any of the users are not legitimate, consider deactivating the user's account.\n- Conduct a review of Okta policies and ensure they are in accordance with security best practices.\n- Check with internal IT teams to determine if the accounts involved recently had MFA reset at the request of the user.\n - If so, confirm with the user this was a legitimate request.\n - If so and this was not a legitimate request, consider deactivating the user's account temporarily.\n - Reset passwords and reset MFA for 
the user.\n- If this is a false positive, consider adding the `okta.debug_context.debug_data.dt_hash` field to the `exceptions` list in the rule.\n - This will prevent future occurrences of this event for this device from triggering the rule.\n - Alternatively adding `okta.client.ip` or a CIDR range to the `exceptions` list can prevent future occurrences of this event from triggering the rule.\n - This should be done with caution as it may prevent legitimate alerts from being generated.\n", + "query": "FROM logs-okta*\n| WHERE\n event.dataset == \"okta.system\"\n AND (event.action RLIKE \"user\\\\.authentication(.*)\" OR event.action == \"user.session.start\")\n AND okta.debug_context.debug_data.request_uri == \"/api/v1/authn\"\n AND okta.outcome.reason == \"INVALID_CREDENTIALS\"\n| STATS\n source_auth_count = COUNT_DISTINCT(okta.debug_context.debug_data.dt_hash)\n BY okta.client.ip, okta.actor.alternate_id\n| WHERE\n source_auth_count >= 30\n| SORT\n source_auth_count DESC\n", + "references": [ + "https://support.okta.com/help/s/article/How-does-the-Device-Token-work?language=en_US", + "https://developer.okta.com/docs/reference/api/event-types/", + "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", + "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection", + "https://www.okta.com/resources/whitepaper-how-adaptive-mfa-can-help-in-mitigating-brute-force-attacks/" + ], + "risk_score": 21, + "rule_id": "23f18264-2d6d-11ef-9413-f661ea17fbce", + "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Use Case: Identity and Access Audit", + "Data Source: Okta", + "Tactic: Credential Access" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + 
"id": "T1110",
+ "name": "Brute Force",
+ "reference": "https://attack.mitre.org/techniques/T1110/",
+ "subtechnique": [
+ {
+ "id": "T1110.003",
+ "name": "Password Spraying",
+ "reference": "https://attack.mitre.org/techniques/T1110/003/"
+ }
+ ]
+ },
+ {
+ "id": "T1110",
+ "name": "Brute Force",
+ "reference": "https://attack.mitre.org/techniques/T1110/",
+ "subtechnique": [
+ {
+ "id": "T1110.004",
+ "name": "Credential Stuffing",
+ "reference": "https://attack.mitre.org/techniques/T1110/004/"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "esql",
+ "version": 1
+ },
+ "id": "23f18264-2d6d-11ef-9413-f661ea17fbce_1",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/2e56e1bc-867a-11ee-b13e-f661ea17fbcd_101.json b/packages/security_detection_engine/kibana/security_rule/2e56e1bc-867a-11ee-b13e-f661ea17fbcd_101.json
new file mode 100644
index 00000000000..d2c28ecbbdb
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/2e56e1bc-867a-11ee-b13e-f661ea17fbcd_101.json
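Review bot: The opening sentence of `note` says the rule fires on authentication events "reported for multiple users from the same client address", but the ES|QL `query` groups `BY okta.client.ip, okta.actor.alternate_id` and counts distinct `okta.debug_context.debug_data.dt_hash` values, so an alert means many device token hashes for one user from one address — which is what `description` states; reword the note to match, e.g. `… reported for a single user from the same client address with 30 or more distinct device token hashes …`. The `threat` array also lists technique `T1110` twice, once per sub-technique; the shape used elsewhere in these rule files is a single `T1110` entry whose `subtechnique` array holds both T1110.003 and T1110.004, which keeps technique ids unique within a tactic. Note too that the query only selects `okta.outcome.reason == "INVALID_CREDENTIALS"`, so the investigation step about reviewing `event.outcome` for successful logins only applies after pivoting to the raw events for those `okta.actor.alternate_id` values, and the note would be clearer saying so.
```json
"technique": [
  {
    "id": "T1110",
    "name": "Brute Force",
    "reference": "https://attack.mitre.org/techniques/T1110/",
    "subtechnique": [
      {
        "id": "T1110.003",
        "name": "Password Spraying",
        "reference": "https://attack.mitre.org/techniques/T1110/003/"
      },
      {
        "id": "T1110.004",
        "name": "Credential Stuffing",
        "reference": "https://attack.mitre.org/techniques/T1110/004/"
      }
    ]
  }
]
```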
@@ -0,0 +1,60 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects when a specific Okta actor has multiple sessions started from different geolocations. Adversaries may attempt to launch an attack by using a list of known usernames and passwords to gain unauthorized access to user accounts from different locations.", + "from": "now-30m", + "interval": "15m", + "language": "esql", + "license": "Elastic License v2", + "name": "Okta User Sessions Started from Different Geolocations", + "note": "\n## Triage and analysis\n\n### Investigating Okta User Sessions Started from Different Geolocations\n\nThis rule detects when a specific Okta actor has multiple sessions started from different geolocations. Adversaries may attempt to launch an attack by using a list of known usernames and passwords to gain unauthorized access to user accounts from different locations.\n\n#### Possible investigation steps:\n- Since this is an ES|QL rule, the `okta.actor.alternate_id` and `okta.client.id` values can be used to pivot into the raw authentication events related to this alert.\n- Identify the users involved in this action by examining the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, and `okta.actor.display_name` fields.\n- Determine the device client used for these actions by analyzing `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.zone`, `okta.client.device`, and `okta.client.id` fields.\n- With Okta end users identified, review the `okta.debug_context.debug_data.dt_hash` field.\n - Historical analysis should indicate if this device token hash is commonly associated with the user.\n- Review the `okta.event_type` field to determine the type of authentication event that occurred.\n - If the event type is `user.authentication.sso`, the user may have legitimately started a session via a proxy for security or privacy reasons.\n - If the event type is `user.authentication.password`, the user may be using a proxy to 
access multiple accounts for password spraying.\n - If the event type is `user.session.start`, the source may have attempted to establish a session via the Okta authentication API.\n- Review the past activities of the actor(s) involved in this action by checking their previous actions.\n- Evaluate the actions that happened just before and after this event in the `okta.event_type` field to help understand the full context of the activity.\n - This may help determine the authentication and authorization actions that occurred between the user, Okta and application.\n\n### False positive analysis:\n- It is very rare that a legitimate user would have multiple sessions started from different geo-located countries in a short time frame.\n\n### Response and remediation:\n- If the user is legitimate and the authentication behavior is not suspicious based on device analysis, no action is required.\n- If the user is legitimate but the authentication behavior is suspicious, consider resetting passwords for the users involves and enabling multi-factor authentication (MFA).\n - If MFA is already enabled, consider resetting MFA for the users.\n- If any of the users are not legitimate, consider deactivating the user's account.\n- Conduct a review of Okta policies and ensure they are in accordance with security best practices.\n- Check with internal IT teams to determine if the accounts involved recently had MFA reset at the request of the user.\n - If so, confirm with the user this was a legitimate request.\n - If so and this was not a legitimate request, consider deactivating the user's account temporarily.\n - Reset passwords and reset MFA for the user.\n- If this is a false positive, consider adding the `okta.debug_context.debug_data.dt_hash` field to the `exceptions` list in the rule.\n - This will prevent future occurrences of this event for this device from triggering the rule.\n - Alternatively adding `okta.client.ip` or a CIDR range to the `exceptions` list can prevent 
future occurrences of this event from triggering the rule.\n - This should be done with caution as it may prevent legitimate alerts from being generated.\n", + "query": "FROM logs-okta*\n| WHERE\n event.dataset == \"okta.system\"\n AND (event.action RLIKE \"user\\\\.authentication(.*)\" OR event.action == \"user.session.start\")\n AND okta.security_context.is_proxy != true and okta.actor.id != \"unknown\"\n AND event.outcome == \"success\"\n| STATS\n geo_auth_counts = COUNT_DISTINCT(client.geo.country_name)\n BY okta.actor.id, okta.actor.alternate_id\n| WHERE\n geo_auth_counts >= 2\n", + "references": [ + "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", + "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", + "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection", + "https://www.rezonate.io/blog/okta-logs-decoded-unveiling-identity-threats-through-threat-hunting/" + ], + "risk_score": 47, + "rule_id": "2e56e1bc-867a-11ee-b13e-f661ea17fbcd", + "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n", + "severity": "medium", + "tags": [ + "Use Case: Identity and Access Audit", + "Data Source: Okta", + "Tactic: Initial Access" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/", + "subtechnique": [ + { + "id": "T1078.004", + "name": "Cloud Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "esql", + "version": 101 + }, + "id": "2e56e1bc-867a-11ee-b13e-f661ea17fbcd_101", + "type": "security-rule" +} \ No 
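Review bot: The `query` of this rule mixes keyword casing inside one WHERE clause, `AND okta.security_context.is_proxy != true and okta.actor.id != \"unknown\"`, while every other operator in the same query and in the sibling Okta rule is uppercase; both forms parse, but `AND okta.security_context.is_proxy != true AND okta.actor.id != \"unknown\"` keeps the rule set uniform. The investigation guide also carries a typo in the remediation section, "resetting passwords for the users involves" should read "users involved". Given `geo_auth_counts >= 2` over a `now-30m` window, the false-positive section's claim that this is "very rare" may understate VPN or mobile-roaming cases; consider stating the 30-minute window there so analysts can judge the hit against it.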
newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/35f86980-1fb1-4dff-b311-3be941549c8d_104.json b/packages/security_detection_engine/kibana/security_rule/35f86980-1fb1-4dff-b311-3be941549c8d_104.json
new file mode 100644
index 00000000000..72e7b13afe3
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/35f86980-1fb1-4dff-b311-3be941549c8d_104.json
@@ -0,0 +1,43 @@ +{ + "attributes": { + "anomaly_threshold": 75, + "author": [ + "Elastic" + ], + "description": "A machine learning job detected a rare destination country name in the network logs. This can be due to initial access, persistence, command-and-control, or exfiltration activity. For example, when a user clicks on a link in a phishing email or opens a malicious document, a request may be sent to download and run a payload from a server in a country which does not normally appear in network traffic or business work-flows. Malware instances and persistence mechanisms may communicate with command-and-control (C2) infrastructure in their country of origin, which may be an unusual destination country for the source network.", + "false_positives": [ + "Business workflows that occur very occasionally, and involve a business relationship with an organization in a country that does not routinely appear in network events, can trigger this alert. A new business workflow with an organization in a country with which no workflows previously existed may trigger this alert - although the model will learn that the new destination country is no longer anomalous as the activity becomes ongoing. Business travelers who roam to many countries for brief periods may trigger this alert." 
+ ], + "from": "now-30m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": "rare_destination_country", + "name": "Network Traffic to Rare Destination Country", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "network_traffic", + "version": "^1.1.0" + } + ], + "risk_score": 21, + "rule_id": "35f86980-1fb1-4dff-b311-3be941549c8d", + "setup": "## Setup\n\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:\n- Elastic Defend\n- Network Packet Capture\n\n### Anomaly Detection Setup\n\nOnce the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \"Definition\" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration to your system:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Network Packet Capture Integration Setup\nThe Network Packet Capture integration sniffs network packets on a host and dissects known protocols. Monitoring the network traffic is critical to gaining observability and securing your environment \u2014 ensuring high levels of performance and security. The Network Packet Capture integration captures the network traffic between your application servers, decodes common application layer protocols and records the interesting fields for each transaction.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"network_traffic\" to your system:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cNetwork Packet Capture\u201d and select the integration to see more details about it.\n- Click \u201cAdd Network Packet Capture\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cnetwork_traffic\u201d to an existing or a new agent policy, and deploy the agent on your system from which network log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/network_traffic).\n", + "severity": "low", + "tags": [ + "Use Case: Threat 
Detection", + "Rule Type: ML", + "Rule Type: Machine Learning" + ], + "type": "machine_learning", + "version": 104 + }, + "id": "35f86980-1fb1-4dff-b311-3be941549c8d_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3a657da0-1df2-11ef-a327-f661ea17fbcc_1.json b/packages/security_detection_engine/kibana/security_rule/3a657da0-1df2-11ef-a327-f661ea17fbcc_1.json new file mode 100644 index 00000000000..235840b0a19 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/3a657da0-1df2-11ef-a327-f661ea17fbcc_1.json 
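Review bot: The `tags` array carries two tags that say the same thing, `"Rule Type: ML"` and `"Rule Type: Machine Learning"`; the same pair appears in the 3c7e32e6 and 4330272b rule files in this patch, so either one is a leftover from a rename and should be dropped consistently across the three. Also note that `machine_learning_job_id` is a plain string here and in 4330272b but an array in 3c7e32e6; Kibana accepts both, but one shape across the package makes downstream tooling simpler. In the `setup` text the heading "add the Elastic Agent System integration \"network_traffic\"" looks copied from the System integration template and should name the Network Packet Capture integration instead.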
@@ -0,0 +1,97 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule is triggered when CVEs collected from the Rapid7 Threat Command Integration have a match against vulnerabilities that were found in the customer environment.", + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "disabled": false, + "key": "rapid7.tc.vulnerability.id", + "negate": true, + "type": "exists" + }, + "query": { + "exists": { + "field": "rapid7.tc.vulnerability.id" + } + } + } + ], + "from": "now-35m", + "index": [ + "auditbeat-*", + "endgame-*", + "filebeat-*", + "logs-*", + "packetbeat-*", + "winlogbeat-*" + ], + "interval": "30m", + "language": "kuery", + "license": "Elastic License v2", + "max_signals": 10000, + "name": "Rapid7 Threat Command CVEs Correlation", + "note": "## Triage and Analysis\n\n### Investigating Rapid7 Threat Command CVEs Correlation\n\nRapid7 Threat Command CVEs Correlation rule allows matching CVEs from user indices within the vulnerabilities collected from Rapid7 Threat Command integrations.\n\nThe matches will be based on the latest values of CVEs from the last 180 days. So it's essential to validate the data and review the results by investigating the associated activity to determine if it requires further investigation.\n\nIf a vulnerability matches a local observation, the following enriched fields will be generated to identify the vulnerability, field, and type matched.\n\n- `threat.indicator.matched.atomic` - this identifies the atomic vulnerability that matched the local observation\n- `threat.indicator.matched.field` - this identifies the vulnerability field that matched the local observation\n- `threat.indicator.matched.type` - this identifies the vulnerability type that matched the local observation\n\nAdditional investigation can be done by reviewing the source of the activity and considering the history of the vulnerability that was matched. 
This can help understand if the activity is related to legitimate behavior.\n\n- Investigation can be validated and reviewed based on the data that was matched and by viewing the source of that activity.\n- Consider the history of the vulnerability that was matched. Has it happened before? Is it happening on multiple machines? These kinds of questions can help understand if the activity is related to legitimate behavior.\n- Consider the user and their role within the company: is this something related to their job or work function?\n", + "query": "vulnerability.id : *\n", + "references": [ + "https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-threatintel.html", + "https://docs.elastic.co/integrations/ti_rapid7_threat_command" + ], + "related_integrations": [ + { + "package": "ti_rapid7_threat_command", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "vulnerability.id", + "type": "keyword" + } + ], + "risk_score": 99, + "rule_id": "3a657da0-1df2-11ef-a327-f661ea17fbcc", + "setup": "\n## Setup\n\nThis rule needs threat intelligence indicators to work.\nThreat intelligence indicators can be collected using an [Elastic Agent integration](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#agent-ti-integration),\nthe [Threat Intel module](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#ti-mod-integration),\nor a [custom integration](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#custom-ti-integration).\n\nMore information can be found [here](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html).\n\n## Max Signals\n\nThis rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. 
This is to ensure that it captures as many alerts as possible.\n\n**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher.\n\nTo make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly.\n\n**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects.\n", + "severity": "critical", + "tags": [ + "OS: Windows", + "Data Source: Elastic Endgame", + "Data Source: Windows", + "Data Source: Network", + "Data Source: Rapid7 Threat Command", + "Rule Type: Threat Match", + "Resources: Investigation Guide", + "Use Case: Vulnerability", + "Use Case: Asset Visibility", + "Use Case: Continuous Monitoring" + ], + "threat_index": [ + "logs-ti_rapid7_threat_command_latest.vulnerability" + ], + "threat_indicator_path": "rapid7.tc.vulnerability", + "threat_language": "kuery", + "threat_mapping": [ + { + "entries": [ + { + "field": "vulnerability.id", + "type": "mapping", + "value": "vulnerability.id" + } + ] + } + ], + "threat_query": "@timestamp >= \"now-30d/d\" and vulnerability.id : * and event.module: ti_rapid7_threat_command", + "timestamp_override": "event.ingested", + "type": "threat_match", + "version": 1 + }, + "id": "3a657da0-1df2-11ef-a327-f661ea17fbcc_1", + "type": "security-rule" +} \ No newline at end of file 
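Review bot: The investigation guide and the `threat_query` disagree on the lookback: the `note` says matches are "based on the latest values of CVEs from the last 180 days", but `threat_query` is `@timestamp >= \"now-30d/d\" and vulnerability.id : * and event.module: ti_rapid7_threat_command`, i.e. 30 days. One of the two should be corrected so analysts know which indicator window actually applies. Since a match here only means a CVE ID seen in the indicator feed also appears in local `vulnerability.id` data, not that exploitation occurred, the `note` would benefit from one sentence saying so, given `"severity": "critical"` and `"risk_score": 99` are applied to every hit. The `tags` list `"OS: Windows"` and `"Data Source: Windows"` while `index` includes `auditbeat-*` and `logs-*`, which presumably also carry non-Windows vulnerability records; confirm the tags are intentional.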
diff --git a/packages/security_detection_engine/kibana/security_rule/3c7e32e6-6104-46d9-a06e-da0f8b5795a0_104.json b/packages/security_detection_engine/kibana/security_rule/3c7e32e6-6104-46d9-a06e-da0f8b5795a0_104.json
new file mode 100644
index 00000000000..829408dfd88
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/3c7e32e6-6104-46d9-a06e-da0f8b5795a0_104.json
@@ -0,0 +1,47 @@ +{ + "attributes": { + "anomaly_threshold": 50, + "author": [ + "Elastic" + ], + "description": "Identifies unusual destination port activity that can indicate command-and-control, persistence mechanism, or data exfiltration activity. Rarely used destination port activity is generally unusual in Linux fleets, and can indicate unauthorized access or threat actor activity.", + "false_positives": [ + "A newly installed program or one that rarely uses the network could trigger this alert." + ], + "from": "now-45m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": [ + "v3_linux_anomalous_network_port_activity" + ], + "name": "Unusual Linux Network Port Activity", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" + ], + "related_integrations": [ + { + "package": "auditd_manager", + "version": "^1.0.0" + }, + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "risk_score": 21, + "rule_id": "3c7e32e6-6104-46d9-a06e-da0f8b5795a0", + "setup": "## Setup\n\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:\n- Elastic Defend\n- Auditd Manager\n\n### Anomaly Detection Setup\n\nOnce the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \"Definition\" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration to your system:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditd Manager Integration Setup\nThe Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.\nAuditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"auditd_manager\" to your system:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cAuditd Manager\u201d and select the integration to see more details about it.\n- Click \u201cAdd Auditd Manager\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cauditd manager\u201d to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).\n\n#### Rule Specific Setup Note\nAuditd Manager subscribes to the kernel and 
receives events as they occur without any additional configuration.\nHowever, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n- For this detection rule no additional audit rules are required.\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Rule Type: ML", + "Rule Type: Machine Learning" + ], + "type": "machine_learning", + "version": 104 + }, + "id": "3c7e32e6-6104-46d9-a06e-da0f8b5795a0_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/4330272b-9724-4bc6-a3ca-f1532b81e5c2_104.json b/packages/security_detection_engine/kibana/security_rule/4330272b-9724-4bc6-a3ca-f1532b81e5c2_104.json new file mode 100644 index 00000000000..3bc5a56c166 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/4330272b-9724-4bc6-a3ca-f1532b81e5c2_104.json 
@@ -0,0 +1,66 @@ +{ + "attributes": { + "anomaly_threshold": 50, + "author": [ + "Elastic" + ], + "description": "Identifies an unusually high number of authentication attempts.", + "false_positives": [ + "Security audits may trigger this alert. Conditions that generate bursts of failed logins, such as misconfigured applications or account lockouts could trigger this alert." + ], + "from": "now-45m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": "suspicious_login_activity", + "name": "Unusual Login Activity", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" + ], + "related_integrations": [ + { + "package": "auditd_manager", + "version": "^1.0.0" + }, + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "system", + "version": "^1.6.4" + } + ], + "risk_score": 21, + "rule_id": "4330272b-9724-4bc6-a3ca-f1532b81e5c2", + "setup": "## Setup\n\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:\n- Elastic Defend\n- Auditd Manager\n- System\n\n### Anomaly Detection Setup\n\nOnce the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \"Definition\" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration to your system:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditd Manager Integration Setup\nThe Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.\nAuditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"auditd_manager\" to your system:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cAuditd Manager\u201d and select the integration to see more details about it.\n- Click \u201cAdd Auditd Manager\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cauditd manager\u201d to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).\n\n#### Rule Specific Setup Note\nAuditd Manager subscribes to the kernel and 
receives events as they occur without any additional configuration.\nHowever, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n- For this detection rule no additional audit rules are required.\n\n### System Integration Setup\nThe System integration allows you to collect system logs and metrics from your servers with Elastic Agent.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"system\" to your system:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cSystem\u201d and select the integration to see more details about it.\n- Click \u201cAdd System\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201csystem\u201d to an existing or a new agent policy, and deploy the agent on your system from which system log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/system).\n", + "severity": "low", + "tags": [ + "Use Case: Identity and Access Audit", + "Use Case: Threat Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Credential Access" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1110", + "name": "Brute Force", + "reference": "https://attack.mitre.org/techniques/T1110/" + } + ] + } + ], + "type": "machine_learning", + "version": 104 + }, + "id": "4330272b-9724-4bc6-a3ca-f1532b81e5c2_104", + "type": "security-rule" +} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/445a342e-03fb-42d0-8656-0367eb2dead5_105.json b/packages/security_detection_engine/kibana/security_rule/445a342e-03fb-42d0-8656-0367eb2dead5_105.json
new file mode 100644
index 00000000000..177bd528359
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/445a342e-03fb-42d0-8656-0367eb2dead5_105.json
@@ -0,0 +1,95 @@ +{ + "attributes": { + "anomaly_threshold": 50, + "author": [ + "Elastic" + ], + "description": "Identifies processes started from atypical folders in the file system, which might indicate malware execution or persistence mechanisms. In corporate Windows environments, software installation is centrally managed and it is unusual for programs to be executed from user or temporary directories. Processes executed from these locations can denote that a user downloaded software directly from the Internet or a malicious script or macro executed malware.", + "false_positives": [ + "A new and unusual program or artifact download in the course of software upgrades, debugging, or troubleshooting could trigger this alert. Users downloading and running programs from unusual locations, such as temporary directories, browser caches, or profile paths could trigger this alert." + ], + "from": "now-45m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": [ + "v3_windows_anomalous_path_activity" + ], + "name": "Unusual Windows Path Activity", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "risk_score": 21, + "rule_id": "445a342e-03fb-42d0-8656-0367eb2dead5", + "setup": "## Setup\n\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:\n- Elastic Defend\n- Windows\n\n### Anomaly Detection Setup\n\nOnce the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \"Definition\" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. 
For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration to your system:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Windows Integration Setup\nThe Windows integration allows you to monitor the Windows OS, services, applications, and more.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"windows\" to your system:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cWindows\u201d and select the integration to see more details about it.\n- Click \u201cAdd Windows\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cwindows\u201d to an existing or a new agent policy, and deploy the agent on your system from which windows log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/windows).\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Persistence", + "Tactic: Execution" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1543", + "name": "Create or Modify System Process", + "reference": 
"https://attack.mitre.org/techniques/T1543/", + "subtechnique": [ + { + "id": "T1543.003", + "name": "Windows Service", + "reference": "https://attack.mitre.org/techniques/T1543/003/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1204", + "name": "User Execution", + "reference": "https://attack.mitre.org/techniques/T1204/", + "subtechnique": [ + { + "id": "T1204.002", + "name": "Malicious File", + "reference": "https://attack.mitre.org/techniques/T1204/002/" + } + ] + } + ] + } + ], + "type": "machine_learning", + "version": 105 + }, + "id": "445a342e-03fb-42d0-8656-0367eb2dead5_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/46f804f5-b289-43d6-a881-9387cf594f75_105.json b/packages/security_detection_engine/kibana/security_rule/46f804f5-b289-43d6-a881-9387cf594f75_105.json new file mode 100644 index 00000000000..1787b1ada6e --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/46f804f5-b289-43d6-a881-9387cf594f75_105.json 
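Review bot: This rule (445a342e, "Unusual Windows Path Activity") ships with no `note` field, so an analyst who receives the alert gets no triage or response guidance, while the sibling ML rules in this same commit (46f804f5, 52afbdc5) carry a full "## Triage and analysis" section. I would add a `note` that covers the obvious investigation steps for this job: check `process.executable` against the user-profile and temp paths named in the description, review the parent process chain, and check the file's prevalence and signer before isolating the host. The `threat` mapping to T1543.003 (Windows Service) also looks loosely tied to "processes started from atypical folders"; if the job does not specifically key on service binaries, that subtechnique may be worth re-checking, though I cannot see the ML job definition from here.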
@@ -0,0 +1,73 @@ +{ + "attributes": { + "anomaly_threshold": 50, + "author": [ + "Elastic" + ], + "description": "Identifies rare processes that do not usually run on individual hosts, which can indicate execution of unauthorized services, malware, or persistence mechanisms. Processes are considered rare when they only run occasionally as compared with other processes running on the host.", + "false_positives": [ + "A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert." + ], + "from": "now-45m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": [ + "v3_rare_process_by_host_linux" + ], + "name": "Unusual Process For a Linux Host", + "note": "## Triage and analysis\n\n### Investigating Unusual Process For a Linux Host\n\nSearching for abnormal Linux processes is a good methodology to find potentially malicious activity within a network. Understanding what is commonly run within an environment and developing baselines for legitimate activity can help uncover potential malware and suspicious behaviors.\n\nThis rule uses a machine learning job to detect a Linux process that is rare and unusual for an individual Linux host in your environment.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, and whether they are located in expected locations.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Consider the user as identified by the `user.name` field. 
Is this program part of an expected workflow for the user who ran this program on this host?\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Validate if the activity has a consistent cadence (for example, if it runs monthly or quarterly), as it could be part of a monthly or quarterly business process.\n- Examine the arguments and working directory of the process. These may provide indications as to the source of the program or the nature of the tasks it is performing.\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" + ], + "related_integrations": [ + { + "package": "auditd_manager", + "version": "^1.0.0" + }, + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "risk_score": 21, + "rule_id": "46f804f5-b289-43d6-a881-9387cf594f75", + "setup": "## Setup\n\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:\n- Elastic Defend\n- Auditd Manager\n\n### Anomaly Detection Setup\n\nOnce the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \"Definition\" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration to your system:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditd Manager Integration Setup\nThe Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.\nAuditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"auditd_manager\" to your system:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cAuditd Manager\u201d and select the integration to see more details about it.\n- Click \u201cAdd Auditd Manager\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cauditd manager\u201d to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).\n\n#### Rule Specific Setup Note\nAuditd Manager subscribes to the kernel and 
receives events as they occur without any additional configuration.\nHowever, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n- For this detection rule no additional audit rules are required.\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1543", + "name": "Create or Modify System Process", + "reference": "https://attack.mitre.org/techniques/T1543/", + "subtechnique": [ + { + "id": "T1543.002", + "name": "Systemd Service", + "reference": "https://attack.mitre.org/techniques/T1543/002/" + } + ] + } + ] + } + ], + "type": "machine_learning", + "version": 105 + }, + "id": "46f804f5-b289-43d6-a881-9387cf594f75_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/493834ca-f861-414c-8602-150d5505b777_102.json b/packages/security_detection_engine/kibana/security_rule/493834ca-f861-414c-8602-150d5505b777_102.json new file mode 100644 index 00000000000..d9f52184420 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/493834ca-f861-414c-8602-150d5505b777_102.json 
@@ -0,0 +1,74 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects when multiple hosts are using the same agent ID. This could occur in the event of an agent being taken over and used to inject illegitimate documents into an instance as an attempt to spoof events in order to masquerade actual activity to evade detection.", + "false_positives": [ + "This is meant to run only on datasources using Elastic Agent 7.14+ since versions prior to that will be missing the necessary field, resulting in false positives." + ], + "from": "now-9m", + "index": [ + "logs-*", + "metrics-*", + "traces-*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Agent Spoofing - Multiple Hosts Using Same Agent", + "query": "event.agent_id_status:* and not tags:forwarded\n", + "required_fields": [ + { + "ecs": true, + "name": "event.agent_id_status", + "type": "keyword" + }, + { + "ecs": true, + "name": "tags", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "493834ca-f861-414c-8602-150d5505b777", + "severity": "high", + "tags": [ + "Use Case: Threat Detection", + "Tactic: Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1036", + "name": "Masquerading", + "reference": "https://attack.mitre.org/techniques/T1036/" + } + ] + } + ], + "threshold": { + "cardinality": [ + { + "field": "host.id", + "value": 2 + } + ], + "field": [ + "agent.id" + ], + "value": 2 + }, + "timestamp_override": "event.ingested", + "type": "threshold", + "version": 102 + }, + "id": "493834ca-f861-414c-8602-150d5505b777_102", + "type": "security-rule" +} \ No newline at end of file 
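Review bot: The threshold in this rule fires at `host.id` cardinality >= 2 per `agent.id`, but the `false_positives` list does not mention the most common benign way that happens: a host whose `host.id` changes while its enrolled agent keeps the same `agent.id` (re-imaging, cloned VMs, a regenerated machine-id), which then lands as a high-severity (risk 73) alert. The query `event.agent_id_status:* and not tags:forwarded` also only excludes collector-forwarded data that is explicitly tagged `forwarded`; any data stream that populates `host.id` from the origin host but omits that tag will trip the threshold as well, which seems worth stating. I would add a `false_positives` entry such as `"A host whose host.id changes while its enrolled Elastic Agent keeps the same agent.id (re-imaging, cloned virtual machines, or a regenerated machine-id), or forwarded data that is not tagged 'forwarded', will exceed the host.id cardinality without any spoofing."` A short `note` pointing analysts at `event.agent_id_status` (values other than `verified` corroborate spoofing) would also help, since the rule has none.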
diff --git a/packages/security_detection_engine/kibana/security_rule/52afbdc5-db15-485e-bc24-f5707f820c4b_104.json b/packages/security_detection_engine/kibana/security_rule/52afbdc5-db15-485e-bc24-f5707f820c4b_104.json new file mode 100644 index 00000000000..e3ca4cad058 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/52afbdc5-db15-485e-bc24-f5707f820c4b_104.json 
@@ -0,0 +1,45 @@ +{ + "attributes": { + "anomaly_threshold": 50, + "author": [ + "Elastic" + ], + "description": "Identifies Linux processes that do not usually use the network but have unexpected network activity, which can indicate command-and-control, lateral movement, persistence, or data exfiltration activity. A process with unusual network activity can denote process exploitation or injection, where the process is used to run persistence mechanisms that allow a malicious actor remote access or control of the host, data exfiltration, and execution of unauthorized network applications.", + "from": "now-45m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": [ + "v3_linux_anomalous_network_activity" + ], + "name": "Unusual Linux Network Activity", + "note": "## Triage and analysis\n\n### Investigating Unusual Network Activity\nDetection alerts from this rule indicate the presence of network activity from a Linux process for which network activity is rare and unusual. Here are some possible avenues of investigation:\n- Consider the IP addresses and ports. Are these used by normal but infrequent network workflows? Are they expected or unexpected?\n- If the destination IP address is remote or external, does it associate with an expected domain, organization or geography? Note: avoid interacting directly with suspected malicious IP addresses.\n- Consider the user as identified by the username field. Is this network activity part of an expected workflow for the user who ran the program?\n- Examine the history of execution. If this process only manifested recently, it might be part of a new software package. If it has a consistent cadence (for example if it runs monthly or quarterly), it might be part of a monthly or quarterly business or maintenance process.\n- Examine the process arguments, title and working directory. 
These may provide indications as to the source of the program or the nature of the tasks it is performing.", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" + ], + "related_integrations": [ + { + "package": "auditd_manager", + "version": "^1.0.0" + }, + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "risk_score": 21, + "rule_id": "52afbdc5-db15-485e-bc24-f5707f820c4b", + "setup": "## Setup\n\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:\n- Elastic Defend\n- Auditd Manager\n\n### Anomaly Detection Setup\n\nOnce the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \"Definition\" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration to your system:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditd Manager Integration Setup\nThe Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.\nAuditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"auditd_manager\" to your system:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cAuditd Manager\u201d and select the integration to see more details about it.\n- Click \u201cAdd Auditd Manager\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cauditd manager\u201d to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).\n\n#### Rule Specific Setup Note\nAuditd Manager subscribes to the kernel and 
receives events as they occur without any additional configuration.\nHowever, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n- For this detection rule no additional audit rules are required.\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Rule Type: ML", + "Rule Type: Machine Learning" + ], + "type": "machine_learning", + "version": 104 + }, + "id": "52afbdc5-db15-485e-bc24-f5707f820c4b_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/57bfa0a9-37c0-44d6-b724-54bf16787492_1.json b/packages/security_detection_engine/kibana/security_rule/57bfa0a9-37c0-44d6-b724-54bf16787492_1.json new file mode 100644 index 00000000000..b181a682bcd --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/57bfa0a9-37c0-44d6-b724-54bf16787492_1.json 
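Review bot: This rule (52afbdc5, "Unusual Linux Network Activity") has no `threat` array and no `Tactic:` tag even though its description explicitly frames the behaviour as command-and-control, lateral movement, persistence and exfiltration; every other rule in this commit carries an ATT&CK mapping, so alerts from this one will not roll up by tactic in the Security app. I would add at least a Command and Control (TA0011) entry, and a Tactic tag to match, if that is the primary intent of the ML job. The rule also has no `false_positives` entry despite the note itself acknowledging "normal but infrequent network workflows" and new software packages; lifting that sentence into `false_positives` would make the expectation visible in the rule list. Minor: the `note` string ends without a trailing `\n`, unlike the other notes in this commit.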
@@ -0,0 +1,109 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies changes to the DNS Global Query Block List (GQBL), a security feature that prevents the resolution of certain DNS names often exploited in attacks like WPAD spoofing. Attackers with certain privileges, such as DNSAdmins, can modify or disable the GQBL, allowing exploitation of hosts running WPAD with default settings for privilege escalation and lateral movement.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.registry-*", + "logs-windows.sysmon_operational-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "DNS Global Query Block List Modified or Disabled", + "query": "registry where host.os.type == \"windows\" and event.type : \"change\" and\n(\n (registry.value : \"EnableGlobalQueryBlockList\" and registry.data.strings : (\"0\", \"0x00000000\")) or\n (registry.value : \"GlobalQueryBlockList\" and not registry.data.strings : \"wpad\")\n)\n", + "references": [ + "https://cube0x0.github.io/Pocing-Beyond-DA/", + "https://www.thehacker.recipes/ad/movement/mitm-and-coerced-authentications/wpad-spoofing", + "https://www.netspi.com/blog/technical-blog/network-penetration-testing/adidns-revisited/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.data.strings", + "type": "wildcard" + }, + { + "ecs": true, + "name": "registry.value", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "57bfa0a9-37c0-44d6-b724-54bf16787492", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + 
"framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1557", + "name": "Adversary-in-the-Middle", + "reference": "https://attack.mitre.org/techniques/T1557/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 + }, + "id": "57bfa0a9-37c0-44d6-b724-54bf16787492_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/59756272-1998-4b8c-be14-e287035c4d10_105.json b/packages/security_detection_engine/kibana/security_rule/59756272-1998-4b8c-be14-e287035c4d10_105.json new file mode 100644 index 00000000000..1bf6592d64b --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/59756272-1998-4b8c-be14-e287035c4d10_105.json 
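Review bot: The EQL query matches on `registry.value` names alone, with no `registry.path` constraint, so any value named `EnableGlobalQueryBlockList` or `GlobalQueryBlockList` written anywhere in the registry (e.g. a staged or exported copy under HKCU or a software key) will alert even though only the DNS Server parameters key is enforced by the service. If that key is confirmed as the sole location, scoping the first line to `registry where host.os.type == "windows" and event.type : "change" and registry.path : "HKLM\\SYSTEM\\*ControlSet*\\Services\\DNS\\Parameters\\*" and` would tighten it without losing the intended signal. Note also that `event.type : "change"` will not see the `GlobalQueryBlockList` value being deleted outright (an event.type of `deletion`); whether deletion falls back to the defaults or disables the list is worth confirming and, if the latter, covering. As a new version-1 rule it has no `note`; at minimum I would document that the change only takes effect when the DNS Server service restarts and that `not registry.data.strings : "wpad"` deliberately ignores edits that keep `wpad` but drop other entries such as `isatap`.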
@@ -0,0 +1,62 @@
+{
+ "attributes": {
+ "anomaly_threshold": 75,
+ "author": [
+ "Elastic"
+ ],
+ "description": "Looks for commands related to system user or owner discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used to engage in system owner or user discovery in order to identify currently active or primary users of a system. This may be a precursor to additional discovery, credential dumping or privilege elevation activity.",
+ "false_positives": [
+ "Uncommon user command activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration."
+ ],
+ "from": "now-45m",
+ "interval": "15m",
+ "license": "Elastic License v2",
+ "machine_learning_job_id": [
+ "v3_linux_system_user_discovery"
+ ],
+ "name": "Unusual Linux User Discovery Activity",
+ "related_integrations": [
+ {
+ "package": "auditd_manager",
+ "version": "^1.0.0"
+ },
+ {
+ "package": "endpoint",
+ "version": "^8.2.0"
+ }
+ ],
+ "risk_score": 21,
+ "rule_id": "59756272-1998-4b8c-be14-e287035c4d10",
+ "setup": "## Setup\n\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:\n- Elastic Defend\n- Auditd Manager\n\n### Anomaly Detection Setup\n\nOnce the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \"Definition\" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration to your system:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditd Manager Integration Setup\nThe Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.\nAuditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"auditd_manager\" to your system:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cAuditd Manager\u201d and select the integration to see more details about it.\n- Click \u201cAdd Auditd Manager\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cauditd manager\u201d to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).\n\n#### Rule Specific Setup Note\nAuditd Manager subscribes to the kernel and receives events as they occur without any additional configuration.\nHowever, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n- For this detection rule no additional audit rules are required.\n",
+ "severity": "low",
+ "tags": [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Rule Type: ML",
+ "Rule Type: Machine Learning",
+ "Tactic: Discovery"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0007",
+ "name": "Discovery",
+ "reference": "https://attack.mitre.org/tactics/TA0007/"
+ },
+ "technique": [
+ {
+ "id": "T1033",
+ "name": "System Owner/User Discovery",
+ "reference": "https://attack.mitre.org/techniques/T1033/"
+ }
+ ]
+ }
+ ],
+ "type": "machine_learning",
+ "version": 105
+ },
+ "id": "59756272-1998-4b8c-be14-e287035c4d10_105",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/5c983105-4681-46c3-9890-0c66d05e776b_104.json b/packages/security_detection_engine/kibana/security_rule/5c983105-4681-46c3-9890-0c66d05e776b_104.json
new file mode 100644
index 00000000000..39ebdb15b21
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/5c983105-4681-46c3-9890-0c66d05e776b_104.json
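Review bot: `tags` carries both `"Rule Type: ML"` and `"Rule Type: Machine Learning"`, which label the same property twice; the same pair appears in the 5c983105 (_104) and 647fc812 (_105) rules further down in this patch. If the duplication is a deliberate bridge while saved searches and dashboards move from one tag to the other, it is harmless, but nothing in the patch says so; otherwise keeping a single `Rule Type` tag per rule is the cleaner shape.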
@@ -0,0 +1,62 @@
+{
+ "attributes": {
+ "anomaly_threshold": 50,
+ "author": [
+ "Elastic"
+ ],
+ "description": "Looks for commands related to system process discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used by a threat actor to engage in system process discovery in order to increase their understanding of software applications running on a target host or network. This may be a precursor to selection of a persistence mechanism or a method of privilege elevation.",
+ "false_positives": [
+ "Uncommon user command activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration."
+ ],
+ "from": "now-45m",
+ "interval": "15m",
+ "license": "Elastic License v2",
+ "machine_learning_job_id": [
+ "v3_linux_system_process_discovery"
+ ],
+ "name": "Unusual Linux Process Discovery Activity",
+ "related_integrations": [
+ {
+ "package": "auditd_manager",
+ "version": "^1.0.0"
+ },
+ {
+ "package": "endpoint",
+ "version": "^8.2.0"
+ }
+ ],
+ "risk_score": 21,
+ "rule_id": "5c983105-4681-46c3-9890-0c66d05e776b",
+ "setup": "## Setup\n\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:\n- Elastic Defend\n- Auditd Manager\n\n### Anomaly Detection Setup\n\nOnce the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \"Definition\" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration to your system:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditd Manager Integration Setup\nThe Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.\nAuditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"auditd_manager\" to your system:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cAuditd Manager\u201d and select the integration to see more details about it.\n- Click \u201cAdd Auditd Manager\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cauditd manager\u201d to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).\n\n#### Rule Specific Setup Note\nAuditd Manager subscribes to the kernel and receives events as they occur without any additional configuration.\nHowever, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n- For this detection rule no additional audit rules are required.\n",
+ "severity": "low",
+ "tags": [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Rule Type: ML",
+ "Rule Type: Machine Learning",
+ "Tactic: Discovery"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0007",
+ "name": "Discovery",
+ "reference": "https://attack.mitre.org/tactics/TA0007/"
+ },
+ "technique": [
+ {
+ "id": "T1057",
+ "name": "Process Discovery",
+ "reference": "https://attack.mitre.org/techniques/T1057/"
+ }
+ ]
+ }
+ ],
+ "type": "machine_learning",
+ "version": 104
+ },
+ "id": "5c983105-4681-46c3-9890-0c66d05e776b_104",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/5d676480-9655-4507-adc6-4eec311efff8_1.json b/packages/security_detection_engine/kibana/security_rule/5d676480-9655-4507-adc6-4eec311efff8_1.json
new file mode 100644
index 00000000000..974654d5070
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/5d676480-9655-4507-adc6-4eec311efff8_1.json
@@ -0,0 +1,98 @@
+{
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Identifies unusual DLLs loaded by the DNS Server process, potentially indicating the abuse of the ServerLevelPluginDll functionality. This can lead to privilege escalation and remote code execution with SYSTEM privileges.",
+ "from": "now-9m",
+ "index": [
+ "logs-endpoint.events.library-*",
+ "logs-windows.sysmon_operational-*"
+ ],
+ "language": "eql",
+ "license": "Elastic License v2",
+ "name": "Unsigned DLL loaded by DNS Service",
+ "query": "any where host.os.type == \"windows\" and event.category : (\"library\", \"process\") and\n event.type : (\"start\", \"change\") and event.action : (\"load\", \"Image loaded*\") and\n process.executable : \"?:\\\\windows\\\\system32\\\\dns.exe\" and \n not ?dll.code_signature.trusted == true and\n not file.code_signature.status == \"Valid\"\n",
+ "references": [
+ "https://cube0x0.github.io/Pocing-Beyond-DA/",
+ "https://adsecurity.org/?p=4064",
+ "https://github.com/gtworek/PSBits/tree/master/ServerLevelPluginDll"
+ ],
+ "related_integrations": [
+ {
+ "package": "endpoint",
+ "version": "^8.2.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "dll.code_signature.trusted",
+ "type": "boolean"
+ },
+ {
+ "ecs": true,
+ "name": "event.action",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.category",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "file.code_signature.status",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "host.os.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.executable",
+ "type": "keyword"
+ }
+ ],
+ "risk_score": 47,
+ "rule_id": "5d676480-9655-4507-adc6-4eec311efff8",
+ "severity": "medium",
+ "tags": [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Privilege Escalation",
+ "Data Source: Elastic Defend",
+ "Data Source: Sysmon"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0004",
+ "name": "Privilege Escalation",
+ "reference": "https://attack.mitre.org/tactics/TA0004/"
+ },
+ "technique": [
+ {
+ "id": "T1068",
+ "name": "Exploitation for Privilege Escalation",
+ "reference": "https://attack.mitre.org/techniques/T1068/"
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "eql",
+ "version": 1
+ },
+ "id": "5d676480-9655-4507-adc6-4eec311efff8_1",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/647fc812-7996-4795-8869-9c4ea595fe88_105.json b/packages/security_detection_engine/kibana/security_rule/647fc812-7996-4795-8869-9c4ea595fe88_105.json
new file mode 100644
index 00000000000..9d29e67f791
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/647fc812-7996-4795-8869-9c4ea595fe88_105.json
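Review bot: `related_integrations` lists only `endpoint`, yet `index` includes `logs-windows.sysmon_operational-*` and `tags` carries `"Data Source: Sysmon"`; the DNS GQBL rule earlier in this patch declares the same Sysmon source with `{"package": "windows", "version": "^1.5.0"}`, so the same entry belongs here for consistency. The query also marks `?dll.code_signature.trusted` as optional but leaves `file.code_signature.status` unguarded; the two fields presumably come from different sources (Elastic Defend library events vs Sysmon image loads), so it is worth confirming that the unguarded field is mapped for at least one of the two index patterns, otherwise the rule will not compile. The trailing space in `dns.exe\" and \n` is cosmetic but will keep showing up in diffs.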
@@ -0,0 +1,74 @@
+{
+ "attributes": {
+ "anomaly_threshold": 50,
+ "author": [
+ "Elastic"
+ ],
+ "description": "Searches for rare processes running on multiple Linux hosts in an entire fleet or network. This reduces the detection of false positives since automated maintenance processes usually only run occasionally on a single machine but are common to all or many hosts in a fleet.",
+ "false_positives": [
+ "A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert."
+ ],
+ "from": "now-45m",
+ "interval": "15m",
+ "license": "Elastic License v2",
+ "machine_learning_job_id": [
+ "v3_linux_anomalous_process_all_hosts"
+ ],
+ "name": "Anomalous Process For a Linux Population",
+ "note": "## Triage and analysis\n\n### Investigating Anomalous Process For a Linux Population\n\nSearching for abnormal Linux processes is a good methodology to find potentially malicious activity within a network. Understanding what is commonly run within an environment and developing baselines for legitimate activity can help uncover potential malware and suspicious behaviors.\n\nThis rule uses a machine learning job to detect a Linux process that is rare and unusual for all of the monitored Linux hosts in your fleet.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, and whether they are located in expected locations.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Consider the user as identified by the `user.name` field. Is this program part of an expected workflow for the user who ran this program on this host?\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Validate if the activity has a consistent cadence (for example, if it runs monthly or quarterly), as it could be part of a monthly or quarterly business process.\n- Examine the arguments and working directory of the process. These may provide indications as to the source of the program or the nature of the tasks it is performing.\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n",
+ "references": [
+ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+ ],
+ "related_integrations": [
+ {
+ "package": "auditd_manager",
+ "version": "^1.0.0"
+ },
+ {
+ "package": "endpoint",
+ "version": "^8.2.0"
+ }
+ ],
+ "risk_score": 21,
+ "rule_id": "647fc812-7996-4795-8869-9c4ea595fe88",
+ "setup": "## Setup\n\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:\n- Elastic Defend\n- Auditd Manager\n\n### Anomaly Detection Setup\n\nOnce the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \"Definition\" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration to your system:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditd Manager Integration Setup\nThe Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.\nAuditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"auditd_manager\" to your system:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cAuditd Manager\u201d and select the integration to see more details about it.\n- Click \u201cAdd Auditd Manager\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cauditd manager\u201d to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).\n\n#### Rule Specific Setup Note\nAuditd Manager subscribes to the kernel and receives events as they occur without any additional configuration.\nHowever, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n- For this detection rule no additional audit rules are required.\n",
+ "severity": "low",
+ "tags": [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Rule Type: ML",
+ "Rule Type: Machine Learning",
+ "Tactic: Persistence",
+ "Resources: Investigation Guide"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0003",
+ "name": "Persistence",
+ "reference": "https://attack.mitre.org/tactics/TA0003/"
+ },
+ "technique": [
+ {
+ "id": "T1543",
+ "name": "Create or Modify System Process",
+ "reference": "https://attack.mitre.org/techniques/T1543/",
+ "subtechnique": [
+ {
+ "id": "T1543.003",
+ "name": "Windows Service",
+ "reference": "https://attack.mitre.org/techniques/T1543/003/"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "type": "machine_learning",
+ "version": 105
+ },
+ "id": "647fc812-7996-4795-8869-9c4ea595fe88_105",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/696015ef-718e-40ff-ac4a-cc2ba88dbeeb_1.json b/packages/security_detection_engine/kibana/security_rule/696015ef-718e-40ff-ac4a-cc2ba88dbeeb_1.json
new file mode 100644
index 00000000000..e182f223a9b
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/696015ef-718e-40ff-ac4a-cc2ba88dbeeb_1.json
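Review bot: The `threat` mapping attaches sub-technique `T1543.003` (`"Windows Service"`) to a rule tagged `"OS: Linux"` whose job is `v3_linux_anomalous_process_all_hosts`, so the ATT&CK annotation contradicts the rule's own scope. For Linux the sibling sub-technique T1543.002 (Systemd Service) is the fitting reference, or drop the `subtechnique` block and keep only `T1543` if the rule is not meant to be that specific. Since this is a version bump of an existing rule, the mismatch is presumably carried over from the previous version rather than introduced here, but the new file is the place to correct it.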
@@ -0,0 +1,87 @@
+{
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "An adversary with access to a set of compromised credentials may attempt to persist or escalate privileges by creating a new set of credentials for an existing user. This rule looks for use of the IAM `CreateAccessKey` API operation to create new programatic access keys for another IAM user.",
+ "false_positives": [
+ "While this can be normal behavior, it should be investigated to ensure validity. Verify whether the user identity should be using the IAM `CreateAccessKey` for the targeted user."
+ ],
+ "from": "now-10m",
+ "language": "esql",
+ "license": "Elastic License v2",
+ "name": "AWS IAM User Created Access Keys For Another User",
+ "note": "## Triage and analysis\n\n### Investigating AWS IAM User Created Access Keys For Another User\n\nAWS access keys created for IAM users or root user are long-term credentials that provide programatic access to AWS. \nWith access to the `iam:CreateAccessKey` permission, a set of compromised credentials could be used to create a new \nset of credentials for another user for privilege escalation or as a means of persistence. This rule uses [ES|QL](https://www.elastic.co/guide/en/security/master/rules-ui-create.html#create-esql-rule)\nto look for use of the `CreateAccessKey` operation where the user.name is different from the user.target.name.\n\n\n#### Possible investigation steps\n\n- Identify both related accounts and their role in the environment.\n- Review IAM permission policies for the user identities.\n- Identify the applications or users that should use these accounts.\n- Investigate other alerts associated with the accounts during the past 48 hours.\n- Investigate abnormal values in the `user_agent.original` field by comparing them with the intended and authorized usage and historical data. Suspicious user agent values include non-SDK, AWS CLI, custom user agents, etc.\n- Contact the account owners and confirm whether they are aware of this activity.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the calling user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n - Determine what other API calls were made by the user.\n - Assess whether this behavior is prevalent in the environment by looking for similar occurrences involving other users.\n\n### False positive analysis\n\n- False positives may occur due to the intended usage of the IAM `CreateAccessKey` operation. Verify the `aws.cloudtrail.user_identity.arn` should use this operation against the `user.target.name` account.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n - Rotate user credentials\n - Remove the newly created credentials from the affected user(s)\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. \n - Rotate secrets or delete API keys as needed to revoke the attacker's access to the environment. \n - Work with your IT teams to minimize the impact on business operations during these actions.\n- Remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n",
+ "query": "from logs-aws.cloudtrail-*\n| where event.provider == \"iam.amazonaws.com\" and event.action == \"CreateAccessKey\" and event.outcome == \"success\" and user.name != user.target.name\n",
+ "references": [
+ "https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/#iamcreateaccesskey",
+ "https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-persistence/aws-iam-persistence",
+ "https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud",
+ "https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateAccessKey.html"
+ ],
+ "risk_score": 47,
+ "rule_id": "696015ef-718e-40ff-ac4a-cc2ba88dbeeb",
+ "severity": "medium",
+ "tags": [
+ "Domain: Cloud",
+ "Data Source: AWS",
+ "Data Source: Amazon Web Services",
+ "Data Source: AWS IAM",
+ "Use Case: Identity and Access Audit",
+ "Tactic: Privilege Escalation",
+ "Tactic: Persistence",
+ "Resources: Investigation Guide"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0003",
+ "name": "Persistence",
+ "reference": "https://attack.mitre.org/tactics/TA0003/"
+ },
+ "technique": [
+ {
+ "id": "T1098",
+ "name": "Account Manipulation",
+ "reference": "https://attack.mitre.org/techniques/T1098/",
+ "subtechnique": [
+ {
+ "id": "T1098.001",
+ "name": "Additional Cloud Credentials",
+ "reference": "https://attack.mitre.org/techniques/T1098/001/"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0004",
+ "name": "Privilege Escalation",
+ "reference": "https://attack.mitre.org/tactics/TA0004/"
+ },
+ "technique": [
+ {
+ "id": "T1098",
+ "name": "Account Manipulation",
+ "reference": "https://attack.mitre.org/techniques/T1098/",
+ "subtechnique": [
+ {
+ "id": "T1098.001",
+ "name": "Additional Cloud Credentials",
+ "reference": "https://attack.mitre.org/techniques/T1098/001/"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "esql",
+ "version": 1
+ },
+ "id": "696015ef-718e-40ff-ac4a-cc2ba88dbeeb_1",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/6d448b96-c922-4adb-b51c-b767f1ea5b76_109.json b/packages/security_detection_engine/kibana/security_rule/6d448b96-c922-4adb-b51c-b767f1ea5b76_109.json
new file mode 100644
index 00000000000..87d4cfe3641
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/6d448b96-c922-4adb-b51c-b767f1ea5b76_109.json
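Review bot: `description` and `note` both spell `programatic`; it should be `programmatic` in both places. Unlike the other rules in this patch, this one declares no `related_integrations` even though the query is pinned to `logs-aws.cloudtrail-*`, so an `aws` package entry would keep the rule metadata consistent with its siblings. Note also that `user.name != user.target.name` evaluates to null, and therefore drops the event, whenever `user.target.name` is absent; that presumably excludes a principal creating keys for itself, which matches the rule name, but the `note` only says the two names are "different" and could state that self-created keys are intentionally out of scope.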
@@ -0,0 +1,74 @@ +{ + "attributes": { + "anomaly_threshold": 50, + "author": [ + "Elastic" + ], + "description": "Identifies rare processes that do not usually run on individual hosts, which can indicate execution of unauthorized services, malware, or persistence mechanisms. Processes are considered rare when they only run occasionally as compared with other processes running on the host.", + "false_positives": [ + "A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert." + ], + "from": "now-45m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": [ + "v3_rare_process_by_host_windows" + ], + "name": "Unusual Process For a Windows Host", + "note": "## Triage and analysis\n\n### Investigating Unusual Process For a Windows Host\n\nSearching for abnormal Windows processes is a good methodology to find potentially malicious activity within a network. Understanding what is commonly run within an environment and developing baselines for legitimate activity can help uncover potential malware and suspicious behaviors.\n\nThis rule uses a machine learning job to detect a Windows process that is rare and unusual for an individual Windows host in your environment.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - If the parent process is a legitimate system utility or service, this could be related to software updates or system management. 
If the parent process is something user-facing like an Office application, this process could be more suspicious.\n - Investigate the process metadata \u2014 such as the digital signature, directory, etc. \u2014 to obtain more context that can indicate whether the executable is associated with an expected software vendor or package.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Consider the user as identified by the `user.name` field. Is this program part of an expected workflow for the user who ran this program on this host?\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Validate if the activity has a consistent cadence (for example, if it runs monthly or quarterly), as it could be part of a monthly or quarterly business process.\n- Examine the arguments and working directory of the process. These may provide indications as to the source of the program or the nature of the tasks it is performing.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, 
display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Retrieve Service Unisgned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Related Rules\n\n- Unusual Process For a Windows Host - 6d448b96-c922-4adb-b51c-b767f1ea5b76\n- Unusual Windows Path Activity - 445a342e-03fb-42d0-8656-0367eb2dead5\n- Unusual Windows Process Calling the Metadata Service - abae61a8-c560-4dbd-acca-1e1438bff36b\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "risk_score": 21, + "rule_id": "6d448b96-c922-4adb-b51c-b767f1ea5b76", + "setup": "## Setup\n\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:\n- Elastic Defend\n- Windows\n\n### Anomaly Detection Setup\n\nOnce the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \"Definition\" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration to your system:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Windows Integration Setup\nThe Windows integration allows you to monitor the Windows OS, services, applications, and more.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"windows\" to your system:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cWindows\u201d and select the integration to see more details about it.\n- Click \u201cAdd Windows\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cwindows\u201d to an existing or a new agent policy, and deploy the agent on your system from which windows log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/windows).\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Persistence", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1543", + "name": "Create or Modify System Process", + "reference": 
"https://attack.mitre.org/techniques/T1543/",
+ "subtechnique": [
+ {
+ "id": "T1543.003",
+ "name": "Windows Service",
+ "reference": "https://attack.mitre.org/techniques/T1543/003/"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "type": "machine_learning",
+ "version": 109
+ },
+ "id": "6d448b96-c922-4adb-b51c-b767f1ea5b76_109",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/6e40d56f-5c0e-4ac6-aece-bee96645b172_106.json b/packages/security_detection_engine/kibana/security_rule/6e40d56f-5c0e-4ac6-aece-bee96645b172_106.json
new file mode 100644
index 00000000000..6716545ece2
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/6e40d56f-5c0e-4ac6-aece-bee96645b172_106.json
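Review bot: The last osquery label in this rule's `note` string is misspelled: `Retrieve Service Unisgned Executables with Virustotal Link` should read `Unsigned`, and this label is exactly what analysts see when the investigation guide renders the osquery plugin. The three preceding osquery entries in the same guide carry an `Osquery - ` prefix, so `Osquery - Retrieve Service Unsigned Executables with VirusTotal Link` would also bring the label in line with them. The identical misspelled label appears in the `note` of 6e40d56f-5c0e-4ac6-aece-bee96645b172_106.json later in this patch and should be fixed there as well.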
@@ -0,0 +1,89 @@ +{ + "attributes": { + "anomaly_threshold": 50, + "author": [ + "Elastic" + ], + "description": "Searches for rare processes running on multiple hosts in an entire fleet or network. This reduces the detection of false positives since automated maintenance processes usually only run occasionally on a single machine but are common to all or many hosts in a fleet.", + "false_positives": [ + "A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert." + ], + "from": "now-45m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": [ + "v3_windows_anomalous_process_all_hosts" + ], + "name": "Anomalous Process For a Windows Population", + "note": "## Triage and analysis\n\n### Investigating Anomalous Process For a Windows Population\n\nSearching for abnormal Windows processes is a good methodology to find potentially malicious activity within a network. Understanding what is commonly run within an environment and developing baselines for legitimate activity can help uncover potential malware and suspicious behaviors.\n\nThis rule uses a machine learning job to detect a Windows process that is rare and unusual for all of the monitored Windows hosts in your environment.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - If the parent process is a legitimate system utility or service, this could be related to software updates or system management. 
If the parent process is something user-facing like an Office application, this process could be more suspicious.\n - Investigate the process metadata \u2014 such as the digital signature, directory, etc. \u2014 to obtain more context that can indicate whether the executable is associated with an expected software vendor or package.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Consider the user as identified by the `user.name` field. Is this program part of an expected workflow for the user who ran this program on this host?\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Validate if the activity has a consistent cadence (for example, if it runs monthly or quarterly), as it could be part of a monthly or quarterly business process.\n- Examine the arguments and working directory of the process. These may provide indications as to the source of the program or the nature of the tasks it is performing.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, 
display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSyste' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Retrieve Service Unisgned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Related Rules\n\n- Unusual Process For a Windows Host - 6d448b96-c922-4adb-b51c-b767f1ea5b76\n- Unusual Windows Path Activity - 445a342e-03fb-42d0-8656-0367eb2dead5\n- Unusual Windows Process Calling the Metadata Service - abae61a8-c560-4dbd-acca-1e1438bff36b\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "risk_score": 21, + "rule_id": "6e40d56f-5c0e-4ac6-aece-bee96645b172", + "setup": "## Setup\n\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:\n- Elastic Defend\n- Windows\n\n### Anomaly Detection Setup\n\nOnce the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \"Definition\" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration to your system:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Windows Integration Setup\nThe Windows integration allows you to monitor the Windows OS, services, applications, and more.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"windows\" to your system:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cWindows\u201d and select the integration to see more details about it.\n- Click \u201cAdd Windows\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cwindows\u201d to an existing or a new agent policy, and deploy the agent on your system from which windows log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/windows).\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Persistence", + "Tactic: Execution" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1543", + "name": "Create or Modify System Process", + "reference": 
"https://attack.mitre.org/techniques/T1543/"
+ }
+ ]
+ },
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0002",
+ "name": "Execution",
+ "reference": "https://attack.mitre.org/tactics/TA0002/"
+ },
+ "technique": [
+ {
+ "id": "T1204",
+ "name": "User Execution",
+ "reference": "https://attack.mitre.org/techniques/T1204/",
+ "subtechnique": [
+ {
+ "id": "T1204.002",
+ "name": "Malicious File",
+ "reference": "https://attack.mitre.org/techniques/T1204/002/"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "type": "machine_learning",
+ "version": 106
+ },
+ "id": "6e40d56f-5c0e-4ac6-aece-bee96645b172_106",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/745b0119-0560-43ba-860a-7235dd8cee8d_105.json b/packages/security_detection_engine/kibana/security_rule/745b0119-0560-43ba-860a-7235dd8cee8d_105.json
new file mode 100644
index 00000000000..a8551cc3f41
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/745b0119-0560-43ba-860a-7235dd8cee8d_105.json
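Review bot: The `Osquery - Retrieve Services Running on User Accounts` query in this rule's `note` has `user_account LIKE '%LocalSyste'`, which no longer matches accounts ending in `LocalSystem`; because that pattern sits inside the surrounding `NOT (...)`, services running as LocalSystem are then listed as if they ran under user accounts, which defeats the purpose of the query. The sibling rule 6d448b96-c922-4adb-b51c-b767f1ea5b76_109.json spells the same clause `'%LocalSystem'`, so `user_account LIKE '%LocalSystem'` is the intended text here. Separately, the `tags` array omits `Resources: Investigation Guide` even though the rule carries a full investigation guide in `note`; the sibling rule with the same guide includes that tag, so its absence here looks like an oversight rather than a deliberate choice.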
@@ -0,0 +1,68 @@ +{ + "attributes": { + "anomaly_threshold": 75, + "author": [ + "Elastic" + ], + "description": "A machine learning job detected a user logging in at a time of day that is unusual for the user. This can be due to credentialed access via a compromised account when the user and the threat actor are in different time zones. In addition, unauthorized user activity often takes place during non-business hours.", + "false_positives": [ + "Users working late, or logging in from unusual time zones while traveling, may trigger this rule." + ], + "from": "now-30m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": "auth_rare_hour_for_a_user", + "name": "Unusual Hour for a User to Logon", + "note": "## Triage and analysis\n\n### Investigating Unusual Hour for a User to Logon\n\nThis rule uses a machine learning job to detect a user logging in at a time of day that is unusual for the user. This can be due to credentialed access via a compromised account when the user and the threat actor are in different time zones. It can also indicate unauthorized user activity, as it often occurs during non-business hours.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, network connections, data access, and logon events.\n- Investigate other alerts associated with the involved users during the past 48 hours.\n\n### False positive analysis\n\n- Users may need to log in during non-business hours to perform work-related tasks. 
Examine whether the company policies authorize this or if the activity is done under change management.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" + ], + "related_integrations": [ + { + "package": "auditd_manager", + "version": "^1.0.0" + }, + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "system", + "version": "^1.6.4" + } + ], + "risk_score": 21, + "rule_id": "745b0119-0560-43ba-860a-7235dd8cee8d", + "setup": "## Setup\n\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:\n- Elastic Defend\n- Auditd Manager\n- System\n\n### Anomaly Detection Setup\n\nOnce the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \"Definition\" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration to your system:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditd Manager Integration Setup\nThe Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.\nAuditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"auditd_manager\" to your system:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cAuditd Manager\u201d and select the integration to see more details about it.\n- Click \u201cAdd Auditd Manager\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cauditd manager\u201d to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).\n\n#### Rule Specific Setup Note\nAuditd Manager subscribes to the kernel and 
receives events as they occur without any additional configuration.\nHowever, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n- For this detection rule no additional audit rules are required.\n\n### System Integration Setup\nThe System integration allows you to collect system logs and metrics from your servers with Elastic Agent.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"system\" to your system:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cSystem\u201d and select the integration to see more details about it.\n- Click \u201cAdd System\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201csystem\u201d to an existing or a new agent policy, and deploy the agent on your system from which system log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/system).\n", + "severity": "low", + "tags": [ + "Use Case: Identity and Access Audit", + "Use Case: Threat Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Initial Access", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/" + } + ] + } + ], + "type": "machine_learning", + "version": 105 + }, + "id": "745b0119-0560-43ba-860a-7235dd8cee8d_105", + "type": "security-rule" +} \ No newline 
at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/746edc4c-c54c-49c6-97a1-651223819448_104.json b/packages/security_detection_engine/kibana/security_rule/746edc4c-c54c-49c6-97a1-651223819448_104.json new file mode 100644 index 00000000000..902c08c0f9b --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/746edc4c-c54c-49c6-97a1-651223819448_104.json 
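Review bot: `machine_learning_job_id` is written as a bare string, `"machine_learning_job_id": "auth_rare_hour_for_a_user"`, while the other machine-learning rules in this patch (6d448b96-c922-4adb-b51c-b767f1ea5b76_109.json and 6e40d56f-5c0e-4ac6-aece-bee96645b172_106.json) wrap the job id in an array. The rule schema presumably accepts both shapes, but a single shape across the package keeps any tooling that reads this field from having to special-case string versus array. `"machine_learning_job_id": ["auth_rare_hour_for_a_user"]` would align it with the sibling rules.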
@@ -0,0 +1,68 @@ +{ + "attributes": { + "anomaly_threshold": 50, + "author": [ + "Elastic" + ], + "description": "A machine learning job detected a rare and unusual DNS query that indicate network activity with unusual DNS domains. This can be due to initial access, persistence, command-and-control, or exfiltration activity. For example, when a user clicks on a link in a phishing email or opens a malicious document, a request may be sent to download and run a payload from an uncommon domain. When malware is already running, it may send requests to an uncommon DNS domain the malware uses for command-and-control communication.", + "false_positives": [ + "A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert. Network activity that occurs rarely, in small quantities, can trigger this alert. Possible examples are browsing technical support or vendor networks sparsely. A user who visits a new or unique web destination may trigger this alert." + ], + "from": "now-45m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": "packetbeat_rare_dns_question", + "name": "Unusual DNS Activity", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "network_traffic", + "version": "^1.1.0" + } + ], + "risk_score": 21, + "rule_id": "746edc4c-c54c-49c6-97a1-651223819448", + "setup": "## Setup\n\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:\n- Elastic Defend\n- Network Packet Capture\n\n### Anomaly Detection Setup\n\nOnce the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \"Definition\" panel of the detection rule. 
If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration to your system:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Network Packet Capture Integration Setup\nThe Network Packet Capture integration sniffs network packets on a host and dissects known protocols. Monitoring the network traffic is critical to gaining observability and securing your environment \u2014 ensuring high levels of performance and security. The Network Packet Capture integration captures the network traffic between your application servers, decodes common application layer protocols and records the interesting fields for each transaction.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"network_traffic\" to your system:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cNetwork Packet Capture\u201d and select the integration to see more details about it.\n- Click \u201cAdd Network Packet Capture\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cnetwork_traffic\u201d to an existing or a new agent policy, and deploy the agent on your system from which network log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/network_traffic).\n", + "severity": "low", + "tags": [ + "Use Case: Threat 
Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Command and Control" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1071", + "name": "Application Layer Protocol", + "reference": "https://attack.mitre.org/techniques/T1071/", + "subtechnique": [ + { + "id": "T1071.004", + "name": "DNS", + "reference": "https://attack.mitre.org/techniques/T1071/004/" + } + ] + } + ] + } + ], + "type": "machine_learning", + "version": 104 + }, + "id": "746edc4c-c54c-49c6-97a1-651223819448_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/78d3d8d9-b476-451d-a9e0-7a5addd70670_209.json b/packages/security_detection_engine/kibana/security_rule/78d3d8d9-b476-451d-a9e0-7a5addd70670_209.json new file mode 100644 index 00000000000..b34747a54e9 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/78d3d8d9-b476-451d-a9e0-7a5addd70670_209.json 
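Review bot: The `setup` string heads the Network Packet Capture steps with "The following steps should be executed in order to add the Elastic Agent System integration \"network_traffic\" to your system", a leftover of the System-integration template, and the same heading recurs with "aws" in the 78d3d8d9 and 809b70d3 hunks and with "network_traffic" again in the 91f02f01-969f-4167-8d77 hunk. Suggest `#### The following steps should be executed in order to add the Elastic Agent Network Packet Capture integration \"network_traffic\" to your system:` (and the analogous "AWS integration \"aws\"" wording in the two AWS rules). The `description` also reads "a rare and unusual DNS query that indicate network activity"; it should be `indicates`. If these files are exported from an upstream rules repository, the wording fix belongs there so the next export does not revert it.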
@@ -0,0 +1,43 @@ +{ + "attributes": { + "anomaly_threshold": 50, + "author": [ + "Elastic" + ], + "description": "A machine learning job detected a significant spike in the rate of a particular error in the CloudTrail messages. Spikes in error messages may accompany attempts at privilege escalation, lateral movement, or discovery.", + "false_positives": [ + "Spikes in error message activity can also be due to bugs in cloud automation scripts or workflows; changes to cloud automation scripts or workflows; adoption of new services; changes in the way services are used; or changes to IAM privileges." + ], + "from": "now-60m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": "high_distinct_count_error_message", + "name": "Spike in AWS Error Messages", + "note": "## Triage and analysis\n\n### Investigating Spike in AWS Error Messages\n\nCloudTrail logging provides visibility on actions taken within an AWS environment. By monitoring these events and understanding what is considered normal behavior within an organization, you can spot suspicious or malicious activity when deviations occur.\n\nThis rule uses a machine learning job to detect a significant spike in the rate of a particular error in the CloudTrail messages. Spikes in error messages may accompany attempts at privilege escalation, lateral movement, or discovery.\n\n#### Possible investigation steps\n\n- Examine the history of the error. If the error only manifested recently, it might be related to recent changes in an automation module or script. You can find the error in the `aws.cloudtrail.error_code field` field.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, or network administrator activity.\n- Examine the request parameters. 
These may indicate the source of the program or the nature of the task being performed when the error occurred.\n - Check whether the error is related to unsuccessful attempts to enumerate or access objects, data, or secrets.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the calling user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- Consider the time of day. If the user is a human (not a program or script), did the activity take place during a normal time of day?\n- Contact the account owner and confirm whether they are aware of this activity if suspicious.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- Examine the history of the command. If the command only manifested recently, it might be part of a new automation module or script. If it has a consistent cadence (for example, it appears in small numbers on a weekly or monthly cadence), it might be part of a housekeeping or maintenance process. 
You can find the command in the `event.action field` field.\n- The adoption of new services or the addition of new functionality to scripts may generate false positives.\n\n### Related Rules\n\n- Unusual City For an AWS Command - 809b70d3-e2c3-455e-af1b-2626a5a1a276\n- Unusual Country For an AWS Command - dca28dee-c999-400f-b640-50a081cc0fd1\n- Unusual AWS Command for a User - ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1\n- Rare AWS Error Code - 19de8096-e2b0-4bd8-80c9-34a820813fff\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" + ], + "related_integrations": [ + { + "package": "aws", + "version": "^2.0.0" + } + ], + "risk_score": 21, + "rule_id": "78d3d8d9-b476-451d-a9e0-7a5addd70670", + "setup": "## Setup\n\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from AWS.\n\n### Anomaly Detection Setup\n\nOnce the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \"Definition\" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. 
For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\n\n### AWS Integration Setup\nThe AWS integration allows you to collect logs and metrics from Amazon Web Services (AWS) with Elastic Agent.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"aws\" to your system:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cAWS\u201d and select the integration to see more details about it.\n- Click \u201cAdd AWS\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201caws\u201d to an existing or a new agent policy, and deploy the agent on your system from which aws log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://www.elastic.co/docs/current/integrations/aws).\n", + "severity": "low", + "tags": [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Resources: Investigation Guide" + ], + "type": "machine_learning", + "version": 209 + }, + "id": "78d3d8d9-b476-451d-a9e0-7a5addd70670_209", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/809b70d3-e2c3-455e-af1b-2626a5a1a276_209.json b/packages/security_detection_engine/kibana/security_rule/809b70d3-e2c3-455e-af1b-2626a5a1a276_209.json new file mode 100644 index 00000000000..8c13558664f --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/809b70d3-e2c3-455e-af1b-2626a5a1a276_209.json 
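Review bot: The `note` string names the fields as "`aws.cloudtrail.error_code field` field" and "`event.action field` field", with the word "field" both inside the backticks and repeated after them, so the rendered guide shows a field name that does not exist; the "`event.action field` field" form recurs in the 809b70d3 hunk's `note`. Suggest `` `aws.cloudtrail.error_code` field `` and `` `event.action` field ``. The Related Rules list in this note cites sibling rules by `rule_id` only, which is consistent with the other AWS ML rules in this change, so no action is needed there.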
@@ -0,0 +1,43 @@ +{ + "attributes": { + "anomaly_threshold": 50, + "author": [ + "Elastic" + ], + "description": "A machine learning job detected AWS command activity that, while not inherently suspicious or abnormal, is sourcing from a geolocation (city) that is unusual for the command. This can be the result of compromised credentials or keys being used by a threat actor in a different geography than the authorized user(s).", + "false_positives": [ + "New or unusual command and user geolocation activity can be due to manual troubleshooting or reconfiguration; changes in cloud automation scripts or workflows; adoption of new services; expansion into new regions; increased adoption of work from home policies; or users who travel frequently." + ], + "from": "now-2h", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": "rare_method_for_a_city", + "name": "Unusual City For an AWS Command", + "note": "## Triage and analysis\n\n### Investigating Unusual City For an AWS Command\n\nCloudTrail logging provides visibility on actions taken within an AWS environment. By monitoring these events and understanding what is considered normal behavior within an organization, you can spot suspicious or malicious activity when deviations occur.\n\nThis rule uses a machine learning job to detect an AWS API command that while not inherently suspicious or abnormal, is sourcing from a geolocation (city) that is unusual for the command. This can be the result of compromised credentials or keys used by a threat actor in a different geography than the authorized user(s).\n\nDetection alerts from this rule indicate an AWS API command or method call that is rare and unusual for the geolocation of the source IP address.\n\n#### Possible investigation steps\n\n- Identify the user account involved and the action performed. 
Verify whether it should perform this kind of action.\n - Examine the user identity in the `aws.cloudtrail.user_identity.arn` field and the access key ID in the `aws.cloudtrail.user_identity.access_key_id` field, which can help identify the precise user context.\n - The user agent details in the `user_agent.original` field may also indicate what kind of a client made the request.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, or network administrator activity.\n- Examine the request parameters. These might indicate the source of the program or the nature of its tasks.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the calling user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- Consider the time of day. If the user is a human (not a program or script), did the activity take place during a normal time of day?\n- Contact the account owner and confirm whether they are aware of this activity if suspicious.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- False positives can occur if activity is coming from new employees based in a city with no previous history in AWS.\n- Examine the history of the command. If the command only manifested recently, it might be part of a new automation module or script. 
If it has a consistent cadence (for example, it appears in small numbers on a weekly or monthly cadence), it might be part of a housekeeping or maintenance process. You can find the command in the `event.action field` field.\n\n### Related Rules\n\n- Unusual Country For an AWS Command - dca28dee-c999-400f-b640-50a081cc0fd1\n- Unusual AWS Command for a User - ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1\n- Rare AWS Error Code - 19de8096-e2b0-4bd8-80c9-34a820813fff\n- Spike in AWS Error Messages - 78d3d8d9-b476-451d-a9e0-7a5addd70670\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" + ], + "related_integrations": [ + { + "package": "aws", + "version": "^2.0.0" + } + ], + "risk_score": 21, + "rule_id": "809b70d3-e2c3-455e-af1b-2626a5a1a276", + "setup": "## Setup\n\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from AWS.\n\n### Anomaly Detection Setup\n\nOnce the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \"Definition\" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. 
For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\n\n### AWS Integration Setup\nThe AWS integration allows you to collect logs and metrics from Amazon Web Services (AWS) with Elastic Agent.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"aws\" to your system:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cAWS\u201d and select the integration to see more details about it.\n- Click \u201cAdd AWS\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201caws\u201d to an existing or a new agent policy, and deploy the agent on your system from which aws log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://www.elastic.co/docs/current/integrations/aws).\n", + "severity": "low", + "tags": [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Resources: Investigation Guide" + ], + "type": "machine_learning", + "version": 209 + }, + "id": "809b70d3-e2c3-455e-af1b-2626a5a1a276_209", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/894326d2-56c0-4342-b553-4abfaf421b5b_1.json b/packages/security_detection_engine/kibana/security_rule/894326d2-56c0-4342-b553-4abfaf421b5b_1.json new file mode 100644 index 00000000000..2bcbd453ca5 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/894326d2-56c0-4342-b553-4abfaf421b5b_1.json 
@@ -0,0 +1,88 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the creation of a DNS record that is potentially meant to enable WPAD spoofing. Attackers can disable the Global Query Block List (GQBL) and create a \"wpad\" record to exploit hosts running WPAD with default settings for privilege escalation and lateral movement.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-system.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential WPAD Spoofing via DNS Record Creation", + "query": "any where host.os.type == \"windows\" and event.action == \"Directory Service Changes\" and\n event.code == \"5137\" and winlog.event_data.ObjectDN : \"DC=wpad,*\"\n", + "references": [ + "https://www.thehacker.recipes/ad/movement/mitm-and-coerced-authentications/wpad-spoofing#through-adidns-spoofing", + "https://cube0x0.github.io/Pocing-Beyond-DA/" + ], + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.code", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.ObjectDN", + "type": "unknown" + } + ], + "risk_score": 47, + "rule_id": "894326d2-56c0-4342-b553-4abfaf421b5b", + "setup": "## Setup\n\nThe 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Changes (Success,Failure)\n```\n\nThe above policy does not cover the target object by default (we still need it to be configured to generate 
events), so we need to set up an AuditRule using https://github.com/OTRF/Set-AuditRule.\n\n```\nSet-AuditRule -AdObjectPath 'AD:\\CN=MicrosoftDNS,DC=DomainDNSZones,DC=Domain,DC=com' -WellKnownSidType WorldSid -Rights CreateChild -InheritanceFlags Descendents -AttributeGUID e0fa1e8c-9b45-11d0-afdd-00c04fd930c9 -AuditFlags Success\n```\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Data Source: Active Directory", + "Use Case: Active Directory Monitoring" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1557", + "name": "Adversary-in-the-Middle", + "reference": "https://attack.mitre.org/techniques/T1557/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 + }, + "id": "894326d2-56c0-4342-b553-4abfaf421b5b_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/91f02f01-969f-4167-8d77-07827ac4cee0_104.json b/packages/security_detection_engine/kibana/security_rule/91f02f01-969f-4167-8d77-07827ac4cee0_104.json new file mode 100644 index 00000000000..1d606a007b7 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/91f02f01-969f-4167-8d77-07827ac4cee0_104.json 
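Review bot: The `setup` string embeds `-AdObjectPath 'AD:\\CN=MicrosoftDNS,DC=DomainDNSZones,DC=Domain,DC=com'` without saying that `DC=Domain,DC=com` is a sample value, and the audit rule must target the deployment's own zone container for event 5137 with an `ObjectDN` matching `DC=wpad,*` to be generated at all; suggest appending `Replace DC=Domain,DC=com with the distinguished name of your own domain.` after the code block. Separately, the `description` frames the impact as "privilege escalation and lateral movement" while the `threat` mapping is T1557 Adversary-in-the-Middle under Credential Access and the tag is "Tactic: Credential Access"; aligning the description with the mapped technique (the WPAD proxy position is used to intercept or relay authentication) would make the rule's intent consistent. The rule also ships without a `note` investigation guide, unlike the other rules in this change, so a short triage section (confirm the creating account is a DNS/AD administrator, check whether GQBL was recently changed, and remove the record if unauthorized) would help analysts act on the alert.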
@@ -0,0 +1,68 @@ +{ + "attributes": { + "anomaly_threshold": 50, + "author": [ + "Elastic" + ], + "description": "A machine learning job detected a rare and unusual user agent indicating web browsing activity by an unusual process other than a web browser. This can be due to persistence, command-and-control, or exfiltration activity. Uncommon user agents coming from remote sources to local destinations are often the result of scanners, bots, and web scrapers, which are part of common Internet background traffic. Much of this is noise, but more targeted attacks on websites using tools like Burp or SQLmap can sometimes be discovered by spotting uncommon user agents. Uncommon user agents in traffic from local sources to remote destinations can be any number of things, including harmless programs like weather monitoring or stock-trading programs. However, uncommon user agents from local sources can also be due to malware or scanning activity.", + "false_positives": [ + "Web activity that is uncommon, like security scans, may trigger this alert and may need to be excluded. A new or rarely used program that calls web services may trigger this alert." + ], + "from": "now-45m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": "packetbeat_rare_user_agent", + "name": "Unusual Web User Agent", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "network_traffic", + "version": "^1.1.0" + } + ], + "risk_score": 21, + "rule_id": "91f02f01-969f-4167-8d77-07827ac4cee0", + "setup": "## Setup\n\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:\n- Elastic Defend\n- Network Packet Capture\n\n### Anomaly Detection Setup\n\nOnce the rule is enabled, the associated Machine Learning job will start automatically. 
You can view the Machine Learning job linked under the \"Definition\" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration to your system:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Network Packet Capture Integration Setup\nThe Network Packet Capture integration sniffs network packets on a host and dissects known protocols. Monitoring the network traffic is critical to gaining observability and securing your environment \u2014 ensuring high levels of performance and security. The Network Packet Capture integration captures the network traffic between your application servers, decodes common application layer protocols and records the interesting fields for each transaction.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"network_traffic\" to your system:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cNetwork Packet Capture\u201d and select the integration to see more details about it.\n- Click \u201cAdd Network Packet Capture\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cnetwork_traffic\u201d to an existing or a new agent policy, and deploy the agent on your system from which network log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/network_traffic).\n", + "severity": "low", + "tags": [ + "Use Case: Threat 
Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Command and Control" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1071", + "name": "Application Layer Protocol", + "reference": "https://attack.mitre.org/techniques/T1071/", + "subtechnique": [ + { + "id": "T1071.001", + "name": "Web Protocols", + "reference": "https://attack.mitre.org/techniques/T1071/001/" + } + ] + } + ] + } + ], + "type": "machine_learning", + "version": 104 + }, + "id": "91f02f01-969f-4167-8d77-07827ac4cee0_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/91f02f01-969f-4167-8f55-07827ac3acc9_104.json b/packages/security_detection_engine/kibana/security_rule/91f02f01-969f-4167-8f55-07827ac3acc9_104.json new file mode 100644 index 00000000000..3c7474b5af3 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/91f02f01-969f-4167-8f55-07827ac3acc9_104.json 
@@ -0,0 +1,68 @@ +{ + "attributes": { + "anomaly_threshold": 50, + "author": [ + "Elastic" + ], + "description": "A machine learning job detected a rare and unusual URL that indicates unusual web browsing activity. This can be due to initial access, persistence, command-and-control, or exfiltration activity. For example, in a strategic web compromise or watering hole attack, when a trusted website is compromised to target a particular sector or organization, targeted users may receive emails with uncommon URLs for trusted websites. These URLs can be used to download and run a payload. When malware is already running, it may send requests to uncommon URLs on trusted websites the malware uses for command-and-control communication. When rare URLs are observed being requested for a local web server by a remote source, these can be due to web scanning, enumeration or attack traffic, or they can be due to bots and web scrapers which are part of common Internet background traffic.", + "false_positives": [ + "Web activity that occurs rarely in small quantities can trigger this alert. Possible examples are browsing technical support or vendor URLs that are used very sparsely. A user who visits a new and unique web destination may trigger this alert when the activity is sparse. Web applications that generate URLs unique to a transaction may trigger this when they are used sparsely. Web domains can be excluded in cases such as these." 
+ ], + "from": "now-45m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": "packetbeat_rare_urls", + "name": "Unusual Web Request", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "network_traffic", + "version": "^1.1.0" + } + ], + "risk_score": 21, + "rule_id": "91f02f01-969f-4167-8f55-07827ac3acc9", + "setup": "## Setup\n\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:\n- Elastic Defend\n- Network Packet Capture\n\n### Anomaly Detection Setup\n\nOnce the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \"Definition\" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration to your system:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Network Packet Capture Integration Setup\nThe Network Packet Capture integration sniffs network packets on a host and dissects known protocols. Monitoring the network traffic is critical to gaining observability and securing your environment \u2014 ensuring high levels of performance and security. The Network Packet Capture integration captures the network traffic between your application servers, decodes common application layer protocols and records the interesting fields for each transaction.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"network_traffic\" to your system:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cNetwork Packet Capture\u201d and select the integration to see more details about it.\n- Click \u201cAdd Network Packet Capture\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cnetwork_traffic\u201d to an existing or a new agent policy, and deploy the agent on your system from which network log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/network_traffic).\n", + "severity": "low", + "tags": [ + "Use Case: Threat 
Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Command and Control" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1071", + "name": "Application Layer Protocol", + "reference": "https://attack.mitre.org/techniques/T1071/", + "subtechnique": [ + { + "id": "T1071.001", + "name": "Web Protocols", + "reference": "https://attack.mitre.org/techniques/T1071/001/" + } + ] + } + ] + } + ], + "type": "machine_learning", + "version": 104 + }, + "id": "91f02f01-969f-4167-8f55-07827ac3acc9_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/91f02f01-969f-4167-8f66-07827ac3bdd9_104.json b/packages/security_detection_engine/kibana/security_rule/91f02f01-969f-4167-8f66-07827ac3bdd9_104.json new file mode 100644 index 00000000000..4322895dac0 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/91f02f01-969f-4167-8f66-07827ac3bdd9_104.json 
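Review bot: Neither this rule nor the DNS Tunneling rule in 91f02f01-969f-4167-8f66-07827ac3bdd9_104.json carries a `note` investigation guide, whereas the Spike in Failed Logon Events rule added by the same commit (99dcf974-6587-4f65-9252-d866a3fdfd9c_105.json) does. For an anomaly rule that fires on rare URLs, a short "Triage and analysis" note telling the analyst to pivot on the requested URL and the source and destination hosts, check whether the URL belongs to a known update, CDN or vendor-support service, and look for the same URL from other hosts would give the same help. The `tags` array also lists both `"Rule Type: ML"` and `"Rule Type: Machine Learning"`; if the older tag is kept deliberately for existing saved filters that is fine, otherwise one of them is redundant.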
@@ -0,0 +1,61 @@ +{ + "attributes": { + "anomaly_threshold": 50, + "author": [ + "Elastic" + ], + "description": "A machine learning job detected unusually large numbers of DNS queries for a single top-level DNS domain, which is often used for DNS tunneling. DNS tunneling can be used for command-and-control, persistence, or data exfiltration activity. For example, dnscat tends to generate many DNS questions for a top-level domain as it uses the DNS protocol to tunnel data.", + "false_positives": [ + "DNS domains that use large numbers of child domains, such as software or content distribution networks, can trigger this alert and such parent domains can be excluded." + ], + "from": "now-45m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": "packetbeat_dns_tunneling", + "name": "DNS Tunneling", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "network_traffic", + "version": "^1.1.0" + } + ], + "risk_score": 21, + "rule_id": "91f02f01-969f-4167-8f66-07827ac3bdd9", + "setup": "## Setup\n\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:\n- Elastic Defend\n- Network Packet Capture\n\n### Anomaly Detection Setup\n\nOnce the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \"Definition\" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration to your system:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Network Packet Capture Integration Setup\nThe Network Packet Capture integration sniffs network packets on a host and dissects known protocols. Monitoring the network traffic is critical to gaining observability and securing your environment \u2014 ensuring high levels of performance and security. The Network Packet Capture integration captures the network traffic between your application servers, decodes common application layer protocols and records the interesting fields for each transaction.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"network_traffic\" to your system:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cNetwork Packet Capture\u201d and select the integration to see more details about it.\n- Click \u201cAdd Network Packet Capture\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cnetwork_traffic\u201d to an existing or a new agent policy, and deploy the agent on your system from which network log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/network_traffic).\n", + "severity": "low", + "tags": [ + "Use Case: Threat 
Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Command and Control" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1572", + "name": "Protocol Tunneling", + "reference": "https://attack.mitre.org/techniques/T1572/" + } + ] + } + ], + "type": "machine_learning", + "version": 104 + }, + "id": "91f02f01-969f-4167-8f66-07827ac3bdd9_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/93075852-b0f5-4b8b-89c3-a226efae5726_207.json b/packages/security_detection_engine/kibana/security_rule/93075852-b0f5-4b8b-89c3-a226efae5726_207.json new file mode 100644 index 00000000000..7673981297e --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/93075852-b0f5-4b8b-89c3-a226efae5726_207.json 
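Review bot: The `threat` mapping covers only TA0011 / T1572 Protocol Tunneling, although the `description` also names persistence and data exfiltration as uses of DNS tunneling; if the rule is meant to surface exfiltration as well, a second entry for tactic TA0010 Exfiltration with technique T1048 (Exfiltration Over Alternative Protocol), and optionally T1071.004 (Application Layer Protocol: DNS) under Command and Control, would keep the ATT&CK coverage in line with the text. Like the Unusual Web Request rule in this commit, the rule has no `note` field, and the `false_positives` entry says parent domains "can be excluded" without saying where (rule exceptions versus the ML job's own custom rules), which a triage note could spell out.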
@@ -0,0 +1,113 @@ +{ + "attributes": { + "author": [ + "Austin Songer" + ], + "description": "Identifies the use of AssumeRole. AssumeRole returns a set of temporary security credentials that can be used to access AWS resources. An adversary could use those credentials to move laterally and escalate privileges.", + "false_positives": [ + "Automated processes that use Terraform may lead to false positives." + ], + "index": [ + "filebeat-*", + "logs-aws.cloudtrail-*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS Security Token Service (STS) AssumeRole Usage", + "note": "", + "query": "event.dataset:aws.cloudtrail and event.provider:sts.amazonaws.com and event.action:AssumeRole and\naws.cloudtrail.user_identity.session_context.session_issuer.type:Role and event.outcome:success\n", + "references": [ + "https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html" + ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "aws.cloudtrail.user_identity.session_context.session_issuer.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "93075852-b0f5-4b8b-89c3-a226efae5726", + "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Data Source: AWS STS", + "Use Case: Identity and Access Audit", + "Tactic: Privilege Escalation" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege 
Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1548", + "name": "Abuse Elevation Control Mechanism", + "reference": "https://attack.mitre.org/techniques/T1548/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1550", + "name": "Use Alternate Authentication Material", + "reference": "https://attack.mitre.org/techniques/T1550/", + "subtechnique": [ + { + "id": "T1550.001", + "name": "Application Access Token", + "reference": "https://attack.mitre.org/techniques/T1550/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 207 + }, + "id": "93075852-b0f5-4b8b-89c3-a226efae5726_207", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/94e734c0-2cda-11ef-84e1-f661ea17fbce_1.json b/packages/security_detection_engine/kibana/security_rule/94e734c0-2cda-11ef-84e1-f661ea17fbce_1.json new file mode 100644 index 00000000000..bb2fffb1cc5 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/94e734c0-2cda-11ef-84e1-f661ea17fbce_1.json 
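Review bot: `"note": ""` leaves this rule without an investigation guide, although its query matches every successful `AssumeRole` call where `aws.cloudtrail.user_identity.session_context.session_issuer.type` is `Role`, which in most accounts is routine role chaining by services and pipelines rather than adversary activity. A short "Triage and analysis" note would help: identify the calling principal and the role assumed, compare the source address and user agent against known automation, and correlate the new session's subsequent CloudTrail API calls for privilege-escalation or lateral-movement behaviour. The `false_positives` list names only Terraform; CI/CD runners and cross-account service roles are likely to produce the same matches and could be listed too, or the rule could be documented as a correlation building block rather than a standalone alert.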
@@ -0,0 +1,75 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects when a certain threshold of Okta user authentication events are reported for multiple users from the same client address. Adversaries may attempt to launch a credential stuffing or password spraying attack from the same device by using a list of known usernames and passwords to gain unauthorized access to user accounts.", + "false_positives": [ + "Users may share an endpoint related to work or personal use in which separate Okta accounts are used.", + "Shared systems such as Kiosks and conference room computers may be used by multiple users." + ], + "from": "now-9m", + "language": "esql", + "license": "Elastic License v2", + "name": "Multiple Okta User Authentication Events with Client Address", + "note": "## Triage and analysis\n\n### Investigating Multiple Okta User Authentication Events with Client Address\n\nThis rule detects when a certain threshold of Okta user authentication events are reported for multiple users from the same client address. Adversaries may attempt to launch a credential stuffing attack from the same device by using a list of known usernames and passwords to gain unauthorized access to user accounts. 
Note that Okta does not log unrecognized usernames supplied during authentication attempts, so this rule may not detect all credential stuffing attempts or may indicate a targeted attack.\n\n#### Possible investigation steps:\nSince this is an ES|QL rule, the `okta.actor.alternate_id` and `okta.client.ip` values can be used to pivot into the raw authentication events related to this activity.\n- Identify the users involved in this action by examining the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, and `okta.actor.display_name` fields.\n- Determine the device client used for these actions by analyzing `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.zone`, `okta.client.device`, and `okta.client.id` fields.\n- Review the `okta.security_context.is_proxy` field to determine if the device is a proxy.\n - If the device is a proxy, this may indicate that a user is using a proxy to access multiple accounts for password spraying.\n- With the list of `okta.actor.alternate_id` values, review `event.outcome` results to determine if the authentication was successful.\n - If the authentication was successful for any user, pivoting to `event.action` values for those users may provide additional context.\n- With Okta end users identified, review the `okta.debug_context.debug_data.dt_hash` field.\n - Historical analysis should indicate if this device token hash is commonly associated with the user.\n- Review the `okta.event_type` field to determine the type of authentication event that occurred.\n - If the event type is `user.authentication.sso`, the user may have legitimately started a session via a proxy for security or privacy reasons.\n - If the event type is `user.authentication.password`, the user may be using a proxy to access multiple accounts for password spraying.\n - If the event type is `user.session.start`, the source may have attempted to establish a session via the Okta authentication API.\n- Examine the `okta.outcome.result` 
field to determine if the authentication was successful.\n- Review the past activities of the actor(s) involved in this action by checking their previous actions.\n- Evaluate the actions that happened just before and after this event in the `okta.event_type` field to help understand the full context of the activity.\n - This may help determine the authentication and authorization actions that occurred between the user, Okta and application.\n\n### False positive analysis:\n- A user may have legitimately started a session via a proxy for security or privacy reasons.\n- Users may share an endpoint related to work or personal use in which separate Okta accounts are used.\n - Architecturally, this shared endpoint may leverage a proxy for security or privacy reasons.\n - Shared systems such as Kiosks and conference room computers may be used by multiple users.\n - Shared working spaces may have a single endpoint that is used by multiple users.\n\n### Response and remediation:\n- Review the profile of the users involved in this action to determine if proxy usage may be expected.\n- If the user is legitimate and the authentication behavior is not suspicious based on device analysis, no action is required.\n- If the user is legitimate but the authentication behavior is suspicious, consider resetting passwords for the users involves and enabling multi-factor authentication (MFA).\n - If MFA is already enabled, consider resetting MFA for the users.\n- If any of the users are not legitimate, consider deactivating the user's account.\n- Conduct a review of Okta policies and ensure they are in accordance with security best practices.\n- Check with internal IT teams to determine if the accounts involved recently had MFA reset at the request of the user.\n - If so, confirm with the user this was a legitimate request.\n - If so and this was not a legitimate request, consider deactivating the user's account temporarily.\n - Reset passwords and reset MFA for the user.\n- If this is 
a false positive, consider adding the `okta.debug_context.debug_data.dt_hash` field to the `exceptions` list in the rule.\n - This will prevent future occurrences of this event for this device from triggering the rule.\n - Alternatively adding `okta.client.ip` or a CIDR range to the `exceptions` list can prevent future occurrences of this event from triggering the rule.\n - This should be done with caution as it may prevent legitimate alerts from being generated.\n", + "query": "FROM logs-okta*\n| WHERE\n event.dataset == \"okta.system\"\n AND (event.action == \"user.session.start\" OR event.action RLIKE \"user\\\\.authentication(.*)\")\n AND okta.outcome.reason == \"INVALID_CREDENTIALS\"\n| STATS\n source_auth_count = COUNT_DISTINCT(okta.actor.id)\n BY okta.client.ip, okta.actor.alternate_id\n| WHERE\n source_auth_count > 5\n| SORT\n source_auth_count DESC\n", + "references": [ + "https://support.okta.com/help/s/article/How-does-the-Device-Token-work?language=en_US", + "https://developer.okta.com/docs/reference/api/event-types/", + "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", + "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection", + "https://www.okta.com/resources/whitepaper-how-adaptive-mfa-can-help-in-mitigating-brute-force-attacks/" + ], + "risk_score": 21, + "rule_id": "94e734c0-2cda-11ef-84e1-f661ea17fbce", + "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Use Case: Identity and Access Audit", + "Data Source: Okta", + "Tactic: Credential Access" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1110", + "name": "Brute Force", + "reference": "https://attack.mitre.org/techniques/T1110/", + "subtechnique": [ 
+ { + "id": "T1110.003", + "name": "Password Spraying", + "reference": "https://attack.mitre.org/techniques/T1110/003/" + } + ] + }, + { + "id": "T1110", + "name": "Brute Force", + "reference": "https://attack.mitre.org/techniques/T1110/", + "subtechnique": [ + { + "id": "T1110.004", + "name": "Credential Stuffing", + "reference": "https://attack.mitre.org/techniques/T1110/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "esql", + "version": 1 + }, + "id": "94e734c0-2cda-11ef-84e1-f661ea17fbce_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/95b99adc-2cda-11ef-84e1-f661ea17fbce_1.json b/packages/security_detection_engine/kibana/security_rule/95b99adc-2cda-11ef-84e1-f661ea17fbce_1.json new file mode 100644 index 00000000000..5e7b2e18651 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/95b99adc-2cda-11ef-84e1-f661ea17fbce_1.json 
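Review bot: The `STATS ... BY okta.client.ip, okta.actor.alternate_id` clause groups by the per-user login before counting `COUNT_DISTINCT(okta.actor.id)`, so each group will normally hold a single actor id and `source_auth_count > 5` can only be reached if many distinct actor ids share one `okta.actor.alternate_id` for the same client address, which looks inverted for a rule whose stated purpose is many users from one address. Grouping by the client address alone, `BY okta.client.ip`, and keeping the user list with an aggregation such as `users = VALUES(okta.actor.alternate_id)` (where the deployed ES|QL version supports it) would match the description. The same pattern appears in 95b99adc-2cda-11ef-84e1-f661ea17fbce_1.json, which groups by `okta.debug_context.debug_data.dt_hash, okta.actor.alternate_id`. Both `note` fields also read "resetting passwords for the users involves" where "involved" is meant, and both list the `T1110` technique twice rather than once with two `subtechnique` entries.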
@@ -0,0 +1,75 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects when a high number of Okta user authentication events are reported for multiple users in a short time frame. Adversaries may attempt to launch a credential stuffing or password spraying attack from the same device by using a list of known usernames and passwords to gain unauthorized access to user accounts.", + "false_positives": [ + "Users may share an endpoint related to work or personal use in which separate Okta accounts are used.", + "Shared systems such as Kiosks and conference room computers may be used by multiple users." + ], + "from": "now-9m", + "language": "esql", + "license": "Elastic License v2", + "name": "Multiple Okta User Authentication Events with Same Device Token Hash", + "note": "## Triage and analysis\n\n### Investigating Multiple Okta User Authentication Events with Same Device Token Hash\n\nThis rule detects when a high number of Okta user authentication events are reported for multiple users in a short time frame. Adversaries may attempt to launch a credential stuffing attack from the same device by using a list of known usernames and passwords to gain unauthorized access to user accounts. 
Note that Okta does not log unrecognized usernames supplied during authentication attempts, so this rule may not detect all credential stuffing attempts or may indicate a targeted attack.\n\n#### Possible investigation steps:\n- Since this is an ES|QL rule, the `okta.actor.alternate_id` and `okta.debug_context.debug_data.dt_hash` values can be used to pivot into the raw authentication events related to this activity.\n- Identify the users involved in this action by examining the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, and `okta.actor.display_name` fields.\n- Determine the device client used for these actions by analyzing `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.zone`, `okta.client.device`, and `okta.client.id` fields.\n- Review the `okta.security_context.is_proxy` field to determine if the device is a proxy.\n - If the device is a proxy, this may indicate that a user is using a proxy to access multiple accounts for password spraying.\n- With the list of `okta.actor.alternate_id` values, review `event.outcome` results to determine if the authentication was successful.\n - If the authentication was successful for any user, pivoting to `event.action` values for those users may provide additional context.\n- With Okta end users identified, review the `okta.debug_context.debug_data.dt_hash` field.\n - Historical analysis should indicate if this device token hash is commonly associated with the user.\n- Review the `okta.event_type` field to determine the type of authentication event that occurred.\n - If the event type is `user.authentication.sso`, the user may have legitimately started a session via a proxy for security or privacy reasons.\n - If the event type is `user.authentication.password`, the user may be using a proxy to access multiple accounts for password spraying.\n- Examine the `okta.outcome.result` field to determine if the authentication was successful.\n- Review the past activities of the actor(s) 
involved in this action by checking their previous actions.\n- Evaluate the actions that happened just before and after this event in the `okta.event_type` field to help understand the full context of the activity.\n - This may help determine the authentication and authorization actions that occurred between the user, Okta and application.\n\n### False positive analysis:\n- A user may have legitimately started a session via a proxy for security or privacy reasons.\n- Users may share an endpoint related to work or personal use in which separate Okta accounts are used.\n - Architecturally, this shared endpoint may leverage a proxy for security or privacy reasons.\n - Shared systems such as Kiosks and conference room computers may be used by multiple users.\n - Shared working spaces may have a single endpoint that is used by multiple users.\n\n### Response and remediation:\n- Review the profile of the users involved in this action to determine if proxy usage may be expected.\n- If the user is legitimate and the authentication behavior is not suspicious based on device analysis, no action is required.\n- If the user is legitimate but the authentication behavior is suspicious, consider resetting passwords for the users involves and enabling multi-factor authentication (MFA).\n - If MFA is already enabled, consider resetting MFA for the users.\n- If any of the users are not legitimate, consider deactivating the user's account.\n- Conduct a review of Okta policies and ensure they are in accordance with security best practices.\n- Check with internal IT teams to determine if the accounts involved recently had MFA reset at the request of the user.\n - If so, confirm with the user this was a legitimate request.\n - If so and this was not a legitimate request, consider deactivating the user's account temporarily.\n - Reset passwords and reset MFA for the user.\n- If this is a false positive, consider adding the `okta.debug_context.debug_data.dt_hash` field to the `exceptions` 
list in the rule.\n - This will prevent future occurrences of this event for this device from triggering the rule.\n", + "query": "FROM logs-okta*\n| WHERE\n event.dataset == \"okta.system\"\n AND (event.action RLIKE \"user\\\\.authentication(.*)\" OR event.action == \"user.session.start\")\n AND okta.debug_context.debug_data.dt_hash != \"-\"\n AND okta.outcome.reason == \"INVALID_CREDENTIALS\"\n| STATS\n target_auth_count = COUNT_DISTINCT(okta.actor.id)\n BY okta.debug_context.debug_data.dt_hash, okta.actor.alternate_id\n| WHERE\n target_auth_count > 20\n| SORT\n target_auth_count DESC\n", + "references": [ + "https://support.okta.com/help/s/article/How-does-the-Device-Token-work?language=en_US", + "https://developer.okta.com/docs/reference/api/event-types/", + "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", + "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection", + "https://www.okta.com/resources/whitepaper-how-adaptive-mfa-can-help-in-mitigating-brute-force-attacks/" + ], + "risk_score": 21, + "rule_id": "95b99adc-2cda-11ef-84e1-f661ea17fbce", + "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Use Case: Identity and Access Audit", + "Data Source: Okta", + "Tactic: Credential Access" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1110", + "name": "Brute Force", + "reference": "https://attack.mitre.org/techniques/T1110/", + "subtechnique": [ + { + "id": "T1110.003", + "name": "Password Spraying", + "reference": "https://attack.mitre.org/techniques/T1110/003/" + } + ] + }, + { + "id": "T1110", + "name": "Brute Force", + "reference": "https://attack.mitre.org/techniques/T1110/", + "subtechnique": [ + { + "id": 
"T1110.004", + "name": "Credential Stuffing", + "reference": "https://attack.mitre.org/techniques/T1110/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "esql", + "version": 1 + }, + "id": "95b99adc-2cda-11ef-84e1-f661ea17fbce_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/99dcf974-6587-4f65-9252-d866a3fdfd9c_105.json b/packages/security_detection_engine/kibana/security_rule/99dcf974-6587-4f65-9252-d866a3fdfd9c_105.json new file mode 100644 index 00000000000..6deff05823e --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/99dcf974-6587-4f65-9252-d866a3fdfd9c_105.json 
@@ -0,0 +1,68 @@ +{ + "attributes": { + "anomaly_threshold": 75, + "author": [ + "Elastic" + ], + "description": "A machine learning job found an unusually large spike in authentication failure events. This can be due to password spraying, user enumeration or brute force activity and may be a precursor to account takeover or credentialed access.", + "false_positives": [ + "A misconfigured service account can trigger this alert. A password change on an account used by an email client can trigger this alert. Security test cycles that include brute force or password spraying activities may trigger this alert." + ], + "from": "now-30m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": "auth_high_count_logon_fails", + "name": "Spike in Failed Logon Events", + "note": "## Triage and analysis\n\n### Investigating Spike in Failed Logon Events\n\nThis rule uses a machine learning job to detect a substantial spike in failed authentication events. This could indicate attempts to enumerate users, password spraying, brute force, etc.\n\n#### Possible investigation steps\n\n- Identify the users involved and if the activity targets a specific user or a set of users.\n- Check if the authentication comes from different sources.\n- Investigate if the host where the failed authentication events occur is exposed to the internet.\n - If the host is exposed to the internet, and the source of these attempts is external, the activity can be related to bot activity and possibly not directed at your organization.\n - If the host is not exposed to the internet, investigate the hosts where the authentication attempts are coming from, as this can indicate that they are compromised and the attacker is trying to move laterally.\n- Investigate other alerts associated with the involved users and hosts during the past 48 hours.\n- Check whether the involved credentials are used in automation or scheduled tasks.\n- If this activity is suspicious, contact the 
account owner and confirm whether they are aware of it.\n- Investigate whether there are successful authentication events from the involved sources. This could indicate a successful brute force or password spraying attack.\n\n### False positive analysis\n\n- If the account is used in automation tasks, it is possible that they are using expired credentials, causing a spike in authentication failures.\n- Authentication failures can be related to permission issues.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Assess whether the asset should be exposed to the internet, and take action to reduce your attack surface.\n - If the asset needs to be exposed to the internet, restrict access to remote login services to specific IPs.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" + ], + "related_integrations": [ + { + "package": "auditd_manager", + "version": "^1.0.0" + }, + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "system", + "version": "^1.6.4" + } + ], + "risk_score": 21, + "rule_id": "99dcf974-6587-4f65-9252-d866a3fdfd9c", + "setup": "## Setup\n\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:\n- Elastic Defend\n- Auditd Manager\n- System\n\n### Anomaly Detection Setup\n\nOnce the rule is enabled, the associated Machine Learning job will start automatically. 
You can view the Machine Learning job linked under the \"Definition\" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration to your system:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditd Manager Integration Setup\nThe Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.\nAuditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"auditd_manager\" to your system:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cAuditd Manager\u201d and select the integration to see more details about it.\n- Click \u201cAdd Auditd Manager\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cauditd manager\u201d to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).\n\n#### Rule Specific Setup Note\nAuditd Manager subscribes to the kernel and 
receives events as they occur without any additional configuration.\nHowever, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n- For this detection rule no additional audit rules are required.\n\n### System Integration Setup\nThe System integration allows you to collect system logs and metrics from your servers with Elastic Agent.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"system\" to your system:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cSystem\u201d and select the integration to see more details about it.\n- Click \u201cAdd System\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201csystem\u201d to an existing or a new agent policy, and deploy the agent on your system from which system log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/system).\n", + "severity": "low", + "tags": [ + "Use Case: Identity and Access Audit", + "Use Case: Threat Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Credential Access", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1110", + "name": "Brute Force", + "reference": "https://attack.mitre.org/techniques/T1110/" + } + ] + } + ], + "type": "machine_learning", + "version": 105 + }, + "id": "99dcf974-6587-4f65-9252-d866a3fdfd9c_105", + "type": "security-rule" +} \ No 
newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9d302377-d226-4e12-b54c-1906b5aec4f6_104.json b/packages/security_detection_engine/kibana/security_rule/9d302377-d226-4e12-b54c-1906b5aec4f6_104.json new file mode 100644 index 00000000000..0beeca5cd59 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/9d302377-d226-4e12-b54c-1906b5aec4f6_104.json 
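Review bot: `machine_learning_job_id` is written as a bare string here, `"machine_learning_job_id": "auth_high_count_logon_fails",`, while the sibling ML rule added in the same series (9d302377, "Unusual Linux Process Calling the Metadata Service") carries the same attribute as a one-element array, so the field changes type between documents of the same saved-object type. Kibana appears to accept both shapes, but anything that diffs, lints or schema-checks these exported rules has to special-case it; normalizing to `"machine_learning_job_id": ["auth_high_count_logon_fails"],` keeps one shape across the package. The tag list also carries both `Rule Type: ML` and `Rule Type: Machine Learning`, which reads as a transitional duplicate worth confirming is intentional rather than a leftover.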
@@ -0,0 +1,69 @@ +{ + "attributes": { + "anomaly_threshold": 50, + "author": [ + "Elastic" + ], + "description": "Looks for anomalous access to the metadata service by an unusual process. The metadata service may be targeted in order to harvest credentials or user data scripts containing secrets.", + "false_positives": [ + "A newly installed program or one that runs very rarely as part of a monthly or quarterly workflow could trigger this detection rule." + ], + "from": "now-45m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": [ + "v3_linux_rare_metadata_process" + ], + "name": "Unusual Linux Process Calling the Metadata Service", + "related_integrations": [ + { + "package": "auditd_manager", + "version": "^1.0.0" + }, + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "risk_score": 21, + "rule_id": "9d302377-d226-4e12-b54c-1906b5aec4f6", + "setup": "## Setup\n\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:\n- Elastic Defend\n- Auditd Manager\n\n### Anomaly Detection Setup\n\nOnce the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \"Definition\" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration to your system:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditd Manager Integration Setup\nThe Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.\nAuditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"auditd_manager\" to your system:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cAuditd Manager\u201d and select the integration to see more details about it.\n- Click \u201cAdd Auditd Manager\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cauditd manager\u201d to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).\n\n#### Rule Specific Setup Note\nAuditd Manager subscribes to the kernel and 
receives events as they occur without any additional configuration.\nHowever, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n- For this detection rule no additional audit rules are required.\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Credential Access" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1552", + "name": "Unsecured Credentials", + "reference": "https://attack.mitre.org/techniques/T1552/", + "subtechnique": [ + { + "id": "T1552.005", + "name": "Cloud Instance Metadata API", + "reference": "https://attack.mitre.org/techniques/T1552/005/" + } + ] + } + ] + } + ], + "type": "machine_learning", + "version": 104 + }, + "id": "9d302377-d226-4e12-b54c-1906b5aec4f6_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a61809f3-fb5b-465c-8bff-23a8a068ac60_7.json b/packages/security_detection_engine/kibana/security_rule/a61809f3-fb5b-465c-8bff-23a8a068ac60_7.json new file mode 100644 index 00000000000..ff131e30411 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/a61809f3-fb5b-465c-8bff-23a8a068ac60_7.json 
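Review bot: This rule ships with no `note` investigation guide and no `Resources: Investigation Guide` tag, unlike the failed-logon ML rule in the same series, so an analyst receiving a metadata-service anomaly has only the one-line `description` to act on even though the alert is about possible credential harvesting. A short `note` would be worth adding that tells the analyst to identify the process and its parent chain, determine which metadata paths were requested and whether instance credentials or user-data were returned, look for follow-on use of those credentials from outside the instance, and, as remediation, rotate the exposed instance credentials and, where the cloud provider supports it, require the session-token variant of the metadata API. The single `false_positives` entry could also name the routine metadata clients expected on an instance (cloud-init and the provider's guest agents), since those are the most likely benign triggers after a new image is rolled out; that is an inferred caveat, not something the rule text currently states.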
@@ -0,0 +1,127 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule is triggered when a Windows registry indicator from the Threat Intel Filebeat module or integrations has a match against an event that contains registry data.", + "from": "now-65m", + "index": [ + "auditbeat-*", + "endgame-*", + "filebeat-*", + "logs-*", + "winlogbeat-*" + ], + "interval": "1h", + "language": "kuery", + "license": "Elastic License v2", + "name": "Threat Intel Windows Registry Indicator Match", + "note": "## Triage and Analysis\n\n### Investigating Threat Intel Windows Registry Indicator Match\n\nThreat Intel indicator match rules allow matching from a local observation, such as an endpoint event that records a file hash with an entry of a file hash stored within the Threat Intel integrations index.\n\nMatches are based on threat intelligence data that's been ingested during the last 30 days. Some integrations don't place expiration dates on their threat indicators, so we strongly recommend validating ingested threat indicators and reviewing match results. When reviewing match results, check associated activity to determine whether the event requires additional investigation.\n\nThis rule is triggered when a Windows registry indicator from the Threat Intel Filebeat module or a threat intelligence integration matches against an event that contains registry data.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Check related threat reports to gain context about the registry indicator of compromise (IoC) and to understand if it's a system-native mechanism abused for persistence, to store data, to disable security mechanisms, etc. 
Use this information to define the appropriate triage and respond steps.\n- Identify the process responsible for the registry operation and investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Retrieve the involved process executable and examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS 
VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n- Using the data collected through the analysis, scope users targeted and other machines infected in the environment.\n\n### False Positive Analysis\n\n- Adversaries can leverage dual-use registry mechanisms that are commonly used by normal applications. These registry keys can be added into indicator lists creating the potential for false positives.\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "registry.path:*\n", + "references": [ + "https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-threatintel.html", + "https://www.elastic.co/guide/en/security/master/es-threat-intel-integrations.html", + "https://www.elastic.co/security/tip" + ], + "required_fields": [ + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + } + ], + "risk_score": 99, + "rule_id": "a61809f3-fb5b-465c-8bff-23a8a068ac60", + "setup": "## Setup\n\nThis rule needs threat intelligence indicators to work.\nThreat intelligence indicators can be collected using an [Elastic Agent integration](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#agent-ti-integration),\nthe [Threat Intel module](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#ti-mod-integration),\nor a [custom integration](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#custom-ti-integration).\n\nMore information can be found [here](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html).\n", + "severity": "critical", + "tags": [ + "OS: Windows", + "Data Source: Elastic Endgame", + "Rule Type: Threat Match" + ], + "threat_filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "disabled": false, + "key": "event.category", + "negate": false, + "params": { + "query": "threat" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.category": "threat" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "disabled": false, + "key": "event.kind", + 
"negate": false, + "params": { + "query": "enrichment" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.kind": "enrichment" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "disabled": false, + "key": "event.type", + "negate": false, + "params": { + "query": "indicator" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.type": "indicator" + } + } + } + ], + "threat_index": [ + "filebeat-*", + "logs-ti_*" + ], + "threat_indicator_path": "threat.indicator", + "threat_language": "kuery", + "threat_mapping": [ + { + "entries": [ + { + "field": "registry.path", + "type": "mapping", + "value": "threat.indicator.registry.path" + } + ] + } + ], + "threat_query": "@timestamp >= \"now-30d/d\" and event.module:(threatintel or ti_*) and threat.indicator.registry.path:* and not labels.is_ioc_transform_source:\"true\"", + "timeline_id": "495ad7a7-316e-4544-8a0f-9c098daee76e", + "timeline_title": "Generic Threat Match Timeline", + "timestamp_override": "event.ingested", + "type": "threat_match", + "version": 7 + }, + "id": "a61809f3-fb5b-465c-8bff-23a8a068ac60_7", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/aab184d3-72b3-4639-b242-6597c99d8bca_8.json b/packages/security_detection_engine/kibana/security_rule/aab184d3-72b3-4639-b242-6597c99d8bca_8.json new file mode 100644 index 00000000000..0216914a7f1 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/aab184d3-72b3-4639-b242-6597c99d8bca_8.json 
@@ -0,0 +1,209 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule is triggered when a hash indicator from the Threat Intel Filebeat module or integrations has a match against an event that contains file hashes, such as antivirus alerts, process creation, library load, and file operation events.", + "from": "now-65m", + "index": [ + "auditbeat-*", + "endgame-*", + "filebeat-*", + "logs-*", + "winlogbeat-*" + ], + "interval": "1h", + "language": "kuery", + "license": "Elastic License v2", + "name": "Threat Intel Hash Indicator Match", + "note": "## Triage and Analysis\n\n### Investigating Threat Intel Hash Indicator Match\n\nThreat Intel indicator match rules allow matching from a local observation, such as an endpoint event that records a file hash with an entry of a file hash stored within the Threat Intel integrations index.\n\nMatches are based on threat intelligence data that's been ingested during the last 30 days. Some integrations don't place expiration dates on their threat indicators, so we strongly recommend validating ingested threat indicators and reviewing match results. When reviewing match results, check associated activity to determine whether the event requires additional investigation.\n\nThis rule is triggered when a hash indicator from the Threat Intel Filebeat module or an indicator ingested from a threat intelligence integration matches against an event that contains file hashes, such as antivirus alerts, file operation events, etc.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Gain context about the field that matched the local observation. 
This information can be found in the `threat.indicator.matched.field` field.\n- Investigate the hash , which can be found in the `threat.indicator.matched.atomic` field:\n - Search for the existence and reputation of the hash in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n - Scope other potentially compromised hosts in your environment by mapping hosts with file operations involving the same hash.\n- Identify the process that created the file.\n - Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - Enrich the information that you have right now by determining how the file was dropped, where it was downloaded from, etc. This can help you determine if the event is part of an ongoing campaign against the organization.\n- Retrieve the involved file and examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account 
FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n- Using the data collected through the analysis, scope users targeted and other machines infected in the environment.\n\n### False Positive Analysis\n\n- Adversaries often use legitimate tools as network administrators, such as `PsExec` or `AdFind`. These tools are often included in indicator lists, which creates the potential for false positives.\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "file.hash.*:* or process.hash.*:* or dll.hash.*:*\n", + "references": [ + "https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-threatintel.html", + "https://www.elastic.co/guide/en/security/master/es-threat-intel-integrations.html", + "https://www.elastic.co/security/tip" + ], + "required_fields": [ + { + "ecs": false, + "name": "dll.hash.*", + "type": "unknown" + }, + { + "ecs": false, + "name": "file.hash.*", + "type": "unknown" + }, + { + "ecs": false, + "name": "process.hash.*", + "type": "unknown" + } + ], + "risk_score": 99, + "rule_id": "aab184d3-72b3-4639-b242-6597c99d8bca", + "setup": "## Setup\n\nThis rule needs threat intelligence indicators to work.\nThreat intelligence indicators can be collected using an [Elastic Agent integration](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#agent-ti-integration),\nthe [Threat Intel module](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#ti-mod-integration),\nor a [custom integration](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#custom-ti-integration).\n\nMore information can be found [here](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html).\n", + "severity": "critical", + "tags": [ + "OS: Windows", + "Data Source: Elastic Endgame", + "Rule Type: Threat Match" + ], + "threat_filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "disabled": false, + "key": "event.category", + "negate": false, + "params": { + "query": "threat" + }, + "type": "phrase" + }, + 
"query": { + "match_phrase": { + "event.category": "threat" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "disabled": false, + "key": "event.kind", + "negate": false, + "params": { + "query": "enrichment" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.kind": "enrichment" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "disabled": false, + "key": "event.type", + "negate": false, + "params": { + "query": "indicator" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.type": "indicator" + } + } + } + ], + "threat_index": [ + "filebeat-*", + "logs-ti_*" + ], + "threat_indicator_path": "threat.indicator", + "threat_language": "kuery", + "threat_mapping": [ + { + "entries": [ + { + "field": "file.hash.md5", + "type": "mapping", + "value": "threat.indicator.file.hash.md5" + } + ] + }, + { + "entries": [ + { + "field": "file.hash.sha1", + "type": "mapping", + "value": "threat.indicator.file.hash.sha1" + } + ] + }, + { + "entries": [ + { + "field": "file.hash.sha256", + "type": "mapping", + "value": "threat.indicator.file.hash.sha256" + } + ] + }, + { + "entries": [ + { + "field": "dll.hash.md5", + "type": "mapping", + "value": "threat.indicator.file.hash.md5" + } + ] + }, + { + "entries": [ + { + "field": "dll.hash.sha1", + "type": "mapping", + "value": "threat.indicator.file.hash.sha1" + } + ] + }, + { + "entries": [ + { + "field": "dll.hash.sha256", + "type": "mapping", + "value": "threat.indicator.file.hash.sha256" + } + ] + }, + { + "entries": [ + { + "field": "process.hash.md5", + "type": "mapping", + "value": "threat.indicator.file.hash.md5" + } + ] + }, + { + "entries": [ + { + "field": "process.hash.sha1", + "type": "mapping", + "value": "threat.indicator.file.hash.sha1" + } + ] + }, + { + "entries": [ + { + "field": "process.hash.sha256", + "type": "mapping", + "value": "threat.indicator.file.hash.sha256" + } + ] + } + ], + "threat_query": "@timestamp >= \"now-30d/d\" and 
event.module:(threatintel or ti_*) and (threat.indicator.file.hash.*:* or threat.indicator.file.pe.imphash:*) and not labels.is_ioc_transform_source:\"true\"", + "timeline_id": "495ad7a7-316e-4544-8a0f-9c098daee76e", + "timeline_title": "Generic Threat Match Timeline", + "timestamp_override": "event.ingested", + "type": "threat_match", + "version": 8 + }, + "id": "aab184d3-72b3-4639-b242-6597c99d8bca_8", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/abae61a8-c560-4dbd-acca-1e1438bff36b_104.json b/packages/security_detection_engine/kibana/security_rule/abae61a8-c560-4dbd-acca-1e1438bff36b_104.json new file mode 100644 index 00000000000..edf0eb8a905 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/abae61a8-c560-4dbd-acca-1e1438bff36b_104.json 
@@ -0,0 +1,69 @@ +{ + "attributes": { + "anomaly_threshold": 50, + "author": [ + "Elastic" + ], + "description": "Looks for anomalous access to the metadata service by an unusual process. The metadata service may be targeted in order to harvest credentials or user data scripts containing secrets.", + "false_positives": [ + "A newly installed program or one that runs very rarely as part of a monthly or quarterly workflow could trigger this detection rule." + ], + "from": "now-45m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": [ + "v3_windows_rare_metadata_process" + ], + "name": "Unusual Windows Process Calling the Metadata Service", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "risk_score": 21, + "rule_id": "abae61a8-c560-4dbd-acca-1e1438bff36b", + "setup": "## Setup\n\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:\n- Elastic Defend\n- Windows\n\n### Anomaly Detection Setup\n\nOnce the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \"Definition\" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration to your system:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Windows Integration Setup\nThe Windows integration allows you to monitor the Windows OS, services, applications, and more.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"windows\" to your system:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cWindows\u201d and select the integration to see more details about it.\n- Click \u201cAdd Windows\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cwindows\u201d to an existing or a new agent policy, and deploy the agent on your system from which windows log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/windows).\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Credential Access" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1552", + "name": "Unsecured Credentials", + "reference": 
"https://attack.mitre.org/techniques/T1552/", + "subtechnique": [ + { + "id": "T1552.005", + "name": "Cloud Instance Metadata API", + "reference": "https://attack.mitre.org/techniques/T1552/005/" + } + ] + } + ] + } + ], + "type": "machine_learning", + "version": 104 + }, + "id": "abae61a8-c560-4dbd-acca-1e1438bff36b_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1_209.json b/packages/security_detection_engine/kibana/security_rule/ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1_209.json new file mode 100644 index 00000000000..985732dce0c --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1_209.json 
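Review bot: This rule ships with no `note` investigation guide, so an analyst who receives a metadata-service alert gets only the description and the setup text; the sibling rule ac706eae in this series shows the expected shape (an "Investigating …" heading, possible investigation steps, false positive analysis, response and remediation). Since the description frames the alert as possible credential or user-data harvesting, the guide should at least tell the analyst to establish whether the anomalous process (presumably reported in the `process.*` fields of the ML result — not visible here) is expected on that host, and to check the `false_positives` case of a newly installed or rarely-run program before escalating. The tag list carries both `Rule Type: ML` and `Rule Type: Machine Learning`; the same pair appears in ac706eae, b240bfb8 and b347b919, so if one of them is a legacy alias, settling on a single form across the package would keep tag-based filters predictable.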
@@ -0,0 +1,43 @@ +{ + "attributes": { + "anomaly_threshold": 75, + "author": [ + "Elastic" + ], + "description": "A machine learning job detected an AWS API command that, while not inherently suspicious or abnormal, is being made by a user context that does not normally use the command. This can be the result of compromised credentials or keys as someone uses a valid account to persist, move laterally, or exfiltrate data.", + "false_positives": [ + "New or unusual user command activity can be due to manual troubleshooting or reconfiguration; changes in cloud automation scripts or workflows; adoption of new services; or changes in the way services are used." + ], + "from": "now-2h", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": "rare_method_for_a_username", + "name": "Unusual AWS Command for a User", + "note": "## Triage and analysis\n\n### Investigating Unusual AWS Command for a User\n\nCloudTrail logging provides visibility on actions taken within an AWS environment. By monitoring these events and understanding what is considered normal behavior within an organization, you can spot suspicious or malicious activity when deviations occur.\n\nThis rule uses a machine learning job to detect an AWS API command that while not inherently suspicious or abnormal, is being made by a user context that does not normally use the command. This can be the result of compromised credentials or keys as someone uses a valid account to persist, move laterally, or exfiltrate data.\n\nDetection alerts from this rule indicate an AWS API command or method call that is rare and unusual for the calling IAM user.\n\n#### Possible investigation steps\n\n- Identify the user account involved and the action performed. 
Verify whether it should perform this kind of action.\n - Examine the user identity in the `aws.cloudtrail.user_identity.arn` field and the access key ID in the `aws.cloudtrail.user_identity.access_key_id` field, which can help identify the precise user context.\n - The user agent details in the `user_agent.original` field may also indicate what kind of a client made the request.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, or network administrator activity.\n- Examine the request parameters. These might indicate the source of the program or the nature of its tasks.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the calling user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- Consider the time of day. If the user is a human (not a program or script), did the activity take place during a normal time of day?\n- Contact the account owner and confirm whether they are aware of this activity if suspicious.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- Examine the history of the command. If the command only manifested recently, it might be part of a new automation module or script. If it has a consistent cadence (for example, it appears in small numbers on a weekly or monthly cadence), it might be part of a housekeeping or maintenance process. 
You can find the command in the `event.action field` field.\n\n### Related Rules\n\n- Unusual City For an AWS Command - 809b70d3-e2c3-455e-af1b-2626a5a1a276\n- Unusual Country For an AWS Command - dca28dee-c999-400f-b640-50a081cc0fd1\n- Rare AWS Error Code - 19de8096-e2b0-4bd8-80c9-34a820813fff\n- Spike in AWS Error Messages - 78d3d8d9-b476-451d-a9e0-7a5addd70670\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" + ], + "related_integrations": [ + { + "package": "aws", + "version": "^2.0.0" + } + ], + "risk_score": 21, + "rule_id": "ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1", + "setup": "## Setup\n\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from AWS.\n\n### Anomaly Detection Setup\n\nOnce the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \"Definition\" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. 
For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\n\n### AWS Integration Setup\nThe AWS integration allows you to collect logs and metrics from Amazon Web Services (AWS) with Elastic Agent.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"aws\" to your system:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cAWS\u201d and select the integration to see more details about it.\n- Click \u201cAdd AWS\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201caws\u201d to an existing or a new agent policy, and deploy the agent on your system from which aws log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://www.elastic.co/docs/current/integrations/aws).\n", + "severity": "low", + "tags": [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Resources: Investigation Guide" + ], + "type": "machine_learning", + "version": 209 + }, + "id": "ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1_209", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b240bfb8-26b7-4e5e-924e-218144a3fa71_104.json b/packages/security_detection_engine/kibana/security_rule/b240bfb8-26b7-4e5e-924e-218144a3fa71_104.json new file mode 100644 index 00000000000..02c9ab21b55 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/b240bfb8-26b7-4e5e-924e-218144a3fa71_104.json 
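Review bot: The false-positive paragraph of the `note` field reads "You can find the command in the `event.action field` field." — the word "field" sits inside the code span and is repeated after it; it should read "You can find the command in the `event.action` field." `machine_learning_job_id` is a bare string here (and in b240bfb8), while abae61a8 and b347b919 give it as a one-element array; as far as I know the Kibana rule API accepts both forms, but a key that changes type across files in the same package is a trap for any tooling that iterates job ids, so the array form used by the other rules would be preferable. The `note` also ends with a guidance list that includes "Reset passwords or delete API keys as needed" without first pointing the analyst at the access key id already named in the investigation steps (`aws.cloudtrail.user_identity.access_key_id`); a short cross-reference there would make the remediation step actionable.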
@@ -0,0 +1,43 @@ +{ + "attributes": { + "anomaly_threshold": 75, + "author": [ + "Elastic" + ], + "description": "A machine learning job detected an unusually large spike in network traffic. Such a burst of traffic, if not caused by a surge in business activity, can be due to suspicious or malicious activity. Large-scale data exfiltration may produce a burst of network traffic; this could also be due to unusually large amounts of reconnaissance or enumeration traffic. Denial-of-service attacks or traffic floods may also produce such a surge in traffic.", + "false_positives": [ + "Business workflows that occur very occasionally, and involve an unusual surge in network traffic, can trigger this alert. A new business workflow or a surge in business activity may trigger this alert. A misconfigured network application or firewall may trigger this alert." + ], + "from": "now-30m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": "high_count_network_events", + "name": "Spike in Network Traffic", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "network_traffic", + "version": "^1.1.0" + } + ], + "risk_score": 21, + "rule_id": "b240bfb8-26b7-4e5e-924e-218144a3fa71", + "setup": "## Setup\n\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:\n- Elastic Defend\n- Network Packet Capture\n\n### Anomaly Detection Setup\n\nOnce the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \"Definition\" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. 
For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration to your system:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Network Packet Capture Integration Setup\nThe Network Packet Capture integration sniffs network packets on a host and dissects known protocols. Monitoring the network traffic is critical to gaining observability and securing your environment \u2014 ensuring high levels of performance and security. The Network Packet Capture integration captures the network traffic between your application servers, decodes common application layer protocols and records the interesting fields for each transaction.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"network_traffic\" to your system:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cNetwork Packet Capture\u201d and select the integration to see more details about it.\n- Click \u201cAdd Network Packet Capture\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cnetwork_traffic\u201d to an existing or a new agent policy, and deploy the agent on your system from which network log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/network_traffic).\n", + "severity": "low", + "tags": [ + "Use Case: Threat 
Detection", + "Rule Type: ML", + "Rule Type: Machine Learning" + ], + "type": "machine_learning", + "version": 104 + }, + "id": "b240bfb8-26b7-4e5e-924e-218144a3fa71_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b347b919-665f-4aac-b9e8-68369bf2340c_104.json b/packages/security_detection_engine/kibana/security_rule/b347b919-665f-4aac-b9e8-68369bf2340c_104.json new file mode 100644 index 00000000000..68dee018fb9 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/b347b919-665f-4aac-b9e8-68369bf2340c_104.json 
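Review bot: This rule has no MITRE `threat` mapping and no `Domain:` or `Data Source:` tags, although its description explicitly covers data exfiltration, reconnaissance and denial-of-service traffic; the other rules in this series (abae61a8, b347b919) carry a `threat` array with tactic and technique, and their `Tactic:` tag matches it. Without a mapping the alert presumably will not appear in the ATT&CK coverage view and cannot be filtered by tactic. It also lacks a `note` investigation guide, so an analyst gets only the description; at minimum the guide should tell them to compare the observed volume against the baseline the `high_count_network_events` job learned and to identify which host and destination pairs contributed to the spike before treating it as exfiltration or a flood.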
@@ -0,0 +1,66 @@ +{ + "attributes": { + "anomaly_threshold": 50, + "author": [ + "Elastic" + ], + "description": "A machine learning job detected activity for a username that is not normally active, which can indicate unauthorized changes, activity by unauthorized users, lateral movement, or compromised credentials. In many organizations, new usernames are not often created apart from specific types of system activities, such as creating new accounts for new employees. These user accounts quickly become active and routine. Events from rarely used usernames can point to suspicious activity. Additionally, automated Linux fleets tend to see activity from rarely used usernames only when personnel log in to make authorized or unauthorized changes, or threat actors have acquired credentials and log in for malicious purposes. Unusual usernames can also indicate pivoting, where compromised credentials are used to try and move laterally from one host to another.", + "false_positives": [ + "Uncommon user activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration." + ], + "from": "now-45m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": [ + "v3_linux_anomalous_user_name" + ], + "name": "Unusual Linux Username", + "note": "## Triage and analysis\n\n### Investigating an Unusual Linux User\nDetection alerts from this rule indicate activity for a Linux user name that is rare and unusual. Here are some possible avenues of investigation:\n- Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host? Could this be related to troubleshooting or debugging activity by a developer or site reliability engineer?\n- Examine the history of user activity. If this user only manifested recently, it might be a service account for a new software package. 
If it has a consistent cadence (for example if it runs monthly or quarterly), it might be part of a monthly or quarterly business process.\n- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks that the user is performing.", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" + ], + "related_integrations": [ + { + "package": "auditd_manager", + "version": "^1.0.0" + }, + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "risk_score": 21, + "rule_id": "b347b919-665f-4aac-b9e8-68369bf2340c", + "setup": "## Setup\n\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:\n- Elastic Defend\n- Auditd Manager\n\n### Anomaly Detection Setup\n\nOnce the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \"Definition\" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration to your system:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditd Manager Integration Setup\nThe Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.\nAuditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"auditd_manager\" to your system:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cAuditd Manager\u201d and select the integration to see more details about it.\n- Click \u201cAdd Auditd Manager\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cauditd manager\u201d to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).\n\n#### Rule Specific Setup Note\nAuditd Manager subscribes to the kernel and 
receives events as they occur without any additional configuration.\nHowever, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n- For this detection rule no additional audit rules are required.\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Initial Access" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/" + } + ] + } + ], + "type": "machine_learning", + "version": 104 + }, + "id": "b347b919-665f-4aac-b9e8-68369bf2340c_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b66b7e2b-d50a-49b9-a6fc-3a383baedc6b_1.json b/packages/security_detection_engine/kibana/security_rule/b66b7e2b-d50a-49b9-a6fc-3a383baedc6b_1.json new file mode 100644 index 00000000000..c54ef8d8d94 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/b66b7e2b-d50a-49b9-a6fc-3a383baedc6b_1.json 
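Review bot: The first bullet of the `note` investigation guide asks whether "this program" is part of an expected workflow for "the user who ran this program on this host", but the rule detects a rare username, not a program, and no program has been identified at that point; the bullet should be worded around the account, e.g. "Consider the user as identified by the `user.name` field. Is activity by this account expected on this host? Could it be a developer or site reliability engineer troubleshooting?" The guide is also missing the "False positive analysis" and "Response and remediation" sections that ac706eae provides, does not carry the matching `Resources: Investigation Guide` tag that ac706eae pairs with its note, and its string ends at `…performing."` without the trailing `\n` the other notes use, so the rendered guide stops mid-list. The `note` heading "Investigating an Unusual Linux User" should also match the rule name "Unusual Linux Username".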
@@ -0,0 +1,142 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies registry modifications to default services that could enable privilege escalation to SYSTEM. Attackers with privileges from groups like Server Operators may change the ImagePath of services to executables under their control or to execute commands.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.registry-*", + "logs-windows.sysmon_operational-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Privilege Escalation via Service ImagePath Modification", + "query": "registry where host.os.type == \"windows\" and event.type == \"change\" and process.executable != null and \n event.action == \"modification\" and registry.value == \"ImagePath\" and\n registry.key : (\n \"*\\\\ADWS\", \"*\\\\AppHostSvc\", \"*\\\\AppReadiness\", \"*\\\\AudioEndpointBuilder\", \"*\\\\AxInstSV\", \"*\\\\camsvc\", \"*\\\\CertSvc\",\n \"*\\\\COMSysApp\", \"*\\\\CscService\", \"*\\\\defragsvc\", \"*\\\\DeviceAssociationService\", \"*\\\\DeviceInstall\", \"*\\\\DevQueryBroker\",\n \"*\\\\Dfs\", \"*\\\\DFSR\", \"*\\\\diagnosticshub.standardcollector.service\", \"*\\\\DiagTrack\", \"*\\\\DmEnrollmentSvc\", \"*\\\\DNS\",\n \"*\\\\dot3svc\", \"*\\\\Eaphost\", \"*\\\\GraphicsPerfSvc\", \"*\\\\hidserv\", \"*\\\\HvHost\", \"*\\\\IISADMIN\", \"*\\\\IKEEXT\",\n \"*\\\\InstallService\", \"*\\\\iphlpsvc\", \"*\\\\IsmServ\", \"*\\\\LanmanServer\", \"*\\\\MSiSCSI\", \"*\\\\NcbService\", \"*\\\\Netlogon\",\n \"*\\\\Netman\", \"*\\\\NtFrs\", \"*\\\\PlugPlay\", \"*\\\\Power\", \"*\\\\PrintNotify\", \"*\\\\ProfSvc\", \"*\\\\PushToInstall\", \"*\\\\RSoPProv\",\n \"*\\\\sacsvr\", \"*\\\\SENS\", \"*\\\\SensorDataService\", \"*\\\\SgrmBroker\", \"*\\\\ShellHWDetection\", \"*\\\\shpamsvc\", \"*\\\\StorSvc\",\n \"*\\\\svsvc\", \"*\\\\swprv\", \"*\\\\SysMain\", \"*\\\\Themes\", \"*\\\\TieringEngineService\", \"*\\\\TokenBroker\", \"*\\\\TrkWks\",\n \"*\\\\UALSVC\", 
\"*\\\\UserManager\", \"*\\\\vm3dservice\", \"*\\\\vmicguestinterface\", \"*\\\\vmicheartbeat\", \"*\\\\vmickvpexchange\",\n \"*\\\\vmicrdv\", \"*\\\\vmicshutdown\", \"*\\\\vmicvmsession\", \"*\\\\vmicvss\", \"*\\\\vmvss\", \"*\\\\VSS\", \"*\\\\w3logsvc\", \"*\\\\W3SVC\",\n \"*\\\\WalletService\", \"*\\\\WAS\", \"*\\\\wercplsupport\", \"*\\\\WerSvc\", \"*\\\\Winmgmt\", \"*\\\\wisvc\", \"*\\\\wmiApSrv\",\n \"*\\\\WPDBusEnum\", \"*\\\\WSearch\"\n ) and\n not (\n registry.data.strings : (\n \"?:\\\\Windows\\\\system32\\\\*.exe\",\n \"%systemroot%\\\\system32\\\\*.exe\",\n \"%windir%\\\\system32\\\\*.exe\",\n \"%SystemRoot%\\\\system32\\\\svchost.exe -k *\",\n \"%windir%\\\\system32\\\\svchost.exe -k *\"\n ) and\n not registry.data.strings : (\n \"*\\\\cmd.exe\",\n \"*\\\\cscript.exe\",\n \"*\\\\ieexec.exe\",\n \"*\\\\iexpress.exe\",\n \"*\\\\installutil.exe\",\n \"*\\\\Microsoft.Workflow.Compiler.exe\",\n \"*\\\\msbuild.exe\",\n \"*\\\\mshta.exe\",\n \"*\\\\msiexec.exe\",\n \"*\\\\msxsl.exe\",\n \"*\\\\net.exe\",\n \"*\\\\powershell.exe\",\n \"*\\\\pwsh.exe\",\n \"*\\\\reg.exe\",\n \"*\\\\RegAsm.exe\",\n \"*\\\\RegSvcs.exe\",\n \"*\\\\regsvr32.exe\",\n \"*\\\\rundll32.exe\",\n \"*\\\\vssadmin.exe\",\n \"*\\\\wbadmin.exe\",\n \"*\\\\wmic.exe\",\n \"*\\\\wscript.exe\"\n )\n )\n", + "references": [ + "https://cube0x0.github.io/Pocing-Beyond-DA/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.data.strings", + "type": "wildcard" + }, + { + "ecs": true, + "name": "registry.key", + "type": "keyword" + }, + { + "ecs": true, + "name": 
"registry.value",
+ "type": "keyword"
+ }
+ ],
+ "risk_score": 47,
+ "rule_id": "b66b7e2b-d50a-49b9-a6fc-3a383baedc6b",
+ "severity": "medium",
+ "tags": [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Execution",
+ "Tactic: Privilege Escalation",
+ "Data Source: Elastic Defend",
+ "Data Source: Sysmon"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0004",
+ "name": "Privilege Escalation",
+ "reference": "https://attack.mitre.org/tactics/TA0004/"
+ },
+ "technique": [
+ {
+ "id": "T1543",
+ "name": "Create or Modify System Process",
+ "reference": "https://attack.mitre.org/techniques/T1543/",
+ "subtechnique": [
+ {
+ "id": "T1543.003",
+ "name": "Windows Service",
+ "reference": "https://attack.mitre.org/techniques/T1543/003/"
+ }
+ ]
+ },
+ {
+ "id": "T1574",
+ "name": "Hijack Execution Flow",
+ "reference": "https://attack.mitre.org/techniques/T1574/",
+ "subtechnique": [
+ {
+ "id": "T1574.011",
+ "name": "Services Registry Permissions Weakness",
+ "reference": "https://attack.mitre.org/techniques/T1574/011/"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0002",
+ "name": "Execution",
+ "reference": "https://attack.mitre.org/tactics/TA0002/"
+ },
+ "technique": [
+ {
+ "id": "T1569",
+ "name": "System Services",
+ "reference": "https://attack.mitre.org/techniques/T1569/",
+ "subtechnique": [
+ {
+ "id": "T1569.002",
+ "name": "Service Execution",
+ "reference": "https://attack.mitre.org/techniques/T1569/002/"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "eql",
+ "version": 1
+ },
+ "id": "b66b7e2b-d50a-49b9-a6fc-3a383baedc6b_1",
+ "type": "security-rule"
+}
\ No newline at end of file
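Review bot: The `registry.key` patterns in the query (for example `"*\\\\ADWS"`) anchor only on the final path component, so any key that ends in one of these service names matches regardless of hive or parent, while the intent stated in the description is the Services tree. If the Elastic Defend and Sysmon data sources populate the full key path, anchoring the patterns on the Services key, e.g. `"*\\\\Services\\\\ADWS"`, would narrow the match to the registry locations the rule is actually about; whether the full path is present cannot be confirmed from the hunk. The rule also ships without a `note`, unlike the ML rules in this commit that carry an "Investigating …" section; a short triage section naming which user and process wrote the value, whether the new `ImagePath` target is signed and sits in an expected location, and whether the service was subsequently started would help analysts work these alerts.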
diff --git a/packages/security_detection_engine/kibana/security_rule/ba342eb2-583c-439f-b04d-1fdd7c1417cc_104.json b/packages/security_detection_engine/kibana/security_rule/ba342eb2-583c-439f-b04d-1fdd7c1417cc_104.json
new file mode 100644
index 00000000000..71659a6c434
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/ba342eb2-583c-439f-b04d-1fdd7c1417cc_104.json
@@ -0,0 +1,48 @@ +{ + "attributes": { + "anomaly_threshold": 50, + "author": [ + "Elastic" + ], + "description": "Identifies Windows processes that do not usually use the network but have unexpected network activity, which can indicate command-and-control, lateral movement, persistence, or data exfiltration activity. A process with unusual network activity can denote process exploitation or injection, where the process is used to run persistence mechanisms that allow a malicious actor remote access or control of the host, data exfiltration, and execution of unauthorized network applications.", + "false_positives": [ + "A newly installed program or one that rarely uses the network could trigger this alert." + ], + "from": "now-45m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": [ + "v3_windows_anomalous_network_activity" + ], + "name": "Unusual Windows Network Activity", + "note": "## Triage and analysis\n\n### Investigating Unusual Network Activity\nDetection alerts from this rule indicate the presence of network activity from a Windows process for which network activity is very unusual. Here are some possible avenues of investigation:\n- Consider the IP addresses, protocol and ports. Are these used by normal but infrequent network workflows? Are they expected or unexpected?\n- If the destination IP address is remote or external, does it associate with an expected domain, organization or geography? Note: avoid interacting directly with suspected malicious IP addresses.\n- Consider the user as identified by the username field. Is this network activity part of an expected workflow for the user who ran the program?\n- Examine the history of execution. If this process only manifested recently, it might be part of a new software package. 
If it has a consistent cadence (for example if it runs monthly or quarterly), it might be part of a monthly or quarterly business process.\n- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing.\n- Consider the same for the parent process. If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious.\n- If you have file hash values in the event data, and you suspect malware, you can optionally run a search for the file hash to see if the file is identified as malware by anti-malware tools.", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "risk_score": 21, + "rule_id": "ba342eb2-583c-439f-b04d-1fdd7c1417cc", + "setup": "## Setup\n\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:\n- Elastic Defend\n- Windows\n\n### Anomaly Detection Setup\n\nOnce the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \"Definition\" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration to your system:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Windows Integration Setup\nThe Windows integration allows you to monitor the Windows OS, services, applications, and more.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"windows\" to your system:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cWindows\u201d and select the integration to see more details about it.\n- Click \u201cAdd Windows\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cwindows\u201d to an existing or a new agent policy, and deploy the agent on your system from which windows log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/windows).\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Rule Type: ML", + "Rule Type: Machine Learning" + ], + "type": "machine_learning", + "version": 104 + }, + "id": "ba342eb2-583c-439f-b04d-1fdd7c1417cc_104", + "type": "security-rule" +} \ No newline at end of file 
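Review bot: `machine_learning_job_id` is an array here (`"machine_learning_job_id": ["v3_windows_anomalous_network_activity"]`) but a bare string in c7db5533-ca2a-41f6-a8b0-ee98abe0f573_105.json later in this commit (`"machine_learning_job_id": "high_count_by_destination_country"`). Both forms appear to be accepted on import, but a field whose type changes between documents in the same package is awkward for any tooling that validates, diffs or indexes these rule files. Normalizing to the array form throughout would keep the shape stable across the package.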
diff --git a/packages/security_detection_engine/kibana/security_rule/c28c4d8c-f014-40ef-88b6-79a1d67cd499_104.json b/packages/security_detection_engine/kibana/security_rule/c28c4d8c-f014-40ef-88b6-79a1d67cd499_104.json
new file mode 100644
index 00000000000..c3401e1194c
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/c28c4d8c-f014-40ef-88b6-79a1d67cd499_104.json
@@ -0,0 +1,62 @@ +{ + "attributes": { + "anomaly_threshold": 25, + "author": [ + "Elastic" + ], + "description": "Looks for commands related to system network connection discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used by a threat actor to engage in system network connection discovery in order to increase their understanding of connected services and systems. This information may be used to shape follow-up behaviors such as lateral movement or additional discovery.", + "false_positives": [ + "Uncommon user command activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration." + ], + "from": "now-45m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": [ + "v3_linux_network_connection_discovery" + ], + "name": "Unusual Linux Network Connection Discovery", + "related_integrations": [ + { + "package": "auditd_manager", + "version": "^1.0.0" + }, + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "risk_score": 21, + "rule_id": "c28c4d8c-f014-40ef-88b6-79a1d67cd499", + "setup": "## Setup\n\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:\n- Elastic Defend\n- Auditd Manager\n\n### Anomaly Detection Setup\n\nOnce the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \"Definition\" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration to your system:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditd Manager Integration Setup\nThe Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.\nAuditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"auditd_manager\" to your system:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cAuditd Manager\u201d and select the integration to see more details about it.\n- Click \u201cAdd Auditd Manager\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cauditd manager\u201d to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).\n\n#### Rule Specific Setup Note\nAuditd Manager subscribes to the kernel and 
receives events as they occur without any additional configuration.\nHowever, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n- For this detection rule no additional audit rules are required.\n",
+ "severity": "low",
+ "tags": [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Rule Type: ML",
+ "Rule Type: Machine Learning",
+ "Tactic: Discovery"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0007",
+ "name": "Discovery",
+ "reference": "https://attack.mitre.org/tactics/TA0007/"
+ },
+ "technique": [
+ {
+ "id": "T1049",
+ "name": "System Network Connections Discovery",
+ "reference": "https://attack.mitre.org/techniques/T1049/"
+ }
+ ]
+ }
+ ],
+ "type": "machine_learning",
+ "version": 104
+ },
+ "id": "c28c4d8c-f014-40ef-88b6-79a1d67cd499_104",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/c7db5533-ca2a-41f6-a8b0-ee98abe0f573_105.json b/packages/security_detection_engine/kibana/security_rule/c7db5533-ca2a-41f6-a8b0-ee98abe0f573_105.json
new file mode 100644
index 00000000000..5253d3f20a0
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/c7db5533-ca2a-41f6-a8b0-ee98abe0f573_105.json
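Review bot: This rule carries no `note` field, so an analyst opening an alert gets the `description` and `setup` text but no triage guidance, whereas the Windows ML rule ba342eb2-583c-439f-b04d-1fdd7c1417cc_104.json in this commit has an "Investigating …" section. A short note in the same style, covering which user context and parent process ran the discovery command, whether that user normally performs troubleshooting on the host, and which other alerts touched the same asset in the preceding 48 hours, would make the two rules consistent and the alerts easier to work.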
@@ -0,0 +1,44 @@ +{ + "attributes": { + "anomaly_threshold": 75, + "author": [ + "Elastic" + ], + "description": "A machine learning job detected an unusually large spike in network activity to one destination country in the network logs. This could be due to unusually large amounts of reconnaissance or enumeration traffic. Data exfiltration activity may also produce such a surge in traffic to a destination country that does not normally appear in network traffic or business workflows. Malware instances and persistence mechanisms may communicate with command-and-control (C2) infrastructure in their country of origin, which may be an unusual destination country for the source network.", + "false_positives": [ + "Business workflows that occur very occasionally, and involve an unusual surge in network traffic to one destination country, can trigger this alert. A new business workflow or a surge in business activity in a particular country may trigger this alert. Business travelers who roam to many countries for brief periods may trigger this alert if they engage in volumetric network activity." + ], + "from": "now-30m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": "high_count_by_destination_country", + "name": "Spike in Network Traffic To a Country", + "note": "## Triage and analysis\n\n### Investigating Spike in Network Traffic To a Country\n\nMonitoring network traffic for anomalies is a good methodology for uncovering various potentially suspicious activities. 
For example, data exfiltration or infected machines may communicate with a command-and-control (C2) server in another country your company doesn't have business with.\n\nThis rule uses a machine learning job to detect a significant spike in the network traffic to a country, which can indicate reconnaissance or enumeration activities, an infected machine being used as a bot in a DDoS attack, or potentially data exfiltration.\n\n#### Possible investigation steps\n\n- Identify the specifics of the involved assets, such as role, criticality, and associated users.\n- Investigate other alerts associated with the involved assets during the past 48 hours.\n- Examine the data available and determine the exact users and processes involved in those connections.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Consider the time of day. If the user is a human (not a program or script), did the activity occurs during working hours?\n- If this activity is suspicious, contact the account owner and confirm whether they are aware of it.\n\n### False positive analysis\n\n- Understand the context of the connections by contacting the asset owners. 
If this activity is related to a new business process or newly implemented (approved) technology, consider adding exceptions \u2014 preferably with a combination of user and source conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n - Remove and block malicious artifacts identified during triage.\n- Consider implementing temporary network border rules to block or alert connections to the target country, if relevant.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "network_traffic", + "version": "^1.1.0" + } + ], + "risk_score": 21, + "rule_id": "c7db5533-ca2a-41f6-a8b0-ee98abe0f573", + "setup": "## Setup\n\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:\n- Elastic Defend\n- Network Packet Capture\n\n### Anomaly Detection Setup\n\nOnce the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \"Definition\" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration to your system:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Network Packet Capture Integration Setup\nThe Network Packet Capture integration sniffs network packets on a host and dissects known protocols. Monitoring the network traffic is critical to gaining observability and securing your environment \u2014 ensuring high levels of performance and security. The Network Packet Capture integration captures the network traffic between your application servers, decodes common application layer protocols and records the interesting fields for each transaction.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"network_traffic\" to your system:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cNetwork Packet Capture\u201d and select the integration to see more details about it.\n- Click \u201cAdd Network Packet Capture\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cnetwork_traffic\u201d to an existing or a new agent policy, and deploy the agent on your system from which network log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/network_traffic).\n", + "severity": "low", + "tags": [ + "Use Case: Threat 
Detection",
+ "Rule Type: ML",
+ "Rule Type: Machine Learning"
+ ],
+ "type": "machine_learning",
+ "version": 105
+ },
+ "id": "c7db5533-ca2a-41f6-a8b0-ee98abe0f573_105",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/cd66a419-9b3f-4f57-8ff8-ac4cd2d5f530_104.json b/packages/security_detection_engine/kibana/security_rule/cd66a419-9b3f-4f57-8ff8-ac4cd2d5f530_104.json
new file mode 100644
index 00000000000..ed17e1f66c7
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/cd66a419-9b3f-4f57-8ff8-ac4cd2d5f530_104.json
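Review bot: The `note` text in this rule contains a grammatical slip in the investigation steps: `did the activity occurs during working hours?` should read `did the activity occur during working hours?`. Since this text is shown verbatim to analysts in the alert's investigation guide, it is worth correcting in the rule source so the next version does not carry it forward.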
@@ -0,0 +1,69 @@
+{
+ "attributes": {
+ "anomaly_threshold": 50,
+ "author": [
+ "Elastic"
+ ],
+ "description": "Looks for compiler activity by a user context which does not normally run compilers. This can be the result of ad-hoc software changes or unauthorized software deployment. This can also be due to local privilege elevation via locally run exploits or malware activity.",
+ "false_positives": [
+ "Uncommon compiler activity can be due to an engineer running a local build on a production or staging instance in the course of troubleshooting or fixing a software issue."
+ ],
+ "from": "now-45m",
+ "interval": "15m",
+ "license": "Elastic License v2",
+ "machine_learning_job_id": [
+ "v3_linux_rare_user_compiler"
+ ],
+ "name": "Anomalous Linux Compiler Activity",
+ "related_integrations": [
+ {
+ "package": "auditd_manager",
+ "version": "^1.0.0"
+ },
+ {
+ "package": "endpoint",
+ "version": "^8.2.0"
+ }
+ ],
+ "risk_score": 21,
+ "rule_id": "cd66a419-9b3f-4f57-8ff8-ac4cd2d5f530",
+ "setup": "## Setup\n\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:\n- Elastic Defend\n- Auditd Manager\n\n### Anomaly Detection Setup\n\nOnce the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \"Definition\" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration to your system:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditd Manager Integration Setup\nThe Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.\nAuditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"auditd_manager\" to your system:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cAuditd Manager\u201d and select the integration to see more details about it.\n- Click \u201cAdd Auditd Manager\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cauditd manager\u201d to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).\n\n#### Rule Specific Setup Note\nAuditd Manager subscribes to the kernel and 
receives events as they occur without any additional configuration.\nHowever, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n- For this detection rule no additional audit rules are required.\n",
+ "severity": "low",
+ "tags": [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Rule Type: ML",
+ "Rule Type: Machine Learning",
+ "Tactic: Resource Development"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0042",
+ "name": "Resource Development",
+ "reference": "https://attack.mitre.org/tactics/TA0042/"
+ },
+ "technique": [
+ {
+ "id": "T1588",
+ "name": "Obtain Capabilities",
+ "reference": "https://attack.mitre.org/techniques/T1588/",
+ "subtechnique": [
+ {
+ "id": "T1588.001",
+ "name": "Malware",
+ "reference": "https://attack.mitre.org/techniques/T1588/001/"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "type": "machine_learning",
+ "version": 104
+ },
+ "id": "cd66a419-9b3f-4f57-8ff8-ac4cd2d5f530_104",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/d4af3a06-1e0a-48ec-b96a-faf2309fae46_104.json b/packages/security_detection_engine/kibana/security_rule/d4af3a06-1e0a-48ec-b96a-faf2309fae46_104.json
new file mode 100644
index 00000000000..61173a0a14e
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/d4af3a06-1e0a-48ec-b96a-faf2309fae46_104.json
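Review bot: `machine_learning_job_id` is an array here (`[ "v3_linux_rare_user_compiler" ]`) and in the d4af3a06 rule that follows, but a bare string in the d4b73fa0 and d7d5c059 rules further down; Kibana accepts both forms, yet a key whose type changes between files of the same package cannot be validated with one schema and is worth normalising to the array form in the exporter. The same `setup` text also mixes straight escaped quotes (`\"Add integrations\"`) in the Elastic Defend section with curly `\u201c…\u201d` quotes in the Auditd Manager section, which reads as an editing artifact carried into every rule that shares the block. These files appear to be exported from the rule repository, so both fixes belong upstream rather than in hand edits here.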
@@ -0,0 +1,62 @@
+{
+ "attributes": {
+ "anomaly_threshold": 75,
+ "author": [
+ "Elastic"
+ ],
+ "description": "Looks for commands related to system information discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used to engage in system information discovery in order to gather detailed information about system configuration and software versions. This may be a precursor to selection of a persistence mechanism or a method of privilege elevation.",
+ "false_positives": [
+ "Uncommon user command activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration."
+ ],
+ "from": "now-45m",
+ "interval": "15m",
+ "license": "Elastic License v2",
+ "machine_learning_job_id": [
+ "v3_linux_system_information_discovery"
+ ],
+ "name": "Unusual Linux System Information Discovery Activity",
+ "related_integrations": [
+ {
+ "package": "auditd_manager",
+ "version": "^1.0.0"
+ },
+ {
+ "package": "endpoint",
+ "version": "^8.2.0"
+ }
+ ],
+ "risk_score": 21,
+ "rule_id": "d4af3a06-1e0a-48ec-b96a-faf2309fae46",
+ "setup": "## Setup\n\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:\n- Elastic Defend\n- Auditd Manager\n\n### Anomaly Detection Setup\n\nOnce the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \"Definition\" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration to your system:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditd Manager Integration Setup\nThe Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.\nAuditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"auditd_manager\" to your system:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cAuditd Manager\u201d and select the integration to see more details about it.\n- Click \u201cAdd Auditd Manager\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cauditd manager\u201d to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).\n\n#### Rule Specific Setup Note\nAuditd Manager subscribes to the kernel and 
receives events as they occur without any additional configuration.\nHowever, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n- For this detection rule no additional audit rules are required.\n",
+ "severity": "low",
+ "tags": [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Rule Type: ML",
+ "Rule Type: Machine Learning",
+ "Tactic: Discovery"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0007",
+ "name": "Discovery",
+ "reference": "https://attack.mitre.org/tactics/TA0007/"
+ },
+ "technique": [
+ {
+ "id": "T1082",
+ "name": "System Information Discovery",
+ "reference": "https://attack.mitre.org/techniques/T1082/"
+ }
+ ]
+ }
+ ],
+ "type": "machine_learning",
+ "version": 104
+ },
+ "id": "d4af3a06-1e0a-48ec-b96a-faf2309fae46_104",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/d4b73fa0-9d43-465e-b8bf-50230da6718b_104.json b/packages/security_detection_engine/kibana/security_rule/d4b73fa0-9d43-465e-b8bf-50230da6718b_104.json
new file mode 100644
index 00000000000..b195068b708
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/d4b73fa0-9d43-465e-b8bf-50230da6718b_104.json
@@ -0,0 +1,66 @@
+{
+ "attributes": {
+ "anomaly_threshold": 75,
+ "author": [
+ "Elastic"
+ ],
+ "description": "A machine learning job detected a user logging in from an IP address that is unusual for the user. This can be due to credentialed access via a compromised account when the user and the threat actor are in different locations. An unusual source IP address for a username could also be due to lateral movement when a compromised account is used to pivot between hosts.",
+ "false_positives": [
+ "Business travelers who roam to new locations may trigger this alert."
+ ],
+ "from": "now-30m",
+ "interval": "15m",
+ "license": "Elastic License v2",
+ "machine_learning_job_id": "auth_rare_source_ip_for_a_user",
+ "name": "Unusual Source IP for a User to Logon from",
+ "references": [
+ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+ ],
+ "related_integrations": [
+ {
+ "package": "auditd_manager",
+ "version": "^1.0.0"
+ },
+ {
+ "package": "endpoint",
+ "version": "^8.2.0"
+ },
+ {
+ "package": "system",
+ "version": "^1.6.4"
+ }
+ ],
+ "risk_score": 21,
+ "rule_id": "d4b73fa0-9d43-465e-b8bf-50230da6718b",
+ "setup": "## Setup\n\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:\n- Elastic Defend\n- Auditd Manager\n- System\n\n### Anomaly Detection Setup\n\nOnce the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \"Definition\" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration to your system:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditd Manager Integration Setup\nThe Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.\nAuditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"auditd_manager\" to your system:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cAuditd Manager\u201d and select the integration to see more details about it.\n- Click \u201cAdd Auditd Manager\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cauditd manager\u201d to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).\n\n#### Rule Specific Setup Note\nAuditd Manager subscribes to the kernel and 
receives events as they occur without any additional configuration.\nHowever, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n- For this detection rule no additional audit rules are required.\n\n### System Integration Setup\nThe System integration allows you to collect system logs and metrics from your servers with Elastic Agent.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"system\" to your system:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cSystem\u201d and select the integration to see more details about it.\n- Click \u201cAdd System\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201csystem\u201d to an existing or a new agent policy, and deploy the agent on your system from which system log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/system).\n",
+ "severity": "low",
+ "tags": [
+ "Use Case: Identity and Access Audit",
+ "Use Case: Threat Detection",
+ "Rule Type: ML",
+ "Rule Type: Machine Learning",
+ "Tactic: Initial Access"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0001",
+ "name": "Initial Access",
+ "reference": "https://attack.mitre.org/tactics/TA0001/"
+ },
+ "technique": [
+ {
+ "id": "T1078",
+ "name": "Valid Accounts",
+ "reference": "https://attack.mitre.org/techniques/T1078/"
+ }
+ ]
+ }
+ ],
+ "type": "machine_learning",
+ "version": 104
+ },
+ "id": "d4b73fa0-9d43-465e-b8bf-50230da6718b_104",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/d7d5c059-c19a-4a96-8ae3-41496ef3bcf9_104.json b/packages/security_detection_engine/kibana/security_rule/d7d5c059-c19a-4a96-8ae3-41496ef3bcf9_104.json
new file mode 100644
index 00000000000..406638d6aa0
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/d7d5c059-c19a-4a96-8ae3-41496ef3bcf9_104.json
@@ -0,0 +1,66 @@
+{
+ "attributes": {
+ "anomaly_threshold": 75,
+ "author": [
+ "Elastic"
+ ],
+ "description": "A machine learning job found an unusually large spike in successful authentication events. This can be due to password spraying, user enumeration or brute force activity.",
+ "false_positives": [
+ "Build servers and CI systems can sometimes trigger this alert. Security test cycles that include brute force or password spraying activities may trigger this alert."
+ ],
+ "from": "now-30m",
+ "interval": "15m",
+ "license": "Elastic License v2",
+ "machine_learning_job_id": "auth_high_count_logon_events",
+ "name": "Spike in Logon Events",
+ "references": [
+ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+ ],
+ "related_integrations": [
+ {
+ "package": "auditd_manager",
+ "version": "^1.0.0"
+ },
+ {
+ "package": "endpoint",
+ "version": "^8.2.0"
+ },
+ {
+ "package": "system",
+ "version": "^1.6.4"
+ }
+ ],
+ "risk_score": 21,
+ "rule_id": "d7d5c059-c19a-4a96-8ae3-41496ef3bcf9",
+ "setup": "## Setup\n\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:\n- Elastic Defend\n- Auditd Manager\n- System\n\n### Anomaly Detection Setup\n\nOnce the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \"Definition\" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration to your system:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditd Manager Integration Setup\nThe Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.\nAuditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"auditd_manager\" to your system:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cAuditd Manager\u201d and select the integration to see more details about it.\n- Click \u201cAdd Auditd Manager\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cauditd manager\u201d to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).\n\n#### Rule Specific Setup Note\nAuditd Manager subscribes to the kernel and 
receives events as they occur without any additional configuration.\nHowever, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n- For this detection rule no additional audit rules are required.\n\n### System Integration Setup\nThe System integration allows you to collect system logs and metrics from your servers with Elastic Agent.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"system\" to your system:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cSystem\u201d and select the integration to see more details about it.\n- Click \u201cAdd System\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201csystem\u201d to an existing or a new agent policy, and deploy the agent on your system from which system log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/system).\n",
+ "severity": "low",
+ "tags": [
+ "Use Case: Identity and Access Audit",
+ "Use Case: Threat Detection",
+ "Rule Type: ML",
+ "Rule Type: Machine Learning",
+ "Tactic: Credential Access"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0006",
+ "name": "Credential Access",
+ "reference": "https://attack.mitre.org/tactics/TA0006/"
+ },
+ "technique": [
+ {
+ "id": "T1110",
+ "name": "Brute Force",
+ "reference": "https://attack.mitre.org/techniques/T1110/"
+ }
+ ]
+ }
+ ],
+ "type": "machine_learning",
+ "version": 104
+ },
+ "id": "d7d5c059-c19a-4a96-8ae3-41496ef3bcf9_104",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/d93e61db-82d6-4095-99aa-714988118064_1.json b/packages/security_detection_engine/kibana/security_rule/d93e61db-82d6-4095-99aa-714988118064_1.json
new file mode 100644
index 00000000000..c89dc959d0b
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/d93e61db-82d6-4095-99aa-714988118064_1.json
@@ -0,0 +1,129 @@
+{
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Identifies the execution of wbadmin to access the NTDS.dit file in a domain controller. Attackers with privileges from groups like Backup Operators can abuse the utility to perform credential access and compromise the domain.",
+ "from": "now-9m",
+ "index": [
+ "winlogbeat-*",
+ "logs-endpoint.events.process-*",
+ "logs-windows.*",
+ "endgame-*",
+ "logs-system.security*"
+ ],
+ "language": "eql",
+ "license": "Elastic License v2",
+ "name": "NTDS Dump via Wbadmin",
+ "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"wbadmin.exe\" or ?process.pe.original_file_name : \"wbadmin.exe\") and \n process.args : \"recovery\" and process.command_line : \"*ntds.dit*\"\n",
+ "references": [
+ "https://medium.com/r3d-buck3t/windows-privesc-with-sebackupprivilege-65d2cd1eb960"
+ ],
+ "related_integrations": [
+ {
+ "package": "windows",
+ "version": "^1.5.0"
+ },
+ {
+ "package": "endpoint",
+ "version": "^8.2.0"
+ },
+ {
+ "package": "system",
+ "version": "^1.6.4"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "host.os.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.args",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.command_line",
+ "type": "wildcard"
+ },
+ {
+ "ecs": true,
+ "name": "process.name",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.pe.original_file_name",
+ "type": "keyword"
+ }
+ ],
+ "risk_score": 47,
+ "rule_id": "d93e61db-82d6-4095-99aa-714988118064",
+ "severity": "medium",
+ "tags": [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Credential Access",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0006",
+ "name": "Credential Access",
+ "reference": 
"https://attack.mitre.org/tactics/TA0006/"
+ },
+ "technique": [
+ {
+ "id": "T1003",
+ "name": "OS Credential Dumping",
+ "reference": "https://attack.mitre.org/techniques/T1003/",
+ "subtechnique": [
+ {
+ "id": "T1003.002",
+ "name": "Security Account Manager",
+ "reference": "https://attack.mitre.org/techniques/T1003/002/"
+ },
+ {
+ "id": "T1003.003",
+ "name": "NTDS",
+ "reference": "https://attack.mitre.org/techniques/T1003/003/"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0005",
+ "name": "Defense Evasion",
+ "reference": "https://attack.mitre.org/tactics/TA0005/"
+ },
+ "technique": [
+ {
+ "id": "T1006",
+ "name": "Direct Volume Access",
+ "reference": "https://attack.mitre.org/techniques/T1006/"
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "eql",
+ "version": 1
+ },
+ "id": "d93e61db-82d6-4095-99aa-714988118064_1",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/dca28dee-c999-400f-b640-50a081cc0fd1_209.json b/packages/security_detection_engine/kibana/security_rule/dca28dee-c999-400f-b640-50a081cc0fd1_209.json
new file mode 100644
index 00000000000..d2adedba36f
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/dca28dee-c999-400f-b640-50a081cc0fd1_209.json
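Review bot: The `"query"` in this new rule depends on `process.args` and `process.command_line` being populated, but the `"index"` list also targets `logs-system.security*` and `logs-windows.*`, where Windows Security process-creation events carry the command line only when command-line auditing is enabled on the host; as written the rule can silently never fire from those sources and nothing tells the operator why. Unlike every ML rule in this commit, the file has no `setup` field, so the missing prerequisite should be stated there, e.g. `"setup": "## Setup\n\nThis rule requires process creation events with command-line data. For the Windows and System integrations, enable command-line auditing for process creation events on the monitored hosts; Elastic Defend and Endgame provide these fields by default.\n"`. A `note` with triage guidance, as the dca28dee rule that follows carries, would also help responders confirm whether the recovery was a sanctioned backup operation before escalating.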
@@ -0,0 +1,43 @@
+{
+ "attributes": {
+ "anomaly_threshold": 50,
+ "author": [
+ "Elastic"
+ ],
+ "description": "A machine learning job detected AWS command activity that, while not inherently suspicious or abnormal, is sourcing from a geolocation (country) that is unusual for the command. This can be the result of compromised credentials or keys being used by a threat actor in a different geography than the authorized user(s).",
+ "false_positives": [
+ "New or unusual command and user geolocation activity can be due to manual troubleshooting or reconfiguration; changes in cloud automation scripts or workflows; adoption of new services; expansion into new regions; increased adoption of work from home policies; or users who travel frequently."
+ ],
+ "from": "now-2h",
+ "interval": "15m",
+ "license": "Elastic License v2",
+ "machine_learning_job_id": "rare_method_for_a_country",
+ "name": "Unusual Country For an AWS Command",
+ "note": "## Triage and analysis\n\n### Investigating Unusual Country For an AWS Command\n\nCloudTrail logging provides visibility on actions taken within an AWS environment. By monitoring these events and understanding what is considered normal behavior within an organization, you can spot suspicious or malicious activity when deviations occur.\n\nThis rule uses a machine learning job to detect an AWS API command that while not inherently suspicious or abnormal, is sourcing from a geolocation (country) that is unusual for the command. This can be the result of compromised credentials or keys used by a threat actor in a different geography than the authorized user(s).\n\nDetection alerts from this rule indicate an AWS API command or method call that is rare and unusual for the geolocation of the source IP address.\n\n#### Possible investigation steps\n\n- Identify the user account involved and the action performed. 
Verify whether it should perform this kind of action.\n - Examine the user identity in the `aws.cloudtrail.user_identity.arn` field and the access key ID in the `aws.cloudtrail.user_identity.access_key_id` field, which can help identify the precise user context.\n - The user agent details in the `user_agent.original` field may also indicate what kind of a client made the request.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, or network administrator activity.\n- Examine the request parameters. These might indicate the source of the program or the nature of its tasks.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the calling user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- Consider the time of day. If the user is a human (not a program or script), did the activity take place during a normal time of day?\n- Contact the account owner and confirm whether they are aware of this activity if suspicious.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False Positive Analysis\n\n- False positives can occur if activity is coming from new employees based in a country with no previous history in AWS.\n- Examine the history of the command. If the command only manifested recently, it might be part of a new automation module or script. 
If it has a consistent cadence (for example, it appears in small numbers on a weekly or monthly cadence), it might be part of a housekeeping or maintenance process. You can find the command in the `event.action field` field.\n\n### Related Rules\n\n- Unusual City For an AWS Command - 809b70d3-e2c3-455e-af1b-2626a5a1a276\n- Unusual AWS Command for a User - ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1\n- Rare AWS Error Code - 19de8096-e2b0-4bd8-80c9-34a820813fff\n- Spike in AWS Error Messages - 78d3d8d9-b476-451d-a9e0-7a5addd70670\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n",
+ "references": [
+ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+ ],
+ "related_integrations": [
+ {
+ "package": "aws",
+ "version": "^2.0.0"
+ }
+ ],
+ "risk_score": 21,
+ "rule_id": "dca28dee-c999-400f-b640-50a081cc0fd1",
+ "setup": "## Setup\n\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from AWS.\n\n### Anomaly Detection Setup\n\nOnce the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \"Definition\" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. 
For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\n\n### AWS Integration Setup\nThe AWS integration allows you to collect logs and metrics from Amazon Web Services (AWS) with Elastic Agent.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"aws\" to your system:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cAWS\u201d and select the integration to see more details about it.\n- Click \u201cAdd AWS\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201caws\u201d to an existing or a new agent policy, and deploy the agent on your system from which aws log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://www.elastic.co/docs/current/integrations/aws).\n",
+ "severity": "low",
+ "tags": [
+ "Domain: Cloud",
+ "Data Source: AWS",
+ "Data Source: Amazon Web Services",
+ "Rule Type: ML",
+ "Rule Type: Machine Learning",
+ "Resources: Investigation Guide"
+ ],
+ "type": "machine_learning",
+ "version": 209
+ },
+ "id": "dca28dee-c999-400f-b640-50a081cc0fd1_209",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/df197323-72a8-46a9-a08e-3f5b04a4a97a_104.json b/packages/security_detection_engine/kibana/security_rule/df197323-72a8-46a9-a08e-3f5b04a4a97a_104.json
new file mode 100644
index 00000000000..619c3d0fa64
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/df197323-72a8-46a9-a08e-3f5b04a4a97a_104.json
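Review bot: The False Positive Analysis section of `note` reads "You can find the command in the `event.action field` field", with the word "field" caught inside the code span, so the rendered guide shows a field name that does not exist; it should be "You can find the command in the `event.action` field." The same `note` also names the related rules by bare UUID, which is fine for lookup but could carry the rule name alongside the id as the other entries in that list do. In `setup`, the heading calls the AWS integration an "Elastic Agent System integration \"aws\"", which looks like a carry-over from the system/windows setup template used in the other ML rules of this patch rather than a description of the AWS package.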
@@ -0,0 +1,69 @@
+{
+ "attributes": {
+ "anomaly_threshold": 75,
+ "author": [
+ "Elastic"
+ ],
+ "description": "Looks for anomalous access to the cloud platform metadata service by an unusual user. The metadata service may be targeted in order to harvest credentials or user data scripts containing secrets.",
+ "false_positives": [
+ "A newly installed program, or one that runs under a new or rarely used user context, could trigger this detection rule. Manual interrogation of the metadata service during debugging or troubleshooting could trigger this rule."
+ ],
+ "from": "now-45m",
+ "interval": "15m",
+ "license": "Elastic License v2",
+ "machine_learning_job_id": [
+ "v3_windows_rare_metadata_user"
+ ],
+ "name": "Unusual Windows User Calling the Metadata Service",
+ "related_integrations": [
+ {
+ "package": "endpoint",
+ "version": "^8.2.0"
+ },
+ {
+ "package": "windows",
+ "version": "^1.5.0"
+ }
+ ],
+ "risk_score": 21,
+ "rule_id": "df197323-72a8-46a9-a08e-3f5b04a4a97a",
+ "setup": "## Setup\n\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:\n- Elastic Defend\n- Windows\n\n### Anomaly Detection Setup\n\nOnce the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \"Definition\" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration to your system:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Windows Integration Setup\nThe Windows integration allows you to monitor the Windows OS, services, applications, and more.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"windows\" to your system:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cWindows\u201d and select the integration to see more details about it.\n- Click \u201cAdd Windows\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cwindows\u201d to an existing or a new agent policy, and deploy the agent on your system from which windows log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/windows).\n",
+ "severity": "low",
+ "tags": [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Rule Type: ML",
+ "Rule Type: Machine Learning",
+ "Tactic: Credential Access"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0006",
+ "name": "Credential Access",
+ "reference": "https://attack.mitre.org/tactics/TA0006/"
+ },
+ "technique": [
+ {
+ "id": "T1552",
+ "name": "Unsecured Credentials",
+ "reference": "https://attack.mitre.org/techniques/T1552/",
+ "subtechnique": [
+ {
+ "id": "T1552.005",
+ "name": "Cloud Instance Metadata API",
+ "reference": "https://attack.mitre.org/techniques/T1552/005/"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "type": "machine_learning",
+ "version": 104
+ },
+ "id": "df197323-72a8-46a9-a08e-3f5b04a4a97a_104",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/e26aed74-c816-40d3-a810-48d6fbd8b2fd_105.json b/packages/security_detection_engine/kibana/security_rule/e26aed74-c816-40d3-a810-48d6fbd8b2fd_105.json
new file mode 100644
index 00000000000..3c3285f70ff
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/e26aed74-c816-40d3-a810-48d6fbd8b2fd_105.json
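Review bot: `machine_learning_job_id` is written here as a one-element array, `["v3_windows_rare_metadata_user"]`, while the sibling ML rules in this patch (dca28dee, e26aed74, eaa77d63) give the same key as a plain string, so the key's type varies across documents that are installed and processed together. Unless the array form is deliberate for this job, `"machine_learning_job_id": "v3_windows_rare_metadata_user"` keeps the shape uniform for anything that reads these files outside Kibana. This rule also has no `references` entry for the prebuilt ML jobs guide that the other three ML rules carry, and no `note`, which is consistent with the absence of a `Resources: Investigation Guide` tag but leaves the analyst without triage steps for a metadata-service credential-access alert.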
@@ -0,0 +1,96 @@
+{
+ "attributes": {
+ "anomaly_threshold": 75,
+ "author": [
+ "Elastic"
+ ],
+ "description": "A machine learning job found an unusually large spike in successful authentication events from a particular source IP address. This can be due to password spraying, user enumeration or brute force activity.",
+ "false_positives": [
+ "Build servers and CI systems can sometimes trigger this alert. Security test cycles that include brute force or password spraying activities may trigger this alert."
+ ],
+ "from": "now-30m",
+ "interval": "15m",
+ "license": "Elastic License v2",
+ "machine_learning_job_id": "auth_high_count_logon_events_for_a_source_ip",
+ "name": "Spike in Successful Logon Events from a Source IP",
+ "note": "## Triage and analysis\n\n### Investigating Spike in Successful Logon Events from a Source IP\n\nThis rule uses a machine learning job to detect a substantial spike in successful authentication events. This could indicate post-exploitation activities that aim to test which hosts, services, and other resources the attacker can access with the compromised credentials.\n\n#### Possible investigation steps\n\n- Identify the specifics of the involved assets, such as role, criticality, and associated users.\n- Check if the authentication comes from different sources.\n- Use the historical data available to determine if the same behavior happened in the past.\n- Investigate other alerts associated with the involved users during the past 48 hours.\n- Check whether the involved credentials are used in automation or scheduled tasks.\n- If this activity is suspicious, contact the account owner and confirm whether they are aware of it.\n\n### False positive analysis\n\n- Understand the context of the authentications by contacting the asset owners. 
If this activity is related to a new business process or newly implemented (approved) technology, consider adding exceptions \u2014 preferably with a combination of user and source conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n",
+ "references": [
+ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+ ],
+ "related_integrations": [
+ {
+ "package": "auditd_manager",
+ "version": "^1.0.0"
+ },
+ {
+ "package": "endpoint",
+ "version": "^8.2.0"
+ },
+ {
+ "package": "system",
+ "version": "^1.6.4"
+ }
+ ],
+ "risk_score": 21,
+ "rule_id": "e26aed74-c816-40d3-a810-48d6fbd8b2fd",
+ "setup": "## Setup\n\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:\n- Elastic Defend\n- Auditd Manager\n- System\n\n### Anomaly Detection Setup\n\nOnce the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \"Definition\" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration to your system:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditd Manager Integration Setup\nThe Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.\nAuditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"auditd_manager\" to your system:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cAuditd Manager\u201d and select the integration to see more details about it.\n- Click \u201cAdd Auditd Manager\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cauditd manager\u201d to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).\n\n#### Rule Specific Setup Note\nAuditd Manager subscribes to the kernel and 
receives events as they occur without any additional configuration.\nHowever, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n- For this detection rule no additional audit rules are required.\n\n### System Integration Setup\nThe System integration allows you to collect system logs and metrics from your servers with Elastic Agent.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"system\" to your system:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cSystem\u201d and select the integration to see more details about it.\n- Click \u201cAdd System\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201csystem\u201d to an existing or a new agent policy, and deploy the agent on your system from which system log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/system).\n",
+ "severity": "low",
+ "tags": [
+ "Use Case: Identity and Access Audit",
+ "Use Case: Threat Detection",
+ "Rule Type: ML",
+ "Rule Type: Machine Learning",
+ "Tactic: Credential Access",
+ "Tactic: Defense Evasion",
+ "Resources: Investigation Guide"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0006",
+ "name": "Credential Access",
+ "reference": "https://attack.mitre.org/tactics/TA0006/"
+ },
+ "technique": [
+ {
+ "id": "T1110",
+ "name": "Brute Force",
+ "reference": "https://attack.mitre.org/techniques/T1110/"
+ }
+ ]
+ },
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0005",
+ "name": "Defense Evasion",
+ "reference": "https://attack.mitre.org/tactics/TA0005/"
+ },
+ "technique": [
+ {
+ "id": "T1078",
+ "name": "Valid Accounts",
+ "reference": "https://attack.mitre.org/techniques/T1078/",
+ "subtechnique": [
+ {
+ "id": "T1078.002",
+ "name": "Domain Accounts",
+ "reference": "https://attack.mitre.org/techniques/T1078/002/"
+ },
+ {
+ "id": "T1078.003",
+ "name": "Local Accounts",
+ "reference": "https://attack.mitre.org/techniques/T1078/003/"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "type": "machine_learning",
+ "version": 105
+ },
+ "id": "e26aed74-c816-40d3-a810-48d6fbd8b2fd_105",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/eaa77d63-9679-4ce3-be25-3ba8b795e5fa_104.json b/packages/security_detection_engine/kibana/security_rule/eaa77d63-9679-4ce3-be25-3ba8b795e5fa_104.json
new file mode 100644
index 00000000000..4ad83d95a16
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/eaa77d63-9679-4ce3-be25-3ba8b795e5fa_104.json
@@ -0,0 +1,43 @@
+{
+ "attributes": {
+ "anomaly_threshold": 75,
+ "author": [
+ "Elastic"
+ ],
+ "description": "A machine learning job detected an unusually large spike in network traffic that was denied by network access control lists (ACLs) or firewall rules. Such a burst of denied traffic is usually caused by either 1) a mis-configured application or firewall or 2) suspicious or malicious activity. Unsuccessful attempts at network transit, in order to connect to command-and-control (C2), or engage in data exfiltration, may produce a burst of failed connections. This could also be due to unusually large amounts of reconnaissance or enumeration traffic. Denial-of-service attacks or traffic floods may also produce such a surge in traffic.",
+ "false_positives": [
+ "A misconfgured network application or firewall may trigger this alert. Security scans or test cycles may trigger this alert."
+ ],
+ "from": "now-30m",
+ "interval": "15m",
+ "license": "Elastic License v2",
+ "machine_learning_job_id": "high_count_network_denies",
+ "name": "Spike in Firewall Denies",
+ "references": [
+ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+ ],
+ "related_integrations": [
+ {
+ "package": "endpoint",
+ "version": "^8.2.0"
+ },
+ {
+ "package": "network_traffic",
+ "version": "^1.1.0"
+ }
+ ],
+ "risk_score": 21,
+ "rule_id": "eaa77d63-9679-4ce3-be25-3ba8b795e5fa",
+ "setup": "## Setup\n\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:\n- Elastic Defend\n- Network Packet Capture\n\n### Anomaly Detection Setup\n\nOnce the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \"Definition\" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. 
For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration to your system:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Network Packet Capture Integration Setup\nThe Network Packet Capture integration sniffs network packets on a host and dissects known protocols. Monitoring the network traffic is critical to gaining observability and securing your environment \u2014 ensuring high levels of performance and security. The Network Packet Capture integration captures the network traffic between your application servers, decodes common application layer protocols and records the interesting fields for each transaction.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"network_traffic\" to your system:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cNetwork Packet Capture\u201d and select the integration to see more details about it.\n- Click \u201cAdd Network Packet Capture\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cnetwork_traffic\u201d to an existing or a new agent policy, and deploy the agent on your system from which network log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/network_traffic).\n",
+ "severity": "low",
+ "tags": [
+ "Use Case: Threat Detection",
+ "Rule Type: ML",
+ "Rule Type: Machine Learning"
+ ],
+ "type": "machine_learning",
+ "version": 104
+ },
+ "id": "eaa77d63-9679-4ce3-be25-3ba8b795e5fa_104",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/f3e22c8b-ea47-45d1-b502-b57b6de950b3_7.json b/packages/security_detection_engine/kibana/security_rule/f3e22c8b-ea47-45d1-b502-b57b6de950b3_7.json
new file mode 100644
index 00000000000..574a8f8921c
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/f3e22c8b-ea47-45d1-b502-b57b6de950b3_7.json
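Review bot: The `false_positives` entry misspells "misconfigured" as "misconfgured", and the `description` two lines above hyphenates the same word as "mis-configured", so the two user-visible texts of one rule disagree on spelling; `"A misconfigured network application or firewall may trigger this alert. Security scans or test cycles may trigger this alert."` fixes the entry and aligns it with the description once the hyphen is dropped there as well. The `tags` list carries only Use Case and Rule Type entries, with no Domain or Data Source tag, although `related_integrations` names endpoint and network_traffic and the sibling rules in this patch tag their data sources; adding the corresponding Data Source tags would make the rule filterable alongside them.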
@@ -0,0 +1,137 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule is triggered when a URL indicator from the Threat Intel Filebeat module or integrations has a match against an event that contains URL data, like DNS events, network logs, etc.", + "from": "now-65m", + "index": [ + "auditbeat-*", + "endgame-*", + "filebeat-*", + "logs-*", + "packetbeat-*", + "winlogbeat-*" + ], + "interval": "1h", + "language": "kuery", + "license": "Elastic License v2", + "name": "Threat Intel URL Indicator Match", + "note": "## Triage and Analysis\n\n### Investigating Threat Intel URL Indicator Match\n\nThreat Intel indicator match rules allow matching from a local observation, such as an endpoint event that records a file hash with an entry of a file hash stored within the Threat Intel integrations index.\n\nMatches are based on threat intelligence data that's been ingested during the last 30 days. Some integrations don't place expiration dates on their threat indicators, so we strongly recommend validating ingested threat indicators and reviewing match results. When reviewing match results, check associated activity to determine whether the event requires additional investigation.\n\nThis rule is triggered when a URL indicator from the Threat Intel Filebeat module or a threat intelligence integration matches against an event that contains URL data, like DNS events, network logs, etc.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the URL, which can be found in the `threat.indicator.matched.atomic` field:\n - Identify the type of malicious activity related to the URL (phishing, malware, etc.).\n - Check the reputation of the IP address in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n - Execute a WHOIS lookup to retrieve information about the domain registration and contacts to report abuse.\n - If dealing with a phishing incident:\n - Contact the user to gain more information around the delivery method, information sent, etc.\n - Analyze whether the URL is trying to impersonate a legitimate address. Look for typosquatting, extra or unusual subdomains, or other anomalies that could lure the user.\n - Investigate the phishing page to identify which information may have been sent to the attacker by the user.\n- Identify the process responsible for the connection, and investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Retrieve the involved process executable and examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path 
WHERE authenticode.result != 'trusted'\\n\"}}\n- Using the data collected through the analysis, scope users targeted and other machines infected in the environment.\n\n### False Positive Analysis\n\n- False positives might occur after large and publicly written campaigns if curious employees interact with attacker infrastructure.\n- Some feeds may include internal or known benign addresses by mistake (e.g., 8.8.8.8, google.com, 127.0.0.1, etc.). Make sure you understand how blocking a specific domain or address might impact the organization or normal system functioning.\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Consider reporting the address for abuse using the provided contact information.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "url.full:*\n", + "references": [ + "https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-threatintel.html", + "https://www.elastic.co/guide/en/security/master/es-threat-intel-integrations.html", + "https://www.elastic.co/security/tip" + ], + "required_fields": [ + { + "ecs": true, + "name": "url.full", + "type": "wildcard" + } + ], + "risk_score": 99, + "rule_id": "f3e22c8b-ea47-45d1-b502-b57b6de950b3", + "setup": "## Setup\n\nThis rule needs threat intelligence indicators to work.\nThreat intelligence indicators can be collected using an [Elastic Agent integration](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#agent-ti-integration),\nthe [Threat Intel module](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#ti-mod-integration),\nor a [custom integration](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#custom-ti-integration).\n\nMore information can be found [here](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html).\n", + "severity": "critical", + "tags": [ + "OS: Windows", + "Data Source: Elastic Endgame", + "Rule Type: Threat Match" + ], + "threat_filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "disabled": false, + "key": "event.category", + "negate": false, + "params": { + "query": "threat" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.category": "threat" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "disabled": false, + "key": "event.kind", + "negate": 
false, + "params": { + "query": "enrichment" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.kind": "enrichment" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "disabled": false, + "key": "event.type", + "negate": false, + "params": { + "query": "indicator" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.type": "indicator" + } + } + } + ], + "threat_index": [ + "filebeat-*", + "logs-ti_*" + ], + "threat_indicator_path": "threat.indicator", + "threat_language": "kuery", + "threat_mapping": [ + { + "entries": [ + { + "field": "url.full", + "type": "mapping", + "value": "threat.indicator.url.full" + } + ] + }, + { + "entries": [ + { + "field": "url.original", + "type": "mapping", + "value": "threat.indicator.url.original" + } + ] + } + ], + "threat_query": "@timestamp >= \"now-30d/d\" and event.module:(threatintel or ti_*) and threat.indicator.url.full:* and not labels.is_ioc_transform_source:\"true\"", + "timeline_id": "495ad7a7-316e-4544-8a0f-9c098daee76e", + "timeline_title": "Generic Threat Match Timeline", + "timestamp_override": "event.ingested", + "type": "threat_match", + "version": 7 + }, + "id": "f3e22c8b-ea47-45d1-b502-b57b6de950b3_7", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f9590f47-6bd5-4a49-bd49-a2f886476fb9_105.json b/packages/security_detection_engine/kibana/security_rule/f9590f47-6bd5-4a49-bd49-a2f886476fb9_105.json new file mode 100644 index 00000000000..cfb6e3b2763 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/f9590f47-6bd5-4a49-bd49-a2f886476fb9_105.json 
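Review bot: The second `threat_mapping` entry (`url.original` → `threat.indicator.url.original`) can only fire on documents that also carry `url.full`, because the rule `query` is `url.full:*` and `threat_query` requires `threat.indicator.url.full:*`; events or indicators that have only `url.original` are never evaluated. Either widen both filters, e.g. `"query": "url.full:* or url.original:*\n"` and `threat.indicator.url.full:* or threat.indicator.url.original:*` in `threat_query` (adding `url.original` to `required_fields`), or drop the second mapping entry so the rule evaluates exactly what it documents. The `note` text also still describes matching "a file hash", which reads as copied from another indicator rule; a one-line edit to say URL indicator would avoid confusing triage.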
@@ -0,0 +1,62 @@ +{ + "attributes": { + "anomaly_threshold": 25, + "author": [ + "Elastic" + ], + "description": "Looks for commands related to system network configuration discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used by a threat actor to engage in system network configuration discovery in order to increase their understanding of connected networks and hosts. This information may be used to shape follow-up behaviors such as lateral movement or additional discovery.", + "false_positives": [ + "Uncommon user command activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration." + ], + "from": "now-45m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": [ + "v3_linux_network_configuration_discovery" + ], + "name": "Unusual Linux Network Configuration Discovery", + "related_integrations": [ + { + "package": "auditd_manager", + "version": "^1.0.0" + }, + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "risk_score": 21, + "rule_id": "f9590f47-6bd5-4a49-bd49-a2f886476fb9", + "setup": "## Setup\n\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:\n- Elastic Defend\n- Auditd Manager\n\n### Anomaly Detection Setup\n\nOnce the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \"Definition\" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration to your system:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditd Manager Integration Setup\nThe Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.\nAuditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"auditd_manager\" to your system:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cAuditd Manager\u201d and select the integration to see more details about it.\n- Click \u201cAdd Auditd Manager\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cauditd manager\u201d to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).\n\n#### Rule Specific Setup Note\nAuditd Manager subscribes to the kernel and 
receives events as they occur without any additional configuration.\nHowever, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n- For this detection rule no additional audit rules are required.\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Discovery" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1016", + "name": "System Network Configuration Discovery", + "reference": "https://attack.mitre.org/techniques/T1016/" + } + ] + } + ], + "type": "machine_learning", + "version": 105 + }, + "id": "f9590f47-6bd5-4a49-bd49-a2f886476fb9_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/manifest.yml b/packages/security_detection_engine/manifest.yml index abe87f65fe8..366892ed695 100644 --- a/packages/security_detection_engine/manifest.yml +++ b/packages/security_detection_engine/manifest.yml @@ -21,4 +21,4 @@ source: license: Elastic-2.0 title: Prebuilt Security Detection Rules type: integration -version: 8.14.3 +version: 8.14.4-beta.1 From 3702a314e807c62d68807180b4aa513445386f77 Mon Sep 17 00:00:00 2001 
From: Andrew Gizas Date: Tue, 25 Jun 2024 16:05:25 +0300 Subject: [PATCH 048/105] [Prometheus Collector]Set ssl verification mode none and default username to empty (#10088) * ssl verification mode none and default username * Update packages/prometheus/data_stream/collector/manifest.yml Co-authored-by: Tetiana Kravchenko * Update packages/prometheus/changelog.yml Co-authored-by: Aman <38116245+devamanv@users.noreply.github.com> --------- Co-authored-by: Tetiana Kravchenko Co-authored-by: Aman <38116245+devamanv@users.noreply.github.com> --- packages/prometheus/changelog.yml | 5 +++++ .../data_stream/collector/agent/stream/stream.yml.hbs | 1 + packages/prometheus/data_stream/collector/manifest.yml | 8 +++++++- packages/prometheus/manifest.yml | 2 +- 4 files changed, 14 insertions(+), 2 deletions(-) diff --git a/packages/prometheus/changelog.yml b/packages/prometheus/changelog.yml index 830015d1582..f1f0cdf6c50 100644 --- a/packages/prometheus/changelog.yml +++ b/packages/prometheus/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.15.3" + changes: + - description: Adding ssl verfication mode and removing default username for collector + type: bugfix + link: https://github.com/elastic/integrations/pull/10088 - version: "1.15.2" changes: - description: Fix typo - Replace "darastream" with "datastream" diff --git a/packages/prometheus/data_stream/collector/agent/stream/stream.yml.hbs b/packages/prometheus/data_stream/collector/agent/stream/stream.yml.hbs index abdcaf52791..fb3bec0e7d7 100644 --- a/packages/prometheus/data_stream/collector/agent/stream/stream.yml.hbs +++ b/packages/prometheus/data_stream/collector/agent/stream/stream.yml.hbs @@ -16,6 +16,7 @@ period: {{period}} rate_counters: {{rate_counters}} {{#if bearer_token_file}} bearer_token_file: {{bearer_token_file}} +ssl.verification_mode: {{ssl.verification_mode}} {{/if}} {{#if ssl.certificate_authorities}} ssl.certificate_authorities: 
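Review bot: The added `ssl.verification_mode` line is rendered only inside `{{#if bearer_token_file}}`, and the collector manifest.yml hunk in this commit gives the variable `default: none`, so every policy that configures a bearer token file silently stops verifying the Prometheus server's certificate, while a policy without a bearer token cannot set a verification mode at all. Presenting a bearer token over TLS to an unverified peer defeats the purpose of TLS for that credential; I would keep `full` (the Beats default when the key is omitted) as the default and let operators opt into `none`, and give the option its own guard after the bearer block: `{{#if ssl.verification_mode}}` / `ssl.verification_mode: {{ssl.verification_mode}}` / `{{/if}}`.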
diff --git a/packages/prometheus/data_stream/collector/manifest.yml b/packages/prometheus/data_stream/collector/manifest.yml index 00521e90033..1838ca0c3a8 100644 --- a/packages/prometheus/data_stream/collector/manifest.yml +++ b/packages/prometheus/data_stream/collector/manifest.yml @@ -64,6 +64,13 @@ streams: secret: false required: false show_user: false + - name: ssl.verification_mode + type: text + title: SSL Verification Mode + multi: false + required: false + show_user: false + default: none - name: ssl.certificate_authorities type: text title: SSL Certificate Authorities @@ -91,7 +98,6 @@ streams: multi: false required: false show_user: false - default: user - name: password type: password secret: true diff --git a/packages/prometheus/manifest.yml b/packages/prometheus/manifest.yml index f9c5dd8edef..0ebaa2a1ddf 100644 --- a/packages/prometheus/manifest.yml +++ b/packages/prometheus/manifest.yml @@ -1,7 +1,7 @@ format_version: 2.10.0 name: prometheus title: Prometheus -version: 1.15.2 +version: 1.15.3 description: Collect metrics from Prometheus servers with Elastic Agent. type: integration categories: From fc6e8c50a01ca785d7b8ef52b972eddc7e910fef Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?R=C3=B4mulo=20Farias?= Date: Tue, 25 Jun 2024 15:50:15 +0200 Subject: [PATCH 049/105] Map all fields from cloud asset inventory integration (#10211) * Map all fields from cloud asset inventory integration * Map only specific fields as flattened * Remove flattened fields, decision will be made later --- packages/cloud_asset_inventory/changelog.yml | 2 +- .../asset_inventory/fields/asset.yml | 41 +++++++++++---- .../asset_inventory/fields/cloud.yml | 51 +++++++++++++++++++ .../asset_inventory/fields/host.yml | 20 ++++++++ .../asset_inventory/fields/iam.yml | 10 ++++ .../asset_inventory/fields/network.yml | 41 +++++++++++++++ .../fields/resource_policies.yml | 35 +++++++++++++ .../data_stream/asset_inventory/manifest.yml | 2 +- packages/cloud_asset_inventory/manifest.yml | 2 +- 9 files changed, 192 insertions(+), 12 deletions(-) create mode 100644 packages/cloud_asset_inventory/data_stream/asset_inventory/fields/cloud.yml create mode 100644 packages/cloud_asset_inventory/data_stream/asset_inventory/fields/host.yml create mode 100644 packages/cloud_asset_inventory/data_stream/asset_inventory/fields/iam.yml create mode 100644 packages/cloud_asset_inventory/data_stream/asset_inventory/fields/network.yml create mode 100644 packages/cloud_asset_inventory/data_stream/asset_inventory/fields/resource_policies.yml diff --git a/packages/cloud_asset_inventory/changelog.yml b/packages/cloud_asset_inventory/changelog.yml index 02cd25e99a5..ec98656a863 100644 --- a/packages/cloud_asset_inventory/changelog.yml +++ b/packages/cloud_asset_inventory/changelog.yml @@ -1,7 +1,7 @@ # newer versions go on top # version map: # 0.1.x - 8.15.x -- version: "0.1.2" +- version: "0.1.4" changes: - description: Add Cloud Asset Inventory type: enhancement diff --git a/packages/cloud_asset_inventory/data_stream/asset_inventory/fields/asset.yml b/packages/cloud_asset_inventory/data_stream/asset_inventory/fields/asset.yml index 778f16485f2..3ca4aff6da8 100644 
--- a/packages/cloud_asset_inventory/data_stream/asset_inventory/fields/asset.yml +++ b/packages/cloud_asset_inventory/data_stream/asset_inventory/fields/asset.yml @@ -1,13 +1,36 @@ - name: asset - type: group + type: group fields: + - name: id + type: keyword + + - name: name + type: text + + - name: category + type: keyword + + - name: sub_category + type: keyword + + - name: type + type: keyword + + - name: sub_type + type: keyword + + - name: tags + type: object + object_type: keyword + - name: raw - # https://github.com/elastic/package-spec/blob/main/spec/integration/data_stream/fields/fields.spec.yml#L312 + type: group + dynamic: true ignore_malformed: true - type: group - fields: - - name: bucket_policy - type: object - object_type: keyword - enabled: false - \ No newline at end of file + fields: + - name: bucket_policy + type: object + object_type: keyword + ignore_malformed: true + + \ No newline at end of file diff --git a/packages/cloud_asset_inventory/data_stream/asset_inventory/fields/cloud.yml b/packages/cloud_asset_inventory/data_stream/asset_inventory/fields/cloud.yml new file mode 100644 index 00000000000..633ac6c9592 --- /dev/null +++ b/packages/cloud_asset_inventory/data_stream/asset_inventory/fields/cloud.yml @@ -0,0 +1,51 @@ +- name: cloud + type: group + fields: + - name: availability_zone + type: keyword + + - name: provider + type: keyword + + - name: region + type: keyword + + - name: account + type: group + fields: + - name: id + type: keyword + + - name: name + type: text + + - name: instance + type: group + fields: + - name: id + type: keyword + + - name: name + type: text + + - name: project + type: group + fields: + - name: id + type: keyword + + - name: name + type: text + + - name: service + type: group + fields: + - name: name + type: text + + - name: machine + type: group + fields: + - name: machine_type + type: keyword + 
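Review bot: `asset.raw` becomes `dynamic: true` at the same time the data stream's index template switches to `dynamic: false` (manifest.yml hunk in this commit), so this subtree is where arbitrary keys of each provider's raw payload get mapped at ingest; with heterogeneous asset types that can grow the mapping toward the index field limit, and `bucket_policy` additionally loses its `enabled: false`, so its keys are now indexed as well. The commit message defers the flattened-vs-object decision, so in the meantime I would keep `bucket_policy` as `enabled: false` and either drop `dynamic: true` from `raw` or add a comment on it such as `# dynamic until the flattened/object decision; field-count growth accepted`. The `condition` group in the new resource_policies.yml (`dynamic: true`, no declared fields) has the same exposure.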
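Review bot: `cloud.*` is an ECS namespace, but `cloud.account.name`, `cloud.instance.name`, `cloud.project.name` and `cloud.service.name` are declared here as `text`, which makes them non-aggregatable and unusable for exact-match filtering in dashboards and detection rules, and `cloud.machine.machine_type` does not match the ECS field name `cloud.machine.type`. I would declare the name fields as `type: keyword` (or, if the package already references ECS elsewhere, use `external: ecs` for these entries) and rename the machine field to `- name: type` so data from this integration lines up with other sources.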
diff --git a/packages/cloud_asset_inventory/data_stream/asset_inventory/fields/host.yml b/packages/cloud_asset_inventory/data_stream/asset_inventory/fields/host.yml new file mode 100644 index 00000000000..8b6b5a66421 --- /dev/null +++ b/packages/cloud_asset_inventory/data_stream/asset_inventory/fields/host.yml @@ -0,0 +1,20 @@ +- name: host + type: group + fields: + - name: architecture + type: keyword + + - name: imageId + type: keyword + + - name: instance_type + type: keyword + + - name: platform + type: keyword + + - name: platform_details + type: keyword + + + \ No newline at end of file diff --git a/packages/cloud_asset_inventory/data_stream/asset_inventory/fields/iam.yml b/packages/cloud_asset_inventory/data_stream/asset_inventory/fields/iam.yml new file mode 100644 index 00000000000..5a3fee09f3c --- /dev/null +++ b/packages/cloud_asset_inventory/data_stream/asset_inventory/fields/iam.yml @@ -0,0 +1,10 @@ +- name: iam + type: group + fields: + - name: id + type: keyword + + - name: arn + type: keyword + + \ No newline at end of file diff --git a/packages/cloud_asset_inventory/data_stream/asset_inventory/fields/network.yml b/packages/cloud_asset_inventory/data_stream/asset_inventory/fields/network.yml new file mode 100644 index 00000000000..caac1812a83 --- /dev/null +++ b/packages/cloud_asset_inventory/data_stream/asset_inventory/fields/network.yml @@ -0,0 +1,41 @@ +- name: network + type: group + fields: + - name: ipv6_address + type: keyword + + - name: network_id + type: keyword + + - name: private_dns_name + type: keyword + + - name: private_ip_address + type: keyword + + - name: public_dns_name + type: keyword + + - name: public_ip_address + type: keyword + + - name: network_interface_ids + type: keyword + + - name: route_table_ids + type: keyword + + - name: security_group_ids + type: keyword + + - name: subnet_ids + type: keyword + + - name: transit_gateway_ids + type: keyword + + - name: vpc_ids + type: keyword + + + \ No newline at end of file 
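Review bot: `host.imageId` is camelCase while every sibling in this file (`instance_type`, `platform_details`) and the rest of the data stream use snake_case, so consumers end up with two naming styles in one index. The new resource_policies.yml hunk has the same issue with `notAction` and `noResource`, and if those mirror the IAM policy elements `NotAction`/`NotResource`, `noResource` also looks like a typo. I would rename to `- name: image_id`, `- name: not_action` and `- name: not_resource` before the package ships, since renaming fields later is a breaking change for saved searches and rules.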
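Review bot: `network.ipv6_address`, `network.private_ip_address` and `network.public_ip_address` are mapped as `keyword`, so CIDR and range queries (the usual way detection rules and dashboards scope by subnet) will not work on them, and malformed values are accepted silently. If the source always emits literal addresses, `type: ip` is the fitting mapping for these three; if a field may also carry non-address strings, keep `keyword` but add a comment saying why.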
diff --git a/packages/cloud_asset_inventory/data_stream/asset_inventory/fields/resource_policies.yml b/packages/cloud_asset_inventory/data_stream/asset_inventory/fields/resource_policies.yml new file mode 100644 index 00000000000..5b4e577e42a --- /dev/null +++ b/packages/cloud_asset_inventory/data_stream/asset_inventory/fields/resource_policies.yml @@ -0,0 +1,35 @@ +- name: resource_policies + type: group + fields: + - name: version + type: keyword + + - name: id + type: keyword + + - name: effect + type: keyword + + - name: principal + type: object + object_type: keyword + + - name: action + type: keyword + + - name: notAction + type: keyword + + - name: resource + type: keyword + + - name: noResource + type: keyword + + - name: condition + type: group + ignore_malformed: true + dynamic: true + + + diff --git a/packages/cloud_asset_inventory/data_stream/asset_inventory/manifest.yml b/packages/cloud_asset_inventory/data_stream/asset_inventory/manifest.yml index 0ffd1324967..dd469418622 100644 --- a/packages/cloud_asset_inventory/data_stream/asset_inventory/manifest.yml +++ b/packages/cloud_asset_inventory/data_stream/asset_inventory/manifest.yml @@ -6,7 +6,7 @@ elasticsearch: dynamic_dataset: true index_template: mappings: - dynamic: true + dynamic: false streams: - input: cloudbeat/asset_inventory_aws title: AWS Asset Inventory diff --git a/packages/cloud_asset_inventory/manifest.yml b/packages/cloud_asset_inventory/manifest.yml index 87b1e64b1f7..8da5b56a78e 100644 --- a/packages/cloud_asset_inventory/manifest.yml +++ b/packages/cloud_asset_inventory/manifest.yml @@ -1,7 +1,7 @@ format_version: 3.0.0 name: cloud_asset_inventory title: "Cloud Asset Inventory" -version: "0.1.2" +version: "0.1.4" source: license: "Elastic-2.0" description: "Discover and Create Cloud Assets Inventory" From 24e7d48599b034f3fa0417eb58d05bbc82086da0 Mon Sep 17 00:00:00 2001 
From: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com> Date: Tue, 25 Jun 2024 09:56:31 -0400 Subject: [PATCH 050/105] [Security Rules] Update security rules package to v8.14.4 (#10245) --- packages/security_detection_engine/changelog.yml | 5 +++++ packages/security_detection_engine/manifest.yml | 2 +- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/packages/security_detection_engine/changelog.yml b/packages/security_detection_engine/changelog.yml index 9d6ec7e5784..6d8be62f6e4 100644 --- a/packages/security_detection_engine/changelog.yml +++ b/packages/security_detection_engine/changelog.yml @@ -1,5 +1,10 @@ # newer versions go on top # NOTE: please use pre-release versions (e.g. -beta.0) until a package is ready for production +- version: 8.14.4 + changes: + - description: Release security rules update + type: enhancement + link: https://github.com/elastic/integrations/pull/10245 - version: 8.14.4-beta.1 changes: - description: Release security rules update diff --git a/packages/security_detection_engine/manifest.yml b/packages/security_detection_engine/manifest.yml index 366892ed695..a227837f64e 100644 --- a/packages/security_detection_engine/manifest.yml +++ b/packages/security_detection_engine/manifest.yml @@ -21,4 +21,4 @@ source: license: Elastic-2.0 title: Prebuilt Security Detection Rules type: integration -version: 8.14.4-beta.1 +version: 8.14.4 From 5b20afc88768b6a5df9f57533072e008ce28670a Mon Sep 17 00:00:00 2001 
From: jonathan molinatto Date: Tue, 25 Jun 2024 13:41:51 -0400 Subject: [PATCH 051/105] [cisco_asa] Loosen a grok pattern for a Customer issue (#10243) [cisco_asa] Loosen grok patterns for 725007 (and similarly patterned) messages to correct matching misses Ensure that the loosening does not match invalid lines Add sample logs --- packages/cisco_asa/changelog.yml | 5 ++ .../pipeline/test-additional-messages.log | 1 + ...test-additional-messages.log-expected.json | 66 +++++++++++++++++++ .../elasticsearch/ingest_pipeline/default.yml | 8 +-- packages/cisco_asa/manifest.yml | 2 +- 5 files changed, 77 insertions(+), 5 deletions(-) diff --git a/packages/cisco_asa/changelog.yml b/packages/cisco_asa/changelog.yml index a3f283f1294..23de5ede142 100644 --- a/packages/cisco_asa/changelog.yml +++ b/packages/cisco_asa/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "2.35.2" + changes: + - description: Loosen a grok pattern for a customer SDH. + type: bugfix + link: https://github.com/elastic/integrations/pull/10243 - version: "2.35.1" changes: - description: Extract user agent from 722055 logs to correct field. diff --git a/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-additional-messages.log b/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-additional-messages.log index f50594962bb..ce4bde61be2 100644 --- a/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-additional-messages.log +++ b/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-additional-messages.log 
@@ -133,6 +133,7 @@ May 5 19:02:25 dev01: %ASA-6-716039: Group User IP <17 <140>Oct 03 2023 16:40:40 myAsaHostname : %ASA-6-725001: Starting SSL handshake with client inside:172.16.0.1/1133 for TLSv1.2 session. <140>Oct 03 2023 16:40:40 myAsaHostname : %ASA-6-725002: Device completed SSL handshake with client inside:172.16.0.1/1133 to 10.20.0.1/443 for TLSv1.2 session. <140>Oct 03 2023 16:40:40 myAsaHostname : %ASA-6-725007: SSL session with client inside:172.16.0.1/1133 to 10.20.0.1/443 terminated. +<166>2024-06-20T22:25:26Z: %ASA-6-725007: SSL session with client outside:172.16.0.1/49243 to 10.20.0.1/443 terminated <140>Oct 03 2023 16:40:40 myAsaHostname : %ASA-6-725016: Device selects trust-point TRUSTPOINT_1 for client inside:172.16.0.1/1133 to 10.20.0.1/443 <140>Oct 03 2023 16:40:40 myAsaHostname : %ASA-5-737003: IPAA: Session=0x1122334455667788, DHCP configured, no viable servers found for tunnel-group TUNNEL_GROUP_1 <140>Oct 03 2023 16:40:40 myAsaHostname : %ASA-5-737003: IPAA: DHCP configured, no viable servers found for tunnel-group TUNNEL_GROUP_1 diff --git a/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-additional-messages.log-expected.json b/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-additional-messages.log-expected.json index 5d3f36f0658..7b8731481f5 100644 --- a/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-additional-messages.log-expected.json +++ b/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-additional-messages.log-expected.json 
@@ -9539,6 +9539,72 @@
 "preserve_original_event"
 ]
 },
+ {
+ "@timestamp": "2024-06-20T22:25:26.000Z",
+ "cisco": {
+ "asa": {
+ "peer_type": "client",
+ "source_interface": "outside"
+ }
+ },
+ "destination": {
+ "ip": "10.20.0.1",
+ "port": 443
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "category": [
+ "network"
+ ],
+ "code": "725007",
+ "kind": "event",
+ "original": "<166>2024-06-20T22:25:26Z: %ASA-6-725007: SSL session with client outside:172.16.0.1/49243 to 10.20.0.1/443 terminated",
+ "outcome": "success",
+ "severity": 6,
+ "timezone": "UTC",
+ "type": [
+ "connection",
+ "end"
+ ]
+ },
+ "log": {
+ "level": "informational",
+ "syslog": {
+ "facility": {
+ "code": 20
+ },
+ "priority": 166,
+ "severity": {
+ "code": 6
+ }
+ }
+ },
+ "observer": {
+ "ingress": {
+ "interface": {
+ "name": "outside"
+ }
+ },
+ "product": "asa",
+ "type": "firewall",
+ "vendor": "Cisco"
+ },
+ "related": {
+ "ip": [
+ "172.16.0.1",
+ "10.20.0.1"
+ ]
+ },
+ "source": {
+ "ip": "172.16.0.1",
+ "port": 49243
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
 {
 "@timestamp": "2023-10-03T16:40:40.000Z",
 "cisco": {
diff --git a/packages/cisco_asa/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/cisco_asa/data_stream/log/elasticsearch/ingest_pipeline/default.yml
index 9cb15ddafec..22eaeb18c1e 100644
--- a/packages/cisco_asa/data_stream/log/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/cisco_asa/data_stream/log/elasticsearch/ingest_pipeline/default.yml
@@ -982,20 +982,20 @@ processors:
 if: "ctx._temp_.cisco.message_id == '725001'"
 tag: parse_725001
 patterns:
- - '^Starting SSL handshake with %{NOTSPACE:_temp_.cisco.peer_type} %{DATA:_temp_.cisco.source_interface}:%{NOTSPACE:source.ip}/%{NOTSPACE:source.port} to %{NOTSPACE:destination.ip}/%{NOTSPACE:destination.port} for %{NOTSPACE:_temp_.cisco.tls_version} session.$'
- - '^Starting SSL handshake with %{NOTSPACE:_temp_.cisco.peer_type} %{DATA:_temp_.cisco.source_interface}:%{NOTSPACE:source.ip}/%{NOTSPACE:source.port} for %{NOTSPACE:_temp_.cisco.tls_version} session.$'
+ - '^Starting SSL handshake with %{NOTSPACE:_temp_.cisco.peer_type} %{DATA:_temp_.cisco.source_interface}:%{NOTSPACE:source.ip}/%{NOTSPACE:source.port} to %{NOTSPACE:destination.ip}/%{NOTSPACE:destination.port} for %{NOTSPACE:_temp_.cisco.tls_version} session'
+ - '^Starting SSL handshake with %{NOTSPACE:_temp_.cisco.peer_type} %{DATA:_temp_.cisco.source_interface}:%{NOTSPACE:source.ip}/%{NOTSPACE:source.port} for %{NOTSPACE:_temp_.cisco.tls_version} session'
 - grok:
 field: message
 if: "ctx._temp_.cisco.message_id == '725002'"
 tag: parse_725002
 patterns:
- - '^Device completed SSL handshake with %{NOTSPACE:_temp_.cisco.peer_type} %{DATA:_temp_.cisco.source_interface}:%{NOTSPACE:source.ip}/%{NOTSPACE:source.port} to %{NOTSPACE:destination.ip}/%{NOTSPACE:destination.port} for %{NOTSPACE:_temp_.cisco.tls_version} session.$'
+ - '^Device completed SSL handshake with %{NOTSPACE:_temp_.cisco.peer_type} %{DATA:_temp_.cisco.source_interface}:%{NOTSPACE:source.ip}/%{NOTSPACE:source.port} to %{NOTSPACE:destination.ip}/%{NOTSPACE:destination.port} for %{NOTSPACE:_temp_.cisco.tls_version}'
 - grok:
 field: message
 if: "ctx._temp_.cisco.message_id == '725007'"
 tag: parse_725007
 patterns:
- - '^SSL session with %{NOTSPACE:_temp_.cisco.peer_type} %{DATA:_temp_.cisco.source_interface}:%{NOTSPACE:source.ip}/%{NOTSPACE:source.port} to %{NOTSPACE:destination.ip}/%{NOTSPACE:destination.port} terminated.$'
+ - '^SSL 
session with %{NOTSPACE:_temp_.cisco.peer_type} %{DATA:_temp_.cisco.source_interface}:%{NOTSPACE:source.ip}/%{NOTSPACE:source.port} to %{NOTSPACE:destination.ip}/%{NOTSPACE:destination.port} terminated'
 - grok:
 field: message
 if: "ctx._temp_.cisco.message_id == '725016'"
diff --git a/packages/cisco_asa/manifest.yml b/packages/cisco_asa/manifest.yml
index 07a6d577322..e6f47a51391 100644
--- a/packages/cisco_asa/manifest.yml
+++ b/packages/cisco_asa/manifest.yml
@@ -1,7 +1,7 @@
 format_version: "3.0.3"
 name: cisco_asa
 title: Cisco ASA
-version: "2.35.1"
+version: "2.35.2"
 description: Collect logs from Cisco ASA with Elastic Agent.
 type: integration
 categories:
From 4d81bd6c7e03924f7e86842da79c3b890359e5d9 Mon Sep 17 00:00:00 2001 From: Nic Date: Tue, 25 Jun 2024 16:36:21 -0500 Subject: [PATCH 052/105] [o365] clarify title and description (#10218) --- packages/o365/_dev/build/docs/README.md | 10 +++++----- packages/o365/changelog.yml | 5 +++++ packages/o365/data_stream/audit/manifest.yml | 2 +- packages/o365/docs/README.md | 10 +++++----- packages/o365/manifest.yml | 6 +++--- 5 files changed, 19 insertions(+), 14 deletions(-)
diff --git a/packages/o365/_dev/build/docs/README.md b/packages/o365/_dev/build/docs/README.md
index cca735f0d38..fb5d0d2c8dc 100644
--- a/packages/o365/_dev/build/docs/README.md
+++ b/packages/o365/_dev/build/docs/README.md
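Review bot: The rewritten 725001, 725002 and 725007 patterns drop the `$` anchor along with the trailing period, so any text after `session` / `terminated` (and, for 725002, after the TLS version token) is now accepted silently, which works against the commit's stated aim that the loosening should not match invalid lines. Making the period optional while keeping the anchor accepts the new no-period sample and still rejects trailing garbage: `terminated\.?$'` for 725007 and `session\.?$'` for both 725001 patterns. The 725002 pattern additionally loses the word `session` entirely; restoring ` session\.?$'` after `%{NOTSPACE:_temp_.cisco.tls_version}` keeps it consistent with 725001 (NOTSPACE already stops the version capture at the following space, so nothing else changes). The `processors` list these grok entries belong to starts and ends outside the hunk.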
@@ -21,8 +21,8 @@ Once the application is registered, configure and/or note the following to setup - If `User.Read` permission under `Microsoft.Graph` tile is not added by default, add this permission. - After the permissions are added, the admin has to grant consent for these permissions. -Once the secret is created and permissions are granted by admin, setup Elastic Agent's O365 integration: -- Click `Add Microsoft 365`. +Once the secret is created and permissions are granted by admin, setup Elastic Agent's Microsoft O365 integration: +- Click `Add Microsoft Office 365`. - Enable `Collect Office 365 audit logs via Management Activity API using CEL Input`. - Add `Directory (tenant) ID` noted in Step 1 into `Directory (tenant) ID` parameter. This is required field. - Add `Application (client) ID` noted in Step 1 into `Application (client) ID` parameter. This is required field. 
@@ -31,13 +31,13 @@ Once the secret is created and permissions are granted by admin, setup Elastic A - Modify any other parameters as necessary. -**NOTE:** As Microsoft is no longer supporting Azure Active Directory Authentication Library (ADAL), the existing o365audit input is being deprecated in favor of new [CEL](https://www.elastic.co/guide/en/beats/filebeat/8.6/filebeat-input-cel.html) input in version `1.18.0`. Hence for versions `>= 1.18.0`, certificate based authentication (provided by earlier o365audit input) is no longer supported. +**NOTE:** As Microsoft is no longer supporting Azure Active Directory Authentication Library (ADAL), the existing o365audit input has been deprecated in favor of the [CEL](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-cel.html) input in version `1.18.0`. Hence for versions `>= 1.18.0`, certificate based authentication (provided by earlier o365audit input) is no longer supported. We request users upgrading from integration version `< 1.18.0` to `>= 1.18.0` to follow these steps: 1. Upgrade the Elastic Stack version to `>= 8.7.1`. -2. Upgrade the integration navigating via `Integrations -> Microsoft 365 -> Settings -> Upgrade` -3. Upgrade the integration policy navigating via `Integrations -> Microsoft 365 -> integration policies -> Version (Upgrade)`. If `Upgrade` option doesn't appear under the `Version`, that means the policy is already upgraded in the previous step. Please go to the next step. +2. Upgrade the integration navigating via `Integrations -> Microsoft Office 365 -> Settings -> Upgrade` +3. Upgrade the integration policy navigating via `Integrations -> Microsoft Office 365 -> integration policies -> Version (Upgrade)`. If `Upgrade` option doesn't appear under the `Version`, that means the policy is already upgraded in the previous step. Please go to the next step. 4. 
Modify the integration policy: * Disable existing configuration (marked as `Deprecated`) and enable `Collect Office 365 audit logs via CEL` configuration. diff --git a/packages/o365/changelog.yml b/packages/o365/changelog.yml index e2b63923fe6..ccddbe6cf66 100644 --- a/packages/o365/changelog.yml +++ b/packages/o365/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "2.5.1" + changes: + - description: Add Office to titles and description to better align with integration purpose. + type: bugfix + link: https://github.com/elastic/integrations/pull/10218 - version: "2.5.0" changes: - description: Increase request tracer log count to ten. diff --git a/packages/o365/data_stream/audit/manifest.yml b/packages/o365/data_stream/audit/manifest.yml index d2cb9e2795a..b20e4451e82 100644 --- a/packages/o365/data_stream/audit/manifest.yml +++ b/packages/o365/data_stream/audit/manifest.yml @@ -1,5 +1,5 @@ type: logs -title: Office 365 audit logs +title: Microsoft Office 365 audit logs streams: - input: cel enabled: true diff --git a/packages/o365/docs/README.md b/packages/o365/docs/README.md index 0024af294a7..75624ab7a01 100644 --- a/packages/o365/docs/README.md +++ b/packages/o365/docs/README.md 
@@ -21,8 +21,8 @@ Once the application is registered, configure and/or note the following to setup - If `User.Read` permission under `Microsoft.Graph` tile is not added by default, add this permission. - After the permissions are added, the admin has to grant consent for these permissions. -Once the secret is created and permissions are granted by admin, setup Elastic Agent's O365 integration: -- Click `Add Microsoft 365`. +Once the secret is created and permissions are granted by admin, setup Elastic Agent's Microsoft O365 integration: +- Click `Add Microsoft Office 365`. - Enable `Collect Office 365 audit logs via Management Activity API using CEL Input`. - Add `Directory (tenant) ID` noted in Step 1 into `Directory (tenant) ID` parameter. This is required field. - Add `Application (client) ID` noted in Step 1 into `Application (client) ID` parameter. This is required field. 
@@ -31,13 +31,13 @@ Once the secret is created and permissions are granted by admin, setup Elastic A - Modify any other parameters as necessary. -**NOTE:** As Microsoft is no longer supporting Azure Active Directory Authentication Library (ADAL), the existing o365audit input is being deprecated in favor of new [CEL](https://www.elastic.co/guide/en/beats/filebeat/8.6/filebeat-input-cel.html) input in version `1.18.0`. Hence for versions `>= 1.18.0`, certificate based authentication (provided by earlier o365audit input) is no longer supported. +**NOTE:** As Microsoft is no longer supporting Azure Active Directory Authentication Library (ADAL), the existing o365audit input has been deprecated in favor of the [CEL](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-cel.html) input in version `1.18.0`. Hence for versions `>= 1.18.0`, certificate based authentication (provided by earlier o365audit input) is no longer supported. We request users upgrading from integration version `< 1.18.0` to `>= 1.18.0` to follow these steps: 1. Upgrade the Elastic Stack version to `>= 8.7.1`. -2. Upgrade the integration navigating via `Integrations -> Microsoft 365 -> Settings -> Upgrade` -3. Upgrade the integration policy navigating via `Integrations -> Microsoft 365 -> integration policies -> Version (Upgrade)`. If `Upgrade` option doesn't appear under the `Version`, that means the policy is already upgraded in the previous step. Please go to the next step. +2. Upgrade the integration navigating via `Integrations -> Microsoft Office 365 -> Settings -> Upgrade` +3. Upgrade the integration policy navigating via `Integrations -> Microsoft Office 365 -> integration policies -> Version (Upgrade)`. If `Upgrade` option doesn't appear under the `Version`, that means the policy is already upgraded in the previous step. Please go to the next step. 4. 
Modify the integration policy: * Disable existing configuration (marked as `Deprecated`) and enable `Collect Office 365 audit logs via CEL` configuration. diff --git a/packages/o365/manifest.yml b/packages/o365/manifest.yml index 6e451bc00a6..5a8c9ef0f2a 100644 --- a/packages/o365/manifest.yml +++ b/packages/o365/manifest.yml @@ -1,7 +1,7 @@ name: o365 -title: Microsoft 365 -version: "2.5.0" -description: Collect logs from Microsoft 365 with Elastic Agent. +title: Microsoft Office 365 +version: "2.5.1" +description: Collect logs from Microsoft Office 365 with Elastic Agent. type: integration format_version: "3.0.2" categories: [security, productivity_security] From 3da25c30f211fab105e646f17509df2586e1647e Mon Sep 17 00:00:00 2001 
From: Krishna Chaitanya Reddy Burri Date: Wed, 26 Jun 2024 12:56:23 +0530 Subject: [PATCH 053/105] ti_rapid7_threat_command: Add IOC expiration (#9925) * Add IOC expiration * Remove existing custom rules, views, and transforms in favour of Elastic SIEM rules. --- .../_dev/build/docs/README.md | 237 +++---- .../_dev/deploy/docker/files/config.yml | 6 +- .../fields/base-fields.yml | 3 - .../fields/ecs.yml | 26 - .../fields/fields.yml | 176 ----- .../manifest.yml | 1 - .../transform.yml | 25 - .../fields/base-fields.yml | 3 - .../fields/ecs.yml | 182 ----- .../fields/fields.yml | 19 - .../manifest.yml | 1 - .../transform.yml | 29 - .../manifest.yml | 1 - .../transform.yml | 25 - .../fields/overridden-ecs.yml | 4 - .../manifest.yml | 1 - .../transform.yml | 25 - .../manifest.yml | 1 - .../transform.yml | 22 - .../ti_rapid7_threat_command/changelog.yml | 5 + .../data_stream/alert/fields/fields.yml | 4 +- .../data_stream/alert/sample_event.json | 41 +- .../_dev/test/pipeline/test-common-config.yml | 2 + .../test-ioc-event.json-expected.json | 21 + .../_dev/test/system/test-default-config.yml | 1 + .../ioc/agent/stream/httpjson.yml.hbs | 7 + .../ioc/elasticsearch/ilm/default_policy.json | 23 + .../elasticsearch/ingest_pipeline/default.yml | 95 +++ .../data_stream/ioc/fields/fields.yml | 10 +- .../ioc/fields/is-ioc-transform-source.yml | 4 + .../data_stream/ioc/lifecycle.yml | 1 + .../data_stream/ioc/manifest.yml | 9 + .../data_stream/ioc/sample_event.json | 33 +- .../vulnerability/sample_event.json | 18 +- .../ti_rapid7_threat_command/docs/README.md | 311 ++++---- .../transform/latest_alert}/fields/agent.yml | 0 .../latest_alert}/fields/base-fields.yml | 0 .../transform/latest_alert}/fields/ecs.yml | 6 +- .../transform/latest_alert}/fields/fields.yml | 4 +- .../transform/latest_alert/manifest.yml | 18 + .../transform/latest_alert/transform.yml | 40 ++ .../transform/latest_ioc}/fields/agent.yml | 0 .../latest_ioc}/fields/base-fields.yml | 0 
.../transform/latest_ioc}/fields/ecs.yml | 14 +- .../transform/latest_ioc}/fields/fields.yml | 10 +- .../transform/latest_ioc/manifest.yml | 18 + .../transform/latest_ioc/transform.yml | 43 ++ .../latest_vulnerability}/fields/agent.yml | 12 +- .../fields/base-fields.yml | 0 .../latest_vulnerability}/fields/ecs.yml | 2 + .../latest_vulnerability}/fields/fields.yml | 0 .../latest_vulnerability/manifest.yml | 18 + .../latest_vulnerability/transform.yml | 40 ++ ...ti_rapid7_threat_command-alert_details.png | Bin 270832 -> 0 bytes ..._rapid7_threat_command-ioc_correlation.png | Bin 212269 -> 0 bytes ...threat_command-ioc_correlation_details.png | Bin 359663 -> 0 bytes ...reat_command-vulnerability_correlation.png | Bin 216435 -> 0 bytes ...mand-vulnerability_correlation_details.png | Bin 334670 -> 0 bytes ...-0ee0c5f0-7208-11ed-af6f-3913a325a746.json | 666 ------------------ ...-1abe9f50-591c-11ed-a133-234996671b18.json | 141 ++-- ...-20735802-0864-485a-8b6f-e138aae5900d.json | 128 ++-- ...-2388d940-f6b4-11ec-ad26-2fb998639a1e.json | 504 ------------- ...-24d08610-7227-11ed-af6f-3913a325a746.json | 598 ---------------- ...-7fdae3b0-590a-11ed-abd0-858c1d0aec26.json | 465 ------------ ...-8dea15b0-f3a3-11ec-aff5-576c7e430437.json | 651 ----------------- ...-8f985fb0-6988-11ed-8bdb-110ff35bc478.json | 83 ++- .../361f11b4-9960-449c-92d1-78552fdc1e2f.json | 21 - .../4892667b-bbca-4e6e-ba53-adb5991962e1.json | 20 - .../724c3004-3d26-417c-a40a-3aba3114e6e5.json | 20 - .../95d4b197-dd52-4a27-b78e-57e6b1d65576.json | 20 - .../bc0cc792-9280-4992-b678-f722214374ff.json | 20 - .../c5231120-f6a1-11ec-9af4-21d6785db030.json | 20 - .../fde85dca-3e55-4134-8dae-0a026d1d568e.json | 20 - .../af814670-3279-11ed-93fa-d354b323cd1b.json | 229 ------ .../eaecc8f0-6704-11ed-80b2-9bbc46f73b72.json | 91 --- ...eat_command-security-solution-default.json | 14 + .../ti_rapid7_threat_command/manifest.yml | 23 +- 77 files changed, 959 insertions(+), 4372 deletions(-) delete mode 100644 
packages/ti_rapid7_threat_command/_dev/deploy/docker/transform/ti_rapid7_threat_command_cve_rule_transform/fields/base-fields.yml delete mode 100644 packages/ti_rapid7_threat_command/_dev/deploy/docker/transform/ti_rapid7_threat_command_cve_rule_transform/fields/ecs.yml delete mode 100644 packages/ti_rapid7_threat_command/_dev/deploy/docker/transform/ti_rapid7_threat_command_cve_rule_transform/fields/fields.yml delete mode 100644 packages/ti_rapid7_threat_command/_dev/deploy/docker/transform/ti_rapid7_threat_command_cve_rule_transform/manifest.yml delete mode 100644 packages/ti_rapid7_threat_command/_dev/deploy/docker/transform/ti_rapid7_threat_command_cve_rule_transform/transform.yml delete mode 100644 packages/ti_rapid7_threat_command/_dev/deploy/docker/transform/ti_rapid7_threat_command_ioc_rule_transform/fields/base-fields.yml delete mode 100644 packages/ti_rapid7_threat_command/_dev/deploy/docker/transform/ti_rapid7_threat_command_ioc_rule_transform/fields/ecs.yml delete mode 100644 packages/ti_rapid7_threat_command/_dev/deploy/docker/transform/ti_rapid7_threat_command_ioc_rule_transform/fields/fields.yml delete mode 100644 packages/ti_rapid7_threat_command/_dev/deploy/docker/transform/ti_rapid7_threat_command_ioc_rule_transform/manifest.yml delete mode 100644 packages/ti_rapid7_threat_command/_dev/deploy/docker/transform/ti_rapid7_threat_command_ioc_rule_transform/transform.yml delete mode 100644 packages/ti_rapid7_threat_command/_dev/deploy/docker/transform/ti_rapid7_threat_command_unique_alert_transform/manifest.yml delete mode 100644 packages/ti_rapid7_threat_command/_dev/deploy/docker/transform/ti_rapid7_threat_command_unique_alert_transform/transform.yml delete mode 100644 packages/ti_rapid7_threat_command/_dev/deploy/docker/transform/ti_rapid7_threat_command_unique_cve_transform/fields/overridden-ecs.yml delete mode 100644 packages/ti_rapid7_threat_command/_dev/deploy/docker/transform/ti_rapid7_threat_command_unique_cve_transform/manifest.yml delete 
mode 100644 packages/ti_rapid7_threat_command/_dev/deploy/docker/transform/ti_rapid7_threat_command_unique_cve_transform/transform.yml delete mode 100644 packages/ti_rapid7_threat_command/_dev/deploy/docker/transform/ti_rapid7_threat_command_unique_ioc_transform/manifest.yml delete mode 100644 packages/ti_rapid7_threat_command/_dev/deploy/docker/transform/ti_rapid7_threat_command_unique_ioc_transform/transform.yml create mode 100644 packages/ti_rapid7_threat_command/data_stream/ioc/elasticsearch/ilm/default_policy.json create mode 100644 packages/ti_rapid7_threat_command/data_stream/ioc/fields/is-ioc-transform-source.yml create mode 100644 packages/ti_rapid7_threat_command/data_stream/ioc/lifecycle.yml rename packages/ti_rapid7_threat_command/{_dev/deploy/docker/transform/ti_rapid7_threat_command_unique_alert_transform => elasticsearch/transform/latest_alert}/fields/agent.yml (100%) rename packages/ti_rapid7_threat_command/{_dev/deploy/docker/transform/ti_rapid7_threat_command_unique_alert_transform => elasticsearch/transform/latest_alert}/fields/base-fields.yml (100%) rename packages/ti_rapid7_threat_command/{_dev/deploy/docker/transform/ti_rapid7_threat_command_unique_alert_transform => elasticsearch/transform/latest_alert}/fields/ecs.yml (86%) rename packages/ti_rapid7_threat_command/{_dev/deploy/docker/transform/ti_rapid7_threat_command_unique_alert_transform => elasticsearch/transform/latest_alert}/fields/fields.yml (98%) create mode 100644 packages/ti_rapid7_threat_command/elasticsearch/transform/latest_alert/manifest.yml create mode 100644 packages/ti_rapid7_threat_command/elasticsearch/transform/latest_alert/transform.yml rename packages/ti_rapid7_threat_command/{_dev/deploy/docker/transform/ti_rapid7_threat_command_unique_cve_transform => elasticsearch/transform/latest_ioc}/fields/agent.yml (100%) rename packages/ti_rapid7_threat_command/{_dev/deploy/docker/transform/ti_rapid7_threat_command_unique_cve_transform => 
elasticsearch/transform/latest_ioc}/fields/base-fields.yml (100%) rename packages/ti_rapid7_threat_command/{_dev/deploy/docker/transform/ti_rapid7_threat_command_unique_ioc_transform => elasticsearch/transform/latest_ioc}/fields/ecs.yml (93%) rename packages/ti_rapid7_threat_command/{_dev/deploy/docker/transform/ti_rapid7_threat_command_unique_ioc_transform => elasticsearch/transform/latest_ioc}/fields/fields.yml (88%) create mode 100644 packages/ti_rapid7_threat_command/elasticsearch/transform/latest_ioc/manifest.yml create mode 100644 packages/ti_rapid7_threat_command/elasticsearch/transform/latest_ioc/transform.yml rename packages/ti_rapid7_threat_command/{_dev/deploy/docker/transform/ti_rapid7_threat_command_unique_ioc_transform => elasticsearch/transform/latest_vulnerability}/fields/agent.yml (97%) rename packages/ti_rapid7_threat_command/{_dev/deploy/docker/transform/ti_rapid7_threat_command_unique_ioc_transform => elasticsearch/transform/latest_vulnerability}/fields/base-fields.yml (100%) rename packages/ti_rapid7_threat_command/{_dev/deploy/docker/transform/ti_rapid7_threat_command_unique_cve_transform => elasticsearch/transform/latest_vulnerability}/fields/ecs.yml (94%) rename packages/ti_rapid7_threat_command/{_dev/deploy/docker/transform/ti_rapid7_threat_command_unique_cve_transform => elasticsearch/transform/latest_vulnerability}/fields/fields.yml (100%) create mode 100644 packages/ti_rapid7_threat_command/elasticsearch/transform/latest_vulnerability/manifest.yml create mode 100644 packages/ti_rapid7_threat_command/elasticsearch/transform/latest_vulnerability/transform.yml delete mode 100644 packages/ti_rapid7_threat_command/img/ti_rapid7_threat_command-alert_details.png delete mode 100644 packages/ti_rapid7_threat_command/img/ti_rapid7_threat_command-ioc_correlation.png delete mode 100644 packages/ti_rapid7_threat_command/img/ti_rapid7_threat_command-ioc_correlation_details.png delete mode 100644 
packages/ti_rapid7_threat_command/img/ti_rapid7_threat_command-vulnerability_correlation.png delete mode 100644 packages/ti_rapid7_threat_command/img/ti_rapid7_threat_command-vulnerability_correlation_details.png delete mode 100644 packages/ti_rapid7_threat_command/kibana/dashboard/ti_rapid7_threat_command-0ee0c5f0-7208-11ed-af6f-3913a325a746.json delete mode 100644 packages/ti_rapid7_threat_command/kibana/dashboard/ti_rapid7_threat_command-2388d940-f6b4-11ec-ad26-2fb998639a1e.json delete mode 100644 packages/ti_rapid7_threat_command/kibana/dashboard/ti_rapid7_threat_command-24d08610-7227-11ed-af6f-3913a325a746.json delete mode 100644 packages/ti_rapid7_threat_command/kibana/dashboard/ti_rapid7_threat_command-7fdae3b0-590a-11ed-abd0-858c1d0aec26.json delete mode 100644 packages/ti_rapid7_threat_command/kibana/dashboard/ti_rapid7_threat_command-8dea15b0-f3a3-11ec-aff5-576c7e430437.json delete mode 100644 packages/ti_rapid7_threat_command/kibana/index_pattern/361f11b4-9960-449c-92d1-78552fdc1e2f.json delete mode 100644 packages/ti_rapid7_threat_command/kibana/index_pattern/4892667b-bbca-4e6e-ba53-adb5991962e1.json delete mode 100644 packages/ti_rapid7_threat_command/kibana/index_pattern/724c3004-3d26-417c-a40a-3aba3114e6e5.json delete mode 100644 packages/ti_rapid7_threat_command/kibana/index_pattern/95d4b197-dd52-4a27-b78e-57e6b1d65576.json delete mode 100644 packages/ti_rapid7_threat_command/kibana/index_pattern/bc0cc792-9280-4992-b678-f722214374ff.json delete mode 100644 packages/ti_rapid7_threat_command/kibana/index_pattern/c5231120-f6a1-11ec-9af4-21d6785db030.json delete mode 100644 packages/ti_rapid7_threat_command/kibana/index_pattern/fde85dca-3e55-4134-8dae-0a026d1d568e.json delete mode 100644 packages/ti_rapid7_threat_command/kibana/security_rule/af814670-3279-11ed-93fa-d354b323cd1b.json delete mode 100644 packages/ti_rapid7_threat_command/kibana/security_rule/eaecc8f0-6704-11ed-80b2-9bbc46f73b72.json create mode 100644 
packages/ti_rapid7_threat_command/kibana/tag/ti_rapid7_threat_command-security-solution-default.json diff --git a/packages/ti_rapid7_threat_command/_dev/build/docs/README.md b/packages/ti_rapid7_threat_command/_dev/build/docs/README.md index 9a7c7381458..603cb6e794e 100644 --- a/packages/ti_rapid7_threat_command/_dev/build/docs/README.md +++ b/packages/ti_rapid7_threat_command/_dev/build/docs/README.md 
@@ -18,19 +18,51 @@ The Rapid7 Threat Command integration collects three types of data: ioc, alert, - This integration has been tested against Rapid7 Threat Command `IOC API v2`, `Alert API v1`, and `Vulnerability API v1`. -- Rapid7 Threat Command integration is compatible with Elastic stack `v8.4.0` and newer. +- Rapid7 Threat Command integration is compatible with Elastic stack `v8.12.0` and newer. ## Requirements -You need Elasticsearch for storing and searching your data and Kibana for visualizing and managing it. You can use our hosted Elasticsearch Service on Elastic Cloud, which is recommended or self-manage the Elastic Stack on your own hardware. +### Elasticsearch -This package requires at least a [Platinum level subscription](https://www.elastic.co/subscriptions#:~:text=Basic%201%2C%202-,Plati%C2%ADnum,-Enter%C2%ADprise) to use drill-downs and alert actions. Please ensure that you have a **Trial** or **Platinum level** subscription installed on your cluster before proceeding. +You need Elasticsearch for storing and searching your data and Kibana for visualizing and managing it. You can use our hosted Elasticsearch Service on Elastic Cloud, which is recommended, or self-manage the Elastic Stack on your own hardware. + +### Elastic Agent + +Elastic Agent must be installed. For more information, refer to the link [here](https://www.elastic.co/guide/en/fleet/current/elastic-agent-installation.html). + +You have a few options for installing and managing an Elastic Agent: + +#### Install a Fleet-managed Elastic Agent (recommended): + +With this approach, you install Elastic Agent and use Fleet in Kibana to define, configure, and manage your agents in a central location. We recommend using Fleet management because it makes the management and upgrade of your agents considerably easier. 
+ +#### Install Elastic Agent in standalone mode (advanced users): + +With this approach, you install Elastic Agent and manually configure the agent locally on the system where it’s installed. You are responsible for managing and upgrading the agents. This approach is reserved for advanced users only. + +#### Install Elastic Agent in a containerized environment: + +You can run Elastic Agent inside a container, either with Fleet Server or standalone. Docker images for all versions of Elastic Agent are available from the Elastic Docker registry, and we provide deployment manifests for running on Kubernetes. + +There are some minimum requirements for running Elastic Agent and for more information, refer to the link [here](https://www.elastic.co/guide/en/fleet/current/elastic-agent-installation.html). + +### Other prerequisites + +The minimum **kibana.version** required is **8.12.0**. Check the prerequisites for [Transforms](https://www.elastic.co/guide/en/elasticsearch/reference/current/transform-setup.html#transform-setup). Check the prerequisites for [Actions and Connectors](https://www.elastic.co/guide/en/kibana/current/create-connector-api.html#_prerequisites_16). -### Filtering IOCs +## Setup + +### Integration settings + +#### IOC Expiration Duration + +This setting enforces all active Indicators of Compromise (IOCs) to expire after this duration since their last seen time indicated in the feed. Use [Elasticsearch time units](https://www.elastic.co/guide/en/elasticsearch/reference/current/api-conventions.html#time-units) in days, hours, or minutes (e.g `10d`). If invalid units are provided, default value `90d` i.e., 90 days is used to expire the indicators. More details on indicator expiration, read [Expiration of Indicators of Compromise (IOCs)](https://www.elastic.co/docs/current/integrations/ti_rapid7_threat_command#expiration-of-indicators-of-compromise-\(iocs\)) section. 
+ +#### Filtering IOCs In order to filter the results based on severity and type, one can make use of **IOC Severities** and **IOC Types** parameters: @@ -38,7 +70,7 @@ In order to filter the results based on severity and type, one can make use of * - Allowed values for IOC Types: IpAddresses, Urls, Domains, Hashes, Emails. -### Filtering Alerts +#### Filtering Alerts In order to filter the results based on severity, type, and status, one can make use of **Alert Severities**, **Alert Types**, **Fetch Closed Alerts** parameters: @@ -48,7 +80,7 @@ In order to filter the results based on severity, type, and status, one can make **Note**: Individual policies need to be configured to retrieve both **Closed** and **Open** alerts. -### Filtering Vulnerabilities +#### Filtering Vulnerabilities In order to filter the results based on severity, one can make use of the **Vulnerability Severities** parameter: 
@@ -56,122 +88,93 @@ In order to filter the results based on severity, one can make use of the **Vuln Click on **Add row** to filter out data using multiple values of the parameter. -## Setup +### Major changes after integration version `1.16.0` + +**If the integration is being upgraded from version <=1.16.0 to >=2.0.0, one or more actions in below sections are required for the integration to work.** + +#### Removal of custom rules + +The integration versions until `1.16.0` added custom security detection rules for storing matching indicators and CVEs from user indices to those ingested from Rapid7 Threat Command integration. These rules are now replaced by one or more of [Elastic prebuilt detection rules](https://www.elastic.co/guide/en/security/current/prebuilt-rules.html). Following are the changes: -Once the integration is configured and data collection is started, add transforms to identify the latest documents and process data of correlation indices. - -### Add Transforms for Unique IOCs and Detection Rule - -1. In Kibana, go to **Management > Dev Tools**. -2. Add the below APIs to the console and execute it. 
-- Create a template for unique IOCs index -``` -POST _index_template/rapid7-tc-unique-ioc-template -{"index_patterns":["rapid7-tc-unique-iocs"],"template":{"mappings":{"properties":{"@timestamp":{"type":"date"},"agent":{"properties":{"ephemeral_id":{"type":"keyword","ignore_above":1024},"id":{"type":"keyword","ignore_above":1024},"name":{"type":"keyword","ignore_above":1024},"type":{"type":"keyword","ignore_above":1024},"version":{"type":"keyword","ignore_above":1024}}},"cloud":{"properties":{"account":{"properties":{"id":{"type":"keyword","ignore_above":1024}}},"availability_zone":{"type":"keyword","ignore_above":1024},"image":{"properties":{"id":{"type":"keyword","ignore_above":1024}}},"instance":{"properties":{"id":{"type":"keyword","ignore_above":1024},"name":{"type":"keyword","ignore_above":1024}}},"machine":{"properties":{"type":{"type":"keyword","ignore_above":1024}}},"project":{"properties":{"id":{"type":"keyword","ignore_above":1024}}},"provider":{"type":"keyword","ignore_above":1024},"region":{"type":"keyword","ignore_above":1024}}},"container":{"properties":{"id":{"type":"keyword","ignore_above":1024},"image":{"properties":{"name":{"type":"keyword","ignore_above":1024}}},"name":{"type":"keyword","ignore_above":1024}}},"data_stream":{"properties":{"dataset":{"type":"constant_keyword"},"namespace":{"type":"constant_keyword"},"type":{"type":"constant_keyword"}}},"ecs":{"properties":{"version":{"type":"keyword"}}},"elastic_agent":{"properties":{"id":{"type":"keyword","ignore_above":1024},"snapshot":{"type":"boolean"},"version":{"type":"keyword","ignore_above":1024}}},"error":{"properties":{"message":{"type":"match_only_text"}}},"event":{"properties":{"category":{"type":"keyword"},"created":{"type":"date"},"dataset":{"type":"keyword"},"kind":{"type":"keyword"},"module":{"type":"keyword"},"original":{"type":"keyword"},"risk_score":{"type":"float"},"type":{"type":"keyword"}}},"host":{"properties":{"architecture":{"type":"keyword","ignore_above":1024},"container
ized":{"type":"boolean"},"domain":{"type":"keyword","ignore_above":1024},"hostname":{"type":"keyword","ignore_above":1024},"id":{"type":"keyword","ignore_above":1024},"ip":{"type":"ip"},"mac":{"type":"keyword","ignore_above":1024},"name":{"type":"keyword","ignore_above":1024},"os":{"properties":{"build":{"type":"keyword","ignore_above":1024},"codename":{"type":"keyword","ignore_above":1024},"family":{"type":"keyword","ignore_above":1024},"kernel":{"type":"keyword","ignore_above":1024},"name":{"type":"keyword","ignore_above":1024,"fields":{"text":{"type":"text"}}},"platform":{"type":"keyword","ignore_above":1024},"version":{"type":"keyword","ignore_above":1024}}},"type":{"type":"keyword","ignore_above":1024}}},"input":{"properties":{"type":{"type":"keyword","ignore_above":1024}}},"log":{"properties":{"offset":{"type":"long"}}},"related":{"properties":{"hash":{"type":"keyword"},"ip":{"type":"ip"}}},"rapid7":{"properties":{"tc":{"properties":{"ioc":{"properties":{"first_seen":{"type":"date"},"geolocation":{"type":"keyword"},"last_seen":{"type":"date"},"last_update_date":{"type":"date"},"provider":{"type":"keyword"},"related":{"properties":{"campaigns":{"type":"keyword"},"malware":{"type":"keyword"},"threat_actors":{"type":"keyword"}}},"reported_feeds":{"type":"nested","properties":{"confidence":{"type":"long"},"id":{"type":"keyword","ignore_above":1024},"name":{"type":"keyword","ignore_above":1024}}},"score":{"type":"double"},"severity":{"type":"keyword"},"status":{"type":"keyword"},"tags":{"type":"keyword"},"type":{"type":"keyword"},"value":{"type":"keyword","ignore_above":4096},"whitelisted":{"type":"keyword"}}}}}}},"tags":{"type":"keyword"},"threat":{"properties":{"indicator":{"properties":{"as":{"properties":{"number":{"type":"long"},"organization":{"properties":{"name":{"type":"keyword","ignore_above":1024,"fields":{"text":{"type":"match_only_text"}}}}}}},"confidence":{"type":"keyword","ignore_above":1024},"description":{"type":"keyword","ignore_above":1024},"emai
l":{"properties":{"address":{"type":"keyword"}}},"file":{"properties":{"hash":{"properties":{"md5":{"type":"keyword","ignore_above":1024},"sha1":{"type":"keyword","ignore_above":1024},"sha256":{"type":"keyword","ignore_above":1024},"sha512":{"type":"keyword","ignore_above":1024},"sha384":{"type":"keyword","ignore_above":1024}}}}},"first_seen":{"type":"date"},"geo":{"properties":{"city_name":{"type":"keyword","ignore_above":1024},"continent_code":{"type":"keyword","ignore_above":1024},"continent_name":{"type":"keyword","ignore_above":1024},"country_iso_code":{"type":"keyword","ignore_above":1024},"country_name":{"type":"keyword","ignore_above":1024},"location":{"type":"geo_point"},"name":{"type":"keyword","ignore_above":1024},"postal_code":{"type":"keyword","ignore_above":1024},"region_iso_code":{"type":"keyword","ignore_above":1024},"region_name":{"type":"keyword","ignore_above":1024},"timezone":{"type":"keyword","ignore_above":1024}}},"ip":{"type":"ip"},"last_seen":{"type":"date"},"modified_at":{"type":"date"},"provider":{"type":"keyword","ignore_above":1024},"type":{"type":"keyword","ignore_above":1024},"url":{"properties":{"domain":{"type":"keyword","ignore_above":1024},"extension":{"type":"keyword","ignore_above":1024},"fragment":{"type":"keyword","ignore_above":1024},"full":{"type":"wildcard","ignore_above":4096,"fields":{"text":{"type":"match_only_text"}}},"original":{"type":"wildcard","ignore_above":4096,"fields":{"text":{"type":"match_only_text"}}},"password":{"type":"wildcard","ignore_above":1024},"path":{"type":"wildcard","ignore_above":1024},"port":{"type":"long"},"query":{"type":"keyword","ignore_above":4096},"registered_domain":{"type":"keyword","ignore_above":1024},"scheme":{"type":"keyword","ignore_above":1024},"subdomain":{"type":"keyword","ignore_above":1024},"top_level_domain":{"type":"keyword","ignore_above":1024},"username":{"type":"keyword","ignore_above":1024}}}}}}}}}}} -``` -- Create a transform for unique IOCs -``` -PUT 
_transform/ti_rapid7_threat_command_unique_ioc_transform -{"source":{"index":["logs-*"],"query":{"bool":{"should":[{"match_phrase":{"data_stream.dataset":"ti_rapid7_threat_command.ioc"}}],"minimum_should_match":1}}},"dest":{"index":"rapid7-tc-unique-iocs","pipeline":"0.1.0-ti_rapid7_threat_command-unique-ioc-transform-pipeline"},"frequency":"30m","sync":{"time":{"field":"event.ingested","delay":"60s"}},"latest":{"unique_key":["rapid7.tc.ioc.value"],"sort":"@timestamp"},"description":"This transform creates index to maintain unique values of IOCs."} -``` -- Start a transform for unique IOCs -``` -POST _transform/ti_rapid7_threat_command_unique_ioc_transform/_start -``` -- Create a template for correlation index of IOC rule transform -``` -POST _index_template/ioc-rule-transform-template -{"index_patterns":["rapid7-tc-ioc-correlations"],"template":{"mappings":{"properties":{"@timestamp":{"type":"date"},"rapid7":{"properties":{"tc":{"properties":{"ioc":{"properties":{"tags":{"type":"keyword"},"value":{"type":"keyword","ignore_above":4096},"related":{"properties":{"campaigns":{"type":"keyword"},"malware":{"type":"keyword"},"threat_actors":{"type":"keyword"}}}}}}}}},"threat":{"properties":{"enrichment":{"properties":{"indicator":{"properties":{"as":{"properties":{"number":{"type":"long"},"organization":{"properties":{"name":{"type":"keyword","ignore_above":1024,"fields":{"text":{"type":"match_only_text"}}}}}}},"confidence":{"type":"keyword","ignore_above":1024},"description":{"type":"keyword","ignore_above":1024},"email":{"properties":{"address":{"type":"keyword"}}},"file":{"properties":{"hash":{"properties":{"md5":{"type":"keyword","ignore_above":1024},"sha1":{"type":"keyword","ignore_above":1024},"sha256":{"type":"keyword","ignore_above":1024},"sha512":{"type":"keyword","ignore_above":1024},"sha384":{"type":"keyword","ignore_above":1024}}}}},"first_seen":{"type":"date"},"geo":{"properties":{"city_name":{"type":"keyword","ignore_above":1024},"continent_code":{"type":"ke
yword","ignore_above":1024},"continent_name":{"type":"keyword","ignore_above":1024},"country_iso_code":{"type":"keyword","ignore_above":1024},"country_name":{"type":"keyword","ignore_above":1024},"location":{"type":"geo_point"},"name":{"type":"keyword","ignore_above":1024},"postal_code":{"type":"keyword","ignore_above":1024},"region_iso_code":{"type":"keyword","ignore_above":1024},"region_name":{"type":"keyword","ignore_above":1024},"timezone":{"type":"keyword","ignore_above":1024}}},"ip":{"type":"ip"},"last_seen":{"type":"date"},"modified_at":{"type":"date"},"provider":{"type":"keyword","ignore_above":1024},"type":{"type":"keyword","ignore_above":1024},"url":{"properties":{"domain":{"type":"keyword","ignore_above":1024},"extension":{"type":"keyword","ignore_above":1024},"fragment":{"type":"keyword","ignore_above":1024},"full":{"type":"wildcard","ignore_above":4096,"fields":{"text":{"type":"match_only_text"}}},"original":{"type":"wildcard","ignore_above":4096,"fields":{"text":{"type":"match_only_text"}}},"password":{"type":"wildcard","ignore_above":1024},"path":{"type":"wildcard","ignore_above":1024},"port":{"type":"long"},"query":{"type":"keyword","ignore_above":4096},"registered_domain":{"type":"keyword","ignore_above":1024},"scheme":{"type":"keyword","ignore_above":1024},"subdomain":{"type":"keyword","ignore_above":1024},"top_level_domain":{"type":"keyword","ignore_above":1024},"username":{"type":"keyword","ignore_above":1024}}}}},"matched":{"properties":{"atomic":{"type":"keyword"},"field":{"type":"keyword"},"id":{"type":"keyword"},"index":{"type":"keyword"},"occured":{"type":"keyword"},"type":{"type":"keyword"}}}}},"indicator":{"properties":{"as":{"properties":{"number":{"type":"long"},"organization":{"properties":{"name":{"type":"keyword","ignore_above":1024,"fields":{"text":{"type":"match_only_text"}}}}}}},"confidence":{"type":"keyword","ignore_above":1024},"description":{"type":"keyword","ignore_above":1024},"email":{"properties":{"address":{"type":"keyword"
}}},"file":{"properties":{"hash":{"properties":{"md5":{"type":"keyword","ignore_above":1024},"sha1":{"type":"keyword","ignore_above":1024},"sha256":{"type":"keyword","ignore_above":1024},"sha512":{"type":"keyword","ignore_above":1024},"sha384":{"type":"keyword","ignore_above":1024}}}}},"first_seen":{"type":"date"},"geo":{"properties":{"city_name":{"type":"keyword","ignore_above":1024},"continent_code":{"type":"keyword","ignore_above":1024},"continent_name":{"type":"keyword","ignore_above":1024},"country_iso_code":{"type":"keyword","ignore_above":1024},"country_name":{"type":"keyword","ignore_above":1024},"location":{"type":"geo_point"},"name":{"type":"keyword","ignore_above":1024},"postal_code":{"type":"keyword","ignore_above":1024},"region_iso_code":{"type":"keyword","ignore_above":1024},"region_name":{"type":"keyword","ignore_above":1024},"timezone":{"type":"keyword","ignore_above":1024}}},"ip":{"type":"ip"},"last_seen":{"type":"date"},"provider":{"type":"keyword","ignore_above":1024},"modified_at":{"type":"date"},"type":{"type":"keyword","ignore_above":1024},"url":{"properties":{"domain":{"type":"keyword","ignore_above":1024},"extension":{"type":"keyword","ignore_above":1024},"fragment":{"type":"keyword","ignore_above":1024},"full":{"type":"wildcard","ignore_above":4096,"fields":{"text":{"type":"match_only_text"}}},"original":{"type":"wildcard","ignore_above":4096,"fields":{"text":{"type":"match_only_text"}}},"password":{"type":"wildcard","ignore_above":1024},"path":{"type":"wildcard","ignore_above":1024},"port":{"type":"long"},"query":{"type":"keyword","ignore_above":4096},"registered_domain":{"type":"keyword","ignore_above":1024},"scheme":{"type":"keyword","ignore_above":1024},"subdomain":{"type":"keyword","ignore_above":1024},"top_level_domain":{"type":"keyword","ignore_above":1024},"username":{"type":"keyword","ignore_above":1024}}}}}}}}}}} -``` -- Create a transform for IOC detection rule -``` -PUT _transform/ti_rapid7_threat_command_ioc_rule_transform 
-{"source":{"index":[".internal.alerts-security.alerts-default-*"],"query":{"bool":{"filter":[{"match_phrase":{"kibana.alert.rule.tags":"Rapid7 Threat Command"}},{"match_phrase":{"kibana.alert.rule.tags":"IOC"}},{"match_phrase":{"kibana.alert.rule.category":"Indicator Match Rule"}}]}}},"dest":{"index":"rapid7-tc-ioc-correlations","pipeline":"0.1.0-ti_rapid7_threat_command-ioc-rule-transform-pipeline"},"frequency":"30m","sync":{"time":{"field":"@timestamp","delay":"60s"}},"latest":{"unique_key":["kibana.alert.uuid"],"sort":"@timestamp"},"retention_policy":{"time":{"field":"@timestamp","max_age":"60d"}},"description":"This transform creates index to populate the IOC Correlation and IOC Correlation Details Dashboards."} -``` -- Start a transform for IOC detection Rule -``` -POST _transform/ti_rapid7_threat_command_ioc_rule_transform/_start -``` - -### Add Transforms for Unique alerts - -1. In Kibana, go to **Management > Dev Tools**. -2. Add below API to the console and execute it. -- Create a template for unique alerts index -``` -POST _index_template/rapid7-tc-unique-alert-template 
-{"index_patterns":["rapid7-tc-unique-alerts"],"template":{"mappings":{"properties":{"@timestamp":{"type":"date"},"agent":{"properties":{"ephemeral_id":{"type":"keyword","ignore_above":1024},"id":{"type":"keyword","ignore_above":1024},"name":{"type":"keyword","ignore_above":1024},"type":{"type":"keyword","ignore_above":1024},"version":{"type":"keyword","ignore_above":1024}}},"cloud":{"properties":{"account":{"properties":{"id":{"type":"keyword","ignore_above":1024}}},"availability_zone":{"type":"keyword","ignore_above":1024},"image":{"properties":{"id":{"type":"keyword","ignore_above":1024}}},"instance":{"properties":{"id":{"type":"keyword","ignore_above":1024},"name":{"type":"keyword","ignore_above":1024}}},"machine":{"properties":{"type":{"type":"keyword","ignore_above":1024}}},"project":{"properties":{"id":{"type":"keyword","ignore_above":1024}}},"provider":{"type":"keyword","ignore_above":1024},"region":{"type":"keyword","ignore_above":1024}}},"container":{"properties":{"id":{"type":"keyword","ignore_above":1024},"image":{"properties":{"name":{"type":"keyword","ignore_above":1024}}},"name":{"type":"keyword","ignore_above":1024}}},"data_stream":{"properties":{"dataset":{"type":"constant_keyword"},"namespace":{"type":"constant_keyword"},"type":{"type":"constant_keyword"}}},"ecs":{"properties":{"version":{"type":"keyword","ignore_above":1024}}},"elastic_agent":{"properties":{"id":{"type":"keyword","ignore_above":1024},"snapshot":{"type":"boolean"},"version":{"type":"keyword","ignore_above":1024}}},"error":{"properties":{"message":{"type":"match_only_text"}}},"event":{"properties":{"agent_id_status":{"type":"keyword","ignore_above":1024},"category":{"type":"keyword","ignore_above":1024},"created":{"type":"date"},"dataset":{"type":"constant_keyword"},"id":{"type":"keyword","ignore_above":1024},"ingested":{"type":"date","format":"strict_date_time_no_millis||strict_date_optional_time||epoch_millis"},"kind":{"type":"keyword","ignore_above":1024},"module":{"type":"consta
nt_keyword"},"original":{"type":"keyword","index":false,"doc_values":false,"ignore_above":1024},"reference":{"type":"keyword","ignore_above":1024},"type":{"type":"keyword","ignore_above":1024}}},"host":{"properties":{"architecture":{"type":"keyword","ignore_above":1024},"containerized":{"type":"boolean"},"domain":{"type":"keyword","ignore_above":1024},"hostname":{"type":"keyword","ignore_above":1024},"id":{"type":"keyword","ignore_above":1024},"ip":{"type":"ip"},"mac":{"type":"keyword","ignore_above":1024},"name":{"type":"keyword","ignore_above":1024},"os":{"properties":{"build":{"type":"keyword","ignore_above":1024},"codename":{"type":"keyword","ignore_above":1024},"family":{"type":"keyword","ignore_above":1024},"kernel":{"type":"keyword","ignore_above":1024},"name":{"type":"keyword","ignore_above":1024,"fields":{"text":{"type":"text"}}},"platform":{"type":"keyword","ignore_above":1024},"version":{"type":"keyword","ignore_above":1024}}},"type":{"type":"keyword","ignore_above":1024}}},"input":{"properties":{"type":{"type":"keyword","ignore_above":1024}}},"log":{"properties":{"offset":{"type":"long"}}},"rapid7":{"properties":{"tc":{"properties":{"alert":{"properties":{"assets":{"type":"nested","properties":{"type":{"type":"keyword","ignore_above":1024},"value":{"type":"keyword","ignore_above":1024}}},"assignees":{"type":"keyword","ignore_above":1024},"details":{"properties":{"description":{"type":"keyword","ignore_above":1024},"images":{"type":"keyword","ignore_above":1024},"severity":{"type":"keyword","ignore_above":1024},"source":{"properties":{"date":{"type":"date"},"email":{"type":"keyword","ignore_above":1024},"leak_name":{"type":"keyword","ignore_above":1024},"network_type":{"type":"keyword","ignore_above":1024},"type":{"type":"keyword","ignore_above":1024},"url":{"type":"keyword","ignore_above":1024}}},"subtype":{"type":"keyword","ignore_above":1024},"tags":{"type":"nested","properties":{"created_by":{"type":"keyword","ignore_above":1024},"id":{"type":"keyword
","ignore_above":1024},"name":{"type":"keyword","ignore_above":1024}}},"title":{"type":"keyword","ignore_above":1024},"type":{"type":"keyword","ignore_above":1024}}},"found_date":{"type":"date"},"id":{"type":"keyword","ignore_above":1024},"is_closed":{"type":"boolean"},"is_flagged":{"type":"boolean"},"related_iocs":{"type":"keyword","ignore_above":1024},"related_threat_ids":{"type":"keyword","ignore_above":1024},"takedown_status":{"type":"keyword","ignore_above":1024},"update_date":{"type":"date"}}}}}}},"tags":{"type":"keyword","ignore_above":1024}}}}} -``` -- Create a transform for unique alerts -``` -PUT _transform/ti_rapid7_threat_command_unique_alert_transform -{"source":{"index":["logs-*"],"query":{"bool":{"should":[{"match_phrase":{"data_stream.dataset":"ti_rapid7_threat_command.alert"}}],"minimum_should_match":1}}},"dest":{"index":"rapid7-tc-unique-alerts"},"frequency":"30m","sync":{"time":{"field":"event.ingested","delay":"60s"}},"latest":{"unique_key":["event.id"],"sort":"@timestamp"},"retention_policy":{"time":{"field":"@timestamp","max_age":"180d"}},"description":"This transform creates index to maintain unique values of Alerts."} -``` -- Start a transform for unique alerts -``` -POST _transform/ti_rapid7_threat_command_unique_alert_transform/_start -``` - -### Add Transforms for Unique CVEs and Detection Rule - -1. In Kibana, go to **Management > Dev Tools**. -2. Add below API to the console and execute it. 
-- Create a template for unique CVEs index -``` -POST _index_template/rapid7-tc-unique-cve-template -{"index_patterns":["rapid7-tc-unique-cves"],"template":{"mappings":{"properties":{"@timestamp":{"type":"date"},"cloud":{"properties":{"account":{"properties":{"id":{"type":"keyword","ignore_above":1024}}},"availability_zone":{"type":"keyword","ignore_above":1024},"image":{"properties":{"id":{"type":"keyword","ignore_above":1024}}},"instance":{"properties":{"id":{"type":"keyword","ignore_above":1024},"name":{"type":"keyword","ignore_above":1024}}},"machine":{"properties":{"type":{"type":"keyword","ignore_above":1024}}},"project":{"properties":{"id":{"type":"keyword","ignore_above":1024}}},"provider":{"type":"keyword","ignore_above":1024},"region":{"type":"keyword","ignore_above":1024}}},"container":{"properties":{"id":{"type":"keyword","ignore_above":1024},"image":{"properties":{"name":{"type":"keyword","ignore_above":1024}}},"name":{"type":"keyword","ignore_above":1024}}},"data_stream":{"properties":{"dataset":{"type":"constant_keyword"},"namespace":{"type":"constant_keyword"},"type":{"type":"constant_keyword"}}},"ecs":{"properties":{"version":{"type":"keyword","ignore_above":1024}}},"error":{"properties":{"message":{"type":"match_only_text"}}},"event":{"properties":{"agent_id_status":{"type":"keyword","ignore_above":1024},"category":{"type":"keyword","ignore_above":1024},"created":{"type":"date"},"dataset":{"type":"keyword","ignore_above":1024},"ingested":{"type":"date","format":"strict_date_time_no_millis||strict_date_optional_time||epoch_millis"},"kind":{"type":"keyword","ignore_above":1024},"module":{"type":"keyword","ignore_above":1024},"original":{"type":"keyword","index":false,"doc_values":false,"ignore_above":8191},"type":{"type":"keyword","ignore_above":1024}}},"host":{"properties":{"architecture":{"type":"keyword","ignore_above":1024},"containerized":{"type":"boolean"},"domain":{"type":"keyword","ignore_above":1024},"hostname":{"type":"keyword","ignore_abov
e":1024},"id":{"type":"keyword","ignore_above":1024},"ip":{"type":"ip"},"mac":{"type":"keyword","ignore_above":1024},"name":{"type":"keyword","ignore_above":1024},"os":{"properties":{"build":{"type":"keyword","ignore_above":1024},"codename":{"type":"keyword","ignore_above":1024},"family":{"type":"keyword","ignore_above":1024},"kernel":{"type":"keyword","ignore_above":1024},"name":{"type":"keyword","ignore_above":1024,"fields":{"text":{"type":"text"}}},"platform":{"type":"keyword","ignore_above":1024},"version":{"type":"keyword","ignore_above":1024}}},"type":{"type":"keyword","ignore_above":1024}}},"input":{"properties":{"type":{"type":"keyword","ignore_above":1024}}},"log":{"properties":{"offset":{"type":"long"}}},"rapid7":{"properties":{"tc":{"properties":{"vulnerability":{"properties":{"cpe":{"properties":{"range":{"properties":{"version":{"properties":{"end":{"properties":{"excluding":{"type":"version"},"including":{"type":"version"}}},"start":{"properties":{"excluding":{"type":"version"},"including":{"type":"version"}}}}}}},"title":{"type":"keyword","ignore_above":1024},"value":{"type":"keyword","ignore_above":1024},"vendor_product":{"type":"keyword","ignore_above":1024}}},"cvss_score":{"type":"double"},"exploit_availability":{"type":"boolean"},"id":{"type":"keyword","ignore_above":1024},"intsights_score":{"type":"double"},"mention":{"properties":{"first_date":{"type":"keyword"},"last_date":{"type":"keyword"}}},"mentions":{"properties":{"source":{"properties":{"clear_web_cyber_blogs":{"type":"long"},"code_repositories":{"type":"long"},"dark_web":{"type":"long"},"exploit":{"type":"long"},"hacking_forum":{"type":"long"},"instant_message":{"type":"long"},"paste_site":{"type":"long"},"social_media":{"type":"long"}}},"total":{"type":"long"}}},"origin":{"type":"keyword","ignore_above":1024},"published_date":{"type":"date"},"related":{"properties":{"campaigns":{"type":"keyword","ignore_above":1024},"malware":{"type":"keyword","ignore_above":1024},"threat_actors":{"type
":"keyword","ignore_above":1024}}},"severity":{"type":"keyword","ignore_above":1024},"update_date":{"type":"date"}}}}}}},"tags":{"type":"keyword","ignore_above":1024},"vulnerability":{"properties":{"classification":{"type":"keyword","ignore_above":1024},"enumeration":{"type":"keyword","ignore_above":1024},"id":{"type":"keyword","ignore_above":1024},"reference":{"type":"keyword","ignore_above":1024},"scanner":{"properties":{"vendor":{"type":"keyword","ignore_above":1024}}},"score":{"properties":{"base":{"type":"float"}}},"severity":{"type":"keyword","ignore_above":1024}}}}}}} -``` -- Create a transform for unique CVEs -``` -PUT _transform/ti_rapid7_threat_command_unique_cve_transform -{"source":{"index":["logs-*"],"query":{"bool":{"should":[{"match_phrase":{"data_stream.dataset":"ti_rapid7_threat_command.vulnerability"}}],"minimum_should_match":1}}},"dest":{"index":"rapid7-tc-unique-cves"},"frequency":"30m","sync":{"time":{"field":"event.ingested","delay":"60s"}},"latest":{"unique_key":["vulnerability.id"],"sort":"@timestamp"},"retention_policy":{"time":{"field":"@timestamp","max_age":"180d"}},"description":"This transform creates index to maintain unique values of CVEs."} -``` -- Start a transform for unique CVEs -``` -POST _transform/ti_rapid7_threat_command_unique_cve_transform/_start -``` -- Create a template for correlation index of CVE rule transform -``` -POST _index_template/cve-rule-transform-template 
-{"index_patterns":["rapid7-tc-cve-correlations"],"template":{"mappings":{"properties":{"@timestamp":{"type":"date"},"rapid7":{"properties":{"tc":{"properties":{"vulnerability":{"properties":{"cpe":{"properties":{"range":{"properties":{"version":{"properties":{"end":{"properties":{"excluding":{"type":"version"},"including":{"type":"version"}}},"start":{"properties":{"excluding":{"type":"version"},"including":{"type":"version"}}}}}}},"title":{"type":"keyword","ignore_above":1024},"value":{"type":"keyword","ignore_above":1024},"vendor_product":{"type":"keyword","ignore_above":1024}}},"cvss_score":{"type":"double"},"exploit_availability":{"type":"boolean"},"id":{"type":"keyword","ignore_above":1024},"intsights_score":{"type":"double"},"mention":{"properties":{"first_date":{"type":"keyword"},"last_date":{"type":"keyword"}}},"mentions":{"properties":{"source":{"properties":{"clear_web_cyber_blogs":{"type":"long"},"code_repositories":{"type":"long"},"dark_web":{"type":"long"},"exploit":{"type":"long"},"hacking_forum":{"type":"long"},"instant_message":{"type":"long"},"paste_site":{"type":"long"},"social_media":{"type":"long"}}},"total":{"type":"long"}}},"origin":{"type":"keyword","ignore_above":1024},"published_date":{"type":"date"},"related":{"properties":{"campaigns":{"type":"keyword","ignore_above":1024},"malware":{"type":"keyword","ignore_above":1024},"threat_actors":{"type":"keyword","ignore_above":1024}}},"severity":{"type":"keyword","ignore_above":1024},"update_date":{"type":"date"}}}}}}},"threat":{"properties":{"enrichments":{"properties":{"feed":{"type":"object"},"indicator":{"properties":{"cpe":{"properties":{"range":{"properties":{"version":{"properties":{"end":{"properties":{"excluding":{"type":"version"},"including":{"type":"version"}}},"start":{"properties":{"excluding":{"type":"version"},"including":{"type":"version"}}}}}}},"title":{"type":"keyword","ignore_above":1024},"value":{"type":"keyword","ignore_above":1024},"vendor_product":{"type":"keyword","ignore
_above":1024}}},"cvss_score":{"type":"double"},"exploit_availability":{"type":"boolean"},"id":{"type":"keyword","ignore_above":1024},"intsights_score":{"type":"double"},"mention":{"properties":{"first_date":{"type":"keyword"},"last_date":{"type":"keyword"}}},"mentions":{"properties":{"source":{"properties":{"clear_web_cyber_blogs":{"type":"long"},"code_repositories":{"type":"long"},"dark_web":{"type":"long"},"exploit":{"type":"long"},"hacking_forum":{"type":"long"},"instant_message":{"type":"long"},"paste_site":{"type":"long"},"social_media":{"type":"long"}}},"total":{"type":"long"}}},"origin":{"type":"keyword","ignore_above":1024},"published_date":{"type":"date"},"related":{"properties":{"campaigns":{"type":"keyword","ignore_above":1024},"malware":{"type":"keyword","ignore_above":1024},"threat_actors":{"type":"keyword","ignore_above":1024}}},"severity":{"type":"keyword","ignore_above":1024},"update_date":{"type":"date"}}},"matched":{"properties":{"atomic":{"type":"keyword"},"field":{"type":"keyword"},"id":{"type":"keyword"},"index":{"type":"keyword"},"type":{"type":"keyword"}}}}}}},"vulnerability":{"properties":{"classification":{"type":"keyword","ignore_above":1024},"enumeration":{"type":"keyword","ignore_above":1024},"id":{"type":"keyword","ignore_above":1024},"reference":{"type":"keyword","ignore_above":1024},"scanner":{"properties":{"vendor":{"type":"keyword","ignore_above":1024}}},"score":{"properties":{"base":{"type":"float"}}},"severity":{"type":"keyword","ignore_above":1024}}}}}}} -``` -- Create a transform for CVE detection Rule -``` -PUT _transform/ti_rapid7_threat_command_cve_rule_transform -{"source":{"index":[".internal.alerts-security.alerts-default-*"],"query":{"bool":{"filter":[{"match_phrase":{"kibana.alert.rule.tags":"Rapid7 Threat Command"}},{"match_phrase":{"kibana.alert.rule.tags":"CVE"}},{"match_phrase":{"kibana.alert.rule.category":"Indicator Match 
Rule"}}]}}},"dest":{"index":"rapid7-tc-cve-correlations","pipeline":"0.1.0-ti_rapid7_threat_command-cve-rule-transform-pipeline"},"frequency":"30m","sync":{"time":{"field":"@timestamp","delay":"60s"}},"latest":{"unique_key":["kibana.alert.uuid"],"sort":"@timestamp"},"description":"This transform creates index to populate the Vulnerability Correlation and Vulnerability Correlation Details Dashboards."} -``` -- Start a transform for CVE detection Rule -``` -POST _transform/ti_rapid7_threat_command_cve_rule_transform/_start -``` - -For more details, please refer to the [Kibana Dev Tools Guide](https://www.elastic.co/guide/en/kibana/current/console-kibana.html) - -### Enabling correlation detection rule in Elasticsearch - -1. In Kibana, go to **Security > Manage > Rules**. -2. Click the **Load Elastic prebuilt rules and timeline templates** button to load Elastic prebuilt detection rules. By default, all loaded prebuilt rules are disabled. -3. In the integrations search bar, type **Rapid7 Threat Command IOCs Correlation** for the IOC correlation rule and **Rapid7 Threat Command CVEs Correlation** for the CVE correlation rule. -4. To enable a detection rule, switch on the rule’s **Enabled** toggle. -### Add Webhook Connectors for adding tags and comments +| Rule in `<= v1.16.0` | Replaced by Rule in `v2.0.0` | +| ---------------------------------------------------| --------------------------------------------------------------------| +| `Rapid7 Threat Command IOCs Correlation` | `Threat Intel Hash Indicator Match`, `Threat Intel IP Address Indicator Match`, `Threat Intel URL Indicator Match`, `Threat Intel Windows Registry Indicator Match` | +| `Rapid7 Threat Command CVEs Correlation` | `Rapid7 Threat Command CVEs Correlation` | -Please refer to the Setup Guide of **Rapid7 Threat Command IOCs Correlation** to tag the specific IOC in the Rapid7 Threat Command platform on correlation match. 
+After upgrading to `2.0.0`, users are advised to disable and delete old rules to avoid duplicate [Security Alerts](https://www.elastic.co/guide/en/security/current/alerts-ui-manage.html). Users must also install and enable new rules in their place as documented [here](#install-and-enable-detection-rule-in-elasticsearch). -1. In Kibana, go to **Security > Manage > Rules**. -2. In the integrations search bar, type **Rapid7 Threat Command IOCs Correlation** and click on it. -3. In the About section, select **Setup Guide** and follow the steps. +#### Removal of custom views and dashboards -## Retention policy -Retention policy is used to retire data older than the default period. Refer to [Retention Policy](https://www.elastic.co/guide/en/elasticsearch/reference/current/put-transform.html#:~:text=to%20false.-,retention_policy,-(Optional%2C%20object)%20Defines) page for more information. +The integration until version `1.16.0` adds custom indices and [Data Views](https://www.elastic.co/guide/en/kibana/current/data-views.html) namely `rapid7-tc-ioc-correlations` and `rapid7-tc-cve-correlations` to store matching indicators and CVEs from user indices with the help of [custom rules](#removal-of-custom-rules). Since the custom rules are replaced with Elastic prebuilt rules, these custom views are deleted. Users can view the same matching indicators and CVEs by navigating to `Security` -> `Alerts` page. Read [View Detection Alert](https://www.elastic.co/guide/en/security/current/view-alert-details.html) for more details. -The following table indicates the retention period for each data stream. Users can update the retention period once transform is configured: +Some dashboards that depended on above custom views were also removed. These dashboards include `IOC Correlation`, `IOC Correlation Details`, `Vulnerability Correlation`, and `Vulnerability Correlation Details`. Users can view these correlations by navigating to the same `Security` -> `Alerts` page. 
-| Data stream | Retention Period | -| --------------| -----------------| -| IOC | 60 days | -| Alert | 180 days | -| Vulnerability | 180 days | +#### Removal of custom transforms + +This integration versions until `1.16.0` guided users to create custom transforms on datasets `IOC`, `Alert`, and `Vulnerability` with the commands to execute from Kibana Dev Tools. Starting `2.0.0`, the integration replaces them with fleet-managed transforms, which are automatically installed and started after upgrade. Following are the changes: + +| Transform Name `<= v1.16.0` | Transform Name `v2.0.0` | +| --------------------------------------------------------- | ------------------------------------------------------------------| +| `ti_rapid7_threat_command_unique_ioc_transform` | `logs-ti_rapid7_threat_command.latest_ioc-default-*` | +| `ti_rapid7_threat_command_ioc_rule_transform` | `N/A` | +| `ti_rapid7_threat_command_unique_alert_transform` | `logs-ti_rapid7_threat_command.latest_alert-default-*` | +| `ti_rapid7_threat_command_unique_cve_transform` | `logs-ti_rapid7_threat_command.latest_vulnerability-default-*` | +| `ti_rapid7_threat_command_cve_rule_transform` | `N/A` | + +In versions `<= v1.16.0`, the transforms `ti_rapid7_threat_command_ioc_rule_transform` and `ti_rapid7_threat_command_cve_rule_transform` were used to index the security alerts generated from the [custom rules](#removal-of-custom-rules) into [custom views](#removal-of-custom-views-and-dashboards). Since both custom rules and custom views are deleted, these transforms are no longer required. + +If users are upgrading to any version after `1.16.0`, it is advised to stop and delete all of the transforms used in older versions to avoid duplicate data and [Security Alerts](https://www.elastic.co/guide/en/security/current/alerts-ui-manage.html). 
+ +#### Expiration of Indicators of Compromise (IOCs) +The threat landscape is always evolving and therefore the IOCs need to update to reflect the current state or expired when the indicators are no longer relevant. + +The ingested indicators from the integration are expired after the duration configured by `IOC Expiration Duration` integration setting. This setting is `required` property and must be set by the users. Refer [IOC Expiration Duration](#ioc-expiration-duration) section for more details. + +The [Elastic Transform](https://www.elastic.co/guide/en/elasticsearch/reference/current/transforms.html) named `logs-ti_rapid7_threat_command.latest_ioc-default-*` is created to faciliate only active IOCs be available to the end users. This transform creates destination indices named `logs-ti_rapid7_threat_command_latest.dest_ioc-*` which only contains active and unexpired IOCs. This latest destination index also has an alias named `logs-ti_rapid7_threat_command_latest.ioc`. When querying for active indicators or setting up indicator match rules, only use the latest destination indices or the alias to avoid false positives from expired IOCs. + +Dashboards are also pointing to the latest destination indices containing only active indicators. + +An [ILM Policy](#ilm-policy) is added to avoid unbounded growth on source datastream `.ds-logs-ti_rapid7_threat_command.ioc-*` indices. + +#### ILM Policy +Due to the addition of [fleet-managed transforms](#removal-of-custom-transforms), ILM policy is also added to `IOC`, `Alert`, and `Vulnerability` datasets so that source datastream-backed indices `.ds-logs-ti_rapid7_threat_command.ioc-*`, `.ds-logs-ti_rapid7_threat_command.alert-*`, `.ds-logs-ti_rapid7_threat_command.vulnerability-*` doesn't lead to unbounded growth. This means data in these source indices will be deleted based on the ILM policy, which defaults to `5 days` from ingested date. 
+ +| Source datastream-backed indices | Policy Name | Default Retention | +| --------------------------------------------------------------| ---------------------------------------------------------------|-------------------| +| `.ds-logs-ti_rapid7_threat_command.ioc-*` | logs-ti_rapid7_threat_command.ioc-default_policy | 5 days | +| `.ds-logs-ti_rapid7_threat_command.alert-*` | logs-ti_rapid7_threat_command.alert-default_policy | 5 days | +| `.ds-logs-ti_rapid7_threat_command.vulnerability-*` | logs-ti_rapid7_threat_command.vulnerability-default_policy | 5 days | + +The ILM policies can be modified as per user needs. + +### Detection Rules + +As noted in above sections, there are 5 prebuilt detection rules that are available and need to be added by the users. 4 rules are for matching indicators, while 1 rule is for matching vulnerabilities. Following are the rules: + +- Threat Intel Hash Indicator Match. +- Threat Intel IP Address Indicator Match. +- Threat Intel URL Indicator Match. +- Threat Intel Windows Registry Indicator Match. +- Rapid7 Threat Command CVEs Correlation. + +#### Install and Enable Detection Rule in Elasticsearch + +1. In Kibana, go to **Security > Rules > Detection rules (SIEM)**. +2. Click on **Add Elastic Rules**. +3. In the integrations search bar, type and search for each of the 5 rules from above. +4. Click on **Install rule** to install the rule. +4. To enable a detection rule, switch on the rule’s **Enabled** toggle. + +### Add Connectors for rules + +1. In Kibana, go to **Security > Rules > Detection rules (SIEM)**. +2. Under **Installed Rules**, click on each of the 5 rules from above. +3. Click on `Edit rule settings`. +4. Under **Actions** tab, choose a connector from the list `Select a connector type`. +5. [Configure the connector](https://www.elastic.co/guide/en/kibana/current/action-types.html). 
+ +For more details on Rule Actions, read [Rule Actions](https://www.elastic.co/guide/en/kibana/current/create-and-manage-rules.html#defining-rules-actions-details). For adding Webhook Connector to Rule Actions, read [Webhook - Case Management](https://www.elastic.co/guide/en/kibana/current/cases-webhook-action-type.html). ## Limitations @@ -182,7 +185,7 @@ The following table indicates the retention period for each data stream. Users c - If you don't see any data for IOCs, Alerts, or CVEs, check the Agent logs to see if there are errors. - * Common error types: + **Common errors**: 1. Module is not included in the ETP Suite subscription. Verify the system modules of your account using below CURL request. ``` @@ -199,8 +202,6 @@ The following table indicates the retention period for each data stream. Users c 1. Check whether transforms are running without any errors. If you face any issues in transforms please refer to [Troubleshooting transforms](https://www.elastic.co/guide/en/elasticsearch/reference/current/transform-troubleshooting.html). 2. Check whether source indices fields (e.g. `source.ip`, `url.full`, `vulnerability.id` etc.) are mapped according to the [ECS schema](https://www.elastic.co/guide/en/ecs/current/ecs-field-reference.html). -- If you don't see matched documents in **Matched CVE Details** drill down as per the **Match Count**, please adjust the time range accordingly to analyze all the matched documents. - ## Logs reference ### IOC diff --git a/packages/ti_rapid7_threat_command/_dev/deploy/docker/files/config.yml b/packages/ti_rapid7_threat_command/_dev/deploy/docker/files/config.yml index 06e6fb7dac3..05d94ed537e 100644 --- a/packages/ti_rapid7_threat_command/_dev/deploy/docker/files/config.yml +++ b/packages/ti_rapid7_threat_command/_dev/deploy/docker/files/config.yml 
@@ -8,7 +8,7 @@ rules: responses: - status_code: 200 body: |- - {"content":[{"value":"http://89.160.20.112/test/example.jpg","type":"Urls","status":"Active","severity":"Low","score":13.26086956521739,"lastUpdateDate":"2022-05-08T10:39:07.841Z","lastSeen":"2022-05-04T20:06:10.000Z","firstSeen":"2022-05-04T20:06:10.000Z","relatedMalware":["remcos"],"relatedCampaigns":[],"relatedThreatActors":[],"reportedFeeds":[{"id":"5b68306df84f7c8696047fdd","name":"Test Feed","confidenceLevel":2}],"whitelisted":false,"tags":[]},{"value":"89.160.20.112","type":"IpAddresses","status":"Active","severity":"Low","score":13.26086956521739,"lastUpdateDate":"2022-05-05T10:39:07.851Z","lastSeen":"2022-05-04T20:11:04.000Z","firstSeen":"2022-05-04T20:11:04.000Z","relatedMalware":["remcos"],"relatedCampaigns":[],"relatedThreatActors":[],"reportedFeeds":[{"id":"5b68306df84f7c8696047fdd","name":"Test Feed","confidenceLevel":2}],"whitelisted":false,"tags":["Test"]}]} + {"content":[{"value":"http://88.160.20.110/test/sample.jpg","type":"Urls","status":"Active","severity":"Low","score":15.26086956521739,"lastUpdateDate":"2024-06-15T10:39:07.841Z","lastSeen":"2024-06-15T09:06:10.000Z","firstSeen":"2024-05-19T20:06:10.000Z","relatedMalware":["remcos"],"relatedCampaigns":[],"relatedThreatActors":[],"reportedFeeds":[{"id":"5b68306df84f7c8696047fdd","name":"Test Feed","confidenceLevel":2}],"whitelisted":false,"tags":[]},{"value":"http://89.160.20.112/test/example.jpg","type":"Urls","status":"Active","severity":"Low","score":13.26086956521739,"lastUpdateDate":"2022-06-17T10:39:07.841Z","lastSeen":"2022-06-17T20:06:10.000Z","firstSeen":"2022-05-04T20:06:10.000Z","relatedMalware":["remcos"],"relatedCampaigns":[],"relatedThreatActors":[],"reportedFeeds":[{"id":"5b68306df84f7c8696047fdd","name":"Test 
Feed","confidenceLevel":2}],"whitelisted":false,"tags":[]},{"value":"89.160.20.112","type":"IpAddresses","status":"Active","severity":"Low","score":13.26086956521739,"lastUpdateDate":"2022-06-16T10:39:07.851Z","lastSeen":"2022-06-15T20:11:04.000Z","firstSeen":"2022-05-04T20:11:04.000Z","relatedMalware":["remcos"],"relatedCampaigns":[],"relatedThreatActors":[],"reportedFeeds":[{"id":"5b68306df84f7c8696047fdd","name":"Test Feed","confidenceLevel":2}],"whitelisted":false,"tags":["Test"]},{"value":"89.160.20.156","type":"IpAddresses","status":"Active","severity":"Low","score":16.26086956521739,"lastUpdateDate":"2024-06-15T23:39:07.851Z","lastSeen":"2024-06-15T20:11:04.000Z","firstSeen":"2024-05-14T20:11:04.000Z","relatedMalware":["remcos"],"relatedCampaigns":[],"relatedThreatActors":[],"reportedFeeds":[{"id":"5b68306df84f7c8696047fdd","name":"Test Feed","confidenceLevel":2}],"whitelisted":false,"tags":["Test"]}]} - path: /public/v1/data/alerts/alerts-list request_headers: authorization: ["Basic .*"] 
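Review bot: The new IOC `http://88.160.20.110/test/sample.jpg` in the added body line introduces an address from a different block than the `89.160.20.112` value the existing fixture uses, and it looks like a routable production address rather than a designated documentation/test value; the added `89.160.20.156` entry likewise goes beyond the addresses already in use. Mock threat-intel data tends to surface in sample events, docs and screenshots, so indicator values should come only from reserved documentation ranges or the project's agreed test addresses to avoid listing a real host as a threat indicator. The fixed 2024 `lastSeen`/`lastUpdateDate` values will also age relative to whatever `IOC Expiration Duration` a test run sets — presumably intended so that some entries read as active and the 2022 ones as expired, but a line such as `# 2024-dated entries are expected to be active, 2022-dated ones expired` above the body would make that intent explicit. The enclosing `rules` entry starts outside the hunk.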
@@ -26,7 +26,7 @@ rules: responses: - status_code: 200 body: |- - {"_id":"123456789abcdefgh8866123","FoundDate":"2022-11-02T10:03:56.139Z","Details":{"Title":"Suspected Phishing Domain - 'example.com'","Type":"Phishing","SubType":"RegisteredSuspiciousDomain","Severity":"Low","Tags":[{"Name":"Phishing Domain - Default Detection Rule","CreatedBy":"ProfilingRule","_id":"1al3p6789zxcvbnmas8a8q60"}],"Source":{"Type":"WHOIS servers","NetworkType":"ClearWeb","URL":"http://example.com"},"Images":["1al5s6789z6e2b0m9s8a8q60"],"Description":"A suspicious domain 'example.com' was found to have characteristics indicating it may be used to carry out phishing attacks. | Recommendations: It is recommended to block the domain in your URL filtering and mail systems. This can prevent phishing emails being received by your employees and access to websites attempting to steal sensitive information. Click “Remediate” in order to initiate the takedown process for this domain."},"Assignees":[],"Assets":[{"Type":"Domains","Value":"example.com"}],"TakedownStatus":"NotSent","IsFlagged":false,"UpdateDate":"2022-11-02T10:03:56.139Z","RelatedIocs":["example.com"],"RelatedThreatIDs":["6a4e7t9a111bd0003bcc2a57"],"Closed":{"IsClosed":true}} + {"_id":"123456789abcdefgh8866123","FoundDate":"2022-11-02T10:03:56.139Z","Details":{"Title":"Suspected Phishing Domain - 'example.com'","Type":"Phishing","SubType":"RegisteredSuspiciousDomain","Severity":"Low","Tags":[{"Name":"Phishing Domain - Default Detection Rule","CreatedBy":"ProfilingRule","_id":"1al3p6789zxcvbnmas8a8q60"}],"Source":{"Type":"WHOIS servers","NetworkType":"ClearWeb","URL":"http://example.com"},"Images":["1al5s6789z6e2b0m9s8a8q60"],"Description":"A suspicious domain 'example.com' was found to have characteristics indicating it may be used to carry out phishing attacks. | Recommendations: It is recommended to block the domain in your URL filtering and mail systems. 
This can prevent phishing emails being received by your employees and access to websites attempting to steal sensitive information. Click “Remediate” in order to initiate the takedown process for this domain."},"Assignees":[],"Assets":[{"Type":"Domains","Value":"example.com"}],"TakedownStatus":"NotSent","IsFlagged":false,"UpdateDate":"2024-01-02T10:03:56.139Z","RelatedIocs":["example.com"],"RelatedThreatIDs":["6a4e7t9a111bd0003bcc2a57"],"Closed":{"IsClosed":true}} - path: /public/v1/data/alerts/get-complete-alert/123456789zxcvbnmas8a8q60 request_headers: authorization: ["Basic .*"] 
@@ -44,4 +44,4 @@ rules: responses: - status_code: 200 body: |- - {"content":[{"cveId":"CVE-2020-7064","cpe":[{"Title":"Php","Value":"cpe:2.3:a:php:php:*:*:*:*:*:*:*:*","VendorProduct":"php php","Range":{"VersionStartIncluding":"1.0.0","VersionEndIncluding":"4.0.0","VersionStartExcluding":"","VersionEndExcluding":""}}],"publishedDate":"2020-04-01T04:15:00.000Z","updateDate":"2020-08-24T21:46:48.619Z","severity":"Low","intsightsScore":16,"cvssScore":5.4,"mentionsAmount":0,"mentionsPerSource":{"SocialMedia":0,"PasteSite":0,"HackingForum":0,"InstantMessage":0,"DarkWeb":0,"CodeRepositories":0,"Exploit":0,"ClearWebCyberBlogs":0},"firstMentionDate":"N/A","lastMentionDate":"2020-04-01T04:15:00.000Z","exploitAvailability":false,"vulnerabilityOrigin":["Qualys"],"relatedMalware":["doppeldridex","dridex"],"relatedCampaigns":["SolarWinds"],"relatedThreatActors":["doppelspider"]}]} + {"content":[{"cveId":"CVE-2020-7064","cpe":[{"Title":"Php","Value":"cpe:2.3:a:php:php:*:*:*:*:*:*:*:*","VendorProduct":"php php","Range":{"VersionStartIncluding":"1.0.0","VersionEndIncluding":"4.0.0","VersionStartExcluding":"","VersionEndExcluding":""}}],"publishedDate":"2020-04-01T04:15:00.000Z","updateDate":"2020-08-24T21:46:48.619Z","severity":"Low","intsightsScore":16,"cvssScore":5.4,"mentionsAmount":0,"mentionsPerSource":{"SocialMedia":0,"PasteSite":0,"HackingForum":0,"InstantMessage":0,"DarkWeb":0,"CodeRepositories":0,"Exploit":0,"ClearWebCyberBlogs":0},"firstMentionDate":"N/A","lastMentionDate":"2020-04-01T04:15:00.000Z","exploitAvailability":false,"vulnerabilityOrigin":["Qualys"],"relatedMalware":["doppeldridex","dridex"],"relatedCampaigns":["SolarWinds"],"relatedThreatActors":["doppelspider"]},{"cveId":"CVE-2020-5555","cpe":[{"Title":"Phpsample","Value":"cpe:2.3:a:php:php:*:*:*:*:*:*:*:*","VendorProduct":"php 
php","Range":{"VersionStartIncluding":"1.0.0","VersionEndIncluding":"4.0.0","VersionStartExcluding":"","VersionEndExcluding":""}}],"publishedDate":"2024-03-01T04:15:00.000Z","updateDate":"2024-06-16T21:46:48.619Z","severity":"Low","intsightsScore":15,"cvssScore":5.3,"mentionsAmount":0,"mentionsPerSource":{"SocialMedia":0,"PasteSite":0,"HackingForum":0,"InstantMessage":0,"DarkWeb":0,"CodeRepositories":0,"Exploit":0,"ClearWebCyberBlogs":0},"firstMentionDate":"N/A","lastMentionDate":"2024-06-16T04:15:00.000Z","exploitAvailability":false,"vulnerabilityOrigin":["Qualys"],"relatedMalware":["doppeldridex","dridex"],"relatedCampaigns":["SolarWinds"],"relatedThreatActors":["doppelspider"]},{"cveId":"CVE-2020-6666","cpe":[{"Title":"Phpsample","Value":"cpe:2.3:a:php:php:*:*:*:*:*:*:*:*","VendorProduct":"php php","Range":{"VersionStartIncluding":"1.0.0","VersionEndIncluding":"4.0.0","VersionStartExcluding":"","VersionEndExcluding":""}}],"publishedDate":"2024-06-01T04:15:00.000Z","updateDate":"2024-06-15T21:46:48.619Z","severity":"Medium","intsightsScore":36,"cvssScore":7.6,"mentionsAmount":0,"mentionsPerSource":{"SocialMedia":0,"PasteSite":0,"HackingForum":0,"InstantMessage":0,"DarkWeb":0,"CodeRepositories":0,"Exploit":0,"ClearWebCyberBlogs":0},"firstMentionDate":"N/A","lastMentionDate":"2024-06-15T04:15:00.000Z","exploitAvailability":false,"vulnerabilityOrigin":["Qualys"],"relatedMalware":["doppeldridex","dridex"],"relatedCampaigns":["SolarWinds"],"relatedThreatActors":["doppelspider"]}]} diff --git a/packages/ti_rapid7_threat_command/_dev/deploy/docker/transform/ti_rapid7_threat_command_cve_rule_transform/fields/base-fields.yml b/packages/ti_rapid7_threat_command/_dev/deploy/docker/transform/ti_rapid7_threat_command_cve_rule_transform/fields/base-fields.yml deleted file mode 100644 index 601770f7bb3..00000000000 --- a/packages/ti_rapid7_threat_command/_dev/deploy/docker/transform/ti_rapid7_threat_command_cve_rule_transform/fields/base-fields.yml +++ /dev/null 
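Review bot: The added CVE entries use identifiers `CVE-2020-5555` and `CVE-2020-6666` that are formatted like real CVE records yet carry 2024 `publishedDate` values, so readers of sample events or dashboards built from this mock could mistake them for genuine advisories, and the ids may coincide with real entries. A short comment above the body, e.g. `# CVE ids below are synthetic test values, not real advisories`, or ids that are obviously out of range would make the fixture's intent clear. The enclosing `rules` entry starts outside the hunk.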
@@ -1,3 +0,0 @@
-- name: '@timestamp'
- type: date
- description: Event timestamp.
diff --git a/packages/ti_rapid7_threat_command/_dev/deploy/docker/transform/ti_rapid7_threat_command_cve_rule_transform/fields/ecs.yml b/packages/ti_rapid7_threat_command/_dev/deploy/docker/transform/ti_rapid7_threat_command_cve_rule_transform/fields/ecs.yml
deleted file mode 100644
index d8b8c66a3fb..00000000000
--- a/packages/ti_rapid7_threat_command/_dev/deploy/docker/transform/ti_rapid7_threat_command_cve_rule_transform/fields/ecs.yml
+++ /dev/null
@@ -1,26 +0,0 @@
-- external: ecs
- name: threat.enrichments.matched.atomic
-- external: ecs
- name: threat.enrichments.matched.field
-- external: ecs
- name: threat.enrichments.matched.id
-- external: ecs
- name: threat.enrichments.matched.index
-- external: ecs
- name: threat.enrichments.matched.occurred
-- external: ecs
- name: threat.enrichments.matched.type
-- external: ecs
- name: vulnerability.classification
-- external: ecs
- name: vulnerability.enumeration
-- external: ecs
- name: vulnerability.id
-- external: ecs
- name: vulnerability.reference
-- external: ecs
- name: vulnerability.scanner.vendor
-- external: ecs
- name: vulnerability.score.base
-- external: ecs
- name: vulnerability.severity
diff --git a/packages/ti_rapid7_threat_command/_dev/deploy/docker/transform/ti_rapid7_threat_command_cve_rule_transform/fields/fields.yml b/packages/ti_rapid7_threat_command/_dev/deploy/docker/transform/ti_rapid7_threat_command_cve_rule_transform/fields/fields.yml
deleted file mode 100644
index 6f7a88f0199..00000000000
--- a/packages/ti_rapid7_threat_command/_dev/deploy/docker/transform/ti_rapid7_threat_command_cve_rule_transform/fields/fields.yml
+++ /dev/null
@@ -1,176 +0,0 @@
-- name: rapid7.tc.vulnerability
- type: group
- fields:
- - name: cpe
- type: group
- fields:
- - name: range
- type: group
- fields:
- - name: version
- type: group
- fields:
- - name: end
- type: group
- fields:
- - name: excluding
- type: version
- - name: including
- type: version
- - name: start
- type: group
- fields:
- - name: excluding
- type: version
- - name: including
- type: version
- - name: title
- type: keyword
- - name: value
- type: keyword
- - name: vendor_product
- type: keyword
- - name: cvss_score
- type: double
- - name: exploit_availability
- type: boolean
- - name: id
- type: keyword
- - name: intsights_score
- type: double
- - name: mention
- type: group
- fields:
- - name: first_date
- type: keyword
- - name: last_date
- type: keyword
- - name: mentions
- type: group
- fields:
- - name: source
- type: group
- fields:
- - name: clear_web_cyber_blogs
- type: long
- - name: code_repositories
- type: long
- - name: dark_web
- type: long
- - name: exploit
- type: long
- - name: hacking_forum
- type: long
- - name: instant_message
- type: long
- - name: paste_site
- type: long
- - name: social_media
- type: long
- - name: total
- type: long
- - name: origin
- type: keyword
- - name: published_date
- type: date
- - name: related
- type: group
- fields:
- - name: campaigns
- type: keyword
- - name: malware
- type: keyword
- - name: threat_actors
- type: keyword
- - name: severity
- type: keyword
- - name: update_date
- type: date
-- name: threat.enrichments.indicator
- type: group
- fields:
- - name: cpe
- type: group
- fields:
- - name: range
- type: group
- fields:
- - name: version
- type: group
- fields:
- - name: end
- type: group
- fields:
- - name: excluding
- type: version
- - name: including
- type: version
- - name: start
- type: group
- fields:
- - name: excluding
- type: version
- - name: including
- type: version
- - name: title
- type: keyword
- - name: value
- type: keyword
- - name: vendor_product
- type: keyword
- - name: cvss_score
- type: double
- - name: exploit_availability
- type: boolean
- - name: id
- type: keyword
- - name: intsights_score
- type: double
- - name: mention
- type: group
- fields:
- - name: first_date
- type: keyword
- - name: last_date
- type: keyword
- - name: mentions
- type: group
- fields:
- - name: source
- type: group
- fields:
- - name: clear_web_cyber_blogs
- type: long
- - name: code_repositories
- type: long
- - name: dark_web
- type: long
- - name: exploit
- type: long
- - name: hacking_forum
- type: long
- - name: instant_message
- type: long
- - name: paste_site
- type: long
- - name: social_media
- type: long
- - name: total
- type: long
- - name: origin
- type: keyword
- - name: published_date
- type: date
- - name: related
- type: group
- fields:
- - name: campaigns
- type: keyword
- - name: malware
- type: keyword
- - name: threat_actors
- type: keyword
- - name: severity
- type: keyword
- - name: update_date
- type: date
diff --git a/packages/ti_rapid7_threat_command/_dev/deploy/docker/transform/ti_rapid7_threat_command_cve_rule_transform/manifest.yml b/packages/ti_rapid7_threat_command/_dev/deploy/docker/transform/ti_rapid7_threat_command_cve_rule_transform/manifest.yml
deleted file mode 100644
index c3a2507fb30..00000000000
--- a/packages/ti_rapid7_threat_command/_dev/deploy/docker/transform/ti_rapid7_threat_command_cve_rule_transform/manifest.yml
+++ /dev/null
@@ -1 +0,0 @@
-start: true
diff --git a/packages/ti_rapid7_threat_command/_dev/deploy/docker/transform/ti_rapid7_threat_command_cve_rule_transform/transform.yml b/packages/ti_rapid7_threat_command/_dev/deploy/docker/transform/ti_rapid7_threat_command_cve_rule_transform/transform.yml
deleted file mode 100644
index 4890e4369fe..00000000000
--- a/packages/ti_rapid7_threat_command/_dev/deploy/docker/transform/ti_rapid7_threat_command_cve_rule_transform/transform.yml
+++ /dev/null
@@ -1,25 +0,0 @@
-source:
- index:
- - .internal.alerts-security.alerts-default-*
- query:
- bool:
- filter:
- - match_phrase:
- kibana.alert.rule.tags: Rapid7 Threat Command
- - match_phrase:
- kibana.alert.rule.tags: CVE
- - match_phrase:
- kibana.alert.rule.category: Indicator Match Rule
-dest:
- index: rapid7-tc-cve-correlations
- pipeline: 0.1.0-ti_rapid7_threat_command-cve-rule-transform-pipeline
-frequency: 30m
-sync:
- time:
- field: '@timestamp'
- delay: 60s
-latest:
- unique_key:
- - kibana.alert.uuid
- sort: '@timestamp'
-description: This transform creates index to populate the Vulnerability Correlation and Vulnerability Correlation Details Dashboards.
diff --git a/packages/ti_rapid7_threat_command/_dev/deploy/docker/transform/ti_rapid7_threat_command_ioc_rule_transform/fields/base-fields.yml b/packages/ti_rapid7_threat_command/_dev/deploy/docker/transform/ti_rapid7_threat_command_ioc_rule_transform/fields/base-fields.yml
deleted file mode 100644
index 601770f7bb3..00000000000
--- a/packages/ti_rapid7_threat_command/_dev/deploy/docker/transform/ti_rapid7_threat_command_ioc_rule_transform/fields/base-fields.yml
+++ /dev/null
@@ -1,3 +0,0 @@
-- name: '@timestamp'
- type: date
- description: Event timestamp.
diff --git a/packages/ti_rapid7_threat_command/_dev/deploy/docker/transform/ti_rapid7_threat_command_ioc_rule_transform/fields/ecs.yml b/packages/ti_rapid7_threat_command/_dev/deploy/docker/transform/ti_rapid7_threat_command_ioc_rule_transform/fields/ecs.yml
deleted file mode 100644
index e8d88cdf02a..00000000000
--- a/packages/ti_rapid7_threat_command/_dev/deploy/docker/transform/ti_rapid7_threat_command_ioc_rule_transform/fields/ecs.yml
+++ /dev/null
@@ -1,182 +0,0 @@
-- external: ecs
- name: threat.enrichments.indicator.as.number
-- external: ecs
- name: threat.enrichments.indicator.as.organization.name
-- external: ecs
- name: threat.enrichments.indicator.confidence
-- external: ecs
- name: threat.enrichments.indicator.description
-- external: ecs
- name: threat.enrichments.indicator.email.address
-- external: ecs
- name: threat.enrichments.indicator.file.hash.md5
-- external: ecs
- name: threat.enrichments.indicator.file.hash.sha1
-- external: ecs
- name: threat.enrichments.indicator.file.hash.sha256
-- external: ecs
- name: threat.enrichments.indicator.file.hash.sha384
-- external: ecs
- name: threat.enrichments.indicator.file.hash.sha512
-- external: ecs
- name: threat.enrichments.indicator.first_seen
-- external: ecs
- name: threat.enrichments.indicator.geo.city_name
-- external: ecs
- name: threat.enrichments.indicator.geo.continent_code
-- external: ecs
- name: threat.enrichments.indicator.geo.continent_name
-- external: ecs
- name: threat.enrichments.indicator.geo.country_iso_code
-- external: ecs
- name: threat.enrichments.indicator.geo.country_name
-- external: ecs
- name: threat.enrichments.indicator.geo.location
-- external: ecs
- name: threat.enrichments.indicator.geo.name
-- external: ecs
- name: threat.enrichments.indicator.geo.postal_code
-- external: ecs
- name: threat.enrichments.indicator.geo.region_iso_code
-- external: ecs
- name: threat.enrichments.indicator.geo.region_name
-- external: ecs
- name: threat.enrichments.indicator.geo.timezone
-- external: ecs
- name: threat.enrichments.indicator.ip
-- external: ecs
- name: threat.enrichments.indicator.last_seen
-- external: ecs
- name: threat.enrichments.indicator.modified_at
-- external: ecs
- name: threat.enrichments.indicator.provider
-- external: ecs
- name: threat.enrichments.indicator.type
-- external: ecs
- name: threat.enrichments.indicator.url.domain
-- external: ecs
- name: threat.enrichments.indicator.url.extension
-- external: ecs
- name: threat.enrichments.indicator.url.fragment
-- external: ecs
- name: threat.enrichments.indicator.url.full
- ignore_above: 4096
-- external: ecs
- name: threat.enrichments.indicator.url.original
- ignore_above: 4096
-- external: ecs
- name: threat.enrichments.indicator.url.password
-- external: ecs
- name: threat.enrichments.indicator.url.path
-- external: ecs
- name: threat.enrichments.indicator.url.port
-- external: ecs
- name: threat.enrichments.indicator.url.query
- ignore_above: 4096
-- external: ecs
- name: threat.enrichments.indicator.url.registered_domain
-- external: ecs
- name: threat.enrichments.indicator.url.scheme
-- external: ecs
- name: threat.enrichments.indicator.url.subdomain
-- external: ecs
- name: threat.enrichments.indicator.url.top_level_domain
-- external: ecs
- name: threat.enrichments.indicator.url.username
-- external: ecs
- name: threat.enrichments.matched.atomic
-- external: ecs
- name: threat.enrichments.matched.field
-- external: ecs
- name: threat.enrichments.matched.id
-- external: ecs
- name: threat.enrichments.matched.index
-- external: ecs
- name: threat.enrichments.matched.occurred
-- external: ecs
- name: threat.enrichments.matched.type
-- external: ecs
- name: threat.indicator.as.number
-- external: ecs
- name: threat.indicator.as.organization.name
-- external: ecs
- name: threat.indicator.confidence
-- external: ecs
- name: threat.indicator.description
-- external: ecs
- name: threat.indicator.email.address
-- external: ecs
- name: threat.indicator.file.hash.md5
-- external: ecs
- name: threat.indicator.file.hash.sha1
-- external: ecs
- name: threat.indicator.file.hash.sha256
-- external: ecs
- name: threat.indicator.file.hash.sha384
-- external: ecs
- name: threat.indicator.file.hash.sha512
-- external: ecs
- name: threat.indicator.first_seen
-- external: ecs
- name: threat.indicator.geo.city_name
-- external: ecs
- name: threat.indicator.geo.continent_code
-- external: ecs
- name: threat.indicator.geo.continent_name
-- external: ecs
- name: threat.indicator.geo.country_iso_code
-- external: ecs
- name: threat.indicator.geo.country_name
-- external: ecs
- name: threat.indicator.geo.location
-- external: ecs
- name: threat.indicator.geo.name
-- external: ecs
- name: threat.indicator.geo.postal_code
-- external: ecs
- name: threat.indicator.geo.region_iso_code
-- external: ecs
- name: threat.indicator.geo.region_name
-- external: ecs
- name: threat.indicator.geo.timezone
-- external: ecs
- name: threat.indicator.ip
-- external: ecs
- name: threat.indicator.last_seen
-- external: ecs
- name: threat.indicator.modified_at
-- external: ecs
- name: threat.indicator.provider
-- external: ecs
- name: threat.indicator.type
-- external: ecs
- name: threat.indicator.url.domain
-- external: ecs
- name: threat.indicator.url.extension
-- external: ecs
- name: threat.indicator.url.fragment
-- external: ecs
- name: threat.indicator.url.full
- ignore_above: 4096
-- external: ecs
- name: threat.indicator.url.original
- ignore_above: 4096
-- external: ecs
- name: threat.indicator.url.password
-- external: ecs
- name: threat.indicator.url.path
-- external: ecs
- name: threat.indicator.url.port
-- external: ecs
- name: threat.indicator.url.query
- ignore_above: 4096
-- external: ecs
- name: threat.indicator.url.registered_domain
-- external: ecs
- name: threat.indicator.url.scheme
-- external: ecs
- name: threat.indicator.url.subdomain
-- external: ecs
- name: threat.indicator.url.top_level_domain
-- external: ecs
- name: threat.indicator.url.username
diff --git a/packages/ti_rapid7_threat_command/_dev/deploy/docker/transform/ti_rapid7_threat_command_ioc_rule_transform/fields/fields.yml b/packages/ti_rapid7_threat_command/_dev/deploy/docker/transform/ti_rapid7_threat_command_ioc_rule_transform/fields/fields.yml
deleted file mode 100644
index 9a8d5de9c12..00000000000
--- a/packages/ti_rapid7_threat_command/_dev/deploy/docker/transform/ti_rapid7_threat_command_ioc_rule_transform/fields/fields.yml
+++ /dev/null
@@ -1,19 +0,0 @@
-- name: rapid7.tc.ioc
- type: group
- fields:
- - name: related
- type: group
- fields:
- - name: campaigns
- type: keyword
- - name: malware
- type: keyword
- - name: threat_actors
- type: keyword
- - name: tags
- type: keyword
- description: List of IOC tags.
- - name: value
- type: keyword
- description: IOC value.
- ignore_above: 4096
diff --git a/packages/ti_rapid7_threat_command/_dev/deploy/docker/transform/ti_rapid7_threat_command_ioc_rule_transform/manifest.yml b/packages/ti_rapid7_threat_command/_dev/deploy/docker/transform/ti_rapid7_threat_command_ioc_rule_transform/manifest.yml
deleted file mode 100644
index c3a2507fb30..00000000000
--- a/packages/ti_rapid7_threat_command/_dev/deploy/docker/transform/ti_rapid7_threat_command_ioc_rule_transform/manifest.yml
+++ /dev/null
@@ -1 +0,0 @@
-start: true
diff --git a/packages/ti_rapid7_threat_command/_dev/deploy/docker/transform/ti_rapid7_threat_command_ioc_rule_transform/transform.yml b/packages/ti_rapid7_threat_command/_dev/deploy/docker/transform/ti_rapid7_threat_command_ioc_rule_transform/transform.yml
deleted file mode 100644
index a1f5e6c0c73..00000000000
--- a/packages/ti_rapid7_threat_command/_dev/deploy/docker/transform/ti_rapid7_threat_command_ioc_rule_transform/transform.yml
+++ /dev/null
@@ -1,29 +0,0 @@
-source:
- index:
- - .internal.alerts-security.alerts-default-*
- query:
- bool:
- filter:
- - match_phrase:
- kibana.alert.rule.tags: Rapid7 Threat Command
- - match_phrase:
- kibana.alert.rule.tags: IOC
- - match_phrase:
- kibana.alert.rule.category: Indicator Match Rule
-dest:
- index: rapid7-tc-ioc-correlations
- pipeline: 0.1.0-ti_rapid7_threat_command-ioc-rule-transform-pipeline
-frequency: 30m
-sync:
- time:
- field: '@timestamp'
- delay: 60s
-latest:
- unique_key:
- - kibana.alert.uuid
- sort: '@timestamp'
-retention_policy:
- time:
- field: '@timestamp'
- max_age: 60d
-description: This transform creates index to populate the IOC Correlation and IOC Correlation Details Dashboards.
diff --git a/packages/ti_rapid7_threat_command/_dev/deploy/docker/transform/ti_rapid7_threat_command_unique_alert_transform/manifest.yml b/packages/ti_rapid7_threat_command/_dev/deploy/docker/transform/ti_rapid7_threat_command_unique_alert_transform/manifest.yml
deleted file mode 100644
index c3a2507fb30..00000000000
--- a/packages/ti_rapid7_threat_command/_dev/deploy/docker/transform/ti_rapid7_threat_command_unique_alert_transform/manifest.yml
+++ /dev/null
@@ -1 +0,0 @@
-start: true
diff --git a/packages/ti_rapid7_threat_command/_dev/deploy/docker/transform/ti_rapid7_threat_command_unique_alert_transform/transform.yml b/packages/ti_rapid7_threat_command/_dev/deploy/docker/transform/ti_rapid7_threat_command_unique_alert_transform/transform.yml
deleted file mode 100644
index be4a4f03e4a..00000000000
--- a/packages/ti_rapid7_threat_command/_dev/deploy/docker/transform/ti_rapid7_threat_command_unique_alert_transform/transform.yml
+++ /dev/null
@@ -1,25 +0,0 @@ -source: - index: - - logs-* - query: - bool: - should: - - match_phrase: - data_stream.dataset: ti_rapid7_threat_command.alert - minimum_should_match: 1 -dest: - index: rapid7-tc-unique-alerts -frequency: 30m -sync: - time: - field: 'event.ingested' - delay: 60s -latest: - unique_key: - - event.id - sort: '@timestamp' -retention_policy: - time: - field: '@timestamp' - max_age: 180d -description: This transform creates index to maintain unique values of Alerts. diff --git a/packages/ti_rapid7_threat_command/_dev/deploy/docker/transform/ti_rapid7_threat_command_unique_cve_transform/fields/overridden-ecs.yml b/packages/ti_rapid7_threat_command/_dev/deploy/docker/transform/ti_rapid7_threat_command_unique_cve_transform/fields/overridden-ecs.yml deleted file mode 100644 index 230ed31e27c..00000000000 --- a/packages/ti_rapid7_threat_command/_dev/deploy/docker/transform/ti_rapid7_threat_command_unique_cve_transform/fields/overridden-ecs.yml +++ /dev/null @@ -1,4 +0,0 @@ -- name: event.original - type: keyword - ignore_above: 8191 - description: Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. diff --git a/packages/ti_rapid7_threat_command/_dev/deploy/docker/transform/ti_rapid7_threat_command_unique_cve_transform/manifest.yml b/packages/ti_rapid7_threat_command/_dev/deploy/docker/transform/ti_rapid7_threat_command_unique_cve_transform/manifest.yml deleted file mode 100644 index c3a2507fb30..00000000000 --- a/packages/ti_rapid7_threat_command/_dev/deploy/docker/transform/ti_rapid7_threat_command_unique_cve_transform/manifest.yml +++ /dev/null @@ -1 +0,0 @@ -start: true 
diff --git a/packages/ti_rapid7_threat_command/_dev/deploy/docker/transform/ti_rapid7_threat_command_unique_cve_transform/transform.yml b/packages/ti_rapid7_threat_command/_dev/deploy/docker/transform/ti_rapid7_threat_command_unique_cve_transform/transform.yml deleted file mode 100644 index 6a38a6bce69..00000000000 --- a/packages/ti_rapid7_threat_command/_dev/deploy/docker/transform/ti_rapid7_threat_command_unique_cve_transform/transform.yml +++ /dev/null @@ -1,25 +0,0 @@ -source: - index: - - logs-* - query: - bool: - should: - - match_phrase: - data_stream.dataset: ti_rapid7_threat_command.vulnerability - minimum_should_match: 1 -dest: - index: rapid7-tc-unique-cves -frequency: 30m -sync: - time: - field: 'event.ingested' - delay: 60s -latest: - unique_key: - - vulnerability.id - sort: '@timestamp' -retention_policy: - time: - field: '@timestamp' - max_age: 180d -description: This transform creates index to maintain unique values of CVEs. diff --git a/packages/ti_rapid7_threat_command/_dev/deploy/docker/transform/ti_rapid7_threat_command_unique_ioc_transform/manifest.yml b/packages/ti_rapid7_threat_command/_dev/deploy/docker/transform/ti_rapid7_threat_command_unique_ioc_transform/manifest.yml deleted file mode 100644 index c3a2507fb30..00000000000 --- a/packages/ti_rapid7_threat_command/_dev/deploy/docker/transform/ti_rapid7_threat_command_unique_ioc_transform/manifest.yml +++ /dev/null @@ -1 +0,0 @@ -start: true diff --git a/packages/ti_rapid7_threat_command/_dev/deploy/docker/transform/ti_rapid7_threat_command_unique_ioc_transform/transform.yml b/packages/ti_rapid7_threat_command/_dev/deploy/docker/transform/ti_rapid7_threat_command_unique_ioc_transform/transform.yml deleted file mode 100644 index f8a94c4a4a8..00000000000 --- a/packages/ti_rapid7_threat_command/_dev/deploy/docker/transform/ti_rapid7_threat_command_unique_ioc_transform/transform.yml +++ /dev/null 
@@ -1,22 +0,0 @@ -source: - index: - - logs-* - query: - bool: - should: - - match_phrase: - data_stream.dataset: ti_rapid7_threat_command.ioc - minimum_should_match: 1 -dest: - index: rapid7-tc-unique-iocs - pipeline: 0.1.0-ti_rapid7_threat_command-unique-ioc-transform-pipeline -frequency: 30m -sync: - time: - field: 'event.ingested' - delay: 60s -latest: - unique_key: - - rapid7.tc.ioc.value - sort: '@timestamp' -description: This transform creates index to maintain unique values of IOCs. diff --git a/packages/ti_rapid7_threat_command/changelog.yml b/packages/ti_rapid7_threat_command/changelog.yml index b1620a43bf1..dcfbb2ef0b6 100644 --- a/packages/ti_rapid7_threat_command/changelog.yml +++ b/packages/ti_rapid7_threat_command/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "2.0.0" + changes: + - description: Add support for IOC expiration + type: enhancement + link: https://github.com/elastic/integrations/pull/9925 - version: "1.17.0" changes: - description: Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template. diff --git a/packages/ti_rapid7_threat_command/data_stream/alert/fields/fields.yml b/packages/ti_rapid7_threat_command/data_stream/alert/fields/fields.yml index b9441f4bf8a..e48e7e8dfab 100644 --- a/packages/ti_rapid7_threat_command/data_stream/alert/fields/fields.yml +++ b/packages/ti_rapid7_threat_command/data_stream/alert/fields/fields.yml @@ -2,7 +2,7 @@ type: group fields: - name: assets - type: nested + type: group fields: - name: type type: keyword @@ -50,7 +50,7 @@ type: keyword description: Subtype of an alert. - name: tags - type: nested + type: group fields: - name: created_by type: keyword diff --git a/packages/ti_rapid7_threat_command/data_stream/alert/sample_event.json b/packages/ti_rapid7_threat_command/data_stream/alert/sample_event.json index 2ba8d382df8..6f761bf1e94 100644 
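Review bot: Switching `assets` and `tags` from `nested` to `group` flattens each array of objects into parallel keyword arrays, so a query such as `assets.type: Domains AND assets.value: example.com` will also match an alert whose `Domains` entry and `example.com` value come from two different elements; any detection rule or dashboard filter that pairs `type` with `value` (or `tags.created_by` with `tags.name`) can therefore over-match. If the flattening is intentional (for example because the consumers of this data stream cannot handle nested fields), that trade-off should be stated on the field definition, e.g. `description: Alert assets; flattened, so type/value pairs are not correlated per element.`, and the 2.0.0 changelog entry should mention that the mapping type changed. The enclosing `rapid7.tc.alert` group definition starts before this hunk.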
--- a/packages/ti_rapid7_threat_command/data_stream/alert/sample_event.json +++ b/packages/ti_rapid7_threat_command/data_stream/alert/sample_event.json @@ -1,11 +1,11 @@ { - "@timestamp": "2022-11-02T10:03:56.139Z", + "@timestamp": "2022-11-02T10:12:46.260Z", "agent": { - "ephemeral_id": "743b16ad-875e-4038-9516-8f13a9aa47df", - "id": "dc81497a-8431-4ec0-aeca-be9bfd9982ba", + "ephemeral_id": "0a1f430f-ec76-4046-9683-49dd5ebaeab2", + "id": "34592ccf-10ae-4d24-a28c-97be832bde99", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.11.0" + "version": "8.13.0" }, "data_stream": { "dataset": "ti_rapid7_threat_command.alert", 
@@ -16,20 +16,20 @@ "version": "8.11.0" }, "elastic_agent": { - "id": "dc81497a-8431-4ec0-aeca-be9bfd9982ba", - "snapshot": true, - "version": "8.11.0" + "id": "34592ccf-10ae-4d24-a28c-97be832bde99", + "snapshot": false, + "version": "8.13.0" }, "event": { "agent_id_status": "verified", - "created": "2023-09-26T13:25:23.714Z", + "created": "2024-06-26T07:01:05.859Z", "dataset": "ti_rapid7_threat_command.alert", - "id": "123456789abcdefgh8866123", - "ingested": "2023-09-26T13:25:26Z", + "id": "123456789zxcvbnmas8a8q60", + "ingested": "2024-06-26T07:01:15Z", "kind": "alert", "module": "ti_rapid7_threat_command", - "original": "{\"Assets\":[{\"Type\":\"Domains\",\"Value\":\"example.com\"}],\"Assignees\":[],\"Closed\":{\"IsClosed\":true},\"Details\":{\"Description\":\"A suspicious domain 'example.com' was found to have characteristics indicating it may be used to carry out phishing attacks. | Recommendations: It is recommended to block the domain in your URL filtering and mail systems. This can prevent phishing emails being received by your employees and access to websites attempting to steal sensitive information. 
Click “Remediate” in order to initiate the takedown process for this domain.\",\"Images\":[\"1al5s6789z6e2b0m9s8a8q60\"],\"Severity\":\"Low\",\"Source\":{\"NetworkType\":\"ClearWeb\",\"Type\":\"WHOIS servers\",\"URL\":\"http://example.com\"},\"SubType\":\"RegisteredSuspiciousDomain\",\"Tags\":[{\"CreatedBy\":\"ProfilingRule\",\"Name\":\"Phishing Domain - Default Detection Rule\",\"_id\":\"1al3p6789zxcvbnmas8a8q60\"}],\"Title\":\"Suspected Phishing Domain - 'example.com'\",\"Type\":\"Phishing\"},\"FoundDate\":\"2022-11-02T10:03:56.139Z\",\"IsFlagged\":false,\"RelatedIocs\":[\"example.com\"],\"RelatedThreatIDs\":[\"6a4e7t9a111bd0003bcc2a57\"],\"TakedownStatus\":\"NotSent\",\"UpdateDate\":\"2022-11-02T10:03:56.139Z\",\"_id\":\"123456789abcdefgh8866123\"}", - "reference": "https://dashboard.ti.insight.rapid7.com/#/threat-command/alerts/?search=123456789abcdefgh8866123" + "original": "{\"Assets\":[{\"Type\":\"Domains\",\"Value\":\"example.com\"}],\"Assignees\":[],\"Closed\":{\"IsClosed\":true},\"Details\":{\"Description\":\"A suspicious subdomain 'example.com' was found to have characteristics indicating it may be used to carry out phishing attacks. | Recommendations: It is recommended to block the domain in your URL filtering and mail systems. This can prevent phishing emails being received by your employees and access to websites attempting to steal sensitive information. 
Click “Remediate” in order to initiate the takedown process for this domain.\",\"Images\":[],\"Severity\":\"Low\",\"Source\":{\"NetworkType\":\"ClearWeb\",\"Type\":\"WHOIS servers\",\"URL\":\"http://example.com\"},\"SubType\":\"RegisteredSuspiciousDomain\",\"Tags\":[{\"CreatedBy\":\"ProfilingRule\",\"Name\":\"Phishing Domain - Default Detection Rule\",\"_id\":\"1al3p6789z6c2b7m9s8a8q60\"}],\"Title\":\"Suspected Phishing Domain - 'example.com'\",\"Type\":\"Phishing\"},\"FoundDate\":\"2022-11-02T10:12:46.260Z\",\"IsFlagged\":false,\"RelatedIocs\":[\"example.com\"],\"RelatedThreatIDs\":[\"6a4e7t9a111bd0003bcc2a55\"],\"TakedownStatus\":\"NotSent\",\"UpdateDate\":\"2022-11-02T10:12:46.260Z\",\"_id\":\"123456789zxcvbnmas8a8q60\"}", + "reference": "https://dashboard.ti.insight.rapid7.com/#/threat-command/alerts/?search=123456789zxcvbnmas8a8q60" }, "input": { "type": "httpjson" @@ -44,10 +44,7 @@ } ], "details": { - "description": "A suspicious domain 'example.com' was found to have characteristics indicating it may be used to carry out phishing attacks. | Recommendations: It is recommended to block the domain in your URL filtering and mail systems. This can prevent phishing emails being received by your employees and access to websites attempting to steal sensitive information. Click “Remediate” in order to initiate the takedown process for this domain.", - "images": [ - "1al5s6789z6e2b0m9s8a8q60" - ], + "description": "A suspicious subdomain 'example.com' was found to have characteristics indicating it may be used to carry out phishing attacks. | Recommendations: It is recommended to block the domain in your URL filtering and mail systems. This can prevent phishing emails being received by your employees and access to websites attempting to steal sensitive information. Click “Remediate” in order to initiate the takedown process for this domain.", "severity": "Low", "source": { "network_type": "ClearWeb", 
@@ -58,25 +55,25 @@ "tags": [ { "created_by": "ProfilingRule", - "id": "1al3p6789zxcvbnmas8a8q60", + "id": "1al3p6789z6c2b7m9s8a8q60", "name": "Phishing Domain - Default Detection Rule" } ], "title": "Suspected Phishing Domain - 'example.com'", "type": "Phishing" }, - "found_date": "2022-11-02T10:03:56.139Z", - "id": "123456789abcdefgh8866123", + "found_date": "2022-11-02T10:12:46.260Z", + "id": "123456789zxcvbnmas8a8q60", "is_closed": true, "is_flagged": false, "related_iocs": [ "example.com" ], "related_threat_ids": [ - "6a4e7t9a111bd0003bcc2a57" + "6a4e7t9a111bd0003bcc2a55" ], "takedown_status": "NotSent", - "update_date": "2022-11-02T10:03:56.139Z" + "update_date": "2022-11-02T10:12:46.260Z" } } }, @@ -86,4 +83,4 @@ "rapid7-threat-command-alert", "Phishing Domain - Default Detection Rule" ] -} +} \ No newline at end of file diff --git a/packages/ti_rapid7_threat_command/data_stream/ioc/_dev/test/pipeline/test-common-config.yml b/packages/ti_rapid7_threat_command/data_stream/ioc/_dev/test/pipeline/test-common-config.yml index 36a61b6a6fd..26327479955 100644 --- a/packages/ti_rapid7_threat_command/data_stream/ioc/_dev/test/pipeline/test-common-config.yml +++ b/packages/ti_rapid7_threat_command/data_stream/ioc/_dev/test/pipeline/test-common-config.yml @@ -1,6 +1,8 @@ fields: tags: - preserve_original_event + _conf: + ioc_expiration_duration: 5d dynamic_fields: # This can be removed after ES 8.14 is the minimum version. # Relates: https://github.com/elastic/elasticsearch/pull/105689 diff --git a/packages/ti_rapid7_threat_command/data_stream/ioc/_dev/test/pipeline/test-ioc-event.json-expected.json b/packages/ti_rapid7_threat_command/data_stream/ioc/_dev/test/pipeline/test-ioc-event.json-expected.json index c2f29f3b740..60bb431e77e 100644 --- a/packages/ti_rapid7_threat_command/data_stream/ioc/_dev/test/pipeline/test-ioc-event.json-expected.json +++ b/packages/ti_rapid7_threat_command/data_stream/ioc/_dev/test/pipeline/test-ioc-event.json-expected.json 
@@ -20,6 +20,8 @@ "rapid7": { "tc": { "ioc": { + "deleted_at": "2022-05-01T00:42:52.707Z", + "expiration_duration": "5d", "first_seen": "2022-04-26T00:07:31.971Z", "last_seen": "2022-04-26T00:07:31.971Z", "last_update_date": "2022-04-26T00:42:52.707Z", @@ -53,6 +55,7 @@ "first_seen": "2022-04-26T00:07:31.971Z", "last_seen": "2022-04-26T00:07:31.971Z", "modified_at": "2022-04-26T00:42:52.707Z", + "name": "http://example.com/test/abc", "provider": [ "Test Feed1", "Test Feed2" @@ -88,6 +91,8 @@ "rapid7": { "tc": { "ioc": { + "deleted_at": "2022-05-07T12:46:58.392Z", + "expiration_duration": "5d", "first_seen": "2019-07-05T09:49:18.001Z", "last_seen": "2020-11-29T13:54:24.794Z", "last_update_date": "2022-05-02T12:46:58.392Z", @@ -131,6 +136,7 @@ "first_seen": "2019-07-05T09:49:18.001Z", "last_seen": "2020-11-29T13:54:24.794Z", "modified_at": "2022-05-02T12:46:58.392Z", + "name": "2aae6c35c94fcfb415dbe95f408b9ce91ee846ed", "provider": [ "Test Feed" ], @@ -158,6 +164,8 @@ "rapid7": { "tc": { "ioc": { + "deleted_at": "2022-05-07T12:46:58.391Z", + "expiration_duration": "5d", "first_seen": "2019-08-08T17:00:22.878Z", "last_seen": "2021-01-20T10:17:55.664Z", "last_update_date": "2022-05-02T12:46:58.391Z", @@ -204,6 +212,7 @@ "first_seen": "2019-08-08T17:00:22.878Z", "last_seen": "2021-01-20T10:17:55.664Z", "modified_at": "2022-05-02T12:46:58.391Z", + "name": "5eb63bbbe01eeed093cb22bb8f5acdc3", "provider": [ "Test Feed" ], @@ -230,6 +239,8 @@ "rapid7": { "tc": { "ioc": { + "deleted_at": "2022-05-07T12:12:52.797Z", + "expiration_duration": "5d", "first_seen": "2022-02-22T16:14:54.217Z", "last_seen": "2022-02-25T16:09:01.031Z", "last_update_date": "2022-05-02T12:12:52.797Z", @@ -261,6 +272,7 @@ "first_seen": "2022-02-22T16:14:54.217Z", "last_seen": "2022-02-25T16:09:01.031Z", "modified_at": "2022-05-02T12:12:52.797Z", + "name": "example.com", "provider": [ "Test Feed" ], 
@@ -291,6 +303,8 @@ "rapid7": { "tc": { "ioc": { + "deleted_at": "2022-05-02T12:07:13.029Z", + "expiration_duration": "5d", "first_seen": "2021-12-05T04:59:45.194Z", "geolocation": "US", "last_seen": "2022-05-02T11:51:13.296Z", @@ -335,6 +349,7 @@ "ip": "1.128.3.4", "last_seen": "2022-05-02T11:51:13.296Z", "modified_at": "2022-05-02T12:07:13.029Z", + "name": "1.128.3.4", "provider": [ "Test Feed" ], @@ -362,6 +377,8 @@ "rapid7": { "tc": { "ioc": { + "deleted_at": "2022-05-03T11:42:22.219Z", + "expiration_duration": "5d", "first_seen": "2022-03-14T20:49:18.675Z", "geolocation": "SG", "last_seen": "2022-05-03T11:33:36.880Z", @@ -415,6 +432,7 @@ "ip": "89.160.20.112", "last_seen": "2022-05-03T11:33:36.880Z", "modified_at": "2022-05-03T11:42:22.219Z", + "name": "89.160.20.112", "provider": [ "Test Feed" ], @@ -442,6 +460,8 @@ "rapid7": { "tc": { "ioc": { + "deleted_at": "2022-05-09T18:45:30.843Z", + "expiration_duration": "5d", "first_seen": "2021-11-12T15:03:32.730Z", "last_seen": "2022-05-04T18:15:25.301Z", "last_update_date": "2022-05-04T18:45:30.843Z", @@ -474,6 +494,7 @@ "first_seen": "2021-11-12T15:03:32.730Z", "last_seen": "2022-05-04T18:15:25.301Z", "modified_at": "2022-05-04T18:45:30.843Z", + "name": "example.com/", "provider": [ "Test Feed" ], diff --git a/packages/ti_rapid7_threat_command/data_stream/ioc/_dev/test/system/test-default-config.yml b/packages/ti_rapid7_threat_command/data_stream/ioc/_dev/test/system/test-default-config.yml index 5cf4d1624a9..0ab0ae57434 100644 --- a/packages/ti_rapid7_threat_command/data_stream/ioc/_dev/test/system/test-default-config.yml +++ b/packages/ti_rapid7_threat_command/data_stream/ioc/_dev/test/system/test-default-config.yml @@ -8,3 +8,4 @@ vars: data_stream: vars: preserve_original_event: true + ioc_expiration_duration: 50d 
diff --git a/packages/ti_rapid7_threat_command/data_stream/ioc/agent/stream/httpjson.yml.hbs b/packages/ti_rapid7_threat_command/data_stream/ioc/agent/stream/httpjson.yml.hbs index ea32b3dffcc..12d8033333f 100644 --- a/packages/ti_rapid7_threat_command/data_stream/ioc/agent/stream/httpjson.yml.hbs +++ b/packages/ti_rapid7_threat_command/data_stream/ioc/agent/stream/httpjson.yml.hbs @@ -62,6 +62,13 @@ response.split: target: body.content ignore_empty_value: true +{{#if ioc_expiration_duration}} +fields_under_root: true +fields: + _conf: + ioc_expiration_duration: "{{ioc_expiration_duration}}" +{{/if}} + tags: {{#if preserve_original_event}} - preserve_original_event diff --git a/packages/ti_rapid7_threat_command/data_stream/ioc/elasticsearch/ilm/default_policy.json b/packages/ti_rapid7_threat_command/data_stream/ioc/elasticsearch/ilm/default_policy.json new file mode 100644 index 00000000000..ec3f7c9942e --- /dev/null +++ b/packages/ti_rapid7_threat_command/data_stream/ioc/elasticsearch/ilm/default_policy.json @@ -0,0 +1,23 @@ +{ + "policy": { + "phases": { + "hot": { + "actions": { + "rollover": { + "max_age": "1d", + "max_size": "50gb" + }, + "set_priority": { + "priority": 100 + } + } + }, + "delete": { + "min_age": "4d", + "actions": { + "delete": {} + } + } + } + } +} \ No newline at end of file diff --git a/packages/ti_rapid7_threat_command/data_stream/ioc/elasticsearch/ingest_pipeline/default.yml b/packages/ti_rapid7_threat_command/data_stream/ioc/elasticsearch/ingest_pipeline/default.yml index 00e8ee64910..660a7bcedfc 100644 --- a/packages/ti_rapid7_threat_command/data_stream/ioc/elasticsearch/ingest_pipeline/default.yml +++ b/packages/ti_rapid7_threat_command/data_stream/ioc/elasticsearch/ingest_pipeline/default.yml 
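Review bot: The new ILM policy deletes the raw IOC backing indices at `"min_age": "4d"` after a `1d` rollover, while the data stream's `lifecycle.yml` introduced in the same change sets `data_retention: "5d"`; if both are meant to express the same source-index retention they should agree, otherwise a reader cannot tell which one applies on a given deployment. I would also document the intent on the manifest side, e.g. a comment next to `ilm_policy:` saying the raw feed is only a transform source and is deliberately short-lived, since anyone expecting 90 days of indicator history here will be surprised. In the `httpjson.yml.hbs` hunk, `fields_under_root: true` is emitted only inside `{{#if ioc_expiration_duration}}`, which is fine today but worth a comment because any future field added to `fields:` will silently be conditional on that variable.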
@@ -264,6 +264,42 @@ processors: ignore_empty_value: true if: ctx.threat?.indicator?.geo?.country_iso_code == null ignore_failure: true + - set: + field: threat.indicator.name + copy_from: threat.indicator.url.original + ignore_empty_value: true + if: ctx.threat?.indicator?.url?.original != null && ctx.threat.indicator.type == 'url' + - set: + field: threat.indicator.name + copy_from: threat.indicator.url.domain + ignore_empty_value: true + if: ctx.threat?.indicator?.url?.domain != null && ctx.threat.indicator.type == 'domain-name' + - set: + field: threat.indicator.name + copy_from: threat.indicator.ip + ignore_empty_value: true + if: >- + ctx.threat?.indicator?.ip != null && ( + ctx.threat.indicator.type == 'ipv4-addr' || + ctx.threat.indicator.type == 'ipv6-addr' + ) + - set: + field: threat.indicator.name + copy_from: threat.indicator.email.address + ignore_empty_value: true + if: ctx.threat?.indicator?.email?.address == 'email-addr' + - set: + field: threat.indicator.name + copy_from: threat.indicator.file.hash.md5 + ignore_empty_value: true + - set: + field: threat.indicator.name + copy_from: threat.indicator.file.hash.sha1 + ignore_empty_value: true + - set: + field: threat.indicator.name + copy_from: threat.indicator.file.hash.sha256 + ignore_empty_value: true - foreach: field: json.reported_feeds processor: 
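Review bot: The email branch compares the address value to the literal type name — `if: ctx.threat?.indicator?.email?.address == 'email-addr'` — so `threat.indicator.name` is never set for email indicators unless an address happens to be the string "email-addr"; the sibling url/domain/ip branches show the intended shape, `if: ctx.threat?.indicator?.email?.address != null && ctx.threat.indicator.type == 'email-addr'`. The three hash setters carry no `if` at all, so when a document has several hashes the last one (sha256) silently wins; if that precedence is deliberate a one-line comment on the md5 setter (`# name precedence for hashes: sha256 > sha1 > md5`) would save the next reader from guessing. Note that `threat.indicator.name` is the value indicator-match rules commonly key on, so a missing name means the email IOCs never match.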
@@ -311,6 +347,65 @@ processors: return; } ignore_failure: true + - script: + lang: painless + tag: script-default-deleted_at + if: ctx.rapid7?.tc?.ioc?.deleted_at == null && ctx._conf?.ioc_expiration_duration != null && ctx._conf.ioc_expiration_duration != '' + description: Indicator Expiration is done after `_conf.ioc_expiration_duration` (default 90d) since its creation time. This script adds a default `rapid7.tc.ioc.deleted_at` field to allow indicator expiration. + source: > + ZonedDateTime _tmp_deleted_at; + ZonedDateTime _tmp_last_seen; + if (ctx.rapid7.tc.ioc.status instanceof String && ctx.rapid7.tc.ioc.status.toLowerCase().contains('retire')) { + _tmp_deleted_at = ZonedDateTime.parse(ctx['@timestamp']); + } + else { + def dur = ctx._conf.ioc_expiration_duration; + if (ctx.threat?.indicator?.modified_at != null) { + _tmp_last_seen = ZonedDateTime.parse(ctx.threat.indicator.modified_at); + } + else if (ctx.threat?.indicator?.last_seen != null) { + _tmp_last_seen = ZonedDateTime.parse(ctx.threat.indicator.last_seen); + } + else { + _tmp_last_seen = ZonedDateTime.parse(ctx.threat.indicator.first_seen); + } + if (dur instanceof String){ + String time_unit = dur.substring(dur.length() - 1); + String time_value = dur.substring(0, dur.length() - 1); + if (time_unit == 'd') { + _tmp_deleted_at = _tmp_last_seen.plusDays(Long.parseLong(time_value)); + } else if (time_unit == 'h') { + _tmp_deleted_at = _tmp_last_seen.plusHours(Long.parseLong(time_value)); + } else if (time_unit == 'm') { + _tmp_deleted_at = _tmp_last_seen.plusMinutes(Long.parseLong(time_value)); + } + } + // Add default IOC expiration of `90 days` from last_seen if '_conf.ioc_expiration_duration' is an invalid value. 
+ if (_tmp_deleted_at == null) { + _tmp_deleted_at = _tmp_last_seen.plusDays(90L); + } + } + ctx.rapid7.tc.ioc.deleted_at = _tmp_deleted_at; + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - date: + field: rapid7.tc.ioc.deleted_at + tag: date_deleted_at + target_field: rapid7.tc.ioc.deleted_at + formats: + - ISO8601 + - UNIX + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: _conf.ioc_expiration_duration + tag: rename_conf_ioc_expiration_duration + target_field: rapid7.tc.ioc.expiration_duration + ignore_missing: true - script: lang: painless description: This script processor iterates over the whole document to remove fields with null values. diff --git a/packages/ti_rapid7_threat_command/data_stream/ioc/fields/fields.yml b/packages/ti_rapid7_threat_command/data_stream/ioc/fields/fields.yml index 83e94b0b220..58feba97d49 100644 --- a/packages/ti_rapid7_threat_command/data_stream/ioc/fields/fields.yml +++ b/packages/ti_rapid7_threat_command/data_stream/ioc/fields/fields.yml @@ -29,7 +29,7 @@ type: keyword description: List of IOC related threat actors. - name: reported_feeds - type: nested + type: group fields: - name: confidence type: double @@ -62,3 +62,11 @@ - name: whitelisted type: keyword description: An indicator which states if the IOC was checked and found as whitelisted or not. + - name: deleted_at + type: date + description: | + The timestamp when indicator is (or will be) expired. + - name: expiration_duration + type: keyword + description: | + The configured expiration duration. 
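Review bot: `Long.parseLong(time_value)` throws `NumberFormatException` for a value such as `abc` or `1.5d`, and nothing catches it, so the fallback to 90 days at `if (_tmp_deleted_at == null)` only covers an unrecognised unit letter; for a malformed number the script aborts, `on_failure` appends to `error.message`, `rapid7.tc.ioc.deleted_at` is never written and the indicator never expires, contrary to the "default value 90d" wording in the manifest description. Wrapping the three unit branches in `try { … } catch (NumberFormatException e) { _tmp_deleted_at = null; }` makes the documented fallback real. Two further unguarded dereferences in the same script can trip the same `on_failure` path: `ctx.rapid7.tc.ioc.status` is read without `?.` although the `if:` only null-checks `deleted_at`, and `ZonedDateTime.parse(ctx.threat.indicator.first_seen)` is the final else branch with no null check, so a feed record lacking all three timestamps fails rather than expiring.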
diff --git a/packages/ti_rapid7_threat_command/data_stream/ioc/fields/is-ioc-transform-source.yml b/packages/ti_rapid7_threat_command/data_stream/ioc/fields/is-ioc-transform-source.yml new file mode 100644 index 00000000000..cada3823491 --- /dev/null +++ b/packages/ti_rapid7_threat_command/data_stream/ioc/fields/is-ioc-transform-source.yml @@ -0,0 +1,4 @@ +- name: labels.is_ioc_transform_source + type: constant_keyword + value: "true" + description: Field indicating if its the transform source for supporting IOC expiration. This field is dropped from destination indices to facilitate easier filtering of indicators. diff --git a/packages/ti_rapid7_threat_command/data_stream/ioc/lifecycle.yml b/packages/ti_rapid7_threat_command/data_stream/ioc/lifecycle.yml new file mode 100644 index 00000000000..5a4af9095b7 --- /dev/null +++ b/packages/ti_rapid7_threat_command/data_stream/ioc/lifecycle.yml @@ -0,0 +1 @@ +data_retention: "5d" diff --git a/packages/ti_rapid7_threat_command/data_stream/ioc/manifest.yml b/packages/ti_rapid7_threat_command/data_stream/ioc/manifest.yml index 4a69485ce43..446fb083b07 100644 --- a/packages/ti_rapid7_threat_command/data_stream/ioc/manifest.yml +++ b/packages/ti_rapid7_threat_command/data_stream/ioc/manifest.yml @@ -1,5 +1,6 @@ title: Rapid7 Threat Command IOCs type: logs +ilm_policy: logs-ti_rapid7_threat_command.ioc-default_policy streams: - input: httpjson title: Rapid7 Threat Command IOCs 
@@ -22,6 +23,14 @@ streams: multi: false required: true show_user: true + - name: ioc_expiration_duration + type: text + title: IOC Expiration Duration + multi: false + required: true + show_user: true + description: >- + Enforces all active IOCs to expire after this duration since their last seen time indicated in the feed. Use [Elasticsearch time units](https://www.elastic.co/guide/en/elasticsearch/reference/current/api-conventions.html#time-units) in days, hours, or minutes (e.g `10d`). If invalid units are provided, default value `90d` i.e., 90 days is used. Check `README` for more details how IOC expiration works and removal of custom transforms and views used in older versions. - name: severities type: text title: IOC Severities diff --git a/packages/ti_rapid7_threat_command/data_stream/ioc/sample_event.json b/packages/ti_rapid7_threat_command/data_stream/ioc/sample_event.json index 77f116a569f..5e95b750cec 100644 --- a/packages/ti_rapid7_threat_command/data_stream/ioc/sample_event.json +++ b/packages/ti_rapid7_threat_command/data_stream/ioc/sample_event.json @@ -1,11 +1,11 @@ { - "@timestamp": "2022-05-05T10:39:07.851Z", + "@timestamp": "2022-06-16T10:39:07.851Z", "agent": { - "ephemeral_id": "26a79bb1-c4ec-498b-b31e-e125ba1f3bc3", - "id": "dc81497a-8431-4ec0-aeca-be9bfd9982ba", + "ephemeral_id": "bc74bf1e-3b49-4a4f-b121-ce54d80ad098", + "id": "34592ccf-10ae-4d24-a28c-97be832bde99", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.11.0" + "version": "8.13.0" }, "data_stream": { "dataset": "ti_rapid7_threat_command.ioc", 
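Review bot: `ioc_expiration_duration` is `required: true` with no `default`, so integration policies upgraded from 1.x carry no value; the input template only emits `_conf.ioc_expiration_duration` inside `{{#if ioc_expiration_duration}}`, and the pipeline script is gated on `ctx._conf?.ioc_expiration_duration != null`, so on such a policy no `deleted_at` is written and indicators simply never expire, which is the opposite of what the 2.0.0 changelog advertises. Adding `default: 90d` next to `required: true` closes that gap and matches the fallback the description already promises. The description's claim that invalid units fall back to `90d` is also only true for an unknown unit letter, not for a non-numeric value, so either tighten the wording (`must be <integer>d|h|m`) or make the pipeline tolerate it.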
@@ -16,21 +16,21 @@ "version": "8.11.0" }, "elastic_agent": { - "id": "dc81497a-8431-4ec0-aeca-be9bfd9982ba", - "snapshot": true, - "version": "8.11.0" + "id": "34592ccf-10ae-4d24-a28c-97be832bde99", + "snapshot": false, + "version": "8.13.0" }, "event": { "agent_id_status": "verified", "category": [ "threat" ], - "created": "2023-09-26T13:26:21.497Z", + "created": "2024-06-26T07:01:52.941Z", "dataset": "ti_rapid7_threat_command.ioc", - "ingested": "2023-09-26T13:26:22Z", + "ingested": "2024-06-26T07:02:02Z", "kind": "enrichment", "module": "ti_rapid7_threat_command", - "original": "{\"firstSeen\":\"2022-05-04T20:11:04.000Z\",\"lastSeen\":\"2022-05-04T20:11:04.000Z\",\"lastUpdateDate\":\"2022-05-05T10:39:07.851Z\",\"relatedCampaigns\":[],\"relatedMalware\":[\"remcos\"],\"relatedThreatActors\":[],\"reportedFeeds\":[{\"confidenceLevel\":2,\"id\":\"5b68306df84f7c8696047fdd\",\"name\":\"Test Feed\"}],\"score\":13.26086956521739,\"severity\":\"Low\",\"status\":\"Active\",\"tags\":[\"Test\"],\"type\":\"IpAddresses\",\"value\":\"89.160.20.112\",\"whitelisted\":false}", + "original": "{\"firstSeen\":\"2022-05-04T20:11:04.000Z\",\"lastSeen\":\"2022-06-15T20:11:04.000Z\",\"lastUpdateDate\":\"2022-06-16T10:39:07.851Z\",\"relatedCampaigns\":[],\"relatedMalware\":[\"remcos\"],\"relatedThreatActors\":[],\"reportedFeeds\":[{\"confidenceLevel\":2,\"id\":\"5b68306df84f7c8696047fdd\",\"name\":\"Test Feed\"}],\"score\":13.26086956521739,\"severity\":\"Low\",\"status\":\"Active\",\"tags\":[\"Test\"],\"type\":\"IpAddresses\",\"value\":\"89.160.20.112\",\"whitelisted\":false}", "risk_score": 13.26087, "type": [ "indicator" 
@@ -42,9 +42,11 @@ "rapid7": { "tc": { "ioc": { + "deleted_at": "2022-08-05T10:39:07.851Z", + "expiration_duration": "50d", "first_seen": "2022-05-04T20:11:04.000Z", - "last_seen": "2022-05-04T20:11:04.000Z", - "last_update_date": "2022-05-05T10:39:07.851Z", + "last_seen": "2022-06-15T20:11:04.000Z", + "last_update_date": "2022-06-16T10:39:07.851Z", "related": { "malware": [ "remcos" @@ -103,12 +105,13 @@ "region_name": "Östergötland County" }, "ip": "89.160.20.112", - "last_seen": "2022-05-04T20:11:04.000Z", - "modified_at": "2022-05-05T10:39:07.851Z", + "last_seen": "2022-06-15T20:11:04.000Z", + "modified_at": "2022-06-16T10:39:07.851Z", + "name": "89.160.20.112", "provider": [ "Test Feed" ], "type": "ipv4-addr" } } -} +} \ No newline at end of file diff --git a/packages/ti_rapid7_threat_command/data_stream/vulnerability/sample_event.json b/packages/ti_rapid7_threat_command/data_stream/vulnerability/sample_event.json index 6934808976d..6fead7e4343 100644 --- a/packages/ti_rapid7_threat_command/data_stream/vulnerability/sample_event.json +++ b/packages/ti_rapid7_threat_command/data_stream/vulnerability/sample_event.json @@ -1,11 +1,11 @@ { "@timestamp": "2020-08-24T21:46:48.619Z", "agent": { - "ephemeral_id": "79ef7310-154a-4f30-a450-263900ebad89", - "id": "dc81497a-8431-4ec0-aeca-be9bfd9982ba", + "ephemeral_id": "98178c63-7de1-4041-877c-bf829b4fc0d3", + "id": "34592ccf-10ae-4d24-a28c-97be832bde99", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.11.0" + "version": "8.13.0" }, "data_stream": { "dataset": "ti_rapid7_threat_command.vulnerability", @@ -16,9 +16,9 @@ "version": "8.11.0" }, "elastic_agent": { - "id": "dc81497a-8431-4ec0-aeca-be9bfd9982ba", - "snapshot": true, - "version": "8.11.0" + "id": "34592ccf-10ae-4d24-a28c-97be832bde99", + "snapshot": false, + "version": "8.13.0" }, "event": { "agent_id_status": "verified", 
@@ -26,9 +26,9 @@ "threat", "vulnerability" ], - "created": "2023-09-26T13:27:12.970Z", + "created": "2024-06-26T07:02:37.947Z", "dataset": "ti_rapid7_threat_command.vulnerability", - "ingested": "2023-09-26T13:27:15Z", + "ingested": "2024-06-26T07:02:49Z", "kind": "event", "module": "ti_rapid7_threat_command", "original": "{\"cpe\":[{\"Range\":{\"VersionEndExcluding\":\"\",\"VersionEndIncluding\":\"4.0.0\",\"VersionStartExcluding\":\"\",\"VersionStartIncluding\":\"1.0.0\"},\"Title\":\"Php\",\"Value\":\"cpe:2.3:a:php:php:*:*:*:*:*:*:*:*\",\"VendorProduct\":\"php php\"}],\"cveId\":\"CVE-2020-7064\",\"cvssScore\":5.4,\"exploitAvailability\":false,\"firstMentionDate\":\"N/A\",\"intsightsScore\":16,\"lastMentionDate\":\"2020-04-01T04:15:00.000Z\",\"mentionsAmount\":0,\"mentionsPerSource\":{\"ClearWebCyberBlogs\":0,\"CodeRepositories\":0,\"DarkWeb\":0,\"Exploit\":0,\"HackingForum\":0,\"InstantMessage\":0,\"PasteSite\":0,\"SocialMedia\":0},\"publishedDate\":\"2020-04-01T04:15:00.000Z\",\"relatedCampaigns\":[\"SolarWinds\"],\"relatedMalware\":[\"doppeldridex\",\"dridex\"],\"relatedThreatActors\":[\"doppelspider\"],\"severity\":\"Low\",\"updateDate\":\"2020-08-24T21:46:48.619Z\",\"vulnerabilityOrigin\":[\"Qualys\"]}", @@ -119,4 +119,4 @@ }, "severity": "Low" } -} +} \ No newline at end of file diff --git a/packages/ti_rapid7_threat_command/docs/README.md b/packages/ti_rapid7_threat_command/docs/README.md index 576bccbef67..0128421f2fe 100644 --- a/packages/ti_rapid7_threat_command/docs/README.md +++ b/packages/ti_rapid7_threat_command/docs/README.md 
@@ -18,19 +18,51 @@ The Rapid7 Threat Command integration collects three types of data: ioc, alert,
 - This integration has been tested against Rapid7 Threat Command `IOC API v2`, `Alert API v1`, and `Vulnerability API v1`.
-- Rapid7 Threat Command integration is compatible with Elastic stack `v8.4.0` and newer.
+- Rapid7 Threat Command integration is compatible with Elastic stack `v8.12.0` and newer.
 ## Requirements
-You need Elasticsearch for storing and searching your data and Kibana for visualizing and managing it. You can use our hosted Elasticsearch Service on Elastic Cloud, which is recommended or self-manage the Elastic Stack on your own hardware.
+### Elasticsearch
-This package requires at least a [Platinum level subscription](https://www.elastic.co/subscriptions#:~:text=Basic%201%2C%202-,Plati%C2%ADnum,-Enter%C2%ADprise) to use drill-downs and alert actions. Please ensure that you have a **Trial** or **Platinum level** subscription installed on your cluster before proceeding.
+You need Elasticsearch for storing and searching your data and Kibana for visualizing and managing it. You can use our hosted Elasticsearch Service on Elastic Cloud, which is recommended, or self-manage the Elastic Stack on your own hardware.
+
+### Elastic Agent
+
+Elastic Agent must be installed. For more information, refer to the link [here](https://www.elastic.co/guide/en/fleet/current/elastic-agent-installation.html).
+
+You have a few options for installing and managing an Elastic Agent:
+
+#### Install a Fleet-managed Elastic Agent (recommended):
+
+With this approach, you install Elastic Agent and use Fleet in Kibana to define, configure, and manage your agents in a central location. We recommend using Fleet management because it makes the management and upgrade of your agents considerably easier.
+
+#### Install Elastic Agent in standalone mode (advanced users):
+
+With this approach, you install Elastic Agent and manually configure the agent locally on the system where it’s installed. You are responsible for managing and upgrading the agents. This approach is reserved for advanced users only.
+
+#### Install Elastic Agent in a containerized environment:
+
+You can run Elastic Agent inside a container, either with Fleet Server or standalone. Docker images for all versions of Elastic Agent are available from the Elastic Docker registry, and we provide deployment manifests for running on Kubernetes.
+
+There are some minimum requirements for running Elastic Agent and for more information, refer to the link [here](https://www.elastic.co/guide/en/fleet/current/elastic-agent-installation.html).
+
+### Other prerequisites
+
+The minimum **kibana.version** required is **8.12.0**. Check the prerequisites for [Transforms](https://www.elastic.co/guide/en/elasticsearch/reference/current/transform-setup.html#transform-setup). Check the prerequisites for [Actions and Connectors](https://www.elastic.co/guide/en/kibana/current/create-connector-api.html#_prerequisites_16).
-### Filtering IOCs
+## Setup
+
+### Integration settings
+
+#### IOC Expiration Duration
+
+This setting enforces all active Indicators of Compromise (IOCs) to expire after this duration since their last seen time indicated in the feed. Use [Elasticsearch time units](https://www.elastic.co/guide/en/elasticsearch/reference/current/api-conventions.html#time-units) in days, hours, or minutes (e.g `10d`). If invalid units are provided, default value `90d` i.e., 90 days is used to expire the indicators. More details on indicator expiration, read [Expiration of Indicators of Compromise (IOCs)](https://www.elastic.co/docs/current/integrations/ti_rapid7_threat_command#expiration-of-indicators-of-compromise-\(iocs\)) section.
+
+#### Filtering IOCs
 In order to filter the results based on severity and type, one can make use of **IOC Severities** and **IOC Types** parameters:
@@ -38,7 +70,7 @@ In order to filter the results based on severity and type, one can make use of *
 - Allowed values for IOC Types: IpAddresses, Urls, Domains, Hashes, Emails.
-### Filtering Alerts
+#### Filtering Alerts
 In order to filter the results based on severity, type, and status, one can make use of **Alert Severities**, **Alert Types**, **Fetch Closed Alerts** parameters:
@@ -48,7 +80,7 @@ In order to filter the results based on severity, type, and status, one can make
 **Note**: Individual policies need to be configured to retrieve both **Closed** and **Open** alerts.
-### Filtering Vulnerabilities
+#### Filtering Vulnerabilities
 In order to filter the results based on severity, one can make use of the **Vulnerability Severities** parameter:
@@ -56,122 +88,93 @@ In order to filter the results based on severity, one can make use of the **Vuln Click on **Add row** to filter out data using multiple values of the parameter. -## Setup +### Major changes after integration version `1.16.0` -Once the integration is configured and data collection is started, add transforms to identify the latest documents and process data of correlation indices. +**If the integration is being upgraded from version <=1.16.0 to >=2.0.0, one or more actions in below sections are required for the integration to work.** -### Add Transforms for Unique IOCs and Detection Rule +#### Removal of custom rules -1. In Kibana, go to **Management > Dev Tools**. -2. Add the below APIs to the console and execute it. -- Create a template for unique IOCs index -``` -POST _index_template/rapid7-tc-unique-ioc-template -{"index_patterns":["rapid7-tc-unique-iocs"],"template":{"mappings":{"properties":{"@timestamp":{"type":"date"},"agent":{"properties":{"ephemeral_id":{"type":"keyword","ignore_above":1024},"id":{"type":"keyword","ignore_above":1024},"name":{"type":"keyword","ignore_above":1024},"type":{"type":"keyword","ignore_above":1024},"version":{"type":"keyword","ignore_above":1024}}},"cloud":{"properties":{"account":{"properties":{"id":{"type":"keyword","ignore_above":1024}}},"availability_zone":{"type":"keyword","ignore_above":1024},"image":{"properties":{"id":{"type":"keyword","ignore_above":1024}}},"instance":{"properties":{"id":{"type":"keyword","ignore_above":1024},"name":{"type":"keyword","ignore_above":1024}}},"machine":{"properties":{"type":{"type":"keyword","ignore_above":1024}}},"project":{"properties":{"id":{"type":"keyword","ignore_above":1024}}},"provider":{"type":"keyword","ignore_above":1024},"region":{"type":"keyword","ignore_above":1024}}},"container":{"properties":{"id":{"type":"keyword","ignore_above":1024},"image":{"properties":{"name":{"type":"keyword","ignore_above":1024}}},"name":{"type":"keyword","ignore_above":1024}}},"da
ta_stream":{"properties":{"dataset":{"type":"constant_keyword"},"namespace":{"type":"constant_keyword"},"type":{"type":"constant_keyword"}}},"ecs":{"properties":{"version":{"type":"keyword"}}},"elastic_agent":{"properties":{"id":{"type":"keyword","ignore_above":1024},"snapshot":{"type":"boolean"},"version":{"type":"keyword","ignore_above":1024}}},"error":{"properties":{"message":{"type":"match_only_text"}}},"event":{"properties":{"category":{"type":"keyword"},"created":{"type":"date"},"dataset":{"type":"keyword"},"kind":{"type":"keyword"},"module":{"type":"keyword"},"original":{"type":"keyword"},"risk_score":{"type":"float"},"type":{"type":"keyword"}}},"host":{"properties":{"architecture":{"type":"keyword","ignore_above":1024},"containerized":{"type":"boolean"},"domain":{"type":"keyword","ignore_above":1024},"hostname":{"type":"keyword","ignore_above":1024},"id":{"type":"keyword","ignore_above":1024},"ip":{"type":"ip"},"mac":{"type":"keyword","ignore_above":1024},"name":{"type":"keyword","ignore_above":1024},"os":{"properties":{"build":{"type":"keyword","ignore_above":1024},"codename":{"type":"keyword","ignore_above":1024},"family":{"type":"keyword","ignore_above":1024},"kernel":{"type":"keyword","ignore_above":1024},"name":{"type":"keyword","ignore_above":1024,"fields":{"text":{"type":"text"}}},"platform":{"type":"keyword","ignore_above":1024},"version":{"type":"keyword","ignore_above":1024}}},"type":{"type":"keyword","ignore_above":1024}}},"input":{"properties":{"type":{"type":"keyword","ignore_above":1024}}},"log":{"properties":{"offset":{"type":"long"}}},"related":{"properties":{"hash":{"type":"keyword"},"ip":{"type":"ip"}}},"rapid7":{"properties":{"tc":{"properties":{"ioc":{"properties":{"first_seen":{"type":"date"},"geolocation":{"type":"keyword"},"last_seen":{"type":"date"},"last_update_date":{"type":"date"},"provider":{"type":"keyword"},"related":{"properties":{"campaigns":{"type":"keyword"},"malware":{"type":"keyword"},"threat_actors":{"type":"keyword"}}},"
reported_feeds":{"type":"nested","properties":{"confidence":{"type":"long"},"id":{"type":"keyword","ignore_above":1024},"name":{"type":"keyword","ignore_above":1024}}},"score":{"type":"double"},"severity":{"type":"keyword"},"status":{"type":"keyword"},"tags":{"type":"keyword"},"type":{"type":"keyword"},"value":{"type":"keyword","ignore_above":4096},"whitelisted":{"type":"keyword"}}}}}}},"tags":{"type":"keyword"},"threat":{"properties":{"indicator":{"properties":{"as":{"properties":{"number":{"type":"long"},"organization":{"properties":{"name":{"type":"keyword","ignore_above":1024,"fields":{"text":{"type":"match_only_text"}}}}}}},"confidence":{"type":"keyword","ignore_above":1024},"description":{"type":"keyword","ignore_above":1024},"email":{"properties":{"address":{"type":"keyword"}}},"file":{"properties":{"hash":{"properties":{"md5":{"type":"keyword","ignore_above":1024},"sha1":{"type":"keyword","ignore_above":1024},"sha256":{"type":"keyword","ignore_above":1024},"sha512":{"type":"keyword","ignore_above":1024},"sha384":{"type":"keyword","ignore_above":1024}}}}},"first_seen":{"type":"date"},"geo":{"properties":{"city_name":{"type":"keyword","ignore_above":1024},"continent_code":{"type":"keyword","ignore_above":1024},"continent_name":{"type":"keyword","ignore_above":1024},"country_iso_code":{"type":"keyword","ignore_above":1024},"country_name":{"type":"keyword","ignore_above":1024},"location":{"type":"geo_point"},"name":{"type":"keyword","ignore_above":1024},"postal_code":{"type":"keyword","ignore_above":1024},"region_iso_code":{"type":"keyword","ignore_above":1024},"region_name":{"type":"keyword","ignore_above":1024},"timezone":{"type":"keyword","ignore_above":1024}}},"ip":{"type":"ip"},"last_seen":{"type":"date"},"modified_at":{"type":"date"},"provider":{"type":"keyword","ignore_above":1024},"type":{"type":"keyword","ignore_above":1024},"url":{"properties":{"domain":{"type":"keyword","ignore_above":1024},"extension":{"type":"keyword","ignore_above":1024},"fragment"
:{"type":"keyword","ignore_above":1024},"full":{"type":"wildcard","ignore_above":4096,"fields":{"text":{"type":"match_only_text"}}},"original":{"type":"wildcard","ignore_above":4096,"fields":{"text":{"type":"match_only_text"}}},"password":{"type":"wildcard","ignore_above":1024},"path":{"type":"wildcard","ignore_above":1024},"port":{"type":"long"},"query":{"type":"keyword","ignore_above":4096},"registered_domain":{"type":"keyword","ignore_above":1024},"scheme":{"type":"keyword","ignore_above":1024},"subdomain":{"type":"keyword","ignore_above":1024},"top_level_domain":{"type":"keyword","ignore_above":1024},"username":{"type":"keyword","ignore_above":1024}}}}}}}}}}} -``` -- Create a transform for unique IOCs -``` -PUT _transform/ti_rapid7_threat_command_unique_ioc_transform -{"source":{"index":["logs-*"],"query":{"bool":{"should":[{"match_phrase":{"data_stream.dataset":"ti_rapid7_threat_command.ioc"}}],"minimum_should_match":1}}},"dest":{"index":"rapid7-tc-unique-iocs","pipeline":"0.1.0-ti_rapid7_threat_command-unique-ioc-transform-pipeline"},"frequency":"30m","sync":{"time":{"field":"event.ingested","delay":"60s"}},"latest":{"unique_key":["rapid7.tc.ioc.value"],"sort":"@timestamp"},"description":"This transform creates index to maintain unique values of IOCs."} -``` -- Start a transform for unique IOCs -``` -POST _transform/ti_rapid7_threat_command_unique_ioc_transform/_start -``` -- Create a template for correlation index of IOC rule transform -``` -POST _index_template/ioc-rule-transform-template 
-{"index_patterns":["rapid7-tc-ioc-correlations"],"template":{"mappings":{"properties":{"@timestamp":{"type":"date"},"rapid7":{"properties":{"tc":{"properties":{"ioc":{"properties":{"tags":{"type":"keyword"},"value":{"type":"keyword","ignore_above":4096},"related":{"properties":{"campaigns":{"type":"keyword"},"malware":{"type":"keyword"},"threat_actors":{"type":"keyword"}}}}}}}}},"threat":{"properties":{"enrichment":{"properties":{"indicator":{"properties":{"as":{"properties":{"number":{"type":"long"},"organization":{"properties":{"name":{"type":"keyword","ignore_above":1024,"fields":{"text":{"type":"match_only_text"}}}}}}},"confidence":{"type":"keyword","ignore_above":1024},"description":{"type":"keyword","ignore_above":1024},"email":{"properties":{"address":{"type":"keyword"}}},"file":{"properties":{"hash":{"properties":{"md5":{"type":"keyword","ignore_above":1024},"sha1":{"type":"keyword","ignore_above":1024},"sha256":{"type":"keyword","ignore_above":1024},"sha512":{"type":"keyword","ignore_above":1024},"sha384":{"type":"keyword","ignore_above":1024}}}}},"first_seen":{"type":"date"},"geo":{"properties":{"city_name":{"type":"keyword","ignore_above":1024},"continent_code":{"type":"keyword","ignore_above":1024},"continent_name":{"type":"keyword","ignore_above":1024},"country_iso_code":{"type":"keyword","ignore_above":1024},"country_name":{"type":"keyword","ignore_above":1024},"location":{"type":"geo_point"},"name":{"type":"keyword","ignore_above":1024},"postal_code":{"type":"keyword","ignore_above":1024},"region_iso_code":{"type":"keyword","ignore_above":1024},"region_name":{"type":"keyword","ignore_above":1024},"timezone":{"type":"keyword","ignore_above":1024}}},"ip":{"type":"ip"},"last_seen":{"type":"date"},"modified_at":{"type":"date"},"provider":{"type":"keyword","ignore_above":1024},"type":{"type":"keyword","ignore_above":1024},"url":{"properties":{"domain":{"type":"keyword","ignore_above":1024},"extension":{"type":"keyword","ignore_above":1024},"fragment":{"ty
pe":"keyword","ignore_above":1024},"full":{"type":"wildcard","ignore_above":4096,"fields":{"text":{"type":"match_only_text"}}},"original":{"type":"wildcard","ignore_above":4096,"fields":{"text":{"type":"match_only_text"}}},"password":{"type":"wildcard","ignore_above":1024},"path":{"type":"wildcard","ignore_above":1024},"port":{"type":"long"},"query":{"type":"keyword","ignore_above":4096},"registered_domain":{"type":"keyword","ignore_above":1024},"scheme":{"type":"keyword","ignore_above":1024},"subdomain":{"type":"keyword","ignore_above":1024},"top_level_domain":{"type":"keyword","ignore_above":1024},"username":{"type":"keyword","ignore_above":1024}}}}},"matched":{"properties":{"atomic":{"type":"keyword"},"field":{"type":"keyword"},"id":{"type":"keyword"},"index":{"type":"keyword"},"occured":{"type":"keyword"},"type":{"type":"keyword"}}}}},"indicator":{"properties":{"as":{"properties":{"number":{"type":"long"},"organization":{"properties":{"name":{"type":"keyword","ignore_above":1024,"fields":{"text":{"type":"match_only_text"}}}}}}},"confidence":{"type":"keyword","ignore_above":1024},"description":{"type":"keyword","ignore_above":1024},"email":{"properties":{"address":{"type":"keyword"}}},"file":{"properties":{"hash":{"properties":{"md5":{"type":"keyword","ignore_above":1024},"sha1":{"type":"keyword","ignore_above":1024},"sha256":{"type":"keyword","ignore_above":1024},"sha512":{"type":"keyword","ignore_above":1024},"sha384":{"type":"keyword","ignore_above":1024}}}}},"first_seen":{"type":"date"},"geo":{"properties":{"city_name":{"type":"keyword","ignore_above":1024},"continent_code":{"type":"keyword","ignore_above":1024},"continent_name":{"type":"keyword","ignore_above":1024},"country_iso_code":{"type":"keyword","ignore_above":1024},"country_name":{"type":"keyword","ignore_above":1024},"location":{"type":"geo_point"},"name":{"type":"keyword","ignore_above":1024},"postal_code":{"type":"keyword","ignore_above":1024},"region_iso_code":{"type":"keyword","ignore_above":102
4},"region_name":{"type":"keyword","ignore_above":1024},"timezone":{"type":"keyword","ignore_above":1024}}},"ip":{"type":"ip"},"last_seen":{"type":"date"},"provider":{"type":"keyword","ignore_above":1024},"modified_at":{"type":"date"},"type":{"type":"keyword","ignore_above":1024},"url":{"properties":{"domain":{"type":"keyword","ignore_above":1024},"extension":{"type":"keyword","ignore_above":1024},"fragment":{"type":"keyword","ignore_above":1024},"full":{"type":"wildcard","ignore_above":4096,"fields":{"text":{"type":"match_only_text"}}},"original":{"type":"wildcard","ignore_above":4096,"fields":{"text":{"type":"match_only_text"}}},"password":{"type":"wildcard","ignore_above":1024},"path":{"type":"wildcard","ignore_above":1024},"port":{"type":"long"},"query":{"type":"keyword","ignore_above":4096},"registered_domain":{"type":"keyword","ignore_above":1024},"scheme":{"type":"keyword","ignore_above":1024},"subdomain":{"type":"keyword","ignore_above":1024},"top_level_domain":{"type":"keyword","ignore_above":1024},"username":{"type":"keyword","ignore_above":1024}}}}}}}}}}} -``` -- Create a transform for IOC detection rule -``` -PUT _transform/ti_rapid7_threat_command_ioc_rule_transform -{"source":{"index":[".internal.alerts-security.alerts-default-*"],"query":{"bool":{"filter":[{"match_phrase":{"kibana.alert.rule.tags":"Rapid7 Threat Command"}},{"match_phrase":{"kibana.alert.rule.tags":"IOC"}},{"match_phrase":{"kibana.alert.rule.category":"Indicator Match Rule"}}]}}},"dest":{"index":"rapid7-tc-ioc-correlations","pipeline":"0.1.0-ti_rapid7_threat_command-ioc-rule-transform-pipeline"},"frequency":"30m","sync":{"time":{"field":"@timestamp","delay":"60s"}},"latest":{"unique_key":["kibana.alert.uuid"],"sort":"@timestamp"},"retention_policy":{"time":{"field":"@timestamp","max_age":"60d"}},"description":"This transform creates index to populate the IOC Correlation and IOC Correlation Details Dashboards."} -``` -- Start a transform for IOC detection Rule -``` -POST 
_transform/ti_rapid7_threat_command_ioc_rule_transform/_start -``` +The integration versions until `1.16.0` added custom security detection rules for storing matching indicators and CVEs from user indices to those ingested from Rapid7 Threat Command integration. These rules are now replaced by one or more of [Elastic prebuilt detection rules](https://www.elastic.co/guide/en/security/current/prebuilt-rules.html). Following are the changes: -### Add Transforms for Unique alerts -1. In Kibana, go to **Management > Dev Tools**. -2. Add below API to the console and execute it. -- Create a template for unique alerts index -``` -POST _index_template/rapid7-tc-unique-alert-template -{"index_patterns":["rapid7-tc-unique-alerts"],"template":{"mappings":{"properties":{"@timestamp":{"type":"date"},"agent":{"properties":{"ephemeral_id":{"type":"keyword","ignore_above":1024},"id":{"type":"keyword","ignore_above":1024},"name":{"type":"keyword","ignore_above":1024},"type":{"type":"keyword","ignore_above":1024},"version":{"type":"keyword","ignore_above":1024}}},"cloud":{"properties":{"account":{"properties":{"id":{"type":"keyword","ignore_above":1024}}},"availability_zone":{"type":"keyword","ignore_above":1024},"image":{"properties":{"id":{"type":"keyword","ignore_above":1024}}},"instance":{"properties":{"id":{"type":"keyword","ignore_above":1024},"name":{"type":"keyword","ignore_above":1024}}},"machine":{"properties":{"type":{"type":"keyword","ignore_above":1024}}},"project":{"properties":{"id":{"type":"keyword","ignore_above":1024}}},"provider":{"type":"keyword","ignore_above":1024},"region":{"type":"keyword","ignore_above":1024}}},"container":{"properties":{"id":{"type":"keyword","ignore_above":1024},"image":{"properties":{"name":{"type":"keyword","ignore_above":1024}}},"name":{"type":"keyword","ignore_above":1024}}},"data_stream":{"properties":{"dataset":{"type":"constant_keyword"},"namespace":{"type":"constant_keyword"},"type":{"type":"constant_keyword"}}},"ecs":{"properties":{
"version":{"type":"keyword","ignore_above":1024}}},"elastic_agent":{"properties":{"id":{"type":"keyword","ignore_above":1024},"snapshot":{"type":"boolean"},"version":{"type":"keyword","ignore_above":1024}}},"error":{"properties":{"message":{"type":"match_only_text"}}},"event":{"properties":{"agent_id_status":{"type":"keyword","ignore_above":1024},"category":{"type":"keyword","ignore_above":1024},"created":{"type":"date"},"dataset":{"type":"constant_keyword"},"id":{"type":"keyword","ignore_above":1024},"ingested":{"type":"date","format":"strict_date_time_no_millis||strict_date_optional_time||epoch_millis"},"kind":{"type":"keyword","ignore_above":1024},"module":{"type":"constant_keyword"},"original":{"type":"keyword","index":false,"doc_values":false,"ignore_above":1024},"reference":{"type":"keyword","ignore_above":1024},"type":{"type":"keyword","ignore_above":1024}}},"host":{"properties":{"architecture":{"type":"keyword","ignore_above":1024},"containerized":{"type":"boolean"},"domain":{"type":"keyword","ignore_above":1024},"hostname":{"type":"keyword","ignore_above":1024},"id":{"type":"keyword","ignore_above":1024},"ip":{"type":"ip"},"mac":{"type":"keyword","ignore_above":1024},"name":{"type":"keyword","ignore_above":1024},"os":{"properties":{"build":{"type":"keyword","ignore_above":1024},"codename":{"type":"keyword","ignore_above":1024},"family":{"type":"keyword","ignore_above":1024},"kernel":{"type":"keyword","ignore_above":1024},"name":{"type":"keyword","ignore_above":1024,"fields":{"text":{"type":"text"}}},"platform":{"type":"keyword","ignore_above":1024},"version":{"type":"keyword","ignore_above":1024}}},"type":{"type":"keyword","ignore_above":1024}}},"input":{"properties":{"type":{"type":"keyword","ignore_above":1024}}},"log":{"properties":{"offset":{"type":"long"}}},"rapid7":{"properties":{"tc":{"properties":{"alert":{"properties":{"assets":{"type":"nested","properties":{"type":{"type":"keyword","ignore_above":1024},"value":{"type":"keyword","ignore_above":1024
}}},"assignees":{"type":"keyword","ignore_above":1024},"details":{"properties":{"description":{"type":"keyword","ignore_above":1024},"images":{"type":"keyword","ignore_above":1024},"severity":{"type":"keyword","ignore_above":1024},"source":{"properties":{"date":{"type":"date"},"email":{"type":"keyword","ignore_above":1024},"leak_name":{"type":"keyword","ignore_above":1024},"network_type":{"type":"keyword","ignore_above":1024},"type":{"type":"keyword","ignore_above":1024},"url":{"type":"keyword","ignore_above":1024}}},"subtype":{"type":"keyword","ignore_above":1024},"tags":{"type":"nested","properties":{"created_by":{"type":"keyword","ignore_above":1024},"id":{"type":"keyword","ignore_above":1024},"name":{"type":"keyword","ignore_above":1024}}},"title":{"type":"keyword","ignore_above":1024},"type":{"type":"keyword","ignore_above":1024}}},"found_date":{"type":"date"},"id":{"type":"keyword","ignore_above":1024},"is_closed":{"type":"boolean"},"is_flagged":{"type":"boolean"},"related_iocs":{"type":"keyword","ignore_above":1024},"related_threat_ids":{"type":"keyword","ignore_above":1024},"takedown_status":{"type":"keyword","ignore_above":1024},"update_date":{"type":"date"}}}}}}},"tags":{"type":"keyword","ignore_above":1024}}}}} -``` -- Create a transform for unique alerts -``` -PUT _transform/ti_rapid7_threat_command_unique_alert_transform -{"source":{"index":["logs-*"],"query":{"bool":{"should":[{"match_phrase":{"data_stream.dataset":"ti_rapid7_threat_command.alert"}}],"minimum_should_match":1}}},"dest":{"index":"rapid7-tc-unique-alerts"},"frequency":"30m","sync":{"time":{"field":"event.ingested","delay":"60s"}},"latest":{"unique_key":["event.id"],"sort":"@timestamp"},"retention_policy":{"time":{"field":"@timestamp","max_age":"180d"}},"description":"This transform creates index to maintain unique values of Alerts."} -``` -- Start a transform for unique alerts -``` -POST _transform/ti_rapid7_threat_command_unique_alert_transform/_start -``` +| Rule in `<= v1.16.0` | 
Replaced by Rule in `v2.0.0` | +| ---------------------------------------------------| --------------------------------------------------------------------| +| `Rapid7 Threat Command IOCs Correlation` | `Threat Intel Hash Indicator Match`, `Threat Intel IP Address Indicator Match`, `Threat Intel URL Indicator Match`, `Threat Intel Windows Registry Indicator Match` | +| `Rapid7 Threat Command CVEs Correlation` | `Rapid7 Threat Command CVEs Correlation` | -### Add Transforms for Unique CVEs and Detection Rule +After upgrading to `2.0.0`, users are advised to disable and delete old rules to avoid duplicate [Security Alerts](https://www.elastic.co/guide/en/security/current/alerts-ui-manage.html). Users must also install and enable new rules in their place as documented [here](#install-and-enable-detection-rule-in-elasticsearch). -1. In Kibana, go to **Management > Dev Tools**. -2. Add below API to the console and execute it. -- Create a template for unique CVEs index -``` -POST _index_template/rapid7-tc-unique-cve-template 
-{"index_patterns":["rapid7-tc-unique-cves"],"template":{"mappings":{"properties":{"@timestamp":{"type":"date"},"cloud":{"properties":{"account":{"properties":{"id":{"type":"keyword","ignore_above":1024}}},"availability_zone":{"type":"keyword","ignore_above":1024},"image":{"properties":{"id":{"type":"keyword","ignore_above":1024}}},"instance":{"properties":{"id":{"type":"keyword","ignore_above":1024},"name":{"type":"keyword","ignore_above":1024}}},"machine":{"properties":{"type":{"type":"keyword","ignore_above":1024}}},"project":{"properties":{"id":{"type":"keyword","ignore_above":1024}}},"provider":{"type":"keyword","ignore_above":1024},"region":{"type":"keyword","ignore_above":1024}}},"container":{"properties":{"id":{"type":"keyword","ignore_above":1024},"image":{"properties":{"name":{"type":"keyword","ignore_above":1024}}},"name":{"type":"keyword","ignore_above":1024}}},"data_stream":{"properties":{"dataset":{"type":"constant_keyword"},"namespace":{"type":"constant_keyword"},"type":{"type":"constant_keyword"}}},"ecs":{"properties":{"version":{"type":"keyword","ignore_above":1024}}},"error":{"properties":{"message":{"type":"match_only_text"}}},"event":{"properties":{"agent_id_status":{"type":"keyword","ignore_above":1024},"category":{"type":"keyword","ignore_above":1024},"created":{"type":"date"},"dataset":{"type":"keyword","ignore_above":1024},"ingested":{"type":"date","format":"strict_date_time_no_millis||strict_date_optional_time||epoch_millis"},"kind":{"type":"keyword","ignore_above":1024},"module":{"type":"keyword","ignore_above":1024},"original":{"type":"keyword","index":false,"doc_values":false,"ignore_above":8191},"type":{"type":"keyword","ignore_above":1024}}},"host":{"properties":{"architecture":{"type":"keyword","ignore_above":1024},"containerized":{"type":"boolean"},"domain":{"type":"keyword","ignore_above":1024},"hostname":{"type":"keyword","ignore_above":1024},"id":{"type":"keyword","ignore_above":1024},"ip":{"type":"ip"},"mac":{"type":"keyword","ign
ore_above":1024},"name":{"type":"keyword","ignore_above":1024},"os":{"properties":{"build":{"type":"keyword","ignore_above":1024},"codename":{"type":"keyword","ignore_above":1024},"family":{"type":"keyword","ignore_above":1024},"kernel":{"type":"keyword","ignore_above":1024},"name":{"type":"keyword","ignore_above":1024,"fields":{"text":{"type":"text"}}},"platform":{"type":"keyword","ignore_above":1024},"version":{"type":"keyword","ignore_above":1024}}},"type":{"type":"keyword","ignore_above":1024}}},"input":{"properties":{"type":{"type":"keyword","ignore_above":1024}}},"log":{"properties":{"offset":{"type":"long"}}},"rapid7":{"properties":{"tc":{"properties":{"vulnerability":{"properties":{"cpe":{"properties":{"range":{"properties":{"version":{"properties":{"end":{"properties":{"excluding":{"type":"version"},"including":{"type":"version"}}},"start":{"properties":{"excluding":{"type":"version"},"including":{"type":"version"}}}}}}},"title":{"type":"keyword","ignore_above":1024},"value":{"type":"keyword","ignore_above":1024},"vendor_product":{"type":"keyword","ignore_above":1024}}},"cvss_score":{"type":"double"},"exploit_availability":{"type":"boolean"},"id":{"type":"keyword","ignore_above":1024},"intsights_score":{"type":"double"},"mention":{"properties":{"first_date":{"type":"keyword"},"last_date":{"type":"keyword"}}},"mentions":{"properties":{"source":{"properties":{"clear_web_cyber_blogs":{"type":"long"},"code_repositories":{"type":"long"},"dark_web":{"type":"long"},"exploit":{"type":"long"},"hacking_forum":{"type":"long"},"instant_message":{"type":"long"},"paste_site":{"type":"long"},"social_media":{"type":"long"}}},"total":{"type":"long"}}},"origin":{"type":"keyword","ignore_above":1024},"published_date":{"type":"date"},"related":{"properties":{"campaigns":{"type":"keyword","ignore_above":1024},"malware":{"type":"keyword","ignore_above":1024},"threat_actors":{"type":"keyword","ignore_above":1024}}},"severity":{"type":"keyword","ignore_above":1024},"update_date":{
"type":"date"}}}}}}},"tags":{"type":"keyword","ignore_above":1024},"vulnerability":{"properties":{"classification":{"type":"keyword","ignore_above":1024},"enumeration":{"type":"keyword","ignore_above":1024},"id":{"type":"keyword","ignore_above":1024},"reference":{"type":"keyword","ignore_above":1024},"scanner":{"properties":{"vendor":{"type":"keyword","ignore_above":1024}}},"score":{"properties":{"base":{"type":"float"}}},"severity":{"type":"keyword","ignore_above":1024}}}}}}} -``` -- Create a transform for unique CVEs -``` -PUT _transform/ti_rapid7_threat_command_unique_cve_transform -{"source":{"index":["logs-*"],"query":{"bool":{"should":[{"match_phrase":{"data_stream.dataset":"ti_rapid7_threat_command.vulnerability"}}],"minimum_should_match":1}}},"dest":{"index":"rapid7-tc-unique-cves"},"frequency":"30m","sync":{"time":{"field":"event.ingested","delay":"60s"}},"latest":{"unique_key":["vulnerability.id"],"sort":"@timestamp"},"retention_policy":{"time":{"field":"@timestamp","max_age":"180d"}},"description":"This transform creates index to maintain unique values of CVEs."} -``` -- Start a transform for unique CVEs -``` -POST _transform/ti_rapid7_threat_command_unique_cve_transform/_start -``` -- Create a template for correlation index of CVE rule transform -``` -POST _index_template/cve-rule-transform-template 
-{"index_patterns":["rapid7-tc-cve-correlations"],"template":{"mappings":{"properties":{"@timestamp":{"type":"date"},"rapid7":{"properties":{"tc":{"properties":{"vulnerability":{"properties":{"cpe":{"properties":{"range":{"properties":{"version":{"properties":{"end":{"properties":{"excluding":{"type":"version"},"including":{"type":"version"}}},"start":{"properties":{"excluding":{"type":"version"},"including":{"type":"version"}}}}}}},"title":{"type":"keyword","ignore_above":1024},"value":{"type":"keyword","ignore_above":1024},"vendor_product":{"type":"keyword","ignore_above":1024}}},"cvss_score":{"type":"double"},"exploit_availability":{"type":"boolean"},"id":{"type":"keyword","ignore_above":1024},"intsights_score":{"type":"double"},"mention":{"properties":{"first_date":{"type":"keyword"},"last_date":{"type":"keyword"}}},"mentions":{"properties":{"source":{"properties":{"clear_web_cyber_blogs":{"type":"long"},"code_repositories":{"type":"long"},"dark_web":{"type":"long"},"exploit":{"type":"long"},"hacking_forum":{"type":"long"},"instant_message":{"type":"long"},"paste_site":{"type":"long"},"social_media":{"type":"long"}}},"total":{"type":"long"}}},"origin":{"type":"keyword","ignore_above":1024},"published_date":{"type":"date"},"related":{"properties":{"campaigns":{"type":"keyword","ignore_above":1024},"malware":{"type":"keyword","ignore_above":1024},"threat_actors":{"type":"keyword","ignore_above":1024}}},"severity":{"type":"keyword","ignore_above":1024},"update_date":{"type":"date"}}}}}}},"threat":{"properties":{"enrichments":{"properties":{"feed":{"type":"object"},"indicator":{"properties":{"cpe":{"properties":{"range":{"properties":{"version":{"properties":{"end":{"properties":{"excluding":{"type":"version"},"including":{"type":"version"}}},"start":{"properties":{"excluding":{"type":"version"},"including":{"type":"version"}}}}}}},"title":{"type":"keyword","ignore_above":1024},"value":{"type":"keyword","ignore_above":1024},"vendor_product":{"type":"keyword","ignore
_above":1024}}},"cvss_score":{"type":"double"},"exploit_availability":{"type":"boolean"},"id":{"type":"keyword","ignore_above":1024},"intsights_score":{"type":"double"},"mention":{"properties":{"first_date":{"type":"keyword"},"last_date":{"type":"keyword"}}},"mentions":{"properties":{"source":{"properties":{"clear_web_cyber_blogs":{"type":"long"},"code_repositories":{"type":"long"},"dark_web":{"type":"long"},"exploit":{"type":"long"},"hacking_forum":{"type":"long"},"instant_message":{"type":"long"},"paste_site":{"type":"long"},"social_media":{"type":"long"}}},"total":{"type":"long"}}},"origin":{"type":"keyword","ignore_above":1024},"published_date":{"type":"date"},"related":{"properties":{"campaigns":{"type":"keyword","ignore_above":1024},"malware":{"type":"keyword","ignore_above":1024},"threat_actors":{"type":"keyword","ignore_above":1024}}},"severity":{"type":"keyword","ignore_above":1024},"update_date":{"type":"date"}}},"matched":{"properties":{"atomic":{"type":"keyword"},"field":{"type":"keyword"},"id":{"type":"keyword"},"index":{"type":"keyword"},"type":{"type":"keyword"}}}}}}},"vulnerability":{"properties":{"classification":{"type":"keyword","ignore_above":1024},"enumeration":{"type":"keyword","ignore_above":1024},"id":{"type":"keyword","ignore_above":1024},"reference":{"type":"keyword","ignore_above":1024},"scanner":{"properties":{"vendor":{"type":"keyword","ignore_above":1024}}},"score":{"properties":{"base":{"type":"float"}}},"severity":{"type":"keyword","ignore_above":1024}}}}}}} -``` -- Create a transform for CVE detection Rule -``` -PUT _transform/ti_rapid7_threat_command_cve_rule_transform -{"source":{"index":[".internal.alerts-security.alerts-default-*"],"query":{"bool":{"filter":[{"match_phrase":{"kibana.alert.rule.tags":"Rapid7 Threat Command"}},{"match_phrase":{"kibana.alert.rule.tags":"CVE"}},{"match_phrase":{"kibana.alert.rule.category":"Indicator Match 
Rule"}}]}}},"dest":{"index":"rapid7-tc-cve-correlations","pipeline":"0.1.0-ti_rapid7_threat_command-cve-rule-transform-pipeline"},"frequency":"30m","sync":{"time":{"field":"@timestamp","delay":"60s"}},"latest":{"unique_key":["kibana.alert.uuid"],"sort":"@timestamp"},"description":"This transform creates index to populate the Vulnerability Correlation and Vulnerability Correlation Details Dashboards."} -``` -- Start a transform for CVE detection Rule -``` -POST _transform/ti_rapid7_threat_command_cve_rule_transform/_start -``` +#### Removal of custom views and dashboards -For more details, please refer to the [Kibana Dev Tools Guide](https://www.elastic.co/guide/en/kibana/current/console-kibana.html) +The integration until version `1.16.0` adds custom indices and [Data Views](https://www.elastic.co/guide/en/kibana/current/data-views.html) namely `rapid7-tc-ioc-correlations` and `rapid7-tc-cve-correlations` to store matching indicators and CVEs from user indices with the help of [custom rules](#removal-of-custom-rules). Since the custom rules are replaced with Elastic prebuilt rules, these custom views are deleted. Users can view the same matching indicators and CVEs by navigating to `Security` -> `Alerts` page. Read [View Detection Alert](https://www.elastic.co/guide/en/security/current/view-alert-details.html) for more details. -### Enabling correlation detection rule in Elasticsearch +Some dashboards that depended on above custom views were also removed. These dashboards include `IOC Correlation`, `IOC Correlation Details`, `Vulnerability Correlation`, and `Vulnerability Correlation Details`. Users can view these correlations by navigating to the same `Security` -> `Alerts` page. -1. In Kibana, go to **Security > Manage > Rules**. -2. Click the **Load Elastic prebuilt rules and timeline templates** button to load Elastic prebuilt detection rules. By default, all loaded prebuilt rules are disabled. -3. 
In the integrations search bar, type **Rapid7 Threat Command IOCs Correlation** for the IOC correlation rule and **Rapid7 Threat Command CVEs Correlation** for the CVE correlation rule. -4. To enable a detection rule, switch on the rule’s **Enabled** toggle. +#### Removal of custom transforms + +This integration versions until `1.16.0` guided users to create custom transforms on datasets `IOC`, `Alert`, and `Vulnerability` with the commands to execute from Kibana Dev Tools. Starting `2.0.0`, the integration replaces them with fleet-managed transforms, which are automatically installed and started after upgrade. Following are the changes: + +| Transform Name `<= v1.16.0` | Transform Name `v2.0.0` | +| --------------------------------------------------------- | ------------------------------------------------------------------| +| `ti_rapid7_threat_command_unique_ioc_transform` | `logs-ti_rapid7_threat_command.latest_ioc-default-*` | +| `ti_rapid7_threat_command_ioc_rule_transform` | `N/A` | +| `ti_rapid7_threat_command_unique_alert_transform` | `logs-ti_rapid7_threat_command.latest_alert-default-*` | +| `ti_rapid7_threat_command_unique_cve_transform` | `logs-ti_rapid7_threat_command.latest_vulnerability-default-*` | +| `ti_rapid7_threat_command_cve_rule_transform` | `N/A` | + +In versions `<= v1.16.0`, the transforms `ti_rapid7_threat_command_ioc_rule_transform` and `ti_rapid7_threat_command_cve_rule_transform` were used to index the security alerts generated from the [custom rules](#removal-of-custom-rules) into [custom views](#removal-of-custom-views-and-dashboards). Since both custom rules and custom views are deleted, these transforms are no longer required. + +If users are upgrading to any version after `1.16.0`, it is advised to stop and delete all of the transforms used in older versions to avoid duplicate data and [Security Alerts](https://www.elastic.co/guide/en/security/current/alerts-ui-manage.html). 
+ +#### Expiration of Indicators of Compromise (IOCs) +The threat landscape is always evolving and therefore the IOCs need to update to reflect the current state or expired when the indicators are no longer relevant. + +The ingested indicators from the integration are expired after the duration configured by `IOC Expiration Duration` integration setting. This setting is `required` property and must be set by the users. Refer [IOC Expiration Duration](#ioc-expiration-duration) section for more details. + +The [Elastic Transform](https://www.elastic.co/guide/en/elasticsearch/reference/current/transforms.html) named `logs-ti_rapid7_threat_command.latest_ioc-default-*` is created to faciliate only active IOCs be available to the end users. This transform creates destination indices named `logs-ti_rapid7_threat_command_latest.dest_ioc-*` which only contains active and unexpired IOCs. This latest destination index also has an alias named `logs-ti_rapid7_threat_command_latest.ioc`. When querying for active indicators or setting up indicator match rules, only use the latest destination indices or the alias to avoid false positives from expired IOCs. + +Dashboards are also pointing to the latest destination indices containing only active indicators. -### Add Webhook Connectors for adding tags and comments +An [ILM Policy](#ilm-policy) is added to avoid unbounded growth on source datastream `.ds-logs-ti_rapid7_threat_command.ioc-*` indices. -Please refer to the Setup Guide of **Rapid7 Threat Command IOCs Correlation** to tag the specific IOC in the Rapid7 Threat Command platform on correlation match. 
+#### ILM Policy +Due to the addition of [fleet-managed transforms](#removal-of-custom-transforms), ILM policy is also added to `IOC`, `Alert`, and `Vulnerability` datasets so that source datastream-backed indices `.ds-logs-ti_rapid7_threat_command.ioc-*`, `.ds-logs-ti_rapid7_threat_command.alert-*`, `.ds-logs-ti_rapid7_threat_command.vulnerability-*` doesn't lead to unbounded growth. This means data in these source indices will be deleted based on the ILM policy, which defaults to `5 days` from ingested date. -1. In Kibana, go to **Security > Manage > Rules**. -2. In the integrations search bar, type **Rapid7 Threat Command IOCs Correlation** and click on it. -3. In the About section, select **Setup Guide** and follow the steps. +| Source datastream-backed indices | Policy Name | Default Retention | +| --------------------------------------------------------------| ---------------------------------------------------------------|-------------------| +| `.ds-logs-ti_rapid7_threat_command.ioc-*` | logs-ti_rapid7_threat_command.ioc-default_policy | 5 days | +| `.ds-logs-ti_rapid7_threat_command.alert-*` | logs-ti_rapid7_threat_command.alert-default_policy | 5 days | +| `.ds-logs-ti_rapid7_threat_command.vulnerability-*` | logs-ti_rapid7_threat_command.vulnerability-default_policy | 5 days | -## Retention policy -Retention policy is used to retire data older than the default period. Refer to [Retention Policy](https://www.elastic.co/guide/en/elasticsearch/reference/current/put-transform.html#:~:text=to%20false.-,retention_policy,-(Optional%2C%20object)%20Defines) page for more information. +The ILM policies can be modified as per user needs. -The following table indicates the retention period for each data stream. 
Users can update the retention period once transform is configured: +### Detection Rules -| Data stream | Retention Period | -| --------------| -----------------| -| IOC | 60 days | -| Alert | 180 days | -| Vulnerability | 180 days | +As noted in above sections, there are 5 prebuilt detection rules that are available and need to be added by the users. 4 rules are for matching indicators, while 1 rule is for matching vulnerabilities. Following are the rules: + +- Threat Intel Hash Indicator Match. +- Threat Intel IP Address Indicator Match. +- Threat Intel URL Indicator Match. +- Threat Intel Windows Registry Indicator Match. +- Rapid7 Threat Command CVEs Correlation. + +#### Install and Enable Detection Rule in Elasticsearch + +1. In Kibana, go to **Security > Rules > Detection rules (SIEM)**. +2. Click on **Add Elastic Rules**. +3. In the integrations search bar, type and search for each of the 5 rules from above. +4. Click on **Install rule** to install the rule. +4. To enable a detection rule, switch on the rule’s **Enabled** toggle. + +### Add Connectors for rules + +1. In Kibana, go to **Security > Rules > Detection rules (SIEM)**. +2. Under **Installed Rules**, click on each of the 5 rules from above. +3. Click on `Edit rule settings`. +4. Under **Actions** tab, choose a connector from the list `Select a connector type`. +5. [Configure the connector](https://www.elastic.co/guide/en/kibana/current/action-types.html). + +For more details on Rule Actions, read [Rule Actions](https://www.elastic.co/guide/en/kibana/current/create-and-manage-rules.html#defining-rules-actions-details). For adding Webhook Connector to Rule Actions, read [Webhook - Case Management](https://www.elastic.co/guide/en/kibana/current/cases-webhook-action-type.html). ## Limitations 
@@ -182,7 +185,7 @@ The following table indicates the retention period for each data stream. Users c - If you don't see any data for IOCs, Alerts, or CVEs, check the Agent logs to see if there are errors. - * Common error types: + **Common errors**: 1. Module is not included in the ETP Suite subscription. Verify the system modules of your account using below CURL request. ``` @@ -199,8 +202,6 @@ The following table indicates the retention period for each data stream. Users c 1. Check whether transforms are running without any errors. If you face any issues in transforms please refer to [Troubleshooting transforms](https://www.elastic.co/guide/en/elasticsearch/reference/current/transform-troubleshooting.html). 2. Check whether source indices fields (e.g. `source.ip`, `url.full`, `vulnerability.id` etc.) are mapped according to the [ECS schema](https://www.elastic.co/guide/en/ecs/current/ecs-field-reference.html). -- If you don't see matched documents in **Matched CVE Details** drill down as per the **Match Count**, please adjust the time range accordingly to analyze all the matched documents. - ## Logs reference ### IOC @@ -213,13 +214,13 @@ An example event for `ioc` looks as following: ```json { - "@timestamp": "2022-05-05T10:39:07.851Z", + "@timestamp": "2022-06-16T10:39:07.851Z", "agent": { - "ephemeral_id": "26a79bb1-c4ec-498b-b31e-e125ba1f3bc3", - "id": "dc81497a-8431-4ec0-aeca-be9bfd9982ba", + "ephemeral_id": "bc74bf1e-3b49-4a4f-b121-ce54d80ad098", + "id": "34592ccf-10ae-4d24-a28c-97be832bde99", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.11.0" + "version": "8.13.0" }, "data_stream": { "dataset": "ti_rapid7_threat_command.ioc", 
@@ -230,21 +231,21 @@ An example event for `ioc` looks as following: "version": "8.11.0" }, "elastic_agent": { - "id": "dc81497a-8431-4ec0-aeca-be9bfd9982ba", - "snapshot": true, - "version": "8.11.0" + "id": "34592ccf-10ae-4d24-a28c-97be832bde99", + "snapshot": false, + "version": "8.13.0" }, "event": { "agent_id_status": "verified", "category": [ "threat" ], - "created": "2023-09-26T13:26:21.497Z", + "created": "2024-06-26T07:01:52.941Z", "dataset": "ti_rapid7_threat_command.ioc", - "ingested": "2023-09-26T13:26:22Z", + "ingested": "2024-06-26T07:02:02Z", "kind": "enrichment", "module": "ti_rapid7_threat_command", - "original": "{\"firstSeen\":\"2022-05-04T20:11:04.000Z\",\"lastSeen\":\"2022-05-04T20:11:04.000Z\",\"lastUpdateDate\":\"2022-05-05T10:39:07.851Z\",\"relatedCampaigns\":[],\"relatedMalware\":[\"remcos\"],\"relatedThreatActors\":[],\"reportedFeeds\":[{\"confidenceLevel\":2,\"id\":\"5b68306df84f7c8696047fdd\",\"name\":\"Test Feed\"}],\"score\":13.26086956521739,\"severity\":\"Low\",\"status\":\"Active\",\"tags\":[\"Test\"],\"type\":\"IpAddresses\",\"value\":\"89.160.20.112\",\"whitelisted\":false}", + "original": "{\"firstSeen\":\"2022-05-04T20:11:04.000Z\",\"lastSeen\":\"2022-06-15T20:11:04.000Z\",\"lastUpdateDate\":\"2022-06-16T10:39:07.851Z\",\"relatedCampaigns\":[],\"relatedMalware\":[\"remcos\"],\"relatedThreatActors\":[],\"reportedFeeds\":[{\"confidenceLevel\":2,\"id\":\"5b68306df84f7c8696047fdd\",\"name\":\"Test Feed\"}],\"score\":13.26086956521739,\"severity\":\"Low\",\"status\":\"Active\",\"tags\":[\"Test\"],\"type\":\"IpAddresses\",\"value\":\"89.160.20.112\",\"whitelisted\":false}", "risk_score": 13.26087, "type": [ "indicator" 
@@ -256,9 +257,11 @@ An example event for `ioc` looks as following: "rapid7": { "tc": { "ioc": { + "deleted_at": "2022-08-05T10:39:07.851Z", + "expiration_duration": "50d", "first_seen": "2022-05-04T20:11:04.000Z", - "last_seen": "2022-05-04T20:11:04.000Z", - "last_update_date": "2022-05-05T10:39:07.851Z", + "last_seen": "2022-06-15T20:11:04.000Z", + "last_update_date": "2022-06-16T10:39:07.851Z", "related": { "malware": [ "remcos" @@ -317,8 +320,9 @@ An example event for `ioc` looks as following: "region_name": "Östergötland County" }, "ip": "89.160.20.112", - "last_seen": "2022-05-04T20:11:04.000Z", - "modified_at": "2022-05-05T10:39:07.851Z", + "last_seen": "2022-06-15T20:11:04.000Z", + "modified_at": "2022-06-16T10:39:07.851Z", + "name": "89.160.20.112", "provider": [ "Test Feed" ], @@ -326,7 +330,6 @@ An example event for `ioc` looks as following: } } } - ``` **Exported fields** @@ -342,7 +345,10 @@ An example event for `ioc` looks as following: | host.os.build | OS build information. | keyword | | host.os.codename | OS codename, if any. | keyword | | input.type | Input type | keyword | +| labels.is_ioc_transform_source | Field indicating if its the transform source for supporting IOC expiration. This field is dropped from destination indices to facilitate easier filtering of indicators. | constant_keyword | | log.offset | Log offset | long | +| rapid7.tc.ioc.deleted_at | The timestamp when indicator is (or will be) expired. | date | +| rapid7.tc.ioc.expiration_duration | The configured expiration duration. | keyword | | rapid7.tc.ioc.first_seen | IOC first seen date in Unix Millisecond Timestamp. | date | | rapid7.tc.ioc.geolocation | Geographical location of an IP address. | keyword | | rapid7.tc.ioc.last_seen | IOC last seen date in Unix Millisecond Timestamp. | date | 
@@ -373,13 +379,13 @@ An example event for `alert` looks as following: ```json { - "@timestamp": "2022-11-02T10:03:56.139Z", + "@timestamp": "2022-11-02T10:12:46.260Z", "agent": { - "ephemeral_id": "743b16ad-875e-4038-9516-8f13a9aa47df", - "id": "dc81497a-8431-4ec0-aeca-be9bfd9982ba", + "ephemeral_id": "0a1f430f-ec76-4046-9683-49dd5ebaeab2", + "id": "34592ccf-10ae-4d24-a28c-97be832bde99", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.11.0" + "version": "8.13.0" }, "data_stream": { "dataset": "ti_rapid7_threat_command.alert", 
@@ -390,20 +396,20 @@ An example event for `alert` looks as following: "version": "8.11.0" }, "elastic_agent": { - "id": "dc81497a-8431-4ec0-aeca-be9bfd9982ba", - "snapshot": true, - "version": "8.11.0" + "id": "34592ccf-10ae-4d24-a28c-97be832bde99", + "snapshot": false, + "version": "8.13.0" }, "event": { "agent_id_status": "verified", - "created": "2023-09-26T13:25:23.714Z", + "created": "2024-06-26T07:01:05.859Z", "dataset": "ti_rapid7_threat_command.alert", - "id": "123456789abcdefgh8866123", - "ingested": "2023-09-26T13:25:26Z", + "id": "123456789zxcvbnmas8a8q60", + "ingested": "2024-06-26T07:01:15Z", "kind": "alert", "module": "ti_rapid7_threat_command", - "original": "{\"Assets\":[{\"Type\":\"Domains\",\"Value\":\"example.com\"}],\"Assignees\":[],\"Closed\":{\"IsClosed\":true},\"Details\":{\"Description\":\"A suspicious domain 'example.com' was found to have characteristics indicating it may be used to carry out phishing attacks. | Recommendations: It is recommended to block the domain in your URL filtering and mail systems. This can prevent phishing emails being received by your employees and access to websites attempting to steal sensitive information. 
Click “Remediate” in order to initiate the takedown process for this domain.\",\"Images\":[\"1al5s6789z6e2b0m9s8a8q60\"],\"Severity\":\"Low\",\"Source\":{\"NetworkType\":\"ClearWeb\",\"Type\":\"WHOIS servers\",\"URL\":\"http://example.com\"},\"SubType\":\"RegisteredSuspiciousDomain\",\"Tags\":[{\"CreatedBy\":\"ProfilingRule\",\"Name\":\"Phishing Domain - Default Detection Rule\",\"_id\":\"1al3p6789zxcvbnmas8a8q60\"}],\"Title\":\"Suspected Phishing Domain - 'example.com'\",\"Type\":\"Phishing\"},\"FoundDate\":\"2022-11-02T10:03:56.139Z\",\"IsFlagged\":false,\"RelatedIocs\":[\"example.com\"],\"RelatedThreatIDs\":[\"6a4e7t9a111bd0003bcc2a57\"],\"TakedownStatus\":\"NotSent\",\"UpdateDate\":\"2022-11-02T10:03:56.139Z\",\"_id\":\"123456789abcdefgh8866123\"}", - "reference": "https://dashboard.ti.insight.rapid7.com/#/threat-command/alerts/?search=123456789abcdefgh8866123" + "original": "{\"Assets\":[{\"Type\":\"Domains\",\"Value\":\"example.com\"}],\"Assignees\":[],\"Closed\":{\"IsClosed\":true},\"Details\":{\"Description\":\"A suspicious subdomain 'example.com' was found to have characteristics indicating it may be used to carry out phishing attacks. | Recommendations: It is recommended to block the domain in your URL filtering and mail systems. This can prevent phishing emails being received by your employees and access to websites attempting to steal sensitive information. 
Click “Remediate” in order to initiate the takedown process for this domain.\",\"Images\":[],\"Severity\":\"Low\",\"Source\":{\"NetworkType\":\"ClearWeb\",\"Type\":\"WHOIS servers\",\"URL\":\"http://example.com\"},\"SubType\":\"RegisteredSuspiciousDomain\",\"Tags\":[{\"CreatedBy\":\"ProfilingRule\",\"Name\":\"Phishing Domain - Default Detection Rule\",\"_id\":\"1al3p6789z6c2b7m9s8a8q60\"}],\"Title\":\"Suspected Phishing Domain - 'example.com'\",\"Type\":\"Phishing\"},\"FoundDate\":\"2022-11-02T10:12:46.260Z\",\"IsFlagged\":false,\"RelatedIocs\":[\"example.com\"],\"RelatedThreatIDs\":[\"6a4e7t9a111bd0003bcc2a55\"],\"TakedownStatus\":\"NotSent\",\"UpdateDate\":\"2022-11-02T10:12:46.260Z\",\"_id\":\"123456789zxcvbnmas8a8q60\"}", + "reference": "https://dashboard.ti.insight.rapid7.com/#/threat-command/alerts/?search=123456789zxcvbnmas8a8q60" }, "input": { "type": "httpjson" @@ -418,10 +424,7 @@ An example event for `alert` looks as following: } ], "details": { - "description": "A suspicious domain 'example.com' was found to have characteristics indicating it may be used to carry out phishing attacks. | Recommendations: It is recommended to block the domain in your URL filtering and mail systems. This can prevent phishing emails being received by your employees and access to websites attempting to steal sensitive information. Click “Remediate” in order to initiate the takedown process for this domain.", - "images": [ - "1al5s6789z6e2b0m9s8a8q60" - ], + "description": "A suspicious subdomain 'example.com' was found to have characteristics indicating it may be used to carry out phishing attacks. | Recommendations: It is recommended to block the domain in your URL filtering and mail systems. This can prevent phishing emails being received by your employees and access to websites attempting to steal sensitive information. Click “Remediate” in order to initiate the takedown process for this domain.", "severity": "Low", "source": { "network_type": "ClearWeb", 
@@ -432,25 +435,25 @@ An example event for `alert` looks as following: "tags": [ { "created_by": "ProfilingRule", - "id": "1al3p6789zxcvbnmas8a8q60", + "id": "1al3p6789z6c2b7m9s8a8q60", "name": "Phishing Domain - Default Detection Rule" } ], "title": "Suspected Phishing Domain - 'example.com'", "type": "Phishing" }, - "found_date": "2022-11-02T10:03:56.139Z", - "id": "123456789abcdefgh8866123", + "found_date": "2022-11-02T10:12:46.260Z", + "id": "123456789zxcvbnmas8a8q60", "is_closed": true, "is_flagged": false, "related_iocs": [ "example.com" ], "related_threat_ids": [ - "6a4e7t9a111bd0003bcc2a57" + "6a4e7t9a111bd0003bcc2a55" ], "takedown_status": "NotSent", - "update_date": "2022-11-02T10:03:56.139Z" + "update_date": "2022-11-02T10:12:46.260Z" } } }, @@ -461,7 +464,6 @@ An example event for `alert` looks as following: "Phishing Domain - Default Detection Rule" ] } - ``` **Exported fields** @@ -518,11 +520,11 @@ An example event for `vulnerability` looks as following: { "@timestamp": "2020-08-24T21:46:48.619Z", "agent": { - "ephemeral_id": "79ef7310-154a-4f30-a450-263900ebad89", - "id": "dc81497a-8431-4ec0-aeca-be9bfd9982ba", + "ephemeral_id": "98178c63-7de1-4041-877c-bf829b4fc0d3", + "id": "34592ccf-10ae-4d24-a28c-97be832bde99", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.11.0" + "version": "8.13.0" }, "data_stream": { "dataset": "ti_rapid7_threat_command.vulnerability", @@ -533,9 +535,9 @@ An example event for `vulnerability` looks as following: "version": "8.11.0" }, "elastic_agent": { - "id": "dc81497a-8431-4ec0-aeca-be9bfd9982ba", - "snapshot": true, - "version": "8.11.0" + "id": "34592ccf-10ae-4d24-a28c-97be832bde99", + "snapshot": false, + "version": "8.13.0" }, "event": { "agent_id_status": "verified", 
@@ -543,9 +545,9 @@ An example event for `vulnerability` looks as following: "threat", "vulnerability" ], - "created": "2023-09-26T13:27:12.970Z", + "created": "2024-06-26T07:02:37.947Z", "dataset": "ti_rapid7_threat_command.vulnerability", - "ingested": "2023-09-26T13:27:15Z", + "ingested": "2024-06-26T07:02:49Z", "kind": "event", "module": "ti_rapid7_threat_command", "original": "{\"cpe\":[{\"Range\":{\"VersionEndExcluding\":\"\",\"VersionEndIncluding\":\"4.0.0\",\"VersionStartExcluding\":\"\",\"VersionStartIncluding\":\"1.0.0\"},\"Title\":\"Php\",\"Value\":\"cpe:2.3:a:php:php:*:*:*:*:*:*:*:*\",\"VendorProduct\":\"php php\"}],\"cveId\":\"CVE-2020-7064\",\"cvssScore\":5.4,\"exploitAvailability\":false,\"firstMentionDate\":\"N/A\",\"intsightsScore\":16,\"lastMentionDate\":\"2020-04-01T04:15:00.000Z\",\"mentionsAmount\":0,\"mentionsPerSource\":{\"ClearWebCyberBlogs\":0,\"CodeRepositories\":0,\"DarkWeb\":0,\"Exploit\":0,\"HackingForum\":0,\"InstantMessage\":0,\"PasteSite\":0,\"SocialMedia\":0},\"publishedDate\":\"2020-04-01T04:15:00.000Z\",\"relatedCampaigns\":[\"SolarWinds\"],\"relatedMalware\":[\"doppeldridex\",\"dridex\"],\"relatedThreatActors\":[\"doppelspider\"],\"severity\":\"Low\",\"updateDate\":\"2020-08-24T21:46:48.619Z\",\"vulnerabilityOrigin\":[\"Qualys\"]}", @@ -637,7 +639,6 @@ An example event for `vulnerability` looks as following: "severity": "Low" } } - ``` **Exported fields** diff --git a/packages/ti_rapid7_threat_command/_dev/deploy/docker/transform/ti_rapid7_threat_command_unique_alert_transform/fields/agent.yml b/packages/ti_rapid7_threat_command/elasticsearch/transform/latest_alert/fields/agent.yml similarity index 100% rename from packages/ti_rapid7_threat_command/_dev/deploy/docker/transform/ti_rapid7_threat_command_unique_alert_transform/fields/agent.yml rename to packages/ti_rapid7_threat_command/elasticsearch/transform/latest_alert/fields/agent.yml 
diff --git a/packages/ti_rapid7_threat_command/_dev/deploy/docker/transform/ti_rapid7_threat_command_unique_alert_transform/fields/base-fields.yml b/packages/ti_rapid7_threat_command/elasticsearch/transform/latest_alert/fields/base-fields.yml similarity index 100% rename from packages/ti_rapid7_threat_command/_dev/deploy/docker/transform/ti_rapid7_threat_command_unique_alert_transform/fields/base-fields.yml rename to packages/ti_rapid7_threat_command/elasticsearch/transform/latest_alert/fields/base-fields.yml diff --git a/packages/ti_rapid7_threat_command/_dev/deploy/docker/transform/ti_rapid7_threat_command_unique_alert_transform/fields/ecs.yml b/packages/ti_rapid7_threat_command/elasticsearch/transform/latest_alert/fields/ecs.yml similarity index 86% rename from packages/ti_rapid7_threat_command/_dev/deploy/docker/transform/ti_rapid7_threat_command_unique_alert_transform/fields/ecs.yml rename to packages/ti_rapid7_threat_command/elasticsearch/transform/latest_alert/fields/ecs.yml index 710a840f973..dd0281c840c 100644 --- a/packages/ti_rapid7_threat_command/_dev/deploy/docker/transform/ti_rapid7_threat_command_unique_alert_transform/fields/ecs.yml +++ b/packages/ti_rapid7_threat_command/elasticsearch/transform/latest_alert/fields/ecs.yml @@ -2,10 +2,10 @@ name: ecs.version - external: ecs name: error.message -- external: ecs - name: event.category - external: ecs name: event.created +- external: ecs + name: event.ingested - external: ecs name: event.dataset - external: ecs @@ -18,7 +18,5 @@ name: event.original - external: ecs name: event.reference -- external: ecs - name: event.type - external: ecs name: tags 
diff --git a/packages/ti_rapid7_threat_command/_dev/deploy/docker/transform/ti_rapid7_threat_command_unique_alert_transform/fields/fields.yml b/packages/ti_rapid7_threat_command/elasticsearch/transform/latest_alert/fields/fields.yml similarity index 98% rename from packages/ti_rapid7_threat_command/_dev/deploy/docker/transform/ti_rapid7_threat_command_unique_alert_transform/fields/fields.yml rename to packages/ti_rapid7_threat_command/elasticsearch/transform/latest_alert/fields/fields.yml index b9441f4bf8a..e48e7e8dfab 100644 --- a/packages/ti_rapid7_threat_command/_dev/deploy/docker/transform/ti_rapid7_threat_command_unique_alert_transform/fields/fields.yml +++ b/packages/ti_rapid7_threat_command/elasticsearch/transform/latest_alert/fields/fields.yml @@ -2,7 +2,7 @@ type: group fields: - name: assets - type: nested + type: group fields: - name: type type: keyword @@ -50,7 +50,7 @@ type: keyword description: Subtype of an alert. - name: tags - type: nested + type: group fields: - name: created_by type: keyword diff --git a/packages/ti_rapid7_threat_command/elasticsearch/transform/latest_alert/manifest.yml b/packages/ti_rapid7_threat_command/elasticsearch/transform/latest_alert/manifest.yml new file mode 100644 index 00000000000..f5296fd0c0a --- /dev/null +++ b/packages/ti_rapid7_threat_command/elasticsearch/transform/latest_alert/manifest.yml @@ -0,0 +1,18 @@ +start: true +destination_index_template: + settings: + index: + sort: + field: + - "@timestamp" + order: + - desc + mappings: + dynamic: true + dynamic_templates: + - strings_as_keyword: + match_mapping_type: string + mapping: + ignore_above: 1024 + type: keyword + date_detection: false diff --git a/packages/ti_rapid7_threat_command/elasticsearch/transform/latest_alert/transform.yml b/packages/ti_rapid7_threat_command/elasticsearch/transform/latest_alert/transform.yml new file mode 100644 index 00000000000..40ba97cae5a --- /dev/null 
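Review bot: Changing `assets` and `tags` from `type: nested` to `type: group` in latest_alert/fields/fields.yml (both hunks of that file) flattens each array of objects into independent leaf arrays (`assets.type`/`assets.value`, `tags.created_by`/`tags.id`/`tags.name`), so a query that combines two of those leaves can match across different elements of the same alert document. That is a silent change in what an indicator-match or dashboard filter against the latest index means, and nothing in the hunk records why it was made; if the reason is that the transform's destination template cannot carry nested mappings, a one-line comment next to the field, such as `# flattened from nested: per-element pairing of type/value is not preserved in the latest index`, would stop the next maintainer from reverting it and would make the limitation visible to rule authors. The same `nested` to `group` change is applied to `reported_feeds` in latest_ioc/fields/fields.yml and deserves the same comment.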
+++ b/packages/ti_rapid7_threat_command/elasticsearch/transform/latest_alert/transform.yml @@ -0,0 +1,40 @@ +# Use of "*" to use all namespaces defined. +source: + index: + - "logs-ti_rapid7_threat_command.alert-*" + query: + bool: + must_not: + exists: + field: error.message +# The version suffix on the dest.index should be incremented if a breaking change +# is made to the index mapping. You must also bump the fleet_transform_version +# for any change to this transform configuration to take effect. The old destination +# index is not automatically removed. We are dependent on https://github.com/elastic/package-spec/issues/523 to give +# us that ability in order to prevent having duplicate data and prevent query +# time field type conflicts. +dest: + index: "logs-ti_rapid7_threat_command_latest.dest_alert-1" + aliases: + - alias: "logs-ti_rapid7_threat_command_latest.alert" + move_on_creation: true +latest: + unique_key: + - event.dataset + - event.id + sort: "@timestamp" +description: Rapid7 Threat Command Unique Alerts. +frequency: 30s +sync: + time: + field: event.ingested + delay: 120s +retention_policy: + time: + field: "@timestamp" + max_age: 180d +_meta: + managed: true + # Bump this version to delete, reinstall, and restart the transform during package. + # Version bump is needed if there is any code change in transform. + fleet_transform_version: 0.1.0 diff --git a/packages/ti_rapid7_threat_command/_dev/deploy/docker/transform/ti_rapid7_threat_command_unique_cve_transform/fields/agent.yml b/packages/ti_rapid7_threat_command/elasticsearch/transform/latest_ioc/fields/agent.yml similarity index 100% rename from packages/ti_rapid7_threat_command/_dev/deploy/docker/transform/ti_rapid7_threat_command_unique_cve_transform/fields/agent.yml rename to packages/ti_rapid7_threat_command/elasticsearch/transform/latest_ioc/fields/agent.yml 
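Review bot: `sort: "@timestamp"` under `latest` decides which copy of an alert survives per `event.id`, but in the README's alert example `@timestamp` equals `found_date`, so if that mapping holds for real data, a re-ingested update of the same alert (new `update_date`, unchanged `found_date`) ties on the sort key and the surviving copy is effectively arbitrary. Sorting on the ingest time, which is already the `sync.time.field`, keeps the most recently ingested copy deterministically: `sort: event.ingested`. Separately, `retention_policy` evicts documents whose `@timestamp` is older than `max_age: 180d`, which under the same assumption drops an alert first found more than 180 days ago even if it was updated recently; a comment stating that this is the intended lifetime, e.g. `# max_age is measured from the alert's found date, not its last update`, would make the behaviour explicit for operators tuning the policy.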
diff --git a/packages/ti_rapid7_threat_command/_dev/deploy/docker/transform/ti_rapid7_threat_command_unique_cve_transform/fields/base-fields.yml b/packages/ti_rapid7_threat_command/elasticsearch/transform/latest_ioc/fields/base-fields.yml similarity index 100% rename from packages/ti_rapid7_threat_command/_dev/deploy/docker/transform/ti_rapid7_threat_command_unique_cve_transform/fields/base-fields.yml rename to packages/ti_rapid7_threat_command/elasticsearch/transform/latest_ioc/fields/base-fields.yml diff --git a/packages/ti_rapid7_threat_command/_dev/deploy/docker/transform/ti_rapid7_threat_command_unique_ioc_transform/fields/ecs.yml b/packages/ti_rapid7_threat_command/elasticsearch/transform/latest_ioc/fields/ecs.yml similarity index 93% rename from packages/ti_rapid7_threat_command/_dev/deploy/docker/transform/ti_rapid7_threat_command_unique_ioc_transform/fields/ecs.yml rename to packages/ti_rapid7_threat_command/elasticsearch/transform/latest_ioc/fields/ecs.yml index a658ea2d5b9..97643d2f89c 100644 --- a/packages/ti_rapid7_threat_command/_dev/deploy/docker/transform/ti_rapid7_threat_command_unique_ioc_transform/fields/ecs.yml +++ b/packages/ti_rapid7_threat_command/elasticsearch/transform/latest_ioc/fields/ecs.yml @@ -6,6 +6,8 @@ name: event.category - external: ecs name: event.created +- external: ecs + name: event.ingested - external: ecs name: event.dataset - external: ecs @@ -48,8 +50,6 @@ name: threat.indicator.first_seen - external: ecs name: threat.indicator.geo.city_name -- external: ecs - name: threat.indicator.geo.continent_code - external: ecs name: threat.indicator.geo.continent_name - external: ecs 
@@ -58,16 +58,10 @@ name: threat.indicator.geo.country_name - external: ecs name: threat.indicator.geo.location -- external: ecs - name: threat.indicator.geo.name -- external: ecs - name: threat.indicator.geo.postal_code - external: ecs name: threat.indicator.geo.region_iso_code - external: ecs name: threat.indicator.geo.region_name -- external: ecs - name: threat.indicator.geo.timezone - external: ecs name: threat.indicator.ip - external: ecs @@ -109,3 +103,7 @@ name: threat.indicator.url.top_level_domain - external: ecs name: threat.indicator.url.username +- external: ecs + name: threat.indicator.name +- external: ecs + name: labels diff --git a/packages/ti_rapid7_threat_command/_dev/deploy/docker/transform/ti_rapid7_threat_command_unique_ioc_transform/fields/fields.yml b/packages/ti_rapid7_threat_command/elasticsearch/transform/latest_ioc/fields/fields.yml similarity index 88% rename from packages/ti_rapid7_threat_command/_dev/deploy/docker/transform/ti_rapid7_threat_command_unique_ioc_transform/fields/fields.yml rename to packages/ti_rapid7_threat_command/elasticsearch/transform/latest_ioc/fields/fields.yml index 83e94b0b220..58feba97d49 100644 --- a/packages/ti_rapid7_threat_command/_dev/deploy/docker/transform/ti_rapid7_threat_command_unique_ioc_transform/fields/fields.yml +++ b/packages/ti_rapid7_threat_command/elasticsearch/transform/latest_ioc/fields/fields.yml @@ -29,7 +29,7 @@ type: keyword description: List of IOC related threat actors. - name: reported_feeds - type: nested + type: group fields: - name: confidence type: double @@ -62,3 +62,11 @@ - name: whitelisted type: keyword description: An indicator which states if the IOC was checked and found as whitelisted or not. + - name: deleted_at + type: date + description: | + The timestamp when indicator is (or will be) expired. + - name: expiration_duration + type: keyword + description: | + The configured expiration duration. 
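Review bot: `reported_feeds` changes from `type: nested` to `type: group` in the first fields.yml hunk, which flattens the feed objects into parallel arrays in the destination index: a query that combines `reported_feeds.confidence` with another `reported_feeds.*` subfield can then match values taken from two different feeds of the same indicator. If that per-feed association is relied on anywhere (for instance filtering indicators by a single feed's confidence), `nested` should stay; if the flattening is intended, a short `description:` on `reported_feeds` saying so would spare the next reader the question. The new `deleted_at` field is also the time field the latest_ioc transform's `retention_policy` reads, which is worth stating in its description, e.g. `The timestamp when indicator is (or will be) expired. Used by the latest_ioc transform retention policy.`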
diff --git a/packages/ti_rapid7_threat_command/elasticsearch/transform/latest_ioc/manifest.yml b/packages/ti_rapid7_threat_command/elasticsearch/transform/latest_ioc/manifest.yml
new file mode 100644
index 00000000000..f5296fd0c0a
--- /dev/null
+++ b/packages/ti_rapid7_threat_command/elasticsearch/transform/latest_ioc/manifest.yml
@@ -0,0 +1,18 @@
+start: true
+destination_index_template:
+ settings:
+ index:
+ sort:
+ field:
+ - "@timestamp"
+ order:
+ - desc
+ mappings:
+ dynamic: true
+ dynamic_templates:
+ - strings_as_keyword:
+ match_mapping_type: string
+ mapping:
+ ignore_above: 1024
+ type: keyword
+ date_detection: false
diff --git a/packages/ti_rapid7_threat_command/elasticsearch/transform/latest_ioc/transform.yml b/packages/ti_rapid7_threat_command/elasticsearch/transform/latest_ioc/transform.yml
new file mode 100644
index 00000000000..2803e260060
--- /dev/null
+++ b/packages/ti_rapid7_threat_command/elasticsearch/transform/latest_ioc/transform.yml
@@ -0,0 +1,43 @@
+# Use of "*" to use all namespaces defined.
+source:
+ index:
+ - "logs-ti_rapid7_threat_command.ioc-*"
+ query:
+ bool:
+ must_not:
+ exists:
+ field: error.message
+ must:
+ exists:
+ field: labels.is_ioc_transform_source
+# The version suffix on the dest.index should be incremented if a breaking change
+# is made to the index mapping. You must also bump the fleet_transform_version
+# for any change to this transform configuration to take effect. The old destination
+# index is not automatically removed. We are dependent on https://github.com/elastic/package-spec/issues/523 to give
+# us that ability in order to prevent having duplicate IoC data and prevent query
+# time field type conflicts.
+dest:
+ index: "logs-ti_rapid7_threat_command_latest.dest_ioc-1"
+ aliases:
+ - alias: "logs-ti_rapid7_threat_command_latest.ioc"
+ move_on_creation: true
+latest:
+ unique_key:
+ - event.dataset
+ - threat.indicator.name
+ sort: "@timestamp"
+description: Latest Rapid7 Threat Command IOC data
+frequency: 30s
+sync:
+ time:
+ field: event.ingested
+ delay: 120s
+retention_policy:
+ time:
+ field: rapid7.tc.ioc.deleted_at
+ max_age: 1m
+_meta:
+ managed: true
+ # Bump this version to delete, reinstall, and restart the transform during package.
+ # Version bump is needed if there is any code change in transform.
+ fleet_transform_version: 0.1.0
diff --git a/packages/ti_rapid7_threat_command/_dev/deploy/docker/transform/ti_rapid7_threat_command_unique_ioc_transform/fields/agent.yml b/packages/ti_rapid7_threat_command/elasticsearch/transform/latest_vulnerability/fields/agent.yml
similarity index 97%
rename from packages/ti_rapid7_threat_command/_dev/deploy/docker/transform/ti_rapid7_threat_command_unique_ioc_transform/fields/agent.yml
rename to packages/ti_rapid7_threat_command/elasticsearch/transform/latest_vulnerability/fields/agent.yml
index 73e076a93b1..1d37c906754 100644
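Review bot: The `retention_policy` keys on `rapid7.tc.ioc.deleted_at` with `max_age: 1m`, and transform retention is applied as a range query on that field, so a destination document with no `deleted_at` value is never aged out and stays in the latest index indefinitely. If the ingest pipeline guarantees the field on every IOC, a comment saying so would help, e.g. `# Indicators are retired ~1m after rapid7.tc.ioc.deleted_at; documents without the field are never removed.` Otherwise consider extending the `must` clause that already requires `labels.is_ioc_transform_source` with a second `exists` on `rapid7.tc.ioc.deleted_at`, so nothing enters the latest index that retention cannot later remove — stale indicators in a "latest" index are what downstream indicator-match rules will keep alerting on.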
--- a/packages/ti_rapid7_threat_command/_dev/deploy/docker/transform/ti_rapid7_threat_command_unique_ioc_transform/fields/agent.yml +++ b/packages/ti_rapid7_threat_command/elasticsearch/transform/latest_vulnerability/fields/agent.yml @@ -163,21 +163,15 @@ description: 'Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - name: containerized type: boolean - description: > - If the host is a container. - + description: If the host is a container. - name: os.build type: keyword example: "18D109" - description: > - OS build information. - + description: OS build information. - name: os.codename type: keyword example: "stretch" - description: > - OS codename, if any. - + description: OS codename, if any. - name: input.type type: keyword description: Input type diff --git a/packages/ti_rapid7_threat_command/_dev/deploy/docker/transform/ti_rapid7_threat_command_unique_ioc_transform/fields/base-fields.yml b/packages/ti_rapid7_threat_command/elasticsearch/transform/latest_vulnerability/fields/base-fields.yml similarity index 100% rename from packages/ti_rapid7_threat_command/_dev/deploy/docker/transform/ti_rapid7_threat_command_unique_ioc_transform/fields/base-fields.yml rename to packages/ti_rapid7_threat_command/elasticsearch/transform/latest_vulnerability/fields/base-fields.yml diff --git a/packages/ti_rapid7_threat_command/_dev/deploy/docker/transform/ti_rapid7_threat_command_unique_cve_transform/fields/ecs.yml b/packages/ti_rapid7_threat_command/elasticsearch/transform/latest_vulnerability/fields/ecs.yml similarity index 94% rename from packages/ti_rapid7_threat_command/_dev/deploy/docker/transform/ti_rapid7_threat_command_unique_cve_transform/fields/ecs.yml rename to packages/ti_rapid7_threat_command/elasticsearch/transform/latest_vulnerability/fields/ecs.yml index e49c52a3ade..85c11899093 100644 
--- a/packages/ti_rapid7_threat_command/_dev/deploy/docker/transform/ti_rapid7_threat_command_unique_cve_transform/fields/ecs.yml
+++ b/packages/ti_rapid7_threat_command/elasticsearch/transform/latest_vulnerability/fields/ecs.yml
@@ -6,6 +6,8 @@
 name: event.category
 - external: ecs
 name: event.created
+- external: ecs
+ name: event.ingested
 - external: ecs
 name: event.dataset
 - external: ecs
diff --git a/packages/ti_rapid7_threat_command/_dev/deploy/docker/transform/ti_rapid7_threat_command_unique_cve_transform/fields/fields.yml b/packages/ti_rapid7_threat_command/elasticsearch/transform/latest_vulnerability/fields/fields.yml
similarity index 100%
rename from packages/ti_rapid7_threat_command/_dev/deploy/docker/transform/ti_rapid7_threat_command_unique_cve_transform/fields/fields.yml
rename to packages/ti_rapid7_threat_command/elasticsearch/transform/latest_vulnerability/fields/fields.yml
diff --git a/packages/ti_rapid7_threat_command/elasticsearch/transform/latest_vulnerability/manifest.yml b/packages/ti_rapid7_threat_command/elasticsearch/transform/latest_vulnerability/manifest.yml
new file mode 100644
index 00000000000..f5296fd0c0a
--- /dev/null
+++ b/packages/ti_rapid7_threat_command/elasticsearch/transform/latest_vulnerability/manifest.yml
@@ -0,0 +1,18 @@
+start: true
+destination_index_template:
+ settings:
+ index:
+ sort:
+ field:
+ - "@timestamp"
+ order:
+ - desc
+ mappings:
+ dynamic: true
+ dynamic_templates:
+ - strings_as_keyword:
+ match_mapping_type: string
+ mapping:
+ ignore_above: 1024
+ type: keyword
+ date_detection: false
diff --git a/packages/ti_rapid7_threat_command/elasticsearch/transform/latest_vulnerability/transform.yml b/packages/ti_rapid7_threat_command/elasticsearch/transform/latest_vulnerability/transform.yml
new file mode 100644
index 00000000000..b30ec6324ac
--- /dev/null
+++ b/packages/ti_rapid7_threat_command/elasticsearch/transform/latest_vulnerability/transform.yml
@@ -0,0 +1,40 @@
+# Use of "*" to use all namespaces defined.
+source:
+ index:
+ - "logs-ti_rapid7_threat_command.vulnerability-*"
+ query:
+ bool:
+ must_not:
+ exists:
+ field: error.message
+# The version suffix on the dest.index should be incremented if a breaking change
+# is made to the index mapping. You must also bump the fleet_transform_version
+# for any change to this transform configuration to take effect. The old destination
+# index is not automatically removed. We are dependent on https://github.com/elastic/package-spec/issues/523 to give
+# us that ability in order to prevent having duplicate data and prevent query
+# time field type conflicts.
+dest:
+ index: "logs-ti_rapid7_threat_command_latest.dest_vulnerability-1"
+ aliases:
+ - alias: "logs-ti_rapid7_threat_command_latest.vulnerability"
+ move_on_creation: true
+latest:
+ unique_key:
+ - event.dataset
+ - vulnerability.id
+ sort: "@timestamp"
+description: Rapid7 Threat Command Unique CVEs.
+frequency: 30s
+sync:
+ time:
+ field: event.ingested
+ delay: 120s
+retention_policy:
+ time:
+ field: "@timestamp"
+ max_age: 180d
+_meta:
+ managed: true
+ # Bump this version to delete, reinstall, and restart the transform during package.
+ # Version bump is needed if there is any code change in transform.
+ fleet_transform_version: 0.1.0
diff --git a/packages/ti_rapid7_threat_command/img/ti_rapid7_threat_command-alert_details.png b/packages/ti_rapid7_threat_command/img/ti_rapid7_threat_command-alert_details.png deleted file mode 100644 index 9c36c994d3b7c4f95dcdb9c7fe956697f0ee5885..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 270832 zcmYJab97}-&@LR?wr$SDwsm67#I|jFV%xTJ;!HHj#C9gOPm(Xc``-6{f1K5;_v-Gw zyH3?p)m2YNsVGS!BM=~ffq@~*%1EezfkDlKfk6bpL3}+SE=NE9YQSC8q{YDMW{6I{ zI#3p(ilSg(jR}aLAJAWYct;r>7celCq5pp1V-6LjU|^r6vJ#>io`&b|usKu{ZY%KR zj7EzFn~Pg-mzg9E?(XIm7Vj)LTge6JqEQQ*ss|nms!zow-6;|`6@O`OlwMu;h{-X? zL@}Ut;g|wPetHDC?f0IXpI+Y5Y(5!EXadr#zMFfPqkqoK#QNUsg-wi)d#38> z`1&mS&p^$dH2fn%jUivd(wLX!=t>Ag!a>V0&2Cipg9*90Ly1*qGamSjgz$r_a~l$V zZU3rYXY>&m6FOsc@cN4n%{Ao`qM`asfI%%xkq>e-P~fa-#8@Eq4~nvnS6BD#pRpfV zqsDA_2?W87ir|zwd9zk1$HA0FL7qR&VH?1I0gY{ur`lsx3QQF#)3c?w$!w0ti5ignQX>v@4UhX<;L;T)39}zk{wFZ)$|ZSg_LVaP=(#fC#{c7d z9s$WP8`;9s>3i@m0U(abJ2CYSHay{kl4CtWWLd&Vr^MBlo>*kXby(eWmM2o;d?2|r zn+wS<&u&m!8nDBr zZIQV$CDUCfb9Ta*jRYQ{BiC#Bj+tflSsT*;3HUbQml?o@7aM_lCn%T4dM~^Bjcs$M zXdjz+sg2VzQ#vEUy~Rrgp>3LGlV$bD8D$s;5H4=p_dN@lJI5{$=ov}BvYFXFVJz_5 z){opLV@1=dQn&-YvmVPEs_?-igf--bJoMPBef{Fb^V-BuU@{I_a+YBGHiGX@DD(l> zZyA}tXz5T|Wu|y0bY|2O71vY>B+p!AW^AiuSXfz|^3Zgw^xr_o^d(_1CDyJEG4olg z+CVn3sj{G*_lZHKDNVLx`7l>x2!ho7Xx~9FA6Lo8NG$Bg0yci83}8GK!fhbd)F3l9 z!mTKMMwlK0)&cncw5B%DB%iTtn_yguRsA8&^wDYpBu07$0FAJ5h2KapAxR{x2qIz7 zW3h@wZN}O3SBn=VPdu{UpwIqOC=dAO9Fq3#;WI_5l&0k27rgjyu4*uh8GfZSmUOTQ z5Kl1_2o2=<<4HG+X5hhz5X)48fPzY>B1vqS0la56M7RQSC^L-| zI2Y_GXioF|b#*WuxeD~cL^GUmV>vTAV|{Yy6>%iQ&|o`z z?Ez|5MDd`=NCr42+gr!P6*U5N-mg_}cSy)OED zxWMIRZVuCmhXg|zbKmg`6DoGK4!TGrhmu;8qsdhX8nb+Nz3cH9D;mWyGzSkd zG8C8)8^bYMNmPECQ{uD~cYhbOdJs>70&H}Ti7qKLTM2Rkn?Gj)|FS!yipsi1nZ5Ik zoFWDuLiyaP$~&SbwPV(;aR^7-LebX{g2+a4yp&FjsuucT8L42dSjJ#kxB(KFs6+)! 
z^(u`ZET-I%Gz2U1WF<-LsghH9Da)dC3!sb{20;idJ*38TO+#^T5JwvmI+~uTjhYPN zRhj6xp)MQ(O!z{gIwBp}@<Tie~B?YBsvfT||`ajCoauS2QUrRO&;jF8XGfT{W z$=354+Q(Hs4~Jr1l`QC~(3qcvS5Xp+!zHih1%qKgXQx5$>3r4Y;j}eZsR9palyVr7 z2RIFxAiB1wV01_>A~qUWd|Nas&p?}uSWe@ZRlx{Rj=<+%hs@zEy46(RyUxZWqu9+z_V4ZPK4 zA%dhf$K(+Vh5SpLWExt4AQj#|m}ejY`V;(4Df~-rQ*f3Q3p$ zJ4|Xr6mrN-MPk4YhVe97ZU9?=Tq`x-}n&=3SazWj;PPr}i^4A8LYPbs;-Ugv^Hvbh=%i``Cvma*iE-&%}gm)+v@(GW#i zZ}@t8<@rNy{up1@Wnu=)alXO40z+UOHae`%+3{kfb6^h&OJEbH>!VKKbRjx!t$QjQ zldGF5?LM810L&JR@I{h4(2C1EigU@gYlAC0)AC8B_}OU#P%p(ABtNZqr%pLC(PMjE zcgc*CN@jDtZ@%Y!lwc(bzuc#cp~ftl6)(=Heit@BJ|a>ZW{^4~c!J&Ay19|f#k3lX zV_PO_tF2|86@CJ}zIyXu$)!`3TN!`15hje}q#kailBFW0D6&l?`D_0(3ux@?=qX@- zO*)tax49WlnKT#lm$WUMZ?i-?bSkpxfh`K}H`t3YWAj_z9nd1zihq8sp^p?f*^In3 zWZg9seW2&t6^!Q&`75NL0@A2K;%OsWHRr=t+^dtD+ad@Ak(W?Y&H3ehA!ZRNKtZHq zLkP-ygF?sQ79K!+bT}$msFXyMa>h~YBnE=tFO>+u>g3|4PMg`NV?plPtVQH*0*5)M z7zCTSQJq{#Lr040{W(i2ygzQK{!$7@G7Dnh5=J@zcc!gpE?y_N^OhE_fTly4k?B;m zkwHli$rEPAAi0cFP{1KJ+6ad!FyiVx|WdA?)?_6=^eW*DCHydxpYiIydcCq$1a& zj@zuxS1dQC#_#qf2B7BfzzOjhJe+R{qlZCln47RNm5RK{$7i<_fbMOT$5TdzV*xDNVvExpsf`)Qr8xXpX~b*xn3x#l zJb|0D{*TgxKG1CpYv1*hx-#&D2nnV*siJDG9ZYTKe(M^FcDZF^<*{w)^SJ+GxjbJ8 zpabA#XTNmr-oF_x6o<`Wu^-wNk@tB9iitEF2R7 ztK3Xc^4|P|2pJAM!as~XY|kMK%=YHB97ev;N`|sc%LcverJJc;i=Q!38NY1*U2A?< z)+QcG1b4Ih!R$C8GDvuA6F!=ju1UUs0b#Yiri((%=X<&F^3v(0hPRjZcN{{*4_q6+ zF#?qsRJ;9pm6nz!B|TOF6>rIg*X33{cJ*|OKan+DGM@ewkf0I>O@&TMqVxwBuIxRxjzF zll`_1HZRS>Zw|PuhCSYgzZa{u`1ttyu3u)u26tCGbvW`1j~`}c?6aqrR#!hReXe|u z*SC4SZcF~c-%(1_VWpXQ{rDmD&Mf2Xx9P|M)=1#c=smfPLgWExt>}qNSC{!&LWXN0 zK46n$?7>47&)$vK5>b+>MVQfg|J^1s%tYv=BXfw?pBk3+Div9YnhXT%Fe+7vci z-3%jbLmgE>Mlo4p@v@%2zP@RzE*bnk6<%@x>R0@qD7v8}c<8Ps9US4bvtlCM-PJ`v zK=_;SH{t22fF#Lhm62-fU2gD~CPbT>YCu)?Rkk+v)m0VM6gAb1pB*wSEsa`7B*KN6 ztVwMnqS-ETPZ!l$N8#OA4Cs{Z@4xX{C(30P`lzsqGCTnOv1L^<;4syz40lqDKufEp zpSxF=k0;5{$W)&rEhtm}h1OH_YbK*@H6=2Y%HE)Lt_uw|wX@s?=;`U{sA?Lh?zNpZ zYO7874kl)^VoB{Xw<0quB0JXjrKXyVkXUfwC|RccE)#4ON+;6)b@Se)lfTJe5$oG{cM{+O`-f6mRB{C-i7{B~_(@t$^n_h4Vz@N`W|* 
zpaOFNn>(S8uVD^dPV+R7?<@~v-wbos8i=w*?quR5CA zk(&me&_FSuk0R`IgrR?uwdTm#@g#SkqCodlFJ+Phcc93uA|d+k-12Q)+R*#7QvL1m zLeSCJh>74!0fLFvb@fn)A=>YHYUuhOZTcS@6a4O@Xq5)$H#VRmEUc{9Nt7dt8UnWS z5&}Rbvw~0ONkb7&q$}+XpM4S(;K;9?vwmf@y(9bd);2c$zRxP#xqY5Yul)V*>uiAB z{Cr%f!pg?o(saYXP}+Qf&VX$pyh?}7Q(!g}63qTC&H9A|l&XOHxwe(n$(cis)7?>R zVd0O@QwF3BwC<*+pWcC?{|NU zu%j%sp{!dyM$H)k|rcNY?jMWl0vM3+nPuKw>_1NeX zOGZI~&S`m7B4tUKI8qoDMzM|zUL$`^|2<>Aja8k;8u6i7DcgmiHu5NzV==VzooAv*&74O*yyO1^z*)4iNvZoT29i=MNhiiVE!mw({C{jTk`QCH7ruhaC!{*fansQ zT)pz_c&`e9Tmx4`W2{JyXh{3y=4B}!GovH(_6L$dZ1E;=PdPG5MNtM`T5VW7=D~uk z4LO#OqFj&BrpgfXud>XWlvZ}x{t;TNv0|k4N#u#O-}T-?*z3Z4o9!Op?K~iyBen?G zac9X;!us&-?#kVHmkMjB~2O)y4?-By)TYx^$fn+ zw^!HO3g*r<+b5`YnZ5deljXjLX$Ned-W`BJk7r@GkCwW+Ivrlys_l-fWHI|4krgGI zaCW!-a?)P(+QNP-+tv%=WaR|kbEoXPXTmtiC_Y4)OMKD)lHISm$DEg&4Id#sVah?0ps1{TR<*XcsA^!q z%g^85z?QE-}!0ew&Yig1p(c38{4SB@t4AhXqVyUn?v6q{yM0%PUf@wP>KR zz;Fg>6LknCtLz{qt+M}TD(Uc^6B-Z?J4*8S$o%PYm7kqG(|-VngcJ`C^uE6S7za(0 z`oB4NUn(HQ&W4%Rjaxx(Pw1`wSy|oO++5sT)ZA;EW@eJji++biC0Xh2ZmUBHuX$-q zdMKrKEF8eb%B7A-5OO!Zs*6AJCakZK!np83{m#vOb+Of3T|9T;%*+HO&sgMHsGge<rcu z7pj1}?RMYgW14Q%amX3)Xy$VCu}*Na+ufrTo42HM1Y6z-n`_eFGHq>bbTquO5LgfZ z?Q7{MUQM8jLd3VWv9-3gq-y|}+uCaL@hG2Uc-GR?kiQ9{)Mm3}PcLDG9pYxr-R$mu zI^QyDcZxFITftQJxVp5itpB6Ij5h8ai$*a1bMcATvdiyml(4>c(Zj;g+kQe*zv=4Q zB&jvB;N%NJna;Wv0b7e(6cIR>vO4=r@N;cX1AWiVS5N(S-ef!FcV(3zF zDt4(NGWHp;q-vFvzelg>pVQXO3TFA^rL~P+4Z0g|@`7F$>eVVD&Z$`SnK2X!i{S@e ztRgvSeeiAZM)V>gr01-2HX*JGFXN=o1u% zc#JJcUg@|d4x#sVYkq!f$@}QMbG_YR2=F|S^5v#@I5{Eh7p||_OdAdIF_+qk!Ue}_ zE|c%24It7r_JDJG-wzyl@Q}g==ZY{$Up$Fzpbhg1hRsJKczMYkq5E!r!A$)i|5k~^ zdaYEB$nw!sx4M`yUQd0VbTuOPN#%8aQN-Gl>-*t;yUKZ{{Lxg0-p?n34H{iq7M%_8v`6gHo>|}W4J{R`A-2wV7BDel*ba?7}f8ajMy=Wav zxJbqHWnvI|I&U7K&I@lVyX@U`=KATb_Y$wAWW z>BEFJ;SylNXw&3*zM9a^y|k3NnlIGZJ*b5hPsRUuej?D&UR1bSX<-BhJ6Kh;#LcZo z{QNemt<51&WHs>!x?|<~g&idQuhzGh5B96OsmUx?0 z?&mO|@ocAxM8l78zoA~#(*N!1W=Ih3`%dzApZzAY zJpVS$JBu&N9~u zJ&fzjU=%gL?c%NQ8|BkUVocf^b~fcH?ot4jyT6|I`RtMIr+=l-;Cod6S*@p?)n~?9@(!`nMDdzD06agt 
zC=INAeeuhEHSLj-=F3oBpJn~oh>4MZcz6hxLg0a^D$@ciwzRb^E-dIWYdScwj~BA# zQOw?8(z<(Gp-ZSPUK69U8HNbqx89t5Q*NUo3k%01JoEH)l!VxKKU4u!M1zK5%`W~n#)>muy4$o-OImmdHFp~FPr(f{arZ6j~*V{_m&i0p5<3ZtIg?S<>h+rZjmSv-5n)mUG{d&j{A=n zp+9?Ek;mxO1U;Or^la8&+70_1AE%VJgtos6=%_Cf=^J+VAJuxy8s!=)6ZxMY~)=a-$QJG_q9qrV01k@s8HdsmywzgLt0nWboB0{%s&N;{g`+Uhn~oS%cl ztT|BPD4l~R&#JAgq1)>w&YWOE<~(NfPgmAo4qOuY@0yq2?_B<->{}@18;W*N_U6|UGhR8&UN{Q8^jF#gR)Tzz`}`9c0zx&QTVbGlE2 z+!;Z1E~xZrOTgvh=rDAbOk%E&Lubwml=Dp6uT7= zZHZ5cf6?hlPlQ0=kn|O*L%hOgmJdLLX!$z(g3i~|X<i79}c6SrjYq*jOIB~bOPBKnLN$Bsm`1fKC>g7Fl zO&&sdSo!)2(9?d!lb^f7AZe{SePUu_pQDp<$RH8r+3BGORDh@-acg2Diaj zdRFPar@>y4=%<935(`tUNJYtb)Cca3Jbe?yYiHRl&|x2IChfbBLwq=8ufyka*t}`4 z5V@?nd~m>ES^a7$cFcaVxiBlh*N^MmLo-@#s%nJUdxN>&8@nGc)Q(VUCzlM}b77J1 zbu=09`sx3s7w~l9;CH9D{c5hKSG~(w*05Te|9VgRu~%*Ma-05{AMnusUT^f;YE)fa zTdI6w*yVfJn&0F93_wm-Z3-$s`|XN5mLg`Dz?T~BaA1&NT+4l>8n+l}jP;rF@q ztDf&XTrkD3QGu;hRK-~g)m1f4Re$#z_?V(h#Z-S;az$@3y=U>o(h4khRliS^=ig)d zq@|}rB;omeP!XWmL^DjvG2skZh#P|x2QyMsxTpzYRxjEf4p;kMCxuZb1{+gm1p-bx z)@kOKgG(B9Yl6w@>R}7r{Xb9l28*bo=im-d+|($ND#k8?VvUdR$8hzlcGTc|Lci_2 z78DyHv)o$O_F$rjCBz)wxmhY5F z>aO|H(m=b8zgjYBXeqN;s&&;4v0%Akkh7@itL3P06!)^>)xuTq>(u@P!z(I^*@%@j zj3DAh_LT;zGr7>UD_4;7+ zIX`|KNhkMZXG24jee)b0_ItEX8PSI2Q$H}-L{(EQ2Uz#sf+9tZv1fjGXz|vl$(z_2 zn7Bx~F^59`mG>1ptKPAflVQdLIAk9xlghmVNQ z-S&^`?T=m5fM;>Xv(IbP&z&gR_`lk6O3eRQ*b^XmiLfdDBNGs1rs(~>4+;Xh9MANE zZl(LK!&n!VmV&Q0pOgaj)bp8GSwq+|+jntV)%OuU;G*j$qW-L%&aYXM;Y3AcNeQW9 z-C%z6ZGz09f)?PER4v}Ml#~pcK7sP6=$c~OnJq7%&ci(=Ai%}N-S&KM4SRvEo|c8- z>FX=h`NcG%BrooEcz@pWTPHf&ukV(lTCt|K&d@;DzOH_Az4xs3`?l};er>%>fk>HSo&d*=c9c&8+!$QygLBdztCUrDmXY#lq~tUt@>NZBksU0*SoIU*K|_MeWXmg}Q4VMD`=W}SJM<^b-j-ur;WsN@0w>&;4Qew@#P$FqEh-#DsG_^OkI|~zBZOnnxdKns%yj*D z)9b!gfalF%m^K8+1%Jb2TsNf3WDzg+LhQKMYoL>I)wWGtx*MkqX0$Bb3`LrdGWiRx z)$mZ@bcW7Li;6%-pJxHBU0pxhbv{q7J}&!TmOoDig5HB3TEFCvNgJOJ7S_|QfhF)H z8i^Q7J`jaTo0gVtzt!{dG8=HYPx_Y8zOuft0E+m045+WIB_txc_mo0N=2F;;$}^$+U!~7)0J`0O1_e5LG^6cox(F#slCL>k^oEd5*L$ly_(7fca<5n0WzXH~LO*YTh2`~nc%{_#jt$Ap>DHh_ 
zuj)xVj}F+^F;_)FuUpIQf$M=k_j5zi{=0YiCzdwOa<7gKq#p#BeGZx!P-BR*0&i25 zV;*iT!$Uw|<6%`-TUl0eg8xC-alRn;cixw^>hhT13|*)fo148?hY7yJR_I&47qpYr zH_E=J&8&hRr`LV)FO^Y$)9s1<9x*qWYd@k?brv-Y6S)NmV*EdFg+G%LdNhmx&Ud4= z{2|2`-F(6~FSEVR8Wqtln_gHz?T%Nh!&l^C%vk9x< zVd6pQApqMbo>AL#chw?a(Ct)1%SWE0MSxvEUvraAcLUO6)R-z@FN)I7BRpaZha}+q z-?8v#=F$<2Wm-_4UbT%4LrXK=(h~PV+RLSW|4}tV1VvojG<;7>dGpQMqD=~C&`?A| zzzwdD2WUJfbN8d!VrKFCH?Q3JKRam8A2E|QtY67~*1r3}T|wezPDJ&)LS=st<)WFS zx;m#UetkE^^Db>Zzx(+Fu94^NA#PqJlUoeR*#20;=Y7OZrJ>&qCF`(8T~*)ysyc0Y zx%5&9_^qzNkI%mM1X4fH%dzm|;N7gv#B+7MZ@>@UKMV7!rnoz6E(cNStX}}HK870h zE?@t?v*@V7`#3cw{JuJSd1Bk;wCnphtrx#{YxFwr(031_&zF9^LGA1B!HHrVtSgI_ zaoqJ*cA!hj(KGb9IaKZe&EH9*UK$wXT#@40SzRI2GqFr5ggj031&po0jGET%!0w@y z??s3{T*Rf;gWf&HXpXUODSPo!^R)2mv2@wo|8wMEo-DoXK4+(=l!e#r{qGmww>M zzLG%i-vjR2EoSrdbPWyl3?TD4NoGMk)JU|6^1vHdroG8CNqI%_6b9Z%6rK82;=MkglJ=XX6 ze9%O`ewU{t;3mmf77G*Jm-<5ftL&ZdG3NlfA^mi+(K};(zs3E0=>G`W-Bp#*R@1*1 ze!u)IFKRjs_;?RMhl8obL5v^CVi5VY{N}L@8rAv$F&e#9*I%tRzvaJgUF8Y+J@RkA zvzSJ*!YwW2<>`H$8a{58`#&B+U?0C?gPYlUgYMUd`T$BSq`Tk(8*d(rLg?Z!(=TM9 z1*8JlxL8=2k8-Qo1~beY#UOLa7@qgyuqq@-+(Z&o4{UYuU|>_5CwsW**NF57tE9LM zm!VYEYj*r(e?sI8@EkYj4*yIC$PQyPMivCae7Hsp%2ye;^D|M~vt#IMVm4-!-n#UI zwyD!$9E|*FvlO60qN~zeUE2k2?(;ayXPKw#hlju=l}34KX;*zEQJC>%!y%XUqD@$R zIr#XU&ZhWf^OO;a2K9JE8}!1|5(LkUWGvI5jt?YzOIE1IcP*)i{^qb<>U3I);qE0* z7Sh^UBmJ(7(u9pjjXon$ZNlng(lm^!Wgg>!^~`o>o;s5Y_K*u6Nsg@!Mr+mOnNho} zeg#RB_Pf5e2F*cdHdp4P;(B%)+zwomAUH-PR)jQ#_WKpB+_c4HB=VAz^IRmWoHtSL zqw|uC_|)*#!$U||QN+$<0n)ft0g{SK#C#U5&TLqW9LE^cl`CfGyu2jZac7!3Evuby z^)$))Nx$_ZvsLyQPZ~w&ifG)*6(e;!I%;I^OQi`2+M{>Youf-=p_%db?HsYFuqm(% z6&M6ibyj#*%fiiw1HQoo6i8w*KkIQb+`}m?^8k{(vY9$;eUq1yqshFY1&c6Z!YQMz z=b#uZT(G(eB!WzNDo@nZnsjpG)!JLycxWxXlbfl%)Yt^8EEAg*(QAt6QnC13posoF z@X$^q|E(HNrV$qg`t%`<;{4f-aZh!PkWH|9#*|}QcfD3M002NYB>Ssev6MC|{GQi4 zafILF1piAii|Y%n>}6|yRh)LiaD9bH&!vjzs@0{nc3m6y?3hD*^K zZBTirM$WY6>GXNJ*>?ezf@yxV?8d$volCSTDXi=y?KgrJz%24F#g2O!R?mctpJSt% zk@HEjcZF|{R+%bt 
zFJt=eW8~!-jowdq27)*saJC#vR3?{m_28DAaoAj)WuQeDy<9E*e_1Bp{u>kWF6sJ~IG>$vQLvn|n%94_e>KO!tD3U29o@m8laVANTQhhvCPB?hC zK;p5{;&cW}Zo0rM1qqYr8cV6>9li5w3+6f2sD#Z{ zg)@Lg5UB!7m6O;Fq!9(T-N)=%QKI4vX*96(0NUpv5Q?;i+Lu}Vfh?T-0ZTK;RC;=P z`tss+S1|V9f2d}`sL%4nXq(9qd^=JOcs`*aSq6rl?_wQbyQaj@7`J#jYP^CWPvxplN+RlxC~*o&rpXj z-j8*CFK<}SL|quZbawytt*WZ3vPyhTze$ZC%FStzMbblbPV?u_p1P~o`SCx$$_T_u zGL6|hkCnD5K1Q*Sk|Cxm><1_2|3g+0d%pUmxTIV!|QxHJD1TTCm*(WLCC2Z_hnD{~QK zWDyt{A(j}`C?b`;qYDwlDJjH4gQ^=s^6;ffT%a6nu^$ro#}uEhSJ?B4>HYe@DnLDV#AZu)+z-e>ABa zy7J`KH^zt}Vd4W@#7~XmDMi&hWZ)SoalXT3_Wp7Tjht7Ndiaacl+DslUfBJDKo75j zZiivc)+P&N5f=i8eLGV*_u&8Hz7c>d7edK<>l1f}Iv#Nel&89NR2}0WVHq%V+t+JZ zA~u8b^Fw~olFr){#iM?6YJ6DCENs-nrI>6EW;xDa88=5=Rhv)O1TtLkdyl`b6gn!J zEtnrd16!NyGxfAPow<30^>hxi^L2C|B4mbwx{^?YCzQFV4F?Jbcxb`LY3JY&evpcx zi2{rzx3*)%WD?sXmpX#ALI1Mh*vZQVJY~cVi|ERP&S{$2lG$xl#1t|469d!2zs_}` z8d{pbm#&T$QzQ!d>mF)ac6{h-qVf{uW1{!mVD|xu-|Z`SL;xP&^=$UC#FE5FD*yhK ziX~5FbfEQhB_RzNO_=x?J>cjfv2LMvDJFh`Fo>Oy&Umy0?r1!C@J%xQW?EiJwtXgq z4s~A~_JW4@7z-iF^6t`Hz*OEsG&~k)%+?gx2!(@3VZ3?(5oYa~|0^O2GL9OUy6k$#V9DGb;c&pC@>*^mo+55SwCFvbp#bI3|6KrR^Fd756rt$~sdQn-oQtEUoh4 z_?KDp?cCQ?Rt61hfPAeDq0g9SbO~~W#;)RBN%&h+a^Gl5pwuz zd+ed#dIm_p9MkEdO?c#&{F8UWM&X3$<{=}!s3s=9(;~3_1Z)lJP4^9cs zu3QusTfq%i%FX#_A}NUjdT}NQZ+#qPJgy?x>OWqnteIKq`bA!Te!@smr7E=29&reL z9QZMKFg2ylj)*u+&caR#DX^~_OQO29Y>gb?UpN7mdR z76=^~Oudb@l=xZ>y=o30Nl+Jgly>?>g(4rcZ~x+n@DsU9CY{{f1)h|ICxyjBWjd0R z$0jGX1wvfn{~)sY)+oY-d>9K6yK*4vk7UA>sL4iW`b{vP|S!ZFZkz>B# z#F8c3kdMJIlLEl#-(Re&6hdLl5z&-%WDutT#V-(^C9zyOII&gef(*kN=Fm-}j!J!8 z`YM(v+qHu@FZPup5CcaDonkJYkYPT|D`^OXC0!n2PldATMT*#D3WiEiVlg8WaG)>R z;^`>?pv=lr^}pj)h!+^$I3!;uyAhtEadwK|DP)a8pBJfBX4q<_Xz=nbGX1$b4rmH# zy2OnC1+Uw!d5JJ=8%k?Ow=xD?TZo~fyR?x z8#oPd%>F|0jj5y1f-f^@j*S>JZfH&?1An3&cw3`U`D4nF#4;n)c?yAw9+cAC0>LgX zA>qe~_=S&xMPA06x6g7T^8CQ)8FLsR0r(x9IG|x zO6SZgAn1pdUb3*zn7;SLf0GXKzNM$-T4!ps3FWNxysb0Bpi#wZ?yVBl!q`zE_+eU( zWBJUYZdU~647U*z7KcrexcXKTxUL^2U2~uT_xqpwAk48_a20){wn8~^&KGT*hkPGg 
z3^w!)iC7symB(mff~qjP<*021xT&<$w@h+wt8W;|ew?D$oAWQO0RB=d=*vD}f#&4_ ze6~WX&Df4diV%@Hyo!Yy(1TA}L5Vno2PGUSxoGs3ZN{FI#8E>+2m-~=q8;lMl! z2fpx!{M+MY+YqeVsc@oi`x_(!DhgkfJ!Dmfo!eIoz6-7dLOtvJB(Gbegyl#3y7L3< z*bZE`3iaQT?N<{XdV2vorHLSSV1e<0mYe*_{QfuMt0CptkvM!-JTS*%{wPG5_Z~{OCy?493aJusi=eNJkK|H&~l>Qe-<-f1^ znt79G@)+pZ^qYr+R4kpQUT$ab@b|MRhZPhl(h1TXkyd135?XVVR<|Pe|C<8z>{wYL ze0|w_e}lze;*^=B+!=) z52e`q@U^_^yUAg3%+f<_PnG*TH}UE3s2`3b^98fFAh_lP9_t@<@W#g^vAIczBH~1b zwGKGh$A?g)r*QwTxW7b$5h#6^ugv-}cZT^ROx+7UmzDBJ9PYhQO;t+(=kh7P{u6h0 z0c|^e*m!#T>B=1SYzmy7c-AvA>`(kr)IT6_#_43Y1+RfnIkI?utL z|CIU8DJLas9BfVJlIeVi!X~HYr&Koh$t`w8<1{A3y2d(;u`C)-cIbCE06?Aw)2ey} zCIcSs+brtOt5P~H-sxax)}^Tp6W}eqZ6b~zKW{0Qll&mz1A0|PSwWi4@m4kb(x1pi zS<$; z)o`0)K1mv3Hj>oNRv8K`Ev&e|D$vtt zhc!gw)v*oW9CHn_;;yRFu+lvIcDl@yhC=v5;bh28bfVD&d=~Au+=k_ogVcLbtDU?$ znq(M1p<`*IoU%E@)%T)DOKeNotVOd@`05CMXb8Fx{b<|HS%XK*eD8gXn;b& z??=X{L@a3bDPwZkRHW9pn!l$zIE;vg67RldD`6k<*)Yn~s;;~SU$+#>hvG4?IRB3( zdt#B{f+CPJWK;0nqI<;VGvR+b7jv-dfoE|wvahZyWhss`yO3!7kZ-lSjc{NF0kfM= z2CuMmp>pnypw$u|MGM)a8$pF__fEFffZUbmV{PW0(}7;e-LT?;kQJ@VTur*v74Rh<#^5 ze>1~Uob5`8?PBFF^N8*nPuoz{%!h@$87@l3VTu<0qgyss#L0!^rGnzEckGd4MuV5N zWI8dB$%yA>)~Rg5$;w&VeYO-smcWqBZCoG zMM6#(dwjVdFh^=GBu}+?wVdu(j=8c}3Hm=JzQnDfEDA=Tv7?ohtmbtwviI8mAjLD9 zc$v8eyb_th!MfmN;Y=5clP=X@Au}P z!CTZF(&GY&;f~NOWdl|XBJ>lraOzf0tlyQZ(rP1q1gT4~Or$)W&lCLh+Bbldt;Eb3 zLfM%4Dr+P#m87|5KpmwW9pi|O{n^6GxUO^FSf>;xmraCTqdI8A=nW8mbk=UyVF`zD zxv6N(59)ZZg!lwrAdMvNhSJ>OC_$WmEl!Q`tNRpsolOL3ih zWcA9_3fMPBWHySku__ef>|8+u8KW_0bEZ7;43d&031i6SY-aK7Ep;^eNl8H;H;s*! 
zVoSW&iRk*}zpTE?r@|IBIUl*{8vas;52AsAFAF7Z2^?&}r%HuP=13v$bx?vRz^3dV zw~VEdFWqE6VBVZHkGLaaN`t2(wpX=m64niSIc+D`ZkO!l21q;k%XY zqyMgu<&=`5mp3(8Dw@N8bCoX{?$SvYqYmGo1GnO37`_WUNShC2Baw5S-ADxgL%iRp zO@_vXi2r~5ivZQm1Ai;tpFc3m7qJA?KEgJv(%9}lk|WQ0DzMC#W2&$;rf}8ZGs{X8 z4|q7qwmvjMEt3zprrmu975{KK5`3$eI!dH!q47w1Wf>6vm5OQiy`tY96S{nw0X+ca z_$vHZ)$yZ@y08HQo;)?%+*1FPPymr)(O;6RHe+KyGx#tbTBr0lcy3PzxX8U`F$3}9dP|XnkVFRtF7o)Y41{5WUz;2%e4TNz1lfw zI2vpP8&XhHEvKdh7&i*RY3>wZaB7;{Re`@P|DjFh!HcCBzUP}+FL6MwjvtCHi9wy6 z7Yh^(J%~15q)G>s5Vd=lS`hL`KmPx z)D_q`?s)oY7{Wmn%L1O#UZDiGUBQ2;zh`=8T2U@AjYpE@awANThRP^t+F+8U4Hp_D zrARX4FEg`CW{}{g??=r*`bfmUNn%`Mq5=StfY!)l7LhnNA$nS7O`fHUtc+Q()a3Eb z^uVpq?H}QM3_Zy*|5U!8|9^D7b9kgp*F74eV{>AAqKPM-sAFSd+qNdQZQHhuiEWz` z%<1QS-tYUJbFOp#>At$VYFAbF-Mj9+Ypu0&up^>EIrrI1(SQ+`D1j8FfeVo3DEegL zBn5h02lblzabjk^l8d*CeWJm0Rh%HW*S+|hyOjY5!w&Kn!ygbO7>4&@uGNu@HH_u~ zfQI^%9B&6T>pJ(J1ac0`wvoz-ynM!DHJM$HaWUDIdt4c48elvfw05N1ED$t=YIef0 zjFU=p+#F@wgcVLv5$i^u}h#m?`Pi<8f$My9gkWW~q2W~`5VFfNn5RTV*1AnAXYywhH+e(K& zc1lFp==*|bELc__c)qWx>UOcVFaS1Z8oT~XzyG;g3kw;yZ242n-Vxbgqr@?VwMF#z zuIw%|)N1JaOW=2w04=nz;XU}a&dzuStV6iU(}4K!yYQ!{=6Z)SY~d{PCZ!?v$25wO zSMIB~4}Krs$$0%Wq^Lr(uv)JoYJsoBS%fh^yU2JW2q}vIZf+D&*w*DGToxrJ#lPCRzLLi!fl zx_KEnHC8u=;D~17qzK35bbGcp6hVK;J2jNu8=Wi+ASMOrSRjuhmPw%ck%h%c?0J5F zQBd-%FajU(TZ$YGV0~%aF)Wo09io%eB0$1)s*-h9L?0i0&EW`LgeqKP{ zfY8~op&v)_#S6VwtRmo$wBsZVw}mq5Xk2N0rI%tM6d4)I;=(dQarzgDGX<&?$bnPgofHU`H6cF`^e4s+O$rU}ZLJ zh4;EsOIydXX|-=8kdzBw`{Pt@8=nv_Cq28(>(N5mvt!6Yh#DyoiER)a9(Rc)5unI| zpl+zENyxQ!x4om6&FROBOlK3D%I`ZkRc2(PA++~w@@3nwC-K)X>H%;*PO zez3nzEd5I`2Rp1~ySy<;39eSbxqs4Q&BsgTm8H!}lbS=y&o&Ni3iqyXFBdy@4Heye zv^+c|JUmCwQDm1q<=S2WhQ=V0Z%IKg2q`CBw>KRHq=v`UB(L#%z2VE0vb6QLa>N%a zDmD#4$2lA8n2E2eze~fP6;Fg9UldLEf-!({iy9xxOw*Ck)eMzWOfVR%ZW#4sRM0t> zYRHROv1)HrFeC4CZ9_@Tblcy(>pWhDcdPAlG8$$_(XCP@Sv(<;$#eOcKmu&r6MJa$ZDnyiCJj4NKi zr>8$gZ7H6|l?BzZj=U;Pd#FMpEsnm`>uJuZdBl~W`}I_IZWv=h(~|h#1XzjCtg_yo zT9nw=hV>?a+I8`tjtZ3fbOBdwEIoD|uCo@7TvWNyIWfk 
ziH<#FPTSau9j0BkcwJ8h^)rCzbCwbuvH&p!iZO$hy>oF673o0?<>(|)>k}F&1_qSJ zDL$84@=hN1HgtRCCbx?nmvL-<+7WVB7#P(h5!sd*x?5o~cFwQeM9~!NI=`JW3T5S@ zW+oY0`Gz`wi-+JB_1KOoDbH`MDk^Dte?AmdFJXtp$jL_jN%=r7L7ILL`)k3Kj(bLY zBba2RsJ(C0clx-JU*V`^C=w^}qCMj_(mhh{P5IlH61@h5J#V?*(%Q2RYd3LS>4ojs zTvpRkYia3F+I#5RT1T$H)z(^~%s62H{7Gpts`Pck^SxLh}}!P;>Vo>#xSn3}8U^msKrwjJiS^ln2j z83tkg#&x~^vU_+Vt62xXby*f{`&gb#E#O!U4OO6>*7STFRa|R#aq}tlbm*YB6%C!V z_&OXB*k<<3e^*jn|7o%B^AOkq`*Ek%{rt4POr14EsUkovv$2p3Bx+;R5?p9aD=S*Z zaQvaW(a@o}qNF>geacj?QN5j>tsB;Pd)4-BX8YHQ*CU6RWkQ7S+gZo9`|+Q&i~^1* zokN!^(`)U&9gdKu)z9ltHcYu6hxDetFH1#5v5H!{)=4ZGjMQH>O5d9%x}@P>PmiCk ztK!$nGi}UnW-WpzR(o1^EJ~T3C2Ib@oPG0of3iHTMz|WUmzp^_S*!TY>sxI4UgPWF zqeEw13FR8&d3^McA(x=zcV?>PzgE8 zqmf|8f{Li9-)qvqL->lZuz@~d-hy%MlD|%CC#e%{rzBKTBUyegS#)(!{~a$z>&z0< z%MYCquKlSj{SRMDf`L(<{e~u2o>{ThB<2Y!{H9}0)||wO15@PjUG=BfKT(*{#-hR2LIId1<-3V)HYMIuqZI>1g zrJ|;ylI8Q&5KfRt7+`nGk0Nhu@)Iy(GSY?$Y><038+mdDHXRZ|QGm``6A|>@=^iMMm`x?wfl-D~@|ncsa2irQ{nW`3MzplU$rO^t*c(-tL1b+vf-RqJQ6~eUI18iV_x4gvfkJi3wLIE=Hlj}wx2+%YMnNG_^Mlr_oJQGuEO%`;iL+jnU`^?OXN2c-<$G@>WT zq?M+O7O{%``6Nr5j)5x58Qpg6)ux`x{0-XMT|GN9v(}=Dj_$Iu62FC^YyX*IpC_823SG6s-%O7;i%vF_0F_X9D4p&_{rxy9gM@Bba&>T}h`fGr^D%GJo78sYPffhvj7lr>@L8 zH;!9$xje}{-xi<~O55=^1^ME8EeaZoD3O%ms4bR-nQc$e%kjC~3`Y@o2a(cdf zhN3NdJoxf5f7du+*yU_lKd7antMibs{1bk74?wNmwzbcAyVd5nUR>Ju%B_~xVp{8K z;ZfXLc(M7+#QCj>%gT;j4-`(i#Qni6m{b$jP3q+S_y`1%t{LE`P%R!m)j9Zu<6<+m(8lH|OJl?Q8Xe>h;cN$Qi=1tqgTg%;(;H zxGE>l;`XYBEza%I`7mZCow^51=$3$^Qp7kgsR-*QtPD-{<0KUMIP>4YV@kE(MeF-t zqLA`V&C4oxXB|h93#wm-dh^7ulgXf%%^d3m_}^U} zS+nJSz2-ZPJP$7oKRO5^iq2D*8=WpR)qiGbJgBKIBO*psimC*+;M4wEZ*x_f+BKQT z9^QP5A->}4Jl@O>0|mD42yfOnzAolg9+$UE<)ekZ6m?sVMk99D%6bkTVc6Tc{-ON! 
zm`h@JnU|Y#?{}NiUkEGNOs7AeuHR#fUN;woU3}ks->G||`nO-Rw!N>r*g~F)cPdi^ z%OU8&wdVbn-6e4-r%6x3?8@s?A&N&|T}^tsC?fFa#^%{C^;Fw?S1YkAic_#sx*y_F zVu*O;uUr^vDw(0t>nPMz)^GNH$X)WU3~4a{8Iek|`PSA}Fg0SR(8GspJkQb+V!nLe zSX^}a9FGbsGV@%{F3INFP}bu8-qz~5+zm?EG*m@J#gjzJFa~jDwB+s2?n3Ss9d7Da zkAQe$x2O9*OM<;lqanaOQnHtz&PJ$>tSM2U%N9;)=;+W#$X`%5>U2ekL)567&8UyfxejxEotpyNe&V+UU3jp{AbfOCUR4<7?8r zE|ac5b^l&%|D7ZLB)$TvrxX_}m1Mi0h3z|IRm+=Ma}dT+KKqa42zb?=rzwSQb=iH* zKh2Xc^Rk#znYX{VEy?!%V^p`!cvhYiBUaEy-<9wdo!PkSRv0$`4IALaj1l;vA{J9~ z@e*b@f_xbu!qP(oPq8?y(-A{_qOP0jl)QYw<5t>G1mVS2(sI^@^S#+~raNBo`ejgE zOrvRCV{vgs;;Q+yPo1Is9GmwQz=7hE(>0h^!^q6QKri?GZGH^H({OiZaxuTZq8PfWtSs0k7lFSIx82#61q+T_Pai*I`90rHy2~Ai7k?3n>`T~rD5@T(EOE$g zHqpE$kcSp0_5!JqSaKrNfir=q2l5E-iW zE?s9d@5WtK4ZE~-p{nKSIl}zDhoeJ;!bnEsuk2p8Y}D&D7O>H|dOv(_dp7&`mywm# z-5ZG9+}j5k^ZhebqNi^9KWAC{-~|?%4A=;PHF*BCDAOpc7$~Xw`lxw0w)^PQjsd^X z5v#i27SxW5m!Gf780eD!yn+7WcXmo~4@Maep1Ob3y*27eCpdmnc2rQ>_~?82TwP@C zwrsUF@$uKy*VeaAM$LqlP!%)(eK>nq8NJ-%-NltLZLEF@IU+kX3mzyEUpBBf^MQkA z{dPAK+BpPa%ao+j_Boa!@GAHHS=)jC<@&Rx=Ho%i7tBlWC)e!e#zoT8l6yEeLdwC~ zvy*DFyJrpJ^Yd1ku4dq3e(v>IX%%C9~GHFkP5!4LQA7 z3f+fL4yPixWzEim{3e|+CQ@d~iI8hn(R@|S^0d+t_f+?Qqi)pPvMj}gL+etL3{4U- zW|B(fb8>YT;d(zyCbFkTO&Az}5F~vD#whk^VTxcQ;LsBKy~mY_9sh zSrc6%6&8v#H%Pjr)(UaTdrfW;l%YiY?K2!*litVgS>H?yz8$eKl%?ee1zdMux{#xIGfA9e|9VJVKtuT#EnybNO?6O(sN(ZRQo7j za#}5WpWh~9gLD3ud#Vk6XW~v9)HU1)roS45|L>l+E0ist<1Trc(tBY;%aJjqna+*8G22xYJmYH+}bu<22H$KdhZXb(z+iJ zH3Ne>sEm@x+d733s$7Pmvi6?gP!S{=*7?de7-VPv{R0bblFj%OG*l>mi3?N5WOqpOnpE~AzbXHsHevIe%UVHkY zbR`PBGs5jT&hY<@@x3S3sG6_ChzT{U1H}phYTbW7hJrPI&Z>+Cq~!AGLGcM{ND2>^ zldN3G#w?IaVvkwWX;kS+%r5eJyGm79c6GDLgzByh15kYvFu(Ytp#esEm6-c&gf&%@urY{}f+6fUtom3W_ z^%+r#2#5ns{Kz!&!mP0~HUW5Loxv%Ys-wV>f?uKNf4~cOpb=`c+|w`^)8T$7#U{Dg zZeM=?dzQ0((S{c@B!<*eH6|hny$O-z??a*yA?@8svufosX3*DPXffoN-b>qO*XU~n z;!YCyzO`(hblE%G7^uh9Rk?wZ)ta3ikK;oTDF=nxs;Xu8*k+JIy$ZNJE6BJZJ8l*% z#WyeXG>Rmc6*UzKhbyBixa<=vE3NBF7j~_rS{}J>S?_0kA(pSq;)8 za&}%p(lULA4u21Iy)G+s-zMxRAnq;~ww7E#ifGq8cT#-Gsi~=du3WnvZ+iVrbG+%U 
zcisOzsYijzIvyYQ2I&S()_l(2=X@Nn4I#_UbBG-lWTGloDIgVVXcX4m+tfURe&9h< zf!EuyvNUGjL+XTuuc_D+SntkWwX_p2(w3-DI1}Uc$V}!bP_0+jTfez#KWIrtOJ1Onw_->3XHgf#Y@O2FWCo%$PBtg-sv< z4|D!pBrtpJ;fR-DFXz87VM@+gby^(v)+1vi_xN6RwQTb$>1uUYKHI<-&#H5LDK^LM zOrcL{)v>Os>gZ_C@wz+6gM=MZLqVE!oSFiIZS8cku;3(f{2Gm5wsH9R%9irylzD1y zHLIA$EbVP!qL_B86>d5_joXNdFZ`7TL6pU zQ#4roF)$;Lr5%y!`D_Z>OMT3&sBi(!m+SXezqdZil4!2|%9`Rv2PYYxP5)kI_`cZo zyytulY{QKO!QJbYBCvN)3w71r3?c=Zvu)7^YtSy{@Wo4>Ie({bfoy3gENu03rDp2j zX?GnE?jN29@89g;m6lp~R;-JP%uN&CjBnL63WKUjAWzQAQ=b9*)&vUE=gr_9l@z># zIHgheD4NyT?w_EI*o}x^Xjw#Z)#!iCS>5=rgeqp?4a6?#4{p zQHak8viy)GG`~y*{sprUrohe2*2zxS(z=0ly}WYJdJG#Y+imMTn6Dq&2jxlmKL;JF zbUc-X3Y!8Z`%WK{+Ne#j#Y@No7w9X#Lh}b{&x#Fna&3~q8xQU1*wv{s;3AsgcLj_6 z2IFE@)=5ej3o5^_leaUsFz~W)aiNsgxzb9-&q_~E%}jfSO+bpO+DS)>K?KUoAjZu2 zrSNli$?K{;?={GA5vuxf703UeU>B@33Cit#!)U9j!J)6j~6A)}7YrlEbzLm04+ z>%Hrr99+B@uiDz3PKH4n<{8_q4T~GvEgOrQJ8e_v1HV$_N^}6-Dz>3Bpc^ z-ztiVkIHpO9#3BzS6t4%(g9|{(od9QNFzl3{;lKr9Ii^=Zjircx32bXDXHNPbHiQ5 zc$j@UmluatdOfLiotdQ>wz5gY*v!Yx%Ei}=s-)aOFil9#X2#0*-Wtm}eAkP7I}cZ0 zE=rcS^pw2xCE7-fLyMz@$?aXDmpMo?5jpd; zJ`yy`IgC6So-SBhS#&`d796)TJEF4wuhquTXmHFfy1u1TzZ{; zB3!v?&@^V;fu?rv-p(1z<;K29QBFo>{}%3r`eg#aC^}Zd*dLu0{;O16h-^`=Q~GdJ z^yJ?m*X_?$E>}yTOilGCO!o`y)DEL7)qeD(wp^RXB~ET>zBseY_h|@-1?*I;lqBBq z@y-A<*OZmyrGQMjjLqpwvXi%`rkSal?6$q0y525++_$SX|DdUn`xnQLfT_8;6&5y@ z+3$Hj@uQ=dnOiQ)*r}pv*@bM(s{Gq>HknqWGSBCJWk>SuNTSPX_QBd~zUaQLV4P!! 
zs4-`Kw?9kE_%N)}`R-6C`DS7agutD+^7^hUH(0b#irw8XoF;E9D%v?YS?lxA+D)7097}ac zhH(KXk_wMI$C4!){69O0Wa&Uz%}iR%bhhqI4&3O6sHm7|#OWBM7S5$?KA#mbxQKfM zwuAxIh@T)T@K05qm33ZjPQs|l@3$*LDYNCQ_>wD(OY@4MgeXG+{&TxRE$gp~ z`=L^V^A8V;H=}lvb*9(V$T6Edv&#*Q?ECch$;sGlI!vKr8!AXYORO#Qp%<+>H5D&5 zHdilVa|4ebjI1ET)V#!GYm^o-jlKC%0l^Zdb?>EqvKiPhl(28Gn?I?qYa?ZuAD@sB zQIJJN`~y9CzHqL;BB(7b2Y&gI<++w|**X7>rLnc1D9RG)F>1(W;^ z3s-=#?hi*j_h#GLZ39>C4a&g6QYBWjZ=KX=!Opv524o zko1&Ghc`$5AFm`;MgT_bs4|Q9(>G#IZlw}w;JZk$|l##^0EqqPz>uR zBv}O=O^uVamLHPkQrb@{e=1$1oy9Z|Gx@dbfk0>0Mi>!Y5%0|`|GY;%b#%hVMS$;j-2TdBTDxe09mcn;h{#kG zTJGPqo7qv<{R;~6j7&|J^T(}jou#)QL;4RsHugyybax_9GM)4^IbuDcHH9ljm`;1-lHxX8ymByLeH#PH;aU# z=yLgXS5%xA#dMNLLJM&Jn^nKn+adodrf~3N;aUc3LgNNo+&Bmli4)-3&^2mlUQGU` zf_Z!AVcb?yy3$qO?qg-^2|t+-Ml~5=^Y}C^7ju1W#kHZZs;$;U6#cWy$&$^mt0I#rqp7m9{`k*f+1&2qVH!qgM@1KB&Inrz%fkA4M>m&yX+=@q;+5{L z+LEgB+lGZqG`&KqKc<$$*1Gv5)uSAx7w9QRRE{1mr5>iDs&-*bgT%zR-RbUb z;q|f@HsGn%rAbkC9=CL)sjxp#QIXYDgw$kg6Z3r6)^ML-7?195<@+O!qeRG|t>oGz zp85ky$GVK}<9EqK%GHC5(7bXSF6RKVZ(K~Mc~ zT`T4a>+-X!%1av}t#}(0#8*0tGoCZTBCPw0_si4XEInaH8$x`YEM0YG#+o>~iej=S zb6-?l+QtPK&bYsuvH~AyW67N#)2BV389fC|s2>uL?+7akV+p@St3gVpUbk(>+0)E= zJSh0a?>5KVzJ|G@cvL;>l4!=kYGc&I5H(>hFGcB601Y1YkC~WEn)i+@D0%2m7XwmU zg^EW1*~_HZljZ4Da4ZBP5A~Hh1@UCv;BW>;8dN=UwEgblcSnq|an+RUKvfmVMn50| z#h_xGnWDfv(~FE{T~^I4w-7BRfQhN9^uSyT1AnIC*37EZw)c##+{UI(gCg1spJFGW zLS7cA(3f>csnBQ^_Ile_M%lx#`UX=hCvfZZ!!fCtB3Cxw2pow9GLbkPGWrY8Az^EK zJB^?|sa7zCJ2f%#pX2VkwM!-9x1uA1IZBGWc>G3O0qSvc3-tPc^fP(S8yWVyUix&7 zvm^+7q;Oz%EM+JdL@b9J@TFNF7%UK^;5MNUcr--KlzZyTUskRM69b>gnOkZf3q_nn zX$@0VQ7Z4|MS`_RsymALq@NigF-F!84r_>8bk5>}@FKz;D?VT=dnON5AFzkLCf?v@ zDHLflwz6iR0iz6NP1rA-C`T5X-w{mc6#c0hKbP0N>bl+WGSTyKj@&W@z{d1i!V8C` z&HYlFBS^gDEE(|b3>=OJV4om#!l(>u>NDo{7b?Dp6sIPIWT7F$J*k0tkhpLMvy)up z5v>HtGDsb;(9+HMOAt8>B?tHbM$kRrTVL>%iBXW$2L`}=8&5~^RduqmP}hDLvBHb# z{m)GfGmng)o?{aS4XUim1=+ChyG|%3L7gxSg6gB4*oQ17!C|EnREgN0iRyfq zz}`jm;j)IHdmEjWz2~2K-nrxoT4p0oovwnPpdsQo1GMUDTlqLS^)GPs##lKH8jp^O 
z&&mPy83;5A)+EFBY=qCAHQs+C2catuvIbBksrD!$*$mOg6Q`<6lj0A*6ARqpwJf6^ zg0JnkM9;wH(}6$(Rv{emjy(5~Kqor5zkUq`KBh(n-R}YCqTyCRLDD0>u1V6CiTNFguC57>NOAALZ;vS_T5vn>+lDNerOSVa= z)5T|~()O9I;^1gV)xV{fjb*apPqW>i!x|dg{`Nhw>qEYowS5(_}NoT_|?B*}>sb6pgKyQ(=4U zPbVUX96gAi2j=upU?7$ln6X>c&lj#i{r={{YaWk8_Al7cD;Bd|CeUi&+@;y4+Qb8- z9=}wK8E+l9QTdBR&Fo@mAs{N5&QFn%iiWRYspQ< zjLR~XR*I329+lUt$+m%L*v*RrUh2l~J9>mL0<_i!sj-Np$|T5jl*1q`P;H`;fL5z!ZY36GCkzY|}4B-{%1Y)ZYem-0)RO|CRZL0g{! zDTr#yK6KkrvKbztsQ`uGBW4z~gt86~5fQvWCKid`bpkH_=tUSW+Yi75!Kn*kCG%Mx zNx+?<*Ccyx9y0x$eF!cp>hsOGZCt?UEf(zZ+Uufa54W!vlyuvV_D{t1{bBfx5& zIP2xHPM@lfH@#YKF7dCd;N z^tT_~>l%9VooKVVw_kgJtI;#?5`=1#_RKA=S$5beKlYHZwh5)qWJ^ZV#Qpd?^0BB7 z_yZoOi_dD(L0~;nLjUT zJ+fYUMYz!6gGcYT%?LifO$LbS`Suef1;?QLyMHW?rW2fk(gntN01z`Ls_pE*x| zsK=V`yAW-&fLo=m5;SGm5a*S5p%7hOA>7p`H8)XErcw@HQoI;L^@@~hj zN^rJu$2Sh^a}-Hc7(XZ(Q+aUX;qE0u03<>oHNtRmnrBi$WsyL*iCa=iS07nZMDBzT zOyy3Y1LPI1P%HVcv!gN$p}b$PQy=4~M;c{iOI@m7NUuIgW~B-_}rsipHNqNUCGP9rGC_r}C! zz1oXEiNAQiAKtC84)lfydWUDmuj^y6i_NOMa{~;&hJMp#MRZX4LbW z2%9gHKVT0Pqj6rp;QMqMpTDaY@7ZbRpUjG`7pj^5MJlRZMo4U`QG+OI7yE=O2ErDnwI}dgWb?^}*;q~6Dl+ev>XHZLO3m5|h zJ5%x^`K?hvCk&OdZ@hpCfD_yU%q|DY&j}Zz*ISi@3=xAC4ZjNvMW${<>0)rLs=69h zr0>GeKz$`O0ARA441j*k#Uu&~ur8C2MUm=56+UiQV*s5rW--xws-gauOcHqP>udQ5 zLZc#J)DfcG48T?q-Euei-YOsVyqQ6w;d<%WnDVH>9VGf)9T8%$Y;I*~kaKX=l~3a_ z>w9qd<)_joAt#jYN-L2HZlwf!$5*l-^WPB4;i*0#f2sRLuQ`!Li<)!^DhidxGHfLR zt~@EMzPTJ<0(v>+Djm!SaB-!aIp`=7)=Y(8@M=+R%?L2YJTc^Ko&E^_FW&`b|MPz2 zdirCI0OPBQycFS#guKh%!w=4!=4`yM_6?tt3GOwl%w$D9z~Eam5)blv+?;@ zDNX;^?mC#s3s+ap!b8i|;C4GFUo*O@@_yJb3gwOq0Al&Vk>9iSu*f?b|2;}=(9T(4 zHlwqwGO7d&iL-qyZ6KsO-ToKxPe5X3qI(9`|1pa4Z8%YPx3zVAti0SS*Jt?+(v1~; zW?i(8DqgpN{neQGrD16JHaE|@Lpzo3@o?lvj7-+Q7wSK!`Ju6uwBI*h+ioCPZA-_> zkKcA&0=&~tO)fK-L^Z>tI3*g)DgM12{*%-eAi2xxc;0p8C1q~6f{Eg!x6T4_rT=$< zD0tAB9XWxfk;D*pAE4rI|MStys~>Sz>JZZE+#LU&`@6ZIo%k*PcajoebX&n73PB%H z`Qye!Dm|KngHk{JcS<1^Y0-yAAqoWY$eM;C0PSNUw0cJWDz-eRq?TVdn*xdSI72b# zO11{snhdEm_*dFvdLxZqFpIdZNMY58q5+LpY*Ywbs;^oHp1znYu?6z2dc16&*8p6a 
zT)|)h8oox#88{{VjdePeW(cd%Em_)5zq>4?6!N8<% zRrr#T-~$Y6((o;;(ww5)GYlL-^xy@Ozpq3h(t<)*ze*pprTdLB1QC@_*M_ain1U7q z$Dcc0n}AJDke_LqYy|&x1rHILL4?j~p5h#7GCtMnuyIy?x?D4vN{UF!+_a>28{9qJ-TnPh}#MZHO&_5JnZ`GLKjP--SQ7u^CO8Xd+@1 zGstuJg~*tYKJ4&_h^H378>LYap?zo(;Fmi7RoeQ1F5ywO9EKjzw!}gY+W?@(sD%-{&f0Nb zuF#;jxoAN0qpFcgAvdef2wS9!TILom;Px7k z=t>DtT|g1~Dw(BM#^f?hO$;bp>B@mSaAz0`x^;%Aja~+*t>bBVK@6;`CbmL$a7;9C zU=o0U2Y0wC&(C)ifD43Z15m`nHDI!8+7P@bZqreU(~ zMw&zqVJfqA9Eipm>SF{83p;{%#c+DI7|`u<<4CIuFjH!yn3FO>!2#F~!L5?P*RuXl z&6BPr&}^Xy2=)np?JNlRjpumVEM^-;5Z#! zCtc;h5tZtM?P`hrjYdvn$|&(vKxJ!%!Ac^PigQfqARQP6NG%fHkXLfmY7#c_k7V6s zF3q&YhNf+xh&*R^H?fZi`o@9)UO%Qhm8cWaQIWoCC3Fa!+=DqZFHHlrE*U4t2u6Zm z7^HF!*KVLy0B=zKMPPAeQ=vM_5UWu92AyA`7e6>`V7pel&;PjqN5 zUbRxio4jMsNF@ES@Qc);VYO;J_Wx&bX+!+z)4!qQK@+m*FlKpBtOzgxPuz~s*vREW z;z$6^PTAeCp_WuXeT71_HOhA`J^fAZI9CVZ{R51!8haLR;nP z2@q)&1<1EY0q6?*P2~Lti(*(p#yl_(p2c>r6#K%7CZe!dIo9O;D@nav0j?hk5r6ovX4PCIx2X!jMa*#RvXOwwROFi;nkWnDX_e`oEq+cwNl{i_AkxN!Zxqo0t z&>y6Zt4)7}{@+o?#fv9**)wR4%^=K!36);Qxr_arxc+IG%HjW?x%qGbqlI~v2#c+Z z#tCH`!W^QhVpT`KCe>sb0!C3v#uOw*(gzZwWYYe-K)dut2hg&N8-!*5j~xajBiO9L z&Y(mFV|)?^%Nbyvq{@#Ct{SRuo1+=>l$MokF5jnWk6 zn-Py*;K;V1Wzc3IG*C9a56j}qz#}{)c9u>_sQLUTBZ3m=9{qy`79PPUD-~re7eiP* z&zPnIqF#RaA8vmu%Fccjn6n9|-*iqGc4^VEAqz$^8~aPo-voBU{9mMqRw$a05bz`h zuqFNl3#uf{G{9$#e&)n`m0eyH_j!G&5<|4Y9VE_iC}_%mGTt{=b?*H@FF!&@TRewyTBz z$C&(KM}ZzT$|yr{`le{#)#*hZ&f}vFKbd#> zRo8%2su|rxIA0u@_Q46nZ~!C+?`B>MYKKovLJV?408%;0Zj$&}q)Q5;aFN6HGh&gI ziuj;4(IXj3W67Zabg8SO!kUic&?Jmd4wySTakkj|%etpbQ9>FA_o@@Ak) zh3pMjy(AZ_mz)iz<}igI1u1+AX^{G9Ap<6&ZN9vq1ZQjh@4>D}h(>ImAfs|}6>9z% zFEnmx?vzC6MHzZ|C2oEE-e;BgPCF3_b7(e-WOn!;TacOP5YPj!{Q;=KQ{~Bq*nW0G zq_I_cslhA^=D|QkaA>SaKSE8!HT{Akpol@;bswir6L8YTXK@~N*ZUmNeA0xpv*_+9 zs}E7dN21(?cnX5VG|PW5UjxqX5D4-*cbh7g;AznFWs_Fh3}6mRcoGch!C>lJq8MPW zPg;noG1{hnxG&q%_6+J$C;59zsM0R8BC{;CYH$UKW> zV~Blq-VdQ8Q3eas$7YE$1g9tA;sC?ex1Vh>$Rf|WE5 zXlB7`n?SW!ad)SrqEVqybH72=H$o6%MSuvTC#1^Bk})2H#A=I$;o#_@v&9l=KlHwL 
zB_L;<3t`CX5d$Cz8fJ}1lXxhDpdqM&5l!@?A*RSS!~7fj#mmfa$0=_+f#{WFzXU_J zsLBvLvQAuz8*foI8r{f!^f1Fihe))z3Uj$}hY>C3*9!s5Z z?=vc;9STN6=&4To!`|`Fc>67 zV@}F|$~obP>6dBOJ&UNYQt7@htFAto?#G=O0@q@RJ*p;A!YUH9&Wa!pt?rQ6QUh<5 z+ZkAHJ&!kux;w3jm`n)r^L}vGO+$W!hXMa~(=Zi;XHW+DZ;(e9eKB(l2}lQ1(8~g+ ztd$4tA)vhibvK$9a+1jm_dm8{6eGZ20jJ6)ziz-)tbdraXmP~$8Z1G9HU&`cCUtP2 z9^@fPu7xuAGRs5?1$>UbOoxmpyo=rvQ4BQ(SBf|gJ!(OZMFt!VDT7rI9Et^;E|p(~ zJdhB+QBjrK{pVqjo(!_+zP(0K zjWy7pv@x!n7M`GRjl&sHQijSr*<{xa--EA|uSyVj2nXH(0j1~PO9e=LXK|v6plBnE zUp9w5R+?2oEwTj27E37$;f0MP$xVn;jGNhItQ$yl zZi)Cgi5UNAGT5*c(khE392WjI8G5S_|2?xYe48k@~h#$-f~q74Vsb$<2Uk`*G&<}xsYj>m)lHh6#*hOT>HZ{VO9 zfQg!;IwtYmtXATrY(K`&Zf8@}K=Ni|QxE4ap=Mf~4bog5*Pyeu6%Vo1L~bDvy1 z|5jZaTkM7#X{?!4i8VD9uYpxtX&w6dk33~+izM0gE!TW7i-`+vKbS?Vb@;Pwaf(Mj zT6kgtPSSn)G&Q>9&Ahd0=z=-qgtq1WYIN$03%gFBuM_X-z!iJ;{xW1=Jo;Hgzr*ruXK66-0{2kz9E1-& zE4_w1g#dfbu4r5GTixL|hMEdE{U#9_S1Ke>G)9x=$ZpsyJkYoTcF`ZO>txWt`QKF7 z%vY!Jpo9WFmOZC7=*$L_BdK$LxEBc33Zw3_0s`CmP4ouZ$zMEH=6|bDJ8AC3c3jfy z3l1hr=Lqf1!!SDB^(X5xjJh}u+VmWy3t7T@Ez_~#M4h%2FYIGengbmBCm_BFbl@*g zWR;+x5X52@ehm}bBUZ%YkSOT`12n^$DJtR0G+_a=Swq0p1zWuvo}m_zd8Cs@G!L6` zH4MM@{g`RZ@&o1b7ODXUK;aMu1kCutwmF&r!qKQvuhR8X7on8#_BM-QP>Cf|b~$9_ z__;Y}A=Gfb>czf+Pxw#}9V&ns0MdR?Xq?nCDDCGCxF#b*C;zfJ?=>%cKgS`Q`h}bE z8*dL0+|d*HCT^fQx`%_oF9T6)WEE!4Yuoyb zqc*T3B}&G>7{p-o2*8Htrq2&BAL(-r+W^|-fW@N|VBv!AMvBH8-w3vtO6BTjI@ZG! 
z%wm59_LY|34T;JAF(HjQPT>2-bD6?jF^#~THg8bKhcjR`-kz6{YzzJSM?xyprvob+ ziQ*Xm7qI99Zf(`LxJz$kMIe8kWK&i=DiyGZ-i?DG>;x`2b&!JzW`HnK0PheK^?j|6oOmOtCtoViAE3XEbSaIosK5%n`AL zVkXqE{v9ibEUj>LXfxKUh=ITr(wes23d#tg>q|PynW8#l4=x1|rd?X@`1ynDzxg!2 zPOHl~qrC=p#{}cIWEc`M16GWJ_zfrb*fD&dF-=K497`aFseyX1xplU}Rf=;Gz=qf0wRuLi)Qu6co2Z0B~QDu_swRZi7npb>AqK8bE}d8@I@eZ zM}L!6FJO_WMLvzW2RopURfs-~ogoxt9ORmV)hnld&(c!X{$t zIk@IWk~mogX_R=Jk$w!4gGT`6(8={*YvSd!^#2!E=M-I6w>IE7jg7{(ZQE?HZZK*CV)5a>9XoCA8)bZF zmxs*1iU@MXu6nT2u9+0DQ*|5^u+wU53O!&m903u^Z&P{fqvUI7blt`RmzRF?hhaia zAOa2?%%kIRwik12U}0N2rj_zl!!{t-d2-W+ZRXh*T7+k*=g& zUg0hbmQz|UezAuwv?EENb++|f<4mWFH&Bw7Q%9THXJo~hW%<$C{0|1}1+{+rE1FWb zT5I6c+!+8_Lo6wNFIHCh9ll6e(hi@-8CdTQGzH`>SDo20c^;3EQIpcTOTjeiZ1oG2 z8Iec7m2|}s*qM-TviA=*oh6VB!$5m!b2;R?gRzQlDV=*}ARbKRnx>IcpLWHow5`{z z+-P~FrGWPe;Hwo>7y(PRI5Nf93tyqlfMj6i$AGB&+lnr9^=5^_%Q3os8DnefwfmQo zniR9YYimPGOTU+nmL?*FX(y$s%gG$$8&Klm?&pKiittG=-uy}be2Fawk3}x3!~bT{ zxrakfJG7)!RqQHD{}o7TbrY@A(65d|{6Qtm8{<7<*_t#}=h4&3fW?2EXD|ML3Q9G9r`5;kWm zMq!DBQDMBYv;<#|+)o8#EXKvE6EGh@U8g_WRV5<)pqxw1|a0Zi>JG(?C zaTuY5sRpcwktA7YKRzy$7#t2Iy$Cw;MtOuN`g|FRocJrQsL|sxrf1IO)zo&1%v6@9 zMsP*5MUb!ndel}%P?*Qv(a74-Ob}05BN^M3TT`&Pwz+#shl~Qs2O0>>&UY>~pp`I; zmH?z8K#5cC6eJ5Z;Z!4EkC;T{M0OGfG(<%>w>K%ufe(IbH>pm5R2Q+4XWws_C(ru{#{1&Ss@k7o_VUex zZX_$RN_A|B#;ANfdHc+~qUz~Y_Aqwb1}BnrRSxo0_9Qg%sc>z15RwBA8 zF&?>_Q{c@qXrj9WCBva5V5GsV0E7Ppau!Cq7rFdL5gt+-u6sFB@gYYx`-n0ViTyNj zRsPask1TjEurK!4O~jC5=Syju7!vOR&MuKlo*4*clUiJV|qan+D6wQw)A-zj3` zi$6kItxEu+_~Mh0l*gim$HNW`wA5G*4Fp{BGh5OI>z^ukmoTeZ}~NON}{MgfKTW(`0wE4;`G%utel>LB-u$k2?%yiW>1p<8WC zdgmX}1lBk)X{4_=<9&*ca3-_wL+jHOV0}UDa z$F{Ci1-yHSoe?U#_8hc> zRY;8L0rlFUF|c5dg=|>tgOlS&zkf$h0vK*Rm^T&J;Ig$_wD)Lip>;zHh)(AJowTt#3Sy~AQv1V0devG z@p(WKAyS_jJp$_ugZ;-wGUZr>(qUF+qBCTMy%E5WklfD;$(#V6->s1YKpNp7n#jrh zO3M;}o!I7LI*1TpdGPcy@FHg9#CvLpGMdyNT=E#r{2~ymMy;^7Xyq765HUIU{h=Ep zDkv)8HN`b^`?#s!c+!c#|4Em{=Y8h(QmzkRfK)@@9VI0LC^QApLoy~98Ea~!2e{%8 zeBo&hksSfhC>;}DTMh#uwZp^7^zaQMDIUdP`F&!{99#KMo+!4J?7y$)ki+&Bo)M>i 
zDNme`Kf$w&7yx`rTJZK&uieeaim`-K1bcRMmoF@M0GI6G#CW+Y<{$i&5Nop6-9@_R zh;sd5>vEvFLUesv8&l?Z`tLQkn}b=`aA$3S@o{%9_&W^A^flG6Uz!Aai($uN!z^J5yhq=T(A^ z0NX~ZsxZC@mTFz8;V4@!$`#XwR=g*GoOv4D}L&Sz1fL&GBy9v;wUQ6e%AtxBq+@`OX*i5y}R z5$zYs5%b8@(%@iB2)Dv33Yw~4{H{t0_k$@9e#AaCk43gZb_D$R>9JB>eGx7NKmGUa zHNMOUWP-zQ^Vz+jDO(=&=$h%@2AwRd7s?d_OGm%=_TmF`hm7hMMbzixdMvG6i8fbg zxKNsh8$=M2-iy~7@+YE=3PToT?bC02v7XULtr;m-m+t zwD71YTpgVp|GeEsPhSD6=qk%=oZ7a4rG>@i{l`oPgpyjY7T?HNv^cil*|rC8`uiZ% zrOATY3plAd61%X>drk#Uz|#|b9H~an?#k==(`t7U$Ay$qJ%5&fxF+CqFMFg4ww|}7 zNr5$eOUN!zf_$u89DG~}Dz|X_KPSXS##K)5y)A%QyrklsS8E8QaHnPi8h4l3|dITNqbhKGttTMaQyzM;y4n-sWNx?|b zZmU?^+0iy%yaWVn;8P*k(QGyXNJOoH>0#EZ1#rO9m%jNZpH(lKn zHaQ0-C~247+wR?^em-9F*3VvqEuR2xYI6(kw|Dso`YSj3ECG-y#~A_KzFz$(#b(vp zj;mF1iP^Bj;eBRqX{+Ff=84bl;rk$ce%Z7-!`W5}!Y}IzIUJm{nq55H?5tJE($+E3 z0`GDr#;M#+2Tw~=J_6N`3md|1yM)K)9h+6)V~oO7)r*|ooyYId+P}6gCaE~tJ&6b9 z3H(~MJGeyI;H|rwdQiTKM;fZiQ!~uSvsGGY-iH@a>hd-j%bAF^hMg|?_C`)#!19U` zwbbLsW!JPxK5lN_C1DO877l@CZ3F#Z$-lLEKvJ#Z{Qmvn;$kB`ECNX`1m-im+F@94 zZ%TVjv1UZX=+@?D4(?>dXvOLma_?v2(@R@mCB3XvVXIVHW+wj1Nm{|UrM`R;R8M_* z<7tHeKd;;V{bPRwrM}h{lf3dx{Pc9D3)R$#ESPxGi&EvQ7ne%*}6R(4Itlh+ZbJ1^vL&o2bMfalW`9Y)Gx}6uo)LN6*{HAZgI%ZKg9r zfP45Hbgsho?ef>xHkLQEt(g($=A32z%+1bZern@Crx)B4!+V3NWUaPX*j?9qT)4Y7 zX}!5m$-E-eE|=GOt9e3n5{uXdFPBuv9YQmYFp+OVs&@+m^gNkTuq(P zyK3j-NJ~CWB#TQ~g@uKg)x*cl$U>n`DyB4ZPFlp6q)+;M%ygIXtgNgWvs&MqOoVQ~ z=*%9g0I8eBq_gdnUFUm7BCks-1Y?%p@hXuyU!K0TKd)l)G93K2CeV{6?|)L^{XtnW zRa+%??^WA9XkmA+TaoS6IlFPvn9^CDVCiB)i935$uo*-^OxPP6CEB}dXlNKFWI-2M zQ;jVzX(kDwB(#3SV&M*diI!DB8!`MEvc6vYTC90nRCrFui6Ck#c@CwLh7I(ayteLRG6bwcwYn=()(j<>g$pT5bF)$#H05gppi z$*+jrg^uWUDxTk5MODFmII|-l$it-s3B0{upUU~H_qte^^i)->T!cEqM`0_|Xw^I> zr>3oPFOA*BCx)L^pnnPRh^j8`5sRydR$!*8GH9)xQa>tVc&0c^aNtl?*ZHPt0+Kx% zA{~+h`06OuR5Rp@Pdbi|oevy{v6OFJ6W7blgud}rhM*2-ClPmY$wwX6af9DMbubRaH~73Q=-SKqnKY zA50WBkb~?QHJnRcCl)2Czg7inOv0wWsUkNsMM_}QYj@T6j94d>lvt3>*DX^$8T8`) zhGo{fsQ2`lgNR3Zos0Ny+tJ}K!tZjy&wU;a9~1f}07XxCz~J@D+e$`cEZ%N^%SKH` 
zVvBBW?O4AJONdhOoNE+?B<3}&Fh9Nu1NgY3MYi9~8=+{-V!93T5s=u{B@4>Ljpx^h zcc4Uc--kj1$ga$l=C15rjhg;72N%KSVDl!Yvb-F$uCXLVv8p5`dom&`&KuP50c{?!IrLlF`DEiadQdwGV>Zf+cM5wG~}Fc2La zLU9J-THj@Pn!IdW9Ia{Rgt>ITeLHyQknHM~i!KJWg9uJ_a0v30eTq(PxgoHKKd&drR1q!=5c+^hlWxj6Ouo3(ucq<=<4ij85C(1N%>Lr9~yrUN15 z0#c4WcqC%ObyZKAbr^AGa^t8Dj#vj3^P1P=3EQ&a#uPN^1O@_5BGFk%gVWk?8&D1C za7@B7CT+G0^2YNidiu?zMQS0mII)$zvRY*^2p=_@dkTWG72o;rF6bsTG?A#1 zgBz>_TVPNeX$VGO8P!E-uFOT4#!VO2=+{b45dunSVIe_oMG+FrZ<_jZn5eW}5=5kX z^mG$d-)!XNgSLU$Svl$);C0~xms1)XZ6mZ!I<9uk-rbAlq|bK}hF0Zcl&c@|i|Xn< z6LRBb-8=kE-Z%NNGc7GER7&bvX*ix(S-OO|;lt`mSS~t2N$ZC;)|K~Io#F2j)m1PD zven&XluM=_=7w8E_M#et##B&7LhGr?XO=bBbzuYz|tTXx=k=`xL z`|YS6M;ZZ1o|dpk^3;}anp$Q`a${R-YfY)qSJ#%1f02YK)bex1XT&@;T>%!}ii*nz zQxw#bg@c7x?SCfm6L(Kj7^l;$ZRu$3Y2DVCU$u0I>T*BK452`K z^=&d=95#Enc-P}NCIaht^cOIBmFpU4H`VhV0-BCVr_U%g-cv5NID;tFg=%i-C@JX4 zP6FLRTT{QKVhG?wR*;Jinn|v-v|z{8&SKToM-F1T1C8C?Gl_ocXzM9#fGkB}t2tdRkJeeg&H-+qW0p2yczk?*ec1zq zmMAFL?&PbSkOSqK(+liT3V{^)GjNp`qM4HSJYyHOF57gsdz->7mHFjUkc`z6FUV^I zB*tt+-oJjo{(YbA{d}(d>#`b9C>dMOVr&&sJ6I zL6Wng-fu5HrYxN_>mT*6FHLGLmj-*e3pcIj(cRqO>)hDLxVZAnUGqWhoto6q__{o;0@zq2FY1-jK4{cD#H#J#OUcTRk{2Y+~HHNgi3SY?2}Y zCt&O}@m2a~6CN5QcB*r5(kA}<$x!xBTXsEe%##b#uw z=i(F)>RH=rG1SD8{DzqlHS}1Jm{A&c<6ic*+Vi$59)z*%+I&Sw$kHCtgpJS!vIP}Q zLc6IWG$oL3;bjo5QeZLcnXXl%PkD2?L|Y=lUeUoF9OxR^Ix3EAdad({;N@W0J&iuQ z`@BT}aY~moGy}X*qk?^lhb1MSHZl@@I|1~O1m6t8xI|&0(C@Mq&zi!?mT-}?Y7vnO zA4J>%^3AIN(?2Q9KY+^4)3;YS#63UEIg3P$DWWVJ;gKCwZ+R`$l+{|gAbS|y_S`!3 zltfnxRW%Po-p(uZ?WQ~VbUXMq&MW9O4fG-_>LnV6Mr8Rd-6R%L=;DgoH%jRvj1+XD z;U^u96`PqPdHpmZhLehc0E=dv-tzYEQ;LChk4x&M2ELEW5(1C(%u=$CpPvCB5CU~v zh>%~@(F(-V9j}6F6R+*u8**pJ=<}~U$k5n4m z=;cL<8*}l(!7RjQUjs-OJu}pSszvE)ibzkFVW1i%kC5nUFYa#cW-qtSs0io#)u5AN zsy6@Ii08o3^NEnh#NAs{@}&M&h2JLu^*1vkT42Q#V=Z&-i>o9N5gwCMXDpF-ReQUq ziM1|e9HU4{(SZsAZp2uxBm@2Pqd{*4)o}>r-}?!?`2gsP>ifV+00`jNRocFPvTT!2 zv%0V)z{y(2!mSR_e81i-HT-jziBx@+h=e%cQM3;$*v2|SV0mgu!6wADv9jT`*9We+ zx*CL5s%TqP?Q@mgsMv|zcF6@=OEu`qSkl5D$^NU1T$MFeMoxCih5*3s^0ry?dg2`} 
zuKsha^32Si0i0fsx9rwr3L@kwOX|XZI?zYLa1W75r=GtwOffPu!v^&?FE?9qV1I#H zS#ju*Hg9&JlH_odZoH7qRrGs03ix~0`*%6XJEI$0ae%)7Fx7}i|H2;fGJx|ltuXi( z`8>;1$Md!D+Cn`&t}LBMVCS}TV|Vu>$h(`ImNq+8tIdEd3uXb=&<`6#N|+vU0H7ol z$wh@~A6RGPnoW{^>VC_v)%v!~7d4SRtVxtsIbyThc_U)x8#W45C9|3Ddn;F;)mY-} z-_nVbhWfZuP-_(1n!H3?2)xl(*Xil$A&QhRQ&RIls50wEUu2Z81lL@?M26L*s+JG% zN4}OU-|VPuFX?PIzf?lukn>d+EG>t9a@XWu8a-6aED6twPARdvZ7#)oX*7u2)UvHC zqq*2}7Qy6DjjOF?_`TKEVzFAIt}Mj3mi76FdPEYBlN^~5=-wEE^2H%C=NyOsJAW-E z+Z^HWAiKOCneG)mmgkS@-nVVyKSdoSEkjlj_bUj8mHo}f-?JZq4x`}!6Z0f3cv0U- zJ2gF*o%B0t40sL>57fY6q53xX>v(yU9NULK8{^0*O)~kl^dba_zERt+iImM& zAQai%!Toth$GKDK<3YP~)WzLM=t)F=4~R&s#Kb_US>IjVJVuJftXmh}vfs0VU@>b{ z5!o?uo?&YAnw{G-&&|SjW9WB&rXE;R#l)zonHmy!L0P<$xS-bS$B7={($bo$mAc#W z<8Wixd2efj{#;NKsaRI0qbI?(q9wPb}vwFM}bX z&vtzT4pLRk#2R)uy^c(8rq%2iz)9FtR^IB*S&CoXT>1X`y}n-#ZD^)xAuXSP*$DXU z&h*s%GOz4GC??tl-08fN1!tc=1QcbNm5+zi2K&MF%V;AzfBc9#N9S|jAvqjDKQy>WJ$h%OQxkS| zNpsnG#rcA6)Y8|to>@UMHa2#)%8KRR3h%Xz4>M28~Fz7S;Sd zw@O#vrOk1$zq`6_Uooc58lLXB*WJv0y09f^>z|#S*ZrLf5$5?PHH(vaZb%D7uK=R; zDa|oDx_SCirrTIq;S=E@!XCvmr)YC@bu?tjQF%XK6Xxh%TGrUaZ0w318AWtq9lidf zfMTtq6$p{fFHzx1KKS&9hYrk289pZddzAKT*5LDW8%1hlr&h|meu7ph%?>eqS0KbPE}GrN^GWpHE0;qXe`&*!y%j~gMAL2-hQ8uIFg=a)k^ z_8$jtV;)jyeEe>sfhFape4So_qWlmp>t|Z<;CYWNm^;I0FBu~%t->#D#f6KB0~y1m zuKV|6mv86i&Z8(pLFk|UkgOx`vlQ`TM@#Fk!z-a{*ELVt96}DqCR*<5yZMlit6{=I zoOADXx<&{QMVYIs}C2wpKt}8@p(zpspNY&y!1O9GLrxAGacg&UU}0 z{`TP$XLky*t*?PVCH0UIDV_#L9Uc73U3|QJZ@2qFAePZPx8+2yTDX=59+}A!yx)t$ zw}78SGhJ<*@l~i-xjKaSL_4jet(}ef$oE!?a4Zp(|*iB|&1 zo|22M2z)d@LgI-r4WIa>zwxLDK zBBZ+&!PLmoD{3pj(?2}(xPHowVt&p|&dt%+b}g*WJMQ&;rWtslErCFVy)VPHc=&h* zKVIcsA6-wUfnfar8Xh%G$-rI=f8)~eGrms^S(3cdPzpKY{sj)K8IovyHFZqE%0W1U zeg_gJ884yl!D3nA&u3RuY;0%K!*MgpE?0t%miB_tvO9B5k%`L;tf;7@x)9&VGqre- zV7e*NQ@^6XXBZzdfR705qz~uH>`R1Sa5AQF?{}c~{jh?DL?z0QQwlPHl5K)`fl-;8 zb8gRKf)-1(J#L6JcG?RPAY?p566=~COHWN*bqP9@>`$ho(O6*x?Cg;QBS?sKS$(Zw zl20_=i(8CL%sb44m(o5#$Dg}xcVOw_;pT5ozv91}s_`PV#dXLJK+YQ{)j@}(YJ#u5 
z7n2Cg(kUbPEuw?@76z2N%P0(cns`+(;6xN%@K8!F4wq0$$|}#N;a#5dbb~6*v!YzMPNG)} zFw`gMETZ4KfAy3_lroiHUQ)n|g8;{fHGa%cq(h|yh-!a_88BX-vRN;pS`N=gUCI%{ zry1DbDy>wR*Op@y{i)EFZqy)zr zYGWWqwy9`2ml(kr*}>1v7;BFWqNfXxw-auds7WjK36b2+)$d7c_c1`S#=<{Bg*EZQ zi%|AGZTx;au73?JIVoBB_Q5KhV`yNYR69kyyZEE5RFJBS!k^J>vQGW*ICvmCS6k5A z`Nt1I=m2Sb2`>-j%~hiHMa%*Gtvkxwj3cMe_?>O|ol`-0bXY z*WJ?mdP_c9z~aFO>08Jhy)WApbG!)S_(!A&p^$^5zpenLuAh-$1N#e|%%Q&#lai7_ zuUGZ2(}tXbjuOd}5{y*KG; zVIqhz4r*|G_hrvNml8?Lz_SiQm)NQCMN<)Y89mKlFpJ>s0FErPG3@7a-qs{SLl7(o zBUPhtF<-M7W1*7@9$S4!d~(KTGA|NZw&Z2gR7`z?V)Va7N8Y@fAdHcRY=I1)MI*;yI z$73Is<3+}H9#B#)2SzfHR_jcMxSvcu2y6*ldGd8tL}z zsg>x!{%E=wyg+leD6btL%(_MqHE{M&%V!-}cn;>Ha>W3gz!?bps^cJuTN(-uSFay7 z`RPrRpMK29X3LVV!^7%YT&}x;k|xMA3BIXC;54Q;N53J@1D7573E_C|W{-GkelCtA z;rNp?>KkYd!>xA=@a02`=k_Zj1xoKh45Q z@u*oEC4b;(tIb*`4!6qH7Es1$is+%47ZkFbOse@`4M6LNH3O2G(i~6rCk;qb4 zk{BgX=vQTRfn-`BRx1PQM`nUs0;94EfRpSGT*$=AF|_gY2faV-%p@$|z5L>Bn@U&q zxo0dmSi0#DsZ}LSj)B~#T>Lp+e85Q&5IllyJie73t$#*O&y=>P!04>LfJxxR!~cFS z_xlO1M*(v>VlsSEwTkoLJZN}Ct?*wXX+3UD8DF60AW~h2bM(y; z$`uo6bDF(R%=&a&ol;1l5okEJsztKeLNNI&bekcDnP}F)V)wSyz;EFVd@1!Z6X`a* z4P}VJ(cx!gkIreMejLmT(S%^1)rT(JB0&^X>)xiSP_Omm2(x?}5~A7hWSO#7zT%tv z3~#58A=3qi-Oxm6r&G5UnJn8-By3^Z*boP=d(2oIbV3^DRb9fG!A}~e?Yt7dIO&vD9T%GI&QNP0yA|w*9jWPLWA%Ur*|)mzd-s$==kA)V1FAuO$?R zz$vrTGT;&)-os^R=f|u1H5g}cWrH=*7o%9-$h1f*PtAg{e04n?S^?^{T`;;mls12j z{jBlDK*?c#RKao*Ddi%DhN7ms2`t*Db8`~ce5~wz^eevc#zwCZn!>UH)wd#$Z11ZzJ&Sm%Z zXR9t!dL7Eb?<>-<&7XM+sOz~sQ?$-n>Nn94IuLf?ObIjsQUQA4T0^W-P#Y37-cvM^ zItZ|9raO)R)03!N$zz^Ig0aigQ&)|#n|ZbQSONV=#J+sI1a?kT2Xy!BMi zse+Y$ON;a^w1i|c$hr{fL%ST*-)%g+#E1conMG!g4Mec#m+4@9;oi`M{25Jt$~w;> z9<8Zs$|jQ59}p@}9VylmcmL*W$(1iT?#qE0Pr0MV;LwPGR)wT~87kXkVbDnxY!-w2 z3=0%hTogE-N8K(2n}{sjjy)A6(K)rDUR$9IP-GoyS3mBAK&qnC%vWhy9YE&n=A@1R zPEum}c+|;1dN8s*Odp1AUk=4(j~_N7KL7br>#i~XJ#J;SPss7#eGhH0=%OuoIBUMQ zfRxr_3O5BE*g$hoO~^qe&)|(P37XH41iM(EOpdF-+zkGyx~}gPXjGaAi82#FJq^IX zk)fIRwO8mKJFbg^;zJ0*VNcp=C%<}+{lkuKi67TLwJE?Y*s_8YyX7`PfuFpEIYq!j 
z3FnTfquUsbb|T7KMn7@mrH#3t^Qp8b+Nn%bHrvA>h((H@V)a9-#?&a2)>D7A-I8PM?iO|}0ah6DgC(!{BDA9X z%5ECshck9`%m6Xw3{BePKwSV$hBeL4#=Tzw(7IrosT@!fP5Jaj_`6ouu&tZiJ@PYl5r0a%L&zTm2BDYdt-vQ}urT8pp&udqLNhF!}}v5Od$W9Z67m(?4$2WEJi z0|7Fm4G4mCYz_j+ZP2z_l%-P6DV@coQb;l*bU;;;1sZb7+WVH3$xR;VQg0~%^6~boJ4{6pj3$536}FrE{*rBLuARl2c~pX3 zKUm`ikxz7aW#^np*_LtC_VSF10|KptTYb#7dgGth|NJ+75=A&G0~e9Vm4KgLJ?_ZGQ0Jwib~iYv2S%MKM>@ z?ccG(8$V7vc6im&4?`8}(KQ=EExx_Lcc4P*=N*hKf4B5Mpo<4;zP!o%g^rOUkU8y2 zl6_qi@5VM4@7x#` zin8wbWBpGhng!R;cFZZADSrErU66tmoanp6;Xz}UInVTg|31GR*+(*2!WK4U02IRx zzlouOWhQ28bc}Cn5>z^nACp1Q9eMi{ING+oDn#cHg-jo4VH}0Y@4%EiLjxqiU*Y+u zOlRnDN;jwTv~DA|mQua2K5>g}%%~0B)gODMcIqK1G9{Z_{I(gC8Zo?MOsA1FoHgw6 zH&3Ij(a-R|!54AF7nUJH(8gpJniqiat#rKg2F`;xzWd{5N`ocrCk$k%~u|eRxXO^Cd}06a8y1ak+} z=;K=315rPoQGaaB3ehzCf$d{`n3$GI^3Jd@YA$jj`MC#+s9Qnq2rbdtJkKJwp54Vw z9L8-RTUW7PyD6x$b+lGJo3yEMyZg;b6_+AZNv>|HTRkiOA$X{y zOe<_tE_av7w3Yfxgu1_w+vT6g%1-DgIAOq8CfqG|A939=+FZLZ*Wmv?69W-M?oGCI zx)jf))Jf)W3VAM}Snh|U2Cua(DWX*cS_SPf_)oh2TpPUBdcfMeOBOYq-7FCY|M%_@ z( ziwXx-Pl0SX%_m;YFgjZdKZY|;7-A#=*L`knFf~gg_}an#RF^M%=0p=Ack&2vk;aS4 zS$f(gOyv`G)~s!2JauV~jSC@d=9OGHZwwl=9XMP z6BRYneNmOAOIr&55Q1xFs39G<{~G%KDmP}?N6O0O0$GtfNn514C(MymZlg<=@=Y`5 zXBt@hX{Cr&rU)Ca_&deF04fxCmlW-$Z>C#t+JnG=7r%GzzblJET_yM(Ks6*=j~P^6 z&XgI%xS1mL^2cFbMJ-94j2wgLRgSv?2_d-ip@c4@#LZF)?wBMfbRa2JsJ;LJ0*Tn% zSd!m_B*hyam6z5orFSkf1H z3Ut&Q$pXj3`8p49gZLwl;s6{1(c(H}m7#%;E)r)o78X_^En<6>g^1$iVMOsc1j;E##-L{epfao zt^jW~pBgq{3@6dTy~bp)H&*xshC+6z>z`N@4eNi9LV6h6kJo|+>{7*y+N)+++h0MA zzT5z@?xbpZYRb82%oFj;6|8OlQ%-h$IFaDWgtgIE$HBoi|8;U-QE~wzVVGK;8QRlQ zZ>5`6v!AWD-4kVXR>3F8%gNnq`7_H3@65&8*Ur`4jjPhK!dyXlwnY7FI4)~^W1F53 z3bPaW+=0S(XJ21iTZVK6@vM#n1tx}RKuLleRY^%HH#bJf_;H?CI>*}4!^GO!%XB6= z>abM?m$0xfH+QWipCG&XDn=%Ls@aJqbfEQO(~=%n?z9{kbNJi&#=^1up9}iT*Xg0l zrKPERG7aw9b6k3pDXY_rL^-NoI4A07zei3^mVPU+rG&C8nzN~3lv#6S=j7xV7#M_} zXzS?`5p}dTbXentRve8=NvEZL%a;)7)B~EEyZtaWGqGl>q(OZHVFV{BLZvL!tX$o^ z)YMZtMn*O=HqIg6fXeRX##Ye!e12SDpQs%* zoqj7mLdwwSNo@a80>>jzH7m|yRCu;lyz3e}`5AOBE-or 
zsSlMJrN#zn>C_5?xY;9)#$rBwsGyA(_=$6OWauw0@CyqIQLklE&5yX4^{xyjPs@i+ zh8KzH(|;e+uTo)u!&&8)mXanl4>r=|X#S-C<=l}m|A;?$SgwIgM!m!Ks{}MLQHnSt z;CJUlmDEaNzWh6;c{x8H|JBFK!_*XL?CN9kcD{Up>VGHj$rYV%8vH?*EYw{x#cV&L zpe&BaAmU9SV>E-BTV`2oH{vSYR}>T9_GjOgnVn(o zr>&r)QCwGBN&Tg4(3PWBl~O!hKfmuIv?%QG-OLpu_l=VzUdgcAsb7VQbb&BiTNBZM zoikml`EsQEAq|VZuA|B2a04qmHB3rsh5ZbK6^(gB`n7L@;5R&?l6ZzFk=*%wd0}a@ zy}7-xsM{zY%q`eD7G~4=OlW0ocX6@VXzz{#)eyuDlizGnGGcLpjc8CHO8v3Bw&m}@ zQG2v+#9r^|d_;ApY?Sa{rNVzUQJa%FzKzB_+sOHrayLj|05^mKGk$*QTV7gE5I+yeBs!=(OQ22$N`i+}gJ+RM${j94Z?4a3%1UG6lZ)C5!vaz+f z+LygOJqR@xYSvoFLMCBjWW|S%5MCx`8p**+ezNlSwFwL6POqP#ygCwYZIwl_5eEb( zoGd~kMj%1C&9!Y=r9PN-a(&JEf|Wl1A2v2C84nVEmy29mzpfQ>EAgO2P9WjGaz*!j?`4t69L0);(%%P^}RhJhR0oRH$GZnJI#LH4#}H4I=KU$RwyCWsn<@K{YH`kBSUo z4nnNz?B?^2A1(`4z+kOtgMyN3bAEq+@o{ljETN5+9hxMXaA;)Qv+gyl&>^b>wQBl5 zA2*=KH4h*pyDPsk{UPn`*m5%G`e|xpAZGrqq^0I={M91Yr-R8T=i_Lwq~`kdxLJIZ z2!8y2ula(IP!S2K`KHT{iXyD%V*umE_ay3rei_lwv;-@fz#`1KX{ z4$srvU1riDb&fAzk^5aZyA0#rNQ>F<4w)Knept>n$^v>wz2p;_PG;4k8?nH#dx)S)BE{p z@AFuhX@hY1;0#Ob&4J=MI{Nf@RT(2`MlZ}N$lsk$$nWLy!xnYJa<>N(KLQGB4HPY$ zOuDFuk|-Vjes*IdMOEUd?(Ryfvg*tDn#L48HJWN)YTDoc6@2K$j#~SBs};98HS9X;dP#*j4bHF^9}I+R=fK-vI_F@ zg`}lwm6rbE-^?tWH?rgC>gp2csJjD6g<)7L2;Fo)Kqv78Nc)1RU`v(b^;WKes?>#v z?e@O|EV?uD1=jD@-Y&t&FNqPFc%=y{0K>y^PxtTA($UtI*lJD9^>u8_qv`HWPexr^ z8^`K=BRwV@lKze1Ps1uZ%Z*-pdwoTpA8wAb*ZQ5E0Jilig7WR&T4n;wpnMTK{VPz5 z!O`j3*o&!!*7K*J;DwEi;QP~URx!Ptuf82u()#kYK0qtX@Gfam=C`3WtCPyE95ZKeic~zt$6Wy zAA_$%1X;O;=ckuv>&st}!UFqABqBf&RG*MhkWeuqdSPy1eQ~~_y#v$U(%Q-@J2yiY zU|?%wGj5}+WnVjX*b3#^)VjPpGyqPTspS+}=jU#pyjoIP3Oc-TQdc%Q+(H7?gpvf> z+-HlUa8|gJCh74(!llm6O>^o{3|`lpfI<1j#zl-mP_3#z&&SAq6|^Gf_GH+yIe8MA z02~C#d&+f986Gcd`x|vEoV>2henu`PUdp@qzDB5VTr0t|xq^ZMYz;l>8{T^=?$Q@S z(*fh-XJ_rjLDF%YORMl%vCpiG#-3KR=`xq=jir^12s7@cE>KW!VUGhnf{Fe)OtBLn5CVD{Nzu-cezbk^g}DJdPGHYePqjEGC*&6V+9A;U$8-c=o$*PlkfX z?{tjRM;FtNNP;^>Pq$ft)#whw<47@xyD5H5bXg;a-IEtJ`ZkmdK9xpZ;D}Ab=SdUU z5gXTax0Q+qTtZ+g6ut+qP|6cYi0& ziF@yh8}a_^A1l_%ojF(L$~kAwF~(84iq0Zf00#PGBn99P84XTI{9=(G6=Z{S^f8c8 
zOP)&+Cd6Ga)K3M>P4-|1VS*P6K}70gHM89CRG0__2|n4x91fx*O9 ztpBOzh1##G8x(1RfH82p%V)MZb^VAH`LIWO4h(n!k3TTw!uN~>j50{XYnGG_cD#%V z^KifwLgn_y;0gQmDlzDEb!5(EdmXL1q4+AHp@o5tTBZc^a8gK$figThiM#)`mYc|& z(~H5NB#{JrwMQ54gVVoc`tjUCie&Z)`%rjN?Y#$0e);R;O6x;ib}wUKEERu3aDb3P z)O8_Do0~}pAJeZSSkfZ6wKUGqk4=mRDc^S{7kfBjAWRe&k|i+u0MyK+fyA>k{#q5T zwkF~Km_=j#vPnT%DD`?UhL)g_iF%>6(h?VcEYuN-*X(2V!AM9a1oKH^N02rH#KCBL znbDOMS_B!(D7h7$n+?xc1v4e{@}0MldG+a{%`+)ri<__kP}jvO0MA#r(h>X zLm7eNnx6#mlm7;0n;@b>pTBoA5}TdgO+0$!Z(=|l(a|sXZxS<`7|VrNa0gT5UpZRQ zVel%0(OmH6rDXP|TupVX7;+%4MOU3lvebI-w}UeIh{7_&M?lGdAJ_hyoP#v~9dZB1 zcT9N+$pSd7=7YCph$W$nqJY281VgZv($0Ar3ZzGA%+*A_kffuU3KA3M4b&!RXVXA}2W zKIv1-6ay|!^H3Ni9u8Oc=Qj$xq0Y>G@by$4sI_|17)uHdEwWXFeYuK~=tlsdCWQE$ zOTLiigBi_YCg4YVIFx395POvB<;1VvmyNzJkN*jA-*JG)0Ucsu+0zhr<;j!O6d`0v z_R#)-lD2s|#4FTh-P&n|Ng@LsvEp~W7X8SO)5r$0R+((jOjHFy&T2OEckYU{TLb}LuZ%(w1>SOj^iB0;$*}7H8?fHjQ2=pK(C38_ z%rULdf!ePRpfkjdoQ8hlSdE89Z+bgZ0k*V)>4Y(*$IDssNdI4{v&EhowC%jcl)pt0 zgPtgV=SZ>)!eao>s7)4a$VAi4DM+CCtfNg-y95YwP=U3Gc9@;e%kmzOx&2$MDvSVR zJY&9Z0z^TmK>LiFa)Um3a?(^;Q&ADDp{LES5khJV-@d_Dc4ZA{sQq400hy@wfE_EC zUtt9UU$zwrzPdgnDGQkP=SOACfw%65ECiNLH#@16SfJC50ljWDepS~GANfE0SWb?u z#9K=GD8z=aLi&hkb&K~*d934{Jead?%gd?5X~KD@;Rl~wkxCE2{O`cO3T3vQxT+HQ)m3|R|A$YOFQ#$iP%^d&=~+##dw4ltpP@WIA|Fu+AnJwlpd0#ddEl(E6Q@z>4&aD^`pBb?t-}9B2N@JPA9J2V7Q}`%65WN_-|%%A=O!;#cmpsiV70;3^^%4Riukq#Dnq ztYO*>G9wshYca*py#A;j@86w|z=B>@WtoIuuoQo;)q<5oXYaz{Fb_;^iQ)=HgkKjP zvHe)u_3z|;V>2@L)Y|+07MC~(EF|=IEjo@{79rkft-OM;5QT$g*$rI zhG45Ecs=tLszfL46j6naI_kN_rYD_fi@VnxAaWX<@jx2#ccrxkYyttU%tVcw6H^ zvYRs#Sm}YBgp`%1(~jm-^{f<#fL-SrIg}T}1&E_RBXZgsu3*Om3;jaG9f)KgL2)S$ zr~eD~;G!u?C7t6`HF2zO!!~XxtF^XOSu13->1JYqa=q6vNfn@dbH!sMF?QteLSU_r zcN1PN!YT}MQqU} z-|2=t41z}_`%eTWsC|F1A%C*FkgAFovfz_D@96+?eURt{!~A!t|nvWEI%w z55RKMUOsJ`3-+;!|DDnE$t9S}vC1|uGGF#H@b)Dd|)RF|pEkNJI#6-s9MWkx^_@eHxOl8q--tZdX$gX?}~aA@!c z4}Of#k|?(?_+2r2Ck3bT&7f(IGN-N;tfmnoKLaPWQ;kK2TzO^xWSa20mUlZlTrRJaT%1iE-swAnQM#9)=SGLOn5=q(E9ZNL@ZSp)ocRtAW 
z#=6t!OThk9ARRXZS%K(nMkA+2L|dmRg2(WFGBK6243L>OA~e%-=Z}GGFNeFG?KwW- z!Je!D?@{VL=)xHOnhO$*-_+>Yp3$!k2T)(SKzq}hhwAvPu!6dO{VGuHEp%^SB9LNG z*aQbF^^b<3EDXY3aiCAi=L+F0ZSaYh7xt=Njk%PNIAW(4-n@EqQ`3KM{X{&YH+{Ws z3%NeW?_=qT435CAtSqJ#fuSs1_Sbnh!Dcj(Y*v1aTbt`N{XV@!eOI;(JuI4RA<1HyHiC}e)5skYQf(i~m!T>$l&$!3T{ERjLWEN_ zQt%o3n24MR84k;?jv_e)0vw+_nR(VLgC=XQKj9!|;(7y}C z)TT&25Ou_jdQSLo!*DOu>O`}u%DT6YWoIVfLV@aM8L+5SvEM-xYX2%gdurVk-=^qi zA5If(#(kVr2~2Y?9Au*B3My?=Yz3`A7LLBmRbfxImd6Ow#PC5d#!qvI>%}rRv-kuW zt-qPxafo{7Qi}*fONr0JmB8(#+255t*hjLR=JKTh%-Ff+A|tx1vA}SW|7P!nehL~Z z_>WUCzwlBB5A_-% zwe-fA(EX-V921(Cs&F?Zcf|nmFP+uSVH!n+uo!8Vo^E0REf4huNlt!X=l7w1ZwqAj zI}TsDm;UgTX+-lciRqC3fDlgldmRmf(^_w(fAxHdng9l)lY+1kK?gN2Vuv|9u|)zi z9OYT5Fw*%>L#@QH-WHY>?fO#R)yQWz!fGj;R?GUJ)EIA}w0+a_GId zRClQ%LWE*>d}L0TG9}5lHM;cP7L0J77#=CkduXTOODJ0mzm6HP)0+X+!>e%8h){(= zSWHSx42_ZfNdz0~GQb~_y`0F{dnef?R4$Rao0Ka=#ThQ<{LvZ8z=&|bRXWkFJcnO2 zw{(G+-?|gXQR5(8p0Y9T%F83blS?iB&z5e}=3+Pz{zkGw9S=8%p-+WuYamHj8LWur z!1heD-dxZvBm-KwKa*iKte#=-On?KTKawDBJM$LUEM_RhtC(CM*?NKf_!tYIIhv2t ztQ$P;L00Q`JT_>;2@Vp1OU(wPnahar-GQTNE{QQwLnxM5q>F(&z#MmfBX}NDR-a%D zb9Zp`tEY8$fp+J5)v=8y=yY@+KJx}_qA(dr3;PktkxSwMR!rY7Eu`2o9ckw|BrQZ=B3@}jROpEs zjqXG_056#+T$qu_GeOS`HkqG=#rtld}09RdEZ@S5N3BV^ST?J9L4pE1sGj1y8~`G@6|K) z_HOEPhwm}FR>M~ehxlng`(&|y6O~n1+o)?$e7@n@4zF=*YHG5aM^v0wL|NniP)Dch zKM?gI6yI@OSU%>g>mky|C z0T*vH+XO`7>-X`-sY;Kdih4Fmws9ea0?#wyRm#b@>yC*pCVrFf!0_0A+#by>>`Zrk zXVorh-Cq?5VMF~xDgYVE0#%?gl}HBdBtU|c+FVidJ^y4GCg3JOaq@Z&NvTnK2ztiR zHxnG?40lKS&1y!6G)8U+w;dgrZfs8ePG@rAL0 z_`uw~Ijw9==Tih>j=<+tXo&zH2V+-9)7I81HVjk`DK?Ef)su&sN}pYzK6$?MRgWIn zgX6a{E!B9REP!V0Q3@->M8)%ouqt8%&9I;t<;2W9kq#q3yF)Nnjz4Fjcl+c%! 
zXdHCD#*VpBbsTleymwY6GEaDEVrJ*1&!VA{l&be{{~tT>CPuZ(^i>|HeIziJf;`+Q zFR^#PRBC#;(6AGUK=bt_)kP4!)olnjyWOj&?`@Xlrz(SPdvB=4dPauP1Ox@+j6OjS z{#1q$RFFHGYBnSL=>}y0wAMzt9cb&8Zy?89X7<~Smaq1Eb}T}L=}qALk2HzSl@u8H z1`n$w7Y`Hf+&yr?U*KE5S_0{{l^?9-pT*0+?abXr5(bpsRZCTyz z{dyPG5no*vq2Ehrus6t9f3?`l z%2o$k)55}T-2{bg-KVSM|1h`*MPhPAXr4*@9xqPoQ#4If} z4IjpmDr`IMdl$blic!qXOOqfCbH9gxmz=-m9v2srir-F#b27Pn-R<;^EAz@Kt0=Ub zCLP9#J-J7yHIZC~u+U!W+kM?hdKkSv8#$(Oy6sMG^zV{UqE$|4!t*~~b3R|!)--gt zb(od%67~lm;oE_$uSO3s%tT6iWUNxUs_>cb>(IO1^KMm%l^`&Ur?#uMwX692buwx( zIC%BZhyt%7kXmWfMyJie*qc;gdj;-Xvtw2PN~xRd0s=8|aXiPzVyOXm5_Ve^^0t(G zblk9pZb>N~SQ(K_RQxCGe7Wk7wIHubR^Ab)dtR2w z%+X8~?jMrM#pH9D^i0p@OlX0iKJGYQ`v$ei$iAfKXW1)1Lca=1bBgP7m+Wx6F&MdU zb5S32Ve!x0$~=OjaR9vUVDgJ&%jbF?e!2Ka<@s{U+E~RVQfBc9FP`pxBeaHqpNErm zYhmd}SO_PZ@6p03$M*ZqT2w{|${bq7F~7%i-^kuZu}@+3`n@=DQx+X+c!@YvKh{@e zGjU;?*TaZHb4HIH4xr_>_nnZHbzymF2?bF&-j?SAg2RDmLkU;OF|3}{lHq%3n|p=8 zXa87$)B7u*2F8>=%eD$J%lkVjMm8r+SKIS4(6!{q#52S4>zwej#7^e2_2;L#^2zB{ zF^8Na6|WJzsUWKz6YSrQfrWuVspYvcD{B!cMau*-oD#XL@xywc|4+jiacwpUYd9O?L8es6lJiFMlOo)Y0vah$ph|f=sIrYjSOF2iw$muGbHV;zsp={5ypm;6Z3{8vE zwRKr67&RHzM3Xf8S%!5+bXtHa0S|3&W1S`OAFHrgcW)3&*DJ5GQ-(-xn5a(8)&00NvGDfM-wl+TYHD=(Jb)JPIuN`*I*3v^cYR(HPp zQ$We(a2p%PZ!(>J-*6Y4_c@^?~@O{t1j#@72J&3MLdXawqrV+Co(R)D+`=#rCc$pE1WDOJBotVU-i4O9VNSNSD% zW+{Z>;d*U;eW9VQ&gXh$#hy}S`>)l`M-K=tm!=02q)gIMwDGh>S~2IW?o56>&bG>k ziqlU2o0JP7%`@6klTOujKm8?U*kSs-wU+#Q3Z-~RESf+-V_BXw&Q>MYc=m|6j<0$T z3ak8}F2sa23mBQ}1(;h~TU%N9oL9QCv$K18x>i?Ke(w@~K}#fmKX!k0vvTZbDxJ6) zbnM3=ydSbdhDFqhR8U2JDd#6Ug>_kVeKAeAM1RKks{~xc;+4Ro0V33z7}Cc zCdZM&Ug34A3&->G`l!`-RgGTz8K17 zd7rE5zR$6Ed#+VIAx~7>0J#!79`00QuFX5WZadVr7iSyce>=TSI~cA=Y%SHsj8cV% zh(JF*FS4=AO-}f}%u2whor?^uj*GCs^0(KfYGr4u%Utq#dA0bK7PK<8wsG=uCoi=o z0c%B9U#pT&&c-ez>2DU`dXJrxngy6@Y&D*!-Z)Q_RP)b#C_ zvE}Zig|)}4P^_oNN4BNGQd8Sy$W_XVgO;_ox6e={G2ysg|F3&2hM|lMwDZy4pMmad z^>s~*?Jd{{zdST?sA6~j5mZ40SAG|F1S~;28v#riIeRn5qr*#uEUMbYZ^?W3o8y?+#AuO{WR? 
zy~O9E2tRLz14Tr>cL+Z|NyU)*VHyl&O9C%1Y$#28VXiJOwd4wcOKCAiF6a7WD@lz& zQyt*`Gz?HzY#il59-tw!W~->9!G^=_WWhbKx5 z%_=>ZaFe<84-^ZmV`ZK3eH@bimq*%K$I9+R8mEYv4BYwSS0@`qJlBRxC<56U6p6ZyuZfy-W_j$3Vn~LG3ShzrVoYXsmV03Z>=beI}T-cdF%ST z79nqctmb?if4`i*W`y_;?&gX??~Hk4^pG)Eo2QrIr~u=a6kV@3V12q(-<~5~iG%-8 zaufZ`(-Z&m0$P-_n-msvPajtDskQdzX1fQW!0pPGwswBlEgi$(x*nbFAeX+iuG^t!m{;b|+KB1!_qYcK~;%(>puw3TLQ*)Q|;aKCf_jl;` zslaE7o6O|(=hpYa#s(SOfj+U{1NYpm%U|QuayEWe4zJ6h3W3ktoh102Z0^q3-R{r! z?@U!@-!IDVQ=aWl!Zzd1kGY7n#li2l?(g@UuLmrN!3B4C4=;Xe)&*Afr9KQ&3)uWI zi9b|2SQX~wWy;Lhii;{osv%HfHqmm;981l=S|+0!Ejh&KAGc4oIw>)ud;A=1JV2ai z_eXaC4ok%_1gT}xTYDm&PnYk&!mEeF5`uR7SK;5vwCYv1R#zK~_1`mj!*X~r!Folu zJsOxHI;=QA>Z(ptxobm80vk)qA=`ugh;%9-pPwWc7D!rRs46EXP&yS6$qF2bIocj? zrqE5}CsZIpEf|V00k7N6_19*1XHCo9HgG)O%L1?STJ+yBU$X)mo9lto&GFIo_n@c2 zvfVBMtmMFrKn_9o%jsb4(CqzcEjus-1xfUL4>1Z+#`*N(%)`Um#`yH^@w{NaKrH40 z8H${e;p(IUp~O~Giy{e8)Drl4{ovX5vhlTDfAnWk#tMv6(-fopH7m#O;pJ=F?3YKf z02fjyueiKYThV;oJKy%DZ~&=%urH9 zG9340VP_v|gx}7&uDy_5?G^VqpY^^7p}rr(-;cf@udc(Cl;20&9~ojX1h5bXeN(SGe0BmB1T6RbvDkPVQC{SRB#r&&O4v-=J*}_?@KnlI1FXXo$HNSCX$HPtn^Z%;_UY+=9%tIZ>W^5czr3Nc`Ug9RA@QMjP5VU)63 z-!Gj-udQa&y>^Nj+U#_jm_PM2!X^vxD!F_8=Rkq1Bg3pw^`%_ejx0HV+y>&iKwBID^L*j^)u^-ilic_dG(^h zieRgB9(Yc{fhS!E^+M72Lw`vA^ig$Pz6LUcINTkSecy@sex&%me!9tgtZ%yJkIg0Eo*hRaM+lUpc2O?=I=*Ql!)Ts;P8DN*Nu*juB^1RA)BwEs0v$jYUGgW z&{0*zidwX`se%q9kqr-!-=5P@MXNvzcYZ|7z*dF}YUf#-+*mugIoTNjI#pi0Y+RJP zsw9B%@t^L4nORvmnW;4h*6zmc1|9@^ho@n+gNMdhLAfpQ6xDSh_hpQMyWmdvo@^$r zse(i|3yN}H_Zi!2sX4Z0rQgHfFNBTFjrqarqi}qdq27_l%kitXgOjE?-n+UV3BE7Y zUxNY_74W*POw8=V)0WF6u+F3Vfx7lV6V^5qm~wy*j<*`8yXv(*@lFzA7_i7Y?zeRm2@dJ z4yPv)#<18QWbgn*8zUnlp4XimJUj`~6sjt!{kLu{#kG}1T=eFT&d%JF{fnZQdP}Ui z7f(}7c4UBvAksJ(A2cckm#ekPLiS=YiV{;SUC;Z^yk4Oe1pD76&er4=IQ91t2?_Hx zsM#551X-D5Wk&}K4|8|S2xg@qfuMq+WEBj^H7|+5z`gG~s{3}mRSOB}`)T_NSmF7E z*@feeB>&QVuM;$j{{<0HdP~fSDud7M{(co$^F8|9{oV&ZEh)rReSUv`-w)1VgMh@w z+H|owPYL%&%2Cr%(UO%QYLMyaXR!gF99~v>4tVl!C*@xl zBpkGuBM(nu2jg8H@ijCx04)x;BeVS^Dl3&_bUET*q=DUbyM3XA9nB4Obxm<2hj+WN 
z8(Ukb5q)diz?$LMQPW#Kb)kR?NluOVIW?>l;Ht!tg0s-j!EEW`Yfr{JrW~exdxzfs zyh(UH#9%_7B1;Hcq_yoq_j0t+XUdrWO-aGQu{0mnIC~prB-_t`OUlv+kJ}t62?OS; z_ub|DHvKiaw`bt(y=nXXWZU}|i^LxK#Frg3(3GBEHUHXM6LCOo~gx-5;UWSEqmoS35j*U;qpcyXr0LM?>( zhJ@eX1df&M2=B${0VFwjTT>eui$OxB`$u7!k^cU4Ss5X|y6`rDXLO;Sp0%l^dv#`( zo~E0vJK4axFd>6-=Ho zV6*o&S@t@)Q9zk}a=OaGQh!%j?OViDg^Z{zXLOI7;bqu=)wJX$qV0Blr6YHQTzFUVPO*oMTmqh@`_0u3*8qNaY=nyEQKSVYWuk^-1Re(VDcjn(jqVWW zF3DSpP)*iPMVkKhV6Q4M8wYW_5(1a7F*PHHfa}pln(vqAx1%`w@NasCsc9?vYLoju zmTBMpT5!)vt+TPDys)%GZBOLq%gY2J@gN$MzXA?H$nuH&d{lQPoam{5oFGtku5N-# zOOK0zetblxRcX1YiJsEh!k(`{=zxGmAVJ>u%Wa#RjE}Xwg8}N%`O{R@Q&aL)^4jBJ zYsUV()OndU&_TMojODWSp-WqANp{mSy3r^s{tXkvpxrt(`|$Jx6*zM|>a-WBpOWR>lyFS$9|5yA z7=bmdi@nftgEsB+IuO^HpWVGB;Na-hRsY+=3H%st*a^{kt`i~9Z+Gl zLO=IgLj}vg8PSkqm;_Xav5unzs{qmZ_OBMR7&G8-1;4)zLIKFH=YBCOM&SMsS4?p? zk_~OEdgncoth$h|y#Je|@=OI~JMT8<7x~X>%U5Snq~UV|Es7jj^7~{A1RN4w%JTWo z<9AAxRecpgp%AfCi-G){DM;U1_t&qk*ZFVYK?mnthaKl6|M_p>d19wQ<=qWJm>g` zDYLuGKA3+E9s(p#pwEQGJP=v5AhZ0g_y-a^SCk?xF=p(fmn4>m0ZKK5jSP^Q{Jsl4 zY_BZ2cLlZ(P3W8WoC$gAhj#vtu>E7KJzcJ_6qCAT}ghrP;|wg{-7TjC@v>CZ6y}k0sWXQMhjsBS!IW0bhzM1FC7$p z3rYbMp|g`pGTeS-&KEnX&W404c{iTgmY@5z^GS3%YU-*FpoOq}vGRKKQBIdBdi}%jUBNsP4e$A-2DhVl??F*nUzC>?iY+qZB*`$L&wyPTxCtcZOw$OV>QfuATU$u9!lbYQTrqb3)*n)4kw}{V zRi={Mpd|?tOeZmA7XV{$u{0_W^uq`3d~B6mOvxn ze@@zdCqvBE;JXNqat57xvVbZ?4)#yM8YGRFvC{(ju$5;QDsWV&Xf-p_qz;q-9}bL|Aut?z7Oz?aL+#`{a9s2e9obSeZnh=tREKxi zYKKr@ps9``bwu_S8d#8O$}n!nOExAz#@83&64}Iy-Cty>W+MWw`0#?Nk|oN@ll=iR zDnDHCTmlG&LM5(X_U5?<*sw=4|528N(CZLnk2>t~628u*bZw|(Vct?kGGb4NJMX|e zHFP;GHR!qggyn%6Yi8Yibh0pw;Fh z5|{6v-eefVzr3kMs!0O~WPm3u2GO!@c|>r32s`Cp(J%21QfET`2t*T}-XZ9o9mk$! 
zO=8Eqy$Vj}G(gs&g0>!TE-b2rVWt&#o4bpjx}t5B_JFDi(R;;S zSl?e8EMVLkSW^#z9?D0M2@y5WT2IL!N0#$CxBTqHW+~a${heNgOPTE@IWVmt%=FTM zi=#Q^bi7a?Pa5l9QH4q2Fd_I;Dunh&ZX3~@YYr3sFm*P#Tk}1ZY)?oE`k1zLwV8|bPBN&wHJlgoY zsO@{9-<(KvfE;;l+Q8ZLNWfky78hSGrH=Re=b+caAePRVS@>LVxh8$uyIm2DlmYJ% zERQx3;&3@Qmk4bDRc$^@_yCkxDGN9J)Chrf7+)v-tWkVKw9$s4AOfXSH73H)6p?qh z3pq3V3N-ypBTY~ij!)*Su{TT6sTQL=`NhA#BW1<$k`>7oVIAnOK=_>Ob4KK-n%(FA zrYtoM;{G}vyU_(!725*}L_Trd@ra|It+qfjXU>));hKKqJ=EQ|x-;^R} z(kReaZfO(siSY;R<{!n?j&i$rK;&qinjZ&bPK@Oh`gct|z@sDT$-X{N%z>P$w@Ws* zrhewAbY)G`okYjuVdgWHe@ z5TG}!NJ-PiM&-Y885EW|l{(OLMkXp7V%3CP8yuAtg&C0H;Bu1IyTaaJ`0C1gz35{| zN(WPi@3JSoOXz|rvbhD6Ut2gN{*&}ii>BhJmFf#vX`f&oM@$eKR_?HJdfX=Lt|TVc zkIaE<^;y|;*P~}8ltd39!jz=I3d1vc?cTP+f%t=m5K+^%h!7`p0`k1zcBn1AZ4HJt zwh@kn3H>xVJm2-l3H6F1OJ-aadj62%NJuuXMC#G4muJslFMUAo3YR8>^|)W2pCa{> z*>;C(Im252zyUeE8djAxuz2O~eoVosE6EXUKYb;{bxmb>#-?Z5jUY6&^`&rzVbvVT z%?i5-Z;O?so`KkE36d<|qflen@^So-G z>|lBvy*5UCN3aa_Nt#y3Nb<$cT9Ijlp{BB>+wiKVEuE9USF!(gz%FcRuT{oO90G>K zglF5<%xZX#AZW59BdX8g4*i?Ukv6R`{@W^z^h(5&j;>iQ3JwWr^`;rq^I{_YsWi8r)kuR4S`>H{!AP`{YvL8% zduxs?wSrNY&)1tRdX4!4Knm;yIax55DvBKdBM;5N#-Qo_&9)yQk`$+c=@S2J-ih5| zySIh$*S8&}ossTdVb4PvL<_ z>?5L|>mgeysJF$oM?pVAr!>8|C)vw?%2duAf8;EM&Kp~osz$`nwaJi&f!~#`&(h5}uE$e8hZ zny98W?&g;fp!Q{j1fci+Swv7F@`x%p5t6?l3{iF2A`I45fbaK$<rSXL_ z1CZg0^HQJ0xbyt{sZ7TzPQtKYjZ$E7@fP3BMwSgU}SI$37eEJ8+uDU}C62H>u79tH+X$ zkEgk5+e!6=Hb0i}26WLyXFdRe1nO5TMIxA`j@q)xoVxO&-q68q3iV|!8X~`84Th0K z_+a@5T=OJWE6WDCP5V*KK1FAa1rkefIreJ@4jd$Sop|QT@1pK?a}6&Y1q@}DA9qhE zbf`_P@KUHn@>C#?^dHhynj~Dr(z`dqhhd;xU?(9|KLNQ|0^obw(|%T^pl&@eGcB!N z2<0mO%7x5Z*VzTpbiwQLps3s&^AN=J6nlFV=~w@AgXFj~LX%=G9in`xJiSd5Ywj2v zRM8n->iiSKp{SIousAev6;HU;mhmGm;~d zU^DDT^AnJmd=AJBs|H<_2fwk?+#k=Vn8f_0le z9Ls!+JyDkOiI!5}!0xz<9om@xAKm$XcR`-|rh`@j6-m0p($ml1`UEOkO1Xsa^Ot1g z6(gp5KFYZi{ZBO-r8N~Im&sbpEk#m~jTG$v^bZ3Uq6HqR#U3%-!P3Y6r!6liF> zeH`?|wYeSzuwPpWtzFsGamO1d5OC- z#6~sNSma*-@wcPEp_%pnwuT474$9FO5rXtvtxOOFaYuRUGwW?^aj);)B5bVi&~T^U 
z66|>0&t5%VJ;CW=o)A$|q)_7WQB83p>3C300GW;<5Z6XYl^yf}Rg8Fc@+k@j^KACZ zKp}hAH%1bO;Ulb>$BL51YcNu3>GwyFL=z(~_U6xJGbT;Hbq{{f)*+hi@a#2I>!eBF zMG%|mfv24G6yVoaK-Bc8^&5w14d3wv!s3RoGoKRR4@K^Muqn2Pf!H%pB9>W~H&yC6Okp4JHD&js#MCq^6MJcSh0C9OA8t@a;l%AE4)m1?NAZGq`_S z56EJ?fipyYw(4L4fFM9T9}0(>h260neU&2y+P|Z_p7cqpS5e}u?^H!YJV>j~GypO= zB2p?5h5~~>jdEo4MWrBkDn}0L2gA62Iua@;_qK@MR4RODPyD3$%mk3loBv~ubxR2a zUqUUBXAffr(368tC#^E-0}+izJG*)hNF95#Fk-ImN(Qe}Kwvt$ezoH$3h^_#^`JIE z5)Z_3D~9C({>rmzBQOROhB8?767BvovZyz33{i@#5z~x2VveZlvaT-%B`V38>yGE; z=w47yMJa8N`)lB)f&s{J$0lC){Cl{lb4?SOLPxf{9h_O1Ta>R^XZNs;4-BQkI~Cs9bU;w@~=g3g90AgWJ|5MziRQMc$9 zo^@6K{|$K2fdV_fFA236B?O|iy8Qnd=N5BHHK@EnB=pSS=rlvDZwVo#lVmdoN={SlVlwo_Z`pz zyj~4DB1^x`?Y6mAmtwI0r=!)2P70yv4g~CC2PQ#q8k&p?Gh(a`B2;e|42sdvqC8u| zlud@=SrgXDA_C+n@Y_kHsk?9_*%hubz*eW+X?zWbQ~7U)_tF!LnR!GUp-t`i#ULAq z|5%}3Q1Ue!RR|U2hc~P)_;udpY~XTbwQ-og>h+&W1B?yS@QuETiIoy9tpCge`O}4s zIxkBds|!OAiY^=K+=oi{+S(ZZ2;g)ExH-Nq<&DsFbd>2}-_SJ&Xl9@SO*_a&Rh+Kb z$G$O#O?Y9Y4f@~B?1(0Hu`#gIv)vrgG&TIUb+p3iI{)uho{_ROm=-rso6eUkclH_~ zfDeffV|7Lp-hBHQ@YI@++f8U#~Q z)w)8eKcpITrpHQ?N#lqxRj6Miew6=iNjFQZu zwTU|^ziS838|002^m-_c`W}ZVSXvKf+0$TG@KvR&sEzu{n)5MMWjQfVp>(X|=KLb~o~Rhnkmnhu=l*Zv z#4a2TpfkAit`qzfs_B^!G7ZP$@FV!~E-({Mf%!0Z3d$wIEFuBv4%CcJC7O49EjpY$&;3 zFr72e{IFGMtp-&!AMmf515iPO^g{;$h!Bx7Q$=Ysf|zaOgaK#!cE=}(wJ$nBH$+z(`CSZ6+XE5 zug9zyqJp~?8=#i|t(&6t9;;CtG&50Pwt%LsWBI|3n~mO5Mw^uB_pB=!7wY5Axj3B^3@v4*vD*?X4E3S9BEps>}K>$|g z%lrxjb;dO6^D=tysM}WR3dL>e!{ZdD}B9!$veZt ziq|tg32-14$A-VL_li>z5Q%=xio_a697-38bR&1Oq>Y397-Zg-<-;LO>Fnq0-&Wr< zZ~3(NDQb0YUn9dYc^IZk^Ypa0`J|TFa2cc0IoL8(<_v)?9}7 zi!`ua^lF8m(oo~tuVBsCt{%oiNEXu+>hUsvf@VRqUM6YCt$`xpovtGD$2AGghOpE1 z)QR@t#nZ<>RH7Yby!gSco3xV1N?-!|2kfh0$^GfBrjY7_VqYq~>s7N9#Ym`29Cd`^ zz?6vVZ{*_o9lua`b8*1$F^6sy%_xF$#`(>&)@4OY<7Icr*v@?z5O^GcS zwi>o3(Nn>e-zdhQT%)2$nvvHR(7yS5G)ThZZ2dlgwy30iq|cR411uw;%gIyR6Oan% zgv@`i5z^<9pkLGlC*rVxpsPPIo$MjDQerphP6S$d#PVMYS%IN5ej^ae5X37&{`-m$ z#LEYF{IwblmoZ*YS8#;XUZ^^IGEl_pua(&AV#uLL(Fv0pbKyOPs;)R(U*e^boP{L` 
z-X;TKDqX0p1Gmz^aUPhlvgvG=5<1u>t!zgWG+DrlJZpX1|57-)0KzsAwJQ&9@XD_Q zvx2?%PD$l$^{ac~d8-ZhZfBf62@%J$=9%S9T?aDYO@7%Hv>hAKnpj{3a6+GFn*Sgx z=#QtC9+IksD&%J+-MXr2+;_cHU^@LRbvKd2XxevxCQeQR9SL7vIuEv@w=wem7FuAM zD7wF-Yj&nf&@|b{q1_QmMtYLB#;ep*`Q}eXSMzQjeb$7p0q~q68a(+U0Wvjh%d3$O zdJcOMde#g?tFB_D)QrfC+`>9|W0!bKCmyOe1GFI0k_Lb9SF^&WOeflzJe}Y4y;n6J z-<1#iIuQpq<$zfsc!5EHKTCUmYe|4sz*kuyv3;{HW`P+dP9a;nllWnH4Ygn% zc%efYT(NPJ4rD}H^OSx^WSgbsVEx5i*Ly2CK4_Y5ivLP-Ih#dSTyD9Ih1)~#SnQ=A z#0G#TMkRT=drSw7fhg|N5jT8Eby|2Yr>FsYe++|^rJ)H?LZyG0BGRLaLGCO0_M|e> zj*4?m0HqaFqp?53CtULuFnDUrq3Bv{VF+(%l5HSRZnFA)ORMBP)SCbR&?BG?H#d<| z36Ow#qihmcaZTwRf5$;U&SD;-sMGp~GE?&Z1nqt?{v<|)EW-9_iHWG|LYOYTyg z8zZsIkvZ3vPb?N+Iv})bOOX8}hCE=5*BL2I4Dt^Brxj7iPc^u=E7rkIZKecZ%4Z=l z{5YBs^PFPC>ZY{8;aDnrW136_CaAE0(BiLDP>zIxVa>*uvBa?8lFs);v@a1%9?CR) zXi%54=V%QjbB9w~GCq$rcc27to0m60lG-{(7{N3OJ*E!~WUgBg&l96n3i~h~E+_C| z3nQ{VsNMPi(@?C*9vdrvG4)h{mcMgC0DT&Db2buK^lBN6*uce`oQe!>n0AWe z2w_aDlxT#d=(cG`IKetBYD5o8yM5qDi1G_oUv_@Rkr{;E>wxxWT2SW%e6d8n-QmS6 zBKQn1&BhvKTQEQ#mLg>aL4?>1z90QeR_sydr<#8)C3YLdZ_!_bV}?qW5Ex0 zdXoMlNcz^e>4F4btR<&TXu=$?zvIk9C_y%G#nh2@iL6UP38{OcI~!j~4n(t6Ccl7L zOP}g6|N4j4`?~LdGT`MUKxORPAqYVq<7BY`D+Jw3j47`{Nw^X)IhqUz=?bB;JtPi0`)*S6s>q7=2R&f@MX8QgQ*o7@nO+k!`tOR+J%=Vo zWifJ7jJ^29hlHw!>q!VNFb0T6OX=~Ww67>aWWzHxgO(%}CP?J?rkdW{CwDUYj%?cN zWH5AjG!N4WIPV07+t#@Ubar2JWMRLP(|G_Ap&a78Bp1vU$n8stNUaf(z4twMnr&}) zdKK`r@KO#IybL|uS?WG7+nl+O)ncmF^2iWw3s#l^h&G5Wb9aS$~Lo+m5>IOsQXM6L#8Oe?EG1Fj&vM zp|&EF94aYC;DaOi3b99>oK%yO@Nhj9$TEg_{f!kBRZ*cIu(TnFo6A*6$%P>6)+No_ zH7L$_Gx{(nQ-Rcg>-Lymi1#sNXl2V>WjrHV*KjISa%|uzkz5>TjHuH>GT(>Iu}n>z zDUr_rUy%y@S!j{$=83@($AU!O40~&-^AbhVa2vl@%B1eV73xDCI`W}=^IwI5wN$=`Izal)>Snz zGKDHM>1rLd+imZe62=rq1cFF?XJ3y#*IXG~eU3w5h{E;y&5RnXwnBdip)!`<;>aXF zKclL%ytd|kF%@V@;>}Tsq+m9AUmiETX2+!FGDt;G-^jTcn_u3zaAN}5 z*x7!3`lwnuT$8DdlcBZnv)b9I&b3?G6DH;KeO+hAQbp%lOM8dE4rHUJr(au`L5qec z0_PgfX8?d=7`haf7AAbfIZ(S(?R)h|4@-ZhSLc@;DO9vS5$LoZoxP5oalTH(WKRN2 zr2=v+)7V}n8`>@sW_Lk!0p&6yBM0ah2;v9|xhz3JeI~}b>Ln5Lzp1FS+r5pvt*17A z=~C4iMA!qb?_RH?qT0@9 
zO|3>JI&NZOCN1gJus% zR9}CdPlXoP?&CQ>{!GHnLOWB0pDs5lS~|Wyo*3x4-ola;%E`Ag_O`RLvvpOM+UItA zN%}rNmiG9kj)muy&ImS1I^$*c?p5FV_^{Nb-QCR`)aOp?&R$F}`(_pJ+OO6QYV3g* zm%ZV5ZFjf3;e|ZU8>4kMyP*exhRT(!p^ygd?3o-q^e-z8<9NRjq>zw_5Qp(yq*++@ z+TUJyMt43R6-Ugkxtq8K*P54vWgA@qMvU3xo+qQU)iN~3epf_BBJS&b z;=_WF8DubGGYLTwRF~MGf|UvEk2;h2J(|hwwRd@wo&R$TFgH*~Ieav@8jQ#8U1@W^ zlpoWy3q+}9^)@hYF#Ti9sO_+G|0Cpf+}mDwV1GQF3&ZT>;c~v+KCgi(PK@#PdXA}q z$Mbp80OoGPq2V@nTs7*l7yf<0dBEMGs8>7=kDyK%mAi^Xf2*UxL$;+ zg2asS$oy25@$`pUA4B%SKP3IFcb#U#v7p!*T`vKvw~d7*cW{yxUw}>uRueO8+tbAN ze&jPL8!DYfW;*%??)qrA>z+7JFdVtWd{!L@!RpG0>b@1)@9x4Bb6dbbuZF-{CNo5; z@wXc*{C1?c0(CLZ^G=Z_P25O=ytK45@9j~SrzaRip?qP(FtT(JpdvEIaAjkyK4Rpk zR+GDxy=5|kQ_Qpx4L0n#-x7%&qM>r){GJJI`jg{Xn}7`GRo8c9uJ}dOWmRoeZEf$J zK@41<=VDXYshYu>OwXB#1+=iflvHfezWzevee4ts(B#+T^@RKroG)1satv1WV7GUW zK?T~8Pr7V8>X*z&`Mwh_UPwA1Lt9hb)Y{Dd9BZ#&clHKoe0#d)@f;)a5sw=+ye|@$ z8!J4>!kjQAHvX5RmR1DC&jAt50nR;1^}xknV`YpHBbHn(cdgI66(>hW!}$vHG+LS| zsaooqBW8VkMjAyAQz;H1>l)lU~&+MDV&7h<}D zKjMYWF^PgczMw~me81OImPdX0^YI}A?(77_Gzi)cJK>kG*=}^yjB`z|`@EbqtgC5j z19Vj11Mq``ZM=6&b=F#3qPS>R9(yrKAeaix zqbbx^)>eWM7B0jvOuh zwzl@-aW})l?0k0$_p@s=tH@A!tI8H1Cn(?Fqa;$)fComNDzqz5m&o}zJ2=zr7BDvV zxC=<#AIp^4AFT>i>qb>pR<84;!GcdgxzYD_FfzmKnyM3YH?m?vO+=CsBSPh;TUuRh zEv-3uFv%=04WF6m5sC@ELJ9XBt-+7Z4vUKJ2H#QO0|_UklWXsePb_V0!bFHJsq5|WiD0^yF zLBABRo^)SVB#EfP1HL+aoP(r$>O$?A=x8?rfMTfc>1xXh7yv-)U9>Mb%D`{Ke>cey z4!cqPIpbV!BQ@jPTEY}Kup90PF`dCB4YHe6 ztrWU>-*ma-BuPO*tLM3k4@{RENVMwJ#R&TNxUfH6L%u-ijc0djS=|ghb{(}pJ8@T7 zP>jIkpp_h$TA%(J3eq$4!-BnaBn~G1kgz>^qv);=A{6Ww>Rwo0cHV~W@it3Nbd{b* zVk+Kw(9LSghl>^xgYV6)8_nj$M~%Jkc;cV5Rp|GFcuL`4ig*oYvHob$9H~cA#+gBv z2v*%HVEJhZ6??F%*o<7;K6 z-r@{m!#nzOd~8{aFq~FUEY4j~ytK2UNK)pn5?8~>Diay-Q<6Pj!j*jE%=?Tqs{MXm`*ljf!+ptke=h!)wK0oPr|0#;=EGuB!feDtuhb9K z>FH?(Hs_kE>?WJD4Bvds7Vq7|`{TA37~u*X5dXNU1UY}>-g(tF6W#pQSvH#Q!|;nZ z!5unT%>5=dC~L(dMj|??$sV;FH;7?eKw$KF%bWzDuAw27FE4u{NMBRi{O~7+`+GxM zZG9VHWQ3Z=#nIWRo~0y(+tb0(NYBmEQydX;Nkc-{x@3?8>59ct)=V|5+* 
zlO<`#QIHZSAj3^M8XTGwNweL4dnk}nrJS^;@3mV*p}6iyg~scMrM;=K*?o8E2Kxm< z9{>4V07iL_6aym(LnW46%l$!ucAsT$e~)y3o|%=r_HANv^k#JOC@Il6xPLz>LiR{v zocr?}gF!b7jJ2fa!EpPq>I$NJOGacEMz-24PR8)s!xb=nA-hez|g za-xIgN%r^t?bzlf!0VrxguWt8Z2EGf>xy#XJ(Zf4r;jHm2l40FUAeLHJwbLZ?fulY7F4+{uRNry#GXEP=ONPex8vYNQu$-d^uwbfFI z(u2{Pp1!`rzP|ER53D0|7IYKi0#XuCR96zS^Udwd&z{Xx77P}Lx{Iab$E|@sqIvbV zeI28g%4Q`I+HH<{&PFw*Ef9D}6puCUl)&3-9mDonO-*cA;bW5HAgU0ax96JG)pR=2 zN38^#C(1xw^#nokrG?em))pG7p)?X(WwN=6x-(N14-XBk#@tqeyS8qRC>+aE%Ouyf znyM;hG#;0-x83yzXDKNuE#A{28=Mxl*&9&Yfebe&5P@lKuHN~S!%=s=e9lzM$^lsK zFy6)mgM4~+^5~Srn%JQ zY;)|EIXN*)-HE9VOwPvC3~{dhbhWjChDyldaLE~u&2z`qL_@*1pEjmJrVq?`ItwwO zcN&6jYX{PA|0t(ZS2po`)lxy?S}P3uQtFX~!G$Q=Otz}le0fG>eUL2O!ovZsd@_+8zQRt**U=gKUr4w^)-+YTe#7S!-LFo{Za}FM1f;;fr))VA*KL- zG&57UfzD{0qKb+H-Lb#h-d1oz88J|p02VvP^4;ypYF#Nd%?nXwb`3b-E3AoXT_mD#O3IbaS(k(WcdY!_w}3xGhtz3GBPl^!HB?f$mhL5 zgnto~O`c+AOHV6;Z&_RW8(%aef1@JDOr8u4{rXoyYBLINE7hhxX>IT7$NN)M6GGPm~4%luPFYgCMjvwmwce}L7^Y4qZ`yf7kC7e z0b_I7PYV+Ayr{Nf`ldnU8uwS^u_b1FpGrzf3yehX6-c=mMd z{ADj%d0+>Wm6^9tET9JG*HACR>g!{|1iP+l9(Ox-3`^96g4GC!puz8~rxdMzZ_SqS`nHwB$USC7fL zKZxATZ=Y!t%?;N?Ow^ZL$+uYM=fJni19(Fg)=x{2j&ub6BF}P6q7Ax-^{#4jNMzy2 z@X-b4_eZO;7Qa#dwGO4GLx@J8gN(fzE+-p%YyLc%B~9y}m|VR|d6gR4~=Va2o8az^hE343kS{4aYeF>VMAc%n-#?|P>nd5^BRbW)R;b@1Fq0aN~P^Rsf<15u?p{)l=ezka5d5B=!hb0pDs z+2l1*Mft;cT2$&+7~mFW`K@Bv?tf}c)v2-Id@E4)2&3&_h-7^B@%4CSuqs}80u6;HKORd?~c8nxo&*f#&dq0ea8Yz&BN^wmz4W}b$b%txOHOMAis(n6J zN_+~;;XOFKFhmfx4m*J_kQB*bXUs~V1uGn{hL4ua7ymm{CBiBmIsCP+tV%RT_0REAX;BGjgJnQT=xKwfleg z6`)NOlX5zfip!KlXyLF{E%!O8I(Gf!U!Bl1qxie`Ldpm=IFhKcIOOjdtNx`3rg6q8 zSb$lx0N3;&a)MBUu*Akq_9yiC*u?>^eo87QQcr;n%qtt55$f|GTT7hl7vL>(eV8sn z5n%$kVm}5Q#XUJMR}Msjcuy)uY({SsL{v7W-EH7DNeaQ6M|K|-fE2vS?i() z5YgXlW>AFl<(t?GHb4zB_{fFr8@c+y!7Yl4DqElR4vPJ50Ar&jRmfJQ8UWD4IezSo z>$vizSm<}Q2a7!h{`t|y3yvYQ$CxgE8vOnt_>Od~)CG>{xJPX$9TMfS;Co4lw64&~ zW9HhTw!Cj9*+P(NF}D&4V&+WR_q!dsa-w3GNBg z%S>QMfg>yKb~>B$P?fn8&+Wfn9K(BwO_^*oz@rwW3NFWKaVq*VL-IwzH=C!u} 
zWuzwxKXGx2e+&P&(wDa&`~CA`lcZQ7oV%59kzZU-_is}*637H+#4y^QDoSazCjuGM zNDS#?hXv%~^yZc|_Q!~)$2(Z^QiBAtLJD9lu+?SY$yR3D@^pI_<>g*-)2t$MgAxSm0-JYO-nnN3j zZ!jYbCGavqQ~Mk&FJ zC-*Bu;uMcQv1oMQDpW=9Npq(ugw6R14=squX@xjFv=MShfJN z1X~si^v`=sTzBE2xwpeNMxoFmXe*A@tell^1yWszP z(ntrw9uf@`MI33Ms_c5Gd^ho3d5|%iK_F+R0DEHD(T;aRZeUq9Ft{cdK`VYJ!9=6< z13?`Z=Y4U&gx;}yW;E|M;s=?^ewd`rB~4FNoZIHBFe?tK(1gCSr0)VkmvjYnZCe4R zo78Y=O2HxHTO@CPbhzYl1K3W%#}2%*Qrel{Gkv26$Hh4-3#d?hiRUW7D(b=Mfti`U zQYvOLxs-D}qGKSLF8s?8ntjv52OS9HqTi=rRSpkW_s#ix`PNpL({S3vF~!K{8yCD} zOk@rg!!)nZJ4G{PR=jAq5Ea27tlrE|cV3{i1k%t72){{B0r%c_*t!g`^?9R)5J4C< zSvBj88{dVdFeK+S{rX=AkU9;5NUoe9;|#4VRZ9TCCS!Bu8@_;Ug}=v={d@>^(M%1h zNn_M^por+*I6JUWRv}tR)WQf`u zSt-bp0+ds*WC{KhHk2G4#a$1gvG^gk0dl4R)O*Rf$IQhV!Tvm!JtbD!$Jr}o)ZH04 zY~uczewqI?hV#Z;;*azVCDcWZHcnjFdOzwZ%}Bn^0GNtud=E|#`csfEvZV2bC5zpAVjtzVl#H&F&RG%1B2s8@C-@0mb`eYsv!-!$=ksmCzuHeNx#+)pq)Q#cL z28kS)wlyq%RNwq?Hd<&xlCK*Lk2gGecf5(;8px6`vurI2h3TKZCSjtHe*6XZwv@jJa}xNX)K%P z2$>}x2Tt7A1`3@jOSYl;V5mc^J6ySZI8!o%Q^Q}~+Ktx#ArcgXLbufenG(P+CCP4p z^Nk}}q6e@YRvB3EO3T17zEEOWqPP*m05rso)KVf2iqE>$Xm&$H zXK3h~7|!w&HCOA|jCU^|WCAApZA`h*`wkYTp@1IK3z^(&sS)Xux?#R>3o0SRQ}W5N%1PE$a-{xrfKz)OL2&J6YrV4v8-F) z@2}46zB&y98bznAon<>-8UpVtslPe9I$e3~+6U|5@8qaNwk2HO*QWm}+IHx4?vftz z`s}GMG-PABCQ|j|KM(2BY1SihnEAT!KsoJbn_O6pj~B%DI{i!J`=21><@RMa9a%J; zSgpXK3SB3a?De((rn>$5OWg7zfuG|EsaoGPBlwszs(rv7VdD7K55YT*HsaP*q%Q&q z4*W-_a-vbY7w393qVF$$HMR!NxrSh^Zy2nN;dQpD9l@YnoBwH3qfZtO1N27Jujs72 z9SJK0J<=CURF3#8FuYO2U}Q&?0YtcjcKoCdp?RYH-5)PTL$XQ8n`%wn$1-!B^+4 zGAYI$>IFVW3bC9Hge(XL4tFwm3fL@=FLx6(ojR!*Jx@@~Oe2BXw%GU>tU#DNY}AFSd>M>5>H->kxiNA1CeqpE ze?n!Ec$Xm=H86Jk_JVmnf0_uGj=YEV*W-nx8H&YULSC|Nh;f0wC;1lW-tRA^utTL3 zycb6V$BsiZ+0&u`_V2+JV3!F-5LRNIVjY$P`{QGT%YZ<=GnpY~Gr=$@{m3LDk@^JN z_ZDF759XS|D|b<5>?LQW`r05N>5hRgXf<6JY}i>yMKy7nI=1@crPd1C9tT2KSp|l0 zxP*$;StVpY%nJz{q%NNrbOD>M>Kh4bet|>m+3-ttbBBF>X zo@X+zQ5FcP?H9hQv(7=io661*T2`I=iV;MebSYJ@{tVM!{(*gfhl@co$|Wj$NwOm4J)&NOzeBCjBF@L zDrIA9u5TuQ@m5vfRMUSc2#QzCQQjs^cJJGZQ 
zQ3&hDbO`F(vOA|sA^0r;7|?G?z8a9dnH_mrUiu;s)_Hcc+*;V6A*e!x_n*P$N+*jZ zHH|12J77?c^67jF@42(R7e8zTl1Wkl%~i~w^=HpF--P{3gfrm9n9uXH&hK)nkJ?;| zJk5&J_3ioGmS#;iby7+UJF+N*pShAW*CqFmXbAI7f@xlo+THgj6le{ZELJ$4(b(=4b5ve2I9ea`u?#=Bp|2V4;NuY>F0lgbCxe^P;J2n-o#QWD4YgWT1TD zgz1g8FH1*ft?SdXau^Z6D=PNw-PAt95kiYDM$80}?&@>t6Rt-UbqSKz!~KoU%jGJv^y_2#)m3R} zf#H~BL{t=FU0p3j6A%sY%0GJCh*4^MUx{p3mcb&`Y!nT=8u5l@cI5FW&ktGnHzHSNx8S{BgZ~t?4miY}2=<3Bt+Hmb$2hD2azz{RI13>`m*rZ8g zVXDrZ&W!lwbq{+Gv40ROX1IXaZA~(dL2VV4l{-%KYa;Owec^r_wng!8nn8ll`2@|r ziEBmnr0GC>=3;=D5q)atECBGf-~Qy%FU{$E*wu?HlNmZUbG+P+{0i+l{NGfuoOGb9 zdIF~8{Ix+pNI&T9w|5qOMipBi5A`Ps%~)1|FDy@Qr=tUsy}Y(R?gu|%$z&YN&vu;F zrzo7Yf(R^G>A9QBZNbQGA7)4cSga#|{p#)UWN*5?x}z1@Dx2qVbFs3n%_ex9d`MLh z`Ah)%_Ii>lOGOmKe+I%@J>GN{U&Kf)y2v#2I6MeGP8DA{wJb&PJl!A2 zjMLCid7tFdLP3Tz)L>Imp80sb_H}fu+(+Z=1ZG{2!I1KBxyZ?sYjL`;qeSruJ`M(F zMoN!KkB!aF&CT@rr&Ya<(fa5y-n^`xy-bIsJl!7`T6w`FnUGfKu=238*MaEa8%l3; zW!5;HjBNGYz0aq1U3vE-t`!M&mKQy4y7C$Dyt9amx!HXNO*tMTFf!bqCqS@W=cuS( zET>Cv3vp4iP>oB?=bde*33bNO%;8N`riY z>>Re2=?y-1hnEjLPlKiQwSZw_@7L|K$Z-%=y?qL~RXHf>MgZP#nN`oT*-Y=t10xy~ z>=y5nbQWz8)X%_{O<_e-`?2@#)zVIHEk3{@b&=D}e;UE2i3cagZs{-~JoELj%t4Q> zmec+<_s+-ecIW`_`A~{mwx4)@?e)MVSoldsr}43`Ma5nnABstZ3E?awCu#R))(^XT z`tx`C3Mfb>P)1ySQ#0!akM)PhL~T~L!xNSMd_!>8f&jypOwS_HC3;^Y(a|RGmaU}0-o~o3Di;IMUmnI^Mv-6E3qp$$5t%}oz z96P1@;q7HiXXN*;wDhWbViFu7PKBez)BU?-cE1x2t^~cApb-^=WDEYrVI8hNiku7oNwB zq3fwGW94{((Am1TSCKb6C%qjA*rq2Dh9JkiZH0Lru7}A~o~NA^wzdK{hTH?s3D`ah zY-|GpfeppqsQ;Y_J1PYvnn_c-TFE#LA^*f+Pi*2cgy4`0B!5qax3MaSbGTwCEe(H2 zqi3r^iI{D0tfiur9F6#BSs>3wlRR`Tlj-`%qT{|MN}4zy8-!wdbnLddSora}HWKkB z^WnP7ea!vxp)k|!&w1a-z{tY+*3i;|JxPKx28r=yv792f;{8f>6JjMtNk$sEQbZJL&r3}rLvaZgChbH5BWzZa6U*heI!y^#rrajteBmF=0H zfqcsOIQTaZ+|A>wY2lM zJ`W;;7K}-P@)*y0jw6SbM|yx}_3u<1|{vG|uBi*I~juzqhYE*T2VNAI8qXkUm-vSAu(T>an?7 z!T9qbzo~dQshqL?%zf*D6qnukXM-av`Q;DA1+-WC|1Q2eL75)7!2EPY0M{*6UW8Cs zB!H&l$B~|$hd9#Ueqr{zvsP|L19RuSj?G-D(QiS71Nype*=?VrxZu!^&F$Nn*zAJO#&%e`}JoR@?3#D*aenSgm0p8z|_- z27WCE0gd}1z|;sZ8A9_?MvI#3?g)>x84$r!(jJt 
z&u}}~O)TdMN|74BMPC0C)!^vjcyqpEVw_bsHy; z%Sx+K5_YDrJX1qe?Zo4;{?eD7M#cEeR#IV?3J_OemcGcI{2;*9uUiRmY zf4YtrD0w_~K@lU^nq-Br8wyHjOzH3g)r3Jiskq3Fk69O1pKzpb`E)!?<>oo~x{ zJ?s`PX&e@k6u#Ya@ci76+i{v4K+BL5K%}N8*dUiWks=$3iVqCD3qCl*jO=XX{{zvD0YH*zfM@N=hzHW(n*y@<$^B6Y3Tb zyu1=gcO&0;Kfnq?64J{rsNv2(w^_VB&-&pQX9KY zt+Pz5^3aim|AfIleWiVye!G5qp7*&uqP0GDeT|mdeF^uu+b2EjcjmskoY!H0+&Vps z@_AqZp_5SP_!_^43R`QnUoTb}e3IAJ)GQL-j141ZLJu%IOAJdwJ~_nugPm~;~qpFr}LcDe!s|Z21gMPRtWJr z5V7Z7I$G}{QLO%a`~B07e2C?)peiW292AjE40!Kncvu_)p|O5LGBPE3@hiXmJ2l7a zWe{q1EV!^1I(RhYEamINW!#+>0&ad^(cE&l)t&{Z_xw6j2P!?kwfD9Mk9+yjW%%1O z-s>^#TXR!QMI+Gk?$nB-!RGO1+~*1dMDNYx@@Jyl%R|gjPjN7sy+|>zIW$l=rT}eV zpR;0v4bbt~-=E;xKWjw6!fd_kK*pPelkqo$sw+R#TuESZn#lx{QQ+gBBO6x}lGpCH z$2YLEns~`U0rc_D;@Z!V`v37%S0n!A^P$m`UtxZb_S;4G(ES!Co;RPkODD;Ko8#fx zKE%6=wXc)U9i**XrXm^RVc}koieoQp8u+$Vuk_`Sl-<~iDz{cK2|K~Q&0(P3L?k^C z3GuGhOoD>{6Z6-Q=y*bL2BR;5BmqNg?6n)WB1OPhLJL1Y3czukw$eR-9Ot7=aeYK2 zQfat(*wv_@sk@`0yWi|!oj9zn1@&Qwh5OK#aCj^SJ2SUX0RdFK`JI~@9p@JR<)}7o zgBd|hY2kugBZ~AZx5TIU8y9rBlFw~eNU5vkO(LUF& zw%_IQC<+^-!Xv_uF?=cbCG=%vCC|s1KfxqKR((iQ)_M@(7m_V}Sy>(;_>v$FG!4?o zD0H7^by=$THN5ju-Np@+xx@%~_u4^P`Et`L8wa3JDFFj*N-xU7+;wR55?;WlNgy{C z`5JLZG+*0di>#n>YBS}d>wdRUsyHGE?37z<#F$j%ShJ@bef&~1C?#lJVh$r2^ z5D0B5)EhY%YFDaUiTQJrP1%^dL1D+y$3;o%pkpGs&9Y`PjfIKZeEt&&HOCK(1kA8* zgsUpu1^rr&)^aJ0FyVbK|E9_j({rTjK}YzqA2#}q%;?)x#>+sDw!EB;=lpPt3Q#7p z*?FJ0exEF&ke!N)|E#E!P5f+$u)?e01O4+vuf6Ia;q*v{5&i_f5?ubQRLE5>2u@GC zw}>Vp9dNtY4nPYmzmo(1Zc8OI03|+#kmpY*O49`gpBPI?mO;pxk~C~Y)LR2Neo0T< zoPePv_r=Fn9vbYc%q8OZXT(r%DIwu0aFI*kFEpR83c?q_j*EEy-(*7qbV6j4bxiWI zpQy+ysgV18(J^6psYoj)qt`zhLp9Ni=gG@XV9Afg(MRUR>r!JtZDY!p=Pg8=JSM%} zhl4iHK?;lF6tAOiw{MhA$!M0pzVC1n$K?*7{5FK*%j%?)9qaF~&xnnaWr0}(|9^zN zWl$W^);1al?!jGWaCZ%EgAYz{hd>A}!7aE9?(S|Ocp$jDTX2GV@H^-G>P^mD_g3AX zUERC)>eZ`P@BKVWu5{8ipRPn7QR|;JUyqEQQM1HKsbXWrB|Rd*mz6)b;DB#Kn5D&g zfnRZ9qrzSzN|98sC~3`9-^MYiuCie{MFbI?lQ2lK_!ke!M~HR7f*Jy0_28lA4H_L^)_1xz`3-|kGOoa6d6^)2G9XtP5O zEK$V&Alt^-RFub2QZ`6JRC~d4NIrS?dW-U0^vAR1+gpx>u}TvBknak(bsp-UOi9Gr 
zwlJg^hL|t3))RZeA?NAo$*bd(tl40Yw=~g^JuZ_x=a$S9kE`~R6+bU07uR;C<5Xhz zZ}ybrWHIZu9m~mJZ*LMTzHKo|vdql%XvV4#XoRY8CGK#rU_!;fDO}tjT{QjM)E=Mq2p;BXtT$DrcvE>^x`mGCis)M=1M&f9hsNlbt z{3w?cKXYi-um?1x(oM$nV2gZ0UR#K$Nv}-OgiZ?IAD8n7Z>t`1TevZ2w8j*$GPNbo zTnCN03=ftCR{~YI`<>I_gV|maKYa_NE)E?NBUtC+bn0eZyfrESS!-zhvzCo3BSWzT z1H3%Me`f*L z#PnKCMhpT<3F)vvEs5i17pgF?5!2g+aI`EY2-y^~l%z|Ysa1Bp`-@BOh08=q_I?(R zLf$g561KTGgn@)fODQDN0onEmX(Q!6!E@=! z>Uu$|vOk?0sEYy{zx^kC=l|X-N-8;)50->fq>_nTTr{;l9%eB#-g@l!Mc(Ye4Yvq< zSvrs>uTitSOJ)8O-{0xGnWGIkdz1rkc?DN>w8+eb%i@*h9j?cQmp`OxZFM6g|Ih8w z5U#}JP%Y|>PTKu=sf!io0$5M`_?#_8Eat`ZaL(GQnTv`5W$AtCTe*$Ea9y2ob`G`S z(e&8A9}qjq&ma^bzQpLT$n4QY+oT_tFT^1~mHycUmPdP!GE#7TpTzWBr+)QGQM{Jr zSkXd1@yUnfN#-JL?eFWljCqIi0TD)uE;Z z?&x?KY^LJ;vq+tJLbpBALjT-SLEw%T2$s|uW59WIbccDOKS6b-@T**V_t0&zB{I|3 zxS>@=vL#(zU0$uSe~_{Q(6b!l5aQ{(AuDfQOyP)Z2Mh>&-AbKiprHt$B7aINSSa*HIt%V?-F`v zcUWsBCgC`AyqU<2zYhwh*DrB4)y*SgBSvNVO z*|=|SS1!KeW&_Q(y|zpb;FqyeTEMQ@~aJ+d>?+dU4UT|7EA2o(F}Ndm=WSu@}7y0qmL-@sDQ z3~?MoWP08!oR9YQMzLW@pGY!9O&ndd1U=c_#KU1?YQUC-U};9EQ8ikuD)0Z9JQ$pu zoIH3SmcWg%I52|lp3YwHwY&ZleWkLVij)hXCuQr#$sBRtyTTCHta zECqUq@TcYpiYUjp5gfZPll(mTql>Q|$#gwap&9Nz?}#Oa`wrwbPuE&cFA&zBrp~(l zOe;8eUy-m;th+zXN9Qr9MA2D?{wiW}$`!`m@|2vlhzIZUhv-*pFc!A&2Iw%44)i#5xnD+~ zJ;O+)=vB4X{t)k5tPZu5tgEW6_kh-DFL3vrnObrzDFgPZK{pB;pMUOt7~4N{yFtIk z6F4S-8j|Z>bp~WNO)12(z$K4`I3knZ(Q+YxM#%kac*f=mZP=TJ=lw}0+8|Ays)}sn zn&ph`ELG0k>x0Vc!1}&B98I3O)wogn=gy8Yli|Z=d=18ybGoj_xy_xOn-xA%e5DTy z#`|$K#jRqr!4B)CIiwjZd>Ouv6-G(Ni$&8mp?V~-ei!#0#e4Io@4-cETtlpxPaZL9 zOQ=^ZAs0EXm)eHITI!}bpE_Ji3RJR<^0bF`=*f3=NMC<6OWhDL&?7Og0J z&a=)sPSFu{lzbfnbmfEFmSuK=O^#?Y987keRbtodtv}h9<~V!W;bjE+y8j$&;B(+> zY;?&`EFVc3-{_ozW->+tCoK5_Y$5)t99n*DCHdYT)?${06UI%sjv60?nu&8(^a}C` zSPk1eAEs}TLm%=w$-n3duwfa!+&(|tx^?O68c(GU{%DC@7}x(kKez5u^5XWZn2a;4 zxUR^;tFd`F&w<>r0;M@Qt@LAwXsgqSjDoDY!h-QhF$-}Ln$g|A7=@!C6P@H;b50_l z1oqBywOd3Aai4Z}HZhU0+)Xiy>&i!km5j3x&p;X~{dYSO%*5%hPk$~t*hufk?>g_M znQE@1qR=sJFU0pZC&kom=CzH!3|aC}cS&<+$5aZ6^sJ0P{>nCoFlvVA%p)6zOE}35pCiPLhg%ZEuC9ubSY%nD483T} 
zk>;)|OL4V$nF4Y`(y&koZ|lysnpo}M$Z1aA#{Mw~!td{HR_@%+d|t+y*DF_An;P2O z*Lke!2$z@JDC;w`v&bnZhz`yor4Hk#ei`!@YAJLtI=v%8j2#LmN=~s~*KctiC@zL} zvor8ZJPiPP(7OFvP3y@IgysnfZFp_p7_)nnvgw^I+3!LOlC>I2L0*twd_fn_A9U+_Ow9fKl#nTY#CXj)SPQF^{a3t!bOS(B=K#Z_Ziviau ztWK5sNj)(N9LKF|(XebjdVE}%5x#C`_XXOceq`y~SeA=T-K!^FjDPfVT}X&7Z_m5N ze7CDx$fa%7xR$<#^`z9kjGze4b0OG-zJdzZ7POh@J;=j1$Mrh`Td!t;t+xH+xWE}^ z@~3q{5#H|L@R$E&v)>&Fyk74dkSZ*axkW-C)Lj@%5u#LIRx%WIpJn)~J2tMo)#X{1E%4-!pnZaA<6=ZL~o zZq{~Q-ln6unkoFGpfEM~5WOlKGdk(cAssU{%F8fgol!gU>cYc^kefh;25J(j0IG#STog`UC0zL) zQ54obpEs*n*l+M-p1>Fq?HB;??(B{(oUOSU}<+d5!^d&nC;>2ZI416EZx6Q`;k(aep z&F92uqkZub!GxppJw5qkE6rWk(+U$OYnp1=HCp=&xS{**iJ7AJE9?c#^kv`lW?5Lq zNF7`jBM8_;Ekj~sT=+;xLq1@1=&3chKJJYnx@$zE-+iY+LxrIfKWJ+8ZY#)dJw2aF zi6QlLR97k*tBj97;9Z5wHQa<}#r*}g4P>#AwM+idr=Nh{>|n!^l>Efm)(6%%Z29t< z2kql+F_2tU1g~|mXP&;BY8@4S@uXk{hn!E+bmD6d_dXksaEOGBr!eOXrK7Jxv zZ1{Lr{5$ZnzP`RZ!u|sjGK7LCCx~7IZ%tc(U@#b=i2PjNbikAXVlJN#=rVA(Zf8r51#`vNeGG)rtK%68YRWwCB8UrbBh2%?ANfbBXuUuWZqM-N)VD>Gd z90v~TXz19D&Ggd%L@5Qx{ld5-~y;#i8K z>W|Vl5h3@J#4^B7`M{JRdZn9Wd)gp;+xQWrru4}SJH0P9oqcM0s>VZnI%Jk%$vlkF zdRAVsYK z*6&ubwqaBjP)qLI$7{hV8JV(1S_NO-wPe8#Xfre2jyc8|-H0pu`+LhIts1TJ%c$b% z?PUr-90XQ^B(|RI1QsUD5sg zM2XTlh?>K=(*rWdf!jLi#Yx21Ec~j$fnsSfQa0H@+(b~3Dx+qg*jGth?f`(r!B-{$ zuyH=x5X81AGcjJc4|Pf|c=|UzD2^lEI?5zh0>q$wILoPwfp=jCAf;-Q35kkx&O=Jn zBxLsdP2u-CmY!~VJ*65L9%@R_{@6$HdaaTe>cQ=`{ky3mrA8(X4>!0C7XIe4j!<^e zDLM*>C(NKNA^+~9 zf$YeE;+SR`fqzt=%$cu=f_z~UQxX!v1)9Th=fq@YA(V88vK0)(PlRS32Oq(C=14_) zRak_?<{F&udxmsclofja=+O6Lqfyb|rRP%*bp0vuvl|}4Igt+(eBT-V?-h;Uph#0r z1|FbMs~G#3l(2Jf96EV=APGz@Oy}0(*yoeV!_7*xBg(^q;ySxRHyNPIE`0dI!qlMP zqO&G(i!BCZW9=stZNM7@5KpiCaa?|OVPR_UtbZc_1~0E?@J%TJgZPpu0yb7;B(AAq4;RfBu2V~IK6?Iq3tMF*j!z_>Q2yx_sf9jvsu!6UkeX6xA8+44$`k0;WyMn z-$980{HTOREx4k{%Sf?kdIMXYX}X9=<>+RE*~o8wl^*DhREs!Ac+DnnT?$CA+158n z-P31fkj#q=rr;ofao^n3lfbO9v=MrJ`jnl2p(SH>rq3HDB}lQS14`)9g(uvFV)R6N z7QnRTb$^86szM`JK=M?M;yAYyniPR}*#TFchHxs7KN~0085QGekVJC9bIfW zyg`FMLtxZOX0#Uh0CWvhVYntH)EX6*xVH0zB77ZPLZ<{+l2UvRBwKBK!yG+I_g{3% 
zC&N8uuuKZDWw0%%qWpia$0>2M_@xn$1Pss!SPh}bTuusED8bj!v`|6jv& zZ3B`*sQ4Ia18f7n=0XSFl)*a@tP?gdq`Uy|e=6fTvfjy$?Z(@Je3T*Ow(xbDx=QbT zQ%=flr30i3oKz#B32@nrwdvzLwds1bELAKm+F7{DKI5QMLG>ZElX6pRB3OZ8QPn0U zq<#A2q-bykRb0VS`LOm}LU;OXH6v~Oe~#a3wgrBUG1Xn7Z~D*WHRax#B1Dz)|7&;+ zV=b&exq+r(VM$8ad&F`#_+O-b_4R7DTyRc_Mw<8KUYt4!%bI-v&i@>XqxCUHcB7d7 zr>sl16`@R#sc@5eA7|BgP8`n{AM89d$Q5>BG%rfiZ}~m!e0YT!V~Z~R%RMxdzK{xkdrv~1Gyopb zgP%Z+{~TOQ)FL52T-xYR4{vj5OE<>OO!BHWt`Xc=V>#ASuH-dok3g=97h7%<8#FL) z^|RnohY_|ot#pO8N;b+B;zQD?lSn|jHT#WnAGZT(BD9gklInoSVVJS<(67u1qWvaks7WJ+^b1Z+|L$`4@5r0f@EeQzU(Q&udJ5& zB=%INQqW|N)_r_~!<}BC&z|Ikj*I^s2|FQj81FCL_QLQ_l_3VWwqV@goO48u62iEM z-k;-ermIAlJlhjs)rj|$jJ}}%@>%Q?%v;Uy^6#iy2k@n{us%zC4yRUPI95a#h(`;~ zq9luDkyhPF3*${7$@c=#+W#Xz(Ds(3P=tOF*|Q-F5!5(G=*rO&Zx=mUsd=O!iKsP( z2af;gH~pUWeL~CYohWzf_h{Z;0tOLePC7#jdj(kQx4k%r*boE;wc&St3;FnN;AtQy zb^?4t5jeiEuota~sOLzV>3t+vcNSJ&bNU;A5}9rW2*ycRnGV%pOw#!2q>TzVk)Ml` zf<#o{dJRTMVq$6@ucXJbZJ(7I zW27Es8E82f4)DvoRm#@X>BDjys0d=Kb7~t1eFI;BsIkW}B$a}z(K>puC4wpmcE?fS7 zjxA5Asl!MGvQR?>uq1wiI!1JPFwV@k6txV+Q3IB^M!Gh=3xR4aZ{_ka>da~_?6_d< zTJd3BU3*Rr_a?FFZ0PlXvPxU7;Ds73Z~UVAQg}#tp}o8qwsNsTA#JfeTLEv{{}D^Y zt!c|yzv@q>Mus%MK^0VkHO4`S4Zmyy%)8CYGyn_?9Fq2-=MQrc6ZsnWO=94rMiykb zo*|d;+1{ORjZ{e>;9TwM9IX5oFb^QUaO=MwvJqx0+yz-)vfc2y(XFXA0m2#|pURxd zoD=~70xe6&unfEOE_4%z^YP`%A>W`%;ZI|YPfuM<<}C!56%r@^M{6qOp#X@+f63?1 zD<&MzN@Wwa5Scxni@zJec7XALV>OuNVqWi>t(Zm(#a_lt6*oy{g9Ko>xZ~mSto~H~ z0b4?~tp59pInNds@RQt1z6sM39Wte>05=Ke)PVd#9zJL9wFY<&)B_QNS^;>FcIJ;anGZTn8}W+hDLi>q?Au#@2+Py>wE>VEV15zGXnZ3d$22G7iaU?H^{ z(hzfMBw_p@Dg*n_+QigyUeh=ZswdbH+NFEP$TvGEy|hrY$$HJ^nA3CWt?vJrEsp&WGBgt43m+^-OIN_5}Hye43n6q6Yzw8uu;Lyp)EJm_~UV9t{eH! 
zKda!iQ`Ry^2ybf(Z>I=N!7I5aX~b2#p}_8l4>I&;n)*^l1jQ*w{O&y(nzm#FZ%tow zW9Oh5kktY@Lk8squ;Z5Ff)2_7NrfNku`A?hHLJhkC9(}gXeYMqinad(kGd-fkN{J% zLh_t1RpMCYVSK+L_?GgK;MWXM2X_LbpNI@t*>euVIAqQy4Y8;sE@Y1^ z^@IWwEiJXCCG*KhKBTu2!aas0o7jh_zTJ8*E1acqjm#COPXqOZ`T^B|AVQS;E#h7~ zIh+jq2@4!udV}&n$f=dgtFAxB@H*B|U7_%)&mwS2TMUL&MI2H5t9)Ow8mTOEJZl2b zhNqWSVhpz1sXa4y=U})sG32jiv)y`C6LM`rE!3E?yLK2tvP@Z9(Fs%;%^7jss1KzE z-(+x5@1;3SeVSJ_pWw3D1(1$x7wbRCp>sOdZsk;wfy3_otY-PD=cXoA|A3S=K zK~^g_cYb%y;15p;IWJ5iW!(F_L{$$ORBGCmWktD`VxvUph_;=TRld+9 ziuJrTRV`xaio3e6lIajsX{Zn1n%hf!lNej)>#p-j_27oFlmNa_O^`4>JvHMZSTnh& zep;fykilr(X^2H^yn0wmB9I^umE6HN`InDbgPOCifxTydR*UJEztr`pI$Uou_t-QV zw9IZVTa&a&$uZl@)`oZ(gG|vuV2Ps4@FWi-L!lfTn#8Ec>hnnRhLGEBao;BdMOe;<`)9tX{-0N)jvy`eV>9c7_6^2wMk-``;B@^G{F0327xnU7|mb3PIzK z#fV;CWr;#=v+g=)4^EQ$@B?lUpWfq-YSDL#m3o>tJ{oREr*z)R7_7y-UTeSVmP~8f zmt(O#bHEM+hP(?c!UYKoVZ)N3NK?lXN)Hp#GA2lBHi{A!>WWvZQr3u_@1?)oy{>e1 ztuAjYElv5}g@UW-=~+y4HJIpBK_QvOG%nm|YToQ1R8Aln68Bn%JsSfDp%N)sq!+;| z&D*Z~O|$0QPH6qItc-=z)mG=@#i4YTl?YTaiP_h=L$m#HQX$8^p1Fth?qA{+((ZfP z6PLJ*4Qr$kGW1P)n;ulKv|QW+YH$=7e|~bvRD;0)?sRk+>O8rqI0ih9*QV_pZp?9= zks~yEcFPd|qt%w0_X3W24b9C(dFv!dc*)uanw-4EZ?@$@%EPpVsv_raks&ay&&{Mo9F5WJ&$P8@&p$E+=H0mv#&Y&{e71sWS^YMw7Tat}eLwe%!E>|B97t?W)CYzlr zpQ<&VpKEU=LApB+V;?BU+uHV9X!`nO;NNAQwfM9+RG*TF-k)|8_w!s|-0v0C_=<4P zY)zvQM*9AKEXJQmtQ0fV+Hh-&|uzK}=4Oot=Wym>i|twpOV1iew9DicEc`Z(K?g3wYqYfDQrqWrux+Pi7df@wdns{fM((ta8( z`qUrq(;0K6T(h960j+>LCCa_XCu~1?WSU*}QF}r~$SR{Pv|X)8z9OCQn1PW^t1NMW z&4Aq6;X*OS@YC-y-;1iZkGyBq6=;YOW;ELl-gh7HBayd!3#8R;iqBl57*JxKhA6y! z6w+R{tc+~oY}dEj7nWoQmEeB58MVFV<*36#X|e2Y6V&sPEfx+C3zrn)oOUlM^Ze{G zd=gtGQT@^ArP`J8V6m}gu~;2x)Xr$7X8qA)CUWEPmd}u3N`}s0{pnIk-?;kzwkQBf zkfaGTE#Y1~3OTH$r;|F^+uwTZf0g-KJ?B28iGWAY;`OU>1)6BMDtL4oix%7X?OSOR zV+h#s@nNjHJ3g;W08)fUrLAuEJh;<)vPZ6>L*G(Cnc?|CTR!KEo~CfV&A*RiDwc}b|<_7{yPH9IuUZV3C{K9$bUAqfvn<+1-n z<}8%lw1BIaJ&gEx8l6>Uisw(C>~?xn2F8uL2+YGnSNJBfh1aL1oF1;rhRVtg z1s1N`KRm$`okJrgWdpO}Yc|N>{nW(oMz41W$Leyj-rvm49Tohfq3}H)+AMT7x4V8? 
zG7Ea!!FRTr?jGZM$Nl;gG||qz>pa$gR=};pr>U*EdqlUNiD>ltNzLTl<#$C*uwiS_ zw?%XARI=R<-{zK>y#gW8F-pPhGiy~h6uwV=gQ-`G1pA?_%d6Y=C7ps?!e{94B3;k- z8_*)5ii+d>`&k7uGdWq0w&vziVKRiF1@PE<7>52j-X`6zJtJ%mE1f5O3r3H>+>O}S zhg358eU6kf47=wxT3w!wL*gA5!p#UmTLrx`YJ9!6G**J!I$JKTR5rdMbl$Byczu1K zI)1v0D z@^1`rGGVZ49!NKFg^Fe1dNqeh5x*g%5!yTfb( z%;OEwnK|J#(a$%RCtECE?mDg|u zp_-XrLu}Ni-!aIw>Bqaii;eB4wu_2CdH?iqD$*9@?4yn&$>r?q;*!@E8pq1AV8yg(;iqTUsxFE`pQIq?ffhqnPIvZNqcmn~s@5yG2QXh+w!3*VK z?4Y|H6kuYG8dIJL4V3thEsvj(ru*5mAV7>>Za{`$&$DIKlv{}O9$s2TErEG>&_mpE zk|B?bF}g25K|ODXgf9bBek<%}t*u#iu{9@zDo%x^b-dVa<4^^Z8yvy(^_iJ35AQD4 z;Xb&1Y!+^=Y5x|p!_9WGS|=~-wP$G%kSau&XU2Vo9_xD3AGrQT693Hi<^WYzf~Lc{ zAc)UlZSD3+VS;SkNDab9Ksbvz7!6_iuU}X&p>{;KGAsyfaT2Gn7%`I?HrVSWekwlO zleVT&*{rq{=~I108U~^&sXTI_B7#axVE*)PC9Fq!cybB;kG=tV6$>95Yb%nO;tgHI zlW?iKH?RL}E{+b3+<_{}QBassB7h9tTB=%V4GdkiVkM9x2IYd>QyyLnrBQ*1@+&mj z7zy?+tg2OuMfGVymHmQ6)?1MBIo0e!V)X)zdaav>@!tA2Wane^l5gQq#{wm-(boyFKrt6_rup#+(7&`~*)6 zr*8B1Wff)h`3~9Q^G0 zPgX}{pB7k+;yzZ%e4%2XqlafuXV?J|!JXn-Q-w@pw}BYAH(EP4op`vpbH0DZ^YMJw z%@|Uu=717vlf9Fx+#+G$lxk1gAyL4!N1%6%pB*Igj!ho|!<8n)3}o$b^ zlevTY*$oqcRWTjuy)>sl#Aiz8=#aN3WLc~!DcA?jC7n-qemB~$hiAUL#FmkajN`t4 z#%ne_o4xn1EL@v5UVk-<%t%ta?lrSE=g{C8uT7pWj(y~#9q6~yiX@#4-~`jsyWZB1 zv61`c^#HD$`Tjfw#AN4HG!wh(g_#f`3DLmZ-OmiXf7pp^4^%3$Xu^7X8T@d+kGX>P zH1RsJq3>WD9%!{R*^$g@CD-!W;^U_Dw4l)&h88^K{ze^(il(cerZGen_X*(_M=LJq z92PDzvAoo4fByIK-p7>n$4zJVFcy}^X{xi6(A$7KwJZp1THx?-=gWGi5IQO1!=LH& zt(q?1ovpM4zblH@p9Ds}?|@CqPruK+kD5;RNM0{$UW$u8{%PB|4+X)vUZ|3B=SZlv za%057Z_%Q(F}S!AS3-g&<^V#%ysl5HKqOYG@B8vDDZIf;xGw1OHdl%c-bWc$F@7(R zInUdfD~K0d<^iD|Vp*;_CjYY&O0|OFpr2Z6qY5n9Urf7SOlMUw9J#zqjM?EqPng%%Dx1%3Rj=!wLhwL`xGyI;G=IVik8|Ty zvwk{9sDx;^SY4d|tL)_=y9{2YEJ+Ot(+?Gne0Zm zsCGA{*(Lgr8zDn^pdmZmcH~FpK%9{P@9%Pkn(>8xujSv*@$5x)_;bf)%)DiC`891X z70yOrgn@<5+u{cI)R@V3nKIQ8g%MQ3P(red5cZ1p#?tC(_V<%t8eH=mE32Cejp|{b;7b8viLdvrihCnF)?5( zZRl6meVgA?!s{*@oU);oj#h%hZ<`M74xff@JKIVJGa8dG+5M7NK%s0apX}NZUCm~B ztI2`0TIt}HA1=;!nYlG99ew41pXkj(RkRA4S!R|_`n+&>xH*Lc 
z4-0L+v2V1RsoN;X-nqoh5~Fj%*A@JzM0-4oZneX6U15sAg_Hc8cfWLh`zuWcU_Mz2 zUB?~6!>cVEe|9fn!vYgW@qD?(<}ht_a2Y7}K1d?ZsWe~7o*XT8b}@b|t{StinxGJA z+`Rshl_%09&GpuvDoMt~vC%E26mJ=}faXY}Ug)3S>YNhO1A zuPO$Wya?%%=;DJKU*~Q}*Z%8;-y=<%5`hE9U!dF*0ZBH0im*VHep1C9B$^NVjs`CC z4O}+bh_wc&N(PTWHa9iV#51fl(J4X-1`6Pg(1+$FF&0r`aS!iVaHfG-Y50?Y=7|!@ zd8k$rQ8IVVL*!aSZ8RExmUsqp0I3zY4EY-NXZPW;p^}U ziyK`x5N?UkPn#+Po5%J}yClL&PiiHDpGz zCxO=J@-@#}z3_(IEG47AJSfsRYSZzrRVoeOXvBwd0T_m{n5Lf%^Sq zCz3fEg)?nAHvCqI)KsPN2a*awW)nPY{g&467P|4E$Pd%b$Z*=pN8@yqF7Ywur3Y5v$oy8`LTXhQ6DTOXjMBtrT$G@>AtO z^7<_Lr~=oQ;CNCL7L{qaMI99vntpBFkz(K;dFYzeXd2gGJ2%dPqV3_MDowq_{iEiy zR0843xtGyTZ(TsuonQF#A?>fCKX0$T#~)LUN}Bj&uZO)1m2bg|nRWf9@jfWQ&W z+g};8ML55j7Qa=$)jnsreFE7{UMH;m9AW&526H!z^8-@LRirR;$~o4;)mOdoh8Hw3 z6FtlFXL!L(B4218GchS*yE`YkPuHaA9)Jd$I3;J>%$?AHidKHv!)LlGLsw zH1WUkdjoFYVDOI;#|r{e-eny3R`!5R=PRx7r?d~WJ(Hb@_wuM*#gh$xkX_pXAHrwW8j2Ps(a@;jWAi7!B@CS^O%lw~!-iCAJ7==*yU==(O=}B;0&gmi zSg6M6>pW~xfNQwzkZDcy51N~5b(TLN*}7oGVO>oUB!Fw>53{2>O;7V=whf-NLN~F9 z^Zeb4MsY#@qBGb?KdQyI7I@C&!p8oTK3BYNiv8bCve5$5JO9{QTPr9=mk2wJER301 zwCq?9kspM8H>p@@&Xy4)@~FIqiL=mYs=v{>@~ExfRS-t_^20P72>VfL8j+a;*2&5B z@Dk)?!9uLXV~3v1Cj9`S!iIM6O4k@EvS0K+{3v3yotjVe@gz4{1<-SpfBp=qs^`|i z^H7zuhXa?(+FZ;?J*~#O$hbM3#%KT!;R_p7(%;DuV$1RCRu$?`w?KN$5D44rn<`Lt zl=1h?0rGABf4IUgb}R&4!c9zL`*`F8z$nYf?`>1B?jqL-6wtnm#_4OsImmW(GJM*X zpvMiDGD9f>(@F$#sVy=fVYyzC=I|Wvz{8;Ah4h<>)B=epfkmI_h78`=hY4NS+bBqs zyK$Jsn@iYQ_PaqUVdcTVfJ)d{eS1B;>0}Rw6H`;(dK5WVpbImK+#z;Z_=t@hM3d6J zY3KyXQ|V~(%a;Sw;}INoOMPktmWD*}fk+*lw1hM0l7{T2S6998v|J!RqY$spK| z*vb$_WOF>7oMlBA8_}EOOR1x&d+Ft{*MX2CDN4x?|2_R_PYX1_WhE_)NRCo7Qcf>$ zR%qH2kjDZA(V_L-oP^}lmo4C&wA*NZ0m`6E-nsv5alJmCd_9sJ2&b$i8N`-C8>cTq zXAVfVl>;gTHL{?G?wDjKNzV65V-rKnQJAOV02RwT$aK1jibLb7Ni8gT*}~>qCE*Y%ySY$8F}U;xOqS( zKofhAF|KWS=XQCvXMVN4t-Vl{RZ>z!7Ggptt>%=L3D;YZ1>3qjbcLoAX;MPV%1S+l zJYh2jxZ~n-qV34lP{2;4L6HNW4`O-r$G68fYy;U$$@xG2PT_Ggg}%e=GD#XU`k%aB ze4K0H)9YNj$zK(xn-60q;BLkttRKvm&_ydF%kNOl)w9+zM_u?X1k% 
zE|8C_Ch&&9rL2xLk}C7PRsqr!Y@b+6LMnlB??)N46=!GNnLU(*H-B=T^3kZp7fuoqbGm`+{&Nyrj@*wSr zvv2NSmwq?lZK^H`XzJ1M2ZAQ~O02){nk~Yv>+9Y`g z77KAO#CKN^T{UqssnfFC+(LKX+|rosJuVnCI4X!572x&giZ1dte|nq9ti`Ql6hHMV z`sjE?B@nX2bcf@$f_)_xCdAwKs{3G4_S!&hcVtm_S-8CG<$WjtOAZZoWlmr8U>;=W zL!5!w>*7jBM>*^%ev6n+G{ris9y_%dvKR1FCe9hDs%j{)gayl;+hkpH>N7OCC0$94 z+Xc^Ty%^CPG2LAMbZnn#niOT{<`E$=TlBESsQd*!#2#Q1LP~x-aLK<*j#eO8D$RRv zX=qQN{HEf_>4Ecj6)r32o!t?mFWKgZcGX+A%8B9ZXD(oVx-muKy_N@r6iMl7UWb!TIn#k3Bgah@ia|=JEFP{)pN6VJ zdW~z>9Z#*SSUMsVCniDPNwN{uz`aW(?bM6yUI-}Z>IrzWu1t#Y#ymHiu_H(ePWcqp z#b*3+DIP;t_04jxW6#y+PFcE_@5_DLeDE9rxP|^aB1d&p7EL&a{Q{VX63bDEry@2O z3K{)cQquw6xT2N-3fl6xRr*^e5D@!<({ae-7P|~rYxql4cpLYWOsetZ50&rm;BK?1 z##;T(kWD76ZE@NR!s+N2u16LIBog+%00a-2n_>zt$F1pbWqE(M?F`4{Vqsmm{vZV^ z9e-JGO-ziTX~uInC*nV>b(TtRTd3#Ambk^xU}fPV#Kn-Y#mTxQT(?+Jbj09C1+Yp1 z=rgxBvYu7PM2D^_B$gu(Nu=vz%mJ!WJ3QB0QEo$zqjuwx4i$m-+b#Q z|J-5A4}08tEp(--w`XuvNt6OQ?8?;t9FlX#L?^-_j_+Kj1K6(Qo2^+-)h> zUXTEK5uY(xS#(xnJH=ga?%`sgKznm@XWwv)RF+n4dT###n@$GfHZfLV>WRUb<7!hM zr?wv4S!YnmcQM_cG>^t#!aa+uiUV&$>(0Tm!rV91Wysx{DQp)50~2W6mi$V+AcWQKXRvQ`kUYQx=kmS3MW;?wZu1(d;JUZ z4YzL=ZQfp9TMMUS>31r{BFT+K;q+dMlad56Clm4eZr{2!IyukFb(^G7q1{+S%w}^S!&BgF#+K!rF`= zU;XB{%Zu$wF*hNWuszl4?DIMZKxZ;j)1LbJo*mma)z%ghLL};4ICl1iH;h)%TD@V% z-siW}maEX|Bt;=0@L|6{MALeUO(~Lp9X_L^X%-69@fF&sm1e! 
zz&T@tz2{{5`=$vpo55sdIMoW zt}z<4;z}6BJJJtRFWQ5M*ZyRHnwZ>@b_D16z{QIf!kn5VRR)Xg;Qr^zOY8{;CJu9f zAL;IB>+L`Mt?!vMDn%koa&pk;4Mk%XM*$p8;`{^7imzgmy+H6xaAy3{z0Sg2hjvui zHE@LZoM+FSseAs_s;Y8%)N}XF-QJ-YmQ+@5+OmJ|4x>&lV=-5;l`T-R*P`&=(jobCoXDWAW+gx5&EK0#KlXgdRE?+6MD$o~f zUw8M(<0n7=;zUbZH|iUKcaIHSy>?^N6%lu7cmfkyQ5wDJgWgd(C71AJa?h9qmviJfiKV?A->be!6`m|APDF_1aUk= zU&O%Sa7q*V0!^BPz(GlYP{=gKvZ^YbM$HF&AOH4uZ9_BYMgnw931|aEQg1YPX2|FQ z*a1g~o1~1QC^~re>e=?5eon4dQY@UD;*J%<@S5-yavdZ=mee&UM_?ffQbgxtvXk_T zG)qX+MM{sb1nurbYa=new(R<_?8xOL;&@Yoo13R=yJlaF|?pj>z$OT>%VP%znRup75etXDd|P_NP6 z8&@uVdH!ygB?GRBlgE$s^bM1A^s6sFKXv{FR3RSJPz!1vGECsei1+xH#~PYCKm+tO zB#NqF1(BQ&<2O4%?jsruP$yb^#k+=Q#=Bat-MljwAqcrjE+b_G2VFpdz2c1kU_W>T zl|i<`KiWpG=q!MyBk&lAi5&rd&|(@qGUM`Iy4)~6;Y3vkbS$`V;;Re8(=LkO`Z`-b z_}zQ;4b6$JL zCq~a*z3U2~flY_~cW+$i9qflb5yuZaz&XilUud+WEuOn{>Ef-HZtx_;ncyoBl)8i9 z=!+-5IC=g$Xb`K0!v~FXkQ7}FfCj#)vH8}m+Z@5n&x~FC{Dbr7FU&?n`NSxN8qv`8 zO}RO03f)G5esAdIG* zfXj99^0nSck2EbrgPzM@ofw-OgWYpqUH$yaQ}Z5AU}5(9u@A0XzB-S3k!iSo@fYuX zGV1hjwCBdvOUF-Nc6$QS)F&B`?HGCVfJvfN((6MtFk?igwtwflNqJp;Q#+8?5qRW6wc7@C^3!9XPN%&!GPDv(G>M^vio~T^ha7;jlsV>v-4UX=Q$X{;RLPQYaJ_i$zLl zZ}0fxi!Yvk{&{dzwgZWQ$?<3Z{Z|C3{KJ3x$JMp9Mft^LMK-fhH8wQx;rkz)K6i0& zc(k^zW_WDkqmNG(*o+26^w`MftNmZ6AO3c|-R= zPfs_)aaV6QR+g2YeCOvEFJ0?!#vqXLkG9`#Y%>;b5+Z>Q-uWfW+ePJNa9linJ@{9D z_3vwIHyI3i*bapw7cX3Nx!k3tB}=lWA^3kWK&tGx-!=>dF zaybS5T-wvm8m+CZ5F6TTR<&9KUWYTwjhi>`-np}5`}Vkm$YPJc$~fx0e!HP%$oJNF zzja{GW@}MJVR1!)PWH|}{;Y4-zqzh@rnl|%i7#YYRa4KnJ0wgGbX_`g($7#;RptHn zzWVjszpL-@kODnF-g&p9-&|C!=A*y)`QJG`3%p$M^S9q~&CQ?w;?tg?F++a2&7k5! 
z3!i^+{L{~m-)U?!S?o5O8LW_wh199_iN@#iojiGxqA0uFE~WJJ^c*{OZ2R`@ayk0Z zZ7DGU?4k!uU)7Zr6TQ6)UeAyJ<)7A8ml-Mg%Eil{eDcM$TlW-lWm&Odu&4iO^VsXJ zzB<{{eCDh38k2>M1itwA{S&9oc69fbRMqLV%E*=<)7bD z+TY#r?%VHOymD)9Ay{hDUH$6Vr^haL^^I~|NUl-8{lT${(n1yOI)3)@n2WA(XgFm{DG3ravC*OW z>)o#COW*&agS+dtR9EC%4UvHFvyVSJcKj50*kCjmEym-=&$l*rZ`o8D3Hks2=kMuN z8p1pG(Wjp^^$lOTbhW9eEx)M9kZ17CP5=C7e}BEGs>udKi}Iy5voF;g z=iFm()O>OBtIqz>vZ_sbjRFmtxZM)>?XL|bInK|YKR+=sQBYV2gCBOs#wXr==iL_$ z9+Yx3fl!3=4-QRSZkv4Z$e|*Wh7QbMzHmZcT3fkg=Wl-YtI^)xj;6bCj`lH%%94CO z6wZs-s8ux`ui`djGd)&t4dsoHgYa4L99B{=xe<`kd~luzy>{ z%=pNAzx(j?`Aah{Uw%P>Mx&-s2*h2wa6Lk^Klva2sIIb@a8KXu95hz%E3>LQ?q2%c z`yZXVbbV-gp{Bg3`_`%7esH{@&!3m4EGaPDxq0*Bk3PA0?KVd$O3O>21=M5K5kNE= z{rvMUc%Dm+{DFbN6DN*WRaL3g>TEL-z|V~ioI88=hkyD%?%usi8J=%wZ7bQnUqf-{ zkAM2bmnT}6_{5atn|z1OWXuz#GGQ2qX*ih-T^#_{b+uE7MqCpuy(7Dh zeB)a$9T;r8GwJdRB)YGbBpHDSU%YhV=Jm$CyS5Y-nEvh`-<_IWa88X}xOi!BK4>W@ ztgb23=yb)!WxKa+7jLJL9ucxQ%(CY<717f&0hhiFkz zQBzaXuit(<5DI}8E?>U#-tXQoEG&X;NXN(f3ea^=jiljpDPId~*rCqMDUXT7r_^p2=_ZkB-MT72u7 zM5EF1obb*&@3ywJfg?IPyZ`oY|ITiANd1(>IRYFzvaQ=H$H%&V^Q)h?w|5ql*OU}G z!n6G!fBJcVR~8(=5Br4g)^7-?AlsgTlw1$ zzZe`Ci#TVlT)fsYJa00YWKnNNXRj~J?%K6oMzU2kRW;R>RK(TT*w8=e85*6vbL*Z; zt&W@V)B&sNzxkWL@p!y2sa?Kut+l<~X0yffQivZvB%x4g&Gy2Af_#larq44KIIKku zVjo=(!Uo!!%vJx$fG9tMykd&kl8+JbflCH}2Z8?arms zx0~97$@i_F?PDQ7zW^efU;p~;g@py!y>b2K&wu`l;$pNIN|JU&zW7f(Xt}cQiFPeG!IK4GmA`+l@Lk_nY5-FgQF3U1qmg z^d{@}Ep-~!(|E68WX3-^<-C6RqERRFcwA?$)b|aI)|OjaTbr-kY>xW97mt5>tG@C1 zBd^%>s`uad)r2Q1UgtqP9Wf`MQo&KKdFS2V-mSj}zV7Yq|JgtOLZj8fnL92akv>%I z`T35bLZeQvQYi9a)n+k`_jdO7c5T|e&7jhJ^v=6C7u_|^1v5g zemOoLhAC@ddi0m?e&h=i&3Eozzkb$yTe#fR;pDh3`Wzgy*na)@3l)8^cGWXRaNWNTb-Sqj_PVk ztt%@n+qbnU;F`H!-|7p5h_Jh>tGjP(VSIf2*r)GX9gf4Ve7(1SsJW?C@&kYd!bXgR z&6_s=_B}W!e+VsbyS<-&{zXS;XI`E$o{h+;Nr2^y$2tAg$uHmk-DjVE^aT<1AOG@; zOO5@Tx9;Fw!)MPNA9VTKdd6E@`*}9T(BWHmnw>NAk@?vh*KYMp2TTTiZ~f&v_in-2 z{GIo{Xm9J=Qd{ZqI6aXl7hki%dP{)yQl8CGP+Yom$Cl@}6wXZy435vLYL8risCypR^f9gmHYq#&LtN!5KU$hKNMdO|Fcp;Z5ELQ8g 
zzj^Q4^&4Q`(9p;)fAwpaKokmerE0kaBt^nfiObXJ^m?N|!bc-PJ}~~(h4U@_GkbPz zV*}1#|MsIG3&#uy@{ypov8mA=4DH=nH`(8I>1G3!S6otDA?KOrp4;LNdd?g_9}f8U z?5S;NX}xi~nGN|r``vGDwRTr;+wE~X!$BWUQIZ{S_(Q#NAvQTV-aF&j_WaSB%F2rB z(!IN?Jnn_LS>N33T;E{-zJo7R)l?LfZ~pq%zVXj~^4*GjW8=lMJ-vO~4jeI>?I(|) zjMC@^gvX>iBq!I@)O`N=XTN^?9T?F5K;-=^jd;vqBOc$@#!P=5QVVw%{SkKne^?q-?@14(gz=Y z_|{u*ZQr>go}C?ZrALO2XA0e8i1r1Nr)eg}DYb3cmx1la4ezPxod}7Ew8Ss zs3^%VD=n0h-1x{)duM;1wXC8X9X?NGhkfm9ufwbgG0(k*hW7ThmtTIlyu1u$EH@Fr zI*gK|NrMoi6}dvK+Pt|o;$P_M>KdM$D}>{~ZX!8Wuhl+x=+Mirzg}c>wAa^94fXa6 z40(AK$I?Q?)7ab^L$~ZmI-lud0V0=gf9u;2`NL80)mP_#{_~&z;QQa-yLV4KTSWBG z;;c=`)qD5s{vZGJkIRbejg5_e|M&mU)Z9hTQJ#*{9J+ao)^gzo%EP*T4G4>$~^tw&a-DTFvN;cTj*FQYtE-1?H@9*pw7*^&PD@*J=$EZvN2M-jIWEVz%KI5{>t_RVj8v$(h@p1l;Ydei~pfdOY|Di*wR`=+CM*K2RQerQ|S z#Mt1#loQ=%&T^yxfe;^K(GAUT7LX}46*~@m^Xspbnq^Msc0L5`M5;OQ7&Tu}PL(Zh$19*Kow1Kr&ty`6fqb^mK`>^*oO zPp>8kMx`L?w(hDZE2D$6Gc!{|6Z00E!BE}d-v@z7&ZQocXrO*(=+IBIBYgseo=8{asFsq!@SGm zWl4gI(m_vSYqxm&=wpXmE_?pD{d@N8J#q5XC!c)!;YS}qD_(p3b+z~=__7N~a5&Gs z{mY;K$G`qR&);a?yLWGyksIjmnGaKREUH&b^y*97wr$oZVQ!2M z2(U(c2(eg%5eT(TFGDjTsnICGB3NS4Gz;e>h=!q$;21LGMW#@lbdd+PKVaNu{o^X>BTa!Ka#KM}4y?2N`* z8=FWjcJ0dflV{G7O7-pf=5Ux3M;sj69K-T?X1mE`D=sPh?zg{gGwUgWhpx337O6EF z1(;GsVskm2SFT+C z;Saw5`s=T0H5&1lSq>OkXmG_(JqSTkDL@n|SHQVW{NO?2+$3{s#-mH2?fF8*&aJ>2E_sYsj@7CYlx~1;>Z@p`U5zYx+R*9rKls59G-}QHufBTzxqW+g?@HYEzry%Lop zwF1%m=FOY_=#PF93Wcv;z52r+{@{%_zM<1<#Kr6_Z8by<;l zuJ6vxTlco?c~PHdRPYSs>U27dN&%4=%kew}91IPsK!e3vURn0_uf1x`Gl)z4rwW*n ztXA`Pzw_<7y3O|*8em>}>#a8n^7EH2?^1dqf#_&}XJR8AEq5E5g1n-js6a-+!ZyZ} z=u@@eZ{LDJ+- zrq!sUv`}C%7w1v8n%iA6(>Gr`I@{lTt+Bmg$9|(;3(I|_RuA^u&3ctmk@%WJfrv%B zyL(LqRX_US55N1;Zs*i^Tjwap@-jKe3p^}51Fl&JN5|&_CcE8aP|_UD%apKMU0K;QUN}P<0M%L2*Y}b zqho9|>~gt##yk+)vvA8|}HkXX8#|Aj|j~qU{bLWmvKm8P9{x`q-UA;~R>Dett-jOTiaz!-knVAel zLav2iG@?+-l`@irLqn_4!f8OIR#B9kg@ME}FuBOpFxa)Qc%le87-TMAxi>N4G@J7B z@(gI2B4MdUp|dfpXgL-RLyNt@lJ9u#z`h;Zwrb_zNp#{yUm^w5Qxq1lfuYe^7^5(d zXQn4_-n`}V`5eW?TD3M3il93VW$3yboccLB3PF+4;&9{_eDfP$uP!fsJQuytwmhTZ 
zo8SD#zP)=Io0=>Z%lE(kW=Tnj^ltAm3rH0E!|{9g@cvD8wZ1T0URGhz$YAc#=h=)_ zN8Q#f-~8GuFr|Rs3Od&&`vP7Q(6a-RXve@nR{1*;9 zzh}p024B4 z=RG|=!$U)`UV3idKBZC_&wlJ#YuG8c<~#$#GcUh*0^vxx=r@8VbZXLQe%5h6qafNoF~}XvHsTP zw)2;6z}mgCx{{EqVI3Ut%nl9?GiuB3ZJTHM8;8cmx9@+6kjdrfEweyNOWUnGt>fcU zMMd^JtF?0TmVkSnVqyz{=)A|TRmfmr^7H{S49r5`{`R;2$xr_T<|SBdOCPGq%3=nr z;Ly!}F!c)@%g)SB`@8{-S_dg`4(1`5kee;GAOGkrM;>+c>QyhTDJd$Z11_2)rsut} zNKmg;l$Muyyx!Z_uD7+dyL^6Fy_Hwg6q+>GE}XsB(lazZyS1jW*kLLwu?>!n>8*t? z?A^r&78;w|_wGMJkqW36hBD;Jkj4jc>46|zP>)E(?t;i#Hf^9?kFko zx@P;kNBlnT=-7lpu7af@O>$6Nu29>}x{1-gq2Vc&&SX-sx368gez$#kc3v*fAU`}j zny1%Sm6to`=VzTx^p2fWSDa-%wk%6ZK;(J&@S#8bXaDr~e(#5S_Uu|^g-60-S1wa& z@(YSeOA3lh3P`nP$M$X0gB^Eo-D&Kdgp)+6-BM9x@-0kUx_a&U?S@z^3KKs|qNo!5 z1}b=1F~O-E3T~}#YPxe9oZdUY#R8PH21b%_Xt4bq%~!8n`{c`0T_baQpF3#QP}5^W zY>ZZD^%3+ zNkv6rd6n1YY`t@%v9ZMyj8YKJhofU7gPcH;Y7;L|5D~#T%3fUTUvTzykE-&_CFK=C z*9;S*r#%oGu^M#i85jd=S=K#2d;RLw<0sEuyw_b-yLn4xzHeb}Vq#LEHc$#JD2Jni zQ0k0ElW%5Zd}5-YdaD8g+K4|y3!_s`1BA=*Ry=mVaIspAP#;L5G9WkZ9M~#7z1;H zWDrltKm$)Giwg2z*}t>l`h`;`PM$b@@oMAH=B-;Rij8KQ{iRpG)>eP>^cSCBym0Z@ z@l#H>mr|)mXJ-9APl>~-P${8%=okYHTl*yPV1XIw;KBX>?4SJ)KmPIWJ^$QuDkb_} zm^hD{txH(bR|=tl;hc8P%z2J{?VG#z>?$j^Tg;Z(IrpZrLZgOSpvg@;5A3dRL_Jfp z^PV|(D8Hn9-|p>n$QR+MZMzScwK6#+lW~m4HN~lQRhz2Nuwq&Ff=g}4tKMAaUGT^J zfp8!g2-CIOcYpI+U(YuirLZ$OyFB(TT_+IXSS%KY!vRY%=!@l!;RKM&F`?kJm#f&k zy|UN{D{eX(8X243fAkwgRy^2y1Od0*HYVoK_^A3l1dq^MLwQU009*?Dh> zmF<7wh0;Q+M$WpT0Du-D`L9&E%{7OSt@xE`odT5tX!L>BC&CEK>%S(nwM$JWK zuYdh@SP{xd$~!ydbo&XF@ww;rI?Q>=H@Pqn;h4>4yWK7=veOR-v)Q6E+cs_8F0hPQtKuS&**VYly$6pT-LFMo zHY0b>&TDn*{PG%ujA^)bo->tw`$s>r>lo+s)VUkYbv2uO^9vf2ODI)Yhd9fn(~wZZikp3W+c5%hc1U@BiRi}oU=2eO1byoK@Ef*Y}ggx zLSfco)KhZu(9y#*OGRk;n{T|HuV!c50ej7!>XQ7Rb8Ob>_Jz4^yZ6-9l$mst+aH?u zL=7snMysjaxx04DHUq)Vj1En?!zM@B*Is|6)UK1WL06dE{oKL*b!7qf0z(?U|K^(} zt!%*;rUm75+pAR+JGBtqRJWt7z$k}+mm(qfan4S=p!-5Z?Y3Qq4)3>_l?tVN%IT+g zV%L^(Zy*v33o03<(W%Qf*Hu>4>Im9BHz8=Po44&$MBP5u9H};H%!Sppo3>ZjJTv1H z&VV<>+X_lvfAz&eE4uV8veYr_M=qDy?KX?qEYEz4Bc%#yQ{cVx^HHUK>+U^PEqXHy 
zjwQ3n?46sQo12TuP0t-Xva_zHFi+<9OwR^_CP%44uHL_En^mux3q`B9@2RkA=BLK; zifT4**-~y+O-~PdXhEyD=cx?4wpEuDS>Wu?#pv;IC#>0gK0nP#Zr!8xZd9N~8Dd%m*FvH0aw8|JD9h+3^K zC@9eD(REH>aZ*a22_(?Rj}%(9)~X{HT+Vq*v^!gORdsOIK9 zH9PkleqndMEzci_dgh#YdMzhcmu=dycl#FJHx&r_Sw$YDHda(t?x-!+>QqznK?wYJ z?b;0M1lQEGXTi_N^R{l=R#IS7Py)pHa}(pyXfzn%ykV|z)ApBMdAYjCqN8ZPcVQtc zsC707hPH36+`7G%<4Et^yvb^)+_sH}W$?@tteLe&$Dsqy8DUP$Y|^6#OhFHl)Mzv? zBN+_(#rNfxgCxQM|E$Y>;N`EuGR8>77Chd9&3j7=3uyP`ER4$#U%PetmfDJtXCcDG zcE9ifCCI}IUJXp=3bm!Ua?kD^1v>fM+-y|P?Wn7BU_LR#|9L zDX4CJkk*rn= zOil5m2MmlzpD(cZl|nEDt?Mg=*801h0>p%F*Md1eU!~Q^37V$a$r+E$n5QJ7t{|(k!Vkz^cV+ius(r5N&Xj=oILhXUGq+&jO(_QxTA1<# zV`@u2EZbv2zs(LOOJZ(jE*Ofj3XRERv_U+-cmWTy4q!ZT;PaW8*(fXLWO9wc=r9}M zs0jJJZkH=e%V6bKP*kW_$w<}*3%G>{QD`%nv?_v)xLi)JFUHCgnmkjH%`5~xuo944 z^YgWGHte394_h4td1~Ih;F%3DR+CZ9hwt3HdgjcDoiF|1jUWEVp(37`J1QO|Fn5Wg z7}nO&ndxb{0ew${LZBBW$1Z*G>E+JJmw)=NzjLHUPlSK<^WQYLwEeID_TNNVUZ%|} zvRgGWCg6jmvIov!N{y~C-==;_Lzf2+91A>4N8Qf(Kq$&m3bnytw%PLJJQEE~O}PYu z)N0i%&*_cka5&7doWQVf^3YnWR;x)##G;|_+^kQj)j(X-*?8;ok3Zc0>hJyN4}Z_0 z@U-1){Gb2N-~O9_{Xf?@43t`vXSbVFGJy@w%`AjN46RTa&8B>d5jqafX3z})ggGAP zd^i@fmli8YHWrwlb48=P%%Iam!@=SbM>xjJdn089`CMpW-XB$490nQhaZUxpJgHLK z@*PH41H`;emoE?_bZQmPFgml*kf#s1=iM$(lu+sodb{1Ok@K|QIqPNBd7wh!azd8~ z73F0rD(VYFT_Lu_Zj^C>8COhWvYB--5AuWn!zAj2s4NPrZitMGu>RM`*l5^4F&j`Q z6r}}u^G**$zpxY`30`f0#iWsj!*qTg)|C1A_R##4-|v^H3>+y}=?n!1rQbc{_A_CQ zQt7mX1^GI3PpRk!>E+?WGl2!Cm!b6bLcM}epbw0*Of2S{b%tUBsn$a9ny1$YbO6Hd z5KZWe)^IplV1@&Mmd*kWwah&`#w+uTRx1??OwUZlpkp)!p5`qkL!LoR5HuHyP0YAy z^c(nuT%pXfKpX`f685-*UUxvQf{GO}K~`FnFK2=?bMp~WQ(`yESU-fFfd~)Le|~{@SDGvqs{zI!{gXfZe{ZYX_Rs(H$5HeNWLv)3Ame=V^TA+< zhJZF4i;^0BzRen%ANTnKGIbtH%9I*ykx2um`$=bzlq<@M?XgG*qMsN`QW~uTMz;p7 z!C)!vnw|0c!#t%Bg1+CFSM`9+e#%9w7{bARN0Ajk?3 zTf&r{r;B(!KL3KPAU_<6dFTBqm6E3fPOh@&J2YHma&nTPw8i;$fk7P_VJMkKV{2Gd!9BKgFNHFL^d`yU0PBQ|J_bs@aFA$ z$up_H+nK@A-|bv$*eN1*LE;Ji#dn+po*>ajZ^c=RCk6P6_Y)~*fyJ;d7C}X!6uKD( ztr^8n%_U^vA1RH4HpQHHHYNpd4mcJ4EV$@c0BwR(VGG?$MI?PL35y8m{wpy>O2@1l 
zaA|U=q7P}nW6|5_FCNy5Pw2>i!$1;%PC)76F@pLDZO0EE@og(!5Dz2i_(G*%g)%jC z^@_uV1}0 zHa_+HfAnMN8(G9M$i46cPE2aStQX0d$dS^_4_o3J_EM+BeJctr`Z=+S#Lxu_Ar_n- zzS`I~J|8^t>MNV7iq&LbVs!k&uNr^&)>~Ei=(|HjwE(Q}#9DCQr4x6l=oIk`3tQkT zDmhb#r&~bkr1+^>aw$wFQZgW(LD1PGQ3@fQtkH}lri#0;hi(lOw?To_*QhK~jik`5 zhW5orTvPH1C4n;7OpX(=-h{cLAS9yKlv5j0hU$~X7;2{seSB1$ap57A0z@4TpSUYT zizFLFiy#>t9dWBrLy!b=vbYNZ$Y=4hfB*|=$sr&VcaFF#0Zsr=qSV+#U7~a1YLkgb zB&9njv7^xrAl56rJfWc0i7agcWPwAVBcxWs6vOg7|BIi0Qc_a>o$tH|$??G?x+SSW za$PMCc`}h&4-1(tImcJ2L=+A&ML znVKT51jIdo;lsXpKTA_etHr27pV*AiQF_`Nvs*1X1se6KYE!`dwK5y;pR66R#%glW zv9ijn8W787JQR|(uWbFp=h3=ly{ziR+?xew2XcDGqf)7?R`k=*E0U`A!Fg`g);(c7 zI8TWr-SyD?_JAAo(}Fbadb!v3jp`ugGTf>_Vc4f zI$Z9X!~w{oH@^uA{kBz#V%*c&0I#4oSkc>@qHDw_a3p$Je6u-@lnSJJF>4|w0k~&1 z$Hbj2K1*bzr0*v8pxdNzF7^{jf{sJ)SW9mfNOC|@PlBZtVp3V&bL%Cm$2X!IGIVUb zekxB2R1*FH=ZR!`OxjCN ziTxM0H$9TnQo#(x(r#+Xs>Ic1)xM!5)r(av+6ar|c;(_9dJou&MWjlXt!_D2rX;SS z;ZY!&w$$nrR?L)0v*7-nu^aS zQi;@Z8|Z9MwY)ZD0QzWLd^ZbeS!*yW-ZY6dlv^{&TGDDv>`EyaS&M*S8*N)^y=z9a z=e{&NFgDB{)JDCU+#afzOg|%W!0t zk(rvbjJK0&vjFRWL`ItOmC8I_B%8flV^jQsHWP1%#(8!e_25ZNy(>iuN!I50q({zG~T3xql50fTS()cN9}>Tg-~T#y67bO9eKJ z$I@3DNvg|I{3v9cFA_*|9C}L0mUN(m#jR{4>sm%&<@&FD;VGP*ux+rBGV8tmi9*e7?Xx{Qb{J z@r${#g6_6PJuJTDgk;UC!bvf-fu!RV9t7D{9hR={0U#Ni7!0uU0PEUNlCE3DV6jQ!Jeu?HObUWqQn%NO zq+(6wk-70r#5y!QN+j#i_+G)}tW(V*OFba%rpm9N9UqL4V4<4 z_<~a)rQ_mTtCQ-rq@u*;8eO`UdLJHAqhOGwOy!6~dYoj|ViS^1fLBP(#V7F^mJVt0 zhcXhI(rX%06)B`DSh31y7=ff-eeJd9_U?M%VJA&99UUF<9SP8x=%Zx+tR8kQmXcmp z6hdRIh}O{+1vvlcy17Fk-oJRqE-Bmk00 z<%|AXmrK`F??WTmx^yyU)MP^+lP07({xS6Gg9MtJ+WO_;2~wxa+f-ZmD1Nsyon>rJ z?YYJLoE!KskxY%-m9~>kB5R4r@~v7vCo5USbJwxNu;ocrx<(@(0SOCNZJ;CotlXd# z#2%6}9#S<=J1e?zO+MbR4p~(Z?)uySKLL-(RgbjtHL^IMavNGp+m>6o9C(u4_NYj4 zcJ@ugnjEmXf3P`nPri(@<64NYBCy}*+NE(vL%-Vn~HUKCo zTTV`Ot(BzGEQZ_<+0>;qYF+iktwnE`t>6u*p5!C(k_AZ*dgm=&KuTDq(1x-?Gk}L= z#1oF>qAZSzC#~$`R3v|A(S%4(US4jIl?7HE!7H(9-4B@uWDjx#%*na;;C++P5Hvl+ zH**JBo!okOh=z(auFGGN)hk+@b92_^wr7`gU!{6^4USx`^U_#NsibTbeQPl8F=4Sm 
z8BJTJy-N~uAw!Y0o%)>axlAuEp>7dIHUt8`MlEcv}|6= zakeyS5LryhR3hGP9To;NK0F}d5bJ<<5+{k$;-$svZ}xeq?FBOdOSO)Ry_>vr>R*xRRYvXk1R-qHrfOC*AR(C9UGx- zMV5FVy~ee82TDqhG}1IY@a8;~2;x1;sffL{(aubCo~S&t#!ObsmNFCiL{^hurMkzA zq_vXe@Q@n2*xoox5^_N*BUzmiD44WUZ#8i;EgkSw>q%tFsvinbKq3Bs7RR*5U^sQFhJ5W6osB zRqIU%}0{r!LY2lCyZn}qy}c}u10QNNa{*enp*|y1I&^h7|avH#)h46d`S;!TOwn3IhGzg zSr4ZiwJnmO0+m9aXO;HiyNRtuvevtp2*T;|8_H^`GiqPOnDo448>CVz70g9s6%rcO zs6(_cUN-J=gp{&6NuiXoi!4cm1Sw4_ms1rR%hHCW8~F%KdMsJ$r`%X;q1EM+V`d{+ zqEu>csx?WGrCCoZIW!|fMB0^7Qqx72B&?bH*YHpfhr*(*uq8c`WbCek^=P=yDxYvN z4&fyZl=f27QcEm$X{wT(Nh+5f*+~iksdbBFFPkN4krgu^E0CFzsmbT$BR3WWmv}CH zcP&cSL~6asZK<{gQz7PQCUrPHY}OriN=75Q6Xs{^0?C6x+DIg40_nW?k_A)MdCv@-GS?5 zQAtAMYHB69#X*=OlJGJ`R_Oi5ZD7P(uuMZx@^a}?mY6HP#`h8li5+oM0@^M;G5`@y zdPyy`xV1LcRp{Z7;{ZTSSf&{n$*{Ywa}g#BFpOa+!cay76?`f^QhH5F$TEyYG3j;H znMBG@ib<;Cd(w-TzPP!#760UPMir^%NrM4pN-t>Z2}86x(M0hj)!SK|pAFCuUkD*B zizN48L+b0ejF2V%K?0c^ zA;bhy79%LgqfiP`4x0=|@Dw`IP;iVYqXnK6NDA~zI!RQP5eO=Ve#B5LE5yX&6h~5^ zLMoe5rC1$$731v;TjEHmAjzjH7cY~h7LWu$TfEhrm@T%HhD2yB*nmty4+b?K%^_ev z8TXhF4TWQK0a^)8r$BqE@)bdqM#Y+Bpb;gA53%;FKqj&i+OkwkG7Hks4;>-RU^Xdw zGD46FM!YzjkeBp8rkIebWi=AD04ui>Iux2FkBMTkcw!PzvKWqvqd-g|p(AK`fguDb zl2dq&p-3}69O2ZY3N0%Mg3@iH(bZcYN&M%q&9O4yKz*!=kRGYmMBCInU><>CO%>Zmk- zE=#;`5J(#JC(?)xjJR6#n${g+$BT0jOi(OMDIfsXKq$XA1MFmm;8f65WCtwn$c<2)fW`}s0^xBt#j$R4ry-POAQ!<#E z4$(79eG;6oWa)-cEZuYhy0!| zKl|+3wHu8s?Uwvvi_suNgAEP$PM$t<>rNxbQw90?P>Xmdp#ybxZf<0-KQB)Y`o(23 zT2zP=A{`8PE?l~F`rL)Sf#E!(#b7eZ2zGvY^6huutH0MeGB#CNS)o!;bToA5>a}y{ z&fluPXRY@Sa9+H0^`qk#?={?OZ);U*bS8^U zL4ir}R>WUKYsDrqp&$X*p@(YVqN_l90>fLwVbyRLO z>Quhz!S2B^QfJYF_tD8xlqYEC++A#sE=zTm!TKt$+lA3-k{T-|ilR z713yKk4mMydg&4z9n;g}fB&oZTH1RW8tx8`4B7Jw#)ij628OM6i$V$gi7HR5m0??4 zvk@`p#L(chTV=AVW#}v-k!WM$6(L-{c($*vx2m=d%E3yR3x_Y9JTd1Bn2JhNuwF%O zi#JfzA0IryNc7tEYgNVep`oD*ciL+=SEK$%0%B`L&0;z95R0QUX+OS`02RQ1W7zPq zPe1ZRh{EDRIIIPZ@pyeO*(p`ZNI2~E`Q$1!OndQOM*qmaqFd1zlXk(^-Uatp=fA4n 
zR6~+tAjl9`Pn~7uq~2;44}T;k7Kec$uKZweNs@hoea^XQyVY>Rgx#J{jFD^96Vo#nFI}jqu2!J$7DqCv0}?$W@p!Z)K0RKDCc!#4JTyGf z+BIHQS_pw2m<{Ri#`000+Y?|Ym0BUrxCk)|yc3?8nml=}HNUvDwc)x}PEPjsk4%m! z_1cf#|K#?~yZ0LJH8i)xI4G-XymwopRv8QiR2oiK;t?WNgmz(849rjTjm-*Ln?Xq| z%uc-f?t6FZ8}8n#=XfH&up}8jiWZUOXh ziN=c{@%W4QoPyXiY4c$t^z^i!IB|U2u6^h$?m2%)SO3^luqfXmMjT+2WHYppj)o&1 zcTlU=0sY!7a z@`#%J=*euj5S{94`SkeNOShYv8k(A$nk%ZSbQ+Cx!UQKuVafF?cMN))R;xsZipZiK zfenWOUz|E$-`u`y$2QTsh?I&Tpkmuvn?L*Pv&P2eIhVV*s#Z>sbij4_%C*y9U2JUb zaO4-|8THVQ&WX`aKK}6boja2=E^B^;P9rC|$nBdqPoFt`=Wcx<7%r=<1e?S&9Yk5I z$31`g^l7<5Sz1+I@QYBV~70Srj7L1Ib5V*wn{jB|SW?SFWuxvAxD)4k5# zL6bG#Y(Ne{Gb$R`Xe~G}Jmj32aoBBWqCy4H;1(N&rgu8*tG{vaW<$HKpbA!L$@d8o zZHD849`0>FdFJfZ8@H#O3#H}d8aWTeu3o!#;?(KR?p}pbZE@J;1n+UqeDv|BH*eo- z?&v8gEjQ>i935_Js6Tc3(xtF=rB#Nk)feMxxs$q$P1MQc64}PK1%eBO^;8{ym08y zp#%G8XC?;*`@vTbuh7AHugBvJL|K6q2xg$SHxi6^J$`>M9D`#VW+E;W4!FTEu$BYw z(%ymIj-cFp_~?r@77`4b45FD#hz0y!m&fP#fs{bGCdMZwr>l4Ee}3=YzNUKDf{P}o zj=lkpFL30@;o?HaKyO#j?*xxc&$z2LJ$LXBBpvOjz?BY9*`zf*p_ZhPU#k$tp|hl#PbK z4A2210gQ>S$_bW=dS+*5Tp@vGI4W61 zzhL%{xjoK-X_w0%nVFu2u(Z0W(x6iX+_SvOu=ntRLx&FU+qKK6)7Y)%!r}s%Oo&E( zQU5}~k3`s2xQCOqI_X%k(uJTbLl_%DU%YIB@9T;TI0%X;t7)INhL;24`Y{ zBZ=7b_*l^6_xXY_DMUE*mSl1u1p~obx9&uFu5WAvqJJQ*BJ?H;6Yx9RdxxKU;l(2d zw!reHcfuJZ$id!0INj_y@WR&GntNBTM59p{pUtgZH8s_T5AULQZlH6LVuhLUp#^_r z@BSk%y|8O$uw!I;0nRi6QEHV;XV8~bRi8O?oK)b5SN~0nF)oa&VJG$C>2H}iuS2L~cy~fIYhxcwP z)JNL~=e4$Kk`3LxbMyPZ_xlwkB?f`+>S`_BQrXots?ip{@WS4b5=U!mN50)=G3%9T zbzy0Bq1C|o=KP$}Qc^S0*Cr>}qc6RhUsN*VbdC-8?XIhwoSM3MyRo&sdt`LPV%KZ6 znk(mSYE-(0<~w5(lUlvWY*0^)58S$Sx3#mUtA8jT;&xT6xuxAwweRr0?RL4pzIR$~ ztI0RWI-76bx_hsue{k02DRS7SM+QA%=HRQZR2SQ3`dW!RbDksr{F!rmcJ1A>cb{Hw zn4Fo>$a$ki-q12sUAH^mVKSQZMzb~M58eCfa#Qc1sj8yLqMID*zIC_0qo;3hY^t!N zRIfspB$tp(i;=#&fkMulnVA{2+AQ_;oi84JacpF$qqEyuP^4DMDMFBu?EL5;pJ%o>@^4-Fs-URc6P9hR zt{fZeQK}RL`PSyfhKA-OK_{rp+(lBAqxX27K<`4 zS@I-$S0ipOgj|u4o~{L7q^NSUH%e3#St;7x(9qu1J>1*f+1%1#E-cd-baH5+5G4aM z{j))tV{>3`c)Y*4t*xV}rNixuR1_6--?@DD%8h{9T5QV;%}w0AE%sO6ki%{<>iCJ- 
z`C&g^6cr8b8|Dztt}&CW3YB?xN~E2Zo%j%*K5!Pb@)r%d-;q4^HstF z5DLWZH8fiCOTC^*aY3OuPc=L|bo|t*x%qj6A+M{u^VXf)QI@Z&u7;K0`7VhM>qpNple6qN>n21HXI@)&b+11lCFg`I;Vzl-*HCrnkYK!jdiSur! zr={`k@c5{;v`S9!{VfeQ?>6=ikGVYapsKRe(b3XMrJJuN+b zF|#XobBx`m8FFXvon{k z-)Qgbo*bLdXehN-e*Ic~XXn7g>}*9v#l1Us%S#J6CR~5--o56Q?!IA;loeT29_Qq# zb62_sMn@)QV5$)(z{doBa-xr>>0pqxm<=YAe0bawWsRGv?Bl~dH*VeO=dv8Y<&xZ4i%4;`nH#ByrG&)B?kwz)bOOM5%eAMuvz(lu)GFR_;sj|4B*lt!U zi23QsE7C|CpU~3f4E4FG!hDUirfyHDR>S@!PZTkH> z%!io}l~-WaD3OVee=kFj81uVAgFUWqeCrKIiP>(qY1InP-0Y33SKGTfyZZ)YN}bhW znVlFL?C+bMnQrUoV_5;jWavHtXd$dy7==PGX=QFkWhmYZ%Rl6zbYT9|<{4rAP*Ggi z+dE*&(-%1OO?Mhph1*_y;kgncJ2L5s$n(n`T8&IzyJd3;tbt>6e}CWJJ-ZY#h0T^< zT5N-*T4&ExRm~2wNg=NOS@(jsvty)g^QQT^39o0~1-($;@xq~(yV_eziVKYfUA+3o z6f_T{&jkYb6W#m;X(YNC26+6(&{Ge(?Vcj-4trHqC7j3C|J@}? zvfYV+u06EY5gDm)$PBE3O6^qcFpYCwQKjfdwALlSpicRju*kn z?&$6?yX@aTe}Rd(P~pN6KWM4d>5zC)C~&z7?+S%1CKHJX9ur0=a5CNUO!Pk*1+>wNg=K1R?^k2eo{#ro1#BC(%L zRZ86EUUF(_<;LxMckkSCSjki_RiIdl1G+;{WZ7+#Qn@sTVX0K9xv3LV2-a%n2_l)w z%A!Is`0B>o^yJWY-+i;5NK+xi(t}C~CTBin{ZKtvY znJHJOmgd&4?q18M!76Sk=#B<_M4l^dZmh1ZuWct1oSCB zF)5wRBoha@GCwx6=x=Jh_0?B6R@zt?mr{GnODo>4tJm({wULs zKM$jQ`V<^W0EAWCUD-&5TJK%Ga`nyN3kj!f-auKPK@) zkuOyQ(A}QSsF}uxhvzL8Ti73OZ2?;!7Tf zrSg?4S32+A>3{m|Q}lbWb9M4Z1hPssHB@~HIOjxcVR?hHIIrFP%3>xK=Z0CkslB7M z73L!9-CtVV-%mukdareLO}~1c&ZH|ODWPA%ArP`uO6?sS9B>M3X~pfWm9_P?jjb&( zCKZm`+uz~}`R%23oHlpg{yG>B4-Wi*bH&NgF;~3v#=WmYE;C=u$cntaxf5*y6K6&{ z9BK3U0~WecDQ1%U`vt)q$P}MXdB(z+sYMSVwzH6NSrbD|^{&r7hx>B~CJ%oNkwiz)UP=q2x>+ zc6B_~(rjW)2RnP}6H+0O#BC0L$nV@)nR_uX1{=E9?a&_|Rpjj6j@M2}a(27Gg*rRi z+v0>$5gEc{cjPk_wTIA&Pp03Ogj^|QH`iC!)>jYG2~Of(z8+@H?!Lax)|SYNCojc< zpp-bAU|X->zIE;D#`JhLn?bksQC*yXZ6p|pcx@nL@GDe?$HB6upg#=W)ZXfRsUkar zZQ$h=GP&mF7}Q{`W`ZEOOc5AHTU#tvqL|s8n4ayqa)ZDryWJ89*!H&92cN$-IUS^n z6;UJL|A6OG%4dOrrBo@$nqeMVO1TQHm|`JcHnaQL%3swC^rbxlQrAmJib5s7x-dIG zzqqoKEDJx+$0I&3Kq%;Od+av5)8T-CP|H*&@#Erhn}ymNMV6&lkTI}{vz%B9lTrOP^#f_~*Uq3h)tu67G&EmvmoG+9Wf}$*T*2E^0d$7jT z)vR_y^;^Koq8#*dc>wxR6D)Xig#?vo#6SiiGZ1IcE#hgk!aY^A=E(#0@Z#(ui>bg 
zDYf?`j?)&~U;N8|dHc?lD_1++PRpy|37n<9zL3}J4~K%;e6CQgm@F1(-RE&;(n)og zI*w_;$s%Z9kre_XA%Dx6g-diF7`Iq$p{5W{=`W~)^^KF}rsgJ?J)h6H zy1l=9kcXAg*VotG*#8{kO3aCS|mcC1gOrkkDw^qMy7X63s#o1mz8c+d8{Dx;mE@<}jYySXt}3dcC8o zr#&9ATP$FF(G^wn9HUssWpbIUq7Yzi2-qvoZ)DNd0teKfB+SiBn_V809lB#C;9TTz zijBm$J^|jdA6QgyWe)3EVu;bJ)3VUb{9sH7R0*I}r4Ey^(OlY&Q2_>A!pLj@#qf z+}wEf^oL@;ghnk&R+|k*jV`;0MNH-`4tIN3M_*gB#8pZ%gXYTr5E*aGWxuJqr=3q+bHi zIr@nys!m(2Zhs&u z3FUk)d8kl0nq37p6hcPE$pza4u#h-WWX%?h`DtDHv_O`%>WFFIDo|#rT%MVkotm0l zUt8yYcCO6lhtVKS! z+q=M1WeX%Gizn)k`SB-zXzlJI9IV&RPEL-C0+_oHO{~5)FD?ETvsPg&j^BpPC58o66w&fX8WJ=N9LAu*|R{L&pf5 zq^J_dBO8o>%u_W5GJ)1%h&V~(lFX}n2zrtW;z+1S(X={Wj{cr*wMJD=Is*h4wFBb& zpgkJ)d0kF)@mSqKWOOYPIknIVMbV;wt~1KAETC~IyueGchYD+iQ|%S)0S{}Z!33aESR*8f1dWLx8gTHmYP|CB&4)nshWzV1GLcYAqi0*oyP4KxZA63n#7^RU;zuwX7I z8VOb`9Bl2SZNZM__O2V(dUsZrxLgjT42s7vtj%U^ZI0Wm7T7~T2uQ_o5e%mwfnHL` zLa7e4irP$m7J~T5IAzAG8DRH=5q~V~^>|%i3}AJG;E<+;(Dg7Ig=PXdMNmUV1_T90 zb?npx61IAF5-4=sSz8<*9tyX2bzbRZ3Bm?@8qY)cT9&X%01IJ8{hE^Q4M0!MOYudS>9o)bxx*n&+mL zOZk%D=TLidMz2088cYSrm|WpVC>o8qoeq{%)azK32`ROstGk_HapcbM>a8~!!cr6q zRkitWm>_E{(EtjU+g%)=S!DbWxb~W93Bx&;4?Mt4sKe*;q9mH!Hn3Yym|R>+IK1)R8~1E1!5wT7=;}GB0r(V*)h1CiXJUwniRqcS6^fNdCkG0g z?DR!Zvs&Zo_veGES|HKYWTyi8hi0q$+U+}c?%eKcZ?>}MJkM$1M*!HL?VX)WCbzej z5US579_sx^1G01%M71lh5&5t8b&S4#{NVnhA6^W!b+nqyM7f+D9~*x1=;@1>Z^{_! 
zbok69b)_f%@c!=}K6)`dw+-M8O7d_CuZ z2*FKx9Bf-WdjAjKe0TrhtI37tu4^{N*%ArnlPixNJoxSJ?^_)nUoZq+NgX6#eE;P8 zA6|^iZCcDWw}ryR%Ff2x^z_uk72llqNC&wlxCT86J2snY2Qh9R$@tNBygdt#bQte@{!k6!V``vdB z9t{ppaUu@Uvm)}q`nTUaDiMxgAZ*64dpG)KCSgQ>c=7TTYq9x5O_EG5%}+gj@Q3@~ zKABtDzR}kOF0V);F92L)v@tpCOA8C*<5P3ucX4)wXWiG+j%|~kT8zOUIl1bI+M#*#JhLz{Lxo;?)~DcfBj$l>xs8RCK+=v z^wPrO>Q=&OvkQg7$jDTYQ)Ee8+gM##-$|r1;5i4JR&Yi}-VA9pr=nex&)YwhXN`Y!C|3!<-P?gLMVvMOurp z(FGKYusB`*-Ie*Zr4?UOjHbxNiP6#V$()F>COZitlX(~^T88Ku1WB*=%-kc4mKj`yiFp1p~xYA*sga$C;MnKs|tQDWHms zI}mDXX)6_Tl2~>-OkRg|Xz=y@`wzc;`oq0n{d1PIIcyf3%#Kfw!17sMTKM77x6gif zHZnHpbbBl|OE~PKaCvHM97ZijB*i*pj3E^nCPE@$10pDeaNDh=d}4ZbI#;RP^3|aU zVl1#1LcqzGuUx;rGe0vqHa4@dkCCheUBu#6S0)}mdhpxd zeQR@jZEknH41o=3IDF7`Qboin>Gjoxtqgj*6M`aU65GH2^>3!<7B)84U%eijU)iJ> zHX8INb~Yb;_wDZ=JoYtrI_)-G;vaqY;Kj3-+nbwj-;T`AEsLVeaoot;fgheeeg1qX zmE)Sjezb)HaK;vFfk<|K#o4H>>MwF9!zZmsT*s+}72b+L(Rt?Kk(IkK;7k z9JVV$<>e1gzyJRGz5T@4@c7GDgPf$4%cbdwH%}fvdiL_QAjuAw3#^*jIOVk4y)JfR zec2yuA{i@1o9}$}3$Tm5y*&;q_?UVRkBs>9M74|PrUz?^#+m>@zZZ4^y}-bygUMuS zYio5nY^|*=CR5|*`#uIP_evpEg-CGGy*9H@%EBJZ+FboNuDe~})QgHNi=u?lwqR>- zYjcZ*B0~-~U&zZego%OXmPiP^JPU)74D8$vw=WclwKla{VYo^W9Bs-S@9Jz1xh)JS zxgEArp@>r^n=jIPrPpRM+f6isaXjp9l&$ajb$`GEdmlrSQmLfiEMX6~wsppQb{i!T ze2IsEjxohryJN8!7=JTMQGAA%2$Lh!+S=qWGZ3HpeJ*eZt!{r?U!Tuyb(z&I6jK~&q&5D_~tcC6V!u%_!bZdgdgg3D&RC(_;v z&WgomB@`Lm`87HH;aDsT15|7bX|}Pvq=cH=W9_XVUNDxRKj^OAae!8c70J|p?Yhee z>TULzNziq>FT$`6*vVWr8Y&THS9^05!cFzb6PQove$Zv6yiU8<<0lDl^of?{CdO*Q z87oFvVgYBsX+jSIK~!mVb#!*YSa5<&i2%S5w4JiQp(({mntAg^@ViQ#|aj zGa@G_f=t26Y-w*XGbYw-YVYo`S#2~S`yEaQd;IaR72FZh+}_$m;*vs`U`o4V9vfaN zLiobi!(a=dQLoE^A|A6v6lm7s z3V0lLtBGleH@V#|0X-N`lI~brduP-Qh5_??eNLAR$6@_4-TfVeetAYkRSkZu`LDWK z^$qHMP%mNOtkv!b1|iE9t*Q{tuY1M_h2Aowpjhakj(}%!Obk&-qzx9*o1t6 zBnW#T7K(TIeIBoc^4QI#0?#rQm(xv{ZN7MGQ_x{IfmxfU7F{i@>I~KYiVX}u~EkTckQuusI2|+wxojZT3MSfw zl}M}0?h7*L&kyVPBqRS6IBlS?mt(9e4BL!_0EY?o9>Q){H4Q>TcPJVSyKNShBs@+V zF9`}s_ujbU^Sjks$2uUP;23ClTRcuEJeJ=bo|wk{ZQxzNb_ixqs^l{T4$O-KydK76 
z^#*{O&4RX5Nt8*mqxbqPpW9B#;=yjx>kaz+J__d2<#)U6W-|k!ry@$=o4JGW{_Zv_ z#9*jd*levdf#nZ&*48((#S-Y#ZZhqSwRVByq&~v*c}}ioo9g-o8L&B1CbO-nC4{4> z8oWEw?Jz4s2|X!c0i)gS2Cb%K8yJ0D5iqvx%FSrl$B+cN9J>Dz8$4JStKf3^ zH@|*#{n{-WJOi~{afG$`_X+N1--$~^PWloT`_fz2FcDFT| z8SPQ$&vYUTd_hoT^c<+y>y9_Y0s*u&>jkF(7S#uNr4U|5*D29sW&nZb%_i2WUQIa@ z3MO*JQc(~gQlcz2@Xs(@DRUK}!buWNQLM>|emf{*0+%n8d2qdHilGS;g~>vt#7VqD zL3{`6+F@pKndd9{iU3ZT*=C~EpAU$NBo+$LGZMlIu+Qj4fwI6?iWMG%aLx=ZQUr-f zvLsZBB{16(K|{|`w5ITUxl|D(5gJ9&012*}ELFHNG(jm499W#}) z2%9b@mP!?g=M|Zvz~f{{1(SKMSmb0vgjy`aAZK4dug$5Tje=q=5b98hAaGoz!XZYG z!4N2LlF^?;gQ!dfH4HcK(Gqz6;9+NfrR)L6J()OEX$mPo*cE? zEHK_PZHkD=l}be{3qS=iByKjF(G#P{1LulmaEmE$9~cTV(O8+opsy??L-?03iohI9 zXN8v}8o3?nPJ=8qs70|@1RoLoc{j0K<}sO7d#(svxx{l|8X1aZY%qnOCM8bBa2_P2yw8y}PV5ZO?nMFf8V=gL{5(ARQ zp(j`gW1K9daCz{lfdeJ;#X?>L!4oWPv05nt7hnewd4+`i3FsFEv#eNiaJ z0AeRaS0hR~_mWzR<25|zIY4mzI z1uvu7Pevg~KPq{XE zo(EBY=+tcjb{$+GO%B+-#A2x|fSzL%4bh3drIrg4m_oCS5XxK`JYXng8T7ac7+BcQ z`T9}AUMo^I287+Eo{>9s+nQoJ7mC$wctQ?7?6E?W6zcfBAnv=&!mHxGYvG z@O;tQ23|Po%aIDaZgXwNT!&d*27Zc2CewfO*MH-5x@>mKpZ(cC zce$K;!6|@ker;{LDHcM%PQtKEw($JrfMz+a_IEeO51-Sl2YB!03I{q2UMzBC-!<$6 zs5`5I!Xvau&%K+S}~e^^xzVX8TBipbHEBWg}vCW`6+^<;=rJwur&2_H0C zl!=P9BcR$S9DuiarKr>{RJ}G*L;(r4zbAUGHKZQZ-0Hbr_e=mSe2|`~LqIH4Had@52TqP1zN@9R zS|@=-q>ZeOKx5vB{AULc1$@v$m-_P3#d1trv@{}6iE6Wteoj+2DOJ=sp=w$!R0YBq z9IwqadK4PwMyEwj;p(i^AG|@L)*+39n$-SRyQHC}Er5EJ&@<4Nn$|KtGpPCrM}4q> zx^8NDdWI@J)oy_N^xdO=ygCClN6XZhYt;`~>2v^=ORR(=nX{>&Ni47 z4Rr~wfeBPmPYw1lS4JuSsPGgbyO^B628!5=P0LM_ux!cmHe0h534JRR4nc!lfHNh zO=#gg6e4zd`Qgbi4c7`aAOi_`^_fTYp$7FT4|)xO#s`PcR9!w_7F3a_Up1&J0%x%&nTd=TvH?Ei27-~a8}wHq57YyaK9`)>mQ zpI&eZz_@&nu=5?27%f_8OkE}F;(-saLg#1=p=<<=4Bb`LGvJ8GVCCu5hneW0<*2o^ zj-hQGEmKqg|Fz5-rFKNg!vkWjHc`t&KrRB}i_&OOBO6hxp`K_RQ#am2GOa~afYR^< z$z#mbF9cLk19C^8Euca_NK`4*=Bgb-)wOd3HF<(lr{&L9$mRTQ3$hQ%fGE5kYMYs!+9EE6{UP)Xvd2 zI?>Nmb=5seV5=$;fz%Ne+aW8pMRcs5qT^AG(z{g6sU>SPx~^)OFv|MrSAmv+p8Pa` z{-F-2GC-Zv4oACrBty4>>PwZ>TvS@6fG;RTKW9UQRc%+9Yp4=dQ|O~DdQ<}yX_+bx 
z^R-vvs`+Z>AsJff+L>MeIq16{kbS(CmIJ)u03RKPHLHX_I_eA>0CiC7D*_THl2Kjf zP$9A^$iAbrT3#d2My*#-zf>8bCiHxCrm{!p>Zt)0AdEw?sFR{5tKwCm6>1;#nI$c| z4tg0%;iSbHZEDiqkEmr;C+OITeuV#e8B%Ga)tYA1GHWFIp$U&?mmOd?zO{nWi)np)?mTriP%ndNn_?*k_1L5>8y+`}+(0LF}1Ni_S z;G}Z9i1aQ5#86M3jgzCO5}t)A3; zq%Y@HKXb-a2A>p{Y`&3kXasH4KaRFvq?HEUR&$Q${}}x}2WJiEloC|sB0aATw!R7N z-jRM{;1qlqO(r1fL19OY*9BKol?du-Rey@}bzuQF6xxL+h(wX6dbe4vaIsoIb-^W8 zhq``h3B*NB7%=d`;PJTs-~XTg*T4PCfAe4c*MI49HU4Gh$G|&;ov;j!U3qN1Wm_Ck zw=|5qdvJ#Y*9`9N7Tn!kLU4C?2^L_mpaa24u;4a$@L&T39bBF{_kG^$Iv?IYuzPyV z?&{jBS5-;0Fm4Y2rWQcf^HW&)iV5Zr`z)y5Gk|vlJsY7}k+T zUWHT#iY5>mVmol69l;#E{F-tALdh(#$ zBESLQ7l_syJ`#;qz4Yt=;5~S3*Em+FfL@jb2BVZ*7Xp_P86t%fWaJ@=>aBJq_)dGm zYH-#2%ebEqv2Kx?Kh*6-p-kueMn@Kr4ry@{IQ-FKD*M9!$tV%;5lEcUHk%eL-?)>e zJDfgljsj7LjH+_OX4RpX$R8Ba?(j1z@kQ#Q5=uQm)-3)*UZ=CpZ?Ro$*_;PU%BU0Z zcZ1&elzr6f>DV;GJNN6*F%Qw(`ghZ3=0Wru!Gy@E0yIOn8Ek6SWoO!b4tDCz^$sEu z9%RVJF2k?giY*4-wQtopSC_Ys6|bD(7>l|*54Hze0%1q3IjQNnNy3df()GDtgAq;; zRyHbZKKztv0k~-mrVy4O12=Q5>Dw;y+^<^u>~_`g5Qh>KnL3?@&+l*)9CrTl`bv=K zW{dYToNum=kmBQ&{v~(}B|pxu{dO`x*OlvVqf;*UeE}t)2HjB-%P`l*eqP)m6PU02;(=CN#go#GV9!$MnrAq*q@r%L;XnHRtT?L6 zqAiDFQONs`0MJW>QOsyBt-8PojPYwsRdy9<4_Q^Z@*j*P>Vl_oBGThB^r>Y@-QI|9 zT&iyo(~WVOegLR{zAT`@A$7Q>6zkV)O#PgoN4vCG&Ub$#XQYtggR0&(^BI^9bTujc zWuNGO@?;2_PJ7m%QW!?CHyUAL@+zV%2JiNIch*Ezv*RH(l**T;*Nt7ngM8+@$VnTX z4J8XRWh|FU1|&JTNp$xBtN1xATGl~0#VEz*m`IkQ%}!|OyAmSy6#R+OYM-BlS4HcpV8(;5*BQ}`TkY(-@vs0VJh$4`HLlaO!spqpdXwbYEy(aAu^%V+Ze$5oanYM={v>@&E=vQ-pQi*X&KsQ z;D8`ZdBs$T4BXS?O1ggM2wv>+1u*M07(9hY#FuQbAfkw)_UNymYm&ydx7|R!TvoxR z?IP%`3*upqzSa9h@C|Zj-Ux?F-vq$JcY#V^#b+2FE+F|Z2zd){4>Ukv)+(h<4d7% zY-CnJfS5ZZBrR$_!g6?}Fh~l7iw*paAYU3xz9WNkZqSWJ{WTxyPRDvGZK6H|EsY%0dr?ea122$cjF)!)ibQtHEdBX+qQ(LXZq2U0oMS^EP0I}m4@39&jh?biuPT-RU%y-^=W5;i-0KUhMVM0}v5oU6Xt9`4{&rT(v_UeQlpw zugEtuM>#iw@%nWr7;6P@&a7TY+No+B{v{uAQKWVc@jdHq8~s@Y$A0> zU4wKTwycB>1-ouQKI|`9+KDJY-`0iz6}&cQ?kylmb(AO^H5zf;moFPS*%I- z)vK8%x1k^XF@B2{Cb?%Y*sKHlPwcn%6S~;-&_vw@n?KbVa)}ZPFfE@yZ_{^(etfX= 
zk*-qZ{rRW!F0nlzFGkv+dojB9pIu-}AYQb~ZXqge0x#2!kB-V{16wc-W*y1Wav+U^ z3tY7~LWT~;$)g9n_~_-1yhjl#T6<0nm8S6;c8Bm_+~4}IPT;PU9o>u}uNqaJq<8@} z4Gra%mGupk1*{JX`EUakNcRJ%aF`Xe)V%o%wHCgM+6gEdHR~`2)cBV&$;U z^;Y=y(^esrme{Y>N{~;KTXMxD_^z*A2T=L1*kL)d^QHJqzY!%-l*GlYJ9w{l!Rc4! z{L1Y1>)6eNR*cBW ziiKF?`YfI`UT<=%7(%UH5+i|%*$?{-@zKe~`cG>G^boLOo-TQiSX-OkYvWsCsC7AL z&aqB%tlFPOEXZKz{nEknV#!PA@-#t^o0pTFpJgY#j`_>3KF1|@<)^SCe5>o1jkCF( zj(Ey*3^|xMcE(izUwX&C|JB!wkul;Dx#G^v{BDJ#HX&?pXkTY+OXA*az@S6oS;2hE z*YKT5{bUO6410Z!P0JIcp-#Vx3^p;Z6N!k}jrv&ucnq7R4aucitDlNkT3%4cCc9UJ zJAtv;4I)g(P-($T4$)Ad(wfc1*MA2Ax|PByR?Q~gJ@^OHKF~7vfH%~AD%JJ808akz zwIsF+^|Oj~jncB0mU7y2?5d~AT0mSk5 zdM?X}QBOBFe`)st5Up-q;Uz4sox6lVQTC~|K(x3GUcIu>xtsGdx%!plbr`31glHXf z4u5(lQZ|t@x}4r;3OfNjQSMQzMv{WQuk9A-7wBzIgGT9=I(kNn4*Vq}gm<*O4zByE zY1oZWy{LCh(Sc**pgy-R#DAO?EnMLN8{Cc@oe9saMTF?-Hdy~)B*9^>V#Y)$2iH|h zdy^+GeK$fDj=}I2aAzJkin38+}GJG<&#Yy5oBiIp#7;Yxx~(k%7zVa0i6+BhjsqWx-vOC~NRP`nmXao;ik@B3wn^!y0S`|2rDBr^w?{%WEo?~rn4 z-wi9xjV1iT?hEN`Zs&P+GGV7>ikS>@az9$Up31Il*yznb0@=v1yPi`kVsH{oG@9c8 zg359NRP2JS9Yf&#el~1u9Otj**y&>6&SDAk>msBq>nMm|^b3=ATp3Ji`?;m0f}oiIor@0JZaZ z@_q4%vr3)u(?bilAP+KwldI$A9~1MuLR6gds&^%bj8X-K#i3&SZ9jTJg{r{vG@|?` zsKm1=XEqH*-md_Dfuey*Z$~p$CFzImCyky>O?~4y=6(CdQCoBsnB=O#9T1_0-yeE$ zyeD0QwW+eZU1~C!eLdFsfSm5<1CpQUPGnIaM^&67Q>90VSq}1zVFC9ImbgPQjj* z;)v-jf{etY%=?L784ye0)8c0{B`|*XKh}lfqM{MPwJ^>R4Rg1BTEfF?lXPeXNZjGR zJxKHi@HDlSB>DS!X0)|8!^VAJv(We{vS)&r(TNF~uhpTC)v%ZwwJAy}X3+Se(ekZr zH{HeYM)=R4%hozuAy2d=Q)+6-TcH;lf3ED@%_WjA*H7x+j?dqARujW@tH>~g*@piP zTnx49yO)T6ZfoiKvpFX&$n*N~?O5V_y=&l0x(l<`ds}Jo^T##F8|<+46zE}N&$Y2h zkUkOLeEdLTmMZ$Pb9_G(VDBzbW41d$T=t{m)i2=a;bP_GoZ7?IEx_U8XC&&xNq4VU zZ?f{+I6lZi$w5^B>-o6?r1}Q|_{}V0EvL&&uvH!dim;E!B)E)+hPww&x)d@_^n(v`z z$CYi}#TXJ20*@uH|7gr`aDL{jt}e6NmCvrKf4^J9HcW_bs z?rw*aH>D;JD;DTaZaeG!x?5W-7)Y?)|G6fJE-z7TZLCgE{%zdq*&s@NdI^zVZ`6wY z>mrQE^Y=_-*?66SaIa4N3xM2a#4J=Jz{q{GoAf%bC!~MuSe;2{ouckV-`&R_s>%3j zXR&=dRmfe%72rpl)FO1NB3ClFL=X?uuco^qs@Q4o;IjLlAVh|YVZS>+`BC}PPnjET 
z)sDvg8t(kNX|_QDZs+o$%a9>W^&$7y%f_`|ecACJmn^`$eqtf_VIxfaTdwWGG8|N{ zYOj-zLHSKjR%+TcSGQ+{q0rpWcUaL8AzTv!e|9mtLaHo8?+V{;{NHx_-)Jf>0l8eK zE)6%g?I|g$d`We0PUegR9^E~3{iz>lddSEyOrI7v`uzGcinh4s%5Yc`i}!OWxGz#> zO{fPR>L?XkS9=yL8Nh&sUzaBo#zw;y1BYJ1y0v?FNLoZpO+ir!6PstcTwmYsYdb-w zR&1QN&Kl2e^)SXdTAk(MRsXrDr}Xu{ZJfUy-}SExDO&P=yn=KpwtPGfS%iS5lKRvS z?qaJBY}fqnZb5llR~N@BIDImQJ__ z1sT)zb1=5tkjm4EGg}M8eCXcv_#aAV-i=pCU2#M5^XvDb2^?%3`88p;t*+s-Gxiyc z1Lai(cjll5vHp8Vt>#L}2A~P0pkTc~M8sIyOdn!#zHK3q%N24RiwaYs#~3lrq~i49 zJ)HhNm5zso_#PHu&!|mt{R*nl`85%J27>yIuP^ySr~e)`t)FyWL-m~}FjxQfv7%+L zn)Z8wDyqLYdh-=3f!g@jU&4+3AJqsx3W>^gM)>zVjt|eqpJA&LU`G6z-+UOo`;KR2 z=MwT>Yn${yKjL+uSmYy4##3S4$!gH$<-%ddzdzlc*H!eM``Tvb(GlNmNig>dmm4>G zeL0Gi++4m_Jo}G|Ohx1L{(EZTz7Q%Ej-+v9p0WM1>c^$>R388G&s(X=DG^VDeMl zZoB1rJRpDe^O7EN_A>M7 z+VkIGBMz6TZ#VxwzTFg_mxz~qHHVx+28M$UXkk-tPlLD;&xfJUPd35|e9X}d<8qwT zsZCf1*Q+qWMGNinml1`F=;`F}8RU|I81oOONRo#?hL)tiv#$g-r)}*u&9)}8vCF*f z)_nj@1<$Al;g{5Jf5=G{rlSs@*LPh4mX!A`;FP{ z9)kRA9ajlckR#v;neB9*L}i`H7CbB8>b~d~{QA1Tku*i)d?$|b(l*dI$z}2YNp;)mzME(~k18m~ zP~ss`&9!jK zj?AmbIUK3)eN5Nr3pZf_!RHi}YD^@@mV)Aa<>ue}+;Z&M z%9??d9UZN`OobDi^(+I#rL!_>j5oQAXi5aOQ2&qS>;npt{p<8Z7oKgNKpn(OW>2zF zLzu$_yB)}24*k32`w1f|ZlyR<>5` zjX+NrtoO!j$c53@21*6zxUi74@Y4H=5C)|LFDiFhELkMe<>2dCSS)P6hT*laP+Ow? z*@yc3KyPnuLHyB)HKwXSG*Q&VDt4H3cyn{kvf?M2N<@-=K#{<@yUAH4caor?k#JXc zS73LyFi}m`R268y@>Nh%paF#(&h!J5QqebuBwE&ja4t#)RV*b7dNjj~0l+x162?%) zoMIfZ&;k~jF&>+mmaSQaCxIPaJIM{A;0ighVH#5$qo)rhrJzLH7HgiWCYE~s0746q z-p=gF8pKEe+ZsuUkNW}Wn^UPM$IhJTjs1kZq}i@_E5KXG#y$}Q5f4tWC+(lZvzy3%7LS1|dol1(B` z>dc|!y=$;^sSjOatWi8v{4V3U{EmoL`+touScw8ef8*2``$yC)(Y zqY5a*s#dBw2Hy7e`lC<^v1p%^iLu!>R$cDOtZ^G{xr5EdSLj*e8{o+M;4X)|3@Kda zTTNwuM|FSen49HCzt*VX0ya|2Y=j%Ge6{Xi>X_ND;FpZ>9?HM5M=UJzI;^D29m@%o zN%WV--S39~c6pur)Av7zNyC6vtL&eYho$kwiYADZ^Jb3WMt!}5If9!~Jv&u}BSoZN zmLJc}Tn$Z3r<5dZ-TocH0P*%RG)-nFNR?@JpX zP?0RJpTCN;ioO0ah)ti>aFY4XL%GzD_j8&)cdZF~mkUYk!%^xC7TJBqC5|P_2{tH? 
zwP=E+6}e1Pt30G*GCTLcPCh24s><$`5Y?>_*P315?aw&Nt#W5jL2TOZ<7*^Db&=`H z>u4+C(OAR~v`-mNB3vae+(H7NwjY!8^$Y)IKaqB6J8bLX5lj!X%e_D9MZyTwCLhD} z<9j#iP{%=#oTWV$RHn)NE^|?7k6$yx;ksfVEj_`8*^^J{^z2{tm8~INS>Wtpdi2%J z-=V+Y$u+a`8c-yo+Bf=zBVwr^NefZ*48kB^d{Bx^8v12*JxcbPi`2Jq{e+sxZ>*&! z-!hWo@h)0$Fqs>&P*^%fWAf8i5sZf<6XACQd^w{2amfLA*m{SA~zS6*ZqgzJ)oFBU@1tY{Z()x~4jRn-h@v+xBpl zeM>P!{_QOfEsE=VbEVN`3rzKOy;JgI(Lw3$4{N{7U|&9~lm*=>r4_0diBe-&Rn3go zm8-mdtbV>8(d&+%%<%}NCHK?J)|UEq%Auw;i{+D?bC|%phy786tUOO?xM1&7qClqd zur+>N{y1@BWy0?XGTRoAz{f8pn%Knzb+=7Db1=wa|d zpMRB7t@+2y{`{?C3ZxjLl{rftm=WKr|Cb8}j> zm8JWaFNd^Sf4qAe1V%EV@&!8oaE=TST}Qt_7iDWT(>Pv&^?$h)qBowphG`T|k^tO+ zmHid@B;MAo&Vm|@+jfT1YX)0u62G%Os=D8lhiE+Vf!cx2U+hV%S}N;0dRvoiRM`i= zwd?y4qB6~IY%Gv^t~)~0c{mREpD7SakV->n{$@*`-};MGdeIdtR|>^fsxsg3iAocw z;Hi_0BdF(}!CZ5tt-eh%`T0-uFmjW0EbO!!G4`b?F(uf_(HWX^TUa_uvr~T4iEaU= z*%eM4wmZ$tGVmK&q}kU4!on`2T?~J5nDIrEE;zO>O1HXj7Pb@^7F2b5J#24>>9Eej zR0Wen%%=yk9iy%z4_0NGBa?20hQDPlSn`X+rFRvRS`Al~JBt(#kn`&?KQSHD|1?H^w2^`9>Ab`nyT6tZ%rn!Bb7>bGJ^|r6-`G*08e>Dl&+g zi7%k)j*#D$FJB!73^myQ*}$oo=!1VZ z8rrrZM12p%e7V5|IL!!4D}YsRC{W%hlr?whYNpWd9kDC~rrbtKHIR&J z@!@Y1X^JdDsF@yC5&pt?F@RA`QsWg7m09uV%Eb`-vby-eV5b^NaLv3u2E6`FT??F& z)J%D)5x4zOnUUgPD8Cl3YHztXy6Kj1fm4>Gs*P?OpiZz$9{DlMK(eMFbR}v@>9;f$ z;)iViVEku&Lwc~U!CtjH637lxHYdQ&`yUF3A`VD9iM*xqZ593#GK&M;K8hA>a@1=L zm)@$XO-Z}GKTKE6ny)P-w18V}qB{|-y@|V=Q_ZSdir^;eioEsUsP0PMtyO{JkTzn` z|7g-Sc#_m-<4}QcG%vZQJ<}Gk$AAQnfQ_cir76ZFn^YTalRArtc~&uD!XZmZi!KC& ztCYI>J)>19tB~EV9MwmQ8blrJRGSZZUJ4S`Mc-e-rdtj0#|jtQvDZN`Yc1W3f}uvvxQiomLs+% z@l~lc_s^p{Hr8mxZN%bwa#f)Jy?6Q`vnEF|-Tb@K$g&!qYO`;?dQ6gtb5~k^(DIm1 zK19F`orM3q6<|Lb!534<|0}~f?ixHD;@MUp4qV0~>T4ZE-KRJ~0O9^V&57D9mr>beBm)KU}c_;1j$jxM< z@9>BvVrk#|B_Je&3VNZ|u8S2;chf`BaVa~d5QlpnmfxBv|HH(%FEU{n5dRp?KOa>U zgl7We*g>ajZAI_Px%id~Qxn%fz$1ejg5Uzr07R&$zAG(X<0) z1>&pEh{^|l;FP^#DD@2G62^#{m?i)3v7-cTP2BfK^js zQiXJ&d-2glE87(s08dFL_5l;5$R@$~Fg7+B2D?gZ_qt*KkCfe&alVU(?P9f3!Lr4V zG;p(+w$4D6k9iN?Svx_dHO&$w;Qyt(bC<8{I@UNeFb6)1J8@0t5~6dyn8c;v(bd=Y 
zam!)hDm(MAN@oyaB9r_X6VT87>}5+e;n;RV&MV-7l>E19&nJISOJymPMkjZ3HD>c9=$8F z9%k{h$`nr5iXJ)CbxX#Wwhf8cCL{0gGi#VZu2#bGBFC-Asa|xA!{n~d%vTQ#hcTb$ zHjm?`Yg4SLG2v0K&FC8VwDn_@6ZZV&&70&f>+7_!bs1@RP$=jEG!_wA2q9r47% z>mcF%LZLG3C7iydW~W0jrYa>J>OS$m1*9x>b*grA&0V<;;RMK79V(wBb+LF#@lpv3 zP;%N( zr^1XL{qfR}oc{od9s^A!N3{5+nHhY|oilG)%A=AAHm%Q?R83LOA{Hap-TKF3O*WHz z{ghu`YDXP?iy)bNO;?vWWzoXQ*iju@Li6n-$&y`;pneSLG65dL$?$*aqNGew-%|~s z`aa`6te!Ircl}NyG6wO-Hjq=`enJJ3nA-r4n2Y?N9|}F+DFvo6#aFS$l!15=OWqUV zXDW*r7b42+B~Ca4rn+31XuLgmWvniPKwbY_c}WS)9%gxm@EvY(&NDEjgk z&_CO{2KzaRvot4fd`n8tVX4p|H#R8f+aOCNF(W?;i0(hpE)_wK%~Th$%ezmAdq zx6zOdok~tn%tC7EZtQ+fdHLl}wCac4DGiOO(Sq`*DhE8NdB0HZC87lW*s`yD)R-TK z8T12p>2oQlimw7?!X--R}QX_6fKyj!nLjUKVdOD0i+9VLrk7JZjz#EfdGRpI>UHe%<%JIxwp4{u&t> zQE&MH>gX<9@#!p{rHt8gkBK2NN%u_P?v(!N0KjufML7fSTn&Imeg8w=|357MOlEnQ zi&oSm3{&a9!-=)Cw_{;u{;+>_`WHL|CQ@49n4031*HllPa$`HKpPrfdT)|;icWq%E zYfGm7_Z|6(L!wUJ&=_D3eZAPMaoyI|kjRhzfVV63_a!e(bRXnaJ$UG;^-cN%eZmAD zI#M-&jxg+o#VJ=T}yF#S6rN5i2>o7sW9*K9oP;Hzx|JvWw zwja-yg@X+qmE%8i*gfNQg|RL3USl=Uu&Nyia+Tw~c=UIop~zARq|T{8A;1 zLONB-Xztt~i7if+FE3LB|MSWfn%?*H^=bF@Ym@l$sJzXSL83;YoDtSp*Lwa~Y~0a! z>$}Gv9gCYp>~<02~ccpV`X#epvbf- znW2dvdG51dC5thu>G%R7F5AWk0)P8Yd+xvN4P_Hoe&vA)Vbmtb@iTO%LgCuG)hu>OYHIdy+YuUYeACCj=V=s%ho^J4Axkjv+~^RmO>n(otRidH z%-??!LGmr_-FI%iLD0dEq4#!HR+OW}7UH79w>MAc3JMC}@9uQ??JkWP)KBW{xs>JL zSvZK`E-RHXeDfVmMh*^0|49V2b+uS^th1A_IrGwCP}&MAfsg(^{{FC>AE<5XQ4C|EVzFJJ7!k%8Jt;;YVwnf+ybWl5uh~FDL1Eyq zwY%q2;ksMv!}BXF?j~$TW1-4o;N%*hX!0{ENT|?29qq+GgxEv7x(Am8Im!Jdj-4bNc_oCF7-3|2<$AX4bZn+&y)Xpgi?=x5T zaRWCva|Y7M{(E-%Z$o%h=0VcEWq5*E>nD*?^uV{pIZJi;HJgs zmC3jI>pB;)pduL5-z`L~SCdj>ooXqyce(1lIjJ`S zEvhX9=_s~P6Ilx=WK z|CsoSr6e#ff}Wg;l1w*0;Y1>g%n=RwfC}2*`;+1oM(*T#pGv<=UWyc0JFZYy+8z-( zRGSS|gtB`7A6Ufd;eu2UA({)*S_z9e)XMAUMvv~b8l2hJDkCm2CyK58`3DWiQ~9v! 
z7)q<-T=Dv3;&54=fVl|7f0thUe*l994~7?n;g2pguPatS|Fa{wJ;almu2tks$)f96 z*8H(aakIi&Zfh`~Yik%x^dwUXKCcWZkz-fyhid9}>qH7>U2FL(=*IeOmM;JQtW%AI zmXtCoPnyt6zIVf2XLLn9xrLbP00kU7YFto9;#>S5&T;{NIc>>ue{SD-aYz&jC|aN8 ziSRz28GiC~FnB6wpL4e6A`_|sMwcB5mTD~>am7u{hoZ4U>O!aSBb32Ff6&K^TEI`m z34pv8B_wl_^-bIRQhk=9cE`Hou5z0`L*KR&HHiVLV{EX6)8bRN@ zA49=c*ZxM`dMJaqokL@hsdXsi+P2gK@g_6%<= zS71U+e#Xrp@p?ou=EM@-Npr9K9OGB(fbg7GwA9KCQgrh3}8Ts!LdZk2R1Op z*!R%_Y3*=t*CT0>2`+X4<-79!p6@9`^NX}5pA;!bj)od~{e2or$FFeo;#b0j0x_^8 z2TN7#U0N<fx2tbotM%d9v03)XR#Ar>t-srrn?c5OJTLz(wsuV#pn(|Bd|j#R%HB`%h!Yqi)eRf56GJm~W;NGF;l{(P zuPTLW%llBiap~xdb}u@`d3T4_Toy|uO=4BySvZ58-zUTiT$a-+fj}W4gydA)jK}Zf z4tEVq!87tM(+BnMBSWs>XPa>hwu%cyGUM5hO$xFpB)VMZ51r-P1PViQ^)FQ|VI zt!ub>OxxFK<#E7_Ex$2qAbZTk!7us*e@#I#%#H0b+EEd&IDs}4NmU^@I5XO-XzT@2 zOHk#~i`SW247DUdwv<7OmtVu&OpCO{_K`;sHA!i8qf-U>lczjUlD%j2_fp$}rs-pj zBC3EGvAfYKyV}9`iZV|~1R~+M3#fIAM(j>*1b7Zv=a?3{ze$aa3s?!B;g|~9zFzr@ zfH;qnzdm;tlcI_6B<%&D87xw^se(@f`=AxImAL4fnkRS`>?hK#fo|A*I}#X!ZAPs6 zQi%pXp^3pqCxF}q@mM{rJpk+)GypkLlnjU-OmCk=8!-D`@lDhDkh%c}5p zNrxWFof|ozr~)w2qWfgGy><$ngXjh zA*I3A9~ElC!X{B##^fLjrmBg?fwTZ*9zYRYJoMRx4{Y~aVFt!!K!Yhg z!Z=B_<(Aa4k+QF)Ip_cmQyH0vL>+`$$8VjFs&p0Qr7GOzj1vWZ4E%pfvmwU?$F+q- zR1oxW@CRMCuTjj+fs}@2O15`tuxIANFpr5fDyG!mE)E(QPNWW7T0f#WebShe?? 
zJRJJK`ypXSJeNA`Zkr1<_Zyvvg~N1)uMx&2v`^5S1a^Q`TKgX^ExVMfnCKd8muzXO zaGf3V)3jTC)~iDt`N>l}G&S1h*B}6C4}N$_M}Ux&$)M+MMSLLtH>4u<`dly?E&S|) zN2#K6j%|~Y9)(9#>DQLBc=0h3S$#f30R-12buZvFvowgvLs2t#iB-$UU7BkSSMSr> zH(KE0>}tMPV{Adqf0hA68z_if4!?&FEEqsXL0OkiO zCBqSf>BRYh3C)WLJUn+XwGlYgvCs#2b{7n&maN{P>xhUXnMei^p%+Vu?_V2dfC{z8Xa^NAH{7F{w4kfK{cF$U- zN@-tjAlUzuz?8>>8iM@Aa;|R~t7y(DSgSXtf5zyEXckpZqR9Uj{tkFgHk^|WN=UZ7s2v89$5ng>S?omevae_H%(~!-2hjrs02w#Tg}u{ z{*+IZM*RSBf^|MJ^B=?Hbc}F^y26ZIcn`>Bmk5+Cb-pM3MJgB9;em(u2)}0K{P4#d z`Mk(id2kMSMPs)ocVnW{&;gSY9jG+$K-}7w&oen1XHW4Fk6O#s8iR)X)$M_Cm}x=U z4o;z3`^$3{n&rJlC|Hc=IEITxL|?saB=ZBKP5wbGq1&V1h8g-2`v8|Q)K7nrn^|dgZET6n+vU> z5ZZ-%{HQbF$N*f5_R9YDeT@gl7f7%?8%EU9rh(1kWJ+YeEWA1!J5(7MBow-b02n#< z+7pe|o#;a)8KbE0{tD4UxVBvUlLBMa}Or9rLq5rO>8kl+3j ziUYkU-EgLrSU#dd-a}a#`WvrKY4TCPA*WeCM)Kh2NS9f#1`P|dT;{Ku2mm`k+3P{6 zld^3|{p=Hi!w^lkH4SBTBQERgxDO8)e<@)TKbOG8)H`q&!Bqwmo1*5wWqCizw0JAC z{ijJs$ER`$6nNJ6qs7@K7UmY=r^<-!B$adfu=2w}X1ok2&gO6pEE5k#h+RhEM9J2L zrl&T+WU*WJ?f%TAuT0KnJ%{HjmEPfj9wTwia+1}-{6$)FqdT)WIw;eFT831nUk}lG z@F9o)$^olMpB{)vd?z)IEjXUYVs*$~>)~1)SwRa|CuK^nnh9O)MMTarQXeOuhh}4f zY&4+&eR>v;qM3c6XUbCa9DWAcx)YwPFcGeHv!u1y@f8#pkTP zxegE%Zfsl*yS!Y%omRIDdB^W?L{$1OIN`q4jQs=WrY$z%4F!{&9A$gNn`Jr@?nQwL2zIsqPLXcLYP*p?&vl9<@8?4o4{ijV zXJ<4{el{=ApweuPQ|dg|^%dm9eogL41`$kMSx}3zoGp?b&mdL+$N}ae0 z=!HgsYa+uC&MJ25YeZvI(#+r#M9_MiX<%A2V(~DPPlM_C26N zQ7C7%hYF;BJt^J0;B)t|gIOgP$WIcn-^9A-ngRzW1M&IsVpA4WaKZylo=<*Tp3B-F zwwt1IKe0FpP_}gTnAa_e8P;*?oT*iC>Us943fc3f`fFF95CaUcy(EB`;PtWfBWbnU>B@L@9<2m$oPT-fBdpp>n#@l$c{v z1)m$ufPU!=eV<3TOmD84to;$E;q~p8h}20eYy^~C@uM%*61YuWXYskhaMaVUCdNBU zA6o>}aH#tU`veh$wKY5D#MM@@c_I(ArD2Gy7+02%3w5mh-WDUn>obdfV-3~SSSnsZ ze5}<&F6CBI`HLOC0o)}6cZ*)K@0UNnZ96A(^I3j z+S#izI6Z9@y`$I#xZw=>ARM{~W#5&tL{;bHA4~QF-Em+^D#@#^;~!|cy|sm)3V>*% zSN%bepc*+9(9Knv3n}^DCVQ{CR-0sjQtCVl`CY$-%#twFUJPHK;ZYMOyKGntJ73 z@9VZoK5FKsM~0^Wm)G#xUQ1B<=OH%msCdKaUB1_7vuG)k0zoyQNIybQa5EM7QYS40 zXi7=-ydlb1WC8AB7?Ez33!QJ!(3h>Z!O;8l^S&=>Glz@MG}fMVmMlh^Yb{-QUNWJ? 
z@Zv3uzpiRu!>RFgWK{_)4;v4_h_#Z`D^|&>nmQlekvY^9jeR3nEk|(dYwK+_CU82z zmST!bAij@DkZ$1Qt|hu9d_p#RYW;nI%yg8RcU;#=9f#Q1%{)tG;!6;Y$7_4T!h_q5 z#Dsx*<54?bWKk(~M&Pll%PSjw?``2(>iatiLN-!ovvz@>KaTerpT{0nf@Q7Mpt47z z4(|hNsR-H+l)3f%cK9X5rVX#a=*LlAP=nZ2zARTPYpNFw_cne()1_azT0f5&=$@Lc?j8+8C3cL#I*qno>WvcuLa{b83GVfW_ z1b^v-M-51wXm%?5LYms79Hagp0Omj$zv_QDLkiZgg<6i9P)DhVWl8O#ntu$ZX+_mx zX|MJ28=3Mm4W0)ap?^sB2rZ1E)aK0q6jyNEJ;9HR9R~0>Saw zRL|fGX_~07%^GUm(t1|g40I;7f=_}&2doCjL0VjAg=&BdlnsXlMQEW*@Lyd5@K3~q zvLeAeB7td@pt43F$*{8Oc^qR2%NAK3I?aT2x8o!C2^7C-7Pqgn6W0S^0q zbnFO63^mk4{vDE%DuEMFy#@GI1*!{EZ3;Pn$SFC@fmx75QG%47sWFE|r_Nwq_w*u> zFD)*wJbv=z{{8PJCMP)_dB2B>bVzN$z!?BVQPoXXY)$!*A+J=p_4Q4Xr03@s%VjWG z8V*;-M*{g*fA#O-038B=wW2ACVQ8)F6oA^x#a#LizyICfz?<>O8M`;&cG#3kVRU5V z(c>p?hQ?rV`2Bv8B-BejFk(EBNUW_cIc+SV@Xw#Wc>MJH;gL~Ml0%UQtk{+L>6Zg< z&F-L`CBA=ne>+w1g<>|A#KGlI0|wxNE8N1=$hQw3y&f9fNv7j1Ei56Ga_JwQe4i~= z?7oPFB?+{6g;J^b@afyO_GVJ=t-eW%TUVnH0(d5iLCrZ9RkRqTTlG+)>4FIPyUtF3Q`S$66Uh57#N*`$R`?bjt-AJe)xENtBO#JZtXipib7{oDWOjdwXLY<72fer1!e zxUDQjs4Spi9OILTgQ@Ywa5#*URdqh>`Oz~SkST*Eym$Se$2B z_SK7L4hylnyYYYg^*>C_Esl+jtgf$leE!X~&CS&fx7SJ0z!KHg?yRb!(;PM~vAwdg zm!q8?mcUdkIt|M6?;kEK&NsJpsT^dfT>Spq?-KcSasBySBde{m^V{dowJ#+T5v~LX|YxsJUpfM_DM1P~H6Xg8@t|e)F6EoGxR*a0sSM z7KKbU3tK$Hu;p?&o6CV+BM1^%q`FB#vaT)#BwHNIrZZ2UK51@mBX9y`iP+2gk3|Z% zx*ZfMSIJaV>p~8`w6d5??s(nS=TCnq!kTe8XcR61QEh^N3bg|V)UKkGQt2YclV;P- z-rlq4&sv&WC}c1Z`|8?+wB7`qsq7HL8pltBIsqI)!sOEG+Sb(URx}bM(RziR((FBF{`ePyBWoyEoV-7VT?{`EinX6Vhx==j+9 zHttiRpw}gs#y@TD!={5-}`+&i`Aq}yFPbnp*ATRt16!#8?|=p zI-o4fPyONBZ@T)f!k&dm`I*_}jh$l1?UB|N#!>KgO49SemgRpD-@&gW@tiP9ndi`ok~1@{0LSkcyV^SLzJY&#U+Mi&30IN z`Xc)50ouzaclZDHfB%n@lT*VJqw|Za4wnx+EhK!^XoDJqWms8TN$&6Yyl&N=AXH5( zEOUu3W=CFsKQK094m8`%V7^X35mpyx9zK5ZYVhrDA{CCt%#;Mxp1*wc@X?dGg(Z?^ zU0yGR$(j9~-~8^Ifwv=*vkRe6#AY>1d}(TQ=+UD`;2M^B+#3ipq&B&zYq^8n!NIqg zLfP+gyPS4W#K2|shr%Wk15<#=j%tMg17`yC8a-lB??L4A#aFLhIi1c5SH61niq&e> z3r+#(Wj334I&6e$k}4d(zOkh#Vld!yIUOq1aR`DaiV_I{p$hPWE@(rbIqd^LSMmnm 
zj4~#7cTZ<1=zH^OSmBj}t)0YvGTPSF*VZxhaxj(2K*WHFm0bGZAXD7gPj2mQDO`SQ zer!LLjdb?+bv4fpKVRS5&2rN0(poZ|v0B*ugY@X^B4x5NG`KE&F_TQE(&>DWQ?R{* z^uo%D*XQl)?n)gbCdY?yrI6g-7#*5*I06hqN+Ms%?B~+^*<5B~W(9d^Ql*pw4k_SJ zhI5LI#@o8OdwRM%a0)LJ@(hk=Qkk9YM6@Z?-4&UeoXhQ(Am-fPTAp0oZSTDj54w{3 z+q>xkc&lPLl}kg^lPN$XikO!-SLdgvr?!%r)fBpF2-3IOT%DbLT|FHwu@Ll~rl1AJ z9|(7KcXxHRx>zhzEGZDfmCMr;la$ln+0%;^^BZex6$$xG7luf1>4RiKafUm4y4&L6 zv9Xcml~qL+F^S8gPNq_YvLJ~NtMlc2A(w&Jvcz$N!_(;EzrYpqIS?rt1%@#=wlXoE z0=E#uH&&lB_7%?WGsbo~)+w91KG&6>>1Ose^1$f_+=5fZsp0wzHQhuCH&(;Anci zCKgNYZ5))PcvlxpL0e0+%|zR6W{1m;;ZnJhE9MTespLVvqF$sFVH+rB4vOhya&LQc zKT%S9bruwPYkuOv@Bb;0F9Qeg6$$2963Th8n9XO>$%9NuMAu-BEv-+1hPnsdY8lM(;>x}tV`V;H%BAwD z1guST`;5y?3=a;DFXk!`9ts??CkF@VTnQ|J!soNe;hEK(fG@8t74sQ~!|rmLWw|`R zvK5SV!?Nw}>I(b3CYp3XFwc->u29aW3m}qo9z7QUEF}&t+f*{0*xlUShxqm&lYji^ zF}P?wePADhdt0l+qYEHWt_%hXX@Mw-rAi5PTjHuR=XeR-xZp~;d^Vc~Wxxr4ILI;- z%q3)IQm~Qbivns9lR0g24{}Ine#}WZDf*+Q^1=SfcYpZD*F$4G1c`EacXxYzD~Gx$ zmhxGo=SgHRVd#amh1nzaw+k8WQwpib@ldjwl%-{;iXXKV2mJ|G}^xNMP%g_ zshoqkOJ!0Cq|_WH<(3zw2j2`O)QQkc<&p0Fm~#27pm3%Am13n5XzT3gfi1ez%u?Xb zfTn@M9nWM&3PYp9ABbWVV+WPE11 zwWGhcBbZBW%x@(*3}0GU+TBmaJG;X^|JxsasPGlo$|ojf{C;n5PqbVpE=_OaqO!lW zx_6Lm?&#_7impu$ukWSx+jI(taR+aP#xS!#6pXrUHm}X@ciJ3`G(9)7ThSgR_}l;; z*FH5s8uU>t=8Nk~sgBkjKxcca(`v?Lu97=In=&{r5_+I%|6qS>W2Kx)q|;f@^ST{h z5-ZuIxv|aFg`HG7QP%vW`c@F~rSisZ((ZJFrAh2;9&9b);HPXXk1g!AcVCIvm6gSX zjTA)g)cD(Rr`y}z*8@T1t5?q@OoW-**-p2#Hg$DI$A`u;`xW(y4jK!`2@8wsrBb;i z?Dsg#Zl~2^x4Hv?hYz1>zUFZp@0S4sH5^*y`j``7vsv!lyB&!HZr{FXwVHo4HM-#4 z&RSm~QRa)O$InMP`))Nwy;iHuYV${f9^m2j`J*k(KC69pVzTv0m(6b7T3&ws{N>X6 z=HA{8f#aP`frZHt%o(};M}N}Y zrNyaIskFRP`sx=qQ`;M_Up}9iU)g|eIE!NIY~sfGRhO^?_8`t{_W{K+40tSrsU&wGMl6OC?TQiQm_vVb|f z?m+O>)B9e3BwL|+J6hKlXDEga1-%nvqhsTf3k!?Id^XhN&!h{JLkktYJTX0*&KBGr zzlEi>dk&yL9N0^+vEcEb%Nm;6$l#K$&dux}!+@dkG;uGBP^`2BopzbPJDUtJ3O*bI1witA7R{Lh<%p>V(p+yCy)ZlO>j z8DePk?b`Cn%u{SY2xw^5DN+rhL4sIq=c7K!2OrCiI z_GbtbExdU<k>2gyf>aw$|tINOr!?%fK(&=>0%uK&}{Yq4bmey82pL+V}{^Ih& 
z`qmz0@i=X!&DH6_wP=EE0Ysr*KS^$n_t@6PDUM`xwj+Uwt(4Veej3J z5ROcY53g-)x+BdbrYud2433N~ZEPh|`wp9_wJ9_|JwrJ|7L$2teC+M;@Z92Ju2}K< z141$L{iFK}OY_TXn>gcO1^Lx)e>bwUYK_HBCTf0q@>*wWHkJ6{#jBb5h0V=%iYBdY z_r%EX&f41a%=FmAq#!flu%A+InSKhu0xeF+MRoHZecHTqzafA!{O&d$W?ear4^l@<>Z4DCCO} zYO^l;#N@_5`)B{Ay*(NZ`XQJv6|!4ft2T>ees*qg9wujTXmZXM2zac_-qyzVFJ7%J z&!u)(OO)Le?^>OnfFSEn|NLLKx3@Mo`S^-3y|CTh9G@8{EQ`hAA?Whd+|rti6CpR7No+oN z@^XGqw?m)e6d(4mvN8V;c}46>uFAOcDDI9S7!&_49(3igFEYU zJ6Njp^zqBr&u9Drr`3*+&#Xt9JFaxMfWT;$4fy?BAw4`iG%_&-Dhr`Y#K}yL3@q;^ zM<(VLrspN0Xm?W2UJMKmO|e$HKNvF8>R%AA$0yR%PY7ux4iVvfBDN3 zdl1lp(UWM4_xg<+%>n!J%8G0cd)&^2sWF?&_sc)}V+dCUzkd|(>tn4}LLvIEbhpNR zJG=QpiRo+$VmRjsMB`2Ikb_=aSoAdayIofF#EnwQZ77Td&duDqd7Z!r zx7*v=9CkU_$*Ik@_G>N|r9OxwLRdU8vDDSsnak{@Gl_##;_dM4FMjc-W23{(v53Ql z?n)i8!bdvw$$`3dbd!KH^*JLXzv^=rdXa%o2AB|t`4_{dSP?c`OzRleuTlhr^NPzV0T6 z#Z=4+7zR!Oav*ls*LK#IOT4(eoh9s6Ppl~zg^=6t3kDrNUq?sSL`shzzwia(J-r=% zk280Wb(qX7F70h^t!=DBl(o5&5D3Z}ior5(i-y?B=JMJ)*!k|BD=aP)g>q5B-j2># z?e5;bF0aGN=W^&rogikZvNSacrXt?areL_$?g+=5D4g6_Tz2|gtlJ7Ee`R4YlTD3J zPfpLx?IiXUid3xwrpq6*P?R3M5JGEv zXmw+`C}L}S;@z+QoT}u~$=w_-23+QY*|9__?T)r|#e9?Sw2(T^FC{z?K@+S*)O-`w0iNb~5|yDAhMmPLKyfE0XB3=_ z#hXlK`stGg(7O8A4Eg{IS&%kX*D8eqBr^wzt_S${n z&fb2moZ4QTlG2Ig#Z^nRy}h@WRXB++YcmHQy;FLs4q!k@>eih*TT2T{K3Cb_%4gH= zrZ{6|6p4TSVvsdE<4qxlm3i}WD3!`DZfw&gb6;FtGJ zHJ{!m(EYB$?8F>|6n38nN6s{8FuL>pdT81oi1l^&aWOZtw7I&U-`dZ{nwomM;(RGj ziV%90x7X(n@~N$4c476PDc;)G(;{+ZzQmWxqQ~zAT?hL!JhH$t7OyK535NrIXGP#4 zh{A=+@T-@K&D+)68@CFpi&L8geq}e4NEcdKBYoZRr{6wRD(Ytb$)L5Zt%;NUP;+pi z!Yi{&>mq4t>+QoaZfSm$vQV*DCFyZ<%P_d zl;7Xp-{0e8h3Cq9+Z!93o0~gZ6+tRiD%(5jrCe@vVU?4KSa-k8V+V&A!SdXAvRoct*rF}Lww5@92}|?yg+gg#V`p`1C)5;oxgB#eqs7$L`r=fo$a$iz zfuIkpo_5hq6~d1MFij0N46uG8&bGF7-sx_d8GXH%D~ULb<3zD6j!n%wJbuvgCZFf= zw||gm+8vDg+|fulZg&KF+rkH{qjS^a;Ep?dA(^5!w|7_9HX}`Ox7)EeH<3@R?`|)w zCbDha-M!J^?C5YFH{1P@XgCrN1uPU=CO@(eK5rtySqAix>`ry3{(ne$I-x=%x!I*PKQI2Y9q1IjM>@K*-GQ`8d##d z5D$7Jk(W#+r^js~F^h??P?CCk9&hPrH=8V}okXczbjJfCiP>F&Xvnj_vG`_asw6WW 
zr%iVT6gj)M?Q>9yl3&jhye%zFu@F~E3p8PNxbm5j*2B+lrjIQM{S@|7u9V&01T(Uh zN+)@#GB7x*;1<}F1763gr?13E%e^nTt&caz7|YjbE#}=OB3|KWV4V2S>iO*5t4gPDZ`64USW#Tq+i_7)4sMg={G7Yi^0AlQ~K;MS|W;W*0i5 z_2e^~1x+!~m*y?ibq_K`p`2e^oSUCtT-!;O1;df~^vLIn_wPS`Gd%igV6a#OAN)tc z#ly}T6bNsMrAkv%OKVGOTT9F6$Y=$u9(NHK53VDKlu)-86EiSKLy?*=Zwf-B| zug0T+Ae4oodwYrHrKM7#;B-1jk`9HNyskiNJcd=0f-E)lTM&5(itdw6f8E z<=WM&S8m?89t#IZWQ)MlFAa^1|MKgvO^g=V%eYuvU)x+*Pj&V5xLpi}%RI-~?6&Uq z*49`kn@z9mB-S=}1W|Uoy*{tU3L$hJ;u#WrEF8TUptgQsm4V5U78cgP_kvOA!c|16 zm>rv4jP=~KgW*B)lO#!QYKnJvwlg@tvA%Zf6-pNXTHA0yW(pQL3bt@cmJ8V|X|dZq zJ`+h4b7=(^6_O4&b#!!evJ_S>WQT@_d5moDY=_~ibwLG)NIbs3x|G`501wR{YYDjN zxw*-*$oM?I-Q@)srp*`d!obaRp;*KS%5L{|c6MC5e#PT-6w+x)5K-8S#7lsSqoz=Q zRPLysxr5B;_+&bp+1gx(5D@IFf=e<%`2z9Y-mWX%tuu?u!eQ8{0bLSft=7)&&Kozb ziF~C}DnI}c4uxPRgaIcH(x7Y}k0%uH<#TBWJN0VS?`rcX5XF)21v!wE;Tx1y#z+C9 z;%yyQu3n9VeEZw$JZw0bY}buzJ^fc(Vqum>>Y*_~&<1!M;N($(U?}LYtSro}?<8QW zYH13Qge;2u{Nl3H<#&5LUXL3ZOl30p3g6P+4hji-5{rI`3(6x&I3-~uT0iJXMG;32 z4AZy*ZXDIz-re1Q)nYOEefDeDy1X7&g}bbt`~-p2y&j6ZySAE49)Oq3m9ql_&kxEX z3w{+Wu;!*vFa)+E8Vh%{#!NJp%jC_h#pAXy43*86Qkeo6iuTT~t5>hyy?xW~ao~!S zIY>@Vjjj@Z5)AqXTKz$fB+gDvcU`@C z0Y&1-85YwEi#&VX(cJ~Fhmb#gK2O+yR`D+{FG+kY({ zkL+%*GB#5z9*f3f;Ok}f_sZpp1MCTU&V#5_D#&!{UX(&$GKC%`#w3D}VQ)f@1fgvO z6(at~LJ%0?4@SEBu5|bH%+JqYTxES_wdeZH-YeJIn`2fpi>e@USm|OupUGviilY4r z6h*f%Nx%gT$Zkvg?DUk)>vwv69)}f^1zzA3l5J{*SfHIIfC>{uc|Um|O0wJQ4fwq< zO#(039Uhy_YBs}WfeE6Z4ngZAK$`_!8b2DU?GX}2gNeR!rN?D8%}q>jm5PMpnS2RC z_l~Y^*beXBx-m5|CgG$n9P#@D&9Nqn#d@W`54Kv^p0+kOUOazU%$N5Q2fQe`Jzl@h zODKZG6<}kuI6Qs*y*Iksg>tE^&@O+tDH4fC!xjeZt_JFW^i5M>6gu+U+{}#C8vsr7 zI<4RW@Pb5;Y$O`*ztVs6`c;wRa_Nj-6@a7PMXPmBQzeKKNfHy+m*>Z3R@%F-Mcg(@ z5%kNhx(_9uoG%o>lTe2Sb!iwisYvKm80x4Y3uIS6bSNU^%Ffmfdf>Ue+voEkI%IBC zA=Rb>4y2sT(lL8)qEDHpIIh;_l# zoQ^~N{y4aN*ol*j#o@3zTOm-4Mp~LiV`l7{7L{*NGQW=`>HUya;YJ zTBi_Z39x~~rYPgyK(M*Ft);!2rI?PEFuKfE=SRYVgL6<)f`9-GxqN~klu8^g6QtD} zYi@6EYja!8U9C+J7NA$QsPwQxMFHJ41c=}VAfE%HXc|543Bu+1O1UDVmxIZp(@Tsq 
z)YBX@qgK$(&&1j+ggv&Vs}Mt5NU*n3I2N_pU2V|Ikc+^ibXmqI69iNg&Cs+7VmJs& zYdzMMmU;?bJXbC}dpp^8^J}MBk83fR-<_WV!yRbvfKfpWaD08fP$<^i)*KC(#>WSLK%J`G-TDm(a2kQ-(CMU*3(Pno9X$n333mkx|xvR%*F;mF&iLxqr zLEupWi2$a8q!@DuWEY79JuU`WNdR)!C#NUD#jX^}T(M-fF!M|E0`wg0D8+z4V3R9V z!1=EM*rAz$|1@wRKtXVd!3C)TAuRy{1TPXjzzZ7!%rNb=+xxn@)N02?sE!eLxP76Z zJreeLV2ec^MgL_O6~mCQ)*ms7Pm! zm_;xWgD(e#ifnT@U2Zp_5ERlb&`?Ci^IWM^CLru!m~hyeFXs0SifTnrR@5TRFfbv= zfg#9>Ajk@#stHmU^ov2%7FuNp>N1B6_!NtIL8uJB9jO#~i_Pxwf)kIplAzk^ON&%J z1>m5Eu(Y5Ox+tY7IYuxv3(dhQkt-s4wn3x)1W*N`qn0=ZBnkyqDMgbYTCl(r#i_q+ z1$9=Z0%`=+MCO${MdYOlB8a;bi}t5Boq##+l!!!>JRlmfC9%usaCfRNTdiTjasN{ z1#PT5YfBTO!~W*Bt}FeZw^kfyc^<;oiiDNQVp$|zb{m69d}eoKc%)(ucJ=l9EflG6 z2iq$f+X;8LxwpTyDePR>*nw4wnB$nk>q(bnf^rAU%lGpQF}A zEpcqrpBrHFWX$eR80<*Y?QpQ9Oo2&-O_{csEw+xXHku}2BSzaj3`LeDa040)3e7?_ zrCF*vD12^rX>xXn^t4~O(raU64Cmcm*UIW9@Zs`#*zrv+J4_*0Ob-lA7DV>mz1tp# z3CH-vUUGRk>GU@B-Mnj|vC6?Vfv%o|X0QxvGTUT|;>`>(H9b4Kutu@U_|%&sC%L>4 zt>xoA`3z9)5;`939vE+$wK%)`uU);`-`N~BGic{E@M*y?Gz4)Liv_+J)wTnEghj2z z2A2ZM*!|agJ0}LefBf*t^H*=%+FMK}qEgOGjE(;A{qxsvMtGcY*ga;F?(d2}e)xyS zPhZW>FN+E%;Wz}M`&*kUbJJ4`>$u6;*BWCb1>#FJfW*+%XgDh1SFks)bw7Xh@X^Dk zFJ2BL(it!bnPg&Rd1+>DE|)Leymc4HD6q*2A%LU9x|>WCF+K3;;iE^htGnRiSPAS( zSL?v57Y`mjelak(lgfgbFJum8mR9?3f6dY)i7bei+}nM4|KY^=(_7g_75;)G2U{yoA3k_8Fac3ntKZYz5{2k-c4l^BawcC9tWLK&H-v&S&|yZd=xa!kXD25~ zlclw@4J4}xw^FJstZl}dVqUvhTaIRzqocF^?eiZVJbbjA$Uq!!g`ud#7XxaykjqUC zK6~`w@uMft4^o-l-d>C*IH9t!wzjdcna&j;uu~KU3?+eH>kZwcOjgIOo7dVR>>d ztwgFC>CpshYi@3TGdS4Y*}_t|$6+m%N@lB*ve@I@ePXGwJUKQxHJ|4(r_D}de7UeQ z^!D}r?;h=?GIpPjP#@P--80H!v05z_GkR;NHXsR{`LWsMzxXfz+uOJ9eSP=VovWRx zWFk{gfBuR7pa~%y^9t?=rDcMuiA2TG7<3a%=6gfkP9xF|+Kf&JZ` znaSzt>3Lruh7l%E1zHx>m*1kA;7vkI2%|PLwB1bD%qFnqu<4+lB5|nBF48)5VOfIx z$?bNz9B&^z{QmLxbLb@iN-f5#`c)e0(@4Oqo8G(~`To_&_I^TA1XvHq z%SKK(nm`x@Xc=^d#Q1kuu|Eye%e@|%OfFp(Z{5E2)twu+?%n!V|MFjs4~>9i9Sps^ zxV*M~;IKQyLSbxtrpQ5j$gORxEpP6nvUv*U{Z5OWp+<+^!b<$%<(qs-k_pD?_Flhv z%WkvGO-*Jq84(mvH8h~5syA5m5h(cw36WZO~Pvy{yUJ1+*v>l|AYs+hr_Kq!*zH$5Z*sC8NKYaLn 
zVwtr%qb@5bv#O&cd{Ed7&@{3!kY4M_9}W7_0Ih`h4MZdm=#IUrx~leq>SBc1>GJKa zEUvGtdZST>rk1D1$ET)?GGQ{?A(o~UfkL$i87D=YMi=_Q?20s*ff(#~_bm%@s;*pRacBq-jsp+X% z1p+bFlFjATmzR>eyU9dKjb3Zerr^h(1+6{x8(A|2Y$ic_0^zoJbFq+9 zM46&lhm3=8fHemDI7GIf=PsMIR5+NOpUqdaKd|vL#qlY}DFHV@oM|_+HrNYIEXJDp zu3p_)oSUAQT-Z(#lnJ6gny9R;PCb3{_?vGZSX>^v+jV4XK^hLGUv-UOQ{yrlYl}OX zqG|0=I-=%oJt1(%-eay$nvn^z1wdUZ9x~Fll#t zY+LLE;ekMS@9156S6RNU zdH3o`{nYB|9%)>EneNt_f8#BE=vlM+pO{v!9?gt2YU#bFckjEZTfQoNlFX#{o(z)V zeZT{=4-h1SWYA@0Rx+#b%SZ-raLzvG?Bn(Z5Wx58Y;JaX_Sv%$Ni*s~V`_5rhabLw z^8AIS8y=4v%4-&zf`$wEnAFx9*fs>|APDyU2OomTaOKL7+kET6I|#vWj;@|wAQ272 zD$oqJd3!i`$9wng_4f9F`@q38wa1$t*RSvb6%tJJfZHKf3$jKq4)2Y-w*x+&rqCOS zWKq#cF4BFax2M-hkzo&0DU~$JQyb)_pF;3-&i!Mt#Ig3+#Szl$-%x@&L8s$kSFOoapTA_B(lVMgxD4a5;IgT2XP*mF(~DAMo?s{$zJH=$8hD zqQVqKa1=w)j{d=+p6(8Y!N5?{k$2{Fc>~ErEE*0Pm?IjEd);6wgWu+YX*c91bzS59 zaTjl$ae|tVjKigq^u7D8tqv@6;<5DfY_&>1AOYJ`9qSqn}xMAy|sJnC?ABc2{Xx!;^>p1821wdo_+WzHmNa=?WWQlU{J^h1`aK!C#2K+&}u3qWxaFPm4 zM$S-I4E#4mFlcW$p7gm`1BW5&ae0Crv1E6`=b}|XR3#PXJ)xfdUg#AR#|~b-?&NtA z)52~q%g~YTxXa_kadx1$3tS={hiNZ-wKL>0YG801lrz@Rkw_+jKChuufy6*G;BgU+ zTBD(3Y$VwkO~iaIMmH4P<>pK45NZ$sJ`w_zuza8i|C#ZU%Yo< zFzJVZs)d6gug`1hrP)IJ8r@J?Se=BFtm5ea*oPTkO9 zGL1#S)pV(n7V^2{$uPQq0p=5m3&lH=@em9FlJoX;#&|-Dhocvp+u z)*0#T>x_EbtRidRz;ls!A{>n*Vlgl?)kY1PPV7>CCfh+e-kC)7IG9SwP5D)L0S1Ln(tbdrj6_4*t%t2GGT>kda5@&XTv__?E_lPTVqKNR8# zFqmLrBcPXRjXFV4vCIIOg>@P@CZ7)jRhi5%fqQV883YT1eB>Kz9#;$yjyg z#ndbj?DM!R`%G3F)oiIAiFdhOPJ*PI{&3LehIPX*AHxk}@!H+@!T~pFsF|&_*B=aq zgE&FEyuqN~!*L9lVdxGt+~tdO-n`oHq^)N?Kopqw^lE-LwY^)ZH=r-)ij@FZTzy?$ z7RA{w-sQ$zsdbWJ_^!S*sAIvBZ=-D6S9Xze0 zhh}4Zw6}MlJLaQxsgT~~+@4T4Lg5U}IHJh}Om2i)ktE5$*;rR^XJ0QzTZ=o)iMWH% z(z(J`rc|p5s-~xNm7bn~EB###bVK_)(g>}bvV_~bCF(Wd>9ePr0ltmY*^y*f<&i=-m|Wm3q1%%*O_62r_sj?Bo{oWOQoUA_RDys3~Df$O3uDWVA85KVIq z7fX}iLMURTD#&P2p zx*%yPxQtL5^9EWRQ!!l<6;dHN@ET3GQ;`JGV4Nh?d?pk$h^nhF0kJf=$yOLRjhe2Y z7imIiF&2uC?nu4Jcr^1B6iAOeHG*(B91ME)i46XHt%00loCK9)4#p59@N6Ih9n;lH 
zU3EKo+-L~0uF)!dFVb=1>wO;qp(#`-wY5NayP5DY`>a=ltnzzif=7$i=bz?CwrAQG5tEE-~74%alj zA`{^M6LO_4s4~exZF!m{NxUJ{d6x^alf*hh!I;Hmh0wrfr%uuKFA+3`RTZWfasY?XGvgve2PT{LKhGvCmsH|j9$z_?WC^FdL;h^gl@nYFE5SO;Mw)I}xPI}{K5Ec2xW%XYXd6A_fA zr6{lmmKQEIEcDN|MI_M(9gONx(3TdSvvx=n--lRw~yXK7M8myIVJ| zbay4qSVyVX1woW(2Bs&(E4!Tlnx4=NkjRz?L);26?*}nUyf<{AoL~Y#K2|;8aC2^e z1ArL~-=8mF1F*K6QBW4>My_UZ6d67!M>AwEF2WLN9%&{(A)rIZ9svmjqn zxn>F!8EwHgV1}WXu&J8|tPu2jQFJ~Ri2_=p5#~?BP*a&1!+-Oj$zC*z{qX$|C}Oh| z2Wid*lEVj5G!t1n`$}!e4?^~uVm}rNY*uYQ&?@C2vi*_$f^apqpT?f3{2Rz%8Wol z(Pd!}fdoU~UW;4D&2k*bhmE}eGtSkzgIO?k`8tteyZ^odE?kj{-=B8G^71W(sWW z{MJDTfMP(+_L5#Q%!WWEx9R}26tpD_4Tk2irqawIiK^GsXA^VO9LU()LZQvgJ-L?N ztZmq{Hb9g$U0ZFZY3MzPG~QLb~Dkw0dQf=Q%{f_FeU9J zH+P!iQGRHv<%qdu2JUadm$}yr+(*|nO-4U-Y_9th&48f^aSksxE%M$r?TUhmZvAPY zski+Z#yp5FX`0LQLEZL%cyJ6_%^=Z}I~vPd<$=MT1OL#BV2at-`9a`bTknTJBDA*` z6D&uF0)b6oW=sndU)OY50s9;+YETF;+^vTZyz}hU-{$SIwYBp<{*V9nuAUwk-T(4` z`0t|8Nb|r6KxcisZYSbLcOFXs@OnESh<$Z|KjDaY(^;LV-q&A%^GbwxXqJZ0-t2vG zUVrI-6lfs>nx?4D8{vdDhv3#lza4E4n+D=rZ?ZE=ZnMu`d+q(XD3JQBeqwRaCOI7c zqN(35R%wCrsirOaGWK~_YX5dP(0TLwOwhS)LpN`3JCf$yt=1-DYrB~TE?%(9#krO7 zDxlxhsye#e$h>vy0-RhdIC6?4l+H|h+#j~E1OsoV%CC(>8aTbuHa`{hdgIx%XAHx- zT+S<3t~eZA^S}wbF1Pd5jsDlcW$b!Trk~x2*q@tTfgh9hWST1eIcXZzVM>8b0Yf+zKEK@-z3oepKnsNuT-#02h`#XO{(B* zlGMe0&Qm#El6CaV+}^eJde_SPbH(Z8fB*a6{pwer-o1P0OrP^L@}t~N=sZ8V|Fo6y zBPWh?7wY6pUabTdN@bw4%Rg3s$8&56Y1J(XI~KV$LR+lpZPT`LaIlTU!^v9YoSFM^ zT2jA$&JccP-sVL!t43$WJ%LwB^h@HDK6A<;1di@mJEUK82S4djr`3c%u0hU}v47~a zl3!v@uifhgWo5M&QrD~I-AsOZ;=M>0pe6n*q<%F{*1_4T*-vYg78Q8E+(%PeagT-` z;;iGpK-#KgFQj?z@@rtf)y|?#L@UVr>=*TDoL1Ua>F2{4b+c5}MnPw)rJ3?v#=zbqa9GhSFO|q616GGLF(qgS1Lmr zUY8uRVCU+}uP?_Fc;gw^9O4vxTZdjpgPbYj=ho`y8cS!;PDb-4&;u@_xMKp3N^9M1 zmwS^_4qYZ*Tc0xP3(~C5G2Rh%ydhqp_IpY+zm4WEGum_dQ4@&JjB`Bd!LjD%@hGjd zYu#g<1hx!?A!p&N0m$q&-mz;?TiUg|Q%?TXYUuM^9CNYv?^D8r^LrzqlyM+vFK{p9KyhcYm-Ya(-4bMNT6?X3kI)(oacJi)&_@5~=ESru2M+3csHS^c z*0=TdL~%b`ES2o(q78=?c@X;`{Pc%}Sx3+BjkLzw-);#!EiaRUf}O(IG2SNUs=}GH 
z(fL`8aKT*Lh%=k}Ncka}^?4_0E&7p)+5D1uCAV|G`<&d54jn<~l`l4Oj>SGRdD{r* z%eQSUE;2;Ukw=sB73drsF5bz7JuSDrHLqEy*LAYZ6nZgHkmTel9HlAx{0UB@S@+`{ z7Jovt3zhq1UQbni(U`4sM33zo_VsX1+2=39@q2(TF{qp;mDOs5!%YEk&s{Z?68>9M zy;W2kOB*hn;2~IW_W%Kc1cJM}ySux)OYi`}9fA(-ZiB<%?(T!Tp4oe!^?&EDi(Ydv z)7{fuT~+f1vUpGfSHZY3V8?gCNB|e$(y3)`PSu!TYf$x63#Z+W>uUE zhx-W%bW}`0Vwnr8ase~CGl^R7H_>tu4J1fK-SITl-b!lcXdv25Ej*WM)dNr}7|Tjh zNHKltj-$4X#5T^^4F&?!Q0Q~5&pEBM8|w9d>)}xGMZ@fPNtdBQ3y!Sp9l%5uL^dGc zp{vz1d^syAVu$t!5>v2t^)~TmzRjBgdu+O$rsP**uvl|pGD{>}j0IQbcV%!~N%Xh; zpZfJRP0;Y#QJxM%JYIUsefAk|P(pE-<&qh>*Uo3F{wfS?2mtX+`5l}?EOUnY z(TfTv1>{8`WjE(4q66@BxG5WZMt#y063_Q@x75oxgpf6g{g*dluGv+aU{8xG80vvG zi!b_EbUEy4D}q=nYIm5juTUI?cav1&@|0<9px?pJYN-wAy;3$EF(57z;>q|VS3DX1QbIe@w{BX>ua)rwL1yjhwW`rTmD1R_Lk53`;|*NYAZj18-mM6OZy3ziSAYE z9)XDX=#dH}cz$|iDxbo-?%&M6bYUcxv3!Qu?5^O-ZFKr_r$wj7EjG03I$sF1YLRjO z;M2C0U>$wkXYbn5M4Z`mv2r#u6H|-H?#Wnt^+huq|6IZACf^%TALC$Fwg8m>1A44B z>*fXLfhh`uNkKlt%(7ERKnBL|y_72p3-XFCD-YC8S`8J(3fTRVe}V#9R^@)%-TmsI zM^daz(PKDxs#?2YUaV19Jg*}m0i*!5xmSGE!zHef%WPXDVCm%mVIc0_ueNz@CXix7ceF8LgOVqzV~Iex2a1~oG}ArfIS z8}tlBBgw?YOgCahzT|j2f_9$EEbGC^mAMR3F25eR)#lCm1ocT!p1hCQ)ZE(G$xLsW zsfqF7Qk;aTxwfN$mz|}`8vPewXso#FanvI~w2CgAA*eL;bi8lZMOTIV@+=R)-rk-! 
z(tGg!_))SBjUNqhwbglaIAMi=j^%n3S@ZKC_j;RmieQx){Cc3?eC4l6#H(X7FGJ&l zCk20TR+C03tMuWTC6(68Xa5_zFiWuptqR3T9^WewrJvy|-p|1kK0KkHlS*6q=TzVZ zOChlMz>eVwXq2PKFzok464im)@thPXTC?LbFZG0}8ynSt-Z5^WAtyB+{Uy%(y7Xvm|P8tCE&HFWjm>ZETcgNYsa#%nJbBkXWf55|J`q45k5hO5+3|GZXUp6_Y!UXmuH zQnoTNKN+ z?@9g~7fUBEoIa7ZdkX3r(`;Iec}5h=hVScNy*j9$d4IA9JzIHrYuX$2<|oUFPn_6N z#OYEsvhWG8P1CkA0f5p5(Dw_=d9{5dg3k;%QSp6sQHZ;T z!C@TW7(a0Eph;f%RI9^4Khg20kW0hDS(=X2)BbD6X-7FYvI;P=eAQcrL&1on-sDyX zL4@)*eBW|vwKGsV36wE0VZ>}2v{W&NCzBvKtxP68z{EW(QxB(4Hsv=XJP3K+wf)0` zapBfMNRXQJXs%LAw!UV1g^D!_d{bv1N^57(r;I*T4m%zze6>7sttE> z|%}-l=S4$DCeC=sU+vCw$j_sqy~K45s9D} z(8R~9s`n@T9-JRf$ifS(>G`-}jj=?9oYx4g8gFk~7Zu()F1IeC7+Lr|l)ZT|OQp4c zeJ(OK?goNpfb#7TC~+HfNm1{QsQ&CvMwAU1*Wuh)qJC^IyCX5&O?KsDsV6k zLg#&chL?~Tv$1~%=5*ovGOK-Cpdc%z-yJl=4j(KE&*6nc~RkBxy|);8WiX0${I z)Yc98R13x*-{q`M&fgyfQo22+UM{y{+#6w zCc4$y0@!!@Ke>3AQ{&vtglWB+xi~f{m6TW3O21`PAjmY;LuWUQ zM*GYg_}Er-L8Y3!=-~EqJU9vwac5p z%HCL{T_RB=4#}#s6(h|1D9YmK!ay znjYiRvm0A7a*HFxqH;XDM}cQQSF*kK`tZo%+`FsOxgjp;2Vkj{W&PZc*=hnpP4T1? 
zc&AGN=*2}bRXs!{wAZB7KAEthUwQJHl^4)NmX+a4CWH*bR=Kf3@ExyWh1cz=hr|QM z_lIzP7+<}FK9k^pqnI5|etEW9>ryZ>9?`vt~l?uNv#JE6XYZYGGk*t*xV>qm@;;%B<7xCiOP-`MGtvjQ~(;I}W~uH&~ClWZ+AbHUFU< zPrMp zWGiD%tu3(daVpbex|G6=+SV3OpvjI^+9iJumFOOI8b3Ru%%hvxVKmh}KRd_x`n4fV ziPb^tWJ|!HqzRxfB=fy0<+%51m388GN5|SpM(G?VORV4y%&za|=1RrgMjNDnf${_= zGhZlER!6Zuv(i>mR~Nq=CUC;l!ppw02x%`jxQA{MWd&9IQ!Aip%(-?2Q6@S6g>Hqh zgM3F!m?%u(j|F=jpv0!z%=f^Zs`oWr9ae)?HCH=${;Y|Fg zLrZs$3#v|wE?r6vzvl-AQ+xTUkI7gdE*%unpNOVM%LY|(EcT-!O;n%ulsx^u-QOJT zrs(^$G}P=HOr5J-J#N2@T;0nP`&=II%g9FO5rjJ^4NAgc+hi9@_;{HKExqGyx51(O zq&$*ncQ$bN?H*7Q#qdgg9gu6c>dlB5GZ|+16ZzbQiaUYlyw~A)8NAZzFw|4iwxV4l zfshbr3fO55K7f*|t!-;<=%_HzkhgE*$E9i!$gfN3`BOS&-k?N=9uY9$nBdI88=bd1 z!>tZi<+a8$0)30vu26Y~DYfBqzqSJzZTTOF)6O~cXw{0S_Qk@)-*(>b-nBJ#*fOGL zRSpHCS0uSFmzSTc8jI3#Ds652P;@52BKz${wA*4u-Qo$umE$6;4=-C3GOFCIJGJya z*N+GKes2d}!juTAiiPo0r5^c=OH;#~i{LCwS^NdK)yvM5=1OUy2T$MAGthuTeY2{2U%d zkNeo^uQHwFn!J@JzULc1@!76~5pRm&KsxA!DwIB9KNz%L@m2ZY6(X$_AXc85jowg*RD|#bR$~a4v*3!mrmm zxG`bjKXH&Ruqd-&aGjr=o)kN52Yb7#;~aE79Rv9NFI7d+eg+w3t)FFQ2P~MHL7o>4 zV=X`Sg50_qv?3!fS3ARqE6VLl$~J$*`APgBl`_0QhuWs5;y-JWRaGanSW-wYP4C-N7sSRey^>i0C(e>~$ zkpOi^Yo+X93f+UYOhsb>EBu9^-$oY=^Lnr#EYQ9Pv0rI#Um@YgHPdzPSJ9Q#aglAJ z4&AJeBdK1@It!PTfz~8%$L_w+zR(>+`tJvfyRDJjzR>DbvHWjmCll`+oV*nl>46w# zM-^9E8b51kO^vS^90i*&x+R00nzP2^HoDwT2Ik`UpO`X+BZ6>|yzF!cWcrM@OyqM5 z_zABPTgfFODFF>yz@5vR8#iZ6zS%YA#SH?4@ZJvJbr1LnZyKEx0#Df~WZgu}V8;i9 z?T|Jf+w|^MSZg#{CWcfs&M-0wIG_Zzv{D#SY#aS(KK=ahoCZC5oT%a1S59`Z_*61( zi&|Pdd^wENFoH79n7m;CS%h3wct8U>wMV4VSG-r^KU>W6u*|xwRNb}a`?dq&t9a3l zMwFl*^m0Pp@eIkN$SrELUAVsSjJtTTJA^1%q^=hthCQJ!_(i`E&s}Ze=3HUh)mN%=g*_*MaLAf;K2_* z`Ba-(RMgeR{L?@y-CA1r?NHY%7LMqfOj_cqwvLWVAN1j(3&l*mydX7M{Wjkj@U7q< z4_23xCj%PHUjy4y8s?PgvnHI0!?XAah*Q>k608tTQqFppzrTseYT zh)Bf%3Uo*=PJ~D;!3%9&^ZD_#SDzu9_NIldh~k*ZbdUl(Y!EajFDGY5z3Y48gb^8P z;8A?_{Zm7r1}nbY4NQV>p1}vqjP>fL3uNmz23=9>&Xj8e;X%H9> zlskmkq2P4F4bg8N6L6Q&b6b+qnGpy&gB`D%H7l;#& zLG8f{b=GypqfysOK0v%f3f%dz$$iY+Zw^2o^z4SzG+E>BKZ6%8^!Vtoic^lOd(Pe+ 
z^P2K>P(Db}9}Yl*R-r~Ul-&v90l6C8fO$G=x>0F@lhHz>=DNheDLl4oKQd_cD*g;~ z`f@^01nR5c`=?(;)=CYnSyF-bBTguUtLhF>n(Ky#Eg<@Vp_P5!eC9@tk3V6bIluK>hZ0Cjr13*$qMqiR0s{$y(5c{RG(8X`PL+=^8C zwx9yNv9zX!)pOwZ+^&aT?A^wdB|%`+Y%V9*b0hqORj*_o!elrlL?q5ttSbg>jsu zLpGW>)2ydEcfQ)%(N*49{#JqyO4qULKHzzppK*J0Zcx)*)3BbEPGw+_nee@xYx2tp zH(bh+!9)6^MYUEQ3mfzB4!Cv$B0?^ zep4TWvs+~%;RhHFVjZc66(Z zf~`z&l=VF!U-zwfKx}98@~R{-?y|BzI0i(;Eok)LPY2#ipx*Y&N z>qg{~EzBz&&4FF0)Q`_j&cSD!G`+)98QKJ)PNFK&67+a?oYsZCS7x+H<5*=4aeQw~ zr`Lk4y5$v>6-ABiYk?1&a{vZ-*Rk*b$q8bEXN$1a08dcP;k~2D*ERx4N`tH+)9GQ4 zvAx@Xs;17YZ-2@*^Ig9R5z3w?{{g7O@%~j}P;(ToZlWkxbw09LB9J+Z+}us=9Jdoy zgM@J@AC*ff-k9GaKKZcfN!YvJ-f?7& zkDbY>ix&s)IPGc4DiI_g$+9hGAw0ZtS97RYK|?dA8>e6|xVit>#2VZdTtAXYnad0O zNK&B|i3R+Ee=0etwqhu1-PbniMp z+Vl!Gf!v#mOZY9IF!#07=$_!8mXQ;dj0K+s(A8XTalS{{5y^w2*A8P)8$k#EqHN2g zl=ZP-mj3O4Ht!|fKHhk=M*lUmX6;VGA8y$A<^LKUTqRe1-L0du&dJI z+5WPYl{+``NyWw6^SS5?v1sy-qiA+aNjFN%YZMAu%+BYx@X9=EhGL8qYdXN_$`R|q zjed(8@Sq4;HC5M3ILu+SET}SpZn531@r4V9` zZ&k?GRG&7!j~qmdi;I}I0bKysP~#cZJ>>a44%4gf-VHyjj7FOvBcEOgDdY6mooO@r zSDFvAdKo%LybP5fLbRbKW)D~eGt`j-7$1^hUMS{DomdftK6=T!wsy$oDGW%GK5`M8 zaq;KaM}_M-Vl@x<&8?jeapHJLi3*dv^$|5_H*{E*Zi$`&yKxY<*bJPw^}^7y9%pb{ zin4eV(|x&1Y_8EQ5zkkQRiG2LVpk=!A{00Fsb5L^@sI(^b$tw&9rp}95@vM>a_8(IF6qGFiiC}iYg(u{^W}a1#y7jkNoJCi>}8s$^vmHiKg_8N=5aNJb%%5}Gupx|AzZH--Qc z?AMjkI|~M@6e>}FV@sE5%|anmW{Or~&g{JrVoPL9>h>zIsB8mdkU7e#mhJuMcdR}O zmZ4OO$4N^KV1 zNeBH|9v`aRzVr&(Vv;S$`E|BuZG7!EsXyb*t=|LY>1J}d_L=T+V4D2IdxISK?9Ndi z)#z@)kGU4q<<4>_*yp<(zML5yt5?%xsmu+uT!Jq;NY5NmAmKo#^%sI|4e1gO}~XRIsL_w zrmgXck#crmANjgcWcHxF;S!AUc&uT!3TWy-HUf#}` zJk0ZZTZ{9@?t@kNh6Q};#u3SGnAQahnVd_s!%0opU=DcRnKB9O91ITPb=sHmXq$hV z9%^wphd4@>yC$zKGWVbs;_1OG0~gGxf4VfA4Z+}c2Xy_s!TWOng=(t;a{QcAkcRYh zXrbomFc*U5o{*5O&H9(+j4N~Kovl8yDV~6$=0@XBL{`Y`@U^bfVAdKoaZa{ZGFdig zeaXbbd(|elDsz54plF|d@k!XMtL5Fo4FB(V+yj#4VA=7yH{$*F z&n9gaI1}KCsm|o{dPj%+yNx`vnwq79q&2z2i^1o1EQ?Se2md>(yV0)jQl|1c;|FEx zWIL2u$2rF%jUz4dkcq`AvQQ@!DgcCzjxSwwkc8SZrm%``ZZAc#cS{B{jWMqb3vHS2~OjV 
zRi|kIA?(MV_GWVj3dQOG3$co5b?XB{QG*Gy&7~8d^_wb+!$xuqy*l(j zICOSm)zX9d48P{8mQ1EWDb3n%+LX>K(DFoQ6OW)&wVq zUSCB*3M6vBA|RIRlpuku<5B~oLZ^GjGA%YOa12`lv?`SJqzgfm@K~(UzebGr>~u{< zH=2_O-&jKn6p(PPmWHRyTei=pm$#4ipLVycG{xc>UJfb$pUVsU?f<&)j@a4l|ItOZ z;2)d#lT?tYDA0whsg0Y3w=H`Fza9u=Y1PTeCe+tmSscOEMJZOSIy3nZJt0mou;1G* z7*8q80FwRA_}$)A8tKG=OQTd#OE)uHU$;c!>LM`>^=zX!%~xG+tSH%hUtRggsYR>E zGN}7vX=%xTG9TY7Pvv)iSa88iX-wf`OCd-Xivo&Ru3R1a09(23C>=t9&ZjxH%bsr- zxEYINL?ai3p)ykPV@aa@rKLM>G0(|zx!r%rG~7ZFU#&G;!}T)9c5)b{0?%JV<$JBNxacr#7Hp{TB*MU zKw;xqJiB7>pXL903Bq@O z{)c77I_i3quF$HYxr39NSt+GV`lK`sYgcXGot-WwY}uzBwG~Ed3s4;fRa2S0scD)!BgV$c($lk8p)Bc&G5bXUqpZbg@8mq^Aj(w|v#Akc zhy_98wLswLX!*!_Ea~Vz3wO%-xwOMWNy>JVRwV`#=e8KHVTHZYh@%_1R;6(UdiwIJ zvw7>7mL-V2v3kiL-cf(?Fu^ zC-y!SUNOVb)qtEMMF!TVHCepGIR9?KGlyE1eM+UMozk0St0Ixm%GI{(Hvw`OB0(zp z357u|Kz* z-Ga}@62LkXQdZt}N|#m|@~PkL@@ z>PUboT>_?1%+}YkP7UW^VIE87=n3$p#6HUa#vMBVgvVXdpkAF3!pR&3y%{l8hn+_)|4oSbqC0SQ?*3MNxq zn~v@T&`N6a{d<)S7&nsz8#y><=uwE6U40{4H(eir8ZL|B{B9Zl#Nit*1ik%1+_T%7 zUv_5j13!Ygmkj=VGJ_AZIozs%Y_pkyI8L1WO@c-wp4HHR(nFKO?sYtIvO$W0PO4UJ z`ge74aTJxJxe*aWE3xUu<&D8yp|!X;E>}@lr9))o004Z!?fFqY)5GPFyoWaec530} z@rX#LH>-n<-0n{K4D<4_3qF6f-FNVOTM6))WhRP4u33kerg-9{2ycALf!nh<%9x4p zY5^(Q!Qo+!z@1l)t&OXprbcZ+0@?g!b4aW`gh5`GVGfY60Oa=2Q>zhbDYL*Yi!~Gp z7R*_JZCG&ZCDo+K2{v3Kgf?wllluS0)C`iif2IqCgmF&K`&WQ2S(mq+WohO_46pz3 z9h@=Iumfc|eu&`n&erdQ>?JKdln^h6ae{~e2i>TC@=gbw)|2(RF-K?gTj&D8e8w?=EOB5U+H+jV2%h+z+pnTCjHbVL!6C1JQanRVb3n^ir z#eM-q#p-N#mBIgd83iw2_Y<@uebXldFy45ndf$J)wXn&iis%^pB$%?vmGDW4@omNb z-u``O!&lRG)=|kUQ^a3?u|5JJA1bdypkZ5^Br} zDY?PI$Id=Kqe}y{FJrBF1{0`Pf2SkCkEX5Wboq!>XWwsh-R@qx`@dbMV9c=KM_@EF zUpnn>0jV*RowGW0aieNJhPh40`Fqf_n!p{8UDFR5!bEMcisLuugC?T=U)S!hPdIPJ zD8v3r5{h@}75$bURhG};_vPTyrTLT9JdO2<3YaI3N&>0qFlO`kZrzEh1by5{5t82$ zP30%#&2kp`cYXGMH#sKHazQ6Bc{`Lb80GwEoo=sEJorc=P_2Sqt8W@S(+e8}pF%a# zw>Z?*-vv0Z;o!%1uD8Q_m^0ZikB*O!;VJakClqOioi4{AG9zfB8U)yNGKgCb@fxhO zF%0;V7?X@NCDfD$4PgX699GOAd{|iT)-Qfc6WrvUPvL_QyZsfsxG75T{i9Jl>8Bs{ 
zt>l09*#S-G?_Agha!>JpgG1j2oX!mBvyos|%PKDzP$9O9Q(Nw}VGJzgqg%+G?^EFp zf6QFhPmDdxk!q=?c)O_JBpu%jnpv>75kko|?f*JMU=7O6dk&%+38Z%AgnVAR2Wc;% zsmkoPGZXsLJs!JpCW++xzU`X8H@~pF)wf)T@=OA%wC8UHz$f+py;h#=%z874HjaWS z$YYZ-n3`@5$_iWUk#fS=Q2r+iEk}{X>^a0^FzV2+j1^N-fAH)Z>gAhnb zMgm6izYLYKjs~3Ijt~z72B`+qUo?NZea(8jbGK$vax+CSTJ{|4) z$4eJYB*F~$g6HEiEbTeXq}66|{E(p#AN2=+3xr|>!p2SGM!F|Z!BI5XWSiI~sbD%P ze62vKL?)DGQHEQ<;|nR`t}sc<4_3^G0Y}2!0vA$Gc|M&&JLOwQ%(+X9j|5vtoYX+KHydN^DSpbA|T zvDKFuBs(XQ1t{1vl4_|S;-)t7jP0NI_ZU55+Qa{w71^o+Syts-wDUoxMOlM4Ub-~b zr98#AiFZq1D8;7dZ*Ov@3+t|ed_eXvHbmdM?-<#KCnxVdLbxjTD2;KN+Z#!x)?Yvv&`_rh*6x=pf8=F(b zi^l4o@7Ohe?Adz?w+}XG&X-%Xy#w06+koEN1Lk=O1@#^Em>^7O=eysaVGU} z_mXyg@A7?*Ik7;;SwboCg!k0z&->ooj=)J*=o!$x+w|DFG`7BO8R%rkgKiOgrB*%X zS6ZF1Q(*vj1sff0*o8{>PqZmA_;vD84iM5r$j+%<~DuL&KwRMaqwGL znA5ANM}eo7OsEuQNDiUUkvJ8l==xM+uVZX}No!=89@GO#g-@HDj{aJlq<(T>eig>* zHZ^1~blP9G@4|I_8`j`Yd%y@3P5O|@a`osLjPFgP8Z2;Pfst&iDmqnvjk$wtc`77; zw=VLLL8W0~&Pq)?w+j6@Eo)CMGLv3eqn)^Lo-}wl9~fnlV^^u2bnp^kMi7K4 zR?fJQs}2F%H^ofiBb=UV z)yu+WQf_5_8JC$GNkiA->;e2HHfu-QxMhdPM! 
z85hWP_0GALuz<#A;Xtw0b|#skec>^hATi8IRQmYO7gD<)DVk!IM(Cno<)X)G%4s6L z$IC}sI!)j4*-~WkQ%$BLaxmom?DgABtB>(X(17fI0uRGN))gVW$Z(iRK7?qi*&#}~ z@65hSD`Y3IA`^4VqtyB^uIadO|XPoCJ?8;MF#>$U;`#Rd%B;KK5_zBI?Ij5sS7C`4t3eSg2wVi#^Iu&ji@w zz^S??P)D+RKX~-xoiP-A=~!3A6un&JKYw44HZ`{U62^EA35L|iAEM9-e61JIRunk- z=K|Enc%uJzYLCW{>$%EiMh8}Qq^Bkxlj#0pY5VW#qz7K84yAatCSrOm@IjPfat_?6 zm$Y^V#1(}vN1kmh`qQX= z$SuF`09qtRuX6zgUmUx-q3c?C&#xtLeP%k)W<06^v%?K?NbUdMAz@iVKGInLOdH`< zUZ&@W(s!KdhpZK23-6NY(!~W^+LJTa(YgYr9Punwy+<48Vq#s2*nF)g4D1Nre>(Uz zT^IMB6|z+kc%Rk%J6pAI95y!Z7lGsvOV(Z%kDEMgbH`1%lBu5(z2UAij@?owAlNOT z{l5co7t;D<%qPf4ey9~(Z*4-QXUk3qs}hee+GwVRXW|#1d41Gn!Roj=+n3m{_2P*j zg1%$>Mp0{H=TDYIsa5v_Fy2G@2->>*#th5NgJ4kdO|_+alA0fRXuUJkX;`(V>9T7H z`$U`*xBij{N2Y^)-!gD;U-ruD`!ag~?+3q@mxS+c?Cea8ufMx=7LT9soO=d-`cGKO zNzM1oJ}ndxcJ0JT2YINQ6HEJJn$sjl?$dh9>m^SIj{{hwi zIh_CPXsdwQ^|}GLKLaSAkjyOZ%3|0eSLe>q%;Ow?!ELQru&8-c&9$voL%aD6<>L z{X`LApIkYZyoXKfludUPEfi~$!1G=aX9A`V%G{E!0TGtvy}8uNokdIKqv8Oc703UWKu@ z0OuXO3k}oqbfMQ?6#whi(seP!2tHxtClRJE5C0E#+_d5-+$L_U%bP`7rN^&*VF1rE<)+eY5#+h;4e5`o{E^x)Q6{) zbNx=-B$clTB8=V4b=6nQb+ulf6UYf}$99S*-rfL%7#POaEQ#g7ovSCw-bi;siEoiH z$0YAJx%Lj567^bzKe%|%5yWxR|3tOR>uTso-Q5VB4JML<0>Y3a0XFiCwki&BgOZ7$U@9iFzhb3I zbDG(GsL~(qm8u{d!)W^RW88QxO*4!AqXKwh;!*RaH&E9*uy1vHcQNV~Bnq}k`Gqt6j0QaJ9<~Oav}ytH=t45ORy?m~CpHyZ(S3&$ zp*BHUifDWB@mnUW&7C!G9wueQUEv}`*CF$DoX`rTftI&b?=OS3BCzCShinGMs#c~< z1$orJ5;Uw;EF-B9pwi%q%UZN(A(mq$1;vAz9ZWhu#X5ceCcqqA2P|SF;9C;_LVcFc zop~SLygwQH`k^{bW?sawW$>;FvHy|MRl&?Obz@0`yi&WlyJu9@b3q+{r#5RFY$1Q; zh&6Gf7sm~_1yy7%7242ahgj9Cs13T*=mFGJH8h8WDezJ78f?t&0r9Z@tbFW0Pf2TL zude3rxDJfow^03w@rVg>a5FNqv43WorA1ug(2ureRsz2xaPN1LNj=`qfrGXYnk~!q z79a25x9s(T0xog5#Gdk*C0se~)nXS=(~kTf+WZ5CbKJSK0bVW4^U3?2uV)$S0QS7j zW;IP6E$PC31vJ;8WU1aF+9<1vd>pMV;5fILfaQ6?%{M50us+BAEWHgkm8s1Q!Rc8-Y1*5n1)CD&e#2;>v)+O zLTM^Ir5UWP$BV-hegB5qb_u8UmGfdGU7Diz8UB}}qr=g(&^?b@;P6x!`F9x^pVwQ6 zY($(j`WBu7bMd2DkAn^XYi2@RY^FbKaA${84(nuxQG6%MmonzGrsMQW_-B`h=6cv? 
z)7mC-b^@4IuRY;=Cg_8#DCc9=`ivVF5XUuv_b_)dwC;;?FWpoa#e_846G^N7VAk3tG6Q)LgY{i=mmKs!oO+=6%#ZZ zj}HVz#|K*Uk)YI|z}J7YJB&myIu4>_7@LTiBR@3q^!(@!E0O$t&rN+H`SneJ2Rl0( zcLI~Htn>s!!GXCgQ42s|LxX+&$TK0XUuh4{J^9m$h$WtsV#1V>+f7>{6JWF;lJ~SZ zTmr?{7AA>4oivwCX(rQ&3!wpVh1pjz@I34T9+Pa>x~B<7Gcv4c!-B8kxAB9@M&OE6 zXbbz7TqP%S8EW(M>wJm`>-;rxI;yCuznw^dPZ-~Mo}AhhQt~to$w@F}ltffk;XEGp z_fQa0YVei%)kITVWRzhfOW5&$f2rqF1KIHVKY27w3l!_Q!lu`wgra?&Wv^eh^V;dZ z+E?prt!*!&E1Ll4fBV@~*Pb>GQxK1k3hW`3oSG!$Ift^$#kBbOrvpYaPz39iP;nN2 zPs+>I*t{4~351v#-O2HKbq>iurCSh$%H4Hq^n19@IY?2%XObiRY!M0fN0EuKO6wJ- zL9TE;H8ZV8CD0gQ{vplNeS(Gyt0X$edCNvQUS!lZP>;`?7B`!sT zsqUb%d_-WaLyJH$R8L@L+J+$4j0xVp!QXFRWVmHY$7LZb*($`t(?mp;gr7MUhg$gx zv_&Mc^w_38hL(+b<5%=s+utN{sEYSjD-Bq&k;My8G*B!f-D@#Jf$bkbAE1tdN+@^( z^f3RgwB94~TRr^}Eh&b&D zZDu;$P8iY`H93MlMw_~UlPigDCSxJvOd0jV3Y$gTxyexOZ^|cQbMsgJw{ZV^CnGHu z*3}YQJ6nc|6ajg-8%mWaIGNOH(x8;imd2-xl>_qA&yd>CmlARMc!Urkeg9_xG}U^8 zZ{b!IqsSTof~rg^tXQ0K*4Cpt#u!OjM1LGwW-r{B`cMn8EtOAtO~V!ct!ZOlpb|wIa>yt$gwf~AwNLHI^(y}1a)7|S)us7-G>t&1-8J@ z-^$w9l$*|&L*r)#fpwt4FVn?A)SO>T&jtezQD0&Qwwd+Wa&q)m=UwR&wd8FpdxCJI zM5&6X8h`ZfOPQCX>iBYUA=SxptnWczlOM{5`M^*?>Zr+IO_b`L9;xzu4Ql^b7jE}1 z8qMN_T2kVoC?Z9hBBdE3SK}Hg4&>>ZyUk=|oRH(==jZ1=ovKR0%iCMJ*_fJ{@HR9k zi!W5g&6KFKEu z_q-$AuN*rY-yboWJct(Yk+5~pj;n_dpZ>pyZ?g{X;f5!YLNM~AP~I40*0>NzHU^RtY5R=S;i z{2CZHHHrUN<%iq(xNaUC9Ngm|Q*an7vN)*{x8Z*Mlw?wF?BZgxxg4+n9<#0Bec1{R zoofKE(T7bz6U7$}D~@G6Jly+xdNZ|huw*N9q#txWZ}a1fCdH1Q#WW-xP*6kzz4wmi z)@GHMQ}nbowKepr$~0ytFr1F|7I#NeFph5fby~#2o-i&AI2%~6PA_jxSLKRMuR?SP zI~zG(FNW(1lWwhqhq0X8&vYv=qjo45A?eM@DL9<^LtAdP72^xmdmC>B{z6VKZk4kn z&I|6zYR=Q*UC+h$_IF2RJU?1oPX-h`&8=Clxd6x5uHw-P2VqD|YP9&LJGPM)aPqz!P?RYK*M-+&HQmEi#su-7T0u&g?0} z*xuaefSH20Vr(KJb?^L-C^Nd*o3GFJl{c;sV^W@3mc#qjJUo=2orV4|9vw@dcC@z3 zj17M;_v$w4tWn$I#>%_?lce5-jTfe-=Guk~M@~s<>bS1dv`n4VwKa$5*SH+eTfeKKQW}D+yliZYEd4lR zKn+eL{7C=E%c!SjWvnb}idF3(i7_73u13}n>*?gS2w~=j@X)Hpjvr0+Nr>*Kw5b4! 
z)a(71gsl#?zdUTs4V&b|Drx#bH&=Z(H@kg(GA)LEz^$~c zs`m#_6EYtrYU`fR@zTX%-|5Thu@?uSOU=lyhu)WI?`_*Henfs^xkbyA)|I5YPnVpr9m5;M| z+i&SOe*g3lRl+TX?0(6=;36l%gW|C-T}Ubp#NDCJ7lAT)vl}ye&eJCVh)Of={kNR? z8u9t;>}-K}+}D`H(<4=@{`1baiO*5a87p`rc$XY$H~TM4Nb6~j4d5&Zp1g?Zo88gp zdx)gCvch(6hhd}lFv`Gw5^vl8VPBCE2*eZIm8-^ZES3?8phWEMWCdbm7t5eexV8p1TI}q_(S6q*@I0|WQ zzA27maV$r0AnQB3<(&f7+Z$h47+IK|S(uxfUR+5g6M8B2@Bia}no2byes9E~Oi#}Y zznq+#TLNb;7Ix%HmEo20-8;9_%P;$)VM>w(TqAwnnd!~{@~{5+^&0~{Jz#hRMX^@Q zr`$ZZy0o~sFh4st_hNcJ5{tPVdLh02{iA1V3p0iEW|i`JItMowriCsCp+SSNG1UQ{B~-WbC9e<8+krHH@mu- z-br+Jtt_l`CF7V@8yg=R9-Ek3SY*FO-7mj=IJ>mIk;=qk3642_nfh&EY-}y% z3VErHC8GhiQ(xIEimLZoZ#cWP@MQS;)cnH2%0@UGV2t{AUw!w(_b&q>591`pCTEAP z-MoG8gTbLIsv>p7BDzo-AAdPKJ~p?quHjV7LoZD}U&|DR$7U9177at@o%r_;9zK6Q z&N$uvNP?wd75GJCnOdkP7`5u=Or49|`SpK!W2k?qx07e}a&Gt0li`_}g`MpT>!LX~ zJ2^6gN!siJTEs}s=WpI3fdr_k+7KmgG`76D_WRF1Ik-x1PW)yZ1J+rLU_blxlYy@2 z#^#3P2n2$@naP*DH}IGL=r8+{$>DFl>bZWC;T?(~-MfG1>QHAoSI^bR!M>=jNd92x z_SLJM9r5Ye`Ear~=r?a1GwO}>(&X~`wf8?=S>FaPxsgdtjtvjpzP4RzsB|doV_U7m zOT6@e+bNavwT;F6zxcoWAA7EJb-`-xbO?p)@T2diXQ$_vRw>Tsb$hZ~E3jB(bD8Pc zW!0el0Ut@4wL)iVbV;fN7_CNlT*<33H^CsuaPXkknx@hWd-dA28`rKbEUvqGJ`v%^ zoLmo_#Dj&%mYZlBNZ=A9ld=k|sp5m?8eWVviM7K?hk-mRUT-Bc>Q zvYgB2z&r9qqdVzc81kZ|&QDGlitP7$x3;&J*4B&V;>e5PU?>oa#bk7Gw2mp&<(0+V zvJi(CFTU$HeJgJf_3Jt&C z9|;7PXXXlpqKe}%L%E&Kcsv5)r=}LlmCC~645UiL6X*<9u83hwL(sO?R%XV=M}K&< zyOUB4d3=0Qk&JjO0n5v7I*Svu)9LYeyner%Bq^6K(%;|55XQ#J8itVpujj~p6vu%z zN5v^{@Mwm+aeXM4-Ne;Kqf%r!hIhKt*}~lXjH*gLOd8QS3@ z_V1h}l>WZN*2bEo=u5k$4}Sf7rCux+igle1dfbKOsm%7e!|n9@JdYng%9hKrZq#cv zC+~o!+1%LJ-rm*GRV2VrByl^H+DfG|xxB3IU9W|MsxtEQ(R&}>?;9F~>0VJ4T&vB^ z%@xaHBoZVs`N@k3>*uXz>?S)qskOCvzt0&@L?1kOC_Zu4Fq*Vo1PjIggPiw zR`hSbe*g*5K!NUV_IOoM7v>j)N(IE_i>1w-;#MkMEEEVs$)>kAw>FEl%JUba6hp`3 zv2-@GzPh56iYp5Xl!Fh(<1n1eAKab|bkmPN{t)b78A?;kmP^HOEaBuiP{#8oPjp3t zo(b#MqbDPUa%FXGURK07_%^yONFu~3m+~)X7OE1qvbtEULeEjbIZT?Y!{LJ| z1x6PFrVwv17=jtEUM)FT!tG{rg~G(lTB%ZBSeU_aBaukJw2;l^a6^@)#^U1Q^3p2J 
z@i>ec%pfsEm8%aPK7ko39`TmTg~`>e?QCg#V+#xynBPj}GP=3IP?i^`vxPz?Us_sN z^?7_SM)LVWy)HIt6_&w09=2Am4!@YCDB8F8XwZ(F& zurNDUsg%R9uu9-hM@BGNo*5st>U8liEt3?LOvG7T6U(*D zwT(B_rc;}ng9H6Eh3{;yFD=e_!4{#I z$?5rOVP|V)dU<0r6psWv?y->(Xd{Qq?e#$~220(_-KGhwLzPNxb347Yoi60ExFXEF zc;1jipWj<4=H})XYO+?X)eIQ#(MTj5divx^Ly-1HH_kbn*KXVn1Oo&Py|tyS55_;m z@xEKPZox9XyORc6Fdhy`swOi|PbkDvq{l&f2%}uBs5o)u#x36EE#%8WLx@HE7=io4 z$?opnovpQ(&mR$n=JoqvSwXT5rMR=^^*d$4Sl!xSGI*~qU1~tIbIr+@ z1F#9|qMX{^Nu^TdQqE9?m&4Dch8XaB!A$z@!4p{MC7}WTgF$~d;D?!{T&*=Vj*}$o z?C9z1>4;D;MeT9qLJqW4XICE>a+%#7No)jtURaL`*=+aVbpt27E}ACra!CNY@yf0D zyk56hFE7o{4fGEXI02r2vac7+kCErkeO{N##hGmYI#z16MzN$iSZ6t#iufIgm~VM= zSEu-nM6{gUIp_tK6r`i0{lw4}S=>o&ZEdA8`J#+&9<+JORI9abzWMgW=*yAe(MH4i zZ71S%tMVMzJI~-kZYSghA5GWfd`)zQ6VXI88uCs&9ahopQ&3PCN)$tAgjN+r7;4Jw zQuh9bzxnus4+r~uI2H$oxAW?4%22mvC+DZ8B=n0Nm(%C!7#Qpw80hcr>getccXZyn zd(&lJ`U*wjAAI!5haZ06V#(ZACbg9D1*7*q{rK*OcftV<$HhinTwC0YMY}t@x;^zkQrL}e)idCzv)RtSxhSzz{Dq6n0pvn5e4uq zVN`&DV(J6@7xTtk*rJ$VEPm(y2cLcPflIEJVgA5r!sQ>jef6VHKDpA@3nocElddW1 z)f+cI{rJ;gfAmqn>&GbHy-$CC_u7@dsGljP*B2%#T76+7*FE^r#~*)s@9r(9lV%w* z8Sm=r?j0KFbvjsZUvOPYtt~yDn7{Vkry-9Eol`ukbuDuZVv!`ehX*$dNf1KOSUl0e zk!&enL^s{yOlSY~+qZAJXkDvjMxH*YV%*@Z8!nb^wmnWHy1O!~3&q{E%tifuL*5Xv zxHP6JTHF`hnOi1tGTxQ!>51XET&UI++~M#8HO5dHGs?-9Wdip|XP4Ez2^@ zu}{=!+>`HH!J{?(TXnmxj11Mn{tU?|*RT{kucsvkS82cDD3(6~h^) z`{uoSzxvfDQoSTMDxHbWp04gILjy3OZ)b8|pSP#8qc@pMZ*7|AXV9PHV**@ISwaO< z!4tOR8yI-(4UHVUcITsyKkMpuXhCKB;Ry^<~D3W6|r_3Eded^FV8%b}mxLXE*? 
zN3OE@qZ+dYX0sX?sp;h4jeGBX@Uhd$#bf?YKD`$X1!Pb^$`_pxJzCG79aaU;uBIWD zHWxs>TZJ-(Gfy9n6h+Jtj`t1q4_+C7siCtg**nm4>-vC`!5cy&9E~Ot5g7S}Tsc>& z)HLN94Bn4E`OQZkhTJ@52!&kk+1MiO@LV0}BAdT2hISzogB`kd?W2!wcO-%f8>v*L zX6S(rKlsf@AKZ_}0we*wOT(dO8I3%MRXq1U`Ynu+d$+H7c=XfiP&k}S#@udKE>m(l zUGZp7e;>?wahfJ^gTNJfYIN?_d+&ep@%tZKPe@XAt1QX5!{v+KyZ_#AfAz`w#5^UK z4S%`Oa8fYnM0Y<--GlvI+Z&4x4?i%}-#6IT*%{C6A{KIpQmrm)3eNRixqau> z4VFMNs-mjf*^HuT-CdnM9UWR7-Hc6e9Pi{q;Q)9M=0b4@$l@nyr8b$s)S+WAVdL-L zAD}3CYIa#bHw$BhTB9H-*KghZ?88s~;{J!zPoF6i9qZ}ui1orK@p%GwZr{2(*uxXB zo=!e^^sFMtTbZn^sXgG2b|ejT?7eGZz1V<31_P_Ff2g+y7U&CE z5t;K z9Q9;tw;f2|Brd17*Pl(V#CorHhkT5#U=-K_l-UIh5^Ne>2N5Kpl#7+gxg5uPuk?i} zBo&gQ`;i>rP-$|mQr~j|a9vh8n$k4c!0AXl9*@QRZYQ`>FrG-7hQ5wuHzU6T=o(u3 z!6?zyhOSm;=a;>K&SY0_XJ==Zw20z6NQfL1tE zUGv94M--sv)A^b4`L53HXf$Fi>m+4e6-E;mIxUZbBtod>r^ZKWvVQB{J?nBM1cO=$ zlG1cV6f36j0{_vOe9*tF8U)RRqv4KZoaY=+ECM4Kin+860Of*$!yof+YcXL{6>Fub zu@^61yqsOxXrSMz*t{LgWe_2X!tCr^I-OlySQ16B!CwRW!cXBsiv^4m7%Vi!x;+l= z=3vi2U)Qy3SMr6jDyfz1ZhCho6ieQH|9zOxa)mtPuBw_jd%{>nrZo&llBJT-NJkV* zzkY@f^mcZ@C{|6Q8;wsK(@=@v4-8iwUGX%l0E1A|G*wZ|Dw)F-M^6Vi=-UPs4o8CF z5VGG(A-8w4 zAj~|23&lXw3~~{`hXcFC6oUSknQF+rGC(+FfaDW|`HWtYVYsV<1J{QJW1$dwng$eJ zQz1UOB!{MZR6jK1m<@nZ8d7R=V|-#d*4cC8?rjnk9mK)^c9=EB!B2+80A0eC=jNAu zzAy+J9T}-qt2D>CTyDq*G9hS=V9+fY1bT+6;q&`dMJN{YrVJzooI6iAi7V2}rw_Xa zt~lJzc!-&rdLihH#}@|Go6{_`9X>F0#p$qqa}3EKXJi^8p-p2Lrx`YuNF)={FT8Wa~~;YuU`ARxIYkx$2^I6INHwZ?@NeWD6%D_pDh7GVZQ2KKf?p5t!(Q!OQBy&qTz@PCJYui^uwKz;TM&1jp1mw$Aumj1v3SV zZO93YM)Ov2*dqw9$K4Qxa*56yCs zSS*o@g5k@cr+-=F3C03TFdP~e3|((jL71XQs0A#Qn@aDD$96W?B%xlb)~3cMH@9}c zVP|=c&_rEDqpMV@nR7XsLy%y@aQnPqW79NE!h}gXVDf_56)h%K9QdmnEX{Owb~zl* zU??&;G^iWe!qU>p+A1n^3syDX9_Z?^)8oEz{YqwYV`X_6v;)g9L4YTNv;_SeCUXs^ zpzDKw0qd+N)`doWaG-x^5GJbL*}0{1RWR!ewZ>4bJ33rE2dZWqE(m8ZnIUmO2MIKT zDX?f;8QUCyV{VTp9uFmBp+GQTb|RRHP;c}2eX)3qp^*1yKHU!*#ac;0wN~FTJEgUS zMg;^yT6AI-6m2e)a1{NrAiKN$^2L}t5V?K#E<<7*EUM7yOGQ{mL|LmEgxkf_m@ZYy zFbYJC8oF`K>t(?bC}p;CnQS!Cb^Y#pu~-~BF-SyN;-oVWX$T4j^A1DI&CV>Xu8BIi 
zy0RlT#HgQ#ae+#V%J43LGSzu60&p)z(^muG6eIv*#Kw_K&^ltbKlhb zam-r7nu5+Lm;ok+TFa$orl)b%edEqu8Y~u^c6)v4%~cp#bwO2i-R(wqCToq-`1p9P zSiAq>`~H9r%*jF_pHA&W!m+#eKZKIx3ORG80pS$OGEN?yKp<#(Zh2#AZHL0uwZ*A= zL+}NosLNbdnhT<-t;3}>7?$ns?d|XHi^syu;pau#{FIpM00KrqBocNwSoqua5u1l; z4vo`$-@fouK!(vp0Eryqj@}*UOpQMpd-~+%*i59WmtiO|zdJeha(H5TdU-=5d5-h3 z6g|}CAAa=h^O51Dl}%BG;^^S=6pDp(p|)F8amszYFUcZvWUoH(zqtv4YCgOBV&vKL zkPgaTIYFR-0yed`r}8Bo{YR$ z+TLwojNu3dJkHw6#Q4)kPo6wnOJ%_4@%wy2tvWkByS}~!-V)*P_>$e4EKEOt`sB&T z%jw0t@7;tsicqCOdS_y6e9^1;itpH&z_`GxuL;(7{L~^xiq+Um6D*y z;L2DR2~72Z-$;?J=>3mA?DApr<1cnf^}W+gEXn%2I=Y7+{cwG#%SCEQCtb;xG*=vV zdpifaR9W6$ORcPDG@SFfowP1UmEGB?v8Rt8Ks$2&E*zcML#rc9lWtgS-7dESjDE-( z@|9J&_F{VVcmMRiy>;X62e)qgdZ?qgvr&+AXnqvIoWvn2Dky-QTvT4O%w|=a^+h?* z98FTx^5P1q8}XpOTr90`Zmn;n;>ix=%bTgpgjRg(Kh8RwZYLCscc5npHdl;hc6%6v z%J@i^ml=Ed^u_bB)y;yUG#C8Sfy@}(=nlDxh5UR$j`v-4z>I5vtH@u!+Lzf~PHnF3 z?xr0sPtX_e()7aY%;V?73oGjaI6*iGIY5y(8h3Nl^wiYI*yMH^j0Oltjwu{$sSGO1 zLG6xJ;b+Ny9S^E~jB-WZu3>lXzW4s^E4T0V{^NiA$;%fLq(QkDYHKUCm8&^<=7dKI0fkxxD`Db_#5)aMaJTbZRrTvbn1>ywkx`x`vx~YFH^OIRHV? 
zJj^6+r`zp<$;66aMmi{hfoqsU>FAA&J$pRzd~{)XR}@hj+#Kj5g{Wp)XwJm?sh?9IH!w-=kj zPEnkLb2!k6#^(G9jR6xE<#BRqJ-52PT2pM-v$aXk2%uRG6zO$298MNvjlmm(nbh|B z`p$MqW*xkXGAO;Vy*~G1`00a(k8m!;`@(zOySYfUG_i&$mEE1qY*jM#4C6|wmv%q@ z^H-CzE9l8Li}UNdc?V7RxY_*n)`MryzaDct;9;qjTi@JR+uSu& zK`f`nUyi<*nwwl$7j+!wtEM3cE>o<#E|G!K;gm4U8ueq(E6Z7Y?6MVVt+ToJQ7o8vD=et0@8abCC6!yc+* zb24l8d_$X?nU_U$3Bf|D6~-QaH8M7u7Q~rl^b`{?!+QD$)2nmCPaZ!Voi#`*9`g`N zeQNl-FTZ=57s%{Rc6Mq;(WOeIIQ?>b{N=>_;;KQwAhVvB4gMJGb~yt+ESp^mg@cs_ zQ4+a3w+6+^MrUsi=kXqzYYy$aW%l%DX{;64qgmcNbp7Uy8`lRq6AtD~C&%WE1FPAc zJGYV@@$1*GIykNw+MYK3j35XGO$iu*y>FMq7?d|~Y zPE%x`)0K!sR9#mUwYQ^#XVGg9IF_&1#k!|ps&}(QJSpm=1L7wc6oe5*9LuVx0iPm@|j9Q0DCGLiT3q$ zF%+TFTsYb3CiQwTyRlvH2BI{H$%^9hhrMoeW)XnaJ~V*Q4w$K0xuMns4OeADmAbkI z2K)P1C>%iuIu32fGE6)cOhm(?L`I`=zlSz-qbAY!-@6%fQ}u?x`yya8m=C8Rz+vQQ zx>jp^@Y$zMiePnFC7d0Dw_^dGcd-pYYc!Ce`~iPYXM#Y_aa0KgD^v=>aI$Y;$mO8S zD@IT-JGfZxSc8?t~NM~V;i_j+8MqTvMV z?TQ55G#-hBHBC(>V>s;~9l_2-6b6TNF-w*;-r@3x1JK_Gy1F<9^)#5}6P-z%WV6|_ z3cFr^DA^Yd2f@@jeK0lZ^<+HZayn&jiUY~pL;biSu>NQu9F2Hf~Dom6oC#z2zO;DG&FyFFdpzSdLswErXcwOkwhZN zGn5RDE=5wbGZcvRcSjjoh53ksj^O4AO}^US4fEA*rci5$B*pdg^~ED$U6O(UKTKjU z=aveMJMY~<54G4EUFP3CqX=Ow45z5-#{!~HkdCh8z^nmUO~iw`DkQ@ZzZ-h2gk}=S|SV+AWM1uzED(^uz{W~2Lm}G zCkKWzd`H4@lB7d0w!Gl;Yq}!exHbsGIh`rVqKK|TCi>8?4BV`frnWOhh(Z~vPSG7# zZgoYy4qPiXlYtiFnxW^@tMQ0dukwMxI`)3jO`PUawox zuqq_ev1lxs2>E15+}bUWG~;wSuU{PucwE-m{kIMjLX<@Z=j=@O5G3j08I5vr^Crn&_(V9>-Xoo)(<0$juzR4T!h?gBzmlezz35H`%5gB&|?sz`}U*)~!S&Ks+Ou^ z-{6(*&NvumP$l@76$KMZl?Znr91n6ju8V*F_g`PTew$`d96)YVcT<}x<)U3aMOMIV z1)B!Urba^qlheS-uI|2$ju@+p>nlql&U*tf4W<}OOLRnOj1a1g0<1lf9F8RV2l`-{ zFrUOoP%xSdB@H%qt&S!hoR)-IvLo3)c!hUx<_VxZ4z?~g$U=m&qT)8cY~D74AWlt9 zQRbZ&@kE?ukq>zSsL^0Vv_4YEzzk6oRay4=yzyw1vTGr(c6QDw61EUVo_2Qie|k2FgkOgDKJ24;8tOnlXvoN7mOb;3-bBAX5cIbMdBQ= zG~s%+Du6SI6S&vwWjPiM7C{s+9o;RdXd1Y(ZXTvZLJ;au*oJ@>dmgLJPIXzw8JD4o(Bd5DfaRiGEW2HxMg!*HhH7|SJZY%q z3M`v4K~m;Dyjbr-%eYoOPM}(?@El7LI2266NWY6$8Wpf%X@>*)SgDwo z6$K}0x5wvTX-$E?S_NZ*aBfZwzZc 
z7#1{5fdz;Y==E=>7wMM<%vv(EIOj0Wx2cA1fE(%edtg-7Y69oX&H7Y`NHU_?s_&hczRsKGEaPv{7$BD-9?s_KQZz_W~tr|af2p<%d_=fQ?n zRIS|5+-|2VRCw_D6-B`?lH+Ps(c^McB&rmc?J7(YqQHVpj2=Tx(=4lKDj0SlpGQ;G ze6gx)3JfulbJ9=(0wy^rUnuFCjOjwLCgI+W-ngHXgkrU>YKFtcSaG>rFiTb&uM^mU|f6+vvk z8V_qo}8bd0SHLY5$1;7*mgCd>!;_>r4 z|Kxucaa+b6j0Xt>qF>K|stMA8E>b&8!$1H(23#zEz>j=MT`Od=8Z7GsVPJ%VcY1hO zLcokcZ^nVN49i;9j%f_QK-Psu4ZWXjbBAJJxnZh;(lKzeGv;Nib_JRRy|nEN1%nT| zp}t;~ygrvzHwXkvw_E}v;zp4*?DbTHVyb3bwLqn<-SG z^)w;S8rc-pl)e|q5^n{<=O8yT=#Z%9!NXzAq%D|bu&}-lWFAC4mg@YpEyZz;<$BI^ zr*ly5ef=NT`2~3m1#8@lp;0Vwf>=CqRr?Dd{@S`E$QGqW zZDuil^UhUJ#aVK}M29GCVp)YeDfwOpfLQ2GF-b7rc1%#JPB?fMYd!VS#^!a9+S>kq z{7?T=U*CYPssH_d|9?df#5$EDZYK&s*OfGaAk35g?Rm{^=W$xiiGvCB$jsV$sFlOf zjt@>q1%KNlJY|SmsmvsYj~)?k?E-COG&x@EVs?YKzXw?vyFUT_GUpLTNsS{xuh*t%$zC(SUY&pel~ zNnnYG615iTT!lO_QoANK|4sPRu>b)7^hrcPR9>oDzbl;HotkKxs_O)e9cYTthUy~E*jxg57|-*lRH;hn;9xAQ!_aktZAe;^%S?SLOWCpIzV>}{Ll zu|??XAEc)g8xC0;d&dt&GmjxXz*n2}%_DD(b7|@|7t+cT0HJ96)r`VcUQee&{dHeX zYa!2MKQi#6i(&Jcv04YU%fZ%3oE_tAUe^@&E^qw)QT1Jl{9mZ z=umbLyuW$wV!SIHQdCP#ZQd^CqnlyvGOQmfnsi%p(_X$u}@~e^Op` z0Gub?X_{$ik+#v!m9}jutfOdtKRh`=IKoWxsmh;mL8ct}X==2784uc7zL=~kB>g1`v^J(}MH`rWzO z=0~mtujqC{o~LJPl^*`1&jrS38@VtKv}Sl{oHn-)MKG~)e$Ai^ta_Q4VI~JTx5>9P z=whmPRW6iEYw=FR61b=1z3+3=CiZ@wDE|}7&?cdkdGkPPP0?nX_@}ck%Ca6?)1yM| zA8tqMK@{2ioXUx^tOLjY+MEEW=NuZcVwp|bY#Q_Y)Tt@YYC|jae#dKmTREAShpbuI z>Qo1ZT4Eh#|Ikk}MZ8hYUja~1YwMhfrJlq3YuRgQkwb=~x!o>p3#aS+$kF}cqHyz& zd7X1F&WV}4F7~U_%Fzm%k&XtQ2t;YA!AYE?hXc-$l}%fYDAR1d^U#v+XoBN1&X9Vv zHCs4Ryi3R#b!$f(-I?E~%mzmeS;@}Qj8(L~ED$X@@6j6LNbJ2m^!M1IcZN1~wz)(c zw9i?63>`dWjGTv8zS{Z5`hT11oKizeS=Q(6agNO2R{37Jo!X>oQS<55IhyuZ?86aG zE?}E%tU{cS{|Uk8;MG%JfDf*Hz}XS@(C2)0X9v6^T-vmhudmg3lx2M_$nQiGhk; zr1wG9nzb{(F4S=k(zfIHA**O-WYK!~gxDzTghMtqKM|*N{e8}yI$qK3d|kc&^by>` zDH&RaPKof^_>plOP;=a?#gBK01+0=CB~d7pCVXUqj_{bQ8$W73|;8xeX2ZSy=DxVL{a z+~)0rmMd%3I&I-<*K8<>brJitlugX0Ka@#Rq!o6igdcf9<1MgPrSsIz!ir}8H7nb; z#_eUHP*cUNoRsakG~PRhZ?<~7mM+uC3nHfM0=)bR>#Cv^OSzQ4DlV}^`j 
z8qA40d^L|~nxa;#H3)@3GYq1^9*VFp;_OP;T!bS{ezJP4rUNfkhtJ+_6D!qz+Jgh< z;BYE4ixvs{8|W3Cn4)92dh#!jj;1odtg`N7W_OYR8yg!N8=IeqgQdt&;RCxZ3l`W% z$V4(QTx;H5ZUKRs^?~&m*2O)02|`pu*I*X{_maTJz>#nTB3g$~d?XAuEi(*lsVLt5 zdJLwQV#-H_*((yV$I#nZ4nknJDFKor2`KO#p;^jE>G7^p7=uZ&3^7P4= zCm8O%I>b`uJJWQfxVx=#Zf79CV#nTmZgT<5`4Bb2!8`;3fVtn?Y(_b@3)7w?NhC$m zG_$$64!fNlog{kk4jgZjsu^PJztnDj#cY1<#Xxba4fujE0=*_%sfilzavo`J+z=F@ zGP_yn=pXb@s57+40-E_+=S7fs18dY8>0Gv>w;Ljx;Z{tPm$k7c!N$hM#>VESrn!2- zx86vnHm8^J?|=N6%K-}(EZK(CsIM%{8xD8J&=n^Es~%d}kWZn@)najWZb8rpZ!|gB z)8%9-Os&n⩔AogK>8D4<(~PrWqer!$u*!J-@Og>a^P*xp{4nBQT*}SY4hfltmrq zd4Fi&%2hXo5!MsVbh((>TwLA|H7c6yOm=tk=#a8FJDtuIRmR=Z)zz7ZD)r*}%51*e zP;gE(D3{y&@ttc&?X>2qds&y;riLsuOqWu-rL~OcRzCR<{ey4BnYk;QO@tZ?J`hV3YAdVDnOsrBa9Pt-RWeVVqH}5x4TK<> z=2=fOee(m$mpR>9^5GCfHgkva!1QRwL8oz1s%CZ|Rw`$njf^#AVLCcZYi;A2T+Kco z8L3KU0xLceF7J0OD+zQq)PFFnRH{!+&#TSbh~W=(Lg-4(GD8eA+{VVn#>VC+16H2q z;sYxrtX2kibn`RI^9x`6!#7gZI)`eA)zaML*wo9>x%q`UtX&XIlM2O(Zs58kO;1eh zW()OdV{LX}JC%ato10rp3k!`#y;3f|eECwWS8%mfZ`A4r-A!~&+uGP1e);0r#N_7g zt{Fi$bmiHj2OBHv-+ul`mrzwyRjD;82FQt1QtxWT9rgW6RY4KuB5V3qr5RYwv*0?7_MvBmaEl5rJQ^6a9Bfkf044JLL&f-G5($b=Y zE_mD6{7fMK`mg^Le8JcNV3g7n#W1vW>;#b4v7Op@^ytyd>|&u*jU*BzMS0x*NGup| z(`%{X;FX(6kM`$3{qgJ3jZjBVe^+34Yvak|M_Vf^nN*4jM1Aq7eYNvPpsLlv{KDMA z+S8k?BNq<0eW z@Z$2qAO7J_+nItt6c-v*OcTNZZ#J|0?RP)SF0ACsjYKqn$%VCz)a2aq#N_1a+Iph1 ziz3lumceh7is{AW#hK;h(HCQ?tS&Fjy?FUDl`D00bdp+qZDr}$1f^4D%&rEv3ni6L&UFa7Y~@yx>VZlRJ$CaLq>cy423 zV`F3Un%Q4`R2*0G*^JBKe)eGIx1ary!YO_9}Y*r_i!{ zcXg$9)^$zpN+!}f>0G*W^VYqd-rjgL0&(`Q%auySsmbYEx32XM#HT0Mz0PJ;il ziE`h%c`NSFmR43>$swP|>Gyb}v2e)m9UGtj^pju3LLQI+#^KT5YaQ9WTr|t3>sqx^ zt14=`Q4e|DJ&8DK8cf|06%|ud4d(Pd@311STFojP&-gZujuBXB4J--E3XbU5Vc7y@|@koJhNTiG(gF z4<9}L%YXJ?fkBdphMf-1w3`3}la#;t|NgsA|Ji???Cp`N)t&9lp{s+nN{x58`i44^ z@z5Xt@ZjT*KcyMU>2gP+(V*X3$Yui3Sa(kkOT3x49opEO8w112<*L`?BKF?6avl^# zRaK27Ny6lnu67!tRNWbVF|Jb%uanqVTbS8Q%LK){eLjCUpUuak;m*z&Mqw~`Fy7_% z^J1YeJ2j=?w1Z*tyD6d3*gqcy8|K}jHW$HAjq2{q^hBzn8YDM1Jd!UK7$-kA_M%qE 
z>-Ea`=!m3aJm=V+U)We(C|C2JKX_Wh7@w0^Tbf$kEvl3gTAro|hNiOV?R0v(AvC`D z;%kcKIF`+9rsk$zDq;bgzmpq2Y8gOA8A-TRROw{OPftJo;oGg$uA=WRd^pc>K96g0c4m5foTM2? zz^fCaHyF8h`)1JZ!!Wkdka@_Az@5mD^XGR`U7a1hy~$?T51dS^rmdB|ByFlXq9^DvL~BtW?TvZmvyFf?YN| zyR@pIOd%WdLuxl~4vvn#n3-GL-pwSE9Z;G`EZ#df6bgrBq0YH^gT@Sk;GK?upRYF> zm?PNNcLjRGL9J|T-f>>x1d5p7n%gNMJd+(}LDAh`}_kZ)-4?g|0BOD};4j_9#T@;nns+z7v`tN=E>)(-vmgwyK z)o*|2cXM(%ua--5GqbV2f&Tt}TCDAEt~L~Dx2_J|z4yD{yq^rY=C?|oc<+^KS8m-H zN``&9DyW*YozCS-^b~1as1*&z z;#co~`s;tB2=%_f!QcGF@1f1*N)d;NK9+=O)Zun+Zg15^q5sO2NHX!+XLndtn4g@w z{^4i8{_Sr+xqsUm^y>scu&$eTZvFn(@Abyr%bTg)a$|mZGoDBe4D=bQytBEH+D_*y z4UqrYuRiPS2$Se0UJK|pR3zRxI5_0@yYsnJArEe+fzHCh5xY;>*x1`eWGB5*5(U_c= zxqI&}&Ai**4vrJh3@i(tzkypn%|Z9rQ4a7z!Mj76L4YSeI56b#_~9t;<}gBCSXc#P zYB=g zlF1$xrdq=wND?Mf0>=ym{f>d&P`FIlcQ^OVejV!d%1H?3eD*pg>t7|JVQX<+)W{EZt|f&m|n;ho@pUbzD9tJ}$UL_*1s z50k5~XWOhx%efAMP1?A_*ehMN1y#J;N^?EtL6h8jC#5B;QR00;ppvqcUkm^BNfwy+4*J08&4z> zXsta|{&y1OUgGEh5dVMn{_{zWElcpkT)RhjXq{RCnb5$K^-6WUs_Lrl>1~qB9iuRs zkw!C;|3%w;r0xGea=vhP$82nNhO^z(U0qdA;Xx-7NUgO9t(Avsp6ebF8JQWG$b`mw z_lH2n^?T1fSBv8+Ok{aBw*zgP6Hrv8P|7!C>y;yVeSKwqYGLd8r#~Ht1)-&)y+h;U zS42^CxxJB|zHq87cdGy9L9&U$(;-@17PG@$$$ zWG0>|l}f{7!yN3RI$NP>KVvW-Di<|7VKQWWpws}KC4DbwUAlB20grCOIY6Rb#r3YODXQftw>98 zD_&d*#oaY{@B+czix;;d!QBHTxVyVUad)?q=l#CtJ?A?A@2ov*?a3^gxqp8QM(oNf z>RO0Vf-?gFI9#Lr2vf|KWeD9;CN)8$H}d?=Ezq_`FE};U*%9LMSb9_YBDme+N-Jh2 zcki6f7-}96{a^ieY9;cYk`SBgSDl9n{>{xHja~*Qk1#~+)6kr15@R3*d1!G(!)u3k zXy;65G>l1x(_q$f*S_Le?AVy- zC_ZA(zwJLNlX-Y}YkMO~xh%4TeTCZv`Fw+n_dP4Hm>fS*_}$tvrb*M(>V$QmV@U4z zjO~UNGDH-1myQaw()J2`6fBr$kSNiL^n2d(8{EFkOZo9dG897KWW;7Z&*LUl>4RW$ zqSivmr70)+Ij3JuFPUy>I2917tDshyI5#)XwDT!-Ux2L4?{zwR1)Qa9TdiN74ow>( z5Oue8Hv??f?#F%)9B9xt)E&uB2&Jv4su1+!Ik|a4m{dt2{jDgR-R^eg3nTPd)CHGB zVy(?2xeKZ!sY@1d2j2YsE^c@KCy-Sx-54J|?Z>)L!e9z=U!{gDfjBQ!nUloYs+`wq zTU&8s-4oUMOG7F)Ik7KMFv!!ZumAD$;z`p^(rD}VwG*d_U>zn|#V}{!-&ngghF@Fm 
zj#S5C)Q8dcCX*BYy2Hkc3ct+lfV|QzLF{a(c24$HBKsyNp)}6{{!}Q+*}mk34xmn332c0GA8$Q<_Gj1e*&c%o-Rfqg)3;v?9YpgLk~xCFIQ@$a0V29~>?*4xty7h@*2FtGSaacOl>)4Sl?0jFC9o6lcNGzhe+Maomhk zO)2a2gbu$Obgu7h`Lwt_b9L|_TF*N(t%TMl%|{C2fH)cZ`if~4ysTCrCyevn{-Yh7 z!dDrv6^3PKcWw_Alx@9I+0aK1hAEX|E>WUk--M6To(XyKmF%14`~5N>nCZM7`IkFb z9qG);S?8SQ^s!cb$l?X8TwjG;4|ch(<~w7k9$U_y1~BmNUqJsT{?x-R=?Vi|(aurQ zR*aSgx%G7kVIf-<-=w8InA8-i4=YhBurk|O)4m%`k?k#_qoY(}yH;Ac^jKvUgW=^2 zv-K+WczHDwLS*?9d|$68`%c?Ta0Q3)r^3UqPsc}?`7#40!NvxqBcp5v90Hy3*-kOC3p71rS{dGsDdNy+&N818&#zgnKye zqAEU;PL6s{E_mYVr5$nc_+BEV z-_%D4iy~9HyZhh^wL-kbpRC{Wdqg@gZU<7}yR5B_<2%IXa*1|l8Nut-aUqIpcrT^EVp{X1wOU9@7&g0HZZg{5dy&h0k7IL|3DFj zDL?T4Dl;G7y1Pffg`an9DEn2Z;jC2mJhZ}_U&5OS<6i%=r<1GugNOU;Mk?2scRV=I zH^_eskCdEz|Lp9>Q@>ifW2)0Rs+;<}Wq9W{CMsI0`vcuLWo7)?i)VNzfIXFx@b-pl zn+kOay-b%`x;wcPLh+US3^i1;G4hK{@{X66*Mv}Fq1434#{QS~^|PA}MaF%naABBS ziCE7LdMFH^{Y#Oq|C@L9{#7}+EURh<*F|V2z z3;0tR=7p@EOMHHbKl-<|Ghh=oI|>I-b19&PK6yPMPlj8HcqaTFaQ>YDu!X}gZE!)K z{<_rbrBuy1%_7&pAgfBVL)iP13hoJW7+Fk}S>1(?6mB?S4<^sxAoOg$Pb9K4*}Y!Q@0z(h(16NGW}FG?C;FwP$rImm^1n zAn`k`B_x{13n?`3&4r;jtaT_sRF*N^1SLp>)?31xtNJ(F?iYW?;KKs2XRP|?^f-Bt z4YpIa$dbPcwnhV%1)2AxW*)I--tT=aeiFV0E`Ra+oQA0i-U2<$(li=e(JGQ^F8}PL zM71M8Es10s^@s2$*&Z=G?_vuymyu^jT!Z-A!I{w|CaDEJT@W z@Oh4*EPddi`UybR^KV&=8YO$4=tKONV~6U!d|1wYE~a5EG>vXgy1Hs(XHiaz^vx?W z7#ETGYvL~-lzLSJ+jcB$j9t5TnJ$)e!V{FH`?u=XCNOT5^#F5!zz(XYk>9tvs~fo6 zAN`;xkB>S05Cey5i;RSS4}22$;+|u0%!|8S))&y3{}~A94>9E;KjE}PvqmopN}MmC z6GJyc!{n+HO~?X8U0RBF74Nfg6RZ| z4ae<#z~YaIMOXx}8j9YT*OD243^4LH7ATGdZFZT8o6xkXkr01~$m+L-flNyz0g8h6c%xx^>AOmd0j5t^Q=(mT)50?z ztg{BNV(|aWTNt}v_~v!zCHM8q7LGRcb-drcF?UO%&EN}~);UwVta?~sT5h8SJ#2JX z?8T9p7jQ*wJk@mAveql|OTKeiS}cglFs zMWS=i^>Agjs^)$CeM6^+NePfv+`l7MRsw-~LY%g=7oI&*xTcZ^tJ31A<=f zTaau{XXPd!xXe|qx7D-%iDv)vYzrgoIpud=103PD&HMQ-2y=KGIl3m9+G2F3e+EAY z?fqJ2SRWapb{#0uJ^tGtSkY`L(1IN_c~#K&&7o2#`*)HajkUp8@BeKMz+Q#GBOsz4 zlP*z2`eP4e0#$8zFCz5CS#1w2abWdTQAUdnqeO*G>u}bjRb?7=mR&z3H*w*Q499(vjv_kabsCbPX@K-k{p=gm0IXJk`-DTP*%2M-rZ 
zQ(u8LBkrlBLtpQCgt9aG)ql9wH4Uw840+je_U|oSN>$ zM*E1eSBD91VG4S@*sfU>XBHY=a~@-jH~-`0{~7kw%89pg>^H2o2{H@7S=AA9_fK-0 zFyl3~j$@8(6YBOhNXCenOu7qN6qtLCm*-!&8IKV@qG1YSlX%>RReUj;J2(0zGh$CK zOH02us%)le@?q3JE5C2=Zf~)9NS$7mo1H0r9#Q)jd6Uu$D~UJ;D>6@P!P;dq7~O$) zw{yw!XPokR>I^ornU;h4Jk71m*|N0Mp~GLKqaROi#duOuxM5c)#kGex#M8g$8@E_v zV+%V{)x)KHZQMk()Z|>E30BC4>#n9@mqolA*u^(6)}Zbuk}6*OwF7f{&V)4>5nO>r zjf?FZzxnlg(dcx|<@OdT8Q17nMW~Y#uU=MZPWryP6(VnK+_z-=C`NIMimyb`Q1Xi1CWj?A)#i=seh39>p}MGMPI+0nZ)wS zYGRp3Tzrb=JeKN%6S%g$k&_RX5g*;}bxSB>lRiMPsCLJsf{tcJwxoR}o3e?&Qzd7G z3PWN}dhFna?;{0ro#2zVsn2KPqqDP<)zr+T^+je)^lTVdmcpSA4!y2R*+V+KfPQ0sIV2-=Ml44~dtriZ@#NrAEe1em0{NZXwOb;g*+ zwzh+kr=O3TbA|o@oh_;RhU+3nb%WIxE}e@^)CuB92G_` z4uP-#cd%0_>8gg0dw3Upf2BfIBPov=OL0#Q2v#ZB_kiM&QlHyIrQ>HF9uU*>tW{a! zM)Ic@Ju5b;iWmE1JLMyF6Pz=gU0LsJW0q7ufBc1C=- zyuZ1)kV|r^F=VnSt!-|$Ne#9jEwGkkOyMNUSX5sk!??Z<=9weh8hlAF@8K)}$4vrh zhMe_T6H2v)j%>>Q1Ua~J#Z&XSl{=WZ1NNr?enuUuMCf<7y{yrPxutrR?sgbZl^% zm-V=eudlxw*r$m79#l^+T(r@mBNt@)sc*#mZzFv5C8$-MJ8jVZq}-$RRGV4TVL)xX zh}sRQb0Vfg^lbp3^p>>g+vrk)_upvV+4AW>J_?o=JEkPP^jPUNp-vdwFHMf3bMB4b zzz+%lXjuOYz)3YM2s*jBxdEL0{&D@0*#WB0s++UQ%6RNn3@aP@LN1i@gv5q<+qWXv z?+*@5v!VXf@1G9cTV_}Db5hoW&Bky7R7<9k3O6v@P1qJ)Cx zvW2tbN-=wU3p54auTM(i+^iqsZR~gE|4AmB?by|;>w}1#m1mxI%At!69qQB&A1dw6 zz(Dad13vnJK5N-wq2lGMvaNeg*q58klfRW2hE)mXKph^Z-rW2l=6*+JA}ju{`qp6>Vm9XAim4WFAZ6ppvR&W$7{Jm!8@W;P<{kUb?@h6t=5pC`4| z>44(rJ>u`aH8s>U?H-ck{>hy`qs92VfgSi|Zdqj8sYyX{?$8`0$3pxQbCHKB&RAv& zUuIucVIJRr7pC`6NdjmpQSF_G4lOsY^9Ku@==1DnGswj>clN4NPQr)> zPpXyZ=4oc7>72X2)Mzg-MDUA!`=}_+yJFu6lRJ>~LPAEO<~JL+HP{GdUTWeRzZ+)$ zZ+yhq<*HtMpcW@BZEJvD>|Z3DoY+Ma@+IH>^(H$agL$atTyp3AXOth5+V(s7R=`tW z;>O~*??c^95~SJ4@9iaTFQgQ$!Nh2w@%8%D?-~1ToldF9Tw*@Mf==Og%$oL0BInxy zOzZes#!;2}b58 zF3`>g;Y49!azpJ^3=I7bAF=u_>ksO;Ouzu1q=&2dSm2uT(QVS;px3(3)ydEhqgXt^ zP;q=zDAN;K(?EKS1dPCGA^)r#dnyudruH+;$1uD9ges?+wl_7sGBr}JES5q@cww1Z zCf?#flb=>bg+@{&JIhO$GkbgoD1HJ~m{f-}I{Y*?W;!zW}1N7RYXaz;a=^UI{8N$HtE_EsU4B9!%Vs$a_L zDgDd5>>Pp%L|2illR71XG`+#_uSZ&a;FgwQ*dg>sjMsGKA08mm>0$T 
z*CC#X{ZB5&6uomqkTj*HkH}}N<7Y(KRNoEbRYxIq)bmVLgZl&yvEKt}fqe1#GDrRF zC)gacixL@laCA_6OUT#1FbG#eCqM9M0{=b#M#trG55f!JBH93oAM>61E6zKz@-L`< z9mpiXuAt>*C++pbpgYW!HpkB!wnD6nAAe0Y94Lp;$RK56Sv@KPzAW+30iGH!*O3I3 zDVV82ZY&|?z~&hqO%Y_4eGodm12XuE)pmOKd)Vz;-cVehtG&M|_`jbCV>g7nd8vdC z0n6y5N1Kc7c(J`=itA`B+KQO|Q!iCs)j`;Qdkqk#F+7@8gj6Z z5hh$T(y41k|99W;y#FosTfm5lZS4Q9eu*&($=Ln|djyneFI@i5X6S$RBB_)lW=~QB zDZ76x=sZi%+VpV$8{RtszGf{OvW30q$Gvk*AQZffC6b39MOmhC9f z&>w4}hN0}$U~{EQ%9Aj{i3q6#v$ zB0@gBdvWXL4(C6mR{M=Vn*mIIO)G(x^S|siQ`Edj+321tXO{elzl-@zaww`ql=4VG z0Zbx#SHnAmeC_991%&S4^AF@$VKY9e@M~qctuX7Fha~V~wpz-bIz^}EEJmyUqSed3FilWfK6C~MO3!Q%N2$MF64_XnFWy;{(c6$_zAhpu8?}PB zEQ73u)hK=tW|$}eM}LG=%n|NK&B|y6C}P^hpwyczo{mLj!gC0ivkQQ^H;O-x|Cq@Y z39}aHwT(dq6+U%EwMK~2*#&&AnaH*%=P5${Q!(dC*~c&Ww`@rfa}_Yr>>;C}mSOS> zYsU^V^T3sMa`%@g6HGEBeK`T1O*8V9ywBPO=q$g%KF8p}$MCas$sQi|U_D|?kGS8M z^3hL}IjnI)VYP}AVRf&F^FfdRcl`n5PgaQCot1SnYCSh-N~0s0UykL`nYgS1Jo+`D zTl++Cfl~<`&mw<%WDIMke`ZPS$BgTQMvj_9#%K5n?S>}|NW+uz2?K0{eljyrSk}=r z)391pazZ;%0-L?dMeC!~>T@X!GBZH*BDsVw-_(~GEMOLzjS0ZsOaW;SwJcYJqJgY| z&fjwghF!D4upXBRN#2`5Gf9_z2UDS7mKZnb!SAUqySiyTaYzc_qQ87ogIUN5doQe? 
zU37^2-1Rki4YNz|nKk^dM&*NKoXBm?Of!r#4?Z%1h1{rj)VYn`n@b|w(B-Z~upn&~%`G~6qj|DBwo=WN3ZvQth0N6!TCnWsX zdOiF^3m&5XH?F`APrnqktL`KIc~fPe@sC!59grEGPgyRpSD{osxMA4`-l46KpOO8Q zTx0qB`qlDhfB=YXX!xdu^IwbYk5Kn2E+j*S%cFc7u`vyPJl(tl?_QG4KZBW!psqK4 zv{ zwBe}pfku0K?akp^je1o`9QoTKH&*ZUCu5_1=T8qa5aV!-+9i6N_MH^Dw0UszkFh)J z{yitgRD`lzRRZpQqxsRJ8?UgZqEseLl*7s6>EraYA)lW1%~?vyTDMd=dQnA}TnI|# z+N~GE38bBTJ`~q-&?CQ=u&b9t7M5Zfr8W4}Xq}g*YHN4CerZGDQluySV};0HJv+B8 zgR-xSf_WmkqR>VQzf}6V-Q(9jh;l3B^C|m+Q>*msX8-FU1(?Kj05ujn-c{m{YI0rB z(yZm1)uX?x7YaliyJnSc_v^X6q7LEc1JY}wx1oHqmUiiQ#60Bfj|f<6TYJzh#tc;h zi~Lje)lMmccaKXT=RB4?S+U4|#7BsG{aU)g3wet)%0Z2bPJH2w1lqvjrIi4-P#k*N z(7+^b zawv92<E9!t z$v%^wZ-sy4Se?&mIgB~EwKK_fwJf`oPDPtl_&F4$Kt=pIMEnS4 z)OZdQtXcek`~!==oL;L0>p4A3hA~Wh12we~N`#v|ufcP$vY~JT?BEeZYn6jyH5ECF zeoN-}3Ih*;JQ3nKM7E1bCd8zOv$5OSPi}e4dH92>8~m-ca-6(R$%uAIamgH$$87`-5*p72r z{b&fT;IZ=QrhFpq!}tr3^No>-NhK?UF8GWG`190psOLfDFtF$@~l&gT&K zk0f+lm@&EL;1wS`6%iYH0doH zrnzb1wIEO#p*E?y7mW6CjrbD4qcBvR4A;CFBgr>p99}Ml=|SrfIBdsb*8sj{L~5X|FRY_>w^nNvVXRpzluO`0d>fde+A@L$Te>wyd_#i2Zfz-%9VI@lM!JRr(E9^zMR!j98a&!t zMPUG8@L%Bg%JuhkxG6YiV@ACp3sq<#B0PAlO&F~(@3RRdzNp!+4_sCg{!NJ z=`vXq^bb6EZeCN1LdcV=vEEu0R#covPkaj0mq3jOF=6ze;^#}BvB**q@qIQkHc!gg z|H+QB#Z%M#m0L)T-^VZ@%l8sMr*kf8QqrR+Q3_q9*e_Mq?N};dx@bKSc|LNR%%YyK zAVnI9E;0MGaR(kmluFaOQG}0hV3&yF0l`TO3_|uX*jh^2xTLTpOop zapc@Zw~Y6zhQv@nyaT16k*?v|%EHD+*2$Al#GWCf3DyrIpmR*-9reCXWW_I=!av-zB@Xm_S>obwVcus=l(Zg!y_hg(EEJCQZo*@Ilklqn8SQ&?z zSAbvxXc+6!O}&&j&Nkv;=Wus@6T}vNtcQ<*X!k>Ey|7esnyfjTlp!}bBgs^Y0n{v2 zpvkH8&NZIiu`Hbmfnd5=%!}pJyo0H=y}xGUy3SG&S!bZ=?IPBw!p^>mnXNwoHCE(z zM3Jf&YV3Hozh~m7!)$s?f#v;J{h?#JOWc#oYW(znO7C+=ojI3IclQ zbi(oXkxQgdtUfiAPOaroGEUDx($(iNgN%tK;|iePIhn&PXl5?pif1+Ra!!c6j~ih6 z;^SEgy?}rpbVd_Rc@K2s7@^w}%90-u6|9nxW(?;vKL}#sA{VI69qkro$YHev#y!g3i=a(Z3op8i*lcT<@3tJy}RQa!fNkubg^5Wzz zcw9Nb%Ki;>wl-!u&hd=1Ht|xOzih@yT)6^&UpB4eJt!El*F$*Nl)qcJ3B<|NA*tKwttd8j7=LW+TrywbN$SX?_To^IIQiM!4$Le)CPcw>IwQ@ zx&yCq5u2uAT#;~fMYQ{s{q2&Z7mGPmg`^};gH3J1p}6q^3cXOxP@MkO}fr 
ziLIQ^GmlS*^J#x@W~i@01jmuzxPoh_X{K@ATd4hSDvPFIKx$A>C779IByV-;QdVN} z(tE%$U8)~o zM_hZ(=uJ-C_~94zR@PI`&&Mxeu{?KJe2VApLWw2wOfZUItAIdzeM2iz^bLxjjrHZ+ z5-ha_dygmu6nOC%6y>9e8IMGew6e0|&7oH9o4)?r%*Df;Wof!wTkjP+pMW2zaf;5< zn93_}`Lc&z@b+x<$~5W(6Z*zWVe77Uc*>p=od_*Z?LBe~aGby9M=mY3BIU19)aj6S zdzS$TL8?0(8S&;ZGWL*)FLi5gu40mMeFM07D10HF%P%}#V@n<)9Y`-NDJxYpL+c%_ zz-(0+IxerYvmfLdS9#oSty1e1H{hLbbi2hvRl%2?J>0$~@8u^BU0O4Yq_hR}*Nw}*OcC+587S@ChG-R=}^;#TfNm1Rre)ts|VA7ocnV$b$ZY-?$u zh%M5IDbZjY&l1!k<5*e{@8edOo%}YnyWrhfJp*WLXsT(*NTJGBM$i`d7mm+N{2NnE z3uMq}jghD`KwWk~=n zClt00_ViS?2f@c;GSmmEUz@qw%O#S*`Lz7umU~U_2U;@yP-;Xl#minEvfmy$y9dSJ zf5EhuP_CY}1UgEwB7Wk#cp0z{lvR*~u4 z4wm|w{}OaU7fI%I@Nej{^b^yBFMbKl-JGQs4`|`MmKptHHoH}N{)PzZj;g2#h<)Z4 zy-P7WL444vI(5Rrf=KbFQ9?S|g&wZtY@t`Sw+lbULDKq(%fjH@Zq2-NvofBp4BOD6~RBJ0&U!tK%3pE2;z*O~*-crX(?NYP+FhbO*$`%#&V4R3$m7q;rhE>-)K84zKsuR@Tl7#C48)13L6s7h4}V|VJ(R6M+?KHM9t(~BCT5hpfe}XBE%$TlpDJAex3d_ z92L((UX`v>akspcz8-!cC$ymucppZqL7eO=2RTG+(;MR*2~S+2=<8e?db<~SZYNBh zpCn<+YlA?Vpji!F;Ln}grb?+l=?k!2Dc7?DBhN0Bsp;MyO;^A%gI3EBqGGwYY`FdH+=u151)dsWV#PCtR5 zb1kM_^n|-zU_wwYW#I=P5?ZvIjY`8IIisbBV|8<@7!Z@IKeuMJZ-R8^rr_XVFLqB$ zGl9Tn-6>EPR>@eS!z^(#RVIi2FhgOb=~VLKr9_09t`&JvP$2oMjO@CuUuigrwA&d* z*>G~gwTLlegw+0hr-q}z6iX>j=!`jhE-C3B{W!Nf_PS=Mv@pL;MnQUv`J*es-q-Ce zU{cWW@twcy6v(xbm{RuEFSY)NvJGP)QnNHkR??npqW-$UJ-jRvlQ{bAaWo-T_^m91 zm-XiQTD@#(A7CU=Dj>9$k?qYd%+B}l(zB_mIZ|z!i z?)J9qC&077$-&iu?hVoXMOj|-@8AYfapJy2dH$`bZ>{gqaB*Q}ZFyOHR$+Pvo!H54 z_aLaLscGj%A>KKp#qe9o%8K0D!{yyPn-S^Jk+T3pb=aHV+l^AT@9PyzvRqQ!SiI=b z#8|bAnUz^MJIg?S5zdPq=X|;K-w2o?;pSSgfui-{X#M41UifBPW^0f}u9mi15b_X`*3=7?`u?)E({J>)mEB(XP2y|2Tv>j$qELpO zzTxsxtfV+rLtBb;Rmwn?vi4v>Xc!Vxfj3{rE@ufT(M$8&?O9c{0R_pi8~=h+Nt8XU z>1Yz9cXW0(B%}b+>i#Aw@}qb#=%qh48&-C>UFR5%8H$W7IRt$>o9Ua-%35V39L{>Z z(54vx&hEg$FJlBR zzXM*#!K0%JNBEiY8kLIrE~wiu|Mh$5_meG*w{Ntx_dPwmTOa0!B`^Y{lg?mqcIfcX zmvOiWo)tMm!5(Ho*866fxNs>`&sHAZr{}G4k+tQ>vs2p7xo!`G(;Yv*V|Zi}p8NMM*F!b98y_&gkJPZ!K`%S^WVwyzbh zyq%WqB<-BEzMnhzd~~@ATb9vk&5^hIi+W2^U 
z^?~yNyu18yVV}KjYCzx@_9vMym45bnE%Eq=yu4ODJ#-s6Ii^S^IlX3|R+WnCC(5^J zzpS;gF!;6V1bqV?k4IZiEA#hrO~0}S2_s^8(Hia7W2!{RVkAidXGk&$U=9-0{`Bok}rq8P7`sK`(1+39n_7xSteY(u#uo@zma&?-Kegxfg zZjiZ$v#W)phm|RB-0{JY0!5FPR~Nev3oEm{P=?Op$`>8h{eK0rw;9dYg!2t<2@{sN z@aR&GUVb;XOMBX~?C*l&S{j?{8yod(CW79#DvGVI49cckdUL5tpD8LTj&=*SL6Gri z&GFlxu2vmhIXr)LY>u|1BT4T!;|nz%cYf)u=jEURvn*_gnff2Vn%af&{{TRd7*q$dJDTa%Iofa zZ?6JWkAP)m`(I#ni~fB0t|CuvduDG(SbGq%qp-gx9NXU(FM$gM&ob?lcM#(qIo~LJ zU*)naJA=dU%FL}aYQCKuB_lhs$?fR*^lxP5igEdB{k7`Vl?G^gyo2A?D6&sq$mu5h z_Pl$d7f2=O^LU@2>3t>q*O{yODE;jbY#!gPPZh!@|V&(OY9l5-a?XiRsx-99Q12eJ9 z&X*D?2_kLwA;ul?AS&Vru!}}WFNKA1x;YUq7JmBNH)MVW6cQ8dXi2vhb|6X79o7^E zoj;@w0)c58Y|2I}={E^}?fhEr^Tdj{s;wGP5Fw7vZeFD{zU}0ZX;QUH?stE_+;p(G z+WL~!X^4v-WKFud9m4AJfvYx=zVw|Vy5y8{eE90k4Yy8wK9oiS4ZZFv0lUqQ=cc|e zjdYMeR#j4!IBR^5GxBO2RV`p{Nr9ll+H{5)dYEdHNK>I(mL}C|IOuaTDxpC~kR)F; zWfNJ4O(~d`32UzOQ_9`lKQFJrw7u!8Nc2JtlQwO#t%jZ*y7?qa= z`}9)N37*osB-eUi|kZ&snLLnSt67j)Of{3QUxVxX(iqkVV~t-_-TPbekjz$<&_dK3=#6EO&9i~c5#5E z>MVBs@$xW9c(DPu$q;*&N4d_k~Hhx z1dnG=oidh>M*{}RnmX7x7(14L$=IdKbyO3Q4n^J$Doa%ab)wHI#!vF^u5O}7g)}rg zk_QTK6AN)IOs#IM1Tz!~7_ZRv((P-b-dU(Zrs$K(W<8_1O4HQ6ovcIHfyu$q{Bo0K zHJV=c_a92;U{y9JJ4_h;WKF9{1!;--V^t^R4#%QIxu_2?b-gil2bl%4S0jr+YjLa=*&<%D^fx<;i)I?3 z0p*(LH%?>hH%T|6;Wmw}6m0b$NBNPFks0z-*;3{;H36=HAJmKSQ&RR&TWh#pYFtO+Hd#4>MD{#J65e{`maiZe;t#Nh07|4-LJ{T(-hEL7B_`o@|rT zTSk@3!Wsv>96w3=p8Gstq`mIi%-oSDbI|WHflWF_j#kzA3LPplW1SSTxaheFuz7eG zIpi6<)R*wQ-SE{Y0%-zBLW`tt_Z7Rw)+Whci$!e=A*zbB)77Wjm*2#b2#c~$c7`UV zWtYp!n9wDonbl`ibwZ8b@jP!mVb6q4Remknf83rP&znS%1gp$m3&FEM-y1z|b0*WG zH|f@BMsVol|CG!%XV*B(*@IWA6EWSDjNJbzA-zTcMw!j zQp8ESg>f%5y32XZX$}mu5AxPGEn$#?yzML=TwwEfi>vYZ0(uda>LWdXKtD6 z8T4Zh+>3j$nnbOezU!+dP$^2qXF1qf&8Ju{)G%RqCw&Ml(TZ77m_@6!B14uw)Ganf zN&n-CCA}G^j&=76 zUGfgsLi~Ceg-k+$96$>p36w1 z=bo)?h4@>ZFU89Aw~K7;&#Ojn+*Ps# z-j(1Iq#p!_8ai}`F5x`*ReI#4#1H#(6=is)-Fc?(eS+HW|3wC@6)P%tN*^CWY`{5< zhNBEl-6z`Z?v^(}bkjpvC9hj-ABsn$7$JO_5 z1+a7-KYuz7#?@N}up6{F9^H-}&FUBGBcfkRf<}1fifKIz;p!rJFb!0sXe(nB^j$8* 
zc{16hHMkFI%CeuYBeS6%vXulBg6`VMqs!Ue$FAq24Miibo3AewvnD)66KgQRK5Fb% zNRvA6fizWhJD1$om4#>lH+w^kqaE9K$#QcCXugjJMSieOp}MbzfR>c0hv&RYYzQKC z4W=gR-)GTRMLXGD9&oYolSO;p0^0u!1n_d*{0$>qAW8y!BJS2m3Po9DaLESmpR2y=(+ z{BN3t6-`Es6658DfqAO5QrngL{krwnSBD>APgp!Dv)-&JgFcr>>(7Uc?af>Zk*t6} zVw}I#Wf~j+6OyDQnI~rCj4R}%BxbT#DcN8lM|JkF=Ha~k>SM&2P z3uG=^w))M~Gj-0Og=gwh@L-3oZ+W`EHAjfwn*_lcZgDxM5^_Aq>ZqQ2Umn29pP$(L9@H9xsKxYHIk_K#cY?#o@DhW95Trp* z6>G{R%alIP&F!xT`v6;G8$UXo8JW#tBfp3F_E$+}{O{P#=>W=HFJd*AmXC28tepDw z*1^~7s854#oIc_k50CH7kT(5>(874v$TvZD*Ow*8h1};TmlwE^YD=Z8m1kJB?#omA z!%pU~YC*M8`4A0^((Lz8mi_Xw{$hWy2v4o^^7w*e>nrm)l+`F8{B3Dgu31mcWWs0b zHrj@_GBy^|;_kLXy&3c}mzlx4?F3e3)pNKP*T7H??p(N|QmaQI>tcky6{%L}CZKwQ zKn*I~k72M<`Hc0KZA+sOMJ3$YdT9OSAe-OI&e`kkZVx@NYL1MGMyRn&*KhL@YAb-J z6MH@=so_=}h$hNwvL8H`nw5@$Z2)z>y8YRs$Ffseo1eZitC#(DT$FtU>{lvIcf?V$ z;deaQ9c9w$D=YAB)#U*hTzmdtH6SG+fxkMD&S;sf@t`q>W0ud{KuLdkAac8wLS^=r zl-yH{AYjlc^?qL5n;7@ID{J?3KdT&cs#cA{FoL>lC67}+Zr|Pn6f4=!>=Nx#3VZ6N zBnEw#Rf#_0buet@c-N}JXo({6Pydz8?H){pElemjHn*?s1oJsxbM7Q-yt0*bM617lFfj~x>%W~ zm@UR#5PSAwdOCd4es_bWoePK_tbXRXDZ`Z6Aknb<%`Cz$2+JR(L=EGL2h$Tv7_b6i zXN6N8QRP+<+~J92P9M==^l#!55~$60m7!Ub2R*{5(lFgFXTe9L zgc&aSR^2jlOJ3aU*PC_2r~5jl6gG37xnIzk5(-y590DH716vDcw?-^y#__NC$IO^9 zdsRX2+_#o2DGhG;_RT8u6RHC?H{Qn?UwvYl15(R`y}y*wKGU1Quc&FR^Q+ECCYap} zu3$52tx`cUIC<6Zt0feJl`9hr+Y*I@P@Vf(>HGiaB zD!&B4$KOdIrOGJ(o#eV&GZDGbit@jd@d{B%t*)yH zxLAp`tLYFFetwq_ugPj#%UYA}=;x+v|H0kb&}OYX(|P*ZImW8pXOnTnSnkCR&W-vY zI1anBH07ZS#8(NI*yj=U)L(NAb) z)U8OShj0dSc$;YU5C0G}7WZQFa4CrbD~sc)95Eo&YN05RPrEbDxBgw|h^W+N-VtLe zkE($tcOO-bJvj|(#sk%2e$cN3{*RiO8Sjv;MT1^k#`g$3Al2<=o2G zR&bHvDC$?NS6JW z8Mp8V&A@RWC|3B<$2!He9W8Y+Cw{;4Z|107Y$JS68wf4$0n2q=Girw|%n=Y|Yt}>% zv{N7y(`8%yia;eJnNDq0lN;S_e0gD^wJ0MvKrirOUJpl?O(WNYz@~iTImw~~SrBJQ z_J?RNZfO-JGCiCkJqL#tR)qm7&D+=8R-rzt_fO2~5gvF{mT`lul-6fJ`El*)b~CtzI02e z(Qf(+83IEBryr>C8AdV905R9s_w7{gAB0IZg=v-8boP6DNz}5cVFgWc`6UAuNzzl= z1A4t2m8N%*ati(l-u^!v3cy@VzxBA5;ekTU5<++F)QM`L2Ti_8k_Acmi2VwecDDKQ zyeLb+t&0wvG9D1&MnU8Mf4Galb9f#o;bMzp!kwoR0{pNNcs%FiBXO 
zf3;aDTXkQxb|CH&V(q6Lj4#xqREvX}TwW3R8*W_t-nFA~Si7c(+1k1~256w1psYKX z>ELmgQ+MRf3glt}@_bX&ci*>@dSd|St&!!<`k9eoxH7L~>#=|D{AtMjOU?S<>*+s} z@SYqg)5-$|!wThEof52-LJEehHsQ%}$ka;27d_k;V0A;aw`&U2Ry%5^@BTg)Dr1xIsV%@K2<5>0o`#QgW_fS0DcyaRWpN5?ogIJn>YADzZxKokTN*OBA&@m)oj5uKx4)py3;L+YEa>sZ7$qrubhf+y^3T)c z@$u8{>}`=sI_Q3JWr2+_Cb}4695r!>#U=l$34nw=<8gfQjx)GPt;4!h89=ZhXru0W^wlF*8vrBkA|P{%SuL;>EJG= zdecB4RN$JiTI5TIWY?Kbt8B4-<3Z-4FMsFL&e`kBxq0!70rp@)h4#Sb zXwFc7NnYVS+`qq$MYnR;?|)A~hH;(uKGM}_z1!*g*-0?hd;+jSZ*b@8eiL@i7_!*~ z0(Id?YCITHzFqND=}`bjOK}pPH=C$4`*D9nmh@T_duuPZ2vMoV;}F&_DS>nEnl?Yn z&1Ct!Q0^$o&`^TDPCbit`?578LT_>7F#&$b!U{E31)=u=Z0Ve7Y`Pk-BV1n!_J)QI zaRG_Wy1J6QIBLuZdu`9^u;i`TIeub&eu9J8(lRb8kf)QE+mS{YtG#wZ*$f$`1Y+Jk zXTDx4F#PbwkwBjl*DQzRex@q${^=ge8K|B%TFA3tIdkB47}tM#ia-)AGW!PV$RJe* zfS@c_XEDKR0~SsaU&PbLQn8aR&}4E09-=B)%SIf56*#6C89=7mfO6%?K&iUocel;h zMdAVioz=h76sut$}9g$pxw5_l7?dXxe~f)W;{%8Wm+QY9U497RVH*&JkC& zM?`S}aPsfJnKH+^aSQJsOX`0xDBVTuwH3suO>vQT(k9S_zK$E4(2k*9D}!5N=`7~+ zH@gOEdz6r#qls|q%vqEF7J24q{@82w;Lm0y6pCNl3Aqn@Lr$&ifGuN0KT(y_g**T& zpWDO!CnjD+e9K}7cXwg&{CZbz;TY%nJ?7??T_V>g#AbeUno(2Egp#^U7lU^^r?RRt z;BiJ@d%XC|1cDS;m_n7uy_&1@cN6g(Ry64Mh<;_tR8#NA-?p! zR5}d0G|8;*kKVw`ZGF&;g{Y$@!NmhY-^|2Yg4P)aXLomd8ygqbvp0TeU3Jwq5ut$* zbQqev_eo1zdvaAXO_15Q|Kg8>lD&nH8?>UB3GC3Fi`RO`OzzlU)}>Z{5Fp!j9pU(y z=BtFMP0jCIC^Kb5-bfb6;etgG_;?;dIBNINtop3(JGOH;?zJYvUj$_@Z^3c1M|c085hgZ5C=bpxgBlRCBIu5B+ohzP7M3^%z<_e{=;yP@)QNX9W&=nJKIFkX5gpU>yg{WEMX-3Kv6g*~) zV0zZ^US%=K-N}lD6?2S_2HcF^VPl&X&zr32c+uy6_^YN-jCF7P8KiQAJwil_*R! 
zkhP?HycM>t$c&6LD>4`(K04KW?JasYpJ_}=&)Y$`RNCInF@I0QAxvw_QP7>Wv^@ASSE0!WCzQ=5WQAcG*_=h^SsoSG`hNc-Rf3Gz9%8a)k3K(EA>gMevzT(AT}!^x z331@Xjw>1}s$V`NFF7qWf^(92M2CS8{T@YE_mXdGw!z)bluK4kxAIrLz%rWdA^yA_ zGFf=2oY&LkkM+%wTC>z4$glAacnMX?6-BAqh|{f#&7O!x+*K_p!KbLTaNl5k*SLast#K& z=bSxNf9ui1j+Pwn2MjM;%O8$}$r+ZT;94vRVbT2yVUTs3_p>m%OrFVMT%V|mYmrNf zXm>(<6UVC8btE;r=GwsHi&AMrbm4)%>oOH3X-xm0M7M1a^Jm9^Sltiz(xaru@qXD2 z0j0&Yi5(VjdZ8MSL{DHLK?1-{W_|6!W;*zuElC|aKK3m;=g?*LxVWvMdTC0&S(Q#z zIGVpnV34?etJgCIHhEVBLiXXT9krnvMWIJg%dT6ql~{sr^^dB@M~=IQfcg}rVtg(i z_xzHQ&Ui*$!^%Odg3R*qolen3g{cMrSkC7S6J4`eySMf7-VK9yV|0;6U)ZW3|0ID! z$_PR(C&^_GQ&5n=^MZzWG0c?s{PR&9?unaTCZ3a`=Ep+V9C0F9k@%0(_Em>=dERT- z`Y(Hr1u*UUdw+i!Y`Kb*Xucn(Z7&c)R5q=jN_9d`0zw}0V2cGZ*4KR6oJEqpEW9IDRsYZy2=P*vUuY^r% zb{8k9`CacSJaY?_rSpV4G?xmSg3kTq(IUn2e`qj~C9x+40LW13AqIM=50RoA5e%_T zOag(Qk#{rUDEyQ{BbmEM{|7oMXwuTEIE_65>SgcFh=oK;T>fZG>#^gOFP$5f*BBT3 zw9qJ!15IBKs`8-8#W-C~3TA?!EU z@L5sO&CQ7|csF4?(@_VgoO82kw)Fe@8y)-t);@;{SMYMrlrn1(Fhpb$Giw(o3;9CN zVf|TF+tEwyZJ1>{2RIkQXkK>0P_dW+I*~_FT^rU`=?59C`_!1Aw4>5PFc%?@I^kHI zMTS>fJY70Nu3rTVlh)C$QyD33oul_)7d|Rf?1K}ktRqFbxWGkBHTeP**FuH`@M1Xc zeL#`>eg8?vDxTFZPi@}Xa{o4}`O5CqkA&yllRu*eR6s$gguwIFj?bfel357zLa?9k z#xlO#keO;=g*%0eJ5Hno55FkMtstzK5kNHmg~HdBoYcdPtyZh5j9^Y426g(OsJOVb z9o_s%t~B)dH2x1eQPNK7;xDor2RiNV-&JE{aWE>V8S96Ov!a0$LI&NTI9#80f?ft( z2RO~G?sucip?XH<=4pJ%d*RBa_&-k-x!8q!l{tddxd&BUU(bsmB(92On00-b+nC5@ z)=GLeIl+OGn#vj3s{GpQbJ;IkEm?m%98uZzGYeDvcv9_us1`u90FDWw*Cmcy1!g1} zEY@(~4}vi+De3-<_2JkU&b46t08xzmJaL=ad+gG=OJ!Q1gB_?1B9aR>)g_GVim|*B zkZBDrrnoMe1`ZV#0vVXY{4LcZ7;YSD3|LdUiX*$R>WBGEVXwxCwqPN%o4_ zUtp~k>Yh)w7bl7GqonxjQeB@IvEk$Y$#f)LSt_1*x5bDL?H;Pb(6>#|p*YB#R|cA0 zap5ZSlZ@C?H4r4fae&$Z3N!m#q`5m4KuQK`m>H^id_obC8x-z!g(kyngyYRCZO|QU zR$7uB!w5UV$pg`SW+6SdsK9rdnfFc@{A@h5U1Lo9L=&9x(=l8sN?xXWy>=R^h1O7D zicYPjE+7QQR}7)*mjK(ni87D9rmTaGIm6rcaJL!rM zk5*ySOX>oP?8mv0JV`2yqwZPSw z0D0Pa5^B5&392Gd(R^N%cJphOVnk zPY5{T$!{{#o)8Ez9L6sCr=$EJ;vP^IXzUMLQMvZ%ODf;yPSCL#cv8M=RYnD zmKe{0TC6s@dLUB{oQ9iVUZV4QNWY}5Qkw_6)$sD`N 
zVI=P8u|~=^SGsYam6xweNBoCHs{Bxh4dG|t+eg!4pdyj=pA9eJ-^#3O--Uvo8l?vXO}#N`4hm(Nwn0M&OGOmbWv0y1Hb6 zxeB`1I>pEzV#euHREj)m*pq+m--LX5d-JoLr2DG|hpiY+x7{Fy9G7}cLKWH*!gqWA z&eGuqqXpV;aV>v@eOEUUbop|}ZxljX=t?$O)dU2!!bSzyK^)2gDGs7Jd|20ApBoq5 z!qEC3ky28W_Q;atg}%5X0rJh7pnN=0pG@ibR*5cJO+qq8KIAXO|2374+#tL5w=??q zzN`peb*Y?_1gqIzmrcf&i)9rwZ^wXDmYJ&XW;BrVxW+X_xgx(bdX1Q2BHm)!!&=Qk zR14R!%QF3=3Wijzw5xe+35drf<&rgSvrm$+Uyd<1SS}9a>&kWPBf?UFgN>s1OP*_0 zlI6JAp{RWLzB|BD7d_3sn|kMMLt4y8iV9X3sMF~cexy@NIDD!w`jw&HzvKRuF|riJ zTi=5}vGk~rDKBUD-7k+yJ3FR%wo)Zj{|8u1O4dY{VrJ$Du^;`rYVYamG3qmk*4w3^ zr9JBjU3Bf)!r{PDMNK^P>{*|GdA7nN?U|e@BSh6Y|J=$4Mw3$@y-m1a14WppZ28m) z?)^_J$R8Z2p5q_`mJTO(ulYk)GN1BmK9If?XKKuRQ(e51B#BqD4vop3d zQhycQQBfP=_kYIZgarJc44r(Yp2pz2u>5Ln;3526n(fBp6Lf{!Smj-((aLLsnNkzV z`cUPf#c>M;8#Z4b*Iu_?pW!|DTj4evy3Lv6r#)TVN>a?EO>@K-(S^{ItDyk72~vS$ zGJ)`^QXyt|3BRP12kDA18RG(~v) zK0Kh={qc679YSyWTb!m`zPqmHQI0M3@%8C3Xib0%w14>eaQ4bUg2j)dj!<5eo&8TT zsNBnD*JRoO-)X|&JJJY&FM3^FoL6MAQa9CdPGC8CGEAU_v6n|g6SvMqR{-{ziNR&a zXa(1K)q>w;ad{9kzn+2J@QvY*H0h(&d6`$7cgWGsjIuqdRx!as4k(aP1mYIv!H34n z@NHx00p4UA<=-^G!q@2m^g`ogaiRFXD+L?+!?-ldddk{cTq0AJ9P1}a`%FfhHsnRN1zqE`7oY~R; zg<3)cdh$aIeKa6%RB#=5z?DQRPf@3q4U;1IXi+}CU9|X8TA7h7d%wm$mT%{+!XT;C zf?>yy)&rwRZ=DhQJ~^-N`T4+kFW0{C!?0aRri>kn0VIv{h+F5}sHO%=FWU9DjG$-x zMx3Vx{L|j|N7s#C){#CpE+JjIq|e<(zV5?@zuM@c2qTxDyd@k`->KGG+{%~JjwiY^ z2n;;VyYl{}tZB7CHEX`)>}91hKDgq5qLZN~w)AdYvneE#vT#O2STgndbmOEXn-;a4 z%MVEqPJM`$$$5m7#rPXLml}UW*x}xKHPyas^l_j|BtJ@dfp@wjs}Y1!IAOs5TlT$; zMeuj0MJey#u5eipM({ngoMbBct5(HQ4}uY)vTO5kt&ioAeT!4(jSV$@ww-q^*#v&$ z6L~ZoOeqZghDu{4Cpn+p?O_x{82y!u7@otFyTb6zGdHUb_*j%Szp*`43>|%V91H#{ zNo|Gm$d)++VPNssd!L08Tx+b0;7Ntt80{K|kJp5I0?cY;BG?7#Sm}ugv~s^S5U!Ar za4E+@qP|X%_f*U?s`q2{`_)@XUvFGHz)S)-2}nXcgS(cRtZD zH|gS7&DRZ?ar-4#!PP~kcV44_Mi!#?Xk<}Q#T3C-knURWKEj(1y<}vI5H__)jXb(( zq&w+hOoLmt3YznoA3tG}#td7bq3lC`_YZznNoqW@#2HyT1insK1$qm46@L zWZ&vnVUXR*E{LodUND_NPPY0TfhybmBdh~O%ts$Oi=|y+XEcRXHOJ{zVOuRuczkKN z_I0PXjaV|~_>B2A_w_kQLYUviZus@)^)l$YJpE|3_E+^Mm(ej^doMn6{}36RqjR-8 
zQOC7Oun&kCr%n3defswLT%<&u^-X>aWf>A8KBxi0mHP z!Kh{mV^RZ3C?ETn5yw^Ep>$Nr4^V6s$p>TCqdU|#%>qiS8w&Id*A!}a?;8afaXF2L zR_GU_y5^3mZhM{z3cKA;30u;hi2UY6ApTcg9vArSip*g_l6+vPF^(t9vR20xFrXV9 zB{O(+{8&=JApfR{zL(!t<1fAfj)tSjd1NPZ$nozk3m}|CaXK~KVT$9q^dzpX;BLm+ z!)8Ikm%8~mOj$PKZkTkgPW>Z7_b$Z9c zD`N3feYJhzGmq`;wQXG5)WD!he9qN4@vKeFfjGwSsxf&xvC`i(lrHytA@i1DBZ{h) zQ=;iHr1OyLMLCh6f}e#I$buy~-e^a${M9G0%Mh=fpDlIPE|$*t9P2ccM7%#~qTta>1wUBRqfg3FT_BuKr9s zxBMN$logk^eLrD$Tu6U~2a2bA9KT5L^nAHL1xvjZtV+_~ql;RoJwKSG*qfbHvfYuM zp@bg&XBB#4rW`S|JGIn37#Kw&2mB_`^EwwjFA{$fLmYd@fNf4uEo|~X$zZBS^<7N= zcO?*~86E)fU*QX(*k-`k86}SpSMfxtzuI>+dWlLPTHcbbydA(7BtEkuJ4Sr9;%Ot+ z)+h}wyrj#nV(z|6(c6e;uXsc9-tB2v&J}t#JdvPXTuMM@v`}w+?%NUXMpxN)kGi;2 z;_rg+i78(V1^>N9a1&&@;dV;H#gGCD0^s7d`PeflbpI-*1 zWL86&{_8%dF2R_?eu96L6r=4mm+I9sCNmx2~XOu%QOlV z9P=EVO}O3>kY)`0KHq(v!Hno`Gc^lcSl}kJ7zC3dQ`*lb-I^!JHZ2;v{B_(l;LU4s z5njVG&3xB(JRV-X!%23Okgh`XU*;yJM}WOp$EDeP?EV<5pYU9ZmA;sHHEPJdR$ODL zO}Q00??|A(7|Q1!3Y#UiSkwGsX11?h;QV8L=Jxo1;OVc=>oVFEeeaZ(eja0;;@F#$ zNzne={6X>;?Ju0+v7*pl;~p4>BjM!Sp(K3t`t#-~dUPUV(|ru1=Re5P-N+%#v<~9R z*ga!mbN4tgX8~`Mld{5#N+H|T)^FL%-W z`&1D9)6!2{!yGjn4a_ezB`|U1mg&2N3K((&U8aIL`{(!nd0-e4(P%+acsA9k?tjoM zpD};d1}v_YaFm-Of*4(v04J`F=_s$QgFZ+nT?uwgd@vl5{I^3!9d_-FR*)V7{f*;L zdb2ZTh1z-c#GNIKYOxm32n~1Zm`IJ|=}$?F0k#J_ohdG?5er*f>$eU5#=kOTL`FSJ zqPqiV{x8k6{9p_K&bB7`F7n7cWYI;U+}_br|GTp@ca%7Lm8M5?Ccx&)mlK*qMJAxX zzkB!2F3O|zTBhDeh3lEFQsn+Nj8i$wh&wkU!~FJMhTZ>o?jLtmS7NCXH5dx&fmzE% zq~)=)Whm>FT9;@S!d%VFkbmH|mdr=F94hP1vZe`n(gGV8 z$1E%#FNZLb6dPuS=$dL1phd;q+Q+C&Qg-}2G4^lDk^)o&`Q-Y^0TBmK~NXx zGba~U+e!P7LJAII7HF!+Q5JbC8d|DR&(WPWbK2sa@8<>|hEe8r_H+ak4cn`uR`)b( z$`H`=te~$$tFegj5>!)gdhy0UP5wvqfPtBTpx`_w;fT6Mg0&(r)!XN8mcJ=^2y0vf zWqvkaxTXx@#Ky62dH9fDu9ZT4cCw0b)8EnY2nxUBza^e_s2lD|n@chB^0v63$zaoG zOke7Qt(Wxs_%t^1Zw(3dMB$XYF{?FMgO7qOER^Ye2$_;AXo}@e?ggz9aVh>EQlX5tqdhOf`1S6WG!}|9*u^aQkT z0W$ACiWN_@>@gAh{CO6Gm6cO7x(+~x!=HoveiM>qxz!iSV0=)w} zUMJs{htFDCpdp+%S^Wnle6?FM%lzhr!ql&8SLaS39hZOh^#T{}5_#gCKu63p`ruT- 
zJ}Q>0re6eyyQ8UTMi@b-QRdxQ`@%C0MxWuyu@WA+lKtz4Uey54zz6qcJx-m&A(NsK z=3y;A89i{4jpE0ecJJ!;=K+Z?d;v#RB_rK<9{i-{KQcZLd)`a)8zw!Ah2qSbc}B@s zw2AVPY8i#yc zQ-8wK`Zco8DfPJ>foFOVrJl#;P?^8^4(wv@;I+2peG`F{MqA1*>QA^973Ar2P&Y1N zV~EJ#SG%0Yl1z8g42Aw1Yh=((x(8+x`pc|dt`1){->Wv8vCn!mduRmVj%wZ*VH;%> zj|S|5Z0#RT?=bWI0q;Xkew%SH<%+hTjb^gy^1@)jUkBX>?Eu))$vG>Xt;u6)WJYZI zOsqTZ_qgy58U@(Wq z#~q%#v$faVrPdfsM~4EYxjJ}5QG9X2-zlh)p?1@q_v^o^pr_l@cHfq~!%Ta&dMFVO z)V1^RHtXzEJlA{@(3f)M|0t5od$sl@=&rlxF{xDMgYi{MaoSXtql$)&O~=DSR>RE9 z-grsJ%Wc+>Eia3gX$0w2maEkGoujdTsZK_=-+AZLRA+#vtMbgYUpqjE?|!stO)NSr+bRuP_99T&3CS!b;V2R!L;AUqzDWe5bEJiOz<_L-y^3@=2$&Y^1_fM9TCXN%4CW;|+aPwm-D4faq)mD9 zE@lhHS>x}OVL5eIm{GEb^{gJ*mRLoQVO?y~1KB0|m7|Nmr;Cbc9L?*kc-K1=O8A++ zfVxO#!6kuZ)_)v!z`VHBl&fevd7#QOL4ebL%e&|;FbcPb)kcRWVnA(*gDMR{TXltO=UnJGt_xK)0yY4fft5t}%=HeHN92QM#Ye=FyqU(7k;K`qtU<;o33MGH5fg|UlN!1S5r+o$8?Q80ftr}%Fl ziHul%hn=%i2{zqQn}VO;&j?3~z%@?+_7y+JSsOe!^vhL148x8eJdImLc3SG2o2l0% zG}UAh**uE!r$1a>@j9X%M3*~NjM?IgG#FWX2ii+yB$MAn-gQ)_#OxS3OQe@Uh-Uj4 z0IUs7dLM~PfzJznEa|cwITQX%o@LfXM2JhO-B_=NoUI z<)YNVMXd{BETutiZl3TQv#4YN6#*6~;;8PtBf<>CyMx92l-k&Uc^&%g)9jTzqFzRsj~ zdY^+UQsC1i;myq(6B{4&IUL~v&9Rn3MgN7%-fWT1`^ysA&fkq$w|7`(&E7k^agJh% zd31B+*sM9D#|-$L5Aff3?lX^j=(*C!77Hw~8-hTnf6|FHDj9-0S%02+Oo?vjU| z!Kl}-Gn|1Fx8LJ6!jP!Gar_pom&vn`uo1hq#LrtrXtaWA&M%tq@`Z=jYqjA0(!%-( z{X47v1ahsK_*Dy9PC)+fEu<$yqXgKRb>on+o}Fa#6?a^OX8r^`&1StKdB?@4a^B$? 
zAcDTjaQ3ymL{Upq<<=Pp6R#J*1A!tPGH-9^_HN8bJ2!9s(ZG&;2(TJzQVrI`{~g~7 zj^j;q*g+Cn?^XoXzC7y|0qqAtUibno%liih;d;Bskv%8*_DMXn=wCk>bhG*?-~V|z zbrDM6GaOSVkCLZMiPwm`D=VXiO zmdzbrvi3`$ULjoK+c3}b6v24~@tyzfN8`oe11=i;bNbdwNXfGH0KGH;KR^Fx1OdOr zF+k_TZeWdx#Aja}mfJC?)C2OG9zZZ%Up15=r!;JBI5|9UV!Pj#gg zd+K{0pT9lfntz+Ypvys2q4uM)Y;t$;a_prWHd7Yt7Do5$!EtUWYV>`z%?_rResBGtxK-Yr_}!%%9*bAA!3b zLfTLyQ{8R=im|=j^=0;w0BPpxyiyXN02+;o$t5+IiK^0i!=6^O@~{+j^F8t|AR|08 zSh(78kV9c=BExn50Fb9Q5vQ{cS%%AgBggePR(|s?Qd_dL2MK!HgA-tYP|%ke+D-{c znH>OwVcOE7Ft=AKSKMlM;*yUzLYAkGEv6Web%R%fiK&tK<7idT^TI$=l_?p#&9Pj@ z`3TkE4-5ltJGKqCnJW^-LF29e~AS?kQ_$5LP2RG01ASBKt5ze>ZWqSrDoH?0X(UFwZ9?hkaNM zfSp|`UWIKhCOn`6sI1JV!NOut<;bgeEiJZ)JW_9eY}n-&8nVv$FW)|!h7~`>vBAVU z&}D1`e0zN-B1V;MnXsbtLs^d2kRI>07#9b0xw5<{G%un_%fV8^8?kCQcCK#AwN0mF z3XV=R&|sJ)zxH)V_>gC!v>Ow*i}dFkkQ?4R*yZuGzOG5LerAGLA^cxD>+Z?bCgV4T zSo!wLmAgAWB7WV5_M6nlWXx_w^C0$oXp4LT^ix|CGk9-oH2ySz!DCZ1sMBQVV--h9 z^h^(?-B&NhSim-1t`;6{oot!kjzrk=D_Yv##xKZxX0(MpIqZFm+{$X+z)`w&)O1nY z&cV(OQUAtmgnwJNW&;rCVcDbThwAa3N*`PTUh`q@0JB|myB%ev&dC)QX4dDCM;%qu z9$mC~c?g82AZ7732c6&Kc3h$$ZV?c8DbZuqrHuSu*{l$uHof1*RHzofzvc}Sk`Qnd zTl!q<68pT;(7eE!w1Kz*msc57q$sxMAQW^;4b>L^8kRJV*It)NG-%M%p6Op4-kcp4 zR`cw(tC9ih7m{s&o@md;4n3ec#%opoL|4B(=1cH??QZKdY2!`iQoA4EjQcB^+van& zF@2R$wv{f2X7$TM*!b-=mck#4S*q_0S4(Tpqr?)gWlOnF+q*YM0vyD$ z&h1%~Eb2uy)1(Z2%inj0G0EU@G{tNg{L*V$>ZzvKb2o2ww{rDy^>XIT`GC(b!W%G1 z@4?lVSx)0CiqqexC7yn?PLnv6=G(mk{w4--3u5;>TWxQ}r9Mvcn3K4d1^o;xnF`Or zg&0IG(F^A_lpCfo8KkqcP!=j_hb zqt|0UG*xn_X-NEgS$%qvuBgP1o!WCR$X%edTSXuxKr(Z`zFZHqbannBma06(K!h3o zK(|rVdB6KoFmPb01#V@n)`hSjccXt-1n3PC@7e5m$$6b?%KB4E85sUo6to)`@_w%P z3UA(I0wj@8tth}fabOrZvH>+EcoA1i3JE3kna8i0p5Q#*eEJ0 zYP~ykIXMn|nc~!>s~G1lcl>rX&a>nYLI6*)6%K5G-2$%QpEW{2+`#JVA9;8h-IJo= z!|?VNG&}n@1VAO>D=5%eUa;oOH7C$WC7uz$bzkn|%f9Ya6L#R$^M2623=xGRKE@NM zXPsvYOG_s{Tk$_XzbMRy()WZK72G~8fSJtQKR@d;Rf_$-dxjfI=9;_}`sL-)B4pEv z)2WyJ|2?-y26jr2#o*y=O#a(>9=&Pxp=Lk%^x*IJ2WQ^P>%fBKZ{%QKpd`wJm?{8d zii~KX0uR?O_#ZD5ruRZ2<~nj?CQv& 
zhtR)|aTlG_iEDlXI(Kg)kv!YAVU6tSPTIut&Dlci=K9bg+97G01YzxgXu4|Pp1C!f zbac4kiOGx$KfQoR+F?;8EF9~&$f6woj;`Pc8iQsgcZ#{SH39L!3>$b&Jq|U1Di~tF zx`iA5h3Yy+FhQ99Z6yeH7KuL3dY-6A@_;pd(XBbXamf>6_akh4i}dh_^qag~x;`FA zng8Lze}$^E^pH^L_PRGBQUSR{fv~+D@>Nn>uV4CIr!iQNXeQ5&A1lqx70YQ;lMBeM zpRK-k4tfOzxx)4usEsy0BeeXq2eOZtlTjYU^#8=!d#uCy56*sfpnE7a5}-uZDA|t0 zP1Yzh>Sj>un=Y|^=LZt9F~pgb%9Pe<(IIzmeNEUWq@W=GkFl_6JccSki%%Nd?7H%M z!z%`hIZT>+0^yN`%SV!aNXT>|$L!mmgcKG(!BvD0?3{vd#0M4jBf2&xA?7oZj7vIN zqXST8S8xCZgPp_PjMoH%WaZ8lXesjrMFGOoYg>7w=}QF}gi;d)J@i}Y@?C<@d1=!e z3*jq>$H4sHuOs&4(Qo8{)mkCNQAt>|ZxNmNK?)cVfkjN%IPro%)q}TIIBWqF_+nJi zUM!iX-qB62Yi=SaTmY+yUrQ%0d~7`zV{YvG;H&kGiwBlWZEQqucKT4Hf>5Mli;zW4 zmN))enu12qS&LRe95h#xP7IN>ubgl6s%`KnIG2CBi@irrBs?J$s~(T|*8b&-Re@E0 z*CO+CYkeQujOY(sGOjn~Be=g3fHJ%m9<`c8DCNZeaYV#h<~r86oYm7}_q_R-_7S7L zBYrA&F51O2lWSL0@&tlWf9fJ;82_ty!Vvi%9qZ8v%DQ~X&2gh+UoGGKM4|+!Yk;dF z$HH98N$HQo$fP6slKaQpwCF~Bun6XpLMIf<-ATjvkB2cSZx(6jtD@8rc2LE30uJ15 z-H19!qS~$3FDxYmbDa>`(KPx$VLT%YW7_OZ{1irgTFv_b%le)c2kD&ZbI43BdXfa8 z+!4Dkt*t+_;r;yg9hgxJ?n-ra=&zfSgSnLIR5+OcZTU8516gnWQMnGkyfYGPLwYz+ z8gF$Ha)|Ikhr7M@&?xg3sBlItojU!l2enT+6g zO5;b|yyAKzjC;z&e$Xlktjx!I6X}^d!ev~Mvsf>=FygNVgt2#$( zUtyWHBhv%_ zUw7O5`zyMcA)oP6tBR}jvMxo4Po(LMMa#{-waVi8#&q>Ro}ZrJks>}Yc;OOm+zA+ckRWzBYGzWR0^1ux^XvBh>hbL0*m7Y_{`P$^J{7e z8m&0S;*=Y9d&{50s`=%zFZBpNjP4?!Udcc_<^8#T-*swq{jm;eu~ai|yjng%^|;-W zHi3D_9Ev0hGB(q%j)o?)dMPbcCVN^Rnn?fm{erhrZjN*^FNx!BC+nR_$pwWsgTHHR zqZo>)?Vg+hWb8)@WCe5f0>GvsnQEb2M7otl(YiOO<&vSAh4Kx* z4wD$>809!d9Jcz>nExjY_{{wu4VJxWTwSGhqbfbpPrWx!H5?X3(u#jP3SQG9ckGeW zvBiZUa51lmE)EhqaV_e`5o|nv$0{fkRYYssDiaR{Wzk|V-0llKSekXpsuTnDz;EnBIlqBE)L+6l3ZOcrkFEY}!AbTZ(Zxg_8TUIMS(HTlJ}4Ddd%aB* zmf6sl8o1;m4?o`gI~Bm)&|FvJS>5!zMjKeZU9tH8-X$mYGw$p8**fO!>{rPDlz#eM z^(kdLz)hOOk9y!tA2%$B%0>IL6Gv_tKk|2GMyL)HsLt$&*QYa?$C^}B8}$qpM(U>; zb;Fa>c4(e&QTNlhKAuIwljy@Z}0}Rn&Wv^9KsDxbXMKX$JUI1n#%oH8jnJ=A;zR3aIq$XU{1+?d&a`qsTkg4 zWHwH)!THL~a7xYNQ*N%;R%G1Q_= zQYp$rRcQQI#PfHh|E()crJyJ!{AYhmsIoTIwzbqEFqvoUh9%6=rh4*D@g6vB(3k?I 
zBS5oh0!`T)2>sK!tFL1xMC3p(8*h&6QQOG{`2wowf14M*o0H0H=?R4ohsuXBoPmEX zkfT8v2SVR(v5qb5qlc-^-$-PZ#k)ZGKn94t7hAA|6HC`BAAeGZibLV5W3+ zW;9f~KFfons?$(Yv_`T*AnS}@2o5yq_2K1eV`PgRn<-O%zn0;se*Ha#OG%HAgjjQ1 z+d5_#>Z6}`TKepqo_4bnoAD-cXAJLq+ni$x27+cfDNly*&ia}v(^7|_T1B6 zwft2NNIpUP27Pz)bb6|;ZY2t-4y9L;netlMxoQ?OYc|Tt4OHfuF%jy_D(%NC^5q^O zpPWoaBT79FqeD<$HS_)Xm$LlWmQB?O>?^vttz)WfH(gfluTDPnX_tl(7Yi#E=O537 zZ;__9wX>J?3>Vf6?5a;w<~%N{`e{?h(0Fx7!4m0RXD;2gj-L#x z?d|M)Mj5o7eKWlf`hS|`K>=VlaDZFh_}O>l_Kj-W!g0spnE?%(?)TUz*?lH{j$S3e z#P@S^L{o1S=-HK~m?$srKCcAZvH#*%c2pTJ$&tu1H{xyZtI#u9T;v$pU3|!~CxPVc zuiN(kn(pwiXDG-|i4B0E`%<|v9B0Q)l_iH4(q8UX$v!QJ5J~9IjO;8Pt%l360w2)& zq}y57=tc*P3>VAz$LhHMxlY;$;rsOsw^EY3?4Nh>b48@e4Q7mhqMxJuSd$01C~Y~) zP?m>hmw0-g>Y9$4cZZa>zs1N^FyV5|>jxyWbYsxrj#Ci?`Jul`-J}yRKOlmfjo6n* z*;8h`+ttp9!GL&M{wV_TD11@&P0<*)h-ii8l$Xdq4h^2H;2c(-p{wWwM=|^tE>+ z%pF~PUI8#j@ov~v&3(j!&-v@yWquFyM+^)yH^=?NkUPq>8Rf(zv(F>7FD$1;K@@e< znvGaN$N*)_s#mX0v~#iy2($VIE~Y!ToZn+m%Ae$#YzCU9$)zuCU4(_a$hXTU6ie|i zZF#h|nN3jMM&n@M;{N}F+Fib{cQe#93&}P3rWii22uQ_;eFlS0 zgosST6^*0HjvOk5rb<*+Za`?cK?ogdrZs8Wjw~}_1@j~U11lU6R%V6tPCohNI{i#1 zj>|rIV}j2x9nN<>N!E~fzMj2tPb#8q0^v^)PDlU%Jkw?A$&N=y%`G@K3?sD+pW4ha z0{O?eENLh_qc|1;zV9dbC_z!e+3g$q=UoZeMPnZ__f6#+kvet%+sg2taOE=!JVcLUUeMJ|B;|TZ@Q9|lR}}m;avyY`9&~@Wq;Oy|%V51K z6)v+X@x&SAd;Z*G39SU0fSnN8JK`4hwCgaVfITOdzzC^#rOwTX03jZVEb~>2Yt`Qr zIMqfP-h2tM|GpGC-A*JMM);Vwd)t4u_qMSKdkewW1k&QqeHea07;*dLj1PjeL{k&`xgjZcJ|?*zri6 z+v!&1T7R#fmTqgitFPbm6#Pw|hiN(=S`ffL`d9BsdyOsZzsaos#2RLQKbx_J-L8Wc zy3E@i10`Te(q*$pJ4wCgo4vigprGlayX_dhOiNQ2{h**%N%N{?BCPCh*x#?QZ?4$k z|6AqofC8qBpD+o*Wyh6xHhtbA#%t_6yFi@STUQmnYUyL)gcQlPjy z!JXpn?gT9ww73^{xOwjTd7pdp_sKb%vyfd1}H;PXppZwecfYNz=iZ<-Le*?PQLaoSgJSS7?#) zjAfT01zELok&{ipQy*<(5I2f>vSo1>zhHb&>t2a0Y5^*HlRI zeX8Zhx2;AuvJ}tl3TpeiOrhV)^D};y>yg4CY@MMO16y@_&X;;W(;nr{emgaMKo!R*E zn-~!dv{w{wOEvz(5TYFBC}nNzHwz1PGGnjbyhQ8hnDDO;X;k zr2QbcCiUl2A^~1AKD8-;B&-0|IIgzDv=++f)O{4MjONQlUsQl6tPbPwV`YaPt9NLY zvzTRH`81L7g^1$$C@`a6E0~$+Qqg^kHKa>5zO%Cm@FPYge=!d>#tSJj778rN$Hx7G 
z_XJ8CXj%HNt0HP@Jm1-nM0gm-ahH;zCdO+9$u3)Erj-eZ2LC>BMFN2~wV||F6;kVc%g=m_<4HwP=gBz7kSo`=} z{9zLofH)Q;JRCoG_|KW1Q1ZUMKq7%6++Lj;e%2;fYFblQCQ#G7VZ|05#QA**e4_RG z_tTJcAZcPelQ}(A=qOk>Som7`BW80nQs#0SJU6fRukzHH2)_o`i}vWprj`^Yj`8p=8L#5VP+rL((U^r z8gMlJ9_I_SIi!aHhQYp;90;g!y2s4$B<(2(TFyTYrPB_2frbQJ|L!e+`mdWWKz3ql zwbs50B>{4=c{br(i-fR3`UvVp1O+_2XpN6}4A#FeWKw5o!Hb;(XQ_gy!ST#W22jYL zVx2(3)m^0p8+_TxjMvS7*TKF{@BhR~`2*SwlRZ((ng>1YUL1vBXx*%oys#7AkN^FTDj;-#aayj z{8)7UUx+}~`H=GMP9$4GY0-V9&1?h3*e0X2ahOQ#0CDw29gk(_bk}{Dst&`T>Sb9Z zb3krDk@VSr13XbIbyIc{ibkMaAB2HZNYn)VXeG~43%^qF*_OF zuts;Q=--NM(6zNld2H6g5^JL$G|0hBNpy@`PUW&S~DqFHx~ z8*Ej1wi{~O=Rdi*|6&`I)IYMI%cZ)Leh|f-s}4cAnm&*l5bt8+6coJ8Hu11+cg!~R z$h7R*h_|>=drJ)mkG%wSu*}F$7o4FGA$UI5f@Mtp1x=5A1fwkke}%k*DiPXI;S3g< z*QM(^y@RxH5ge}UL#oRkZnTk+n-Hc_>%<*m9PTgaL4DE)?Z}WE132AmqF-JDL5kB* zPGX1}f-dm3ksT$>r1up5`Lm3UNNS<~hd>e$t9y<-7WBsTGoWB7By0UNP~ulTLVoC!vv?v-*o;^|x(IO!#w!Qj1+~Kz) zsqC_jGe>F^-h>pm%fdRCYzf&0p}8Y&2_^R0NQwt8jLk$B^lI0}Qq-!Ae2S%c(glcX z{m(@Ugnk>FQ^w%$wF=*I7WFOm@~>4@lN7;p3m)Hsb4;N{27jh!wnTQ)FrX7<3kAzs z($Pi6D#p;^jC5+mHs&EbWG}9tG%6OFRf(V8gb( zjS&X;tDnBq|GT_ihhu%gXCPmM8XYR0_VyT)}`po%CJR z*;I2G<(`;>!v6)XdOvrLWA3-uFQ%UbXVYF6#;j8!Vqn9?m+$lc=t`d35pznXYVoalE zb1uhq;ZN=R<6j>1des0k*eEJ0p@>^KKj6`m_s=R+r(~Uhj!rjhv%K?*0a^ziDPDsx z#;YPS=}xQAIDrq#tN_2-Mb^H?)DvlGR*6|kumIZ#)AU5PwbxS?WDm4DZuVZ<#@1v-a@NhS@D&j08C(U$eG}=90~R{AKflIkv*F z#U)Ao@0C8#2e|H>Zfh$?l`bL&7P&tr#{aV^D1)EjJwnZ@@Z*RP4m*@Xje0MC&iJaLjZI@ zY8g+*YVLh3Rp^mseNw=gDYVf{`61%VKQC{$o148OmO$4HU^mK?Mm^f@wnqIk?Zo52 z_O~YZ{u)=B?VGpRDv%&HKsf2k{G<1~*PeV=ZIC^Tou-Wj)l1#+PN>WDw9Ve(_kxrs z6+<)f4XleF7#zG#CO?g4PCNN)np&C|cgyCqH2S{j5 zH6W8uR1D=Ksb6IPPM7aW1xvN8xptMe`rY4&i7OGx>P6SBy>oL6(^{<-A(*-IC~ zMT1fj_u(b|8Y_7!P1({=UcJsoi`ns&I@0bpp&ob-TFeHYei0Gc4?x6~T;5cYquQ#$ zsV^k|L=Eez3dP@(W;22NC+=_&Ihp4jr8d>MquXPKPjjIkG|pO`ey9H6&u++Zs8b7_ z)|;i<`?{y2!=K6OM*^QeU}SA3NQ-)`J)m?`c#k@IfY82cqN2!p}F&w7IJM&j3}d8 zB~(xi&-CfZKRs4IQ~syP@iBv`k1mRCYjVm{hNHlaBexx%nEeD|{rE`kh2JVToNiwmT|XAm&2k 
z`o5nn;A@qKx+IAlLFT!9rR_(9(){gsdoIk>KpSE##TI`yj53(1&m9byA2D6z#p&pW zue?*xJMI7M62Q#EXvengm8$VsS65xUJU3TA&R1`)9mt!`#AsKGv>UxwVW* zNUH+KnVn$HXkfzYp!5}eo&DlMiP=0N^O4@J-K4j+-j9W51o6gKs)Jox;6{XEhFdug zWmW91YDkIt7euH zR!zk1Rxhp7`PJ7B${S_c0m&WY@|&OtFY62Cqc*ScZx8ZvNrp6W#%!!&gBE; zEb>Sm%5mAUuVUrzgDqT@N*}Bu4Wq+a8V~wd+DuEgWw+KC;RBe_=__eUYac=Va~63y z&omCyXX3W>>HR1?4LSouBYx~X>vWi^qS(11v=Hx4O}ei~^QGt$K5OR_X>4e)o9O(p z>uIy}UMx=a#qZmn-^k#5uh0Wk`Z&=?>Y8tk2yF{Rgn8PalqF9rPwxT692#{SE31RY z)0g34UYR-88l(~-LXvSc~-C;^0JW2T7-JFW&aJw3fz3g>5k_Kj5WZ~ckT7=5$>-A+=b7`GgZN>p-oWq5iL7Ud3nhCnAJ3I zvxjXxF**Xn@&f(U{`mOX+T`6i#*Q-@E1mh9_9RYYzk)*L{z2-JE&PdxKmvHFC<<0X zbKlZRe3pK7hUYbtzG5w&Cd>pvVO?X{R_SWyU^g&yT>c8Km*rGkY8Ye4m18c#fzmBj zRv~(u8xtvv6uEW|-sKgaz^an~$$aWJ@bprra?DBPYIk)D4rQFAi`=|U$GP2AsuyUU&C?qwOmX^dt zJZV9O+K|{=2|a;}NvTo@`CYHv{FQcT@qsl_sdE4XmC=Y zYw^_9sKWpr_g`YzuI1Y4hDxn|Zy_L_SnB!+iR$>j@E%uV*SAe)XP~OHE`y;j^kFL- ztHwl{Sc-y76=i$C3gub;xDZ<6lzwPk_aaoDyM+%u*yG7RzPvETl^2oFB<{1wrH@}{ z6Dlbi52 z*FNTCrgvs|Tf@F$&$@d@r3R=%O#RH-SVbGOS{&18o+!JLKCw0uDF;xa(5lZHF#Y0ZQQ!0vM;I)%l zctfPR44kZqQpTV1TKN)t8@S{ueG??Kte#zVGYiUzcjEit!PynzFRvJA>!ZRqdy6^ybmpnJ$f&gR zleRY2D%0Z<##a8>TC+fH%bv9^if>-xsm~=SLpEZax$p5K{3%1-N}^B{trxt9s85=EB5 zZ>u^xdwhJ9pp-g{re)Hm#nxgJ%FfZ*+&~$@ag19kD>V;_L%7F3IB524mejYZ6Ql@{ zx*XJ{>1k@ile5&p&#)#{i<0VhG$J9alO7ppDN^I!V0LYL`SB3zfG{Ku^gYp#stHCLsc?<_z4&*Fj= zOk3FE{4LBBQdIRyT=LC#AyDLj&C}bYA9qTa>o8T{?T`QSemrfFymRxnV z$c5Fel_Oc!&aQ`BOXr#}lLcbBI(?y99?@%hJ!bPfaocG4eIzw=WBc->+0RcEH7W#+ zq3K`{_`6U6d9aSJ5&o-K>g|*bE+!8sQF(nGlkr`kJ3HG@ds0(O-<+r&wOi7lUJ|{o z2l8v>V0rXFEYsKT;`95!d(C+M=bq5S^~*uc?d^!r2+A zp%uMLvb7auJLn&ABx_?cHDAR$j1x%{AI=NWhww3)B2a(Qlq5eMCy53;?Fke9{qTD( z2vnslgviL*cDlN+n^I2EqVh>IiBJ9XqTi@Z`RS>$2A;^BK5}obnC-Ka_$Ni87KP*~ zjh651gfI|Gl4t>pu!0X8)PohM$8ZK>>jiBjID4b3`*-`iA(r_6;!T(s#1UnG$(G}* zFXSPfkc3)pkszh~ZCyiE$9m5=Au(wLW2-)&GsGvT? 
z@qXlR*NX5q>)o5#*zbAoc@xd*5c{;MUC>vfz4D!50xp@zA(>M=eS$jCZQhQP4Nc#| z#e^3ZV|LFJkoEe|Ajs3)?aH&euv>+e_W1PWF3i5AR!}o(ElnRZLiwZ&lepoZk&u zvzYc8CMKe`<;8k;C7j*7p$LrWaLUW@IIF&}1Zo$TeG|$?1ICg?-ez8p`Pv7|q`s8B zP<;_4f@@52k?(tQWp)%+ho*Jy^^I8QBd0lccjrNU8|UY|o)kDn21Ygi>Y;FZra;sB zQ2DE=-0p&T_HbO(Jw`ZuGDhK-8Yc-9v~bFfjt+48z6#+#N<9omW)_i$m&=!L>G*hP zC`}2GrUQWnTB{q{(eQAOJwl1JjrUUkf2Uqq zvgg3%(W7KKK3Dm}(~G}LV#TfB^hFd=I@}itF`5<> z`{gCzVsy0kaMYMS=YoVZi|~Z5&#w}{Me6`Ah-X}MS%hv?N?f7p@&A3PK7 zYaPsDg;rN3PutO5mr~3mQj?aLF?2N2I`kNV8L)fbG?6^z=$X#$XtKYJ)blWOxZBp3 z;L@>BG@zYcvrmw=lxj6zye9RN2$VfJ!t2=rJp6-mb)rleQ?Bo>S7~tk6 zXjJ46B1>eZ?iY+BUt3>UVQokpJBm7W2)%3m@m9H+lL5$;wMwj8KKy6QVN|Q*;I!Vk z2HAf6d%5~=&^rr8&`a#=*{NB(KGt$f%mT1ZR;6UhBX`Jt%PyrYL;6x1Xkx*mLGSA? zVzA@O(LBD^@w{*bN$b-yTwPvY-N3M~LaqPJMcmVQy|-kvnc`yL>B;uzZo5m6B#UIs ze%Ah;BeAow+pBpb0~tZv*HhZbi2-!-uNC!(+JyVc~Cqtf< zZBh!Gp|VF#+VpbkY3+siMk^*opPWsLX?j{DR&oGJD-R_;Xi|e*-@m>8=+rVEi4J6BK3C~z1#HeD5fk%9!#J1C zLDvB_Ay`o)Q4{y)Q;jjv_t7z5D<{{UZT;O?2qSe*4G+Hn2(ogGv<)GXTIpR|=XwWW zedicyF5x32D8COG)~x?rAO_b5Ch#MM8FSaS)VHG>s_|xpZD%rQ#^hiKyIcSCbF#T3 zkx%O%9=C1k4^M1sP{Yv_{)B<}1`&Oi6UwPyIhC7`GxER1qr(QR3uEhb-`^hS>5*KT zFB;!wDzty26+!~lcYl(x@N+n`Zxa#~^*?(;NU!&xVyGGG4tTF?n6|rxq*XOWUu)Ii|GItsU}GW|mHN9(Nq*l2U^X&bGBF&qhC* z+nO-;^EQrCD^3sIZ$*`AoU{P|u%=vHI@#e(r2g&f%^DPDO-as|9_MTo4ejY8s3zr3@shvRboux~2 z!IE$DKc1Yf`w}-T?)841eKqz7@V0Zy8gxkm$y;6D^SRX~OYnWheCV=-O}piHY+`0R z_kXC|%bgdVqF%G@FN^=QjF#%2a;&iG& z14lE9`{OUuKORr63D__&@1bt~*Dt)hGX$&aCfZZ>4R~^)UCO-&b)0xl+ovzb$5M<5 zym~i)uG(%y3#18l#Cb_t(1ray4rfPQn@B@#Z5IJ0I%13Dhz6?Xxv)NDBZ8Jwq{m2_ zth4($^FtOaDY$EEcy%9fB9RJiotCVjD~;9d?o!N1fFL&qWB^5dqDZbnUemw+cpTHp z^}ib3aZ~o$?%QcYORF~WKNplY{h%*Irwe6YH}?%}{c{Pk{#+L5+-7@Yl^hvoWx1ru z$65Y+tYRtS*U*v1H|mz=w8a))ut&{`sjWVI?`(0E*W~`i^6I+p#bV4895qsWD{)dO zlc?W&NJM^)Gq)z?Z;={bi?>fU?C<|ZL`e>hJMYKnsMOSw#d4!1YYaPpcQ4kAY6`nW zvwh8|Af8O-r5Xd0&m=iHAkPP=AR!VnQ>(sNL&DKeN`#!#-l1)|@^6d3+g()~`5Rs4 zskO}=4z+Kc!x;xFFqp9nmWN$UH=C~mn{nA>uO}Bj*V*j&S#nZfxUhVV9qE{@LsN4SB 
zP*fH~tgvrpkB<#JxhpweBl@CIy3|T0yFGm8k;Z|)+Tna#1+|b2@V@l@g+ZHNxo!zV zVyo-f-_g;TG^6R;kJ&DQAK{-Ib?E1B#{c?Qd9o4iwgKtWVlKkwtk~9HZmyN+hNUMF zfn5D92~IY3P`H9^K*r9)cWTq-bja!p)qprS%U)0O4z73YuD#l$-ku?aQ8O*%sJQ72 zO0FD>_@o;C?1MyCGL_V3X-WTcfKLV7IpZ+SPVe2rM4Y1$;-qV5!JvoyACpC#X$|f5YeXBsOW%92nuF# zD~u${SbLG~a2^eodLCT!*aw&Z(&R=tF&(`aQ%#ssM4_?^K#sJD;&YKs9CSy#1{G&* z&%}jcE!CLW%hzvbb>gqX6Qo`Bb-w#^XP13%F+<+^``$T~4D6&M!2_yh<2+KyMc-I6 zBG2}?W^cjZ&;_jM+@^)L@8)qOP`qoOHRs3Fw84f5YwG|L3bo()yu%i-NHn3MFV~;1 z+f*5HgK?}_GG+Iof)*_J-Hu!tNMoWX+p~Z!cVg5TWBB7tZc%Me#mmv^YA1YId5&B~ zNl&ykFJr6c?bG(r2-O&q3VA$clJ=J&kYKtpL_d3d0|ocUl$%gn*I=A$a&CO?=?WGk zXTdop`hLqw_ow4U`IW>EP8@dcw`C0R{>=E#LK2#Bp0~Hjkg8tG2v%lhHl#Zb8W{Tq z+u~s^=H*5~J2|v5?)c~92|@W{MuzFE{6Be0sj5NHR6$k67fl3)6ei1Fi%CltF=*4; z#Dv?Cx}W3I?BYK0L(EAKsBMTQy2gQZ`XcNbP5M0NBc%asrGvMd@98N*+K578>#R93 z@gZHsf^J=BGyMFw@4dA^XxA8b)Y#p^l9md@P zsKz>7#F#hBH+#$?xNdnTbPp8-futMh>B$@%YF8-Jb8UX@`22U7bYTk1`Q=z|$xn0V z?+sko4$Yn%V-ODh0eN3L${7yo5Y(?`i(;NoUnb5bX4Zy~8$pH_@AmH;i&bA|pGDb8 ze#ujEi$2q%&1*4pG}NlHP`41APqVP>%IyIuueVNoHTVbk5%EE&6R6nj8gLK$S$|{T z+~EKUj0?JeEG4UY3xE=GO4VLQ@3|st?j}?nc6~W;+kkPl&HT5-e4F3hR986jQfoDX znPt@LQ;cVOJK#Gk_`XV^qLKZul-c9r401t;uHK}|h=0Wz4mXv_Y2*9=sge@U8u%OE z3afwy@BKLJP})yFXZ5b1g!##TRkReF2j#DsXFDlb+npwGPI?|L?xE?Z|mtn|N`^!}lTq{dLU zP_b_QlUH7XYQTyW3(z&~z^klItM>`{?^V^kUw|luYsB~3LU5dkgr3#X!=oEQduu)a zg~uw3rSPHFxy07Ckb;$W+yDW@fM<&*B(_Jei~5*s9rUJ8`Fq3f@(ec3LLQgVLL$XP z68LDeL$Y(Yg|LL(pj-9X?_XaEQ`+{lJ?~On;9-8stHt$;BVGM?#pO2!1H3Qp9wA`rXW~l)Iqsz$c!PXH}#|LarN_+~yy@ z#S)lUnqx<-#sxeuVUZkO&?2i0q8E*MU+?o^S7OQgnfaSgDK^COD1OiGWN+aY;W&0B zl!>lPMZLCz_!KVe)D}K(_JJ(+R@zcNcfR*I1>8egHoH;PJ}}ltXGJfP@HxJ|-T&Yc z;%%*O4lG&vMj_si_$AN|n##dukxAU(_CBgm4DSZ6t?EKHbdwp&<#~C4Z~IWB+x@a=c@FKF2Vd)>g>)rD&{^hqNiOy;ny`$nhBPX7uAJKMZ> zSdw$$O5_fFb^vZrh|X^zeGDrq9656W&-$b!sFK9?o7cC4kVh!pmGX$+fh&W(yA~%x zES1u+jH6$#W%G5f=EwZv3PzN^fj*3aMm_yFr<_i}(|qpBU!Rhyu&g1XtPz~C zNA{v#7q3R|f03v|&x)g>COTgI)p}mR7e8*Ja!=fq1@}Y*5nu{se*-U%o1jcRPv!yn z=#Q`aOQM;Xq_XB*`N{>VTWkicJ|~L~V&*tw{5N^@pZI?K>zfvR8vR>Ks~Q3QY+puT 
z20Y<3tjn6tOxSm8N0g*PN8i%({<`@jd?#V9_Vpa`$Kw;^GnCmkl?~F@(JMcAo%;em zxjZlUYv5~ybW&Y3wTyTO2q23!bR2>-zk`#u*?l{;;%0RpEEoX<=!_b*`W-*H9zu7Jn z*{^WKAyw3ObC33Tg#d`)#b%opo{Z7-Rti)NpvV2}bayv{3nz`$$m?P~i#JJeH*_Lx zOTG)bJ5z0&1GFYnqn4aHZ~34vits4#eil_RvsypH6-& zub^)ib{$?vf16Iy0D^+S9V#so!T`Vhx#9`6Br`xEIU;snQe1aVx9j!U=IdJ_rlUMA z>XCE)@EBs&!2LXwb_acCkB$#}ltwN$MW^F27hEQlM0SyYjk(`(;pWSEe;b#eUZqFw z_3CXUR3asGd^kiU=%A+C{T8I>w5NJ$T1U^gW7HLcCo+S^mCO~0GiYD^VZ(+s3lAaP zFy2QS!&{Mgg=rEzTzs>a`lIYW6OOFU2k9?xD;+RI*EJ-vxE2@zE z2iWrYtQ((%9hH+H*P`zX9CXtn>Ewh&ZSK!ieTGJWq`bb5I1y1=j<5e-@6mA?G1>m* zTT3JtL!34{J&t54KrE?;rp2dstu^}H!1I3Z^x1?8C;ZW?W&IQx_^#&dS5H=g`pYU1 zJ6*vTjb3#q=So(~<|ALv>$>#kmxq%czhI)6!UNXm7)65)AMn9RtJgMcHrbH67s}ex z(IX?%Pcs)qEXRCZBi23Fy>GgSI-r%yS*L(oNN!Ks^q|)`CqJ+I?bV)L8Y^J(NzE_l zbsceSN*-fv>RY+?Afd_S<>}1fA*99W#=T=cLp|aXVbCcF>HFbQ&m$CN$V#+Qa=qds z3ls?KMZrc$HZh9Rvc3^a$AFjojt986HW@I!#_)Wim-+Hhs%!R_>R4jXpiU|RU0A`c zZm7{R(;i2^pPb6&? zc$xkgfO0Y)xi+;-_SiOL19?0=rOFAr8d59{GQ zTMaVoXaakx47N6hus2_5>K$~RQfL0=wPp$qTtT*% zM>&-WE|941>}aYdh&5{WQ1Gt7$_$e&cICzvSL)j7oZAVc{)Nq!$dk&K8AC-Caxk6a z(jlBTZOh3NC)2e}N=A!CrGEG_8RC0?zHX$ySAy_GJ3?Dw3rd!|sPS-wP>mm1;_Mi*|ih_nRA|o=5y?jihpFy6@<5N4NO= zY~VwLHYsfwGKV+Co~6Jbr}7qle}7>I$_LVDbMDnVdd*6i8Y;YB6ymbC*C1+pB2TT#78P#gZpg!OxLuB=3>$*`ti!m7)dkKp zE&dM2&_*fNglnugw%{EJ{ef(|VtkD0_IzFhPvCUY52B%4a2xdm?CgV~%X&8t_gYI+ z8|5XBN+Qs*89EbdmG7YRw6E7s-^0kD3_cr|@!P-||Wq z7=tkuasCDOxg|+j1OE7M8*pYslbr=L9VG(~)z*XXzkEjp*Pd-Zs!gyw&BD|u6>n|?N*te$PK=;aBv{mYFh&5jWnI-jWxYALA*|R<-j{Yhz z=U(|9LZmMU%3(~2v|XfAVO!@4UQ=us5)oK#=6?4Q)a8a`pOJGh-zN@=vuGwGI%bFyWk%tbDMS7Ky#mdW@ zO^#MsP?@_RnGu%u`Ht(^!Y2^4iEK~v_fsvqM}c<^JEK#x6oJW>{s*Vfc!XMVUcMHb z2=!vkASr3M*d2Gou8ly$lWn&)Aq>H2n)JAeXyoolYDPJ#qA(>=zD!Uux!)&4=`l&= zpz56CTXtHGm7~U_!s>r;xuf0uj@}haijYD%N`a)7IKB2qZ;N?rqHx6Et z8Ri-~ot~38`|2ObyE^#ufD|vZ-m-RE)nLB5p@a!^-IbTmp520>8VNZ58dyNf1`I|9 zGuDRCsy~Dg@x54K33L;%(~#e(o}1p!FT20yO?eXLrtCvlWl3^HE;DCOtyA)w*^1FtoL5Wpm$Z|ja+*?cC=j{wQ0FKJajSd%{}k=HQ0( zhasLe3r+J275Yb+Uqd+Mz;^YW`SRe=OT&?TzT&ROEvb;Uu63m5$N?DqlEHpX^eES$ 
zeSQxwbF32DKOZ$oFy@72h&lL&yqgjhcE{;f?FPAX(Kh3FNm;1;XVv7H(g$GW@5_U>{w;;JTnSNSWb|* z4M{jPS+y?K+B%w>1%!ps3hT(hVI2G#Z=KOjnlDh`ynwL(bWDD)4q4=>yZX(}@|S9Ot3 z&n3->QU{RJ=_Xc?FwYTS`@Yf-ptM4416R~c(d14b4sccmiUbjeyv6fbPe@PDU2>SC z7Jv$iq-fW%)ZW$I+<}7{Hjh9oGP~&?dfUd>%=#=I2)%jynT6TD^k~igFF~% zyd;1QZ&dkvQgnF(8XBzRPyAkA7b65Af<(Gn+FKgx2%?twZ@LrfwkgPh5CVf{@*c=^MGf|sCAS7APB4(TM2(o?BTu0HlcOTx8TAqJFmalC@b>~PsE=MnE0K?KYv&W zbVip>TkVyi{Y@J(s!kPAAg|-&3#ll^RjZ6op4zjcb4PT?R#A?2nn5FqPad+o_c6J> z$yA^PN(hA2SI5z(+fxwu`*tv8EF+)VpMSM7m&0y;UuNgzBf&3qJ;Hbscf=}0N}4hs zm`M57q}iYiB6sR2&@3lTlpY$swd7)*-~KXOhmDAcrJXMoo&bRuV!$s#5o;?OlEHd< zO2O((Izk_t5~tDC#gs;=9PVZ|&TS))2no4D1eyE(*q)!+)M(5s7(4&+Cj&W_&PSUi z7&}8x(R>Ob4ZC11#4R`v&66-N!|$5Kwr#)K67L5nNGUDLNRzVm*l=fl8C4x}^UE9x7O_a60|OiLV?^l9B3#_HQ1UB6Lbe;jQ~@)#~=P zsRJym94&-1S&@Ivo?WhWavE0cYBhf&%}y%YQ^73r&$}UnzfmmJz~+SLF$Hxg3uWL? zJI5%GjHS<7au8jbI{VUKEod) z{EH0@b=?g(8__fT<@b8-)a`X-0Npd6JxBFocqi5}FY9>5QeIpG8!q#3ory>Na%Et9 zl~iH3ZuuNbZ{FQ?GBqZ1q;_G)-08hbFW}(_iF(G9O#XSE2N!ZTuaz-g$)PfR zW~I6$7KoUPwRq>m?!?!3yGHcQG{7e(_u=qRow^OJs(-M8Z!k_Fnq@tHGUNCFrLBz;U{Y};E% zX##(Zt>*6vaQ3DQR%-jYR6(kwyXKgyptPkgKmtKKhv(&OCY&{I^j_F^kR%ET z42;+_r z1}z+ElJ5mTD@QE!&7;P8$FEd{3?`Q(qUNb0zO7?H)%Shb3{ulMMOSxL*0s?GadNsN zBswj7fx_fa-K{()H2!=(?M}mVDL>vQH2t<5#n02`eLPm$)m?=UbIvh+mfUEhd)O1b z4m?;&<8|w^F!9oi^k1|yVE>Qs&PN9qiqlF^x-s~2a6<+^R0^iJ@k#oSoaW3hyg#t!vA{}k!?4-eehV9PXxiexp#Qaip( zOj^5;E{Dr5nhuDCOKV(g5+8~>ZxfU*0FRSU4-jez`1gkNx%0=~8WFqTi8Qw%3cHJt zgD@*hdb_;fn)I#0*dS`Qm~3z$d9;wH6Sm~#2o&c02Ij@ z%K|sgMsV>qto%ah=zz4zhVDqDO$g4MjaaZ^$@lxEjp45wzGp;mRFeOV?AS&w3r6^y zow4D;7Atd-)uFSikEg(UpTV`G2uGn=-v=+u9kAiRS8#$r*h-u_HFb{BGh&-ZZ?)9B ztR5cIc({8DQl>EaONg;nn3JF)TXwalUp_vJv$Z-#z-H*73pN&pADFf0RbyNL_(DN* z9rA=Y8<5E2`Z0U4!7?TSw!Ysi$l5~KOuN{W+*o_0BxFax%!YCa<_v_=MRT_tlFzlO zs@2S>iLnf`*`t`C40aN5iv6b~NzF2j`nCou>(&9yF}lJCZu&Ho^^}Q&{J#m#Kz9c{ zEAD@kxf5CdL0|b=;sr<>Oog>Da-OhE#ol!Ws^`(`y)@#}laCLwObK=0fyWTe<#ihC zIKR}qWP_pT%z9M`HUb5CT#m43i9Svgv%5)AxH+0YYU8tyAelNZzPT4%I)f%$s^ZWD 
zPZ$nLO%KG9XD;;Sds=RJosVbD^ipcfa2OJjgi5kZK}QXy5Hrw@=V7|MacI-3;aT?a zs;y4s9}-TZ{q;?Z=gM3H*ozhkF=oU1_~`huP1x2!TWl2XDr9}#qk)DrHUblPr!xz$7|9CaL zKRwFir&FAYI7!Eilub}m($qq<`;Kfb&Tg>n1+e8xU1?Mv!=C#ez6?Z`qk7o5V%3-z z)JdcyA;cbDeD(lLMo5?+_j@~UU9SMG^s)vVr{@z__HR3G56>%o-jIfe??05CZKDz# zavJPS8MOLY+BcStEX{6ox8sQlaJ)x55h-&RRi1fdt4iDyipT)armqtQSoj2x=F6q z*O%|5%E(A&GK3I*8TaO<0f}VAeKLa`kRgGlqLk^jIV}@TSZuXnv>8I|woCr-xKxOp zX=`}=k#)JOj<9A@ceYZlD3@sqq}j8d{V2uO&&t#3hmw^*n&--yNDtb`7`W+QjGorL zk?o}=1r$?L{p+{&;gJm!-n@ZG&&UydDr#*bI!14FKH3l}c~)B`*wD0>zcQII8k+n+ zb+8iP&`6|{Mr!?5&{6dfhkDH34U3kx~e_)?Os3 z-PI+rsH|79QGFDR)aeS?;(mK40OnNNz!>V)njALe5hLydR<(d-79(fnDa5rHBI|YK zsY1H&8w7|aQY#PL=R|VncN)#-nsRbrO7S!aIf!L?e_k|ZMHS0-s~5}hluj({c;dP0 zXq%d=D#f>N2X$lA$X!NmV|q2MUpETvnsQ(kTGakPKR#sNV#sv6i&eb!Mh=S|o{x|h zNnkVV4rrRc2$gA4pX?tu@q{Fm+cW1(7Hu1KS9KjsK438`l`R6B)T;$ZryP5_wCNAm z{mBAqV$G7;z8xGAWyO{inUPj|J^*5H>oa>IXuYlzyklAa0Lhi4<6;Ks_4|=wUNWqO zw4^Zm$3=P|2lab@iO3@8xY)-N$+`-usNmXPH>ba{=$N(X^SZg%qILo55{+~=@fFC! zhw}UmrnIhB1Thb8q$*>nuMjdhR{+8uXu~uOKx&O&2dLsWJ8Z#w8&J9MJxG|BlLKX9FyL~7U73lm8A%S=SJ}3VG%~yGEst9tbp?&@0i5l$zdgP~iH^Df3RG=onc=uP~*9DW&6GOH;;ohBTQWH6rxVY(t~c zrJ$&V@03R6R{;IRBj9k2+Z zW%P9EmC`k=m}d>>=i7`O)-IElTTfox=A||M%bqw1bq4-hi6 zP3gr-x>i-kEJl>aVSs_AH#UNu!8ic{Ia)V$dl2wH)WJg5kIbTMw9Ak|V$vC1jy*C; zl4jfI-G(x$^%>OJ__T#0N)7xLb$TWiPa>}WgqBMq%a+gBUx56>G6kJDQ@sLHnr`L5 zjUyYkRrzv>qG7ppgD&}U+$d>!s^a;Kk5XD$OT+4}b>_{gJCpc!PEKsJ|DdXz9UXFeiy0oV(8XgQ%fxNk6c-sJS9XE3e@ZkBDcWY01#{uw4q^EbpFL^^PexKr!1QiWLff2exPs5qYV{Tp|O;1=B7 z-QC^Y-Q6`f1ed{GgS!X!z~CAjf;$9w=DYiQcK2T|`ph{qJ=HT^U3banzOF5Ej}8+$ zoGdvLW~e(DDvdkM?PYe><^AEwNVvR^ux~*Q*~#m@PAU6OVhi|V=g6a6{Tp_y6yIAG z57`OeUHFIhbaHnpN`7eYrOqsnMYW5H8fulRt;bQZs=+#0J9}rUHYlyXk>AUjKa{x? 
zyLE~j>txv9wU+3!z1WdyW85dAv`02zlQ&{12=M`eY;4d7iBt9m*rH;_H!kVZ=}tW| zEay>qhAj?VH%t?ht=Uc;KwVrv$@-|lc$sAQqHTK$VX92Ug(F}W$3ws&C_<}MMKmS8>jhd#|DJJs(^ z%7Ke#=IKiqKJH$OMsV)r1NQXyh8k8GzvA6F9O z{(M|3TO>jhX7771S1K{)$iOH}76(R`I>4n%;KGPMG_KL7T11&7lxLZc07u&a?c+E&+q`)+F~jOCRgr0uD*S`+}FBli!ngpZw%BoG+;x%0_f zQ^hpAEH`2E<7aUNoyp3+r?(HFiGo6X&48(5QI$BDIx8_^T*?cQ5+xP>N4jN+=*q@Q zLO5&qc5+Ip>ooXL8p->g06}}*%3o_+0DuD({ds)anh{MJlR*zuGb&tV@EB@8cf7OY z*Z#P|g^#7Sinw%Tq4y;lt_{cKIGowA2~}Yifgi=YgC?~V-2lF$cJl(6GPQ6`!-|#g zWB9z;i%sc_K|?zYg}U-CM_%XjsY(aad3YIA$82Z8? z9z^M{Ot;gVl3~<|td<%@&8GdRq%eZcr|d+~XYx^TLD^M``7u7S1}EXqsQ31B4(c#h@;4GGjrJx8tX5*2tC>x9}lThch}X zwq;qc9u-BTc@8qw6}~zXXjI|-w$<(-&949~fg;dP53lo2^An~yANlBnUrZQZt{yQU zM)FXwuDoelIc~>Wpcf6Xf>B=l;InOs8qJk-FQvph{k-b`e1Z%Y2g;q6pavg4_-Tah zivV7vIsnXgl`Em>emc;vdTuoZ5YA zgSjmK)*{wFk^bs*x0Ij4n$o~lE83}j0u`t1%5U6*xtA77CMvXx7+MuWOb44k{Od0Y zgky+PO3ji)91uzIZ;MvYV6&{F+dU`rI>&a{Le3SURbdf&g4E~n=SwgV5uj3Q^79(? z(@?)#IYw)2n>8HqC^GZ6SD!5V#GYLcioFl$)~EJh8pZ0G9{ zUdbqCgHdg`va^EdLnWdZ!`& zud=U?%4TygtcCGM?B`7z3fog6v2RnhXKk@LdH+tOqFaZil1=4sV7UPB(SQaaztl*4 zztuHQ8=kdc6XF_K<@=JR;}GNI)iasUsQ(V&nHldjS1*I)a_8rL zY_GGXp~D+zM7~+Bf&R#pMpm6RD60OhHgs7FB&)a8pB9-r;$+@1i85I~4;DL5%RCcP z`T6+9sHCQ)1erj2sulYag!Sx60N$0IMN!hYZz@5*B9x`V5$$tpzqNbc8wdzXnih|{ zcI$8O4+_SYQZX6aw7sN#A<+_R)SzKfm}4U(M_0>UR8}w~zHr|&yHF196IYXpPX-XL zthpaE@C7(~`m$pjy8OVZL_D7JZhh-(ovMtN730I!)ipGQZnSo33ier5h%w2SWv-Vt zmnD(}2|_&}-HU6cYl#UHs552|Z}-o|6b~Npcpo}uX8*JwDSH5^8RiUl9?u#7Il1PD zC;1Vv=FrvA)2Ggq&d0|$I;((>%%^76&b_h%A=*2^$HF1By0P}$X`*XV{dBce=OVB= z9QMt>=aOEVxe++@Yttj8-n4Yk%zG=~JSVZzGPM&nNeeFar;D$RM@M_Zj>@N@Epo!j z=#*a>+RN3))+ZFK1+*-dCsvv8k#*=^UW721ln`|sFdH_BWGfhy?Ia$PR%gF@+@u!p zm1r%{=V>bGI2>^7^vsxL1VW1MKmQ7UJmru|sPj%95S~1pO-zz}3=3a4MykJP2&A5p z2Dl!^KZA&&&h}_F~CfAVyaA4_|rc#8z$134e%_;>MKTa;gf?ub2-& zXTU~B{^apHx~yPFj7#xg%3(^3N6|<2`3ms4KGY^Sr(f`qVBr(k3Y1dwtbA5u^8dVJ zF5Uy!I2_lUI(k24HwxA0$bL3_PJK=wYOtmMrtEa~SPF|v`h1;xIzHZ)#WZAO5bxw>2jM12BXa&);XG-Q0h;|q{d}Epq5+ZAI;u`rBvf!> 
zzj5=>25XD~fIyeyDGw@QS<8gJL8pc~e5235=iT(7E*v@Otkuqi1P)H+qiDGD-(Ff< z6PT}s z#~t2|*k`g$^eTV;E$|kfPc37M0|*97MISzKwSVpl2SJ#Vrzr9D3I$t7*8^`~9zCN+ zy}@z4N6aQn+rx;AlKfzNjL@La36*#j=K0+V)-E(c^LCRCCtsAWrhDGEm6?q5Jvukt zYkkWL@J;IMM;(v=MAQ{qN3 zT6551$7YQLlz|O=w<892f#&Rlafh*z?JKaCG$Aml<5FSZG)4j`O{)OD-o&bTdwRqa zoh&Bpdn;)^z!C4LLj<0#p5B@V-{yCfwROGdrZ10O4V9SIxw?;!QEv5QL07Jeve=VD~%+Zv9<#MW;jW;{mYRpJ#>9z$M zUfj#lwi8SCr5BBFyc|CSREdCP>sKY?xkUdF(Q8BK0cJ#(ka&y*}R z9#JZD&kdDvo=aXtB4%8T%`&REIyu1?WMAHMM=W*xy*Xk;qDxzv0Xebr_hKheIX)pC zi7(Gf&MZ8)W~;f-M6i|d8;A*{@gCd2@TS&*futDH6VBtCxsAAMY}*mPw29 z_vjmmLIRRw1A`Yb3O?f~FkKTceco~AN4hB_;QRI}na!9^38-imY-)uuI!OwCH1(bn zNny%Hf+^7V+_Gfp*;wBgrIG@M+(Y7xy)}_PW;bES-2)HdPffOM=BO!$|pwvHnA5MKA4(~O* z2#xftCo@lL?XB<+s9iDRqA`;ZFdR>}PnW}^`USy!gB9uubnDWXa8v8kV8o8)i^X!C zKDfy1ae0}(PM&jGo+6}dCNu8zesW^LLXjq0u&5@JBP~~zJ~|Y$aDCjqo!wq`I@#-u z*4N+7y$B3CHfq!uiLevET1C8YgdS$M*MCu{&Wec^PqE>MmJe{TcJy_mB#d!(fGQrO zVKx`gpP(L|u(`k4hYj_qrjsceurqO|#n{T#H$WL>Bh=T=>+J6)0NZh+PN}>W>&2ZX zhe$9 zq2S_f?#PRaLOr}E{Jz&;exgB<+bP^j8^@*< zqthMyX~dIZI#t%%Dcxv+fdG?ub3YwlY4`6T5f3LuK5_*E*UG^2>bT3wPnEHfNKI^V znO<~i*(gij{FPIhSP6OGDmBc3qWO*Ju{p(jJkX8`9xXaH4_@kiRoD!Wl|w*?gM%g( zxHVACz`{_9)96Cx=>8@pH7X4oJxGL5J8kB`q|G$tSR#mNJw`nSpSZ{N1p+64Nl7q6=U%~7*&d4_e(i&(}n9?KkVqGEWbR%Eb8UvkC$>ub*QMRT8t zV8eX6o2myApp%D<>(o1!zSA& zbm7D012F*0z%Bdsv$*V4KNi0Wz*B=!|D^|yh3Znh_ysv4kFvI$r1I15LvH&N$Hm>7 zbMGBfV$7i!Oe$r?44bRf(Bd|>tVL7j-+7Z@fA6{0b|wOstRqvmVJVjcEoeo6^kwcMkonqROu3lcE(dSg7bMf&g&JIqczpB^_7tWD! 
zn2fL6J9~+zE-#sw&FCO9lhkPb1 zIm(h5AwI4n&kg$4oW*^hs-I5Fz!@D*QAw&P@CL5EUfr(a;I*;3+A+L0wW8dYLK)^kcP8~hYXWN?5rC+N7JmcWW; zU9BOJ;@%p9F?c}_SXq!y+_j-<=q_fS+`UfykEWKTjUCVuri%gu`{?DpD`Bpjr10C+ zF&V6&WgBm=qmgx8GD?Hs_WF7;w8w*%_XZ*@m*fzNfzMnGwI04jLZ42;oEj>I; zlks4(C~Hqe0?T->!KFYm8l=|%E?bZGwH`;}q>7nyF7<;x_L@+99a4|o5AP0vpwtPQ zMm__kf(5KkQT4;xcqkpxh7I`m}W_5HoiP5gC$C_s_jA3=qXm7%?;tz3UavK z1t<4bUjwTGL+$F26i8`?E?p1ZE*afF#05L&ZjaAB*n)m4qNm7tn58y^ z$dIZS_gLV%Ei{>c^QUmnKEB+3%D5a?u`wosM+$nJ4AbJ zXCrJ^A;Ng|h(KLUiHdzrAZEnq%jKkGLB@zZP3ezUuJf+NZj_>BF=AjAcZjCKn#612V zWO?v1G5@svs8M$?di6k8u>mnLv|_M62)%e8(Kda?;%_6xt_3UJH$x*;H}HG_dMuml zLW&secoulfwd>2H$4jM^aoi3LD5<<${OAY9TI2{@=zgE%^Y3zkeyX+9)z;hZft=?k=H#~#_3rQp+|UL(VuCIwSv4ub zVQww$b$&kPJYnx3H!)=l{=GD)DEhzBGZdlj#7R+C0(uwtgd_wuE9fBnN84GM|M_S{ zZRYIUYZWj*G;e8QI=(AD*+f(LBoKq)#G1XEoJgTlUXCp`1n1#gbjD7%%aNQnml=*23<;haZP)) z$RTk4xja<$tr&CAy%Rv!L4)8S^b`)_w*yWm4?6F-3gXxt1Au90olqeLZ+mDaGn-4y$ zDa!-km^kv#>yklmM#6zsykeipI%w89RJ^gZan-c(VpnERuYt#;URX1e>km#y<=v^r z#Qr6!<|f9&Xz1Ps!}``BefH>74VsNYkeE8^MyqDc${Ps@mEVx~+s_5=L=_dl;*KTN z&(7`w{$Apmsd5|OKhy4cA8@$oBX{iEY`4CFrGtcv@v`Rq2vV(+fM8>1(5~L@JR1G= zA)8@MhVUmwhNOot2i|(OaPPsbXCl(WFdqVn3RNyhA;ACqH60Y|Rv8lW>z&FCbao7s z59NglsJ|dCjs&Dzay<zgCO2Ai!%H{Q1&>y4871ydBTTA&XIV|V&cq{)tc zr3rUbROxsH4mJwBd;_g+PtY3CQpk{T^9$m{QKeRC@Z{j~v9AHaE3l)cYIW%AB2M#* zCcF^K!`bOt1iASEv)JJarNC1HlCzPB$>Gx%8v($#QSrw6GJ9vwE{B(`vi^Xe%uxpl zB}#JF_6;jf9*EqHNDsF3#4@)p*XUHET^<$JDgCMAJsJ}i<#dVp@a-w_4$f`f-kpM% zAp6MeS(Ikcew>(dheQEGSFm(5D6FU79 zs*;CJga(HiTAlT1l!qAj(Ql05FE*nWH{QMuF}qGIIkA+@oo1bCHTnG-!DVPu8H=Y- zRovEYBPty0JBy3J<-`C!h1oKU+?pDo96}x7n9D`EsbYINZBp^*t zfOD1q$!2E^I{DW#7cPt>EuF8*+KedP4LjLM(P1eP9NANghaODc7j-q0;SWEu5P0<0 z5hTA)IPj+H>F(qOoVQI_#5mTb-^DmE>0(V2y_@$s1(G#sn!bPtA_NI%Wo_2f-;`Cs zHpvp(e5T3IAT^86L+bu_{e~5Idw9M0lv_V``+qGx3m^kI>_YBfFgs!CwK?!2p&0=E z@3V~EveX)GgC;!LOn)Lu_)>ixI`oyz{EH68=UKF-g8!~0X+Jd)8|zbL49E`IH6N*` zjC5uz^kF5IxhQzQ{DGp%X!e*farg8kS^y;2uwlkhJ`LUEwmWqKl*G~&{rRhWEc~tK zPVSMF;|C$0PK`g7SXpXIzWp>J)wY^7=y6z1jU667NL^?knLR>0G+}|boH;naBWH48 
z5Zc^^m%_CDLB?dzq;qMYMU zKM`XJDf+X-G(Vjmoo|>%jKHL3xV+*A~v%iHUlQzvuoHb?MI1e8-<` znXM-MTd04|f=%?zr#Gm1CR8;_tjcVOpnLuO9YBOqK``d2P`A0Wa&h~5`(oB=;Mol* zF(QtfB4QVQTY;_B`23*hzZX+Hu zbV4<>l=oPWnSi2dO;8>TX*?MhW4(Ix_IOHo7OZC~XjZElXrhzTQTA50=BI0$G4<{? zgrbT?QfB}Ol{^JKEJVY^LbYQu*019({wuaM;M%T*u`pMQ%ePuFu>0Fs!c}$r0{LkT+u9Cj6hlb`GgTenXhg$-i{VkFXSv$e)<%!RB+_^;M1Ae3 zM_5!Fp;XbXGo2j}`sHV1W6Z|~F_G-+--{8oG6OnOsD%|_9zKCx7W}UDjTtIL9i9cB zrru_P&hRjkrSmTSjSDYW>eLqqMYMy~n#@4~2=SVV?u|>2-+bW<7Im6<^V}>fJZu6M zr821tpiT4dr+I@WdAJ1Upq)pbuleIXy-wXgD5{jji*rfg!Prp1Hh+#X8LrxAOa?kcf*YOJnx4&?LXI{TKr9__eX|4&a z+3-!&YT`)d`t0e8x~YedLED3hSXz6`P}_;dq503QK`xZ(2`H@DY)vq#>8UE2-A=AaD3p z6iadMAJ|fPn_Q(fZq--m6Gp1KR1}a-&SE8jl9>fs*(QP6dAE(;L4?$Aftd)L!T(oLhGo>3)4i=05XM^;Qmq)(q$Oo4PN{62g(vGX_y!4x1gtk|!gc7c z*SxA>fwIUV7d(f-f>OvFIS8!;qI9T%Tx4I;f<$7{ndwRA|1fJR#AqBOk5vaS7X7Kl zC1ErmbIZ1AYZ_}T>)uypu^R9=nNNU)qZ`D@X_`GZlPi&2a%W9PqTOQ#`}(2TQZ z5bHWpKp#%E1XUEer3iDXRvRlR2wpEF0D|~XL7{;h#(v^yf-=dM% zi=D5F441O_-qdDx4C?bit=iBDkk{frG_YGHFz@bR7DW?0t4pU3+9PP{FR?jvRe?@n7z|+e`=o6UhA0v~1^Z4+23@#iPJ{J%b z^3a6z^OKD?%D1dQk|uHPR0j^!h#h#W7iPu6Pn|KnE7$*+649scF(UABjGQKWIa=D0Qc&A z;dt?mq);KYO%$*+%dNrMknnN7Tys~a71>m?ka80)1nfY5d=izNWNCi9m=c3au0yk~ zdQXN9OY1TDIu$CvP!ygt*+vlI_t_0iQ=Lg;yz2WxcH2pKM!)Mx^tW<#cq$)`f$PNV+BPNhJ1r#7(S^yE! 
zShZveT%G}^1p6jj<%`g{iBCDUI05Hh7}O|pHO_-aXj0I(+RE)p_$OM_db2~GS*D2ikg@ft&xm|=Kz9aFRo zw$xT(N}?HX7@1cRtO%i+#*JovKBPG9Lt~CsgG^FxqL^uWY5V(CkdA8EIB<9jfd-uN z@5~GmO$b*43&Oxrx1AeF4fX=ryxxzfO-$$|u=SSNGLWik2v@Y)#ne}D&EcZ&^q^CI zyVIiF>6EFpW+_4usgT1qmk>)F)@1hJ zb&^DZ1qdmERYfMKfpgYk`v|A!D8Sc%M-+=PhBU39X+b{FNOq)L^|^=_W>+hzKYt6s z7a^&3QO5{F4ppyqi~xd(#RzxW!IBY}Qi9b1b&B<%=eI*Ou2&d9&OdY1m4dxs5~3YK ztLa5%@I{%c0Mh95hv+)*=hX1=Tk(7~=C?5A-Ur z+EI#Y_(4Qa4qc1w$f^Mz1Fim$RT9pZ{_PzE;SrUDPiTw`}e6X?lUPAo*aIUizE?FiS7z@h$C zWeF2nj~rc56LfL_J~9`OXB_h z0mGRtW{;OM@z@M{Ts5SjO&V+i1Ub|3rF@GpIEz*LJomJaY4nhZ$>$y14_yokTSw+o ztmq^~V(e7QB$kKm3emM7;V6UpgZF~fpLJU6hNPP+7qNuM3Ss7>={D0MOvHE7>g|?kD}Lb-z&*3Y+OwhvXoFjl)G$3XI|%xV z4vw{au2+EQW7U2)PhO;Wc4mw$*NQsNFi1c1#1Dgy58H<)NEw?GxOA-!%x40!yJ>6` z{rNX*w2h{>Qj4iItQG2v;R!BSWU|AA(t5|elRq~bDn^%!x!&JOM*Yp!rU#yo?@GzL z_09)JV}B!&FIce3URkKx&BH-JzB&_pQhK5$9|+GYB%ab&rS`A6Vt{a{=Mj8dd>2Gj zKm{=+Yo+a(4Kj(i{Us0YqWJ$EM!}6rxF5otj=yTFc)Asw9Oo~)3gk?2OEvR>@&*3Q zPW`jZ{5E~#^>NckeJkM$#FvJ7L9cs@&QGyU7D}E-AuPyNr}771Y9h{Tz<*lm5*FXj zi^>dWy*r2!G=yGy!sGTCl;Y7CNS)F@{)Q$|8T{{2+`o?B%%|_E{aD8Ee?^n+kea_u z5RWe+yoB{l(I4eH{66;LFLGf#T86}KMpcN^L1lV7ExSM@Uwa1 z!G}$P6ODMS_&+|ZsOTo}_*CjcXe?)bOmAh3VB^hbFosa`iHtC_BxhKD`oOZVZPs-} z5UVcZje!3Bt_yJ1&_|f$cLD_-S)r*Y8?13+(MnAx=<%cK)Rqz&pDcl~Qmys>siEiw zD>3U_v0Jaq)R5#yLxF_@iJX6kxLiSWi6r0jpg}r>usv0DnlSTR&ST{!rW#rMrOK(Y z(i?@~!^NTxQ#)o_aX)6xqivnh$~+R$)WUNru=-YczWk_!SYYYLzyj`lO+&N>(S)I* zCxzaBZiBeE==Vms*77LL^Da|!5_6g1ukgdXNaidGwPOGW2XO>&j2JcwiD1}f5yDj1 zrh7?+482rBQ7sh08AGjisOOLtWF?wXG8%EmWWH4qSJjhj6}NTitw1|Fw2)%a)bWHK zpCth{I*DGwYj9Xg^s_L8isjbGWkXJ+0?w$3L&VALue*h>PagRn-2hndvPxGQ4g7n!ZpjVfg%NgIZeD-vu1R; zy+rxt>WiNa|D^-_GDCa;vj=yPL)X_}RjX6df2_WNE%9XU-N*=#FdY01>m_bF(8;j)2bRr(9>^uo>s#phQ4Tfr_EPbe5qDqrlcbI zap$@Q$>Aa~q2A8U5x9=23yNe!#Q|1I{T4?o@V2@#QPX>pPS3NiXi>rtziPxPjS0+T zRAL+o5lTvSABq#2YQ`(OuZtYcNk54_Xp*9cdBCDA@)KZ6?iQzd#y5J~6!?03e&8la zK8lHYOQXu7vml@zp%BK15EA_VJmo*nOQ{Oo)gKtpX&Z+WSn{1tOjo)4KdPcT@cTQ^ 
z-==yK`lo9N{9#~wVc27}lEffH9uU!DTbbbqpO`-{3QG2D8nfU>ewFqPAGZn2lI$UPFGSANIcjV7Z&?XtRU4Ix@3M_8Mhd^*QGebm2lqaPZ%8$R8*J`No`*ya zNqU8oeBM<+cYQCj1t;(Je`EAJFcyHU>pEwgzg_Ejxi8H6>Bun0I49KM9^B>lw`t4? zo@r*&pC`A7eo&@Z1V=i$%QdFJpF@zlJ$VY}k<4{+_vF5_>Yc5XPNMP+DEH71{7yj# z5DIx2QwxIc_s>Bz@(;Y<=h0{5vF)y4x(933 zYZvc(%t0@?#(gFG?o;~yCSxQi{7}z6mAQ^8^ zo^$`ld4Z_p`+)mxk2XKJjkW3H!oGW|bvcv5D_@uJo1I@_FilJAm+dVj>ag1JbX=z( z$BOoL>zAAThqCPLzQ+pyz=Q!$(W+hi#)1!0*Vh0AqN_IV<97{zs0A%xf?5ncT5?X~ zBzxr0rwuobT2hw=o85RPSmls4b>g5!k0rnNX+`*o;#Vg^b1yoJT1S3brWQ8Y&A1Vd z)af)|UjN%6^@Ku~PSrGX!}>*=oKWizo=kcR^O)MTGXs6yFTUG{ZlYzpZB$K7qVtG8 zRlPg!6TOkSSMR@HJHJ9o2Hcpuk3QVZqs<&?zZ|40(|&j3G2}_qtZ6+w1O^E0Y;S7` z*ZwyQ3Pv$$dwY>LF(f7;<-~VY2s1|$5^i34bOJ6A7dpHx{)CaV*F-16@=8J}d3ilO zd9_bD1O-ydb^4FJy+?I{P2P4?yjY};uyL^I(J$=vCIGfncGd_0j!ZJ1W_Xe=_}_01 zhNTfP$&a5P{JDevCQg`vafk9$IgwE{4sM58{&_Go+aTPJLuI{&yi-!gJ<@1MDHw`{(tyD-%KUT;jSOtt^{x;DLgZ9>+< zw13oBp&3F2??MCD+u!0{` zOIdGEBuHcSrbU8DZg~qv=tfz4bypUx&Zw%b zVtDWAHuk~5V+-$l1^et0jC8iGd~b$)GTpY2P%fy2^SG7FB9xTJUo3pgeFd`_*Bq8h zvWaLL$F=Vk@1`QU{Y?tz;@u&}$fS=ZXeLBiPwnp>lDrNPZvY8p!ohzfDaMFA3G{6J z2*2N!le9#Wsk9W|;p)*LF;-B|cwLjw>V{-UN0xd(7|TX+Y2h4gdEvy!0@(nw$K*E> zZ0UX+?EKw?CcLr_T>1gC*mcMQGd*4xw-?^q|FrVh5i>z8S}Vb44y8jcvkr>XP6t+^ z#DI@XVU+l%ThN0AIA%8J@G&hO`sUZXVv81T&rUd+kl)YOj9W_o>*V=FCb$C68ZV=W z!E0nc-BtI84kJjnPEj!t`7IF1&_LgqUB9lD^f@r-zKJBy&i)FQfS@f~(e5r4SIF~H z&0G2S;+)&8+y6W1Ndi^quXALW#Ht9gy~e7El*SZy^;DzG+$yc+wfHp$GPqx-_q#kV zv;6II3W?mWSd(CfAxbHh5SbFXQG=w24t4SB8s|T3yoRGmKC0W>k8k#+je~rxy{(^a z%i==(DhHdndjB&#A8jWB>e_*?oIa3c-B9yeD{7EPkKSWQ3#sD+qcYdjyqv78Xw$k~ zE{;^X?^a>?&#?oDL@nq&B2WL2_`db(gAk)9l9?Oj)-B8I#IbOHeh8{)^F6iJj@DlF z{RKdkG+hu{-pSd;+r!TL`#+N2pWdHG!(#QxQ$mLe0wep$cCC6c^JKdt|)L*`9hM9`skf#loXPD+f8g}jx}c;u8r%!y(~hbL-h zZQAt>tzSWs`-{SlNyy$wicEE5GL!3DYuh_VY%ygs53OU(@{{gaaG}S)PAwR6%miVg)C6Wa>9;n7VYNHoJ*D zY<H-D{^Up)iA;8P$HD|uwRlfr5~T}brdzY3hLnvs4_93JPuSw zGz;q=bYv4p%#y6F#RpC30Bt!6*mBVbzBK(>q>T(Xw=WKT1Bh-+nGG6r3UxUXM?Cc( za8>|nTaj5J+7kQJ6K(0owq>p5HhH8y*DlI(Ei=pR3iHZt{@ibo!@Dk8wN`=e+_L#n 
zb&~=?&(C|qurO+j%*!{jrJvvc(o zUH-2DDEkM`8eG}{0q=#CBlk|m@OOZfSp65oc_hORluF-{Tnkkb^%OufVh!!DgEJzZ z^U(yRq+uF22k7*bQVbtHa&|J{`8E;I@!uZ`MEuGCJD(uA^=_vOu> zSEr`O**bdZKDIRya&D)-2M}lVcRJhE^9gQl{q?_d)*ZY7tu|f7cR?Z(l<49cwN8YT zx63tC>nclu3udIWpfbJNm5yf4*M!rb~$Scpla^rW{my5aqdfqi*-ShZAVm8}#^?It2W=U4zdp`Y115 z*0AeP)plWdAe$TY#<|=Iem3Fd;^SK0TP(3S+rj*L@7Ft0S>du~F@JvVm-j1I5r$~3 z2d?6p0+}aN)helBxSHDI`!s80-2>3yn$ZX)3@yZb5gq*gGeRE;wrSJk(_<7qVbR)ME9Gyj zox5X?VKMakEGG;1iHAWeb!6``K|ui|jnzN4wzFZ|jw^YOSp?!7`1n0XZ80*vbME-=jWxer-;pa< zvku+{NPt}b=tbig4a#dLEcf<6O;kugtrFf}JW)T1v9ccM3@1onkxPR3t&9)-KQ~+V zEC?qG581C|Ep6h!C-I@f&~yL!N45b@CQE$%O{fZ);Sn7a^v6iZl!IpQdGpBMdS`Sr zTGQ`PL54fK-)8K%^ckEQ=JwlEV>RMV1_KG3bsW8#@vxGuyg#o`BCAv}V=fgOA)03N zmImPsDqwfU%-Hm2uroI}S=daLigpNXRRd_gtPjH@Oj@<8kXeDWY(OmFeb>y%6TN1N zIe5XBu_8XLxEKo8xDf{y+=06mJx0FUYx>XvFrKrBiKE9hPoDU+G1EdMt!sOp0s{kP%9B^k~%d3Af==CcGePvd*GXg@6pTZ)ESP|%?yXeHBp{0FI0Qr-6hY#v;-k7kj$VyPVrDB9fdIFEiM` zto`%4J4ny_Yx=FjS08M&hL3OkWT65HT@+Be!FOym2olBJI-=!!{7au{<})qd!r{Lp z%SqO!Apfm$MMj>{u;T#xRUEI1(PbC;2-Il6NF(>jhmb0)z)C5Rn7{?kM=5NaBrZ^#Fzh}AB z&zt}`4-&`82RsEv7i?yTAg)O!2-Epd(zH^7b0FPI1?CPOdSvs82MEU+k*u4!opA#B zm}f2|1Yc@A3m@y) zz6zV&fd|FI0+JEAqV@@IVDX~+(uKpTA9KX|$s8(H2*el~f~y1Xk`(Ve2b$I+yiJpz z2EAN@3j+20#hgXl`mw{#@K8lf{(nbTPch_FPd8F;LMHX+EFjVl`*6%lu@V!N7-M{n(!J#BXlN8#=U;T*VyQ&R@=>sy7k57)m6^W(&qd^#GamXK zxD#A_GyhUu?l-I_9Jve`8M?cuNqCF01a-ERK1S`F5;Y7QkQ2P;-alPFV7Oc zVDsTrR5U!=oF99x@H@88a9{ooWxhAE6PyzZmb@x#@A

#-rPbU1^rgnZ4&WPV8uA z7wKIU75Z8D^4^%fD|_d?Pdx5^*LK+@{mEhCe=YBxV_s@|g0nr2Y5fjQ#8`#NJr2Le z;U<@C!lRBJtq6@f^ZHZ#JoWp|rR{g8-;#QBb6p`Q!Yn7 z(tpBJbHBn#cz=?-N1<-?9N;NUbGz=Z{MV3f`)s9#Y~7M0uM9FIIgj&pH4CXP?AW^{ zt@4-;vLQ_V+xGjXKQjNicS9oo&;2I)i#exwY2FZ?vcF*A{A0$UuPQpHhiu#BUb#V` zbi44*IWL$WR~!+J&n@YAtiANuHW>@IXA_Qi+AO~D(qh#f!vLf(jGOU%!?XD(h4Noj zFU?~ruv*UGRT^|Ku5=;)XPa|pPish9OzLtz`9A)2$S3s+dMOL5=33~TEb2|nHfuKQ zpO>w1FHoGQe{#cv8Z+55RSk)*o^0&F(_B17Tp9lgC-^U4%plO@{PjA&rhFFr>Z5jM zHJcnJKll2ohA|&rhCY2Bt_zwz&lU$wpNE2#-@=$a-wmGPj>10M4pDxU>HLgUQ!i&$ zyadnpi#X`1IxKiSeTD*ujeY|+XP=7aA$iXUERBn`=RPP~w0ahYXITE>Pyv=emw6g4 zUP5fguWY}+sJhU9QRKe-8Oxvjeycm<+LHDkcIGd)Z-26$W36YrRn+9V&o%9{zub=g z6y9=eiT>R8#gpr*z5jJxnDu38anZg45r)QRtiDfTgjD`47s(gi<9CBKWV&$eiad1{ z*7ZRy;WnzCAI(?;Cn&CHu<>Jc-H%Aoz?JIXr?lPXyqEIVEQ(={?+5*f>pNxqnC|%f z;Qy$weAis1B1_ThLU(hy|BGx7{>z@Hk->UC_+n2?u;~K$7y*#+aWCu6DO?ZY4lS?B z6^{Ly(=aEn<^FRMW i3&WE8xxzgE_cMm1%-@#kdiNy*5O})!xvXA9sDS&`L%!7b{-TnXrezLVT69Bw`Ix2_?fK*T8o&gIGru@?U zARu)yfDe60U>U|vOx+O#1YzL6H|U6MsSyascagXdzml8I$^6xPHZ7DAMm#NoB3#ZXb>dXoD)g?yrV)eFzrRd@$(oZxgU6Yj(v2vjee zuZV|jc}4kzhi#4P*)}_}yY-fXwXY4~*Z6oOm;HX=*yt!5>%;MpCg+pm&)ZDUh`zhp z)O=cg(g2cz_aCErp!~sB)Gie>dh|T!y=;)+P?e1Qzaq(=JqYJomKJQ*rXP);GhoV1?gMF^++~$ z9ZiBA`{L+ixfmJ%t03cg^v%%6nkE!G(1xdmRy@g8EV0&8TO}W*_BooclSMQNtPYNH zDbPhm(1cm~56q{THimJ1FS}!`xz_*K#cxbM)B5zdE)UzY=v~g-p=zpvnL1lD_{X98 z{>Xi5lj_rB5eO?hR80jJP93q0UV7^c2N!37S4pP4$N0_c#uBIUVBY#c}zNJvcWc<~LhdiLq zjb!w|#ilje*3o@mI?c3bv(;v)dqkxrxSg2PwOoWv{NNE|Jv&isLO8K|mB-KyC1SHG^%0-@=DXqyes8dBk*U*qUdDV?z z8_*daiUiuBK%>@E!#(>!Je-7|LebDe33)qcQpc*%?(cok7=t#b4vzv9M$v34VpE_C zV<|UPe$j1E-@cdzpF!oC$A98wO3No2)UCd)rU*& z-s^11{EbO4N@%fxg9@-u@trwyX@dp8?uP~DliBeE7r7ZxkS>h6*TFe z)-aPr=}SYo7$zrH45lZHcCQA4yomQl4p1H|m83E%W=y50#RIu2Ck@|7tt2O1rVY6uob{}N{} zzsDYRz#Nd^G+m$eC8GDIts+Fwu5zoGh|=t*i$1O|bBAQF9{o0EIaP&`cxG0HA`7~y z;g}+ed-j3O{l^fFI!H7vvzU(@I0Gw$BV&qG5@S&6m{@GEz3?a!SZxSD5y`?}A(b*A zq@;0Om4HNOp@MvnRQw|;G4tGpUY}IbFJ@?21*lSu;{Iw_sPWZ$AwH`(>tF#1H&%Fo 
zCj|jHdWNFnObtHJw%;arWkwjgP6iI?kT565l78O)szfN$@?tQ4+RdxYu#~^zC7P=G z1L#%@H189U*22JGIuRi^oX504%NLc) zahE~7ExoLQ3qouZ*N$0d(OvvN$YF00QU()Vd6&7bcczJ7gl=>LBhmJ3up{fZ3DbAI z4;GAq;h|Wsx%davf{>us7^e5x+Bjnj;b~mp?fJ}fPRC+}JpxJ&&6NzpLnnb8r-|3; z+&H@l;w};+RwT55u`p>QIUoY?>^VF?2besp6B>rVp3IPyaO(*!(~e^)F6yPUZoce` zv08ljv<*xgiVP;>*BMnUh&t!vpbUZU(F(M-;wJo=Gnq4}pF&4Cm2+iBEd>)GO;tq)^91ywRHf!denl5}_rFBB&z%@J=pNywB&CUB4gl@e8ZDZ5%5-JZ#- z*c*F!X=)Ri6S2u%^tg)RUG3a?*QCn`@J{Q*K|AO*$O$5cu@tNo0mE(svty79h)Os$ z1DqX=OjwBUX*|dv#~IF#M=m!rwPDo<#iT#IeJb@lJ?D3Y((RZS zEfF@3kBc$0efmxwg8ciG#2wP1TpFGl{8}ReTa!t`4h4l0rRNRTX{DI3A`uZ|EyIKsH&(;&d}|?j<$0I+?D>i?Ii5a=^Y@r z>=n=4IobSoIn7B7=0_5yhcdtCG}K9?Agt(aSnhe7ZbWB$x$3bGDXZLIV{cxseL~w# zXxUjAp)$RHi{^`}{xd?TAGAl`>>rZ>qi8XQD=l>80+VE)*mkgFg1Y_>9+!W&HQ(zsTi0i4 z85tX~?)Ze+rKub7@%vp{+UeCn0`#m!&VQye-RZF4o*p05+A{_guz{l%0w3Vmrd11% z+JZWB6RBVk906&%Xq1wwz z`mZ(dl|xHmRLNzmAh`1shfrg@rl3S(2^ZlQvdtn83BbC{GQrD`+nf+x48sibRd3Vdi+fnX_eq`|*+B&N;nd@WEzoXJqdlrYGZUtj~Y=e6M`J zO)|+QsV2%wMRICatI>F$&Vq(4>^%oKrnZOMaG3Jp-D*I#)fRVszDzXtJ4B^SvVmm< z_U1q2AKs$n3Tx2meviN{olqzw0h447i9IQ@|J4U!aaSlH0V1Fi z3B$VRvIy)3JXY1kMF@nt6j=#koNQN^2t5USZa9c1u>LH`L^EC$iXK#&$mBSp!XxY5 zgj`lfD$n2Uau-EROHR5sWtCq@f}JUn?-7n`nMkWw47YOc9wNnlEEbojCQJluuvEYUUWegP; zdVupZv7B7Y`~C3ka<@NJp<1og^|z?1>k5$btwoQPo|QrR@bj?e{oTq02;dFzNR3z?y%e1kS~59+?gqW!UWmI zmI0=70+F%xdkkaez7u~W!$)ZX7N(4OR1)C1=$YEx8fbbMrPa>cVsJC#_{X z7o;oAzFU3m@t?{R^1$?sfQSZ3d#bh2DHCccDu0(a63RH=30^WFGTqH{JejVdsZml= zNlZ*cLvsTF0PxeZO3E`Y+2s>QG*mQB9Jm+}LlzBw5SNWDP53-+dPYWY!@6d=q;bA& zv;80a_v7KkeYlW*xP8Sd7jQq+f7s6;7U>yrS?5XHuv5i;}V7;S+FJQ_S#y<~+HP-Y%2-+^}Y8g6O=j zUB7$2CvMoli9ZVz^`{I@Wl{m3y5EmGO3KMuypAx%f^4vURP4XfHpcY09MCY(KHh4+ z|C)-5ii^+f_Y1f_cQ-dT&(F_yX=}qrJq`&A6BihEI}@~dmTcwVIb5z9jzr@_x|-UX zm*wWpo@mn1Q4?TcIdS0ajt?KOch3|HhWzFXKj+M7k1mbJTZF)MhUkP$m+^BXLh)ty zJ+<@bzX0Stl5Wo?T$_7KwJ;^MwFR?7Y=iPu{<-+Vfx@|E1J&j&v*~ALIrP?1-;CXhg!G;~px4j4^j276ue5|VTwW=t~-B#mq^9BBH zFn7AYk8-#=zv*;})S7jIuKYQ*^D!0U^N~cJ%?2tdC2D#^!fheeV>ry zcHL%*NWjx+>+{_0_1OxrT9a9a(T!fpW@isweAj5? 
zfxv^kkqsU2iq;1;6hINzxtxiSv`qpLuxn!8*-_qpJloyemIfmj5r3R#?CblZ&C*Sn zK~IVN$z9sFT)a@MeKb!q!vVv)AXMbkiA@(00 zT(3kv@CyG@fSTf{KkKNMHvYQYAGWkcMDAQ7B|JomufWtFOM!`YB*I*cYCcegBfYJ^ z9D<8F%lC^^vn@(#k4etfr+9qmvE#C~-k(3#Ct|uj8&+)p!3*jZkwbqBP%5c|+MEas zpY`j}#FpJQx*82%?2{T&)@+lRb>AL*_88xCtb$3|rGuj2F=2 zSvJpgy6+)1?*I(gbCb;?M}O2LNGEW;_5!#QpzgHGt<+3 zFBK&F+}thub*m{oAEp6>dyAk($d`0oWg1SG%bzzb^RwaBL3;NqP8Nq;Bx>7TY_EH@=H=COSjw7ec1@gVsr^7pQoiJLYOSlw>u4w_ z@0@Mv#$Bp}j?QLt)3cQntWrGgC9FroZlb-MI9Z^JCt%8dI#7x?-a5`(wdQ-aRL zEUyV5O@GFCYw`hgiDr^k*0d6KLn(;JdRgRtT^5`DF? zvb3&5d*|7UX=Zg(ZhN)5vD8*lFl3l=jG<~|3&}j;ZI*m~{`S^hme<#N4*N2@8?3U( zg2(36Sl86nR@7FXU)j`TJd^EGBCMvZK4)~}N32F~#!zBJ11+E|eWmTu{&aoTsNUvA z4{qA^X`}&3;Gh4I%FW?!^o2C;V!|C8K zAq0J(mQ9jVBO`IwfGh7b6Bn~;3;Jm&*~90ht45bV;~4Tx&h=nigRoj69^<*Dn&o<} zWija$ z3`V+z+r=%01czb!YZX=2*|nK@MKvrKMFvY+JLK6VASit|9Wk=EZ)k!bppNwL0FzOe z$;i(Uk7M&`ktu2=WSHyG<0Lo))6^u{cxC51tEXiI|9x1s=MRn;7JUm7Z#{p!E9Xz3 z^GDRd(0izh@w%L9*)A_DOUurFUBj^*JP0p0x3s*tqmVJL)@pm(1kh=<+UY1O$HSIz zlhkroNlRDJPMJ<;cX+-3(F)4pdJUuqZ)j+so~RfY7>FH`@sd%~KvF(!2P$dvGU)>&g(T0P3ZbuS^9kXe0_h-oR^==`kW`I`5J9s@a*h(eM9>^nSR43 zf1ga~eogdzOf)SmC6LPspf&0VyRXIg+@prR-KTu-1HXN!@jR-r*}iOZuQ*v+(aFik z_J6Wl!@hubs*7@A+q-P9cgqTi4b6%ef(w;>Pi7*X z?@h;T0atBFK~>ij6c|lB8B6`J-x5YN1CtUH5jg2MpLw-ghBrL(I&v!8P2a0y1zQ?U z#@fg++|OglZ|CVK8%*TSiRc~zdqNxAU02ZU6X)mI-q%C1yoF^N(t-s;(LJ`2L8Jr3 z>B*IJowo+sVbEOt{^iBR+@jbSPq@6ZSBu2mrS`W#zQL(+Srwhz$FqkbOy5-fBu;QC zsoIUEvdn-acd$T1Qgotk1fjo)uX&>*29LJN`t+2?;U8ZJzUCawc8ShQCeCqFUo5DO zG8?ucZTp#{0kV@H-EV4Z3kxko5lGvmFTpKk(!Z*ruXiIIhVsN1=s8};XZ}R4f|`b= zrWq&*>)JLIEvrZgvSbkk!d?e^1EN)PLe60)vvt1*_V&A$Vt5}LDJ-Y1mPT^eun?fw zBDxL+7to`wqNc26aj(Eu*pN01mPx?rx}5$&!O0vC_J^l0 zf68TmZ=sXoOCO!%Y#?T_dG6M6iy~Yy?9b(c$pTTBmGdl46f>SJmVdQF-R|h>t)~`s zrEQtzwbhnmZhrCg7^>)_8wFPQQj?4NI8{4>6TTHyIFt%E>0?z0K3%n~+fmzr3hgDp z9=^&WhG0uk?$V0)@1(ZkNo6_5+lzgP@ZbGAuPnT%3%}N-Gf>;E&f@%sS;Hy#C@qNS z&~pB5O&4LP0f=HhBcxrosa;~l1k|0kb;Rz6CR^_Vx-SO{8%ioQ+WL!Gzk&lK2Bsj{ z);(gR|FQuP)7n}}%3(tVkB^V2s0n3s$o+h^_3it2ZbIVYUq4ZPm|olX-5n~*KK}bB 
zVmL?lF^);6)6UHJrx@q0qeN!Ss(I%nYRB#R)ihIvd}*>a%`)@)A^wz#W^v3-un``B zsg>4t1%Q&Es_6P-Z&1pMt?Kl#itQ(v-ID8znRmP4Yh(KLp7&35MvM?S!cJnbTr}LO zd-W_Gb#$6 zn!4iPAmNV9TiemW!NT4iX46ZN7zP(ynst1FIwM1qin@ZPzNq&Ck{xaM%ASDN-avLm zhaZgvZwDFlfaNqn9w*0Ufd!2Wk@k-34jOASJb$~>-D3+gP>CdOO~Pmjh>aZTWt7<} zvJgsEE*PF+q@$wl+%`vF@L!;M?a?l)=iiQ_hlk(#N0c9mEZJn@ z&f7YLX{TsUcDxVz*O+)cPCR#Rm6V+g_1yQ~(pqG*dN>Xu2)r*tCx;?$&x@#4Wp?lt zNy}!brKO{w!Q;BK`^v`Fs=c)HA%jKa4_f{2@B8nmv}<3IO>MQ^Z!k@((Gr>0mG!;d z+`P=acc*v%5;|9)(t%LXRla==fPdx>+0a!}{-*xNVNidH7?fPC)9wCs>0C0gwy345 zt=rJpX?Hf6HlbQW3+0ck!-JG{fG!RjGT?>zTN+^pW=O>rAv&{%g@zNiGuMT{N?jwZ z&F*^hm3qZ1SWRVvM54LYC+}pv zto#vPJuV|$d+u*_>%U@LQAHCmxU`UBOQE7^?X@)j@+f&C+w=6$km3;%UT)ci@HOvY zo5k+)aR1nyJS^d3#yu*&JwCp^jA6G9UU3nE=p;hKBU5{yuce}{q@tV`e*ZFRHZvrd zr`PKl!4*)4H!C~J1&M*xX`qOTYP!?L#X|4BcjYQVR%{sD>a*iFJ|7>!T0O!tb*Wrw z%YYR_Yz{T~S%Cp`#u>VhEP=aFK3Y6Sd_NO>`FyqPd{ymKR+s0?p6RrE z9zEuC*6VwjL0e{V)4YJXbJ-#sk7iE z*2`%X=5JLQth|q7vdKxw=|uO&FpTT@oFNC0R`kg5=?DJ3<`WMCH=iF%uG`$)Y|Kyv z&|$t!#biY7#b)XGj_Cu|E$g&*LR!j8Vk9Www#nYoc*CgKK!@&ipGF?hb$xV1>cb|H z!y5)6*j`Q~&6n#3H_fIjoF8;D|ENYGiSC>byPNs|S0ZpVy#3 z`(<5B9ad{Yk)A!vwsh^%`+_S=f+h_wN(|%4#6OQjHJ}Wufpk0!V7xZ33@Njev~;(pS>pY* z>`^i;HBD>D(No`P(6Rx5g&niCF-N{Nz{EtMG78bHXUW@nK&$*y(KY_dQJ=Ri`A6l9 z*GY#@OD#6n%gdN5&s`W%$YpG#8gu@|+xYtW@osA< z_%x*JaXOLld0Gh~v_3CS1y2v8rkq`0=jf@GQ`LQ*RFu_jciS6JlKhW=W?|$a3Rlq7 z+_=3JvzLd_V!cc7kP@y@OxuIg^Up6s{w@!_fhGbAP-X9!QnqOklYUfQdW1w}+?}AKb?(J%h?XlUr}hpZdVD@)z?iW+b9qy|p!*`=?9B2* zw#)TRG3V9E+#Dv*-c$535)?#)<5mn#I}CDV1!HC9W6n-#(fK|sKQyOyF9C0tqzuZo zv>XFQczk@k5mIU+&&)Z6#v z-U;ioRbox6kr;gMvsY8YI6GtMs*2J@~*d_$!k#Yts&Y)>gR*;iuqb3btWM4Vuih|J^5oYuo{G!zt`S4}I$B_&gZ8PQzg%%q*&G}v}^ z#TKV7%T1T6&e!C;pJRwR?`wZ4sP?>;xCl?nMF}OU7jvbg*^OuAxz--YDctDHC zUky#oY&Q4%^QDUaAbfz((*Gn>?vn(N+a>+t`feU}uCF>APh<#vcaC&4HFY&K-l}%q zsuoIQQDu>)9k`|xO*^ImA&6H@27TSzob9`_Zfj@vPAn?#DJQftDO1thL` z?@+LpDS%wFJ1sG1Cv(UmP z1rhkX4q;|{IM`U6KdQ=lNQ}25INzMDKaWq)aT@Jat@t!|Vtg-}dcPXZ@VdL{zJDwZ zo=LVu^SqaFOG{Uv8ip5JcIKXnFk^gvVDf(7PY_hl(sjB&sC@UDS(?6+^FFhSp=)G) 
zPrG`nsjDx^DcYaC(MBvZl+^vT)^{KT=lRtz73Dlj1J2#Dyu89< zW-4Dnsx==iocYfm^4t0Cr#DO08tLg5AZh9%p_yB33Ytl9gO(gEv(q;v^~vF&-jd=m{zSq#!|L*>bA>e-M z2N3w&1z|qAT`m!Po9VCZ%q||+!5k11i)Oo>7p3TWpWg-KEgh}+d{|KA<9j@z_WYa3 z2>{z^wfmZ$(sZ#sOYwei)%D&RGidquChOhUh!I^TU@EB2R%_Q)!ipt3S@ojx_f@gR z^D>ASy4_3i!4*m*LxWR*Is(A7uu@HZ0z}Z-*&g>}kW@w!|%NKa4H%4og2bF zILWZcXRXNU>3z{|le+tX7MDxb0G!-0G3VCc;J5x6pL3@;ro(z@T9h~gPjMP2KA6tg zP7BRSmud^JTb~oXL+c-UOv_52M z5(5H{vmu{bMDG*XuS3~%&2*o~mF|BvUrPk=h%o~F0yQT&AAL6|Nvayjepu_6mIeKK=tMSX=Q>6;8|+Gh~Mq*;!@4UtI-(qZh23+R^-# zUzTBNT-f`{+p~8il1e)Bw;^#y0xf9wbe3UaN>tyQHJ{I6MSa`UB}8|rytx({`kJZ> zs534(?l+h79}--+a(a;mmz_qmPaOY**zo_UcN&lAd^j1o>@TOeqH^UR2_>bl^Vg~e z8pLonwj(VRvYqS-7u5EWlK97ov6ZjsZ#LY=rT!iyDcK6uY@$eI>7_jo2+kXEN}&60L?*03>T3?HKItWUf;CenCB#Y$& zAc$*A&6oUFB>FN8Hb%8eS6Lb#hxAV6hxuSDooDzej6zipd;RT#F zpW?uF$?T<&77aB*Us<>$Nb>ft0IG4z3T^qE7zMC`-)e3d0|&d0t#tSjr@@J_Ru~~w ztF$$A(|76FyOl88=IH(P$nwtO;EMjjXhlRd+7ThBzjPy0(C2LA(ZyA7F^%I>c%cj( zPj7`gB+3U0hncag^`w0Lhz-orgL$_Nc`}0Sjo>|i$%#(;gW|RkAeG`BS^=%;xo{pg z0CZRe_Vx^y!2^3hPngZ_=;CY*FY`e2Jor&cDHu<3#%d4_eBIyQ-__lTG3N(Be2qP8 zf$Zz0Ut=K?#{OnXu-aXx44dw67L-+X;(=l!{)l2oC=`d?&OW5EaI1Vif2nHlbVCVB*+)f1b#7{^sy|f-qnr2`wbI3iHu)twfk#NwhHHEiT^`fWQ@-i1&{oe)7jH4 zX~2s)1TnN6#*Qi}&_8Bh07C6oF(i<$HDg0lx|=dP4O(VpCRsKef$|WP$HPVO)U968 z(Xt}I$5mI?2!J6Tiw1wD!+;^*hq*1l#aGo2Gu3zbYix}!33vQURgguA6a{JoN)o=i zHrMjbj09h`_ly+Q3?LMaUTPp|nU_;BSz%uya06@PX5$9)DpS_U6G3R4v zc2rJYpp^^<`^Q1J?_yAuneR#m-$|CQl4Zg*G1aQ~{%%v^XMyvSV9j2ldBNcPP?!8S z!5>UIqNMb5=N1Z*DOWE{4K3K<9)rkkf*xQ-VW#Nx%5tk;5C#Ezm!{*H23nd&W`Yn= zJ^wt^H|JNr7h`4sh~4=Z{D3fns3bfT{~aXt#B7uyAu#(;@oAv2|SfxY^@ zI+dW0dYU{t<)l4ZH=z$r)=yIejB{RJUnluv{+m0J8I@M8$?2&qZrAIo7H@HZ#C%Zf{SCA9IitqxCWQ<0S+@s+08qc89~%`xA0fy+1B>LD9^$ z-C6#RVSI`Sh?T(TY+~=`?O~PUT`%ls-F4O2jf)M0g@Gf-`o#r{^a9IN^|_2NEvzUf zTb?3IW}cW8Db=vWTQyx2ob*{byO0UW4~Vz-cMMF-y3$S%$Aazc4dQ`gmKygXc5{o-9V{?9PpVfRE>CWj^ z`Zwd_;KYm=*3;BfSMRhhfjf3QI`33zw)C=1I$v*|5n$shBtl5>A0MCCK5u4cX7&ef zG`j;4EHtb=XB4~*xn6b`TRfTU(IQ8eq@eh(yLBlB4u|7vN)kO^A$jDjctZ7r4pS!r 
z5q8jzWs);<(Yl!Bkskc$eId!|}Lr z-9KJwG#wO2f1={>cb3VvN%w zQc6NljpxG5-(+Vt>Qp?-;x1_L{MD=a8hSp zL2v}eO}sm9@ogFCkSlC@y#K5He4)W7CDcz;J{KvxEw7895mIw2F`E4nrd1ha;oc^jsre zM;2yy)n`o;)JHg`M_`1%CmOF6lpFv$b^)ph>RlsUEsg#LZg4K!upE97P_7ZmvITZg zpO#!a`nZ3zf1vN7NbgBX(%5Oy#6P_2)T{2YiTsy*8R7#$88cBvDAkX%V#^o1mLsCa zGW-}aDD;L4f275^2R%pN9%!ay##>}T%i|A+AgoI}OjDwv%q?$Cd5$Je`%C=<>Z6Q6 z4Pj{Lg?j6UAYqqoy&}1!aLs7qZvC5b^UI4SG}kCNB7`~?EE=fiLa_m){odb~xBa72 zX0vqX8ax^9t8p7?G-Te1x|?(IOI@mQq;{M~a)(c6OzY?Euk-yz>~-E)#o`I`R;L|g zVQ4DMe~v)o(`^w-t8fLryc$B0nF!gHm^c;s^t@?!4yU9oK5Y67PbHx z!xeY9p9%w;REuh{!{{i;9X$SByS9Z;!i0@5Oq3@!O7KYg5Qfz1^ONAiq-aa5dL!&y z(ar5es zGGw({?_eb4SpB(R;ZKN$jt&$>ZnZmapz(8cTmdCue`g(^K6~PKm#ANRD3Oe#DF<%` zS}F3^dp6RD7DVb}aULeXyPNzb`|tV3qb5WY>BS-Liq$V`A%x&n zg&Z}Vf&4L&e#4rCq~w)LMmg2Lw!ef2g~4$_(GX{LJijJa2(9rUH<DD@6X4A}JbE#j*rD-WTn4_D|k!QCTJ2G{cgBSXISRPr}*e z+tomBsOTpsJy+lIFq<)7!1k!Pl}w09=kYz zU`-McQv4SlKrTCpiaj!I8XP`BE?V7>B*>>eMS;*HEVR_tSie93B~=`(G6x{Ul%i{ zijVuX5H;O8d6i}0OsRAFAVZ5@DxcoOR5_rUq&JUwVAO_o_Ex)iT>$hDsTC8DLCr9fSfYRnSrSX=(_@0m^s*wYm4kGyxJ@Hchi9 z29)WFSPZb|(pvc+TxO6zK>p`$vj7aj*F$NQ0s_Agc-J8ZJhT&ol;PpZxfj6kNFdhD z`3af?4UMPl3ZlGO#}Ux?atlKK74o?Gjih=N7l8Kz3g|sIZF{en1qqxLY8GW5ym@@v zhxAwJF$21|ij3)jhsS^xKpGtp*Dl}TgTkT0vEW4z@LA5MbI;~*>`FzTfPY-i@PB48 z6dUYR1fZg1k68)uMr~QcWT|sEbT~X1x&Da7^#6Zlz)Kwq<;=WTj~}{`Q{Eopui}Lt zHpIVQz?e~(^Ef^TJ`%o@f}4-8H7VYW<2uNg438Zc|F4OVOew@r@`^^{hhI+Sf0SUf zTD5)>$dXL%CT})vq>bAJK!)bUAvFZO;sJTc|JUNMApf{u9_X&%V|+|Qa1kZ zrQKay7l|Px_5Vz`9DHlS01xa5o*=HAzeXm(V;eI3F(U9N{&x_8)!c>V+hva1W2^JP zh8_+VOC?Kfi?*QN|B@kjApiM)e^%5FGWy-!_V6*{QxE{E{2BY69Y5NV*rCg_{CLl! z3Or`^%-^1c2%$3 z`>0dcDhknvDD-&?yVhM(H4{PN0cl}^d`a7N{O!1jJ0dKe%8{Q72^j3x*k!{U;g6eO ztL~Ko#%}*_91%Hp=RQ&vBEG+-!gBk~I|HXvem?vP{8B43E44{`H>F$riZHDRwG}m} zJ-&H&(sM@RI&6>A9{$I5(P+v zvrqF&7lK~VxMDo%%R9*|vDLPs$J!Ktu{1ji=!IBtg3!Q#nI_#9R~Mg!32_;tZ-6j? 
z_AS5iUv{Adk(H>+T@PuHJ*(A59kPl=bSGrSr?-;sP04_iry2k@D5u`#6b%5=zMaKp zA{oc^#!eG>b(O3AaC!ENL047EU`SL7ckWe_S{IldGSik9384{sna>(#* zt&Lq+{ulZnY?+i@Mq?tgxMWarJ(HhCtTdyGqZDA(u?)mAd^kSrmKek!bJS64j@eva zVWbi>Tx>lnHt7HZDd6Y$i#X&M*m-OmT0kRPS-J7GAmgc`i53UCe~xP`1xlPMDNZEu zd8q`t`CUEg+-3_b`2<|YU~HN1#?;ht?7Xy~FbS;)>CUcj|82}%tL)N`UB~eJU6+nd zotPy9Y4k^YkcC>`EDzS9|CZCRDEePouTc0Z;!p0?R05$@0MAj-Aq?OLKt%bw0p?Y0AA`?Detcyt$%eFtUttUVG*emAVnk zeY8+M#}lQL3BJ97f9hPF;7>PGwSzj!Q*!9m)bcSBEMutVJ|(7&ST!OdEqB%r5Jz_azb|pRsf-(4X@%ni3gLyrnVswz0+Oo8QOhD<8Vm>2EhzGL=EWW_z z#H1ptllFq)U2Cy9LWm&J^`~ia?mF-^?tk0f9&vN2DN*O(=9&?XDNt$!Aa%6L|4gHp ziX8Q7fcu5Yki~wCP2ZB?ZxX7(!BFW4+e|IipSZ>)H^Euglaxeq6BV+J2cO2-VQNSz zwzoTjG zoX4rf!zfFoqteJ&L57`l{t2VxVU@da*#M7*na~?YGc;C{8pOr*b)nE|q-HSGAn<-^|!JCJUn^$z)0P>-yY`FbrHB>OXa zA6x%$Pd^a8%0{)~JJ2$b6$D+tZ4+3)oi5qzGG6uQ+O z7J|Vns(nwI^0@C09ta7bo9QzRh@~EguwT1&KR@p z)p6{*4J1en@%PbZrr#YE$bO`kU_Cqf;)*%?3vzbg{u?=Sb!h-;XfF?Pmfs@{NU&0o zhd9}u6>4yE$`Uz%fCPr^@}>8cte6)eGS=Gq zb=C!j5uo_jW)}nV__-nNyx1#H3sFi^@eq;-eXxTe9aIJ4gb0UI&@jWfjLLoKD<$%c zSWx8ILUYSt>wmM;`cwUc(U$LPjc$qVYr+7@UNA<+PQS%pv*xs zT1AJ$L%@xR83%mvk>ve^6dpPZ#(f3SVTl&c`y(#3a+!>eCQPt{ zs3i0+k;y27aw_&u)&0BwkFm1~i)-21H8k$Q8Yd9k32p&`B)B*3fyUk4J;B`}xVyW% zOK^902=@2dYww$Lb*}p9eri@%%~`W*RE_a|qv2HtYYu@>kDFsWT3mFqTHjA!j1#tT z5rs2&W+Yl_da(yn(V0g_H)V0lHo%y+N}qO$>LsUY97M~HOeyN8+W*rGI|gf}#uzSE zI1R=9Q$+-1DDxhU?e^05`ua{FA$23S3j%M=N{*Qr1HqGJ`ZeZsrr;y8B0SeGxVU=- ztU?@NW+5EZzO5+*|C&6fP|2}oKW?s+)dmv1Mq9GG%TD)9GxPC!h5BfR&c5ko^2=6vS+FAH>dem`c%ApF(Mcuja<~h(D#|^TWANbEUQx>ciMX zQyQTbGNZFH?$8Dx9!-2r;RN;V@hr&abs@dkK`r?P%oY_SS>4rbq<#~6>{n27ejmJ* z;}=1}aMF^o8Yu+~;1+PctM)?sPAH{KkB8SBI`O)TC(6#y-9&r5iHggkYgSyYouUN{ zsxV2_^Kj{ItnqHEIQ?7xMz>b5S;qf6H3fH_;Qjh&rqySNi#Tk+Ff4Y4ttLJ(J~5h8 zM*&dRP!}Js)cE08rZj^Q{4Gn;c9nkc^-^xKWIWgRAw({zWKi@tL903}XlU1U_ZYW- zs~Qhjytx&l;%f7YT~G(qIN7q5FCsj{mR@Gj?FsZhIy9Aa!et4CXJLlx74o@o^ianBn{xdU z3?ZOLYMmpFCs2wZgA&K;-Fn3Eewhtk081uzC49o<0LFJ0&b!$Pp4EuQb~#cK21Ocw z3jh>t2Xuu+3oUy%>=$Eyr|78OT7p~GF;Aizo)X3$4IpB~SQ77CYGX3v5+X%6jBg>+ 
zyckb=ZT}K+1t$Td$}4Efz8fdD(J&VO4Q;oc;v`Kf*s--P! z8b_es_1_i{7>2>hSl~;+(?(Sgbws*fN;a?jM#PwAUZ#L{07X0>RCr)W1x7K-`7L~0}7~kW|P8>E&Tm+SIf<=Twj%`&H;+k9;V})V};a8_xcI?A})h#2* zd)G_jjkIXXVHE)O>Nw`Vd!#?;$<1^wV8e^M;P4YIb3Q(4dJB5`HRh#sg&rroM2U2M z59=<&J+Z>QQ5$W6%iZoz$Ie)IvJ|SqXtxHEXG%zAv$4CDP{4FHtXO28+WulirH>0x z?M<^z;XifEQHNs3CmB1Po+4L0>+%YWJ;B2YqL83Fn=Aq>F?rF9xI|>%Q`2vCtW_xX zxSg@V`}(qYC8)bNKRi%-JGY;gEe>vb23jWCb4w4UCab2K){SU#4$F98Vq_ zN?#Fmu0qN8hr2h(p@Mb$CTYs*6Shu-kwJ)-%I^Xj*+D2|yGB_gSkX>FoM<24E zb!v@ByLze#dts(utN1AL{Usk8jmEs(Vv%M1S7Zg_Uoakw9b6ldI4*9^&|e}1b2(az zSL}cv7S+x9dx_!OKG#a~m%qA~cq$PeXVzrt>nOMcjapF}XLqjZ>Ko3FPAR1kG-`S> zGS2di`#;%HuxIa$({ndvKunySw@gm{rVO4vTwZZ`*ybEK3%h{wd}>A2u6BA`fs{}Q!(&eiB zm3;-^1BAf>)Cf^$ce13Qr=XQ~QDEuXR#jQh&TPk@?QJ&K^p2us2NM}~;)_f{m%~Q` zhDUn7^rPVc$=s3>%26(Y4T=&AcL89beHo>>=y%265}T(m(z+8VeP2M71|_8zo2cY0=?#Pg%-p<(S4 z+(HuC@FzY2zj@;?nCAw z=lA-riU~?vC4LR=bl3L>1>MziwvGz&u+?lwL73MOcTX$G;$0cDUPj zSzKnxZX_qv|q;i=)f;y1xG7JEiSkG$$)3D|5qwnzGY@dW+AZ zhk}kx^&N~@+MV0StI|PYWII`%gRaopTGz zjF&H`r;aHr#|@VhKYqlq-=ND^Q;x)R#ZF$N>D`D2Kp)!7-rST_Xux{AZcbd6bT)P2 z>Smpg5Zo+qv@&h?^!?dg%^f{!xSEFeI9G{v%1f-Oq+39{$lBK-gfJs3<5356$kB-u!OQ#~6bNObH^r9qvyDc-H+q%?)+<;DHU#oe?!3*ZqT}^C5H-Q1Qua{q#lK zm)je5JSNf$cd@s$i?+Mt)b~QuhPv&-Ja8$WTd(!+ z_~N?T>#EZtU2Cr&@$S zhzmS7%cz$f{}D3yg7wT%`uGMxi--X^I3#$ao=*Nd1g!$LD!_c;iL=O!;{Py&2BS-HEoQnwFMm8z08&H9;G zqw*$JFxGwnAaWbNxIvxXo;pztt2$X*D}Ng%-t;T$?WD@QwJkp#7|1tR9B1AOy`ons2?q%{~0NJ5={6r*yr)@B!hWs_b&|$@gGP| z*`13!HTURp1C9*o6$dQ3RoNFb?Ot!@Ao081!^>ZpEB=a7KB-3S#MY>=dMiG($c`BeEzlaI`8D98bOPH{CFs4XJBV#mA`T(==1hX`N!*7 zru0dv^jm#>^OMG~;nQ2G4Ra-&)N15~*MZGR>TzMx;&U(!rD&()e*BO{K!D4D+I+xZ zCcVR`^Kf!z>K3fq#oH^}WLP@6mRQ;ve5S1v2;}giJTX+S)t-}B`=I`?JO@e3z-?o^ zbdfoeiJlp@KI?6lGh~+Y%NKTj{tDV@3vQbT;PYPTqK;~sw0wH2V{_XNA4!d3(QQ$` zuFEM~(eG+Hq5+HK^YbdI+#GaQeM>Iu8hScN6_pcX;}WV*7v6tWS#twblQ#Y?mGV_G zR+L5k9CJvuKX2Ew)oeRhxRYMA0miFl@_8r*Mq;C-^SdnX*WIE0wDbRAl>M;W&)zRy zA)Um+1lN;J_ImrhvYF(%PhnC-rR;=9)1X?L-^2al>US*KsvOfU1~XFyE)XaqCqK_o 
z&sE2P$Jczl?Vr{0W-WcQp0?+$-SUKRm-4c6MH_S)tr$nf=3CI_uOOfF{@XPBJ~;* z$xJt~hRCErCe&8gwTYDc$AtBi&7R%m-MQ6UO9(J~$A6P!`>6l@Zri-fghyLRyM{wZ zM;q3<@TNRXRQ`)obW6rt{vL`KHtuuQl1rY~mpl-U6*r3>FE`J7|Hi9~IB2k5`XF^A zBcL{CIQw7^FDfa?z4LBo7D2Af_Il|HgZGu8yq<&fYr@T|;>6XeNoE*ff8*ca`$aWf z9+w|{Rnny-){lI@_XkkG;P`X19Jl+P$p7Kayt5-o;C*s zZ$zZk9$dUHRV}pC^r`GE^mm79S#UUtK#i1;{e)qW)dZWO3gOCC{vxSq% z%UU7_^-#sgWrtCD3a$Z3sEYfixtJJK3=wo=g)p_y50K+51<6FPI|2rwV3S$>2yl(| z3fOU5trkhTs<&OoRQZ_rQZ12QT2$e6ltA-vez9rX+);eKJN$e6?k?v}LZD)V>m*J- z%k}gT5&<6Upk^({_)U|)CDVOd-^+OKW!KPTa2*2Z)@CzazYN`q3{|Jae^af#*Fy5~=-dEn&KpKk6QT$w!vTfN z+Nc)ptT^~tx{f$?q#iHD2btbIC-&jN;H@7q5}Q&NDi2$6MglX#TY&d0PnNjsoAlPE z-N&%ONRs0@w;$_xSA%m6_mMl#E1oFI_pu`rFbFGYQXtNK+9KEUeEHL(V`kc0Ihn|W z1eKQ4%;3N7*EzwMq2GFg4XR@*6>ehJzzmMIC!;7g(j&8z-lu(G?bFddVDqnA#2y%5 zp2l`2#TNll8J=zV?Nn`T!0V9k5r%9&kJJ%*^E9pdtUs-t9!5sl)zw?<5TZj_S(Fjy zZu~jdAiucW%17-PMP6v#<7D~pwyZJ#c_?m@RA^a8Q4^IjcQD%eDhytP7Kn1v(jQEk zPL7D46c-V^xWA9}xfks616#tscc)I>7{4-S8n_Q8vF4^32C#_uIPzwoocM8y3)${g z|M(tN*SMhD=|9uhQ?QE=o&ab3g z&VPRKxV8;Y^R5BC(fC~K)Kig8E6_8bJg5w>_G~|{u0Hu~xvaOe3w)^-=xl2mlN}2x zqyaO(Z!eEM4xO!cD8Pc#+`mhcsPkxAyOhM-6(zQP6j?gfl;0qOad?SEKDc;YD10xR z6eQAncn^7hS?p|bAH)zOV>!Jrw`7cOwOG>?-Nw?kQ1ft;{Q5p0!|&y?kGDuxPkWeQ z1)3+7diL0NZRoj_$%@m7!UgE2bIVgU?sT2`EkZWLP1n=am8;_FU?NIez{$bR+1b^TddF8l z*i|&?wn-G@UB2^eHXD=Rjlr&0P#gy)L z#F@h0vD3jl<$1mNjk}P7`(P%6#z;aMQ}=TdZf8qw=x1n~EE_x93xA!ajKQdn??N?? 
zQTtruJ_2u#b`S@_W%}nF1d>VWvgCp$>}r4Y9!%vX34aFW@hegn8Ec}gN|&CV8+w+0 zH|B{IQAN-usMF_6%jY4^MJ@vg9tNIej=Rxs<$j{oY2GYc!U;TXj(F zyk}0YfzNfAUcIc;!do}`RIZUs%Sw($UC877TCMYbJdN7}R#6V$&_79KxM%0bU=08bvK03kH&5^F^Z-p1Ld$sVAqYJ}-zxpRY$OYv6nc2Mc$?TrGQRo~HYhrM zDDVAvEbo2Wn;)c+$z4UfNgoFMiWMG?f@Kb1TYzOfwB=uoHG+0QASPv{JT&*w^HCHx zHjoU1I=YlzQHQ?Gn;rb{P3$XHpf%mTT3gomQBda_s%E@S0P7_1P4j7K_J*i#B!~fW)B- zq%2Hm+>G!x!bH!9eT7mE-TbTNmVj-nQ-cy)R8-yZwqE%%uV#I}`cvF6H&U-{4~|Fm zF_CO25RYj+7fUy`T(y;Q^iZMDB5324a&Md1nTXheHaU`HVjD$FJgvU1X6}e)A)0G?m z{atOhUd++j`|Y;*29H_Cj)!=v-c>H*JD~FY)MVqS^`oq;j6-!oykUn`KPdtKV z|B>woR>zz~jk-bEq8pMq?3(BdOsqjyWzB{cE|)P7p)v2$iNNC-^aPlTxS^dexi z-S#+eG0pC0;3Qs)Ip z22mDmQfs2+PwiP+o1dFr2)JE`i6Wp!SCXb0O>i~>h&Pok=H|53w{nRO7Mn+1_9wMl zU>ro1G&zba2nhrBXSyE{5Q0Kd@La7~mlDw6_8VEN8<(xl&dxG2JTiIgwu@=xP8ly+ z;V}p%y94!@>W({KmrUaChMFI|ujXo5P=AfX`*%m4f4R^(yU5awymW^63B%ZuQ+D3A zCp%vU-}gt~_vAa6DYs(*2soaKx?+`?b>w!v`pZ9Eqzu+W*(c_#DxNi(ArnbZ(0av} zvnIy|r!&8x!0~*vK#%*n024#=I4-t;l--lWzWGnmJo+ibF(JXZjR;M}ciYS88Hudi zxbxple;aWl4a7EAA_a$HHN}i}|G7+G<|g2EIFkc;+2P2M%P(b$4qB2{jvV=AfBgFg z!V}dVTvm6)ARYSV%})!+>k{Fj!xkJQ7Va!ZIc!GhV)WOk{0S0>kn%?$o&yUza#Dm6#wS6SAmE!BR}GFCk56D zwMG`}EYmI_64E58ffDd|TlrRqmN62OR0fiO#|#WB59hc{zzl9j#rjrDhSC!x@gR6w zXZ2L6wb|dI6ch>@|HvCad=@L()?Zo#c-eRa8a{wH(@-Xe+1X9m1YVk=xdyJg&@)wx zqGmZbagaG0xi}je{C`LOK&4|n)W?WFwJ!9qtMjooG&FQ)`Vbg{j5Pyi6%!D$B|@tn z=HYDUXliO?X?cG3!0hzpEwHeqsD9pIXSw()thl55%0cb#OAalnrd{{?>M~u~WRy0) z5HGJ?d*Q|XRNkny^kY&X%>d-sGNq*>_R_nYU@Q3N#Q!;+}gn*#Qx>;EIW@O3ti(7@S1tg zh$(go3?P7)h$Qm6uUjhXydvt%p&i-qx)`+SxI#&qgcl>&uCb3wNfeRhdKD_I^N#Q(21E?na$cDyVod~C%J#EjW_$)-s3@cUGc*rc7_g< zN#*U`q{G4Ay3WV*74{Qy+zp5^yXgx8)+Z*pa+DYKkt)V#`{e%_pO0U1O^J*6q9_~D z|7kO8)6!3SY_^n9L4^4QOs6zej1w=n*gPHcRO$Vmq4(3_OT^6FOwGz!gCB!g-i2xp zmSU4HIiAWqKl0j^=_=Ve8&urqWTb@nWoap7*y(-d8m4Fe^a7)n41RIemR7BUeYHt# zjrQuUc6R*Nw`RYl`s4%gve?|A7TFOoqF_?_d9uktt{de_oJ7qxXE>5d@Yo3C8hLw{EIHmY&iQQ zY4suVJqhtRs-SpPHI zml58^88Hcw&%xRQJVFQpLI`|Fund<`9}86S8CYbPDV;gG_3kSP<4cH4#%C2IZNPEe>+OnFEraFE9d 
zK0crZ_IUl+`As2;veP^6G%rso#2D5y^U`y=8!Em}PaiHV9S;BOPBR!nVX%Q6MPiGX zsxw7c%0RKzB-?<4yPV+4dW`Wi6164$zA%b}zDgRRme%{5B8XJ&A(N|doXxQiqL|pw z)TgDsYsXLGtZ`ffTRF>DU&Y48X1H}HQt2h{@mt3qJ##j$8jVty>HbeUx}q8=YZ4*? zCwWx;QsgU_MjAm4e}US9Ox&hJnxT7qMubmFjEL}x@X)Zrn23^8QU2_2Ret87MP${s zEX3N@R6`ney zO_IjQzjC4C5Jz;@)TpYe>Z+&|mAKR5S3sWNl4Yquc~g`2!VXokQ}OKHFRD5%ZVyNy zX=Id=(b2(!{Q;W7HfuEvMFSnDd_%+lY-Oi}J?1pjkcP54OS^HOr{lZsZoiR{<3Txr zEoUA}fX~_fum1VFh5Lz;)Kmr5btS!n5B2$bL6Ke_^MM6@@v+y25waDG3}MtN6PgMd zpcKT4-YGRTWiJ!kKX`}{{^bn~=mNYpex-GJJQesIq3+qO9$p64M%f#N)d?yp2}y~X zpuO#W>E}!y^LmX<1$sL;?d_70nv#-mkk8?DJyC$mIYgN>%X6O~WL!yUGd(q>-SKXJ zds|7(#YNdGL#AWKGNv3i-#CdyuVZba@M!f727$1IA)V{wSLRzx^)O_A?zOg7Z98O8 zJ*Nr^5mi)-A03rmTL(xs=(RdSsE`G4y^31mph|lU{6`E@5)x(X&%^Z2j*YGD;=g;b z{S#^L`EpQoGBO+@7`$LabMz0J4>J9Je?)@kUtX?WMXCp&BR{Efoy8SrnpLZFc{gGU zsciDLuBqy&b=I^1*7t8Fg$|r~kKlsy3Q+!?(bgbpnkBik<)DgB+=A%H?7_J`{#RjF zTU*dk<1;FtWrg!CY{6tq*S3m;`nw-%3H6!l>p>}3=l3lX<$J$4aXS=t zm-o_6BG?gHQ~5MYL~@Eo&rK_AdCC*FArsVMrCb#HlPWm!<9P{v6|i;H0fpVG-K(R& zSd`?KlXwF}52NO|X2dWF7-XiBS5Ps-aM0E`+qNC|WX|k3pU1}QskB_c zuD$%mS)ZOal#hl*8SP(>$#~|whX&_UlGNk|zO{rqSv+gBUyQJy+A;)yp(94WhBx&R zAN~CSQG=>V^9t34?dI}3e{vl?^qZQ>YFf$%6xCa*sBh(-pZ)FDw1jwC8mbN%=!;`V z=nHxpj^?2{luR4Z(z^#PoUe2m}b zDeLN8Dx@4EFKZJQJ`P(3S#1WpkKRW_*jBkMO1MjiOy?}5fn7n@76TXD&095 z>WG1$L!!+zUti`aCOC+DuHrCNE;5w%`jgBn8hX|?hok2^GbJXhENCbE(_9uJz3`!whH2eB749Mg`#T;aS>c_Dx7LV$wn*RHGr*bNkIX%r))LpvS$ zq7ufDO|6kBlqwZ<4qBw(DxK_!)WrccTz+9Xd{jo}a?@S26;#K}MZ=gwg$$}quZ`!>qYD;H&Qk5fejEG1VtY8%nWQhFfnwrf>X zR9FdL2*z$K7Ys_tw@mM;oGbCMq-5Xw5S1E6`$w46sW8e*KU@$d)8kI6!nbQCL(xED za!z79#km~9RCKIV;Kz#ojnQt8ncXD&pRjLag+(zNWVl_QFuVzg{g;$4bYALx9#@SE2C;uqi-SN%Ena;R{?Vc*9)>ox^3of6Up-5ukVc zOe??z+cAYN6y*yL=I+O!wtWm<#Tg4oB1?dhbUd7D363(^iK|bCPV8#RJq8d2lfl(d z-m1VYXNBCy3{@)_Ykd37R|o6;7ltmUC#5NUVtLuz!30LZk`(}5q%weM@^8T7VwYop zvQyJ-FGr9ZzHLRaFN#nHkN;SND>NA8L!gC=$oysvL>*<011H&*+Ln}h7~tKFNCTtE znA07IxUW#vb&KTK%_G+R0yH#;F)&0_rc2Mx@z(BN@<;PILo@kKJjO}J!ZzQ15xFG> 
zGa7VydX3@0n!M9JhkhO0gVoEL;jew!s>Yh3pid2tZPpt)h`nner@*%!&aRbC*drE| z2qc6q6u=Ve_JqK4+_e~WFzn#uxo%2HoSX!GV4(=6Y3oI-D}AxH5LQb-l38r5Z*f^Wc|PYns2@*%GB8h0LF zcD$rN&-)JZ%5e=7N0Q>F@AMMV!?PQjN+<8{*r3`^Y3VN%@>&_j4Ca5^>6SpH-laE< zz#0>P_WXi`!MQixo>O3(19ll4*f?7aTH)=i;@}dLOq(ymRzZ5EIgf!~BqBOt;C`}m zQ^+;*qa7T#U44I9#+V#R-w;{n{RyvBFVadW=7O14k|2HU!|Sj)AZMJ}ASt<@O7Y!`{u4-gP$XjdiFb|S1jjXcx=|vn9}2SvJ~ce@WBkuV z3JlgiVig5{&f}k485^pa@PBt^`co@6ck%dleB$fa?U&Be+KN?`>^T`3gLv>BjkGz5 z&vRiA(3?-Qqkf=q)TcCRh_Obek^YqW#z=avLzrxHE}*@QLlxlt8fBXLCCw@r=X|m`fCc&@g0D-)W#ZEu-epp`={j6OVgX z%jqF*{6`VWf(FON-lmWZSWfI@4a!-XVKW1cWRf9294Mx(r!Xy*JdxVx99~E;b~Gh* znub{HJf}rgaT?B^`pUo=r9S2u*}qF80(!fOiJoU;3!%x$fqB8bY`vwGl;9Hj(0Dka zebBz(IAACa|h!wld zv()Ev-ga$0&v0PRlm;mij-_2lJQ`IBwyqMtXrCly)8%75BRfFCf@;<{%z5w&#H|#@ z4QdGVhW~MHDd)eV%6rZN@A2;FX*&-l_a^)+f^Q;MTPp=;rST!^V`<6TMhkl8*h3^W zavt=csW}~vlDu3# zk&)@i%RBaGNuiR7-_@oLmJedMv6Ld>Fe^DRi#W(Y4|Wkz2v@cn39ho)PRt6_@{I%#i)Q5J5E@>=dg>IYL9kf+(PPZI&Oh^5h9!N z&lOZQSp#JCoyM`N9U*!d7|kWKm^KmL)G;EsXq72KF%%L#g+SKxeM-qCa!Fbv7TmAH z>$3E-pqBDj`@;j>sKOeycLd3Q84pq<`-2MJ8-L4&pQ~_l6ZhYQF%ANohCwtn8OzOC zs|NxX!)Ibu0-tQ+n;6kiywNy6gdya*o+NjCjK@hxG1yN z(Ahef!v_6U&2!&I+IianfHmmGd%m}Dzk@C>&I6vk9M8!+&ogEtguX8;Ise7r0XNE$ zq{eM|?f{79o*O)=LUxtEVAf{t9O>4_Z&0MX1Rx1cVt zeK-LM5xY?$Bp*gRB{%(deiLr&!!X{pp=h!0y^&}3=KtPD0{eplo|v54Z~=uY>X=sj z8{(R;R3)unGZ3%E1x(M?f(dRaJj&rKi6Am2T(yLmS}5?p!!!3}thrhPLIs+wOJ04K zf>zukNXu8>FQeytz9rJ@F zNi`uEo(t}H$8Lx@O?(Q}J>?3c7a)~5b_tA#X=aF~QjV?m?LMRftZVzJcd+s~B_py%vQjRBTugayQO0RNW|YX|(E6G2(1c3zuj>UKxLh)l zL)aq8neH=k{oy*;va*_?!NN~PH^q3O7oL9wk1Yk3`CHRwxUc<7e9xXeAMw~3ghPd} zcfb4Zl|!E=5n>KhS0An|xwlr38BxceL83}LlAkFPdb7sZN|&dJ!ak3KibfWNYMMkA3pDsdB~pvG>37wlLmEQnu)3Ve z@&Pp&A*c=@jJ5}3D3LL?_AA?;V2nEDcpdlJzqkR!8nATAvtjkmmvfzNRB)V((*?3y zHw0zWhrjtjkJzT)xI%(XR3`4(iv6Fd4$@oZr$(E}_mf7jL2kkhwD)87JcVH48%rkh z`@_dd3P2pj*qO{8GIUE`_ST$1j)Q?gp$m9?j?itZ1ih6^Vrc}m^J3QsU1t(?Q|zN& zTLfo6cdcO-CBskA4fa9hU|hulpq;qvnVetIsSG)lOvq<20&;dNUEsVIlbcjB`mARo 
z=ud&Zi`ung#|nL3;1TP%i&ju89VGM7k!LZ$Q3CPeGR5t`{MP{ZWw;mu6YYzsV5{g3 z3GU2ok&^u;&wdz4@dK#ib;*V|9t!#w`jegAqVSL7`ee2sPW#rQ?M!@x>DTwQ^6$c zrPI@M|@zV*u$;NARFlC*=wb&$~a-nohTa4+~$x?W~u-im5Jx!(rGQ} z|JrQrOCUH=4CdT9d;7Dp7&4e7O7B&6B^p7Fto@_DL(U zFH6}8PT5NG+MEQY4F&`|3-tD@46_Icy62tzlZ@=&z6u5!$vz!TeDA@K=**!m&AbR$ zLAp09(5km7`9McSzeG8n2$2~3@7RFwj=p~mSKBcJ2u# z`$$r@ONDw^(Jz=hS&2+!>=VI2TPWc5>(`rC5wWHqIK&e%TH$E=XgENDNcgErQ_^Hv z3K-$(6Tt`(t}P4h0F-%5dz}d1JT>q-EgvW`#`Pq~8iYZ=K|-gnMUDK?sJlT$0wvC1 zwbi8d0+RYoLd#z&LpdTm_c#?E3+F4Asq752t+*EO%z$vUkZ6{=#gnfn zj>8ms{)p5XmY%XCnxW6n7ouLus*Fjlxgti+6v$*LfvU)AN?(Nror>%rYldkGB+EgD zf{!h*P2g(P=s2KXj#ZcvqgyQa-kHl|y37#;=(h{$y-$jK-FLZ%&ESXD7lgKM>+8Z^b~ z0!byy)Y}LM18WRf~JbUE;--D*tc7$*+7l#V&wb)`VH=O{}$m#T(6WW292=7Sc~sp zUYwvreS%TLt}xv@Ly&E5o3q?uUdA4+Zb-r|p-DMXpsGpGTZJ&9BQ4K8; zCe|?6r8e$jP363kseR(>^)mgezC}7M$q>hRhRVwXZ$Bqx7CZJ)-NYAncpLKsmH&$u zS!9`nn*_2lL%z%ckrty)eLOWHYodC{9?UW7oJxZRVRM)UV%uZ}c@#DMs)dP!Ie_*P zAeEkg%Zc@;mNN8v4K8actUay-B_^0IuU2>oehb33GyYjXE{0m}MZ>&q>q1Fq9DSK7 z(NpH^Wp&gE0TvdFp%u-*#7hnk__@WP>Fk-Oex@{mR9QgTTL3kZ$dRVG#Vi@(ODjqa z5lY`zml5Htm6n6$1vV%Q(Lh*vYFOw~s~q76$!2noiobF24T@bH>P7|t0(!^VWU*MsZnYs(+HRmE5=^l4$+CH}AZx%;&=2F{f@2$e zi(_8}E3biIyMSw)IT_8AbLGA9@t)v7vu#wjSnXO#MbcW8PzbJOU79$_7_D0H?3PeF zo=awy7-*Ma7@)CAu_Zeu;%hkr8XaODUjs4CTI%jGjcvp4(G{iCv8@%3q@@L+A7MDN^=7Es`76Kc-T18wb#K;?*{Nbwf6%hBUAEdLL{c+QVTNEYQzf`fb~^ zq_tdAuvQpypAJA1ToL|x8dw9I(Hv08UuDFxu@z?k70L#Nv;-5S!hj`XGJhTVT}1ZY zr=TXuU~c&Yf(fNAIMGe}+?C;*T*_-dg`X`Mo31k#Zm~YG)*hz8{7Ufi@w#9hGuWZJ z0FhN1EzMsf(N>QE1B{(Z8x2s~X2TzIdxXfcgIDU|cSNDS4Dp{%*42m&HSEq>+3Wg3;EL=xWU}9b+IWc=;Pjq z(2a52?_no&$euj0UC-%rTO3;O4Q|VbLi$6OP~A!S-RUqXsuJH))@{v&d|Jl;Nb%OP zu854uwoamb3Asw$8k91hLWS6qH6vWKq5251KTgnomMm#0$YXp zB__K*QWm>!f9ry>6LJ&80!^#hO{d548 zZ7CXgSVfLOUr_=Th$NDh!6e`vM~#HGH!p*0iOo;Vi%j{`BbZx+X*Vc!O@uryoo%&Mqa^x= zvznz=aO)4PS}j_mntw{g?YBDA5-sKK&OxqB*^S>?A6E(@u5JBf1H>3&{P*IFB!iGt zj*X18wILu?A-GZDkG}`EG;Y!LS`2ptf>EN#xOGnS@Wg19sBG%R#JIIlM67bH8?Fp_ zSXbF_I$spYPf<7eaB9jH4idxjQ>c=}n#81dItOs4=xkuRzp()yP3z|*BZgWiyGUPw 
zf^kIKZ)0`EoPEhwaxS#RtnS%l}1=_q)Yfy1!2p?4PZK77KS`@&MX-b8g&y$Zg6eu7`%#ls6VkO zuDDtCK{7~18lX|^tHM*9k^@D=ifB)O0KKAolHa{fxIP3oIj2O$V@W)`f@c8efO9+{Nk_I{`1l)6|*fhYe4P( zvrKWIKv%T|QA1s4G~$<$Hcvo(zU-`L3wvdC3}zY=fnu~V075;5K$f>HW`3CP?rUHw z6v+F%G}s{dJVJmbJol(O85t2**f3d~;gLyTRW@J#h^qIHq-#JWyVi+tLIN&X4(ASQ zMud{$XAGr&qD6oRUj#86Ayk7JBv&ffwKSGO3>vnsqu>Ji88A5@5wZi0DX>@$ zH4leNTD(_*S#q;HS0D2$ESo9Ya?7Dp?n=tsfROF1;gvciF&qX?%WpD$7MkE94MwQt zA;TX9h(~O53>@26fw_dtg-mXwJpjy<#B22-GUd?qYGf0@AU`ozQg1MUu_nM(Fh(NU zrgR(qiJi&l<7xUOP^3#h&6MTO*Af}t=-*IA^asL$u0P45m4+nY@~{d5RpgfX7@1Yr z6Of09)@jF3K)w|KKP#rZz^(;I0$0Wl6Y&SMP`q2edSpU-RL9f&2YOKoO zQbi(vBoOhV!o0Jwb0G)@i81Bhx&$?u62D{r5qp9uA_R4Dj$Knp_Lz_^Q?X{<4L0>#E@P z&)b3tNJ0MK3kT4mRp1KFG3df@Su(EdHBW%;o)V5Pq2oy*RD?681S$t~BN9WTwqxa0 z&yj{mRN*62f2>rMQ^k~>#3j|sfNh=Ts!Vs? zVH&foWNynb8E2AU*9YGqtGEC;DJF+@aXJ^nduCT*updTSS1Wy2?^N4I*Ll)tjZIPQ z`ivXX|GZa%eV`TIDAoVx=QZ4qMoCMlA!tCn4%K%52Im!e zCs`+Ipz8-YI&86|oYSE-IxpvVX)WFUnIL1<@cGOJ!sVlMo9<>+qPwN)Wd~B-Ur$DZ zbLE#e+fO-L-_ef%CV(EDge-cZt0rXY!dbJ?CWExaw*~!k;p^Xcx**(31{9RGzE)Z6 zNHI&UR!XYLgjNL9(~9(>jIxa{2i`7IfDP&W){47^yi_WmMz-cs&*J{u5a_%$<){DY zz0`E^#ul7Ro1#*W@d_I9U_}hzD8gpV#-HM|Q3Zsh@G|sr)@M9aV1WGH(kT5`%;a%< z(w7VnVT!&sNUnFL=w2gzr&W^ERhc+}{}@HnCEcibiXM{iNa4z^viB5pcd4m9?|Lcz znMpE>*Q8&+1Wb3L;s>i-Qx45p5~UDA+t@vW%wOkLi5P4h_k>*8-X&#iKwZ1HgY;J$ z*>^&l6R^2j@O&80r{P{ zL9>Oa?pzPhdF(pR(bPuDdG5ha1=`nRlCyR}xS-o(1ThtE)+QF6LNUNoDo%A|>~ow9 z1BXlmS{E}Tz8uxW9QfaD_9LQbp$rc%GHefep>!9og?q*BO-MIhm3rP-8ei}e^@`On zM-YKx2-9BYUI3o>I*hf+H|O|t0?t$lW+pqsMrIlCDNw@(!;P7zmMS(`eA7wi;kg%{ z#beF+dPdb&&Q*MKz+^GE#pv?WG#5FY#1E{9KA}7|^JuvMXq;2jsk{Q#WJ`ur0W(yX zDqq_J@C8y4iDM#iV}1`+n#PaM-QVR~Gkh^4eP=6>{#X{*fc-^cIk*YMqhXpcn=y}_ zThgcUYpg54hKWO~>}e1UGRYJCU@}C~Ms~N$DxV(mTLi#ngh=$MAr8|`Lvo32+Kh z6%u@jg8*`ex*ox{&r}IhuvNi2pU7SMU0hfHtK}njx;ut3Yi+V`X}0$9lQj(w>f_r4 z>LF={OU#nJ{c>h_mv9BQu(3n|2VA^ltZU_ppI#P>xPt8Q7Tygjkpnl@#-W;o3cWdQRkL5&9|JdpU`1Hr4D#}LH`RT&p5yq;O1*Du>}U;*|X*MOSm%^ zEaf>Vb5m`gmqby2Mta#Z0*mC$;j-cuy$USy)deylrSjbKZn(Uha%z# 
zEzHy_Gz`m<)$bG*xF+cBv@dc*i=MNjz!XS0=kr^yaJ1 zb*U92ykuPP`ONH-mk|1Y4{R`4Ry;V49vR11jg~s{kwQb0$NGvWx!2%_jD8icCB#X> zCU=9uhMGZUXYjw1s|oV*+QNP*@*}YKu}DFVYJf%-TxMpPz);F7@Nfe&g=+F2f2nR@ zr(Ie}MhZuJC-l$!z44Jx8(T2fqzh{RYKb#@l!Uiy3qgqzR8uO4e1c?jEo)}2uP6yp z&>9L9V#yYv;C7Akr>{i%m`RKXs1Dr|>9;nl!H22*$^2o|BHO5#60p;f4YW>nO8U4p zR2Za63ac}oX2WKmYqPCd*<(}l&UdGJ{hei>Cb~qT#p-VI$iBl8MU*HU8hl#DC*zIL zq5qv$KBP+4;4)A2zY&uctuZ}8^UZxfFG8-GjmnJcmoKAa-vY8q$kzbK1yURdi)gUKGNvEGDe8-|DLn%KQwg|IN zN&7XgiLAwW;f!1XC6+_Ilb}`~yQp8!lDYM(Cw54OS<*Q1&L<)mAR!=E`$3FH9%J(3 z>9;;OshhQQa*AV{BsCAG#X$#N;QOf;79(OBaog~o5-Al&hvFt96CWCekfx+Rd6PXM zERV*QX=T(Ut}t;cqbn{|8+Etl4-*Lr;Xvc2c6&Ljii}ESt{%MUwh(FJZ1brhrwCox z)1#JBZUQQ<9@gv;uJ|3ty8oL2>2r@S-!vKy>xz_q{$@pDDwdaXSuHIO@L8b$4nj{8 zXkY8*Yx+EIxAL1e6XR%{nx2Z$OAoPGcXL3v(u8aJg|0V|%+c&Klxtw9f>;>*aSdUh25K~-mRG`z(ni9P#Z~SdA*3_$G2&#N#$l*Zmt|- z@jbd%6Yb8{%D7raW;MgFe3SLHxYPK=${6|-JDaUdJ%YTv96UT+JOaHAz7_SZ(sZTvq!zCYmi67L zSggR*!n{!t_ZFzK6;N1DS1vKp+G6cL=sN=@=Sjj&hlpR(>>wo8Al+n2XwqihzoRvA zNbkfaDOyri%am+_h-P%tC{(bZKIsOPO~OXWG02?zGtS!h$s$g2NCPgN22krOpS{(G z@68$b#JWkrAzt;1sDj^YU+GL5-(6oUW^Fg*DNIr%q6Onk1PQ~qCaugc;hf#d5;QU_BO!%({}6j>ht?HAdb0j;efRmikKlK6M7_wUf||&Vf!vIE~nv zH#u%2?ekN+O7H6Ks@7pOhG7JM1ShBbVt0CDMrq?XY5j~lq|k7Lf>O~IqB_jWFW+wp z3ZSW}sj;!KDw&Fl+zqRX3!9rO+rQid8-ECA+es{6KW}4!g-v|%{s{XV5k9MfR& zX9Pz+qdgh$XX2PydDJ<@JSq}Y?&4~+qL6JWTX8+reD6Y`X_!_y90@V5_nT1}MiTj| zrRTpV)F+UMUfN^2q-YRB{ZH*%1uBhUS5!7xZjRcUsgS624YV!Hcp{=q9p)G`3l(=g z+H5`=sj}3jx{w~Xv~jFTe$GjgD6*{m{ZIsM+N>Xz-pv#1toe~Srs!Fqi3>#JAA-rY zjYW4kkQ&%ot_jk>ci+f>L)E#wH|0mQ3Fh!hA_-$gZqDB7TSAco?fK*RTXA`x`N#+i z89W8aR(;EEEmUbU`vJMm)yvkHN-0g4T0oao=wxg)WemFnANLPcgwFv>>fy=^3QEft zpvd7NeEqL&TByw*EF2|;QEUYK%`v3U0|{qzI))FK!iz+^I^~tP<^UCazYejpi!Us2r6SJBA0! 
zB`|lT!o<+U*YbI1q5b>!FB0bEJ6XX=clRR*1X4)ZbpO* zLSGUV5Wsae#ie-GJY_1iI4o@gG7V`KI3`?yA8<+yH-WI}vjSNbN8y5B)J|h82WwC) z?R-adcL}_EGV|rBVe)~=mi(yD5bfej^*{5sG(^Iut*Q*XJe`MNA&V&$6&g9)s4hVs z0b*VjP-J={QZY;b%KAYPZb*9ZUbOsA;n=g?X+Hyy%Id1lY5+|C%muX%ee*VIN!CJ1 zycFR_UFzZ_s%sZcb(H@LPT(doH;trlS;mjxby-E>@(Zw+4I zJwBa62mAuJiS^Yml?*}gEacv#vZY0CCEf8vFN>fvJ~NsUVqsLyIsWwn#^=5+ZoXC$ zS0Z0&fA1OiE4E#wM1Dyy)+}~@Ev~6BMdWi&a6i8SwQ4PM@|wvUWdB!JMGt;8{3Wrx zPy4)&6)1KD50&4#O_RXe=%BMzT=S&(oRsS`0^PhMZf1gm_rRy<9SY-*#^_1_ByE2x za1ZXX-zZVc)&n(?(yoTBYXn(B)zHCRFJ7!vY)E*zXY9-=c+hmpO=zHv4g1%{rvm*O zKSkyN&oZwc$c*-BzX53qs~u${JVE>xoSQtF5P6d!C8=Of#tj4EdHtP!SXuHv71TrH8dms?5s8W6>7 z&Wb2|R?q&yzgcPd*Q)sUbInbM4Ya8*_b{80_o=ZlS_sZd^uFrr<;5>IesWOv)`9EQ z`l8P}s%~-d-t#j;3T1x8G4fb?ObO1>bhhGDP0d>{8?J#?2^Bfny0>QZv-4J0ZwtvT z{^jjD8r6s@{7;)|h^=5^|Hqmn(Qxwo1MVc`dGdj3#B$GtRZ687S~AW2ZBlpyc34Ri zm4MskW^lxJT9+6To1$Pb)Zs85IS27Cu+KnbC4`}0t@^#F-p}4bKe!RpOh9(NAR7-{ zRJbzS;=LOUmNvsBRkUs(Fx6GOH{gJTf5rD9n1kc`MvY#=1J^Akk(`Qj)s8j$i4OlaJdG#AHDb+>T_ESr3N=Solr4y$6ZsD%&9 z+!6A-du>ItW*hc+2e!18Uo|aW6hnr*Vwaz@yQg)0w2-0eU>8`T1yJn|f2_FV|MVrC z;WA}GeAkJCSwSf&qiFf~IUVeKIhvmy-YJ=@s6m?{uOrQ(* z@AgPBX-&ywbW&TNxLp;1G%HK1sNb!G5F_2svF@Ihm;8kSA;uyDHAdkQWR`@S^m}Wz z1${T@^?TvvPJhGq@5&iPiyFlA$f50E@W0u2Ta@6vLhWIJW_?>IIy=+Y!KS{Z zfrX9LWn`#Wb@<8y`h`A2L6LN&d{m{-*IJijlcFJ3@%R0M;T3UKmTrpUHf;C3%3NJ^ z_Bs>}E}YhqHy1&rpmTlX86hZSmFo6a>sf$y%_0-A4#4pI;!{qJVaoY7Y@}zPg9Yu! 
zwyxfk0mEMJzUmSiSKHIkx`DwR*={#|4q_N)t5qL;`b|3cYx7@#Fd%nmqD@_SEU*Y*xX%)Qqr}whV>z0O+ z7RqDeJUs(G76gU0po@j@w}Gnc&a#+lP8l_Sd(nzTPBAeaZgy_|cbukHpt|lsQk)Hg z%gtcfUU70++0h3NzuYmVyOiQPUx#<}7)@1*)k7h;gBe!k_*UA~gT*Q4;@&@x?X5iA ztN5dzlcC?4OOIAw~1AtzSiD{e!Q#FkblHc!|$MBcNyC2CZg6KN$8bW>vpn@ z0JmKZlE0jCQF@^$;lZy(G$!9x;bJuo4kW62Yi1BHQ3H9@9$Dv%1@9i7r}$*)h$fkt z9eHgno%UOGjJub`2;yH@&7NlXcKUo<6Wib6rK&BG;WAUc4iDN>WuEJzzvw5DgHd~G zNkhwf{=^m%X)jL_3Usyk{(a$bw)B~A_c%JQa?f-gd~GRd+O#5AJ*GGQdz0vVkHJ!h zfI3yZN=X0ZPeXpcFBCg}Bpl(1%rM1p`(l#;7RK9uzv?V(w^FRHp{{T9%ykW7|FbZw zFgy3LBmbiH$Vu^%d~CULo2zld$oOsHz>vc0M>;c~o?fGRX2XN=1u;pku{*TR_1^*; zATh4?SIUS@eFIs?vKWVem%I1msf)~N=A2P?K!6LNm?7M#J)8>>331No6Io6U)>wMU z;C|=C=|tJ`1kb;jH;&nTmK**<+(t-Kzsw+oFQE<6`e{@U?WHj(8F}pON{z_Syt2JrO|5oge>>axW5etW3k%B#59V#h zBGkIF@hH9Q?WVKj_7^ODo(8Z5Xwd6+uWjn;>Zxo=O`>^VDy8vvfRbL9q(<@n`t}_b zKndVNNYJ_YaBD`C7d9Z*(^Om8BThk1Y>c)?84{qYSj);5uQV&gj-#g!G`OZ;DtN=u zZCcgTnc^fuMKnuZ`@Q53`9w@Xf;MJ$#IrmAd0F}iF17pHeg%(ST+)`4SdWgibu+T- zLGLIV_a{>uVAx}@zVt4yIZpa>I6`|xPh}B&_u~tVv%kzg>g`otPcz;>F&tY19{r&s4XYT0tM(xT%3iW$_ zQ_S$^A3#IpGL~o!uI4?taWfnz<9-q#hC#=QxhsJLnmF&F6#aiQX%YqB;aL0?RM=dj zShZ*kXFUCK>~gCWpw%&$ZJO;m1n<@yLH9)urp8YT)S)C=#!?rtz(2Ld>3>stcjo%N zz8lY%xQWh%ZC-@Mhop-497VW0HKoEITUR$-q5;Xa>yH&gxkWfR2p2}Yc0`QdiPnHR z2njWGz|G5&$%WgPeM#m-uCEMjhb~^{V!(4(#j2)(Je?>+*t_<~Q8O~WMt(8TZR_|M z3{1@WpW7=Lf*ibF--95|atH4AJUm(#p4%oSt=1l{b`xUkg6amEs^^|D-hSyH6#?ZY z))v1Oe(x65zYIzI)6?;DFNWF@_(X;~S2OT$YJzHeALL}iR&8lxbj8u+5nEchoY=12 zSAqd@5lddZUUp8MU2WS=A4LMZR%CL!A^K;YtvZB)K9)8%W*!dJjf2I*aI2TodaSeM z>Z`l+Yd`%hMjG-uT{>HuT1s2S+neyw5Pk%4E-g?uuqYA%45Eh34>^Wdi(1#y-U~%t z$CWguL>dRz@3M?&z`xVoeoiIIDu{(Y@0)6!$hO$6D=$W$xKfNvJkq|I`B>%F6E)BtEI`9f_6uc^OZ0 z{rDlK)IZ*4u4>8SBYX2IUzJ0|Xa!jLoUks|{VMBv%Q`zl7F%1(WQ>O9@~)$S{6U(^ z?D*t@*)<)FWw0+IuEw3|JV7kQ?Je!??L2%un)>jD$M^gDDT9+a-Za?2kH)~eGf-zo zPgBRZhK}L68*r+I#6er2MerTRhluKabS}#yJQ6hD=n+b>imtp@+F=%#_?1+_!hKpOP`L%i{Xw&rtI|jd3uD`n>(7wPCCV<$%#oAAAmWzxtk-)BbLj`_wo131lnpu^Va)3 
zY8kb>*8;AYU5!a$MP&R-KBo(1S%dL2tR9!P9Isqxv9T!n*;AH}8@NObhVeHBj^@@f zmbAyb0)owivBW7`2kXrhy(OjW4S&)AFSG1tUvNqCz{hAnOBCn*kR8X5gdxsV0HGB% zW8+^T87l<-NDi1u>^QLnf&p*+ZzDT_|Kg23DENOh`n}Ze+{%(`i)Ri9C#`0 zfrF;qd=HJFNMyv56pZ$vHo_RgPdTE?T!8@=P8N($+jWgx?PC$v89r*adbHhnqQcz> zFC4lZlQFm1>%=^#(4sUDZh^j@ksE(Lrzm2aNPaDsFMRN)M7bshXFFS`D;ry<%GMu# z@x;imfduM<-BteRWD>6=7E5NWEv>;r$Ds!nt-3eG2-A3VM1pl?+D^8tZuXq2y84do zF3C3YM7l4UzP^5Q zJ0z{0z3-fngeX^k6z9`mt@oD8!biNm8tOiVlaSb_&#FJ5xI!4ocUu_g%@)JQgJBs&NAtG zJ3Kg_KQf`K>>+5VB85VtU|~@izAyDlIMS2wsjBK76QDP9cQ|5n zR5CL)>}JZY6?j-xRVC^2cKRK6?ZbbaXXtp>D=uGbc4LDL0L6WMeYGtu<>g)AqN1jf zk__RM%$($MY>eK)0kNRc=F*l!=l-|VKhs;nJi{@iN(d{jSLy|)b&3%EPiQw<-K+ilZF5b9uf z%Hyh{XM{$;^?e5Ifdun02iU1`luyDpVq#`9MrYeb6WWe{#kj>2Wm4;L7chX`s=C*N zq&b&R+c$w~4wbG!nuc-LQyiv-=|rD56{O=w_hkU~e&Iy@Rh{;nx$w|mrxk^P?_|3B zjfV|AS+qRwc%Z>?OiWA`jQ5u7n|csY(MZM^UYGN8!brp8o4*1-gNr}gK#Ipmn+S7j z?RP~cERSflYkDf0oBR3(E8at4Ky0hto>@BwA*B-Ygqy zOB+iY1@jn&@8xV2%O!NU)lN@gRGCAqR}jlrVUV^!^ZCz7#If{TqHgYFr2gmk$Mn0={L*9(w2^^7arE)_wqeJLoFUT5WG#o z)`8mF+PYmox{<5XfbiMC-27l^7_$GWq$RUl<)za9@G^InqesL1@!O5u7?!V#d4jKeeG^{VE3a-=-oTy#eZn_-QSA6R0vyBO{r{E2TXm9+u7wv%5W_RPKbhZM4`-B|GPzdpb)zW_xqMxwMx2e88Q%I;? 
z3waf*+5|X?;6}gveY^L}yGqt&&6mef-u&VCrDWJn_|Nd$&cCa`dkZh~;#x&-S&v+w z3|oYta%|%#*gLnhYkz*+&~iTZNjw&&=p&Qtvi&} z&RgVAKj?O%VycGJcHps|h3)>?f51h0k0w3Sv<}&ADT!#+ zzq&l+N+MnUOr6pMIaKYu?b5mW(yo@Q-<_1CtgSC&vGwmCK_+|qgPTe%9T}AYg+=bC z4Gr>F-3F-Ed22>`ddtNY)?1Xtus?I``(xO{3ncnHtkE;l_6tiA6V^wfsv!QGOE}-z!KmkvmwX|R+$<=) zmzE@^Aidb^9)s=8>EY(teS9ALkrFdmR@NGGyRZOjFB$!Ie$l*4K)_RW`R=>asF-`) zCT3!)s%>D&&H2b&SB(Fn977g}nD(%f6K`b+tJgpZHSZBQq9ZQHV0;z+h&L+lvL>TkAAz5n6Uzykk|g zAi)(EFzfjF)gujZe6_VyR<^7fay#AZlresPth%~Y{`+-bqk%SsqHN=6`>;m4FN2n1 zLwwSs7G^MYtVWgXW&06>}q8|`ue#dQSzk>H4SAh-csSp=@M@$_UR z!)$No&CE!D*z9rryYJ)Tur8Pi3LWIb?Mm6)L1p}=Ivq=6#FkCyx)lsv8=nZvnol0J=mF2nd`enEGB;{CHz~`=-NMmmLT~ru6%-hT$jZ&Pl1ne>K8O-Z zi5yBP+Km5CfeL7g++IhjO%l1a2;zP#KTAhIRe-qh5Bjs8SPbj-K1st<+!8MQjA zQLu+SZpSX;u=sHur9MvUXF}}khnhL0T_I?FzJEhwS5qk{rf;cPNG7S7{OwePIeN*p{_Z9aNa2)<^v9k>p`j zpL@Sgh1K=;?D&OtQMrt#8<4|={rwY)HPQ!$Ct`i8xX1U5X`E@GXBS@qo)~djni-!&db}J>_0qye%OfoQ2chO^HzYu!!TJxM z&27KBoDz*sRFoQX-jf_R42KAr56GDkhjE^#k$+)lr?IBBv3TVOhc5-CVeB)_@4eIK z+2Yg4jk5&a%p3ZY8BW`M6rOa>UD%NZY&SESy?-NRKd|aCl^jds(wG$0CHW?MCX-ht zgKl4cL{?v8q`cBe^ed*|Vx?|J6+@;BSEl z`JC__cjd`3k@4Rn`*Z?=Inh53wz??3TtebaI;aV_(H&D~;i>Uhq#p&pomLl7>oUoiM(^)$mlQ%3zlG>mo*8h0134SM-Nm{KN*JG$Y&6+lEk8U3ov8X|8jYwlng^#KXE?P3NNJ7FntMl`Dj?I3 zzYx9gcF#Us3j3d(j*OAUE3 zBee1vy)i|$(XHS1Kz^^(zs)6=i;69~s`& z`hPVWVrCs6vX2E%`#>v7SYw}yqV>4jOZ~>3m&RVI7+_9>WM%xcuVKe|nqi?9Hj-O= zR$VIPaO8Wn^n5}Q;NqMeXMd3YeO#U4kdNpNY{ZAY9#x?}(HezV1GIr-Dd>gCOje@h zX{kAC{XUHmbI5Bs6pLT$$&e$l>Cmty1KH&Fi(Y0{CS-M{hF3c2qctAWRtQ5yD; z&lCZ;P$bg+70rZIw0MX+1XW@%-J7;&n?$*o4ut51=+eYoxyq@S(i>>YD|ZMqdN|s& z^)xk=lp_Y+e!)LEA>t*hNI0(+npY=EOJNC~v77>PF?Ot^jF#<<+`%n!DdxIrG2b&| zomU6!+32@^y+wUu7Qx*8+qrLAQ8q`W#*`i-{r$||9-Fnbtu6H3W4PY=%xCmZ%hK{* zr|(uKG4eiH>Jw$<5LF1L5lm4?QalDwo4gI>fh7ix**UHQ>d z_}Yd5zI>YaXQMeS4kDoMYZ%-|Hr-34LUKzYZW=Jg)7TsZ<>@Og6Xm{pwE-tr~d5XK$_ghqjxBPFC8xmz3pOD47HBp0fm+zIol+nUQmWu=?(eJ&wkyC?Ab^Zbor zcdj8KP!hA<>}a0(fq*&D8LvoRE|@UrCrU~ZtgJ8^sMcLP9PnQSn1cKo6F4_W6lZ}9 
zsnmyrFAi6~{OT--*$`|yBrwe$5ycEARa5-3N*Ht%PCxi1j+IAw?NivxjGaExUezLKJqL29ka*328pw8As1oH>DN zvbuaMwd!cO)j}as%hl2+dX?53d;+hD^|m+w`(Yc5CT?PHhJ3PHWJ-<+OVf$rj0Ix5 zqy#~7<99##A#SZ*4x)#$=B1%_jt}I}M3bjUVU7!=7 z3(cSPEY+YKI3AAE+-f|=;-d`=X7d9pYDV+Xn7YUn%{RQ5V12-3ekquT;VX)Lc< zDcmTE`s+lDNYZI9Ug(g-RGtil(F5(L(d(5nr-P-C9%b|kKm}T#Ri7#)OtVRvlGHUe ze)&@4Mn4CHh({YgFt|ty+j-ihM{6~l#!Uz~j>9!;M1RZCveShpv0P&uGVqbWManbBZCtl_gc|OF^sDHkOLRYY5fpP z>(JXY*#*spLCqnt-<#@PSML$+##JoNs^<-oXFRxKq**zL5ZirZz+QBv2jdUZfxk~N zAHbtoHReD&p(rz)`V*u%RX90CrYx)jK5FcJeD|~9QLFA??x=HVnCajFFA!A8Nbd^y zjL84!u?#L_u^St-zdH2uNvWdVbPZ9hkLBQzB_zqK(_-z*TC|B+W6s`d>{GF#jUa`^ z3%1)|DYzI>i(Hi`%9#zw)!d#_wdQJnAg+x4Wl!D{qwS`lcDT0Ry8? zg1fn!UFSf|bxT;Oko@|=2cPT7VDdDo|5cnP7MQ6bYOMAB28}gs1#nRqeC^G&2k*I} zy6b7)Y=j7rg!AJ?9ChqzcfJr}4knK&Pg{9$7AUi~^iVHQKarIZZOFY@L5NzC?~?!g zP-IqcyL!xsAeEz%2kwm8g{bY;phZ|8=nJTrl0dS|QA4&aR0RZ$B*0KBT7 zjZ^>GaF1+YrhT-}K*0ef!{l$jrvT=F9tTBcV2K1xPPbiq&lU$SUxx>aoRRAAVh>d< z%{R}dNtOUs2)?n3F5QEc2ZeU+5i-7V`%EoT`YEnMxITEpzljv)=v>DAuxGXH7Yu0> zac9}O9;DGCnV;C;5S~LHakvHn_YF_%{w7pc;v!t86ni2?^e-b z3T{g~cJ2O~r0Lmf4A^oO1CsZ93P$wS{f<4qYJ0j>Wb8xmH0pj5w-y;xYjPI%P!G|e zsLZ`RSSH(HJU2YcgmAW=lW0X1+@kAB#7ibD9&pX(n86Dsngac=p26P`kFkH^QD%#e z`J#+DRbwy@FKm%l)DrKuZXvuDW91KP12fg-FqgqOwL~+8pSU4-D{NAy-!YLCMqnX$ z2{KWsRcIn7aMX)%AR;>tZZX+$g8`#~0;pJW^XPK?WP!v{xSX@PhjulwLHj?H4hL&m zbfp}h5MdSx>%0{^@Xn2)D5DWs(dYRX%4`oyP9%XMW~Y+hqxdK>`Zc-AP*d$8XAHjC zoMSQ9 zRQgb58Hq4<6=n|rx#0XO@{V>E1}nOdO+^y>7VmURYbw>CtxDO`RpD_fOXh3&iMExI ztJ0jA^TVX`0=fCaXKfFx9+l|55G6sKg zLwFCf=0<4jlUA>O`Wz(jXcb0Zn#lg6fualf-r_1}M0O868)TuaoayNx=~!lT;x<0z zFJxMl?ScvIuG7Nk9O$Ep&u+(Eh^7IrxVvwOM9MY7vst9&!O67ZRd<^ zb7J~wC+omzN!~&q;FauJ@AsGrM?G1%JIH_D&6h;OX*r=<+;0wufGwBPsSHRc^dQBu zr#0-0L$sxnX?CWOD+ff-3+1S2a)jH|%AhTyfHJF-#q@JN_-I|<42D?uXo3IdqHWvC z$hYrO!I?Aoe2&k0+t~Zj_$|<|9f$?&U*sQ}KJ(VQpR=tb&W!=KAUp^{4;Tr)iXH|G83+FY{h&yurqF<7xIB_3S3%_+Bc>cGA^ zfLKL%%9MuOW{j#G6I|D2y_@rlRM^+Z)NeVo8acWS_7zEdxeM4->?`Uy)pYiD)fU9F z7;*8_DB&6evG0V>;`lQ>WT4V=e;t^LSC>nGkXv`af!`rWRyFYgU$7-#Qe^ZQ{nN%n 
zF~xy@1eW6;)kIg(p~$v?%Q1>DOLi=44`oF<4M4kM#uF=J@R7+lr8M=8G&P`Ei<_l- zJ)duwDG*8A=l3{CG!BUa)g%T2TpO?XN(J^1`iw-d(L$>xQ?}*-%JP9L66{km$>|d+ zw2=Kmd|K{lLShGq!R*bSq1mZ**!d*=qsV&^e!)W#3(#0 zvV*(q)P-mF38Jto9Y*VpM)&H{!OCW5%G3$-rFoi}<~B~b9Sk=o;6xQUL0Hal#<56Q zH|>g+RS)?{;@ldN$#j`Pz_L%6J}os{OyGgGkRdYKmf%Dl*IDC{m_0gOX+qio!`#uT z@0Td?rR#{0xSjGZB3neu0=Jys`2Td{h8dqZ={1EFPYMo|*(|xOfBXo|LG0Heg3~L< zs2yG7NZ&LOax%>nZ839N=QR(OQO3d?U3cmX(Tx#O7!rAnU_-1wM3iAeTx31J94O9q z3Th@A;`NJj@RBC^m7=b7fcuk=ay2dIT?=AXp?27fV5E{myv&jz@HdqH^2wIn8(-BXU z62_0DOwg>dJ0A0&H-&!>`JVF3y_YTgG?O+MZ<|3YL;?Y9;f15$LU(O~a|aQxL+kgl zdp;QgGIy?y9)ES9Fh|n4z@~KJ$d~edKewj2IWz_I2QMVx7$G9G!O7;u$!tI{`Hsb^ zfWx>cE=B_%Sp)<|ubb@89T_eO-8|2+MU!^JoxhHk?B0!26|UBd$N2QRW&+1ig*Zqo zEgOk2$cK2XhCxr|(kh-kv<9{l1|L+dmMs+aP6r-&-Qu_q<1RXQw9c(q80z$t{2uDj zK}15hH7v|#G5k_Cmq=pO$?F7oMO!P^kU=em^OtUhu*Y7N>xlOfoW`KZ<4*#r5wf20_; zCT%k~MzgU0JDu9mGHNI&y3fzj5be=kYT8Jf%3f-nvTROSdQdyZ-}AM}ZxsF=Qt(0h z+WsDK;|@EGdGW_qLLi>SE|{Z_$uyVoS0%OIy9@8{q4PF_zHXvIkq+Ab{04bn1D18Ez0`zAz)Cf8!}QaWw0Ao& z-`sW8kFh@n8m98;KV3^~vYL20jv#p1j|BPwS)Vb&j9rF|(EFIzxXy(_z-P5{05e=P zA{IB}5Mz7I58JX{y}6gKB>Q!P&Tza0|6Oy5P4d74dxyS_e=}h?G=A$0AE$Qbs@ZGH z!x#e@!P#9qdxaMs-wK`Iy7Wy>npg8RO0^zKj{e`q?ZA*YDHijoU6?51X#TA2hSGlZ z@$*z_kvrQnZo%mP+gO>!G7tGMf5$$5rMb!!y)u51YU>e-@lq)N6SycYR7dn*fv}<9 zc3fV5vz&`@t#vPmp^baVcIm zDw<|EmAI&Vx6HmPXCZDn(FfL`FaEMQ<}fcB`py%bHPn)a6HK;Vy_V99p^D+A!bn*s z4OjkQ8fNOZHlu3E1`|T*ea6C%50+E7UL72NdR>Odpu6WQbox#>Q;-#Q*>(^do#k(0 zMWyC<^Du1-P6w8_Oc~^Xrl5I3T;!m;kIC2RIL>^u7Gco-;a~J>OUQTqHH(BnD-)fP zoQVgf%jc zE0;3FhAsu@G2vA#v*t1aomlXlfI8fIsn@yzMP{~)i1PmncjkxhGX zd z`s(szDLlq94yh1fOfXofPD_;+&X6-H!=%raDYeUSz^!FrNU;m8!a3a5h%c0pVPxS3 zd`EyT&)sUufAAogf(Ks4P5Qag8TOeQyR8SFmf!cw5Wj(KG% zkOIqG3XNlkgVArw6UrU9%O`mTSh|Sd#_C`d zS-c_i0C#k3mO_rv2+7F_))Y{z!kQH+Wb}t)-+zbu1Cqw7NIAEwvIQ%HVdCB$iO7`E zHRaR^={X_J;%tYHA%ToGVmyxje+_~s{Oip!AiSG`#Jfe}vKfsm@_@|Hwc{r4FA8}3 zt~|+dgx_isvkciCgW0~tydKTqPEB_Nhhv%*-zx%=y~%4X4i-O^1Q7!~eEwmR_* zp1C03aNbGD)rW<;>zm|9R4GlV#S6lXmO#-oNC0A4xc6D+RDs3S5@9YRjx 
z0t2=fQwMbxg?x{M{l7MwRzpthMv#A{%nxO`0*nBnu0q>Zy@VPq*mDR~ zGx^3u16F{-O#x=)eG(kDz$H#<04E5Y2v?$c6iGx{he4|Jn`fdD2AfpW2wo!)me7hn zF(jtjd`&ty6E?s1)-O^kKcA&+8J7QdejB|b#@6VBriGVDScce>jglgcdg6#*siZBD=tCQb^6_qBj?iqRfO zCo{xLi7vIW5p9q){ptd|k3!M1ZYxin0SXg-9juLfF5;SL%6TJ|!3w85pY9>DvHuLG zKcT}<%v0JyY~faSp(;MY*@%2hI4LQ@HvNhX@4D(j(x$tHVKOvIOPUJCNtNfpjYbHS z;N`MFv=&Z|8{O|vm13DA4jXjItsT7{2B8WiYmwklZa{yJ|dheMvNdpZ~ zZDXG>jt8E`S;8FUhxS1lhYkk`1Uw~hjgr!>1G`PIz%t}Pr=b++NY|a2gFM%S_``3X zlyfAxs0J^nQVY>TDc9CQ)QTIsv)IZ0ihi2gm2*JO2}AjkTV0Jf?e9N+CD z4L_@cTg2XC&|#E4)z-Vq#t=%mYR|hVl)H1C?i@#wr`G{PhsHl_u*iUBR3c8*ENxVr z9|pK(;vn!AbQx=d4s26w3wK9QUJ5<^8i^5r$s)Km|HUtGoowmE1Gj4RkcAhVJ!0x+ zy1n)?iTTy?jD04P|5YnV(x-CHa{{I=+mw0Ao&#-tGJ8^p=5H`k5E}~|1(jd6yuI_6 zxb-5yqF@cB)2#!JW)pxW>Q4e}7%~sPhlOqmjjoo)>3UokmYa)etQ1k>knThOc+Y%nbW()!TOrb)vbJ9itdgc90e7!xOvFhl8#u88|* zJl-<68TKtq0E;~x7?;Unq$W{&JDwq`q>-1N?W%1HQOH6>$OJs|tYe_zZ*&FFsrD7c znk|ys-z4nGIDMy-@Lyq%lz6y?qm|A-M_Z_EwAMT9sk4gEo#n@DWTC|esEZQG2F2C= zwU}`bs&qdIcGo5@{OgEcyS&#So(@$LZ_LIf8bIJg+2>Lz4jItKimE(VB#ZJSqWn8t zM;uhX<2B_|5f_5cwEBg*gX?c_@84D)U<$EW&7#ur}`)cq<2EG6)N3lV#p98k+1$WzM?(M8dRWQeLp-zPu$v%s}5Y8o5aZu6dL zVY@eZA>Pg35sF?SgB-N~+?aGiJhW3NFZoPbn$LD@;lX?35oOs^M7r#$HzAX<4#yz6 zug%XxOCP5F5DPLVROoeu+_>t#9TkszSkJlUxd0J1%d+zqdHq&Y8q1YEqR0mWq@)}$ zJL7d}qlB47PzdO2SR}AP4*v!YRJm#0?Gs1L7A}y!oZ?_=<`Wjc{ zDF>FM?mzOCbRJ7*o`L_~Gf>D@hme@f`$lKM z>D-m#HrOe#X~u2riYAkwRj3Mff7!LfA$)&kw0Su38e;sgdAky2*JntBPcD9>Sy!M- z=RJ5B_91}ecN0O6xHgB73Q|+}s>hinE^FB zFUWgH%>Su|y-kUM8by6Y{}j_@=iHg}3KW9!=kkWtBwlt7_=nKRhb}PN&y*eO!o)fI zhMUlxVWOpS%srVG%q<)Z0K#QkWb6fjR2|!r9pASO5-A<=nkpFol|1vjMr=wrEbEO1 zKNlvO^e#O-s*ua%6OWwvV}Wr*=j5QC?|?^X*mTOgYK2!M=j>YDT1#F%p4P)JK^bMt=Px)wl<<{q&}B56#vXQk zo8jn-t;R9;RCIhx&edI}Jul_dG*7QUXN%Uihb)GDP7LOB(5%<`Hd@=Kn42S}-0n`; z7zK7mk|&0x8jP2KK53!Mtn~+E#fxB2(SZ zCqYiqIaMaajj}%CGh%91Q0>v9*CB)cY^EEUKwrD+ zA~%&LthfJ>F)sDVD_UK72JbZt8V6NBCy__4hM>&Z)~ng7m5gMuI{v+mGPmfiGVV6} zba)vY6vt|0+M0c;qz^3I(`+r-7e`mQT)m z3Mpvk)dWAEhzGZ9(tpd|HX7^5DExHY^~C$JfK6~Efk_*E8}DOIfmBf>Ej2XAX3)8? 
z=;Gq+EU2Y@a0Q1$h0xko)_u9RNk6h^e=nMhVmlQig?E(=xP1_LENd%V%aKDxL-Ubi zGD}A);YEn<)eGHU-o(!Bx%6D)bC^3~aQoZ!aSb>>Do$O_ERUK_EZL`R9va`+Npckn zg&1lydwat@!x5g?2-(9h2CiJ9`0pcTv6yypfa{iQr}0U$e`n=XR#XN-Um*E^f)-nI zaSkUeY9jQ>PRv+5QTK$$*NBsHob zlfDPZ9KRzQzPe#tzg!CfX1Vbb4>9GOW#3E*?Gvj-D*2Wn--Apm-mwW^DI^vITPG|U z5sk5`g-?=^F%LB_++2vypr3-mW4sbaVy?ppBapWkf>08O0{$mu(s?7bc?SaS6+e|9 zMNLN?H7)Rvwe&P*f$0<^mE8;k7kOLPR;G^^C=mCCD32fI@561ocTh?+xCUj^*YOE* z^w!u%8G~Q(mys50mJ(3|NgctIkuR{N7zxb=SlsK8Qh)4u!Ds|Ck|@(Zcr`6*^jep^ z{@8eWG8bEKC#evmJMn{XV3VOxWr^3nbzc$aWUv}Z?7|OTdqQDph)0cVU!`WII)0z0gf%gDaJolao`PqN77N zNPv0pRm%wy1JDs5&*rfZX3XTovBrtr@!dhF2}l1+3!*EKc{?783;?;c6mRJF4!J9&+QR{yMKJmoo`)!dh%M{O{ZbNU6$!Dl$Vc@)ek&EN@Ez2 zu=VyvHRp8bu01KYbmhba*jKR*?3aLEGy~MzY-+nYtetSb4CjyS$qiE4Fv(|M746(G zC80Kq_TMsBwa-a>F~`=zmP)q>xXtO(lBbpE5=omPJhm1$z_2#dit$_{P5**Jn}%zC zkj8_p{3%Vg?#r5Xwh$eppn%~e7ni!w^>kh)yI$QNX*73>ucVAoEj!FwhUw7FbuQ;Smw)qwYZp{}q zvkRII2JOP%c-reRJmBPCS--ZmIaaoJ1$g>8+c(x%xw_at_9Y)YmtqAu%9df{mL-9+ z15;NfWeKOYvl8T?ua-Zv+H{o6F5Vrl91reGb(68rdhYF#-U2bDQ;4x5i?e;%p{)PSx4^)rmMdr12BQ+>b4=#G;z6bPTJF>TH7%{-qCYy2YmF#eC}C!2Zhf z@<17{mj2J<7<*P_g>fCS)QB2US5l} zt6{5k7~TjZ+G#Q~aW?0%FT2R`v#_;o>9p76BCNHtRxwR{I*O9{-j_{4$;B=#B!m?; zDCD0Z0yCVGsjIaa>HTK#DkR!~_UVwth8DP<78qyzos#hExMQ1>wZf|cZOWDoKBBmcIKQ)d=g?yl|GGR)Pn%Hl$KB^l~V&BHc74e_zp~ujF>@0~J zuNs%W*;_2si(;zSjB#EBxR%t{pO=^B+Aepl?qQC}hd6XT^sIsBdOZUu+t|PIu>(5@ zDy#?y4%@wtY<1<&+Ali!_;`iB3N>N?YSGB>I z>q~ms_(wKnj%Il4h%E6+2%$2$7|>fIemk5K{(-478C{`(NJ z*Sd;|ijor8*`}VBzB<)8tm$)`bl3O;575Z%J}FpVQm%Y`i4wF32=`FsIsO0BK8p0aN)7hffH43gSAW6aZ}S? zQ{L2S)$(HAO*0;gmc!>^?dyGg8dll!gCOPY>YRIn+6EX2HI%zHzhXeh*y;adeXxggGN#%P!wDK4&0hCgZ1-NoD}8BWJw3Plt*!NV#kOH! 
zkdaGxs<)&zMwnG=c=20b=j8Z2D5I&hAc&-$+bUb=vjCI#kU;EXxl-R0VESq~bwHAZ z03|i${CMf?rgu%i>2Aes8Y|M47S|%(daQ%9A(^Oc2ITP&rkcKZX(#c^+n%D35l3wE zZVb;NebI=7Pnf?(O0%L*?qSPQjnQUvUQ2tYXSLD%%$)PLQ8h*6B(bMzMXl%;qfMqEX~JQyhMaA@bLZ;e>q%l zPEHIf02+VQ6XyGtt{2DiS1rKzI0ulryuBT?o!J;l4|=%L^)_+w@H?yS;hWZ^u}O^I zc-q@p(^{-1lI>x!zJ96g0Da?JSa)-`b>dvBTf9h=6nc91Ayd=TXzQO7xBz|S7V$ee z281#$q&+EvJ_g5gbD!o@WAu6bSOdiCOuS9%YBnB5o{$!w2Yq0lsiqqTS1xrO-knX{ zy`A0tjlHU=|8+WF?Ir@JgSNMe@5b8(HDJW$d`hpXSx)=QBNza4y=!y*VCMdn&rQO} zFR6gW;&^34r&eEYN)GP!d}t=#1>PMZ8y{Ul{#rfKY{QVd?ZKIy;~85o?aR?|5bz15 zYmu9K#vxLr>~BT81$k!Row2;SS7z_VB^4yU2{-yLVScBFh^52k8Pen9r)pgtFJS8_74?jOix=U zozid5H zf8M4$P|oShk|EsvgEc#QgRm|`qq++vJ|;hwRS;vsh|9@pco9=7Ar7djWsQ#;S5N>e zDo==YN|X6tMh%hLmqCD-Nb~cH3p@+F+^M3mOhAHJRO$w90YNM1E8Xw=_2!sh&H8`d zN5y2fcPLx!U&GnCg>J?){rPx#Ayx$_E;)SP>}^ErB7R~K*<{Da%jvFOC5c+OsqbMa z3(jfnzg?!1y@+qe!Nt?4-6cP4#3`Y~qar`rc!Z6O)))%2_@wN|#ia+_$EeiSm$us4 z*=;8?34JB`P7h_Wnif7P#FAQw>vu#~EBij06dhfE?bvN|i*g$`$?SL8BW-QFd)TvI z!Lb-`=;debZuj^sYB#m2bI>|H%h`di38U8`b|L})R3c^X=El>++wQyZzVW^tbS`fp zVsBUOus)xqFw#~6R-Qz8Fd%Dja&|PUbD!MSf4L|4ZsOT;GBZCreg=3?>K;GO1qJ02 z@v`>+fy}0aqc+E?^~zXAaX`nzZzm{hk@IN8YaWgca8+oNxn0*3%!>1eb4$bBk0vTu z#r-Sbe{+Yo*3l&GgaCH~5aFz&U&e}7F5x*55mAPgUbU^j^;Fa!WuaG5S;^{V>ba>o zHC1i*{7wS0;YLNfWmRHG)zZ?|I$DBq^F5|ZPfst{j54vqaeD_sQSaSW>DnB!Tk>S) zNk5}L#YWCs^m{BA%6*<$1U-VOYWjQQ1Kt~^TldNbAi1NYFBhfO&&_%^5PRpGpO>Yj z^~aTk1>V9w9M(Mf6B%hdX8c zyy)h$^Gl{vUEG2*TOOspjjACTt`o@0E@J4|{ke$a>ErZJ{JAda1sO4kZgg4r>D6}` zQus4#yYg!0#HGcrC39+Am@Et|$@=Hl6{A8V?fTww@)bcwvgBLU<&}1JA&q~ETFkT) z_1Hg~s=xYi+aiAa{hY9f2ni05Z$#|GQ$iOO_5&`_K#1a}#bmFL!o}lj*jT{B1KZh3 z;|bB`W60BVTaBLTh)PvQqr+4Y%1f5Tf43$3~m(;k@eqc8* zo-i>Wc%0g!gav~$a}}(owFL25f3D>|Key>Cx_KjZaWW7izW8mFl&qvJ;A*Rx4X`k= z;swZs`7tAUd^0`{kGx`1%H5BmihTLxUfkz<2XJ_QKVP>C_;}b93OL`{+8TZ^d@d*< z=z3{4T%TVV?Nw^ZSbC~63Xz|YOds1#)4%d`R!oN0SC-__&`4X93a5J@5nfqYn4Vr) zaXXWv#BlQIP-JOm>Yaxet+uv;3d)}s07Tg~i6iCO_?TCzjOcN+wQu0}scC zjgX;uQUUkJ%bA(c*WQ`awbSPnYXq=#!DR@VU>(1})52tcYh^ndEU+mu{zi<(HtxHl 
zPBSKf#CpOP8ukZLesAQ(2zgUK@js?xwtk0Kux~*>bamxXs?cCEk|i@bjnzpQSrYZ- zylAS>R*TgzpSkc^@18mVisN@~>PhsiW|C<%FkLjzl|~235l3+>nm`OsVG=@d^sa&K zFo-7Z1K{BMr?7Bm74jN5I(iyQukpJcIl_W4n6HP$Gbb@@2b6l1e&Ul5y&R3zR!Q$l zqq?ev3hiRKuo}wX0;r@(Ed?%(tlZ??{G`QY4|i7C(o;1w<{G_Ujq!cah=n@>F5WAS zbq4U}%xdMG+G&XM2tC!zUW-~O)Wd_T_X=(_pEW`&Ac*3?jFhkx?OKHF)SQxi0ARe~ zfc5qk1v9^>y_1b+vU6AH~}~H4s!iO8iW8MW9pFL!>}o_JSUvYW0hzl#`-F zzm8W_thN(9Y~kYk%GxkU6l?+yS|@pl&->=Tvs6%LhzgT0%i@DZ;$UlQN6+%pwXwB) z`*Ip<9$;7eE0x`*x{9@|d~WUa`gLaT*u1``nlIkFi0G}gnIdcEnd8v5HPNw)Ooir5WN!=^)TGi2Zu%q(N@DqQ*?dA zObR`KvGN20-gjW30TUN>PV5ni+?IbqK(GDNCs0ric@>&`2oUf~i!4oZkqNU3O?UO- z6s;RN;zXPT(aX@inU5C{4k<-kjCkaxpVl%l zHs;Hek>Fi`Tm{i&1=>F@9!4@)g>kOn{Vv_50!?UPfMl{ z3DFYOb`pC)lb-(k8?B>j^P2or>Lg&bS{qJo^Nr2 zGzQhlSn1?%5wBx#SS7Db)(WZrZDMr2qqFJLF4{)>#yrX5Eu=VSU&AWBxafXiZ)I)g z|Irs;VdLg&JiUDwj#d0(Z= zgFWE6cjqBLW}^xOG>q0p>kRacKRsYQYe9UlteOh>FQB_xW zb7tmL^Y3)jw8+Qm1&PSju%n@ezTMg2vw80nsi42_mPT`aiGk;SRB>w<+50UH{3Ny5 z>C!svm5VFq^+>s@PdurWy_Gu?YwZ}0BN5x%R&o5K!2-?)m9jA2E#pPUbu#aUug5Rd zx1IEW(vGT~+ja-g`wdx@6pzrJn;i*U&F}ZiWV8(dkGlmV!{_ViJ~%V6h$oH!A#?v^ zJHiYVebR?l@Y+$lh@jguxVW;JAC=Vqv4H9q#RK^Cl&(~%@AnZ>>ZzSgW^Pubug z-0)MRQ}**bms?!3cDA&AR|Y-#9M255J9JjI%F&veqPSJ(1-wrAIJ}<*e4KQ(uW?^0 z|Cib}DX{Bda2yMbY&vvq;C!S>C;~#Xk1p_ky`pR6cC#Ot72$uqJ;=)=Av4t0^L#uM z6PNdYsWohy@tQq(2!9K54)An$dXM?o@_6xq`}nVe>KV!tyaM0ElM1yob=*D#e28b{ z$W>;=k*uwHJ-;n(Ja6e)JZ$gg2{^rG7|Lx!4K{&#YtWx81eV)k-B7?h_L3`lx`J-| zYa^-_Y8!AR??Lt`P`qaYiS2h0sok4n!3zJkoh8?^nrS& zp9cqpUiiE950+<3m2$E&v^`H<@+#?3qO6hAVs30OeyXwRx2WJ=PbkFYb~rW``(3Q; zyiP*Wiu*S>Uw^iDLzraNYrl@%QgLSgS)G2&SN*KmqbrnRSr9Fs4D zzX7R@0JG7{mXz0W<^BkC%&2j|@XBBoBV$m~^|f4l72SgQ!k-Gp)RfSW&t1BawY4lP zEn|d2?}3_z>uXy20BY`$3x;xc0$BzegeSjfYBq3HYIE#a>9pak9mj)8m%bLZ~tP19+F+f@Sb+gnbv9 z^2gBvfoQ6SvN#I?pYtdQpGUp9ve>EPF>igK44U(4d)$TW;q5hBs6##IlYsMp$o(r= zK~fgN2TzH^q+-Q!B6v?^KR?rPO^ur2`Y%8ycM;=g-h~CrU~+r3K6XeqKG-#SCpZcv z>B*s@CqFyKkd=YqrsXo?vjPiPLzWwND9>Y5Jk(9k)s%_>5j3MB29VNB4=JX&1dZl? 
zPX3}^(RN>H=wI7bu@96MDQzE zMyhG+XUA4O>$B?5tN(mR4KpPosxNsi?k^t0lh0b!*B-4da5tFHLvRX5+AZ_*-_!AVIrs- z>ggaqzm<%_eoG21%D1no9^#>r8r^$<^oRMlGT`Xz7=($PAZlu+KfXfjFhj}HxV=%_ z{G29q4UX?e&-)=|IukXQF=4~9Dz*3ux$ieGDks@UU&S%>wgI8-pRf8`zyj@~-Yp$i4ok8%to%%#d$Mad^o&i-u1u44VEmYx{6;%6UkOHUMKS=J^< z0I(kM%rsOQG`%?q-@Zm7?V*Yi(^o138hNodfm&Oe2sFPJr>5?mOSqbPxltu1`JMkz zOjTZ7q}BYR^ZnMdFZJCBAJ^{HMT_V1ow5dP*02;o-uTdkU@;;QU};TNf)Krf=H2Vx zg?u9Zh(`Y9t)eBQZsO(y0S7rmSd#sAzR^-`ATYHW?MfQgh%mnU1BsM|7}d*6R;FKr z_Yb?WkKVbOAjW;`otmv;>X(9qBssgS=Q`wth(~6_XF)tq^e}S&)vXhDt&H*(b{B@n zkQ9YU=LWi(amBjm^xmD(aMPu7AH7Geu=3GQggNUr>|EmelMC{XG3gAi0ID7sJ7YG* zFHpYz$j++yL3*A*GSKWc8lF(XP*QOIwueUK%)f4chrtu5@_wqp@NG7ngZNM@9!g^g z0q2T#C-)7vER>8Qn6#(XI#jIYru58BJe$R=@DbZBEOaywq@$9>x4@U0;`2rOa!pr8~p2Oq94~iD}#fSIh%9)ahmTIjv6JS@+Vb; zeGeH-7?c^4Ac=(xGcp_+N}u5plurhwlN}uFH`C~k1yoe>>QoN!Y0z~*qe>CKc__%!aju~tA;^SkWI)xy7aLB z8qN>0WiBp;<^|(_!`uGTl;7Wqu2)Y0E8zk&yb!TPT*|E1y!{)N))J8=l(`JUoO<7I zaOfg5g_2sdI}de`0IsyXO4uY-l%(Ltk3^#;GwxoIQ_|lQogX} z)zCh^EBF=yKSU{->_a8lQu=ehK-m&0%xPh)7-9G-pu0aBLmi6w8h!?YX?F@R`Ylje z7OuWnh({NHjhfXXL>5S1MH0xla5wM%Y8Sma#F&yBHN$|7%t8=V&33ZEp;^~UWsRBL zV5?P3a_-*ygSTh7NA8>Hgnfsg%a6bCX2v%&91wkn)MLi(ZY_I4*KA#~-L!yiD<4Gc zI!g(RtZMNU7SVM#3$lq0t{%1KqBfeQvPqn8+-rpR6?}Fmqa?m;M@ijlpwV2xJ4MtC z6)*=Uw=N->XaCzcMH_w#C~+MPqNtluz250YT~)cz|^$2`T^GJHEgRI zhp?6e_>Addds|eOtjKh1ZCKy0rSO!^QI@$%;x0a=W#`C2>C9rRIukUdadUQKXE)Z5 z+Dpa}J&G$^k%7N904LLsa|ePb>x7Yao~O)B6s`8Jpzifb%&sUb#|OymwW8lPjc`me z7;?w={?6> zt}h$l=y^oB;qZxinFL;wCp?4#O<163gK@MwJ7tqm72yxz=D?1F+4AW%(kC$NK9a9k ztbN!Ku`TZ8Uj{80^Oev0@#K;1XnAz!JdcWeM`9=VE??@IBSN+V7l%a5P%}88Kt|lX zrHELP^qZxJBpFDyjXE-g}n43)ygImz*XhT0ETOiv_26N(1l#>Iy2068u|TV|_thIuko3)u5kbkmi$&O4!lcg?!or1S z=~+;)gR2584#$lk2qwHr70k$HI}P{HW|9nU!`j|U%_|Ygqj%k{?Zd?H4r4cy3q2d< z5kz`nMP`Oc9kwN0R9CQYS&?fi-Ds!=W}?}die>TTnTMco(aci+kqsfJ+tpcvguBCF z9ZS`vnom`ql-}ybb#XYGDybqj{oMrv>+5Oj69S;a zF1rSuX4MBVGo6~<^GsTm%UmH7P#ILKGE^#B&B)WW+b#UI;T-DaD}lW3F<>H8H?+p# z#�G5GxDBQuUu=wm2(D%X7=$YD&+cg>m?TwU?!{g6_WH5zsf#XVD>Xi)4StS?!)M 
zGv5-pk)4gb`EA{_ok;F~(qjSq9kJv-sQ=Xn`WI}X-M664?{_$(^~rlYd4J)7zE?pAK3&;gG>qk@SH(`t&xo3guU$K_Vh7ZK! zo=S+s*5Ll3StF6UU!TTeuzdB)$OPYo#^axMWEM9sw;LTFawSHyLXrd;@ zIF*rO@*faTkq*t6A4HQHrZop;w*5?_TKM1@+@ENTwJCydY;vi z$~I~^ek_(vS^lYOGXTI-a{x7NVA#XVM3o(@_!&w7mDZM(W3Pjd&-;gn;rosAx8#g>7w#261sNe(hpb{R4$|o!{%)jN9sGETmtd3)u zzw6tpZdLmJm7om=9ro%Yq+HN#rmsY2Kre!kZh6U{ecZo3q zM}uYw{#wUn2oN+w{2Q8CLpy2YTu%6OJ`g8Jzsv)YdY8u zY4wB_Or=mA1-o&KmeqT&!a9(+qiU0vm6K`Dq|##aOQ_>E6+Qe-?BRvQQ^dJ3 z9g@1!pi$%JRQIWpzj@^79=+dBynu-m4hmUfY2=&3FF@=X*^el?q-jgN?nA6zW%?w7 zggO%@!4o??`mR3|6DMQX7>z&J^M_9l0zG7EDhrq5A;m)~G{_T5WkhQ7nL17;!4xP# zS^oU?S-W=`P|dhCDO09Hoz@+Acu!aJd%BCHWl!kTw9QQAW`h zm5l*qNuV3kV@iTl1y@_$&Po&=+K3G3P7oAYR?G#pXuXhZnLm&>t+%-p>ZoQCL#8+M z3#X%WDck2_YogglZ9yTK8*T@!3>tgGt<^8)QpLAMt`Ez~WA*dCnySgb48km*96jWK zmE>lr5;IndJ%w0R!y*f_=9XV!LSQ`5L+tIPcC6*xTYoxf4#jiVH=oVxG5bC-w8)`f$jE7l(bj4z2rWeYZ6S}>&=4m2U#+Bb7;$+hd%sr`hg+;qKL>_T?# zcJ`YfVzhro;U-2=%Tg-pyTF#si;!iMBwLJL79$AI94H}}n?R$DJ^s*7;zy}PW7cp? zvOHr{S_dWJp^@#0WA&&T%EzcGnlGqRC%zxo!kzx9p?Vur1QZ1?G^kbvJyMZ__l2+e z9|s#UQO#$F8mcM1zMHuHb7lHi+A1?tsdqDvO!N41x2#pVlPRbBj~&`cme*yuJxw4> zh+wn(^7JQO-L_5_DBVt7@2z0{{b-Y7$A&Onna#MM@#+w<0u>m+Z}_%H1qougtFg#z zK66Dx6O-24tOgBqcZ zXE#XCn<{#wXkrw&Q}snLB2|wOQ@%_#wf5BC#RzM5XrSq}lt=q!8()kDn7b`)n{{2o zp=c{7-&F4+m&tJt#r$|J|9MJ$sbLLzR*6&#_0(~!4jJrLWXiy`=H7>o3R`9d>yCz; z^7F{dh#MK@W_<;jc)eF-fnCO&z>G+Mo|8k~c!hfLQ`ldzk`yZh>?)5K@dh`mCf#l> zQHn|O)g>{j5&9w_cIJ??Tl^p0-3!j)A)gsDgVv#-eyQ;jXrYMr`8M-FNjG1{b0a5d z!!8e^j>dvjGR)=Bf7To8?97O#Nj4AdI<@1x0vy3+O>4!d!S<01+z_J+EQERb_ed6| zT;22>78G~*6YBl>>&#Rc-6iABUL);{U=fX22G3d`o=gc4yyJBEH6ceC5iwz0-hyCD z#Qak$c(mu!JvcgtAx)0Ri2n@t{m)3s=x~)p4F^>N_Ct3aGRGZ%({JrB;O=sRF({qA z<{lnU{rZ=Z&xl_C_ik3D9kjC;B^=<=8+EH>@GzJgJ#>o_q(a20eN*h4)#KgMEUzx7 zGq$F1#Wa5s?D6|J>gKa~>f{P2biQb#j18OjO$BD+a147OWx&$^BhaeP3=t@Ub5}qJ z!Bk!Q1f4PDE6fIx4$s5yrnKsY-jtNL;ul`VQ0}H2AFW%(=~>1kaafh4n6djMoe8C8 zRGT?AaR=n=)-h`va~i8}jp(SuGQO_^51hkfx-krA#J7WGdx)zhjud)C1jQ02SW>?R 
zVwX6qescQ3&lCF-Y(!)~`~SI?Ty=!u8eaC}9ANTQ79-wa4;x6p-u(_U^pbSzjGLO&SL>?+cra1@S5JUgl-KD+a?E*>H)WhaxDr z71Hm(2`Iw!(jhg$_b{Mq&_5cND-YP-pY$BZR*5%FzClB5-FsSxv5|re|yqEeh}#cAC~h!egKfo35EW@Hb+UD)W*PX+%59IyAVtt2>-EE^W*W5*qsnI zOB`%<_&?rDZ2gX-rlG&E?ECRLq#f!Xk4uV2m1Nckn3MsC)ajVl2+1U_o2BEVnf7ntnNo-)do#n}82daz=; z%cX6=EHCYOMI5pt*<>cotuuJ9LViNye zU+r=|&9a~6y=a@7J1y0waU$b&{V8hB?}q9IHVaRLPl#t7kh|l*H`kSeAD$q0#Gn`w z3FY8jvWt4J*z}0b0!{TOrZk*zB}F%87Px^(&5;E7ozTnBEBa7!D5`|ZZE=C z;+_3AXw4(UaatSyXD1*{&9L85;OQuG`#*&YnChV!ml8M!s#qv5?Mu*TV4A2jOyO=x ziz`l3vdsZ|#8a3+RiMvb>l>n_^s5oKyCT9;sUe}8SH@(id`(c_|#nsCZr znS#*|6Po*tb8C*cyqZu9TaRfK-K2xvUnt_!r^Nb~dNyN?CnPL0D*emGSremc*|Jz_ zIGMsT43T4ugMJ-Jsf^WsF21mhXg_p8P|Xp(RZ-8Ry9wCn@RF_g$X@c=6Ppuj8d`{S zIg+iq6#3^(8;oIH@9s^D1iV%Ou@v@E&cqJNPYz6PO8$1^6wTE3uQl_bYOZ#wiqYHG zm@r>xal?#qY$GsI6sg4egBfv=ou-u7DS@8MiO6tYNbwvDN{&;PffsKBc{yaipK?T= zx&*y%e=Pk`OG&FAj(vfiV$sUNDR7ChU}sx8{`#yNd+w^t+6 z&P0qGRvXrZl3?U0NOzW~x8_Y+{w>(H2%4(3qa*7&t%cgl)a&O0w_{~%$gg>INEz9# z3ep6A6fBP=7+&@gBHT=k&_;?HMy)-#pP^nic-@wdnPy~xzRQ0PS4xYk%ox5Cb{`cU zw_baaojpBLo;j`sS%hu;TiDAaJ_b~6g$wV|=bXGucSA%L|2Mg%GjEz_2A&Gv%MgOS ztk25Q)6%+xdG!mSs-S4(;+b32(Dnb%tDr?$hE{bXg;t&e8uziNntb$QfAck7a4pbQ zf6+`^4I9~CAvQE2<88jO>v{3xyq49FKj64e^MzJ}F&kAQRIe~CR$`~Ze3(@-c$kG? zIhGDH{1Agz%0d6xu{O5Etv0?EIW3rT6)9s^RM~U~pySI?0HdP?1($)@c_5 z{=2K!?i!rM@q?@H`vd6u{>34{`FZXS9cgevyrgVaffVIeZmX8)I?06b3^$6M?b?9XTZo)iL(r2>wmk@&ievQqV$K8Z zYTpME{Tk_%^=DN;>nJ$9ta(T0$HdvcWrl?#seJ_4Hd~g3czAxEYiMek8}fN|R)BT~ z%O7@_W{Zs%rSZJm=`h6@zAk%A<6Vy#Jfu!!=V&@8#KwIe2%4FCd|cX#Nq>eL!YHL`W4s?pTc94SOMjL{SF zE3axj51JJ6z3*+!%v{FH^;$sLj>Fj0)9-ZMTNuyg-7g(l7uLQX#$z)S@wpGqSnBY4 ztJt}bF1(64sJ*?7pJ1&{O9}mApgong>38?5-2J2L5%1$cMf~I6YuHL0RAOpab~+m> zs#3qn)idK}@t6hw%aGJiDQug4>Jv;ezV44bNAVMx&FUt$J@V$?+oYB$)oY~W7lbnED@0>TMwxpQVRdn2Mjt9!8 zgK|&OrAtaI7AOzc^z;o4Y-*7GuX_Y;PEIuKT~Uxx2Y5AV4ZrbqcAS@&kq{BKINgnI zZ9T3WJF91&9N*bMVcp~`whu{_R>*hin4G=EPu}06)Uq+ZA6I+$f8@Q+KBw((Z*M@@ z1tD-~4F4NQ^uL9D{z=zCEsJ}}LjjwM?*6WOzeVc<)>x!Cbp_TXi$pOYR^->XZ{U+? 
zp}t;`b+%OYc-$O!ubd8Uq>av!fec8oC-qxjx91C@qq7$MACu%&7Sc6?{X0w_kK6H> z*HhZ~xXG zO6I%In}m>{cxSO!4^?kaLet(Ax_*h6Sh`z3PcOk1Dk001M zDQ)x7SLY6R!`r-*v#)LOFZY>hK5&^7b}cLK7vbU9@ajA`I>=jHo!-HvfylK8*hHND)&t=Gn@NC?f+XaDUXPiW!l z;A3x7Sz?DN@p0$^gr}ctklW!_VKcSZ63|jB00cI%bAE($eVovdZGQBn8@BS-V**N8 za|PA+7Q=mNUvJM;f1$J=NYUBfq5AGAzen+I9k)9*Rn#AE^}zjaC>{BN;G3i|(4G_C zZ|_mxGK-9OdET z_q=WG{EP?jm^Gh_d*r!9>LT;J`|*eYuvdrGHQ7!Smpgb}u0?jKGE;bEMG_b{PQe~5T z%9?poBkiTA6zyINUuW>h)>b+A*F-w&{zB$Gg0l-!;*VEN(AC_HAw3fdH?l8S(~v~O zXS=ZWs(a%t;>*(dl$=`MnCR#COTSNF(Y@cpEc_n^CLiw6n5zfUuyowS*JtB}*#)>; z+sYT_xEmWAC2$A-4hJ8il-FyjCdVKl(cq~6N}V6CJ}ag{6gXAm!axZh#g8NYDy z5qvL5j9Px$lP2|h95eJc_BY>O0Gv05>dflB6yuR1q@{7W6Z@QJPD<}v%#A}>VX0aB zaR-pLYH{^c6vb4-=T~uiK2RIK1HG_1Dnqn|i7S15Yg4XFS~JOGPVJk4TQ|25kMH~I z)5?C+0qFIWDqffxF{?*df)RoLMU>$`3Bdyix|)gQ2x-Nh3@q9r_z(b-uO0ZsfIn2n zC7H9C)exVMta^EUfqQDz>&?3EFBdlJY?AXgE$7F>p0xersGf7q16F3qyP|D2q;&PP z)aPHXC6tN@m{|oUSy6`tNsM@0P%HFu?=#Vk zk_^zpIvnLEk55W0iRjo*hkbOY7gnj5*$_0t%IWuLZp=Rlw4&Xnht?d4GKWzu`BD_U zN{FPgKV$!8CCJIvd)TSQ6jM{-&Z^14Raje-26%d?%Nz-MfGR6_Vc(Y)k+@H-{T@dw znm6ojnX|(Hf%XX)r9#X_RU=Tel%J-1zS6G1-XYN*YkC|GMyC_ZGw3MrR(in zmn;WFEI)dgWX21sL^>Lv9{SDUd|&O}>GDA@tDo_J6VVj^ULx?bc{)b=)yK zMu(k_Z5u1Lxnir6bnJA;>e#kz+qRvY_3ZuhyZ3jUbDdw`&s8n% z9vw?m#@%FV67nTW)Aw$p-KplL+4xUfmh8m%Z$95UwF!M;S@%JznnPLk-n-bU?5QeA z8Y04$si(~Mw~mj@_ch&*35p1OxYqY2)t#i}*c4zHt$3Z1qD zOiWpooGA%;^@DsXb)z^XC3K)sgF6N zH;tU~aT%1iu?OGFuDdE;R30r=HQM9h^CVt*p2_EFy>}+xkD271kbx4a+}PeCx;M&v zlL3@^x36rw0-2s!2LLgo7L<+yi8v%lPMwg$5E4QmW1s@j5CHhP2$@KFr*7AN*YAlV zL|Nw(?dt-(9$u2qsR|mwzkj5&lon3rb2D)^Cx{ZYPxL-2*)V6q`8f9l0p3P@pXZNm z)FA{nx&l4#Pi>!uP<^k6KYD!ETzCE7#8CsCgzZamu}#(T~Eg`DHQh{aZqGtsQgTTA#GoIxm2DgllkfO!v8wa-~r2~ z2t0uoT_8c4yVA9N{_)o@)A*sU_=T(=!|g?GhFzFbNpfz-<;jbP6+;rCsBX&tYJA;d zY3Bj@RhFSF5_xVYzv{dsS%nL;+#($y$Md|I5!{Z5A?+}y?Cz#lw_x-8?6=SR(FC-z zRq{k;>EU8SeX0gvJqGK-lnuD4?`h($pLg>7`f4dcv$UqwQ8LfU%*@MkmQ{E=VmCADWkOstuI8-ZA_ESD&P64uZv(S||_`HzQN*(Oz42FxRsZK<7B1TK7E@ z=N+jsn()n+n@Z{zV^h~i^fp0`B$Q=mw`?#$5Y(B{4wYN{M)DaqN*{OEWu 
z4%bj4Oypo~?IUw)-s1te5nySIa zd;NXy^XsF)!l4jZeh|u;9rE*PGLx>$P(X zXWK|wrd|El)A;zX_dxNn<%`{#IivD%!1LIYs;m3S@u-TIcW!;LgDvoSEA(MK?RRp?!)Xx; zh-Sh*^eta?Z>=E&V@kzEwx{>@aS8)gKArn*{^f%I=C;Q7G13=G9i30|ziG)qjy`X2 zn6xPkvRH{G9Y*-hjU6=i#V~pKZB*c&;)Rp@m)2G&VGJZyuKPD(hXXyyRJQE}SO2;1oL2#qij%aBb6x@zOYAq^>Z zl_6xwh6E7qo}E&n8tH500Hxs9o-;*biGest28+haf-Gt%V}LqFF|Ab`S<{-WXn+Qa zP8pM2#h-wR(&kli{7D_*DT*Zp%uF)G5wPJv6Jm&viWeBFdt^ z-F%#UEZN}-iYENjShYuFjFy(oi~FkRV38x83?Mq(GS=y|g9S>Su7iTR_(H;otFbWB zkOsugf$O(^e=qmg8#`1D;Sc8jg0FM+HGeynUrH(KBPDrkjV zut8|e9-*_7Jl|L`*aLZqJWna4AdnNV&`F=l5?8%~Nc9<2HfTg57;+Nnk8EJQEq&Yl z{>n`W2q^4*J0(u!P{_~wpWc4+2RAU|$p|us+UEMnBMRR=o-n>Gha3=+cN|zbV;7Q6 zFJ>5RO!nAGA@SNIN!?X_Dz$3#Nn$IvxPTOdsHtLcO9GMA_U`?Z<%oga!kvINx~Gv- zgB!UqRG=dOFJ2;a~`$oJw|(% z6wR20@^osq$ol0cp%}q;^GLp{X$2Q#KNLZ z@v%+X6gUt-70#o(vQISp>wRzBVD6CvHYlrIp13&@`LivybxqK+w2O$UU2+-xz_UA% zw#ypO*@S|Sd!98Un&g`7L7UtVr`{Te@H@==<{gbiOy61Efo`UulW(Ed^7mi=)-2os-++qV z{fRCULNltqK@gmuUTZ~hv>pQqppZLKViijPqwb1OKa1(Kd3;7FYQPj_ZP9{Zwq&kF zR$bW|w_3gS`nsws%FWa#eOjwyOA`Y;&cR(>OV=y3;MdvB`vE@QQ&GudsVp5}g9WF$p-G_0^;E1|aF-`sHQbD8h@J6H`WcN5~U!(HJ zOG@*Qq+2Tdwk{dS8~gU*Pe`u|4w%si-v+jTN}137H9|+%C7{5@CKzo~$_VI~u#pwnm&4oEFwe<3GECQ4fEHY{E##bS$GBBuS%Cs)y3mUWrz?!8RQkp!I0Yp+jX~bF z08@}OVri9iu%!xS9Y@2$Y#@Su62V(@mBia3oRf8lBsj;3lT7X~w&NNRVoniPrQz!8 zx={8jVC0N}#y>y<@wW$gQ+2gtZi|_-@#M~(J4BarheMXrCW0gb)2L31gSVGy{|?>N z6A#aXrPTWpXa4q|<>}MX!#lWY2ghqC%BKN{lgZJjZGkxeoQ13y_=f#){BTH##$co)Cm zcfS3RMP=ur`}T6thAC}fRdNCf(|4Fgv%*jFV$sMi2ee*t`o1-!k=TlG%4dAXk~Xi4 zWMCW$r)4K?y1Ei4emmV;Ao6Yyw;Uj1T;}67 zxdJ3+LvTCjtv>$#h|{5?8+}-`dt%r6wWhY+b%PH_L}!vqo#}1&prX{aU&(Si-F00v z!t#vJ1}!5$S{g%X>L1OkI?nZ=^JozxrjKoQ&3m>64uAh24mkCLt6L!*^vDEX?!ld4 z5&T>rjeOjX;++Zs)k*+We{tAKNMq=^yQA#$F8Hqs_}6*;o)wX0`DrUFUZYgYrq9IR zqtC{m3Rq&ZKgpIdJxow)J)ELcS7Hb=@qV4zaKDsuBRaTubK zPydXYYH77`=0cYf+v0Q5;#ufD4XiuPI1AMjoKteL*XX!iMhZ_Wl*anmNn{7ICJb{qx6?H2)t< zo2$?sMm6l>y>$`NCLVTYBYhSH-5u9HaoFc))0~(4I?qY|{To7kZt_cX7i{n}tj<(+ zGDuGDkNv_5arC0ASbx@o@wH>Z;xZe!;MY>ft9#~(Pky_@!%D7t74$8y{(eg{m(hCh 
zlUTK7VpMn!N6Tg4u9fBWw8ra7Gm%s8?F%3WaB|0c=s*&(uM>=(onA+SjT$eyxA1b}T z9I}pXNdPz#FSc|)yQYeLHbd7kAQ~}*KwhdEX2b`OOhHYFC~5wOb}%kSMMZT%McsW3 z4W>8%FS=h<7TCR@9V;i%AF0HWpe!5?ODjT z^w7IwMQ2sW$FtUcu^BJVJ2$ls)Zb`VCeBo&Fi@8s+nv2VngPWea$W8!%L8j0&TTjD z`cLfG=Qvf>lYV{m%lO^su=iTl6&UUPJ{20}db;dluKre1@!DFxqu_2KF>lmd+#e?< zrN;INCEO*z_AsO|JG>gnK$pPTQU@n{D~?f!nLs)ZDS5CvZSQW*s-d}fSQ`JNm{g8K zg&l8!A{j#0nEX@fX$$-Ji?S6xteEcn_v8LGzKVgKbAd0a4A~>!gWeZ=BB|#pO%~%{STaNJQrK?l!_I*49xdC_3psyx)FxxMq1jyw5-9 zZ~Y34M@(!%4c^2&`XtNFu|p&5&?S)Y^YHlE@M2ST82FqAMo&n1NXhj1+{R~id~6Lx^S_$AyEoMt`LZ=Xb!k`p=JtKsnNjc7-P)$Q zpzr&6-Ruz^LqK@?az3%KHdpmAoqvNrQp0eE1px4FymZNr|K@!;_q<3>T2M(+UvG8Z z>h43dc|oP0ka@eb`(Ux8-iwT+ySeeb2f5usi9BVJNZo=&n_U`akhrU0N$$0E_+0OX z+o_0;+Lv$uoEbj%scFaIeiQ0yT3R`cd>$8NJJAHkr=N*ZrG2&{m}XTHp1d=ztCbqI zlaQ*ivy)s4h@vyN?_$x4Jr0iwX@#;$Fqu#rJG+S)kweQfctIP$_wC&yRvbo`q$G7! z^+$4iI^U9m)K7O*~m(Z2OoRYF>lAJzO5>cx-uKy1QkhSSj(&LXS&Fg94Wu4QW-M{11cFVb;m!|8nGse08@|ar!@P2t9Msm|JJ?-uu z=hI#sO8gb?-9tB2+%_;^3y?0Y;CqTsC*L7U{Mf*+L#p~JJ_((E$i&r*`gVTM_Li@*f zU-o%y@D42AGpq-HFjqtTezxKL zF5GtzAdA7dA<1`hO?_(RWPNUb8n5%DNYdd<5gAYPDbaF6=3G%ng>4Es$sUmY{;9cbcQ$1&*EMu7)t)*IW^8NrUw6{0V!_v`X=7fRY zZsva_db?dNc)7F{+pFz>%r%PuH}BVZuSX8ZN_PcHetcZ2!K;x zpuk$_J|5m*wstOf>7K*)Bzl`(_?RO0zIo_)jmUgut8dk!JW=j}jHp`dojn}h-MoC9 zt)^Wiz`G89)3uH>D4#SK*v_&R$p2h4HfBz*GKI$oUsK*I1iQRUUNd856;T4OT55Zj z@Th5^nXnqo^Lp9-=E>ZrArF5O*U;MBJbGs6Iz%COmG1WH^rAfiV&tlL80UFfO@6=1 ze4n~{^DOteeD7b@QBt1JJ+@hMxqN7UeX6!Mw>R(JL-l%k=+M$ry<4}c;H*7=+9&?F zBKAHjdhG8$D)E+_8sRy{FBz%kyuIUpj<@r<>B|jW(fzm#=xDvq4viw@ceqVG$S5yi zh^QE4ET^Y}+S-{(W)pmx;eQ+Oy@l07DNL#W@YWsiU!{U7JOD5R8e`{ZuOn|9tZ6|HhVGTd2b3o4uAPR<`?R| zb?GsdGSb_8@eEClCh|VLk>}Cb0!FU2QZ@^9+(hzQ+JK_CuG?g3Zee|&c|g>)aN6B_?>)3%-SIyL(k46ZSeg-_5CH;x zTU*R|#pniwOoS5`cEZX;L&d+0>$Ts{RrnH?_f_!RZ@zSRFpwpm`yO6lfXET95GQIm z<{8V%-2?JJb~E2 z_mQDkG;=U7U%ZL#o#~yxtjuIFdHIOk!1Up&g6WFz_%a{DFb2L)q)!|DxPm?Hv zba&_8wq6%`=f(pgi${pRaEY%0Jv7-(s<(0;6;wdQsaB`r=m?Z_b|0o49v&I7v@G`4 zO(y#j@~04LYqiOWD$1w4t*tFL_fEm;segG}i7h*9y?_6HKWQIe({g-b1%k6^D$7ob 
zr=!B0rRg_ry&A3#zMyAfV~KuERU#d~ZEQQT4J_Ne?i|`B{Z4iif^W_9$Pw&LMgjkQ z@+4L~WPm5*`t2pUvx?u|Sua%{7mrX8`cJXp#W}zw5zBUnvY>Z={yr%Q0N&tu6(1d# zPl;dU#*+btot%UoM&XtilpwE&!tcgo@gr7)4LhQOv5Y21Nmo%(S5tRG<3LG7bCOL^ zC-OMH2Jr=zz}CvjYGc9URp4guaj}5WJZ^e+6{7BRZBCaMrEGM9YSC_Jw{zL<2jkM7 znse9T`B8{df)t3hX@P_kPrm*6Cc>eHl)XcpnyB`qU@?Va(LCJT%hdh zYl%I2Cqa5*#MOV=NXZ~LyEt#2XN^mM@Lbl`5mSm2jmGJC z#WwuzYhoqrva~AUdU5%uq0~{`rb%3W)3qEIMx;2lF28E4yWseWm|73DnMLy3eDulT_p~Z zqJt;8<+C;GZx2}KO(HTW8Wp^Z-e#guR>-@!&$FkP zCj=qX64jeuK12b?S`6jk!9g+a2aeO+*b2Z!5K_58>T0qX3t#roNLqOK6Lm${n^0!_4D&Hz zZN>)Z5gneLH_y#*^6Je@>u%o-otFG|i>xscURz)UwA(iox|(|{t0E7b&!bWF_(`>a z=;xS3$enPQbicV?T~9uSrx9QLi!|>o^dk&Tue{!462UPMylrqj)h0OoeTY9xYC9Pj zHZ^Yq@`u} zZ$he_wgtu;od_u#ISHT@pLFMAQC|FRY9e9>a;hi3tf_8IX1~2;c%R=)bX?~1dZMy% za%@r^>VLAms%+YJ(ZxHdI>?sYBZ8fNnaxq?0im35m7U$K} z33w_mfuBH%}SI+d!&dd9qJSQS5YbiwVEIv&V!=kfU z(pF~bm4g!{q?{j%CFuAv?1k>r7U@E_pubfdd5YQNRjz`LA4TZ~#eKl&3G6^&$RzXsP2Iw;`V`LgjgbbFH!7P+TAvFUP8-14Ef5^GNqw+#uE2>@7yf8XxjQsN9m=Vw*?Qx`1PK8 zkm>n884D{#M`r@f|ARKHe|Pusa&R(2?`axCo=;U-ed4@RIF!07Qued3p@fhK%`>l* zMQ0l`cko6OXQefhaLyX@P@<}r8JU_RtMJ2JFg=;J&)s}LaA<((FPYC z1)97%(4=hPvUhZl;e92|)V!8ave1H#28+{AEBCLjzQYvwoG7$k?BQiv;A?)kRG5MK z?A8C=-C0(SzxKvyyNZj4$5>>;d$}1_$*-V=9?m!xdH8#(sFw>3}QOXK~S6Fz#GYhtS?f6VuqRWi$qp#Zj+iq-7ua2Fa zo%+LOHRIc-d+OLB z|LpgS4F7Daw_KN&2OhU9QK{mN=eeehHxM0qbR|*bJu<3VV&a*lWzt?kLioeaaS+3r zEDEyx7=udPIk0Ijwrd?Qw>9loQsZjqLJs2&Vx*36cyN;EIh17FIQ`W!$GM=yI5rW< zXt@WAdd75<-)yUci<{cW{_Sg1&KYlIVI2s_H8eta_Hu$h;w*WHkN4Bsn#b!F_vG`B zqtOaX%PQaen2f~~JObS*%X^{|YS)pe;PdP&D^5?l^~R|=?natWkUK*|*+ev7K8il_ z0VPuB;<&{px2Din;$DS--+^aW+E*|3Pht{GA&4ayHe~a;37BhUZv9C?_zUtHW6RAD?E*g?_qPfTg!Li6hod!bu|E2nJI&J!OdPz6cDK`_1wCC{(kke zv~(2KHMEo%uJtYPJ))5B`{g95oyFyG;<+17eIqm1_wR+4@1fDIjfuPY%79a?ZA7}gO+6*uAcb6I~a|>1O=gFQrEJ{E+&YSLq|63^ZT*@K7j$A)?6#r%y zs-w_v!e5{9J#ThOe&G+Tp{k?QqEu*21>*1Z6)jfNJH_iWI^O5Ep5jFO$M8-3PluzA zy|bsMqqC=uE;||Cgf6G;9gwLpbE|)aWZSlFU;PkPq~bta@=Mc;rPS@k!?b;S?3eK_ z@BIY@!s0}w^r%f;-FsyvMe)WBjMTcB6-7-?o7v=vdxAe`AD7j8qi>#Qi;t1uv5%EH 
zi5KVQ9S$$Ms$+0`TZJ*-{1NObuODN{H|3Ldr>7ABS6y-I2Ui?yoGz!fH;t>{6%Fm> zq__yIp*g3Hp59yg_mD65wT)Au+t7i>%f)FS3XMvfBBF6`@00$Jp~qIzCd{r+!Zy0jKjk#u{Ww^)p{~C1I4O(@ zqKJaj^_8SfV4+yrD=RJMzTS)tk3;iGVAq(hst`@ehIZ^cu=`WQgd7YdS^lR~5}pyB zpX8{_&f3<_4yBQol21=q)<)K*h7o#GL%2)8Nm^X`876TG?=~pCJ9SzBC&5sViw+9g;_@B_z>Q zH`LZvH#I2*jDNyR-ca9|$Af#sRHUUTOV}L#Dw4UdF}c`mrLH_#==QcAa$jG4UF^q1 zk0`!-K-QZYwy?B)6?i34b|0_8~%YUTF2gu-yGT%B;AFu zbQtZvsWkg;w1gN2QM}iqd!A=6DR(O z%@*fSP||iCZ{vG(=~Wu57k692Kfn7>NwE|Ot`>K)te(V@SoU73^lotd6gEXL)QZL@ z7y1+c|4vN-*|93V&;_LhW98B?fc)vl&jyGtnCc)2p1nIa%+E6ct= z^B6slV;fDp48m<)5jWJc2gY;&bYG@71{pxjeN#@-l`b z^%5ztAA)H@@XEjBHX@n5a`#62 zCb+_;8VqCAj4}`koxOoXjwk*6HW~RS2hPoQ2oLw*ygoOS0F$$Q<<@2!=n{qKA)b&E zlm8_<*?7rDVD;Q3ObkIzQ)teMh#tj&^wB?y5?psv2NxnJ`1Ds?kQ+VxR_&;v341Dt z>=i_S9s!GT+VcfZ`UE4eLQl{8m`<-a7K$^2?Cp#5IFp|25t?~(6+RMqY|u@?F%2>V zE2<9ctF~wMw-(2&?*LBB27FY40QRJ0n9S9F?4rjhWw@ej9-RjL-2Avj1>_3T%n8(m zp9M!ldFOZAu4;k@-TsZMw%=+VH7X7CVgJzHh9NStMB|TplVL-G8wy{dzWto=>dAyl zhh5X}q=ctp*mOM!i4B?@FZ%)W2y22qPN5Ue*r+c89)+|F`39NT`4sRqtMWp?&}LyX zhTNeNR+vx@)0svEESZuISe|cq1y!rrUm<%`JA0eYIo6lsTj@99d+F8gYMU9{JPuE(g zFcDb3<}gOJ`a0F0cVfI)wmtr$2&inVW&6&Ow4ndv3(4+~E6PBWriJIaO2OtQ^CY58 z$tb{(iDx%Ga3 zrG>}Mp|g~;LY_sS_t$%Yp16#9Y31RK`>!;-ZiCjdzmT8~!E?Dq_@rirLzy1+iOf%! 
zqLQJc@WN{vQB6>K)TePEHE#RINqCvoi_Vw1S2ZsEUge=fLlu;yq-PQTjow-pl#9-Z zan&mem~ljuqwOlzzrHL_(0ko8!9OJwAlfbpYMA(7p&3B5<(vdao23hXLjCtKv?l|q zU`1`ejySSSoC#V?r|)201rTdOek4JFJ1 z=`iSHie{!eL3s2R{T~^uI0N|3kD|3a)sCa>8xD<-GH)XPZkI*y5V&h->;t3L26o&r z75C!Whb$0Bj`;o))@(t2y2`O{XN~@(@s&&TKa%FVLIwxG%JUt?T}>!#FH?^};LYEt z=^rn+2;2=6RKT3Uze#Y0unLQ*kv(r*Kn$i6KB6i@w~l|ONhpU7VFNP`OzOYC1y@x; zMZ(;E>LbHEA~@#!3!VZcVml+&!ijzleUAK#z4|{QrxE^tBB%ea1Zu}PFIuE{b~0Q4 zg$0AmXoS>Q3^Oo&mPZp&H1_;!EGS)BV-eoqOHi6~^nY3bBq6oPw?dQl@wd-N;I=us zvRLRUM}yMQ9LO+T|0gQEA>y;vGGD7j%L@Eb&L8|AsbBu{ryn-CCn4o0AjQp)v_O3*5@179xS)$}6xi z^`lACGoVWar(UUYQ~5c7L057D5@w!p`NsR27zjuuKQN+Q8n;cg`>j}=ZW3b$k6GO+ zyh9+JQ5!@cL%E^}6V(qiiTWK~WX#=S((WKO1WXbXvom^0>b#FU8z$f)RvrQZN4$1^ zP7ksSHbBvj+`@owp+q{-yHBG#GACM_eg1~GlE~%AR}go0n)Cz`I<7Ppr&N%5vSPJY zfk-<21BF0yk>ekn>kqIPPyv~s&&im#%VO>FYrT86GCdJdsNGt9*@0~^mJ66q2r8^E zQkD`#Y(WoRIfBj2+=$OA95wpRgo*fBBL%O%28o^&7W7b(e{R+Pt8P;(i|v$^-bTtp zEcB4lgI)iWwrT!b@!jL&S0xmQcsp$VJ7C{I@kp{%egf*S4QK>ldv@n}hMSnW8AUY5j$UTTC|p)W$2W=WfN@ zY?@nJE{?POQwGdqqDC*+prRIwU*DMpT^~>l1#U@A;{RyYf9i*?5kRP%%CYYk1L~Od zt3I$UBMLk{fOe>T+}gef`_1r|UN<45%!8mtl?5fVS>q%&HWZpBRk8e8FnV!=7 z0fgm2MK}cvBb~a#WVyybAgEJ2RrWO@Tn&F4!3#`Jp>OtcbJy~44WMrhbDw@C*>L-n z1jhN8K!At)%Tckx%j~l;k8zDR=x<UM^UNdvuV6-buvw+$mI1@3CA zzh%B@4(~^l&^Mu_)yW$_CO;R51c4c}z1km;{CuZ}1eAfSr?a)Dok^lL)5fOjtJlW0 z_B36Tiw4)m(@07BXOL(?tTsyE)1QKd)ISELH<M7u&0fWVCZy6IarSmec?H zRU@4B$-}XN)JmeHl$|CKLNH0N+&Y@Ax?ul|tX52rSo{E+KDYRekQA74%QOm;3l+d4 z6oy1#ZW4^qiBdliqH!H!RM7096S{M%hnIy~1=K*R_m^ATBP2Vd_~MY_Ml*3|^ns;H z*068UEVkE3i~p#N`?X_i4m!k8L!R!S{x4W|>OEgdut zB~*jHC`KDUb>7~T)AfR&2R39uHB8ZdUq6a1UisGuDw5;gPK<8pADk|a13+9KA(CPX z`Y+H8URH+nVKnrqhzb}RPLoj6Fh1d!ZOoq?*i7MDv|GL|I4MAxG(Te7NF3z+MBn&I zT6U1ql;ofV1S0w#4Z#shg@D}h0&4ivEDs>U4&Xge4>D(SkFYe(L~WOhSxaySHxJtv zOb0}k<;B%~yqci3vbDu^7)-%b#__f7eili(yg z0kj4o4QZN2d5qboS@a>69sJ|vOp(AwLfi+xqG_gtvApNsj7Gvs=lbQJvS2u_IWEm# z>jd)b0g*s9Aa_p3Iq_&@!3{e*lw_%fUvL5U>Q@UApKL!-p+?!Bt%u|Kfgxl-rsSVb 
zkLnxjU2m%if*Mra`M5HEE~K_KUpr>1f1hI^h0<|tdpv8JZt!&zN2r?8%j798`Xkv4+$bZ3?K zsT$Rw=}uFkzETG~Nsv^!({^-^A(CNf3jLpiQ*&$e{XwoIKY+#1y%ILpFhk^75*P&` zgFk^0h`wkg5%dJSMmd-?kgc8$aR@t!t}_l%6QaSudMGN%Zw~=9UmLZsh>ur6ok~dq zZ#Vxyo!51pB|`Y{!ZfHOY*zOr5uN(2D`{27!#eqxIrjS@`t1cldPo}$snL)O^sKQ| zf__*Gf!2|H(DZR;pFcLgM6w}FYM0a>M<~4%BohU&gH1^KvLTGZ)vxo95&zqA>^KH` zbwAKN4Zn-)v^2F?UTZ8a-RTJZzpJb>h)!+zvxNDevPOdj^a(S70hbI%lz;+uGz{+2 zsGtcdHaEyPRw=3)U;%rZG#%G)8$)hasFLkJ0o_>+RgDbVhv;`AgUj3m#fR!pf`Jw( zYFz|sL;b3JSnjM^wtw1`WMl3=vfHDnq(klEfxa7p!jk@YzEkX8UY-g6_C`OEhL}01(bKc{!A_xY7Lj8 zwy_?P8p2zpCbrXbQ!lW~XSXfsK@W?f%BcyelCj~VuphJFP$Q|)$v$tfdAcUrIH z#znU<*aiATvX-Z{sayGyYP;|d{DS)8W?>|JeHu4(_?zEA*d*k;)~XS)TFNtf^W2kK zu#`H}{A#CqM8qGC`0;xP9~cK8M|oAhR#@oofGc3o*D{1FP7g!;f6ij&m?SbF98~sW zo+h|AP^xWvb~u$mk zrtNX9bd0-NPE;jsvua;Gl}S)?r{E%bf~VIYPCCAjF*MR?yqASdfVe4Cy8Vw~db9r2 zH$Y;xrmPXYH%4-qq@LRp0C7yqWd*9y`!+)=g|*GUaFeh8azWcSFkoS@>AB(ccm2Xa zvewA$*V0*(suz487~uR|Dq)>$C9rC9dAtK5f$LB`7|&}OF_Q<)ieV%fnMtg1Te*k< zDT~I;wxo)j5mO&Q4{5Eok3x=+A?_2JahB4C< z_22ti9@Eem?q=Gaxj`_Q(>><@+mnOZtxvS1gS(UDKy`DsN4?KY;qrs@MGs?~nfk64 zYlK5P@!ja2BW1jRZEOsH4Frhoi{AVs6x6OMl4xF%Soa#IJm>u-v*wB#np=r3XVYlo zh@a`o{IGopXSO&O+C?6P4%vYUM=nofmu5iqDow#&zuEh+j111d1mBPFvQG-9o=QFn zVx3eDW9M-)Q^TDsO30A-!oC(WS~Y5eguBn&&1>60R#W5$nIRMVF_3mLiSlg%bF|+v z{>qhev0&wQ$eJ#GIKdh(*fQLzg-h$0YtzJq1OGRIr!`(b8>14A8EQuGjxg*`nLhS& zP>NKeRm?Nj4|ih(ehh`iqRuU=r&fd)eqJJ^iA3yY+ipjsb*{eFotn4mROgIZ7FcE0`$&Lpken%T0Y4A#B_Zl0DQwI%sA zv$fADK%4Hg7g3ELS=sB=DJ9o6&M?dKeI0 zW$LU;n7$p8z$~YJf1)fmkq`Uqlc_%BVKTViEBA*_&Z954E4-SdoUHS(k8)?2-?)4cntQ>b84v5lu%ug*1_Zr+K@e-N?`*so z2Gmti;ih@;)~O>6qo^RF#HL0lf6p0^hJ`Vt@iU|;e60b?r8YODe$SQ0;*~LQzN?#O zAb5qmWyTgCfTm&{vDC?Zm+GnTdPO_aG(*ZNo5AsLcs|`_3tj<*7r&9=De|89aZ;N8 zNDsacM?XRo{cD5(D2vbh(9LG$X*WUfAvMD4;J0Eu;P|rY&-t@U=8DlV+3WnUF@p(f8lPXzSCg)}$!bT<}qL&(l_xU1a?^kx0X)Y1i7 z*6iS|H{3u+IsoUs^}sd9Pf)_?Y$F_3(nGhK^az3ew~=rp$kgE9%vhU_U1yGa@36z` z;+*jfl2-*-<7)$)Ebv+P5M0hQjSpi~EJ1Ev3o_yv|5(QepDKk`YZ|~Vsk+_16PHNv-Ioe+{3aOjG-&mf)_?i` 
zs2(Ou2%;o9bn^DLI;LFpsiv#MwzlW1Qx^vT;j#&$N}9Swe<%9;$0lQH3IQb$1Ep!)G|nGC_ycsu-^%<%rn?;UgTkh_J_AlvBqbjt zbR{U1qcZkQq^4{l4r~h{1VpOy$y(l;p!;)P>q&JWuZVnhaHK$rbS;7-g_`_Vgd)<9 z>uwdZiOtPLLjf=+JVY8RsITZ06eN_rVrA%z;67R0B5_b(N!2`5_y@?p8weLLlOdga zo2rG-qNvVyM4^eO?ITTVC?+=J1Zl%KRE*^{*7tSbL(o`IhG#;VLQwJ0DU&P)JTZ_39qGe-T1-4NXqO9| z+sLQ27b4DV-K7eBqC6r}-)Wy09q|V~FsfPzy!^w@ z06Mjc0FF5MLwCQ3>a<9-n z`Z4PgR1sh}sqirB-h4v2lny96!i@3?By5%eMiv{pv!{!X6p}?Mmh3E^5ct<+Q9q;P z$3~BkOqHP1qzozDw+KfV85oP5n+Ks73rXcH{3!*R=td&e6R|)_8h6mG?<8U|Bxv9A zIbvBPN#SGb5yU^47KZA1-ic@Gwj0!#S-6-cY9WfLOCgNJ*8EW9Vw%kRfs2Y^P;g+r zu)Q5ld<$PiU!YW!S01&CrMb|{(k0-lUYKcei;d`!i<#mRr3qyCgn4x3)>@+5F>&$m z>>fv^f;r@L9?bPYs{l#lJ4k$qfxClvO;B1(LxCm*UqZ&KiNHVg7OZ3-oGZF%KR@9J zffz?A=iepZ-e6{KJbQ9uar?zz$c(p-l=QsEQdk2MMc{?mrOeztS_r=Shvi@s1fJJ#i;O|4Psmv(um-h1X4+O7)6qR z>CsC!YKIzYkz52j5%a-t<_G_z=_Xb+qAh>H^dGoMCAg=6NeX=rt|%9#7I880R=y6Y zTy?<}grA)-I7vz3VgmtPSz2bj#w`>auuw72B+Qeu_6G+Wo+jp&WV}>}q402cB0de6 znBfUvy6#j*)i7a5G0rdoso)FS-L%I=Xmn@_1A( z02YqEX*lD9ZAyfW4P_{1{`E`kp%xJVUcQA|E++zoB{{A|z&Cu+AZcW3BCN07qFm@$ zpTHe7DL8J)4+4l6v&%e)EVICqy>LNc5?U{0PBuwCZO5zVrnE?>XhIzByp^k6N^ zFd-To0R|V`mp{GH(KeXwbZYe)j0LAJzzC#@2)X(ifBxR59$Rrvs$Rpc{P@rR*Drtk zi=2bUQq#0m)Ani~FR7iO;C zzEM$bOS8(P%@a|ke>!2lv{gtoDGC-e9K$fY0K#yJ;9)TX3u=Lq`io~_g+tS* z`g~xh;p0ym+o+5(ivgTg7GvG*w{QH9AO8HxwHtSDTpF8OPAROj=x~A!1fX*S66PWh z&N2|jL3a`s84L^-0aDO}#fCtBC=`U2W_douFw*5Epwoc>hmp_$;^+@SABLb4VL(79 z3XDG#U@`uOKl|C>V3!VezyA6g9eqpHm6aAVbiKT?5r5YZ9~S|{2t6S~1aX|Z%Pb)o z&K)o(&k5Kr^X7==+?+X@A$jKHIRWv^;>tG~vfC-GwqQBT^BUxYhzo24P6&B!HeC6^ z55E8I`A^>e@apB;_vSq-`^t-8Y|^muLaZ#yp|Oq*e;$S}hy&lod;Qb*UjES!&z=AD z?GGAm+-?f7Y(ch@6qq2GFZ7aJbSTgPTKozDF9MJfP z)`&qb&br=t>$Q*C$EyzP(;?|-dVxa?9Ar=)R+V56z`kC%cv(v_nP%qQPcC*Z;wgH| z8$bCeLkgz!R1hp%LoVQIZ~Wsw`yXwKSb1rYSu4yAwEWrs_3tlt&m2B`QU_KHO*ASM z?sreL|MJa?ygJivH>%L7L{J$jsB*8aeDLx6i;Ig+r&D}}3>1Mmj`Ih=`hn|)Of$v? 
z1aM{-CjaAKyqua{mFX}L40q#`OXuGCbvk=*-fJ}3EY`F%G*#1FOT+CS|LFTE z>6Rb=9X{D<6JzwXn3E@ZXoAB+=>1$!1{_E*h!|)zjG&8Vu_Eg3Ok-fdE7O z{Xh77^>yV;z}I%~&iL>^5WGH)K7a0Ff5&isVXo1lZ)8aN~zEf0E+jILm%z2g+^ZdeMOIt_(z+lMlOEnu- zJ?;zFZcdC(jrI1m^z6=L2I?>37ofBt+^Q)eVyHu!SJ=e_xI4n2%65YP>VC8 z_uASiz3JBNR@dVEU{|xBVf3l#{uNJmYfE=e$KsMpYfD#aka=BPUTEoRtt~Go&UXCp z)eDvNPnG1FVB*I(-`w=%oz~8Q;c-}Mq!`tV&wZn@sdsRU2?Tn(J5o~(qZ8vz?LDIt zQ?TSRn~dP}xu-|}=l}S>|IxqrSG9GAJKMVF=cX#F3kLgodb+!&XIw^u4G*neyLw@1 z#oON9=UVZnKr=4P8cha`R^52JX>ee~JvaB}+wXkwo8KxaDypd{G8!zs1Cuoe4;2;V z=_tYONUh3DfA7;PxyPRS#+N@=kcyxG^d5~{{jRZzp?2^-SN#5l#^#mP71zQHOffAT zT>}F{L7(4dH7zeMH8tPs9~xd*@f-MH`zLRGe6P2N-@F!ksE>Cdt%4}JA_ zzn1TGK!4~gX=z4ve@AO~SNp=;jLB^D`hpF&Tiq^qZ(FO^yF5HL+}=H`H>5CrPe=3Z zm6gRi_wKC(@yYRtfsQsxrQ&g+yQ{OSw|8`A(PXxUR$R?@Z!Ngy@3r>?1WlSzGdJ3Q z{dVJ`&;Q|->)_zN^xV7t9TTvG3Is#oJIY?C zfWc}?tyV|5ojf=e29qv7Cu4YIj%IaV|J^U{uPs}co$GAxnwp#>a8{?qdiqCt2B*h{ z2gZl{b(U1MK~G_v!Kg0Gw2x0OPkGee{qFDWtIS)TpY7@D9vPj6HMiZW9vvCJ*4W}& zTA3Z6W@#@Ia>J3{-9Iurznqqqu2B<0DA;`SM#s?D{->Wet8ofv=9ZShD|6b+4L2@( z{HwQ{+ucFTKw+28y`@gEne2|fzJ8rn>vg+Y?%f$383@rKjnO(Mg>(eRyzier_Jz4ZVidGBdBAyD+e7EOMkZe)JBj z7G^xI!Qn}}J=367;cU>`*Ye|6-x?37Yb*1z?V69?{q4K&zrTp3KL5opj&?NnclXT9 zxk!Fxa;W9+esdMmW$i0*_?M?{HMMjPjCi~Ou*uE0Z!EdySA8qPqcdi+Lq{<^oh_{$ zEz@%gIHlK7aPp;pZM}ueka{x7#y2Sb!L)*)xP%DzJcL|MR%&*p$4A{4-WK< z&rSqhe0HC}&j0vV*G|9i^^6pZ1UHOc85iji7fp1FME_T(8_w@I+_YRCt&8yW0qd^aj*;rTGFMjcN|KgATBrCt<)}3}}9q3$`H;0CY7Ca$K zYPx4`=FY8auGQt{&Yl3LHfeRMb2E0kl@~&nuQ$%jERFRJUAuAPfBOf&S6Y-`S5dU! 
z3b}&R>C?yTsb)|(D?200q`7qC_VM5Oy)Qg_(n@(Q-0I@gsdIzf?&%RnM(XtZd~0X_ z!s23J#pPOFYHsfw8=s{}wZ){KnHg(px;HX5?)9@|aOK*$SDS_x(#j4xQ}k+_pYHGY z|Nqy&IR3&{KL3R;q?&Xi6Jz!a2OkV}wRH^k_j^}esi~&Pnc24Pp{eP)f!>~=&(qi2 zF)%u9wmM*_&rgkx4fS^Qbo())y{m6>e9mgo27<2k)|S5h!I^oF)ta(6Gv3$JF)=mT z)-_0~Z6+N))Z5(HbUP4aUwh@9gZrxL4`g)?&dxF!XHS;vW1N_{Gl}cY7%A9Guq?;& zJW0rR%7K9-|M*Y-gLu~jhE9~BtDU%f@00=s3Z4kC=nN?%KC_L^!6tS)jq3CaYeQo< zh8w>7?Jqb}bwB>zk0*zFwYcY2Ys->g9PghBxK^w773=imJMWxVs|-!ITSf=kb92o% z2j|nOPS<4Ub%OWfx6V7#v-+kNP8>fz+}nQP<}JM=rLw@zdS+%Ohvw#I{_c&72M<5f zarshIT3-6KJ8dof( z{N&x@OvmNR7vH+jkmAS&x6@5CCtv)$UBhxKQ*VBHr{ciL%b#3KOL6|gfAkM>v#qK8 z{H^ADUX}4)+hlRonHOI?U6h+$QczHuWz%}b{_d4m<~hx>JAm=3?5qrp3iB;ZzxMhs z(h7=vLFW3^n>a%cb~FV83tGMKgI7P!D6G$Q8dU^gwWXQ$hVJIOTATR`zxTVn?d@In z?(8qNUAyr1jn;0HBkwQ%*H6t_+&$KGx4U1LQ{K{eyS1UgqGcOyUZ0|k#pMNB40A2d zx3o7EIPKXE`x_rO*B^VX6uF%N%rp9%-@bW!*u^kH$Gto025g|?&a3ZV(xy1adivgf z^H;UiIlq1H{LoSe-A)@~voq6mYHD?1`qkH8edfzwQ|k z={v21tTyw7XHRF?^b|?j?WyT%{@qWmtHD%Smzzx{6-Eq1rP`{M0hArR`m{^^R}C+Kud9nC>Zc>BZ49LpKl z)$jf7UvfJ2z3#!jv4tFy`omwnGCaTFS7~l{^g1)_FFk#9VcIh|uyo?Y5pX-D!y)W^ zA}A{q1zQ4^P{BYDmR8bmLDwI7UaeA#H#|tdae^`!HO@3`N9P15SibeeLuz{FfBo<^ zz1i-W9=zS~X=a}NgNu!yHVl}_z`d*ImvD1tWw{O~%|=~@mFyjynf6=1`^}e}2H&-7 z4NETHP~Y(758pp?wDgBR`C-qrS752@A6~-Q<eYea;j%3IfBw@yA&vTuq4B2fk?a)naK}BK!h41W=9iZ%YHD8l z$#jGnw6zUr32#qdr`KHY^iwBI7&ARF`t~~?+4Owdt@H0(yqQt5 z|NXb$6L_p^Xkf)NU7W7D)Y!eMDX1%U4&1vi?{kMR{DV)gYxU;pvO zi_@+)TJU$@JCCcaKFadcQ_o)i=v_7tY`NP!JvE@x;TLX=Wad;JFEhXS>i2GRjS;4_ zj?PYl3Y#D98JiqparVQH?-+~@f?fK_kN$5~FmH(Lel`|E9XKtS~31 zATJ{`Mg8GhZ}+r!>9vNo_Rhk}8lwpeSODD4iJ_%qhYMNG{r1J4XTR`uCvrQ3p~d@h`u3-{J9W0~wp&dN7eA^jN_p+gH(Z={abZ9aD^RirR8 z-2cG`@4xuFU-Q#kS4UrFno-TWM~Ax?7iWL@ZbMbwspa90zx*G6rb)B(jm_Tc9JA{U z%@;4)EX3{GmoDGwGT5?*x(22fmcI56zgv`=k}GM(Gl0O@8X3!*;d0u$L-00s;K^SuEV4uu!d{bE?&R+|NGgJ!hhlXuTq?8{o}K*{Q5(I<60Un4Gwm>SC`L!+>oA8*nI2K-5Z}^ zq2*7mT<@Oq%`dFpZMbc3!I zqSc;JuOe~5>-YO<+F-V*pm3M`uZbP`572b?>~OpW=>t2oC|t_gFOQ$ zPaLhO+cz<{dgS2I5~s~QJw|(1FiMT-Op9J$@4!IN7x1jC9yoq_-=RZ`uDR~6_RjY9 
z0|ySAI(5cuwqXJ(Zs^8u@zyx;2oZZa4q^`}P_Q8+yNb@{i}p}lOGS?wAi`Q0(pdBm z9)_v;K!4lqiP@!-&z?Pdux_-wbzpF4$s07QiT*OSjvlYJxp58x0yP*m$RL+8bP1o}28t-Q3w>%qp06xt3Slj`XzjjC6ZO zrX6Jwa`OwHeesLdR9j11OIR1do@%bF$eEg$`0)HCz1dv7zd}s}cs78kjbO#R9{2Rr zj3v!sw5Apm6k|;A;)m~7??3d^b7zkoJ7UymIX|18?tJF+FBrAD>7mi4JGU1W=W=p$ zGn|fP&s0oGe*`TIaLd~KE4U3TxCh*+c#7Iw1cimCwl*3aaLtSmnH*Z`k zC@DYn)RF9r%$cbv2Fy5`gO&xDcPN9{6fgmkEW_Tuaq0ZKZ*qjXwyqYMU9CcQx%Ll^ zx;#NY^s3K$^7Pq5M~*BlEDZJy&dxXGno|62ED-$IhMtM`US!VHSK@Ciu*A$6?0t3%cVc zpVn~f{NxynVNy-04aTwYshP=n-?DGT<2&>Gv&BV4^CJ`8Z5?y7bEnUoK7QhuTBAYl zG7{%eu_faGb(J~>AcZ4Q1$%|CeGo07WDLWt4zsP;PhxkWB&9zTD0t!^9re<|kB;&L zKsFl=ewdR;fr07R&*EBx*=o?SEXNT#mD-?Ft1T+7udSi2x1TbmnRF&D#DM3A9_klG zfa#}kgU+1#g|jsuzxQhUsH^_i(-sZpUYu@eYhLyH^+pRPz=WqV>5Xb!Fsd=07lIf} zSQa%&uDabEC$OwK+nH6G;V|Gl9ijv1DM?aqHkDOZ!kU1gIi3W)9Iyr;U;!suFVTEa zIIcRducV{>R`1ZL+wJS=8wV%0q_i|A-8$aiJUcb9=vw&b(@(G6X<|&NRR{JLq#I_Z zMs78?EwA__^+60zstqO+!H4uJx~ep7dC7h0a(j7Mh24%`uoMO=6kK#zI@T2A+DZPx z^{&xn&FN!Dv{;bGNSFmpT7qZ%EP6793vr~*oR*WFU!0Yu5gR$uTw)A8^FoKf31b9? 
zXILD#O(rABc)>;F2r9@ETBCzwX|&GK*~%*_tFvvZOLMoH+ZUESAPg2OBu?zBD#`-0!#?Km4wFxn&ntn@>m@>2CE?0gn%#5 zcBfsV(N^uRQmZ9zJPPv20iRoCv}WYwWTvMWd_g~~kO;Lk%bA_7CtxAN;)LE}s;Dm0 z5!|H@-e2*tYGVqaQo}r?*XY%1wN9rIFTL~543oodY`A%6+2frUXuEXjqrQo0FGmR~ z^t=-Ix4}S=1-DRbb~-aNQ#D4t*6u7wHCnYat723#_O#!* zIX*E<>TN2WKEyCEoGFbdHM=l9D^pF;0ow0pSPDAGWP~7^|3rvA0qapTk|atrBvOI| z1q#9thmK@m5nvxV($@nd+UQcDz77rNbnPv38>sw~fN>Q$I$pttQ_&k&)vYQd=xFmU`R705A=IK|K` zL21oq2Q-pz#gB0sz0u~(&r3Dw)geC@V!eJwtuv)(ILb;hc#I1OI<3K^MYqKw?;RB> z{ot4-Jw>fi^>uVFyB5Yr`UXeFD{AU;vq2Jh=U&^g+cVmA=fdTy!}G!XvdXf`B7=r+ zxOTC#e;9rLO733N5RxT_>4^rDL!*}gusmikTJ#zn_+&7L(x3-U7>#LsFaUi?SsgWX z`||9XiP0f&(^q^j0f1^MHK{&aTjoqpBXky=(sZ>qxtEvq1{3Ito^8Yl0c^U?s8eeN zpI2alPz9g{{S2YfnQdtttOwp&*&e=@nS=!0G|SW`>}p7Dhkmc_IfY0Y%zr=oj`^^V*uqd`lc zXNxJqY{|+^OGz^k`jqU_8aOCHv+tc)HDC7$T z7|ftI=)o^%S#-`kF+jh_CLt0~@PHuNLv)b920?jYfv5@;D0o7Fqlrdb42cndWCWss zrb6%p1f1nynQu+|+|x%ceEQK3e*S)l(HyC*%FVP+&-C4HYg_U%Q{&@pckl2d$>1uO zOGxmBxBz4p1QnVW3F6S90|vb|116Ay0um-hP5}R{y=!p67s2}dCz?A`JQ_> zfBDlN4~fG!~DwV z&wuj6zy6!=-)Ow2FTG-U<)6A%0tXHsFD@zZ zg^0cpS4ly>O&zwCP)!_4L}!jE0W(@PRaJQx8t&wl)~BaC)LfA9dM;kR^^3O~w0g(> zva)B6@At1xe|X{Yt>&)W>}-vADUB3ZJmeV}ofx0@!j$~UxnF$mZ~ppwKYV$S)z%(3 z(sJqiFMswjqqmjR9y)#YDc+Cq{q% zy&rV<4e&TY@PX0s@z#Nv>gt+8r$IVHjsS~CLIVt1J_OZ<)`sO9iGx@I98O$-;&~ND z69j2?6jqm%dc^*kcA?9dD<02a@6hPbs8O$CNnDfebgz0k?%edlG7HvxnYrKmz2Coe z@%N_J-E{i4Q#NmD3rLiBp{MyIYJHPhTuR{$eECk9i1O=l5h7*CV{J=6q zeCdgxf(1N`8H^AZlHzdE=l73~O!Rg38+2-PgE>xs%S}RO!IB;0oK8o1RoRChe*D&N z--ZPbiQWq$T}P4^Wb)w=iwzSLC~hV0S9sTi42*DxdmgX0aJ|Q;A3jbYmelo z8GinQzy9%W&*xR{FV9P-=+%j#{$Kp&-NxSOy4va#6*9``Iu(viSW!X%>~w%7&=aBe z?xL6K5R}>BJbvoby_;7Xu3mQgy*xn#7HOsnzxOwP z^Zi@*I++kh2pAmHU_IdQ22-X2GcCXot=nH;|M?eRxbV@1`HAT-JbSFGv+2W&wcA}EaClN_ zCPT_ZXH$Q7dkBtQWVCS#2d^7UH{>TngoY-x>6v+%IXRXTb7fh%QLP~bfe!^{M+OGF zI~i7>)JBay)owO4eEQA`O+Wp`FWl{x{|7() zRhlE?sb`*c78HK&b1z)~@Xa6m^MX6Oy71QPZ~yk!7H4j0&HgjbJU1~ibpEY# z^GgdX0oD_npLY#(56;ie6Dkb7{0yu#%$_P;MeU)d&OWVSS9{v-Ex6nry~ESjzmQ<~v7L1Pck@1nv)>b-%26kaZ<+IN{`~GiU``%yw%`e{iXvWPrbIXp^ 
zm$%(K|5rbFc`>9rbMmZOpea-?x?@MY!-y1b8WK-|fQ=_$G*K#ng~?HXp~&+qZf}48 z=)l0J-D%^A5DXX45XZoYhTfx#3UgCaQeS`l&5IYVvs@5r7Cyux2c3dP3-bCCI{uHu z52)}kgM$s?d5R)c=sna56exH?04|64N+C4+fJx>#PN&mJcR)m0XfWltT4O3HDK9K4 zP;1or8D=dkC{hb+>yPiRt;|W$*==fjeu1;FB0ViLKP$VUx~8?b&tv%8T<- zaLQn{=T#ioU*}ABW@Hr{sw-Ek1Vd_i;eiun*_pWp+>(-+TUu9IUYMJkV>6jD?e^00 z>XNFe;*vrGxD+_9vt(6PRu$)_RdZ$gRH(9J{nU(tv z?yswc6%m0`MpH&{#lC~bj^$-q)g&yw$ka6ZzS=5{Mq5#L?AXD5CN+2E_7JPdcBG&H&(0oY813DzC`S&C_73t4ou=zS#D)Z~wu*($v|p(TmsHU-;Y?(=+qykDRQj zC@V@g+0C%{v1jC!)$FUY7&XuhwBO~L84R$h)XcJ?g2I9*i%xS z7Hy`(T3A|QbrxjhmekZ%R96=2aN(`D-uj)deJ#zAS$E+0!F{zEDVBnYvXZK5hb6^f zHkXxG7L}LP)>e=>VYE1E_w9GsOrR&!S6)M7nBL|nMYqwKR5+_OrI(aeWIA9RX|hYI z3k%AeY3X&<#Rj7>&1Q8P)s_@zUTIxLS%D+nVb3VcFDR_4F0Cxd%g@cyreqFj zp-=9p)H&HXR)f}Ru{m-pY7ZPL%FoZW8|_94*QMr^9C-G*ryOai>FJsKD~q59?74;6 z=sbm~w6GvIKQkjYqxQglmDZe*o>yC*Z!xMe3W|#>YaPzKoa}rUp4DZ=W%+pyr?afG z%AnDv+f(bx3ySh{w3ZBeW`0dgWled$mhs%U(KPL1Po6qzvl=#9v}{0Dpa22ZQ-L6Q zwo`oJH2?=QtI?>@dsWu}g9zOuuhClb3rq3}bF67;IjLrYnlfgUoH%o;$gaA3uahHe z_4Nnx%c@SCJdt5Fsxh!{=xG9t-j-chQC{qX3}%ZnGd-)Kva+PIbpN4hPQVO0n)3y=R>;)0+eNke*mUd`d0%=C)VyqfYtv%#E^Q@+3EK$gW=l#^XiQBzh`m0w(x zk(%zbnoBG5^NI^iI=$6oE~%`muB>v}ZFwa{&df}c##~xl3=B?(-Dq|=ocYC-^%aHL zIcb#MV$Uk5Ev=|KP*;^=f(F6WYPGWg)2i24 zt*IG>HFXE}=Vzyx2tlvX8qTj_;fdj|f9oq+=uuO8X=UBPqervTO)3Ic zlPX76cFob_He0IGtS`v67Z&EFWEA8V*VL5N9Ih<)%#2^Ya`B~ad>st_;Ui~i%1bg* zZKc)aB^706V@i68qoS(1tg@uKJdYPhXHIohRSAqP@%~fUlB-F=WX~$CJz$4nLGUo9 z$|@@DR<+TnEvY-0o|T)OomW+nZM5i9Y-y=_eX293q^7Po+W~esExV+!xU_a(d09zL zrqixT$;!$v$x1V;2#nIIa&vNwTCFX`o>5e@@4(^w-2B{ht4)ikZJE`FP9Hy1XVM$8 zvkR-sax6x5PEkR2ZobWED=#h2%+4q+DJ;m#(dbfO^c82N*-g5V%A&&3qO|maoV=3# z`>SB8hvAW#pHoy?qE{JmGjnQc3$rrqV9B%cO3Ta2YAf>QC%UgR_Hc%RXHHe<)?94` z4;j+4o#>7FIQon{3`RT{;?T>40OIQ|wOW;4rsP7qjz zPDxE!d&8m(4wgjz0D7IfL8rlSPN03h0K@QVwN|6js!8-widAq-2}%?6g}_UtRBAy0 zi^2O@l2hxAF!x}r-%G1VN~Pg~A%>+4DvIPnUJ3^r!vqA2zUcDM;c5z ziVrUNX@Vm)CLQ>#!b*U(nhXTGzmgVouiN1rq*jU z;&(e&{TQXufiR8<1OhaRQG!YXiRdeJLWl|af;7%zB%#(Cv}#HS1Op-T6*y2;XAr+A 
zfI+)>y{l@iDoFD@r6rlwtMC2%wGW!le)%8$?n@_;ry6!W&?im;eo%qZ=?7abzV?&v zEvifY#lQKFrH;_;YYqSEzx?uVzxTb&RJBH*CYY3Gd+T5&%bqvSTp-|9A^QgbfTAZf+z7V>gERdL<#IzXeLm%JM7_{i?c;X39 zF5nL^91ztyty-<32tGjjy+MY;D78tifhDy!$XfJTEaX9_<+VmWNR#MFHy#LjVR=Mz zxGyAFbZS22L66RoYCrTKPT&*)D?L3y2I-L6V1y}-W@sbD3mokW5iE(WU&BZk@49vA zS_`Jn`}$X2%1pP27pc}mK258*p9&I!7qBJQvWh}amBV0xB|gK_W|I-dv&jWx+mb^dJO%LK&>SFA!h^ zT*YC8N~;AcMhLu4MS(1>$;_i~K83XCrUIH!foW6ue2h*5E=$nw55eKA(x}mgG{so} zj1Nz!SwaoA6eblAjxk{PaZY125Ih(+Ol_jn8nEChoY!dxn#TN$fZpNF(Kxz|R2>Wk z;g~XNb>N+2V6hpDhY5sdF*c-AgFR#X45iWPX`dH-H4;n}g;N@W3Gr-*)tkT*2crQK z42Em<2DOS02En|5=feb8QXteCfe!g$_Ta$4X~E`VLeLcmfw|L%cnqB?qtMf3Oo#!a zr#2W!KEwuAgDk~CA&?4wF!T?aNP-N9^CZ|Ml^V=a$dA5f%~OO%YtU=NE2|;z((>Ze z9H!OTGMofXKy7#oop~@AH9X6P&@%!Qr8gLg<_O%V(cS#`<3IV&|KS%OzC)?>8kkSS zuaBwF-6sOf-O!~lDf2u7bqdlL%TszSg&yJ*?HAf3OAd1(i|fof@J3m$H$;$Xy^i36 z-ep3k<8YY%1hZZZ9yJ4YGl)imN~bfaxS-GH=b$4fg2eTpEgyosFahh;=;J7$J9L}h z5A}tq98Jq=FupL-1OA`@-n81HqiBZpGq_2o;X-~M7f6ko4lr=YzzhV{G=PB*2?1PZ zR8gGYPf%dXIX?|!R|U2l1`mmDCZ}P{aWpT`0t{h>@%b6(RxQtR1if%EI{gKp$Z*$tx@}l0MI(r)AK!e}AP3mL(!j zxGbc<1hG`GxC}U(=p{?im-R$Iilhlt9Kr+^46G~;4UEq$dO4jfCoi)kHxu<@w65}g zEpIp`mk4fYU}gF4z2<$#PwI49SOtqczg~b$T8pni>`xpmE+AEWlatgP@FVt9I8(T? 
z@Ec)(f0T;ypeyQf5pu-#7PP0i9 zKcb|86d6VGxI&{^p!uL{V01aCwv`uVL>?s%4`ASw%qc)Tm=GD_;OKZ~#wUkHX1%=H z=x~-5IMa-Jkxjfvy2gsQVUvrLMIne3^b?_okYebViX2c;hmU;Fi3t*sh^Q6C50Lo7 zBrz^QPDSjXAT zl9CX_j7U~EEKO@@CJ0k_0anlGR4w{mXyhF#B4jzD4gwA~cyVTMU}|B7Caw0uf~>ss zRMEhJe3?_cB#8j=upkJc7-}KWbh&5ddj|XJP96hS9I^wOXlEq}ait@wM2bq5g0Pcx zMLj07BAWOwLTnR6gQ`WMv8k}3$9uz-7Wom@vNEE{;CI;XqiUIZH8U=pC zxquYc%b-8%5S|IR=EhgSOEx>x(JeVLe;A?|QMQ5y48I>;LQtty;?g>Z(^op{M_0nq-(zT3XsVw{y23*>}K0F!8%Kw;(|rdgl(N;Rphq z(T~t$r1O}-3g`|J@o`6tff+C)P$YqTruAxUUp@5XA$VJ$hd`;pVpDinlWhT3!8|8W zXfED^Zr`<5PXba|fX#}FRVbl)5u(_GXvIvS`4GqtrXC8OEJWN+0zJNn4mg%&B5r5G zAs7vD`Od@Ina5NNPN3_PC{r?H5e;A{p5t*wAOwm+cRb2Tn_)|pwuRl5wkt@e(mJ9< z0PMByFg0)jhtnJ`sKAnAFsDF~$tbxNg%I*{d6;1!CVH*AgM?~q54#{D0!bDC#3d;g zHH~P=Nlvun8&7l5!WBFS#JQaWjz`|)CjnwHaRmw#JQ;vPTRObAd4%uGAUysy9lS_F zOA!Qmwn`?guNEvZRXC+3(Wj^Y6y$n5O80uw;iA!gmxA`Werd!Km|Jlm{(+B<%no)lZJRT2Mh-|B!pV_Ig^AqfJt;8 zqgG96#S>o101ABkZS?(P@7qA`NthZmIHgvrRhl)QbDOpX#{~5DC-k^5Y}*=On_{=* zJQyU@7MfF>i_x4{iHws2Tn6G-=A#WJE~pvMz8fp}Asw1sy` zVyzHa-`E?#c8bKhC##yIN@5u?kXRBjN@Z9_ zz!%4g2A?fpO)Ei^<(BZQDrL6p4rl8I!^$O}dsO$wqNh zkZ5aU8oJw148$SAAR#&`=9Vc^c!yZi8->J)>HZ+;v>8wnpno~K2_#vPxH!2|?u0Uc z4d&jpMv?s)X(X=Yh!d#bK|t&Qu@6w&OXuh#SnC@F3KTp!kk$ccL&tdX$N3{+pdW@= ziYil@r(#=TE0v@tQg#lpG>{Q5W=pX$!yffpa$?shxu%q~C4qz$-Lm%g0ZFZd$|a|< zg3mb6=oCk&WNA@o3*6Vh+Qz{UE@xK<@_johyN|uJ4;x^UMuKn-o>Pg!g;xv{WP^smkO5Ll9DcA(DjV`;L$yrGS3KTrf*!(DuO%2=XSeu<3 zw#)-XC24UawixClb8Z7s`XbHH|3<|~tVz@kJkRx9TV{;_T^CKrnpmwU#4;pbVi;Q% zuqmY6>tuupI~NW)r7Z>tND34@JfNl2x)GW9AVgy~>0>ii<_^aEHm$(skjvjlrg$B1 zR||{+YBo6-4T+p6Wg~2dHz78uVd5mQ#BFN1*8ok|D=X=^9W~eU##2y1o3vQckYq$O zj439*%yp0$wq#SV7l>HK*sGli6exJoAztuIgx#1EM3bJBRZp@si7keCcl6ur`I{8H}qGUPFllyG2@wrC_IA|xOwQ1Iv@Je-rVn6aZgnK8em z%%sfp_He%<#r*KInVb#kF12Pd4HL$8cy|Y4iQCljp+M4cJ8G`y-NQ;o)RVR~#6%K7 zV%U=HQO3@WvHLwTcNKANr*hR(fdU14fLOz_ExZ3PCW-qkb2oHOAY)6h52LN(u}%jd zAli23mW1_4KupNDJ5Z)V1<6Bvf6SMiqmt-W66eexRkQAWs-9Pe@S80Q? 
z_s|%8_V9=|rZfU$luT0NN4#R29{@W$Y&XocO+ks+<7o-rbcF~pMCEFy0tHVv65jW< zXNaB*pww`|kGio}u(yaF7LNy%5v$;Sux|M!SwlV?*l-iyZ?#w3o(hk8|60Or>$;;2 zJ)W?RsBFsi+1U2>2#wvgS(aqP&~J=!iwiOy`2Y&>@E-4SlwE&mq|(W&N%|fr2L)JTJ^IEUDERf<#|G;RT*y zXsgAdQLlYOlV(`gvYVHla0Anrz%BwQW(^m`Ck3Jz)-%UIe7bUtK|J*sCn173u`xh- zATvxIG9fX-Y{+Ab0*Z;!(GNsK=^`N>(L|9;hC~F4#1NM;niCMs3{I{T-b5^bh!VRw zGf-fY#71N9#75_egd>P!h#*=lgd@>NAR5uk52eKb67zP&MwlZ=C{`jy!jUY|%n{EfOSdRDIvjySl*A-tSPzLgf=zNIDOO^5Fk+*Tq=Yy`i``O!1c^C< zO>!kER$_<~y9w5FCM+UaY(j=Du}Q9NiItcm*s<7XA)A*Q$0;#Kh*Drpf_Sb6{?{17 z2Vh)AKqMCs*Cd1?6G7nO;$lv=Q~Y*p0stS!u@t#>t_`5LoeC6uwg84eaXS?#P>>{~ z#mFOW9TF<}5H(N6?F0qIo6|tS^*ToDF7ZeKK*I1w5+VpQtmR8a!g^vfqKnwb?F4Kh zWXp1Q#;_%}%(XLyJrWy@`&VpB2??=Bifs!CB}5ZU4@zGJaKk6=p)5v=EwQrGD5 zaYTR(2of!!G>IV&GLgry@$u=L?2Jv^PL|_TBq_&5C~l_$1)nW|AyC{-1&<2ClN#&+ z$`DlWWB}aGx%ownM!Tuoxdw1QxA`@Rgh$LeV)*#l0!gyPVVk+)lv}53EJWcu(@TMZ zClQ+*F>6WT<3<8dHpvx@B-vsBZs*w8n%fDBNtP3E97n!nxa?%y&cr^e0tE^bC{VD= z*xod!K*5uVZTg%^BT2D4EB*d--XixNHHZQQPXZ#2WkNiJg9m)h<>i(B{-MdKsSwS` z)a0PJoeC5v*js?fl(u9b-iMYHlIH~Mme{z|JrbKdwwrOs1#ONPu}PEw^W>wj&fKy! 
zHfM-SO}=fD=iC;yr7a+avL_nt2|!bM6DzP@@y**|kC4nO9Pa}OkC=F3q&1Rk0g)g5 zB|uUFHp6<2*Hu6)KMLy@6v%ieLt4R}W3yh396%CNG;1U&a>zs|Ye}0TNwy8au>A1o z=;ZXw_{6k(*&|aCwjQX8+o?c-f<4E2!+HOJbzZ{BI3Y3lMd9XRvI2#ZZ#f{ozB>6n-~q@I7kY zM-NcP_-e|HBehHtjeu{^@muFa!o`0%o&>hlYfWu!F{o!~IK02oSqRk{>B-S;NmlBdo`|I!8VB zl?XC_qNdua{Xj0yGNEO+XB)TJq1TDXK@kwyq8J4VK0A;O)=dssbT;k&&fJ7E$9?E1 zd7xt!@`4r|$3YzYPo77CSA0{`GhUy6Zho$AU#-)buDs0X zGY%M&$`DZSBq6ys*+xSc?CI+7?G7;8&Ls}iKqXidcrfxL# zA2@U(C*48_%FPB$hGVf$F5J$_%B-y^lF3O!DjJaBXcc(g=X&p> zPo})s$&)8*igPhGIMCJJH!#HTID@M>OeGM+!2@-r1zF0$u0TPONHjTe;GzY+{_dW> zvGFlh5YnQ$iNpWFGNg=R8d2ILtDv_MZD}@v&Q1C#Z(`&P`ofezfXfo(@+MQj5 zh%A5}7wnP3JH9t&bL{CIi69!LtH{R1MjwR@G?cbI!X8O}0E0nlmbm76)HX@UHKiW| zphgXO-QK0y$>ILjfBB1!{^417z!d-&ROSFgDixuvRZ|G?p`~{}_~h#C4rl?4366C( zef+@(qb{137!V+ZrrFTBcQ3cL3`jWgwNYv|GWzn#!$e;W=82MUPEkoc5I zNs!pY_>%+`6(*xhEIKU+NRrlg@T9QGuUuD?frKdwY;o=+tzppYa`nPt2~09}{g9xL zh>Zj-q6p~(@+e5;M6_kPMx+iRBOyS_HkkniX0*h+=#q3xss|CI!~Wv=R7)W-{s9;5 z9oy^&GaVEwW!O*<7Kkt$>;Mn;5VjVYsTR=cE(?% zMLCK>g+;qZAhtAE1_SV1I6`&@5W(woi994xSSipdE#h(dxNzmy;xJGV_;7;?5W#wa zf55a0Jq{p2@9wy4x!4j7ZK*74rIx@4uNm37z=m66tqdX|K~z4X7qDd7zluieO_}CR z7F4KBc%kRh=NXhRD`3ibOz;VT@;iLKfuvQKoRrX3z3|FbtjpJbLx%)jwl5Q7k z_Bem{oc4YHiznb!+nZ;co9X`98B1d{%*f4En35}NzR)!Eb9M4)?mFBVxrDb@ICbG! 
zo^RtSqnH>C^EMq4waDWa4HwZA>||?c_c?K%drdtN^!wLCo5qM3A7h4o;!u2}S?8CY zXFS(teCzAPZ8_O^8DVqk&)a$?Ju`dULwo!AqM62^4+wW%E&KJ?Wm!pgi1#+9&!x!G z$&tJ*UrIix7LQ_{HupF>tT0$3Q=27rt0Wpi$`+oV#*Y#s@MyI?@xNOR) zG)yDa-c8Q$P50+a$WGcV)6vo7ZpQGZvZ26u^_Z3WVFstR>-@cL&Ubx>zrOPf(8Xfy zro1|R_33@<=W@K5a(^GW93$6a5M4>do)X05_f$k^@#`0EtOQiJ$kX*-cS=f1C#S}g zQm+Rj({`{;*2Txahz$1?BXa`(T*Mt0wx+i%{pU7NT|ws9c6yy}a@;pFZx^_%oXlF= zns@Cj$7kn=)Rt-My3y~di!Fom^x7TTykBpwM@xC#W2hbOoCLoH5Np}D450QqI^H;n zG-v=eCMzQ&Dt>6W%5*nRai9G=tO_?1J284%}2N?+nM!J9%M9P0zzwsLhsYO&BD1!)+ ztxOw&ix@gYM45_P4~Y%-GsqB3g8-y_P-Q7J3p~G2j9|ilAi)^~Tv#TefV@Garhq}p zzZe#R6^SgcZ6eAf5HPH9ekKW ze1O-3V+cfW#0(^;EnVoGryf44DJ>tV8|o9zJTgfShLuAka7#)%X#Ts{vrY(crKFMQ zuof|r!S0%4FfksoY+!I-f09m)W;rF*nZUA=3B~feNjx8r(46ffh3-+h2_HY}{AZ2e zE9KAo?;U}LKDG37kFPeu+3HG}hsA-pE%%q@rMbS>x}QBmYsZ@@L+))3Hs03Cud&^? zi(V5-1OslxJpZpX#=eI~!Ji35b($f=pRpeUt<0~M+isWVgIM*nx!feD`-_y*zULOw zvAj2nzMne3)8X$^>ly$1(UBqlpIyI>t=CEaw=|Lc0!IH+Lf?lb!nhY#d>+q6Uk`;8 zjn~C}K;e{M9xE@sXG(01sNu)OTHMN!^4`e@ra-UDrHQGgy5r6CFw*Zv|7YCY-p|p? 
zKEK19-(UNA-FI6Pc>J$rN_H5gr@#FjZWIkW9`k-Kj-%*;bThm^S~Rg!SF@&LL1oK& zU%e%pLJYsJ^Xf7mF5(4TZx7=!^p}1<vprSomVu}Ul0-02nE~@mYGpQ3xw;4 zV1D=c-ki*2{e16!@dgX~18U1JIqm(v9~qZdH6-!jVRG>T3M7_*176_t`2h#&{M^s^ zb9Y%5HOE(#i9QDh*(65SIRtBE4g zj>1p!tu&5ka1FyxmeXxMNLEzu;z&*lE}aL;^{=?;`W7Q{f7gn zhyauHO^}3363`K%=(A}tDrWEk-;hQM4Dm#*M2e9DBCuhKQKWuu;QjH?1Ry@DXeeeH zba=Lk0wUQzT8SVAQB*3^B+pQjL4}EhLz{&sp-_t$o;4)lbg4skxf%CWpgE*FC6VaO zv2}FvQGxOtdmB^+^N@LMog^h=s4vrcl-SF?q6#eo{uAh#kpu<~qwh4nI&pURO?44wRHU z$Rnd-kK@f&MOv@wUUNrR)^3kO)7?>;-)V*DBdEMPq$Dk3p6AbuViVxJf6k_{JK1mz-5hzmKZ9tcjF=b!=(3yvC~cZT8!*FM?mE+HTPrfZUWn zMv2^<>&_*vCmoD_?~1-#Dx{p|G*d`%sK28;5C z&*h%qT%6ngR&?fqk(G^_s+!ga#tEz4Qh+f7JmeG<^n0B~_UrrnzrRq&;&1HYrud=puSYFIwWekna@!ct;UoMg7Q6wlC#Q2Uwe|GNFD)?3h#wZfI2 zl5&2(ud0ZzZ1ddb_mw<2-CPMWv~sf3T-js@Fht7z+a~7py_;^L={vo-*4=%l{MpJd zU(6T9tjUR$NFFiqyxo3ma&{J|`?09|yprvE;2tO!_!WNCjKUA8?AzdF61z&JQga-(nKckFOFV@Z zi8KR{l}twHY)pO;L=rEOn&d*oi*5KY5kX;H2q5;YD%Fp$=b*)wibddxuc;QFo$x_Z zFSgRn0|%le3__Jlm`sUTKa~qDG7>ugzX!uIv(21WS8!y_n9O_i2!suJWHY5tV^qyp zx0HkBBD@ZagaU(jR&TucvX`te>e9Oke0wu|zgPqGn2$+>&*cg3E^(3| z;5gtGtmjME$TyS}Z^{v8!iF)?KX`EUXrOmE3kRWv8G@klF|55I3Sj4@&pK=tKnx%q zK89*3NXg4C;JTPM5sYya4ZKbR5YwNnrl~2}JfC-IXB*lX`&G3(?S7!w_q9HAwhRB) zAwrEc!204ORi=6)_X!t32G5bDAo_+`rln(q^}bodEBHP!r&YJscQGQZFH;GM;1)&n z=?8I&9R%w{C))%9OCjDI7$Rd)|I56DSEa=)ViYTA*-Gt?kPZ7;X)ctSb!BVo3E}6! 
z?(NkTpZiTto!>F7#au22*3-gRo2}U`;=|UX6z~Q5h6!{RXam5<143STPcFtB@xgvm zgG{N2(ozs0RzeA8A~%jrOU%)VFJ{vrirf|ZoRUZdy`n3*o4>(%1q0p%yZl`b(yUVh zARkf#S+oao_my?6hu%}eOMYFo<~}%Z&O_D=p;wCz-gqx_RD2NV7BN&I2#&JJMyU&K ztSoPCZm{mtP|-D8I=~ZVVqIO^TG^kU=?$oJSYUL<3Qvbytx(Qp6I@+&xwaHEmu{w- zJTb~6BF3w{qeauhrzg}=PlokumM=cQrEuBXwO#VUH1H;$p#p z+D)h-!kNED2>-&}eI0f0eax}Q_0)NSMDu|VN_hD!d?>8mnfh(`aR%sretS(j70857 zDqhu5(~5w^$gGBp3x!S#xPpBTcjh zxGb}c!ndko4m`br&*#LLb@XAV#oT5y7xA4}PeVsVjla=d|Na*`x_F3B64)4&y!_XF zQqsef%h);T$1+*&!8i?lRd!YeE*`eK`ROq?Ycq(3S^}`2p^U+O!{L}lX*eYX#TB;iZ)$7Y3XU*fR4lPN?O_p>h`Ziq1*0Eapqz_RDx_+W$YJk4pfZ9)f zu$GiMMSwTrx=y~KH;=KGVs zBq+n{=)lN{GU{P{%zgWnw~}w1fmFcC)zml|HmWMe<6UXIaGYVNvvRqNCu=jq(X}17 zR1kTu{F^C%@oaIiNhOA7?%?V(iFW*fr-+@AQ&Ch{+ALxzPIfm*4^GSA^3&Eul;rPuhjs~z#!c$o8d}0w59Vb4 zwz?i~C+maVpE5y>`)(UI0W=t^W*rN+IEA`cr(ft)uhmAuu4H((c&H{A7<%^cxFil& zJS>YXU~|rJcqt43-6B#=vXh=&euR}Zxro4j-ctVY%_>Ve&s;;Ev0a_QJ50Tgi~syM z;^~SGe>5gO_5+KLmUpUfZT#34oXX4AmWPrzILfm`>C>IJ&8K8u)RFh_FUG;8yc`|! z2!}~>y#Tc|85(XhnU)C=HG0mkE|eR{OIiQHhFZtAh0VX`>GB>$fBA_2x=n7V3k^j5 z#fBfb_F+=mn#~b**bHR`I*LMJ2f=OX+D9$UQOTXZFoL;;0&tUHKM4Kun z$eQ0HE@O^>uaH6-avHfckNiP$)!HGpbR&(jp<`EH+YSLTsm+JcR zf>w9*AQFPjba^c%HTI0nQG#&hbuuehGAb<h8kI!tP=wLf@EuVCoW~fy1B{P?Kw=O(e(jGoffl zku}+MnFE7E;~agF=QuX`Ac^%-<(@qA?!0c^e_AgD8P(vW$UHXiTal&hHGIII^)Mh9pUYwR6&@fIb1v^bbp(bVLs&d(c4u z4d7g}#vYvplW`@d!zG*P3{i|w$VHLLDBmB)-zP|&X{tzXn(4^t0X_$BhzFa!Bi;2) zL6}TTEAYhrerHZ$B8o>dRjh8>D7ze>s`wM3vV%6-pqMQB@T}@U`Ya%wIZ)Ia?vUds zZTt?_r+>N-=npXla%f1Yk7E4^O-M>OePu7A1R@o@O!$HFoZZSM2`r8{R`mYak`c3z zh>|`MBFrP-oTHSjSuju0E>j`E0f)k1MSO=Rr8Sj1ETse_PnNf=@!wZD$B@Jngq&&y ze^QIBkE!dRk*wq-P}I`sYCt{H6w)drDP zb5m7qNo!b_0U!^9kS^Z3v%Uf(2#c<|oSKSeIT?EE*s_Be>U5i$WKxLNvrIDlx9e;v z4~rr}t$3YTQu3;>QF}^9X=^REW`Am;rb^SU{rV@lH{U4u`(NFUu@kM7-h=)`zB2h> zw6vD^s^QMbNiZzna^MlI*S`jTL;qxqh*Z_&6cwq~W(K#+(uKbO=M*N;3>xXxchy+< z_>{W*7+V;WuA@2Wn_MC=V;pW|5gI-?nR(58FLpnb@55GrjIv@4(b3Ji|9gs;SMc-& z1}1fpa8@t?1mM)HSgS=3QJ11pU` z*tedkb6sdB@_#>E6#ojme+Er3H`H`Qt#%eQtxmFGNA{Jj?OOturD 
z`rRl`pxZNnVeDdiKq>e=;RT8XKj8$@YMfKNVGS$BNKQaAta>IDNtNTSVgpdrU;|uz zrj5IDK)D5e^A%sxCzU0@86AIyGWNQ>?)gQ5%{eA>ZphdmYTp#y0i$=!h&eD#%qq%d ze{5Vv`}HaMTr$w{L+3(=TH=tZTiZQtLSL;+SQzp-eWq)N+SM0FVGuyfgE8#sYQsBv z6{*)1wD#>_@IvY{=w4WMKOZ{NkD!12oV)jdJwi*#(8VA&I)m2rx%T>+Eu7K$?N9CQ z7@BE+a4B?W9z3({4%#sO6r0-SE|hdXUHj`9W`HM`vkey?6gdk)5Q!<1VXP0uNY>Rt zeBza?*}(JMv2n~hum-#mo#?+_cL5R}CHnwgAkCFjzJ6@{3zWh16~vv-y_=jDi@vw* z&7l@164H{Q%qii3@##gu_c?#&xde5?_f^*LsX-e_se}I0r>?Z$>{}OS=eh>k@L`r( z@I@4%zdBX{)kPW_ngrZl!`6#3Rl)2NXJ`m!i1dtfYvx=B^-Y=GLpUhbq*@_LSd48v1TL)XGYp~ z4Ol3CypsPGc9Rc#O7oV|lr(gHH+u^bdO(ezvLesm$nIuSqQu}j7#7^_amXt=6p*4A#dZ4mOeDwGK2_6=pLqq zg`w}^W^C8c?l)zhVOQUBh~3e}EjS2P)5EOIZ%&Tp-q(LW|2hv{=h5y53}fMhUwes<$YZ^OwN<=B|!H73*4D5ax>oXelWL8F^Q%!;o7pv3Cqa6$08VceC-W+d{!W#~ZnD zTIcOuL)mO@EB3^=M?~ndHt%_eJ}}x3(Uw97FG+&U%;Wmi)xq#Gn%FW;VRP|#{@NIO z*n!&(30j*oBw!O00(c%J#{8uw-chL?f`CgB2d|dhQaSJ)Og^L4^%{j(-5gn@Vd;^ zRV!iG9JPLfbT-2|t$$Np|6=`1R0mKDP!ojE{T;mFGrsE+_|$iI+X_i)*z_7rE7r)y z5`q*-{T|u#I58~5a6KBRk76Z6U|+qz))p5R8`myR6J)VK>z`eykf2_*7RsO&Vg&af z!GfPUQz1_Oym)QNM$6V79}6*2$(y3+hH&3_!3}d*xit@JR6Wy}Shf3`m@G2pH-X=i z0Ex`AaxU`oiP+Tqk&!1}W4#y37bX7pz*1RbK`zDGk2(@&;?j=^_lk|sGZRrNs-$WN zgf*ghCWW_8$2a!gP0P^Gx+7$H2(42~Vu|+Ttskw_?!AI3!l)5tR==Txo1Qi>1^x4D zNhpT^RSm8rRz2C+OA^8bSM6B6U&RzP?080QhH$wlYBi>YF;s|yKu+SeWzByUt*Ay%=7@{O` z8E_#KF;W&_W|I+48ELTm=yNC(#Sju`U@;gFE0iIx2FE`UNJ4nxC@7MN9wZ{GnD~@n zNCjd}k=#h&J?yf3-1T83irL>N@nVr^Wa5Fsg<{buA!3a{{Ba;cBqk#=d~}@`!65PA zMoLoepa&ONR^{!ZU}5cHAhydc0bEgJWN{>sk!a1mXY#`mQ5ep{k>Y%g?~;#VFiC~| z{n3vrq=*}{^-NpCLVBY7B<;7l++@)-ijKG%w)Fdc7Yr#S|KWrLMpVUirncD(Gkhvs zo`8aH)cV9gRK^c-8I(M@J*GfM##xTtF6ZmbSO9;b*XwhB(PHC%!zMq&7*0~g&m05o z74Ds7zipkKts54TJk-;MQ)}3>Grz?yG*ts$c$V+p(N|SeuzylQyT%B}o;zMFxm>Gj zYj&rvmBDNPQ;xU8HNhy8YT{>PR2^gd_v}^&c4WoZo2F%6UuLt~l4NLLvx2*VN9a0$ z3Zg`~d6{Wt)9ZdHF;p_8$!GwGvYQOe;{5&c67LaAXG!G*tMs>27oHO*3scWN&;XzC z0$_#!i+%FaiYLbOn_v z(EMxXrIo`nc`A)TuhV7!y~T#!ZX1@ix!Wm{Ee2@TV7`lOcVQD|8j}%}LBG$d<6dFu zXp6)n*;t)i2nk29nT^%$-%CwZ{xo^9!qCjOSIG04i#S=S1QC<)+~D?V 
zt~jBA|IusjCQ7t4A@3@5Onyx2pUp2w1-$YH#<{ju_nLR|igK;FL0d^(-2_d1|99tK zC2tZrIE~@7Fy0`PR81>xcV`7#S5G4w=lg-gmZsy-R_*-`z>0?M7N8f5Sn`;4`n?WK z`{uWM>6{U%-ni6^OKtq~1mMGGaXLzHNMH!HJkp5=BMJ`PoR#lk>&d*ol_@6%u1R$A zVpm%h_$JN>$C6_JD4LR6fF&_6Ey-XL?K>Zpt?r5)JGhae?qP%VMb9AW5)>}BOobP& z1`CaGSE<|IQfrpnns)>kiHo z0k^yk_5B$rx7bDO*sPq)PS+13yzW`yqvoG}eSoBH9u^)x7M`{%)$?g9Y6_9=PjN`S zuWQcEPOsBc(E%jVyXv(jzP5U_{%7=*P&B$|@X;5zeJ~YfCBGtjz{+Q z69X3_(Q(=~tIc~bqR_LpIe7(k*4dL&bA79ONnVuuwV-15^lh&QGALE!G>)r$RfisT zvKM*6#pR>?Sk2HMNmOqQGrL@`FGA7;KRz+_d-$6L)m-k3DD{8NMWR?yFki!h@F30Q1>#iEn!^5in zYlB=Y{BwM4(6Y>BES06|MNkV8K^}LeowWsz!-pDPyX2)ufxfw>3w&(+yd1;jEZZj3 zBa#zS4ZtRP7RI)^96I23_6Oy#H+6p~4@CR>%W=b=U? zQZ6R@|KAItg9ykgPPCs2#THD+L|Q2UY#2oxm?M(pUUFEb?=lpKe2^5GRQdIngU@K! z7B6c9je(SpnJ|o2AbAZS zMXTN<=fnMv))A8MIGc030pbg5>K)mTCG_7~->hmWB^2~LSUy*!RLtS= z{B%g&=G$8FIX*!>QZ0GliZRD54y; zFpMV@bZjiG=4xj0dfZGYxaW5Hpok!Ac~QgIT7D=KRGkTY~g3MOjsFXgh$zU^gC!saW{v@G#8nNpE}ak?J9 zdArBse)DxXX+44j%-qW4b+RQZ_Bxot`(z;*&@Lz7`+js!`pj+}WBByO468tc)-mDn?$Q)9`r%Bb>L{ilMV~oN=Q&i0J zR|>Q*@vovrDa*&kOy9X|ZVioe^3Kxvg22F?-b?s@sXcnziOFM%*&_IE2V(M`4Zr=a z%!gVUGD^lt6dpiJl&-$-gO){XIweW&Y*=udog15)SRWspTsy%SWq=7L2!PF0(owY8 zMT820$Y6w`Bs_|#jA*0qAZ$r6kT7GRwDV-+Z0W?102}R6u@GAlH~x4uaH&6*4a`nT zy*bg~wu7YNq;NoyAPI#w+WEha_e_E2)fNefl2?_F#@%pW0OiPkiXlLOJIo5@HY(Rv z5yPY~0@6)cqyB&si6ax_&4P*-3>-6iirgaa06-qsMSbkB!CmM|EHqVln^_&L53k^|>+zUQy^MISFKYMQsaPFM5MbGg;i zvRU{S-7eRuM+nN+!A(YnGrgea)LsOncpKs^AC~}+Ru#=`5<@;T9_ACIR87bG*%Dt_>urpEp0?MU;Wk>HfaEpSjmWK7JRcGc+`v|V~ znwOf<`by}|_x_uDcXRiawNiB2ty#peqtEy)yc3S@NyVvv|JBjL<|fU2eQE2>RpijK zxYblsvZyI*AkrO5x{hJzt&qN}cI8BW)yz5f$Oj@GUvnP^=XR+`nI3n{^LDpehr2Ct zPx<@wW1gVXCl#BX-FELGWxVfOs452f($3DpUqKoSgaC3MB7c zZEb!3v%Mxo!W!Bs_?b9(1cZ*D#SDidw-;CUt#d54;?o?T{YObfyt*pjD_)nQ@zXqh zWz8ghfqD0TZq5nGTWY|t9^RQaypW^UBOiHQ_wI3cyn2xM+N!RfT3@P?m&?Te2Dey=vv@q7-Ibjv?^T6fyBn%w@oN|vEoiu3-MZCh z^fb>>rlQ-_QEb@H8qv^xhYG>sK(yuoc+v>uM)L{L;%JFn|L-K zASH;Q!-%mmd?N}mRp6^u70ktjL1JXePEJS_P7IQh5oH6keJ%qpNQveF2}kO-S6D$6 
zIl%vH9&tdTkekG4u6EFHRlg*rh~+Q83peMw@P%B@lZ?V3IjyOSW}S67h$hy$y9!lF zI-Tm4mS5KP=q;EEDmXn7Rj6MKF=|$UYxzqT%YW3IQ)bl~e%8}^A6AkjUrNe!gfTj2 zw2Ii%>B-4MXVI)j`1{%$UoutF=UW#LjW!&!Nte&L$u}xS`>*=@_Z(g`RFFX~GYN1r z(}`7BU|}Af$-;wC!x?TvwH;J`J7#k|FKhNbr1-9&YoMOhDp#%O)a;lmQd3VZU#u+2 zMh7BEiBDVC7*vVhQlB`YgCpZtRzv7tfT(Q|%lo%cGs1 z6Zw59{Haqkk))e$sIOhlYB_I9-Fh$@Aqyutpl^#;5w&fG2c}ivZf52{Pr#aplqYg`wo4uW zcqJlYhXKU~wPT0QGt|^RVGzOH{(SX0k#EXCmH-GH6VNC7mC)XuAc6iVqYDRyaM(?o zTS6{K=-XZ1+`=UijK2Hg+!1W@aqf3>6*L!8CQj;`-vFY*f@DJr9fzUV4Br zii9AMytq=e;L+o21{Q7(TS6j6zqfM5%*$q!2<&;E_pO0Y_nd~zut-5DKzR$(PtNsHO((I1SHtY#V&AwNd1S4hYGAekBEqege~VWtR91m;I38helY z-Ah>WBlJ^DGcn%}v^V{bQHQ>2YS?I|zK z?ZAZM`aMGf9DMAhEY*Jfwd6C6eWw0>C5t1ow4>s;RLn4nlLan}^z(}IQ1P~*jO3i; zS_nVoC@vyul_G#RAtfshObl(`u#Ke5Q~1b1MH!kqx#d&>^-QU(InXy8k%@K6tWvUh z<2-xD2kG$*CV}|k#=?d|(`y}pB$cvoGd(jSy--!W1f)Xh&q1W_@n|3gwCvLmaWl#P z5adR~F~FX>J?|DR%h^TCL1JfN!r9LdwMjdSHAQu0@+c9#Dc-QKuHO(Z+$K)!WxuP< z%cmt2yu^2XeT9=i(6bModO8mqqP>jHM4KHC;9mxurO!1+vn;|3`z=#F5bVt zce|f&cnQ0GZ;GVXWS~ehTJ*}HxYNPU;YdnKP*9|aBNL(I^y3lc zk*H@LG&=Pl^h`@Evvi^nAps-_TcU{G8x}zhmgSvQr|Sy~yI z5i%KUY_YjNDi?==j(&!@I;|fB)OVX+er84wq+fO%WCChp$qP+GBtOE`82eRXYkb=J7@9F`n~f4ga8M0UQv^{*80q2A>0IB}=x+n> zx6?Yd=H^E^qhDS}Go1ckhnfbS&uzcGzXmE6zW?p`o^E~Qx&4Fl*j^&^bGRuJ^gbS| z`!sQI!NZ6KiO&TEsY6Mn;Zpq9yzTeZlGpP&sW{j315HLJ2iNBhuo2AqZ?3NP@USws zG2sul59|;8XDZS(_@1cqf6VGg+3TKiy}Xdj>;5^J68s+MIu$g~(-!%(5x(Esj!o@F%fy`E{??R7Xms2Ls2?frfW1y3Rx zSfuc&l5Z5^E|43vY)eZ`foksiGHCk5hn^K=X5SV(pO~c|pKvKh5qP0+z@p;fb-p~Q zSp(3{hTSh!?tqfahvO>u+ihGdyoc)QAVnIlwfkrYHIZqVs4)+FFQ2Hv3N}d{TURm$ zDtu}nWNyq!1ho5`BP^+o5kmq!jta++&=PLo!>yZ=FkJYxT7B_=oOb;VufvPytmvJ9 zQKR8Aq;X6zp0hIU%zEwWgXeKBq;{Pm^$PVt4v6ygaw*JW!NALAoHKzoZ}Gw?848dK zBjbgZ5F6>HnV8y(!mJcm3Vd$6E-mF$g@v6ow3K@Y-3IA)&>dOtetZt6W1^Twd}?tTojbM({~&#HO-QI_Tf zpYLHSn$d6naqhGfTOEX+JCYa34DNK8Ii<9*l|x5@m{~@q%)D!bPe6&IcLtR}Hn1;6Gr*bm0@?w*8 zOfiq&x08-np1xDR(4INh(L^lML6%6Fg!L0Cos?C+Y#|OI4m<nE&Dz;Q-~c-mjsY|B04ke!2a{+FkGp1;5retKL 
zb}pY8Y~UdRPub9{n6RKgI5T56IyN>uJFF@=g2v#zdIriVrL4`(H8RtO3C&Eo4Tz{> zC(KsM*?QF#srFW~;5It6H$1r!Byl2Pt%;BHGZB(DyF0&9TG(CH(T8fj(hZ5&I;TIo zH#>Erl~JGQB7RdR5&yM!1c{jrGGU@A{SWOxdvK)Nc^Cty42Q(Y^ty=4mS?s+>~n9! z_1FRgmMF@$RYCc?`P@p4?thB%bMLZV^=A^N+FT9pdPr+TSG=aW{Sv{Q$%| zc*r#DDd;nZqzJ}~B++>o?1M*lljmbu;&f@Q_cev_>pwcr`QUZo{r$Z$>LJ_3!8Dl< z8~8BN#hjNrFefW3-tb$thS;m*0St9?^J^qBP(}G3Bsa+#lS!q9oq$ix|7yMA5XHzJ z?hBvS?O^>LRWhD{W@bw0x6g>WSFl0}vfdQK`9vxf6rWd*B2$05lq55D*6G=%cQ<;jef`e4;3#J zrIAnh+s*Yq!H&fhPB^^ATCNh#vSZA&l@&sd_Y8|(z{pQ@48LmEVy}Bf-d)El?DL7o z_;N&$J3@{AycQ5@0MHl+$2kTCJ)%NnqWz$=k+9-SS(+MYXlSUDZ0+rF@Cn1uaVe!h zO05WR&n^iG2{mn+U!LIj9`u!5Sg^6z$=6JN8@A1zx^uBiQ=n!JIF8Hjfl$ucA0$Cb z?uL^yyM&{A)zJq&g2gFY2Z<22i`*I>iCpexeSj${1Flmbe^AsQRMR5&OdXjj>q%M} z5I?7 zhvg`ms&X%XUwvagfJ=pR#Dw{R-CD*-RQT3fs=xfh@=Z!(-HNK_*ugh66|S|#osPkC zRB{Y6Eww2+iZ$D+^6rbnF<&%rqa$O5$e`s%&QAW9utMsRaa-mBtevqJ%qvKNk)=NU z5Fjb#1ud-VLH2<=CMP%j{^J-7d;Ho=-+8IWcPP0jS_+YwQfa{+R*KIfj9;~m9Xy!$ zZfV9m8Jp-^Yk0mY(sn#WLK_W3as?j4Q7UNA@zcYfpHt7U3)?v1# zkVqbdc%t0GPFlyuseYVgW!c_z6uq^E1FmK>+SlmPbgvMA0RtPwf``Ej%zvJ#nSMLn z%s4Z*)3Xg?U}Eb=B|{Tyn1S85v_8+zN36tiq!6tZcNi>uM<-pg^T&K{e1evSp^Dq- zY483*FXkR0E>^fNG6p#x0;!D>G0{u>IsQL3%;yA|TbUZFUI&_SbY3Ump9kOL<6~7- z?=iZ2Kmqd|%X8SqLSpE7hf)8n6a5@LUAv~{Jc{K^qX?9R_U5T8u=y#5W#+Llh(vq6YdTvkb1@gab-}-rlrGNS94)Pwgq0?)9-nW|Vh|sZ*@b9SuX3USmByG3 zGw`|IKfw#yYn2uiJwGA8E<9SHK`JNL88YVW- zt5!7h((x;BLl1e9h!$3;pDI=M5Zjvi8)EvMy@Hi3*dh=RWF!f{EP@YBi&$^a5q597 z2r{p)J3JbUmCIOA(@Zj-^*71G5%k0&^fZszwpceG1czJl>^TM+ z`|RvjaK|&&uL1$N6d*#DWgKA#9%3aBQHpAi^p%gBGtQwhrV3JDT)Ge9~dUA;87a({-BUEW{#vPw4VxRTaXm20wo+ z+GXyn^0xivVCXnzEDe(l#Ok`xv26EyR9I_gAb-63#wn6`ABFrx(#h(%*)!%Ru(oS= zxHXuH%8SLZGKq#JUb{Lvrsbprpj`-(2Eqt9f&ifczr*)Z<8XU*1&PuR4l?J9hzbSo zx1|rtn0DB)X95!ZIJKQ3fl^PtW5a8|=rk}}L4d*dY)D;J0O0Hp5T?1sIoD=;R zUDx(pN0p{MX3t+E6%G9a(}>2#-ac@t6rGEru9=3PG};2INyGQGA2@~$GiBwM&I~q( zs2kp*lVEigH z`co6WkVd*J&>W#IXm9-Uu5m(ayP2i9{u8x@Hz$e&%QaZkh>VY)5s58gxL>-0M| z7I!3JX&Nv>sM%`@yG3N{<>AvZbvi#|)G(-;Hn%sndHF<*&f@a$0h%^VGFHI^1C4;= 
zXMLEiU8m!Habr}mT0+nvtWd&xE($fpW!z>r*AN)r} z(q`${hBI@s%a`pzNtxDZdhp6;?#?XXgk@3X83&$ZjHpr_mHqt?HubpF!rc2EA}m}o z`0Swj|NhEGfgucKt!&ExQWF&2nmuoG9flM|QAcz6R`!A149%9NrXk=udmk@gv!QuS zRj^=~mPC-$@$$3U4ip7M={}>AQz8bqXN zB3EsMA)9-9%|^aYKEZkG7>oNEG(@Ulo}e$U5N>HA(gwX>p{ZsH8*1p7a+DaSS5{YV zWn>8Fe>kkUq;ULao-ht5;`7P3sd)*q$n)KQibREcxvi_JP-w$hkpJxJAtC>tP$+!>tU65QPh?hq_!zVp1_t$Y7ms-~!!8jdu5y7yjt zueI#FyqvB5Tnl?z%gQ>d%1TNcZ2j7sTHepK%beu+o`1$Hn8GoH!4#+R+(IDZvA5F2 zdn{BF*>+_}TB=wDL)n06e0a%Fb~LitF)U_XO>qfi+M>aN>JyayfgZ(}@}k|0uE_Sr z;L1hq>cU;MSGcwZf-eE@4Sn5D?S?A|&q1wqfK#=L5ARU2`lq4{eGf86pr~{Qdn4(bv~H{SbyZn|IIM zzl#`ra^NYq6vq9fOB^q@SPH)0-QCR|)g-jT!6}A)v#s~^^lEPMzK>TqaUueYONLG> zsY7FMzjxs?rg(I2YK-)sPi&BSZ2a9Hl=}4=oTZm|m#eFZ>56de$ zZ|HCrEQ7_TT znHw2NCBJAIhqu+jm%gbSou7Cx9WDd(>&2!YIq*AN*3M4zvkg@Lc67=k{0PF!(q`eg z_4dkf(}yC@nWmsrL?O7!!scwsnX~8PBvU|(hQd#TBfm4CQ?y+;ZekGhXU3~mVocFG zffmk}tRvtM4S6fQ6GkUwSD1@d6t0o0n(Z~ytY~Hi{lQ{xj-gbDN0>tw?oz8-4CyWZ z$!w;p$$VFeSa^&Ml?02D1XmHIpa`7qT>wjnnGzRci zM0b9i{ESR_Xzm@qAog4&$S^jBU#&dQ=3G@208(J-8ZEo&PG44(BoW#`KM2>Fw_X;? 
zAY44enW3Dh&GUB2SfYHrr>8d?UnIG(vckhizGJ|gk9{I&kC#(iT%4baOI(OUW4Obz zEFn)c<)Xf_gsuh7c!mfaKXeqrDZtGw%FP8C(|W?LP|`Wo0XSGNDci{62soTVCIOGP)ZKjU^~9&L`AW*j)Pk>%)+Aq&+J_ya7i> z*&CTyF%FM%Gon3ro?SALNoAvrc}rdAKx8iS1BIsnAUSHz|6^{Bl^-(OB`C16{XrN( zj7MCYi?8Q=oTcXLY5P$X3#w{zCgpCMoQsM&gh+Q~|L^hj%*^26!ph&KbrNP~mO3#X zGdp6^y_31X`)nbincRi}N|>ZUbJAs>r)TC!8@Nq7KBD$^iQ7-toC@o>DCiel=@WAk zc`VljjTY>sWEAuF_(cO9sDZTzXh96yq;UMxox8APd<@XswsVJ4#)H~;Od@gEidWZ zBFSdQ%svO_RqjBkfcgNosDdXo$^MRvaCmr#kDp19DK-P+S1hzxP_XB*6X)&YoUM7H z+?Y3#p4Mk6igQ;xF~z~w*##|`o}8b5p&+^ZN8(fPua%wCQxs6^x#>Lul2Qqe)Od+7 zgxk}oX$2e40)F@d7d)LG1l5gA4@V)>%cNR7f~%$6*J#;D_B%=V8J-3h92A73 zBZ5qcWnGsj>pO(hDXYeHvie|me9sD0PrBi7ptf|f3ZMAv%=D(BS=hneC}Q5ZAq$_O zEHg8M`wt3Rh299>deN+e^O2dpdJ=<*kS|fi&KG%DBiPe^)=n|^Smk%KBy%Cc2RKC{ zv{IeUO^cR7oIy&8n5zt4OSYSIeD@2vbv}i7nJuzdIoJ@Ii zAoZ?0eV#XdVR-ZRC+jbg-fw&#wa89f11gyU=93}gQ0XwiGpCiAS`|A%k;QRE(g0#4 z{Q8J*@y{Y``HX@r_ZmJ#!`V<#(I|(_xnf{uMvAl=GPKA~R}zvR@`)2^M6C~c8rf`0 z1BSkK1is$cta;{z+e#b3gf7sR>_Cd0UpSGzc1O0MQ61HSDkh@D6g69dk>KkT{seVB zRQQ3Q8G=H=$2>sA!6KPSif$Y?TOJ?g6dE4e%A1(c%ulu=3h}s*oTulUF0&HD*ohD0%c*8G8Bg8Lg$WpqxzTy{Fb)#A*T{}8sDS;*Fh8qIEL6aM+8lU z)MD>&{;1J|92R{a)c+6R*@T+Fv9z2QS|!3&>6Q zLW^p!fpviMxI?(36X6D`-;EZzytE!R>;xN%NQs^X4-KN|Ka){Lgn%zbi`H8H!i+O2 zX=sK_g2F{BtM$7}E=2`7=_k8B>7Z~Q3JH9;t1fktE=;eF-^A;EBO^n9FdZf4=}_?aUY zVR2d}w3#3%6J@O(5h@4*?n>cJ$vs0~nFv(*+9*a? 
zpPj6<7zB2mmLF(8Vz$~C@pHmu*y+k6|0qmS$Amu&!iD_kHIZa-(fp?AjGJh{o5r?; z9ci6BGzNb&^K)c2lJ@%Bj1L|sLYE-vBGgzoLgF!kQQt8>Y)Cn|g;ZDcUKOEtbKS+o zrGH}Vx*bxhbV?}nX@cn!f)EHDp&}8C2%9Bv4JAN~Hu8(MP(9f{niwlu*7+y_F?53l zEE{IdxWvd!=!*BOA-7;A@y-S=RFssFkQJA6KFY)_Xq4)S4ulJ8kre~~r@jdYPLc%q zTIg>~AzG!iBF|8iDtwW}Lgm$t6yQS8rYo5R+YlB~6>=lHM<;0wes;{_QHdlp3IZ6m zU8b07pf-1~Iy8y>cSh@EZ4e-GN3FVhMim`DMG~AAmLtxOjGSqY;K8J*BNbC*rxQtj zG80OG$bz&W5%n=By}#ozOo|x9QM>v@>d%gBrnE|^aXD*>mYt_xja;bDpeS`NoMH%R z3|JnPaK?YTWPvlcDH5z0FXyO!<2-zgUsqm^t%cAud*W%&*YTHSG_46eu?~;J#?*{DhG(W;>gsAdyv3STCBY)|7adXhvMTHTdgRr4td|IW9Uo2osi428V z5Ik-aAwCmIQWlbjpcJJWWTWz^%DzSTU zACwG|f}GZm5%RCRm}5BX#9YB5}FO6&=1^+gtAGCfuvAlsk_Li zyokyncbLlx{~=AdqSQ$0>4~)bhBei6(d0NP9Eua1(S}QzRBEr$*n#bMqn(M-P6OOv zEE=)WjD~iBWhpgTWg;fr2v*nIja&;zbxKSFsarHC$UHS&lGg55>=NOw)@XfrxNOM< z>6hm^Sz13q_JWZWERpIhODG+l81M|vsb8R)SLvcX21oQV6dR5yT3rq9fgo66mQ#Ks zMR)=#2}~`cwW19(7!#hSg?68!Ac>?+4L@WDb0>(BWTm9T&O~m~G+3`Gi99H$$*(2H z?$>1i1y>Xz5lk(kaDrt1nI9C}rYYKB05zxg8+(A8e=IyeFO9bBLuFFphZ)T!@$N(@ zH~4)6uxYH0mI@vdn2=IgGiXCC7ZV{_9z|Iu`Ln7cuIzAWD0GmFqHL@tk@;t8i-9iu z;k|vYkhR?*l^=4+bSzHkB3qrp} z_%tvFgx&$46l{2&?(E-aK zz&35kiDE0v8Yp?7Q6<>mG+{L0E+@G-I2LLU}RI+i^0?I5R9FO5938*f1)zWk|j5^^Fdh=q~=YOk>S ze|XTt^@!LyGRsX@0XwyOv#2?Dr)c>s{OSu$+T>f@n~w$Ia&;a8kK=&e)C2AP6?nQTW*x~i$=h6o&T0N z` zKQ{_^>9EDLwPOH{*SoIlb{tgZ?MN1aMy!-n($xmdMym6_%Qi{`XNrk_xN2Dx_hZZ8 z9Jp2=&Y4O{A;59vrD2$Zn=&b5<3CFv;S?tuR0HbO!0U&-rVP{144~I5NunATANIy# zm*RKB0d>@_Z9`BPT5hz-FUsKFiwyH-g~e*X02mtpaBCcwr|bhr*TrnU*Kp?j1X z`S6(fcMPh$<%kwsJ^prOR9Msq^tnQ>wL-ZsOjvp%BZSF;cR4`^gP;{>L){ck@n61u zf#}j%d-UNh?F#IJ0S}SJQt^(La|l^yz6fkn@1gUNC3^X$b9??{G{e9}z;&B?t2@EX zNM}CxQfEGp?6&2LCO*AM=9uq4^2w;LXfa~UDg!ju{R}mcSPvqw!XRiIi_IKebK+xE zxB+zp`VhT^!pKj#I4$}HjM+iPL$*P=NSv6>AS$DNVi30s6Hff(AlM2wsX?-Rb{7f6 zBcs^MS))gS)?b8DQLi|N9%CS_!^V%*84-p?60<3}2u_PemdC0wz#YK1C?1#vfs>N{ zzeBy?k+4yrL=%B&tEr3{tULgHQBaj$6<{mo=Fa_{u@wi(?^mZ*S8qKpsJ{BC965sRKnOKnuNZnJv~D%LcZXC!*_M$}08 z?Ii~&Nl>5xJW3mYLwWK0%NG%IJ*-cFks+0^D5AnjDVtHQ0)KA?8uFKa7T$W!ydb3& 
z8lXk0xbh--#kN|J5;5LwtNYxvvL9Vps*@_bu6wCNF_Twe!|AzreglLD6M7ah=+Kp~f`7gu$ z+0cim({kY@K39jkMo(+m6+W7gQsfDae=kk)NwwZ4mmsrScaYIH|44UP|J&iSqu~Pa z0RBasTI$HgY)>MTm8@B$l&0UXMLfN`_%oD%9EPmqA54n4%<})1Uv=^yLK18JVIy__ z+sp7*S`x2m+w+5ds65bEFSlyh*nHidavPFPX%uPnB6*yR|EPC7TYWPS^!p>we- zANua{mbVb{|Emo?2sPi(aq8sY(D|i!ckP}8Xbo~{^L22uH)>@1;`O=M5MzZf13eLAYwqEP=7*01MRq%dc+K+DZ@msm6bLS@2z)pz`d@ggfL2e6D{EMd zpF3HpRnc1xNKA)>h*Bz{Y3d7H0jp^4^}-opoK!<=<=gI>pA#2`Ac@Uru73$BwCz`-eKSU%e=Mb!czSy3I~2~M^C}ePLLtGBPECEe^m5MhhjhAM zZT`$%|2Xx<#{0dk^U=%NMo=X2*KQIVatPL@gm?30<>{P}L%vZ}5|Qx6z+1QV;qD0) z4>t>h88Rk*a^n1O`~6L&t-bxNpJoG(MkSo}fEKAr4vGh?RA0dHA)KGv>W4zp*NLdK zafUHv17pP@)^bpeRx&5NNjbo# zk>#^d=n+fS%;H2gK|l*BlRt_9%A^dE|A`3#aT-t7D^*Z=*c4M4O>l*SH$r3hBZZ#w zrXcB*b_iiCTVXEe=JU5?PR8{+CRfTolY8hpLKkDE8G z;K81*lzAcUQObD0Nj7!$8Rt`PWAUv5jE6$rM7yU}f`UQh;D=51(p*kyS{VjRT_{@k z*QwVyVrctNYgIfmbaNCw7>LqTW4V&f9|qV-4^xRoy*Ng`{*FObh_cdnT#_3T7V^9# z^AGLG!+5No;2%^|(J;}CI#vvP%DT2$LCs)^3yq>Vj7mf5BCHSTDA_QIvX6(9WnQ|F zAf}|!;&!ME0SxRW{Wme*5}$GeJH#fH_oO6ZrgYjbughCR^_$?H(~q znNX-$dW&;K4(zfrG?o+abZ1PF`9F5mI|N!-+cJZu^$4Bf=%pPTss_yKs&4&6$rW%D zn<5&bJM$e#G;sl;X$nyv*E%eP(z3GA3G*AXHEblfT9eL)A%ago|GmHTjNNYeUtMhX z{Cj=6wY0QcW%Z*u%9hL!5ng+|48$03aaw1^kEO1|=&}n%<_OSN@zx%Nd)Wu$o@O7T zBiyeO%UJY&_^lIy4lDd5XtEN6^aq4rhOeMP#X$>tsQY1FZfGeBp_Ia(B%y+qO^FOs zpiaRrp@XMal?5xEAp64GXUL$$&A2us(Nas<ba+g{#lX0YkC)>s z4XS7fY4(2T8bUmr)FOjH*GdnFlUePTVMT?}E)+4#IJeR;Q4L538#8EX%wa^(c_F|k z%FHzuM;uG#2M>-SJdb2v>SqL~!7=y6WXqN>O-Vc^gprNcVI6f?7tC>Pn z)gs!W3aAR^rNQVzW?CiBYmP&iI5(AGJDx0TiGUy&$V76Xe+8L!25p%ph_)VTsS=Kp zMn-CW=Mz^f6htMI7@`x-3RITF@pOxLG+JUiC}IrVBu3EX+;Ve{waCtC?8?MWh|gB4JS zgW>D-=z@r-KufN^qoU^tWusPF&j|11*^^~pW;|io`ALGTwIXQTtn=PWUkHjX1WwZ> zD=zXj-ExZPr$*o3@e$!jwB{ zU+MEEi>_tC?Edh3$9v1SvvVN!X)_ct_1$lKN9L3K(R0m5?-i%gSewKP|F0jVW-td; zdfp}jJ*~SmZ-hqsN0{MbL#xVKt{OlVJ>@v_Mf}@PR`!hVK+|2sdU&e02Hu{zegS z-Pi7Z^Hs>>)%N$CoERBu zcVCMJ10ZypM&@|z4Tk;p@A2EeQHJk;gl^@d4#m;ug4>l|O;6!`LZRW|VR1d71r3Y?jeW6E`Z4HX0`WM7zet=PK 
z?b39NATe-^AYxk7SQcTK+8A7TUCXT~5PS?JhlONgy&!E28MQtwZ?&9cG7Ke%dR%_> zYX~*8Y=uDL_!?vzi;#&y?XqU zFNiqo;^?s|qsUE9;B)k#D`3ElyGw0>F)PbC>)V{-Ll9N;36f7BeL7M97IS}n?aG}! zkfoKnd2D0ugx;nU1+9+3+RXBgr zns09U{u&#N?Dx-RQCbI@wyI$r_M02`{bDFPdyN-PU9{p|^#lh`p#Tj_f}|KW7008P z`}4mrC`J$VyErc0+cwXOpvN)1MV8TApXN^P1|l&5;=ndAzYqnSH=^Wt)h!1V9$?oc~TU{XL|4^JL{=48v8~F@bh>IY0sDIa$5=#b? zs)y+CSI)q$YX$~;sdd-Z#@6pH*XRA|Z#R7v?)u(c^;HeC>zf;{dt(RR-(EAzra$?f zIBYKw1;(R0wfOuU8+Dg*4nGVg#W*5Dl#b(g=`4sRz8cFeWMZoy&UJZ@b zDi#Hy)t((0xCew)NBsFW;2!>++k6ml+aDPm9Bgd!y=DpNqnsfB@Rd~j2X&2vp*L@~ zifOwWd;#E(WMBwCwHChlyTxE)QZ@dpqobp<)0kbrmjva*3@{CD6|&ect`fh!cCNQL zt#k)Iveb1qI=u*24YhsU%K$Q!wFdVimb#x!cJtPTE_GE7&+jgQmXvB~N6bo|=adRlf@^ zEgi0{Rr4vRajIE$Z0SAOCujUG!oZkVoREW5*}O%d=klNX-#l%0wuscwtBjss4zsO$ zb=~!EiLJK^kEGJZ%RxNP9wyJ0y;IA=m_~(w$>Q6vz~|9bf0cgpcscZEqc&gFvtX?N zA>?Kblop~ zy!v@N)!Kbuvux_`bbB~?jwdGDdn@XGIPv!KnAzZyrwao(^Cl;MY<1agcSjVPxpCh?@GALaEE>*#Fez|Sdf+!Gq+g7q5FwF92^CV-KG@QM~#vJ_qu?P-=BTF zQyj;&!Z@JKl_-pq4jDE4Oq)8|(9kgFAB_P)*(rnMOZa;a;B zzV`fE)c^E0oA~warRU$v_RH2I;Jkd{y&d@Y>%%)2_|w1VWfBq+JY94i9v;AzM2Qxp zly}=CQ7R)RO`nP!F@PU?FhuZ(xA|x-ZX-L5BeDWK0)lxU6c-D(<&=S4QE^`FHev*d z&+M&thGhSZoZIMLfC{~~jm?oj_f0&ox7h3r$FF7DEGYmwp+rRO{*UaWL)3fhnW*AN z|EUNQdhY;xy%ws#|= zhczP>BYtSsRrcF8oXpYCJmZX@EYY@1>kl4xESZv-;(}@AX%6a&A!HjpplPXQ1jRD~ zk9*wLxbW?XYR6SD5zouF_MW=tnC&fRYICX?7-66Hr=xGzp%gz~E<61n&TpOqWWQRn z0R#N>FFp)}HQRn?H3bFaotvgstM<+Pn}G-E`b#w*%c6M0q>5%|HQ&Y7 z%V0e*Q1sp1+=R1Lo&vUv*}eCcYCMDoyee1&;pVQRAX}$4k{81Sp8V-KHE99J3>6tM zqYnJzF-AH&Ys$Kc5Wj&&7sREUU#W$Dtp*E{AB)8GluGuSa{~vb>enRrR+NvHxE;D) zfw@!DSdN(H`#a)4zUM zKD+OJe?A*2nIqE~+4b#y{WJdZaN%Es^|z{iV*AG*kHUv4D{dhkp846?_odwJl`jA3 znH?-z$K^kb@pT{wUn3)=x;)l?-^gHum1!46_nTq)9O+Mt?RMKFJ4pdZB z%pv0T?L?rH?1<_4*|H5BxOM#*WBGQC`0W}K_33T<-+!b9Tv3+@$U`4=I-Q-DwY86r zkA)-JJoSJ@!5#-v`^m}b*4F##>gwlL1&eU&3H8*~Mb2A;d3TDfUrQ)!Id#!qy}p{x zvzZEi`!h>e1<_+@19r!0*vH`?v6i6P5+3gEdM86aJ@%t=@bdDq?*7V?=pu*MqyoEJ 
zJtJ(YPFw!9(A(D@>akE0qn$`zetu_Wb6{?>v9T%pcVpY!7oqW~l|iaHSxBSv#Js8KE-hB3eCne-#6QwAKl>$wQwK3hT%U2a4QVBKX3-G++ z6a4P)E`u!NPTTO3oRV2;p^r^cd=oIT=AMRB;Yt-)dYRPG#B3=LSr(lE*21x7f88Qt z_7sAP#Rx-*^r~3B^8bDlT<8w0$?DEC#-HOJRDko9lY^wd09>-yijwXRAHbb`^?2mAj{vH1U-D)yn$`~qBQhZoZi zd>Z?JFB`l6e-FApFdibFj&IH;kKJh4IeF@_mY$!d3q|i#q`^pt*3#0_vAKUxlT?l~ zX3P5w$gG`?B+~$Kt;qP@Q$Ww7f6wD(=amsFzU&VwETq@hqYobf{?>!0VZDDR{`;Hw zc)l9S=_Z*O6e=trfQX3a00r;!)3lDjxorHP(Wqu))cC;che8Q=gTaOs|Cy&BsUB6X zoxOeeZUP;V)nFd42no>Q6(eU!LsRS*dU^KAzpJxzUIU_xlStP;Yb#oiRZvj+LDq|) z1h)}Pt85KHCNsDgn9!f~IvG;Jk}Fg|)I`!ciQ6={q-e)u3OWUaDNlyL(=Fm*$pzJ% zsD+$MT)}hCa04Gn zyt^Q`bdS`z;fq}zYIe9f$w(ndrnjIMKfNroxz}p)wJoO2BX7HaSWD-J`eg> zPPXk=-h_>8W>ouLuL|fw^eRTFj@eR}gY?^%rm;$EPbwc7csL0>c(#}%XPxlIoS=~# zOy16MW)|RU%sM*59}LRTVv?Bm+SncWdo=OJ?3v9d^bRI1{4&0!L&>a2K31Uco&-qY zfs?k&blK~&w{7w4^-U#ks?zPaE-o9#fWtPS;HBSS7HGsW0e`CO#HC@{ZuLn#ebN~d zA!O6!fRZUD=UefqUq4tMf(V ziy}E0+1sf4SGR*PJlV9evNA+xhS!fC2!h$6p`qTF8${&f2{P1nDAh&VD;HiXSC^Mt zUH$?~*B_n;9Q4@;kupxbQfj&R$OHoq<0kC`PlgBpnRa%Q?w?2Pn=b|5wrqLLT-b0# zB(b=TRa8|I;}XPsyj@K4%NWr&rt;E4B@JkbLCs7t)JsUk4(9RNL4j0xCzL@Ov&z^( zFlS$*q@tjBLO4@w>5zI^;S41uDCA(v!Dh%}qYYh2lnqM`{KzjUe21}I~JRyO|`2pvB_ix@D zHP)>-3(>=^{FkqnQSa7!4KGK&>+9+hFAfAEEv*!n|O(U8Ri z$27G)bs$mrpMNODBq(SuA=T>`ky*n*%VZ~~jrw>tep7ABcWH5X?h17A@v!QaUbpKm z%9>INjrcTkAyZ||Z5VvVrNulq=*ygzQc<5TyE}(#R7AW~I;W-B&a12G6OL;DWjnz9 z8LtUnr>P(8noK`~vRKcbo}o0xXCJbbjtwO{W@N6J1y|o-#JbA*q5)eQnq#cVs8S-U z3uSb$#@AQOn7IhIR{umzxk+{acf|PE z!h)l|4U4zPce{)ouiq)JJAI)&&s9Bsf3J(E$8Jxn>fRyW9;O}n*GEQ1hGGd^wtfon z^W(=3t>_w~`X&C_3!ZNGzS<%%^(pG=%D-a}uJLu$_fumtqcmt-XF_Uc(XS&DciV5) z{}lLika-ABp6(IFN*wxk_V4t2n{jjCwBAw)Pqu+5cC<`nMCA8%NLf*LZFy+9GebY& zvcW&|s}$L+dzLu0Y8>i`(uGPm6vvJ_dT6Z1C*E8M2T#h87;tDuem#^y8QU1ra}uS5 zn6AYSd}N-Gpd7v`Y)7dOTRXW*8NLu#J2I+;Q;CobcONfcYJ)YU;zUnjYV>YU02 z)++3NjhPGzb6zs-2n>x$n1}pt$GsRZD$q{E%Zk6E*L{7{JM+b7uP5U>yCJuq37ilY z8p_`^$#_v=bcriA(d(sh6;tHeB&NUbd}g)1m|c> 
zkejvr-cv7;SqyG>k#B8RXQsTa=F&xmSzAilvFoF|)ue(pU;bo72<08X6rWyS%hF3L_~f0pa`@1M^)q@}jtOTmbvUu|I4x?{q3eHGL$Yh@ zZFXqjXv@OI;5l$9kw;Vcp(N4e1G_5#2)*vo^Y(W2?H}TYztBrA-A~r~`UIWxx^No{ zJT_As9iFjoZLzl=W}Jj;>+7bz2PMN12#P832m?zsxqvRMY}KMvX{m>%4vQr(u_J%% zrn77%yv-<(u@4wZi*9~r`68Hi5Z;+T4JS*0AQ<`iTZ0hLd(XucETOGE4rNE-a1 zp#I${%1G+eP`n+>|CbGX%Y>Q6F;@W2mfl$Bga!vwrv4oxTuLbq@(`SO>?YLevi`hQ z#nJOHrd-$aKE}e)v#_<5(?ir)k7>Aa1F$0v!@e!`?z-ZKb=HwiL7;#Y7dgiIYdU>M z2xTwL{Zqj9`vYLzc9efq;9px@Tnyx;MMcmFw)*6M3|(Z`(Snt_`ud)sn>c|@}iqXd`kGP~vfZn^>+4RWebh5kXU zDI1@l&{kNo4wWwh(#!hKCuYDGf5-WV2az4*rDWLJXASAA3b>sVSYKP)`AGany#PwC zc=p7@d86$ncl*^^T|JR{5eulBc{K{i2P;jn*-QpYyHGP?Mp}v4B>&3vMgUGX8xpLu zaN-6E6q1COXNwfur;rq4ICKN+q$;ZyQ0kdym(f@j{%Fzz|1l!h2XoiHRn-E5cDEyHVAzCq6uDb*G9$s7-zx% zS5s~wftRCi_m4E%vu^fTFs0g~$0O&Y8}lBb9w&be{H1YDad7R4OjwS(v8-TnVj@e$ z-_CD)UaNYZPqyDCZ{}@^Z&<@D1DCJv&`YwFm24^o2BZl%3KHd3E#Y@_EQpDZZD z1-ZDA)k-|HtUaubuNxqSe?|g~wO!3MYgv^!cz}DOCQJx3W_CNdi~a^+x7_L0WxIdA zM{QgL9QKZ2EMwPm;&AWS_m`ZXoK)<)bLXiYm8#|v6BDQT6aX+3AD`}XJ@pi10vw+~-eT2olk_22|EsQq>Xg425rW?8rf&A{J02dNU#}Y za>P;8V73)2D1LepPTIXeM{Vq-(a(fESJ?X!%?$v-UWVgIh8gIu#C^)8^>_v>wSi37 z5o-wtS+lHl?ZWi?xZ|9%l(19`Hk!<#+n|=(*k{WI1FR4QMiy(Wlfh&f`DeuE#_X_3 z=i9%zJccIB*;0KT9p}cZ1$esuP(~T);G@Qw*6Nz4CG!>v!=7 z4rGJnMx&05PffBPcXK-A@FCzOeRZ^3gZQ#2FFx*5XTa|D>>gsbu-EOwrm@@Q>ncFY zFzp5yx9kMp^J7&QJo_~6#!f655=cew7K=!{{dmC67LI>cc43dE3trE6`Wzl9`e$R+ z&`E{d{#F$;Bo=gIMVBr13FISfc6*%;&V~YJaN_K4n7*tnvE|Y;AkN>^OEOHU#eWy}JzSX`AYeB^E_FlJ zj2jBo;^$xccC{Z}9GO7&_BwKNlWmxvhk`(_1}J;q9q(HHN{EZY#Ei%M)E02_cQjQR zr&v)F32tD|QX4S11Zim+B2kEZb)!!TqY2pilT9O!8R&Wb_bJ!g;slKe`+iJ_bjnRy zo&7f{p;2dN%hlFFqk(FQntHcZ&uc3>P%fT;-ky`y{7sxCZ}fo2B%8&=TD>)85p10B zjdzqOVgmn;a1hu7B4IhpQcHi84XRjAKX{t90=`p5Y4^o}utd1wwLF&T>IRq+Lk=K?If)fryebnxvfr{9Z#?A^Sc_Hq-Y6=iQZmy4t7_^6hzT- z(gU!VzzRXY`ys$Kd}lKnNzlhXsU{t3n$@5M}_-%X{{CWmmU{Ukg}R; zeB?kdi9oGz{zGjod+Ms&10a-(LrzW}6&sG4qND;UOKymCoK2yhRy<5afRBAgfBWhSnF?0FIOXQp% zqLv{8oj}`5Cn6#Yy7S|A+`j3bGU+5HHXazjycZs|YH0OvT5Am~@8rS;Yj&Y8hqqXslhqo_rRHDcvDTY<0u 
zRKiX&?RMQejM*ax0Nj-HS+C$Edv!NiGfC0r@6TWWv(--fJ~)~^VSGKcV{5X!l&vsk z(PDK7le|;i2eqw6jZsh?D`Rmz<^gzeWQOX?zkU!qbfkyPlN5?oZeUf;cAT

bv00 zscD?G;v^n2)*Cz6aGp-c7diJjn>ikNi^R0cu(Gz}r-7Bs7`+mkx9f9k#4biC?z57{ zFRfN6P*6ri^KP1TXeDx+*Vb0Z8%G|X+2hasb?Hj;g7#)oPJ0FcE1;-w5o_{}T5%h) z>eVf`nh(h3Z^>9$5FZRTQ)Wz{G>%$u6aHZ3PVyX?->J_fK4aU{?(2jtdU#+jGqjPV zD#=@Q^jyimsByY~_p|;EM3#g(m{}GUF!(HD<30) zi@@6pGLD}QYgKj5j?L<5Th1zdOUKnkm?Pgn7A3 zt?>_^ME&+}r6YUX7CjdPyhjJgN_vKs`Fr&ag z4JfV(dE8B0AMZb-U--ek8U*IAZ?4XXit>5@yTSV7LEk@r z|Ee%nK|DO0Oxt~|9RuVRa+C6B8NHkQ8Km6ZwM>e8MvKOsE{$yXvRpQQdOluu8PFcO zzodcw3rb7Ol;p&-sZohQxEXI1q{APcQon_xpTjU^@}wqK{LQ3YM!SY`+3pq-6l9D! zZLWv6y%lvyijGs>%c$DR*{NeP{Kn#i#I|Bl0mSH)f^=N`w`P>@kMvED)gIy=%gxS zwU!j(K})QaVc|sfpgD}jsi0yL_a#~DW?@#81sWK8uGsj(RKyVNM;nH)MKSUfI_bn7 zUrX&yU2Vzg^k-cD*beqj4(O;#W5h)lD&qYE$yOzODPGLyTujzNf9to*$2EB=mfOOseG)q4zTsO5@~GwQs=8#Z>jC-{&kaz~i~p90j&YqP6O9ntyIrpd?MGy*jmXbexK^f&)UAT!CtD;e7ro z8ip7tepE&ON8!X@7oICxqgIy6o%1F(twNn^#MS(PdX0Sn-twVC%bH)rQ|3vEmLNFsEgGR;r;yy7AfAyJ>1_N_$tr$+xn$J_M3G zpen}vmQu5Q^$#dp08+N^E9?(>Mm~+s4D{-Tl6m?0&4xAT@#quV^DwPA-xx9d2#C^c z`)0nMWXaI~g3>nkY;fDNsvn5{9zIj?D7u-;cE)@>*czk&4Mgl&X<& zXkny*qwMR@0RwPB&`G&|;7y7DBs zRW;`|6zxVx!T(mnrWdEF>Q*;g#tKjh@QG6d354Y$Cr(xu`FzI`{F;FAtj+Lo0@6p#EA%enD75KCB&|6Ye| zax*Wl-EUlI7~LSu^QLqv38?;WLy3l@e2o8X8KwnHb7mc9uUn~@O>APH*~*&Ya;J7F zwa+Y$89& zME0*AcIHn~(}Sr{v+4ty=z!GjmMe)>H)Jb*7a zyn8Oe4GA~LNnVZvdtW-EyUg48$XNLg$ONSX^rf1M(g_6gtzxy18OHBAi{?vybKB?( z?H)OZw)hwj3Ov-?YxelmDcN?WU%!^g#wHTDa1}1t*^^nJ>I~dEuiXwoF%Ih0s)49X zd%6^kF8mQ-iT!)NM<4J)0bPUPAdiz@uod5T@)?Oh=L3G?e3K>%K-M%6u29-?c0-_8 z-qLcNrKfNYkPtV39uX0w4{r z>Ji1W;Hb!CNfxBwJW?~q;q1*%UBFF5Pi{yfK?kD)V4A_{xEdL|F^7u=2kFa92t>=+ z+50Tt%YVGgHL*n$67UIvK6%`bC&^y5kkcsU(z~EWg&*@os#9kOzDSG4%vxa*P;QxA*7HHKph`=-L-uMz*YZ= zJb`Z1|M1_TTOj@|^8O(H2@`+>1KfI>S<_tzywm*c{jBGwjW$(epO+Lt<7~UF>O4>+ z03uHYB8!~*vM%ym2yH=?W-a&BT0=%GT5|L-O_Vl{_M3(1B-4rE7i!7|6vDXrA0#xh zH4_;*K(=^FiO&#DOPNkgYQ{rNWaa-}yk}PZw{PF6c%nBoOl3(#JN8;sszTlPsHYod)=bo2)X4VGg+mS$c#IZI0zopWbrqEu@b^0edi{I&U*p5M6cVWvj}+XU4k zE3|7m-XwDqccQ9pe5Hy_01Z;9^Lw(v)3EQmf&WmdFG0LkyvF&_4Oruy0|QJ7r{4#@ 
z_XF*wF|&N78eddHYE0vfkzW+!e7(FeYhH)Jg4(@Wd?*JYQA^}eT3#>k(hP=Jj7GLr z*ui@NDlb&pY{!@{jir8S>KE5!i)!O@H6VCw&Rtto%HdPl(ZKa&0IbZL>`|KmS6g5I zfvZ3hYW2Xt!0PWck7gJ*J7cVj0e}fWZ{GgC@*Hus>h@r?)bGk0fm&0^o|_Fsm}OiY zUhMISjyHVz;oa@k)^y&M78o}U@y-$)NX(3W^URkiW^-5{eLC{8Blx5|)_{lqnfpo! zdZ8O2ci|hlA*NeB@ZgFMDgmn1h*M->#P`6+@2<~(ZRHABgeg3)e(p?{`VPot1jcYk z_xBKS#OH6@o+D6+0`Qavkt38xj8)-+8EPL=*LM5`^>A+*nDql&eV*ctm>kPOYnA(E zFH&)Y(pKc+QENixqXxJ7SiF0x3MXTcL@WHFMMI;3SbkGr5wn6L+wICAo{JsMD=;N< zBPhfSLj@GAo_FxcN;j4m^ZElCTtKlxEzh>%(fyAU=nJ@N*k#Ffkj~V^K#xjHOa#(+ zHaDRlWf>%VzL`VMD^O~KPhM75_8(*#nX8bNfNB`@LTEeKwe?JbOES_c`C($Zx`dZs zh|}?}%1nz}GB{L8f=eA^)2cYFbIB?(5$7o*5NpX+l8JloF2vN*t=bhxq&Dj-eELDv zsT7AsbV+76bMNDmy@7nQ-InNATB4B)>s4;Sm@@1=%%U@>~ zo8G+-EkB>(<`#b{Vl0Zh8!mz%KWT+OB&te^(F185Se0nCE$lk^y7ysBjW<+&KI*F2 z)XPmT4v1`8jj$yti@zr63uP%%)sWzu#}2pR87&W294XHl_qp*_s9M`M#UxX9#PaZ( zNux&T;{1MQ)S{PTaXP9z=*$P)Ndm%~y7p0}a`0Q-UU~m#3vnX~M0H;Dr9y2^o<97V|!s83ZE@Z9V ziO1|Os7Goaa~D#^8R4g2RR~C%uwBM?=f;M2=i0rxQ2|swvbYOFcYJ(DXHJ?sa|jk3 zbjcN49d%a@uo6wE1RmxAZ!0*VQS+9sD5+;~^s36Doma&o|3kD09$s9NnUZ}HrK*}i znJaLzq~AW9e70&UR{?z?O)%Wa?KZ3d7({k z=U=NfH3Ll0W>vU=^1v(Df*_k$2o~V)ABQ=+_KE;E*WrvH_$CzJ9BcwdcyItKt(6F30M@2~1D&esouvB+9ov=_t;@Obg6FSv1BToU!}04*`N~PEpmp$R_m0 zHy?w_~vnuo3z8x-{V`zCpa|ZO$ai;@SQ*49Df}N;eYujStTpHCU0DFCj zdp0$D_-sYWk#M`;FSqTTgrnv-A6n0QP53WOR zVmAB{Z43$_spnlw2p7mT?@G-W)Zhm}Dk`k?+7R)@HYkX8XYM9ZS`Ten>dXemNG143 z!aFE`b$^{{ZlOo8a=Or`yL40Gs#kCuffCy=xhZji^QKor;ZuZE*J zJ$&GqL>E-WGss2^3u8a>S`$zILIE7W@}od}=|=K3F)^quobz*Qx1w4Js#}=vx5yOU z3v{8^GfsuE^V=LlHAzApiBiq& z5$ek;HN1pu9erg0BrMVD0oY?NQ<51eKu7bJR*!v*A-GJPV?~P~n>5$Ioqal*-vPMI zct~gb}?;s(aJE_w` zWoTieJ9$doP`0j~<7Hc&lv@ZuNBoN#X{~r|JPn2gVT@>-EtyV!>yNmb4MRE~=<+eF zj1nK`f>sSHjte>T3@EtCnlo@RbgYNJA=D_jxxKZaiIS9ru9XcSQW5+YYPd-@l*4!m z#HoB_)t@Oiq2x}DtrS$h7JXyiEk?xjzaQVM#-k+TZ+8P&Lla>|ZT>@>sV6+62XeDE ztw9JO{c_hHP0;#{%tyxOvzkGcBXPkrgV(_aQxzFZ76KdXer46vcS zqrTsrCL}Fx6UI7DhrYB`b*PNyfXO6!C@wb%3zEBuylx=mw6tM8*|P~YXHdj 
z@3k@!oFko+Q4(J?%b#vP{k=EvR8HoGA730@33F9O0m~(_N*{X0!pa!MKdTnp&B3YD(E}@g8c~UnjnmDAzHU(S4pvE4RTRLN!Nc6?b$#gWGQ^IZl zdl(djXXcD%iDmA#`AF}jQ`Qgz-ikC!ms4t8qzW%+Rz>A6%ixoG;zp9r>6s;NXt@lh z*6CW2_5OXa5oal387(ur1i~vplgyNDgJQzn9XR=p_59a85(M+-)5nib*{@^@w0jxPujZP3?Rm56Yi z!RV8PlvvpDlvu~czw!%7ZH~Ei>BHGtUZzZZwQeSrR|l?7l{x^XAX%Wt#ZkB~0niw758;xaAA=%fm(6sZU#GyUnAbRAmgDA<$&RyhKPf^#$- zZLURlBylyL*~%~DJY{5I_@mZEJ*BtgAaZu0UXBZTfv(8rbZzmcg;!YBnbJfON4*l7V*SH?RN*N^a zP1=x3h{8wHmDtEG0=GL;=;JmZpFBk)Hwa8FfWdEMNQ{J{V|e_YZXU&o=WycIB+fP6 zg+BjvQt}$m*|4e*)PkNqXM;`E3~x-=3}?XnZ#2D5o^}fnIGk>zYUSn`65%zHwc(=i z@vR!;WeEwaJ79V~44!1nV688RMd9Pi!EvEK<56Z!8p>YCX7aY^6n?(AXNX zZLyA$R?n)uVfN`ZQuy=vU3}o$JAC7TzFUsKJ$HKz!uS+51I9Jc1`rTH$YS6`!YC!* zA(3rdRen~EZ6fn>EB{Pd824>vVKtHa!7fB1XKQ>Vg(icWmW6V;TuZ+v%sIy%AkG;Wh=mBB(+>86PE&V3wKY^JX^?5)=%%-KJ|Ca}Us3V!TTvHce zQMdU0&XiyJU3u8Kg9sVT+gq>J;N5Spx;XJ^`8QrDQ{rlawX`eTh~07UJ{DgPMHgo+ z`8v)QuR^V$FQM07o}VtMT?_n2Nkl0NS`IP!>?STZEds#h!E;?+gJC98v^C zo9H|7-jlR}FDL76HPOpd>$rc=DS`3F8k}&DEZW-Mnt}|s=II7+S{6icV`S98MA)lT zRAf@rz-&r+Z(=Z3V!8E^=!u-T&^icjwr*@4r&w}lMTUt$t1*8b*lb3ajbFo^O!K7u zoT1>uoSyF{4!#+M50zT8G42ko=Am6Kh596)>THcFcX@`fsNFG(%>7b>|4d$PQ$0Fi zWk)b(JGWN!XcMbrfVRIlS$nHYMf9SZc|}Qbrg7#<=1KyC$Sfg;e6vLF$6C!4SC@vw zc7%e4Et$krLsL$jKl_!^VNW5i;B#AEwI~&%>}vwGR4xC7?4vc&tZaC*_DYH|uF;EZ zHRmsNAf9GB3`|q@;~Cz45;Oda*QcH|%kIAk232czLOPaUv ze|3A}wF}ed%X!~5rYrnBJNrT&osTRo_;WMy1-t*T*zz(Wn$LG`AqXL zeg6LLc-k?Y>E}b%yh8uIjb`o`*zMcO7q(xDe|{vlK&k*!_n-Jc#XmuRHA=%Hehp

z+-IPtCojvKW>oy)AWB(82oAr$=Xw(U@TDMm z{e;XLS==9adO}?qelzrE9!rB$xCz!?py>vgJO9b@_b!Y0d*q6&Fadrd?8DBc(J6%K z_t|0k-1Gh-mI%PY3$<$1(>X88SpJCda&cpCk-QWshA91W^j(nezqyc)NRBUg6Bg7# zD?rw$Bf=*vbP!xZ|r74~BYI{Cpz~#kXF8UeC z=l$IS0|WiN4p#k&q%?XQTpoLGpO6a>Mm!6G|JZst)U@i_F8h(bKcd?kKpXsETgR=T z^52Zc=c^DmU}2w!yWsfocs6ml9eQG2;@y5qovKTJfcGy=89!ys1YAeG{R*hDwS7fl z3HdC=g?8&)5KECJSJrt4a}sA|ep1?3LP8DH>%pC!F+S?M*OpQg!Ueia>7Fh=A$~nV z3Qxn|Moyg7eP3I}uHo_nxXBXQVwxv~I0SckTkZj+!>At(Px9K8Evzb2g?1Pc!zjC8^e6*pYmuln$?j~jW z_!w#vsH;!kh>FVgk@umLenTitDNK`MU9?*<4T6V`!{I3d-@3Zg)2#x3+;KF{zl{KZ zaC+JG&d_o7xC)WB>dsD7KhVINnIeDsh(ODr``3M5;HSNM^2){c#-enk#kd>tdscm2 z+wLceZHY?4OThP8+My{%<`*+?{Sllrl02&d%h2M?%wV7&oLNGqx&og<<{|2b=iA|r zt%@YK`A=$OBG-TFQZF1o>;M7invh58>Z zKDPANQMZ%798ouztMV-hkbiqxoksw7b_>fl%?5xU(f1Yz*Ea^WVzR|VC`{6y)j<*6 zSpbPWtv{cV78ASto$Esri_!6bqgn#qeUE;k;EW2^y5trWn=M_?hm6vej6LIpN{Y?l z6>H)OXs6hUhxT+dypvx5UuBl?h8;>C%g?-j?`6!+L#@r}i>T8X=U~aBI5K1X_;uCO za@}F+;|yozButq0{Y3S0fh8}84a#*Lf?DN2CxrKnxO8s2oAyJr6Mep~?OI5_(wm=U zQ2e%fcL|m&$c9;weJtMC+_F5qT~bhO&$(0YTi#t<++5w;ThjLwmzA5{<>a9)4Fas% zfD0;QI)l>FdcY?VwgmHC=_|%UE}neu|9LUZRC~Yo^&_=j=}SVbmg&jYDa^FG0evI5 z`4(&A+I4PRemd!b*A@)~zCc1??j#)Hyj+1Dl7SMd z8kN4kAFC361>ny;kIs#&Z|`cTO4pN}pSbdYxhBc;TUoEaW}>7k_YAx18-E|0fsyN41@wPZksm zx^Z86dgKz^DbL(p8Og*rr2z{qiE??NN$z1RGHA=2%cABE?R3Bf3dnx8DuM_s35ghx z)N4cq2|Po!32Lh@Uqebdh_(=IA*v&BwTVKr|aY)b;n5LTy_+9+?Le3>* z^%lCn*>5|J5BVFXi*!#+1Uf|Qyxx9_c0E^>CokB&e7=0{PA}PX``VxQ)Bb?>#{f~j z{HD)b&AMN|3OkAx$a|FT!nL^A044#@z;$oSAsKhCno~c@m|rXT{jz4yZ8N*PAJXp1 zhh-@Qep*R91RCECgoOhmc|J=Y(p6PakCg4E7YISF_IQlEUN|y~ydLSvNA>PtAtTDZ z554T`u4OB~61rS2V({pz9Xs6J*gR`xpF^se%t;3LN&0u3&z`(H;gl-j>@S}?R>w4Z z_3uPQ4ZRfLcUw76bw|#I97ml^r8$iL&)}cQV<_k-S-`()?FB5-*Jvv8r{O59pYPZ~ z-i5NrwAI@;+B_N&YBp6ZCpKhQHR{pXeNT$RXbKEKw@O(8>9p?jw@esU^Jz8( z{~kX-j?0oq;D1*6l@$+%FNg|}p+g>#@GEx91X10t_L*nt(i|bmwM7a4^T20X_UFT_ z(rY6^w`GdM^)7t<7}`Oi4&uWjtXJG0C)}pss6ug}SY8a5_C1@1+xy=DO&MwBt213A zP$bWkKIG)z$3WD$cz*M=vm?O2t3VekZ+7p!r`N_V0JDB--MED4S=l=VcCUYIx0spz 
zO88ZwbkQaz(EQn{cW*Ig^2m9;r>p1o8}I&IyStF^&ywMP;=XJ6)dL?t}ADP-&xQK<7b>#fXtYqJ+Q+D{*ucnQad(ZdR7WWqSK6p#da3(LG z2dv)*UhSRx_qjmpfsaj%nDKjv7I_a(xBn0SHNi?7PXVCcj7>LQAK8O$_OY2i*v}Lh-&7}@ zuw-$XOG~OnxH;XL468!}9R2?OxC;D!zeO$KXJ@WRQSkd5=-a$(t5#)<4X53@ETJ(q z@OZlQw`KpAhQMocBnt&~Jn`J!;{SofrLeXC%q<~~r#eh(pV>(<(9&vGT?{_xJ=)rY zg&Vf?iEn;iTtyxFRHv(%V*dYt;-0dkOYfKe2NVbS9698X!HvB7rv~b!h#{on5;aao zVUAqV@&E?TrbTxDjW3|>;6?MM;0=L!f7C!$mXeW(nYmr=!wG_@K17~9BQr2)=`E{+ z61Z(gE8;HC^3tL$tnPso@EVlt9hnFdp zf_z&KQC>N|9ouKzP>X1hv}q}+kKj*eZY zX=BMKH-5{)G+B=lQ^S2y?#s8FdcMx7!OQ77Ng+uuv-#DVdi#(?`{kb#SdAnTAsp- z&eh;zPdrrCGe892NOuf!JiVGq*_i<3s$Qme;2%o`VAg^eykR!*A7SF9ISZS3fia3* z(dKs*Qx*BECpzdW_AFUrTPT4Fm)G}~WnCQ%4YlSj_0%Qfu6QY3i=)OJ(OZRjZH8Hb z&MelTmrXdgvAlxd*kP6-7uRpK z4DO20@t?GNnJP9>3q(Hu01!zdP#)nZg1Ab+wg?Xd>&~(x&X;%`B8>SIU)u`8nUi4| z4zF9Ca;mA2$Imw`dwT+o;V`u`hk^&H2J<#*3$}2r_XgAqm?7gni)a3qb@e)J$7B3H ztERktD-H8C4^@NHPwg#K93SDk2+UqaXMgRUbbrv0cj4&v^yp=ja629GVuP>Z z{zUZN!>RF%_{H`n$0_bo9;5uWuCvw05^AW(g5rOh`{S@T&1_tg%_tI-7>y zcqt@8uxl52CKUg?>;AqHxUo_jM&kcdRp8qsldrb3esfh>R=g_e`njw`b^+Uk8?jNv zk*~qhqD1FB=yvKBFUj51v{3QSttckITqnmi=69a>>8fu>-pan+XQoXhK~StbDJQ08 z`BZ1_!Ba{bo}y*mBJ2J4=g_ZpL(VG$qnRa%s8~Ea)pZwyA*Pbbo$lIgNHv~B!D_J2 z&-JHnf4|L9TX8G0T-%+d(6}fHmS&gGs1ZXx&UV%PR(bp@$%uxGJ}ZU{9MD!yKNa6h7erO^qkjyi?x1 zG1>fj)|Bx@1;uCn7#J%v=qn98Z=eJQ#!Bfk#_n7bx8fze_*wNV{rdABzv@0$D+^b9 zgSm=~5o3BW)fu8mRq?YOsXR7fyP2cWk78`ysz&W#raH}Oy;2V}%G~D>-wNhSU&yG$ z@1bXk$RNfQ5Q)+T%zf`kC&|{pnkOxqX~;Vk8qr`a(N1+qZC)&$N8u5t+XwyuW7P|GPBQIq{8&$L~uP$jm3Suo1QW|Xs%{R+*X!h zxSQi)&Cs45?hBVYRCDCmG>rj0KIc=_nHVmcTyQ4E^AtX2LXaxJGom$xa< ztft%Z8Bh7{d7$)XaZlFHSPz?!exSco7hUCi2cu;o7oc&*=vNTXS&wH@z=1eU{I+x{ zg(-=#802Q5^ALo0%gNJ>(!5q3=wO#7%!J*&U=P}y0yU#DaO*1}LdRt*gmuPE=&Q#y6H>!X!pYIl1x`yU6i^3tMv)ivA%Q>8gh}M;sq2_s zXC7f=Yn<9;0*hEW$)}PlEcOoVDyO#jv?G&M=r=#qBzxJj-1@DvtLyR;6QN+v zw!A7gi0+xVThtvp@()6<@lXp57~oB(r~3<8L3j z_8F;H*C7?cDZ%oO*4Jfd4@*tJA8`}r(p}Ix2$I8nnhX*?_U&Lza*sZektJ zz*wVUjzu^&T18n0C9BCU9IFX&e59`R&CHFd=y7K>7KM`{ducc`rWX2sArrZwEi3a_ 
zxd+#If8A3I{lO<9jSQ|8#ukpu0=OI@Wf@5{EG76RhO=bEh$B_16A{tB3onclhB`Sp zSdz@z*40=sSenJ|CTuHT@!e|-%;5OT+QuCBOj-(w&%%WP%#y!U`)uRQImPZxafY}qh zCRb#g<$@2_ybT~lbxWUIEwIP%PsIz&eaN`T6m|F%Rd_4z;jd!YMWkn*|>PW zFg4?0sl2onaF{i%2sow`#ix2EQM>?42%>9<>u(67oppg0LiMeJV`ri@n&@KibHmUu z33@6k53LxR|66ua{x?fO_=l7LR0c$%mOR$(u&iD?5@%H%-1wNO$Z+YrUgp}E>as%h zFwBM5_yf40T)P7g&_Ak}lqbB2ZYQV5TINqO%*GXmxyjXt1vY^EK?iqg6 zh>dL%Uk;U0G^RmwOml&7%OJ*W9UgyE1@OsAtF|iqM_%Hr zh1J&EVPf34$^*fj$f(@t8kS(v1VIU%3gh(4+E5Civ~m%hl%rYEPzo0+i?u(XjQw%} zfj=D@sb?9o$u7=lSDnU>Ei_xPa?or>(6iF~Gf-8{>4?F3F$J80(~AjyCrCi==vIce$T zRp>Vlu6K+l0Vn@hWw~V=VL+&R${Rlu&NugMA;`5lXJzulDAbJFSJ=$e*eFsZzN^PZ ze9ps`3K#cSyY3T)UIkY25pL)0VGUKcSmfnYm&TaYyyjy7hT}?ucK|vbt<{KatvlB@ z+r4WF)2Dz(<)Rf0#VLFk--URjAdP=?aNEz7bmG+d{>`KE3j0pYl7(`$E==juL(H$X z!|45XR9kOlY)nEr9)DfY_e#*AtKLFGt{?0Eqrl^~)bq62Ogc%MaQ*}SYNPIzQ5R>= zM7!pQ^C$;yx;almnvQOdHOim41O0BP1eux%jrd+MsoZ87He6Y7tgN8ZFV0*;+~Ni@AO(FBDJK90PPr$rW9T4zyT4|Lt6YnDfIqm@`M)elj!AoC5KLSLdCM zXnht8N)ppxbg#ka_>9OnSK)v{piDzxVxEut=zfqacnCN76_Y+QMM`#aE7ZU^`#C?* zdZ+tIN5CVzgiNl1wb2V?d8IaB+sM&&5T#8tj`ve>cuv}$f~AbgNaBk}@V3O3f-2rf zmDGz%bHp|!2-hcbw}1Kxu3+e_D0vIY9l`)yz%!M-uNLrUr)(aw6z`vHyhmUO(+U@X zkJMIy#4KmD<$gCw*RuTv4T{>{wXf;H-`jDo^}m(1iZYWAPndKK!{0?L$=N$k+@vM|6s`&r8^K=uOY zXnEn&Yj&WTsVSP%1#Qm%UHR?OowhMXpBv-ZsP=T69l4Np%RDS5bMXsUQm0WVf}iW8 zsz6CN3nI%v#L#IhN=c+asQz*i2FiXjiW#4P6sC+9j)?D_7|}yE%-MkT9EFPw@IAlzLk;Gy zgBgUMCQznk6UM{c+}=dm2n*8>wj}~fNk2}qRJv4HT2%ifjdH<29TtzNi9Z!Kktu6| z%Ievoszt_T_AK1Nvz-T>Zd%_YSI;@Ykm4A)fUBd1Vp7?0K>yVgB@too zxlgGdA|Oe$V+@mFuTRFC_nA>?XPUW0yi8VD-+n$ObusxvF3;t&D8tJNKz-y z&Dw@MK_)x2(`IclB#%`tO3Uc3#7Em^ZK6MACe^c1aFZ+|PlU0{#AlM)b~X!ZzUm5~ zr=uI%`gr?+d%y4d;PdBClDQCx6gxR!PS?&&eQ)Dwc&F`#qgII&c~;iB9~NP9JDNxy z%DidO>EY9FY%hY3zrQ*i_V!A5{2l$lE(e4PF{Xi{hrGBML<+&0_~~?e)I?7Fxy;YR z`b8KLD+)hrc_+T4yGYYgd?UdgqxguD!St*Oq4mRaR6fWj-rFyXOu^CD7d3L=w{hhZ z1#CG7%c`enuxT?th{Hr@@w4h5N|=fpA-#;vE188YhAyI??KFOU;Hb89Pz6c``gxdI zq!n`em<;4I65!)AWgBS2AN{vr5+^?yraz=fp+PwAdPSt2>?4~;U%jZk?a|!z&nWC* 
zBm7TbI8vYJICM3G_hEGOsAN}`p6(%k4C^He3m=(~Xu$+L#!HG056idL((`%g_~D2f z4f&`IGsZsFtD4(eX24*`P@j79B(;=7Fg%2_06bKn=PrI^HKl zCZF8*W5`->F_8fYc6{7{31og|P@o8jt4|yzh~Dic$do)b3)f*MWBDW=wrHbI66+>; zcpJQ!d+BHGFhh+ycRS-Y2oLP&>gutC1g%SP*e^=QkBCT1Fec6&G|j-;qm+b^q$d?^ zuVtQu@aQB*L_Z!~1Gi7r?_L@6R_`fu6HDuPH`p|<+BvqUM>B^nbGjim9+=u+y5&%~ z)^PwZvVG0Y4`IcPBW!Y3-qQe4-8d$XS~S2fpuIb1ayQEdxS64JH1}ryqLe_U^rtj@ZIJy*7L}dS_-K3Tmwc`~L^@HBa#q3#_ zNNr&6&S#yM%2GmYo4^z{`;N>@Qmp4q^-_TuYv$x|`SjQC#Bsx;FY#lCy{_!M>tKr@ zz0XRBw1%uj#nXyK5UX;;EjJFN79V@Uu1yOeSfWH5o5GBxnt5KJB%|tag@|b<3a4O_ zN^7xmF$vHVK(KRWd6iT`S&G2rOIi%y!Rj=0Ot|rvJ zx&w#V{5P(sP|`WtwvwJ*W%cfgH`XJ_UlhGej-PLRN`y=)y2d2i}o1l6dJgR<#3cmvnhVVNkAVU%hlfxd8^2m zq=|n`p>VNd$$(9x?d9;>f1qoPs%8A@%j@O4WsI+tG2;aCK^^z0NA~EM4-6(-;GFl7k(92i6ql? zfXVsD)=>GhcWFB-M<6#rh-Y*zkWwO5Y&d~!`(@z=k}ogf=Gk@iGK_msiS<~WTylcn zuK52Q5*k9RnN3GHTwP-v$ngkttern4#CrUtSGs!}`s{QpX3tG@?N>Nf|J-2!bW&9p z)B}gqj<`tLlU)W33HaLp!A#f#X^`AInMA3|e9o4x0*e8;4M_=!Bx&!kurMDxbW~7} zpkOVzz@xVWM3VKf)^mx`la`;cPNN$q4>27$KjrME!BfZV$jQkoxW!l2SATun+AfsY zvT!#QV^C9`07KH~b=C8>H#b&Dh~g_2xgW@Dr=wKiqI7G`9|3^;5l8KadPHYKo>wOO zt5hOvNUj5JYOD81NR~nRm~A)R`&*Ld>EW1~JTvxKn|4w0i3qN&M3`KZ>Vcn(0322H zO|_>K$a_Fa7ft5RVzrDrcS8>>E2rw%8km!%D{WUFG`lgb2+fLRJ-YjbuD=J%n>LQ& zzTG;#RF}zs@AH0Qy`{t_2_maZ@nPL#hmze&6j@SGKts<~^Bzy6lic5%#otIOP4NSaX(x#nTXH%bB3JAcH zlp)gr*-xGopd4FvduZ|Iwe;>_K*8I{=?6Z22Ch=vM~*&=3H#59rHdy)tWm~Z8dieT*$0z@j8ViSi690d z4LPQHIOY%Oe6Eow+g>>lFA6>e!9;~iV+zp9;+6LZQm57^ph%Zwf|&8ZtH!Xtm_4-L zdgd3DEI?OZkW>%7Lvk%EODsyitg#WG-bW7e*l}OIWj>iOisV0v(#t3dkjhrCWMN1g z6dNM#fHrX}H1H(YaZ{*21p-xx`d-QjY3CkvX!Qam-|*LnNI@=EmfxDgaACU1+X|Q+ ziHqLn${3Jnq5@oW$XQaRIN;8#ajb9>#&4Rel<&myG%vSGU|AGe|w-fYSA~xm{o#^M zZDx~>=tuO|WDUo+!A-Y%Q~Ia2O{YUoQrOvs{?14KxP1QbMX|Kxtk3_e8*-UaFNvye zzk*t2=sXQ6b#tKS7Q&O8yCj2ZY5rAxB_B6>SzXjW)RRHtUnKb|H29ewKZQ)> zv4;$D?PFD12~qs~{q)=4y2zGe`u#sw%@(f>&?7zdCsQxWE@y|J9jr0E5E! za5UK%G^-hKN;UbWJH}zy%ewWN&(^I~=?><~M4&!eys)xjR!!4X9IV---%i1_J8b`g zNuSEHwbivkMNe9y2YDn_zu<^B%fVXy_d4>&+223oe;blPLDq7Uh(99}xiyZ%A? 
z)PDoB;{D+ySAynV9ZROhlbm6qXJ|*vraxybIJD_CoY7xfBUgfy+UA}Zt(i6ULi7|n zdyvvvkm}{5p3IjV^nSop^KCkP?$6niKhz_Y#Mk@1KMw=<&%>pJB^ZN`?`P|S&TjPm z){|STa?Zvh;U&}RTiw(qeO13zkr8(Z|p#s-P(Z5%k2~! z!+P9a4>UK>hhn~_ZcH+<$1|Blm`P)DG`U2R#U=@0@p5z9*5Eeq)?u<`=trp(7>k3I z>e|tV@jJ|{l}SZO2~mRxixeKGSd3JkF{(;i6^?&9!ffa=Lu~<{p-sWtMN?N+7Na9R z&CA~`=Jb*8{41^2!td+9C)a=bBERjMTOm@U*)p@DwPb$Z`IWT|>Fq+`Q8nenwGIcx z?7@}+c7nu!P@vcmp8#Y2%{J~tPd!Gd)d{_=y9Bm2{)P_Mk0}1Ar;}N=oZVtvTt+-! zZD{>y4JdwUuvvYSd}ml5B)+k`MwiUFvbnr`4&LLBxfjOIXkBwlM2DI@O^$S@ z;xmw-dzO>a|05EF`q5Hmsjlp*>`HZD7^@+k{I?yCa^{4xHLH&KRokE;vwGJp)eWwh z8E!_-J2z-7-joA{rm|+rR6&0`o^}rc+91(V7K?Kp7la7WY9T)^{xpPK6tL)`o00wy za51S+p%Rf(&}Gp)id~JBxcLwZom9!~_rTsn#si@8910T)9Y7q`#P1NbmLTb36HVRc z?Xi{>dd()UMd8-%8OyY~a4jka9!Jqa7%p1}I6}Jm?ngc%cY`3s{4CNzX`paNz}p_^SqA{iX#!9r%_+>p^73m7q6)U9sk7zo|?+% zQA*%nIq%r&YV=MX65?d6Gv^x8CE?8z$|Qko%IIT#<~HLc6eHjIr zSrTGh3~{~TAlH0sppkL5oDoeY7y=dfzf0pkShF~%lB(M`XSgQm!DSG7wX$MVZVahh z>#!*|vR$m1;;eIty@K%@7vGTJ-(ek*EkCPtS=8b2m%S&S`y7-8$0%jJL9&D zpy|B(^-P;w<|MhQW8f7;J)J}6G|uUvnKl$ zr#st5;lfM#{~ZfLP48|arB{7w9+W5CTddb^mt{ocSZ&tEG)*8h{D9uDg)#{?1{Pa% zv0LL9+76Y+@hPG!RVJZr|M^7z9R@1N%!@Am9u}bujXl9))MD+`P}0TV0227!;@0hxeVMe5nO#{`cKb zh4o+1ffz$+-fvgh%f~*rcSkuPN59Rq-#ogx>E|d`#;jkdI8rm#hvlf>Ha-lnBGJWN z7$7DM{@G#IuMlCMKNm)M!X^kw+q&G66hzw%{K{$I;MnhTE zJsz(!bQodIhHKGLmJv-=^OJd;?XE{Fy-R`D9N`CA8TZf*)JhHs#>mua6VPAjxaXWagyKlAi z^$*z_d^17k$PsIMf1I3W=Zu`Y*g##6VU?0YGly+!Yf|#l&(Co+mol;l`FQAo+$OJ~ z{r>RZ@0c3D5%7Z>5#)%+{ehppr=8rb6%W1n9vf~Y5RugYRiK1CW1%hR54j3p=9KK{ z@YrfY?Ky~?OdBNz$tlQ)zIOj5$zlDt`ua-z&t&NX-=)$q8kQ1j5(fP(Bn4;`B-oOA z-6VB5AN&0n`qw_Bfmo1XE=vV*4CXAFE1S2w5QJf(t#ej7{}G)!Xp)3M^E7MTOI@6g z=JnY07SF;ZXcM`hwD&{1AHQGk;9$T#_d`jv;DE^Z0JRv*${+`(K@*v%skyz52Mfus`31ks@(l%qx6k}5Advmnet%vPD`s0Z z1Fbw>h)G@tka6UyMdg5eK3&ExKYqyusnyH=dUb_V=nmgQ6IyT>Ovooko$5WOVW3kc zRadWt_4oHz52a|?nG7FH01XiuU&}=L`r2<|@u`u3z{&?+blfyb9Zwv976Jg7%?_X- zfY9ydy->vc)5u@TZ-1Z9N8C?;e`Vbt^^r=@8+J0Nz)}tLZ=P_-{}i2}T|i0XNXV@C zCXkJSrgQs_mc{qWyM84p-sJPdFPVD-@sq}Kd@y16*mRz%tOGBl>}n7%W$KtO)HcAU 
zqPtr$b7qN%cw8t;6Xd8`evp}2aDHw{beatGk-6S~`&2|a)kt-Qy&`jAbYJ+8Mny4Hk^Ee_cQRN!%Ef1BO{4TF97}2`Bk`-guFa;ydE;!cXP9#{?DI3 zL84j%6I|2veuXC`(_EY!bNMl{eNv*uOn2EM!91xX~@)C%?Q7PS}w;; zrRP&{Up6-KDE*C(jsFi89`ptuzG;_mM5TCBLcyTcYQ?#^NhEbdN$Qmoig z+@Tcr;tpT#=YF2w@f|OJZ8jmBNhXuY%ypfo{+>28EJz?jZnp|(=7V@_#S&Ocia~_Q zAwknE$Ie}MOLK9Cy~9A?4$*ejiD}<6c~s-&ywW+~`0(M{K_B!qLLy$4Db-~$IT6^f zv0vEfU87q)XT!kAl9(jHk)u3v-eM@Yc6(pBem^*`N7RMPpHSv2fEkn9b?tJ~{dqlL zvjp$@=(5u=A{=B?0gN?{GgtTA4zRw5hmQ$_>5V9C{PQ4$5(8nljS=6m`AJnR8h=D# z(Z2h%&~6Vr&C}qo6Rnjcb(eaF=eC2a{&WqV5tm>9FIj90@7<8U^J<_AYr34!-f{H>Z_wZ8 zA=aZM{yEU*_s_;WHx6y2X)oj zx(@jATugiz@Coy??XEjPPiw5eAUhjjm&b8wpHtL3ngZZ`dac91r@Nk?5H0X|(R$hI zh>h^ljm4U4r%J*@z}{}L?QkcHGpBQ|>+i_uT1Us|d`*r1{PsToo0za`l;H8xfkc00YUO*v`SaU74kdfHIZ zZ0ZL7(S(_g9+RQIuvHLDa$N1{wfXB;|7C8I`>r-r*)>Ta4JXTJer09LRTto(x$PR& zR=ZBS`}69dl-!GzW-vTLsN7gm1l%9XhN8@tIIed{1bG&J7qd%;2jCJ?6n;;;fYJiv zGJ`U-R+P-gt7tjxcJ^ByZUJ@Bi;01%OI|D#-9PoMO_)h$F{QmyF z`z{RN!OhLyrIHj#DEud08yGjhtDL=myzmDy^jiZx*G^7gr$IM@%F4<^@g!t~q@)BS zg1!f1Pw%?`2hfHrS)kkVV|f0{pA7F)(W7IM+oKEC3B$JAfsFS6iz9S2*DR(_ch#i9 z_xVTo1dw_GFy#e8*=e`o@BM{I0n()K-d}UbrpBg@%mdj<9x;)h%gf2{y*&q^z(Xfz zjEm9x2*3Q#G%0+#wEX}8JfhFc+xv5uR$I{3(E!os2U^KE5+XyMWw1To+s&uGO$ZH0 z-!OFDV&-tmgNrQ);$2){Z5e34y6}BoDOYGw13l(&5ltHzS%5^3oCs6fi_iM`FC&H2)}->3Bc!VN@_Idt;K zqtgI2NMC@o$lL9&>KuxEa?j(R-=XijGLzv$3#Xwlfba!7-EpZ1so@Y|Cy1635Ln74 zdMXV!BnXAs)LiHY3WrE$urqnA3xlxKYc70*&~|_K1xI#;=6D}@br2_N-;CF-J89#M*FO8X;r9*;kHP2-!M0x@}Y8`Fl*O+wR0D@;0j(In%1w#%wtUV@?Yc2twjXB zJ`R2s9%eokO(2`}lcKw{NE9ZtNc+=^+JGDI`rX=1khQt@!`N*i*J=HS@NeM(_*&D4 z$~2YI&Vk3$RFAMZb!=bo$e;}I^wfN0;>hr8AZ*TAJUbAa&-@WE)G<|&BXwru9OUBe*`fT`^qLZ139>QWw*aX#5&OdL0riA=-Yk5bCq!oy` zY|n3a6qBrE;IBb{#g&@4n!E-m#0w*g4R-pE%CTrq*N)?;r5gvVep;3|$Si)wbQAIN z@bq+Epdw<@{RBhQmAAkXOFO@VjgK34xn04kA41I)C>V7P^9c&tzjpia{O(_!^30Im<9Y9uyAC1z01{t zJN#++cb>QXFgq@<6g(m9jAd?=@@sldNQA>{;~X`kr@h48P+$KuxV78*0?pW6_Mwzn z8THvJLsw23QeWrL-0bOGmlX%^mh*|{!2Rs+R!I)JQ=D~2tI*9OFooKY9k!GC5snk-ykNqz77+FZ6$|Ii>* 
z-S*m{T8Ns2CBev=t@-}=@KD)nJb@++oo}=tA3r}64Cem2e>h)b+`Smn7^PdA844?# z*EisKdRopD>W2oyGu_>O6ioZ@J5T9=Wr{$>C<&tR6_( z*Kab(SaX;e%~}AASgN@l7Il2Q4y!Pufz-&o)OW;2plRox_STz|*%W9kHJtBeOB~O8 z|GL@=?P#XxKXEy{=%kMo)z#a8Np0F}QV2N{+p$nj{gyJE59ks;%aOwfgRkTpaNVc& z_H1NjALf|#QT!wYC=GgCr_Fe}&Iac%;h(Y^cMlF9driJua0Fgd^DYbOVMT={j%SXS zULE>pXXnIbM!WMR#ORUIYvMwu7k~Y7aQ7ir@iqsy4xg6aJUF1$PHXh|j?R^q!sjf` zEG#TFo5l(F0{F7 zKzeFmmVg(J6ci}yuWtyR|Ga)sS=r~XEN2y&HJmir2{Fx83#tW;?u;KZqq0DUj$MF; zsrFQNepVe1{k?SvqWGL8we9?MHBm>Wno4Ki^2|y|h%U+p*wA1pjaz7XZd1b~(oIVj zY}e66-_QxVxMS~NyWVaeIjzlxZ1qdS(79O;z`s8}3j_)O(R^>%QWk@c;uqOx%8}ET zL`TDKlwjYDmv%`b4~?N}M31DA35hZpEaTOE(k@?wAAK{FaVq zF`kYX&*|{*aK!aWNeu)QR=p0S!(Qom*=(6>IStrt1^C{(!SrKLIywD&IdXtgWcHQH znF+QX<}l~fC;%>LRR(6zv)^rM{AVr*AN)^_N$es&4Qh6+DbPnmYXkRDQntNoZEh*m z*l*lrA?5dT8@gr|y&7d!jHHT=Y1rkL}VrdQYG>} zQ5?p4phcSsSC779T_emJp6$9i=jr4~p)p>jtZ2xCNl1fXVHRvfv=i7_MBlt${vHpD z-iDGbS&-DAYKqrp47Xy)FBv?ZFQ#l_l0zCtXdd)yMc4Ow$1uv3*`mXhA@cA|C`}7& z&VxNk@2GTnFf}wojUD+CzLr99J`Q)d_^{-C^=@hXUiqn*8bM%HM@PuNQdpRg0SL&0?|wjYFw!vu`uyq@4pfh{wtGAHnrU`cHkspTs-^b7vEL5W}86CI zp*GBz+e*LmCc|QorHgJq7he=c&-m5gWEI&m6f?sb6mS8Tcp=3_nK?|zZ9oWXgCi@ zPWWhCIzNVgiwM(2{++Dp=V<;zoj>xz;uj436Y5VLr~y&?<%vwOT`q1(8hbDc?{#(9 zkf!rdcr~B5A(17rk)n=M!f-^*btwAGhPE$co0-kn-$+v#0z0Qq!I>Ve#L@7|uq#oo zfGcpK%}P%`J-+Dt_|LiYb(?X+)cZ3V->2)aA5^~OdCHPIzJ;qD`Ik2y}`4$_z} z{6<$3%E7L*B6M%+n}>cj>mtW)3K=`v?tVzXn~4c~7~v~Co|Z2Sc*E+26%!jm@=Yhy zo%^~|+%bNqA%?9@t@Cdzw*5W%jbumRDejv(7c7ai|oLTepPpvUD%b<8b7~% zToJoAfd_Zq-exJ6b$iPXCReA9SC6?sg)EzHIxyWGnu2{$)>EH$YaUQ(VM+=Z380Cw zom8K1xOIXmeWC(l_^Ty{5d79OFu3+CqlAR>`*Z`DuBQ;5255jNSpq~#yPz-9sc^fy z>f2CF#u?9Mt68=H6+dd7SEU+Sj^aebu;_y01prDB=wFy(VXDBKn%C4Uc@;IxA@(CKU=db~=Td?|Ey6iL9NWOL!$n1fTTCVpgCPkRBctlX8szk<5M_N zxWv0AQ@AE7eFl1LBt@JNgng?|NDK%WBcn*cJXQbfEk}V!n|Br)=|4Zhqz04C%w=jo z<0Q@f`HHqD7#4;SJ#YI{-c2Y^q4akEMW(7U&n4!aLI7!;gox5x>S(wR)e_}2YX2M| zlNQSdyR?6gHbBa#LD8gnYH;)_`Me`H+$ENC}ob4XVjL{k7qxkJfdPpucOu3Yd> zp>!(@sAm3GKsrmD>bhKsJ8w-or2mwVGdj!?N0Wix#uIRZO=;>i;Wh;;n0jg`7lvR6 
zCBIqK)S$y;DJyW&EW~BdWHH32We+mLR;Ehkm;ceG5b>GgM?>>#PCAqZ{4n+lGqM-+ zl5FV$Dy4CCL^`OLPD6;oVx4x`f6uKYcY!oxRjC+n#hW)J|1pl$)BQ(p*ECY1IrUG$ z>gfJ0fEBl8w01kTv>dPAxUA-!0zg2Zq?jKi z|H$*~(i!j&n@9fr+`twgLe7|YXDtvap3s(SL7vFY0`C2WCHIjwSu`qOoX46gD;D03 zH5Da;~q1dxhnoHr75gqyHfqJ@F}kuA(-$k z9Fh!*98U-egSzqinDTM%#BX2Q6QAp=nZ>c^U1((Xb(U2|1E)85SU^^Z9s-n!I|F@6-v-Y38 zq%vS3uF`EtATwP2c+4^|%(69uFlYj%JIm6#FAX#X+F1Y82gJ{6b4ZLpg#=DHLn1yA z!Q#CA0C8ysK7QOQ$&Xg0NAPk2Z+kRpJ{xKOkzseB~N7MDs4qL*2&pk@BLAOcUb z%=M@Gr!a1Bc(r0R<+d$ce=fLp>GkqjaPOkWK9uD(;9byg3{HJYN2{_>vE(tYv+OKD zGZYB?VGtdZ%DOH0u93kkW(>N3^owbR%}u+2fC1R6Vz}5p^#z-;>eo*-ed}N9F>k`8 z-yV!h!WQ!n38Kw^llbDM3d>x!{qFE!Ag)gBGU+4y!IV)a>THWMS2L9)T3 zu>d%~{Y*c6x9zO5&Iu1uMjYj1!xK~F%Yw)F7H@xwB=jLf4bw@QSDx0qeTGFED|8&a0M5M@s{Y8Ve6I^sm&CRXfHyYV%`?0>y%Xe z_)%U~rZD?aUBqZEyE@U%s4y4f7dBD_4PyC_K*Aihgk4NI8(enk!PaEy51BaFXtP>v zO5U}fUp$dZhq>~O+ZBBxgI?Taoh!#qI~u;qo69?DEjmCe*Ih1Sf9s@Zq{-TeHI zpk$JjZJSt`ZQ^5kfnBm%JB-a)97~(Nvd)BjKhGCesYKll3E+rUsM%{P>LOc)n;;?~ zB>v*yE>}p>{XqRj`V)bP_}VcQC&Pg+#n_4pPneky^;`QO9_bYo0VsteQ+;N>3TCQ_ zZmWi(ZXs?p5Cg)PyZ*VTfP=NTP|r^#4lFK>V@GeE9!~0Oq1MNs^c60c!V-t3ssvN) zcqEzzHO-NoS&=g)j_|*iB}TXID~AnNGd7|^8XnuI#I{NRb2P`QP!jIjW=6(ruBIvG zQU-hOV2a`#y|FiRjHU;wW-+E1=EcJ{Kk((>OQXa^Paq;{PuuYl3AHPmYK-T>#~Y+Kqtz;PU=|Q z&Uw0_3HKv+POFTS=*+N%Jv;%%--!d(lv7c*pSr3l-rE7PZgM}5WCiK}BjF(yu%_5# z3Q*&SG}}CQ#7EAgAQ0GR8!gqa;E|5dX`l(M`s2j_(p&gw^zgG&Cy@E*zOSN@p@8|i zEh~Q`jgKAZ^Wh@x=DTpz51N#rB=>I@8^3*xFFCBKS*uzytP$}uQ|`Ug8v+tc8g~up zHzxbG`BBLSll2KzHk@v)jbSCm#51W|W-&Fg**^PoxNk>8NR_h5wH03tXQTs!UA4o9 zuY)6fD~fL2({~sgrmX_QEN@41!DG?8QRcxHVDSA`?mu~2IA2g%9A+fj?*Bp=Y&3*@ z&$mBn(D95->0;Apdx#9k7`qkrwkhyh=%rB_S6f1u2&{)i?mr{J+b|eOc^2xyrhW)L z6QGUSVS4Jbb5VaftWCAQ!cOkfRot2&;JJI(f6<>E8;9h8=kb#=ysno{=hX!tyAsDl zirw!XlRBxtpI|UqC78*8uZ5t)U+PL<4W@pM@98qbNaSU^+sNvg5^*FAib*MocyV}{ z;TVU~TUtcTnU*C6uqx9it#ks*@G^o5qm<9Z%)Z@PG4#%;uIW0fIT>t7=87AW%&Fm8 zDY*Jko0nGhUM+7aWMVay$_Wt@+c9j(Jw^Jj)rdy@F8Ont5rxZ}7(3{xUQoyGI7@%8 zh$m8;HE_UVpATMG7iCw_$(LKS({%~ij*k8KGMrVHiqsj+lr&<83X?^sKy|E$o+&6s 
zvsqwE-C_QMTVBkj^plBBAK@p{h@2V9Sp84W+@KC9MAe#-lHm#3#|UJ4U_8kn2B($M zQBv#G(@=SH+agM9LEyBcFj9*@xlf)9lVQ)!oxhIJ*;&U{rDwQ^4n2~?k+;fzmTjcv z@N=c=1VW@JKJKCmJJx+7R^fTlb6H!(PS3c@qolX3T9GM$A=Tl|L~g6{aig` zla5oaT`+Q#9!^{y(9%zb`gxL-Jim>mV2n$*fUCNqKwL}n2Bx^vd=Vmjv4_jhhm^}( z6)>XHq;d-;uG`4H)%}3%e|(A3Lyvnl=Ff*VpJusXk9*Px>WXX@(?KH zEZTq#Fwx;D)D&#d7C2Cq)J>`jGv|w_&4zRop4n6oeSYNSIsaxk*s?r^Yf| z$ZZ?b=)~b^MVH|DBW7v6N>6tvZNeV?T=S-Bx0(l~Y1>*OFCf<;&!-j`#Una;SJd;R zbRvi*L*YE*J)Uw^EIehPEWB^_o3xrqjekf@si5w0eEf+tj1o3k=`6>+ni1+Bd1lLs z#dcS-$QZNPr*AL6;^BT7IG6b;7sK{pciR_~!zZXIrly=a8URO^vyOyIVZ5K_VvF~R zpaKVSH@fvhF1j~b!mELjz4m$m83+gSOuZ{LVomX;N{pd_Q9?f5f$?CRfD#Z|z8r-B zXuZ)Wl^7$g=;%(4HsKVr5Ky zRo&0PN*dXy{e4V3d8^ zJq$>OQ}c|znskX~_e&g>FFU}dOIFbisYp_7(9xl&`ebYg@j4>>l!jTBr&g(Eh-JfF z$!HIF&ua{^n6%pk^u`ZH^uiB-J{SNa{ckB)6#nlUqxvnz9P8G=j^A_sg@?C>S~JI0|?4 zYkV&-s7rN2&gwb51bP%>nv8hV*C^|QZJ8TqBS#IiR?Lw(6gunSc z*Y!_aa`a!Zi&nLy<31G|kW^cFT2@PVDi_RF)l_NeRJq{*UXYUiea}1+tH+g5^}ogc zZB}O3u89RD@P*X(isj?Jdrea8ay+#k_cHx*DXM|Pfi0K(?sUe2;?%HEEH1W1f+uCv zav+y#$3urvm4U)4i^MLujA4_oi+EIyI_k|OoIGs%xBV8Cd_un*qHub2DJ3}}wLXn> z=3>*@wK4s<-8xYU07w?^4oFuWj~Y3**qBA5 z?i`L9Zil2T`%#fX)At3+-TquA1)H};l1{0L{FL-~_o^%(qG&$Q$IP;%yuTy&KN=e! 
z8?$OCnzf3Q&ZIy;qr{@L;)kY~12O#1yZPOsB=Nk>ExHcc=VuW{fn{JlIe7YtQcbZ> z9|di)hQa=?w<&s>rwEi65KWD;3J@W5Te7;LZz*wOX3e;girh_CXxc~99e*86Fz3v zrf5}x-^K1llWChMSZWsD6nUE7f%;A37xye|k0A7ZDq~H=Rd#FyDay&*UbB|W0`be; zQ3FhEn(C=Hi0Ob*W-OgY4%5DM0JndTeuyE;Cr4ik-u54&l5NdCVEO!tAmiF{X`fgyyZU2?KWd zYhCQHrUHnu{z#0bpco0uo{@A_Jk>%STZ@OJw(m5;aGT7YGR?ay0aqs$5l*ZIz3R*l zW6*&frVaIC=&3a%`@*W6B%6MO6_Fq||IR)?8_{GSgbg1hypKF`_6>8C(F2>B=@Iu< zoW{=~u#GzAJd42D7gsLl-taVHOq*nTvK@RboTO=tRq+~vBFqeSY)yXbCb^4k350uf zmE>?@L3n(QVd-?Cx^x5FlJ<5TE?iFCs-Niw`j)95Ba!+)$anV1AN`VANQ}nlYwLzK zp6wYw->LdN$a;8v)^Nunj4;w6@Rbg~o1#nnV+O(e6HSHihCz~6%cDp=wbbP?WAbNX zu-Ny_tA^;5!BM14Negyx0p6#vLp3!4_V3N2k}Mx6Sa35>$=^3cvM7!yVPQcOvMwyC z^|`BzWD8_OifNP!PN?S#lmxI4!q{xtbzPVvGA*K;2MOuEHqiXz%d=rJ#xG!g8|tW= zI%ey_pAcaUNm65?)CGGfiJoVRVKGJj+giMaD-rQ9Oji%r8>^V9`F3Q5_rHrRI>6lG zRXIo}7heAgD*Bj8e3!?3JxN=OiL>KnmMIZ9JQ~N&qS2bdkH%L{%}(&-@#3Eky6-J- z%!tqH^1ObugbvM5?eR*$N#YG7ZnDawO<;uLr63IdTz?$M2MYzBmvqnGCuqv$oLp_SJSKJRDsf&+^9El_X z``;%aHxKtMPD^2jHL3ANU9R39G?S}~Dvbqte*DY``J_Vl;25vw)+CE)XB4tT13uGi zCBly|OPLx&p}_5yX3wtW2xNNrzX36mlZm9*8-E5WH%y8L%=uln6uTN>7TzSn0T`s8 zBm>{Zzvf4?7*eu&B!7lxxak6k+q_DhFy7aa#%Hw>^C$5;Rt&< z<6OM+Im1|2Hm)|aA`g#^4g#xFQ@Ok`W{I?2DIXcrNLkEyG7v}wJ-1;lZie0|!yogy zT{d>W`uhIajl=CXqK}u5Co*F`ce4PRKTZeb-uPCLr;mT05=8F){3^NFm6)_S9CWmy zgQygPgR^ipyw-YLFV>%T6V~odI+?Gx_7y+>zy)c5rzMu+x!~x@C#hXEgS`-`RRqk8 zUK0_*u0-0pUP6t50`47UxuZvx&O0xfa!w!oR*;>-4D^zU5)Wiak_$Q;*ht^8%AY`0 z%)~J42zojgKXebSUw=F}h2;tacL#2t=mbidL)L})dHxPZ_V8V9_i{p6bNReCR@ymN z$7>Wn*A^=|fxwY@L~Nse0zllDx#^PgzGkRaZkY2*+kIUvknu(IKJwCzJm~82>?Y`9 zGPsYH)wpZpAAKFS#PS!3{ryOeevwY~6l9+IP~3u{h$FMbMEoq1ac^2}$C9YBimA`? 
z2pU>omXtU+k^9Fz4?54Qnflu9$Ca&9n?r}*cPW`B1W97jb)U6whviK zv!8#*SZvTq13W9el~(X&;@=K72p1!J&A3X1JItw$4qFTq$GIy zV@c$R(Q~KqqkzR|V&#galSW*dOkC*p4ZT3$9+`MhgWZ^rK;u^=@PfRC3N5Cq% zmA@k~r0z9a`dPe}y??7e}cEeZFMW*M~(_gyDr zV`J~o2Ve%hH+F4(f$iDl_Irl0!%DMOLKYI7G#EMlX}9OLaappExwA$8s$IwB&mJwA zQTP1m!NOK^4oU;vVU&3l79~2_rBS=!O+TtMcf}(EDfF;vRt^*+FhJI3{~F?upK2w6qRy=qsOLyvJiVC zEOKK`54SH$zDL&~6d*xkYS%UCPG=R{KW9& z{31NKQM5y}rPI2T8!q^$e)4ixH*1_!n>}kU`?+1N%cV75wa*uQ8R~AK(@gym8Y~Hn zln9c2o4Vo%;csvoZ9N=(0s@dETgI(02aXmN{{H%Dqdm2}J$76xa=W)Dz1)GfL}+!r>pp`u9D|$k#veE>FcMd?U*r4skFtwD^4i>o=j6EN7$rMk*b0O_F=tNI-vPgEDt z#l|bYlevFCK_VE?+^?S?WKGXHE$a!89})#GUK2Uao6jKAhCg zTjuBHu?rrmt+)Ta{Qh0cg2m3WZOlqT0F$f@6zF92d%7>z28Pmr~rEgQFH8$UdN=`~m9eCs@$%L}FUya^h0uhONI^|uauOQL*R zZVT2lvNS)>&Z#%|7>m_Yupl&*z7BSNHV#XN*L!aJQT0i~XZ5kgoJ)r88)_W5QSYqp zAKo*oac&$@6Kkn#d(HL+`igI`gy{y2Llj_&bqI3-k zR(Edwdv1r*_Qz^6x^cmoZp*PzKP~74psoB?))MsO7Xs3ay@*pPirC z-xH6QZFJRDF6RJGfIakei!#Nl(~x#hRyNXu$6tW*oz)xsJ&r7o6!}}AY>RSB9YM=^ zXUpE8>&E;ezrgj|t=Kga&xPtXrbt<`=TXsTP+phl#ZGI_>Os1Ht>JAW=%MEtPCduy z$+4B6m;chmj>chXRK|4&lF;*bt8?0ocYS+g#)eOfPnZ=0twtLHFY|()4vo7WM`CQ; z!IP$~S>YBoHa<3Hb|WS&I@LV%DZ~ezSh+`{t{W$3hn&Ws!2J0NqQGA-yP$jM`s4BE zQ*@zQRnU_W5Kar3_o{Wa5Mpw4^fneapWL|MJy@RSo#$sU_(qp0oWoNUGogZlo)7_% zuN+tDQAr-5Nd`SMvOe#Fu8dEP>W^P8f6j{E#nm3We3#FFqtC%7$v+|^4xW$a*bkf8 zyWP8W_?R^e8^Cg^B+vPJjUE@Tq68#YteQqTlaP`HojN~LB*VD8YCAoyU}Fw{oAGX> zLZ^Aq0_^cFa58OeLaLkK;WzV-VYF^RD-Ecojk_=Dg3)Aetk*Qbuo9+<2~YgRjr7TQj}7jAZf{zkqW zzntB4g7+a%r}+0%<%``Hv?BEnPXt|esxL>h`xX==IsL@<3wQb&kUn%L16wD@ew>rv zNs^o!ds&sOD*~nmgYE9=-Pb#U!#-7u&Q8wkfu4^m z!;0RrvJv-WYe!CA!17VKy+&=%Z2(vZcr?`3T&rANU&)4wLv^23L1)&S^0rnqCgU@IFtw!iGb^=;kT4;Z(#YN{^j0w z7kPo!s$_0iC=scDe?M2>%Sxp!-o(vuUixz*ZXf>uTc{ zl>}Krkju6;8R^=?<0w=#@N_InlKF61#i;wtg&{A#w8TXzT7^{Lw!Oqr<7QBqcY-AD zJ#DG%gR1dinvgIFGwGPU6#xslJ5n^)co@7oCP|-}41G^_iRSIFq`f}pxBX}Tto#gO z&7wah(8_hOxS`Q!`!eV0NXeU!&kt$=Ic%w{oA}>EC_>}M;bo3#u*N#La=&RkF2aR8igX&)ddtMTrdtWxldODnIS1J6*%K=O2TUwThca#8> 
z4=}xxW@yn4$v()6h%7#Uo`*zv!kxiwv(D@Hal&9Ds7gF6KJfM#$g+v>lO1#t&E2ze z?gAa(S{nxm5TF_JdAqYD*Asr|d7f1@+n?#{olLdZKeAyz4D0TWoYqL`x#=VOb~`oN zb9ZUsuCd%9^MLmNBF!c42-po8+al<=`u!v0J!RopBcAGNK0?j<fL?enIL`Y*4c8ru=uB3(D$*Q>?!8u z%)195q+kdK9QFUo6=LUb-TjjWAGvYgo?>0Q-XkhBIrsa1YttBAITq;s5#&el%=$KcB@a z(&2IK!zbW=a(!8Y*L{cHef1-XRm5TG={|ln=XmCLYu*42Dl?VE)ZQw=TEyY|(BlAc zf=2gRtaaP(A`9|>fV|A(o(tngYIi5< z2*h(XK-GODY8CSS{q(eo8n3?#__^;YAfBs*Z)x2KeC+~$kF=*Goh315!1xcl@M>0t z19tov1XAKvNcjVU7*gB3uDtwMW{$=JZ_l1PA;H0gh~jKbEnGj&Vkcma2TwOZ^?i{C zPgu^CKxM4&o#MIY783%m&WhUjJ#{7pv%m%sMs>zMbxQzIq?O zlP6FcI3cjRh&2Q}bNB6*>z=l2uhzSl{12DZUViRl$?{e?-#-3q*MAzW74BK(^FEyp z9dbeivcbK{SXy(l1YIw`j9ZGhZ`^-(sj8mz-<&E`{LC63n_$%L3JRRqS>BxhUFR5= zsBh#1PO}G&F0U^fHXeqUPYWtCpy#y*a_|f25%h%a+o}}BwiJnLBX;9|?YhKS1 zULv3g2PVaiu_2#Ti63wOW-Ye)Y#w-4l4l^qKJ9EKytjJOdJlhsj&kDQng3|^5-!-4 zveDlc*(baztP;tOiDV$)8L-Z~c6*W#1hB4L4+pQDLC4{t`KM$=hdq8!X9_C?7#uq2 zdF^uRXWZdD%PQ$w_vYR2zX&YyB*%FP-F!Y*&ptLBE;n;v=ckjKHQyUR?Xkd6!f|62 zM)nd)=5cF?+vxi=7{}_c>a)L9U+w(uLiXi}%<=GYr8DqhZ1%MVP2fX+uqFdb77AH_ zSDUvB6IK=p;hwPT+5LjUp6N@$ye%OB-Ps;#58eod?4CNTw7K6Nl(V7}SFAse3@RT6 z&K;Fpe1_$=pLGINFz9lVOtjVCnnk#^zB0(l?)*tLK}l5!ZLOUq<%Xen?Pc%RZ=K(N z7E@YljdM|z^7sNxeav7Vk$2wnZ(F_bwnJ*%iF|>V9CV0|$6= z|GS^g_Yv^^UMJ^#hCTN=Jt(m#20ebljvk&KwLPHYk+_^zEPg{YdJmdnwvqO#UZ#By zTzbdEMj43HP{dsOey}+-L3tp>7~Emi+<6F|xUx)}F7C9gcyvsu z!SklweH!w|{V)rV@p_#9(_6?3==zyaAf0ObqTe8L?v0-PZ@VmC4J|7zPc2Vxtt(A$ zRqqKj{w+6HGOJLe^$k;gw);;!Qjw(HF>>qnl`Js$WS^e7k%Q55XZHRLp5CDtUD(`4 zbbkAL;@2NBzJ7<}XyiEdexeu~7kL;Pqg;7@_VsCV7Rkr=T)HH2M18qzTn{&gYgfw* z61m@qB%3Ox+o8x`?askn7?ipBbGf-#PK%x|l&OR0ftJUcm6jh+u&=~%@bi7E$fAL6 z_ucT&1?RLXnJ{5K7xUA^U_(I>Hdr2?xAbqW&QN}N39pr42mgMF@7Y$u64r^wboLwGCCXR1MtjlKecOS&E> z{^;r~J>3mFF4rGQHa)ChhhDhJKsGXS2v3uzw+2`5e%9%?tAqBu!RCST?JLwzG|24| zpD<=dySRRHM%EP4JDU0iS)K1d$*!-Py}eqxpB~T$2Wdz}+j8V(1v_&-&&}=behxge z-<&x4q^_47eU=;6^3E@^%!SGK^yJw1`7&Q8e*f^0aZBBe-SN-uWIfb7Pi11f<{o!` zStx#vW*2ljlwWm+m2e__!CWoe={?_CzqU5rN5D+cEB6D&D1d2}&c&b)5L zp2M{t6+m;JV%)7?Jm%Fp|H^IG>r-6F@!XwP$Da02M|#QCDC 
zz02Rk3YagU^-jm7AytMgEDJ`PZLERO^@$wMq%IrZLlhPDV^WagcqG|LIxa4KB~?{B z65D+bHGhn~}41eiPt%u7a#i18-!D&LGjQx}b~c2kn@y>gp^j{{Ih5 zL9@OIMkmXxB#_FkuD%Tz45mgDja2s=bY0(m!GyVuV$g3rB%US&o?H~j^ImeH*m8X8Yrh-Wi*i zc>mVZuKo*7hg-SY5p66^$M}3JV`C4WJ$pDiHGcoIk0vIj<~G7x(ZuuFX^!JeI)lsQ zvRN6DC=#UTa=VRI>!Yz}{$NPy49n8GAN}bYPw#&`ISoeyn`h2mFc}z9NTjnFT5l0~ z;b%Yoai%EPy^VT<*=aGtcp(~T>K(Cr8zRvNC5Vabkf*`v_P8G2hRA*N!Tp8*;N|cQPIhp9YzxbzgQ5e2>E*?w#;>SOJ zbob8U;#@~xS2&#rG*yzJMtD74i-F_m_ zmKKlmr~mjr^E6|2H>|9zO;3(zGf|f22|53}KYY9y&NMZ*=~%YG>osuTn-6WrIg_`s zshy<>kIV6QfBAzpC;RCBt?{K`|KLa=y!PPMhpU@wAKiW=(bkTZ*5Cd57mS|Kn@tbz zKUrK{9-A2B7~aShKE3zI>}jzYZSVg2*STyWlS^_&-Rhd}(StGny8rekpKyBi+@*^* zKe;=J4kzwKBcZOI9@c0sQj7?PQIsGnhaf828?%#v!C+1dG-d57W{J|TF%eKC!5S)t zJ#cp?RP2>s9RQTf7lWJYc6Y<@`EwV}4s9&YXL4E2Wa$~YaOuJY3sa0ow+qTI)D@IQ z6?ukeLn4{Bp20WYcxAY+Egah}QXFk?UcGX?r@@*^L>P<1+uSrX)JyT%jfELrW@Md( z!}lS!^7~fgVsve7X?%V?nkCx%&R@HH{leg&#b|16 zZfA8yueUK3i;^TgeBtuYz+gNSN@a2)#a_8~4SL_u(s=RQ5Lbw82LhpZo>zV@2N4na z5v&NIGc2ISaC}Y`D3-FjuDx{So3Fo|O~cWCjxO+l&CNhOX0e-u9H>S@XK}iko6np- zD`k^mzu)R&-V_Zf){r(>VzDl{bXtWcp99jchC~{N(10-rIGir%5NIqMOTU z7!+sbOr~TeWpmnH9+%Z&XLW{TI^WgRd-dwIb3?;$EK;C3dt>t(Z@x0r-r`~1%y({`^8c#eudjY+%6`hzJCC z4n8{PN2E+9wC+zN3N0;dmoJ|2x}3C3IvmdHSFg}QCWbCHjTHoNKtlY?QyfD`OB2sL z4W6M31M9wxd?Cldfe1a-QJe-=SD7H7zzagi9`xIQ7j7Ek+{?4zI5esV}qBY z2u98qvgsecd#}0o{PiTG%W z+O;!%ojSYwGyn3VZ>MmPA1=74G@zwzoDH?C$9&{jN=qlVAG z#^|+L%xGxJ4~fuOCuMxv5HT1`O{lw#Dy9eaAIMhb5ENa&u9nM7(NM(g_ME?TsiDyu z4EjVtA}RLF#VcnoTyRhL|dsizCpCg;MMUnY$PodLY%i^ZbEG`0+1 zIeSTng$8VDIVX>~=6{@HChWCa(u{-V9Nm$zs3!@*9_~UZq(v zmrtXODbutpy?M2d5cB`(?PnR$_VP%dh0GR`zF;(#fnFFbLb1TGI&V{}-eh$-oQZJQ zWHO(*c=h`Aml~W-Mq)*te(8-ju3ftd+cD<%CsP@d+1A+HGIFLjn~N{5`TK{?T|7V1 z(ujU+k0wV1+9onBH?=i}gWHLCzL<+e!Xc7@-Z~v-CKTRIWrSijwlFg>yAssfy#r?k z4V;{b_(G9LTBIPfQ+$;^C@>P`@B-Z!NXlk6eVcuQXU?7*?r3RVnqL6%Fxwp$E?;VD zY@#VfpmoC+FSj&U^T`kt#Zpgn0Yj^FSo?=ih$CtacMnbYbVb zF!UNaOdAcJZ@%)4>jRyXkk9dAj%P1l{>ETuM__f)?RGaeHubl+ip5-L+Yd^l(;IjJ 
z)K>25>SQ^lv9U?7gO34gx0whj9gGAs1wI}QLIj&i#5RN5dKbw3l|Gj_9SMWV<%+rs z7vFgOrPrlm;li~mmo8uAB(W$;vej|!%E;9#1B}sn?Uh$wI)5P_4JWqYP%9vFdYaRt z`z;DIpQkQdfBD;%;P4E>SSI}51ad{hKoP6RWZNb10hmJ1ZacJ_^=6R{_E?>~C{WN_q+$!I9%bBpr} zckkcNNutN&(Wz4yRHPV*BpHc^qj-^E(G3YuK1Iaw3bL@AQBTPf-+kQd@-=T0<$U{H*fpG_a8j{?w@?KrP+CQq>rR@>;9a> z>R6o~{p^#^9*<5Hc>;up7IJfQQ?`Z{gTXlQ`2OhArwz?*CbI*=4Nkce9jE6Y3`oZl z3v+W@J|Dyq&>vP3w|yJ8Z{50g_tC;?P>>m#;9>0O2L>cVLEmM8CM1^84Gs?V4Rk#j z8{1CtZkIE>wKBW73UORhYgcPyb0!kFfA9A4R#1>6s3Jk&W^%rK`ON#j|3&-I$k3%% zRu;ENUhHXc(S#s@Jh80FZl9PKkH_M0U?J0-Ow#DfIH{<92ZwI-N0Ob54Sn6cqjOtl zFTY|n=}B}Vc4l^FJ{(TybR2pY(GMyusc;~liaVXIh56;rKE5^jWE2!g1jS->1PLRe zI8ttFZU9wST-jXN2>15(x}BEpu9hcHpFVmvxgCkYd#%jTN~`eKWc~J^{rSq&vrpc8 z@1u`yZ)^od&JUlzcy?f*@9F*fpMCVnAO7&c2cO>AP78X2$xOjPPH1X=VLKXAK5ytM zCs|B}!hs}D<+FwL@hA80JbL(a+-!5{45kP79^bij-{Z7*cC_X5VFk39Vz)y@nUszt_Wex&h zMkeegLpGIKURf95!_Sx@_~Yoz%}?I{_~TFCe)s(cPsiZ{-_g;%JU#yK-rWKmfwi>L zjGjVO31|a8cxZo7K9-Q=X93eI`BK)X|nq zB=6n4?f3cG+dE*6k|lCxdiue=yUA3lxw!>BfQ6)ZiWM35>dP;0Yy{KE?DeY`Swaxg z@uk_Rx!L(#CWk75G{_KiP!^8r@9<8~%@elH3m2{j7G|2fHiMbFfB)|4`bIQYV9hoN zm?)W|(L}=a^bQo#>9zUUjjfG=GiO)_MlJ85Z5-Mx28V<%_ zUP5glsU;XnP;X!Z^A&7NyUlp*>ea`ii+%kU;DCXV`E)Ea`Fw13bxjZ?hJ#67XVe>o zOcVy?ZtdcE;px5GcW>SH`$Mt}b158wFf<8MIq$NWopxtnE4(nfVzt>l4esHygVS@f z_a8h91Vgl3M0b!tGe2rtVDx|Tr+=Oat=@d^{f|ESbZla#v%Bx?`EysUUs{-+`0T@v zKKSsXKYZ}XW*|y)28-2@E#&5w)|OUQibYZRe8{9++>V4|X&xr=uy6j}?T5E-KL{oB zorCAsmX_|{dAPj1dhYzij?PYj=bt@!64=@j1s*oL)!jfzGKlH($?@%IT-_8fy$_9? z``-7y*U{RtxxTWxw)$jrEV!MbNZN?Dm=Moqr)K7E-@0S7m_2TX1jly_Z39;n^X$R> zx!LJ#K1<7dG!pzTzxnW`H@?%?)_^W)LtO>nqeu%R10M(Fi(1%j@YbU{f}mU7qWj{( zJ3}!Pqc@q(j12jf7dMv|WtlXaEpxN8a|^4Pf~12ZJXxeTPG>UCLvva93~&Q|Jzkgo z{=J(Yef-JW@BHDDI}ZyI+uq(;OoZ;-y15dFc^cZxdLvRMbijaiA@~?Tf+5g(cZt@? 
z6oWbey9&q~=(EI!{ej1ipZfe!i6mIGSCJCIO6cX{U>%Kp{pX^==r><~$!<66;Fv!dE%375)(nwkE}tVghtutK zdu;vfOJOfBB`?pvHE{|HfP2gf@$bz{XZcpzWU4u8Ws1b~V^I zQjBe_7ZXXIC$B(Z07`0XYpLRdd=m4DB4Hy8Cq|$GkG@lPD*nRUJS(m5lYO6G;UY=F0AaB#rF6hpyvo-;G%rjD+@3&X7(C5N`72BYcX zh0D#YZN+3H?Dr+IvbUx4l~-Tx>F~Im*6naOwjB+|G7asWm(C9H*-SLJ4V$j1ckuFs zGYxhlDd)F+Tcgu+?Hw&FSM_FB*wVFdmhR zmeo1G+tzS?q$3#EEK+8(yX_ootlm}~CB;)|h{-QsIM>zPx3cDMZSZp zhSrW2Arj6z;NTja6{??UCmm4bI~*ZsSKtf=Lvxe+rIFrcIBqjHeD_cP z#K1}G%n=PJ>o`Heh2CGgi7V~-7 zfAkHly*({nBE3y;Hh0T_Oq;*`)~gmW6^q8r-rn}MMu=SD$cZ5e!4SmtsjNf~oxd~sPl=U&g|}LZZ;dZk&(`1E<;$GE}T1) z*$!J+y1%1M6d7k@pWf^lK6BQrhgg@rd~O7KwG}CT=dD+rY&sm>mN_TIS>r;Q*iNRoMB%d#;x8&P7UX}IwJ-_WliV1&2er0W|>)h3g18ojH54-zz zIHfl^-gxtyHcI;0kN?Z18#hARF^9YTtvB9ibXX`!i1_{bmfqnj*YoM*nW4^?ubzv= zvgqn~k5@0`TfL1&gZa|c^97M`csgGi>9^#wk!WG?d3R^aBVgcuU$YdsS^_5o%K@bc1;l4h%(+S;P_ieuNt#5l8+Ov_&55M(> znUixA*D-j8Dhd{wY-?(v81D7AzQM7^Oeo&eXzn}Hlg*3qU^tgAcJ~f??Y4L#^5%EH zB^0DwB6s!baD&^F$%?rmZFM!Dzi_G5$pr)JAcdT{!PC@!Gf z_3DbLSYUHIQ7~BDH(q^hu(!?Qb|n&tXebblWlWC7%a<=e=OY`78J^L*yUtv?*x%i1 zq>Dm6bLZAwm&awWyG2@`N^HwKOznxLw&v!}&S)eC2P(AA^4;%zs|)lxnGk3$9ElZ* zg}1I>$R`uqu^g*+wsiMjzjoeffe%745{dPmJvVs%vXIS*$;e<|TRfSydOO|D#*T(Y zPFGx9n{`s&K44WUT<#h831K@>FVW1kKSz7r&C!7 zreXMly&asG;YpLLsn5h(-ne$z?dC#}Xr49?^!3|dyP7zojsWG0L=)Q?zGwLS*|X=I zR!d>q7mY;)Ys>W;*IPUeI1;#i{koOqx3<>b_|~@wiQ@A@cW*bRXV3I?(iD>tO;;{o zA+zahI&%HS<#?uOakjbL&i0PR&eq0UE_3bm8zz%weR2KT<+EKKu3$8gCyhE<-_z0B z>ZYGhJRkQ-Km5_3THx@veAE~W=A=ueW04?#1%TlnlGToiir~X$Md{i&!Ri3 z?WZ6Yq8q`ytoOEgOeCN5Zv~@q6bSY=H%f~S|Ih#T|L3d!oBy`Ax6@{}v^BVl=(g%0 zzamjcudMrIPiw2g%JH%FK$bSxTkK3Uyq1zVv$J_)J>GjOAI*=IUxP zCt~4^aE>vWIV0oH(=Hvk5rWCw+=`sj$!OH)+v*w~=4hGX|=8ZER?6gUE7iWwEud-@wsgItXEBGDjJ#c29GQO-IoL zzwKMw4o3u1FEgygVW${9FAxSjUC5`}+*U%8CYOU9-F>l0z^aq&26A&dN757F#;HQmL3#M|o_*=i z)ENVjj6|`ViG>Z)-QbGHv%YZ3>o6F(LLiugtz-3g-HqO$e@jnEEnZtRR@lyv9bQW| zy5f)IcuMbSYW6s-h4|Ly<|e7LlB@+r(%N8QNhz=$$rp=lO^viH#6v!RD9$q`yUXQv zyN$Fc6*B&A>>Rr;lfv+dBGtI&zsp 
zI+N!~mN6Lnn(et{I2cax1nX{T^O%{Hr=R@c?t`?>GCQ{U=F8vuo4rQF`w8|M0VXF!9~L{8P%JbG5eF zY%l})MvG=| zgVmhgT4QLcP~;`O&FOU+$b2;D_XiUq1O01mG_wi+d?Y0pZQevy=`DT1rc~I5rz$xEut@wTUwg!dMTSs_%{P-kv4dmyIuNBY%3xdoXt(SNSMz=+nc?i zXg0;OW>zod@{L|YJQ0pa@L_IDZHI(R%&ez_!31k?h!kUUc?CWz7Bd~q&V07G;7j(l zHw&pve=tTH9D+pXSbFpMy`TQ<=hyz`|M>kMd_$F93p;quFa>phh9K zxt7=2Ee+mSFrcT39+xo`PUHzQN0RYS(4e;nqTJYQi={!b%##wJWXkW~? zV6=O!PETZWH6D%Vtu}_!nM~$%UY00hyVpbtNtl*FwRxSnt)}qQB zKx7C<2>ImV!XhuT0?Duj1B5POrr@xfWAU)T?l3tV0l%M?C8x<04EdYeTVjbkL?8_| zHWl>;lY-2dIyzd-dS-il5$0#cWD{7E$=&GIlR82oirM9*717er-0aQxm$OCD)!LKG zr8DVdtIL#4r&fcRhQ?+yEeFG)#;)!{zK}@7J$8rLXcTg}rRBx;zHUNh0vo~hMz5HQ zM6w0F+nb6+GVz4P>dNGD9o;PgFZtJkMhoX@GDpJk=ysCOTbf$hSU$hyTk9I`E9CfC zAlBeEOJV}VKMfIy)78?_#N@;4t7`&jVvIJ4*0(n~^%NYxWPO{yrtS`%j?PB6{77ga zUbcH18$lXnAsY(9HcaGYozv}UZgi1+CgNM&P6(3T0mHOe4J?rrvdMRU|B=}Wp<|EP zY72+MFba~OTiZMaJr(c;lF2-0b9Xnp6Dv=C^Wmpqfn5*B-Hpxvr+@jEoKys{C`hc? z)6m-FHc$ja;P7EGIBaISJrNG3;?bri*ZQWfNa#%llb+GveRk)QJ0JhupZ(D5@EYAM zjZL2Hc03UeHg$Nm!|7NwXE2(Je6hXN!HdO}tyFJck5RciZTBP0XVDE~txYbEQzvI* z(PSt^_O~_^BI}7_k+r%4+vyfKlrji~RCIkam@bkA2WY*e5L*ktF`UUM73B8jW`nT^ zTQ6E*+uPf$dKhw^2W<<+lNmu^4Xtf$ZWAXJQX${Qc3L1Tp6&)4Cuf%Z*`}6Gom^O5 zp6lrEEfj=!Bw@6e(}ir4ofG-&R-9~VYnKwKaB#h)&9xbbrg`|Za&X{k<#gM@P)k=U zeE8Sq*BV@QJy%!@z#$sE5wwM4f=l;r-Mu}PYWTnXKmOjM{E`)e!JHn2d@+;FF&sxz z=${gNk`Q(ZlJY&Lh#r#98}ytJJ)~O-wVE#dv{32)P6@hr171-THAm@*GCJjGT+LTeN})~2K^NeZ zR?$P!82GQ;5)Jx{T%k=+~;EB>YRPI(ug8{UtjR?92ly8tyMa3H=Rp-hY%2W*j z(N9oOG=da)z`jp zzQ378fva-qjnWNpxbw*=^Rd%&NQgx7_WSpQto+JbHw-qT(jmnN)#u?o+IgrQyr5c= z@?NW6%0S)O87b-^Y-_MlHX3rIc3AnWqE}djl=7iLA4o7zo(c!`A)6Ex_wZl&%&4E% z($A_@hwxv`Q9ekbq2$RTosauCW}34K79wWCL;DhA*= zpGnS5P56V`%>$SF`#aFJRi)<*?x4BAU@-fTiC8>|CVJ)h(UOQR2ejL*s0cF9?y2rR z=v*%Bvg!^ z=&v#hf@|a!H9?~p9NDYJkdGQsI|1y@OKQHN+EAv>59%s-R9b{rwQkw`4=;eyD3mD` z0W}v;3Sbp_0=3jw9OWy{Q595ccYvsKD5*@Fs8qFAbq7YOt^#UXfcjUV)Rmni+Punm zRrZ#mSF}MOy;t{3Wsp>6MYQ?VF{@gjj$Q3@Y3u;1p=Lv#;;GcIS`{+Y?Ep(@Q>Ysm zm4RDHOeHg5!|HVgJ^IaU8K@0-*P%C*R7h^le0ulEMy$xw#xs|$-ZN@` 
z;M7O-VlbE*k%?$L0aJ(?R!HbFQ^Mh}sYO+1mfg8WE*7^VQENj3sBmqHsn!LKp1MAl zDQ-_ATIT>YtHwTn*^Bk_WXF2ITgCp>(dl}-#}kEQJef=934$}4?GCf9#*c>vv?yf@ z#axlM7)@}XSIXUYV)0ZcZI{ExTxDwd5u+!@F27OiSJF-g{ z4CZK*urtfB978j^VP`JS!yX1(#}c zMzqcWYF33lRARqbjn#J1TCStc;T&ilGG54Wz2gCUq%y_LUFSi+214IAqLf zHc+u&hg2$2y|gZ1S5tSoBfXtqqZrKB7Zi48vJAHqc0#O3p-U%V2UGVkbd-N2n)S{e zsYVFM(P_t=05ounHq<_AJ+GZ(RH=u3?$yE7GsLQ$JL%3>=-6R>Ewx+oI8>AlqmPq% zg$(+DDhZ8!{th4Dp$#i;t8zrK${{Tu(wkGKrar5v8vs=(ynqtO1~1jZ*j6qp02`3i9=@{kN7aGV zHtG}DyeH0=;Qcz*W_h80e;MBh3b!W%bY|I^iQI8T?mrSe|zRJ^uoMUL4+$BR_Pfd%TLlVD^Ac5-I13w0#qO zNePR3_NbQgKvnnnV^G$YL#b*|L!SY)+x7Gub?k)(dvwQM$h`{cWhq&KGVc`))yygm zj>+*xrEZR$Q@uxXq@6argCjhcS(c-|qQ7OC<<#24nmMw?7vq4(o%8D$45nU`eH4YB zJ3CR8ovF6{Or20_nNu{gy^cvmtd2pA%~nV4%f6xRW~yx*+S1;7u(r>U!lAW~K=HM| zW~BxWr7q(dDC^82t}FKWAcuAASlg)K>!}l^oU9v1;u1a7x>CFE7>z)K-_T9TmsCHxsRWUYlmOol|M? zfYVdHLIH!Rn-`yfKX0@iSJ|2B+s|HL8|*d&PBcHC=SJN()aoNI>sTF|sC;O(QPKIA zJTlqo^ARTpt8BMAHtFZh@w%qg`VtQdgZbR}a!+6TfJsd0Z|Oy0-$l0NMU|*?ykK5l zLrw4X0W(SU$)sdZsqTq!td8yBlsZ-mS}&mwhj-(!;nXq4KRVPg*EsUB)jc&T);$Gw z8~wam#9+Pzl+9VknMDt;Q*}OkF_c~Oq)*+b{jI6XyOTvVsyeKxof<%X4(m>Ze5FHb zuPXQ8FkdIfPV1H1|2#QjtY6iWgW9ML8Gq&MN|pyX#3csv6=7%kIugy~MJBpRb!%&W zKiZZ55QmbvyZ{rhD5wumQSM}GGN^9RZvR9Z0I3Z5l;ftbfncb&OeldLM zHVX!W!PLeVJbmrV;g#8!pU)N2nJmlcXay3W&;wKiS(Zig+)imH?9{8C)yw1|Hic?C zO+koy>;XeX)ysZLcb-R{D;w-^q(KE>6iSbG`+dMgRkuhX!9(?vqsQskVQBpXj&fSL zT{TzngZ}JTXqIXV>T0p(?6(m0b%BMQO-ARwcBo z1GSLbQnE6NK{f5J&BMuabi2yCir8<5-d*%=m!w%4nevV!)K_h^XjNU=F*pRR22jzo zWPmjD9km7D3eI)_ zgBJ-qkMw_Rs<#VN2|Ll&{$mb1VL8U`Q_exRz?XJrIMOW`9Q0q#VFm|1t2qaakL*J^ z72U$}f#L^f?<$Ss#2&V zh)6Vsq!WGHN$d?fO9+C5ZUzJ8hjmEJuiVSS%c|8n0;MYaQO0l#P}NehI`#GOaJRdD z4)s`}vKn^o39b)s0yyaV(AF>*4Cc$su_iCI5>QjUJ=W#zLAsQn83qDejRP0if(TU& zJIm2@S8YrY)!I7xqLh#A1gXcZwn=NHg7Z@vhRUfr$6zp+F9+&W2b}tBS0;J8)Dm`n z&eXm|{zzn^)Xf*`ZS7lSKgX|$!C)|dJZN(rQ2TUOWo8y6NxcwAqrz`HN%Y0*@hR{0 zDRZ(-eU2Tk$QRu{27|$1Fc=I5gTb5tm3}yKkeb6zs@b_V`}V=PA|L5U{f`Bx2j!!C+C4B$AQ{ zN~UO=&EDGVMfdwFjRksmSSN)-Cb{O1J3UQKn}H%EF`rr4@aydjjUF3QvH?W+KR>@= 
zGMihP-D=heArX9bVSZtCJKNVk*wN%9B@spx42B^Hl}JV+Xn13r8ax&qx#9d0`py&%2ph;M94ysmw1BHvlP8s0+v!N7z{?@MrTuVqoZup8ZsgB5Esj=QOE3_ z7}(qBeyW#ZFc{327MK=QlqpPtC7;P{ZTU0VEXC>V?k2Ct#wrHKL6*c~ULYu1r-#YB ze3qAN~wSw^XU2)kxQI!v@X4L6jnq6bm4Z%d49S zj~?_$7Pi(m5~(yC08lh%cY0hdJ7^?0Df1)c^M!CIVltcTP8+pb2wu^dgnV9P8JcCQ z^;8xL;h;}oj1EtO4!MxCiO9MyV01J$H@VPlj-|NYAP=ve(d4BnVG3iZ{1l7Mt$LAfnYm2n?O-_CgnpW0yNNcI=u3qfBi|0 zuynOIFmf@zGW}0K|5ee}+1}>nR5NtUQII6@-~A6i&1S_jBi*I!Ljk`vPd&1n39SC7 z|M(v^)1;@ZyV-4}gxuER)T8@%CnhHEJQ!OKCD#HGi`7hL{XhBH&pkuetQOr)$9CB} z*;O1hPZVPFOKZ!ayxZyEN|Fde6A3Z@@vnaN`}aQe7fpTr-Nu7)C%g^G(Bo$l8P;L9 zfzX$zKEqZo#b7X)FD-lKP`SWoVvq0NzxmlspMPUwet98~@ia6#%(`0UxPy8i7IW+K z)0@Gt!P^XxPMIjeVJrNt=(SvzVcy=g$>s8}s?N8{nPu5%)GH+i{KznqZ$Ewj;xc~! z>GfwLDLbX*A*aBS@sp8JT-G)fx@28 z4CXYz$2^#?6Y8hE(r3Py+M0j*;U~AB&#y17EYHp_=}GCxY8pIjZ--4b1Ig=yIfgPTA8_3wQJLra6*Wh8w*|J2m%%JNFCkhi%V`FvsW*+eKD+uDwCq?C^M zC#I$sSJo5RqSNh!W@`F?V7>(0zJ1%}a&sIyv%&NH;^LAZ@MiP=qcIHTD^F?Gg1AG< ztxY`r>F+*bEbjh+UP&g$#up4ada$P{o5{?9&dkjQgF%DU!RWZTnfdMQkkey}Y{%zj zHw+AsiTUPX5{@S3XJ^CVu*K;N1^jRS@@LOx7IY0AZo5stbMeW<#3bx=R;yKAO{G$> z1F|e@FsNZ90G4X}36yG83OfyDI$MrN2*rFhNfX7#lgm+_JA3v_OOvOg!M?UIGd(l2 zu@w|)gWY6|Z7j_%uLh!trNxDCC~WgIsNc|$LS|$7;fD{WY(3Wo8}xzs(f{v%`JnI2 zl}p1dD+|+;)6*ON5KnMU9r^Tw-`!u0488KrjoJB3Eaq`r67l%d?5a`6>KS2u!#6&? zu(q~N(Ui?<6olf`)ZFasd?*;CIi22QL~Ws)PFvj0U@-FW z`=8qF=H9;c_0{#MnfcYVbx9Vj7WVOzXFvPd`^ikk+vG7Dbek*7Akb?Y8w6*xm`yO` z_0^TPn^@w$yASVCAHfB3)r=b!isrt{~{G&}Tx<(apC{?m^~SI@ls z?V&bXJh=W8ITDaGX*3jo<&7!JG)Qv$MrQ(F7k7W$%k@N9N|{o0=NcQViy+&cXQvrWzp;4t@CU zdy5;P*1jQ^&9pE#y%kMgymUb?=Qr0^#wMrNeL-GkY$k4dYh`{dV77a8q%ijQVGP7W zXIPn?3I;aUH&&N71B}7KO34r3`Q6Xnxoxz0yj~Y5uNqQpZf=2|n#~rPMqi_eqO`ug z77B%7Mpb%(5M>F%PO#QGdNN_B!DMP^Znhbz4?g_EH~;cqy>jD9tFbWl;Qq}!&l0g1 z3|M3-N2B*A|M4f2Po5b#VQhNt+0u4fd%N3efW9y~Lu_kn{Qj+ruUylcY`^@;I~2qI z*`K|(Iyd+1(bMR5cx>z$YqvR?JAd=@4|^S_`-e{#SA*Lj|LF5)-mVr&ApY^+{lm&eFh#H? 
zA~SjSz4^6`P`Wrev)0nl?Xc*}Pv>Lh`x0^B-FWAnKLmrJuC7kl`KG65A3S*Ic6&UY zlfAGUgZU$%v~$4!V)D*AzkRrt`tyJFudkdN?rCk&33-Q!Xlb@Qdp36S_QQB2JUu-T z7s!^b?%)05w`;457p@G>%&!0bcMrQgy6EbYpTGBMTwvDb=kDLT=WJ^iB=O@v{9$c7 z-86WitHop5xpHW1Y#jDDv)K%LTsob;bLZZ~#8i8GyUkV#M3vsCd+hFhdq~(>4$4*Q zlB~|}_=UpMCPPcRz{VMZ#SjEd@=PImZ(>z8w_onCKl$X{N6XQ_{$Kq|Qz7ud+dub5V{@y)wQymu z*}Xdca4934fBl=k{KsF#1Ho%odsdfMfA*W(UCnMfv+>?1cb5HezdyLJIM?6by0*IV zt6%*gpBH?an~8kU+1g=XDO#4Yk+rvf`Qyo@_3actKD}Z$G3n^)rw^uCTllP?o5O7- zKfC#0GmuzbS)G}kJaeXJ{Q1Fn?A z?=>4)^(PeT>l?T4+{xu~EiElHMa?fP{QjMH3=R>$z-$hGH4?- zCKCDhv&WC-*CLm%T1vi%#rqlW4;)Xww7q4DD&r;$a{_sI6m9^N+8@|nlkDn&vaY8CO zU3QDjGBq{(@Zn>J!`9N)>S}~TqaM9_l`R~k@P*Gl`NZ1LdikZ78|>`N^yqdz_jr7M z^!ZBvz}Xuwz3jBvB)-tw(E$fT5JR>$dLYJrHa^`pcYg2&r^teLa+eNjVl=+4MUa+HYLCxH>=kWOBjkZfS36ZSZp(-*l za%Myj#b5sNS5KclyLY8X+mrOWL3}8W@J9k-8XYqmKCC zgPY5%;g@f`Jk;MiIXXT&{yY^8t*mbu+%4CyT+Bs-AAE8PLR+*oXxiP{+1lJ1TwV-r z`o||{`v?1)TkImAGw3O|$Ck?F?mnK}^aT}jnEj>ob=V$ZLKbq_^x8%solGu`KN){M zO6v4Rlm5=FPiN;AR@XO1$DR?SY#A^g3{mB>G_Y}`{>Mti)Ay9Bq$m?~i%juB$+@~LZuo;fE^b8tJ_RjX!)&|S-(WeuWb2`1=VAOx~@n>`M zE2|5O&qqi5M$UBh^iVsW2n0#V1Y^?cub=5yoO&`dJ3F_!?r7_@x;>~@f~DUhy*5Pr=VgcmocIkT7W6nX)`U(Pk(glPDUVn zTcK1s+tb%8OTvRYH`A%O-EIvB!@vCbFJOC)J%8%oTC(a}P4F(5;1DE1gG&z1!QI{6B|sp! 
zyE_4bySux~2_7K0yF&=>!JX{D_q%tWyZh|^g`7FnHPu}`T{UmL)#>|io!MKso&9`i z`d;Yz@{%fuhpI^8zgku_zSB)>f~QsH!+(38IztPGH51%0?P;!PXaCgGi)o+=VZNR~u+ z$bq6FWEBnc5c;}TW)KT>V3_wlDRM#ZSk_K|Xyu6%e_DKpgP)EE@xouuC6SetUI*o+ zoY~%)f8A`p0E*68ckAvXGh7!5Jfy8`&kk;$j4&FZ1L>aTu<^cL?VPYA2ZzAvR2VTO z(+#M`{_zMAugW@PVQw2Ic5zFSHF4B;HO(K+8s2I8H0Z>hKh5M)&yRP0c$v|A!l-#f zkAUFnqnLo&e=6XXHjI6;`pk))qW?Kd3rRc~DwX&6n7GaDt~<#0xktd#)(*hS6ZS8X zIIyLYrTb*fG@@h*xVj8jPAkZd?}9Q5T%DYp_3@6(PR*LVj>*46=GBw)Chh2x)s~cm zKGC!*r7++WX6_v=#?I?`9-qbc1N2I^blAhR)hl+KM;0I8E*cG8%ks=JC#lY010=X| zzQ3cje0OotY(_;8(UJx)As#%2(gdKRKp0wzFma-gocNz{3C0LvlFGLBu4oyp9%mJ) zWWr};rZpZF6s=Ob4%!K}+=)-&ptSTfpTAE6AzVPNjC*THR=BBxxkpHz@jVXN*EWc?bPG z-|SbwfetO7r`K^3<&FJLsY2F;9}%odmL5@@!2W&$hAzhMm?Zu^AL67Uf;NZt2vPFW zpT!SKdCRR2)q1U%3Rcy3bMd7GR3x4y2RCBzXMeV78BnfWU0Qzp?ISCkJ{)lgFQ2qw z+MC!2fLTsSa!VbzdEm&BAE}W8m{tROYZ#IT{c(#o$1-u>#s=Mp&Yq|;r%IE<=KgLx zoDQ{P)Ma&F;u_nlP0fI_=fNb=tY0&_a$8BJ&q#DP;2}r`-9Hvy@bP65g}`dl$%X9k zw?stc(xWuS^p4p2J_&&mkJ}lo8d7q0_f`1`qPEYu^8KeL9eA6-f(Y_8n8rVNXEG7! z*L}E0@d-2-uA`z>^~12zmU)h4`9Cbm7hDj?EL3{HXF_OsD?9wNCs(W@VZD} zj}RsM_q_fu8BM5Mf!Lgb0#w$vF}+1d5z5YjC_Xia5y zy15s0PK$#?{731`KvGjfZ9#do1?jA%^{frfSSFRZRz6rWRlIkO}HRZWjJM5)MkkLrr@I1XjwEW|iqA;N&iF$5?J`n%<^y=yiP*b&Rp0=ZT zGBSX$B`Yf@;KNK4K=Ovwv{pMTb);9vx&t%l?lif_*@$#lD`&V?Uvy0p2W;F{|8;ZBrrVuBOudcSl!xM2Zf5xU_ z2Kp{i8_Ev;Vk^kgNf>rFmTQb;aL#Q1b}Vg%?d&zeblfll)nFk23?jwpUDk2rno&c= zEW8YO$JqSYQsUjqlR%0K%Dsq6IqzfC^uCtz)`dy^-JhU~W9v%S(^X$~b~Ov6;J~%~ zG=7*A2Bgd0hs0sqwli^4)7|v-+u->_rPG+uE-&v5r@-BD9E>iB)6Ua%P0w4WOW)`H z)2wkiz%+F~RDTgiQ_e%k_J%O?$7IhYE3ZZ@H-4FemivQ@Jj_^tjKL%n zOYjN%B2~8NdyygQeE#5v>&ENrrq26vV%-+Ev%bjWjqh_CH7e3xZhxrssk((@nP>N! 
zL<1~CMd?097Q+l$xhle>O7(r}0{c?^i3T0JERVU?A$Kjpw=T=|{ygQsr5gM301p>Y z@OU|ye>Pa!6eS-$FN2=oAfo#w0|T}F<2$-4fDQ#*Wdf^YV%9!6Fd>`Ynp@d8x^L&d zf_bqRHFk2b%YeUnbl+k{clLAN}~=kpCi z4tI-(&n=DsudB&-IwKe%R&8BOq2`LD=PbSS*%OCWDI~-W&|i%4tg#WWn-0$xhd`>7 zWGy#WSu3VwsV(xkHy+Z`qmd|JaHUJgv=LMK$h{%cuFg7g2wAL~G#|UNViY3P)by71 z;gQeZFH=^G*UrF0%V1_WJe;`g#vfAJTv;C|mMoPk@&;G;MC{6yRg3d(*VflA?&~fekQ!ibQ{57 zu?&~-FIa%&&!pE|@6q5Q*Weu|I+*Gjp3psRE&1a7U&7qMM1Pg|dxf^{0#AMa&1&fH z@1NXPKliRXH$bR4iov)uL^go)2k80G>jr%Y`5`TDH zY1gZa55baV-yLl#ta<-~j-O}odLB8cCNVoXN=)X|?rd&5zo(s-^$7c_6+ZhxVJm6g zD?qlp$N-@m`9rq<#^>wU*yrt9pfvn^(na0K2|Ir6G1J!f6Z-XPtK-etCgq@NhCwrm z{uc)exNe!&(WRxSJS&7WM$R$)79*3o&iic!{x+V)X@QyL)t?8NoSzL6mcdU^0vSLhjyzeVh_44%6N&zxF%Apf#HX|ie8%H6e|I0+@ z^-{U-1H^ZFX-+!#YvU>zuqF_CP<1``XNOI*ea^2Le9!fL0Mdmxlih(v4QshofW0O9 z!PMvaLZ6R7*W;qnmW?wK2*yn@CLz8zYv)VcmPW=&g_;;6TXdvd$R!-9$aLnvzb8fQ zI8i)3?q66n`I+=(0$a$Brn$M!r*z-vQOH`|vK1w(>B({ssl%oqw=CV!8mpAO@AWZ0 zLG0tc0?>AalA~Q$w`X^}eu6PO+XEvof5Tm7W@&w3!DJi!$@_u|u5Xxy{-iVhWSUVh0f(?Me!<>mJ9#+)a1G`cE$Q&MKyFQfF_nT7TR9 zpvaC~Yk&B%3NdEGuPfcUs10qLb)HyEDxv@=tpe$X`AqM}bono?t9`Ey*V{0_4jTG* zNwa3`_Q)PKNOg)42*FI+k?f|9I{o+z`rCCIK)Ji??!>^~zeg9vB;PSG;ynl@SU@3A z9N2k^VUwful~xj);_+B(MCq~kCzdHXDY*K`Q5mgY*lNFyX8~`Ld@U`94cV?PZyF#F zpW88>n^V3aMC5+lh0IDR5lOSAee0?X$K>VZhv0iSJS&RysHy3?QLCn0@6RxaVI^qbjdX3UH=)lIEW_t+0K(|d`+jdzphB-7aTxq@RZ zJxYcG`Z!qGvbh{xrgu9XZ#MFa$2r@HM4cVIEv>xh2_ik(l8VI9T5qQ7982rE2fbn# z@ecUKx>0#JIsbP46L{p<9m`hRLJz#dQ^Kw<`AMI1!S2y<*S9E3c3ZChc;ESWq@lAM zieKGX#lpB-m0@mm{dk?+`S^Qt8P0b6cXN4kJ~M3jugEja%skG6Z&f5*N=ibiS)}5UqX`U}~82YOa zOl85kN{+?g;BhWGlbRcLR!0Jf*sb4xCn7bfIIV(je0+zGZTMa7B~4k^e%Nn5+A$RK zw#yLuedxBScf1`*o!9doG@iqE${5^9G#WDJaJ><9EW~HBRna>Ztr?C z#ly(EBEUH{IW@IBi4?g5+qHeB*Xh#O*}7`Qgd>W?o5AO}gI}!&`6w776<~NI&p{yj zJ#J=VCb&bz;_AR`YNrM$muK^5Eo&Fb4EUa1&zTMf*J3U16p)-_7T&|c$!Wx42iIOz zSl*gjJ8IZ~dgIK-S%Eyt3TX(#q>dFe)fnG?x7(tPH_C1)ly}75-&=2b@4?gB!d=Op zJov?q%X&025)SoAnJtqV;I^u?%}LLv&RqM_#OB6_vJ2mWm(D8|z?uREI9aaVnT9xV 
z19U}xa!X6U_fGa5JkyMnX7-({JD!(jhm#Ftv?E%&{N*9bZ)@wu%m&ZUk+1I)%h%nu z@ml)5&3V28KmcNVP#10`;ju17e5gTcQq#4q_k+$S==S%bKXg&x+KF~9PCB}5y#WI0 z^4#XGuZ%j!Cq=pbxw#!Dxg9Ryt2>uXSI&*;oMAgZ{9`vxu%lNECvhv~L-GlaNIN)T zj%UoUEPfPD@Xt&SCPg&?{Irm$Tzot{D|u7B_k3%8^ZK5~CHY+fXKpmgW}UY!%fh&vzbtElq|-Mg#kH@gOkfT~SdHe)Za(jcsrs zDrdli&WIe?8YrH#zqiz2=yW<}F5Yw!m(VcP312SyoQ?dHOY(T=S8)wcCK#~jtmwH~ zO1R26rvJRiqq;&vUU9oKR-{TFoS2@TU0jvGuZW{Vxw>+4amnQK?6QP-5UQ(J->|Zx z+*~aQa=;3iGIlsU-KTcxl`rmDnHAycS~_k{{Izpk7qnE#zh_jA%d;jr{XM`Hvbs9C z#LT>6>$(tOV(P1);mWgDota!(6kO!k6F89osU1A9Iykm))w)s-$*-+EOgz-cP>-M8 z$0gumS(!H%at-jyN1d`@%jEK`DlV?>EFaCwZ*ApH!^6M&YjD9HnvhF1pi5Y}?sdV| z+Jlr`FRYYjesI*Bd#FLb44$Z7RTz0@;ANsjA;|v|8F9xQc$t%+Dum10vMJ6`T1W#4up`^4OsuZ!&4xJ{z!y(WaYFR@!3_Q zczN5v9Q9Ad*a>_1s=4crOOLAj{8bBf0%UqLkpMoY(<|W@^u*5jUdUMAn{NOV(@uo;x2jEY8*<3xACdDUiB^iN0r%3TWAz z(!PREq9P7$fuS~&Y;Tij--3IRNdEPmM6{-a=t~>A8A4DVJ-Nj3d*%?Y5(JT8XXAHy zYK3OIu-ZcIm-4T|2an zx#jQ=2_Dpp2bP^-f+m5cB^CibVfj?=QjYcr(WT!DsbW}jG%{Q1sCI(F$sy7ooMc3C zc4riG@73D6tF@cBi!tUNqpAm|m6DdKf>WuvzMoT9-Io#zVUi*%;VTaABJIm2Z96qUrAg-o_M`B)3av7< zmm!dt-kd}qa!x1GiiEh-;FXp01*$!tI5wptiY%-yJO~kr{*x)E!6G~f5Usc*Qr$%m zAeYvClK>%lR&~2@(LGME;Ie>HEC*_?ipAtqpQr#p-$?RDR?578g|pC9X=OzT0CPK9 zdKFsg$8t6`!aYe81JlTaKH=|PZpJ?R8ONNCwO!pudX}ob9IlXQA4MH$&k{{0p*7m3 zoRryRW;?TXJOXw0(gnUm8Zn-=H%4`)V!0NpdksJnwS0p|yeX~UEFc`!NNftUzj4?g z<5#hjYHTI-)oPrNn!nv9n%sr0B@w;^pAIu#au){2yBiyI5$|Hmt za-1^Dp+;0tRik1p+nlp6*t-1`+|c3`m7q;~IulD+VxfrVe_(g2d01@tl$H_jfg4v( zo9CyEklflUAhj=6rBRrze9B1|-x)WX_o2vwwb!!rfC|oHzI^e7mS^f%O0hk*hn-_a zIT?uxHbkxB{#huuhW5aNyL2%)sOzcA%z1C}a$XmmLd?#c`6Ok<0_kNzm>$gz7Xb+J_ z)z67-SGB2QpOH`CHQRVbbV35A|NQ|7S~W!@iqE}Ne%9QwI(#+mlfU3Oz`VJC_9Oby zdUw*mlp_9Vo58oST86QZ2C-3rhk=|m{s|T-(UEO}&^+;+kRee?#^0hNswgl00IXp& zp3`uzEsU=URy~-GD&{+WMFTHn;znm!VNGY^It#S=kiZ)3u0J2^mzUFogk)NP6Yj20 z*Ft+YWBe+5(u9t{D)W9reG>Uxid=he$We!$$rjMc=Q68`dWzu;Q(Fdn^o_N}s-r3_ zL(^)UBYZ#+Tz)a1U!yk4%X*GGPZi5d8Y(Vnfr`W^WHopmbnRH3_#K2*ncd$WU+GX7 zg#?P>8SqcDNa{w6YMA-8R_Xq}@(RQ1zF@+mioC%I3;@G}Uv_1agEXu19PUNeJ87^% 
zF}8Vb7FGM=U`eoYz4|7DKrweloa1eva&b5_P;V4?_h)iP?FviLl#=Z!NI^XhG&#f) z*=RF^R}zovqo{-&9M>+{Ye@A>d)r=fi(f}EiNH>=eUY(vSmJkHGHZ`s?;{k zdA1Nro<|4B72BC%4|TC{tA%>%zx#W2mNcE;Mts1jRd$ttznVy0nLqSxF-J6F9L$v4 zBYa5-6D3Uc!2wZ1TwNh^KmM}6cF29TbYoOIqgsXrRltW*8C*49)lIi_Ou$IboTZ*+ zyhd@VPcsK)pKocxzeE!78xy||!pU5hy4+qL^!-=NP3Nj(iP7rfY;{L-Wb1nBQQ2OG zF>0Oa>&!{XNH$XY6QB5k&B%0#%d3b-QF%#a=mM?!DK96&)Bs}!OUAXu$jCeakhs<9Omv~8^SUiy&4$I$2NS8sD?8M+HX1RMXUM0E@3khB+Nxx|coyp2zu zSC=6+t64gFlQ0;H+vRs{$%a96a{aW!;_hj&lAKAJXRT5s3C#*3fWN#^1Ddx)x(_kw}U{3 zo%MwZY(5PH(Ri^jd4#*-8-Zypx{NMXCiYy@1z~zFZtj-0gLqLXDr`FJxm}$ng@4bc z-$t6-u#@tOOii-+-P>wAr1!5B?F~E}EWdg?c`Z#ZR0tT7ysji|e_@ID63SdCH0NCZ zc9@4bn?!!~%6QAN^-}d_G!wu?9<;+I97ZB6nu#j3@Dng)BJe@u;%A2$JJ23lYKXTu z?B8yNHaGW*Nez8yXr@ZVBM2_spQIcY$I+NKEd8c8-o)VxCc-?(>aw=B z?elGt?csI*X=Md?TWsU_hJR=$EVpuWnZuSsnM)E#G>Uf%mBtL4IyB3QW1heL*SB{o zN)wN2RVg<%Ze_}>kj0mpohohWnCHNZ`??^-uw?>DentGvp2MZn(D$A_zOsvxwG_A! zd}~g9_Xokt#oFD%-JCyu^iBkL2Rp|KE>()Kf2ksgxmn5BOe3^R(RYCwCoetRJ@)Y=`uRY@_ih}Z$%kSH1?98o z0R6D8=Y20Uh>F2j;gaqfW5*%u_wlEXSNi{ck6J!;T*3O15i4wGus;mXSKVA+q9Z%r zEe*?|90T#M4w#V8LtOqI2Qrt$v(!rV_MZ!9$|tS*`A^>)7A-t4mTj*uUE+sq`9j7r zE`Fo~fWm({lh&VgvXVGAhpXFtY>Y?<)=6|~lm@|d11W!td zP9hFOPTL8kRI0{jNtP(}@M#0+z50C7`8>?hBZ5q=!mKdhkTv7`(7H}|bV|CN2g2Fe zRo9J*B7XiYA@KNob4Ab_lb0ensxW$qg4TY2KP;baGfhmQIgQVt>*jFy{;geuPO{&|4W$gPbxHB8qT46zMke{twZ~<;fod z?_AO|H!qoC%CRXUkg(|nUuIiLaeTz0i(HZ7!%(llPyTQmar$#!1`N1(#LHm|c3dX{ zbe4cWBl2dkv9Ne~io%kG%yeH3aQUb-L;};}#7e0sFiO2*qeXkv%hya?{kAyV2{tMl z3)%EVWGF8+2nF4<8)aV|RX)s+UT46Vo4d7o)os+Uetcw%P{HN^g-3`HM0+_==PR98@`U)(s_J7L3(JdTu)B8h;@Ts{ugo5I|7YC(acm8(mx z%F5Ks7{UC0Jth<))!Eowi~Ait&ZyDyl?ZmO!-lSDR=YyqW!xV-$KP=udI=nn&{KjgV@QqH~P+amwN%Yj((_ zVR1!L7t5zbw{FOOH0Xj(W&!PP}!rm)WDeYtM=6N<6-2 z6U%ri=cU&-fU3c}6c2{FiI_A3j9_75W@Of91DPfWKXT@dpIw_+I%&{8!j@6_`ZXW& zHcu|em=Hkxz)ez^v!?x=%3HtWjE7Y8yW zR;6_VE{XGbfSRt zOzzbvgGTpd)&SjSSel~nWs6S7~Ma;Fp&ezW#p_&NXSmh z$+}?W5@k>`U;vD^)4-%tQ86a!C?3DKGP$(0I44W1&^%LeCf{U4&oJa`Esi6aKmI0c5t$i zQtk{kez%a8ao$*8DMYdNYXH~!qz1Pp& 
zNL6dXcLc9;==_Me5)HoCZ&9Z^<0*WW$sX}Ypgn?q&H;Sr(siCI85Cs zUz+DHE;j4{d6>e(LSd!RPP+JG;~xgs*vdEcgG@r3XuoMiFnu zxR<;?cAgo|rAhTZ2PL-Tsb53c#+WBu#Yvt+>7nvOTudjLw9osZsQa8g!vCdIJU{nKD z9CYNjDV#jK`Li|ZXz;1b#?bJN$_tey)c^~>T3~6_VjswL6PQ;h*&vp{6>l|V0JCNT zl=UkD_t8wQIQjdXYiqhVLs@f0hlR6JXjcx$o|d!jASv3nOsuSBEh>aXtLJw}JeC|) ztLP=e|F>SRzbc~04_b3MH_uKLZ~bqr?Ytn;{v-AoBnZq)v@aHGJu`Tjjj+C#Rn-D6 zriWl_Hyg1V7r3{JOyVbp{EYpdImB_I?IEqE3U%0@;!S*+ zJ+BmC-g5Hn#h@d@{@<4a!jAhIb)c-jRG+_j!}mc-R7lks_dioxxRw_lI(w$P9WupD zGNB4~_qXLiYXR!zUs4M}c_U>+M2}4v=Y@O*ltu|^FZm2$7xJT$#*}N{6Ki_iNxt~y z_sGBQpdCI4d6Kh#m&Y6e5Bxg*VElOfT=lIb`RitcRl;=ii|jRyf4v+Ck6Sz&pzdkv z;Vh7Ox{_Of1NAt*lZx9h{Uk7q49c7|@{S|y;U~BYG5w*vrHDg9gvLG^O|$pc*Pt}-4vH)LRX$M5xdB6Hi|l)*P(N>9{S zNQl{Et0@iGEHP0}0x4^OZ>Q)cd{X`J+#Oyfbih>Jr2VOXjpK&hNwr?u04y=vxBw)` zP_B=?HK~|VR79|-3sT|P#ML{lc$GaZItydqZWAV0+{^Eh5KB|Sf_g$(JC_lg6$b$D zFO&x=sc3%CXKr+aJ4n+fom$lvl7x!a9hu8pQW^BkiHvA5YFA9GME)S9vF|4up2+cF znl#bceN+!LU&TZW-KR+U%GWLYB2Vx)g>igp4g(eXR@W(}jDrhiKLQV|Fntvr7{{SI zY9)8BP!b-auMSr z*8P8^bzi4}A0DJcb<2^I&Fl8K*A=0PT{KITtp;SQsnoy0ex{|-QWm)lq(AeADoFpE zx0Hu7OO%*XZGecY_eG5QTcMNpMAX|lRRUqCG(mEz@R<1hnVq>g`Ts=gA!~)fLDNnH zq0oNydBBf<%xYquexC|2J{p)ZwI4s+uA&uDV8^FIF$@Z=Fa7!R_@_^uH(mt~3xT?m z_rlA?=X>O6WNBm#GMTJxe`W_P7MPRzYb4hymXs3;pYz=zT;O zg2@^OD(ZruCuc*k;ux?p-iING{H1>9#of}})K=5b(1bOT^Sdc!;TjAc16Nj9o1SYa zh5aIH{)~;pd?(9^4iY8Z(uo%Ja+GnDN%yzJ4;&MCa8)5aOMr}G(GIjA*zm6iaR$C6(~ z$8;eyK{Y}mP-Txj3iKU zM_pr{I?SGX6(mM$K>1+->BlNjG|&Q0^H|;T?hR(Ic$G`stDj|%FpEtCCG5J#tK!lM zwCngM8=?sk=$jkAA4j%Uj%MPEzs71RQ(^aI@n&SEr)TM}T-xF|+$ApVgV$RmC1q&K zhr@?q^xfPJrxy#iOBe43CkHDd+58pg>A`X%bi$RpU&js47)8sneOz1(?7ex?VAQd9 zu}%6Y`?KZ7z$PGf3j=d23kLwKPDp_H>hV`^-{K;E_^iL4BW0Q}fP}L+Cz)wL`K=yg zZr>a!?&<0Y8U2NBC~w;2PT*qU>G;*1lpa0R3usYVSJ+sXU;IuLA1`N1nB=3L!r&_3 zlN@%G&^&4^j8rr4iIoG--m=HDmyNUaI+hT#g|vBf6basIOrHN%%YbWaVS3)0abMc~ zffI52ZSAJ{mCer(=0DSu05zKj9-b_+F$hH6L3nOk5Z=7MXdD$B!TT-N zeQ9Z#$B6nIpC!L`Zz_Y~7yISa)fM|f%4ho65ln0jbO29)f*MFCB_2M!$rvO2crv{Y 
zRq5K~vZNbzO+gvni}9ie1CrE)tc-r=q)oAL?24~E_M9c3oM%M1l~nq)F>6{Y5BCTK zO>)#PhrB^6NPWS;u0tFn4+o^~hwOBN?QpU*xp0>zJyvE4!A-yNq8B?ZqLo#J={qtZ zN8j@&;?LZ^K0hG+-FEdV(_&IjsYt?zoN6^zFR|v1(OY97O0mRs*{nX-fZxQSI1EUk zPHD;H@x9%O-!uo5Sm&qa#%jMQ4iv-#DVPR!F30_?oh5PZevT$r5xy|cXOv0+1}Ny#kKb^|@R*j*-3#Il%*tfB!ZQqyD{les|q`03?|nSnY?(hDFL zR{{wZi5+dclI6ulqPX>HiW&C%ZDUgv)D(D_?t{Q17Q6BnmQY?HzyFZgp;@)=NO*($ zkI8>d52HLe2@T2iwkMAxtpn<{^rL;h1>I|V!q~{>gew9>Fy0^MT=4nuaiOe$Z!hQ5d z44paHAvz~c9SHhn_aE+C*|HpP z31jb?6s`H5t^zf(c8jN{N5{rgk3U|>R=T`w{B{`MTT81d!I7$g_9j@G`=K(6u!7uJ znK&TWQQ~4+@5Al}cfVSe)0R2~8*%v;aJDXgsja90L)bh~2w*=HiZV9P#WIt|!YI_Z zC=_QU^__T~ufYRVQx^u@Dt>P9Aeh2dRyp)kBO`m~ukI|M3o$++x5&@@M8t&II|`eg zpI_DB%Qg0gvW`O&jc$aqyIlYG)aj3Nxu+1Lr(}d1ys6oE^j3~%m zUG2|OyJ6RTMd2FscwA0C>ie9JrOt0&cRB)mA&|3&uB8OVU`|T?(WNOY`Ox-xj23pz zka)fjbtwX39Yt7>87O`iF?xP_c6z@l{jpIN{y{CPf}BBdoqI_iBwu{YE+ZS?Ypu}X>s($iZLr& zb93T73kb6)cOtgAu8!rq=cQMdr~H;NXd1$hVPNKDEY~b3T_>xo>K^r9o;X-puv-fK z{}D`oFM&eW*`_uCwNQeoh1zJ8kZEJ7aCC8C#F){@dHu;W#Sc?Guv0~Q2e9vQVN-#o zp9%KsZ~i+($O#6D3Y$!9stWo$)VFzw)A%K(##R4v<99f7gNaXBO$){oA&55?SAi4x)IHbEa%ot0RN0=fxsyJvA-=4cHkI+~91EkENIbcGBE+Zb8+=n_4Hd1+9B1;^I0Cg?#OCC zmw?)e$AI$Qemk}gczQTO{Tsjyy!-4&cx-gjh~fGj=)D0eLkV|bEbi_XCYwN%(~X1T zVY3dc`j;r;WuR)%&~)2%wk_Y$BdwY7F`8o6)Ju{&rJA?Q5Gn3k)>vtQ8V$do@osZw z07#llpYG$ON4!*X$U~Hcbcsoa=2l{3m|rf%^tL$)8wR$d8C=X8R2Fq=j;cxYlGj)_ zjEOF00-5A3fk|65O=^vxFpD3I;;KlqePog#)>loETwK)#y5g0byxKIxcOX`1$u}Xm z8ud;6de53D7Z%u`rtd{`iD9XO zrnboFH(2zvw;;cs2(_U|w0ht#EXza{AikH$`QPfWRtb}6;e%|NJIBWUOgzO4q$tgN;iI7(f5w9EHXH;0k74Q!Db6k7-ie;&fQ`^=Bl zq6L=_z(*IOIIV4hHH1QgSN?wsN_*4bgeCL4ra@dR5QsPbQ`Qg0F6E5B%%~d*ar6zk zpflQbADcFmT7-fBHxor54dVcW*cKH3%X$^cubRGw!2j7z5Q++yR^M)jpdT?naerC9 zQk~1fgbiYx;7RprenVuyo`GRW+X?uptm-T;V&5SCX8fAyu!#o-NCPb)Fl8TmUI+ha z(DzUh_doWZ<$E>1DpN3EMIkJi#GWa<|3eQiGm5sK#4*ZIU*85BTcGmH+VX_=A{i9Z znKCbWRh3kfy5nhIG`@L>S}AS3q;34C@t1%!N5_r`4-f}Sp^koGHLBODQI)gYObB+7 zwt36=5+7?gn*mvelHOY&mymrpG0~!&2bY6a);MUy`teG-Mb%4lq14M5DMz6BGim%_ 
zPTZ5AdC-b9@WO+!YO;>r;#8!)9ai4UOdlQcbKdJ!6gz99VD&tfyB_vzBZggTGJ}bk z=UvAdlJiOZrS7M{p#p4JiMMd_m|hv2U;P z*99#bMZ$%`Grh6Q%2uyRcxY15>=0&%cf7^yrfn zpA?~_HacS)-}AwxKle$t!^Fr&@5B_xgef|B`R)O(7*~J~VYcPf-ZNnyKI%N)NI;H2 zA&UR;Xs{igLm+c2T)V@>kt`=z@NFz6jm7sop@x=EQ8^x7Mh+fJIAh^CS(3uDL`ShR zh8=b{JELw6Ix$G6?GH@Z@RVk6->JT{7zncBwL9#Z<}C})>H`Ow47dF(HXJmn(`<;J^Z7a))<+ka;7p56$QyV&KaXXmLrzxHGxTYs zLEpd75T07x>_zmEm4*>eBPp{d6Pq3XrqU*p3VXk0s9luG(RmXn@NXmf`EtDD^o(2R zPE>CQhuQm>D13G#`QSfn2*=R8Uya|J(9+Lk<@G8O2c;@uwML|w2vGvQ9uH&3o(fsw z%I3=00Ud0bPe&)KlY@(1xq?G&ngiB!V1c%Oe*xkIe@WqQoGj^h#NJL1W25lV*;YYc z^F$GO6~5o~HV^7Q{YgeU<&zQ@?ueXSc0E~dd$4n6A=#SVR5*RQc0FD5W~4BRcVzh* zoh6W+k{0tTU~xMsqAB1FQxOSPy<>g6C4VQ0l>b#CysPb6%hmqKqeGKl(Cfh>L`WR+ z$-DhYJS`RxJ+qZ=JGn$j7(kTlT-dKaaGZ*h9wl51JC5T#k?Mo4f1ePp-`9;p9B$S& z?F!yUOPsDgvA+LnYjbCsl=QWf&ay%GhmUnmXP|+LuwfkQLZ+?PE>EO9d}I`~VnxRI zc3jY(ne!>f_Xow%EL=o=CN&;odd)y@-hqs{+_x{T)6wnMRuX=1=dMW=ICwsH({XtI zLrW@8W=Xk@i~82k#@*b)!-V%e@(2Ui7A{~>_F$)&_zsFcTY!;^iASIlgll?~^K!bFbX0H2^%~aaO;X}QwRo{vjnBMm5%F_lX=ejyc8q#HcqnHxBfbsht zd0{eRprbM(rc|&%o@iWvY(4jIA+5&09oy&B6tI!VeqthSv(LZBhR-H;b$g zj#O|CRhTMIkuW+)O!0m2(7{JhVTroydeiY5)vVtT9Mdd0I_q4SU@Fz*Z$*|U#jhJG z7xDxFNDw4ON*a(zXsy)o4!j#AN|`x&`)MPW#q{}3|LMxL<1T5`>{6m>USy;5aZ>;3 z7|qwIsn*)ViB1OHJ>US3;O-gC_iujZZP(*3&TMKy4v+hLy=MEKLl??Tr4CI$p8-tg zvmxi?{EhLBi(>hZ$e3@>9a)z1Rn5Fa^2M!Q+tQx4<7hs&)`YYytdlHWXR{jX0O4WI z63JphhQ40P{biTt&EMXQ=W8=F+V`@$t=9*Kwr!+Hy=EX)qW_))_3sd4DFgLf^M*I6 z#ep1*#W$$!d{CBB)xhA^yBOMd)*da+c7GE|E{z;VVfIY>7TpP%q`Y?dkU=xW7U_V7 zQ$GK)3er@GD)IpTzgK-S8v32~`?DGhS1yh6;L4<@xC^(hukWZ#(0JC}Pt*#OJA!Gr z`;&?EFiE#q(q!K+bJJlbuO@-9!KjoX{@TjeX&)S5g_5}PLs?RCt)q<1wE)7XFF;Gy zJLOV3QkkKBZN<;ZAal)+!4$@^(}y}s+Bu;>jdWt8niDZhSnwoOJC0e}P6TSIpP9;& z(z{=?hTNHSVW8dv05^b8vMtM=EnNuk4#%~t@5*B+OfPP{4{r4PmILXOb z<0IAZ!ZzipG$u*dySo}m$0E@XZyx3YeTc=F-~tg1 zCAZ#XHW^FBSy(Yz-R`j5@s1u4(3{ev>uPGr8NG`bGfU{5IG`X6MUPW$Ff%O@8)9Vj zI@_-2a~vn4dqC&@?rm+wPB>`HtX|$@=z5F@8Frtv_5++Mr5bJz|CjQ)=8SJFc<=yx z(shEm{%7XTN?p&Y5epvJqbj$nr-neN27Ek95nk2UID2T3l9ra0ni*NFOb0Kfn4IgB 
zbiE_aqC3YZ^)W-;))6|;<5L|S7~yf`sC(uzjH*6a;(j5Ha5ybP57Muxhx6jfDPN(^ z2U9AO`qXhsMO~=)1KX4fil7erHMH`(7Uouxq>L#ki`m&ZNc}E3GXvYbr&*@s>shq4 z@%Vj(6mXY#iJDU~vH>%twt5|>tqriTLo_Rz6d6C$VIH&7mT#tMYdcrOQY_`I!S%@$74zC%@SlH`D|{(}xYk#vFX#o;)^xLruZcg~?&W?O*r6}(IC z_(4UQ3gi~TwQCn%^vK!-Bj*M4{J_FJFJ=Q*?T^8iwtYwH$z8&|h6cV=G#Cv%up4>! ztCEsCg@$7|!#uoet9wdhKyofGrk2A)>#|3Q2|d(S!jPFXbwoWzFHM!sSZ{#*tNWCh zBc9#XYfyy)MJ9uoBukSmkF+KZ?_Z^~iuTbwwNBRW?}s5>q%UgjbD>)G-S2N)f$vi^$nyATceg(<2tVMMH{>3+oRF zQHB6rrU@JFr{!gNNc<+}`vEt)rHPf4!L2`M36e@K#nYA?N(F7T&AN2h9!q@7XP~cV z+E>WElu&29ruMrSOd*S37!R2DM_m4|_O2={j;=`$1Pzt|K?6jA;O=fgf($T&26q_< z7F+^^;3UA{?hFKXOM=4yK?c_l+yVp$z76^Q-Tn7@_HHltZhHDmpPuUKI#qAIr;2N4 zWGqoh=G{`vBL#Xy|FZoEC;L5vThc0m04G_Vg`K6A;I}`H)FUVxB>*4ryrxZC`4@Z; zAoGx6n+3ZO#JB?wud2+4_g3O7zv$g8$@kSP zCvjKTYh~4_c{Amc>E9DK=AcQ&hdIvg{K`>78X0fYS4|| zX!{{ZX})ou0jL3BYN%ICDqh+Uk{0GQVZE$0^~r=L2|@mlRkL7IX7BM5O>V0hXs$w} zX=L&~(R?40I&mesm5}u0{RhhWJfUbWiWHP>aD~Ao+Pia-x%;fkbOnwX{<>0Uy;9|3P>nttcRer6vOFr<}=sa#z|A8+f{1#`jBfLla`YFs5KWR+2=%e z0RU!YKb_072(5-S{u0(dabl6};-MV;N%Hw4I>r85JfaxjIw-~az`uNiA>2pRfZTOk z{fv`oBvTDxW2se%1uc&lJ_^LbtJ1-mNoA{9^D{YpFl1F3bHLU`$wiLl0$|?*m8j7LN(7*8<>9 z5pcn3%_&RVha0tF`~;}X*+T$-;U6zl-^!c;fR0tMSti;3)`^;YseXZa9_$PhkON3e=bKrPO`AJ;<+HmRm> zALD@^Mc-WUzg@$IZkqhkSfcC~ot-O7&cv_{VM+FdjWGiY>BW7FqMoOa;Cv%AVdA2~ z16?j@S5#1hrgjAce-YClK7knf48N?e#a1b1QEEU_^pV5eKBX5`$js_aw`71&!lT4X zGEczU!fq%#ph?8dbBDKOh}i#?#6StqG=S<3HY-{W2G1SPNO6cy*E!b~RWk6vAMhT= z)h5EnZQ`jBN!WFXUB+E8pyDPJm#Vc@O%rBy7Np#aLN~~V_*EQag`J|1_LzEapv2Y+ zAoW1TkQ&n_y1EDm4A72Q6RHqOY4pNfXun8a77FO6@!swG&FtKuN2Q*Vmd)%{pR=qV zS`?Y5kC2Uy=$1N}@*XadjS3(sh`)%{=~6M8_brmh$kS6k|6H;*qq6Zm+%796Gbax| z=5~^Ggr+vigt`Hy5PATaMB2i`+M~5ga>y`FFH(0_%Ax_GdqXnOa>3I)@y^wYyyd~* zC#~cGPZC?y4-Li}jU%6Bs?C~{tv4XS%BqU6g0DQZ)*oh7n>+jn<876wi_zIFZUpEg z`)eD}9J1R(vKwN?gE@4Rs2>={OZWzlvdNgXPZJ8z=<7J~`=%>OiQTflakbC6fqGaC zMX?@;778{g)5^9S{{;s=Fe(6DQj8fsB?E6|!={7q;~zoUBZBGxTH6rN+BhjX9Yi{h z%b6H!?#J=oL@h?9N3DJEK%)-TKGDURRpe#EWEhc6@+I#t 
z?e1z4{6z9Mjfu5Sh)~;}%t3vIdW_DCCz#832xyV&Qv;BP@CB7ZxnqyN{Yj2UGGarI?N9f-;+beHe_wn7D|piG*zzByh8TR=n+xf-xPYz3KV6VTp<+c0T48r|tqt55S~2CXqin(m05rV8YzR zHev<1;v(kd{mLy{W-&kfN~5VF%(Ca=^5`iRH+AY!0lWDh_?! z8AL9ok?6(8EiT#}j?PN{G~fu>hf_2)b+lM35%VdA2$Rp!BEMjbtTt9h0sic9T_uM& zH#c`ved@pp&I@u}`%<7}CR+&-Inb@4Lu#oQEZ@V=%`M2?wjNE7X(jigPP#RCYNI!) zL5)Y{p45~3hPqRqWS`t8463WcJ8vJHQ~8S=(Wrl_g+nO<9(r9gGcpx$_e(fsD_BC@ z*eYdD4unhIC3{q}-%9c71Gr6a>=S!L;<7aLOsIUe8gk#;*VPyX^K^2vSiNeuZ1Co! z4ULErOG!?n1xknO8j#>k4dexf?(a_}HT13-@pY0&)vEnEeRp`+uMxXE)LnoX&|@|N zl=H=4Akom!;KtjKVId(#;IM=mU7q3s>?qx^nOfutF9ydR&ZYjCp)#*N50}QBh;nJ z1ZinIuhVFhG1@8YkFTzFEuwv_J-KKVO3uF}0oClL`^g8R*Eh0LRmGcKXI8D(X(%=w zwKK#$6B&QK2;k9fCTCA=@H94pIWeV>C5(H|6#YhRv1f>L$3>pr>94ZoCb?%tXwZ7K ziCW5a@b#V3dQ{kPd{$M_n`?K>$G5c+XcEnPn_jAsASPXgZ5gpx=#rrpU{-~??^>Hm zB%uJ2t3vFSP|Q3Ox=zz@o=XC?(-@ZoT!LU)aJGGu(GIgVnZfcTrB)e} z^Q_+);ZAM2tTAm#kB)UQy-~4V~7z_ zd>MNBeRVsQLDga2+s;)837s=?u;ihr_uJbI>{h)?JUWJ&;Ps}bJdU1g^1J?eD53a} zl7eeQ(^e1IFT*y~@C}J{VPfBIx`T0RHeEp#^vdOOG(l1257`fL|L!NtEb!~Ad=|#i z?)VS^FUtHvmc}6JX7)F7p`*<7AgwX{QOy6}bMnU@3T5u8`7Q~8)El8B5|?MeufLw3fCc)2{WPS$;SzO<}Q{0 zOk196+Vs1F1xDes-duT3o=UVkR^f80ix{2xYGv{bAirnt?wf_>eql8WwA572)aI}p zUKaW4pRH!5AEO{D073o@ILR^@%KgU}b>DU1v^;r4EhQV4-w&bBV9w>%fsYQ~wV4bx zzum%_IEvO8v0j#4b59T0?UAF3 zMTjnoOezcJN2Z_tKLQDqzvD-mXo2vDi>yeCJ_!}7AKdH;zDfAxg{xmPn&f5%W!Lx$ zhsOUinN+-)?8l|(Vq~&}t)MWwu%K{59_0CJPl&petOxjYkzjJoK>>zhLfNfL;H+MF zmMtQ&V&ypbck2>v<}9|cIJR`_s(kJj@!Ad}F|A+0 zH9$^Hw&k4G7xtF}e~vaF+~q8Mnyto2_T1%RNmxF8U%97R<_WItzwyRb_Rj$FZNO&w zmXlZR8`-F8krDfbfWH)J3V;UR1ymN;X$A7J0O=NR6NdorIp@iHb6IfAut5JrM z&~p1&SSYX(ITIZ`Fx@{~aypqyvNUvh!Ak3E`Myennf#oVp1Hjh6YmxEG3)$9E4L=z zQ>iXx1_NKEo#R1x!```DSQ@BYZ%)xNEX`a8b}c(4$4|B6`Fj8tTstSh(2bpPR@jiA zCe+@V?;HA(V@JQrUT+&5ODMiGMwvfYyJJ;wbB^|FwT9)SU#&J(1_Hr+`8AWpt@RHR zo{F&XCjNQy+4Fp|?XCYdGSRlyKH6zoL8Gl>jPjUwq8j+n%>DBtT@G$nHYy&4(m*IF znJ|Em?4I-0laxCZvo&>9o8R8#8KXOzM1(!j&6&gnIj1~!i`ty@$kM?BF^oF$*woBu zn65>o-vuG*zZDQvf;dPjNI+zdoYB9Obf|zpAYx)+G$XX5jX;n;<%cwoqvn%vv19>V 
zpT}Rx{fF>w#{TLdUaft?c9g(U=~TrM((ZX5luMdcPK6_FPNKxiFM~@4W4N2NAerSlh9%U8ALd{p>Nm-D&~m!k${O~ZR- zu3i~#{O>ECWG@>zYihoEBS1kG=v38oMR$EwW=phN;yNL=bAymoU(C>)9&G%?TDZ$X=G?IVbePzY)di&bG?dr7ca!u8+!AW$_CEfQpykIDGu&Oe?bJ=sR*=Hy1L`>WLDGzA702y`=n?mPv zNWCC--EqogYfn?o%@2s`)8sl4yJ5pwUp#Y$Nd4sqyPxaj0K&Fz!RP$Q@bY-`=)7f# zIe~rd>L)abU;(I)mqIt&_fn^gzuu?q97xA%&7aMsIOq>zy`2Z@9Ik22UoYm&)H$?> zPjCA+R@Cw_?TXfqwq5Vr0@r9fe-w^v@ZCGAbI@-+{(7eS)*7Bx4&p$F*uK5`(d~En zTPximA>_=K@aD!C501MS{Z^TWuII$BE*qTJS}%~?e%CL0YwjCTP;xpgzWS&VbOhI zv`3-Ef^`W(N=hE-?2ze??5Y{MtjqL6h#b>!U+8a7>dUKg?mjqNHO;_4H)?j$=B;O7 z<#wvi?v!PQSewh<>Hu>>nVk!NIFxzlKu8Y`X+|D`$ER5;j~&N0j^x_Ee(M%P`(pWF zP{TDrgl+kG_&s3Ck5=DNd0{|F96Pyg*h_i4_)f(pS5NbmlQzG#QpALK^U?6Ck@jk- z_Ur3Xi#()I4wzwAtU=u@XQ`&np~OA{s*?8l1r}Yiv#GYs8w8EUYUx_*Sq+`9jUFoy|I{ zris@94IB_dei!?JT4la2s~4xvA8nNs&LzdQB{wMVGkd_aOe8(A}HtPLZi6I^-FU2mV?0%)?$xl0LS^C z)sVHe3p<{~^{CiL3jwN{>78Eq)Xb#5-k#i$?ZiPCU@E+1hJ;x@YQ zv&F^=A(47H`wKQ=qoUt-g>Otml)-2of}j}%8D&MUfP{pb&0Wrc zyGr7J`-@4B(#hp^m8Ad@oa&fR40=?9$pItB)!HOU~I|r8vCxwti z?$tkBH&EE!PuQR8sYIp;doqE_6VLQ3&0P%JF1|fgqZ<(0*FCHZ6t}xkj{qAz7<>X7 z8`2~lkbB@hVBa#ni33bClj7T@_qqTu&5MOSsgC&n<4X`oUj9ZOxJCoyK#n7Tr&8`u zZ+tfi#E}N55#A(W>L&)!tH*BWU(jn+GdPY!?jANH6g8opRf$^zx}Q{p_1pHp0STv%EmHBzmn-|Vx9)O2lkhUQ;N{|RNinFN!EVK>Ehx3$r1^|N@!A68?L zWRnX~2{sw@T#z;t|Iqq%_pcLPpRef+FyG!-4I3s_p7kTC4aum4$rY zpwxEVG~8t4=OSqS6_v=%r+&%4f(8_ulRA6T5y2G}0w1D{U9XKHEm$CxVyn!QloUu$ z3Ag3wgJl>?i6=8ijXFv$<S*-NABBhWR5v5$ZZBoZr9&G3dDBtAPQqz@Ur{ zmwQNWAN=|NIvW{W!E`s7m0`uxMP%FCI{ZCteaih=+^&@hnU z2|pTcs9i*NrdQwn)(~8vto@JIks4cD6RU2`xyCof;mK?QRM=7*OI`D-UK@3tY*0na- z`@=kgHguNyo6q;}^Fo{>q7`c@YQg--O{BE)Xas@=n*!~NX|75t%GIR{`nwkzFJMZV z+*FYb?j9TfqaJQ8>eLOD7V4Y~7Kg%@xsMb(qP)tjCYSXXbA4##fL8|qD(^a1-(j%ABVh+GIwG-#2t za*ho#KDj+qQnqOtxVf&Ab~j7VpOI{$f_s<0mwVbgBKe9kLz$s;#)`LK7x&9@-V|j+ zP93D>jjh^LSeo*3MD%8@n4#g^gOn(pkU`ITCic#vk9VUAF#U((eLT(cU}3}9DTF!* k7~SsAS({9Vefp)ib_@_vCdxqpPynPLt0MDR%IMvH0Apw7EC2ui 
diff --git a/packages/ti_rapid7_threat_command/img/ti_rapid7_threat_command-ioc_correlation_details.png b/packages/ti_rapid7_threat_command/img/ti_rapid7_threat_command-ioc_correlation_details.png deleted file mode 100644 index 30119342c186f49c165a0206142a4d02a25c0096..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 359663 zcmYhiV{|25)GeH(W83c7II-19Ivu-X+jhssNjkQZ6Wg{swryKC&wan|9rs6#J!+4t zt*SlOnscuet{^9g1dk671_p*CEhVl51_n6;1_p5p3-MK>CELOHRe(DwNs5A1P7)q} z-9Va&$cli0)x;va89;sA!`Vw|I)Q;9_x*Q)580I%gMob(N{frAxa*$1L$y;%yDq^| z>lO`-zeUuPA>f0`ETjTw{tQ^n9qM=?o!+m+TWg-$30a)Kzn3QhX3T%!Bbf_}t+OM| zYK-53h}myVn5J$n$HI4F;prEeX*>fTPb( z8`xHZZZ04H`q*q6J<2OL;w&yA^sb^9OA_tYuSTka zak;}lvrdTT{&7xyY6a-P8XlGnHl<)e+&)~Rcc+mb)V0wqkMUjR{99QNP8N}XC~cCt zeG%G*Z*iFh?`*gkwuZo-r!87%Q7rS!Jsjt=zsD;jgoRZbH_8O*-5t%Q3#Ml0) zhEws=lED3%1o`pxf@g8T{l0tr@<(%2W?Cci9aAPTKd)e*SfjqFRe1%1dY$+wa-T9u z#Y}jQyL%3GMn(tWFdEuT;4jzDgdX=h4KHJ%aeiF8#gNQc6>3uJqi+4TUi(WidVa+{ z?2QOo{wDpX_-P+=d2W)wM#rAHu@@ev*6$C4+XDAVJ_pzRDG5FL z{OFjle2dysTrK>&MzYRqkeAdb#&13PEX2CCmx?#ux$>ip!V5@Do}GEc4HX&nwNor8 z=gS9V4%U%6t*VX_`!->+X^83EuN&q}bM}=U(7R+sTNjggvR^B0dW*2!*Pqm0c)bO^ z*QIoX7StG<>5UhKLdHMEM~GZJ8%}b%t7ywW<2m_kb6$!JFo58hV1u7wqoC-~RAU`y z{p%QEtl}O|h2o8mN>Xc$3J+h`A_;Ys+>G>Tg*hYoZ3fWV7~Zs8UZsyqW;!c;)1v}p z99JE#Ool%ugalaG(B8m(E1$;G{H~-z8qjM!%Nl4yi@7JDG>mNvQiwzONv73YDk`$^ zJ=l7?2p(!#+kZ&tyDSbEW5UWN*%GD%Eq0`bx;mCBSuKMJbYPEEHZ#0%Fw_(tfw4_5 zw#>tTCWWK4mm5`v`u&siw~9YS6b6YJI2<4-C(07tpi{Kb zXz<9%3Z7I3j)NRisSqp$Ef@k@7}6#bsy=|O;HL>@?N2=T6m==^1=K!>T>WeUZ2RBJ z!MVcX;^4`669MolFgWHBOH>x)qv)b(2R(>Q_$VEawBY^Xp#a%#w{^oapC`8$Q{VG+0 z+RGfuE%<`Ki_;J}Vj(iGj@llJ~oWI}H}#;P!wMG0XT$xw$m)9ZDN zTAPF&5a3V7u{Q?+KkUM4CQ}IdlYU$+;hp=Xw@)UbGzcfTFA<%rB1eHEC%XkuRELzqa(>e$Fun_DFU|M1!r3?nRCa*X zBb&wvhbwYHm2rsMv&jND|N34e$g3x|L5f6D1SRY7_+88pCDsAo{x)e1l-!C4pW~kA zYSG)Jcfh2__2{=#tEj5=JRAEOe00WYcs@X|LoooIAY`%2sTsW$ic4*PPI5AVVk_Fq zUVf(egCyS61&pRH0O=diT@YDs zR8>O1(|;6tT<%0+qloRnDIQ@9XkfTv2e`(SJJ`6~XEL6De|Jk?dD43^_W}Y`G$D}G 
z-dI<)yKf)nm$>}c{{Esn@+15ADLNq=&b0}x1j(<)eL?is>4P;ETs>`@>5#MWDaq6qWZ2x zaKaf@bcGi&b7}duaUJO>1haYTphZNIl;@!&jIAy_vs`)uH@1dX((gbGZRq^gUnY=7 zjOTL%Gq&&Bl7$%JJ;WoRF9<+ZTfp+HJb6tFge44Dh0I;GRt?~C&g(j=xeiJttOi}z zQVr9MOR$^Ow(wK#CnnZNQ4n68w*D0QPGv-4nG0qpZDC@|wDB|!zk{k_VQc$Rco4YH zl@zIxicrN(l>GB2w5;f#L(CGkhWMpJq&o@d-ENLK(lvhmO$5Y(`d$!iw+>qAqw=E*Syp+C>NghIE zjS%Uj@FCZQ7Nd?^(;uBw*%>LM1nm0Y)Mw{}Zz1HYUHhUaU^^~q(RU&Dz$77CC@IxMWtR_3jIcJgYwKGK5(2O|gs=XWrGB(5L6DRKa6p z`1?N**kAa}Qk?3*;-$k|$v$v@nLPJCW%Qs-)#V05{R~S(-lzrln#zXv<8ShkI6I28 ziklaumT4@Sp*axvE4|uV=pW70gX$7cetvmUFi6=Lu0^pP zDOwW;wY5r3LpDvzHfmN%(jd!+)D==6{XS{L$=GUSAQdd@R?uu=No0oTWN)w^vdW=& zW&&hpJ1VwK;dvp(bs*wY5TH(x*T#QN>AD1inho}t%vh?*OyF~r6 ziYPp?6BC~wpHGh!6|#QUIC`D#+dGN$>Xo`3GaJ(%EmOW!n8;J(<8jxB0+mf}&gl~e zF)@v98y>HGevg?L)G@2)u95TTh#~0V{cmsDFIsVXFRd5)V2&KRoF1dUABh{(Im_C^ zl9g!;|B~XEiFI3L=+|gaCM-7r$_B0vHV3;Z<@)5>*}nbQ?@w}=pnkBCD6DuTUeq=* z!Y8Sbq)($vE}o)@Da_zVGN>RYn|nZH7-twPHD<()ENpJZeUXT#ID(23HbCTiJQs4i zSi6~VG*LCt)YMc2wv{wX&2p$J)|X$F@)ADmfba9>e9Yyph;p(4Lv6qLMfdF2DR_Jr|f}MCrqDfOwL`;Q4 z1f+Vu4lJh2h#@PF&VoC+oTrIbjxQ*MDW&W*Ey!3@reE0fZsZ&JsjtxnR@@lQabGW7Ig+Q?Sq_z_l)61$UW=w58qas7|0 z2i~q@`uvC`MR|vUw?gmNUC-IpAHWS@c(vsWhnJ$_^ygE;r?#@H@5LP@F7mb}tjY-Z zNUt39E--(1_jx9{b8dcFQBAG3nWf9=@Z#a&;pXNhlg|yn$?+ExCpId|vqRAFc``^y zYi}4hM9k+6yOS9_AQ4+Ue0Zz&SN-l0W$By~)@1j(eaUQHIh1NOf}l0sjZlSxz68#F z0qqLgya+NTTnb_kEN@~P+3QejLqc~^Y1_ges+wJ=g*B8Fasym=9Q!uQOo;N*<6scP zYep}dl%O^aveS5`c?xEA& zKM&n}VM0JoPEG-&0M0p~&$l{-tEcc?FW1Wu_WKI0rfVwjuOF^?1c?t#1e3(;j1@Pc z<7LH)%XWj1kWgDwXT8A+XOD@Q*-SuK^e+0ABpY))`{k@S_QHk@E_`O@=kfs})f}kS zkOTYookV;FVj6$(G)7u)`c>#Px9s0vQv#0x#7M8n*koe65?Hm|?YGcr=t24I1vhNm zP%dx^$X3ZC>zoiET78%<*q*Waza{i3KqtRM7$_PEZv_b^xJ81nOml7+31OXGSvuxp zeq5@i%c}?q``Yu=Lp@l=UxT8Z1^VERq%ss$9L1G0=|TFay$p$NYKwCho9lvn0+nTo zGXirkQeg^h5$c#klPCRxRq+1+;mrl%gdq*7wm{i0<05I)srq@s#trErA|#CcuJT8& zK=+D}kA0Cv139Rf8QiKp0l_+~Ig|##q z7h_{~&k~#c1}e|GilWZ*nPirE3F869^~yxshdzLO)$M%!I`|N!<9c+;c7rIuCy|)& z3MEuQl`<&vRx=dg>wBm4To2bx37+11PGtyqZEg9h>w275G;Oqa-v8!CKR!8Wb-iDi 
z&}!o4Yr9zMC`*vE8EG&sgK1_6@A^3HdT{f5BuZXIQk)-%#Bn`4vb45Fgcdce!y_-1 zqDT|?@f)Rl>a66P_lT)VT0j@!kf2@sCfr=#18z`|sxCDvCd`RH=(p#17eC)fDO@vQ z0(mfN@1%9@DvZRr+#!(pqb~bJz$xnm&+M7dE=!ie?e9>zKUq2tndtDyHF!s*U&Fp+ zLgpsnB_Lgg2uYRQsP8wqc-mKQ(4yw3O@b`6*YA}P|8elwbU%T#pgA~&4q)= zm5Gs2Bnp}JbZ4e_r=^PB2cEAl za_QgwM{L4Ie20@VGTf!nV~B)4`bgfn@gx0VCl$BNja^+$7bkUgcQKA(2y6WljI>$K z`Kqb;y>6*DUti8Qu0Lv)_2ZqE$5HvPR5=08XG=BtPLgI;z&?JyE*hS($FtQYH+45z z8^(;~aT1nI8lM;DfM_DkotxBfdf zqwB9I01l3elaumFnj4SgJdnp_ZvN}Tg|$t2UHa3P5qZ0&zlzErw)m&?ThZt4$Y`Bt z0!ft;*o?kVPqEomb!^t_j=BWv#f3zbB!2y1)1 z4{4||V(fG#@V0cZ&bN|gWh?^w1Tm4xccR7Tc5!raVeO(>xEySu66}U5m&H2+B>oXY_g`v9`3bu&^lwG1ysIonKs3r}roBQ>waN3WUXo#4elI(xQTF zkJqNxJL=lT3=ek0pNxjGR;JgNwbhZ;*|LQWSw)XXmkTa8R+pSk2d#v>Zf!5S=g#t$ zb?RTcx2w4r%wMiCVB%YCYm?m?IVb}WuEmvh_nOT&8rBW!gzEHs{;h zPh#og3kKim%O<{DX(IlA%fBxjc(D(BkmW}%`a)gL&#Wy#az8MD_VtYwx7|juZjGD^ zYHBb(z|otX!54Tv(p<}=KA2WY&DiUOzM-t8`T3O@1xAMvdu_XA2mM2)Y6SxAdw;a0 zX7^_!7S15=H_;IDRtEc+Z!oLb-nGXoTP0-%hi6w;y>oN%XHOHGA290+OI)1~i*^1% z$VPm--w7yOn*LMD-nLA@vH!D6R#l(vm6fiRmM@9wdeK7(5unQQaw@~8oTD#KO+Jg) zWxLlyLQ#sA@FA}MpuVZTzJW8F$E&iq7^bq9I)(&80u7=taX+!Ar$@EQu8fs>e4_Ft zGd7h_;yAVyk}0a`yW`_WN@3=MD4c$-%@b zm)*MWbFol*X6EbjsokF|`OmX4K|Qd$S+j$rgQC7r60gJcy3bv|KO@Y2cVGM7czuBl zH!75X+a{#*Bd}C=yX%iHmte1P;aytV@zS)xI7_Im_`G1!uz5_iZgR7XDGoHOsAFKGP7Kn*I^zPRd@`it3hEvVK!pLmDZI9q758aXp=IR#qB^77un1q#jo;T;odGnIw=*j* za7^pU=>iaANkxRIKrUX^$%`zdPLQantvT-Y7dtS|E1GNgtRZTh=xMWx;lB=|DXYlj zh$UIYL5Ai|XgIy5rc38b*IJ1sS|J0K`E$EnEjj5--24BLXDZ!vy3#LHPIP_)koiC? 
z@}y!!(pjxO3R^u~fEZj#;TQj{wR|4=cZ9Z~T&(8~X=$ZfH%=2o*AwbOaU@1U zh5iUR*!ig_rsZSh=JmKSy7ICsiDGfBz=Bz3w`o9EwN}&Qr6=P6sNSKoG2iqnD9Aky zE{;u^uV(J&XuR}(Q)p`I-|#r9u4~-T)$utR-gQlIJ{!Kcs5G@BwQX!eCfd+Z)LL%% zw6`*1$MI*(E8&0Er46j1WkIB%29Hs95oBZKe5j~;-{RAIUEuoIp-*5(Q0%deCwhG( z#?Q=1Ny+M`Ub{kr{gMx9AcmOaMvU38V>vlFV`AlvKbQ8uh{V`FIwkF+nG|VeM=SUj zvQgV^c49I<^s`V7dJc}bs`6DzD#Qwb+*T-ZIki@L;CaJF)wp?Odff3 zhFw^r?M}ehtiXqUPCaPBCUFqjEC0G6ghcDR{fLtne>?1?9YjcG@MY)>iNN=8afV*X zd{agxYsK+};fO6STI1I&=clo{3cs#qqqXa6yG>d@6N{;^74*Xjhmq3X5vt(X>3KCg!>0+?&dtT&bIW|1y$_BhPL>s(D}W@Nhp$6Osh3pH=xU6YtsZP2ay96Voj7;rzv z&nlL>CA`>aTxh(t>-5|{OI6?Cbu+Wi0~PU91N`2{(=Ri+c=sbOg`95Z@YqL*B$lh47(Zetoi^emJGu#COJ6 zfy9B-fDq}FJekqreZL|~TC%hMZF-BBE@IpM=^|KWH?SjjX>{Tv_qGYzBt07EZ>HBO zc5*RO2A|u!v%9;yx=vL;G@B|}1N z_1ZDvp`)6H*>TgsU*YhIyCJEominKbmYbO6?_zb`PtS8}MpBqAmOGk2<##jDrw*zd z4|I)othljs?h{<;6P#uDGlepIu4mo!SVS=P+AgvaGdD{7#2D^jCbh9nQg)t8r><>C zy@k`$)8cHbe0;ZBUH7Z%Rk{Sk#2zoD#c#f!=c`;_)KE`RQBJG~6Od^~Xu0T2q-U8l zx$6=h38^-?JJSEQ!&VTn?i$r4rTtTyE+^a0lJUtVqj&yh@NfdC@HD9<hcs%DLq2jO6$vS1Xm2a?oewQ#TFwo#5ZJ~~Q}7kb|p z`kcM=dA#g=T)*^wY}>T3vKq+s&kaanEYf?~8|r$PuX=mV{_Og^7J4K3&wEzWQWnde z>2Q7?oznHVujz|@U;KOt^?N+G`?w}~_lqSGh;L~&(qea$MGCW7^8Lw%*LQe*lRo^V zI(u$aPw+UZsK%!u4q` zsu2PdR5dM{_)JX?J9J4>qK6EhcnhR{?YZO0Km3dP6{-M`i;7H2s;o52=2p0b z4GdG6ofC(Erxe!=pqC*>Q|5qu@+h02`f2E*S}3tINL{2R8qsSa$OP2~QEWbvINhUV z*Y&Z&XO~T!t*OM}>tV5M*x=4D!OmW{Wd=Y`(MzGuHrq+IMml=rhpHQ}uBaK&UXm}T zgxE;^a=;!Bk^*022>q^&Na!0!)D&X}$kU1{$}8n2#^K{L6fl=AKt&>45qW#}l4jWC zHXN$44S!=FkVEnV=1(x)bBjQ|)(yz=lOBO&a_Z;~&1dlucu`)#$Xo_R$83aKBti{b zcv*grXEwo3@pVXFyz4G!h@*w`s>$w=|8ecMu#htQ^{iOvX6IIdscFDku-b0ZOz8Ib zqH^+3&%Ltg(e`37ILG=0lme61?`6%uxv?S0CA7IT_cVtguifcFLRh-%%=?kH}s#qV>!il`{kXhN&9}Na zp)Zk%wEQzr=t+JkMnKMq)}tb)te@Zd>Wo?Z%N9yTj`vhpcFC^5z8Il~TRb^`9nU<$5eQO& zi^S*My1Ox;NBm7rPPb`HI~fHj#r_e>4oD(pE3dHolXBId?#C&_WyiKU3>Q;nXO2y| zY?D9$qNgf8RFQLSk@-3LQ`WSmvDMSXp|qvb^>OkdyW``f?2D~{%IjVfx%J)ZE0nv zfrrDzy}Dm3K*)$w6F_tsEQ;K}wU&1X4_n&QfGiZc{Ub-+!YxBchj zl;45!h}6uxs^hpB%D 
zHJh4@KLo^K&dV9yvqb02-wMs`N>R7`)}LGX9Nq~WDWnKBBl!Lwy;Q;lhfVD}Dr|2* zd-T2hQYexcO=r8_a6We){Vu;W%=O(z525SuSQ4MNqvzYh#rDFytr`^3j4eV4{*R~K zNSR13+qI{)L&4YUSfBCT2LK1>d$Q0|-^xmBXJ=<#o?-K(oSYoK#G=4$fkJ}8Wqe8B zKpMzkY58BHE^Ipgq}wEb;%6d;%OJXa&-Oy|+P|-p7ZFF24}dlA^C358-TlAZ*z)&(Cro+X zmU`UDuRAV3w+<$m`F zx3MW_dO3=m67;(1AAfqH7ZNz9W8AFqTa3x{()HekDr0E>s8h#Q%gcV+E7s$_@Auas za!N2NX5Qd+zQN#2(^4Chj0Y9nh$_u~pB_H+-LGSAe-ibPn4TbL@`U-Z(#k9Nu{CDkWV&6>2CnEXTjcJY7eXC~5`vxPH zWF;B4eB+qN+SYb|#~%nZkf;{)*jZ}0wUcOZKb$t=d*pAdMSodBkk=gO-vDVC>|x0BFVAmez%oUnASJ4Cgw^JExnWN34aE?(ukrx^yncIE+fzOlvy8I$YKo^_ zK34Oms=3(`HARh`MfC-bFAeddwY8(8)6<&%$*!&d?KV#v!$Cj&&t1Kz#3^E)W;f50 z$FtO17o=$7bO1LCZcGG%Oc}H9S^iYl)0=Ted-`z7vX>o7QnLK<^2W{tS zw>XB7=i{wzs^e*GBm(`5B@lYNU1xvp6?0W-dwm2eD<+neTYYJ3*M+49*_-mZW%Osu z9f!lY-=_p$Ys};Y%BT&Q->*Uu#{35lT$3emiHLdK&%zJ&yst-w9z)fz{T_Cc#nASL zXGz}o%mnMo@~>Z>oqV|LG}le^p6>mgdh4hoGI!+t-ufu*xRdty(&Q?$16u+}!o;%Zq+F0(Y>@Va z-aZ}&sSYu3zIUV~6074?VWx4ZeI116gNZY_d0x!TErbO0T>3tGRdv3ctlD)6001hA zy16AMdOqh?sO0-0K~Kl^z;W;(apX~cx3ADUAFoFNuM?ioSvXfJ>Y~n<`L2)EuJ?oG zIy0Q)Ugz1oH19F zA3*NDBcn%E#{;LeaPsJ%-q57r@e8kPGQFbq@Xc9g2rFx9a*ygrgmkP?c*;c*#0ygN z@Da{sq2(GFwA8yykh#<}vR)q4H(MOwb}aIh>~Tabvt|W9pY=Z8a5}H3{cfm}nRFFZ zy(u)%C5{5b$sgXFral(z-XBQbr%4*>8@;z9vp?52-`{g{(P%XGT;In&_p_7LRX$Gr zUN7JL|41iYYnPWoOyS^Q`JAq9zKwM~jdeZ0aJgNaeW-t)emWkEw_N&OdMS`~l4>a1 zZFb)Ky?=fj5o|sUZV0q}u77@9R_e69MB91OlW*;(=)B}!Wp9b2BLkvEl{MvHKJ{v&oTI%2N}3}EWDmf42f zmA5D=mhJ&$55p}bla;xNVC9Izcsu?z)1bRne3Qmqbq>8k+ptWLu{PRM$wHGD>LMQxx2ZK`c(v3Fs=^ z()+U2sm>yC*G-lx-ZR*);Hrx5PD<6O-1RwOwX^4#iRKiTYASdyaqO$woVt;(=-UNF zG7i($wVFROYTXRf6dEAyq^~#=P=O8ApfNgtf3k!kovYToJ2%?RfCmrR%DAP{O#D+M zTj>}{V2$A2orGKB9dd$T@wPlokNIqGu)$w=ugok@PNdsm!i9(PRkz(iS);GmLH@Tm z1(c)!Qo=7dZaK`NXB;T5@7=zdr&pKD7OXqD?={H6$igMzFp*Y5HHr(Rq=PleHv*dD zeiuS=qNV5t^sse_` z%mV@r6MEGb5{k)Qpp+D_PSP1?eLRuu$T)V&_|xtpqKI+obSH;z#|C#3=AnfvyT3h< zRf&k_@8&lWR_61d$t_v3p+!?-NN2wNpvuw=w+P#*H)cRbE`_I&Nz?atQt9Pm=XIyX z4E(bYbvfpuB_mVb7uYuzse40=%7WaJfFAk9ArVLdCiZFQTqY-eF;-RP4ejxzwO1ZR 
zpu_Amu?0L2M?Na4*9eo6BV_K^0w8bGWtZVl!BX2XjGzf+V)^sAN>XVabs zcq35Ved8YC8ynN%G;nmL!IegRWVu`TD-MX#QyLK5Hs;<>umx}1Qwr|WJxYRfjttmj zDqIh+tLf_;Xx9GTg^n~R9w$01$;7|6pMInPz?K(YRm|(VM-9|GQuh9*9>~I(_6t-$ zukdqs3qCYWgJ%H+oN3s>NTeFBp(jKXZdsTAqX-f=$hJ?9gi@lLBq|&ZqSG(N8y#Gf z1p+Q5pKqzA*`&uvE_^5-ZReXW6gE`tQ&n1=2u~ADFXv3MdKq7GSN(8Q0Ya(Qe$ELP;3DoGGE! zri@|oo!Z3$x|^!NnFB8cFRj^!2~8tcXrY5OxNowdf7c6^NQ}3y z55#E2Tqlm`S2Hv$zqq&$&h@7yg66imdVTNcaKpjIu6}MujUKqTyF)}m^6JpVjgXxh zM?{J3hI7`phjnDcKAqc}OSkL1zwdhX)bkS(kN=8o6(s4T5Q{G`2RuyjUHb0R`$_oL zM4$wV8X4tJo2w-47w#u&HF=_6_n&|s7tUAp2?u!oS&PCzuQX%?N)KomZ056JB$v&AZn~sd&T;a@(?<=qk|7N+wpUm@L z+-#`BIkU6ii0;HlfR#1_HbUqdcHKx!EH6+y?BBl>suNHNWlM>ji>LkFLh#j0eGa`x z5kl>>SmWRE!g-2wp603RC4U7MiGJ%HsGiO<_K8VGoz8>o?9y_Y)J)C0N=WHV|5ioh z;R{*qAyzmrL&CqnUzokT3!)#w!j9qp{z*#VpNlay{6q*qmCeb!ex(T@RUl%C$gfu6 z{DUP1tr(IRO{JT>y zr%}<>AWGC3$dm;FepxZ+?rlvS9i;H(mX^6@_=9x91^}N=)F#0(Z=)4;(*sgF)H78h z0*7&hh?tTTUe7Q_AwLgmaZkee?|sn%8Gp}KNUTcr!xy|q$;Rb?W0f6|`B*B8E*o#@ z(F2kBiKhW*p`C6h9j!X89$x0F*T>5)&-*m8{{V!-J(o5966+X4>LHb)YNMT@dsx*Y zm3`Uz0zGopsD{VJ)eArv6)Xmf6FSj5z#xPDtQCBkplwTftHzk;`Vd}hwlUY}Uvx4S znfhx^db_N}Yk*01Al;~l)&N~vZwk%J&Gxe>XT<~6=yVyp1*lrh@Wm*(OG`@Zxe335 zhNjIaT-5vn-BldouBvR=cQzln*O71$Ee zGlz%%<$?H<40pfcq;b%DOVLNM6}maTM<1pkF`&wd@#KS*3g_&C(_-fq5 zN?IuTI8t~Ob}h2RQNs$T@8Nq|!*wF>`S7Hac1Qtd&a{En2yt?nQV4bFKTe_SW$;WK z8E|F4d#Z#L)?y74&U)O>IExs#zUX3cmbxiJ#e;FG4da*=FDf?c4RNY!6wkfWx1;E! 
zq1%*zS=>1O#2l?5%#V@Zzx`7v$@4ma!42@VS3Y&s$f7D#o++e-QHGGeeO4f-8nu|S z9!tX9<;0yQs-Ytp-Ln+C_wlz)3l)CW)#bwXhfbVMC<*_wyLq;%goxf#7BR2XG+dN2 z`+1EYYv6r?a~kn@g zBaC5~04lCnzQDZvW~|uyZ1`)XZ3L zNr<<)KdXsfNp^|^9IKJOl6P>UV32|`f1KcC-qGK)w`Zf|*jD2$L=EUy{Aoh`%KZ6y z;;Xp!|0bfMODJLMQiT zP~3_9Z7^WI8vDsobkUy*(IaqgV-5iz!>(16-(og4M1hm8>Ejgq}U{w!K#GQ zCJQwcorG3A$DaRh-2c<#?zZ8(`4LX!<1P+EZh&YL6y@61ApMu>^FL!CR*WYsj+5qqBykjH8!;X|@ImCuB}Nyob&vnwHF+av znR2MQ7x(qtzUcNARu$Z}6W0-EGtT#;6dPap^b3$7$@v%UhP=_rNP~?De2qJU+FsjAUQZ^*rt|m}fTHv;KxLf{P_T&Q|m4$Pr(DUvd$3a^H4PWo{dPYZP7F zmirQ$1eKGS$v(SmMW{d_C81e9726-zNi*nr2kB@T5TV8ztmhayWsf&xd^HI*(Cq> zeLM2L6z6Gcrvr|U%L=XkT{`A;yZ+ODe@%7srwZm3s~PW?HZ}L%5FC07B9;W<3}b(D zso^p>eiT1GmHgbhNRWkC+HpgHA6FeS`bSor%z4p0+6~?Jvp>H$?=U6;{NhE4GDE;M zO~QZwHuGT%K@!0ytTtNgLvQpSpiuF$c1?{O+F`G&8!3R0AXV?)DPUnzHZ76Pn9jJ{ z+64P8f?c|H&&r@rPzt6MF{p&p9}5=dKt9DTF=iY@OO&reLvGR(u+3iK@GY!|!Q`zV zKn2`pm@Y#4M6T6h`BdQ-sRRqNGJMYzpA_~8O-Ve$0h)_SVZ>a=nrQt)^bBpbK_V_2 zrhQB2GXG2~UI~qAl8XKvTxpu=%$W;W8kBSOdjDdt!YOSv8w7)F?U^%=4pXr-Csy^? 
z|J@cwjK>HseUMQFPP)jggVMa%!kWHnRA%hL3D}&_URtzu;Ln0p{&d!$Mv0Hx^xLk_ zmtQN-=b}2@te0ux@H0X*L982t$g{TEGC#6x9g^P9MG%iZFGg-YZ@;^U>yv(bTz+-} zz5nRj%*_TM^`*=XISApNypP=VgQVrc0?4mGq$Mne9;y^hf43ktrTt@n7)4ZGGSF9H ziTAfgRj0Ki%l=ps53q2gPCPIa4O~KZWllpNvfaxQq!leM z{)P9WTB$aIfV=o**R8Bi(X2l4|$WNAbk0L zGLt&ZCU4Quc&$0({~&BvY*au8?s)!bgDH;%dZbgSssq=^J&AFAbkLI(PbCELP@z$(bbyNR6;d5Y||ls1zpe0iW{ z8R{QvJs0Hf#!&}5B$N;eMD7vj{QM6U=enXo!8&i+t@LP#sCz^O7Ixo7ZYES&NQ~Cr zG2U3W`Y>c+I_ZR!KT8$3@C7H7Q2Keh-oFX$T+t7QAvK!|EHP_KM_45mj>w@bm5oA1 zIR3Ck*yKk?ky*%WU?;iF>1 zEp3N|5dtA)df|Ty8>}G4gTSRzN8)s+m>_bnzPB)$M`6k&u9raC5Y3YkV-%0j0S)8J z4XNW-l%eeNBLBiOu|!tJ@$cS#`>Dn(Lf(;NNv|oYEp^9ka>H_x|Dy(iE+>u`d`+%D zh3uEuL}C9jk0$O{vUmdC0LNs(h{X!8siFxHg66;?nNT)Pt*g1}JUNi2rKSt3gd~0b zD;(lK&0PK^ExF}vdX5+8Gzy>6O~8y%9!t$2F6@>=leQLyQKc|v=Qmm67FaB@Y~0+_ z3RwRspcG6z0khbo5go(!PZ2OV72A4zFpj*Q@=@W1xLfwGGR8TVd6z9VRQfUn&>eZ` za!@!j#%en|B8s-*XHN|YhjHTb;EH3UG{8~Xq&i!NKPI$neKcFx#rSu~kekx?acY`9rZPi&)2|p>)3~lMMf0f=P* zl|3Q5*NPrJIAIj3>&n{XTh~7XZ=}zs0C7L@a!sS-7?e5SM@R~!x$j)pH&LV9FE>efymRl^PX%<59essH-})lU9;KV0v=DYCw7;Y)D)-AMG_K`h zr>yGQ``M2p{R2k>RVJ zbCIyfNkEydT^0h@mQ>sn5S_hTL6l^gRz2WaGs&qGWaK#_*TRw|hMW7hDnoK1xiRa8 z!2^@GX0iK|Cm&r*I9kM`@T?k>lmAVqDPk8VbWU8?)=;o*t$y!uHRwaN;s5XCjjyVI zRvt4oywk(eaikLr%M>-C>wO~P7ESJ@jU#QpY73W~x~@$+gP+y?93PugcEr&buL0!A zNN4{`haHq6OYP1ui(0#|z{ygmmy_x7W*ZRGYU(K5KOJr#+b)Jk51I@Yb8qsTXX-ae zNo|N&wmlH^%{MS~q58c}WQQDcN+!HqZMYf!3F$!U;N`uxwy=FpYk(jP@$zpNS!S)C zIpFW*{PC)t#io7@X0#|!HAi`K_!|&zeXvX~;Spd-=H~KQ)@=^?|eCFH|>$yHF`l^v)#d* zuaU@cF=J`!8q_-S^KHD|&2NkoBY<0!l<4&f``AX5iuBp`~SIfdvnnKi#xW$=>*q z4mMhCzlHc|TdOW3`S+XQOtHzG!Qoxi+M17v553)!)WAhEG6L=Iodji9>&SU-SW-ra<@T9oH z!OKZM#WPXWNN`4Dna9`8<2Ob-G(Bu7n*VC!{HuT+SmtKC)8_U0@^9K*oQaS@>IX8DbCb?LHZgJcmmBS@YP)8LQ~(-GMRLsCb$!7BZIfV|zy^o5EP}TGOfdeXBn5eXfL9b_FVV5e))PymKWBQjgfuYKPD!E7> zjbT&=JYfVxx}V?QGEPF$T_cuW7JdgWhlN{;rsL`6(ysY-n>52fsiJa{I_OJy__r4m zy7%KWAb}i4R$^A8(>uSlV~Y%ayLDt$+snqo=+Wx8b{UzJnw)0*OAf26=4re8`J%Fx zhK~0232~IOy$dr)u?p={_S)zO-wbTQjs!lwD+iA5k6x#bntkeKwJG#~UI7B|(b=2& 
z?vRj%XtJ9F8!7@in$cQ#^f2c|5uA_-(K+sRk@)AWcCY*6%vHke!*Hb0A&N@#vuPq+ z4YKT<3ahNg*K+IR1l5!(R>YhQ7*@TywYPWEk_n&Ni?d=&XQUJ(c4-*6iXd%AUY`Q# zS`}O4x-k?RVJXA^{_SFWftgpiG2LF|$}3B{yWNFVB|Qxj`*G30q}uHU5ku|Frw~)< za!r{(SIv>1a#z$P2ISE5%7)-eV`v|0)j>b-l(zQA_tgXDNs=It_&1IDR5fcloGjK2omE}8f-5_~fn!j8iR0V7H%y!HX zPMixS1afdP3opM-cJ+F_Q>blhuXboTrE0c*J4@yek$Sl5lPGAY9iryrD4}5)d6glk z_EV?nfH!Bx~naNsPMwNJA zuKd+i8n7+4A8B)M7R!cL%}A@)&A`gj#c`Ug0X39}Buj$ENSKuN)4$U(ibCx+3K5!0 z+!!fslU)3B@LrLB8MNrYM=7Chwhv(w-i)|zOMK(*ecXosx})1Hv!#K`!`*ibVuUfz%cc6b8~lh5Sd!~y5VtRefar$ zz`W$Paq<=28t>`piQOw)+LUVMbQ5-j?1v%jqx77Ro^ty#cZEYs>khBq-Wf3S5Y=1q zobqXrJgR7dab$Q{o3c`~ds2^Q8Vho>fw)3J{?Xp{`QYbW^PVF{t6K{| zfsn=RQ{GstabR?4L`*F`$(D%~^AwW2EKkC>wtCy7A#2K6av!1p%rPCmydFN^FTvq_ z^Wy$_Gg=|dt70Nb22kf>*=^Q$j#&hi4O%w4NAU8xd0Aapx?P_oxcltQ;8jXKd8Im! z(`;x5B$KlKy2i&2{8lu&-|yd-(01XhErfuf)KejDYlUu9|M`5ifQ z9^rVh&75Vu?XxGZrR2hK*2&GWF+ZO#`tOiv{(}9*l zQj(w=cxr0tNSGRi8Ch3&!N!cI+x)TH?)v+hAatOwj)sl~z;RGhQP$>rZJCAgip#UK zqy7ut!|nxcb+uW$({WHox#hMmV58w7V6)ZQ)k>j!bV}5_XBm*~{$3l$;M&j<6--Od zp>fN|BJ(vjcJ?-%xuFTjCd5^L`t)g}-jSF?{MwW9=f%l{?jb>eb)hUi znu@oROcIr$c`kj&&lNJvT zvx!Q_M9I?8)@oYINg^kUR4oze^f=F`Drza}wsWvEbMX;sAUPfr+&iKdP;6YkR0n6* z{fr)l+xdKMB9u0^m5s&yH}iCF09xaIv83p2sNmskH=U23U#}dR_E_C0EL^B$6Mek+ z7|=>D6XAG2wWRD2KfLeI$_o0yeGd0ogKB#r4i_g{xLoH=vFC&M2WtPa#7}gw{owwcI%=>1q zk-MWZSm*h88cnWMqr=zA(w6eyg_fBfuN$v5U3I0a2RVAr{lez1&*w)v4zWsfwh8*p zsh!TxN_x-Ys@F6K`{82G$6zDB@8N-ve0g;(lcc(=oNQ*n!z$e?4S7;&&URy^qGe?h zSD%1=@s{nSURvwwDw;;Inr_d-bn4E(^YzQX#)hT==);LrUw}*edcODlTq9R`K^=Ji z_v^}ZIsexP^{wtz`m4B=rjW#7Gh@efFy5?($D zBC9_1!7Q3Jqd~A9c;!j}D1yy!gVH|IC*!nCxHT#4;SJ>WwRm;iaPdM%o#sG9`2ujk zRp0UsTiG>9#)>%(@386ulWoJ2K7@P+fH2IVva!B7e`35HH)hg}%-Ym!HhD6G3@%p2 zLYoN*`e*MrSBJZQS$~aYE(IK+_cyJKCr4Xkl^RvR`NwfM)-a| zPOBH#y7!lB?zRpS8;keXMRP>M1+`jjdey`BeR}GwF1;g%QDvoFR=d6{Iy|CGRBSXp z?|a)Y&3L;T_b(`F7hOp*T-8LHhy)5UWCtjb#r8QqC~o5ZH~rhEeqNjVzBB8z#?_|I zKI~Lwl=$9%6ME`+ban(wi|oo;faQF2uH5uADa+S#Zm&VTrmZe#V@Ctc-xh$Ttm5)= znoMCXxjsI8;b5VogQ|4UVgFxrNlEBtE1kO<`WL|doV zXOX3;-ppf 
zyQvo&l?o)kZ~o}QizVbIAFKI&pg^Tyq^O34nsKsvykxU;u=;+UJV&nDx>Hr`a{B1{ z$HczPW_hd{w(gwc&wFgj>&-4dmP$)!rPArC--U1pevBjPIc~}tfwrC&8v2~(OC_Ff ztTS`t^OI;0Tqz5G?;Q+Oj2`BsN*qK|rti4Sv6y*MUs%}}qW3Sov`8XO+Kz0kC zT%KQ0*49OUY)FQE-Rj0+RKw-)-ZDz0o{+-ExzJWU|BvYT3KoiNGFJCPLrv{8TMJKNA(LN!9aQH*O#~2xq?SQcyb2(R|^o%C`03srOtY;=8 zBw2mdzNo3l*}}G>2y;O0^O7Ah*WC~wp8G3O8skPr`If)^)V`IyOm%~XolcLBpW$cN z@8SGn1GOd4!^`k?a*kt3vaYVH zeNx|-x3_V9E+F#0P|HuvT}k&6<;t=ISz01v0uPzP+komaHS>wU;$E|Z+0k6#`z>8+ z9pQZcBC&mQ_=m6Y(sULT&Y+Td8|kVV9|%KepH8nsX+v>$Nm+Bsi7ud))`e9yX(VVK z7>e7f67qIxb~c3X;rtXpBKUrJ)w8kM#Zr&h`i;x!ees@P?^SV;| z@1+(XPc^c4HXy{buBK(hux;-D3d^3W1d384JZZY9H$%8CdzDzF%dtD(Vr*?=>TXk1 zP+5+BrBMl)_0B*vIIXF<2%3J#DZ%rK{e8tzcbUCugzs^3KYPuX{qr6YFL@iEGBGza zVZXKN(dBbD6KuETRn`7v<@dPwI2cK&Lo~Z?yHpe1UaJO^&F6EH`!&N)zW9@sF?PZK zdHVB|n}6r#d+O(Vn!OnM5?Tb2+eFELQb!K&o}J2qnXE;C3SW#JNg7oO>J)I7AhRwn z8DlyF^DdS>PLj@2Go|$JK%CFh{ila1%*JB9_b7HW!P`Xk3l`tU^0h}!HziXOJIDLL zUQ0=7Eo>HZ68%w${11=olfIMFWBVlg2u2~EPG=6ELtc4{tFNJf`0C9czl+A|Xm}(R zgg>;w9MTF#qu)VZ!qSu69UHN~x$g$X3q=t)pJh3Lke}#yZJ?WCW2rwH_~8^Ymk%7< z!5m*Pze;5X)R)cSC9x~x*4g=rwXXm0cs%rd^SXAr-d}L4u;F=M-Q5?8Urhe`}PKKct%P^jF5{>N>^sFsVNy1PMd2$FUDZ;O z1tQH0&yY{r1|0I;d8#ZL*1;57>F!iJqhm!?%}x^>whbK&w@4q*OJ&(4?R!Gyw9+!0 zIdzcAV7s6`3%4z^Um?08dVcQWiNg?G+}LzGJ@}~p9<#cHz1%ddTblr0yt+Qbqpjau z@VvRJnI&#oWXkuc=k|&zDG}jyyOk`XXRRjx#=YOwnY?KI# zBXrwe9EC971|MWx-QjZG58d!`(-`ugs^`lBIcKke3u2I7?bW&2dMhSLyb`am*+r^ z7C9$P(nWWef>hI#A$n4@&}Q(EV;B$UyV$J#GBzFPv@#2sBz}I5&hdQE4^rZpr~1y^ zeN*=-*E&jARuSD!CSqsj=VNy}x!If5Yj0;^Y-y-#s2hr&4IvjVrR#F_a5TP~+3w7z zh+=!Ld4Z_2Z`(SMFWf21_+%1ro|dQyKmay~($hSD%iet}_IqwulC1sd{Wrhr>)Sqy z$VfncwLQOe_RDRBgC}c>wCyE3`?xqKM>@!d*XmhH*DywAVX7gO{+cJ4) zh4w04w%5(O8A!hb5jvlP`K(sz4V?ROu>4-3w|Vs-q32e@D5>W2UB6CCxadvisi$6M zxNh$B6%UdbooGnWOf|$3nrH;H`=@tMv=^c^@fDBj)tcYzelOM}+|TvU{o#KGz*zKz z;Bk&T4%Tz2A)fkR-jt&O=$axPde1GUcc0+i9cYwU>MqpNb`CpOF|+`+f8Wb?-lt)9 zUGH)XXR99h_0@+%iR8QPhuJ?bhk*2J3ot6&+R$8Pmvg4EMx!8khwD zhicNk&gYoE_h0v|4?AY~d{{5Ip!duA>GwJRw>Wy_dA(6AhwynC$iCHEnsteNvJD=R>iLHIUds 
zx($?>h<_rObzTG_pKvhMK>qL8P;oKwU0xqkd;7U-d)b&6zeBs;`xWk6lB6OCGc?av zY?^&FXwK9@s*7<6hP=v*8dzOFdv|BBj(!Wb@ws6#EKPW{@~){!)$}0DKmOHFX1vgT zU~MPcb-BCv1UojzxO4rXh2yM9NGh(vqes{+lkgpaCaLnn;uXoDap zj)QDRb|+Y%-G^6kS-*Lb+sh2%%^bmsh(@*-bWD*{2J|sC5$4|)E;>=`;%DLKzq7Ks zz#a}3fRMXDofHD%=}O<+#cQT?**RIcRN?vkBDkBv!M5RfQe9awvy+n@PM?#1!_r8R z9r~*WOYR(Z3zPJIkGDPid|dsMb^9V~GJB{#B6t;zX#fkfEHWv;jjClmN9G-ldiHmY z5eD(bAA25+@M3Adi$?4Kx^WS1{_t(=ZJpWdzQ#o-Xx;emKJrSF1oON9)$cC**2mA& z6`f0ca23+PL?7&8yV2~AlFwjk@3WiV=d>L?4PEKWE{{Y=@D;3>nc8Zz)oRcCv|ZTX ze0zI{o$uwQi;K%_miLBjPzBb1^c`<;phj^E4GE{YekZFvPgiEX=S7-1)Qpg3U=e#xUe29FKn(vAxmH@QAGkknmi)3L)p%WiPL5Cw-bUjjbXr#?g>5Y8N54l zGoMnH+y?g2DvpGne{E2<>jbuwFfjL_Dg-h(Qexs{sNBSa&1hd&TF``7C{&hOp5_;- zrfTi8`1O^NC70%Sn!fHAb`KubfhOpRKQfes=DScJrDbVkq&?5nf&p3#m&^x{;Wl64 z?`b39u6~r>DICqUx!$OTd5b|m02YDKmMk~2cC>Y8Vqs|S!d7Sk8HGUTsHc-lCCy*D z_BRzTj2GyuwSZ|MsANT|JF{d0=$pCl;UUn;N5sfYO;f&9Oh_M522oIq4wam!14M+4 zsDn*~g@XV|JmJDcB$HU#sioBwz;q7Xx!r*sF_-%lTsV5=>?O4g!1)|;+jU{TycY(H z)f10KMo8yF?!bp?3Ust#SlC`in!RAKpwrx-k#2eq>`dSk%k3iaksr*1hOFSqsXXK!%RGe zGbO0zfQQ+Xq|==&jm^!WHn^WhHqA;^iO|E8VCiEJ;o+jE#L<=y{E0`);AXK$Y=u5B zzXH&B%EquuE2JoJ%`eSuZ0uUqY29N85rPnI0uq+b?djllv+;0nGPU8s_GQ4q&x2dW zMh2T8aj9KqqGI6?5Tc`|y6$I&@nZ4aR4`hb+ikUdyqv8MX8O+BsolQ%%SIv{`ZpF< zDBn)PYI1P!@jHD#Z?gLx!lpCs=;dOf_uN9oOQ@|f#swqL=IE5&*OfF?E*x&oZ?3jH z$_h%>Es|wDS$=6YsLO1BBB-vcTp~F-1rDD`h!F|aVzdy8OsH12FtD?7vbk94kEtpm z)N_U(*K5tW7~(1tJkieliH(kqk<;tsUaPZftt@D3F9E9&n6}}@vAnPjRJ}?`#UK~% zk)Olo^n7x6u%Oib`5W0J4#d0n=yg?Nmg8GeRAA`f5uyy#T4u5!vCH%+sRC%%iNg$W~q zw9(c;zt6a+EpFBATGLMG7x(KGI-V#r?|O6L_0%zUx6{^o=Y^j4Yc!>uM1O1U9X6Q0 z%CHSuv79I+Redl@xW8Tf(D*VS^65y3(D@}AE+S;VKBA|~P}6d}b zX&1M*I7;*gqGG8j8?LIDprfc6an|P5Cxpr^P$xv0?6?bt`GM?7zj5bc=Rh-bPJa4F zW4y#aYjt_tuEx!3o@1&Y3SF9)>9fx{*?+;nx(fTiqcf{1=qjoyt;=g&GI)8`(y^jB z27B0tpnT&{qNG^fVrub)YX;xBIcZo*h9OL6|zS*AMjh*4VMa%^B^aSv&k)&Z> zT?T>47S35V0su!peUheH{Rkn{A_Bde?}?qQYP2W862Ehb#iySF{oIGR+0&6c0KxsU zp<7_jcuG>jQy2R>vISk;&xa5+I9CjY(t4Arcc&ErY7aLT7tazuJKNHVy3@g#pvE4? 
z$q67YFGJSd(9l#><-R93yLP5ea>VUx+$$?z9k`*aga%Dc(@@^FRxuvH5jN+m1%2Mz%q%`2<3V^arR>1SID7Iu-eIOo7H6=i^1v_H1i@#dtrt(rb#w$jR(yV`6vOGonsJvF7- z#W@}9pF+An|CK97JI~BP!$Wxa`$vVPpxW)rGZ{;DRn^dSQ|zq!po6Vp+pJ*%fDw`+ zVHrqpdt;73Grfa##;S3pYUbeO^ms84MImjYqjRK-WrNKTb5mR8J~>Gp5gCap3L8eW ztdfi#X~J5SlBAl}jrf)AVtAyvRlH5JJG#zrJw0`GZC0;0CncWV@wB7DS86H>9_I_9P@D#< z05qMRk!ZYDRd z5*r+dcYQ6T7ywk;(6C@x|B!WpC|2_V_wtH3CHu$K#pQOVvvue&A{2z(%hUAaw6d~N zIx-Ru{SiR4vAVoeQRrG+t)&`|SWt|!8aFo5v0=cauePkqpi!I2&CN)6=*a5q(3^a1atdhSJ`~w$c@q+Za>6|8IWL z8Z#ds8^h9NONN%^BsR6S(14omiDUaUweIeIwv8x*oS3YyugUYubx!;Ee0MfHdD+7wjUWTeEBP3V_BEw!ETf5mf1+p)q`Il}Z*0=_9Qqj(Ah`kS3j7v;JP5 zlkmueX`ag5bz(1HLn^iLcEROdZ z%kkW95!GAc#GO>yC4CXK6+P_lm8T2utg5jAyeC}?Tx>0CIX>F_vt+8Qb= z3yZ%rb;@|)CCvKxv?lVLLk2ybOdRO>R5;ha$^i(s0rSw2gDTr=-Y+A4V?qp6Yj>xJ zdGz{w(M~iFKM6yf+rLvM6;(Ht+Y1{_#Sg~mFlrS(1rm}hyKSNfgtSR%h|PwjrbT0eAJklwfDBFf5mzV20X!uB9Si=Rd*6!M%@ zWq&4v#9@DI$$^y#^YC&JgVExHvkCH0eAPjvbr#Y7O@Xf(T>f=ONmoLPGfx}Qx(qC# zyf;=%k$uxA{>BZVgFZvu`8ecMQOb|12yjE@yDhtf@gPz~(ubn8&w#1yBDe#A=#~ew zV}Y)#HHX&uQxQSZcP(3{S#=rU@8@74s`Bu=aLyfyn5e#g zhj0C+!qPfa9*HUhu1pEJ&ja2Y^iMy&M&xufybNtMndsy8_c;J(d1YR+glZp*LXu7% z4f#{f6?>mwQ87op2ks1AV(mTG%k!9=`^@t`PtWEhk{JgysuHv6+{KM(qsS_^ci&S( zAjPA;kiRO~^k*YE&>2HDzzr;)pAdMtT%Hrk1-=!${P#p5r2en2Fxm17^YpBmJgfYw zz}UA$y|W=Lzc+tczDXFVIiT==DO4=ENdq>(T0!5+Wijx`#=oq>G{eo_&M1?}W^0A; z{b?x#TS#8;{vF!Ltr3p9DzfOHimWZj<5`=9{~Fm-4`pi$=0tj1botWfcX_w z>cejd>g7Yn1!KKI!3SVF1ofe-)IrvF-i2fTZo&92qu^VO;>Q8=f>j2#JxrV^n$8RV zWZ+woiNRWvtmAmWc_Q?r*gwQnNAATA_{4EW=zxzwVW0C`E3OOS!i77lgW@K;#xy5R zH|qSgPLi6M+@6JC#EU@z+blq|toL7oz&|2?{_E&f#Y3W~RaxBVzK~o5+C4{^nihsI zSS!Uv`>wc-kpU#4_#p>O?fQ8Tgxe-}MKpUfz+lyP4@n|`PuHxEUcjdjnh%TspHIe+ zCa;XCmu7;SqTgI@fEy)gpCqQul-Fzv0jHop6-OW&M-q=IHmVOSi5cOq#-Q#mLXkQYWSf?RX~`coVcw zaSuNt`6Nrt@E62HKG4@+H_(?k-M$V&&iZQ9=gXFy&!c=&v!HO`KH0CWQ(dLk!PK6L zrfs5Px1DvP6ZOx zmV9|4%>fjn)An1v|JGw?Bs%ax$idudlPJ%yuG+7}G*O#{5`J<)#redrZ~+)wT(rrgOSixArw4L??D@oj2}4Uo#lv`rS%IF0{I@8%#Ux1a@UPejXm5 
zKOf#!v6)2*K;<@S-KEk>MxVi4VA2H!{Cm(>UNE}!>i1YoyKi!{RZAF4bnMcAB`tF-h{HeS?rn&aN-@9wGoRBw zTtebk&@+wVoU&NJ8Mcn#qdl>qt!nQtlPX5h4W1Wbx-)E$ac8=sD3uC-YIQBu(~ za-G=_DibV#y$H~m15i6e0dCznf56Kn$hRs1E;Gp|~t@&{?2<4K6O zA#CmvZ>TaAj6$E80BL4Zk#gEKAm6#BX@>57c6Q6&1R%hD7W1W7Z)wDqpknD$1NPBk z#^=y3P-z@O-a-?ufaxvpdd7lAKSke~X^26`%!?EP9NL^v%shExb5i;MC_6 zNhJ{hYK5bO$;U)ra*41n{9y|S07A907*U*@d zRstP#)rIQOa8<}E9j{KM>@9tSD)S0DY|dKFNiMrA|I0WOGgZSla{#%_UmVmK4$Txu z&{m@;4=Jx0))cr1^$B8rpf6Qf2Id$|a+6S$!k9K&a9n3vQA~o2cSN#ZXu?A@s#)gr z$Y^bhRdk;-QL=)fmVjPGcakjhzlke->-c~5Rv&@dXGEO_Cv17HZ0sPO9ArbHJzViN z%QHboz^fj52IPU?f3tM0Q*BJ44@&e&e*Y~O0}AQO`p5!x{*9ns@5gMDZ&KzOz=Rmn zY+$D9--%V%dobvT(~z8o62~z!>_Fe*g4@_xA;ef2VTV9!L(ZGH3|(icz~aW!uEgL| zQqW@Ym4@QqkQ77H zu8>`B2-Ri{a%tW*YWd~LCjge+c&<%N|8+<_%D>uPxNS`Pha|F)k!d*6kOOTLnRMRW zf@Xd!{Lkvr&&xhBeUeJ;XY&l|-0xIbM|Ii25~z-e%QtLgCX-V3w5KbT0GaiKDrh)c zTV@+zls6odbqy}Gh%D3O5W~*(0jG!pIy!o*x3f>xe#WkN7Im}QnZJah(r7C(w^8dU zt2g`{fc6_=bVVU=r$C4*dyx3R19(So^e){dau|fMbl7?%6^HSEov;5=d z`W*W|9zwRvl}xN~?8zuFq1vw0SInbi833C<54$BLFz4u9FE9Il*2n+YhZIi2eDe8y z+e_Uje;?st`>rC1eIfoydmsRaDo&Pybc##-p69o7xAzMii6uVu0m`RRGq4m3cDC5w z6$MsJkrPDLy|S73T^?3cCLGbzb5hF!s{H zcq^5E9rdJ~x^h+kphhf0*@#bMb`_R~7Cb@EwvH$DwpFIq2VtooIVicUYxV$#(@4iC z(|`9F0VbIU#y$lOx*CUwl5%|Wt>+%X`!2~oXuUl_L);0-Z)*qBzVzee68-X}RD671 zCL6#qEchDt`~U72ksmzlUoVh@Kt;GmVdpF171(FfLi7jwwTNc8)Cy&z0ong9^Ivl+ zAHfQQ+wI`3tB{WK22@6Nb(06y|8uPZe#T>r3U%Yln8Wy;r-5_J{J);{A0H1r#J{mO z7P_&BnEhX~hlp2#3=y~Qz?^6a-k?Mz&<{%9T&2YAPfD&c|rzaY-X>%sPzl{LC|Un@8&#new8e=wP=)UgR93i zzsdunc);8?8%d-D3Xm{Ns*Zq#lqj0s$D&T3>lOq8;2~VZ2K`Ck6%cdEDH;;-iMkU5 zp%WgbiUi{8NLZ%xx>D}=rsafL&}p(6q0=%N1e#E?3j5fNB;;zGv@}P;F=TNj=!)QU zC`qgnS~i*!s8oqdpp2R8SS_aLinsGKcY9uN7-jww<<2Q&04v4+zaV1Ss3Q8=jKGRK zmgo@3ypVYWOskP=C%5o~^~69*(rOy`-#8L^l!e%l8UGTPx41%RX>4y_0+gtjBu7Q zX%W=48f3zebya08#RzfAX^Je|8$3ZWm=or8PrU<1CV{0&kQciu@uE)Gb0A;J!h|X8 z5}so3Jsfq2Dr#nCf#i8WGe^UcSTB8QHRp+G!a^1an<{NZGB`<G1N>5h7s7E#$_g2rXZ<8?7?lRTx``>>u5|RTOBI1hJOz#>mWj+DHicaS 
zv;6#E19KcB{3aG(UN&LvC|_ANFph{aLF^QR6COT8v?)CApml!sKJXLflzsG>ang9! z4V=gSs!y2MZOjHXEs7AgHe0*c2lX%(`$tF$_n&LkUf0VkE@Tk&X&d5|Aex)yl{ii> zOu0-69r)~E!I&2eeBHoN$^was2uK$%gd&tUSWxWg)qt2LiuC;Namt`kXc2d*g*3<5 zRK>~V@oFOx&cb%}jW!d!%a%kJwbMg=LJ)N4R=#_(Kp{M)a!y#-I#TH z4vfiE(5;gj^e8^vfXxJWm5EhexX8OhdeKzLbRjYjMqVc-&b%0H?#>lWkyA@$ZObWP zOm2|K2%TI;a4g(_d^R#+3{sd;WmqphUx0194H4IQNCLUkTnVm$iCF-)480{Z;y3LW z`k37X7wT0&wSY7)(--KC?a3wa3eo>Y^CRsKCB3V(6|}Nl>{$Cw+~)OomW4As;ZJ{y@Aq1ql-@Mk7xjFTB=x z#}?*Hp)YpT1%1gh0v7GW=3nO{c9lzB0sD~Y{2>0FYllNtS6&^*_9-{xTj*FY=i2`_ zsf>UE;oE@|FsS2m`I2eorTmWVmq?45+xzK9T!;!FDq*N+EyDqa5g1{cI%=$0w{g=Kn*iK0nbG?oeiB4sv#zdPa5 zz(j{>0EB(jSqcJb5(ph&<t!w+NDq( zrEjBWe%RYtTe^aVShw5^qO)3bYq58x!1I*;Uv;1C(r6D;wvmAdOM8P za>29J)|D2=T@FxP9q@lDlRx$<)JMCG*MMQ|3=m?|dNqj5XxgdH)R~0HQECK7gCiX8 zs~At~@W-1H_RvM2FFr;xGJ%zE=CSf9lEotaq|G2Z;!Fwpm1RAu9T7bRLc#$8lg7q$ zx2}a*47vouYWCD_kQpbZ#EY#TmzJAwPg3k(MHyn97dP#RzL0TA31mSSS1FJiyyB6~ zV+b#ll;B5zJxK40%=r{>&tpqeV_p%e_cH{Q>+ zh)_cxmJL~r32I*J9dS_=o1#m@>3rCBWAdY%^_h0to-?s$?Ab;kXAO{`(yRtp7jZc4ql~ zHa7^=pksIz;EI3W?C^^mWT%`8sL@a(@&aW*FoP6a@ye@MCbhyH10YDkVy9K&9ZZ9@ zAjx*h;08(|f!5bH`OykJV_KHFkhG+MTqOxUc`y`0t5&3ZXyxj?MMgk!b zZDO$U`gq56@$kS2bjg~AWM~6m;WQy|>jOOCnxdZM5DPGu$psd7(#YI6nk3kt2rl5~xJ-3P|VC3WiW9<#i~e8pbM?!Pz1r(ny`*B249HuALr( zb%_ZkwD2x#K+=>EFvm7*jf1Ac5e+niJh>7i&Ul78+Jt_g8qQ(naUOsMC5*Go*ncT0 zZa5am0g0>5g8X&B7AT@gSc@7*mxiv$X@b|tp)l=CnWyhrT}Pk{EcZ8VZAnNI%DO5J zeE{s-+5=Du(6m#b6xK`K7Upy^>lp&BT=2hamuc!$33aG&h_(_m{HgkqO1oTS0e5f1 zViS~22>4Vtwm+#fs}ve(|LX-au2fqdWlXM=P^g7D4~(n=(4>znz(n3nZlQr0KnnWY zpi=q;83LM|e^3YpY;NJSaAWv|cp<7(BvL0rp>_*PY$mT%Ga-=E8dw9aoUs7~J*)i5 z>S7)s=U6KIofMErBnR?+Rqdgr>JlWV>eYF2Boefg%wdPh8TmknGG;1(z~lNr%JeA` z(-j1BLRgMiOOZ-|nw+sSW)!~&BsoL*4yw7#(SorXXf$Zhq4=Es9eE_9fXo-sBS(`) zueOx*p>9ZEkyr#d_kqGLh_kL7`CpK8FWEw~~ zs}eR%>m>s7DhZ@olVXQe3ScHAXiC6>ey#mWAQ6(63V8)yLSW`aAJnsOSR)i!TKGzT z*w^)+E-m*a!gA@nW{X^pE0IT|O_xcdB@^sZ&m3F8&%&hbhExp0)9_FSveO5dUASi2 zkUsf;ahMna5;G~XWPnIcDAZ^SrW{oSI*hoA3Tdmb0}nK@bcaN2z$!F1V;9N9({>%j 
zwBlG&!8uFdSZ9{%T;LWBXIY7~nT20po;2ppSx1Ef(spnmw7ScNjr%O~F*z7#elXv4 z^pJ`UbA)v_Crc`o9pVQPg-65co^I6^zI@@3)$h#qDHBHFr)=bbs94e{mxx__ITB^4 zEhpD7ID)N|A7zc$QM5G%*G|&QP#eKdoSS}QpSzj^N;@*F>&r;N-j1@ zu$b2G83nBymB^EzN0N#vtbJdTGm!)Zq%%?tayG*g5se2>^|#3)dyofbmtRE1m0&eBqo6Udf=OcQye)SL-}aDjdj+=~b?o=|jXw#dk2XvtGiL1}evd=)(;~-Y;or ziRUTB)c`J+%p@DcQW>8RXu&^(Neb)vlP{vP4ABGXtra3zAC4>u1FS!Dr;0#uCxHM( zX1OG0Z7ukNL14kAE7$K*#Px-`$DOfSJXIE*pdX@G9J>O=U#1UyetBhMvaP%mx4$$o zn(G4a26LMbwlfvEFFpk}fcL(wrfpf{Z0>rf0&V*rE|UgjmI!hejFTFyrpPv7WR+Th z)kB~c&j;2w{;yl~_RSHZAjE(K)J@+Y*-vF)QNRB)_zNyWM)_G1Q?tmvZY$M7S@jpf z`uwdLsVl8x(*jEID7tJO7urG+sk5GWy&XrnoAao~#`RATgSLNs<;i1+i>@no^;2g! z_9!{Ht+gj>g*4Y6{NHQ@q!MPxktBRYOqOv7LBOci@N-2a4Cxotnmi_OC=3Dim!`L{ z=6F{$$#P1?!fX{{?9W$qD074H?mYQ0N3uepG?1tX1@G$=f!JfwW6g7Qiw0pjfHRdX z*+RufGUj#zU>XQj}@P)X9&0B#1GQ4R_ zGpcQfwX~9?O+Zry$r58a_q4Wd|F^zF)m9KM`kbfqf^L06@?}+~Xi@3a}Q3{eN7&^Lw08yRaSGc4OOi+Dz1F!p62H zPTJTu+ZZ#k*|@Q7+ew24?K^w#=lS9L{(zZdt-0?x*0nC2r^&>CecU1eC_hJ~z6{Pa zcyP32wC%f-52Qe{^6TWL+JtPVJOzrpcDi?`aSMSH!0JdClC~x_S=jYF*(H`^;$iN`?R~qLLGY zAOoEMO_&jmyhO$kBEcn(!X+W3BD#U-G+Z*C8Y>CxXcvAyJ|^0ZoJu(Tp2FX@G_dsg zL;Cj7c#4)22URm2)RvP(-5=CHdAv%cBV;y|v|rVX80tcn+n9vs^q5s$}nU`opmTGD@H_;a`^UcbD&k}C;thdC|yh)b^GC{t|8 zvP0{XOEg(k3+qwYBLXB?3y|)c>@ey@urvCpmCe;d6p}U;BFJl!6OLPVxZHrdPzge< z2qB~C50Gm*d$8xiSc8cbK149pL%*7+d`9w!s;LiYPIaWE@52eU#L3rAoWo(l6r|C; z+mfRgVyMpaQ`?*fe!N^#v`cA8RmH|%6F4x0&!-MQnM#dt#Jyk#%NFKF+ggMy$m>+b zaSGDv2Cr-_ZT&BW<$q~%aWO5D+;a`cMxdy4j?p@2By9k%piY6P<;KT_B`sBbeJ-iY zG_RQI^fg+`DAba;IV&&1^Cx~=(zA*rd-32$7>Fay9%#o?xeLg@2~+z0IR3i0sHlYj%L3o7J1M0V=aig2r* z-P1wygB}CH3kgc$E5;2iP9s!m92&VF{n$tX;lmqPhrdTIvNs|$WNLl3W0Cdp(`wk{ zi`#a9{9oaLTTh!@#KaBo3&6u(S5xnG7xdByrBi-Iq&-MG2RiiDTl9X z(kA|c$N?e!R~t+2oFT%hP_(51TNl=sk$FZzcRKtH6>?{mJwfJ~$p*FOF3c!WJg>PC zzH#b=H-M+Fd&m?zPk1hBW#G8dbkSUEULGnV9XM%I^^cWcn9j#@bozFlZw)p)ZXS|6 zZ7F&&V1qKP7OQmAw2?D=y}LZHopS6r9i0U}z83y|DzxJ#+H%fT07wt3d4)6<62Nap ze+oBJB56AE6=8h=W*Td7)ibvdcoUmWU~VtAG}lp*8CRF|+xr*0{!U>m_Se)OdA|hq 
z9b5CqW+c}1m=hCiELY9`lY4bchBG_JQB1S%rTF9}l1*)>wL$Xla8;VRizQEv!GXgn z)rhdn1H&u^txklTe2vyNVXf$>#eyG#v%*X;kDHuOi^nLZr!Wq3@PcdfDC5@$CWR$< z*YKf{mDv3iEihb(gz3m~2#75S9O)g#7isBF)}t-l`8-@BvyT{$pGiA*^Ly{DUz3{v z2^c$i0MdhuDdn6wC|@)v#FDPH5AFf126WLB5Y9pBV#`ta$OxAgn8?(rp#L4?-+#`o5Q0Xdtc!?E6)-9fWp3H4!WMm{FBD%ne zEMlfg?5u8XE^gd3Yu&%fGKr=M!q|gCt=)xs!D<0G z1yZJdl&|8xheUrgy{2?k%v_Wo26U*G0IJ-4F=lvP0Ww;J%Y~4JDi?%HA<5BL(@%4$ zWK0ac#(N-*&$7g5w)MvMWHiP*UyDSOQgo)zNT%QXJSyvd8?RrRyV?13+RwVwjzi3 zJY-4!pk8nFry!OhYj5v)g${$#3?-8#nQU{;ts?nXm|5nAa}a?OJ}D78SuI)@?T&D2 z*KTA+2XWl@G0HIH5Zv%C&8UyKztd$0wAj#G<{F$4tFa%D#Sdjnc1zU}wukHmMs;E- zqU3eqla*Q*op3cGE8teX;N>v*$`H!KBAtjjhR{!7Viv&%HQvhe*4Pt4Fa_~He*^HB zV`CtXYy`>U&3HWjA{$xx%bZgSimKE_BaMQZw*G!krl(H@gZG5~#CZ<7BKnz$5I~=^ z1g_$hQ?*2W;0sDK;-du^B zdb@!+3}!5(H}>5gg@uSc!)6W~8AEw;wDV#+;8jOjGp0w>WRF{)etRAZPBr=h8ZAx0 z&)Z*y-Q9u6SXbY6!;hb!`ZJGXHT@Kq&7alG_WHj1XPFj?xSCNgi)M+ox3>Q_zmKjC zRU%&h)>PC5vQXuH|8ZRPnB7ijTxVcKbMiD!gx_Jc;)7k_rd?*XdNb-{4(&bY*Lih1u-K2A_TO_*O5h zC5iHK41W))I_IXLuw!CC)reE7Q~tYkZX#8AW!0Rue( z=rGxiUUb@zU3P^3&E{iZSf#SKjF81L@dJq&NRIlF(3nUT{Py4e6qfcCJkL#z7M}V7 zxiOKSd%nGbExoz?-XX!J`udes3__F+X21hMW5E!ZP~Ysa0!di@-z#_h7lZCA`WHmE zy8`fCJwbF5cqo0M2y&o0rLbE)ieL9QA;AM#!R8#e(GS}fhI;y*I%xo(c@&NfF;HIi zx&_XHjH@+32->~>-4Ih=fGWVmkkl{(R7~_kmL3NCt8BfzIYZGV zSuUHKzOo~C(C5q{TzBCN3X1GYQp1xUPt#ofG~lLev&O@)eA9Jul!xC~Q|y0Y#=sM_ zAZr5}r}z|o#9IDzLp{CQa5=_ucnh=}w_IVB5d5=ob2b{`Ahj^U-L(^Q;ZdjoSL2Hb zUj2Hg;HL#^&*jVu$u8`@?4O181+0}_X`3Oc8a}=ZG~NC-dy9st9%d4isHJM_2^oGX zUtxh)*;sGCHLrKv*%=K49j`?_tz$jETKZJg_FQZIcqz>n^UC6|P93#uUGM0GnlnZD zp=M{P9%(eou^BS6PE8H|9Pz-HxrSwOj6cPNgbZX$1W*B7s>Z)+Ly6dNSk6&sLmOw> zOe)-kZA|a3TtC`0)2L*)nCNgNHLj^Q0tA}79{Gu6*I?5Baq*;EMjeKZI&Ei$NlFae zW5ob2lK@0WaPukHrw%FHvqF*j1A1_!x_r0ay&7IoKv%wPRtP({n1}!$w>Z{RkS;Aq z{A)~jyJ?>I1O|}FRP79pzKbwgGN{<}12#?9BpYiEl!(cXIVN-1HeU=;N01^`N8A@u zR?niIq(6o&J$_jnt*p!%!&GH|+PM7u>up#4;8%5UboQz%J<0v#M!TPxqqRs4nil^2 z`#U_^S3D?%FSw@YL!gF>C)MkcYi{IH5!cMX!B>_?_KI65EaIpcIzS>GtQPt+oM`qj 
zMB;>kIU$}QP}$)>hu1SAa%AjSQuvl*K-ZFs$pJ2*;&I&4r}MYX_Mi4E;*%I zrlp4oWtK4(8;*b(Dn&xSt8yH=b(ZOgq9wNuzk-5)h)~}Maq+N#bZLn(#i*N~qkYr$ z+=C&YAtBU?DxwmgpBRiL>4O4qNM$|}R=~#H1WzfG7#EL)kr+2b5YUem(V*@|OVaiG z@symn=DU=KWLe(~uBvhl5B(O8C>wn2GSX4))ASZumXSWHHlY~2WbLZ;lknvMqdyk;#${aW((d8N z6DP*zZ}Sl}D{^s72UY#;XOJd0Q(-M#AzEu`b>T$OZVOY8a)j;UM$$EBvok?HW(4aZk&9C5mD=&X}Nh$s(`8e0`JQoZZ zlSt5GCWt|}P`e*_*3|di9~&GwZQV9du~kc4?_;>yxN7%;xH!7YwD^hZcwA4CLupy9 zey=fOtn5Vi6ykjI_l@_GiR+wqW9bkH>&5|gJE-mEq+N_#vYUEcoGRDX%hHvFM6gpl zWy(nMTT2<((#&jkZSwE#t%y;B-xnR+0cB6KuU8j;ltTwncas|So|><1F@1IYYm7TR zy?p}gE1OoRV#7_o9v;)}^X1ucvABQ6*z9(H__Z@aANG#bO8zL2tfe3!$k)m(d|1uO z74zqaiKr`QH5KJgjj^zI>$d=R>w0hpZ6$pmM6z=ddMV^QKwbmh{0&Td1Yr)ETx>cO!57F|MIe0^}%YNE|raKck}hh(~G}( ziIAyyHdjtrb@E}WeMphkV10vG#xbwC@xbj!O4s1>2q^<#f<;CubRLtb*@+1cZ7Y8*%elagwf3OW6b1CWH(^fk?iVc z=&x7gK6tXbwWTF{M3PM%|62y_XeS@c_hG`^o0g{kdSsATUWF79f@2NN~eo(SK%L|`hAyg`V&$@ykx? zNu2L7^+OM6|H_Adj}Ne`YZADBcSyBm&IPGTX26mglV?ARZBzL^)B`Y;dsh0efQ0FR4WjD_c{)&|256Npo|4@=1zG z@SS^!tevyw;mDG`AVD;$ZOls{m3KqMVw+P9yoW?&r{#gGzxrmv!S9&Hg z=@IAeDgrQew-7J4^jOdrba3 zI+KgH@`o7tgN<}jg)ie->s%a>)Auur&o=JBlk`i(*jt_iLxety9$mAU5;^@;0T5;8qK zOrTJUp=#Z}^pLrDa#ntR%yWkM-}JuO`U=yZ?hZ4=F+ze%t5xnU)A@DNJ-kAEQavPE zBEbEZtH(1XkehG4cR)>7N6m`N5066&p2NFzLx#gc%y`dHJ;ms7PatZTY|-f4n)>Ll zP6XqzMVYy-9WXKiUUHdk=a{xC%#F+kZpokD}k0`U*#0iL!6 z(;pV+r1&s?1)?iwa(=0?bE#EY zh_BB-R5I6sS=n?51PW2u#@X)qQfVENqw7c8SJgGoKjgq3{t|t9n^@S(TRvoN(63G> zoUzvxCX4;GuNvQMohmLOfu9gIK~#CXmfq{W)4#ZG?alHVMq5r21QkF0&qd`~VVDGO zSAyGkuZg#F#n`Z=vDxjDgPent!Y8NG;K#L^wUo!TIo?d*j44V!YvDPgehj!Ddt3NY zSLN%d-|}#eN44(49%4_S!qsD+?63^A&L_4>vedq36~N1z45ZQLvrRWaJ{1``s@)#B zOFjhRVCztmNw0xFLG@YR2&k&6ADtZ#ueI+xdvvkU*)w>WZWBK~=kEflZb8~&YnT-cP_@G;)i@TlV~&0q5&LVUV}3P3*c^D&iEYM>TLLu~~<5a~4zw8MTN!At&$% zx(e~KOW`p0sD>GANmu;C8HNrWD|Y+v4w>3nu`vq)})bPV<}MMf}w94=e4 z&r@ReX?9t%cWc(|Kt}!;c}%DLckmQF6KoG*WmAS9SFTr2>Z<)%&Cb?hFhM-^Bk`B{ z0nY$tLA8FSQ&|43j|wmyjj5-+a)WO0d8df#%Rwl5sVvAuOTSr;07^~nE2oR+fWwSo 
z`NB`+Z7@lRx%j$vzJAVTuVnPPM(*7zw4{>;29w3HxmgW(Ibu2QnKFlA8;l)`eu(>+B?^@>P_IMdaz1%O^p|E zi}4Yn`uGA_AYdnZNOQK8`-ji$94yIgVcx!O_T~*u4Vo>vHQS^c^{=M>HV%dk__Ypf zvG+5O9bQQlbOmkI8A83BFIKA6=?u(EKEHA913hsh$wdjmT=eGQ-y z`@#KWB4-s62%@d2udjIluH|%Fn@n$3wN54Y@;xU%KbCPukZN;=z?SA>U?(qQMwnw% z88!R^X}0=aG9_iTS|&Pqb>CMk{{%f_{l&Fe9Ye!*ZoWQ-R6032C?2B))Y7_~zE)ip zM&0+T)ChI_r`UTAcsK_t4r`5_j7_nuIbq&Wi@eTh=<(DDxi}gRx(WsdSU)uc{!GoE-If zmo*V(j6eW8=M)zQ*Dw6~qYR|j!GF(Ce0Z~mw_P~$D=vh+>GVHotFIb;W;C@x;YkG@ zH_IL8h1Ldc9$Gey?YHN>XX#IYcJ=eDCkL@62qc<0R)2Q-;HQe_T;6tUER;u~j4Vin z!`kdxmj4raA9bp9PpMT^5XE*(Y%!noj<&u!8yL)Xw$?0f>h`uoJE$N|9Ag*y4n-KW zS62_|8$bban;SC=>PB|K)CAWew_xVjXI?y#7Ce8L1!{V1iVfe}y;9p0^8DQOc8C$S z$}|@{{RE+4?vMq*xXX`W%mb4{j1>aLD-4g0-qm;E{{`?$Ebr`ua?&bHpVQm|9Y~z$ z5IxoO9uQ3}uj-U$7D-ys1C%}gSma|qlwvXL>EhQneI;WiNmSSlIKKGy@4n~HU$$EB zYpIJS(QD(L%fydRcOu<5dhGrES74B9as9%kk%<{GP~i|dm+RG}O>fcn_m-h&`Ge8- z-!)ZglfL*J6d0c(BVXCA3p*Vmha6#FOBJrB9*>MR^M5V^Ne1?{#@3x|h}KcW6l4a; zuf&;d1ES{*t{Rd?4fdLX<%#7RNjn_;cO|J$^5#oAFP75PFWmnPPP<^3Q00;4VR!ik zK3|d#z-ys*G5fNoOs1`huOmKM@VY@q`n2Y?V(bS6nM=h`r#aX;)-JqKv%6fQuQIvE zYw)C~k}XpSY5S*YT6Cf~mIKV?sMMAe+=U2xlB(_M^$0pji@P!51Xt9EnCWJg5sDvZ zb1Nq%IBGt+s3Abk?5h|#i7?kMy<~7K0U7eBv}W!jq=s3)IodD`Wr<9+Og&L5qSYbn za?jTFdNdV_7F*=4&iU;;mTrX2&C+4f(=@RZlH4@+(c$fXgtofc&M*a9`H6_jv8gbs zc+^X(BM743v8dMm4QdTr{4MSIHzo9`j2J(J^tUS>{f*onqHtd7s4&QYma1{pvF=Ay zNSdz>snd?uof!59$-jfQe}cFE+}Z(~)+xOtNEcF*`+~&=Qt&O6NhXJ1#3PfhPleRIZT!H;>6%syb$yFZ3(YdEzmXr=PLuivRze7 zF(V1bMgo=@Zv*4Sg-d9Z|-G0|6e@EYbpAur~1}M~_ z!AUkaU|i3V$YN?T2~hMIu$|?!?}WLSyE=jjD?Jm@c1ix8?q*%F)<}8=^r$ZWI~zAS zzb3B+LoQD)!gdJJ26nz=nAK%JqFHpmU@vKfmcZD0^xokH0yXyc}+FG{d*Lyx){xS0NB$BF&~i z^+K_T5laWRb_3^CPK}h%mhrVqL78PbT;P6q2YBpi>FDY)W9o4!2aJ|ZOiX7_PsGLR zF(=qTnG7nOqY=_gcUNL3(aJR6bN_NzSvEv+9S@%MDH=4psvNyjm$JkW%1@LBoGr$ELN5x@#QO4F~3(JnAz~;81E~>^Mz#N!uW+-Q)w|Kxkmn zDRxBH*Pikc61W*3_9CYC(a}HB^kw_=UC$>_>C+dr^}9J)aiUOWCy+ZYMLgqPvL)@- z+7hgmc%{9P=7LD)YSrL=9X_J0S?hea_dlA(&3qMl9}ty6Bo|&tmTD|=Axoq3&(cyW 
zBLK$lC$Wo`flmodEiLh%)%JID*6s@kMDUZp>9e!3bp}4fkbR!u;^g9}#-q%V)=>BD zJMvmu5cY27-)i&YAlcn%65v@9k`e>z8a+K4mVdjOgT!-Gr;uXw|54nZrDc!vzyg8j zDX2)P?46vpzL`pq{6_BAiCxjt{WIVCS;+IcHGA?o-rR^GnN?!Dpq#Ohv?sjUUGmyK z&?xX}igVR6VYtY2q4R?BN6z2=%%9I!hAzx*8x(r8UQ=ZMO;DT1iG^`*(b3~=?CqIT z#zyD0w6bBV5RO&~8pakBkiE3FcDInq#L5P-KFU;O1mKzGp)c-)_Ngbt z$=+6{Bo%x{3Hh?ip0av-P$(hw=W1I=XHh@jO3=G>-no{u;bNYw^kP)pj%;pSPT(|ks;iLXliKPIJexw!eY&8y$(ID zjIo7l>TSZ$#|E%}(br_Z6Th(8e!m@G6cA7l6zR{MN~}TZQvM`*M#0+_Wd;x=@6tp` zlOPh|T=gs0DY~^x$>d-}wZ=z>)Q$iBxB7}LERq5(SgRTS1Vg$Ngj9rrB8E-hrYrYAs*3ShQc@&O_sbKRPQSh!T=~4@UnLBus_o_b-~nc9_FwA7wt8QYW^CI&!f)DM zcXo6sKXnr)XQv;o^-h=uJ$rjvTMot&b2aWM{DMq?F;K=lBrv}{tvbQVc>blW!_2aO zFHwgbhS#=5eH77KTwWe9^Lw|ET5q!B$GE$H#QllkxG*&I+U5f3FG?GM1*wW**K%ufO?N z?u?llX}$hhD!ZLcUR!GE@OyKkb`PSd&@^)Xdv+7x6nNY+Nhvvc;%Fxxa1%N(td^iU z^>DS;X*C}av@PKJXYH1bX(wL;GjRI*)}asU_c534E@-!pdCu;WQiJK+@AT#A-$rR) zB!xrP{acy#N72haKbf2;mv{)oJCTbT(#v^fSEU7T*= z-6`RSl8Ym>e<#o6q7-vy&KO&20SUG?9a_YG=z3o&g$P*_W&ZfK%NJ7f@#xqvha4{& zN)%~psd2VrNl`0rd33b1ccK#h_V*&X*xvX-z#GX>^gJLBy|Y}Bm-o!Yc6DY={T!ce zb})c`y|a|>A`^>B)cs858%U&v^v&km6}oXIPIiaq*~F;_G3R$te>a+(Gg}8YW#J>~ z-#(Xfhfmm4WMsK^wsxC8ojepLd@Qd9Qgwg+J~XMgMOy{=d0GE#Y@9q#A09pqDRfo# zP=8dc?Rp4aKipi<^nY2Xj3uu9JT--MZZFitpD*QK=CD3Bx!zg^t?C?iimpuvb=*Y! zXG}o6uIepSmV1DJns(P`5r^rR4*ga|%j5o`&%rpetE&y?#-I4;81MGE?CR>=qR}aS z*ShBqo4g>cORxA0m%FoZ5}dC-^y>ajnZXL`Z<`P4TvxqD^g zpOIlcyybuXoIF4p?s9Rm)#NsClK$5v@Z5zHQiPL7&A_poC zZ(mK{Z!bINube--Jg=RFxRPqyQA4JLpjv?ES!I(y%_g;#=pB|ndflMk{E(h$EatI$ zR{U9Fb3wg_U*P5JT#A&WBYO;;d`%E>qvJc&hwI(GX^mjpxb=eoj(XX*_w8I%kvyI_Txj2p0PoI*Y;xp`Zk)Dl<{M~rD*DptnW^h=#Ce*m@jgfT)#aX zZC5%h)(@3KBeC+kc*R#&7TN-}&i7;ytY3SRIm(5g0c<*Xn5f}-i{)Sqp6nFH_^%Vcp+u4@4hRmL-NFsdSzWZ(~KECJu&nK$N z0c^!F)sTHo6j|mIZz?#&p}pueSCqMfOIU}xw3jrn{W22rx0}!ppr%%r^_GXmAAwX2 z&}f0H`!^bb23Npi_*w_IJs-C8ETNNn2{?v&{Kk4fa*t3A(<^q~3ILl(pnzQ)Dy_7? 
z$+>DFod&kiR@+y|G(<_!~ zJH93EfCB*JU{4i?cPptanK^puv&_8)e@#n8=^o}OHw~FVU_yHq8&5gV6p+Xq2j`vO zS_y5PJ2K}Wly)R6|5Y#^m?q#)v>ePRj@I5fewRIOoWMZ`Rw}Gk*eoT58UE&8Ffy*!ufkSx*g7mECz*^-QXa^Qo(wqQn1Mh5imeb z(3m>Ji%^okiSi0~o!|6M=zcq7Glu`f44h>ku|gp9!b9Q_lB81ruy)Y{sEh~7Gwf-R zVLRBL`{L88SlfjG`~-vv?C&rkUZi)Vi2oTyf=5^J+Ph7g{?J?5nH?!_F`8F2piSf= zHqf~nmPeD*BcQnPMWqjEemv0>v!9=8jupf9NUk`^!b@Ys+E`w~%0S6>=63 zDOA#f7n@IW04F}LjHQx7-U2EDrQ%ZTn^4u7W7%+T=U<7)b``8VxDy%R@VCTeUuy8< z%qEr-Z=X}R#w75>N@M9NeEE`+;QdclIA^@%n5oRz_rAL4)&Czsk;3W>0te(kGrMbI zl&TdwL?>aKzM-96C6^)dN8~B9e4U>T!R9l8Y>0?M*g%#dgvH5*)(x8-9Y~-yb`lah zFCJ1xE-P6Ja27T%O4)Bnu!-QSn#AB$)PiX1m5YJTw|a@`a(nJB{N3>EOGIvHYb~Bnpz~qf{1n#(ZWv%j zp?G{erU>NeDTCD&dykG@+jZv`X!Nf8^{)apLZo!KMUW{~2SQmrvNRU91Ah{Kq+lPJ z%bmR0h&PcLhbHVOJ?%1=Q55;lYX2XOC};<|E$UoL{fU_ckU0{np=j1;Ci`eOJZQ|R zhw5$`${InxRj#C^7v-QRW7KsHbEr7YprAdmCac1r!)7g6AJZgHM31erAZf&Z7aA(3 z8^LIhvrea+yp~b6_1^i87x{x2NBO3%HzX>Q)lb?{0%tvhAWkd;hTRo4w+ulxwu1EK z;-otGZ?LLA)%DsOjm1i3?wF$09D;;S8(=XdV1h=-Ajp1##$P&7sO88u;r}d%`+W%3 zQt1OzK4|8!WL|R=%-^F}YQIxp2nhz$PaKh&jqAjp!iDL@=x2FhSr?+-4u}?h}k7i(9Vfb9Dd5GBF^7BzS5l zXIO#^|9cN#r_Yhs<|D&_DIQ@(WdYH@$;oC-mJ9w`ube8^=G2sfZV!N`B?x5Z#*#bP zxq0>SE5ga>auPQBi?p|R&|n|fj7bm9tHj4;j(ZNAJn1Izb!r%uM)Grw2VD9EjjmWI za6s)o3s30@MT&=dkw;Y!s_@?a_Ak`rrPSo+wTq;21`avAHLA)5`79vAD5A`EwTboB zrxm@U-PVh2P%wX~z!dL(_5r2NOhn5JxjF}N#?!UC=rH51h$#5XACt7Df@Uw=k}hL} zA=U1!yC5kuQ(=Y9k13D=qH^J-YDI5kE=Q_YCG#05(6@ic&}9YpNp!wwuVo_8+d9V` zD=!i%N&cUt^*$`JwS)tPn2g|X=dp(@e{u*WEk+}o#~Qu6pE8GJ^S0H2nPhx;RK8xI zH4xO?2&2vKaS_e6c(hVO-cLkZevlrZw7W@F8~f#knwFbT9$zs`N2eT* zWsW2x4r}6^aP#Z&?d)fbB#onZHWzjttn znROKHck$4pwDpZjTa7WWKTjD2zN%d-BfV&l+Q(LUb z#eS4k`?&_8S!)+Js8#4nS`61n^XBqg&_5{}HlH;AY#?Kkc8<Che(V+E?u_ zaF$R4!{l5NpZ?TlV!sW4?NGwj&yNvPPTT7|??;XoHsB1ZhHtAXD1d_il3TO+?X9b@ zl9|qx#-b+=sIy6l7OXE;t)0lnksQW1l-*&NEu9vt5LQBtR`L@N^4dOU?12STDLi3U z`i~~7V}#LXiOu|*1@j8}R%DaOJmQ7t|NGl;akDiredHD)_MP%0oIAi$%hM4l(-Ec& zyGQ|~Ypv(+s)uR~gVPWd9tE{&1qcIl_P^9v77@5&8%=hj`ayI?s>4x 
zet!BHv6dskf`<+VAhR2M^&LMcI4fBxX9KxRXOsTQaUGwyLApp5x!#W8Rxdv9I2 zFNp**S3=uSlC9wOTl0=nrjkRNVv^MekyjfxQ;01&OuxNtR5PlO`ZTGCl|p+4=Cbbx zgEgu!gb?!IKH6TIR>&-YehrBLFv~bSgtnlt071*4LRUp5wAfyTDF~0dnr+F^hA29R zAbQVOw<|)qH)~!c1D;_;dbf8IOFnv2vA&2#Wv9WhHwl+6$T4?9@@@m5=dsn(u=r74Ha0g-DCO&!A_APBt# ze8JalSXbeTp7I%E@FcoPp)8GY3IvR4UL%a+Xu`+@ot*_ary!xD=5Y4uAE;F>6*@db{5u&bbsg{8Ef5BuSo8N&E=k?#e$#v&}O`1G3!!KEa+vhamy&p z(~7|1nBtadJsfxtMTY1zH>i7L)p@qELVY_~Io0~WPOGV}Ew<`G_5Y-t#{E;D2zi*K zkv^&(;3S_G2T9`|&BSUP$va@)GvL&h))i&*v#hd5EU`stJ5Ejv0u`(X*)(EeXN1A9 zjGaK61OA>a6o-8>n=~+1A$}kViegSfo%=4G?ihq9Sc!rbw53YZlhUB%i3~E4L>r;^ zQy3VL7*7f6A+Vxi7RS*;98fE-Orh_~uqOCEs#!v=HATti(hag+O=6z)qeA>U=pqvj z-$-Jtup5JVl!_oIk65*XU+k>Pche`HWfn90Epa`6noT=FS`PFHNqvdp(u@8BUI|)Y zHL{l9kZU?~tIAKNnO<-XYWljMoND>uK|$^*9_tymp=XmJy-vLv!^D8v@2qqR(eXN| zL|6M^_KwSuYG%_b;eAdye|WLBxJb;4C+oYdyJUeu(}4a$kD?-$-uK?&tDdeDT{EKi z&r{S|LO#hX+{a#>^0-`=1vuH}*~-F6OL4IsQ%>_X}2LEjEe+&&@W&SZP7pH&n zv7?XUqdB-t=F^}_c{tq4b&=Y~V5G~5m{ZzVcYPpGq-R_8EB*>m5JDF6ko6sq~9;Ci^}%^Qx(8Bu1#)Hq2&<*Yj((CmAXo zehgotMLxY)3&hrDq&vJmjQt?SwP$C|^}%cno!$s3IJUXTYoWYv7$) zI^3`92)PqDTLaGWgFD~E;ZSUo!MT3QVqdu|gQ=2+=MfzDnL2wKykNvl-CniSfnYaE z0I>$6BP%O0XKENim1=XZeSZ|6lZA}|s@^`4@fLki8+So%n|uw;2?TZI*-;T=URCKs z0h|a<1T@2?&B_rovt2MCQ(llbC&YjP3VoCX_qD*emL&%mFKSPnd!(akDXRzSm*sN; zAz&X7@~wT-UI(LvGTu6QKC@#U&c&HxMRnB}+Yeky`1%b6o*amE%}BvTDk+=`2Ec+Z zmteRXY(obe<}vzH*=iu-*y2_@%-g^c8A1#%phMjO80_8*LF<)rtd=QY_HcqjY$ilh zWQ2iZhO0r4NEenx#9UlA0v0f*mY_H55V~52geUd?_-s;d#OeqMR{-GaFskc^GN`8k z=E4miXlW25Ak1Gg2TVAHYX$?jIv3)hGdW{zl_Bpaz0ENJ+ zMzx^8>wi|Th-fSI>GPNM8bYfSP~j37?$BPBumDvVrp5Jy+E`zvz({-7kl(gQDQAqHVB|_o03{&TM1(PF+ER_Vz`2BvsP9lJ*2Wm z6;3qQ?pH{}sZw7AQh?P;fjbn`Cg@cF!s-QOAAD6;&L3xZeW%h-xfP{6nu|i> z1{te^IMcOKo=LQ$YIZn2$xY^9ac44)pb=!fI*AynAMh%3fL{LyudVP&FM~>ZML!vzE!oY*y*e(Wz^BzCJxZDaB3*c*ZNag{l zG5--J{C=TvVWq-Uw|>-Uq;y2M8!6{KGW;lM#9avd@4Oi{0(S4gRNl{&!%qnOEISw3 z{FteB$Dmbyl#4!60crOc@#ogVJiFW&IJSj;*D$bPAt|F*hdE;%IB2rN9!Oj;`-vv1 zD2m^Gm;$46qGL&BQCKEa9FHO=J&GuG4^(-Em)GwlHWI{Q=&*1$ 
zCgDWl^2ycxNTb4p>Ts_HL-_RktmE^9d!&r~$%Paj&!d*0GWxt}sN`trZF>iqnG%v&lbc{Pw=3<22HgjC zP6waH|M{x_!&y7fTRm#xpdfCkFdI}X8;(r0q1*84Bktjg-Af z>C?x2+3Z|NJ)K8ct*Ds70;*a!(I3AEUp)DI$ruoIVsj5b+Q&!oB_j4Iqu%2inz=;V z%nraC+{f?dJ;m@r$m74Yp}%6CL1+O?W#xbeaA0#MCm(cZLT{5ozE;}iQIDm_cVTVz z?c#~&<;-O_IiI*Hb)P5r`kzqzT`NPgQ3XD{ZWfyM3a-8>k#9CV9b1G7e!a#bJL%!t zN^X{hW4hned(GYR5sRI}7I$qKJ0@H))b~p7r2Lywy}F1hI?Ob0hl1pbMXTnAxo=Fx z92$z-cbF0i>$18yb>@QKeHI$qKxxh`nQZ#`7nKvqsR~j6p>>i7KvcShAf$UQb_)RZDrj@A22pNGNL0 zk@9lR?L+H^0^)9QWIDwpDDkK($tfmuX;M5!IpfwTGPwwV%JiCDFg6TtohEsROpB(4 zrX)GbY_DC;$40V)iXQV*-NVvigo&6Kg4}m9v+wQ)lC!-sZxvfJuW+s^s`G>jo}Ef` zp9>EL5plsO%YcdK?)WK|YqQp34xkRUs;+PDM2f#PVd$+!Xds!I)DF7q%V0TQs!3wY z&hA9cINM3gpkb87-kjge{V>u>D9Ql=;*Jx&EhCF1Hx)vGGI|$GLM2#KK2T=@l>}U7 z)8ISLA%%y4Tg@Xx5*LXq4#)wZwZZ1WFaTySDMM5y>MVEU(^GbHv=Pc`z$Bay-!b+vKQPEKrY`aX(nIN~_pe>+j?(UhI|JAG-Tu zN~wfnLWvpW?cSlZOvO7aE1cXv;3fwcr zkj~>QZ@74oQuEiZBJb1 z*hQ$HebImJfE1?cebfY)8d@mmua@EiN;m>m3!s{aHKBFJKhVE#4A`EbFV}g;x5<^} z*5WQPeHfPedY?a`uMHwxV^6#Dl}woCJLEb8u!!eV|bU8Ih7 zZ(2@E?pIbBrLSEV#>#$DQdJPVmuF@%rlVejy567#LjS7-ts66ZNqM`Qca?E)8)|qY ziCe7eR3Gxyg-t3hD%DJw!u|PN#QZc0PTzK8J`9~6n=c20~zeuN#`ng#n`FxS2CcCWQ# zfmwyzgrh@KzN}QSA8Q+{_7|1pO;}DM)KCn8Qk2=b$TZaP1{GmL-99s)Mb_E5SQH&J z>2GbnarvWKmcE(GBsS*8 zI37NwybhSL)n-zRIV+_Xv{M)B4!9EZLc^SzcFr*ZLsrGe(kuAtSAy6+_8sUbA@Jx+*s z<)zYottdabT$c|R#u1uRr5haMslv1FS^e=Ohn+Hhl_O0f=aK~77A><(y|4mLT?vT* z$s&Hn8DQdIv1!Jn=~dRGr?s!A^6Ev%A&iivngv$rcHJsw$+4<&O)FS!+OVUr8(wQ! 
zvIfFcx|ET|`6Gb(_l%9!jwgOPHTU;ihbfMk5`OKQCxGbqlG)f>X$4)B#ZGWFNDoB5_$TGE0PsrR0reK9&H`WAtm7q)I`(BmLjNP z$AsllifWL~Udb#HE^437%#1W#Muzm;z}`s7nQXEF#ryB5VvbP>aeP!m>jX zrjd&jL9fLka1bv?kFY+07O;?NlaZry4q;qS@;FJKwNVwMVOJ;}rwcRm?3@RJ;O+(s zC;iD3Wz3-AAsfXeQII6SKhM`*rW{u}dHSNiyU9}#hlu^4XjS1_ssVQO7Lc3q_$ z;|LC5g60!ms#-pR=6Zd+p%o)96=z*$7J&RLw6whVu0~VGO`wiv_`S6aptHg;N;)!8 z88NU-t#RPf#V2VRAnEPXw}0C?09m3B1^s~M zwsg&cf9Fb)KR&Z5ahBUtm$P=zciLVv(874yu7nvomn#>1BvipyfCf0|>nP9PGvb)G z{9fOoeGC%cb~QzFYaQ&pltZEtV#Z`@O;2W5M^gje1L_!dG8sTT?EM+OXQ41|B3aAi zYj=CH20ZeKxst=t9V8D2K>bvlP>tldE%Eno*tTtU zY-f^8Jh5$0>||owwr!n$zl-m#yUtl>oj-f6r+QcIe!6N`)ek}3oO$r~{1C-#Ej76v z-l}j-5c~zdsKo1FEQVGnV+x#OBB1rTQRAkWsQgHT+>HLF<4In+*eP{bb3OuW`;5|h z5fIvcH&#}Gxc0m9o>TtVoY>=j+fdLBzsJ6;g!JTAKeb^@n){PgV8f%Xi747@nQp8* z!!Fp+-l~2U`I40N(kjB&h(Uelxsm47Nqj`m=Dc6Lyv6O@e!X{yZ;;zl4pgk_ML5s; zRSU$ZO-@gH{B1!KD8V;@!`x@=O$(&R%BQw*Zd{`zY=#6qe{A&Czo7K z*(|5Jzm|L~-xw99CGpSBJ_Pym(OL9D1{lRt-lwudSPDug#bS{x&JJEsr0tLxh)-Q9 z8|!dxU%}PF+KOxwOHwco*>KeBx_XD)q0psJpMx;H_R`KMEa@^IL$f8m-ijNA-o6aG zzRu#h@8_mtvwOUsCSIv>J%1)rob0~jBglx@dM2xc(2yGR&5mH8PmmvTj$@f%b71z> zp)0OykQ@Y}F?e7o#Pd93_dM){LrqWa>UPr2Xc&^+SM)`C-XPs;x7`C(Et<+Vs zP#!<8K;3y*lx2^5>T$x1_ z$ezLpXN3NG5EmiD#I`Y|F z3!jSBK=qwcgWaJ(`UO5pfH56LS}Gi{uz| z3e`2ZatsPP6OS-U2dTx;{sz7w|BSz#*_&&4T!N4Rn;x6fg{wx7$Ng*QNkG^5A1Hd% z5DoK)ixPnzaaf8;_^V?F(>}>CFKUo!zqayFy5X)bM6Z~9uxg?JfDL=6&K8-kk1lyO ze>~vR^82~N@#Cblw&(t<97r=wkJ06X-eByTal1n>=u_&e-64l0gkp%FFLSs-%V9aC zVphYxoWt6|BSik}U52n3P9?qW{G6&8&hfk`FSY5cX)INAxVU<1H^;R*AitrR0jcc< ze70BEU0;#np4i@i?Z`3UIdw~z8mS&EXz}|WZ3LRYJWje1gF)r1W?(7z{Tdfy zLf3Zo*iIt_%*ZaM^AAIu^LN^wbH5r9GLwB?yZx1b|74Zb&M| z@wOtrgbxjDtl-(AoE?&fO_}yeffd4TmWbz>nwT9tw87`T^+$KDw@k&w6g8#~EopSB z71%P@4ykfX51NbuO$(R8MCB1lR>JGFNGv_-2!>ElB{8MNb&buG!yRLC`2pRQK1?f! 
zHcnJh_sujG!NSd1xCr5hxua&{-1=)or6_sR)LxKNnlB$`q*vS*7+%%of)6ibUDcBu z;OMgfH$LBcjfz*fghaQY=e@s*+tOF=R9u}|5~6Z@*yG14o7|evQVnA#vUzd=`zpr*z;bIz}O{y}CuUtc;@Bie7Zch$5l4cs3q5`8au^nCa2CKV>Z zcQo5C?g7Z=0gw1Chx?J50eAbkUAOMruR%3e_WnJV&K6&~+iy?PTi%v8L)95?&20&` zRLDI6cWeJ*Mo-Y+o1+ej6sUQF>6B6Q0GLAquspB5|4^qWBE|OjwqKu$Wm7$_)+l5= z4MOh`rO46C13n$U?3N&6UrO?%sC?cJ+*w^Zc>Qe$dmkodW-h$- z?1n@)3!KaPJuDxe*Pm5B^A@#P>2dVZ`QGxAii*FZn0r$6k6;st=_#|Vqv$drj?5rlmONLS!AN2(q65n?{dOqJW z9do$>f*UJaT8546JYVyg2A`*ujycyob8~AoLlyxqpFKY^6bx}QR=RvL@z)9!5TM}< znnl5%f*MuoX#cPh{v7iLY2EeczTbS_{@&>=jN6MS<<1_U!Tnbda04B{%*NJX`RuS) zVJ7h__qOKRrgQ}G$kC@L(A+^o{m*UsIN*@T_o=Nk#K8GxZV+%h4QY%2AsCk;i-3q2 z8yjbN|0>6Oe*cS2)pS@fORh-eQJ#T6XGnH&?(@c5=4f7m6t8O~!1-HMahYqeg_Hea zt7!n+iAj>wvHNyuytdQ7xwfY!pFvF%;CE9ZiRInCR%?L&aen=^6M`JaD4}A{5Mxm5 z>*jRA^!>(n-4kGSG8BWD{o@mxsVCqD#_SDzcd3LDHoIdYVuHs`TQI~Ky7OT^wfjB$ z+W#!w(j5EM6LOl{mooExUg&jxT$Ay7t4kL{eC~SU-DC;JJ(w)1OrFhU^x5$J_As-s znvZaMPNRk2|JBj|WogCt?mpLt_ayagI=6$@Q$S0%)=K7kP_U1=lQpY-wwMVy21tWT z&5zy0V-aISjWgh0##S^3-(8dAPS&@-uAr}p2npJo+AJkCW+{iM zbntD132z^{fcRrNM?ygtRveg?CQb{$s%S)Pz_nw5)5Qud42!t5=Vy#Zt$vT!(FG9T z=e2O&pTthcvqs>RuYVvX&1wxBqKx!CK=gGIf-K~_7fE$WjuL3ST&`Mb=zV&4lycPG zt}{X7TF8gQH|s2xYPhr~+c*q`E%f*iEztMR@M|?-4!_-V)$e9b@n?udqb9y1|6NV0i3%7;u}$4pLsJq!zdjd2CoZ+{JAl^&xf zq~|H7{i4KM=gQ%Btzy*sj_$b`Y<^mLM#|ot*>ZE+3Epw}+~ev2ZHyR9Ki$+_+ca=g zd;UJU{xFFdW=OcL9!X?v9J@4Qu5##$7-+f%LUnI$MoQ%IKLv&45F{lezCWhFNs~rD zjvPP2x38hG|8_a)8&j1J016J09{*j$;KRSh3goV;(RDrV_q6+7%BboN6Mc^w+O4j5 zy>8SKeV#Z1bgsIP!zP6&=Zs&tArjI>M!Dl&EtnA35=If10nl|vb3%`qm%?7=X*Jjww@rHZy z5NFH3%}oI>eSP=XZyhbJ(7~WLf#v0=*Z$Xzr6ncZZ;OUDc6Omiik2-i&qiHOmDxD% zaP5hTxdJ{D_%+{28OLANPuvZ>x$ue4H$dK43y0qqaa2Kim9%Q-ky6 z!)|BF)ZK>AE75mdet9DhRQfjkC95xc2~E^pdbT#3bX-vH%Gq^8_5CQsKtFtbrV~rV z&*FYxkw>4??J}@lPe<@D8g4VWU~HWMOXZ3qPoIgp!q6j0K+w6g>_LJiJO1^i(~}lG z+4;1TK$Y|Q5j`D1OBiR^$+Ee%#ly$5q=QX>-;Om2nD#rxezL#zdQZ-^+g=sm?Q(jX zd*SN-Y7)rIl%y)L&FBCk&F|A6w%;$eVW7K~aPfptN;PKE(2e~kv|?fr@wWoLjRL+0 
zyL_H|wUJH60LP3U7cpFfUS{9jeg^}@b1^5$n4X)~E3o%cA?TYDHpUKnD~p4}f{&~2 zj=ZVA4Z2yh(W|-y*`H3f^hLpspZOmruzQ~5;9oR#u0gQ)w~nNWr(V+LVoWMs6ra{~Qn@0O}(kB(AiXX|@jqJ_3Q zt?#ctx2_>WL;zb7-dOro*B#l+&~DQBT<#UYAG@>Y(8z>{5Wcs?^+7@RJvU8`t$snL zt5QCG_7=utmsryVt#xk0OSAR$^v3~Tuh=%5Z!aU}ak4QLIhF<=kEPyg3SIXy=TG__ zMBfhy&(j|R+pjTCSk@-)g30@(L#1FrYx;a1{eLrc%vUW`(A@V{v$=x%GO7i-cH7q? zN9$Gnu<)NxkDgMN7*Ogv+JM0QS*fpEs%Os;&6zwzD>#O}rl1}i3m@jAKX{{_BQy|BvTh{mn)B+<7Y_!XOC}GIs5tup7xpc0fn3h)!%kSWJ#LPmH_$n z+%24)HL#y$#f$p79=jhDJ=0Bf%cyx?DzEAUYAlqv3*Ox9=Z4-M$?N(Zr-o!CFeB{W59{u)w zhoy__3f)zCOMVr#o#0GaJX2lHvO7 zmW-e^*mZxo;4T0BX3|zXq<_vqYVGDCNFud$viDPzo1Kg6^^l2wdu8Lm)-EeuKR6+ul6o7c(9!c= z`mKhwS^IIaX!!NU)Xe_oFgfIAcz?76wW>5i&^V%LM4oR<)ix5862#XBGT&(L1JE6w z+fxbH#!byL1EdF?&wJ_XW#B3N+n1KVIxl}_<3#{>QiG$Pfg14Kb`n%_an!hz#rdRA+U_#nJ`Zpse!(g4exI?dJuUY zE>>!CIi5lx`|ZbYAro-l^jqdWd-AVjN)a^(8JFX@YrrrqgK3RYBywuvdFb+i%jvk(_wOX$?=UjGWw%BjVef&bFP)2rX>PuD?Il`uX|$-*#-j_qB9?ZrZQ=1l)54knKFflDGcl#ebMuKlK>x z-VHe$Un;>Y3n4Qf^XPHcd$oXrhojQmt#&)P*GD4+Q#gRM>a1_W zood|~=5wmspm=+v2_OO>my9c<>D; z-0p}ffM6AjIG$L&9~yp{pQLQRUOo5RU-ncZ0++DbZyR(21r~F;SIjqW3b<-5Oyla3 z#@eqNs%s)1eon5!TbmqJ7qr^ZnaNvleC=c2bw0uG)#K9e8sBfnuQ$tU!ck*Is`}cn z;^q-N_T*!e(TA0VDkco?i{33m@2`3}S9foozP6Aiw;0`KhwIhm%igUYBup@Saoq#3 z^T&@K?(R=^>uVjh%R{lvd6JxJ47upNeJ1r<>=|T*s98dN#R!noaoSrm$-a#6jIi$o z)NQ`8{-8~8|LCDivxTqsAZwaAKRo}?dp<9({hoccrw{M9KaRM#9JhXTn|M@` zIvPOZQPBkVv=v*63OtYDGfm@vHOC@?a;N`8-+mkK5p+2_019$UmA5OHh-;s(wHw=c zw|#$%)cSw1mACDNU{5=)HQ8RhJ*EO#Gw{o`6s*$V$BAfEt)l*;=X0#(6DuzhdgQYk zD=XUge-O9ZAclRnS9!KRkSGCk#N<;lnx3h)emaaDYq5^EoD|bXxGW zeA@18V?l2_K8kX_yz?Y{KFhCs9@PKrr|OA2IRpjg{YUkz?l6+S)7Q`M*UFZ=j5VeG z%QHLJ2yp2%87dVv0DRWL9EA4%fl*m=Wwr8zcw*$s15j6{f)KmK)OL7L_S5nmDwcrH z+1?7qcU)7Ijf;)VAD}VwR~DNIDNbI@v^+YsmVtp@?5KnZNiVh-cx@!LKx~t4O%UQt z1yfK5u)JpSd&IUG*p)=S_&(z5L517Z6r?VipUnv`B}~+UUUfa&I8Acw`dXU}iJ+n? 
z<>RyiTRyjPkPSYkXv{h(ceFX(=)4_!G!7`ME~&A#oxZ{o86U z5KW_M?aSX_Y!jr<;sLOix9jq8N*3%sXpXW`*+K0ApxerMEc z7-6fi%Rjrec2^ z-;0m*ZqbN1!)||3WypXsPHf$7FLQcAUBXsZb8p6mR*WuwCs)8H20OWU56#nsuyruTEhZyR0P=pO(u_Ogy2I~bGqJMvyz(3hP4vVy+^++tf5} z91Z$eu)0vW)81{g@rA8tjAbQ^|#Jtd>kA;_1~oba=082 z^gH>}G~3E=BW;&!EY;Im=L$n4;zN_}2%t>uZzNPz_qn=nAG15Wb#*g)fOS2P`1w#by^pj#g|D zdyYrg=T$$~-^$;V+}j-YF(-F>vjY+DQ&0Lht-R=yFSdB=I_n)e{pBOBtjRgrTC51_ zq4`1c6sa5aUX3Hx=~iaeJc5mXoV;v#*L90GOtwc=B^C7fH$4P_Qf0mkiL&|xt$$P> z@=0!X&PT-_#uh7+012*?KDYg^Va2~Bs5)LcjJaW3%8Y3DNub}ve00yZzkPbB#GkZ!N6w0cZWW%GH228#r_y28)@u)_LEy!3Wxc&|M;4`XH~i>nlEIh) zH%N-7^fnux%dL5F`ISO^)};RLIMG_WsU|nZ%`4bz7A>9*K$I9wb}S!C8)dHE9OV$w z&zEs)VJ#ACadH;g}i+<-twA#f$7|Cb} z*=P8kew<@lUYmgMCfX=2tor~;i$%TXA1uU*6}SO)YHJc>&lz#9 zshP|?I~VON;ow;K`5PAj0&Uicw%T(*9>1LzSQV$#F?Dm}%i8w69sTHNj_68ERZZj( zP+Fd{wc*5dw6)gKi7j^Z0H}&`VolP@l$DEPRd2iXHMUp-amwpPngvWb@GqZTUF$$a z*v+{Ou`5_=xsj8^hA-%{JY9#YwYvN+nvHhz{n+75TVtEi>y2(6J^a|gJ3`GoQ`2QE zr*tRa8BbxGY2!a154+3N`f3IYxVA3)X~9pm6~_a1lGLQLGknfRJ0PbU4-TTmVf_-& zv3}k)4**Cnf`gha4=Hd7a>`MOBDIxRhmCtC+3!Yh)(h{%#A~W>aG#r-@-Qqko3B6F z%e&j&9upJ)qBnKl?(I08Vk&W(q%ahf~$wXS<^bGdDYvN}f6zpG+fExIB zfdfVL%U9o?!SnFxay_^&aDSd?Zg7%a>6KDfFm)JZ+=3@%qB2}JoKWkPoEFb(Kq(O~ zYmc8$;C1)?no!Wo;rVOW;A2d)G5S8>jp%zI#}a4)f1eu$TdJ6{DIuYnr_T-W=1$!v z!zpk>qgXQr)eXNu1NSF-?ehcyj6gHC8=u%1Xd=L8 z^xU5-2jk5z!$bnv$5&PNU4P0WcWrb?eEnJeFG zD?!YfyX(vtE!Q&uC%PYTNR5~dz7J%g%R;C*M(5C$r&M2!2Xl}{kIBlJF5^u-{vcd+ z!ax1JJ9`*7J#w~Mbar>YW7GDhhHg~uEc;myhcNTw1G~G^XB!k-a1Wug(31$ppL?~P zK$+#LwC^;d#A>ISmnm2?7`}rWb5rN=rW;KAK{z&L950bk`sKDEaoqYKgnA_uvb`>6 z*-I3~NZ}GJEIcOyH7Ej|GvXBmeSo;krl1VJGbfBg@C6L7)`%p;*fcylP3)VkE3PK$ z4Jijw%CW!pCj&h_wDHg}Mi_CAU+1L=d^-`2D)#7+|21oWI30f-`+ zm^h#fp4}K`+&ocWwUyy;f)pp7e1x8VjHokUj`dJWH@(E?5faGyUt;X#l`$Dg;R_J_ zAqb&Lx9pJq>9e+CmzFbEPTRKk%f8f+bGQAhj0f|%0Z}%+F#g@wD!Rl1svAoQ(T54+ zdBH}RwP|5_91JRinI|knkz^7dG*vqiOadz-0XQy>A0Gk8Kuv{b6quMfVY(oZDrTLGV>h2v(8>y|07l}GndfIwbG z;GPXx?zf(Y6htBm&zLUngrkziK9Xs#sE7i~d|{`+go3*{&SEStI0;w%n{j-Tfb$^P 
zxEt19tsP~K6=E!+n4L!ZfRqu`;+!cCak4aOCYU?Dw6|K(3p^A7bC(ZN)%V^Td(1Rt zsrPt~J*qRDHmfo0(wU!IXwBCj%ES?#PzgRZ`*q_q&pAd*7n-e+uWk|qIY=>BU{M2z zs0W*bf^M)OAvST$*lU%S3y~>GQ4Q~FWq_M%BR%q(ncXF}6fmY*DEVAG9r>%jmR!#} zE6Noq6lh-3kq_ek&$Oh^g1T3(j2sV_gNKWmKl4wfyWJYf(^@WtX79B}$1M#8B*6gs zU-3W$I8JjswLmjo;wF}egSFy8zL3nn8ze@QIKNq~dO`$$&dq3F6crw0w4-=}C$M^c zHuo#^-qEP(+%SD0a3$&Cb-A0;C!}&aZVu&a+BX?s%VFnBXI=EeqQ~UTmGFel)y>lw zcYv>w^1=JSx0!YP>aR)19gJrMtCFe6WiiclthSzae|PANk4|MF)#~hNV9Ew2YwVmyoC8CYU95$;jlzJ;1HI}uXwt5e zJPf);YzQlpmUF6kFJYUfIc}LjN6|C4+=qoqT&_mp;e5wRCp!QvJxydLV4bsze~QQAd&QDiF0Z)+8}OZ zl$(eHA&p`jEi?;7xJIw1Xn>DP)3FtyOeKE_FB|S(uNJAEQp3=Ha^O%%C2AJlhwFaQ zu%@L_ZMY>JpkH1y6&baINs*emtoe(F!A_k#2(`2cJHFm#0=CLoXyg=KD33A0(9~^c zU=oklMB1?b%7U_TVQ8LG08j%BRQB(qYW;9%Stf&JRL~a%wpmd~$F8DA3_EYi==F`c zRjyO{rpMUf0GEvWoA{4R8E#4}ENRyMX|uv&18bqKqq33qK~H-D=iYE=)3n%MuYBSb z9jIOzdY>~Np?Q((F<>toAsVwvP;(XT0=1t65=leCI?zZak(x|8fhlmiC9>(n5Hla= zNFVT(Het?ug*j7P9cf1c)%7}MCV*O|y1Ukiu#kl8ytDc}(6<{c-7Triw4OQ>Z5 zB0pg~33z|BTa?f9^ee~|zg~4g3PslA7nd~52HnmGTa*nF4ez;^6Zx|e^f#lSQD6le zfWwD4Yl<6+pDG81~jl};sR1vj++lZ13rDa~bVG3Qs( zn$qYy9qU(cad4Xo6v9*F(CurE-ncHb&hC3zsk11H1t^3`+a_pk1aLDw{t?zo+d}mb zx&{rYhucYk`g+l@R^%Ls5POq+NMLA=<@^)CD&7a6t`bDk#rgdX{s6}Y3oDl>pCK=6 zBz<+zVMyH^+QzWo7o1a2Cz|SZ2K)07Mi1$~pNNO$U>Mptt zkYjAqsPL{(cM8ayHmZVpD}HT+G|zq|yWIR&T)|5a)`q`t9K>CcE-}Hbj|sQ*eRv*+ zQu>K7L`8(a+qa9*^`WPR=PrXLxSXO8D1<}=shYp~?&)g8d<9xGpUDMJ6SbFU?h;F% z6@8Q6lqjW8_e^56I2O**W8u3ut0tdv6EsuOV^YcmArfycy}bO%*4zUBh9~&*?~Xz& zIY_K~Zop6AL9aTy?-~kIf=JMWP|&*NvTQK{5WNT~76jxSzlwv#{m zJ-tlsdU=^QYxbg=IvPdiLnIZ?4TRG#pJU_$P+Gy3RgmUzTi%~Da&}vIEM+3>pnrfQ ztHi@GFm_NiET`sdEhvQr0*(CJ;0qp1*2i4TX!!g5oWHD^UJ_U0!X`D^AW&!%$9E>@ICK0wKCuHHo? 
zEc+o?J5KTE0#6>~`6OPWM*ROYR-PD;ZAPz&l?R(w0TnXO&X6>Do3-=U4uSAym5`6` z%bGoUeCISoPK3ESc7^(qz>K4$y3dpbUFH1`NKm_SOb0T}v}@>rm~J{uYi;R zlI;HPJUV*(Cy)PElxw9x%D~0{Ro5QjxY^v~fd_&z2G5?G4WZa<(wr)I?)|?xQ#Ap^ zH5D0esD8n8zdChONP_mk1mmzLDNP|RK%_I%>uixgH&~CiZL#uXG_j~{fFTpL>-EjV zL8Z1u$E7Xm*VG~9nnt3);tfg<<87OCrFW8?rOJg9)=d8EK{yyq^g#9sG%Cxyl;7sZ&lcT$JD`ic>!iK&`iS)TU!}q?s>)~QM(FAGgM`0 zC;%y1w&pp|xzs?@iasn80a?ZnPg@SQ{n?E!KhL(4RsqGNPi4Qwv~$%vp@$*g80~)9 zjC@K9X3JBg1Yb_CBmyK*mbr2Skq&5J5~pLXi)&y6J_!8HGQ$E=9edTH|I-UM?JpK0 zl@%0Ee(R_Lh(_(ZCYvg;6cjVs_GG9$JO`1iiZVF*+hz!t0kDdWh(H&1jP>53k(_ui zK6H(#zxwWq5O!k_z-yOcF!OYx>_GYSz!IhH`{f_|27N%zoFE~0AIFm|pO#^je69<`Q<}s3uTOha{`~YS8 z-*|!e;4|!tG3&kFkSNsWW$k+((XF0MiPNNB!tIT6{<3OM*$L9(oe(8K;Yh~O8N$$~ zyfjw{K-*ssj42931*PxyJ}-Vv>gEZJn$Z@XU)n_RnEf$|V^%U=uWP|9s8Hqe zDC3FqcKoB2|Fw@D;IE9J9tEBu5g>J$W7?y*_!QbX_=|_A06%nn?X?0!ch9brRBh)f z<7O1vJDDuFh)qX}JKz#THQqjD(??48DDhT0ygNvIGyHf&DctLD6ZXKFdj9&f6t6`j z?322W(}Njq&^QENo=(&E@DV9X0K9%WiGfl1%uGFqLxtJjtq@qCgg&|j z5KNBD5AEEX>Dx17_)+3AhEosiWDfqUSxs1(ml!BN%& z)rrP1NtD^uRJS72_zTNTt{I+n0Y8?tVu~Du&7I)?PYgi7a1$QbU{Ip0vk;M zlcyR~(Dm?OkX1@}9R%x$H5E`fVJz=-(O!*?y&6=S2;&kEYix0;3=DK*)iSj_x$5-D zb&ZT7D+!T-u?`JxVruoWLkwm~k`CBX5bbol2?kk^P;-$7PXUKiu^}!v`5g?g#Ya7b zpxNJoNMrecN$&HRALX(7dJDfq!Fe!T@c~(9OSYPjH!FScNbK4E#&k1z)TTA}@x0p@ z?ebVRlAPITU}iyh8veDDEw$A0nqibukOd=*`BBnqG)iS>R@kiapehnr;+GjVk%84q zG)BeBd2;p%f$9>Ai3nPlF$i@*IzWRaqe>1S89uR?K{)J(jVz=UWeMGtPQLy~9@wA_ z1HKHTk@$R38cgO-wLtQyIW=I47E<7VDXNQ1_L#KhDYB-tTjj)n7~#~es#&sbD^G!0 zvC-V%AU$NBz#zUXfRRozQC*qEwW7qVV~@9QpmxwKO}{~AC1-#Q9zIVVW%H&N!53Y= zP32Ze|6NcvQ$!=IOVjr^B&rw69>lypIEqgG#E>CEx%bU&>{m*3J%h)iS7z7!3D`k}Mz3*EdD>ez${+l82Unqyge zf}AD0I64Gsi!pShXb7*ZCWy^)hSNem;`+>Aws{R%bcNlqKg;yc=APj0+tG?~G%7KC zV#r*R4fD-`$skdo^0#|BgXT|IM(}CZc#LrA3dT|(9@I)XuvO$vKH;b`kR#3Mr*gIO zfs`P+JB2(Z!lUo-+>kQ1JoD-hv|0*IOJGqDBNb}B>DtPH^p&tx9ZQmnxKXUTL}k<< z!cpX7i1UaFs!e*F$3M-owBuExEO5%@G$t$gUpYZR3Q?-N@idYs(5N>PI4%}C6~^}T6!b5s-YV_B3-01?gqoy 
z7@jO~QytW5zBN9F1c2F)P-4q`wr6>O_?avJbeE7w!*7oVKnooygPjY+(2QNq^62`r%Pg5H<>;D99)COs9mEvPt{nL6#xL>0Ag$|A&) z{&~_m?h>)^IQ!zrp$oICR~I496f^wz$XNTDb>h^KN_v*r=Bcr1X175d9F9n-9fS=o zM;EWV>XCW8x@|Qzh!2u+X(qysZ77~_6V`7-P+BQr}5kxP{i#iq}caO0VTxt3Jg(8Q|?X|?$5s}UHO zSWOXUG_0aqwegW^w$xat_08Es2!1O%i)U)(T0n(}hMs5gA}IM zoFC9Za>kcrnoR&@6rf~u>UF8;=vg4)Ad9&}qw+W^)L3o*sOupAWn~=4qnRqR5am(u zDf0sAE9~!r35k;t8VzTG6p68B)`Jmf?ZHE}WEF6mDu7s;V}2kv^#zDn2hH)LG0ajr zKv!v$r`xnGT^ZGj?s4ie1xaK~g-G`akTU`1^+L+5e-{*Nk z9hXC$25Uef<2lVYF)2fSp*%6M?AGZmJWpZd;B2p^cM*aqfOK*cU z9Ik#zY@zmnQsqfS9Fy5%%KD>Gqban{2t!oynyxigH18h=q5_KNWlAJA7S`&M}!RJ&Q%%#E+BYPKT*&+*)ZcKW9*; ztKV$%^+pWJ*K7%SNtyf?-82dr1++m18ABL)KxQVPE|?T*pCoS$1N3gvv39>U5A~)c z_*Z~7fHhILw3wC_(z%R~i5e?v1nSnnH=kGab2I!z{L@T}#wJn=+`Sj6y7>0)M~DE* z7_`x`16m!dN`u4_-Lw(&5^^l0MMHeSmTWkitr(q=xfW4uW~~dYMMfY%lZnz4HTxr8 zI#oa`*%&@g&W+`tvXrhnBVA*GV3iezBESJ%&4f}m$ah$76{`r=C#lbKrLF`znI8n4 zilEsEA|Kc6l3+$Vs<|2~m zW*m=|M)=`yqw%sO%{MO8MXX_z)~L8IV;9uLZ?SAR$N~yfV4C?f5dkD%p5(amBW2-p zD9*;HQYem1<$E#ezB45D$%PJVUeEP0b?C{%*DAErwIj1GDZ=f(HE`dUnOgaqJ{}-I zaTCz2iCs&i9*X;BlatQLjMSAsQK+;QHQ<$?mZF$6EG1ycVxx(rp9JNz23sYv z#W`Voqm!ZiLzN``otNY18p{A30}X2tLgSSTDe&z;a3cjMLv)o{cN7jpLab{?lT}Cg zL#02M_pKXtQF68IF+FHhX$6^xQv z7$TrPu`yQ$`<+=St34D_#HHj2nl)yR?g%@|qfw$6Ul0Ks`t?Gd^}~BVA?9+vZYw=YmD!dy)GsXCpIPackkl&}RU`Py z@m$9d79DhQyA^>t%Vg6={KDLNT$ zP5|cI6=ZaX*iSG!WuoEmIIu=kd8p&$q*hS_{Z*FWdrt_BMKD1oWwH^)QJmW(t>LDp|(Iv^yt8Cs5rJ zkT$~{oZ?^BnZN60u{=(>I|CQt<7?b+J1|D_;sapbpJ9Pq& zrNL2|CD(>QkrX9i5eW6ESB6J{}KYk`lDX|gAQZAp}~Jcmo#7Z4w5HAM`|V&7E4(K04v^JbHIA5 z1w^D|j1=94M}^>G&4|J!i;1eTm8)rlk*?Jt5`bcmFnI&zPm3~2Dx8?3Au2@?=!sNt ze=9Qo)yyO```PJeZy@4V@kc!?^e^lU^Dis72{rZ~mYS|J6*69`JHL%+b!6v`D5Xu1 zN@2snLNW_}A_*@1V52F{kP=)A+5gj~4y)#Pk^z@Q=^IOAUxqWH&60#8n`9m@z+x0z zd2hp+Bqu?7JE+B(&er3kFwtzl56zb{dUTm9RQ{pR^Z^Y5^8Fw!CZd)y%OA4r`XiQY z)rgsp^k$(4NZdDM*Z+U{&YY>st_o;$p@m?j#X#OmQsF&76=*~eUGK@?u;bF<_3S4?oWqJPqAgdVl=3;h;&3 zQWQc`*5955`dFW0s>S?gdrJw|lbvhADn5N4j6od}%Adsjz<#A@O_d~7z&H(= 
z*8brLvU4IfA+gjS(WkH~+}{!DGK3%ostEshBzUvk+sxPsVF9VL}K*yR!_!Q?3@|`#Y0^V0C^w%4`fxEJ7`p8BZA ziyAYC9)9t3U@B?&dUaTSI1|2=r@QlK;?9M=mbziM+SbNk)U5GEI*VM!4D1MkGp3*} z$qY6_kd1dK!2V=3_x*MF`P%)^l$L2}fh$_a!RBJ=!IvIwT8gkI|8$?rVN6i*K77g5 z)ysx}^h%Ak5b~$smePFvU?kAob}+QSnmHcPfbipH$2mY$mso2*g|?FgxI(ELnIy=R zV2bxyV|k+bp`t~GR#-E(F@N^w$Lbocz?PM-_|$$K6fYZSYp_x&D8fiPc&F40_*v)mZtD3O- zx1fXHe-_~Ygq!@K%n0gZKTnY|Tuqq0LB{T_OI35dMd-G_l<4xxrpw>dRn-!>#H3q1KHxjKk`vGAH(V8U;FBUd*E~0+IJE>lvQL)5C7G*}*jM zp5ARCO2bY{JQwT(bU4^|xA#=rUXPEu_a>4NrxA^El6AZ0RUAGY$gEn%;BHTVKNC5_}ZR# z88c^pQNZ}fOToJ4w$|~qCA#dm^DnDS2h^kFJe=@zG1k#&Qn^qg->})|>F@R2v-W1^ zeF-bBTzRTS?K+63C8gxzL#x zS=aSoRtBG$q#dV=vwKJOz})-5{{6e78V6F$l7Ju!p^ok)NP@ckP*-=e@^T>k%c)&} z+0`t56ofn)eK~d{!$)azOq=f|FR4b23C3Rw1g{atH)AG(h%cjX_cWLfgr5FU4k1P$ zZy^o`UM1hAX|$~2*x11Qr>~M42jS7x4(_=qaxYx(rONOAJ%9lOWMk^|Der7`J)ipt zN2>#V72Xwq-&{-%+yhVJbH2TwKkr*#*9P=t0T>_j_=R{`eD@ZA_YmW>&wrg()GR%m zpB|sy%4JTN+~2Qj5fdbeRxL>$5^Xixi792^wcl*sG>93Y-^n5VvOIYYwL@a~F)7e~ zCa@YFWVg}6!_6v~JY~g<+wOQd5EXZmNxHZYLP_vIbGX^B+e43XJ1HP?t=wZw&&n!D z`W7gtvDuPW(OM-DKWLRw^N`bxp*TQgX1a&lNvh4o#)${la%$;At@scFm>NtW@9*b& z=V;8_K0Q0@=HVyM$jnMje}wICwnd7Gik9`Y)AF+FLAFB*0>#~YW7KVPe(4KFoMd3o zjls@Jm1j6SJk;~Kcn~I;SzZoXD-PPhY3!;6Zr^(!t_HLH>iHV)e$cXEz(?)$yAJp1 z3@-{UD49}VVwk3<_tfs&E^1hUsaeM(Zuc}Qtj?PyrwJAEJ{r1y(Aq=iQMGRm4){z^ z549C13qO8dUK8@_2QIG6t+X=pVBL=(vL#@{GX7QgtJC7lfK%>*cEy(I=Eh|$T8K04)V54GFG$x3bWy`!2qNXNq)=>p2&P)w48)5Qz} zVi1#WGDl7{1^tYiC4=2nIV~;wwA>zFJF}nrCdz<5%8292K*SsK`l=}|HUX@qB8Ihg zrUxCo4p#=eC}E}Y$S&UQr_;f^lr=Ta{@ddc-c z_Ou98U0j@;%=Gk(hxS6C6zcSJ^d!Sn1V^J$5c-RBlat(AaDXyf0=bb3UHRUH8l>hijmRl@cFHPJgC`rV_zFw>_DO0&)vfI_B1Ks4xVzRWAtLzUEu4} z>xzqu^Lf25JVC1XsDuegdjVP9XvC@R>iH!gAXxmoZyPgZ`_gvvn_jk^?M+s<`^$P! 
zUPeJddNuokheD2^w~?{2r7L67B&<)hRmxj6st$1%2ZD0fYq1*6$*2UjBNBp~)Urh< zY)J8hLbMdxkCi<{7}2%nr$wlZ6XW;mI<|&}yGSRtyU6iudnad}bihEft#!A<#p;S& z(5$$rt>v##s{Y2$NcE7{nkYu8WXX`~7YJ|>#~fZCMxvOdg^<5pufGi zkdP?~IlOBt3n%r0<7yZ#`rEhL+xlW+ol9p$(Ng}Z2el1-ssLDtf}A0l5Q4|RH4kHj z+ct;?@NTWc+m7rzL=PSom!132=Hj7Ees@P>+Re>x-d7LA3JgP{3_3>SYzQOIskejeFMJ3q%KrC|iA8I6yaBh6X?9#Z$`aZ6KJucm2G*#?Ox`4Y|oS zti_;yCOY`Q3{qFDEeU_2_1fGa9v*Btc+fN zNc5tn06GuQ&%v6Mhd+bwdH|^RevYn_h0nj4PRQp9^|5)B<5k`?q&!CknoQuwHAtcN zk||_9J|OKtilM$;vNpPDfV}+s^RN&hF44o=dohW@$B}nwz+QH>6*~IfutGM!)2VaR z^p$!;&HKd`g=+uSysL%%@qC#P4fP=iAO~ z-A&!+-S7}K^~b{`N1i4qA5XKabgU>K61dk4!;~%P_xXpw8Fho8%l>nBArgDj?`uEhseOPkp0r{S=(|$v%nY8BA)0T(D>t%yHG?^!7AF&uTeb^IhwbKxwPt-S$bXw6e z$@Lyexjluv?2kNTgeqnew|L6^Y^{r{OG|rsO>SCEU%ko8K)gew-NdgvtY5EFh9vU4 z2wAKxH-@!S000ucOZcP|-Fp%`Gj@k84-=PkI;5KpIgJ;J#f|9qX z9DKYiLGS15?HdVHXs6DzqPH~zvYx7YouPZVwIMdou;8Ey3g%pmC0PkQf5sTraa+?yKm;7a z5)&v;{Mz4RgUDRD(5j)Wb6nPdAjGqnlgIDaMqLzoT;6N<;tKCb9x*kN0eK{*t1q+V z%oII49jP)g`b6C?02Kb5WE;^BS0x@{;LPBB-% zmLXjvqG~49pnqIjVvn)6|F|u$8$}6>nv6m=@MFx{hA#U~m9=x7z0r=3|3Q=@hrt~) zOc`s(6({L@ixtbzaRJ%QX-X{ldif18ass6BGei>EZ?-vmnTyoR)Jy#uRn)`FNp17? 
zxVG#5GQwH%Jy7pjnVnS#$q#f2x~m-a3!BCbG#FWt$0HkXg8YaPx;yb7_G+zR+I}hq zmf82D$eDR;0vj#P0)}%|7uS6578|Yl#cc4~iTrlMeY_scPwxB915H~v?M_ZMni|{N zhxcx5E>3Pd1YW##)p;mw=I7b3eBR5VGWe9kgX7Ayc9MsNv%S5qHaC1zGRT+od%^la zb`+PqRePV`Q`AQ_I;~{w?>t#g?M3$!$9?C{njF788tckfu+nm})2x^0J3(E#IA1w@ zfb!WXCe&&pD*%zjVCtFu*q{izF=U_W;BG;J|KB?^{gEN0r1Ulp*pl^`C}T#W7))cM@>Do*>`S2yCm5xb6%|4KjW%b8 zAoEW|AQVvJC#dAdfpEcLoeV$;6~uwO@zT6@?6Lyw5(`Utt<}7ra+zqner|nU-xkrK zCjf;$Mk_#XP`&p)?B*w1^5)2RkDgaj^@pA_6I~4G?;#QFFOE$iPlv;3DNI}3*8^lopqj6*WR1@{`u2D;_1TC(&^=J)QH^x^0zYyL+3P!%^kdk2f^9y%~AA z9k*pmn~i={>64%|XsTgId}R-3Uv4f|(aEG%72U31N}-$!T}zvJ;s3=}KVSa0 zM7Zv^9gdy-b#CMLH8?vZXwO}_ zj1TReg^ri5MeMaZDn+!iwV~{AQ{J|@48~HHF^nJd;>}1LIY^O0 z7bn}Nzqq-WUx=n}1hDB8+TLigc}t$mvd44WachEFk+?MPzk`3@6OZ!+%uiJ4gLeDj zVLaL89lJiGY9x(juY9iFA|t=2rV{eIo69{Fn+bi$)8Mcks2PEhM*@KYj*v7H#1G_IX;JlmJ9+rZ3Chg)(4nC>69*4d^o)-A zsWN8qqoH=Jd(Zg~&QNIT@2jm{wCJcw$3iWc{G*-evkqf2Wm3p-m&OY6}e+N=qoqa$;-`PhLHLb$H_zA3ULyFZ)HfgUwl zu3i)(eY1bjZ(yn6LPjiz6z(IG05DHeV}eWPx4&p}B8T_J5fSejSm5}01h0?Lr#qhS zn0#L%r-Qu%hbf^0cZwe;2^nm%cED=(gT8gxE-$aw)pa$Yz^s^4RXOrc{3y7wR&%r4 zn0Y+Uu8PV_SJ(5RtFfe*(}L$0=v0N9v!_f#TUu_{K3Sh^ z)|<$+RKrlK8k^s`OLT96-a|8M?d=6s499VO9N?;|`Eg;@4ofwtpe2kZ`5nEE@{Y}@ z2~aNXpu>_PzN~0aA~n{eAuYJb1ldTBAohk{1lf?8NTrey<>wN}Pp|hm7P({p+`jbz z%I15>Qepk*Gt={@8992;+{1)dUOd5kwm_R`<8}k+*l1;34U9gajqcCi@8jFOTbufZ zCv?=g%VOz_%SCeZf>FbN%W5;JneY%-b(G5=9~A2vKd?Djo?l#?-Bcon-!6EanK?MV zT@RU>T78uSpo?!(Iy?tiGIs?qMRt6@UKq&7mAMyBG0KG{v(!l>k-lpiDfv`58X|^w zbm~yQhBBs~4Af_>FuB8%_rf|XhJH6;U3MBhLinKpP`^L^wePK$(=(nX-vxU8b#`{P zwt{jNnmIXyy4)0{#5VH8hIcKprbHv7Q(b6&6hbk1P$it)VKV~cr{=j9pPV_Y%B0zo zkmsAF<2!JVPi(9!pIW)U8%j>ud+;+a28#v|^0_%%ukPQt<6DXb7WeU^4>eV&*JSZ= z`RAbHa4!J48MDTjn1<)Q1rucZa!XF!r+41pGeew&fxIPAAi+0Ic7o3C6yaL;O;pXn z-HXuY-q-CRzMY%f6aQ1189p8!f;ykN(ZQALE`2b?w|elqA11c8pZ5o|B{{yuy%hk! 
z6rq6AgO%Qkx1quQ;l8NP+TnOg=+nh!L!E%in$q1=JF#|`vx%kcOWa5MU+wq(7dazk zIYg&OhRLXyt1H45*MpJP@wdmznwwThNvT)Z8iCvSk{tK*@N8rNI(mOX-Tvlq&g+Vt z(C7AsTLJDtoB*H1Pp`dYo|Qc>!=s@y$Rj=9lgR`hY&W4-6|<$G*0i!q2CcI*e0i<# zm3hy2)@$rwad=o#L>wuD(iVG%?eo^p06F#K-PTQkHxg-EI8Vm=tTql_-@8S3fR2%r z*7*H1gWXJXnVA-Ab_b{Z&EaGQI6Tj49&%=%k0xvR)G7 zy$nLy)^%Q7xNWt29<2Ui2euon&Cf?=aD_$_@$&Pad)yrPT5K&&rc7mfT_m|p=@6_x zEtfReo)L99bQTp=Ra5}`E0*j~KKHAh+^$yq_D&C)4wK#a)As)P#1OSO9MG1O=J?*$ zorH&@MrV#3{I#a-w6Ri@lJeqBT%ro8LzePYsWFALxFiSZkw zJU)sc=68C0cVzua!xkjIUdrUZ?>!N_qL;*S@w*seSgU!+>he7SWvK48KM}g$#|b=F zh~7^{7a)g{-4ZnJN4)Tg0r=*D2uu;MqoSaf>blZ8n<^36MFo9hlkh8^Y5Z^Zy^l$>Coh`kVic|jTK^CuIKA3>)Op20MIgI6wxfq z`u_e!Zs&Dz2VV>l`_;4AMNA7+4_%$E!x`{~|E0qj)#on_3*1J1?mh4k)YI{~D9Q0M zy)%Wg&|X;2rB~9}Y0vWCP9C&Z67)Jer(^2&eS9w(iUzzrUD%e^eBeUm)^s)z$bIdq zcad4P_TIE^LMnQ-zR!vgU;4b)B`+>M+Fx(DZSnZIn7gtxIb8*eoae_+x!PKv^7(nX z8~XmpLqVB-&$9b8biEu3FQ69J`xp`LsB!_8JlgQM9!C*(KOUyZi7|cds%M;?!Z0E8 zzdqYWsZVKVt^RX)8j|cTqzgqMw6L&9qI{Y;9&yU?GBEY#Z)>sFSG1$T^*d;Et3leF zpk1kDQaVDMWSsIjl+){QxLd?$`no^9Nzn3g6KE@OGjN3=o9I0=>RoNp(c;qO@p|81 z`K0Stw$W-5dOR-h{TUR7g_7%2d98GP-=1Y00=?$$294@)ySqN0)^IfS(Epp~xW>kF z|7Q3Ml(%DiIo1=r6Ib`Q*u`cgGfa{-e0ecDsu9@*L=OGCiPz4-sk$^X)6l4;nrH=z zTzh;%jRDwh)ispmsR5{`vIVjxMDFPxbBIgfTaL`A6tlY5XBV=<=zD%{Eq5+lJZ!V4 zr;1D(Fblq12a<$XTCT2Ys;ZuxocNxWQCnK|A7YowmA!8$2!^7{)7BEm?W>|l*4^fT zl0dCN0iOfriB{$pl?MeU#*d2-&5aczvM~%rciy=Ur1|p;oJ()Fl8n530vWTE{cAIu z+YTm2B`Iv>ICJj(S59_t?WQ2`dZMt@FicLNX??gknHqZOgO?AH08ck}1_ng0zPpDZ zdsX-^8!fXe3KJ|UvhwEQGRj;DVGY^wyKE(=40W{IQE3{SNB55Tc~<9CcaL@FOOwl# z9t-Btpt4{51?8C(ULP(Tx;a{`jwc5rjzS_WH<7g_O1G|IFBzpHU_qglW%yZ{i2*%Q$^m5y~eUf*K&2<-X0CTteW_-&tV!rFb(`qZrlhVC} zxRud^#Okn3C1t4|^5T3aB0UnEYp;L%@9XdK5mp5J?|9StQsh2#{Q}w)b#c-5 zWT|7vU*eDFTAtOM{&7-tGMZT~O%$_p`zDGk>ntKuq?}n(+*S7DoO}x|SE|JR8;K4+ zie`?}EK(NNy$V^Jf(aUKlG_`9uf9%{lo}}$rd&DgU!Ods2E_@g6y;1V75r`G(SrkX zNpz^@X<~#w8~NE$lDn-cYN4kO4*|KAW^=7YrJCrmCMjruyH6$Q@%?|=9c6-v6J>H1 z)p?v?V$Ap_IH=U=)d%%FfY6mNb+i*g)FcruS9j(KG{=apmVY?cFB9~z+e(4p{QzeR 
z79zz{yuU~fQB}UZBSWS~DTcVJ)fS+{ti5r@2`UaZx#p!2Ci%Z1ni-wGDXGyD^3%ph zToZPEQOK5L6!cp{!W<1zOC`{CUsxtUmo~wd?Ygb#17E0ulG|eVNOvEr2BTrq} zSz9Kfsz;~UxkZUD>IU!zWn&<&zdG=W*c{Xs#-(l8oq6H zm6g3y#N8q%q5#gV+~KsvZW_d)Mt6s&S_<(IER$V!XGIIgGV;md7!_qrHU4}CMrVxRe)K14{<_PUx-q3(&>dn$Xt*r3Q zK*)}!tSIxhGIsKf6#d(6$sBwm`pIBiLQ|Z_95(f%{#G%_0*P3qB`; z17?waV(YM$gfRp9*XHzlrtUJUaUm?xuX`Z^tK$Spuq|#Pq4z)0@%hf3|3Yy4EjWwK zAiWlmcUV9Y&xmKQqm13ugDVn2f)(Hw^AOpvv&WJt&IZl=WL7DSCdY?=l!z4{zfoVL zAnaZ!yURs(_9seZuE2{y{o}7jVDzou#KM#}pu;63i^4VdCkz%u zj4dK0T&qRoIw{j}pqH<~Yf_5e%u4GGqMmo$(FQX{uRSa|SW9>GC*!OEEFR=iC@CTg za&UqNPP8+!kag&HWcdJA9c*L<{EXMFuWP@I@B@t5W~XWNukB`Ey8Sqk$Nonsr9W=N z@dl)*1tC+TFr|MCRMho(3mh4BzKJl|nRgWT)%nL^LF=am_YQ$27^6U42RPR189$B8 z^?i3u*T)N$_R58X?ClL11p+%&laU2GlJ-6&6yk-dCe?`h&f+&p!C?>*4ILluTKw8B^`*B5tUn0hXJ$0l zLHP_XuAW2boPLc2&ZfP6TrRRsP&k3$Ew-g7%7#{|vWO^~O7CE}v29t!^IvC$Iq1w! z8BfVzcEJLiszH%&|y(2J)Vxeh7NCver?l>&4 zY!3V6)G+UYyaeb3cp`KDW%SV&`%-)(^xw;GnKuS!zu64;Y6Os?6TAJLbGKu~`dKm4 zrn>nbGcF8@;LKZH5O4&sjmJ7LGF8|i;!oBNA3UGKZ79GXurf>E)gd3QQX|<;)t>_i zuGo>SCJ-%i^f#FaM5@6Fn@A(5XjO<=BY<9nP~#|axMrhbhp}?2E%y__EDr_+6_9FwH)zv{Xwa;aK3SN`52#|M$@ro9 z+Ylxg=EL+mLrLEv<8}Z&(SZdtoobsK5==qnZAI3KtN}GNRJd~QYUVqps^qb$!5>GA zj42ImmE}M{TYwyJl2nF}unro`8Z4h9zIOPZEH@pvN_}n!{mF>-a$#d;0VQ|_dqQlk zK?zOlXswLFd_4zGt{2L!^N_rWJ#0nGO%Rn>Wb>YhE2XhxJlr6HykDyf>rYDd@_$G5N544{*N1^_$a^9nYvl#sy)=}C9 zUrX=%KSQ2ay(&0=*Xtn9XF5FR3E2aH67EFkhp-i4lKu2?KmjJ5IS401BW)?GmC|jc8us$TU-{beZw})p2!*1 zcu!zoL~^=dGz0h)W$-g60E2xe*O1DF{s4*<(M3VL?nfeX#m=*wa;mF&6M$q+1(jY- zi|(&x>2kGrGT0>hU?rdebL1Zy7W*Z`3Y}&JiFhsw8Vy=ObR zvK71v^bN0hEs0??(Z5o>K|I2E3Ikf<+R_#uEgZ)k6J%TG3XIU=Mk9qt`pORt%nB?N z%R}KmLAjlFV1y4!<*`<@p?}c~U_e>MC|1oU-UajYhyB&siH7o80h|S#ffdX7DHW1t4_Bcg(P+!2jrD^^PG7($=^2(qUj@YU~;G zQdMLk*`>N-tmFoORLI$~P?Hepk>mLxktF1(;3g65yh+K{WX2gPxnkYA29C$2hXh6A z`#67L1Izb@(n$==D5>+ulk%C4yu-YS(aiKz2SgIP%Kd{EnctwSeae z##;swf%-Nk8EcN!{YBQX}+-WYtt5=`jJdv*v8J^E#d;c2<6+Vs|UIleS$=X&O)i|~y45{E(bb)!VGA9*P 
zBKkO^ii@EQfOtYaC=YlbB%`Y+@Rxl@`;yfJN!zl@t5sUTj))giC4a=x2|m-Z&*k-X)%a8Ed-mR%OtTyWu0sSFwk_5Pl8q^P+_Q> zB3slCh$^i(+lgcfIz5c}FTrGHS%&gyrx2W&;>;B@(xlKm+wJLnj&Y`Q&ONUmVIW|@ukth`z%QTD0h@A~+aM|MQLsUJ(0l|TRXx^uI1mgV1J!hlJ0 zQ%*n-O!U+c3QC5sVie7}8d4&3Y5(jHr5da8fXY=-=~T$=jj+Lr_BS$T)hcia`$M^( zE4p}^nsgnh7JTR*|533{7IXvl%f>aJp=wU)&qVJS4CF}d-IyFey?|RHAl`K{A1%*t zBA(;<2v4V_rEE9nB{vbESb_5!M-gGB%>)lYIJ|5sF+kPjq&!xG%!5w7)EnOuBsWGq zrJyMMQzXDkisKqD@|PF!)9~N+`vyV<6<}^jlO}nZr35}$m-!>>RWWWHhxfz8i*FbM=%NF>Crc?X zT1gi%IC5{HvhN7!c3CXZvG#xo z`YF70!zXtb65Qit944k$vCnzHhL|y?EBVnB0h^vqP!wB9qa`8oW3X5i2jAniU3kzC z(_y~Rrmt>Th{7;1n6@L6a$t|FiE-661?drOmMk$)1m9bQFH4}c+F*;>`P0sj< z8U1m6q6b+!QAF}5Il-e?D`hx*x~sV^t~r|V1*FUzr4ri(xlhioQO6;|UX&9}lFhoY z09F%r)u228hBzIpT1TTMQa^a!g0=N|60H_VAlQd&m#f!aDy}XyknV zR@HnQ&PX~{2#QKe8hIFVI6eU)F2SDWQo)rF=#K})Jnd#mVT>ddDq$+H7YdOWlqAPR z$6^~=IFOs24&hrSM3G93$u0&>vJ=RN&dmlt#SZ$wKwe2J{JSE=FtZUvoJ9aV@oZV# z(6nQ!*!H$b2(f?IfQ&3Z&`U>TArz1?9S|_ac|gwi%rq!7JO_ltHY6!ZJ?! z`3CkL5~Cn=>QF{*63lqM{31vXmMh*{tkU!)i2sbdxZ7x-0PT)VE7Wr z7%6;m0Q`|&fA$ETi9ib3c!C0|b1``Ngzr8db_fEfsm0vT)?r|#8sP{KXLik*5fD=o zbLCV2vF()z|5&g};nr^O_JH!IdL{6(b{mjsoG7vb=Kd#*C!yo*sv(_9Xg zm+#Nk@UNV$As?*whm!1rCY1uX77AJ|331}jlu)Ep7k{q=YP>X@wmcdH?tkZwaX-T0 zzaQ1Ndb6fsLE%i0+=>&5SBO>fs-V$ex!SIf9V{EFnv4yxP%Dj><&_gC<-^9C0MhXy zBq<0WZp?9>*A?LSWU`h0RmdR3sV6C7(L%u{i@4dcOw`gfwP=;7G-!qG|9_4Hi1oUS zK~v<(fLk;npD_8H#g}AsomG z<+Oh_Eegi~q`|9<0c#UznZcp|5mCsb`$nk6<}oON^XC2x#`>4c7FtY*cfD(C!Enp! 
z6v0th1V1n~;4P<~_fy}cvDg4(jfgM64pQc4;{il0?Xo_2kqVeDCPVWAM3en@x^hZ< zOnN3XU56!R83P$i9ZpPmH`|DEI?+b1h66$@CJBliM}MLb4`i(!*nI> zNKSQ%j@|E&whe6DtQDFHvXPd(LMvFg@g%oIF~es!($9bGD^h7F(0O&a^uv^aW$f~+ z!kg9F@V^>8Z}6ZNVO3$d*;hRhZ=1&GL{N$mhj#d&YxkxPmp)npmh?#(&9h&iJi(Po~K7ujlFcOfu2gu&pH>FlE!4l z-`Mt=y5DwAsy?6l%+YnA?Nt21!&|7n?|8(l9X!2B-08BFCtC{Rf+}Lw>B1eRinHIc zR#?C2gfkoBDQrv@Ug<3)+ z|F2O0l|Kn&JF*b23=_@Hy=}q{477%J5X4LLRu@?TyVgrkkvloX;b6us+N@BSj46MD zG(>Rb_&Z0NFmQm^;WYaD0=e`1d`3E}Va!P`i~W1iboI^%vHbv`JN+1{0M7sz!tZzq zZjM+aTBSLVl`7P~L8k;JV+O3iry^|MUNB-wBQbwcpMMrmT_m{Hk%AHXd&$#vf zb5Zg~PHio^A67f}KqcBklJo}MF)BaHe>DxNwec$6i<)hHb~#}k|RbJCd#s(X7-ay{Rd`ocS1+GeyO_!AHAi=+1ji&Q%uWs?Qkyif4T?y zzR%qL%TZJ$6usPF{qeg!11Nklts13b%aTTdzteXhb$IB|eHK^>gubzGRL02ml5Z5t z(g|26G)V+ax5upLC)EP!DdooF8-Hm(xf&Qy|4+Ney|oE{$YQrW0tO%k17sLcHG<)K zx1EK*UDpjlEdIbqR;!v?rL=<$mEklc3h~Ernp+$%yhJOkd$=UWGs4;T-vp>FE4LSU zxe!EX^rHRW0Ra`kB#^yelJOL&e;AOwA|Qy7_-+EJpsXok=UkA*jb-|Bfr%RMrCv*7 zKQdfssE5`nyh4G6jj8H@!%c!_udcWM8d}hT5*cu$q6%~o`v%>?f=FTfTaolN`Y z6o_FKmj9dOP@L!1@fSmJdGc>;I#^SQq13=9{$t1Vf5|O%+95;{jq^I>`y|`FBjKtl|Md=4fP)a15mU0lBbW$4o1taK^&m1BD^rH&g>f6cqJAaBOvt z+@sNDBY1mp^)zSIFhAPLO$Sc{HVH-K%X&QmiZ5$6k*;Ey^;+;tpnWO8zBc!A0K zo|s0LoTd%Yi&Yf={SSAyuiGPuJA!^sBNA>V2Y*cvr6~{-FSn?tXw!+uq>U~8UPww3 zjBUN+CMfZ{hJa^>u(OR(hHRzp(Sn;M!Zcd!Yb+hX-=?-ukGqJ6vvr`aXGJWCEp75G zd!w@zc$Kg2JUO=pwwf=6yjpKv9i2xrYW^!pAg@-7!l5Go?^-`WOytiuC1`|`UX})F zboQSPOXUWHg6`yb2#fWWefVXj4KI~bZ=FQAHeAq`g8EP|H&o?>c#G^wTz`$x@KOYb zRxXB6c`I+dj3EEJPc1dfE!w(2F#$bxwsUgn{2^KU>Q*%G_UJDI_gHjVK5A@pQUue@4{)K>STIueAQ4VEDsckdUya3~X<*wJJqM z??0Y~C5jn{p94OMhin_nriNd&&)|FvVMoe4aEPEB;@q*OC_>o@-k_#x&_R;#; z733bX_*s~-_K@<12A|H?J1vG?iBaDw0z6DH=iy~%G)1P7pK=Jo&D*oxyLf2eB#GEF zd3_X6-Q10rl7Q4ZaBv}13wG|Ot=O87>yvcYQ(0H)Jk5PCNV;1cMGc(WN60o-(`qrp zu$H5~y%7GKxzO$_hqJ}d{8O2hg@-lKjBlr0ZtPwr+{xO}%83m}j5;08JSmg5$Cn#V z$7~l-g5TY~J!R7de@L$Fz-7>}aZ(P03m??VL?h8+N_SDh;Hn^B@|8(6I)snxhQgv= zdY#V}P)}1dtQN#vZnamai>exj{`c%O)GxwVLK8tHix#84NJ6$fxb^k%1z&UCEA%J3 
zjS&F^A*E2rWsyi8SMa&M4Bhg45m#2;xSe=Nz_yFyrY>icqre>rfh4b+6J?yCq9pf+ZaycKevD7RfSDB~HKQI5LFM5R# z`3W*LxLVj+GNNJX_%@G#@~(qCK&RgE^n=PE14`PbmHHN+Yo(d8`p6kBF@DU@uC5-O zJTx8K?EH$D83;e&@i;i$<#pY8_wh09bE;e~+^3*3IY6!qyu+2a^~}{FPmuk)ftRd( zX-+>1Ur%vd_Yz*VLYWlmh%0KPkoD1<^OfSp6umUx2+(bHJ{hWN(uslA5j8$t6lFhn z6#Es!#AG^mB2E82{Gd;lw3Ayf=ldxyXFIaXqhz;Y*4tyu=cDQ7+RVD3!$*1Y-}@YX zZx6wxw|O%ypO>Q1aj_-FoXht2&v2_oz+@xx&g^W4Q9p>Kh#XgB5+g(tX2{=^IeEBy zQ#j!C;%sg0$XRhK7y}!qNlBQ4lOt^!m0Kw;HU0VWw52h^VZAbcn!qt7jih`2R^#^~ zAcH|E;PZJqqCK_MP}V=mcV$VBrRvyvyqh0CeH_Be(J*qu7(*|PWh(r2 z-e<^P5zgPu%~x=oK7Mv^TedPj)d$)O6R$ z$?qA~@A@8*X+1q#(4(5^w{nBeo2xtO$Pv#o77pIlvv>a_;>YP}JWY|xtCwg!ZjvX95c?4|Poq2~mg4h;=o7xSJrujhkHic@s`KDLkdwZD?aU0fQY z41`LCQMz7==bP@nK4N^=QsjsQJn}7o$)IC@#!Nvrc5YVZhq2Ag#T4C-(Q#PCn7@E5 zAV`3roi3uA7UcEkW07eQV$S`-3ybr9Gjib)%T8_0`RF@0YoUOMw`W3*|C) zWNAL6>B;){Z)p@Jgzl%WkByJci#@Iyos+8!Tw+0o_vNCxL59xuEsuk@5=G)1-BcjP z!*M9c?AB?2(-%$vHN}ApVvGn86BFWh@UsiBBu>$P?q4`r6!>mkUcUPG92jlA+;tO- zKYt2+oqs*;2XrrDprrr*I_m5jRbQXJ}5x8qLV^<-TGb&Sp0 z-1BM%h&1SSF;I4g{r0+c+BrHhpX2-X*1vaGz-60#M*Li~_38x*gzguEjCy$BbGu9) zF;V-Ug+~wMcgm17_Van?yYNgLH{KwK4nOo7kK|3Xa5ov*4myldCUAS^rG z{y4mI!`J5I!%gpF`+2rGCVT5`*=enPRnYyeXy+!bZSj%Nix}0@3Z?5t&Dn9kZ&WPd zt`0O{0=(`IV}pq8s05{UXEWk%)&`$5_%%3|)g{f%HgYv&hCSzhsHX!-9sczlU`=Q7 zthiac_k2Q#F-rEjp(*F5Dg%5e0@l_Y3Ai2}-jMtJ> zNOhEUyZ7DLlb(;&TDDo!)$(+tF5r5Mk>@-GCN$*E@OV_}adF(8!o-aR=l+==jT#!V zS80R}G<%FwxY=yfS`8O>fA-4lA&v$F1dQxXEM8<(YqxXq^0s@O6?^7dJhb4e5K|xU5%w?}Nn3TFbh~i6wz)mpWd>#niyM zl?$DnUVL@CDMk*^mPy^)_wKciv6$|5cA+`Hhh6#PtBtRL^XKQJu7sm}uB zjz-t=j><8?l<6a^JNJ#$|6N)9=V!&w4uaG5l%jPH$mmIvp0nHi3&z~Yw@Mec0L=4< zOzzJU5ML`YO?KWksK*fS;YCvB%cV^rXFLgYea#KB)qL%@tHZ!1q-Tzex4WMEczy}i z6b~feMx~r(tUg|?Y;@*Xm>S;q1qWnqpKUbwd@TYjja?m$ujf~~ays0+jh(4Dy9@Un zS2E{jHd}oZuXf)9<>HBWu1AKd6>7#8X4anvYrGvyov-=)9=`|#e5taUs|GsRzi!q- zYVm1P6xZ=^7Yoxny&i2WP?@Fxs3=i1fqqNmF(81GSm5(K=6bW=S8~)2$nr7DSJS~S zz?Q>CqBY~8aO-gw=wuLvs+nh@cXhA$Rg_I$UZ!< zw*q!`;zRBz*{nSZ@VVZUrDjhX-^#YMRy@T~3%E2QGwghL@j+H=dt2NF6;SK>J}uv$ 
zdy`>}A2{(SAUHc;`JLBEc7M|Xr8hcO)cF`)U1ncsaYcq8@If=xJ2`*-KdUNecrF=h z3(}c?d1tD9ARR^|=b5&h~!Q=w`~r&mW46hZSYu!9W6WarXFuS5}7l^=S8*rS~?p zwCQn{H9AVe@@o$&cz`Dmios;=1Qh5rMnkKFmBl6qrv%-|`@T}Yg*LWX1zu9H;Ivx%^RD3-sex51n z`ScT4j_=>Q({u2#rTmpVv$VPkoM_#s<{0j_=TwNk$GU;Nd!h6^s2mEggJaayRZ?o}86^2wg1EiTZ%HWGepkd_dw%cgLcH&ddY=y*IgoY;_vj7H)9_GRKd zN$6SVt0w0G;Cm>y^yydvCFi}DSm>#7%kvY2Lk=6#`zZ1ITCHFjb|I(s zWS?blC|BRje!1Vv)4$$&zxz5_U+KzKM1l56sX_U?6naVd8YljoUGn`z+{hyR7q9Nj z=vw_X@q&mQ?CiLG4XgJtrY`se0=K#O-QEV6=`AZIJhy{>CPKWdw-bnZA4N<)J4=3- zWkPSLUu`v4NLTRJ@q9J=Ux!Se=b--hB_(viqMV~{GhKMH_Y&KCw5|2$__=P4ERPJ- zr^_9EPH%mwQ!8dp#2w{Jhopy1etv#Ec6ZNm-JW1~FK*7$I8^JbxqYpsFLT6To7;88uV{o@?r~QhK<1Miha`&mE6Y&BZ3ygAPw2q#_2&wuQa2a z`sR+!wB+;HYIgdO_VtFQwbkf!)wdkwcc=Ju^N{!5uC`YX*j7|w9y|uIwcv~T9_+NY!!2< zip;ATclK|Mc}+@f?c{u7j}}&>o2tqNi;A$Z%sMz8JQhZdFwA8Z8r#}4Ppfb$`3Gmh3WNQ(}=`0)J(wVH9Do!G(rjW6j4U8eEQq z2@jtxZ${u^J;oUgsl;H|d^TWr5mkvwk zxP*;O{V45cA_ks985WIDZ@OiK8FC!#%@hd^IrIxKL2c=OrH=OC z#gg~|4(o8B|3`d>GTvb`Kt7%$AogNnyS^adUbVI{i^Coc$kj=5uQG(#8WSITc+`VLi(dxl5q8A8$d`Nl1$I+Oqwfa(9@?s`eQo~rT3H@NxrWpVG4U)DQ;DzLJdFig$0cD(TD31 ztCX@SYBJ`JP{rN*+!DoN|GM&$11M_OaPqK+*p8T-Jyt7;j^GaSSd0E(krWGv4m0oZ zCTj!}+F?u7Veg;6-@{ur$M2HLUG7EI~J!Z8!-1&H^w??WX;&hMXvSWLp_!S{Bh;&fEwYuWV5 zx)KOo!XfDO3-;XKtJ?@$W?K%JaCU5HKu9xLM(=7deHo;hurn7$JO4N=b!P%L>V2(dwZqb#`Xo;&}_> zL?$(JICTPH`Cp%}XQ0(dBeRx7bKkMysR^S1&; z1Y9cu;x`X4B3lO{H5@Y7ubthdq!1smy)4Gko$$a~`fw%Jcugu3`=b`qfINs%lbLn;*^lRsjP23BqYp4!Q-50z#a_$?|JpZ#LTpyEON}mL$i}ysp|aBY@P)eisRc=qMeB(B!`n| zX5%FF9MKzPqptvnEQ_D$@8!@)Hm>Gw+C_8I=Y+Or1L~4KS?h(dpXjBi4H6P1{(IIL z$Yw$oq*#^15H2G_ixEwsj1BAAC(N2m)}?)+XenAMF+0iaxS@40?JcG_dHg<6uM2ve zI1O;ui}IYT(S_Ig`}I#!O_Wq$hBj$DOOMHB%>0ldfyevX2U!^seL`kSmZsCchJj|A z4Taj@)p~wZSL#dEX5Hg#;is4Hu^hgDz#{KKC`qYA^W@zIsa!7Q5CKIBHyStkfBh`k zGlGmrf}-z#YWhp++2gk(gWTH(GaR7MHuh#dM*W=}*>`$Yt4}}8V`Ob5-hS%8@|!cWB`xOWJnUP}xt;?rnH}u+P z+UwNv-o`0789Qu;b?BY*JOG$-ow~6Sa;$@C8kVuIf87xxM|E$s2Bw2|-o}gXd=#ZA zPMR`X&|tBFUwJe*K2bE`DQ0gd#AV1(GNzcskc^`T(bH)~D7JZwgHnI?QQEhENcgH$ 
z&`SAmCT0tLP?l9@c70o7(anx)_3vu&(Ow(hlXkKllCPzRhVWWcoF$)O<`T*L;fQ!K zT$fWVY}euk<@?z_wI?C8=?(ee{O>o?%k%l%JyhKvs?|UWGTFa^>7% zXy$~yeleX?F6l$^uKwpg5n_UfnEtp2GH;V-0r0=erXHnT8FwX9wsuV1U>U@a!hYBd zlkE+~HZP4V-NI>|=QB)Iscev%x}7vAD7JlPyz3phkAQhvxWmOR?mvu)OPSN|`h%x} z|J(hyA$_wTeo1OHCa@?ULqbXGB#FpLCM4(We_jSDzxK=4wAJCU2|0`kLQj;eEXlif z5e2mgB|k_Fq=`iuKhKwoh9Q_lM+Q7>4;GUrncrj(B{%%`P3Xk-1rf4Z*KdXoFU7pb zGsG&E%!ErIaZm1i`O91cukN9@;2SJ{a(_C^Wd2hW#QfjcpqGcYN{Ruk(I57z5ttZP zUKfcIX=&;^Jd`(weshloRp=7}b(JsB0l-&nk*Fl1Kz zxNmNIHF$kryPKduFlg0tz)@ETCZuc>X|Y%=?hk5&UuT)~K-V6*N=PMkPR#F0KZEi` ziDO`3eN~XMN8O~9Sh+YE5UL1q^#>*4>>^g7=J=tx;v<*>jWffKA$lll6@h`pSH2I; zEmOKsZh^Zh3BlO)7iG~r5G>IRE$dp0FxqNsUnprR&w?H;MRiNs{C-Ks`yIU$11xTh zSU-A%g0(OdD$H5Yne->=H3UMK)-M*gYKVwq{7iT;XcTfr%>{Aq-t(!D%Udcj(Ia++%^VM#d^C$Fq6Z5im8EQl_W(c-j?R3&3@ z#SAba)O}F7c=WTkBkS5~sH;0)Lws(D#X|^>4z9PMEtz2YHjmD}BGz|!?|%O zK+5Be2sra8)No=02-{Voe+J6VeEuE=G3`uuAbgv%9k@!pL&*vPye zNmw8*8#-sUReWU;Y-I4*HpR}#&GF+V0$2~CNSo=wr`-9PopP|MMh#P%USS$cT@!VI zfZ?ev3?^-rZn=wmd*F#sR~}JbGfzz$bd{r0H5yGh%qdCgfnESpkdAqpp z{~mV3#@LexQCztU_;vE622@HrZ)dDzHSRighXqq8guhm@8U`GdE)=_@7sqU@sF?J) zj~~WNGXFx58oLnixLI6_%YsQog$p}U3Dgg`^<~3H*EyZVOyYXM)#)}xtIsPwP!uVI zJyA!1=Ep7;!_7` zK=>1XF&Tr^P_#o9vprxGu(xm9Ia;q>+i24Jd@1NGNaBPkaccT=x*#`=ZUzqeU4p*P z?MS<-$lK}_9!ffTSC#$Y&~RKOixD2UTVc?U?`d}}?W4EktkhUSiIy5EGtr1Ps{H=D zU-1ACr}~DOq8JKZUcB~_`GsrGme$f^q%538y||(i*hhnDtVia>j&$>*yBixEK0i$w zBY8%ot3*1U82S>>7phHCudN5EMx6wxZppK$hyU<%?xc7+Hy3_Egk|V@NlUBo&rJeB z)ED#i$i>4FQr97*Z`v*|NFa>))YCZ+NDjg>8G&^#F2C;XrhNzkzf0ZYb(asZh!=9#4(03m$|yo2IL^9*f&{rn(>*vNl!g5QUkA7WrsTAYesgk4t?s3W$~gd)pq zA)!_vf=n%4`Rn)J&vBA{%x>l{GSB@!2J=l?`0wszl4=y7Eg0e*%+AKMJ~wxBm$FqF z_Jz#EDe!`5XQR{JKu=ypy12Zd*r<3G*NWq{pq|Xw_U*y>_rqmDo?>i^0!K!_BoC+{ zFReHPh(72x)qX!kveo#y{@CfTrmwD_X*18QZ8SB}3{ucC*y&ocOU01lBhJkxpo&0{ zlzQ=dd47(1mbEDf-vp~6%@sM;Iopl!v+bE9Y;$wt(t>mJ>8VP@8yoFi^qo7z@{5+L zP<$O{9nUTtNbn2sNk6KeO|?l_cdlKaMj1ESgbfZ}I%SsNx91{7Y#6L7>E)Dl2`MPl z7A#z5Y>3P?AeP80RD4fFe% 
zdXvxJ?;wGXE1!?Qb}h^tPulUTO8EzD^`mxnI?qo7fuHRCT^;P)!Jz7p&+5mQ$N2d8 zggGwK{2=F9zJTrJhH2tj8c{|I2N$S1LV{N1)qLO9oJ4OpJLe_$L|<$@e%j+JVEt56 zc0BSC(dpUw=>-{Sryr$jKWb?In2Q$~9>T-@<2_2k>hJtHhxAb$!w9j}ACR2Cc#xyS z&AS~n`$whEpl*nw^tm`cse~kG*p`Hk1H|#-;DkGr2D}PC8FaLDx_f$}2;Xns_Ih2h zFhCsHjAvIDDGQcPPAtb_7$isbU4h*e0>6hkKXsOtlu(P-4%HkJky@ZUbz3Wgt&3WF zy&y9VJXFk`yM&B)BOv<%KWdYowq2z?zB(F3(lI{pW~^UogFme6?B}d{HI_~_31FyK zA>DT}>CKt^qQ$qG^=Sosmn(BH@AE88B^CNQFbpB|5klCk1l07u{Y*?#~+k%Gj z;B}9J62CSiRJu}Qi7m=Lk9Efn{{sJPstJowpi)^@9-K}GvorP?QorGP$~nl#UjC$` zMJUIu$-_lK<4!j+_ih6|&tScHHhT)MUY(xKwi*eF{#OE7^S__g z7xQboqluwuz3|$mNO%Ea>?6D<kX$|! z{WAw0xp)Vtpv=H~Wd%(%-}94^0(JSS3on&IS{MdQ4mNNq`ZsPJ3z`sR62 zNP79_u6{+*HKD!C!QAp!7}|Eg-k3Un7a}*0&+7OZ$r4JtLE-Ak+O}-d=@(UEj^m|x z!v<~pmh@9dBC1Ote;dWCF{xnww?&FH8Jetb+=L0^km@P~t!vcPh!N0_cBEDHKD`eY zb5v+!OZpjWU`TmB>d~Ekw@=QdV+Wr1?vK~IYJm+D=r^wiCIc!HZ39InQ)=yxwE_Y! z(8XYHB+6Tx-2MyMuB@-qDfDp+G+aS^I2uedN=D z+}ipt)5)}ciitIi-97f3Mm^oGuBK4FUw08#E9hkX1eXM&JrkV&+`Lbs;``B-Fr&oP z){cX{Z*bRRH8eeU`A&zg)b&cttv|8^l~fq+Ivbi_w!*BS;QedQ@4e?|6?>W8fq>q2 zJ6I~4WH)3Pd@0;kX-(AYz@O*i3md4yTFu>tqihP@N~K!%ceFC4Sx70lf}MiCa6*B9 z#B_QC?8@3oOijVRzo4 zBGk2Z`qX_)JLjwVAwY%M?_%V~=NBZ15$Sq%4YemKw@pb}_?{U#y#fXeEB9C1y#ZCd z7t0q6c?-OpBFGz=`9kgDLD#=e9y+ueMTL0Sw^o)a7iu^;>Rk*|U;u)nkutfJU6mgN zz?wiV1_sF~9<)`<5z09IE}s*JompKrbi$L1J3phyy8Pva!s!OoLaNv}MFbx2x8F~; zz27cwz3%R6uq8YrPoM7zlhT;RJGT2hJYG_S?Me^tAfuwQ-ZWkrTP-uJ{??KEl}ZtY zXK#c3t2h2%lf|0pvU}PE(>w=2$6w9667*cxcW(QFK!mtz+9#2<9^zRyaen=RBezkF)&yGZ8Kzw4h&T)eCH1|vZrMFD?asyeBaba z`!Nt~Slrac)oz26P8@Xk)Y#{~N{(jOzw*6QvjNJ!*;?pjb8eH;%}QEE$K=yDq@K0s z7cDD;PAMx66TY#?g2dg5!I+bqFjh!HQKZI!Uz&avrGEY;ax_W4hCfJWj(;U1J1YTy8b-MZ zFn(=g%q%-5iF(}?sn@pmLTBdZ)0udWl&P<5cJ=!lZC9H3UoTa9onW8$R}?k{U*<(P zl^`_uZ!}~LJl`LEgyblpe6cnXEbVmIX!h86n1ZN6oA%@Aq6IQQB*NZAeeP!H&5H5M z>58#$&*ta*d#(-2Ia^j)2983Xw_(2qrXC7YIcCQ9(0e*)47|u=9dIdQqq8Wo5^Lmuj5Od| zqT^_xNSU^V|LhsEi~~hUw;x+=(J#fu{)Ysej}z8HM#4rcAujOzLD9l*zZDz%ewi1m z%x%o!#&6jPD*B_(l?i;Q0#%2Lm6f)7O`P}~4rdvAKaAr&I$t>2wl&wJI{I~7ZMxpY 
z1irOA@zzpIzS$o}dEO{DehfJ<79gM%s1!;vR0 z1Cqo+DVHeDEie|-Qd84+j~=>W!BvF8W?v!0@L_WBy|UL;_}1GAfuD@Jc=&$QNK_ut zS%YDZ%kE7=F=CXXZz?8?Om&mBzOrwDVeu5>7AcCak%lBor=N?f@63ZTfFiVF9a@x= zokwUk=+pCMH&Rx^R?iPan0%2+3Ju4p#YE4}HUHwxEm^8}WP;plhCA1*g_Y6a8#pvy z)$B;2-#Hfhpb8^;st^h@Ma3qU<)@5$s}LMut|VG#*0w5d|!C~$q?pUyyF&=RDaPi)}xW>Y+2hnFRl*^Q6ju$nO!%3>j zIy#-N8#XUkauIUI({x9weLlLACEsqwKUAhFFlhKp!C(h96SyePm3wDNY0CmK-$WXh2biyFlHjgArbi{i-o?;?cotKgXyg z&s`QsO0wr>42Ui|G0jav{z7txCRO`DJId_Rl>Vtj2vVCkk3R zs-H%$EcLk9z!Wt_5eTCNLVmk@?Ri@Pk|Ltd5_B+83KC9T@|Q&(Qfy+c+qu;Tlo5fj*i8opI?Y$_xfr0Y9+Mtd$4p6^B!#U z3eITarES%x`|(OLw7Vp*M@70Ur#Ip6J}~;fb`GK$h9MQPcq~&1l?m6|xDA8c*%@VW zm_nrc`#T9CF@}s`D;ke`kJdD&LZlbxt)7K>{@B8x&|q@O%p6DCGlvLMB%03#(Z?kD z;~j@pa^_c=fW|M|JG=q{R;*hfl`+J28FgdrE|1%a7UtfM-iHTA9|ah&hS0}m_ew<( zCFmCp9OxPGFB)o{FBqyeQ_6KX{qYZi2cdH;xE;4N4fVRqT{os116~Bzq@U8&GjgoX zs~Zt9IBq*$31J=W8+92davb1A#q@Z4w<47_+c4&Nrnqh|3WTuv}r z*^i=~!FcOb%-_PG!cW_f-lUf;*22s&H~ zdqHzxWMm}ynA`35iJ$B2a5x%v*lF~yk(5-R7D*68Na>kAV7P*LNJ(`ogK-Wx<0>I( z@$F|1Luj#D=TSxf{9)n6Qdi*e%POEPZ1%jTv1x~$Ni4_aL z*iXPf97C2{oNZ4Kq`(q6W^Mau zUiUr@iGAmFEx+q}d08CR4QtejM~A3`8K8uleWkuS>KAe6F~+{ol z{VYqDG;qfq*_@7dz@D=E(#Z-ZscwwEE-0v4_^F|Nf0PO5E64N4z2~Ft*p(gwO#^%ztwGY8j^x4 zl4=fd1Nm#YX}Q?X1&trB-To^L!g*fjcRgEb2zxY{C6WW^M@Zs)FxSjvg6p{$NLZTBSxwrG$?(p}it_uMj) zep|{zb6_Sp@7q{ZBMBK4M<@^uAp6);H)n8^TUqo-%r$AvBvST*Qe6B zk{cJt+P6Q9XB1y`g0@n^Q8IDLYB(O9axNB3Y{|NAa}0q=!}M=&ZFD+r7{=stT1BC& zreheY!1p~|Y#FGli_dE!^n{e@fey2CD zcUq^W=r;WOOXtspk8)Exr zqI92&m;e>jN=wu96MU}*w(@v&yoKL!byx(wKH9aW%FH+%O0^9 zUlI}uKMx_{4D%bZxjr~7)tUsxsG}E(LFHO==O_XI^szHD(*i!b>)p3Hmz!Oech9IK zL7C_!@3)Mk^$wM3XewE@2Lfwr4j`8Na3B44881GL=yfUooRIc=>DL_9#i{rZo0VQ)$_Xi8hB+o zk>}&>0s|)#%bB-Q-16Vs7iR{KSCfn^4FR+6Z|7^v%aP-VSs<(JPMfs3GGDcg*WH(o z=WE77KW^?+;XVeKXGx212dUl8#kA@)ZjMhd2JIcIm+H^WtJP}PbULkxHw~G3HF9Fs zY`$iPhO=QrC!!|4?e%l=I&b%SA8N|#>{O7zqltc?maLrQ0*40f%W4-FZT?FY6_+`zh+p#i)u7cw7zk!?&v^s*Obl^mewlqcGyT`FyZmDzHx? 
z*|r~_1lwPF-`0Cw?KBoJ!=3N@-ILJ()GwX#Wr9iTjMQS-kkIE+@lHCZVpLU^c#tid z6|mT+>OK{I_KGF4H2>ShBmD2=&sB@ot%w1<3d5 z)1jY*Cz`i|O(?SL(@mKen^J5mS9q(@1*!}s7Dqrjr1+L$ixfFIZ9?e&)+PtV!C{T1p zx}G)-pZ7N0^fvw>-{FSX@1WcvRV;}Ox=ZfsnX4OzzRfa7Xc&%UyJ&+5AxeU<-q@bY zPE+9yMLFbvQoL&N2b%O+mA1`n-eif}Yzs%cJidO}=Py59y8GBx`9j03PZHqnP|U!N zvln;a(1Xzu#nVmM=>Q7sy}rWeVRLHR5Np`1Es7}IY65;T9PjB%z^~tdp-DCEwDp5! zm~x$t3XXH?@snn^U0W=5XI?{ zZz6{3K*e162@DAUU!h|+fqt|4xw;H2&y93JbdVh~GO~;U8&Ntbnqo@4c(u#A z4Hp4i)8^5&_ZDfQmD#V;1lk0^)>YhJ2fKgAuh&6SATpL|v``2HeEf>EOmG((3)MvP-V9uULsDrSQYSYpl0hl*vTCTMQ@RX&VgHCflPnl-P6LXB1f zOiz~D${+fwvlrFIb#L8i*&`_Hq`@Mao>A--80M!MK{Jz}61ju#hKo(!17Vn2ZTCu}cJ5wjz?NOxCA%z9bBdU3PkSZkcCnaver zjAfZ3L%idsoCKz9G+9-~cP_DboMMj>o@Qfep&%k|Xf2US>P%wJB(}VGlh;$7hx0X> z$O4r|@JrlqDMS>U8S~8F^Z)0SdO1V2$5sQxZAHakZwYK=_U0YF!}R@?p42 z4lJM)h7IPo(iC8t;zIEjB|XIu4t~eC!lK;_7X4V71y|aY}Dt4GS$J&X*)o zZqPBU0fP7MkfLuVN_Fb%`Xx`vIf?A80-2^c=lm9#E$^bEqHCAmQ{x1G)y1j$@pa}v z?B=IvKYN(vzH82)sV0Mk;&jX;qS;@sE78nzoo7Yi@U)4oJcpl(x?wu*ic{IEWt}Ar zo&1F@7B8oSi+GUc;5VGp)kb@k7|RVIq~X)y&V8m7oJL`|{J;ev`=-*Z;8*CLrf?a1sTia4ru=KNw&TqApXZslh7 zmyIxrR0`y4QpM?3JuHFRIiWSQFDbfczm{IUJ$OcIkk6 zY_|#qO#7EUHStZQ)sInS4$TVDv1QS$sK+o;X?WJmrqu^+YnRFB+{`t4$fM?vz}vz~ zgqtHg3Ic_OxmvA>atjqP5ETL241eonCo?^}2DPZ1{B1A-b4R<-2iR7YX!@)UOs_P` zH3rYG#MfVGCKOIwfL{|M_v@487JFgHIaC4Zj4&mOhll!xeUIe7hPA=)ucl)&FJ@r7VDwp+hIdn@%G*nTI#vO4die;{ zx04c?sX1gvpLy&SLutuVA{=vBo7B3?WEG4?C|cpDpLz%VH*lNc*N4lJaa)U6s?e6Q zOSEIkJmSi6QKfDDcxY_9+j5p#!VQvdzQ*g$7AB|bcBbcRV*CZ6-MZ*HuI8|?Z58xi ztC@GNdAB^V=h}>#Ai>}sr-fT%*eBI1(Cky!QqeR+-)2zZGA)!h+jS;KbTCzl*?|~9 ztdT61fqA&gEC(f;w$&gdL!?%m$-oA@YXoIbzGi^LvZ18*5;cDKygg~0X8Fn(HYmB> z-RZX~6jI5;Fpc(-%-=nO_15ZflLqyN^*l=e&6j1WA#IJ{$`cqzE1JANl`pAJtf!Bjw)kg4*JvVoTlU)8s`b zwTo{ICI$L2D3H9kJZ%ryR^@dlcKW#!Iyx^c6FQaJ=3x#hX(;u=(t7mvVYv@$3?_>G z-!iv~WaJ&d7xWVfdbJvb6;rhu156M;|8}WefU2>rvT)=ETgsP9{PpJR0z4e5Zm{L- zc&i?)GAi}_K$*<#0`0af#qE_qMk`0Pg?Y_^p7kuP0fBZ*B1^a2|Kd)x*ro-f3!~76 zVCbj`W2({t2{Jg}{)H$)Cc8Dw|Jr{r*+AA*YB@-{>A#;FWNJE)^PT?>+DW(;@^fn5 z(>IgsASTQ 
zjgVR7S5x;Cu{{+ifWB0S#xMs=kR<%E|4oOl1Pzkn$NLZ~wn~5`K|`4$mwu2sl9f!f z@$aYl&mct5b3YZ(Y3P5$R0 z{x>0?PZiz~{ln!yT|Zzjv1}-OLXxB?_XOzZOKtUO)8;s0Wj@e7lL1G|Z)Qz4(qpJbiIy z$4tO;>RC|b9gDCRLWwGZ5XH3A)!vtAF?!#{i_`Zr-s4Yk%_dA`GPL#-W#vCfTt!aV zn~$Npzow3JQDruG4Ko?&0B|#u+X61?hTGa!fBp+(&t`=)zoS&nr|1h;jpn65301~+ zQedZ(DgbieqztLh|CAEjrw^Rr?C5-M(#Y)@MJh6}!FUv@)Od!Sl25#2)^#mjY_Xz1 zGA74$o8IiSm3C}4nv0OvE7|6^#$iHB)l)G5U^3}-OlJVTMxw`WY2|bXedu)7g#A0@ zNxZOOGr9KXpUc_YHBu>Dh+l6d&|LVC^h6h^Uj3vm2m(n`mDMAj-vz!(w7) z;pi6ebo7fuBgUKnKL4>=YDoLfPuPv#{X+8_hrwMW+At3LuX`ORe}+MEu((wTj*a4C z3Q8>h;TP3!35|66-}k!eK0~)RU!Y*h$tmeTy|LDM7QmE!-G|8d24GSn+Sn!!3IFO2 zdBzsI75V>9*rXu_N6o_NuSlKc0Vkw(E~L!p_G8BPaL1Scf^*6p$uw!>K=febGGffK zE+Fc9oL6`k$wsmm4+N!=*cF`4XF{Z4pcc`lJT+o5|7VzRFQy4mya4|}3{t_jwu<8+hYBz~A|O~h!N0nx$~NW=LcC_r~H z!ZT{6E_Q&c5E2106}-H9uO=+IP9g5~>4GF?zRoa!8w#ewVl5}=BKZ_+MRs%aeuDsST)u1k5E%NU+ku4iV zriWKO)@qh^6fs2(dyhRgvlt5a#u`7QLJjaC9>suWwb^$i2(LVg!)Ag)qcN64P{!oZ znE}+n&uL1qyM33$G%Pi<#jMrxR~1u$J3Nq!tk2n>(1D&Oj~F~NLu>L(`+Hu)pA>?5 z7m&izp^QEUB#LP{_B1$gGQd!H4$e+Hnp+5;)rbPSdtGc|2T&wa^k-TWB2=Xt6Uq0< zxU;JwFhIwlyX02y$Olaqp={dmZrc+m)G}?QEK8P{@kV-o(AX4E# zF%DpY#!)SytZ$J|Nw0Sy!TWdRXHpjGfH6gS4F^aUJ3A|&Axc1l+p!`x7>_`u;*kSsx)&MoO2`m7q zu#`N9Qd|0W1c?z0U@R^c&8&vcuHtkfYfToJ7ltoU>)b`_MxtVV#i#U!&3 zQUwMF0oD62U^#JXwOw?^;Cg^&^_>Eg5J5J<$F7w{XRcf?hpjSpe4o_hxO!cFQxtC; zW;G<3skFA>fu=Zpflr`taM!N{g%AW7XjlICVt`XR_9WUASy+h?EH3YaNZi5i=p`i< zR>>?U;n!cTsb$q$V6tdG7=em-Fh{=B8GJT^q5EkGq*RL!tw@GsUeD_{`PJk7k7~3v=w-ndsAOy zWpC@lZGcGNW{PE?z2RAqKmgE4NS% zyEE74RE97;3dvnEqNbgG18$PkoO;^mHOjyZF~5uKFRYxFA;Dl_{80=DjMaApBh_{h znR-N$)!X^%_`9x3Yng=2^4MCFUrB#=`*Wbt%1e@18O^tzu2PT70E zjpBO%0Q$|YpY68!+2iOGd|jt!v1($s9r= zB0T)n8Oi25Psu2M7M@$s-&zu$73C7);u8`ODqCQPl%e~=(XTHr zxljL&RFNB(8fNgUDM?kOM!7=Qd;FzeBMb#)>hVlJvLc`jWIs>80OBUAzDi9GjW6p7 zXLGmrlT8{Wv$b`oa(2L7v@X?ypVG5k`u8oRuc~i*tb#HQR!PDQ7W>mDwkE(5?Qx0ekR+8tM*>6#7DjcAz{V8| zuWkea$%*|>zoI^sKSgtY*+UJNFV~0L)tTkzYz-2`Tz%V`ooBEZWrH-f-x=^V@ys5})kS$=bb#Y~T 
zhJLJ7e=@N0%jKObwPa}&*N5=$r02)4clx8B{&)pV{)*Zb4xj)tu*|SCsG~_C@_^m= z^0%St7su#B<9&@-D(Q$3WnmL(@CgQC`_mTELV!p-rIlD%bEoi+JN}Oab8~aWyMu0c z&W>AsRHG#*eny^A1vIuHW~(mIC|zHQgQqT&tJ^U`9BdsqPc-##3pNhi;Y0D9bs*Sl z4P#xGgWqery8|7G4Yw<#*-DWYd5Y%?SdTTAo4p#ZbMPNmUnzP6dbkuluJ>S#Z9%mt za|o4|Fg*LQGNq&+vwraF%SiUKG$xsIAv2?^e_S{SHOe(Z2$PH9DE#agh>wD@M@K!uH1RYY;xBqMWFmch%JmO0%0pB4p08ypQj)KJ4 z=`2f#c+^+vlNvpt$tg7~4+t1Jskj|~MBeB?(gU&PS|;YLID6iqF1J52Sf=MZeth2l zG96MJ*)ecQVPI_?sZvVK@6=VfVQI>;)%CWYH6Xyh+vib#cw&<%^zwUfeSKMuT)!&g zbw>2%mi6_JO!VdM+9l{!&RHWJ&CrQJ^jG;+&RqK!VRYd-IxC%Pe%4TGYWvJiWvge)t*j?Iom~pkf<=$A+*U{HjWCO3k_?Nr6bxq9&IW=bi&n6}LsK)JnK~CZ8y|<~L$DlV_)2*l1ptmq8 z!Kqi_AMf8o%7OA-PqTIiJ~FA8!k@$*%8;(O@RF#n43 zjhfjcdMOBc6YlQ6207OD-K;+N_ve0(iEcfeSo3R7FbYe1{n6lG`=RD`drdK`XViu; z&kuT_N=q6Nl4AU4R&3?_YIf8l>zHQpT;z1&^!50a|3!J}i&y{4WjB+CbxIDu-*aim zZgFDqT=c{_@zp1PtZ_hK&#RZyllLULNOSUOQu7Cj$Tp5C*H+;3iz zY>@iZ!ITVlyyaw>csH<()`4u1;&=%NhVSF>f-bz?esOl-TiG?TF&h3H-7i^x8X z=_{Ydt3VERKKJYA0&(8Tc`#waM_VVSo9l3Ljq{)zZy!AhWhodDAx>e*Y}369yjMe z`IKR>yYfb9F_1$(nGv|w`qHst_=$tdfrv1diFs0o5&sToEY7CK#3}j1`S+{n4aC}B z1(YE{#aNl%A|@_mJFrYhK#os9j+FNuGUGj|y522R%xV;>a;mCzTBz2vTzom4`7>zd z_2)-kWtdrxRwMOVQ*dAy7W&mX%%5NH>y@YcP>GpNz{oLcBNM4}QaQ?kVB2&q3 zP0(m8?A3dE*e>`8Cj*ZH=c6$d_Rw>9J@{ra@YX7q4T-T~VhrTZAO}+rx+-@rt!V3L zbyL-?+a3IhmKdo$I4{`ns;LoN_mg$r>{Ugt)0^qLZVe(P#dkV^Afb-C{c0=P`xPDM z(qL5G@(pRfO^<(@BUm@k=W*Tv8S5cXg{cEM>(+8Ik-Ot3$HvB{$JII9gAZuK%0Q)O zJwc`A4^A5P3)LGQeIiM_5vtqIR@pe%b{>+-9*T+@(Q(J^01-^@*Qq22C-F*l4d}*| z+9DZogvUp;nk9mb&P(9rxBAWQA1i?uz1q3`-p`9wA7=@bP*$cxZl0GjTOSE2BlAO= zixsm()EOiK`bk!tMZk6hRSizsKX;o4Dl}HEK+7c|gNbJ=Dv_n)krbL-ei!TaJ<9{9 znGN5xyb=U*5BsnBUQ`T@ex9^)&o!B9YfwLPQhI8Xj5++M1viD(E zuHWK%&!$CurMrw4+}k+!Hx%P7j2*OPn>8{i<#RMCf48Rnwi9yHD zAp-$P>#;QeW68IJEhR!>G_?c8&Gqd|N7vKCJS7Gcxe;D2ND36ygKy0tZ`ZG?#DNZf zEMPEd9IHsObH`cfh5Wrc^(rw!Fh8g_K?`rhQ@MqE9RW0 z0+o`b)gpPi;Bhs2My%$BH9`LO%34W7d7OyO`js)Tps*LYNNOfKibT|H@6C#<6SgpN zDg8mPMu!|^Q@4?+U1ey#bmSr%-LB1-5tA~82B#?yPK3zhKMyd~I(RpC6_*9}Dri0F 
z3%(@#=gU;2mDN;ZXE^X-+F3eCQ@j2O)Y(_YgEtb6#(8=pSa)pgBwUwSYsa~|N09v? z&mHN$3KMlth@(XKatG9J(I({Nas!F#)$-+&rY_1d_!@|tnl53^4dT6bgr8@nx*(@m^ zo8i(rgl$B(w<}z;4jjzODB;IEzdXIft+YL>N5web>e$Rr+U|5SurMqy=sKhKy?v6k z-egKTyb+Ee;A-?W&+TZc;>CqPP$muB76D(lM)YbxT04Rgg>ns5_^rZ%X8Pg7HoBT= z5I`i{SNAwJ_B-S6$(=Y95h9e;dh<)rQHy z4PZQ@#a6hm+wtgUKp%J?_phUR`RA@|td0SED0`SDfjB0t5r)1$GbfHA#a5SuutZLO zV%&UhPMYXEvp3qx1Q?eC7z75VR=xf60TxwDxoTrX#->DBs^uykS$(-n?Ao^rB2-vMFxj#NDzx%)uIVINl1MxT_l%dO{{0B4pcO%*^(}ZjvENop;gD^8)WNe{7>|ZF@zZx`X zam7s(EcSF6*4hCJKT7rW$EWRuV1!5j4Swh@l@&7ZiTBTi7+F0$l|G$C$^XNYi z+kaw2CrBy%3N(~|PDI}rq+5|wl8O&d2p~&j2undCQX=xaEux3uiRS;z@_o2#+4_j` zeepF(*AFKs?@)W#2KMlmJfwNLT+QVlO$iyqQyg>>mOu?HO#$AXlDmOhIKJ=VK)DKb zJU)-f_>>3wPk?PFNQMk}tOu0L;q^KI)SUCR0&h08_+MYPL6T|j3e|L84~sRnAXm}T zh7LVoN6+((?yfUvy|T#*|HtQ(2RHZU@e^<-g#SHG)3S7>eF7sqo7eU5LGL}Wcx8UxFw_rP zh&8av?|K~f{kZXcpX>R2;#?Kg^8rlE z@Y>s%dhI31%T2X*A*B~DrWY?Y_q_50-wvnFVt5}@#|pnEa0tnj-zR5w()&J4X!kl^ z^m7&rdED7dbzJ#k!-4lYq=(j89dteMz0w0OeDQrhgJiYXg$XSf%n^9%JdKTyXMp!J zV&cQI{&Yyzr4>~dxL&&x+e{4gffQ%NYIn0P_I(*8n3&9P1bN`m!Y7S{e~#SS1WG4| zZGDcoF=jG9u7D3cO^q%GM;Jn0&z~VVs>>|Li4MU~M@L!#M4(^((F`f{849p;k)-Ew z6Nbb76F7YZ+|~OyxN_zF6uEiS5sxO|2hM2$Z}{KU4M2R&X9KbU1~ACsKft+|L8#e} zx(CPXJXA4ND>;CCL9dHHA*0oOH#}%+wYIA zqiPvIiJw3fP4h6#{Y3bDlYjhZAh@7xF=iUC%#;!P+TfKs?nqSQZEj3l;S`Y^_ku^V zkMh?bdnwJ)p}t|kY4FPaM>MxL(UMi&ftf}k+>zZYd5Kk={)$zzDaPSE>PdsVtW2bM zekV~yZ)#dq5(<-lDERwFmkwFRgfJ~DC*bFFW9=5SZK_G+;TV=J%ecw06MjmSp=0&{ zPP$#7qbwIZUS_7t%YeU>*(k^eATwKO-YZ+h))5?!h>3q-$1!ph7hkBj*4WG}RVF*_ zByG%IjLe9Nw~Fn+4C{cDozDnXyq~O1^?LC>a(&lHa5A4!6CS-ncUU|?&Mtx;lL(rR zgk->q5%R;YY%EMab@BLKV|CSnY*6Ad`n4TlS}i3d1#h#5S!h(-z^|ARZ6NU=6-@W2 za0-hIvx<>qCb!mEC93tKeQz9iw@d&y{Pljx@5#D@ReZR_-N~Or^VHz`+IzBbUZUXoq-`RnrNgX zOHfFZkx5f5#RSXW2RIwp(%2{x}iX1SarYD4x{ z>KmhStZ#4@S~+uwlzsD8+%jh~O<%wtXNPwEHy1hhxbRSr7POesm$iLk4z!q zi7vJ%zT_}Pni zmcWr%V)6*-1_=mcL7>rgEU996VmO}yr(0N&K#aOXr4D#w9{9~ffy6hMAwf3Ns>WB? 
z@8K~(Bt1&OMnPiq_J}>h{1tUYhT?Byp_+rWJ+!0a5X`ZugrS#Wmw~8~--2FI>-TKr!P|(p!g8@5c*+Ite@Y2`76?H77U)5s z;j5LJM1mcLnP~^x8q!`tvyPnS|#jC;_x&1HT1SgcvJ94!28yPCtKMx9IGseg< zU*kGFAV-KCmRqab#c{5UO^J0cx3Xbj8Lc`+x{=xTBln9KoOri@z&UD!|4tGnKAlMD zD=#Q#gr&!jKbPU?;J`v{8f1_3i;ke9Me`1Cb7S zKi%}Ixk!g#!CqknX(1Y-y}l09{$I4aQ6yOIqD7FS*4$L)-iB6Zo#K0>HEj$kW7sar znm;h->E%sqBvYxB>Z^0!Y4Q#GYsZ(t%(|`zvQ3{)|JcdDdVd)I%iHDg7dS{@c#GyA zQx%$&j^y@(*cj1X=bBA$rFj0_{atX5wyh&--%!HZ?NPRoheDoUhJWaj&Z?&-m} zGVJtKQDfkhO0>@?jjlsp@4v#7v#FGpgvAhlR^SV zL-GGIA}tMF4Dn)kl{b6a%<+(kWVeY(R?l&nik8bIX*|QkZ&2rT>BR+`80-E?|+%3XH)q#>OTby2Z@r^5nYN=;&OW-#>s0C z<=0aLZdbs1=wu`(GbS{R3ORb7J752|yi6sR5W^>F#J>wy3P9mb*z*ve`L-w*C=M}+ z8tz^D4WLaPr9D6ET*Uo%uJ7UX`RcP*2;YSbI0t5l_pV%oR;Unh{bR(6YL%&`CW~x| z`jdMjiWm{%+{^<5J|4h2Q2*~?4G7expCH1@#R1V}q*y`3fL!zu1%;XE(P?aU0)eZYoWk= zq(-5PTc4PcQnDB+n#8Y;%HYDvYF%*SFVH__jYWqGXTQ*wWvj&Yf0wj|@k6E6qL%$S z7Q7hO7%tKz36V@DTE?`zjl4*Xrk)J4 zto)VnOaI>iSJd&StYR065&y*w`&mmX$tn?c?H{$M5|{rg-68>|aynIn6h0olf+Pq& zer*w}&8n;kmR4E`UWvF<-^f{|kg`e8;;+a&;c6{c{90@&TUl>Ct(L_F*hKuVfJ7+z ze+Ga{_|E|IsIgY+c#;(o|4cx`u!t~qm!p}1J|lRR**f_Lw`e{R)p@3GLY06Baooxe zAtvl|_0SdauT)vfwXKB<=ct7wh!l!+vF$tcgRB%P8RjcWY?X6=NdF8Ej>p$ob(Mh= z3YQx;Cl9U_Dk({wQYV|#X?{UYD3{$1E?NMSWF;Xa(WOTljZx7_BO7A^m&oBAESd;lHC8?olt0*C%Qc z;_a$b1YJO!Aea5S7e%8I{mXm%Lt`?n@XbLVT|jX#P<2WYB{_3FZHa8x~ffkTI(CPb`9ZO~Rj@Fil@b zi&bGIz{VC~z{gPf2M=Tne5!H%M;bNQ&Lc|`!yycgqy%F6bUd1vsSKfIG)bew9(E1f z`T6|Sbk@VyvTd9zT#g5B*D>OYI-|2*Yc;|~_$#(FEE@Gy#a}--DBAk%!FE11lTEVP zk!$D&UQ0E_1Nbaed8K*;_}l{3SMYES0BB`Hyj_^tgx^C(VDIWpoUEFZPdUSiHkv@Y zf1lECY+CgrnFNsuMyfB{)pve~YLMQweVc@f*NCrNx^rSGEyP7QCW8gN_3&DP6J-3} z20BUp&c7d-dUBI!9RW$zo0AXVmF|sj9_EE}=VX})vCSNwy5pH(Cq{J~rtlJ%vbzi5 zej;V7jY$pThW3TGj+#s5wmOpQn26d^E#Y3&I!1(VEZ#|0c>4 zCs!VHvPgO|)#(Y&V%(YfQLDS&5%!j3`%Rj84@^7t@wOUN&NrRmPLqGN_|unc z!yA!Kgcf+ff&+DXLo6L%&B|!lR8zYU4&Y~}U9U~;Wzr#UN1HZ{zh~;#4a2vH(2JR(KR~S29I{l!R6$FFk~d;oJO(;f=}5 z#;fb5`r5bolb>^Cu*OB&iiG53(JQNs#-U(1!N2ab0n+I=63jKwcaj~y|MPmWiCL|N 
z)-kkY->DmwJgP!j012T(@v%qyrc)>Zcqc(=2skDqVifJ3kRa0(e?L1~R(QUETF1}O zfseN6Lax*l6Os-ClP;d+$RK!4#czMh8Lb-*RkD1HRA#8a4T&xNWzwlv|Z!e*QdZ!B8pdCf#11UYY|J4=2NplQ$uOS+|BhIsN+?vP-y; zxx1lZL@=f)9VwUZgOBXOZLNC!bQ3(nZ!bx%rQ+ZCXVurthD(6DnP=*K;^gz}q_1m5 z%ja8Od(eCPK`0s}uRX`P&T>qAK}j2JvlGykd9_4c@yK^=D;UyKwMwXZ1Zd;2X(Oq5Y30h{uSsexwIWHx zk7g&b*sL9m-;M>cubG5)frt=#cKPBG{vkSyXx>%CZ83ujq;38J*SYY&;$k~!l@74h zHAaVVp%60Y#b}oLl|DN7-cO&|hw|!CBQg`_wQyDxak#&C?^K4|p`SeO;j&A&9}&@F z*R)#3O6uV*+cMm|l@!7|4J5@*HxduG2WHJ`OgyHL26Q-YY7mU@1$O)Gasq$V&faSH zarV93_BxnOmt`u~lTxu(`4_5?lS*Yoh^QKi$+$tQoWvr^hmP;iwLwUm(uyp!RML$( z4bdU7@1YGl7pVb{5>0r&+iiJb@VyuK-t8+dW2-k3kiG98$>qF%5C9jOP7f(z$dK$u zZstJOA}3QrVq&rEJH(Y)bzsiNNltdT1;TJVI+zZF?}ew0)_JZoVHq+e?{B!=gF=H; z()i$=8gzTx%4NmJiW9Sit>>?;7RfhjFpVWwz}9&dK+h`Yf??(h58T_xyz{47!$7%`*7%-~9kIg7o;Cau-Dgy98-iFuw z&uCJ_VgMo?nDC2R$Y51)mWC%8cS34=XzOI=d%u|Q_f&|Ka(B*nuTD4WLPJCcdOEt* zpU}k>k8?z0qZ&kp85lH3-b^Wxg{nHsR)S+=^KTeYWSJ-gnq`8QQP$HGm#rdn(oz)h zB0@^cGuePw7C|3XyRsNB zwIrY+sX-37eU{mcDZ_@+eK_Blr0NZU8ES-CXKrt?KFrNqs0nKV)YQh_mCm;IW59m1 zTNuO$m!>8daf0ku(oiULF0Vfh{U$f|;&GWt0(qjxKD)E4)|>gYzICpa|DyYtQqSqnxYL^UITyudw~Q3==n=E|;k9)1FV4>t1^;Vkp6- z9MeZuI__$qy2FOoU0z8WrWpyUlO=eEyMiTDQpO!5v#5{(tAG>*CVH%LDIK*9PuR^= z1v}X#zVXU@lEa+$1XR7#(^ys6le7k~hQFvXTHEchw_xqjlZ*A?(Oa0k(Gba`&O-w? 
zGnyJ@YIzqpv+y*xD*aW35glL+-&IjvgmUsQoW#zx2_L0S@4!MOh8S>Q?gQ_o5I|g) zHye$xsWRE@lHXK)gYEj5Gg+!4H$}8@gYkz#drC#5dnyv-LsjXrIkFOuAGuMScRy#8 zAn&=b?`p|Wa!B^JWUt|j%T5KfxmlmaFO@20e51Nlu}E3QJRSD|01&YET}@O^+jFr zBL^i{w$8Mw$~hlaxgpno=%Hv4T94uIJtuM{E{HVV^E>#Su9lsYwzyg`n**bLf{3c7 zN0x@2i_}zQl_Op1cCrRK8&pz2m<1Q>l&YV^#`i-mM3dYu2(X6GF-ay<$bt9DRq{z` zG?iY<$2(?|zF7!W>m@6rqdIk9d2HfjnbdCs9@4<%+qB$ddE#_ZkW|D14zSOlRs@~}34B^Y(y!@o_N!GH-dFmkt*KqiHA z`Rc9n6QH)AYj{j@kH_r>J*UrbEPtDu(yEw$+FB&={)^^&4$ii+0*;5@l)-hjlSstK zGxk@#AphN1j92uFd>oG5ru?zNn(uX&*$7mKzY>3;r&yPbGH1PB!wVJBZMWDgws3gbB(VZzSE9=@7bkzFoqf7MG|ee03AzW+K&@j z0I4DE4KtEjiq-!8H#)b;*Z9g((X|x5*f<63=`Rc-g-RfDFtX%E5aSowPzUg_{JMu1 z!aVxiu49jmK~@jJfI^!@DUzchJW4Jexb<9Vo=QR%les|YL_}^Axs;WFTF4QYbfOXD zB7`qo0pi|}pMh#Z!^DU63N*RlqLBJl;tRLe4U86bl0p^E{I03$rlDMv%95Lg5FtKn)7;=!ca{HU82vTkET1o2zr16Kwo!r^6$_sJYW0a{LQv zumM)OHfK^3Z?H3bf=7zpSoBz_ISP}OZ)EUcy@fQgb4 zdM61Z{&x_V10|{+ESTc2TvGGhfA0N#k`qmu8vosg^2!=FgAKc8 zC6|eRSH+h@E+lak>-AdROzXKI@9HnDI(ey45y{VB(!uUxPuGGuFgqtioLbh@5-x2BR?+hAD2O5OjPyFN$F_Km!~&r zVTYG}IIMV{E*GrO-Hz;68Z87{TFINhom-Zg)lQ&9aJ>4f6M@l;~%!w_!_p>Eo+s7E1Nx9vC?rb2zKD9M*h4q?fKOVW~p7AtV*z!&5WshPT4@ z$`(5ZpwalSUl4sJlf-5aModOiD2F-sMX4b$*3;vCzKTm)t}Z-`j`3S;TKOuElOF}5 z>F+jwu`KY@9TIiYk+i@*M0C&fgG?tuLxtvYyiC!ERD>KdF^&J-jt0{;Oj%;E#7bRmx-^j!ATV#tdq z>rLUu(jhD3(!uI5973XtTW|ua>KaRe`XkhXURHg-S(1s$EZn}ASC2QG_Tj3u)jN7a zp?*%v=tQst{iPGTS}-!Ro$;Tsh!5^&IIK2ieV@-MAUUu!>IM1rUSv1z%}*aUB9GIk8S!6XD;u((xl#yQrm;!5*5_4P8cQ zwY)YZy+vq8qplkJX`32odUC&j&|&?{ra->b#2Y(8@P0)OL`uof{b0}b^!0Uk&KGLU zP!5W6i#6iLrCgOhdm?0hRI?%inmM#rau2Vd}BR}+>vEk3?%w{GeN=)xM|xCrl#UXP|8ELKj!6$sKx z(UD@CXe1Z>PDl2On1mUSi%-SJ_5xPvr5nWSDk%8Yyna0Kr{6qx+IYI^ILD$zLZESB zY3VsXT*yza^6W~?YIp;?xrLIFlPY#Zu>amv{Al$k+l?ot`5NlkX-y|$|irTVUgS2(ytw&O-j<->-g-aOt!v_y-{T{`rn z!69_rVMea&d-e;YxtNIH?BX2tBMJaGI)&%Lrc1Hsk(Bne77F2gg(WXV#MtUHFf`Jz zSCxjw&BP*>;LrRkWZP+9U*r1z9LGxvElPQ9l}KvdnjDC`T(gan=3oLiieq}&=`CE< zA01;1gCWBCT|g%8$DK!h6O*~ql={`**CY3g!Zw?FwZ4Wy8ON2wfd=`HzdrMMowYR{ 
z@a-Wc$Lp3V_^#bc(9)ny_lFMxQXpK_u+*)&Gm@qsHk666LZ$$$@+=g?H>}249ZNC| zj9$K9L-4MyUhi9;BrXWjj0l%o2p(M-Eh^)^kV1ikCVS?B!H)SjJ793Ov3}JZUa^Gc zd@d;9lmUEbz&+UMgBSabocM}}sBs(&xfTR&Y4#Kvg$WU$e=XvnBvvDyOn6WCwE#V- zrKusd)c`{>R=sqK74^)_Y(-OhfOt;*aU)kzXJ;j4OYR>|-2sSz&*MnuHme1w z8*|aKFUF(`ZfB-ixCh`8W*U({%B5@X~tb_7}(L~(`HYPPc;LE3^<4C}?Ae=H53fgiTM zi(BmV7rh1zazwClo2?!oVJm(jxU?ayW^7}I!#QZotd2f#whd)1<@KeSX*zbw-5unb zK)c0n06Q_4s7x;3DqpTnqdRi6Z;*tMkflQHl3(G!AJdaYDdnQ^^ab&~AMbl+C4}Vg zP~!J1k0!`_0=XR3slJs0i!e%(2*q@=5# zls9D5imb3BVlOcx+iS(l47}2N-%rNtkaC10B}HbDK@?0UC!Vg`lAqRQHbpyww{U_$ zML-`7`YBROWPn~wMl0C$G!6MJ03_2#kSlTO=)tB%uTSfXZa^W}N-l1z)205n!WK1j z+v5A6Ts8N)r>3{6q9L&kNznUJ?bZ@@@BKc}6NU|w{c+3wsB&m$Rak8a%3aV-REjQ1 zvJJbJmeh*}K~PK;7Z+DoS4T#|1sf2;wjY0fyy0bKnV6U`hC%d7Mkkx3{t{I!&a(}l zru4lCB1sZW1Br%4i{(SK702z?p&Z#N3pKU?bfqmlWsTO8a9jhBx=R^i4mIAMcg9dC zYPQR=Yds^=UM%iI<{r)i$HvA$3TD(vQeAv(FzajUGg&>gXLTcmI{KfO`p{eMN8?TM zwk}=oNw)YNUJ<%gmsh8(=?`rXoFv|x6#TE(swz{Xg>)sgfv}L4wz}12RW-I2CC|qn z9WCkH9cSxYBPACM$MiWo_AhHw-S#15!c~eBGud4jKcMM(x@P!T-#|7a_kN< zlZ2;Sw_kUxyw?%6QKZWpPi|btjDA>}` zqBO4Zk6B#KH{%Z-PdMDSFyRlHWUZEHcuuzmV|E;wSy^-!axyZyJw7@Wi>HG=8ij~c zeim21HrwpqR%?8Wp7tRdoWvp&)fD279M^3?{?M22O^;hd6^odFetzFOk}9!`--#{G zPT5@=wyYMJ0T(6H**&@{XV8xBFE28Kz`k|cW(2qvXXh8;xn1ZCg8sOhZsw~V&xVOZ zio{im%li|Q^hu?n%<>NBvNlhF9GybbWBM&#Bm{gOkgWgc_;hku6l}22Q$+>H#v2wE z)_^?^V^A&|h@tNne>S-~6a?{|tl(D}Y{UdJoLE-)*u)f@7IPA|qm7LZ749O0I~p1q z*~_X$n~Ws`Mp7ccOv72Tij1PCwzaXd(@Obwo?KOKVmS|DGj^ zWgaX7_v3zfd3k_x&U|711xrq$#b$G@**b%gh2R8yT8s;a!0AV1=kw;ao7GYDc>X(X zLUU2I=>`VvcKtDk7MbV{{K(<7Y8(P8lL`aiU>jztC}V$>qQ zkQAp3_&4^So4+fsd=8T^T&}i_7>(6sgZusA)(=*KluPKhOR>{#G^ZNZ|jdSZXNob+uOLVBu(XF&I*R@e4_r# zJG0!UYIY|$%qjE;#rhkOqXL6p|x=Dp%M!Va)XATefw(|9nyJYKiN84MkH`8EjnvwAr zAp`SgL<_%tkc6}9+*Xz7x%yceNJFp*4%KG6%VgPQ&64}&634F3;^I;{W6JMj>~9V5 z-a`0_qoj=UY^9c5DDLQ}wyA&poDd?bv_f?~;EhMY_jx^>wdS`wR_SjTyyuBi zA)m?N-O)aW0+&{moRQ<@cDtV-`xi;ma!XskDDcY_Zl_O4cb&CJLR^>o8{0QP&-LzG zO2ryg*3C+UJgmXYhjhsfqWR@9E4DKa&dUkNT6U^DJ*~8|l~Nw5dArr;?tBO*3eVf4 
zfJ|64)9dNt&p6LMjOu3Rw}!{bcU&f9t4`Om`&DUI%M9}(KJE#jkSv7qD_@7#*M-4r z2|a0vIK{T3KYkicTH#KY-l4rtdwW9>h*Z7CDpFXuxa|%A7+gG04^f`s(lAjTDn<`e z^75ILwkIU!ZJd9p1HDz2f9AA1EnY&qxIP9I#1+WnB}f_^y<6U!fyo@`r^DN%SlM@M zg6caub#1-sTLgPUwNh#w(dIe?kTT(3y&YPM8+=Fd_PIf_@V^uvpR=d({`k7tnYy_d znwuNX_pOcR%k`^F%nib6ucIv24?jYBL>1So z?vH71MEuEDb4JoBO1d`AAc$2Ei`%I200SKja5NPOr_J}lh~d)g(zI261|`-OUHn$^ zQ~QU4#m}9WgA`wO7PfP^ApZB`{?S=VRBLmqR`(h*MBO7f1!@&$W@g*22N!vH`t#v}}MZ{&!Q^hi_4=W>;~%XaKEfe9qe}TkngydMlvY@|mqS%kCjN zn(0P|{pWoV_m+NR!_8;X87MujDyU4ir~+CkOL#j@Lf4=R9xGk|r#nQ#rt`AxRwh)u zVz{7hry&W(bhgVY52uC(-Xg-Ks!AL=$xJB=wzr~9uy*LeGAqI({L3&T|L5_3v}Dg* zu4SvoUf&0I!OyD_wQ`${D%SF_rQ-Cz7*}qE1Z(0nm9vQVCG%-FyLU%&&G2wH;LcaK zi%V~=RtcK~S#2w9dw$A}S_9vd5Z$tyWTTv#mpCp4j%v2~^cM5jvCW1(wmjZa5F>PW zT;WZ}gCLT3=i=_vt~kj{Y_fS*xBe>EnwT-5wmIDhC5q}P=};*Qrl)-zYT4?wIiNLD zP?YdL?+kzxblY%0nsl_Q)xU_wG9?U+I`mCo$ZdAJZ)R$>T3+FEaX246MrlQTXmDyg z?oP|k=sJlc(nVQ6RqLVqPq(+9wm(+)#hpZ$Rf`SeRnmTpHDIJ`y@g6VzZOlHRc|8L z7lvOyJv}(V%UU#YVG)fU-0tNop&?n6wz>9{IgTTBx|X;YdLhe6>5V4%jahX&JgjNi zb`A6~n7y1W&jH}cPh8Jfny6_=YS|OBcLgMyg4B!%C$%b9oZC_SW!rf8mWjOq}dXB?Qim)4ujC_- z&SqDBK6XCFOO82n9_&qU`_-q7!Uc46CvNK=;(Algo9R-!!C>eV*H#A40Yw_m|L9dD$5_dwA-k%iJicV zidQI0J>Sqy)6PVWjT|#4?@Vy5*8O8n%3V|1NGmQ_w=C!D)paUp4^Z8*<$u|l85w@9 z-l#6Oz#E^MO24$_wSVm-kziYD%H;MQ$9R4d{FXLJ<(rr|dGTh7oR019 zQ_|n7`nJnuG5idssSe>0wj1rtOgzR5WyVZtQnq#KmB$k}V36(V;VW%Vb-||{)mX~{ z+fetKV#TVt>d6%Pmwc>z-Bq-nr8WPct&(j^xpB;J5JwhES8vx-dLU7N!(^3acGfKZ zhu?`2wcwn57lo~Vyh|UtT>0ubU*fj9TejcZkf&iR9v&i=J2Emnv@G~}ytk$bP!{xE zA?t;#QWqL$K%!IYo0}hx>sK;za)L9UE#MtwGM*%t;+4(~dn$yFhnx=pBe-9w(e4_D zJ!p>4%t)EhX?OJ1pLhS9$@LL}_TO&gIhc^M@dZzOmbEwR>yX zEFeThW^y~H-?{CqoMT}^RBhE=P8{){q+$BbuK2ttp*eM_lD(f}*ha~E41a&+f8XKN zLY&SDG&0OY?itSr4A~;Glg%@^W#9IC(|!2nq=b$A3Ba*!=gm%}C|b!wwFSfY(ZbdQ z2j>JhNNaC@oz7|-e&HqPc~f<~vfC}Tu1-sXe7cI43RWsZqxSZZOJ;I$^tGBN&fajl zk^B0`NiIg0!*kEZyMdLvrs8nx!7*n=dmqDAMXznUYB@vfm0LYJ2%i84ugmc)ol_Vk zT7+J^m6?;zx(-t)Gd3Y5r;6-#&0?F+UeK(u)cvVQ`X~dE+yc8@&c{KJs04~{VV!#r 
z_I5?mxtc=X(&mUL!Jx_K{$}K=`{^qt-~nPftH;Lj4twDI($23OA@(awpl35gpU8!5UTWldEV1iqhl z>#mpY7uz2n5%k@S-fwcFnhx3tsL&-}QcL=@@%YSx4H841tSoCP(s2ncjxYY29;!Rm zuf~qVrZw#E)T!loGO;XfudHzZ9=APbv7;RFdK)*{7B`mmT_6p)mZ7ucTn|PW(_}s$ zwQO_vU2iD(Uot-4o(Q;IXp?z8n=_YLbU`;J3%pDZG$t$~hIBUDb*rf*`Fj>t*B|)q zpA{p~7wg*b-WPIJ19-;5e3mYcd1ktlw4)S4K23~gs~9<(8mSuIAN6!19v^(Szo z9G}ZJGsmR!07%yoZz8SOnw8HLM|s}vw$4&tH>ObhaYSY;Hhmuok%2jL zf==LWh)c=YNl6Y{nv67VSgefoYTbvc@0BZi68Zq?3574v)odmkibG6OQwuUnoA8*z zpSh*{(zE|Q`$FsVQrmUin%CPKbb|ToB5!sSO2C^w#>>m>cxH;$*AS<$qS<({a#J$y zcpqoiI}yLy_VPVz*pTsRBi)jzG{T`iJtI9>oZK3}I=5CmqFdt;qA)l2dQq*%tET<6 zg#T^iY`MnwdN+i=^Lnp%d|ds}Q1vn8mlKI2@*$p%eVBXxjXx|px(xb+vONF3ONZ~v z1UtQ6+v}0@a5bb^KFnPn@eghR6@l(;$RaR8JOn?dk z)adnKSI95b)Z{~c`!XQbAuKI!yM+mz6AH%gPW_l?Los z5jFqXkxZwfrlQ+w&xr`;-RETxbrFLqq2E|svpEy^TrFC(F;nD<4grO=Oo<%d4$G<QcP3MWyLCHuT1&|w)_s5wYzxV0n8OSuUKS&xR zBMw^FM-k!SMH|Mk46|;25rO`KJu^6P!5Yy!JLRD4Y8wOOveknTw+jKElR$-{yiDXW z>r$=I!Pve$0B~qxqA`W;=ptyKoBjMC{nh)7L}=oXV5J64XtBkH^-(6ZQo}@4H5{t{ zm+xD(w^j@9VO^9=)Q?8zs5mBBK|xiq;Jp0Km8-@Uwgvv1d&iJyg4e#M?z=(1E(QZc zN(~#q)rJv#{?-OJFQ?@&UnxZ4qQo;UV;Xxla!wL%3xxMq=MV zeeru{p5ZyOE&xG%JGIZtj z#68339;rm_7C$~s?|r+{XB3n4f@`$@!&6y&dnIuB$nmbSrKF{$t;ndhW#+_*?`1E- z^YLP)uD20nlr2Gg!yn4ywNuz=yWKrbr^WZY6ClsW`IWImvx?K_y^QR#C)6*wWflv1 z6`o#-oSvSlVnZ8g?_F6LWMXt-#c=%Kq3QVwDL&GijL!GC;v#JyMn*%=&F$*w9wzmU z4aLQnR~;At_DFdn0!jasw{i}Y#K$nz8gWSiJTx!B!MU(M!D)oM5_sR9baAsy5Lu9o z!8Mow{k)mTI9Zt&mpPAJ+;2g^cEM)1QO2r3%d*--BnPi^y0(-u`D3)9 zy*9y6a@c&Di5X<+t(S?S{KJe8HOe9i+p;(=E>0Omd6qK~5f}IPr6Q+mbDotHJuy~n zvW6w>=m!)QXoFi?1S1U?i!crX=<}?}7Am%NEbx*^xv2@9rFX9;$4A zH?Dz<6^?F35WHR%)#yx>X|;@X{}Os6{Dla5c?`2>`*LzVxo`k^xPfjb8qOuT~-xteNNLCo{VCN)h{ZiNTc?UUNdVF$LC`#Yp z2739=d<@g;)mUGSQ&ZAXkHU!ycSh!!z(5ozP-8BjDU=Y32oYuP%O=Zk2>(`bh#A4# zg-9->OG_JuD;O&@;*1WG6D}Tr3^x^BmrOTgs&{0bG{u`l6_BPxjII@vPF~V)G*vh4 zz(O-vwIjrw$6}TtcT|)#02IRujd0OA*@X}}3{LDAzieMeETA(D#KIj{B_`YdIouC*QU(DK$ zx6bYfnXYwa;Vx@qe_{&oA2IS${KMF6G}65Nwz=KrdUe?Wn*UkP=b1c@y?TMh+#Ij? 
zJN?L>40u=kj8L*79eSeJHIG8O3^@(e&(}}>mj{7f;4qG@&r6eSL#4+YPY7*YpEB6r3YIR0*bQF5Qwfbuzg`7o_a4{en%9&gFhP_%hM5 zt0_lAxIwx|o#w`R^jzA~;+m?e-g6JA0rG=XnzZg3roEpp6Q{oCS()nE8`y)eXCB}N z^N6!l+VWXYg1VsK%~qFZ&&Sj<6SGVq;qs{rma3E9PplsTggiBV3SZYkfOqi(vb|X3 z2}o-&L?dA+6sS^%XL>+QdqpDAq3rL>(w&^8SGj7l+iinarNX_$&!#q8-HwMI1=@LK zwDgDw!h6fzz%$@|&IjQECjZUu+tJVMAC86oc>ty~WG=9zJ!rOt<#iOpM!mPk7GI#A z7X?4}zMRU%wfUS0I&=7~liJc5C$K$6AfIEAW$-8f~&+KU;n!Tu?dDV)=7m z`*rK-^Tf5M+jhkChC{%PRF?7qU0SSIQLWScjsR3ByVcfKdU^T4zV(vZU@JnNqI_&A z2h(=%%~pths3}#k*j};#%FFe1a__8lz6m5JtKRzjJn*?1KvBC~(5%AJYPRxU#gK+;pzIkkPRTSKadgj z)_ob!J5L<+Hbww>5fLx9yzU;-)f6w96Jq z2w0)3Dz!Ceuc$-CUD0p=j&s|3+3h{2_)J-_mFB{Fp|sd+@i}&BRL`m=WAyKi+!acN zEsZ8pvyPyA^%W?X>+e%gO4rj=5*i2O%2_gKFx}flgRSS&o*@K26i52^?~RX7fr^?x ze=7>gG3*pbFwxN96yv3fJ`K@6)9em_mxIom^xe<>)teoBy#EipKtsQALZj7u^=n@# zEG&d@G$xS@Qb1=U@lT4VCqh1d)s1V{Z``6a1_+-ho{bRHw}0@1fA)iK`|YEr-beRm z`3O15C>fejG18-e0D-2sXgC-QMg@WnMYt&Xl>p=lu*#a9ZO|JmMtwNw4+Q4eElms zDocWXFH8?JEa+Y#tyVAI-zM^z`96kpP{2uP-`>4{_y>P*{rc6asypBP?sxa@*{f2a zTQEQ%@xXaBS@BE{&Vz7i;Rr=`R>8~14_)}=os%a|UcPec?GsmF%D%NCx45_fI`8bK zpI$tDvHH%PpZ@Ii{^1F|$r3A%5m|8VfMB4qvht7r_>X@0!+(GL$zu>Oq;YP6`3L&m z49&CX3)KXnw&|;m{c} zCnqMS$A<*z2|eoyoQCr9a=-umU;p8c{^YgSUW0=-<++j~XvI^{J{xk3{o?Qb=EjZd z?|=AlRdp@JX!1%o>y&iO-D_jRlQoU)rG>eAorZ@~5=D#O7$SKB-6{?*nOa*?Ru**4 z==FwiM{sy(gbD{_1WS>;*X8W(>8q&N4A)?9zz1O~Nhvi-xqWhIa%w6H7bb|2XbNH^ zxs2{=c+k?));H-cEv+yp8H$gJ-+UEsas+L$`5Za~(8-j5Gan5nL6|aAVk`>E4HQxK5{i`l;hT`q2-6^Pm4Sh&dS)b1nq^ zEi#5MG&u6sTkqA?HQQ$FBLltAkNS-K3~LqKBQKsf9nStRD=*^gFctrZL_<) zzF?T0_h*QdM;2nJKQ8F4GR1gIT=#E2yM$f|tdc8HZ^?slC_|Zcqqp4?LILeYb zqeTdNNBbwyqwbMbzN@SIt+(EvQS##(_!q_~@iYMwJ%j z4h{8Lta;%G-`&x|aZwIc0y7|VFp?w(wS$TC>|VxIj}|cXgvj$tue|i*AN|Qc`StIW z6c@>4v8Re8kkBObR1ykKS?$fW^>s}xP0f7+LxaO(8nqr~RDPCcqZ}IypE+~d<8eN9 z{HcPx{Nd5jKqxFzY3z2})Pybei#mcZJTmgm`ybwa@L*ze*kPMisuXIyF}J8}Vt6P! 
z!xG}CruJTiLYrka5kVJB%O>o;!GV4v5)}IyPKRh7N~52eNIJ?sAH)wFhGBN?+WDg& z|H&Wz;qUF+w+H5YsgF4{K_VggHfLpL7i3xW8U+kV9(4~-@;pbwuLJ?9mD^n&2vk^zD`}+~0<+1n5uL%HGa7GPzC1EK^SA%-)3@IHFoJ%Hg`@=z zJ=leW>nFMm2TsDlP?X{+gr9&XsD&3@$I+X|Jg5o8S=vPgMt|a z%qIk79<7imaM!J$57~FMnusA`s%#3c1@hJTW-|mnw7|(sXfIX)xeF@$NgZAEyy;@ zX^Q9g8&@y)^!3)Xbm%j(^KuKb&HCQf2W@Tbx9-+Pqfts=M}`J{zF_6HJ#vN#1sps{ z$W=O+-VOJ5L;}&mvaNj3C!?qcsqXC^2zeZ(MLE+`qxFqVjm>S{J)PnMrxGrsb3E*B ziH~_WDed09>&HL(;qU+c@9x{X8=aKIbPz~+Ts#u2_>n?>x4XNir+ml0f}-Lb6$NhF zL|sE`SMR9CTKwAAzP_b2ORb;^3-Vlcdvkq#TlWB?F@NKm->4|bp8fkBCOL3C!z3dk zBSVgEbxH@0kA&O$CUi#YW1CAf=w}Logh0Q2v3}RSLtlF4026UF-@oAw)6=d{Ye(0v z$B(@9!V4x9V^)%ljp!FLd?D_!y^og`X22zA-A5`YgbM>SN4!WQ<Ey}qz;3NezS=Z2Z?C`-tt8Qpy z(itEQKfXt+gmKJzUGC=Y@%{TBSMY(pf&OF9y(lM%(cW%-R_4ybM`aw}*HSw$Fks0k zb$X*OJbf(eot|>~_dM}pai(Rauc@xCVPMpD?3w4cRFvjgRGpn|^-Ud?+&tzzr`?dACmD_i3DWSr?j{ZrN&a!t)u~wt3Zy%VNoY}wkF{Mlx z?QQIvbUyydcea;X&~K`Iae)rBn9a};aDtUae0m6kz=a)Sr#^c3jSoJ#akuvV{YFNk zx8`Qc(q0^%JG5c&2w}lH)z&@aW;I5=Lj2p!JmSKzq1U5j83no{U>O8~8ygw6djtEP zII2@XYy`0;+tJ#_YmNIKKh$`yw!9>N&z{XR$$9M))pae+9YYa8{?bb?ZZ6H!YP22A zold*Ge9LBy3XU$BQKOs~>2GXpYwqaf4jF{i0?+sz5Km z`4ff>oJ(N{En)p^g1~wl&gQn>@zK$)j<)XJeuc?uwqy^qwa(ZlSel{K8AqQutcW=8 z-M-P$GZrG1N1uLX_m(0V5pEfrnsNFc+ft@c$O($pYIIXWL(L5hojpSuOZIawzgSt4 zlbd7hYVU5UZ|oi%FRs{f@X$enRy)zt)==LxIPToD|G=h-vYw7kg`7Tkbl0f z%5AyU?5UxVo!cw&^R0{!ZEtP953{8HiM*onue|!A*{JgQ+3uD$jaHdcRG^gc0bk%w zZToXi9j(YSx%_PYrd@k?RE+d?XfyJ+Zr{VZ?R_0hy~AT_V-7@)Paoc^SMnVr_EEcM z|CW-xOmj_Lb7NDh!y9<+*{8EI^u0sVO09L@)p^X6XZL{G zWPSYLp2DJByUo?!*bol+X{}LZ$b9nfepSNXCO<=@laloC#aNO^lBorH@O5Nlc(Sd% zcVc9)qrGk1?kw1}-RtxWbagmAPC*Itrh>z}x7!C=t841Jhi$nfl}|qPWS&(Wjf5Yx z_A`uP`=(-=;GzM4`@oDfxA=)2rEdFVcKMDcpE_h88=kVw96bJv5ETYm+tBePgX7D5 z^w6OKGXo(|-?(dQMM+7Hv2S?1uC8Tj#Sk2l!Z&=n2&WsJ<6SGslEP91v6^n6x28CWyYIETYR zg-%KtT8$sWYP|E9)=G!bq|f(0y2`+sAR{E?qeh2ySMIl z^$vz;^|7a)+P=9`!9|9;Tc*7JP1|>&?_ZFDPN!iM>UM|&yL#NL{Mi>@d3^Ua|J1Jl2geALR@4meic~;x_Kuv2W%z_juXsq$^1AEcx 
zLab4MZ&%g)`MdXi?+^aqr6XIT&e31|99NC;8*K35QQ>?;I>ckG@~(Rs0nU*d^9XmTeGbSf`xPR^pp+#D!x*YX)$Tl%*>>d z6o~9h{mjgi!^bNWa`Z@Zxy)d(2tkiyW=c?K%~`oqqZ4|S(rQupyng$PJH(TWUYl=$ zLnzum=E%;>GAMbMJKzlQ*_l=)x@jX633|t7!e(oxj1AjtGZ_ViGJ)_+Pt!`d&SDCB zTrQhkpkVMD9KJwdZVn%Gdi)`cHAlg-&Y5wqk0lw#nw_OntAwz7YHG$GB1ok|XSQT% zm~g;8J>&O>1cH%eW@ehSFm-u22m%{$fD3$Fh$H0+CM(mbQ^}*DfMaIb7vMRWJR>th zr`0fI!0YynIzlF+G1H`{_>k9SL$}%UGPy>botdd7qN8IIgx;KG(#u%)v@;T>C!H@4D?G}=M8x;*+wb4HbML_M=QFH1 zb=407EdRaV{LSq}*+JXbxXlq{37sjkAU8`M4fYKV%Psl2W=&vf(8UVI>;lL56d8$- zRMZ^^DUI31nVRvI>;Le<4SngcZ-4FSJS%!w(K?JSp7XdIzF^ppoy*Xa9FBD^Vw;=@ z(n?cS_SDF@UZt{HO)wD*`s_BR-xnq+g~DpJn$D0P8bv|1&cY;7}B9&aQh$khgYZf1sp40_x_huyC= z>a-@Kl8Qtlq25tPUQUiq7O}em5xLf)Q+Z~F2*#i>nnK`W`!uOgGiqHR$`@s2kP+vE zE8-XEk_-bM^-axqVG_oumHE)KRKV_n^RP14s1EsT(=IkMH%~2N9kywQI}#NrwLzC{ zHZWw!X7_qMK^06I2s%vAc{!PiNBhW07Jsn>A8@;UGY+_pqFfmNMzcBS@&vtJl~%=4 zG)FVJaItobIh|gJSX4&6*<#VjV9MbbcZM{2LvDtNCL%m~K2}6fYO{5W(>@WVwB`&; z#O3sO9hU5za3JiQb|xNQ8X`14G2!FoxmM^IR_&I`+XIL{VO4-=RD6i3HSuMQR z?r;Z{8CeE7<+6=>yrBpoSL+Rs#Rxu!9RlRAQo&GElwh5k z(Q><7JSmTo=vkO~Rx=MX9A_ZPs8li;$@96{#&9S&J?RWY2uh>MvX~7TMcD7L+h#bq z)|{QAL4RZA2Rjb`I6CQUUO3HO6y~$)$ z5K;To1k45HY7NXGAz;eNvO>X!H4|G68$E#sc=Q~p@q+wp^!Pu5aJhYV?%tPrd&joQ zqQX2;Y9W4qFc=EU83rOxU^QW zTH_z?*ckuNmNcWSEqBNrG=K%L5HkayyV2e6_0#WFz0#RgSyidEj*JYgg-5vJx$Y5> zk&%(IvZ^xc`InIq?)RR1?z!h&agIw)R68#4Q^VhUb^R7??D*q9{zIQh#b%>le)9JP zwdai={((({E4Hn}qYFPV0=~fXs1u0no;N@+_<%Oh^DHGzhytQS9$j&Uh|m|T;^IXQ zs5zqUfI_@;pj;ffqIhX53TMS$iI|{mR2UIg=%s64B|eZ1o3H@{=<&Cru7CjjikFI^ z2jYn$p>$MFISYLOFSH^4h+l{RJ$OspMHDCny`@S#V9AMX6r~Y&;a6%k5J?0;3}Z*i z7A1LR5G4n-h|PfdMG>GaNHnp-AP|TQ{>!Id%B9fd%4JnZgyo(oHcM=Kg%9N9V;_I^ z_4rC`=)%SK-+xO>Z6C^g2D9fG0jMjP39kKL{_lU`o)=hT`%Z|M3z{n1au4}S6Q{^lFf^TvPuU;k%UE_G^8%$q@$2kUNk2@t^uqPHQ%TOIMXur(< zMMQnmklxTZ69HTBL8=hRq+LLH>f_L*eo&x1BUNX@GQ_c7nGB&od0s+01k6